69 files changed, 163 insertions, 35 deletions
diff --git a/etc/amarok.profile b/etc/amarok.profile
index e10cfbefe..478d5285c 100644
--- a/etc/amarok.profile
+++ b/etc/amarok.profile
@@ -17,6 +17,7 @@ nogroups
 nonewprivs
 noroot
 notv
+novideo
 protocol unix,inet,inet6
 # seccomp
 shell none
diff --git a/etc/audacious.profile b/etc/audacious.profile
index eddc100ca..bd2367fe0 100644
--- a/etc/audacious.profile
+++ b/etc/audacious.profile
@@ -24,8 +24,10 @@ seccomp
 shell none
 tracelog
-private-bin audacious
+# private-bin audacious
 private-dev
 private-tmp
 memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/caja.profile b/etc/caja.profile
index d234e6c9b..97663fddb 100644
--- a/etc/caja.profile
+++ b/etc/caja.profile
@@ -24,6 +24,7 @@ nogroups
 nonewprivs
 noroot
 notv
+novideo
 protocol unix
 seccomp
 shell none
diff --git a/etc/claws-mail.profile b/etc/claws-mail.profile
index bc045fb77..4ab49163b 100644
--- a/etc/claws-mail.profile
+++ b/etc/claws-mail.profile
@@ -22,6 +22,7 @@ nonewprivs
 noroot
 nosound
 notv
+novideo
 protocol unix,inet,inet6
 seccomp
 shell none
diff --git a/etc/cmus.profile b/etc/cmus.profile
index cf0830475..2d6f2454b 100644
--- a/etc/cmus.profile
+++ b/etc/cmus.profile
@@ -17,6 +17,7 @@ netfilter
 nonewprivs
 noroot
 notv
+novideo
 protocol unix,inet,inet6
 seccomp
 shell none
diff --git a/etc/cpio.profile b/etc/cpio.profile
index f082d2e40..7f4bc4a84 100644
--- a/etc/cpio.profile
+++ b/etc/cpio.profile
@@ -17,11 +17,12 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 net none
-net none
 no3d
 nodvd
+nonewprivs
 nosound
 notv
+novideo
 seccomp
 shell none
 tracelog
diff --git a/etc/curl.profile b/etc/curl.profile
index af7eabf59..972bbe9cc 100644
--- a/etc/curl.profile
+++ b/etc/curl.profile
@@ -23,6 +23,7 @@ nonewprivs
 noroot
 nosound
 notv
+novideo
 protocol unix,inet,inet6
 seccomp
 shell none
diff --git a/etc/cvlc.profile b/etc/cvlc.profile
index e0d32da0f..81ccbc530 100644
--- a/etc/cvlc.profile
+++ b/etc/cvlc.profile
@@ -5,29 +5,8 @@ include /etc/firejail/cvlc.local
 # Persistent global definitions
 include /etc/firejail/globals.local
-noblacklist ${HOME}/.config/vlc
+# cvlc doesn't like private-bin
+ignore private-bin
-include /etc/firejail/disable-common.inc
+# Redirect
-include /etc/firejail/disable-devel.inc
+include /etc/firejail/vlc.profile
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-caps.drop all
-netfilter
-# nogroups
-nonewprivs
-noroot
-protocol unix,inet,inet6,netlink
-seccomp
-shell none
-tracelog
-# clvc doesn't like private-bin
-# private-bin vlc,cvlc,nvlc,rvlc,qvlc,svlc
-private-dev
-private-tmp
-# mdwe is disabled due to breaking hardware accelerated decoding
-# memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index 7ec842728..13ed3f212 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -179,6 +179,8 @@ blacklist ${HOME}/.config/xmms2
 blacklist ${HOME}/.config/xplayer
 blacklist ${HOME}/.config/xreader
 blacklist ${HOME}/.config/xviewer
+blacklist ${HOME}/.config/yandex-browser
+blacklist ${HOME}/.config/yandex-browser-beta
 blacklist ${HOME}/.config/zathura
 blacklist ${HOME}/.config/zoomus.conf
 blacklist ${HOME}/.conkeror.mozdev.org
@@ -428,3 +430,5 @@ blacklist ${HOME}/.cache/vivaldi
 blacklist ${HOME}/.cache/wesnoth
