39 files changed, 369 insertions, 19 deletions

diff --git a/etc/audacity.profile b/etc/audacity.profile
index 4394416ff..779cd8cdb 100644
--- a/etc/audacity.profile
+++ b/etc/audacity.profile
@@ -11,7 +11,9 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
 caps.drop all
+net none
 netfilter
+no3d
 nogroups
 nonewprivs
 noroot
@@ -23,3 +25,6 @@ tracelog
 private-bin audacity
 private-dev
 private-tmp
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/bleachbit.profile b/etc/bleachbit.profile
index b406b9985..7ea55f505 100644
--- a/etc/bleachbit.profile
+++ b/etc/bleachbit.profile
@@ -9,17 +9,21 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
+net none
 netfilter
+no3d
 nogroups
 nonewprivs
 noroot
 nosound
-shell none
-seccomp
 protocol unix
+seccomp
+shell none
 
 # private-bin
 # private-dev
 # private-tmp
 # private-etc
 
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/bless.profile b/etc/bless.profile
index b8325de39..869f13cc0 100644
--- a/etc/bless.profile
+++ b/etc/bless.profile
@@ -17,8 +17,20 @@ include /etc/firejail/disable-devel.inc
 
 #Options
 caps.drop all
+net none
 netfilter
+no3d
+nogroups
 nonewprivs
 noroot
-protocol unix,inet,inet6
+nosound
+protocol unix           
 seccomp
+shell none
+
+private-dev
+private-etc fonts,mono
+private-tmp
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/deadbeef.profile b/etc/deadbeef.profile
index 603d6345c..efd8b463b 100644
--- a/etc/deadbeef.profile
+++ b/etc/deadbeef.profile
@@ -11,7 +11,17 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
+netfilter
+no3d
+nogroups
 nonewprivs
 noroot
 protocol unix,inet,inet6
 seccomp
+shell none
+
+private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/dino.profile b/etc/dino.profile
index a71ab27d7..3de858618 100644
--- a/etc/dino.profile
+++ b/etc/dino.profile
@@ -13,9 +13,9 @@ include /etc/firejail/disable-programs.inc
 whitelist ${HOME}/Downloads
 mkdir ${HOME}/.local/share/dino
 whitelist ${HOME}/.local/share/dino
+include /etc/firejail/whitelist-common.inc
 
 caps.drop all
-machine-id
 netfilter
 no3d
 nogroups
@@ -30,3 +30,6 @@ private-bin dino
 #private-etc fonts #breaks server connection
 private-dev
 private-tmp
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index bad1f0263..32adac298 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -124,6 +124,7 @@ blacklist ${HOME}/.config/totem
 blacklist ${HOME}/.config/tox
 blacklist ${HOME}/.config/transmission
 blacklist ${HOME}/.config/uGet
+blacklist ${HOME}/.config/viewnior
 blacklist ${HOME}/.config/vivaldi
 blacklist ${HOME}/.config/vlc
 blacklist ${HOME}/.config/wesnoth
@@ -198,6 +199,7 @@ blacklist ${HOME}/.kde/share/config/okularrc
 blacklist ${HOME}/.killingfloor
 blacklist ${HOME}/.kino-history
 blacklist ${HOME}/.kinorc
+blacklist ${HOME}/.kodi
 blacklist ${HOME}/.linphone-history.db
 blacklist ${HOME}/.linphonerc
 blacklist ${HOME}/.lmmsrc.xml
@@ -230,6 +232,7 @@ blacklist ${HOME}/.local/share/gnome-music
 blacklist ${HOME}/.local/share/gnome-photos
 blacklist ${HOME}/.local/share/kate
 blacklist ${HOME}/.local/share/lollypop
+blacklist ${HOME}/.local/share/meld
 blacklist ${HOME}/.local/share/multimc5
 blacklist ${HOME}/.local/share/mupen64plus
 blacklist ${HOME}/.local/share/nautilus
@@ -286,6 +289,8 @@ blacklist ${HOME}/.synfig
 blacklist ${HOME}/.tconn
 blacklist ${HOME}/.thunderbird
 blacklist ${HOME}/.ts3client
+blacklist ${HOME}/.viking
+blacklist ${HOME}/.viking-maps
 blacklist ${HOME}/.vst
 blacklist ${HOME}/.w3m
 blacklist ${HOME}/.warzone2100-3.*
diff --git a/etc/eog.profile b/etc/eog.profile
index c5afec7fa..7c2cd557c 100644
--- a/etc/eog.profile
+++ b/etc/eog.profile
@@ -11,7 +11,9 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
+net none
 netfilter
+no3d
 nogroups
 nonewprivs
 noroot
@@ -24,3 +26,6 @@ private-bin eog
 private-dev
 private-etc fonts
 private-tmp
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/evince.profile b/etc/evince.profile
index 94cefdd8b..ae50425b9 100644
--- a/etc/evince.profile
+++ b/etc/evince.profile
@@ -13,6 +13,7 @@ include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
 netfilter
 #net none - creates some problems on some distributions
+no3d
 nogroups
 nonewprivs
 noroot
@@ -27,3 +28,6 @@ private-dev
 private-etc fonts
 # evince needs access to /tmp/mozilla* to work in firefox
 # private-tmp
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/evolution.profile b/etc/evolution.profile
index cb6615716..04bf480ff 100644
--- a/etc/evolution.profile
+++ b/etc/evolution.profile
@@ -9,6 +9,7 @@ noblacklist ~/.cache/evolution
 noblacklist ~/.pki
 noblacklist ~/.pki/nssdb
 noblacklist ~/.gnupg
+noblacklist ~/.bogofilter
 
