259 files changed, 1533 insertions, 86 deletions

diff --git a/etc/inc/allow-bin-sh.inc b/etc/inc/allow-bin-sh.inc
new file mode 100644
index 000000000..d6c295414
--- /dev/null
+++ b/etc/inc/allow-bin-sh.inc
@@ -0,0 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include allow-bin-sh.local
+
+noblacklist ${PATH}/bash
+noblacklist ${PATH}/dash
+noblacklist ${PATH}/sh
diff --git a/etc/inc/allow-common-devel.inc b/etc/inc/allow-common-devel.inc
index 7cd087b14..41643657d 100644
--- a/etc/inc/allow-common-devel.inc
+++ b/etc/inc/allow-common-devel.inc
@@ -11,6 +11,15 @@ noblacklist ${HOME}/.git-credentials
 noblacklist ${HOME}/.gradle
 noblacklist ${HOME}/.java
 
+# Node.js
+noblacklist ${HOME}/.node-gyp
+noblacklist ${HOME}/.npm
+noblacklist ${HOME}/.npmrc
+noblacklist ${HOME}/.yarn
+noblacklist ${HOME}/.yarn-config
+noblacklist ${HOME}/.yarncache
+noblacklist ${HOME}/.yarnrc
+
 # Python
 noblacklist ${HOME}/.pylint.d
 noblacklist ${HOME}/.python-history
diff --git a/etc/inc/allow-nodejs.inc b/etc/inc/allow-nodejs.inc
new file mode 100644
index 000000000..78a4bed80
--- /dev/null
+++ b/etc/inc/allow-nodejs.inc
@@ -0,0 +1,6 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include allow-nodejs.local
+
+noblacklist ${PATH}/node
+noblacklist /usr/include/node
diff --git a/etc/inc/disable-common.inc b/etc/inc/disable-common.inc
index d88506d90..0de539d57 100644
--- a/etc/inc/disable-common.inc
+++ b/etc/inc/disable-common.inc
@@ -310,6 +310,7 @@ read-only ${HOME}/.msmtprc
 read-only ${HOME}/.mutt/muttrc
 read-only ${HOME}/.muttrc
 read-only ${HOME}/.nano
+read-only ${HOME}/.npmrc
 read-only ${HOME}/.pythonrc.py
 read-only ${HOME}/.reportbugrc
 read-only ${HOME}/.tmux.conf
@@ -318,6 +319,7 @@ read-only ${HOME}/.viminfo
 read-only ${HOME}/.vimrc
 read-only ${HOME}/.xmonad
 read-only ${HOME}/.xscreensaver
+read-only ${HOME}/.yarnrc
 read-only ${HOME}/_exrc
 read-only ${HOME}/_gvimrc
 read-only ${HOME}/_vimrc
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc
index a2d45a98d..72b1c86fb 100644
--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -254,6 +254,7 @@ blacklist ${HOME}/.config/google-chrome-unstable
 blacklist ${HOME}/.config/gpicview
 blacklist ${HOME}/.config/gthumb
 blacklist ${HOME}/.config/gummi
+blacklist ${HOME}/.config/guvcview2
 blacklist ${HOME}/.config/gwenviewrc
 blacklist ${HOME}/.config/hexchat
 blacklist ${HOME}/.config/homebank
@@ -275,6 +276,8 @@ blacklist ${HOME}/.config/katevirc
 blacklist ${HOME}/.config/kazam
 blacklist ${HOME}/.config/kdeconnect
 blacklist ${HOME}/.config/kdenliverc
+blacklist ${HOME}/.config/kdiff3fileitemactionrc
+blacklist ${HOME}/.config/kdiff3rc
 blacklist ${HOME}/.config/kfindrc
 blacklist ${HOME}/.config/kgetrc
 blacklist ${HOME}/.config/kid3rc
@@ -304,11 +307,13 @@ blacklist ${HOME}/.config/mana
 blacklist ${HOME}/.config/mate-calc
 blacklist ${HOME}/.config/mate/eom
 blacklist ${HOME}/.config/mate/mate-dictionary
+blacklist ${HOME}/.config/matrix-mirage
 blacklist ${HOME}/.config/meld
 blacklist ${HOME}/.config/meteo-qt
 blacklist ${HOME}/.config/menulibre.cfg
 blacklist ${HOME}/.config/mfusion
 blacklist ${HOME}/.config/Microsoft
+blacklist ${HOME}/.config/microsoft-edge-dev
 blacklist ${HOME}/.config/midori
 blacklist ${HOME}/.config/mirage
 blacklist ${HOME}/.config/mono
@@ -356,6 +361,7 @@ blacklist ${HOME}/.config/psi
 blacklist ${HOME}/.config/psi+
 blacklist ${HOME}/.config/qBittorrent
 blacklist ${HOME}/.config/qBittorrentrc
+blacklist ${HOME}/.config/qnapi.ini
 blacklist ${HOME}/.config/qpdfview
 blacklist ${HOME}/.config/qupzilla
 blacklist ${HOME}/.config/qutebrowser
@@ -394,6 +400,8 @@ blacklist ${HOME}/.config/tox
 blacklist ${HOME}/.config/transgui
 blacklist ${HOME}/.config/transmission
 blacklist ${HOME}/.config/truecraft
+blacklist ${HOME}/.config/tuta_integration
+blacklist ${HOME}/.config/tutanota-desktop
 blacklist ${HOME}/.config/tvbrowser
 blacklist ${HOME}/.config/uGet
 blacklist ${HOME}/.config/ungoogled-chromium
@@ -464,10 +472,7 @@ blacklist ${HOME}/.gimp*
 blacklist ${HOME}/.gist
 blacklist ${HOME}/.gitconfig
 blacklist ${HOME}/.gnome/gnome-schedule
-blacklist ${HOME}/.googleearth/Cache
-blacklist ${HOME}/.googleearth/Temp
-blacklist ${HOME}/.googleearth/myplaces.backup.kml
-blacklist ${HOME}/.googleearth/myplaces.kml
+blacklist ${HOME}/.googleearth
 blacklist ${HOME}/.gradle
 blacklist ${HOME}/.gramps
 blacklist ${HOME}/.guayadeque
@@ -555,6 +560,7 @@ blacklist ${HOME}/.kino-history
 blacklist ${HOME}/.kinorc
 blacklist ${HOME}/.klatexformula
 blacklist ${HOME}/.kodi
+blacklist ${HOME}/.librewolf
 blacklist ${HOME}/.lincity-ng
 blacklist ${HOME}/.links
 blacklist ${HOME}/.linphone-history.db
@@ -596,6 +602,7 @@ blacklist ${HOME}/.local/share/baloo
 blacklist ${HOME}/.local/share/barrier
 blacklist ${HOME}/.local/share/bibletime
 blacklist ${HOME}/.local/share/bijiben
+blacklist ${HOME}/.local/share/bohemiainteractive
 blacklist ${HOME}/.local/share/caja-python
 blacklist ${HOME}/.local/share/cantata
 blacklist ${HOME}/.local/share/cdprojektred
@@ -672,6 +679,7 @@ blacklist ${HOME}/.local/share/lugaru
 blacklist ${HOME}/.local/share/lutris
 blacklist ${HOME}/.local/share/mana
 blacklist ${HOME}/.local/share/maps-places.json
+blacklist ${HOME}/.local/share/matrix-mirage
 blacklist ${HOME}/.local/share/meld
 blacklist ${HOME}/.local/share/midori
 blacklist ${HOME}/.local/share/mirage
@@ -704,6 +712,7 @@ blacklist ${HOME}/.local/share/remmina
 blacklist ${HOME}/.local/share/rhythmbox
 blacklist ${HOME}/.local/share/rtv
 blacklist ${HOME}/.local/share/scribus
+blacklist ${HOME}/.local/share/shotwell
 blacklist ${HOME}/.local/share/signal-cli
 blacklist ${HOME}/.local/share/sink
 blacklist ${HOME}/.local/share/smuxi
@@ -755,6 +764,9 @@ blacklist ${HOME}/.neverball
 blacklist ${HOME}/.newsbeuter
 blacklist ${HOME}/.newsboat
 blacklist ${HOME}/.nicotine
+blacklist ${HOME}/.node-gyp
+blacklist ${HOME}/.npm
+blacklist ${HOME}/.npmrc
 blacklist ${HOME}/.nv
 blacklist ${HOME}/.nylas-mail
 blacklist ${HOME}/.openarena
@@ -841,6 +853,10 @@ blacklist ${HOME}/.xmr-stak
 blacklist ${HOME}/.xonotic
 blacklist ${HOME}/.xournalpp
 blacklist ${HOME}/.xpdfrc
+blacklist ${HOME}/.yarn
+blacklist ${HOME}/.yarn-config
+blacklist ${HOME}/.yarncache
+blacklist ${HOME}/.yarnrc
 blacklist ${HOME}/.zoom
 blacklist /tmp/akonadi-*
 blacklist /tmp/ssh-*
@@ -941,9 +957,13 @@ blacklist ${HOME}/.cache/ksplashqml
 blacklist ${HOME}/.cache/kube
 blacklist ${HOME}/.cache/kwin
 blacklist ${HOME}/.cache/libgweather
+blacklist ${HOME}/.cache/librewolf
 blacklist ${HOME}/.cache/liferea
 blacklist ${HOME}/.cache/lutris
 blacklist ${HOME}/.cache/Mendeley Ltd.
+blacklist ${HOME}/.cache/marker
+blacklist ${HOME}/.cache/matrix-mirage
+blacklist ${HOME}/.cache/microsoft-edge-dev
 blacklist ${HOME}/.cache/midori
 blacklist ${HOME}/.cache/minetest
 blacklist ${HOME}/.cache/mirage
@@ -959,7 +979,7 @@ blacklist ${HOME}/.cache/ms-skype-online
 blacklist ${HOME}/.cache/ms-word-online
 blacklist ${HOME}/.cache/mutt
 blacklist ${HOME}/.cache/mypaint
-blacklist ${HOME}/.cache/nheko/nheko
+blacklist ${HOME}/.cache/nheko
 blacklist ${HOME}/.cache/netsurf
 blacklist ${HOME}/.cache/okular
 blacklist ${HOME}/.cache/opera
@@ -977,6 +997,7 @@ blacklist ${HOME}/.cache/qBittorrent
 blacklist ${HOME}/.cache/qupzilla
 blacklist ${HOME}/.cache/qutebrowser
 blacklist ${HOME}/.cache/rhythmbox
+blacklist ${HOME}/.cache/shotwell
 blacklist ${HOME}/.cache/simple-scan
 blacklist ${HOME}/.cache/slimjet
 blacklist ${HOME}/.cache/smuxi
diff --git a/etc/net/nolocal6.net b/etc/net/nolocal6.net
new file mode 100644
index 000000000..5a6678d03
--- /dev/null
+++ b/etc/net/nolocal6.net
@@ -0,0 +1,41 @@
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
+
+###################################################################
+# Client filter rejecting local network traffic, with the exception of
+# DNS traffic
+#
+# Usage:
+#     firejail --net=eth0 --netfilter6=/etc/firejail/nolocal6.net firefox
+#
+###################################################################
+
+#allow all loopback traffic
+-A INPUT -i lo -j ACCEPT
+
+# no incoming connections
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+
+# allow ping etc.
+-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type destination-unreachable -j ACCEPT
+-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type time-exceeded -j ACCEPT
+-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type echo-request -j ACCEPT
+# required for ipv6
+-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type router-solicitation -j ACCEPT
+-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type neighbour-solicitation -j ACCEPT
+-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type router-advertisement -j ACCEPT
+-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type neighbour-advertisement -j ACCEPT
+
+# accept dns requests going out to a server on the local network
+-A OUTPUT -p udp --dport 53 -j ACCEPT
+
+# drop all local network traffic
+-A OUTPUT -d FC00::/7 -j DROP
+
+# drop multicast traffic
+# required for ipv6
+-A OUTPUT -d ff02::2 -j ACCEPT
+-A OUTPUT -d ff00::/8 -j DROP
+COMMIT
diff --git a/etc/profile-a-l/7z.profile b/etc/profile-a-l/7z.profile
index 5e1c17b28..76492c339 100644
--- a/etc/profile-a-l/7z.profile
+++ b/etc/profile-a-l/7z.profile
@@ -7,6 +7,5 @@ include 7z.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${PATH}/bash
-noblacklist ${PATH}/sh
+ignore include disable-shell.inc
 include archiver-common.inc
diff --git a/etc/profile-a-l/Builder.profile b/etc/profile-a-l/Builder.profile
index 54b437441..a010e84dc 100644
--- a/etc/profile-a-l/Builder.profile
+++ b/etc/profile-a-l/Builder.profile
@@ -1,6 +1,9 @@
 # Firejail profile for gnome-builder
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include Builder.local
+
 # Temporary fix for https://github.com/netblue30/firejail/issues/2624
 # Redirect
 include gnome-builder.profile
diff --git a/etc/profile-a-l/Cheese.profile b/etc/profile-a-l/Cheese.profile
index 5bb5064f0..e8020c3e1 100644
--- a/etc/profile-a-l/Cheese.profile
+++ b/etc/profile-a-l/Cheese.profile
@@ -1,6 +1,9 @@
 # Firejail profile for cheese
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include Cheese.local
+
 # Temporary fix for https://github.com/netblue30/firejail/issues/2624
 # Redirect
 include cheese.profile
diff --git a/etc/profile-a-l/Cyberfox.profile b/etc/profile-a-l/Cyberfox.profile
index 26a4348c9..d26230b02 100644
--- a/etc/profile-a-l/Cyberfox.profile
+++ b/etc/profile-a-l/Cyberfox.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for cyberfox
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include Cyberfox.local
+
 # Redirect
 include cyberfox.profile
diff --git a/etc/profile-a-l/Documents.profile b/etc/profile-a-l/Documents.profile
index 171ab4357..94109e239 100644
--- a/etc/profile-a-l/Documents.profile
+++ b/etc/profile-a-l/Documents.profile
@@ -1,6 +1,9 @@
 # Firejail profile for gnome-documents
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include Documents.local
+
 # Temporary fix for https://github.com/netblue30/firejail/issues/2624
 # Redirect
 include gnome-documents.profile
diff --git a/etc/profile-a-l/FossaMail.profile b/etc/profile-a-l/FossaMail.profile
index 9e1f61421..9c7826643 100644
--- a/etc/profile-a-l/FossaMail.profile
+++ b/etc/profile-a-l/FossaMail.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for fossamail
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include FossaMail.local
+
 # Redirect
 include fossamail.profile
diff --git a/etc/profile-a-l/Gitter.profile b/etc/profile-a-l/Gitter.profile
index a8bcb6a54..f670d0d7f 100644
--- a/etc/profile-a-l/Gitter.profile
+++ b/etc/profile-a-l/Gitter.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for Gitter
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include Gitter.local
+
 # Redirect
 include gitter.profile
diff --git a/etc/profile-a-l/Logs.profile b/etc/profile-a-l/Logs.profile
index 431439f17..2d01ccb87 100644
--- a/etc/profile-a-l/Logs.profile
+++ b/etc/profile-a-l/Logs.profile
@@ -1,6 +1,9 @@
 # Firejail profile for gnome-logs
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include Logs.local
+
 # Temporary fix for https://github.com/netblue30/firejail/issues/2624
 # Redirect
 include gnome-logs.profile
diff --git a/etc/profile-a-l/agetpkg.profile b/etc/profile-a-l/agetpkg.profile
new file mode 100644
index 000000000..6d5dab41a
--- /dev/null
+++ b/etc/profile-a-l/agetpkg.profile
@@ -0,0 +1,60 @@
+# Firejail profile for agetpkg
+# Description: CLI tool to list/get/install packages from the Arch Linux Archive
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include agetpkg.local
+# Persistent global definitions
+include globals.local
+
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+
+# Allow python (blacklisted by disable-interpreters.inc)
+#include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+whitelist ${DOWNLOADS}
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+hostname agetpkg
+ipc-namespace
+machine-id
+noautopulse
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol inet,inet6
+seccomp
+shell none
+tracelog
+
+private-bin agetpkg,python3
+private-cache
+private-dev
+private-etc ca-certificates,crypto-policies,pki,resolv.conf,ssl
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
diff --git a/etc/profile-a-l/alacarte.profile b/etc/profile-a-l/alacarte.profile
index 8f7640ffe..98188d2a7 100644
--- a/etc/profile-a-l/alacarte.profile
+++ b/etc/profile-a-l/alacarte.profile
@@ -49,7 +49,7 @@ shell none
 tracelog
 
 disable-mnt
-private-bin alacarte,bash,python*,sh
+# private-bin alacarte,bash,python*,sh
 private-cache
 private-dev
 private-etc alternatives,dconf,fonts,gtk-3.0,locale.alias,locale.conf,login.defs,mime.types,nsswitch.conf,passwd,pki,X11,xdg
diff --git a/etc/profile-a-l/apostrophe.profile b/etc/profile-a-l/apostrophe.profile
index 9c0b92598..4986ac63a 100644
--- a/etc/profile-a-l/apostrophe.profile
+++ b/etc/profile-a-l/apostrophe.profile
@@ -9,6 +9,9 @@ include globals.local
 noblacklist ${DOCUMENTS}
 noblacklist ${PICTURES}
 
+# Allow lua (blacklisted by disable-interpreters.inc)
+include allow-lua.inc
+
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python3.inc
 
diff --git a/etc/profile-a-l/ardour4.profile b/etc/profile-a-l/ardour4.profile
index 4ad8dd456..b81f01389 100644
--- a/etc/profile-a-l/ardour4.profile
+++ b/etc/profile-a-l/ardour4.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for ardour5
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include ardur4.local
+
 # Redirect
 include ardour5.profile
diff --git a/etc/profile-a-l/atom.profile b/etc/profile-a-l/atom.profile
index f21a5febf..5f237ac59 100644
--- a/etc/profile-a-l/atom.profile
+++ b/etc/profile-a-l/atom.profile
@@ -25,7 +25,6 @@ noblacklist ${HOME}/.config/Atom
 include allow-common-devel.inc
 