 blacklist ${HOME}/.cache/xmms2
 blacklist ${HOME}/.cache/xreader
+blacklist ${HOME}/.cache/yandex-browser
+blacklist ${HOME}/.cache/yandex-browser-beta
diff --git a/etc/dnscrypt-proxy.profile b/etc/dnscrypt-proxy.profile
index d82efef04..a1ccfbe22 100644
--- a/etc/dnscrypt-proxy.profile
+++ b/etc/dnscrypt-proxy.profile
@@ -5,19 +5,30 @@ include /etc/firejail/dnscrypt-proxy.local
 # Persistent global definitions
 include /etc/firejail/globals.local
+blacklist /tmp/.X11-unix
 noblacklist /sbin
 noblacklist /usr/sbin
+noblacklist /var/log
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
+caps
+# caps.keep ipc_lock,net_bind_service,setgid,setuid,sys_chroot,sys_resource
 no3d
 nodvd
+nonewprivs
 nosound
 notv
+novideo
 seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,open_by_handle_at,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,perf_event_open
+disable-mnt
 private
 private-dev
+# mdwe can break modules/plugins
+# memory-deny-write-execute
diff --git a/etc/dnsmasq.profile b/etc/dnsmasq.profile
index bf52a5d8a..ce159c343 100644
--- a/etc/dnsmasq.profile
+++ b/etc/dnsmasq.profile
@@ -5,8 +5,11 @@ include /etc/firejail/dnsmasq.local
 # Persistent global definitions
 include /etc/firejail/globals.local
+blacklist /tmp/.X11-unix
 noblacklist /sbin
 noblacklist /usr/sbin
+noblacklist /var/log
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
@@ -14,12 +17,12 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 caps
-netfilter
 no3d
 nodvd
 nonewprivs
 nosound
 notv
+novideo
 protocol unix,inet,inet6,netlink
 seccomp
diff --git a/etc/dosbox.profile b/etc/dosbox.profile
index bec2960f1..fa9b26e82 100644
--- a/etc/dosbox.profile
+++ b/etc/dosbox.profile
@@ -19,6 +19,7 @@ nogroups
 nonewprivs
 noroot
 notv
+novideo
 protocol unix,inet,inet6
 seccomp
 shell none
diff --git a/etc/enchant.profile b/etc/enchant.profile
index a7b549a4c..b7034b937 100644
--- a/etc/enchant.profile
+++ b/etc/enchant.profile
@@ -20,6 +20,7 @@ nonewprivs
 noroot
 nosound
 notv
+novideo
 protocol unix
 seccomp
 shell none
diff --git a/etc/evolution.profile b/etc/evolution.profile
index 2f7f25ff8..9f29b229b 100644
--- a/etc/evolution.profile
+++ b/etc/evolution.profile
@@ -29,6 +29,7 @@ nonewprivs
 noroot
 nosound
 notv
+novideo
 protocol unix,inet,inet6
 seccomp
 shell none
diff --git a/etc/exiftool.profile b/etc/exiftool.profile
index 565212161..75e5be1b9 100644
--- a/etc/exiftool.profile
+++ b/etc/exiftool.profile
@@ -26,6 +26,7 @@ nonewprivs
 noroot
 nosound
 notv
+novideo
 protocol unix
 seccomp
 shell none
diff --git a/etc/fbreader.profile b/etc/fbreader.profile
index 19d45a1d8..01da2cafe 100644
--- a/etc/fbreader.profile
+++ b/etc/fbreader.profile
@@ -19,6 +19,7 @@ nonewprivs
 noroot
 nosound
 notv
+novideo
 protocol unix,inet,inet6
 seccomp
 shell none
diff --git a/etc/feh.profile b/etc/feh.profile
index 61b456e34..7935b1354 100644
--- a/etc/feh.profile
+++ b/etc/feh.profile
@@ -13,17 +13,19 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 net none
+no3d
 nodvd
 nogroups
 nonewprivs
 noroot
 nosound
 notv
+novideo
 protocol unix
 seccomp
 shell none
-private-bin feh
+private-bin feh,jpegexiforient,jpegtran
 private-dev
 private-etc feh
 private-tmp
diff --git a/etc/file.profile b/etc/file.profile
