175 files changed, 743 insertions, 453 deletions
diff --git a/etc/0ad.profile b/etc/0ad.profile
index 88c9c453b..565d42567 100644
--- a/etc/0ad.profile
+++ b/etc/0ad.profile
@@ -24,6 +24,7 @@ whitelist ${HOME}/.cache/0ad
 whitelist ${HOME}/.config/0ad
 whitelist ${HOME}/.local/share/0ad
 include whitelist-common.inc
+include whitelist-var-common.inc
 caps.drop all
 netfilter
diff --git a/etc/7z.profile b/etc/7z.profile
index 15e99e936..284aa37a2 100644
--- a/etc/7z.profile
+++ b/etc/7z.profile
@@ -13,7 +13,9 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+apparmor
 caps.drop all
+hostname 7z
 ipc-namespace
 machine-id
 net none
@@ -33,4 +35,8 @@ shell none
 tracelog
 x11 none
+#private-bin 7z,7z*,p7zip
+private-cache
 private-dev
+memory-deny-write-execute
diff --git a/etc/7za.profile b/etc/7za.profile
index 28e483a8c..14188e1f0 100644
--- a/etc/7za.profile
+++ b/etc/7za.profile
@@ -1,5 +1,6 @@
 # Firejail profile for 7za
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include 7za.local
 # Persistent global definitions
diff --git a/etc/7zr.profile b/etc/7zr.profile
index 1b85badbc..2cb42fa40 100644
--- a/etc/7zr.profile
+++ b/etc/7zr.profile
@@ -1,5 +1,6 @@
 # Firejail profile for 7zr
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include 7zr.local
 # Persistent global definitions
diff --git a/etc/QMediathekView.profile b/etc/QMediathekView.profile
index ece681c35..eb21349a9 100644
--- a/etc/QMediathekView.profile
+++ b/etc/QMediathekView.profile
@@ -39,6 +39,7 @@ nonewprivs
 noroot
 notv
 nou2f
+novideo
 protocol unix,inet,inet6,netlink
 seccomp
 shell none
diff --git a/etc/QOwnNotes.profile b/etc/QOwnNotes.profile
index c774f3a60..af7c10448 100644
--- a/etc/QOwnNotes.profile
+++ b/etc/QOwnNotes.profile
@@ -20,7 +20,7 @@ include disable-programs.inc
 include disable-xdg.inc
 mkdir ${HOME}/Nextcloud/Notes
-mkdir ${HOME}.config/PBE
+mkdir ${HOME}/.config/PBE
 mkdir ${HOME}/.local/share/PBE
 whitelist ${DOCUMENTS}
 whitelist ${HOME}/Nextcloud/Notes
diff --git a/etc/Viber.profile b/etc/Viber.profile
index ecc500769..925e130de 100644
--- a/etc/Viber.profile
+++ b/etc/Viber.profile
@@ -28,12 +28,10 @@ nonewprivs
 noroot
 notv
 protocol unix,inet,inet6
-seccomp
+seccomp !chroot
 shell none
 disable-mnt
 private-bin awk,bash,dig,sh,Viber
 private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,hosts,localtime,machine-id,mailcap,nsswitch.conf,pki,proxychains.conf,pulse,resolv.conf,ssl,X11
 private-tmp
-env QTWEBENGINE_DISABLE_SANDBOX=1
diff --git a/etc/Xephyr.profile b/etc/Xephyr.profile
index 5ef75022b..ab5fdf942 100644
--- a/etc/Xephyr.profile
+++ b/etc/Xephyr.profile
@@ -1,6 +1,7 @@
 # Firejail profile for Xephyr
 # This file is overwritten after every install/update
 # Persistent local customizations
+quiet
 include Xephyr.local
 # Persistent global definitions
 include globals.local
diff --git a/etc/Xvfb.profile b/etc/Xvfb.profile
index 3ecda698e..937d02d60 100644
--- a/etc/Xvfb.profile
+++ b/etc/Xvfb.profile
@@ -1,6 +1,7 @@
 # Firejail profile for Xvfb
 # Description: Virtual Framebuffer 'fake' X server
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include Xvfb.local
 # Persistent global definitions
@@ -30,6 +31,7 @@ nonewprivs
 nosound
 notv
 nou2f
+novideo
 protocol unix
 seccomp
 shell none
diff --git a/etc/acat.profile b/etc/acat.profile
index f35adf3dc..522d8db4e 100644
--- a/etc/acat.profile
+++ b/etc/acat.profile
@@ -1,5 +1,6 @@
 # Firejail profile for acat
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include acat.local
 # Persistent global definitions
diff --git a/etc/adiff.profile b/etc/adiff.profile
index f22a27e79..a80886d56 100644
--- a/etc/adiff.profile
+++ b/etc/adiff.profile
@@ -1,5 +1,6 @@
 # Firejail profile for adiff
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include adiff.local
 # Persistent global definitions
diff --git a/etc/akonadi_control.profile b/etc/akonadi_control.profile
index 1c16f940e..ffc613f1e 100644
--- a/etc/akonadi_control.profile
+++ b/etc/akonadi_control.profile
@@ -17,6 +17,7 @@ noblacklist ${HOME}/.local/share/apps/korganizer
 noblacklist ${HOME}/.local/share/contacts
 noblacklist ${HOME}/.local/share/local-mail
 noblacklist ${HOME}/.local/share/notes
+noblacklist /sbin
 noblacklist /tmp/akonadi-*
 noblacklist /usr/sbin
@@ -45,8 +46,8 @@ nosound
 notv
 nou2f
 novideo
-# protocol unix,inet,inet6
+# protocol unix,inet,inet6,netlink
-# seccomp.drop @cpu-emulation,@debug,@obsolete,@privileged,@resources,add_key,fanotify_init,io_cancel,io_destroy,kcmp,keyctl,name_to_handle_at,ni_syscall,open_by_handle_at,personality,process_vm_readv,ptrace,remap_file_pages,request_key,syslog,umount,userfaultfd,vmsplice
+# seccomp !io_getevents,!io_setup,!io_submit,!ioprio_set
 tracelog
 private-dev
diff --git a/etc/akregator.profile b/etc/akregator.profile
index 466eff22d..34933f283 100644
--- a/etc/akregator.profile
+++ b/etc/akregator.profile
@@ -36,7 +36,7 @@ nou2f
 novideo
 protocol unix,inet,inet6,netlink
 # chroot syscalls are needed for setting up the built-in sandbox
-seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+seccomp !chroot
 shell none
 disable-mnt
diff --git a/etc/allow-common-devel.inc b/etc/allow-common-devel.inc
new file mode 100644
index 000000000..1d794462c
--- /dev/null
+++ b/etc/allow-common-devel.inc
@@ -0,0 +1,17 @@
+# Rust
+noblacklist ${HOME}/.cargo/config
+noblacklist ${HOME}/.cargo/registry
+# Git
+noblacklist ${HOME}/.config/git
+noblacklist ${HOME}/.gitconfig
+noblacklist ${HOME}/.git-credentials
+# Python
+noblacklist ${HOME}/.python-history
+noblacklist ${HOME}/.python_history
+noblacklist ${HOME}/.pythonhist
+# Java
+noblacklist ${HOME}/.gradle
+noblacklist ${HOME}/.java
diff --git a/etc/als.profile b/etc/als.profile
index aa7f29337..5eae228b6 100644
--- a/etc/als.profile
+++ b/etc/als.profile
@@ -1,5 +1,6 @@
 # Firejail profile for als
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include als.local
 # Persistent global definitions
diff --git a/etc/android-studio.profile b/etc/android-studio.profile
index ff7fb6711..2e4e564dd 100644
--- a/etc/android-studio.profile
+++ b/etc/android-studio.profile
@@ -7,17 +7,15 @@ include globals.local
 noblacklist ${HOME}/.AndroidStudio*
 noblacklist ${HOME}/.android
-noblacklist ${HOME}/.config/git
-noblacklist ${HOME}/.gitconfig
-noblacklist ${HOME}/.git-credentials
-noblacklist ${HOME}/.gradle
 noblacklist ${HOME}/.jack-server
 noblacklist ${HOME}/.jack-settings
-noblacklist ${HOME}/.java
 noblacklist ${HOME}/.local/share/JetBrains
 noblacklist ${HOME}/.ssh
 noblacklist ${HOME}/.tooling
+# Allows files commonly used by IDEs
+include allow-common-devel.inc
 include disable-common.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
diff --git a/etc/aosp.profile b/etc/aosp.profile
index 701bf4733..a5b1ba9f1 100644
--- a/etc/aosp.profile
+++ b/etc/aosp.profile
@@ -7,18 +7,16 @@ include globals.local
 noblacklist ${HOME}/.android
 noblacklist ${HOME}/.bash_history
-noblacklist ${HOME}/.config/git
-noblacklist ${HOME}/.gitconfig
-noblacklist ${HOME}/.git-credentials
-noblacklist ${HOME}/.gradle
 noblacklist ${HOME}/.jack-server
 noblacklist ${HOME}/.jack-settings
-noblacklist ${HOME}/.java
 noblacklist ${HOME}/.repo_.gitconfig.json
 noblacklist ${HOME}/.repoconfig
 noblacklist ${HOME}/.ssh
 noblacklist ${HOME}/.tooling
+# Allows files commonly used by IDEs
+include allow-common-devel.inc
 include disable-common.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
diff --git a/etc/apack.profile b/etc/apack.profile
index b09d3d718..9fef911af 100644
--- a/etc/apack.profile
+++ b/etc/apack.profile
@@ -1,5 +1,6 @@
 # Firejail profile for apack
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include apack.local
 # Persistent global definitions
diff --git a/etc/arepack.profile b/etc/arepack.profile
index d23fc21db..012f2f049 100644
--- a/etc/arepack.profile
+++ b/etc/arepack.profile
@@ -1,5 +1,6 @@
 # Firejail profile for arepack
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include arepack.local
 # Persistent global definitions
diff --git a/etc/asunder.profile b/etc/asunder.profile
index fc10739aa..1f3acd735 100644
--- a/etc/asunder.profile
+++ b/etc/asunder.profile
@@ -30,6 +30,7 @@ nodbus
 nonewprivs
 noroot
 nou2f
+novideo
 protocol unix,inet,inet6
 seccomp
 shell none
diff --git a/etc/atom.profile b/etc/atom.profile
index 8928baf5d..b9cb49d08 100644
--- a/etc/atom.profile
+++ b/etc/atom.profile
@@ -8,18 +8,9 @@ include globals.local
 noblacklist ${HOME}/.atom
 noblacklist ${HOME}/.config/Atom
-# allow rust
-noblacklist ${HOME}/.cargo/config
+# Allows files commonly used by IDEs
-noblacklist ${HOME}/.cargo/registry
+include allow-common-devel.inc
-# allow git config files
-noblacklist ${HOME}/.config/git
-noblacklist ${HOME}/.gitconfig
-noblacklist ${HOME}/.git-credentials
-# allow python dev files
-noblacklist ${HOME}/.python-history
-noblacklist ${HOME}/.python_history
-noblacklist ${HOME}/.pythonhist
-noblacklist ${HOME}/.pythonrc.py
 include disable-common.inc
 include disable-exec.inc
diff --git a/etc/atool.profile b/etc/atool.profile
index c9d950259..fb75c8408 100644
--- a/etc/atool.profile
+++ b/etc/atool.profile
@@ -1,7 +1,7 @@
 # Firejail profile for atool
 # Description: Tool for managing file archives of various types
-quiet
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include atool.local
 # Persistent global definitions
diff --git a/etc/aunpack.profile b/etc/aunpack.profile
index c119ed9ad..6ce4aa491 100644
--- a/etc/aunpack.profile
+++ b/etc/aunpack.profile
@@ -1,5 +1,6 @@
 # Firejail profile for aunpack
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include aunpack.local
 # Persistent global definitions
diff --git a/etc/baloo_file.profile b/etc/baloo_file.profile
index f46987cc7..6f7638fa3 100644
--- a/etc/baloo_file.profile
+++ b/etc/baloo_file.profile
@@ -39,7 +39,7 @@ nou2f
 novideo
 protocol unix
 # blacklisting of ioprio_set system calls breaks baloo_file
-seccomp.drop @cpu-emulation,@debug,@obsolete,@privileged,@resources,add_key,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,kcmp,keyctl,name_to_handle_at,ni_syscall,open_by_handle_at,personality,process_vm_readv,ptrace,remap_file_pages,request_key,syslog,umount,userfaultfd,vmsplice
+seccomp !ioprio_set
 shell none
 # x11 xorg
diff --git a/etc/baobab.profile b/etc/baobab.profile
index d2980f75c..c419aa202 100644
--- a/etc/baobab.profile
+++ b/etc/baobab.profile
@@ -32,5 +32,3 @@ shell none
 private-bin baobab
 private-dev
 private-tmp
-#memory-deny-write-execute - breaks on Arch (see issue #1803)
diff --git a/etc/basilisk.profile b/etc/basilisk.profile
index 5bc91dc74..8dc3847a0 100644
--- a/etc/basilisk.profile
+++ b/etc/basilisk.profile
@@ -14,8 +14,8 @@ whitelist ${HOME}/.cache/moonchild productions/basilisk
 whitelist ${HOME}/.moonchild productions
 # Basilisk can use the full firejail seccomp filter (unlike firefox >= 60)
-ignore seccomp.drop
 seccomp
+ignore seccomp
 #private-bin basilisk
 # private-etc must first be enabled in firefox-common.profile
diff --git a/etc/bibletime.profile b/etc/bibletime.profile
index 4f1b05c88..0de3bc480 100644
--- a/etc/bibletime.profile
+++ b/etc/bibletime.profile
@@ -42,7 +42,7 @@ notv
 nou2f
 novideo
 protocol unix,inet,inet6,netlink
-seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+seccomp !chroot
 shell none
 disable-mnt
diff --git a/etc/brackets.profile b/etc/brackets.profile
index 3e157d841..13a3bef79 100644
--- a/etc/brackets.profile
+++ b/etc/brackets.profile
@@ -8,13 +8,9 @@ include globals.local
 noblacklist ${HOME}/.config/Brackets
 #noblacklist /opt/brackets/
 #noblacklist /opt/google/
-# Uncomment the next two lines if you are developing rust.