 # net none
-netfilter
 nosound
 
 # Redirect
diff --git a/etc/profile-a-l/balsa.profile b/etc/profile-a-l/balsa.profile
index cda6b1aa0..d755fd803 100644
--- a/etc/profile-a-l/balsa.profile
+++ b/etc/profile-a-l/balsa.profile
@@ -9,6 +9,7 @@ include globals.local
 noblacklist ${HOME}/.balsa
 noblacklist ${HOME}/.gnupg
 noblacklist ${HOME}/.mozilla
+noblacklist ${HOME}/.signature
 noblacklist ${HOME}/mail
 noblacklist /var/mail
 noblacklist /var/spool/mail
@@ -24,10 +25,12 @@ include disable-xdg.inc
 
 mkdir ${HOME}/.balsa
 mkdir ${HOME}/.gnupg
+mkfile ${HOME}/.signature
 mkdir ${HOME}/mail
 whitelist ${HOME}/.balsa
 whitelist ${HOME}/.gnupg
 whitelist ${HOME}/.mozilla/firefox/profiles.ini
+whitelist ${HOME}/.signature
 whitelist ${HOME}/mail
 whitelist ${RUNUSER}/gnupg
 whitelist /usr/share/balsa
@@ -58,9 +61,9 @@ shell none
 tracelog
 
 # disable-mnt
-# Add "gpg,gpg2,gpg-agent,pinentry-curses,pinentry-emacs,pinentry-fltk,pinentry-gnome3,pinentry-gtk,pinentry-gtk2,pinentry-gtk-2,pinentry-qt,pinentry-qt4,pinentry-tty,pinentry-x2go,pinentry-kwallet" for gpg
+# Add "pinentry-curses,pinentry-emacs,pinentry-fltk,pinentry-gnome3,pinentry-gtk,pinentry-gtk2,pinentry-gtk-2,pinentry-qt,pinentry-qt4,pinentry-tty,pinentry-x2go,pinentry-kwallet" for gpg 
 # Add "ignore private-bin" for hyperlinks or have a look at the private-bins in firefox.profile and firefox-common.profile.
-private-bin balsa,balsa-ab
+private-bin balsa,balsa-ab,gpg,gpg-agent,gpg2,gpgsm
 private-cache
 private-dev
 private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,groups,gtk-2.0,gtk-3.0,hostname,hosts,mailname,passwd,pki,resolv.conf,selinux,ssl,xdg
@@ -71,8 +74,9 @@ writable-var
 dbus-user filter
 dbus-user.own org.desktop.Balsa
 dbus-user.talk ca.desrt.dconf
-dbus-user.talk org.freedesktop.secrets
 dbus-user.talk org.freedesktop.Notifications
+dbus-user.talk org.freedesktop.secrets
+dbus-user.talk org.gnome.keyring.SystemPrompter
 dbus-system none
 
-read-only ${HOME}/.mozilla/firefox/profiles.ini
+read-only ${HOME}/.mozilla/firefox/profiles.ini
\ No newline at end of file
diff --git a/etc/profile-a-l/bibletime.profile b/etc/profile-a-l/bibletime.profile
index 99e2802eb..235b84be3 100644
--- a/etc/profile-a-l/bibletime.profile
+++ b/etc/profile-a-l/bibletime.profile
@@ -26,6 +26,7 @@ whitelist ${HOME}/.bibletime
 whitelist ${HOME}/.sword
 whitelist ${HOME}/.local/share/bibletime
 whitelist /usr/share/bibletime
+whitelist /usr/share/doc/bibletime
 whitelist /usr/share/sword
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/blackbox.profile b/etc/profile-a-l/blackbox.profile
index 13e83493d..233f9a96f 100644
--- a/etc/profile-a-l/blackbox.profile
+++ b/etc/profile-a-l/blackbox.profile
@@ -6,7 +6,7 @@ include blackbox.local
 # Persistent global definitions
 include globals.local
 
-# all applications started in awesome will run in this profile
+# all applications started in blackbox will run in this profile
 noblacklist ${HOME}/.blackbox
 include disable-common.inc
 
diff --git a/etc/profile-a-l/blender-2.8.profile b/etc/profile-a-l/blender-2.8.profile
index b7242c443..f8062d00e 100644
--- a/etc/profile-a-l/blender-2.8.profile
+++ b/etc/profile-a-l/blender-2.8.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for blender
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include blender-2.8.local
+
 # Redirect
 include blender.profile
diff --git a/etc/profile-a-l/brave-browser-beta.profile b/etc/profile-a-l/brave-browser-beta.profile
index 528a6402d..bfea2c622 100644
--- a/etc/profile-a-l/brave-browser-beta.profile
+++ b/etc/profile-a-l/brave-browser-beta.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for brave (beta channel)
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include brave-browser-beta.local
+
 # Redirect
 include brave.profile
diff --git a/etc/profile-a-l/brave-browser-dev.profile b/etc/profile-a-l/brave-browser-dev.profile
index 4601de119..6c66c9697 100644
--- a/etc/profile-a-l/brave-browser-dev.profile
+++ b/etc/profile-a-l/brave-browser-dev.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for brave (development channel)
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include brave-browser-dev.local
+
 # Redirect
 include brave.profile
diff --git a/etc/profile-a-l/brave-browser-nightly.profile b/etc/profile-a-l/brave-browser-nightly.profile
index 43d3cc724..8812f06ba 100644
--- a/etc/profile-a-l/brave-browser-nightly.profile
+++ b/etc/profile-a-l/brave-browser-nightly.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for brave (nightly channel)
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include brave-browser-nightly.local
+
 # Redirect
 include brave.profile
diff --git a/etc/profile-a-l/brave-browser-stable.profile b/etc/profile-a-l/brave-browser-stable.profile
index 06d33dea4..f59e5763b 100644
--- a/etc/profile-a-l/brave-browser-stable.profile
+++ b/etc/profile-a-l/brave-browser-stable.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for brave (release channel)
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include brave-browser-stable.local
+
 # Redirect
 include brave.profile
diff --git a/etc/profile-a-l/brave-browser.profile b/etc/profile-a-l/brave-browser.profile
index e223ecf87..d9c9c45d7 100644
--- a/etc/profile-a-l/brave-browser.profile
+++ b/etc/profile-a-l/brave-browser.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for brave
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include brave-browser.local
+
 # Redirect
 include brave.profile
diff --git a/etc/profile-a-l/bsdcat.profile b/etc/profile-a-l/bsdcat.profile
index 5271ee5d6..562ba4b65 100644
--- a/etc/profile-a-l/bsdcat.profile
+++ b/etc/profile-a-l/bsdcat.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for bsdtar
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include bsdcat.local
+
 # Redirect
 include bsdtar.profile
diff --git a/etc/profile-a-l/bsdcpio.profile b/etc/profile-a-l/bsdcpio.profile
index 5271ee5d6..ed109957d 100644
--- a/etc/profile-a-l/bsdcpio.profile
+++ b/etc/profile-a-l/bsdcpio.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for bsdtar
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include bsdcpio.local
+
 # Redirect
 include bsdtar.profile
diff --git a/etc/profile-a-l/calligraauthor.profile b/etc/profile-a-l/calligraauthor.profile
index 7804a3b97..bb555a70b 100644
--- a/etc/profile-a-l/calligraauthor.profile
+++ b/etc/profile-a-l/calligraauthor.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for calligra
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include calligraauthor.local
+
 # Redirect
 include calligra.profile
diff --git a/etc/profile-a-l/calligraconverter.profile b/etc/profile-a-l/calligraconverter.profile
index 7804a3b97..205087758 100644
--- a/etc/profile-a-l/calligraconverter.profile
+++ b/etc/profile-a-l/calligraconverter.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for calligra
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include calligraconverter.local
+
 # Redirect
 include calligra.profile
diff --git a/etc/profile-a-l/calligraflow.profile b/etc/profile-a-l/calligraflow.profile
index 7804a3b97..99e094016 100644
--- a/etc/profile-a-l/calligraflow.profile
+++ b/etc/profile-a-l/calligraflow.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for calligra
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include calligraflow.local
+
 # Redirect
 include calligra.profile
diff --git a/etc/profile-a-l/calligraplan.profile b/etc/profile-a-l/calligraplan.profile
index 23dd61175..d8b18b238 100644
--- a/etc/profile-a-l/calligraplan.profile
+++ b/etc/profile-a-l/calligraplan.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for calligra
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include calligraplan.local
+
 noblacklist ${HOME}/.local/share/kxmlgui5/calligraplan
 
 # Redirect
diff --git a/etc/profile-a-l/calligraplanwork.profile b/etc/profile-a-l/calligraplanwork.profile
index 1c283a3cb..0feb49a77 100644
--- a/etc/profile-a-l/calligraplanwork.profile
+++ b/etc/profile-a-l/calligraplanwork.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for calligra
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include calligraplanwork.local
+
 noblacklist ${HOME}/.local/share/kxmlgui5/calligraplanwork
 
 # Redirect
diff --git a/etc/profile-a-l/calligrasheets.profile b/etc/profile-a-l/calligrasheets.profile
index 8ef75be71..0c45b6b54 100644
--- a/etc/profile-a-l/calligrasheets.profile
+++ b/etc/profile-a-l/calligrasheets.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for calligra
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include calligrasheets.local
+
 noblacklist ${HOME}/.local/share/kxmlgui5/calligrasheets
 
 # Redirect
diff --git a/etc/profile-a-l/calligrastage.profile b/etc/profile-a-l/calligrastage.profile
index d5c960248..a9db7e64b 100644
--- a/etc/profile-a-l/calligrastage.profile
+++ b/etc/profile-a-l/calligrastage.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for calligra
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include calligrastage.local
+
 noblacklist ${HOME}/.local/share/kxmlgui5/calligrastage
 
 # Redirect
diff --git a/etc/profile-a-l/calligrawords.profile b/etc/profile-a-l/calligrawords.profile
index 5985b4250..1f62cb7ec 100644
--- a/etc/profile-a-l/calligrawords.profile
+++ b/etc/profile-a-l/calligrawords.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for calligra
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include calligrawords.local
+
 noblacklist ${HOME}/.local/share/kxmlgui5/calligrawords
 
 # Redirect
diff --git a/etc/profile-a-l/cheese.profile b/etc/profile-a-l/cheese.profile
index 337117c4a..aca1f5876 100644
--- a/etc/profile-a-l/cheese.profile
+++ b/etc/profile-a-l/cheese.profile
@@ -19,7 +19,10 @@ include disable-xdg.inc
 
 whitelist ${VIDEOS}
 whitelist ${PICTURES}
+whitelist /usr/share/gnome-video-effects
 include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
 apparmor
@@ -43,5 +46,6 @@ private-cache
 private-etc alternatives,clutter-1.0,dconf,drirc,fonts,gtk-3.0
 private-tmp
 
-dbus-user none
+dbus-user filter
+dbus-user.talk ca.desrt.dconf
 dbus-system none
diff --git a/etc/profile-a-l/chromium-browser.profile b/etc/profile-a-l/chromium-browser.profile
index f83052d9a..c782a4d78 100644
--- a/etc/profile-a-l/chromium-browser.profile
+++ b/etc/profile-a-l/chromium-browser.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for chromium
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include chromium-browser.local
+
 # Redirect
 include chromium.profile
diff --git a/etc/profile-a-l/chromium-freeworld.profile b/etc/profile-a-l/chromium-freeworld.profile
index a1de85afa..5d1f3c11c 100644
--- a/etc/profile-a-l/chromium-freeworld.profile
+++ b/etc/profile-a-l/chromium-freeworld.profile
@@ -1,5 +1,8 @@
 # Firejail profile for chromium-freeworld
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include chromium-freeworld.local
+
 # Redirect
 include chromium.profile
diff --git a/etc/profile-a-l/cinelerra.profile b/etc/profile-a-l/cinelerra.profile
index 88a65037e..823375049 100644
--- a/etc/profile-a-l/cinelerra.profile
+++ b/etc/profile-a-l/cinelerra.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for cin
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include cinelerra.local
+
 # Redirect
 include cin.profile
diff --git a/etc/profile-a-l/clamdscan.profile b/etc/profile-a-l/clamdscan.profile
index 4c6c56c5f..1a89a927d 100644
--- a/etc/profile-a-l/clamdscan.profile
+++ b/etc/profile-a-l/clamdscan.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for clamav
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include clamdscan.local
+
 # Redirect
 include clamav.profile
diff --git a/etc/profile-a-l/clamdtop.profile b/etc/profile-a-l/clamdtop.profile
index 4c6c56c5f..96f68b8f6 100644
--- a/etc/profile-a-l/clamdtop.profile
+++ b/etc/profile-a-l/clamdtop.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for clamav
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include clamdtop.local
+
 # Redirect
 include clamav.profile
diff --git a/etc/profile-a-l/clamscan.profile b/etc/profile-a-l/clamscan.profile
index 4c6c56c5f..ec435a50a 100644
--- a/etc/profile-a-l/clamscan.profile
+++ b/etc/profile-a-l/clamscan.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for clamav
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include clamscan.local
+
 # Redirect
 include clamav.profile
diff --git a/etc/profile-a-l/clocks.profile b/etc/profile-a-l/clocks.profile
index da50e7d49..c180e6faa 100644
--- a/etc/profile-a-l/clocks.profile
+++ b/etc/profile-a-l/clocks.profile
@@ -1,6 +1,9 @@
 # Firejail profile for gnome-clocks
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include clocks.local
+
 # Temporary fix for https://github.com/netblue30/firejail/issues/2624
 # Redirect
 include gnome-clocks.profile
diff --git a/etc/profile-a-l/com.gitlab.newsflash.profile b/etc/profile-a-l/com.gitlab.newsflash.profile
index 0628d3d01..26f99428c 100644
--- a/etc/profile-a-l/com.gitlab.newsflash.profile
+++ b/etc/profile-a-l/com.gitlab.newsflash.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for newsflash
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include com.gitlab.newsflash.local
+
 # Redirect
 include newsflash.profile
diff --git a/etc/profile-a-l/crawl-tiles.profile b/etc/profile-a-l/crawl-tiles.profile
index 39151865e..b384e42ae 100644
--- a/etc/profile-a-l/crawl-tiles.profile
+++ b/etc/profile-a-l/crawl-tiles.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for crawl
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include crawl-titles.local
+
 ignore no3d
 
 # Redirect
diff --git a/etc/profile-a-l/cryptocat.profile b/etc/profile-a-l/cryptocat.profile
index 69aa39de2..b208b21a0 100644
--- a/etc/profile-a-l/cryptocat.profile
+++ b/etc/profile-a-l/cryptocat.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for Cryptocat
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include cryptocat.local
+
 # Redirect
 include Cryptocat.profile
diff --git a/etc/profile-a-l/discord-common.profile b/etc/profile-a-l/discord-common.profile
index e6edbd7eb..b583f1a1d 100644
--- a/etc/profile-a-l/discord-common.profile
+++ b/etc/profile-a-l/discord-common.profile
@@ -23,7 +23,7 @@ whitelist ${HOME}/.config/BetterDiscord
 whitelist ${HOME}/.local/share/betterdiscordctl
 
 private-bin bash,cut,echo,egrep,fish,grep,head,sed,sh,tclsh,tr,xdg-mime,xdg-open,zsh
-private-etc alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,localtime,login.defs,machine-id,password,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,localtime,login.defs,machine-id,password,pki,pulse,resolv.conf,ssl
 
 # Redirect
 include electron.profile
diff --git a/etc/profile-a-l/dooble-qt4.profile b/etc/profile-a-l/dooble-qt4.profile
index 70a21e11c..c21df94c5 100644
--- a/etc/profile-a-l/dooble-qt4.profile
+++ b/etc/profile-a-l/dooble-qt4.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for dooble
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include dooble-qt4.local
+
 # Redirect
 include dooble.profile
diff --git a/etc/profile-a-l/element-desktop.profile b/etc/profile-a-l/element-desktop.profile
index 2d56369cd..48a826f2e 100644
--- a/etc/profile-a-l/element-desktop.profile
+++ b/etc/profile-a-l/element-desktop.profile
@@ -7,6 +7,8 @@ include element-desktop.local
 # added by included profile
 #include globals.local
 
+ignore dbus-user none
+
 noblacklist ${HOME}/.config/Element
 
 mkdir ${HOME}/.config/Element
@@ -15,5 +17,8 @@ whitelist /opt/Element
 
 private-opt Element
 
+dbus-user filter
+dbus-user.talk org.freedesktop.secrets
+
 # Redirect
 include riot-desktop.profile
diff --git a/etc/profile-a-l/evince.profile b/etc/profile-a-l/evince.profile
index c0c16e929..25d5196fc 100644
--- a/etc/profile-a-l/evince.profile
+++ b/etc/profile-a-l/evince.profile
@@ -6,6 +6,10 @@ include evince.local
 # Persistent global definitions
 include globals.local
 
+# Uncomment this line and the bottom ones to use bookmarks
+# NOTE: This possibly exposes information, including file history from other programs.
+#noblacklist ${HOME}/.local/share/gvfs-metadata
+
 noblacklist ${HOME}/.config/evince
 noblacklist ${DOCUMENTS}
 
@@ -54,5 +58,8 @@ private-lib evince,gcc/*/*/libgcc_s.so.*,gcc/*/*/libstdc++.so.*,gconv,gdk-pixbuf
 private-tmp
 
 # might break two-page-view on some systems
-dbus-user none
+dbus-user filter
+# Also uncomment these two lines if you want to use bookmarks
+#dbus-user.talk org.gtk.vfs.Daemon
+#dbus-user.talk org.gtk.vfs.Metadata
 dbus-system none
diff --git a/etc/profile-a-l/feh.profile b/etc/profile-a-l/feh.profile
index 3ee07e559..8ac7755de 100644
--- a/etc/profile-a-l/feh.profile
+++ b/etc/profile-a-l/feh.profile
@@ -1,6 +1,7 @@
 # Firejail profile for feh
 # Description: imlib2 based image viewer
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include feh.local
 # Persistent global definitions
diff --git a/etc/profile-a-l/fluxbox.profile b/etc/profile-a-l/fluxbox.profile
index c296c0491..1210f365c 100644
--- a/etc/profile-a-l/fluxbox.profile
+++ b/etc/profile-a-l/fluxbox.profile
@@ -6,7 +6,7 @@ include fluxbox.local
 # Persistent global definitions
 include globals.local
 
