146 files changed, 549 insertions, 225 deletions

diff --git a/etc/0ad.profile b/etc/0ad.profile
index 057dcf49e..766783997 100644
--- a/etc/0ad.profile
+++ b/etc/0ad.profile
@@ -24,6 +24,7 @@ include /etc/firejail/whitelist-common.inc
 
 caps.drop all
 netfilter
+nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/7z.profile b/etc/7z.profile
index ededacbbe..0330e4dbf 100644
--- a/etc/7z.profile
+++ b/etc/7z.profile
@@ -6,12 +6,12 @@ include /etc/firejail/7z.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
 blacklist /tmp/.X11-unix
 
 ignore noroot
 net none
 no3d
+nodbus
 nodvd
 nosound
 notv
diff --git a/etc/akonadi_control.profile b/etc/akonadi_control.profile
new file mode 100644
index 000000000..3a4404b28
--- /dev/null
+++ b/etc/akonadi_control.profile
@@ -0,0 +1,49 @@
+# Firejail profile for akonadi_control
+# Persistent local customizations
+include /etc/firejail/akonadi_control.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+noblacklist ${HOME}/.cache/akonadi*
+noblacklist ${HOME}/.config/akonadi*
+noblacklist ${HOME}/.config/baloorc
+noblacklist ${HOME}/.config/emailidentities
+noblacklist ${HOME}/.config/kmail2rc
+noblacklist ${HOME}/.local/share/akonadi*
+noblacklist ${HOME}/.local/share/contacts
+noblacklist ${HOME}/.local/share/local-mail
+noblacklist ${HOME}/.local/share/notes
+noblacklist /tmp/akonadi-*
+noblacklist /usr/sbin
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+include /etc/firejail/whitelist-var-common.inc
+
+# disabled options below are not compatible with the apparmor profile for mysqld-akonadi.
+# this affects ubuntu and debian currently
+
+# apparmor
+caps.drop all
+ipc-namespace
+no3d
+netfilter
+nodvd
+nogroups
+# nonewprivs
+noroot
+nosound
+notv
+novideo
+# protocol unix,inet,inet6
+# seccomp.drop @cpu-emulation,@debug,@obsolete,@privileged,@resources,add_key,fanotify_init,io_cancel,io_destroy,kcmp,keyctl,name_to_handle_at,ni_syscall,open_by_handle_at,personality,process_vm_readv,ptrace,remap_file_pages,request_key,syslog,umount,userfaultfd,vmsplice
+tracelog
+
+private-dev
+# private-tmp - breaks programs that depend on akonadi
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/apktool.profile b/etc/apktool.profile
index bbf91c264..d5063d79b 100644
--- a/etc/apktool.profile
+++ b/etc/apktool.profile
@@ -6,8 +6,6 @@ include /etc/firejail/apktool.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
-
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
@@ -15,6 +13,7 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 net none
 no3d
+nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/ardour5.profile b/etc/ardour5.profile
index 1f2228544..cf72561da 100644
--- a/etc/ardour5.profile
+++ b/etc/ardour5.profile
@@ -5,8 +5,6 @@ include /etc/firejail/ardour5.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
-
 noblacklist ${HOME}/.config/ardour4
 noblacklist ${HOME}/.config/ardour5
 noblacklist ${HOME}/.lv2
@@ -20,6 +18,7 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 ipc-namespace
 net none
+nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/ark.profile b/etc/ark.profile
index beeb652cf..8e156df0f 100644
--- a/etc/ark.profile
+++ b/etc/ark.profile
@@ -5,8 +5,6 @@ include /etc/firejail/ark.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-# blacklist /run/user/*/bus
-
 noblacklist ${HOME}/.config/arkrc
 
 include /etc/firejail/disable-common.inc
@@ -20,6 +18,7 @@ apparmor
 caps.drop all
 # net none
 netfilter
+# nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/asunder.profile b/etc/asunder.profile
index 0fbc3a158..7d643877f 100644
--- a/etc/asunder.profile
+++ b/etc/asunder.profile
@@ -20,6 +20,7 @@ include /etc/firejail/whitelist-var-common.inc
 apparmor
 caps.drop all
 netfilter
+nodbus
 # nogroups
 nonewprivs
 noroot
diff --git a/etc/atom.profile b/etc/atom.profile
index de09275cc..c513c7531 100644
--- a/etc/atom.profile
+++ b/etc/atom.profile
@@ -5,8 +5,6 @@ include /etc/firejail/atom.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-# blacklist /run/user/*/bus
-
 noblacklist ${HOME}/.atom
 noblacklist ${HOME}/.config/Atom
 
@@ -17,6 +15,7 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 # net none
 netfilter
+nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/atril-previewer.profile b/etc/atril-previewer.profile
new file mode 100644
index 000000000..5d841bc0e
--- /dev/null
+++ b/etc/atril-previewer.profile
@@ -0,0 +1,10 @@
+# Firejail profile for atril-previewer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/atril-previewer.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+# Redirect
+include /etc/firejail/atril.profile
diff --git a/etc/atril-thumbnailer.profile b/etc/atril-thumbnailer.profile
new file mode 100644
index 000000000..88c74735d
--- /dev/null
+++ b/etc/atril-thumbnailer.profile
@@ -0,0 +1,10 @@
+# Firejail profile for atril-thumbnailer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/atril-thumbnailer.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+# Redirect
+include /etc/firejail/atril.profile
diff --git a/etc/atril.profile b/etc/atril.profile
index a05f11076..e08b70ac6 100644
--- a/etc/atril.profile
+++ b/etc/atril.profile
@@ -5,6 +5,7 @@ include /etc/firejail/atril.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
+noblacklist ${HOME}/.cache/atril
 noblacklist ${HOME}/.config/atril
 
 #noblacklist ${HOME}/.local/share
@@ -17,7 +18,7 @@ include /etc/firejail/disable-programs.inc
 
 include /etc/firejail/whitelist-var-common.inc
 
-apparmor
+# apparmor
 caps.drop all
 machine-id
 no3d
diff --git a/etc/audacious.profile b/etc/audacious.profile
index 93ba5a45d..71003f156 100644
--- a/etc/audacious.profile
+++ b/etc/audacious.profile
@@ -18,6 +18,7 @@ include /etc/firejail/whitelist-var-common.inc
 apparmor
 caps.drop all
 netfilter
+nodbus
 nogroups
 nonewprivs
 noroot
diff --git a/etc/audacity.profile b/etc/audacity.profile
index 8c85dd6be..907dbeb55 100644
--- a/etc/audacity.profile
+++ b/etc/audacity.profile
@@ -5,8 +5,6 @@ include /etc/firejail/audacity.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
-
 noblacklist ${HOME}/.audacity-data
 
 include /etc/firejail/disable-common.inc
@@ -18,8 +16,9 @@ include /etc/firejail/whitelist-var-common.inc
 
 apparmor
 caps.drop all
-#net none
+net none
 no3d
+# nodbus - problems on Fedora 27
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/baobab.profile b/etc/baobab.profile
index e47e31bb1..5c1675611 100644
--- a/etc/baobab.profile
+++ b/etc/baobab.profile
@@ -5,8 +5,6 @@ include /etc/firejail/baobab.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
-
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
@@ -15,6 +13,7 @@ include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
 net none
 no3d
+nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/bibletime.profile b/etc/bibletime.profile
index 018569603..f23a29052 100644
--- a/etc/bibletime.profile
+++ b/etc/bibletime.profile
@@ -21,6 +21,7 @@ include /etc/firejail/whitelist-common.inc
 
 caps.drop all
 netfilter
+nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/bleachbit.profile b/etc/bleachbit.profile
index dce7892a4..ae40c3ec7 100644
--- a/etc/bleachbit.profile
+++ b/etc/bleachbit.profile
@@ -5,8 +5,6 @@ include /etc/firejail/bleachbit.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
-
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
@@ -15,6 +13,7 @@ include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
 net none
 no3d
+nodbus
 nodvd
 nogroups
 nonewprivs
@@ -29,6 +28,7 @@ shell none
 private-dev
 # private-tmp
 
-memory-deny-write-execute
+# memory-deny-write-execute breaks some systems, see issue #1850
+# memory-deny-write-execute
 noexec ${HOME}
 noexec /tmp
diff --git a/etc/blender-2.8.profile b/etc/blender-2.8.profile
new file mode 100644
index 000000000..4b907018e
--- /dev/null
+++ b/etc/blender-2.8.profile
@@ -0,0 +1,6 @@
+# Firejail profile alias for blender
+# This file is overwritten after every install/update
+
+
+# Redirect
+include /etc/firejail/blender.profile
diff --git a/etc/bless.profile b/etc/bless.profile
index 37d1e856f..10b471582 100644
--- a/etc/bless.profile
+++ b/etc/bless.profile
@@ -5,8 +5,6 @@ include /etc/firejail/bless.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
-
 noblacklist ${HOME}/.config/bless
 
 include /etc/firejail/disable-common.inc
@@ -17,6 +15,7 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 net none
 no3d
+nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/bluefish.profile b/etc/bluefish.profile
index 66ba0168b..6eb1d753f 100644
--- a/etc/bluefish.profile
+++ b/etc/bluefish.profile
@@ -5,8 +5,6 @@ include /etc/firejail/bluefish.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
-
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
@@ -17,6 +15,7 @@ include /etc/firejail/whitelist-var-common.inc
 caps.drop all
 net none
 no3d
+nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/calligra.profile b/etc/calligra.profile
index f09716bc3..f7df8ce85 100644
--- a/etc/calligra.profile
+++ b/etc/calligra.profile
@@ -5,8 +5,6 @@ include /etc/firejail/calligra.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-# blacklist /run/user/*/bus
-
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
@@ -15,6 +13,7 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 ipc-namespace
 # net none
+# nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/catfish.profile b/etc/catfish.profile
index 6d5ec1c52..6a608c673 100644
--- a/etc/catfish.profile
+++ b/etc/catfish.profile
@@ -8,8 +8,6 @@ include /etc/firejail/globals.local
 # We can't blacklist much since catfish
 # is for finding files/content
 
-blacklist /run/user/*/bus
-
 noblacklist ${HOME}/.config/catfish
 
 include /etc/firejail/disable-common.inc
@@ -23,6 +21,7 @@ include /etc/firejail/whitelist-var-common.inc
 caps.drop all
 net none
 no3d
+nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/chromium-common.profile b/etc/chromium-common.profile
index a11947334..7f07c5b26 100644
--- a/etc/chromium-common.profile
+++ b/etc/chromium-common.profile
@@ -20,6 +20,7 @@ include /etc/firejail/whitelist-var-common.inc
 apparmor
 caps.keep sys_chroot,sys_admin
 netfilter
+nodbus
 nodvd
 nogroups
 notv
@@ -31,3 +32,6 @@ private-dev
 
 noexec ${HOME}
 noexec /tmp
+
+# the file dialog needs to work without d-bus
+env NO_CHROME_KDE_FILE_DIALOG=1
diff --git a/etc/cin.profile b/etc/cin.profile
index d114e50b1..e86a4d9b4 100644
--- a/etc/cin.profile
+++ b/etc/cin.profile
@@ -5,8 +5,6 @@ include /etc/firejail/cin.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
-
 noblacklist ${HOME}/.bcast5
 
 include /etc/firejail/disable-common.inc
@@ -17,6 +15,7 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 ipc-namespace
 net none
+nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/clamav.profile b/etc/clamav.profile
index c3a0132d0..41bd3b679 100644
--- a/etc/clamav.profile
+++ b/etc/clamav.profile
@@ -6,12 +6,11 @@ include /etc/firejail/clamav.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
-
 caps.drop all
 ipc-namespace
 net none
 no3d
+nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/cpio.profile b/etc/cpio.profile
index caee6570e..445e1cec7 100644
--- a/etc/cpio.profile
+++ b/etc/cpio.profile
@@ -6,7 +6,6 @@ include /etc/firejail/cpio.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
 blacklist /tmp/.X11-unix
 
 noblacklist /sbin
@@ -19,6 +18,7 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 net none
 no3d
+nodbus
 nodvd
 nonewprivs
 nosound
diff --git a/etc/default.profile b/etc/default.profile
index 82eded802..1af7ceba4 100644
--- a/etc/default.profile
+++ b/etc/default.profile
@@ -17,6 +17,7 @@ caps.drop all
 # ipc-namespace
 netfilter
 # no3d
+# nodbus
 # nodvd
 # nogroups
 nonewprivs
diff --git a/etc/dex2jar.profile b/etc/dex2jar.profile
index f89e17239..ed73b8b8c 100644
--- a/etc/dex2jar.profile
+++ b/etc/dex2jar.profile
@@ -6,8 +6,6 @@ include /etc/firejail/dex2jar.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
-
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
@@ -16,6 +14,7 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 net none
 no3d
+nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/dia.profile b/etc/dia.profile
index b1a723da0..fb3506955 100644
--- a/etc/dia.profile
+++ b/etc/dia.profile
@@ -5,8 +5,6 @@ include /etc/firejail/dia.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
-
 noblacklist ${HOME}/.dia
 
 include /etc/firejail/disable-common.inc
@@ -17,6 +15,7 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 net none
 no3d
+nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/digikam.profile b/etc/digikam.profile
index 516876c6b..4df344cbc 100644
--- a/etc/digikam.profile
+++ b/etc/digikam.profile
@@ -20,6 +20,7 @@ include /etc/firejail/whitelist-var-common.inc
 apparmor
 caps.drop all
 netfilter
+# nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/disable-common.inc b/etc/disable-common.inc
index 19be56f86..0f605b933 100644
--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -75,6 +75,7 @@ blacklist ${HOME}/.kde4/share/config/plasma-desktop-appletsrc
 blacklist ${HOME}/.local/share/kglobalaccel
 blacklist ${HOME}/.local/share/kwin
 blacklist ${HOME}/.local/share/plasma
+blacklist ${HOME}/.local/share/plasmashell
 blacklist ${HOME}/.local/share/solid
 read-only ${HOME}/.cache/ksycoca5_*
 read-only ${HOME}/.config/*notifyrc
@@ -296,6 +297,13 @@ blacklist /etc/ssh
 blacklist /home/.ecryptfs
 blacklist /var/backup
 
+# cloud provider configuration
+blacklist ${HOME}/.aws
+blacklist ${HOME}/.boto
+blacklist /etc/boto.cfg
+blacklist ${HOME}/.config/gcloud
+blacklist ${HOME}/.kube
+
 # system directories
 blacklist /sbin
 blacklist /usr/local/sbin
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index 0d542c6d8..a6f12f3db 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -73,6 +73,7 @@ blacklist ${HOME}/.config/Slack
 blacklist ${HOME}/.config/Thunar
 blacklist ${HOME}/.config/VirtualBox
 blacklist ${HOME}/.config/Wire
+blacklist ${HOME}/.config/akonadi*
 blacklist ${HOME}/.config/akregatorrc
 blacklist ${HOME}/.config/ardour4
 blacklist ${HOME}/.config/ardour5
@@ -106,6 +107,7 @@ blacklist ${HOME}/.config/digikam
 blacklist ${HOME}/.config/digikamrc
 blacklist ${HOME}/.config/dolphinrc
 blacklist ${HOME}/.config/dragonplayerrc
+blacklist ${HOME}/.config/emailidentities
 blacklist ${HOME}/.config/enchant
 blacklist ${HOME}/.config/eog
 blacklist ${HOME}/.config/epiphany
@@ -136,6 +138,7 @@ blacklist ${HOME}/.config/itch
 blacklist ${HOME}/.config/jd-gui.cfg
 blacklist ${HOME}/.config/k3brc
 blacklist ${HOME}/.config/kaffeinerc
+blacklist ${HOME}/.config/katemetainfos
 blacklist ${HOME}/.config/katepartrc
 blacklist ${HOME}/.config/katerc
 blacklist ${HOME}/.config/kateschemarc
@@ -144,6 +147,7 @@ blacklist ${HOME}/.config/katevirc
 blacklist ${HOME}/.config/kdenliverc
 blacklist ${HOME}/.config/kgetrc
 blacklist ${HOME}/.config/klipperrc
+blacklist ${HOME}/.config/kmail2rc
 blacklist ${HOME}/.config/kritarc
 blacklist ${HOME}/.config/kwriterc
 blacklist ${HOME}/.config/kdeconnect
@@ -346,18 +350,21 @@ blacklist ${HOME}/.local/share/SuperHexagon
 blacklist ${HOME}/.local/share/TelegramDesktop
 blacklist ${HOME}/.local/share/Terraria
 blacklist ${HOME}/.local/share/TpLogger
+blacklist ${HOME}/.local/share/akonadi*
 blacklist ${HOME}/.local/share/akregator
 blacklist ${HOME}/.local/share/aspyr-media
 blacklist ${HOME}/.local/share/baloo
 blacklist ${HOME}/.local/share/caja-python
 blacklist ${HOME}/.local/share/cdprojektred
 blacklist ${HOME}/.local/share/clipit
+blacklist ${HOME}/.local/share/contacts
 blacklist ${HOME}/.local/share/data/Mumble
 blacklist ${HOME}/.local/share/data/MusE
 blacklist ${HOME}/.local/share/data/MuseScore
 blacklist ${HOME}/.local/share/data/qBittorrent
 blacklist ${HOME}/.local/share/dino
 blacklist ${HOME}/.local/share/dolphin
+blacklist ${HOME}/.local/share/emailidentities
 blacklist ${HOME}/.local/share/epiphany
 blacklist ${HOME}/.local/share/evolution
 blacklist ${HOME}/.local/share/feral-interactive
@@ -369,6 +376,7 @@ blacklist ${HOME}/.local/share/gnome-2048
 blacklist ${HOME}/.local/share/gnome-chess
 blacklist ${HOME}/.local/share/gnome-music
 blacklist ${HOME}/.local/share/gnome-photos
+blacklist ${HOME}/.local/share/gnome-recipes
 blacklist ${HOME}/.local/share/gnome-ring
 blacklist ${HOME}/.local/share/gnome-twitch
 blacklist ${HOME}/.local/share/gwenview
@@ -376,11 +384,14 @@ blacklist ${HOME}/.local/share/kaffeine
 blacklist ${HOME}/.local/share/kate
 blacklist ${HOME}/.local/share/kdenlive
 blacklist ${HOME}/.local/share/kget
+blacklist ${HOME}/.local/share/kmail2
+blacklist ${HOME}/.local/share/knotes
 blacklist ${HOME}/.local/share/krita
 blacklist ${HOME}/.local/share/ktorrentrc
 blacklist ${HOME}/.local/share/ktorrent
 blacklist ${HOME}/.local/share/kwrite
 blacklist ${HOME}/.local/share/liferea
+blacklist ${HOME}/.local/share/local-mail
 blacklist ${HOME}/.local/share/lollypop
 blacklist ${HOME}/.local/share/maps-places.json
 blacklist ${HOME}/.local/share/meld
@@ -397,6 +408,7 @@ blacklist ${HOME}/.local/share/okular
 blacklist ${HOME}/.local/share/orage
 blacklist ${HOME}/.local/share/org.kde.gwenview
 blacklist ${HOME}/.local/share/pix
+blacklist ${HOME}/.local/share/plasma_notes
 blacklist ${HOME}/.local/share/psi+
 blacklist ${HOME}/.local/share/qpdfview
 blacklist ${HOME}/.local/share/qutebrowser
@@ -485,6 +497,7 @@ blacklist ${HOME}/.xpdfrc
 blacklist ${HOME}/.zoom
 blacklist ${HOME}/Arduino
 blacklist ${HOME}/wallet.dat
+blacklist /tmp/akonadi-*
 blacklist /tmp/ssh-*
 
