249 files changed, 1210 insertions, 28 deletions

diff --git a/etc/0ad.profile b/etc/0ad.profile
index 1e7c06879..84addc229 100644
--- a/etc/0ad.profile
+++ b/etc/0ad.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/0ad.local
+
 # Firejail profile for 0ad.
 noblacklist ~/.cache/0ad
 noblacklist ~/.config/0ad
diff --git a/etc/7z.profile b/etc/7z.profile
index 319126540..102de44ee 100644
--- a/etc/7z.profile
+++ b/etc/7z.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/7z.local
+
 # 7zip crompression tool profile
 quiet
 ignore noroot
diff --git a/etc/Cryptocat.profile b/etc/Cryptocat.profile
index 3db34c03c..da7f93791 100644
--- a/etc/Cryptocat.profile
+++ b/etc/Cryptocat.profile
@@ -1,4 +1,8 @@
-# Firejail profile for 
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/Cryptocat.local
+
+# Firejail profile for Cryptocat
 noblacklist ${HOME}/.config/Cryptocat
 
 include /etc/firejail/disable-common.inc
diff --git a/etc/Cyberfox.profile b/etc/Cyberfox.profile
index 1f74606ce..bd2765bc7 100644
--- a/etc/Cyberfox.profile
+++ b/etc/Cyberfox.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/Cyberfox.local
+
 # Firejail profile for Cyberfox (based on Mozilla Firefox)
 
 include /etc/firejail/cyberfox.profile
diff --git a/etc/FossaMail.profile b/etc/FossaMail.profile
new file mode 100644
index 000000000..e0ba131ed
--- /dev/null
+++ b/etc/FossaMail.profile
@@ -0,0 +1,6 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/FossaMail.local
+
+# Firejail profile for FossaMail
+include /etc/firejail/fossamail.profile
diff --git a/etc/Mathematica.profile b/etc/Mathematica.profile
index e719f070f..2fe19c570 100644
--- a/etc/Mathematica.profile
+++ b/etc/Mathematica.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/Mathematica.local
+
 # Mathematica profile
 noblacklist ${HOME}/.Mathematica
 noblacklist ${HOME}/.Wolfram Research
diff --git a/etc/Telegram.profile b/etc/Telegram.profile
index 2e0f97821..6ccda7929 100644
--- a/etc/Telegram.profile
+++ b/etc/Telegram.profile
@@ -1,2 +1,6 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/Telegram.local
+
 # Telegram IRC profile
 include /etc/firejail/telegram.profile
diff --git a/etc/Thunar.profile b/etc/Thunar.profile
new file mode 100644
index 000000000..5a27177e0
--- /dev/null
+++ b/etc/Thunar.profile
@@ -0,0 +1,23 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/Thunar.local
+
+# Firejail profile for thunar
+noblacklist ~/.config/Thunar
+noblacklist ~/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+shell none
+tracelog
diff --git a/etc/VirtualBox.profile b/etc/VirtualBox.profile
index ff0a4b6ef..5e011b1fc 100644
--- a/etc/VirtualBox.profile
+++ b/etc/VirtualBox.profile
@@ -1 +1,5 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/VirtualBox.local
+
 include /etc/firejail/virtualbox.profile
diff --git a/etc/Wire.profile b/etc/Wire.profile
index bd9645c7f..0895353d1 100644
--- a/etc/Wire.profile
+++ b/etc/Wire.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/Wire.local
+
 # wire messenger profile
 
 include /etc/firejail/wire.profile
diff --git a/etc/abrowser.profile b/etc/abrowser.profile
index f25bbd94d..bdd56e42f 100644
--- a/etc/abrowser.profile
+++ b/etc/abrowser.profile
@@ -1,6 +1,11 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/abrowser.local
+
 # Firejail profile for Abrowser
 noblacklist ~/.mozilla
 noblacklist ~/.cache/mozilla
+noblacklist ~/.pki
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
diff --git a/etc/amarok.profile b/etc/amarok.profile
index 8d5b35d47..c2a400fe4 100644
--- a/etc/amarok.profile
+++ b/etc/amarok.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/amarok.local
+
 # amarok profile
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/ark.profile b/etc/ark.profile
index 61b4c6f60..20a2d10e0 100644
--- a/etc/ark.profile
+++ b/etc/ark.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/ark.local
+
 # ark profile
 noblacklist ~/.config/arkrc
 
diff --git a/etc/atom-beta.profile b/etc/atom-beta.profile
index fa0b316bb..4c50687aa 100644
--- a/etc/atom-beta.profile
+++ b/etc/atom-beta.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/atom-beta.local
+
 # Firejail profile for Atom Beta.
 noblacklist ~/.atom
 noblacklist ~/.config/Atom
diff --git a/etc/atom.profile b/etc/atom.profile
index 61930d5c1..fc0e1b69c 100644
--- a/etc/atom.profile
+++ b/etc/atom.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/atom.local
+
 # Firejail profile for Atom.
 noblacklist ~/.atom
 noblacklist ~/.config/Atom
diff --git a/etc/atool.profile b/etc/atool.profile
index 578a88fc7..37a2e09e4 100644
--- a/etc/atool.profile
+++ b/etc/atool.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/atool.local
+
 # atool profile
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/atril.profile b/etc/atril.profile
index fbcca0c1b..1125f4f3c 100644
--- a/etc/atril.profile
+++ b/etc/atril.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/atril.local
+
 # Atril profile
 noblacklist ~/.config/atril
 noblacklist ~/.local/share
diff --git a/etc/audacious.profile b/etc/audacious.profile
index e5275213c..63ba9af9c 100644
--- a/etc/audacious.profile
+++ b/etc/audacious.profile
@@ -1,4 +1,9 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/audacious.local
+
 # Audacious media player profile
+noblacklist ~/.config/audacious
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
diff --git a/etc/audacity.profile b/etc/audacity.profile
index 827fa4301..4394416ff 100644
--- a/etc/audacity.profile
+++ b/etc/audacity.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/audacity.local
+
 # Audacity profile
 noblacklist ~/.audacity-data
 
diff --git a/etc/aweather.profile b/etc/aweather.profile
index fa8654f1e..b6ed0de51 100644
--- a/etc/aweather.profile
+++ b/etc/aweather.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/aweather.local
+
 # Firejail profile for aweather.
 noblacklist ~/.config/aweather
 include /etc/firejail/disable-common.inc
diff --git a/etc/bitlbee.profile b/etc/bitlbee.profile
index 87d2e843a..b056a54e3 100644
--- a/etc/bitlbee.profile
+++ b/etc/bitlbee.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/bitlbee.local
+
 # BitlBee instant messaging profile
 noblacklist /sbin
 noblacklist /usr/sbin
diff --git a/etc/bleachbit.profile b/etc/bleachbit.profile
index 0a71db9f0..b406b9985 100644
--- a/etc/bleachbit.profile
+++ b/etc/bleachbit.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/bleachbit.local
+
 # bleachbit profile
 include /etc/firejail/disable-common.inc
 # include /etc/firejail/disable-programs.inc
diff --git a/etc/bless.profile b/etc/bless.profile
index 752edadf7..b8325de39 100644
--- a/etc/bless.profile
+++ b/etc/bless.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/bless.local
+
 #
 #Profile for bless
 #
diff --git a/etc/brasero.profile b/etc/brasero.profile
index 66de6fa50..6d84b0ca5 100644
--- a/etc/brasero.profile
+++ b/etc/brasero.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/brasero.local
+
 # brasero profile
 noblacklist ~/.config/brasero
 
diff --git a/etc/brave.profile b/etc/brave.profile
index 21ea7f908..d7678d5d5 100644
--- a/etc/brave.profile
+++ b/etc/brave.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/brave.local
+
 # Profile for Brave browser
 noblacklist ~/.config/brave
 include /etc/firejail/disable-common.inc
diff --git a/etc/cherrytree.profile b/etc/cherrytree.profile
index 139dec8ec..8d7585fb9 100644
--- a/etc/cherrytree.profile
+++ b/etc/cherrytree.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/cherrytree.local
+
 # cherrytree note taking application
 noblacklist /usr/bin/python2*
 noblacklist /usr/lib/python3*
diff --git a/etc/chromium-browser.profile b/etc/chromium-browser.profile
index d989b736b..e7dd5afe3 100644
--- a/etc/chromium-browser.profile
+++ b/etc/chromium-browser.profile
@@ -1,2 +1,6 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/chromium-browser.local
+
 # Chromium browser profile
 include /etc/firejail/chromium.profile
diff --git a/etc/chromium.profile b/etc/chromium.profile
index 7610d9b26..531f9156c 100644
--- a/etc/chromium.profile
+++ b/etc/chromium.profile
@@ -1,6 +1,11 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/chromium.local
+
 # Chromium browser profile
 noblacklist ~/.config/chromium
 noblacklist ~/.cache/chromium
+noblacklist ~/.pki
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 
diff --git a/etc/claws-mail.profile b/etc/claws-mail.profile
index 8921bb25e..3bffb9b0a 100644
--- a/etc/claws-mail.profile
+++ b/etc/claws-mail.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/claws-mail.local
+
 # claws-mail profile
 noblacklist ~/.claws-mail
 noblacklist ~/.signature
diff --git a/etc/clementine.profile b/etc/clementine.profile
index 5ce085358..f92413a36 100644
--- a/etc/clementine.profile
+++ b/etc/clementine.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/clementine.local
+
 # Clementine media player profile
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/cmus.profile b/etc/cmus.profile
index 2e2a6940c..50bfbf7c8 100644
--- a/etc/cmus.profile
+++ b/etc/cmus.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/cmus.local
+
 # cmus profile
 noblacklist ${HOME}/.config/cmus
 
diff --git a/etc/conkeror.profile b/etc/conkeror.profile
index e82eeec4c..b87aa835d 100644
--- a/etc/conkeror.profile
+++ b/etc/conkeror.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/conkeror.local
+
 # Firejail profile for Conkeror web browser profile
 noblacklist ${HOME}/.conkeror.mozdev.org
 include /etc/firejail/disable-common.inc
diff --git a/etc/corebird.profile b/etc/corebird.profile
index 6fb8219e8..a6514af5a 100644
--- a/etc/corebird.profile
+++ b/etc/corebird.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/corebird.local
+
 # Firejail corebird profile
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/cpio.profile b/etc/cpio.profile
index cf89acdac..d4b0e6d2d 100644
--- a/etc/cpio.profile
+++ b/etc/cpio.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/cpio.local
+
 # cpio profile
 # /sbin and /usr/sbin are visible inside the sandbox
 # /boot is not visible and /var is heavily modified 
diff --git a/etc/cryptocat.profile b/etc/cryptocat.profile
index 0d392b272..ea5c5c69b 100644
--- a/etc/cryptocat.profile
+++ b/etc/cryptocat.profile
@@ -1 +1,5 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/cryptocat.local
+
 include /etc/Cryptocat.profile
diff --git a/etc/cyberfox.profile b/etc/cyberfox.profile
index f722915f0..3dffe187c 100644
--- a/etc/cyberfox.profile
+++ b/etc/cyberfox.profile
@@ -1,6 +1,11 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/cyberfox.local
+
 # Firejail profile for Cyberfox (based on Mozilla Firefox)
 noblacklist ~/.8pecxstudios
 noblacklist ~/.cache/8pecxstudios
+noblacklist ~/.pki
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
diff --git a/etc/deadbeef.profile b/etc/deadbeef.profile
index 04abd0a92..603d6345c 100644
--- a/etc/deadbeef.profile
+++ b/etc/deadbeef.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/deadbeef.local
+
 # DeaDBeeF media player profile
 noblacklist ${HOME}/.config/deadbeef
 