 noblacklist /var/spool/mail
 noblacklist /var/mail
@@ -20,6 +21,7 @@ include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
 netfilter
+no3d
 nogroups
 nonewprivs
 noroot
@@ -30,3 +32,6 @@ shell none
 
 private-dev
 private-tmp
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/file-roller.profile b/etc/file-roller.profile
index 804d20ce1..a3f687651 100644
--- a/etc/file-roller.profile
+++ b/etc/file-roller.profile
@@ -9,13 +9,15 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
+net none
+netfilter
+no3d
 nogroups
 nonewprivs
 noroot
 nosound
 protocol unix
 seccomp
-netfilter
 shell none
 tracelog
 
@@ -23,3 +25,6 @@ tracelog
 # private-tmp
 private-dev
 # private-etc fonts
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/firefox.profile b/etc/firefox.profile
index 1bc3eb769..4d96c05c8 100644
--- a/etc/firefox.profile
+++ b/etc/firefox.profile
@@ -21,6 +21,7 @@ nonewprivs
 noroot
 protocol unix,inet,inet6,netlink
 seccomp
+shell none
 tracelog
 
 whitelist ${DOWNLOADS}
@@ -59,3 +60,6 @@ include /etc/firejail/whitelist-common.inc
 #private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,firefox,mime.types,mailcap,asound.conf,pulse
 private-dev 
 private-tmp
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/gedit.profile b/etc/gedit.profile
index 9f4eee9b3..07bdb1bbe 100644
--- a/etc/gedit.profile
+++ b/etc/gedit.profile
@@ -14,17 +14,22 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
+netfilter
+net none
+no3d
 nogroups
 nonewprivs
 noroot
 nosound
 protocol unix
 seccomp
-netfilter
 shell none
 tracelog
 
 # private-bin gedit
-private-tmp
 private-dev
 # private-etc fonts
+private-tmp
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/gimp.profile b/etc/gimp.profile
index 4088bd680..5f8ccb4fb 100644
--- a/etc/gimp.profile
+++ b/etc/gimp.profile
@@ -10,16 +10,18 @@ include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
 netfilter
+net none
 nogroups
 nonewprivs
 noroot
 nosound
 protocol unix
 seccomp
+shell none
 
