200 files changed, 1134 insertions, 772 deletions
diff --git a/etc/7z.profile b/etc/7z.profile
index 44ab377b3..ee2b493f8 100644
--- a/etc/7z.profile
+++ b/etc/7z.profile
@@ -4,23 +4,34 @@ quiet
 # Persistent local customizations
 include 7z.local
 # Persistent global definitions
-# added by included profile
+include globals.local
-#include globals.local
 blacklist /tmp/.X11-unix
-ignore noroot
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+caps.drop all
+ipc-namespace
+machine-id
 net none
 no3d
 nodbus
 nodvd
+#nogroups
+nonewprivs
+#noroot
 nosound
 notv
 nou2f
 novideo
+protocol unix
+seccomp
 shell none
 tracelog
 private-dev
-include default.profile
diff --git a/etc/JDownloader.profile b/etc/JDownloader.profile
index d1bd5c9b2..1435f3422 100644
--- a/etc/JDownloader.profile
+++ b/etc/JDownloader.profile
@@ -5,14 +5,10 @@ include JDownloader.local
 # Persistent global definitions
 include globals.local
 noblacklist ${HOME}/.jd
-# Allow access to java
+# Allow java (blacklisted by disable-devel.inc)
-noblacklist ${PATH}/java
+include allow-java.inc
-noblacklist /usr/lib/java
-noblacklist /etc/java
-noblacklist /usr/share/java
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/Mathematica.profile b/etc/Mathematica.profile
index 6aba2678b..c2734b1c1 100644
--- a/etc/Mathematica.profile
+++ b/etc/Mathematica.profile
@@ -16,6 +16,7 @@ include disable-programs.inc
 mkdir ${HOME}/.Mathematica
 mkdir ${HOME}/.Wolfram Research
+mkdir ${HOME}/Documents/Wolfram Mathematica
 whitelist ${HOME}/.Mathematica
 whitelist ${HOME}/.Wolfram Research
 whitelist ${HOME}/Documents/Wolfram Mathematica
diff --git a/etc/Viber.profile b/etc/Viber.profile
index 3f3ee8590..40358aa87 100644
--- a/etc/Viber.profile
+++ b/etc/Viber.profile
@@ -5,7 +5,6 @@ include Viber.local
 # Persistent global definitions
 include globals.local
 noblacklist ${HOME}/.ViberPC
 include disable-common.inc
@@ -15,6 +14,7 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+mkdir ${HOME}/.ViberPC
 whitelist ${DOWNLOADS}
 whitelist ${HOME}/.ViberPC
 include whitelist-common.inc
@@ -36,5 +36,4 @@ private-bin sh,bash,dig,awk,Viber
 private-etc hosts,fonts,mailcap,resolv.conf,X11,pulse,alternatives,localtime,nsswitch.conf,ssl,proxychains.conf,pki,ca-certificates,crypto-policies,machine-id,asound.conf
 private-tmp
 env QTWEBENGINE_DISABLE_SANDBOX=1
diff --git a/etc/Xephyr.profile b/etc/Xephyr.profile
index d9b7f8c26..230a88472 100644
--- a/etc/Xephyr.profile
+++ b/etc/Xephyr.profile
@@ -7,16 +7,13 @@ include globals.local
 #
 # This profile will sandbox Xephyr server itself when used with firejail --x11=xephyr.
-# To enable it, create a firejail-Xephyr  symlink in /usr/local/bin:
+# To enable it, create a firejail-Xephyr symlink in /usr/local/bin:
 #
 #    $ sudo ln -s /usr/bin/firejail /usr/local/bin/Xephyr
 #
 # or run "sudo firecfg"
 #
-blacklist /media
 whitelist /var/lib/xkb
 include whitelist-common.inc
@@ -34,10 +31,11 @@ protocol unix
 seccomp
 shell none
+disable-mnt
 # using a private home directory
 private
 # private-bin Xephyr,sh,xkbcomp
 # private-bin Xephyr,sh,xkbcomp,strace,bash,cat,ls
 private-dev
 # private-etc alternatives,ld.so.conf,ld.so.cache,resolv.conf,host.conf,nsswitch.conf,gai.conf,hosts,hostname
-private-tmp
+#private-tmp
diff --git a/etc/Xvfb.profile b/etc/Xvfb.profile
index ed07485d6..3580f8336 100644
--- a/etc/Xvfb.profile
+++ b/etc/Xvfb.profile
@@ -9,7 +9,7 @@ include globals.local
 #
 # This profile will sandbox Xvfb server itself when used with firejail --x11=xvfb.
 # The target program is sandboxed with its own profile. By default the this functionality
-# is disabled. To enable it, create a firejail-Xvfb  symlink in /usr/local/bin:
+# is disabled. To enable it, create a firejail-Xvfb symlink in /usr/local/bin:
 #
 #    $ sudo ln -s /usr/bin/firejail /usr/local/bin/Xvfb
 #
@@ -17,8 +17,6 @@ include globals.local
 # some Linux distributions. Also, older versions of Xpra use Xvfb.
 #
-blacklist /media
 whitelist /var/lib/xkb
 include whitelist-common.inc
@@ -36,6 +34,7 @@ protocol unix
 seccomp
 shell none
+disable-mnt
 # using a private home directory
 private
 # private-bin Xvfb,sh,xkbcomp
diff --git a/etc/allow-java.inc b/etc/allow-java.inc
new file mode 100644
index 000000000..c6ab3b2eb
--- /dev/null
+++ b/etc/allow-java.inc
@@ -0,0 +1,4 @@
+noblacklist ${PATH}/java
+noblacklist /usr/lib/java
+noblacklist /etc/java
+noblacklist /usr/share/java
diff --git a/etc/allow-lua.inc b/etc/allow-lua.inc
new file mode 100644
index 000000000..51d76f9b1
--- /dev/null
+++ b/etc/allow-lua.inc
@@ -0,0 +1,4 @@
+noblacklist ${PATH}/lua*
+noblacklist /usr/include/lua*
+noblacklist /usr/lib/lua
+noblacklist /usr/share/lua
diff --git a/etc/allow-perl.inc b/etc/allow-perl.inc
new file mode 100644
index 000000000..d37328936
--- /dev/null
+++ b/etc/allow-perl.inc
@@ -0,0 +1,7 @@
+noblacklist ${PATH}/cpan*
+noblacklist ${PATH}/core_perl
+noblacklist ${PATH}/perl
+noblacklist ${PATH}/site_perl
+noblacklist ${PATH}/vendor_perl
+noblacklist /usr/lib/perl*
+noblacklist /usr/share/perl*
diff --git a/etc/allow-python2.inc b/etc/allow-python2.inc
new file mode 100644
index 000000000..8ea61648b
--- /dev/null
+++ b/etc/allow-python2.inc
@@ -0,0 +1,5 @@
+noblacklist ${PATH}/python2*
+noblacklist /usr/include/python2*
+noblacklist /usr/lib/python2*
+noblacklist /usr/local/lib/python2*
+noblacklist /usr/share/python2*
diff --git a/etc/allow-python3.inc b/etc/allow-python3.inc
new file mode 100644
index 000000000..91c7ffca4
--- /dev/null
+++ b/etc/allow-python3.inc
@@ -0,0 +1,5 @@
+noblacklist ${PATH}/python3*
+noblacklist /usr/include/python3*
+noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python3*
+noblacklist /usr/share/python3*
diff --git a/etc/amule.profile b/etc/amule.profile
index 7cb2130bb..feb4a5e7e 100644
--- a/etc/amule.profile
+++ b/etc/amule.profile
@@ -6,7 +6,6 @@ include amule.local
 # Persistent global definitions
 include globals.local
 noblacklist ${HOME}/.aMule
 include disable-common.inc
@@ -16,6 +15,7 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+mkdir ${HOME}/.aMule
 whitelist ${DOWNLOADS}
 whitelist ${HOME}/.aMule
 include whitelist-common.inc
diff --git a/etc/anki.profile b/etc/anki.profile
index 6ab95dd52..d50c720f7 100644
--- a/etc/anki.profile
+++ b/etc/anki.profile
@@ -10,12 +10,8 @@ noblacklist ${DOCUMENTS}
 noblacklist ${HOME}/.local/share/Anki2
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
@@ -25,6 +21,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
+mkdir ${HOME}/.local/share/Anki2
 whitelist ${DOCUMENTS}
 whitelist ${HOME}/.local/share/Anki2
 include whitelist-common.inc
diff --git a/etc/arduino.profile b/etc/arduino.profile
index 2ea8445fe..26bd3d0a7 100644
--- a/etc/arduino.profile
+++ b/etc/arduino.profile
@@ -11,11 +11,8 @@ noblacklist ${HOME}/.java
 noblacklist ${HOME}/Arduino
 noblacklist ${DOCUMENTS}
-# Allow access to java
+# Allow java (blacklisted by disable-devel.inc)
-noblacklist ${PATH}/java
+include allow-java.inc
-noblacklist /usr/lib/java
-noblacklist /etc/java
-noblacklist /usr/share/java
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/arm.profile b/etc/arm.profile
index ae93e9665..dd3fa190a 100644
--- a/etc/arm.profile
+++ b/etc/arm.profile
@@ -9,12 +9,8 @@ include globals.local
 noblacklist ${HOME}/.arm
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/assogiate.profile b/etc/assogiate.profile
index 6a9848e83..02a4798f4 100644
--- a/etc/assogiate.profile
+++ b/etc/assogiate.profile
@@ -7,7 +7,6 @@ include assogiate.local
 include globals.local
 noblacklist ${PICTURES}
-whitelist ${PICTURES}
 include disable-common.inc
 include disable-devel.inc
@@ -16,6 +15,8 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
+whitelist ${PICTURES}
 include whitelist-common.inc
 include whitelist-var-common.inc
diff --git a/etc/atool.profile b/etc/atool.profile
index b17498e9d..3df32baac 100644
--- a/etc/atool.profile
+++ b/etc/atool.profile
@@ -7,14 +7,10 @@ include atool.local
 # Persistent global definitions
 include globals.local
-blacklist /tmp/.X11-unix
 # Allow perl (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/cpan*
+include allow-perl.inc
-noblacklist ${PATH}/core_perl
-noblacklist ${PATH}/perl
+blacklist /tmp/.X11-unix
-noblacklist /usr/lib/perl*
-noblacklist /usr/share/perl*
 include disable-common.inc
 # include disable-devel.inc
diff --git a/etc/authenticator.profile b/etc/authenticator.profile
index e08dc12eb..39546112e 100644
--- a/etc/authenticator.profile
+++ b/etc/authenticator.profile
@@ -10,12 +10,8 @@ noblacklist ${HOME}/.cache/Authenticator
 noblacklist ${HOME}/.config/Authenticator
 # Allow python (blacklisted by disable-interpreters.inc)
-#noblacklist ${PATH}/python2*
+#include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-#noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-#noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/autokey-common.profile b/etc/autokey-common.profile
index 44c0a3c15..47396fe43 100644
--- a/etc/autokey-common.profile
+++ b/etc/autokey-common.profile
@@ -10,14 +10,8 @@ noblacklist ${HOME}/.config/autokey
 noblacklist ${HOME}/.local/share/autokey
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
-noblacklist /usr/share/python2*
-noblacklist /usr/share/python3*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/baobab.profile b/etc/baobab.profile
index fc4e7f268..893865edd 100644
--- a/etc/baobab.profile
+++ b/etc/baobab.profile
@@ -33,4 +33,4 @@ private-bin baobab
 private-dev
 private-tmp
-#memory-deny-write-execute  - breaks on Arch
+#memory-deny-write-execute - breaks on Arch
diff --git a/etc/basilisk.profile b/etc/basilisk.profile
index 5f9fc8ef7..5bc91dc74 100644
--- a/etc/basilisk.profile
+++ b/etc/basilisk.profile
@@ -10,7 +10,6 @@ noblacklist ${HOME}/.moonchild productions/basilisk
 mkdir ${HOME}/.cache/moonchild productions/basilisk
 mkdir ${HOME}/.moonchild productions
-whitelist ${DOWNLOADS}
 whitelist ${HOME}/.cache/moonchild productions/basilisk
 whitelist ${HOME}/.moonchild productions
diff --git a/etc/bibletime.profile b/etc/bibletime.profile
index c41aafd47..4f1b05c88 100644
--- a/etc/bibletime.profile
+++ b/etc/bibletime.profile
@@ -6,12 +6,12 @@ include bibletime.local
 # Persistent global definitions
 include globals.local
-blacklist ${HOME}/.bashrc
 noblacklist ${HOME}/.bibletime
 noblacklist ${HOME}/.sword
 noblacklist ${HOME}/.local/share/bibletime
+blacklist ${HOME}/.bashrc
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
diff --git a/etc/bitlbee.profile b/etc/bitlbee.profile
index 2c2f88ed5..287e5f52e 100644
--- a/etc/bitlbee.profile
+++ b/etc/bitlbee.profile
@@ -33,6 +33,6 @@ private
 private-cache
 private-dev
 private-tmp
-read-write /var/lib/bitlbee
 noexec /tmp
+read-write /var/lib/bitlbee
diff --git a/etc/bitwarden.profile b/etc/bitwarden.profile
index 2a6fe9d42..609543e14 100644
--- a/etc/bitwarden.profile
+++ b/etc/bitwarden.profile
@@ -6,9 +6,10 @@ include bitwarden.local
 # Persistent global definitions
 include globals.local
-noblacklist ${HOME}/.config/Bitwarden
 ignore noexec /tmp
+noblacklist ${HOME}/.config/Bitwarden
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -17,11 +18,11 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
-include whitelist-common.inc
+mkdir ${HOME}/.config/Bitwarden
-include whitelist-var-common.inc
 whitelist ${HOME}/.config/Bitwarden
 whitelist ${DOWNLOADS}
+include whitelist-common.inc
+include whitelist-var-common.inc
 apparmor
 caps.drop all
diff --git a/etc/bleachbit.profile b/etc/bleachbit.profile
index cbc8c25d6..47c0cfa48 100644
--- a/etc/bleachbit.profile
+++ b/etc/bleachbit.profile
@@ -7,12 +7,8 @@ include bleachbit.local
 include globals.local
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/blender.profile b/etc/blender.profile
index bfe906408..6a72fb602 100644
--- a/etc/blender.profile
+++ b/etc/blender.profile
@@ -9,12 +9,8 @@ include globals.local
 noblacklist ${HOME}/.config/blender
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/brackets.profile b/etc/brackets.profile
index fa0d7e592..3e157d841 100644
--- a/etc/brackets.profile
+++ b/etc/brackets.profile
@@ -8,7 +8,7 @@ include globals.local
 noblacklist ${HOME}/.config/Brackets
 #noblacklist /opt/brackets/
 #noblacklist /opt/google/
-# Uncomment the the next two lines if you are developing rust.
+# Uncomment the next two lines if you are developing rust.
