67 files changed, 547 insertions, 718 deletions
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
new file mode 100644
index 000000000..0951d753e
--- /dev/null
+++ b/CONTRIBUTING.md
@@ -0,0 +1,21 @@
+Welcome to firejail, and thank you for your interest in contributing!
+# Opening an issue:
+We welcome issues, whether to ask a question, provide information, request a new profile or
+feature, or to report a suspected bug or problem.
+If you want to request a program profile that we don't already have, please add a comment in
+our dedicated issue, #1139.
+When submitting a bug report, please provide the following information so that
+we can handle the report more easily:
+ - firejail version. If you're not sure, open a terminal and type `firejail --version`.
+ - Linux distribution (so that we can try to reproduce it, if necessary).
+ - If you know that the problem did not exist in an earlier version of firejail, please mention it.
+ - If you are reporting that a program does not work with firejail, please also run firejail with
+ the `--noprofile` argument.
+ For example, if `firejail firefox` does not work, please also run `firejail --noprofile firefox` and
+ let us know if it runs correctly or not.
+We take security bugs very seriously. If you believe you have found one, please report it by
+emailing us at netblue30@yahoo.com
diff --git a/README b/README
index ac70b1631..cf9ef47e4 100644
--- a/README
+++ b/README
@@ -597,6 +597,8 @@ Vasya Novikov (https://github.com/vn971)
        - seccomp syscall list update for glibc 2.26-10
 Veeti Paananen (https://github.com/veeti)
        - fixed Spotify profile
+Vincent43 (https://github.com/Vincent43)
+        - apparmor enhancements
 vismir2 (https://github.com/vismir2)
        - feh, ranger, 7z, keepass, keepassx and zathura profiles
        - claws-mail, mutt, git, emacs, vim profiles
diff --git a/README.md b/README.md
index 7bd691ba8..eebe91d10 100644
--- a/README.md
+++ b/README.md
@@ -98,7 +98,17 @@ Use this issue to request new profiles: [#1139](https://github.com/netblue30/fir
 `````
 # Current development version: 0.9.53
+## Browser profile unification
+All Chromium and Firefox browsers have been unified to instead extend
+chromium-common.profile and firefox-common.profile respectively.
+This allows for reduced maintenance and ease of adding new browsers.
+NOTE: All users of Firefox-based browsers who use addons and plugins
+that read/write from ${HOME} will need to uncomment the includes for
+firefox-common-addons.inc in firefox-common.profile.
 ## New profiles
 Basilisk browser, Tor Browser language packs, PlayOnLinux, sylpheed, discord-canary,
-pycharm-community, pycharm-professional, Pitivi, OnionShare, Fritzing
+pycharm-community, pycharm-professional, Pitivi, OnionShare, Fritzing, Kaffeine, pdfchain,
+tilp
diff --git a/RELNOTES b/RELNOTES
index fe871134b..b0a873e38 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -5,8 +5,9 @@ firejail (0.9.53) baseline; urgency=low
  * whitelist support for overlay and chroot sandboxes
  * private-dev support for overlay and chroot sandboxes
  * private-tmp support for overlay and chroot sandboxes
-  * new profiles: basilisk, Tor Browser language packs, PlayOnLinux, sylpheed, discord-canary
+  * new profiles: basilisk, Tor Browser language packs, PlayOnLinux, sylpheed,
-  * new profiles: pycharm-community, pycharm-professional
+  * new profiles: discord-canary, pycharm-community, pycharm-professional, kaffeine,
+  * new profiles: pdfchain, tilp
 -- netblue30 <netblue30@yahoo.com>  Tue, 12 Dec 2017 08:00:00 -0500
 firejail (0.9.52) baseline; urgency=low
diff --git a/etc/abrowser.profile b/etc/abrowser.profile
index 5c964bad1..d757d6f49 100644
--- a/etc/abrowser.profile
+++ b/etc/abrowser.profile
@@ -7,42 +7,15 @@ include /etc/firejail/globals.local
 noblacklist ${HOME}/.cache/mozilla
 noblacklist ${HOME}/.mozilla
-noblacklist ${HOME}/.pki
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-programs.inc
 mkdir ${HOME}/.cache/mozilla/abrowser
 mkdir ${HOME}/.mozilla
-whitelist ${DOWNLOADS}
-whitelist ${HOME}/.cache/gnome-mplayer/plugin
 whitelist ${HOME}/.cache/mozilla/abrowser
-whitelist ${HOME}/.config/gnome-mplayer
-whitelist ${HOME}/.config/pipelight-silverlight5.1
-whitelist ${HOME}/.config/pipelight-widevine
-whitelist ${HOME}/.keysnail.js
-whitelist ${HOME}/.lastpass
 whitelist ${HOME}/.mozilla
-whitelist ${HOME}/.pentadactyl
-whitelist ${HOME}/.pentadactylrc
-whitelist ${HOME}/.pki
-whitelist ${HOME}/.vimperator
-whitelist ${HOME}/.vimperatorrc
-whitelist ${HOME}/.wine-pipelight
-whitelist ${HOME}/.wine-pipelight64
-whitelist ${HOME}/.zotero
-whitelist ${HOME}/dwhelper
-include /etc/firejail/whitelist-common.inc
-caps.drop all
+# private-etc must first be enabled in firefox-common.profile
-netfilter
+#private-etc abrowser
-nodvd
-nonewprivs
-noroot
-notv
-protocol unix,inet,inet6,netlink
-seccomp
-tracelog
-# private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse
+# Redirect
+include /etc/firejail/firefox-common.profile
diff --git a/etc/akregator.profile b/etc/akregator.profile
index f2e5ea341..2c49ef9f0 100644
--- a/etc/akregator.profile
+++ b/etc/akregator.profile
@@ -17,6 +17,7 @@ mkfile ${HOME}/.config/akregatorrc
 mkdir ${HOME}/.local/share/akregator
 whitelist ${HOME}/.config/akregatorrc
 whitelist ${HOME}/.local/share/akregator
+whitelist ${HOME}/.local/share/kssl
 include /etc/firejail/whitelist-common.inc
 include /etc/firejail/whitelist-var-common.inc
diff --git a/etc/audacity.profile b/etc/audacity.profile
index e173fa65a..ea1d38132 100644
--- a/etc/audacity.profile
+++ b/etc/audacity.profile
@@ -17,7 +17,7 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/whitelist-var-common.inc
 caps.drop all
-net none
+#net none
 no3d
 nodvd
 nogroups
diff --git a/etc/bnox.profile b/etc/bnox.profile
index 4270755c8..3207a2923 100644
--- a/etc/bnox.profile
+++ b/etc/bnox.profile
@@ -7,30 +7,11 @@ include /etc/firejail/globals.local
 noblacklist ${HOME}/.cache/bnox
 noblacklist ${HOME}/.config/bnox
-noblacklist ${HOME}/.pki
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
 mkdir ${HOME}/.cache/bnox
 mkdir ${HOME}/.config/bnox
-mkdir ${HOME}/.pki
-whitelist ${DOWNLOADS}
 whitelist ${HOME}/.cache/bnox
 whitelist ${HOME}/.config/bnox
-whitelist ${HOME}/.pki
-include /etc/firejail/whitelist-common.inc
-include /etc/firejail/whitelist-var-common.inc
-caps.keep sys_chroot,sys_admin
-netfilter
-nodvd
-nogroups
-notv
-shell none
-private-dev
-# private-tmp - problems with multiple browser sessions
-noexec ${HOME}
+# Redirect
-noexec /tmp
+include /etc/firejail/chromium-common.profile
diff --git a/etc/brave.profile b/etc/brave.profile
index 668e8a244..f37ac2a05 100644
--- a/etc/brave.profile
+++ b/etc/brave.profile
@@ -8,31 +8,10 @@ include /etc/firejail/globals.local
 noblacklist ${HOME}/.config/brave
 # brave uses gpg for built-in password manager
 noblacklist ${HOME}/.gnupg
-noblacklist ${HOME}/.pki
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-programs.inc
 mkdir ${HOME}/.config/brave
-mkdir ${HOME}/.pki
-whitelist ${DOWNLOADS}
-whitelist ${HOME}/.config/KeePass
 whitelist ${HOME}/.config/brave
-whitelist ${HOME}/.config/keepass
+whitelist ${HOME}/.gnupg
-whitelist ${HOME}/.config/lastpass
-whitelist ${HOME}/.keepass
-whitelist ${HOME}/.lastpass
-whitelist ${HOME}/.pki
-include /etc/firejail/whitelist-common.inc
-# caps.drop all
-netfilter
-# nonewprivs
-# noroot
-nodvd
-notv
-# protocol unix,inet,inet6,netlink
-# seccomp
-disable-mnt
+# Redirect
+include /etc/firejail/chromium-common.profile
diff --git a/etc/chromium-common.profile b/etc/chromium-common.profile
new file mode 100644
index 000000000..5c5215309
--- /dev/null
+++ b/etc/chromium-common.profile
@@ -0,0 +1,32 @@
+# Firejail profile for chromium-common
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/chromium-common.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+noblacklist ${HOME}/.pki
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-programs.inc
+mkdir ${HOME}/.pki
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.pki
+include /etc/firejail/whitelist-common.inc
+include /etc/firejail/whitelist-var-common.inc
+caps.keep sys_chroot,sys_admin
+netfilter
+nodvd
+nogroups
+notv
+shell none
+disable-mnt
+private-dev
+# private-tmp - problems with multiple browser sessions
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/chromium.profile b/etc/chromium.profile
index 64d790121..ad9f9af33 100644
--- a/etc/chromium.profile
+++ b/etc/chromium.profile
@@ -8,34 +8,14 @@ include /etc/firejail/globals.local
 noblacklist ${HOME}/.cache/chromium
 noblacklist ${HOME}/.config/chromium
 noblacklist ${HOME}/.config/chromium-flags.conf
-noblacklist ${HOME}/.pki
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-programs.inc
 mkdir ${HOME}/.cache/chromium
 mkdir ${HOME}/.config/chromium
-mkdir ${HOME}/.pki
-whitelist ${DOWNLOADS}
 whitelist ${HOME}/.cache/chromium
 whitelist ${HOME}/.config/chromium
 whitelist ${HOME}/.config/chromium-flags.conf
-whitelist ${HOME}/.pki
-include /etc/firejail/whitelist-common.inc
-include /etc/firejail/whitelist-var-common.inc
-caps.keep sys_chroot,sys_admin
-netfilter
-nodvd
-nogroups
-notv
-shell none
-disable-mnt
 # private-bin chromium,chromium-browser,chromedriver
-private-dev
-# private-tmp - problems with multiple browser sessions
-noexec ${HOME}
+# Redirect
-noexec /tmp
+include /etc/firejail/chromium-common.profile
diff --git a/etc/clementine.profile b/etc/clementine.profile
index a736f7bf9..ccf6f9c97 100644
--- a/etc/clementine.profile
+++ b/etc/clementine.profile
@@ -5,6 +5,7 @@ include /etc/firejail/clementine.local
 # Persistent global definitions
 include /etc/firejail/globals.local
+noblacklist ${HOME}/.cache/Clementine
 noblacklist ${HOME}/.config/Clementine