-# all applications started in awesome will run in this profile
+# all applications started in fluxbox will run in this profile
 noblacklist ${HOME}/.fluxbox
 include disable-common.inc
 
diff --git a/etc/profile-a-l/fractal.profile b/etc/profile-a-l/fractal.profile
index c3af29e15..dc8d6e3ad 100644
--- a/etc/profile-a-l/fractal.profile
+++ b/etc/profile-a-l/fractal.profile
@@ -8,6 +8,9 @@ include globals.local
 
 noblacklist ${HOME}/.cache/fractal
 
+include allow-python2.inc
+include allow-python3.inc
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -49,6 +52,6 @@ private-tmp
 dbus-user filter
 dbus-user.own org.gnome.Fractal
 dbus-user.talk ca.desrt.dconf
-dbus-user.talk org.freedesktop.secrets
 dbus-user.talk org.freedesktop.Notifications
+dbus-user.talk org.freedesktop.secrets
 dbus-system none
diff --git a/etc/profile-a-l/freecadcmd.profile b/etc/profile-a-l/freecadcmd.profile
index 44bf62cfe..573029add 100644
--- a/etc/profile-a-l/freecadcmd.profile
+++ b/etc/profile-a-l/freecadcmd.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for freecad
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include freecadcms.local
+
 # Redirect
 include freecad.profile
diff --git a/etc/profile-a-l/freeciv-gtk3.profile b/etc/profile-a-l/freeciv-gtk3.profile
index fa36459e7..d8d1592c5 100644
--- a/etc/profile-a-l/freeciv-gtk3.profile
+++ b/etc/profile-a-l/freeciv-gtk3.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for freeciv
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include freeciv-gtk3.local
+
 # Redirect
 include freeciv.profile
diff --git a/etc/profile-a-l/freeciv-mp-gtk3.profile b/etc/profile-a-l/freeciv-mp-gtk3.profile
index fa36459e7..16bc87848 100644
--- a/etc/profile-a-l/freeciv-mp-gtk3.profile
+++ b/etc/profile-a-l/freeciv-mp-gtk3.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for freeciv
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include freeciv-mp-gtk3.local
+
 # Redirect
 include freeciv.profile
diff --git a/etc/profile-a-l/gajim-history-manager.profile b/etc/profile-a-l/gajim-history-manager.profile
index 2ae6dd9d8..2f4f2c548 100644
--- a/etc/profile-a-l/gajim-history-manager.profile
+++ b/etc/profile-a-l/gajim-history-manager.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for gajim-history-manager
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include gajim-history-manager.local
+
 # Redirect
 include gajim.profile
diff --git a/etc/profile-a-l/gajim.profile b/etc/profile-a-l/gajim.profile
index 85d9b9bd9..125ddf79c 100644
--- a/etc/profile-a-l/gajim.profile
+++ b/etc/profile-a-l/gajim.profile
@@ -6,6 +6,7 @@ include gajim.local
 # Persistent global definitions
 include globals.local
 
+noblacklist ${HOME}/.gnupg
 noblacklist ${HOME}/.cache/gajim
 noblacklist ${HOME}/.config/gajim
 noblacklist ${HOME}/.local/share/gajim
@@ -20,19 +21,27 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
-# Comment the following line if you need to whitelist other folders than ~/Downloads
+# Comment the following line if you need to whitelist folders other than ~/Downloads
 include disable-xdg.inc
 
+mkdir ${HOME}/.gnupg
 mkdir ${HOME}/.cache/gajim
 mkdir ${HOME}/.config/gajim
 mkdir ${HOME}/.local/share/gajim
+whitelist ${HOME}/.gnupg
 whitelist ${HOME}/.cache/gajim
 whitelist ${HOME}/.config/gajim
 whitelist ${HOME}/.local/share/gajim
 whitelist ${DOWNLOADS}
+whitelist ${RUNUSER}/gnupg
+whitelist /usr/share/gnupg
+whitelist /usr/share/gnupg2
 include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 netfilter
 nodvd
@@ -47,9 +56,24 @@ shell none
 tracelog
 
 disable-mnt
-private-bin bash,gajim,gajim-history-manager,gpg,gpg2,paplay,python,python3,sh,zsh
+private-bin bash,gajim,gajim-history-manager,gpg,gpg2,paplay,python*,sh,zsh
+private-cache
 private-dev
-private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,group,hostname,hosts,ld.so.cache,ld.so.conf,localtime,machine-id,passwd,pki,pulse,resolv.conf,ssl
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,group,hostname,hosts,ld.so.cache,ld.so.conf,localtime,machine-id,passwd,pki,pulse,resolv.conf,ssl,xdg
 private-tmp
+writable-run-user
+
+dbus-user filter
+dbus-user.own org.gajim.Gajim
+dbus-user.talk org.gnome.Mutter.IdleMonitor
+dbus-user.talk ca.desrt.dconf
+dbus-user.talk org.freedesktop.Notifications
+dbus-user.talk org.freedesktop.secrets
+dbus-user.talk org.kde.kwalletd5
+dbus-user.talk org.mpris.MediaPlayer2.*
+dbus-system filter
+dbus-system.talk org.freedesktop.login1
+# Uncomment for location plugin support
+#dbus-system.talk org.freedesktop.GeoClue2
 
 join-or-start gajim
diff --git a/etc/profile-a-l/ghb.profile b/etc/profile-a-l/ghb.profile
index 1e7ce2350..809328448 100644
--- a/etc/profile-a-l/ghb.profile
+++ b/etc/profile-a-l/ghb.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for handbrake
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include ghb.local
+
 # Redirect
 include handbrake.profile
diff --git a/etc/profile-a-l/gimp-2.10.profile b/etc/profile-a-l/gimp-2.10.profile
index dbf49ac22..89616a537 100644
--- a/etc/profile-a-l/gimp-2.10.profile
+++ b/etc/profile-a-l/gimp-2.10.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for gimp
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include gimp-2.10.local
+
 # Redirect
 include gimp.profile
diff --git a/etc/profile-a-l/gimp-2.8.profile b/etc/profile-a-l/gimp-2.8.profile
index dbf49ac22..30449e6f4 100644
--- a/etc/profile-a-l/gimp-2.8.profile
+++ b/etc/profile-a-l/gimp-2.8.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for gimp
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include gimp-2.8.local
+
 # Redirect
 include gimp.profile
diff --git a/etc/profile-a-l/gnome-mpv.profile b/etc/profile-a-l/gnome-mpv.profile
index f5d652732..2620d1558 100644
--- a/etc/profile-a-l/gnome-mpv.profile
+++ b/etc/profile-a-l/gnome-mpv.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for celluloid (formerly GNOME MPV)
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include gnome-mpv.local
+
 # Redirect
 include celluloid.profile
diff --git a/etc/profile-a-l/google-chrome-stable.profile b/etc/profile-a-l/google-chrome-stable.profile
index a456e8d61..7c54a0888 100644
--- a/etc/profile-a-l/google-chrome-stable.profile
+++ b/etc/profile-a-l/google-chrome-stable.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for google-chrome
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include google-chrome-stable.local
+
 # Redirect
 include google-chrome.profile
diff --git a/etc/profile-a-l/google-earth-pro.profile b/etc/profile-a-l/google-earth-pro.profile
index c1f919769..a0e4f6d86 100644
--- a/etc/profile-a-l/google-earth-pro.profile
+++ b/etc/profile-a-l/google-earth-pro.profile
@@ -1,7 +1,14 @@
-# Firejail profile alias for google-earth
+# Firejail profile for google-earth-pro
 # This file is overwritten after every install/update
+# Persistent local customizations
+include google-earth-pro.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
 
-private-bin google-earth-pro
+# If you see errors about missing commands, uncomment the below or put 'ignore private-bin' into your google-earth-pro.local
+#ignore private-bin
+private-bin google-earth-pro,googleearth,googleearth-bin,gpsbabel,readlink,repair_tool,which,xdg-mime,xdg-settings
 
 # Redirect
 include google-earth.profile
diff --git a/etc/profile-a-l/google-earth.profile b/etc/profile-a-l/google-earth.profile
index a331ef8d2..12b1cbafd 100644
--- a/etc/profile-a-l/google-earth.profile
+++ b/etc/profile-a-l/google-earth.profile
@@ -6,10 +6,7 @@ include google-earth.local
 include globals.local
 
 noblacklist ${HOME}/.config/Google
-noblacklist ${HOME}/.googleearth/Cache
-noblacklist ${HOME}/.googleearth/Temp
-noblacklist ${HOME}/.googleearth/myplaces.backup.kml
-noblacklist ${HOME}/.googleearth/myplaces.kml
+noblacklist ${HOME}/.googleearth
 
 include disable-common.inc
 include disable-devel.inc
@@ -19,15 +16,9 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 
 mkdir ${HOME}/.config/Google
-mkdir ${HOME}/.googleearth/Cache
-mkdir ${HOME}/.googleearth/Temp
-mkfile ${HOME}/.googleearth/myplaces.backup.kml
-mkfile ${HOME}/.googleearth/myplaces.kml
+mkdir ${HOME}/.googleearth
 whitelist ${HOME}/.config/Google
-whitelist ${HOME}/.googleearth/Cache
-whitelist ${HOME}/.googleearth/Temp
-whitelist ${HOME}/.googleearth/myplaces.backup.kml
-whitelist ${HOME}/.googleearth/myplaces.kml
+whitelist ${HOME}/.googleearth
 include whitelist-common.inc
 
 caps.drop all
diff --git a/etc/profile-a-l/gtar.profile b/etc/profile-a-l/gtar.profile
index 2391c121b..ccb97265e 100644
--- a/etc/profile-a-l/gtar.profile
+++ b/etc/profile-a-l/gtar.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for tar
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include gtar.local
+
 # Redirect
 include tar.profile
diff --git a/etc/profile-a-l/guvcview.profile b/etc/profile-a-l/guvcview.profile
new file mode 100644
index 000000000..46fc06940
--- /dev/null
+++ b/etc/profile-a-l/guvcview.profile
@@ -0,0 +1,55 @@
+# Firejail profile for guvcview
+# Description: GTK+ base UVC Viewer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include guvcview.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/guvcview2
+
+noblacklist ${PICTURES}
+noblacklist ${VIDEOS}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/guvcview2
+whitelist ${HOME}/.config/guvcview2
+whitelist ${PICTURES}
+whitelist ${VIDEOS}
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+protocol unix,netlink
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+disable-mnt
+private-bin guvcview
+private-cache
+private-dev
+private-etc alsa,alternatives,asound.conf,bumblebee,dconf,drirc,fonts,glvnd,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,nvidia,pango,pulse,X11
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/handbrake-gtk.profile b/etc/profile-a-l/handbrake-gtk.profile
index 1e7ce2350..317ebc99d 100644
--- a/etc/profile-a-l/handbrake-gtk.profile
+++ b/etc/profile-a-l/handbrake-gtk.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for handbrake
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include handbrake-gtk.local
+
 # Redirect
 include handbrake.profile
diff --git a/etc/profile-a-l/i3.profile b/etc/profile-a-l/i3.profile
index c1ca0e413..e96b1843c 100644
--- a/etc/profile-a-l/i3.profile
+++ b/etc/profile-a-l/i3.profile
@@ -6,7 +6,7 @@ include i3.local
 # Persistent global definitions
 include globals.local
 
-# all applications started in awesome will run in this profile
+# all applications started in i3 will run in this profile
 noblacklist ${HOME}/.config/i3
 include disable-common.inc
 
diff --git a/etc/profile-a-l/iridium-browser.profile b/etc/profile-a-l/iridium-browser.profile
index c7ee64d56..e83a1132d 100644
--- a/etc/profile-a-l/iridium-browser.profile
+++ b/etc/profile-a-l/iridium-browser.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for iridium
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include iridium-browser.local
+
 # Redirect
 include iridium.profile
diff --git a/etc/profile-a-l/kalgebramobile.profile b/etc/profile-a-l/kalgebramobile.profile
index d2394fe20..c7bd9c105 100644
--- a/etc/profile-a-l/kalgebramobile.profile
+++ b/etc/profile-a-l/kalgebramobile.profile
@@ -1,5 +1,8 @@
 # Firejail profile for kalgebramobile
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include kalgebramobile.local
+
 # Redirect
 include kalgebra.profile
diff --git a/etc/profile-a-l/karbon.profile b/etc/profile-a-l/karbon.profile
index d54d6d3d0..54d029c1a 100644
--- a/etc/profile-a-l/karbon.profile
+++ b/etc/profile-a-l/karbon.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for krita
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include karbon.local
+
 noblacklist ${HOME}/.local/share/kxmlgui5/karbon
 
 # Redirect
diff --git a/etc/profile-a-l/kdiff3.profile b/etc/profile-a-l/kdiff3.profile
new file mode 100644
index 000000000..8290e07f2
--- /dev/null
+++ b/etc/profile-a-l/kdiff3.profile
@@ -0,0 +1,52 @@
+# Firejail profile for kdiff3
+# Description: KDiff3 is a file and folder diff and merge tool.
+# This file is overwritten after every install/update
+# Persistent local customizations
+include kdiff3.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/kdiff3fileitemactionrc
+noblacklist ${HOME}/.config/kdiff3rc
+
+# Uncomment the next line (or put it into your kdiff3.local) if you don't need to compare files in disable-common.inc.
+#include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+# Uncomment the next line (or put it into your kdiff3.local) if you don't need to compare files in disable-programs.inc.
+#include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+           
+include whitelist-runuser-common.inc
+# Uncomment the next lines (or put it into your kdiff3.local) if you don't need to compare files in /usr/share.
+#include whitelist-usr-share-common.inc
+# Uncomment the next line (or put it into your kdiff3.local) if you don't need to compare files in /var.
+#include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+disable-mnt
+private-bin  kdiff3
+private-cache
+private-dev
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/keepass2.profile b/etc/profile-a-l/keepass2.profile
index aef236ccc..97fe987dd 100644
--- a/etc/profile-a-l/keepass2.profile
+++ b/etc/profile-a-l/keepass2.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for keepass
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include keepass2.local
+
 # Redirect
 include keepass.profile
diff --git a/etc/profile-a-l/keepassx2.profile b/etc/profile-a-l/keepassx2.profile
index fdd27e9f9..ed3d6701a 100644
--- a/etc/profile-a-l/keepassx2.profile
+++ b/etc/profile-a-l/keepassx2.profile
@@ -2,5 +2,8 @@
 # Description: Cross platform password manager
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include keepassx2.local
+
 # Redirects
 include keepassx.profile
diff --git a/etc/profile-a-l/keepassxc.profile b/etc/profile-a-l/keepassxc.profile
index 58db056b2..a3a1b500a 100644
--- a/etc/profile-a-l/keepassxc.profile
+++ b/etc/profile-a-l/keepassxc.profile
@@ -54,7 +54,7 @@ notv
 nou2f
 novideo
 protocol unix,netlink
-seccomp
+seccomp !name_to_handle_at
 seccomp.block-secondary
 shell none
 tracelog
@@ -73,12 +73,11 @@ dbus-user.talk org.freedesktop.login1.Session
 dbus-user.talk org.gnome.ScreenSaver
 dbus-user.talk org.gnome.SessionManager
 dbus-user.talk org.gnome.SessionManager.Presence
-# Uncomment or add to your keepassxc.local to allow Notifications/Tray.
+# Uncomment or add to your keepassxc.local to allow Notifications.
 #dbus-user.talk org.freedesktop.Notifications
+# Uncomment or add to your keepassxc.local to allow Tray.
 #dbus-user.talk org.kde.StatusNotifierWatcher
-# These numbers seems to be not stable, see #3713. Play around with them.
-#dbus-user.own org.kde.StatusNotifierItem-2-2
-#dbus-user.own org.kde.StatusNotifierItem-10-2
+#dbus-user.own org.kde.*
 dbus-system none
 
 # Mutex is stored in /tmp by default, which is broken by private-tmp
diff --git a/etc/profile-a-l/klatexformula_cmdl.profile b/etc/profile-a-l/klatexformula_cmdl.profile
index 9137963c4..d599a80d0 100644
--- a/etc/profile-a-l/klatexformula_cmdl.profile
+++ b/etc/profile-a-l/klatexformula_cmdl.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for klatexformula_cmdl
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include klatexformula_cmdl.local
+
 # Redirect
 include klatexformula.profile
diff --git a/etc/profile-a-l/krunner.profile b/etc/profile-a-l/krunner.profile
index c64113c15..9cb5eff87 100644
--- a/etc/profile-a-l/krunner.profile
+++ b/etc/profile-a-l/krunner.profile
@@ -6,9 +6,9 @@ include krunner.local
 # Persistent global definitions
 include globals.local
 
-# - programs started in krunner run with this generic profile.
+# - programs started in krunner run with this generic profile
 # - when a file is opened in krunner, the file viewer runs in its own sandbox
-#   with its own profile, if it is sandboxed automatically.
+#   with its own profile, if it is sandboxed automatically
 
