profiles: fix commented code and eol comments

Main changes:

* Remove the space after `#` for commented code lines to distinguish
  them from normal comments
* Use `#` instead of `-` for comments at the end of the line so that
  commented code lines work after being uncommented

Commands used to search and replace:

    arg0="$(cat contrib/syntax/lists/profile_commands_arg0.list |
      LC_ALL=C sort -u | tr '\n' '|' | sed -e 's/|$//' -e 's/\./\\./g')"
    arg1="$(cat contrib/syntax/lists/profile_commands_arg1.list |
      LC_ALL=C sort -u | tr '\n' '|' | sed -e 's/|$//' -e 's/\./\\./g')"
    git ls-files -z -- etc/inc etc/profile* | xargs -0 -I '{}' \
      sh -c "printf '%s\n' \"\$(sed -E \
        -e 's/^# ($arg0)( [#-]-? .*)?\$/#\\1\\2/' \
        -e 's/^# ($arg1)( [^ ]*)?( [#-]-? .*)?\$/#\\1\\2\\3/' \
        -e 's/^# (whitelist \\$)/#\\1/' \
        -e 's/^(#[^ ].+) --? /\\1 # /' \
        '{}')\" >'{}'"

Commands used to check for leftover entries:

    arg0="$(cat contrib/syntax/lists/profile_commands_arg0.list |
      LC_ALL=C sort -u | tr '\n' '|' | sed -e 's/|$//' -e 's/\./\\./g')"
    arg1="$(cat contrib/syntax/lists/profile_commands_arg1.list |
      LC_ALL=C sort -u | tr '\n' '|' | sed -e 's/|$//' -e 's/\./\\./g')"
    git grep -E "^# ($arg0|$arg1)( +|$)" -- etc/inc etc/profile*

See also commit 30f9ad908 ("build: improve comments in firecfg.config",
2023-08-05) / PR #5942.

etc/inc/disable-common.inc

@@ -564,7 +564,7 @@ blacklist ${PATH}/bmon
 blacklist ${PATH}/fping
 blacklist ${PATH}/fping6
 blacklist ${PATH}/hostname
-# blacklist ${PATH}/ip - breaks --ip=dhcp
+#blacklist ${PATH}/ip # breaks --ip=dhcp
 blacklist ${PATH}/mtr
 blacklist ${PATH}/mtr-packet
 blacklist ${PATH}/netstat

etc/profile-a-l/abiword.profile

@@ -44,7 +44,7 @@ private-dev
 private-etc @x11
 private-tmp
 
-# dbus-user none
-# dbus-system none
+#dbus-user none
+#dbus-system none
 
 restrict-namespaces

etc/profile-a-l/akonadi_control.profile

@@ -34,7 +34,7 @@ include whitelist-var-common.inc
 # disabled options below are not compatible with the apparmor profile for mysqld-akonadi.
 # this affects ubuntu and debian currently
 
-# apparmor
+#apparmor
 caps.drop all
 ipc-namespace
 netfilter
@@ -42,17 +42,17 @@ no3d
 nodvd
 nogroups
 noinput
-# nonewprivs
+#nonewprivs
 noroot
 nosound
 notv
 nou2f
 novideo
-# protocol unix,inet,inet6,netlink
-# seccomp !io_destroy,!io_getevents,!io_setup,!io_submit,!ioprio_set
+#protocol unix,inet,inet6,netlink
+#seccomp !io_destroy,!io_getevents,!io_setup,!io_submit,!ioprio_set
 tracelog
 
 private-dev
-# private-tmp - breaks programs that depend on akonadi
+#private-tmp # breaks programs that depend on akonadi
 
-# restrict-namespaces
+#restrict-namespaces

etc/profile-a-l/akregator.profile

@@ -49,4 +49,4 @@ private-dev
 private-tmp
 
 deterministic-shutdown
-# restrict-namespaces
+#restrict-namespaces

etc/profile-a-l/alacarte.profile

@@ -49,7 +49,7 @@ seccomp.block-secondary
 tracelog
 
 disable-mnt
-# private-bin alacarte,bash,python*,sh
+#private-bin alacarte,bash,python*,sh
 private-cache
 private-dev
 private-etc @tls-ca,@x11,mime.types

etc/profile-a-l/amarok.profile

@@ -26,11 +26,11 @@ notv
 nou2f
 novideo
 protocol unix,inet,inet6
-# seccomp
+#seccomp
 
-# private-bin amarok
+#private-bin amarok
 private-dev
-# private-etc alternatives,asound.conf,ca-certificates,crypto-policies,machine-id,pki,pulse,resolv.conf,ssl
+#private-etc alternatives,asound.conf,ca-certificates,crypto-policies,machine-id,pki,pulse,resolv.conf,ssl
 private-tmp
 
 dbus-user filter
@@ -45,4 +45,4 @@ dbus-user.talk org.freedesktop.Notifications
 #dbus-user.talk org.kde.knotify
 dbus-system none
 
-# restrict-namespaces
+#restrict-namespaces

etc/profile-a-l/android-studio.profile

@@ -36,7 +36,7 @@ protocol unix,inet,inet6
 seccomp
 
 private-cache
-# private-tmp
+#private-tmp
 
 # noexec /tmp breaks 'Android Profiler'
 #noexec /tmp

etc/profile-a-l/anki.profile

@@ -55,4 +55,4 @@ private-tmp
 dbus-user none
 dbus-system none
 
-# restrict-namespaces
+#restrict-namespaces

etc/profile-a-l/arduino.profile

@@ -21,7 +21,7 @@ caps.drop all
 netfilter
 no3d
 nodvd
-# nogroups
+#nogroups
 nonewprivs
 noroot
 nosound

etc/profile-a-l/aria2c.profile

@@ -39,7 +39,7 @@ novideo
 protocol unix,inet,inet6,netlink
 seccomp
 
-# disable-mnt
+#disable-mnt
 # Add your custom event hook commands to 'private-bin' in your aria2c.local.
 private-bin aria2c,gzip
 # Add 'private-cache' to your aria2c.local if you don't use Lutris/winetricks (see issue #2772).