 # or put it in your brackets.local
 #noblacklist ${HOME}/.cargo/config
 #noblacklist ${HOME}/.cargo/registry
diff --git a/etc/brave-browser.profile b/etc/brave-browser.profile
index 6d9d162fd..e223ecf87 100644
--- a/etc/brave-browser.profile
+++ b/etc/brave-browser.profile
@@ -1,6 +1,5 @@
 # Firejail profile alias for brave
 # This file is overwritten after every install/update
 # Redirect
 include brave.profile
diff --git a/etc/brave.profile b/etc/brave.profile
index cc003d49a..984fab5a8 100644
--- a/etc/brave.profile
+++ b/etc/brave.profile
@@ -6,6 +6,9 @@ include brave.local
 # Persistent global definitions
 include globals.local
+# noexec /tmp is included in chromium-common.profile and breaks Brave
+ignore noexec /tmp
 noblacklist ${HOME}/.config/brave
 noblacklist ${HOME}/.config/BraveSoftware
 # brave uses gpg for built-in password manager
@@ -17,8 +20,5 @@ whitelist ${HOME}/.config/brave
 whitelist ${HOME}/.config/BraveSoftware
 whitelist ${HOME}/.gnupg
-# noexec /tmp is included in chromium-common.profile and breaks Brave
-ignore noexec /tmp
 # Redirect
 include chromium-common.profile
diff --git a/etc/caja.profile b/etc/caja.profile
index f38110dc9..2a95649af 100644
--- a/etc/caja.profile
+++ b/etc/caja.profile
@@ -14,12 +14,8 @@ noblacklist ${HOME}/.local/share/Trash
 # noblacklist ${HOME}/.local/share/caja-python
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/cantata.profile b/etc/cantata.profile
index e4a4de9c1..19abbfea2 100644
--- a/etc/cantata.profile
+++ b/etc/cantata.profile
@@ -11,9 +11,8 @@ noblacklist ${HOME}/.config/cantata
 noblacklist ${HOME}/.local/share/cantata
 noblacklist ${MUSIC}
-noblacklist ${PATH}/perl
+# Allow perl (blacklisted by disable-interpreters.inc)
-noblacklist /usr/lib/perl*
+include allow-perl.inc
-noblacklist /usr/share/perl*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/catfish.profile b/etc/catfish.profile
index 341348ff9..f615b5323 100644
--- a/etc/catfish.profile
+++ b/etc/catfish.profile
@@ -12,12 +12,8 @@ include globals.local
 noblacklist ${HOME}/.config/catfish
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 # include disable-devel.inc
diff --git a/etc/celluloid.profile b/etc/celluloid.profile
index 5604a16b9..190a49588 100644
--- a/etc/celluloid.profile
+++ b/etc/celluloid.profile
@@ -12,12 +12,8 @@ noblacklist ${MUSIC}
 noblacklist ${VIDEOS}
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/checkbashisms.profile b/etc/checkbashisms.profile
index 5afbf2d56..1bb9b1860 100644
--- a/etc/checkbashisms.profile
+++ b/etc/checkbashisms.profile
@@ -10,11 +10,7 @@ include globals.local
 noblacklist ${DOCUMENTS}
 # Allow perl (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/cpan*
+include allow-perl.inc
-noblacklist ${PATH}/core_perl
-noblacklist ${PATH}/perl
-noblacklist /usr/lib/perl*
-noblacklist /usr/share/perl*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/cherrytree.profile b/etc/cherrytree.profile
index 44ef12aa2..70dea5bd9 100644
--- a/etc/cherrytree.profile
+++ b/etc/cherrytree.profile
@@ -10,12 +10,8 @@ noblacklist ${HOME}/.config/cherrytree
 noblacklist ${DOCUMENTS}
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/chromium.profile b/etc/chromium.profile
index dab9ce449..1c977a8ba 100644
--- a/etc/chromium.profile
+++ b/etc/chromium.profile
@@ -12,6 +12,7 @@ noblacklist ${HOME}/.config/chromium-flags.conf
 mkdir ${HOME}/.cache/chromium
 mkdir ${HOME}/.config/chromium
+mkfile ${HOME}/.config/chromium-flags.conf
 whitelist ${HOME}/.cache/chromium
 whitelist ${HOME}/.config/chromium
 whitelist ${HOME}/.config/chromium-flags.conf
diff --git a/etc/clawsker.profile b/etc/clawsker.profile
index c519ecedb..95f15398a 100644
--- a/etc/clawsker.profile
+++ b/etc/clawsker.profile
@@ -9,11 +9,7 @@ include globals.local
 noblacklist ${HOME}/.claws-mail
 # Allow perl (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/cpan*
+include allow-perl.inc
-noblacklist ${PATH}/core_perl
-noblacklist ${PATH}/perl
-noblacklist /usr/lib/perl*
-noblacklist /usr/share/perl*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/conkeror.profile b/etc/conkeror.profile
index 21bef48a4..38edf0d21 100644
--- a/etc/conkeror.profile
+++ b/etc/conkeror.profile
@@ -10,9 +10,10 @@ noblacklist ${HOME}/.conkeror.mozdev.org
 include disable-common.inc
 include disable-programs.inc
+mkdir ${HOME}/.conkeror.mozdev.org
+mkfile ${HOME}/.conkerorrc
 whitelist ${HOME}/.conkeror.mozdev.org
 whitelist ${HOME}/.conkerorrc
-whitelist ${HOME}/.gtkrc-2.0
 whitelist ${HOME}/.lastpass
 whitelist ${HOME}/.pentadactyl
 whitelist ${HOME}/.pentadactylrc
diff --git a/etc/cower.profile b/etc/cower.profile
index bc1eeedc0..69575cea4 100644
--- a/etc/cower.profile
+++ b/etc/cower.profile
@@ -1,20 +1,13 @@
 # Firejail profile for cower
+# Description: a simple AUR agent with a pretentious name
 # This file is overwritten after every install/update
-# This profile could be significantly strengthened by adding the following to cower.local
-# whitelist ${HOME}/<Your Build Folder>
-# whitelist ${HOME}/.config/cower/
 quiet
 # Persistent local customizations
 include cower.local
 # Persistent global definitions
 include globals.local
-noblacklist ${HOME}/.config/cower/config
+noblacklist ${HOME}/.config/cower
-read-only ${HOME}/.config/cower/config
 noblacklist /var/lib/pacman
 include disable-common.inc
@@ -23,6 +16,11 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-xdg.inc
+# This profile could be significantly strengthened by adding the following to cower.local
+# whitelist ${HOME}/<Your Build Folder>
+# whitelist ${HOME}/.config/cower
 caps.drop all
 ipc-namespace
@@ -42,7 +40,9 @@ shell none
 disable-mnt
 private-bin cower
+private-cache
 private-dev
 private-tmp
 memory-deny-write-execute
+read-only ${HOME}/.config/cower/config
diff --git a/etc/cpio.profile b/etc/cpio.profile
index b6f7e7f9f..0bb45f5cd 100644
--- a/etc/cpio.profile
+++ b/etc/cpio.profile
@@ -7,11 +7,11 @@ include cpio.local
 # Persistent global definitions
 include globals.local
-blacklist /tmp/.X11-unix
 noblacklist /sbin
 noblacklist /usr/sbin
+blacklist /tmp/.X11-unix
 include disable-common.inc
 # include disable-devel.inc
 include disable-exec.inc
diff --git a/etc/curl.profile b/etc/curl.profile
index 2703c6fe8..b8b91d278 100644
--- a/etc/curl.profile
+++ b/etc/curl.profile
@@ -7,10 +7,10 @@ include curl.local
 # Persistent global definitions
 include globals.local
-blacklist /tmp/.X11-unix
 noblacklist ${HOME}/.curlrc
+blacklist /tmp/.X11-unix
 include disable-common.inc
 include disable-exec.inc
 include disable-passwdmgr.inc
diff --git a/etc/d-feet.profile b/etc/d-feet.profile
index 9475bdd2a..30749ab40 100644
--- a/etc/d-feet.profile
+++ b/etc/d-feet.profile
@@ -9,12 +9,8 @@ include globals.local
 noblacklist ${HOME}/.config/d-feet
 # Allow python (disabled by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/dconf-editor.profile b/etc/dconf-editor.profile
index 6b7f8f112..7cd39ca6a 100644
--- a/etc/dconf-editor.profile
+++ b/etc/dconf-editor.profile
@@ -6,8 +6,6 @@ include dconf-editor.local
 # Persistent global definitions
 include globals.local
-whitelist ${HOME}/.local/share/glib-2.0
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -16,6 +14,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
+whitelist ${HOME}/.local/share/glib-2.0
 include whitelist-common.inc
 apparmor
@@ -39,7 +38,7 @@ disable-mnt
 private-bin dconf-editor
 private-cache
 private-dev
-private-etc alternatives,fonts,machine-id
+private-etc alternatives,dconf,fonts,gtk-3.0,machine-id
 private-lib
 private-tmp
diff --git a/etc/dconf.profile b/etc/dconf.profile
index 6ffcddaf5..cf8b4ab43 100644
--- a/etc/dconf.profile
+++ b/etc/dconf.profile
@@ -6,8 +6,6 @@ include dconf.local
 # Persistent global definitions
 include globals.local
-whitelist ${HOME}/.local/share/glib-2.0
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -16,6 +14,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
+whitelist ${HOME}/.local/share/glib-2.0
 # dconf paths are whitelisted by the following
 include whitelist-common.inc
diff --git a/etc/deluge.profile b/etc/deluge.profile
index e86c84272..e86255d22 100644
--- a/etc/deluge.profile
+++ b/etc/deluge.profile
@@ -9,12 +9,8 @@ include globals.local
 noblacklist ${HOME}/.config/deluge
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 # include disable-devel.inc
diff --git a/etc/devilspie2.profile b/etc/devilspie2.profile
index 2f599366b..9d67ee76e 100644
--- a/etc/devilspie2.profile
+++ b/etc/devilspie2.profile
@@ -8,6 +8,9 @@ include globals.local
 noblacklist ${HOME}/.config/devilspie2
+# Allow lua (blacklisted by disable-interpreters.inc)
+include allow-lua.inc
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
diff --git a/etc/dex2jar.profile b/etc/dex2jar.profile
index 06a6be3aa..a6fed6c78 100644
--- a/etc/dex2jar.profile
+++ b/etc/dex2jar.profile
@@ -6,11 +6,8 @@ include dex2jar.local
 # Persistent global definitions
 include globals.local
-# Allow access to java
+# Allow java (blacklisted by disable-devel.inc)
-noblacklist ${PATH}/java
+include allow-java.inc
-noblacklist /usr/lib/java
-noblacklist /etc/java
-noblacklist /usr/share/java
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/disable-common.inc b/etc/disable-common.inc
index 9d7a34bc5..9d9be1426 100644
--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -242,6 +242,7 @@ read-only ${HOME}/.ssh/authorized_keys
 # Initialization files that allow arbitrary command execution
 read-only ${HOME}/.caffrc
+read-only ${HOME}/.cargo/env
 read-only ${HOME}/.dotfiles
 read-only ${HOME}/.emacs
 read-only ${HOME}/.emacs.d
@@ -275,7 +276,6 @@ read-only ${HOME}/bin
 read-only ${HOME}/.bin
 read-only ${HOME}/.local/bin
 read-only ${HOME}/.cargo/bin
-read-only ${HOME}/.cargo/env
 blacklist ${HOME}/.cargo/registry
 blacklist ${HOME}/.cargo/config
@@ -414,3 +414,12 @@ blacklist /usr/share/flatpak
 blacklist /var/lib/flatpak
 # most of the time bwrap is SUID binary
 blacklist ${PATH}/bwrap
+# mail directories used by mutt
+blacklist ${HOME}/.Mail
+blacklist ${HOME}/.mail
+blacklist ${HOME}/.signature
+blacklist ${HOME}/Mail
+blacklist ${HOME}/mail
+blacklist ${HOME}/postponed
+blacklist ${HOME}/sent
diff --git a/etc/disable-interpreters.inc b/etc/disable-interpreters.inc
index 22f58bb85..4c4eed25d 100644
--- a/etc/disable-interpreters.inc
+++ b/etc/disable-interpreters.inc
@@ -19,6 +19,8 @@ blacklist ${HOME}/.nvm
 blacklist ${PATH}/cpan*
 blacklist ${PATH}/core_perl
 blacklist ${PATH}/perl
+blacklist ${PATH}/site_perl
+blacklist ${PATH}/vendor_perl
 blacklist /usr/lib/perl*
 blacklist /usr/share/perl*
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index aa1205549..b1e5a9e64 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -7,6 +7,7 @@ blacklist ${HOME}/Monero/wallets
 blacklist ${HOME}/Nextcloud/Notes
 blacklist ${HOME}/SoftMaker
 blacklist ${HOME}/Standard Notes Backups
+blacklist ${HOME}/mps
 blacklist ${HOME}/wallet.dat
 blacklist ${HOME}/.*coin
 blacklist ${HOME}/.8pecxstudios
@@ -94,6 +95,7 @@ blacklist ${HOME}/.config/Nathan Osman
 blacklist ${HOME}/.config/Nylas Mail
 blacklist ${HOME}/.config/PBE
 blacklist ${HOME}/.config/Qlipper
+blacklist ${HOME}/.config/QGIS
 blacklist ${HOME}/.config/QMediathekView
 blacklist ${HOME}/.config/QuiteRss
 blacklist ${HOME}/.config/QuiteRssrc
@@ -117,6 +119,7 @@ blacklist ${HOME}/.config/artha.conf
 blacklist ${HOME}/.config/asunder
 blacklist ${HOME}/.config/atril
 blacklist ${HOME}/.config/audacious
+blacklist ${HOME}/.config/autokey
 blacklist ${HOME}/.config/aweather
 blacklist ${HOME}/.config/baloofilerc
 blacklist ${HOME}/.config/baloorc
@@ -139,6 +142,7 @@ blacklist ${HOME}/.config/clipit
 blacklist ${HOME}/.config/cliqz
 blacklist ${HOME}/.config/cmus
 blacklist ${HOME}/.config/corebird
+blacklist ${HOME}/.config/cower
 blacklist ${HOME}/.config/darktable
 blacklist ${HOME}/.config/deadbeef
 blacklist ${HOME}/.config/deluge
@@ -196,6 +200,7 @@ blacklist ${HOME}/.config/katerc
 blacklist ${HOME}/.config/kateschemarc
 blacklist ${HOME}/.config/katesyntaxhighlightingrc
 blacklist ${HOME}/.config/katevirc
+blacklist ${HOME}/.config/kdeconnect
 blacklist ${HOME}/.config/kdenliverc
 blacklist ${HOME}/.config/kgetrc
 blacklist ${HOME}/.config/kid3rc
@@ -203,12 +208,12 @@ blacklist ${HOME}/.config/klavaro
 blacklist ${HOME}/.config/klipperrc
 blacklist ${HOME}/.config/kmail2rc
 blacklist ${HOME}/.config/kmailsearchindexingrc
-blacklist ${HOME}/.config/kritarc
-blacklist ${HOME}/.config/kwriterc
-blacklist ${HOME}/.config/kdeconnect
 blacklist ${HOME}/.config/knotesrc
 blacklist ${HOME}/.config/konversationrc
+blacklist ${HOME}/.config/kritarc
 blacklist ${HOME}/.config/ktorrentrc
+blacklist ${HOME}/.config/ktouch2rc
+blacklist ${HOME}/.config/kwriterc
 blacklist ${HOME}/.config/leafpad
 blacklist ${HOME}/.config/libreoffice
 blacklist ${HOME}/.config/liferea
@@ -265,6 +270,7 @@ blacklist ${HOME}/.config/redshift.conf
 blacklist ${HOME}/.config/remmina
 blacklist ${HOME}/.config/ristretto
 blacklist ${HOME}/.config/scribus
+blacklist ${HOME}/.config/scribusrc
 blacklist ${HOME}/.config/sinew.in
 blacklist ${HOME}/.config/skypeforlinux
 blacklist ${HOME}/.config/slimjet
@@ -273,17 +279,17 @@ blacklist ${HOME}/.config/smtube
 blacklist ${HOME}/.config/snox
 blacklist ${HOME}/.config/specialmailcollectionsrc
 blacklist ${HOME}/.config/spotify
-blacklist ${HOME}/.config/supertuxkart
 blacklist ${HOME}/.config/sqlitebrowser
 blacklist ${HOME}/.config/stellarium
+blacklist ${HOME}/.config/supertuxkart
 blacklist ${HOME}/.config/synfig
 blacklist ${HOME}/.config/telepathy-account-widgets
 blacklist ${HOME}/.config/torbrowser
 blacklist ${HOME}/.config/totem
 blacklist ${HOME}/.config/tox
 blacklist ${HOME}/.config/transgui
-blacklist ${HOME}/.config/truecraft
 blacklist ${HOME}/.config/transmission
+blacklist ${HOME}/.config/truecraft
 blacklist ${HOME}/.config/uGet
 blacklist ${HOME}/.config/uzbl
 blacklist ${HOME}/.config/viewnior
@@ -307,6 +313,7 @@ blacklist ${HOME}/.config/xreader
 blacklist ${HOME}/.config/xviewer
 blacklist ${HOME}/.config/yandex-browser
 blacklist ${HOME}/.config/yandex-browser-beta
+blacklist ${HOME}/.config/yelp
 blacklist ${HOME}/.config/zathura
 blacklist ${HOME}/.config/zoomus.conf
 blacklist ${HOME}/.conkeror.mozdev.org
@@ -325,7 +332,6 @@ blacklist ${HOME}/.electron-cache
 blacklist ${HOME}/.electrum*
 blacklist ${HOME}/.elinks
 blacklist ${HOME}/.emacs
-blacklist ${HOME}/.emacs
 blacklist ${HOME}/.emacs.d
 blacklist ${HOME}/.ethereum
 blacklist ${HOME}/.etr
@@ -367,10 +373,10 @@ blacklist ${HOME}/.kde/share/apps/kaffeine
 blacklist ${HOME}/.kde/share/apps/kcookiejar
 blacklist ${HOME}/.kde/share/apps/kget
 blacklist ${HOME}/.kde/share/apps/khtml
+blacklist ${HOME}/.kde/share/apps/klatexformula
 blacklist ${HOME}/.kde/share/apps/konqsidebartng
 blacklist ${HOME}/.kde/share/apps/konqueror
 blacklist ${HOME}/.kde/share/apps/kopete
-blacklist ${HOME}/.kde/share/apps/khtml
 blacklist ${HOME}/.kde/share/apps/ktorrent
 blacklist ${HOME}/.kde/share/apps/okular
 blacklist ${HOME}/.kde/share/config/baloofilerc
@@ -423,10 +429,12 @@ blacklist ${HOME}/.kde4/share/config/okularrc
 blacklist ${HOME}/.killingfloor
 blacklist ${HOME}/.kino-history
 blacklist ${HOME}/.kinorc
+blacklist ${HOME}/.klatexformula
 blacklist ${HOME}/.kodi
 blacklist ${HOME}/.lincity-ng
 blacklist ${HOME}/.linphone-history.db
 blacklist ${HOME}/.linphonerc
+blacklist ${HOME}/.links
 blacklist ${HOME}/.lmmsrc.xml
 blacklist ${HOME}/.local/lib/vivaldi
 blacklist ${HOME}/.local/share/0ad
@@ -438,6 +446,7 @@ blacklist ${HOME}/.local/share/JetBrains
 blacklist ${HOME}/.local/share/Mendeley Ltd.
