231 files changed, 555 insertions, 547 deletions
diff --git a/etc/inc/disable-common.inc b/etc/inc/disable-common.inc
index 1b0e00bc6..b688647b5 100644
--- a/etc/inc/disable-common.inc
+++ b/etc/inc/disable-common.inc
@@ -33,7 +33,8 @@ blacklist-nolog ${HOME}/.viminfo
 blacklist-nolog /tmp/clipmenu*
 # X11 session autostart
-# blacklist ${HOME}/.xpra - this will kill --x11=xpra cmdline option for all programs
+# this will kill --x11=xpra cmdline option for all programs
+#blacklist ${HOME}/.xpra
 blacklist ${HOME}/.Xsession
 blacklist ${HOME}/.blackbox
 blacklist ${HOME}/.config/autostart
@@ -241,8 +242,9 @@ blacklist /var/lib/mysql/mysql.sock
 blacklist /var/lib/mysqld/mysql.sock
 blacklist /var/lib/pacman
 blacklist /var/lib/upower
-# blacklist /var/log - a virtual /var/log directory (mostly empty) is build up by default for
+# a virtual /var/log directory (mostly empty) is build up by default for every
-# every sandbox, unless --writable-var-log switch is activated
+# sandbox, unless --writable-var-log switch is activated
+#blacklist /var/log
 blacklist /var/mail
 blacklist /var/opt
 blacklist /var/run/acpid.socket
@@ -562,7 +564,7 @@ blacklist ${PATH}/bmon
 blacklist ${PATH}/fping
 blacklist ${PATH}/fping6
 blacklist ${PATH}/hostname
-# blacklist ${PATH}/ip - breaks --ip=dhcp
+#blacklist ${PATH}/ip # breaks --ip=dhcp
 blacklist ${PATH}/mtr
 blacklist ${PATH}/mtr-packet
 blacklist ${PATH}/netstat
@@ -611,8 +613,8 @@ blacklist /tmp/tmux-*
 blacklist ${PATH}/gnome-terminal
 blacklist ${PATH}/gnome-terminal.wrapper
 blacklist ${PATH}/kgx
-# blacklist ${PATH}/konsole
 # konsole doesn't seem to have this problem - last tested on Ubuntu 16.04
+#blacklist ${PATH}/konsole
 blacklist ${PATH}/lilyterm
 blacklist ${PATH}/lxterminal
 blacklist ${PATH}/mate-terminal
diff --git a/etc/profile-a-l/abiword.profile b/etc/profile-a-l/abiword.profile
index a0eed24ca..dcd1259cf 100644
--- a/etc/profile-a-l/abiword.profile
+++ b/etc/profile-a-l/abiword.profile
@@ -44,7 +44,7 @@ private-dev
 private-etc @x11
 private-tmp
-# dbus-user none
+#dbus-user none
-# dbus-system none
+#dbus-system none
 restrict-namespaces
diff --git a/etc/profile-a-l/akonadi_control.profile b/etc/profile-a-l/akonadi_control.profile
index 184036f24..275ff41ef 100644
--- a/etc/profile-a-l/akonadi_control.profile
+++ b/etc/profile-a-l/akonadi_control.profile
@@ -34,7 +34,7 @@ include whitelist-var-common.inc
 # disabled options below are not compatible with the apparmor profile for mysqld-akonadi.
 # this affects ubuntu and debian currently
-# apparmor
+#apparmor
 caps.drop all
 ipc-namespace
 netfilter
@@ -42,17 +42,17 @@ no3d
 nodvd
 nogroups
 noinput
-# nonewprivs
+#nonewprivs
 noroot
 nosound
 notv
 nou2f
 novideo
-# protocol unix,inet,inet6,netlink
+#protocol unix,inet,inet6,netlink
-# seccomp !io_destroy,!io_getevents,!io_setup,!io_submit,!ioprio_set
+#seccomp !io_destroy,!io_getevents,!io_setup,!io_submit,!ioprio_set
 tracelog
 private-dev
-# private-tmp - breaks programs that depend on akonadi
+#private-tmp # breaks programs that depend on akonadi
-# restrict-namespaces
+#restrict-namespaces
diff --git a/etc/profile-a-l/akregator.profile b/etc/profile-a-l/akregator.profile
index d88a1fcad..9de992a76 100644
--- a/etc/profile-a-l/akregator.profile
+++ b/etc/profile-a-l/akregator.profile
@@ -49,4 +49,4 @@ private-dev
 private-tmp
 deterministic-shutdown
-# restrict-namespaces
+#restrict-namespaces
diff --git a/etc/profile-a-l/alacarte.profile b/etc/profile-a-l/alacarte.profile
index 22a303cdd..14c425cc6 100644
--- a/etc/profile-a-l/alacarte.profile
+++ b/etc/profile-a-l/alacarte.profile
@@ -49,7 +49,7 @@ seccomp.block-secondary
 tracelog
 disable-mnt
-# private-bin alacarte,bash,python*,sh
+#private-bin alacarte,bash,python*,sh
 private-cache
 private-dev
 private-etc @tls-ca,@x11,mime.types
diff --git a/etc/profile-a-l/amarok.profile b/etc/profile-a-l/amarok.profile
index 389aae602..0c78ab20d 100644
--- a/etc/profile-a-l/amarok.profile
+++ b/etc/profile-a-l/amarok.profile
@@ -26,11 +26,11 @@ notv
 nou2f
 novideo
 protocol unix,inet,inet6
-# seccomp
+#seccomp
-# private-bin amarok
+#private-bin amarok
 private-dev
-# private-etc alternatives,asound.conf,ca-certificates,crypto-policies,machine-id,pki,pulse,resolv.conf,ssl
+#private-etc alternatives,asound.conf,ca-certificates,crypto-policies,machine-id,pki,pulse,resolv.conf,ssl
 private-tmp
 dbus-user filter
@@ -45,4 +45,4 @@ dbus-user.talk org.freedesktop.Notifications
 #dbus-user.talk org.kde.knotify
 dbus-system none
-# restrict-namespaces
+#restrict-namespaces
diff --git a/etc/profile-a-l/android-studio.profile b/etc/profile-a-l/android-studio.profile
index 3dfa0f95a..09289ace1 100644
--- a/etc/profile-a-l/android-studio.profile
+++ b/etc/profile-a-l/android-studio.profile
@@ -36,7 +36,7 @@ protocol unix,inet,inet6
 seccomp
 private-cache
-# private-tmp
+#private-tmp
 # noexec /tmp breaks 'Android Profiler'
 #noexec /tmp
diff --git a/etc/profile-a-l/anki.profile b/etc/profile-a-l/anki.profile
index 2d0bfcb6c..acf52509c 100644
--- a/etc/profile-a-l/anki.profile
+++ b/etc/profile-a-l/anki.profile
@@ -55,4 +55,4 @@ private-tmp
 dbus-user none
 dbus-system none
-# restrict-namespaces
+#restrict-namespaces
diff --git a/etc/profile-a-l/arduino.profile b/etc/profile-a-l/arduino.profile
index 85ea76939..a925e223f 100644
--- a/etc/profile-a-l/arduino.profile
+++ b/etc/profile-a-l/arduino.profile
@@ -21,7 +21,7 @@ caps.drop all
 netfilter
 no3d
 nodvd
-# nogroups
+#nogroups
 nonewprivs
 noroot
 nosound
diff --git a/etc/profile-a-l/aria2c.profile b/etc/profile-a-l/aria2c.profile
index 7f9463c4f..65ffdfa1b 100644
--- a/etc/profile-a-l/aria2c.profile
+++ b/etc/profile-a-l/aria2c.profile
@@ -39,7 +39,7 @@ novideo
 protocol unix,inet,inet6,netlink
 seccomp
-# disable-mnt
+#disable-mnt
 # Add your custom event hook commands to 'private-bin' in your aria2c.local.
 private-bin aria2c,gzip
 # Add 'private-cache' to your aria2c.local if you don't use Lutris/winetricks (see issue #2772).
diff --git a/etc/profile-a-l/ark.profile b/etc/profile-a-l/ark.profile
index 272e06219..65e965248 100644
--- a/etc/profile-a-l/ark.profile
+++ b/etc/profile-a-l/ark.profile
@@ -22,7 +22,7 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
-# net none
+#net none
 netfilter
 nodvd
 nogroups
@@ -42,7 +42,7 @@ private-bin 7z,ark,bash,lrzip,lsar,lz4,lzop,p7zip,rar,sh,tclsh,unar,unrar,unzip,
 private-dev
 private-tmp
-# dbus-user none
+#dbus-user none
-# dbus-system none
+#dbus-system none
 restrict-namespaces
diff --git a/etc/profile-a-l/artha.profile b/etc/profile-a-l/artha.profile
index 897140857..f6369eb86 100644
--- a/etc/profile-a-l/artha.profile
+++ b/etc/profile-a-l/artha.profile
@@ -35,7 +35,7 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 ipc-namespace
-# net none - breaks on Ubuntu
+#net none # breaks on Ubuntu
 no3d
 nodvd
 nogroups
diff --git a/etc/profile-a-l/asunder.profile b/etc/profile-a-l/asunder.profile
index c09ad7936..601ef5c13 100644
--- a/etc/profile-a-l/asunder.profile
+++ b/etc/profile-a-l/asunder.profile
@@ -26,7 +26,7 @@ apparmor
 caps.drop all
 netfilter
 no3d
-# nogroups
+#nogroups
 noinput
 nonewprivs
 noroot
@@ -44,5 +44,5 @@ dbus-user none
 dbus-system none
 # mdwe is disabled due to breaking hardware accelerated decoding
-# memory-deny-write-execute
+#memory-deny-write-execute
 restrict-namespaces
diff --git a/etc/profile-a-l/atom.profile b/etc/profile-a-l/atom.profile
index 8e8f8515f..f21a8c34a 100644
--- a/etc/profile-a-l/atom.profile
+++ b/etc/profile-a-l/atom.profile
@@ -26,7 +26,7 @@ noblacklist ${HOME}/.config/Atom
 # Allows files commonly used by IDEs
 include allow-common-devel.inc
-# net none
+#net none
 nosound
 # Redirect
diff --git a/etc/profile-a-l/atril.profile b/etc/profile-a-l/atril.profile
index d0513d2a7..26b978158 100644
--- a/etc/profile-a-l/atril.profile
+++ b/etc/profile-a-l/atril.profile
@@ -22,7 +22,7 @@ include disable-xdg.inc
 include whitelist-var-common.inc
-# apparmor
+#apparmor
 caps.drop all
 machine-id
 no3d
@@ -44,7 +44,7 @@ private-dev
 private-etc
 # atril uses webkit gtk to display epub files
 # waiting for globbing support in private-lib; for now hardcoding it to webkit2gtk-4.0
-#private-lib webkit2gtk-4.0 - problems on Arch with the new version of WebKit
+#private-lib webkit2gtk-4.0 # problems on Arch with the new version of WebKit
 private-tmp
 # webkit gtk killed by memory-deny-write-execute
diff --git a/etc/profile-a-l/audacious.profile b/etc/profile-a-l/audacious.profile
index 6abd87c92..6d1a07e2d 100644
--- a/etc/profile-a-l/audacious.profile
+++ b/etc/profile-a-l/audacious.profile
@@ -36,7 +36,7 @@ protocol unix,inet,inet6
 seccomp
 tracelog
-# private-bin audacious
+#private-bin audacious
 private-cache
 private-dev
 private-tmp
diff --git a/etc/profile-a-l/audacity.profile b/etc/profile-a-l/audacity.profile
index c2a482b61..e70215891 100644
--- a/etc/profile-a-l/audacity.profile
+++ b/etc/profile-a-l/audacity.profile
@@ -54,7 +54,7 @@ private-etc @x11
 private-tmp
 # problems on Fedora 27
-# dbus-user none
+#dbus-user none
-# dbus-system none
+#dbus-system none
 restrict-namespaces
diff --git a/etc/profile-a-l/audio-recorder.profile b/etc/profile-a-l/audio-recorder.profile
index deba11a47..816852a71 100644
--- a/etc/profile-a-l/audio-recorder.profile
+++ b/etc/profile-a-l/audio-recorder.profile
@@ -41,7 +41,7 @@ seccomp
 tracelog
 disable-mnt
-# private-bin audio-recorder
+#private-bin audio-recorder
 private-cache
 private-etc
 private-tmp
@@ -50,5 +50,5 @@ dbus-user filter
 dbus-user.talk ca.desrt.dconf
 dbus-system none
-# memory-deny-write-execute - breaks on Arch
+#memory-deny-write-execute # breaks on Arch
 restrict-namespaces
diff --git a/etc/profile-a-l/authenticator.profile b/etc/profile-a-l/authenticator.profile
index 96c70a838..cbd97449d 100644
--- a/etc/profile-a-l/authenticator.profile
+++ b/etc/profile-a-l/authenticator.profile
@@ -19,7 +19,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-programs.inc
-# apparmor
+#apparmor
 caps.drop all
 netfilter
 no3d
@@ -31,19 +31,19 @@ noroot
 nosound
 notv
 nou2f
-# novideo
+#novideo
 protocol unix,inet,inet6
 seccomp
 disable-mnt
-# private-bin authenticator,python*
+#private-bin authenticator,python*
 private-dev
 private-etc @tls-ca
 private-tmp
 # makes settings immutable
-# dbus-user none
+#dbus-user none
-# dbus-system none
+#dbus-system none
-#memory-deny-write-execute - breaks on Arch (see issue #1803)
+#memory-deny-write-execute # breaks on Arch (see issue #1803)
 restrict-namespaces
diff --git a/etc/profile-a-l/autokey-common.profile b/etc/profile-a-l/autokey-common.profile
index 834eac11a..bc47b26a9 100644
--- a/etc/profile-a-l/autokey-common.profile
+++ b/etc/profile-a-l/autokey-common.profile
@@ -38,5 +38,5 @@ private-cache
 private-dev
 private-tmp
-#memory-deny-write-execute - breaks on Arch (see issue #1803)
+#memory-deny-write-execute # breaks on Arch (see issue #1803)
 restrict-namespaces
diff --git a/etc/profile-a-l/baloo_file.profile b/etc/profile-a-l/baloo_file.profile
