247 files changed, 1155 insertions, 143 deletions
diff --git a/README b/README
index 257bb20d5..6cfd03031 100644
--- a/README
+++ b/README
@@ -70,6 +70,7 @@ Adrian L. Shaw (https://github.com/adrianlshaw)
        - add barrirer profile
 Aidan Gauland (https://github.com/aidalgol)
        - added electron, riot-web and npm profiles
+        - whitelist Bohemia Interactive config dir for Steam
 Akhil Hans Maulloo (https://github.com/kouul)
        - xz profile
 Alexey Kuznetsov (kuznet@ms2.inr.ac.ru)
@@ -159,6 +160,11 @@ Bandie (https://github.com/Bandie)
        - fixed riot-desktop
 Barış Ekin Yıldırım (https://github.com/circuitshaker)
        - removing net none from code.profile
+bbhtt (https://github.com/bbhtt)
+        - improvements to balsa,fractal,gajim,trojita profiles
+        - improvements to nheko, spectral, feh, links, lynx profiles
+        - added alacartem com.github.bleakgrey.tootle, photoflare profiles
+        - add profiles for MS Edge dev build for Linux and Librewolf
 Benjamin Kampmann (https://github.com/ligthyear)
        - Forward exit code from child process
 bitfreak25 (https://github.com/bitfreak25)
@@ -178,6 +184,8 @@ Brad Ackerman
        - blacklist Bitwarden config in disable-passwdmgr.inc
 briaeros (https://github.com/briaeros)
        - fix command test in jail_prober.py
+botherer (https://github.com/botherder)
+        - add CoyIM profile
 Bruno Nova (https://github.com/brunonova)
        - whitelist fix
        - bash arguments fix
@@ -301,6 +309,8 @@ Fabian Würfl (https://github.com/BafDyce)
        - Liferea profile
 Felipe Barriga Richards (https://github.com/fbarriga)
        - --private-etc fix
+fenuks (https://github.com/fenuks)
+        - fix sound in games using FMOD
 Florian Begusch (https://github.com/florianbegusch)
        - (la)tex profiles
        - fixed transmission-common.profile
@@ -420,6 +430,8 @@ hawkey116477 (https://github.com/hawkeye116477)
        - updated Waterfox profile
 Helmut Grohne (https://github.com/helmutg)
        -  compiler support in the build system - Debian bug #869707
+hhzek0014 (https://github.com/hhzek0014)
+        - updated  bibletime.profile
 hlein (https://github.com/hlein)
        - strip out \r's from jail prober
 Holger Heinz (https://github.com/hheinz)
@@ -518,7 +530,11 @@ KellerFuchs (https://github.com/KellerFuchs)
        - fixed Cryptocat profile
        - make ~/.local read-only
 Kelvin (https://github.com/kmk3)
-        - disable ldns utilities
+        - disable ldns utilities, dnssec-*, khost, unbound-host
+        - sort DNS / RUNUSER paths
+        - improve bug_report.md
+        - fix keypassxc
+        - blacklist oksh shell in disable-shell.inc
 Kishore96in (https://github.com/Kishore96in)
        - added falkon profile
        - kxmlgui fixes
@@ -610,6 +626,7 @@ Neo00001 (https://github.com/Neo00001)
        - update virtualbox profile
        - update telegram profile
        - add spectacle profile
+        - add kdiff3 profile
 Nick Fox (https://github.com/njfox)
        - add a profile alias for code-oss
        - add code-oss config directory
@@ -620,6 +637,8 @@ Niklas Haas (https://github.com/haasn)
        - blacklisting for keybase.io's client
 Niklas Goerke (https://github.com/Niklas974)
        - update QOwnNotes profile
+Nikos Chantziaras (https://github.com/realnc)
+        - fix audio support for Discord
 nyancat18 (https://github.com/nyancat18)
        - added ardour4, dooble, karbon, krita profiles
 Ondra Nekola (https://github.com/satai)
@@ -732,6 +751,8 @@ RD PROJEKT (https://github.com/RDProjekt)
        - support AMD GPU by OpenCL in Blender
 rogshdo (https://github.com/rogshdo)
        - BitlBee profile
+rootalc (https://github.com/rootalc)
+        - add nolocal6.net filter
 Ruan (https://github.com/ruany)
        - fixed hexchat profile
 rusty-snake (https://github.com/rusty-snake)
diff --git a/README.md b/README.md
index 69e059bba..1dbfb88d1 100644
--- a/README.md
+++ b/README.md
@@ -170,29 +170,29 @@ $ ./profstats *.profile
 Warning: multiple caps in transmission-daemon.profile
 Stats:
-    profiles                    1031
+    profiles                    1064
-    include local profile       1031   (include profile-name.local)
+    include local profile       1064   (include profile-name.local)
-    include globals             1031   (include globals.local)
+    include globals             1064   (include globals.local)
-    blacklist ~/.ssh            1007   (include disable-common.inc)
+    blacklist ~/.ssh            959   (include disable-common.inc)
-    seccomp                     976
+    seccomp                     975
-    capabilities                1030
+    capabilities                1063
-    noexec                      901   (include disable-exec.inc)
+    noexec                      944   (include disable-exec.inc)
-    memory-deny-write-execute   221
+    memory-deny-write-execute   229
-    apparmor                    555
+    apparmor                    605
-    private-bin                 544
+    private-bin                 564
-    private-dev                 897
+    private-dev                 932
-    private-etc                 435
+    private-etc                 462
-    private-tmp                 785
+    private-tmp                 823
-    whitelist home directory    474
+    whitelist home directory    502
-    whitelist var               699   (include whitelist-var-common.inc)
+    whitelist var               744   (include whitelist-var-common.inc)
-    whitelist run/user          336   (include whitelist-runuser-common.inc
+    whitelist run/user          461   (include whitelist-runuser-common.inc
                                        or blacklist ${RUNUSER})
-    whitelist usr/share         359   (include whitelist-usr-share-common.inc
+    whitelist usr/share         451   (include whitelist-usr-share-common.inc
-    net none                    333
+    net none                    345
-    dbus-user none              523
+    dbus-user none              564
-    dbus-system none            632
+    dbus-user filter            85
+    dbus-system none            696
+    dbus-system filter          7
 ```
 ### New profiles:
-spectacle, chromium-browser-privacy, gtk-straw-viewer, gtk-youtube-viewer, gtk2-youtube-viewer, gtk3-youtube-viewer, straw-viewer, lutris, dolphin-emu, authenticator-rs, servo, tutanota-desktop, npm, marker, yarn, lsar, unar, agetpkg, mdr, shotwell, qnapi
diff --git a/RELNOTES b/RELNOTES
index 705ef8500..fae29632d 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -1,15 +1,16 @@
-firejail (0.9.65) baseline; urgency=low
+firejail (0.9.64.2) baseline; urgency=low
  * allow --tmpfs inside $HOME for unprivileged users
  * --disable-usertmpfs  compile time option
  * allow AF_BLUETOOTH via --protocol=bluetooth
  * Setup guide for new users: contrib/firejail-welcome.sh
  * implement netns in profiles
+  * added nolocal6.net IPv6 network filter
  * new profiles: spectacle, chromium-browser-privacy, gtk-straw-viewer
  * new profiles: gtk-youtube-viewer, gtk2-youtube-viewer, gtk3-youtube-viewer
  * new profiles: straw-viewer, lutris, dolphin-emu, authenticator-rs, servo
-  * new profiles: npm, marker
+  * new profiles: npm, marker, yarn, lsar, unar, agetpkg, mdr, shotwell, qnapi
+  * new profiles: guvcview, pkglog, kdiff3, CoyIM
- -- netblue30 <netblue30@yahoo.com>  Wed, 21 Oct 2020 09:00:00 -0500
+ -- netblue30 <netblue30@yahoo.com>  Tue, 26 Jan 2021 09:00:00 -0500
 firejail (0.9.64) baseline; urgency=low
  * replaced --nowrap option with --wrap in firemon
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc
index 26bcb987f..72b1c86fb 100644
--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -191,6 +191,7 @@ blacklist ${HOME}/.config/cmus
 blacklist ${HOME}/.config/com.github.bleakgrey.tootle
 blacklist ${HOME}/.config/corebird
 blacklist ${HOME}/.config/cower
+blacklist ${HOME}/.config/coyim
 blacklist ${HOME}/.config/darktable
 blacklist ${HOME}/.config/deadbeef
 blacklist ${HOME}/.config/deluge
@@ -253,6 +254,7 @@ blacklist ${HOME}/.config/google-chrome-unstable
 blacklist ${HOME}/.config/gpicview
 blacklist ${HOME}/.config/gthumb
 blacklist ${HOME}/.config/gummi
+blacklist ${HOME}/.config/guvcview2
 blacklist ${HOME}/.config/gwenviewrc
 blacklist ${HOME}/.config/hexchat
 blacklist ${HOME}/.config/homebank
@@ -274,6 +276,8 @@ blacklist ${HOME}/.config/katevirc
 blacklist ${HOME}/.config/kazam
 blacklist ${HOME}/.config/kdeconnect
 blacklist ${HOME}/.config/kdenliverc
+blacklist ${HOME}/.config/kdiff3fileitemactionrc
+blacklist ${HOME}/.config/kdiff3rc
 blacklist ${HOME}/.config/kfindrc
 blacklist ${HOME}/.config/kgetrc
 blacklist ${HOME}/.config/kid3rc
@@ -468,10 +472,7 @@ blacklist ${HOME}/.gimp*
 blacklist ${HOME}/.gist
 blacklist ${HOME}/.gitconfig
 blacklist ${HOME}/.gnome/gnome-schedule
-blacklist ${HOME}/.googleearth/Cache
+blacklist ${HOME}/.googleearth
-blacklist ${HOME}/.googleearth/Temp
-blacklist ${HOME}/.googleearth/myplaces.backup.kml
-blacklist ${HOME}/.googleearth/myplaces.kml
 blacklist ${HOME}/.gradle
 blacklist ${HOME}/.gramps
 blacklist ${HOME}/.guayadeque
diff --git a/etc/inc/firefox-common-addons.inc b/etc/inc/firefox-common-addons.inc
index 03f09fece..ca7731442 100644
--- a/etc/inc/firefox-common-addons.inc
+++ b/etc/inc/firefox-common-addons.inc
@@ -58,11 +58,12 @@ whitelist ${HOME}/.wine-pipelight64
 whitelist ${HOME}/.zotero
 whitelist ${HOME}/dwhelper
-# GNOME Shell integration (chrome-gnome-shell) needs dbus and python 3 (blacklisted by disable-interpreters.inc)
+# GNOME Shell integration (chrome-gnome-shell) needs dbus and python
 noblacklist ${HOME}/.local/share/gnome-shell
 whitelist ${HOME}/.local/share/gnome-shell
 ignore dbus-user none
 ignore dbus-system none
+# Allow python (blacklisted by disable-interpreters.inc)
 include allow-python3.inc
 # KeePassXC Browser Integration
diff --git a/etc/net/nolocal6.net b/etc/net/nolocal6.net
new file mode 100644
index 000000000..5a6678d03
--- /dev/null
+++ b/etc/net/nolocal6.net
@@ -0,0 +1,41 @@
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
+###################################################################
+# Client filter rejecting local network traffic, with the exception of
+# DNS traffic
+#
+# Usage:
+#     firejail --net=eth0 --netfilter6=/etc/firejail/nolocal6.net firefox
+#
+###################################################################
+#allow all loopback traffic
+-A INPUT -i lo -j ACCEPT
+# no incoming connections
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+# allow ping etc.
+-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type destination-unreachable -j ACCEPT
+-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type time-exceeded -j ACCEPT
+-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type echo-request -j ACCEPT
+# required for ipv6
+-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type router-solicitation -j ACCEPT
+-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type neighbour-solicitation -j ACCEPT
+-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type router-advertisement -j ACCEPT
+-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type neighbour-advertisement -j ACCEPT
+# accept dns requests going out to a server on the local network
+-A OUTPUT -p udp --dport 53 -j ACCEPT
+# drop all local network traffic
+-A OUTPUT -d FC00::/7 -j DROP
+# drop multicast traffic
+# required for ipv6
+-A OUTPUT -d ff02::2 -j ACCEPT
+-A OUTPUT -d ff00::/8 -j DROP
+COMMIT
diff --git a/etc/profile-a-l/Builder.profile b/etc/profile-a-l/Builder.profile
index 54b437441..a010e84dc 100644
--- a/etc/profile-a-l/Builder.profile
+++ b/etc/profile-a-l/Builder.profile
@@ -1,6 +1,9 @@
 # Firejail profile for gnome-builder
 # This file is overwritten after every install/update
+# Persistent local customizations
+include Builder.local
 # Temporary fix for https://github.com/netblue30/firejail/issues/2624
 # Redirect
 include gnome-builder.profile
diff --git a/etc/profile-a-l/Cheese.profile b/etc/profile-a-l/Cheese.profile
index 5bb5064f0..e8020c3e1 100644
--- a/etc/profile-a-l/Cheese.profile
+++ b/etc/profile-a-l/Cheese.profile
@@ -1,6 +1,9 @@
 # Firejail profile for cheese
 # This file is overwritten after every install/update
+# Persistent local customizations
+include Cheese.local
 # Temporary fix for https://github.com/netblue30/firejail/issues/2624
 # Redirect
 include cheese.profile
diff --git a/etc/profile-a-l/Cyberfox.profile b/etc/profile-a-l/Cyberfox.profile
index 26a4348c9..d26230b02 100644
--- a/etc/profile-a-l/Cyberfox.profile
+++ b/etc/profile-a-l/Cyberfox.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for cyberfox
 # This file is overwritten after every install/update
+# Persistent local customizations
+include Cyberfox.local
 # Redirect
 include cyberfox.profile
diff --git a/etc/profile-a-l/Documents.profile b/etc/profile-a-l/Documents.profile
index 171ab4357..94109e239 100644
--- a/etc/profile-a-l/Documents.profile
+++ b/etc/profile-a-l/Documents.profile
@@ -1,6 +1,9 @@
 # Firejail profile for gnome-documents
 # This file is overwritten after every install/update
+# Persistent local customizations
+include Documents.local
 # Temporary fix for https://github.com/netblue30/firejail/issues/2624
 # Redirect
 include gnome-documents.profile
diff --git a/etc/profile-a-l/FossaMail.profile b/etc/profile-a-l/FossaMail.profile
index 9e1f61421..9c7826643 100644
--- a/etc/profile-a-l/FossaMail.profile
+++ b/etc/profile-a-l/FossaMail.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for fossamail
 # This file is overwritten after every install/update
+# Persistent local customizations
+include FossaMail.local
 # Redirect
 include fossamail.profile
diff --git a/etc/profile-a-l/Gitter.profile b/etc/profile-a-l/Gitter.profile
index a8bcb6a54..f670d0d7f 100644
--- a/etc/profile-a-l/Gitter.profile
+++ b/etc/profile-a-l/Gitter.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for Gitter
 # This file is overwritten after every install/update
+# Persistent local customizations
+include Gitter.local
 # Redirect
 include gitter.profile
diff --git a/etc/profile-a-l/Logs.profile b/etc/profile-a-l/Logs.profile
index 431439f17..2d01ccb87 100644
--- a/etc/profile-a-l/Logs.profile
+++ b/etc/profile-a-l/Logs.profile
@@ -1,6 +1,9 @@
 # Firejail profile for gnome-logs
 # This file is overwritten after every install/update
+# Persistent local customizations
+include Logs.local
 # Temporary fix for https://github.com/netblue30/firejail/issues/2624
 # Redirect
 include gnome-logs.profile
diff --git a/etc/profile-a-l/alacarte.profile b/etc/profile-a-l/alacarte.profile
index 98188d2a7..57b5e5d95 100644
--- a/etc/profile-a-l/alacarte.profile
+++ b/etc/profile-a-l/alacarte.profile
@@ -6,6 +6,7 @@ include alacarte.local
 # Persistent global definitions
 include globals.local
+# Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
 include allow-python3.inc
diff --git a/etc/profile-a-l/ardour4.profile b/etc/profile-a-l/ardour4.profile
index 4ad8dd456..b81f01389 100644
--- a/etc/profile-a-l/ardour4.profile
+++ b/etc/profile-a-l/ardour4.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for ardour5
 # This file is overwritten after every install/update
+# Persistent local customizations
+include ardur4.local
 # Redirect
 include ardour5.profile
diff --git a/etc/profile-a-l/bibletime.profile b/etc/profile-a-l/bibletime.profile
index 99e2802eb..235b84be3 100644
--- a/etc/profile-a-l/bibletime.profile
+++ b/etc/profile-a-l/bibletime.profile
@@ -26,6 +26,7 @@ whitelist ${HOME}/.bibletime
 whitelist ${HOME}/.sword
 whitelist ${HOME}/.local/share/bibletime
 whitelist /usr/share/bibletime
+whitelist /usr/share/doc/bibletime
 whitelist /usr/share/sword
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/blackbox.profile b/etc/profile-a-l/blackbox.profile
index 13e83493d..233f9a96f 100644
--- a/etc/profile-a-l/blackbox.profile
+++ b/etc/profile-a-l/blackbox.profile
@@ -6,7 +6,7 @@ include blackbox.local
 # Persistent global definitions
 include globals.local
-# all applications started in awesome will run in this profile
+# all applications started in blackbox will run in this profile
 noblacklist ${HOME}/.blackbox
 include disable-common.inc
diff --git a/etc/profile-a-l/blender-2.8.profile b/etc/profile-a-l/blender-2.8.profile
index b7242c443..f8062d00e 100644
--- a/etc/profile-a-l/blender-2.8.profile
+++ b/etc/profile-a-l/blender-2.8.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for blender
 # This file is overwritten after every install/update
+# Persistent local customizations
+include blender-2.8.local
 # Redirect
 include blender.profile
diff --git a/etc/profile-a-l/brave-browser-beta.profile b/etc/profile-a-l/brave-browser-beta.profile
index 528a6402d..bfea2c622 100644
--- a/etc/profile-a-l/brave-browser-beta.profile
+++ b/etc/profile-a-l/brave-browser-beta.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for brave (beta channel)
 # This file is overwritten after every install/update
+# Persistent local customizations
+include brave-browser-beta.local
 # Redirect
 include brave.profile
diff --git a/etc/profile-a-l/brave-browser-dev.profile b/etc/profile-a-l/brave-browser-dev.profile
index 4601de119..6c66c9697 100644
--- a/etc/profile-a-l/brave-browser-dev.profile
+++ b/etc/profile-a-l/brave-browser-dev.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for brave (development channel)
 # This file is overwritten after every install/update
+# Persistent local customizations
+include brave-browser-dev.local
 # Redirect
 include brave.profile
diff --git a/etc/profile-a-l/brave-browser-nightly.profile b/etc/profile-a-l/brave-browser-nightly.profile
index 43d3cc724..8812f06ba 100644
--- a/etc/profile-a-l/brave-browser-nightly.profile
+++ b/etc/profile-a-l/brave-browser-nightly.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for brave (nightly channel)
 # This file is overwritten after every install/update
+# Persistent local customizations
+include brave-browser-nightly.local
 # Redirect
 include brave.profile
diff --git a/etc/profile-a-l/brave-browser-stable.profile b/etc/profile-a-l/brave-browser-stable.profile
index 06d33dea4..f59e5763b 100644
--- a/etc/profile-a-l/brave-browser-stable.profile
+++ b/etc/profile-a-l/brave-browser-stable.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for brave (release channel)
 # This file is overwritten after every install/update
+# Persistent local customizations
+include brave-browser-stable.local
 # Redirect
 include brave.profile
diff --git a/etc/profile-a-l/brave-browser.profile b/etc/profile-a-l/brave-browser.profile
index e223ecf87..d9c9c45d7 100644
--- a/etc/profile-a-l/brave-browser.profile
+++ b/etc/profile-a-l/brave-browser.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for brave
 # This file is overwritten after every install/update
+# Persistent local customizations
+include brave-browser.local
 # Redirect
 include brave.profile
diff --git a/etc/profile-a-l/bsdcat.profile b/etc/profile-a-l/bsdcat.profile
index 5271ee5d6..562ba4b65 100644
--- a/etc/profile-a-l/bsdcat.profile
+++ b/etc/profile-a-l/bsdcat.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for bsdtar
 # This file is overwritten after every install/update
+# Persistent local customizations
+include bsdcat.local
 # Redirect
 include bsdtar.profile
diff --git a/etc/profile-a-l/bsdcpio.profile b/etc/profile-a-l/bsdcpio.profile
index 5271ee5d6..ed109957d 100644
--- a/etc/profile-a-l/bsdcpio.profile
+++ b/etc/profile-a-l/bsdcpio.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for bsdtar
 # This file is overwritten after every install/update
+# Persistent local customizations
+include bsdcpio.local
 # Redirect
 include bsdtar.profile
diff --git a/etc/profile-a-l/calligraauthor.profile b/etc/profile-a-l/calligraauthor.profile
index 7804a3b97..bb555a70b 100644
--- a/etc/profile-a-l/calligraauthor.profile
+++ b/etc/profile-a-l/calligraauthor.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for calligra
 # This file is overwritten after every install/update
+# Persistent local customizations
+include calligraauthor.local
 # Redirect
 include calligra.profile
diff --git a/etc/profile-a-l/calligraconverter.profile b/etc/profile-a-l/calligraconverter.profile
index 7804a3b97..205087758 100644
--- a/etc/profile-a-l/calligraconverter.profile
+++ b/etc/profile-a-l/calligraconverter.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for calligra
 # This file is overwritten after every install/update
+# Persistent local customizations
+include calligraconverter.local
 # Redirect
 include calligra.profile
diff --git a/etc/profile-a-l/calligraflow.profile b/etc/profile-a-l/calligraflow.profile
index 7804a3b97..99e094016 100644
--- a/etc/profile-a-l/calligraflow.profile
+++ b/etc/profile-a-l/calligraflow.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for calligra
 # This file is overwritten after every install/update
+# Persistent local customizations
+include calligraflow.local
 # Redirect
 include calligra.profile
diff --git a/etc/profile-a-l/calligraplan.profile b/etc/profile-a-l/calligraplan.profile
index 23dd61175..d8b18b238 100644
--- a/etc/profile-a-l/calligraplan.profile
+++ b/etc/profile-a-l/calligraplan.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for calligra
 # This file is overwritten after every install/update
+# Persistent local customizations
+include calligraplan.local
 noblacklist ${HOME}/.local/share/kxmlgui5/calligraplan
 # Redirect
diff --git a/etc/profile-a-l/calligraplanwork.profile b/etc/profile-a-l/calligraplanwork.profile
index 1c283a3cb..0feb49a77 100644
--- a/etc/profile-a-l/calligraplanwork.profile
+++ b/etc/profile-a-l/calligraplanwork.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for calligra
 # This file is overwritten after every install/update
+# Persistent local customizations
+include calligraplanwork.local
 noblacklist ${HOME}/.local/share/kxmlgui5/calligraplanwork
 # Redirect
diff --git a/etc/profile-a-l/calligrasheets.profile b/etc/profile-a-l/calligrasheets.profile
index 8ef75be71..0c45b6b54 100644
--- a/etc/profile-a-l/calligrasheets.profile
+++ b/etc/profile-a-l/calligrasheets.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for calligra
 # This file is overwritten after every install/update
+# Persistent local customizations
+include calligrasheets.local
 noblacklist ${HOME}/.local/share/kxmlgui5/calligrasheets
 # Redirect
diff --git a/etc/profile-a-l/calligrastage.profile b/etc/profile-a-l/calligrastage.profile
index d5c960248..a9db7e64b 100644
--- a/etc/profile-a-l/calligrastage.profile
+++ b/etc/profile-a-l/calligrastage.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for calligra
 # This file is overwritten after every install/update
+# Persistent local customizations
+include calligrastage.local
 noblacklist ${HOME}/.local/share/kxmlgui5/calligrastage
 # Redirect
diff --git a/etc/profile-a-l/calligrawords.profile b/etc/profile-a-l/calligrawords.profile
index 5985b4250..1f62cb7ec 100644
--- a/etc/profile-a-l/calligrawords.profile
+++ b/etc/profile-a-l/calligrawords.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for calligra
 # This file is overwritten after every install/update
+# Persistent local customizations
+include calligrawords.local
 noblacklist ${HOME}/.local/share/kxmlgui5/calligrawords
 # Redirect
diff --git a/etc/profile-a-l/celluloid.profile b/etc/profile-a-l/celluloid.profile
index d379651c7..6a76dc129 100644
--- a/etc/profile-a-l/celluloid.profile
+++ b/etc/profile-a-l/celluloid.profile
@@ -10,13 +10,13 @@ noblacklist ${HOME}/.config/celluloid
 noblacklist ${HOME}/.config/gnome-mpv
 noblacklist ${HOME}/.config/youtube-dl
+# Allow lua (blacklisted by disable-interpreters.inc)
+include allow-lua.inc
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
 include allow-python3.inc
-# Allow lua (blacklisted by disable-interpreters.inc)
-include allow-lua.inc
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
diff --git a/etc/profile-a-l/cheese.profile b/etc/profile-a-l/cheese.profile
index 337117c4a..aca1f5876 100644
--- a/etc/profile-a-l/cheese.profile
+++ b/etc/profile-a-l/cheese.profile
@@ -19,7 +19,10 @@ include disable-xdg.inc
 whitelist ${VIDEOS}
 whitelist ${PICTURES}
+whitelist /usr/share/gnome-video-effects
 include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 apparmor
@@ -43,5 +46,6 @@ private-cache
 private-etc alternatives,clutter-1.0,dconf,drirc,fonts,gtk-3.0
 private-tmp
-dbus-user none
+dbus-user filter
+dbus-user.talk ca.desrt.dconf
 dbus-system none
diff --git a/etc/profile-a-l/chromium-browser.profile b/etc/profile-a-l/chromium-browser.profile
index f83052d9a..c782a4d78 100644
--- a/etc/profile-a-l/chromium-browser.profile
+++ b/etc/profile-a-l/chromium-browser.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for chromium
 # This file is overwritten after every install/update
+# Persistent local customizations
+include chromium-browser.local
 # Redirect
 include chromium.profile
diff --git a/etc/profile-a-l/chromium-freeworld.profile b/etc/profile-a-l/chromium-freeworld.profile
index a1de85afa..5d1f3c11c 100644
--- a/etc/profile-a-l/chromium-freeworld.profile
+++ b/etc/profile-a-l/chromium-freeworld.profile
@@ -1,5 +1,8 @@
 # Firejail profile for chromium-freeworld
 # This file is overwritten after every install/update
+# Persistent local customizations
+include chromium-freeworld.local
 # Redirect
 include chromium.profile
diff --git a/etc/profile-a-l/cinelerra.profile b/etc/profile-a-l/cinelerra.profile
index 88a65037e..823375049 100644
--- a/etc/profile-a-l/cinelerra.profile
+++ b/etc/profile-a-l/cinelerra.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for cin
 # This file is overwritten after every install/update
+# Persistent local customizations
+include cinelerra.local
 # Redirect
 include cin.profile
diff --git a/etc/profile-a-l/clamdscan.profile b/etc/profile-a-l/clamdscan.profile
index 4c6c56c5f..1a89a927d 100644
--- a/etc/profile-a-l/clamdscan.profile
+++ b/etc/profile-a-l/clamdscan.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for clamav
 # This file is overwritten after every install/update
+# Persistent local customizations
+include clamdscan.local
 # Redirect
 include clamav.profile
diff --git a/etc/profile-a-l/clamdtop.profile b/etc/profile-a-l/clamdtop.profile
index 4c6c56c5f..96f68b8f6 100644
--- a/etc/profile-a-l/clamdtop.profile
+++ b/etc/profile-a-l/clamdtop.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for clamav
 # This file is overwritten after every install/update
+# Persistent local customizations
+include clamdtop.local
 # Redirect
 include clamav.profile
diff --git a/etc/profile-a-l/clamscan.profile b/etc/profile-a-l/clamscan.profile
index 4c6c56c5f..ec435a50a 100644
--- a/etc/profile-a-l/clamscan.profile
+++ b/etc/profile-a-l/clamscan.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for clamav
 # This file is overwritten after every install/update
+# Persistent local customizations
+include clamscan.local
 # Redirect
 include clamav.profile
diff --git a/etc/profile-a-l/clocks.profile b/etc/profile-a-l/clocks.profile
index da50e7d49..c180e6faa 100644
--- a/etc/profile-a-l/clocks.profile
+++ b/etc/profile-a-l/clocks.profile
@@ -1,6 +1,9 @@
 # Firejail profile for gnome-clocks
 # This file is overwritten after every install/update
+# Persistent local customizations
+include clocks.local
 # Temporary fix for https://github.com/netblue30/firejail/issues/2624
 # Redirect
 include gnome-clocks.profile
diff --git a/etc/profile-a-l/com.gitlab.newsflash.profile b/etc/profile-a-l/com.gitlab.newsflash.profile
index 0628d3d01..26f99428c 100644
--- a/etc/profile-a-l/com.gitlab.newsflash.profile
+++ b/etc/profile-a-l/com.gitlab.newsflash.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for newsflash
 # This file is overwritten after every install/update
+# Persistent local customizations
+include com.gitlab.newsflash.local
 # Redirect
 include newsflash.profile
diff --git a/etc/profile-a-l/coyim.profile b/etc/profile-a-l/coyim.profile
new file mode 100644
index 000000000..75813c494
--- /dev/null
+++ b/etc/profile-a-l/coyim.profile
@@ -0,0 +1,49 @@
+# Firejail profile for coyim
+# Description: GTK Jabber client written in Go
+# This file is overwritten after every install/update
+# Persistent local customizations
+include coyim.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.config/coyim
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+mkdir ${HOME}/.config/coyim
+whitelist ${HOME}/.config/coyim
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-runuser-common.inc
+include whitelist-var-common.inc
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+disable-mnt
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,fonts,machine-id,pki,ssl
+private-tmp
+dbus-user none
+dbus-system none
+#memory-deny-write-execute
diff --git a/etc/profile-a-l/crawl-tiles.profile b/etc/profile-a-l/crawl-tiles.profile
index 39151865e..b384e42ae 100644
--- a/etc/profile-a-l/crawl-tiles.profile
+++ b/etc/profile-a-l/crawl-tiles.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for crawl
 # This file is overwritten after every install/update
+# Persistent local customizations
+include crawl-titles.local
 ignore no3d
 # Redirect
diff --git a/etc/profile-a-l/cryptocat.profile b/etc/profile-a-l/cryptocat.profile
index 69aa39de2..b208b21a0 100644
--- a/etc/profile-a-l/cryptocat.profile
+++ b/etc/profile-a-l/cryptocat.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for Cryptocat
 # This file is overwritten after every install/update
+# Persistent local customizations
+include cryptocat.local
 # Redirect
 include Cryptocat.profile
diff --git a/etc/profile-a-l/dia.profile b/etc/profile-a-l/dia.profile
index e409eb044..31031edeb 100644
--- a/etc/profile-a-l/dia.profile
+++ b/etc/profile-a-l/dia.profile
@@ -9,6 +9,7 @@ include globals.local
 noblacklist ${HOME}/.dia
 noblacklist ${DOCUMENTS}
+# Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
 include allow-python3.inc
diff --git a/etc/profile-a-l/dooble-qt4.profile b/etc/profile-a-l/dooble-qt4.profile
index 70a21e11c..c21df94c5 100644
--- a/etc/profile-a-l/dooble-qt4.profile
+++ b/etc/profile-a-l/dooble-qt4.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for dooble
 # This file is overwritten after every install/update
+# Persistent local customizations
+include dooble-qt4.local
 # Redirect
 include dooble.profile
diff --git a/etc/profile-a-l/file-manager-common.profile b/etc/profile-a-l/file-manager-common.profile
index 24339953b..face34c40 100644
--- a/etc/profile-a-l/file-manager-common.profile
+++ b/etc/profile-a-l/file-manager-common.profile
@@ -15,7 +15,7 @@ ignore noexec ${HOME}
 # Allow lua (blacklisted by disable-interpreters.inc)
 include allow-lua.inc
-# Allow perl
+# Allow perl (blacklisted by disable-interpreters.inc)
 include allow-perl.inc
 # Allow python (blacklisted by disable-interpreters.inc)
diff --git a/etc/profile-a-l/fluxbox.profile b/etc/profile-a-l/fluxbox.profile
index c296c0491..1210f365c 100644
--- a/etc/profile-a-l/fluxbox.profile
+++ b/etc/profile-a-l/fluxbox.profile
@@ -6,7 +6,7 @@ include fluxbox.local
 # Persistent global definitions
 include globals.local
-# all applications started in awesome will run in this profile
+# all applications started in fluxbox will run in this profile
 noblacklist ${HOME}/.fluxbox
 include disable-common.inc
diff --git a/etc/profile-a-l/fractal.profile b/etc/profile-a-l/fractal.profile
index dc8d6e3ad..dede61b71 100644
--- a/etc/profile-a-l/fractal.profile
+++ b/etc/profile-a-l/fractal.profile
@@ -8,6 +8,7 @@ include globals.local
 noblacklist ${HOME}/.cache/fractal
+# Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
 include allow-python3.inc
diff --git a/etc/profile-a-l/freecadcmd.profile b/etc/profile-a-l/freecadcmd.profile
index 44bf62cfe..573029add 100644
--- a/etc/profile-a-l/freecadcmd.profile
+++ b/etc/profile-a-l/freecadcmd.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for freecad
 # This file is overwritten after every install/update
+# Persistent local customizations
+include freecadcms.local
 # Redirect
 include freecad.profile
diff --git a/etc/profile-a-l/freeciv-gtk3.profile b/etc/profile-a-l/freeciv-gtk3.profile
index fa36459e7..d8d1592c5 100644
--- a/etc/profile-a-l/freeciv-gtk3.profile
+++ b/etc/profile-a-l/freeciv-gtk3.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for freeciv
 # This file is overwritten after every install/update
+# Persistent local customizations
+include freeciv-gtk3.local
 # Redirect
 include freeciv.profile
diff --git a/etc/profile-a-l/freeciv-mp-gtk3.profile b/etc/profile-a-l/freeciv-mp-gtk3.profile
index fa36459e7..16bc87848 100644
--- a/etc/profile-a-l/freeciv-mp-gtk3.profile
+++ b/etc/profile-a-l/freeciv-mp-gtk3.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for freeciv
 # This file is overwritten after every install/update
+# Persistent local customizations
+include freeciv-mp-gtk3.local
 # Redirect
 include freeciv.profile
diff --git a/etc/profile-a-l/gajim-history-manager.profile b/etc/profile-a-l/gajim-history-manager.profile
index 2ae6dd9d8..2f4f2c548 100644
--- a/etc/profile-a-l/gajim-history-manager.profile
+++ b/etc/profile-a-l/gajim-history-manager.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for gajim-history-manager
 # This file is overwritten after every install/update
+# Persistent local customizations
+include gajim-history-manager.local
 # Redirect
 include gajim.profile
diff --git a/etc/profile-a-l/ghb.profile b/etc/profile-a-l/ghb.profile
index 1e7ce2350..809328448 100644
--- a/etc/profile-a-l/ghb.profile
+++ b/etc/profile-a-l/ghb.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for handbrake
 # This file is overwritten after every install/update
+# Persistent local customizations
+include ghb.local
 # Redirect
 include handbrake.profile
diff --git a/etc/profile-a-l/gimp-2.10.profile b/etc/profile-a-l/gimp-2.10.profile
index dbf49ac22..89616a537 100644
--- a/etc/profile-a-l/gimp-2.10.profile
+++ b/etc/profile-a-l/gimp-2.10.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for gimp
 # This file is overwritten after every install/update
+# Persistent local customizations
+include gimp-2.10.local
 # Redirect
 include gimp.profile
diff --git a/etc/profile-a-l/gimp-2.8.profile b/etc/profile-a-l/gimp-2.8.profile
index dbf49ac22..30449e6f4 100644
--- a/etc/profile-a-l/gimp-2.8.profile
+++ b/etc/profile-a-l/gimp-2.8.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for gimp
 # This file is overwritten after every install/update
+# Persistent local customizations
+include gimp-2.8.local
 # Redirect
 include gimp.profile
diff --git a/etc/profile-a-l/gnome-mpv.profile b/etc/profile-a-l/gnome-mpv.profile
index f5d652732..2620d1558 100644
--- a/etc/profile-a-l/gnome-mpv.profile
+++ b/etc/profile-a-l/gnome-mpv.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for celluloid (formerly GNOME MPV)
 # This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-mpv.local
 # Redirect
 include celluloid.profile
diff --git a/etc/profile-a-l/google-chrome-stable.profile b/etc/profile-a-l/google-chrome-stable.profile
index a456e8d61..7c54a0888 100644
--- a/etc/profile-a-l/google-chrome-stable.profile
+++ b/etc/profile-a-l/google-chrome-stable.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for google-chrome
 # This file is overwritten after every install/update
+# Persistent local customizations
+include google-chrome-stable.local
 # Redirect
 include google-chrome.profile
diff --git a/etc/profile-a-l/google-earth-pro.profile b/etc/profile-a-l/google-earth-pro.profile
index c1f919769..1240dc3b7 100644
--- a/etc/profile-a-l/google-earth-pro.profile
+++ b/etc/profile-a-l/google-earth-pro.profile
@@ -1,7 +1,30 @@
-# Firejail profile alias for google-earth
+# Firejail profile for google-earth-pro
 # This file is overwritten after every install/update
+# Persistent local customizations
+include google-earth-pro.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
-private-bin google-earth-pro
+# Google Earth Pro can show issues that make it unpleasant to use, even when running unsandboxed.
