33 files changed, 561 insertions, 96 deletions

diff --git a/etc/Xephyr.profile b/etc/Xephyr.profile
index a9960ebea..b4325cd74 100644
--- a/etc/Xephyr.profile
+++ b/etc/Xephyr.profile
@@ -40,4 +40,4 @@ private
 # private-bin Xephyr,sh,xkbcomp,strace,bash,cat,ls
 private-dev
 # private-etc alternatives,ld.so.conf,ld.so.cache,resolv.conf,host.conf,nsswitch.conf,gai.conf,hosts,hostname
-private-tmp
+#private-tmp
diff --git a/etc/bitlbee.profile b/etc/bitlbee.profile
index 2c2f88ed5..287e5f52e 100644
--- a/etc/bitlbee.profile
+++ b/etc/bitlbee.profile
@@ -33,6 +33,6 @@ private
 private-cache
 private-dev
 private-tmp
-read-write /var/lib/bitlbee
 
 noexec /tmp
+read-write /var/lib/bitlbee
diff --git a/etc/cantata.profile b/etc/cantata.profile
new file mode 100644
index 000000000..e4a4de9c1
--- /dev/null
+++ b/etc/cantata.profile
@@ -0,0 +1,40 @@
+# Firejail profile for Cantata
+# Description: Multimedia player - Qt5 client for the music Player daemon (MPD)
+# This file is overwritten during software install.
+# Persistent local customizations
+include cantata.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/cantata
+noblacklist ${HOME}/.config/cantata
+noblacklist ${HOME}/.local/share/cantata
+noblacklist ${MUSIC}
+
+noblacklist ${PATH}/perl
+noblacklist /usr/lib/perl*
+noblacklist /usr/share/perl*
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+# apparmor
+caps.drop all
+ipc-namespace
+netfilter
+nonewprivs
+noroot
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+
+# private-etc samba,gcrypt,drirc,fonts,mpd.conf,kde5rc,passwd,xdg,hosts,ssl
+private-bin cantata,mpd,perl
+private-dev
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index 7de2a620f..5481f976f 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -94,6 +94,7 @@ blacklist ${HOME}/.config/Nathan Osman
 blacklist ${HOME}/.config/Nylas Mail
 blacklist ${HOME}/.config/PBE
 blacklist ${HOME}/.config/Qlipper
+blacklist ${HOME}/.config/QGIS
 blacklist ${HOME}/.config/QMediathekView
 blacklist ${HOME}/.config/QuiteRss
 blacklist ${HOME}/.config/QuiteRssrc
@@ -128,6 +129,7 @@ blacklist ${HOME}/.config/brasero
 blacklist ${HOME}/.config/brave
 blacklist ${HOME}/.config/caja
 blacklist ${HOME}/.config/calibre
+blacklist ${HOME}/.config/cantata
 blacklist ${HOME}/.config/catfish
 blacklist ${HOME}/.config/celluloid
 blacklist ${HOME}/.config/cherrytree
@@ -208,6 +210,7 @@ blacklist ${HOME}/.config/kdeconnect
 blacklist ${HOME}/.config/knotesrc
 blacklist ${HOME}/.config/konversationrc
 blacklist ${HOME}/.config/ktorrentrc
+blacklist ${HOME}/.config/ktouch2rc
 blacklist ${HOME}/.config/leafpad
 blacklist ${HOME}/.config/libreoffice
 blacklist ${HOME}/.config/liferea
@@ -218,6 +221,7 @@ blacklist ${HOME}/.config/mana
 blacklist ${HOME}/.config/mate-calc
 blacklist ${HOME}/.config/mate/eom
 blacklist ${HOME}/.config/mate/mate-dictionary
+blacklist ${HOME}/.config/meteo-qt
 blacklist ${HOME}/.config/mfusion
 blacklist ${HOME}/.config/midori
 blacklist ${HOME}/.config/mono
@@ -305,6 +309,7 @@ blacklist ${HOME}/.config/xreader
 blacklist ${HOME}/.config/xviewer
 blacklist ${HOME}/.config/yandex-browser
 blacklist ${HOME}/.config/yandex-browser-beta
+blacklist ${HOME}/.config/yelp
 blacklist ${HOME}/.config/zathura
 blacklist ${HOME}/.config/zoomus.conf
 blacklist ${HOME}/.conkeror.mozdev.org
@@ -436,6 +441,7 @@ blacklist ${HOME}/.local/share/JetBrains
