Fix comments in 88 profiles

There may actually be some other comments that were removed, but the bulk have been restored

etc/akregator.profile

@@ -30,6 +30,3 @@ private-tmp
 
 noexec ${HOME}
 noexec /tmp
-
-# CLOBBERED COMMENTS
-# nosound

etc/amarok.profile

@@ -17,12 +17,10 @@ nogroups
 nonewprivs
 noroot
 protocol unix,inet,inet6
+# seccomp
 shell none
 
 # private-bin amarok
 private-dev
 # private-etc none
 private-tmp
-
-# CLOBBERED COMMENTS
-# seccomp

etc/android-studio.profile

@@ -32,6 +32,3 @@ private-dev
 # private-tmp
 
 noexec /tmp
-
-# CLOBBERED COMMENTS
-# nosound

etc/caja.profile

@@ -5,6 +5,9 @@ include /etc/firejail/caja.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
+# Caja is started by systemd on most systems. Therefore it is not firejailed by default. Since there
+# is already a caja process running on MATE desktops firejail will have no effect.
+
 noblacklist ~/.config/caja
 noblacklist ~/.local/share/Trash
 noblacklist ~/.local/share/caja-python
@@ -24,12 +27,8 @@ seccomp
 shell none
 tracelog
 
+# caja needs to be able to start arbitrary applications so we cannot blacklist their files
 # private-bin caja
 # private-dev
 # private-etc fonts
 # private-tmp
-
-# CLOBBERED COMMENTS
-# Caja is started by systemd on most systems. Therefore it is not firejailed by default. Since there
-# caja needs to be able to start arbitrary applications so we cannot blacklist their files
-# is already a caja process running on MATE desktops firejail will have no effect.

etc/catfish.profile

@@ -5,6 +5,8 @@ include /etc/firejail/catfish.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
+# We can't blacklist much since catfish
+# is for finding files/content
 noblacklist ~/.config/catfish
 
 include /etc/firejail/disable-devel.inc
@@ -22,12 +24,8 @@ seccomp
 shell none
 tracelog
 
+# These options work but are disabled in case
+# a users wants to search in these directories.
 # private-bin bash,catfish,env,locate,ls,mlocate,python,python2,python2.7,python3,python3.5,python3.5m,python3m
 # private-dev
 # private-tmp
-
-# CLOBBERED COMMENTS
-# These options work but are disabled in case
-# We can't blacklist much since catfish
-# a users wants to search in these directories.
-# is for finding files/content

etc/cherrytree.profile

@@ -32,6 +32,3 @@ private-tmp
 
 noexec ${HOME}
 noexec /tmp
-
-# CLOBBERED COMMENTS
-# cherrytree note taking application

etc/chromium.profile

@@ -11,6 +11,7 @@ noblacklist ~/.config/chromium-flags.conf
 noblacklist ~/.pki
 
 include /etc/firejail/disable-common.inc
+# chromium is distributed with a perl script on Arch
 # include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-programs.inc
 
@@ -34,8 +35,3 @@ private-dev
 
 noexec ${HOME}
 noexec /tmp
-
-# CLOBBERED COMMENTS
-# chromium is distributed with a perl script on Arch
-# disable-mnt
-# specific to Arch

etc/clementine.profile

@@ -16,7 +16,5 @@ nonewprivs
 noroot
 novideo
 protocol unix,inet,inet6
-seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,name_to_handle_at,open_by_handle_at,create_module,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,chroot,tuxcall,reboot,mfsservctl,get_kernel_syms,bpf,clock_settime,personality,process_vm_writev,query_module,settimeofday,stime,umount,userfaultfd,ustat,vm86,vm86old
-
-# CLOBBERED COMMENTS
 # Clementine makes ioprio_set system calls, which are blacklisted by default.
+seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,name_to_handle_at,open_by_handle_at,create_module,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,chroot,tuxcall,reboot,mfsservctl,get_kernel_syms,bpf,clock_settime,personality,process_vm_writev,query_module,settimeofday,stime,umount,userfaultfd,ustat,vm86,vm86old

etc/cpio.profile

@@ -25,7 +25,3 @@ shell none
 tracelog
 
 private-dev
-
-# CLOBBERED COMMENTS
-# /boot is not visible and /var is heavily modified
-# /sbin and /usr/sbin are visible inside the sandbox