+# See https://wiki.archlinux.org/index.php/Google_Earth#Troubleshooting for details.
+# Firejailing this application will demand extra work, as there are issues only upstream can fix (see #3906).
+# As an alternative one could use the web version: https://earth.google.com/web/.
+# The desktop version from the AUR can be made to work with firejail by appending the below snippet
+# to /usr/bin/googleearth-pro:
+# <--- snippet --->
+# Post-shutdown cleaning
+#_lock_app_running="${HOME}/.googleearth/instance-running-lock"
+#[[ -L "$_lock_app_running" ]] && rm -f "${_lock_app_running:?}"
+#_lock_collada_cache="/tmp/geColladaModelCacheLock"
+#[[ -e "$_lock_collada_cache" ]] && rm -f "${_lock_collada_cache:?}"
+#_lock_icon_cache="/tmp/geIconCacheLock"
+#[[ -e "$_lock_icon_cache" ]] && rm -f "${_lock_icon_cache:?}"
+# <--- end of snippet --->
+# If you see errors about missing commands, uncomment the below or put 'ignore private-bin' into your google-earth-pro.local
+#ignore private-bin
+private-bin google-earth-pro,googleearth,googleearth-bin,gpsbabel,readlink,repair_tool,rm,which,xdg-mime,xdg-settings
 # Redirect
 include google-earth.profile
diff --git a/etc/profile-a-l/google-earth.profile b/etc/profile-a-l/google-earth.profile
index a331ef8d2..12b1cbafd 100644
--- a/etc/profile-a-l/google-earth.profile
+++ b/etc/profile-a-l/google-earth.profile
@@ -6,10 +6,7 @@ include google-earth.local
 include globals.local
 noblacklist ${HOME}/.config/Google
-noblacklist ${HOME}/.googleearth/Cache
+noblacklist ${HOME}/.googleearth
-noblacklist ${HOME}/.googleearth/Temp
-noblacklist ${HOME}/.googleearth/myplaces.backup.kml
-noblacklist ${HOME}/.googleearth/myplaces.kml
 include disable-common.inc
 include disable-devel.inc
@@ -19,15 +16,9 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 mkdir ${HOME}/.config/Google
-mkdir ${HOME}/.googleearth/Cache
+mkdir ${HOME}/.googleearth
-mkdir ${HOME}/.googleearth/Temp
-mkfile ${HOME}/.googleearth/myplaces.backup.kml
-mkfile ${HOME}/.googleearth/myplaces.kml
 whitelist ${HOME}/.config/Google
-whitelist ${HOME}/.googleearth/Cache
+whitelist ${HOME}/.googleearth
-whitelist ${HOME}/.googleearth/Temp
-whitelist ${HOME}/.googleearth/myplaces.backup.kml
-whitelist ${HOME}/.googleearth/myplaces.kml
 include whitelist-common.inc
 caps.drop all
diff --git a/etc/profile-a-l/gtar.profile b/etc/profile-a-l/gtar.profile
index 2391c121b..ccb97265e 100644
--- a/etc/profile-a-l/gtar.profile
+++ b/etc/profile-a-l/gtar.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for tar
 # This file is overwritten after every install/update
+# Persistent local customizations
+include gtar.local
 # Redirect
 include tar.profile
diff --git a/etc/profile-a-l/gummi.profile b/etc/profile-a-l/gummi.profile
index 40c268c46..2223c37a1 100644
--- a/etc/profile-a-l/gummi.profile
+++ b/etc/profile-a-l/gummi.profile
@@ -8,8 +8,13 @@ include globals.local
 noblacklist ${HOME}/.cache/gummi
 noblacklist ${HOME}/.config/gummi
+# Allow lua (blacklisted by disable-interpreters.inc)
 include allow-lua.inc
+# Allow perl (blacklisted by disable-interpreters.inc)
 include allow-perl.inc
+# Allow python (blacklisted by disable-interpreters.inc)
 include allow-python3.inc
 private-bin dvipdf,dvips,env,gummi,latex,latexmk,lua*,pdflatex,pdftex,perl,ps2pdf,python3*,rubber,synctex,tex,xelatex,xetex
diff --git a/etc/profile-a-l/guvcview.profile b/etc/profile-a-l/guvcview.profile
new file mode 100644
index 000000000..46fc06940
--- /dev/null
+++ b/etc/profile-a-l/guvcview.profile
@@ -0,0 +1,55 @@
+# Firejail profile for guvcview
+# Description: GTK+ base UVC Viewer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include guvcview.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.config/guvcview2
+noblacklist ${PICTURES}
+noblacklist ${VIDEOS}
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+mkdir ${HOME}/.config/guvcview2
+whitelist ${HOME}/.config/guvcview2
+whitelist ${PICTURES}
+whitelist ${VIDEOS}
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+protocol unix,netlink
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+disable-mnt
+private-bin guvcview
+private-cache
+private-dev
+private-etc alsa,alternatives,asound.conf,bumblebee,dconf,drirc,fonts,glvnd,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,nvidia,pango,pulse,X11
+private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/handbrake-gtk.profile b/etc/profile-a-l/handbrake-gtk.profile
index 1e7ce2350..317ebc99d 100644
--- a/etc/profile-a-l/handbrake-gtk.profile
+++ b/etc/profile-a-l/handbrake-gtk.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for handbrake
 # This file is overwritten after every install/update
+# Persistent local customizations
+include handbrake-gtk.local
 # Redirect
 include handbrake.profile
diff --git a/etc/profile-a-l/hexchat.profile b/etc/profile-a-l/hexchat.profile
index 86527aa1f..c60510260 100644
--- a/etc/profile-a-l/hexchat.profile
+++ b/etc/profile-a-l/hexchat.profile
@@ -8,13 +8,13 @@ include globals.local
 noblacklist ${HOME}/.config/hexchat
+# Allow perl (blacklisted by disable-interpreters.inc)
+include allow-perl.inc
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
 include allow-python3.inc
-# Allow perl (blacklisted by disable-interpreters.inc)
-include allow-perl.inc
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
diff --git a/etc/profile-a-l/i3.profile b/etc/profile-a-l/i3.profile
index c1ca0e413..e96b1843c 100644
--- a/etc/profile-a-l/i3.profile
+++ b/etc/profile-a-l/i3.profile
@@ -6,7 +6,7 @@ include i3.local
 # Persistent global definitions
 include globals.local
-# all applications started in awesome will run in this profile
+# all applications started in i3 will run in this profile
 noblacklist ${HOME}/.config/i3
 include disable-common.inc
diff --git a/etc/profile-a-l/iridium-browser.profile b/etc/profile-a-l/iridium-browser.profile
index c7ee64d56..e83a1132d 100644
--- a/etc/profile-a-l/iridium-browser.profile
+++ b/etc/profile-a-l/iridium-browser.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for iridium
 # This file is overwritten after every install/update
+# Persistent local customizations
+include iridium-browser.local
 # Redirect
 include iridium.profile
diff --git a/etc/profile-a-l/jumpnbump-menu.profile b/etc/profile-a-l/jumpnbump-menu.profile
index b1852b015..8d391b90f 100644
--- a/etc/profile-a-l/jumpnbump-menu.profile
+++ b/etc/profile-a-l/jumpnbump-menu.profile
@@ -7,6 +7,7 @@ include jumpnbump-menu.local
 # added by included profile
 #include globals.local
+# Allow python (blacklisted by disable-interpreters.inc)
 include allow-python3.inc
 private-bin jumpnbump-menu,python3*
diff --git a/etc/profile-a-l/kalgebramobile.profile b/etc/profile-a-l/kalgebramobile.profile
index d2394fe20..c7bd9c105 100644
--- a/etc/profile-a-l/kalgebramobile.profile
+++ b/etc/profile-a-l/kalgebramobile.profile
@@ -1,5 +1,8 @@
 # Firejail profile for kalgebramobile
 # This file is overwritten after every install/update
+# Persistent local customizations
+include kalgebramobile.local
 # Redirect
 include kalgebra.profile
diff --git a/etc/profile-a-l/karbon.profile b/etc/profile-a-l/karbon.profile
index d54d6d3d0..54d029c1a 100644
--- a/etc/profile-a-l/karbon.profile
+++ b/etc/profile-a-l/karbon.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for krita
 # This file is overwritten after every install/update
+# Persistent local customizations
+include karbon.local
 noblacklist ${HOME}/.local/share/kxmlgui5/karbon
 # Redirect
diff --git a/etc/profile-a-l/kazam.profile b/etc/profile-a-l/kazam.profile
index 9c095e106..7d9f4c22f 100644
--- a/etc/profile-a-l/kazam.profile
+++ b/etc/profile-a-l/kazam.profile
@@ -12,6 +12,7 @@ noblacklist ${PICTURES}
 noblacklist ${VIDEOS}
 noblacklist ${HOME}/.config/kazam
+# Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
 include allow-python3.inc
diff --git a/etc/profile-a-l/kdiff3.profile b/etc/profile-a-l/kdiff3.profile
new file mode 100644
index 000000000..8290e07f2
--- /dev/null
+++ b/etc/profile-a-l/kdiff3.profile
@@ -0,0 +1,52 @@
+# Firejail profile for kdiff3
+# Description: KDiff3 is a file and folder diff and merge tool.
+# This file is overwritten after every install/update
+# Persistent local customizations
+include kdiff3.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.config/kdiff3fileitemactionrc
+noblacklist ${HOME}/.config/kdiff3rc
+# Uncomment the next line (or put it into your kdiff3.local) if you don't need to compare files in disable-common.inc.
+#include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+# Uncomment the next line (or put it into your kdiff3.local) if you don't need to compare files in disable-programs.inc.
+#include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+           
+include whitelist-runuser-common.inc
+# Uncomment the next lines (or put it into your kdiff3.local) if you don't need to compare files in /usr/share.
+#include whitelist-usr-share-common.inc
+# Uncomment the next line (or put it into your kdiff3.local) if you don't need to compare files in /var.
+#include whitelist-var-common.inc
+apparmor
+caps.drop all
+machine-id
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+disable-mnt
+private-bin  kdiff3
+private-cache
+private-dev
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/keepass2.profile b/etc/profile-a-l/keepass2.profile
index aef236ccc..97fe987dd 100644
--- a/etc/profile-a-l/keepass2.profile
+++ b/etc/profile-a-l/keepass2.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for keepass
 # This file is overwritten after every install/update
+# Persistent local customizations
+include keepass2.local
 # Redirect
 include keepass.profile
diff --git a/etc/profile-a-l/keepassx2.profile b/etc/profile-a-l/keepassx2.profile
index fdd27e9f9..ed3d6701a 100644
--- a/etc/profile-a-l/keepassx2.profile
+++ b/etc/profile-a-l/keepassx2.profile
@@ -2,5 +2,8 @@
 # Description: Cross platform password manager
 # This file is overwritten after every install/update
+# Persistent local customizations
+include keepassx2.local
 # Redirects
 include keepassx.profile
diff --git a/etc/profile-a-l/klatexformula_cmdl.profile b/etc/profile-a-l/klatexformula_cmdl.profile
index 9137963c4..d599a80d0 100644
--- a/etc/profile-a-l/klatexformula_cmdl.profile
+++ b/etc/profile-a-l/klatexformula_cmdl.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for klatexformula_cmdl
 # This file is overwritten after every install/update
+# Persistent local customizations
+include klatexformula_cmdl.local
 # Redirect
 include klatexformula.profile
diff --git a/etc/profile-a-l/krunner.profile b/etc/profile-a-l/krunner.profile
index c64113c15..9cb5eff87 100644
--- a/etc/profile-a-l/krunner.profile
+++ b/etc/profile-a-l/krunner.profile
@@ -6,9 +6,9 @@ include krunner.local
 # Persistent global definitions
 include globals.local
-# - programs started in krunner run with this generic profile.
+# - programs started in krunner run with this generic profile
 # - when a file is opened in krunner, the file viewer runs in its own sandbox
-#   with its own profile, if it is sandboxed automatically.