 blacklist ${HOME}/.local/share/Mumble
 blacklist ${HOME}/.local/share/PBE
+blacklist ${HOME}/.local/share/QGIS
 blacklist ${HOME}/.local/share/QMediathekView
 blacklist ${HOME}/.local/share/QuiteRss
 blacklist ${HOME}/.local/share/Ricochet
@@ -450,6 +459,7 @@ blacklist ${HOME}/.local/share/akonadi*
 blacklist ${HOME}/.local/share/akregator
 blacklist ${HOME}/.local/share/apps/korganizer
 blacklist ${HOME}/.local/share/aspyr-media
+blacklist ${HOME}/.local/share/autokey
 blacklist ${HOME}/.local/share/baloo
 blacklist ${HOME}/.local/share/bibletime
 blacklist ${HOME}/.local/share/caja-python
@@ -492,8 +502,9 @@ blacklist ${HOME}/.local/share/klavaro
 blacklist ${HOME}/.local/share/kmail2
 blacklist ${HOME}/.local/share/knotes
 blacklist ${HOME}/.local/share/krita
-blacklist ${HOME}/.local/share/ktorrentrc
 blacklist ${HOME}/.local/share/ktorrent
+blacklist ${HOME}/.local/share/ktorrentrc
+blacklist ${HOME}/.local/share/ktouch
 blacklist ${HOME}/.local/share/kwrite
 blacklist ${HOME}/.local/share/liferea
 blacklist ${HOME}/.local/share/local-mail
@@ -517,13 +528,13 @@ blacklist ${HOME}/.local/share/ocenaudio
 blacklist ${HOME}/.local/share/okular
 blacklist ${HOME}/.local/share/orage
 blacklist ${HOME}/.local/share/org.kde.gwenview
-blacklist ${HOME}/.local/share/rhythmbox
 blacklist ${HOME}/.local/share/pix
 blacklist ${HOME}/.local/share/plasma_notes
 blacklist ${HOME}/.local/share/psi+
 blacklist ${HOME}/.local/share/qpdfview
 blacklist ${HOME}/.local/share/qutebrowser
 blacklist ${HOME}/.local/share/remmina
+blacklist ${HOME}/.local/share/rhythmbox
 blacklist ${HOME}/.local/share/scribus
 blacklist ${HOME}/.local/share/spotify
 blacklist ${HOME}/.local/share/steam
@@ -576,6 +587,7 @@ blacklist ${HOME}/.pingus
 blacklist ${HOME}/.pioneer
 blacklist ${HOME}/.purple
 blacklist ${HOME}/.qemu-launcher
+blacklist ${HOME}/.qgis2
 blacklist ${HOME}/.qmmp
 blacklist ${HOME}/.quodlibet
 blacklist ${HOME}/.redeclipse
@@ -624,8 +636,8 @@ blacklist ${HOME}/.wget-hsts
 blacklist ${HOME}/.wgetrc
 blacklist ${HOME}/.widelands
 blacklist ${HOME}/.wine
-blacklist ${HOME}/.wireshark
 blacklist ${HOME}/.wine64
+blacklist ${HOME}/.wireshark
 blacklist ${HOME}/.xiphos
 blacklist ${HOME}/.xmind
 blacklist ${HOME}/.xmms
diff --git a/etc/display.profile b/etc/display.profile
index 0bab32db1..0b9d685e8 100644
--- a/etc/display.profile
+++ b/etc/display.profile
@@ -8,12 +8,8 @@ include globals.local
 noblacklist ${PICTURES}
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/dnscrypt-proxy.profile b/etc/dnscrypt-proxy.profile
index 0dc0cc793..ffced747b 100644
--- a/etc/dnscrypt-proxy.profile
+++ b/etc/dnscrypt-proxy.profile
@@ -6,11 +6,11 @@ include dnscrypt-proxy.local
 # Persistent global definitions
 include globals.local
-blacklist /tmp/.X11-unix
 noblacklist /sbin
 noblacklist /usr/sbin
+blacklist /tmp/.X11-unix
 include disable-common.inc
 include disable-devel.inc
 include disable-interpreters.inc
diff --git a/etc/dnsmasq.profile b/etc/dnsmasq.profile
index bb41b71d1..daf4795c3 100644
--- a/etc/dnsmasq.profile
+++ b/etc/dnsmasq.profile
@@ -6,11 +6,11 @@ include dnsmasq.local
 # Persistent global definitions
 include globals.local
-blacklist /tmp/.X11-unix
 noblacklist /sbin
 noblacklist /usr/sbin
+blacklist /tmp/.X11-unix
 include disable-common.inc
 include disable-devel.inc
 include disable-interpreters.inc
diff --git a/etc/dooble.profile b/etc/dooble.profile
index 80bcce463..bc197b223 100644
--- a/etc/dooble.profile
+++ b/etc/dooble.profile
@@ -1,11 +1,12 @@
 # Firejail profile for dooble
 # This file is overwritten after every install/update
 # Persistent local customizations
+include dooble.local
+# Backward compatibility
 include dooble-qt4.local
 # Persistent global definitions
 include globals.local
 noblacklist ${HOME}/.dooble
 include disable-common.inc
diff --git a/etc/electrum.profile b/etc/electrum.profile
index ffa0fb5f6..ab554b21f 100644
--- a/etc/electrum.profile
+++ b/etc/electrum.profile
@@ -9,12 +9,8 @@ include globals.local
 noblacklist ${HOME}/.electrum
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/elinks.profile b/etc/elinks.profile
index 842a0db04..980fa7617 100644
--- a/etc/elinks.profile
+++ b/etc/elinks.profile
@@ -6,10 +6,10 @@ include elinks.local
 # Persistent global definitions
 include globals.local
-blacklist /tmp/.X11-unix
 noblacklist ${HOME}/.elinks
+blacklist /tmp/.X11-unix
 include disable-common.inc
 include disable-devel.inc
 include disable-interpreters.inc
diff --git a/etc/enpass.profile b/etc/enpass.profile
index b337c721d..4ac35bbd6 100644
--- a/etc/enpass.profile
+++ b/etc/enpass.profile
@@ -20,12 +20,16 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
+mkdir ${HOME}/.cache/Enpass
+mkfile ${HOME}/.config/sinew.in
+mkdir ${HOME}/.config/Sinew Software Systems
+mkdir ${HOME}/.local/share/Enpass
 whitelist ${HOME}/.cache/Enpass
 whitelist ${HOME}/.config/sinew.in
 whitelist ${HOME}/.config/Sinew Software Systems
 whitelist ${HOME}/.local/share/Enpass
 whitelist ${DOCUMENTS}
+include whitelist-common.inc
 include whitelist-var-common.inc
 # machine-id and nosound break audio notification functionality
diff --git a/etc/exfalso.profile b/etc/exfalso.profile
index 6146a8952..978629452 100644
--- a/etc/exfalso.profile
+++ b/etc/exfalso.profile
@@ -10,12 +10,8 @@ noblacklist ${HOME}/.quodlibet
 noblacklist ${MUSIC}
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/exiftool.profile b/etc/exiftool.profile
index 2ee4aae6f..52e090b89 100644
--- a/etc/exiftool.profile
+++ b/etc/exiftool.profile
@@ -6,12 +6,10 @@ include exiftool.local
 # Persistent global definitions
 include globals.local
-blacklist /tmp/.X11-unix
+# Allow perl (blacklisted by disable-interpreters.inc)
+include allow-perl.inc
-# Allow access to perl
+blacklist /tmp/.X11-unix
-noblacklist ${PATH}/perl
-noblacklist /usr/lib/perl*
-noblacklist /usr/share/perl*
 include disable-common.inc
 include disable-devel.inc
@@ -41,7 +39,7 @@ shell none
 tracelog
 # To support exiftool in private-bin on Arch Linux (and derivatives), symlink /usr/bin/vendor_perl/exiftool to /usr/bin/exiftool and uncomment the below.
-# Users on non-Arch Linux distributions can safely uncomment the below to enable extra hardening.
+# Users on non-Arch Linux distributions can safely uncomment (or put in exiftool.local) the line below to enable extra hardening.
 #private-bin exiftool,perl
 private-cache
 private-dev
diff --git a/etc/falkon.profile b/etc/falkon.profile
index af6aaa1a7..cabf5aeba 100644
--- a/etc/falkon.profile
+++ b/etc/falkon.profile
@@ -16,6 +16,8 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+mkdir ${HOME}/.cache/falkon
+mkdir ${HOME}/.config/falkon
 whitelist ${DOWNLOADS}
 whitelist ${HOME}/.cache/falkon
 whitelist ${HOME}/.config/falkon
diff --git a/etc/filezilla.profile b/etc/filezilla.profile
index d1bebafb5..af535880d 100644
--- a/etc/filezilla.profile
+++ b/etc/filezilla.profile
@@ -10,12 +10,8 @@ noblacklist ${HOME}/.config/filezilla
 noblacklist ${HOME}/.filezilla
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/firefox-common-addons.inc b/etc/firefox-common-addons.inc
index 7a0c3e99f..7d9e512b2 100644
--- a/etc/firefox-common-addons.inc
+++ b/etc/firefox-common-addons.inc
@@ -56,8 +56,7 @@ whitelist ${HOME}/dwhelper
 noblacklist ${HOME}/.local/share/gnome-shell
 whitelist ${HOME}/.local/share/gnome-shell
 ignore nodbus
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python3*
 # Flash plugin
 # private-etc must first be enabled in firefox-common.profile and in profiles including it.
diff --git a/etc/firefox-common.profile b/etc/firefox-common.profile
index 080d9e81a..bccbb3412 100644
--- a/etc/firefox-common.profile
+++ b/etc/firefox-common.profile
@@ -9,7 +9,7 @@ include firefox-common.local
 # noexec ${HOME} breaks DRM binaries.
 ?BROWSER_ALLOW_DRM: ignore noexec ${HOME}
-# Uncomment the following line to allow access to common programs/addons/plugins.
+# Uncomment the following line (or put it in your firefox-common.local) to allow access to common programs/addons/plugins.
 #include firefox-common-addons.inc
 noblacklist ${HOME}/.pki
diff --git a/etc/firejail.config b/etc/firejail.config
index 497d9633e..92df8ad1a 100644
--- a/etc/firejail.config
+++ b/etc/firejail.config
@@ -32,7 +32,7 @@
 # Disable /mnt, /media, /run/mount and /run/media access. By default access
 # to these directories is enabled. Unlike --disable-mnt profile option this
-# cannot be overridden by --noblacklist.
+# cannot be overridden by --noblacklist or --ignore.
 # disable-mnt no
 # Enable or disable file transfer support, default enabled.
diff --git a/etc/flowblade.profile b/etc/flowblade.profile
index 1e84d4ca6..40472ab93 100644
--- a/etc/flowblade.profile
+++ b/etc/flowblade.profile
@@ -10,12 +10,8 @@ noblacklist ${HOME}/.config/flowblade
 noblacklist ${HOME}/.flowblade
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/font-manager.profile b/etc/font-manager.profile
index 98952e1cc..a1280124a 100644
--- a/etc/font-manager.profile
+++ b/etc/font-manager.profile
@@ -10,12 +10,8 @@ noblacklist ${HOME}/.cache/font-manager
 noblacklist ${HOME}/.config/font-manager
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/fontforge.profile b/etc/fontforge.profile
index f98ad9983..6d305e2af 100644
--- a/etc/fontforge.profile
+++ b/etc/fontforge.profile
@@ -10,12 +10,8 @@ noblacklist ${HOME}/.FontForge
 noblacklist ${DOCUMENTS}
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/franz.profile b/etc/franz.profile
index d6445ff8e..e917e5517 100644
--- a/etc/franz.profile
+++ b/etc/franz.profile
@@ -5,6 +5,8 @@ include franz.local
 # Persistent global definitions
 include globals.local
+ignore noexec /tmp
 noblacklist ${HOME}/.cache/Franz
 noblacklist ${HOME}/.config/Franz
 noblacklist ${HOME}/.pki
@@ -12,6 +14,7 @@ noblacklist ${HOME}/.local/share/pki
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-programs.inc
@@ -41,5 +44,3 @@ shell none
 disable-mnt
 private-dev
 private-tmp
-noexec ${HOME}
diff --git a/etc/freecol.profile b/etc/freecol.profile
index 7987cc076..2d2853c9c 100644
--- a/etc/freecol.profile
+++ b/etc/freecol.profile
@@ -12,11 +12,8 @@ noblacklist ${HOME}/.cache/freecol
 noblacklist ${HOME}/.config/freecol
 noblacklist ${HOME}/.local/share/freecol
-# Allow access to java
+# Allow java (blacklisted by disable-devel.inc)
-noblacklist ${PATH}/java
+include allow-java.inc
-noblacklist /usr/lib/java
-noblacklist /etc/java
-noblacklist /usr/share/java
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/freemind.profile b/etc/freemind.profile
index 507bd564d..7ab4ae129 100644
--- a/etc/freemind.profile
+++ b/etc/freemind.profile
@@ -7,12 +7,11 @@ include freemind.local
 include globals.local
 noblacklist ${DOCUMENTS}
-noblacklist ${PATH}/java
-noblacklist /etc/java
-noblacklist /usr/lib/java
-noblacklist /usr/share/java
 noblacklist ${HOME}/.freemind
+# Allow java (blacklisted by disable-devel.inc)
+include allow-java.inc
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
diff --git a/etc/frozen-bubble.profile b/etc/frozen-bubble.profile
index 6de61840c..9596bc610 100644
--- a/etc/frozen-bubble.profile
+++ b/etc/frozen-bubble.profile
@@ -9,11 +9,7 @@ include globals.local
 noblacklist ${HOME}/.frozen-bubble
 # Allow perl (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/cpan*
+include allow-perl.inc
-noblacklist ${PATH}/core_perl
-noblacklist ${PATH}/perl
-noblacklist /usr/lib/perl*
-noblacklist /usr/share/perl*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/gajim.profile b/etc/gajim.profile
index 238b4fca9..75d2f0774 100644
--- a/etc/gajim.profile
+++ b/etc/gajim.profile
@@ -11,12 +11,8 @@ noblacklist ${HOME}/.config/gajim
 noblacklist ${HOME}/.local/share/gajim
 # Allow python (blacklisted by disable-interpreters.inc)
-#noblacklist ${PATH}/python2*
+#include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-#noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-#noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/gconf.profile b/etc/gconf.profile
index 5cc6b87a0..a795afa17 100644
--- a/etc/gconf.profile
+++ b/etc/gconf.profile
@@ -9,12 +9,8 @@ include globals.local
 noblacklist ${HOME}/.config/gconf
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-#noblacklist ${PATH}/python3*
+#include allow-python3.inc
-noblacklist /usr/lib/python2*
-#noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-#noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/geary.profile b/etc/geary.profile
index a21eed9f1..a446c81d0 100644
--- a/etc/geary.profile
+++ b/etc/geary.profile
@@ -4,27 +4,25 @@
 # Persistent local customizations
 include geary.local
 # Persistent global definitions
-include globals.local
+# added by included profile
+#include globals.local
 # Users have Geary set to open a browser by clicking a link in an email
 # We are not allowed to blacklist browser-specific directories
+ignore nodbus
+ignore private-tmp
 noblacklist ${HOME}/.gnupg
 noblacklist ${HOME}/.local/share/geary
 mkdir ${HOME}/.gnupg
 mkdir ${HOME}/.config/geary
 mkdir ${HOME}/.local/share/geary
 whitelist ${HOME}/.gnupg
 whitelist ${HOME}/.config/geary
 whitelist ${HOME}/.local/share/geary
-include whitelist-common.inc
-ignore nodbus
-ignore private-tmp
 read-only ${HOME}/.config/mimeapps.list
 # allow browsers
diff --git a/etc/gimp.profile b/etc/gimp.profile
index 91001cd30..762e743c8 100644
--- a/etc/gimp.profile
+++ b/etc/gimp.profile
@@ -7,7 +7,8 @@ include gimp.local
 include globals.local
 # gimp plugins are installed by the user in ${HOME}/.gimp-2.8/plug-ins/ directory
-# if you are not using external plugins, you can disable ignore noexec statement below
+# if you are not using external plugins, you can comment 'ignore noexec' statement below
+# or put 'ignore ignore noexec ${HOME}' in your gimp.local
 ignore noexec ${HOME}
 noblacklist ${HOME}/.config/GIMP
diff --git a/etc/git.profile b/etc/git.profile
index 0eb69faed..f7c812e65 100644
--- a/etc/git.profile
+++ b/etc/git.profile
@@ -7,8 +7,6 @@ include git.local
 # Persistent global definitions
 include globals.local
-blacklist /tmp/.X11-unix
 noblacklist ${HOME}/.config/git
 noblacklist ${HOME}/.config/nano
 noblacklist ${HOME}/.emacs
@@ -22,6 +20,8 @@ noblacklist ${HOME}/.ssh
 noblacklist ${HOME}/.vim
 noblacklist ${HOME}/.viminfo
+blacklist /tmp/.X11-unix
 include disable-common.inc
 include disable-exec.inc
 include disable-passwdmgr.inc
diff --git a/etc/gnome-chess.profile b/etc/gnome-chess.profile
index 2f4626891..04409a5e4 100644
--- a/etc/gnome-chess.profile
+++ b/etc/gnome-chess.profile
@@ -18,7 +18,10 @@ include disable-xdg.inc
 include whitelist-var-common.inc
+apparmor
 caps.drop all
+machine-id
+net none
 no3d
 nodvd
 nogroups
@@ -35,6 +38,7 @@ tracelog
 disable-mnt
 private-bin fairymax,gnome-chess,hoichess,gnuchess
+private-cache
 private-dev
-private-etc alternatives,fonts,gnome-chess
+private-etc alternatives,dconf,fonts,gnome-chess,gtk-3.0
 private-tmp
diff --git a/etc/gnome-music.profile b/etc/gnome-music.profile
index 6bebeb526..f843452c9 100644
--- a/etc/gnome-music.profile
+++ b/etc/gnome-music.profile
@@ -10,12 +10,8 @@ noblacklist ${HOME}/.local/share/gnome-music
 noblacklist ${MUSIC}
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/gnome-schedule.profile b/etc/gnome-schedule.profile
index 931efbbab..08256f3a5 100644
--- a/etc/gnome-schedule.profile
+++ b/etc/gnome-schedule.profile
@@ -36,12 +36,8 @@ noblacklist ${PATH}/xfce4-terminal
 noblacklist ${PATH}/xfce4-terminal.wrapper
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/google-play-music-desktop-player.profile b/etc/google-play-music-desktop-player.profile
index 4932c9e42..daa385234 100644
--- a/etc/google-play-music-desktop-player.profile
+++ b/etc/google-play-music-desktop-player.profile
@@ -5,14 +5,19 @@ include google-play-music-desktop-player.local
 # Persistent global definitions
 include globals.local
+# noexec /tmp breaks mpris support
+ignore noexec /tmp
 noblacklist ${HOME}/.config/Google Play Music Desktop Player
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+mkdir ${HOME}/.config/Google Play Music Desktop Player
 # whitelist ${HOME}/.config/pulse
 # whitelist ${HOME}/.pulse
 whitelist ${HOME}/.config/Google Play Music Desktop Player
@@ -35,7 +40,3 @@ shell none
 disable-mnt
 private-dev
 private-tmp
-noexec ${HOME}
-# noexec /tmp breaks mpris support
-#noexec /tmp
diff --git a/etc/gpg-agent.profile b/etc/gpg-agent.profile
index 7181837d5..61b485df5 100644
--- a/etc/gpg-agent.profile
+++ b/etc/gpg-agent.profile
@@ -6,10 +6,10 @@ include gpg-agent.local
 # Persistent global definitions
 include globals.local
-blacklist /tmp/.X11-unix
 noblacklist ${HOME}/.gnupg
+blacklist /tmp/.X11-unix
 include disable-common.inc
 include disable-devel.inc
 include disable-interpreters.inc
diff --git a/etc/gpg.profile b/etc/gpg.profile
index 47e6e5265..99ad1b888 100644
--- a/etc/gpg.profile
+++ b/etc/gpg.profile
@@ -6,10 +6,10 @@ include gpg.local
 # Persistent global definitions
 include globals.local
-blacklist /tmp/.X11-unix
 noblacklist ${HOME}/.gnupg
+blacklist /tmp/.X11-unix
 include disable-common.inc
 include disable-devel.inc
 include disable-interpreters.inc
@@ -29,8 +29,7 @@ nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
-# Causes gpg to hang
+shell none
-#shell none
 tracelog
 # private-bin gpg,gpg-agent
diff --git a/etc/gpredict.profile b/etc/gpredict.profile
index be3742fe3..e6d37ee27 100644
--- a/etc/gpredict.profile
+++ b/etc/gpredict.profile
@@ -15,6 +15,7 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+mkdir ${HOME}/.config/Gpredict
 whitelist ${HOME}/.config/Gpredict
 include whitelist-common.inc
diff --git a/etc/gramps.profile b/etc/gramps.profile
index 764c14b60..54b154964 100644
--- a/etc/gramps.profile
+++ b/etc/gramps.profile
@@ -9,12 +9,8 @@ include globals.local
 noblacklist ${HOME}/.gramps
 # Allow python (blacklisted by disable-interpreters.inc)
-#noblacklist ${PATH}/python2*
+#include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-#noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-#noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/gzip.profile b/etc/gzip.profile
index 27e262f87..810684eae 100644
--- a/etc/gzip.profile
+++ b/etc/gzip.profile
@@ -9,12 +9,15 @@ include globals.local
 blacklist /tmp/.X11-unix
+include disable-common.inc
+include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
+include disable-passwdmgr.inc
-ignore noroot
+include disable-programs.inc
 apparmor
+caps.drop all
 hostname gzip
 ipc-namespace
 machine-id
@@ -23,10 +26,14 @@ no3d
 nodbus
 nodvd
 nogroups
+nonewprivs
+#noroot
 nosound
 notv
 nou2f
 novideo
+protocol unix
+seccomp
 shell none
 tracelog
@@ -34,5 +41,3 @@ private-cache
 private-dev
 memory-deny-write-execute
-include default.profile
diff --git a/etc/hexchat.profile b/etc/hexchat.profile
index ee70e6655..d032c93e6 100644
--- a/etc/hexchat.profile
+++ b/etc/hexchat.profile
@@ -10,12 +10,8 @@ noblacklist ${HOME}/.config/hexchat
 noblacklist /usr/share/perl*
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/imagej.profile b/etc/imagej.profile
index 9d0ab43a0..be656bafa 100644
--- a/etc/imagej.profile
+++ b/etc/imagej.profile
@@ -8,11 +8,8 @@ include globals.local
 noblacklist ${HOME}/.imagej
-# Allow access to java
+# Allow java (blacklisted by disable-devel.inc)
-noblacklist ${PATH}/java
+include allow-java.inc
-noblacklist /usr/lib/java
-noblacklist /etc/java
-noblacklist /usr/share/java
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/inkscape.profile b/etc/inkscape.profile
index ecc5e5d35..bc0377e53 100644
--- a/etc/inkscape.profile
+++ b/etc/inkscape.profile
@@ -13,12 +13,8 @@ noblacklist ${DOCUMENTS}
 noblacklist ${PICTURES}
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/jd-gui.profile b/etc/jd-gui.profile
index dce44e5d4..8442c6ed7 100644
--- a/etc/jd-gui.profile
+++ b/etc/jd-gui.profile
@@ -8,11 +8,8 @@ include globals.local
 noblacklist ${HOME}/.config/jd-gui.cfg
 noblacklist ${HOME}/.java
-# Allow access to java
+# Allow java (blacklisted by disable-devel.inc)
-noblacklist ${PATH}/java
+include allow-java.inc
-noblacklist /usr/lib/java
-noblacklist /etc/java
-noblacklist /usr/share/java
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/jitsi.profile b/etc/jitsi.profile
index 5a575bb71..223c360b8 100644
--- a/etc/jitsi.profile
+++ b/etc/jitsi.profile
@@ -7,11 +7,8 @@ include globals.local
 noblacklist ${HOME}/.jitsi
-# Allow access to java
+# Allow java (blacklisted by disable-devel.inc)
-noblacklist ${PATH}/java
+include allow-java.inc
-noblacklist /usr/lib/java
-noblacklist /etc/java
-noblacklist /usr/share/java
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/klatexformula.profile b/etc/klatexformula.profile
new file mode 100644
index 000000000..d584f6a56
--- /dev/null
+++ b/etc/klatexformula.profile
@@ -0,0 +1,43 @@
+# Firejail profile for klatexformula
+# Description: generating images from LaTeX equations
+# This file is overwritten after every install/update
+# Persistent local customizations
+include klatexformula.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.kde/share/apps/klatexformula
+noblacklist ${HOME}/.klatexformula
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+apparmor
+caps.drop all
+machine-id
+net none
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+private-cache
+private-dev
+private-tmp
diff --git a/etc/klatexformula_cmdl.profile b/etc/klatexformula_cmdl.profile
new file mode 100644
index 000000000..9137963c4
--- /dev/null
+++ b/etc/klatexformula_cmdl.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for klatexformula_cmdl
+# This file is overwritten after every install/update
+# Redirect
+include klatexformula.profile
diff --git a/etc/kodi.profile b/etc/kodi.profile
index dad085967..86afe46b5 100644
--- a/etc/kodi.profile
+++ b/etc/kodi.profile
@@ -15,12 +15,8 @@ noblacklist ${PICTURES}
 noblacklist ${VIDEOS}
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/krita.profile b/etc/krita.profile
index 8f275f8df..49c36274a 100644
--- a/etc/krita.profile
+++ b/etc/krita.profile
@@ -15,12 +15,8 @@ noblacklist ${DOCUMENTS}
 noblacklist ${PICTURES}
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/ktouch.profile b/etc/ktouch.profile
new file mode 100644
index 000000000..446bc50ee
--- /dev/null
+++ b/etc/ktouch.profile
@@ -0,0 +1,50 @@
+# Firejail profile for KTouch
+# Description: a typing tutor by KDE
+# This file is overwritten after every install/update
+# Persistent local customizations
+include ktouch.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.config/ktouch2rc
+noblacklist ${HOME}/.local/share/ktouch
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+mkfile ${HOME}/.config/ktouch2rc
+mkdir ${HOME}/.local/share/ktouch
+whitelist ${HOME}/.config/ktouch2rc
+whitelist ${HOME}/.local/share/ktouch
+include whitelist-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+machine-id
+net none
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,netlink
+seccomp
+shell none
+tracelog
+disable-mnt
+private-bin ktouch
+private-cache
+private-dev
+private-etc alternatives,fonts,kde5rc,machine-id
+private-tmp
diff --git a/etc/less.profile b/etc/less.profile
index 5ad7cb959..bc85e5ad5 100644
--- a/etc/less.profile
+++ b/etc/less.profile
@@ -5,24 +5,33 @@ quiet
 # Persistent local customizations
 include less.local
 # Persistent global definitions
-# added by included profile
+include globals.local
-#include globals.local
 blacklist /tmp/.X11-unix
+include disable-common.inc
+include disable-devel.inc
 include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
-ignore noroot
 apparmor
+caps.drop all
 ipc-namespace
 machine-id
 net none
 no3d
 nodbus
 nodvd
+nonewprivs
+#noroot
 nosound
 notv
 nou2f
 novideo
+protocol unix
+seccomp
 shell none
 tracelog
 writable-var-log
@@ -35,5 +44,3 @@ private-cache
 private-dev
 memory-deny-write-execute
-include default.profile
diff --git a/etc/libreoffice.profile b/etc/libreoffice.profile
index 6e77cd741..05dfd4ca6 100644
--- a/etc/libreoffice.profile
+++ b/etc/libreoffice.profile
@@ -10,12 +10,10 @@ noblacklist ${HOME}/.java
 noblacklist /usr/local/sbin
 noblacklist ${HOME}/.config/libreoffice
-# libreoffice uses java; if you don't care about java functionality,
+# libreoffice uses java for some certain operations
-# comment the next four lines
+# comment if you don't care about java functionality
-noblacklist ${PATH}/java
+# Allow java (blacklisted by disable-devel.inc)
-noblacklist /usr/lib/java
+include allow-java.inc
-noblacklist /etc/java
-noblacklist /usr/share/java
 include disable-common.inc
 include disable-devel.inc
@@ -29,9 +27,7 @@ include whitelist-var-common.inc
 # comment the next line to use the ubuntu profile instead of firejail's apparmor profile
 apparmor
 caps.drop all
-#machine-id
 netfilter
-#nodbus
 nodvd
 nogroups
 # comment nonewprivs when using the ubuntu 18.04/debian 10 apparmor profile
@@ -50,5 +46,4 @@ tracelog
 private-dev
 private-tmp
 join-or-start libreoffice
diff --git a/etc/liferea.profile b/etc/liferea.profile
index e778d7b55..70d317199 100644
--- a/etc/liferea.profile
+++ b/etc/liferea.profile
@@ -11,12 +11,8 @@ noblacklist ${HOME}/.config/liferea
 noblacklist ${HOME}/.local/share/liferea
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/links.profile b/etc/links.profile
new file mode 100644