index 084b7c702..de4004724 100644
--- a/etc/profile-a-l/baloo_file.profile
+++ b/etc/profile-a-l/baloo_file.profile
@@ -7,10 +7,10 @@ include globals.local
 # Make home directory read-only and allow writing only to ${HOME}/.local/share/baloo
 # Note: Baloo will not be able to update the "first run" key in its configuration files.
-# mkdir ${HOME}/.local/share/baloo
+#mkdir ${HOME}/.local/share/baloo
-# read-only ${HOME}
+#read-only ${HOME}
-# read-write ${HOME}/.local/share/baloo
+#read-write ${HOME}/.local/share/baloo
-# ignore read-write
+#ignore read-write
 noblacklist ${HOME}/.config/baloofilerc
 noblacklist ${HOME}/.kde/share/config/baloofilerc
@@ -31,7 +31,7 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 machine-id
-# net none
+#net none
 netfilter
 no3d
 nodvd
@@ -46,7 +46,7 @@ novideo
 protocol unix
 # blacklisting of ioprio_set system calls breaks baloo_file
 seccomp !ioprio_set
-# x11 xorg
+#x11 xorg
 private-bin baloo_file,baloo_file_extractor,baloo_filemetadata_temp_extractor,kbuildsycoca4
 private-cache
diff --git a/etc/profile-a-l/baobab.profile b/etc/profile-a-l/baobab.profile
index 31ef66a58..942d82941 100644
--- a/etc/profile-a-l/baobab.profile
+++ b/etc/profile-a-l/baobab.profile
@@ -6,13 +6,13 @@ include baobab.local
 # Persistent global definitions
 include globals.local
-# include disable-common.inc
+#include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-# include disable-programs.inc
+#include disable-programs.inc
 include disable-shell.inc
-# include disable-xdg.inc
+#include disable-xdg.inc
 include whitelist-runuser-common.inc
@@ -37,8 +37,8 @@ private-bin baobab
 private-dev
 private-tmp
-# dbus-user none
+#dbus-user none
-# dbus-system none
+#dbus-system none
 read-only ${HOME}
 restrict-namespaces
diff --git a/etc/profile-a-l/bcompare.profile b/etc/profile-a-l/bcompare.profile
index d566b94e8..c0e024445 100644
--- a/etc/profile-a-l/bcompare.profile
+++ b/etc/profile-a-l/bcompare.profile
@@ -19,7 +19,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 # Add the next line to your bcompare.local if you don't need to compare files in disable-programs.inc.
 #include disable-programs.inc
-#include disable-shell.inc - breaks launch
+#include disable-shell.inc # breaks launch
 include disable-write-mnt.inc
 apparmor
diff --git a/etc/profile-a-l/bibletime.profile b/etc/profile-a-l/bibletime.profile
index 3fb2a82c3..dcef2bff1 100644
--- a/etc/profile-a-l/bibletime.profile
+++ b/etc/profile-a-l/bibletime.profile
@@ -48,7 +48,7 @@ protocol unix,inet,inet6,netlink
 seccomp !chroot
 disable-mnt
-# private-bin bibletime
+#private-bin bibletime
 private-cache
 private-dev
 private-etc @tls-ca,sword,sword.conf
@@ -57,4 +57,4 @@ private-tmp
 dbus-user none
 dbus-system none
-# restrict-namespaces
+#restrict-namespaces
diff --git a/etc/profile-a-l/bijiben.profile b/etc/profile-a-l/bijiben.profile
index 53d212e34..e596ec9d2 100644
--- a/etc/profile-a-l/bijiben.profile
+++ b/etc/profile-a-l/bijiben.profile
@@ -48,7 +48,7 @@ tracelog
 disable-mnt
 private-bin bijiben
-# private-cache -- access to .cache/tracker is required
+#private-cache # access to .cache/tracker is required
 private-dev
 private-etc @x11
 private-tmp
diff --git a/etc/profile-a-l/bitlbee.profile b/etc/profile-a-l/bitlbee.profile
index 988a1479e..0f10c7ce0 100644
--- a/etc/profile-a-l/bitlbee.profile
+++ b/etc/profile-a-l/bitlbee.profile
@@ -10,7 +10,7 @@ ignore noexec ${HOME}
 noblacklist /sbin
 noblacklist /usr/sbin
-# noblacklist /var/log
+#noblacklist /var/log
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/bleachbit.profile b/etc/profile-a-l/bleachbit.profile
index 52d970d89..cd1b059b4 100644
--- a/etc/profile-a-l/bleachbit.profile
+++ b/etc/profile-a-l/bleachbit.profile
@@ -18,7 +18,7 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-# include disable-programs.inc
+#include disable-programs.inc
 caps.drop all
 net none
@@ -36,11 +36,11 @@ protocol unix
 seccomp
 private-dev
-# private-tmp
+#private-tmp
 dbus-user none
 dbus-system none
 # memory-deny-write-execute breaks some systems, see issue #1850
-# memory-deny-write-execute
+#memory-deny-write-execute
 restrict-namespaces
diff --git a/etc/profile-a-l/bless.profile b/etc/profile-a-l/bless.profile
index 6dd540943..85f232751 100644
--- a/etc/profile-a-l/bless.profile
+++ b/etc/profile-a-l/bless.profile
@@ -31,7 +31,7 @@ novideo
 protocol unix
 seccomp
-# private-bin bash,bless,mono,sh
+#private-bin bash,bless,mono,sh
 private-cache
 private-dev
 private-etc mono
diff --git a/etc/profile-a-l/brackets.profile b/etc/profile-a-l/brackets.profile
index a483c2b0a..684504937 100644
--- a/etc/profile-a-l/brackets.profile
+++ b/etc/profile-a-l/brackets.profile
@@ -32,4 +32,4 @@ seccomp !chroot,!ioperm
 private-cache
 private-dev
-# restrict-namespaces
+#restrict-namespaces
diff --git a/etc/profile-a-l/brasero.profile b/etc/profile-a-l/brasero.profile
index 12d7062ab..92184ef18 100644
--- a/etc/profile-a-l/brasero.profile
+++ b/etc/profile-a-l/brasero.profile
@@ -29,9 +29,9 @@ protocol unix
 seccomp
 tracelog
-# private-bin brasero
+#private-bin brasero
 private-cache
-# private-dev
+#private-dev
-# private-tmp
+#private-tmp
 restrict-namespaces
diff --git a/etc/profile-a-l/build-systems-common.profile b/etc/profile-a-l/build-systems-common.profile
index cf5f462ae..8616996d2 100644
--- a/etc/profile-a-l/build-systems-common.profile
+++ b/etc/profile-a-l/build-systems-common.profile
@@ -39,7 +39,7 @@ include whitelist-var-common.inc
 caps.drop all
 ipc-namespace
 machine-id
-# net none
+#net none
 netfilter
 no3d
 nodvd
diff --git a/etc/profile-a-l/calibre.profile b/etc/profile-a-l/calibre.profile
index b347941d7..cb9c92ffb 100644
--- a/etc/profile-a-l/calibre.profile
+++ b/etc/profile-a-l/calibre.profile
@@ -36,4 +36,4 @@ seccomp !chroot
 private-dev
 private-tmp
-# restrict-namespaces
+#restrict-namespaces
diff --git a/etc/profile-a-l/calligra.profile b/etc/profile-a-l/calligra.profile
index c2972f902..ffb83b2ed 100644
--- a/etc/profile-a-l/calligra.profile
+++ b/etc/profile-a-l/calligra.profile
@@ -15,7 +15,7 @@ include disable-programs.inc
 caps.drop all
 ipc-namespace
-# net none
+#net none
 netfilter
 nodvd
 nogroups
@@ -32,9 +32,9 @@ seccomp.block-secondary
 private-bin calligra,calligraauthor,calligraconverter,calligraflow,calligragemini,calligraplan,calligraplanwork,calligrasheets,calligrastage,calligrawords,dbus-launch,kbuildsycoca4,kdeinit4
 private-dev
-# dbus-user none
+#dbus-user none
-# dbus-system none
+#dbus-system none
-# noexec ${HOME}
+#noexec ${HOME}
 noexec /tmp
 restrict-namespaces
diff --git a/etc/profile-a-l/cameramonitor.profile b/etc/profile-a-l/cameramonitor.profile
index df94ac859..4f8fd7187 100644
--- a/etc/profile-a-l/cameramonitor.profile
+++ b/etc/profile-a-l/cameramonitor.profile
@@ -48,8 +48,8 @@ private-cache
 private-etc
 private-tmp
-# dbus-user none
+#dbus-user none
-# dbus-system none
+#dbus-system none
-# memory-deny-write-execute - breaks on Arch
+#memory-deny-write-execute # breaks on Arch
 restrict-namespaces
diff --git a/etc/profile-a-l/cantata.profile b/etc/profile-a-l/cantata.profile
index 7cb56efee..36c7c1091 100644
--- a/etc/profile-a-l/cantata.profile
+++ b/etc/profile-a-l/cantata.profile
@@ -22,7 +22,7 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
-# apparmor
+#apparmor
 caps.drop all
 ipc-namespace
 netfilter
@@ -34,7 +34,7 @@ novideo
 protocol unix,inet,inet6,netlink
 seccomp
-# private-etc alternatives,drirc,fonts,gcrypt,hosts,kde5rc,mpd.conf,passwd,samba,ssl,xdg
+#private-etc alternatives,drirc,fonts,gcrypt,hosts,kde5rc,mpd.conf,passwd,samba,ssl,xdg
