302 files changed, 2683 insertions, 568 deletions

diff --git a/README b/README
index 911a8719a..4bcbdd4b2 100644
--- a/README
+++ b/README
@@ -533,17 +533,17 @@ rogshdo (https://github.com/rogshdo)
 Ruan (https://github.com/ruany)
         - fixed hexchat profile
 rusty-snake (https://github.com/rusty-snake)
-        - fixed kdenlive profile
-        - added thunderbird-wayland and supertuxkart profiles
-        - fix bible-time, rhythmbox profiles
-        - more blacklists in disable-common.inc
-        - fixed some missing paths in disable-programs.inc
-        - added ghostwriter profle
-        - fix gajim profile, added gajim-history-manager profile
-        - updates for ~/.cargo
-        - added klavaro profile
-        - added mypaint, nano, celluoid profiles
-        - various profile hardening
+        - added profiles: thunderbird-wayland, supertuxkart, ghostwriter
+        - added profiles: klavaro, mypaint, mypaint-ora-thumbnailer, nano
+        - added profiles: gajim-history-manager, freemind, nomacs, kid3
+        - added profiles: kid3-qt, kid3-cli, anki, anki
+        - fixed profiles: kdenlive, bibletime, rhythmbox, gajim, seahorse
+        - fixed profiles: libreoffice, gnome-maps, wget, seahorse-tool
+        - hardened profiles: disable-common.inc, disable-programs.inc
+        - hardened profiles: gajim, evince, ffmpeg, feh-network.inc, qtox
+        - hardened profiles: gnome-clocks, meld, minetest, youtube-dl
+        - gnome-mpv was renamed to celluloid
+        - updates for ~/.cargo and ~/.python-history
 Salvo 'LtWorf' Tomaselli (https://github.com/ltworf)
         - fixed ktorrent profile
 sarneaud (https://github.com/sarneaud)
diff --git a/README.md b/README.md
index 3eecca941..29a2fadff 100644
--- a/README.md
+++ b/README.md
@@ -102,4 +102,5 @@ We also keep a list of profile fixes for previous released versions in [etc-fixe
 ## Current development version: 0.9.59
 
 ## New profiles:
-crow, nyx, klavaro, mypaint, celluoid, nano, transgui, sysprof, simplescreenrecorder, geekbench, xfce4-mixer, pavucontrol, d-feet, seahorse, secret-tool, gnome-keyring, regextester, hardinfo, gnome-system-log, gnome-nettool, netactview, redshift, devhelp, assogiate, subdownloader, font-manager, exfalso, gconf-editor, dconf-editor, mpdris2, sysprof-cli, seahorse-tool, secret-tool, dconf, gsettings, code-oss, pragha
+crow, nyx, klavaro, mypaint, celluoid, nano, transgui, sysprof, simplescreenrecorder, geekbench, xfce4-mixer, pavucontrol, d-feet, seahorse, secret-tool, gnome-keyring, regextester, hardinfo, gnome-system-log, gnome-nettool, netactview, redshift, devhelp, assogiate, subdownloader, font-manager, exfalso, gconf-editor, dconf-editor, mpdris2, sysprof-cli, seahorse-tool, secret-tool, dconf, gsettings, code-oss, pragha, Maelstrom, ostrichriders, bzflag, freeciv, lincity-ng, megaglest, openttd, crawl, crawl-tiles, teeworlds, torcs, tremulous, warsow, lugaru, manaplus, pioneer, scorched3d, widelands, freemind, kid3, kid3-cli, kid3-qt, nomacs, freecol, opencity, openclonk, slashem, vulturesclaw, vultureseye, anki
+
diff --git a/RELNOTES b/RELNOTES
index d780cc823..3e5329a52 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -6,8 +6,14 @@ firejail (0.9.59) baseline; urgency=low
   * new profiles: netactview, redshift, devhelp, assogiate, subdownloader
   * new profiles: font-manager, exfalso, gconf-editor, dconf-editor
   * new profiles: sysprof-cli, seahorse-tool, secret-tool, dconf, gsettings
-  * new profiles: code-oss, pragha
+  * new profiles: code-oss, pragha, Maelstrom, ostrichriders, bzflag
+  * new profiles: freeciv, lincity-ng, megaglest, openttd, crawl, crawl-tiles
+  * new profiles: teeworlds, torcs, tremulous, warsow, lugaru, manaplus
+  * new profiles: pioneer, scorched3d, widelands, freemind, kid3, kid3-qt
+  * new profiles: kid3-cli, nomacs, freecol, opencity, openclonk, slashem
+  * new profiles: vultureseye, vulturesclaw, anki
   * memory-deny-write-execute now also blocks memfd_create
+  * drop support for flatpak/snap packages
 
 firejail (0.9.58,2) baseline; urgency=low
   * cgroup flag in /etc/firejail/firejail.config file
diff --git a/etc/Maelstrom.profile b/etc/Maelstrom.profile
new file mode 100644
index 000000000..cee49111e
--- /dev/null
+++ b/etc/Maelstrom.profile
@@ -0,0 +1,43 @@
+# Firejail profile for Maelstrom
+# Description: A space combat game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include Maelstrom.local
+# Persistent global definitions
+include globals.local
+
+noblacklist /var/lib/games/Maelstrom-Scores
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+whitelist /var/lib/games
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+net none
+nodbus
+nodvd
+nogroups
+#nonewprivs
+#noroot
+notv
+nou2f
+novideo
+#protocol unix
+#seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin Maelstrom
+private-cache
+private-dev
+private-tmp
diff --git a/etc/acat.profile b/etc/acat.profile
index 0b4579035..f35adf3dc 100644
--- a/etc/acat.profile
+++ b/etc/acat.profile
@@ -3,7 +3,8 @@
 # Persistent local customizations
 include acat.local
 # Persistent global definitions
-include globals.local
+# added by included profile
+#include globals.local
 
 # Redirect
 include atool.profile
diff --git a/etc/adiff.profile b/etc/adiff.profile
index 9073b1477..f22a27e79 100644
--- a/etc/adiff.profile
+++ b/etc/adiff.profile
@@ -3,7 +3,8 @@
 # Persistent local customizations
 include adiff.local
 # Persistent global definitions
-include globals.local
+# added by included profile
+#include globals.local
 
 # Redirect
 include atool.profile
diff --git a/etc/akonadi_control.profile b/etc/akonadi_control.profile
index 4d40e6594..1c16f940e 100644
--- a/etc/akonadi_control.profile
+++ b/etc/akonadi_control.profile
@@ -22,6 +22,7 @@ noblacklist /usr/sbin
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -51,5 +52,3 @@ tracelog
 private-dev
 # private-tmp - breaks programs that depend on akonadi
 
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/als.profile b/etc/als.profile
index 24b8b976b..aa7f29337 100644
--- a/etc/als.profile
+++ b/etc/als.profile
@@ -3,7 +3,8 @@
 # Persistent local customizations
 include als.local
 # Persistent global definitions
-include globals.local
+# added by included profile
+#include globals.local
 
 # Redirect
 include atool.profile
diff --git a/etc/anki.profile b/etc/anki.profile
new file mode 100644
index 000000000..6ab95dd52
--- /dev/null
+++ b/etc/anki.profile
@@ -0,0 +1,57 @@
+# Firejail profile for anki
+# Description: flexible, intelligent flashcard program
+# This file is overwritten after every install/update
+# Persistent local customizations
+include anki.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${DOCUMENTS}
+noblacklist ${HOME}/.local/share/Anki2
+
+# Allow python (blacklisted by disable-interpreters.inc)
+noblacklist ${PATH}/python2*
+noblacklist ${PATH}/python3*
+noblacklist /usr/lib/python2*
+noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python2*
+noblacklist /usr/local/lib/python3*
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+whitelist ${DOCUMENTS}
+whitelist ${HOME}/.local/share/Anki2
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+netfilter
+no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin anki,python*
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,fonts,gtk-2.0,hostname,hosts,machine-id,pki,resolv.conf,Trolltech.conf,ssl
+private-tmp
diff --git a/etc/apack.profile b/etc/apack.profile
index bd5e49a01..b09d3d718 100644
--- a/etc/apack.profile
+++ b/etc/apack.profile
@@ -3,7 +3,8 @@
 # Persistent local customizations
 include apack.local
 # Persistent global definitions
-include globals.local
+# added by included profile
+#include globals.local
 
 # Redirect
 include atool.profile
diff --git a/etc/arch-audit.profile b/etc/arch-audit.profile
index e28733c63..e353326df 100644
--- a/etc/arch-audit.profile
+++ b/etc/arch-audit.profile
@@ -12,6 +12,7 @@ noblacklist /var/lib/pacman
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -44,5 +45,3 @@ private-dev
 private-tmp
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/arepack.profile b/etc/arepack.profile
index f5584b2be..d23fc21db 100644
--- a/etc/arepack.profile
+++ b/etc/arepack.profile
@@ -3,7 +3,8 @@
 # Persistent local customizations
 include arepack.local
 # Persistent global definitions
-include globals.local
+# added by included profile
+#include globals.local
 
 # Redirect
 include atool.profile
diff --git a/etc/aria2c.profile b/etc/aria2c.profile
index 10d607c49..6e5a87dab 100644
--- a/etc/aria2c.profile
+++ b/etc/aria2c.profile
@@ -28,7 +28,7 @@ nosound
 notv
 nou2f
 novideo
-protocol unix,inet,inet6
+protocol unix,inet,inet6,netlink
 seccomp
 shell none
 
@@ -36,7 +36,7 @@ shell none
 private-bin aria2c,gzip
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,ssl
+private-etc alternatives,ca-certificates,ssl,resolv.conf
 private-lib libreadline.so.*
 private-tmp
 
diff --git a/etc/ark.profile b/etc/ark.profile
index b60674f95..9214e96ff 100644
--- a/etc/ark.profile
+++ b/etc/ark.profile
@@ -10,6 +10,7 @@ noblacklist ${HOME}/.config/arkrc
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -39,5 +40,3 @@ private-bin ark,unrar,rar,unzip,zip,zipinfo,7z,p7zip,unar,lsar,lrzip,lzop,lz4,ba
 private-dev
 private-tmp
 
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/arm.profile b/etc/arm.profile
index 217b61d09..d31b962ca 100644
--- a/etc/arm.profile
+++ b/etc/arm.profile
@@ -13,6 +13,8 @@ noblacklist ${PATH}/python2*
 noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python2*
+noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/artha.profile b/etc/artha.profile
index 431fc3ed1..8ef5124de 100644
--- a/etc/artha.profile
+++ b/etc/artha.profile
@@ -11,14 +11,15 @@ noblacklist ${HOME}/.config/enchant
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
+apparmor
 caps.drop all
 ipc-namespace
-machine-id
-net none
+# net none - breaks on Ubuntu
 no3d
 # nodbus
 nodvd
@@ -37,10 +38,8 @@ disable-mnt
 private-bin artha,enchant,notify-send
 private-cache
 private-dev
-private-etc alternatives,fonts
+private-etc alternatives,machine-id,fonts
 private-lib libnotify.so.*
 private-tmp
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/assogiate.profile b/etc/assogiate.profile
index 1161c24fe..c579cc280 100644
--- a/etc/assogiate.profile
+++ b/etc/assogiate.profile
@@ -10,6 +10,7 @@ noblacklist ${PICTURES}
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -38,12 +39,10 @@ shell none
 tracelog
 
 disable-mnt
-private-bin assogiate
+private-bin assogiate,gtk-update-icon-cache
 private-cache
 private-dev
 private-lib gnome-vfs-2.0,libattr.so.*,libacl.so.*,libfam.so.*
 private-tmp
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/asunder.profile b/etc/asunder.profile
index 3167dfe12..fa2479051 100644
--- a/etc/asunder.profile
+++ b/etc/asunder.profile
@@ -14,6 +14,7 @@ noblacklist ${MUSIC}
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -39,5 +40,3 @@ private-tmp
 
 # mdwe is disabled due to breaking hardware accelerated decoding
 # memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/atool.profile b/etc/atool.profile
index c82108cef..b17498e9d 100644
--- a/etc/atool.profile
+++ b/etc/atool.profile
@@ -18,15 +18,21 @@ noblacklist /usr/share/perl*
 
 include disable-common.inc
 # include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
+apparmor
 caps.drop all
-netfilter
+hostname atool
+ipc-namespace
+machine-id
 net none
+netfilter
 no3d
 nodvd
+nodbus
 nogroups
 nonewprivs
 noroot
@@ -39,9 +45,11 @@ seccomp
 shell none
 tracelog
 
+# private-bin atool,perl
 private-cache
-# private-bin atool
 private-dev
 # without login.defs atool complains and uses UID/GID 1000 by default
 private-etc alternatives,passwd,group,login.defs
 private-tmp
+
+memory-deny-write-execute
diff --git a/etc/atril.profile b/etc/atril.profile
index aca945ba3..2f39af823 100644
--- a/etc/atril.profile
+++ b/etc/atril.profile
@@ -15,6 +15,7 @@ noblacklist ${DOCUMENTS}
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -49,5 +50,3 @@ private-tmp
 
 # webkit gtk killed by memory-deny-write-execute
 #memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/audacious.profile b/etc/audacious.profile
index 590d3ffa3..4d0c93047 100644
--- a/etc/audacious.profile
+++ b/etc/audacious.profile
@@ -12,6 +12,7 @@ noblacklist ${MUSIC}
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -40,5 +41,3 @@ private-dev
 private-tmp
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/audacity.profile b/etc/audacity.profile
index 4dd412359..200d3a387 100644
--- a/etc/audacity.profile
+++ b/etc/audacity.profile
@@ -12,6 +12,7 @@ noblacklist ${MUSIC}
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -41,5 +42,3 @@ private-dev
 private-tmp
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/aunpack.profile b/etc/aunpack.profile
index cde9473e3..c119ed9ad 100644
--- a/etc/aunpack.profile
+++ b/etc/aunpack.profile
@@ -3,7 +3,8 @@
 # Persistent local customizations
 include aunpack.local
 # Persistent global definitions
-include globals.local
+# added by included profile
+#include globals.local
 
 # Redirect
 include atool.profile
diff --git a/etc/authenticator.profile b/etc/authenticator.profile
index 7f5090251..f989ab1ba 100644
--- a/etc/authenticator.profile
+++ b/etc/authenticator.profile
@@ -8,12 +8,17 @@ include globals.local
 
 noblacklist ${HOME}/.config/Authenticator
 
-# Allow python 3.x (blacklisted by disable-interpreters.inc)
+# Allow python (blacklisted by disable-interpreters.inc)
+#noblacklist ${PATH}/python2*
 noblacklist ${PATH}/python3*
+#noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
+#noblacklist /usr/local/lib/python2*
+noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -43,5 +48,3 @@ private-etc alternatives,fonts,ld.so.cache
 private-tmp
 
 # memory-deny-write-execute - breaks on Arch
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/baloo_file.profile b/etc/baloo_file.profile
index 176d8cae7..f46987cc7 100644
--- a/etc/baloo_file.profile
+++ b/etc/baloo_file.profile
@@ -19,6 +19,7 @@ noblacklist ${HOME}/.local/share/baloo
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -46,6 +47,3 @@ private-bin baloo_file,baloo_file_extractor,baloo_filemetadata_temp_extractor,kb
 private-cache
 private-dev
 private-tmp
-
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/bleachbit.profile b/etc/bleachbit.profile
index fa850fe1a..fae7d8133 100644
--- a/etc/bleachbit.profile
+++ b/etc/bleachbit.profile
@@ -11,6 +11,8 @@ noblacklist ${PATH}/python2*
 noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python2*
+noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/blender.profile b/etc/blender.profile
index 77d073cd7..d23fe0810 100644
--- a/etc/blender.profile
+++ b/etc/blender.profile
@@ -13,6 +13,8 @@ noblacklist ${PATH}/python2*
 noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python2*
+noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/bsdtar.profile b/etc/bsdtar.profile
index b6b673976..f964438bc 100644
--- a/etc/bsdtar.profile
+++ b/etc/bsdtar.profile
@@ -10,16 +10,20 @@ blacklist /tmp/.X11-unix
 
 include disable-common.inc
 # include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
+apparmor
 caps.drop all
 hostname bsdtar
 ipc-namespace
+machine-id
 netfilter
 no3d
 nodvd
+nodbus
 nogroups
 nonewprivs
 # noroot
@@ -34,5 +38,8 @@ tracelog
 
 # support compressed archives
 private-bin sh,bash,bsdcat,bsdcpio,bsdtar,gtar,compress,gzip,lzma,xz,bzip2,lbzip2,lzip,lzop,lz4,libarchive
+private-cache
 private-dev
 private-etc alternatives,passwd,group,localtime
+
+memory-deny-write-execute
diff --git a/etc/bunzip2.profile b/etc/bunzip2.profile
index 891476cb1..ff86cbdfc 100644
--- a/etc/bunzip2.profile
+++ b/etc/bunzip2.profile
@@ -1,9 +1,11 @@
 # Firejail profile for bunzip2
+# Description: A high-quality data compression program
 # This file is overwritten after every install/update
 # Persistent local customizations
 include bunzip2.local
 # Persistent global definitions
-include globals.local
+# added by included profile
+#include globals.local
 
 # Redirect
 include gzip.profile
diff --git a/etc/bzflag.profile b/etc/bzflag.profile
new file mode 100644
index 000000000..94cd40899
--- /dev/null
+++ b/etc/bzflag.profile
@@ -0,0 +1,44 @@
+# Firejail profile for bzflag
+# Description: 3D multi-player tank battle game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include bzflag.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.bzf
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.bzf
+whitelist ${HOME}/.bzf
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin bzflag,bzflag-wrapper,bzfs,bzadmin
+private-cache
+private-dev
+private-tmp
diff --git a/etc/bzip2.profile b/etc/bzip2.profile
new file mode 100644
index 000000000..0f2fdd35a
--- /dev/null
+++ b/etc/bzip2.profile
@@ -0,0 +1,11 @@
+# Firejail profile for bzip2
+# Description: A high-quality data compression program
+# This file is overwritten after every install/update
+# Persistent local customizations
+include bzip2.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include gzip.profile
diff --git a/etc/caja.profile b/etc/caja.profile
index 49516de8c..f38110dc9 100644
--- a/etc/caja.profile
+++ b/etc/caja.profile
@@ -18,6 +18,8 @@ noblacklist ${PATH}/python2*
 noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python2*
+noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/catfish.profile b/etc/catfish.profile
index 1afcd0365..341348ff9 100644
--- a/etc/catfish.profile
+++ b/etc/catfish.profile
@@ -16,6 +16,8 @@ noblacklist ${PATH}/python2*
 noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python2*
+noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 # include disable-devel.inc
diff --git a/etc/celluloid.profile b/etc/celluloid.profile
index 1f61ff9f5..5604a16b9 100644
--- a/etc/celluloid.profile
+++ b/etc/celluloid.profile
@@ -21,6 +21,7 @@ noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -47,5 +48,3 @@ private-etc alternatives,ca-certificates,ssl,pki,pkcs11,hosts,machine-id,localti
 private-dev
 private-tmp
 
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/checkbashisms.profile b/etc/checkbashisms.profile
index fe2648792..5afbf2d56 100644
--- a/etc/checkbashisms.profile
+++ b/etc/checkbashisms.profile
@@ -18,6 +18,7 @@ noblacklist /usr/share/perl*
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -50,5 +51,3 @@ private-lib perl*
 private-tmp
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/cherrytree.profile b/etc/cherrytree.profile
index d7dcf87dd..22bda418a 100644
--- a/etc/cherrytree.profile
+++ b/etc/cherrytree.profile
@@ -14,6 +14,8 @@ noblacklist ${PATH}/python2*
 noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python2*
+noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/chromium-common.profile b/etc/chromium-common.profile
index a182e5d20..3c7423316 100644
--- a/etc/chromium-common.profile
+++ b/etc/chromium-common.profile
@@ -6,11 +6,15 @@ include chromium-common.local
 # already included by caller profile
 #include globals.local
 
+# noexec ${HOME} breaks DRM binaries.
+ignore noexec ${HOME}
+
 noblacklist ${HOME}/.pki
 noblacklist ${HOME}/.local/share/pki
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-programs.inc
 
@@ -37,9 +41,5 @@ disable-mnt
 private-dev
 # private-tmp - problems with multiple browser sessions
 
-# breaks DRM binaries
-#noexec ${HOME}
-noexec /tmp
-
 # the file dialog needs to work without d-bus
 env NO_CHROME_KDE_FILE_DIALOG=1
diff --git a/etc/clamav.profile b/etc/clamav.profile
index a48fa8039..45e7723eb 100644
--- a/etc/clamav.profile
+++ b/etc/clamav.profile
@@ -7,6 +7,8 @@ include clamav.local
 # Persistent global definitions
 include globals.local
 
+include disable-exec.inc
+
 caps.drop all
 ipc-namespace
 net none
@@ -30,5 +32,3 @@ private-dev
 read-only ${HOME}
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/clamtk.profile b/etc/clamtk.profile
index a93523acc..bc09808cb 100644
--- a/etc/clamtk.profile
+++ b/etc/clamtk.profile
@@ -5,6 +5,8 @@ include clamtk.local
 # Persistent global definitions
 include globals.local
 
+include disable-exec.inc
+
 caps.drop all
 ipc-namespace
 net none
@@ -23,6 +25,3 @@ seccomp
 shell none
 
 private-dev
-
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/clawsker.profile b/etc/clawsker.profile
index 404e1b8ed..c519ecedb 100644
--- a/etc/clawsker.profile
+++ b/etc/clawsker.profile
@@ -17,6 +17,7 @@ noblacklist /usr/share/perl*
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -25,6 +26,7 @@ mkdir ${HOME}/.claws-mail
 whitelist ${HOME}/.claws-mail
 include whitelist-common.inc
 
+apparmor
 caps.drop all
 net none
 no3d
@@ -42,13 +44,11 @@ seccomp
 shell none
 
 disable-mnt
-private-bin clawsker,perl
+private-bin bash,clawsker,perl,sh,which
 private-cache
 private-dev
 private-etc alternatives,fonts
-private-lib girepository-1.*,libgirepository-1.*,perl*
+private-lib girepository-1.*,libdbus-glib-1.so.*,libetpan.so.*,libgirepository-1.*,libgtk-x11-2.0.so.*,libstartup-notification-1.so.*,perl*
 private-tmp
 
 # memory-deny-write-execute - breaks on Arch
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/clipit.profile b/etc/clipit.profile
index 052d0464b..6e4d3fbaf 100644
--- a/etc/clipit.profile
+++ b/etc/clipit.profile
@@ -11,6 +11,7 @@ noblacklist ${HOME}/.local/share/clipit
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -39,5 +40,3 @@ private-cache
 private-dev
 private-tmp
 