 # noblacklist ${HOME}/.cache/krunner
 # noblacklist ${HOME}/.cache/krunnerbookmarkrunnerfirefoxdbfile.sqlite*
diff --git a/etc/profile-a-l/lbunzip2.profile b/etc/profile-a-l/lbunzip2.profile
index 338d8c8bb..822383ff4 100644
--- a/etc/profile-a-l/lbunzip2.profile
+++ b/etc/profile-a-l/lbunzip2.profile
@@ -2,5 +2,8 @@
 # Description: GNU compression utilities
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include lbunzip2.local
+
 # Redirect
 include gzip.profile
diff --git a/etc/profile-a-l/lbzcat.profile b/etc/profile-a-l/lbzcat.profile
index 338d8c8bb..fe8badb58 100644
--- a/etc/profile-a-l/lbzcat.profile
+++ b/etc/profile-a-l/lbzcat.profile
@@ -2,5 +2,8 @@
 # Description: GNU compression utilities
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include lbzcat.local
+
 # Redirect
 include gzip.profile
diff --git a/etc/profile-a-l/lbzip2.profile b/etc/profile-a-l/lbzip2.profile
index 338d8c8bb..3f986fa44 100644
--- a/etc/profile-a-l/lbzip2.profile
+++ b/etc/profile-a-l/lbzip2.profile
@@ -2,5 +2,8 @@
 # Description: GNU compression utilities
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include lbzip2.local
+
 # Redirect
 include gzip.profile
diff --git a/etc/profile-a-l/librewolf.profile b/etc/profile-a-l/librewolf.profile
new file mode 100644
index 000000000..5208cb979
--- /dev/null
+++ b/etc/profile-a-l/librewolf.profile
@@ -0,0 +1,28 @@
+# Firejail profile for Librewolf
+# Description: Firefox fork based on privacy
+# This file is overwritten after every install/update
+# Persistent local customizations
+include librewolf.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/librewolf
+noblacklist ${HOME}/.librewolf
+
+mkdir ${HOME}/.cache/librewolf
+mkdir ${HOME}/.librewolf
+whitelist ${HOME}/.cache/librewolf
+whitelist ${HOME}/.librewolf
+
+# Uncomment (or add to librewolf.local) the following lines if you want to
+# use the migration wizard.
+#noblacklist ${HOME}/.mozilla
+#whitelist ${HOME}/.mozilla
+
+# librewolf requires a shell to launch on Arch. We can possibly remove sh though.
+#private-bin bash,dbus-launch,dbus-send,env,librewolf,python*,sh,which
+# private-etc must first be enabled in firefox-common.profile
+#private-etc librewolf
+
+# Redirect
+include firefox-common.profile
diff --git a/etc/profile-a-l/liferea.profile b/etc/profile-a-l/liferea.profile
index 7cfd4fc10..a122e9bbc 100644
--- a/etc/profile-a-l/liferea.profile
+++ b/etc/profile-a-l/liferea.profile
@@ -42,7 +42,7 @@ noroot
 # nosound
 notv
 nou2f
-# novideo
+novideo
 protocol unix,inet,inet6
 seccomp
 shell none
@@ -51,3 +51,12 @@ tracelog
 disable-mnt
 private-dev
 private-tmp
+
+dbus-user filter
+dbus-user.own net.sourceforge.liferea
+dbus-user.talk ca.desrt.dconf
+# Uncomment the below if you use the 'Popup Notifications' plugin or add 'dbus-user.talk org.freedesktop.Notifications' to your liferea.local
+#dbus-user.talk org.freedesktop.Notifications
+# Uncomment the below if you use the 'Libsecret Support' plugin or add 'dbus-user.talk org.freedesktop.secrets' to your liferea.local
+#dbus-user.talk org.freedesktop.secrets
+dbus-system none
diff --git a/etc/profile-a-l/links.profile b/etc/profile-a-l/links.profile
index b2f94d3cf..ccc77f274 100644
--- a/etc/profile-a-l/links.profile
+++ b/etc/profile-a-l/links.profile
@@ -1,6 +1,7 @@
 # Firejail profile for links
 # Description: Text WWW browser
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include links.local
 # Persistent global definitions
diff --git a/etc/profile-a-l/lobase.profile b/etc/profile-a-l/lobase.profile
index 8348a57fe..51d76cae7 100644
--- a/etc/profile-a-l/lobase.profile
+++ b/etc/profile-a-l/lobase.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for libreoffice
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include lobase.local
+
 # Redirect
 include libreoffice.profile
diff --git a/etc/profile-a-l/localc.profile b/etc/profile-a-l/localc.profile
index 8348a57fe..df48a320c 100644
--- a/etc/profile-a-l/localc.profile
+++ b/etc/profile-a-l/localc.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for libreoffice
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include localc.local
+
 # Redirect
 include libreoffice.profile
diff --git a/etc/profile-a-l/lodraw.profile b/etc/profile-a-l/lodraw.profile
index 8348a57fe..bf5c8c456 100644
--- a/etc/profile-a-l/lodraw.profile
+++ b/etc/profile-a-l/lodraw.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for libreoffice
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include lodraw.local
+
 # Redirect
 include libreoffice.profile
diff --git a/etc/profile-a-l/loffice.profile b/etc/profile-a-l/loffice.profile
index 8348a57fe..5fbfdf443 100644
--- a/etc/profile-a-l/loffice.profile
+++ b/etc/profile-a-l/loffice.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for libreoffice
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include loffice.local
+
 # Redirect
 include libreoffice.profile
diff --git a/etc/profile-a-l/lofromtemplate.profile b/etc/profile-a-l/lofromtemplate.profile
index 8348a57fe..3decca6a8 100644
--- a/etc/profile-a-l/lofromtemplate.profile
+++ b/etc/profile-a-l/lofromtemplate.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for libreoffice
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include lofromtemplate.local
+
 # Redirect
 include libreoffice.profile
diff --git a/etc/profile-a-l/loimpress.profile b/etc/profile-a-l/loimpress.profile
index 8348a57fe..cc812d9a4 100644
--- a/etc/profile-a-l/loimpress.profile
+++ b/etc/profile-a-l/loimpress.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for libreoffice
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include loimpress.local
+
 # Redirect
 include libreoffice.profile
diff --git a/etc/profile-a-l/lomath.profile b/etc/profile-a-l/lomath.profile
index 8348a57fe..20c316568 100644
--- a/etc/profile-a-l/lomath.profile
+++ b/etc/profile-a-l/lomath.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for libreoffice
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include lomath.local
+
 # Redirect
 include libreoffice.profile
diff --git a/etc/profile-a-l/loweb.profile b/etc/profile-a-l/loweb.profile
index 8348a57fe..b44c545e8 100644
--- a/etc/profile-a-l/loweb.profile
+++ b/etc/profile-a-l/loweb.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for libreoffice
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include loweb.local
+
 # Redirect
 include libreoffice.profile
diff --git a/etc/profile-a-l/lowriter.profile b/etc/profile-a-l/lowriter.profile
index 8348a57fe..29f7cd89b 100644
--- a/etc/profile-a-l/lowriter.profile
+++ b/etc/profile-a-l/lowriter.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for libreoffice
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include lowriter.local
+
 # Redirect
 include libreoffice.profile
diff --git a/etc/profile-a-l/lsar.profile b/etc/profile-a-l/lsar.profile
new file mode 100644
index 000000000..faf5bb7f9
--- /dev/null
+++ b/etc/profile-a-l/lsar.profile
@@ -0,0 +1,13 @@
+# Firejail profile for lsar
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include lsar.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+private-bin lsar
+
+# Redirect
+include ar.profile
diff --git a/etc/profile-a-l/lynx.profile b/etc/profile-a-l/lynx.profile
index dbd0a61e5..76a0e7ed0 100644
--- a/etc/profile-a-l/lynx.profile
+++ b/etc/profile-a-l/lynx.profile
@@ -1,6 +1,7 @@
 # Firejail profile for lynx
 # Description: Classic non-graphical (text-mode) web browser
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include lynx.local
 # Persistent global definitions
diff --git a/etc/profile-a-l/lzcat.profile b/etc/profile-a-l/lzcat.profile
index d9c72407f..5370b0c0a 100644
--- a/etc/profile-a-l/lzcat.profile
+++ b/etc/profile-a-l/lzcat.profile
@@ -3,5 +3,8 @@
 # This file is overwritten after every install/update
 quiet
 
+# Persistent local customizations
+include lzcat.local
+
 # Redirect
 include cpio.profile
diff --git a/etc/profile-a-l/lzcmp.profile b/etc/profile-a-l/lzcmp.profile
index d9c72407f..2d963268e 100644
--- a/etc/profile-a-l/lzcmp.profile
+++ b/etc/profile-a-l/lzcmp.profile
@@ -3,5 +3,8 @@
 # This file is overwritten after every install/update
 quiet
 
+# Persistent local customizations
+include lzcmp.local
+
 # Redirect
 include cpio.profile
diff --git a/etc/profile-a-l/lzdiff.profile b/etc/profile-a-l/lzdiff.profile
index f7410b928..9baf94992 100644
--- a/etc/profile-a-l/lzdiff.profile
+++ b/etc/profile-a-l/lzdiff.profile
@@ -2,5 +2,8 @@
 # Description: Library and command line tools for XZ and LZMA compressed files
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include lzdiff.local
+
 # Redirect
 include cpio.profile
diff --git a/etc/profile-a-l/lzegrep.profile b/etc/profile-a-l/lzegrep.profile
index d9c72407f..7ca4615c4 100644
--- a/etc/profile-a-l/lzegrep.profile
+++ b/etc/profile-a-l/lzegrep.profile
@@ -3,5 +3,8 @@
 # This file is overwritten after every install/update
 quiet
 
+# Persistent local customizations
+include lzegrep.local
+
 # Redirect
 include cpio.profile
diff --git a/etc/profile-a-l/lzfgrep.profile b/etc/profile-a-l/lzfgrep.profile
index d9c72407f..8d2e498fb 100644
--- a/etc/profile-a-l/lzfgrep.profile
+++ b/etc/profile-a-l/lzfgrep.profile
@@ -3,5 +3,8 @@
 # This file is overwritten after every install/update
 quiet
 
+# Persistent local customizations
+include lzfgrep.local
+
 # Redirect
 include cpio.profile
diff --git a/etc/profile-a-l/lzgrep.profile b/etc/profile-a-l/lzgrep.profile
index d9c72407f..b66b2fb17 100644
--- a/etc/profile-a-l/lzgrep.profile
+++ b/etc/profile-a-l/lzgrep.profile
@@ -3,5 +3,8 @@
 # This file is overwritten after every install/update
 quiet
 
+# Persistent local customizations
+include lzgrep.local
+
 # Redirect
 include cpio.profile
diff --git a/etc/profile-a-l/lzip.profile b/etc/profile-a-l/lzip.profile
index d9c72407f..a7341b012 100644
--- a/etc/profile-a-l/lzip.profile
+++ b/etc/profile-a-l/lzip.profile
@@ -3,5 +3,8 @@
 # This file is overwritten after every install/update
 quiet
 
+# Persistent local customizations
+include lzip.local
+
 # Redirect
 include cpio.profile
diff --git a/etc/profile-a-l/lzless.profile b/etc/profile-a-l/lzless.profile
index d9c72407f..5730a332f 100644
--- a/etc/profile-a-l/lzless.profile
+++ b/etc/profile-a-l/lzless.profile
@@ -3,5 +3,8 @@
 # This file is overwritten after every install/update
 quiet
 
+# Persistent local customizations
+include lzless.local
+
 # Redirect
 include cpio.profile
diff --git a/etc/profile-a-l/lzma.profile b/etc/profile-a-l/lzma.profile
index d9c72407f..051dbe546 100644
--- a/etc/profile-a-l/lzma.profile
+++ b/etc/profile-a-l/lzma.profile
@@ -3,5 +3,8 @@
 # This file is overwritten after every install/update
 quiet
 
+# Persistent local customizations
+include lzma.local
+
 # Redirect
 include cpio.profile
diff --git a/etc/profile-a-l/lzmadec.profile b/etc/profile-a-l/lzmadec.profile
index 0c5ec1b09..b82ce69ae 100644
--- a/etc/profile-a-l/lzmadec.profile
+++ b/etc/profile-a-l/lzmadec.profile
@@ -2,5 +2,8 @@
 # Description: Library and command line tools for XZ and LZMA compressed files
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include lzmadec.local
+
 # Redirect
 include xzdec.profile
diff --git a/etc/profile-a-l/lzmainfo.profile b/etc/profile-a-l/lzmainfo.profile
index d9c72407f..0ab98429e 100644
--- a/etc/profile-a-l/lzmainfo.profile
+++ b/etc/profile-a-l/lzmainfo.profile
@@ -3,5 +3,8 @@
 # This file is overwritten after every install/update
 quiet
 
+# Persistent local customizations
+include lzmainfo.local
+
 # Redirect
 include cpio.profile
diff --git a/etc/profile-a-l/lzmore.profile b/etc/profile-a-l/lzmore.profile
index d9c72407f..df1867da0 100644
--- a/etc/profile-a-l/lzmore.profile
+++ b/etc/profile-a-l/lzmore.profile
@@ -3,5 +3,8 @@
 # This file is overwritten after every install/update
 quiet
 
+# Persistent local customizations
+include lzmore.local
+
 # Redirect
 include cpio.profile
diff --git a/etc/profile-m-z/Maps.profile b/etc/profile-m-z/Maps.profile
index c52d2f2da..109ce6859 100644
--- a/etc/profile-m-z/Maps.profile
+++ b/etc/profile-m-z/Maps.profile
@@ -1,6 +1,9 @@
 # Firejail profile for gnome-maps
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include Maps.local
+
 # Temporary fix for https://github.com/netblue30/firejail/issues/2624
 # Redirect
 include gnome-maps.profile
diff --git a/etc/profile-m-z/Natron.profile b/etc/profile-m-z/Natron.profile
index 42c22bf67..7923d01a7 100644
--- a/etc/profile-m-z/Natron.profile
+++ b/etc/profile-m-z/Natron.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for natron
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include Natron.local
+
 # Redirect
 include natron.profile
diff --git a/etc/profile-m-z/Screenshot.profile b/etc/profile-m-z/Screenshot.profile
index d4b083736..787ce8494 100644
--- a/etc/profile-m-z/Screenshot.profile
+++ b/etc/profile-m-z/Screenshot.profile
@@ -1,6 +1,9 @@
 # Firejail profile for gnome-screenshot
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include Screenshot.local
+
 # Temporary fix for https://github.com/netblue30/firejail/issues/2624
 # Redirect
 include gnome-screenshot.profile
diff --git a/etc/profile-m-z/Telegram.profile b/etc/profile-m-z/Telegram.profile
index 310e0237e..7600b1aa6 100644
--- a/etc/profile-m-z/Telegram.profile
+++ b/etc/profile-m-z/Telegram.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for telegram
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include Telegram.local
+
 # Redirect
 include telegram.profile
diff --git a/etc/profile-m-z/VirtualBox.profile b/etc/profile-m-z/VirtualBox.profile
index 4c99ae9a3..4384b7647 100644
--- a/etc/profile-m-z/VirtualBox.profile
+++ b/etc/profile-m-z/VirtualBox.profile
@@ -2,5 +2,8 @@
 # Description: x86 virtualization solution
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include VirtualBox.local
+
 # Redirect
 include virtualbox.profile
diff --git a/etc/profile-m-z/marker.profile b/etc/profile-m-z/marker.profile
new file mode 100644
index 000000000..55865fe72
--- /dev/null
+++ b/etc/profile-m-z/marker.profile
@@ -0,0 +1,59 @@
+# Firejail profile for marker
+# Description: Marker is a markdown editor for Linux made with Gtk+-3.0
+# This file is overwritten after every install/update
+# Persistent local customizations
+include marker.local
+# Persistent global definitions
+include globals.local
+
+# Uncomment (or add to your marker.local) if you need internet access.
+#ignore net none
+#protocol unix,inet,inet6
+#private-etc ca-certificates,ssl,pki,crypto-policies,nsswitch.conf,resolv.conf
+
+noblacklist ${HOME}/.cache/marker
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+whitelist /usr/share/com.github.fabiocolacio.marker
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+private-bin marker
+private-cache
+private-dev
+private-etc alternatives,dconfgtk-3.0,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,pango,X11
+private-tmp
+
+dbus-user filter
+dbus-user.own com.github.fabiocolacio.marker
+dbus-user.talk ca.desrt.dconf
+dbus-system none
diff --git a/etc/profile-m-z/mate-calculator.profile b/etc/profile-m-z/mate-calculator.profile
index bb438f5f0..e8320df63 100644
--- a/etc/profile-m-z/mate-calculator.profile
+++ b/etc/profile-m-z/mate-calculator.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for mate-calc
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include mate-calculator.local
+
 # Redirect
 include mate-calc.profile
diff --git a/etc/profile-m-z/mathematica.profile b/etc/profile-m-z/mathematica.profile
index 964060350..cee16eedc 100644
--- a/etc/profile-m-z/mathematica.profile
+++ b/etc/profile-m-z/mathematica.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for Mathematica
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include mathematica.local
+
 # Redirect
 include Mathematica.profile
diff --git a/etc/profile-m-z/matrix-mirage.profile b/etc/profile-m-z/matrix-mirage.profile
new file mode 100644
index 000000000..b3080df88
--- /dev/null
+++ b/etc/profile-m-z/matrix-mirage.profile
@@ -0,0 +1,24 @@
+# Firejail profile for matrix-mirage
+# Description: Debian name for mirage binary/package
+# This file is overwritten after every install/update
+# Persistent local customizations
+include matrix-mirage.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.cache/matrix-mirage
+noblacklist ${HOME}/.config/matrix-mirage
+noblacklist ${HOME}/.local/share/matrix-mirage
+
+mkdir ${HOME}/.cache/matrix-mirage
+mkdir ${HOME}/.config/matrix-mirage
+mkdir ${HOME}/.local/share/matrix-mirage
+whitelist ${HOME}/.cache/matrix-mirage
+whitelist ${HOME}/.config/matrix-mirage
+whitelist ${HOME}/.local/share/matrix-mirage
+
+private-bin matrix-mirage
+
+# Redirect
+include mirage.profile
diff --git a/etc/profile-m-z/mattermost-desktop.profile b/etc/profile-m-z/mattermost-desktop.profile
index e4487c8aa..3c2bf4fa3 100644
--- a/etc/profile-m-z/mattermost-desktop.profile
+++ b/etc/profile-m-z/mattermost-desktop.profile
@@ -5,42 +5,25 @@ include mattermost-desktop.local
 # Persistent global definitions
 include globals.local
 
+# Disabled until someone reported positive feedback
+ignore apparmor
+ignore dbus-user none
+ignore dbus-system none
+
 noblacklist ${HOME}/.config/Mattermost
 
-include disable-common.inc
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-programs.inc
-include disable-passwdmgr.inc
 include disable-shell.inc
-include disable-xdg.inc
 
 mkdir ${HOME}/.config/Mattermost
-whitelist ${DOWNLOADS}
 whitelist ${HOME}/.config/Mattermost
-include whitelist-common.inc
-include whitelist-runuser-common.inc
-include whitelist-usr-share-common.inc
-include whitelist-var-common.inc
-
-caps.keep sys_admin,sys_chroot
-netfilter
-nodvd
-nogroups
-notv
-nou2f
-novideo
-shell none
 
-disable-mnt
-private-cache
-private-dev
 private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,nsswitch.conf,pki,resolv.conf,ssl
-private-tmp
 