etc/profile-a-l/ark.profile

@@ -22,7 +22,7 @@ include whitelist-var-common.inc
 
 apparmor
 caps.drop all
-# net none
+#net none
 netfilter
 nodvd
 nogroups
@@ -42,7 +42,7 @@ private-bin 7z,ark,bash,lrzip,lsar,lz4,lzop,p7zip,rar,sh,tclsh,unar,unrar,unzip,
 private-dev
 private-tmp
 
-# dbus-user none
-# dbus-system none
+#dbus-user none
+#dbus-system none
 
 restrict-namespaces

etc/profile-a-l/artha.profile

@@ -35,7 +35,7 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 ipc-namespace
-# net none - breaks on Ubuntu
+#net none # breaks on Ubuntu
 no3d
 nodvd
 nogroups

etc/profile-a-l/asunder.profile

@@ -26,7 +26,7 @@ apparmor
 caps.drop all
 netfilter
 no3d
-# nogroups
+#nogroups
 noinput
 nonewprivs
 noroot
@@ -44,5 +44,5 @@ dbus-user none
 dbus-system none
 
 # mdwe is disabled due to breaking hardware accelerated decoding
-# memory-deny-write-execute
+#memory-deny-write-execute
 restrict-namespaces

etc/profile-a-l/atom.profile

@@ -26,7 +26,7 @@ noblacklist ${HOME}/.config/Atom
 # Allows files commonly used by IDEs
 include allow-common-devel.inc
 
-# net none
+#net none
 nosound
 
 # Redirect

etc/profile-a-l/atril.profile

@@ -22,7 +22,7 @@ include disable-xdg.inc
 
 include whitelist-var-common.inc
 
-# apparmor
+#apparmor
 caps.drop all
 machine-id
 no3d
@@ -44,7 +44,7 @@ private-dev
 private-etc
 # atril uses webkit gtk to display epub files
 # waiting for globbing support in private-lib; for now hardcoding it to webkit2gtk-4.0
-#private-lib webkit2gtk-4.0 - problems on Arch with the new version of WebKit
+#private-lib webkit2gtk-4.0 # problems on Arch with the new version of WebKit
 private-tmp
 
 # webkit gtk killed by memory-deny-write-execute

etc/profile-a-l/audacious.profile

@@ -36,7 +36,7 @@ protocol unix,inet,inet6
 seccomp
 tracelog
 
-# private-bin audacious
+#private-bin audacious
 private-cache
 private-dev
 private-tmp

etc/profile-a-l/audacity.profile

@@ -54,7 +54,7 @@ private-etc @x11
 private-tmp
 
 # problems on Fedora 27
-# dbus-user none
-# dbus-system none
+#dbus-user none
+#dbus-system none
 
 restrict-namespaces

etc/profile-a-l/audio-recorder.profile

@@ -41,7 +41,7 @@ seccomp
 tracelog
 
 disable-mnt
-# private-bin audio-recorder
+#private-bin audio-recorder
 private-cache
 private-etc
 private-tmp
@@ -50,5 +50,5 @@ dbus-user filter
 dbus-user.talk ca.desrt.dconf
 dbus-system none
 
-# memory-deny-write-execute - breaks on Arch
+#memory-deny-write-execute # breaks on Arch
 restrict-namespaces

etc/profile-a-l/authenticator.profile

@@ -19,7 +19,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-programs.inc
 
-# apparmor
+#apparmor
 caps.drop all
 netfilter
 no3d
@@ -31,19 +31,19 @@ noroot
 nosound
 notv
 nou2f
-# novideo
+#novideo
 protocol unix,inet,inet6
 seccomp
 
 disable-mnt
-# private-bin authenticator,python*
+#private-bin authenticator,python*
 private-dev
 private-etc @tls-ca
 private-tmp
 
 # makes settings immutable
-# dbus-user none
-# dbus-system none
+#dbus-user none
+#dbus-system none
 
-#memory-deny-write-execute - breaks on Arch (see issue #1803)
+#memory-deny-write-execute # breaks on Arch (see issue #1803)
 restrict-namespaces

etc/profile-a-l/autokey-common.profile

@@ -38,5 +38,5 @@ private-cache
 private-dev
 private-tmp
 
-#memory-deny-write-execute - breaks on Arch (see issue #1803)
+#memory-deny-write-execute # breaks on Arch (see issue #1803)
 restrict-namespaces

etc/profile-a-l/baloo_file.profile

@@ -7,10 +7,10 @@ include globals.local
 
 # Make home directory read-only and allow writing only to ${HOME}/.local/share/baloo
 # Note: Baloo will not be able to update the "first run" key in its configuration files.
-# mkdir ${HOME}/.local/share/baloo
-# read-only ${HOME}
-# read-write ${HOME}/.local/share/baloo
-# ignore read-write
+#mkdir ${HOME}/.local/share/baloo
+#read-only ${HOME}
+#read-write ${HOME}/.local/share/baloo
+#ignore read-write
 
 noblacklist ${HOME}/.config/baloofilerc
 noblacklist ${HOME}/.kde/share/config/baloofilerc
@@ -31,7 +31,7 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 machine-id
-# net none
+#net none
 netfilter
 no3d
 nodvd
@@ -46,7 +46,7 @@ novideo
 protocol unix
 # blacklisting of ioprio_set system calls breaks baloo_file
 seccomp !ioprio_set
-# x11 xorg
+#x11 xorg
 
 private-bin baloo_file,baloo_file_extractor,baloo_filemetadata_temp_extractor,kbuildsycoca4
 private-cache

etc/profile-a-l/baobab.profile

@@ -6,13 +6,13 @@ include baobab.local
 # Persistent global definitions
 include globals.local
 
