profiles: Miscellaneous cleanups (#5918)

2026-05-15 14:16:14 -06:00 · 2023-07-25 19:32:12 +00:00 · 2023-07-25 19:32:12 +00:00 · 63b306179f
commit 63b306179f
parent 67f5ae8a4f
18 changed files with 42 additions and 42 deletions
--- a/etc/firejail.config
+++ b/etc/firejail.config
@ -163,12 +163,12 @@
 # Xpra server command extra parameters. None by default; this is an example.
 # xpra-extra-params --dpi 96

-# Screen size for --x11=xvfb, default 800x600x24.  The third dimension is
+# Screen size for --x11=xvfb, default 800x600x24. The third dimension is
 # color depth; use 24 unless you know exactly what you're doing.
 # xvfb-screen 640x480x24
 # xvfb-screen 800x600x24
 # xvfb-screen 1024x768x24
 # xvfb-screen 1280x1024x24

-# Xvfb command extra parameters.  None by default; this is an example.
+# Xvfb command extra parameters. None by default; this is an example.
 # xvfb-extra-params -pixdepths 8 24 32
--- a/etc/inc/disable-interpreters.inc
+++ b/etc/inc/disable-interpreters.inc
@ -44,8 +44,7 @@ blacklist /usr/share/perl*
 # it is needed so that Firefox can run applications with Terminal=true in
 # their .desktop file (depending on what is installed). The reason is that
 # this is done via glib, which currently uses a hardcoded list of terminal
-# emulators:
-#   https://gitlab.gnome.org/GNOME/glib/-/issues/338
+# emulators: https://gitlab.gnome.org/GNOME/glib/-/issues/338.
 # And in this list, rxvt comes before xterm.
 blacklist ${PATH}/rxvt

--- a/etc/profile-a-l/1password.profile
+++ b/etc/profile-a-l/1password.profile
@ -13,7 +13,7 @@ whitelist ${HOME}/.config/1Password

 private-etc @tls-ca

-# Needed for keychain things, talking to Firefox, possibly other things?  Not sure how to narrow down
+# Needed for keychain things, talking to Firefox, possibly other things?
 ignore dbus-user none

 # Redirect
--- a/etc/profile-a-l/brave.profile
+++ b/etc/profile-a-l/brave.profile
@ -9,8 +9,8 @@ include globals.local
 # noexec /tmp is included in chromium-common.profile and breaks Brave
 ignore noexec /tmp
 # TOR is installed in ${HOME}.
-# NOTE: chromium-common.profile enables apparmor. To keep that intact
-# you will need to uncomment the 'brave + tor' rule in /etc/apparmor.d/local/firejail-default.
+# Note: chromium-common.profile enables apparmor. To keep that intact,
+# uncomment the 'brave + tor' rule in /etc/apparmor.d/local/firejail-default.
 # Alternatively you can add 'ignore apparmor' to your brave.local.
 ignore noexec ${HOME}
 # Causes slow starts (#4604)
--- a/etc/profile-a-l/cachy-browser.profile
+++ b/etc/profile-a-l/cachy-browser.profile
@ -20,14 +20,14 @@ whitelist /usr/share/cachy-browser
 #whitelist ${HOME}/.mozilla

 # To enable KeePassXC Plugin add one of the following lines to your cachy-browser.local.
-# NOTE: start KeePassXC before CachyBrowser and keep it open to allow communication between them.
+# Note: Start KeePassXC before CachyBrowser and keep it open to allow communication between them.
 #whitelist ${RUNUSER}/kpxc_server
 #whitelist ${RUNUSER}/org.keepassxc.KeePassXC.BrowserServer

 # Add the next line to your cachy-browser.local to enable private-bin (Arch Linux).
 #private-bin dbus-launch,dbus-send,cachy-browser,sh
 # Add the next line to your cachy-browser.local to enable private-etc.
-# NOTE: private-etc must first be enabled in firefox-common.local.
+# Note: private-etc must first be enabled in firefox-common.local.
 #private-etc cachy-browser

 dbus-user filter
--- a/etc/profile-a-l/discord-ptb.profile
+++ b/etc/profile-a-l/discord-ptb.profile
@ -1,17 +1,17 @@
-# Firejail profile for discord-ptb   
+# Firejail profile for discord-ptb
 # This file is overwritten after every install/update
 # Persistent local customizations
-include discord-ptb.local   
+include discord-ptb.local
 # Persistent global definitions
 include globals.local

-noblacklist ${HOME}/.config/discordptb   
+noblacklist ${HOME}/.config/discordptb

