Fix comments in 88 profiles

There may actually be some other comments that were removed, but the bulk have been restored

86 files changed, 123 insertions, 323 deletions

diff --git a/etc/akregator.profile b/etc/akregator.profile
index 77868dac7..36886b961 100644
--- a/etc/akregator.profile
+++ b/etc/akregator.profile
@@ -30,6 +30,3 @@ private-tmp
 
 noexec ${HOME}
 noexec /tmp
-
-# CLOBBERED COMMENTS
-# nosound
diff --git a/etc/amarok.profile b/etc/amarok.profile
index 69f41bb1b..28398e2c1 100644
--- a/etc/amarok.profile
+++ b/etc/amarok.profile
@@ -17,12 +17,10 @@ nogroups
 nonewprivs
 noroot
 protocol unix,inet,inet6
+# seccomp
 shell none
 
 # private-bin amarok
 private-dev
 # private-etc none
 private-tmp
-
-# CLOBBERED COMMENTS
-# seccomp
diff --git a/etc/android-studio.profile b/etc/android-studio.profile
index 86e19f838..3f4795195 100644
--- a/etc/android-studio.profile
+++ b/etc/android-studio.profile
@@ -32,6 +32,3 @@ private-dev
 # private-tmp
 
 noexec /tmp
-
-# CLOBBERED COMMENTS
-# nosound
diff --git a/etc/caja.profile b/etc/caja.profile
index adbcc09b9..1350b63dd 100644
--- a/etc/caja.profile
+++ b/etc/caja.profile
@@ -5,6 +5,9 @@ include /etc/firejail/caja.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
+# Caja is started by systemd on most systems. Therefore it is not firejailed by default. Since there
+# is already a caja process running on MATE desktops firejail will have no effect.
+
 noblacklist ~/.config/caja
 noblacklist ~/.local/share/Trash
 noblacklist ~/.local/share/caja-python
@@ -24,12 +27,8 @@ seccomp
 shell none
 tracelog
 
+# caja needs to be able to start arbitrary applications so we cannot blacklist their files
 # private-bin caja
 # private-dev
 # private-etc fonts
 # private-tmp
-
-# CLOBBERED COMMENTS
-# Caja is started by systemd on most systems. Therefore it is not firejailed by default. Since there
-# caja needs to be able to start arbitrary applications so we cannot blacklist their files
-# is already a caja process running on MATE desktops firejail will have no effect.
diff --git a/etc/catfish.profile b/etc/catfish.profile
index 9fef3dc83..759b5e384 100644
--- a/etc/catfish.profile
+++ b/etc/catfish.profile
@@ -5,6 +5,8 @@ include /etc/firejail/catfish.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
+# We can't blacklist much since catfish
+# is for finding files/content
 noblacklist ~/.config/catfish
 
 include /etc/firejail/disable-devel.inc
@@ -22,12 +24,8 @@ seccomp
 shell none
 tracelog
 
+# These options work but are disabled in case
+# a users wants to search in these directories.
 # private-bin bash,catfish,env,locate,ls,mlocate,python,python2,python2.7,python3,python3.5,python3.5m,python3m
 # private-dev
 # private-tmp
-
-# CLOBBERED COMMENTS
-# These options work but are disabled in case
-# We can't blacklist much since catfish
-# a users wants to search in these directories.
-# is for finding files/content
diff --git a/etc/cherrytree.profile b/etc/cherrytree.profile
index 8aa11a0e6..fe0153959 100644
--- a/etc/cherrytree.profile
+++ b/etc/cherrytree.profile
@@ -32,6 +32,3 @@ private-tmp
 
 noexec ${HOME}
 noexec /tmp
-
-# CLOBBERED COMMENTS
-# cherrytree note taking application
diff --git a/etc/chromium.profile b/etc/chromium.profile
index 97149d4d4..cec5366d9 100644
--- a/etc/chromium.profile
+++ b/etc/chromium.profile
@@ -11,6 +11,7 @@ noblacklist ~/.config/chromium-flags.conf
 noblacklist ~/.pki
 
 include /etc/firejail/disable-common.inc
+# chromium is distributed with a perl script on Arch
 # include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-programs.inc
 
@@ -34,8 +35,3 @@ private-dev
 
 noexec ${HOME}
 noexec /tmp
-
-# CLOBBERED COMMENTS
-# chromium is distributed with a perl script on Arch
-# disable-mnt
-# specific to Arch
diff --git a/etc/clementine.profile b/etc/clementine.profile
index a69be26df..13a14af3b 100644
--- a/etc/clementine.profile
+++ b/etc/clementine.profile
@@ -16,7 +16,5 @@ nonewprivs
 noroot
 novideo
 protocol unix,inet,inet6
-seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,name_to_handle_at,open_by_handle_at,create_module,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,chroot,tuxcall,reboot,mfsservctl,get_kernel_syms,bpf,clock_settime,personality,process_vm_writev,query_module,settimeofday,stime,umount,userfaultfd,ustat,vm86,vm86old
-
-# CLOBBERED COMMENTS
 # Clementine makes ioprio_set system calls, which are blacklisted by default.
+seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,name_to_handle_at,open_by_handle_at,create_module,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,chroot,tuxcall,reboot,mfsservctl,get_kernel_syms,bpf,clock_settime,personality,process_vm_writev,query_module,settimeofday,stime,umount,userfaultfd,ustat,vm86,vm86old
diff --git a/etc/cpio.profile b/etc/cpio.profile
index cd9b9ad7c..c5d7680a3 100644
--- a/etc/cpio.profile
+++ b/etc/cpio.profile
@@ -25,7 +25,3 @@ shell none
 tracelog
 
 private-dev
-
-# CLOBBERED COMMENTS
-# /boot is not visible and /var is heavily modified
-# /sbin and /usr/sbin are visible inside the sandbox
diff --git a/etc/cvlc.profile b/etc/cvlc.profile
index 0b63151a8..460966321 100644
--- a/etc/cvlc.profile
+++ b/etc/cvlc.profile
@@ -22,11 +22,9 @@ seccomp
 shell none
 tracelog
 
+# clvc doesn't like private-bin
 # private-bin vlc,cvlc,nvlc,rvlc,qvlc,svlc
 private-dev
 private-tmp
 
 memory-deny-write-execute
-
-# CLOBBERED COMMENTS
-# clvc doesn't like private-bin
diff --git a/etc/deluge.profile b/etc/deluge.profile
index ed115b024..bb45c4371 100644
--- a/etc/deluge.profile
+++ b/etc/deluge.profile
@@ -27,9 +27,7 @@ protocol unix,inet,inet6
 seccomp
 shell none
 
+# deluge is using python on Debian
 # private-bin deluge,sh,python,uname
 private-dev
 private-tmp
-
-# CLOBBERED COMMENTS
-# deluge is using python on Debian
diff --git a/etc/digikam.profile b/etc/digikam.profile
index 0ff437608..35365984e 100644
--- a/etc/digikam.profile
+++ b/etc/digikam.profile
@@ -21,6 +21,7 @@ nonewprivs
 noroot
 protocol unix,inet,inet6,netlink
 seccomp
+# seccomp.keep fallocate,getrusage,openat,access,arch_prctl,bind,brk,chdir,chmod,clock_getres,clone,close,connect,dup2,dup3,eventfd2,execve,fadvise64,fcntl,fdatasync,flock,fstat,fstatfs,ftruncate,futex,getcwd,getdents,getegid,geteuid,getgid,getpeername,getpgrp,getpid,getppid,getrandom,getresgid,getresuid,getrlimit,getsockname,getsockopt,gettid,getuid,inotify_add_watch,inotify_init,inotify_init1,inotify_rm_watch,ioctl,lseek,lstat,madvise,mbind,memfd_create,mkdir,mmap,mprotect,msync,munmap,nanosleep,open,pipe,pipe2,poll,ppoll,prctl,pread64,pwrite64,read,readlink,readlinkat,recvfrom,recvmsg,rename,rt_sigaction,rt_sigprocmask,rt_sigreturn,sched_getaffinity,sched_getparam,sched_get_priority_max,sched_get_priority_min,sched_getscheduler,sched_setscheduler,sched_yield,sendmsg,sendto,setgid,setresgid,setresuid,set_robust_list,setsid,setsockopt,set_tid_address,setuid,shmat,shmctl,shmdt,shmget,shutdown,socket,stat,statfs,sysinfo,timerfd_create,umask,uname,unlink,wait4,waitid,write,writev,fchmod,fchown,unshare,exit,exit_group
 shell none
 
 # private-bin program
@@ -30,6 +31,3 @@ private-tmp
 
 noexec ${HOME}
 noexec /tmp
-
-# CLOBBERED COMMENTS
-# seccomp.keep fallocate,getrusage,openat,access,arch_prctl,bind,brk,chdir,chmod,clock_getres,clone,close,connect,dup2,dup3,eventfd2,execve,fadvise64,fcntl,fdatasync,flock,fstat,fstatfs,ftruncate,futex,getcwd,getdents,getegid,geteuid,getgid,getpeername,getpgrp,getpid,getppid,getrandom,getresgid,getresuid,getrlimit,getsockname,getsockopt,gettid,getuid,inotify_add_watch,inotify_init,inotify_init1,inotify_rm_watch,ioctl,lseek,lstat,madvise,mbind,memfd_create,mkdir,mmap,mprotect,msync,munmap,nanosleep,open,pipe,pipe2,poll,ppoll,prctl,pread64,pwrite64,read,readlink,readlinkat,recvfrom,recvmsg,rename,rt_sigaction,rt_sigprocmask,rt_sigreturn,sched_getaffinity,sched_getparam,sched_get_priority_max,sched_get_priority_min,sched_getscheduler,sched_setscheduler,sched_yield,sendmsg,sendto,setgid,setresgid,setresuid,set_robust_list,setsid,setsockopt,set_tid_address,setuid,shmat,shmctl,shmdt,shmget,shutdown,socket,stat,statfs,sysinfo,timerfd_create,umask,uname,unlink,wait4,waitid,write,writev,fchmod,fchown,unshare,exit,exit_group
diff --git a/etc/dolphin.profile b/etc/dolphin.profile
index 5760f6811..93acbd09e 100644
--- a/etc/dolphin.profile
+++ b/etc/dolphin.profile
@@ -5,6 +5,8 @@ include /etc/firejail/dolphin.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
+# warning: firejail is currently not effectively constraining dolphin since used services are started by kdeinit5
+
 noblacklist ${HOME}/.local/share/Trash
 noblacklist ~/.config/dolphinrc
 noblacklist ~/.local/share/dolphin
@@ -23,11 +25,8 @@ protocol unix
 seccomp
 shell none
 
+# dolphin needs to be able to start arbitrary applications so we cannot blacklist their files
 # private-bin
 # private-dev
 # private-etc
 # private-tmp
-
-# CLOBBERED COMMENTS
-# dolphin needs to be able to start arbitrary applications so we cannot blacklist their files
-# warning: firejail is currently not effectively constraining dolphin since used services are started by kdeinit5
diff --git a/etc/etr.profile b/etc/etr.profile
index 6ed9a274d..dedc1e224 100644
--- a/etc/etr.profile
+++ b/etc/etr.profile
@@ -28,7 +28,3 @@ shell none
 private-dev
 # private-etc none
 private-tmp
-
-# CLOBBERED COMMENTS
-# depending on your usage, you can enable some of the commands below:
-# nosound
diff --git a/etc/evince.profile b/etc/evince.profile
index e58cef336..1a2b04160 100644
--- a/etc/evince.profile
+++ b/etc/evince.profile
@@ -28,11 +28,9 @@ tracelog
 private-bin evince,evince-previewer,evince-thumbnailer
 private-dev
 private-etc fonts
+# evince needs access to /tmp/mozilla* to work in firefox
 # private-tmp
 
 memory-deny-write-execute
 noexec ${HOME}
 noexec /tmp
-
-# CLOBBERED COMMENTS
-# evince needs access to /tmp/mozilla* to work in firefox
diff --git a/etc/file.profile b/etc/file.profile
index 6e8280c3b..99d2fd865 100644
--- a/etc/file.profile
+++ b/etc/file.profile
@@ -28,6 +28,3 @@ x11 none
 private-bin file
 private-dev
 private-etc magic.mgc,magic,localtime
-
-# CLOBBERED COMMENTS
-# noroot
diff --git a/etc/firefox.profile b/etc/firefox.profile
index 8d48a4704..27f436c4f 100644
--- a/etc/firefox.profile
+++ b/etc/firefox.profile
@@ -68,6 +68,3 @@ private-tmp
 
 noexec ${HOME}
 noexec /tmp
-
-# CLOBBERED COMMENTS
-# disable-mnt
diff --git a/etc/flashpeak-slimjet.profile b/etc/flashpeak-slimjet.profile
index b3aa80f85..be06dc460 100644
--- a/etc/flashpeak-slimjet.profile
+++ b/etc/flashpeak-slimjet.profile
@@ -5,11 +5,17 @@ include /etc/firejail/flashpeak-slimjet.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
+# This is a whitelisted profile, the internal browser sandbox
+# is disabled because it requires sudo password. The command
+# to run it is as follows:
+#  firejail flashpeak-slimjet --no-sandbox
+
 noblacklist ~/.cache/slimjet
 noblacklist ~/.config/slimjet
 noblacklist ~/.pki
 
 include /etc/firejail/disable-common.inc
+# chromium is distributed with a perl script on Arch
 # include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-programs.inc
 
@@ -28,9 +34,3 @@ nonewprivs
 noroot
 protocol unix,inet,inet6,netlink
 seccomp
-
-# CLOBBERED COMMENTS
-#  firejail flashpeak-slimjet --no-sandbox
-# chromium is distributed with a perl script on Arch
-# is disabled because it requires sudo password. The command
-# to run it is as follows:
diff --git a/etc/franz.profile b/etc/franz.profile
index 486326fe0..82bdabfcd 100644
--- a/etc/franz.profile
+++ b/etc/franz.profile
@@ -37,6 +37,3 @@ private-tmp
 
 noexec ${HOME}
 noexec /tmp
-
-# CLOBBERED COMMENTS
-# tracelog
diff --git a/etc/frozen-bubble.profile b/etc/frozen-bubble.profile
index dc8ad3e08..b1d9798bc 100644
--- a/etc/frozen-bubble.profile
+++ b/etc/frozen-bubble.profile
@@ -28,7 +28,3 @@ shell none
 private-dev
 # private-etc none
 private-tmp
-
-# CLOBBERED COMMENTS
-# depending on your usage, you can enable some of the commands below:
-# nosound
diff --git a/etc/gajim.profile b/etc/gajim.profile
index d8ca7424c..451a93c31 100644
--- a/etc/gajim.profile
+++ b/etc/gajim.profile
@@ -40,7 +40,5 @@ disable-mnt
 private-dev
 # private-etc fonts
 # private-tmp
-read-only ${HOME}/.local/lib/python2.7/site-packages/
-
-# CLOBBERED COMMENTS
 # Allow the local python 2.7 site packages, in case any plugins are using these
+read-only ${HOME}/.local/lib/python2.7/site-packages/
diff --git a/etc/geary.profile b/etc/geary.profile
index 5833e51cf..3f9faf058 100644
--- a/etc/geary.profile
+++ b/etc/geary.profile
@@ -5,6 +5,9 @@ include /etc/firejail/geary.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
+# Users have Geary set to open a browser by clicking a link in an email
+# We are not allowed to blacklist browser-specific directories
+
 noblacklist ~/.gnupg
 noblacklist ~/.local/share/geary
 
@@ -21,9 +24,5 @@ ignore private-tmp
 read-only ~/.config/mimeapps.list
 read-only ~/.local/share/applications
 
-include /etc/firejail/firefox.profile
-
-# CLOBBERED COMMENTS
-# Users have Geary set to open a browser by clicking a link in an email
-# We are not allowed to blacklist browser-specific directories
 # allow browsers
+include /etc/firejail/firefox.profile
diff --git a/etc/gedit.profile b/etc/gedit.profile
index 2fd7f20fe..aa91d9518 100644
--- a/etc/gedit.profile
+++ b/etc/gedit.profile
@@ -5,6 +5,8 @@ include /etc/firejail/gedit.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
+# when gedit is started via gnome-shell, firejail is not applied because systemd will start it
+
 noblacklist ~/.config/gedit
 
 include /etc/firejail/disable-common.inc
@@ -31,6 +33,3 @@ private-tmp
 
 noexec ${HOME}
 noexec /tmp
-
-# CLOBBERED COMMENTS
-# when gedit is started via gnome-shell, firejail is not applied because systemd will start it
diff --git a/etc/geeqie.profile b/etc/geeqie.profile
index 9434d49b8..5936787dd 100644
--- a/etc/geeqie.profile
+++ b/etc/geeqie.profile
@@ -26,6 +26,3 @@ shell none
 # private-bin geeqie
 private-dev
 # private-etc X11
-
-# CLOBBERED COMMENTS
-# Experimental:
diff --git a/etc/ghb.profile b/etc/ghb.profile
index 80291223c..9437cea9e 100644
--- a/etc/ghb.profile
+++ b/etc/ghb.profile
@@ -3,6 +3,3 @@
 
 
 include /etc/firejail/handbrake.profile
-
-# CLOBBERED COMMENTS
-# HandBrake
diff --git a/etc/gimp.profile b/etc/gimp.profile
index e63d10d35..d77c4df8d 100644
--- a/etc/gimp.profile
+++ b/etc/gimp.profile
@@ -24,10 +24,7 @@ shell none
 private-dev
 private-tmp
 
-noexec /tmp
-
-# CLOBBERED COMMENTS
-# gimp
 # gimp plugins are installed by the user in ~/.gimp-2.8/plug-ins/ directory
 # if you are not using external plugins, you can enable noexec statement below
 # noexec ${HOME}
+noexec /tmp
diff --git a/etc/gjs.profile b/etc/gjs.profile
index 443dccfea..739100888 100644
--- a/etc/gjs.profile
+++ b/etc/gjs.profile
@@ -5,6 +5,8 @@ include /etc/firejail/gjs.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
+# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
+
 noblacklist ~/.cache/libgweather
 noblacklist ~/.cache/org.gnome.Books
 noblacklist ~/.config/libreoffice
@@ -29,6 +31,3 @@ tracelog
 private-dev
 # private-etc fonts
 private-tmp
-
-# CLOBBERED COMMENTS
-# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
diff --git a/etc/gnome-2048.profile b/etc/gnome-2048.profile
index 480c6a35f..996c8e1f4 100644
--- a/etc/gnome-2048.profile
+++ b/etc/gnome-2048.profile
@@ -31,6 +31,3 @@ private-tmp
 
 noexec ${HOME}
 noexec /tmp
-
-# CLOBBERED COMMENTS
-# nosound
diff --git a/etc/gnome-books.profile b/etc/gnome-books.profile
index e934b48a5..60bd2f68d 100644
--- a/etc/gnome-books.profile
+++ b/etc/gnome-books.profile
@@ -5,6 +5,8 @@ include /etc/firejail/gnome-books.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
+# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
+
 noblacklist ~/.cache/org.gnome.Books
 
 include /etc/firejail/disable-common.inc
@@ -32,6 +34,3 @@ private-tmp
 
 noexec ${HOME}
 noexec /tmp
-
-# CLOBBERED COMMENTS
-# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
diff --git a/etc/gnome-calculator.profile b/etc/gnome-calculator.profile
index 2e949271b..995415edc 100644
--- a/etc/gnome-calculator.profile
+++ b/etc/gnome-calculator.profile
@@ -33,6 +33,3 @@ private-tmp
 memory-deny-write-execute
 noexec ${HOME}
 noexec /tmp
-
-# CLOBBERED COMMENTS
-# net none
diff --git a/etc/gnome-documents.profile b/etc/gnome-documents.profile
index 2c77c32ae..e56a32a4a 100644
--- a/etc/gnome-documents.profile
+++ b/etc/gnome-documents.profile
@@ -5,6 +5,8 @@ include /etc/firejail/gnome-documents.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
+# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
+
 noblacklist ~/.config/libreoffice
 
 include /etc/firejail/disable-common.inc
@@ -30,6 +32,3 @@ private-tmp
 
 noexec ${HOME}
 noexec /tmp
-
-# CLOBBERED COMMENTS
-# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
diff --git a/etc/gnome-maps.profile b/etc/gnome-maps.profile
index 79ea783a6..1e60c4470 100644
--- a/etc/gnome-maps.profile
+++ b/etc/gnome-maps.profile
@@ -5,6 +5,8 @@ include /etc/firejail/gnome-maps.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
+# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
+
 noblacklist ${HOME}/.cache/champlain
 