index 000000000..bd0b0cc92
--- /dev/null
+++ b/etc/links.profile
@@ -0,0 +1,64 @@
+# Firejail profile for links
+# Description: Text WWW browser
+# This file is overwritten after every install/update
+# Persistent local customizations
+include links.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.links
+blacklist /tmp/.X11-unix
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+# you may want to noblacklist files/directories blacklisted in
+# disable-programs.inc and used as associated programs
+include disable-programs.inc
+include disable-xdg.inc
+mkdir ${HOME}/.links
+whitelist ${HOME}/.links
+whitelist ${DOWNLOADS}
+include whitelist-var-common.inc
+caps.drop all
+ipc-namespace
+# comment machine-id (or put 'ignore machine-id' in your links.local) if you want
+# to allow access only to user-configured associated media player
+machine-id
+netfilter
+# comment no3d (or put 'ignore no3d' in your links.local) if you want
+# to allow access only to user-configured associated media player
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+# comment nosound (or put 'ignore nosound' in your links.local) if you want
+# to allow access only to user-configured associated media player
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+disable-mnt
+# if you want to use user-configured programs add 'private-bin PROGRAM1,PROGRAM2' to your links.local
+# or append 'PROGRAM1,PROGRAM2' to this private-bin line
+private-bin links,sh
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,nsswitch.conf,pki,resolv.conf,ssl
+# Uncomment the following line (or put it in your links.local) allow external
+# media players
+# private-etc alsa,asound.conf,machine-id,openal,pulse
+private-tmp
+memory-deny-write-execute
diff --git a/etc/lollypop.profile b/etc/lollypop.profile
index 76b8ed75c..6667815b9 100644
--- a/etc/lollypop.profile
+++ b/etc/lollypop.profile
@@ -10,12 +10,8 @@ noblacklist ${HOME}/.local/share/lollypop
 noblacklist ${MUSIC}
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/macrofusion.profile b/etc/macrofusion.profile
index 7d42f2bfe..f7a059f50 100644
--- a/etc/macrofusion.profile
+++ b/etc/macrofusion.profile
@@ -9,12 +9,8 @@ noblacklist ${HOME}/.config/mfusion
 noblacklist ${PICTURES}
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/masterpdfeditor.profile b/etc/masterpdfeditor.profile
index ce6486115..e4da0c66a 100644
--- a/etc/masterpdfeditor.profile
+++ b/etc/masterpdfeditor.profile
@@ -20,9 +20,7 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
-ipc-namespace
 machine-id
-no3d
 nodvd
 nogroups
 nonewprivs
@@ -36,7 +34,6 @@ seccomp
 shell none
 tracelog
-private-bin masterpdfedito*
 private-cache
 private-dev
 private-etc alternatives,fonts
diff --git a/etc/mate-calc.profile b/etc/mate-calc.profile
index ac5577b4c..2f6020ad3 100644
--- a/etc/mate-calc.profile
+++ b/etc/mate-calc.profile
@@ -15,12 +15,13 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+mkdir ${HOME}/.cache/mate-calc
+mkdir ${HOME}/.config/caja
+mkdir ${HOME}/.config/mate-menu
 whitelist ${HOME}/.cache/mate-calc
 whitelist ${HOME}/.config/caja
-whitelist ${HOME}/.config/gtk-3.0
-whitelist ${HOME}/.config/dconf
 whitelist ${HOME}/.config/mate-menu
-whitelist ${HOME}/.themes
+include whitelist-common.inc
 caps.drop all
 net none
@@ -40,7 +41,7 @@ shell none
 disable-mnt
 private-bin mate-calc,mate-calculator
-private-etc alternatives,fonts
+private-etc alternatives,dconf,fonts,gtk-3.0
 private-dev
 private-opt none
 private-tmp
diff --git a/etc/mate-color-select.profile b/etc/mate-color-select.profile
index bd3631445..f1a7ca18f 100644
--- a/etc/mate-color-select.profile
+++ b/etc/mate-color-select.profile
@@ -5,7 +5,6 @@ include mate-color-select.local
 # Persistent global definitions
 include globals.local
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -13,10 +12,7 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
-whitelist ${HOME}/.config/gtk-3.0
+include whitelist-common.inc
-whitelist ${HOME}/.fonts
-whitelist ${HOME}/.icons
-whitelist ${HOME}/.themes
 caps.drop all
 netfilter
diff --git a/etc/mate-dictionary.profile b/etc/mate-dictionary.profile
index 1217910a0..d1dc76260 100644
--- a/etc/mate-dictionary.profile
+++ b/etc/mate-dictionary.profile
@@ -14,11 +14,9 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+mkdir ${HOME}/.config/mate/mate-dictionary
 whitelist ${HOME}/.config/mate/mate-dictionary
-whitelist ${HOME}/.config/gtk-3.0
+include whitelist-common.inc
-whitelist ${HOME}/.fonts
-whitelist ${HOME}/.icons
-whitelist ${HOME}/.themes
 caps.drop all
 netfilter
diff --git a/etc/mediathekview.profile b/etc/mediathekview.profile
index 497014dab..4ebb5429a 100644
--- a/etc/mediathekview.profile
+++ b/etc/mediathekview.profile
@@ -18,11 +18,8 @@ noblacklist ${HOME}/.mediathek3
 noblacklist ${HOME}/.mplayer
 noblacklist ${VIDEOS}
-# Allow access to java
+# Allow java (blacklisted by disable-devel.inc)
-noblacklist ${PATH}/java
+include allow-java.inc
-noblacklist /usr/lib/java
-noblacklist /etc/java
-noblacklist /usr/share/java
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/meld.profile b/etc/meld.profile
index 14e0f238d..34b1f22de 100644
--- a/etc/meld.profile
+++ b/etc/meld.profile
@@ -6,22 +6,17 @@ include meld.local
 # Persistent global definitions
 include globals.local
-noblacklist ${HOME}/.local/share/meld
-# Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
-noblacklist ${PATH}/python3*
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 noblacklist ${HOME}/.config/git
 noblacklist ${HOME}/.gitconfig
 noblacklist ${HOME}/.git-credentials
+noblacklist ${HOME}/.local/share/meld
 noblacklist ${HOME}/.ssh
 noblacklist ${HOME}/.subversion
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
 # Uncomment the next line (or put it into your meld.local) if you don't need to compare files in disable-common.inc.
 #include disable-common.inc
 include disable-devel.inc
@@ -59,3 +54,4 @@ private-dev
 #private-etc alternatives,ca-certificates,crypto-policies,fonts,hostname,hosts,pki,resolv.conf,ssl,subversion
 private-tmp
+read-only ${HOME}/.ssh
diff --git a/etc/mendeleydesktop.profile b/etc/mendeleydesktop.profile
index d54371371..ed6cc3ae0 100644
--- a/etc/mendeleydesktop.profile
+++ b/etc/mendeleydesktop.profile
@@ -15,12 +15,8 @@ noblacklist ${HOME}/.pki
 noblacklist ${HOME}/.local/share/pki
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/meteo-qt.profile b/etc/meteo-qt.profile
index a769a97ec..4437d86ea 100644
--- a/etc/meteo-qt.profile
+++ b/etc/meteo-qt.profile
@@ -10,9 +10,7 @@ noblacklist ${HOME}/.config/autostart
 noblacklist ${HOME}/.config/meteo-qt
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
@@ -22,8 +20,8 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
-whitelist ${HOME}/.config/autostart
 mkdir ${HOME}/.config/meteo-qt
+whitelist ${HOME}/.config/autostart
 whitelist ${HOME}/.config/meteo-qt
 include whitelist-common.inc
 include whitelist-var-common.inc
diff --git a/etc/midori.profile b/etc/midori.profile
index e4d39cd70..ffae4919f 100644
--- a/etc/midori.profile
+++ b/etc/midori.profile
@@ -6,6 +6,9 @@ include midori.local
 # Persistent global definitions
 include globals.local
+# noexec ${HOME} breaks DRM binaries.
+?BROWSER_ALLOW_DRM: ignore noexec ${HOME}
 noblacklist ${HOME}/.config/midori
 noblacklist ${HOME}/.local/share/midori
 # noblacklist ${HOME}/.local/share/webkit
@@ -13,9 +16,6 @@ noblacklist ${HOME}/.local/share/midori
 noblacklist ${HOME}/.pki
 noblacklist ${HOME}/.local/share/pki
-# noexec ${HOME} breaks DRM binaries.
-?BROWSER_ALLOW_DRM: ignore noexec ${HOME}
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
diff --git a/etc/mpDris2.profile b/etc/mpDris2.profile
index 81bf88b8b..db2bb6a93 100644
--- a/etc/mpDris2.profile
+++ b/etc/mpDris2.profile
@@ -9,12 +9,8 @@ include globals.local
 noblacklist ${HOME}/.config/mpDris2
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/mpsyt.profile b/etc/mpsyt.profile
index 0808c5a1a..775e137bc 100644
--- a/etc/mpsyt.profile
+++ b/etc/mpsyt.profile
@@ -6,14 +6,6 @@ include mpsyt.local
 # Persistent global definitions
 include globals.local
-# Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
-noblacklist ${PATH}/python3*
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 noblacklist ${HOME}/.config/mpv
 noblacklist ${HOME}/.mplayer
 noblacklist ${HOME}/.config/mps-youtube
@@ -22,6 +14,10 @@ noblacklist ${HOME}/mps
 noblacklist ${MUSIC}
 noblacklist ${VIDEOS}
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
diff --git a/etc/mpv.profile b/etc/mpv.profile
index 34542b11b..aa2335516 100644
--- a/etc/mpv.profile
+++ b/etc/mpv.profile
@@ -13,12 +13,8 @@ noblacklist ${MUSIC}
 noblacklist ${VIDEOS}
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/ms-office.profile b/etc/ms-office.profile
index f8e75379e..25b097d72 100644
--- a/etc/ms-office.profile
+++ b/etc/ms-office.profile
@@ -9,12 +9,8 @@ noblacklist ${HOME}/.cache/ms-office-online
 noblacklist ${HOME}/.jak
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/ms-skype.profile b/etc/ms-skype.profile
index 02084d923..df1618361 100644
--- a/etc/ms-skype.profile
+++ b/etc/ms-skype.profile
@@ -3,10 +3,13 @@
 # Persistent local customizations
 include ms-skype.local
 # Persistent global definitions
-include globals.local
+# added by included profile
+#include globals.local
-noblacklist ${HOME}/.cache/ms-skype-online
 ignore novideo
+noblacklist ${HOME}/.cache/ms-skype-online
 private-bin ms-skype
 # Redirect
diff --git a/etc/multimc5.profile b/etc/multimc5.profile
index b6407c4f9..98edf273e 100644
--- a/etc/multimc5.profile
+++ b/etc/multimc5.profile
@@ -10,11 +10,8 @@ noblacklist ${HOME}/.local/share/multimc
 noblacklist ${HOME}/.local/share/multimc5
 noblacklist ${HOME}/.multimc5
-# Allow access to java
+# Allow java (blacklisted by disable-devel.inc)
-noblacklist ${PATH}/java
+include allow-java.inc
-noblacklist /usr/lib/java
-noblacklist /etc/java
-noblacklist /usr/share/java
 include disable-common.inc
 include disable-devel.inc
@@ -24,6 +21,8 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 mkdir ${HOME}/.local/share/multimc
+mkdir ${HOME}/.local/share/multimc5
+mkdir ${HOME}/.multimc5
 whitelist ${HOME}/.local/share/multimc
 whitelist ${HOME}/.local/share/multimc5
 whitelist ${HOME}/.multimc5
diff --git a/etc/mutt.profile b/etc/mutt.profile
index cc3a323e0..419e17e95 100644
--- a/etc/mutt.profile
+++ b/etc/mutt.profile
@@ -6,8 +6,6 @@ include mutt.local
 # Persistent global definitions
 include globals.local
-blacklist /tmp/.X11-unix
 noblacklist /var/mail
 noblacklist /var/spool/mail
 noblacklist ${HOME}/.Mail
@@ -34,6 +32,8 @@ noblacklist ${HOME}/mail
 noblacklist ${HOME}/postponed
 noblacklist ${HOME}/sent
+blacklist /tmp/.X11-unix
 include disable-common.inc
 include disable-devel.inc
 include disable-interpreters.inc
diff --git a/etc/mypaint.profile b/etc/mypaint.profile
index 615bb60d1..19643e749 100644
--- a/etc/mypaint.profile
+++ b/etc/mypaint.profile
@@ -9,10 +9,12 @@ include globals.local
 noblacklist ${HOME}/.cache/mypaint
 noblacklist ${HOME}/.config/mypaint
 noblacklist ${HOME}/.local/share/mypaint
-noblacklist ${PATH}/python2*
-noblacklist /usr/lib/python2*
 noblacklist ${PICTURES}
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
diff --git a/etc/natron.profile b/etc/natron.profile
index 3f997a7a0..7ad217b72 100644
--- a/etc/natron.profile
+++ b/etc/natron.profile
@@ -5,18 +5,13 @@ include natron.local
 # Persistent global definitions
 include globals.local
-# Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
-noblacklist ${PATH}/python3*
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 noblacklist ${HOME}/.Natron
 noblacklist ${HOME}/.cache/INRIA/Natron
 noblacklist ${HOME}/.config/INRIA
-noblacklist /opt/natron
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
 include disable-common.inc
 include disable-devel.inc
@@ -33,9 +28,9 @@ nogroups
 nonewprivs
 noroot
 notv
-protocol unix,inet,inet6
+nou2f
+protocol unix
 seccomp
 shell none
 private-bin natron,Natron,NatronRenderer
diff --git a/etc/nautilus.profile b/etc/nautilus.profile
index 1d68ef8e3..b81313b6a 100644
--- a/etc/nautilus.profile
+++ b/etc/nautilus.profile
@@ -15,12 +15,8 @@ noblacklist ${HOME}/.local/share/nautilus
 noblacklist ${HOME}/.local/share/nautilus-python
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/nemo.profile b/etc/nemo.profile
index a23ba1700..26cfedb66 100644
--- a/etc/nemo.profile
+++ b/etc/nemo.profile
@@ -12,12 +12,8 @@ noblacklist ${HOME}/.local/share/nemo
 noblacklist ${HOME}/.local/share/nemo-python
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/nethack-vultures.profile b/etc/nethack-vultures.profile
index 2c23a4868..e1294153b 100644
--- a/etc/nethack-vultures.profile
+++ b/etc/nethack-vultures.profile
@@ -6,7 +6,6 @@ include nethack.local
 # Persistent global definitions
 include globals.local
 noblacklist ${HOME}/.vultures
 noblacklist /var/log
@@ -43,4 +42,3 @@ private-cache
 private-dev
 private-tmp
 writable-var
diff --git a/etc/nethack.profile b/etc/nethack.profile
index 5375d2f4f..3df632451 100644
--- a/etc/nethack.profile
+++ b/etc/nethack.profile
@@ -6,7 +6,6 @@ include nethack.local
 # Persistent global definitions
 include globals.local
 noblacklist /var/games/nethack
 include disable-common.inc
diff --git a/etc/nheko.profile b/etc/nheko.profile
index 2dfddf872..119b30239 100644
--- a/etc/nheko.profile
+++ b/etc/nheko.profile
@@ -18,11 +18,9 @@ include disable-programs.inc
 mkdir ${HOME}/.config/nheko
 mkdir ${HOME}/.cache/nheko/nheko
 whitelist ${HOME}/.config/nheko
 whitelist ${HOME}/.cache/nheko/nheko
 whitelist ${DOWNLOADS}
 include whitelist-common.inc
 caps.drop all
diff --git a/etc/nitroshare.profile b/etc/nitroshare.profile
index 7aba69490..19b6615ef 100644
--- a/etc/nitroshare.profile
+++ b/etc/nitroshare.profile
@@ -10,12 +10,8 @@ noblacklist ${HOME}/.config/Nathan Osman
 noblacklist ${HOME}/.config/NitroShare
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/nylas.profile b/etc/nylas.profile
index 263e09198..c959eb991 100644
--- a/etc/nylas.profile
+++ b/etc/nylas.profile
@@ -14,6 +14,8 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+mkdir ${HOME}/.config/Nylas Mail
+mkdir ${HOME}/.nylas-mail
 whitelist ${DOWNLOADS}
 whitelist ${HOME}/.config/Nylas Mail
 whitelist ${HOME}/.nylas-mail
diff --git a/etc/nyx.profile b/etc/nyx.profile
index ed39283b2..1ea33ac4d 100644
--- a/etc/nyx.profile
+++ b/etc/nyx.profile
@@ -6,14 +6,11 @@ include nyx.local
 # Persistent global definitions
 include globals.local
-noblacklist ${PATH}/python2*
+# Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python3*
+include allow-python2.inc
-noblacklist /usr/lib/python2*
+include allow-python3.inc
-noblacklist /usr/lib/python3*
 noblacklist ${HOME}/.nyx
-mkdir ${HOME}/.nyx
-whitelist ${HOME}/.nyx
 include disable-common.inc
 include disable-devel.inc
@@ -23,6 +20,11 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
+mkdir ${HOME}/.nyx
+whitelist ${HOME}/.nyx
+include whitelist-common.inc
+include whitelist-var-common.inc
 caps.drop all
 netfilter
 no3d
diff --git a/etc/obs.profile b/etc/obs.profile
index 1f02efc7f..038242cae 100644
--- a/etc/obs.profile
+++ b/etc/obs.profile
@@ -11,12 +11,8 @@ noblacklist ${PICTURES}
 noblacklist ${VIDEOS}
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/ocenaudio.profile b/etc/ocenaudio.profile
index ceeb59384..b2249f63b 100644
--- a/etc/ocenaudio.profile
+++ b/etc/ocenaudio.profile
@@ -24,7 +24,7 @@ ipc-namespace
 # net none breaks AppArmor on Ubuntu systems
 netfilter
 no3d
-# nodbus - breaks preferences, comment when needed
+# nodbus - breaks preferences, comment (or put 'ignore nodbus' in your oceanaudio.local) when needed
 nodbus
 nodvd
 nogroups
@@ -39,12 +39,10 @@ shell none
 tracelog
 # disable-mnt
-# private
 private-bin ocenaudio
 private-cache
 private-dev
 private-etc alternatives,asound.conf,fonts,ld.so.cache,pulse
-# private-lib
 private-tmp
 # memory-deny-write-execute - breaks on Arch
diff --git a/etc/onionshare-gui.profile b/etc/onionshare-gui.profile
index 3ee78c59d..5bfcd0527 100644
--- a/etc/onionshare-gui.profile
+++ b/etc/onionshare-gui.profile
@@ -8,9 +8,7 @@ include globals.local
 noblacklist ${HOME}/.config/onionshare
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/openshot.profile b/etc/openshot.profile
index cfda1d0ce..0222243ed 100644
--- a/etc/openshot.profile
+++ b/etc/openshot.profile
@@ -10,12 +10,8 @@ noblacklist ${HOME}/.openshot
 noblacklist ${HOME}/.openshot_qt
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/orage.profile b/etc/orage.profile
index 2c55ab909..4e12892d6 100644
--- a/etc/orage.profile
+++ b/etc/orage.profile
@@ -24,7 +24,7 @@ nodvd
 nogroups
 nonewprivs
 noroot
-nosound
+# nosound - calendar application, It must be able to play sound to wake you up.
