21 files changed, 467 insertions, 29 deletions

diff --git a/etc/profile-a-l/balsa.profile b/etc/profile-a-l/balsa.profile
new file mode 100644
index 000000000..a401ac592
--- /dev/null
+++ b/etc/profile-a-l/balsa.profile
@@ -0,0 +1,78 @@
+# Firejail profile for balsa
+# Description: GNOME mail client
+# This file is overwritten after every install/update
+# Persistent local customizations
+include balsa.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.balsa
+noblacklist ${HOME}/.gnupg
+noblacklist ${HOME}/.mozilla
+noblacklist ${HOME}/mail
+noblacklist /var/mail
+noblacklist /var/spool/mail
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.balsa
+mkdir ${HOME}/.gnupg
+mkdir ${HOME}/mail
+whitelist ${HOME}/.balsa
+whitelist ${HOME}/.gnupg
+whitelist ${HOME}/.mozilla/firefox/profiles.ini
+whitelist ${HOME}/mail
+whitelist ${RUNUSER}/gnupg
+whitelist /usr/share/balsa
+whitelist /usr/share/gnupg
+whitelist /usr/share/gnupg2
+whitelist /var/mail
+whitelist /var/spool/mail
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+# disable-mnt
+# Add "gpg,gpg2,gpg-agent,pinentry-curses,pinentry-emacs,pinentry-fltk,pinentry-gnome3,pinentry-gtk,pinentry-gtk2,pinentry-gtk-2,pinentry-qt,pinentry-qt4,pinentry-tty,pinentry-x2go,pinentry-kwallet" for gpg 
+# Add "ignore private-bin" for hyperlinks or have a look at the private-bins in firefox.profile and firefox-common.profile.
+private-bin balsa,balsa-ab
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,groups,gtk-2.0,gtk-3.0,hostname,hosts,mailname,passwd,pki,resolv.conf,selinux,ssl,xdg
+private-tmp
+writable-run-user
+writable-var
+
+dbus-user filter
+dbus-user.own org.desktop.Balsa
+dbus-user.talk ca.desrt.dconf
+dbus-user.talk org.freedesktop.secrets
+dbus-user.talk org.freedesktop.Notifications
+dbus-system none
+
+read-only ${HOME}/.mozilla/firefox/profiles.ini
diff --git a/etc/profile-a-l/celluloid.profile b/etc/profile-a-l/celluloid.profile
index 54d3f742f..888367899 100644
--- a/etc/profile-a-l/celluloid.profile
+++ b/etc/profile-a-l/celluloid.profile
@@ -28,12 +28,8 @@ mkdir ${HOME}/.config/youtube-dl
 whitelist ${HOME}/.config/celluloid
 whitelist ${HOME}/.config/gnome-mpv
 whitelist ${HOME}/.config/youtube-dl
-whitelist ${DESKTOP}
-whitelist ${DOWNLOADS}
-whitelist ${MUSIC}
-whitelist ${PICTURES}
-whitelist ${VIDEOS}
 include whitelist-common.inc
+include whitelist-players.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/chromium-freeworld.profile b/etc/profile-a-l/chromium-freeworld.profile
new file mode 100644
index 000000000..a1de85afa
--- /dev/null
+++ b/etc/profile-a-l/chromium-freeworld.profile
@@ -0,0 +1,5 @@
+# Firejail profile for chromium-freeworld
+# This file is overwritten after every install/update
+
+# Redirect
+include chromium.profile
diff --git a/etc/profile-a-l/cola.profile b/etc/profile-a-l/cola.profile
new file mode 100644
index 000000000..e5debfd82
--- /dev/null
+++ b/etc/profile-a-l/cola.profile
@@ -0,0 +1,10 @@
+# Firejail profile for cola
+# Description: Linux native frontend for Git,alternative call for git-cola
+# This file is overwritten after every install/update
+# Persistent local customizations
+include cola.local
+# Persistent global definitions
+include globals.local
+
+# Redirect
+include git-cola.profile
\ No newline at end of file
diff --git a/etc/profile-a-l/dbus-send.profile b/etc/profile-a-l/dbus-send.profile
new file mode 100644
index 000000000..76a14d99b
--- /dev/null
+++ b/etc/profile-a-l/dbus-send.profile
@@ -0,0 +1,59 @@
+# Firejail profile for dbus-send
+# Description: Send a message to a message bus
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include dbus-send.local
+# Persistent global definitions
+include globals.local
+
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-write-mnt.inc
+include disable-xdg.inc
+
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+# Breaks abstract sockets
+#net none
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private
+private-bin dbus-send
+private-cache
+private-dev
+private-etc alternatives,dbus-1
+private-lib libpcre2-8.so.0
+private-tmp
+
+memory-deny-write-execute
+read-only ${HOME}
diff --git a/etc/profile-a-l/default.profile b/etc/profile-a-l/default.profile
index 74314cf92..7eb7660dd 100644
--- a/etc/profile-a-l/default.profile
+++ b/etc/profile-a-l/default.profile
@@ -14,6 +14,7 @@ include disable-common.inc
 # include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+# include disable-write-mnt.inc
 # include disable-xdg.inc
 