 # ~/.cache directory
@@ -495,6 +508,8 @@ blacklist ${HOME}/.cache/Franz
 blacklist ${HOME}/.cache/INRIA
 blacklist ${HOME}/.cache/MusicBrainz
 blacklist ${HOME}/.cache/QuiteRss
+blacklist ${HOME}/.cache/akonadi*
+blacklist ${HOME}/.cache/atril
 blacklist ${HOME}/.cache/attic
 blacklist ${HOME}/.cache/borg
 blacklist ${HOME}/.cache/calibre
@@ -517,11 +532,14 @@ blacklist ${HOME}/.cache/google-chrome-unstable
 blacklist ${HOME}/.cache/gnome-twitch
 blacklist ${HOME}/.cache/icedove
 blacklist ${HOME}/.cache/INRIA/Natron
+blacklist ${HOME}/.cache/inkscape
 blacklist ${HOME}/.cache/inox
 blacklist ${HOME}/.cache/iridium
 blacklist ${HOME}/.cache/kdenlive
 blacklist ${HOME}/.cache/kinfocenter
+blacklist ${HOME}/.cache/kmail2
 blacklist ${HOME}/.cache/krunner
+blacklist ${HOME}/.cache/krunnerbookmarkrunnerfirefoxdbfile.sqlite
 blacklist ${HOME}/.cache/kscreenlocker_greet
 blacklist ${HOME}/.cache/ksmserver-logout-greeter
 blacklist ${HOME}/.cache/ksplashqml
@@ -554,6 +572,7 @@ blacklist ${HOME}/.cache/torbrowser
 blacklist ${HOME}/.cache/transmission
 blacklist ${HOME}/.cache/vivaldi
 blacklist ${HOME}/.cache/vivaldi-snapshot
+blacklist ${HOME}/.cache/vlc
 blacklist ${HOME}/.cache/waterfox
 blacklist ${HOME}/.cache/wesnoth
 blacklist ${HOME}/.cache/xmms2
diff --git a/etc/display.profile b/etc/display.profile
index 41512a0cb..69183f4ca 100644
--- a/etc/display.profile
+++ b/etc/display.profile
@@ -5,8 +5,6 @@ include /etc/firejail/display.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
-
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
@@ -16,6 +14,7 @@ include /etc/firejail/whitelist-var-common.inc
 
 caps.drop all
 net none
+nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/ebook-viewer.profile b/etc/ebook-viewer.profile
index 9f7e1382b..1e28b854a 100644
--- a/etc/ebook-viewer.profile
+++ b/etc/ebook-viewer.profile
@@ -1,9 +1,8 @@
 # Firejail profile alias for calibre
 # This file is overwritten after every install/update
 
-blacklist /run/user/*/bus
-
 net none
+nodbus
 
 # Redirect
 include /etc/firejail/calibre.profile
diff --git a/etc/electron.profile b/etc/electron.profile
index 222beada0..52d45b3f8 100644
--- a/etc/electron.profile
+++ b/etc/electron.profile
@@ -14,6 +14,7 @@ whitelist ${DOWNLOADS}
 apparmor
 caps.drop all
 netfilter
+nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/engrampa.profile b/etc/engrampa.profile
index ae61f1d93..cf32d579e 100644
--- a/etc/engrampa.profile
+++ b/etc/engrampa.profile
@@ -5,8 +5,6 @@ include /etc/firejail/engrampa.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-# blacklist /run/user/*/bus - makes settings immutable
-
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
@@ -14,9 +12,11 @@ include /etc/firejail/disable-programs.inc
 
 include /etc/firejail/whitelist-var-common.inc
 
+apparmor
 caps.drop all
-# net none - makes settings immutable
+net none
 no3d
+nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/eog.profile b/etc/eog.profile
index 545a6e432..66434ae05 100644
--- a/etc/eog.profile
+++ b/etc/eog.profile
@@ -5,8 +5,6 @@ include /etc/firejail/eog.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-# blacklist /run/user/*/bus - makes settings immutable
-
 noblacklist ${HOME}/.Steam
 noblacklist ${HOME}/.config/eog
 noblacklist ${HOME}/.local/share/Trash
@@ -19,10 +17,11 @@ include /etc/firejail/disable-programs.inc
 
 include /etc/firejail/whitelist-var-common.inc
 
-apparmor
+# apparmor - makes settings immutable
 caps.drop all
 # net none - makes settings immutable
 no3d
+# nodbus - makes settings immutable
 nodvd
 nogroups
 nonewprivs
@@ -37,7 +36,7 @@ shell none
 private-bin eog
 private-dev
 private-etc fonts
-private-lib
+private-lib gdk-pixbuf-2.0,gio,girepository-1.0,gvfs,libgconf-2.so.4
 private-tmp
 
 #memory-deny-write-execute  - breaks on Arch
diff --git a/etc/eom.profile b/etc/eom.profile
index c7c92db0e..48965bcb9 100644
--- a/etc/eom.profile
+++ b/etc/eom.profile
@@ -5,8 +5,6 @@ include /etc/firejail/eom.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-# blacklist /run/user/*/bus - makes settings immutable
-
 noblacklist ${HOME}/.Steam
 noblacklist ${HOME}/.config/mate/eom
 noblacklist ${HOME}/.local/share/Trash
@@ -19,10 +17,11 @@ include /etc/firejail/disable-programs.inc
 
 include /etc/firejail/whitelist-var-common.inc
 
-apparmor
+# apparmor - makes settings immutable
 caps.drop all
 # net none - makes settings immutable
 no3d
+# nodbus - makes settings immutable
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/etr.profile b/etc/etr.profile
index ad2e5be5d..5c01636cc 100644
--- a/etc/etr.profile
+++ b/etc/etr.profile
@@ -5,8 +5,6 @@ include /etc/firejail/etr.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
-
 noblacklist ${HOME}/.etr
 
 include /etc/firejail/disable-common.inc
@@ -20,6 +18,7 @@ include /etc/firejail/whitelist-var-common.inc
 
 caps.drop all
 net none
+nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/evince-previewer.profile b/etc/evince-previewer.profile
new file mode 100644
index 000000000..d5bc6db33
--- /dev/null
+++ b/etc/evince-previewer.profile
@@ -0,0 +1,10 @@
+# Firejail profile for evince-previewer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/evince-previewer.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+# Redirect
+include /etc/firejail/evince.profile
diff --git a/etc/evince-thumbnailer.profile b/etc/evince-thumbnailer.profile
new file mode 100644
index 000000000..abc21632d
--- /dev/null
+++ b/etc/evince-thumbnailer.profile
@@ -0,0 +1,10 @@
+# Firejail profile for evince-thumbnailer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/evince-thumbnailer.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+# Redirect
+include /etc/firejail/evince.profile
diff --git a/etc/evince.profile b/etc/evince.profile
index 72c1ffc97..38c9ee9a9 100644
--- a/etc/evince.profile
+++ b/etc/evince.profile
@@ -5,8 +5,6 @@ include /etc/firejail/evince.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-# blacklist /run/user/*/bus
-
 noblacklist ${HOME}/.config/evince
 
 include /etc/firejail/disable-common.inc
@@ -21,6 +19,7 @@ machine-id
 # net none breaks AppArmor on Ubuntu systems
 netfilter
 no3d
+# nodbus
 nodvd
 nogroups
 nonewprivs
@@ -38,7 +37,7 @@ private-dev
 private-etc fonts
 
 #private-lib - seems to be breaking on Gnome Shell 3.26.2, Mutter WM, issue 1711
-#private-lib evince,libpoppler-glib.so.8
+private-lib evince,gdk-pixbuf-2.0,gio,gvfs/libgvfscommon.so,libgconf-2.so.4,libpoppler-glib.so.8,librsvg-2.so.2
 
 private-tmp
 
diff --git a/etc/exiftool.profile b/etc/exiftool.profile
index 18d1e3c81..8ab6012f5 100644
--- a/etc/exiftool.profile
+++ b/etc/exiftool.profile
@@ -6,7 +6,6 @@ include /etc/firejail/exiftool.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
 blacklist /tmp/.X11-unix
 
 noblacklist /usr/bin/perl
@@ -21,6 +20,7 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 net none
 no3d
+nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/feh.profile b/etc/feh.profile
index 1320434f1..ba7a76c49 100644
--- a/etc/feh.profile
+++ b/etc/feh.profile
@@ -5,8 +5,6 @@ include /etc/firejail/feh.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
-
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
@@ -15,6 +13,7 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 net none
 no3d
+nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/ffmpeg.profile b/etc/ffmpeg.profile
index acea1e834..538179107 100644
--- a/etc/ffmpeg.profile
+++ b/etc/ffmpeg.profile
@@ -6,8 +6,6 @@ include /etc/firejail/ffmpeg.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
-
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
@@ -18,6 +16,7 @@ include /etc/firejail/whitelist-var-common.inc
 caps.drop all
 net none
 no3d
+nodbus
 nodvd
 nosound
 notv
diff --git a/etc/file-roller.profile b/etc/file-roller.profile
index bc4e70da4..eb76d1dbb 100644
--- a/etc/file-roller.profile
+++ b/etc/file-roller.profile
@@ -5,8 +5,6 @@ include /etc/firejail/file-roller.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-# blacklist /run/user/*/bus - makes settings immutable
-
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
@@ -14,9 +12,11 @@ include /etc/firejail/disable-programs.inc
 
 include /etc/firejail/whitelist-var-common.inc
 
+apparmor
 caps.drop all
-# net none - makes settings immutable
+net none
 no3d
+nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/file.profile b/etc/file.profile
index 041bf5ae5..2bdbaaaa8 100644
--- a/etc/file.profile
+++ b/etc/file.profile
@@ -6,7 +6,6 @@ include /etc/firejail/file.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
 blacklist /tmp/.X11-unix
 
 include /etc/firejail/disable-common.inc
@@ -17,6 +16,7 @@ caps.drop all
 hostname file
 net none
 no3d
+nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/firefox-common.profile b/etc/firefox-common.profile
index 12d160155..1f531c1b7 100644
--- a/etc/firefox-common.profile
+++ b/etc/firefox-common.profile
@@ -25,6 +25,7 @@ caps.drop all
 # machine-id breaks pulse audio; it should work fine in setups where sound is not required
 #machine-id
 netfilter
+nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/firejail.config b/etc/firejail.config
index ade3e3c84..0cd4dca3a 100644
--- a/etc/firejail.config
+++ b/etc/firejail.config
@@ -23,6 +23,9 @@
 # and it will harden the rest of the chroot tree.
 # chroot-desktop yes
 