 private-bin cantata,mpd,perl
 private-dev
diff --git a/etc/profile-a-l/catfish.profile b/etc/profile-a-l/catfish.profile
index e2df341e9..037f6ee40 100644
--- a/etc/profile-a-l/catfish.profile
+++ b/etc/profile-a-l/catfish.profile
@@ -15,10 +15,10 @@ noblacklist ${HOME}/.config/catfish
 include allow-python2.inc
 include allow-python3.inc
-# include disable-common.inc
+#include disable-common.inc
-# include disable-devel.inc
+#include disable-devel.inc
 include disable-interpreters.inc
-# include disable-programs.inc
+#include disable-programs.inc
 whitelist /var/lib/mlocate
 include whitelist-var-common.inc
@@ -40,9 +40,9 @@ tracelog
 # These options work but are disabled in case
 # a users wants to search in these directories.
-# private-bin bash,catfish,env,locate,ls,mlocate,python*
+#private-bin bash,catfish,env,locate,ls,mlocate,python*
-# private-dev
+#private-dev
-# private-tmp
+#private-tmp
 dbus-user none
 dbus-system none
diff --git a/etc/profile-a-l/cawbird.profile b/etc/profile-a-l/cawbird.profile
index 17887b6cc..7fdbc3881 100644
--- a/etc/profile-a-l/cawbird.profile
+++ b/etc/profile-a-l/cawbird.profile
@@ -41,7 +41,7 @@ private-dev
 private-etc @tls-ca,@x11,host.conf,mime.types
 private-tmp
-# dbus-user none
+#dbus-user none
 dbus-system none
 restrict-namespaces
diff --git a/etc/profile-a-l/chromium-browser-privacy.profile b/etc/profile-a-l/chromium-browser-privacy.profile
index 8803a4d9d..67a3a43af 100644
--- a/etc/profile-a-l/chromium-browser-privacy.profile
+++ b/etc/profile-a-l/chromium-browser-privacy.profile
@@ -13,7 +13,7 @@ mkdir ${HOME}/.config/ungoogled-chromium
 whitelist ${HOME}/.cache/ungoogled-chromium
 whitelist ${HOME}/.config/ungoogled-chromium
-# private-bin basename,bash,cat,chromium-browser-privacy,dirname,mkdir,readlink,sed,touch,which,xdg-settings
+#private-bin basename,bash,cat,chromium-browser-privacy,dirname,mkdir,readlink,sed,touch,which,xdg-settings
 # Redirect
 include chromium.profile
diff --git a/etc/profile-a-l/chromium-common.profile b/etc/profile-a-l/chromium-common.profile
index 878e0fe1d..37bfa0bfe 100644
--- a/etc/profile-a-l/chromium-common.profile
+++ b/etc/profile-a-l/chromium-common.profile
@@ -33,13 +33,15 @@ include whitelist-run-common.inc
 ?BROWSER_DISABLE_U2F: nou2f
 ?BROWSER_DISABLE_U2F: private-dev
-#private-tmp - issues when using multiple browser sessions
+#private-tmp # issues when using multiple browser sessions
 blacklist ${PATH}/curl
 blacklist ${PATH}/wget
 blacklist ${PATH}/wget2
-#dbus-user none - prevents access to passwords saved in GNOME Keyring and KWallet, also breaks Gnome connector.
+# This prevents access to passwords saved in GNOME Keyring and KWallet, also
+# breaks Gnome connector.
+#dbus-user none
 # The file dialog needs to work without d-bus.
 ?HAS_NODBUS: env NO_CHROME_KDE_FILE_DIALOG=1
diff --git a/etc/profile-a-l/chromium.profile b/etc/profile-a-l/chromium.profile
index 14f1bbe64..8c43aac9c 100644
--- a/etc/profile-a-l/chromium.profile
+++ b/etc/profile-a-l/chromium.profile
@@ -17,7 +17,7 @@ whitelist ${HOME}/.config/chromium
 whitelist ${HOME}/.config/chromium-flags.conf
 whitelist /usr/share/chromium
-# private-bin chromium,chromium-browser,chromedriver
+#private-bin chromium,chromium-browser,chromedriver
 # Redirect
 include chromium-common.profile
diff --git a/etc/profile-a-l/clac.profile b/etc/profile-a-l/clac.profile
index b654b3890..cd2b2522d 100644
--- a/etc/profile-a-l/clac.profile
+++ b/etc/profile-a-l/clac.profile
@@ -16,10 +16,10 @@ include disable-interpreters.inc
 include disable-proc.inc
 include disable-programs.inc
 include disable-shell.inc
-#include disable-X11.inc - x11 none
+#include disable-X11.inc # x11 none
 include disable-xdg.inc
-#include whitelist-common.inc - see #903
+#include whitelist-common.inc # see #903
 include whitelist-run-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/claws-mail.profile b/etc/profile-a-l/claws-mail.profile
index 7fefc68b1..53db480a4 100644
--- a/etc/profile-a-l/claws-mail.profile
+++ b/etc/profile-a-l/claws-mail.profile
@@ -18,7 +18,7 @@ whitelist ${HOME}/.claws-mail
 whitelist /usr/share/doc/claws-mail
-# private-bin claws-mail,curl,gpg,gpg2,gpg-agent,gpgsm,gpgme-config,pinentry,pinentry-gtk-2
+#private-bin claws-mail,curl,gpg,gpg2,gpg-agent,gpgsm,gpgme-config,pinentry,pinentry-gtk-2
 # Redirect
 include email-common.profile
diff --git a/etc/profile-a-l/clawsker.profile b/etc/profile-a-l/clawsker.profile
index 3b8eb7bbd..37d9e9e3a 100644
--- a/etc/profile-a-l/clawsker.profile
+++ b/etc/profile-a-l/clawsker.profile
@@ -50,5 +50,5 @@ private-tmp
 dbus-user none
 dbus-system none
-#memory-deny-write-execute - breaks on Arch (see issue #1803)
+#memory-deny-write-execute # breaks on Arch (see issue #1803)
 restrict-namespaces
diff --git a/etc/profile-a-l/clementine.profile b/etc/profile-a-l/clementine.profile
index ee01fa653..3e9363bb4 100644
--- a/etc/profile-a-l/clementine.profile
+++ b/etc/profile-a-l/clementine.profile
@@ -37,6 +37,6 @@ private-dev
 private-tmp
 dbus-system none
-# dbus-user none
+#dbus-user none
 restrict-namespaces
diff --git a/etc/profile-a-l/clion.profile b/etc/profile-a-l/clion.profile
index 652809f1b..0cea1c7d4 100644
--- a/etc/profile-a-l/clion.profile
+++ b/etc/profile-a-l/clion.profile
@@ -37,7 +37,7 @@ seccomp
 private-cache
 private-dev
-# private-tmp
+#private-tmp
 noexec /tmp
 restrict-namespaces
diff --git a/etc/profile-a-l/clipgrab.profile b/etc/profile-a-l/clipgrab.profile
index 3f3748e1a..2657876b8 100644
--- a/etc/profile-a-l/clipgrab.profile
+++ b/etc/profile-a-l/clipgrab.profile
@@ -46,7 +46,7 @@ private-dev
 private-tmp
 # 'dbus-user none' breaks tray menu - add 'dbus-user none' to your clipgrab.local if you don't need it.
-# dbus-user none
+#dbus-user none
-# dbus-system none
+#dbus-system none
-# restrict-namespaces
+#restrict-namespaces
diff --git a/etc/profile-a-l/code.profile b/etc/profile-a-l/code.profile
index 19862bc92..1b69effc3 100644
--- a/etc/profile-a-l/code.profile
+++ b/etc/profile-a-l/code.profile
@@ -35,7 +35,7 @@ nosound
 # Disabling noexec ${HOME} for now since it will
 # probably interfere with running some programmes
 # in VS Code
-# noexec ${HOME}
+#noexec ${HOME}
 noexec /tmp
 # Redirect
diff --git a/etc/profile-a-l/com.github.bleakgrey.tootle.profile b/etc/profile-a-l/com.github.bleakgrey.tootle.profile
index 180282869..b1275e96b 100644
--- a/etc/profile-a-l/com.github.bleakgrey.tootle.profile
+++ b/etc/profile-a-l/com.github.bleakgrey.tootle.profile
@@ -48,9 +48,9 @@ private-etc @tls-ca,@x11,host.conf,mime.types
 private-tmp
 # Settings are immutable
-# dbus-user filter
+#dbus-user filter
-# dbus-user.own com.github.bleakgrey.tootle
+#dbus-user.own com.github.bleakgrey.tootle
-# dbus-user.talk ca.desrt.dconf
+#dbus-user.talk ca.desrt.dconf
 dbus-system none
 restrict-namespaces
diff --git a/etc/profile-a-l/cower.profile b/etc/profile-a-l/cower.profile
index 9b05b4416..c280cf22a 100644
--- a/etc/profile-a-l/cower.profile
+++ b/etc/profile-a-l/cower.profile
@@ -19,8 +19,8 @@ include disable-shell.inc
 include disable-xdg.inc
 # This profile could be significantly strengthened by adding the following to cower.local
-# whitelist ${HOME}/<Your Build Folder>
+#whitelist ${HOME}/<Your Build Folder>
-# whitelist ${HOME}/.config/cower
+#whitelist ${HOME}/.config/cower
 caps.drop all
 ipc-namespace
diff --git a/etc/profile-a-l/curl.profile b/etc/profile-a-l/curl.profile
index bfe8764d5..42ade7ce9 100644
--- a/etc/profile-a-l/curl.profile
+++ b/etc/profile-a-l/curl.profile
@@ -50,10 +50,10 @@ protocol inet,inet6
 seccomp
 tracelog
-# private-bin curl
+#private-bin curl
 private-cache
 private-dev
-# private-etc alternatives,ca-certificates,crypto-policies,pki,resolv.conf,ssl
+#private-etc alternatives,ca-certificates,crypto-policies,pki,resolv.conf,ssl
 private-etc @tls-ca
 private-tmp
diff --git a/etc/profile-a-l/cyberfox.profile b/etc/profile-a-l/cyberfox.profile
index a303c5979..c7a42e0eb 100644
--- a/etc/profile-a-l/cyberfox.profile
+++ b/etc/profile-a-l/cyberfox.profile
@@ -15,7 +15,7 @@ whitelist ${HOME}/.cache/8pecxstudios
 whitelist /usr/share/8pecxstudios
 whitelist /usr/share/cyberfox
-# private-bin cyberfox,dbus-launch,dbus-send,env,sh,which
+#private-bin cyberfox,dbus-launch,dbus-send,env,sh,which
 # private-etc must first be enabled in firefox-common.profile
 #private-etc cyberfox
diff --git a/etc/profile-a-l/d-feet.profile b/etc/profile-a-l/d-feet.profile
index 7dd5ca260..75338eb6d 100644
--- a/etc/profile-a-l/d-feet.profile
+++ b/etc/profile-a-l/d-feet.profile
@@ -31,7 +31,7 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 ipc-namespace
-# net none - breaks on Ubuntu
+#net none # breaks on Ubuntu
 no3d
 nodvd
 nogroups
@@ -52,5 +52,5 @@ private-dev
 private-etc dbus-1
 private-tmp
-#memory-deny-write-execute - breaks on Arch (see issue #1803)
+#memory-deny-write-execute # breaks on Arch (see issue #1803)
 restrict-namespaces
diff --git a/etc/profile-a-l/dconf-editor.profile b/etc/profile-a-l/dconf-editor.profile