+#   with its own profile, if it is sandboxed automatically
 # noblacklist ${HOME}/.cache/krunner
 # noblacklist ${HOME}/.cache/krunnerbookmarkrunnerfirefoxdbfile.sqlite*
diff --git a/etc/profile-a-l/lbunzip2.profile b/etc/profile-a-l/lbunzip2.profile
index 338d8c8bb..822383ff4 100644
--- a/etc/profile-a-l/lbunzip2.profile
+++ b/etc/profile-a-l/lbunzip2.profile
@@ -2,5 +2,8 @@
 # Description: GNU compression utilities
 # This file is overwritten after every install/update
+# Persistent local customizations
+include lbunzip2.local
 # Redirect
 include gzip.profile
diff --git a/etc/profile-a-l/lbzcat.profile b/etc/profile-a-l/lbzcat.profile
index 338d8c8bb..fe8badb58 100644
--- a/etc/profile-a-l/lbzcat.profile
+++ b/etc/profile-a-l/lbzcat.profile
@@ -2,5 +2,8 @@
 # Description: GNU compression utilities
 # This file is overwritten after every install/update
+# Persistent local customizations
+include lbzcat.local
 # Redirect
 include gzip.profile
diff --git a/etc/profile-a-l/lbzip2.profile b/etc/profile-a-l/lbzip2.profile
index 338d8c8bb..3f986fa44 100644
--- a/etc/profile-a-l/lbzip2.profile
+++ b/etc/profile-a-l/lbzip2.profile
@@ -2,5 +2,8 @@
 # Description: GNU compression utilities
 # This file is overwritten after every install/update
+# Persistent local customizations
+include lbzip2.local
 # Redirect
 include gzip.profile
diff --git a/etc/profile-a-l/lobase.profile b/etc/profile-a-l/lobase.profile
index 8348a57fe..51d76cae7 100644
--- a/etc/profile-a-l/lobase.profile
+++ b/etc/profile-a-l/lobase.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for libreoffice
 # This file is overwritten after every install/update
+# Persistent local customizations
+include lobase.local
 # Redirect
 include libreoffice.profile
diff --git a/etc/profile-a-l/localc.profile b/etc/profile-a-l/localc.profile
index 8348a57fe..df48a320c 100644
--- a/etc/profile-a-l/localc.profile
+++ b/etc/profile-a-l/localc.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for libreoffice
 # This file is overwritten after every install/update
+# Persistent local customizations
+include localc.local
 # Redirect
 include libreoffice.profile
diff --git a/etc/profile-a-l/lodraw.profile b/etc/profile-a-l/lodraw.profile
index 8348a57fe..bf5c8c456 100644
--- a/etc/profile-a-l/lodraw.profile
+++ b/etc/profile-a-l/lodraw.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for libreoffice
 # This file is overwritten after every install/update
+# Persistent local customizations
+include lodraw.local
 # Redirect
 include libreoffice.profile
diff --git a/etc/profile-a-l/loffice.profile b/etc/profile-a-l/loffice.profile
index 8348a57fe..5fbfdf443 100644
--- a/etc/profile-a-l/loffice.profile
+++ b/etc/profile-a-l/loffice.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for libreoffice
 # This file is overwritten after every install/update
+# Persistent local customizations
+include loffice.local
 # Redirect
 include libreoffice.profile
diff --git a/etc/profile-a-l/lofromtemplate.profile b/etc/profile-a-l/lofromtemplate.profile
index 8348a57fe..3decca6a8 100644
--- a/etc/profile-a-l/lofromtemplate.profile
+++ b/etc/profile-a-l/lofromtemplate.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for libreoffice
 # This file is overwritten after every install/update
+# Persistent local customizations
+include lofromtemplate.local
 # Redirect
 include libreoffice.profile
diff --git a/etc/profile-a-l/loimpress.profile b/etc/profile-a-l/loimpress.profile
index 8348a57fe..cc812d9a4 100644
--- a/etc/profile-a-l/loimpress.profile
+++ b/etc/profile-a-l/loimpress.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for libreoffice
 # This file is overwritten after every install/update
+# Persistent local customizations
+include loimpress.local
 # Redirect
 include libreoffice.profile
diff --git a/etc/profile-a-l/lomath.profile b/etc/profile-a-l/lomath.profile
index 8348a57fe..20c316568 100644
--- a/etc/profile-a-l/lomath.profile
+++ b/etc/profile-a-l/lomath.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for libreoffice
 # This file is overwritten after every install/update
+# Persistent local customizations
+include lomath.local
 # Redirect
 include libreoffice.profile
diff --git a/etc/profile-a-l/loweb.profile b/etc/profile-a-l/loweb.profile
index 8348a57fe..b44c545e8 100644
--- a/etc/profile-a-l/loweb.profile
+++ b/etc/profile-a-l/loweb.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for libreoffice
 # This file is overwritten after every install/update
+# Persistent local customizations
+include loweb.local
 # Redirect
 include libreoffice.profile
diff --git a/etc/profile-a-l/lowriter.profile b/etc/profile-a-l/lowriter.profile
index 8348a57fe..29f7cd89b 100644
--- a/etc/profile-a-l/lowriter.profile
+++ b/etc/profile-a-l/lowriter.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for libreoffice
 # This file is overwritten after every install/update
+# Persistent local customizations
+include lowriter.local
 # Redirect
 include libreoffice.profile
diff --git a/etc/profile-a-l/lyx.profile b/etc/profile-a-l/lyx.profile
index ffde057d5..fa69463d1 100644
--- a/etc/profile-a-l/lyx.profile
+++ b/etc/profile-a-l/lyx.profile
@@ -11,8 +11,13 @@ ignore private-tmp
 noblacklist ${HOME}/.config/LyX
 noblacklist ${HOME}/.lyx
+# Allow lua (blacklisted by disable-interpreters.inc)
 include allow-lua.inc
+# Allow perl (blacklisted by disable-interpreters.inc)
 include allow-perl.inc
+# Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
 include allow-python3.inc
diff --git a/etc/profile-a-l/lzcat.profile b/etc/profile-a-l/lzcat.profile
index d9c72407f..5370b0c0a 100644
--- a/etc/profile-a-l/lzcat.profile
+++ b/etc/profile-a-l/lzcat.profile
@@ -3,5 +3,8 @@
 # This file is overwritten after every install/update
 quiet
+# Persistent local customizations
+include lzcat.local
 # Redirect
 include cpio.profile
diff --git a/etc/profile-a-l/lzcmp.profile b/etc/profile-a-l/lzcmp.profile
index d9c72407f..2d963268e 100644
--- a/etc/profile-a-l/lzcmp.profile
+++ b/etc/profile-a-l/lzcmp.profile
@@ -3,5 +3,8 @@
 # This file is overwritten after every install/update
 quiet
+# Persistent local customizations
+include lzcmp.local
 # Redirect
 include cpio.profile
diff --git a/etc/profile-a-l/lzdiff.profile b/etc/profile-a-l/lzdiff.profile
index f7410b928..9baf94992 100644
--- a/etc/profile-a-l/lzdiff.profile
+++ b/etc/profile-a-l/lzdiff.profile
@@ -2,5 +2,8 @@
 # Description: Library and command line tools for XZ and LZMA compressed files
 # This file is overwritten after every install/update
+# Persistent local customizations
+include lzdiff.local
 # Redirect
 include cpio.profile
diff --git a/etc/profile-a-l/lzegrep.profile b/etc/profile-a-l/lzegrep.profile
index d9c72407f..7ca4615c4 100644
--- a/etc/profile-a-l/lzegrep.profile
+++ b/etc/profile-a-l/lzegrep.profile
@@ -3,5 +3,8 @@
 # This file is overwritten after every install/update
 quiet
+# Persistent local customizations
+include lzegrep.local
 # Redirect
 include cpio.profile
diff --git a/etc/profile-a-l/lzfgrep.profile b/etc/profile-a-l/lzfgrep.profile
index d9c72407f..8d2e498fb 100644
--- a/etc/profile-a-l/lzfgrep.profile
+++ b/etc/profile-a-l/lzfgrep.profile
@@ -3,5 +3,8 @@
 # This file is overwritten after every install/update
 quiet
+# Persistent local customizations
+include lzfgrep.local
 # Redirect
 include cpio.profile
diff --git a/etc/profile-a-l/lzgrep.profile b/etc/profile-a-l/lzgrep.profile
index d9c72407f..b66b2fb17 100644
--- a/etc/profile-a-l/lzgrep.profile
+++ b/etc/profile-a-l/lzgrep.profile
@@ -3,5 +3,8 @@
 # This file is overwritten after every install/update
 quiet
+# Persistent local customizations
+include lzgrep.local
 # Redirect
 include cpio.profile
diff --git a/etc/profile-a-l/lzip.profile b/etc/profile-a-l/lzip.profile
index d9c72407f..a7341b012 100644
--- a/etc/profile-a-l/lzip.profile
+++ b/etc/profile-a-l/lzip.profile
@@ -3,5 +3,8 @@
 # This file is overwritten after every install/update
 quiet
+# Persistent local customizations
+include lzip.local
 # Redirect
 include cpio.profile
diff --git a/etc/profile-a-l/lzless.profile b/etc/profile-a-l/lzless.profile
index d9c72407f..5730a332f 100644
--- a/etc/profile-a-l/lzless.profile
+++ b/etc/profile-a-l/lzless.profile
@@ -3,5 +3,8 @@
 # This file is overwritten after every install/update
 quiet
+# Persistent local customizations
+include lzless.local
 # Redirect
 include cpio.profile
diff --git a/etc/profile-a-l/lzma.profile b/etc/profile-a-l/lzma.profile
index d9c72407f..051dbe546 100644
--- a/etc/profile-a-l/lzma.profile
+++ b/etc/profile-a-l/lzma.profile
@@ -3,5 +3,8 @@
 # This file is overwritten after every install/update
 quiet
+# Persistent local customizations
+include lzma.local
 # Redirect
 include cpio.profile
diff --git a/etc/profile-a-l/lzmadec.profile b/etc/profile-a-l/lzmadec.profile
index 0c5ec1b09..b82ce69ae 100644
--- a/etc/profile-a-l/lzmadec.profile
+++ b/etc/profile-a-l/lzmadec.profile
@@ -2,5 +2,8 @@
 # Description: Library and command line tools for XZ and LZMA compressed files
 # This file is overwritten after every install/update
+# Persistent local customizations
+include lzmadec.local
 # Redirect
 include xzdec.profile
diff --git a/etc/profile-a-l/lzmainfo.profile b/etc/profile-a-l/lzmainfo.profile
index d9c72407f..0ab98429e 100644
--- a/etc/profile-a-l/lzmainfo.profile
+++ b/etc/profile-a-l/lzmainfo.profile
@@ -3,5 +3,8 @@
 # This file is overwritten after every install/update
 quiet
+# Persistent local customizations
+include lzmainfo.local
 # Redirect
 include cpio.profile
diff --git a/etc/profile-a-l/lzmore.profile b/etc/profile-a-l/lzmore.profile
index d9c72407f..df1867da0 100644
--- a/etc/profile-a-l/lzmore.profile
+++ b/etc/profile-a-l/lzmore.profile
@@ -3,5 +3,8 @@
 # This file is overwritten after every install/update
 quiet
+# Persistent local customizations
+include lzmore.local
 # Redirect
 include cpio.profile
diff --git a/etc/profile-m-z/Maps.profile b/etc/profile-m-z/Maps.profile
index c52d2f2da..109ce6859 100644
--- a/etc/profile-m-z/Maps.profile
+++ b/etc/profile-m-z/Maps.profile
@@ -1,6 +1,9 @@
 # Firejail profile for gnome-maps
 # This file is overwritten after every install/update
+# Persistent local customizations
+include Maps.local
 # Temporary fix for https://github.com/netblue30/firejail/issues/2624
 # Redirect
 include gnome-maps.profile
diff --git a/etc/profile-m-z/Natron.profile b/etc/profile-m-z/Natron.profile
index 42c22bf67..7923d01a7 100644
--- a/etc/profile-m-z/Natron.profile
+++ b/etc/profile-m-z/Natron.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for natron
 # This file is overwritten after every install/update
+# Persistent local customizations
+include Natron.local
 # Redirect
 include natron.profile
diff --git a/etc/profile-m-z/Screenshot.profile b/etc/profile-m-z/Screenshot.profile
index d4b083736..787ce8494 100644
--- a/etc/profile-m-z/Screenshot.profile
+++ b/etc/profile-m-z/Screenshot.profile
@@ -1,6 +1,9 @@
 # Firejail profile for gnome-screenshot
 # This file is overwritten after every install/update
+# Persistent local customizations
+include Screenshot.local
 # Temporary fix for https://github.com/netblue30/firejail/issues/2624
 # Redirect
 include gnome-screenshot.profile
diff --git a/etc/profile-m-z/Telegram.profile b/etc/profile-m-z/Telegram.profile
index 310e0237e..7600b1aa6 100644
--- a/etc/profile-m-z/Telegram.profile
+++ b/etc/profile-m-z/Telegram.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for telegram
 # This file is overwritten after every install/update
+# Persistent local customizations
+include Telegram.local
 # Redirect
 include telegram.profile
diff --git a/etc/profile-m-z/VirtualBox.profile b/etc/profile-m-z/VirtualBox.profile
index 4c99ae9a3..4384b7647 100644
--- a/etc/profile-m-z/VirtualBox.profile
+++ b/etc/profile-m-z/VirtualBox.profile
@@ -2,5 +2,8 @@
 # Description: x86 virtualization solution
 # This file is overwritten after every install/update
+# Persistent local customizations
+include VirtualBox.local
 # Redirect
 include virtualbox.profile
diff --git a/etc/profile-m-z/mate-calculator.profile b/etc/profile-m-z/mate-calculator.profile
index bb438f5f0..e8320df63 100644
--- a/etc/profile-m-z/mate-calculator.profile
+++ b/etc/profile-m-z/mate-calculator.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for mate-calc
 # This file is overwritten after every install/update
+# Persistent local customizations
+include mate-calculator.local
 # Redirect
 include mate-calc.profile
diff --git a/etc/profile-m-z/mathematica.profile b/etc/profile-m-z/mathematica.profile
index 964060350..cee16eedc 100644
--- a/etc/profile-m-z/mathematica.profile
+++ b/etc/profile-m-z/mathematica.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for Mathematica
 # This file is overwritten after every install/update
+# Persistent local customizations
+include mathematica.local
 # Redirect
 include Mathematica.profile
diff --git a/etc/profile-m-z/megaglest_editor.profile b/etc/profile-m-z/megaglest_editor.profile
index 02aad8084..304285915 100644
--- a/etc/profile-m-z/megaglest_editor.profile
+++ b/etc/profile-m-z/megaglest_editor.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for megaglest
 # This file is overwritten after every install/update
+# Persistent local customizations
+include megaglest_editor.local
 # Redirect
 include megaglest.profile
diff --git a/etc/profile-m-z/meld.profile b/etc/profile-m-z/meld.profile
index 6ceeb867f..1a68cd37d 100644
--- a/etc/profile-m-z/meld.profile
+++ b/etc/profile-m-z/meld.profile
@@ -6,11 +6,11 @@ include meld.local
 # Persistent global definitions
 include globals.local
-# If you want to use meld as git-mergetool (and maybe some other VCS integrations) you need
+# If you want to use meld as git mergetool (and maybe some other VCS integrations) you need
 # to bypass firejail, you can do this by removing the symlink or calling it by its absolute path
 # Removing the symlink:
 #  sudo rm /usr/local/bin/meld
-# Calling by its absolute path (example for git-mergetool):
+# Calling it by its absolute path (example for git mergetool):
 #  git config --global mergetool.meld.cmd /usr/bin/meld
 noblacklist ${HOME}/.config/meld
@@ -22,10 +22,9 @@ noblacklist ${HOME}/.ssh
 noblacklist ${HOME}/.subversion
 # Allow python (blacklisted by disable-interpreters.inc)
-include allow-python3.inc
 # Python 2 is EOL (see #3164). Uncomment the next line (or put it into your meld.local) if you understand the risks but want python 2 support for older meld versions.
 #include allow-python2.inc
+include allow-python3.inc
 # Uncomment the next line (or put it into your meld.local) if you don't need to compare files in disable-common.inc.
 #include disable-common.inc
diff --git a/etc/profile-m-z/menulibre.profile b/etc/profile-m-z/menulibre.profile
index 8a98209a2..e29e4bc70 100644
--- a/etc/profile-m-z/menulibre.profile
+++ b/etc/profile-m-z/menulibre.profile
@@ -6,6 +6,7 @@ include menulibre.local
 # Persistent global definitions
 include globals.local
+# Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
 include allow-python3.inc
diff --git a/etc/profile-m-z/mirage.profile b/etc/profile-m-z/mirage.profile
index 7130267e8..e0ebb4895 100644
--- a/etc/profile-m-z/mirage.profile
+++ b/etc/profile-m-z/mirage.profile
@@ -11,6 +11,7 @@ noblacklist ${HOME}/.config/mirage
 noblacklist ${HOME}/.local/share/mirage
 noblacklist /sbin
+# Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
 include allow-python3.inc
diff --git a/etc/profile-m-z/mpv.profile b/etc/profile-m-z/mpv.profile
index 7111febc2..1804389c3 100644
--- a/etc/profile-m-z/mpv.profile
+++ b/etc/profile-m-z/mpv.profile
@@ -30,6 +30,7 @@ noblacklist ${HOME}/.netrc
 # Allow lua (blacklisted by disable-interpreters.inc)
 include allow-lua.inc
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
 include allow-python3.inc
diff --git a/etc/profile-m-z/multimc.profile b/etc/profile-m-z/multimc.profile
index 338f494c9..bd9e3adce 100644
--- a/etc/profile-m-z/multimc.profile
+++ b/etc/profile-m-z/multimc.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for multimc5
 # This file is overwritten after every install/update
+# Persistent local customizations
+include multimc.local
 # Redirect
 include multimc5.profile
diff --git a/etc/profile-m-z/mypaint-ora-thumbnailer.profile b/etc/profile-m-z/mypaint-ora-thumbnailer.profile
index 59b3024ed..66500048e 100644
--- a/etc/profile-m-z/mypaint-ora-thumbnailer.profile
+++ b/etc/profile-m-z/mypaint-ora-thumbnailer.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for mypaint-ora-thumbnailer
 # This file is overwritten after every install/update
+# Persistent local customizations
+include mypaint-ora-thumbnailer.local
 # Redirect
 include mypaint.profile
diff --git a/etc/profile-m-z/nicotine.profile b/etc/profile-m-z/nicotine.profile
index 6c363345e..3bf32a3db 100644
--- a/etc/profile-m-z/nicotine.profile
+++ b/etc/profile-m-z/nicotine.profile
@@ -8,6 +8,7 @@ include globals.local