etc/cvlc.profile

@@ -22,11 +22,9 @@ seccomp
 shell none
 tracelog
 
+# clvc doesn't like private-bin
 # private-bin vlc,cvlc,nvlc,rvlc,qvlc,svlc
 private-dev
 private-tmp
 
 memory-deny-write-execute
-
-# CLOBBERED COMMENTS
-# clvc doesn't like private-bin

etc/deluge.profile

@@ -27,9 +27,7 @@ protocol unix,inet,inet6
 seccomp
 shell none
 
+# deluge is using python on Debian
 # private-bin deluge,sh,python,uname
 private-dev
 private-tmp
-
-# CLOBBERED COMMENTS
-# deluge is using python on Debian

etc/digikam.profile

@@ -21,6 +21,7 @@ nonewprivs
 noroot
 protocol unix,inet,inet6,netlink
 seccomp
+# seccomp.keep fallocate,getrusage,openat,access,arch_prctl,bind,brk,chdir,chmod,clock_getres,clone,close,connect,dup2,dup3,eventfd2,execve,fadvise64,fcntl,fdatasync,flock,fstat,fstatfs,ftruncate,futex,getcwd,getdents,getegid,geteuid,getgid,getpeername,getpgrp,getpid,getppid,getrandom,getresgid,getresuid,getrlimit,getsockname,getsockopt,gettid,getuid,inotify_add_watch,inotify_init,inotify_init1,inotify_rm_watch,ioctl,lseek,lstat,madvise,mbind,memfd_create,mkdir,mmap,mprotect,msync,munmap,nanosleep,open,pipe,pipe2,poll,ppoll,prctl,pread64,pwrite64,read,readlink,readlinkat,recvfrom,recvmsg,rename,rt_sigaction,rt_sigprocmask,rt_sigreturn,sched_getaffinity,sched_getparam,sched_get_priority_max,sched_get_priority_min,sched_getscheduler,sched_setscheduler,sched_yield,sendmsg,sendto,setgid,setresgid,setresuid,set_robust_list,setsid,setsockopt,set_tid_address,setuid,shmat,shmctl,shmdt,shmget,shutdown,socket,stat,statfs,sysinfo,timerfd_create,umask,uname,unlink,wait4,waitid,write,writev,fchmod,fchown,unshare,exit,exit_group
 shell none
 
 # private-bin program
@@ -30,6 +31,3 @@ private-tmp
 
 noexec ${HOME}
 noexec /tmp
-
-# CLOBBERED COMMENTS
-# seccomp.keep fallocate,getrusage,openat,access,arch_prctl,bind,brk,chdir,chmod,clock_getres,clone,close,connect,dup2,dup3,eventfd2,execve,fadvise64,fcntl,fdatasync,flock,fstat,fstatfs,ftruncate,futex,getcwd,getdents,getegid,geteuid,getgid,getpeername,getpgrp,getpid,getppid,getrandom,getresgid,getresuid,getrlimit,getsockname,getsockopt,gettid,getuid,inotify_add_watch,inotify_init,inotify_init1,inotify_rm_watch,ioctl,lseek,lstat,madvise,mbind,memfd_create,mkdir,mmap,mprotect,msync,munmap,nanosleep,open,pipe,pipe2,poll,ppoll,prctl,pread64,pwrite64,read,readlink,readlinkat,recvfrom,recvmsg,rename,rt_sigaction,rt_sigprocmask,rt_sigreturn,sched_getaffinity,sched_getparam,sched_get_priority_max,sched_get_priority_min,sched_getscheduler,sched_setscheduler,sched_yield,sendmsg,sendto,setgid,setresgid,setresuid,set_robust_list,setsid,setsockopt,set_tid_address,setuid,shmat,shmctl,shmdt,shmget,shutdown,socket,stat,statfs,sysinfo,timerfd_create,umask,uname,unlink,wait4,waitid,write,writev,fchmod,fchown,unshare,exit,exit_group

etc/dolphin.profile

@@ -5,6 +5,8 @@ include /etc/firejail/dolphin.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
+# warning: firejail is currently not effectively constraining dolphin since used services are started by kdeinit5
+
 noblacklist ${HOME}/.local/share/Trash
 noblacklist ~/.config/dolphinrc
 noblacklist ~/.local/share/dolphin
@@ -23,11 +25,8 @@ protocol unix
 seccomp
 shell none
 