-# or put it in your brackets.local
+# Allows files commonly used by IDEs
-#noblacklist ${HOME}/.cargo/config
+include allow-common-devel.inc
-#noblacklist ${HOME}/.cargo/registry
-noblacklist ${HOME}/.config/git
-noblacklist ${HOME}/.gitconfig
-noblacklist ${HOME}/.git-credentials
 include disable-common.inc
 include disable-passwdmgr.inc
@@ -31,7 +27,7 @@ notv
 nou2f
 novideo
 protocol unix,inet,inet6,netlink
-seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,iopl,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,pciconfig_iobase,pciconfig_read,pciconfig_write,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,s390_mmio_read,s390_mmio_write,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+seccomp !chroot,!ioperm
 shell none
 private-cache
diff --git a/etc/bsdtar.profile b/etc/bsdtar.profile
index 1411ce7bd..17c67ed26 100644
--- a/etc/bsdtar.profile
+++ b/etc/bsdtar.profile
@@ -20,8 +20,8 @@ ipc-namespace
 machine-id
 net none
 no3d
-nodvd
 nodbus
+nodvd
 nogroups
 nonewprivs
 # noroot
diff --git a/etc/bunzip2.profile b/etc/bunzip2.profile
index ff86cbdfc..37b47c2ce 100644
--- a/etc/bunzip2.profile
+++ b/etc/bunzip2.profile
@@ -1,6 +1,7 @@
 # Firejail profile for bunzip2
 # Description: A high-quality data compression program
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include bunzip2.local
 # Persistent global definitions
diff --git a/etc/bzcat.profile b/etc/bzcat.profile
new file mode 100644
index 000000000..edefb6bb8
--- /dev/null
+++ b/etc/bzcat.profile
@@ -0,0 +1,15 @@
+# Firejail profile for bzcat
+# Description: A high-quality data compression program
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include bzcat.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+ignore read-write
+read-only ${HOME}
+# Redirect
+include gzip.profile
diff --git a/etc/bzip2.profile b/etc/bzip2.profile
index 0f2fdd35a..0756e0537 100644
--- a/etc/bzip2.profile
+++ b/etc/bzip2.profile
@@ -1,6 +1,7 @@
 # Firejail profile for bzip2
 # Description: A high-quality data compression program
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include bzip2.local
 # Persistent global definitions
diff --git a/etc/checkbashisms.profile b/etc/checkbashisms.profile
index fe3202cea..7b2d344e5 100644
--- a/etc/checkbashisms.profile
+++ b/etc/checkbashisms.profile
@@ -44,7 +44,7 @@ x11 none
 private-cache
 private-dev
-private-lib perl*
+private-lib libfreebl3.so,perl*
 private-tmp
 memory-deny-write-execute
diff --git a/etc/clementine.profile b/etc/clementine.profile
index 147b0de4b..4d92157d0 100644
--- a/etc/clementine.profile
+++ b/etc/clementine.profile
@@ -27,7 +27,7 @@ nou2f
 novideo
 protocol unix,inet,inet6
 # blacklisting of ioprio_set system calls breaks clementine
-seccomp.drop @cpu-emulation,@debug,@obsolete,@privileged,@resources,add_key,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,kcmp,keyctl,name_to_handle_at,ni_syscall,open_by_handle_at,personality,process_vm_readv,ptrace,remap_file_pages,request_key,syslog,umount,userfaultfd,vmsplice
+seccomp !ioprio_set
 private-dev
 private-tmp
diff --git a/etc/code.profile b/etc/code.profile
index 6faf429e1..7ac4e1619 100644
--- a/etc/code.profile
+++ b/etc/code.profile
@@ -5,20 +5,14 @@ include code.local
 # Persistent global definitions
 include globals.local
-noblacklist ${HOME}/.cargo/config
-noblacklist ${HOME}/.cargo/registry
 noblacklist ${HOME}/.config/Code
 noblacklist ${HOME}/.config/Code - OSS
-noblacklist ${HOME}/.config/git
-noblacklist ${HOME}/.gitconfig
-noblacklist ${HOME}/.git-credentials
-noblacklist ${HOME}/.python-history
-noblacklist ${HOME}/.python_history
-noblacklist ${HOME}/.pythonhist
-noblacklist ${HOME}/.pythonrc.py
 noblacklist ${HOME}/.vscode
 noblacklist ${HOME}/.vscode-oss
+# Allows files commonly used by IDEs
+include allow-common-devel.inc
 include disable-common.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
diff --git a/etc/conplay.profile b/etc/conplay.profile
index 101ce2f17..d0ad7c753 100644
--- a/etc/conplay.profile
+++ b/etc/conplay.profile
@@ -1,4 +1,6 @@
 # Firejail profile for conplay
+# Description: MPEG audio player/decoder
+# This file is overwritten after every install/update
 # Persistent local customizations
 include conplay.local
 # Persistent global definitions
diff --git a/etc/dconf-editor.profile b/etc/dconf-editor.profile
index 7cd39ca6a..29f676535 100644
--- a/etc/dconf-editor.profile
+++ b/etc/dconf-editor.profile
@@ -41,5 +41,3 @@ private-dev
 private-etc alternatives,dconf,fonts,gtk-3.0,machine-id
 private-lib
 private-tmp
-# memory-deny-write-execute
diff --git a/etc/devhelp.profile b/etc/devhelp.profile
index 60bebb0c9..02b752b5f 100644
--- a/etc/devhelp.profile
+++ b/etc/devhelp.profile
@@ -41,6 +41,6 @@ private-dev
 private-etc alternatives,dconf,fonts,ld.so.cache,machine-id,ssl
 private-tmp
-#memory-deny-write-execute - breaks on Arch (see issue 1803)
+#memory-deny-write-execute - breaks on Arch (see issue #1803)
 read-only ${HOME}
diff --git a/etc/dig.profile b/etc/dig.profile
index 6f2c1f755..611cbf026 100644
--- a/etc/dig.profile
+++ b/etc/dig.profile
@@ -1,7 +1,7 @@
 # Firejail profile for dig
 # Description: DNS lookup utility
-quiet
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include dig.local
 # Persistent global definitions
diff --git a/etc/dino.profile b/etc/dino.profile
index f7b220936..82ddf2819 100644
--- a/etc/dino.profile
+++ b/etc/dino.profile
@@ -1,4 +1,5 @@
 # Firejail profile for dino
+# Description: Modern XMPP Chat Client using GTK+/Vala
 # This file is overwritten after every install/update
 # Persistent local customizations
 include dino.local
diff --git a/etc/disable-common.inc b/etc/disable-common.inc
index 7ca5a6b89..fe49ce2f4 100644
--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -67,6 +67,7 @@ blacklist ${HOME}/.config/khotkeysrc
 blacklist ${HOME}/.config/krunnerrc
 blacklist ${HOME}/.config/kscreenlockerrc
 blacklist ${HOME}/.config/ksslcertificatemanager
+blacklist ${HOME}/.config/kwalletrc
 blacklist ${HOME}/.config/kwinrc
 blacklist ${HOME}/.config/kwinrulesrc
 blacklist ${HOME}/.config/plasma-org.kde.plasma.desktop-appletsrc
@@ -79,6 +80,7 @@ blacklist ${HOME}/.kde/share/config/khotkeysrc
 blacklist ${HOME}/.kde/share/config/krunnerrc
 blacklist ${HOME}/.kde/share/config/kscreensaverrc
 blacklist ${HOME}/.kde/share/config/ksslcertificatemanager
+blacklist ${HOME}/.kde/share/config/kwalletrc
 blacklist ${HOME}/.kde/share/config/kwinrc
 blacklist ${HOME}/.kde/share/config/kwinrulesrc
 blacklist ${HOME}/.kde/share/config/plasma-desktop-appletsrc
@@ -89,6 +91,7 @@ blacklist ${HOME}/.kde4/share/config/khotkeysrc
 blacklist ${HOME}/.kde4/share/config/krunnerrc
 blacklist ${HOME}/.kde4/share/config/kscreensaverrc
 blacklist ${HOME}/.kde4/share/config/ksslcertificatemanager
+blacklist ${HOME}/.kde4/share/config/kwalletrc
 blacklist ${HOME}/.kde4/share/config/kwinrc
 blacklist ${HOME}/.kde4/share/config/kwinrulesrc
 blacklist ${HOME}/.kde4/share/config/plasma-desktop-appletsrc
@@ -281,8 +284,7 @@ read-only ${HOME}/bin
 read-only ${HOME}/.bin
 read-only ${HOME}/.local/bin
 read-only ${HOME}/.cargo/bin
-blacklist ${HOME}/.cargo/registry
+read-only ${HOME}/.cargo/env
-blacklist ${HOME}/.cargo/config
 # Write-protection for desktop entries
 read-only ${HOME}/.config/menus
@@ -297,11 +299,14 @@ blacklist ${HOME}/*.kdbx
 blacklist ${HOME}/*.key
 blacklist ${HOME}/.Private
 blacklist ${HOME}/.caff
+blacklist ${HOME}/.cargo/credentials
 blacklist ${HOME}/.cert
 blacklist ${HOME}/.config/keybase
 blacklist ${HOME}/.davfs2/secrets
 blacklist ${HOME}/.ecryptfs
 blacklist ${HOME}/.fetchmailrc
+blacklist ${HOME}/.git-credential-cache
+blacklist ${HOME}/.git-credentials
 blacklist ${HOME}/.gnome2/keyrings
 blacklist ${HOME}/.gnupg
 blacklist ${HOME}/.config/hub
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index cc6877693..e54b651a6 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -3,6 +3,7 @@
 include disable-programs.local
 blacklist ${HOME}/Arduino
+blacklist ${HOME}/i2p
 blacklist ${HOME}/Monero/wallets
 blacklist ${HOME}/Nextcloud/Notes
 blacklist ${HOME}/SoftMaker
@@ -28,9 +29,9 @@ blacklist ${HOME}/.Steam
 blacklist ${HOME}/.Steampath
 blacklist ${HOME}/.Steampid
 blacklist ${HOME}/.TelegramDesktop
+blacklist ${HOME}/.VSCodium
 blacklist ${HOME}/.ViberPC
 blacklist ${HOME}/.VirtualBox
-blacklist ${HOME}/.VSCodium
 blacklist ${HOME}/.WebStorm*
 blacklist ${HOME}/.Wolfram Research
 blacklist ${HOME}/.ZAP
@@ -51,6 +52,8 @@ blacklist ${HOME}/.bibletime
 blacklist ${HOME}/.bitcoin
 blacklist ${HOME}/.bogofilter
 blacklist ${HOME}/.bzf
+blacklist ${HOME}/.cargo/registry
+blacklist ${HOME}/.cargo/config
 blacklist ${HOME}/.claws-mail
 blacklist ${HOME}/.cliqz
 blacklist ${HOME}/.clonk
@@ -94,9 +97,9 @@ blacklist ${HOME}/.config/MusicBrainz
 blacklist ${HOME}/.config/Nathan Osman
 blacklist ${HOME}/.config/Nylas Mail
 blacklist ${HOME}/.config/PBE
-blacklist ${HOME}/.config/Qlipper
 blacklist ${HOME}/.config/QGIS
 blacklist ${HOME}/.config/QMediathekView
+blacklist ${HOME}/.config/Qlipper
 blacklist ${HOME}/.config/QuiteRss
 blacklist ${HOME}/.config/QuiteRssrc
 blacklist ${HOME}/.config/Rambox
@@ -179,10 +182,11 @@ blacklist ${HOME}/.config/ghb
 blacklist ${HOME}/.config/ghostwriter
 blacklist ${HOME}/.config/git
 blacklist ${HOME}/.config/globaltime
+blacklist ${HOME}/.config/gnome-builder
 blacklist ${HOME}/.config/gnome-mplayer
 blacklist ${HOME}/.config/gnome-mpv
-blacklist ${HOME}/.config/godot
 blacklist ${HOME}/.config/gnome-pie
+blacklist ${HOME}/.config/godot
 blacklist ${HOME}/.config/google-chrome
 blacklist ${HOME}/.config/google-chrome-beta
 blacklist ${HOME}/.config/google-chrome-unstable
@@ -190,6 +194,7 @@ blacklist ${HOME}/.config/gpicview
 blacklist ${HOME}/.config/gthumb
 blacklist ${HOME}/.config/gwenviewrc
 blacklist ${HOME}/.config/hexchat
+blacklist ${HOME}/.config/i2p
 blacklist ${HOME}/.config/inkscape
 blacklist ${HOME}/.config/inox
 blacklist ${HOME}/.config/iridium
@@ -231,8 +236,8 @@ blacklist ${HOME}/.config/meteo-qt
 blacklist ${HOME}/.config/mfusion
 blacklist ${HOME}/.config/midori
 blacklist ${HOME}/.config/mono
-blacklist ${HOME}/.config/mpd
 blacklist ${HOME}/.config/mpDris2
+blacklist ${HOME}/.config/mpd
 blacklist ${HOME}/.config/mps-youtube
 blacklist ${HOME}/.config/mpv
 blacklist ${HOME}/.config/mupen64plus
@@ -253,8 +258,8 @@ blacklist ${HOME}/.config/opera
 blacklist ${HOME}/.config/opera-beta
 blacklist ${HOME}/.config/orage
 blacklist ${HOME}/.config/org.kde.gwenviewrc
-blacklist ${HOME}/.config/pavucontrol.ini
 blacklist ${HOME}/.config/pavucontrol-qt
+blacklist ${HOME}/.config/pavucontrol.ini
 blacklist ${HOME}/.config/pcmanfm
 blacklist ${HOME}/.config/pdfmod
 blacklist ${HOME}/.config/Pinta
@@ -302,6 +307,7 @@ blacklist ${HOME}/.config/vivaldi
 blacklist ${HOME}/.config/vivaldi-snapshot
 blacklist ${HOME}/.config/vlc
 blacklist ${HOME}/.config/wesnoth
+blacklist ${HOME}/.config/Whalebird
 blacklist ${HOME}/.config/wireshark