 include /etc/firejail/disable-common.inc
diff --git a/etc/cliqz.profile b/etc/cliqz.profile
index 086dfa233..4ff96311d 100644
--- a/etc/cliqz.profile
+++ b/etc/cliqz.profile
@@ -7,77 +7,14 @@ include /etc/firejail/globals.local
 noblacklist ${HOME}/.cache/cliqz
 noblacklist ${HOME}/.config/cliqz
-noblacklist ${HOME}/.config/okularpartrc
-noblacklist ${HOME}/.config/okularrc
-noblacklist ${HOME}/.config/qpdfview
-noblacklist ${HOME}/.kde/share/apps/okular
-noblacklist ${HOME}/.kde/share/config/okularpartrc
-noblacklist ${HOME}/.kde/share/config/okularrc
-noblacklist ${HOME}/.kde4/share/apps/okular
-noblacklist ${HOME}/.kde4/share/config/okularpartrc
-noblacklist ${HOME}/.kde4/share/config/okularrc
-# noblacklist ${HOME}/.local/share/gnome-shell/extensions
-noblacklist ${HOME}/.local/share/okular
-noblacklist ${HOME}/.local/share/qpdfview
-noblacklist ${HOME}/.pki
+mkdir ${HOME}/.cache/cliqz
+mkdir ${HOME}/.config/cliqz
+whitelist ${HOME}/.cache/cliqz
+whitelist ${HOME}/.config/cliqz
-include /etc/firejail/disable-common.inc
+# private-etc must first be enabled in firefox-common.profile
-include /etc/firejail/disable-devel.inc
+#private-etc cliqz
-include /etc/firejail/disable-programs.inc
-mkdir ${HOME}/.cache/mozilla/firefox
+# Redirect
-mkdir ${HOME}/.mozilla
+include /etc/firejail/firefox-common.profile
-mkdir ${HOME}/.pki
-whitelist ${DOWNLOADS}
-whitelist ${HOME}/.cache/gnome-mplayer/plugin
-whitelist ${HOME}/.cache/mozilla/firefox
-whitelist ${HOME}/.config/gnome-mplayer
-whitelist ${HOME}/.config/okularpartrc
-whitelist ${HOME}/.config/okularrc
-whitelist ${HOME}/.config/pipelight-silverlight5.1
-whitelist ${HOME}/.config/pipelight-widevine
-whitelist ${HOME}/.config/qpdfview
-whitelist ${HOME}/.kde/share/apps/okular
-whitelist ${HOME}/.kde/share/config/okularpartrc
-whitelist ${HOME}/.kde/share/config/okularrc
-whitelist ${HOME}/.kde4/share/apps/okular
-whitelist ${HOME}/.kde4/share/config/okularpartrc
-whitelist ${HOME}/.kde4/share/config/okularrc
-whitelist ${HOME}/.keysnail.js
-whitelist ${HOME}/.lastpass
-whitelist ${HOME}/.local/share/gnome-shell/extensions
-whitelist ${HOME}/.local/share/okular
-whitelist ${HOME}/.local/share/qpdfview
-whitelist ${HOME}/.mozilla
-whitelist ${HOME}/.pentadactyl
-whitelist ${HOME}/.pentadactylrc
-whitelist ${HOME}/.pki
-whitelist ${HOME}/.vimperator
-whitelist ${HOME}/.vimperatorrc
-whitelist ${HOME}/.wine-pipelight
-whitelist ${HOME}/.wine-pipelight64
-whitelist ${HOME}/.zotero
-whitelist ${HOME}/dwhelper
-include /etc/firejail/whitelist-common.inc
-include /etc/firejail/whitelist-var-common.inc
-caps.drop all
-netfilter
-nodvd
-nogroups
-nonewprivs
-noroot
-notv
-protocol unix,inet,inet6,netlink
-seccomp
-shell none
-tracelog
-# private-bin firefox,which,sh,dbus-launch,dbus-send,env
-private-dev
-# private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,firefox,mime.types,mailcap,asound.conf,pulse
-private-tmp
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/cyberfox.profile b/etc/cyberfox.profile
index 66cd27461..ce51906ba 100644
--- a/etc/cyberfox.profile
+++ b/etc/cyberfox.profile
@@ -7,67 +7,15 @@ include /etc/firejail/globals.local
 noblacklist ${HOME}/.8pecxstudios
 noblacklist ${HOME}/.cache/8pecxstudios
-noblacklist ${HOME}/.config/okularpartrc
-noblacklist ${HOME}/.config/okularrc
-noblacklist ${HOME}/.config/qpdfview
-noblacklist ${HOME}/.kde/share/apps/okular
-noblacklist ${HOME}/.kde4/share/apps/okular
-noblacklist ${HOME}/.local/share/okular
-noblacklist ${HOME}/.local/share/qpdfview
-noblacklist ${HOME}/.pki
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-programs.inc
 mkdir ${HOME}/.8pecxstudios
 mkdir ${HOME}/.cache/8pecxstudios
-mkdir ${HOME}/.pki
-whitelist ${DOWNLOADS}
 whitelist ${HOME}/.8pecxstudios
 whitelist ${HOME}/.cache/8pecxstudios
-whitelist ${HOME}/.cache/gnome-mplayer/plugin
-whitelist ${HOME}/.config/gnome-mplayer
-whitelist ${HOME}/.config/okularpartrc
-whitelist ${HOME}/.config/okularrc
-whitelist ${HOME}/.config/pipelight-silverlight5.1
-whitelist ${HOME}/.config/pipelight-widevine
-whitelist ${HOME}/.config/qpdfview
-whitelist ${HOME}/.kde/share/apps/okular
-whitelist ${HOME}/.kde4/share/apps/okular
-whitelist ${HOME}/.keysnail.js
-whitelist ${HOME}/.lastpass
-whitelist ${HOME}/.local/share/okular
-whitelist ${HOME}/.local/share/qpdfview
-whitelist ${HOME}/.pentadactyl
-whitelist ${HOME}/.pentadactylrc
-whitelist ${HOME}/.pki
-whitelist ${HOME}/.vimperator
-whitelist ${HOME}/.vimperatorrc
-whitelist ${HOME}/.wine-pipelight
-whitelist ${HOME}/.wine-pipelight64
-whitelist ${HOME}/.zotero
-whitelist ${HOME}/dwhelper
-include /etc/firejail/whitelist-common.inc
-caps.drop all
-netfilter
-nodvd
-nogroups
-nonewprivs
-noroot
-notv
-protocol unix,inet,inet6,netlink
-seccomp
-shell none
-tracelog
-disable-mnt
 # private-bin cyberfox,which,sh,dbus-launch,dbus-send,env
-private-dev
+# private-etc must first be enabled in firefox-common.profile
-private-dev
+#private-etc cyberfox
-# private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,cyberfox,mime.types,mailcap,asound.conf,pulse
-private-tmp
-noexec ${HOME}
+# Redirect
-noexec /tmp
+include /etc/firejail/firefox-common.profile
diff --git a/etc/disable-common.inc b/etc/disable-common.inc
index 91c554f2e..54a292bc2 100644
--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -7,7 +7,10 @@ blacklist-nolog ${HOME}/.*_history
 blacklist-nolog ${HOME}/.adobe
 blacklist-nolog ${HOME}/.cache/greenclip*
 blacklist-nolog ${HOME}/.history
+blacklist-nolog ${HOME}/.kde/share/apps/klipper
+blacklist-nolog ${HOME}/.kde4/share/apps/klipper
 blacklist-nolog ${HOME}/.local/share/fish/fish_history
+blacklist-nolog ${HOME}/.local/share/klipper
 blacklist-nolog ${HOME}/.macromedia
 blacklist-nolog /tmp/clipmenu*
@@ -42,20 +45,21 @@ blacklist /etc/X11/Xsession.d
 blacklist /etc/xdg/autostart
 # KDE config
-blacklist ${HOME}/.config/*.notifyrc
 blacklist ${HOME}/.config/khotkeysrc
 blacklist ${HOME}/.config/krunnerrc
+blacklist ${HOME}/.config/ksslcertificatemanager
 blacklist ${HOME}/.config/kwinrc
 blacklist ${HOME}/.config/kwinrulesrc
 blacklist ${HOME}/.config/plasma-org.kde.plasma.desktop-appletsrc
+blacklist ${HOME}/.config/plasmashellrc
 blacklist ${HOME}/.config/plasmavaultrc
 blacklist ${HOME}/.kde/share/apps/konsole
 blacklist ${HOME}/.kde/share/apps/kwin
 blacklist ${HOME}/.kde/share/apps/plasma
 blacklist ${HOME}/.kde/share/apps/solid
-blacklist ${HOME}/.kde/share/config/*.notifyrc
 blacklist ${HOME}/.kde/share/config/khotkeysrc
 blacklist ${HOME}/.kde/share/config/krunnerrc
+blacklist ${HOME}/.kde/share/config/ksslcertificatemanager
 blacklist ${HOME}/.kde/share/config/kwinrc
 blacklist ${HOME}/.kde/share/config/kwinrulesrc
 blacklist ${HOME}/.kde/share/config/plasma-desktop-appletsrc
@@ -63,9 +67,9 @@ blacklist ${HOME}/.kde4/share/apps/konsole
 blacklist ${HOME}/.kde4/share/apps/kwin
 blacklist ${HOME}/.kde4/share/apps/plasma
 blacklist ${HOME}/.kde4/share/apps/solid
-blacklist ${HOME}/.kde4/share/config/*.notifyrc
 blacklist ${HOME}/.kde4/share/config/khotkeysrc
 blacklist ${HOME}/.kde4/share/config/krunnerrc
+blacklist ${HOME}/.kde4/share/config/ksslcertificatemanager
 blacklist ${HOME}/.kde4/share/config/kwinrc
 blacklist ${HOME}/.kde4/share/config/kwinrulesrc
 blacklist ${HOME}/.kde4/share/config/plasma-desktop-appletsrc
@@ -74,15 +78,29 @@ blacklist ${HOME}/.local/share/konsole
 blacklist ${HOME}/.local/share/kwin
 blacklist ${HOME}/.local/share/plasma
 blacklist ${HOME}/.local/share/solid
+read-only ${HOME}/.cache/ksycoca5_*
+read-only ${HOME}/.config/*notifyrc
 read-only ${HOME}/.config/kdeglobals
+read-only ${HOME}/.config/kio_httprc
+read-only ${HOME}/.config/kiorc
 read-only ${HOME}/.config/kioslaverc
+read-only ${HOME}/.config/ksslcablacklist
+read-only ${HOME}/.kde/share/apps/kssl
+read-only ${HOME}/.kde/share/config/*notifyrc
 read-only ${HOME}/.kde/share/config/kdeglobals
+read-only ${HOME}/.kde/share/config/kio_httprc
 read-only ${HOME}/.kde/share/config/kioslaverc
+read-only ${HOME}/.kde/share/config/ksslcablacklist
 read-only ${HOME}/.kde/share/kde4/services
+read-only ${HOME}/.kde4/share/apps/kssl
+read-only ${HOME}/.kde4/share/config/*notifyrc
 read-only ${HOME}/.kde4/share/config/kdeglobals
+read-only ${HOME}/.kde4/share/config/kio_httprc
 read-only ${HOME}/.kde4/share/config/kioslaverc
+read-only ${HOME}/.kde4/share/config/ksslcablacklist
 read-only ${HOME}/.kde4/share/kde4/services
 read-only ${HOME}/.local/share/kservices5
+read-only ${HOME}/.local/share/kssl
 # kdeinit socket
 blacklist /run/user/*/kdeinit5__*
@@ -236,6 +254,7 @@ read-only ${HOME}/bin
 blacklist   ${HOME}/.local/share/Trash
 # Write-protection for desktop entries
+read-only ${HOME}/.config/menus
 read-only ${HOME}/.local/share/applications
 # top secret
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index 4d9c4d85f..8e72dc47e 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -129,11 +129,15 @@ blacklist ${HOME}/.config/iridium
 blacklist ${HOME}/.config/itch
 blacklist ${HOME}/.config/jd-gui.cfg
 blacklist ${HOME}/.config/k3brc
+blacklist ${HOME}/.config/kaffeinerc
 blacklist ${HOME}/.config/katepartrc
 blacklist ${HOME}/.config/katerc
 blacklist ${HOME}/.config/kateschemarc
 blacklist ${HOME}/.config/katesyntaxhighlightingrc
 blacklist ${HOME}/.config/katevirc
+blacklist ${HOME}/.config/kdenliverc
+blacklist ${HOME}/.config/kgetrc
+blacklist ${HOME}/.config/klipperrc
 blacklist ${HOME}/.config/kritarc
 blacklist ${HOME}/.config/kwriterc
 blacklist ${HOME}/.config/kdeconnect
@@ -258,6 +262,7 @@ blacklist ${HOME}/.java
 blacklist ${HOME}/.jitsi
 blacklist ${HOME}/.kde/share/apps/digikam
 blacklist ${HOME}/.kde/share/apps/gwenview
+blacklist ${HOME}/.kde/share/apps/kaffeine
 blacklist ${HOME}/.kde/share/apps/kcookiejar
 blacklist ${HOME}/.kde/share/apps/kget
