diff --git a/etc/profile-a-l/archiver-common.profile b/etc/profile-a-l/archiver-common.profile index 74b0b6ef6..0ab6465ca 100644 --- a/etc/profile-a-l/archiver-common.profile +++ b/etc/profile-a-l/archiver-common.profile @@ -6,24 +6,19 @@ include archiver-common.local blacklist ${RUNUSER} -# WARNING: Users can (un)restrict file access for **all** archivers by -# commenting/uncommenting the needed include file(s) here or by putting those -# into archiver-common.local. -# -# Another option is to do this **per archiver** in the relevant -# .local. Just beware that things tend to break when overtightening -# profiles. For example, because you only need to (un)compress files in -# ${DOWNLOADS}, other applications may need access to ${HOME}/.local/share. +# Comment/uncomment the relevant include file(s) in your archiver-common.local +# to (un)restrict file access for **all** archivers. Another option is to do this **per archiver** +# in the relevant .local. Beware that things tend to break when overtightening +# profiles. For example, because you only need to (un)compress files in ${DOWNLOADS}, +# other applications may need access to ${HOME}/.local/share. -# Uncomment the next line (or put it into your archiver-common.local) if you -# don't need to compress files in disable-common.inc. +# Add the next line to your archiver-common.local if you don't need to compress files in disable-common.inc. #include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc include disable-passwdmgr.inc -# Uncomment the next line (or put it into your archiver-common.local) if you -# don't need to compress files in disable-programs.inc. +# Add the next line to your archiver-common.local if you don't need to compress files in disable-programs.inc. #include disable-programs.inc include disable-shell.inc diff --git a/etc/profile-a-l/aria2c.profile b/etc/profile-a-l/aria2c.profile index d2dcaace1..bef708bdc 100644 
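Review bot: The rewritten header comment in archiver-common.profile tells users to "Comment/uncomment the relevant include file(s) in your archiver-common.local", while the per-directive comments below it now say to add the line to archiver-common.local. An override file has nothing to uncomment, so the header should use the same wording, e.g. `# Add the relevant include file(s) to your archiver-common.local to restrict file access for **all** archivers.` The same sentence is carried into hasher-common.profile. It would also be clearer to write "files blacklisted by disable-common.inc" instead of "files in disable-common.inc", because while that include stays commented out the archivers keep access to every path it would blacklist.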
--- a/etc/profile-a-l/aria2c.profile +++ b/etc/profile-a-l/aria2c.profile @@ -40,9 +40,9 @@ seccomp shell none # disable-mnt -# Add your custom event hook commands to 'private-bin' in your aria2c.local +# Add your custom event hook commands to 'private-bin' in your aria2c.local. private-bin aria2c,gzip -# Uncomment the next line (or put 'private-cache' in your aria2c.local) if you don't use Lutris/winetricks (see issue #2772) +# Add 'private-cache' to your aria2c.local if you don't use Lutris/winetricks (see issue #2772). #private-cache private-dev private-etc alternatives,ca-certificates,crypto-policies,groups,login.defs,machine-id,nsswitch.conf,passwd,pki,resolv.conf,ssl diff --git a/etc/profile-a-l/bcompare.profile b/etc/profile-a-l/bcompare.profile index 178e2dc9f..5c93f8be9 100644 --- a/etc/profile-a-l/bcompare.profile +++ b/etc/profile-a-l/bcompare.profile 
@@ -12,37 +12,25 @@ noblacklist ${HOME}/.config/bcompare # KDE's Gwenview to view images via right click -> Open With -> Associated Application noblacklist ${HOME}/.config/gwenviewrc -# Uncomment the next line (or put it into your bcompare.local) if you don't need to compare files in disable-common.inc +# Add the next line to your bcompare.local if you don't need to compare files in disable-common.inc. #include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc include disable-passwdmgr.inc -# Uncomment the next line (or put it into your bcompare.local) if you don't need to compare files in disable-programs.inc +# Add the next line to your bcompare.local if you don't need to compare files in disable-programs.inc. #include disable-programs.inc -# Uncommenting this breaks launch -# include disable-shell.inc +#include disable-shell.inc - breaks launch include disable-write-mnt.inc -# Don't disable ${DOCUMENTS}, ${MUSIC}, ${PICTURES}, ${VIDEOS} -# include disable-xdg.inc - -# include whitelist-common.inc -# include whitelist-runuser-common.inc -# include whitelist-usr-share-common.inc -# include whitelist-var-common.inc apparmor caps.drop all -# Uncommenting might break Pulse Audio -#machine-id net none no3d nodvd nogroups nonewprivs noroot -# Allow applications launched on sound files to play them -#nosound notv nou2f novideo @@ -53,9 +41,6 @@ tracelog private-cache private-dev -# see /usr/share/doc/firejail/profile.template for more common private-etc paths. -# private-etc alternatives,fonts,machine-id -# Necessary because of the `include disable-exec.inc` line. Prevents error "Error fstat: fs.c:504 fs_remount_simple: Transport endpoint is not connected ... cannot sync with peer: unexpected EOF Peer [...] unexpectedly exited with status 1" private-tmp dbus-user none diff --git a/etc/profile-a-l/chromium-common.profile b/etc/profile-a-l/chromium-common.profile index 3667c350d..e9bef8df7 100644 
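Review bot: The new `#include disable-shell.inc - breaks launch` line in bcompare.profile puts the explanation on the same line as the commented-out directive. Removing the `#`, or copying the line into bcompare.local, yields `include disable-shell.inc - breaks launch`, which is no longer the directive it documents. Keeping the reason on its own comment line avoids that: `# 'include disable-shell.inc' breaks launch` followed by `#include disable-shell.inc`. The same pattern is introduced on the `#private-tmp` and `#dbus-user none` lines in chromium-common.profile and kept on the `#mkfile ${HOME}/.digrc` line in dig.profile.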
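Review bot: The second bcompare.profile hunk deletes the comment that explained why `private-tmp` is required ("Necessary because of the `include disable-exec.inc` line", together with the fs_remount_simple error it prevents) and leaves the bare directive. That rationale is what tells a later editor that adding `ignore private-tmp` or dropping the line will bring the launch failure back. A shortened form would keep it, e.g. `# private-tmp is needed because of 'include disable-exec.inc' (prevents "fs_remount_simple: Transport endpoint is not connected").`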
--- a/etc/profile-a-l/chromium-common.profile +++ b/etc/profile-a-l/chromium-common.profile @@ -30,12 +30,10 @@ include whitelist-runuser-common.inc include whitelist-usr-share-common.inc include whitelist-var-common.inc -# Uncomment the next line (or add it to your chromium-common.local) -# if your kernel allows unprivileged userns clone. +# Add the next line to your chromium-common.local if your kernel allows unprivileged userns clone. #include chromium-common-hardened.inc.profile -# Uncomment or put in your chromium-common.local to allow screen sharing under -# wayland. +# Add the next line to your chromium-common.local to allow screen sharing under wayland. #whitelist ${RUNUSER}/pipewire-0 apparmor @@ -50,12 +48,10 @@ shell none disable-mnt private-cache ?BROWSER_DISABLE_U2F: private-dev -# problems with multiple browser sessions -#private-tmp +#private-tmp - issues when using multiple browser sessions -# prevents access to passwords saved in GNOME Keyring and KWallet, also breaks Gnome connector -# dbus-user none +#dbus-user none - prevents access to passwords saved in GNOME Keyring and KWallet, also breaks Gnome connector. dbus-system none -# the file dialog needs to work without d-bus +# The file dialog needs to work without d-bus. ?HAS_NODBUS: env NO_CHROME_KDE_FILE_DIALOG=1 diff --git a/etc/profile-a-l/claws-mail.profile b/etc/profile-a-l/claws-mail.profile index b4a8303a2..691657fa0 100644 --- a/etc/profile-a-l/claws-mail.profile +++ b/etc/profile-a-l/claws-mail.profile @@ -11,7 +11,7 @@ noblacklist ${HOME}/.claws-mail mkdir ${HOME}/.claws-mail whitelist ${HOME}/.claws-mail -# If you use python-based plugins you need to uncomment the below (or put them in your claws-mail.local) +# Add the below lines to your claws-mail.local if you use python-based plugins. # Allow python (blacklisted by disable-interpreters.inc) #include allow-python2.inc #include allow-python3.inc 
@@ -23,7 +23,7 @@ whitelist /usr/share/doc/claws-mail dbus-user filter dbus-user.talk ca.desrt.dconf dbus-user.talk org.gnome.keyring.SystemPrompter -# if you use the notification plugin you need to uncomment the below (or put them in your claws-mail.local) +# Add the next line to your claws-mail.local if you use the notification plugin. # dbus-user.talk org.freedesktop.Notifications # Redirect diff --git a/etc/profile-a-l/clipgrab.profile b/etc/profile-a-l/clipgrab.profile index dace5e83e..130d23522 100644 --- a/etc/profile-a-l/clipgrab.profile +++ b/etc/profile-a-l/clipgrab.profile @@ -42,6 +42,6 @@ private-cache private-dev private-tmp -# Breaks tray icon, uncomment or add to clipgrab.local if you don't need it +# 'dbus-user none' breaks tray menu - add 'dbus-user none' to your clipgrab.local if you don't need it. # dbus-user none # dbus-system none diff --git a/etc/profile-a-l/curl.profile b/etc/profile-a-l/curl.profile index f8b194044..9366edfa1 100644 --- a/etc/profile-a-l/curl.profile +++ b/etc/profile-a-l/curl.profile @@ -9,9 +9,9 @@ include globals.local # curl 7.74.0 introduces experimental support for HSTS cache # https://daniel.haxx.se/blog/2020/11/03/hsts-your-curl/ -# technically this file can be anywhere but let's assume users have it in ${HOME}/.curl-hsts -# if your setup diverts, add 'blacklist /path/to/curl/hsts/file' to your disable-programs.local -# and 'noblacklist /path/to/curl/hsts/file' to curl.local to keep the sandbox logic intact +# Technically this file can be anywhere but let's assume users have it in ${HOME}/.curl-hsts. +# If your setup diverts, add 'blacklist /path/to/curl/hsts/file' to your disable-programs.local +# and 'noblacklist /path/to/curl/hsts/file' to curl.local to keep the sandbox logic intact. noblacklist ${HOME}/.curl-hsts noblacklist ${HOME}/.curlrc 
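Review bot: The new clipgrab.profile comment names only `dbus-user none`, but it sits above two commented-out directives, `# dbus-user none` and `# dbus-system none`. A user following it literally adds the first and leaves the system bus unrestricted. If both are meant to be opted into, the comment should say so, e.g. `# 'dbus-user none' breaks the tray menu - add the next two lines to your clipgrab.local if you don't need it.` If the tray breakage comes from the user bus alone, as the wording suggests, `dbus-system none` could presumably be enabled by default instead; that needs confirming against the application.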
@@ -22,7 +22,7 @@ include disable-common.inc include disable-exec.inc include disable-passwdmgr.inc include disable-programs.inc -# depending on workflow you can uncomment the below or put 'include disable-xdg.inc' in your curl.local +# Depending on workflow you can add 'include disable-xdg.inc' to your curl.local. #include disable-xdg.inc include whitelist-usr-share-common.inc diff --git a/etc/profile-a-l/dig.profile b/etc/profile-a-l/dig.profile index 80d97a31f..b99b31df8 100644 --- a/etc/profile-a-l/dig.profile +++ b/etc/profile-a-l/dig.profile @@ -21,7 +21,7 @@ include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc -#mkfile ${HOME}/.digrc -- see #903 +#mkfile ${HOME}/.digrc - see #903 whitelist ${HOME}/.digrc include whitelist-common.inc include whitelist-usr-share-common.inc @@ -49,7 +49,7 @@ tracelog disable-mnt private-bin bash,dig,sh private-dev -# Uncomment the next line (or put 'private-lib' in your dig.local) on non Debian/Ubuntu OS (see issue #3038) +# Add the next line to your dig.local on non Debian/Ubuntu OS (see issue #3038). #private-lib private-tmp diff --git a/etc/profile-a-l/dolphin-emu.profile b/etc/profile-a-l/dolphin-emu.profile index fc920a065..49feec32e 100644 --- a/etc/profile-a-l/dolphin-emu.profile +++ b/etc/profile-a-l/dolphin-emu.profile @@ -6,7 +6,7 @@ include dolphin-emu.local # Persistent global definitions include globals.local -# Note: you must whitelist your games folder in a dolphin-emu.local +# Note: you must whitelist your games folder in your dolphin-emu.local. noblacklist ${HOME}/.cache/dolphin-emu noblacklist ${HOME}/.config/dolphin-emu 
@@ -36,10 +36,10 @@ include whitelist-var-common.inc apparmor caps.drop all ipc-namespace -# uncomment the following line if you do not need NetPlay support +# Add the next line to your dolphin-emu.local if you do not need NetPlay support. # net none netfilter -# uncomment the following line if you do not need disc support +# Add the next line to your dolphin-emu.local if you do not need disc support. #nodvd nogroups nonewprivs @@ -54,7 +54,7 @@ tracelog private-bin bash,dolphin-emu,dolphin-emu-x11,sh private-cache -# uncomment the following line if you do not need controller support +# Add the next line to your dolphin-emu.local if you do not need controller support. #private-dev private-etc alsa,alternatives,asound.conf,bumblebee,ca-certificates,crypto-policies,dconf,drirc,fonts,gconf,glvnd,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,kde4rc,kde5rc,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,nvidia,pango,pki,protocols,pulse,resolv.conf,rpc,services,ssl,Trolltech.conf,X11,xdg private-opt none diff --git a/etc/profile-a-l/electron.profile b/etc/profile-a-l/electron.profile index 79b449ab1..8785a192c 100644 --- a/etc/profile-a-l/electron.profile +++ b/etc/profile-a-l/electron.profile @@ -18,8 +18,7 @@ include whitelist-runuser-common.inc include whitelist-usr-share-common.inc include whitelist-var-common.inc -# Uncomment the next line (or add it to your chromium-common.local) -# if your kernel allows unprivileged userns clone. +# Add the next line to your chromium-common.local if your kernel allows unprivileged userns clone. #include chromium-common-hardened.inc.profile apparmor diff --git a/etc/profile-a-l/emacs.profile b/etc/profile-a-l/emacs.profile index 226237b5b..55bf743ef 100644 --- a/etc/profile-a-l/emacs.profile +++ b/etc/profile-a-l/emacs.profile 
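Review bot: The reworded comment in electron.profile still directs users to chromium-common.local (`# Add the next line to your chromium-common.local if your kernel allows unprivileged userns clone.`), and nothing in the visible hunk shows electron.profile reading that file. If this profile only includes its own electron.local, a user following the comment would enable `chromium-common-hardened.inc.profile` for the Chromium-based browsers and not for Electron. In that case the comment should read `# Add the next line to your electron.local if your kernel allows unprivileged userns clone.` The top of the profile is outside the hunk, so this needs checking against its include lines.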
@@ -8,8 +8,7 @@ include globals.local noblacklist ${HOME}/.emacs noblacklist ${HOME}/.emacs.d -# if you need gpg uncomment the following line -# or put it into your emacs.local +# Add the next line to your emacs.local if you need gpg support. #noblacklist ${HOME}/.gnupg # Allows files commonly used by IDEs diff --git a/etc/profile-a-l/evince.profile b/etc/profile-a-l/evince.profile index 25d5196fc..eeccb81be 100644 --- a/etc/profile-a-l/evince.profile +++ b/etc/profile-a-l/evince.profile @@ -6,8 +6,8 @@ include evince.local # Persistent global definitions include globals.local -# Uncomment this line and the bottom ones to use bookmarks -# NOTE: This possibly exposes information, including file history from other programs. +# WARNING: using bookmarks possibly exposes information, including file history from other programs. +# Add the next line to your evince.local if you need bookmarks support. This also needs additional dbus-user filtering (see below). #noblacklist ${HOME}/.local/share/gvfs-metadata noblacklist ${HOME}/.config/evince @@ -57,9 +57,9 @@ private-etc alternatives,fonts,group,ld.so.cache,machine-id,passwd private-lib evince,gcc/*/*/libgcc_s.so.*,gcc/*/*/libstdc++.so.*,gconv,gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libdjvulibre.so.*,libgconf-2.so.*,libgraphite2.so.*,libpoppler-glib.so.*,librsvg-2.so.*,libspectre.so.* private-tmp -# might break two-page-view on some systems +# dbus-user filtering might break two-page-view on some systems dbus-user filter -# Also uncomment these two lines if you want to use bookmarks +# Add the next two lines to your evince.local if you need bookmarks support. #dbus-user.talk org.gtk.vfs.Daemon #dbus-user.talk org.gtk.vfs.Metadata dbus-system none diff --git a/etc/profile-a-l/exiftool.profile b/etc/profile-a-l/exiftool.profile index 30135d4bc..b6741d701 100644 --- a/etc/profile-a-l/exiftool.profile +++ b/etc/profile-a-l/exiftool.profile 
@@ -42,8 +42,9 @@ shell none tracelog x11 none -# To support exiftool in private-bin on Arch Linux (and derivatives), symlink /usr/bin/vendor_perl/exiftool to /usr/bin/exiftool and uncomment the below. -# Users on non-Arch Linux distributions can safely uncomment (or put in exiftool.local) the line below to enable extra hardening. +# To support exiftool in private-bin on Arch Linux (and derivatives), symlink /usr/bin/vendor_perl/exiftool +# to /usr/bin/exiftool and add the below to your exiftool.local. +# Non-Arch Linux users can safely add the below to their exiftool.local for extra hardening. #private-bin exiftool,perl private-cache private-dev diff --git a/etc/profile-a-l/feh.profile b/etc/profile-a-l/feh.profile index 4d6a0c33a..68ce0da61 100644 --- a/etc/profile-a-l/feh.profile +++ b/etc/profile-a-l/feh.profile @@ -15,10 +15,8 @@ include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc -# This profile disables network access -# In order to enable network access, -# uncomment the following or put it in your feh.local: -# include feh-network.inc.profile +# Add the next line to your feh.local to enable network access. +#include feh-network.inc.profile caps.drop all net none diff --git a/etc/profile-a-l/firefox-common.profile b/etc/profile-a-l/firefox-common.profile index a955722c8..b0ead7590 100644 --- a/etc/profile-a-l/firefox-common.profile +++ b/etc/profile-a-l/firefox-common.profile @@ -9,7 +9,7 @@ include firefox-common.local # noexec ${HOME} breaks DRM binaries. ?BROWSER_ALLOW_DRM: ignore noexec ${HOME} -# Uncomment the following line (or put it in your firefox-common.local) to allow access to common programs/addons/plugins. +# Add the next line to your firefox-common.local to allow access to common programs/addons/plugins. #include firefox-common-addons.profile noblacklist ${HOME}/.pki 
@@ -32,7 +32,7 @@ include whitelist-var-common.inc apparmor caps.drop all -# machine-id breaks pulse audio; it should work fine in setups where sound is not required. +# machine-id breaks pulse audio; add it to your firefox-common.local if sound is not required. #machine-id netfilter nodvd @@ -52,10 +52,11 @@ shell none disable-mnt ?BROWSER_DISABLE_U2F: private-dev # private-etc below works fine on most distributions. There are some problems on CentOS. +# Add it to your firefox-common.local if you want to enable it. #private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,group,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,machine-id,mailcap,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,selinux,ssl,X11,xdg private-tmp -# breaks various desktop integration features -# among other things global menus, native notifications, Gnome connector, KDE connect and power management on KDE Plasma +# 'dbus-user none' breaks various desktop integration features like global menus, native notifications, +# Gnome connector, KDE connect and power management on KDE Plasma. dbus-user none dbus-system none diff --git a/etc/profile-a-l/firefox.profile b/etc/profile-a-l/firefox.profile index 68dd350ca..cefba93d4 100644 --- a/etc/profile-a-l/firefox.profile +++ b/etc/profile-a-l/firefox.profile @@ -14,8 +14,8 @@ mkdir ${HOME}/.mozilla whitelist ${HOME}/.cache/mozilla/firefox whitelist ${HOME}/.mozilla -# Uncomment or put in your firefox.local one of the following whitelist to enable KeePassXC Plugin -# NOTE: start KeePassXC before Firefox and keep it open to allow communication between them +# Add one of the following whitelist options to your firefox.local to enable KeePassXC Plugin support. +# NOTE: start KeePassXC before Firefox and keep it open to allow communication between them. #whitelist ${RUNUSER}/kpxc_server #whitelist ${RUNUSER}/org.keepassxc.KeePassXC.BrowserServer 
@@ -27,31 +27,30 @@ whitelist /usr/share/mozilla whitelist /usr/share/webext include whitelist-usr-share-common.inc -# firefox requires a shell to launch on Arch. +# firefox requires a shell to launch on Arch - add the next line to your firefox.local to enable private-bin. #private-bin bash,dbus-launch,dbus-send,env,firefox,sh,which -# Fedora use shell scripts to launch firefox, at least this is required +# Fedora uses shell scripts to launch firefox - add the next line to your firefox.local to enable private-bin. #private-bin basename,bash,cat,dirname,expr,false,firefox,firefox-wayland,getenforce,ln,mkdir,pidof,restorecon,rm,rmdir,sed,sh,tclsh,true,uname -# private-etc must first be enabled in firefox-common.profile +# Add the next line to your firefox.local to enable private-etc support - note that this must be enabled in your firefox-common.local too. #private-etc firefox dbus-user filter dbus-user.own org.mozilla.Firefox.* dbus-user.own org.mozilla.firefox.* dbus-user.own org.mpris.MediaPlayer2.firefox.* -# Uncomment or put in your firefox.local to enable native notifications. +# Add the next line to your firefox.local to enable native notifications. #dbus-user.talk org.freedesktop.Notifications -# Uncomment or put in your firefox.local to allow to inhibit screensavers +# Add the next line to your firefox.local to allow inhibiting screensavers. #dbus-user.talk org.freedesktop.ScreenSaver -# Uncomment or put in your firefox.local for plasma browser integration +# Add the next lines to your firefox.local for plasma browser integration. #dbus-user.own org.mpris.MediaPlayer2.plasma-browser-integration #dbus-user.talk org.kde.JobViewServer #dbus-user.talk org.kde.kuiserver -# Uncomment or put in your firefox.local to allow screen sharing under wayland. +# Add the next two lines to your firefox.local to allow screen sharing under wayland. 
#whitelist ${RUNUSER}/pipewire-0 #dbus-user.talk org.freedesktop.portal.* -# Also uncomment or put in your firefox.local if screen sharing sharing still -# does not work with the above lines (might depend on the portal -# implementation) +# Add the next line to your firefox.local if screen sharing sharing still does not work +# with the above lines (might depend on the portal implementation). #ignore noroot ignore dbus-user none diff --git a/etc/profile-a-l/gajim.profile b/etc/profile-a-l/gajim.profile index 125ddf79c..e2da1747e 100644 --- a/etc/profile-a-l/gajim.profile +++ b/etc/profile-a-l/gajim.profile @@ -21,7 +21,7 @@ include disable-exec.inc include disable-interpreters.inc include disable-passwdmgr.inc include disable-programs.inc -# Comment the following line if you need to whitelist folders other than ~/Downloads +# Add 'ignore include disable-xdg.inc' to your gajim.local if you need to whitelist folders other than ~/Downloads. include disable-xdg.inc mkdir ${HOME}/.gnupg @@ -73,7 +73,7 @@ dbus-user.talk org.kde.kwalletd5 dbus-user.talk org.mpris.MediaPlayer2.* dbus-system filter dbus-system.talk org.freedesktop.login1 -# Uncomment for location plugin support +# Add the next line to your gajim.local to enable location plugin support. #dbus-system.talk org.freedesktop.GeoClue2 join-or-start gajim diff --git a/etc/profile-a-l/gapplication.profile b/etc/profile-a-l/gapplication.profile index e339f6abb..5e1b024fe 100644 --- a/etc/profile-a-l/gapplication.profile +++ b/etc/profile-a-l/gapplication.profile 
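Review bot: The last rewritten comment in this firefox.profile hunk keeps the duplicated word in "screen sharing sharing" and presents `#ignore noroot` as a plain troubleshooting step. `ignore noroot` switches off the `noroot` restriction for the browser (presumably inherited from firefox-common.profile, which is not shown in this hunk), so the comment should say that it loosens the sandbox and is a last resort. Suggested wording: `# If screen sharing still does not work with the above lines, add 'ignore noroot' to your firefox.local; this weakens the sandbox (might depend on the portal implementation).`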
@@ -51,8 +51,8 @@ private-dev private-etc none private-tmp -# Uncomment (or add to your gapplcation.local) the next line to filter D-Bus names. -# You might need to add additional dbus-user.talk rules. see 'gapplication list-apps'. +# Add the next line to your gapplication.local to filter D-Bus names. +# You might need to add additional dbus-user.talk rules (see 'gapplication list-apps'). #dbus-user filter dbus-user.talk org.gnome.Boxes dbus-user.talk org.gnome.Builder diff --git a/etc/profile-a-l/gedit.profile b/etc/profile-a-l/gedit.profile index 30251fbe5..d61bea6c4 100644 --- a/etc/profile-a-l/gedit.profile +++ b/etc/profile-a-l/gedit.profile @@ -43,7 +43,7 @@ tracelog # private-bin gedit private-dev -# private-lib breaks python plugins, uncomment or add to your gedit.local if you don't use them. +# private-lib breaks python plugins - add the next line to your gedit.local if you don't use them. #private-lib aspell,gconv,gedit,libgspell-1.so.*,libgtksourceview-*,libpeas-gtk-1.0.so.*,libreadline.so.*,libtinfo.so.* private-tmp diff --git a/etc/profile-a-l/gimp.profile b/etc/profile-a-l/gimp.profile index bc5ef966c..e26fadca2 100644 --- a/etc/profile-a-l/gimp.profile +++ b/etc/profile-a-l/gimp.profile @@ -6,7 +6,7 @@ include gimp.local # Persistent global definitions include globals.local -# Uncomment or add to gimp.local in order to support scanning via xsane (see #3640). +# Add the next lines to your gimp.local in order to support scanning via xsane (see #3640). # TODO: Replace 'ignore seccomp' with a less permissive option. #ignore seccomp #ignore dbus-system @@ -15,8 +15,7 @@ include globals.local # gimp plugins are installed by the user in ${HOME}/.gimp-2.8/plug-ins/ directory -# if you are not using external plugins, you can comment 'ignore noexec' statement below -# or put 'noexec ${HOME}' in your gimp.local +# If you are not using external plugins, you can add 'noexec ${HOME}' to your gimp.local. ignore noexec ${HOME} noblacklist ${HOME}/.cache/babl 
diff --git a/etc/profile-a-l/git-cola.profile b/etc/profile-a-l/git-cola.profile index 312655b9b..7894e4d8d 100644 --- a/etc/profile-a-l/git-cola.profile +++ b/etc/profile-a-l/git-cola.profile @@ -14,8 +14,8 @@ noblacklist ${HOME}/.gnupg noblacklist ${HOME}/.subversion noblacklist ${HOME}/.config/git noblacklist ${HOME}/.config/git-cola -# Put your editor,diff viewer config path below and uncomment to load settings -# noblacklist ${HOME}/ +# Add your editor/diff viewer config paths and the next line to your git-cola.local to load settings. +#noblacklist ${HOME}/ # Allow python (blacklisted by disable-interpreters.inc) include allow-python2.inc @@ -34,7 +34,7 @@ include disable-xdg.inc whitelist ${RUNUSER}/gnupg whitelist ${RUNUSER}/keyring -# Whitelist your editor, diff viewer, gnupg path below in /usr/share/ +# Add additional whitelist paths below /usr/share to your git-cola.local to support your editor/diff viewer. whitelist /usr/share/git whitelist /usr/share/git-cola whitelist /usr/share/git-core @@ -65,8 +65,8 @@ seccomp shell none tracelog -# Add your own diff viewer,editor,pinentry program -# pinentry-curses,pinentry-emacs,pinentry-fltk,pinentry-gnome3,pinentry-gtk,pinentry-gtk2,pinentry-gtk-2,pinentry-qt,pinentry-qt4,pinentry-tty,pinentry-x2go,pinentry-kwallet" for gpg +# Add your own diff viewer,editor,pinentry program to private-bin in your git-cola.local. +#private-bin pinentry-curses,pinentry-emacs,pinentry-fltk,pinentry-gnome3,pinentry-gtk,pinentry-gtk2,pinentry-gtk-2,pinentry-qt,pinentry-qt4,pinentry-tty,pinentry-x2go,pinentry-kwallet" for gpg private-bin basename,bash,cola,envsubst,gettext,git,git-cola,git-dag,git-gui,gitk,gpg,gpg-agent,nano,ps,python*,sh,ssh,ssh-agent,tclsh,tr,wc,which,xed private-cache private-dev 
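Review bot: The new commented-out `#private-bin pinentry-curses,...` line in the third git-cola.profile hunk ends with the leftover `pinentry-kwallet" for gpg` from the old prose comment. A user who copies it into git-cola.local, as the comment above it instructs, gets a private-bin list whose last entry is not a program name. The directive should end at `pinentry-kwallet`, with the explanation moved into the comment: `# Add your own diff viewer, editor and pinentry program (for gpg) to private-bin in your git-cola.local.` In the first hunk of the same file, `#noblacklist ${HOME}/` is likewise a placeholder that needs a path appended before use; as written it names the whole home directory, and the comment could state that.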
@@ -74,13 +74,14 @@ private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,gitc private-tmp writable-run-user -# Breaks meld as diff viewer -# dbus-user filter -# Uncomment if you need keyring access -# dbus-user.talk org.freedesktop.secrets +# dbus-user filtering breaks meld as diff viewer +# Add the next line to your git-cola.local if you don't use meld. +#dbus-user filter +# Add the next line to your git-cola.local if you need keyring access +#dbus-user.talk org.freedesktop.secrets dbus-system none read-only ${HOME}/.git-credentials -# Comment if you need to allow hosts +# Add 'ignore read-only ${HOME}/.ssh' to your git-cola.local if you need to allow hosts. read-only ${HOME}/.ssh diff --git a/etc/profile-a-l/gitg.profile b/etc/profile-a-l/gitg.profile index 93b90eb9e..7b6820a81 100644 --- a/etc/profile-a-l/gitg.profile +++ b/etc/profile-a-l/gitg.profile @@ -59,6 +59,6 @@ private-tmp dbus-user filter dbus-user.own org.gnome.gitg dbus-user.talk ca.desrt.dconf -# Uncomment (or put in your gitg.local) if you need keyring access. +# Add the next line to your gitg.local if you need keyring access. #dbus-user.talk org.freedesktop.secrets dbus-system none diff --git a/etc/profile-a-l/gnome-characters.profile b/etc/profile-a-l/gnome-characters.profile index 4d53a67dd..048fad65c 100644 --- a/etc/profile-a-l/gnome-characters.profile +++ b/etc/profile-a-l/gnome-characters.profile @@ -44,8 +44,7 @@ shell none tracelog disable-mnt -# Uncomment the next line (or add it to your gnome-characters.local) -# if you don't need recently used chars +# Add the next line to your gnome-characters.local if you don't need access to recently used chars. #private private-bin gjs,gnome-characters private-cache 
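Review bot: The new advice at the end of git-cola.profile, `Add 'ignore read-only ${HOME}/.ssh' to your git-cola.local if you need to allow hosts`, lifts this profile's read-only protection from the whole ~/.ssh directory, not just the host list. The comment should name that trade-off, e.g. `# WARNING: 'ignore read-only ${HOME}/.ssh' makes everything in ~/.ssh writable for git-cola; only add it to your git-cola.local if new hosts must be recorded.` Separately, `#dbus-user.talk org.freedesktop.secrets` is, as far as I can tell, only meaningful together with `dbus-user filter`, which this hunk leaves commented out, so the keyring comment should say that both lines are needed.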
@@ -53,8 +52,7 @@ private-dev private-etc alternatives,dconf,fonts,gconf,gtk-2.0,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mime.types,pango,X11,xdg private-tmp -# Uncomment the next lines (or add it to your gnome-characters.local) -# if you don't need recently used chars +# Add the next lines to your gnome-characters.local if you don't need access to recently used chars. # dbus-user none # dbus-system none diff --git a/etc/profile-a-l/google-earth-pro.profile b/etc/profile-a-l/google-earth-pro.profile index 1240dc3b7..249ae187d 100644 --- a/etc/profile-a-l/google-earth-pro.profile +++ b/etc/profile-a-l/google-earth-pro.profile @@ -22,8 +22,7 @@ include google-earth-pro.local #[[ -e "$_lock_icon_cache" ]] && rm -f "${_lock_icon_cache:?}" # <--- end of snippet ---> -# If you see errors about missing commands, uncomment the below or put 'ignore private-bin' into your google-earth-pro.local -#ignore private-bin +# If you see errors about missing commands, add 'ignore private-bin' to your google-earth-pro.local. private-bin google-earth-pro,googleearth,googleearth-bin,gpsbabel,readlink,repair_tool,rm,which,xdg-mime,xdg-settings # Redirect diff --git a/etc/profile-a-l/hasher-common.profile b/etc/profile-a-l/hasher-common.profile index 2f684349d..1633cc3ee 100644 --- a/etc/profile-a-l/hasher-common.profile +++ b/etc/profile-a-l/hasher-common.profile 
@@ -6,24 +6,23 @@ include hasher-common.local blacklist ${RUNUSER} -# WARNING: -# Users can (un)restrict file access for **all** hashers by commenting/uncommenting the needed -# include file(s) here or by putting those into hasher-common.local. -# Another option is to do this **per hasher** in the relevant .local. -# Just beware that things tend to break when overtightening profiles. For example, because you only -# need to hash/check files in ${DOWNLOADS}, other applications may need access to ${HOME}/.local/share. +# Comment/uncomment the relevant include file(s) in your hasher-common.local +# to (un)restrict file access for **all** hashers. Another option is to do this **per hasher** +# in the relevant .local. Beware that things tend to break when overtightening +# profiles. For example, because you only need to hash/check files in ${DOWNLOADS}, +# other applications may need access to ${HOME}/.local/share. -# Uncomment the next line (or put it into your hasher-common.local) if you don't need to hash files in disable-common.inc. +# Add the next line to your hasher-common.local if you don't need to hash files in disable-common.inc. #include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc include disable-passwdmgr.inc -# Uncomment the next line (or put it into your hasher-common.local) if you don't need to hash files in disable-programs.inc. +# Add the next line to your hasher-common.local if you don't need to hash files in disable-programs.inc. #include disable-programs.inc include disable-shell.inc include disable-write-mnt.inc -# Uncomment the next line (or put it into your hasher-common.local) if you don't need to hash files in disable-xdg.inc. +# Add the next line to your hasher-common.local if you don't need to hash files in disable-xdg.inc. #include disable-xdg.inc apparmor 
@@ -47,10 +46,10 @@ shell none tracelog x11 none -# Uncomment the next line (or put it into your hasher-common.local) if you don't need to hash files in /tmp. +# Add the next line to your hasher-common.local if you don't need to hash files in ~/.cache. #private-cache private-dev -# Uncomment the next line (or put it into your hasher-common.local) if you don't need to hash files in /tmp. +# Add the next line to your hasher-common.local if you don't need to hash files in /tmp. #private-tmp dbus-user none diff --git a/etc/profile-a-l/i2prouter.profile b/etc/profile-a-l/i2prouter.profile index 9ffdb9e9b..d95d53b7a 100644 --- a/etc/profile-a-l/i2prouter.profile +++ b/etc/profile-a-l/i2prouter.profile @@ -9,16 +9,16 @@ include globals.local # Notice: default browser will most likely not be able to automatically open, due to sandbox. # Auto-opening default browser can be disabled in the I2P router console. # This profile will not currently work with any Arch User Repository I2P packages, -# use the distro-independent official I2P java installer instead +# use the distro-independent official I2P java installer instead. -# Only needed if i2prouter binary is in home directory, official I2P java installer does this +# Only needed when i2prouter binary resides in home directory (official I2P java installer does so). ignore noexec ${HOME} noblacklist ${HOME}/.config/i2p noblacklist ${HOME}/.i2p noblacklist ${HOME}/.local/share/i2p noblacklist ${HOME}/i2p -# Only needed if wrapper is placed in /usr/sbin/, ubuntu official I2P ppa package does this +# Only needed when wrapper resides in /usr/sbin/ (Ubuntu official I2P PPA package does so). noblacklist /usr/sbin # Allow java (blacklisted by disable-devel.inc) 
@@ -40,13 +40,14 @@ whitelist ${HOME}/.config/i2p whitelist ${HOME}/.i2p whitelist ${HOME}/.local/share/i2p whitelist ${HOME}/i2p -# Only needed if wrapper is placed in /usr/sbin/, ubuntu official I2P ppa package does this +# Only needed when wrapper resides in /usr/sbin/ (Ubuntu official I2P PPA package does so). whitelist /usr/sbin/wrapper* include whitelist-common.inc -# May break I2P if wrapper is placed in the home directory; official I2P java installer does this -# If using ubuntu official I2P ppa, this should be fine to uncomment, as it puts wrapper in /usr/sbin/ +# May break I2P if wrapper resides in the home directory (official I2P java installer does so). +# When using the Ubuntu official I2P PPA it should be fine to add 'apparmor' to your i2prouter.local, +# as it places the wrapper in /usr/sbin/ #apparmor caps.drop all ipc-namespace diff --git a/etc/profile-a-l/kdiff3.profile b/etc/profile-a-l/kdiff3.profile index 5786a4687..eb1e219ab 100644 --- a/etc/profile-a-l/kdiff3.profile +++ b/etc/profile-a-l/kdiff3.profile @@ -9,8 +9,8 @@ include globals.local noblacklist ${HOME}/.config/kdiff3fileitemactionrc noblacklist ${HOME}/.config/kdiff3rc -# Uncomment the next line (or put it into your kdiff3.local) if you don't need to compare files in disable-common.inc. -# by default we deny access only to .ssh and .gnupg +# Add the next line to your kdiff3.local if you don't need to compare files in disable-common.inc. +# By default we deny access only to .ssh and .gnupg. #include disable-common.inc blacklist ${HOME}/.ssh blacklist ${HOME}/.gnupg 
@@ -19,15 +19,15 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc include disable-passwdmgr.inc -# Uncomment the next line (or put it into your kdiff3.local) if you don't need to compare files in disable-programs.inc. +# Add the next line to your kdiff3.local if you don't need to compare files in disable-programs.inc. #include disable-programs.inc include disable-shell.inc include disable-xdg.inc include whitelist-runuser-common.inc -# Uncomment the next lines (or put it into your kdiff3.local) if you don't need to compare files in /usr/share. +# Add the next line to your kdiff3.local if you don't need to compare files in /usr/share. #include whitelist-usr-share-common.inc -# Uncomment the next line (or put it into your kdiff3.local) if you don't need to compare files in /var. +# Add the next line to your kdiff3.local if you don't need to compare files in /var. #include whitelist-var-common.inc apparmor diff --git a/etc/profile-a-l/keepassxc.profile b/etc/profile-a-l/keepassxc.profile index 3ad779a12..11c279911 100644 --- a/etc/profile-a-l/keepassxc.profile +++ b/etc/profile-a-l/keepassxc.profile 
@@ -30,11 +30,11 @@ include disable-programs.inc include disable-shell.inc include disable-xdg.inc -# You can enable whitelisting for keepassxc by uncommenting (or adding to you keepassxc.local) the following lines. -# If you do so, you MUST store your database under ${HOME}/Documents/KeePassXC/foo.kdbx +# You can enable whitelisting for keepassxc by adding the below to your keepassxc.local. +# If you do, you MUST store your database under ${HOME}/Documents/KeePassXC/foo.kdbx. #mkdir ${HOME}/Documents/KeePassXC #whitelist ${HOME}/Documents/KeePassXC -# Needed for KeePassXC-Browser +# Needed for KeePassXC-Browser. #mkfile ${HOME}/.config/BraveSoftware/Brave-Browser/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json #whitelist ${HOME}/.config/BraveSoftware/Brave-Browser/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json #mkfile ${HOME}/.config/chromium/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json @@ -89,12 +89,12 @@ dbus-user.talk org.freedesktop.login1.Session dbus-user.talk org.gnome.ScreenSaver dbus-user.talk org.gnome.SessionManager dbus-user.talk org.gnome.SessionManager.Presence -# Uncomment or add to your keepassxc.local to allow Notifications. +# Add the next line to your keepassxc.local to allow notifications. #dbus-user.talk org.freedesktop.Notifications -# Uncomment or add to your keepassxc.local to allow Tray. +# Add the next line to your keepassxc.local to allow the tray menu. #dbus-user.talk org.kde.StatusNotifierWatcher #dbus-user.own org.kde.* dbus-system none -# Mutex is stored in /tmp by default, which is broken by private-tmp +# Mutex is stored in /tmp by default, which is broken by private-tmp. join-or-start keepassxc diff --git a/etc/profile-a-l/librewolf.profile b/etc/profile-a-l/librewolf.profile index 5208cb979..8e891a930 100644 --- a/etc/profile-a-l/librewolf.profile +++ b/etc/profile-a-l/librewolf.profile 
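Review bot: In the second keepassxc.profile hunk the tray comment says "Add the next line", but two commented directives follow it, `#dbus-user.talk org.kde.StatusNotifierWatcher` and `#dbus-user.own org.kde.*`, with no comment of their own between them. If both are needed for the tray, as the layout suggests, the comment should read `# Add the next lines to your keepassxc.local to allow the tray menu.`. A short remark that `dbus-user.own org.kde.*` lets the sandbox own any name under org.kde would help a reader weigh that line before copying it.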
@@ -14,14 +14,15 @@ mkdir ${HOME}/.librewolf whitelist ${HOME}/.cache/librewolf whitelist ${HOME}/.librewolf -# Uncomment (or add to librewolf.local) the following lines if you want to -# use the migration wizard. +# Add the next lines to your librewolf.local if you want to use the migration wizard. #noblacklist ${HOME}/.mozilla #whitelist ${HOME}/.mozilla # librewolf requires a shell to launch on Arch. We can possibly remove sh though. +# Add the next line to your librewolf.local to enable private-bin. #private-bin bash,dbus-launch,dbus-send,env,librewolf,python*,sh,which -# private-etc must first be enabled in firefox-common.profile +# Add the next line to your librewolf.local to enable private-etc. Note +# that private-etc must first be enabled in firefox-common.local. #private-etc librewolf # Redirect diff --git a/etc/profile-a-l/liferea.profile b/etc/profile-a-l/liferea.profile index a122e9bbc..1b10f0934 100644 --- a/etc/profile-a-l/liferea.profile +++ b/etc/profile-a-l/liferea.profile @@ -55,8 +55,8 @@ private-tmp dbus-user filter dbus-user.own net.sourceforge.liferea dbus-user.talk ca.desrt.dconf -# Uncomment the below if you use the 'Popup Notifications' plugin or add 'dbus-user.talk org.freedesktop.Notifications' to your liferea.local +# Add the next line to your liferea.local if you use the 'Popup Notifications' plugin. #dbus-user.talk org.freedesktop.Notifications -# Uncomment the below if you use the 'Libsecret Support' plugin or add 'dbus-user.talk org.freedesktop.secrets' to your liferea.local +# Add the next line to your liferea.local if you use the 'Libsecret Support' plugin. #dbus-user.talk org.freedesktop.secrets dbus-system none diff --git a/etc/profile-a-l/links.profile b/etc/profile-a-l/links.profile index ccc77f274..272bc4f3a 100644 --- a/etc/profile-a-l/links.profile +++ b/etc/profile-a-l/links.profile 
@@ -17,8 +17,8 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc include disable-passwdmgr.inc -# you may want to noblacklist files/directories blacklisted in -# disable-programs.inc and used as associated programs +# Additional noblacklist files/directories (blacklisted in disable-programs.inc) +# used as associated programs can be added in your links.local. include disable-programs.inc include disable-xdg.inc @@ -30,19 +30,19 @@ include whitelist-var-common.inc caps.drop all ipc-namespace -# comment machine-id (or put 'ignore machine-id' in your links.local) if you want -# to allow access only to user-configured associated media player +# Add 'ignore machine-id' to your links.local if you want to restrict access to +# the user-configured associated media player. machine-id netfilter -# comment no3d (or put 'ignore no3d' in your links.local) if you want -# to allow access only to user-configured associated media player +# Add 'ignore no3d' to your links.local if you want to restrict access to +# the user-configured associated media player. no3d nodvd nogroups nonewprivs noroot -# comment nosound (or put 'ignore nosound' in your links.local) if you want -# to allow access only to user-configured associated media player +# Add 'ignore nosound' to your links.local if you want to restrict access to +# the user-configured associated media player. nosound notv nou2f 
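Review bot: In the second links.profile hunk the three rewritten comments say to add `ignore machine-id`, `ignore no3d` and `ignore nosound` "if you want to restrict access to the user-configured associated media player", which reads as if the override tightens the sandbox. Each of these `ignore` lines switches off an option the profile sets, so the comment should say that it loosens the profile for the sake of the media player. Suggested form, repeated for `no3d` and `nosound`: `# Add 'ignore machine-id' to your links.local if your user-configured associated media player needs it (this relaxes the sandbox).`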
@@ -53,14 +53,12 @@ shell none tracelog disable-mnt -# if you want to use user-configured programs add 'private-bin PROGRAM1,PROGRAM2' to your links.local -# or append 'PROGRAM1,PROGRAM2' to this private-bin line +# Add 'private-bin PROGRAM1,PROGRAM2' to your links.local if you want to use user-configured programs. private-bin links,sh private-cache private-dev private-etc alternatives,ca-certificates,crypto-policies,nsswitch.conf,pki,resolv.conf,ssl -# Uncomment the following line (or put it in your links.local) allow external -# media players +# Add the next line to your links.local to allow external media players. # private-etc alsa,asound.conf,machine-id,openal,pulse private-tmp diff --git a/etc/profile-a-l/lutris.profile b/etc/profile-a-l/lutris.profile index 5d05631ec..d750e5fcd 100644 --- a/etc/profile-a-l/lutris.profile +++ b/etc/profile-a-l/lutris.profile @@ -66,8 +66,8 @@ protocol unix,inet,inet6,netlink seccomp shell none -# uncomment the following line if you do not need controller support -# private-dev +# Add the next line to your lutris.local if you do not need controller support. +#private-dev private-tmp dbus-user none diff --git a/etc/profile-m-z/PCSX2.profile b/etc/profile-m-z/PCSX2.profile index b2687ba3c..e678b7204 100644 --- a/etc/profile-m-z/PCSX2.profile +++ b/etc/profile-m-z/PCSX2.profile @@ -6,7 +6,7 @@ include PCSX2.local # Persistent global definitions include globals.local -# Note: you must whitelist your games folder in a PCSX2.local +# Note: you must whitelist your games folder in your PCSX2.local. noblacklist ${HOME}/.config/PCSX2 @@ -32,7 +32,7 @@ caps.drop all ipc-namespace net none netfilter -# Uncomment the following line if not loading games from disc +# Add the next line to your PCSX2.local if you're not loading games from disc. #nodvd nogroups nonewprivs 
@@ -47,7 +47,7 @@ shell none private-bin PCSX2 private-cache -# uncomment the following line if you do not need controller support +# Add the next line to your PCSX2.local if you do not need controller support. #private-dev private-etc alsa,alternatives,asound.conf,bumblebee,ca-certificates,crypto-policies,dconf,drirc,fonts,gconf,glvnd,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,nvidia,pango,pki,protocols,pulse,resolv.conf,rpc,services,ssl,X11,xdg private-opt none diff --git a/etc/profile-m-z/marker.profile b/etc/profile-m-z/marker.profile index 70e5c72cf..84039aca3 100644 --- a/etc/profile-m-z/marker.profile +++ b/etc/profile-m-z/marker.profile @@ -6,7 +6,7 @@ include marker.local # Persistent global definitions include globals.local -# Uncomment (or add to your marker.local) if you need internet access. +# Add the next lines to your marker.local if you need internet access. #ignore net none #protocol unix,inet,inet6 #private-etc ca-certificates,ssl,pki,crypto-policies,nsswitch.conf,resolv.conf diff --git a/etc/profile-m-z/meld.profile b/etc/profile-m-z/meld.profile index d76522fce..900523b81 100644 --- a/etc/profile-m-z/meld.profile +++ b/etc/profile-m-z/meld.profile @@ -7,11 +7,11 @@ include meld.local include globals.local # If you want to use meld as git mergetool (and maybe some other VCS integrations) you need -# to bypass firejail, you can do this by removing the symlink or calling it by its absolute path +# to bypass firejail. You can do this by removing the symlink or by calling it by its absolute path. # Removing the symlink: -# sudo rm /usr/local/bin/meld +# $ sudo rm /usr/local/bin/meld # Calling it by its absolute path (example for git mergetool): -# git config --global mergetool.meld.cmd /usr/bin/meld +# $ git config --global mergetool.meld.cmd /usr/bin/meld noblacklist ${HOME}/.config/meld noblacklist ${HOME}/.config/git 
@@ -21,30 +21,31 @@ noblacklist ${HOME}/.local/share/meld noblacklist ${HOME}/.subversion # Allow python (blacklisted by disable-interpreters.inc) -# Python 2 is EOL (see #3164). Uncomment the next line (or put it into your meld.local) if you understand the risks but want python 2 support for older meld versions. +# Python 2 is EOL (see #3164). Add the next line to your meld.local if you understand the risks +# but want to keep Python 2 support for older meld versions. #include allow-python2.inc include allow-python3.inc # Allow ssh (blacklisted by disable-common.inc) include allow-ssh.inc -# Uncomment the next line (or put it into your meld.local) if you don't need to compare files in disable-common.inc. +# Add the next line to your meld.local if you don't need to compare files in disable-common.inc. #include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc include disable-passwdmgr.inc -# Uncomment the next line (or put it into your meld.local) if you don't need to compare files in disable-programs.inc. +# Add the next line to your meld.local if you don't need to compare files in disable-programs.inc. #include disable-programs.inc include disable-shell.inc include whitelist-runuser-common.inc -# Uncomment the next lines (or put it into your meld.local) if you don't need to compare files in /usr/share. +# Add the next lines to your meld.local if you don't need to compare files in /usr/share. #whitelist /usr/share/meld #include whitelist-usr-share-common.inc -# Uncomment the next line (or put it into your meld.local) if you don't need to compare files in /var. +# Add the next line to your meld.local if you don't need to compare files in /var. #include whitelist-var-common.inc apparmor 
@@ -70,9 +71,9 @@ tracelog private-bin bzr,cvs,git,hg,meld,python*,svn private-cache private-dev -# Uncomment the next line (or put it into your meld.local) if you don't need to compare in /etc. +# Add the next line to your meld.local if you don't need to compare files in /etc. #private-etc alternatives,ca-certificates,crypto-policies,fonts,hostname,hosts,pki,resolv.conf,ssl,subversion -# Comment the next line (or add 'ignore private-tmp to your meld.local') if you want to use it as a difftool (#3551) +# Add 'ignore private-tmp' to your meld.local if you want to use it as difftool (#3551). private-tmp read-only ${HOME}/.ssh diff --git a/etc/profile-m-z/mutt.profile b/etc/profile-m-z/mutt.profile index 24782c033..2c6e047d8 100644 --- a/etc/profile-m-z/mutt.profile +++ b/etc/profile-m-z/mutt.profile @@ -38,8 +38,7 @@ noblacklist ${HOME}/sent blacklist /tmp/.X11-unix blacklist ${RUNUSER}/wayland-* -# Uncomment or put them in mutt.local for oauth.py,S/MIME - +# Add the next lines to your mutt.local for oauth.py,S/MIME support. #include allow-perl.inc #include allow-python2.inc #include allow-python3.inc diff --git a/etc/profile-m-z/nextcloud.profile b/etc/profile-m-z/nextcloud.profile index 4e7c902d9..53dd3a05a 100644 --- a/etc/profile-m-z/nextcloud.profile +++ b/etc/profile-m-z/nextcloud.profile @@ -9,7 +9,7 @@ include globals.local noblacklist ${HOME}/Nextcloud noblacklist ${HOME}/.config/Nextcloud noblacklist ${HOME}/.local/share/Nextcloud -# Uncomment or put in your nextcloud.local to allow sync with more directories. +# Add the next lines to your nextcloud.local to allow sync in more directories. #noblacklist ${DOCUMENTS} #noblacklist ${MUSIC} #noblacklist ${PICTURES} 
@@ -30,7 +30,7 @@ mkdir ${HOME}/.local/share/Nextcloud whitelist ${HOME}/Nextcloud whitelist ${HOME}/.config/Nextcloud whitelist ${HOME}/.local/share/Nextcloud -# Uncomment or put in your nextcloud.local to allow sync with more directories. +# Add the next lines to your nextcloud.local to allow sync in more directories. #whitelist ${DOCUMENTS} #whitelist ${MUSIC} #whitelist ${PICTURES} diff --git a/etc/profile-m-z/nheko.profile b/etc/profile-m-z/nheko.profile index 2fbbef832..1b5da8d27 100644 --- a/etc/profile-m-z/nheko.profile +++ b/etc/profile-m-z/nheko.profile @@ -51,9 +51,11 @@ private-dev private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,mime.types,nsswitch.conf,pki,pulse,resolv.conf,selinux,ssl,X11,xdg private-tmp + +# Add the next lines to your nheko.local to enable notification support. +#ignore dbus-user none +#dbus-user filter +#dbus-user.talk org.freedesktop.Notifications +#dbus-user.talk org.kde.StatusNotifierWatcher dbus-user none -# Comment the above line and uncomment below lines for notification popups -# dbus-user filter -# dbus-user.talk org.freedesktop.Notifications -# dbus-user.talk org.kde.StatusNotifierWatcher dbus-system none diff --git a/etc/profile-m-z/npm.profile b/etc/profile-m-z/npm.profile index e95e875be..f51d58782 100644 --- a/etc/profile-m-z/npm.profile +++ b/etc/profile-m-z/npm.profile @@ -15,7 +15,7 @@ noblacklist ${HOME}/.npm noblacklist ${HOME}/.npmrc # If you want whitelisting, change ${HOME}/Projects below to your npm projects directory -# and uncomment the lines below. +# and add the next lines to your npm.local. #mkdir ${HOME}/.node-gyp #mkdir ${HOME}/.npm #mkfile ${HOME}/.npmrc diff --git a/etc/profile-m-z/ocenaudio.profile b/etc/profile-m-z/ocenaudio.profile index ae18cfff9..be3618e31 100644 --- a/etc/profile-m-z/ocenaudio.profile +++ b/etc/profile-m-z/ocenaudio.profile 
@@ -26,7 +26,7 @@ apparmor caps.drop all ipc-namespace # net none - breaks update functionality and AppArmor on Ubuntu systems -# uncomment (or put 'net none' in your ocenaudio.local) when needed +# Add 'net none' to your ocenaudio.local when you want that functionality. #net none netfilter no3d diff --git a/etc/profile-m-z/openmw.profile b/etc/profile-m-z/openmw.profile index 270d64c1e..89b146619 100644 --- a/etc/profile-m-z/openmw.profile +++ b/etc/profile-m-z/openmw.profile @@ -22,8 +22,8 @@ include disable-xdg.inc mkdir ${HOME}/.config/openmw mkdir ${HOME}/.local/share/openmw whitelist ${HOME}/.config/openmw -# Copy Morrowind data files into the following directory or load it from /mnt -# or whitelist it in a openmw.local +# Copy Morrowind data files into ${HOME}/.local/share/openmw or load them from /mnt. +# Alternatively you can whitelist custom paths in your openmw.local. whitelist ${HOME}/.local/share/openmw whitelist /usr/share/openmw include whitelist-common.inc @@ -36,7 +36,7 @@ caps.drop all ipc-namespace net none netfilter -# Uncomment the following line if installing from disc +# Add 'ignore nodvd' to your openmw.local when installing from disc. nodvd nogroups nonewprivs diff --git a/etc/profile-m-z/pcsxr.profile b/etc/profile-m-z/pcsxr.profile index c25c4ae66..a6dab2a9a 100644 --- a/etc/profile-m-z/pcsxr.profile +++ b/etc/profile-m-z/pcsxr.profile @@ -6,7 +6,7 @@ include pcsxr.local # Persistent global definitions include globals.local -# Note: you must whitelist your games folder in a pcsxr.local +# Note: you must whitelist your games folder in your pcsxr.local noblacklist ${HOME}/.pcsxr @@ -32,7 +32,7 @@ caps.drop all ipc-namespace net none netfilter -# Uncomment the following line if not loading games from disc +# Add the next line to your pcsxr.local when not loading games from disc. #nodvd nogroups nonewprivs 
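Review bot: In the ocenaudio.profile hunk, "when you want that functionality" follows a line saying `net none` breaks update functionality, so "that functionality" can be read as the updates rather than the network restriction. Name the trade-off directly, for example `# Add 'net none' to your ocenaudio.local if you want no network access and can do without the above.` The commented `#net none` line below it can stay as is.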
@@ -47,7 +47,7 @@ tracelog private-bin pcsxr private-cache -# uncomment the following line if you do not need controller support +# Add the next line to your pcsxr.local if you do not need controller support. #private-dev private-etc alsa,alternatives,asound.conf,bumblebee,ca-certificates,crypto-policies,dconf,drirc,fonts,gconf,glvnd,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,nvidia,pango,pki,protocols,pulse,resolv.conf,rpc,services,ssl,X11,xdg private-opt none diff --git a/etc/profile-m-z/ppsspp.profile b/etc/profile-m-z/ppsspp.profile index 263d99c83..1f73c1d89 100644 --- a/etc/profile-m-z/ppsspp.profile +++ b/etc/profile-m-z/ppsspp.profile @@ -6,7 +6,7 @@ include ppsspp.local # Persistent global definitions include globals.local -# Note: you must whitelist your games folder in a ppsspp.local +# Note: you must whitelist your games folder in your ppsspp.local. noblacklist ${HOME}/.config/ppsspp @@ -42,7 +42,7 @@ seccomp shell none private-bin ppsspp,PPSSPP,PPSSPPQt,PPSSPPSDL -# uncomment the following line if you do not need controller support +# Add the next line to your ppsspp.local if you do not need controller support. #private-dev private-etc alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,group,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,nsswitch.conf,passwd,pki,pulse,resolv.conf,ssl private-opt ppsspp diff --git a/etc/profile-m-z/psi.profile b/etc/profile-m-z/psi.profile index d3112ae95..376743b8d 100644 --- a/etc/profile-m-z/psi.profile +++ b/etc/profile-m-z/psi.profile 
@@ -6,8 +6,8 @@ include psi.local # Persistent global definitions include globals.local -# Uncomment for GPG -# noblacklist ${HOME}/.gnupg +# Add the next line to your psi.local to enable GPG support. +#noblacklist ${HOME}/.gnupg noblacklist ${HOME}/.cache/psi noblacklist ${HOME}/.cache/Psi noblacklist ${HOME}/.config/psi @@ -23,28 +23,28 @@ include disable-programs.inc include disable-shell.inc include disable-xdg.inc -# Uncomment for GPG -# mkdir ${HOME}/.gnupg +# Add the next line to your psi.local to enable GPG support. +#mkdir ${HOME}/.gnupg mkdir ${HOME}/.cache/psi mkdir ${HOME}/.cache/Psi mkdir ${HOME}/.config/psi mkdir ${HOME}/.local/share/psi mkdir ${HOME}/.local/share/Psi -# Uncomment for GPG -# whitelist ${HOME}/.gnupg +# Add the next line to your psi.local to enable GPG support. +#whitelist ${HOME}/.gnupg whitelist ${HOME}/.cache/psi whitelist ${HOME}/.cache/Psi whitelist ${HOME}/.config/psi whitelist ${HOME}/.local/share/psi whitelist ${HOME}/.local/share/Psi whitelist ${DOWNLOADS} -# Uncomment for GPG -# whitelist /usr/share/gnupg -# whitelist /usr/share/gnupg2 +# Add the next lines to your psi.local to enable GPG support. +#whitelist /usr/share/gnupg +#whitelist /usr/share/gnupg2 whitelist /usr/share/psi -# Uncomment for GPG -# whitelist ${RUNUSER}/gnupg -# whitelist ${RUNUSER}/keyring +# Add the next lines to your psi.local to enable GPG support. +#whitelist ${RUNUSER}/gnupg +#whitelist ${RUNUSER}/keyring include whitelist-common.inc include whitelist-runuser-common.inc include whitelist-usr-share-common.inc 
@@ -63,11 +63,11 @@ nou2f protocol unix,inet,inet6,netlink seccomp !chroot shell none -# breaks on Arch -# tracelog +#tracelog - breaks on Arch disable-mnt -# Add "gpg,gpg2,gpg-agent,pinentry-curses,pinentry-emacs,pinentry-fltk,pinentry-gnome3,pinentry-gtk,pinentry-gtk2,pinentry-gtk-2,pinentry-qt,pinentry-qt4,pinentry-tty,pinentry-x2go,pinentry-kwallet" for GPG +# Add the next line to your psi.local to enable GPG support. +#private-bin gpg,gpg2,gpg-agent,pinentry-curses,pinentry-emacs,pinentry-fltk,pinentry-gnome3,pinentry-gtk,pinentry-gtk2,pinentry-gtk-2,pinentry-qt,pinentry-qt4,pinentry-tty,pinentry-x2go,pinentry-kwallet private-bin getopt,psi private-cache private-dev diff --git a/etc/profile-m-z/rsync-download_only.profile b/etc/profile-m-z/rsync-download_only.profile index 78159527a..4bce35d16 100644 --- a/etc/profile-m-z/rsync-download_only.profile +++ b/etc/profile-m-z/rsync-download_only.profile @@ -7,9 +7,8 @@ include rsync.local # Persistent global definitions include globals.local -# Warning: This profile is writte to use rsync as an client for downloading, -# it is not writen to use rsync as an daemon (rsync --daemon) or to create backups. - +# WARNING: this profile is designed to use rsync as a client for downloading, +# not as a daemon (rsync --daemon) nor to create backups. # Usage: firejail --profile=rsync-download_only rsync blacklist /tmp/.X11-unix @@ -24,7 +23,7 @@ include disable-programs.inc include disable-shell.inc include disable-xdg.inc -# Uncomment or add to rsync.local to enable extra hardening +# Add the next line to your rsync-download_only.local to enable extra hardening. #whitelist ${DOWNLOADS} include whitelist-var-common.inc diff --git a/etc/profile-m-z/rtv.profile b/etc/profile-m-z/rtv.profile index 6f971b96b..970545ff6 100644 --- a/etc/profile-m-z/rtv.profile +++ b/etc/profile-m-z/rtv.profile 
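Review bot: In the second rsync-download_only.profile hunk the new comment sends users to rsync-download_only.local, but the first hunk's header line shows this profile reading `include rsync.local`, and the removed comment named rsync.local as well. Unless an include of rsync-download_only.local exists outside the hunks shown, a `whitelist ${DOWNLOADS}` placed there would never be loaded and the extra hardening would silently be absent. Either keep the file name, `# Add the next line to your rsync.local to enable extra hardening.`, or change the include line in the same commit.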
@@ -16,10 +16,9 @@ noblacklist ${HOME}/.local/share/rtv include allow-python2.inc include allow-python3.inc -# You can configure rtv to open different type of links -# in external applications. Configuration here: -# https://github.com/michael-lazar/rtv#viewing-media-links -# Uncomment or put in rtv.local for external application support +# You can configure rtv to open different type of links in external applications. +# Configuration: https://github.com/michael-lazar/rtv#viewing-media-links. +# Add the next line to your rtv.local to enable external application support. #include rtv-addons.profile include disable-common.inc include disable-devel.inc diff --git a/etc/profile-m-z/seahorse.profile b/etc/profile-m-z/seahorse.profile index 065409e78..2b82e5d06 100644 --- a/etc/profile-m-z/seahorse.profile +++ b/etc/profile-m-z/seahorse.profile @@ -22,7 +22,7 @@ include disable-programs.inc include disable-xdg.inc # whitelisting in ${HOME} breaks file encryption feature of nautilus. -# once #2882 is fixed this can be uncommented and nowhitelisted in seahorse-tool.profile +# Once #2882 is fixed this can be activated here and nowhitelisted in seahorse-tool.profile. #mkdir ${HOME}/.gnupg #mkdir ${HOME}/.ssh #whitelist ${HOME}/.gnupg diff --git a/etc/profile-m-z/servo.profile b/etc/profile-m-z/servo.profile index 65da5d0de..dc3fdaf34 100644 --- a/etc/profile-m-z/servo.profile +++ b/etc/profile-m-z/servo.profile @@ -17,7 +17,8 @@ include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc -# Add a whitelist for the directory where servo is installed and uncomment the lines below. +# Add the next lines to your servo.local to turn this into a whitelisting profile. +# You will need to add a whitelist for the directory where servo is installed. #whitelist ${DOWNLOADS} #include whitelist-common.inc include whitelist-runuser-common.inc diff --git a/etc/profile-m-z/spectacle.profile b/etc/profile-m-z/spectacle.profile index 73d2556ac..144763332 100644 
--- a/etc/profile-m-z/spectacle.profile +++ b/etc/profile-m-z/spectacle.profile @@ -6,7 +6,7 @@ include spectacle.local # Persistent global definitions include globals.local -# Uncomment the following lines to use sharing services. +# Add the next lines to your spectacle.local to use sharing services. #netfilter #ignore net none #private-etc ca-certificates,crypto-policies,pki,resolv.conf,ssl diff --git a/etc/profile-m-z/spectral.profile b/etc/profile-m-z/spectral.profile index 093661d8c..bf0f9f3a1 100644 --- a/etc/profile-m-z/spectral.profile +++ b/etc/profile-m-z/spectral.profile @@ -50,8 +50,9 @@ private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts, private-tmp dbus-user none -# Comment the above line and uncomment below lines for notification popups -# dbus-user filter -# dbus-user.talk org.freedesktop.Notifications -# dbus-user.talk org.kde.StatusNotifierWatcher +# Add the next lines to your spectral.local to enable notification support. +#ignore dbus-user none +#dbus-user filter +#dbus-user.talk org.freedesktop.Notifications +#dbus-user.talk org.kde.StatusNotifierWatcher dbus-system none diff --git a/etc/profile-m-z/supertuxkart.profile b/etc/profile-m-z/supertuxkart.profile index 1b20f5d3d..6a0ed46e0 100644 --- a/etc/profile-m-z/supertuxkart.profile +++ b/etc/profile-m-z/supertuxkart.profile @@ -50,7 +50,7 @@ tracelog disable-mnt private-bin supertuxkart private-cache -# uncomment the following line if you do not need controller support +# Add the next line to your supertuxkart.local if you do not need controller support. #private-dev private-etc alternatives,ca-certificates,crypto-policies,drirc,hosts,machine-id,openal,pki,resolv.conf,ssl private-tmp diff --git a/etc/profile-m-z/sylpheed.profile b/etc/profile-m-z/sylpheed.profile index 50506d100..328812b04 100644 --- a/etc/profile-m-z/sylpheed.profile +++ b/etc/profile-m-z/sylpheed.profile 
@@ -19,7 +19,7 @@ dbus-user filter dbus-user.talk ca.desrt.dconf dbus-user.talk org.freedesktop.secrets dbus-user.talk org.gnome.keyring.SystemPrompter -# Uncomment below for notifications (or put them in your sylpheed.local) +# Add the next line to your sylpheed.local to enable notifications. # dbus-user.talk org.freedesktop.Notifications # Redirect diff --git a/etc/profile-m-z/torbrowser-launcher.profile b/etc/profile-m-z/torbrowser-launcher.profile index 5cb5caf8d..3cbfe8d8b 100644 --- a/etc/profile-m-z/torbrowser-launcher.profile +++ b/etc/profile-m-z/torbrowser-launcher.profile @@ -37,7 +37,7 @@ include whitelist-var-common.inc include whitelist-runuser-common.inc include whitelist-usr-share-common.inc -# Uncomment the line below or put 'apparmor' in your torbrowser-launcher.local. +# Add 'apparmor' to your torbrowser-launcher.local to enable AppArmor support. # IMPORTANT: the relevant rule in /etc/apparmor.d/local/firejail-default will need # to be uncommented too for this to work as expected. #apparmor @@ -53,8 +53,7 @@ novideo protocol unix,inet,inet6 seccomp !chroot shell none -# tracelog may cause issues, see github issue #1930 -#tracelog +#tracelog - may cause issues, see #1930 disable-mnt private-bin bash,cat,cp,cut,dirname,env,expr,file,gpg,grep,gxmessage,id,kdialog,ln,mkdir,mv,python*,rm,sed,sh,tail,tar,tclsh,test,tor-browser,tor-browser-en,torbrowser-launcher,update-desktop-database,xmessage,xz,zenity diff --git a/etc/profile-m-z/vmware-view.profile b/etc/profile-m-z/vmware-view.profile index 0117af376..0cb6d34d2 100644 --- a/etc/profile-m-z/vmware-view.profile +++ b/etc/profile-m-z/vmware-view.profile 
@@ -37,9 +37,8 @@ nonewprivs noroot notv nou2f -# Comment novideo (or add 'ignore novideo' to your vmware-view.local) if you need your webcam +# Add 'ignore novideo' to your vmware-view.local if you need your webcam. novideo -# protocol produces a lot error messages but nothing seems to be broken protocol unix,inet,inet6 seccomp !iopl seccomp.block-secondary @@ -50,8 +49,7 @@ disable-mnt private-cache private-dev private-etc alsa,alternatives,asound.conf,bumblebee,ca-certificates,crypto-policies,dconf,drirc,fonts,gai.conf,gconf,glvnd,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,login.defs,machine-id,magic,magic.mgc,mime.types,nsswitch.conf,nvidia,pango,passwd,pki,protocols,proxychains.conf,pulse,resolv.conf,rpc,services,ssl,terminfo,vmware,vmware-tools,vmware-vix,X11,xdg -# Logs are "stored" in /tmp, comment (or add 'ignore private-tmp' to your vmware-view.local) -# if you need them without joining the sandbox. +# Logs are kept in /tmp. Add 'ignore private-tmp' to your vmware-view.local if you need them without joining the sandbox. private-tmp dbus-user none diff --git a/etc/profile-m-z/vmware.profile b/etc/profile-m-z/vmware.profile index d00e16fef..5241e27b3 100644 --- a/etc/profile-m-z/vmware.profile +++ b/etc/profile-m-z/vmware.profile @@ -21,7 +21,7 @@ mkdir ${HOME}/.cache/vmware mkdir ${HOME}/.vmware whitelist ${HOME}/.cache/vmware whitelist ${HOME}/.vmware -# Uncomment the following if you need to use "shared VM" +# Add the next lines to your vmware.local if you need to use "shared VM". #whitelist /var/lib/vmware #writable-var include whitelist-common.inc 
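Review bot: The first vmware-view.profile hunk deletes `# protocol produces a lot error messages but nothing seems to be broken` without a replacement, while the other change in the hunk is a rewording. As far as the hunk shows, that comment was the only explanation of the noise produced by the `protocol unix,inet,inet6` line, and without it a user may take the messages for a sandbox failure. I would keep it in the new style: `# protocol produces a lot of error messages, but nothing seems to be broken.`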
@@ -37,6 +37,7 @@ shell none tracelog #disable-mnt +# Add the next line to your vmware.local to enable private-bin. #private-bin env,bash,sh,ovftool,vmafossexec,vmaf_*,vmnet-*,vmplayer,vmrest,vmrun,vmss2core,vmstat,vmware,vmware-* private-etc alsa,asound.conf,ca-certificates,conf.d,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,localtime,machine-id,passwd,pki,pulse,resolv.conf,ssl,vmware,vmware-installer,vmware-vix dbus-user none diff --git a/etc/profile-m-z/w3m.profile b/etc/profile-m-z/w3m.profile index 0e172333a..a43835944 100644 --- a/etc/profile-m-z/w3m.profile +++ b/etc/profile-m-z/w3m.profile @@ -7,7 +7,7 @@ include w3m.local # Persistent global definitions include globals.local -# Uncomment or add to your w3m.local if you want to use w3m-img on a vconsole +# Add the next lines to your w3m.local if you want to use w3m-img on a vconsole. #ignore nogroups #ignore private-dev #ignore private-etc diff --git a/etc/profile-m-z/waterfox.profile b/etc/profile-m-z/waterfox.profile index c6c940fa3..18f1ca79a 100644 --- a/etc/profile-m-z/waterfox.profile +++ b/etc/profile-m-z/waterfox.profile @@ -13,14 +13,15 @@ mkdir ${HOME}/.waterfox whitelist ${HOME}/.cache/waterfox whitelist ${HOME}/.waterfox -# Uncomment (or add to watefox.local) the following lines if you want to -# use the migration wizard. +# Add the next lines to your watefox.local if you want to use the migration wizard. #noblacklist ${HOME}/.mozilla #whitelist ${HOME}/.mozilla # waterfox requires a shell to launch on Arch. We can possibly remove sh though. +# Add the next line to your waterfox.local to enable private-bin. #private-bin bash,dbus-launch,dbus-send,env,sh,waterfox,waterfox-classic,waterfox-current,which -# private-etc must first be enabled in firefox-common.profile +# Add the next line to your waterfox.local to enable private-etc. Note that private-etc must first be +# enabled in your firefox-common.local. #private-etc waterfox # Redirect 
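Review bot: The waterfox.profile hunk keeps a misspelled file name in its first rewritten comment, `watefox.local`, while the two comments added further down in the same hunk spell it waterfox.local. A user who copies the name as written would create a file that the profile presumably never includes, so the migration-wizard lines would have no effect. Suggested line: `# Add the next lines to your waterfox.local if you want to use the migration wizard.` The yarn.profile hunk has a similar slip, `# add the next lines to you yarn.local.`, which should read `your`.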
diff --git a/etc/profile-m-z/wget.profile b/etc/profile-m-z/wget.profile index f67d28618..8a7042f59 100644 --- a/etc/profile-m-z/wget.profile +++ b/etc/profile-m-z/wget.profile @@ -21,7 +21,7 @@ include disable-interpreters.inc include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc -# depending on workflow you can uncomment the below or put 'include disable-xdg.inc' in your wget.local +# Depending on workflow you can add the next line to your wget.local. #include disable-xdg.inc include whitelist-usr-share-common.inc @@ -50,7 +50,7 @@ tracelog private-bin wget private-cache private-dev -# depending on workflow you can uncomment the below or put this private-etc in your wget.local +# Depending on workflow you can add the next line to your wget.local. #private-etc alternatives,ca-certificates,crypto-policies,pki,resolv.conf,ssl,wgetrc #private-tmp diff --git a/etc/profile-m-z/wine.profile b/etc/profile-m-z/wine.profile index 6ac74b9da..67427209f 100644 --- a/etc/profile-m-z/wine.profile +++ b/etc/profile-m-z/wine.profile @@ -24,8 +24,7 @@ include disable-programs.inc # include whitelist-usr-share-common.inc include whitelist-var-common.inc -# some applications don't need allow-debuggers, comment the next line -# if it is not necessary (or put 'ignore allow-debuggers' in your wine.local) +# Some applications don't need allow-debuggers. Add 'ignore allow-debuggers' to your wine.local if you want to override this. allow-debuggers caps.drop all # net none diff --git a/etc/profile-m-z/wps.profile b/etc/profile-m-z/wps.profile index 6e4a313e3..2b97d5b0a 100644 --- a/etc/profile-m-z/wps.profile +++ b/etc/profile-m-z/wps.profile @@ -23,7 +23,7 @@ include whitelist-var-common.inc apparmor caps.drop all machine-id -# Uncomment the next line (or add to wps.local) if you don't use network features. +# Add the next line to your wps.local if you don't use network features. #net none netfilter no3d 
@@ -36,7 +36,7 @@ notv nou2f novideo protocol unix,inet,inet6 -# seccomp cause some minor issues, if you can live with them enable it. +# seccomp causes some minor issues. Add the next line to your wps.local if you can live with those. #seccomp shell none tracelog diff --git a/etc/profile-m-z/yarn.profile b/etc/profile-m-z/yarn.profile index f20225050..360bd8442 100644 --- a/etc/profile-m-z/yarn.profile +++ b/etc/profile-m-z/yarn.profile @@ -13,7 +13,8 @@ noblacklist ${HOME}/.yarn-config noblacklist ${HOME}/.yarncache noblacklist ${HOME}/.yarnrc -# If you want whitelisting, change ${HOME}/Projects below to your yarn projects directory and uncomment the lines below. +# If you want whitelisting, change ${HOME}/Projects below to your yarn projects directory and +# add the next lines to you yarn.local. #mkdir ${HOME}/.yarn #mkdir ${HOME}/.yarn-config #mkdir ${HOME}/.yarncache diff --git a/etc/profile-m-z/yelp.profile b/etc/profile-m-z/yelp.profile index 479582b2a..a08a30b52 100644 --- a/etc/profile-m-z/yelp.profile +++ b/etc/profile-m-z/yelp.profile @@ -33,14 +33,14 @@ include whitelist-var-common.inc apparmor caps.drop all -# machine-id breaks sound - uncomment here or put it in your yelp.local if you don't need it +# machine-id breaks sound - add the next line to your yelp.local if you don't need sound support. #machine-id net none nodvd nogroups nonewprivs noroot -# nosound - uncomment here or put it in your yelp.local if you don't need it +# nosound - add the next line to your yelp.local if you don't need sound support. #nosound notv nou2f 
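Review bot: The seccomp comment in this wps.profile hunk asks the user to enable seccomp "if you can live with those" issues but never names them, so there is nothing to weigh against leaving the syscall filter off. If the issues are known, name them or point to the report, for example `# seccomp causes some minor issues (see #<issue-id>). Add the next line to your wps.local if you can live with those.`; the issue number there is a placeholder, as the hunk shows none.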
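Review bot: The second added line in the yarn.profile hunk has a typo, `add the next lines to you yarn.local`; it should be `# add the next lines to your yarn.local.`. The first line still says to change `${HOME}/Projects` "below", which after this rewording means the copy in yarn.local rather than the profile, so `change ${HOME}/Projects in those lines` would be clearer. The commented block it refers to continues past the end of the hunk.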
@@ -66,11 +66,11 @@ dbus-system none # read-only ${HOME} breaks some features: # 1. yelp --editor-mode # 2. saving the window geometry -# comment the line below or put 'ignore read-only ${HOME}' into your yelp.local if you need these features +# add 'ignore read-only ${HOME}' to your yelp.local if you need these features. read-only ${HOME} read-write ${HOME}/.cache # 3. printing to PDF in ${DOCUMENTS} -# additionally uncomment the lines below or put 'noblacklist ${DOCUMENTS}' and -# 'whitelist ${DOCUMENTS}' into your yelp.local if you need printing to PDF support +# additionally add 'noblacklist ${DOCUMENTS}' and 'whitelist ${DOCUMENTS}' to +# your yelp.local if you need PDF printing support. #noblacklist ${DOCUMENTS} #whitelist ${DOCUMENTS} diff --git a/etc/profile-m-z/zoom.profile b/etc/profile-m-z/zoom.profile index e8cd64c93..ac615d861 100644 --- a/etc/profile-m-z/zoom.profile +++ b/etc/profile-m-z/zoom.profile @@ -6,14 +6,14 @@ include zoom.local # Persistent global definitions include globals.local -# Disabled until someone reported positive feedback +# Disabled until someone reports positive feedback. ignore apparmor ignore novideo ignore dbus-user none ignore dbus-system none # nogroups breaks webcam access on non-systemd systems (see #3711). -# If you use such a system uncomment the line below or put 'ignore nogroups' in your zoom.local +# If you use such a system, add 'ignore nogroups' to your zoom.local. #ignore nogroups noblacklist ${HOME}/.config/zoomus.conf
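Review bot: The two rewritten comments in the second yelp.profile hunk start in lower case (`# add 'ignore read-only ${HOME}' …` and `# additionally add …`), while the other comments touched by this commit were moved to sentence case. The first one could also say what the override costs, since it lifts the write protection on whatever part of the home directory the sandbox can see: `# Add 'ignore read-only ${HOME}' to your yelp.local if you need these features; ${HOME} is then writable.`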
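Review bot: The comment `# Disabled until someone reports positive feedback.` in the zoom.profile hunk does not say what is disabled. The four `ignore` lines under it switch off apparmor, novideo and both dbus filters, presumably as set by a profile included outside this hunk. A wording that names the effect would help readers judge the relaxation: `# The following options are ignored until someone reports that zoom works with them.`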