+# dolphin needs to be able to start arbitrary applications so we cannot blacklist their files
 # private-bin
 # private-dev
 # private-etc
 # private-tmp
-
-# CLOBBERED COMMENTS
-# dolphin needs to be able to start arbitrary applications so we cannot blacklist their files
-# warning: firejail is currently not effectively constraining dolphin since used services are started by kdeinit5

etc/etr.profile

@@ -28,7 +28,3 @@ shell none
 private-dev
 # private-etc none
 private-tmp
-
-# CLOBBERED COMMENTS
-# depending on your usage, you can enable some of the commands below:
-# nosound

etc/evince.profile

@@ -28,11 +28,9 @@ tracelog
 private-bin evince,evince-previewer,evince-thumbnailer
 private-dev
 private-etc fonts
+# evince needs access to /tmp/mozilla* to work in firefox
 # private-tmp
 
 memory-deny-write-execute
 noexec ${HOME}
 noexec /tmp
-
-# CLOBBERED COMMENTS
-# evince needs access to /tmp/mozilla* to work in firefox

etc/file.profile

@@ -28,6 +28,3 @@ x11 none
 private-bin file
 private-dev
 private-etc magic.mgc,magic,localtime
-
-# CLOBBERED COMMENTS
-# noroot

etc/firefox.profile

@@ -68,6 +68,3 @@ private-tmp
 
 noexec ${HOME}
 noexec /tmp
-
-# CLOBBERED COMMENTS
-# disable-mnt

etc/flashpeak-slimjet.profile

@@ -5,11 +5,17 @@ include /etc/firejail/flashpeak-slimjet.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
+# This is a whitelisted profile, the internal browser sandbox
+# is disabled because it requires sudo password. The command
+# to run it is as follows:
+#  firejail flashpeak-slimjet --no-sandbox
+
 noblacklist ~/.cache/slimjet
 noblacklist ~/.config/slimjet
 noblacklist ~/.pki
 
 include /etc/firejail/disable-common.inc
+# chromium is distributed with a perl script on Arch
 # include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-programs.inc
 
@@ -28,9 +34,3 @@ nonewprivs
 noroot
 protocol unix,inet,inet6,netlink
 seccomp
-
-# CLOBBERED COMMENTS
-#  firejail flashpeak-slimjet --no-sandbox
-# chromium is distributed with a perl script on Arch
-# is disabled because it requires sudo password. The command
-# to run it is as follows:

etc/franz.profile

@@ -37,6 +37,3 @@ private-tmp
 
 noexec ${HOME}
 noexec /tmp
-
-# CLOBBERED COMMENTS
-# tracelog

etc/frozen-bubble.profile

@@ -28,7 +28,3 @@ shell none
 private-dev
 # private-etc none
 private-tmp
-
-# CLOBBERED COMMENTS
-# depending on your usage, you can enable some of the commands below:
-# nosound

etc/gajim.profile

@@ -40,7 +40,5 @@ disable-mnt
 private-dev
 # private-etc fonts
 # private-tmp
-read-only ${HOME}/.local/lib/python2.7/site-packages/
-
-# CLOBBERED COMMENTS
 # Allow the local python 2.7 site packages, in case any plugins are using these
+read-only ${HOME}/.local/lib/python2.7/site-packages/

etc/geary.profile

@@ -5,6 +5,9 @@ include /etc/firejail/geary.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
+# Users have Geary set to open a browser by clicking a link in an email
+# We are not allowed to blacklist browser-specific directories
+
 noblacklist ~/.gnupg
 noblacklist ~/.local/share/geary
 
@@ -21,9 +24,5 @@ ignore private-tmp
 read-only ~/.config/mimeapps.list
 read-only ~/.local/share/applications
 
