profiles: fix commented code and eol comments

Main changes:

* Remove the space after `#` for commented code lines to distinguish
  them from normal comments
* Use `#` instead of `-` for comments at the end of the line so that
  commented code lines work after being uncommented

Commands used to search and replace:

    arg0="$(cat contrib/syntax/lists/profile_commands_arg0.list |
      LC_ALL=C sort -u | tr '\n' '|' | sed -e 's/|$//' -e 's/\./\\./g')"
    arg1="$(cat contrib/syntax/lists/profile_commands_arg1.list |
      LC_ALL=C sort -u | tr '\n' '|' | sed -e 's/|$//' -e 's/\./\\./g')"
    git ls-files -z -- etc/inc etc/profile* | xargs -0 -I '{}' \
      sh -c "printf '%s\n' \"\$(sed -E \
        -e 's/^# ($arg0)( [#-]-? .*)?\$/#\\1\\2/' \
        -e 's/^# ($arg1)( [^ ]*)?( [#-]-? .*)?\$/#\\1\\2\\3/' \
        -e 's/^# (whitelist \\$)/#\\1/' \
        -e 's/^(#[^ ].+) --? /\\1 # /' \
        '{}')\" >'{}'"

Commands used to check for leftover entries:

    arg0="$(cat contrib/syntax/lists/profile_commands_arg0.list |
      LC_ALL=C sort -u | tr '\n' '|' | sed -e 's/|$//' -e 's/\./\\./g')"
    arg1="$(cat contrib/syntax/lists/profile_commands_arg1.list |
      LC_ALL=C sort -u | tr '\n' '|' | sed -e 's/|$//' -e 's/\./\\./g')"
    git grep -E "^# ($arg0|$arg1)( +|$)" -- etc/inc etc/profile*

See also commit 30f9ad9 ("build: improve comments in firecfg.config",
2023-08-05) / PR netblue30#5942.

etc/inc/disable-common.inc

@@ -564,7 +564,7 @@ blacklist ${PATH}/bmon
 blacklist ${PATH}/fping
 blacklist ${PATH}/fping6
 blacklist ${PATH}/hostname
-# blacklist ${PATH}/ip - breaks --ip=dhcp
+#blacklist ${PATH}/ip # breaks --ip=dhcp
 blacklist ${PATH}/mtr
 blacklist ${PATH}/mtr-packet
 blacklist ${PATH}/netstat

etc/profile-a-l/abiword.profile

@@ -44,7 +44,7 @@ private-dev
 private-etc @x11
 private-tmp
 
-# dbus-user none
-# dbus-system none
+#dbus-user none
+#dbus-system none
 
 restrict-namespaces

etc/profile-a-l/akonadi_control.profile

@@ -34,25 +34,25 @@ include whitelist-var-common.inc
 # disabled options below are not compatible with the apparmor profile for mysqld-akonadi.
 # this affects ubuntu and debian currently
 
-# apparmor
+#apparmor
 caps.drop all
 ipc-namespace
 netfilter
 no3d
 nodvd
 nogroups
 noinput
-# nonewprivs
+#nonewprivs
 noroot
 nosound
 notv
 nou2f
 novideo
-# protocol unix,inet,inet6,netlink
-# seccomp !io_destroy,!io_getevents,!io_setup,!io_submit,!ioprio_set
+#protocol unix,inet,inet6,netlink
+#seccomp !io_destroy,!io_getevents,!io_setup,!io_submit,!ioprio_set
 tracelog
 
 private-dev
-# private-tmp - breaks programs that depend on akonadi
+#private-tmp # breaks programs that depend on akonadi
 
-# restrict-namespaces
+#restrict-namespaces

etc/profile-a-l/akregator.profile

@@ -49,4 +49,4 @@ private-dev
 private-tmp
 
 deterministic-shutdown
-# restrict-namespaces
+#restrict-namespaces

etc/profile-a-l/alacarte.profile

@@ -49,7 +49,7 @@ seccomp.block-secondary
 tracelog
 
 disable-mnt
-# private-bin alacarte,bash,python*,sh
+#private-bin alacarte,bash,python*,sh
 private-cache
 private-dev
 private-etc @tls-ca,@x11,mime.types

etc/profile-a-l/amarok.profile

@@ -26,11 +26,11 @@ notv
 nou2f
 novideo
 protocol unix,inet,inet6
-# seccomp
+#seccomp
 
-# private-bin amarok
+#private-bin amarok
 private-dev
-# private-etc alternatives,asound.conf,ca-certificates,crypto-policies,machine-id,pki,pulse,resolv.conf,ssl
+#private-etc alternatives,asound.conf,ca-certificates,crypto-policies,machine-id,pki,pulse,resolv.conf,ssl
 private-tmp
 
 dbus-user filter
@@ -45,4 +45,4 @@ dbus-user.talk org.freedesktop.Notifications
 #dbus-user.talk org.kde.knotify
 dbus-system none
 
