profiles: improvements to profiles using private (#5946)

Changes:

* comment `include whitelist-common.inc` when using `private`
* drop `private` on profiles that access files in `${HOME}`
* use `#` in comments

Relates to #903.

9 files changed, 7 insertions, 9 deletions

diff --git a/etc/profile-m-z/Xephyr.profile b/etc/profile-m-z/Xephyr.profile
index 2fc1d1b8a..0c3d4c1da 100644
--- a/etc/profile-m-z/Xephyr.profile
+++ b/etc/profile-m-z/Xephyr.profile
@@ -16,7 +16,7 @@ include globals.local
 #
 
 whitelist /var/lib/xkb
-include whitelist-common.inc
+#include whitelist-common.inc # see #903
 
 caps.drop all
 # Xephyr needs to be allowed access to the abstract Unix socket namespace.
diff --git a/etc/profile-m-z/Xvfb.profile b/etc/profile-m-z/Xvfb.profile
index ee19fa3b0..2bb9f171a 100644
--- a/etc/profile-m-z/Xvfb.profile
+++ b/etc/profile-m-z/Xvfb.profile
@@ -19,7 +19,7 @@ include globals.local
 #
 
 whitelist /var/lib/xkb
-include whitelist-common.inc
+#include whitelist-common.inc # see #903
 
 caps.drop all
 # Xvfb needs to be allowed access to the abstract Unix socket namespace.
diff --git a/etc/profile-m-z/mirrormagic.profile b/etc/profile-m-z/mirrormagic.profile
index 4943a80af..a8c6e3533 100644
--- a/etc/profile-m-z/mirrormagic.profile
+++ b/etc/profile-m-z/mirrormagic.profile
@@ -39,7 +39,6 @@ seccomp
 tracelog
 
 disable-mnt
-private
 private-bin mirrormagic
 private-cache
 private-dev
diff --git a/etc/profile-m-z/notify-send.profile b/etc/profile-m-z/notify-send.profile
index f0f2cca2e..5ec81c2ac 100644
--- a/etc/profile-m-z/notify-send.profile
+++ b/etc/profile-m-z/notify-send.profile
@@ -18,7 +18,7 @@ include disable-shell.inc
 include disable-write-mnt.inc
 include disable-xdg.inc
 
-include whitelist-common.inc
+#include whitelist-common.inc # see #903
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/ping.profile b/etc/profile-m-z/ping.profile
index 4520ac2fa..d563064e1 100644
--- a/etc/profile-m-z/ping.profile
+++ b/etc/profile-m-z/ping.profile
@@ -18,7 +18,7 @@ include disable-programs.inc
 include disable-X11.inc
 include disable-xdg.inc
 
-include whitelist-common.inc
+#include whitelist-common.inc # see #903
 include whitelist-run-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/reader.profile b/etc/profile-m-z/reader.profile
index 050c46d53..31c45fe84 100644
--- a/etc/profile-m-z/reader.profile
+++ b/etc/profile-m-z/reader.profile
@@ -17,7 +17,7 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
-include whitelist-common.inc
+#include whitelist-common.inc # see #903
 include whitelist-run-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/seahorse-adventures.profile b/etc/profile-m-z/seahorse-adventures.profile
index 5985e0da3..49d98d9f5 100644
--- a/etc/profile-m-z/seahorse-adventures.profile
+++ b/etc/profile-m-z/seahorse-adventures.profile
@@ -23,7 +23,7 @@ include disable-xdg.inc
 
 whitelist /usr/share/seahorse-adventures
 whitelist /usr/share/games/seahorse-adventures
-include whitelist-common.inc
+#include whitelist-common.inc # see #903
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-m-z/wordwarvi.profile b/etc/profile-m-z/wordwarvi.profile
index 310e8b470..970063f93 100644
--- a/etc/profile-m-z/wordwarvi.profile
+++ b/etc/profile-m-z/wordwarvi.profile
@@ -40,7 +40,6 @@ seccomp
 tracelog
 
 disable-mnt
-private
 private-bin wordwarvi
 private-cache
 private-dev
diff --git a/etc/profile-m-z/xbill.profile b/etc/profile-m-z/xbill.profile
index e85bb9f18..46e3e81bc 100644
--- a/etc/profile-m-z/xbill.profile
+++ b/etc/profile-m-z/xbill.profile
@@ -16,7 +16,7 @@ include disable-xdg.inc
 
 whitelist /usr/share/xbill
 whitelist /var/games/xbill/scores
-include whitelist-common.inc
+#include whitelist-common.inc # see #903
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc