archivers: limiting file system access (#3834)

* limit file system access with comments in archiver-common.inc

* note wording

* Warn against overtightening file system access

Be more explicit about things breaking when archiver profiles are too tight. Thanks for the suggestion by @rusty-snake in #3834.

1 files changed, 11 insertions, 2 deletions

diff --git a/etc/inc/archiver-common.inc b/etc/inc/archiver-common.inc
index 2c5e4d8bf..9812e3ebb 100644
--- a/etc/inc/archiver-common.inc
+++ b/etc/inc/archiver-common.inc
@@ -6,12 +6,21 @@ include archiver-common.local
 
 blacklist ${RUNUSER}
 
-include disable-common.inc
+# WARNING:
+# Users can (un)restrict file access for **all** archivers by commenting/uncommenting the needed
+# include file(s) here or by putting those into archiver-common.local.
+# Another option is to do this **per archiver** in the relevant <archiver>.local.
+# Just beware that things tend to break when overtightening profiles. For example, because you only
+# need to (un)compress files in ${DOWNLOADS}, other applications may need access to ${HOME}/.local/share.
+
+# Uncomment the next line (or put it into your archiver-common.local) if you don't need to compress files in disable-common.inc.
+#include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
-include disable-programs.inc
+# Uncomment the next line (or put it into your archiver-common.local) if you don't need to compress files in disable-programs.inc.
+#include disable-programs.inc
 include disable-shell.inc
 
 apparmor