index e2e2492bc..e8acd60b7 100644
--- a/etc/profile-a-l/dconf-editor.profile
+++ b/etc/profile-a-l/dconf-editor.profile
@@ -22,7 +22,7 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
-# net none - breaks application on older versions
+#net none # breaks application on older versions
 no3d
 nodvd
 nogroups
diff --git a/etc/profile-a-l/ddgtk.profile b/etc/profile-a-l/ddgtk.profile
index 9811c90d6..0fa88f232 100644
--- a/etc/profile-a-l/ddgtk.profile
+++ b/etc/profile-a-l/ddgtk.profile
@@ -50,5 +50,5 @@ private-tmp
 dbus-user none
 dbus-system none
-# memory-deny-write-execute - breaks on Arch
+#memory-deny-write-execute # breaks on Arch
 restrict-namespaces
diff --git a/etc/profile-a-l/default.profile b/etc/profile-a-l/default.profile
index 377c4e2e3..c071da4b7 100644
--- a/etc/profile-a-l/default.profile
+++ b/etc/profile-a-l/default.profile
@@ -9,54 +9,54 @@ include globals.local
 # depending on your usage, you can enable some of the commands below:
 include disable-common.inc
-# include disable-devel.inc
+#include disable-devel.inc
-# include disable-exec.inc
+#include disable-exec.inc
-# include disable-interpreters.inc
+#include disable-interpreters.inc
 include disable-programs.inc
-# include disable-shell.inc
+#include disable-shell.inc
-# include disable-write-mnt.inc
+#include disable-write-mnt.inc
-# include disable-xdg.inc
+#include disable-xdg.inc
-# include whitelist-common.inc
+#include whitelist-common.inc
-# include whitelist-runuser-common.inc
+#include whitelist-runuser-common.inc
-# include whitelist-usr-share-common.inc
+#include whitelist-usr-share-common.inc
-# include whitelist-var-common.inc
+#include whitelist-var-common.inc
-# apparmor
+#apparmor
 caps.drop all
-# ipc-namespace
+#ipc-namespace
-# machine-id
+#machine-id
-# net none
+#net none
 netfilter
-# no3d
+#no3d
-# nodvd
+#nodvd
-# nogroups
+#nogroups
 noinput
 nonewprivs
 noroot
-# nosound
+#nosound
 notv
-# nou2f
+#nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
-# tracelog
+#tracelog
-# disable-mnt
+#disable-mnt
-# private
+#private
-# private-bin program
+#private-bin program
-# private-cache
+#private-cache
 private-dev
 # see /usr/share/doc/firejail/profile.template for more common private-etc paths.
-# private-etc alternatives,fonts,machine-id
+#private-etc alternatives,fonts,machine-id
-# private-lib
+#private-lib
-# private-opt none
+#private-opt none
 private-tmp
-# dbus-user none
+#dbus-user none
-# dbus-system none
+#dbus-system none
-# deterministic-shutdown
+#deterministic-shutdown
-# memory-deny-write-execute
+#memory-deny-write-execute
-# read-only ${HOME}
+#read-only ${HOME}
 restrict-namespaces
diff --git a/etc/profile-a-l/deluge.profile b/etc/profile-a-l/deluge.profile
index ebc751e1a..b257f9a4c 100644
--- a/etc/profile-a-l/deluge.profile
+++ b/etc/profile-a-l/deluge.profile
@@ -13,7 +13,7 @@ include allow-python2.inc
 include allow-python3.inc
 include disable-common.inc
-# include disable-devel.inc
+#include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
 include disable-programs.inc
diff --git a/etc/profile-a-l/devhelp.profile b/etc/profile-a-l/devhelp.profile
index 066cdc8b0..7b5e692a0 100644
--- a/etc/profile-a-l/devhelp.profile
+++ b/etc/profile-a-l/devhelp.profile
@@ -23,7 +23,7 @@ include whitelist-usr-share-common.inc
 apparmor
 caps.drop all
-# net none - makes settings immutable
+#net none # makes settings immutable
 nodvd
 nogroups
 noinput
@@ -45,9 +45,9 @@ private-etc @tls-ca,@x11
 private-tmp
 # makes settings immutable
-# dbus-user none
+#dbus-user none
-# dbus-system none
+#dbus-system none
-#memory-deny-write-execute - breaks on Arch (see issue #1803)
+#memory-deny-write-execute # breaks on Arch (see issue #1803)
 read-only ${HOME}
 restrict-namespaces
diff --git a/etc/profile-a-l/dig.profile b/etc/profile-a-l/dig.profile
index 7c0fee9c3..781dfdcbc 100644
--- a/etc/profile-a-l/dig.profile
+++ b/etc/profile-a-l/dig.profile
@@ -14,13 +14,13 @@ blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}
 include disable-common.inc
-# include disable-devel.inc
+#include disable-devel.inc
 include disable-exec.inc
-# include disable-interpreters.inc
+#include disable-interpreters.inc
 include disable-programs.inc
 include disable-xdg.inc
-#mkfile ${HOME}/.digrc - see #903
+#mkfile ${HOME}/.digrc # see #903
 whitelist ${HOME}/.digrc
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/digikam.profile b/etc/profile-a-l/digikam.profile
index 05f0dfba8..34d4081d4 100644
--- a/etc/profile-a-l/digikam.profile
+++ b/etc/profile-a-l/digikam.profile
@@ -37,11 +37,13 @@ protocol unix,inet,inet6,netlink
 # QtWebengine needs chroot to set up its own sandbox
 seccomp !chroot
-# private-dev - prevents libdc1394 loading; this lib is used to connect to a camera device
+# private-dev prevents libdc1394 from loading; this lib is used to connect to a
-# private-etc alternatives,ca-certificates,crypto-policies,pki,ssl
+# camera device
+#private-dev
+#private-etc alternatives,ca-certificates,crypto-policies,pki,ssl
 private-tmp
-# dbus-user none
+#dbus-user none
-# dbus-system none
+#dbus-system none
-# restrict-namespaces
+#restrict-namespaces
diff --git a/etc/profile-a-l/dino.profile b/etc/profile-a-l/dino.profile
index fe2b59a1e..44a3f0846 100644
--- a/etc/profile-a-l/dino.profile
+++ b/etc/profile-a-l/dino.profile
@@ -40,7 +40,8 @@ tracelog
 disable-mnt
 private-bin dino
 private-dev
-# private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,ssl -- breaks server connection
+# breaks server connection
+#private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,ssl
 private-tmp
 dbus-user filter
diff --git a/etc/profile-a-l/display.profile b/etc/profile-a-l/display.profile
index bf77828be..40e19dfc3 100644
--- a/etc/profile-a-l/display.profile
+++ b/etc/profile-a-l/display.profile
@@ -34,7 +34,7 @@ notv
 nou2f
 protocol unix
 seccomp
-# x11 xorg - problems on kubuntu 17.04
+#x11 xorg # problems on kubuntu 17.04
 private-bin display,python*
 private-dev
diff --git a/etc/profile-a-l/dolphin-emu.profile b/etc/profile-a-l/dolphin-emu.profile
index 9743ebfbd..0ae09ce7e 100644
--- a/etc/profile-a-l/dolphin-emu.profile
+++ b/etc/profile-a-l/dolphin-emu.profile
@@ -36,7 +36,7 @@ apparmor
 caps.drop all
 ipc-namespace
 # Add the next line to your dolphin-emu.local if you do not need NetPlay support.
-# net none
+#net none
 netfilter
 # Add the next line to your dolphin-emu.local if you do not need disc support.
 #nodvd
diff --git a/etc/profile-a-l/drawio.profile b/etc/profile-a-l/drawio.profile
index 79366b8ee..c9daa939a 100644
--- a/etc/profile-a-l/drawio.profile
+++ b/etc/profile-a-l/drawio.profile
@@ -39,7 +39,7 @@ nou2f
 novideo
 protocol unix
 seccomp !chroot
-# tracelog - breaks on Arch
+#tracelog # breaks on Arch
 private-bin drawio
 private-cache
@@ -50,5 +50,5 @@ private-tmp
 dbus-user none
 dbus-system none
-# memory-deny-write-execute - breaks on Arch
+#memory-deny-write-execute # breaks on Arch
-# restrict-namespaces
+#restrict-namespaces
diff --git a/etc/profile-a-l/drill.profile b/etc/profile-a-l/drill.profile
index bea114dd6..63dfd6c0d 100644
--- a/etc/profile-a-l/drill.profile
+++ b/etc/profile-a-l/drill.profile
@@ -13,9 +13,9 @@ blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}
 include disable-common.inc
-# include disable-devel.inc
+#include disable-devel.inc
 include disable-exec.inc
-# include disable-interpreters.inc
+#include disable-interpreters.inc
 include disable-programs.inc
 include disable-xdg.inc
diff --git a/etc/profile-a-l/easystroke.profile b/etc/profile-a-l/easystroke.profile
index 40fd8be7c..3fd5578e6 100644
--- a/etc/profile-a-l/easystroke.profile
+++ b/etc/profile-a-l/easystroke.profile
@@ -49,8 +49,8 @@ private-etc
 #private-lib gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.so.*
 private-tmp
-# dbus-user none
+#dbus-user none
-# dbus-system none
+#dbus-system none