index 9a4dba7ef..a83b2cf7d 100644
--- a/etc/file.profile
+++ b/etc/file.profile
@@ -21,6 +21,7 @@ nogroups
 nonewprivs
 nosound
 notv
+novideo
 protocol unix
 seccomp
 shell none
@@ -30,3 +31,7 @@ x11 none
 private-bin file
 private-dev
 private-etc magic.mgc,magic,localtime
+memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/filezilla.profile b/etc/filezilla.profile
index 63bfd1e0d..866aaabca 100644
--- a/etc/filezilla.profile
+++ b/etc/filezilla.profile
@@ -19,6 +19,7 @@ nonewprivs
 noroot
 nosound
 notv
+novideo
 protocol unix,inet,inet6
 seccomp
 shell none
diff --git a/etc/firefox.profile b/etc/firefox.profile
index 619fa1562..1bd45ebd1 100644
--- a/etc/firefox.profile
+++ b/etc/firefox.profile
@@ -10,7 +10,11 @@ noblacklist ~/.config/okularpartrc
 noblacklist ~/.config/okularrc
 noblacklist ~/.config/qpdfview
 noblacklist ~/.kde/share/apps/okular
+noblacklist ~/.kde/share/config/okularpartrc
+noblacklist ~/.kde/share/config/okularrc
 noblacklist ~/.kde4/share/apps/okular
+noblacklist ~/.kde4/share/config/okularpartrc
+noblacklist ~/.kde4/share/config/okularrc
 noblacklist ~/.local/share/gnome-shell/extensions
 noblacklist ~/.local/share/okular
 noblacklist ~/.local/share/qpdfview
@@ -34,7 +38,11 @@ whitelist ~/.config/pipelight-silverlight5.1
 whitelist ~/.config/pipelight-widevine
 whitelist ~/.config/qpdfview
 whitelist ~/.kde/share/apps/okular
+whitelist ~/.kde/share/config/okularpartrc
+whitelist ~/.kde/share/config/okularrc
 whitelist ~/.kde4/share/apps/okular
+whitelist ~/.kde4/share/config/okularpartrc
+whitelist ~/.kde4/share/config/okularrc
 whitelist ~/.keysnail.js
 whitelist ~/.lastpass
 whitelist ~/.local/share/gnome-shell/extensions
@@ -66,7 +74,6 @@ tracelog
 # private-bin firefox,which,sh,dbus-launch,dbus-send,env
 private-dev
-# private-dev might prevent video calls going out
 # private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,firefox,mime.types,mailcap,asound.conf,pulse
 private-tmp
diff --git a/etc/galculator.profile b/etc/galculator.profile
index a2e855656..37f147f0f 100644
--- a/etc/galculator.profile
+++ b/etc/galculator.profile
@@ -24,6 +24,7 @@ nonewprivs
 noroot
 nosound
 notv
+novideo
 protocol unix
 seccomp
 shell none
diff --git a/etc/geeqie.profile b/etc/geeqie.profile
index c9f9d0074..a50fd4370 100644
--- a/etc/geeqie.profile
+++ b/etc/geeqie.profile
@@ -21,6 +21,7 @@ nonewprivs
 noroot
 nosound
 notv
+novideo
 protocol unix
 seccomp
 shell none
diff --git a/etc/git.profile b/etc/git.profile
index 92bf66b92..14fb55118 100644
--- a/etc/git.profile
+++ b/etc/git.profile
@@ -29,6 +29,7 @@ nonewprivs
 noroot
 nosound
 notv
+novideo
 protocol unix,inet,inet6
 seccomp
 shell none
diff --git a/etc/gnome-calculator.profile b/etc/gnome-calculator.profile
index 4921fb0c4..6547c73df 100644
--- a/etc/gnome-calculator.profile
+++ b/etc/gnome-calculator.profile
@@ -21,6 +21,7 @@ nonewprivs
 noroot
 nosound
 notv
+novideo
 protocol unix,inet,inet6
 seccomp
 shell none
diff --git a/etc/gpa.profile b/etc/gpa.profile
index 58dfcd3e1..8d721e2c0 100644
--- a/etc/gpa.profile
+++ b/etc/gpa.profile
@@ -20,6 +20,7 @@ nonewprivs
 noroot
 nosound
 notv
+novideo
 protocol unix,inet,inet6
 seccomp
 shell none
diff --git a/etc/gpg-agent.profile b/etc/gpg-agent.profile