 blacklist ${HOME}/.kde/share/apps/khtml
@@ -272,9 +277,11 @@ blacklist ${HOME}/.kde/share/config/baloorc
 blacklist ${HOME}/.kde/share/config/digikam
 blacklist ${HOME}/.kde/share/config/gwenviewrc
 blacklist ${HOME}/.kde/share/config/k3brc
+blacklist ${HOME}/.kde/share/config/kaffeinerc
 blacklist ${HOME}/.kde/share/config/kcookiejarrc
 blacklist ${HOME}/.kde/share/config/kgetrc
 blacklist ${HOME}/.kde/share/config/khtmlrc
+blacklist ${HOME}/.kde/share/config/klipperrc
 blacklist ${HOME}/.kde/share/config/konq_history
 blacklist ${HOME}/.kde/share/config/konqsidebartngrc
 blacklist ${HOME}/.kde/share/config/konquerorrc
@@ -285,6 +292,7 @@ blacklist ${HOME}/.kde/share/config/okularpartrc
 blacklist ${HOME}/.kde/share/config/okularrc
 blacklist ${HOME}/.kde4/share/apps/digikam
 blacklist ${HOME}/.kde4/share/apps/gwenview
+blacklist ${HOME}/.kde4/share/apps/kaffeine
 blacklist ${HOME}/.kde4/share/apps/kcookiejar
 blacklist ${HOME}/.kde4/share/apps/kget
 blacklist ${HOME}/.kde4/share/apps/khtml
@@ -298,9 +306,11 @@ blacklist ${HOME}/.kde4/share/config/baloofilerc
 blacklist ${HOME}/.kde4/share/config/digikam
 blacklist ${HOME}/.kde4/share/config/gwenviewrc
 blacklist ${HOME}/.kde4/share/config/k3brc
+blacklist ${HOME}/.kde4/share/config/kaffeinerc
 blacklist ${HOME}/.kde4/share/config/kcookiejarrc
 blacklist ${HOME}/.kde4/share/config/kgetrc
 blacklist ${HOME}/.kde4/share/config/khtmlrc
+blacklist ${HOME}/.kde4/share/config/klipperrc
 blacklist ${HOME}/.kde4/share/config/konq_history
 blacklist ${HOME}/.kde4/share/config/konqsidebartngrc
 blacklist ${HOME}/.kde4/share/config/konquerorrc
@@ -338,6 +348,7 @@ blacklist ${HOME}/.local/share/clipit
 blacklist ${HOME}/.local/share/data/Mumble
 blacklist ${HOME}/.local/share/data/MusE
 blacklist ${HOME}/.local/share/data/MuseScore
+blacklist ${HOME}/.local/share/data/qBittorrent
 blacklist ${HOME}/.local/share/dino
 blacklist ${HOME}/.local/share/dolphin
 blacklist ${HOME}/.local/share/epiphany
@@ -354,7 +365,11 @@ blacklist ${HOME}/.local/share/gnome-photos
 blacklist ${HOME}/.local/share/gnome-ring
 blacklist ${HOME}/.local/share/gnome-twitch
 blacklist ${HOME}/.local/share/gwenview
+blacklist ${HOME}/.local/share/kaffeine
 blacklist ${HOME}/.local/share/kate
+blacklist ${HOME}/.local/share/kdenlive
+blacklist ${HOME}/.local/share/kget
+blacklist ${HOME}/.local/share/krita
 blacklist ${HOME}/.local/share/ktorrentrc
 blacklist ${HOME}/.local/share/ktorrent
 blacklist ${HOME}/.local/share/kwrite
@@ -436,6 +451,7 @@ blacklist ${HOME}/.sylpheed-2.0
 blacklist ${HOME}/.synfig
 blacklist ${HOME}/.tconn
 blacklist ${HOME}/.thunderbird
+blacklist ${HOME}/.tilp
 blacklist ${HOME}/.tooling
 blacklist ${HOME}/.tor-browser-*
 blacklist ${HOME}/.ts3client
@@ -465,6 +481,7 @@ blacklist /tmp/ssh-*
 # ~/.cache directory
 blacklist ${HOME}/.cache/0ad
 blacklist ${HOME}/.cache/8pecxstudios
+blacklist ${HOME}/.cache/Clementine
 blacklist ${HOME}/.cache/Franz
 blacklist ${HOME}/.cache/INRIA
 blacklist ${HOME}/.cache/MusicBrainz
@@ -477,6 +494,8 @@ blacklist ${HOME}/.cache/chromium
 blacklist ${HOME}/.cache/chromium-dev
 blacklist ${HOME}/.cache/cliqz
 blacklist ${HOME}/.cache/darktable
+blacklist ${HOME}/.cache/discover
+blacklist ${HOME}/.cache/dolphin
 blacklist ${HOME}/.cache/epiphany
 blacklist ${HOME}/.cache/evolution
 blacklist ${HOME}/.cache/fossamail
@@ -490,6 +509,13 @@ blacklist ${HOME}/.cache/icedove
 blacklist ${HOME}/.cache/INRIA/Natron
 blacklist ${HOME}/.cache/inox
 blacklist ${HOME}/.cache/iridium
+blacklist ${HOME}/.cache/kdenlive
+blacklist ${HOME}/.cache/kinfocenter
+blacklist ${HOME}/.cache/krunner
+blacklist ${HOME}/.cache/kscreenlocker_greet
+blacklist ${HOME}/.cache/ksmserver-logout-greeter
+blacklist ${HOME}/.cache/ksplashqml
+blacklist ${HOME}/.cache/kwin
 blacklist ${HOME}/.cache/libgweather
 blacklist ${HOME}/.cache/liferea
 blacklist ${HOME}/.cache/midori
@@ -498,17 +524,20 @@ blacklist ${HOME}/.cache/mozilla
 blacklist ${HOME}/.cache/mutt
 blacklist ${HOME}/.cache/nheko/nheko
 blacklist ${HOME}/.cache/netsurf
+blacklist ${HOME}/.cache/okular
 blacklist ${HOME}/.cache/opera
 blacklist ${HOME}/.cache/opera-beta
 blacklist ${HOME}/.cache/org.gnome.Books
 blacklist ${HOME}/.cache/pdfmod
 blacklist ${HOME}/.cache/peek
+blacklist ${HOME}/.cache/plasmashell
 blacklist ${HOME}/.cache/qBittorrent
 blacklist ${HOME}/.cache/qupzilla
 blacklist ${HOME}/.cache/qutebrowser
 blacklist ${HOME}/.cache/simple-scan
 blacklist ${HOME}/.cache/slimjet
 blacklist ${HOME}/.cache/spotify
+blacklist ${HOME}/.cache/systemsettings
 blacklist ${HOME}/.cache/telepathy
 blacklist ${HOME}/.cache/thunderbird
 blacklist ${HOME}/.cache/torbrowser
diff --git a/etc/dnox.profile b/etc/dnox.profile
index d6626c048..505884ca6 100644
--- a/etc/dnox.profile
+++ b/etc/dnox.profile
@@ -7,30 +7,11 @@ include /etc/firejail/globals.local
 noblacklist ${HOME}/.cache/dnox
 noblacklist ${HOME}/.config/dnox
-noblacklist ${HOME}/.pki
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
 mkdir ${HOME}/.cache/dnox
 mkdir ${HOME}/.config/dnox
-mkdir ${HOME}/.pki
-whitelist ${DOWNLOADS}
 whitelist ${HOME}/.cache/dnox
 whitelist ${HOME}/.config/dnox
-whitelist ${HOME}/.pki
-include /etc/firejail/whitelist-common.inc
-include /etc/firejail/whitelist-var-common.inc
-caps.keep sys_chroot,sys_admin
-netfilter
-nodvd
-nogroups
-notv
-shell none
-private-dev
-# private-tmp - problems with multiple browser sessions
-noexec ${HOME}
+# Redirect
-noexec /tmp
+include /etc/firejail/chromium-common.profile
diff --git a/etc/dolphin.profile b/etc/dolphin.profile
index c1604826e..ce167b7a7 100644
--- a/etc/dolphin.profile
+++ b/etc/dolphin.profile
@@ -8,7 +8,8 @@ include /etc/firejail/globals.local
 # warning: firejail is currently not effectively constraining dolphin since used services are started by kdeinit5
 noblacklist ${HOME}/.local/share/Trash
-# noblacklist ${HOME}/.config/dolphinrc - diable-programs.inc is disabled, see below
+# noblacklist ${HOME}/.cache/dolphin - disable-programs.inc is disabled, see below
+# noblacklist ${HOME}/.config/dolphinrc
 # noblacklist ${HOME}/.local/share/dolphin
 include /etc/firejail/disable-common.inc
diff --git a/etc/dragon.profile b/etc/dragon.profile
index 76544010f..6fa6ec65e 100644
--- a/etc/dragon.profile
+++ b/etc/dragon.profile
@@ -16,7 +16,6 @@ include /etc/firejail/whitelist-var-common.inc
 caps.drop all
 netfilter
-nodvd
 nogroups
 nonewprivs
 noroot
diff --git a/etc/firefox-common-addons.inc b/etc/firefox-common-addons.inc
new file mode 100644
index 000000000..b237c3c05
--- /dev/null
+++ b/etc/firefox-common-addons.inc
@@ -0,0 +1,55 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/firefox-common-addons.local
+noblacklist ${HOME}/.config/kgetrc
+noblacklist ${HOME}/.config/okularpartrc
+noblacklist ${HOME}/.config/okularrc
+noblacklist ${HOME}/.config/qpdfview
+noblacklist ${HOME}/.kde/share/apps/kget
+noblacklist ${HOME}/.kde/share/apps/okular
+noblacklist ${HOME}/.kde/share/config/kgetrc
+noblacklist ${HOME}/.kde/share/config/okularpartrc
+noblacklist ${HOME}/.kde/share/config/okularrc
+noblacklist ${HOME}/.kde4/share/apps/kget
+noblacklist ${HOME}/.kde4/share/apps/okular
+noblacklist ${HOME}/.kde4/share/config/kgetrc
+noblacklist ${HOME}/.kde4/share/config/okularpartrc
+noblacklist ${HOME}/.kde4/share/config/okularrc
+# noblacklist ${HOME}/.local/share/gnome-shell/extensions
+noblacklist ${HOME}/.local/share/kget
+noblacklist ${HOME}/.local/share/okular
+noblacklist ${HOME}/.local/share/qpdfview
+whitelist ${HOME}/.cache/gnome-mplayer/plugin
+whitelist ${HOME}/.config/gnome-mplayer
+whitelist ${HOME}/.config/kgetrc
+whitelist ${HOME}/.config/okularpartrc
+whitelist ${HOME}/.config/okularrc
+whitelist ${HOME}/.config/pipelight-silverlight5.1
+whitelist ${HOME}/.config/pipelight-widevine
+whitelist ${HOME}/.config/qpdfview
+whitelist ${HOME}/.kde/share/apps/kget
+whitelist ${HOME}/.kde/share/apps/okular
+whitelist ${HOME}/.kde/share/config/kgetrc
+whitelist ${HOME}/.kde/share/config/okularpartrc
+whitelist ${HOME}/.kde/share/config/okularrc
+whitelist ${HOME}/.kde4/share/apps/kget
+whitelist ${HOME}/.kde4/share/apps/okular
+whitelist ${HOME}/.kde4/share/config/kgetrc
+whitelist ${HOME}/.kde4/share/config/okularpartrc
+whitelist ${HOME}/.kde4/share/config/okularrc
+whitelist ${HOME}/.keysnail.js
+whitelist ${HOME}/.lastpass
+whitelist ${HOME}/.local/share/gnome-shell/extensions
+whitelist ${HOME}/.local/share/kget
+whitelist ${HOME}/.local/share/okular
+whitelist ${HOME}/.local/share/qpdfview
+whitelist ${HOME}/.pentadactyl
+whitelist ${HOME}/.pentadactylrc
+whitelist ${HOME}/.vimperator
+whitelist ${HOME}/.vimperatorrc
+whitelist ${HOME}/.wine-pipelight
+whitelist ${HOME}/.wine-pipelight64
+whitelist ${HOME}/.zotero
+whitelist ${HOME}/dwhelper
diff --git a/etc/firefox-common.profile b/etc/firefox-common.profile
new file mode 100644
index 000000000..0c4271edc
--- /dev/null
+++ b/etc/firefox-common.profile
@@ -0,0 +1,44 @@
+# Firejail profile for firefox-common
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/firefox-common.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+# uncomment the following line to allow access to common programs/addons/plugins
+#include /etc/firejail/firefox-common-addons.inc
+noblacklist ${HOME}/.pki
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-programs.inc
+mkdir ${HOME}/.pki
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.pki
+include /etc/firejail/whitelist-common.inc
+include /etc/firejail/whitelist-var-common.inc
+caps.drop all
+# machine-id breaks pulse audio; it should work fine in setups where sound is not required
+#machine-id
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+disable-mnt
+private-dev
+# private-etc below works fine on most distributions. There are some problems on CentOS.