 blacklist ${HOME}/.local/share/Mendeley Ltd.
 blacklist ${HOME}/.local/share/Mumble
 blacklist ${HOME}/.local/share/PBE
+blacklist ${HOME}/.local/share/QGIS
 blacklist ${HOME}/.local/share/QMediathekView
 blacklist ${HOME}/.local/share/QuiteRss
 blacklist ${HOME}/.local/share/Ricochet
@@ -451,6 +457,7 @@ blacklist ${HOME}/.local/share/aspyr-media
 blacklist ${HOME}/.local/share/baloo
 blacklist ${HOME}/.local/share/bibletime
 blacklist ${HOME}/.local/share/caja-python
+blacklist ${HOME}/.local/share/cantata
 blacklist ${HOME}/.local/share/cdprojektred
 blacklist ${HOME}/.local/share/clipit
 blacklist ${HOME}/.local/share/contacts
@@ -491,6 +498,7 @@ blacklist ${HOME}/.local/share/knotes
 blacklist ${HOME}/.local/share/krita
 blacklist ${HOME}/.local/share/ktorrentrc
 blacklist ${HOME}/.local/share/ktorrent
+blacklist ${HOME}/.local/share/ktouch
 blacklist ${HOME}/.local/share/kwrite
 blacklist ${HOME}/.local/share/liferea
 blacklist ${HOME}/.local/share/local-mail
@@ -549,6 +557,7 @@ blacklist ${HOME}/.minetest
 blacklist ${HOME}/.moonchild productions/basilisk
 blacklist ${HOME}/.moonchild productions/pale moon
 blacklist ${HOME}/.mozilla
+blacklist ${HOME}/.mp3splt-gtk
 blacklist ${HOME}/.mpd
 blacklist ${HOME}/.mpdconf
 blacklist ${HOME}/.mplayer
@@ -572,6 +581,7 @@ blacklist ${HOME}/.pingus
 blacklist ${HOME}/.pioneer
 blacklist ${HOME}/.purple
 blacklist ${HOME}/.qemu-launcher
+blacklist ${HOME}/.qgis2
 blacklist ${HOME}/.qmmp
 blacklist ${HOME}/.quodlibet
 blacklist ${HOME}/.redeclipse
@@ -648,6 +658,7 @@ blacklist ${HOME}/.cache/attic
 blacklist ${HOME}/.cache/bnox
 blacklist ${HOME}/.cache/borg
 blacklist ${HOME}/.cache/calibre
+blacklist ${HOME}/.cache/cantata
 blacklist ${HOME}/.cache/champlain
 blacklist ${HOME}/.cache/chromium
 blacklist ${HOME}/.cache/chromium-dev
diff --git a/etc/eo-common.profile b/etc/eo-common.profile
new file mode 100644
index 000000000..ad18e10c4
--- /dev/null
+++ b/etc/eo-common.profile
@@ -0,0 +1,47 @@
+# Firejail profile for eo-common
+# Description: Common profile for Eye of GNOME/MATE graphics viewer program
+# This file is overwritten after every install/update
+# Persistent local customizations
+include eo-common.local
+# Persistent global definitions
+# already included by caller profile
+#include globals.local
+
+noblacklist ${HOME}/.local/share/Trash
+noblacklist ${HOME}/.Steam
+noblacklist ${HOME}/.steam
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,netlink
+seccomp
+shell none
+tracelog
+
+private-cache
+private-dev
+private-etc alternatives,dconf,fonts,gtk-3.0
+private-lib eog,eom,gdk-pixbuf-2.*,gio,girepository-1.*,gvfs,libgconf-2.so.*
+private-tmp
+
+#memory-deny-write-execute - breaks on Arch
diff --git a/etc/eog.profile b/etc/eog.profile
index 1dcc687fc..8e3aa42fe 100644
--- a/etc/eog.profile
+++ b/etc/eog.profile
@@ -6,46 +6,12 @@ include eog.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.Steam
 noblacklist ${HOME}/.config/eog
-noblacklist ${HOME}/.local/share/Trash
-noblacklist ${HOME}/.steam
-
-include disable-common.inc
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
-
-include whitelist-var-common.inc
-
-apparmor
-caps.drop all
-ipc-namespace
-machine-id
-no3d
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-nou2f
-novideo
-protocol unix
-seccomp
-shell none
-tracelog
 