 # Not tested
 #dbus-user filter
 #dbus-user.own com.mattermost.Desktop
 #dbus-user.talk org.freedesktop.Notifications
 #dbus-system none
+
+# Redirect
+include electron.profile
diff --git a/etc/profile-m-z/mdr.profile b/etc/profile-m-z/mdr.profile
new file mode 100644
index 000000000..fb97daa27
--- /dev/null
+++ b/etc/profile-m-z/mdr.profile
@@ -0,0 +1,55 @@
+# Firejail profile for mdr
+# Description: A standalone Markdown renderer for the terminal
+# Persistent local customizations
+include mdr.local
+# Persistent global definitions
+include globals.local
+
+blacklist ${RUNUSER}/wayland-*
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+whitelist ${DOWNLOADS}
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+hostname mdr
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+x11 none
+
+disable-mnt
+private-bin mdr
+private-cache
+private-dev
+private-etc none
+private-lib
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
diff --git a/etc/profile-m-z/megaglest_editor.profile b/etc/profile-m-z/megaglest_editor.profile
index 02aad8084..304285915 100644
--- a/etc/profile-m-z/megaglest_editor.profile
+++ b/etc/profile-m-z/megaglest_editor.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for megaglest
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include megaglest_editor.local
+
 # Redirect
 include megaglest.profile
diff --git a/etc/profile-m-z/microsoft-edge-dev.profile b/etc/profile-m-z/microsoft-edge-dev.profile
new file mode 100644
index 000000000..039cd36a8
--- /dev/null
+++ b/etc/profile-m-z/microsoft-edge-dev.profile
@@ -0,0 +1,20 @@
+# Firejail profile for Microsoft Edge Dev
+# Description: Web browser from Microsoft,dev channel
+# This file is overwritten after every install/update
+# Persistent local customizations
+include microsoft-edge-dev.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/microsoft-edge-dev
+noblacklist ${HOME}/.config/microsoft-edge-dev
+
+mkdir ${HOME}/.cache/microsoft-edge-dev
+mkdir ${HOME}/.config/microsoft-edge-dev
+whitelist ${HOME}/.cache/microsoft-edge-dev
+whitelist ${HOME}/.config/microsoft-edge-dev
+
+private-opt microsoft
+
+# Redirect
+include chromium-common.profile
diff --git a/etc/profile-m-z/microsoft-edge.profile b/etc/profile-m-z/microsoft-edge.profile
new file mode 100644
index 000000000..f427507d1
--- /dev/null
+++ b/etc/profile-m-z/microsoft-edge.profile
@@ -0,0 +1,11 @@
+# Firejail profile for Microsoft Edge
+# Description: Web browser from Microsoft
+# This file is overwritten after every install/update
+# Persistent local customizations
+include microsoft-edge.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include microsoft-edge-dev.profile
diff --git a/etc/profile-m-z/mirage.profile b/etc/profile-m-z/mirage.profile
index 55c11be29..7130267e8 100644
--- a/etc/profile-m-z/mirage.profile
+++ b/etc/profile-m-z/mirage.profile
@@ -9,6 +9,7 @@ include globals.local
 noblacklist ${HOME}/.cache/mirage
 noblacklist ${HOME}/.config/mirage
 noblacklist ${HOME}/.local/share/mirage
+noblacklist /sbin
 
 include allow-python2.inc
 include allow-python3.inc
@@ -49,7 +50,7 @@ shell none
 tracelog
 
 disable-mnt
-private-bin mirage
+private-bin ldconfig,mirage
 private-cache
 private-dev
 private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,mime.types,nsswitch.conf,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
diff --git a/etc/profile-m-z/mpv.profile b/etc/profile-m-z/mpv.profile
index 1d87eeb48..7111febc2 100644
--- a/etc/profile-m-z/mpv.profile
+++ b/etc/profile-m-z/mpv.profile
@@ -21,7 +21,7 @@ include globals.local
 #  - ...
 #
 # Often these scripts require a shell:
-#noblacklist ${PATH}/sh
+#include allow-bin-sh.inc
 #private-bin sh
 
 noblacklist ${HOME}/.config/mpv
diff --git a/etc/profile-m-z/multimc.profile b/etc/profile-m-z/multimc.profile
index 338f494c9..bd9e3adce 100644
--- a/etc/profile-m-z/multimc.profile
+++ b/etc/profile-m-z/multimc.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for multimc5
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include multimc.local
+
 # Redirect
 include multimc5.profile
diff --git a/etc/profile-m-z/mypaint-ora-thumbnailer.profile b/etc/profile-m-z/mypaint-ora-thumbnailer.profile
index 59b3024ed..66500048e 100644
--- a/etc/profile-m-z/mypaint-ora-thumbnailer.profile
+++ b/etc/profile-m-z/mypaint-ora-thumbnailer.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for mypaint-ora-thumbnailer
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include mypaint-ora-thumbnailer.local
+
 # Redirect
 include mypaint.profile
diff --git a/etc/profile-m-z/newsboat.profile b/etc/profile-m-z/newsboat.profile
index a7bac6286..85b780ced 100644
--- a/etc/profile-m-z/newsboat.profile
+++ b/etc/profile-m-z/newsboat.profile
@@ -38,10 +38,10 @@ seccomp
 shell none
 
 disable-mnt
-private-bin newsboat
+private-bin gzip,lynx,newsboat,sh
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,pki,resolv.conf,ssl,terminfo
+private-etc alternatives,ca-certificates,crypto-policies,lynx.cfg,lynx.lss,pki,resolv.conf,ssl,terminfo
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/nheko.profile b/etc/profile-m-z/nheko.profile
index 701098f4b..42e7e92fc 100644
--- a/etc/profile-m-z/nheko.profile
+++ b/etc/profile-m-z/nheko.profile
@@ -7,7 +7,7 @@ include nheko.local
 include globals.local
 
 noblacklist ${HOME}/.config/nheko
-noblacklist ${HOME}/.cache/nheko/nheko
+noblacklist ${HOME}/.cache/nheko
 
 include disable-common.inc
 include disable-devel.inc
@@ -16,14 +16,19 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
+include disable-xdg.inc
 
 mkdir ${HOME}/.config/nheko
 mkdir ${HOME}/.cache/nheko/nheko
 whitelist ${HOME}/.config/nheko
-whitelist ${HOME}/.cache/nheko/nheko
+whitelist ${HOME}/.cache/nheko
 whitelist ${DOWNLOADS}
 include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 netfilter
 nodvd
@@ -38,5 +43,14 @@ tracelog
 
 disable-mnt
 private-bin nheko
+private-cache
+private-dev
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,mime.types,nsswitch.conf,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
 private-tmp
 
+dbus-user none
+# Comment the above line and uncomment below lines for notification popups
+# dbus-user filter
+# dbus-user.talk org.freedesktop.Notifications
+# dbus-user.talk org.kde.StatusNotifierWatcher
+dbus-system none
diff --git a/etc/profile-m-z/nitroshare-cli.profile b/etc/profile-m-z/nitroshare-cli.profile
index d9cb2edc5..6e73afe9e 100644
--- a/etc/profile-m-z/nitroshare-cli.profile
+++ b/etc/profile-m-z/nitroshare-cli.profile
@@ -2,5 +2,8 @@
 # Description: Network File Transfer Application
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include nitroshare-cli.local
+
 # Redirect
 include nitroshare.profile
diff --git a/etc/profile-m-z/nitroshare-nmh.profile b/etc/profile-m-z/nitroshare-nmh.profile
index d9cb2edc5..bda2c193d 100644
--- a/etc/profile-m-z/nitroshare-nmh.profile
+++ b/etc/profile-m-z/nitroshare-nmh.profile
@@ -2,5 +2,8 @@
 # Description: Network File Transfer Application
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include nitroshare-nmh.local
+
 # Redirect
 include nitroshare.profile
diff --git a/etc/profile-m-z/nitroshare-send.profile b/etc/profile-m-z/nitroshare-send.profile
index d9cb2edc5..659742469 100644
--- a/etc/profile-m-z/nitroshare-send.profile
+++ b/etc/profile-m-z/nitroshare-send.profile
@@ -2,5 +2,8 @@
 # Description: Network File Transfer Application
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include nitroshare-send.local
+
 # Redirect
 include nitroshare.profile
diff --git a/etc/profile-m-z/nitroshare-ui.profile b/etc/profile-m-z/nitroshare-ui.profile
index d9cb2edc5..ccda2b58b 100644
--- a/etc/profile-m-z/nitroshare-ui.profile
+++ b/etc/profile-m-z/nitroshare-ui.profile
@@ -2,5 +2,8 @@
 # Description: Network File Transfer Application
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include nitroshare-ui.local
+
 # Redirect
 include nitroshare.profile
diff --git a/etc/profile-m-z/nodejs-common.profile b/etc/profile-m-z/nodejs-common.profile
new file mode 100644
index 000000000..c12fc9a78
--- /dev/null
+++ b/etc/profile-m-z/nodejs-common.profile
@@ -0,0 +1,52 @@
+# Firejail profile for Node.js
+# Description: Common profile for npm/yarn
+# This file is overwritten after every install/update
+# Persistent local customizations
+include nodejs-common.local
+# Persistent global definitions
+# added by caller profile
+#include globals.local
+
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}
+
+ignore noexec ${HOME}
+
+include allow-bin-sh.inc
+
+include disable-common.inc
+include disable-exec.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+seccomp.block-secondary
+shell none
+
+disable-mnt
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,login.defs,mime.types,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl,xdg
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/npm.profile b/etc/profile-m-z/npm.profile
new file mode 100644
index 000000000..e95e875be
--- /dev/null
+++ b/etc/profile-m-z/npm.profile
@@ -0,0 +1,29 @@
+# Firejail profile for npm
+# Description: The Node.js Package Manager
+quiet
+# This file is overwritten after every install/update
+# Persistent local customizations
+include npm.local
+# Persistent global definitions
+include globals.local
+
+ignore read-only ${HOME}/.npm-packages
+ignore read-only ${HOME}/.npmrc
+
+noblacklist ${HOME}/.node-gyp
+noblacklist ${HOME}/.npm
+noblacklist ${HOME}/.npmrc
+
+# If you want whitelisting, change ${HOME}/Projects below to your npm projects directory
+# and uncomment the lines below.
+#mkdir ${HOME}/.node-gyp
+#mkdir ${HOME}/.npm
+#mkfile ${HOME}/.npmrc
+#whitelist ${HOME}/.node-gyp
+#whitelist ${HOME}/.npm
+#whitelist ${HOME}/.npmrc
+#whitelist ${HOME}/Projects
+#include whitelist-common.inc
+
+# Redirect
+include nodejs-common.profile
diff --git a/etc/profile-m-z/ooffice.profile b/etc/profile-m-z/ooffice.profile
index 8348a57fe..ba8bdae01 100644
--- a/etc/profile-m-z/ooffice.profile
+++ b/etc/profile-m-z/ooffice.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for libreoffice
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include ooffice.local
+
 # Redirect
 include libreoffice.profile
diff --git a/etc/profile-m-z/ooviewdoc.profile b/etc/profile-m-z/ooviewdoc.profile
index 8348a57fe..4a9f434f7 100644
--- a/etc/profile-m-z/ooviewdoc.profile
+++ b/etc/profile-m-z/ooviewdoc.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for libreoffice
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include ooviewdoc.local
+
 # Redirect
 include libreoffice.profile
diff --git a/etc/profile-m-z/openarena_ded.profile b/etc/profile-m-z/openarena_ded.profile
index c529e7e11..f8dbf792d 100644
--- a/etc/profile-m-z/openarena_ded.profile
+++ b/etc/profile-m-z/openarena_ded.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for openarena
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include openarena_ded.local
+
 # Redirect
 include openarena.profile
diff --git a/etc/profile-m-z/openbox.profile b/etc/profile-m-z/openbox.profile
index 1fb93c79c..b49fd9932 100644
--- a/etc/profile-m-z/openbox.profile
+++ b/etc/profile-m-z/openbox.profile
@@ -6,7 +6,7 @@ include openbox.local
 # Persistent global definitions
 include globals.local
 
-# all applications started in OpenBox will run in this profile
+# all applications started in openbox will run in this profile
 noblacklist ${HOME}/.config/openbox
 include disable-common.inc
 
diff --git a/etc/profile-m-z/openoffice.org.profile b/etc/profile-m-z/openoffice.org.profile
index 8348a57fe..189867742 100644
--- a/etc/profile-m-z/openoffice.org.profile
+++ b/etc/profile-m-z/openoffice.org.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for libreoffice
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include openoffice.org.local
+
 # Redirect
 include libreoffice.profile
diff --git a/etc/profile-m-z/openshot-qt.profile b/etc/profile-m-z/openshot-qt.profile
index 2f886d2ac..833a375f6 100644
--- a/etc/profile-m-z/openshot-qt.profile
+++ b/etc/profile-m-z/openshot-qt.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for openshot
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include openshot-qt.local
+
 # Redirect
 include openshot.profile
diff --git a/etc/profile-m-z/openshot.profile b/etc/profile-m-z/openshot.profile
index e1839c724..ac960345a 100644
--- a/etc/profile-m-z/openshot.profile
+++ b/etc/profile-m-z/openshot.profile
@@ -19,6 +19,10 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
+whitelist /usr/share/blender
+whitelist /usr/share/inkscape
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
 apparmor
@@ -32,11 +36,14 @@ notv
 nou2f
 protocol unix,inet,inet6,netlink
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
+private-bin blender,inkscape,openshot,openshot-qt,python3*
+private-cache
 private-dev
 private-tmp
 
-dbus-user none
+dbus-user filter
 dbus-system none
diff --git a/etc/profile-m-z/pkglog.profile b/etc/profile-m-z/pkglog.profile
new file mode 100644
index 000000000..7d43dd08f
--- /dev/null
+++ b/etc/profile-m-z/pkglog.profile
@@ -0,0 +1,59 @@
+# Firejail profile for pklog
+# Description: Reports log of package updates
+# This file is overwritten after every install/update
+# Persistent local customizations
+include pkglog.local
+# Persistent global definitions
+include globals.local
+
+# Allow python3 (blacklisted by disable-interpreters.inc)
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+whitelist /var/log/apt/history.log
+whitelist /var/log/dnf.rpm.log
+whitelist /var/log/pacman.log
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private
+private-bin pkglog,python*
+private-cache
+private-dev
+private-etc alternatives
+private-opt none
+private-tmp
+writable-var-log
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
+read-only ${HOME}
+read-only /var/log/apt/history.log
+read-only /var/log/dnf.rpm.log
+read-only /var/log/pacman.log
diff --git a/etc/profile-m-z/plv.profile b/etc/profile-m-z/plv.profile
index 7ff59ea77..7f7ae4204 100644
--- a/etc/profile-m-z/plv.profile
+++ b/etc/profile-m-z/plv.profile
@@ -18,7 +18,7 @@ include disable-xdg.inc
 
 mkdir ${HOME}/.config/PacmanLogViewer
 whitelist ${HOME}/.config/PacmanLogViewer
-whitelist /var/log/pacman*
+whitelist /var/log/pacman.log
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-runuser-common.inc
@@ -57,3 +57,4 @@ dbus-system none
 #memory-deny-write-execute - breaks opening file-chooser
 read-only ${HOME}
 read-write ${HOME}/.config/PacmanLogViewer
+read-only /var/log/pacman.log
diff --git a/etc/profile-m-z/pycharm-professional.profile b/etc/profile-m-z/pycharm-professional.profile
index a14d0268b..72f9c2dc3 100644
--- a/etc/profile-m-z/pycharm-professional.profile
+++ b/etc/profile-m-z/pycharm-professional.profile
@@ -1,6 +1,9 @@
 # Firejail profilen alias for pycharm-professional
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include pyucharm-professional.local
+
 noblacklist ${HOME}/.PyCharm*
 
 # Redirect
diff --git a/etc/profile-m-z/pzstd.profile b/etc/profile-m-z/pzstd.profile
index ce9af3286..0c83e561c 100644
--- a/etc/profile-m-z/pzstd.profile
+++ b/etc/profile-m-z/pzstd.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for zstd
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include pzstd.local
+
 # Redirect
 include zstd.profile
diff --git a/etc/profile-m-z/qnapi.profile b/etc/profile-m-z/qnapi.profile
new file mode 100644
index 000000000..0d1f9c3de
--- /dev/null
+++ b/etc/profile-m-z/qnapi.profile
@@ -0,0 +1,55 @@
+# Firejail profile for qnapi
+# Description: Qt client for downloading movie subtitles from NapiProjekt, OpenSubtitles and Napisy24
+# This file is overwritten after every install/update
+# Persistent local customizations
+include qnapi.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/qnapi.ini
+
+ignore noexec /tmp
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkfile ${HOME}/.config/qnapi.ini
+whitelist ${HOME}/.config/qnapi.ini
+whitelist ${DOWNLOADS}
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-runuser-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+private-bin 7z,qnapi
+private-cache
+private-dev
+private-etc alternatives,fonts
+private-opt none
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/runenpass.sh.profile b/etc/profile-m-z/runenpass.sh.profile
index 64432c171..d4c4f9234 100644
--- a/etc/profile-m-z/runenpass.sh.profile
+++ b/etc/profile-m-z/runenpass.sh.profile
@@ -1,5 +1,8 @@
 # Firejail alias profile for enpass
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include runenpass.sh.local
+
 # Redirect
 include enpass.profile
diff --git a/etc/profile-m-z/seamonkey-bin.profile b/etc/profile-m-z/seamonkey-bin.profile
index 532294950..accb0a750 100644
--- a/etc/profile-m-z/seamonkey-bin.profile
+++ b/etc/profile-m-z/seamonkey-bin.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for seamonkey
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include seamonkey-bin.local
+
 # Redirect
 include seamonkey.profile
diff --git a/etc/profile-m-z/shotwell.profile b/etc/profile-m-z/shotwell.profile
new file mode 100644
index 000000000..749029530
--- /dev/null
+++ b/etc/profile-m-z/shotwell.profile
@@ -0,0 +1,60 @@
+# Firejail profile for shotwell
+# Description: A digital photo organizer designed for the GNOME desktop environment
+# This file is overwritten after every install/update
+# Persistent local customizations
+include shotwell.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/shotwell
+noblacklist ${HOME}/.local/share/shotwell
+
+noblacklist ${PICTURES}
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.cache/shotwell
+mkdir ${HOME}/.local/share/shotwell
+whitelist ${HOME}/.cache/shotwell
+whitelist ${HOME}/.local/share/shotwell
+whitelist ${PICTURES}
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-bin shotwell
+private-cache
+private-dev
+private-etc alternatives,fonts,machine-id
+private-opt none
+private-tmp
+
+dbus-user filter
+dbus-user.own org.gnome.Shotwell
+dbus-user.talk ca.desrt.dconf
+dbus-user.talk org.gtk.vfs.UDisks2VolumeMonitor
+dbus-system none
diff --git a/etc/profile-m-z/signal-desktop.profile b/etc/profile-m-z/signal-desktop.profile
index 08e1c1f03..666a37def 100644
--- a/etc/profile-m-z/signal-desktop.profile
+++ b/etc/profile-m-z/signal-desktop.profile
@@ -21,8 +21,6 @@ noblacklist ${HOME}/.mozilla
 whitelist ${HOME}/.mozilla/firefox/profiles.ini
 read-only ${HOME}/.mozilla/firefox/profiles.ini
 