diff --git a/etc/default.profile b/etc/default.profile
index 603321316..66b04896f 100644
--- a/etc/default.profile
+++ b/etc/default.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/default.local
+
 ################################
 # Generic GUI application profile
 ################################
diff --git a/etc/deluge.profile b/etc/deluge.profile
index c6ddec3ec..7b4a49db5 100644
--- a/etc/deluge.profile
+++ b/etc/deluge.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/deluge.local
+
 # deluge bittorrernt client profile
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/dillo.profile b/etc/dillo.profile
index 108787920..f8a3e5252 100644
--- a/etc/dillo.profile
+++ b/etc/dillo.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/dillo.local
+
 # Firejail profile for Dillo web browser
 noblacklist ~/.dillo
 include /etc/firejail/disable-common.inc
diff --git a/etc/disable-common.inc b/etc/disable-common.inc
index 22f54604a..79732b197 100644
--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -1,3 +1,7 @@
+# This file is overwritten during software install. 
+# Persistent customizations should go in a .local file.
+include /etc/firejail/disable-common.local
+
 # History files in $HOME
 blacklist-nolog ${HOME}/.history
 blacklist-nolog ${HOME}/.*_history
@@ -72,12 +76,9 @@ blacklist /etc/profile.d
 blacklist /etc/rc.local
 blacklist /etc/anacrontab
 
-# General startup files
+# Startup files
 read-only ${HOME}/.xinitrc
 read-only ${HOME}/.xserverrc
-read-only ${HOME}/.profile
-
-# Shell startup files
 read-only ${HOME}/.antigen
 read-only ${HOME}/.bash_login
 read-only ${HOME}/.bashrc
@@ -96,12 +97,21 @@ read-only ${HOME}/.tcshrc
 read-only ${HOME}/.cshrc
 read-only ${HOME}/.csh_files
 read-only ${HOME}/.profile
+read-only ${HOME}/.forward
+read-only ${HOME}/.login
+read-only ${HOME}/.logout
+read-only ${HOME}/.pgpkey
+read-only ${HOME}/.plan
+read-only ${HOME}/.project
 
 # Initialization files that allow arbitrary command execution
 read-only ${HOME}/.caffrc
 read-only ${HOME}/.dotfiles
 read-only ${HOME}/dotfiles
 read-only ${HOME}/.mailcap
+read-only ${HOME}/.muttrc
+read-only ${HOME}/.mutt/muttrc
+read-only ${HOME}/.msmtprc
 read-only ${HOME}/.exrc
 read-only ${HOME}/_exrc
 read-only ${HOME}/.vimrc
@@ -118,8 +128,16 @@ read-only ${HOME}/.reportbugrc
 read-only ${HOME}/.xmonad
 read-only ${HOME}/.xscreensaver
 
-# The user ~/bin directory can override commands such as ls
+# Make directories commonly found in $PATH read-only
 read-only ${HOME}/bin
+read-only ${HOME}/.gem
+read-only ${HOME}/.luarocks
+read-only ${HOME}/.npm-packages
+
+# Make the contents of ~/.local read-only,
+#  except the commonly-used ~/.local/share
+read-only  ${HOME}/.local
+read-write ${HOME}/.local/share
 
 # top secret
 blacklist ${HOME}/.ecryptfs
@@ -197,6 +215,8 @@ blacklist /usr/lib64/virtualbox
 
 # prevent lxterminal connecting to an existing lxterminal session
 blacklist /tmp/.lxterminal-socket*
+# prevent tmux connecting to an existing session
+blacklist /tmp/tmux-*
 
 # disable terminals running as server resulting in sandbox escape
 blacklist ${PATH}/gnome-terminal
diff --git a/etc/disable-devel.inc b/etc/disable-devel.inc
index 2ac367f37..24c739b5b 100644
--- a/etc/disable-devel.inc
+++ b/etc/disable-devel.inc
@@ -1,3 +1,7 @@
+# This file is overwritten during software install. 
+# Persistent customizations should go in a .local file.
+include /etc/firejail/disable-devel.local
+
 # development tools
 
 # GCC
diff --git a/etc/disable-passwdmgr.inc b/etc/disable-passwdmgr.inc
index 8f8aa1c2c..c4112d4d5 100644
--- a/etc/disable-passwdmgr.inc
+++ b/etc/disable-passwdmgr.inc
@@ -1,3 +1,7 @@
+# This file is overwritten during software install. 
+# Persistent customizations should go in a .local file.
+include /etc/firejail/disable-passwdmgr.local
+
 blacklist ${HOME}/.pki/nssdb
 blacklist ${HOME}/.lastpass
 blacklist ${HOME}/.keepassx
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index 69f0a2e1b..c59285e85 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -1,3 +1,7 @@
+# This file is overwritten during software install. 
+# Persistent customizations should go in a .local file.
+include /etc/firejail/disable-programs.local
+
 blacklist ${HOME}/.*coin
 blacklist ${HOME}/.8pecxstudios
 blacklist ${HOME}/.Atom
@@ -66,12 +70,14 @@ blacklist ${HOME}/.config/Mumble
 blacklist ${HOME}/.config/QuiteRss
 blacklist ${HOME}/.config/QuiteRssrc
 blacklist ${HOME}/.config/Slack
+blacklist ${HOME}/.config/Thunar
 blacklist ${HOME}/.config/VirtualBox
 blacklist ${HOME}/.config/Wire
 blacklist ${HOME}/.config/ardour4
 blacklist ${HOME}/.config/ardour5
 blacklist ${HOME}/.config/arkrc
 blacklist ${HOME}/.config/atril
+blacklist ${HOME}/.config/audacious
 blacklist ${HOME}/.config/autostart
 blacklist ${HOME}/.config/autostart/dropbox.desktop
 blacklist ${HOME}/.config/aweather
@@ -145,6 +151,7 @@ blacklist ${HOME}/.config/wireshark
 blacklist ${HOME}/.config/xchat
 blacklist ${HOME}/.config/xed
 blacklist ${HOME}/.config/xfburn
+blacklist ${HOME}/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml
 blacklist ${HOME}/.config/xplayer
 blacklist ${HOME}/.config/xreader
 blacklist ${HOME}/.config/xviewer
@@ -278,3 +285,5 @@ blacklist ${HOME}/.xpdfrc
 blacklist ${HOME}/.zoom
 blacklist ${HOME}/wallet.dat
 blacklist /tmp/ssh-*
+blacklist ${HOME}/.kinorc
+blacklist ${HOME}/.kino-history
diff --git a/etc/display.profile b/etc/display.profile
index ec041bff7..83fbc965a 100644
--- a/etc/display.profile
+++ b/etc/display.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/display.local
+
 # display (ImageMagick tool) image viewer profile
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/dnscrypt-proxy.profile b/etc/dnscrypt-proxy.profile
index 926b8bfcc..c69707181 100644
--- a/etc/dnscrypt-proxy.profile
+++ b/etc/dnscrypt-proxy.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/dnscrypt-proxy.local
+
 # security profile for dnscrypt-proxy
 noblacklist /sbin
 noblacklist /usr/sbin
diff --git a/etc/dnsmasq.profile b/etc/dnsmasq.profile
index 3bd43f144..0af4a3f62 100644
--- a/etc/dnsmasq.profile
+++ b/etc/dnsmasq.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/dnsmasq.local
+
 # dnsmasq profile
 noblacklist /sbin
 noblacklist /usr/sbin
diff --git a/etc/dolphin.profile b/etc/dolphin.profile
index 09a86f811..2b7919083 100644
--- a/etc/dolphin.profile
+++ b/etc/dolphin.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/dolphin.local
+
 # dolphin profile
 
 # warning: firejail is currently not effectively constraining dolphin since used services are started by kdeinit5
diff --git a/etc/dosbox.profile b/etc/dosbox.profile
index 45fbb712a..3ef6931fc 100644
--- a/etc/dosbox.profile
+++ b/etc/dosbox.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/dosbox.local
+
 # Firejail profile for dosbox
 noblacklist ~/.dosbox
 
diff --git a/etc/dragon.profile b/etc/dragon.profile
index 09cb73802..b6228fd41 100644
--- a/etc/dragon.profile
+++ b/etc/dragon.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/dragon.local
+
 # dragon player profile
 noblacklist ~/.config/dragonplayerrc
 
diff --git a/etc/dropbox.profile b/etc/dropbox.profile
index 40efd62b2..b58fa0ed1 100644
--- a/etc/dropbox.profile
+++ b/etc/dropbox.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/dropbox.local
+
 # dropbox profile
 noblacklist ~/.config/autostart
 include /etc/firejail/disable-common.inc
diff --git a/etc/elinks.profile b/etc/elinks.profile
index ade15f203..1fad33d54 100644
--- a/etc/elinks.profile
+++ b/etc/elinks.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/elinks.local
+
 # elinks profile
 noblacklist ~/.elinks
 
diff --git a/etc/emacs.profile b/etc/emacs.profile
index 2b9c5805c..21767402f 100644
--- a/etc/emacs.profile
+++ b/etc/emacs.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/emacs.local
+
 # emacs profile
 noblacklist ~/.emacs
 noblacklist ~/.emacs.d
diff --git a/etc/empathy.profile b/etc/empathy.profile
index 2a0a6389c..4cf90908f 100644
--- a/etc/empathy.profile
+++ b/etc/empathy.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/empathy.local
+
 # Empathy instant messaging profile
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/enchant.profile b/etc/enchant.profile
index cf8288919..8b1995a95 100644
--- a/etc/enchant.profile
+++ b/etc/enchant.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/enchant.local
+
 # enchant profile
 noblacklist ~/.config/enchant
 
diff --git a/etc/eog.profile b/etc/eog.profile
index d463f3a97..c5afec7fa 100644
--- a/etc/eog.profile
+++ b/etc/eog.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/eog.local
+
 # eog (gnome image viewer) profile
 noblacklist ~/.config/eog
 
diff --git a/etc/eom.profile b/etc/eom.profile
index dfcea82c1..a7e10ba9e 100644
--- a/etc/eom.profile
+++ b/etc/eom.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/eom.local
+
 # Firejail profile for Eye of Mate (eom)
 noblacklist ~/.config/mate/eom
 
diff --git a/etc/epiphany.profile b/etc/epiphany.profile
index 0e898f02b..1bf259440 100644
--- a/etc/epiphany.profile
+++ b/etc/epiphany.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/epiphany.local
+
 # Epiphany browser profile
 noblacklist ${HOME}/.config/epiphany
 noblacklist ${HOME}/.cache/epiphany
diff --git a/etc/evince.profile b/etc/evince.profile
index 1ec384947..94cefdd8b 100644
--- a/etc/evince.profile
+++ b/etc/evince.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/evince.local
+
 # evince pdf reader profile
 noblacklist ~/.config/evince
 
diff --git a/etc/evolution.profile b/etc/evolution.profile
index ab6dd7a4a..cb6615716 100644
--- a/etc/evolution.profile
+++ b/etc/evolution.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/evolution.local
+
 # evolution profile
 noblacklist ~/.config/evolution
 noblacklist ~/.local/share/evolution
@@ -6,6 +10,9 @@ noblacklist ~/.pki
 noblacklist ~/.pki/nssdb
 noblacklist ~/.gnupg
 