-mkdir ${HOME}/.config/discordptb   
-whitelist ${HOME}/.config/discordptb   
+mkdir ${HOME}/.config/discordptb
+whitelist ${HOME}/.config/discordptb

-private-bin discord-ptb,DiscordPTB   
-private-opt discord-ptb,DiscordPTB   
+private-bin discord-ptb,DiscordPTB
+private-opt discord-ptb,DiscordPTB

 # Redirect
 include discord-common.profile
--- a/etc/profile-a-l/firefox.profile
+++ b/etc/profile-a-l/firefox.profile
@ -6,7 +6,7 @@ include firefox.local
 # Persistent global definitions
 include globals.local

-# NOTE: sandboxing web browsers is as important as it is complex. Users might be
+# Note: Sandboxing web browsers is as important as it is complex. Users might be
 # interested in creating custom profiles depending on use case (e.g. one for
 # general browsing, another for banking, ...). Consult our FAQ/issue tracker for more
 # info. Here are a few links to get you going.
@ -30,7 +30,7 @@ whitelist ${HOME}/.cache/mozilla/firefox
 whitelist ${HOME}/.mozilla

 # Add one of the following whitelist options to your firefox.local to enable KeePassXC Plugin support.
-# NOTE: start KeePassXC before Firefox and keep it open to allow communication between them.
+# Note: Start KeePassXC before Firefox and keep it open to allow communication between them.
 #whitelist ${RUNUSER}/kpxc_server
 #whitelist ${RUNUSER}/org.keepassxc.KeePassXC.BrowserServer

--- a/etc/profile-a-l/gnome-calendar.profile
+++ b/etc/profile-a-l/gnome-calendar.profile
@ -53,7 +53,7 @@ dbus-user.talk ca.desrt.dconf
 dbus-user.talk org.gnome.evolution.dataserver.*
 #dbus-user.talk org.gnome.OnlineAccounts
 #dbus-user.talk org.gnome.ControlCenter
-# NOTE: dbus-system none fails, filter without rules works.
+# Note: dbus-system none fails, filter without rules works.
 dbus-system filter
 #dbus-system.talk org.freedesktop.timedate1
 #dbus-system.talk org.freedesktop.login1
--- a/etc/profile-a-l/krunner.profile
+++ b/etc/profile-a-l/krunner.profile
@ -6,9 +6,9 @@ include krunner.local
 # Persistent global definitions
 include globals.local

-# - programs started in krunner run with this generic profile
-# - when a file is opened in krunner, the file viewer runs in its own sandbox
-#   with its own profile, if it is sandboxed automatically
+# Programs started in krunner run with this generic profile.
+# When a file is opened in krunner, the file viewer runs in its own sandbox
+# with its own profile, if it is sandboxed automatically.

 # noblacklist ${HOME}/.cache/krunner
 # noblacklist ${HOME}/.cache/krunnerbookmarkrunnerfirefoxdbfile.sqlite*
--- a/etc/profile-a-l/librewolf.profile
+++ b/etc/profile-a-l/librewolf.profile
@ -19,7 +19,7 @@ whitelist ${HOME}/.librewolf
 #whitelist ${HOME}/.mozilla

 # To enable KeePassXC Plugin add one of the following lines to your librewolf.local.
-# NOTE: start KeePassXC before Librewolf and keep it open to allow communication between them.
+# Note: Start KeePassXC before Librewolf and keep it open to allow communication between them.
 #whitelist ${RUNUSER}/kpxc_server
 #whitelist ${RUNUSER}/org.keepassxc.KeePassXC.BrowserServer

@ -28,7 +28,7 @@ whitelist /usr/share/librewolf
 # Add the next line to your librewolf.local to enable private-bin (Arch Linux).
 #private-bin dbus-launch,dbus-send,librewolf,sh
 # Add the next line to your librewolf.local to enable private-etc.
-# NOTE: private-etc must first be enabled in firefox-common.local.
+# Note: private-etc must first be enabled in firefox-common.local.
 #private-etc librewolf

 dbus-user filter
--- a/etc/profile-m-z/minetest.profile
+++ b/etc/profile-m-z/minetest.profile
@ -6,8 +6,9 @@ include minetest.local
 # Persistent global definitions
 include globals.local

-# In order to save in-game screenshots to a persistent location edit ~/.minetest/minetest.conf:
-#   screenshot_path = /home/<USER>/.minetest/screenshots
+# In order to save in-game screenshots to a persistent location,
+# edit ~/.minetest/minetest.conf:
+# screenshot_path = /home/<USER>/.minetest/screenshots

 noblacklist ${HOME}/.cache/minetest
 noblacklist ${HOME}/.minetest
--- a/etc/profile-m-z/mpv.profile
+++ b/etc/profile-m-z/mpv.profile
@ -9,7 +9,7 @@ include globals.local

