profiles: safeguard single line comments

etc/inc/disable-common.inc

@@ -33,7 +33,7 @@ blacklist-nolog ${HOME}/.viminfo
 blacklist-nolog /tmp/clipmenu*
 
 # X11 session autostart
-# blacklist ${HOME}/.xpra - this will kill --x11=xpra cmdline option for all programs
+#blacklist ${HOME}/.xpra # this will kill --x11=xpra cmdline option for all programs
 blacklist ${HOME}/.Xsession
 blacklist ${HOME}/.blackbox
 blacklist ${HOME}/.config/autostart
@@ -241,8 +241,9 @@ blacklist /var/lib/mysql/mysql.sock
 blacklist /var/lib/mysqld/mysql.sock
 blacklist /var/lib/pacman
 blacklist /var/lib/upower
-# blacklist /var/log - a virtual /var/log directory (mostly empty) is build up by default for
-# every sandbox, unless --writable-var-log switch is activated
+# A virtual /var/log directory (mostly empty) is build up by default for
+# every sandbox, unless --writable-var-log switch is activated.
+#blacklist /var/log
 blacklist /var/mail
 blacklist /var/opt
 blacklist /var/run/acpid.socket
@@ -560,7 +561,7 @@ blacklist ${PATH}/bmon
 blacklist ${PATH}/fping
 blacklist ${PATH}/fping6
 blacklist ${PATH}/hostname
-# blacklist ${PATH}/ip - breaks --ip=dhcp
+#blacklist ${PATH}/ip # breaks --ip=dhcp
 blacklist ${PATH}/mtr
 blacklist ${PATH}/mtr-packet
 blacklist ${PATH}/netstat
@@ -588,8 +589,7 @@ blacklist /tmp/tmux-*
 blacklist ${PATH}/gnome-terminal
 blacklist ${PATH}/gnome-terminal.wrapper
 blacklist ${PATH}/kgx
-# blacklist ${PATH}/konsole
-# konsole doesn't seem to have this problem - last tested on Ubuntu 16.04
+#blacklist ${PATH}/konsole # doesn't seem to have this problem (last tested on Ubuntu 16.04)
 blacklist ${PATH}/lilyterm
 blacklist ${PATH}/lxterminal
 blacklist ${PATH}/mate-terminal

etc/inc/disable-devel.inc

@@ -8,8 +8,7 @@ include disable-devel.local
 blacklist ${PATH}/clang*
 blacklist ${PATH}/lldb*
 blacklist ${PATH}/llvm*
-# see issue #2106 - it disables hardware acceleration in Firefox on Radeon GPU
-# blacklist /usr/lib/llvm*
+#blacklist /usr/lib/llvm* # breaks hardware acceleration in Firefox on Radeon GPU (see #2106)
 
 # GCC
 blacklist ${PATH}/as
@@ -26,8 +25,7 @@ blacklist ${PATH}/*-gcc*
 blacklist ${PATH}/*-g++*
 blacklist ${PATH}/*-gcc*
 blacklist ${PATH}/*-g++*
-# seems to create problems on Gentoo
-#blacklist /usr/lib/gcc
+#blacklist /usr/lib/gcc # seems to create problems on Gentoo
 
 #Go
 blacklist ${PATH}/gccgo

etc/profile-a-l/akonadi_control.profile

@@ -53,6 +53,6 @@ novideo
 tracelog
 
 private-dev
-# private-tmp - breaks programs that depend on akonadi
+# private-tmp # breaks programs that depend on akonadi
 
 # restrict-namespaces

etc/profile-a-l/artha.profile

@@ -35,7 +35,7 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 ipc-namespace
-# net none - breaks on Ubuntu
+# net none # breaks on Ubuntu
 no3d
 nodvd
 nogroups

etc/profile-a-l/atril.profile

@@ -44,7 +44,7 @@ private-dev
 private-etc
 # atril uses webkit gtk to display epub files
 # waiting for globbing support in private-lib; for now hardcoding it to webkit2gtk-4.0
-#private-lib webkit2gtk-4.0 - problems on Arch with the new version of WebKit
+#private-lib webkit2gtk-4.0 # problems on Arch with the new version of WebKit
 private-tmp
 