-include disable-exec.inc
-
 mkdir ${HOME}/.config/Signal
 whitelist ${HOME}/.config/Signal
 
diff --git a/etc/profile-m-z/soffice.profile b/etc/profile-m-z/soffice.profile
index 8348a57fe..382030a9e 100644
--- a/etc/profile-m-z/soffice.profile
+++ b/etc/profile-m-z/soffice.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for libreoffice
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include soffice.local
+
 # Redirect
 include libreoffice.profile
diff --git a/etc/profile-m-z/spectral.profile b/etc/profile-m-z/spectral.profile
index 66e917432..093661d8c 100644
--- a/etc/profile-m-z/spectral.profile
+++ b/etc/profile-m-z/spectral.profile
@@ -50,4 +50,8 @@ private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,
 private-tmp
 
 dbus-user none
+# Comment the above line and uncomment below lines for notification popups
+# dbus-user filter
+# dbus-user.talk org.freedesktop.Notifications
+# dbus-user.talk org.kde.StatusNotifierWatcher
 dbus-system none
diff --git a/etc/profile-m-z/ssh.profile b/etc/profile-m-z/ssh.profile
index d873a5672..e3e2b4541 100644
--- a/etc/profile-m-z/ssh.profile
+++ b/etc/profile-m-z/ssh.profile
@@ -19,8 +19,8 @@ include disable-exec.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
-whitelist ${RUNUSER}/keyring/ssh
 whitelist ${RUNUSER}/gnupg/S.gpg-agent.ssh
+whitelist ${RUNUSER}/keyring/ssh
 include whitelist-usr-share-common.inc
 include whitelist-runuser-common.inc
 
diff --git a/etc/profile-m-z/steam-native.profile b/etc/profile-m-z/steam-native.profile
index 47608ad28..c7cec55c7 100644
--- a/etc/profile-m-z/steam-native.profile
+++ b/etc/profile-m-z/steam-native.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for steam
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include steam-native.local
+
 # Redirect
 include steam.profile
diff --git a/etc/profile-m-z/steam-runtime.profile b/etc/profile-m-z/steam-runtime.profile
index 47608ad28..d1cf6d7f0 100644
--- a/etc/profile-m-z/steam-runtime.profile
+++ b/etc/profile-m-z/steam-runtime.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for steam
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include steam-runtime.local
+
 # Redirect
 include steam.profile
diff --git a/etc/profile-m-z/steam.profile b/etc/profile-m-z/steam.profile
index 55078d993..758b37815 100644
--- a/etc/profile-m-z/steam.profile
+++ b/etc/profile-m-z/steam.profile
@@ -9,6 +9,7 @@ include globals.local
 noblacklist ${HOME}/.killingfloor
 noblacklist ${HOME}/.local/share/3909/PapersPlease
 noblacklist ${HOME}/.local/share/aspyr-media
+noblacklist ${HOME}/.local/share/bohemiainteractive
 noblacklist ${HOME}/.local/share/cdprojektred
 noblacklist ${HOME}/.local/share/FasterThanLight
 noblacklist ${HOME}/.local/share/feral-interactive
@@ -45,6 +46,7 @@ mkdir ${HOME}/.config/unity3d
 mkdir ${HOME}/.killingfloor
 mkdir ${HOME}/.local/share/3909/PapersPlease
 mkdir ${HOME}/.local/share/aspyr-media
+mkdir ${HOME}/.local/share/bohemiainteractive
 mkdir ${HOME}/.local/share/cdprojektred
 mkdir ${HOME}/.local/share/FasterThanLight
 mkdir ${HOME}/.local/share/feral-interactive
@@ -64,6 +66,7 @@ whitelist ${HOME}/.config/unity3d
 whitelist ${HOME}/.killingfloor
 whitelist ${HOME}/.local/share/3909/PapersPlease
 whitelist ${HOME}/.local/share/aspyr-media
+whitelist ${HOME}/.local/share/bohemiainteractive
 whitelist ${HOME}/.local/share/cdprojektred
 whitelist ${HOME}/.local/share/FasterThanLight
 whitelist ${HOME}/.local/share/feral-interactive
diff --git a/etc/profile-m-z/studio.sh.profile b/etc/profile-m-z/studio.sh.profile
index 79e879f36..d23de7c05 100644
--- a/etc/profile-m-z/studio.sh.profile
+++ b/etc/profile-m-z/studio.sh.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for Android Studio
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include studio.sh.local
+
 # Redirect
 include android-studio.profile
diff --git a/etc/profile-m-z/telegram-desktop.profile b/etc/profile-m-z/telegram-desktop.profile
index 0cfa7114b..bf3a1ca81 100644
--- a/etc/profile-m-z/telegram-desktop.profile
+++ b/etc/profile-m-z/telegram-desktop.profile
@@ -2,5 +2,8 @@
 # Description: Official Telegram Desktop client
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include tekegram-desktop.local
+
 # Redirect
 include telegram.profile
diff --git a/etc/profile-m-z/thunar.profile b/etc/profile-m-z/thunar.profile
index 19993016a..49492c88f 100644
--- a/etc/profile-m-z/thunar.profile
+++ b/etc/profile-m-z/thunar.profile
@@ -2,5 +2,8 @@
 # Description: Modern file manager for Xfce
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include thunar.local
+
 # Redirect
 include Thunar.profile
diff --git a/etc/profile-m-z/thunderbird-beta.profile b/etc/profile-m-z/thunderbird-beta.profile
index 6450e40d6..cec98ce12 100644
--- a/etc/profile-m-z/thunderbird-beta.profile
+++ b/etc/profile-m-z/thunderbird-beta.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for thunderbird-beta
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include thunderbird-beta.local
+
 private-opt thunderbird-beta
 
 # Redirect
diff --git a/etc/profile-m-z/tor-browser-ar.profile b/etc/profile-m-z/tor-browser-ar.profile
index 612b2d01b..7254d20fb 100644
--- a/etc/profile-m-z/tor-browser-ar.profile
+++ b/etc/profile-m-z/tor-browser-ar.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
 
+# Persistent global definitions
+include tor-browser-ar.local
+
 noblacklist ${HOME}/.tor-browser-ar
 
 mkdir ${HOME}/.tor-browser-ar
diff --git a/etc/profile-m-z/tor-browser-ca.profile b/etc/profile-m-z/tor-browser-ca.profile
index db70a7109..bf6bfc9f6 100644
--- a/etc/profile-m-z/tor-browser-ca.profile
+++ b/etc/profile-m-z/tor-browser-ca.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
 
+# Persistent global definitions
+include tor-browser-ca.local
+
 noblacklist ${HOME}/.tor-browser-ca
 
 mkdir ${HOME}/.tor-browser-ca
diff --git a/etc/profile-m-z/tor-browser-cs.profile b/etc/profile-m-z/tor-browser-cs.profile
index 77b271b68..caf8f32c7 100644
--- a/etc/profile-m-z/tor-browser-cs.profile
+++ b/etc/profile-m-z/tor-browser-cs.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
 
+# Persistent global definitions
+include tor-browser-cs.local
+
 noblacklist ${HOME}/.tor-browser-cs
 
 mkdir ${HOME}/.tor-browser-cs
diff --git a/etc/profile-m-z/tor-browser-da.profile b/etc/profile-m-z/tor-browser-da.profile
index 3b9fff9a4..965036212 100644
--- a/etc/profile-m-z/tor-browser-da.profile
+++ b/etc/profile-m-z/tor-browser-da.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
 
+# Persistent global definitions
+include tor-browser-da.local
+
 noblacklist ${HOME}/.tor-browser-da
 
 mkdir ${HOME}/.tor-browser-da
diff --git a/etc/profile-m-z/tor-browser-de.profile b/etc/profile-m-z/tor-browser-de.profile
index 3b4f7f94f..913dc4771 100644
--- a/etc/profile-m-z/tor-browser-de.profile
+++ b/etc/profile-m-z/tor-browser-de.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
 
+# Persistent global definitions
+include tor-browser-de.local
+
 noblacklist ${HOME}/.tor-browser-de
 
 mkdir ${HOME}/.tor-browser-de
diff --git a/etc/profile-m-z/tor-browser-el.profile b/etc/profile-m-z/tor-browser-el.profile
index b978b6042..c0a3b64ad 100644
--- a/etc/profile-m-z/tor-browser-el.profile
+++ b/etc/profile-m-z/tor-browser-el.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
 
+# Persistent global definitions
+include tor-browser-el.local
+
 noblacklist ${HOME}/.tor-browser-el
 
 mkdir ${HOME}/.tor-browser-el
diff --git a/etc/profile-m-z/tor-browser-en-us.profile b/etc/profile-m-z/tor-browser-en-us.profile
index db56dda1b..662bc6b18 100644
--- a/etc/profile-m-z/tor-browser-en-us.profile
+++ b/etc/profile-m-z/tor-browser-en-us.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
 
+# Persistent global definitions
+include tor-browser-en-us.local
+
 noblacklist ${HOME}/.tor-browser-en-us
 
 mkdir ${HOME}/.tor-browser-en-us
diff --git a/etc/profile-m-z/tor-browser-en.profile b/etc/profile-m-z/tor-browser-en.profile
index ad4110c0e..1bbd88f91 100644
--- a/etc/profile-m-z/tor-browser-en.profile
+++ b/etc/profile-m-z/tor-browser-en.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
 
+# Persistent global definitions
+include tor-browser-en.local
+
 noblacklist ${HOME}/.tor-browser-en
 
 mkdir ${HOME}/.tor-browser-en
diff --git a/etc/profile-m-z/tor-browser-es-es.profile b/etc/profile-m-z/tor-browser-es-es.profile
index 1aa586658..ac5aa1247 100644
--- a/etc/profile-m-z/tor-browser-es-es.profile
+++ b/etc/profile-m-z/tor-browser-es-es.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
 
+# Persistent global definitions
+include tor-browser-es-es.local
+
 noblacklist ${HOME}/.tor-browser-es-es
 
 mkdir ${HOME}/.tor-browser-es-es
diff --git a/etc/profile-m-z/tor-browser-es.profile b/etc/profile-m-z/tor-browser-es.profile
index a386e3387..8ff12eedf 100644
--- a/etc/profile-m-z/tor-browser-es.profile
+++ b/etc/profile-m-z/tor-browser-es.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
 
+# Persistent global definitions
+include tor-browser-es.local
+
 noblacklist ${HOME}/.tor-browser-es
 
 mkdir ${HOME}/.tor-browser-es
diff --git a/etc/profile-m-z/tor-browser-fa.profile b/etc/profile-m-z/tor-browser-fa.profile
index 7f847a7c2..f897c5708 100644
--- a/etc/profile-m-z/tor-browser-fa.profile
+++ b/etc/profile-m-z/tor-browser-fa.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
 
+# Persistent global definitions
+include tor-browser-fa.local
+
 noblacklist ${HOME}/.tor-browser-fa
 
 mkdir ${HOME}/.tor-browser-fa
diff --git a/etc/profile-m-z/tor-browser-fr.profile b/etc/profile-m-z/tor-browser-fr.profile
index bce470ec8..f4dcd579e 100644
--- a/etc/profile-m-z/tor-browser-fr.profile
+++ b/etc/profile-m-z/tor-browser-fr.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
 
+# Persistent global definitions
+include tor-browser-fr.local
+
 noblacklist ${HOME}/.tor-browser-fr
 
 mkdir ${HOME}/.tor-browser-fr
diff --git a/etc/profile-m-z/tor-browser-ga-ie.profile b/etc/profile-m-z/tor-browser-ga-ie.profile
index 994897a87..6dddef637 100644
--- a/etc/profile-m-z/tor-browser-ga-ie.profile
+++ b/etc/profile-m-z/tor-browser-ga-ie.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
 
+# Persistent global definitions
+include tor-browser-ga-ie.local
+
 noblacklist ${HOME}/.tor-browser-ga-ie
 
 mkdir ${HOME}/.tor-browser-ga-ie
diff --git a/etc/profile-m-z/tor-browser-he.profile b/etc/profile-m-z/tor-browser-he.profile
index 6367b4c0a..c3e2dd11c 100644
--- a/etc/profile-m-z/tor-browser-he.profile
+++ b/etc/profile-m-z/tor-browser-he.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
 
+# Persistent global definitions
+include tor-browser-he.local
+
 noblacklist ${HOME}/.tor-browser-he
 
 mkdir ${HOME}/.tor-browser-he
diff --git a/etc/profile-m-z/tor-browser-hu.profile b/etc/profile-m-z/tor-browser-hu.profile
index 68e79833e..469db7374 100644
--- a/etc/profile-m-z/tor-browser-hu.profile
+++ b/etc/profile-m-z/tor-browser-hu.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
 
+# Persistent global definitions
+include tor-browser-hu.local
+
 noblacklist ${HOME}/.tor-browser-hu
 
 mkdir ${HOME}/.tor-browser-hu
diff --git a/etc/profile-m-z/tor-browser-id.profile b/etc/profile-m-z/tor-browser-id.profile
index 85b455ba2..db111c92c 100644
--- a/etc/profile-m-z/tor-browser-id.profile
+++ b/etc/profile-m-z/tor-browser-id.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
 
+# Persistent global definitions
+include tor-browser-id.local
+
 noblacklist ${HOME}/.tor-browser-id
 
 mkdir ${HOME}/.tor-browser-id
diff --git a/etc/profile-m-z/tor-browser-is.profile b/etc/profile-m-z/tor-browser-is.profile
index 48e88db71..32a8c9ca7 100644
--- a/etc/profile-m-z/tor-browser-is.profile
+++ b/etc/profile-m-z/tor-browser-is.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
 
+# Persistent global definitions
+include tor-browser-is.local
+
 noblacklist ${HOME}/.tor-browser-is
 
 mkdir ${HOME}/.tor-browser-is
diff --git a/etc/profile-m-z/tor-browser-it.profile b/etc/profile-m-z/tor-browser-it.profile
index 3c239ca29..d53dd9136 100644
--- a/etc/profile-m-z/tor-browser-it.profile
+++ b/etc/profile-m-z/tor-browser-it.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
 
+# Persistent global definitions
+include tor-browser-it.local
+
 noblacklist ${HOME}/.tor-browser-it
 
 mkdir ${HOME}/.tor-browser-it
diff --git a/etc/profile-m-z/tor-browser-ja.profile b/etc/profile-m-z/tor-browser-ja.profile
index c52e0f64e..8886d3ff0 100644
--- a/etc/profile-m-z/tor-browser-ja.profile
+++ b/etc/profile-m-z/tor-browser-ja.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
 
+# Persistent global definitions
+include tor-browser-ja.local
+
 noblacklist ${HOME}/.tor-browser-ja
 
 mkdir ${HOME}/.tor-browser-ja
diff --git a/etc/profile-m-z/tor-browser-ka.profile b/etc/profile-m-z/tor-browser-ka.profile
index 173b85e5c..d3d36c426 100644
--- a/etc/profile-m-z/tor-browser-ka.profile
+++ b/etc/profile-m-z/tor-browser-ka.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
 
+# Persistent global definitions
+include tor-browser-ka.local
+
 noblacklist ${HOME}/.tor-browser-ka
 
 mkdir ${HOME}/.tor-browser-ka
diff --git a/etc/profile-m-z/tor-browser-ko.profile b/etc/profile-m-z/tor-browser-ko.profile
index 8faa5afa1..59f9f966f 100644
--- a/etc/profile-m-z/tor-browser-ko.profile
+++ b/etc/profile-m-z/tor-browser-ko.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
 
+# Persistent global definitions
+include tor-browser-ko.local
+
 noblacklist ${HOME}/.tor-browser-ko
 
 mkdir ${HOME}/.tor-browser-ko
diff --git a/etc/profile-m-z/tor-browser-nb.profile b/etc/profile-m-z/tor-browser-nb.profile
index d1352dd80..c133ca673 100644
--- a/etc/profile-m-z/tor-browser-nb.profile
+++ b/etc/profile-m-z/tor-browser-nb.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
 
+# Persistent global definitions
+include tor-browser-nb.local
+
 noblacklist ${HOME}/.tor-browser-nb
 
 mkdir ${HOME}/.tor-browser-nb
diff --git a/etc/profile-m-z/tor-browser-nl.profile b/etc/profile-m-z/tor-browser-nl.profile
index d4443cca2..1bebc1ffb 100644
--- a/etc/profile-m-z/tor-browser-nl.profile
+++ b/etc/profile-m-z/tor-browser-nl.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
 
+# Persistent global definitions
+include tor-browser-nl.local
+
 noblacklist ${HOME}/.tor-browser-nl
 
 mkdir ${HOME}/.tor-browser-nl
diff --git a/etc/profile-m-z/tor-browser-pl.profile b/etc/profile-m-z/tor-browser-pl.profile
index 08ddd4ae7..a83c0b6f3 100644
--- a/etc/profile-m-z/tor-browser-pl.profile
+++ b/etc/profile-m-z/tor-browser-pl.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
 
+# Persistent global definitions
+include tor-browser-pl.local
+
 noblacklist ${HOME}/.tor-browser-pl
 
 mkdir ${HOME}/.tor-browser-pl
diff --git a/etc/profile-m-z/tor-browser-pt-br.profile b/etc/profile-m-z/tor-browser-pt-br.profile
index 9942a3fe8..7c0ba0879 100644
--- a/etc/profile-m-z/tor-browser-pt-br.profile
+++ b/etc/profile-m-z/tor-browser-pt-br.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
 
+# Persistent global definitions
+include tor-browser-pt-br.local
+
 noblacklist ${HOME}/.tor-browser-pt-br
 
 mkdir ${HOME}/.tor-browser-pt-br
diff --git a/etc/profile-m-z/tor-browser-ru.profile b/etc/profile-m-z/tor-browser-ru.profile
index 6294f8ca0..374caa4fe 100644
--- a/etc/profile-m-z/tor-browser-ru.profile
+++ b/etc/profile-m-z/tor-browser-ru.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
 
+# Persistent global definitions
+include tor-browser-ru.local
+
 noblacklist ${HOME}/.tor-browser-ru
 
 mkdir ${HOME}/.tor-browser-ru
diff --git a/etc/profile-m-z/tor-browser-sv-se.profile b/etc/profile-m-z/tor-browser-sv-se.profile
index c8544262f..41dbaf792 100644
--- a/etc/profile-m-z/tor-browser-sv-se.profile
+++ b/etc/profile-m-z/tor-browser-sv-se.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
 