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/cpio.profile b/etc/cpio.profile
index f63e0a552..b6f7e7f9f 100644
--- a/etc/cpio.profile
+++ b/etc/cpio.profile
@@ -13,14 +13,21 @@ noblacklist /sbin
 noblacklist /usr/sbin
 
 include disable-common.inc
+# include disable-devel.inc
+include disable-exec.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
+apparmor
 caps.drop all
+hostname cpio
+ipc-namespace
+machine-id
 net none
 no3d
 nodbus
 nodvd
+nogroups
 nonewprivs
 nosound
 notv
@@ -30,4 +37,7 @@ seccomp
 shell none
 tracelog
 
+private-cache
 private-dev
+
+memory-deny-write-execute
diff --git a/etc/crawl-tiles.profile b/etc/crawl-tiles.profile
new file mode 100644
index 000000000..39151865e
--- /dev/null
+++ b/etc/crawl-tiles.profile
@@ -0,0 +1,7 @@
+# Firejail profile alias for crawl
+# This file is overwritten after every install/update
+
+ignore no3d
+
+# Redirect
+include crawl.profile
diff --git a/etc/crawl.profile b/etc/crawl.profile
new file mode 100644
index 000000000..af78ac738
--- /dev/null
+++ b/etc/crawl.profile
@@ -0,0 +1,45 @@
+# Firejail profile for crawl-tiles
+# Description: Roguelike dungeon exploration game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include crawl-tiles.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.crawl
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.crawl
+whitelist ${HOME}/.crawl
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+net none
+no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+
+disable-mnt
+private-bin crawl,crawl-tiles
+private-cache
+private-dev
+private-tmp
diff --git a/etc/d-feet.profile b/etc/d-feet.profile
index 1a11ca2a4..9475bdd2a 100644
--- a/etc/d-feet.profile
+++ b/etc/d-feet.profile
@@ -9,13 +9,16 @@ include globals.local
 noblacklist ${HOME}/.config/d-feet
 
 # Allow python (disabled by disable-interpreters.inc)
-#noblacklist ${PATH}/python2*
+noblacklist ${PATH}/python2*
 noblacklist ${PATH}/python3*
-#noblacklist /usr/lib/python2*
+noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python2*
+noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -29,8 +32,7 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 ipc-namespace
-machine-id
-net none
+# net none - breaks on Ubuntu
 no3d
 nodvd
 nogroups
@@ -48,9 +50,7 @@ disable-mnt
 private-bin d-feet,python*
 private-cache
 private-dev
-private-etc alternatives,dbus-1,fonts
+private-etc alternatives,dbus-1,fonts,machine-id
 private-tmp
 
 # memory-deny-write-execute - Breaks on Arch
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/dconf-editor.profile b/etc/dconf-editor.profile
index abaf5acd5..6b7f8f112 100644
--- a/etc/dconf-editor.profile
+++ b/etc/dconf-editor.profile
@@ -6,8 +6,11 @@ include dconf-editor.local
 # Persistent global definitions
 include globals.local
 
+whitelist ${HOME}/.local/share/glib-2.0
+
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -17,8 +20,7 @@ include whitelist-common.inc
 
 apparmor
 caps.drop all
-machine-id
-net none
+# net none - breaks application on older versions
 no3d
 nodvd
 nogroups
@@ -37,10 +39,8 @@ disable-mnt
 private-bin dconf-editor
 private-cache
 private-dev
-private-etc alternatives,fonts
+private-etc alternatives,fonts,machine-id
 private-lib
 private-tmp
 
 # memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/dconf.profile b/etc/dconf.profile
index d2376cc35..6ffcddaf5 100644
--- a/etc/dconf.profile
+++ b/etc/dconf.profile
@@ -6,8 +6,11 @@ include dconf.local
 # Persistent global definitions
 include globals.local
 
+whitelist ${HOME}/.local/share/glib-2.0
+
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -44,5 +47,3 @@ private-lib
 private-tmp
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/default.profile b/etc/default.profile
index 917e42287..3eacf9546 100644
--- a/etc/default.profile
+++ b/etc/default.profile
@@ -10,11 +10,13 @@ include globals.local
 
 include disable-common.inc
 # include disable-devel.inc
+# include disable-exec.inc
 # include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
-#include disable-xdg.inc
+# include disable-xdg.inc
 
+# apparmor
 caps.drop all
 # ipc-namespace
 netfilter
@@ -42,5 +44,3 @@ seccomp
 # private-tmp
 
 # memory-deny-write-execute
-# noexec ${HOME}
-# noexec /tmp
diff --git a/etc/deluge.profile b/etc/deluge.profile
index 8df6e028f..e86c84272 100644
--- a/etc/deluge.profile
+++ b/etc/deluge.profile
@@ -13,6 +13,8 @@ noblacklist ${PATH}/python2*
 noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python2*
+noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 # include disable-devel.inc
diff --git a/etc/devhelp.profile b/etc/devhelp.profile
index 7f00e55e7..4e618b7ea 100644
--- a/etc/devhelp.profile
+++ b/etc/devhelp.profile
@@ -9,6 +9,7 @@ include globals.local
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -18,8 +19,7 @@ include whitelist-common.inc
 
 apparmor
 caps.drop all
-machine-id
-net none
+# net none - makes settings immutable
 # nodbus - makes settings immutable
 nodvd
 nogroups
@@ -38,11 +38,9 @@ disable-mnt
 private-bin devhelp
 private-cache
 private-dev
-private-etc alternatives,fonts
+private-etc alternatives,dconf,fonts,ld.so.cache,machine-id,ssl
 private-tmp
 
 # memory-deny-write-execute - Breaks on Arch
-noexec ${HOME}
-noexec /tmp
 
 read-only ${HOME}
diff --git a/etc/devilspie.profile b/etc/devilspie.profile
index ffab615d1..2d100c4b0 100644
--- a/etc/devilspie.profile
+++ b/etc/devilspie.profile
@@ -10,6 +10,7 @@ noblacklist ${HOME}/.devilspie
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -44,7 +45,5 @@ private-lib gconv
 private-tmp
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
 
 read-only ${HOME}
diff --git a/etc/devilspie2.profile b/etc/devilspie2.profile
index b89bf122b..2f599366b 100644
--- a/etc/devilspie2.profile
+++ b/etc/devilspie2.profile
@@ -10,6 +10,7 @@ noblacklist ${HOME}/.config/devilspie2
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -44,7 +45,5 @@ private-lib gconv
 private-tmp
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
 
 read-only ${HOME}
diff --git a/etc/dig.profile b/etc/dig.profile
index 23970d9d0..1843f6e46 100644
--- a/etc/dig.profile
+++ b/etc/dig.profile
@@ -11,6 +11,7 @@ noblacklist ${HOME}/.digrc
 
 include disable-common.inc
 # include disable-devel.inc
+include disable-exec.inc
 # include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -49,5 +50,3 @@ private-lib
 private-tmp
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/digikam.profile b/etc/digikam.profile
index cc0e98ba3..e9c89a1b9 100644
--- a/etc/digikam.profile
+++ b/etc/digikam.profile
@@ -14,6 +14,7 @@ noblacklist ${PICTURES}
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -40,5 +41,3 @@ shell none
 # private-etc alternatives,ca-certificates,ssl,pki,crypto-policies
 private-tmp
 
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/disable-exec.inc b/etc/disable-exec.inc
new file mode 100644
index 000000000..ee3391730
--- /dev/null
+++ b/etc/disable-exec.inc
@@ -0,0 +1,11 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include disable-exec.local
+
+noexec ${HOME}
+noexec ${RUNUSER}
+noexec /dev/shm
+noexec /tmp
+# /var is noexec by default for unprivileged users
+# except there is a writable-var option, so just in case:
+noexec /var
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index 971e00f18..96fd80daf 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -6,7 +6,6 @@ blacklist ${HOME}/Arduino
 blacklist ${HOME}/Monero/wallets
 blacklist ${HOME}/Nextcloud/Notes
 blacklist ${HOME}/Standard Notes Backups
-blacklist ${HOME}/snap
 blacklist ${HOME}/wallet.dat
 blacklist ${HOME}/.*coin
 blacklist ${HOME}/.8pecxstudios
@@ -49,8 +48,10 @@ blacklist ${HOME}/.bcast5
 blacklist ${HOME}/.bibletime
 blacklist ${HOME}/.bitcoin
 blacklist ${HOME}/.bogofilter
+blacklist ${HOME}/.bzf
 blacklist ${HOME}/.claws-mail
 blacklist ${HOME}/.cliqz
+blacklist ${HOME}/.clonk
 blacklist ${HOME}/.config/0ad
 blacklist ${HOME}/.config/2048-qt
 blacklist ${HOME}/.config/Atom
@@ -77,6 +78,7 @@ blacklist ${HOME}/.config/Google Play Music Desktop Player
 blacklist ${HOME}/.config/Gpredict
 blacklist ${HOME}/.config/INRIA
 blacklist ${HOME}/.config/InSilmaril
+blacklist ${HOME}/.config/Kid3
 blacklist ${HOME}/.config/Luminance
 blacklist ${HOME}/.config/Meltytech
 blacklist ${HOME}/.config/Mendeley Ltd.
@@ -156,6 +158,7 @@ blacklist ${HOME}/.config/falkon
 blacklist ${HOME}/.config/filezilla
 blacklist ${HOME}/.config/flowblade
 blacklist ${HOME}/.config/font-manager
+blacklist ${HOME}/.config/freecol
 blacklist ${HOME}/.config/gajim
 blacklist ${HOME}/.config/galculator
 blacklist ${HOME}/.config/gconf
@@ -190,6 +193,7 @@ blacklist ${HOME}/.config/katesyntaxhighlightingrc
 blacklist ${HOME}/.config/katevirc
 blacklist ${HOME}/.config/kdenliverc
 blacklist ${HOME}/.config/kgetrc
+blacklist ${HOME}/.config/kid3rc
 blacklist ${HOME}/.config/klavaro
 blacklist ${HOME}/.config/klipperrc
 blacklist ${HOME}/.config/kmail2rc
@@ -203,8 +207,10 @@ blacklist ${HOME}/.config/ktorrentrc
 blacklist ${HOME}/.config/leafpad
 blacklist ${HOME}/.config/libreoffice
 blacklist ${HOME}/.config/liferea
+blacklist ${HOME}/.config/lugaru
 blacklist ${HOME}/.config/lximage-qt
 blacklist ${HOME}/.config/mailtransports
+blacklist ${HOME}/.config/mana
 blacklist ${HOME}/.config/mate-calc
 blacklist ${HOME}/.config/mate/eom
 blacklist ${HOME}/.config/mate/mate-dictionary
@@ -223,6 +229,7 @@ blacklist ${HOME}/.config/nemo
 blacklist ${HOME}/.config/netsurf
 blacklist ${HOME}/.config/nheko
 blacklist ${HOME}/.config/NitroShare
+blacklist ${HOME}/.config/nomacs
 blacklist ${HOME}/.config/obs-studio
 blacklist ${HOME}/.config/okularpartrc
 blacklist ${HOME}/.config/okularrc
@@ -296,6 +303,7 @@ blacklist ${HOME}/.config/yandex-browser-beta
 blacklist ${HOME}/.config/zathura
 blacklist ${HOME}/.config/zoomus.conf
 blacklist ${HOME}/.conkeror.mozdev.org
+blacklist ${HOME}/.crawl
 blacklist ${HOME}/.curlrc
 blacklist ${HOME}/.dashcore
 blacklist ${HOME}/.devilspie
@@ -318,6 +326,9 @@ blacklist ${HOME}/.filezilla
 blacklist ${HOME}/.flowblade
 blacklist ${HOME}/.fltk
 blacklist ${HOME}/.fossamail
+blacklist ${HOME}/.freeciv
+blacklist ${HOME}/.freecol
+blacklist ${HOME}/.freemind
 blacklist ${HOME}/.frozen-bubble
 blacklist ${HOME}/.gimp*
 blacklist ${HOME}/.git-credential-cache
@@ -404,12 +415,14 @@ blacklist ${HOME}/.killingfloor
 blacklist ${HOME}/.kino-history
 blacklist ${HOME}/.kinorc
 blacklist ${HOME}/.kodi
+blacklist ${HOME}/.lincity-ng
 blacklist ${HOME}/.linphone-history.db
 blacklist ${HOME}/.linphonerc
 blacklist ${HOME}/.lmmsrc.xml
 blacklist ${HOME}/.local/lib/vivaldi
 blacklist ${HOME}/.local/share/0ad
 blacklist ${HOME}/.local/share/3909/PapersPlease
+blacklist ${HOME}/.local/share/Anki2
 blacklist ${HOME}/.local/share/Empathy
 blacklist ${HOME}/.local/share/JetBrains
 blacklist ${HOME}/.local/share/Mendeley Ltd.
@@ -437,6 +450,7 @@ blacklist ${HOME}/.local/share/data/Mendeley Ltd.
 blacklist ${HOME}/.local/share/data/Mumble
 blacklist ${HOME}/.local/share/data/MusE
 blacklist ${HOME}/.local/share/data/MuseScore
+blacklist ${HOME}/.local/share/data/nomacs
 blacklist ${HOME}/.local/share/data/qBittorrent
 blacklist ${HOME}/.local/share/dino
 blacklist ${HOME}/.local/share/dolphin
@@ -445,6 +459,7 @@ blacklist ${HOME}/.local/share/epiphany
 blacklist ${HOME}/.local/share/evolution
 blacklist ${HOME}/.local/share/feedreader
 blacklist ${HOME}/.local/share/feral-interactive
+blacklist ${HOME}/.local/share/freecol
 blacklist ${HOME}/.local/share/gajim
 blacklist ${HOME}/.local/share/geary
 blacklist ${HOME}/.local/share/geeqie
@@ -472,6 +487,8 @@ blacklist ${HOME}/.local/share/kwrite
 blacklist ${HOME}/.local/share/liferea
 blacklist ${HOME}/.local/share/local-mail
 blacklist ${HOME}/.local/share/lollypop
+blacklist ${HOME}/.local/share/lugaru
+blacklist ${HOME}/.local/share/mana
 blacklist ${HOME}/.local/share/maps-places.json
 blacklist ${HOME}/.local/share/meld
 blacklist ${HOME}/.local/share/midori
@@ -483,6 +500,7 @@ blacklist ${HOME}/.local/share/nautilus
 blacklist ${HOME}/.local/share/nautilus-python
 blacklist ${HOME}/.local/share/nemo
 blacklist ${HOME}/.local/share/nemo-python
+blacklist ${HOME}/.local/share/nomacs
 blacklist ${HOME}/.local/share/notes
 blacklist ${HOME}/.local/share/ocenaudio
 blacklist ${HOME}/.local/share/okular
@@ -508,6 +526,7 @@ blacklist ${HOME}/.local/share/uzbl
 blacklist ${HOME}/.local/share/vlc
 blacklist ${HOME}/.local/share/vpltd
 blacklist ${HOME}/.local/share/vulkan
+blacklist ${HOME}/.local/share/warsow-2.1
 blacklist ${HOME}/.local/share/wesnoth
 blacklist ${HOME}/.local/share/xplayer
 blacklist ${HOME}/.local/share/xreader
@@ -517,6 +536,7 @@ blacklist ${HOME}/.masterpdfeditor
 blacklist ${HOME}/.mcabber
 blacklist ${HOME}/.mcabberrc
 blacklist ${HOME}/.mediathek3
+blacklist ${HOME}/.megaglest
 blacklist ${HOME}/.minetest
 blacklist ${HOME}/.moonchild productions/basilisk
 blacklist ${HOME}/.moonchild productions/pale moon
@@ -531,12 +551,16 @@ blacklist ${HOME}/.netactview
 blacklist ${HOME}/.neverball
 blacklist ${HOME}/.nv
 blacklist ${HOME}/.nylas-mail
+blacklist ${HOME}/.opencity
 blacklist ${HOME}/.openinvaders
 blacklist ${HOME}/.openshot
 blacklist ${HOME}/.openshot_qt
+blacklist ${HOME}/.openttd
 blacklist ${HOME}/.opera
 blacklist ${HOME}/.opera-beta
+blacklist ${HOME}/.ostrichriders
 blacklist ${HOME}/.pingus
+blacklist ${HOME}/.pioneer
 blacklist ${HOME}/.purple
 blacklist ${HOME}/.qemu-launcher
 blacklist ${HOME}/.qmmp
@@ -546,6 +570,7 @@ blacklist ${HOME}/.remmina
 blacklist ${HOME}/.repo_.gitconfig.json
 blacklist ${HOME}/.repoconfig
 blacklist ${HOME}/.retroshare
+blacklist ${HOME}/.scorched3d
 blacklist ${HOME}/.scribus
 blacklist ${HOME}/.scribusrc
 blacklist ${HOME}/.simutrans
@@ -560,10 +585,14 @@ blacklist ${HOME}/.sword
 blacklist ${HOME}/.sylpheed-2.0
 blacklist ${HOME}/.synfig
 blacklist ${HOME}/.tconn
+blacklist ${HOME}/.teeworlds
 blacklist ${HOME}/.thunderbird
 blacklist ${HOME}/.tilp
 blacklist ${HOME}/.tooling
 blacklist ${HOME}/.tor-browser-*
+blacklist ${HOME}/.tor-browser_*
+blacklist ${HOME}/.torcs
+blacklist ${HOME}/.tremulous
 blacklist ${HOME}/.ts3client
 blacklist ${HOME}/.tuxguitar*
 blacklist ${HOME}/.unknown-horizons
@@ -572,12 +601,14 @@ blacklist ${HOME}/.viking-maps
 blacklist ${HOME}/.vscode
 blacklist ${HOME}/.vscode-oss
 blacklist ${HOME}/.vst
+blacklist ${HOME}/.vultures
 blacklist ${HOME}/.w3m
 blacklist ${HOME}/.warzone2100-3.*
 blacklist ${HOME}/.waterfox
 blacklist ${HOME}/.weechat
 blacklist ${HOME}/.wget-hsts
 blacklist ${HOME}/.wgetrc
+blacklist ${HOME}/.widelands
 blacklist ${HOME}/.wine
 blacklist ${HOME}/.wireshark
 blacklist ${HOME}/.wine64
@@ -620,6 +651,7 @@ blacklist ${HOME}/.cache/falkon
 blacklist ${HOME}/.cache/feedreader
 blacklist ${HOME}/.cache/font-manager
 blacklist ${HOME}/.cache/fossamail
+blacklist ${HOME}/.cache/freecol
 blacklist ${HOME}/.cache/gajim
 blacklist ${HOME}/.cache/geeqie
 blacklist ${HOME}/.cache/google-chrome
@@ -684,6 +716,7 @@ blacklist ${HOME}/.cache/transmission
 blacklist ${HOME}/.cache/vivaldi
 blacklist ${HOME}/.cache/vivaldi-snapshot
 blacklist ${HOME}/.cache/vlc
+blacklist ${HOME}/.cache/warsow-2.1
 blacklist ${HOME}/.cache/waterfox
 blacklist ${HOME}/.cache/wesnoth
 blacklist ${HOME}/.cache/xmms2
@@ -692,3 +725,7 @@ blacklist ${HOME}/.cache/yandex-browser
 blacklist ${HOME}/.cache/yandex-browser-beta
 
 blacklist /var/games/nethack
+blacklist /var/games/slashem
+blacklist /var/games/vulturesclaw
+blacklist /var/games/vultureseye
+blacklist /var/lib/games/Maelstrom-Scores
diff --git a/etc/display.profile b/etc/display.profile
index ff19365ad..e66fa3ae9 100644
--- a/etc/display.profile
+++ b/etc/display.profile
@@ -12,6 +12,8 @@ noblacklist ${PATH}/python2*
 noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python2*
+noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/easystroke.profile b/etc/easystroke.profile
index 44156f97e..42529d302 100644
--- a/etc/easystroke.profile
+++ b/etc/easystroke.profile
@@ -10,12 +10,14 @@ noblacklist ${HOME}/.easystroke
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-xdg.inc
 
+apparmor
 caps.drop all
-ipc-namespace
 machine-id
 net none
 no3d
@@ -33,13 +35,13 @@ seccomp
 shell none
 
 disable-mnt
-private-bin easystroke,bash,sh
+# breaks custom shell command functionality
+#private-bin bash,easystroke,sh
 private-cache
 private-dev
-private-etc alternatives,fonts
-private-lib gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.so.*
+private-etc alternatives,fonts,group,passwd
+# breaks custom shell command functionality
+#private-lib gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.so.*
 private-tmp
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/electrum.profile b/etc/electrum.profile
index a290683de..9d5cf7fab 100644
--- a/etc/electrum.profile
+++ b/etc/electrum.profile
@@ -13,6 +13,8 @@ noblacklist ${PATH}/python2*
 noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python2*
+noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/enchant.profile b/etc/enchant.profile
index 7d304feb7..288d8799c 100644
--- a/etc/enchant.profile
+++ b/etc/enchant.profile
@@ -10,6 +10,7 @@ noblacklist ${HOME}/.config/enchant
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -43,5 +44,3 @@ private-lib
 private-tmp
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/engrampa.profile b/etc/engrampa.profile
index 670808de2..562e8f542 100644
--- a/etc/engrampa.profile
+++ b/etc/engrampa.profile
@@ -8,6 +8,7 @@ include globals.local
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -38,5 +39,3 @@ private-dev
 # private-tmp
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/eog.profile b/etc/eog.profile
index 32b648bd9..f296cbcb4 100644
--- a/etc/eog.profile
+++ b/etc/eog.profile
@@ -13,6 +13,7 @@ noblacklist ${HOME}/.steam
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -23,9 +24,7 @@ apparmor
 caps.drop all
 ipc-namespace
 machine-id
-net none
 no3d
-# nodbus - makes settings immutable
 nodvd
 nogroups
 nonewprivs
@@ -37,7 +36,10 @@ novideo
 protocol unix
 seccomp
 shell none
+tracelog
 
+# private-bin, private-etc and private-lib break 'Open With' / 'Open in file manager'
+# comment those if you need that functionality
 private-bin eog
 private-cache
 private-dev
@@ -46,5 +48,3 @@ private-lib eog,gdk-pixbuf-2.*,gio,girepository-1.*,gvfs,libgconf-2.so.*
 private-tmp
 
 # memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/eom.profile b/etc/eom.profile
index c34331da6..a6007f99c 100644
--- a/etc/eom.profile
+++ b/etc/eom.profile
@@ -19,11 +19,8 @@ include disable-programs.inc
 
 include whitelist-var-common.inc
 
-# apparmor - makes settings immutable
 caps.drop all
-# net none - makes settings immutable
 no3d
-# nodbus - makes settings immutable
 nodvd
 nogroups
 nonewprivs
@@ -37,6 +34,8 @@ seccomp
 shell none
 tracelog
 