 noblacklist ${HOME}/.nicotine
+# Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
 include disable-common.inc
diff --git a/etc/profile-m-z/nitroshare-cli.profile b/etc/profile-m-z/nitroshare-cli.profile
index d9cb2edc5..6e73afe9e 100644
--- a/etc/profile-m-z/nitroshare-cli.profile
+++ b/etc/profile-m-z/nitroshare-cli.profile
@@ -2,5 +2,8 @@
 # Description: Network File Transfer Application
 # This file is overwritten after every install/update
+# Persistent local customizations
+include nitroshare-cli.local
 # Redirect
 include nitroshare.profile
diff --git a/etc/profile-m-z/nitroshare-nmh.profile b/etc/profile-m-z/nitroshare-nmh.profile
index d9cb2edc5..bda2c193d 100644
--- a/etc/profile-m-z/nitroshare-nmh.profile
+++ b/etc/profile-m-z/nitroshare-nmh.profile
@@ -2,5 +2,8 @@
 # Description: Network File Transfer Application
 # This file is overwritten after every install/update
+# Persistent local customizations
+include nitroshare-nmh.local
 # Redirect
 include nitroshare.profile
diff --git a/etc/profile-m-z/nitroshare-send.profile b/etc/profile-m-z/nitroshare-send.profile
index d9cb2edc5..659742469 100644
--- a/etc/profile-m-z/nitroshare-send.profile
+++ b/etc/profile-m-z/nitroshare-send.profile
@@ -2,5 +2,8 @@
 # Description: Network File Transfer Application
 # This file is overwritten after every install/update
+# Persistent local customizations
+include nitroshare-send.local
 # Redirect
 include nitroshare.profile
diff --git a/etc/profile-m-z/nitroshare-ui.profile b/etc/profile-m-z/nitroshare-ui.profile
index d9cb2edc5..ccda2b58b 100644
--- a/etc/profile-m-z/nitroshare-ui.profile
+++ b/etc/profile-m-z/nitroshare-ui.profile
@@ -2,5 +2,8 @@
 # Description: Network File Transfer Application
 # This file is overwritten after every install/update
+# Persistent local customizations
+include nitroshare-ui.local
 # Redirect
 include nitroshare.profile
diff --git a/etc/profile-m-z/onboard.profile b/etc/profile-m-z/onboard.profile
index f7cb8790b..152bd7ac5 100644
--- a/etc/profile-m-z/onboard.profile
+++ b/etc/profile-m-z/onboard.profile
@@ -8,6 +8,7 @@ include globals.local
 noblacklist ${HOME}/.config/onboard
+# Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
 include allow-python3.inc
diff --git a/etc/profile-m-z/ooffice.profile b/etc/profile-m-z/ooffice.profile
index 8348a57fe..ba8bdae01 100644
--- a/etc/profile-m-z/ooffice.profile
+++ b/etc/profile-m-z/ooffice.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for libreoffice
 # This file is overwritten after every install/update
+# Persistent local customizations
+include ooffice.local
 # Redirect
 include libreoffice.profile
diff --git a/etc/profile-m-z/ooviewdoc.profile b/etc/profile-m-z/ooviewdoc.profile
index 8348a57fe..4a9f434f7 100644
--- a/etc/profile-m-z/ooviewdoc.profile
+++ b/etc/profile-m-z/ooviewdoc.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for libreoffice
 # This file is overwritten after every install/update
+# Persistent local customizations
+include ooviewdoc.local
 # Redirect
 include libreoffice.profile
diff --git a/etc/profile-m-z/openarena_ded.profile b/etc/profile-m-z/openarena_ded.profile
index c529e7e11..f8dbf792d 100644
--- a/etc/profile-m-z/openarena_ded.profile
+++ b/etc/profile-m-z/openarena_ded.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for openarena
 # This file is overwritten after every install/update
+# Persistent local customizations
+include openarena_ded.local
 # Redirect
 include openarena.profile
diff --git a/etc/profile-m-z/openbox.profile b/etc/profile-m-z/openbox.profile
index 1fb93c79c..b49fd9932 100644
--- a/etc/profile-m-z/openbox.profile
+++ b/etc/profile-m-z/openbox.profile
@@ -6,7 +6,7 @@ include openbox.local
 # Persistent global definitions
 include globals.local
-# all applications started in OpenBox will run in this profile
+# all applications started in openbox will run in this profile
 noblacklist ${HOME}/.config/openbox
 include disable-common.inc
diff --git a/etc/profile-m-z/openoffice.org.profile b/etc/profile-m-z/openoffice.org.profile
index 8348a57fe..189867742 100644
--- a/etc/profile-m-z/openoffice.org.profile
+++ b/etc/profile-m-z/openoffice.org.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for libreoffice
 # This file is overwritten after every install/update
+# Persistent local customizations
+include openoffice.org.local
 # Redirect
 include libreoffice.profile
diff --git a/etc/profile-m-z/openshot-qt.profile b/etc/profile-m-z/openshot-qt.profile
index 2f886d2ac..833a375f6 100644
--- a/etc/profile-m-z/openshot-qt.profile
+++ b/etc/profile-m-z/openshot-qt.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for openshot
 # This file is overwritten after every install/update
+# Persistent local customizations
+include openshot-qt.local
 # Redirect
 include openshot.profile
diff --git a/etc/profile-m-z/pkglog.profile b/etc/profile-m-z/pkglog.profile
new file mode 100644
index 000000000..cc4f016c5
--- /dev/null
+++ b/etc/profile-m-z/pkglog.profile
@@ -0,0 +1,59 @@
+# Firejail profile for pklog
+# Description: Reports log of package updates
+# This file is overwritten after every install/update
+# Persistent local customizations
+include pkglog.local
+# Persistent global definitions
+include globals.local
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python3.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+whitelist /var/log/apt/history.log
+whitelist /var/log/dnf.rpm.log
+whitelist /var/log/pacman.log
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+seccomp
+shell none
+tracelog
+disable-mnt
+private
+private-bin pkglog,python*
+private-cache
+private-dev
+private-etc alternatives
+private-opt none
+private-tmp
+writable-var-log
+dbus-user none
+dbus-system none
+memory-deny-write-execute
+read-only ${HOME}
+read-only /var/log/apt/history.log
+read-only /var/log/dnf.rpm.log
+read-only /var/log/pacman.log
diff --git a/etc/profile-m-z/playonlinux.profile b/etc/profile-m-z/playonlinux.profile
index 0ebef226a..8e98905b5 100644
--- a/etc/profile-m-z/playonlinux.profile
+++ b/etc/profile-m-z/playonlinux.profile
@@ -12,9 +12,12 @@ noblacklist ${HOME}/.PlayOnLinux
 # nc is needed to run playonlinux
 noblacklist ${PATH}/nc
+# Allow perl (blacklisted by disable-interpreters.inc)
+include allow-perl.inc
+# Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
 include allow-python3.inc
-include allow-perl.inc
 # Redirect
 include wine.profile
diff --git a/etc/profile-m-z/plv.profile b/etc/profile-m-z/plv.profile
index 7ff59ea77..7f7ae4204 100644
--- a/etc/profile-m-z/plv.profile
+++ b/etc/profile-m-z/plv.profile
@@ -18,7 +18,7 @@ include disable-xdg.inc
 mkdir ${HOME}/.config/PacmanLogViewer
 whitelist ${HOME}/.config/PacmanLogViewer
-whitelist /var/log/pacman*
+whitelist /var/log/pacman.log
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-runuser-common.inc
@@ -57,3 +57,4 @@ dbus-system none
 #memory-deny-write-execute - breaks opening file-chooser
 read-only ${HOME}
 read-write ${HOME}/.config/PacmanLogViewer
+read-only /var/log/pacman.log
diff --git a/etc/profile-m-z/pycharm-professional.profile b/etc/profile-m-z/pycharm-professional.profile
index a14d0268b..72f9c2dc3 100644
--- a/etc/profile-m-z/pycharm-professional.profile
+++ b/etc/profile-m-z/pycharm-professional.profile
@@ -1,6 +1,9 @@
 # Firejail profilen alias for pycharm-professional
 # This file is overwritten after every install/update
+# Persistent local customizations
+include pyucharm-professional.local
 noblacklist ${HOME}/.PyCharm*
 # Redirect
diff --git a/etc/profile-m-z/pzstd.profile b/etc/profile-m-z/pzstd.profile
index ce9af3286..0c83e561c 100644
--- a/etc/profile-m-z/pzstd.profile
+++ b/etc/profile-m-z/pzstd.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for zstd
 # This file is overwritten after every install/update
+# Persistent local customizations
+include pzstd.local
 # Redirect
 include zstd.profile
diff --git a/etc/profile-m-z/runenpass.sh.profile b/etc/profile-m-z/runenpass.sh.profile
index 64432c171..d4c4f9234 100644
--- a/etc/profile-m-z/runenpass.sh.profile
+++ b/etc/profile-m-z/runenpass.sh.profile
@@ -1,5 +1,8 @@
 # Firejail alias profile for enpass
 # This file is overwritten after every install/update
+# Persistent local customizations
+include runenpass.sh.local
 # Redirect
 include enpass.profile
diff --git a/etc/profile-m-z/seamonkey-bin.profile b/etc/profile-m-z/seamonkey-bin.profile
index 532294950..accb0a750 100644
--- a/etc/profile-m-z/seamonkey-bin.profile
+++ b/etc/profile-m-z/seamonkey-bin.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for seamonkey
 # This file is overwritten after every install/update
+# Persistent local customizations
+include seamonkey-bin.local
 # Redirect
 include seamonkey.profile
diff --git a/etc/profile-m-z/smplayer.profile b/etc/profile-m-z/smplayer.profile
index 8ffc47ff6..9d6db4cdb 100644
--- a/etc/profile-m-z/smplayer.profile
+++ b/etc/profile-m-z/smplayer.profile
@@ -10,7 +10,10 @@ noblacklist ${HOME}/.config/smplayer
 noblacklist ${HOME}/.config/youtube-dl
 noblacklist ${HOME}/.mplayer
+# Allow lua (blacklisted by disable-interpreters.inc)
 include allow-lua.inc
+# Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
 include allow-python3.inc
diff --git a/etc/profile-m-z/soffice.profile b/etc/profile-m-z/soffice.profile
index 8348a57fe..382030a9e 100644
--- a/etc/profile-m-z/soffice.profile
+++ b/etc/profile-m-z/soffice.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for libreoffice
 # This file is overwritten after every install/update
+# Persistent local customizations
+include soffice.local
 # Redirect
 include libreoffice.profile
diff --git a/etc/profile-m-z/steam-native.profile b/etc/profile-m-z/steam-native.profile
index 47608ad28..c7cec55c7 100644
--- a/etc/profile-m-z/steam-native.profile
+++ b/etc/profile-m-z/steam-native.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for steam
 # This file is overwritten after every install/update
+# Persistent local customizations
+include steam-native.local
 # Redirect
 include steam.profile
diff --git a/etc/profile-m-z/steam-runtime.profile b/etc/profile-m-z/steam-runtime.profile
index 47608ad28..d1cf6d7f0 100644
--- a/etc/profile-m-z/steam-runtime.profile
+++ b/etc/profile-m-z/steam-runtime.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for steam
 # This file is overwritten after every install/update
+# Persistent local customizations
+include steam-runtime.local
 # Redirect
 include steam.profile
diff --git a/etc/profile-m-z/straw-viewer.profile b/etc/profile-m-z/straw-viewer.profile
index 721ad38ee..2ae35d211 100644
--- a/etc/profile-m-z/straw-viewer.profile
+++ b/etc/profile-m-z/straw-viewer.profile
@@ -10,8 +10,13 @@ include globals.local
 noblacklist ${HOME}/.cache/straw-viewer
 noblacklist ${HOME}/.config/straw-viewer
+# Allow lua (blacklisted by disable-interpreters.inc)
 include allow-lua.inc
+# Allow perl (blacklisted by disable-interpreters.inc)
 include allow-perl.inc
+# Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
 include allow-python3.inc
diff --git a/etc/profile-m-z/studio.sh.profile b/etc/profile-m-z/studio.sh.profile
index 79e879f36..d23de7c05 100644
--- a/etc/profile-m-z/studio.sh.profile
+++ b/etc/profile-m-z/studio.sh.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for Android Studio
 # This file is overwritten after every install/update
+# Persistent local customizations
+include studio.sh.local
 # Redirect
 include android-studio.profile
diff --git a/etc/profile-m-z/telegram-desktop.profile b/etc/profile-m-z/telegram-desktop.profile
index 0cfa7114b..bf3a1ca81 100644
--- a/etc/profile-m-z/telegram-desktop.profile
+++ b/etc/profile-m-z/telegram-desktop.profile
@@ -2,5 +2,8 @@
 # Description: Official Telegram Desktop client
 # This file is overwritten after every install/update
+# Persistent local customizations
+include tekegram-desktop.local
 # Redirect
 include telegram.profile
diff --git a/etc/profile-m-z/thunar.profile b/etc/profile-m-z/thunar.profile
index 19993016a..49492c88f 100644
--- a/etc/profile-m-z/thunar.profile
+++ b/etc/profile-m-z/thunar.profile
@@ -2,5 +2,8 @@
 # Description: Modern file manager for Xfce
 # This file is overwritten after every install/update
+# Persistent local customizations
+include thunar.local
 # Redirect
 include Thunar.profile
diff --git a/etc/profile-m-z/thunderbird-beta.profile b/etc/profile-m-z/thunderbird-beta.profile
index 6450e40d6..cec98ce12 100644
--- a/etc/profile-m-z/thunderbird-beta.profile
+++ b/etc/profile-m-z/thunderbird-beta.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for thunderbird-beta
 # This file is overwritten after every install/update
+# Persistent local customizations
+include thunderbird-beta.local
 private-opt thunderbird-beta
 # Redirect
diff --git a/etc/profile-m-z/tor-browser-ar.profile b/etc/profile-m-z/tor-browser-ar.profile
index 612b2d01b..7254d20fb 100644
--- a/etc/profile-m-z/tor-browser-ar.profile
+++ b/etc/profile-m-z/tor-browser-ar.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
+# Persistent global definitions
+include tor-browser-ar.local
 noblacklist ${HOME}/.tor-browser-ar
 mkdir ${HOME}/.tor-browser-ar
diff --git a/etc/profile-m-z/tor-browser-ca.profile b/etc/profile-m-z/tor-browser-ca.profile
index db70a7109..bf6bfc9f6 100644
--- a/etc/profile-m-z/tor-browser-ca.profile
+++ b/etc/profile-m-z/tor-browser-ca.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
+# Persistent global definitions
+include tor-browser-ca.local
 noblacklist ${HOME}/.tor-browser-ca
 mkdir ${HOME}/.tor-browser-ca
diff --git a/etc/profile-m-z/tor-browser-cs.profile b/etc/profile-m-z/tor-browser-cs.profile
index 77b271b68..caf8f32c7 100644
--- a/etc/profile-m-z/tor-browser-cs.profile
+++ b/etc/profile-m-z/tor-browser-cs.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
+# Persistent global definitions
+include tor-browser-cs.local
 noblacklist ${HOME}/.tor-browser-cs
 mkdir ${HOME}/.tor-browser-cs
diff --git a/etc/profile-m-z/tor-browser-da.profile b/etc/profile-m-z/tor-browser-da.profile
index 3b9fff9a4..965036212 100644
--- a/etc/profile-m-z/tor-browser-da.profile
+++ b/etc/profile-m-z/tor-browser-da.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
+# Persistent global definitions
+include tor-browser-da.local
 noblacklist ${HOME}/.tor-browser-da
 mkdir ${HOME}/.tor-browser-da
diff --git a/etc/profile-m-z/tor-browser-de.profile b/etc/profile-m-z/tor-browser-de.profile
index 3b4f7f94f..913dc4771 100644
--- a/etc/profile-m-z/tor-browser-de.profile
+++ b/etc/profile-m-z/tor-browser-de.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
+# Persistent global definitions
+include tor-browser-de.local
 noblacklist ${HOME}/.tor-browser-de
 mkdir ${HOME}/.tor-browser-de
diff --git a/etc/profile-m-z/tor-browser-el.profile b/etc/profile-m-z/tor-browser-el.profile
index b978b6042..c0a3b64ad 100644
--- a/etc/profile-m-z/tor-browser-el.profile
+++ b/etc/profile-m-z/tor-browser-el.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
+# Persistent global definitions
+include tor-browser-el.local
 noblacklist ${HOME}/.tor-browser-el
 mkdir ${HOME}/.tor-browser-el
diff --git a/etc/profile-m-z/tor-browser-en-us.profile b/etc/profile-m-z/tor-browser-en-us.profile
index db56dda1b..662bc6b18 100644
--- a/etc/profile-m-z/tor-browser-en-us.profile
+++ b/etc/profile-m-z/tor-browser-en-us.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
+# Persistent global definitions
+include tor-browser-en-us.local
 noblacklist ${HOME}/.tor-browser-en-us
 mkdir ${HOME}/.tor-browser-en-us
diff --git a/etc/profile-m-z/tor-browser-en.profile b/etc/profile-m-z/tor-browser-en.profile
index ad4110c0e..1bbd88f91 100644
--- a/etc/profile-m-z/tor-browser-en.profile
+++ b/etc/profile-m-z/tor-browser-en.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
+# Persistent global definitions
+include tor-browser-en.local
 noblacklist ${HOME}/.tor-browser-en
 mkdir ${HOME}/.tor-browser-en
diff --git a/etc/profile-m-z/tor-browser-es-es.profile b/etc/profile-m-z/tor-browser-es-es.profile
index 1aa586658..ac5aa1247 100644
--- a/etc/profile-m-z/tor-browser-es-es.profile
+++ b/etc/profile-m-z/tor-browser-es-es.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
+# Persistent global definitions
+include tor-browser-es-es.local
 noblacklist ${HOME}/.tor-browser-es-es
 mkdir ${HOME}/.tor-browser-es-es
diff --git a/etc/profile-m-z/tor-browser-es.profile b/etc/profile-m-z/tor-browser-es.profile
index a386e3387..8ff12eedf 100644
--- a/etc/profile-m-z/tor-browser-es.profile
+++ b/etc/profile-m-z/tor-browser-es.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
+# Persistent global definitions
+include tor-browser-es.local
 noblacklist ${HOME}/.tor-browser-es
 mkdir ${HOME}/.tor-browser-es
diff --git a/etc/profile-m-z/tor-browser-fa.profile b/etc/profile-m-z/tor-browser-fa.profile
index 7f847a7c2..f897c5708 100644
--- a/etc/profile-m-z/tor-browser-fa.profile
+++ b/etc/profile-m-z/tor-browser-fa.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
