From ac5a936b331ab738ff5dadfb5153b6480f9b0bce Mon Sep 17 00:00:00 2001
From: netblue30
Date: Thu, 2 Nov 2017 13:03:34 -0400
Subject: matching noblacklist in profile files with blacklist in disable-programs.inc
---
 etc/atril.profile | 4 +++-
 etc/bitlbee.profile | 2 +-
 etc/brackets.profile | 4 ++--
 etc/caja.profile | 6 +++---
 etc/cherrytree.profile | 4 ++--
 etc/cliqz.profile | 2 +-
 etc/digikam.profile | 1 +
 etc/disable-common.inc | 12 ++++++++++++
 etc/disable-programs.inc | 46 +++++++++++++++++++++++++++++++++++++++++++---
 etc/dolphin.profile | 4 ++--
 etc/evolution.profile | 3 +--
 etc/firefox.profile | 2 +-
 etc/gnome-mplayer.profile | 1 +
 etc/inkscape.profile | 2 ++
 etc/krita.profile | 1 +
 etc/kwrite.profile | 1 +
 etc/lximage-qt.profile | 2 +-
 etc/midori.profile | 4 ++--
 etc/openbox.profile | 2 +-
 etc/pcmanfm.profile | 4 ++--
 etc/vlc.profile | 1 +
 etc/vym.profile | 2 +-
 etc/waterfox.profile | 2 +-
 etc/wireshark.profile | 2 ++
 etc/xreader.profile | 2 +-
 src/firejail/fs.c | 33 +++++++++++++++++++++++++++++++--
 26 files changed, 120 insertions(+), 29 deletions(-)
diff --git a/etc/atril.profile b/etc/atril.profile
index 98142012c..50592ec3a 100644
--- a/etc/atril.profile
+++ b/etc/atril.profile
@@ -6,7 +6,9 @@ include /etc/firejail/atril.local
 include /etc/firejail/globals.local
 noblacklist ~/.config/atril
-noblacklist ~/.local/share
+
+#noblacklist ~/.local/share
+# it seems to use only ~/.local/share/webkitgtk
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
diff --git a/etc/bitlbee.profile b/etc/bitlbee.profile
index 1b7b2c258..0f57c9e69 100644
--- a/etc/bitlbee.profile
+++ b/etc/bitlbee.profile
@@ -7,7 +7,7 @@ include /etc/firejail/globals.local
 noblacklist /sbin
 noblacklist /usr/sbin
-noblacklist /var/log
+# noblacklist /var/log
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
diff --git a/etc/brackets.profile b/etc/brackets.profile
index 0a8c592a7..a5a06f9f3 100644
--- a/etc/brackets.profile
+++ b/etc/brackets.profile
@@ -6,8 +6,8 @@ include /etc/firejail/brackets.local
 include /etc/firejail/globals.local
 noblacklist ${HOME}/.config/Brackets
-noblacklist /opt/brackets/
-noblacklist /opt/google/
+#noblacklist /opt/brackets/
+#noblacklist /opt/google/
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-passwdmgr.inc
diff --git a/etc/caja.profile b/etc/caja.profile
index 97663fddb..83b6befa3 100644
--- a/etc/caja.profile
+++ b/etc/caja.profile
@@ -8,9 +8,9 @@ include /etc/firejail/globals.local
 # Caja is started by systemd on most systems. Therefore it is not firejailed by default. Since there
 # is already a caja process running on MATE desktops firejail will have no effect.
-noblacklist ~/.config/caja
-noblacklist ~/.local/share/Trash
-noblacklist ~/.local/share/caja-python
+# noblacklist ~/.config/caja - disable-programs.inc is disabled, see below
+# noblacklist ~/.local/share/Trash
+# noblacklist ~/.local/share/caja-python
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
diff --git a/etc/cherrytree.profile b/etc/cherrytree.profile
index 88be562c8..3db2aeb09 100644
--- a/etc/cherrytree.profile
+++ b/etc/cherrytree.profile
@@ -6,8 +6,8 @@ include /etc/firejail/cherrytree.local
 include /etc/firejail/globals.local
 noblacklist ${HOME}/.config/cherrytree
-noblacklist /usr/bin/python2*
-noblacklist /usr/lib/python3*
+#noblacklist /usr/bin/python2*
+#noblacklist /usr/lib/python3*
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
diff --git a/etc/cliqz.profile b/etc/cliqz.profile
index a7c791a02..d61d46dca 100644
--- a/etc/cliqz.profile
+++ b/etc/cliqz.profile
@@ -16,7 +16,7 @@ noblacklist ~/.kde/share/config/okularrc
 noblacklist ~/.kde4/share/apps/okular
 noblacklist ~/.kde4/share/config/okularpartrc
 noblacklist ~/.kde4/share/config/okularrc
-noblacklist ~/.local/share/gnome-shell/extensions
+# noblacklist ~/.local/share/gnome-shell/extensions
 noblacklist ~/.local/share/okular
 noblacklist ~/.local/share/qpdfview
diff --git a/etc/digikam.profile b/etc/digikam.profile
index ef518470e..5557e5457 100644
--- a/etc/digikam.profile
+++ b/etc/digikam.profile
@@ -5,6 +5,7 @@ include /etc/firejail/digikam.local
 # Persistent global definitions
 include /etc/firejail/globals.local
+noblacklist ${HOME}/.config/digikam
 noblacklist ${HOME}/.config/digikamrc
 noblacklist ${HOME}/.kde/share/apps/digikam
 noblacklist ${HOME}/.kde4/share/apps/digikam
diff --git a/etc/disable-common.inc b/etc/disable-common.inc
index 6c8a68d9e..8d8d839a9 100644
--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -155,6 +155,17 @@ blacklist /etc/anacrontab
 blacklist /etc/cron*
 blacklist /etc/profile.d
 blacklist /etc/rc.local
+# rc1.d, rc2.d, ...
+blacklist /etc/rc?.d
+blacklist /etc/kernel*
+blacklist /etc/grub*
+blacklist /etc/dkms
+blacklist /etc/apparmor*
+blacklist /etc/selinux
+blacklist /etc/modules*
+blacklist /etc/logrotate*
+blacklist /etc/adduser.conf
+blacklist ${HOME}/.config/openbox
 # Startup files
 read-only ${HOME}/.antigen
@@ -201,6 +212,7 @@ read-only ${HOME}/.nano
 read-only ${HOME}/.reportbugrc
 read-only ${HOME}/.tmux.conf
 read-only ${HOME}/.vim
+read-only ${HOME}/.viminfo
 read-only ${HOME}/.vimrc
 read-only ${HOME}/.xmonad
 read-only ${HOME}/.xscreensaver
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index 73a2e6515..144fa7741 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -24,6 +24,7 @@ blacklist ${HOME}/.ZAP
 blacklist ${HOME}/.aMule
 blacklist ${HOME}/.android
 blacklist ${HOME}/.arduino15
+blacklist ${HOME}/.arm
 blacklist ${HOME}/.atom
 blacklist ${HOME}/.attic
 blacklist ${HOME}/.audacity-data
@@ -41,6 +42,7 @@ blacklist ${HOME}/.config/Franz
 blacklist ${HOME}/.config/FreeCAD
 blacklist ${HOME}/.config/Gitter
 blacklist ${HOME}/.config/Google
+blacklist ${HOME}/.config/Google Play Music Desktop Player
 blacklist ${HOME}/.config/Gpredict
 blacklist ${HOME}/.config/INRIA
 blacklist ${HOME}/.config/InSilmaril
@@ -50,12 +52,15 @@ blacklist ${HOME}/.config/Mousepad
 blacklist ${HOME}/.config/Mumble
 blacklist ${HOME}/.config/MusE
 blacklist ${HOME}/.config/MuseScore
+blacklist ${HOME}/.config/MusicBrainz
 blacklist ${HOME}/.config/Nylas Mail
 blacklist ${HOME}/.config/Qlipper
 blacklist ${HOME}/.config/QuiteRss
 blacklist ${HOME}/.config/QuiteRssrc
+blacklist ${HOME}/.config/Rambox
 blacklist ${HOME}/.config/Riot
 blacklist ${HOME}/.config/Rocket.Chat
+blacklist ${HOME}/.config/Signal
 blacklist ${HOME}/.config/Slack
 blacklist ${HOME}/.config/Thunar
 blacklist ${HOME}/.config/VirtualBox
@@ -89,6 +94,7 @@ blacklist ${HOME}/.config/darktable
 blacklist ${HOME}/.config/deadbeef
 blacklist ${HOME}/.config/deluge
 blacklist ${HOME}/.config/digikam
+blacklist ${HOME}/.config/digikamrc
 blacklist ${HOME}/.config/dolphinrc
 blacklist ${HOME}/.config/dragonplayerrc
 blacklist ${HOME}/.config/enchant
@@ -105,6 +111,7 @@ blacklist ${HOME}/.config/gedit
 blacklist ${HOME}/.config/geeqie
 blacklist ${HOME}/.config/ghb
 blacklist ${HOME}/.config/globaltime
+blacklist ${HOME}/.config/gnome-mplayer
 blacklist ${HOME}/.config/google-chrome
 blacklist ${HOME}/.config/google-chrome-beta
 blacklist ${HOME}/.config/google-chrome-unstable
@@ -112,7 +119,9 @@ blacklist ${HOME}/.config/gpicview
 blacklist ${HOME}/.config/gthumb
 blacklist ${HOME}/.config/gwenviewrc
 blacklist ${HOME}/.config/hexchat
+blacklist ${HOME}/.config/inkscape
 blacklist ${HOME}/.config/inox
+blacklist ${HOME}/.config/iridium
 blacklist ${HOME}/.config/itch
 blacklist ${HOME}/.config/jd-gui.cfg
 blacklist ${HOME}/.config/k3brc
@@ -121,17 +130,21 @@ blacklist ${HOME}/.config/katerc
 blacklist ${HOME}/.config/kateschemarc
 blacklist ${HOME}/.config/katesyntaxhighlightingrc
 blacklist ${HOME}/.config/katevirc
+blacklist ${HOME}/.config/kritarc
+blacklist ${HOME}/.config/kwriterc
 blacklist ${HOME}/.config/kdeconnect
 blacklist ${HOME}/.config/knotesrc
 blacklist ${HOME}/.config/ktorrentrc
 blacklist ${HOME}/.config/leafpad
 blacklist ${HOME}/.config/libreoffice
+blacklist ${HOME}/.config/liferea
 blacklist ${HOME}/.config/lximage-qt
 blacklist ${HOME}/.config/mate-calc
 blacklist ${HOME}/.config/mate/eom
 blacklist ${HOME}/.config/mate/mate-dictionary
 blacklist ${HOME}/.config/mfusion
 blacklist ${HOME}/.config/midori
+blacklist ${HOME}/.config/mono
 blacklist ${HOME}/.config/mpv
 blacklist ${HOME}/.config/mupen64plus
 blacklist ${HOME}/.config/nautilus
@@ -157,11 +170,13 @@ blacklist ${HOME}/.config/qupzilla
 blacklist ${HOME}/.config/qutebrowser
 blacklist ${HOME}/.config/ranger
 blacklist ${HOME}/.config/redshift.conf
+blacklist ${HOME}/.config/remmina
 blacklist ${HOME}/.config/ristretto
 blacklist ${HOME}/.config/scribus
 blacklist ${HOME}/.config/skypeforlinux
 blacklist ${HOME}/.config/slimjet
 blacklist ${HOME}/.config/smplayer
+blacklist ${HOME}/.config/smtube
 blacklist ${HOME}/.config/spotify
 blacklist ${HOME}/.config/stellarium
 blacklist ${HOME}/.config/synfig
@@ -169,8 +184,10 @@ blacklist ${HOME}/.config/telepathy-account-widgets
 blacklist ${HOME}/.config/torbrowser
 blacklist ${HOME}/.config/totem
 blacklist ${HOME}/.config/tox
+blacklist ${HOME}/.config/truecraft
 blacklist ${HOME}/.config/transmission
 blacklist ${HOME}/.config/uGet
+blacklist ${HOME}/.config/uzbl
 blacklist ${HOME}/.config/viewnior
 blacklist ${HOME}/.config/vivaldi
 blacklist ${HOME}/.config/vlc
@@ -199,7 +216,7 @@ blacklist ${HOME}/.dia
 blacklist ${HOME}/.dillo
 blacklist ${HOME}/.dooble
 blacklist ${HOME}/.dosbox
-blacklist ${HOME}/.dropbox-dist
+blacklist ${HOME}/.dropbox*
 blacklist ${HOME}/.electrum*
 blacklist ${HOME}/.elinks
 blacklist ${HOME}/.emacs
@@ -209,6 +226,7 @@ blacklist ${HOME}/.etr
 blacklist ${HOME}/.filezilla
 blacklist ${HOME}/.flowblade
 blacklist ${HOME}/.fltk
+blacklist ${HOME}/.fossamail
 blacklist ${HOME}/.frozen-bubble
 blacklist ${HOME}/.gimp*
 blacklist ${HOME}/.git-credential-cache
@@ -228,6 +246,7 @@ blacklist ${HOME}/.jack-server
 blacklist ${HOME}/.jack-settings
 blacklist ${HOME}/.java
 blacklist ${HOME}/.jitsi
+blacklist ${HOME}/.kde/share/apps/digikam
 blacklist ${HOME}/.kde/share/apps/gwenview
 blacklist ${HOME}/.kde/share/apps/kcookiejar
 blacklist ${HOME}/.kde/share/apps/kget
@@ -235,7 +254,8 @@ blacklist ${HOME}/.kde/share/apps/khtml
 blacklist ${HOME}/.kde/share/apps/konqsidebartng
 blacklist ${HOME}/.kde/share/apps/konqueror
 blacklist ${HOME}/.kde/share/apps/kopete
-blacklist ${HOME}/.kde/share/apps/okular
+blacklist ${HOME}/.kde/share/apps/khtml
+blacklist ${HOME}/.kde/share/apps/ktorrent
 blacklist ${HOME}/.kde/share/config/baloofilerc
 blacklist ${HOME}/.kde/share/config/baloorc
 blacklist ${HOME}/.kde/share/config/digikam
@@ -251,6 +271,7 @@ blacklist ${HOME}/.kde/share/config/kopeterc
 blacklist ${HOME}/.kde/share/config/ktorrentrc
 blacklist ${HOME}/.kde/share/config/okularpartrc
 blacklist ${HOME}/.kde/share/config/okularrc
+blacklist ${HOME}/.kde4/share/apps/digikam
 blacklist ${HOME}/.kde4/share/apps/gwenview
 blacklist ${HOME}/.kde4/share/apps/kcookiejar
 blacklist ${HOME}/.kde4/share/apps/kget
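Review bot: The `@@ -235,7 +254,8 @@` hunk replaces `blacklist ${HOME}/.kde/share/apps/okular` with `blacklist ${HOME}/.kde/share/apps/khtml`, but khtml is already in the file — it is this very hunk's header context line — so the net effect is that Okular's data directory under ~/.kde/share/apps stops being blacklisted for every profile that includes disable-programs.inc, while the ~/.kde4/share/apps/okular entry in the next hunk is kept. The firefox, cliqz and waterfox hunks in this commit still carry okular-related noblacklist lines, which suggests the entry was meant to stay and the added line should be `blacklist ${HOME}/.kde/share/apps/ktorrent` alone with the okular line left untouched. If dropping it is intentional, the commit message should say so, because the new fs.c check will otherwise start reporting any `noblacklist ~/.kde/share/apps/okular` as unmatched.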
@@ -258,6 +279,7 @@ blacklist ${HOME}/.kde4/share/apps/khtml
 blacklist ${HOME}/.kde4/share/apps/konqueror
 blacklist ${HOME}/.kde4/share/apps/konqsidebartng
 blacklist ${HOME}/.kde4/share/apps/kopete
+blacklist ${HOME}/.kde4/share/apps/ktorrent
 blacklist ${HOME}/.kde4/share/apps/okular
 blacklist ${HOME}/.kde4/share/config/baloorc
 blacklist ${HOME}/.kde4/share/config/baloofilerc
@@ -311,16 +333,22 @@ blacklist ${HOME}/.local/share/feral-interactive
 blacklist ${HOME}/.local/share/gajim
 blacklist ${HOME}/.local/share/geary
 blacklist ${HOME}/.local/share/geeqie
+blacklist ${HOME}/.local/share/gitg
 blacklist ${HOME}/.local/share/gnome-2048
 blacklist ${HOME}/.local/share/gnome-chess
 blacklist ${HOME}/.local/share/gnome-music
 blacklist ${HOME}/.local/share/gnome-photos
+blacklist ${HOME}/.local/share/gnome-ring
+blacklist ${HOME}/.local/share/gnome-twitch
 blacklist ${HOME}/.local/share/gwenview
 blacklist ${HOME}/.local/share/kate
 blacklist ${HOME}/.local/share/ktorrentrc
+blacklist ${HOME}/.local/share/ktorrent
 blacklist ${HOME}/.local/share/kwrite
+blacklist ${HOME}/.local/share/liferea
 blacklist ${HOME}/.local/share/lollypop
 blacklist ${HOME}/.local/share/meld
+blacklist ${HOME}/.local/share/midori
 blacklist ${HOME}/.local/share/multimc
 blacklist ${HOME}/.local/share/multimc5
 blacklist ${HOME}/.local/share/mupen64plus
@@ -335,6 +363,7 @@ blacklist ${HOME}/.local/share/org.kde.gwenview
 blacklist ${HOME}/.local/share/pix
 blacklist ${HOME}/.local/share/psi+
 blacklist ${HOME}/.local/share/qpdfview
+blacklist ${HOME}/.local/share/remmina
 blacklist ${HOME}/.local/share/scribus
 blacklist ${HOME}/.local/share/spotify
 blacklist ${HOME}/.local/share/steam
@@ -343,6 +372,7 @@ blacklist ${HOME}/.local/share/telepathy
 blacklist ${HOME}/.local/share/terasology
 blacklist ${HOME}/.local/share/torbrowser
 blacklist ${HOME}/.local/share/totem
+blacklist ${HOME}/.local/share/vlc
 blacklist ${HOME}/.local/share/vpltd
 blacklist ${HOME}/.local/share/vulkan
 blacklist ${HOME}/.local/share/wesnoth
@@ -395,21 +425,24 @@ blacklist ${HOME}/.tooling
 blacklist ${HOME}/.tor-browser-en
 blacklist ${HOME}/.ts3client
 blacklist ${HOME}/.tuxguitar*
-blacklist ${HOME}/.unknow-horizons
+blacklist ${HOME}/.unknown-horizons
 blacklist ${HOME}/.viking
 blacklist ${HOME}/.viking-maps
 blacklist ${HOME}/.vst
 blacklist ${HOME}/.w3m
 blacklist ${HOME}/.warzone2100-3.*
+blacklist ${HOME}/.waterfox
 blacklist ${HOME}/.weechat
 blacklist ${HOME}/.wgetrc
 blacklist ${HOME}/.wine
+blacklist ${HOME}/.wireshark
 blacklist ${HOME}/.wine64
 blacklist ${HOME}/.xiphos
 blacklist ${HOME}/.xmms
 blacklist ${HOME}/.xonotic
 blacklist ${HOME}/.xpdfrc
 blacklist ${HOME}/.zoom
+blacklist ${HOME}/Arduino
 blacklist ${HOME}/wallet.dat
 blacklist /tmp/ssh-*
@@ -418,6 +451,7 @@ blacklist ${HOME}/.cache/0ad
 blacklist ${HOME}/.cache/8pecxstudios
 blacklist ${HOME}/.cache/Franz
 blacklist ${HOME}/.cache/INRIA
+blacklist ${HOME}/.cache/MusicBrainz
 blacklist ${HOME}/.cache/QuiteRss
 blacklist ${HOME}/.cache/attic
 blacklist ${HOME}/.cache/borg
@@ -429,16 +463,21 @@ blacklist ${HOME}/.cache/cliqz
 blacklist ${HOME}/.cache/darktable
 blacklist ${HOME}/.cache/epiphany
 blacklist ${HOME}/.cache/evolution
+blacklist ${HOME}/.cache/fossamail
 blacklist ${HOME}/.cache/gajim
 blacklist ${HOME}/.cache/geeqie
 blacklist ${HOME}/.cache/google-chrome
 blacklist ${HOME}/.cache/google-chrome-beta
 blacklist ${HOME}/.cache/google-chrome-unstable
+blacklist ${HOME}/.cache/gnome-twitch
 blacklist ${HOME}/.cache/icedove
 blacklist ${HOME}/.cache/INRIA/Natron
 blacklist ${HOME}/.cache/inox
+blacklist ${HOME}/.cache/iridium
 blacklist ${HOME}/.cache/libgweather
+blacklist ${HOME}/.cache/liferea
 blacklist ${HOME}/.cache/midori
+noblacklist ${HOME}/.cache/moonchild productions/pale moon
 blacklist ${HOME}/.cache/mozilla
 blacklist ${HOME}/.cache/mutt
 blacklist ${HOME}/.cache/netsurf
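Review bot: `+noblacklist ${HOME}/.cache/moonchild productions/pale moon` in the `@@ -429,16 +463,21 @@` hunk is the only noblacklist directive among the blacklist entries of disable-programs.inc, and since that file is included by essentially every profile, as written it exempts the Pale Moon cache from blacklisting in all of them instead of hiding it. It reads like a typo for `blacklist ${HOME}/.cache/moonchild productions/pale moon`, which is what the neighbouring lines do. If a Pale Moon profile needs the directory, the noblacklist belongs in that profile, which is exactly the pairing this commit sets out to enforce.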
@@ -458,6 +497,7 @@ blacklist ${HOME}/.cache/thunderbird
 blacklist ${HOME}/.cache/torbrowser
 blacklist ${HOME}/.cache/transmission
 blacklist ${HOME}/.cache/vivaldi
+blacklist ${HOME}/.cache/waterfox
 blacklist ${HOME}/.cache/wesnoth
 blacklist ${HOME}/.cache/xmms2
 blacklist ${HOME}/.cache/xreader
diff --git a/etc/dolphin.profile b/etc/dolphin.profile
index 7566e927b..fe72ee654 100644
--- a/etc/dolphin.profile
+++ b/etc/dolphin.profile
@@ -8,8 +8,8 @@ include /etc/firejail/globals.local
 # warning: firejail is currently not effectively constraining dolphin since used services are started by kdeinit5
 noblacklist ${HOME}/.local/share/Trash
-noblacklist ~/.config/dolphinrc
-noblacklist ~/.local/share/dolphin
+# noblacklist ~/.config/dolphinrc - diable-programs.inc is disabled, see below
+# noblacklist ~/.local/share/dolphin
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
diff --git a/etc/evolution.profile b/etc/evolution.profile
index 9f29b229b..e74c68f63 100644
--- a/etc/evolution.profile
+++ b/etc/evolution.profile
@@ -7,13 +7,12 @@ include /etc/firejail/globals.local
 noblacklist /var/mail
 noblacklist /var/spool/mail
-noblacklist ~/.bogofilter
+# noblacklist ~/.bogofilter
 noblacklist ~/.cache/evolution
 noblacklist ~/.config/evolution
 noblacklist ~/.gnupg
 noblacklist ~/.local/share/evolution
 noblacklist ~/.pki
-noblacklist ~/.pki/nssdb
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
diff --git a/etc/firefox.profile b/etc/firefox.profile
index 1f4106936..2423b149c 100644
--- a/etc/firefox.profile
+++ b/etc/firefox.profile
@@ -19,7 +19,7 @@ noblacklist ~/.kde4/share/apps/okular
 noblacklist ~/.kde4/share/config/kgetrc
 noblacklist ~/.kde4/share/config/okularpartrc
 noblacklist ~/.kde4/share/config/okularrc
-noblacklist ~/.local/share/gnome-shell/extensions
+# noblacklist ~/.local/share/gnome-shell/extensions
 noblacklist ~/.local/share/okular
 noblacklist ~/.local/share/qpdfview
 noblacklist ~/.mozilla
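Review bot: The comment added in the dolphin.profile hunk misspells the include file as `diable-programs.inc`; the caja and pcmanfm hunks in this commit use the correct name, so the line should read `# noblacklist ~/.config/dolphinrc - disable-programs.inc is disabled, see below`. Keeping the three comments word-for-word identical also makes them easy to find together when the disable-programs.inc handling for these file managers changes.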
diff --git a/etc/gnome-mplayer.profile b/etc/gnome-mplayer.profile
index d63cc4500..166994374 100644
--- a/etc/gnome-mplayer.profile
+++ b/etc/gnome-mplayer.profile
@@ -5,6 +5,7 @@ include /etc/firejail/gnome-mplayer.local
 # Persistent global definitions
 include /etc/firejail/globals.local
+noblacklist ~/.config/gnome-mplayer
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
diff --git a/etc/inkscape.profile b/etc/inkscape.profile
index b190e4326..d2929412b 100644
--- a/etc/inkscape.profile
+++ b/etc/inkscape.profile
@@ -6,6 +6,8 @@ include /etc/firejail/inkscape.local
 include /etc/firejail/globals.local
 noblacklist ${HOME}/.inkscape
+noblacklist ${HOME}/.config/inkscape
+
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
diff --git a/etc/krita.profile b/etc/krita.profile
index 52329eaab..0d2b62c5d 100644
--- a/etc/krita.profile
+++ b/etc/krita.profile
@@ -6,6 +6,7 @@ include /etc/firejail/krita.local
 include /etc/firejail/globals.local
 # blacklist /run/user/*/bus
+noblacklist ${HOME}/.config/kritarc
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
diff --git a/etc/kwrite.profile b/etc/kwrite.profile
index af1fa179b..5d6eba094 100644
--- a/etc/kwrite.profile
+++ b/etc/kwrite.profile
@@ -12,6 +12,7 @@ noblacklist ~/.config/katerc
 noblacklist ~/.config/kateschemarc
 noblacklist ~/.config/katesyntaxhighlightingrc
 noblacklist ~/.config/katevirc
+noblacklist ~/.config/kwriterc
 noblacklist ~/.local/share/kwrite
 include /etc/firejail/disable-common.inc
diff --git a/etc/lximage-qt.profile b/etc/lximage-qt.profile
index 734f16e92..1a3b26c10 100644
--- a/etc/lximage-qt.profile
+++ b/etc/lximage-qt.profile
@@ -5,7 +5,7 @@ include /etc/firejail/lximage-qt.local
 # Persistent global definitions
 include /etc/firejail/globals.local
-noblacklist .config/lximage-qt
+noblacklist ~/.config/lximage-qt
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
diff --git a/etc/midori.profile b/etc/midori.profile
index 8ddb37776..e8373b042 100644
--- a/etc/midori.profile
+++ b/etc/midori.profile
@@ -7,8 +7,8 @@ include /etc/firejail/globals.local
 noblacklist ~/.config/midori
 noblacklist ~/.local/share/midori
-noblacklist ~/.local/share/webkit
-noblacklist ~/.local/share/webkitgtk
+# noblacklist ~/.local/share/webkit
+# noblacklist ~/.local/share/webkitgtk
 noblacklist ~/.pki
 include /etc/firejail/disable-common.inc
diff --git a/etc/openbox.profile b/etc/openbox.profile
index 99c579c37..5bab7ce7d 100644
--- a/etc/openbox.profile
+++ b/etc/openbox.profile
@@ -6,7 +6,7 @@ include /etc/firejail/openbox.local
 include /etc/firejail/globals.local
 # all applications started in OpenBox will run in this profile
-
+noblacklist ${HOME}/.config/openbox
 include /etc/firejail/disable-common.inc
 caps.drop all
diff --git a/etc/pcmanfm.profile b/etc/pcmanfm.profile
index 7d2121710..03e7e450f 100644
--- a/etc/pcmanfm.profile
+++ b/etc/pcmanfm.profile
@@ -8,8 +8,8 @@ include /etc/firejail/globals.local
 # blacklist /run/user/*/bus
 noblacklist ${HOME}/.local/share/Trash
-noblacklist ~/.config/libfm
-noblacklist ~/.config/pcmanfm
+# noblacklist ~/.config/libfm - disable-programs.inc is disabled, see below
+# noblacklist ~/.config/pcmanfm
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
diff --git a/etc/vlc.profile b/etc/vlc.profile
index c3a4d58d0..e906d738c 100644
--- a/etc/vlc.profile
+++ b/etc/vlc.profile
@@ -6,6 +6,7 @@ include /etc/firejail/vlc.local
 include /etc/firejail/globals.local
 noblacklist ${HOME}/.config/vlc
+noblacklist ${HOME}/.local/share/vlc
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
diff --git a/etc/vym.profile b/etc/vym.profile
index 4f60b2ada..b38d87fde 100644
--- a/etc/vym.profile
+++ b/etc/vym.profile
@@ -5,7 +5,7 @@ include /etc/firejail/vym.local
 # Persistent global definitions
 include /etc/firejail/globals.local
-noblacklist ./.config/InSilmaril
+noblacklist ~/.config/InSilmaril
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
diff --git a/etc/waterfox.profile b/etc/waterfox.profile
index 9626c17aa..53543e97e 100644
--- a/etc/waterfox.profile
+++ b/etc/waterfox.profile
@@ -16,7 +16,7 @@ noblacklist ~/.kde/share/config/okularrc
 noblacklist ~/.kde4/share/apps/okular
 noblacklist ~/.kde4/share/config/okularpartrc
 noblacklist ~/.kde4/share/config/okularrc
-noblacklist ~/.local/share/gnome-shell/extensions
+# noblacklist ~/.local/share/gnome-shell/extensions
 noblacklist ~/.local/share/okular
 noblacklist ~/.local/share/qpdfview
 noblacklist ~/.mozilla
diff --git a/etc/wireshark.profile b/etc/wireshark.profile
index e283b6149..ba717cfe5 100644
--- a/etc/wireshark.profile
+++ b/etc/wireshark.profile
@@ -6,6 +6,8 @@ include /etc/firejail/wireshark.local
 include /etc/firejail/globals.local
 noblacklist ${HOME}/.config/wireshark
+noblacklist ${HOME}/.wireshark
+
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
diff --git a/etc/xreader.profile b/etc/xreader.profile
index 9583b6ee1..76fae9fed 100644
--- a/etc/xreader.profile
+++ b/etc/xreader.profile
@@ -7,7 +7,7 @@ include /etc/firejail/globals.local
 noblacklist ~/.cache/xreader
 noblacklist ~/.config/xreader
-noblacklist ~/.local/share
+# noblacklist ~/.local/share
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index ed2c9a566..addeb619e 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -183,10 +183,24 @@ static void disable_file(OPERATION op, const char *filename) {
 	free(fname);
 }
+// check noblacklist statements not matched by a proper blacklist in disable-*.inc files
+static int nbcheck_start = 0;
+static size_t nbcheck_size = 0;
+static int *nbcheck = NULL;
+
 // Treat pattern as a shell glob pattern and blacklist matching files
 static void globbing(OPERATION op, const char *pattern, const char *noblacklist[], size_t noblacklist_len) {
 	assert(pattern);
+	if (nbcheck_start == 0) {
+		nbcheck_start = 1;
+		nbcheck_size = noblacklist_len;
+		nbcheck = malloc(sizeof(int) * noblacklist_len);
+		if (nbcheck == NULL)
+			errExit("malloc");
+		memset(nbcheck, 0, sizeof(int) * noblacklist_len);
+	}
+
 	glob_t globbuf;
 	// Profiles contain blacklists for files that might not exist on a user's machine.
 	// GLOB_NOCHECK makes that okay.
@@ -212,6 +226,8 @@ static void globbing(OPERATION op, const char *pattern, const char *noblacklist[
 			continue;
 		else if (result == 0) {
 			okay_to_blacklist = false;
+			if (j < nbcheck_size) // noblacklist checking
+				nbcheck[j] = 1;
 			break;
 		}
 		else {
@@ -403,8 +419,21 @@ void fs_blacklist(void) {
 	}
 	size_t i;
-	for (i = 0; i < noblacklist_c; i++) free(noblacklist[i]);
-	free(noblacklist);
+	// noblacklist checking
+	for (i = 0; i < nbcheck_size; i++)
+		if (!arg_quiet && !nbcheck[i])
+			printf("TESTING warning: noblacklist %s not matched by a proper blacklist command in disable*.inc\n",
+				noblacklist[i]);
+
+	// free memory
+	if (nbcheck) {
+		free(nbcheck);
+		nbcheck = NULL;
+		nbcheck_size = 0;
+	}
+	for (i = 0; i < noblacklist_c; i++)
+		free(noblacklist[i]);
+	free(noblacklist);
 }
 static int get_mount_flags(const char *path, unsigned long *flags) {
--
cgit v1.2.3-70-g09d2
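Review bot: The lazy setup at the top of globbing() freezes nbcheck_size at the first call's noblacklist_len and passes that count to malloc() even when it is 0, so on a libc whose malloc(0) returns NULL the first blacklist line of a profile with no noblacklist entries would abort through `errExit("malloc")`; replace the malloc()+memset() pair with `nbcheck = calloc(noblacklist_len, sizeof *nbcheck);` and skip the allocation when noblacklist_len is 0, which the `j < nbcheck_size` guard in the second hunk and the reporting loop in fs_blacklist() already tolerate. Because the size is captured once, a noblacklist entry appended after the first blacklist has been processed can never be marked and silently drops out of the report; if profiles can order lines that way, the table should be grown when a later call passes a larger noblacklist_len rather than clipped by the guard. The three new statics deserve a comment stating that nbcheck is indexed by position in fs_blacklist()'s noblacklist array and is only meaningful during a single fs_blacklist() run. globbing()'s body continues outside the hunk.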
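Review bot: The cleanup at the end of fs_blacklist() frees nbcheck and zeroes nbcheck_size but leaves nbcheck_start at 1, so a second fs_blacklist() run would skip the allocation in globbing() and the check would silently report nothing; add `nbcheck_start = 0;` next to `nbcheck_size = 0;` so all three statics return to their initial state together. The `"TESTING warning: ..."` prefix reads like leftover debugging output and goes to stdout through printf(); if the rest of fs.c reports warnings to stderr or through a shared helper, this message should take the same path before merge. `arg_quiet` is loop-invariant, so `if (!arg_quiet)` can wrap the loop instead of being re-tested on every entry. fs_blacklist()'s body begins outside the hunk.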