+# private-bin, private-etc and private-lib break 'Open With' / 'Open in file manager'
+# comment those if you need that functionality
 private-bin eom
 private-dev
 private-etc alternatives,fonts
diff --git a/etc/exfalso.profile b/etc/exfalso.profile
index 23bd25986..b4d275d22 100644
--- a/etc/exfalso.profile
+++ b/etc/exfalso.profile
@@ -14,6 +14,8 @@ noblacklist ${PATH}/python2*
 noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python2*
+noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/exiftool.profile b/etc/exiftool.profile
index 1838ce273..2ee4aae6f 100644
--- a/etc/exiftool.profile
+++ b/etc/exiftool.profile
@@ -15,6 +15,7 @@ noblacklist /usr/share/perl*
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -39,12 +40,12 @@ seccomp
 shell none
 tracelog
 
-private-bin exiftool,perl
+# To support exiftool in private-bin on Arch Linux (and derivatives), symlink /usr/bin/vendor_perl/exiftool to /usr/bin/exiftool and uncomment the below.
+# Users on non-Arch Linux distributions can safely uncomment the below to enable extra hardening.
+#private-bin exiftool,perl
 private-cache
 private-dev
 private-etc alternatives
 private-tmp
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/feh-network.inc b/etc/feh-network.inc
index b74486f4f..f3876475e 100644
--- a/etc/feh-network.inc
+++ b/etc/feh-network.inc
@@ -1,2 +1,4 @@
 ignore net none
-private-etc resolv.conf,ca-certificates,ssl
+netfilter
+protocol unix,inet,inet6
+private-etc resolv.conf,ca-certificates,ssl,pki,hosts,crypto-policies
diff --git a/etc/ffmpeg.profile b/etc/ffmpeg.profile
index aa7a91928..a1c311e42 100644
--- a/etc/ffmpeg.profile
+++ b/etc/ffmpeg.profile
@@ -12,6 +12,7 @@ noblacklist ${VIDEOS}
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -48,5 +49,3 @@ private-etc alternatives,pki,pkcs11,hosts,ssl,ca-certificates,resolv.conf
 private-tmp
 
 # memory-deny-write-execute - it breaks old versions of ffmpeg
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/ffmpegthumbnailer.profile b/etc/ffmpegthumbnailer.profile
index 6ab35e9a0..3681c40f1 100644
--- a/etc/ffmpegthumbnailer.profile
+++ b/etc/ffmpegthumbnailer.profile
@@ -10,6 +10,8 @@ include ffmpegthumbnailer.local
 private-bin ffmpegthumbnailer
 private-lib libffmpegthumbnailer.so.*
 
+# fix for ranger video thumbnails
+ignore private-cache
 
 # Redirect
 include ffmpeg.profile
diff --git a/etc/file-roller.profile b/etc/file-roller.profile
index 777efe0e3..ad52b0e97 100644
--- a/etc/file-roller.profile
+++ b/etc/file-roller.profile
@@ -8,6 +8,7 @@ include globals.local
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -16,11 +17,11 @@ include whitelist-var-common.inc
 
 apparmor
 caps.drop all
-ipc-namespace
+#ipc-namespace - causing issues launching on archlinux
 machine-id
-net none
+# net none - breaks on older Ubuntu versions
 no3d
-# nodbus makes settings immutable - comment if you need settings support
+# nodbus - makes settings immutable - comment if you need settings support
 nodbus
 nodvd
 nogroups
@@ -41,5 +42,3 @@ private-dev
 # private-tmp
 
 # memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/file.profile b/etc/file.profile
index e084e80c2..c304b4efe 100644
--- a/etc/file.profile
+++ b/etc/file.profile
@@ -10,6 +10,7 @@ include globals.local
 blacklist /tmp/.X11-unix
 
 include disable-common.inc
+include disable-exec.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
@@ -41,5 +42,3 @@ private-etc alternatives,magic.mgc,magic,localtime
 private-lib libarchive.so.*,libfakeroot,libmagic.so.*
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/filezilla.profile b/etc/filezilla.profile
index 2e77937ea..fb96d9d87 100644
--- a/etc/filezilla.profile
+++ b/etc/filezilla.profile
@@ -14,6 +14,8 @@ noblacklist ${PATH}/python2*
 noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python2*
+noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/firefox-common.profile b/etc/firefox-common.profile
index 3089b7ce8..a2a34f33f 100644
--- a/etc/firefox-common.profile
+++ b/etc/firefox-common.profile
@@ -6,6 +6,9 @@ include firefox-common.local
 # already included by caller profile
 #include globals.local
 
+# noexec ${HOME} breaks DRM binaries.
+ignore noexec ${HOME}
+
 # Uncomment the following line to allow access to common programs/addons/plugins.
 #include firefox-common-addons.inc
 
@@ -14,6 +17,7 @@ noblacklist ${HOME}/.local/share/pki
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-programs.inc
 
@@ -55,7 +59,3 @@ private-dev
 # private-etc below works fine on most distributions. There are some problems on CentOS.
 #private-etc alternatives,ca-certificates,ssl,machine-id,dconf,selinux,passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,mime.types,mailcap,asound.conf,pulse,pki,crypto-policies,ld.so.cache
 private-tmp
-
-# Breaks DRM binaries.
-#noexec ${HOME}
-noexec /tmp
diff --git a/etc/flowblade.profile b/etc/flowblade.profile
index 4628b85ee..b57c27936 100644
--- a/etc/flowblade.profile
+++ b/etc/flowblade.profile
@@ -14,6 +14,8 @@ noblacklist ${PATH}/python2*
 noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python2*
+noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/font-manager.profile b/etc/font-manager.profile
index 3c57a4327..98952e1cc 100644
--- a/etc/font-manager.profile
+++ b/etc/font-manager.profile
@@ -14,9 +14,12 @@ noblacklist ${PATH}/python2*
 noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python2*
+noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -31,7 +34,7 @@ include whitelist-common.inc
 apparmor
 caps.drop all
 machine-id
-net none
+# net none - issues on older versions
 no3d
 nodvd
 nogroups
@@ -52,5 +55,3 @@ private-dev
 private-tmp
 
 #memory-deny-write-execute - Breaks on Arch
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/fontforge.profile b/etc/fontforge.profile
index 2a833de06..dc4e43b09 100644
--- a/etc/fontforge.profile
+++ b/etc/fontforge.profile
@@ -14,6 +14,8 @@ noblacklist ${PATH}/python2*
 noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python2*
+noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/freeciv-gtk3.profile b/etc/freeciv-gtk3.profile
new file mode 100644
index 000000000..fa36459e7
--- /dev/null
+++ b/etc/freeciv-gtk3.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for freeciv
+# This file is overwritten after every install/update
+
+# Redirect
+include freeciv.profile
diff --git a/etc/freeciv-mp-gtk3.profile b/etc/freeciv-mp-gtk3.profile
new file mode 100644
index 000000000..fa36459e7
--- /dev/null
+++ b/etc/freeciv-mp-gtk3.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for freeciv
+# This file is overwritten after every install/update
+
+# Redirect
+include freeciv.profile
diff --git a/etc/freeciv.profile b/etc/freeciv.profile
new file mode 100644
index 000000000..4813379a7
--- /dev/null
+++ b/etc/freeciv.profile
@@ -0,0 +1,44 @@
+# Firejail profile for freeciv
+# Description: A multi-player strategy game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include freeciv.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.freeciv
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.freeciv
+whitelist ${HOME}/.freeciv
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin freeciv-gtk3,freeciv-mp-gtk3,freeciv-server,freeciv-manual
+private-cache
+private-dev
+private-tmp
diff --git a/etc/freecol.profile b/etc/freecol.profile
new file mode 100644
index 000000000..7987cc076
--- /dev/null
+++ b/etc/freecol.profile
@@ -0,0 +1,60 @@
+# Firejail profile for freecol
+# Description: Turn-based multi-player strategy game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include freecol.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.freecol
+noblacklist ${HOME}/.java
+noblacklist ${HOME}/.cache/freecol
+noblacklist ${HOME}/.config/freecol
+noblacklist ${HOME}/.local/share/freecol
+
+# Allow access to java
+noblacklist ${PATH}/java
+noblacklist /usr/lib/java
+noblacklist /etc/java
+noblacklist /usr/share/java
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.java
+mkdir ${HOME}/.cache/freecol
+mkdir ${HOME}/.config/freecol
+mkdir ${HOME}/.local/share/freecol
+whitelist ${HOME}/.freecol
+whitelist ${HOME}/.java
+whitelist ${HOME}/.cache/freecol
+whitelist ${HOME}/.config/freecol
+whitelist ${HOME}/.local/share/freecol
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-cache
+private-dev
+private-tmp
diff --git a/etc/freemind.profile b/etc/freemind.profile
new file mode 100644
index 000000000..507bd564d
--- /dev/null
+++ b/etc/freemind.profile
@@ -0,0 +1,52 @@
+# Firejail profile for freemind
+# Description: Free mind mapping software
+# This file is overwritten after every install/update
+# Persistent local customizations
+include freemind.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${DOCUMENTS}
+noblacklist ${PATH}/java
+noblacklist /etc/java
+noblacklist /usr/lib/java
+noblacklist /usr/share/java
+noblacklist ${HOME}/.freemind
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+netfilter
+no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin freemind,java,bash,sed,sh,grep,mkdir,echo,cp,uname,which,lsb_release,rpm,dpkg,dirname,readlink
+private-cache
+private-dev
+#private-etc alternatives,fonts,java
+private-tmp
+private-opt none
+private-srv none
diff --git a/etc/freshclam.profile b/etc/freshclam.profile
index 2dd55d8cc..2bab79e2e 100644
--- a/etc/freshclam.profile
+++ b/etc/freshclam.profile
@@ -6,6 +6,7 @@ include clamav.local
 # Persistent global definitions
 include globals.local
 
+include disable-exec.inc
 
 caps.keep setgid,setuid
 ipc-namespace
@@ -32,5 +33,3 @@ writable-var
 writable-var-log
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/gajim.profile b/etc/gajim.profile
index 3dd66dc23..bdb40d7e1 100644
--- a/etc/gajim.profile
+++ b/etc/gajim.profile
@@ -10,10 +10,13 @@ noblacklist ${HOME}/.cache/gajim
 noblacklist ${HOME}/.config/gajim
 noblacklist ${HOME}/.local/share/gajim
 
-# Allow Python (blacklisted by disable-interpreters.inc)
+# Allow python (blacklisted by disable-interpreters.inc)
+#noblacklist ${PATH}/python2*
 noblacklist ${PATH}/python3*
+#noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
-noblacklist /usr/lib64/python3*
+#noblacklist /usr/local/lib/python2*
+noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/galculator.profile b/etc/galculator.profile
index 509d9bd05..92b400572 100644
--- a/etc/galculator.profile
+++ b/etc/galculator.profile
@@ -10,9 +10,11 @@ noblacklist ${HOME}/.config/galculator
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-xdg.inc
 
 mkdir ${HOME}/.config/galculator
 whitelist ${HOME}/.config/galculator
@@ -21,6 +23,8 @@ include whitelist-var-common.inc
 
 apparmor
 caps.drop all
+hostname galculator
+ipc-namespace
 net none
 nodbus
 nodvd
@@ -37,7 +41,10 @@ shell none
 tracelog
 
 private-bin galculator
+private-cache
 private-dev
 private-etc alternatives,fonts
 private-lib
 private-tmp
+
+memory-deny-write-execute
diff --git a/etc/gcloud.profile b/etc/gcloud.profile
index d9df8fd37..a08aebf2c 100644
--- a/etc/gcloud.profile
+++ b/etc/gcloud.profile
@@ -5,12 +5,16 @@ include gcloud.local
 # Persistent global definitions
 include globals.local
 
+# noexec ${HOME} will break user-local installs of gcloud tooling
+ignore noexec ${HOME}
+
 noblacklist ${HOME}/.boto
 noblacklist ${HOME}/.config/gcloud
 noblacklist /var/run/docker.sock
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-programs.inc
 
 apparmor
@@ -34,8 +38,3 @@ disable-mnt
 private-dev
 private-etc alternatives,ca-certificates,ssl,hosts,localtime,nsswitch.conf,resolv.conf,pki,crypto-policies,ld.so.cache
 private-tmp
-
-noexec /tmp
-
-# will break user-local installs of gcloud tooling
-# noexec ${HOME}
diff --git a/etc/gconf.profile b/etc/gconf.profile
index 94af21833..5cc6b87a0 100644
--- a/etc/gconf.profile
+++ b/etc/gconf.profile
@@ -8,14 +8,17 @@ include globals.local
 
 noblacklist ${HOME}/.config/gconf
 
-# Allow python2 (blacklisted by disable-interpreters.inc)
+# Allow python (blacklisted by disable-interpreters.inc)
 noblacklist ${PATH}/python2*
 #noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 #noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python2*
+#noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -53,5 +56,3 @@ private-lib libpython*,python2*
 private-tmp
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/gedit.profile b/etc/gedit.profile
index a583c534f..6b99ec580 100644
--- a/etc/gedit.profile
+++ b/etc/gedit.profile
@@ -13,6 +13,7 @@ noblacklist ${HOME}/.python-history
 
 include disable-common.inc
 # include disable-devel.inc
+include disable-exec.inc
 # include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -44,5 +45,3 @@ private-dev
 private-lib /usr/bin/gedit,libtinfo.so.*,libreadline.so.*,gedit,libgspell-1.so.*,gconv,aspell
 private-tmp
 
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/geekbench.profile b/etc/geekbench.profile
index 425fb7bb5..764c68131 100644
--- a/etc/geekbench.profile
+++ b/etc/geekbench.profile
@@ -8,6 +8,7 @@ include globals.local
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -46,7 +47,5 @@ private-opt none
 private-tmp
 
 # memory-deny-write-execute - Breaks on Arch
-noexec ${HOME}
-noexec /tmp
 
 read-only ${HOME}
diff --git a/etc/ghostwriter.profile b/etc/ghostwriter.profile
index 615e6d01c..76011df19 100644
--- a/etc/ghostwriter.profile
+++ b/etc/ghostwriter.profile
@@ -12,6 +12,7 @@ noblacklist ${PICTURES}
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -53,5 +54,3 @@ private-etc alternatives,cups,crypto-policies,localtime,drirc,fonts,gtk-3.0,dcon
 #private-lib
 private-tmp
 
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/gimp.profile b/etc/gimp.profile
index 9b14b1fe8..91001cd30 100644
--- a/etc/gimp.profile
+++ b/etc/gimp.profile
@@ -6,12 +6,17 @@ include gimp.local
 # Persistent global definitions
 include globals.local
 
+# gimp plugins are installed by the user in ${HOME}/.gimp-2.8/plug-ins/ directory
+# if you are not using external plugins, you can disable ignore noexec statement below
+ignore noexec ${HOME}
+
 noblacklist ${HOME}/.config/GIMP
 noblacklist ${HOME}/.gimp*
 noblacklist ${DOCUMENTS}
 noblacklist ${PICTURES}
 
 include disable-common.inc
+include disable-exec.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
@@ -35,8 +40,3 @@ shell none
 
 private-dev
 private-tmp
-
-# gimp plugins are installed by the user in ${HOME}/.gimp-2.8/plug-ins/ directory
-# if you are not using external plugins, you can enable noexec statement below
-# noexec ${HOME}
-noexec /tmp
diff --git a/etc/git.profile b/etc/git.profile
index 575793f58..44e3474f8 100644
--- a/etc/git.profile
+++ b/etc/git.profile
@@ -21,6 +21,7 @@ noblacklist ${HOME}/.vim
 noblacklist ${HOME}/.viminfo
 
 include disable-common.inc
+include disable-exec.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
@@ -46,5 +47,3 @@ private-cache
 private-dev
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/gnome-calculator.profile b/etc/gnome-calculator.profile
index eb124a4e8..c9ad4831f 100644
--- a/etc/gnome-calculator.profile
+++ b/etc/gnome-calculator.profile
@@ -9,6 +9,7 @@ include globals.local
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-passwdmgr.inc
 include disable-interpreters.inc
 include disable-programs.inc
@@ -45,5 +46,3 @@ private-dev
 private-tmp
 
 # memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/gnome-clocks.profile b/etc/gnome-clocks.profile
index 32a7ca918..cb73a9477 100644
--- a/etc/gnome-clocks.profile
+++ b/etc/gnome-clocks.profile
@@ -8,6 +8,7 @@ include globals.local
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -39,5 +40,3 @@ private-dev
 private-etc alternatives,fonts,ca-certificates,ssl,pki,crypto-policies,machine-id,hosts,pkcs11,localtime,gtk-3.0,dconf
 private-tmp
 
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/gnome-keyring.profile b/etc/gnome-keyring.profile
index 88898a816..47d8ca2c0 100644
--- a/etc/gnome-keyring.profile
+++ b/etc/gnome-keyring.profile
@@ -11,6 +11,7 @@ noblacklist ${HOME}/.gnupg
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-passwdmgr.inc
 include disable-interpreters.inc
 include disable-programs.inc
@@ -47,5 +48,3 @@ private-dev
 private-tmp
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/gnome-logs.profile b/etc/gnome-logs.profile
index 9ea4fb9f6..c7cbd8388 100644
--- a/etc/gnome-logs.profile
+++ b/etc/gnome-logs.profile
@@ -8,6 +8,7 @@ include globals.local
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -46,8 +47,6 @@ private-tmp
 writable-var-log
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
 
 # comment this if you export logs to a file in your ${HOME}
 read-only ${HOME}
diff --git a/etc/gnome-maps.profile b/etc/gnome-maps.profile
index 6ce44e7ce..97de9c2be 100644
--- a/etc/gnome-maps.profile
+++ b/etc/gnome-maps.profile
@@ -13,6 +13,7 @@ noblacklist ${HOME}/.local/share/flatpak
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -43,5 +44,3 @@ private-dev
 # private-etc alternatives,fonts,ca-certificates,ssl,pki,crypto-policies
 private-tmp
 
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/gnome-music.profile b/etc/gnome-music.profile
index c4dedcf1c..f31b8af2c 100644
--- a/etc/gnome-music.profile
+++ b/etc/gnome-music.profile
@@ -14,6 +14,8 @@ noblacklist ${PATH}/python2*
 noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python2*
+noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/gnome-pie.profile b/etc/gnome-pie.profile
index 01c65a5a4..e542181fa 100644
--- a/etc/gnome-pie.profile
+++ b/etc/gnome-pie.profile
@@ -16,8 +16,7 @@ include disable-passwdmgr.inc
 
 caps.drop all
 ipc-namespace
-machine-id
-net none
+# net none - breaks dbus
 no3d
 nodvd
 nogroups
@@ -34,7 +33,7 @@ shell none
 disable-mnt
 private-cache
 private-dev
-private-etc alternatives,fonts
+private-etc alternatives,fonts,machine-id
 private-lib gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.so.*
 private-tmp
 
diff --git a/etc/gnome-schedule.profile b/etc/gnome-schedule.profile
index d856c1f83..931efbbab 100644
--- a/etc/gnome-schedule.profile
+++ b/etc/gnome-schedule.profile
@@ -35,14 +35,17 @@ noblacklist ${PATH}/urxvtcd
 noblacklist ${PATH}/xfce4-terminal
 noblacklist ${PATH}/xfce4-terminal.wrapper
 
-# Allow python (disabled by disable-interpreters.inc)
+# Allow python (blacklisted by disable-interpreters.inc)
 noblacklist ${PATH}/python2*
 noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python2*
+noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -56,7 +59,7 @@ apparmor
 caps.keep chown,dac_override,setgid,setuid
 ipc-namespace
 machine-id
-net none
+#net none - breaks on Ubuntu
 no3d
 nodvd
 nogroups
@@ -73,5 +76,3 @@ private-dev
 # private-etc alternatives
 writable-var
 
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/gnome-system-log.profile b/etc/gnome-system-log.profile
index 214a3923f..c6af31ede 100644
--- a/etc/gnome-system-log.profile
+++ b/etc/gnome-system-log.profile
@@ -10,6 +10,7 @@ noblacklist /var/log
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -22,8 +23,7 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 ipc-namespace
-machine-id
-net none
+# net none - breaks dbus
 no3d
 # nodbus
 nodvd
@@ -50,8 +50,6 @@ private-tmp
 writable-var-log
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
 
 # uncomment this if you never export logs to a file in your ${HOME}
 #read-only ${HOME}
diff --git a/etc/gpicview.profile b/etc/gpicview.profile
index 4c66e3772..17371aec0 100644
--- a/etc/gpicview.profile
+++ b/etc/gpicview.profile
@@ -10,6 +10,7 @@ noblacklist ${HOME}/.config/gpicview
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -43,5 +44,3 @@ private-lib
 private-tmp
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/gucharmap.profile b/etc/gucharmap.profile
index b1bd59307..9507188fc 100644
--- a/etc/gucharmap.profile
+++ b/etc/gucharmap.profile
@@ -9,6 +9,7 @@ include globals.local
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -20,7 +21,7 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 machine-id
-net none
+#net none - breaks dbus
 no3d
 nodvd
 nogroups
@@ -35,12 +36,13 @@ seccomp
 shell none
 
 disable-mnt
+private-bin gucharmap
 private-cache
 private-dev
+private-etc alternatives,fonts
+private-lib
 private-tmp
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
 
 read-only ${HOME}
diff --git a/etc/gunzip.profile b/etc/gunzip.profile
index fe35f8fe7..aff990ec0 100644
--- a/etc/gunzip.profile
+++ b/etc/gunzip.profile
@@ -3,7 +3,8 @@
 # Persistent local customizations
 include gunzip.local
 # Persistent global definitions
-include globals.local
+# added by included profile
+#include globals.local
 
 # Redirect
 include gzip.profile
diff --git a/etc/gwenview.profile b/etc/gwenview.profile
index 790e4920d..d4af3ed1a 100644
--- a/etc/gwenview.profile
+++ b/etc/gwenview.profile
@@ -19,6 +19,7 @@ noblacklist ${HOME}/.local/share/org.kde.gwenview
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -47,5 +48,3 @@ private-dev
 private-etc alternatives,fonts,gimp,gtk-2.0,kde4rc,kde5rc,ld.so.cache,machine-id,pulse,xdg
 
 # memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/gzip.profile b/etc/gzip.profile
index 1dbc661a1..27e262f87 100644
--- a/etc/gzip.profile
+++ b/etc/gzip.profile
@@ -5,16 +5,24 @@ quiet
 # Persistent local customizations
 include gzip.local
 # Persistent global definitions
-# added by included profile
-#include globals.local
+include globals.local
 
 blacklist /tmp/.X11-unix
 
+include disable-exec.inc
+include disable-interpreters.inc
+
 ignore noroot
+
+apparmor
+hostname gzip
+ipc-namespace
+machine-id
 net none
 no3d
 nodbus
 nodvd
+nogroups
 nosound
 notv
 nou2f
@@ -22,6 +30,9 @@ novideo
 shell none
 tracelog
 