 notv
 nou2f
 novideo
diff --git a/etc/pandoc.profile b/etc/pandoc.profile
new file mode 100644
index 000000000..687a31cc2
--- /dev/null
+++ b/etc/pandoc.profile
@@ -0,0 +1,49 @@
+# Firejail profile for pandoc
+# Description: general markup converter
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include pandoc.local
+# Persistent global definitions
+include globals.local
+noblacklist ${DOCUMENTS}
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+# breaks pdf output
+#include whitelist-var-common.inc
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+disable-mnt
+private-bin context,latex,mktexfmt,pandoc,pdflatex,pdfroff,prince,weasyprint,wkhtmltopdf
+private-cache
+private-dev
+private-tmp
+memory-deny-write-execute
diff --git a/etc/pdfsam.profile b/etc/pdfsam.profile
index 98dcce0b7..bd3592f48 100644
--- a/etc/pdfsam.profile
+++ b/etc/pdfsam.profile
@@ -9,11 +9,8 @@ include globals.local
 noblacklist ${HOME}/.java
 noblacklist ${DOCUMENTS}
-# Allow access to java
+# Allow java (blacklisted by disable-devel.inc)
-noblacklist ${PATH}/java
+include allow-java.inc
-noblacklist /usr/lib/java
-noblacklist /etc/java
-noblacklist /usr/share/java
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/picard.profile b/etc/picard.profile
index b756ed629..15fc7a454 100644
--- a/etc/picard.profile
+++ b/etc/picard.profile
@@ -11,12 +11,8 @@ noblacklist ${HOME}/.config/MusicBrainz
 noblacklist ${MUSIC}
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/pidgin.profile b/etc/pidgin.profile
index bdd5404f5..299f807af 100644
--- a/etc/pidgin.profile
+++ b/etc/pidgin.profile
@@ -6,11 +6,11 @@ include pidgin.local
 # Persistent global definitions
 include globals.local
-noblacklist ${HOME}/.purple
 ignore noexec ${RUNUSER}
 ignore noexec /dev/shm
+noblacklist ${HOME}/.purple
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
diff --git a/etc/pithos.profile b/etc/pithos.profile
index d6a0a7822..62050eb55 100644
--- a/etc/pithos.profile
+++ b/etc/pithos.profile
@@ -7,12 +7,8 @@ include pithos.local
 include globals.local
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/pitivi.profile b/etc/pitivi.profile
index 83f5ccbb9..89a6a020b 100644
--- a/etc/pitivi.profile
+++ b/etc/pitivi.profile
@@ -10,12 +10,8 @@ include globals.local
 noblacklist ${HOME}/.config/pitivi
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/playonlinux.profile b/etc/playonlinux.profile
index 2f287223b..03091af6d 100644
--- a/etc/playonlinux.profile
+++ b/etc/playonlinux.profile
@@ -16,19 +16,11 @@ noblacklist ${HOME}/.PlayOnLinux
 noblacklist ${PATH}/nc
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 # Allow perl (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/cpan*
+include allow-perl.inc
-noblacklist ${PATH}/core_perl
-noblacklist ${PATH}/perl
-noblacklist /usr/lib/perl*
-noblacklist /usr/share/perl*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/pybitmessage.profile b/etc/pybitmessage.profile
index 28ab8caa6..3bce425d9 100644
--- a/etc/pybitmessage.profile
+++ b/etc/pybitmessage.profile
@@ -10,12 +10,8 @@ noblacklist /usr/local/sbin
 noblacklist /usr/sbin
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/pycharm-community.profile b/etc/pycharm-community.profile
index 1a6f171c8..0531aee4a 100644
--- a/etc/pycharm-community.profile
+++ b/etc/pycharm-community.profile
@@ -10,11 +10,8 @@ noblacklist ${HOME}/.python-history
 noblacklist ${HOME}/.pythonrc.py
 noblacklist ${HOME}/.java
-# Allow access to java
+# Allow java (blacklisted by disable-devel.inc)
-noblacklist ${PATH}/java
+include allow-java.inc
-noblacklist /usr/lib/java
-noblacklist /etc/java
-noblacklist /usr/share/java
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/qbittorrent.profile b/etc/qbittorrent.profile
index b0a6a0016..82e237d54 100644
--- a/etc/qbittorrent.profile
+++ b/etc/qbittorrent.profile
@@ -12,12 +12,8 @@ noblacklist ${HOME}/.config/qBittorrentrc
 noblacklist ${HOME}/.local/share/data/qBittorrent
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
@@ -61,4 +57,4 @@ private-dev
 # private-lib - problems on Arch
 private-tmp
-# memory-deny-write-execute - problems on  Arch, see #1690 on GitHub repo
+# memory-deny-write-execute - problems on Arch, see #1690 on GitHub repo
diff --git a/etc/qgis.profile b/etc/qgis.profile
new file mode 100644
index 000000000..70788b207
--- /dev/null
+++ b/etc/qgis.profile
@@ -0,0 +1,57 @@
+# Firejail profile for qgis
+# Description: GIS application
+# This file is overwritten after every install/update
+# Persistent local customizations
+include qgis.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.config/QGIS
+noblacklist ${HOME}/.local/share/QGIS
+noblacklist ${HOME}/.qgis2
+noblacklist ${DOCUMENTS}
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python3.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+mkdir ${HOME}/.local/share/QGIS
+mkdir ${HOME}/.qgis2
+mkdir ${HOME}/.config/QGIS
+whitelist ${HOME}/.local/share/QGIS
+whitelist ${HOME}/.qgis2
+whitelist ${HOME}/.config/QGIS
+whitelist ${DOCUMENTS}
+include whitelist-common.inc
+include whitelist-var-common.inc
+caps.drop all
+netfilter
+machine-id
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+# blacklisting of mbind system calls breaks old version
+seccomp.drop @cpu-emulation,@debug,@obsolete,@privileged,set_mempolicy,migrate_pages,move_pages,open_by_handle_at,name_to_handle_at,ioprio_set,ni_syscall,syslog,fanotify_init,kcmp,add_key,request_key,keyctl,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,vmsplice,umount,userfaultfd,mincore
+protocol unix,inet,inet6,netlink
+shell none
+tracelog
+disable-mnt
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,fonts,machine-id,pki,resolv.conf,ssl,QGIS,QGIS.conf,Trolltech.conf
+private-tmp
diff --git a/etc/quiterss.profile b/etc/quiterss.profile
index 41c84425b..e2a3c9c23 100644
--- a/etc/quiterss.profile
+++ b/etc/quiterss.profile
@@ -22,6 +22,8 @@ mkdir ${HOME}/.cache/QuiteRss
 mkdir ${HOME}/.config/QuiteRss
 mkdir ${HOME}/.local/share/data
 mkdir ${HOME}/.local/share/data/QuiteRss
+mkdir ${HOME}/.local/share/QuiteRss
+mkfile ${HOME}/quiterssfeeds.opml
 whitelist ${HOME}/.cache/QuiteRss
 whitelist ${HOME}/.config/QuiteRss/
 whitelist ${HOME}/.config/QuiteRssrc
diff --git a/etc/qupzilla.profile b/etc/qupzilla.profile
index 1b23b2baf..954b1a3b4 100644
--- a/etc/qupzilla.profile
+++ b/etc/qupzilla.profile
@@ -15,6 +15,8 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+mkdir ${HOME}/.cache/qupzilla
+mkdir ${HOME}/.config/qupzilla
 whitelist ${DOWNLOADS}
 whitelist ${HOME}/.cache/qupzilla
 whitelist ${HOME}/.config/qupzilla
diff --git a/etc/qutebrowser.profile b/etc/qutebrowser.profile
index 9e3853a09..e556ecf1f 100644
--- a/etc/qutebrowser.profile
+++ b/etc/qutebrowser.profile
@@ -9,18 +9,13 @@ include globals.local
 noblacklist ${HOME}/.cache/qutebrowser
 noblacklist ${HOME}/.config/qutebrowser
 noblacklist ${HOME}/.local/share/qutebrowser
-# Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
-noblacklist ${PATH}/python3*
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 # with >=llvm-4 mesa drivers need llvm stuff
 noblacklist /usr/lib/llvm*
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
 include disable-common.inc
 include disable-devel.inc
 include disable-interpreters.inc
diff --git a/etc/ranger.profile b/etc/ranger.profile
index 1e50ca9fa..13e8911ea 100644
--- a/etc/ranger.profile
+++ b/etc/ranger.profile
@@ -11,18 +11,11 @@ noblacklist ${HOME}/.config/ranger
 noblacklist ${HOME}/.nanorc
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 # Allow perl
-# noblacklist ${PATH}/cpan*
+include allow-perl.inc
-noblacklist ${PATH}/perl
-noblacklist /usr/lib/perl*
-noblacklist /usr/share/perl*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/ricochet.profile b/etc/ricochet.profile
index 3cb30c459..fc770d62d 100644
--- a/etc/ricochet.profile
+++ b/etc/ricochet.profile
@@ -5,7 +5,6 @@ include ricochet.local
 # Persistent global definitions
 include globals.local
 noblacklist ${HOME}/.local/share/Ricochet
 include disable-common.inc
@@ -15,6 +14,7 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+mkdir ${HOME}/.local/share/Ricochet
 whitelist ${DOWNLOADS}
 whitelist ${HOME}/.local/share/Ricochet
 include whitelist-common.inc
diff --git a/etc/rocketchat.profile b/etc/rocketchat.profile
index c95bc3c3d..8170c62e7 100644
--- a/etc/rocketchat.profile
+++ b/etc/rocketchat.profile
@@ -7,6 +7,7 @@ include globals.local
 noblacklist ${HOME}/.config/Rocket.Chat
+mkdir ${HOME}/.config/Rocket.Chat
 whitelist ${HOME}/.config/Rocket.Chat
 include whitelist-common.inc
diff --git a/etc/scribus.profile b/etc/scribus.profile
index d8dc7b0e0..c50e0861c 100644
--- a/etc/scribus.profile
+++ b/etc/scribus.profile
@@ -27,12 +27,8 @@ noblacklist ${DOCUMENTS}
 noblacklist ${PICTURES}
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/sdat2img.profile b/etc/sdat2img.profile
index 485326fcc..176842c44 100644
--- a/etc/sdat2img.profile
+++ b/etc/sdat2img.profile
@@ -7,12 +7,8 @@ include sdat2img.local
 include globals.local
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/seahorse.profile b/etc/seahorse.profile
index cd9f6c767..7baae2603 100644
--- a/etc/seahorse.profile
+++ b/etc/seahorse.profile
@@ -32,6 +32,7 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 include whitelist-common.inc
 include whitelist-var-common.inc
@@ -50,7 +51,7 @@ nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
-# shell none - causes gpg to hang
+shell none
 tracelog
 disable-mnt
diff --git a/etc/seamonkey.profile b/etc/seamonkey.profile
index d92c62a52..ca74efe68 100644
--- a/etc/seamonkey.profile
+++ b/etc/seamonkey.profile
@@ -18,6 +18,8 @@ include disable-programs.inc
 mkdir ${HOME}/.cache/mozilla
 mkdir ${HOME}/.mozilla
+mkdir ${HOME}/.pki
+mkdir ${HOME}/.local/share/pki
 whitelist ${DOWNLOADS}
 whitelist ${HOME}/.cache/gnome-mplayer/plugin
 whitelist ${HOME}/.cache/mozilla
diff --git a/etc/server.profile b/etc/server.profile
index 686268a18..6e077ff84 100644
--- a/etc/server.profile
+++ b/etc/server.profile
@@ -9,12 +9,12 @@ include globals.local
 # it allows /sbin and /usr/sbin directories - this is where servers are installed
 # depending on your usage, you can enable some of the commands below:
-blacklist /tmp/.X11-unix
 noblacklist /sbin
 noblacklist /usr/sbin
 # noblacklist /var/opt
+blacklist /tmp/.X11-unix
 include disable-common.inc
 # include disable-devel.inc
 # include disable-exec.inc
diff --git a/etc/signal-desktop.profile b/etc/signal-desktop.profile
index 008cd218e..04696a918 100644
--- a/etc/signal-desktop.profile
+++ b/etc/signal-desktop.profile
@@ -5,10 +5,13 @@ include signal-desktop.local
 # Persistent global definitions
 include globals.local
+ignore noexec /tmp
 noblacklist ${HOME}/.config/Signal
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-programs.inc
 include disable-passwdmgr.inc
@@ -34,5 +37,3 @@ shell none
 disable-mnt
 private-dev
 private-tmp
-noexec ${HOME}
diff --git a/etc/skypeforlinux.profile b/etc/skypeforlinux.profile
index ad200be37..eae7dada0 100644
--- a/etc/skypeforlinux.profile
+++ b/etc/skypeforlinux.profile
@@ -5,10 +5,14 @@ include skypeforlinux.local
 # Persistent global definitions
 include globals.local
+# breaks Skype
+ignore noexec /tmp
 noblacklist ${HOME}/.config/skypeforlinux
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -28,6 +32,3 @@ disable-mnt
 private-cache
 # private-dev - needs /dev/disk
 private-tmp
-noexec ${HOME}
-# noexec /tmp - breaks Skype
diff --git a/etc/slack.profile b/etc/slack.profile
index ed76be373..53baf5f40 100644
--- a/etc/slack.profile
+++ b/etc/slack.profile
@@ -13,7 +13,6 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