-# restrict-namespaces
+#restrict-namespaces

etc/profile-a-l/android-studio.profile

@@ -36,7 +36,7 @@ protocol unix,inet,inet6
 seccomp
 
 private-cache
-# private-tmp
+#private-tmp
 
 # noexec /tmp breaks 'Android Profiler'
 #noexec /tmp

etc/profile-a-l/anki.profile

@@ -55,4 +55,4 @@ private-tmp
 dbus-user none
 dbus-system none
 
-# restrict-namespaces
+#restrict-namespaces

etc/profile-a-l/arduino.profile

@@ -21,7 +21,7 @@ caps.drop all
 netfilter
 no3d
 nodvd
-# nogroups
+#nogroups
 nonewprivs
 noroot
 nosound

etc/profile-a-l/aria2c.profile

@@ -39,7 +39,7 @@ novideo
 protocol unix,inet,inet6,netlink
 seccomp
 
-# disable-mnt
+#disable-mnt
 # Add your custom event hook commands to 'private-bin' in your aria2c.local.
 private-bin aria2c,gzip
 # Add 'private-cache' to your aria2c.local if you don't use Lutris/winetricks (see issue #2772).

etc/profile-a-l/ark.profile

@@ -22,7 +22,7 @@ include whitelist-var-common.inc
 
 apparmor
 caps.drop all
-# net none
+#net none
 netfilter
 nodvd
 nogroups
@@ -42,7 +42,7 @@ private-bin 7z,ark,bash,lrzip,lsar,lz4,lzop,p7zip,rar,sh,tclsh,unar,unrar,unzip,
 private-dev
 private-tmp
 
-# dbus-user none
-# dbus-system none
+#dbus-user none
+#dbus-system none
 
 restrict-namespaces

etc/profile-a-l/artha.profile

@@ -35,7 +35,7 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 ipc-namespace
-# net none - breaks on Ubuntu
+#net none # breaks on Ubuntu
 no3d
 nodvd
 nogroups

etc/profile-a-l/asunder.profile

@@ -26,7 +26,7 @@ apparmor
 caps.drop all
 netfilter
 no3d
-# nogroups
+#nogroups
 noinput
 nonewprivs
 noroot
@@ -44,5 +44,5 @@ dbus-user none
 dbus-system none
 
 # mdwe is disabled due to breaking hardware accelerated decoding
-# memory-deny-write-execute
+#memory-deny-write-execute
 restrict-namespaces

etc/profile-a-l/atom.profile

@@ -26,7 +26,7 @@ noblacklist ${HOME}/.config/Atom
 # Allows files commonly used by IDEs
 include allow-common-devel.inc
 
-# net none
+#net none
 nosound
 
 # Redirect

etc/profile-a-l/atril.profile

@@ -22,7 +22,7 @@ include disable-xdg.inc
 
 include whitelist-var-common.inc
 
-# apparmor
+#apparmor
 caps.drop all
 machine-id
 no3d
@@ -44,7 +44,7 @@ private-dev
 private-etc
 # atril uses webkit gtk to display epub files
 # waiting for globbing support in private-lib; for now hardcoding it to webkit2gtk-4.0
-#private-lib webkit2gtk-4.0 - problems on Arch with the new version of WebKit
+#private-lib webkit2gtk-4.0 # problems on Arch with the new version of WebKit
 private-tmp
 
 # webkit gtk killed by memory-deny-write-execute

etc/profile-a-l/audacious.profile

@@ -36,7 +36,7 @@ protocol unix,inet,inet6
 seccomp
 tracelog
 
-# private-bin audacious
+#private-bin audacious
 private-cache
 private-dev
 private-tmp

etc/profile-a-l/audacity.profile

@@ -54,7 +54,7 @@ private-etc @x11
 private-tmp
 
 # problems on Fedora 27
-# dbus-user none
-# dbus-system none
+#dbus-user none
+#dbus-system none
 
 restrict-namespaces

etc/profile-a-l/audio-recorder.profile

@@ -41,7 +41,7 @@ seccomp
 tracelog
 
 disable-mnt
-# private-bin audio-recorder
+#private-bin audio-recorder
 private-cache
 private-etc
 private-tmp
@@ -50,5 +50,5 @@ dbus-user filter
 dbus-user.talk ca.desrt.dconf
 dbus-system none
 