 memory-deny-write-execute
 restrict-namespaces
diff --git a/etc/profile-a-l/electrum.profile b/etc/profile-a-l/electrum.profile
index 48ce0aa22..d73ed9092 100644
--- a/etc/profile-a-l/electrum.profile
+++ b/etc/profile-a-l/electrum.profile
@@ -49,7 +49,7 @@ private-dev
 private-etc @tls-ca,@x11
 private-tmp
-# dbus-user none
+#dbus-user none
-# dbus-system none
+#dbus-system none
 restrict-namespaces
diff --git a/etc/profile-a-l/email-common.profile b/etc/profile-a-l/email-common.profile
index 8eee662ad..cffa85fd5 100644
--- a/etc/profile-a-l/email-common.profile
+++ b/etc/profile-a-l/email-common.profile
@@ -75,7 +75,7 @@ seccomp
 seccomp.block-secondary
 tracelog
-# disable-mnt
+#disable-mnt
 private-cache
 private-dev
 private-etc @tls-ca,@x11,bogofilter,bogofilter.cf,gnupg,hosts.conf,mailname,timezone
diff --git a/etc/profile-a-l/engrampa.profile b/etc/profile-a-l/engrampa.profile
index e1d107dc7..24e4f8a0e 100644
--- a/etc/profile-a-l/engrampa.profile
+++ b/etc/profile-a-l/engrampa.profile
@@ -35,9 +35,9 @@ seccomp
 seccomp.block-secondary
 tracelog
-# private-bin engrampa
+#private-bin engrampa
 private-dev
-# private-tmp
+#private-tmp
 dbus-user filter
 dbus-user.talk ca.desrt.dconf
diff --git a/etc/profile-a-l/enpass.profile b/etc/profile-a-l/enpass.profile
index 45a1125b4..93929c6ea 100644
--- a/etc/profile-a-l/enpass.profile
+++ b/etc/profile-a-l/enpass.profile
@@ -58,5 +58,5 @@ private-dev
 private-opt Enpass
 private-tmp
-#memory-deny-write-execute - breaks on Arch (see issue #1803)
+#memory-deny-write-execute # breaks on Arch (see issue #1803)
 restrict-namespaces
diff --git a/etc/profile-a-l/ephemeral.profile b/etc/profile-a-l/ephemeral.profile
index 8b32d08b1..795128418 100644
--- a/etc/profile-a-l/ephemeral.profile
+++ b/etc/profile-a-l/ephemeral.profile
@@ -59,7 +59,7 @@ private-cache
 private-tmp
 # breaks preferences
-# dbus-user none
+#dbus-user none
-# dbus-system none
+#dbus-system none
 restrict-namespaces
diff --git a/etc/profile-a-l/etr.profile b/etc/profile-a-l/etr.profile
index 5b9892af3..4789afee6 100644
--- a/etc/profile-a-l/etr.profile
+++ b/etc/profile-a-l/etr.profile
@@ -48,7 +48,7 @@ disable-mnt
 private-bin etr
 private-cache
 private-dev
-# private-etc alternatives,drirc,machine-id,openal,passwd
+#private-etc alternatives,drirc,machine-id,openal,passwd
 private-etc @games,@x11
 private-tmp
diff --git a/etc/profile-a-l/evince.profile b/etc/profile-a-l/evince.profile
index 75a3958ad..06a4a64b1 100644
--- a/etc/profile-a-l/evince.profile
+++ b/etc/profile-a-l/evince.profile
@@ -34,7 +34,7 @@ include whitelist-var-common.inc
 caps.drop all
 machine-id
-# net none - breaks AppArmor on Ubuntu systems
+#net none # breaks AppArmor on Ubuntu systems
 netfilter
 no3d
 nodvd
diff --git a/etc/profile-a-l/falkon.profile b/etc/profile-a-l/falkon.profile
index d805766eb..2a30d2e23 100644
--- a/etc/profile-a-l/falkon.profile
+++ b/etc/profile-a-l/falkon.profile
@@ -41,17 +41,17 @@ nou2f
 protocol unix,inet,inet6,netlink
 # blacklisting of chroot system calls breaks falkon
 seccomp !chroot
-# tracelog
+#tracelog
 disable-mnt
-# private-bin falkon
+#private-bin falkon
 private-cache
 private-dev
 private-etc @tls-ca,@x11,adobe,mailcap,mime.types
 private-tmp
-# dbus-user filter
+#dbus-user filter
-# dbus-user.own org.kde.Falkon
+#dbus-user.own org.kde.Falkon
 dbus-system none
-# restrict-namespaces
+#restrict-namespaces
diff --git a/etc/profile-a-l/fdns.profile b/etc/profile-a-l/fdns.profile
index fe7f88a75..e9d5709ec 100644
--- a/etc/profile-a-l/fdns.profile
+++ b/etc/profile-a-l/fdns.profile
@@ -24,7 +24,7 @@ include disable-xdg.inc
 apparmor /usr/bin/fdns
 caps.keep kill,net_bind_service,setgid,setuid,sys_admin,sys_chroot
 ipc-namespace
-# netfilter /etc/firejail/webserver.net
+#netfilter /etc/firejail/webserver.net
 no3d
 nodvd
 nogroups
@@ -43,7 +43,7 @@ private-bin bash,fdns,sh
 private-cache
 #private-dev
 private-etc @tls-ca,fdns
-# private-lib
+#private-lib
 private-tmp
 memory-deny-write-execute
diff --git a/etc/profile-a-l/feedreader.profile b/etc/profile-a-l/feedreader.profile
index 6aa24cc86..7b205a917 100644
--- a/etc/profile-a-l/feedreader.profile
+++ b/etc/profile-a-l/feedreader.profile
@@ -29,13 +29,13 @@ include whitelist-var-common.inc
 caps.drop all
 netfilter
-# no3d
+#no3d
 nodvd
 nogroups
 noinput
 nonewprivs
 noroot
-# nosound
+#nosound
 notv
 nou2f
 novideo
diff --git a/etc/profile-a-l/ferdi.profile b/etc/profile-a-l/ferdi.profile
index 3a044542f..27920620a 100644
--- a/etc/profile-a-l/ferdi.profile
+++ b/etc/profile-a-l/ferdi.profile
@@ -45,4 +45,4 @@ disable-mnt
 private-dev
 private-tmp
-# restrict-namespaces
+#restrict-namespaces
diff --git a/etc/profile-a-l/ffmpeg.profile b/etc/profile-a-l/ffmpeg.profile
index b7d54f05d..af9d556db 100644
--- a/etc/profile-a-l/ffmpeg.profile
+++ b/etc/profile-a-l/ffmpeg.profile
@@ -53,5 +53,5 @@ private-tmp
 dbus-user none
 dbus-system none
-# memory-deny-write-execute - it breaks old versions of ffmpeg
+#memory-deny-write-execute # it breaks old versions of ffmpeg
 restrict-namespaces
diff --git a/etc/profile-a-l/file-roller.profile b/etc/profile-a-l/file-roller.profile
index 78e2751b3..b32f7595c 100644
--- a/etc/profile-a-l/file-roller.profile
+++ b/etc/profile-a-l/file-roller.profile
@@ -22,7 +22,7 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 machine-id
-# net none - breaks on older Ubuntu versions
+#net none # breaks on older Ubuntu versions
 netfilter
 no3d
 nodvd
@@ -44,7 +44,7 @@ private-bin 7z,7za,7zr,ar,arj,atool,bash,brotli,bsdtar,bzip2,compress,cp,cpio,dp
 private-cache
 private-dev
 private-etc @x11
-# private-tmp
+#private-tmp
 dbus-user filter
 dbus-user.own org.gnome.ArchiveManager1
diff --git a/etc/profile-a-l/font-manager.profile b/etc/profile-a-l/font-manager.profile
index 88ae56c82..5b9603243 100644
--- a/etc/profile-a-l/font-manager.profile
+++ b/etc/profile-a-l/font-manager.profile
@@ -33,7 +33,7 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 machine-id
-# net none - issues on older versions
+#net none # issues on older versions
 no3d
 nodvd
 nogroups
@@ -53,5 +53,5 @@ private-bin font-manager,python*,yelp
 private-dev
 private-tmp
-#memory-deny-write-execute - breaks on Arch (see issue #1803)
+#memory-deny-write-execute # breaks on Arch (see issue #1803)
 restrict-namespaces
diff --git a/etc/profile-a-l/franz.profile b/etc/profile-a-l/franz.profile
index e21789d73..664773b77 100644
--- a/etc/profile-a-l/franz.profile
+++ b/etc/profile-a-l/franz.profile
@@ -45,4 +45,4 @@ disable-mnt
 private-dev
 private-tmp
-# restrict-namespaces
+#restrict-namespaces
diff --git a/etc/profile-a-l/frozen-bubble.profile b/etc/profile-a-l/frozen-bubble.profile
index f162a4a31..98f473654 100644
--- a/etc/profile-a-l/frozen-bubble.profile
+++ b/etc/profile-a-l/frozen-bubble.profile
@@ -41,7 +41,7 @@ seccomp
 tracelog
 disable-mnt
-# private-bin frozen-bubble
+#private-bin frozen-bubble
 private-dev
 private-etc @games,@x11
 private-tmp
diff --git a/etc/profile-a-l/funnyboat.profile b/etc/profile-a-l/funnyboat.profile
index 8ca349d1c..bd790cab4 100644
--- a/etc/profile-a-l/funnyboat.profile
+++ b/etc/profile-a-l/funnyboat.profile
@@ -16,7 +16,7 @@ include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
 include disable-programs.inc
-# include disable-shell.inc
+#include disable-shell.inc
 include disable-xdg.inc
 mkdir ${HOME}/.funnyboat
@@ -41,7 +41,7 @@ notv
 novideo
 protocol unix,inet,inet6
 seccomp
-# tracelog
+#tracelog
 disable-mnt
 private-cache
diff --git a/etc/profile-a-l/galculator.profile b/etc/profile-a-l/galculator.profile
index 44d62cc86..aa1b96c41 100644
--- a/etc/profile-a-l/galculator.profile
+++ b/etc/profile-a-l/galculator.profile
@@ -48,5 +48,5 @@ private-tmp
 dbus-user none
 dbus-system none
-#memory-deny-write-execute - breaks on Arch (see issue #1803)
+#memory-deny-write-execute # breaks on Arch (see issue #1803)
