22 files changed, 533 insertions, 22 deletions

diff --git a/README b/README
index ba29905f0..c3a046ead 100644
--- a/README
+++ b/README
@@ -33,14 +33,15 @@ Maintainer:
 - netblue30 (netblue30@yahoo.com)
 
 Committers
+- chiraag-nataraj (https://github.com/chiraag-nataraj)
+- crass (https://github.com/crass)
 - Fred-Barclay (https://github.com/Fred-Barclay)
 - Reiner Herrmann (https://github.com/reinerh - Debian/Ubuntu maintainer)
 - smithsohu (https://github.com/smitsohu)
 - SkewedZeppelin (https://github.com/SkewedZeppelin)
-- startx2017 (https://github.com/startx2017) - 0.9.38-LTS and *bugfixes branches maintainer)
+- startx2017 (https://github.com/startx2017) - LTS and *bugfixes branches maintainer)
 - Topi Miettinen (https://github.com/topimiettinen)
 - Vincent43 (https://github.com/Vincent43)
-- chiraag-nataraj (https://github.com/chiraag-nataraj)
 - netblue30 (netblue30@yahoo.com)
 
 
diff --git a/README.md b/README.md
index 0c3cd38bb..e5b38827d 100644
--- a/README.md
+++ b/README.md
@@ -98,4 +98,36 @@ We also keep a list of profile fixes for previous released versions in [etc-fixe
 `````
 
 `````
-# Current development version: 0.9.57
+# Current development version: 0.9.56.1
+
+This is probably a bugfix release: fixes, small features, new profiles. If we end up implementing something major
+we'll switch to a regular 0.9.57 release.
+
+# New Long Term Support (LTS) version
+
+We are rebasing our Long Term Support branch of Firejail. The current LTS version (0.9.38.x) is more than two years old.
+The new version updates the code base to 0.9.56. We target a reduction of approx. 40% of the code by removing rarely
+used features (chroot, overlay, rlimits, cgroups), incomplete features (private-bin, private-lib),
+and a lot of instrumentation (build profile feature, tracing, auditing, etc). Sandbox-specific security features such as
+seccomp, capabilities, filesystem whitelist/blacklist and networking are updated and hardened.
+
+We have an rc1 release out, the final version will follow in the next few weeks:
+`````
+firejail (0.9.56-LTS~rc1) baseline; urgency=low
+  * code based on Firejail version 0.9.56
+  * much smaller code base for SUID executable
+  * command line options removed:
+     --audit, --build, --cgroup, --chroot, --get, --ls, --output,
+     --output-stderr, --overlay, --overlay-named, --overlay-tmpfs,
+     --overlay-clean, --private-home, --private-bin, --private-etc,
+     --private-opt, --private-srv, --put, --rlimit*, --trace, --tracelog,
+     --x11*, --xephyr*
+  * compile-time options: --enable-apparmor, --disable-seccomp,
+     --disable-globalcfg, --disable-network, --disable-userns,
+     --disable-whitelist, --disable-suid, --enable-fatal-warnings,
+     --enable-busybox-workaround
+ -- netblue30 <netblue30@yahoo.com>  Wed, 3 Oct 2018 08:00:00 -0500
+`````
+
+The new LTS branch is here: https://github.com/netblue30/firejail/tree/LTSbase
+
diff --git a/RELNOTES b/RELNOTES
index 98398e51f..e3e3cdf35 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -1,3 +1,8 @@
+firejail (0.9.56.1) baseline; urgency=low
+  * work in progress
+  * --disable-mnt rework
+ -- netblue30 <netblue30@yahoo.com>  Thu, 11 Oct 2018 08:00:00 -0500
+
 firejail (0.9.56) baseline; urgency=low
   * modif: removed CFG_CHROOT_DESKTOP configuration option
   * modif: removed compile time --enable-network=restricted
diff --git a/configure b/configure
index a7ef3a392..9e117dcbe 100755
--- a/configure
+++ b/configure
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for firejail 0.9.57.
+# Generated by GNU Autoconf 2.69 for firejail 0.9.56.1.
 #
 # Report bugs to <netblue30@yahoo.com>.
 #
@@ -580,8 +580,8 @@ MAKEFLAGS=
 # Identity of this package.
 PACKAGE_NAME='firejail'
 PACKAGE_TARNAME='firejail'
-PACKAGE_VERSION='0.9.57'
-PACKAGE_STRING='firejail 0.9.57'
+PACKAGE_VERSION='0.9.56.1'
+PACKAGE_STRING='firejail 0.9.56.1'
 PACKAGE_BUGREPORT='netblue30@yahoo.com'
 PACKAGE_URL='https://firejail.wordpress.com'
 