+# Persistent global definitions
+include tor-browser-sv-se.local
+
 noblacklist ${HOME}/.tor-browser-sv-se
 
 mkdir ${HOME}/.tor-browser-sv-se
diff --git a/etc/profile-m-z/tor-browser-tr.profile b/etc/profile-m-z/tor-browser-tr.profile
index 2343fa8de..0981caa73 100644
--- a/etc/profile-m-z/tor-browser-tr.profile
+++ b/etc/profile-m-z/tor-browser-tr.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
 
+# Persistent global definitions
+include tor-browser-tr.local
+
 noblacklist ${HOME}/.tor-browser-tr
 
 mkdir ${HOME}/.tor-browser-tr
diff --git a/etc/profile-m-z/tor-browser-vi.profile b/etc/profile-m-z/tor-browser-vi.profile
index 734c38698..3d321787a 100644
--- a/etc/profile-m-z/tor-browser-vi.profile
+++ b/etc/profile-m-z/tor-browser-vi.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
 
+# Persistent global definitions
+include tor-browser-vi.local
+
 noblacklist ${HOME}/.tor-browser-vi
 
 mkdir ${HOME}/.tor-browser-vi
diff --git a/etc/profile-m-z/tor-browser-zh-cn.profile b/etc/profile-m-z/tor-browser-zh-cn.profile
index 21e813e45..977993f26 100644
--- a/etc/profile-m-z/tor-browser-zh-cn.profile
+++ b/etc/profile-m-z/tor-browser-zh-cn.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
 
+# Persistent global definitions
+include tor-browser-zh-cn.local
+
 noblacklist ${HOME}/.tor-browser-zh-cn
 
 mkdir ${HOME}/.tor-browser-zh-cn
diff --git a/etc/profile-m-z/tor-browser-zh-tw.profile b/etc/profile-m-z/tor-browser-zh-tw.profile
index 6fe09c6c1..e589dc552 100644
--- a/etc/profile-m-z/tor-browser-zh-tw.profile
+++ b/etc/profile-m-z/tor-browser-zh-tw.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
 
+# Persistent global definitions
+include tor-browser-zh-tw.local
+
 noblacklist ${HOME}/.tor-browser-zh-tw
 
 mkdir ${HOME}/.tor-browser-zh-tw
diff --git a/etc/profile-m-z/tor-browser.profile b/etc/profile-m-z/tor-browser.profile
index 0cd84abf5..f7c3a5d24 100644
--- a/etc/profile-m-z/tor-browser.profile
+++ b/etc/profile-m-z/tor-browser.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
 
+# Persistent global definitions
+include tor-browser.local
+
 noblacklist ${HOME}/.tor-browser
 
 mkdir ${HOME}/.tor-browser
diff --git a/etc/profile-m-z/tor-browser_ar.profile b/etc/profile-m-z/tor-browser_ar.profile
index 1e1f5ce35..86839a849 100644
--- a/etc/profile-m-z/tor-browser_ar.profile
+++ b/etc/profile-m-z/tor-browser_ar.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
 
+# Persistent global definitions
+include tor-browser_ar.local
+
 noblacklist ${HOME}/.tor-browser_ar
 
 mkdir ${HOME}/.tor-browser_ar
diff --git a/etc/profile-m-z/tor-browser_ca.profile b/etc/profile-m-z/tor-browser_ca.profile
index e114b6051..9d9fc8d31 100644
--- a/etc/profile-m-z/tor-browser_ca.profile
+++ b/etc/profile-m-z/tor-browser_ca.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
 
+# Persistent global definitions
+include tor-browser_ca.local
+
 noblacklist ${HOME}/.tor-browser_ca
 
 mkdir ${HOME}/.tor-browser_ca
diff --git a/etc/profile-m-z/tor-browser_cs.profile b/etc/profile-m-z/tor-browser_cs.profile
index 498068bc6..25d676537 100644
--- a/etc/profile-m-z/tor-browser_cs.profile
+++ b/etc/profile-m-z/tor-browser_cs.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
 
+# Persistent global definitions
+include tor-browser_cs.local
+
 noblacklist ${HOME}/.tor-browser_cs
 
 mkdir ${HOME}/.tor-browser_cs
diff --git a/etc/profile-m-z/tor-browser_da.profile b/etc/profile-m-z/tor-browser_da.profile
index 5c25c03c8..885a00979 100644
--- a/etc/profile-m-z/tor-browser_da.profile
+++ b/etc/profile-m-z/tor-browser_da.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
 
+# Persistent global definitions
+include tor-browser_da.local
+
 noblacklist ${HOME}/.tor-browser_da
 
 mkdir ${HOME}/.tor-browser_da
diff --git a/etc/profile-m-z/tor-browser_de.profile b/etc/profile-m-z/tor-browser_de.profile
index d530e7dbe..505161073 100644
--- a/etc/profile-m-z/tor-browser_de.profile
+++ b/etc/profile-m-z/tor-browser_de.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
 
+# Persistent global definitions
+include tor-browser_de.local
+
 noblacklist ${HOME}/.tor-browser_de
 
 mkdir ${HOME}/.tor-browser_de
diff --git a/etc/profile-m-z/tor-browser_el.profile b/etc/profile-m-z/tor-browser_el.profile
index 67d5ab440..4efbbef4d 100644
--- a/etc/profile-m-z/tor-browser_el.profile
+++ b/etc/profile-m-z/tor-browser_el.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
 
+# Persistent global definitions
+include tor-browser_el.local
+
 noblacklist ${HOME}/.tor-browser_el
 
 mkdir ${HOME}/.tor-browser_el
diff --git a/etc/profile-m-z/tor-browser_en-US.profile b/etc/profile-m-z/tor-browser_en-US.profile
index b298ab2b8..faa6979be 100644
--- a/etc/profile-m-z/tor-browser_en-US.profile
+++ b/etc/profile-m-z/tor-browser_en-US.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
 
+# Persistent global definitions
+include tor-browser_en-US.local
+
 noblacklist ${HOME}/.tor-browser_en-US
 
 mkdir ${HOME}/.tor-browser_en-US
diff --git a/etc/profile-m-z/tor-browser_en.profile b/etc/profile-m-z/tor-browser_en.profile
index 6bb0616b1..579af4be1 100644
--- a/etc/profile-m-z/tor-browser_en.profile
+++ b/etc/profile-m-z/tor-browser_en.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
 
+# Persistent global definitions
+include tor-browser_en.local
+
 noblacklist ${HOME}/.tor-browser_en
 
 mkdir ${HOME}/.tor-browser_en
diff --git a/etc/profile-m-z/tor-browser_es-ES.profile b/etc/profile-m-z/tor-browser_es-ES.profile
index 78f57ffe5..7d2f28844 100644
--- a/etc/profile-m-z/tor-browser_es-ES.profile
+++ b/etc/profile-m-z/tor-browser_es-ES.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
 
+# Persistent global definitions
+include tor-browser_es-ES.local
+
 noblacklist ${HOME}/.tor-browser_es-ES
 
 mkdir ${HOME}/.tor-browser_es-ES
diff --git a/etc/profile-m-z/tor-browser_es.profile b/etc/profile-m-z/tor-browser_es.profile
index ea34a07c9..c3d5695ce 100644
--- a/etc/profile-m-z/tor-browser_es.profile
+++ b/etc/profile-m-z/tor-browser_es.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
 
+# Persistent global definitions
+include tor-browser_es.local
+
 noblacklist ${HOME}/.tor-browser_es
 
 mkdir ${HOME}/.tor-browser_es
diff --git a/etc/profile-m-z/tor-browser_fa.profile b/etc/profile-m-z/tor-browser_fa.profile
index fbc416ce5..5d2a81976 100644
--- a/etc/profile-m-z/tor-browser_fa.profile
+++ b/etc/profile-m-z/tor-browser_fa.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
 
+# Persistent global definitions
+include tor-browser_fa.local
+
 noblacklist ${HOME}/.tor-browser_fa
 
 mkdir ${HOME}/.tor-browser_fa
diff --git a/etc/profile-m-z/tor-browser_fr.profile b/etc/profile-m-z/tor-browser_fr.profile
index caea6db5b..10a1cd054 100644
--- a/etc/profile-m-z/tor-browser_fr.profile
+++ b/etc/profile-m-z/tor-browser_fr.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
 
+# Persistent global definitions
+include tor-browser_fr.local
+
 noblacklist ${HOME}/.tor-browser_fr
 
 mkdir ${HOME}/.tor-browser_fr
diff --git a/etc/profile-m-z/tor-browser_ga-IE.profile b/etc/profile-m-z/tor-browser_ga-IE.profile
index 6342daebf..c2f3e6f91 100644
--- a/etc/profile-m-z/tor-browser_ga-IE.profile
+++ b/etc/profile-m-z/tor-browser_ga-IE.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
 
+# Persistent global definitions
+include tor-browser_ga-IE.local
+
 noblacklist ${HOME}/.tor-browser_ga-IE
 
 mkdir ${HOME}/.tor-browser_ga-IE
diff --git a/etc/profile-m-z/tor-browser_he.profile b/etc/profile-m-z/tor-browser_he.profile
index cc4150620..2415a0ebd 100644
--- a/etc/profile-m-z/tor-browser_he.profile
+++ b/etc/profile-m-z/tor-browser_he.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
 
+# Persistent global definitions
+include tor-browser_he.local
+
 noblacklist ${HOME}/.tor-browser_he
 
 mkdir ${HOME}/.tor-browser_he
diff --git a/etc/profile-m-z/tor-browser_hu.profile b/etc/profile-m-z/tor-browser_hu.profile
index 952a0b68a..d356c2b74 100644
--- a/etc/profile-m-z/tor-browser_hu.profile
+++ b/etc/profile-m-z/tor-browser_hu.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
 
+# Persistent global definitions
+include tor-browser_hu.local
+
 noblacklist ${HOME}/.tor-browser_hu
 
 mkdir ${HOME}/.tor-browser_hu
diff --git a/etc/profile-m-z/tor-browser_id.profile b/etc/profile-m-z/tor-browser_id.profile
index a006b27c0..0551bef1c 100644
--- a/etc/profile-m-z/tor-browser_id.profile
+++ b/etc/profile-m-z/tor-browser_id.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
 
+# Persistent global definitions
+include tor-browser_id.local
+
 noblacklist ${HOME}/.tor-browser_id
 
 mkdir ${HOME}/.tor-browser_id
diff --git a/etc/profile-m-z/tor-browser_is.profile b/etc/profile-m-z/tor-browser_is.profile
index 038e0fabb..a9adf462d 100644
--- a/etc/profile-m-z/tor-browser_is.profile
+++ b/etc/profile-m-z/tor-browser_is.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
 
+# Persistent global definitions
+include tor-browser_is.local
+
 noblacklist ${HOME}/.tor-browser_is
 
 mkdir ${HOME}/.tor-browser_is
diff --git a/etc/profile-m-z/tor-browser_it.profile b/etc/profile-m-z/tor-browser_it.profile
index 3d2566994..2237e2267 100644
--- a/etc/profile-m-z/tor-browser_it.profile
+++ b/etc/profile-m-z/tor-browser_it.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
 
+# Persistent global definitions
+include tor-browser_it.local
+
 noblacklist ${HOME}/.tor-browser_it
 
 mkdir ${HOME}/.tor-browser_it
diff --git a/etc/profile-m-z/tor-browser_ja.profile b/etc/profile-m-z/tor-browser_ja.profile
index 08c942bcd..494af455a 100644
--- a/etc/profile-m-z/tor-browser_ja.profile
+++ b/etc/profile-m-z/tor-browser_ja.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
 
+# Persistent global definitions
+include tor-browser_ja.local
+
 noblacklist ${HOME}/.tor-browser_ja
 
 mkdir ${HOME}/.tor-browser_ja
diff --git a/etc/profile-m-z/tor-browser_ka.profile b/etc/profile-m-z/tor-browser_ka.profile
index 97664be4d..7a32fc6f7 100644
--- a/etc/profile-m-z/tor-browser_ka.profile
+++ b/etc/profile-m-z/tor-browser_ka.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
 
+# Persistent global definitions
+include tor-browser_ka.local
+
 noblacklist ${HOME}/.tor-browser_ka
 
 mkdir ${HOME}/.tor-browser_ka
diff --git a/etc/profile-m-z/tor-browser_ko.profile b/etc/profile-m-z/tor-browser_ko.profile
index 98cf1e3e1..b7725270f 100644
--- a/etc/profile-m-z/tor-browser_ko.profile
+++ b/etc/profile-m-z/tor-browser_ko.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
 
+# Persistent global definitions
+include tor-browser_ko.local
+
 noblacklist ${HOME}/.tor-browser_ko
 
 mkdir ${HOME}/.tor-browser_ko
diff --git a/etc/profile-m-z/tor-browser_nb.profile b/etc/profile-m-z/tor-browser_nb.profile
index 6df840573..b781e05a8 100644
--- a/etc/profile-m-z/tor-browser_nb.profile
+++ b/etc/profile-m-z/tor-browser_nb.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
 
+# Persistent global definitions
+include tor-browser_nb.local
+
 noblacklist ${HOME}/.tor-browser_nb
 
 mkdir ${HOME}/.tor-browser_nb
diff --git a/etc/profile-m-z/tor-browser_nl.profile b/etc/profile-m-z/tor-browser_nl.profile
index 3f545f888..67df58d8c 100644
--- a/etc/profile-m-z/tor-browser_nl.profile
+++ b/etc/profile-m-z/tor-browser_nl.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
 
+# Persistent global definitions
+include tor-browser_nl.local
+
 noblacklist ${HOME}/.tor-browser_nl
 
 mkdir ${HOME}/.tor-browser_nl
diff --git a/etc/profile-m-z/tor-browser_pl.profile b/etc/profile-m-z/tor-browser_pl.profile
index 4e04dc027..3caa90133 100644
--- a/etc/profile-m-z/tor-browser_pl.profile
+++ b/etc/profile-m-z/tor-browser_pl.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
 
+# Persistent global definitions
+include tor-browser_pl.local
+
 noblacklist ${HOME}/.tor-browser_pl
 
 mkdir ${HOME}/.tor-browser_pl
diff --git a/etc/profile-m-z/tor-browser_pt-BR.profile b/etc/profile-m-z/tor-browser_pt-BR.profile
index 7f864886c..01e8651d5 100644
--- a/etc/profile-m-z/tor-browser_pt-BR.profile
+++ b/etc/profile-m-z/tor-browser_pt-BR.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
 
+# Persistent global definitions
+include tor-browser_pt-BR.local
+
 noblacklist ${HOME}/.tor-browser_pt-BR
 
 mkdir ${HOME}/.tor-browser_pt-BR
diff --git a/etc/profile-m-z/tor-browser_ru.profile b/etc/profile-m-z/tor-browser_ru.profile
index 2fae6fbe7..fd6f2047d 100644
--- a/etc/profile-m-z/tor-browser_ru.profile
+++ b/etc/profile-m-z/tor-browser_ru.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
 
+# Persistent global definitions
+include tor-browser_ru.local
+
 noblacklist ${HOME}/.tor-browser_ru
 
 mkdir ${HOME}/.tor-browser_ru
diff --git a/etc/profile-m-z/tor-browser_sv-SE.profile b/etc/profile-m-z/tor-browser_sv-SE.profile
index 2157f8d2b..029f1edea 100644
--- a/etc/profile-m-z/tor-browser_sv-SE.profile
+++ b/etc/profile-m-z/tor-browser_sv-SE.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
 
+# Persistent global definitions
+include tor-browser_sv-SE.local
+
 noblacklist ${HOME}/.tor-browser_sv-SE
 
 mkdir ${HOME}/.tor-browser_sv-SE
diff --git a/etc/profile-m-z/tor-browser_tr.profile b/etc/profile-m-z/tor-browser_tr.profile
index 20ac246ca..7707e3454 100644
--- a/etc/profile-m-z/tor-browser_tr.profile
+++ b/etc/profile-m-z/tor-browser_tr.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
 
+# Persistent global definitions
+include tor-browser_tr.local
+
 noblacklist ${HOME}/.tor-browser_tr
 
 mkdir ${HOME}/.tor-browser_tr
diff --git a/etc/profile-m-z/tor-browser_vi.profile b/etc/profile-m-z/tor-browser_vi.profile
index 4faa06ff6..b277343dc 100644
--- a/etc/profile-m-z/tor-browser_vi.profile
+++ b/etc/profile-m-z/tor-browser_vi.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
 
+# Persistent global definitions
+include tor-browser_vi.local
+
 noblacklist ${HOME}/.tor-browser_vi
 
 mkdir ${HOME}/.tor-browser_vi
diff --git a/etc/profile-m-z/tor-browser_zh-CN.profile b/etc/profile-m-z/tor-browser_zh-CN.profile
index e4d8215e6..e614d00ae 100644
--- a/etc/profile-m-z/tor-browser_zh-CN.profile
+++ b/etc/profile-m-z/tor-browser_zh-CN.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
 
+# Persistent global definitions
+include tor-browser_zh-CN.local
+
 noblacklist ${HOME}/.tor-browser_zh-CN
 
 mkdir ${HOME}/.tor-browser_zh-CN
diff --git a/etc/profile-m-z/tor-browser_zh-TW.profile b/etc/profile-m-z/tor-browser_zh-TW.profile
index 8a28015a6..21c3445c9 100644
--- a/etc/profile-m-z/tor-browser_zh-TW.profile
+++ b/etc/profile-m-z/tor-browser_zh-TW.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
 
+# Persistent global definitions
+include tor-browser_zh-TW.local
+
 noblacklist ${HOME}/.tor-browser_zh-TW
 
 mkdir ${HOME}/.tor-browser_zh-TW
diff --git a/etc/profile-m-z/trojita.profile b/etc/profile-m-z/trojita.profile
index a8641af85..b82aadd13 100644
--- a/etc/profile-m-z/trojita.profile
+++ b/etc/profile-m-z/trojita.profile
@@ -57,7 +57,8 @@ private-dev
 private-etc alternatives,ca-certificates,crypto-policies,fonts,hostname,hosts,pki,resolv.conf,selinux,ssl,xdg
 private-tmp
 
-dbus-user none
+dbus-user filter
+dbus-user.talk org.freedesktop.secrets
 dbus-system none
 
 read-only ${HOME}/.mozilla/firefox/profiles.ini
diff --git a/etc/profile-m-z/tshark.profile b/etc/profile-m-z/tshark.profile
index a5cefb47a..af5442672 100644
--- a/etc/profile-m-z/tshark.profile
+++ b/etc/profile-m-z/tshark.profile
@@ -2,5 +2,8 @@
 # This file is overwritten after every install/update
 quiet
 