 # private-bin, private-etc and private-lib break 'Open With' / 'Open in file manager'
 # comment those if you need that functionality
 # or put 'ignore private-bin', 'ignore private-etc' and 'ignore private-lib' in your eog.local
 private-bin eog
-private-cache
-private-dev
-private-etc alternatives,fonts
-private-lib eog,gdk-pixbuf-2.*,gio,girepository-1.*,gvfs,libgconf-2.so.*
-private-tmp
 
-# memory-deny-write-execute
+# Redirect
+include eo-common.profile
diff --git a/etc/eom.profile b/etc/eom.profile
index 7cb3f98cd..437326d38 100644
--- a/etc/eom.profile
+++ b/etc/eom.profile
@@ -6,42 +6,12 @@ include eom.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.Steam
 noblacklist ${HOME}/.config/mate/eom
-noblacklist ${HOME}/.local/share/Trash
-noblacklist ${HOME}/.steam
-
-include disable-common.inc
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
-
-include whitelist-var-common.inc
-
-caps.drop all
-no3d
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-nou2f
-novideo
-protocol unix
-seccomp
-shell none
-tracelog
 
 # private-bin, private-etc and private-lib break 'Open With' / 'Open in file manager'
 # comment those if you need that functionality
 # or put 'ignore private-bin', 'ignore private-etc' and 'ignore private-lib' in your eom.local
 private-bin eom
-private-dev
-private-etc alternatives,fonts
-private-lib
-private-tmp
 
-#memory-deny-write-execute - breaks on Arch
+# Redirect
+include eo-common.profile
diff --git a/etc/exiftool.profile b/etc/exiftool.profile
index 2ee4aae6f..f694ea212 100644
--- a/etc/exiftool.profile
+++ b/etc/exiftool.profile
@@ -41,7 +41,7 @@ shell none
 tracelog
 
 # To support exiftool in private-bin on Arch Linux (and derivatives), symlink /usr/bin/vendor_perl/exiftool to /usr/bin/exiftool and uncomment the below.
-# Users on non-Arch Linux distributions can safely uncomment the below to enable extra hardening.
+# Users on non-Arch Linux distributions can safely uncomment (or put in exiftool.local) the line below to enable extra hardening.
 #private-bin exiftool,perl
 private-cache
 private-dev
diff --git a/etc/firefox-common.profile b/etc/firefox-common.profile
index 080d9e81a..bccbb3412 100644
--- a/etc/firefox-common.profile
+++ b/etc/firefox-common.profile
@@ -9,7 +9,7 @@ include firefox-common.local
 # noexec ${HOME} breaks DRM binaries.
 ?BROWSER_ALLOW_DRM: ignore noexec ${HOME}
 
-# Uncomment the following line to allow access to common programs/addons/plugins.
+# Uncomment the following line (or put it in your firefox-common.local) to allow access to common programs/addons/plugins.
 #include firefox-common-addons.inc
 
 noblacklist ${HOME}/.pki
diff --git a/etc/firejail.config b/etc/firejail.config
index 497d9633e..92df8ad1a 100644
--- a/etc/firejail.config
+++ b/etc/firejail.config
@@ -32,7 +32,7 @@
 
 # Disable /mnt, /media, /run/mount and /run/media access. By default access
 # to these directories is enabled. Unlike --disable-mnt profile option this
-# cannot be overridden by --noblacklist.
+# cannot be overridden by --noblacklist or --ignore.
 # disable-mnt no
 