 blacklist ${HOME}/.config/xchat
 blacklist ${HOME}/.config/xed
@@ -322,6 +328,7 @@ blacklist ${HOME}/.config/yelp
 blacklist ${HOME}/.config/youtube-dl
 blacklist ${HOME}/.config/zathura
 blacklist ${HOME}/.config/zoomus.conf
+blacklist ${HOME}/.config/Zulip
 blacklist ${HOME}/.conkeror.mozdev.org
 blacklist ${HOME}/.crawl
 blacklist ${HOME}/.curlrc
@@ -350,8 +357,6 @@ blacklist ${HOME}/.freecol
 blacklist ${HOME}/.freemind
 blacklist ${HOME}/.frozen-bubble
 blacklist ${HOME}/.gimp*
-blacklist ${HOME}/.git-credentials
-blacklist ${HOME}/.git-credential-cache
 blacklist ${HOME}/.gitconfig
 blacklist ${HOME}/.gnome/gnome-schedule
 blacklist ${HOME}/.googleearth/Cache/
@@ -364,9 +369,11 @@ blacklist ${HOME}/.guayadeque
 blacklist ${HOME}/.hashcat
 blacklist ${HOME}/.hedgewars
 blacklist ${HOME}/.hugin
+blacklist ${HOME}/.i2p
 blacklist ${HOME}/.icedove
 blacklist ${HOME}/.imagej
 blacklist ${HOME}/.inkscape
+blacklist ${HOME}/.itch
 blacklist ${HOME}/.jack-server
 blacklist ${HOME}/.jack-settings
 blacklist ${HOME}/.jak
@@ -409,13 +416,13 @@ blacklist ${HOME}/.kde4/share/apps/kaffeine
 blacklist ${HOME}/.kde4/share/apps/kcookiejar
 blacklist ${HOME}/.kde4/share/apps/kget
 blacklist ${HOME}/.kde4/share/apps/khtml
-blacklist ${HOME}/.kde4/share/apps/konqueror
 blacklist ${HOME}/.kde4/share/apps/konqsidebartng
+blacklist ${HOME}/.kde4/share/apps/konqueror
 blacklist ${HOME}/.kde4/share/apps/kopete
 blacklist ${HOME}/.kde4/share/apps/ktorrent
 blacklist ${HOME}/.kde4/share/apps/okular
-blacklist ${HOME}/.kde4/share/config/baloorc
 blacklist ${HOME}/.kde4/share/config/baloofilerc
+blacklist ${HOME}/.kde4/share/config/baloorc
 blacklist ${HOME}/.kde4/share/config/digikam
 blacklist ${HOME}/.kde4/share/config/gwenviewrc
 blacklist ${HOME}/.kde4/share/config/k3brc
@@ -438,9 +445,9 @@ blacklist ${HOME}/.kinorc
 blacklist ${HOME}/.klatexformula
 blacklist ${HOME}/.kodi
 blacklist ${HOME}/.lincity-ng
+blacklist ${HOME}/.links
 blacklist ${HOME}/.linphone-history.db
 blacklist ${HOME}/.linphonerc
-blacklist ${HOME}/.links
 blacklist ${HOME}/.lmmsrc.xml
 blacklist ${HOME}/.local/lib/vivaldi
 blacklist ${HOME}/.local/share/0ad
@@ -494,6 +501,7 @@ blacklist ${HOME}/.local/share/geeqie
 blacklist ${HOME}/.local/share/gitg
 blacklist ${HOME}/.local/share/gnome-2048
 blacklist ${HOME}/.local/share/gnome-chess
+blacklist ${HOME}/.local/share/gnome-builder
 blacklist ${HOME}/.local/share/gnome-music
 blacklist ${HOME}/.local/share/gnome-photos
 blacklist ${HOME}/.local/share/gnome-recipes
@@ -502,10 +510,13 @@ blacklist ${HOME}/.local/share/gnome-twitch
 blacklist ${HOME}/.local/share/godot
 blacklist ${HOME}/.local/share/gradio
 blacklist ${HOME}/.local/share/gwenview
+blacklist ${HOME}/.local/share/i2p
 blacklist ${HOME}/.local/share/kaffeine
 blacklist ${HOME}/.local/share/kate
 blacklist ${HOME}/.local/share/kdenlive
 blacklist ${HOME}/.local/share/kget
+blacklist ${HOME}/.local/share/kiwix
+blacklist ${HOME}/.local/share/kiwix-desktop
 blacklist ${HOME}/.local/share/klavaro
 blacklist ${HOME}/.local/share/kmail2
 blacklist ${HOME}/.local/share/knotes
@@ -626,8 +637,7 @@ blacklist ${HOME}/.teeworlds
 blacklist ${HOME}/.thunderbird
 blacklist ${HOME}/.tilp
 blacklist ${HOME}/.tooling
-blacklist ${HOME}/.tor-browser-*
+blacklist ${HOME}/.tor-browser*
-blacklist ${HOME}/.tor-browser_*
 blacklist ${HOME}/.torcs
 blacklist ${HOME}/.tremulous
 blacklist ${HOME}/.ts3client
@@ -635,6 +645,8 @@ blacklist ${HOME}/.tuxguitar*
 blacklist ${HOME}/.unknown-horizons
 blacklist ${HOME}/.viking
 blacklist ${HOME}/.viking-maps
+blacklist ${HOME}/.vim
+blacklist ${HOME}/.vimrc
 blacklist ${HOME}/.vscode
 blacklist ${HOME}/.vscode-oss
 blacklist ${HOME}/.vst
@@ -704,6 +716,7 @@ blacklist ${HOME}/.cache/godot
 blacklist ${HOME}/.cache/google-chrome
 blacklist ${HOME}/.cache/google-chrome-beta
 blacklist ${HOME}/.cache/google-chrome-unstable
+blacklist ${HOME}/.cache/gnome-builder
 blacklist ${HOME}/.cache/gnome-recipes
 blacklist ${HOME}/.cache/gnome-twitch
 blacklist ${HOME}/.cache/gradio
@@ -726,6 +739,7 @@ blacklist ${HOME}/.cache/libgweather
 blacklist ${HOME}/.cache/liferea
 blacklist ${HOME}/.cache/Mendeley Ltd.
 blacklist ${HOME}/.cache/midori
+blacklist ${HOME}/.cache/minetest
 blacklist ${HOME}/.cache/moonchild productions/basilisk
 blacklist ${HOME}/.cache/moonchild productions/pale moon
 blacklist ${HOME}/.cache/mozilla
diff --git a/etc/dnscrypt-proxy.profile b/etc/dnscrypt-proxy.profile
index c04451373..bba94e3cb 100644
--- a/etc/dnscrypt-proxy.profile
+++ b/etc/dnscrypt-proxy.profile
@@ -1,6 +1,7 @@
 # Firejail profile for dnscrypt-proxy
 # Description: Tool for securing communications between a client and a DNS resolver
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include dnscrypt-proxy.local
 # Persistent global definitions
diff --git a/etc/dnsmasq.profile b/etc/dnsmasq.profile
index daf4795c3..dfb1b61c1 100644
--- a/etc/dnsmasq.profile
+++ b/etc/dnsmasq.profile
@@ -1,6 +1,7 @@
 # Firejail profile for dnsmasq
 # Description: Small caching DNS proxy and DHCP/TFTP server
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include dnsmasq.local
 # Persistent global definitions
diff --git a/etc/emacs.profile b/etc/emacs.profile
index f8b451f02..ab378105e 100644
--- a/etc/emacs.profile
+++ b/etc/emacs.profile
@@ -11,10 +11,9 @@ noblacklist ${HOME}/.emacs.d
 # if you need gpg uncomment the following line
 # or put it into your emacs.local
 #noblacklist ${HOME}/.gnupg
-noblacklist ${HOME}/.python-history
-noblacklist ${HOME}/.python_history
+# Allows files commonly used by IDEs
-noblacklist ${HOME}/.pythonhist
+include allow-common-devel.inc
-noblacklist ${HOME}/.pythonrc.py
 include disable-common.inc
 include disable-passwdmgr.inc
@@ -27,5 +26,6 @@ nogroups
 nonewprivs
 noroot
 notv
+novideo
 protocol unix,inet,inet6
 seccomp
diff --git a/etc/eo-common.profile b/etc/eo-common.profile
index f4b263f50..c4ad8ced4 100644
--- a/etc/eo-common.profile
+++ b/etc/eo-common.profile
@@ -43,5 +43,3 @@ private-dev
 private-etc alternatives,dconf,fonts,gtk-3.0
 private-lib eog,eom,gdk-pixbuf-2.*,gio,girepository-1.*,gvfs,libgconf-2.so.*
 private-tmp
-#memory-deny-write-execute - breaks on Arch (see issue #1803)
diff --git a/etc/etr.profile b/etc/etr.profile
index d93d3de63..97a43bb59 100644
--- a/etc/etr.profile
+++ b/etc/etr.profile
@@ -1,4 +1,5 @@
 # Firejail profile for etr
+# Description: High speed arctic racing game
 # This file is overwritten after every install/update
 # Persistent local customizations
 include etr.local
@@ -29,6 +30,7 @@ nonewprivs
 noroot
 notv
 nou2f
+novideo
 protocol unix,netlink
 seccomp
 shell none
diff --git a/etc/falkon.profile b/etc/falkon.profile
index cabf5aeba..0024b6660 100644
--- a/etc/falkon.profile
+++ b/etc/falkon.profile
@@ -34,9 +34,10 @@ notv
 nou2f
 protocol unix,inet,inet6,netlink
 # blacklisting of chroot system calls breaks falkon
-seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+seccomp !chroot
 # tracelog
 private-dev
+# private-etc alternatives,passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,adobe,mime.types,mailcap,asound.conf,pulse,machine-id,ca-certificates,ssl,pki,crypto-policies
 # private-tmp - interferes with the opening of downloaded files
diff --git a/etc/feedreader.profile b/etc/feedreader.profile
index e453cc611..e381b12d6 100644
--- a/etc/feedreader.profile
+++ b/etc/feedreader.profile
@@ -15,6 +15,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-xdg.inc
 mkdir ${HOME}/.cache/feedreader
 mkdir ${HOME}/.local/share/feedreader
diff --git a/etc/ffmpegthumbnailer.profile b/etc/ffmpegthumbnailer.profile
index 3681c40f1..6d72c3b99 100644
--- a/etc/ffmpegthumbnailer.profile
+++ b/etc/ffmpegthumbnailer.profile
@@ -1,6 +1,7 @@
 # Firejail profile for ffmpegthumbnailer
 # Description: FFmpeg-based video thumbnailer
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include ffmpegthumbnailer.local
 # Persistent global definitions
diff --git a/etc/ffplay.profile b/etc/ffplay.profile
index b42cc29bc..71187a5b5 100644
--- a/etc/ffplay.profile
+++ b/etc/ffplay.profile
@@ -1,6 +1,7 @@
 # Firejail profile for ffplay
 # Description: FFmpeg-based media player
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include ffplay.local
 # Persistent global definitions
diff --git a/etc/ffprobe.profile b/etc/ffprobe.profile
index bd8643206..cb24a7d05 100644
--- a/etc/ffprobe.profile
+++ b/etc/ffprobe.profile
@@ -1,6 +1,7 @@
 # Firejail profile for ffprobe
 # Description: FFmpeg-based media prober
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include ffprobe.local
 # Persistent global definitions
diff --git a/etc/file-roller.profile b/etc/file-roller.profile
index db1426f36..496152540 100644
--- a/etc/file-roller.profile
+++ b/etc/file-roller.profile
@@ -37,5 +37,3 @@ tracelog
 # private-bin file-roller
 private-dev
 # private-tmp
-# memory-deny-write-execute
diff --git a/etc/file.profile b/etc/file.profile
index 69fa7d8cd..37c7ee9e7 100644
--- a/etc/file.profile
+++ b/etc/file.profile
@@ -33,10 +33,11 @@ shell none
 tracelog
 x11 none
-#private-bin file
+#private-bin bzip2,file,gzip,lrzip,lz4,lzip,xz,zstd
 private-cache
 private-dev
 private-etc alternatives,localtime,magic,magic.mgc
-private-lib libarchive.so.*,libfakeroot,libmagic.so.*
+private-lib file,libarchive.so.*,libfakeroot,libmagic.so.*
 memory-deny-write-execute
+read-only ${HOME}
diff --git a/etc/firefox-common.profile b/etc/firefox-common.profile
index 6ad4a9bc2..02d6199a0 100644
--- a/etc/firefox-common.profile
+++ b/etc/firefox-common.profile
@@ -46,7 +46,7 @@ notv
 ?BROWSER_DISABLE_U2F: nou2f
 protocol unix,inet,inet6,netlink
 # The below seccomp configuration still permits chroot syscall. See https://github.com/netblue30/firejail/issues/2506 for possible workarounds.
-seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+seccomp !chroot
 shell none
 # Disable tracelog, it breaks or causes major issues with many firefox based browsers, see https://github.com/netblue30/firejail/issues/1930.
 #tracelog
diff --git a/etc/firefox.profile b/etc/firefox.profile
index 84c647cb9..8d90a0917 100644
--- a/etc/firefox.profile
+++ b/etc/firefox.profile
@@ -16,6 +16,8 @@ whitelist ${HOME}/.mozilla
 # firefox requires a shell to launch on Arch.
 #private-bin bash,dbus-launch,dbus-send,env,firefox,sh,which
+# Fedora use shell scripts to launch firefox, at least this is required
+#private-bin awk,basename,bash,cat,dbus-launch,dbus-send,dirname,env,expr,false,firefox,firefox-wayland,ln,mkdir,pidof,rm,rmdir,sed,sh,tclsh,true,uname,which
 # private-etc must first be enabled in firefox-common.profile
 #private-etc firefox
diff --git a/etc/firejail.config b/etc/firejail.config
index 1f80cedee..565796d5a 100644
--- a/etc/firejail.config
+++ b/etc/firejail.config
@@ -2,9 +2,6 @@
 # keyword-argument pairs, one per line. Most features are enabled by default.
 # Use 'yes' or 'no' as configuration values.
-# Resolve symbolic links in path of user home directories, default disabled.