-include /etc/firejail/firefox.profile
-
-# CLOBBERED COMMENTS
-# Users have Geary set to open a browser by clicking a link in an email
-# We are not allowed to blacklist browser-specific directories
 # allow browsers
+include /etc/firejail/firefox.profile

etc/gedit.profile

@@ -5,6 +5,8 @@ include /etc/firejail/gedit.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
+# when gedit is started via gnome-shell, firejail is not applied because systemd will start it
+
 noblacklist ~/.config/gedit
 
 include /etc/firejail/disable-common.inc
@@ -31,6 +33,3 @@ private-tmp
 
 noexec ${HOME}
 noexec /tmp
-
-# CLOBBERED COMMENTS
-# when gedit is started via gnome-shell, firejail is not applied because systemd will start it

etc/geeqie.profile

@@ -26,6 +26,3 @@ shell none
 # private-bin geeqie
 private-dev
 # private-etc X11
-
-# CLOBBERED COMMENTS
-# Experimental:

etc/ghb.profile

@@ -3,6 +3,3 @@
 
 
 include /etc/firejail/handbrake.profile
-
-# CLOBBERED COMMENTS
-# HandBrake

etc/gimp.profile

@@ -24,10 +24,7 @@ shell none
 private-dev
 private-tmp
 
-noexec /tmp
-
-# CLOBBERED COMMENTS
-# gimp
 # gimp plugins are installed by the user in ~/.gimp-2.8/plug-ins/ directory
 # if you are not using external plugins, you can enable noexec statement below
 # noexec ${HOME}
+noexec /tmp

etc/gjs.profile

@@ -5,6 +5,8 @@ include /etc/firejail/gjs.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
+# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
+
 noblacklist ~/.cache/libgweather
 noblacklist ~/.cache/org.gnome.Books
 noblacklist ~/.config/libreoffice
@@ -29,6 +31,3 @@ tracelog
 private-dev
 # private-etc fonts
 private-tmp
-
-# CLOBBERED COMMENTS
-# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them

etc/gnome-2048.profile

@@ -31,6 +31,3 @@ private-tmp
 
 noexec ${HOME}
 noexec /tmp
-
-# CLOBBERED COMMENTS
-# nosound

etc/gnome-books.profile

@@ -5,6 +5,8 @@ include /etc/firejail/gnome-books.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
+# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
+
 noblacklist ~/.cache/org.gnome.Books
 
 include /etc/firejail/disable-common.inc
@@ -32,6 +34,3 @@ private-tmp
 
 noexec ${HOME}
 noexec /tmp
-
-# CLOBBERED COMMENTS
-# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them

etc/gnome-calculator.profile

@@ -33,6 +33,3 @@ private-tmp
 memory-deny-write-execute
 noexec ${HOME}
 noexec /tmp
-
-# CLOBBERED COMMENTS
-# net none

etc/gnome-documents.profile

@@ -5,6 +5,8 @@ include /etc/firejail/gnome-documents.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
+# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
+
 noblacklist ~/.config/libreoffice
 
 include /etc/firejail/disable-common.inc
@@ -30,6 +32,3 @@ private-tmp
 
 noexec ${HOME}
 noexec /tmp
-
-# CLOBBERED COMMENTS
-# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them

etc/gnome-maps.profile

@@ -5,6 +5,8 @@ include /etc/firejail/gnome-maps.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
+# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
+
 noblacklist ${HOME}/.cache/champlain
 
 include /etc/firejail/disable-common.inc
@@ -32,6 +34,3 @@ private-tmp
 
 noexec ${HOME}
 noexec /tmp
-
-# CLOBBERED COMMENTS
-# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them

etc/gnome-photos.profile

@@ -5,6 +5,8 @@ include /etc/firejail/gnome-photos.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
+# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
+
 noblacklist ~/.local/share/gnome-photos
 
 include /etc/firejail/disable-common.inc
@@ -30,6 +32,3 @@ private-tmp
 
 noexec ${HOME}
 noexec /tmp
-
-# CLOBBERED COMMENTS
-# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them

etc/gnome-weather.profile

@@ -5,6 +5,8 @@ include /etc/firejail/gnome-weather.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
+# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
+
 noblacklist ~/.cache/libgweather
 
 include /etc/firejail/disable-common.inc
@@ -33,6 +35,3 @@ private-tmp
 
 noexec ${HOME}
 noexec /tmp
-
-# CLOBBERED COMMENTS
-# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them

etc/google-chrome-beta.profile

@@ -10,6 +10,7 @@ noblacklist ~/.config/google-chrome-beta
 noblacklist ~/.pki
 
 include /etc/firejail/disable-common.inc
+# chromium is distributed with a perl script on Arch
 # include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-programs.inc
 