 # include whitelist-common.inc
diff --git a/etc/profile-a-l/electron-mail.profile b/etc/profile-a-l/electron-mail.profile
index 39366470f..5957d4316 100644
--- a/etc/profile-a-l/electron-mail.profile
+++ b/etc/profile-a-l/electron-mail.profile
@@ -8,8 +8,6 @@ include globals.local
 
 noblacklist ${HOME}/.config/electron-mail
 
-whitelist ${DOWNLOADS}
-
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -21,8 +19,10 @@ include disable-xdg.inc
 
 mkdir ${HOME}/.config/electron-mail
 whitelist ${HOME}/.config/electron-mail
+whitelist ${DOWNLOADS}
 
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
@@ -45,12 +45,12 @@ shell none
 private-bin electron-mail
 private-cache
 private-dev
-private-etc alternatives,fonts
+private-etc alternatives,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,nsswitch.conf,pki,resolv.conf,selinux,ssl,xdg
 private-opt ElectronMail
 private-tmp
 
 # breaks tray functionality
 # dbus-user none
-# dbus-system none
+dbus-system none
 
 # memory-deny-write-execute - breaks on Arch
diff --git a/etc/profile-a-l/eo-common.profile b/etc/profile-a-l/eo-common.profile
index 80c704c6b..e8b49a395 100644
--- a/etc/profile-a-l/eo-common.profile
+++ b/etc/profile-a-l/eo-common.profile
@@ -17,6 +17,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-write-mnt.inc
 
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/eog.profile b/etc/profile-a-l/eog.profile
index 0d0153fc2..aabef65fc 100644
--- a/etc/profile-a-l/eog.profile
+++ b/etc/profile-a-l/eog.profile
@@ -15,9 +15,12 @@ whitelist /usr/share/eog
 # or put 'ignore private-bin', 'ignore private-etc' and 'ignore private-lib' in your eog.local
 private-bin eog
 
-dbus-user filter
-dbus-user.own org.gnome.eog
-dbus-user.talk ca.desrt.dconf
+
+# broken on Debian 10 (buster) running LXDE got the folowing error:
+# Failed to register: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: org.freedesktop.DBus.Error.ServiceUnknown
+#dbus-user filter
+#dbus-user.own org.gnome.eog
+#dbus-user.talk ca.desrt.dconf
 dbus-system none
 
 # Redirect
diff --git a/etc/profile-a-l/equalx.profile b/etc/profile-a-l/equalx.profile
new file mode 100644
index 000000000..58b053041
--- /dev/null
+++ b/etc/profile-a-l/equalx.profile
@@ -0,0 +1,63 @@
+# Firejail profile for equalx
+# Description: A graphical editor for writing LaTeX equations
+# This file is overwritten after every install/update
+# Persistent local customizations
+include equalx.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/equalx
+noblacklist ${HOME}/.equalx
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/equalx
+mkdir ${HOME}/.equalx
+whitelist ${HOME}/.config/equalx
+whitelist ${HOME}/.equalx
+whitelist /usr/share/poppler
+whitelist /usr/share/ghostscript
+whitelist /usr/share/texlive
+whitelist /usr/share/equalx
+whitelist /var/lib/texmf
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin equalx,gs,pdflatex,pdftocairo
+private-cache
+private-dev
+private-etc equalx,equalx.conf,fonts,gtk-2.0,latexmk.conf,machine-id,papersize,passwd,texlive,Trolltech.conf
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
diff --git a/etc/profile-a-l/fdns.profile b/etc/profile-a-l/fdns.profile
index 179540806..31cb1776c 100644
--- a/etc/profile-a-l/fdns.profile
+++ b/etc/profile-a-l/fdns.profile
@@ -29,20 +29,20 @@ no3d
 nodvd
 nogroups
 nonewprivs
-# noroot
+noroot
 nosound
 notv
 nou2f
 novideo
-protocol unix,inet,inet6
+protocol unix,inet,inet6,netlink
 #seccomp
 #shell none
 