index 13bceaa5a..8fd2ce232 100644
--- a/etc/gpg-agent.profile
+++ b/etc/gpg-agent.profile
@@ -23,6 +23,7 @@ nonewprivs
 noroot
 nosound
 notv
+novideo
 protocol unix,inet,inet6
 seccomp
 shell none
diff --git a/etc/gpg.profile b/etc/gpg.profile
index d99afdfe2..8c39f85e3 100644
--- a/etc/gpg.profile
+++ b/etc/gpg.profile
@@ -23,6 +23,7 @@ nonewprivs
 noroot
 nosound
 notv
+novideo
 protocol unix,inet,inet6
 seccomp
 shell none
diff --git a/etc/gpicview.profile b/etc/gpicview.profile
index ec9245e58..26bc589ee 100644
--- a/etc/gpicview.profile
+++ b/etc/gpicview.profile
@@ -20,6 +20,7 @@ nonewprivs
 noroot
 nosound
 notv
+novideo
 protocol unix
 seccomp
 shell none
diff --git a/etc/gthumb.profile b/etc/gthumb.profile
index 63ad07894..287e214e1 100644
--- a/etc/gthumb.profile
+++ b/etc/gthumb.profile
@@ -21,6 +21,7 @@ nonewprivs
 noroot
 nosound
 notv
+novideo
 protocol unix
 seccomp
 shell none
diff --git a/etc/guayadeque.profile b/etc/guayadeque.profile
index 7713f216f..14662443c 100644
--- a/etc/guayadeque.profile
+++ b/etc/guayadeque.profile
@@ -18,6 +18,7 @@ nogroups
 nonewprivs
 noroot
 notv
+novideo
 protocol unix,inet,inet6,netlink
 seccomp
 shell none
diff --git a/etc/gzip.profile b/etc/gzip.profile
index 3f6ecec2c..0f04953d8 100644
--- a/etc/gzip.profile
+++ b/etc/gzip.profile
@@ -14,6 +14,7 @@ no3d
 nodvd
 nosound
 notv
+novideo
 shell none
 tracelog
diff --git a/etc/highlight.profile b/etc/highlight.profile
index 83b023a90..d3cacc581 100644
--- a/etc/highlight.profile
+++ b/etc/highlight.profile
@@ -21,6 +21,7 @@ nonewprivs
 noroot
 nosound
 notv
+novideo
 protocol unix
 seccomp
 shell none
diff --git a/etc/img2txt.profile b/etc/img2txt.profile
index bd454a2c8..943350484 100644
--- a/etc/img2txt.profile
+++ b/etc/img2txt.profile
@@ -19,6 +19,7 @@ nonewprivs
 noroot
 nosound
 notv
+novideo
 protocol unix
 seccomp
 shell none
diff --git a/etc/lynx.profile b/etc/lynx.profile
index db01a5b8f..d54bed564 100644
--- a/etc/lynx.profile
+++ b/etc/lynx.profile
@@ -21,6 +21,7 @@ nonewprivs
 noroot
 nosound
 notv
+novideo
 protocol unix,inet,inet6
 seccomp
 shell none
diff --git a/etc/mcabber.profile b/etc/mcabber.profile
index bd1ada2b5..2e31e09ec 100644
--- a/etc/mcabber.profile
+++ b/etc/mcabber.profile
@@ -20,6 +20,7 @@ nonewprivs
 noroot
 nosound
 notv
+novideo
 protocol inet,inet6
 seccomp
 shell none
diff --git a/etc/mediainfo.profile b/etc/mediainfo.profile
index d6a55610f..e502269f7 100644
--- a/etc/mediainfo.profile
+++ b/etc/mediainfo.profile
@@ -21,6 +21,7 @@ nonewprivs
 noroot
 nosound
 notv
+novideo
 protocol unix
 seccomp
 shell none
diff --git a/etc/mupdf.profile b/etc/mupdf.profile
index c7bb458df..62527c17d 100644
--- a/etc/mupdf.profile
+++ b/etc/mupdf.profile
@@ -19,6 +19,7 @@ nonewprivs
 noroot
 nosound
 notv
+novideo
 protocol unix
 seccomp
 # seccomp.keep access,arch_prctl,brk,clone,close,connect,execve,exit_group,fchmod,fchown,fcntl,fstat,futex,getcwd,getpeername,getrlimit,getsockname,getsockopt,lseek,lstat,mlock,mmap,mprotect,mremap,munmap,nanosleep,open,poll,prctl,read,recvfrom,recvmsg,restart_syscall,rt_sigaction,rt_sigprocmask,select,sendmsg,set_robust_list,set_tid_address,setresgid,setresuid,shmat,shmctl,shmget,shutdown,socket,stat,sysinfo,uname,unshare,wait4,write,writev
diff --git a/etc/mupen64plus.profile b/etc/mupen64plus.profile