@@ -32,7 +33,3 @@ private-dev
 
 noexec ${HOME}
 noexec /tmp
-
-# CLOBBERED COMMENTS
-# chromium is distributed with a perl script on Arch
-# disable-mnt

etc/google-chrome-unstable.profile

@@ -10,6 +10,7 @@ noblacklist ~/.config/google-chrome-unstable
 noblacklist ~/.pki
 
 include /etc/firejail/disable-common.inc
+# chromium is distributed with a perl script on Arch
 # include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-programs.inc
 
@@ -32,7 +33,3 @@ private-dev
 
 noexec ${HOME}
 noexec /tmp
-
-# CLOBBERED COMMENTS
-# chromium is distributed with a perl script on Arch
-# disable-mnt

etc/google-chrome.profile

@@ -10,6 +10,7 @@ noblacklist ~/.config/google-chrome
 noblacklist ~/.pki
 
 include /etc/firejail/disable-common.inc
+# chromium is distributed with a perl script on Arch
 # include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-programs.inc
 
@@ -32,7 +33,3 @@ private-dev
 
 noexec ${HOME}
 noexec /tmp
-
-# CLOBBERED COMMENTS
-# chromium is distributed with a perl script on Arch
-# disable-mnt

etc/google-play-music-desktop-player.profile

@@ -12,6 +12,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+# whitelist ~/.config/pulse
+# whitelist ~/.pulse
 whitelist ~/.config/Google Play Music Desktop Player
 include /etc/firejail/whitelist-common.inc
 
@@ -32,7 +34,3 @@ private-tmp
 
 noexec ${HOME}
 noexec /tmp
-
-# CLOBBERED COMMENTS
-# whitelist ~/.config/pulse
-# whitelist ~/.pulse

etc/gwenview.profile

@@ -34,6 +34,3 @@ private-dev
 
 noexec ${HOME}
 noexec /tmp
-
-# CLOBBERED COMMENTS
-# Experimental:

etc/handbrake-gtk.profile

@@ -3,6 +3,3 @@
 
 
 include /etc/firejail/handbrake.profile
-
-# CLOBBERED COMMENTS
-# HandBrake

etc/hexchat.profile

@@ -6,6 +6,8 @@ include /etc/firejail/hexchat.local
 include /etc/firejail/globals.local
 
 noblacklist ${HOME}/.config/hexchat
+# noblacklist /usr/lib/python2*
+# noblacklist /usr/lib/python3*
 
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
@@ -29,15 +31,10 @@ shell none
 tracelog
 
 disable-mnt
+# debug note: private-bin requires perl, python, etc on some systems
 private-bin hexchat
 private-dev
 private-tmp
 
 noexec ${HOME}
 noexec /tmp
-
-# CLOBBERED COMMENTS
-# Currently in testing (may not work for all users)
-# debug note: private-bin requires perl, python, etc on some systems
-# noblacklist /usr/lib/python2*
-# noblacklist /usr/lib/python3*

etc/icedove.profile

@@ -5,6 +5,9 @@ include /etc/firejail/icedove.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
+# Users have icedove set to open a browser by clicking a link in an email
+# We are not allowed to blacklist browser-specific directories
+
 noblacklist ~/.cache/icedove
 noblacklist ~/.gnupg
 noblacklist ~/.icedove
@@ -19,9 +22,5 @@ include /etc/firejail/whitelist-common.inc
 
 ignore private-tmp
 
-include /etc/firejail/firefox.profile
-
-# CLOBBERED COMMENTS
-# Users have icedove set to open a browser by clicking a link in an email
-# We are not allowed to blacklist browser-specific directories
 # allow browsers
+include /etc/firejail/firefox.profile

etc/idea.sh.profile

@@ -32,6 +32,3 @@ private-dev
 # private-tmp
 
 noexec /tmp
-
-# CLOBBERED COMMENTS
-# nosound

etc/inkscape.profile

@@ -28,6 +28,3 @@ private-tmp
 
 noexec ${HOME}
 noexec /tmp
-
-# CLOBBERED COMMENTS
-# inkscape

etc/iridium.profile

@@ -9,6 +9,7 @@ noblacklist ~/.cache/iridium
 noblacklist ~/.config/iridium
 
 include /etc/firejail/disable-common.inc
+# chromium/iridium is distributed with a perl script on Arch
 # include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-programs.inc
 