+private-cache
 private-dev
 
+memory-deny-write-execute
+
 include default.profile
diff --git a/etc/handbrake.profile b/etc/handbrake.profile
index a98f80bc7..324c629e3 100644
--- a/etc/handbrake.profile
+++ b/etc/handbrake.profile
@@ -12,6 +12,7 @@ noblacklist ${VIDEOS}
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -35,5 +36,3 @@ shell none
 private-dev
 private-tmp
 
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/hexchat.profile b/etc/hexchat.profile
index 783f91e82..e8abf4b31 100644
--- a/etc/hexchat.profile
+++ b/etc/hexchat.profile
@@ -14,6 +14,8 @@ noblacklist ${PATH}/python2*
 noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python2*
+noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/img2txt.profile b/etc/img2txt.profile
index 24fd29fbe..ade50048e 100644
--- a/etc/img2txt.profile
+++ b/etc/img2txt.profile
@@ -10,6 +10,7 @@ noblacklist ${PICTURES}
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -41,5 +42,3 @@ private-dev
 private-tmp
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/inkscape.profile b/etc/inkscape.profile
index ba0a2c9f9..ecc5e5d35 100644
--- a/etc/inkscape.profile
+++ b/etc/inkscape.profile
@@ -17,9 +17,12 @@ noblacklist ${PATH}/python2*
 noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python2*
+noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -50,5 +53,3 @@ private-dev
 private-tmp
 
 # memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/kate.profile b/etc/kate.profile
index 4a78d718f..3035393c4 100644
--- a/etc/kate.profile
+++ b/etc/kate.profile
@@ -6,6 +6,8 @@ include kate.local
 # Persistent global definitions
 include globals.local
 
+ignore noexec ${HOME}
+
 noblacklist ${HOME}/.config/katemetainfos
 noblacklist ${HOME}/.config/katepartrc
 noblacklist ${HOME}/.config/katerc
@@ -16,6 +18,7 @@ noblacklist ${HOME}/.local/share/kate
 
 include disable-common.inc
 # include disable-devel.inc
+include disable-exec.inc
 # include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -45,7 +48,4 @@ private-dev
 # private-etc alternatives,fonts,kde4rc,kde5rc,ld.so.cache,machine-id,xdg
 private-tmp
 
-# noexec ${HOME}
-noexec /tmp
-
 join-or-start kate
diff --git a/etc/kcalc.profile b/etc/kcalc.profile
index 8baefaa98..8c641802b 100644
--- a/etc/kcalc.profile
+++ b/etc/kcalc.profile
@@ -9,6 +9,7 @@ include globals.local
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -45,5 +46,3 @@ private-dev
 # private-lib - problems on Arch
 private-tmp
 
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/kdenlive.profile b/etc/kdenlive.profile
index f7b5c89b3..82c8c6793 100644
--- a/etc/kdenlive.profile
+++ b/etc/kdenlive.profile
@@ -6,12 +6,15 @@ include kdenlive.local
 # Persistent global definitions
 include globals.local
 
+ignore noexec ${HOME}
+
 noblacklist ${HOME}/.cache/kdenlive
 noblacklist ${HOME}/.config/kdenliverc
 noblacklist ${HOME}/.local/share/kdenlive
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -33,6 +36,3 @@ shell none
 private-bin kdenlive,kdenlive_render,dbus-launch,melt,ffmpeg,ffplay,ffprobe,dvdauthor,genisoimage,vlc,xine,kdeinit5,kshell5,kdeinit5_shutdown,kdeinit5_wrapper,kdeinit4,kshell4,kdeinit4_shutdown,kdeinit4_wrapper,mlt-melt
 private-dev
 # private-etc alternatives,fonts,kde4rc,kde5rc,ld.so.cache,machine-id,passwd,pulse,xdg,X11
-
-# noexec ${HOME}
-noexec /tmp
diff --git a/etc/keepassx.profile b/etc/keepassx.profile
index 357eb435d..44e9c67bb 100644
--- a/etc/keepassx.profile
+++ b/etc/keepassx.profile
@@ -14,6 +14,7 @@ noblacklist ${DOCUMENTS}
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -45,5 +46,3 @@ private-etc alternatives,fonts,machine-id
 private-tmp
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/keepassxc.profile b/etc/keepassxc.profile
index f0546beda..33b4509b7 100644
--- a/etc/keepassxc.profile
+++ b/etc/keepassxc.profile
@@ -16,6 +16,7 @@ noblacklist ${DOCUMENTS}
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -47,8 +48,6 @@ private-tmp
 
 # 2.2.4 crashes on database open
 # memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
 
 # Mutex is stored in /tmp by default, which is broken by private-tmp
 join-or-start keepassxc
diff --git a/etc/kget.profile b/etc/kget.profile
index 2ef84a0ee..485edc1a4 100644
--- a/etc/kget.profile
+++ b/etc/kget.profile
@@ -15,6 +15,7 @@ noblacklist ${HOME}/.local/share/kget
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -38,5 +39,3 @@ private-dev
 private-tmp
 
 # memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/kid3-cli.profile b/etc/kid3-cli.profile
new file mode 100644
index 000000000..bee62b5d9
--- /dev/null
+++ b/etc/kid3-cli.profile
@@ -0,0 +1,6 @@
+# Firejail profile for kid3-cli
+# This file is overwritten after every install/update
+include kid3-cli.local
+
+# Redirect
+include kid3.profile
diff --git a/etc/kid3-qt.profile b/etc/kid3-qt.profile
new file mode 100644
index 000000000..9bcede077
--- /dev/null
+++ b/etc/kid3-qt.profile
@@ -0,0 +1,8 @@
+# Firejail profile for kid3-qt
+# This file is overwritten after every install/update
+include kid3-qt.local
+
+noblacklist ${HOME}/.config/Kid3
+
+# Redirect
+include kid3.profile
diff --git a/etc/kid3.profile b/etc/kid3.profile
new file mode 100644
index 000000000..3171e94fe
--- /dev/null
+++ b/etc/kid3.profile
@@ -0,0 +1,45 @@
+# Firejail profile for kid3
+# Description: Audio Tag Editor
+# This file is overwritten after every install/update
+# Persistent local customizations
+include kid3.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${MUSIC}
+noblacklist ${HOME}/.config/kid3rc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+private-cache
+private-dev
+private-etc alternatives,drirc,fonts,kde5rc,gtk-3.0,dconf,machine-id,ca-certificates,ssl,pki,hostname,hosts,resolv.conf,pulse,,crypto-policies
+private-tmp
+private-opt none
+private-srv none
+
+memory-deny-write-execute
diff --git a/etc/klavaro.profile b/etc/klavaro.profile
index 04b4a5ae5..5ad5e2699 100644
--- a/etc/klavaro.profile
+++ b/etc/klavaro.profile
@@ -11,6 +11,7 @@ noblacklist ${HOME}/.local/share/klavaro
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -51,5 +52,3 @@ private-opt none
 private-srv none
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/kmail.profile b/etc/kmail.profile
index 1f8403ef1..009b2c063 100644
--- a/etc/kmail.profile
+++ b/etc/kmail.profile
@@ -31,6 +31,7 @@ noblacklist /tmp/akonadi-*
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -58,5 +59,3 @@ writable-run-user
 private-dev
 # private-tmp - interrupts connection to akonadi, breaks opening of email attachments
 
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/kodi.profile b/etc/kodi.profile
index 303310591..dad085967 100644
--- a/etc/kodi.profile
+++ b/etc/kodi.profile
@@ -6,6 +6,9 @@ include kodi.local
 # Persistent global definitions
 include globals.local
 
+# noexec ${HOME} breaks plugins
+ignore noexec ${HOME}
+
 noblacklist ${HOME}/.kodi
 noblacklist ${MUSIC}
 noblacklist ${PICTURES}
@@ -16,9 +19,12 @@ noblacklist ${PATH}/python2*
 noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python2*
+noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -40,7 +46,3 @@ tracelog
 
 private-dev
 private-tmp
-
-# breaks plugins
-#noexec ${HOME}
-noexec /tmp
diff --git a/etc/konversation.profile b/etc/konversation.profile
index 03c51ccce..19174459c 100644
--- a/etc/konversation.profile
+++ b/etc/konversation.profile
@@ -12,6 +12,7 @@ noblacklist ${HOME}/.kde4/share/config/konversationrc
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -39,5 +40,3 @@ private-dev
 private-tmp
 
 # memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/krita.profile b/etc/krita.profile
index 3313106a2..8f275f8df 100644
--- a/etc/krita.profile
+++ b/etc/krita.profile
@@ -6,6 +6,9 @@ include krita.local
 # Persistent global definitions
 include globals.local
 
+# noexec ${HOME} may break krita, see issue #1953
+ignore noexec ${HOME}
+
 noblacklist ${HOME}/.config/kritarc
 noblacklist ${HOME}/.local/share/krita
 noblacklist ${DOCUMENTS}
@@ -16,9 +19,12 @@ noblacklist ${PATH}/python2*
 noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python2*
+noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -45,7 +51,3 @@ shell none
 private-cache
 private-dev
 private-tmp
-
-# noexec ${HOME} may break krita, see issue #1953
-# noexec ${HOME}
-noexec /tmp
diff --git a/etc/ktorrent.profile b/etc/ktorrent.profile
index 7b7571176..f30a1b7e6 100644
--- a/etc/ktorrent.profile
+++ b/etc/ktorrent.profile
@@ -15,6 +15,7 @@ noblacklist ${HOME}/.local/share/ktorrent
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -57,5 +58,3 @@ private-dev
 private-tmp
 
 # memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/kwin_x11.profile b/etc/kwin_x11.profile
index 834f6f2dd..ee07636d3 100644
--- a/etc/kwin_x11.profile
+++ b/etc/kwin_x11.profile
@@ -12,6 +12,7 @@ noblacklist ${HOME}/.local/share/kwin
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -39,6 +40,3 @@ private-bin kwin_x11
 private-dev
 private-etc alternatives,drirc,fonts,kde5rc,ld.so.cache,machine-id,xdg
 private-tmp
-
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/kwrite.profile b/etc/kwrite.profile
index bc4fba97d..9b0640eab 100644
--- a/etc/kwrite.profile
+++ b/etc/kwrite.profile
@@ -17,6 +17,7 @@ noblacklist ${DOCUMENTS}
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -47,7 +48,5 @@ private-dev
 private-etc alternatives,fonts,kde4rc,kde5rc,ld.so.cache,machine-id,pulse,xdg
 private-tmp
 
-noexec ${HOME}
-noexec /tmp
 
 join-or-start kwrite
diff --git a/etc/libreoffice.profile b/etc/libreoffice.profile
index 0e6c86b80..6e77cd741 100644
--- a/etc/libreoffice.profile
+++ b/etc/libreoffice.profile
@@ -19,6 +19,7 @@ noblacklist /usr/share/java
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
@@ -49,7 +50,5 @@ tracelog
 private-dev
 private-tmp
 
-noexec ${HOME}
-noexec /tmp
 
 join-or-start libreoffice
diff --git a/etc/liferea.profile b/etc/liferea.profile
index c498541d4..5927747b8 100644
--- a/etc/liferea.profile
+++ b/etc/liferea.profile
@@ -15,6 +15,8 @@ noblacklist ${PATH}/python2*
 noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python2*
+noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/lincity-ng.profile b/etc/lincity-ng.profile
new file mode 100644
index 000000000..b55ac9a15
--- /dev/null
+++ b/etc/lincity-ng.profile
@@ -0,0 +1,44 @@
+# Firejail profile for lincity-ng
+# Description: City simulation game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include lincity-ng.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.lincity-ng
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.lincity-ng
+whitelist ${HOME}/.lincity-ng
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+net none
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin lincity-ng
+private-cache
+private-dev
+private-tmp
diff --git a/etc/lollypop.profile b/etc/lollypop.profile
index 047424e5e..c4717965a 100644
--- a/etc/lollypop.profile
+++ b/etc/lollypop.profile
@@ -14,6 +14,8 @@ noblacklist ${PATH}/python2*
 noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python2*
+noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/lrunzip.profile b/etc/lrunzip.profile
new file mode 100644
index 000000000..96aeee770
--- /dev/null
+++ b/etc/lrunzip.profile
@@ -0,0 +1,12 @@
+# Firejail profile for lrunzip
+# Description: Multi-threaded compression with rzip/lzma, lzo and zpaq
+# This file is overwritten after every install/update
+# Persistent local customizations
+include lrunzip.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+
+# Redirect
+include cpio.profile
diff --git a/etc/lrz.profile b/etc/lrz.profile
new file mode 100644
index 000000000..03de48104
--- /dev/null
+++ b/etc/lrz.profile
@@ -0,0 +1,12 @@
+# Firejail profile for lrz
+# Description: Multi-threaded compression with rzip/lzma, lzo and zpaq
+# This file is overwritten after every install/update
+# Persistent local customizations
+include lrz.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+
+# Redirect
+include cpio.profile
diff --git a/etc/lrzcat.profile b/etc/lrzcat.profile
new file mode 100644
index 000000000..6d95c41a0
--- /dev/null
+++ b/etc/lrzcat.profile
@@ -0,0 +1,12 @@
+# Firejail profile for lrzcat
+# Description: Multi-threaded compression with rzip/lzma, lzo and zpaq
+# This file is overwritten after every install/update
+# Persistent local customizations
+include lrzcat.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+
+# Redirect
+include cpio.profile
diff --git a/etc/lrzip.profile b/etc/lrzip.profile
new file mode 100644
index 000000000..148d23393
--- /dev/null
+++ b/etc/lrzip.profile
@@ -0,0 +1,12 @@
+# Firejail profile for lrzip
+# Description: Multi-threaded compression with rzip/lzma, lzo and zpaq
+# This file is overwritten after every install/update
+# Persistent local customizations
+include lrzip.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+
+# Redirect
+include cpio.profile
diff --git a/etc/lrztar.profile b/etc/lrztar.profile
new file mode 100644
index 000000000..90327c2bb
--- /dev/null
+++ b/etc/lrztar.profile
@@ -0,0 +1,12 @@
+# Firejail profile for lrztar
+# Description: Multi-threaded compression with rzip/lzma, lzo and zpaq
+# This file is overwritten after every install/update
+# Persistent local customizations
+include lrztar.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+
+# Redirect
+include cpio.profile
diff --git a/etc/lrzuntar.profile b/etc/lrzuntar.profile
new file mode 100644
index 000000000..6aa91cabd
--- /dev/null
+++ b/etc/lrzuntar.profile
@@ -0,0 +1,12 @@
+# Firejail profile for lrzuntar
+# Description: Multi-threaded compression with rzip/lzma, lzo and zpaq
+# This file is overwritten after every install/update
+# Persistent local customizations
+include lrzuntar.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+
+# Redirect
+include cpio.profile
diff --git a/etc/lugaru.profile b/etc/lugaru.profile
new file mode 100644
index 000000000..d81441572
--- /dev/null
+++ b/etc/lugaru.profile
@@ -0,0 +1,49 @@
+# Firejail profile for lugaru
+# Description: Ninja rabbit fighting game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include lugaru.local
+# Persistent global definitions
+include globals.local
+
+# note: crashes after entering
+
+noblacklist ${HOME}/.config/lugaru
+noblacklist ${HOME}/.local/share/lugaru
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/lugaru
+mkdir ${HOME}/.local/share/lugaru
+whitelist ${HOME}/.config/lugaru
+whitelist ${HOME}/.local/share/lugaru
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+net none
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,netlink
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin lugaru
+private-cache
+private-dev
+private-tmp
diff --git a/etc/macrofusion.profile b/etc/macrofusion.profile
index 170085117..793cd59bb 100644
--- a/etc/macrofusion.profile
+++ b/etc/macrofusion.profile
@@ -13,6 +13,8 @@ noblacklist ${PATH}/python2*
 noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python2*
+noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/manaplus.profile b/etc/manaplus.profile
new file mode 100644
index 000000000..93d409bf8
--- /dev/null
+++ b/etc/manaplus.profile
@@ -0,0 +1,48 @@
+# Firejail profile for manaplus
+# Description: 2D MMORPG client for Evol Online and The Mana World
+# This file is overwritten after every install/update
+# Persistent local customizations
+include manaplus.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/mana
+noblacklist ${HOME}/.local/share/mana
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/mana
+mkdir ${HOME}/.config/mana/mana
+mkdir ${HOME}/.local/share/mana
+whitelist ${HOME}/.config/mana
+whitelist ${HOME}/.local/share/mana
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin manaplus
+private-cache
+private-dev
+private-tmp
diff --git a/etc/masterpdfeditor.profile b/etc/masterpdfeditor.profile
index 3d88b1f82..ce6486115 100644
--- a/etc/masterpdfeditor.profile
+++ b/etc/masterpdfeditor.profile
@@ -11,18 +11,18 @@ noblacklist ${HOME}/.masterpdfeditor
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 ipc-namespace
 machine-id
-net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -36,11 +36,9 @@ seccomp
 shell none
 tracelog
 
-private-bin masterpdfeditor*
+private-bin masterpdfedito*
 private-cache
 private-dev
 private-etc alternatives,fonts
 private-tmp
 
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/mediainfo.profile b/etc/mediainfo.profile
index 6bb393376..d2681f32d 100644
--- a/etc/mediainfo.profile
+++ b/etc/mediainfo.profile
@@ -10,6 +10,7 @@ blacklist /tmp/.X11-unix
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -41,5 +42,3 @@ private-etc alternatives
 private-tmp
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/megaglest.profile b/etc/megaglest.profile
new file mode 100644
index 000000000..08eae6dfc
--- /dev/null
+++ b/etc/megaglest.profile
@@ -0,0 +1,44 @@
+# Firejail profile for megaglest
+# Description: 3D multi-player real time strategy game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include megaglest.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.megaglest
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.megaglest
+whitelist ${HOME}/.megaglest
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin megaglest,megaglest_editor,megaglest_g3dviewer
+private-cache
+private-dev
+private-tmp
diff --git a/etc/megaglest_editor.profile b/etc/megaglest_editor.profile
new file mode 100644
index 000000000..02aad8084
--- /dev/null
+++ b/etc/megaglest_editor.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for megaglest
+# This file is overwritten after every install/update
+
+# Redirect
+include megaglest.profile
diff --git a/etc/meld.profile b/etc/meld.profile
index 2b87094fb..395771cf2 100644
--- a/etc/meld.profile
+++ b/etc/meld.profile
@@ -8,17 +8,35 @@ include globals.local
 
 noblacklist ${HOME}/.local/share/meld
 
-include disable-common.inc
+# Allow python (blacklisted by disable-interpreters.inc)
+noblacklist ${PATH}/python2*
+noblacklist ${PATH}/python3*
+noblacklist /usr/lib/python2*
+noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python2*
+noblacklist /usr/local/lib/python3*
+
+noblacklist ${HOME}/.gitconfig
+noblacklist ${HOME}/.ssh
+noblacklist ${HOME}/.subversion
+
+# Uncomment the next line if you don't need to compare files in disable-common.inc.
+#include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
 include disable-passwdmgr.inc
-include disable-programs.inc
+# Uncomment the next line if you don't need to compare files in disable-programs.inc.
+#include disable-programs.inc
 
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
-net none
+ipc-namespace
+machine-id
+netfilter
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -27,14 +45,15 @@ nosound
 notv
 nou2f
 novideo
-protocol unix
+protocol unix,inet,inet6
 seccomp
 shell none
+tracelog
 
-private-bin meld,python*
+private-bin bzr,cvs,git,hg,meld,python*,svn
 private-cache
 private-dev
+# Uncomment the next line if you don't need to compare in /etc.
+#private-etc alternatives,ca-certificates,crypto-policies,fonts,hostname,hosts,pki,resolv.conf,ssl,subversion
 private-tmp
 
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/mendeleydesktop.profile b/etc/mendeleydesktop.profile
index 046526310..a3d6092f1 100644
--- a/etc/mendeleydesktop.profile
+++ b/etc/mendeleydesktop.profile
@@ -19,6 +19,8 @@ noblacklist ${PATH}/python2*
 noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python2*
+noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/minetest.profile b/etc/minetest.profile
index aa50847ea..b3e692446 100644
--- a/etc/minetest.profile
+++ b/etc/minetest.profile
@@ -10,9 +10,11 @@ noblacklist ${HOME}/.minetest
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-xdg.inc
 
 mkdir ${HOME}/.minetest
 whitelist ${HOME}/.minetest
@@ -33,13 +35,12 @@ novideo
 protocol unix,inet,inet6
 seccomp
 shell none
+tracelog
 
 disable-mnt
 private-bin minetest
+private-cache
 private-dev
 # private-etc needs to be updated, see #1702
 #private-etc alternatives,asound.conf,ca-certificates,drirc,fonts,group,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,nsswitch.conf,passwd,pulse,resolv.conf,ssl,pki,crypto-policies,machine-id
 private-tmp
-
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/mpDris2.profile b/etc/mpDris2.profile
index 48b5070f6..b179ecfaf 100644
--- a/etc/mpDris2.profile
+++ b/etc/mpDris2.profile
@@ -13,6 +13,8 @@ noblacklist ${PATH}/python2*
 noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python2*
+noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/mpsyt.profile b/etc/mpsyt.profile
index f057bdd9e..0808c5a1a 100644
--- a/etc/mpsyt.profile
+++ b/etc/mpsyt.profile
@@ -24,6 +24,7 @@ noblacklist ${VIDEOS}
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -57,5 +58,3 @@ private-bin mpsyt,mplayer,mpv,youtube-dl,python*,env,ffmpeg
 private-dev
 private-tmp
 
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/mpv.profile b/etc/mpv.profile
index cf113c1bb..c2ae9c6f9 100644
--- a/etc/mpv.profile
+++ b/etc/mpv.profile
@@ -21,6 +21,7 @@ noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
diff --git a/etc/ms-office.profile b/etc/ms-office.profile
index 6334ecd41..f23617f8d 100644
--- a/etc/ms-office.profile
+++ b/etc/ms-office.profile
@@ -13,6 +13,8 @@ noblacklist ${PATH}/python2*
 noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python2*
+noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/mupdf.profile b/etc/mupdf.profile
index c1d4f2cbe..1d5953ff7 100644
--- a/etc/mupdf.profile
+++ b/etc/mupdf.profile
@@ -10,6 +10,7 @@ noblacklist ${DOCUMENTS}
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -40,4 +41,5 @@ private-dev
 private-etc alternatives,fonts
 private-tmp
 