+noblacklist /var/spool/mail
+noblacklist /var/mail
+
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
diff --git a/etc/exiftool.profile b/etc/exiftool.profile
index 1cae8c093..356735421 100644
--- a/etc/exiftool.profile
+++ b/etc/exiftool.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/exiftool.local
+
 # exiftool profile
 noblacklist /usr/bin/perl
 noblacklist /usr/share/perl*
diff --git a/etc/fbreader.profile b/etc/fbreader.profile
index ec098d5fe..77bf89f35 100644
--- a/etc/fbreader.profile
+++ b/etc/fbreader.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/fbreader.local
+
 # fbreader ebook reader profile
 noblacklist ${HOME}/.FBReader
 
diff --git a/etc/feh.profile b/etc/feh.profile
index 2812effc9..e00b6a821 100644
--- a/etc/feh.profile
+++ b/etc/feh.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/feh.local
+
 # feh image viewer profile
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/file-roller.profile b/etc/file-roller.profile
index 6116389db..804d20ce1 100644
--- a/etc/file-roller.profile
+++ b/etc/file-roller.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/file-roller.local
+
 # file-roller profile
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/file.profile b/etc/file.profile
index d145fe12a..2f972212e 100644
--- a/etc/file.profile
+++ b/etc/file.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/file.local
+
 # file profile
 quiet
 include /etc/firejail/disable-common.inc
diff --git a/etc/filezilla.profile b/etc/filezilla.profile
index a40fceec1..5f2636bf5 100644
--- a/etc/filezilla.profile
+++ b/etc/filezilla.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/filezilla.local
+
 # FileZilla ftp profile
 noblacklist ${HOME}/.filezilla
 noblacklist ${HOME}/.config/filezilla
diff --git a/etc/firefox-esr.profile b/etc/firefox-esr.profile
index d2fde9a3f..753f64526 100644
--- a/etc/firefox-esr.profile
+++ b/etc/firefox-esr.profile
@@ -1,2 +1,6 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/firefox-esr.local
+
 # Firejail profile for Mozilla Firefox ESR
 include /etc/firejail/firefox.profile
diff --git a/etc/firefox.profile b/etc/firefox.profile
index c3a9b2a62..5f891ea3c 100644
--- a/etc/firefox.profile
+++ b/etc/firefox.profile
@@ -1,9 +1,14 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/firefox.local
+
 # Firejail profile for Mozilla Firefox (Iceweasel in Debian)
 noblacklist ~/.mozilla
 noblacklist ~/.cache/mozilla
 noblacklist ~/.config/qpdfview
 noblacklist ~/.local/share/qpdfview
 noblacklist ~/.kde/share/apps/okular
+noblacklist ~/.pki
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
@@ -30,6 +35,7 @@ whitelist ~/.pentadactyl
 whitelist ~/.keysnail.js
 whitelist ~/.config/gnome-mplayer
 whitelist ~/.cache/gnome-mplayer/plugin
+mkdir ~/.pki
 whitelist ~/.pki
 whitelist ~/.config/qpdfview
 whitelist ~/.local/share/qpdfview
diff --git a/etc/firejail.config b/etc/firejail.config
index 824e3f503..766802a7d 100644
--- a/etc/firejail.config
+++ b/etc/firejail.config
@@ -20,6 +20,12 @@
 # Enable Firejail green prompt in terminal, default disabled
 # firejail-prompt no
 
+# Follow symlink as user. While using --whitelist feature,
+# symlinks pointing outside home directory are followed only
+# if both the link and the real file are owned by the user.
+# Enabled by default
+# follow-symlink-as-user yes
+
 # Force use of nonewprivs.  This mitigates the possibility of
 # a user abusing firejail's features to trick a privileged (suid
 # or file capabilities) process into loading code or configuration
@@ -79,6 +85,6 @@
 # Firejail window title in Xephyr, default enabled.
 # xephyr-window-title yes
 
-# Xephyr command extra parameters. None by default, and the declaration is commented out.
+# Xephyr command extra parameters. None by default; these are examples.
 # xephyr-extra-params -keybd ephyr,,,xkbmodel=evdev
 # xephyr-extra-params -grayscale
diff --git a/etc/flashpeak-slimjet.profile b/etc/flashpeak-slimjet.profile
index 3c23ff6f6..56437ba06 100644
--- a/etc/flashpeak-slimjet.profile
+++ b/etc/flashpeak-slimjet.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/flashpeak-slimjet.local
+
 # SlimJet browser profile
 # This is a whitelisted profile, the internal browser sandbox
 # is disabled because it requires sudo password. The command
@@ -7,6 +11,7 @@
 #
 noblacklist ~/.config/slimjet
 noblacklist ~/.cache/slimjet
+noblacklist ~/.pki
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 
diff --git a/etc/flowblade.profile b/etc/flowblade.profile
index 12afdb0aa..e60417081 100644
--- a/etc/flowblade.profile
+++ b/etc/flowblade.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/flowblade.local
+
 # FlowBlade profile
 noblacklist ${HOME}/.flowblade
 noblacklist ${HOME}/.config/flowblade
diff --git a/etc/fossamail.profile b/etc/fossamail.profile
new file mode 100644
index 000000000..3caaad71c
--- /dev/null
+++ b/etc/fossamail.profile
@@ -0,0 +1,19 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/fossamail.local
+
+# Firejail profile for FossaMail
+
+noblacklist ~/.gnupg
+mkdir ~/.gnupg
+whitelist ~/.gnupg
+
+noblacklist ~/.fossamail
+mkdir ~/.fossamail
+whitelist ~/.fossamail
+
+noblacklist ~/.cache/fossamail
+mkdir ~/.cache/fossamail
+whitelist ~/.cache/fossamail
+
+include /etc/firejail/firefox.profile
diff --git a/etc/franz.profile b/etc/franz.profile
index 0b3be551b..05ff72a47 100644
--- a/etc/franz.profile
+++ b/etc/franz.profile
@@ -1,6 +1,11 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/franz.local
+
 # Franz profile
 noblacklist ~/.config/Franz
 noblacklist ~/.cache/Franz
+noblacklist ~/.pki
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
diff --git a/etc/gajim.profile b/etc/gajim.profile
index eb60f858b..bac6cc466 100644
--- a/etc/gajim.profile
+++ b/etc/gajim.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/gajim.local
+
 # Firejail profile for Gajim
 noblacklist ${HOME}/.cache/gajim
 noblacklist ${HOME}/.local/share/gajim
diff --git a/etc/gedit.profile b/etc/gedit.profile
index a25286bfa..9f4eee9b3 100644
--- a/etc/gedit.profile
+++ b/etc/gedit.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/gedit.local
+
 # gedit profile
 
 # when gedit is started via gnome-shell, firejail is not applied because systemd will start it
diff --git a/etc/gimp.profile b/etc/gimp.profile
index cb441fc9d..d07398a41 100644
--- a/etc/gimp.profile
+++ b/etc/gimp.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/gimp.local
+
 # gimp
 noblacklist ${HOME}/.gimp*
 include /etc/firejail/disable-common.inc
diff --git a/etc/git.profile b/etc/git.profile
index 80e534e20..5fbacd7fa 100644
--- a/etc/git.profile
+++ b/etc/git.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/git.local
+
 # git profile
 quiet
 noblacklist ~/.gitconfig
diff --git a/etc/gitter.profile b/etc/gitter.profile
index f43f5f199..054d859f8 100644
--- a/etc/gitter.profile
+++ b/etc/gitter.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/gitter.local
+
 # Firejail profile for Gitter
 noblacklist ~/.config/Gitter
 include /etc/firejail/disable-common.inc
diff --git a/etc/gjs.profile b/etc/gjs.profile
index 8d71728a2..24ec70e86 100644
--- a/etc/gjs.profile
+++ b/etc/gjs.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/gjs.local
+
 # gjs (gnome javascript bindings) profile
 
 # when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
diff --git a/etc/gnome-2048.profile b/etc/gnome-2048.profile
index f9982da61..95c0daccd 100644
--- a/etc/gnome-2048.profile
+++ b/etc/gnome-2048.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/gnome-2048.local
+
 #
 #Profile for gnome-2048
 #
diff --git a/etc/gnome-books.profile b/etc/gnome-books.profile
index 10b06e173..692e32896 100644
--- a/etc/gnome-books.profile
+++ b/etc/gnome-books.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/gnome-books.local
+
 # gnome-books profile
 
 # when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
diff --git a/etc/gnome-calculator.profile b/etc/gnome-calculator.profile
index 49e068171..714a97650 100644
--- a/etc/gnome-calculator.profile
+++ b/etc/gnome-calculator.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/gnome-calculator.local
+
 #
 #Profile for gnome-calculator
 #
diff --git a/etc/gnome-chess.profile b/etc/gnome-chess.profile
index 4db485ea7..3dcc98b72 100644
--- a/etc/gnome-chess.profile
+++ b/etc/gnome-chess.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/gnome-chess.local
+
 # Firejail profile for gnome-chess
 noblacklist ~/.local/share/gnome-chess
 
diff --git a/etc/gnome-clocks.profile b/etc/gnome-clocks.profile
index 6cccf9d32..30598f348 100644
--- a/etc/gnome-clocks.profile
+++ b/etc/gnome-clocks.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/gnome-clocks.local
+
 # gnome-clocks profile
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/gnome-contacts.profile b/etc/gnome-contacts.profile
index 9dc25b26c..b61cd3c74 100644
--- a/etc/gnome-contacts.profile
+++ b/etc/gnome-contacts.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/gnome-contacts.local
+
 #
 #Profile for gnome-contacts
 #
diff --git a/etc/gnome-documents.profile b/etc/gnome-documents.profile
index c5def7aff..9d3b8172b 100644
--- a/etc/gnome-documents.profile
+++ b/etc/gnome-documents.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/gnome-documents.local
+
 # gnome-documents profile
 
 # when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
diff --git a/etc/gnome-maps.profile b/etc/gnome-maps.profile
index f1451506e..54c0eb99c 100644
--- a/etc/gnome-maps.profile
+++ b/etc/gnome-maps.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/gnome-maps.local
+
 # gnome-maps profile
 