index 9f3be0d27..4937df51f 100644
--- a/etc/mupen64plus.profile
+++ b/etc/mupen64plus.profile
@@ -26,4 +26,5 @@ nodvd
 nonewprivs
 noroot
 notv
+novideo
 seccomp
diff --git a/etc/musescore.profile b/etc/musescore.profile
index bd00bea69..3b5a0b13c 100644
--- a/etc/musescore.profile
+++ b/etc/musescore.profile
@@ -10,6 +10,11 @@ noblacklist ~/.config/MuseScore
 noblacklist ~/.local/share/data/MusE
 noblacklist ~/.local/share/data/MuseScore
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
 caps.drop all
 netfilter
 no3d
diff --git a/etc/mutt.profile b/etc/mutt.profile
index 206edefae..aafa3d75d 100644
--- a/etc/mutt.profile
+++ b/etc/mutt.profile
@@ -44,6 +44,7 @@ nonewprivs
 noroot
 nosound
 notv
+novideo
 protocol unix,inet,inet6
 seccomp
 shell none
diff --git a/etc/nautilus.profile b/etc/nautilus.profile
index 57d6faa17..45d23cae6 100644
--- a/etc/nautilus.profile
+++ b/etc/nautilus.profile
@@ -25,6 +25,7 @@ nogroups
 nonewprivs
 noroot
 notv
+novideo
 protocol unix
 seccomp
 shell none
diff --git a/etc/nylas.profile b/etc/nylas.profile
index 5d84d1326..d96c6b0d4 100644
--- a/etc/nylas.profile
+++ b/etc/nylas.profile
@@ -26,6 +26,7 @@ nonewprivs
 noroot
 nosound
 notv
+novideo
 protocol unix,inet,inet6,netlink
 seccomp
 shell none
diff --git a/etc/odt2txt.profile b/etc/odt2txt.profile
index da2d03635..e8c2d54c7 100644
--- a/etc/odt2txt.profile
+++ b/etc/odt2txt.profile
@@ -21,6 +21,7 @@ nonewprivs
 noroot
 nosound
 notv
+novideo
 protocol unix
 seccomp
 shell none
diff --git a/etc/parole.profile b/etc/parole.profile
index 794d91481..a8ce63e73 100644
--- a/etc/parole.profile
+++ b/etc/parole.profile
@@ -13,7 +13,6 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 netfilter
-nodvd
 nonewprivs
 noroot
 notv
diff --git a/etc/pix.profile b/etc/pix.profile
index ed9298727..5440e4634 100644
--- a/etc/pix.profile
+++ b/etc/pix.profile
@@ -22,6 +22,7 @@ nonewprivs
 noroot
 nosound
 notv
+novideo
 protocol unix
 seccomp
 shell none
diff --git a/etc/qbittorrent.profile b/etc/qbittorrent.profile
index ea635ab6e..86db5c26c 100644
--- a/etc/qbittorrent.profile
+++ b/etc/qbittorrent.profile
@@ -35,6 +35,7 @@ nonewprivs
 noroot
 nosound
 notv
+novideo
 protocol unix,inet,inet6,netlink
 seccomp
 # shell none
diff --git a/etc/qpdfview.profile b/etc/qpdfview.profile
index 7d69f38f9..2d1df0f72 100644
--- a/etc/qpdfview.profile
+++ b/etc/qpdfview.profile
@@ -32,3 +32,5 @@ private-dev
 private-tmp
 memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/quiterss.profile b/etc/quiterss.profile
index 6f20f6d7f..96fe04e83 100644
--- a/etc/quiterss.profile
+++ b/etc/quiterss.profile
@@ -34,6 +34,7 @@ nonewprivs
 noroot
 nosound
 notv
+novideo
 protocol unix,inet,inet6
 seccomp
 shell none
diff --git a/etc/ranger.profile b/etc/ranger.profile
index 717eca099..9be19c4b1 100644
--- a/etc/ranger.profile
+++ b/etc/ranger.profile
@@ -24,6 +24,7 @@ nonewprivs
 noroot
 nosound
 notv
+novideo
 protocol unix
 seccomp
diff --git a/etc/rtorrent.profile b/etc/rtorrent.profile
index a44d99e5b..c18a1b06c 100644
--- a/etc/rtorrent.profile
+++ b/etc/rtorrent.profile
@@ -18,6 +18,7 @@ nonewprivs
 noroot
 nosound
 notv
+novideo
 protocol unix,inet,inet6
 seccomp
 shell none