 include /etc/firejail/disable-common.inc
@@ -32,6 +34,3 @@ private-tmp
 
 noexec ${HOME}
 noexec /tmp
-
-# CLOBBERED COMMENTS
-# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
diff --git a/etc/gnome-photos.profile b/etc/gnome-photos.profile
index bb13672f4..5982b9dbd 100644
--- a/etc/gnome-photos.profile
+++ b/etc/gnome-photos.profile
@@ -5,6 +5,8 @@ include /etc/firejail/gnome-photos.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
+# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
+
 noblacklist ~/.local/share/gnome-photos
 
 include /etc/firejail/disable-common.inc
@@ -30,6 +32,3 @@ private-tmp
 
 noexec ${HOME}
 noexec /tmp
-
-# CLOBBERED COMMENTS
-# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
diff --git a/etc/gnome-weather.profile b/etc/gnome-weather.profile
index 77538ad6e..514ef6f15 100644
--- a/etc/gnome-weather.profile
+++ b/etc/gnome-weather.profile
@@ -5,6 +5,8 @@ include /etc/firejail/gnome-weather.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
+# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
+
 noblacklist ~/.cache/libgweather
 
 include /etc/firejail/disable-common.inc
@@ -33,6 +35,3 @@ private-tmp
 
 noexec ${HOME}
 noexec /tmp
-
-# CLOBBERED COMMENTS
-# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
diff --git a/etc/google-chrome-beta.profile b/etc/google-chrome-beta.profile
index 53220997a..b6c39bfd2 100644
--- a/etc/google-chrome-beta.profile
+++ b/etc/google-chrome-beta.profile
@@ -10,6 +10,7 @@ noblacklist ~/.config/google-chrome-beta
 noblacklist ~/.pki
 
 include /etc/firejail/disable-common.inc
+# chromium is distributed with a perl script on Arch
 # include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-programs.inc
 
@@ -32,7 +33,3 @@ private-dev
 
 noexec ${HOME}
 noexec /tmp
-
-# CLOBBERED COMMENTS
-# chromium is distributed with a perl script on Arch
-# disable-mnt
diff --git a/etc/google-chrome-unstable.profile b/etc/google-chrome-unstable.profile
index 6f4ec9101..ea111c7f6 100644
--- a/etc/google-chrome-unstable.profile
+++ b/etc/google-chrome-unstable.profile
@@ -10,6 +10,7 @@ noblacklist ~/.config/google-chrome-unstable
 noblacklist ~/.pki
 
 include /etc/firejail/disable-common.inc
+# chromium is distributed with a perl script on Arch
 # include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-programs.inc
 
@@ -32,7 +33,3 @@ private-dev
 
 noexec ${HOME}
 noexec /tmp
-
-# CLOBBERED COMMENTS
-# chromium is distributed with a perl script on Arch
-# disable-mnt
diff --git a/etc/google-chrome.profile b/etc/google-chrome.profile
index 84fdcdd21..f0d452841 100644
--- a/etc/google-chrome.profile
+++ b/etc/google-chrome.profile
@@ -10,6 +10,7 @@ noblacklist ~/.config/google-chrome
 noblacklist ~/.pki
 
 include /etc/firejail/disable-common.inc
+# chromium is distributed with a perl script on Arch
 # include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-programs.inc
 
@@ -32,7 +33,3 @@ private-dev
 
 noexec ${HOME}
 noexec /tmp
-
-# CLOBBERED COMMENTS
-# chromium is distributed with a perl script on Arch
-# disable-mnt
diff --git a/etc/google-play-music-desktop-player.profile b/etc/google-play-music-desktop-player.profile
index e326c8083..9c6c70f9f 100644
--- a/etc/google-play-music-desktop-player.profile
+++ b/etc/google-play-music-desktop-player.profile
@@ -12,6 +12,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+# whitelist ~/.config/pulse
+# whitelist ~/.pulse
 whitelist ~/.config/Google Play Music Desktop Player
 include /etc/firejail/whitelist-common.inc
 
@@ -32,7 +34,3 @@ private-tmp
 
 noexec ${HOME}
 noexec /tmp
-
-# CLOBBERED COMMENTS
-# whitelist ~/.config/pulse
-# whitelist ~/.pulse
diff --git a/etc/gwenview.profile b/etc/gwenview.profile
index 19d83866e..0f2be604b 100644
--- a/etc/gwenview.profile
+++ b/etc/gwenview.profile
@@ -34,6 +34,3 @@ private-dev
 
 noexec ${HOME}
 noexec /tmp
-
-# CLOBBERED COMMENTS
-# Experimental:
diff --git a/etc/handbrake-gtk.profile b/etc/handbrake-gtk.profile
index 80291223c..9437cea9e 100644
--- a/etc/handbrake-gtk.profile
+++ b/etc/handbrake-gtk.profile
@@ -3,6 +3,3 @@
 
 
 include /etc/firejail/handbrake.profile
-
-# CLOBBERED COMMENTS
-# HandBrake
diff --git a/etc/hexchat.profile b/etc/hexchat.profile
index f070937ef..ceebb6d18 100644
--- a/etc/hexchat.profile
+++ b/etc/hexchat.profile
@@ -6,6 +6,8 @@ include /etc/firejail/hexchat.local
 include /etc/firejail/globals.local
 
 noblacklist ${HOME}/.config/hexchat
+# noblacklist /usr/lib/python2*
+# noblacklist /usr/lib/python3*
 
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
@@ -29,15 +31,10 @@ shell none
 tracelog
 
 disable-mnt
+# debug note: private-bin requires perl, python, etc on some systems
 private-bin hexchat
 private-dev
 private-tmp
 
 noexec ${HOME}
 noexec /tmp
-
-# CLOBBERED COMMENTS
-# Currently in testing (may not work for all users)
-# debug note: private-bin requires perl, python, etc on some systems
-# noblacklist /usr/lib/python2*
-# noblacklist /usr/lib/python3*
diff --git a/etc/icedove.profile b/etc/icedove.profile
index 8cb4ec1ea..3931fd0c0 100644
--- a/etc/icedove.profile
+++ b/etc/icedove.profile
@@ -5,6 +5,9 @@ include /etc/firejail/icedove.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
+# Users have icedove set to open a browser by clicking a link in an email
+# We are not allowed to blacklist browser-specific directories
+
 noblacklist ~/.cache/icedove
 noblacklist ~/.gnupg
 noblacklist ~/.icedove
@@ -19,9 +22,5 @@ include /etc/firejail/whitelist-common.inc
 
 ignore private-tmp
 
-include /etc/firejail/firefox.profile
-
-# CLOBBERED COMMENTS
-# Users have icedove set to open a browser by clicking a link in an email
-# We are not allowed to blacklist browser-specific directories
 # allow browsers
+include /etc/firejail/firefox.profile
diff --git a/etc/idea.sh.profile b/etc/idea.sh.profile
index 2ca4cba69..f0f0637d9 100644
--- a/etc/idea.sh.profile
+++ b/etc/idea.sh.profile
@@ -32,6 +32,3 @@ private-dev
 # private-tmp
 