 # when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
diff --git a/etc/gnome-mplayer.profile b/etc/gnome-mplayer.profile
index 488c7e0b8..cd268aed7 100644
--- a/etc/gnome-mplayer.profile
+++ b/etc/gnome-mplayer.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/gnome-mplayer.local
+
 # GNOME MPlayer profile
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
@@ -12,6 +16,6 @@ protocol unix,inet,inet6
 seccomp
 shell none
 
-private-bin gnome-mplayer,mplayer
+# private-bin gnome-mplayer,mplayer
 private-dev
 private-tmp
diff --git a/etc/gnome-music.profile b/etc/gnome-music.profile
index 4a8adeb22..9136015e9 100644
--- a/etc/gnome-music.profile
+++ b/etc/gnome-music.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/gnome-music.local
+
 # gnome-music profile
 noblacklist ~/.local/share/gnome-music
 
diff --git a/etc/gnome-photos.profile b/etc/gnome-photos.profile
index 8f9d60cb5..d1636e02e 100644
--- a/etc/gnome-photos.profile
+++ b/etc/gnome-photos.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/gnome-photos.local
+
 # gnome-photos profile
 
 # when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
diff --git a/etc/gnome-weather.profile b/etc/gnome-weather.profile
index 9f93b8f15..925420a5a 100644
--- a/etc/gnome-weather.profile
+++ b/etc/gnome-weather.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/gnome-weather.local
+
 # gnome-weather profile
 
 # when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
diff --git a/etc/goobox.profile b/etc/goobox.profile
index 8990943fc..6aaec1354 100644
--- a/etc/goobox.profile
+++ b/etc/goobox.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/goobox.local
+
 # goobox profile
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/google-chrome-beta.profile b/etc/google-chrome-beta.profile
index 3d483967c..2f09edb7a 100644
--- a/etc/google-chrome-beta.profile
+++ b/etc/google-chrome-beta.profile
@@ -1,6 +1,11 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/google-chrome-beta.local
+
 # Google Chrome beta browser profile
 noblacklist ~/.config/google-chrome-beta
 noblacklist ~/.cache/google-chrome-beta
+noblacklist ~/.pki
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 
diff --git a/etc/google-chrome-stable.profile b/etc/google-chrome-stable.profile
index 78c8ca6e5..b8d9d6917 100644
--- a/etc/google-chrome-stable.profile
+++ b/etc/google-chrome-stable.profile
@@ -1,2 +1,6 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/google-chrome-stable.local
+
 # Google Chrome browser profile
 include /etc/firejail/google-chrome.profile
diff --git a/etc/google-chrome-unstable.profile b/etc/google-chrome-unstable.profile
index 0189ce40b..e0dc37034 100644
--- a/etc/google-chrome-unstable.profile
+++ b/etc/google-chrome-unstable.profile
@@ -1,6 +1,11 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/google-chrome-unstable.local
+
 # Google Chrome unstable browser profile
 noblacklist ~/.config/google-chrome-unstable
 noblacklist ~/.cache/google-chrome-unstable
+noblacklist ~/.pki
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 
diff --git a/etc/google-chrome.profile b/etc/google-chrome.profile
index 3083c2afd..dfb30dc7e 100644
--- a/etc/google-chrome.profile
+++ b/etc/google-chrome.profile
@@ -1,6 +1,11 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/google-chrome.local
+
 # Google Chrome browser profile
 noblacklist ~/.config/google-chrome
 noblacklist ~/.cache/google-chrome
+noblacklist ~/.pki
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 
diff --git a/etc/google-play-music-desktop-player.profile b/etc/google-play-music-desktop-player.profile
index b4cf8d9ac..dbe07cfee 100644
--- a/etc/google-play-music-desktop-player.profile
+++ b/etc/google-play-music-desktop-player.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/google-play-music-desktop-player.local
+
 # Google Play Music desktop player profile
 noblacklist ~/.config/Google Play Music Desktop Player
 
diff --git a/etc/gpa.profile b/etc/gpa.profile
index 7d7277190..7618fdd41 100644
--- a/etc/gpa.profile
+++ b/etc/gpa.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/gpa.local
+
 # gpa profile
 noblacklist ~/.gnupg
 
@@ -18,6 +22,4 @@ shell none
 tracelog
 
 # private-bin gpa,gpg
-private-tmp
 private-dev
-# private-etc none
diff --git a/etc/gpg-agent.profile b/etc/gpg-agent.profile
index 59c7383d7..7beaca6f2 100644
--- a/etc/gpg-agent.profile
+++ b/etc/gpg-agent.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/gpg-agent.local
+
 # gpg-agent profile
 noblacklist ~/.gnupg
 
@@ -11,7 +15,7 @@ nogroups
 nonewprivs
 noroot
 nosound
-protocol unix
+protocol unix,inet,inet6
 seccomp
 netfilter
 no3d
@@ -21,6 +25,4 @@ tracelog
 blacklist /tmp/.X11-unix
 
 # private-bin gpg-agent,gpg
-private-tmp
 private-dev
-# private-etc none
diff --git a/etc/gpg.profile b/etc/gpg.profile
index d711c6f3e..92e42cc4b 100644
--- a/etc/gpg.profile
+++ b/etc/gpg.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/gpg.local
+
 # gpg profile
 noblacklist ~/.gnupg
 
@@ -11,10 +15,9 @@ nogroups
 nonewprivs
 noroot
 nosound
-protocol unix
+protocol unix,inet,inet6
 seccomp
 netfilter
-net none
 no3d
 shell none
 tracelog
@@ -22,6 +25,4 @@ tracelog
 blacklist /tmp/.X11-unix
 
 # private-bin gpg,gpg-agent
-private-tmp
 private-dev
-# private-etc none
diff --git a/etc/gpredict.profile b/etc/gpredict.profile
index 801304c18..9e8af2016 100644
--- a/etc/gpredict.profile
+++ b/etc/gpredict.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/gpredict.local
+
 # Firejail profile for gpredict.
 noblacklist ~/.config/Gpredict
 include /etc/firejail/disable-common.inc
diff --git a/etc/gtar.profile b/etc/gtar.profile
index 2f675cd9d..2fcdbaa83 100644
--- a/etc/gtar.profile
+++ b/etc/gtar.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/gtar.local
+
 # gtar profile
 quiet
 include /etc/firejail/tar.profile
diff --git a/etc/gthumb.profile b/etc/gthumb.profile
index 055d78935..d8c438181 100644
--- a/etc/gthumb.profile
+++ b/etc/gthumb.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/gthumb.local
+
 # gthumb profile
 noblacklist ${HOME}/.config/gthumb
 
diff --git a/etc/guayadeque.profile b/etc/guayadeque.profile
index 0c6ad00be..3c8da9e46 100644
--- a/etc/guayadeque.profile
+++ b/etc/guayadeque.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/guayadeque.local
+
 noblacklist ${HOME}/.guayadeque
 
 include /etc/firejail/disable-common.inc
diff --git a/etc/gwenview.profile b/etc/gwenview.profile
index c866c9e63..f636792f0 100644
--- a/etc/gwenview.profile
+++ b/etc/gwenview.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/gwenview.local
+
 # KDE gwenview profile
 noblacklist ~/.kde/share/apps/gwenview
 noblacklist ~/.kde/share/config/gwenviewrc
diff --git a/etc/gzip.profile b/etc/gzip.profile
index feb27c150..2eca4d8b6 100644
--- a/etc/gzip.profile
+++ b/etc/gzip.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/gzip.local
+
 # gzip profile
 quiet
 ignore noroot
diff --git a/etc/hedgewars.profile b/etc/hedgewars.profile
index 7910b7eb0..4e469bd42 100644
--- a/etc/hedgewars.profile
+++ b/etc/hedgewars.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/hedgewars.local
+
 # whitelist profile for Hedgewars (game)
 noblacklist ${HOME}/.hedgewars
 
diff --git a/etc/hexchat.profile b/etc/hexchat.profile
index 5cefe45b5..53f447f7e 100644
--- a/etc/hexchat.profile
+++ b/etc/hexchat.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/hexchat.local
+
 # HexChat instant messaging profile
 # Currently in testing (may not work for all users)
 noblacklist ${HOME}/.config/hexchat
diff --git a/etc/highlight.profile b/etc/highlight.profile
index 4bab18349..446a3fbb7 100644
--- a/etc/highlight.profile
+++ b/etc/highlight.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/highlight.local
+
 # highlight profile
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/icecat.profile b/etc/icecat.profile
index 038afc876..144f5c4eb 100644
--- a/etc/icecat.profile
+++ b/etc/icecat.profile
@@ -1,6 +1,11 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/icecat.local
+
 # Firejail profile for GNU Icecat
 noblacklist ~/.mozilla
 noblacklist ~/.cache/mozilla
+noblacklist ~/.pki
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
diff --git a/etc/icedove.profile b/etc/icedove.profile
index 310684bdb..b5265e992 100644
--- a/etc/icedove.profile
+++ b/etc/icedove.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/icedove.local
+
 # Firejail profile for Mozilla Thunderbird (Icedove in Debian Stable)
 # Users have icedove set to open a browser by clicking a link in an email
 # We are not allowed to blacklist browser-specific directories
diff --git a/etc/iceweasel.profile b/etc/iceweasel.profile
index e9b32846a..d5c29a5ce 100644
--- a/etc/iceweasel.profile
+++ b/etc/iceweasel.profile
@@ -1,2 +1,6 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/iceweasel.local
+
 # Firejail profile for Mozilla Firefox (Iceweasel in Debian)
 include /etc/firejail/firefox.profile
diff --git a/etc/img2txt.profile b/etc/img2txt.profile
index d55a31cd0..15692b2b0 100644
--- a/etc/img2txt.profile
+++ b/etc/img2txt.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/img2txt.local
+
 # img2txt profile
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/inkscape.profile b/etc/inkscape.profile
index a0e86b6c9..000a35fd9 100644
--- a/etc/inkscape.profile
+++ b/etc/inkscape.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/inkscape.local
+
 # inkscape
 noblacklist ${HOME}/.inkscape
 include /etc/firejail/disable-common.inc
diff --git a/etc/inox.profile b/etc/inox.profile
index 6f6d140e2..8e95208ab 100644
--- a/etc/inox.profile
+++ b/etc/inox.profile
@@ -1,6 +1,11 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/inox.local
+
 # Inox browser profile
 noblacklist ~/.config/inox
 noblacklist ~/.cache/inox
+noblacklist ~/.pki
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 
diff --git a/etc/iridium-browser.profile b/etc/iridium-browser.profile
new file mode 100644
index 000000000..7a2f889dc
--- /dev/null
+++ b/etc/iridium-browser.profile
@@ -0,0 +1,6 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/iridium-browser.local
+
+include /etc/firejail/iridium.profile
+
diff --git a/etc/iridium.profile b/etc/iridium.profile
new file mode 100644
index 000000000..69ea483aa
--- /dev/null
+++ b/etc/iridium.profile
@@ -0,0 +1,33 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/iridium.local
+
+# Iridium browser profile
+noblacklist ~/.config/iridium
+noblacklist ~/.cache/iridium
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+
+# chromium/iridium is distributed with a perl script on Arch
+# include /etc/firejail/disable-devel.inc
+#
+
+netfilter
+
+whitelist ${DOWNLOADS}
+mkdir ~/.config/iridium
+whitelist ~/.config/iridium
+mkdir ~/.cache/iridium
+whitelist ~/.cache/iridium
+mkdir ~/.pki
+whitelist ~/.pki
+
+# lastpass, keepass
+# for keepass we additionally need to whitelist our .kdbx password database
+whitelist ~/.keepass
+whitelist ~/.config/keepass
+whitelist ~/.config/KeePass
+whitelist ~/.lastpass
+whitelist ~/.config/lastpass
+
+include /etc/firejail/whitelist-common.inc
diff --git a/etc/jd-gui.profile b/etc/jd-gui.profile
index 1d6eb41f8..2ba1a4380 100644
--- a/etc/jd-gui.profile
+++ b/etc/jd-gui.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/jd-gui.local
+
 #
 #Profile for jd-gui
 #
diff --git a/etc/jitsi.profile b/etc/jitsi.profile
index 046499abe..5d502fffe 100644
--- a/etc/jitsi.profile
+++ b/etc/jitsi.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/jitsi.local
+
 # Firejail profile for jitsi
 noblacklist ~/.jitsi
 include /etc/firejail/disable-common.inc
diff --git a/etc/k3b.profile b/etc/k3b.profile
index 8a5fff0c6..68b825c5e 100644
--- a/etc/k3b.profile
+++ b/etc/k3b.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/k3b.local
+
 # k3b profile
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/kate.profile b/etc/kate.profile
index 4b07ea6cb..466786e61 100644
--- a/etc/kate.profile
+++ b/etc/kate.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/kate.local
+
 # kate profile
 noblacklist ~/.local/share/kate
 noblacklist ~/.config/katerc
diff --git a/etc/keepass.profile b/etc/keepass.profile
index eb7d92a7c..d269c3e8a 100644
--- a/etc/keepass.profile
+++ b/etc/keepass.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/keepass.local
+
 # keepass password manager profile
 noblacklist ${HOME}/.keepass
 noblacklist ${HOME}/.config/keepass
diff --git a/etc/keepass2.profile b/etc/keepass2.profile
index 1ee2644d5..dbf7a4180 100644
--- a/etc/keepass2.profile
+++ b/etc/keepass2.profile
@@ -1,2 +1,6 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/keepass2.local
+
 # keepass password manager profile
 include /etc/firejail/keepass.profile
diff --git a/etc/keepassx.profile b/etc/keepassx.profile
index bb74bb629..379b8a668 100644
--- a/etc/keepassx.profile
+++ b/etc/keepassx.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/keepassx.local
+
 # keepassx password manager profile
 noblacklist ${HOME}/.config/keepassx
 noblacklist ${HOME}/.keepassx
@@ -10,14 +14,17 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
+net none
 nogroups
 nonewprivs
 noroot
 nosound
 protocol unix
 seccomp
-netfilter
 shell none
+tracelog
 
