
Artifact b4a9b7b5cdda352e5796352d16caef3756e2f2a2:


<!--	This file is part of FirejailProfileGenerator.
  
	FirejailProfileGenerator is free software: you can redistribute it and/or modify
	it under the terms of the GNU General Public License as published by
	the Free Software Foundation, either version 2 of the License, or
	(at your option) any later version.

	FirejailProfileGenerator is distributed in the hope that it will be useful,
	but WITHOUT ANY WARRANTY; without even the implied warranty of
	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
	GNU General Public License for more details.

	You should have received a copy of the GNU General Public License
	along with FirejailProfileGenerator.  If not, see <http://www.gnu.org/licenses/>.
-->

<applications>

	<!-- Entry named "default". The options element holds firejail profile directives
	     separated by " # ". Here they drop all capabilities, set nonewprivs and noroot,
	     limit socket families to unix/inet/inet6, and enable the netfilter and seccomp
	     directives. How the generator treats the name "default" and the genoptions value
	     "nodevel" is not visible in this file; confirm against the generator source. -->
	<application>
		<name>default</name>
		<mode>blacklist</mode>
		<options>caps.drop all # netfilter # nonewprivs # noroot # protocol unix,inet,inet6 # seccomp</options>
		<genoptions>nodevel</genoptions>
	</application>

	<!--TODO ADD PATHS (EVEN IN BLACKLIST, IT PREVENTS OTHER FIREJAILED APPS FROM ACCESSING)-->
	<application>
		<name>generic-5</name>
		<aliases>audacious # clementine # corebird</aliases>
		<mode>blacklist</mode>
		<options>caps.drop all # nonewprivs # noroot # protocol unix,inet,inet6 # seccomp</options>
	</application>

	<!--TODO ADD PATHS (EVEN IN BLACKLIST, IT PREVENTS OTHER FIREJAILED APPS FROM ACCESSING)-->
	<application>
		<name>defaultw</name>
		<aliases>gnome-contacts # gnome-clocks # gnome-calendar # gnome-calculator # pithos # gnome-characters</aliases>
		<mode>whitelist</mode>
		<options>caps.drop all # netfilter # nonewprivs # noroot # protocol unix,inet,inet6 # seccomp</options>
	</application>

	<!--TODO ADD PATHS (EVEN IN BLACKLIST, IT PREVENTS OTHER FIREJAILED APPS FROM ACCESSING)-->
	<application>
		<name>defaultnd</name>
		<aliases>pdfsam</aliases>
		<mode>blacklist</mode>
		<options>caps.drop all # netfilter # nonewprivs # noroot # protocol unix,inet,inet6 # seccomp</options>
	</application>

	<application>
		<name>server</name>
		<mode>blacklist</mode>
		<options>private # private-dev # nosound # private-tmp # seccomp # no3d</options>
		<genoptions>nodevel</genoptions>
		<noblacklistexplicit>/sbin # /usr/sbin</noblacklistexplicit>
	</application>

	<!-- NOTE(review): caps.keep retains CAP_CHOWN and CAP_SYS_ADMIN, and this entry sets
	     no seccomp, nonewprivs, noroot or protocol directive. CAP_SYS_ADMIN covers mount
	     and namespace operations, so on its own it removes much of what the sandbox would
	     otherwise provide. Presumably snap needs it to build its own confinement; confirm,
	     and do not reuse this option set as a template for other applications. -->
	<application>
		<name>snap</name>
		<mode>blacklist</mode>
		<options>caps.keep chown,sys_admin</options>
		<genoptions>nodevel</genoptions>
		<paths>${HOME}/snap # ${DOWNLOADS}</paths>
	</application>

	<application>
		<name>generic-13</name>
		<aliases>less # strings</aliases>
		<mode>blacklist</mode>
		<options>quiet # tracelog # net none # shell none # private-dev # nosound # caps.drop all # netfilter # nonewprivs # noroot # protocol unix,inet,inet6 # seccomp</options>
	</application>

	<application>
		<name>generic-compression</name>
		<aliases>tar # gtar # unrar # gzip # unzip # xz # xzdec # 7z</aliases>
		<mode>blacklist</mode>
		<options>quiet # tracelog # net none # shell none # private-bin sh,tar,gtar,compress,gzip,lzma,xz,bzip2,lbzip2,lzip,lzop,unrar,unzip,xzdec,7z # private-dev # private-etc passwd,group,localtime # hostname tar # nosound # caps.drop all # netfilter # nonewprivs # protocol unix,inet,inet6 # seccomp # no3d</options>
		<noblacklistexplicit>/sbin # /usr/sbin</noblacklistexplicit>
	</application>

	<application>
		<name>0ad</name>
		<mode>whitelist</mode>
		<options>caps.drop all # netfilter # nogroups # nonewprivs # noroot # protocol unix,inet,inet6 # seccomp # shell none # tracelog # private-dev # private-tmp</options>
		<paths>${HOME}/.cache/0ad # ${HOME}/.config/0ad # ${HOME}/.local/share/0ad</paths>
	</application>

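	<!-- Document viewer: no inet socket families (protocol unix only), no sound, no shell.
	     The private-bin names are comma-separated without spaces, the same form the evince
	     entry uses, so that each helper name (previewer, thumbnailer) is passed to firejail
	     exactly and not with a leading blank. -->
	<application>
		<name>atril</name>
		<mode>blacklist</mode>
		<options>caps.drop all # nonewprivs # nogroups # noroot # nosound # protocol unix # seccomp # shell none # tracelog # private-bin atril,atril-previewer,atril-thumbnailer # private-dev # private-tmp</options>
		<paths>${HOME}/.config/atril</paths>
	</application>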

	<application>
		<name>audacity</name>
		<mode>blacklist</mode>
		<options>caps.drop all # netfilter # nonewprivs # nogroups # noroot # protocol unix # seccomp # shell none # tracelog # private-bin audacity # private-dev # private-tmp</options>
		<paths>${HOME}/.audacity-data</paths>
	</application>

	<application>
		<name>aweather</name>
		<mode>whitelist</mode>
		<options>caps.drop all # netfilter # nonewprivs # nogroups # noroot # nosound # protocol unix,inet,inet6 # seccomp # shell none # tracelog # private-bin aweather # private-dev # private-tmp</options>
		<paths>${HOME}/.config/aweather</paths>
	</application>

	<!--TODO ADD PATHS (EVEN IN BLACKLIST, IT PREVENTS OTHER FIREJAILED APPS FROM ACCESSING)-->
	<application>
		<name>bitlbee</name>
		<mode>blacklist</mode>
		<options>netfilter # nonewprivs # private # private-dev # protocol unix,inet,inet6 # seccomp # nosound # read-write /var/lib/bitlbee</options>
		<noblacklistexplicit>/sbin # /usr/sbin</noblacklistexplicit>
	</application>

	<application>
		<name>brave</name>
		<mode>whitelist</mode>
		<options>caps.drop all # netfilter # nonewprivs # noroot # protocol unix,inet,inet6,netlink # seccomp</options>
		<paths>${HOME}/.config/brave # ${DOWNLOADS}</paths>
	</application>

	<application>
		<name>cherrytree</name>
		<mode>blacklist</mode>
		<options>caps.drop all # netfilter # nonewprivs # noroot # nosound # seccomp # protocol unix,inet,inet6,netlink # tracelog</options>
		<noblacklistexplicit>/usr/bin/python2* # /usr/bin/python3*</noblacklistexplicit>
		<paths>${HOME}/.config/cherrytree</paths>
	</application>

	<!-- NOTE(review): the only firejail directive here is netfilter. There is no caps.drop,
	     seccomp, nonewprivs or noroot, presumably so the browser's own sandbox can still
	     start; confirm. Confinement for this entry therefore rests on the whitelist of
	     home paths below, not on capability or syscall filtering. The chromium-dev,
	     google-chrome*, inox, opera* and vivaldi entries use the same single option. -->
	<application>
		<name>chromium</name>
		<aliases>chromium-browser</aliases>
		<mode>whitelist</mode>
		<options>netfilter</options>
		<genoptions>nodevel</genoptions>
		<paths>${DOWNLOADS} # ${HOME}/.config/chromium # ${HOME}/.cache/chromium # ${HOME}/.pki</paths>
		<files>${HOME}/.config/chromium-flags.conf</files>
	</application>

	<application>
		<name>chromium-dev</name>
		<mode>whitelist</mode>
		<options>netfilter</options>
		<genoptions>nodevel</genoptions>
		<paths>${DOWNLOADS} # ${HOME}/.config/chromium-dev # ${HOME}/.cache/chromium-dev # ${HOME}/.pki</paths>
		<files>${HOME}/.config/chromium-flags.conf</files>
	</application>

	<application>
		<name>cmus</name>
		<mode>blacklist</mode>
		<options>caps.drop all # netfilter # nonewprivs # noroot # protocol unix,inet,inet6 # seccomp # private-bin cmus # private-etc group # shell none</options>
		<paths>${HOME}/.config/cmus</paths>
	</application>

	<application>
		<name>deadbeef</name>
		<mode>blacklist</mode>
		<options>caps.drop all # nonewprivs # noroot # protocol unix,inet,inet6 # seccomp</options>
		<paths>${HOME}/.config/deadbeef</paths>
	</application>

	<!--TODO ADD PATHS (EVEN IN BLACKLIST, IT PREVENTS OTHER FIREJAILED APPS FROM ACCESSING)-->
	<application>
		<name>deluge</name>
		<mode>blacklist</mode>
		<options>caps.drop all # netfilter # nonewprivs # noroot # private-tmp # protocol unix,inet,inet6 # seccomp # shell none # private-dev # nosound</options>
		<genoptions>nodevel</genoptions>
	</application>

	<application>
		<name>dillo</name>
		<mode>whitelist</mode>
		<options>caps.drop all # netfilter # nonewprivs # noroot # protocol unix,inet,inet6 # seccomp # tracelog</options>
		<paths>${HOME}/.dillo # ${HOME}/.fltk # ${DOWNLOADS}</paths>
	</application>

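	<!-- Daemon entry. seccomp.drop names the denied syscalls explicitly, each listed once,
	     instead of using the default seccomp directive. No caps.drop, nonewprivs, noroot or
	     protocol restriction is set, so the syscall list and the private / private-dev
	     filesystem options are the whole confinement here.
	     NOTE(review): /sbin and /usr/sbin are presumably exempted from the blacklist so the
	     daemon binary itself stays reachable; confirm against the generator. -->
	<application>
		<name>dnscrypt-proxy</name>
		<mode>blacklist</mode>
		<options>no3d # private # private-dev # nosound # seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,open_by_handle_at,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice</options>
		<noblacklistexplicit>/sbin # /usr/sbin</noblacklistexplicit>
	</application>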

	<application>
		<name>mumble</name>
		<mode>whitelist</mode>
		<options>caps.drop all # netfilter # nonewprivs # nogroups # noroot # protocol unix,inet,inet6 # seccomp # shell none # tracelog # private-bin mumble # private-tmp</options>
		<paths>${HOME}/.config/Mumble # ${HOME}/.local/share/data/Mumble # ${HOME}/.local/share/Mumble</paths>
	</application>

	<application>
		<name>multimc5</name>
		<mode>whitelist</mode>
		<options>caps.drop all # netfilter # nonewprivs # noroot # protocol unix,inet,inet6</options>
		<paths>${HOME}/.multimc5 # ${HOME}/.local/share/multimc5</paths>
	</application>

	<application>
		<name>eog</name>
		<mode>blacklist</mode>
		<options>caps.drop all # netfilter # nonewprivs # noroot # nogroups # protocol unix # seccomp # shell none # private-bin eog # private-dev # private-etc fonts # private-tmp # nosound</options>
		<paths>${HOME}/.config/eog # ${HOME}/.cache/champlain</paths>
	</application>

	<application>
		<name>atom</name>
		<aliases>atom-beta</aliases>
		<mode>blacklist</mode>
		<options>caps.drop all # netfilter # nonewprivs # nogroups # noroot # nosound # protocol unix,inet,inet6,netlink # seccomp # shell none # private-dev # private-tmp</options>
		<genoptions>nodevel</genoptions>
		<paths>${HOME}/.atom # ${HOME}/.config/Atom</paths>
	</application>

	<application>
		<name>libreoffice</name>
		<aliases>localc # lodraw # loffice # lofromtemplate # loimpress # lomath # loweb # lowriter # soffice</aliases>
		<mode>blacklist</mode>
		<options>caps.drop all # net none # nogroups # nonewprivs # noroot # protocol unix,inet,inet6 # seccomp # tracelog # private-dev</options>
		<paths>${HOME}/.config/libreoffice</paths>
		<noblacklistexplicit>/usr/local/sbin</noblacklistexplicit>
	</application>

	<!-- Daemon entry. The bare "caps" directive turns on firejail's default capability
	     filter; it is not the same as "caps.drop all" used by the desktop entries, and
	     noroot is absent. Presumably dnsmasq needs some capabilities (for example to bind
	     low ports); confirm which ones and consider an explicit caps.keep list. -->
	<application>
		<name>dnsmasq</name>
		<mode>blacklist</mode>
		<options>no3d # caps # netfilter # nonewprivs # private # private-dev # nosound # protocol unix,inet,inet6,netlink # seccomp</options>
		<noblacklistexplicit>/sbin # /usr/sbin</noblacklistexplicit>
	</application>

	<application>
		<name>dosbox</name>
		<mode>blacklist</mode>
		<options>caps.drop all # netfilter # nogroups # nonewprivs # noroot # protocol unix,inet,inet6 # seccomp # shell none # tracelog # private-bin dosbox # private-dev # private-tmp</options>
		<paths>${HOME}/.dosbox</paths>
	</application>

	<!-- NOTE(review): paths lists the whole ${HOME}/.config/autostart directory in addition
	     to the single dropbox.desktop file under files. If entries in paths are whitelisted
	     read-write (generator behaviour not visible here; confirm), the sandboxed process
	     can create other .desktop files in that directory, and the desktop session would
	     start them outside firejail at the next login. Limiting access to the one file
	     named under files would avoid that. -->
	<application>
		<name>dropbox</name>
		<mode>whitelist</mode>
		<options>caps.drop all # nonewprivs # noroot # protocol unix,inet,inet6 # seccomp</options>
		<paths>${HOME}/.config/autostart # ${HOME}/Dropbox # ${HOME}/.dropbox-dist</paths>
		<files>${HOME}/.config/autostart/dropbox.desktop</files>
	</application>

	<application>
		<name>eom</name>
		<mode>blacklist</mode>
		<options>caps.drop all # nogroups # nonewprivs # noroot # nosound # protocol unix # seccomp # shell none # tracelog # private-bin eom # private-dev # private-tmp</options>
		<paths>${HOME}/.config/mate/eom</paths>
	</application>

	<application>
		<name>epiphany</name>
		<mode>whitelist</mode>
		<options>caps.drop all # netfilter # nonewprivs # protocol unix,inet,inet6 # seccomp</options>
		<paths>${HOME}/.config/epiphany # ${HOME}/.cache/epiphany # ${HOME}/.local/share/epiphany # ${DOWNLOADS}</paths>
	</application>

	<!--TODO ADD PATHS (EVEN IN BLACKLIST, IT PREVENTS OTHER FIREJAILED APPS FROM ACCESSING)-->
	<application>
		<name>evince</name>
		<mode>blacklist</mode>
		<options>netfilter # caps.drop all # nonewprivs # nogroups # noroot # nosound # protocol unix # seccomp # shell none # private-etc fonts # private-bin evince,evince-previewer,evince-thumbnailer # private-dev # tracelog</options>
	</application>

	<application>
		<name>fbreader</name>
		<mode>blacklist</mode>
		<options>caps.drop all # netfilter # nonewprivs # noroot # protocol unix,inet,inet6 # seccomp # shell none # private-tmp # private-bin fbreader,FBReader # private-dev # nosound</options>
		<paths>${HOME}/.FBReader</paths>
	</application>

	<application>
		<name>file</name>
		<mode>blacklist</mode>
		<options>no3d # private-tmp # quiet # tracelog # net none # shell none # private-bin file # private-dev # private-etc magic.mgc,magic,localtime # hostname file # nosound # caps.drop all # netfilter # nonewprivs # protocol unix,inet,inet6 # seccomp</options>
	</application>

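	<!-- Network client with full capability drop, seccomp and a private /tmp and /dev.
	     nosound is listed once. private-bin keeps sh and python next to the FileZilla
	     binaries, so script interpreters stay available inside the sandbox even though
	     "shell none" is set; presumably the helper scripts need them (confirm). -->
	<application>
		<name>filezilla</name>
		<mode>blacklist</mode>
		<options>caps.drop all # netfilter # nonewprivs # noroot # nosound # protocol unix,inet,inet6 # seccomp # shell none # private-tmp # private-bin filezilla,uname,sh,python,lsb_release,fzputtygen,fzsftp # private-dev</options>
		<paths>${HOME}/.filezilla # ${HOME}/.config/filezilla</paths>
	</application>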

	<application>
		<name>firefox</name>
		<aliases>firefox-esr # iceweasel</aliases>
		<mode>whitelist</mode>
		<options>caps.drop all # netfilter # nonewprivs # noroot # protocol unix,inet,inet6,netlink # seccomp # tracelog # private-dev # private-tmp</options>
		<paths>${DOWNLOADS} # ${HOME}/.mozilla # ${HOME}/.cache/mozilla # ${HOME}/.pki</paths>
	</application>

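	<!-- Browser entry with the same whitelist as the firefox entry, including the shared
	     ${HOME}/.mozilla profile directory. The last path is written without a trailing
	     blank so the whitelisted name is exactly ${HOME}/.pki whether or not the generator
	     trims items. -->
	<application>
		<name>icecat</name>
		<aliases>icecat-launcher</aliases>
		<mode>whitelist</mode>
		<options>caps.drop all # netfilter # nonewprivs # noroot # protocol unix,inet,inet6,netlink # seccomp # tracelog</options>
		<paths>${DOWNLOADS} # ${HOME}/.mozilla # ${HOME}/.cache/mozilla # ${HOME}/.pki</paths>
	</application>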

	<application>
		<name>seamonkey</name>
		<aliases>seamonkey-bin</aliases>
		<mode>whitelist</mode>
		<options>caps.drop all # netfilter # nonewprivs # noroot # protocol unix,inet,inet6,netlink # seccomp # tracelog</options>
		<paths>${DOWNLOADS} # ${HOME}/.mozilla/seamonkey # ${HOME}/.cache/mozilla # ${HOME}/.pki</paths>
	</application>

	<!-- NOTE(review): aliases is present but empty, while other entries without aliases
	     omit the element. Confirm the generator does not emit a profile with an empty
	     name for this entry. The whitelist shares ${HOME}/.mozilla with the firefox
	     entry. -->
	<application>
		<name>abrowser</name>
		<aliases></aliases>
		<mode>whitelist</mode>
		<options>caps.drop all # netfilter # nonewprivs # noroot # protocol unix,inet,inet6,netlink # seccomp # tracelog</options>
		<paths>${DOWNLOADS} # ${HOME}/.mozilla # ${HOME}/.cache/mozilla # ${HOME}/.pki</paths>
	</application>

	<application>
		<name>cyberfox</name>
		<aliases>Cyberfox</aliases>
		<mode>whitelist</mode>
		<options>caps.drop all # netfilter # nonewprivs # noroot # protocol unix,inet,inet6,netlink # seccomp # tracelog</options>
		<paths>${DOWNLOADS} # ${HOME}/.pki # ${HOME}/.8pecxstudios # ${HOME}/.cache/8pecxstudios</paths>
	</application>

	<application>
		<name>palemoon</name>
		<mode>whitelist</mode>
		<options>caps.drop all # netfilter # nonewprivs # noroot # protocol unix,inet,inet6,netlink # seccomp # tracelog</options>
		<paths>${DOWNLOADS} # ${HOME}/.pki # ${HOME}/.moonchild productions # ${HOME}/.cache/moonchild productions</paths>
	</application>

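	<!-- Browser entry in whitelist mode. The last path is written without a trailing
	     blank so the whitelisted directory name is exactly ${HOME}/.conkeror.mozdev.org
	     whether or not the generator trims items. -->
	<application>
		<name>conkeror</name>
		<mode>whitelist</mode>
		<options>caps.drop all # netfilter # nonewprivs # noroot # protocol unix,inet,inet6,netlink # seccomp # tracelog</options>
		<paths>${DOWNLOADS} # ${HOME}/.pki # ${HOME}/.conkeror.mozdev.org</paths>
	</application>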

	<!-- Mail client in whitelist mode. The whitelist includes ${HOME}/.gnupg, so the
	     sandboxed client can reach the GnuPG keyring (presumably for OpenPGP mail), and
	     ${HOME}/.mozilla, which the browser entries also whitelist. A compromise of the
	     mail client therefore reaches key material and browser profiles; drop either path
	     if the installation does not need it. The icedove entry has the same pattern. -->
	<application>
		<name>thunderbird</name>
		<mode>whitelist</mode>
		<options>caps.drop all # netfilter # nonewprivs # noroot # protocol unix,inet,inet6,netlink # seccomp # tracelog</options>
		<paths>${DOWNLOADS} # ${HOME}/.mozilla # ${HOME}/.cache/mozilla # ${HOME}/.pki # ${HOME}/.gnupg # ${HOME}/.thunderbird # ${HOME}/.cache/thunderbird</paths>
	</application>

	<application>
		<name>icedove</name>
		<mode>whitelist</mode>
		<options>caps.drop all # netfilter # nonewprivs # noroot # protocol unix,inet,inet6,netlink # seccomp # tracelog</options>
		<paths>${DOWNLOADS} # ${HOME}/.mozilla # ${HOME}/.cache/mozilla # ${HOME}/.pki # ${HOME}/.gnupg # ${HOME}/.icedove # ${HOME}/.cache/icedove</paths>
	</application>

	<application>
		<name>slimjet</name>
		<mode>whitelist</mode>
		<options>caps.drop all # netfilter # nonewprivs # noroot # protocol unix,inet,inet6,netlink # seccomp</options>
		<genoptions>nodevel</genoptions>
		<paths>${DOWNLOADS} # ${HOME}/.config/slimjet # ${HOME}/.cache/slimjet # ${HOME}/.pki</paths>
	</application>

	<!-- NOTE(review): the options list contains the item "#tracelog", which begins with the
	     same character used as the separator. It looks like a deliberately disabled
	     tracelog directive. How the generator splits and emits it is not visible here;
	     check the generated profile for a stray or malformed line. -->
	<application>
		<name>franz</name>
		<mode>blacklist</mode>
		<options>caps.drop all # seccomp # protocol unix,inet,inet6,netlink # netfilter # #tracelog # nonewprivs # noroot</options>
		<paths>${HOME}/.config/Franz # ${HOME}/.cache/Franz # ${HOME}/.pki</paths>
	</application>

	<application>
		<name>gitter</name>
		<mode>blacklist</mode>
		<options>caps.drop all # netfilter # nogroups # nonewprivs # noroot # nosound # protocol unix,inet,inet6,netlink # seccomp # shell none # private-bin gitter # private-dev # private-tmp</options>
		<paths>${HOME}/.config/Gitter</paths>
	</application>

	<application>
		<name>gnome-chess</name>
		<mode>blacklist</mode>
		<options>caps.drop all # nogroups # nonewprivs # noroot # nosound # protocol unix # seccomp # shell none # tracelog # private-bin fairymax,gnome-chess,hoichess # private-dev # private-etc fonts,gnome-chess # private-tmp</options>
		<paths>${HOME}/.local/share/gnome-chess</paths>
	</application>

	<!--TODO ADD PATHS (EVEN IN BLACKLIST, IT PREVENTS OTHER FIREJAILED APPS FROM ACCESSING)-->
	<application>
		<name>gnome-mplayer</name>
		<mode>blacklist</mode>
		<options>caps.drop all # nogroups # nonewprivs # noroot # protocol unix,inet,inet6 # seccomp # shell none # private-bin gnome-mplayer # private-dev # private-tmp</options>
	</application>

	<application>
		<name>google-chrome</name>
		<aliases>google-chrome-stable</aliases>
		<mode>whitelist</mode>
		<options>netfilter</options>
		<genoptions>nodevel</genoptions>
		<paths>${DOWNLOADS} # ${HOME}/.config/google-chrome # ${HOME}/.cache/google-chrome # ${HOME}/.pki</paths>
	</application>

	<application>
		<name>google-chrome-beta</name>
		<mode>whitelist</mode>
		<options>netfilter</options>
		<genoptions>nodevel</genoptions>
		<paths>${DOWNLOADS} # ${HOME}/.config/google-chrome-beta # ${HOME}/.cache/google-chrome-beta # ${HOME}/.pki</paths>
	</application>

	<application>
		<name>google-chrome-unstable</name>
		<mode>whitelist</mode>
		<options>netfilter</options>
		<genoptions>nodevel</genoptions>
		<paths>${DOWNLOADS} # ${HOME}/.config/google-chrome-unstable # ${HOME}/.cache/google-chrome-unstable # ${HOME}/.pki</paths>
	</application>

	<application>
		<name>google-play-music-desktop-player</name>
		<mode>whitelist</mode>
		<options>caps.drop all # nonewprivs # noroot # netfilter # protocol unix,inet,inet6,netlink # seccomp</options>
		<paths>${HOME}/.config/Google Play Music Desktop Player</paths>
	</application>

	<application>
		<name>gpredict</name>
		<mode>whitelist</mode>
		<options>caps.drop all # netfilter # nogroups # nonewprivs # noroot # nosound # protocol unix,inet,inet6 # seccomp # shell none # tracelog # private-bin gpredict # private-etc fonts,resolv.conf # private-dev # private-tmp</options>
		<paths>${HOME}/.config/Gpredict</paths>
	</application>

	<application>
		<name>gthumb</name>
		<mode>blacklist</mode>
		<options>caps.drop all # nogroups # nonewprivs # noroot # nosound # protocol unix # seccomp # shell none # tracelog # private-bin gthumb # private-dev # private-tmp</options>
		<paths>${HOME}/.config/gthumb</paths>
	</application>

	<application>
		<name>gwenview</name>
		<mode>blacklist</mode>
		<options>caps.drop all # nonewprivs # noroot # nogroups # private-dev # protocol unix # seccomp # nosound</options>
		<paths>${HOME}/.kde/share/apps/gwenview</paths>
		<files>${HOME}/.kde/share/config/gwenviewrc</files>
	</application>

	<application>
		<name>hedgewars</name>
		<mode>whitelist</mode>
		<options>caps.drop all # netfilter # nogroups # nonewprivs # noroot # seccomp # tracelog # private-dev # private-tmp</options>
		<paths>${HOME}/.hedgewars</paths>
	</application>

	<application>
		<name>hexchat</name>
		<mode>whitelist</mode>
		<options>caps.drop all # netfilter # nogroups # nonewprivs # noroot # nosound # protocol unix,inet,inet6 # seccomp # shell none # tracelog # private-bin hexchat # private-dev # private-tmp</options>
		<paths>${HOME}/.config/hexchat</paths>
	</application>

	<!-- The per-user Python site-packages directory appears twice on purpose: it is in the
	     whitelist (presumably so user-installed modules load) and it is marked read-only
	     in options. The read-only directive is what stops the sandboxed process from
	     changing modules that Python programs outside the sandbox also import; keep the
	     two settings together. -->
	<application>
		<name>gajim</name>
		<mode>whitelist</mode>
		<options>read-only ${HOME}/.local/lib/python2.7/site-packages # caps.drop all # netfilter # nonewprivs # nogroups # noroot # protocol unix,inet,inet6 # seccomp # shell none # private-dev</options>
		<paths>${HOME}/.cache/gajim # ${HOME}/.local/share/gajim # ${HOME}/.config/gajim # ${DOWNLOADS} # ${HOME}/.local/lib/python2.7/site-packages</paths>
	</application>

	<application>
		<name>inox</name>
		<mode>whitelist</mode>
		<options>netfilter</options>
		<genoptions>nodevel</genoptions>
		<paths>${DOWNLOADS} # ${HOME}/.config/inox # ${HOME}/.cache/inox # ${HOME}/.pki</paths>
	</application>

	<application>
		<name>jitsi</name>
		<mode>blacklist</mode>
		<options>caps.drop all # nonewprivs # nogroups # noroot # protocol unix,inet,inet6 # seccomp # shell none # tracelog # private-tmp</options>
		<paths>${HOME}/.jitsi</paths>
	</application>

	<!--TODO ADD PATHS (EVEN IN BLACKLIST, IT PREVENTS OTHER FIREJAILED APPS FROM ACCESSING)-->
	<application>
		<name>kmail</name>
		<mode>blacklist</mode>
		<options>caps.drop all # netfilter # nonewprivs # nogroups # noroot # protocol unix,inet,inet6,netlink # seccomp # tracelog # private-dev</options>
		<paths>${HOME}/.gnupg</paths>
	</application>

	<!--TODO ADD PATHS (EVEN IN BLACKLIST, IT PREVENTS OTHER FIREJAILED APPS FROM ACCESSING)-->
	<application>
		<name>konversation</name>
		<mode>blacklist</mode>
		<options>caps.drop all # netfilter # nogroups # noroot # seccomp # protocol unix,inet,inet6 # private-tmp</options>
	</application>

	<!-- Terminal emulator. Unlike the "default" entry this one omits nonewprivs and noroot,
	     presumably so su and sudo keep working in the shell it starts; confirm that this is
	     intended, because setuid programs run from this terminal can then gain privileges
	     inside the sandbox. -->
	<application>
		<name>lxterminal</name>
		<mode>blacklist</mode>
		<options>caps.drop all # netfilter # protocol unix,inet,inet6 # seccomp</options>
		<genoptions>nodevel</genoptions>
	</application>

	<application>
		<name>Mathematica</name>
		<aliases>mathematica</aliases>
		<mode>whitelist</mode>
		<options>caps.drop all # nonewprivs # noroot # seccomp</options>
		<paths>${HOME}/.Mathematica # ${HOME}/.Wolfram Research # ${HOME}/Documents/Wolfram Mathematica</paths>
	</application>

	<application>
		<name>mcabber</name>
		<mode>blacklist</mode>
		<options>caps.drop all # netfilter # nonewprivs # noroot # protocol inet,inet6 # seccomp # private-bin mcabber # private-etc null # private-dev # shell none # nosound</options>
		<paths>${HOME}/.mcabber</paths>
		<files>${HOME}/.mcabberrc</files>
	</application>

	<application>
		<name>midori</name>
		<mode>whitelist</mode>
		<options>caps.drop all # netfilter # nonewprivs # protocol unix,inet,inet6 # seccomp</options>
		<paths>${HOME}/.config/midori # ${HOME}/.cache/midori # ${DOWNLOADS}</paths>
	</application>

	<application>
		<name>mpv</name>
		<mode>blacklist</mode>
		<options>caps.drop all # netfilter # nonewprivs # noroot # protocol unix,inet,inet6 # seccomp # shell none # private-bin mpv,youtube-dl,python2.7</options>
		<paths>${HOME}/.config/mpv</paths>
	</application>

	<application>
		<name>mupen64plus</name>
		<mode>whitelist</mode>
		<options>caps.drop all # net none # nonewprivs # noroot # seccomp</options>
		<paths>${HOME}/.config/mupen64plus # ${HOME}/.local/share/mupen64plus</paths>
	</application>

	<application>
		<name>netsurf</name>
		<mode>whitelist</mode>
		<options>caps.drop all # netfilter # nonewprivs # noroot # protocol unix,inet,inet6,netlink # seccomp # tracelog</options>
		<paths>${HOME}/.config/netsurf # ${HOME}/.cache/netsurf # ${DOWNLOADS}</paths>
	</application>

	<application>
		<name>okular</name>
		<mode>blacklist</mode>
		<options>read-only ${HOME}/.kde/share/config/kdeglobals # caps.drop all # nonewprivs # nogroups # noroot # private-dev # protocol unix # seccomp # nosound</options>
		<paths>${HOME}/.kde/share/apps/okular</paths>
		<files>${HOME}/.kde/share/config/okularrc # ${HOME}/.kde/share/config/okularpartrc</files>
	</application>

	<application>
		<name>opera</name>
		<mode>whitelist</mode>
		<options>netfilter</options>
		<paths>${HOME}/.opera # ${HOME}/.cache/opera # ${HOME}/.config/opera # ${DOWNLOADS} # ${HOME}/.pki</paths>
	</application>

	<application>
		<name>opera-beta</name>
		<mode>whitelist</mode>
		<options>netfilter</options>
		<paths>${HOME}/.opera-beta # ${HOME}/.cache/opera-beta # ${HOME}/.config/opera-beta # ${DOWNLOADS} # ${HOME}/.pki</paths>
	</application>

	<!--TODO ADD PATHS (EVEN IN BLACKLIST, IT PREVENTS OTHER FIREJAILED APPS FROM ACCESSING)-->
	<application>
		<name>parole</name>
		<mode>blacklist</mode>
		<options>private-etc passwd,group,fonts # private-bin parole,dbus-launch # caps.drop all # netfilter # nonewprivs # noroot # protocol unix,inet,inet6 # seccomp # shell none</options>
	</application>

	<application>
		<name>pidgin</name>
		<mode>blacklist</mode>
		<options>caps.drop all # netfilter # nonewprivs # nogroups # noroot # protocol unix,inet,inet6 # seccomp # shell none # tracelog # private-bin pidgin # private-dev # private-tmp</options>
		<paths>${HOME}/.purple</paths>
	</application>

	<application>
		<name>pix</name>
		<mode>blacklist</mode>
		<options>caps.drop all # nonewprivs # nogroups # noroot # nosound # protocol unix # seccomp # shell none # tracelog # private-bin pix # private-dev # private-tmp</options>
		<paths>${HOME}/.config/pix # ${HOME}/.local/share/pix</paths>
	</application>

	<application>
		<name>empathy</name>
		<mode>whitelist</mode>
		<options>caps.drop all # nonewprivs # noroot # protocol unix,inet,inet6 # seccomp # nogroups</options>
		<paths>${DOWNLOADS} # ${HOME}/.cache/champlain # ${HOME}/.local/share/Empathy # ${HOME}/.local/share/telepathy # ${HOME}/.local/share/TpLogger # ${HOME}/.config/telepathy-account-widgets # ${HOME}/.cache/telepathy # ${HOME}/.purple</paths>
	</application>

	<application>
		<name>polari</name>
		<mode>whitelist</mode>
		<options>caps.drop all # netfilter # nonewprivs # noroot # protocol unix,inet,inet6 # seccomp</options>
		<paths>${DOWNLOADS} # ${HOME}/.local/share/Empathy # ${HOME}/.local/share/telepathy # ${HOME}/.local/share/TpLogger # ${HOME}/.config/telepathy-account-widgets # ${HOME}/.cache/telepathy # ${HOME}/.purple</paths>
	</application>

	<application>
		<name>psi-plus</name>
		<mode>whitelist</mode>
		<options>caps.drop all # netfilter # noroot # protocol unix,inet,inet6 # seccomp</options>
		<paths>${DOWNLOADS} # ${HOME}/.config/psi+ # ${HOME}/.local/share/psi+</paths>
	</application>

	<!--TODO ADD PATHS (EVEN IN BLACKLIST, IT PREVENTS OTHER FIREJAILED APPS FROM ACCESSING)-->
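	<!-- BitTorrent client: all capabilities dropped, seccomp on, private /dev and /tmp,
	     nosound listed once. No paths element yet, so no application directory is
	     declared for this entry. -->
	<application>
		<name>qbittorrent</name>
		<mode>blacklist</mode>
		<options>caps.drop all # netfilter # nonewprivs # noroot # nosound # protocol unix,inet,inet6 # seccomp # private-dev # private-tmp</options>
	</application>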

	<application>
		<name>qtox</name>
		<mode>whitelist</mode>
		<options>caps.drop all # netfilter # nonewprivs # nogroups # noroot # protocol unix,inet,inet6 # seccomp # shell none # tracelog # private-bin qtox # private-tmp</options>
		<paths>${HOME}/.config/tox # ${DOWNLOADS}</paths>
	</application>

	<!--TODO ADD PATHS (EVEN IN BLACKLIST, IT PREVENTS OTHER FIREJAILED APPS FROM ACCESSING)-->
	<application>
		<name>quassel</name>
		<mode>blacklist</mode>
		<options>caps.drop all # nonewprivs # noroot # netfilter # protocol unix,inet,inet6 # seccomp</options>
	</application>

	<application>
		<name>quiterss</name>
		<mode>whitelist</mode>
		<options>caps.drop all # netfilter # nonewprivs # nogroups # noroot # private-bin quiterss # private-dev # nosound # protocol unix,inet,inet6 # seccomp # shell none # tracelog</options>
		<paths>${HOME}/.config/QuiteRss # ${HOME}/.config/QuiteRssrc # ${HOME}/.cache/QuiteRss # ${HOME}/.local/share/QuiteRss</paths>
		<files>${HOME}/quiterssfeeds.opml</files>
	</application>

	<application>
		<name>qutebrowser</name>
		<mode>whitelist</mode>
		<options>caps.drop all # netfilter # nonewprivs # noroot # protocol unix,inet,inet6,netlink # seccomp # tracelog</options>
		<paths>${HOME}/.config/qutebrowser # ${HOME}/.cache/qutebrowser # ${DOWNLOADS}</paths>
	</application>

	<!--TODO ADD PATHS (EVEN IN BLACKLIST, IT PREVENTS OTHER FIREJAILED APPS FROM ACCESSING)-->
	<application>
		<name>rhythmbox</name>
		<mode>blacklist</mode>
		<options>caps.drop all # nogroups # netfilter # nonewprivs # noroot # protocol unix,inet,inet6 # seccomp # shell none # tracelog # private-bin rhythmbox # private-dev # private-tmp</options>
	</application>

	<!--TODO ADD PATHS (EVEN IN BLACKLIST, IT PREVENTS OTHER FIREJAILED APPS FROM ACCESSING)-->
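	<!-- Console BitTorrent client: all capabilities dropped, seccomp on, no shell, only
	     the rtorrent binary in private-bin, private /dev and /tmp, nosound listed once.
	     No paths element yet, so no application directory is declared for this entry. -->
	<application>
		<name>rtorrent</name>
		<mode>blacklist</mode>
		<options>caps.drop all # netfilter # nonewprivs # noroot # nosound # protocol unix,inet,inet6 # seccomp # shell none # private-bin rtorrent # private-dev # private-tmp</options>
	</application>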

	<application>
		<name>skype</name>
		<mode>whitelist</mode>
		<options>noexec ${HOME}/ # noexec /tmp/ # caps.drop all # protocol inet,inet6,unix # seccomp # noroot # private-etc resolv.conf,hosts,fonts,pulse # private-bin skype,bash # ipc-namespace</options>
		<paths>${HOME}/.Skype # ${DOWNLOADS}</paths>
	</application>

	<application>
		<name>skypeforlinux</name>
		<mode>blacklist</mode>
		<options>caps.drop all # netfilter # noroot # seccomp # protocol unix,inet,inet6,netlink</options>
		<genoptions>nodevel</genoptions>
		<paths>${HOME}/.config/skypeforlinux</paths>
	</application>

	<application>
		<name>slack</name>
		<mode>whitelist</mode>
		<options>protocol unix,inet,inet6,netlink # private-dev # private-tmp # private-etc fonts,resolv.conf,ld.so.conf,ld.so.cache,localtime # name slack # blacklist /var # caps.drop all # seccomp # netfilter # nonewprivs # nogroups # noroot # shell none # private-bin slack</options>
		<paths>${HOME}/.config/Slack # ${DOWNLOADS}</paths>
	</application>

	<application>
		<name>spotify</name>
		<mode>whitelist</mode>
		<options>caps.drop all # netfilter # nogroups # nonewprivs # noroot # protocol unix,inet,inet6,netlink # seccomp # shell none # private-bin spotify # private-etc fonts,machine-id,pulse,resolv.conf # private-dev # private-tmp # blacklist ${HOME}/.Xauthority # blacklist ${HOME}/.bashrc # blacklist /boot # blacklist /lost+found # blacklist /media # blacklist /mnt # blacklist /opt # blacklist /root # blacklist /sbin # blacklist /srv # blacklist /sys # blacklist /var</options>
		<paths>${HOME}/.config/spotify # ${HOME}/.cache/spotify # ${HOME}/.local/share/spotify</paths>
	</application>

	<application>
		<name>ssh</name>
		<mode>blacklist</mode>
		<options>caps.drop all # netfilter # nonewprivs # noroot # protocol unix,inet,inet6 # seccomp # quiet</options>
		<paths>${HOME}/.ssh # /tmp/ssh-*</paths>
	</application>

	<!-- TODO ADD MORE GAMES AND CONVERT TO WHITELIST -->
	<application>
		<name>steam</name>
		<aliases>steam-native</aliases>
		<mode>blacklist</mode>
		<options>caps.drop all # netfilter # nonewprivs # noroot # protocol unix,inet,inet6,netlink # seccomp</options>
		<paths>${HOME}/.steampath # ${HOME}/.steampid # ${HOME}/.steam # ${HOME}/.local/share/Steam # ${HOME}/.local/share/steam # ${HOME}/My Games # ${HOME}/.killingfloor # ${HOME}/.local/share/aspyr-media # ${HOME}/.local/share/feral-interactive # ${HOME}/.local/share/3909/PapersPlease # ${HOME}/.local/share/SuperHexagon # ${HOME}/.local/share/vulkan # ${HOME}/.local/share/vpltd # ${HOME}/.nv # ${HOME}/.local/share/Terraria # ${HOME}/.local/share/cdprojektred</paths>
	</application>

	<application>
		<name>stellarium</name>
		<mode>whitelist</mode>
		<options>caps.drop all # netfilter # nogroups # nonewprivs # noroot # nosound # protocol unix,inet,inet6,netlink # seccomp # shell none # tracelog # private-bin stellarium # private-dev # private-tmp</options>
		<paths>${HOME}/.stellarium # ${HOME}/.config/stellarium</paths>
	</application>

	<!-- telegram (alias Telegram): blacklist mode with exactly the `default` option set;
	     no private-dev, private-tmp or shell none. -->
	<application>
		<name>telegram</name>
		<aliases>Telegram</aliases>
		<mode>blacklist</mode>
		<options>caps.drop all # netfilter # nonewprivs # noroot # protocol unix,inet,inet6 # seccomp</options>
		<paths>${HOME}/.TelegramDesktop</paths>
	</application>

	<!-- totem: blacklist mode; the same directives as the `default` entry, written in a
	     different order. -->
	<application>
		<name>totem</name>
		<mode>blacklist</mode>
		<options>caps.drop all # nonewprivs # noroot # netfilter # protocol unix,inet,inet6 # seccomp</options>
		<paths>${HOME}/.config/totem # ${HOME}/.local/share/totem</paths>
	</application>

	<!-- transmission-cli (and the qt/gtk front ends): blacklist mode; baseline options plus
	     nosound, shell none, tracelog, private /dev and private /tmp.
	     NOTE(review): this client parses data from arbitrary peers; consider whether a
	     whitelist entry (config plus ${DOWNLOADS}, as uget-gtk does) would fit. -->
	<application>
		<name>transmission-cli</name>
		<aliases>transmission-qt # transmission-gtk</aliases>
		<mode>blacklist</mode>
		<options>caps.drop all # netfilter # nonewprivs # noroot # nosound # protocol unix,inet,inet6 # seccomp # shell none # tracelog # private-dev # private-tmp</options>
		<paths>${HOME}/.config/transmission # ${HOME}/.cache/transmission</paths>
	</application>

	<!-- uget-gtk: whitelist mode; <paths> lists its config directory and ${DOWNLOADS}.
	     private-bin restricts /bin to uget-gtk itself; /dev and /tmp are private. -->
	<application>
		<name>uget-gtk</name>
		<mode>whitelist</mode>
		<options>caps.drop all # netfilter # nonewprivs # noroot # protocol unix,inet,inet6 # seccomp # shell none # private-bin uget-gtk # private-dev # nosound # private-tmp</options>
		<paths>${HOME}/.config/uGet # ${DOWNLOADS}</paths>
	</application>

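	<!-- unbound: no caps.drop, noroot or nonewprivs here (presumably because the resolver
	     needs privileges at start-up; TODO confirm). Instead `private` hides the real home
	     directories and seccomp.drop denies an explicit syscall list, each syscall named
	     once. /sbin and /usr/sbin are listed under noblacklistexplicit. -->
	<application>
		<name>unbound</name>
		<mode>blacklist</mode>
		<options>private # private-dev # nosound # seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,open_by_handle_at,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice</options>
		<noblacklistexplicit>/sbin # /usr/sbin</noblacklistexplicit>
	</application>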

	<!-- vivaldi (alias vivaldi-beta): whitelist mode with `netfilter` as the only option;
	     no caps.drop, seccomp, noroot or nonewprivs.
	     NOTE(review): presumably left off so the browser's own sandbox keeps working;
	     confirm, since confinement here rests mostly on the <paths> list. -->
	<application>
		<name>vivaldi</name>
		<aliases>vivaldi-beta</aliases>
		<mode>whitelist</mode>
		<options>netfilter</options>
		<paths>${DOWNLOADS} # ${HOME}/.config/vivaldi # ${HOME}/.cache/vivaldi # ${HOME}/.pki</paths>
	</application>

	<!-- vlc: blacklist mode; baseline options plus nogroups, netlink in the protocol list,
	     shell none, private /dev and /tmp. private-bin admits the vlc front-end binaries
	     only (vlc, cvlc, nvlc, rvlc, qvlc, svlc). -->
	<application>
		<name>vlc</name>
		<mode>blacklist</mode>
		<options>caps.drop all # netfilter # nogroups # nonewprivs # noroot # protocol unix,inet,inet6,netlink # seccomp # shell none # private-bin vlc,cvlc,nvlc,rvlc,qvlc,svlc # private-dev # private-tmp</options>
		<paths>${HOME}/.config/vlc</paths>
	</application>

	<!-- warzone2100: whitelist mode; <paths> names a version-specific directory
	     (.warzone2100-3.1), so another game version would need its own path added.
	     /bin is restricted to the game binary; /dev and /tmp are private. -->
	<application>
		<name>warzone2100</name>
		<mode>whitelist</mode>
		<options>caps.drop all # netfilter # nogroups # nonewprivs # noroot # protocol unix,inet,inet6,netlink # seccomp # shell none # tracelog # private-bin warzone2100 # private-dev # private-tmp</options>
		<paths>${HOME}/.warzone2100-3.1</paths>
	</application>

	<!-- weechat (alias weechat-curses): blacklist mode with exactly the `default` option
	     set; <paths> lists ${HOME}/.weechat. -->
	<application>
		<name>weechat</name>
		<aliases>weechat-curses</aliases>
		<mode>blacklist</mode>
		<options>caps.drop all # netfilter # nonewprivs # noroot # protocol unix,inet,inet6 # seccomp</options>
		<paths>${HOME}/.weechat</paths>
	</application>

	<!-- wesnoth: whitelist mode; the `default` option set without netfilter, plus a
	     private /dev. <paths> lists its config, cache and data directories. -->
	<application>
		<name>wesnoth</name>
		<mode>whitelist</mode>
		<options>caps.drop all # nonewprivs # noroot # protocol unix,inet,inet6 # seccomp # private-dev</options>
		<paths>${HOME}/.config/wesnoth # ${HOME}/.cache/wesnoth # ${HOME}/.local/share/wesnoth</paths>
	</application>

	<!-- wine: blacklist mode; the `default` option set minus the protocol directive, so
	     socket address families are not restricted for programs run under wine. -->
	<application>
		<name>wine</name>
		<mode>blacklist</mode>
		<options>caps.drop all # netfilter # nonewprivs # noroot # seccomp</options>
		<paths>${HOME}/.wine # ${HOME}/.wine64</paths>
	</application>

	<!-- xchat: whitelist mode; the `default` option set without netfilter. <paths> lists
	     its config directory and ${DOWNLOADS}. -->
	<application>
		<name>xchat</name>
		<mode>whitelist</mode>
		<options>caps.drop all # nonewprivs # noroot # protocol unix,inet,inet6 # seccomp</options>
		<paths>${HOME}/.config/xchat # ${DOWNLOADS}</paths>
	</application>

	<!-- xplayer: blacklist mode; baseline options plus nogroups, shell none, tracelog and
	     private /dev and /tmp. private-bin admits the player and its two helper binaries
	     (audio preview, video thumbnailer). -->
	<application>
		<name>xplayer</name>
		<mode>blacklist</mode>
		<options>caps.drop all # netfilter # nonewprivs # nogroups # noroot # protocol unix,inet,inet6 # seccomp # shell none # tracelog # private-bin xplayer,xplayer-audio-preview,xplayer-video-thumbnailer # private-dev # private-tmp</options>
		<paths>${HOME}/.config/xplayer # ${HOME}/.local/share/xplayer</paths>
	</application>

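	<!-- xreader: blacklist mode document viewer limited to unix sockets (protocol unix),
	     no sound, private /dev and /tmp. The private-bin list is comma-separated with no
	     spaces, like every other private-bin list in this file; a space after a comma may
	     be read as part of the program name, which would leave the previewer and
	     thumbnailer out of the sandbox's /bin. -->
	<application>
		<name>xreader</name>
		<mode>blacklist</mode>
		<options>caps.drop all # nogroups # nonewprivs # noroot # nosound # protocol unix # seccomp # shell none # tracelog # private-bin xreader,xreader-previewer,xreader-thumbnailer # private-dev # private-tmp</options>
		<paths>${HOME}/.config/xreader # ${HOME}/.cache/xreader # ${HOME}/.local/share/xreader</paths>
	</application>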

	<!-- xviewer: blacklist mode image viewer limited to unix sockets (protocol unix), no
	     sound, /bin restricted to xviewer, private /dev and /tmp, tracelog enabled. -->
	<application>
		<name>xviewer</name>
		<mode>blacklist</mode>
		<options>caps.drop all # nogroups # nonewprivs # noroot # nosound # protocol unix # seccomp # shell none # tracelog # private-dev # private-bin xviewer # private-tmp</options>
		<paths>${HOME}/.config/xviewer</paths>
	</application>

	<!-- uudeview: decoder run with net none, a fixed hostname and a private-etc entry whose
	     name (nonexisting_fakefile_for_empty_etc) indicates an intentionally empty /etc.
	     NOTE(review): netfilter and the inet/inet6 protocol families look redundant next
	     to net none, and noroot is not set, unlike most entries; confirm both. -->
	<application>
		<name>uudeview</name>
		<mode>blacklist</mode>
		<options>quiet # tracelog # net none # shell none # private-bin uudeview # private-dev # private-etc nonexisting_fakefile_for_empty_etc # hostname uudeview # nosound # caps.drop all # netfilter # nonewprivs # protocol unix,inet,inet6 # seccomp</options>
	</application>

	<!-- teamspeak3: whitelist mode; the `default` option set without nonewprivs.
	     NOTE(review): confirm nonewprivs was left out on purpose. -->
	<application>
		<name>teamspeak3</name>
		<mode>whitelist</mode>
		<options>caps.drop all # netfilter # noroot # protocol unix,inet,inet6 # seccomp</options>
		<paths>${HOME}/.ts3client # ${DOWNLOADS}</paths>
	</application>

	<!-- linphone: whitelist mode with caps.drop all, noroot and seccomp only; there is no
	     nonewprivs and no protocol restriction. Its rc file and history database are
	     given as single files under <files> rather than as directories. -->
	<application>
		<name>linphone</name>
		<mode>whitelist</mode>
		<options>caps.drop all # noroot # seccomp</options>
		<paths>${DOWNLOADS}</paths>
		<files>${HOME}/.linphonerc # ${HOME}/.linphone-history.db</files>
	</application>

	<!-- mpd: blacklist mode; private /dev, /bin restricted to mpd and bash, caps.drop all,
	     noroot and seccomp. No nonewprivs, protocol or shell none directive.
	     NOTE(review): bash stays available inside the sandbox; confirm mpd needs it. -->
	<application>
		<name>mpd</name>
		<mode>blacklist</mode>
		<options>private-dev # private-bin mpd,bash # caps.drop all # noroot # seccomp</options>
		<files>${HOME}/.mpdconf</files>
	</application>

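	<!-- openshot: blacklist mode video editor limited to unix sockets (protocol unix).
	     /bin is restricted to openshot and python, /dev is private, and each directive
	     (including noroot) is listed once. -->
	<application>
		<name>openshot</name>
		<mode>blacklist</mode>
		<options>private-bin openshot,python # private-dev # noroot # protocol unix # shell none # seccomp # caps.drop all # nonewprivs</options>
		<paths>${HOME}/.openshot # ${HOME}/.openshot_qt</paths>
	</application>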

	<!-- scribus: blacklist mode, unix sockets only; /bin restricted to scribus and gs
	     (Ghostscript), private /dev. nonewprivs is not set in this entry. -->
	<application>
		<name>scribus</name>
		<mode>blacklist</mode>
		<options>private-bin scribus,gs # private-dev # noroot # protocol unix # shell none # seccomp # caps.drop all</options>
		<paths>${HOME}/.scribus</paths>
	</application>

	<!-- virtualbox: blacklist mode with caps.drop all as the only option; no seccomp,
	     noroot or nonewprivs. The vbox device nodes and the launcher binary are listed
	     under noblacklistexplicit.
	     NOTE(review): presumably the hypervisor breaks under the stricter directives;
	     confirm, as this entry provides little confinement beyond the path lists. -->
	<application>
		<name>virtualbox</name>
		<mode>blacklist</mode>
		<options>caps.drop all</options>
		<paths>${HOME}/.config/VirtualBox # ${HOME}/.VirtualBox # ${HOME}/VirtualBox VMs</paths>
		<noblacklistexplicit>/dev/vboxdrv # /dev/vboxdrvu # /dev/vboxnetctl # /usr/bin/virtualbox</noblacklistexplicit>
	</application>

	<!-- gnome-2048: whitelist mode with exactly the `default` option set; <paths> lists
	     only its data directory. -->
	<application>
		<name>gnome-2048</name>
		<mode>whitelist</mode>
		<options>caps.drop all # netfilter # nonewprivs # noroot # protocol unix,inet,inet6 # seccomp</options>
		<paths>${HOME}/.local/share/gnome-2048</paths>
	</application>

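	<!-- gnome-maps: blacklist mode with the `default` option set. <paths> lists the
	     libchamplain tile cache; <files> names the places store under the XDG data
	     directory ${HOME}/.local/share (not a hidden ".share" directory). -->
	<application>
		<name>gnome-maps</name>
		<mode>blacklist</mode>
		<options>caps.drop all # netfilter # nonewprivs # noroot # protocol unix,inet,inet6 # seccomp</options>
		<paths>${HOME}/.cache/champlain</paths>
		<files>${HOME}/.local/share/maps-places.json</files>
	</application>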

	<!-- gnome-music: blacklist mode with exactly the `default` option set; nosound is
	     (necessarily) absent for a music player. -->
	<application>
		<name>gnome-music</name>
		<mode>blacklist</mode>
		<options>caps.drop all # netfilter # nonewprivs # noroot # protocol unix,inet,inet6 # seccomp</options>
		<paths>${HOME}/.local/share/gnome-music</paths>
	</application>

	<!-- lollypop: blacklist mode with exactly the `default` option set; <paths> lists its
	     data directory. -->
	<application>
		<name>lollypop</name>
		<mode>blacklist</mode>
		<options>caps.drop all # netfilter # nonewprivs # noroot # protocol unix,inet,inet6 # seccomp</options>
		<paths>${HOME}/.local/share/lollypop</paths>
	</application>

	<!-- gnome-weather: whitelist mode with exactly the `default` option set; <paths> lists
	     the libgweather cache only. -->
	<application>
		<name>gnome-weather</name>
		<mode>whitelist</mode>
		<options>caps.drop all # netfilter # nonewprivs # noroot # protocol unix,inet,inet6 # seccomp</options>
		<paths>${HOME}/.cache/libgweather</paths>
	</application>

	<!-- xonotic (aliases xonotic-sdl, xonotic-glx): whitelist mode with exactly the
	     `default` option set; <paths> lists ${HOME}/.xonotic. -->
	<application>
		<name>xonotic</name>
		<aliases>xonotic-sdl # xonotic-glx</aliases>
		<mode>whitelist</mode>
		<options>caps.drop all # netfilter # nonewprivs # noroot # protocol unix,inet,inet6 # seccomp</options>
		<paths>${HOME}/.xonotic</paths>
	</application>

	<!-- arduino: whitelist mode with exactly the `default` option set. Neither private-dev
	     nor nogroups is set, so device nodes and supplementary groups stay as on the host
	     (presumably needed to reach the board's serial port; confirm). -->
	<application>
		<name>arduino</name>
		<mode>whitelist</mode>
		<options>caps.drop all # netfilter # nonewprivs # noroot # protocol unix,inet,inet6 # seccomp</options>
		<paths>${HOME}/Arduino # ${HOME}/.arduino15</paths>
	</application>

	<!-- bless: blacklist mode with exactly the `default` option set.
	     NOTE(review): a hex editor is unlikely to need inet/inet6; protocol unix may be
	     enough. Confirm before tightening. -->
	<application>
		<name>bless</name>
		<mode>blacklist</mode>
		<options>caps.drop all # netfilter # nonewprivs # noroot # protocol unix,inet,inet6 # seccomp</options>
		<paths>${HOME}/.config/bless</paths>
	</application>

	<!-- jd-gui: blacklist mode with exactly the `default` option set; its single config
	     file is given under <files>. -->
	<application>
		<name>jd-gui</name>
		<mode>blacklist</mode>
		<options>caps.drop all # netfilter # nonewprivs # noroot # protocol unix,inet,inet6 # seccomp</options>
		<files>${HOME}/.config/jd-gui.cfg</files>
	</application>

	<!-- redshift (alias redshift-gtk): whitelist mode with exactly the `default` option
	     set; only its config file is listed, under <files>. -->
	<application>
		<name>redshift</name>
		<aliases>redshift-gtk</aliases>
		<mode>whitelist</mode>
		<options>caps.drop all # netfilter # nonewprivs # noroot # protocol unix,inet,inet6 # seccomp</options>
		<files>${HOME}/.config/redshift.conf</files>
	</application>

	<!-- mupdf: blacklist mode PDF viewer limited to unix sockets, with the whole home
	     directory mounted read-only and private /dev and /tmp.
	     NOTE(review): private-bin still admits sh, tempfile and rm next to mupdf;
	     confirm the launcher needs them. -->
	<application>
		<name>mupdf</name>
		<mode>blacklist</mode>
		<options>caps.drop all # nogroups # nonewprivs # noroot # nosound # protocol unix # seccomp # netfilter # shell none # tracelog # private-bin mupdf,sh,tempfile,rm # private-tmp # private-dev # read-only ${HOME}</options>
	</application>

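	<!-- qpdfview: blacklist mode PDF viewer with net none, unix sockets only, noexec on
	     ${HOME} and /tmp, and private /bin, /dev, /etc and /tmp. The option list ends on
	     its last directive with no dangling separator.
	     NOTE(review): unlike the neighbouring luminance-hdr and synfigstudio entries,
	     this list has no seccomp or shell none; the list may have been cut short, so
	     confirm whether they were meant to follow "protocol unix". -->
	<application>
		<name>qpdfview</name>
		<mode>blacklist</mode>
		<options>caps.drop all # ipc-namespace # net none # noexec ${HOME} # noexec /tmp # nogroups # nonewprivs # noroot # nosound # private-bin qpdfview # private-dev # private-etc fonts,X11,alternatives # private-tmp # protocol unix</options>
		<paths>${HOME}/.config/qpdfview # ${HOME}/.local/share/qpdfview</paths>
	</application>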

	<!-- luminance-hdr (alias luminance-hdr-cli): blacklist mode with net none, noexec on
	     ${HOME} and /tmp, and private /bin, /dev and /etc. nonewprivs is not set.
	     genoptions nodevel is a generator-level switch whose effect is not visible in
	     this file. -->
	<application>
		<name>luminance-hdr</name>
		<aliases>luminance-hdr-cli</aliases>
		<mode>blacklist</mode>
		<genoptions>nodevel</genoptions>
		<options>caps.drop all # ipc-namespace # net none # noexec ${HOME} # noexec /tmp # nogroups # noroot # nosound # private-bin luminance-hdr,luminance-hdr-cli,align_image_stack # private-dev # private-etc fonts,X11,alternatives # seccomp # shell none</options>
		<paths>${HOME}/.LuminanceHDR # ${HOME}/.config/Luminance</paths>
	</application>

	<!-- synfigstudio: blacklist mode with net none, noexec on ${HOME} and /tmp, and
	     private /bin, /dev and /etc (the /etc list keeps the synfig config entries).
	     nonewprivs and nogroups are not set. -->
	<application>
		<name>synfigstudio</name>
		<mode>blacklist</mode>
		<options>caps.drop all # ipc-namespace # net none # noexec ${HOME} # noexec /tmp # noroot # private-bin synfigstudio # private-dev # private-etc fonts,X11,synfig,synfig_modules.cfg # seccomp # shell none</options>
		<paths>${HOME}/.synfig</paths>
	</application>

	<!-- brackets: blacklist mode with only private-bin and private-dev; no caps.drop,
	     seccomp, noroot or nonewprivs. private-bin admits bash and google-chrome, and
	     /opt/brackets and /opt/google are listed under noblacklistexplicit.
	     NOTE(review): confirm the missing hardening directives are intentional. -->
	<application>
		<name>brackets</name>
		<mode>blacklist</mode>
		<options>private-bin bash,brackets,readlink,dirname,google-chrome,cat # private-dev</options>
		<noblacklistexplicit>/opt/brackets # /opt/google</noblacklistexplicit>
		<paths>${HOME}/.config/Brackets</paths>
	</application>

	<!-- gimp: blacklist mode, unix sockets only, noexec on ${HOME} and /tmp, private /dev
	     and /tmp. <paths> uses a glob (.gimp*) to match version-suffixed directories.
	     genoptions nodevel is a generator-level switch whose effect is not visible in
	     this file. -->
	<application>
		<name>gimp</name>
		<mode>blacklist</mode>
		<genoptions>nodevel</genoptions>
		<options>caps.drop all # netfilter # nonewprivs # noroot # protocol unix # seccomp # private-dev # private-tmp # noexec ${HOME} # noexec /tmp # nogroups # nosound</options>
		<paths>${HOME}/.gimp*</paths>
	</application>

	<!-- inkscape: blacklist mode with the same option list as the gimp entry: unix
	     sockets only, noexec on ${HOME} and /tmp, private /dev and /tmp, no sound. -->
	<application>
		<name>inkscape</name>
		<mode>blacklist</mode>
		<genoptions>nodevel</genoptions>
		<options>caps.drop all # netfilter # nonewprivs # noroot # protocol unix # seccomp # private-dev # private-tmp # noexec ${HOME} # noexec /tmp # nogroups # nosound</options>
		<paths>${HOME}/.inkscape</paths>
	</application>

	<!-- lmms: blacklist mode with net none, noexec on /home and /tmp, private /dev and a
	     private /etc that keeps fonts and pulse. There is no private-bin or nonewprivs
	     in this entry. -->
	<application>
		<name>lmms</name>
		<mode>blacklist</mode>
		<options>private-dev # private-etc fonts,pulse # noexec /home # noexec /tmp # shell none # seccomp # caps.drop all # net none # noroot # nogroups # ipc-namespace</options>
		<files>${HOME}/.lmmsrc.xml</files>
	</application>

	<!-- cin: blacklist mode with net none, noexec on /home and /tmp, /bin restricted to
	     cin, private /dev and a private /etc that keeps fonts and pulse. nonewprivs is
	     not set. -->
	<application>
		<name>cin</name>
		<mode>blacklist</mode>
		<options>caps.drop all # ipc-namespace # net none # noexec /home # noexec /tmp # nogroups # noroot # private-bin cin # private-dev # private-etc fonts,pulse # seccomp # shell none</options>
		<paths>${HOME}/.bcast5</paths>
	</application>

	<!-- feh: blacklist mode image viewer with net none, unix sockets only, /bin restricted
	     to feh, and private /dev, /etc and /tmp. netfilter appears redundant next to
	     net none. -->
	<application>
		<name>feh</name>
		<mode>blacklist</mode>
		<options>caps.drop all # seccomp # protocol unix # netfilter # net none # nonewprivs # noroot # nogroups # nosound # shell none # private-bin feh # private-dev # private-etc feh # private-tmp</options>
	</application>

	<!-- zathura: blacklist mode document viewer with net none and unix sockets only. The
	     home directory is mounted read-only, then ~/.local/share/zathura/ is reopened
	     read-write; the order of those two directives matters. This entry writes the
	     home directory as "~/" where the rest of the file uses ${HOME}. -->
	<application>
		<name>zathura</name>
		<mode>blacklist</mode>
		<options>caps.drop all # seccomp # protocol unix # netfilter # nonewprivs # noroot # nogroups # nosound # net none # private-tmp # shell none # private-bin zathura # private-dev # private-etc fonts # whitelist /tmp/.X11-unix # read-only ~/ # read-write ~/.local/share/zathura/</options>
		<paths>${HOME}/.config/zathura # ${HOME}/.local/share/zathura</paths>
	</application>

	<!-- ranger: blacklist mode file manager with net none and unix sockets only. No
	     private-bin or shell none, so programs it launches are not limited by this
	     entry; the perl binary and library paths are listed under noblacklistexplicit. -->
	<application>
		<name>ranger</name>
		<mode>blacklist</mode>
		<options>caps.drop all # netfilter # net none # nonewprivs # noroot # nogroups # protocol unix # seccomp # nosound # private-tmp # private-dev</options>
		<noblacklistexplicit>/usr/bin/perl # /usr/share/perl* # /usr/lib/perl*</noblacklistexplicit>
	</application>

	<!-- keepass: blacklist mode password manager with private /dev and /tmp.
	     NOTE(review): the protocol list keeps inet and inet6, whereas the keepassx entry
	     is limited to unix; confirm this password database client needs network
	     sockets (for example for plugins or update checks). -->
	<application>
		<name>keepass</name>
		<mode>blacklist</mode>
		<options>caps.drop all # nogroups # nonewprivs # noroot # nosound # protocol unix,inet,inet6 # seccomp # netfilter # shell none # private-tmp # private-dev</options>
		<paths>${HOME}/.config/keepass # ${HOME}/.keepass</paths>
	</application>

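	<!-- keepassx (alias keepassx2): blacklist mode password manager limited to unix
	     sockets, so it cannot open inet/inet6 sockets; private /dev and /tmp. The option
	     list carries no trailing whitespace after its last directive. -->
	<application>
		<name>keepassx</name>
		<aliases>keepassx2</aliases>
		<mode>blacklist</mode>
		<options>caps.drop all # nogroups # nonewprivs # noroot # nosound # protocol unix # seccomp # netfilter # shell none # private-tmp # private-dev</options>
		<paths>${HOME}/.config/keepassx # ${HOME}/.keepassx</paths>
	</application>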

	<!-- calligra suite: blacklist mode with net none, noexec on /home and /tmp, and private
	     /bin, /dev and /etc. private-bin admits dbus-launch and /tmp/dbus_session_socket
	     is listed under noblacklistexplicit, so the session bus stays reachable.
	     nonewprivs and private-tmp are not set. -->
	<application>
		<name>calligra</name>
		<aliases>calligraauthor # calligraconverter # calligraflow # calligraplan # calligraplanwork # calligrasheets # calligrastage # calligrawords</aliases>
		<mode>blacklist</mode>
		<options>private-bin calligra,calligraauthor,calligraconverter,calligraflow,calligraplan,calligraplanwork,calligrasheets,calligrastage,calligrawords,dbus-launch # private-dev # private-etc fonts,passwd,alternatives,X11 # noexec /home # noexec /tmp # shell none # seccomp # caps.drop all # net none # noroot # nogroups # ipc-namespace</options>
		<noblacklistexplicit>/tmp/dbus_session_socket</noblacklistexplicit>
	</application>

	<!-- blender: blacklist mode with net none, noexec on /home and /tmp, /bin restricted to
	     blender, private /dev and a private /etc that keeps only pulse. nonewprivs is
	     not set. -->
	<application>
		<name>blender</name>
		<mode>blacklist</mode>
		<options>private-bin blender # private-dev # private-etc pulse # noexec /home # noexec /tmp # shell none # seccomp # caps.drop all # net none # noroot # nogroups # ipc-namespace</options>
		<paths>${HOME}/.config/blender</paths>
	</application>

	<!-- google-earth: whitelist mode; network stays enabled (no net none) and private-etc
	     keeps resolv.conf for name resolution. private-bin admits sh and several
	     coreutils next to the launcher. No nonewprivs or protocol directive. -->
	<application>
		<name>google-earth</name>
		<mode>whitelist</mode>
		<options>private-bin google-earth,sh,grep,sed,ls,dirname # private-dev # private-etc fonts,resolv.conf,X11,alternatives,pulse # noexec /home # noexec /tmp # shell none # seccomp # caps.drop all # noroot # nogroups # ipc-namespace</options>
		<paths>${HOME}/.googleearth/Cache/ # ${HOME}/.googleearth/Temp/ # ${HOME}/.config/Google</paths>
		<files>${HOME}/.googleearth/myplaces.kml # ${HOME}/.googleearth/myplaces.backup.kml</files>
	</application>

	<!-- flowblade: blacklist mode with net none, nonewprivs, noexec on /home and /tmp, and
	     private /bin (python, flowblade), /dev and /etc. -->
	<application>
		<name>flowblade</name>
		<mode>blacklist</mode>
		<options>private-bin python,flowblade # private-dev # private-etc pulse,fonts,alternatives,X11 # noexec /home # noexec /tmp # shell none # seccomp # caps.drop all # net none # noroot # nogroups # ipc-namespace # nonewprivs</options>
		<paths>${HOME}/.flowblade # ${HOME}/.config/flowblade</paths>
	</application>

	<!-- kdenlive: blacklist mode with net none and private /bin, /dev and /etc. The
	     private-bin list is long (renderers, ffmpeg tools, players, kdeinit helpers), and
	     /tmp/dbus_session_socket is listed under noblacklistexplicit. No noexec,
	     nonewprivs or ipc-namespace directive. -->
	<application>
		<name>kdenlive</name>
		<mode>blacklist</mode>
		<options>private-bin kdenlive,kdenlive_render,dbus-launch,melt,ffmpeg,ffplay,ffprobe,dvdauthor,genisoimage,vlc,xine,kdeinit5,kshell5,kdeinit5_shutdown,kdeinit5_wrapper,kdeinit4,kshell4,kdeinit4_shutdown,kdeinit4_wrapper # private-dev # private-etc fonts,alternatives,X11,pulse,passwd # shell none # seccomp # caps.drop all # net none # noroot # nogroups</options>
		<noblacklistexplicit>/tmp/dbus_session_socket</noblacklistexplicit>
	</application>

	<!-- natron: blacklist mode with private /bin and /etc, noexec on ${HOME} and /tmp, and
	     ipc-namespace. There is no caps.drop, seccomp, noroot, nonewprivs, net none or
	     private-dev, unlike the other media editors in this file.
	     NOTE(review): confirm the missing hardening directives are intentional. -->
	<application>
		<name>natron</name>
		<mode>blacklist</mode>
		<options>private-bin natron # private-etc fonts,X11,pulse # whitelist /tmp/.X11-unix/ # noexec ${HOME} # noexec /tmp # shell none # ipc-namespace</options>
		<paths>${HOME}/.Natron # ${HOME}/.cache/INRIA # ${HOME}/.config/INRIA</paths>
		<noblacklistexplicit>/opt/natron/</noblacklistexplicit>
	</application>

	<!-- darktable: blacklist mode with net none, no sound, noexec on ${HOME} and /tmp, and
	     private /bin, /dev and /etc. nonewprivs is not set. -->
	<application>
		<name>darktable</name>
		<mode>blacklist</mode>
		<options>private-bin darktable # private-dev # private-etc fonts,X11,alternatives # noexec ${HOME} # noexec /tmp # shell none # seccomp # caps.drop all # net none # noroot # nosound # nogroups # ipc-namespace</options>
		<paths>${HOME}/.config/darktable # ${HOME}/.cache/darktable</paths>
	</application>

	<!-- zart: blacklist mode with net none, noexec on ${HOME} and /tmp, and private /bin
	     (zart plus ffmpeg/melt tools), /dev and /etc. No <paths> entry; nonewprivs and
	     nogroups are not set. -->
	<application>
		<name>zart</name>
		<mode>blacklist</mode>
		<options>private-bin zart,ffmpeg,melt,ffprobe,ffplay # private-etc fonts,X11 # private-dev # noexec ${HOME} # noexec /tmp # shell none # noroot # ipc-namespace # net none # seccomp # caps.drop all</options>
	</application>

	<!-- shotcut: blacklist mode with net none, noexec on ${HOME} and /tmp, and private /bin
	     (shotcut, melt, qmelt, nice), /dev and /etc. nonewprivs is not set. -->
	<application>
		<name>shotcut</name>
		<mode>blacklist</mode>
		<options>private-bin shotcut,melt,qmelt,nice # private-dev # private-etc X11,alternatives,pulse,fonts # noexec ${HOME} # noexec /tmp # shell none # seccomp # caps.drop all # net none # noroot # nogroups</options>
		<paths>${HOME}/.config/Meltytech</paths>
	</application>

	<!-- mutt: blacklist mode mail client. noblacklistexplicit lists the mail store,
	     mailcap and ${HOME}/.gnupg, so OpenPGP key material stays reachable from a
	     process that parses untrusted mail.
	     NOTE(review): ${DOWNLOADS} (a directory elsewhere in this file) and ${HOME}/.mutt
	     appear under <files> here; confirm the generator treats them as intended. -->
	<application>
		<name>mutt</name>
		<mode>blacklist</mode>
		<options>caps.drop all # netfilter # nogroups # nonewprivs # noroot # nosound # protocol unix,inet,inet6 # seccomp # shell none # private-dev</options>
		<paths>${HOME}/.cache/mutt</paths>
		<files>${HOME}/.mutt # ${HOME}/.muttrc # ${DOWNLOADS}</files>
		<noblacklistexplicit>${HOME}/.mail # ${HOME}/.mailcap # ${HOME}/.gnupg</noblacklistexplicit>
	</application>

	<!-- claws-mail: blacklist mode mail client with private /dev and /tmp.
	     noblacklistexplicit lists ${HOME}/.signature and ${HOME}/.gnupg, so OpenPGP key
	     material stays reachable from a process that parses untrusted mail. -->
	<application>
		<name>claws-mail</name>
		<mode>blacklist</mode>
		<options>caps.drop all # netfilter # nonewprivs # noroot # nogroups # nosound # protocol unix,inet,inet6 # seccomp # shell none # private-dev # private-tmp</options>
		<paths>${HOME}/.claws-mail # ${DOWNLOADS}</paths>
		<noblacklistexplicit>${HOME}/.signature # ${HOME}/.gnupg</noblacklistexplicit>
	</application>

	<!-- git: blacklist mode with `quiet` so firejail prints nothing of its own.
	     noblacklistexplicit lists ${HOME}/.gitconfig, ${HOME}/.ssh and ${HOME}/.gnupg,
	     presumably for ssh remotes and commit signing; the trade-off is that ssh and
	     OpenPGP keys are reachable by anything git executes (hooks, helpers). -->
	<application>
		<name>git</name>
		<mode>blacklist</mode>
		<options>quiet # caps.drop all # netfilter # nonewprivs # noroot # nogroups # nosound # protocol unix,inet,inet6 # seccomp # shell none # private-dev</options>
		<noblacklistexplicit>${HOME}/.gitconfig # ${HOME}/.ssh # ${HOME}/.gnupg</noblacklistexplicit>
	</application>

	<!-- ricochet: whitelist mode; /bin restricted to ricochet and tor, private /dev, and a
	     private /etc that keeps the tor configuration. noexec on /home and /tmp. No
	     nonewprivs or protocol directive. -->
	<application>
		<name>ricochet</name>
		<mode>whitelist</mode>
		<options>private-bin ricochet,tor # private-dev # private-etc fonts,tor,X11,alternatives # noexec /home # noexec /tmp # shell none # seccomp # caps.drop all # noroot # nogroups # ipc-namespace</options>
		<paths>${HOME}/.local/share/Ricochet # ${DOWNLOADS}</paths>
	</application>

	<!-- xpdf: blacklist mode PDF viewer with net none, unix sockets only, and private /dev
	     and /tmp. Its rc file is given under <files>. -->
	<application>
		<name>xpdf</name>
		<mode>blacklist</mode>
		<options>caps.drop all # shell none # nonewprivs # noroot # protocol unix # seccomp # private-dev # private-tmp # net none</options>
		<files>${HOME}/.xpdfrc</files>
	</application>

	<!-- evolution: blacklist mode mail client with private /dev and /tmp.
	     NOTE(review): <paths> includes the shared key stores ${HOME}/.pki and
	     ${HOME}/.gnupg next to evolution's own directories; confirm how the generator
	     treats <paths> entries for other applications that also need those stores. -->
	<application>
		<name>evolution</name>
		<mode>blacklist</mode>
		<options>caps.drop all # netfilter # nonewprivs # noroot # nogroups # protocol unix,inet,inet6 # seccomp # shell none # private-dev # private-tmp # nosound</options>
		<paths>${DOWNLOADS} # ${HOME}/.config/evolution # ${HOME}/.local/share/evolution # ${HOME}/.cache/evolution # ${HOME}/.pki # ${HOME}/.gnupg</paths>
	</application>

	<!-- ardour5 (alias ardour4): whitelist mode with net none, explicit blacklists for
	     /usr/local/bin, /boot, /media, /mnt and /opt, and private /bin, /dev, /etc and
	     /tmp. <paths> includes all of ${HOME}/Documents as well as the plugin
	     directories .lv2 and .vst. nonewprivs is not set. -->
	<application>
		<name>ardour5</name>
		<aliases>ardour4</aliases>
		<mode>whitelist</mode>
		<options>blacklist /usr/local/bin # blacklist /boot # blacklist /media # blacklist /mnt # blacklist /opt # private-bin sh,ardour5,ardour5-copy-mixer,ardour5-export,ardour5-fix_bbtppq,grep,sed,ldd,nm # private-dev # private-etc pulse,X11,alternatives,ardour4,ardour5,fonts # private-tmp # noexec /home # noexec /tmp # shell none # seccomp # caps.drop all # net none # noroot # nogroups # ipc-namespace</options>
		<paths>${DOWNLOADS} # ${HOME}/Documents # ${HOME}/.config/ardour4 # ${HOME}/.config/ardour5 # ${HOME}/.lv2 # ${HOME}/.vst</paths>
	</application>

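	<!-- torbrowser-launcher (alias start-tor-browser): whitelist mode. Instead of
	     private-dev it whitelists individual /dev nodes, and private-bin names each
	     helper the launcher script needs exactly once. No nonewprivs or protocol
	     directive.
	     NOTE(review): the /dev whitelist includes /dev/snd and /dev/video0; confirm
	     sound and camera access are wanted for this browser. -->
	<application>
		<name>torbrowser-launcher</name>
		<aliases>start-tor-browser</aliases>
		<mode>whitelist</mode>
		<options>blacklist /usr/local/bin # blacklist /boot # blacklist /media # blacklist /mnt # blacklist /opt # private-bin bash,grep,sed,tail,torbrowser-launcher,python,env,gpg,id,readlink,dirname,test,mkdir,ln,cp,rm,zenity,kdialog,xmessage,gxmessage,getconf,file,expr # whitelist /dev/dri # whitelist /dev/full # whitelist /dev/null # whitelist /dev/ptmx # whitelist /dev/pts # whitelist /dev/random # whitelist /dev/shm # whitelist /dev/snd # whitelist /dev/tty # whitelist /dev/urandom # whitelist /dev/video0 # whitelist /dev/zero # private-etc X11,alternatives,pulse,resolv.conf,fonts,ssl # private-tmp # noexec /tmp # shell none # seccomp # noroot # caps.drop all</options>
		<paths>${DOWNLOADS} # ${HOME}/.local/share/torbrowser # ${HOME}/.config/torbrowser # ${HOME}/.cache/torbrowser</paths>
	</application>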

	<!-- xiphos: whitelist mode; baseline options plus nogroups, nosound, shell none,
	     tracelog and private /bin, /dev, /etc and /tmp. private-etc keeps resolv.conf
	     and the sword configuration. -->
	<application>
		<name>xiphos</name>
		<mode>whitelist</mode>
		<options>caps.drop all # netfilter # nogroups # nonewprivs # noroot # nosound # protocol unix,inet,inet6 # seccomp # shell none # tracelog # private-bin xiphos # private-etc fonts,resolv.conf,sword # private-dev # private-tmp</options>
		<paths>${HOME}/.sword # ${HOME}/.xiphos</paths>
	</application>

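	<!-- display: blacklist mode image viewer with net none, unix sockets only, x11 xorg,
	     /bin restricted to display, and private /dev, /etc and /tmp. Directives are
	     separated by a single " # " with no empty trailing item. netfilter appears
	     redundant next to net none. -->
	<application>
		<name>display</name>
		<mode>blacklist</mode>
		<options>caps.drop all # seccomp # protocol unix # netfilter # net none # nonewprivs # noroot # nogroups # nosound # shell none # x11 xorg # private-bin display # private-tmp # private-dev # private-etc none</options>
	</application>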

	<!-- wire (alias Wire): blacklist mode messenger; baseline options plus nogroups,
	     netlink in the protocol list, shell none and private /dev and /tmp. Both
	     capitalisations of the config directory are listed. -->
	<application>
		<name>wire</name>
		<aliases>Wire</aliases>
		<mode>blacklist</mode>
		<options>caps.drop all # netfilter # nonewprivs # nogroups # noroot # protocol unix,inet,inet6,netlink # seccomp # shell none # private-tmp # private-dev</options>
		<paths>${DOWNLOADS} # ${HOME}/.config/Wire # ${HOME}/.config/wire</paths>
	</application>

	<!-- zoom: whitelist mode; the `default` option set plus a private /tmp. Only
	     ${HOME}/.zoom and the zoomus.conf file are listed; private-dev is not set, so
	     host device nodes (camera, audio) are not restricted by this entry. -->
	<application>
		<name>zoom</name>
		<mode>whitelist</mode>
		<options>caps.drop all # netfilter # nonewprivs # noroot # protocol unix,inet,inet6 # seccomp # private-tmp</options>
		<paths>${HOME}/.zoom</paths>
		<files>${HOME}/.config/zoomus.conf</files>
	</application>

</applications>