+#private-etc ca-certificates,ssl,machine-id,dconf,selinux,passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,mime.types,mailcap,asound.conf,pulse,pki,crypto-policies
+private-tmp
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/firefox.profile b/etc/firefox.profile
index 079cb1536..0ab6a6141 100644
--- a/etc/firefox.profile
+++ b/etc/firefox.profile
@@ -6,90 +6,17 @@ include /etc/firejail/firefox.local
 include /etc/firejail/globals.local
 noblacklist ${HOME}/.cache/mozilla
-noblacklist ${HOME}/.config/okularpartrc
-noblacklist ${HOME}/.config/okularrc
-noblacklist ${HOME}/.config/qpdfview
-noblacklist ${HOME}/.kde/share/apps/kget
-noblacklist ${HOME}/.kde/share/apps/okular
-noblacklist ${HOME}/.kde/share/config/kgetrc
-noblacklist ${HOME}/.kde/share/config/okularpartrc
-noblacklist ${HOME}/.kde/share/config/okularrc
-noblacklist ${HOME}/.kde4/share/apps/kget
-noblacklist ${HOME}/.kde4/share/apps/okular
-noblacklist ${HOME}/.kde4/share/config/kgetrc
-noblacklist ${HOME}/.kde4/share/config/okularpartrc
-noblacklist ${HOME}/.kde4/share/config/okularrc
-# noblacklist ${HOME}/.local/share/gnome-shell/extensions
-noblacklist ${HOME}/.local/share/okular
-noblacklist ${HOME}/.local/share/qpdfview
 noblacklist ${HOME}/.mozilla
-noblacklist ${HOME}/.pki
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-programs.inc
 mkdir ${HOME}/.cache/mozilla/firefox
 mkdir ${HOME}/.mozilla
-mkdir ${HOME}/.pki
-whitelist ${DOWNLOADS}
-whitelist ${HOME}/.cache/gnome-mplayer/plugin
 whitelist ${HOME}/.cache/mozilla/firefox
-whitelist ${HOME}/.config/gnome-mplayer
-whitelist ${HOME}/.config/okularpartrc
-whitelist ${HOME}/.config/okularrc
-whitelist ${HOME}/.config/pipelight-silverlight5.1
-whitelist ${HOME}/.config/pipelight-widevine
-whitelist ${HOME}/.config/qpdfview
-whitelist ${HOME}/.kde/share/apps/kget
-whitelist ${HOME}/.kde/share/apps/okular
-whitelist ${HOME}/.kde/share/config/kgetrc
-whitelist ${HOME}/.kde/share/config/okularpartrc
-whitelist ${HOME}/.kde/share/config/okularrc
-whitelist ${HOME}/.kde4/share/apps/kget
-whitelist ${HOME}/.kde4/share/apps/okular
-whitelist ${HOME}/.kde4/share/config/kgetrc
-whitelist ${HOME}/.kde4/share/config/okularpartrc
-whitelist ${HOME}/.kde4/share/config/okularrc
-whitelist ${HOME}/.keysnail.js
-whitelist ${HOME}/.lastpass
-whitelist ${HOME}/.local/share/gnome-shell/extensions
-whitelist ${HOME}/.local/share/okular
-whitelist ${HOME}/.local/share/qpdfview
 whitelist ${HOME}/.mozilla
-whitelist ${HOME}/.pentadactyl
-whitelist ${HOME}/.pentadactylrc
-whitelist ${HOME}/.pki
-whitelist ${HOME}/.vimperator
-whitelist ${HOME}/.vimperatorrc
-whitelist ${HOME}/.wine-pipelight
-whitelist ${HOME}/.wine-pipelight64
-whitelist ${HOME}/.zotero
-whitelist ${HOME}/dwhelper
-include /etc/firejail/whitelist-common.inc
-include /etc/firejail/whitelist-var-common.inc
-caps.drop all
-# machine-id breaks pulse audio; it should work fine in setups where sound is not required
-#machine-id
-netfilter
-nodvd
-nogroups
-nonewprivs
-noroot
-notv
-protocol unix,inet,inet6,netlink
-seccomp
-shell none
-tracelog
-disable-mnt
 # firefox requires a shell to launch on Arch.
-# private-bin firefox,which,sh,dbus-launch,dbus-send,env,bash
+#private-bin firefox,which,sh,dbus-launch,dbus-send,env,bash
-private-dev
+# private-etc must first be enabled in firefox-common.profile
-# private-etc below works fine on most distributions. There are some problems on CentOS.
+#private-etc firefox
-# private-etc iceweasel,ca-certificates,ssl,machine-id,dconf,selinux,passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,firefox,mime.types,mailcap,asound.conf,pulse,pki,crypto-policies
-private-tmp
-noexec ${HOME}
+# Redirect
-noexec /tmp
+include /etc/firejail/firefox-common.profile
diff --git a/etc/firejail-default b/etc/firejail-default
index e532af430..859f8683a 100644
--- a/etc/firejail-default
+++ b/etc/firejail-default
@@ -8,14 +8,16 @@
 # We don't know if this definition is available outside Debian and Ubuntu, so
 # we declare our own here.
 ##########
-@{PID}={[1-9],[1-9][0-9],[1-9][0-9][0-9],[1-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9]}
+@{PID}={[1-9],[1-9][0-9],[1-9][0-9][0-9],[1-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9],[1-4][0-9][0-9][0-9][0-9][0-9][0-9]}
 profile firejail-default flags=(attach_disconnected,mediate_deleted) {
 ##########
-# D-Bus is a huge security hole. Uncomment this line if you need D-Bus
+# D-Bus is a huge security hole. Uncomment those lines if you need D-Bus
 # functionality.
 ##########
+##include <abstractions/dbus-strict>
+##include <abstractions/dbus-session-strict>
 #dbus,
 ##########
@@ -59,6 +61,9 @@ owner /{run,dev}/shm/** rmwk,
 /run/firejail/mnt/oroot/{run,dev}/shm/ r,
 owner /run/firejail/mnt/oroot/{run,dev}/shm/** rmwk,
+# Needed for wine
+/{,var/}run/firejail/profile/@{PID} w,
 ##########
 # Mask /proc and /sys information leakage. The configuration here is barely
 # enough to run "top" or "ps aux".
@@ -72,6 +77,7 @@ owner /run/firejail/mnt/oroot/{run,dev}/shm/** rmwk,
 /proc/stat r,
 /proc/sys/kernel/pid_max r,
 /proc/sys/kernel/shmmax r,
+/proc/sys/kernel/yama/ptrace_scope r,
 /proc/sys/vm/overcommit_memory r,
 /proc/sys/vm/overcommit_ratio r,
 /proc/sys/kernel/random/uuid r,
@@ -93,15 +99,22 @@ owner /run/firejail/mnt/oroot/{run,dev}/shm/** rmwk,
 /proc/@{PID}/statm r,
 /proc/@{PID}/status r,
 /proc/@{PID}/task/@{PID}/stat r,
+/proc/@{PID}/task/@{PID}/status r,
 /proc/@{PID}/maps r,
+/proc/@{PID}/mem r,
 /proc/@{PID}/mounts r,
 /proc/@{PID}/mountinfo r,
+deny /proc/@{PID}/oom_adj w,
 /proc/@{PID}/oom_score_adj r,
+deny /proc/@{PID}/oom_score_adj w,
 /proc/@{PID}/auxv r,
 /proc/@{PID}/net/dev r,
 /proc/@{PID}/loginuid r,
 /proc/@{PID}/environ r,
+# Needed by chromium crash handler. Uncomment if you need it.