-# homedir-symlink no
 # Enable AppArmor functionality, default enabled.
 # apparmor yes
diff --git a/etc/frozen-bubble.profile b/etc/frozen-bubble.profile
index 3931aa64a..6cef181c8 100644
--- a/etc/frozen-bubble.profile
+++ b/etc/frozen-bubble.profile
@@ -31,6 +31,7 @@ nonewprivs
 noroot
 notv
 nou2f
+novideo
 protocol unix,netlink
 seccomp
 shell none
diff --git a/etc/geany.profile b/etc/geany.profile
index 2cffb8777..31599e32a 100644
--- a/etc/geany.profile
+++ b/etc/geany.profile
@@ -7,13 +7,9 @@ include geany.local
 include globals.local
 noblacklist ${HOME}/.config/geany
-noblacklist ${HOME}/.config/git
-noblacklist ${HOME}/.gitconfig
+# Allows files commonly used by IDEs
-noblacklist ${HOME}/.git-credentials
+include allow-common-devel.inc
-noblacklist ${HOME}/.python-history
-noblacklist ${HOME}/.python_history
-noblacklist ${HOME}/.pythonhist
-noblacklist ${HOME}/.pythonrc.py
 include disable-common.inc
 include disable-passwdmgr.inc
diff --git a/etc/gedit.profile b/etc/gedit.profile
index ed6efc3b6..837396654 100644
--- a/etc/gedit.profile
+++ b/etc/gedit.profile
@@ -8,13 +8,9 @@ include globals.local
 noblacklist ${HOME}/.config/enchant
 noblacklist ${HOME}/.config/gedit
-noblacklist ${HOME}/.config/git
-noblacklist ${HOME}/.gitconfig
+# Allows files commonly used by IDEs
-noblacklist ${HOME}/.git-credentials
+include allow-common-devel.inc
-noblacklist ${HOME}/.python-history
-noblacklist ${HOME}/.python_history
-noblacklist ${HOME}/.pythonhist
-noblacklist ${HOME}/.pythonrc.py
 include disable-common.inc
 # include disable-devel.inc
diff --git a/etc/ghostwriter.profile b/etc/ghostwriter.profile
index 1fb2d8f58..2479ec16d 100644
--- a/etc/ghostwriter.profile
+++ b/etc/ghostwriter.profile
@@ -35,9 +35,9 @@ protocol unix,inet,inet6,netlink
 shell none
 #tracelog -- breaks
-# Breaks Translation
+private-bin gettext,ghostwriter,pandoc
-#private-bin ghostwriter,pandoc
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,dbus-1,dconf,fonts,gconf,groups,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,login.defs,machine-id,mime.types,nsswitch.conf,pango,passwd,pki,protocols,resolv.conf,rpc,services,ssl,Trolltech.conf,X11,xdg
+# passwd,login.defs,firejail are a temporary workaround for #2877 and can be removed once it is fixed
+private-etc alternatives,ca-certificates,crypto-policies,dbus-1,dconf,firejail,fonts,gconf,groups,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,login.defs,machine-id,mime.types,nsswitch.conf,pango,passwd,pki,protocols,resolv.conf,rpc,services,ssl,Trolltech.conf,X11,xdg
 private-tmp
diff --git a/etc/gimp.profile b/etc/gimp.profile
index 762e743c8..fab7fa123 100644
--- a/etc/gimp.profile
+++ b/etc/gimp.profile
@@ -8,7 +8,7 @@ include globals.local
 # gimp plugins are installed by the user in ${HOME}/.gimp-2.8/plug-ins/ directory
 # if you are not using external plugins, you can comment 'ignore noexec' statement below
-# or put 'ignore ignore noexec ${HOME}' in your gimp.local
+# or put 'noexec ${HOME}' in your gimp.local
 ignore noexec ${HOME}
 noblacklist ${HOME}/.config/GIMP
diff --git a/etc/git.profile b/etc/git.profile
index f7c812e65..8b1c81ca4 100644
--- a/etc/git.profile
+++ b/etc/git.profile
@@ -15,7 +15,6 @@ noblacklist ${HOME}/.gitconfig
 noblacklist ${HOME}/.git-credentials
 noblacklist ${HOME}/.gnupg
 noblacklist ${HOME}/.nanorc
-noblacklist ${HOME}/.oh-my-zsh
 noblacklist ${HOME}/.ssh
 noblacklist ${HOME}/.vim
 noblacklist ${HOME}/.viminfo
diff --git a/etc/gitg.profile b/etc/gitg.profile
index f6f51ef6f..08c1c94b6 100644
--- a/etc/gitg.profile
+++ b/etc/gitg.profile
@@ -22,6 +22,7 @@ include disable-programs.inc
 include whitelist-var-common.inc
 caps.drop all
+netfilter
 no3d
 nodvd
 nogroups
@@ -39,6 +40,3 @@ private-bin git,gitg,ssh
 private-cache
 private-dev
 private-tmp
-# mdwe breaks diff in older versions
-#memory-deny-write-execute
diff --git a/etc/gnome-builder.profile b/etc/gnome-builder.profile
index dfa1a5da8..726a74089 100644
--- a/etc/gnome-builder.profile
+++ b/etc/gnome-builder.profile
@@ -6,15 +6,12 @@ include gnome-builder.local
 # Persistent global definitions
 include globals.local
-noblacklist ${HOME}/.cargo/config
+noblacklist ${HOME}/.cache/gnome-builder
-noblacklist ${HOME}/.cargo/registry
+noblacklist ${HOME}/.config/gnome-builder
-noblacklist ${HOME}/.config/git
+noblacklist ${HOME}/.local/share/gnome-builder
-noblacklist ${HOME}/.gitconfig
-noblacklist ${HOME}/.git-credentials
+# Allows files commonly used by IDEs
-noblacklist ${HOME}/.python-history
+include allow-common-devel.inc
-noblacklist ${HOME}/.python_history
-noblacklist ${HOME}/.pythonhist
-noblacklist ${HOME}/.pythonrc.py
 include disable-common.inc
 include disable-passwdmgr.inc
diff --git a/etc/gnome-character-map.profile b/etc/gnome-character-map.profile
index 35db448f2..27804fdd0 100644
--- a/etc/gnome-character-map.profile
+++ b/etc/gnome-character-map.profile
@@ -6,4 +6,5 @@ include gnome-character-map.local
 # added by included profile
 #include globals.local
+# Redirect
 include gucharmap.profile
diff --git a/etc/gnome-photos.profile b/etc/gnome-photos.profile
index 3bbad67bb..aa0b7dbe3 100644
--- a/etc/gnome-photos.profile
+++ b/etc/gnome-photos.profile
@@ -28,6 +28,7 @@ noroot
 nosound
 notv
 nou2f
+novideo
 protocol unix
 seccomp
 shell none
diff --git a/etc/gnome-schedule.profile b/etc/gnome-schedule.profile
index 6c9c83e5f..cbeb82465 100644
--- a/etc/gnome-schedule.profile
+++ b/etc/gnome-schedule.profile
@@ -13,15 +13,9 @@ noblacklist ${PATH}/at
 noblacklist ${PATH}/crontab
 # Needs access to these files/dirs
-noblacklist /etc/at.allow
-noblacklist /etc/at.deny
 noblacklist /etc/cron.allow
 noblacklist /etc/cron.deny
-noblacklist /etc/fonts
-noblacklist /etc/ld.so.preload
-noblacklist /etc/pam.d
 noblacklist /etc/shadow
-noblacklist /var/spool/at
 noblacklist /var/spool/cron
 # cron job testing needs a terminal, resulting in sandbox escape (see disable-common.inc)
@@ -41,14 +35,6 @@ include disable-xdg.inc
 mkfile ${HOME}/.gnome/gnome-schedule
 whitelist ${HOME}/.gnome/gnome-schedule
-whitelist /etc/at.allow
-whitelist /etc/at.deny
-whitelist /etc/cron.allow
-whitelist /etc/cron.deny
-whitelist /etc/fonts
-whitelist /etc/pam.d
-whitelist /etc/ld.so.preload
-whitelist /etc/shadow
 whitelist /var/spool/atd
 whitelist /var/spool/cron
 include whitelist-common.inc
@@ -72,5 +58,6 @@ tracelog
 disable-mnt
 private-cache
 private-dev
+private-etc at.allow,at.deny,cron.allow,cron.deny,fonts,ld.so.preload,pam.d,shadow
 writable-var
diff --git a/etc/gnome-system-log.profile b/etc/gnome-system-log.profile
index f1347a8dc..b2907b32c 100644
--- a/etc/gnome-system-log.profile
+++ b/etc/gnome-system-log.profile
@@ -6,8 +6,6 @@ include gnome-system-log.local
 # Persistent global definitions
 include globals.local
-noblacklist /var/log
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
diff --git a/etc/gunzip.profile b/etc/gunzip.profile
index aff990ec0..6e97c6b78 100644
--- a/etc/gunzip.profile
+++ b/etc/gunzip.profile
@@ -1,5 +1,6 @@
 # Firejail profile for gunzip
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include gunzip.local
 # Persistent global definitions
diff --git a/etc/gwenview.profile b/etc/gwenview.profile
index 489be3931..5a5d81378 100644
--- a/etc/gwenview.profile
+++ b/etc/gwenview.profile
@@ -45,6 +45,6 @@ shell none
 private-bin gimp*,gwenview,kbuildsycoca4,kdeinit4
 private-dev
-private-etc alternatives,fonts,gimp,gtk-2.0,kde4rc,kde5rc,ld.so.cache,machine-id,pulse,xdg
+private-etc alternatives,fonts,gimp,gtk-2.0,kde4rc,kde5rc,ld.so.cache,machine-id,passwd,pulse,xdg
 # memory-deny-write-execute
diff --git a/etc/hedgewars.profile b/etc/hedgewars.profile
index 1e9f898e0..898a07a5f 100644
--- a/etc/hedgewars.profile
+++ b/etc/hedgewars.profile
@@ -26,6 +26,7 @@ nonewprivs
 noroot
 notv
 nou2f
+novideo
 seccomp
 tracelog
diff --git a/etc/i2prouter.profile b/etc/i2prouter.profile
new file mode 100644
index 000000000..e46fb3317
--- /dev/null
+++ b/etc/i2prouter.profile
@@ -0,0 +1,71 @@
+# Firejail profile for I2P
+# Description: A distributed anonymous network
+# This file is overwritten after every install/update
+# Persistent local customizations
+include i2prouter.local
+# Persistent global definitions
+include globals.local
+# Notice: default browser will not be able to automatically open, due to sandbox.
+# Auto-opening default browser can be disabled in the I2P router console.