 disable-mnt
 private
 private-bin bash,fdns,sh
-# private-cache
-private-dev
+private-cache
+#private-dev
 private-etc ca-certificates,crypto-policies,fdns,ld.so.cache,ld.so.preload,localtime,nsswitch.conf,passwd,pki,ssl
 # private-lib
 private-tmp
diff --git a/etc/profile-a-l/firefox.profile b/etc/profile-a-l/firefox.profile
index 337311ed8..ce2013c57 100644
--- a/etc/profile-a-l/firefox.profile
+++ b/etc/profile-a-l/firefox.profile
@@ -24,7 +24,7 @@ include whitelist-usr-share-common.inc
 # firefox requires a shell to launch on Arch.
 #private-bin bash,dbus-launch,dbus-send,env,firefox,sh,which
 # Fedora use shell scripts to launch firefox, at least this is required
-#private-bin basename,bash,cat,dirname,expr,false,firefox,firefox-wayland,ln,mkdir,pidof,rm,rmdir,sed,sh,tclsh,true,uname
+#private-bin basename,bash,cat,dirname,expr,false,firefox,firefox-wayland,getenforce,ln,mkdir,pidof,restorecon,rm,rmdir,sed,sh,tclsh,true,uname
 # private-etc must first be enabled in firefox-common.profile
 #private-etc firefox
 
diff --git a/etc/profile-a-l/flameshot.profile b/etc/profile-a-l/flameshot.profile
index 7c41417ec..357354e70 100644
--- a/etc/profile-a-l/flameshot.profile
+++ b/etc/profile-a-l/flameshot.profile
@@ -9,6 +9,7 @@ include globals.local
 
 noblacklist ${PICTURES}
 noblacklist ${HOME}/.config/Dharkael
+noblacklist ${HOME}/.config/flameshot
 
 include disable-common.inc
 include disable-devel.inc
@@ -19,8 +20,11 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
+#mkdir ${HOME}/.config/Dharkael
+#mkdir ${HOME}/.config/flameshot
 #whitelist ${PICTURES}
 #whitelist ${HOME}/.config/Dharkael
+#whitelist ${HOME}/.config/flameshot
 whitelist /usr/share/flameshot
 #include whitelist-common.inc
 include whitelist-runuser-common.inc
@@ -53,4 +57,5 @@ private-tmp
 
 dbus-user filter
 dbus-user.own org.dharkael.Flameshot
+dbus-user.own org.flameshot.Flameshot
 dbus-system none
diff --git a/etc/profile-a-l/fractal.profile b/etc/profile-a-l/fractal.profile
new file mode 100644
index 000000000..ab907eb0d
--- /dev/null
+++ b/etc/profile-a-l/fractal.profile
@@ -0,0 +1,54 @@
+# Firejail profile for fractal
+# Description: Desktop client for Matrix 
+# This file is overwritten after every install/update
+# Persistent local customizations
+include fractal.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/fractal
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.cache/fractal
+whitelist ${HOME}/.cache/fractal
+whitelist ${DOWNLOADS}
+include whitelist-common.inc
+include whitelist-runuser-common.inc 
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin fractal
+private-cache
+private-dev
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,mime.types,nsswitch.conf,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
+private-tmp
+
+dbus-user filter
+dbus-user.own org.gnome.Fractal
+dbus-user.talk ca.desrt.dconf
+dbus-user.talk org.freedesktop.secrets
+dbus-user.talk org.freedesktop.Notifications
+dbus-system none
diff --git a/etc/profile-a-l/geary.profile b/etc/profile-a-l/geary.profile
index fa01d04b7..118ed62ca 100644
--- a/etc/profile-a-l/geary.profile
+++ b/etc/profile-a-l/geary.profile
@@ -10,24 +10,24 @@ include geary.local
 # Users have Geary set to open a browser by clicking a link in an email
 # We are not allowed to blacklist browser-specific directories
 
-ignore dbus-user none
+ignore dbus-user filter
 ignore dbus-system none
 ignore private-tmp
 
-noblacklist ${HOME}/.gnupg
+noblacklist ${HOME}/.cache/geary
+noblacklist ${HOME}/.config/geary
 noblacklist ${HOME}/.local/share/geary
 