+#ptrace (trace tracedby),
 ##########
 # Allow running programs only from well-known system directories. If you need
 # to run programs from your home directory, uncomment /home line.
@@ -133,6 +146,11 @@ owner /run/firejail/mnt/oroot/{run,dev}/shm/** rmwk,
 /run/firejail/mnt/oroot/opt/** ix,
 ##########
+# Allow acces to cups printing socket
+##########
+/run/cups/cups.sock w,
+##########
 # Allow all networking functionality, and control it from Firejail.
 ##########
 network inet,
diff --git a/etc/flashpeak-slimjet.profile b/etc/flashpeak-slimjet.profile
index d9be8b9c5..63f9d19a9 100644
--- a/etc/flashpeak-slimjet.profile
+++ b/etc/flashpeak-slimjet.profile
@@ -5,35 +5,13 @@ include /etc/firejail/flashpeak-slimjet.local
 # Persistent global definitions
 include /etc/firejail/globals.local
-# This is a whitelisted profile, the internal browser sandbox
-# is disabled because it requires sudo password. The command
-# to run it is as follows:
-#  firejail flashpeak-slimjet --no-sandbox
 noblacklist ${HOME}/.cache/slimjet
 noblacklist ${HOME}/.config/slimjet
-noblacklist ${HOME}/.pki
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-programs.inc
 mkdir ${HOME}/.cache/slimjet
 mkdir ${HOME}/.config/slimjet
-mkdir ${HOME}/.pki
-whitelist ${DOWNLOADS}
 whitelist ${HOME}/.cache/slimjet
 whitelist ${HOME}/.config/slimjet
-whitelist ${HOME}/.pki
-include /etc/firejail/whitelist-common.inc
-caps.drop all
-netfilter
-nodvd
-nonewprivs
-noroot
-notv
-protocol unix,inet,inet6,netlink
-seccomp
-disable-mnt
+# Redirect
+include /etc/firejail/chromium-common.profile
diff --git a/etc/google-chrome-beta.profile b/etc/google-chrome-beta.profile
index 9c7306b85..ab16558ea 100644
--- a/etc/google-chrome-beta.profile
+++ b/etc/google-chrome-beta.profile
@@ -7,30 +7,11 @@ include /etc/firejail/globals.local
 noblacklist ${HOME}/.cache/google-chrome-beta
 noblacklist ${HOME}/.config/google-chrome-beta
-noblacklist ${HOME}/.pki
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-programs.inc
 mkdir ${HOME}/.cache/google-chrome-beta
 mkdir ${HOME}/.config/google-chrome-beta
-mkdir ${HOME}/.pki
-whitelist ${DOWNLOADS}
 whitelist ${HOME}/.cache/google-chrome-beta
 whitelist ${HOME}/.config/google-chrome-beta
-whitelist ${HOME}/.pki
-include /etc/firejail/whitelist-common.inc
-caps.keep sys_chroot,sys_admin
-netfilter
-nodvd
-nogroups
-notv
-shell none
-private-dev
-# private-tmp - problems with multiple browser sessions
-noexec ${HOME}
+# Redirect
-noexec /tmp
+include /etc/firejail/chromium-common.profile
diff --git a/etc/google-chrome-unstable.profile b/etc/google-chrome-unstable.profile
index bb05b3e99..b7d0eccf3 100644
--- a/etc/google-chrome-unstable.profile
+++ b/etc/google-chrome-unstable.profile
@@ -7,30 +7,11 @@ include /etc/firejail/globals.local
 noblacklist ${HOME}/.cache/google-chrome-unstable
 noblacklist ${HOME}/.config/google-chrome-unstable
-noblacklist ${HOME}/.pki
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-programs.inc
 mkdir ${HOME}/.cache/google-chrome-unstable
 mkdir ${HOME}/.config/google-chrome-unstable
-mkdir ${HOME}/.pki
-whitelist ${DOWNLOADS}
 whitelist ${HOME}/.cache/google-chrome-unstable
 whitelist ${HOME}/.config/google-chrome-unstable
-whitelist ${HOME}/.pki
-include /etc/firejail/whitelist-common.inc
-caps.keep sys_chroot,sys_admin
-netfilter
-nodvd
-nogroups
-notv
-shell none
-private-dev
-# private-tmp - problems with multiple browser sessions
-noexec ${HOME}
+# Redirect
-noexec /tmp
+include /etc/firejail/chromium-common.profile
diff --git a/etc/google-chrome.profile b/etc/google-chrome.profile
index 19ebfa974..6e44190ae 100644
--- a/etc/google-chrome.profile
+++ b/etc/google-chrome.profile
@@ -7,32 +7,11 @@ include /etc/firejail/globals.local
 noblacklist ${HOME}/.cache/google-chrome
 noblacklist ${HOME}/.config/google-chrome
-noblacklist ${HOME}/.pki
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-programs.inc
 mkdir ${HOME}/.cache/google-chrome
 mkdir ${HOME}/.config/google-chrome
-mkdir ${HOME}/.pki
-whitelist ${DOWNLOADS}
 whitelist ${HOME}/.cache/google-chrome
 whitelist ${HOME}/.config/google-chrome
-whitelist ${HOME}/.pki
-include /etc/firejail/whitelist-common.inc
-include /etc/firejail/whitelist-var-common.inc
-caps.keep sys_chroot,sys_admin
-netfilter
-nodvd
-nogroups
-notv
-shell none
-disable-mnt
-private-dev
-# private-tmp - problems with multiple browser sessions
-noexec ${HOME}
+# Redirect
-noexec /tmp
+include /etc/firejail/chromium-common.profile
diff --git a/etc/gwenview.profile b/etc/gwenview.profile
index 8ad3ac5f3..58e059087 100644
--- a/etc/gwenview.profile
+++ b/etc/gwenview.profile
@@ -39,7 +39,7 @@ tracelog
 private-bin gwenview,gimp*,kbuildsycoca4,kdeinit4
 private-dev
-# private-etc X11
+private-etc fonts,gimp,gtk-2.0,kde4rc,kde5rc,ld.so.cache,machine-id,xdg
 # memory-deny-write-execute
 noexec ${HOME}
diff --git a/etc/hexchat.profile b/etc/hexchat.profile
index 634ced575..02f8e9eeb 100644
--- a/etc/hexchat.profile
+++ b/etc/hexchat.profile
@@ -6,6 +6,7 @@ include /etc/firejail/hexchat.local
 include /etc/firejail/globals.local
 noblacklist ${HOME}/.config/hexchat
+noblacklist /usr/share/perl*
 # noblacklist /usr/lib/python2*
 # noblacklist /usr/lib/python3*
diff --git a/etc/icecat.profile b/etc/icecat.profile
index 9e5526c95..42e762c21 100644
--- a/etc/icecat.profile
+++ b/etc/icecat.profile
@@ -7,46 +7,14 @@ include /etc/firejail/globals.local
 noblacklist ${HOME}/.cache/mozilla
 noblacklist ${HOME}/.mozilla
-noblacklist ${HOME}/.pki
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-programs.inc
 mkdir ${HOME}/.cache/mozilla/icecat
 mkdir ${HOME}/.mozilla
-whitelist ${DOWNLOADS}
-whitelist ${HOME}/.cache/gnome-mplayer/plugin
 whitelist ${HOME}/.cache/mozilla/icecat
-whitelist ${HOME}/.config/gnome-mplayer
-whitelist ${HOME}/.config/pipelight-silverlight5.1
-whitelist ${HOME}/.config/pipelight-widevine
-whitelist ${HOME}/.keysnail.js
-whitelist ${HOME}/.lastpass
 whitelist ${HOME}/.mozilla
-whitelist ${HOME}/.pentadactyl
-whitelist ${HOME}/.pentadactylrc
-whitelist ${HOME}/.pki
-whitelist ${HOME}/.vimperator
-whitelist ${HOME}/.vimperatorrc
-whitelist ${HOME}/.wine-pipelight
-whitelist ${HOME}/.wine-pipelight64
-whitelist ${HOME}/.zotero
-whitelist ${HOME}/dwhelper
-include /etc/firejail/whitelist-common.inc
-caps.drop all
-netfilter
-nodvd
-nonewprivs
-noroot
-notv
-protocol unix,inet,inet6,netlink
-seccomp
-tracelog
-disable-mnt
+# private-etc must first be enabled in firefox-common.profile
-# private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse
+#private-etc icecat
-noexec ${HOME}
+# Redirect
-noexec /tmp
+include /etc/firejail/firefox-common.profile
diff --git a/etc/iceweasel.profile b/etc/iceweasel.profile
index f6b57dde0..51f15aa1b 100644
--- a/etc/iceweasel.profile
+++ b/etc/iceweasel.profile
@@ -5,6 +5,8 @@ include /etc/firejail/iceweasel.local
 # Persistent global definitions
 include /etc/firejail/globals.local
+# private-etc must first be enabled in firefox-common.profile
+#private-etc iceweasel
 # Redirect
 include /etc/firejail/firefox.profile
diff --git a/etc/inox.profile b/etc/inox.profile
index fbc654434..652761c54 100644
--- a/etc/inox.profile
+++ b/etc/inox.profile
@@ -7,30 +7,11 @@ include /etc/firejail/globals.local
 noblacklist ${HOME}/.cache/inox
 noblacklist ${HOME}/.config/inox
-noblacklist ${HOME}/.pki
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
 mkdir ${HOME}/.cache/inox
 mkdir ${HOME}/.config/inox
-mkdir ${HOME}/.pki
-whitelist ${DOWNLOADS}
 whitelist ${HOME}/.cache/inox
 whitelist ${HOME}/.config/inox
-whitelist ${HOME}/.pki
-include /etc/firejail/whitelist-common.inc
-include /etc/firejail/whitelist-var-common.inc
-caps.keep sys_chroot,sys_admin
-netfilter
-nodvd
-nogroups
-notv
-shell none
-private-dev
-# private-tmp - problems with multiple browser sessions
-noexec ${HOME}
+# Redirect
-noexec /tmp
+include /etc/firejail/chromium-common.profile
diff --git a/etc/iridium.profile b/etc/iridium.profile
index 76026722f..2869c3070 100644
--- a/etc/iridium.profile
+++ b/etc/iridium.profile
@@ -8,30 +8,10 @@ include /etc/firejail/globals.local
 noblacklist ${HOME}/.cache/iridium
 noblacklist ${HOME}/.config/iridium
-include /etc/firejail/disable-common.inc
-# chromium/iridium is distributed with a perl script on Arch
-# include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-programs.inc
 mkdir ${HOME}/.cache/iridium
 mkdir ${HOME}/.config/iridium
-mkdir ${HOME}/.pki
-whitelist ${DOWNLOADS}
 whitelist ${HOME}/.cache/iridium
 whitelist ${HOME}/.config/iridium
-whitelist ${HOME}/.pki
-include /etc/firejail/whitelist-common.inc
-include /etc/firejail/whitelist-var-common.inc
-caps.keep sys_chroot,sys_admin
-netfilter
-nodvd
-nogroups
-notv
-shell none
-private-dev
-# private-tmp - problems with multiple browser sessions
-noexec ${HOME}
+# Redirect
-noexec /tmp
+include /etc/firejail/chromium-common.profile
diff --git a/etc/kaffeine.profile b/etc/kaffeine.profile
new file mode 100644
index 000000000..07280ab6d
--- /dev/null
+++ b/etc/kaffeine.profile
@@ -0,0 +1,37 @@
+# Firejail profile for kaffeine
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/kaffeine.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+noblacklist ${HOME}/.config/kaffeinerc
+noblacklist ${HOME}/.kde/share/apps/kaffeine
+noblacklist ${HOME}/.kde/share/config/kaffeinerc
+noblacklist ${HOME}/.kde4/share/apps/kaffeine
+noblacklist ${HOME}/.kde4/share/config/kaffeinerc
+noblacklist ${HOME}/.local/share/kaffeine
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/whitelist-var-common.inc
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+# private-bin kaffeine
+private-dev
+private-tmp
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/kdenlive.profile b/etc/kdenlive.profile
index 871706b02..b6d48356d 100644
--- a/etc/kdenlive.profile
+++ b/etc/kdenlive.profile
@@ -6,6 +6,9 @@ include /etc/firejail/kdenlive.local
 include /etc/firejail/globals.local
 # blacklist /run/user/*/bus
+noblacklist ${HOME}/.cache/kdenlive
+noblacklist ${HOME}/.config/kdenliverc
+noblacklist ${HOME}/.local/share/kdenlive
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
@@ -25,7 +28,7 @@ shell none
 private-bin kdenlive,kdenlive_render,dbus-launch,melt,ffmpeg,ffplay,ffprobe,dvdauthor,genisoimage,vlc,xine,kdeinit5,kshell5,kdeinit5_shutdown,kdeinit5_wrapper,kdeinit4,kshell4,kdeinit4_shutdown,kdeinit4_wrapper
 private-dev
-# private-etc fonts,alternatives,X11,pulse,passwd
+# private-etc alternatives,fonts,kde4rc,kde5rc,ld.so.cache,machine-id,passwd,xdg,X11
 # noexec ${HOME}
 noexec /tmp
diff --git a/etc/kget.profile b/etc/kget.profile
index 25c66e044..c4e073c2b 100644
--- a/etc/kget.profile
+++ b/etc/kget.profile
@@ -5,10 +5,12 @@ include /etc/firejail/kget.local
 # Persistent global definitions
 include /etc/firejail/globals.local
+noblacklist ${HOME}/.config/kgetrc
 noblacklist ${HOME}/.kde/share/apps/kget
 noblacklist ${HOME}/.kde/share/config/kgetrc
 noblacklist ${HOME}/.kde4/share/apps/kget
 noblacklist ${HOME}/.kde4/share/config/kgetrc
+noblacklist ${HOME}/.local/share/kget
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
diff --git a/etc/kmail.profile b/etc/kmail.profile
index 7aad57987..ca774f4ec 100644
--- a/etc/kmail.profile
+++ b/etc/kmail.profile
@@ -25,6 +25,8 @@ protocol unix,inet,inet6,netlink
 # blacklisting of chroot system calls breaks kmail
 seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
 # tracelog
+# writable-run-user is needed for signing and encrypting emails
+writable-run-user
 private-dev
-# private-tmp
+# private-tmp - breaks akonadi and opening of email attachments
diff --git a/etc/krita.profile b/etc/krita.profile
index 0d2b62c5d..c621e2c72 100644
--- a/etc/krita.profile
+++ b/etc/krita.profile
@@ -7,6 +7,7 @@ include /etc/firejail/globals.local
 # blacklist /run/user/*/bus
 noblacklist ${HOME}/.config/kritarc
+noblacklist ${HOME}/.local/share/krita
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
diff --git a/etc/krunner.profile b/etc/krunner.profile
index 606b67677..1e97f4290 100644
--- a/etc/krunner.profile
+++ b/etc/krunner.profile
@@ -5,12 +5,15 @@ include /etc/firejail/krunner.local
 # Persistent global definitions
 include /etc/firejail/globals.local
-# start a program in krunner: program will run with this generic profile
+# - programs started in krunner run with this generic profile.