 noexec /tmp
-
-# CLOBBERED COMMENTS
-# nosound
diff --git a/etc/inkscape.profile b/etc/inkscape.profile
index cde845907..6bba90d14 100644
--- a/etc/inkscape.profile
+++ b/etc/inkscape.profile
@@ -28,6 +28,3 @@ private-tmp
 
 noexec ${HOME}
 noexec /tmp
-
-# CLOBBERED COMMENTS
-# inkscape
diff --git a/etc/iridium.profile b/etc/iridium.profile
index 03fae05dc..95e94cbf9 100644
--- a/etc/iridium.profile
+++ b/etc/iridium.profile
@@ -9,6 +9,7 @@ noblacklist ~/.cache/iridium
 noblacklist ~/.config/iridium
 
 include /etc/firejail/disable-common.inc
+# chromium/iridium is distributed with a perl script on Arch
 # include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-programs.inc
 
@@ -22,6 +23,3 @@ whitelist ~/.pki
 include /etc/firejail/whitelist-common.inc
 
 netfilter
-
-# CLOBBERED COMMENTS
-# chromium/iridium is distributed with a perl script on Arch
diff --git a/etc/kodi.profile b/etc/kodi.profile
index f3eb6867f..06db44132 100644
--- a/etc/kodi.profile
+++ b/etc/kodi.profile
@@ -27,6 +27,3 @@ private-tmp
 
 noexec ${HOME}
 noexec /tmp
-
-# CLOBBERED COMMENTS
-# novideo
diff --git a/etc/kwrite.profile b/etc/kwrite.profile
index 3b3045e07..b6406cc0d 100644
--- a/etc/kwrite.profile
+++ b/etc/kwrite.profile
@@ -22,6 +22,7 @@ netfilter
 nogroups
 nonewprivs
 noroot
+# nosound - KWrite is using ALSA!
 protocol unix
 seccomp
 shell none
@@ -31,6 +32,3 @@ tracelog
 private-dev
 # private-etc fonts
 private-tmp
-
-# CLOBBERED COMMENTS
-# nosound - KWrite is using ALSA!
diff --git a/etc/libreoffice.profile b/etc/libreoffice.profile
index e2c8d0878..8387fef98 100644
--- a/etc/libreoffice.profile
+++ b/etc/libreoffice.profile
@@ -28,6 +28,3 @@ private-dev
 
 noexec ${HOME}
 noexec /tmp
-
-# CLOBBERED COMMENTS
-# whitelist /tmp/.X11-unix/
diff --git a/etc/liferea.profile b/etc/liferea.profile
index a0dd1a1ff..f9c050acb 100644
--- a/etc/liferea.profile
+++ b/etc/liferea.profile
@@ -24,9 +24,11 @@ include /etc/firejail/whitelist-common.inc
 
 caps.drop all
 netfilter
+# no3d
 nogroups
 nonewprivs
 noroot
+# nosound
 novideo
 protocol unix,inet,inet6
 seccomp
@@ -38,7 +40,3 @@ private-tmp
 
 noexec ${HOME}
 noexec /tmp
-
-# CLOBBERED COMMENTS
-# no3d
-# nosound
diff --git a/etc/luminance-hdr.profile b/etc/luminance-hdr.profile
index 961fca905..bbceee7c7 100644
--- a/etc/luminance-hdr.profile
+++ b/etc/luminance-hdr.profile
@@ -29,6 +29,3 @@ private-tmp
 
 noexec ${HOME}
 noexec /tmp
-
-# CLOBBERED COMMENTS
-# luminance-hdr
diff --git a/etc/lxterminal.profile b/etc/lxterminal.profile
index 22ecbaa6f..771211b31 100644
--- a/etc/lxterminal.profile
+++ b/etc/lxterminal.profile
@@ -12,8 +12,6 @@ include /etc/firejail/disable-programs.inc
 
 caps.drop all
 netfilter
+# noroot - somehow this breaks on Debian Jessie!
 protocol unix,inet,inet6
 seccomp
-
-# CLOBBERED COMMENTS
-# noroot - somehow this breaks on Debian Jessie!
diff --git a/etc/midori.profile b/etc/midori.profile
index f3a219f52..5b390a170 100644
--- a/etc/midori.profile
+++ b/etc/midori.profile
@@ -36,9 +36,7 @@ include /etc/firejail/whitelist-common.inc
 caps.drop all
 netfilter
 nonewprivs
+# noroot - problems on Ubuntu 14.04
 protocol unix,inet,inet6,netlink
 seccomp
 tracelog
-
-# CLOBBERED COMMENTS
-# noroot - porblems on Ubuntu 14.04
diff --git a/etc/mplayer.profile b/etc/mplayer.profile
index 25bcef47a..b431e4695 100644
--- a/etc/mplayer.profile
+++ b/etc/mplayer.profile
@@ -14,6 +14,7 @@ include /etc/firejail/disable-programs.inc
 
 caps.drop all
 netfilter
+# nogroups
 nonewprivs
 noroot
 protocol unix,inet,inet6,netlink
@@ -26,6 +27,3 @@ private-tmp
 
 noexec ${HOME}
 noexec /tmp
-
-# CLOBBERED COMMENTS
-# nogroups
diff --git a/etc/mpv.profile b/etc/mpv.profile
index 7c1e5ea27..56192ac17 100644
--- a/etc/mpv.profile
+++ b/etc/mpv.profile
@@ -25,6 +25,3 @@ tracelog
 
 private-bin mpv,youtube-dl,python,python2.7,python3.6,env
 private-dev
-
-# CLOBBERED COMMENTS
-# to test
diff --git a/etc/multimc5.profile b/etc/multimc5.profile
index 882f17485..a2f5d46b4 100644
--- a/etc/multimc5.profile
+++ b/etc/multimc5.profile
@@ -27,6 +27,7 @@ nonewprivs
 noroot
 novideo
 protocol unix,inet,inet6
+# seccomp
 shell none
 
 disable-mnt
@@ -35,6 +36,3 @@ private-tmp
 
 noexec ${HOME}
 noexec /tmp
-
-# CLOBBERED COMMENTS
-# seccomp
diff --git a/etc/mupdf.profile b/etc/mupdf.profile
index a55a01206..4b98552c4 100644
--- a/etc/mupdf.profile
+++ b/etc/mupdf.profile
@@ -19,6 +19,7 @@ noroot
 nosound
 protocol unix
 seccomp
+# seccomp.keep access,arch_prctl,brk,clone,close,connect,execve,exit_group,fchmod,fchown,fcntl,fstat,futex,getcwd,getpeername,getrlimit,getsockname,getsockopt,lseek,lstat,mlock,mmap,mprotect,mremap,munmap,nanosleep,open,poll,prctl,read,recvfrom,recvmsg,restart_syscall,rt_sigaction,rt_sigprocmask,select,sendmsg,set_robust_list,set_tid_address,setresgid,setresuid,shmat,shmctl,shmget,shutdown,socket,stat,sysinfo,uname,unshare,wait4,write,writev
 shell none
 tracelog
 