@@ -1275,7 +1275,7 @@ if test "$ac_init_help" = "long"; then
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures firejail 0.9.57 to adapt to many kinds of systems.
+\`configure' configures firejail 0.9.56.1 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1337,7 +1337,7 @@ fi
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of firejail 0.9.57:";;
+     short | recursive ) echo "Configuration of firejail 0.9.56.1:";;
    esac
   cat <<\_ACEOF
 
@@ -1442,7 +1442,7 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-firejail configure 0.9.57
+firejail configure 0.9.56.1
 generated by GNU Autoconf 2.69
 
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -1744,7 +1744,7 @@ cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by firejail $as_me 0.9.57, which was
+It was created by firejail $as_me 0.9.56.1, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   $ $0 $@
@@ -4379,7 +4379,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by firejail $as_me 0.9.57, which was
+This file was extended by firejail $as_me 0.9.56.1, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -4433,7 +4433,7 @@ _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-firejail config.status 0.9.57
+firejail config.status 0.9.56.1
 configured by $0, generated by GNU Autoconf 2.69,
   with options \\"\$ac_cs_config\\"
 
diff --git a/configure.ac b/configure.ac
index d1b827fef..2084b66f1 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,5 +1,5 @@
 AC_PREREQ([2.68])
-AC_INIT(firejail, 0.9.57, netblue30@yahoo.com, , https://firejail.wordpress.com)
+AC_INIT(firejail, 0.9.56.1, netblue30@yahoo.com, , https://firejail.wordpress.com)
 AC_CONFIG_SRCDIR([src/firejail/main.c])
 #AC_CONFIG_HEADERS([config.h])
 
diff --git a/etc/QMediathekView.profile b/etc/QMediathekView.profile
new file mode 100644
index 000000000..558f62f0e
--- /dev/null
+++ b/etc/QMediathekView.profile
@@ -0,0 +1,54 @@
+# Firejail profile for QMediathekView
+# Description: Search, download or stream files from mediathek.de
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/QMediathekView.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+noblacklist ${HOME}/.config/QMediathekView
+noblacklist ${HOME}/.local/share/QMediathekView
+
+noblacklist ${HOME}/.config/mpv
+noblacklist ${HOME}/.config/smplayer
+noblacklist ${HOME}/.config/totem
+noblacklist ${HOME}/.config/vlc
+noblacklist ${HOME}/.config/xplayer
+noblacklist ${HOME}/.local/share/totem
+noblacklist ${HOME}/.local/share/xplayer
+noblacklist ${HOME}/.mplayer
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+include /etc/firejail/whitelist-var-common.inc
+
+caps.drop all
+netfilter
+# no3d
+# nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin QMediathekView,mplayer,mpv,smplayer,totem,vlc,xplayer
+private-cache
+private-dev
+# private-etc none
+# private-lib
+private-tmp
+
+# memory-deny-write-execute - breaks on Arch
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/aria2c.profile b/etc/aria2c.profile
new file mode 100644
index 000000000..4231c58ff
--- /dev/null
+++ b/etc/aria2c.profile
@@ -0,0 +1,45 @@
+# Firejail profile for aria2c
+# Description: Download utility that supports HTTP(S), FTP, BitTorrent and Metalink
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/aria2c.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+noblacklist ${HOME}/.aria2
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-xdg.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+disable-mnt
+# private
+private-bin aria2c,gzip
+private-cache
+private-dev
+private-etc ca-certificates,ssl
+private-lib libreadline.so.*
+private-tmp
+
+memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/authenticator.profile b/etc/authenticator.profile
new file mode 100644
index 000000000..f10abdda8
--- /dev/null
+++ b/etc/authenticator.profile
@@ -0,0 +1,49 @@
+# Firejail profile for authenticator
+# Description: 2FA code generator for GNOME
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/authenticator.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+# blacklisted in 'disable-programs.local'
+noblacklist ${HOME}/.config/Authenticator
+
+# Allow python 3.x (blacklisted by disable-interpreters.inc)
+noblacklist ${PATH}/python3*
+noblacklist /usr/lib/python3*
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+# apparmor
+caps.drop all
+net none
+no3d
+# nodbus - makes settings immutable
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+# novideo
+nou2f
+protocol unix
+seccomp
+shell none
+
+disable-mnt
+# private-bin authenticator
+private-cache
+private-dev
+private-etc fonts,ld.so.cache
+# private-lib
+private-tmp
+
+# memory-deny-write-execute - breaks on Arch
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/checkbashisms.profile b/etc/checkbashisms.profile
new file mode 100644
index 000000000..c8b8be04e
--- /dev/null
+++ b/etc/checkbashisms.profile
@@ -0,0 +1,49 @@
+# Firejail profile for checkbashisms
+# Description: Lint tool for shell scripts
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include /etc/firejail/checkbashisms.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+noblacklist ${DOCUMENTS}
+
+# Allow perl (blacklisted by disable-interpreters.inc)
+noblacklist ${PATH}/cpan*
+noblacklist ${PATH}/core_perl
+noblacklist ${PATH}/perl
+noblacklist /usr/lib/perl*
+noblacklist /usr/share/perl*
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-xdg.inc
+
+include /etc/firejail/whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+net none
+no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix
+seccomp
+shell none
+
+private-dev
+private-tmp
+
+memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/claws-mail.profile b/etc/claws-mail.profile
index cb8ae6a80..0274fd66b 100644
--- a/etc/claws-mail.profile
+++ b/etc/claws-mail.profile
@@ -16,19 +16,24 @@ include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-common.inc
+
 caps.drop all
 netfilter
+no3d
 nodvd
 nogroups
 nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
 shell none
 