+# This profile will not currently work with any Arch User Repository i2p packages,
+# use the distro-independent official java installer instead
+# Only needed if i2prouter binary is in home directory, java installer does this
+ignore noexec ${HOME}
+noblacklist ${HOME}/.config/i2p
+noblacklist ${HOME}/.i2p
+noblacklist ${HOME}/.local/share/i2p
+noblacklist ${HOME}/i2p
+# Only needed if wrapper is placed in /usr/sbin/, ubuntu official ppa package does this
+noblacklist /usr/sbin
+# Allow java (blacklisted by disable-devel.inc)
+include allow-java.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+mkdir ${HOME}/.config/i2p
+mkdir ${HOME}/.i2p
+mkdir ${HOME}/.local/share/i2p
+mkdir ${HOME}/i2p
+whitelist ${HOME}/.config/i2p
+whitelist ${HOME}/.i2p
+whitelist ${HOME}/.local/share/i2p
+whitelist ${HOME}/i2p
+# Only needed if wrapper is placed in /usr/sbin/, ubuntu official ppa package does this
+whitelist /usr/sbin/wrapper*
+include whitelist-common.inc
+# May break I2P if wrapper is placed in the home directory
+# If using ubuntu official ppa, this should be fine to uncomment, as it puts wrapper in /usr/sbin/
+#apparmor
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+disable-mnt
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,i2p,java-8-openjdk,pki,ssl
+private-tmp
diff --git a/etc/idea.sh.profile b/etc/idea.sh.profile
index 4f3047e08..a7d0d531f 100644
--- a/etc/idea.sh.profile
+++ b/etc/idea.sh.profile
@@ -7,17 +7,15 @@ include globals.local
 noblacklist ${HOME}/.IdeaIC*
 noblacklist ${HOME}/.android
-noblacklist ${HOME}/.config/git
-noblacklist ${HOME}/.gitconfig
-noblacklist ${HOME}/.git-credentials
-noblacklist ${HOME}/.gradle
 noblacklist ${HOME}/.jack-server
 noblacklist ${HOME}/.jack-settings
-noblacklist ${HOME}/.java
 noblacklist ${HOME}/.local/share/JetBrains
 noblacklist ${HOME}/.ssh
 noblacklist ${HOME}/.tooling
+# Allows files commonly used by IDEs
+include allow-common-devel.inc
 include disable-common.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
diff --git a/etc/itch.profile b/etc/itch.profile
index c0b4fe6ce..b3c78c810 100644
--- a/etc/itch.profile
+++ b/etc/itch.profile
@@ -8,6 +8,7 @@ include globals.local
 # itch.io has native firejail/sandboxing support bundled in
 # See https://itch.io/docs/itch/using/sandbox/linux.html
+noblacklist ${HOME}/.itch
 noblacklist ${HOME}/.config/itch
 include disable-common.inc
@@ -16,7 +17,9 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+mkdir ${HOME}/.itch
 mkdir ${HOME}/.config/itch
+whitelist ${HOME}/.itch
 whitelist ${HOME}/.config/itch
 include whitelist-common.inc
diff --git a/etc/kiwix-desktop.profile b/etc/kiwix-desktop.profile
new file mode 100644
index 000000000..8b7b12882
--- /dev/null
+++ b/etc/kiwix-desktop.profile
@@ -0,0 +1,49 @@
+# Firejail profile for kiwix-desktop
+# Description: view/manage ZIM files
+# This file is overwritten after every install/update
+# Persistent local customizations
+include kiwix-desktop.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.local/share/kiwix
+noblacklist ${HOME}/.local/share/kiwix-desktop
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+mkdir ${HOME}/.local/share/kiwix
+mkdir ${HOME}/.local/share/kiwix-desktop
+whitelist ${HOME}/.local/share/kiwix
+whitelist ${HOME}/.local/share/kiwix-desktop
+include whitelist-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+ipc-namespace
+netfilter
+# no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+# nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp !chroot
+shell none
+disable-mnt
+private-cache
+private-dev
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,hostname,hosts,ld.so.cache,machine-id,pki,pulse,resolv.conf,ssl
+private-tmp
diff --git a/etc/kmail.profile b/etc/kmail.profile
index 0b602c79a..198b05a11 100644
--- a/etc/kmail.profile
+++ b/etc/kmail.profile
@@ -51,7 +51,7 @@ nou2f
 novideo
 protocol unix,inet,inet6,netlink
 # we need to allow chroot, io_getevents, ioprio_set, io_setup, io_submit system calls
-seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+seccomp !chroot,!io_getevents,!io_setup,!io_submit,!ioprio_set
 # tracelog
 private-dev
diff --git a/etc/kwin_x11.profile b/etc/kwin_x11.profile
index ee07636d3..d512dd100 100644
--- a/etc/kwin_x11.profile
+++ b/etc/kwin_x11.profile
@@ -5,6 +5,9 @@ include kwin_x11.local
 # Persistent global definitions
 include globals.local
+# fix automatical kwin_x11 sandboxing:
+# echo KDEWM=kwin_x11 >> ~/.pam_environment
 noblacklist ${HOME}/.cache/kwin
 noblacklist ${HOME}/.config/kwinrc
 noblacklist ${HOME}/.config/kwinrulesrc
diff --git a/etc/less.profile b/etc/less.profile
index 0f31d344b..282b033a6 100644
--- a/etc/less.profile
+++ b/etc/less.profile
@@ -8,8 +8,6 @@ include less.local
 include globals.local
 noblacklist ${HOME}/.lesshst
-read-only ${HOME}
-read-write ${HOME}/.lesshst
 include disable-devel.inc
 include disable-exec.inc
@@ -45,3 +43,5 @@ private-dev
 writable-var-log
 memory-deny-write-execute
+read-only ${HOME}
+read-write ${HOME}/.lesshst
diff --git a/etc/libreoffice.profile b/etc/libreoffice.profile
index b8a6201b2..aa113883e 100644
--- a/etc/libreoffice.profile
+++ b/etc/libreoffice.profile
@@ -34,6 +34,7 @@ nonewprivs
 noroot
 notv
 nou2f
+novideo
 # comment the protocol line when using the ubuntu 18.04/debian 10 apparmor profile
 protocol unix,inet,inet6
 # comment seccomp when using the ubuntu 18.04/debian 10 apparmor profile
diff --git a/etc/lrunzip.profile b/etc/lrunzip.profile
index 72abec8bb..c010cbd96 100644
--- a/etc/lrunzip.profile
+++ b/etc/lrunzip.profile
@@ -1,6 +1,7 @@
 # Firejail profile for lrunzip
 # Description: Multi-threaded compression with rzip/lzma, lzo and zpaq
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include lrunzip.local
 # Persistent global definitions
diff --git a/etc/lrz.profile b/etc/lrz.profile
index c1f928bde..8077be945 100644
--- a/etc/lrz.profile
+++ b/etc/lrz.profile
@@ -1,6 +1,7 @@
 # Firejail profile for lrz
 # Description: Multi-threaded compression with rzip/lzma, lzo and zpaq
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include lrz.local
 # Persistent global definitions
diff --git a/etc/lrzcat.profile b/etc/lrzcat.profile
index edcd7f8cd..d05ee7aae 100644
--- a/etc/lrzcat.profile
+++ b/etc/lrzcat.profile
@@ -1,6 +1,7 @@
 # Firejail profile for lrzcat
 # Description: Multi-threaded compression with rzip/lzma, lzo and zpaq
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include lrzcat.local
 # Persistent global definitions
diff --git a/etc/lrzip.profile b/etc/lrzip.profile
index a69096e28..3767767f6 100644
--- a/etc/lrzip.profile
+++ b/etc/lrzip.profile
@@ -1,6 +1,7 @@
 # Firejail profile for lrzip
 # Description: Multi-threaded compression with rzip/lzma, lzo and zpaq
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include lrzip.local
 # Persistent global definitions
diff --git a/etc/lrztar.profile b/etc/lrztar.profile
index 54b04b4ec..673e9f62e 100644
--- a/etc/lrztar.profile
+++ b/etc/lrztar.profile
@@ -1,6 +1,7 @@
 # Firejail profile for lrztar
 # Description: Multi-threaded compression with rzip/lzma, lzo and zpaq
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include lrztar.local
 # Persistent global definitions
diff --git a/etc/lrzuntar.profile b/etc/lrzuntar.profile
index f21169b24..245d1c669 100644
--- a/etc/lrzuntar.profile
+++ b/etc/lrzuntar.profile
@@ -1,6 +1,7 @@
 # Firejail profile for lrzuntar
 # Description: Multi-threaded compression with rzip/lzma, lzo and zpaq
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include lrzuntar.local
 # Persistent global definitions
diff --git a/etc/mencoder.profile b/etc/mencoder.profile
index 136412d11..aac394a59 100644
--- a/etc/mencoder.profile
+++ b/etc/mencoder.profile
@@ -25,4 +25,5 @@ shell none
 private-bin mencoder
+# Redirect
 include mplayer.profile
diff --git a/etc/mousepad.profile b/etc/mousepad.profile
index 3b9807b28..20370a5b5 100644
--- a/etc/mousepad.profile
+++ b/etc/mousepad.profile
@@ -26,6 +26,7 @@ noroot
 nosound
 notv
 nou2f
+novideo
 protocol unix
 seccomp
 shell none
diff --git a/etc/mpd.profile b/etc/mpd.profile
index 0b5ebf705..6c5963793 100644
--- a/etc/mpd.profile
+++ b/etc/mpd.profile
@@ -31,7 +31,7 @@ novideo
 protocol unix,inet,inet6
 # blacklisting of ioprio_set system calls breaks auto-updating of
 # MPD's database when files in music_directory are changed
-seccomp.drop @cpu-emulation,@debug,@obsolete,@privileged,@resources,add_key,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,kcmp,keyctl,name_to_handle_at,ni_syscall,open_by_handle_at,personality,process_vm_readv,ptrace,remap_file_pages,request_key,syslog,umount,userfaultfd,vmsplice
+seccomp !ioprio_set
 shell none
 #private-bin bash,mpd
diff --git a/etc/mpsyt.profile b/etc/mpsyt.profile
index 878a5f654..546755ecb 100644
--- a/etc/mpsyt.profile
+++ b/etc/mpsyt.profile
@@ -48,16 +48,22 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 netfilter
+nodbus
+nodvd
 # Seems to cause issues with Nvidia drivers sometimes
 nogroups
 nonewprivs
 noroot
+notv
+nou2f
+novideo
 protocol unix,inet,inet6
 seccomp
 shell none
 tracelog
 private-bin env,ffmpeg,mplayer,mpsyt,mpv,python*,youtube-dl
+#private-cache
 private-dev
 private-tmp
diff --git a/etc/mpv.profile b/etc/mpv.profile
index d8163d20a..289a3cd5d 100644
--- a/etc/mpv.profile
+++ b/etc/mpv.profile
@@ -16,6 +16,7 @@ include allow-python2.inc
 include allow-python3.inc
 noblacklist ${MUSIC}
+noblacklist ${PICTURES}
 noblacklist ${VIDEOS}
 include disable-common.inc
diff --git a/etc/mutt.profile b/etc/mutt.profile
index c424dbb85..92babd50f 100644
--- a/etc/mutt.profile
+++ b/etc/mutt.profile
@@ -17,7 +17,6 @@ noblacklist ${HOME}/.emacs
 noblacklist ${HOME}/.emacs.d
 noblacklist ${HOME}/.gnupg
 noblacklist ${HOME}/.mail
-noblacklist ${HOME}/.mailcap
 noblacklist ${HOME}/.msmtprc
 noblacklist ${HOME}/.mutt
 noblacklist ${HOME}/.muttrc
diff --git a/etc/nano.profile b/etc/nano.profile
index 30a6e03e7..9965d8a6b 100644
--- a/etc/nano.profile
+++ b/etc/nano.profile
@@ -1,6 +1,7 @@
 # Firejail profile for nano
 # Description: nano is an easy text editor for the terminal
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include nano.local
 # Persistent global definitions
diff --git a/etc/nethack-vultures.profile b/etc/nethack-vultures.profile
index e1294153b..079f44ee7 100644
--- a/etc/nethack-vultures.profile
+++ b/etc/nethack-vultures.profile
@@ -7,7 +7,6 @@ include nethack.local
 include globals.local
 noblacklist ${HOME}/.vultures
-noblacklist /var/log
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/okular.profile b/etc/okular.profile
index 99357934d..56fd21fc8 100644
--- a/etc/okular.profile
+++ b/etc/okular.profile
@@ -49,7 +49,7 @@ tracelog
 private-bin kbuildsycoca4,kdeinit4,lpr,okular
 private-dev
-private-etc alternatives,cups,fonts,kde4rc,kde5rc,ld.so.cache,machine-id,xdg
+private-etc alternatives,cups,fonts,kde4rc,kde5rc,ld.so.cache,machine-id,passwd,xdg
 # private-tmp - on KDE we need access to the real /tmp for data exchange with email clients
 # memory-deny-write-execute
diff --git a/etc/open-invaders.profile b/etc/open-invaders.profile
index d80b3d351..5925ccc09 100644
--- a/etc/open-invaders.profile
+++ b/etc/open-invaders.profile
@@ -27,6 +27,7 @@ nonewprivs
 noroot
 notv
 nou2f
+novideo
 protocol unix,netlink
 seccomp
 shell none
diff --git a/etc/p7zip.profile b/etc/p7zip.profile
index 644292f2b..7e0069afc 100644
--- a/etc/p7zip.profile
+++ b/etc/p7zip.profile
@@ -1,6 +1,7 @@
 # Firejail profile for p7zip
 # Description: 7zr file archiver with high compression ratio
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include p7zip.local
 # Persistent global definitions
diff --git a/etc/palemoon.profile b/etc/palemoon.profile
index 11464e6cf..acb2ce176 100644
--- a/etc/palemoon.profile
+++ b/etc/palemoon.profile
@@ -14,8 +14,8 @@ whitelist ${HOME}/.cache/moonchild productions/pale moon
 whitelist ${HOME}/.moonchild productions
 # Palemoon can use the full firejail seccomp filter (unlike firefox >= 60)
-ignore seccomp.drop
 seccomp
+ignore seccomp
 #private-bin palemoon
 # private-etc must first be enabled in firefox-common.profile
diff --git a/etc/pdftotext.profile b/etc/pdftotext.profile
index c5016201d..f1a5741d0 100644
--- a/etc/pdftotext.profile
+++ b/etc/pdftotext.profile
@@ -1,4 +1,5 @@
 # Firejail profile for pdftotext
+# Description: Portable Document Format (PDF) to text converter
 # This file is overwritten after every install/update
 # Persistent local customizations
 include pdftotext.local
diff --git a/etc/ping.profile b/etc/ping.profile
index 00ac45c5a..4ff5250d7 100644
--- a/etc/ping.profile
+++ b/etc/ping.profile
@@ -1,4 +1,5 @@
 # Firejail profile for ping
+# Description: send ICMP ECHO_REQUEST to network hosts
 # This file is overwritten after every install/update
 quiet
 # Persistent local customizations
diff --git a/etc/pingus.profile b/etc/pingus.profile
index 782ee200d..a3adc55a2 100644
--- a/etc/pingus.profile
+++ b/etc/pingus.profile
@@ -27,6 +27,7 @@ nonewprivs
 noroot
 notv
 nou2f
+novideo
 protocol unix,netlink
 seccomp
 shell none
diff --git a/etc/pluma.profile b/etc/pluma.profile
index 81b2b1481..dadfcc44e 100644
--- a/etc/pluma.profile
+++ b/etc/pluma.profile
@@ -6,11 +6,11 @@ include pluma.local
 # Persistent global definitions
 include globals.local
+noblacklist ${HOME}/.config/enchant
 noblacklist ${HOME}/.config/pluma