 # Enable or disable file transfer support, default enabled.
diff --git a/etc/gnome-chess.profile b/etc/gnome-chess.profile
index 2f4626891..04409a5e4 100644
--- a/etc/gnome-chess.profile
+++ b/etc/gnome-chess.profile
@@ -18,7 +18,10 @@ include disable-xdg.inc
 
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
+machine-id
+net none
 no3d
 nodvd
 nogroups
@@ -35,6 +38,7 @@ tracelog
 
 disable-mnt
 private-bin fairymax,gnome-chess,hoichess,gnuchess
+private-cache
 private-dev
-private-etc alternatives,fonts,gnome-chess
+private-etc alternatives,dconf,fonts,gnome-chess,gtk-3.0
 private-tmp
diff --git a/etc/gpg.profile b/etc/gpg.profile
index 47e6e5265..51662b59c 100644
--- a/etc/gpg.profile
+++ b/etc/gpg.profile
@@ -29,8 +29,7 @@ nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
-# Causes gpg to hang
-#shell none
+shell none
 tracelog
 
 # private-bin gpg,gpg-agent
diff --git a/etc/inkview.profile b/etc/inkview.profile
new file mode 100644
index 000000000..6c0127f37
--- /dev/null
+++ b/etc/inkview.profile
@@ -0,0 +1,8 @@
+# Firejail profile for inkview
+# Description: an SVG slideshow program
+# This file is overwritten after every install/update
+# Persistent local customizations
+include inkview.local
+
+# Redirect
+include inkscape.profile
diff --git a/etc/keepassxc.profile b/etc/keepassxc.profile
index 33b4509b7..c1adfd516 100644
--- a/etc/keepassxc.profile
+++ b/etc/keepassxc.profile
@@ -41,7 +41,7 @@ protocol netlink,unix
 seccomp
 shell none
 
-private-bin keepassxc
+private-bin keepassxc,keepassxc-proxy
 private-dev
 private-etc alternatives,fonts,ld.so.cache,machine-id
 private-tmp
diff --git a/etc/ktouch.profile b/etc/ktouch.profile
new file mode 100644
index 000000000..446bc50ee
--- /dev/null
+++ b/etc/ktouch.profile
@@ -0,0 +1,50 @@
+# Firejail profile for KTouch
+# Description: a typing tutor by KDE
+# This file is overwritten after every install/update
+# Persistent local customizations
+include ktouch.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/ktouch2rc
+noblacklist ${HOME}/.local/share/ktouch
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkfile ${HOME}/.config/ktouch2rc
+mkdir ${HOME}/.local/share/ktouch
+whitelist ${HOME}/.config/ktouch2rc
+whitelist ${HOME}/.local/share/ktouch
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,netlink
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin ktouch
+private-cache
+private-dev
+private-etc alternatives,fonts,kde5rc,machine-id
+private-tmp
diff --git a/etc/libreoffice.profile b/etc/libreoffice.profile
index 6e77cd741..5bb943323 100644
--- a/etc/libreoffice.profile
+++ b/etc/libreoffice.profile
@@ -29,9 +29,7 @@ include whitelist-var-common.inc
 # comment the next line to use the ubuntu profile instead of firejail's apparmor profile
 apparmor
 caps.drop all
-#machine-id
 netfilter
-#nodbus
 nodvd
 nogroups
 # comment nonewprivs when using the ubuntu 18.04/debian 10 apparmor profile
@@ -50,5 +48,4 @@ tracelog
 private-dev
 private-tmp
 
-
 join-or-start libreoffice
diff --git a/etc/masterpdfeditor.profile b/etc/masterpdfeditor.profile
index ce6486115..e4da0c66a 100644
--- a/etc/masterpdfeditor.profile
+++ b/etc/masterpdfeditor.profile
@@ -20,9 +20,7 @@ include whitelist-var-common.inc
 
 apparmor
 caps.drop all
-ipc-namespace
 machine-id
-no3d
 nodvd
 nogroups
 nonewprivs
@@ -36,7 +34,6 @@ seccomp
 shell none
 tracelog
 