+private-bin keepassx
+private-etc fonts
+private-dev
 private-tmp
-private-dev 
diff --git a/etc/keepassx2.profile b/etc/keepassx2.profile
index bb74bb629..a21caf3f1 100644
--- a/etc/keepassx2.profile
+++ b/etc/keepassx2.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/keepassx2.local
+
 # keepassx password manager profile
 noblacklist ${HOME}/.config/keepassx
 noblacklist ${HOME}/.keepassx
@@ -10,14 +14,16 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
+net none
 nogroups
 nonewprivs
 noroot
 nosound
 protocol unix
 seccomp
-netfilter
 shell none
 
+private-bin keepassx2
+private-etc fonts
+private-dev
 private-tmp
-private-dev 
diff --git a/etc/kino.profile b/etc/kino.profile
new file mode 100644
index 000000000..70269e75a
--- /dev/null
+++ b/etc/kino.profile
@@ -0,0 +1,30 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/kino.local
+
+################################
+# Generic GUI application profile
+################################
+noblacklist ~/.kinorc
+noblacklist ~/.kino-history
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
+
+#
+# depending on you usage, you can enable some of the commands below: 
+#
+# nogroups
+# shell none
+# private-bin program
+# private-etc none
+# private-dev
+# private-tmp
+
diff --git a/etc/kmail.profile b/etc/kmail.profile
index 410ff36c6..b930f6e48 100644
--- a/etc/kmail.profile
+++ b/etc/kmail.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/kmail.local
+
 # kmail profile
 noblacklist ${HOME}/.gnupg
 
diff --git a/etc/konversation.profile b/etc/konversation.profile
index c00b91c18..0b920bd6a 100644
--- a/etc/konversation.profile
+++ b/etc/konversation.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/konversation.local
+
 # Firejail konversation profile
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/less.profile b/etc/less.profile
index c01dfc466..23fbc4ba2 100644
--- a/etc/less.profile
+++ b/etc/less.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/less.local
+
 # less profile
 quiet
 ignore noroot
diff --git a/etc/libreoffice.profile b/etc/libreoffice.profile
index d6aceb7a8..685073e7c 100644
--- a/etc/libreoffice.profile
+++ b/etc/libreoffice.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/libreoffice.local
+
 # Firejail profile for LibreOffice
 noblacklist ~/.config/libreoffice
 noblacklist /usr/local/sbin
diff --git a/etc/localc.profile b/etc/localc.profile
index fecd08822..14c34c722 100644
--- a/etc/localc.profile
+++ b/etc/localc.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/localc.local
+
 ################################
 # LibreOffice profile
 ################################
diff --git a/etc/lodraw.profile b/etc/lodraw.profile
index fecd08822..5be66c5de 100644
--- a/etc/lodraw.profile
+++ b/etc/lodraw.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/lodraw.local
+
 ################################
 # LibreOffice profile
 ################################
diff --git a/etc/loffice.profile b/etc/loffice.profile
index fecd08822..5f931502c 100644
--- a/etc/loffice.profile
+++ b/etc/loffice.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/loffice.local
+
 ################################
 # LibreOffice profile
 ################################
diff --git a/etc/lofromtemplate.profile b/etc/lofromtemplate.profile
index fecd08822..9899ddf58 100644
--- a/etc/lofromtemplate.profile
+++ b/etc/lofromtemplate.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/lofromtemplate.local
+
 ################################
 # LibreOffice profile
 ################################
diff --git a/etc/login.users b/etc/login.users
index bc6ac4b09..81f12c6b1 100644
--- a/etc/login.users
+++ b/etc/login.users
@@ -9,6 +9,12 @@
 #
 #       netblue:--net=none --protocol=unix
 #
+# Wildcard patterns are accepted in the user name field:
+#
+#       user*: --private
+#
+# The example will do --private for user1, user2, and so on.
+#
 # The extra arguments are inserted into program command line if firejail
 # was started as a login shell.
 
diff --git a/etc/loimpress.profile b/etc/loimpress.profile
index fecd08822..4de330d67 100644
--- a/etc/loimpress.profile
+++ b/etc/loimpress.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/loimpress.local
+
 ################################
 # LibreOffice profile
 ################################
diff --git a/etc/lollypop.profile b/etc/lollypop.profile
index 41a662bca..06ed415d6 100644
--- a/etc/lollypop.profile
+++ b/etc/lollypop.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/lollypop.local
+
 #
 #Profile for lollypop
 #
diff --git a/etc/lomath.profile b/etc/lomath.profile
index fecd08822..cbe13f474 100644
--- a/etc/lomath.profile
+++ b/etc/lomath.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/lomath.local
+
 ################################
 # LibreOffice profile
 ################################
diff --git a/etc/loweb.profile b/etc/loweb.profile
index fecd08822..f5e13db02 100644
--- a/etc/loweb.profile
+++ b/etc/loweb.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/loweb.local
+
 ################################
 # LibreOffice profile
 ################################
diff --git a/etc/lowriter.profile b/etc/lowriter.profile
index fecd08822..b6c6ed407 100644
--- a/etc/lowriter.profile
+++ b/etc/lowriter.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/lowriter.local
+
 ################################
 # LibreOffice profile
 ################################
diff --git a/etc/luminance-hdr.profile b/etc/luminance-hdr.profile
index 76e864e0c..1b06b27c3 100644
--- a/etc/luminance-hdr.profile
+++ b/etc/luminance-hdr.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/luminance-hdr.local
+
 # luminance-hdr
 noblacklist ${HOME}/.config/Luminance
 include /etc/firejail/disable-common.inc
diff --git a/etc/lxterminal.profile b/etc/lxterminal.profile
index 12765c299..5d76adf4c 100644
--- a/etc/lxterminal.profile
+++ b/etc/lxterminal.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/lxterminal.local
+
 # lxterminal (LXDE) profile
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/lynx.profile b/etc/lynx.profile
index 3e8d72103..de428c214 100644
--- a/etc/lynx.profile
+++ b/etc/lynx.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/lynx.local
+
 # lynx profile
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/mathematica.profile b/etc/mathematica.profile
index 9410054ae..c880b1daa 100644
--- a/etc/mathematica.profile
+++ b/etc/mathematica.profile
@@ -1,2 +1,6 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/mathematica.local
+
 # Mathematica profile
 include /etc/firejail/Mathematica.profile
diff --git a/etc/mcabber.profile b/etc/mcabber.profile
index 48b46dba0..87e672501 100644
--- a/etc/mcabber.profile
+++ b/etc/mcabber.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/mcabber.local
+
 # mcabber profile
 noblacklist ${HOME}/.mcabber
 noblacklist ${HOME}/.mcabberrc
diff --git a/etc/mediainfo.profile b/etc/mediainfo.profile
index 65d12c49e..9b4adc26f 100644
--- a/etc/mediainfo.profile
+++ b/etc/mediainfo.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/mediainfo.local
+
 # mediainfo profile
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/midori.profile b/etc/midori.profile
index 046c45d94..44e5e7417 100644
--- a/etc/midori.profile
+++ b/etc/midori.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/midori.local
+
 # Midori browser profile
 noblacklist ${HOME}/.config/midori
 include /etc/firejail/disable-common.inc
diff --git a/etc/mpv.profile b/etc/mpv.profile
index 80f8de54a..d7a8d37e8 100644
--- a/etc/mpv.profile
+++ b/etc/mpv.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/mpv.local
+
 # mpv media player profile
 noblacklist ${HOME}/.config/mpv
 
diff --git a/etc/multimc5.profile b/etc/multimc5.profile
index cc310f294..6b8946be3 100644
--- a/etc/multimc5.profile
+++ b/etc/multimc5.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/multimc5.local
+
 #
 #Profile for multimc5
 #
diff --git a/etc/mumble.profile b/etc/mumble.profile
index ddd70822d..d5405a6ae 100644
--- a/etc/mumble.profile
+++ b/etc/mumble.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/mumble.local
+
 # mumble profile
 noblacklist ${HOME}/.config/Mumble
 noblacklist ${HOME}/.local/share/data/Mumble
diff --git a/etc/mupdf.profile b/etc/mupdf.profile
index 7f9261d8b..712552965 100644
--- a/etc/mupdf.profile
+++ b/etc/mupdf.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/mupdf.local
+
 # mupdf reader profile
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/mupen64plus.profile b/etc/mupen64plus.profile
index acb13e6b9..80e75e836 100644
--- a/etc/mupen64plus.profile
+++ b/etc/mupen64plus.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/mupen64plus.local
+
 # mupen64plus profile
 # manually whitelist ROM files
 noblacklist ${HOME}/.config/mupen64plus
diff --git a/etc/mutt.profile b/etc/mutt.profile
index 5a714de4a..2f0809f02 100644
--- a/etc/mutt.profile
+++ b/etc/mutt.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/mutt.local
+
 # mutt email client profile
 noblacklist ~/.muttrc
 noblacklist ~/.mutt
diff --git a/etc/nautilus.profile b/etc/nautilus.profile
index 264ee0b9d..85f9ab7d7 100644
--- a/etc/nautilus.profile
+++ b/etc/nautilus.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/nautilus.local
+
 # nautilus profile
 