-# include disable-common.inc
+#include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-# include disable-programs.inc
+#include disable-programs.inc
 include disable-shell.inc
-# include disable-xdg.inc
+#include disable-xdg.inc
 
 include whitelist-runuser-common.inc
 
@@ -37,8 +37,8 @@ private-bin baobab
 private-dev
 private-tmp
 
-# dbus-user none
-# dbus-system none
+#dbus-user none
+#dbus-system none
 
 read-only ${HOME}
 restrict-namespaces

etc/profile-a-l/bcompare.profile

@@ -19,7 +19,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 # Add the next line to your bcompare.local if you don't need to compare files in disable-programs.inc.
 #include disable-programs.inc
-#include disable-shell.inc - breaks launch
+#include disable-shell.inc # breaks launch
 include disable-write-mnt.inc
 
 apparmor

etc/profile-a-l/bibletime.profile

@@ -48,7 +48,7 @@ protocol unix,inet,inet6,netlink
 seccomp !chroot
 
 disable-mnt
-# private-bin bibletime
+#private-bin bibletime
 private-cache
 private-dev
 private-etc @tls-ca,sword,sword.conf
@@ -57,4 +57,4 @@ private-tmp
 dbus-user none
 dbus-system none
 
-# restrict-namespaces
+#restrict-namespaces

etc/profile-a-l/bijiben.profile

@@ -48,7 +48,7 @@ tracelog
 
 disable-mnt
 private-bin bijiben
-# private-cache -- access to .cache/tracker is required
+#private-cache # access to .cache/tracker is required
 private-dev
 private-etc @x11
 private-tmp

etc/profile-a-l/bitlbee.profile

@@ -10,7 +10,7 @@ ignore noexec ${HOME}
 
 noblacklist /sbin
 noblacklist /usr/sbin
-# noblacklist /var/log
+#noblacklist /var/log
 
 include disable-common.inc
 include disable-devel.inc

etc/profile-a-l/bleachbit.profile

@@ -18,7 +18,7 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-# include disable-programs.inc
+#include disable-programs.inc
 
 caps.drop all
 net none
@@ -36,11 +36,11 @@ protocol unix
 seccomp
 
 private-dev
-# private-tmp
+#private-tmp
 
 dbus-user none
 dbus-system none
 
 # memory-deny-write-execute breaks some systems, see issue #1850
-# memory-deny-write-execute
+#memory-deny-write-execute
 restrict-namespaces

etc/profile-a-l/bless.profile

@@ -31,7 +31,7 @@ novideo
 protocol unix
 seccomp
 
-# private-bin bash,bless,mono,sh
+#private-bin bash,bless,mono,sh
 private-cache
 private-dev
 private-etc mono

etc/profile-a-l/brackets.profile

@@ -32,4 +32,4 @@ seccomp !chroot,!ioperm
 private-cache
 private-dev
 
-# restrict-namespaces
+#restrict-namespaces

etc/profile-a-l/brasero.profile

@@ -29,9 +29,9 @@ protocol unix
 seccomp
 tracelog
 
-# private-bin brasero
+#private-bin brasero
 private-cache
-# private-dev
-# private-tmp
+#private-dev
+#private-tmp
 
 restrict-namespaces

etc/profile-a-l/build-systems-common.profile

@@ -39,7 +39,7 @@ include whitelist-var-common.inc
 caps.drop all
 ipc-namespace
 machine-id
-# net none
+#net none
 netfilter
 no3d
 nodvd

etc/profile-a-l/calibre.profile

@@ -36,4 +36,4 @@ seccomp !chroot
 private-dev
 private-tmp
 
-# restrict-namespaces
+#restrict-namespaces

etc/profile-a-l/calligra.profile

@@ -15,7 +15,7 @@ include disable-programs.inc
 
 caps.drop all
 ipc-namespace
-# net none
+#net none
 netfilter
 nodvd
 nogroups
@@ -32,9 +32,9 @@ seccomp.block-secondary
 private-bin calligra,calligraauthor,calligraconverter,calligraflow,calligragemini,calligraplan,calligraplanwork,calligrasheets,calligrastage,calligrawords,dbus-launch,kbuildsycoca4,kdeinit4
 private-dev
 
-# dbus-user none
-# dbus-system none
+#dbus-user none
+#dbus-system none
 
-# noexec ${HOME}
+#noexec ${HOME}
 noexec /tmp
 restrict-namespaces

etc/profile-a-l/cameramonitor.profile

@@ -48,8 +48,8 @@ private-cache
 private-etc
 private-tmp
 
-# dbus-user none
-# dbus-system none
+#dbus-user none
+#dbus-system none
 
-# memory-deny-write-execute - breaks on Arch
+#memory-deny-write-execute # breaks on Arch
 restrict-namespaces

etc/profile-a-l/cantata.profile

@@ -22,7 +22,7 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
-# apparmor
+#apparmor
 caps.drop all
 ipc-namespace
 netfilter
@@ -34,7 +34,7 @@ novideo
 protocol unix,inet,inet6,netlink
 seccomp
 