+memory-deny-write-execute
 read-only ${HOME}
diff --git a/etc/musescore.profile b/etc/musescore.profile
index 5f009c681..9750a31f4 100644
--- a/etc/musescore.profile
+++ b/etc/musescore.profile
@@ -15,6 +15,7 @@ noblacklist ${MUSIC}
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -38,6 +39,3 @@ tracelog
 
 # private-bin musescore,mscore
 private-tmp
-
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/mypaint.profile b/etc/mypaint.profile
index 21fd841cf..615bb60d1 100644
--- a/etc/mypaint.profile
+++ b/etc/mypaint.profile
@@ -15,6 +15,7 @@ noblacklist ${PICTURES}
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -44,5 +45,3 @@ private-dev
 private-etc alternatives,fonts,gtk-3.0,dconf
 private-tmp
 
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/nano.profile b/etc/nano.profile
index ed172b37c..50e251d49 100644
--- a/etc/nano.profile
+++ b/etc/nano.profile
@@ -11,6 +11,7 @@ noblacklist ${HOME}/.nanorc
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -43,5 +44,3 @@ private-dev
 private-etc alternatives,nanorc
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/natron.profile b/etc/natron.profile
index 790fe437d..85e23c759 100644
--- a/etc/natron.profile
+++ b/etc/natron.profile
@@ -5,11 +5,13 @@ include natron.local
 # Persistent global definitions
 include globals.local
 
-# Allow access to python
+# Allow python (blacklisted by disable-interpreters.inc)
 noblacklist ${PATH}/python2*
 noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python2*
+noblacklist /usr/local/lib/python3*
 
 noblacklist ${HOME}/.Natron
 noblacklist ${HOME}/.cache/INRIA/Natron
diff --git a/etc/nautilus.profile b/etc/nautilus.profile
index b5e65e3ee..1d68ef8e3 100644
--- a/etc/nautilus.profile
+++ b/etc/nautilus.profile
@@ -19,6 +19,8 @@ noblacklist ${PATH}/python2*
 noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python2*
+noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/nemo.profile b/etc/nemo.profile
index 8da094015..2364ea4a7 100644
--- a/etc/nemo.profile
+++ b/etc/nemo.profile
@@ -16,6 +16,8 @@ noblacklist ${PATH}/python2*
 noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python2*
+noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/netactview.profile b/etc/netactview.profile
index 58235c31b..c91822a9d 100644
--- a/etc/netactview.profile
+++ b/etc/netactview.profile
@@ -10,6 +10,7 @@ noblacklist ${HOME}/.netactview
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -47,5 +48,3 @@ private-lib
 private-tmp
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/nethack-vultures.profile b/etc/nethack-vultures.profile
new file mode 100644
index 000000000..771430337
--- /dev/null
+++ b/etc/nethack-vultures.profile
@@ -0,0 +1,47 @@
+# Firejail profile for nethack-vultures
+# Description: A rogue-like single player dungeon exploration game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include nethack.local
+# Persistent global definitions
+include globals.local
+
+
+noblacklist ${HOME}/.vultures
+noblacklist /var/log
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.vultures
+whitelist ${HOME}/.vultures
+whitelist /var/log/vultures
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+net none
+nodbus
+nodvd
+nogroups
+#nonewprivs
+#noroot
+notv
+novideo
+#protocol unix,netlink
+#seccomp
+shell none
+
+disable-mnt
+#private
+private-cache
+private-dev
+private-tmp
+writable-var
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/nitroshare.profile b/etc/nitroshare.profile
index bf8fff7cd..4d2c5bdf2 100644
--- a/etc/nitroshare.profile
+++ b/etc/nitroshare.profile
@@ -14,6 +14,8 @@ noblacklist ${PATH}/python2*
 noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python2*
+noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/nomacs.profile b/etc/nomacs.profile
new file mode 100644
index 000000000..4bda5cbce
--- /dev/null
+++ b/etc/nomacs.profile
@@ -0,0 +1,48 @@
+# Firejail profile for nomacs
+# Description: a fast and small image viewer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include nomacs.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/nomacs
+noblacklist ${HOME}/.local/share/nomacs
+noblacklist ${HOME}/.local/share/data/nomacs
+noblacklist ${PICTURES}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+#private-bin nomacs
+private-cache
+private-dev
+private-etc alternatives,hosts,ca-certificates,ssl,pki,crypto-policies,resolv.conf,drirc,fonts,gtk-3.0,dconf,machine-id,login.defs
+private-tmp
+
+memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/obs.profile b/etc/obs.profile
index 87afdc222..5e3ce092a 100644
--- a/etc/obs.profile
+++ b/etc/obs.profile
@@ -15,6 +15,8 @@ noblacklist ${PATH}/python2*
 noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python2*
+noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/ocenaudio.profile b/etc/ocenaudio.profile
index be218e3a8..ceeb59384 100644
--- a/etc/ocenaudio.profile
+++ b/etc/ocenaudio.profile
@@ -12,6 +12,7 @@ noblacklist ${MUSIC}
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -47,5 +48,3 @@ private-etc alternatives,asound.conf,fonts,ld.so.cache,pulse
 private-tmp
 
 # memory-deny-write-execute - breaks on Arch
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/okular.profile b/etc/okular.profile
index 0192a1d3d..48e45ca3f 100644
--- a/etc/okular.profile
+++ b/etc/okular.profile
@@ -20,6 +20,7 @@ noblacklist ${DOCUMENTS}
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -52,7 +53,5 @@ private-etc alternatives,cups,fonts,kde4rc,kde5rc,ld.so.cache,machine-id,xdg
 # private-tmp - on KDE we need access to the real /tmp for data exchange with email clients
 
 # memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
 
 join-or-start okular
diff --git a/etc/onionshare-gui.profile b/etc/onionshare-gui.profile
index 1955901b0..75f6194a6 100644
--- a/etc/onionshare-gui.profile
+++ b/etc/onionshare-gui.profile
@@ -10,6 +10,7 @@ noblacklist ${HOME}/.config/onionshare
 # Allow python (blacklisted by disable-interpreters.inc)
 noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/opencity.profile b/etc/opencity.profile
new file mode 100644
index 000000000..6a27c8095
--- /dev/null
+++ b/etc/opencity.profile
@@ -0,0 +1,44 @@
+# Firejail profile for opencity
+# Description: Full 3D city simulator game project
+# This file is overwritten after every install/update
+# Persistent local customizations
+include opencity.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.opencity
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.opencity
+whitelist ${HOME}/.opencity
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+net none
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin opencity
+private-cache
+private-dev
+private-tmp
diff --git a/etc/openclonk.profile b/etc/openclonk.profile
new file mode 100644
index 000000000..02663c2f4
--- /dev/null
+++ b/etc/openclonk.profile
@@ -0,0 +1,44 @@
+# Firejail profile for openclonk
+# Description: Multiplayer action, tactics and skill game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include openclonk.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.clonk
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.clonk
+whitelist ${HOME}/.clonk
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+net none
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin openclonk,c4group
+private-cache
+private-dev
+private-tmp
diff --git a/etc/openshot.profile b/etc/openshot.profile
index e383ecf06..cfda1d0ce 100644
--- a/etc/openshot.profile
+++ b/etc/openshot.profile
@@ -14,9 +14,12 @@ noblacklist ${PATH}/python2*
 noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python2*
+noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -40,5 +43,3 @@ shell none
 private-dev
 private-tmp
 
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/openttd.profile b/etc/openttd.profile
new file mode 100644
index 000000000..5de4d325d
--- /dev/null
+++ b/etc/openttd.profile
@@ -0,0 +1,44 @@
+# Firejail profile for openttd
+# Description: Transport system simulation game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include openttd.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.openttd
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.openttd
+whitelist ${HOME}/.openttd
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin openttd
+private-cache
+private-dev
+private-tmp
diff --git a/etc/ostrichriders.profile b/etc/ostrichriders.profile
new file mode 100644
index 000000000..bef784126
--- /dev/null
+++ b/etc/ostrichriders.profile
@@ -0,0 +1,45 @@
+# Firejail profile for ostrichriders
+# Description: Knights flying on ostriches compete against other riders
+# This file is overwritten after every install/update
+# Persistent local customizations
+include ostrichriders.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.ostrichriders
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.ostrichriders
+whitelist ${HOME}/.ostrichriders
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+net none
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,netlink
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin ostrichriders
+private-cache
+# private-dev should be commented for controllers
+private-dev
+private-tmp
diff --git a/etc/patch.profile b/etc/patch.profile
index c0937bfc5..9515bffdf 100644
--- a/etc/patch.profile
+++ b/etc/patch.profile
@@ -11,6 +11,7 @@ noblacklist ${DOCUMENTS}
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-xdg.inc
@@ -39,5 +40,3 @@ private-dev
 private-lib libfakeroot
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/pavucontrol.profile b/etc/pavucontrol.profile
index 6bda9e7d3..18b9b7fc6 100644
--- a/etc/pavucontrol.profile
+++ b/etc/pavucontrol.profile
@@ -10,6 +10,7 @@ noblacklist ${HOME}/.config/pavucontrol.ini
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -19,7 +20,7 @@ include whitelist-var-common.inc
 
 apparmor
 caps.drop all
-ipc-namespace
+#ipc-namespace
 net none
 no3d
 nodbus
@@ -43,5 +44,3 @@ private-lib
 private-tmp
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/pdfchain.profile b/etc/pdfchain.profile
index d9f721578..98a9f1840 100644
--- a/etc/pdfchain.profile
+++ b/etc/pdfchain.profile
@@ -9,6 +9,7 @@ noblacklist ${DOCUMENTS}
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -38,5 +39,3 @@ private-etc alternatives,dconf,fonts,gtk-3.0,xdg
 private-tmp
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/picard.profile b/etc/picard.profile
index dc13d7d6e..26002e14d 100644
--- a/etc/picard.profile
+++ b/etc/picard.profile
@@ -15,6 +15,8 @@ noblacklist ${PATH}/python2*
 noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python2*
+noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/pidgin.profile b/etc/pidgin.profile
index 91a204557..444478149 100644
--- a/etc/pidgin.profile
+++ b/etc/pidgin.profile
@@ -6,14 +6,24 @@ include pidgin.local
 # Persistent global definitions
 include globals.local
 
+mkdir ${HOME}/.purple
 noblacklist ${HOME}/.purple
+whitelist ${HOME}/.purple
+
+ignore noexec ${RUNUSER}
+ignore noexec /dev/shm
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-xdg.inc
+include whitelist-common.inc
+include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 netfilter
 nodvd
@@ -24,13 +34,10 @@ notv
 nou2f
 protocol unix,inet,inet6
 seccomp
-shell none
+# shell none
 tracelog
 
-private-bin pidgin
+# private-bin pidgin
 private-cache
 private-dev
 private-tmp
-
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/pioneer.profile b/etc/pioneer.profile
new file mode 100644
index 000000000..a240aa5fc
--- /dev/null
+++ b/etc/pioneer.profile
@@ -0,0 +1,44 @@
+# Firejail profile for pioneer
+# Description: A game of lonely space adventure
+# This file is overwritten after every install/update
+# Persistent local customizations
+include pioneer.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.pioneer
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.pioneer
+whitelist ${HOME}/.pioneer
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+net none
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,netlink
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin pioneer,modelcompiler,savegamedump
+private-cache
+private-dev
+private-tmp
diff --git a/etc/pithos.profile b/etc/pithos.profile
index b201dcfea..6492ace7b 100644
--- a/etc/pithos.profile
+++ b/etc/pithos.profile
@@ -11,6 +11,8 @@ noblacklist ${PATH}/python2*
 noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python2*
+noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/pitivi.profile b/etc/pitivi.profile
index 5bd6fd357..ac7922833 100644
--- a/etc/pitivi.profile
+++ b/etc/pitivi.profile
@@ -14,6 +14,8 @@ noblacklist ${PATH}/python2*
 noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python2*
+noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/playonlinux.profile b/etc/playonlinux.profile
index c97c27435..2f287223b 100644
--- a/etc/playonlinux.profile
+++ b/etc/playonlinux.profile
@@ -20,6 +20,8 @@ noblacklist ${PATH}/python2*
 noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python2*
+noblacklist /usr/local/lib/python3*
 
 # Allow perl (blacklisted by disable-interpreters.inc)
 noblacklist ${PATH}/cpan*
diff --git a/etc/pluma.profile b/etc/pluma.profile
index a8b1e4cc6..25142bc18 100644
--- a/etc/pluma.profile
+++ b/etc/pluma.profile
@@ -10,6 +10,7 @@ noblacklist ${HOME}/.config/pluma
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -42,7 +43,5 @@ private-lib pluma
 private-tmp
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
 
 join-or-start pluma
diff --git a/etc/pybitmessage.profile b/etc/pybitmessage.profile
index 92cae0f97..63ae156a1 100644
--- a/etc/pybitmessage.profile
+++ b/etc/pybitmessage.profile
@@ -14,6 +14,8 @@ noblacklist ${PATH}/python2*
 noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python2*
+noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/pycharm-community.profile b/etc/pycharm-community.profile
index bfe8b614e..3caaacf09 100644
--- a/etc/pycharm-community.profile
+++ b/etc/pycharm-community.profile
@@ -5,7 +5,6 @@ include pycharm-community.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/snap
 noblacklist ${HOME}/.PyCharmCE*
 noblacklist ${HOME}/.python-history
 noblacklist ${HOME}/.java
diff --git a/etc/qbittorrent.profile b/etc/qbittorrent.profile
index 7b1f05574..b0a6a0016 100644
--- a/etc/qbittorrent.profile
+++ b/etc/qbittorrent.profile
@@ -16,9 +16,12 @@ noblacklist ${PATH}/python2*
 noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python2*
+noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -59,5 +62,3 @@ private-dev
 private-tmp
 
 # memory-deny-write-execute - problems on  Arch, see #1690 on GitHub repo
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/qpdfview.profile b/etc/qpdfview.profile
index 06598c769..6cb3fe4cd 100644
--- a/etc/qpdfview.profile
+++ b/etc/qpdfview.profile
@@ -12,6 +12,7 @@ noblacklist ${DOCUMENTS}
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -39,5 +40,3 @@ private-dev
 private-tmp
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/qtox.profile b/etc/qtox.profile
index 3dc4c6a30..0ca5a5ef0 100644
--- a/etc/qtox.profile
+++ b/etc/qtox.profile
@@ -10,9 +10,11 @@ noblacklist ${HOME}/.config/tox
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-xdg.inc
 
 mkdir ${HOME}/.config/tox
 whitelist ${DOWNLOADS}
@@ -20,9 +22,11 @@ whitelist ${HOME}/.config/tox
 include whitelist-common.inc
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 ipc-namespace
 netfilter
+nodbus
 nodvd
 nogroups
 nonewprivs
@@ -36,9 +40,9 @@ tracelog
 
 disable-mnt
 private-bin qtox
-private-etc alternatives,fonts,resolv.conf,ld.so.cache,localtime,ca-certificates,ssl,pki,crypto-policies,machine-id,pulse
+private-cache
 private-dev
+private-etc alternatives,fonts,resolv.conf,ld.so.cache,localtime,ca-certificates,ssl,pki,crypto-policies,machine-id,pulse
 private-tmp
 
-noexec ${HOME}
-noexec /tmp
+memory-deny-write-execute
diff --git a/etc/qutebrowser.profile b/etc/qutebrowser.profile
index ac9f9bfd9..9e3853a09 100644
--- a/etc/qutebrowser.profile
+++ b/etc/qutebrowser.profile
@@ -15,6 +15,8 @@ noblacklist ${PATH}/python2*
 noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python2*
+noblacklist /usr/local/lib/python3*
 
 # with >=llvm-4 mesa drivers need llvm stuff
 noblacklist /usr/lib/llvm*
diff --git a/etc/ranger.profile b/etc/ranger.profile
index ee1ef0f9d..1e50ca9fa 100644
--- a/etc/ranger.profile
+++ b/etc/ranger.profile
@@ -15,6 +15,8 @@ noblacklist ${PATH}/python2*
 noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python2*
+noblacklist /usr/local/lib/python3*
 
 # Allow perl
 # noblacklist ${PATH}/cpan*
diff --git a/etc/redshift.profile b/etc/redshift.profile
index 351b54075..e60877172 100644
--- a/etc/redshift.profile
+++ b/etc/redshift.profile
@@ -12,6 +12,7 @@ noblacklist ${HOME}/.config/redshift.conf
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-passwdmgr.inc
 include disable-interpreters.inc
 include disable-programs.inc
@@ -45,5 +46,3 @@ private-dev
 private-tmp
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/regextester.profile b/etc/regextester.profile
index 19d6a89f4..c7c59bec2 100644
--- a/etc/regextester.profile
+++ b/etc/regextester.profile
@@ -8,6 +8,7 @@ include globals.local
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-passwdmgr.inc
 include disable-interpreters.inc
 include disable-programs.inc
@@ -45,8 +46,6 @@ private-lib libgranite.so.*
 private-tmp
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
 
 # never write anything
 read-only ${HOME}
diff --git a/etc/rhythmbox.profile b/etc/rhythmbox.profile
index 6b673a924..df874f378 100644
--- a/etc/rhythmbox.profile
+++ b/etc/rhythmbox.profile
@@ -12,6 +12,7 @@ noblacklist ${HOME}/.local/share/rhythmbox
 include disable-common.inc
 include disable-devel.inc
 # rhythmbox is using Python
+include disable-exec.inc
 #include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -39,5 +40,3 @@ private-bin rhythmbox
 private-dev
 private-tmp
 
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/scorched3d.profile b/etc/scorched3d.profile
new file mode 100644
index 000000000..e94d436cf
--- /dev/null
+++ b/etc/scorched3d.profile
@@ -0,0 +1,44 @@
+# Firejail profile for scorched3d
+# Description: Game based loosely on the classic DOS game Scorched Earth
+# This file is overwritten after every install/update
+# Persistent local customizations
+include scorched3d.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.scorched3d
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.scorched3d
+whitelist ${HOME}/.scorched3d
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin scorched3d,scorched3d-wrapper,scorched3dc,scorched3ds
+private-cache
+private-dev
+private-tmp
diff --git a/etc/scribus.profile b/etc/scribus.profile
index a8e510b8a..5bec43d85 100644
--- a/etc/scribus.profile
+++ b/etc/scribus.profile
@@ -31,6 +31,8 @@ noblacklist ${PATH}/python2*
 noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python2*
+noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/sdat2img.profile b/etc/sdat2img.profile
index 01a056767..d78b51766 100644
--- a/etc/sdat2img.profile
+++ b/etc/sdat2img.profile
@@ -11,6 +11,8 @@ noblacklist ${PATH}/python2*
 noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python2*
+noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/seahorse-daemon.profile b/etc/seahorse-daemon.profile
new file mode 100644
index 000000000..1beb0edc6
--- /dev/null
+++ b/etc/seahorse-daemon.profile
@@ -0,0 +1,15 @@
+# Firejail profile for seahorse-daemon
+# Description: PGP encryption and signing
+# This file is overwritten after every install/update
+# Persistent local customizations
+include seahorse-daemon.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+blacklist /tmp/.X11-unix
+
+memory-deny-write-execute
+
+# Redirect
+include seahorse.profile
diff --git a/etc/seahorse-tool.profile b/etc/seahorse-tool.profile
index bbab69162..96f365a4b 100644
--- a/etc/seahorse-tool.profile
+++ b/etc/seahorse-tool.profile
@@ -7,22 +7,11 @@ include seahorse-tool.local
 # added by included profile
 #include globals.local
 
-# dconf
-mkdir ${HOME}/.config/dconf
-whitelist ${HOME}/.config/dconf
+noblacklist ${DOWNLOADS}
 
-include disable-xdg.inc
-include whitelist-var-common.inc
-
-apparmor
-ipc-namespace
-
-disable-mnt
 private-tmp
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
 
 # Redirect
-include gpg.profile
+include seahorse.profile
diff --git a/etc/seahorse.profile b/etc/seahorse.profile
index 0bf3b89fd..cd9f6c767 100644
--- a/etc/seahorse.profile
+++ b/etc/seahorse.profile
@@ -4,22 +4,57 @@
 # Persistent local customizations
 include seahorse.local
 # Persistent global definitions
-# added by included profile
-#include globals.local
+include globals.local
 
 # dconf
-mkdir ${HOME}/.config/dconf
+noblacklist ${HOME}/.config/dconf
 whitelist ${HOME}/.config/dconf
 
+# gpg
+mkdir ${HOME}/.gnupg
+noblacklist ${HOME}/.gnupg
+whitelist ${HOME}/.gnupg
+
 # ssh
+whitelist /etc/ld.so.preload
 noblacklist /etc/ssh
+whitelist /etc/ssh
 noblacklist /tmp/ssh-*
+whitelist /tmp/ssh-*
+mkdir ${HOME}/.ssh
 noblacklist ${HOME}/.ssh
+whitelist ${HOME}/.ssh
 
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+include whitelist-common.inc
 include whitelist-var-common.inc
 
 apparmor
-ipc-namespace
+caps.drop all
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+# shell none - causes gpg to hang
+tracelog
+
+disable-mnt
+private-cache
+private-dev
 
-# Redirect
-include gpg.profile
+writable-run-user
diff --git a/etc/server.profile b/etc/server.profile
index 8da4853e7..686268a18 100644
--- a/etc/server.profile
+++ b/etc/server.profile
@@ -17,10 +17,11 @@ noblacklist /usr/sbin
 
 include disable-common.inc
 # include disable-devel.inc
+# include disable-exec.inc
 # include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
-#include disable-xdg.inc
+# include disable-xdg.inc
 
 caps
 # ipc-namespace
@@ -48,5 +49,3 @@ private-dev
 private-tmp
 
 # memory-deny-write-execute
-# noexec ${HOME}
-# noexec /tmp
diff --git a/etc/simplescreenrecorder.profile b/etc/simplescreenrecorder.profile
index 6862d51ee..ead475e07 100644
--- a/etc/simplescreenrecorder.profile
+++ b/etc/simplescreenrecorder.profile
@@ -10,6 +10,7 @@ noblacklist ${VIDEOS}
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -17,7 +18,6 @@ include disable-xdg.inc
 
 apparmor
 caps.drop all
-net none
 nodvd
 nogroups
 nonewprivs
@@ -35,5 +35,3 @@ private-dev
 private-tmp
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/slashem.profile b/etc/slashem.profile
new file mode 100644
index 000000000..0a372ce5f
--- /dev/null
+++ b/etc/slashem.profile
@@ -0,0 +1,47 @@
+# Firejail profile for slashem
+# Description: A rogue-like single player dungeon exploration game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include slashem.local
+# Persistent global definitions
+include globals.local
+
+
+noblacklist /var/games/slashem
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+whitelist /var/games/slashem
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+net none
+no3d
+nodbus
+nodvd
+nogroups
+#nonewprivs
+#noroot
+nosound
+notv
+novideo
+#protocol unix,netlink
+#seccomp
+shell none
+
+disable-mnt
+#private
+private-cache
+private-dev
+private-tmp
+writable-var
+
+#memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/smplayer.profile b/etc/smplayer.profile
index 57ab2cde6..e347d23d6 100644
--- a/etc/smplayer.profile
+++ b/etc/smplayer.profile
@@ -13,6 +13,7 @@ noblacklist ${VIDEOS}
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -36,5 +37,3 @@ private-bin smplayer,smtube,mplayer,mpv
 private-dev
 private-tmp
 