+private-cache
 private-dev
 private-tmp
 
diff --git a/etc/desktop.profile b/etc/desktop.profile
new file mode 100644
index 000000000..8bfa885a3
--- /dev/null
+++ b/etc/desktop.profile
@@ -0,0 +1,44 @@
+# Firejail profile for desktop
+# Description: Extend your GitHub workflow beyond your browser with GitHub Desktop
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/github-desktop.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+whitelist ${HOME}/.gitconfig
+whitelist ${HOME}/.config/GitHub Desktop
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
+
+include /etc/firejail/whitelist-common.inc
+
+caps.drop all
+netfilter
+# no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+
+disable-mnt
+# private-bin Atom,desktop
+# private-cache
+# private-dev
+# private-etc none
+# private-lib
+# private-tmp
+
+# memory-deny-write-execute
+# noexec ${HOME}
+# noexec /tmp
diff --git a/etc/devilspie.profile b/etc/devilspie.profile
new file mode 100644
index 000000000..dbfb05798
--- /dev/null
+++ b/etc/devilspie.profile
@@ -0,0 +1,49 @@
+# Firejail profile for devilspie
+# Description: Window matching daemon
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/devilspie.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+noblacklist ${HOME}/.devilspie
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin devilspie
+private-cache
+private-dev
+private-etc none
+private-lib gconv
+private-tmp
+
+memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp
+
+# devilspie will never write anything
+read-only ${HOME}
diff --git a/etc/devilspie2.profile b/etc/devilspie2.profile
new file mode 100644
index 000000000..3a9a9659a
--- /dev/null
+++ b/etc/devilspie2.profile
@@ -0,0 +1,49 @@
+# Firejail profile for devilspie2
+# Description: Window matching daemon (Lua)
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/devilspie2.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+noblacklist ${HOME}/.config/devilspie2
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin devilspie2
+private-cache
+private-dev
+private-etc none
+private-lib gconv
+private-tmp
+
+memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp
+
+# devilspie2 will never write anything
+read-only ${HOME}
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index 1213e4f24..6fa0eed26 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -32,6 +32,7 @@ blacklist ${HOME}/.aMule
 blacklist ${HOME}/.android
 blacklist ${HOME}/.anydesk
 blacklist ${HOME}/.arduino15
+blacklist ${HOME}/.aria2
 blacklist ${HOME}/.arm
 blacklist ${HOME}/.asunder_album_genre
 blacklist ${HOME}/.asunder_album_title
@@ -46,6 +47,7 @@ blacklist ${HOME}/.config/0ad
 blacklist ${HOME}/.config/2048-qt
 blacklist ${HOME}/.config/Atom
 blacklist ${HOME}/.config/Audaciousrc
+blacklist ${HOME}/.config/Authenticator
 blacklist ${HOME}/.config/Beaker Browser
 blacklist ${HOME}/.config/Brackets
 blacklist ${HOME}/.config/Clementine