@@ -26,9 +27,5 @@ tracelog
 private-dev
 private-etc fonts
 private-tmp
-read-only ${HOME}
-
-# CLOBBERED COMMENTS
-# Experimental:
 # mupdf will never write anything
-# seccomp.keep access,arch_prctl,brk,clone,close,connect,execve,exit_group,fchmod,fchown,fcntl,fstat,futex,getcwd,getpeername,getrlimit,getsockname,getsockopt,lseek,lstat,mlock,mmap,mprotect,mremap,munmap,nanosleep,open,poll,prctl,read,recvfrom,recvmsg,restart_syscall,rt_sigaction,rt_sigprocmask,select,sendmsg,set_robust_list,set_tid_address,setresgid,setresuid,shmat,shmctl,shmget,shutdown,socket,stat,sysinfo,uname,unshare,wait4,write,writev
+read-only ${HOME}
diff --git a/etc/mupen64plus.profile b/etc/mupen64plus.profile
index 9c3bfe658..f0680c4ce 100644
--- a/etc/mupen64plus.profile
+++ b/etc/mupen64plus.profile
@@ -13,6 +13,7 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+# you'll need to manually whitelist ROM files
 mkdir ${HOME}/.config/mupen64plus
 mkdir ${HOME}/.local/share/mupen64plus
 whitelist ${HOME}/.config/mupen64plus/
@@ -24,6 +25,3 @@ net none
 nonewprivs
 noroot
 seccomp
-
-# CLOBBERED COMMENTS
-# manually whitelist ROM files
diff --git a/etc/nautilus.profile b/etc/nautilus.profile
index 350e7f9b6..2da8f32d7 100644
--- a/etc/nautilus.profile
+++ b/etc/nautilus.profile
@@ -5,6 +5,9 @@ include /etc/firejail/nautilus.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
+# Nautilus is started by systemd on most systems. Therefore it is not firejailed by default. Since there
+# is already a nautilus process running on gnome desktops firejail will have no effect.
+
 noblacklist ~/.config/nautilus
 noblacklist ~/.local/share/Trash
 noblacklist ~/.local/share/nautilus
@@ -25,12 +28,8 @@ seccomp
 shell none
 tracelog
 
+# nautilus needs to be able to start arbitrary applications so we cannot blacklist their files
 # private-bin nautilus
 # private-dev
 # private-etc fonts
 # private-tmp
-
-# CLOBBERED COMMENTS
-# Nautilus is started by systemd on most systems. Therefore it is not firejailed by default. Since there
-# is already a nautilus process running on gnome desktops firejail will have no effect.
-# nautilus needs to be able to start arbitrary applications so we cannot blacklist their files
diff --git a/etc/open-invaders.profile b/etc/open-invaders.profile
index e4c87e5b9..2587027ab 100644
--- a/etc/open-invaders.profile
+++ b/etc/open-invaders.profile
@@ -28,7 +28,3 @@ shell none
 private-dev
 # private-etc none
 private-tmp
-
-# CLOBBERED COMMENTS
-# depending on your usage, you can enable some of the commands below:
-# nosound
diff --git a/etc/palemoon.profile b/etc/palemoon.profile
index ab72497c0..e3e498195 100644
--- a/etc/palemoon.profile
+++ b/etc/palemoon.profile
@@ -12,6 +12,26 @@ include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-programs.inc
 
+# These are uncommented in the Firefox profile. If you run into trouble you may
+# want to uncomment (some of) them.
+#whitelist ~/dwhelper
+#whitelist ~/.zotero
+#whitelist ~/.vimperatorrc
+#whitelist ~/.vimperator
+#whitelist ~/.pentadactylrc
+#whitelist ~/.pentadactyl
+#whitelist ~/.keysnail.js
+#whitelist ~/.config/gnome-mplayer
+#whitelist ~/.cache/gnome-mplayer/plugin
+#whitelist ~/.pki
+#whitelist ~/.lastpass
+
+# For silverlight
+#whitelist ~/.wine-pipelight
+#whitelist ~/.wine-pipelight64
+#whitelist ~/.config/pipelight-widevine
+#whitelist ~/.config/pipelight-silverlight5.1
+
 mkdir ~/.cache/moonchild productions/pale moon
 mkdir ~/.moonchild productions
 whitelist ${DOWNLOADS}
@@ -34,22 +54,3 @@ tracelog
 # private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse
 # private-opt palemoon
 private-tmp
-
-# CLOBBERED COMMENTS
-# For silverlight
-# want to uncomment (some of) them.
-# whitelist ~/.cache/gnome-mplayer/plugin
-# whitelist ~/.config/gnome-mplayer
-# whitelist ~/.config/pipelight-silverlight5.1
-# whitelist ~/.config/pipelight-widevine
-# whitelist ~/.keysnail.js
-# whitelist ~/.lastpass
-# whitelist ~/.pentadactyl
-# whitelist ~/.pentadactylrc
-# whitelist ~/.pki
-# whitelist ~/.vimperator
-# whitelist ~/.vimperatorrc
-# whitelist ~/.wine-pipelight
-# whitelist ~/.wine-pipelight64
-# whitelist ~/.zotero
-# whitelist ~/dwhelper
diff --git a/etc/pingus.profile b/etc/pingus.profile
index 6699b7944..848bf88ad 100644
--- a/etc/pingus.profile
+++ b/etc/pingus.profile
@@ -28,7 +28,3 @@ shell none
 private-dev
 # private-etc none
 private-tmp
-
-# CLOBBERED COMMENTS
-# depending on your usage, you can enable some of the commands below:
-# nosound
diff --git a/etc/qbittorrent.profile b/etc/qbittorrent.profile
index 5dcba0825..025a6fa61 100644
--- a/etc/qbittorrent.profile
+++ b/etc/qbittorrent.profile
@@ -35,12 +35,9 @@ noroot
 nosound
 protocol unix,inet,inet6,netlink
 seccomp
+# shell none
 