-private-bin masterpdfedito*
 private-cache
 private-dev
 private-etc alternatives,fonts
diff --git a/etc/meteo-qt.profile b/etc/meteo-qt.profile
new file mode 100644
index 000000000..a769a97ec
--- /dev/null
+++ b/etc/meteo-qt.profile
@@ -0,0 +1,53 @@
+# Firejail profile for meteo-qt
+# Description: System tray application for weather status information
+# This file is overwritten after every install/update
+# Persistent local customizations
+include meteo-qt.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/autostart
+noblacklist ${HOME}/.config/meteo-qt
+
+# Allow python (blacklisted by disable-interpreters.inc)
+noblacklist ${PATH}/python3*
+noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python3*
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+whitelist ${HOME}/.config/autostart
+mkdir ${HOME}/.config/meteo-qt
+whitelist ${HOME}/.config/meteo-qt
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+netfilter
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin meteo-qt,python*
+private-cache
+private-dev
+private-tmp
+
+memory-deny-write-execute
diff --git a/etc/mp3splt-gtk.profile b/etc/mp3splt-gtk.profile
new file mode 100644
index 000000000..d14006112
--- /dev/null
+++ b/etc/mp3splt-gtk.profile
@@ -0,0 +1,41 @@
+# Firejail profile for mp3splt-gtk
+# Description: Gtk utility for mp3/ogg splitting without decoding
+# This file is overwritten after every install/update
+# Persistent local customizations
+include mp3splt-gtk.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.mp3splt-gtk
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-bin mp3splt-gtk
+private-cache
+private-dev
+private-etc alsa,alternatives,asound.conf,fonts,gtk-3.0,dconf,machine-id,openal,pulse
+private-tmp
diff --git a/etc/ocenaudio.profile b/etc/ocenaudio.profile
index ceeb59384..b2249f63b 100644
--- a/etc/ocenaudio.profile
+++ b/etc/ocenaudio.profile
@@ -24,7 +24,7 @@ ipc-namespace
 # net none breaks AppArmor on Ubuntu systems
 netfilter
 no3d
-# nodbus - breaks preferences, comment when needed
+# nodbus - breaks preferences, comment (or put 'ignore nodbus' in your oceanaudio.local) when needed
 nodbus
 nodvd
 nogroups
@@ -39,12 +39,10 @@ shell none
 tracelog
 
 # disable-mnt
-# private
 private-bin ocenaudio
 private-cache
 private-dev
 private-etc alternatives,asound.conf,fonts,ld.so.cache,pulse
-# private-lib
 private-tmp
 
 # memory-deny-write-execute - breaks on Arch
diff --git a/etc/orage.profile b/etc/orage.profile
index 2c55ab909..4e12892d6 100644
--- a/etc/orage.profile
+++ b/etc/orage.profile
@@ -24,7 +24,7 @@ nodvd
 nogroups
 nonewprivs
 noroot
-nosound
+# nosound - calendar application, It must be able to play sound to wake you up.
 notv
 nou2f
 novideo
diff --git a/etc/pidgin.profile b/etc/pidgin.profile
index 444478149..bdd5404f5 100644
--- a/etc/pidgin.profile
+++ b/etc/pidgin.profile
@@ -6,9 +6,7 @@ include pidgin.local
 # Persistent global definitions
 include globals.local
 