-# private-etc alternatives,drirc,fonts,gcrypt,hosts,kde5rc,mpd.conf,passwd,samba,ssl,xdg
+#private-etc alternatives,drirc,fonts,gcrypt,hosts,kde5rc,mpd.conf,passwd,samba,ssl,xdg
 private-bin cantata,mpd,perl
 private-dev
 

etc/profile-a-l/catfish.profile

@@ -15,10 +15,10 @@ noblacklist ${HOME}/.config/catfish
 include allow-python2.inc
 include allow-python3.inc
 
-# include disable-common.inc
-# include disable-devel.inc
+#include disable-common.inc
+#include disable-devel.inc
 include disable-interpreters.inc
-# include disable-programs.inc
+#include disable-programs.inc
 
 whitelist /var/lib/mlocate
 include whitelist-var-common.inc
@@ -40,9 +40,9 @@ tracelog
 
 # These options work but are disabled in case
 # a users wants to search in these directories.
-# private-bin bash,catfish,env,locate,ls,mlocate,python*
-# private-dev
-# private-tmp
+#private-bin bash,catfish,env,locate,ls,mlocate,python*
+#private-dev
+#private-tmp
 
 dbus-user none
 dbus-system none

etc/profile-a-l/cawbird.profile

@@ -41,7 +41,7 @@ private-dev
 private-etc @tls-ca,@x11,host.conf,mime.types
 private-tmp
 
-# dbus-user none
+#dbus-user none
 dbus-system none
 
 restrict-namespaces

etc/profile-a-l/chromium-browser-privacy.profile

@@ -13,7 +13,7 @@ mkdir ${HOME}/.config/ungoogled-chromium
 whitelist ${HOME}/.cache/ungoogled-chromium
 whitelist ${HOME}/.config/ungoogled-chromium
 
-# private-bin basename,bash,cat,chromium-browser-privacy,dirname,mkdir,readlink,sed,touch,which,xdg-settings
+#private-bin basename,bash,cat,chromium-browser-privacy,dirname,mkdir,readlink,sed,touch,which,xdg-settings
 
 # Redirect
 include chromium.profile

etc/profile-a-l/chromium-common.profile

@@ -33,7 +33,7 @@ include whitelist-run-common.inc
 ?BROWSER_DISABLE_U2F: nou2f
 
 ?BROWSER_DISABLE_U2F: private-dev
-#private-tmp - issues when using multiple browser sessions
+#private-tmp # issues when using multiple browser sessions
 
 blacklist ${PATH}/curl
 blacklist ${PATH}/wget

etc/profile-a-l/chromium.profile

@@ -17,7 +17,7 @@ whitelist ${HOME}/.config/chromium
 whitelist ${HOME}/.config/chromium-flags.conf
 whitelist /usr/share/chromium
 
-# private-bin chromium,chromium-browser,chromedriver
+#private-bin chromium,chromium-browser,chromedriver
 
 # Redirect
 include chromium-common.profile

etc/profile-a-l/clac.profile

@@ -16,10 +16,10 @@ include disable-interpreters.inc
 include disable-proc.inc
 include disable-programs.inc
 include disable-shell.inc
-#include disable-X11.inc - x11 none
+#include disable-X11.inc # x11 none
 include disable-xdg.inc
 
-#include whitelist-common.inc - see #903
+#include whitelist-common.inc # see #903
 include whitelist-run-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc

etc/profile-a-l/claws-mail.profile

@@ -18,7 +18,7 @@ whitelist ${HOME}/.claws-mail
 
 whitelist /usr/share/doc/claws-mail
 
-# private-bin claws-mail,curl,gpg,gpg2,gpg-agent,gpgsm,gpgme-config,pinentry,pinentry-gtk-2
+#private-bin claws-mail,curl,gpg,gpg2,gpg-agent,gpgsm,gpgme-config,pinentry,pinentry-gtk-2
 
 # Redirect
 include email-common.profile

etc/profile-a-l/clawsker.profile

@@ -50,5 +50,5 @@ private-tmp
 dbus-user none
 dbus-system none
 
-#memory-deny-write-execute - breaks on Arch (see issue #1803)
+#memory-deny-write-execute # breaks on Arch (see issue #1803)
 restrict-namespaces

etc/profile-a-l/clementine.profile

@@ -37,6 +37,6 @@ private-dev
 private-tmp
 
 dbus-system none
-# dbus-user none
+#dbus-user none
 
 restrict-namespaces

etc/profile-a-l/clion.profile

@@ -37,7 +37,7 @@ seccomp
 
 private-cache
 private-dev
-# private-tmp
+#private-tmp
 
 noexec /tmp
 restrict-namespaces

etc/profile-a-l/clipgrab.profile

@@ -46,7 +46,7 @@ private-dev
 private-tmp
 
 # 'dbus-user none' breaks tray menu - add 'dbus-user none' to your clipgrab.local if you don't need it.
-# dbus-user none
-# dbus-system none
+#dbus-user none
+#dbus-system none
 
-# restrict-namespaces
+#restrict-namespaces

etc/profile-a-l/code.profile

@@ -35,7 +35,7 @@ nosound
 # Disabling noexec ${HOME} for now since it will
 # probably interfere with running some programmes
 # in VS Code
-# noexec ${HOME}
+#noexec ${HOME}
 noexec /tmp
 