 # webkit gtk killed by memory-deny-write-execute

etc/profile-a-l/audio-recorder.profile

@@ -50,5 +50,5 @@ dbus-user filter
 dbus-user.talk ca.desrt.dconf
 dbus-system none
 
-# memory-deny-write-execute - breaks on Arch
+# memory-deny-write-execute # breaks on Arch
 restrict-namespaces

etc/profile-a-l/authenticator.profile

@@ -45,5 +45,5 @@ private-tmp
 # dbus-user none
 # dbus-system none
 
-#memory-deny-write-execute - breaks on Arch (see issue #1803)
+#memory-deny-write-execute # breaks on Arch (see issue #1803)
 restrict-namespaces

etc/profile-a-l/autokey-common.profile

@@ -38,5 +38,5 @@ private-cache
 private-dev
 private-tmp
 
-#memory-deny-write-execute - breaks on Arch (see issue #1803)
+#memory-deny-write-execute # breaks on Arch (see issue #1803)
 restrict-namespaces

etc/profile-a-l/bcompare.profile

@@ -19,7 +19,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 # Add the next line to your bcompare.local if you don't need to compare files in disable-programs.inc.
 #include disable-programs.inc
-#include disable-shell.inc - breaks launch
+#include disable-shell.inc # breaks launch
 include disable-write-mnt.inc
 
 apparmor

etc/profile-a-l/cameramonitor.profile

@@ -51,5 +51,5 @@ private-tmp
 # dbus-user none
 # dbus-system none
 
-# memory-deny-write-execute - breaks on Arch
+# memory-deny-write-execute # breaks on Arch
 restrict-namespaces

etc/profile-a-l/chromium-common.profile

@@ -33,13 +33,13 @@ include whitelist-run-common.inc
 ?BROWSER_DISABLE_U2F: nou2f
 
 ?BROWSER_DISABLE_U2F: private-dev
-#private-tmp - issues when using multiple browser sessions
+#private-tmp # issues when using multiple browser sessions
 
 blacklist ${PATH}/curl
 blacklist ${PATH}/wget
 blacklist ${PATH}/wget2
 
-#dbus-user none - prevents access to passwords saved in GNOME Keyring and KWallet, also breaks Gnome connector.
+#dbus-user none # prevents access to passwords saved in GNOME Keyring and KWallet, also breaks Gnome connector.
 
 # The file dialog needs to work without d-bus.
 ?HAS_NODBUS: env NO_CHROME_KDE_FILE_DIALOG=1

etc/profile-a-l/clac.profile

@@ -16,10 +16,10 @@ include disable-interpreters.inc
 include disable-proc.inc
 include disable-programs.inc
 include disable-shell.inc
-#include disable-X11.inc - x11 none
+#include disable-X11.inc # x11 none
 include disable-xdg.inc
 
-#include whitelist-common.inc - see #903
+#include whitelist-common.inc # see #903
 include whitelist-run-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc

etc/profile-a-l/clawsker.profile

@@ -50,5 +50,5 @@ private-tmp
 dbus-user none
 dbus-system none
 
-#memory-deny-write-execute - breaks on Arch (see issue #1803)
+#memory-deny-write-execute # breaks on Arch (see issue #1803)
 restrict-namespaces

etc/profile-a-l/clipgrab.profile

@@ -45,7 +45,7 @@ private-cache
 private-dev
 private-tmp
 
-# 'dbus-user none' breaks tray menu - add 'dbus-user none' to your clipgrab.local if you don't need it.
+# 'dbus-user none' breaks tray menu. Add 'dbus-user none' to your clipgrab.local if you don't need it.
 # dbus-user none
 # dbus-system none
 

etc/profile-a-l/d-feet.profile

@@ -31,7 +31,7 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 ipc-namespace
-# net none - breaks on Ubuntu
+#net none # breaks on Ubuntu
 no3d
 nodvd
 nogroups
@@ -52,5 +52,5 @@ private-dev
 private-etc dbus-1
 private-tmp
 