 # Nautilus is started by systemd on most systems. Therefore it is not firejailed by default. Since there is already a nautilus process running on gnome desktops firejail will have no effect.
diff --git a/etc/netsurf.profile b/etc/netsurf.profile
index 644a1605b..4c10a3e98 100644
--- a/etc/netsurf.profile
+++ b/etc/netsurf.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/netsurf.local
+
 # Firejail profile for Mozilla Firefox (Iceweasel in Debian)
 noblacklist ~/.config/netsurf
 noblacklist ~/.cache/netsurf
diff --git a/etc/odt2txt.profile b/etc/odt2txt.profile
index c4e28f70e..3880895f3 100644
--- a/etc/odt2txt.profile
+++ b/etc/odt2txt.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/odt2txt.local
+
 # odt2txt profile
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/okular.profile b/etc/okular.profile
index 22e223cea..2875d2ef5 100644
--- a/etc/okular.profile
+++ b/etc/okular.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/okular.local
+
 # KDE okular profile
 noblacklist ~/.kde/share/apps/okular
 noblacklist ~/.kde/share/config/okularrc
diff --git a/etc/openbox.profile b/etc/openbox.profile
index f812768a1..7e074f5b5 100644
--- a/etc/openbox.profile
+++ b/etc/openbox.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/openbox.local
+
 #######################################
 # OpenBox window manager profile
 # - all applications started in OpenBox will run in this profile
diff --git a/etc/openshot.profile b/etc/openshot.profile
index f12bd7d11..25e9a4066 100644
--- a/etc/openshot.profile
+++ b/etc/openshot.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/openshot.local
+
 # OpenShot profile
 noblacklist ${HOME}/.openshot
 noblacklist ${HOME}/.openshot_qt
diff --git a/etc/opera-beta.profile b/etc/opera-beta.profile
index 4cdb0a9eb..dba7cf68c 100644
--- a/etc/opera-beta.profile
+++ b/etc/opera-beta.profile
@@ -1,6 +1,11 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/opera-beta.local
+
 # Opera-beta browser profile
 noblacklist ~/.config/opera-beta
 noblacklist ~/.cache/opera-beta
+noblacklist ~/.pki
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
diff --git a/etc/opera.profile b/etc/opera.profile
index a337ccc5b..57395ea72 100644
--- a/etc/opera.profile
+++ b/etc/opera.profile
@@ -1,7 +1,12 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/opera.local
+
 # Opera browser profile
 noblacklist ~/.config/opera
 noblacklist ~/.cache/opera
 noblacklist ~/.opera
+noblacklist ~/.pki
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
diff --git a/etc/palemoon.profile b/etc/palemoon.profile
index 1476369a1..41eef8d91 100644
--- a/etc/palemoon.profile
+++ b/etc/palemoon.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/palemoon.local
+
 # Firejail profile for Pale Moon
 noblacklist ~/.moonchild productions/pale moon
 noblacklist ~/.cache/moonchild productions/pale moon
@@ -23,6 +27,7 @@ shell none
 tracelog
 
 private-bin palemoon
+private-opt palemoon
 private-tmp
 
 # These are uncommented in the Firefox profile. If you run into trouble you may
diff --git a/etc/parole.profile b/etc/parole.profile
index 1440a9ef7..58a9f2c6c 100644
--- a/etc/parole.profile
+++ b/etc/parole.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/parole.local
+
 # Profile for Parole, the default XFCE4 media player
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/pdfsam.profile b/etc/pdfsam.profile
index 6e50f37cf..37adabb39 100644
--- a/etc/pdfsam.profile
+++ b/etc/pdfsam.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/pdfsam.local
+
 #
 #Profile for pdfsam
 #
diff --git a/etc/pdftotext.profile b/etc/pdftotext.profile
index fe9e9e3cd..ce19f1760 100644
--- a/etc/pdftotext.profile
+++ b/etc/pdftotext.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/pdftotext.local
+
 # pdftotext profile
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/pidgin.profile b/etc/pidgin.profile
index 850706145..5c5cb0a5b 100644
--- a/etc/pidgin.profile
+++ b/etc/pidgin.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/pidgin.local
+
 # Pidgin profile
 noblacklist ${HOME}/.purple
 
diff --git a/etc/pithos.profile b/etc/pithos.profile
index 8270b8bee..500e35989 100644
--- a/etc/pithos.profile
+++ b/etc/pithos.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/pithos.local
+
 #
 #Profile for pithos
 #
diff --git a/etc/pix.profile b/etc/pix.profile
index dc8192b01..c36a5f96e 100644
--- a/etc/pix.profile
+++ b/etc/pix.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/pix.local
+
 # Firejail profile for pix
 noblacklist ${HOME}/.config/pix
 noblacklist ${HOME}/.local/share/pix
diff --git a/etc/pluma.profile b/etc/pluma.profile
index 895cc2369..719a26928 100644
--- a/etc/pluma.profile
+++ b/etc/pluma.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/pluma.local
+
 # Firejail profile for Xed
 noblacklist ${HOME}/.config/pluma
 
diff --git a/etc/polari.profile b/etc/polari.profile
index ac9530c40..834a8b3d6 100644
--- a/etc/polari.profile
+++ b/etc/polari.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/polari.local
+
 # Polari IRC profile
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/psi-plus.profile b/etc/psi-plus.profile
index e4e69b9f6..45cb22ee4 100644
--- a/etc/psi-plus.profile
+++ b/etc/psi-plus.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/psi-plus.local
+
 # Firejail profile for Psi+
 noblacklist ${HOME}/.config/psi+
 noblacklist ${HOME}/.local/share/psi+
diff --git a/etc/qbittorrent.profile b/etc/qbittorrent.profile
index 89e0e4c78..4a454d2f6 100644
--- a/etc/qbittorrent.profile
+++ b/etc/qbittorrent.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/qbittorrent.local
+
 # qbittorrent bittorrent profile
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
@@ -6,6 +10,7 @@ include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
 netfilter
+nogroups
 nonewprivs
 noroot
 nosound
diff --git a/etc/qemu-launcher.profile b/etc/qemu-launcher.profile
index f9c8e6345..328f1a30d 100644
--- a/etc/qemu-launcher.profile
+++ b/etc/qemu-launcher.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/qemu-launcher.local
+
 # qemu-launcher profile
 noblacklist ~/.qemu-launcher
 
diff --git a/etc/qemu-system-x86_64.profile b/etc/qemu-system-x86_64.profile
index 65e1e44ea..16e822901 100644
--- a/etc/qemu-system-x86_64.profile
+++ b/etc/qemu-system-x86_64.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/qemu-system-x86_64.local
+
 # qemu profile
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/qpdfview.profile b/etc/qpdfview.profile
index 06c0db206..97f06f848 100644
--- a/etc/qpdfview.profile
+++ b/etc/qpdfview.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/qpdfview.local
+
 # qpdfview profile
 noblacklist ${HOME}/.config/qpdfview
 noblacklist ${HOME}/.local/share/qpdfview
diff --git a/etc/qtox.profile b/etc/qtox.profile
index 81d8aa10e..40a959d05 100644
--- a/etc/qtox.profile
+++ b/etc/qtox.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/qtox.local
+
 # qTox instant messaging profile
 noblacklist ${HOME}/.config/tox
 include /etc/firejail/disable-common.inc
diff --git a/etc/quassel.profile b/etc/quassel.profile
index f92dfeb9f..6fd438073 100644
--- a/etc/quassel.profile
+++ b/etc/quassel.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/quassel.local
+
 # Quassel IRC profile
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/quiterss.profile b/etc/quiterss.profile
index 47ab77675..f4e4f96d3 100644
--- a/etc/quiterss.profile
+++ b/etc/quiterss.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/quiterss.local
+
 noblacklist ${HOME}/.cache/QuiteRss
 noblacklist ${HOME}/.config/QuiteRss
 noblacklist ${HOME}/.config/QuiteRssrc
diff --git a/etc/qupzilla.profile b/etc/qupzilla.profile
index 387ddeffa..3f5cb60c0 100644
--- a/etc/qupzilla.profile
+++ b/etc/qupzilla.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/qupzilla.local
+
 # Firejail profile for Qupzilla web browser
 noblacklist ${HOME}/.config/qupzilla
 noblacklist ${HOME}/.cache/qupzilla
diff --git a/etc/qutebrowser.profile b/etc/qutebrowser.profile
index dcacd4f29..f43307ef9 100644
--- a/etc/qutebrowser.profile
+++ b/etc/qutebrowser.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/qutebrowser.local
+
 # Firejail profile for Qutebrowser (Qt5-Webkit+Python) browser
 noblacklist ~/.config/qutebrowser
 noblacklist ~/.cache/qutebrowser
diff --git a/etc/ranger.profile b/etc/ranger.profile
index 3538f3eb2..0cabca11e 100644
--- a/etc/ranger.profile
+++ b/etc/ranger.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/ranger.local
+
 # ranger file manager profile
 noblacklist /usr/bin/perl
 #noblacklist /usr/bin/cpan*
diff --git a/etc/rhythmbox.profile b/etc/rhythmbox.profile
index e5e192486..0f7a3fa5b 100644
--- a/etc/rhythmbox.profile
+++ b/etc/rhythmbox.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/rhythmbox.local
+
 # Rhythmbox media player profile
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/rtorrent.profile b/etc/rtorrent.profile
index 55bfcd77f..2f8a527cc 100644
--- a/etc/rtorrent.profile
+++ b/etc/rtorrent.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/rtorrent.local
+
 # rtorrent bittorrent profile
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/seamonkey-bin.profile b/etc/seamonkey-bin.profile
index fff8c1258..ff8936014 100644
--- a/etc/seamonkey-bin.profile
+++ b/etc/seamonkey-bin.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/seamonkey-bin.local
+
 # Firejail profile for Seamonkey based off Mozilla Firefox
 include /etc/firejail/seamonkey.profile
 