-# memory-deny-write-execute - breaks on Arch
+#memory-deny-write-execute # breaks on Arch
 restrict-namespaces

etc/profile-a-l/authenticator.profile

@@ -19,7 +19,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-programs.inc
 
-# apparmor
+#apparmor
 caps.drop all
 netfilter
 no3d
@@ -31,19 +31,19 @@ noroot
 nosound
 notv
 nou2f
-# novideo
+#novideo
 protocol unix,inet,inet6
 seccomp
 
 disable-mnt
-# private-bin authenticator,python*
+#private-bin authenticator,python*
 private-dev
 private-etc @tls-ca
 private-tmp
 
 # makes settings immutable
-# dbus-user none
-# dbus-system none
+#dbus-user none
+#dbus-system none
 
-#memory-deny-write-execute - breaks on Arch (see issue #1803)
+#memory-deny-write-execute # breaks on Arch (see issue #1803)
 restrict-namespaces

etc/profile-a-l/autokey-common.profile

@@ -38,5 +38,5 @@ private-cache
 private-dev
 private-tmp
 
-#memory-deny-write-execute - breaks on Arch (see issue #1803)
+#memory-deny-write-execute # breaks on Arch (see issue #1803)
 restrict-namespaces

etc/profile-a-l/baloo_file.profile

@@ -7,10 +7,10 @@ include globals.local
 
 # Make home directory read-only and allow writing only to ${HOME}/.local/share/baloo
 # Note: Baloo will not be able to update the "first run" key in its configuration files.
-# mkdir ${HOME}/.local/share/baloo
-# read-only ${HOME}
-# read-write ${HOME}/.local/share/baloo
-# ignore read-write
+#mkdir ${HOME}/.local/share/baloo
+#read-only ${HOME}
+#read-write ${HOME}/.local/share/baloo
+#ignore read-write
 
 noblacklist ${HOME}/.config/baloofilerc
 noblacklist ${HOME}/.kde/share/config/baloofilerc
@@ -31,7 +31,7 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 machine-id
-# net none
+#net none
 netfilter
 no3d
 nodvd
@@ -46,7 +46,7 @@ novideo
 protocol unix
 # blacklisting of ioprio_set system calls breaks baloo_file
 seccomp !ioprio_set
-# x11 xorg
+#x11 xorg
 
 private-bin baloo_file,baloo_file_extractor,baloo_filemetadata_temp_extractor,kbuildsycoca4
 private-cache

etc/profile-a-l/baobab.profile

@@ -6,13 +6,13 @@ include baobab.local
 # Persistent global definitions
 include globals.local
 
-# include disable-common.inc
+#include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-# include disable-programs.inc
+#include disable-programs.inc
 include disable-shell.inc
-# include disable-xdg.inc
+#include disable-xdg.inc
 
 include whitelist-runuser-common.inc
 
@@ -37,8 +37,8 @@ private-bin baobab
 private-dev
 private-tmp
 
-# dbus-user none
-# dbus-system none
+#dbus-user none
+#dbus-system none
 
 read-only ${HOME}
 restrict-namespaces

etc/profile-a-l/bcompare.profile

@@ -19,7 +19,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 # Add the next line to your bcompare.local if you don't need to compare files in disable-programs.inc.
 #include disable-programs.inc
-#include disable-shell.inc - breaks launch
+#include disable-shell.inc # breaks launch
 include disable-write-mnt.inc
 
 apparmor

etc/profile-a-l/bibletime.profile

@@ -48,7 +48,7 @@ protocol unix,inet,inet6,netlink
 seccomp !chroot
 
 disable-mnt
-# private-bin bibletime
+#private-bin bibletime
 private-cache
 private-dev
 private-etc @tls-ca,sword,sword.conf
@@ -57,4 +57,4 @@ private-tmp
 dbus-user none
 dbus-system none
 
-# restrict-namespaces
+#restrict-namespaces

etc/profile-a-l/bijiben.profile

@@ -48,7 +48,7 @@ tracelog
 
 disable-mnt
 private-bin bijiben
-# private-cache -- access to .cache/tracker is required
+#private-cache # access to .cache/tracker is required
 private-dev
 private-etc @x11
 private-tmp

etc/profile-a-l/bitlbee.profile

@@ -10,7 +10,7 @@ ignore noexec ${HOME}
 
 noblacklist /sbin
 noblacklist /usr/sbin
-# noblacklist /var/log
+#noblacklist /var/log
 
 include disable-common.inc
 include disable-devel.inc

etc/profile-a-l/bleachbit.profile

@@ -18,7 +18,7 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-# include disable-programs.inc
+#include disable-programs.inc
 
 caps.drop all
 net none
@@ -36,11 +36,11 @@ protocol unix
 seccomp
 
 private-dev
-# private-tmp
+#private-tmp
 
 dbus-user none
 dbus-system none
 
 # memory-deny-write-execute breaks some systems, see issue #1850
-# memory-deny-write-execute
+#memory-deny-write-execute
 restrict-namespaces