+# Enable or disable dbus handling by --nodbus flag, default enabled.
+# dbus yes
+
 # Disable /mnt, /media, /run/mount and /run/media access. By default access
 # to these directories is enabled.
 # disable-mnt no
diff --git a/etc/freecad.profile b/etc/freecad.profile
index bac502a5f..c51d88f7a 100644
--- a/etc/freecad.profile
+++ b/etc/freecad.profile
@@ -5,8 +5,6 @@ include /etc/firejail/freecad.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
-
 noblacklist ${HOME}/.config/FreeCAD
 
 include /etc/firejail/disable-common.inc
@@ -17,6 +15,7 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 ipc-namespace
 net none
+nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/frozen-bubble.profile b/etc/frozen-bubble.profile
index ca38ed1b8..8acd32bdd 100644
--- a/etc/frozen-bubble.profile
+++ b/etc/frozen-bubble.profile
@@ -5,8 +5,6 @@ include /etc/firejail/frozen-bubble.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
-
 noblacklist ${HOME}/.frozen-bubble
 
 include /etc/firejail/disable-common.inc
@@ -21,6 +19,7 @@ include /etc/firejail/whitelist-var-common.inc
 
 caps.drop all
 net none
+nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/galculator.profile b/etc/galculator.profile
index b28c7943f..8229f8250 100644
--- a/etc/galculator.profile
+++ b/etc/galculator.profile
@@ -5,8 +5,6 @@ include /etc/firejail/galculator.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
-
 noblacklist ${HOME}/.config/galculator
 
 include /etc/firejail/disable-common.inc
@@ -22,6 +20,7 @@ include /etc/firejail/whitelist-var-common.inc
 apparmor
 caps.drop all
 net none
+nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/gcloud.profile b/etc/gcloud.profile
new file mode 100644
index 000000000..195dc9302
--- /dev/null
+++ b/etc/gcloud.profile
@@ -0,0 +1,40 @@
+# Firejail profile for gcloud
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/gcloud.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+noblacklist ${HOME}/.boto
+noblacklist ${HOME}/.config/gcloud
+noblacklist /var/run/docker.sock
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-programs.inc
+
+apparmor
+caps.drop all
+machine-id
+netfilter
+nodbus
+nodvd
+# required for sudo-free docker
+#nogroups
+nonewprivs
+noroot
+notv
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-dev
+private-etc ca-certificates,ssl,hosts,localtime,nsswitch.conf,resolv.conf,pki,crypto-policies,ld.so.cache
+private-tmp
+
+noexec /tmp
+
+# will break user-local installs of gcloud tooling
+# noexec ${HOME}
diff --git a/etc/gedit.profile b/etc/gedit.profile
index 97eb692de..e78b8a708 100644
--- a/etc/gedit.profile
+++ b/etc/gedit.profile
@@ -5,8 +5,6 @@ include /etc/firejail/gedit.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-# blacklist /run/user/*/bus - makes settings immutable
-
 noblacklist ${HOME}/.config/enchant
 noblacklist ${HOME}/.config/gedit
 noblacklist ${HOME}/.gitconfig
@@ -18,10 +16,12 @@ include /etc/firejail/disable-programs.inc
 
 include /etc/firejail/whitelist-var-common.inc
 
+# apparmor - makes settings immutable
 caps.drop all
-# net none - makes settings immutable
 machine-id
+# net none - makes settings immutable
 no3d
+# nodbus - makes settings immutable
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/gimp.profile b/etc/gimp.profile
index 3cc012a88..49df54d1f 100644
--- a/etc/gimp.profile
+++ b/etc/gimp.profile
@@ -5,8 +5,6 @@ include /etc/firejail/gimp.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
-
 noblacklist ${HOME}/.gimp*
 
 include /etc/firejail/disable-common.inc
@@ -18,6 +16,7 @@ include /etc/firejail/whitelist-var-common.inc
 apparmor
 caps.drop all
 net none
+nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/gnome-calculator.profile b/etc/gnome-calculator.profile
index d13208a1e..dfb93c3b0 100644
--- a/etc/gnome-calculator.profile
+++ b/etc/gnome-calculator.profile
@@ -6,7 +6,6 @@ include /etc/firejail/gnome-calculator.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
@@ -14,10 +13,12 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/whitelist-common.inc
 include /etc/firejail/whitelist-var-common.inc
 
-apparmor
+# apparmor - makes settings immutable
 caps.drop all
+# net none
 netfilter
 no3d
+# nodbus - makes settings immutable
 nodvd
 nogroups
 nonewprivs
@@ -32,7 +33,7 @@ shell none
 disable-mnt
 private-bin gnome-calculator
 private-dev
-private-lib
+private-lib gdk-pixbuf-2.0,gio,girepository-1.0,gvfs,libgconf-2.so.4,libgnutls.so.30,libproxy.so.1,librsvg-2.so.2,libxml2.so.2
 private-tmp
 
 #memory-deny-write-execute  - breaks on Arch
diff --git a/etc/gnome-logs.profile b/etc/gnome-logs.profile
new file mode 100644
index 000000000..7e7902dff
--- /dev/null
+++ b/etc/gnome-logs.profile
@@ -0,0 +1,40 @@
+# Firejail profile for gnome-logs
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/gnome-logs.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+whitelist /var/log/journal
+include /etc/firejail/whitelist-var-common.inc
+
+caps.drop all
+net none
+no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix
+seccomp
+shell none
+
+disable-mnt
+private-bin gnome-logs
+private-dev
+#private-etc fonts
+#private-lib gdk-pixbuf-2.0,gio,gvfs/libgvfscommon.so,libgconf-2.so.4,librsvg-2.so.2
+private-tmp
+writable-var-log
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/gnome-recipes.profile b/etc/gnome-recipes.profile
new file mode 100644
index 000000000..2f7657c0c
--- /dev/null
+++ b/etc/gnome-recipes.profile
@@ -0,0 +1,45 @@
+# Firejail profile for gnome-recipes
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/gnome-recipes.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+noblacklist ${HOME}/.local/share/gnome-recipes
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+mkdir ${HOME}/.cache/gnome-recipes
+whitelist ${HOME}/.cache/gnome-recipes
+include /etc/firejail/whitelist-common.inc
+include /etc/firejail/whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+disable-mnt
+private-bin gnome-recipes,tar
+private-dev
+private-etc ca-certificates,fonts,ssl,crypto-policies,pki
+# private-lib works for me with Gnome Shell 3.26.2, Mutter WM (Arch Linux)
+# not widely tested though, leaving it to devs discretion to enable it later
+#private-lib gdk-pixbuf-2.0,gio,gvfs/libgvfscommon.so,libgconf-2.so.4,libgnutls.so.30,libjpeg.so.8,libp11-kit.so.0,libproxy.so.1,librsvg-2.so.2
+private-tmp
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/gpicview.profile b/etc/gpicview.profile
index 8d47d9c31..c6453e972 100644
--- a/etc/gpicview.profile
+++ b/etc/gpicview.profile
@@ -5,8 +5,6 @@ include /etc/firejail/gpicview.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
-
 noblacklist ${HOME}/.config/gpicview
 
 include /etc/firejail/disable-common.inc
@@ -18,6 +16,7 @@ include /etc/firejail/whitelist-var-common.inc
 
 caps.drop all
 net none
+nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/gwenview.profile b/etc/gwenview.profile
index d79b72152..d17be41cc 100644
--- a/etc/gwenview.profile
+++ b/etc/gwenview.profile
@@ -5,8 +5,6 @@ include /etc/firejail/gwenview.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-# blacklist /run/user/*/bus
-
 noblacklist ${HOME}/.config/gwenviewrc
 noblacklist ${HOME}/.config/org.kde.gwenviewrc
 noblacklist ${HOME}/.gimp*
@@ -24,8 +22,10 @@ include /etc/firejail/disable-programs.inc
 
 include /etc/firejail/whitelist-var-common.inc
 
+apparmor
 caps.drop all
 # net none
+# nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/gzip.profile b/etc/gzip.profile
index 5187bb9f0..779067770 100644
--- a/etc/gzip.profile
+++ b/etc/gzip.profile
@@ -6,12 +6,12 @@ include /etc/firejail/gzip.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
 blacklist /tmp/.X11-unix
 
 ignore noroot
 net none
 no3d
+nodbus
 nodvd
 nosound
 notv
diff --git a/etc/handbrake.profile b/etc/handbrake.profile
index b99842d60..ff9dd248f 100644
--- a/etc/handbrake.profile
+++ b/etc/handbrake.profile
@@ -17,6 +17,7 @@ include /etc/firejail/whitelist-var-common.inc
 apparmor
 caps.drop all
 netfilter
+nodbus
 nogroups
 nonewprivs
 noroot
diff --git a/etc/hashcat.profile b/etc/hashcat.profile
index ad1aae523..c8ab268c8 100644
--- a/etc/hashcat.profile
+++ b/etc/hashcat.profile
@@ -6,8 +6,6 @@ include /etc/firejail/hashcat.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
-
 noblacklist ${HOME}/.hashcat
 noblacklist /usr/include
 
@@ -18,6 +16,7 @@ include /etc/firejail/disable-programs.inc
 
 caps.drop all
 net none
+nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/highlight.profile b/etc/highlight.profile
index a7c667ce1..781866f3b 100644
--- a/etc/highlight.profile
+++ b/etc/highlight.profile
@@ -5,7 +5,6 @@ include /etc/firejail/highlight.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
 blacklist /tmp/.X11-unix
 
 include /etc/firejail/disable-common.inc
@@ -16,6 +15,7 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 net none
 no3d
+nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/hugin.profile b/etc/hugin.profile
index bff074b74..3847a7daf 100644
--- a/etc/hugin.profile
+++ b/etc/hugin.profile
@@ -5,8 +5,6 @@ include /etc/firejail/hugin.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
-
 noblacklist ${HOME}/.hugin
 
 include /etc/firejail/disable-common.inc
@@ -16,6 +14,7 @@ include /etc/firejail/disable-programs.inc
 
 caps.drop all
 net none
+nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/imagej.profile b/etc/imagej.profile
index 058da2805..7396160af 100644
--- a/etc/imagej.profile
+++ b/etc/imagej.profile
@@ -5,8 +5,6 @@ include /etc/firejail/imagej.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
-
 noblacklist ${HOME}/.imagej
 
 include /etc/firejail/disable-common.inc
@@ -17,6 +15,7 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 ipc-namespace
 net none
+nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/img2txt.profile b/etc/img2txt.profile
index 5a19a75f1..8c157bf2a 100644
--- a/etc/img2txt.profile
+++ b/etc/img2txt.profile
@@ -5,8 +5,6 @@ include /etc/firejail/img2txt.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
-
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
@@ -14,6 +12,7 @@ include /etc/firejail/disable-programs.inc
 
 caps.drop all
 net none
+nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/inkscape.profile b/etc/inkscape.profile
index 6e669ea2c..af24bc3e9 100644
--- a/etc/inkscape.profile
+++ b/etc/inkscape.profile
@@ -5,9 +5,9 @@ include /etc/firejail/inkscape.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-noblacklist ${HOME}/.inkscape
+noblacklist ${HOME}/.cache/inkscape
 noblacklist ${HOME}/.config/inkscape
-
+noblacklist ${HOME}/.inkscape
 
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
@@ -18,7 +18,8 @@ include /etc/firejail/whitelist-var-common.inc
 
 apparmor
 caps.drop all
-netfilter
+net none
+nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/jd-gui.profile b/etc/jd-gui.profile
index bf461b93d..f70eff3e4 100644
--- a/etc/jd-gui.profile
+++ b/etc/jd-gui.profile
@@ -5,8 +5,6 @@ include /etc/firejail/jd-gui.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
-
 noblacklist ${HOME}/.config/jd-gui.cfg
 noblacklist ${HOME}/.java
 