+# Persistent global definitions
+include tor-browser-fa.local
 noblacklist ${HOME}/.tor-browser-fa
 mkdir ${HOME}/.tor-browser-fa
diff --git a/etc/profile-m-z/tor-browser-fr.profile b/etc/profile-m-z/tor-browser-fr.profile
index bce470ec8..f4dcd579e 100644
--- a/etc/profile-m-z/tor-browser-fr.profile
+++ b/etc/profile-m-z/tor-browser-fr.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
+# Persistent global definitions
+include tor-browser-fr.local
 noblacklist ${HOME}/.tor-browser-fr
 mkdir ${HOME}/.tor-browser-fr
diff --git a/etc/profile-m-z/tor-browser-ga-ie.profile b/etc/profile-m-z/tor-browser-ga-ie.profile
index 994897a87..6dddef637 100644
--- a/etc/profile-m-z/tor-browser-ga-ie.profile
+++ b/etc/profile-m-z/tor-browser-ga-ie.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
+# Persistent global definitions
+include tor-browser-ga-ie.local
 noblacklist ${HOME}/.tor-browser-ga-ie
 mkdir ${HOME}/.tor-browser-ga-ie
diff --git a/etc/profile-m-z/tor-browser-he.profile b/etc/profile-m-z/tor-browser-he.profile
index 6367b4c0a..c3e2dd11c 100644
--- a/etc/profile-m-z/tor-browser-he.profile
+++ b/etc/profile-m-z/tor-browser-he.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
+# Persistent global definitions
+include tor-browser-he.local
 noblacklist ${HOME}/.tor-browser-he
 mkdir ${HOME}/.tor-browser-he
diff --git a/etc/profile-m-z/tor-browser-hu.profile b/etc/profile-m-z/tor-browser-hu.profile
index 68e79833e..469db7374 100644
--- a/etc/profile-m-z/tor-browser-hu.profile
+++ b/etc/profile-m-z/tor-browser-hu.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
+# Persistent global definitions
+include tor-browser-hu.local
 noblacklist ${HOME}/.tor-browser-hu
 mkdir ${HOME}/.tor-browser-hu
diff --git a/etc/profile-m-z/tor-browser-id.profile b/etc/profile-m-z/tor-browser-id.profile
index 85b455ba2..db111c92c 100644
--- a/etc/profile-m-z/tor-browser-id.profile
+++ b/etc/profile-m-z/tor-browser-id.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
+# Persistent global definitions
+include tor-browser-id.local
 noblacklist ${HOME}/.tor-browser-id
 mkdir ${HOME}/.tor-browser-id
diff --git a/etc/profile-m-z/tor-browser-is.profile b/etc/profile-m-z/tor-browser-is.profile
index 48e88db71..32a8c9ca7 100644
--- a/etc/profile-m-z/tor-browser-is.profile
+++ b/etc/profile-m-z/tor-browser-is.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
+# Persistent global definitions
+include tor-browser-is.local
 noblacklist ${HOME}/.tor-browser-is
 mkdir ${HOME}/.tor-browser-is
diff --git a/etc/profile-m-z/tor-browser-it.profile b/etc/profile-m-z/tor-browser-it.profile
index 3c239ca29..d53dd9136 100644
--- a/etc/profile-m-z/tor-browser-it.profile
+++ b/etc/profile-m-z/tor-browser-it.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
+# Persistent global definitions
+include tor-browser-it.local
 noblacklist ${HOME}/.tor-browser-it
 mkdir ${HOME}/.tor-browser-it
diff --git a/etc/profile-m-z/tor-browser-ja.profile b/etc/profile-m-z/tor-browser-ja.profile
index c52e0f64e..8886d3ff0 100644
--- a/etc/profile-m-z/tor-browser-ja.profile
+++ b/etc/profile-m-z/tor-browser-ja.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
+# Persistent global definitions
+include tor-browser-ja.local
 noblacklist ${HOME}/.tor-browser-ja
 mkdir ${HOME}/.tor-browser-ja
diff --git a/etc/profile-m-z/tor-browser-ka.profile b/etc/profile-m-z/tor-browser-ka.profile
index 173b85e5c..d3d36c426 100644
--- a/etc/profile-m-z/tor-browser-ka.profile
+++ b/etc/profile-m-z/tor-browser-ka.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
+# Persistent global definitions
+include tor-browser-ka.local
 noblacklist ${HOME}/.tor-browser-ka
 mkdir ${HOME}/.tor-browser-ka
diff --git a/etc/profile-m-z/tor-browser-ko.profile b/etc/profile-m-z/tor-browser-ko.profile
index 8faa5afa1..59f9f966f 100644
--- a/etc/profile-m-z/tor-browser-ko.profile
+++ b/etc/profile-m-z/tor-browser-ko.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
+# Persistent global definitions
+include tor-browser-ko.local
 noblacklist ${HOME}/.tor-browser-ko
 mkdir ${HOME}/.tor-browser-ko
diff --git a/etc/profile-m-z/tor-browser-nb.profile b/etc/profile-m-z/tor-browser-nb.profile
index d1352dd80..c133ca673 100644
--- a/etc/profile-m-z/tor-browser-nb.profile
+++ b/etc/profile-m-z/tor-browser-nb.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
+# Persistent global definitions
+include tor-browser-nb.local
 noblacklist ${HOME}/.tor-browser-nb
 mkdir ${HOME}/.tor-browser-nb
diff --git a/etc/profile-m-z/tor-browser-nl.profile b/etc/profile-m-z/tor-browser-nl.profile
index d4443cca2..1bebc1ffb 100644
--- a/etc/profile-m-z/tor-browser-nl.profile
+++ b/etc/profile-m-z/tor-browser-nl.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
+# Persistent global definitions
+include tor-browser-nl.local
 noblacklist ${HOME}/.tor-browser-nl
 mkdir ${HOME}/.tor-browser-nl
diff --git a/etc/profile-m-z/tor-browser-pl.profile b/etc/profile-m-z/tor-browser-pl.profile
index 08ddd4ae7..a83c0b6f3 100644
--- a/etc/profile-m-z/tor-browser-pl.profile
+++ b/etc/profile-m-z/tor-browser-pl.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
+# Persistent global definitions
+include tor-browser-pl.local
 noblacklist ${HOME}/.tor-browser-pl
 mkdir ${HOME}/.tor-browser-pl
diff --git a/etc/profile-m-z/tor-browser-pt-br.profile b/etc/profile-m-z/tor-browser-pt-br.profile
index 9942a3fe8..7c0ba0879 100644
--- a/etc/profile-m-z/tor-browser-pt-br.profile
+++ b/etc/profile-m-z/tor-browser-pt-br.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
+# Persistent global definitions
+include tor-browser-pt-br.local
 noblacklist ${HOME}/.tor-browser-pt-br
 mkdir ${HOME}/.tor-browser-pt-br
diff --git a/etc/profile-m-z/tor-browser-ru.profile b/etc/profile-m-z/tor-browser-ru.profile
index 6294f8ca0..374caa4fe 100644
--- a/etc/profile-m-z/tor-browser-ru.profile
+++ b/etc/profile-m-z/tor-browser-ru.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
+# Persistent global definitions
+include tor-browser-ru.local
 noblacklist ${HOME}/.tor-browser-ru
 mkdir ${HOME}/.tor-browser-ru
diff --git a/etc/profile-m-z/tor-browser-sv-se.profile b/etc/profile-m-z/tor-browser-sv-se.profile
index c8544262f..41dbaf792 100644
--- a/etc/profile-m-z/tor-browser-sv-se.profile
+++ b/etc/profile-m-z/tor-browser-sv-se.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
+# Persistent global definitions
+include tor-browser-sv-se.local
 noblacklist ${HOME}/.tor-browser-sv-se
 mkdir ${HOME}/.tor-browser-sv-se
diff --git a/etc/profile-m-z/tor-browser-tr.profile b/etc/profile-m-z/tor-browser-tr.profile
index 2343fa8de..0981caa73 100644
--- a/etc/profile-m-z/tor-browser-tr.profile
+++ b/etc/profile-m-z/tor-browser-tr.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
+# Persistent global definitions
+include tor-browser-tr.local
 noblacklist ${HOME}/.tor-browser-tr
 mkdir ${HOME}/.tor-browser-tr
diff --git a/etc/profile-m-z/tor-browser-vi.profile b/etc/profile-m-z/tor-browser-vi.profile
index 734c38698..3d321787a 100644
--- a/etc/profile-m-z/tor-browser-vi.profile
+++ b/etc/profile-m-z/tor-browser-vi.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
+# Persistent global definitions
+include tor-browser-vi.local
 noblacklist ${HOME}/.tor-browser-vi
 mkdir ${HOME}/.tor-browser-vi
diff --git a/etc/profile-m-z/tor-browser-zh-cn.profile b/etc/profile-m-z/tor-browser-zh-cn.profile
index 21e813e45..977993f26 100644
--- a/etc/profile-m-z/tor-browser-zh-cn.profile
+++ b/etc/profile-m-z/tor-browser-zh-cn.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
+# Persistent global definitions
+include tor-browser-zh-cn.local
 noblacklist ${HOME}/.tor-browser-zh-cn
 mkdir ${HOME}/.tor-browser-zh-cn
diff --git a/etc/profile-m-z/tor-browser-zh-tw.profile b/etc/profile-m-z/tor-browser-zh-tw.profile
index 6fe09c6c1..e589dc552 100644
--- a/etc/profile-m-z/tor-browser-zh-tw.profile
+++ b/etc/profile-m-z/tor-browser-zh-tw.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
+# Persistent global definitions
+include tor-browser-zh-tw.local
 noblacklist ${HOME}/.tor-browser-zh-tw
 mkdir ${HOME}/.tor-browser-zh-tw
diff --git a/etc/profile-m-z/tor-browser.profile b/etc/profile-m-z/tor-browser.profile
index 0cd84abf5..f7c3a5d24 100644
--- a/etc/profile-m-z/tor-browser.profile
+++ b/etc/profile-m-z/tor-browser.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
+# Persistent global definitions
+include tor-browser.local
 noblacklist ${HOME}/.tor-browser
 mkdir ${HOME}/.tor-browser
diff --git a/etc/profile-m-z/tor-browser_ar.profile b/etc/profile-m-z/tor-browser_ar.profile
index 1e1f5ce35..86839a849 100644
--- a/etc/profile-m-z/tor-browser_ar.profile
+++ b/etc/profile-m-z/tor-browser_ar.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
+# Persistent global definitions
+include tor-browser_ar.local
 noblacklist ${HOME}/.tor-browser_ar
 mkdir ${HOME}/.tor-browser_ar
diff --git a/etc/profile-m-z/tor-browser_ca.profile b/etc/profile-m-z/tor-browser_ca.profile
index e114b6051..9d9fc8d31 100644
--- a/etc/profile-m-z/tor-browser_ca.profile
+++ b/etc/profile-m-z/tor-browser_ca.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
+# Persistent global definitions
+include tor-browser_ca.local
 noblacklist ${HOME}/.tor-browser_ca
 mkdir ${HOME}/.tor-browser_ca
diff --git a/etc/profile-m-z/tor-browser_cs.profile b/etc/profile-m-z/tor-browser_cs.profile
index 498068bc6..25d676537 100644
--- a/etc/profile-m-z/tor-browser_cs.profile
+++ b/etc/profile-m-z/tor-browser_cs.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
+# Persistent global definitions
+include tor-browser_cs.local
 noblacklist ${HOME}/.tor-browser_cs
 mkdir ${HOME}/.tor-browser_cs
diff --git a/etc/profile-m-z/tor-browser_da.profile b/etc/profile-m-z/tor-browser_da.profile
index 5c25c03c8..885a00979 100644
--- a/etc/profile-m-z/tor-browser_da.profile
+++ b/etc/profile-m-z/tor-browser_da.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
+# Persistent global definitions
+include tor-browser_da.local
 noblacklist ${HOME}/.tor-browser_da
 mkdir ${HOME}/.tor-browser_da
diff --git a/etc/profile-m-z/tor-browser_de.profile b/etc/profile-m-z/tor-browser_de.profile
index d530e7dbe..505161073 100644
--- a/etc/profile-m-z/tor-browser_de.profile
+++ b/etc/profile-m-z/tor-browser_de.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
+# Persistent global definitions
+include tor-browser_de.local
 noblacklist ${HOME}/.tor-browser_de
 mkdir ${HOME}/.tor-browser_de
diff --git a/etc/profile-m-z/tor-browser_el.profile b/etc/profile-m-z/tor-browser_el.profile
index 67d5ab440..4efbbef4d 100644
--- a/etc/profile-m-z/tor-browser_el.profile
+++ b/etc/profile-m-z/tor-browser_el.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
+# Persistent global definitions
+include tor-browser_el.local
 noblacklist ${HOME}/.tor-browser_el
 mkdir ${HOME}/.tor-browser_el
diff --git a/etc/profile-m-z/tor-browser_en-US.profile b/etc/profile-m-z/tor-browser_en-US.profile
index b298ab2b8..faa6979be 100644
--- a/etc/profile-m-z/tor-browser_en-US.profile
+++ b/etc/profile-m-z/tor-browser_en-US.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
+# Persistent global definitions
+include tor-browser_en-US.local
 noblacklist ${HOME}/.tor-browser_en-US
 mkdir ${HOME}/.tor-browser_en-US
diff --git a/etc/profile-m-z/tor-browser_en.profile b/etc/profile-m-z/tor-browser_en.profile
index 6bb0616b1..579af4be1 100644
--- a/etc/profile-m-z/tor-browser_en.profile
+++ b/etc/profile-m-z/tor-browser_en.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
+# Persistent global definitions
+include tor-browser_en.local
 noblacklist ${HOME}/.tor-browser_en
 mkdir ${HOME}/.tor-browser_en
diff --git a/etc/profile-m-z/tor-browser_es-ES.profile b/etc/profile-m-z/tor-browser_es-ES.profile
index 78f57ffe5..7d2f28844 100644
--- a/etc/profile-m-z/tor-browser_es-ES.profile
+++ b/etc/profile-m-z/tor-browser_es-ES.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
+# Persistent global definitions
+include tor-browser_es-ES.local
 noblacklist ${HOME}/.tor-browser_es-ES
 mkdir ${HOME}/.tor-browser_es-ES
diff --git a/etc/profile-m-z/tor-browser_es.profile b/etc/profile-m-z/tor-browser_es.profile
index ea34a07c9..c3d5695ce 100644
--- a/etc/profile-m-z/tor-browser_es.profile
+++ b/etc/profile-m-z/tor-browser_es.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
+# Persistent global definitions
+include tor-browser_es.local
 noblacklist ${HOME}/.tor-browser_es
 mkdir ${HOME}/.tor-browser_es
diff --git a/etc/profile-m-z/tor-browser_fa.profile b/etc/profile-m-z/tor-browser_fa.profile
index fbc416ce5..5d2a81976 100644
--- a/etc/profile-m-z/tor-browser_fa.profile
+++ b/etc/profile-m-z/tor-browser_fa.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
+# Persistent global definitions
+include tor-browser_fa.local
 noblacklist ${HOME}/.tor-browser_fa
 mkdir ${HOME}/.tor-browser_fa
diff --git a/etc/profile-m-z/tor-browser_fr.profile b/etc/profile-m-z/tor-browser_fr.profile
index caea6db5b..10a1cd054 100644
--- a/etc/profile-m-z/tor-browser_fr.profile
+++ b/etc/profile-m-z/tor-browser_fr.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
+# Persistent global definitions
+include tor-browser_fr.local
 noblacklist ${HOME}/.tor-browser_fr
 mkdir ${HOME}/.tor-browser_fr
diff --git a/etc/profile-m-z/tor-browser_ga-IE.profile b/etc/profile-m-z/tor-browser_ga-IE.profile
index 6342daebf..c2f3e6f91 100644
--- a/etc/profile-m-z/tor-browser_ga-IE.profile
+++ b/etc/profile-m-z/tor-browser_ga-IE.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
+# Persistent global definitions
+include tor-browser_ga-IE.local
 noblacklist ${HOME}/.tor-browser_ga-IE
 mkdir ${HOME}/.tor-browser_ga-IE
diff --git a/etc/profile-m-z/tor-browser_he.profile b/etc/profile-m-z/tor-browser_he.profile
index cc4150620..2415a0ebd 100644
--- a/etc/profile-m-z/tor-browser_he.profile
+++ b/etc/profile-m-z/tor-browser_he.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
+# Persistent global definitions
+include tor-browser_he.local
 noblacklist ${HOME}/.tor-browser_he
 mkdir ${HOME}/.tor-browser_he
diff --git a/etc/profile-m-z/tor-browser_hu.profile b/etc/profile-m-z/tor-browser_hu.profile
index 952a0b68a..d356c2b74 100644
--- a/etc/profile-m-z/tor-browser_hu.profile
+++ b/etc/profile-m-z/tor-browser_hu.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
+# Persistent global definitions
+include tor-browser_hu.local
 noblacklist ${HOME}/.tor-browser_hu
 mkdir ${HOME}/.tor-browser_hu
diff --git a/etc/profile-m-z/tor-browser_id.profile b/etc/profile-m-z/tor-browser_id.profile
index a006b27c0..0551bef1c 100644
--- a/etc/profile-m-z/tor-browser_id.profile
+++ b/etc/profile-m-z/tor-browser_id.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
+# Persistent global definitions
+include tor-browser_id.local
 noblacklist ${HOME}/.tor-browser_id
 mkdir ${HOME}/.tor-browser_id
diff --git a/etc/profile-m-z/tor-browser_is.profile b/etc/profile-m-z/tor-browser_is.profile
index 038e0fabb..a9adf462d 100644
--- a/etc/profile-m-z/tor-browser_is.profile
+++ b/etc/profile-m-z/tor-browser_is.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
+# Persistent global definitions
+include tor-browser_is.local
 noblacklist ${HOME}/.tor-browser_is
 mkdir ${HOME}/.tor-browser_is
diff --git a/etc/profile-m-z/tor-browser_it.profile b/etc/profile-m-z/tor-browser_it.profile
index 3d2566994..2237e2267 100644
--- a/etc/profile-m-z/tor-browser_it.profile
+++ b/etc/profile-m-z/tor-browser_it.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
+# Persistent global definitions
+include tor-browser_it.local
 noblacklist ${HOME}/.tor-browser_it
 mkdir ${HOME}/.tor-browser_it
diff --git a/etc/profile-m-z/tor-browser_ja.profile b/etc/profile-m-z/tor-browser_ja.profile
index 08c942bcd..494af455a 100644
--- a/etc/profile-m-z/tor-browser_ja.profile
+++ b/etc/profile-m-z/tor-browser_ja.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
+# Persistent global definitions
+include tor-browser_ja.local
 noblacklist ${HOME}/.tor-browser_ja
 mkdir ${HOME}/.tor-browser_ja
diff --git a/etc/profile-m-z/tor-browser_ka.profile b/etc/profile-m-z/tor-browser_ka.profile
index 97664be4d..7a32fc6f7 100644
--- a/etc/profile-m-z/tor-browser_ka.profile
+++ b/etc/profile-m-z/tor-browser_ka.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
+# Persistent global definitions
+include tor-browser_ka.local
 noblacklist ${HOME}/.tor-browser_ka
 mkdir ${HOME}/.tor-browser_ka
diff --git a/etc/profile-m-z/tor-browser_ko.profile b/etc/profile-m-z/tor-browser_ko.profile
index 98cf1e3e1..b7725270f 100644
--- a/etc/profile-m-z/tor-browser_ko.profile
+++ b/etc/profile-m-z/tor-browser_ko.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
+# Persistent global definitions
+include tor-browser_ko.local
 noblacklist ${HOME}/.tor-browser_ko
 mkdir ${HOME}/.tor-browser_ko
diff --git a/etc/profile-m-z/tor-browser_nb.profile b/etc/profile-m-z/tor-browser_nb.profile
index 6df840573..b781e05a8 100644