 # gimp plugins are installed by the user in ~/.gimp-2.8/plug-ins/ directory
 # if you are not using external plugins, you can enable noexec statement below
-# noexec ${HOME} 
+# noexec ${HOME}
 
 noexec /tmp
 
diff --git a/etc/gnome-calculator.profile b/etc/gnome-calculator.profile
index 714a97650..e9366f07d 100644
--- a/etc/gnome-calculator.profile
+++ b/etc/gnome-calculator.profile
@@ -17,7 +17,20 @@ include /etc/firejail/whitelist-common.inc
 #Options
 caps.drop all
 netfilter
+#net none                                     
+no3d
+nogroups
 nonewprivs
 noroot
+nosound
 protocol unix,inet,inet6
 seccomp
+shell none
+
+private-bin gnome-calculator
+private-dev
+private-etc fonts
+private-tmp
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/hexchat.profile b/etc/hexchat.profile
index 53f447f7e..d24f492d8 100644
--- a/etc/hexchat.profile
+++ b/etc/hexchat.profile
@@ -13,6 +13,7 @@ include /etc/firejail/disable-devel.inc
 
 caps.drop all
 netfilter
+no3d
 nogroups
 nonewprivs
 noroot
@@ -30,3 +31,6 @@ private-bin hexchat
 #debug note: private-bin requires perl, python, etc on some systems
 private-dev
 private-tmp
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/jd-gui.profile b/etc/jd-gui.profile
index 2ba1a4380..6ff618187 100644
--- a/etc/jd-gui.profile
+++ b/etc/jd-gui.profile
@@ -16,8 +16,19 @@ include /etc/firejail/disable-devel.inc
 
 #Options
 caps.drop all
+net none
 netfilter
+no3d
+nogroups
 nonewprivs
 noroot
-protocol unix,inet,inet6
+nosound
+protocol unix
 seccomp
+shell none
+
+private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/keepass.profile b/etc/keepass.profile
index d269c3e8a..abe52eca3 100644
--- a/etc/keepass.profile
+++ b/etc/keepass.profile
@@ -15,14 +15,18 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
+netfilter
+no3d
 nogroups
 nonewprivs
 noroot
 nosound
 protocol unix,inet,inet6
 seccomp
-netfilter
 shell none
 
-private-tmp
 private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/keepassx.profile b/etc/keepassx.profile
index 379b8a668..845a1bcc9 100644
--- a/etc/keepassx.profile
+++ b/etc/keepassx.profile
@@ -15,6 +15,7 @@ include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
 net none
+no3d
 nogroups
 nonewprivs
 noroot
@@ -28,3 +29,6 @@ private-bin keepassx
 private-etc fonts
 private-dev
 private-tmp
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/keepassx2.profile b/etc/keepassx2.profile
index a21caf3f1..32dddc2fe 100644
--- a/etc/keepassx2.profile
+++ b/etc/keepassx2.profile
@@ -15,6 +15,7 @@ include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
 net none
+no3d
 nogroups
 nonewprivs
 noroot
@@ -24,6 +25,9 @@ seccomp
 shell none
 
 private-bin keepassx2
-private-etc fonts
 private-dev
+private-etc fonts
 private-tmp
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/keepassxc.profile b/etc/keepassxc.profile
index 654a30682..369d4a5ae 100644
--- a/etc/keepassxc.profile
+++ b/etc/keepassxc.profile
@@ -16,6 +16,7 @@ include /etc/firejail/disable-passwdmgr.inc
 # To use KeePassHTTP, comment out `net none`
 caps.drop all
 net none
+no3d
 nogroups
 nonewprivs
 noroot
@@ -25,6 +26,9 @@ seccomp
 shell none
 
 private-bin keepassxc
-private-etc fonts
 private-dev
+private-etc fonts
 private-tmp
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/kodi.profile b/etc/kodi.profile
new file mode 100644
index 000000000..b81b010bf
--- /dev/null
+++ b/etc/kodi.profile
@@ -0,0 +1,27 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/kodi.local
+
+# Firejail profile for kodi
+noblacklist ${HOME}/.kodi
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/libreoffice.profile b/etc/libreoffice.profile
index 685073e7c..fb82195b3 100644
--- a/etc/libreoffice.profile
+++ b/etc/libreoffice.profile
@@ -17,7 +17,11 @@ nonewprivs
 noroot
 protocol unix,inet,inet6
 seccomp
+shell none
 tracelog
 