 restrict-namespaces
diff --git a/etc/profile-a-l/geary.profile b/etc/profile-a-l/geary.profile
index ba0837780..da240c36a 100644
--- a/etc/profile-a-l/geary.profile
+++ b/etc/profile-a-l/geary.profile
@@ -53,7 +53,7 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
-#ipc-namespace - may cause issues with X11
+#ipc-namespace # may cause issues with X11
 #machine-id
 netfilter
 no3d
@@ -71,7 +71,7 @@ seccomp
 seccomp.block-secondary
 tracelog
-# disable-mnt
+#disable-mnt
 #private-bin geary,sh
 private-cache
 private-dev
diff --git a/etc/profile-a-l/gedit.profile b/etc/profile-a-l/gedit.profile
index dbb3ab971..bc265a509 100644
--- a/etc/profile-a-l/gedit.profile
+++ b/etc/profile-a-l/gedit.profile
@@ -13,18 +13,18 @@ noblacklist ${HOME}/.config/gedit
 include allow-common-devel.inc
 include disable-common.inc
-# include disable-devel.inc
+#include disable-devel.inc
 include disable-exec.inc
-# include disable-interpreters.inc
+#include disable-interpreters.inc
 include disable-programs.inc
 include whitelist-runuser-common.inc
 include whitelist-var-common.inc
-# apparmor - makes settings immutable
+#apparmor # makes settings immutable
 caps.drop all
 machine-id
-# net none - makes settings immutable
+#net none # makes settings immutable
 no3d
 nodvd
 nogroups
@@ -40,14 +40,14 @@ seccomp
 seccomp.block-secondary
 tracelog
-# private-bin gedit
+#private-bin gedit
 private-dev
 # private-lib breaks python plugins - add the next line to your gedit.local if you don't use them.
 #private-lib aspell,gconv,gedit,libgspell-1.so.*,libgtksourceview-*,libpeas-gtk-1.0.so.*,libreadline.so.*,libtinfo.so.*
 private-tmp
 # makes settings immutable
-# dbus-user none
+#dbus-user none
-# dbus-system none
+#dbus-system none
 restrict-namespaces
diff --git a/etc/profile-a-l/geekbench.profile b/etc/profile-a-l/geekbench.profile
index e8d4c013f..387ec615f 100644
--- a/etc/profile-a-l/geekbench.profile
+++ b/etc/profile-a-l/geekbench.profile
@@ -43,7 +43,7 @@ seccomp
 tracelog
 disable-mnt
-#private-bin bash,geekbench*,sh -- #4576
+#private-bin bash,geekbench*,sh # #4576
 private-cache
 private-dev
 private-etc lsb-release
diff --git a/etc/profile-a-l/geeqie.profile b/etc/profile-a-l/geeqie.profile
index f81a49e4f..6cd28f25d 100644
--- a/etc/profile-a-l/geeqie.profile
+++ b/etc/profile-a-l/geeqie.profile
@@ -32,7 +32,7 @@ novideo
 protocol unix,inet,inet6
 seccomp
-# private-bin geeqie
+#private-bin geeqie
 private-dev
 restrict-namespaces
diff --git a/etc/profile-a-l/gfeeds.profile b/etc/profile-a-l/gfeeds.profile
index 1c97ad21c..007658138 100644
--- a/etc/profile-a-l/gfeeds.profile
+++ b/etc/profile-a-l/gfeeds.profile
@@ -58,7 +58,7 @@ tracelog
 disable-mnt
 private-bin gfeeds,python3*
-# private-cache -- feeds are stored in ~/.cache
+#private-cache # feeds are stored in ~/.cache
 private-dev
 private-etc @tls-ca,@x11,dbus-1,gconf,host.conf,mime.types,rpc,services
 private-tmp
diff --git a/etc/profile-a-l/ghostwriter.profile b/etc/profile-a-l/ghostwriter.profile
index dabf0dd7f..2023ca9f0 100644
--- a/etc/profile-a-l/ghostwriter.profile
+++ b/etc/profile-a-l/ghostwriter.profile
@@ -45,7 +45,7 @@ novideo
 protocol unix,inet,inet6,netlink
 seccomp !chroot
 seccomp.block-secondary
-#tracelog -- breaks
+#tracelog # breaks
 private-bin context,gettext,ghostwriter,latex,mktexfmt,pandoc,pdflatex,pdfroff,prince,weasyprint,wkhtmltopdf
 private-cache
diff --git a/etc/profile-a-l/github-desktop.profile b/etc/profile-a-l/github-desktop.profile
index ced1aa190..88134b363 100644
--- a/etc/profile-a-l/github-desktop.profile
+++ b/etc/profile-a-l/github-desktop.profile
@@ -29,14 +29,14 @@ noblacklist ${HOME}/.config/git
 noblacklist ${HOME}/.gitconfig
 noblacklist ${HOME}/.git-credentials
-# no3d
+#no3d
 nosound
-# private-bin github-desktop
+#private-bin github-desktop
 ?HAS_APPIMAGE: ignore private-dev
-# private-lib
+#private-lib
-# memory-deny-write-execute
+#memory-deny-write-execute
 # Redirect
 include electron-common.profile
diff --git a/etc/profile-a-l/gjs.profile b/etc/profile-a-l/gjs.profile
index bd332a6d5..cad261365 100644
--- a/etc/profile-a-l/gjs.profile
+++ b/etc/profile-a-l/gjs.profile
@@ -38,9 +38,9 @@ protocol unix,inet,inet6
 seccomp
 tracelog
-# private-bin gjs,gnome-books,gnome-documents,gnome-maps,gnome-photos,gnome-weather
+#private-bin gjs,gnome-books,gnome-documents,gnome-maps,gnome-photos,gnome-weather
 private-dev
-# private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,ssl
+#private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,ssl
 private-tmp
 restrict-namespaces
diff --git a/etc/profile-a-l/gmpc.profile b/etc/profile-a-l/gmpc.profile
index 8c20f7398..4d4a0d50e 100644
--- a/etc/profile-a-l/gmpc.profile
+++ b/etc/profile-a-l/gmpc.profile
@@ -51,5 +51,5 @@ dbus-user filter
 dbus-user.talk org.mpris.MediaPlayer2.mpd
 dbus-system none
-# memory-deny-write-execute - breaks on Arch
+#memory-deny-write-execute # breaks on Arch
 restrict-namespaces
diff --git a/etc/profile-a-l/gnome-books.profile b/etc/profile-a-l/gnome-books.profile
index 812923b2d..962b8b30f 100644
--- a/etc/profile-a-l/gnome-books.profile
+++ b/etc/profile-a-l/gnome-books.profile
@@ -39,7 +39,7 @@ protocol unix
 seccomp
 tracelog
-# private-bin gjs,gnome-books
+#private-bin gjs,gnome-books
 private-dev
 private-tmp
diff --git a/etc/profile-a-l/gnome-calculator.profile b/etc/profile-a-l/gnome-calculator.profile
index e5c6022e8..40f799693 100644
--- a/etc/profile-a-l/gnome-calculator.profile
+++ b/etc/profile-a-l/gnome-calculator.profile
@@ -24,7 +24,7 @@ apparmor
 caps.drop all
 ipc-namespace
 machine-id
-#net none -- breaks currency conversion
+#net none # breaks currency conversion
 netfilter
 no3d
 nodvd
diff --git a/etc/profile-a-l/gnome-characters.profile b/etc/profile-a-l/gnome-characters.profile
index 9e9730e53..9f592722c 100644
--- a/etc/profile-a-l/gnome-characters.profile
+++ b/etc/profile-a-l/gnome-characters.profile
@@ -52,8 +52,8 @@ private-etc @x11,gconf,mime.types
 private-tmp
 # Add the next lines to your gnome-characters.local if you don't need access to recently used chars.
-# dbus-user none
+#dbus-user none
-# dbus-system none
+#dbus-system none
 read-only ${HOME}
 restrict-namespaces
diff --git a/etc/profile-a-l/gnome-contacts.profile b/etc/profile-a-l/gnome-contacts.profile
index 2326115c3..25a906c69 100644
--- a/etc/profile-a-l/gnome-contacts.profile
+++ b/etc/profile-a-l/gnome-contacts.profile
@@ -21,7 +21,7 @@ include whitelist-var-common.inc
 caps.drop all
 netfilter
-#no3d - breaks on Arch
+#no3d # breaks on Arch
 nodvd
 noinput
 nonewprivs
diff --git a/etc/profile-a-l/gnome-keyring.profile b/etc/profile-a-l/gnome-keyring.profile
index 45b6fd880..aa0a7f4cc 100644
--- a/etc/profile-a-l/gnome-keyring.profile
+++ b/etc/profile-a-l/gnome-keyring.profile
@@ -55,7 +55,7 @@ private-dev
 #private-lib alternatives,gnome-keyring,libsecret-1.so.*,pkcs11,security
 private-tmp
-# dbus-user none
+#dbus-user none
 dbus-system none
 memory-deny-write-execute
diff --git a/etc/profile-a-l/gnome-maps.profile b/etc/profile-a-l/gnome-maps.profile
index 17f52e588..40c264c86 100644
--- a/etc/profile-a-l/gnome-maps.profile
+++ b/etc/profile-a-l/gnome-maps.profile
@@ -61,7 +61,7 @@ tracelog
 disable-mnt
 private-bin gjs,gnome-maps
-# private-cache -- gnome-maps cache all maps/satelite-images
+#private-cache # gnome-maps cache all maps/satelite-images
 private-dev
 private-etc @tls-ca,@x11,clutter-1.0,gconf,host.conf,mime.types,pkcs11,rpc,services
 private-tmp
diff --git a/etc/profile-a-l/gnome-mplayer.profile b/etc/profile-a-l/gnome-mplayer.profile
index 052e9ba9c..5315cbec6 100644
--- a/etc/profile-a-l/gnome-mplayer.profile
+++ b/etc/profile-a-l/gnome-mplayer.profile
@@ -26,7 +26,7 @@ nou2f
 protocol unix,inet,inet6
 seccomp
-# private-bin gnome-mplayer,mplayer
+#private-bin gnome-mplayer,mplayer
 private-cache
 private-dev
 private-tmp
diff --git a/etc/profile-a-l/gnome-nettool.profile b/etc/profile-a-l/gnome-nettool.profile
index 7a9a0e336..7a8338cd7 100644
--- a/etc/profile-a-l/gnome-nettool.profile
+++ b/etc/profile-a-l/gnome-nettool.profile
@@ -14,7 +14,7 @@ include disable-programs.inc
 include disable-xdg.inc
 whitelist /usr/share/gnome-nettool
-#include whitelist-common.inc -- see #903
+#include whitelist-common.inc # see #903
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/gnome-photos.profile b/etc/profile-a-l/gnome-photos.profile
index 1d0291aa2..4d2a3913f 100644
--- a/etc/profile-a-l/gnome-photos.profile
+++ b/etc/profile-a-l/gnome-photos.profile
@@ -36,7 +36,7 @@ seccomp
 seccomp.block-secondary
 tracelog
-# private-bin gjs,gnome-photos
+#private-bin gjs,gnome-photos
 private-dev
 private-tmp
diff --git a/etc/profile-a-l/gnome-pie.profile b/etc/profile-a-l/gnome-pie.profile
index ac0fb555d..dff6032d1 100644
--- a/etc/profile-a-l/gnome-pie.profile
+++ b/etc/profile-a-l/gnome-pie.profile
@@ -16,7 +16,7 @@ include disable-exec.inc
 caps.drop all
 ipc-namespace
-# net none - breaks dbus
+#net none # breaks dbus
 no3d
 nodvd
 nogroups
diff --git a/etc/profile-a-l/gnome-ring.profile b/etc/profile-a-l/gnome-ring.profile
index 8f2ab7fd6..898cdf1f8 100644
--- a/etc/profile-a-l/gnome-ring.profile
+++ b/etc/profile-a-l/gnome-ring.profile
@@ -27,7 +27,7 @@ protocol unix,inet,inet6,netlink
 seccomp
 disable-mnt
-# private-dev
+#private-dev
 private-tmp
 restrict-namespaces
diff --git a/etc/profile-a-l/gnome-schedule.profile b/etc/profile-a-l/gnome-schedule.profile
index b71d77621..33f22136e 100644
--- a/etc/profile-a-l/gnome-schedule.profile
+++ b/etc/profile-a-l/gnome-schedule.profile
@@ -46,7 +46,7 @@ apparmor
 caps.keep chown,dac_override,setgid,setuid
 ipc-namespace
 machine-id
-#net none - breaks on Ubuntu
+#net none # breaks on Ubuntu
 no3d
 nodvd
 nogroups
diff --git a/etc/profile-a-l/gnome-system-log.profile b/etc/profile-a-l/gnome-system-log.profile
index f4e985342..b3bc7499c 100644
--- a/etc/profile-a-l/gnome-system-log.profile
+++ b/etc/profile-a-l/gnome-system-log.profile
@@ -22,7 +22,7 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 ipc-namespace