-mkdir ${HOME}/.gnupg
+mkdir ${HOME}/.cache/geary
 mkdir ${HOME}/.config/geary
 mkdir ${HOME}/.local/share/geary
-whitelist ${HOME}/.gnupg
+whitelist ${HOME}/.cache/geary
 whitelist ${HOME}/.config/geary
 whitelist ${HOME}/.local/share/geary
+whitelist /usr/share/geary
 
 read-only ${HOME}/.config/mimeapps.list
 
-whitelist /usr/share/geary
-
 # allow Mozilla browsers
 # Redirect
 include firefox.profile
diff --git a/etc/profile-a-l/git-cola.profile b/etc/profile-a-l/git-cola.profile
index 30e80f519..4708078dd 100644
--- a/etc/profile-a-l/git-cola.profile
+++ b/etc/profile-a-l/git-cola.profile
@@ -12,6 +12,7 @@ noblacklist ${HOME}/.gitconfig
 noblacklist ${HOME}/.git-credentials
 noblacklist ${HOME}/.gnupg
 noblacklist ${HOME}/.ssh
+noblacklist ${HOME}/.subversion
 noblacklist ${HOME}/.config/git
 noblacklist ${HOME}/.config/git-cola
 # Put your editor,diff viewer config path below and uncomment to load settings
@@ -28,7 +29,19 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
+whitelist ${RUNUSER}/gnupg
+whitelist ${RUNUSER}/keyring
+# Whitelist your editor, diff viewer, gnupg path below in /usr/share/
+whitelist /usr/share/git
+whitelist /usr/share/git-cola
+whitelist /usr/share/git-core
+whitelist /usr/share/git-gui
+whitelist /usr/share/gitk
+whitelist /usr/share/gitweb
+whitelist /usr/share/gnupg
+whitelist /usr/share/gnupg2
 include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
 apparmor
@@ -49,18 +62,22 @@ seccomp
 shell none
 tracelog
 
-# private-bin atom,bash,colordiff,emacs,fldiff,geany,gedit,git,git gui,git-cola,git-dag,gitk,gpg,gvim,leafpad,meld,mousepad,nano,notepadqq,python*,sh,ssh,vim,vimdiff,which,xed
+# Add your own diff viewer,editor,pinentry program
+# pinentry-curses,pinentry-emacs,pinentry-fltk,pinentry-gnome3,pinentry-gtk,pinentry-gtk2,pinentry-gtk-2,pinentry-qt,pinentry-qt4,pinentry-tty,pinentry-x2go,pinentry-kwallet" for gpg
+private-bin basename,bash,cola,envsubst,gettext,git,git-cola,git-dag,git-gui,gitk,gpg,gpg-agent,nano,ps,python*,sh,ssh,ssh-agent,tclsh,tr,wc,which,xed
 private-cache
 private-dev
-# Comment if you sign commits with GPG
-private-etc alternatives,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,localtime,login.defs,machine-id,mime.types,nsswitch.conf,passwd,pki,resolv.conf,selinux,ssl,X11,xdg
+private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,gitconfig,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,localtime,login.defs,machine-id,mime.types,nsswitch.conf,passwd,pki,resolv.conf,selinux,ssh,ssl,X11,xdg
 private-tmp
+writable-run-user
 
-dbus-user filter
+# Breaks meld as diff viewer
+# dbus-user filter
 # Uncomment if you need keyring access
 # dbus-user.talk org.freedesktop.secrets
 dbus-system none
 
-read-only ${HOME}/.ssh
-read-only ${HOME}/.gnupg
 read-only ${HOME}/.git-credentials
+
+# Comment if you need to allow hosts
+read-only ${HOME}/.ssh
diff --git a/etc/profile-a-l/gnome-builder.profile b/etc/profile-a-l/gnome-builder.profile
index 7a684dd59..8f637902c 100644
--- a/etc/profile-a-l/gnome-builder.profile
+++ b/etc/profile-a-l/gnome-builder.profile
@@ -6,6 +6,8 @@ include gnome-builder.local
 # Persistent global definitions
 include globals.local
 