 private-dev
 # whitelist /tmp/.X11-unix/
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/lollypop.profile b/etc/lollypop.profile
index 06ed415d6..e84118b9e 100644
--- a/etc/lollypop.profile
+++ b/etc/lollypop.profile
@@ -18,7 +18,17 @@ include /etc/firejail/disable-devel.inc
 #Options
 caps.drop all
 netfilter
+no3d
+nogroups
 nonewprivs
 noroot
 protocol unix,inet,inet6
 seccomp
+shell none
+
+private-dev
+private-etc fonts
+private-tmp
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/meld.profile b/etc/meld.profile
new file mode 100644
index 000000000..4b95b866d
--- /dev/null
+++ b/etc/meld.profile
@@ -0,0 +1,29 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/meld.local
+
+# Firejail profile for meld
+noblacklist ${HOME}/.local/share/meld
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+net none
+netfilter
+no3d
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+shell none
+
+private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/multimc5.profile b/etc/multimc5.profile
index 6b8946be3..12a7646ae 100644
--- a/etc/multimc5.profile
+++ b/etc/multimc5.profile
@@ -26,6 +26,15 @@ include /etc/firejail/whitelist-common.inc
 #Options
 caps.drop all
 netfilter
+nogroups
 nonewprivs
 noroot
 protocol unix,inet,inet6
+#seccomp
+shell none
+
+private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/mumble.profile b/etc/mumble.profile
index d5405a6ae..c5c6a4d1a 100644
--- a/etc/mumble.profile
+++ b/etc/mumble.profile
@@ -18,6 +18,7 @@ include /etc/firejail/whitelist-common.inc
 
 caps.drop all
 netfilter
+no3d
 nonewprivs
 nogroups
 noroot
@@ -28,3 +29,6 @@ tracelog
 
 private-bin mumble
 private-tmp
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/pdfsam.profile b/etc/pdfsam.profile
index 37adabb39..dfe463c98 100644
--- a/etc/pdfsam.profile
+++ b/etc/pdfsam.profile
@@ -14,8 +14,19 @@ include /etc/firejail/disable-devel.inc
 
 #Options
 caps.drop all
+net none
 netfilter
+no3d
+nogroups
 nonewprivs
 noroot
-protocol unix,inet,inet6
+nosound
+protocol unix
 seccomp
+shell none
+
+private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/pithos.profile b/etc/pithos.profile
index 500e35989..c25b5772b 100644
--- a/etc/pithos.profile
+++ b/etc/pithos.profile
@@ -17,7 +17,16 @@ include /etc/firejail/whitelist-common.inc
 #Options
 caps.drop all
 netfilter
+no3d
+nogroups
 nonewprivs
 noroot
 protocol unix,inet,inet6
 seccomp
+shell none
+
+private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/qtox.profile b/etc/qtox.profile
index 40a959d05..f3158b206 100644
--- a/etc/qtox.profile
+++ b/etc/qtox.profile
@@ -3,7 +3,8 @@
 include /etc/firejail/qtox.local
 
 # qTox instant messaging profile
-noblacklist ${HOME}/.config/tox
+noblacklist ~/.config/tox
+noblacklist ~/.config/qt5ct
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
@@ -11,6 +12,8 @@ include /etc/firejail/disable-passwdmgr.inc
 
 mkdir ${HOME}/.config/tox
 whitelist ${HOME}/.config/tox
+mkdir ${HOME}/.config/qt5ct
+whitelist ${HOME}/.config/qt5ct
 whitelist ${DOWNLOADS}
 