+# Persistent local customizations
+include tshark.local
+
 # Redirect
 include wireshark.profile
diff --git a/etc/profile-m-z/tutanota-desktop.profile b/etc/profile-m-z/tutanota-desktop.profile
new file mode 100644
index 000000000..d2cb0cc8a
--- /dev/null
+++ b/etc/profile-m-z/tutanota-desktop.profile
@@ -0,0 +1,31 @@
+# Firejail profile for tutanota-desktop
+# Description: Encrypted email client
+# This file is overwritten after every install/update
+# Persistent local customizations
+include tutanota-desktop.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/tuta_integration
+noblacklist ${HOME}/.config/tutanota-desktop
+
+ignore noexec /tmp
+
+include disable-shell.inc
+
+mkdir ${HOME}/.config/tuta_integration
+mkdir ${HOME}/.config/tutanota-desktop
+whitelist ${HOME}/.config/tuta_integration
+whitelist ${HOME}/.config/tutanota-desktop
+
+# These lines are needed to allow Firefox to open links
+noblacklist ${HOME}/.mozilla
+whitelist ${HOME}/.mozilla/firefox/profiles.ini
+read-only ${HOME}/.mozilla/firefox/profiles.ini
+
+?HAS_APPIMAGE: ignore private-dev
+private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,nsswitch.conf,pki,resolv.conf,ssl
+private-opt tutanota-desktop
+
+# Redirect
+include electron.profile
diff --git a/etc/profile-m-z/unar.profile b/etc/profile-m-z/unar.profile
new file mode 100644
index 000000000..0226a7de8
--- /dev/null
+++ b/etc/profile-m-z/unar.profile
@@ -0,0 +1,13 @@
+# Firejail profile for unar
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include unar.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+private-bin unar
+
+# Redirect
+include ar.profile
diff --git a/etc/profile-m-z/unlzma.profile b/etc/profile-m-z/unlzma.profile
index d9c72407f..d7f187e5c 100644
--- a/etc/profile-m-z/unlzma.profile
+++ b/etc/profile-m-z/unlzma.profile
@@ -3,5 +3,8 @@
 # This file is overwritten after every install/update
 quiet
 
+# Persistent local customizations
+include unlzma.local
+
 # Redirect
 include cpio.profile
diff --git a/etc/profile-m-z/unxz.profile b/etc/profile-m-z/unxz.profile
index d9c72407f..d93fc3cb3 100644
--- a/etc/profile-m-z/unxz.profile
+++ b/etc/profile-m-z/unxz.profile
@@ -3,5 +3,8 @@
 # This file is overwritten after every install/update
 quiet
 
+# Persistent local customizations
+include unxz.local
+
 # Redirect
 include cpio.profile
diff --git a/etc/profile-m-z/unzstd.profile b/etc/profile-m-z/unzstd.profile
index ce9af3286..698301131 100644
--- a/etc/profile-m-z/unzstd.profile
+++ b/etc/profile-m-z/unzstd.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for zstd
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include unzstd.local
+
 # Redirect
 include zstd.profile
diff --git a/etc/profile-m-z/vmware.profile b/etc/profile-m-z/vmware.profile
index 493c53936..d841d50b7 100644
--- a/etc/profile-m-z/vmware.profile
+++ b/etc/profile-m-z/vmware.profile
@@ -26,7 +26,7 @@ include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
-caps.keep chown,net_raw,sys_nice,sys_rawio
+caps.keep chown,net_raw,sys_nice
 netfilter
 nogroups
 notv
@@ -34,6 +34,7 @@ shell none
 tracelog
 
 #disable-mnt
-#private-etc alsa,asound.conf,ca-certificates,conf.d,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,localtime,machine-id,pki,pulse,resolv.conf,ssl,vmware,vmware-installer,vmware-vix
+#private-bin env,bash,sh,ovftool,vmafossexec,vmaf_*,vmnet-*,vmplayer,vmrest,vmrun,vmss2core,vmstat,vmware,vmware-*
+private-etc alsa,asound.conf,ca-certificates,conf.d,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,localtime,machine-id,passwd,pki,pulse,resolv.conf,ssl,vmware,vmware-installer,vmware-vix
 dbus-user none
 dbus-system none
diff --git a/etc/profile-m-z/vscodium.profile b/etc/profile-m-z/vscodium.profile
index b4728fb72..e329e77ad 100644
--- a/etc/profile-m-z/vscodium.profile
+++ b/etc/profile-m-z/vscodium.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for Visual Studio Code
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include vscodium.local
+
 noblacklist ${HOME}/.VSCodium
 
 # Redirect
diff --git a/etc/profile-m-z/vulturesclaw.profile b/etc/profile-m-z/vulturesclaw.profile
index 2e9078a7b..8c46c8aef 100644
--- a/etc/profile-m-z/vulturesclaw.profile
+++ b/etc/profile-m-z/vulturesclaw.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for nethack-vultures
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include vulturesclaw.local
+
 noblacklist /var/games/vulturesclaw
 whitelist /var/games/vulturesclaw
 
diff --git a/etc/profile-m-z/vultureseye.profile b/etc/profile-m-z/vultureseye.profile
index 44c263cfc..a9d49dae2 100644
--- a/etc/profile-m-z/vultureseye.profile
+++ b/etc/profile-m-z/vultureseye.profile
@@ -1,6 +1,9 @@
 # Firejail profile alias for nethack-vultures
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include vultureseye.local
+
 noblacklist /var/games/vultureseye
 whitelist /var/games/vultureseye
 
diff --git a/etc/profile-m-z/weechat-curses.profile b/etc/profile-m-z/weechat-curses.profile
index 4719b9788..cd99c4730 100644
--- a/etc/profile-m-z/weechat-curses.profile
+++ b/etc/profile-m-z/weechat-curses.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for weechat
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include weechat-curses.local
+
 # Redirect
 include weechat.profile
diff --git a/etc/profile-m-z/wireshark-gtk.profile b/etc/profile-m-z/wireshark-gtk.profile
index 3e2e1807e..409f2a8b5 100644
--- a/etc/profile-m-z/wireshark-gtk.profile
+++ b/etc/profile-m-z/wireshark-gtk.profile
@@ -2,5 +2,8 @@
 # Description: Network protocol analyzer
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include wireshark-gtk.local
+
 # Redirect
 include wireshark.profile
diff --git a/etc/profile-m-z/wireshark-qt.profile b/etc/profile-m-z/wireshark-qt.profile
index 3e2e1807e..809108af7 100644
--- a/etc/profile-m-z/wireshark-qt.profile
+++ b/etc/profile-m-z/wireshark-qt.profile
@@ -2,5 +2,8 @@
 # Description: Network protocol analyzer
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include wireshark-qt.local
+
 # Redirect
 include wireshark.profile
diff --git a/etc/profile-m-z/xonotic-glx.profile b/etc/profile-m-z/xonotic-glx.profile
index abb91e1ec..57af3a8e4 100644
--- a/etc/profile-m-z/xonotic-glx.profile
+++ b/etc/profile-m-z/xonotic-glx.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for xonotic
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include xonotic-glx.local
+
 # Redirect
 include xonotic.profile
diff --git a/etc/profile-m-z/xonotic-sdl.profile b/etc/profile-m-z/xonotic-sdl.profile
index abb91e1ec..a2511a9da 100644
--- a/etc/profile-m-z/xonotic-sdl.profile
+++ b/etc/profile-m-z/xonotic-sdl.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for xonotic
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include xonotic-sdl.local
+
 # Redirect
 include xonotic.profile
diff --git a/etc/profile-m-z/xz.profile b/etc/profile-m-z/xz.profile
index d9c72407f..0310743c7 100644
--- a/etc/profile-m-z/xz.profile
+++ b/etc/profile-m-z/xz.profile
@@ -3,5 +3,8 @@
 # This file is overwritten after every install/update
 quiet
 
+# Persistent local customizations
+include xz.local
+
 # Redirect
 include cpio.profile
diff --git a/etc/profile-m-z/xzcat.profile b/etc/profile-m-z/xzcat.profile
index d9c72407f..1c6851189 100644
--- a/etc/profile-m-z/xzcat.profile
+++ b/etc/profile-m-z/xzcat.profile
@@ -3,5 +3,8 @@
 # This file is overwritten after every install/update
 quiet
 
+# Persistent local customizations
+include xzcat.local
+
 # Redirect
 include cpio.profile
diff --git a/etc/profile-m-z/xzcmp.profile b/etc/profile-m-z/xzcmp.profile
index d9c72407f..214f714ce 100644
--- a/etc/profile-m-z/xzcmp.profile
+++ b/etc/profile-m-z/xzcmp.profile
@@ -3,5 +3,8 @@
 # This file is overwritten after every install/update
 quiet
 
+# Persistent local customizations
+include xzcmp.local
+
 # Redirect
 include cpio.profile
diff --git a/etc/profile-m-z/xzdiff.profile b/etc/profile-m-z/xzdiff.profile
index d9c72407f..19a4c853f 100644
--- a/etc/profile-m-z/xzdiff.profile
+++ b/etc/profile-m-z/xzdiff.profile
@@ -3,5 +3,8 @@
 # This file is overwritten after every install/update
 quiet
 
+# Persistent local customizations
+include xzdiff.local
+
 # Redirect
 include cpio.profile
diff --git a/etc/profile-m-z/xzegrep.profile b/etc/profile-m-z/xzegrep.profile
index d9c72407f..998fab02c 100644
--- a/etc/profile-m-z/xzegrep.profile
+++ b/etc/profile-m-z/xzegrep.profile
@@ -3,5 +3,8 @@
 # This file is overwritten after every install/update
 quiet
 
+# Persistent local customizations
+include xzegrep.local
+
 # Redirect
 include cpio.profile
diff --git a/etc/profile-m-z/xzfgrep.profile b/etc/profile-m-z/xzfgrep.profile
index d9c72407f..4301f5c96 100644
--- a/etc/profile-m-z/xzfgrep.profile
+++ b/etc/profile-m-z/xzfgrep.profile
@@ -3,5 +3,8 @@
 # This file is overwritten after every install/update
 quiet
 
+# Persistent local customizations
+include xzfgrep.local
+
 # Redirect
 include cpio.profile
diff --git a/etc/profile-m-z/xzgrep.profile b/etc/profile-m-z/xzgrep.profile
index f7410b928..2def07549 100644
--- a/etc/profile-m-z/xzgrep.profile
+++ b/etc/profile-m-z/xzgrep.profile
@@ -2,5 +2,8 @@
 # Description: Library and command line tools for XZ and LZMA compressed files
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include xzgrep.local
+
 # Redirect
 include cpio.profile
diff --git a/etc/profile-m-z/xzless.profile b/etc/profile-m-z/xzless.profile
index f7410b928..d55a4c6c9 100644
--- a/etc/profile-m-z/xzless.profile
+++ b/etc/profile-m-z/xzless.profile
@@ -2,5 +2,8 @@
 # Description: Library and command line tools for XZ and LZMA compressed files
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include xzless.local
+
 # Redirect
 include cpio.profile
diff --git a/etc/profile-m-z/xzmore.profile b/etc/profile-m-z/xzmore.profile
index d9c72407f..f847c7006 100644
--- a/etc/profile-m-z/xzmore.profile
+++ b/etc/profile-m-z/xzmore.profile
@@ -3,5 +3,8 @@
 # This file is overwritten after every install/update
 quiet
 
+# Persistent local customizations
+include xzmore.local
+
 # Redirect
 include cpio.profile
diff --git a/etc/profile-m-z/yarn.profile b/etc/profile-m-z/yarn.profile
new file mode 100644
index 000000000..f20225050
--- /dev/null
+++ b/etc/profile-m-z/yarn.profile
@@ -0,0 +1,29 @@
+# Firejail profile for yarn
+# Description: Fast, reliable, and secure dependency management
+quiet
+# Persistent local customizations
+include yarn.local
+# Persistent global definitions
+include globals.local
+
+ignore read-only ${HOME}/.yarnrc
+
+noblacklist ${HOME}/.yarn
+noblacklist ${HOME}/.yarn-config
+noblacklist ${HOME}/.yarncache
+noblacklist ${HOME}/.yarnrc
+
+# If you want whitelisting, change ${HOME}/Projects below to your yarn projects directory and uncomment the lines below.
+#mkdir ${HOME}/.yarn
+#mkdir ${HOME}/.yarn-config
+#mkdir ${HOME}/.yarncache
+#mkfile ${HOME}/.yarnrc
+#whitelist ${HOME}/.yarn
+#whitelist ${HOME}/.yarn-config
+#whitelist ${HOME}/.yarncache
+#whitelist ${HOME}/.yarnrc
+#whitelist ${HOME}/Projects
+#include whitelist-common.inc
+
+# Redirect
+include nodejs-common.profile
diff --git a/etc/profile-m-z/zcat.profile b/etc/profile-m-z/zcat.profile
index bbac50712..5de13ab90 100644
--- a/etc/profile-m-z/zcat.profile
+++ b/etc/profile-m-z/zcat.profile
@@ -8,6 +8,7 @@ include zcat.local
 #include globals.local
 
 # Allow running kernel config check
+ignore include disable-shell.inc
 noblacklist /proc/config.gz
 
 # Redirect
diff --git a/etc/profile-m-z/zgrep.profile b/etc/profile-m-z/zgrep.profile
index 0e7151400..f63dc871f 100644
--- a/etc/profile-m-z/zgrep.profile
+++ b/etc/profile-m-z/zgrep.profile
@@ -8,6 +8,7 @@ include zgrep.local
 #include globals.local
 
 # Allow running kernel config check
+ignore include disable-shell.inc
 noblacklist /proc/config.gz
 
 # Redirect
diff --git a/etc/profile-m-z/zstdcat.profile b/etc/profile-m-z/zstdcat.profile
index ce9af3286..e7c37f58c 100644
--- a/etc/profile-m-z/zstdcat.profile
+++ b/etc/profile-m-z/zstdcat.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for zstd
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include zstdcat.local
+
 # Redirect
 include zstd.profile
diff --git a/etc/profile-m-z/zstdgrep.profile b/etc/profile-m-z/zstdgrep.profile
index ce9af3286..604e3524e 100644
--- a/etc/profile-m-z/zstdgrep.profile
+++ b/etc/profile-m-z/zstdgrep.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for zstd
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include zstdgrep.local
+
 # Redirect
 include zstd.profile
diff --git a/etc/profile-m-z/zstdless.profile b/etc/profile-m-z/zstdless.profile
index ce9af3286..efe688856 100644
--- a/etc/profile-m-z/zstdless.profile
+++ b/etc/profile-m-z/zstdless.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for zstd
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include zstdless.local
+
 # Redirect
 include zstd.profile
diff --git a/etc/profile-m-z/zstdmt.profile b/etc/profile-m-z/zstdmt.profile
index ce9af3286..cdd93f688 100644
--- a/etc/profile-m-z/zstdmt.profile
+++ b/etc/profile-m-z/zstdmt.profile
@@ -1,5 +1,8 @@
 # Firejail profile alias for zstd
 # This file is overwritten after every install/update
 
+# Persistent local customizations
+include zstdmt.local
+
 # Redirect
 include zstd.profile
diff --git a/etc/templates/profile.template b/etc/templates/profile.template
index 3d37fc827..8b44b0bc0 100644
--- a/etc/templates/profile.template
+++ b/etc/templates/profile.template
@@ -158,6 +158,7 @@ include globals.local
 ##seccomp !chroot
 ##seccomp.drop SYSCALLS (see syscalls.txt)
 #seccomp.block-secondary
+##seccomp-error-action log (Only for debugging seccomp issues)
 #shell none
 #tracelog
 # Prefer 'x11 none' instead of 'blacklist /tmp/.X11-unix' if 'net none' is set
diff --git a/etc/templates/syscalls.txt b/etc/templates/syscalls.txt
index c454887dd..ebc648548 100644
--- a/etc/templates/syscalls.txt
+++ b/etc/templates/syscalls.txt
@@ -35,7 +35,7 @@ Definition of groups
 @debug=lookup_dcookie,perf_event_open,process_vm_writev,rtas,s390_runtime_instr,sys_debug_setcontext
 @default=@clock,@cpu-emulation,@debug,@module,@mount,@obsolete,@raw-io,@reboot,@swap,open_by_handle_at,name_to_handle_at,ioprio_set,ni_syscall,syslog,fanotify_init,kcmp,add_key,request_key,mbind,migrate_pages,move_pages,keyctl,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,set_mempolicyvmsplice,userfaultfd,acct,bpf,nfsservctl,setdomainname,sethostname,vhangup
 @default-nodebuggers=@default,ptrace,personality,process_vm_readv
-@default-keep=execve,prctl
+@default-keep=execveat,execve,prctl
 @file-system=access,chdir,chmod,close,creat,faccessat,fallocate,fchdir,fchmod,fchmodat,fcntl,fcntl64,fgetxattr,flistxattr,fremovexattr,fsetxattr,fstat,fstat64,fstatat64,fstatfs,fstatfs64,ftruncate,ftruncate64,futimesat,getcwd,getdents,getdents64,getxattr,inotify_add_watch,inotify_init,inotify_init1,inotify_rm_watch,lgetxattr,link,linkat,listxattr,llistxattr,lremovexattr,lsetxattr,lstat,lstat64,mkdir,mkdirat,mknod,mknodat,mmap,mmap2,munmap,newfstatat,oldfstat,oldlstat,oldstat,open,openat,readlink,readlinkat,removexattr,rename,renameat,renameat2,rmdir,setxattr,stat,stat64,statfs,statfs64,statx,symlink,symlinkat,truncate,truncate64,unlink,unlinkat,utime,utimensat,utimes
 @io-event=_newselect,epoll_create,epoll_create1,epoll_ctl,epoll_ctl_old,epoll_pwait,epoll_wait,epoll_wait_old,eventfd,eventfd2,poll,ppoll,pselect6,select
 @ipc=ipc,memfd_create,mq_getsetattr,mq_notify,mq_open,mq_timedreceive,mq_timedsend,mq_unlink,msgctl,msgget,msgrcv,msgsnd,pipe,pipe2,process_vm_readv,process_vm_writev,semctl,semget,semop,semtimedop,shmat,shmctl,shmdt,shmget