+noblacklist ${HOME}/.bash_history
+
 noblacklist ${HOME}/.cache/gnome-builder
 noblacklist ${HOME}/.config/gnome-builder
 noblacklist ${HOME}/.local/share/gnome-builder
@@ -34,3 +36,5 @@ seccomp
 shell none
 
 private-dev
+
+read-write ${HOME}/.bash_history
diff --git a/etc/profile-a-l/gnome-passwordsafe.profile b/etc/profile-a-l/gnome-passwordsafe.profile
index 615be7873..ed430b654 100644
--- a/etc/profile-a-l/gnome-passwordsafe.profile
+++ b/etc/profile-a-l/gnome-passwordsafe.profile
@@ -52,3 +52,8 @@ private-cache
 private-dev
 private-etc dconf,fonts,gtk-3.0,passwd
 private-tmp
+
+dbus-user filter
+dbus-user.own org.gnome.PasswordSafe
+dbus-user.talk ca.desrt.dconf
+dbus-system none
diff --git a/etc/profile-a-l/hedgewars.profile b/etc/profile-a-l/hedgewars.profile
index 898a07a5f..8ac07d3da 100644
--- a/etc/profile-a-l/hedgewars.profile
+++ b/etc/profile-a-l/hedgewars.profile
@@ -8,6 +8,8 @@ include globals.local
 
 noblacklist ${HOME}/.hedgewars
 
+include allow-lua.inc
+
 include disable-common.inc
 include disable-devel.inc
 include disable-interpreters.inc
diff --git a/etc/profile-a-l/kazam.profile b/etc/profile-a-l/kazam.profile
new file mode 100644
index 000000000..9899ff195
--- /dev/null
+++ b/etc/profile-a-l/kazam.profile
@@ -0,0 +1,54 @@
+# Firejail profile for kazam
+# Description: Screen capture tool
+# This file is overwritten after every install/update
+# Persistent local customizations
+include kazam.local
+# Persistent global definitions
+include globals.local
+
+ignore noexec ${HOME}
+
+noblacklist ${PICTURES}
+noblacklist ${VIDEOS}
+noblacklist ${HOME}/.config/kazam
+
+include allow-python2.inc 
+include allow-python3.inc 
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc 
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-passwdmgr.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+whitelist /usr/share/kazam
+include whitelist-runuser-common.inc 
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+# private-bin kazam,python*
+private-cache
+private-dev
+private-etc alsa,alternatives,asound.conf,dconf,fonts,gtk-2.0,gtk-3.0,machine-id,pulse,selinux,X11,xdg
+private-tmp
+
+dbus-system none
diff --git a/etc/profile-a-l/kube.profile b/etc/profile-a-l/kube.profile
new file mode 100644
index 000000000..cf3a69fd7
--- /dev/null
+++ b/etc/profile-a-l/kube.profile
@@ -0,0 +1,81 @@
+# Firejail profile for kube
+# Description: Qt mail client
+# This file is overwritten after every install/update
+# Persistent local customizations
+include kube.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.gnupg
+noblacklist ${HOME}/.mozilla
+noblacklist ${HOME}/.cache/kube
+noblacklist ${HOME}/.config/kube
+noblacklist ${HOME}/.config/sink
+noblacklist ${HOME}/.local/share/kube
+noblacklist ${HOME}/.local/share/sink
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.gnupg
+mkdir ${HOME}/.cache/kube
+mkdir ${HOME}/.config/kube
+mkdir ${HOME}/.config/sink
+mkdir ${HOME}/.local/share/kube
+mkdir ${HOME}/.local/share/sink
+whitelist ${HOME}/.gnupg
+whitelist ${HOME}/.mozilla/firefox/profiles.ini
+whitelist ${HOME}/.cache/kube
+whitelist ${HOME}/.config/kube
+whitelist ${HOME}/.config/sink
+whitelist ${HOME}/.local/share/kube
+whitelist ${HOME}/.local/share/sink
+whitelist ${RUNUSER}/gnupg
+whitelist /usr/share/kube
+whitelist /usr/share/gnupg
+whitelist /usr/share/gnupg2
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+# disable-mnt
+# Add "gpg,gpg2,gpg-agent,pinentry-curses,pinentry-emacs,pinentry-fltk,pinentry-gnome3,pinentry-gtk,pinentry-gtk2,pinentry-gtk-2,pinentry-qt,pinentry-qt4,pinentry-tty,pinentry-x2go,pinentry-kwallet" for gpg 
+# Add "ignore private-bin" for hyperlinks or have a look at the private-bins in firefox.profile and firefox-common.profile.
+private-bin kube,sink_synchronizer
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,fonts,gcrypt,gtk-2.0,gtk-3.0,hostname,hosts,pki,resolv.conf,selinux,ssl,xdg
+private-tmp
+writable-run-user
+
+dbus-user filter
+dbus-user.talk ca.desrt.dconf
+dbus-user.talk org.freedesktop.secrets
+dbus-user.talk org.freedesktop.Notifications
+dbus-system none
+
+read-only ${HOME}/.mozilla/firefox/profiles.ini