-noblacklist ${HOME}/.python-history
-noblacklist ${HOME}/.python_history
+# Allows files commonly used by IDEs
-noblacklist ${HOME}/.pythonhist
+include allow-common-devel.inc
-noblacklist ${HOME}/.pythonrc.py
 include disable-common.inc
 include disable-devel.inc
@@ -42,7 +42,7 @@ tracelog
 private-bin pluma
 private-dev
-private-lib pluma
+private-lib aspell,gconv,libgspell-1.so.*,libreadline.so.*,libtinfo.so.*,pluma
 private-tmp
 memory-deny-write-execute
diff --git a/etc/ppsspp.profile b/etc/ppsspp.profile
index 116698312..970290002 100644
--- a/etc/ppsspp.profile
+++ b/etc/ppsspp.profile
@@ -8,8 +8,6 @@ include globals.local
 noblacklist ${HOME}/.config/ppsspp
 noblacklist ${DOCUMENTS}
-# with >=llvm-4 mesa drivers need llvm stuff
-noblacklist /usr/lib/llvm*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/pycharm-community.profile b/etc/pycharm-community.profile
index 17218adee..9ee426a95 100644
--- a/etc/pycharm-community.profile
+++ b/etc/pycharm-community.profile
@@ -6,14 +6,13 @@ include pycharm-community.local
 include globals.local
 noblacklist ${HOME}/.PyCharmCE*
-noblacklist ${HOME}/.python-history
-noblacklist ${HOME}/.python_history
-noblacklist ${HOME}/.pythonhist
-noblacklist ${HOME}/.pythonrc.py
 # Allow java (blacklisted by disable-devel.inc)
 include allow-java.inc
+# Allows files commonly used by IDEs
+include allow-common-devel.inc
 include disable-common.inc
 include disable-devel.inc
 include disable-passwdmgr.inc
diff --git a/etc/pzstd.profile b/etc/pzstd.profile
new file mode 100644
index 000000000..ce9af3286
--- /dev/null
+++ b/etc/pzstd.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for zstd
+# This file is overwritten after every install/update
+# Redirect
+include zstd.profile
diff --git a/etc/qemu-system-x86_64.profile b/etc/qemu-system-x86_64.profile
index 1399328d3..47b9d6a9a 100644
--- a/etc/qemu-system-x86_64.profile
+++ b/etc/qemu-system-x86_64.profile
@@ -1,4 +1,5 @@
 # Firejail profile for qemu-system-x86_64
+# Description: QEMU system emulator for x86_64
 # This file is overwritten after every install/update
 # Persistent local customizations
 include qemu-system-x86_64.local
diff --git a/etc/qgis.profile b/etc/qgis.profile
index 80a10efce..88ed0cd81 100644
--- a/etc/qgis.profile
+++ b/etc/qgis.profile
@@ -45,7 +45,7 @@ notv
 nou2f
 novideo
 # blacklisting of mbind system calls breaks old version
-seccomp.drop @cpu-emulation,@debug,@obsolete,@privileged,add_key,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,migrate_pages,mincore,move_pages,name_to_handle_at,ni_syscall,open_by_handle_at,remap_file_pages,request_key,set_mempolicy,syslog,umount,userfaultfd,vmsplice
+seccomp !mbind
 protocol unix,inet,inet6,netlink
 shell none
 tracelog
diff --git a/etc/qt-faststart.profile b/etc/qt-faststart.profile
index cf459472a..2cdff33a6 100644
--- a/etc/qt-faststart.profile
+++ b/etc/qt-faststart.profile
@@ -1,6 +1,7 @@
 # Firejail profile for qt-faststart
 # Description: FFmpeg-based media utility
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include qt-faststart.local
 # Persistent global definitions
diff --git a/etc/qupzilla.profile b/etc/qupzilla.profile
index 954b1a3b4..3f3270dd6 100644
--- a/etc/qupzilla.profile
+++ b/etc/qupzilla.profile
@@ -3,7 +3,8 @@
 # Persistent local customizations
 include qupzilla.local
 # Persistent global definitions
-include globals.local
+# added by included profile
+#include globals.local
 noblacklist ${HOME}/.cache/qupzilla
 noblacklist ${HOME}/.config/qupzilla
@@ -17,26 +18,10 @@ include disable-programs.inc
 mkdir ${HOME}/.cache/qupzilla
 mkdir ${HOME}/.config/qupzilla
-whitelist ${DOWNLOADS}
 whitelist ${HOME}/.cache/qupzilla
 whitelist ${HOME}/.config/qupzilla
-include whitelist-common.inc
-include whitelist-var-common.inc
-caps.drop all
-netfilter
-nodvd
-nogroups
-nonewprivs
-noroot
-notv
-nou2f
-protocol unix,inet,inet6,netlink
-# blacklisting of chroot system calls breaks qupzilla
-seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
-# tracelog
-private-dev
-# private-etc alternatives,passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,adobe,mime.types,mailcap,asound.conf,pulse,machine-id,ca-certificates,ssl,pki,crypto-policies
 # private-tmp - interferes with the opening of downloaded files
+# Redirect
+include falkon.profile
diff --git a/etc/qutebrowser.profile b/etc/qutebrowser.profile
index e556ecf1f..95c189458 100644
--- a/etc/qutebrowser.profile
+++ b/etc/qutebrowser.profile
@@ -9,8 +9,6 @@ include globals.local
 noblacklist ${HOME}/.cache/qutebrowser
 noblacklist ${HOME}/.config/qutebrowser
 noblacklist ${HOME}/.local/share/qutebrowser
-# with >=llvm-4 mesa drivers need llvm stuff
-noblacklist /usr/lib/llvm*
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
@@ -38,5 +36,5 @@ noroot
 notv
 protocol unix,inet,inet6,netlink
 # blacklisting of chroot system calls breaks qt webengine
-seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+seccomp !chroot
 # tracelog
diff --git a/etc/riot-desktop.profile b/etc/riot-desktop.profile
index e6af4c2cb..4372fabe1 100644
--- a/etc/riot-desktop.profile
+++ b/etc/riot-desktop.profile
@@ -7,8 +7,7 @@ include riot-desktop.local
 # added by included profile
 #include globals.local
-ignore seccomp
+seccomp !chroot
-seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mincore,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,pivot_root,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
 # Redirect
 include riot-web.profile
diff --git a/etc/rnano.profile b/etc/rnano.profile
index 565c957e0..d9048982a 100644
--- a/etc/rnano.profile
+++ b/etc/rnano.profile
@@ -1,6 +1,7 @@
 # Firejail profile for rnano
 # Description: A restricted nano
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include rnano.local
 # Persistent global definitions
diff --git a/etc/rsync-download_only.profile b/etc/rsync-download_only.profile
new file mode 100644
index 000000000..bda3bca92
--- /dev/null
+++ b/etc/rsync-download_only.profile
@@ -0,0 +1,55 @@
+# Firejail profile for rsync
+# Description: a fast, versatile, remote (and local) file-copying tool
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include rsync.local
+# Persistent global definitions
+include globals.local
+# Warning: This profile is writte to use rsync as an client for downloading,
+# it is not writen to use rsync as an daemon (rsync --daemon) or to create backups.
+# Usage: firejail --profile=rsync-download_only rsync
+blacklist /tmp/.X11-unix
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+# Uncomment or add to rsync.local to enable extra hardening
+#whitelist ${DOWNLOADS}
+include whitelist-var-common.inc
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+disable-mnt
+private-bin rsync
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,host.conf,hostname,hosts,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl
+private-tmp
+memory-deny-write-execute
diff --git a/etc/scallion.profile b/etc/scallion.profile
index 232ec4346..dee9e1f40 100644
--- a/etc/scallion.profile
+++ b/etc/scallion.profile
@@ -7,7 +7,6 @@ include scallion.local
 include globals.local
 noblacklist ${PATH}/llvm*
-noblacklist /usr/lib/llvm*
 noblacklist ${PATH}/openssl
 noblacklist ${PATH}/openssl-1.0
 noblacklist ${DOCUMENTS}
diff --git a/etc/scp.profile b/etc/scp.profile
index ca902061c..287b8029a 100644
--- a/etc/scp.profile
+++ b/etc/scp.profile
@@ -1,6 +1,7 @@
 # Firejail profile for scp
 # Description: Secure shell copy
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include scp.local
 # Persistent global definitions
diff --git a/etc/seahorse-daemon.profile b/etc/seahorse-daemon.profile
index 7c0e59c74..6410da4d8 100644
--- a/etc/seahorse-daemon.profile
+++ b/etc/seahorse-daemon.profile
@@ -1,6 +1,7 @@
 # Firejail profile for seahorse-daemon
 # Description: PGP encryption and signing
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include seahorse-daemon.local
 # Persistent global definitions
diff --git a/etc/seahorse-tool.profile b/etc/seahorse-tool.profile
index 96f365a4b..4bf23c512 100644
--- a/etc/seahorse-tool.profile
+++ b/etc/seahorse-tool.profile
@@ -7,8 +7,6 @@ include seahorse-tool.local
 # added by included profile
 #include globals.local
-noblacklist ${DOWNLOADS}
 private-tmp
 memory-deny-write-execute
diff --git a/etc/seahorse.profile b/etc/seahorse.profile
index 0c824e95b..b9a0fd149 100644
--- a/etc/seahorse.profile
+++ b/etc/seahorse.profile
@@ -8,7 +8,6 @@ include globals.local
 blacklist /tmp/.X11-unix
-noblacklist ${HOME}/.config/dconf
 noblacklist ${HOME}/.gnupg
 noblacklist ${HOME}/.ssh
 noblacklist /tmp/ssh-*
diff --git a/etc/sftp.profile b/etc/sftp.profile
index c980e1751..66dc2a57b 100644
--- a/etc/sftp.profile
+++ b/etc/sftp.profile
@@ -1,6 +1,7 @@
 # Firejail profile for sftp
 # Description: Secure file transport protocol
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include sftp.local
 # Persistent global definitions
diff --git a/etc/shotcut.profile b/etc/shotcut.profile
index e6c48561f..5b3c5439d 100644
--- a/etc/shotcut.profile
+++ b/etc/shotcut.profile
@@ -1,4 +1,5 @@
 # Firejail profile for shotcut
+# Description: A free, open source, cross-platform video editor
 # This file is overwritten after every install/update
 # Persistent local customizations
 include shotcut.local
diff --git a/etc/simple-scan.profile b/etc/simple-scan.profile
index 64441483d..a0c9e8303 100644
--- a/etc/simple-scan.profile
+++ b/etc/simple-scan.profile
@@ -27,7 +27,7 @@ notv
 # novideo
 protocol unix,inet,inet6,netlink
 # blacklisting of ioperm system calls breaks simple-scan
-seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@reboot,@resources,@swap,acct,add_key,bpf,chroot,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,iopl,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,pciconfig_iobase,pciconfig_read,pciconfig_write,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,s390_mmio_read,s390_mmio_write,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+seccomp !ioperm
 shell none
 tracelog
diff --git a/etc/simutrans.profile b/etc/simutrans.profile
index 7febcde46..c6f5f70b0 100644
--- a/etc/simutrans.profile
+++ b/etc/simutrans.profile
@@ -27,6 +27,7 @@ nonewprivs
 noroot
 notv
 nou2f
+novideo
 protocol unix
 seccomp
 shell none
diff --git a/etc/skanlite.profile b/etc/skanlite.profile
index c10be717b..6f9bfd201 100644
--- a/etc/skanlite.profile
+++ b/etc/skanlite.profile
@@ -27,7 +27,7 @@ notv
 # novideo
 protocol unix,inet,inet6,netlink
 # blacklisting of ioperm system calls breaks skanlite
-seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@reboot,@resources,@swap,acct,add_key,bpf,chroot,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,iopl,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,pciconfig_iobase,pciconfig_read,pciconfig_write,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,s390_mmio_read,s390_mmio_write,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+seccomp !ioperm
 shell none
 # private-bin kbuildsycoca4,kdeinit4,skanlite
diff --git a/etc/skypeforlinux.profile b/etc/skypeforlinux.profile
index eae7dada0..fe9ededa4 100644
--- a/etc/skypeforlinux.profile
+++ b/etc/skypeforlinux.profile
@@ -25,7 +25,7 @@ nonewprivs
 noroot
 notv
 protocol unix,inet,inet6,netlink
-seccomp
+seccomp !chroot
 shell none
 disable-mnt
diff --git a/etc/slack.profile b/etc/slack.profile
index 5c10ef0ba..8b5338fa7 100644
--- a/etc/slack.profile
+++ b/etc/slack.profile
@@ -20,7 +20,6 @@ include whitelist-common.inc
 include whitelist-var-common.inc
 caps.drop all
-name slack
 netfilter
 nodvd
 nogroups
@@ -35,5 +34,5 @@ shell none
 disable-mnt
 private-bin locale,slack
 private-dev
-private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,group,ld.so.cache,ld.so.conf,localtime,machine-id,passwd,pki,pulse,resolv.conf,ssl
+private-etc alternatives,asound.conf,ca-certificates,crypto-policies,debian_version,fedora-release,fonts,group,ld.so.cache,ld.so.conf,localtime,machine-id,os-release,passwd,pki,pulse,redhat-release,resolv.conf,ssl,system-release,system-release-cpe
 private-tmp
diff --git a/etc/sqlitebrowser.profile b/etc/sqlitebrowser.profile
index 9cba69a77..d423bb65c 100644
--- a/etc/sqlitebrowser.profile
+++ b/etc/sqlitebrowser.profile
@@ -42,4 +42,4 @@ private-dev
 private-etc alternatives,ca-certificates,crypto-policies,fonts,group,machine-id,passwd,pki,ssl
 private-tmp
-#memory-deny-write-execute - breaks on Arch
+#memory-deny-write-execute - breaks on Arch (see issue #1803)
diff --git a/etc/ssh-agent.profile b/etc/ssh-agent.profile
index 15e2de9b0..9934e92b0 100644
--- a/etc/ssh-agent.profile
+++ b/etc/ssh-agent.profile
@@ -24,6 +24,7 @@ nodvd
 nonewprivs
 noroot
 notv
+novideo
 protocol unix,inet,inet6
 seccomp
 shell none
diff --git a/etc/ssh.profile b/etc/ssh.profile
index 7a9bb5abe..6949299af 100644
--- a/etc/ssh.profile
+++ b/etc/ssh.profile
@@ -30,6 +30,7 @@ nonewprivs
 nosound
 notv
 nou2f
+novideo
 protocol unix,inet,inet6
 seccomp
 shell none
diff --git a/etc/standardnotes-desktop.profile b/etc/standardnotes-desktop.profile
index 5703f932a..aa6902854 100644
--- a/etc/standardnotes-desktop.profile
+++ b/etc/standardnotes-desktop.profile
@@ -34,7 +34,7 @@ nosound
 notv
 nou2f
 protocol unix,inet,inet6,netlink
-seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mincore,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,pivot_root,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+seccomp !chroot