 # private-bin qbittorrent
 private-dev
 # private-etc X11,fonts,xdg,resolv.conf
 private-tmp
-
-# CLOBBERED COMMENTS
-# shell none
-# there are some problems with "Open destination folder", see bug # 536
diff --git a/etc/rambox.profile b/etc/rambox.profile
index ea88b472c..a5b87e901 100644
--- a/etc/rambox.profile
+++ b/etc/rambox.profile
@@ -26,6 +26,4 @@ nonewprivs
 noroot
 protocol unix,inet,inet6,netlink
 seccomp
-
-# CLOBBERED COMMENTS
 # tracelog
diff --git a/etc/ranger.profile b/etc/ranger.profile
index 3915cffb6..3767c7ba8 100644
--- a/etc/ranger.profile
+++ b/etc/ranger.profile
@@ -5,6 +5,7 @@ include /etc/firejail/ranger.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
+# noblacklist /usr/bin/cpan*
 noblacklist /usr/bin/perl
 noblacklist /usr/lib/perl*
 noblacklist /usr/share/perl*
@@ -25,6 +26,3 @@ protocol unix
 seccomp
 
 private-dev
-
-# CLOBBERED COMMENTS
-# noblacklist /usr/bin/cpan*
diff --git a/etc/rhythmbox.profile b/etc/rhythmbox.profile
index 9f8e8fb1a..ac8882165 100644
--- a/etc/rhythmbox.profile
+++ b/etc/rhythmbox.profile
@@ -13,6 +13,7 @@ include /etc/firejail/disable-programs.inc
 
 caps.drop all
 netfilter
+# no3d
 nogroups
 nonewprivs
 noroot
@@ -28,6 +29,3 @@ private-tmp
 
 noexec ${HOME}
 noexec /tmp
-
-# CLOBBERED COMMENTS
-# no3d
diff --git a/etc/scribus.profile b/etc/scribus.profile
index 73343f5da..7e117dcd1 100644
--- a/etc/scribus.profile
+++ b/etc/scribus.profile
@@ -5,6 +5,7 @@ include /etc/firejail/scribus.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
+# Support for PDF readers (Scribus 1.5 and higher)
 noblacklist ~/.config/okularpartrc
 noblacklist ~/.config/okularrc
 noblacklist ~/.config/scribus
@@ -35,6 +36,3 @@ tracelog
 
 private-dev
 # private-tmp
-
-# CLOBBERED COMMENTS
-# Support for PDF readers (Scribus 1.5 and higher)
diff --git a/etc/simple-scan.profile b/etc/simple-scan.profile
index d6c6886c7..a55388fee 100644
--- a/etc/simple-scan.profile
+++ b/etc/simple-scan.profile
@@ -20,12 +20,10 @@ noroot
 nosound
 protocol unix,inet,inet6
 shell none
+# seccomp
 tracelog
 
 # private-bin simple-scan
 # private-dev
 # private-etc fonts
 # private-tmp
-
-# CLOBBERED COMMENTS
-# seccomp
diff --git a/etc/simutrans.profile b/etc/simutrans.profile
index 32c0436f8..d67d2a575 100644
--- a/etc/simutrans.profile
+++ b/etc/simutrans.profile
@@ -28,7 +28,3 @@ shell none
 private-dev
 # private-etc none
 private-tmp
-
-# CLOBBERED COMMENTS
-# depending on your usage, you can enable some of the commands below:
-# nosound
diff --git a/etc/skanlite.profile b/etc/skanlite.profile
index f6e27a474..25f0107f8 100644
--- a/etc/skanlite.profile
+++ b/etc/skanlite.profile
@@ -17,6 +17,7 @@ nogroups
 nonewprivs
 noroot
 nosound
+# protocol unix,inet,inet6
 seccomp
 shell none
 
@@ -24,6 +25,3 @@ shell none
 # private-dev
 # private-etc
 # private-tmp
-
-# CLOBBERED COMMENTS
-# protocol unix,inet,inet6
diff --git a/etc/smplayer.profile b/etc/smplayer.profile
index d3ff02ddf..d8861f937 100644
--- a/etc/smplayer.profile
+++ b/etc/smplayer.profile
@@ -15,6 +15,7 @@ include /etc/firejail/disable-programs.inc
 
 caps.drop all
 netfilter
+# nogroups
 nonewprivs
 noroot
 protocol unix,inet,inet6,netlink
@@ -27,6 +28,3 @@ private-tmp
 
 noexec ${HOME}
 noexec /tmp
-
-# CLOBBERED COMMENTS
-# nogroups
diff --git a/etc/ssh-agent.profile b/etc/ssh-agent.profile
index 520524192..f2c88c943 100644
--- a/etc/ssh-agent.profile
+++ b/etc/ssh-agent.profile
@@ -23,6 +23,3 @@ nonewprivs
 noroot
 protocol unix,inet,inet6
 seccomp
-
-# CLOBBERED COMMENTS
-# ssh-agent
diff --git a/etc/ssh.profile b/etc/ssh.profile
index 0f9950a81..ac3b7a0ba 100644
--- a/etc/ssh.profile
+++ b/etc/ssh.profile
@@ -33,6 +33,3 @@ private-dev
 memory-deny-write-execute
 noexec ${HOME}
 noexec /tmp
-
-# CLOBBERED COMMENTS
-# ssh client
diff --git a/etc/steam.profile b/etc/steam.profile
index b3b62471d..d928e660d 100644
--- a/etc/steam.profile
+++ b/etc/steam.profile
@@ -14,6 +14,7 @@ noblacklist ${HOME}/.local/share/steam
 noblacklist ${HOME}/.steam
 noblacklist ${HOME}/.steampath
 noblacklist ${HOME}/.steampid
+# with >=llvm-4 mesa drivers need llvm stuff
 noblacklist /usr/lib/llvm*
 
 include /etc/firejail/disable-common.inc
@@ -26,15 +27,12 @@ netfilter
 nogroups
 nonewprivs
 noroot
+# novideo
 protocol unix,inet,inet6,netlink
 seccomp
 shell none
+# tracelog disabled as it breaks integrated browser
+# tracelog
 
 private-dev
 private-tmp
-
-# CLOBBERED COMMENTS
-# novideo
-# tracelog
-# tracelog disabled as it breaks integrated browser
-# with >=llvm-4 mesa drivers need llvm stuff
diff --git a/etc/supertux2.profile b/etc/supertux2.profile
index 87ad8da7f..4e70f9e8c 100644
--- a/etc/supertux2.profile
+++ b/etc/supertux2.profile
@@ -28,7 +28,3 @@ shell none
 private-dev
 # private-etc none
 private-tmp
-
-# CLOBBERED COMMENTS
-# depending on your usage, you can enable some of the commands below:
-# nosound
diff --git a/etc/synfigstudio.profile b/etc/synfigstudio.profile
index 02db74df3..6861e6efb 100644
--- a/etc/synfigstudio.profile
+++ b/etc/synfigstudio.profile
@@ -29,6 +29,3 @@ private-tmp
 
 noexec ${HOME}
 noexec /tmp
-
-# CLOBBERED COMMENTS
-# synfigstudio
diff --git a/etc/tar.profile b/etc/tar.profile
index c3b5aa0e6..817e51542 100644
--- a/etc/tar.profile
+++ b/etc/tar.profile
@@ -16,11 +16,9 @@ nosound
 shell none
 tracelog
 