@@ -22,6 +23,3 @@ whitelist ~/.pki
 include /etc/firejail/whitelist-common.inc
 
 netfilter
-
-# CLOBBERED COMMENTS
-# chromium/iridium is distributed with a perl script on Arch

etc/kodi.profile

@@ -27,6 +27,3 @@ private-tmp
 
 noexec ${HOME}
 noexec /tmp
-
-# CLOBBERED COMMENTS
-# novideo

etc/kwrite.profile

@@ -22,6 +22,7 @@ netfilter
 nogroups
 nonewprivs
 noroot
+# nosound - KWrite is using ALSA!
 protocol unix
 seccomp
 shell none
@@ -31,6 +32,3 @@ tracelog
 private-dev
 # private-etc fonts
 private-tmp
-
-# CLOBBERED COMMENTS
-# nosound - KWrite is using ALSA!

etc/libreoffice.profile

@@ -28,6 +28,3 @@ private-dev
 
 noexec ${HOME}
 noexec /tmp
-
-# CLOBBERED COMMENTS
-# whitelist /tmp/.X11-unix/

etc/liferea.profile

@@ -24,9 +24,11 @@ include /etc/firejail/whitelist-common.inc
 
 caps.drop all
 netfilter
+# no3d
 nogroups
 nonewprivs
 noroot
+# nosound
 novideo
 protocol unix,inet,inet6
 seccomp
@@ -38,7 +40,3 @@ private-tmp
 
 noexec ${HOME}
 noexec /tmp
-
-# CLOBBERED COMMENTS
-# no3d
-# nosound

etc/luminance-hdr.profile

@@ -29,6 +29,3 @@ private-tmp
 
 noexec ${HOME}
 noexec /tmp
-
-# CLOBBERED COMMENTS
-# luminance-hdr

etc/lxterminal.profile

@@ -12,8 +12,6 @@ include /etc/firejail/disable-programs.inc
 
 caps.drop all
 netfilter
+# noroot - somehow this breaks on Debian Jessie!
 protocol unix,inet,inet6
 seccomp
-
-# CLOBBERED COMMENTS
-# noroot - somehow this breaks on Debian Jessie!

etc/midori.profile

@@ -36,9 +36,7 @@ include /etc/firejail/whitelist-common.inc
 caps.drop all
 netfilter
 nonewprivs
+# noroot - problems on Ubuntu 14.04
 protocol unix,inet,inet6,netlink
 seccomp
 tracelog
-
-# CLOBBERED COMMENTS
-# noroot - porblems on Ubuntu 14.04

etc/mplayer.profile

@@ -14,6 +14,7 @@ include /etc/firejail/disable-programs.inc
 
 caps.drop all
 netfilter
+# nogroups
 nonewprivs
 noroot
 protocol unix,inet,inet6,netlink
@@ -26,6 +27,3 @@ private-tmp
 
 noexec ${HOME}
 noexec /tmp
-
-# CLOBBERED COMMENTS
-# nogroups

etc/mpv.profile

@@ -25,6 +25,3 @@ tracelog
 
 private-bin mpv,youtube-dl,python,python2.7,python3.6,env
 private-dev
-
-# CLOBBERED COMMENTS
-# to test

etc/multimc5.profile

@@ -27,6 +27,7 @@ nonewprivs
 noroot
 novideo
 protocol unix,inet,inet6
+# seccomp
 shell none
 
 disable-mnt
@@ -35,6 +36,3 @@ private-tmp
 
 noexec ${HOME}
 noexec /tmp
-
-# CLOBBERED COMMENTS
-# seccomp

etc/mupdf.profile

@@ -19,6 +19,7 @@ noroot
 nosound
 protocol unix
 seccomp
+# seccomp.keep access,arch_prctl,brk,clone,close,connect,execve,exit_group,fchmod,fchown,fcntl,fstat,futex,getcwd,getpeername,getrlimit,getsockname,getsockopt,lseek,lstat,mlock,mmap,mprotect,mremap,munmap,nanosleep,open,poll,prctl,read,recvfrom,recvmsg,restart_syscall,rt_sigaction,rt_sigprocmask,select,sendmsg,set_robust_list,set_tid_address,setresgid,setresuid,shmat,shmctl,shmget,shutdown,socket,stat,sysinfo,uname,unshare,wait4,write,writev
 shell none
 tracelog
 
@@ -26,9 +27,5 @@ tracelog
 private-dev
 private-etc fonts
 private-tmp
-read-only ${HOME}
-