 disable-mnt
 private-dev
diff --git a/etc/start-tor-browser.desktop.profile b/etc/start-tor-browser.desktop.profile
index 9c3175ad7..2f73c9fee 100644
--- a/etc/start-tor-browser.desktop.profile
+++ b/etc/start-tor-browser.desktop.profile
@@ -6,8 +6,7 @@ include start-tor-browser.desktop.local
 # added by included profile
 #include globals.local
-noblacklist ${HOME}/.tor-browser-*
+noblacklist ${HOME}/.tor-browser*
-noblacklist ${HOME}/.tor-browser_*
 whitelist ${HOME}/.tor-browser-ar
 whitelist ${HOME}/.tor-browser-ca
diff --git a/etc/start-tor-browser.profile b/etc/start-tor-browser.profile
index 1c2a2cd10..a8b5d109e 100644
--- a/etc/start-tor-browser.profile
+++ b/etc/start-tor-browser.profile
@@ -28,7 +28,7 @@ notv
 nou2f
 novideo
 protocol unix,inet,inet6
-seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+seccomp !chroot
 shell none
 # tracelog may cause issues, see github issue #1930
 #tracelog
diff --git a/etc/steam.profile b/etc/steam.profile
index 569f281a0..654ea825e 100644
--- a/etc/steam.profile
+++ b/etc/steam.profile
@@ -19,8 +19,6 @@ noblacklist ${HOME}/.local/share/vulkan
 noblacklist ${HOME}/.steam
 noblacklist ${HOME}/.steampath
 noblacklist ${HOME}/.steampid
-# with >=llvm-4 mesa drivers need llvm stuff
-noblacklist /usr/lib/llvm*
 # needed for STEAM_RUNTIME_PREFER_HOST_LIBRARIES=1 to work
 noblacklist /sbin
 noblacklist /usr/sbin
diff --git a/etc/strings.profile b/etc/strings.profile
index 621e8e177..0817d7331 100644
--- a/etc/strings.profile
+++ b/etc/strings.profile
@@ -1,4 +1,5 @@
 # Firejail profile for strings
+# Description: print the strings of printable characters in files
 # This file is overwritten after every install/update
 quiet
 # Persistent local customizations
@@ -43,3 +44,4 @@ private-lib libfakeroot
 private-tmp
 memory-deny-write-execute
+read-only ${HOME}
diff --git a/etc/subdownloader.profile b/etc/subdownloader.profile
index d0176a657..6de408740 100644
--- a/etc/subdownloader.profile
+++ b/etc/subdownloader.profile
@@ -31,6 +31,7 @@ nonewprivs
 noroot
 notv
 nou2f
+novideo
 protocol unix,inet,inet6
 seccomp
 shell none
diff --git a/etc/supertux2.profile b/etc/supertux2.profile
index 287a078b3..4c64ee766 100644
--- a/etc/supertux2.profile
+++ b/etc/supertux2.profile
@@ -1,4 +1,5 @@
 # Firejail profile for supertux2
+# Description: Jump'n run like game
 # This file is overwritten after every install/update
 # Persistent local customizations
 include supertux2.local
@@ -27,6 +28,7 @@ nonewprivs
 noroot
 notv
 nou2f
+novideo
 protocol unix,netlink
 seccomp
 shell none
diff --git a/etc/supertuxkart.profile b/etc/supertuxkart.profile
index 2cd5ec3ad..8a48eeac8 100644
--- a/etc/supertuxkart.profile
+++ b/etc/supertuxkart.profile
@@ -47,7 +47,7 @@ disable-mnt
 private-bin supertuxkart
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,drirc,hosts,machine-id,openal,pki,resolv.conf,selinux,ssl,system-fips,xdg
+private-etc alternatives,ca-certificates,crypto-policies,drirc,hosts,machine-id,openal,pki,resolv.conf,ssl
 private-tmp
 private-opt none
 private-srv none
diff --git a/etc/tb-starter-wrapper.profile b/etc/tb-starter-wrapper.profile
index 8a7d45449..ffe9605b6 100644
--- a/etc/tb-starter-wrapper.profile
+++ b/etc/tb-starter-wrapper.profile
@@ -13,7 +13,7 @@ noblacklist ${HOME}/.tb
 mkdir ${HOME}/.tb
 whitelist ${HOME}/.tb
-x11 xorg
+private-bin tb-starter-wrapper
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/teamspeak3.profile b/etc/teamspeak3.profile
index 8d5917148..c1c666f58 100644
--- a/etc/teamspeak3.profile
+++ b/etc/teamspeak3.profile
@@ -33,7 +33,7 @@ notv
 nou2f
 novideo
 protocol unix,inet,inet6,netlink
-seccomp
+seccomp !chroot
 shell none
 disable-mnt
diff --git a/etc/templates/profile.template b/etc/templates/profile.template
index 2fc5c3ef1..0d67e222f 100644
--- a/etc/templates/profile.template
+++ b/etc/templates/profile.template
@@ -87,6 +87,9 @@ include globals.local
 # Allow lua (blacklisted by disable-interpreters.inc)
 #include allow-lua.inc
+# Allows files commonly used by IDEs
+#include allow-common-devel.inc
 #include disable-common.inc
 #include disable-devel.inc
 #include disable-exec.inc
diff --git a/etc/templates/syscalls.txt b/etc/templates/syscalls.txt
index 30ad6feea..bc45d9f9d 100644
--- a/etc/templates/syscalls.txt
+++ b/etc/templates/syscalls.txt
@@ -1,6 +1,9 @@
 Hints for writing seccomp.drop lines
 ====================================
+Definition of groups
+--------------------
 @clock=adjtimex,clock_adjtime,clock_settime,settimeofday,stime
 @module=delete_module,finit_module,init_module
 @raw-io=ioperm,iopl,pciconfig_iobase,pciconfig_read,pciconfig_write,s390_mmio_read,s390_mmio_write
@@ -20,6 +23,8 @@ Hints for writing seccomp.drop lines
 @default-keep=execve,prctl
+Inheritance of groups
+---------------------
 +---------+----------------+---------------+
 | @clock  | @cpu-emulation | @default-keep |
@@ -41,7 +46,28 @@ Hints for writing seccomp.drop lines
 | @default-nodebuggers |
 +----------------------+
+common used seccomp.drop lines
+------------------------------
 @default without chroot: @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,pivot_root,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
 @default-nodebuggers without chroot: @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+Building a seccomp.drop line if seccomp breaks a programm
+---------------------------------------------------------
+```
+$ journalctl --grep=syscall --follow
+<...> audit[…]: SECCOMP <...> syscall=161 <...>
+$ firejail --debug-syscalls | grep 161
+161     - chroot
+```
+TODO: write a short explanation
+TODO: suggest to use `allow-debuggers` instead of `seccomp.drop` if possible
+see also
+--------
+ - contrib/syscalls.sh
+ - https://firejail.wordpress.com/documentation-2/seccomp-guide/
diff --git a/etc/tor-browser.profile b/etc/tor-browser.profile
new file mode 100644
index 000000000..0cd84abf5
--- /dev/null
+++ b/etc/tor-browser.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+noblacklist ${HOME}/.tor-browser
+mkdir ${HOME}/.tor-browser
+whitelist ${HOME}/.tor-browser
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/torbrowser-launcher.profile b/etc/torbrowser-launcher.profile
index 75bcb04b4..1183cd2f7 100644
--- a/etc/torbrowser-launcher.profile
+++ b/etc/torbrowser-launcher.profile
@@ -42,13 +42,13 @@ notv
 nou2f
 novideo
 protocol unix,inet,inet6
-seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+seccomp !chroot
 shell none
 # tracelog may cause issues, see github issue #1930
 #tracelog
 disable-mnt
-private-bin bash,cat,cp,cut,dirname,env,expr,file,getconf,gpg,grep,gxmessage,id,kdialog,ln,mkdir,pwd,python*,readlink,realpath,rm,sed,sh,tail,tar,tclsh,test,tor-browser-en,torbrowser-launcher,update-desktop-database,xmessage,xz,zenity
+private-bin bash,cat,cp,cut,dirname,env,expr,file,gpg,grep,gxmessage,kdialog,ln,mkdir,mv,python*,rm,sed,sh,tail,tar,tclsh,test,tor-browser,tor-browser-en,torbrowser-launcher,update-desktop-database,xmessage,xz,zenity
 private-dev
-private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,hostname,hosts,ld.so.cache,machine-id,pki,pulse,resolv.conf,ssl
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,ld.so.cache,machine-id,pki,pulse,resolv.conf,ssl
 private-tmp
diff --git a/etc/transmission-cli.profile b/etc/transmission-cli.profile
index 60732bcf2..486be5fe6 100644
--- a/etc/transmission-cli.profile
+++ b/etc/transmission-cli.profile
@@ -7,37 +7,8 @@ include transmission-cli.local
 # Persistent global definitions
 include globals.local
-noblacklist ${HOME}/.cache/transmission
+private-bin transmission-cli
-noblacklist ${HOME}/.config/transmission
-include disable-common.inc
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
-apparmor
-caps.drop all
-machine-id
-netfilter
-nodbus
-nodvd
-nonewprivs
-noroot
-nosound
-notv
-nou2f
-novideo
-protocol inet,inet6
-seccomp
-shell none
-tracelog
-# private-bin transmission-cli
-private-dev
 private-etc alternatives,ca-certificates,crypto-policies,nsswitch.conf,pki,resolv.conf,ssl
-private-lib
-private-tmp
-memory-deny-write-execute
+# Redirect
+include transmission-common.profile
diff --git a/etc/transmission-common.profile b/etc/transmission-common.profile
new file mode 100644
index 000000000..1b1fc4af7
--- /dev/null
+++ b/etc/transmission-common.profile
@@ -0,0 +1,46 @@
+# Firejail profile for transmission-common
+# Description: Fast, easy and free BitTorrent client
+# This file is overwritten after every install/update
+# Persistent local customizations
+include transmission-common.local
+noblacklist ${HOME}/.cache/transmission
+noblacklist ${HOME}/.config/transmission
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+mkdir ${HOME}/.cache/transmission
+mkdir ${HOME}/.config/transmission
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.cache/transmission
+whitelist ${HOME}/.config/transmission
+include whitelist-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+machine-id
+netfilter
+nodbus
+nodvd
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+private-dev
+private-lib
+private-tmp
+memory-deny-write-execute
diff --git a/etc/transmission-create.profile b/etc/transmission-create.profile
index 9b84bc33a..8220b7887 100644
--- a/etc/transmission-create.profile
+++ b/etc/transmission-create.profile
@@ -1,11 +1,13 @@
 # Firejail profile for transmission-create
 # Description: CLI utility to create BitTorrent .torrent files
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include transmission-create.local
 # Persistent global definitions
-# added by included profile
+include globals.local
-#include globals.local
+private-bin transmission-create
 # Redirect
-include transmission-cli.profile
+include transmission-common.profile
diff --git a/etc/transmission-daemon.profile b/etc/transmission-daemon.profile
index 9a6052ada..f1e7fcb17 100644
--- a/etc/transmission-daemon.profile
+++ b/etc/transmission-daemon.profile
@@ -7,38 +7,16 @@ include transmission-daemon.local
 # Persistent global definitions
 include globals.local
-noblacklist ${HOME}/.cache/transmission
+whitelist /var/lib/transmission
-noblacklist ${HOME}/.config/transmission
-include disable-common.inc
+caps.keep ipc_lock,net_bind_service,setgid,setuid,sys_chroot
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
-apparmor
+private-bin transmission-daemon
-caps.drop all
-machine-id
-netfilter
-nodbus
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-nou2f
-novideo
-protocol inet,inet6
-seccomp
-shell none
-tracelog
-# private-bin transmission-daemon
-private-dev
 private-etc alternatives,ca-certificates,crypto-policies,nsswitch.conf,pki,resolv.conf,ssl
-private-lib
-private-tmp
-memory-deny-write-execute
+read-write /var/lib/transmission
+writable-var-log
+writable-run-user
+# Redirect
+include transmission-common.profile
diff --git a/etc/transmission-edit.profile b/etc/transmission-edit.profile
index 07990aa15..df381b5cd 100644
--- a/etc/transmission-edit.profile
+++ b/etc/transmission-edit.profile
@@ -1,11 +1,13 @@
 # Firejail profile for transmission-edit
 # Description: CLI utility to modify BitTorrent .torrent files' announce URLs
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include transmission-edit.local
 # Persistent global definitions
-# added by included profile
+include globals.local
-#include globals.local
+private-bin transmission-edit
 # Redirect
-include transmission-cli.profile
+include transmission-common.profile
diff --git a/etc/transmission-gtk.profile b/etc/transmission-gtk.profile
index 29df63573..01bdeb4ef 100644
--- a/etc/transmission-gtk.profile
+++ b/etc/transmission-gtk.profile
@@ -1,50 +1,15 @@
 # Firejail profile for transmission-gtk
 # Description: Fast, easy and free BitTorrent client (GTK GUI)
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include transmission-gtk.local
 # Persistent global definitions
 include globals.local
-noblacklist ${HOME}/.cache/transmission
-noblacklist ${HOME}/.config/transmission
-include disable-common.inc
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
-mkdir ${HOME}/.cache/transmission
-mkdir ${HOME}/.config/transmission
-whitelist ${DOWNLOADS}
-whitelist ${HOME}/.cache/transmission
-whitelist ${HOME}/.config/transmission
-include whitelist-common.inc
-include whitelist-var-common.inc
-apparmor
-caps.drop all
-machine-id
-netfilter
-nodbus
-nodvd
-nonewprivs
-noroot
-nosound
-notv
-nou2f
-novideo
-protocol unix,inet,inet6
-seccomp
-shell none
-tracelog
 private-bin transmission-gtk
-private-dev
-private-lib
-private-tmp
-# Causes freeze during opening file dialog in Archlinux, see issue #1855
+ignore memory-deny-write-execute
-# memory-deny-write-execute
+# Redirect
+include transmission-common.profile
diff --git a/etc/transmission-qt.profile b/etc/transmission-qt.profile
index 9fda5245f..94f3c3a20 100644
--- a/etc/transmission-qt.profile
+++ b/etc/transmission-qt.profile
@@ -1,49 +1,18 @@
 # Firejail profile for transmission-qt
 # Description: Fast, easy and free BitTorrent client (Qt GUI)
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include transmission-qt.local
 # Persistent global definitions
 include globals.local
-noblacklist ${HOME}/.cache/transmission
+private-bin transmission-qt
-noblacklist ${HOME}/.config/transmission
-include disable-common.inc
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