-#memory-deny-write-execute - breaks on Arch (see issue #1803)
+#memory-deny-write-execute # breaks on Arch (see issue #1803)
 restrict-namespaces

etc/profile-a-l/dconf-editor.profile

@@ -22,7 +22,7 @@ include whitelist-var-common.inc
 
 apparmor
 caps.drop all
-# net none - breaks application on older versions
+#net none # breaks application on older versions
 no3d
 nodvd
 nogroups

etc/profile-a-l/ddgtk.profile

@@ -50,5 +50,5 @@ private-tmp
 dbus-user none
 dbus-system none
 
-# memory-deny-write-execute - breaks on Arch
+#memory-deny-write-execute # breaks on Arch
 restrict-namespaces

etc/profile-a-l/devhelp.profile

@@ -23,7 +23,7 @@ include whitelist-usr-share-common.inc
 
 apparmor
 caps.drop all
-# net none - makes settings immutable
+#net none # makes settings immutable
 nodvd
 nogroups
 noinput
@@ -48,6 +48,6 @@ private-tmp
 # dbus-user none
 # dbus-system none
 
-#memory-deny-write-execute - breaks on Arch (see issue #1803)
+#memory-deny-write-execute # breaks on Arch (see issue #1803)
 read-only ${HOME}
 restrict-namespaces

etc/profile-a-l/dig.profile

@@ -20,7 +20,7 @@ include disable-exec.inc
 include disable-programs.inc
 include disable-xdg.inc
 
-#mkfile ${HOME}/.digrc - see #903
+#mkfile ${HOME}/.digrc # see #903
 whitelist ${HOME}/.digrc
 include whitelist-common.inc
 include whitelist-usr-share-common.inc

etc/profile-a-l/digikam.profile

@@ -37,7 +37,7 @@ protocol unix,inet,inet6,netlink
 # QtWebengine needs chroot to set up its own sandbox
 seccomp !chroot
 
-# private-dev - prevents libdc1394 loading; this lib is used to connect to a camera device
+#private-dev # prevents libdc1394 loading; this lib is used to connect to a camera device
 # private-etc alternatives,ca-certificates,crypto-policies,pki,ssl
 private-tmp
 

etc/profile-a-l/display.profile

@@ -34,7 +34,7 @@ notv
 nou2f
 protocol unix
 seccomp
-# x11 xorg - problems on kubuntu 17.04
+#x11 xorg # problems on kubuntu 17.04
 
 private-bin display,python*
 private-dev

etc/profile-a-l/drawio.profile

@@ -39,7 +39,7 @@ nou2f
 novideo
 protocol unix
 seccomp !chroot
-# tracelog - breaks on Arch
+#tracelog # breaks on Arch
 
 private-bin drawio
 private-cache
@@ -50,5 +50,5 @@ private-tmp
 dbus-user none
 dbus-system none
 
-# memory-deny-write-execute - breaks on Arch
+#memory-deny-write-execute # breaks on Arch
 # restrict-namespaces

etc/profile-a-l/enpass.profile

@@ -58,5 +58,5 @@ private-dev
 private-opt Enpass
 private-tmp
 
-#memory-deny-write-execute - breaks on Arch (see issue #1803)
+#memory-deny-write-execute # breaks on Arch (see issue #1803)
 restrict-namespaces

etc/profile-a-l/evince.profile

@@ -34,7 +34,7 @@ include whitelist-var-common.inc
 
 caps.drop all
 machine-id
-# net none - breaks AppArmor on Ubuntu systems
+#net none # breaks AppArmor on Ubuntu systems
 netfilter
 no3d
 nodvd

etc/profile-a-l/ffmpeg.profile

@@ -53,5 +53,5 @@ private-tmp
 dbus-user none
 dbus-system none
 
-# memory-deny-write-execute - it breaks old versions of ffmpeg
+#memory-deny-write-execute # breaks older versions
 restrict-namespaces

etc/profile-a-l/file-roller.profile

@@ -22,7 +22,7 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 machine-id
-# net none - breaks on older Ubuntu versions
+#net none # breaks on older Ubuntu versions
 netfilter
 no3d
 nodvd