-mkdir ${HOME}/.purple
 noblacklist ${HOME}/.purple
-whitelist ${HOME}/.purple
 
 ignore noexec ${RUNUSER}
 ignore noexec /dev/shm
@@ -20,6 +18,9 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
+
+mkdir ${HOME}/.purple
+whitelist ${HOME}/.purple
 include whitelist-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/qgis.profile b/etc/qgis.profile
new file mode 100644
index 000000000..45fe59cf7
--- /dev/null
+++ b/etc/qgis.profile
@@ -0,0 +1,60 @@
+# Firejail profile for qgis
+# Description: GIS application
+# This file is overwritten after every install/update
+# Persistent local customizations
+include qgis.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/QtProject.conf
+noblacklist ${HOME}/.config/QGIS
+noblacklist ${HOME}/.local/share/QGIS
+noblacklist ${HOME}/.qgis2
+noblacklist ${DOCUMENTS}
+
+# Allow python (blacklisted by disable-interpreters.inc)
+noblacklist ${PATH}/python3*
+noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python3*
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.local/share/QGIS
+mkdir ${HOME}/.qgis2
+mkdir ${HOME}/.config/QGIS
+whitelist ${HOME}/.local/share/QGIS
+whitelist ${HOME}/.qgis2
+whitelist ${HOME}/.config/QGIS
+whitelist ${DOCUMENTS}
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+netfilter
+machine-id
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+# blacklisting of mbind system calls breaks old version
+seccomp.drop @cpu-emulation,@debug,@obsolete,@privileged,set_mempolicy,migrate_pages,move_pages,open_by_handle_at,name_to_handle_at,ioprio_set,ni_syscall,syslog,fanotify_init,kcmp,add_key,request_key,keyctl,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,vmsplice,umount,userfaultfd,mincore
+protocol unix,inet,inet6,netlink
+shell none
+tracelog
+
+disable-mnt
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,fonts,machine-id,pki,resolv.conf,ssl,QGIS,QGIS.conf,Trolltech.conf
+private-tmp
diff --git a/etc/seahorse.profile b/etc/seahorse.profile
index cd9f6c767..fc54a0716 100644
--- a/etc/seahorse.profile
+++ b/etc/seahorse.profile
@@ -50,7 +50,7 @@ nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
-# shell none - causes gpg to hang
+shell none
 tracelog
 
 disable-mnt
diff --git a/etc/spotify.profile b/etc/spotify.profile
index 6f7f6ec85..00c2aabe2 100644
--- a/etc/spotify.profile
+++ b/etc/spotify.profile
@@ -6,9 +6,6 @@ include spotify.local
 include globals.local
 
 blacklist ${HOME}/.bashrc
-blacklist /lost+found
-blacklist /sbin
-blacklist /srv
 
 noblacklist ${HOME}/.cache/spotify
 noblacklist ${HOME}/.config/spotify
@@ -49,5 +46,6 @@ private-bin spotify,bash,sh,zenity
 private-dev
 private-etc alternatives,fonts,group,ld.so.cache,machine-id,pulse,resolv.conf,hosts,nsswitch.conf,host.conf,ca-certificates,ssl,pki,crypto-policies
 private-opt spotify
+private-srv none
 private-tmp
 
