refactor yt-dlp

etc/profile-a-l/gallery-dl.profile

@@ -15,4 +15,4 @@ private-bin gallery-dl
 private-etc gallery-dl.conf
 
 # Redirect
-include youtube-dl.profile
+include yt-dlp.profile

etc/profile-m-z/youtube-dl.profile

@@ -5,63 +5,17 @@ quiet
 # Persistent local customizations
 include youtube-dl.local
 # Persistent global definitions
-include globals.local
-
-# breaks when installed under ${HOME} via `pip install --user` (see #2833)
-ignore noexec ${HOME}
+# added by included profile
+#include globals.local
 
 noblacklist ${HOME}/.cache/youtube-dl
 noblacklist ${HOME}/.config/youtube-dl
-noblacklist ${HOME}/.netrc
-noblacklist ${MUSIC}
-noblacklist ${VIDEOS}
 
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
-include allow-python3.inc
 
-blacklist /tmp/.X11-unix
-blacklist ${RUNUSER}
+private-bin youtube-dl
+private-etc youtube-dl.conf
 
-include disable-common.inc
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-programs.inc
-include disable-shell.inc
-include disable-xdg.inc
-
-include whitelist-usr-share-common.inc
-include whitelist-var-common.inc
-
-apparmor
-caps.drop all
-ipc-namespace
-machine-id
-netfilter
-no3d
-nodvd
-nogroups
-noinput
-nonewprivs
-noroot
-nosound
-notv
-nou2f
-novideo
-protocol unix,inet,inet6
-seccomp
-seccomp.block-secondary
-tracelog
-
-private-bin env,ffmpeg,python*,youtube-dl
-private-cache
-private-dev
-private-etc @tls-ca,mime.types,youtube-dl.conf
-private-tmp
-
-dbus-user none
-dbus-system none
-
-#memory-deny-write-execute - breaks on Arch (see issue #1803)
-restrict-namespaces
+# Redirect
+include yt-dlp.profile

etc/profile-m-z/yt-dlp.profile

@@ -5,17 +5,73 @@ quiet
 # Persistent local customizations
 include yt-dlp.local
 # Persistent global definitions
-# added by included profile
-#include globals.local
+include globals.local
+
+# If you installed via pip under ${HOME}
+# add 'ignore noexec ${HOME}' in yt-dlp.local.
+# AppArmor needs to allow it too,
+# add 'ignore apparmor' in yt-dlp.local
+# OR in /etc/apparmor.d/local/firejail-default add:
+# 'owner @HOME/.local/bin/** ix,'
+# 'owner @HOME/.local/lib/python*/** ix,'
+# then run the command
+# 'sudo apparmor_parser -r /etc/apparmor.d/firejail-default'
 
 noblacklist ${HOME}/.cache/yt-dlp
 noblacklist ${HOME}/.config/yt-dlp
 noblacklist ${HOME}/.config/yt-dlp.conf
 noblacklist ${HOME}/yt-dlp.conf
 noblacklist ${HOME}/yt-dlp.conf.txt
+noblacklist ${HOME}/.netrc
+noblacklist ${MUSIC}
+noblacklist ${VIDEOS}
 
-private-bin ffprobe,yt-dlp
-private-etc yt-dlp.conf
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python3.inc
 
-# Redirect
-include youtube-dl.profile
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+seccomp.block-secondary
+tracelog
+
+private-bin env,ffmpeg,ffprobe,python*,yt-dlp
+private-cache
+private-dev
+private-etc @tls-ca,mime.types,yt-dlp.conf
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
+
+restrict-namespaces