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/soundconverter.profile b/etc/soundconverter.profile
index d34ccf901..4d6e80840 100644
--- a/etc/soundconverter.profile
+++ b/etc/soundconverter.profile
@@ -13,9 +13,12 @@ noblacklist ${PATH}/python2*
 noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python2*
+noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -23,8 +26,10 @@ include disable-xdg.inc
 
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
-net none
+ipc-namespace
+machine-id
 no3d
 nodvd
 nogroups
@@ -42,5 +47,3 @@ private-cache
 private-dev
 private-tmp
 
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/sqlitebrowser.profile b/etc/sqlitebrowser.profile
index 8122079e1..4758871d3 100644
--- a/etc/sqlitebrowser.profile
+++ b/etc/sqlitebrowser.profile
@@ -11,6 +11,7 @@ noblacklist ${DOCUMENTS}
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -42,5 +43,3 @@ private-etc alternatives,ca-certificates,crypto-policies,fonts,group,machine-id,
 private-tmp
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/ssh-agent.profile b/etc/ssh-agent.profile
index 02b66955f..8aafca8aa 100644
--- a/etc/ssh-agent.profile
+++ b/etc/ssh-agent.profile
@@ -16,7 +16,6 @@ include disable-common.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
-shell none
 caps.drop all
 netfilter
 no3d
@@ -26,4 +25,6 @@ noroot
 notv
 protocol unix,inet,inet6
 seccomp
+shell none
+
 writable-run-user
diff --git a/etc/ssh.profile b/etc/ssh.profile
index de627dcf0..4c8af65b8 100644
--- a/etc/ssh.profile
+++ b/etc/ssh.profile
@@ -12,6 +12,7 @@ noblacklist /tmp/ssh-*
 noblacklist ${HOME}/.ssh
 
 include disable-common.inc
+include disable-exec.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
@@ -36,6 +37,4 @@ private-dev
 # private-tmp # Breaks when exiting
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
 writable-run-user
diff --git a/etc/standardnotes-desktop.profile b/etc/standardnotes-desktop.profile
index ba7248b73..5458120ef 100644
--- a/etc/standardnotes-desktop.profile
+++ b/etc/standardnotes-desktop.profile
@@ -10,6 +10,7 @@ noblacklist ${HOME}/.config/Standard Notes
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -40,5 +41,3 @@ private-dev
 private-tmp
 private-etc alternatives,ca-certificates,fonts,host.conf,hostname,hosts,resolv.conf,ssl,pki,crypto-policies,xdg
 
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/start-tor-browser.desktop.profile b/etc/start-tor-browser.desktop.profile
index 2b01eca88..a61038157 100644
--- a/etc/start-tor-browser.desktop.profile
+++ b/etc/start-tor-browser.desktop.profile
@@ -1,66 +1,75 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
-
-
-noblacklist ${HOME}/.tor-browser-ar:
-mkdir ${HOME}/.tor-browser-ar:
-whitelist ${HOME}/.tor-browser-ar:
-
-noblacklist ${HOME}/.tor-browser-en:
-mkdir ${HOME}/.tor-browser-en:
-whitelist ${HOME}/.tor-browser-en:
-
-noblacklist ${HOME}/.tor-browser-en-us:
-mkdir ${HOME}/.tor-browser-en-us:
-whitelist ${HOME}/.tor-browser-en-us:
-
-noblacklist ${HOME}/.tor-browser-es:
-mkdir ${HOME}/.tor-browser-es:
-whitelist ${HOME}/.tor-browser-es:
-
-noblacklist ${HOME}/.tor-browser-es-es:
-mkdir ${HOME}/.tor-browser-es-es:
-whitelist ${HOME}/.tor-browser-es-es:
-
-noblacklist ${HOME}/.tor-browser-fa:
-mkdir ${HOME}/.tor-browser-fa:
-whitelist ${HOME}/.tor-browser-fa:
-
-noblacklist ${HOME}/.tor-browser-fr:
-mkdir ${HOME}/.tor-browser-fr:
-whitelist ${HOME}/.tor-browser-fr:
-
-noblacklist ${HOME}/.tor-browser-it:
-mkdir ${HOME}/.tor-browser-it:
-whitelist ${HOME}/.tor-browser-it:
-
-noblacklist ${HOME}/.tor-browser-ja:
-mkdir ${HOME}/.tor-browser-ja:
-whitelist ${HOME}/.tor-browser-ja:
-
-noblacklist ${HOME}/.tor-browser-ko:
-mkdir ${HOME}/.tor-browser-ko:
-whitelist ${HOME}/.tor-browser-ko:
-
-noblacklist ${HOME}/.tor-browser-pl:
-mkdir ${HOME}/.tor-browser-pl:
-whitelist ${HOME}/.tor-browser-pl:
-
-noblacklist ${HOME}/.tor-browser-pt-br:
-mkdir ${HOME}/.tor-browser-pt-br:
-whitelist ${HOME}/.tor-browser-pt-br:
-
-noblacklist ${HOME}/.tor-browser-ru:
-mkdir ${HOME}/.tor-browser-ru:
-whitelist ${HOME}/.tor-browser-ru:
-
-noblacklist ${HOME}/.tor-browser-vi:
-mkdir ${HOME}/.tor-browser-vi:
-whitelist ${HOME}/.tor-browser-vi:
-
-noblacklist ${HOME}/.tor-browser-zh-cn:
-mkdir ${HOME}/.tor-browser-zh-cn:
-whitelist ${HOME}/.tor-browser-zh-cn:
+# Persistent local customizations
+include start-tor-browser.desktop.local
+
+
+noblacklist ${HOME}/.tor-browser-*
+noblacklist ${HOME}/.tor-browser_*
+
+whitelist ${HOME}/.tor-browser-ar
+whitelist ${HOME}/.tor-browser-ca
+whitelist ${HOME}/.tor-browser-cs
+whitelist ${HOME}/.tor-browser-da
+whitelist ${HOME}/.tor-browser-de
+whitelist ${HOME}/.tor-browser-el
+whitelist ${HOME}/.tor-browser-en
+whitelist ${HOME}/.tor-browser-en-us
+whitelist ${HOME}/.tor-browser-es
+whitelist ${HOME}/.tor-browser-es-es
+whitelist ${HOME}/.tor-browser-fa
+whitelist ${HOME}/.tor-browser-fr
+whitelist ${HOME}/.tor-browser-ga-ie
+whitelist ${HOME}/.tor-browser-he
+whitelist ${HOME}/.tor-browser-hu
+whitelist ${HOME}/.tor-browser-id
+whitelist ${HOME}/.tor-browser-is
+whitelist ${HOME}/.tor-browser-it
+whitelist ${HOME}/.tor-browser-ja
+whitelist ${HOME}/.tor-browser-ka
+whitelist ${HOME}/.tor-browser-ko
+whitelist ${HOME}/.tor-browser-nb
+whitelist ${HOME}/.tor-browser-nl
+whitelist ${HOME}/.tor-browser-pl
+whitelist ${HOME}/.tor-browser-pt-br
+whitelist ${HOME}/.tor-browser-ru
+whitelist ${HOME}/.tor-browser-sv-se
+whitelist ${HOME}/.tor-browser-tr
+whitelist ${HOME}/.tor-browser-vi
+whitelist ${HOME}/.tor-browser-zh-cn
+whitelist ${HOME}/.tor-browser-zh-tw
+
+whitelist ${HOME}/.tor-browser_ar
+whitelist ${HOME}/.tor-browser_ca
+whitelist ${HOME}/.tor-browser_cs
+whitelist ${HOME}/.tor-browser_da
+whitelist ${HOME}/.tor-browser_de
+whitelist ${HOME}/.tor-browser_el
+whitelist ${HOME}/.tor-browser_en
+whitelist ${HOME}/.tor-browser_en_US
+whitelist ${HOME}/.tor-browser_es
+whitelist ${HOME}/.tor-browser_es-ES
+whitelist ${HOME}/.tor-browser_fa
+whitelist ${HOME}/.tor-browser_fr
+whitelist ${HOME}/.tor-browser_ga-IE
+whitelist ${HOME}/.tor-browser_he
+whitelist ${HOME}/.tor-browser_hu
+whitelist ${HOME}/.tor-browser_id
+whitelist ${HOME}/.tor-browser_is
+whitelist ${HOME}/.tor-browser_it
+whitelist ${HOME}/.tor-browser_ja
+whitelist ${HOME}/.tor-browser_ka
+whitelist ${HOME}/.tor-browser_ko
+whitelist ${HOME}/.tor-browser_nb
+whitelist ${HOME}/.tor-browser_nl
+whitelist ${HOME}/.tor-browser_pl
+whitelist ${HOME}/.tor-browser_pt-BR
+whitelist ${HOME}/.tor-browser_ru
+whitelist ${HOME}/.tor-browser_sv-SE
+whitelist ${HOME}/.tor-browser_tr
+whitelist ${HOME}/.tor-browser_vi
+whitelist ${HOME}/.tor-browser_zh-CN
+whitelist ${HOME}/.tor-browser_zh-TW
 
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/start-tor-browser.profile b/etc/start-tor-browser.profile
index b0cb52a0f..8acf77349 100644
--- a/etc/start-tor-browser.profile
+++ b/etc/start-tor-browser.profile
@@ -5,9 +5,11 @@ include start-tor-browser.local
 # Persistent global definitions
 include globals.local
 
+ignore noexec ${HOME}
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -36,5 +38,3 @@ private-bin bash,sh,grep,tail,env,gpg,id,readlink,dirname,test,mkdir,ln,sed,cp,r
 private-dev
 private-etc alternatives,fonts,hostname,hosts,resolv.conf,pki,ssl,ca-certificates,crypto-policies,alsa,asound.conf,pulse,machine-id,ld.so.cache
 private-tmp
-
-noexec /tmp
diff --git a/etc/steam.profile b/etc/steam.profile
index 9d348347e..8f08b18f0 100644
--- a/etc/steam.profile
+++ b/etc/steam.profile
@@ -36,6 +36,8 @@ noblacklist ${PATH}/python2*
 noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python2*
+noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/strings.profile b/etc/strings.profile
index ca7bd0922..0caecdf7b 100644
--- a/etc/strings.profile
+++ b/etc/strings.profile
@@ -8,6 +8,7 @@ include strings.local
 #include globals.local
 
 blacklist /tmp/.X11-unix
+include disable-exec.inc
 
 ignore noroot
 net none
@@ -28,7 +29,5 @@ private-etc alternatives
 private-lib libfakeroot
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
 
 include default.profile
diff --git a/etc/subdownloader.profile b/etc/subdownloader.profile
index 009cf65df..c07131893 100644
--- a/etc/subdownloader.profile
+++ b/etc/subdownloader.profile
@@ -14,9 +14,12 @@ noblacklist ${PATH}/python2*
 noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python2*
+noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -42,5 +45,3 @@ private-etc alternatives,fonts
 private-tmp
 
 # memory-deny-write-execute - Breaks on Arch
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/supertuxkart.profile b/etc/supertuxkart.profile
index 696ac4de0..60d80ecd4 100644
--- a/etc/supertuxkart.profile
+++ b/etc/supertuxkart.profile
@@ -12,6 +12,7 @@ noblacklist ${HOME}/.local/share/supertuxkart
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
@@ -51,5 +52,3 @@ private-tmp
 private-opt none
 private-srv none
 
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/sysprof.profile b/etc/sysprof.profile
index eedf4c4b4..3cfea5c5e 100644
--- a/etc/sysprof.profile
+++ b/etc/sysprof.profile
@@ -8,6 +8,7 @@ include globals.local
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -43,5 +44,3 @@ private-etc alternatives,fonts,ld.so.cache,machine-id,ssl
 private-tmp
 
 # memory-deny-write-execute - Breaks GUI on Arch
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/tar.profile b/etc/tar.profile
index e1cfe9c80..14fc00d21 100644
--- a/etc/tar.profile
+++ b/etc/tar.profile
@@ -10,12 +10,20 @@ include tar.local
 
 blacklist /tmp/.X11-unix
 
-hostname tar
+include disable-exec.inc
+include disable-interpreters.inc
+
 ignore noroot
+
+apparmor
+hostname tar
+ipc-namespace
+machine-id
 net none
 no3d
 nodbus
 nodvd
+nogroups
 nosound
 notv
 nou2f
@@ -25,10 +33,13 @@ tracelog
 
 # support compressed archives
 private-bin sh,bash,tar,gtar,compress,gzip,lzma,xz,bzip2,lbzip2,lzip,lzop
+private-cache
 private-dev
 private-etc alternatives,passwd,group,localtime
 private-lib libfakeroot
 
+memory-deny-write-execute
+
 # Debian based distributions need this for 'dpkg --unpack' (incl. synaptic)
 writable-var
 
diff --git a/etc/teeworlds.profile b/etc/teeworlds.profile
new file mode 100644
index 000000000..782f337d3
--- /dev/null
+++ b/etc/teeworlds.profile
@@ -0,0 +1,44 @@
+# Firejail profile for teeworlds
+# Description: Online multi-player platform 2D shooter
+# This file is overwritten after every install/update
+# Persistent local customizations
+include teeworlds.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.teeworlds
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.teeworlds
+whitelist ${HOME}/.teeworlds
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin teeworlds
+private-cache
+private-dev
+private-tmp
diff --git a/etc/tor-browser-ca.profile b/etc/tor-browser-ca.profile
new file mode 100644
index 000000000..db70a7109
--- /dev/null
+++ b/etc/tor-browser-ca.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser-ca
+
+mkdir ${HOME}/.tor-browser-ca
+whitelist ${HOME}/.tor-browser-ca
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/tor-browser-cs.profile b/etc/tor-browser-cs.profile
new file mode 100644
index 000000000..77b271b68
--- /dev/null
+++ b/etc/tor-browser-cs.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser-cs
+
+mkdir ${HOME}/.tor-browser-cs
+whitelist ${HOME}/.tor-browser-cs
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/tor-browser-da.profile b/etc/tor-browser-da.profile
new file mode 100644
index 000000000..3b9fff9a4
--- /dev/null
+++ b/etc/tor-browser-da.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser-da
+
+mkdir ${HOME}/.tor-browser-da
+whitelist ${HOME}/.tor-browser-da
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/tor-browser-de.profile b/etc/tor-browser-de.profile
new file mode 100644
index 000000000..3b4f7f94f
--- /dev/null
+++ b/etc/tor-browser-de.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser-de
+
+mkdir ${HOME}/.tor-browser-de
+whitelist ${HOME}/.tor-browser-de
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/tor-browser-el.profile b/etc/tor-browser-el.profile
new file mode 100644
index 000000000..b978b6042
--- /dev/null
+++ b/etc/tor-browser-el.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser-el
+
+mkdir ${HOME}/.tor-browser-el
+whitelist ${HOME}/.tor-browser-el
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/tor-browser-ga-ie.profile b/etc/tor-browser-ga-ie.profile
new file mode 100644
index 000000000..994897a87
--- /dev/null
+++ b/etc/tor-browser-ga-ie.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser-ga-ie
+
+mkdir ${HOME}/.tor-browser-ga-ie
+whitelist ${HOME}/.tor-browser-ga-ie
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/tor-browser-he.profile b/etc/tor-browser-he.profile
new file mode 100644
index 000000000..6367b4c0a
--- /dev/null
+++ b/etc/tor-browser-he.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser-he
+
+mkdir ${HOME}/.tor-browser-he
+whitelist ${HOME}/.tor-browser-he
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/tor-browser-hu.profile b/etc/tor-browser-hu.profile
new file mode 100644
index 000000000..68e79833e
--- /dev/null
+++ b/etc/tor-browser-hu.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser-hu
+
+mkdir ${HOME}/.tor-browser-hu
+whitelist ${HOME}/.tor-browser-hu
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/tor-browser-id.profile b/etc/tor-browser-id.profile
new file mode 100644
index 000000000..85b455ba2
--- /dev/null
+++ b/etc/tor-browser-id.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser-id
+
+mkdir ${HOME}/.tor-browser-id
+whitelist ${HOME}/.tor-browser-id
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/tor-browser-is.profile b/etc/tor-browser-is.profile
new file mode 100644
index 000000000..48e88db71
--- /dev/null
+++ b/etc/tor-browser-is.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser-is
+
+mkdir ${HOME}/.tor-browser-is
+whitelist ${HOME}/.tor-browser-is
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/tor-browser-ka.profile b/etc/tor-browser-ka.profile
new file mode 100644
index 000000000..173b85e5c
--- /dev/null
+++ b/etc/tor-browser-ka.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser-ka
+
+mkdir ${HOME}/.tor-browser-ka
+whitelist ${HOME}/.tor-browser-ka
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/tor-browser-nb.profile b/etc/tor-browser-nb.profile
new file mode 100644
index 000000000..d1352dd80
--- /dev/null
+++ b/etc/tor-browser-nb.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser-nb
+
+mkdir ${HOME}/.tor-browser-nb
+whitelist ${HOME}/.tor-browser-nb
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/tor-browser-nl.profile b/etc/tor-browser-nl.profile
new file mode 100644
index 000000000..d4443cca2
--- /dev/null
+++ b/etc/tor-browser-nl.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser-nl
+
+mkdir ${HOME}/.tor-browser-nl
+whitelist ${HOME}/.tor-browser-nl
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/tor-browser-sv-se.profile b/etc/tor-browser-sv-se.profile
new file mode 100644
index 000000000..c8544262f
--- /dev/null
+++ b/etc/tor-browser-sv-se.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser-sv-se
+
+mkdir ${HOME}/.tor-browser-sv-se
+whitelist ${HOME}/.tor-browser-sv-se
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/tor-browser-tr.profile b/etc/tor-browser-tr.profile
new file mode 100644
index 000000000..2343fa8de
--- /dev/null
+++ b/etc/tor-browser-tr.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser-tr
+
+mkdir ${HOME}/.tor-browser-tr
+whitelist ${HOME}/.tor-browser-tr
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/tor-browser-zh-tw.profile b/etc/tor-browser-zh-tw.profile
new file mode 100644
index 000000000..6fe09c6c1
--- /dev/null
+++ b/etc/tor-browser-zh-tw.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser-zh-tw
+
+mkdir ${HOME}/.tor-browser-zh-tw
+whitelist ${HOME}/.tor-browser-zh-tw
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/tor-browser_ar.profile b/etc/tor-browser_ar.profile
new file mode 100644
index 000000000..1e1f5ce35
--- /dev/null
+++ b/etc/tor-browser_ar.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_ar
+
+mkdir ${HOME}/.tor-browser_ar
+whitelist ${HOME}/.tor-browser_ar
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/tor-browser_ca.profile b/etc/tor-browser_ca.profile
new file mode 100644
index 000000000..e114b6051
--- /dev/null
+++ b/etc/tor-browser_ca.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_ca
+
+mkdir ${HOME}/.tor-browser_ca
+whitelist ${HOME}/.tor-browser_ca
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/tor-browser_cs.profile b/etc/tor-browser_cs.profile
new file mode 100644
index 000000000..498068bc6
--- /dev/null
+++ b/etc/tor-browser_cs.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_cs
+
+mkdir ${HOME}/.tor-browser_cs
+whitelist ${HOME}/.tor-browser_cs
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/tor-browser_da.profile b/etc/tor-browser_da.profile
new file mode 100644
index 000000000..5c25c03c8
--- /dev/null
+++ b/etc/tor-browser_da.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_da
+
+mkdir ${HOME}/.tor-browser_da
+whitelist ${HOME}/.tor-browser_da
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/tor-browser_de.profile b/etc/tor-browser_de.profile
new file mode 100644
index 000000000..d530e7dbe
--- /dev/null
+++ b/etc/tor-browser_de.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_de
+
+mkdir ${HOME}/.tor-browser_de
+whitelist ${HOME}/.tor-browser_de
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/tor-browser_el.profile b/etc/tor-browser_el.profile
new file mode 100644
index 000000000..67d5ab440
--- /dev/null
+++ b/etc/tor-browser_el.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_el
+
+mkdir ${HOME}/.tor-browser_el
+whitelist ${HOME}/.tor-browser_el
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/tor-browser_en-US.profile b/etc/tor-browser_en-US.profile
new file mode 100644
index 000000000..b298ab2b8
--- /dev/null
+++ b/etc/tor-browser_en-US.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_en-US
+
+mkdir ${HOME}/.tor-browser_en-US
+whitelist ${HOME}/.tor-browser_en-US
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/tor-browser_en.profile b/etc/tor-browser_en.profile
new file mode 100644
index 000000000..6bb0616b1
--- /dev/null
+++ b/etc/tor-browser_en.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_en
+
+mkdir ${HOME}/.tor-browser_en
+whitelist ${HOME}/.tor-browser_en
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/tor-browser_es-ES.profile b/etc/tor-browser_es-ES.profile
new file mode 100644
index 000000000..78f57ffe5
--- /dev/null
+++ b/etc/tor-browser_es-ES.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_es-ES
+
+mkdir ${HOME}/.tor-browser_es-ES
+whitelist ${HOME}/.tor-browser_es-ES
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/tor-browser_es.profile b/etc/tor-browser_es.profile
new file mode 100644
index 000000000..ea34a07c9
--- /dev/null
+++ b/etc/tor-browser_es.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_es
+
+mkdir ${HOME}/.tor-browser_es
+whitelist ${HOME}/.tor-browser_es
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/tor-browser_fa.profile b/etc/tor-browser_fa.profile
new file mode 100644
index 000000000..fbc416ce5
--- /dev/null
+++ b/etc/tor-browser_fa.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_fa
+
+mkdir ${HOME}/.tor-browser_fa
+whitelist ${HOME}/.tor-browser_fa
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/tor-browser_fr.profile b/etc/tor-browser_fr.profile
new file mode 100644
index 000000000..caea6db5b
--- /dev/null
+++ b/etc/tor-browser_fr.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_fr
+
+mkdir ${HOME}/.tor-browser_fr
+whitelist ${HOME}/.tor-browser_fr
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/tor-browser_ga-IE.profile b/etc/tor-browser_ga-IE.profile
new file mode 100644
index 000000000..6342daebf
--- /dev/null
+++ b/etc/tor-browser_ga-IE.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_ga-IE
+
+mkdir ${HOME}/.tor-browser_ga-IE
+whitelist ${HOME}/.tor-browser_ga-IE
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/tor-browser_he.profile b/etc/tor-browser_he.profile
new file mode 100644
index 000000000..cc4150620
--- /dev/null
+++ b/etc/tor-browser_he.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_he
+
+mkdir ${HOME}/.tor-browser_he
+whitelist ${HOME}/.tor-browser_he
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/tor-browser_hu.profile b/etc/tor-browser_hu.profile
new file mode 100644
index 000000000..952a0b68a
--- /dev/null
+++ b/etc/tor-browser_hu.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_hu
+
+mkdir ${HOME}/.tor-browser_hu
+whitelist ${HOME}/.tor-browser_hu
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/tor-browser_id.profile b/etc/tor-browser_id.profile
new file mode 100644
index 000000000..a006b27c0
--- /dev/null
+++ b/etc/tor-browser_id.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_id
+
+mkdir ${HOME}/.tor-browser_id
+whitelist ${HOME}/.tor-browser_id
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/tor-browser_is.profile b/etc/tor-browser_is.profile
new file mode 100644
index 000000000..038e0fabb
--- /dev/null
+++ b/etc/tor-browser_is.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_is
+
+mkdir ${HOME}/.tor-browser_is
+whitelist ${HOME}/.tor-browser_is
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/tor-browser_it.profile b/etc/tor-browser_it.profile
new file mode 100644
index 000000000..3d2566994
--- /dev/null
+++ b/etc/tor-browser_it.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_it
+
+mkdir ${HOME}/.tor-browser_it
+whitelist ${HOME}/.tor-browser_it
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/tor-browser_ja.profile b/etc/tor-browser_ja.profile
new file mode 100644
index 000000000..08c942bcd
--- /dev/null
+++ b/etc/tor-browser_ja.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_ja
+
+mkdir ${HOME}/.tor-browser_ja
+whitelist ${HOME}/.tor-browser_ja
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/tor-browser_ka.profile b/etc/tor-browser_ka.profile
new file mode 100644
index 000000000..97664be4d
--- /dev/null
+++ b/etc/tor-browser_ka.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_ka
+
+mkdir ${HOME}/.tor-browser_ka
+whitelist ${HOME}/.tor-browser_ka
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/tor-browser_ko.profile b/etc/tor-browser_ko.profile
new file mode 100644
index 000000000..98cf1e3e1
--- /dev/null
+++ b/etc/tor-browser_ko.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_ko
+
+mkdir ${HOME}/.tor-browser_ko
+whitelist ${HOME}/.tor-browser_ko
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/tor-browser_nb.profile b/etc/tor-browser_nb.profile
new file mode 100644
index 000000000..6df840573
--- /dev/null
+++ b/etc/tor-browser_nb.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_nb
+
+mkdir ${HOME}/.tor-browser_nb
+whitelist ${HOME}/.tor-browser_nb
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/tor-browser_nl.profile b/etc/tor-browser_nl.profile
new file mode 100644
index 000000000..3f545f888
--- /dev/null
+++ b/etc/tor-browser_nl.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_nl
+
+mkdir ${HOME}/.tor-browser_nl
+whitelist ${HOME}/.tor-browser_nl
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/tor-browser_pl.profile b/etc/tor-browser_pl.profile
new file mode 100644
index 000000000..4e04dc027
--- /dev/null
+++ b/etc/tor-browser_pl.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_pl
+
+mkdir ${HOME}/.tor-browser_pl
+whitelist ${HOME}/.tor-browser_pl
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/tor-browser_pt-BR.profile b/etc/tor-browser_pt-BR.profile
new file mode 100644
index 000000000..7f864886c
--- /dev/null
+++ b/etc/tor-browser_pt-BR.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_pt-BR
+
+mkdir ${HOME}/.tor-browser_pt-BR
+whitelist ${HOME}/.tor-browser_pt-BR
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/tor-browser_ru.profile b/etc/tor-browser_ru.profile
new file mode 100644
index 000000000..2fae6fbe7
--- /dev/null
+++ b/etc/tor-browser_ru.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_ru
+
+mkdir ${HOME}/.tor-browser_ru
+whitelist ${HOME}/.tor-browser_ru
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/tor-browser_sv-SE.profile b/etc/tor-browser_sv-SE.profile
new file mode 100644
index 000000000..2157f8d2b
--- /dev/null
+++ b/etc/tor-browser_sv-SE.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_sv-SE
+
+mkdir ${HOME}/.tor-browser_sv-SE
+whitelist ${HOME}/.tor-browser_sv-SE
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/tor-browser_tr.profile b/etc/tor-browser_tr.profile
new file mode 100644
index 000000000..20ac246ca
--- /dev/null
+++ b/etc/tor-browser_tr.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_tr
+
+mkdir ${HOME}/.tor-browser_tr
+whitelist ${HOME}/.tor-browser_tr
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/tor-browser_vi.profile b/etc/tor-browser_vi.profile
new file mode 100644
index 000000000..4faa06ff6
--- /dev/null
+++ b/etc/tor-browser_vi.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_vi
+
+mkdir ${HOME}/.tor-browser_vi
+whitelist ${HOME}/.tor-browser_vi
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/tor-browser_zh-CN.profile b/etc/tor-browser_zh-CN.profile
new file mode 100644
index 000000000..e4d8215e6
--- /dev/null
+++ b/etc/tor-browser_zh-CN.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_zh-CN
+
+mkdir ${HOME}/.tor-browser_zh-CN
+whitelist ${HOME}/.tor-browser_zh-CN
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/tor-browser_zh-TW.profile b/etc/tor-browser_zh-TW.profile
new file mode 100644
index 000000000..8a28015a6
--- /dev/null
+++ b/etc/tor-browser_zh-TW.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_zh-TW
+
+mkdir ${HOME}/.tor-browser_zh-TW
+whitelist ${HOME}/.tor-browser_zh-TW
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/torbrowser-launcher.profile b/etc/torbrowser-launcher.profile
index 2b1cc6549..c7c810cda 100644
--- a/etc/torbrowser-launcher.profile
+++ b/etc/torbrowser-launcher.profile
@@ -6,6 +6,8 @@ include torbrowser-launcher.local
 # Persistent global definitions
 include globals.local
 