-# open a file in krunner: file viewer will run with its own profile (if firejailed automatically)
+# - when a file is opened in krunner, the file viewer runs in its own sandbox
+#   with its own profile, if it is sandboxed automatically.
+# noblacklist ${HOME}/.cache/krunner
 noblacklist ${HOME}/.config/krunnerrc
 noblacklist ${HOME}/.kde/share/config/krunnerrc
 noblacklist ${HOME}/.kde4/share/config/krunnerrc
+# noblacklist ${HOME}/.local/share/baloo
 include /etc/firejail/disable-common.inc
 # include /etc/firejail/disable-devel.inc
@@ -21,6 +24,7 @@ include /etc/firejail/whitelist-var-common.inc
 caps.drop all
 netfilter
+nogroups
 nonewprivs
 noroot
 protocol unix,inet,inet6
diff --git a/etc/kwin_x11.profile b/etc/kwin_x11.profile
index 91bb62efc..534e7cd51 100644
--- a/etc/kwin_x11.profile
+++ b/etc/kwin_x11.profile
@@ -5,6 +5,7 @@ include /etc/firejail/kwin_x11.local
 # Persistent global definitions
 include /etc/firejail/globals.local
+noblacklist ${HOME}/.cache/kwin
 noblacklist ${HOME}/.config/kwinrc
 noblacklist ${HOME}/.config/kwinrulesrc
 noblacklist ${HOME}/.local/share/kwin
@@ -33,7 +34,7 @@ tracelog
 disable-mnt
 private-bin kwin_x11
 private-dev
-private-etc drirc,fonts,ld.so.cache,machine-id,xdg
+private-etc drirc,fonts,kde5rc,ld.so.cache,machine-id,xdg
 private-tmp
 noexec ${HOME}
diff --git a/etc/libreoffice.profile b/etc/libreoffice.profile
index 3548a75ad..220e0f02c 100644
--- a/etc/libreoffice.profile
+++ b/etc/libreoffice.profile
@@ -34,3 +34,5 @@ private-tmp
 noexec ${HOME}
 noexec /tmp
+join-or-start libreoffice
diff --git a/etc/okular.profile b/etc/okular.profile
index 31b773852..d98d4792f 100644
--- a/etc/okular.profile
+++ b/etc/okular.profile
@@ -7,6 +7,7 @@ include /etc/firejail/globals.local
 # blacklist /run/user/*/bus
+noblacklist ${HOME}/.cache/okular
 noblacklist ${HOME}/.config/okularpartrc
 noblacklist ${HOME}/.config/okularrc
 noblacklist ${HOME}/.kde/share/apps/okular
@@ -42,7 +43,7 @@ tracelog
 private-bin okular,kbuildsycoca4,kdeinit4,lpr
 private-dev
-private-etc alternatives,cups,fonts,ld.so.cache,machine-id
+private-etc alternatives,cups,fonts,kde4rc,kde5rc,ld.so.cache,machine-id,xdg
 # private-tmp - on KDE we need access to the real /tmp for data exchange with email clients
 # memory-deny-write-execute
diff --git a/etc/opera-beta.profile b/etc/opera-beta.profile
index 3fe86d26c..38a3152d2 100644
--- a/etc/opera-beta.profile
+++ b/etc/opera-beta.profile
@@ -5,24 +5,13 @@ include /etc/firejail/opera-beta.local
 # Persistent global definitions
 include /etc/firejail/globals.local
+noblacklist ${HOME}/.cache/opera
 noblacklist ${HOME}/.config/opera-beta
-noblacklist ${HOME}/.pki
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-programs.inc
 mkdir ${HOME}/.cache/opera
 mkdir ${HOME}/.config/opera-beta
-mkdir ${HOME}/.pki
-whitelist ${DOWNLOADS}
 whitelist ${HOME}/.cache/opera
 whitelist ${HOME}/.config/opera-beta
-whitelist ${HOME}/.pki
-include /etc/firejail/whitelist-common.inc
-netfilter
-nodvd
-notv
-disable-mnt
+# Redirect
+include /etc/firejail/chromium-common.profile
diff --git a/etc/opera.profile b/etc/opera.profile
index fed7564b2..c0138c555 100644
--- a/etc/opera.profile
+++ b/etc/opera.profile
@@ -8,25 +8,13 @@ include /etc/firejail/globals.local
 noblacklist ${HOME}/.cache/opera
 noblacklist ${HOME}/.config/opera
 noblacklist ${HOME}/.opera
-noblacklist ${HOME}/.pki
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-programs.inc
 mkdir ${HOME}/.cache/opera
 mkdir ${HOME}/.config/opera
 mkdir ${HOME}/.opera
-mkdir ${HOME}/.pki
-whitelist ${DOWNLOADS}
 whitelist ${HOME}/.cache/opera
 whitelist ${HOME}/.config/opera
 whitelist ${HOME}/.opera
-whitelist ${HOME}/.pki
-include /etc/firejail/whitelist-common.inc
-netfilter
-nodvd
-notv
-disable-mnt
+# Redirect
+include /etc/firejail/chromium-common.profile
diff --git a/etc/palemoon.profile b/etc/palemoon.profile
index 1112a9bb7..ff7087e55 100644
--- a/etc/palemoon.profile
+++ b/etc/palemoon.profile
@@ -8,53 +8,15 @@ include /etc/firejail/globals.local
 noblacklist ${HOME}/.cache/moonchild productions/pale moon
 noblacklist ${HOME}/.moonchild productions/pale moon
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-programs.inc
-# These are uncommented in the Firefox profile. If you run into trouble you may
-# want to uncomment (some of) them.