diff --git a/etc/sysprof.profile b/etc/sysprof.profile
index 3cfea5c5e..e978e03f2 100644
--- a/etc/sysprof.profile
+++ b/etc/sysprof.profile
@@ -24,7 +24,7 @@ no3d
 nodvd
 nogroups
 nonewprivs
-# Ubuntu 16.04 version needs root privileges - uncomment if you don't use that
+# Ubuntu 16.04 version needs root privileges - uncomment or put in sysprof.local if you don't use that
 #noroot
 nosound
 notv
diff --git a/etc/templates/Notes b/etc/templates/Notes
new file mode 100644
index 000000000..a4170207b
--- /dev/null
+++ b/etc/templates/Notes
@@ -0,0 +1,7 @@
+Notes
+=====
+
+ * Lines with one # are often used
+ * Lines with two ## are only in special situation needed
+ * Add programs specific paths like .config/program to disable-programs.inc
+ * Add the name of the profile/program to src/firecfg/firecfg.config
diff --git a/etc/templates/profile.template b/etc/templates/profile.template
new file mode 100644
index 000000000..d7da0ed20
--- /dev/null
+++ b/etc/templates/profile.template
@@ -0,0 +1,82 @@
+# Firejail profile for PROGRAM_NAME
+# Description: DESCRIPTION
+# This file is overwritten after every install/update
+##quiet
+# Persistent local customizations
+#include PROFILE.local
+# Persistent global definitions
+#include globals.local
+
+##ignore noexec ${HOME}
+
+##blacklist PATH
+
+#noblacklist PATH
+
+# Allow python (blacklisted by disable-interpreters.inc)
+#noblacklist ${PATH}/python2*
+#noblacklist ${PATH}/python3*
+#noblacklist /usr/lib/python2*
+#noblacklist /usr/lib/python3*
+#noblacklist /usr/local/lib/python2*
+#noblacklist /usr/local/lib/python3*
+
+#include disable-common.inc
+#include disable-devel.inc
+#include disable-exec.inc
+#include disable-interpreters.inc
+#include disable-passwdmgr.inc
+#include disable-programs.inc
+#include disable-xdg.inc
+
+#mkdir PATH
+#mkfile PATH
+#whitelist PATH
+#include whitelist-common.inc
+#include whitelist-var-common.inc
+
+#apparmor
+#caps.drop all
+# CLI only
+##ipc-namespace
+#machine-id
+# 'net none' or 'netfilter'
+#net none
+#netfilter
+#no3d
+#nodbus
+#nodvd
+#nogroups
+#nonewprivs
+#noroot
+#nosound
+#notv
+#nou2f
+#novideo
+#protocol unix,inet,inet6,netlink
+#seccomp
+##seccomp.drop SYSCALLS
+#shell none
+#tracelog
+
+#disable-mnt
+##private
+#private-bin PROGRAMS
+#private-cache
+#private-dev
+#private-etc FILES
+# private-etc templates (see also #1734)
+#  Internet: ca-certificates,crypto-policies,nsswitch.conf,pki,resolv.conf,ssl
+#  Sound: alsa,asound.conf,machine-id,openal,pulse
+#  GTK: dconf,fonts,gtk-2.0,gtk-3.0,pango,xdg
+#  KDE/QT: fonts,kde4rc,kde5rc,ld.so.cache,machine-id,Trolltech.conf,xdg
+#  GUIs: fonts
+#  Alternatives: alternatives
+##private-lib LIBS
+##private-opt NAME
+#private-tmp
+
+##env VAR=VALUE
+#memory-deny-write-execute
+##read-only ${HOME}
+##join-or-start NAME
diff --git a/etc/templates/redirect_alias-profile.template b/etc/templates/redirect_alias-profile.template
new file mode 100644
index 000000000..56dd43ca4
--- /dev/null
+++ b/etc/templates/redirect_alias-profile.template
@@ -0,0 +1,36 @@
+# Firejail profile for PRGOGRAM_NAME
+# Description: DESCRIPTION
+# This file is overwritten after every install/update
+# Persistent local customizations
+include PROFILE.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+#NOTE: let include globals.local commented
+
+# Additional blacklisting (if needed)
+#blacklist PATH
+
+# Additional noblacklisting (if needed)
+#noblacklist PATH
+
+# Additional whitelisting (if needed)
+#mkdir PATH
+#mkfile PATH
+#whitelist PATH
+
+# Additional options if needed (see firejail-profile.example)
+
+# Add programs to private-bin (if needed)
+#private-bin PROGRAMS
+# Add files to private-etc (if needed)
+#private-etc FILES
+
+# Ignore something that is in the included profile
+#ignore net none
+#ignore private-bin
+#ignore seccomp
+#...
+
+# Redirect
+include PROFILE.profile
diff --git a/etc/templates/syscalls.txt b/etc/templates/syscalls.txt
new file mode 100644
index 000000000..ec8247517
--- /dev/null
+++ b/etc/templates/syscalls.txt
@@ -0,0 +1,43 @@
+Hints for writing seccomp.drop lines
+====================================
+
+@clock=adjtimex,clock_adjtime,clock_settime,settimeofday,stime
+@module=delete_module,finit_module,init_module
+@raw-io=ioperm,iopl,pciconfig_iobase,pciconfig_read,pciconfig_write,s390_mmio_read,s390_mmio_write
+@reboot=kexec_load,kexec_file_load,reboot,
+@swap=swapon,swapoff
+
+@privileged=@clock,@module,@raw-io,@reboot,@swap,acct,bpf,chroot,mount,nfsservctl,pivot_root,setdomainname,sethostname,umount2,vhangup
+
+@cpu-emulation=modify_ldt,subpage_prot,switch_endian,vm86,vm86old
+@debug=lookup_dcookie,perf_event_open,process_vm_writev,rtas,s390_runtime_instr,sys_debug_setcontext
+@obsolete=_sysctl,afs_syscall,bdflush,break,create_module,ftime,get_kernel_syms,getpmsg,gtty,lock,mpx,prof,profil,putpmsg,query_module,security,sgetmask,ssetmask,stty,sysfs,tuxcall,ulimit,uselib,ustat,vserver
+@resources=set_mempolicy,migrate_pages,move_pages,mbind
+
+@default=@cpu-emulation,@debug,@obsolete,@privileged,@resources,open_by_handle_at,name_to_handle_at,ioprio_set,ni_syscall,syslog,fanotify_init,kcmp,add_key,request_key,keyctl,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,vmsplice,umount,userfaultfd,mincore
+
+@default-nodebuggers=@default,ptrace,personality,process_vm_readv
+
+@default-keep=execve,prctl
+
+
++---------+----------------+---------------+
+| @clock  | @cpu-emulation | @default-keep |
+| @module | @debug         |               |
+| @raw-io | @obsolete      |               |
+| @reboot | @resources     |               |
+| @swap   |                |               |
++---------+----------------+---------------+
+     :              :
++-------------+     :
+| @privileged |     :
++-------------+     :
+     :              :
++----------+        :
+| @default |........:
++----------+
+    :
++----------------------+
+| @default-nodebuggers |
++----------------------+
+
diff --git a/etc/transgui.profile b/etc/transgui.profile
index 8043bfa01..0d09cef87 100644
--- a/etc/transgui.profile
+++ b/etc/transgui.profile
@@ -2,7 +2,7 @@
 # Description: Cross-platform Transmission BitTorrent client
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/transgui.local
+include transgui.local
 # Persistent global definitions
 include globals.local
 