@@ -55,6 +57,7 @@ blacklist ${HOME}/.config/Franz
 blacklist ${HOME}/.config/FreeCAD
 blacklist ${HOME}/.config/Fritzing
 blacklist ${HOME}/.config/GIMP
+blacklist ${HOME}/.config/GitHub Desktop
 blacklist ${HOME}/.config/Gitter
 blacklist ${HOME}/.config/Google
 blacklist ${HOME}/.config/Google Play Music Desktop Player
@@ -63,6 +66,7 @@ blacklist ${HOME}/.config/INRIA
 blacklist ${HOME}/.config/InSilmaril
 blacklist ${HOME}/.config/Luminance
 blacklist ${HOME}/.config/Meltytech
+blacklist ${HOME}/.config/Min
 blacklist ${HOME}/.config/Mousepad
 blacklist ${HOME}/.config/Mumble
 blacklist ${HOME}/.config/MusE
@@ -70,6 +74,7 @@ blacklist ${HOME}/.config/MuseScore
 blacklist ${HOME}/.config/MusicBrainz
 blacklist ${HOME}/.config/Nylas Mail
 blacklist ${HOME}/.config/Qlipper
+blacklist ${HOME}/.config/QMediathekView
 blacklist ${HOME}/.config/QuiteRss
 blacklist ${HOME}/.config/QuiteRssrc
 blacklist ${HOME}/.config/Rambox
@@ -111,6 +116,7 @@ blacklist ${HOME}/.config/corebird
 blacklist ${HOME}/.config/darktable
 blacklist ${HOME}/.config/deadbeef
 blacklist ${HOME}/.config/deluge
+blacklist ${HOME}/.config/devilspie2
 blacklist ${HOME}/.config/digikam
 blacklist ${HOME}/.config/digikamrc
 blacklist ${HOME}/.config/discord
@@ -252,11 +258,13 @@ blacklist ${HOME}/.config/zoomus.conf
 blacklist ${HOME}/.conkeror.mozdev.org
 blacklist ${HOME}/.curlrc
 blacklist ${HOME}/.dashcore
+blacklist ${HOME}/.devilspie
 blacklist ${HOME}/.dia
 blacklist ${HOME}/.dillo
 blacklist ${HOME}/.dooble
 blacklist ${HOME}/.dosbox
 blacklist ${HOME}/.dropbox*
+blacklist ${HOME}/.easystroke
 blacklist ${HOME}/.electron-cache
 blacklist ${HOME}/.electrum*
 blacklist ${HOME}/.elinks
@@ -360,6 +368,7 @@ blacklist ${HOME}/.local/share/3909/PapersPlease
 blacklist ${HOME}/.local/share/Empathy
 blacklist ${HOME}/.local/share/JetBrains
 blacklist ${HOME}/.local/share/Mumble
+blacklist ${HOME}/.local/share/QMediathekView
 blacklist ${HOME}/.local/share/QuiteRss
 blacklist ${HOME}/.local/share/Ricochet
 blacklist ${HOME}/.local/share/Steam
diff --git a/etc/easystroke.profile b/etc/easystroke.profile
new file mode 100644
index 000000000..6fac08a5d
--- /dev/null
+++ b/etc/easystroke.profile
@@ -0,0 +1,45 @@
+# Firejail profile for easystroke
+# Description: Control your desktop using mouse gestures
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/easystroke.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+noblacklist ${HOME}/.easystroke
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+# nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+
+disable-mnt
+private-bin easystroke
+private-cache
+private-dev
+private-etc fonts
+private-lib gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.so.*
+private-tmp
+
+memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/file.profile b/etc/file.profile
index 5d1227520..00e18de20 100644
--- a/etc/file.profile
+++ b/etc/file.profile
@@ -30,10 +30,12 @@ shell none
 tracelog
 x11 none
 