-#whitelist ${HOME}/dwhelper
-#whitelist ${HOME}/.zotero
-#whitelist ${HOME}/.vimperatorrc
-#whitelist ${HOME}/.vimperator
-#whitelist ${HOME}/.pentadactylrc
-#whitelist ${HOME}/.pentadactyl
-#whitelist ${HOME}/.keysnail.js
-#whitelist ${HOME}/.config/gnome-mplayer
-#whitelist ${HOME}/.cache/gnome-mplayer/plugin
-#whitelist ${HOME}/.pki
-#whitelist ${HOME}/.lastpass
-# For silverlight
-#whitelist ${HOME}/.wine-pipelight
-#whitelist ${HOME}/.wine-pipelight64
-#whitelist ${HOME}/.config/pipelight-widevine
-#whitelist ${HOME}/.config/pipelight-silverlight5.1
 mkdir ${HOME}/.cache/moonchild productions/pale moon
 mkdir ${HOME}/.moonchild productions
-whitelist ${DOWNLOADS}
 whitelist ${HOME}/.cache/moonchild productions/pale moon
 whitelist ${HOME}/.moonchild productions
-include /etc/firejail/whitelist-common.inc
-caps.drop all
-netfilter
-nodvd
-nogroups
-nonewprivs
-noroot
-notv
-protocol unix,inet,inet6,netlink
-seccomp
-shell none
-tracelog
-# private-bin palemoon
+#private-bin palemoon
-# private-dev (disabled for now as it will interfere with webcam use in palemoon)
+# private-etc must first be enabled in firefox-common.profile
-# private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse
+#private-etc palemoon
-# private-opt palemoon
+#private-opt palemoon
-private-tmp
-disable-mnt
+# Redirect
+include /etc/firejail/firefox-common.profile
diff --git a/etc/pdfchain.profile b/etc/pdfchain.profile
new file mode 100755
index 000000000..d43c0911e
--- /dev/null
+++ b/etc/pdfchain.profile
@@ -0,0 +1,39 @@
+# Firejail profile for pdfchain
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/pdfchain.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+blacklist /run/user/*/bus
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/whitelist-var-common.inc
+caps.drop all
+ipc-namespace
+net none
+no3d
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix
+seccomp
+shell none
+private-bin pdfchain,pdftk,sh
+private-dev
+private-etc dconf,fonts,gtk-3.0,xdg
+private-tmp
+memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/qbittorrent.profile b/etc/qbittorrent.profile
index a01b1e9a8..da870ab76 100644
--- a/etc/qbittorrent.profile
+++ b/etc/qbittorrent.profile
@@ -8,6 +8,7 @@ include /etc/firejail/globals.local
 noblacklist ${HOME}/.cache/qBittorrent
 noblacklist ${HOME}/.config/qBittorrent
 noblacklist ${HOME}/.config/qBittorrentrc
+noblacklist ${HOME}/.local/share/data/qBittorrent
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
diff --git a/etc/qtox.profile b/etc/qtox.profile
index a8d980a18..648282db4 100644
--- a/etc/qtox.profile
+++ b/etc/qtox.profile
@@ -33,7 +33,7 @@ tracelog
 disable-mnt
 private-bin qtox
-private-etc fonts,resolv.conf,ld.so.cache
+private-etc fonts,resolv.conf,ld.so.cache,localtime
 private-dev
 private-tmp
diff --git a/etc/remmina.profile b/etc/remmina.profile
index 3bb6aa0b1..cc209b84a 100644
--- a/etc/remmina.profile
+++ b/etc/remmina.profile
@@ -5,6 +5,7 @@ include /etc/firejail/remmina.local
 # Persistent global definitions
 include /etc/firejail/globals.local
+noblacklist ${HOME}/.remmina
 noblacklist ${HOME}/.config/remmina
 noblacklist ${HOME}/.local/share/remmina
 noblacklist ${HOME}/.ssh
@@ -23,6 +24,7 @@ notv
 novideo
 protocol unix,inet,inet6
 seccomp
+# seccomp.keep access,arch_prctl,brk,chmod,clock_getres,clock_gettime,clone,close,connect,dup3,eventfd2,execve,fadvise64,fallocate,fcntl,flock,fstat,fstatfs,fsync,ftruncate,futex,getdents,getegid,geteuid,getgid,getpeername,getpid,getrandom,getresgid,getresuid,getsockname,getsockopt,gettid,getuid,inotify_add_watch,inotify_init1,inotify_rm_watch,ioctl,lseek,lstat,madvise,memfd_create,mmap,mprotect,mremap,munmap,nanosleep,open,openat,pipe,pipe2,poll,prctl,prlimit64,pwrite64,read,readlink,recvfrom,recvmsg,rename,rt_sigaction,rt_sigprocmask,sendmmsg,sendmsg,sendto,set_robust_list,setsockopt,set_tid_address,shmat,shmctl,shmdt,shmget,shutdown,socket,stat,statfs,sysinfo,tgkill,uname,utimensat,write,writev
 shell none
 private-dev
diff --git a/etc/scribus.profile b/etc/scribus.profile
index 001b91387..8ce63fbf0 100644
--- a/etc/scribus.profile
+++ b/etc/scribus.profile
@@ -8,6 +8,7 @@ include /etc/firejail/globals.local
 blacklist /run/user/*/bus
 # Support for PDF readers comes with Scribus 1.5 and higher
+noblacklist ${HOME}/.cache/okular
 noblacklist ${HOME}/.config/okularpartrc
 noblacklist ${HOME}/.config/okularrc
 noblacklist ${HOME}/.config/scribus
diff --git a/etc/soundconverter.profile b/etc/soundconverter.profile
index c27fb3819..1f64567ef 100644
--- a/etc/soundconverter.profile
+++ b/etc/soundconverter.profile
@@ -5,8 +5,6 @@ include /etc/firejail/soundconverter.local
 # Persistent global definitions
 include /etc/firejail/globals.local
-blacklist /run/user/*/bus
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
diff --git a/etc/spotify.profile b/etc/spotify.profile
index 736bd3520..fcd0ab92e 100644
--- a/etc/spotify.profile
+++ b/etc/spotify.profile
@@ -42,7 +42,7 @@ shell none
 tracelog
 disable-mnt
-private-bin spotify,bash,sh
+private-bin spotify,bash,sh,zenity
 private-dev
 private-etc fonts,machine-id,pulse,resolv.conf
 private-opt spotify
diff --git a/etc/thunderbird.profile b/etc/thunderbird.profile
index 226781332..6045d6d17 100644
--- a/etc/thunderbird.profile
+++ b/etc/thunderbird.profile
@@ -21,14 +21,14 @@ whitelist ${HOME}/.cache/thunderbird
 whitelist ${HOME}/.gnupg
 # whitelist ${HOME}/.icedove
 whitelist ${HOME}/.thunderbird
-include /etc/firejail/whitelist-common.inc
-include /etc/firejail/whitelist-var-common.inc
 # We need the real /tmp for data exchange when xdg-open handles email attachments on KDE
 ignore private-tmp
-# machine-id breaks pulse audio; it should work fine in setups where sound is not required
+# machine-id breaks audio in browsers; enable it when sound is not required
-#machine-id
+# machine-id
 read-only ${HOME}/.config/mimeapps.list
+# writable-run-user is needed for signing and encrypting emails
+writable-run-user
 # allow browsers
 # Redirect
diff --git a/etc/tilp.profile b/etc/tilp.profile
new file mode 100644
index 000000000..a6165fbfe
--- /dev/null
+++ b/etc/tilp.profile
@@ -0,0 +1,34 @@
+# Firejail profile for tilp
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/tilp.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+noblacklist ${HOME}/.tilp
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+caps.drop all
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+novideo
+protocol unix,netlink
+seccomp
+shell none
+tracelog
+disable-mnt
+private-bin tilp
+private-etc fonts
+private-tmp
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/torbrowser-launcher.profile b/etc/torbrowser-launcher.profile
index e97ce6740..02ef57cce 100644
--- a/etc/torbrowser-launcher.profile
+++ b/etc/torbrowser-launcher.profile
@@ -13,6 +13,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
+mkdir ${HOME}/.config/torbrowser
+mkdir ${HOME}/.local/share/torbrowser
 whitelist ${HOME}/.config/torbrowser
 whitelist ${HOME}/.local/share/torbrowser
 include /etc/firejail/whitelist-common.inc
diff --git a/etc/unbound.profile b/etc/unbound.profile
index c03a25752..233e7464f 100644
--- a/etc/unbound.profile
+++ b/etc/unbound.profile
@@ -15,6 +15,9 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
+whitelist /var/lib/unbound
+whitelist /var/run
 caps.keep net_bind_service,setgid,setuid,sys_chroot,sys_resource
 no3d
 nodvd
@@ -23,6 +26,7 @@ nosound
 notv
 novideo
 seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,open_by_handle_at,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,perf_event_open