 # Redirect

etc/profile-a-l/com.github.bleakgrey.tootle.profile

@@ -48,9 +48,9 @@ private-etc @tls-ca,@x11,host.conf,mime.types
 private-tmp
 
 # Settings are immutable
-# dbus-user filter
-# dbus-user.own com.github.bleakgrey.tootle
-# dbus-user.talk ca.desrt.dconf
+#dbus-user filter
+#dbus-user.own com.github.bleakgrey.tootle
+#dbus-user.talk ca.desrt.dconf
 dbus-system none
 
 restrict-namespaces

etc/profile-a-l/cower.profile

@@ -19,8 +19,8 @@ include disable-shell.inc
 include disable-xdg.inc
 
 # This profile could be significantly strengthened by adding the following to cower.local
-# whitelist ${HOME}/<Your Build Folder>
-# whitelist ${HOME}/.config/cower
+#whitelist ${HOME}/<Your Build Folder>
+#whitelist ${HOME}/.config/cower
 
 caps.drop all
 ipc-namespace

etc/profile-a-l/curl.profile

@@ -50,10 +50,10 @@ protocol inet,inet6
 seccomp
 tracelog
 
-# private-bin curl
+#private-bin curl
 private-cache
 private-dev
-# private-etc alternatives,ca-certificates,crypto-policies,pki,resolv.conf,ssl
+#private-etc alternatives,ca-certificates,crypto-policies,pki,resolv.conf,ssl
 private-etc @tls-ca
 private-tmp
 

etc/profile-a-l/cyberfox.profile

@@ -15,7 +15,7 @@ whitelist ${HOME}/.cache/8pecxstudios
 whitelist /usr/share/8pecxstudios
 whitelist /usr/share/cyberfox
 
-# private-bin cyberfox,dbus-launch,dbus-send,env,sh,which
+#private-bin cyberfox,dbus-launch,dbus-send,env,sh,which
 # private-etc must first be enabled in firefox-common.profile
 #private-etc cyberfox
 

etc/profile-a-l/d-feet.profile

@@ -31,7 +31,7 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 ipc-namespace
-# net none - breaks on Ubuntu
+#net none # breaks on Ubuntu
 no3d
 nodvd
 nogroups
@@ -52,5 +52,5 @@ private-dev
 private-etc dbus-1
 private-tmp
 
-#memory-deny-write-execute - breaks on Arch (see issue #1803)
+#memory-deny-write-execute # breaks on Arch (see issue #1803)
 restrict-namespaces

etc/profile-a-l/dconf-editor.profile

@@ -22,7 +22,7 @@ include whitelist-var-common.inc
 
 apparmor
 caps.drop all
-# net none - breaks application on older versions
+#net none # breaks application on older versions
 no3d
 nodvd
 nogroups

etc/profile-a-l/ddgtk.profile

@@ -50,5 +50,5 @@ private-tmp
 dbus-user none
 dbus-system none
 
-# memory-deny-write-execute - breaks on Arch
+#memory-deny-write-execute # breaks on Arch
 restrict-namespaces

etc/profile-a-l/default.profile

@@ -9,54 +9,54 @@ include globals.local
 # depending on your usage, you can enable some of the commands below:
 
 include disable-common.inc
-# include disable-devel.inc
-# include disable-exec.inc
-# include disable-interpreters.inc
+#include disable-devel.inc
+#include disable-exec.inc
+#include disable-interpreters.inc
 include disable-programs.inc
-# include disable-shell.inc
-# include disable-write-mnt.inc
-# include disable-xdg.inc
+#include disable-shell.inc
+#include disable-write-mnt.inc
+#include disable-xdg.inc
 
-# include whitelist-common.inc
-# include whitelist-runuser-common.inc
-# include whitelist-usr-share-common.inc
-# include whitelist-var-common.inc
+#include whitelist-common.inc
+#include whitelist-runuser-common.inc
+#include whitelist-usr-share-common.inc
+#include whitelist-var-common.inc
 
-# apparmor
+#apparmor
 caps.drop all
-# ipc-namespace
-# machine-id
-# net none
+#ipc-namespace
+#machine-id
+#net none
 netfilter
-# no3d
-# nodvd
-# nogroups
+#no3d
+#nodvd
+#nogroups
 noinput
 nonewprivs
 noroot
-# nosound
+#nosound
 notv
-# nou2f
+#nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
-# tracelog
+#tracelog
 
-# disable-mnt
-# private
-# private-bin program
-# private-cache
+#disable-mnt
+#private
+#private-bin program
+#private-cache
 private-dev
 # see /usr/share/doc/firejail/profile.template for more common private-etc paths.
-# private-etc alternatives,fonts,machine-id
-# private-lib
-# private-opt none
+#private-etc alternatives,fonts,machine-id
+#private-lib
+#private-opt none
 private-tmp
 
-# dbus-user none
-# dbus-system none
+#dbus-user none
+#dbus-system none
 
-# deterministic-shutdown
-# memory-deny-write-execute
-# read-only ${HOME}
+#deterministic-shutdown
+#memory-deny-write-execute
+#read-only ${HOME}
 restrict-namespaces

etc/profile-a-l/deluge.profile

@@ -13,7 +13,7 @@ include allow-python2.inc
 include allow-python3.inc
 
 include disable-common.inc
-# include disable-devel.inc
+#include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
 include disable-programs.inc

etc/profile-a-l/devhelp.profile

@@ -23,7 +23,7 @@ include whitelist-usr-share-common.inc
 
 apparmor
 caps.drop all
-# net none - makes settings immutable
+#net none # makes settings immutable
 nodvd
 nogroups
 noinput
@@ -45,9 +45,9 @@ private-etc @tls-ca,@x11
 private-tmp
 