-private-bin file
+#private-bin file
+private-cache
 private-dev
 private-etc magic.mgc,magic,localtime
 private-lib
+private-tmp
 
 memory-deny-write-execute
 noexec ${HOME}
diff --git a/etc/min.profile b/etc/min.profile
new file mode 100644
index 000000000..91c6fce3c
--- /dev/null
+++ b/etc/min.profile
@@ -0,0 +1,50 @@
+# Firejail profile for min
+# Description: A faster, smarter web browser.
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/min.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+noblacklist ${HOME}/.config/Min
+
+noblacklist ${HOME}/.pki
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
+include /etc/firejail/disable-programs.inc
+
+mkdir ${HOME}/.pki
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.pki
+include /etc/firejail/whitelist-common.inc
+include /etc/firejail/whitelist-var-common.inc
+
+caps.drop all
+# ipc-namespace
+# machine-id breaks pulse audio; it should work fine in setups where sound is not required
+#machine-id
+netfilter
+# no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+protocol unix,inet,inet6
+seccomp
+shell none
+
+disable-mnt
+# private-bin min
+private-cache
+private-dev
+# private-etc below works fine on most distributions. There are some problems on CentOS.
+private-etc ca-certificates,ssl,machine-id,dconf,selinux,passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,mime.types,mailcap,asound.conf,pulse,pki,crypto-policies,ld.so.cache
+private-tmp
+
+# memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/strings.profile b/etc/strings.profile
index 5bea9525f..ae2fbf18f 100644
--- a/etc/strings.profile
+++ b/etc/strings.profile
@@ -21,9 +21,13 @@ shell none
 tracelog
 
 private-bin strings
+private-cache
 private-dev
+private-etc none
 private-lib
 
 memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp
 
 include /etc/firejail/default.profile
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index 746c70c53..2190f133d 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -10,9 +10,11 @@ Discord
 DiscordCanary
 FossaMail
 Fritzing
+GitHub Desktop
 JDownloader
 Mathematica
 Natron
+QMediathekView
 Telegram
 Viber
 VirtualBox
@@ -85,6 +87,7 @@ clipit
 cliqz
 cmus
 code
+com.github.bilelmoussaoui.Authenticator
 conkeror
 conky
 corebird
@@ -111,6 +114,7 @@ dooble-qt4
 dosbox
 dragon
 dropbox
+easystroke
 ebook-viewer
 electrum
 elinks
@@ -276,6 +280,7 @@ mediainfo
 mediathekview
 meld
 midori
+min
 minetest
 mousepad
 mplayer
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 40155b155..1d74dc8dc 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -453,7 +453,7 @@ void fs_chroot(const char *rootdir);
 void fs_check_chroot_dir(const char *rootdir);
 void fs_private_tmp(void);
 void fs_private_cache(void);
-void fs_mnt(void);
+void fs_mnt(const int enforce);
 
 // profile.c
 // find and read the profile specified by name from dir directory
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index 83830cff6..b958df81a 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -545,11 +545,23 @@ void fs_noexec(const char *dir) {
 }
 
 // Disable /mnt, /media, /run/mount and /run/media access
-void fs_mnt(void) {
-        disable_file(BLACKLIST_FILE, "/mnt");
-        disable_file(BLACKLIST_FILE, "/media");
-        disable_file(BLACKLIST_FILE, "/run/mount");
-        disable_file(BLACKLIST_FILE, "//run/media");
+void fs_mnt(const int enforce) {
+        if (enforce) {
+                // disable-mnt set in firejail.config
+                // overriding with noblacklist is not possible in this case
+                disable_file(BLACKLIST_FILE, "/mnt");
+                disable_file(BLACKLIST_FILE, "/media");
+                disable_file(BLACKLIST_FILE, "/run/mount");
+                disable_file(BLACKLIST_FILE, "/run/media");
+        }
+        else {
+                EUID_USER();
+                profile_add("blacklist /mnt");
+                profile_add("blacklist /media");
+                profile_add("blacklist /run/mount");
+                profile_add("blacklist /run/media");
+                EUID_ROOT();
+        }
 }
 
 
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 5441522ab..8eede6f93 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -923,8 +923,10 @@ int sandbox(void* sandbox_arg) {
         //****************************
         // handle /mnt and /media
         //****************************
-        if (arg_disable_mnt || checkcfg(CFG_DISABLE_MNT))
-                fs_mnt();
+        if (checkcfg(CFG_DISABLE_MNT))
+                fs_mnt(1);
+        else if (arg_disable_mnt)
+                fs_mnt(0);
 
         //****************************
         // apply the profile file