--- a/etc/profile-m-z/tor-browser_nb.profile
+++ b/etc/profile-m-z/tor-browser_nb.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
+# Persistent global definitions
+include tor-browser_nb.local
 noblacklist ${HOME}/.tor-browser_nb
 mkdir ${HOME}/.tor-browser_nb
diff --git a/etc/profile-m-z/tor-browser_nl.profile b/etc/profile-m-z/tor-browser_nl.profile
index 3f545f888..67df58d8c 100644
--- a/etc/profile-m-z/tor-browser_nl.profile
+++ b/etc/profile-m-z/tor-browser_nl.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
+# Persistent global definitions
+include tor-browser_nl.local
 noblacklist ${HOME}/.tor-browser_nl
 mkdir ${HOME}/.tor-browser_nl
diff --git a/etc/profile-m-z/tor-browser_pl.profile b/etc/profile-m-z/tor-browser_pl.profile
index 4e04dc027..3caa90133 100644
--- a/etc/profile-m-z/tor-browser_pl.profile
+++ b/etc/profile-m-z/tor-browser_pl.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
+# Persistent global definitions
+include tor-browser_pl.local
 noblacklist ${HOME}/.tor-browser_pl
 mkdir ${HOME}/.tor-browser_pl
diff --git a/etc/profile-m-z/tor-browser_pt-BR.profile b/etc/profile-m-z/tor-browser_pt-BR.profile
index 7f864886c..01e8651d5 100644
--- a/etc/profile-m-z/tor-browser_pt-BR.profile
+++ b/etc/profile-m-z/tor-browser_pt-BR.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
+# Persistent global definitions
+include tor-browser_pt-BR.local
 noblacklist ${HOME}/.tor-browser_pt-BR
 mkdir ${HOME}/.tor-browser_pt-BR
diff --git a/etc/profile-m-z/tor-browser_ru.profile b/etc/profile-m-z/tor-browser_ru.profile
index 2fae6fbe7..fd6f2047d 100644
--- a/etc/profile-m-z/tor-browser_ru.profile
+++ b/etc/profile-m-z/tor-browser_ru.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
+# Persistent global definitions
+include tor-browser_ru.local
 noblacklist ${HOME}/.tor-browser_ru
 mkdir ${HOME}/.tor-browser_ru
diff --git a/etc/profile-m-z/tor-browser_sv-SE.profile b/etc/profile-m-z/tor-browser_sv-SE.profile
index 2157f8d2b..029f1edea 100644
--- a/etc/profile-m-z/tor-browser_sv-SE.profile
+++ b/etc/profile-m-z/tor-browser_sv-SE.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
+# Persistent global definitions
+include tor-browser_sv-SE.local
 noblacklist ${HOME}/.tor-browser_sv-SE
 mkdir ${HOME}/.tor-browser_sv-SE
diff --git a/etc/profile-m-z/tor-browser_tr.profile b/etc/profile-m-z/tor-browser_tr.profile
index 20ac246ca..7707e3454 100644
--- a/etc/profile-m-z/tor-browser_tr.profile
+++ b/etc/profile-m-z/tor-browser_tr.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
+# Persistent global definitions
+include tor-browser_tr.local
 noblacklist ${HOME}/.tor-browser_tr
 mkdir ${HOME}/.tor-browser_tr
diff --git a/etc/profile-m-z/tor-browser_vi.profile b/etc/profile-m-z/tor-browser_vi.profile
index 4faa06ff6..b277343dc 100644
--- a/etc/profile-m-z/tor-browser_vi.profile
+++ b/etc/profile-m-z/tor-browser_vi.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
+# Persistent global definitions
+include tor-browser_vi.local
 noblacklist ${HOME}/.tor-browser_vi
 mkdir ${HOME}/.tor-browser_vi
diff --git a/etc/profile-m-z/tor-browser_zh-CN.profile b/etc/profile-m-z/tor-browser_zh-CN.profile
index e4d8215e6..e614d00ae 100644
--- a/etc/profile-m-z/tor-browser_zh-CN.profile
+++ b/etc/profile-m-z/tor-browser_zh-CN.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
+# Persistent global definitions
+include tor-browser_zh-CN.local
 noblacklist ${HOME}/.tor-browser_zh-CN
 mkdir ${HOME}/.tor-browser_zh-CN
diff --git a/etc/profile-m-z/tor-browser_zh-TW.profile b/etc/profile-m-z/tor-browser_zh-TW.profile
index 8a28015a6..21c3445c9 100644
--- a/etc/profile-m-z/tor-browser_zh-TW.profile
+++ b/etc/profile-m-z/tor-browser_zh-TW.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
+# Persistent global definitions
+include tor-browser_zh-TW.local
 noblacklist ${HOME}/.tor-browser_zh-TW
 mkdir ${HOME}/.tor-browser_zh-TW
diff --git a/etc/profile-m-z/totem.profile b/etc/profile-m-z/totem.profile
index 36495064e..90c45c7d0 100644
--- a/etc/profile-m-z/totem.profile
+++ b/etc/profile-m-z/totem.profile
@@ -6,7 +6,8 @@ include totem.local
 # Persistent global definitions
 include globals.local
-# Allow lua (required for youtube video)
+# Allow lua (blacklisted by disable-interpreters.inc)
+# required for youtube video
 include allow-lua.inc
 # Allow python (blacklisted by disable-interpreters.inc)
diff --git a/etc/profile-m-z/tshark.profile b/etc/profile-m-z/tshark.profile
index a5cefb47a..af5442672 100644
--- a/etc/profile-m-z/tshark.profile
+++ b/etc/profile-m-z/tshark.profile
@@ -2,5 +2,8 @@
 # This file is overwritten after every install/update
 quiet
+# Persistent local customizations
+include tshark.local
 # Redirect
 include wireshark.profile
diff --git a/etc/profile-m-z/unlzma.profile b/etc/profile-m-z/unlzma.profile
index d9c72407f..d7f187e5c 100644
--- a/etc/profile-m-z/unlzma.profile
+++ b/etc/profile-m-z/unlzma.profile
@@ -3,5 +3,8 @@
 # This file is overwritten after every install/update
 quiet
+# Persistent local customizations
+include unlzma.local
 # Redirect
 include cpio.profile
diff --git a/etc/profile-m-z/unxz.profile b/etc/profile-m-z/unxz.profile
index d9c72407f..d93fc3cb3 100644
--- a/etc/profile-m-z/unxz.profile
+++ b/etc/profile-m-z/unxz.profile
@@ -3,5 +3,8 @@
 # This file is overwritten after every install/update
 quiet
+# Persistent local customizations
+include unxz.local
 # Redirect
 include cpio.profile
diff --git a/etc/profile-m-z/unzstd.profile b/etc/profile-m-z/unzstd.profile
index ce9af3286..698301131 100644
--- a/etc/profile-m-z/unzstd.profile
+++ b/etc/profile-m-z/unzstd.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for zstd
 # This file is overwritten after every install/update
+# Persistent local customizations
+include unzstd.local
 # Redirect
 include zstd.profile
diff --git a/etc/profile-m-z/vmware.profile b/etc/profile-m-z/vmware.profile
index 493c53936..d841d50b7 100644
--- a/etc/profile-m-z/vmware.profile
+++ b/etc/profile-m-z/vmware.profile
@@ -26,7 +26,7 @@ include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
-caps.keep chown,net_raw,sys_nice,sys_rawio
+caps.keep chown,net_raw,sys_nice
 netfilter
 nogroups
 notv
@@ -34,6 +34,7 @@ shell none
 tracelog
 #disable-mnt
-#private-etc alsa,asound.conf,ca-certificates,conf.d,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,localtime,machine-id,pki,pulse,resolv.conf,ssl,vmware,vmware-installer,vmware-vix
+#private-bin env,bash,sh,ovftool,vmafossexec,vmaf_*,vmnet-*,vmplayer,vmrest,vmrun,vmss2core,vmstat,vmware,vmware-*
+private-etc alsa,asound.conf,ca-certificates,conf.d,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,localtime,machine-id,passwd,pki,pulse,resolv.conf,ssl,vmware,vmware-installer,vmware-vix
 dbus-user none
 dbus-system none
diff --git a/etc/profile-m-z/vscodium.profile b/etc/profile-m-z/vscodium.profile
index b4728fb72..e329e77ad 100644
--- a/etc/profile-m-z/vscodium.profile
+++ b/etc/profile-m-z/vscodium.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for Visual Studio Code
 # This file is overwritten after every install/update
+# Persistent local customizations
+include vscodium.local
 noblacklist ${HOME}/.VSCodium
 # Redirect
diff --git a/etc/profile-m-z/vulturesclaw.profile b/etc/profile-m-z/vulturesclaw.profile
index 2e9078a7b..8c46c8aef 100644
--- a/etc/profile-m-z/vulturesclaw.profile
+++ b/etc/profile-m-z/vulturesclaw.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for nethack-vultures
 # This file is overwritten after every install/update
+# Persistent local customizations
+include vulturesclaw.local
 noblacklist /var/games/vulturesclaw
 whitelist /var/games/vulturesclaw
diff --git a/etc/profile-m-z/vultureseye.profile b/etc/profile-m-z/vultureseye.profile
index 44c263cfc..a9d49dae2 100644
--- a/etc/profile-m-z/vultureseye.profile
+++ b/etc/profile-m-z/vultureseye.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for nethack-vultures
 # This file is overwritten after every install/update
+# Persistent local customizations
+include vultureseye.local
 noblacklist /var/games/vultureseye
 whitelist /var/games/vultureseye
diff --git a/etc/profile-m-z/warzone2100.profile b/etc/profile-m-z/warzone2100.profile
index 369c9cc1d..06a7c3412 100644
--- a/etc/profile-m-z/warzone2100.profile
+++ b/etc/profile-m-z/warzone2100.profile
@@ -16,8 +16,8 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
-# mkdir ${HOME}/.warzone2100-3.1
+mkdir ${HOME}/.warzone2100-3.1
-# mkdir ${HOME}/.warzone2100-3.2
+mkdir ${HOME}/.warzone2100-3.2
 whitelist ${HOME}/.warzone2100-3.1
 whitelist ${HOME}/.warzone2100-3.2
 whitelist /usr/share/games
diff --git a/etc/profile-m-z/weechat-curses.profile b/etc/profile-m-z/weechat-curses.profile
index 4719b9788..cd99c4730 100644
--- a/etc/profile-m-z/weechat-curses.profile
+++ b/etc/profile-m-z/weechat-curses.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for weechat
 # This file is overwritten after every install/update
+# Persistent local customizations
+include weechat-curses.local
 # Redirect
 include weechat.profile
diff --git a/etc/profile-m-z/wireshark-gtk.profile b/etc/profile-m-z/wireshark-gtk.profile
index 3e2e1807e..409f2a8b5 100644
--- a/etc/profile-m-z/wireshark-gtk.profile
+++ b/etc/profile-m-z/wireshark-gtk.profile
@@ -2,5 +2,8 @@
 # Description: Network protocol analyzer
 # This file is overwritten after every install/update
+# Persistent local customizations
+include wireshark-gtk.local
 # Redirect
 include wireshark.profile
diff --git a/etc/profile-m-z/wireshark-qt.profile b/etc/profile-m-z/wireshark-qt.profile
index 3e2e1807e..809108af7 100644
--- a/etc/profile-m-z/wireshark-qt.profile
+++ b/etc/profile-m-z/wireshark-qt.profile
@@ -2,5 +2,8 @@
 # Description: Network protocol analyzer
 # This file is overwritten after every install/update
+# Persistent local customizations
+include wireshark-qt.local
 # Redirect
 include wireshark.profile
diff --git a/etc/profile-m-z/xonotic-glx.profile b/etc/profile-m-z/xonotic-glx.profile
index abb91e1ec..57af3a8e4 100644
--- a/etc/profile-m-z/xonotic-glx.profile
+++ b/etc/profile-m-z/xonotic-glx.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for xonotic
 # This file is overwritten after every install/update
+# Persistent local customizations
+include xonotic-glx.local
 # Redirect
 include xonotic.profile
diff --git a/etc/profile-m-z/xonotic-sdl.profile b/etc/profile-m-z/xonotic-sdl.profile
index abb91e1ec..a2511a9da 100644
--- a/etc/profile-m-z/xonotic-sdl.profile
+++ b/etc/profile-m-z/xonotic-sdl.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for xonotic
 # This file is overwritten after every install/update
+# Persistent local customizations
+include xonotic-sdl.local
 # Redirect
 include xonotic.profile
diff --git a/etc/profile-m-z/xz.profile b/etc/profile-m-z/xz.profile
index d9c72407f..0310743c7 100644
--- a/etc/profile-m-z/xz.profile
+++ b/etc/profile-m-z/xz.profile
@@ -3,5 +3,8 @@
 # This file is overwritten after every install/update
 quiet
+# Persistent local customizations
+include xz.local
 # Redirect
 include cpio.profile
diff --git a/etc/profile-m-z/xzcat.profile b/etc/profile-m-z/xzcat.profile
index d9c72407f..1c6851189 100644
--- a/etc/profile-m-z/xzcat.profile
+++ b/etc/profile-m-z/xzcat.profile
@@ -3,5 +3,8 @@
 # This file is overwritten after every install/update
 quiet
+# Persistent local customizations
+include xzcat.local
 # Redirect
 include cpio.profile
diff --git a/etc/profile-m-z/xzcmp.profile b/etc/profile-m-z/xzcmp.profile
index d9c72407f..214f714ce 100644
--- a/etc/profile-m-z/xzcmp.profile
+++ b/etc/profile-m-z/xzcmp.profile
@@ -3,5 +3,8 @@
 # This file is overwritten after every install/update
 quiet
+# Persistent local customizations
+include xzcmp.local
 # Redirect
 include cpio.profile
diff --git a/etc/profile-m-z/xzdiff.profile b/etc/profile-m-z/xzdiff.profile
index d9c72407f..19a4c853f 100644
--- a/etc/profile-m-z/xzdiff.profile
+++ b/etc/profile-m-z/xzdiff.profile
@@ -3,5 +3,8 @@
 # This file is overwritten after every install/update
 quiet
+# Persistent local customizations
+include xzdiff.local
 # Redirect
 include cpio.profile
diff --git a/etc/profile-m-z/xzegrep.profile b/etc/profile-m-z/xzegrep.profile
index d9c72407f..998fab02c 100644
--- a/etc/profile-m-z/xzegrep.profile
+++ b/etc/profile-m-z/xzegrep.profile
@@ -3,5 +3,8 @@
 # This file is overwritten after every install/update
 quiet
+# Persistent local customizations
+include xzegrep.local
 # Redirect
 include cpio.profile
diff --git a/etc/profile-m-z/xzfgrep.profile b/etc/profile-m-z/xzfgrep.profile
index d9c72407f..4301f5c96 100644
--- a/etc/profile-m-z/xzfgrep.profile
+++ b/etc/profile-m-z/xzfgrep.profile
@@ -3,5 +3,8 @@
 # This file is overwritten after every install/update
 quiet
+# Persistent local customizations
+include xzfgrep.local
 # Redirect
 include cpio.profile
diff --git a/etc/profile-m-z/xzgrep.profile b/etc/profile-m-z/xzgrep.profile
index f7410b928..2def07549 100644
--- a/etc/profile-m-z/xzgrep.profile
+++ b/etc/profile-m-z/xzgrep.profile
@@ -2,5 +2,8 @@
 # Description: Library and command line tools for XZ and LZMA compressed files
 # This file is overwritten after every install/update
+# Persistent local customizations
+include xzgrep.local
 # Redirect
 include cpio.profile
diff --git a/etc/profile-m-z/xzless.profile b/etc/profile-m-z/xzless.profile
index f7410b928..d55a4c6c9 100644
--- a/etc/profile-m-z/xzless.profile
+++ b/etc/profile-m-z/xzless.profile
@@ -2,5 +2,8 @@
 # Description: Library and command line tools for XZ and LZMA compressed files
 # This file is overwritten after every install/update
+# Persistent local customizations
+include xzless.local
 # Redirect
 include cpio.profile
diff --git a/etc/profile-m-z/xzmore.profile b/etc/profile-m-z/xzmore.profile
index d9c72407f..f847c7006 100644
--- a/etc/profile-m-z/xzmore.profile
+++ b/etc/profile-m-z/xzmore.profile
@@ -3,5 +3,8 @@
 # This file is overwritten after every install/update
 quiet
+# Persistent local customizations
+include xzmore.local
 # Redirect
 include cpio.profile
diff --git a/etc/profile-m-z/youtube-viewer.profile b/etc/profile-m-z/youtube-viewer.profile
index a3a2afa29..e8fe4a360 100644
--- a/etc/profile-m-z/youtube-viewer.profile
+++ b/etc/profile-m-z/youtube-viewer.profile
@@ -9,7 +9,10 @@ include globals.local
 noblacklist ${HOME}/.config/youtube-viewer
+# Allow perl (blacklisted by disable-interpreters.inc)
 include allow-perl.inc
+# Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
 include allow-python3.inc
diff --git a/etc/profile-m-z/zstdcat.profile b/etc/profile-m-z/zstdcat.profile
index ce9af3286..e7c37f58c 100644
--- a/etc/profile-m-z/zstdcat.profile
+++ b/etc/profile-m-z/zstdcat.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for zstd
 # This file is overwritten after every install/update
+# Persistent local customizations
+include zstdcat.local
 # Redirect
 include zstd.profile
diff --git a/etc/profile-m-z/zstdgrep.profile b/etc/profile-m-z/zstdgrep.profile
index ce9af3286..604e3524e 100644
--- a/etc/profile-m-z/zstdgrep.profile
+++ b/etc/profile-m-z/zstdgrep.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for zstd
 # This file is overwritten after every install/update
+# Persistent local customizations
+include zstdgrep.local
 # Redirect
 include zstd.profile
diff --git a/etc/profile-m-z/zstdless.profile b/etc/profile-m-z/zstdless.profile
index ce9af3286..efe688856 100644
--- a/etc/profile-m-z/zstdless.profile
+++ b/etc/profile-m-z/zstdless.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for zstd
 # This file is overwritten after every install/update
+# Persistent local customizations
+include zstdless.local
 # Redirect
 include zstd.profile
diff --git a/etc/profile-m-z/zstdmt.profile b/etc/profile-m-z/zstdmt.profile
index ce9af3286..cdd93f688 100644
--- a/etc/profile-m-z/zstdmt.profile
+++ b/etc/profile-m-z/zstdmt.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for zstd
 # This file is overwritten after every install/update
+# Persistent local customizations
+include zstdmt.local
 # Redirect
 include zstd.profile
diff --git a/etc/templates/profile.template b/etc/templates/profile.template
index 3d37fc827..8b44b0bc0 100644
--- a/etc/templates/profile.template
+++ b/etc/templates/profile.template
@@ -158,6 +158,7 @@ include globals.local
 ##seccomp !chroot
 ##seccomp.drop SYSCALLS (see syscalls.txt)
 #seccomp.block-secondary
+##seccomp-error-action log (Only for debugging seccomp issues)
 #shell none
 #tracelog
 # Prefer 'x11 none' instead of 'blacklist /tmp/.X11-unix' if 'net none' is set
diff --git a/mkdeb.sh.in b/mkdeb.sh.in
index a19dee620..5b68175fd 100755
--- a/mkdeb.sh.in
+++ b/mkdeb.sh.in
@@ -64,7 +64,7 @@ chmod 644 $DEBIAN_CTRL_DIR/conffiles
 find $INSTALL_DIR  -type d | xargs chmod 755
 cd $CODE_DIR
 fakeroot dpkg-deb --build debian
-lintian debian.deb
+lintian --no-tag-display-limit debian.deb
 mv debian.deb ../firejail_${VERSION}${EXTRA_VERSION}_1_$(dpkg-architecture -qDEB_HOST_ARCH).deb
 cd ..