etc/profile-a-l/filezilla.profile

@@ -37,7 +37,7 @@ novideo
 protocol unix,inet,inet6
 seccomp
 
-# private-bin breaks --join if the user has zsh set as $SHELL - adding zsh on private-bin
+# private-bin breaks --join if the user has zsh set as $SHELL
 private-bin bash,filezilla,fzputtygen,fzsftp,lsb_release,python*,sh,uname,zsh
 private-dev
 private-tmp

etc/profile-a-l/firefox.profile

@@ -39,9 +39,9 @@ whitelist /usr/share/gnome-shell/search-providers/firefox-search-provider.ini
 whitelist ${RUNUSER}/*firefox*
 whitelist ${RUNUSER}/psd/*firefox*
 
-# firefox requires a shell to launch on Arch - add the next line to your firefox.local to enable private-bin.
+# Firefox requires a shell to launch on Arch. Add the next line to your firefox.local to enable private-bin.
 #private-bin bash,dbus-launch,dbus-send,env,firefox,sh,which
-# Fedora uses shell scripts to launch firefox - add the next line to your firefox.local to enable private-bin.
+# Fedora uses shell scripts to launch Firefox. Add the next line to your firefox.local to enable private-bin.
 #private-bin basename,bash,cat,dirname,expr,false,firefox,firefox-wayland,getenforce,ln,mkdir,pidof,restorecon,rm,rmdir,sed,sh,tclsh,true,uname
 private-etc firefox
 

etc/profile-a-l/font-manager.profile

@@ -33,7 +33,7 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 machine-id
-# net none - issues on older versions
+#net none # issues on older versions
 no3d
 nodvd
 nogroups
@@ -53,5 +53,5 @@ private-bin font-manager,python*,yelp
 private-dev
 private-tmp
 
-#memory-deny-write-execute - breaks on Arch (see issue #1803)
+#memory-deny-write-execute # breaks on Arch (see issue #1803)
 restrict-namespaces

etc/profile-a-l/galculator.profile

@@ -48,5 +48,5 @@ private-tmp
 dbus-user none
 dbus-system none
 
-#memory-deny-write-execute - breaks on Arch (see issue #1803)
+#memory-deny-write-execute # breaks on Arch (see issue #1803)
 restrict-namespaces

etc/profile-a-l/geary.profile

@@ -53,7 +53,7 @@ include whitelist-var-common.inc
 
 apparmor
 caps.drop all
-#ipc-namespace - may cause issues with X11
+#ipc-namespace # may cause issues with X11
 #machine-id
 netfilter
 no3d

etc/profile-a-l/gedit.profile

@@ -21,10 +21,10 @@ include disable-programs.inc
 include whitelist-runuser-common.inc
 include whitelist-var-common.inc
 
-# apparmor - makes settings immutable
+#apparmor # makes settings immutable
 caps.drop all
 machine-id
-# net none - makes settings immutable
+#net none # makes settings immutable
 no3d
 nodvd
 nogroups
@@ -46,8 +46,7 @@ private-dev
 #private-lib aspell,gconv,gedit,libgspell-1.so.*,libgtksourceview-*,libpeas-gtk-1.0.so.*,libreadline.so.*,libtinfo.so.*
 private-tmp
 
-# makes settings immutable
-# dbus-user none
+#dbus-user none # makes settings immutable
 # dbus-system none
 
 restrict-namespaces

etc/profile-a-l/gmpc.profile

@@ -50,5 +50,5 @@ writable-run-user
 # dbus-user none
 # dbus-system none
 
-# memory-deny-write-execute - breaks on Arch
+#memory-deny-write-execute # breaks on Arch
 restrict-namespaces

etc/profile-a-l/gnome-contacts.profile

@@ -21,7 +21,7 @@ include whitelist-var-common.inc
 
 caps.drop all
 netfilter
-#no3d - breaks on Arch
+#no3d # breaks on Arch
 nodvd
 noinput
 nonewprivs

etc/profile-a-l/gnome-pie.profile

@@ -16,7 +16,7 @@ include disable-exec.inc
 
 caps.drop all
 ipc-namespace
-# net none - breaks dbus
+#net none # breaks dbus
 no3d
 nodvd
 nogroups