 # makes settings immutable
-# dbus-user none
-# dbus-system none
+#dbus-user none
+#dbus-system none
 
-#memory-deny-write-execute - breaks on Arch (see issue #1803)
+#memory-deny-write-execute # breaks on Arch (see issue #1803)
 read-only ${HOME}
 restrict-namespaces

etc/profile-a-l/dig.profile

@@ -14,13 +14,13 @@ blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}
 
 include disable-common.inc
-# include disable-devel.inc
+#include disable-devel.inc
 include disable-exec.inc
-# include disable-interpreters.inc
+#include disable-interpreters.inc
 include disable-programs.inc
 include disable-xdg.inc
 
-#mkfile ${HOME}/.digrc - see #903
+#mkfile ${HOME}/.digrc # see #903
 whitelist ${HOME}/.digrc
 include whitelist-common.inc
 include whitelist-usr-share-common.inc

etc/profile-a-l/digikam.profile

@@ -43,7 +43,7 @@ seccomp !chroot
 #private-etc alternatives,ca-certificates,crypto-policies,pki,ssl
 private-tmp
 
-# dbus-user none
-# dbus-system none
+#dbus-user none
+#dbus-system none
 
-# restrict-namespaces
+#restrict-namespaces

etc/profile-a-l/display.profile

@@ -34,7 +34,7 @@ notv
 nou2f
 protocol unix
 seccomp
-# x11 xorg - problems on kubuntu 17.04
+#x11 xorg # problems on kubuntu 17.04
 
 private-bin display,python*
 private-dev

etc/profile-a-l/dolphin-emu.profile

@@ -36,7 +36,7 @@ apparmor
 caps.drop all
 ipc-namespace
 # Add the next line to your dolphin-emu.local if you do not need NetPlay support.
-# net none
+#net none
 netfilter
 # Add the next line to your dolphin-emu.local if you do not need disc support.
 #nodvd

etc/profile-a-l/drawio.profile

@@ -39,7 +39,7 @@ nou2f
 novideo
 protocol unix
 seccomp !chroot
-# tracelog - breaks on Arch
+#tracelog # breaks on Arch
 
 private-bin drawio
 private-cache
@@ -50,5 +50,5 @@ private-tmp
 dbus-user none
 dbus-system none
 
-# memory-deny-write-execute - breaks on Arch
-# restrict-namespaces
+#memory-deny-write-execute # breaks on Arch
+#restrict-namespaces

etc/profile-a-l/drill.profile

@@ -13,9 +13,9 @@ blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}
 
 include disable-common.inc
-# include disable-devel.inc
+#include disable-devel.inc
 include disable-exec.inc
-# include disable-interpreters.inc
+#include disable-interpreters.inc
 include disable-programs.inc
 include disable-xdg.inc
 

etc/profile-a-l/easystroke.profile

@@ -49,8 +49,8 @@ private-etc
 #private-lib gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.so.*
 private-tmp
 
-# dbus-user none
-# dbus-system none
+#dbus-user none
+#dbus-system none
 
 memory-deny-write-execute
 restrict-namespaces

etc/profile-a-l/electrum.profile

@@ -49,7 +49,7 @@ private-dev
 private-etc @tls-ca,@x11
 private-tmp
 
-# dbus-user none
-# dbus-system none
+#dbus-user none
+#dbus-system none
 
 restrict-namespaces

etc/profile-a-l/email-common.profile

@@ -75,7 +75,7 @@ seccomp
 seccomp.block-secondary
 tracelog
 
-# disable-mnt
+#disable-mnt
 private-cache
 private-dev
 private-etc @tls-ca,@x11,bogofilter,bogofilter.cf,gnupg,hosts.conf,mailname,timezone

etc/profile-a-l/engrampa.profile

@@ -35,9 +35,9 @@ seccomp
 seccomp.block-secondary
 tracelog
 
-# private-bin engrampa
+#private-bin engrampa
 private-dev
-# private-tmp
+#private-tmp
 
 dbus-user filter
 dbus-user.talk ca.desrt.dconf

etc/profile-a-l/enpass.profile

@@ -58,5 +58,5 @@ private-dev
 private-opt Enpass
 private-tmp
 
-#memory-deny-write-execute - breaks on Arch (see issue #1803)
+#memory-deny-write-execute # breaks on Arch (see issue #1803)
 restrict-namespaces

etc/profile-a-l/ephemeral.profile

@@ -59,7 +59,7 @@ private-cache
 private-tmp
 
 # breaks preferences
-# dbus-user none
-# dbus-system none
+#dbus-user none
+#dbus-system none
 
 restrict-namespaces

etc/profile-a-l/etr.profile

@@ -48,7 +48,7 @@ disable-mnt
 private-bin etr
 private-cache
 private-dev
-# private-etc alternatives,drirc,machine-id,openal,passwd
+#private-etc alternatives,drirc,machine-id,openal,passwd
 private-etc @games,@x11
 private-tmp
 

etc/profile-a-l/evince.profile

@@ -34,7 +34,7 @@ include whitelist-var-common.inc
 
 caps.drop all
 machine-id
-# net none - breaks AppArmor on Ubuntu systems
+#net none # breaks AppArmor on Ubuntu systems
 netfilter
 no3d
 nodvd

etc/profile-a-l/falkon.profile

@@ -41,17 +41,17 @@ nou2f
 protocol unix,inet,inet6,netlink
 # blacklisting of chroot system calls breaks falkon
 seccomp !chroot
-# tracelog
+#tracelog
 
 disable-mnt
-# private-bin falkon
+#private-bin falkon
 private-cache
 private-dev
 private-etc @tls-ca,@x11,adobe,mailcap,mime.types
 private-tmp
 
-# dbus-user filter
-# dbus-user.own org.kde.Falkon
+#dbus-user filter
+#dbus-user.own org.kde.Falkon
 dbus-system none
 