-# net none - breaks dbus
+#net none # breaks dbus
 no3d
 nodvd
 # When using 'volatile' storage (https://www.freedesktop.org/software/systemd/man/journald.conf.html),
@@ -47,8 +47,8 @@ private-lib
 private-tmp
 writable-var-log
-# dbus-user none
+#dbus-user none
-# dbus-system none
+#dbus-system none
 memory-deny-write-execute
 # Add 'ignore read-only ${HOME}' to your gnome-system-log.local if you export logs to a file under your ${HOME}.
diff --git a/etc/profile-a-l/gnome-weather.profile b/etc/profile-a-l/gnome-weather.profile
index 147b84a19..8637f5019 100644
--- a/etc/profile-a-l/gnome-weather.profile
+++ b/etc/profile-a-l/gnome-weather.profile
@@ -41,9 +41,9 @@ seccomp.block-secondary
 tracelog
 disable-mnt
-# private-bin gjs,gnome-weather
+#private-bin gjs,gnome-weather
 private-dev
-# private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,ssl
+#private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,ssl
 private-tmp
 restrict-namespaces
diff --git a/etc/profile-a-l/godot.profile b/etc/profile-a-l/godot.profile
index 5e41384ab..96bbffc41 100644
--- a/etc/profile-a-l/godot.profile
+++ b/etc/profile-a-l/godot.profile
@@ -34,7 +34,7 @@ seccomp
 tracelog
-# private-bin godot
+#private-bin godot
 private-cache
 private-dev
 private-etc @games,@tls-ca,@x11,mono
diff --git a/etc/profile-a-l/goobox.profile b/etc/profile-a-l/goobox.profile
index 8807a239d..96b72230d 100644
--- a/etc/profile-a-l/goobox.profile
+++ b/etc/profile-a-l/goobox.profile
@@ -28,9 +28,9 @@ protocol unix,inet,inet6
 seccomp
 tracelog
-# private-bin goobox
+#private-bin goobox
 private-dev
-# private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,machine-id,pki,pulse,ssl
+#private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,machine-id,pki,pulse,ssl
-# private-tmp
+#private-tmp
 restrict-namespaces
diff --git a/etc/profile-a-l/google-play-music-desktop-player.profile b/etc/profile-a-l/google-play-music-desktop-player.profile
index c2a7d89fd..1218631d8 100644
--- a/etc/profile-a-l/google-play-music-desktop-player.profile
+++ b/etc/profile-a-l/google-play-music-desktop-player.profile
@@ -17,8 +17,8 @@ include disable-interpreters.inc
 include disable-programs.inc
 mkdir ${HOME}/.config/Google Play Music Desktop Player
-# whitelist ${HOME}/.config/pulse
+#whitelist ${HOME}/.config/pulse
-# whitelist ${HOME}/.pulse
+#whitelist ${HOME}/.pulse
 whitelist ${HOME}/.config/Google Play Music Desktop Player
 include whitelist-common.inc
diff --git a/etc/profile-a-l/gpa.profile b/etc/profile-a-l/gpa.profile
index e05cdf424..25498d89e 100644
--- a/etc/profile-a-l/gpa.profile
+++ b/etc/profile-a-l/gpa.profile
@@ -28,7 +28,7 @@ protocol unix,inet,inet6
 seccomp
 tracelog
-# private-bin gpa,gpg
+#private-bin gpa,gpg
 private-dev
 restrict-namespaces
diff --git a/etc/profile-a-l/gpg-agent.profile b/etc/profile-a-l/gpg-agent.profile
index f4cd85e3a..3b623a338 100644
--- a/etc/profile-a-l/gpg-agent.profile
+++ b/etc/profile-a-l/gpg-agent.profile
@@ -46,7 +46,7 @@ protocol unix,inet,inet6
 seccomp
 tracelog
-# private-bin gpg-agent
+#private-bin gpg-agent
 private-cache
 private-dev
diff --git a/etc/profile-a-l/gpg.profile b/etc/profile-a-l/gpg.profile
index 60690852a..bf4a1c60b 100644
--- a/etc/profile-a-l/gpg.profile
+++ b/etc/profile-a-l/gpg.profile
@@ -42,7 +42,7 @@ protocol unix,inet,inet6
 seccomp
 tracelog
-# private-bin gpg
+#private-bin gpg
 private-cache
 private-dev
diff --git a/etc/profile-a-l/gpg2.profile b/etc/profile-a-l/gpg2.profile
index b831b0f62..a9d928f17 100644
--- a/etc/profile-a-l/gpg2.profile
+++ b/etc/profile-a-l/gpg2.profile
@@ -7,7 +7,7 @@ include gpg2.local
 # added by included profile
 #include globals.local
-# private-bin gpg2
+#private-bin gpg2
 # Redirect
 include gpg.profile
diff --git a/etc/profile-a-l/gucharmap.profile b/etc/profile-a-l/gucharmap.profile
index ef4aad4da..93db304da 100644
--- a/etc/profile-a-l/gucharmap.profile
+++ b/etc/profile-a-l/gucharmap.profile
@@ -22,7 +22,7 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 machine-id
-#net none - breaks dbus
+#net none # breaks dbus
 no3d
 nodvd
 nogroups
@@ -47,8 +47,8 @@ private-lib
 private-tmp
 # breaks state saving
-# dbus-user none
+#dbus-user none
-# dbus-system none
+#dbus-system none
 read-only ${HOME}
 restrict-namespaces
diff --git a/etc/profile-a-l/gwenview.profile b/etc/profile-a-l/gwenview.profile
index 4be71f6d3..889eac07a 100644
--- a/etc/profile-a-l/gwenview.profile
+++ b/etc/profile-a-l/gwenview.profile
@@ -30,7 +30,7 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
-# net none
+#net none
 netfilter
 nodvd
 nogroups
@@ -42,14 +42,14 @@ nou2f
 novideo
 protocol unix
 seccomp
-# tracelog
+#tracelog
 private-bin gimp*,gwenview,kbuildsycoca4,kdeinit4
 private-dev
 private-etc @x11,gimp
-# dbus-user none
+#dbus-user none
-# dbus-system none
+#dbus-system none
-# memory-deny-write-execute
+#memory-deny-write-execute
 restrict-namespaces
diff --git a/etc/profile-a-l/hexchat.profile b/etc/profile-a-l/hexchat.profile
index df7f8f3a3..def7bf25f 100644
--- a/etc/profile-a-l/hexchat.profile
+++ b/etc/profile-a-l/hexchat.profile
@@ -32,7 +32,7 @@ include whitelist-common.inc
 include whitelist-var-common.inc
 caps.drop all
-#machine-id -- breaks sound
+#machine-id # breaks sound
 netfilter
 no3d
 nodvd
@@ -51,8 +51,8 @@ disable-mnt
 # debug note: private-bin requires perl, python, etc on some systems
 private-bin hexchat,python*,sh
 private-dev
-#private-lib - python problems
+#private-lib # python problems
 private-tmp
-# memory-deny-write-execute - breaks python
+#memory-deny-write-execute # breaks python
 restrict-namespaces
diff --git a/etc/profile-a-l/homebank.profile b/etc/profile-a-l/homebank.profile
index ccbb66333..d36cf0f46 100644
--- a/etc/profile-a-l/homebank.profile
+++ b/etc/profile-a-l/homebank.profile
@@ -28,7 +28,7 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 machine-id
-# net none
+#net none
 netfilter
 nodvd
 no3d
@@ -55,5 +55,5 @@ private-tmp
 dbus-user none
 dbus-system none
-# memory-deny-write-execute
+#memory-deny-write-execute
 restrict-namespaces
diff --git a/etc/profile-a-l/iagno.profile b/etc/profile-a-l/iagno.profile
index 82cba7887..47c341333 100644
--- a/etc/profile-a-l/iagno.profile
+++ b/etc/profile-a-l/iagno.profile
@@ -43,7 +43,7 @@ private-dev
 private-etc @x11,gconf
 private-tmp
-# dbus-user none
+#dbus-user none
-# dbus-system none
+#dbus-system none
 restrict-namespaces
diff --git a/etc/profile-a-l/idea.sh.profile b/etc/profile-a-l/idea.sh.profile
index 31f65962f..2b4c68a4d 100644
--- a/etc/profile-a-l/idea.sh.profile
+++ b/etc/profile-a-l/idea.sh.profile
@@ -36,7 +36,7 @@ seccomp
 private-cache
 private-dev
-# private-tmp
+#private-tmp
 noexec /tmp
 restrict-namespaces
diff --git a/etc/profile-a-l/img2txt.profile b/etc/profile-a-l/img2txt.profile
index ee341423a..8091a4c9e 100644
--- a/etc/profile-a-l/img2txt.profile
+++ b/etc/profile-a-l/img2txt.profile
@@ -41,7 +41,7 @@ seccomp
 tracelog
 x11 none
-# private-bin img2txt
+#private-bin img2txt
 private-cache
 private-dev
 private-tmp
diff --git a/etc/profile-a-l/inkscape.profile b/etc/profile-a-l/inkscape.profile
index c4fc16c87..ced7a285f 100644
--- a/etc/profile-a-l/inkscape.profile
+++ b/etc/profile-a-l/inkscape.profile
@@ -61,7 +61,7 @@ protocol unix
 seccomp
 tracelog
-# private-bin inkscape,potrace,python* - problems on Debian stretch
+#private-bin inkscape,potrace,python* # problems on Debian stretch
 private-cache
 private-dev
 private-etc @x11,ImageMagick*,python*
diff --git a/etc/profile-a-l/ipcalc.profile b/etc/profile-a-l/ipcalc.profile
index e73ca44a8..369519947 100644
--- a/etc/profile-a-l/ipcalc.profile
+++ b/etc/profile-a-l/ipcalc.profile
@@ -14,7 +14,7 @@ include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
 include disable-programs.inc
-# include disable-shell.inc
+#include disable-shell.inc
 include disable-write-mnt.inc
 include disable-xdg.inc
@@ -26,7 +26,7 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 ipc-namespace
-# machine-id
+#machine-id
 net none
 netfilter
 no3d
@@ -39,14 +39,14 @@ nosound
 notv
 nou2f
 novideo
-# protocol unix
+#protocol unix
 seccomp
-# tracelog
+#tracelog
 disable-mnt
 private
 private-bin bash,ipcalc,ipcalc-ng,perl,sh
-# private-cache
+#private-cache
 private-dev
 # empty etc directory
 private-etc
@@ -57,6 +57,6 @@ private-tmp
 dbus-user none
 dbus-system none
-# memory-deny-write-execute
+#memory-deny-write-execute
-# read-only ${HOME}
+#read-only ${HOME}
 restrict-namespaces
diff --git a/etc/profile-a-l/k3b.profile b/etc/profile-a-l/k3b.profile
index 81d4f3458..9fb609151 100644
--- a/etc/profile-a-l/k3b.profile
+++ b/etc/profile-a-l/k3b.profile
@@ -21,19 +21,19 @@ include disable-xdg.inc
 include whitelist-var-common.inc
 caps.keep chown,dac_override,ipc_lock,net_bind_service,sys_admin,sys_nice,sys_rawio,sys_resource
-# net none
+#net none
 netfilter
 no3d
-# nonewprivs - breaks privileged helpers
+#nonewprivs # breaks privileged helpers
 noinput
-# noroot - breaks privileged helpers
+#noroot # breaks privileged helpers
 nosound
 notv
 novideo
-# protocol unix - breaks privileged helpers
+#protocol unix # breaks privileged helpers
-# seccomp - breaks privileged helpers
+#seccomp # breaks privileged helpers
 private-dev
-# private-tmp
+#private-tmp
-# restrict-namespaces - breaks privileged helpers
+#restrict-namespaces # breaks privileged helpers
diff --git a/etc/profile-a-l/kaffeine.profile b/etc/profile-a-l/kaffeine.profile
index 73417bf11..b84d144bd 100644
--- a/etc/profile-a-l/kaffeine.profile
+++ b/etc/profile-a-l/kaffeine.profile