diff --git a/etc/spotify.profile b/etc/spotify.profile
index 8eac3610b..a9f6cc461 100644
--- a/etc/spotify.profile
+++ b/etc/spotify.profile
@@ -6,10 +6,7 @@ include /etc/firejail/spotify.local
 include /etc/firejail/globals.local
 blacklist ${HOME}/.bashrc
-blacklist /boot
 blacklist /lost+found
-blacklist /opt
-blacklist /root
 blacklist /sbin
 blacklist /srv
 blacklist /sys
diff --git a/etc/tar.profile b/etc/tar.profile
index 34a4f34d6..f14894c25 100644
--- a/etc/tar.profile
+++ b/etc/tar.profile
@@ -15,6 +15,7 @@ no3d
 nodvd
 nosound
 notv
+novideo
 shell none
 tracelog
diff --git a/etc/transmission-cli.profile b/etc/transmission-cli.profile
index 5752c96f3..c7446ed68 100644
--- a/etc/transmission-cli.profile
+++ b/etc/transmission-cli.profile
@@ -20,6 +20,7 @@ nonewprivs
 noroot
 nosound
 notv
+novideo
 protocol unix,inet,inet6
 seccomp
 shell none
diff --git a/etc/transmission-gtk.profile b/etc/transmission-gtk.profile
index c4bf7a08d..0bb721c64 100644
--- a/etc/transmission-gtk.profile
+++ b/etc/transmission-gtk.profile
@@ -27,6 +27,7 @@ nonewprivs
 noroot
 nosound
 notv
+novideo
 protocol unix,inet,inet6
 seccomp
 shell none
diff --git a/etc/transmission-qt.profile b/etc/transmission-qt.profile
index 5351a1efa..08964bbab 100644
--- a/etc/transmission-qt.profile
+++ b/etc/transmission-qt.profile
@@ -27,6 +27,7 @@ nonewprivs
 noroot
 nosound
 notv
+novideo
 protocol unix,inet,inet6
 seccomp
 shell none
diff --git a/etc/transmission-show.profile b/etc/transmission-show.profile
index 130defc8e..0b09bffcb 100644
--- a/etc/transmission-show.profile
+++ b/etc/transmission-show.profile
@@ -20,6 +20,7 @@ nonewprivs
 noroot
 nosound
 notv
+novideo
 protocol unix
 seccomp
 shell none
diff --git a/etc/uget-gtk.profile b/etc/uget-gtk.profile
index 877ad635b..56ff4f886 100644
--- a/etc/uget-gtk.profile
+++ b/etc/uget-gtk.profile
@@ -23,6 +23,7 @@ nonewprivs
 noroot
 nosound
 notv
+novideo
 protocol unix,inet,inet6
 seccomp
 shell none
diff --git a/etc/unbound.profile b/etc/unbound.profile
index c1cb86893..afc903e88 100644
--- a/etc/unbound.profile
+++ b/etc/unbound.profile
@@ -5,19 +5,30 @@ include /etc/firejail/unbound.local
 # Persistent global definitions
 include /etc/firejail/globals.local
+blacklist /tmp/.X11-unix
 noblacklist /sbin
 noblacklist /usr/sbin
+noblacklist /var/log
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
+caps
+# caps.keep ipc_lock,net_bind_service,setgid,setuid,sys_chroot,sys_resource
 no3d
 nodvd
+nonewprivs
 nosound
 notv
+novideo
 seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,open_by_handle_at,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,perf_event_open
+disable-mnt
 private
 private-dev
+# mdwe can break modules/plugins
+# memory-deny-write-execute
diff --git a/etc/unrar.profile b/etc/unrar.profile
index 6a3ac5527..12559a721 100644
--- a/etc/unrar.profile
+++ b/etc/unrar.profile
@@ -15,6 +15,7 @@ no3d
 nodvd
 nosound
 notv
+novideo
 shell none
 tracelog
diff --git a/etc/unzip.profile b/etc/unzip.profile
index bb30d74cd..9828fa9b4 100644
--- a/etc/unzip.profile
+++ b/etc/unzip.profile
@@ -15,6 +15,7 @@ no3d
 nodvd
 nosound
 notv
+novideo
 shell none
 tracelog
diff --git a/etc/uudeview.profile b/etc/uudeview.profile
index 192d13f80..b30cbaa2a 100644