diff --git a/etc/seamonkey.profile b/etc/seamonkey.profile
index 5d817acce..bfcdf5873 100644
--- a/etc/seamonkey.profile
+++ b/etc/seamonkey.profile
@@ -1,6 +1,11 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/seamonkey.local
+
 # Firejail profile for Seamoneky based off Mozilla Firefox
 noblacklist ~/.mozilla
 noblacklist ~/.cache/mozilla
+noblacklist ~/.pki
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
diff --git a/etc/server.profile b/etc/server.profile
index b8a34feb2..d1d7dffa9 100644
--- a/etc/server.profile
+++ b/etc/server.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/server.local
+
 # generic server profile
 # it allows /sbin and /usr/sbin directories - this is where servers are installed
 noblacklist /sbin
diff --git a/etc/simple-scan.profile b/etc/simple-scan.profile
index 03089482b..ee7e50ba7 100644
--- a/etc/simple-scan.profile
+++ b/etc/simple-scan.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/simple-scan.local
+
 # simple-scan profile
 noblacklist ~/.cache/simple-scan
 
diff --git a/etc/skanlite.profile b/etc/skanlite.profile
index 667b775c8..b1b4b5a96 100644
--- a/etc/skanlite.profile
+++ b/etc/skanlite.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/skanlite.local
+
 # skanlite profile
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/skype.profile b/etc/skype.profile
index 9cbcd5117..169a1dd51 100644
--- a/etc/skype.profile
+++ b/etc/skype.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/skype.local
+
 # Skype profile
 noblacklist ${HOME}/.Skype
 include /etc/firejail/disable-common.inc
diff --git a/etc/skypeforlinux.profile b/etc/skypeforlinux.profile
index 3f0a274f9..d3bbf3e53 100644
--- a/etc/skypeforlinux.profile
+++ b/etc/skypeforlinux.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/skypeforlinux.local
+
 # skypeforlinux profile
 noblacklist ${HOME}/.config/skypeforlinux
 include /etc/firejail/disable-common.inc
diff --git a/etc/slack.profile b/etc/slack.profile
index a85a28f03..6a2dae253 100644
--- a/etc/slack.profile
+++ b/etc/slack.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/slack.local
+
 # Firejail profile for Slack
 noblacklist ${HOME}/.config/Slack
 noblacklist ${HOME}/Downloads
diff --git a/etc/snap.profile b/etc/snap.profile
index e2ada3a99..085ce8e2a 100644
--- a/etc/snap.profile
+++ b/etc/snap.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/snap.local
+
 ################################
 # Generic Ubuntu snap application profile
 ################################
diff --git a/etc/soffice.profile b/etc/soffice.profile
index fecd08822..737419a8f 100644
--- a/etc/soffice.profile
+++ b/etc/soffice.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/soffice.local
+
 ################################
 # LibreOffice profile
 ################################
diff --git a/etc/spotify.profile b/etc/spotify.profile
index 6dbcc03ee..843038a2b 100644
--- a/etc/spotify.profile
+++ b/etc/spotify.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/spotify.local
+
 # Spotify media player profile
 noblacklist ${HOME}/.config/spotify
 noblacklist ${HOME}/.cache/spotify
diff --git a/etc/ssh-agent.profile b/etc/ssh-agent.profile
index bea3a6061..43d9f62fa 100644
--- a/etc/ssh-agent.profile
+++ b/etc/ssh-agent.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/ssh-agent.local
+
 # ssh-agent
 quiet
 noblacklist ~/.ssh
diff --git a/etc/ssh.profile b/etc/ssh.profile
index b7a8ed2b9..b1ef6b27e 100644
--- a/etc/ssh.profile
+++ b/etc/ssh.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/ssh.local
+
 # ssh client
 quiet
 noblacklist ~/.ssh
diff --git a/etc/start-tor-browser.profile b/etc/start-tor-browser.profile
index ee19cee25..c13f85a66 100644
--- a/etc/start-tor-browser.profile
+++ b/etc/start-tor-browser.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/start-tor-browser.local
+
 # Firejail profile for the Tor Brower Bundle
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
@@ -14,7 +18,7 @@ seccomp
 shell none
 tracelog
 
-private-bin bash,grep,sed,tail,env,gpg,id,readlink,dirname,test,mkdir,ln,sed,cp,rm,getconf
+private-bin bash,grep,tail,env,gpg,id,readlink,dirname,test,mkdir,ln,sed,cp,rm,getconf
 private-etc fonts
 private-dev
 private-tmp
diff --git a/etc/steam.profile b/etc/steam.profile
index 5dc5e80ff..b527589de 100644
--- a/etc/steam.profile
+++ b/etc/steam.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/steam.local
+
 # Steam profile (applies to games/apps launched from Steam as well)
 noblacklist ${HOME}/.steam
 noblacklist ${HOME}/.local/share/steam
diff --git a/etc/stellarium.profile b/etc/stellarium.profile
index d57c9e5f7..fc952be34 100644
--- a/etc/stellarium.profile
+++ b/etc/stellarium.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/stellarium.local
+
 # Firejail profile for Stellarium.
 noblacklist ~/.stellarium
 noblacklist ~/.config/stellarium
diff --git a/etc/strings.profile b/etc/strings.profile
index 2bbab1366..bfa089bd0 100644
--- a/etc/strings.profile
+++ b/etc/strings.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/strings.local
+
 # strings profile
 quiet
 ignore noroot
diff --git a/etc/synfigstudio.profile b/etc/synfigstudio.profile
index 69b2a0db2..636b09bd0 100644
--- a/etc/synfigstudio.profile
+++ b/etc/synfigstudio.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/synfigstudio.local
+
 # synfigstudio
 noblacklist ${HOME}/.config/synfig
 noblacklist ${HOME}/.synfig
diff --git a/etc/tar.profile b/etc/tar.profile
index 3addb02fb..0162be718 100644
--- a/etc/tar.profile
+++ b/etc/tar.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/tar.local
+
 # tar profile
 quiet
 ignore noroot
diff --git a/etc/telegram.profile b/etc/telegram.profile
index 7615c8eef..c5e72fe76 100644
--- a/etc/telegram.profile
+++ b/etc/telegram.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/telegram.local
+
 # Telegram IRC profile
 noblacklist ${HOME}/.TelegramDesktop
 include /etc/firejail/disable-common.inc
diff --git a/etc/thunar.profile b/etc/thunar.profile
new file mode 100644
index 000000000..868f80912
--- /dev/null
+++ b/etc/thunar.profile
@@ -0,0 +1 @@
+include /etc/firejail/Thunar.profile
diff --git a/etc/thunderbird.profile b/etc/thunderbird.profile
index 568343ba6..88ab7501e 100644
--- a/etc/thunderbird.profile
+++ b/etc/thunderbird.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/thunderbird.local
+
 # Firejail profile for Mozilla Thunderbird
 # Users have thunderbird set to open a browser by clicking a link in an email
 # We are not allowed to blacklist browser-specific directories
diff --git a/etc/totem.profile b/etc/totem.profile
index 252b46979..0b3942cf0 100644
--- a/etc/totem.profile
+++ b/etc/totem.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/totem.local
+
 # Totem media player profile
 noblacklist ~/.config/totem
 noblacklist ~/.local/share/totem
diff --git a/etc/tracker.profile b/etc/tracker.profile
index 7f4f371eb..56528785a 100644
--- a/etc/tracker.profile
+++ b/etc/tracker.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/tracker.local
+
 # tracker profile
 
 # Tracker is started by systemd on most systems. Therefore it is not firejailed by default
diff --git a/etc/transmission-cli.profile b/etc/transmission-cli.profile
index 6cbc3415c..dbcc8d041 100644
--- a/etc/transmission-cli.profile
+++ b/etc/transmission-cli.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/transmission-cli.local
+
 # transmission-cli bittorrent profile
 noblacklist ${HOME}/.config/transmission
 noblacklist ${HOME}/.cache/transmission
diff --git a/etc/transmission-gtk.profile b/etc/transmission-gtk.profile
index fa54ea81b..dcd3317ef 100644
--- a/etc/transmission-gtk.profile
+++ b/etc/transmission-gtk.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/transmission-gtk.local
+
 # transmission-gtk bittorrent profile
 noblacklist ${HOME}/.config/transmission
 noblacklist ${HOME}/.cache/transmission
diff --git a/etc/transmission-qt.profile b/etc/transmission-qt.profile
index 100fadc27..ed63f7cff 100644
--- a/etc/transmission-qt.profile
+++ b/etc/transmission-qt.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/transmission-qt.local
+
 # transmission-qt bittorrent profile
 noblacklist ${HOME}/.config/transmission
 noblacklist ${HOME}/.cache/transmission
diff --git a/etc/transmission-show.profile b/etc/transmission-show.profile
index 5e5284b34..0b88789b1 100644
--- a/etc/transmission-show.profile
+++ b/etc/transmission-show.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/transmission-show.local
+
 # transmission-show profile
 noblacklist ${HOME}/.config/transmission
 noblacklist ${HOME}/.cache/transmission
diff --git a/etc/uget-gtk.profile b/etc/uget-gtk.profile
index 3ba28f772..cc5d4dda5 100644
--- a/etc/uget-gtk.profile
+++ b/etc/uget-gtk.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/uget-gtk.local
+
 # uGet profile
 noblacklist ${HOME}/.config/uGet
 
diff --git a/etc/unbound.profile b/etc/unbound.profile
index 5e2cb5f65..0bd46b7f4 100644
--- a/etc/unbound.profile
+++ b/etc/unbound.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/unbound.local
+
 # security profile for unbound (https://unbound.net)
 noblacklist /sbin
 noblacklist /usr/sbin
@@ -9,5 +13,6 @@ include /etc/firejail/disable-passwdmgr.inc
 private
 private-dev
 nosound
+no3d
 seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,open_by_handle_at,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,perf_event_open
 
diff --git a/etc/unrar.profile b/etc/unrar.profile
index bde6f4e22..da187bfef 100644
--- a/etc/unrar.profile
+++ b/etc/unrar.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/unrar.local
+
 # unrar profile
 quiet
 ignore noroot
diff --git a/etc/unzip.profile b/etc/unzip.profile
index 8c10d11a0..24767c86f 100644
--- a/etc/unzip.profile
+++ b/etc/unzip.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/unzip.local
+
 # unzip profile
 quiet
 ignore noroot
diff --git a/etc/uudeview.profile b/etc/uudeview.profile
index d5b750a13..5f41188af 100644
--- a/etc/uudeview.profile
+++ b/etc/uudeview.profile
@@ -1,9 +1,12 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/uudeview.local
+
 # uudeview profile
 quiet
 ignore noroot
 include /etc/firejail/default.profile
 