 rm -fr $CODE_DIR
diff --git a/src/fcopy/main.c b/src/fcopy/main.c
index 0a4a61e2a..e65501d6d 100644
--- a/src/fcopy/main.c
+++ b/src/fcopy/main.c
@@ -111,7 +111,7 @@ static void copy_file(const char *srcname, const char *destname, mode_t mode, ui
        }
        // open destination
-        int dst = open(destname, O_CREAT|O_WRONLY|O_TRUNC, 0755);
+        int dst = open(destname, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR);
        if (dst < 0) {
                if (!arg_quiet)
                        fprintf(stderr, "Warning fcopy: cannot open %s, file not copied\n", destname);
@@ -132,7 +132,8 @@ static void copy_file(const char *srcname, const char *destname, mode_t mode, ui
                        done += rv;
                }
        }
-        fflush(0);
+        if (len < 0)
+                goto errexit;
        if (fchown(dst, uid, gid) == -1)
                goto errexit;
@@ -179,7 +180,7 @@ void copy_link(const char *target, const char *linkpath, mode_t mode, uid_t uid,
        // if the link is already there, don't create it
        struct stat s;
-        if (stat(linkpath, &s) == 0)
+        if (lstat(linkpath, &s) == 0)
               return;
        char *rp = realpath(target, NULL);
@@ -413,25 +414,19 @@ int main(int argc, char **argv) {
        warn_dumpable();
-        // trim trailing chars
-        if (src[strlen(src) - 1] == '/')
-                src[strlen(src) - 1] = '\0';
-        if (dest[strlen(dest) - 1] == '/')
-                dest[strlen(dest) - 1] = '\0';
        // check the two files; remove ending /
-        int len = strlen(src);
+        size_t len = strlen(src);
-        if (src[len - 1] == '/')
+        while (len > 1 && src[len - 1] == '/')
-                src[len - 1] = '\0';
+                src[--len] = '\0';
-        if (strcspn(src, "\\*&!?\"'<>%^(){}[];,") != (size_t)len) {
+        if (strcspn(src, "\\*&!?\"'<>%^(){}[];,") != len) {
                fprintf(stderr, "Error fcopy: invalid source file name %s\n", src);
                exit(1);
        }
        len = strlen(dest);
-        if (dest[len - 1] == '/')
+        while (len > 1 && dest[len - 1] == '/')
-                dest[len - 1] = '\0';
+                dest[--len] = '\0';
-        if (strcspn(dest, "\\*&!?\"'<>%^(){}[];,~") != (size_t)len) {
+        if (strcspn(dest, "\\*&!?\"'<>%^(){}[];,~") != len) {
                fprintf(stderr, "Error fcopy: invalid dest file name %s\n", dest);
                exit(1);
        }
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index 109f89f39..e924ef2ec 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -149,6 +149,7 @@ conkeror
 conky
 conplay
 corebird
+coyim
 crawl
 crawl-tiles
 crow
@@ -390,6 +391,7 @@ kazam
 kcalc
 # kdeinit4
 kdenlive
+kdiff3
 keepass
 keepass2
 keepassx
diff --git a/src/firejail/fs_lib.c b/src/firejail/fs_lib.c
index a5c005931..b8c1b21b1 100644
--- a/src/firejail/fs_lib.c
+++ b/src/firejail/fs_lib.c
@@ -33,6 +33,52 @@ extern void fslib_install_system(void);
 static int lib_cnt = 0;
 static int dir_cnt = 0;
+char *find_in_path(const char *program) {
+        EUID_ASSERT();
+        if (arg_debug)
+                printf("Searching $PATH for %s\n", program);
+        char self[MAXBUF];
+        ssize_t len = readlink("/proc/self/exe", self, MAXBUF - 1);
+        if (len < 0)
+                errExit("readlink");
+        self[len] = '\0';
+        char *path = getenv("PATH");
+        if (!path)
+                return NULL;
+        char *dup = strdup(path);
+        if (!dup)
+                errExit("strdup");
+        char *tok = strtok(dup, ":");
+        while (tok) {
+                char *fname;
+                if (asprintf(&fname, "%s/%s", tok, program) == -1)
+                        errExit("asprintf");
+                if (arg_debug)
+                        printf("trying #%s#\n", fname);
+                struct stat s;
+                if (stat(fname, &s) == 0) {
+                        // but skip links created by firecfg
+                        char *rp = realpath(fname, NULL);
+                        if (!rp)
+                                errExit("realpath");
+                        if (strcmp(self, rp) != 0) {
+                                free(rp);
+                                free(dup);
+                                return fname;
+                        }
+                        free(rp);
+                }
+                free(fname);
+                tok = strtok(NULL, ":");
+        }
+        free(dup);
+        return NULL;
+}
 static void report_duplication(const char *full_path) {
        char *fname = strrchr(full_path, '/');
        if (fname && *(++fname) != '\0') {
@@ -337,20 +383,39 @@ void fs_private_lib(void) {
        timetrace_start();
        // bring in firejail executable libraries in case we are redirected here by a firejail symlink from /usr/local/bin/firejail
+        if (arg_debug || arg_debug_private_lib)
+                printf("Installing Firejail libraries\n");
        fslib_install_list(PATH_FIREJAIL);
        // bring in firejail directory
-        fslib_install_list("firejail");
+        fslib_install_list(LIBDIR "/firejail");
-        // for dhclient
+        // bring in dhclient libraries
-        if (any_dhcp())
+        if (any_dhcp()) {
+                if (arg_debug || arg_debug_private_lib)
+                        printf("Installing dhclient libraries\n");
                fslib_install_list(RUN_MNT_DIR "/dhclient");
+        }
+        fmessage("Firejail libraries installed in %0.2f ms\n", timetrace_end());
+        timetrace_start();
        // copy the libs in the new lib directory for the main exe
        if (cfg.original_program_index > 0) {
                if (arg_debug || arg_debug_private_lib)
                        printf("Installing sandboxed program libraries\n");
-                fslib_install_list(cfg.original_argv[cfg.original_program_index]);
+                if (strchr(cfg.original_argv[cfg.original_program_index], '/'))
+                        fslib_install_list(cfg.original_argv[cfg.original_program_index]);
+                else { // search executable in $PATH
+                        EUID_USER();
+                        char *fname = find_in_path(cfg.original_argv[cfg.original_program_index]);
+                        EUID_ROOT();
+                        if (fname) {
+                                fslib_install_list(fname);
+                                free(fname);
+                        }
+                }
        }
        // for the shell
@@ -379,7 +444,7 @@ void fs_private_lib(void) {
        }
        fmessage("Program libraries installed in %0.2f ms\n", timetrace_end());
-        // install the reset of the system libraries
+        // install the rest of the system libraries
        if (arg_debug || arg_debug_private_lib)
                printf("Installing system libraries\n");
        fslib_install_system();
diff --git a/src/firejail/fs_lib2.c b/src/firejail/fs_lib2.c
index 758e079a4..95e10ee05 100644
--- a/src/firejail/fs_lib2.c
+++ b/src/firejail/fs_lib2.c
@@ -108,18 +108,13 @@ void fslib_install_stdc(void) {
        // install standard C libraries
        timetrace_start();
        struct stat s;
-        char *stdclib = "/lib64";                 // CentOS, Fedora, Arch
        if (stat("/lib/x86_64-linux-gnu", &s) == 0) {   // Debian & friends
-                // PT_INTERP
-                fslib_duplicate("/lib64/ld-linux-x86-64.so.2");
                mkdir_attr(RUN_LIB_DIR "/x86_64-linux-gnu", 0755, 0, 0);
                selinux_relabel_path(RUN_LIB_DIR "/x86_64-linux-gnu", "/lib/x86_64-linux-gnu");
-                stdclib = "/lib/x86_64-linux-gnu";
+                stdc("/lib/x86_64-linux-gnu");
        }
-        stdc(stdclib);
+        stdc("/lib64"); // CentOS, Fedora, Arch, ld-linux.so in Debian & friends
        // install locale
        if (stat("/usr/lib/locale", &s) == 0)
diff --git a/src/firejail/run_symlink.c b/src/firejail/run_symlink.c
index ea3889024..b38cc0ca6 100644
--- a/src/firejail/run_symlink.c
+++ b/src/firejail/run_symlink.c
@@ -22,6 +22,8 @@
 #include <sys/stat.h>
 #include <unistd.h>
+extern char *find_in_path(const char *program);
 void run_symlink(int argc, char **argv, int run_as_is) {
        EUID_ASSERT();
@@ -40,54 +42,17 @@ void run_symlink(int argc, char **argv, int run_as_is) {
                errExit("setresuid");
        // find the real program by looking in PATH
-        char *p = getenv("PATH");
+        if (!getenv("PATH")) {
-        if (!p) {
                fprintf(stderr, "Error: PATH environment variable not set\n");
                exit(1);
        }
-        char *path = strdup(p);
+        char *p = find_in_path(program);
-        if (!path)
+        if (!p) {
-                errExit("strdup");
-        char *selfpath = realpath("/proc/self/exe", NULL);
-        if (!selfpath)
-                errExit("realpath");
-        // look in path for our program
-        char *tok = strtok(path, ":");
-        int found = 0;
-        while (tok) {
-                char *name;
-                if (asprintf(&name, "%s/%s", tok, program) == -1)
-                        errExit("asprintf");
-                struct stat s;
-                if (stat(name, &s) == 0) {
-                        /* coverity[toctou] */
-                        char* rp = realpath(name, NULL);
-                        if (!rp)
-                                errExit("realpath");
-                        if (strcmp(selfpath, rp) != 0) {
-                                program = strdup(name);
-                                found = 1;
-                                free(rp);
-                                break;
-                        }
-                        free(rp);
-                }
-                free(name);
-                tok = strtok(NULL, ":");
-        }
-        if (!found) {
                fprintf(stderr, "Error: cannot find the program in the path\n");
                exit(1);
        }
+        program = p;
-        free(selfpath);
        // restore original umask
        umask(orig_umask);
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index e72ef48c2..8958dfaee 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1317,7 +1317,7 @@ $ firejail --netfilter=/etc/firejail/webserver.net --net=eth0 \\
 .br
 .br
-.B nolocal.net
+.B nolocal.net/nolocal6.net
 is a desktop client firewall that disable access to local network. Example:
 .br
diff --git a/src/profstats/main.c b/src/profstats/main.c
index 4c1221464..68f62831b 100644
--- a/src/profstats/main.c
+++ b/src/profstats/main.c
@@ -30,6 +30,8 @@ static int cnt_seccomp = 0;
 static int cnt_caps = 0;
 static int cnt_dbus_system_none = 0;
 static int cnt_dbus_user_none = 0;
+static int cnt_dbus_system_filter = 0;
+static int cnt_dbus_user_filter = 0;
 static int cnt_dotlocal = 0;
 static int cnt_globalsdotlocal = 0;
 static int cnt_netnone = 0;
@@ -107,6 +109,7 @@ void process_file(const char *fname) {
                return;
        }
+        int have_include_local = 0;
        char buf[MAXBUF];
        while (fgets(buf, MAXBUF, fp)) {
                char *ptr = strchr(buf, '\n');
@@ -152,11 +155,16 @@ void process_file(const char *fname) {
                        cnt_privateetc++;
                else if (strncmp(ptr, "dbus-system none", 16) == 0)
                        cnt_dbus_system_none++;
+                else if (strncmp(ptr, "dbus-system", 11) == 0)
+                        cnt_dbus_system_filter++;
                else if (strncmp(ptr, "dbus-user none", 14) == 0)
                        cnt_dbus_user_none++;
+                else if (strncmp(ptr, "dbus-user", 9) == 0)
+                        cnt_dbus_user_filter++;
                else if (strncmp(ptr, "include ", 8) == 0) {
                        // not processing .local files
                        if (strstr(ptr, ".local")) {
+                                have_include_local = 1;
 //printf("dotlocal %d, level %d - #%s#, redirect #%s#\n", cnt_dotlocal, level, fname, buf + 8);
                                if (strstr(ptr, "globals.local"))
                                        cnt_globalsdotlocal++;
@@ -174,6 +182,8 @@ void process_file(const char *fname) {
        }
        fclose(fp);
+        if (!have_include_local)
+                printf("No include .local found in %s\n", fname);
        level--;
 }
@@ -257,7 +267,9 @@ int main(int argc, char **argv) {
                int whitelistrunuser = cnt_whitelistrunuser;
                int whitelistusrshare = cnt_whitelistusrshare;
                int dbussystemnone = cnt_dbus_system_none;
+                int dbussystemfilter = cnt_dbus_system_filter;
                int dbususernone = cnt_dbus_user_none;
+                int dbususerfilter = cnt_dbus_user_filter;
                int ssh = cnt_ssh;
                int mdwx = cnt_mdwx;
@@ -278,6 +290,16 @@ int main(int argc, char **argv) {
                        cnt_globalsdotlocal = globalsdotlocal + 1;
                if (cnt_whitelistrunuser > (whitelistrunuser + 1))
                        cnt_whitelistrunuser = whitelistrunuser + 1;
+                if (cnt_seccomp > (seccomp + 1))
+                        cnt_seccomp = seccomp + 1;
+                if (cnt_dbus_user_none > (dbususernone + 1))
+                        cnt_dbus_user_none = dbususernone + 1;
+                if (cnt_dbus_user_filter > (dbususerfilter + 1))
+                        cnt_dbus_user_filter = dbususerfilter + 1;
+                if (cnt_dbus_system_none > (dbussystemnone + 1))
+                        cnt_dbus_system_none = dbussystemnone + 1;
+                if (cnt_dbus_system_filter > (dbussystemfilter + 1))
+                        cnt_dbus_system_filter = dbussystemfilter + 1;
                if (arg_dbus_system_none && dbussystemnone == cnt_dbus_system_none)
                        printf("No dbus-system none found in %s\n", argv[i]);
@@ -337,7 +359,9 @@ int main(int argc, char **argv) {
        printf("    whitelist usr/share\t\t%d   (include whitelist-usr-share-common.inc\n", cnt_whitelistusrshare);
        printf("    net none\t\t\t%d\n", cnt_netnone);
        printf("    dbus-user none \t\t%d\n", cnt_dbus_user_none);
+        printf("    dbus-user filter \t\t%d\n", cnt_dbus_user_filter);
        printf("    dbus-system none \t\t%d\n", cnt_dbus_system_none);
+        printf("    dbus-system filter \t\t%d\n", cnt_dbus_system_filter);
        printf("\n");
        return 0;
 }
diff --git a/test/compile/compile.sh b/test/compile/compile.sh
index 91fcfb85d..04819d95d 100755
--- a/test/compile/compile.sh
+++ b/test/compile/compile.sh
@@ -3,6 +3,16 @@
 # Copyright (C) 2014-2020 Firejail Authors
 # License GPL v2
+# not currently covered
+#  --disable-suid          install as a non-SUID executable
+#  --enable-fatal-warnings -W -Wall -Werror
+#  --enable-gcov           Gcov instrumentation
+#  --enable-contrib-install
+#                          install contrib scripts
+#  --enable-analyzer       enable GCC 10 static analyzer
 arr[1]="TEST 1: standard compilation"
 arr[2]="TEST 2: compile dbus proxy disabled"
 arr[3]="TEST 3: compile chroot disabled"
@@ -18,7 +28,9 @@ arr[12]="TEST 12: compile apparmor"
 arr[13]="TEST 13: compile busybox"
 arr[14]="TEST 14: compile overlayfs disabled"
 arr[15]="TEST 15: compile private-home disabled"
-arr[15]="TEST 16: compile disable manpages"
+arr[16]="TEST 16: compile disable manpages"
+arr[17]="TEST 17: disable tmpfs as regular user"
+arr[18]="TEST 18: disable private home"
 # remove previous reports and output file
 cleanup() {
@@ -334,6 +346,40 @@ cp output-make om16
 rm output-configure output-make
 #*****************************************************************
+# TEST 17
+#*****************************************************************
+# - disable tmpfs as regular user"
+#*****************************************************************
+print_title "${arr[17]}"
+cd firejail
+make distclean
+./configure --prefix=/usr  --disable-usertmpfs --enable-fatal-warnings 2>&1 | tee ../output-configure
+make -j4 2>&1 | tee ../output-make
+cd ..
+grep Warning output-configure output-make > ./report-test17
+grep Error output-configure output-make >> ./report-test17
+cp output-configure oc17
+cp output-make om17
+rm output-configure output-make
+#*****************************************************************
+# TEST 18
+#*****************************************************************
+# - disable private home feature
+#*****************************************************************
+print_title "${arr[18]}"
+cd firejail
+make distclean
+./configure --prefix=/usr --disable-private-home --enable-fatal-warnings 2>&1 | tee ../output-configure
+make -j4 2>&1 | tee ../output-make
+cd ..
+grep Warning output-configure output-make > ./report-test18
+grep Error output-configure output-make >> ./report-test18
+cp output-configure oc18
+cp output-make om18
+rm output-configure output-make
+#*****************************************************************
 # PRINT REPORTS
 #*****************************************************************
 echo
@@ -363,3 +409,5 @@ echo ${arr[13]}
 echo ${arr[14]}
 echo ${arr[15]}
 echo ${arr[16]}
+echo ${arr[17]}
+echo ${arr[18]}