-mkdir ${HOME}/.config
 mkdir ${HOME}/.config/Slack
 whitelist ${HOME}/.config/Slack
 whitelist ${DOWNLOADS}
diff --git a/etc/slashem.profile b/etc/slashem.profile
index 011698e1f..8c84180d7 100644
--- a/etc/slashem.profile
+++ b/etc/slashem.profile
@@ -6,7 +6,6 @@ include slashem.local
 # Persistent global definitions
 include globals.local
 noblacklist /var/games/slashem
 include disable-common.inc
diff --git a/etc/smplayer.profile b/etc/smplayer.profile
index 5ae498ab2..0363a2475 100644
--- a/etc/smplayer.profile
+++ b/etc/smplayer.profile
@@ -12,12 +12,8 @@ noblacklist ${MUSIC}
 noblacklist ${VIDEOS}
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/soundconverter.profile b/etc/soundconverter.profile
index 4d6e80840..d875146de 100644
--- a/etc/soundconverter.profile
+++ b/etc/soundconverter.profile
@@ -9,12 +9,8 @@ include globals.local
 noblacklist ${MUSIC}
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/spectre-meltdown-checker.profile b/etc/spectre-meltdown-checker.profile
index 74582dd2f..edbe0e772 100644
--- a/etc/spectre-meltdown-checker.profile
+++ b/etc/spectre-meltdown-checker.profile
@@ -11,12 +11,8 @@ include globals.local
 noblacklist ${PATH}/mount
 noblacklist ${PATH}/umount
-# Allow access to perl
+# Allow perl (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/cpan*
+include allow-perl.inc
-noblacklist ${PATH}/core_perl
-noblacklist ${PATH}/perl
-noblacklist /usr/lib/perl*
-noblacklist /usr/share/perl*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/spotify.profile b/etc/spotify.profile
index 6f7f6ec85..2d5c4a48f 100644
--- a/etc/spotify.profile
+++ b/etc/spotify.profile
@@ -5,15 +5,12 @@ include spotify.local
 # Persistent global definitions
 include globals.local
-blacklist ${HOME}/.bashrc
-blacklist /lost+found
-blacklist /sbin
-blacklist /srv
 noblacklist ${HOME}/.cache/spotify
 noblacklist ${HOME}/.config/spotify
 noblacklist ${HOME}/.local/share/spotify
+blacklist ${HOME}/.bashrc
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -49,5 +46,6 @@ private-bin spotify,bash,sh,zenity
 private-dev
 private-etc alternatives,fonts,group,ld.so.cache,machine-id,pulse,resolv.conf,hosts,nsswitch.conf,host.conf,ca-certificates,ssl,pki,crypto-policies
 private-opt spotify
+private-srv none
 private-tmp
diff --git a/etc/ssh-agent.profile b/etc/ssh-agent.profile
index 8aafca8aa..9af747b62 100644
--- a/etc/ssh-agent.profile
+++ b/etc/ssh-agent.profile
@@ -6,12 +6,12 @@ include ssh-agent.local
 # Persistent global definitions
 include globals.local
-blacklist /tmp/.X11-unix
 noblacklist /etc/ssh
 noblacklist /tmp/ssh-*
 noblacklist ${HOME}/.ssh
+blacklist /tmp/.X11-unix
 include disable-common.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
diff --git a/etc/start-tor-browser.desktop.profile b/etc/start-tor-browser.desktop.profile
index a61038157..d5d7a17e4 100644
--- a/etc/start-tor-browser.desktop.profile
+++ b/etc/start-tor-browser.desktop.profile
@@ -3,7 +3,6 @@
 # Persistent local customizations
 include start-tor-browser.desktop.local
 noblacklist ${HOME}/.tor-browser-*
 noblacklist ${HOME}/.tor-browser_*
diff --git a/etc/steam.profile b/etc/steam.profile
index 8f08b18f0..5ab600bfb 100644
--- a/etc/steam.profile
+++ b/etc/steam.profile
@@ -25,19 +25,12 @@ noblacklist /usr/lib/llvm*
 # needed for STEAM_RUNTIME_PREFER_HOST_LIBRARIES=1 to work
 noblacklist /sbin
-# Allow access to java
+# Allow java (blacklisted by disable-devel.inc)
-noblacklist ${PATH}/java
+include allow-java.inc
-noblacklist /usr/lib/java
-noblacklist /etc/java
-noblacklist /usr/share/java
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/strings.profile b/etc/strings.profile
index 0caecdf7b..ace0d9351 100644
--- a/etc/strings.profile
+++ b/etc/strings.profile
@@ -4,30 +4,43 @@ quiet
 # Persistent local customizations
 include strings.local
 # Persistent global definitions
-# added by included profile
+include globals.local
-#include globals.local
 blacklist /tmp/.X11-unix
+include disable-common.inc
+include disable-devel.inc
 include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
-ignore noroot
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
 net none
 no3d
 nodbus
 nodvd
+nogroups
+nonewprivs
+#noroot
 nosound
 notv
 nou2f
 novideo
+protocol unix
+seccomp
 shell none
 tracelog
+#private
 private-bin strings
 private-cache
 private-dev
 private-etc alternatives
 private-lib libfakeroot
+private-tmp
 memory-deny-write-execute
-include default.profile
diff --git a/etc/subdownloader.profile b/etc/subdownloader.profile
index c07131893..b55300c88 100644
--- a/etc/subdownloader.profile
+++ b/etc/subdownloader.profile
@@ -10,12 +10,8 @@ noblacklist ${HOME}/.config/SubDownloader
 noblacklist ${VIDEOS}
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/surf.profile b/etc/surf.profile
index 0504b5fe5..5f116fd0c 100644
--- a/etc/surf.profile
+++ b/etc/surf.profile
@@ -15,6 +15,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 mkdir ${HOME}/.surf
+whitelist ${HOME}/.surf
 whitelist ${DOWNLOADS}
 include whitelist-common.inc
diff --git a/etc/sysprof.profile b/etc/sysprof.profile
index 3cfea5c5e..e978e03f2 100644
--- a/etc/sysprof.profile
+++ b/etc/sysprof.profile
@@ -24,7 +24,7 @@ no3d
 nodvd
 nogroups
 nonewprivs
-# Ubuntu 16.04 version needs root privileges - uncomment if you don't use that
+# Ubuntu 16.04 version needs root privileges - uncomment or put in sysprof.local if you don't use that
 #noroot
 nosound
 notv
diff --git a/etc/tar.profile b/etc/tar.profile
index 14fc00d21..b6a874217 100644
--- a/etc/tar.profile
+++ b/etc/tar.profile
@@ -5,17 +5,19 @@ quiet
 # Persistent local customizations
 include tar.local
 # Persistent global definitions
-# added by included profile
+include globals.local
-#include globals.local
 blacklist /tmp/.X11-unix
+include disable-common.inc
+include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
+include disable-passwdmgr.inc
-ignore noroot
+include disable-programs.inc
 apparmor
+caps.drop all
 hostname tar
 ipc-namespace
 machine-id
@@ -24,10 +26,14 @@ no3d
 nodbus
 nodvd
 nogroups
+nonewprivs
+#noroot
 nosound
 notv
 nou2f
 novideo
+protocol unix
+seccomp
 shell none
 tracelog
@@ -39,8 +45,5 @@ private-etc alternatives,passwd,group,localtime
 private-lib libfakeroot
 memory-deny-write-execute
 # Debian based distributions need this for 'dpkg --unpack' (incl. synaptic)
 writable-var
-include default.profile
diff --git a/etc/templates/profile.template b/etc/templates/profile.template
new file mode 100644
index 000000000..16bf05cec
--- /dev/null
+++ b/etc/templates/profile.template
@@ -0,0 +1,139 @@
+# Firejail profile for PROGRAM_NAME
+# Description: DESCRIPTION
+# This file is overwritten after every install/update
+# --- CUT HERE ---
+# This is a generic template to help you with creation of profiles
+# for new programs. PRs welcome at https://github.com/netblue30/firejail/
+#
+# Rules to follow:
+#  - lines with one # are often used in profiles
+#  - lines with two ## are only needed in special situations
+#  - make the profile as restrictive as possible while still keeping the program useful
+#    (e. g. a program that is unable to save user's work is considered a bad practice)
+#  - dedicate some time (based on how complex the application is) to profile testing before raising
+#    a pull request
+#  - keep the sections structure, use a single empty line as a separator
+#  - entries within sections are alphabetically sorted
+#  - consider putting binary into src/firecfg/firecfg.config (keep list sorted) but beware
+#    to not do this for essential utilities as this may *break* your OS! (related discussion:
+#    https://github.com/netblue30/firejail/issues/2507)
+#  - remove this comment section and any generic comment past 'Persistent global definitions'
+#
+# Sections structure
+#   HEADER
+#   COMMENTS
+#   IGNORES
+#   NOBLACKLISTS
+#   ALLOW INCLUDES
+#   BLACKLISTS
+#   DISABLE INCLUDES
+#   MKDIRS
+#   WHITELISTS
+#   WHITELIST INCLUDES
+#   OPTIONS (no*)
+#   PRIVATE OPTIONS (disable-mnt, private-*)
+#   SPECIAL OPTIONS (mdwx, noexec, read-only, join-or-start)
+#   REDIRECT INCLUDES
+#
+# --- CUT HERE ---
+##quiet
+# Persistent local customizations
+#include PROFILE.local
+# Persistent global definitions
+#include globals.local
+##ignore noexec ${HOME}
+##blacklist PATH
+# It is common practice to add files/dirs containing program-specific configuration
+# (often ${HOME}/PROGRAMNAME or ${HOME}/.config/PROGRAMNAME) into disable-programs.inc
+# (keep list sorted) and then disable blacklisting below.
+# One way to retrieve the files a program uses is:
+#  - launch binary with --private naming a sandbox
+#      `firejail --name=test --ignore=private-bin [--profile=PROFILE] --private BINARY`
+#  - work with the program, do some configuration changes and save them, open new documents,
+#    install plugins if they exists, etc
+#  - join the sandbox with bash:
+#      `firejail --join=test bash`
+#  - look what has changed and use that information to populate blacklist and whitelist sections
+#      `ls -aR`
+#noblacklist PATH
+# Allow python (blacklisted by disable-interpreters.inc)
+#include allow-python2.inc
+#include allow-python3.inc
+# Allow perl (blacklisted by disable-interpreters.inc)
+#include allow-perl.inc
+# Allow java (blacklisted by disable-devel.inc)
+#include allow-java.inc
+# Allow lua (blacklisted by disable-interpreters.inc)
+include allow-lua.inc
+#include disable-common.inc
+#include disable-devel.inc
+#include disable-exec.inc
+#include disable-interpreters.inc
+#include disable-passwdmgr.inc
+#include disable-programs.inc
+#include disable-xdg.inc
+# This section often mirrors noblacklist section above. The idea is
+# that if a user feels too restricted (he's unable to save files into
+# home directory for instance) he/she may disable whitelist (nowhitelist)
+# in PROFILE.local but still be protected by BLACKLISTS section
+# (further explanation at https://github.com/netblue30/firejail/issues/1569)
+#mkdir PATH
+#mkfile PATH
+#whitelist PATH
+#include whitelist-common.inc
+#include whitelist-var-common.inc
+#apparmor
+#caps.drop all
+# CLI only
+##ipc-namespace
+#machine-id
+# 'net none' or 'netfilter'
+#net none
+#netfilter
+#no3d
+#nodbus
+#nodvd
+#nogroups
+#nonewprivs
+#noroot
+#nosound
+#notv
+#nou2f
+#novideo
+#protocol unix,inet,inet6,netlink
+#seccomp
+##seccomp.drop SYSCALLS
+#shell none
+#tracelog
+#disable-mnt
+##private
+#private-bin PROGRAMS
+#private-cache
+#private-dev
+#private-etc FILES
+# private-etc templates (see also #1734)
+#  Internet: ca-certificates,crypto-policies,nsswitch.conf,pki,resolv.conf,ssl
+#  Sound: alsa,asound.conf,machine-id,openal,pulse
+#  GTK: dconf,fonts,gtk-2.0,gtk-3.0,pango,xdg
+#  KDE/QT: fonts,kde4rc,kde5rc,ld.so.cache,machine-id,Trolltech.conf,xdg
+#  GUIs: fonts
+#  Alternatives: alternatives
+##private-lib LIBS
+##private-opt NAME
+#private-tmp
+##env VAR=VALUE
+#memory-deny-write-execute
+##read-only ${HOME}
+##join-or-start NAME
diff --git a/etc/templates/redirect_alias-profile.template b/etc/templates/redirect_alias-profile.template
new file mode 100644
index 000000000..0a0788e96
--- /dev/null
+++ b/etc/templates/redirect_alias-profile.template
@@ -0,0 +1,43 @@
+# Firejail profile for PROGRAM_NAME
+# Description: DESCRIPTION
+# This file is overwritten after every install/update
+# Persistent local customizations
+include PROFILE.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+#NOTE: let include globals.local commented
+# For more informations see profile.template
+# Ignore something that is in the included profile
+#ignore net none
+#ignore private-bin
+#ignore seccomp
+#...