+ignore noexec ${HOME}
+
 noblacklist ${HOME}/.config/torbrowser
 noblacklist ${HOME}/.local/share/torbrowser
 
@@ -14,9 +16,12 @@ noblacklist ${PATH}/python2*
 noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python2*
+noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -51,5 +56,3 @@ private-bin bash,cp,dirname,env,expr,file,getconf,gpg,grep,id,ln,mkdir,python*,r
 private-dev
 private-etc alternatives,fonts,hostname,hosts,resolv.conf,pki,ssl,ca-certificates,crypto-policies,alsa,asound.conf,pulse,machine-id,ld.so.cache
 private-tmp
-
-noexec /tmp
diff --git a/etc/torcs.profile b/etc/torcs.profile
new file mode 100644
index 000000000..d9c59b276
--- /dev/null
+++ b/etc/torcs.profile
@@ -0,0 +1,43 @@
+# Firejail profile for torcs
+# Description: The Open Racing Car Simulator
+# This file is overwritten after every install/update
+# Persistent local customizations
+include torcs.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.torcs
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.torcs
+whitelist ${HOME}/.torcs
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+net none
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-cache
+private-dev
+private-tmp
diff --git a/etc/totem.profile b/etc/totem.profile
index fd473b03c..f541d3cc2 100644
--- a/etc/totem.profile
+++ b/etc/totem.profile
@@ -13,6 +13,7 @@ noblacklist ${VIDEOS}
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -39,5 +40,3 @@ private-dev
 # private-etc alternatives,fonts,machine-id,pulse,asound.conf,ca-certificates,ssl,pki,crypto-policies
 private-tmp
 
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/transgui.profile b/etc/transgui.profile
index 83191ab58..8043bfa01 100644
--- a/etc/transgui.profile
+++ b/etc/transgui.profile
@@ -10,6 +10,7 @@ noblacklist ${HOME}/.config/transgui
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -48,5 +49,3 @@ private-lib libgdk_pixbuf-2.0.so.*,libGeoIP.so*,libgthread-2.0.so.*,libgtk-x11-2
 private-tmp
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/transmission-cli.profile b/etc/transmission-cli.profile
index 65682df52..60732bcf2 100644
--- a/etc/transmission-cli.profile
+++ b/etc/transmission-cli.profile
@@ -12,6 +12,7 @@ noblacklist ${HOME}/.config/transmission
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -40,5 +41,3 @@ private-lib
 private-tmp
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/transmission-daemon.profile b/etc/transmission-daemon.profile
index c101e18b5..c67200826 100644
--- a/etc/transmission-daemon.profile
+++ b/etc/transmission-daemon.profile
@@ -12,6 +12,7 @@ noblacklist ${HOME}/.config/transmission
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -41,5 +42,3 @@ private-lib
 private-tmp
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/transmission-gtk.profile b/etc/transmission-gtk.profile
index 6fd310a73..29df63573 100644
--- a/etc/transmission-gtk.profile
+++ b/etc/transmission-gtk.profile
@@ -11,6 +11,7 @@ noblacklist ${HOME}/.config/transmission
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -47,5 +48,3 @@ private-tmp
 
 # Causes freeze during opening file dialog in Archlinux, see issue #1855
 # memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/transmission-qt.profile b/etc/transmission-qt.profile
index f35eb0036..9fda5245f 100644
--- a/etc/transmission-qt.profile
+++ b/etc/transmission-qt.profile
@@ -11,6 +11,7 @@ noblacklist ${HOME}/.config/transmission
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -46,5 +47,3 @@ private-dev
 private-tmp
 
 # memory-deny-write-execute - problems on Qt 5.10.0, KDE Frameworks 5.41.0
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/transmission-remote-cli.profile b/etc/transmission-remote-cli.profile
index a2e950176..3e3ad1a07 100644
--- a/etc/transmission-remote-cli.profile
+++ b/etc/transmission-remote-cli.profile
@@ -7,11 +7,13 @@ include transmission-remote-cli.local
 # added by included profile
 #include globals.local
 
-# Allow python (disabled by disable-interpreters.inc)
+# Allow python (blacklisted by disable-interpreters.inc)
 noblacklist ${PATH}/python2*
 noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python2*
+noblacklist /usr/local/lib/python3*
 
 mkdir ${HOME}/.cache/transmission
 mkdir ${HOME}/.config/transmission
diff --git a/etc/transmission-remote.profile b/etc/transmission-remote.profile
index 7e6f67317..d9ba7be71 100644
--- a/etc/transmission-remote.profile
+++ b/etc/transmission-remote.profile
@@ -12,6 +12,7 @@ noblacklist ${HOME}/.config/transmission
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -40,5 +41,3 @@ private-lib
 private-tmp
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/transmission-show.profile b/etc/transmission-show.profile
index 691b8959e..58f7af47c 100644
--- a/etc/transmission-show.profile
+++ b/etc/transmission-show.profile
@@ -11,6 +11,7 @@ noblacklist ${HOME}/.config/transmission
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -38,5 +39,3 @@ private-lib
 private-tmp
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/tremulous.profile b/etc/tremulous.profile
new file mode 100644
index 000000000..a56ac2c07
--- /dev/null
+++ b/etc/tremulous.profile
@@ -0,0 +1,44 @@
+# Firejail profile for tremulous
+# Description: First Person Shooter game based on the Quake 3 engine
+# This file is overwritten after every install/update
+# Persistent local customizations
+include tremulous.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.tremulous
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.tremulous
+whitelist ${HOME}/.tremulous
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin tremulous,tremulous-wrapper,tremded
+private-cache
+private-dev
+private-tmp
diff --git a/etc/uzbl-browser.profile b/etc/uzbl-browser.profile
index 7e6b35d13..dbee819cd 100644
--- a/etc/uzbl-browser.profile
+++ b/etc/uzbl-browser.profile
@@ -14,6 +14,8 @@ noblacklist ${PATH}/python2*
 noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python2*
+noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/viewnior.profile b/etc/viewnior.profile
index 94b6c2052..f9fb1cefe 100644
--- a/etc/viewnior.profile
+++ b/etc/viewnior.profile
@@ -14,10 +14,12 @@ noblacklist ${HOME}/.steam
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
+apparmor
 caps.drop all
 net none
 no3d
@@ -38,10 +40,8 @@ tracelog
 private-bin viewnior
 private-cache
 private-dev
-private-etc alternatives,fonts
+private-etc alternatives,fonts,machine-id
 private-tmp
 
 # memory-deny-write-executes breaks on Arch - see issue #1808
 #memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/vlc.profile b/etc/vlc.profile
index 370180b6b..64ac7a4f0 100644
--- a/etc/vlc.profile
+++ b/etc/vlc.profile
@@ -14,6 +14,7 @@ noblacklist ${VIDEOS}
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -39,5 +40,3 @@ private-tmp
 
 # mdwe is disabled due to breaking hardware accelerated decoding
 #memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/vulturesclaw.profile b/etc/vulturesclaw.profile
new file mode 100644
index 000000000..2e9078a7b
--- /dev/null
+++ b/etc/vulturesclaw.profile
@@ -0,0 +1,8 @@
+# Firejail profile alias for nethack-vultures
+# This file is overwritten after every install/update
+
+noblacklist /var/games/vulturesclaw
+whitelist /var/games/vulturesclaw
+
+# Redirect
+include nethack-vultures.profile
diff --git a/etc/vultureseye.profile b/etc/vultureseye.profile
new file mode 100644
index 000000000..44c263cfc
--- /dev/null
+++ b/etc/vultureseye.profile
@@ -0,0 +1,8 @@
+# Firejail profile alias for nethack-vultures
+# This file is overwritten after every install/update
+
+noblacklist /var/games/vultureseye
+whitelist /var/games/vultureseye
+
+# Redirect
+include nethack-vultures.profile
diff --git a/etc/warsow.profile b/etc/warsow.profile
new file mode 100644
index 000000000..e884ab07a
--- /dev/null
+++ b/etc/warsow.profile
@@ -0,0 +1,49 @@
+# Firejail profile for warsow
+# Description: Fast paced 3D first person shooter
+# This file is overwritten after every install/update
+# Persistent local customizations
+include warsow.local
+# Persistent global definitions
+include globals.local
+
+ignore noexec ${HOME}
+
+noblacklist ${HOME}/.cache/warsow-2.1
+noblacklist ${HOME}/.local/share/warsow-2.1
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.cache/warsow-2.1
+mkdir ${HOME}/.local/share/warsow-2.1
+whitelist ${HOME}/.cache/warsow-2.1
+whitelist ${HOME}/.local/share/warsow-2.1
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin warsow
+private-cache
+private-dev
+private-tmp
diff --git a/etc/widelands.profile b/etc/widelands.profile
new file mode 100644
index 000000000..c6b5f27da
--- /dev/null
+++ b/etc/widelands.profile
@@ -0,0 +1,44 @@
+# Firejail profile for widelands
+# Description: Open source realtime-strategy game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include widelands.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.widelands
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.widelands
+whitelist ${HOME}/.widelands
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin widelands
+private-cache
+private-dev
+private-tmp
diff --git a/etc/wireshark.profile b/etc/wireshark.profile
index a08b97d05..9b9757cd5 100644
--- a/etc/wireshark.profile
+++ b/etc/wireshark.profile
@@ -18,6 +18,7 @@ noblacklist /usr/share/lua
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -48,5 +49,3 @@ private-dev
 # private-etc alternatives,fonts,group,hosts,machine-id,passwd,ca-certificates,ssl,pki,crypto-policies
 private-tmp
 
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/xed.profile b/etc/xed.profile
index cd565f684..117f48f83 100644
--- a/etc/xed.profile
+++ b/etc/xed.profile
@@ -12,9 +12,12 @@ noblacklist ${PATH}/python2*
 noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python2*
+noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -47,5 +50,3 @@ private-tmp
 
 # xed uses python plugins, memory-deny-write-execute breaks python
 # memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/xfce4-mixer.profile b/etc/xfce4-mixer.profile
index 9c8c5c531..952625ef8 100644
--- a/etc/xfce4-mixer.profile
+++ b/etc/xfce4-mixer.profile
@@ -10,6 +10,7 @@ noblacklist ${HOME}/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-mixer.xml
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -45,5 +46,3 @@ private-etc alternatives,asound.conf,fonts,pulse,machine-id
 private-tmp
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/xplayer.profile b/etc/xplayer.profile
index 0df879d7c..b4932c99e 100644
--- a/etc/xplayer.profile
+++ b/etc/xplayer.profile
@@ -15,9 +15,12 @@ noblacklist ${PATH}/python2*
 noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python2*
+noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -43,5 +46,3 @@ private-dev
 # private-etc alternatives,fonts,machine-id,pulse,asound.conf,ca-certificates,ssl,pki,crypto-policies
 private-tmp
 
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/xpra.profile b/etc/xpra.profile
index 2ff6c2a5d..d967c1da2 100644
--- a/etc/xpra.profile
+++ b/etc/xpra.profile
@@ -21,6 +21,8 @@ noblacklist ${PATH}/python2*
 noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python2*
+noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/xreader.profile b/etc/xreader.profile
index e0a3ddee3..643c5a317 100644
--- a/etc/xreader.profile
+++ b/etc/xreader.profile
@@ -12,6 +12,7 @@ noblacklist ${DOCUMENTS}
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -42,5 +43,3 @@ private-etc alternatives,fonts,ld.so.cache
 private-tmp
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/xviewer.profile b/etc/xviewer.profile
index c73630053..b483e9404 100644
--- a/etc/xviewer.profile
+++ b/etc/xviewer.profile
@@ -12,6 +12,7 @@ noblacklist ${HOME}/.steam
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -43,5 +44,3 @@ private-lib
 private-tmp
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/youtube-dl.profile b/etc/youtube-dl.profile
index 0878c91ef..621ffb2b0 100644
--- a/etc/youtube-dl.profile
+++ b/etc/youtube-dl.profile
@@ -19,8 +19,12 @@ noblacklist /usr/lib/python3*
 noblacklist /usr/local/lib/python2*
 noblacklist /usr/local/lib/python3*
 
+# breaks when installed via pip
+ignore noexec ${HOME}
+
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -28,10 +32,13 @@ include disable-xdg.inc
 
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 ipc-namespace
+machine-id
 netfilter
 no3d
+nodbus
 nodvd
 nogroups
 nonewprivs
@@ -45,8 +52,11 @@ seccomp
 shell none
 tracelog
 
+disable-mnt
+private-bin youtube-dl,python*,ffmpeg
+private-cache
 private-dev
+private-etc alternatives,ssl,pki,ca-certificates,hostname,hosts,resolv.conf,youtube-dl.conf,crypto-policies,mime.types
+private-tmp
 
-# breaks when installed via pip
-#noexec ${HOME}
-noexec /tmp
+# memory-deny-write-execute - breaks on Arch
diff --git a/etc/zpaq.profile b/etc/zpaq.profile
new file mode 100644
index 000000000..6d4501e4f
--- /dev/null
+++ b/etc/zpaq.profile
@@ -0,0 +1,15 @@
+# Firejail profile for zpaq
+# Description: Programmable file compressor, library and utilities. Based on the PAQ compression algorithm.
+# This file is overwritten after every install/update
+# Persistent local customizations
+include zpaq.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# mdwx breaks 'list' functionality
+ignore memory-deny-write-execute
+
+
+# Redirect
+include cpio.profile
diff --git a/src/firecfg/desktop_files.c b/src/firecfg/desktop_files.c
index 525d9b6f9..a40b5a824 100644
--- a/src/firecfg/desktop_files.c
+++ b/src/firecfg/desktop_files.c
@@ -227,7 +227,7 @@ void fix_desktop_files(char *homedir) {
                         continue;
                 }
 
-                // try to decide if we need to covert this file
+                // try to decide if we need to convert this file
                 char *change_exec = NULL;
                 int change_dbus = 0;
 