--- a/etc/uudeview.profile
+++ b/etc/uudeview.profile
@@ -13,6 +13,7 @@ net none
 nodvd
 nosound
 notv
+novideo
 shell none
 tracelog
diff --git a/etc/viewnior.profile b/etc/viewnior.profile
index a02845885..af4a2d655 100644
--- a/etc/viewnior.profile
+++ b/etc/viewnior.profile
@@ -19,12 +19,14 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 net none
+no3d
 nodvd
 nogroups
 nonewprivs
 noroot
 nosound
 notv
+novideo
 protocol unix
 seccomp
 shell none
@@ -34,3 +36,7 @@ private-bin viewnior
 private-dev
 private-etc fonts
 private-tmp
+memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/vim.profile b/etc/vim.profile
index 7b5566f5b..97ed06d96 100644
--- a/etc/vim.profile
+++ b/etc/vim.profile
@@ -20,5 +20,6 @@ nogroups
 nonewprivs
 noroot
 notv
+novideo
 protocol unix,inet,inet6
 seccomp
diff --git a/etc/w3m.profile b/etc/w3m.profile
index b25e19135..0d3037b26 100644
--- a/etc/w3m.profile
+++ b/etc/w3m.profile
@@ -23,6 +23,7 @@ nonewprivs
 noroot
 nosound
 notv
+novideo
 protocol unix,inet,inet6
 seccomp
 shell none
diff --git a/etc/xiphos.profile b/etc/xiphos.profile
index 38e568860..5a07d4b74 100644
--- a/etc/xiphos.profile
+++ b/etc/xiphos.profile
@@ -28,6 +28,7 @@ nonewprivs
 noroot
 nosound
 notv
+novideo
 protocol unix,inet,inet6
 seccomp
 shell none
diff --git a/etc/xmms.profile b/etc/xmms.profile
index d2e6eddac..717c81fd0 100644
--- a/etc/xmms.profile
+++ b/etc/xmms.profile
@@ -18,6 +18,7 @@ no3d
 nonewprivs
 noroot
 notv
+novideo
 protocol unix,inet,inet6
 seccomp
 shell none
diff --git a/etc/xreader.profile b/etc/xreader.profile
index dd09c8a92..c02b9a014 100644
--- a/etc/xreader.profile
+++ b/etc/xreader.profile
@@ -30,7 +30,7 @@ tracelog
 private-bin xreader,xreader-previewer,xreader-thumbnailer
 private-dev
-# private-etc fonts
+# private-etc fonts,ld.so.cache
 # xreader needs access to /tmp/mozilla* to work in firefox
 # private-tmp
diff --git a/etc/xzdec.profile b/etc/xzdec.profile
index 7f21f5d2f..d5c4ac6f0 100644
--- a/etc/xzdec.profile
+++ b/etc/xzdec.profile
@@ -14,6 +14,7 @@ no3d
 nodvd
 nosound
 notv
+novideo
 shell none
 tracelog
diff --git a/etc/yandex-browser.profile b/etc/yandex-browser.profile
new file mode 100644
index 000000000..bfb7b9d87
--- /dev/null
+++ b/etc/yandex-browser.profile
@@ -0,0 +1,42 @@
+# Firejail profile for yandex-browser
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/yandex-browser.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+noblacklist ~/.cache/yandex-browser
+noblacklist ~/.cache/yandex-browser-beta
+noblacklist ~/.config/yandex-browser
+noblacklist ~/.config/yandex-browser-beta
+noblacklist ~/.pki
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-programs.inc
+mkdir ~/.cache/yandex-browser
+mkdir ~/.cache/yandex-browser-beta
+mkdir ~/.config/yandex-browser
+mkdir ~/.config/yandex-browser-beta
+mkdir ~/.pki
+whitelist ${DOWNLOADS}
+whitelist ~/.cache/yandex-browser
+whitelist ~/.cache/yandex-browser-beta
+whitelist ~/.config/yandex-browser
+whitelist ~/.config/yandex-browser-beta
+whitelist ~/.pki
+include /etc/firejail/whitelist-common.inc
+caps.keep sys_chroot,sys_admin
+netfilter
+nodvd
+nogroups
+notv
+shell none
+private-dev
+# private-tmp - problems with multiple browser sessions
+noexec ${HOME}
+noexec /tmp