@@ -18,6 +16,7 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 net none
 no3d
+nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/kate.profile b/etc/kate.profile
index a3d2be6b2..b3c1e81d8 100644
--- a/etc/kate.profile
+++ b/etc/kate.profile
@@ -5,8 +5,7 @@ include /etc/firejail/kate.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-# blacklist /run/user/*/bus
-
+noblacklist ${HOME}/.config/katemetainfos
 noblacklist ${HOME}/.config/katepartrc
 noblacklist ${HOME}/.config/katerc
 noblacklist ${HOME}/.config/kateschemarc
@@ -21,9 +20,10 @@ include /etc/firejail/disable-programs.inc
 
 include /etc/firejail/whitelist-var-common.inc
 
-apparmor
+# apparmor
 caps.drop all
 # net none
+# nodbus
 netfilter
 nodvd
 nogroups
@@ -42,4 +42,7 @@ private-dev
 # private-etc fonts,kde4rc,kde5rc,ld.so.cache,machine-id,xdg
 private-tmp
 
+# noexec ${HOME}
+noexec /tmp
+
 join-or-start kate
diff --git a/etc/kcalc.profile b/etc/kcalc.profile
index 3f024f3fa..86a3b1462 100644
--- a/etc/kcalc.profile
+++ b/etc/kcalc.profile
@@ -20,9 +20,11 @@ whitelist ${HOME}/.kde4/share/config/kcalcrc
 include /etc/firejail/whitelist-common.inc
 include /etc/firejail/whitelist-var-common.inc
 
+apparmor
 caps.drop all
-netfilter
+net none
 no3d
+nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/kdenlive.profile b/etc/kdenlive.profile
index 5c770856a..819279b10 100644
--- a/etc/kdenlive.profile
+++ b/etc/kdenlive.profile
@@ -5,7 +5,6 @@ include /etc/firejail/kdenlive.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-# blacklist /run/user/*/bus
 noblacklist ${HOME}/.cache/kdenlive
 noblacklist ${HOME}/.config/kdenliverc
 noblacklist ${HOME}/.local/share/kdenlive
@@ -18,6 +17,7 @@ include /etc/firejail/disable-programs.inc
 apparmor
 caps.drop all
 # net none
+# nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/keepassx.profile b/etc/keepassx.profile
index f7b0bd5d1..14af2682c 100644
--- a/etc/keepassx.profile
+++ b/etc/keepassx.profile
@@ -5,8 +5,6 @@ include /etc/firejail/keepassx.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
-
 noblacklist ${HOME}/*.kdb
 noblacklist ${HOME}/*.kdbx
 noblacklist ${HOME}/.config/keepassx
@@ -23,6 +21,7 @@ caps.drop all
 machine-id
 net none
 no3d
+nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/keepassxc.profile b/etc/keepassxc.profile
index 66b524d29..0e464cbe4 100644
--- a/etc/keepassxc.profile
+++ b/etc/keepassxc.profile
@@ -5,8 +5,6 @@ include /etc/firejail/keepassxc.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
-
 noblacklist ${HOME}/*.kdb
 noblacklist ${HOME}/*.kdbx
 noblacklist ${HOME}/.config/keepassxc
@@ -22,9 +20,11 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/whitelist-var-common.inc
 
 caps.drop all
+machine-id
 net none
 no3d
 nodvd
+nodbus
 nogroups
 nonewprivs
 noroot
diff --git a/etc/kmail.profile b/etc/kmail.profile
index ca774f4ec..3e425b62e 100644
--- a/etc/kmail.profile
+++ b/etc/kmail.profile
@@ -5,13 +5,32 @@ include /etc/firejail/kmail.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
+# kmail has problems launching akonadi in debian and ubuntu.
+# one solution is to have akonadi already running when kmail is started
+
+noblacklist ${HOME}/.cache/akonadi*
+noblacklist ${HOME}/.cache/kmail2
+noblacklist ${HOME}/.config/akonadi*
+noblacklist ${HOME}/.config/baloorc
+noblacklist ${HOME}/.config/emailidentities
+noblacklist ${HOME}/.config/kmail2rc
 noblacklist ${HOME}/.gnupg
+noblacklist ${HOME}/.local/share/akonadi*
+noblacklist ${HOME}/.local/share/contacts
+noblacklist ${HOME}/.local/share/emailidentities
+noblacklist ${HOME}/.local/share/kmail2
+noblacklist ${HOME}/.local/share/local-mail
+noblacklist ${HOME}/.local/share/notes
+noblacklist /tmp/akonadi-*
 
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
+# apparmor
 caps.drop all
 netfilter
 nodvd
@@ -22,11 +41,14 @@ nosound
 notv
 novideo
 protocol unix,inet,inet6,netlink
-# blacklisting of chroot system calls breaks kmail
-seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+# we need to allow chroot, io_getevents, ioprio_set, io_setup, io_submit system calls
+seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
 # tracelog
 # writable-run-user is needed for signing and encrypting emails
 writable-run-user
 
 private-dev
-# private-tmp - breaks akonadi and opening of email attachments
+# private-tmp - interrupts connection to akonadi, breaks opening of email attachments
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/knotes.profile b/etc/knotes.profile
index 94ada7855..4bbbd332d 100644
--- a/etc/knotes.profile
+++ b/etc/knotes.profile
@@ -5,27 +5,12 @@ include /etc/firejail/knotes.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-noblacklist ${HOME}/.config/knotesrc
-
-include /etc/firejail/disable-common.inc
-# include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+# knotes has problems launching akonadi in debian and ubuntu.
+# one solution is to have akonadi already running when knotes is started
 
-include /etc/firejail/whitelist-var-common.inc
+noblacklist ${HOME}/.config/knotesrc
+noblacklist ${HOME}/.local/share/knotes
 
-caps.drop all
-netfilter
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-protocol unix
-seccomp
-shell none
-tracelog
 
-private-dev
-#private-tmp - problems on kubuntu 17.04
+# Redirect
+include /etc/firejail/kmail.profile
diff --git a/etc/krita.profile b/etc/krita.profile
index 0f4c5210b..24948c584 100644
--- a/etc/krita.profile
+++ b/etc/krita.profile
@@ -5,7 +5,6 @@ include /etc/firejail/krita.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-# blacklist /run/user/*/bus
 noblacklist ${HOME}/.config/kritarc
 noblacklist ${HOME}/.local/share/krita
 
@@ -18,6 +17,7 @@ apparmor
 caps.drop all
 ipc-namespace
 # net none
+# nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/krunner.profile b/etc/krunner.profile
index 1e97f4290..17526c4ea 100644
--- a/etc/krunner.profile
+++ b/etc/krunner.profile
@@ -10,10 +10,13 @@ include /etc/firejail/globals.local
 #   with its own profile, if it is sandboxed automatically.
 
 # noblacklist ${HOME}/.cache/krunner
+# noblacklist ${HOME}/.cache/krunnerbookmarkrunnerfirefoxdbfile.sqlite
+# noblacklist ${HOME}/.config/chromium
 noblacklist ${HOME}/.config/krunnerrc
 noblacklist ${HOME}/.kde/share/config/krunnerrc
 noblacklist ${HOME}/.kde4/share/config/krunnerrc
 # noblacklist ${HOME}/.local/share/baloo
+# noblacklist ${HOME}/.mozilla
 
 include /etc/firejail/disable-common.inc
 # include /etc/firejail/disable-devel.inc
diff --git a/etc/kwrite.profile b/etc/kwrite.profile
index a785f3541..ac51259c0 100644
--- a/etc/kwrite.profile
+++ b/etc/kwrite.profile
@@ -5,8 +5,6 @@ include /etc/firejail/kwrite.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-# blacklist /run/user/*/bus
-
 noblacklist ${HOME}/.config/katepartrc
 noblacklist ${HOME}/.config/katerc
 noblacklist ${HOME}/.config/kateschemarc
@@ -26,6 +24,7 @@ apparmor
 caps.drop all
 # net none
 netfilter
+# nodbus
 nodvd
 nogroups
 nonewprivs
@@ -43,4 +42,7 @@ private-dev
 private-etc fonts,kde4rc,kde5rc,ld.so.cache,machine-id,pulse,xdg
 private-tmp
 
+noexec ${HOME}
+noexec /tmp
+
 join-or-start kwrite
diff --git a/etc/less.profile b/etc/less.profile
index 3b1c5d6bf..e2616ba4f 100644
--- a/etc/less.profile
+++ b/etc/less.profile
@@ -6,12 +6,12 @@ include /etc/firejail/less.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
 blacklist /tmp/.X11-unix
 
 ignore noroot
 net none
 no3d
+nodbus
 nodvd
 nosound
 notv
diff --git a/etc/libreoffice.profile b/etc/libreoffice.profile
index ceb680951..15961321e 100644
--- a/etc/libreoffice.profile
+++ b/etc/libreoffice.profile
@@ -21,6 +21,7 @@ apparmor
 caps.drop all
 machine-id
 netfilter
+nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/lmms.profile b/etc/lmms.profile
index b2bacb246..a9fecf5be 100644
--- a/etc/lmms.profile
+++ b/etc/lmms.profile
@@ -5,8 +5,6 @@ include /etc/firejail/lmms.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
-
 noblacklist ${HOME}/.lmmsrc.xml
 
 include /etc/firejail/disable-common.inc
@@ -18,6 +16,7 @@ caps.drop all
 ipc-namespace
 net none
 no3d
+nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/macrofusion.profile b/etc/macrofusion.profile
index f8c5c34ca..948c7226d 100644
--- a/etc/macrofusion.profile
+++ b/etc/macrofusion.profile
@@ -5,8 +5,6 @@ include /etc/firejail/macrofusion.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
-
 noblacklist ${HOME}/.config/mfusion
 
 include /etc/firejail/disable-common.inc
@@ -17,6 +15,7 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 ipc-namespace
 net none
+nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/mate-calc.profile b/etc/mate-calc.profile
index be5dac206..f452b751a 100644
--- a/etc/mate-calc.profile
+++ b/etc/mate-calc.profile
@@ -5,8 +5,6 @@ include /etc/firejail/mate-calc.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
-
 noblacklist ${HOME}/.config/mate-calc
 
 include /etc/firejail/disable-common.inc
@@ -24,6 +22,7 @@ whitelist ${HOME}/.themes
 caps.drop all
 net none
 no3d
+nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/mediainfo.profile b/etc/mediainfo.profile
index de9297174..c3c84ed39 100644
--- a/etc/mediainfo.profile
+++ b/etc/mediainfo.profile
@@ -5,7 +5,6 @@ include /etc/firejail/mediainfo.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
 blacklist /tmp/.X11-unix
 