-# restrict-namespaces
+#restrict-namespaces

etc/profile-a-l/fdns.profile

@@ -24,7 +24,7 @@ include disable-xdg.inc
 apparmor /usr/bin/fdns
 caps.keep kill,net_bind_service,setgid,setuid,sys_admin,sys_chroot
 ipc-namespace
-# netfilter /etc/firejail/webserver.net
+#netfilter /etc/firejail/webserver.net
 no3d
 nodvd
 nogroups
@@ -43,7 +43,7 @@ private-bin bash,fdns,sh
 private-cache
 #private-dev
 private-etc @tls-ca,fdns
-# private-lib
+#private-lib
 private-tmp
 
 memory-deny-write-execute

etc/profile-a-l/feedreader.profile

@@ -29,13 +29,13 @@ include whitelist-var-common.inc
 
 caps.drop all
 netfilter
-# no3d
+#no3d
 nodvd
 nogroups
 noinput
 nonewprivs
 noroot
-# nosound
+#nosound
 notv
 nou2f
 novideo

etc/profile-a-l/ferdi.profile

@@ -45,4 +45,4 @@ disable-mnt
 private-dev
 private-tmp
 
-# restrict-namespaces
+#restrict-namespaces

etc/profile-a-l/ffmpeg.profile

@@ -53,5 +53,5 @@ private-tmp
 dbus-user none
 dbus-system none
 
-# memory-deny-write-execute - it breaks old versions of ffmpeg
+#memory-deny-write-execute # it breaks old versions of ffmpeg
 restrict-namespaces

etc/profile-a-l/file-roller.profile

@@ -22,7 +22,7 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 machine-id
-# net none - breaks on older Ubuntu versions
+#net none # breaks on older Ubuntu versions
 netfilter
 no3d
 nodvd
@@ -44,7 +44,7 @@ private-bin 7z,7za,7zr,ar,arj,atool,bash,brotli,bsdtar,bzip2,compress,cp,cpio,dp
 private-cache
 private-dev
 private-etc @x11
-# private-tmp
+#private-tmp
 
 dbus-user filter
 dbus-user.own org.gnome.ArchiveManager1

etc/profile-a-l/font-manager.profile

@@ -33,7 +33,7 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 machine-id
-# net none - issues on older versions
+#net none # issues on older versions
 no3d
 nodvd
 nogroups
@@ -53,5 +53,5 @@ private-bin font-manager,python*,yelp
 private-dev
 private-tmp
 
-#memory-deny-write-execute - breaks on Arch (see issue #1803)
+#memory-deny-write-execute # breaks on Arch (see issue #1803)
 restrict-namespaces

etc/profile-a-l/franz.profile

@@ -45,4 +45,4 @@ disable-mnt
 private-dev
 private-tmp
 
-# restrict-namespaces
+#restrict-namespaces

etc/profile-a-l/frozen-bubble.profile

@@ -41,7 +41,7 @@ seccomp
 tracelog
 
 disable-mnt
-# private-bin frozen-bubble
+#private-bin frozen-bubble
 private-dev
 private-etc @games,@x11
 private-tmp

etc/profile-a-l/funnyboat.profile

@@ -16,7 +16,7 @@ include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
 include disable-programs.inc
-# include disable-shell.inc
+#include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.funnyboat
@@ -41,7 +41,7 @@ notv
 novideo
 protocol unix,inet,inet6
 seccomp
-# tracelog
+#tracelog
 
 disable-mnt
 private-cache

etc/profile-a-l/galculator.profile

@@ -48,5 +48,5 @@ private-tmp
 dbus-user none
 dbus-system none
 
-#memory-deny-write-execute - breaks on Arch (see issue #1803)
+#memory-deny-write-execute # breaks on Arch (see issue #1803)
 restrict-namespaces

etc/profile-a-l/geary.profile

@@ -53,7 +53,7 @@ include whitelist-var-common.inc
 
 apparmor
 caps.drop all
-#ipc-namespace - may cause issues with X11
+#ipc-namespace # may cause issues with X11
 #machine-id
 netfilter
 no3d
@@ -71,7 +71,7 @@ seccomp
 seccomp.block-secondary
 tracelog
 
-# disable-mnt
+#disable-mnt
 #private-bin geary,sh
 private-cache
 private-dev

etc/profile-a-l/gedit.profile

@@ -13,18 +13,18 @@ noblacklist ${HOME}/.config/gedit
 include allow-common-devel.inc
 
 include disable-common.inc
-# include disable-devel.inc
+#include disable-devel.inc
 include disable-exec.inc
-# include disable-interpreters.inc
+#include disable-interpreters.inc
 include disable-programs.inc
 
 include whitelist-runuser-common.inc
 include whitelist-var-common.inc
 
-# apparmor - makes settings immutable
+#apparmor # makes settings immutable
 caps.drop all
 machine-id
-# net none - makes settings immutable
+#net none # makes settings immutable
 no3d
 nodvd
 nogroups
@@ -40,14 +40,14 @@ seccomp
 seccomp.block-secondary
 tracelog
 
-# private-bin gedit
+#private-bin gedit
 private-dev
 # private-lib breaks python plugins - add the next line to your gedit.local if you don't use them.
 #private-lib aspell,gconv,gedit,libgspell-1.so.*,libgtksourceview-*,libpeas-gtk-1.0.so.*,libreadline.so.*,libtinfo.so.*
 private-tmp
 
