profiles: split commands that increase/reduce access (template)

This should clarify which commands do what (increase/reduce access) and also make etc/templates/profile.template more consistent with etc/profile-m-z/noprofile.profile. This is a follow-up to #6660. See also the discussion at [1]. [1] https://github.com/netblue30/firejail/pull/6660#discussion_r1975233984
2026-05-15 14:16:14 -06:00 · 2025-02-27 16:37:00 -03:00 · 2025-02-27 16:37:00 -03:00 · c90f4600e4
commit c90f4600e4
parent e15db30859
1 changed files with 8 additions and 5 deletions
--- a/etc/templates/profile.template
+++ b/etc/templates/profile.template
@ -154,7 +154,15 @@ include globals.local
 ##landlock.fs.execute PATH
 #include landlock-common.inc

+# Commands that increase access to resources.
 ##allusers
+##keep-dev-ntsync
+##writable-etc
+##writable-run-user
+##writable-var
+##writable-var-log
+
+# Commands that reduce access to resources.
 #apparmor
 #caps.drop all
 ##caps.keep CAPS
@ -195,7 +203,6 @@ include globals.local
 ##x11 none

 #disable-mnt
-##keep-dev-ntsync
 ##private
 # It's common practice to refer to the python executable(s) in private-bin with `python*`, which covers both v2 and v3
 #private-bin PROGRAMS
@ -224,10 +231,6 @@ include globals.local
 ##  - use 'private-opt NAME'
 ##private-opt NAME
 #private-tmp
-##writable-etc
-##writable-run-user
-##writable-var
-##writable-var-log

 # Since 0.9.63 also a more granular control of dbus is supported.
 # To get the dbus-addresses an application needs access to you can