diff --git a/etc/xiphos.profile b/etc/xiphos.profile
index 3ad03e2c6..33056395e 100644
--- a/etc/xiphos.profile
+++ b/etc/xiphos.profile
@@ -13,6 +13,7 @@ noblacklist ${HOME}/.xiphos
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -20,8 +21,11 @@ include disable-programs.inc
 whitelist ${HOME}/.sword
 whitelist ${HOME}/.xiphos
 include whitelist-common.inc
+include whitelist-var-common.inc
 
+apparmor
 caps.drop all
+machine-id
 netfilter
 nodvd
 nogroups
@@ -36,7 +40,9 @@ seccomp
 shell none
 tracelog
 
+disable-mnt
 private-bin xiphos
+private-cache
 private-dev
-private-etc alternatives,fonts,resolv.conf,sword,ca-certificates,ssl,pki,crypto-policies
+private-etc alternatives,fonts,resolv.conf,sword,ca-certificates,ssli,sword.conf,pki,crypto-policies
 private-tmp
diff --git a/etc/yelp.profile b/etc/yelp.profile
new file mode 100644
index 000000000..66f094e1d
--- /dev/null
+++ b/etc/yelp.profile
@@ -0,0 +1,51 @@
+# Firejail profile for yelp
+# Description: Help browser for the GNOME desktop
+# This file is overwritten after every install/update
+# Persistent local customizations
+include yelp.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/yelp
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/yelp
+whitelist ${HOME}/.config/yelp
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin yelp
+private-cache
+private-dev
+private-etc alsa,alternatives,asound.conf,crypto-policies,cups,dconf,drirc,fonts,gcrypt,gtk-3.0,machine-id,openal,os-release,pulse,sgml,xml
+private-tmp
+
+# read-only ${HOME} breaks some not necesarry featrues, comment it if
+# you need them or put 'ignore read-only ${HOME}' into your yelp.local.
+# broken features:
+#  1. yelp --editor-mode
+#  2. saving the window geometry
+read-only ${HOME}