 # makes settings immutable
-# dbus-user none
-# dbus-system none
+#dbus-user none
+#dbus-system none
 
 restrict-namespaces

etc/profile-a-l/geekbench.profile

@@ -43,7 +43,7 @@ seccomp
 tracelog
 
 disable-mnt
-#private-bin bash,geekbench*,sh -- #4576
+#private-bin bash,geekbench*,sh # #4576
 private-cache
 private-dev
 private-etc lsb-release

etc/profile-a-l/geeqie.profile

@@ -32,7 +32,7 @@ novideo
 protocol unix,inet,inet6
 seccomp
 
-# private-bin geeqie
+#private-bin geeqie
 private-dev
 
 restrict-namespaces

etc/profile-a-l/gfeeds.profile

@@ -58,7 +58,7 @@ tracelog
 
 disable-mnt
 private-bin gfeeds,python3*
-# private-cache -- feeds are stored in ~/.cache
+#private-cache # feeds are stored in ~/.cache
 private-dev
 private-etc @tls-ca,@x11,dbus-1,gconf,host.conf,mime.types,rpc,services
 private-tmp

etc/profile-a-l/ghostwriter.profile

@@ -45,7 +45,7 @@ novideo
 protocol unix,inet,inet6,netlink
 seccomp !chroot
 seccomp.block-secondary
-#tracelog -- breaks
+#tracelog # breaks
 
 private-bin context,gettext,ghostwriter,latex,mktexfmt,pandoc,pdflatex,pdfroff,prince,weasyprint,wkhtmltopdf
 private-cache

etc/profile-a-l/github-desktop.profile

@@ -29,14 +29,14 @@ noblacklist ${HOME}/.config/git
 noblacklist ${HOME}/.gitconfig
 noblacklist ${HOME}/.git-credentials
 
-# no3d
+#no3d
 nosound
 
-# private-bin github-desktop
+#private-bin github-desktop
 ?HAS_APPIMAGE: ignore private-dev
-# private-lib
+#private-lib
 
-# memory-deny-write-execute
+#memory-deny-write-execute
 
 # Redirect
 include electron-common.profile

etc/profile-a-l/gjs.profile

@@ -38,9 +38,9 @@ protocol unix,inet,inet6
 seccomp
 tracelog
 
-# private-bin gjs,gnome-books,gnome-documents,gnome-maps,gnome-photos,gnome-weather
+#private-bin gjs,gnome-books,gnome-documents,gnome-maps,gnome-photos,gnome-weather
 private-dev
-# private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,ssl
+#private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,ssl
 private-tmp
 
 restrict-namespaces

etc/profile-a-l/gmpc.profile

@@ -51,5 +51,5 @@ dbus-user filter
 dbus-user.talk org.mpris.MediaPlayer2.mpd
 dbus-system none
 
-# memory-deny-write-execute - breaks on Arch
+#memory-deny-write-execute # breaks on Arch
 restrict-namespaces

etc/profile-a-l/gnome-books.profile

@@ -39,7 +39,7 @@ protocol unix
 seccomp
 tracelog
 
-# private-bin gjs,gnome-books
+#private-bin gjs,gnome-books
 private-dev
 private-tmp
 

etc/profile-a-l/gnome-calculator.profile

@@ -24,7 +24,7 @@ apparmor
 caps.drop all
 ipc-namespace
 machine-id
-#net none -- breaks currency conversion
+#net none # breaks currency conversion
 netfilter
 no3d
 nodvd

etc/profile-a-l/gnome-characters.profile

@@ -52,8 +52,8 @@ private-etc @x11,gconf,mime.types
 private-tmp
 
 # Add the next lines to your gnome-characters.local if you don't need access to recently used chars.
-# dbus-user none
-# dbus-system none
+#dbus-user none
+#dbus-system none
 
 read-only ${HOME}
 restrict-namespaces

etc/profile-a-l/gnome-contacts.profile

@@ -21,7 +21,7 @@ include whitelist-var-common.inc
 
 caps.drop all
 netfilter
-#no3d - breaks on Arch
+#no3d # breaks on Arch
 nodvd
 noinput
 nonewprivs

etc/profile-a-l/gnome-keyring.profile

@@ -55,7 +55,7 @@ private-dev
 #private-lib alternatives,gnome-keyring,libsecret-1.so.*,pkcs11,security
 private-tmp
 
-# dbus-user none
+#dbus-user none
 dbus-system none
 
 memory-deny-write-execute

etc/profile-a-l/gnome-maps.profile

@@ -61,7 +61,7 @@ tracelog
 
 disable-mnt
 private-bin gjs,gnome-maps
-# private-cache -- gnome-maps cache all maps/satelite-images
+#private-cache # gnome-maps cache all maps/satelite-images
 private-dev
 private-etc @tls-ca,@x11,clutter-1.0,gconf,host.conf,mime.types,pkcs11,rpc,services
 private-tmp

etc/profile-a-l/gnome-mplayer.profile

@@ -26,7 +26,7 @@ nou2f
 protocol unix,inet,inet6
 seccomp
 
-# private-bin gnome-mplayer,mplayer
+#private-bin gnome-mplayer,mplayer
 private-cache
 private-dev
 private-tmp

etc/profile-a-l/gnome-nettool.profile

@@ -14,7 +14,7 @@ include disable-programs.inc
 include disable-xdg.inc
 
 whitelist /usr/share/gnome-nettool
-#include whitelist-common.inc -- see #903
+#include whitelist-common.inc # see #903
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc

etc/profile-a-l/gnome-photos.profile

@@ -36,7 +36,7 @@ seccomp
 seccomp.block-secondary
 tracelog
 
-# private-bin gjs,gnome-photos
+#private-bin gjs,gnome-photos
 private-dev
 private-tmp