-mkdir ${HOME}/.cache/transmission
-mkdir ${HOME}/.config/transmission
-whitelist ${DOWNLOADS}
-whitelist ${HOME}/.cache/transmission
-whitelist ${HOME}/.config/transmission
-include whitelist-common.inc
-include whitelist-var-common.inc
-apparmor
+# private-lib - breaks on Arch
-caps.drop all
+ignore private-lib
-machine-id
-netfilter
-nodbus
-nodvd
-nonewprivs
-noroot
-nosound
-notv
-nou2f
-novideo
-protocol unix,inet,inet6
-seccomp
-shell none
-tracelog
-private-bin transmission-qt
+ignore memory-deny-write-execute
-private-dev
-# private-lib - problems on Arch
-private-tmp
-# memory-deny-write-execute - problems on Qt 5.10.0, KDE Frameworks 5.41.0
+# Redirect
+include transmission-common.profile
diff --git a/etc/transmission-remote-cli.profile b/etc/transmission-remote-cli.profile
index 98b875fc5..8b3a966c1 100644
--- a/etc/transmission-remote-cli.profile
+++ b/etc/transmission-remote-cli.profile
@@ -1,25 +1,17 @@
 # Firejail profile for transmission-remote-cli
 # Description: A remote control utility for transmission-daemon (CLI)
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include transmission-remote-cli.local
 # Persistent global definitions
-# added by included profile
+include globals.local
-#include globals.local
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
 include allow-python3.inc
-mkdir ${HOME}/.cache/transmission
+private-bin python*,transmission-remote-cli
-mkdir ${HOME}/.config/transmission
-whitelist ${HOME}/.cache/transmission
-whitelist ${HOME}/.config/transmission
-include whitelist-common.inc
-include whitelist-var-common.inc
-# private-bin python*
-private-etc fonts
 # Redirect
-include transmission-remote.profile
+include transmission-common.profile
diff --git a/etc/transmission-remote-gtk.profile b/etc/transmission-remote-gtk.profile
index b7173def5..a6400e2c0 100644
--- a/etc/transmission-remote-gtk.profile
+++ b/etc/transmission-remote-gtk.profile
@@ -1,20 +1,22 @@
 # Firejail profile for transmission-remote-gtk
 # Description: A remote control utility for transmission-daemon (GTK GUI)
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include transmission-remote-gtk.local
 # Persistent global definitions
-# added by included profile
+include globals.local
-#include globals.local
-mkdir ${HOME}/.cache/transmission
+noblacklist ${HOME}/.config/transmission-remote-gtk
-mkdir ${HOME}/.config/transmission
-whitelist ${HOME}/.cache/transmission
-whitelist ${HOME}/.config/transmission
-include whitelist-common.inc
-include whitelist-var-common.inc
-private-etc fonts
+mkdir ${HOME}/.config/transmission-remote-gtk
+whitelist ${HOME}/.config/transmission-remote-gtk
+private-etc fonts,hostname,hosts,resolv.conf
+# Problems with private-lib (see issue #2889)
+ignore private-lib
+ignore memory-deny-write-execute
 # Redirect
-include transmission-remote.profile
+include transmission-common.profile
diff --git a/etc/transmission-remote.profile b/etc/transmission-remote.profile
index ddeb9adf9..fee4999e6 100644
--- a/etc/transmission-remote.profile
+++ b/etc/transmission-remote.profile
@@ -7,37 +7,8 @@ include transmission-remote.local
 # Persistent global definitions
 include globals.local
-noblacklist ${HOME}/.cache/transmission
+private-bin transmission-remote
-noblacklist ${HOME}/.config/transmission
-include disable-common.inc
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
-apparmor
-caps.drop all
-machine-id
-netfilter
-nodbus
-nodvd
-nonewprivs
-noroot
-nosound
-notv
-nou2f
-novideo
-protocol inet,inet6
-seccomp
-shell none
-tracelog
-# private-bin transmission-remote
-private-dev
 private-etc alternatives,hosts,nsswitch.conf
-private-lib
-private-tmp
-memory-deny-write-execute
+# Redirect
+include transmission-common.profile
diff --git a/etc/transmission-show.profile b/etc/transmission-show.profile
index 779606f04..5a3c83f58 100644
--- a/etc/transmission-show.profile
+++ b/etc/transmission-show.profile
@@ -1,41 +1,14 @@
 # Firejail profile for transmission-show
 # Description: CLI utility to show BitTorrent .torrent file metadata
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include transmission-show.local
 # Persistent global definitions
 include globals.local
-noblacklist ${HOME}/.cache/transmission
+private-bin transmission-show
-noblacklist ${HOME}/.config/transmission
-include disable-common.inc
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
-apparmor
-caps.drop all
-machine-id
-netfilter
-nodbus
-nodvd
-nonewprivs
-noroot
-nosound
-notv
-nou2f
-novideo
-protocol inet,inet6
-seccomp
-shell none
-tracelog
-private-dev
 private-etc alternatives,hosts,nsswitch.conf
-private-lib
-private-tmp
-memory-deny-write-execute
+# Redirect
+include transmission-common.profile
diff --git a/etc/unknown-horizons.profile b/etc/unknown-horizons.profile
index b62d3111d..7223ea2e1 100644
--- a/etc/unknown-horizons.profile
+++ b/etc/unknown-horizons.profile
@@ -23,6 +23,7 @@ nonewprivs
 noroot
 notv
 nou2f
+novideo
 protocol unix,inet,inet6,netlink
 seccomp
 shell none
diff --git a/etc/unzstd.profile b/etc/unzstd.profile
new file mode 100644
index 000000000..ce9af3286
--- /dev/null
+++ b/etc/unzstd.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for zstd
+# This file is overwritten after every install/update
+# Redirect
+include zstd.profile
diff --git a/etc/vim.profile b/etc/vim.profile
index 49abb0d44..d27a9a633 100644
--- a/etc/vim.profile
+++ b/etc/vim.profile
@@ -6,14 +6,13 @@ include vim.local
 # Persistent global definitions
 include globals.local
-noblacklist ${HOME}/.python-history
-noblacklist ${HOME}/.python_history
-noblacklist ${HOME}/.pythonhist
-noblacklist ${HOME}/.pythonrc.py
 noblacklist ${HOME}/.vim
 noblacklist ${HOME}/.viminfo
 noblacklist ${HOME}/.vimrc
+# Allows files commonly used by IDEs
+include allow-common-devel.inc
 include disable-common.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
diff --git a/etc/virtualbox.profile b/etc/virtualbox.profile
index 45f9949f3..c0dbc9116 100644
--- a/etc/virtualbox.profile
+++ b/etc/virtualbox.profile
@@ -26,7 +26,7 @@ whitelist ${DOWNLOADS}
 include whitelist-common.inc
 include whitelist-var-common.inc
-caps.drop all
+caps.keep net_raw,sys_admin,sys_nice
 netfilter
 nodvd
 notv
diff --git a/etc/warzone2100.profile b/etc/warzone2100.profile
index 85cbc5e43..e65e0a0c3 100644
--- a/etc/warzone2100.profile
+++ b/etc/warzone2100.profile
@@ -30,6 +30,7 @@ nonewprivs
 noroot
 notv
 nou2f
+novideo
 protocol unix,inet,inet6,netlink
 seccomp
 shell none
diff --git a/etc/webstorm.profile b/etc/webstorm.profile
index e820bae00..fc4e8e571 100644
--- a/etc/webstorm.profile
+++ b/etc/webstorm.profile
@@ -7,14 +7,13 @@ include globals.local
 noblacklist ${HOME}/.WebStorm*
 noblacklist ${HOME}/.android
-noblacklist ${HOME}/.config/git
-noblacklist ${HOME}/.gitconfig
-noblacklist ${HOME}/.git-credentials
-noblacklist ${HOME}/.gradle
 noblacklist ${HOME}/.local/share/JetBrains
 noblacklist ${HOME}/.ssh
 noblacklist ${HOME}/.tooling
+# Allows files commonly used by IDEs
+include allow-common-devel.inc
 noblacklist ${PATH}/node
 noblacklist ${HOME}/.nvm
diff --git a/etc/wesnoth.profile b/etc/wesnoth.profile
index a67d3a1b8..934edfce9 100644
--- a/etc/wesnoth.profile
+++ b/etc/wesnoth.profile
@@ -30,6 +30,7 @@ nonewprivs
 noroot
 notv
 nou2f
+novideo
 protocol unix,inet,inet6
 seccomp
diff --git a/etc/whalebird.profile b/etc/whalebird.profile
new file mode 100644
index 000000000..26932b6b3
--- /dev/null
+++ b/etc/whalebird.profile
@@ -0,0 +1,45 @@
+# Firejail profile for whalebird
+# Description: Electron-based Mastodon/Pleroma client
+# This file is overwritten after every install/update
+# Persistent local customizations
+include whalebird.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.config/Whalebird
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+mkdir ${HOME}/.config/Whalebird
+whitelist ${HOME}/.config/Whalebird
+whitelist ${DOWNLOADS}
+include whitelist-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+disable-mnt
+private-bin whalebird
+private-cache
+private-dev
+private-etc fonts,machine-id
+private-tmp
diff --git a/etc/whois.profile b/etc/whois.profile
index f101ee637..859542533 100644
--- a/etc/whois.profile
+++ b/etc/whois.profile
@@ -1,7 +1,7 @@
 # Firejail profile for whois
 # Description: Intelligent WHOIS client
-quiet
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include whois.local
 # Persistent global definitions
diff --git a/etc/wine.profile b/etc/wine.profile
index 34c695cf1..192c375cd 100644
--- a/etc/wine.profile
+++ b/etc/wine.profile
@@ -11,8 +11,6 @@ noblacklist ${HOME}/.local/share/Steam
 noblacklist ${HOME}/.local/share/steam
 noblacklist ${HOME}/.steam
 noblacklist ${HOME}/.wine
-# with >=llvm-4 mesa drivers need llvm stuff
-noblacklist /usr/lib/llvm*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/xed.profile b/etc/xed.profile
index a02f1ef51..a67230e51 100644
--- a/etc/xed.profile
+++ b/etc/xed.profile
@@ -9,7 +9,6 @@ noblacklist ${HOME}/.config/xed
 noblacklist ${HOME}/.python-history
 noblacklist ${HOME}/.python_history
 noblacklist ${HOME}/.pythonhist
-noblacklist ${HOME}/.pythonrc.py
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
diff --git a/etc/xmr-stak.profile b/etc/xmr-stak.profile
index 3fbdf66ab..c6ba9bd9d 100644
--- a/etc/xmr-stak.profile
+++ b/etc/xmr-stak.profile
@@ -6,7 +6,6 @@ include xmr-stak.local
 include globals.local
 noblacklist ${HOME}/.xmr-stak
-noblacklist /usr/lib/llvm*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/xpra.profile b/etc/xpra.profile
index 6f66b9300..1033a7471 100644
--- a/etc/xpra.profile
+++ b/etc/xpra.profile
@@ -1,6 +1,7 @@
 # Firejail profile for xpra
 # Description: Tool to detach/reattach running X programs
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include xpra.local
 # Persistent global definitions
diff --git a/etc/youtube-dl.profile b/etc/youtube-dl.profile
index 6fc519bee..d87d29ee8 100644
--- a/etc/youtube-dl.profile
+++ b/etc/youtube-dl.profile
@@ -19,6 +19,8 @@ noblacklist ${VIDEOS}
 include allow-python2.inc
 include allow-python3.inc
+blacklist /tmp/.X11-unix
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
diff --git a/etc/zathura.profile b/etc/zathura.profile
index 922284353..db03076be 100644
--- a/etc/zathura.profile
+++ b/etc/zathura.profile
@@ -28,6 +28,7 @@ noroot
 nosound
 notv
 nou2f
+novideo
 protocol unix
 seccomp
 shell none
diff --git a/etc/zpaq.profile b/etc/zpaq.profile
index 6bf3605eb..80329ecfd 100644
--- a/etc/zpaq.profile
+++ b/etc/zpaq.profile
@@ -1,6 +1,7 @@
 # Firejail profile for zpaq
 # Description: Programmable file compressor, library and utilities. Based on the PAQ compression algorithm.
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include zpaq.local
 # Persistent global definitions
diff --git a/etc/zstd.profile b/etc/zstd.profile
new file mode 100644
index 000000000..ea7bbfb0d
--- /dev/null
+++ b/etc/zstd.profile
@@ -0,0 +1,42 @@
+# Firejail profile for zstd
+# Description: Zstandard - Fast real-time compression algorithm
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include zstd.local
+# Persistent global definitions
+include globals.local
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+apparmor
+caps.drop all
+hostname zstd
+ipc-namespace
+machine-id
+net none
+no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+#noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+x11 none
+private-cache
+private-dev
+memory-deny-write-execute
diff --git a/etc/zstdcat.profile b/etc/zstdcat.profile
new file mode 100644
index 000000000..ce9af3286
--- /dev/null
+++ b/etc/zstdcat.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for zstd
+# This file is overwritten after every install/update
+# Redirect
+include zstd.profile
diff --git a/etc/zstdgrep.profile b/etc/zstdgrep.profile
new file mode 100644
index 000000000..ce9af3286
--- /dev/null
+++ b/etc/zstdgrep.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for zstd
+# This file is overwritten after every install/update
+# Redirect
+include zstd.profile
diff --git a/etc/zstdless.profile b/etc/zstdless.profile
new file mode 100644
index 000000000..ce9af3286
--- /dev/null
+++ b/etc/zstdless.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for zstd
+# This file is overwritten after every install/update
+# Redirect
+include zstd.profile
diff --git a/etc/zstdmt.profile b/etc/zstdmt.profile
new file mode 100644
index 000000000..ce9af3286
--- /dev/null
+++ b/etc/zstdmt.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for zstd
+# This file is overwritten after every install/update
+# Redirect
+include zstd.profile
diff --git a/etc/zulip.profile b/etc/zulip.profile
new file mode 100644
index 000000000..999c2f77a
--- /dev/null
+++ b/etc/zulip.profile
@@ -0,0 +1,47 @@
+# Firejail profile for zulip
+# Description: Real-time team chat based on the email threading model
+# This file is overwritten after every install/update
+# Persistent local customizations
+include zulip.local
+# Persistent global definitions
+include globals.local
+ignore noexec /tmp
+noblacklist ${HOME}/.config/Zulip
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+mkdir ${HOME}/.config/Zulip
+whitelist ${HOME}/.config/Zulip
+whitelist ${DOWNLOADS}
+include whitelist-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+disable-mnt
+private-bin locale,zulip
+private-cache
+private-dev
+private-etc asound.conf,fonts,machine-id
+private-tmp