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index 6bb9765bd..d5c502a67 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -12,6 +12,7 @@ FossaMail
 Fritzing
 Gitter
 JDownloader
+Maelstrom
 Mathematica
 Natron
 QMediathekView
@@ -68,6 +69,9 @@ brackets
 brasero
 brave
 brave-browser
+bunzip2
+bzflag
+bzip2
 calibre
 calligra
 calligraauthor
@@ -102,6 +106,8 @@ code-oss
 conkeror
 conky
 corebird
+crawl
+crawl-tiles
 crow
 cryptocat
 cvlc
@@ -177,6 +183,11 @@ fossamail
 franz
 freecad
 freecadcmd
+freeciv
+freeciv-gtk3
+freeciv-mp-gtk3
+freecol
+freemind
 freshclam
 frozen-bubble
 gajim
@@ -272,6 +283,9 @@ keepassx
 keepassx2
 keepassxc
 kget
+kid3
+kid3-cli
+kid3-qt
 kino
 klavaro
 kmail
@@ -288,6 +302,7 @@ leafpad
 less
 libreoffice
 liferea
+lincity-ng
 linphone
 lmms
 lobase
@@ -300,11 +315,18 @@ lollypop
 lomath
 loweb
 lowriter
+lrunzip
+lrz
+lrzcat
+lrzip
+lrztar
+lrzuntar
 luminance-hdr
 lximage-qt
 lxmusic
 lynx
 macrofusion
+manaplus
 masterpdfeditor
 masterpdfeditor4
 masterpdfeditor5
@@ -316,6 +338,8 @@ mathematica
 mcabber
 mediainfo
 mediathekview
+megaglest
+megaglest_editor
 meld
 mencoder
 mendeleydesktop
@@ -355,6 +379,7 @@ nitroshare-cli
 nitroshare-nmh
 nitroshare-send
 nitroshare-ui
+nomacs
 nylas
 nyx
 obs
@@ -363,11 +388,14 @@ odt2txt
 okular
 onionshare-gui
 open-invaders
+opencity
 openshot
 openshot-qt
+openttd
 opera
 opera-beta
 orage
+ostrichriders
 palemoon
 parole
 patch
@@ -382,6 +410,7 @@ pidgin
 #ping - disabled until we fix  #1912
 pingus
 pinta
+pioneer
 pithos
 pitivi
 pix
@@ -420,9 +449,11 @@ rtorrent
 runenpass.sh
 sayonara
 scallion
+scorched3d
 scribus
 sdat2img
 seahorse
+seahorse-daemon
 seahorse-tool
 seamonkey
 seamonkey-bin
@@ -438,6 +469,7 @@ skanlite
 skype
 skypeforlinux
 slack
+slashem
 smplayer
 smtube
 snox
@@ -464,6 +496,7 @@ synfigstudio
 sysprof
 sysprof-cli
 teamspeak3
+teeworlds
 telegram
 telegram-desktop
 terasology
@@ -472,21 +505,38 @@ thunderbird-beta
 thunderbird-wayland
 tilp
 tor-browser-ar
+tor-browser-ca
+tor-browser-cs
+tor-browser-da
+tor-browser-de
+tor-browser-el
 tor-browser-en
 tor-browser-en-us
 tor-browser-es
 tor-browser-es-es
 tor-browser-fa
 tor-browser-fr
+tor-browser-ga-ie
+tor-browser-he
+tor-browser-hu
+tor-browser-id
+tor-browser-is
 tor-browser-it
 tor-browser-ja
+tor-browser-ka
 tor-browser-ko
-torbrowser-launcher
+tor-browser-nb
+tor-browser-nl
 tor-browser-pl
 tor-browser-pt-br
 tor-browser-ru
+tor-browser-sv-se
+tor-browser-tr
 tor-browser-vi
 tor-browser-zh-cn
+tor-browser-zh-tw
+torbrowser-launcher
+torcs
 totem
 tracker
 transgui
@@ -500,6 +550,7 @@ transmission-remote
 transmission-remote-cli
 transmission-remote-gtk
 transmission-show
+tremulous
 truecraft
 tuxguitar
 uefitool
@@ -517,8 +568,11 @@ vivaldi-snapshot
 vivaldi-stable
 vlc
 vscodium
+vulturesclaw
+vultureseye
 vym
 w3m
+warsow
 warzone2100
 waterfox
 webstorm
@@ -527,6 +581,7 @@ weechat-curses
 wesnoth
 wget
 whois
+widelands
 wine
 wire-desktop
 wireshark
@@ -560,3 +615,4 @@ zaproxy
 zart
 zathura
 zoom
+zpaq
diff --git a/src/firecfg/util.c b/src/firecfg/util.c
index 00dbad073..23a66ba67 100644
--- a/src/firecfg/util.c
+++ b/src/firecfg/util.c
@@ -59,8 +59,8 @@ int which(const char *program) {
                 char *ptr = strtok(path2, ":");
                 while (ptr) {
                         // Ubuntu 18.04 is adding  /snap/bin to PATH;
-                        // they populate /snap/bin with simbolic links to /usr/bin/ programs;
-                        // most simlinked programs are not installed by default.
+                        // they populate /snap/bin with symbolic links to /usr/bin/ programs;
+                        // most symlinked programs are not installed by default.
                         // Removing /snap/bin from our search
                         if (strcmp(ptr, "/snap/bin") != 0) {
                                 if (find(program, ptr)) {
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 01ddf2a14..4cb10c875 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -57,13 +57,14 @@
 #define RUN_LIB_FILE    "/run/firejail/mnt/libfiles"
 #define RUN_DNS_ETC     "/run/firejail/mnt/dns-etc"
 
-#define RUN_SECCOMP_LIST        "/run/firejail/mnt/seccomp.list"        // list of seccomp files installed
-#define RUN_SECCOMP_PROTOCOL    "/run/firejail/mnt/seccomp.protocol"    // protocol filter
-#define RUN_SECCOMP_CFG "/run/firejail/mnt/seccomp"                     // configured filter
-#define RUN_SECCOMP_32  "/run/firejail/mnt/seccomp.32"          // 32bit arch filter installed on 64bit architectures
-#define RUN_SECCOMP_MDWX        "/run/firejail/mnt/seccomp.mdwx"                // filter for memory-deny-write-execute
-#define RUN_SECCOMP_BLOCK_SECONDARY     "/run/firejail/mnt/seccomp.block_secondary"     // secondary arch blocking filter
-#define RUN_SECCOMP_POSTEXEC    "/run/firejail/mnt/seccomp.postexec"            // filter for post-exec library
+#define RUN_SECCOMP_DIR "/run/firejail/mnt/seccomp"
+#define RUN_SECCOMP_LIST        "/run/firejail/mnt/seccomp/seccomp.list"        // list of seccomp files installed
+#define RUN_SECCOMP_PROTOCOL    "/run/firejail/mnt/seccomp/seccomp.protocol"    // protocol filter
+#define RUN_SECCOMP_CFG "/run/firejail/mnt/seccomp/seccomp"                     // configured filter
+#define RUN_SECCOMP_32          "/run/firejail/mnt/seccomp/seccomp.32"          // 32bit arch filter installed on 64bit architectures
+#define RUN_SECCOMP_MDWX        "/run/firejail/mnt/seccomp/seccomp.mdwx"                // filter for memory-deny-write-execute
+#define RUN_SECCOMP_BLOCK_SECONDARY     "/run/firejail/mnt/seccomp/seccomp.block_secondary"     // secondary arch blocking filter
+#define RUN_SECCOMP_POSTEXEC    "/run/firejail/mnt/seccomp/seccomp.postexec"            // filter for post-exec library
 #define PATH_SECCOMP_DEFAULT (LIBDIR "/firejail/seccomp")                       // default filter built during make
 #define PATH_SECCOMP_DEFAULT_DEBUG (LIBDIR "/firejail/seccomp.debug")   // default filter built during make
 #define PATH_SECCOMP_32 (LIBDIR "/firejail/seccomp.32")                 // 32bit arch filter built during make
@@ -95,7 +96,6 @@
 #define RUN_ASOUNDRC_FILE       "/run/firejail/mnt/.asoundrc"
 #define RUN_HOSTNAME_FILE       "/run/firejail/mnt/hostname"
 #define RUN_HOSTS_FILE  "/run/firejail/mnt/hosts"
-#define RUN_RESOLVCONF_FILE     "/run/firejail/mnt/resolv.conf"
 #define RUN_MACHINEID   "/run/firejail/mnt/machine-id"
 #define RUN_LDPRELOAD_FILE      "/run/firejail/mnt/ld.so.preload"
 #define RUN_UTMP_FILE           "/run/firejail/mnt/utmp"
@@ -521,6 +521,7 @@ void logsignal(int s);
 void logmsg(const char *msg);
 void logargs(int argc, char **argv) ;
 void logerr(const char *msg);
+void set_nice(int inc);
 int copy_file(const char *srcname, const char *destname, uid_t uid, gid_t gid, mode_t mode);
 void copy_file_as_user(const char *srcname, const char *destname, uid_t uid, gid_t gid, mode_t mode);
 void copy_file_from_user_to_root(const char *srcname, const char *destname, uid_t uid, gid_t gid, mode_t mode);
diff --git a/src/firejail/fs_lib.c b/src/firejail/fs_lib.c
index 808ead240..70c6ac88a 100644
--- a/src/firejail/fs_lib.c
+++ b/src/firejail/fs_lib.c
@@ -133,6 +133,7 @@ void fslib_copy_libs(const char *full_path) {
                 fslib_duplicate(buf);
         }
         fclose(fp);
+        unlink(RUN_LIB_FILE);
 }
 
 
diff --git a/src/firejail/join.c b/src/firejail/join.c
index 3d5006236..46dae0271 100644
--- a/src/firejail/join.c
+++ b/src/firejail/join.c
@@ -100,9 +100,6 @@ static void extract_command(int argc, char **argv, int index) {
 
         // build command
         build_cmdline(&cfg.command_line, &cfg.window_title, argc, argv, index);
-
-        if (arg_debug)
-                printf("Extracted command #%s#\n", cfg.command_line);
 }
 
 static void extract_nogroups(pid_t pid) {
@@ -290,12 +287,8 @@ pid_t switch_to_child(pid_t pid) {
 
 void join(pid_t pid, int argc, char **argv, int index) {
         EUID_ASSERT();
-        char *homedir = cfg.homedir;
-        pid_t parent = pid;
-
-        extract_command(argc, argv, index);
-        signal (SIGTERM, signal_handler);
 
+        pid_t parent = pid;
         // in case the pid is that of a firejail process, use the pid of the first child process
         pid = switch_to_child(pid);
 
@@ -375,19 +368,15 @@ void join(pid_t pid, int argc, char **argv, int index) {
                 EUID_USER();
                 if (chdir("/") < 0)
                         errExit("chdir");
-                if (homedir) {
+                if (cfg.homedir) {
                         struct stat s;
-                        if (stat(homedir, &s) == 0) {
+                        if (stat(cfg.homedir, &s) == 0) {
                                 /* coverity[toctou] */
-                                if (chdir(homedir) < 0)
+                                if (chdir(cfg.homedir) < 0)
                                         errExit("chdir");
                         }
                 }
 
-                // set cpu affinity
-                if (cfg.cpus)   // not available for uid 0
-                        set_cpu_affinity();
-
                 // set caps filter
                 EUID_ROOT();
                 if (apply_caps == 1)    // not available for uid 0
@@ -418,33 +407,6 @@ void join(pid_t pid, int argc, char **argv, int index) {
                 }
 
                 EUID_USER();
-                // set nice
-                if (arg_nice) {
-                        errno = 0;
-                        int rv = nice(cfg.nice);
-                        (void) rv;
-                        if (errno) {
-                                fwarning("cannot set nice value\n");
-                                errno = 0;
-                        }
-                }
-
-                // set environment, add x11 display
-                env_defaults();
-                if (display) {
-                        char *display_str;
-                        if (asprintf(&display_str, ":%d", display) == -1)
-                                errExit("asprintf");
-                        setenv("DISPLAY", display_str, 1);
-                        free(display_str);
-                }
-
-                if (cfg.command_line == NULL) {
-                        assert(cfg.shell);
-                        cfg.command_line = cfg.shell;
-                        cfg.window_title = cfg.shell;
-                }
-
                 int cwd = 0;
                 if (cfg.cwd) {
                         if (chdir(cfg.cwd) == 0)
@@ -464,8 +426,38 @@ void join(pid_t pid, int argc, char **argv, int index) {
                         }
                 }
 
+                // drop privileges
                 drop_privs(arg_nogroups);
-                prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); // kill the child in case the parent died
+
+                // kill the child in case the parent died
+                prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
+
+                extract_command(argc, argv, index);
+                if (cfg.command_line == NULL) {
+                        assert(cfg.shell);
+                        cfg.command_line = cfg.shell;
+                        cfg.window_title = cfg.shell;
+                }
+                if (arg_debug)
+                        printf("Extracted command #%s#\n", cfg.command_line);
+
+                // set cpu affinity
+                if (cfg.cpus)   // not available for uid 0
+                        set_cpu_affinity();
+
+                // set nice value
+                if (arg_nice)
+                        set_nice(cfg.nice);
+
+                // add x11 display
+                if (display) {
+                        char *display_str;
+                        if (asprintf(&display_str, ":%d", display) == -1)
+                                errExit("asprintf");
+                        setenv("DISPLAY", display_str, 1);
+                        free(display_str);
+                }
+
                 start_application(0, NULL);
 
                 // it will never get here!!!
diff --git a/src/firejail/main.c b/src/firejail/main.c
index e186002af..ece4c2cb5 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -866,11 +866,10 @@ static void run_builder(int argc, char **argv) {
         (void) argc;
 
         // drop privileges
-        EUID_ROOT();
-        if (setgid(getgid()) < 0)
-                errExit("setgid/getgid");
-        if (setuid(getuid()) < 0)
-                errExit("setuid/getuid");
+        if (setresgid(-1, getgid(), getgid()) != 0)
+                errExit("setresgid");
+        if (setresuid(-1, getuid(), getuid()) != 0)
+                errExit("setresuid");
 
         assert(getenv("LD_PRELOAD") == NULL);
         umask(orig_umask);
@@ -1522,6 +1521,9 @@ int main(int argc, char **argv) {
                         if (!ppath)
                                 errExit("strdup");
 
+                        // checking for strange chars in the file name, no globbing
+                        invalid_filename(ppath, 0);
+
                         if (*ppath == ':' || access(ppath, R_OK) || is_dir(ppath)) {
                                 int has_colon = (*ppath == ':');
                                 char *ptr = ppath;
@@ -1623,7 +1625,7 @@ int main(int argc, char **argv) {
                 else if (strcmp(argv[i], "--writable-var") == 0) {
                         arg_writable_var = 1;
                 }
-                else if (strcmp(argv[1], "--keep-var-tmp") == 0) {
+                else if (strcmp(argv[i], "--keep-var-tmp") == 0) {
                         arg_keep_var_tmp = 1;
                 }
                 else if (strcmp(argv[i], "--writable-run-user") == 0) {
diff --git a/src/firejail/no_sandbox.c b/src/firejail/no_sandbox.c
index 9ad4e8ba1..dca36a4d8 100644
--- a/src/firejail/no_sandbox.c
+++ b/src/firejail/no_sandbox.c
@@ -161,32 +161,29 @@ int check_kernel_procs(void) {
 
 void run_no_sandbox(int argc, char **argv) {
         EUID_ASSERT();
+        // drop privileges
+        if (setresgid(-1, getgid(), getgid()) != 0)
+                errExit("setresgid");
+        if (setresuid(-1, getuid(), getuid()) != 0)
+                errExit("setresuid");
 
         // process limited subset of options
         int i;
         for (i = 0; i < argc; i++) {
                 if (strcmp(argv[i], "--debug") == 0)
                         arg_debug = 1;
-                else if (strcmp(argv[i], "--shell=none") == 0 ||
-                    strncmp(argv[i], "--shell=", 8) == 0)
+                else if (strncmp(argv[i], "--shell=", 8) == 0)
                         fwarning("shell-related command line options are disregarded - using SHELL environment variable\n");
         }
 
-        // use $SHELL to get shell used in sandbox
-        char *shell =  getenv("SHELL");
-        if (shell && access(shell, R_OK) == 0)
-                cfg.shell = shell;
-
-        // guess shell otherwise
-        if (!cfg.shell) {
-                cfg.shell = guess_shell();
-                if (arg_debug)
-                        printf("Autoselecting %s as shell\n", cfg.shell);
-        }
+        // use $SHELL to get shell used in sandbox, guess shell otherwise
+        cfg.shell = guess_shell();
         if (!cfg.shell) {
                 fprintf(stderr, "Error: unable to guess your shell, please set SHELL environment variable\n");
                 exit(1);
         }
+        else if (arg_debug)
+                printf("Selecting %s as shell\n", cfg.shell);
 
         int prog_index = 0;
         // find first non option arg:
diff --git a/src/firejail/preproc.c b/src/firejail/preproc.c
index 2effebbaa..a7af4b127 100644
--- a/src/firejail/preproc.c
+++ b/src/firejail/preproc.c
@@ -86,6 +86,8 @@ void preproc_mount_mnt_dir(void) {
                 fs_logger2("tmpfs", RUN_MNT_DIR);
 
 #ifdef HAVE_SECCOMP
+                create_empty_dir_as_root(RUN_SECCOMP_DIR, 0755);
+
                 if (arg_seccomp_block_secondary)
                         copy_file(PATH_SECCOMP_BLOCK_SECONDARY, RUN_SECCOMP_BLOCK_SECONDARY, getuid(), getgid(), 0644); // root needed
                 else {
diff --git a/src/firejail/run_symlink.c b/src/firejail/run_symlink.c
index ee62bba32..a63f29322 100644
--- a/src/firejail/run_symlink.c
+++ b/src/firejail/run_symlink.c
@@ -34,11 +34,10 @@ void run_symlink(int argc, char **argv, int run_as_is) {
                 return;
 
         // drop privileges
-        EUID_ROOT();
-        if (setgid(getgid()) < 0)
-                errExit("setgid/getgid");
-        if (setuid(getuid()) < 0)
-                errExit("setuid/getuid");
+        if (setresgid(-1, getgid(), getgid()) != 0)
+                errExit("setresgid");
+        if (setresuid(-1, getuid(), getuid()) != 0)
+                errExit("setresuid");
 
         // find the real program by looking in PATH
         char *p = getenv("PATH");
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 9bb8e545c..101a16d00 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -1038,17 +1038,6 @@ int sandbox(void* sandbox_arg) {
                 }
         }
 
-        // set nice
-        if (arg_nice) {
-                errno = 0;
-                int rv = nice(cfg.nice);
-                (void) rv;
-                if (errno) {
-                        fwarning("cannot set nice value\n");
-                        errno = 0;
-                }
-        }
-
         EUID_ROOT();
         // clean /tmp/.X11-unix sockets
         fs_x11();
@@ -1064,20 +1053,11 @@ int sandbox(void* sandbox_arg) {
         // save state of nonewprivs
         save_nonewprivs();
 
-        // set capabilities
-        set_caps();
-
-        // set cpu affinity
-        if (cfg.cpus) {
-                save_cpu(); // save cpu affinity mask to CPU_CFG file
-                EUID_USER();
-                set_cpu_affinity();
-                EUID_ROOT();
-        }
+        // save cpu affinity mask to CPU_CFG file
+        save_cpu();
 
         // save cgroup in CGROUP_CFG file
-        if (cfg.cgroup)
-                save_cgroup();
+        save_cgroup();
 
         // set seccomp
 #ifdef HAVE_SECCOMP
@@ -1118,14 +1098,19 @@ int sandbox(void* sandbox_arg) {
                 int rv = unlink(RUN_SECCOMP_MDWX);
                 (void) rv;
         }
+        // make seccomp filters read-only
+        fs_rdonly(RUN_SECCOMP_DIR);
 #endif
 
+        // set capabilities
+        set_caps();
+
         //****************************************
         // communicate progress of sandbox set up
         // to --join
         //****************************************
 
-        FILE *fp = create_ready_for_join_file();
+        FILE *rj = create_ready_for_join_file();
 
         //****************************************
         // create a new user namespace
@@ -1175,10 +1160,23 @@ int sandbox(void* sandbox_arg) {
         }
 
         //****************************************
-        // drop privileges, fork the application and monitor it
+        // drop privileges
         //****************************************
         drop_privs(arg_nogroups);
-        prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); // kill the sandbox in case the parent died
+
+        // kill the sandbox in case the parent died
+        prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
+
+        //****************************************
+        // set cpu affinity
+        //****************************************
+
+        if (cfg.cpus)
+                set_cpu_affinity();
+
+        //****************************************
+        // fork the application and monitor it
+        //****************************************
         pid_t app_pid = fork();
         if (app_pid == -1)
                 errExit("fork");
@@ -1196,13 +1194,15 @@ int sandbox(void* sandbox_arg) {
                                 printf("AppArmor enabled\n");
                 }
 #endif
-                // set rlimits
+                // set nice and rlimits
+                if (arg_nice)
+                        set_nice(cfg.nice);
                 set_rlimits();
-                // start app
-                start_application(0, fp);
+
+                start_application(0, rj);
         }
 
-        fclose(fp);
+        fclose(rj);
 
         int status = monitor_application(app_pid);      // monitor application
         flush_stdin();
diff --git a/src/firejail/util.c b/src/firejail/util.c
index dd298a31a..3e2cd13d5 100644
--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -119,12 +119,12 @@ clean_all:
 // drop privileges
 // - for root group or if nogroups is set, supplementary groups are not configured
 void drop_privs(int nogroups) {
-        EUID_ROOT();
         gid_t gid = getgid();
         if (arg_debug)
                 printf("Drop privileges: pid %d, uid %d, gid %d, nogroups %d\n",  getpid(), getuid(), gid, nogroups);
 
         // configure supplementary groups
+        EUID_ROOT();
         if (gid == 0 || nogroups) {
                 if (setgroups(0, NULL) < 0)
                         errExit("setgroups");
@@ -135,10 +135,10 @@ void drop_privs(int nogroups) {
                 clean_supplementary_groups(gid);
 
         // set uid/gid
-        if (setgid(getgid()) < 0)
-                errExit("setgid/getgid");
-        if (setuid(getuid()) < 0)
-                errExit("setuid/getuid");
+        if (setresgid(-1, getgid(), getgid()) != 0)
+                errExit("setresgid");
+        if (setresuid(-1, getuid(), getuid()) != 0)
+                errExit("setresuid");
 }
 
 
@@ -250,6 +250,16 @@ void logerr(const char *msg) {
         closelog();
 }
 
+
+void set_nice(int inc) {
+        errno = 0;
+        int rv = nice(inc);
+        (void) rv;
+        if (errno)
+                fwarning("cannot set nice value\n");
+}
+
+
 static int copy_file_by_fd(int src, int dst) {
         assert(src >= 0);
         assert(dst >= 0);
diff --git a/src/lib/common.c b/src/lib/common.c
index 3d701e62f..1678a4092 100644
--- a/src/lib/common.c
+++ b/src/lib/common.c
@@ -254,7 +254,7 @@ int pid_proc_cmdline_x11_xpra_xephyr(const pid_t pid) {
                 if (strncmp(arg, "--", 2) != 0)
                         break;
 
-                if (strcmp(arg, "--x11=xorg") == 0)
+                if (strcmp(arg, "--x11=xorg") == 0 || strcmp(arg, "--x11=none") == 0)
                         return 0;
 
                 // check x11 xpra or xephyr
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 8f5aa777f..eed98710b 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -48,6 +48,10 @@ Firejail allows the user to manage application security using security profiles.
 Each profile defines a set of permissions for a specific application or group
 of applications. The software includes security profiles for a number of more common
 Linux programs, such as Mozilla Firefox, Chromium, VLC, Transmission etc.
+.PP
+Alternative sandbox technologies like snap (https://snapcraft.io/) and flatpak (https://flatpak.org/)
+are not supported. Snap and flatpak packages have their own native management tools and will
+not work when sandboxed with Firejail.
 
 .SH USAGE
 Without any options, the sandbox consists of a filesystem build in a new mount namespace,
@@ -2496,7 +2500,7 @@ Make a firefox symlink to /usr/bin/firejail:
 .br
 
 .br
-$ ln -s /usr/bin/firejail /usr/local/bin/firefox
+$ sudo ln -s /usr/bin/firejail /usr/local/bin/firefox
 .br
 
 .br
@@ -2536,7 +2540,7 @@ $ firejail --tree
       1221:netblue:/usr/lib/firefox/firefox
 .RE
 
-We provide a tool that automates all this integration, please see \fBman 1 firecfg\fR for more details.
+We provide a tool that automates all this integration, please see \&\flfirecfg\fR\|(1) for more details.
 
 .SH EXAMPLES
 .TP
@@ -2603,7 +2607,7 @@ $ firejail --read-only=~/dir[1-4]
 
 .SH FILE TRANSFER
 These features allow the user to inspect the filesystem container of an existing sandbox
-and transfer files from the container to the host filesystem.
+and transfer files between the container and the host filesystem.
 
 .TP
 \fB\-\-get=name|pid filename