-blacklist /etc
 
 hostname uudeview
 net none
@@ -13,3 +16,4 @@ tracelog
 
 private-bin uudeview
 private-dev
+private-etc ld.so.preload
diff --git a/etc/uzbl-browser.profile b/etc/uzbl-browser.profile
new file mode 100644
index 000000000..ce0b0d0a5
--- /dev/null
+++ b/etc/uzbl-browser.profile
@@ -0,0 +1,33 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/uzbl-browser.local
+
+# Firejail profile for uzbl-browser
+
+noblacklist ~/.config/uzbl
+noblacklist ~/.gnupg
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
+tracelog
+
+mkdir ~/.config/uzbl
+whitelist ~/.config/uzbl
+mkdir ~/.local/share/uzbl
+whitelist ~/.local/share/uzbl
+
+whitelist ${DOWNLOADS}
+
+mkdir ~/.gnupg
+whitelist ~/.gnupg
+mkdir ~/.password-store
+whitelist ~/.password-store
+
+include /etc/firejail/whitelist-common.inc
diff --git a/etc/vim.profile b/etc/vim.profile
index b161fcbb0..e89104e17 100644
--- a/etc/vim.profile
+++ b/etc/vim.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/vim.local
+
 # vim profile
 noblacklist ~/.vim
 noblacklist ~/.vimrc
diff --git a/etc/virtualbox.profile b/etc/virtualbox.profile
index 1e765b89b..57ead818e 100644
--- a/etc/virtualbox.profile
+++ b/etc/virtualbox.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/virtualbox.local
+
 # virtualbox profile
 noblacklist ${HOME}/.VirtualBox
 noblacklist ${HOME}/VirtualBox VMs
diff --git a/etc/vivaldi-beta.profile b/etc/vivaldi-beta.profile
index 5426c4a2d..3b7c7d2b4 100644
--- a/etc/vivaldi-beta.profile
+++ b/etc/vivaldi-beta.profile
@@ -1,2 +1,6 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/vivaldi-beta.local
+
 # Vivaldi Beta browser profile
 include /etc/firejail/vivaldi.profile
diff --git a/etc/vivaldi.profile b/etc/vivaldi.profile
index b3a096069..0667c4114 100644
--- a/etc/vivaldi.profile
+++ b/etc/vivaldi.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/vivaldi.local
+
 # Vivaldi browser profile
 noblacklist ~/.config/vivaldi
 noblacklist ~/.cache/vivaldi
diff --git a/etc/vlc.profile b/etc/vlc.profile
index 2fd763f25..9d1cdb4c8 100644
--- a/etc/vlc.profile
+++ b/etc/vlc.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/vlc.local
+
 # VLC media player profile
 noblacklist ${HOME}/.config/vlc
 
@@ -8,7 +12,7 @@ include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
 netfilter
-nogroups
+# nogroups
 nonewprivs
 noroot
 protocol unix,inet,inet6,netlink
diff --git a/etc/w3m.profile b/etc/w3m.profile
index 7ee91bb70..45546440a 100644
--- a/etc/w3m.profile
+++ b/etc/w3m.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/w3m.local
+
 # w3m profile
 noblacklist ~/.w3m
 
diff --git a/etc/warzone2100.profile b/etc/warzone2100.profile
index 7c7efade8..702097d98 100644
--- a/etc/warzone2100.profile
+++ b/etc/warzone2100.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/warzone2100.local
+
 # Firejail profile for warzone2100
 # Currently supports warzone2100-3.1
 noblacklist ~/.warzone2100-3.1
diff --git a/etc/weechat-curses.profile b/etc/weechat-curses.profile
index 4a92f0b34..345196dfb 100644
--- a/etc/weechat-curses.profile
+++ b/etc/weechat-curses.profile
@@ -1,2 +1,6 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/weechat-curses.local
+
 # Weechat IRC profile (Debian)
 include /etc/firejail/weechat.profile
diff --git a/etc/weechat.profile b/etc/weechat.profile
index 410061278..870e02677 100644
--- a/etc/weechat.profile
+++ b/etc/weechat.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/weechat.local
+
 # Weechat IRC profile
 noblacklist ${HOME}/.weechat
 include /etc/firejail/disable-common.inc
diff --git a/etc/wesnoth.profile b/etc/wesnoth.profile
index bb489ddeb..212466f5a 100644
--- a/etc/wesnoth.profile
+++ b/etc/wesnoth.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/wesnoth.local
+
 # Whitelist-based profile for "Battle for Wesnoth" (game).
 noblacklist ${HOME}/.config/wesnoth
 noblacklist ${HOME}/.cache/wesnoth
diff --git a/etc/wget.profile b/etc/wget.profile
index ff4b92bae..cd156a376 100644
--- a/etc/wget.profile
+++ b/etc/wget.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/wget.local
+
 # wget profile
 quiet
 include /etc/firejail/disable-common.inc
diff --git a/etc/whitelist-common.inc b/etc/whitelist-common.inc
index d4e69948e..cf7797100 100644
--- a/etc/whitelist-common.inc
+++ b/etc/whitelist-common.inc
@@ -1,3 +1,6 @@
+# Local customizations come here
+include /etc/firejail/whitelist-common.local
+
 # common whitelist for all profiles
 
 whitelist ~/.XCompose
diff --git a/etc/wine.profile b/etc/wine.profile
index 18e5346af..c732d6edf 100644
--- a/etc/wine.profile
+++ b/etc/wine.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/wine.local
+
 # wine profile
 noblacklist ${HOME}/.steam
 noblacklist ${HOME}/.local/share/steam
diff --git a/etc/wire.profile b/etc/wire.profile
index ec8ed8771..79ac893a9 100644
--- a/etc/wire.profile
+++ b/etc/wire.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/wire.local
+
 # wire messenger profile
 noblacklist ~/.config/Wire
 noblacklist ~/.config/wire
diff --git a/etc/wireshark.profile b/etc/wireshark.profile
index 898fc787e..90909edf1 100644
--- a/etc/wireshark.profile
+++ b/etc/wireshark.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/wireshark.local
+
 # Firejail profile for 
 noblacklist ${HOME}/.config/wireshark
 
@@ -6,17 +10,21 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 
-caps.drop all
+# 
+# The profile allows users to run wireshark as root
+#
+#caps.drop all
+#noroot 
+#protocol unix,inet,inet6,netlink
+
 netfilter
 nogroups
 nonewprivs
-noroot
 nosound
-protocol unix,inet,inet6,netlink
 seccomp
 shell none
 tracelog
 
-private-bin wireshark
+#private-bin wireshark
 private-dev
 private-tmp
diff --git a/etc/xchat.profile b/etc/xchat.profile
index 1f2865cab..0571746b3 100644
--- a/etc/xchat.profile
+++ b/etc/xchat.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/xchat.local
+
 # XChat IRC profile
 noblacklist ${HOME}/.config/xchat
 
diff --git a/etc/xed.profile b/etc/xed.profile
index 051710a70..c8076923a 100644
--- a/etc/xed.profile
+++ b/etc/xed.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/xed.local
+
 # Firejail profile for Xed
 noblacklist ${HOME}/.config/xed
 
diff --git a/etc/xfburn.profile b/etc/xfburn.profile
index 1dd24aa61..a05d844d0 100644
--- a/etc/xfburn.profile
+++ b/etc/xfburn.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/xfburn.local
+
 # xfburn profile
 noblacklist ~/.config/xfburn
 
diff --git a/etc/xiphos.profile b/etc/xiphos.profile
index b7fb6ecf3..7522c00d7 100644
--- a/etc/xiphos.profile
+++ b/etc/xiphos.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/xiphos.local
+
 # Firejail profile for xiphos
 noblacklist ~/.sword
 noblacklist ~/.xiphos
diff --git a/etc/xmms.profile b/etc/xmms.profile
new file mode 100644
index 000000000..b33727c2c
--- /dev/null
+++ b/etc/xmms.profile
@@ -0,0 +1,23 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/xmms.local
+
+# Firejail profile for XMMS
+noblacklist ${HOME}/.xmms
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
+shell none
+no3d
+
+private-bin xmms
+private-dev
diff --git a/etc/xonotic-glx.profile b/etc/xonotic-glx.profile
index b255ffdbb..2f57340de 100644
--- a/etc/xonotic-glx.profile
+++ b/etc/xonotic-glx.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/xonotic-glx.local
+
 #
 #Profile for xonotic:xonotic-glx
 #
diff --git a/etc/xonotic-sdl.profile b/etc/xonotic-sdl.profile
index 783667304..9af845958 100644
--- a/etc/xonotic-sdl.profile
+++ b/etc/xonotic-sdl.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/xonotic-sdl.local
+
 #
 #Profile for xonotic:xonotic-sdl
 #
diff --git a/etc/xonotic.profile b/etc/xonotic.profile
index 75d649619..f2690c6c3 100644
--- a/etc/xonotic.profile
+++ b/etc/xonotic.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/xonotic.local
+
 #
 #Profile for xonotic
 #
diff --git a/etc/xpdf.profile b/etc/xpdf.profile
index 7ea368bbe..b77bc76ac 100644
--- a/etc/xpdf.profile
+++ b/etc/xpdf.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/xpdf.local
+
 ################################
 # xpdf application profile
 ################################
diff --git a/etc/xplayer.profile b/etc/xplayer.profile
index 191d2f67f..d5b80fbc0 100644
--- a/etc/xplayer.profile
+++ b/etc/xplayer.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/xplayer.local
+
 # Xplayer profile
 noblacklist ~/.config/xplayer
 noblacklist ~/.local/share/xplayer
diff --git a/etc/xpra.profile b/etc/xpra.profile
index 32be90b19..d0fff2ebf 100644
--- a/etc/xpra.profile
+++ b/etc/xpra.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/xpra.local
+
 # xpra profile
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/xreader.profile b/etc/xreader.profile
index d2a000bd0..2e6015aef 100644
--- a/etc/xreader.profile
+++ b/etc/xreader.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/xreader.local
+
 # Xreader profile
 noblacklist ~/.config/xreader
 noblacklist ~/.cache/xreader
diff --git a/etc/xviewer.profile b/etc/xviewer.profile
index ca380b4c7..d784ddfb3 100644
--- a/etc/xviewer.profile
+++ b/etc/xviewer.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/xviewer.local
+
 # xviewer profile
 noblacklist ~/.config/xviewer
 
diff --git a/etc/xz.profile b/etc/xz.profile
index 5b29f7338..2f7d9cae5 100644
--- a/etc/xz.profile
+++ b/etc/xz.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/xz.local
+
 # xz profile
 quiet
 include /etc/firejail/cpio.profile
diff --git a/etc/xzdec.profile b/etc/xzdec.profile
index 6164e3200..e938b81ec 100644
--- a/etc/xzdec.profile
+++ b/etc/xzdec.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/xzdec.local
+
 # xzdec profile
 quiet
 ignore noroot
diff --git a/etc/zathura.profile b/etc/zathura.profile
index 6c93a2480..f75541dad 100644
--- a/etc/zathura.profile
+++ b/etc/zathura.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/zathura.local
+
 # zathura document viewer profile
 noblacklist ~/.config/zathura
 noblacklist ~/.local/share/zathura
diff --git a/etc/zoom.profile b/etc/zoom.profile
index 4c08868cf..809356d95 100644
--- a/etc/zoom.profile
+++ b/etc/zoom.profile
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/zoom.local
+
 # Firejail profile for zoom.us
 noblacklist ~/.config/zoomus.conf