+writable-var
 disable-mnt
 private
diff --git a/etc/vivaldi.profile b/etc/vivaldi.profile
index 3a1f72f23..aeef58292 100644
--- a/etc/vivaldi.profile
+++ b/etc/vivaldi.profile
@@ -8,28 +8,10 @@ include /etc/firejail/globals.local
 noblacklist ${HOME}/.cache/vivaldi
 noblacklist ${HOME}/.config/vivaldi
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-programs.inc
 mkdir ${HOME}/.cache/vivaldi
 mkdir ${HOME}/.config/vivaldi
-whitelist ${DOWNLOADS}
 whitelist ${HOME}/.cache/vivaldi
 whitelist ${HOME}/.config/vivaldi
-include /etc/firejail/whitelist-common.inc
-include /etc/firejail/whitelist-var-common.inc
-caps.keep sys_chroot,sys_admin
-netfilter
-nodvd
-nogroups
-notv
-shell none
-disable-mnt
-private-dev
-# private-tmp - problems with multiple browser sessions
-noexec ${HOME}
+# Redirect
-noexec /tmp
+include /etc/firejail/chromium-common.profile
diff --git a/etc/waterfox.profile b/etc/waterfox.profile
index b2abb3a5f..fdd299bbf 100644
--- a/etc/waterfox.profile
+++ b/etc/waterfox.profile
@@ -7,83 +7,22 @@ include /etc/firejail/globals.local
 noblacklist ${HOME}/.cache/mozilla
 noblacklist ${HOME}/.cache/waterfox
-noblacklist ${HOME}/.config/okularpartrc
-noblacklist ${HOME}/.config/okularrc
-noblacklist ${HOME}/.config/qpdfview
-noblacklist ${HOME}/.kde/share/apps/okular
-noblacklist ${HOME}/.kde/share/config/okularpartrc
-noblacklist ${HOME}/.kde/share/config/okularrc
-noblacklist ${HOME}/.kde4/share/apps/okular
-noblacklist ${HOME}/.kde4/share/config/okularpartrc
-noblacklist ${HOME}/.kde4/share/config/okularrc
-# noblacklist ${HOME}/.local/share/gnome-shell/extensions
-noblacklist ${HOME}/.local/share/okular
-noblacklist ${HOME}/.local/share/qpdfview
 noblacklist ${HOME}/.mozilla
 noblacklist ${HOME}/.waterfox
-noblacklist ${HOME}/.pki
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-programs.inc
 mkdir ${HOME}/.cache/mozilla/firefox
 mkdir ${HOME}/.mozilla
 mkdir ${HOME}/.cache/waterfox
 mkdir ${HOME}/.waterfox
-mkdir ${HOME}/.pki
-whitelist ${DOWNLOADS}
-whitelist ${HOME}/.cache/gnome-mplayer/plugin
 whitelist ${HOME}/.cache/mozilla/firefox
 whitelist ${HOME}/.cache/waterfox
-whitelist ${HOME}/.config/gnome-mplayer
-whitelist ${HOME}/.config/okularpartrc
-whitelist ${HOME}/.config/okularrc
-whitelist ${HOME}/.config/pipelight-silverlight5.1
-whitelist ${HOME}/.config/pipelight-widevine
-whitelist ${HOME}/.config/qpdfview
-whitelist ${HOME}/.kde/share/apps/okular
-whitelist ${HOME}/.kde/share/config/okularpartrc
-whitelist ${HOME}/.kde/share/config/okularrc
-whitelist ${HOME}/.kde4/share/apps/okular
-whitelist ${HOME}/.kde4/share/config/okularpartrc
-whitelist ${HOME}/.kde4/share/config/okularrc
-whitelist ${HOME}/.keysnail.js
-whitelist ${HOME}/.lastpass
-whitelist ${HOME}/.local/share/gnome-shell/extensions
-whitelist ${HOME}/.local/share/okular
-whitelist ${HOME}/.local/share/qpdfview
 whitelist ${HOME}/.mozilla
 whitelist ${HOME}/.waterfox
-whitelist ${HOME}/.pentadactyl
-whitelist ${HOME}/.pentadactylrc
-whitelist ${HOME}/.pki
-whitelist ${HOME}/.vimperator
-whitelist ${HOME}/.vimperatorrc
-whitelist ${HOME}/.wine-pipelight
-whitelist ${HOME}/.wine-pipelight64
-whitelist ${HOME}/.zotero
-whitelist ${HOME}/dwhelper
-include /etc/firejail/whitelist-common.inc
-include /etc/firejail/whitelist-var-common.inc
-caps.drop all
-netfilter
-nodvd
-nogroups
-nonewprivs
-noroot
-notv
-protocol unix,inet,inet6,netlink
-seccomp
-shell none
-tracelog
 # waterfox requires a shell to launch on Arch. We can possibly remove sh though.
-# private-bin waterfox,which,sh,dbus-launch,dbus-send,env,bash
+#private-bin waterfox,which,sh,dbus-launch,dbus-send,env,bash
-private-dev
+# private-etc must first be enabled in firefox-common.profile
-# private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,waterfox,mime.types,mailcap,asound.conf,pulse
+#private-etc waterfox
-private-tmp
-noexec ${HOME}
+# Redirect
-noexec /tmp
+include /etc/firejail/firefox-common.profile
diff --git a/etc/whitelist-common.inc b/etc/whitelist-common.inc
index 3beb11bfb..c664d5a53 100644
--- a/etc/whitelist-common.inc
+++ b/etc/whitelist-common.inc
@@ -55,14 +55,20 @@ whitelist ${HOME}/.config/dconf
 whitelist ${HOME}/.config/Kvantum
 whitelist ${HOME}/.config/Trolltech.conf
 whitelist ${HOME}/.config/kdeglobals
+whitelist ${HOME}/.config/kio_httprc
 whitelist ${HOME}/.config/kioslaverc
+whitelist ${HOME}/.config/ksslcablacklist
 whitelist ${HOME}/.config/qt5ct
 whitelist ${HOME}/.kde/share/config/kdeglobals
+whitelist ${HOME}/.kde/share/config/kio_httprc
 whitelist ${HOME}/.kde/share/config/kioslaverc
+whitelist ${HOME}/.kde/share/config/ksslcablacklist
 whitelist ${HOME}/.kde/share/config/oxygenrc
 whitelist ${HOME}/.kde/share/icons
 whitelist ${HOME}/.kde4/share/config/kdeglobals
+whitelist ${HOME}/.kde4/share/config/kio_httprc
 whitelist ${HOME}/.kde4/share/config/kioslaverc
+whitelist ${HOME}/.kde4/share/config/ksslcablacklist
 whitelist ${HOME}/.kde4/share/config/oxygenrc
 whitelist ${HOME}/.kde4/share/icons
 whitelist ${HOME}/.local/share/qt5ct
diff --git a/etc/yandex-browser.profile b/etc/yandex-browser.profile
index 1c7769727..fdb7694a5 100644
--- a/etc/yandex-browser.profile
+++ b/etc/yandex-browser.profile
@@ -9,35 +9,15 @@ noblacklist ${HOME}/.cache/yandex-browser
 noblacklist ${HOME}/.cache/yandex-browser-beta
 noblacklist ${HOME}/.config/yandex-browser
 noblacklist ${HOME}/.config/yandex-browser-beta
-noblacklist ${HOME}/.pki
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-programs.inc
 mkdir ${HOME}/.cache/yandex-browser
 mkdir ${HOME}/.cache/yandex-browser-beta
 mkdir ${HOME}/.config/yandex-browser
 mkdir ${HOME}/.config/yandex-browser-beta
-mkdir ${HOME}/.pki
-whitelist ${DOWNLOADS}
 whitelist ${HOME}/.cache/yandex-browser
 whitelist ${HOME}/.cache/yandex-browser-beta
 whitelist ${HOME}/.config/yandex-browser
 whitelist ${HOME}/.config/yandex-browser-beta
-whitelist ${HOME}/.pki
-include /etc/firejail/whitelist-common.inc
-caps.keep sys_chroot,sys_admin
-netfilter
-nodvd
-nogroups
-notv
-shell none
-disable-mnt
-private-dev
-# private-tmp - problems with multiple browser sessions
-noexec ${HOME}
+# Redirect
-noexec /tmp
+include /etc/firejail/chromium-common.profile
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index e9e1db287..9bd60171b 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -185,6 +185,7 @@ iridium-browser
 jd-gui
 jitsi
 k3b
+kaffeine
 karbon
 kate
 kcalc
@@ -265,6 +266,7 @@ opera-beta
 orage
 palemoon
 parole
+pdfchain
 pdfmod
 pdfsam
 pdftotext
@@ -336,6 +338,7 @@ telegram
 telegram-desktop
 terasology
 thunderbird
+tilp
 tor-browser-ar
 tor-browser-en
 tor-browser-en-us
diff --git a/src/firejail/appimage.c b/src/firejail/appimage.c
index 7436b7755..631276c0b 100644
--- a/src/firejail/appimage.c
+++ b/src/firejail/appimage.c
@@ -109,10 +109,12 @@ void appimage_set(const char *appimage) {
        EUID_ROOT();
        if (size == 0) {
+                fmessage("Mounting appimage type 1\n");
                if (mount(devloop, mntdir, "iso9660",MS_MGC_VAL|MS_RDONLY,  mode) < 0)
                        errExit("mounting appimage");
        }
        else {
+                fmessage("Mounting appimage type 2\n");
                if (mount(devloop, mntdir, "squashfs",MS_MGC_VAL|MS_RDONLY,  mode) < 0)
                        errExit("mounting appimage");
        }
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 97e740e6b..e8dc390d4 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -513,7 +513,7 @@ const char *gnu_basename(const char *path);
 uid_t pid_get_uid(pid_t pid);
 void invalid_filename(const char *fname, int globbing);
 uid_t get_group_id(const char *group);
-int remove_directory(const char *path);
+int remove_overlay_directory(void);
 void flush_stdin(void);
 void create_empty_dir_as_root(const char *dir, mode_t mode);
 void create_empty_file_as_root(const char *dir, mode_t mode);
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index ab2958593..25b52f5ce 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -725,7 +725,7 @@ char *fs_check_overlay_dir(const char *subdirname, int allow_reuse) {
                errExit("asprintf");
        if (is_link(dirname)) {
-                fprintf(stderr, "Error: invalid ~/.firejail directory\n");
+                fprintf(stderr, "Error: ~/.firejail directory is a symbolic link\n");
                exit(1);
        }
        if (stat(dirname, &s) == -1) {
@@ -753,7 +753,7 @@ char *fs_check_overlay_dir(const char *subdirname, int allow_reuse) {
                }
        }
        else if (s.st_uid != getuid()) {
-                fprintf(stderr, "Error: invalid ~/.firejail directory\n");
+                fprintf(stderr, "Error: ~/.firejail directory is not owned by the current user\n");
                exit(1);
        }
        free(dirname);
@@ -837,6 +837,7 @@ void fs_overlayfs(void) {
        if (arg_overlay_keep) {
                // set base for working and diff directories
                basedir = cfg.overlay_dir;
+                assert(basedir);
                // does the overlay exist?
                if (stat(basedir, &s) == 0) {
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 00e3729d0..7543c5f4b 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -314,16 +314,10 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
 #ifdef HAVE_OVERLAYFS
        else if (strcmp(argv[i], "--overlay-clean") == 0) {
                if (checkcfg(CFG_OVERLAYFS)) {
-                        char *path;
+                        if (remove_overlay_directory()) {
-                        if (asprintf(&path, "%s/.firejail", cfg.homedir) == -1)
+                                fprintf(stderr, "Error: cannot remove overlay directory\n");
-                                errExit("asprintf");
+                                exit(1);
-                        EUID_ROOT();
+                        }
-                        if (setreuid(0, 0) < 0 ||
-                            setregid(0, 0) < 0)
-                                errExit("setreuid/setregid");
-                        errno = 0;
-                        if (remove_directory(path))
-                                errExit("remove_directory");
                }
                else
                        exit_err_feature("overlayfs");
@@ -1429,6 +1423,11 @@ int main(int argc, char **argv) {
 #ifdef HAVE_OVERLAYFS
                else if (strcmp(argv[i], "--overlay") == 0) {
                        if (checkcfg(CFG_OVERLAYFS)) {
+                                if (arg_overlay) {
+                                        fprintf(stderr, "Error: only one overlay command is allowed\n");
+                                        exit(1);
+                                }
                                if (cfg.chrootdir) {
                                        fprintf(stderr, "Error: --overlay and --chroot options are mutually exclusive\n");
                                        exit(1);
@@ -1453,6 +1452,10 @@ int main(int argc, char **argv) {
                }
                else if (strncmp(argv[i], "--overlay-named=", 16) == 0) {
                        if (checkcfg(CFG_OVERLAYFS)) {
+                                if (arg_overlay) {
+                                        fprintf(stderr, "Error: only one overlay command is allowed\n");
+                                        exit(1);
+                                }
                                if (cfg.chrootdir) {
                                        fprintf(stderr, "Error: --overlay and --chroot options are mutually exclusive\n");
                                        exit(1);
@@ -1485,6 +1488,10 @@ int main(int argc, char **argv) {
                }
                else if (strcmp(argv[i], "--overlay-tmpfs") == 0) {
                        if (checkcfg(CFG_OVERLAYFS)) {
+                                if (arg_overlay) {
+                                        fprintf(stderr, "Error: only one overlay command is allowed\n");
+                                        exit(1);
+                                }
                                if (cfg.chrootdir) {
                                        fprintf(stderr, "Error: --overlay and --chroot options are mutually exclusive\n");
                                        exit(1);
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index d0c43d13e..77308b7ac 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -920,6 +920,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 #ifdef HAVE_OVERLAYFS
        if (strncmp(ptr, "overlay-named ", 14) == 0) {
                if (checkcfg(CFG_OVERLAYFS)) {
+                        if (arg_overlay) {
+                                fprintf(stderr, "Error: only one overlay command is allowed\n");
+                                exit(1);
+                        }
                        if (cfg.chrootdir) {
                                fprintf(stderr, "Error: --overlay and --chroot options are mutually exclusive\n");
                                exit(1);
@@ -951,6 +955,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                return 0;
        } else if (strcmp(ptr, "overlay-tmpfs") == 0) {
                if (checkcfg(CFG_OVERLAYFS)) {
+                        if (arg_overlay) {
+                                fprintf(stderr, "Error: only one overlay command is allowed\n");
+                                exit(1);
+                        }
                        if (cfg.chrootdir) {
                                fprintf(stderr, "Error: --overlay and --chroot options are mutually exclusive\n");
                                exit(1);
@@ -966,6 +974,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                }
        } else if (strcmp(ptr, "overlay") == 0) {
                if (checkcfg(CFG_OVERLAYFS)) {
+                        if (arg_overlay) {
+                                fprintf(stderr, "Error: only one overlay command is allowed\n");
+                                exit(1);
+                        }
                        if (cfg.chrootdir) {
                                fprintf(stderr, "Error: --overlay and --chroot options are mutually exclusive\n");
                                exit(1);
diff --git a/src/firejail/util.c b/src/firejail/util.c
index 5a9f3a6e0..0adca5e33 100644
--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -800,21 +800,55 @@ uid_t get_group_id(const char *group) {
        return gid;
 }
+static int len_homedir = 0;
 static int remove_callback(const char *fpath, const struct stat *sb, int typeflag, struct FTW *ftwbuf) {
        (void) sb;
        (void) typeflag;
        (void) ftwbuf;
+        assert(fpath);
-        int rv = remove(fpath);
+        if (len_homedir == 0)
-        if (rv)
+                len_homedir = strlen(cfg.homedir);
-                perror(fpath);
-        return rv;
+        char *rp = realpath(fpath, NULL);       // this should never fail!
+        if (!rp)
+                return 1;
+        if (strncmp(rp, cfg.homedir, len_homedir) != 0)
+                return 1;
+        free(rp);
+        if (remove(fpath)) {    // removes the link not the actual file
+                fprintf(stderr, "Error: cannot remove file %s\n", fpath);
+                exit(1);
+        }
+        return 0;
 }
-int remove_directory(const char *path) {
+int remove_overlay_directory(void) {
+        sleep(1);
+        char *path;
+        if (asprintf(&path, "%s/.firejail", cfg.homedir) == -1)
+                errExit("asprintf");
+        // deal with obvious problems such as symlinks and root ownership
+        if (is_link(path)) {
+                fprintf(stderr, "Error: cannot follow symbolic link\n");
+                exit(1);
+        }
+        if (access(path, R_OK | W_OK | X_OK) == -1) {
+                fprintf(stderr, "Error: cannot access ~/.firejail directory\n");
+                exit(1);
+        }
+        EUID_ROOT();
+        if (setreuid(0, 0) < 0 ||
+            setregid(0, 0) < 0)
+                errExit("setreuid/setregid");
+        errno = 0;
        // FTW_PHYS - do not follow symbolic links
        return nftw(path, remove_callback, 64, FTW_DEPTH | FTW_PHYS);
 }