 caps.drop all
diff --git a/etc/ssh.profile b/etc/ssh.profile
index b1ef6b27e..425841399 100644
--- a/etc/ssh.profile
+++ b/etc/ssh.profile
@@ -14,7 +14,18 @@ include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
 netfilter
+no3d
+nogroups
 nonewprivs
 noroot
+nosound
 protocol unix,inet,inet6
 seccomp
+shell none
+tracelog
+
+private-dev
+#private-tmp #Breaks when exiting
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/steam.profile b/etc/steam.profile
index b527589de..536588e4b 100644
--- a/etc/steam.profile
+++ b/etc/steam.profile
@@ -12,7 +12,13 @@ include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
 netfilter
+nogroups
 nonewprivs
 noroot
 protocol unix,inet,inet6,netlink
 seccomp
+shell none
+tracelog
+
+private-dev
+private-tmp
diff --git a/etc/totem.profile b/etc/totem.profile
index 0b3942cf0..fadfbb00b 100644
--- a/etc/totem.profile
+++ b/etc/totem.profile
@@ -12,8 +12,18 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
+netfilter
+nogroups
 nonewprivs
 noroot
-netfilter
 protocol unix,inet,inet6
 seccomp
+shell none
+
+private-bin totem
+private-dev
+private-etc fonts
+private-tmp
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/viewnior.profile b/etc/viewnior.profile
new file mode 100644
index 000000000..190c04e39
--- /dev/null
+++ b/etc/viewnior.profile
@@ -0,0 +1,30 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/viewnior.local
+
+# Firejail profile for viewnior
+noblacklist ~/.config/viewnior
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+blacklist ~/.bashrc
+blacklist ~/.Xauthority
+
+caps.drop all
+net none
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-bin viewnior
+private-dev
+private-etc fonts
+private-tmp
diff --git a/etc/viking.profile b/etc/viking.profile
new file mode 100644
index 000000000..2b68d731c
--- /dev/null
+++ b/etc/viking.profile
@@ -0,0 +1,30 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/viking.local
+
+# Firejail profile for viking
+
+noblacklist ${HOME}/.viking
+noblacklist ${HOME}/.viking-maps
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-devel.inc
+
+caps.drop all
+netfilter
+no3d
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix,inet,inet6
+seccomp
+shell none
+
+private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/vlc.profile b/etc/vlc.profile
index 0c96f0108..21282dfbd 100644
--- a/etc/vlc.profile
+++ b/etc/vlc.profile
@@ -22,3 +22,6 @@ shell none
 private-bin vlc,cvlc,nvlc,rvlc,qvlc,svlc
 # private-dev
 private-tmp
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/wget.profile b/etc/wget.profile
index cd156a376..3ba97d95d 100644
--- a/etc/wget.profile
+++ b/etc/wget.profile
@@ -10,11 +10,11 @@ include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
 netfilter
+no3d
+nogroups
 nonewprivs
 noroot
-nogroups
 nosound
-no3d
 protocol unix,inet,inet6
 seccomp
 shell none
@@ -22,7 +22,9 @@ shell none
 blacklist /tmp/.X11-unix
 
 # private-bin wget
-# private-etc resolv.conf
 private-dev
+# private-etc resolv.conf
 private-tmp
 
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/wireshark.profile b/etc/wireshark.profile
index 90909edf1..dc224b31c 100644
--- a/etc/wireshark.profile
+++ b/etc/wireshark.profile
@@ -18,6 +18,7 @@ include /etc/firejail/disable-passwdmgr.inc
 #protocol unix,inet,inet6,netlink
 
 netfilter
+no3d
 nogroups
 nonewprivs
 nosound
@@ -28,3 +29,6 @@ tracelog
 #private-bin wireshark
 private-dev
 private-tmp
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/xonotic.profile b/etc/xonotic.profile
index f2690c6c3..6bfb26484 100644
--- a/etc/xonotic.profile
+++ b/etc/xonotic.profile
@@ -23,7 +23,16 @@ include /etc/firejail/whitelist-common.inc
 #Options
 caps.drop all
 netfilter
+nogroups
 nonewprivs
 noroot
 protocol unix,inet,inet6
 seccomp
+shell none
+
+private-bin xonotic-sdl,xonotic-glx,blind-id
+private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/youtube-dl.profile b/etc/youtube-dl.profile
new file mode 100644
index 000000000..720a27af2
--- /dev/null
+++ b/etc/youtube-dl.profile
@@ -0,0 +1,26 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/youtube-dl.local
+
+# Firejail profile for youtube-dl
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-devel.inc
+
+caps.drop all
+netfilter
+no3d
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix,inet,inet6
+seccomp
+shell none
+
+private-dev
+
+noexec ${HOME}
+noexec /tmp