 include /etc/firejail/disable-common.inc
@@ -16,6 +15,7 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 net none
 no3d
+nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/meld.profile b/etc/meld.profile
index 1a451ff57..78d9e0c76 100644
--- a/etc/meld.profile
+++ b/etc/meld.profile
@@ -5,8 +5,6 @@ include /etc/firejail/meld.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
-
 noblacklist ${HOME}/.local/share/meld
 
 include /etc/firejail/disable-common.inc
@@ -17,6 +15,7 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 net none
 no3d
+nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/mpv.profile b/etc/mpv.profile
index a4dc679f4..dcd8b05e1 100644
--- a/etc/mpv.profile
+++ b/etc/mpv.profile
@@ -18,6 +18,7 @@ include /etc/firejail/whitelist-var-common.inc
 apparmor
 caps.drop all
 netfilter
+nodbus
 nogroups
 nonewprivs
 noroot
diff --git a/etc/mupdf.profile b/etc/mupdf.profile
index 9e04c3a81..af5859dbc 100644
--- a/etc/mupdf.profile
+++ b/etc/mupdf.profile
@@ -5,8 +5,6 @@ include /etc/firejail/mupdf.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
-
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
@@ -17,6 +15,7 @@ include /etc/firejail/whitelist-var-common.inc
 caps.drop all
 machine-id
 net none
+nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/mupen64plus.profile b/etc/mupen64plus.profile
index e05babc91..2e3d7cfb8 100644
--- a/etc/mupen64plus.profile
+++ b/etc/mupen64plus.profile
@@ -5,8 +5,6 @@ include /etc/firejail/mupen64plus.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
-
 noblacklist ${HOME}/.config/mupen64plus
 noblacklist ${HOME}/.local/share/mupen64plus
 
@@ -24,6 +22,7 @@ include /etc/firejail/whitelist-common.inc
 
 caps.drop all
 net none
+nodbus
 nodvd
 nonewprivs
 noroot
diff --git a/etc/natron.profile b/etc/natron.profile
index 413ea53f9..cf01c862c 100644
--- a/etc/natron.profile
+++ b/etc/natron.profile
@@ -5,8 +5,6 @@ include /etc/firejail/natron.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
-
 noblacklist ${HOME}/.Natron
 noblacklist ${HOME}/.cache/INRIA/Natron
 noblacklist ${HOME}/.config/INRIA
@@ -19,6 +17,7 @@ include /etc/firejail/disable-programs.inc
 
 caps.drop all
 net none
+nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/ncdu.profile b/etc/ncdu.profile
new file mode 100644
index 000000000..ab79a325e
--- /dev/null
+++ b/etc/ncdu.profile
@@ -0,0 +1,29 @@
+# Firejail profile for ncdu
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/ncdu.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+caps.drop all
+ipc-namespace
+nodbus
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix
+seccomp
+shell none
+
+private-dev
+# private-tmp
+
+memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/odt2txt.profile b/etc/odt2txt.profile
index b6d4a63b5..c807a5399 100644
--- a/etc/odt2txt.profile
+++ b/etc/odt2txt.profile
@@ -5,7 +5,6 @@ include /etc/firejail/odt2txt.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
 blacklist /tmp/.X11-unix
 
 include /etc/firejail/disable-common.inc
@@ -16,6 +15,7 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 net none
 no3d
+nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/okular.profile b/etc/okular.profile
index ffe0d2bfb..f1f0b2c7e 100644
--- a/etc/okular.profile
+++ b/etc/okular.profile
@@ -5,8 +5,6 @@ include /etc/firejail/okular.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-# blacklist /run/user/*/bus
-
 noblacklist ${HOME}/.cache/okular
 noblacklist ${HOME}/.config/okularpartrc
 noblacklist ${HOME}/.config/okularrc
@@ -30,6 +28,7 @@ caps.drop all
 machine-id
 # net none
 netfilter
+# nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/open-invaders.profile b/etc/open-invaders.profile
index 191f8d87b..3c3609dae 100644
--- a/etc/open-invaders.profile
+++ b/etc/open-invaders.profile
@@ -5,8 +5,6 @@ include /etc/firejail/open-invaders.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
-
 noblacklist ${HOME}/.openinvaders
 
 include /etc/firejail/disable-common.inc
@@ -20,6 +18,7 @@ include /etc/firejail/whitelist-common.inc
 
 caps.drop all
 net none
+nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/openbox.profile b/etc/openbox.profile
index 5bab7ce7d..ec4b47c29 100644
--- a/etc/openbox.profile
+++ b/etc/openbox.profile
@@ -14,3 +14,6 @@ netfilter
 noroot
 protocol unix,inet,inet6
 seccomp
+
+read-only ${HOME}/.config/openbox/autostart
+read-only ${HOME}/.config/openbox/environment
diff --git a/etc/openshot.profile b/etc/openshot.profile
index ca9110be6..b9eb29590 100644
--- a/etc/openshot.profile
+++ b/etc/openshot.profile
@@ -18,6 +18,7 @@ include /etc/firejail/whitelist-var-common.inc
 apparmor
 caps.drop all
 netfilter
+nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/pcmanfm.profile b/etc/pcmanfm.profile
index 08c607020..0dcd21549 100644
--- a/etc/pcmanfm.profile
+++ b/etc/pcmanfm.profile
@@ -5,8 +5,6 @@ include /etc/firejail/pcmanfm.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-# blacklist /run/user/*/bus
-
 noblacklist ${HOME}/.local/share/Trash
 # noblacklist ${HOME}/.config/libfm - disable-programs.inc is disabled, see below
 # noblacklist ${HOME}/.config/pcmanfm
@@ -19,6 +17,7 @@ include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
 # net none - see issue #1467, computer:/// location broken
 no3d
+# nodbus
 nodvd
 nonewprivs
 noroot
diff --git a/etc/pdfchain.profile b/etc/pdfchain.profile
index d43c0911e..b4ccb6003 100755
--- a/etc/pdfchain.profile
+++ b/etc/pdfchain.profile
@@ -5,9 +5,6 @@ include /etc/firejail/pdfchain.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-
-blacklist /run/user/*/bus
-
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
@@ -19,6 +16,7 @@ caps.drop all
 ipc-namespace
 net none
 no3d
+nodbus
 nogroups
 nonewprivs
 noroot
diff --git a/etc/pdfmod.profile b/etc/pdfmod.profile
index 8ac09dcdc..9b08dfd84 100644
--- a/etc/pdfmod.profile
+++ b/etc/pdfmod.profile
@@ -5,8 +5,6 @@ include /etc/firejail/pdfmod.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
-
 noblacklist ${HOME}/.cache/pdfmod
 noblacklist ${HOME}/.config/pdfmod
 
@@ -22,6 +20,7 @@ ipc-namespace
 machine-id
 net none
 no3d
+nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/pdfsam.profile b/etc/pdfsam.profile
index c1515ab73..465f68fd6 100644
--- a/etc/pdfsam.profile
+++ b/etc/pdfsam.profile
@@ -5,8 +5,6 @@ include /etc/firejail/pdfsam.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
-
 noblacklist ${HOME}/.java
 
 include /etc/firejail/disable-common.inc
@@ -18,6 +16,7 @@ caps.drop all
 machine-id
 net none
 no3d
+nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/pdftotext.profile b/etc/pdftotext.profile
index 736faa5ea..a97063754 100644
--- a/etc/pdftotext.profile
+++ b/etc/pdftotext.profile
@@ -5,7 +5,6 @@ include /etc/firejail/pdftotext.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
 blacklist /tmp/.X11-unix
 
 include /etc/firejail/disable-common.inc
@@ -19,6 +18,7 @@ caps.drop all
 machine-id
 net none
 no3d
+nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/peek.profile b/etc/peek.profile
index 01db4fa08..7b7ab9470 100644
--- a/etc/peek.profile
+++ b/etc/peek.profile
@@ -5,8 +5,6 @@ include /etc/firejail/peek.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
-
 noblacklist ${HOME}/.cache/peek
 
 include /etc/firejail/disable-common.inc
@@ -17,6 +15,7 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 net none
 no3d
+nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/pingus.profile b/etc/pingus.profile
index ec7eff632..b287e7ee8 100644
--- a/etc/pingus.profile
+++ b/etc/pingus.profile
@@ -5,8 +5,6 @@ include /etc/firejail/pingus.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
-
 noblacklist ${HOME}/.pingus
 
 include /etc/firejail/disable-common.inc
@@ -20,6 +18,7 @@ include /etc/firejail/whitelist-common.inc
 
 caps.drop all
 net none
+nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/pinta.profile b/etc/pinta.profile
index 4a8815a73..b51521ef7 100644
--- a/etc/pinta.profile
+++ b/etc/pinta.profile
@@ -5,8 +5,6 @@ include /etc/firejail/pinta.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
-
 noblacklist ${HOME}/.config/Pinta
 
 include /etc/firejail/disable-common.inc
@@ -17,6 +15,7 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 ipc-namespace
 net none
+nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/pluma.profile b/etc/pluma.profile
index b50e3cbaf..d0acfeb1a 100644
--- a/etc/pluma.profile
+++ b/etc/pluma.profile
@@ -5,8 +5,6 @@ include /etc/firejail/pluma.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-# blacklist /run/user/*/bus - makes settings immutable
-
 noblacklist ${HOME}/.config/pluma
 
 include /etc/firejail/disable-common.inc
@@ -16,10 +14,12 @@ include /etc/firejail/disable-programs.inc
 
 include /etc/firejail/whitelist-var-common.inc
 
+# apparmor - makes settings immutable
 caps.drop all
-# net none - makes settings immutable
 machine-id
+# net none - makes settings immutable
 no3d
+# nodbus - makes settings immutable
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/qbittorrent.profile b/etc/qbittorrent.profile
index 8df8177eb..14a9e8adc 100644
--- a/etc/qbittorrent.profile
+++ b/etc/qbittorrent.profile
@@ -30,6 +30,7 @@ apparmor
 caps.drop all
 machine-id
 netfilter
+nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/ranger.profile b/etc/ranger.profile
index 211a1b2d5..fd5bbf89c 100644
--- a/etc/ranger.profile
+++ b/etc/ranger.profile
@@ -5,8 +5,6 @@ include /etc/firejail/ranger.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
-
 # noblacklist /usr/bin/cpan*
 noblacklist /usr/bin/perl
 noblacklist /usr/lib/perl*
@@ -20,6 +18,7 @@ include /etc/firejail/disable-programs.inc
 