 # In order to save screenshots to a persistent location,
 # edit ~/.config/mpv/foobar.conf:
-#    screenshot-directory=~/Pictures
+# screenshot-directory=~/Pictures

 # mpv has a powerful Lua API and some of the Lua scripts interact with
 # external resources which are blocked by firejail. In such cases you need to
--- a/etc/profile-m-z/nodejs-common.profile
+++ b/etc/profile-m-z/nodejs-common.profile
@ -7,7 +7,7 @@ include nodejs-common.local
 # added by caller profile
 #include globals.local

-# NOTE: gulp, node-gyp, npm, npx, semver and yarn are all node scripts
+# Note: gulp, node-gyp, npm, npx, semver and yarn are all node scripts
 # using the `#!/usr/bin/env node` shebang. By sandboxing node the full
 # node.js stack will be firejailed. The only exception is nvm, which is implemented
 # as a sourced shell function, not an executable binary. Hence it is not
--- a/etc/profile-m-z/noprofile.profile
+++ b/etc/profile-m-z/noprofile.profile
@ -1,17 +1,16 @@
 # This is the weakest possible firejail profile.
-# If a program still fail with this profile, it is incompatible with firejail.
+# If a program still fails with this profile, it is incompatible with firejail.
 # (from https://gist.github.com/rusty-snake/bb234cb3e50e1e4e7429f29a7931cc72)
 #
 # Usage:
-#   1. download
-#   2. firejail --profile=noprofile.profile /path/to/program
+# $ firejail --profile=noprofile.profile /path/to/program

 # Keep in mind that even with this profile some things are done
-# which can break the program.
-# - some env-vars are cleared
-# - /etc/firejail/firejail.config can contain options such as 'force-nonewprivs yes'
-# - a new private pid-namespace is created
-# - a minimal hardcoded blacklist is applied
+# which can break the program:
+# - some env-vars are cleared;
+# - /etc/firejail/firejail.config can contain options such as 'force-nonewprivs yes';
+# - a new private pid-namespace is created;
+# - a minimal hardcoded blacklist is applied;
 # - ...

 noblacklist /sys/fs
--- a/etc/profile-m-z/pingus.profile
+++ b/etc/profile-m-z/pingus.profile
@ -23,8 +23,9 @@ include disable-xdg.inc

 mkdir ${HOME}/.pingus
 whitelist ${HOME}/.pingus
+# Debian keeps games data under /usr/share/games
+whitelist /usr/share/games/pingus
 whitelist /usr/share/pingus
-whitelist /usr/share/games/pingus      # Debian keeps games data under /usr/share/games
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
--- a/etc/profile-m-z/rtin.profile
+++ b/etc/profile-m-z/rtin.profile
@ -1,6 +1,6 @@
 # Firejail profile for rtin
 # Description: ncurses-based Usenet newsreader
-#              symlink to tin, same as `tin -r`
+# symlink to tin, same as `tin -r`
 # This file is overwritten after every install/update
 # Persistent local customizations
 include rtin.local
--- a/etc/profile-m-z/steam.profile
+++ b/etc/profile-m-z/steam.profile
@ -133,9 +133,9 @@ whitelist ${HOME}/.steampid
 include whitelist-common.inc
 include whitelist-var-common.inc

-# NOTE: The following were intentionally left out as they are alternative
+# Note: The following were intentionally left out as they are alternative
 # (i.e.: unnecessary and/or legacy) paths whose existence may potentially
-# clobber other paths (see #4225).  If you use any, either add the entry to
+# clobber other paths (see #4225). If you use any, either add the entry to
 # steam.local or move the contents to a path listed above (or open an issue if
 # it's missing above).
 #mkdir ${HOME}/.config/RogueLegacyStorageContainer
--- a/etc/profile-m-z/tin.profile
+++ b/etc/profile-m-z/tin.profile
@ -24,8 +24,8 @@ include disable-xdg.inc
 mkdir ${HOME}/.tin
 mkfile ${HOME}/.newsrc
 # Note: files/directories directly in ${HOME} can't be whitelisted, as
-#       tin saves .newsrc by renaming a temporary file, which is not possible for
-#       bind-mounted files.
+# tin saves .newsrc by renaming a temporary file, which is not possible for
+# bind-mounted files.
 #whitelist ${HOME}/.newsrc
 #whitelist ${HOME}/.tin
 #include whitelist-common.inc