+# Additional noblacklisting (if needed)
+#noblacklist PATH
+# Additional allow includes (if needed)
+# Additional blacklisting (if needed)
+#blacklist PATH
+# Additional whitelisting (if needed)
+#mkdir PATH
+##mkfile PATH
+#whitelist PATH
+# Additional options (if needed)
+# Additional private-options (if needed)
+# Add programs to private-bin (if needed)
+#private-bin PROGRAMS
+# Add files to private-etc (if needed)
+#private-etc FILES
+# Additional special options (if needed)
+# Redirect
+include PROFILE.profile
diff --git a/etc/templates/syscalls.txt b/etc/templates/syscalls.txt
new file mode 100644
index 000000000..2464df9ee
--- /dev/null
+++ b/etc/templates/syscalls.txt
@@ -0,0 +1,43 @@
+Hints for writing seccomp.drop lines
+====================================
+@clock=adjtimex,clock_adjtime,clock_settime,settimeofday,stime
+@module=delete_module,finit_module,init_module
+@raw-io=ioperm,iopl,pciconfig_iobase,pciconfig_read,pciconfig_write,s390_mmio_read,s390_mmio_write
+@reboot=kexec_file_load,kexec_load,reboot
+@swap=swapoff,swapon
+@privileged=@clock,@module,@raw-io,@reboot,@swap,acct,bpf,chroot,mount,nfsservctl,pivot_root,setdomainname,sethostname,umount2,vhangup
+@cpu-emulation=modify_ldt,subpage_prot,switch_endian,vm86,vm86old
+@debug=lookup_dcookie,perf_event_open,process_vm_writev,rtas,s390_runtime_instr,sys_debug_setcontext
+@obsolete=_sysctl,afs_syscall,bdflush,break,create_module,ftime,get_kernel_syms,getpmsg,gtty,lock,mpx,prof,profil,putpmsg,query_module,security,sgetmask,ssetmask,stty,sysfs,tuxcall,ulimit,uselib,ustat,vserver
+@resources=mbind,migrate_pages,move_pages,set_mempolicy
+@default=@cpu-emulation,@debug,@obsolete,@privileged,@resources,add_key,fanotify_init,io_cancel,io_destroy,io_getevents,ioprio_set,io_setup,io_submit,kcmp,keyctl,mincore,name_to_handle_at,ni_syscall,open_by_handle_at,remap_file_pages,request_key,syslog,umount,userfaultfd,vmsplice
+@default-nodebuggers=@default,personality,process_vm_readv,ptrace
+@default-keep=execve,prctl
+---------+----------------+---------------+
+| @clock  | @cpu-emulation | @default-keep |
+| @module | @debug         |               |
+| @raw-io | @obsolete      |               |
+| @reboot | @resources     |               |
+| @swap   |                |               |
+---------+----------------+---------------+
+     :              :
+-------------+     :
+| @privileged |     :
+-------------+     :
+     :              :
+----------+        :
+| @default |........:
+----------+
+    :
+----------------------+
+| @default-nodebuggers |
+----------------------+
diff --git a/etc/terasology.profile b/etc/terasology.profile
index 43865b6fb..2a7212395 100644
--- a/etc/terasology.profile
+++ b/etc/terasology.profile
@@ -5,17 +5,17 @@ include terasology.local
 # Persistent global definitions
 include globals.local
+ignore noexec /tmp
 noblacklist ${HOME}/.java
 noblacklist ${HOME}/.local/share/terasology
-# Allow access to java
+# Allow java (blacklisted by disable-devel.inc)
-noblacklist ${PATH}/java
+include allow-java.inc
-noblacklist /usr/lib/java
-noblacklist /etc/java
-noblacklist /usr/share/java
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -46,5 +46,3 @@ disable-mnt
 private-dev
 private-etc alternatives,asound.conf,ca-certificates,dbus-1,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,lsb-release,machine-id,mime.types,passwd,pulse,resolv.conf,ssl,java-8-openjdk,java-7-openjdk,pki,crypto-policies
 private-tmp
-noexec ${HOME}
diff --git a/etc/torbrowser-launcher.profile b/etc/torbrowser-launcher.profile
index c7c810cda..ff4a85871 100644
--- a/etc/torbrowser-launcher.profile
+++ b/etc/torbrowser-launcher.profile
@@ -12,12 +12,8 @@ noblacklist ${HOME}/.config/torbrowser
 noblacklist ${HOME}/.local/share/torbrowser
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/transgui.profile b/etc/transgui.profile
index 8043bfa01..0d09cef87 100644
--- a/etc/transgui.profile
+++ b/etc/transgui.profile
@@ -2,7 +2,7 @@
 # Description: Cross-platform Transmission BitTorrent client
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/transgui.local
+include transgui.local
 # Persistent global definitions
 include globals.local
diff --git a/etc/transmission-daemon.profile b/etc/transmission-daemon.profile
index c67200826..9a6052ada 100644
--- a/etc/transmission-daemon.profile
+++ b/etc/transmission-daemon.profile
@@ -1,5 +1,5 @@
 # Firejail profile for transmission-daemon
-# Description:  Fast, easy and free BitTorrent client (daemon)
+# Description: Fast, easy and free BitTorrent client (daemon)
 # This file is overwritten after every install/update
 quiet
 # Persistent local customizations
diff --git a/etc/transmission-remote-cli.profile b/etc/transmission-remote-cli.profile
index 3e3ad1a07..7b7a47f14 100644
--- a/etc/transmission-remote-cli.profile
+++ b/etc/transmission-remote-cli.profile
@@ -8,12 +8,8 @@ include transmission-remote-cli.local
 #include globals.local
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 mkdir ${HOME}/.cache/transmission
 mkdir ${HOME}/.config/transmission
diff --git a/etc/tuxguitar.profile b/etc/tuxguitar.profile
index 1b657d083..3111a1e22 100644
--- a/etc/tuxguitar.profile
+++ b/etc/tuxguitar.profile
@@ -11,11 +11,8 @@ noblacklist ${HOME}/.tuxguitar*
 noblacklist ${DOCUMENTS}
 noblacklist ${MUSIC}
-# Allow access to java
+# Allow java (blacklisted by disable-devel.inc)
-noblacklist ${PATH}/java
+include allow-java.inc
-noblacklist /usr/lib/java
-noblacklist /etc/java
-noblacklist /usr/share/java
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/unbound.profile b/etc/unbound.profile
index 6e4b5ed1c..8e7a4a8a8 100644
--- a/etc/unbound.profile
+++ b/etc/unbound.profile
@@ -6,11 +6,11 @@ include unbound.local
 # Persistent global definitions
 include globals.local
-blacklist /tmp/.X11-unix
 noblacklist /sbin
 noblacklist /usr/sbin
+blacklist /tmp/.X11-unix
 include disable-common.inc
 include disable-devel.inc
 include disable-interpreters.inc
diff --git a/etc/unrar.profile b/etc/unrar.profile
index 7fe37f061..5b55f30d2 100644
--- a/etc/unrar.profile
+++ b/etc/unrar.profile
@@ -5,21 +5,34 @@ quiet
 # Persistent local customizations
 include unrar.local
 # Persistent global definitions
-# added by included profile
+include globals.local
-#include globals.local
 blacklist /tmp/.X11-unix
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+caps.drop all
 hostname unrar
-ignore noroot
+ipc-namespace
+machine-id
 net none
 no3d
 nodbus
 nodvd
+#nogroups
+nonewprivs
+#noroot
 nosound
 notv
 nou2f
 novideo
+protocol unix
+seccomp
 shell none
 tracelog
@@ -27,5 +40,3 @@ private-bin unrar
 private-dev
 private-etc alternatives,passwd,group,localtime
 private-tmp
-include default.profile
diff --git a/etc/unzip.profile b/etc/unzip.profile
index be6b6c321..79b41f9d8 100644
--- a/etc/unzip.profile
+++ b/etc/unzip.profile
@@ -5,29 +5,41 @@ quiet
 # Persistent local customizations
 include unzip.local
 # Persistent global definitions
-# added by included profile
+include globals.local
-#include globals.local
+# GNOME Shell integration (chrome-gnome-shell)
+noblacklist ${HOME}/.local/share/gnome-shell
 blacklist /tmp/.X11-unix
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+caps.drop all
 hostname unzip
-ignore noroot
+ipc-namespace
+machine-id
 net none
 no3d
 nodbus
 nodvd
+#nogroups
+nonewprivs
+noroot
 nosound
 notv
 nou2f
 novideo
+protocol unix
+seccomp
 shell none
 tracelog
 private-bin unzip
+private-cache
 private-dev
 private-etc alternatives,passwd,group,localtime
-# GNOME Shell integration (chrome-gnome-shell)
-noblacklist ${HOME}/.local/share/gnome-shell
-include default.profile
diff --git a/etc/uudeview.profile b/etc/uudeview.profile
index 859656fa5..53fad0ba5 100644
--- a/etc/uudeview.profile
+++ b/etc/uudeview.profile
@@ -5,18 +5,31 @@ quiet
 # Persistent local customizations
 include uudeview.local
 # Persistent global definitions
-# added by included profile
+include globals.local
-#include globals.local
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+caps.drop all
 hostname uudeview
-ignore noroot
+ipc-namespace
+machine-id
 net none
 nodbus
 nodvd
+#nogroups
+nonewprivs
+#noroot
 nosound
 notv
 nou2f
 novideo
+protocol unix
+seccomp
 shell none
 tracelog
@@ -24,5 +37,3 @@ private-bin uudeview
 private-cache
 private-dev
 private-etc alternatives,ld.so.preload
-include default.profile
diff --git a/etc/uzbl-browser.profile b/etc/uzbl-browser.profile
index dbee819cd..d4e54235b 100644
--- a/etc/uzbl-browser.profile
+++ b/etc/uzbl-browser.profile
@@ -10,12 +10,8 @@ noblacklist ${HOME}/.gnupg
 noblacklist ${HOME}/.local/share/uzbl
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/viewnior.profile b/etc/viewnior.profile
index f9fb1cefe..943719e75 100644
--- a/etc/viewnior.profile
+++ b/etc/viewnior.profile
@@ -6,12 +6,12 @@ include viewnior.local
 # Persistent global definitions
 include globals.local
-blacklist ${HOME}/.bashrc
 noblacklist ${HOME}/.Steam
 noblacklist ${HOME}/.config/viewnior
 noblacklist ${HOME}/.steam
+blacklist ${HOME}/.bashrc
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
diff --git a/etc/w3m.profile b/etc/w3m.profile
index 143ac4f63..d577932e3 100644
--- a/etc/w3m.profile
+++ b/etc/w3m.profile
@@ -6,10 +6,10 @@ include w3m.local
 # Persistent global definitions
 include globals.local
-blacklist /tmp/.X11-unix
 noblacklist ${HOME}/.w3m
+blacklist /tmp/.X11-unix
 include disable-common.inc
 include disable-devel.inc
 include disable-interpreters.inc
diff --git a/etc/wget.profile b/etc/wget.profile
index a7ef32e2c..ff10b2316 100644
--- a/etc/wget.profile
+++ b/etc/wget.profile
@@ -7,11 +7,11 @@ include wget.local
 # Persistent global definitions
 include globals.local
-blacklist /tmp/.X11-unix
 noblacklist ${HOME}/.wget-hsts
 noblacklist ${HOME}/.wgetrc
+blacklist /tmp/.X11-unix
 include disable-common.inc
 include disable-exec.inc
 include disable-passwdmgr.inc
diff --git a/etc/wire-desktop.profile b/etc/wire-desktop.profile
index 3953de614..7c545d08f 100644
--- a/etc/wire-desktop.profile
+++ b/etc/wire-desktop.profile
@@ -16,7 +16,6 @@ include disable-programs.inc
 mkdir ${HOME}/.config/Wire
 whitelist ${HOME}/.config/Wire
 whitelist ${DOWNLOADS}
 include whitelist-common.inc
 caps.drop all
diff --git a/etc/wireshark.profile b/etc/wireshark.profile
index 9b9757cd5..b44eae128 100644
--- a/etc/wireshark.profile
+++ b/etc/wireshark.profile
@@ -10,11 +10,8 @@ noblacklist ${HOME}/.config/wireshark
 noblacklist ${HOME}/.wireshark
 noblacklist ${DOCUMENTS}
-# Wireshark can use Lua for scripting
+# Allow lua (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/lua*
+include allow-lua.inc
-noblacklist /usr/lib/lua
-noblacklist /usr/include/lua*
-noblacklist /usr/share/lua
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/xed.profile b/etc/xed.profile
index cce0432a4..9a7806b19 100644
--- a/etc/xed.profile
+++ b/etc/xed.profile
@@ -9,12 +9,8 @@ noblacklist ${HOME}/.config/xed
 noblacklist ${HOME}/.pythonrc.py
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/xiphos.profile b/etc/xiphos.profile
index 33056395e..043e513bd 100644
--- a/etc/xiphos.profile
+++ b/etc/xiphos.profile
@@ -6,11 +6,11 @@ include xiphos.local
 # Persistent global definitions
 include globals.local
-blacklist ${HOME}/.bashrc
 noblacklist ${HOME}/.sword
 noblacklist ${HOME}/.xiphos
+blacklist ${HOME}/.bashrc
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -18,6 +18,8 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+mkdir ${HOME}/.sword
+mkdir ${HOME}/.xiphos
 whitelist ${HOME}/.sword
 whitelist ${HOME}/.xiphos
 include whitelist-common.inc
diff --git a/etc/xlinks.profile b/etc/xlinks.profile
new file mode 100644
index 000000000..ad1511791
--- /dev/null
+++ b/etc/xlinks.profile
@@ -0,0 +1,18 @@
+# Firejail profile for xlinks
+# Description: Text WWW browser (X11)
+# This file is overwritten after every install/update
+# Persistent local customizations
+include xlinks.local
+noblacklist /tmp/.X11-unix
+noblacklist ${HOME}/.links
+include whitelist-common.inc
+# if you want to use user-configured programs add 'private-bin PROGRAM1,PROGRAM2'
+# to your xlinks.local or append 'PROGRAM1,PROGRAM2' to this private-bin line
+private-bin xlinks
+private-etc fonts
+# Redirect
+include links.profile
diff --git a/etc/xplayer.profile b/etc/xplayer.profile
index b4932c99e..5f4e3bf4c 100644
--- a/etc/xplayer.profile
+++ b/etc/xplayer.profile
@@ -11,12 +11,8 @@ noblacklist ${MUSIC}
 noblacklist ${VIDEOS}
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/xpra.profile b/etc/xpra.profile
index d967c1da2..dc8d7a665 100644
--- a/etc/xpra.profile
+++ b/etc/xpra.profile
@@ -8,21 +8,15 @@ include globals.local
 #
 # This profile will sandbox Xpra server itself when used with firejail --x11=xpra.
-# To enable it, create a firejail-xpra  symlink in /usr/local/bin:
+# To enable it, create a firejail-xpra symlink in /usr/local/bin:
 #
 #    $ sudo ln -s /usr/bin/firejail /usr/local/bin/xpra
 #
 # or run "sudo firecfg"
-blacklist /media
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
 include disable-common.inc
 include disable-devel.inc
@@ -49,6 +43,7 @@ protocol unix
 seccomp
 shell none
+disable-mnt
 # private home directory doesn't work on some distros, so we go for a regular home
 # private
 # older Xpra versions also use Xvfb
diff --git a/etc/xzdec.profile b/etc/xzdec.profile
index a1f265c1e..3adaa557c 100644
--- a/etc/xzdec.profile
+++ b/etc/xzdec.profile
@@ -5,23 +5,34 @@ quiet
 # Persistent local customizations
 include xzdec.local
 # Persistent global definitions
-# added by included profile
+include globals.local
-#include globals.local
 blacklist /tmp/.X11-unix
-ignore noroot
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+caps.drop all
+ipc-namespace
+machine-id
 net none
 no3d
 nodbus
 nodvd
+#nogroups
+nonewprivs
+#noroot
 nosound
 notv
 nou2f
 novideo
+protocol unix
+seccomp
 shell none
 tracelog
 private-dev
-include default.profile
diff --git a/etc/yelp.profile b/etc/yelp.profile
new file mode 100644
index 000000000..66f094e1d
--- /dev/null
+++ b/etc/yelp.profile
@@ -0,0 +1,51 @@
+# Firejail profile for yelp
+# Description: Help browser for the GNOME desktop
+# This file is overwritten after every install/update
+# Persistent local customizations
+include yelp.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.config/yelp
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+mkdir ${HOME}/.config/yelp
+whitelist ${HOME}/.config/yelp
+include whitelist-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+disable-mnt
+private-bin yelp
+private-cache
+private-dev
+private-etc alsa,alternatives,asound.conf,crypto-policies,cups,dconf,drirc,fonts,gcrypt,gtk-3.0,machine-id,openal,os-release,pulse,sgml,xml
+private-tmp
+# read-only ${HOME} breaks some not necesarry featrues, comment it if
+# you need them or put 'ignore read-only ${HOME}' into your yelp.local.
+# broken features:
+#  1. yelp --editor-mode
+#  2. saving the window geometry
+read-only ${HOME}
diff --git a/etc/youtube-dl.profile b/etc/youtube-dl.profile
index 621ffb2b0..1c2bad51c 100644
--- a/etc/youtube-dl.profile
+++ b/etc/youtube-dl.profile
@@ -7,20 +7,16 @@ include youtube-dl.local
 # Persistent global definitions
 include globals.local
+# breaks when installed via pip
+ignore noexec ${HOME}
 noblacklist ${HOME}/.netrc
 noblacklist ${MUSIC}
 noblacklist ${VIDEOS}
 # Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
+include allow-python2.inc
-noblacklist ${PATH}/python3*
+include allow-python3.inc
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/local/lib/python3*
-# breaks when installed via pip
-ignore noexec ${HOME}
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/zaproxy.profile b/etc/zaproxy.profile
index dc3164da1..0598ea18d 100644
--- a/etc/zaproxy.profile
+++ b/etc/zaproxy.profile
@@ -9,11 +9,8 @@ include globals.local
 noblacklist ${HOME}/.java
 noblacklist ${HOME}/.ZAP
-# Allow access to java
+# Allow java (blacklisted by disable-devel.inc)
-noblacklist ${PATH}/java
+include allow-java.inc
-noblacklist /usr/lib/java
-noblacklist /etc/java
-noblacklist /usr/share/java
 include disable-common.inc
 include disable-devel.inc
@@ -22,6 +19,7 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+mkdir ${HOME}/.java
 mkdir ${HOME}/.ZAP
 whitelist ${HOME}/.java
 whitelist ${HOME}/.ZAP
diff --git a/etc/zoom.profile b/etc/zoom.profile
index 456b197f3..6d312aff6 100644
--- a/etc/zoom.profile
+++ b/etc/zoom.profile
@@ -13,6 +13,8 @@ include disable-devel.inc
 include disable-interpreters.inc
 include disable-programs.inc
+mkdir ${HOME}/.cache/zoom
+mkfile ${HOME}/.config/zoomus.conf
 mkdir ${HOME}/.zoom
 whitelist ${HOME}/.cache/zoom
 whitelist ${HOME}/.config/zoomus.conf
diff --git a/etc/zpaq.profile b/etc/zpaq.profile
index 6d4501e4f..6bf3605eb 100644
--- a/etc/zpaq.profile
+++ b/etc/zpaq.profile
@@ -10,6 +10,5 @@ include zpaq.local
 # mdwx breaks 'list' functionality
 ignore memory-deny-write-execute
 # Redirect
 include cpio.profile