 caps.drop all
 net none
+nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/rhythmbox.profile b/etc/rhythmbox.profile
index a20bdb883..6322f8217 100644
--- a/etc/rhythmbox.profile
+++ b/etc/rhythmbox.profile
@@ -13,10 +13,11 @@ include /etc/firejail/disable-programs.inc
 
 include /etc/firejail/whitelist-var-common.inc
 
-apparmor
+# apparmor - makes settings immutable
 caps.drop all
 netfilter
 # no3d
+# nodbus - makes settings immutable
 nogroups
 nonewprivs
 noroot
diff --git a/etc/scribus.profile b/etc/scribus.profile
index 8ce63fbf0..f9f585a20 100644
--- a/etc/scribus.profile
+++ b/etc/scribus.profile
@@ -5,8 +5,6 @@ include /etc/firejail/scribus.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
-
 # Support for PDF readers comes with Scribus 1.5 and higher
 noblacklist ${HOME}/.cache/okular
 noblacklist ${HOME}/.config/okularpartrc
@@ -33,6 +31,7 @@ include /etc/firejail/whitelist-var-common.inc
 
 caps.drop all
 net none
+nodbus
 nodvd
 nogroups
 nonewprivs
@@ -48,3 +47,6 @@ tracelog
 # private-bin scribus,gs,gimp*
 private-dev
 private-tmp
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/sdat2img.profile b/etc/sdat2img.profile
index bc94ae2a0..2f3d94f01 100644
--- a/etc/sdat2img.profile
+++ b/etc/sdat2img.profile
@@ -6,8 +6,6 @@ include /etc/firejail/sdat2img.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
-
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
@@ -16,6 +14,7 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 net none
 no3d
+nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/shotcut.profile b/etc/shotcut.profile
index 3f2cc3d33..293a89ba3 100644
--- a/etc/shotcut.profile
+++ b/etc/shotcut.profile
@@ -5,8 +5,6 @@ include /etc/firejail/shotcut.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
-
 noblacklist ${HOME}/.config/Meltytech
 
 include /etc/firejail/disable-common.inc
@@ -16,6 +14,7 @@ include /etc/firejail/disable-programs.inc
 
 caps.drop all
 net none
+nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/simutrans.profile b/etc/simutrans.profile
index 8b4113d2f..adde3f8ce 100644
--- a/etc/simutrans.profile
+++ b/etc/simutrans.profile
@@ -5,8 +5,6 @@ include /etc/firejail/simutrans.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
-
 noblacklist ${HOME}/.simutrans
 
 include /etc/firejail/disable-common.inc
@@ -20,6 +18,7 @@ include /etc/firejail/whitelist-common.inc
 
 caps.drop all
 net none
+nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/skanlite.profile b/etc/skanlite.profile
index 316cf5821..4fa649654 100644
--- a/etc/skanlite.profile
+++ b/etc/skanlite.profile
@@ -5,8 +5,6 @@ include /etc/firejail/skanlite.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-# blacklist /run/user/*/bus
-
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
@@ -15,6 +13,7 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 # net none
 netfilter
+# nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/smplayer.profile b/etc/smplayer.profile
index 64eff5670..187b0674a 100644
--- a/etc/smplayer.profile
+++ b/etc/smplayer.profile
@@ -18,6 +18,7 @@ include /etc/firejail/whitelist-var-common.inc
 apparmor
 caps.drop all
 netfilter
+# nodbus - problems with KDE
 # nogroups
 nonewprivs
 noroot
diff --git a/etc/spotify.profile b/etc/spotify.profile
index c973783a9..dfd3bae7f 100644
--- a/etc/spotify.profile
+++ b/etc/spotify.profile
@@ -31,6 +31,7 @@ include /etc/firejail/whitelist-var-common.inc
 
 caps.drop all
 netfilter
+nodbus
 nodvd
 nogroups
 nonewprivs
@@ -44,7 +45,7 @@ tracelog
 disable-mnt
 private-bin spotify,bash,sh,zenity
 private-dev
-private-etc fonts,group,ld.so.cache,machine-id,pulse,resolv.conf
+private-etc fonts,ld.so.cache,machine-id,pulse,resolv.conf
 private-opt spotify
 private-tmp
 
diff --git a/etc/sqlitebrowser.profile b/etc/sqlitebrowser.profile
index 933d55b79..22c37645d 100644
--- a/etc/sqlitebrowser.profile
+++ b/etc/sqlitebrowser.profile
@@ -5,8 +5,6 @@ include /etc/firejail/sqlitebrowser.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
-
 noblacklist ${HOME}/.config/sqlitebrowser
 
 include /etc/firejail/disable-common.inc
@@ -17,6 +15,7 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 net none
 no3d
+nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/steam.profile b/etc/steam.profile
index 4965d3a54..bcdea9bc7 100644
--- a/etc/steam.profile
+++ b/etc/steam.profile
@@ -32,7 +32,10 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/whitelist-var-common.inc
 
 caps.drop all
+#ipc-namespace
 netfilter
+# nodbus disabled as it breaks appindicator support
+#nodbus
 nodvd
 nogroups
 nonewprivs
@@ -44,10 +47,17 @@ protocol unix,inet,inet6,netlink
 seccomp
 shell none
 # tracelog disabled as it breaks integrated browser
-# tracelog
+#tracelog
+
+# private-bin is disabled while in testing, but has been tested working with multiple games
+#private-bin awk,basename,bash,bsdtar,bzip2,cat,chmod,cksum,cmp,comm,compress,cp,curl,cut,date,dbus-launch,dbus-send,desktop-file-edit,desktop-file-install,desktop-file-validate,dirname,echo,env,expr,file,find,getopt,grep,gtar,gzip,head,hostname,id,lbzip2,ldconfig,ldd,ln,ls,lsb_release,lspci,lsof,lz4,lzip,lzma,lzop,md5sum,mkdir,mktemp,mv,netstat,ps,pulseaudio,readlink,realpath,rm,sed,sh,sha1sum,sha256sum,sha512sum,sleep,sort,steam,steamdeps,steam-native,steam-runtime,sum,tail,tar,test,touch,tr,umask,uname,update-desktop-database,wc,wget,which,whoami,xterm,xz,zenity
+# extra programs are available which might be needed for select games
+#private-bin java,java-config,mono,python*
+# picture viewers are are needed for viewing screenshots
+#private-bin eog,eom,gthumb,pix,viewnior,xviewer
 
 # private-dev should be commented for controllers
 private-dev
-# private-etc breaks some games
-#private-etc asound.conf,ca-certificates,dbus-1,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,ld.so.conf,ld.so.conf.d,localtime,lsb-release,machine-id,mime.types,passwd,pulse,resolv.conf,ssl,pki,services,crypto-policies
+# private-etc breaks a small selection of games on some systems, comment to support those
+private-etc asound.conf,ca-certificates,dbus-1,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,ld.so.conf,ld.so.conf.d,localtime,lsb-release,machine-id,mime.types,passwd,pulse,resolv.conf,ssl,pki,services,crypto-policies,alternatives
 private-tmp
diff --git a/etc/strings.profile b/etc/strings.profile
index 09273f35d..8995ad2a6 100644
--- a/etc/strings.profile
+++ b/etc/strings.profile
@@ -6,12 +6,12 @@ include /etc/firejail/strings.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
 blacklist /tmp/.X11-unix
 
 ignore noroot
 net none
 no3d
+nodbus
 nodvd
 nosound
 notv
diff --git a/etc/supertux2.profile b/etc/supertux2.profile
index d60d7fa5f..24f42c276 100644
--- a/etc/supertux2.profile
+++ b/etc/supertux2.profile
@@ -5,8 +5,6 @@ include /etc/firejail/supertux2.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
-
 noblacklist ${HOME}/.local/share/supertux2
 
 include /etc/firejail/disable-common.inc
@@ -21,6 +19,7 @@ include /etc/firejail/whitelist-var-common.inc
 
 caps.drop all
 net none
+nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/synfigstudio.profile b/etc/synfigstudio.profile
index 415a42cf5..be9c2aa64 100644
--- a/etc/synfigstudio.profile
+++ b/etc/synfigstudio.profile
@@ -5,8 +5,6 @@ include /etc/firejail/synfigstudio.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
-
 noblacklist ${HOME}/.config/synfig
 noblacklist ${HOME}/.synfig
 
@@ -17,6 +15,7 @@ include /etc/firejail/disable-programs.inc
 
 caps.drop all
 net none
+nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/tar.profile b/etc/tar.profile
index bd7973abf..5f54bf02d 100644
--- a/etc/tar.profile
+++ b/etc/tar.profile
@@ -6,13 +6,13 @@ include /etc/firejail/tar.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
 blacklist /tmp/.X11-unix
 
 hostname tar
 ignore noroot
 net none
 no3d
+nodbus
 nodvd
 nosound
 notv
diff --git a/etc/terasology.profile b/etc/terasology.profile
index ea25938d3..e671c4dc3 100644
--- a/etc/terasology.profile
+++ b/etc/terasology.profile
@@ -5,8 +5,6 @@ include /etc/firejail/terasology.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
-
 noblacklist ${HOME}/.java
 noblacklist ${HOME}/.local/share/terasology
 
@@ -25,6 +23,7 @@ caps.drop all
 ipc-namespace
 net none
 netfilter
+nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/thunderbird-beta.profile b/etc/thunderbird-beta.profile
new file mode 100644
index 000000000..73d2419da
--- /dev/null
+++ b/etc/thunderbird-beta.profile
@@ -0,0 +1,8 @@
+# Firejail profile alias for thunderbird-beta
+# This file is overwritten after every install/update
+
+
+whitelist /opt/thunderbird-beta
+
+# Redirect
+include /etc/firejail/thunderbird.profile
diff --git a/etc/totem.profile b/etc/totem.profile
index 6dbc5f0c2..ad3845d90 100644
--- a/etc/totem.profile
+++ b/etc/totem.profile
@@ -15,9 +15,10 @@ include /etc/firejail/disable-programs.inc
 
 include /etc/firejail/whitelist-var-common.inc
 
-apparmor
+# apparmor - makes settings immutable
 caps.drop all
 netfilter
+# nodbus - makes settings immutable
 nogroups
 nonewprivs
 noroot
diff --git a/etc/transmission-gtk.profile b/etc/transmission-gtk.profile
index 3d249748d..ee044aa0d 100644
--- a/etc/transmission-gtk.profile
+++ b/etc/transmission-gtk.profile
@@ -25,6 +25,7 @@ apparmor
 caps.drop all
 machine-id
 netfilter
+nodbus
 nodvd
 nonewprivs
 noroot
diff --git a/etc/transmission-qt.profile b/etc/transmission-qt.profile
index 4f4d9bac1..a8fb80fd8 100644
--- a/etc/transmission-qt.profile
+++ b/etc/transmission-qt.profile
@@ -25,6 +25,7 @@ apparmor
 caps.drop all
 machine-id
 netfilter
+nodbus
 nodvd
 nonewprivs
 noroot
diff --git a/etc/transmission-show.profile b/etc/transmission-show.profile
index 135371747..575bf77dc 100644
--- a/etc/transmission-show.profile
+++ b/etc/transmission-show.profile
@@ -5,8 +5,6 @@ include /etc/firejail/transmission-show.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
-
 noblacklist ${HOME}/.cache/transmission
 noblacklist ${HOME}/.config/transmission
 