+# support compressed archives
 private-bin sh,bash,dash,tar,gtar,compress,gzip,lzma,xz,bzip2,lbzip2,lzip,lzop
 private-dev
 private-etc passwd,group,localtime
 
 include /etc/firejail/default.profile
-
-# CLOBBERED COMMENTS
-# support compressed archives
diff --git a/etc/thunderbird.profile b/etc/thunderbird.profile
index c80f76aa8..d3b7ee871 100644
--- a/etc/thunderbird.profile
+++ b/etc/thunderbird.profile
@@ -5,6 +5,9 @@ include /etc/firejail/thunderbird.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
+# Users have thunderbird set to open a browser by clicking a link in an email
+# We are not allowed to blacklist browser-specific directories
+
 noblacklist ~/.cache/thunderbird
 noblacklist ~/.gnupg
 noblacklist ~/.icedove
@@ -27,9 +30,5 @@ ignore private-tmp
 read-only ~/.config/mimeapps.list
 read-only ~/.local/share/applications
 
-include /etc/firejail/firefox.profile
-
-# CLOBBERED COMMENTS
-# Users have thunderbird set to open a browser by clicking a link in an email
-# We are not allowed to blacklist browser-specific directories
 # allow browsers
+include /etc/firejail/firefox.profile
diff --git a/etc/tracker.profile b/etc/tracker.profile
index 98040133c..feb8b4fd3 100644
--- a/etc/tracker.profile
+++ b/etc/tracker.profile
@@ -5,6 +5,8 @@ include /etc/firejail/tracker.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
+# Tracker is started by systemd on most systems. Therefore it is not firejailed by default
+
 blacklist /tmp/.X11-unix
 
 include /etc/firejail/disable-common.inc
@@ -28,6 +30,3 @@ tracelog
 # private-dev
 # private-etc fonts
 # private-tmp
-
-# CLOBBERED COMMENTS
-# Tracker is started by systemd on most systems. Therefore it is not firejailed by default
diff --git a/etc/unknown-horizons.profile b/etc/unknown-horizons.profile
index fc24fc04d..e09b65632 100644
--- a/etc/unknown-horizons.profile
+++ b/etc/unknown-horizons.profile
@@ -27,7 +27,3 @@ shell none
 private-dev
 # private-etc none
 private-tmp
-
-# CLOBBERED COMMENTS
-# depending on your usage, you can enable some of the commands below:
-# nosound
diff --git a/etc/virtualbox.profile b/etc/virtualbox.profile
index ca7987932..e94dec35c 100644
--- a/etc/virtualbox.profile
+++ b/etc/virtualbox.profile
@@ -8,6 +8,7 @@ include /etc/firejail/globals.local
 noblacklist ${HOME}/.VirtualBox
 noblacklist ${HOME}/.config/VirtualBox
 noblacklist ${HOME}/VirtualBox VMs
+# noblacklist /usr/bin/virtualbox
 noblacklist /usr/lib/virtualbox
 noblacklist /usr/lib64/virtualbox
 
@@ -23,6 +24,3 @@ include /etc/firejail/whitelist-common.inc
 
 caps.drop all
 netfilter
-
-# CLOBBERED COMMENTS
-# noblacklist /usr/bin/virtualbox
diff --git a/etc/vivaldi.profile b/etc/vivaldi.profile
index 1b63f1573..ae9b49e8c 100644
--- a/etc/vivaldi.profile
+++ b/etc/vivaldi.profile
@@ -29,6 +29,3 @@ private-dev
 
 noexec ${HOME}
 noexec /tmp
-
-# CLOBBERED COMMENTS
-# disable-mnt
diff --git a/etc/vlc.profile b/etc/vlc.profile
index c95f6f048..a41f367dd 100644
--- a/etc/vlc.profile
+++ b/etc/vlc.profile
@@ -14,6 +14,7 @@ include /etc/firejail/disable-programs.inc
 
 caps.drop all
 netfilter
+# nogroups
 nonewprivs
 noroot
 protocol unix,inet,inet6,netlink
@@ -26,7 +27,3 @@ private-tmp
 
 noexec ${HOME}
 noexec /tmp
-
-# CLOBBERED COMMENTS
-# memory-deny-write-execute - breaks playing videos
-# nogroups
diff --git a/etc/warzone2100.profile b/etc/warzone2100.profile
index 157fe3e81..9569226aa 100644
--- a/etc/warzone2100.profile
+++ b/etc/warzone2100.profile
@@ -12,6 +12,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+# mkdir ~/.warzone2100-3.1
+# mkdir ~/.warzone2100-3.2
 whitelist ~/.warzone2100-3.1
 whitelist ~/.warzone2100-3.2
 include /etc/firejail/whitelist-common.inc
@@ -30,8 +32,3 @@ disable-mnt
 private-bin warzone2100
 private-dev
 private-tmp
-
-# CLOBBERED COMMENTS
-# Call these options
-# mkdir ~/.warzone2100-3.1
-# mkdir ~/.warzone2100-3.2
diff --git a/etc/weechat.profile b/etc/weechat.profile
index 75a4dc4a7..833414f3e 100644
--- a/etc/weechat.profile
+++ b/etc/weechat.profile
@@ -17,7 +17,6 @@ noroot
 protocol unix,inet,inet6
 seccomp
 
-# CLOBBERED COMMENTS
+# no private-bin support for various reasons:
 # Plugins loaded: alias, aspell, charset, exec, fifo, guile, irc,
 # logger, lua, perl, python, relay, ruby, script, tcl, trigger, xferloading plugins
-# no private-bin support for various reasons:
diff --git a/etc/wire.profile b/etc/wire.profile
index f20dfe8e2..aacea9940 100644
--- a/etc/wire.profile
+++ b/etc/wire.profile
@@ -5,6 +5,9 @@ include /etc/firejail/wire.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
+# Note: the current beta version of wire is located in /opt/Wire/wire and therefore not in PATH.
+# To use wire with firejail run "firejail /opt/Wire/wire"
+
 noblacklist ~/.config/Wire
 noblacklist ~/.config/wire
 
@@ -25,7 +28,3 @@ shell none
 disable-mnt
 private-dev
 private-tmp
-
-# CLOBBERED COMMENTS
-# Note: the current beta version of wire is located in /opt/Wire/wire and therefore not in PATH.
-# To use wire with firejail run "firejail /opt/Wire/wire"
diff --git a/etc/wireshark.profile b/etc/wireshark.profile
index 0c4bc8029..8a25ec011 100644
--- a/etc/wireshark.profile
+++ b/etc/wireshark.profile
@@ -12,9 +12,15 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+# caps.drop all
 netfilter
 no3d
+# nogroups - breaks unprivileged wireshark usage
+# nonewprivs - breaks unprivileged wireshark usage
+# noroot
 nosound
+# protocol unix,inet,inet6,netlink
+# seccomp - breaks unprivileged wireshark usage
 shell none
 tracelog
 
@@ -25,11 +31,3 @@ private-tmp
 
 noexec ${HOME}
 noexec /tmp
-
-# CLOBBERED COMMENTS
-# caps.drop all
-# nogroups - breaks unprivileged wireshark usage
-# nonewprivs - breaks unprivileged wireshark usage
-# noroot
-# protocol unix,inet,inet6,netlink
-# seccomp - breaks unprivileged wireshark usage