@@ -18,6 +16,7 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 machine-id
 net none
+nodbus
 nodvd
 nonewprivs
 noroot
diff --git a/etc/uefitool.profile b/etc/uefitool.profile
index 6cff5249c..a10b44fb1 100644
--- a/etc/uefitool.profile
+++ b/etc/uefitool.profile
@@ -5,8 +5,6 @@ include /etc/firejail/uefitool.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
-
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
@@ -16,6 +14,7 @@ caps.drop all
 ipc-namespace
 net none
 no3d
+nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/unrar.profile b/etc/unrar.profile
index f7e25d5d7..ba2a86f4c 100644
--- a/etc/unrar.profile
+++ b/etc/unrar.profile
@@ -6,13 +6,13 @@ include /etc/firejail/unrar.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
 blacklist /tmp/.X11-unix
 
 hostname unrar
 ignore noroot
 net none
 no3d
+nodbus
 nodvd
 nosound
 notv
diff --git a/etc/unzip.profile b/etc/unzip.profile
index fe16c670d..fddc79260 100644
--- a/etc/unzip.profile
+++ b/etc/unzip.profile
@@ -6,13 +6,13 @@ include /etc/firejail/unzip.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
 blacklist /tmp/.X11-unix
 
 hostname unzip
 ignore noroot
 net none
 no3d
+nodbus
 nodvd
 nosound
 notv
diff --git a/etc/uudeview.profile b/etc/uudeview.profile
index f7699552d..b64ecaa3e 100644
--- a/etc/uudeview.profile
+++ b/etc/uudeview.profile
@@ -6,11 +6,10 @@ include /etc/firejail/uudeview.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
-
 hostname uudeview
 ignore noroot
 net none
+nodbus
 nodvd
 nosound
 notv
diff --git a/etc/viewnior.profile b/etc/viewnior.profile
index 39bf3f7ce..135147266 100644
--- a/etc/viewnior.profile
+++ b/etc/viewnior.profile
@@ -5,7 +5,6 @@ include /etc/firejail/viewnior.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
 blacklist ${HOME}/.bashrc
 
 noblacklist ${HOME}/.Steam
@@ -20,6 +19,7 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 net none
 no3d
+nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/vlc.profile b/etc/vlc.profile
index dad9a9ae1..c8c84b992 100644
--- a/etc/vlc.profile
+++ b/etc/vlc.profile
@@ -5,6 +5,7 @@ include /etc/firejail/vlc.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
+noblacklist ${HOME}/.cache/vlc
 noblacklist ${HOME}/.config/vlc
 noblacklist ${HOME}/.local/share/vlc
 
@@ -18,6 +19,7 @@ include /etc/firejail/whitelist-var-common.inc
 apparmor
 caps.drop all
 netfilter
+# nodbus - problems with KDE
 # nogroups
 nonewprivs
 noroot
diff --git a/etc/x-terminal-emulator.profile b/etc/x-terminal-emulator.profile
index 67707ffb8..ac8f0fe2a 100644
--- a/etc/x-terminal-emulator.profile
+++ b/etc/x-terminal-emulator.profile
@@ -5,12 +5,11 @@ include /etc/firejail/x-terminal-emulator.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
-
 caps.drop all
 ipc-namespace
 net none
 netfilter
+nodbus
 nogroups
 noroot
 protocol unix
diff --git a/etc/xcalc.profile b/etc/xcalc.profile
index 467f96003..8493fe658 100644
--- a/etc/xcalc.profile
+++ b/etc/xcalc.profile
@@ -5,8 +5,6 @@ include /etc/firejail/xcalc.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
-
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
@@ -18,6 +16,7 @@ caps.drop all
 net none
 netfilter
 no3d
+nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/xed.profile b/etc/xed.profile
index e4ab673e8..5d46560b7 100644
--- a/etc/xed.profile
+++ b/etc/xed.profile
@@ -5,8 +5,6 @@ include /etc/firejail/xed.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-# blacklist /run/user/*/bus - makes settings immutable
-
 noblacklist ${HOME}/.config/xed
 
 include /etc/firejail/disable-common.inc
@@ -16,10 +14,12 @@ include /etc/firejail/disable-programs.inc
 
 include /etc/firejail/whitelist-var-common.inc
 
+# apparmor - makes settings immutable
 caps.drop all
-# net none - makes settings immutable
 machine-id
+# net none - makes settings immutable
 no3d
+# nodbus - makes settings immutable
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/xpdf.profile b/etc/xpdf.profile
index 7b8042e5c..9eeda4d29 100644
--- a/etc/xpdf.profile
+++ b/etc/xpdf.profile
@@ -5,8 +5,6 @@ include /etc/firejail/xpdf.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
-
 noblacklist ${HOME}/.xpdfrc
 
 include /etc/firejail/disable-common.inc
@@ -20,6 +18,7 @@ caps.drop all
 machine-id
 net none
 no3d
+nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/xplayer-audio-preview.profile b/etc/xplayer-audio-preview.profile
new file mode 100644
index 000000000..a422b9989
--- /dev/null
+++ b/etc/xplayer-audio-preview.profile
@@ -0,0 +1,10 @@
+# Firejail profile for xplayer-audio-preview
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/xplayer-audio-preview.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+# Redirect
+include /etc/firejail/xplayer.profile
diff --git a/etc/xplayer-video-thumbnailer b/etc/xplayer-video-thumbnailer
new file mode 100644
index 000000000..1ec5250bf
--- /dev/null
+++ b/etc/xplayer-video-thumbnailer
@@ -0,0 +1,10 @@
+# Firejail profile for xplayer-video-thumbnailer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/xplayer-video-thumbnailer.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+# Redirect
+include /etc/firejail/xplayer.profile
diff --git a/etc/xplayer.profile b/etc/xplayer.profile
index 8ea361d79..7e475bd58 100644
--- a/etc/xplayer.profile
+++ b/etc/xplayer.profile
@@ -15,8 +15,10 @@ include /etc/firejail/disable-programs.inc
 
 include /etc/firejail/whitelist-var-common.inc
 
+# apparmor - makes settings immutable
 caps.drop all
 netfilter
+# nodbus - makes settings immutable
 nogroups
 nonewprivs
 noroot
diff --git a/etc/xreader-previewer.profile b/etc/xreader-previewer.profile
new file mode 100644
index 000000000..4c42c147c
--- /dev/null
+++ b/etc/xreader-previewer.profile
@@ -0,0 +1,10 @@
+# Firejail profile for xreader-previewer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/xreader-previewer.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+# Redirect
+include /etc/firejail/xreader.profile
diff --git a/etc/xreader-thumbnailer.profile b/etc/xreader-thumbnailer.profile
new file mode 100644
index 000000000..bc0bcbb67
--- /dev/null
+++ b/etc/xreader-thumbnailer.profile
@@ -0,0 +1,10 @@
+# Firejail profile for xreader-thumbnailer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/xreader-thumbnailer.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+# Redirect
+include /etc/firejail/xreader.profile
diff --git a/etc/xreader.profile b/etc/xreader.profile
index 00bd1ee2f..1ddfad26f 100644
--- a/etc/xreader.profile
+++ b/etc/xreader.profile
@@ -16,6 +16,7 @@ include /etc/firejail/disable-programs.inc
 
 include /etc/firejail/whitelist-var-common.inc
 
+# apparmor
 caps.drop all
 no3d
 nodvd
diff --git a/etc/xviewer.profile b/etc/xviewer.profile
index 7c4ede111..26f9f0238 100644
--- a/etc/xviewer.profile
+++ b/etc/xviewer.profile
@@ -5,8 +5,6 @@ include /etc/firejail/xviewer.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-# blacklist /run/user/*/bus - makes settings immutable
-
 noblacklist ${HOME}/.Steam
 noblacklist ${HOME}/.config/xviewer
 noblacklist ${HOME}/.local/share/Trash
@@ -19,9 +17,11 @@ include /etc/firejail/disable-programs.inc
 
 include /etc/firejail/whitelist-var-common.inc
 
+# apparmor - makes settings immutable
 caps.drop all
 # net none - makes settings immutable
 no3d
+# nodbus - makes settings immutable
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/xzdec.profile b/etc/xzdec.profile
index 1136a6535..5913fd07a 100644
--- a/etc/xzdec.profile
+++ b/etc/xzdec.profile
@@ -6,12 +6,12 @@ include /etc/firejail/xzdec.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
 blacklist /tmp/.X11-unix
 
 ignore noroot
 net none
 no3d
+nodbus
 nodvd
 nosound
 notv
diff --git a/etc/zart.profile b/etc/zart.profile
index e9fd9b3bd..60eb09c71 100644
--- a/etc/zart.profile
+++ b/etc/zart.profile
@@ -5,8 +5,6 @@ include /etc/firejail/zart.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
-
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
@@ -15,6 +13,7 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 ipc-namespace
 net none
+nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/zathura.profile b/etc/zathura.profile
index 288abb8ec..3edece779 100644
--- a/etc/zathura.profile
+++ b/etc/zathura.profile
@@ -5,8 +5,6 @@ include /etc/firejail/zathura.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-# blacklist /run/user/*/bus
-
 noblacklist ${HOME}/.config/zathura
 noblacklist ${HOME}/.local/share/zathura
 
@@ -17,6 +15,7 @@ include /etc/firejail/disable-programs.inc
 
 caps.drop all
 # net none
+# nodbus
 nodvd
 nogroups
 nonewprivs
@@ -31,5 +30,6 @@ private-bin zathura
 private-dev
 private-etc fonts
 private-tmp
+
 read-only ${HOME}/
 read-write ${HOME}/.local/share/zathura/