@@ -36,7 +36,7 @@ novideo
 protocol unix,inet,inet6
 seccomp
-# private-bin kaffeine
+#private-bin kaffeine
 private-dev
 private-tmp
diff --git a/etc/profile-a-l/kalgebra.profile b/etc/profile-a-l/kalgebra.profile
index a4e67cf6b..359c02b38 100644
--- a/etc/profile-a-l/kalgebra.profile
+++ b/etc/profile-a-l/kalgebra.profile
@@ -35,7 +35,7 @@ nou2f
 novideo
 protocol unix,netlink
 seccomp !chroot
-# tracelog
+#tracelog
 disable-mnt
 private-bin kalgebra,kalgebramobile
@@ -47,4 +47,4 @@ private-tmp
 dbus-user none
 dbus-system none
-# restrict-namespaces
+#restrict-namespaces
diff --git a/etc/profile-a-l/kate.profile b/etc/profile-a-l/kate.profile
index 152f73d5d..f141a25e1 100644
--- a/etc/profile-a-l/kate.profile
+++ b/etc/profile-a-l/kate.profile
@@ -28,17 +28,17 @@ noblacklist ${HOME}/.local/share/kxmlgui5/katesearch
 include allow-common-devel.inc
 include disable-common.inc
-# include disable-devel.inc
+#include disable-devel.inc
 include disable-exec.inc
-# include disable-interpreters.inc
+#include disable-interpreters.inc
 include disable-programs.inc
 include whitelist-run-common.inc
 include whitelist-var-common.inc
-# apparmor
+#apparmor
 caps.drop all
-# net none
+#net none
 netfilter
 nodvd
 nogroups
@@ -52,13 +52,13 @@ novideo
 protocol unix
 seccomp
-# private-bin kate,kbuildsycoca4,kdeinit4
+#private-bin kate,kbuildsycoca4,kdeinit4
 private-dev
-# private-etc alternatives,fonts,kde4rc,kde5rc,ld.so.cache,machine-id,xdg
+#private-etc alternatives,fonts,kde4rc,kde5rc,ld.so.cache,machine-id,xdg
 private-tmp
-# dbus-user none
+#dbus-user none
-# dbus-system none
+#dbus-system none
 restrict-namespaces
 join-or-start kate
diff --git a/etc/profile-a-l/kazam.profile b/etc/profile-a-l/kazam.profile
index 70414eeea..5a19d2f50 100644
--- a/etc/profile-a-l/kazam.profile
+++ b/etc/profile-a-l/kazam.profile
@@ -45,7 +45,7 @@ seccomp
 tracelog
 disable-mnt
-# private-bin kazam,python*
+#private-bin kazam,python*
 private-cache
 private-dev
 private-etc @x11
diff --git a/etc/profile-a-l/kcalc.profile b/etc/profile-a-l/kcalc.profile
index cfb756c43..9f10039df 100644
--- a/etc/profile-a-l/kcalc.profile
+++ b/etc/profile-a-l/kcalc.profile
@@ -60,7 +60,7 @@ private-bin kcalc
 private-cache
 private-dev
 private-etc
-# private-lib - problems on Arch
+#private-lib # problems on Arch
 private-tmp
 dbus-user none
diff --git a/etc/profile-a-l/kdeinit4.profile b/etc/profile-a-l/kdeinit4.profile
index 2f426e191..dce189c59 100644
--- a/etc/profile-a-l/kdeinit4.profile
+++ b/etc/profile-a-l/kdeinit4.profile
@@ -22,7 +22,7 @@ no3d
 nogroups
 noinput
 nonewprivs
-# nosound - disabled for knotify
+#nosound # disabled for knotify
 noroot
 nou2f
 novideo
diff --git a/etc/profile-a-l/kdenlive.profile b/etc/profile-a-l/kdenlive.profile
index d4933d816..717bfa8d6 100644
--- a/etc/profile-a-l/kdenlive.profile
+++ b/etc/profile-a-l/kdenlive.profile
@@ -21,7 +21,7 @@ include disable-programs.inc
 apparmor
 caps.drop all
-# net none
+#net none
 nodvd
 nogroups
 noinput
@@ -34,9 +34,9 @@ seccomp
 private-bin dbus-launch,dvdauthor,ffmpeg,ffplay,ffprobe,genisoimage,kdeinit4,kdeinit4_shutdown,kdeinit4_wrapper,kdeinit5,kdeinit5_shutdown,kdeinit5_wrapper,kdenlive,kdenlive_render,kshell4,kshell5,melt,mlt-melt,vlc,xine
 private-dev
-# private-etc alternatives,fonts,kde4rc,kde5rc,ld.so.cache,machine-id,passwd,pulse,X11,xdg
+#private-etc alternatives,fonts,kde4rc,kde5rc,ld.so.cache,machine-id,passwd,pulse,X11,xdg
-# dbus-user none
+#dbus-user none
-# dbus-system none
+#dbus-system none
 restrict-namespaces
diff --git a/etc/profile-a-l/kfind.profile b/etc/profile-a-l/kfind.profile
index c70030a38..115f785eb 100644
--- a/etc/profile-a-l/kfind.profile
+++ b/etc/profile-a-l/kfind.profile
@@ -9,21 +9,21 @@ include globals.local
 # searching in blacklisted or masked paths fails silently
 # adjust filesystem restrictions as necessary
-# noblacklist ${HOME}/.cache/kfind - disable-programs.inc is disabled, see below
+#noblacklist ${HOME}/.cache/kfind # disable-programs.inc is disabled, see below
-# noblacklist ${HOME}/.config/kfindrc
+#noblacklist ${HOME}/.config/kfindrc
-# noblacklist ${HOME}/.kde/share/config/kfindrc
+#noblacklist ${HOME}/.kde/share/config/kfindrc
-# noblacklist ${HOME}/.kde4/share/config/kfindrc
+#noblacklist ${HOME}/.kde4/share/config/kfindrc
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-# include disable-programs.inc
+#include disable-programs.inc
 apparmor
 caps.drop all
 machine-id
-# net none
+#net none
 netfilter
 no3d
 nodvd
@@ -38,11 +38,11 @@ novideo
 protocol unix
 seccomp
-# private-bin kbuildsycoca4,kdeinit4,kfind
+#private-bin kbuildsycoca4,kdeinit4,kfind
 private-dev
 private-tmp
-# dbus-user none
+#dbus-user none
-# dbus-system none
+#dbus-system none
 restrict-namespaces
diff --git a/etc/profile-a-l/kget.profile b/etc/profile-a-l/kget.profile
index dd45c1889..892577117 100644
--- a/etc/profile-a-l/kget.profile
+++ b/etc/profile-a-l/kget.profile
@@ -40,5 +40,5 @@ seccomp
 private-dev
 private-tmp
-# memory-deny-write-execute
+#memory-deny-write-execute
 restrict-namespaces
diff --git a/etc/profile-a-l/kiwix-desktop.profile b/etc/profile-a-l/kiwix-desktop.profile
index 2e369b945..9f41f41db 100644
--- a/etc/profile-a-l/kiwix-desktop.profile
+++ b/etc/profile-a-l/kiwix-desktop.profile
@@ -27,13 +27,13 @@ apparmor
 caps.drop all
 ipc-namespace
 netfilter
-# no3d
+#no3d
 nodvd
 nogroups
 noinput
 nonewprivs
 noroot
-# nosound
+#nosound
 notv
 nou2f
 novideo
@@ -49,4 +49,4 @@ private-tmp
 dbus-user none
 dbus-system none
-# restrict-namespaces
+#restrict-namespaces
diff --git a/etc/profile-a-l/kmail.profile b/etc/profile-a-l/kmail.profile
index 9724f4963..20d2c01d6 100644
--- a/etc/profile-a-l/kmail.profile
+++ b/etc/profile-a-l/kmail.profile
@@ -41,7 +41,7 @@ include disable-programs.inc
 include whitelist-run-common.inc
 include whitelist-var-common.inc
-# apparmor
+#apparmor
 caps.drop all
 netfilter
 nodvd
@@ -56,11 +56,11 @@ novideo
 protocol unix,inet,inet6,netlink
 # we need to allow chroot, io_getevents, ioprio_set, io_setup, io_submit system calls
 seccomp !chroot,!io_getevents,!io_setup,!io_submit,!ioprio_set
-# tracelog
+#tracelog
 private-dev
-# private-tmp - interrupts connection to akonadi, breaks opening of email attachments
+#private-tmp # interrupts connection to akonadi, breaks opening of email attachments
 # writable-run-user is needed for signing and encrypting emails
 writable-run-user
-# restrict-namespaces
+#restrict-namespaces
diff --git a/etc/profile-a-l/kmplayer.profile b/etc/profile-a-l/kmplayer.profile
index 992b312ee..7615f00c4 100644
--- a/etc/profile-a-l/kmplayer.profile
+++ b/etc/profile-a-l/kmplayer.profile
@@ -33,7 +33,7 @@ nou2f
 protocol unix,inet,inet6,netlink
 seccomp
-# private-bin kmplayer,mplayer
+#private-bin kmplayer,mplayer
 private-cache
 private-dev
 private-tmp
diff --git a/etc/profile-a-l/konversation.profile b/etc/profile-a-l/konversation.profile
index e4781fea3..10a823c89 100644
--- a/etc/profile-a-l/konversation.profile
+++ b/etc/profile-a-l/konversation.profile
@@ -42,5 +42,5 @@ private-cache
 private-dev
 private-tmp
-# memory-deny-write-execute
+#memory-deny-write-execute
 restrict-namespaces
diff --git a/etc/profile-a-l/krita.profile b/etc/profile-a-l/krita.profile
index a04376430..f61bf36a8 100644
--- a/etc/profile-a-l/krita.profile
+++ b/etc/profile-a-l/krita.profile
@@ -28,7 +28,7 @@ include disable-xdg.inc
 apparmor
 caps.drop all
 ipc-namespace
-# net none
+#net none
 netfilter
 nodvd
 nogroups
@@ -46,7 +46,7 @@ private-cache
 private-dev
 private-tmp
-# dbus-user none
+#dbus-user none
-# dbus-system none
+#dbus-system none
 restrict-namespaces
diff --git a/etc/profile-a-l/krunner.profile b/etc/profile-a-l/krunner.profile
index a0244ef47..8af3657d1 100644
--- a/etc/profile-a-l/krunner.profile
+++ b/etc/profile-a-l/krunner.profile
@@ -10,19 +10,19 @@ include globals.local
 # When a file is opened in krunner, the file viewer runs in its own sandbox
 # with its own profile, if it is sandboxed automatically.
-# noblacklist ${HOME}/.cache/krunner
+#noblacklist ${HOME}/.cache/krunner
-# noblacklist ${HOME}/.cache/krunnerbookmarkrunnerfirefoxdbfile.sqlite*
+#noblacklist ${HOME}/.cache/krunnerbookmarkrunnerfirefoxdbfile.sqlite*
-# noblacklist ${HOME}/.config/chromium
+#noblacklist ${HOME}/.config/chromium
 noblacklist ${HOME}/.config/krunnerrc
 noblacklist ${HOME}/.kde/share/config/krunnerrc
 noblacklist ${HOME}/.kde4/share/config/krunnerrc
-# noblacklist ${HOME}/.local/share/baloo
+#noblacklist ${HOME}/.local/share/baloo
-# noblacklist ${HOME}/.mozilla
+#noblacklist ${HOME}/.mozilla
 include disable-common.inc
-# include disable-devel.inc
+#include disable-devel.inc
-# include disable-interpreters.inc
+#include disable-interpreters.inc
-# include disable-programs.inc
+#include disable-programs.inc
 include whitelist-var-common.inc
@@ -34,6 +34,6 @@ noroot
 protocol unix,inet,inet6
 seccomp
-# private-cache
+#private-cache
 restrict-namespaces
diff --git a/etc/profile-a-l/ktorrent.profile b/etc/profile-a-l/ktorrent.profile
index da267b962..63bdc0b83 100644
--- a/etc/profile-a-l/ktorrent.profile
+++ b/etc/profile-a-l/ktorrent.profile
@@ -62,9 +62,9 @@ seccomp
 private-bin kbuildsycoca4,kdeinit4,ktmagnetdownloader,ktorrent,ktupnptest
 private-dev
-# private-lib - problems on Arch
+#private-lib # problems on Arch
 private-tmp
 deterministic-shutdown
-# memory-deny-write-execute
+#memory-deny-write-execute
 restrict-namespaces
diff --git a/etc/profile-a-l/kube.profile b/etc/profile-a-l/kube.profile
index 82336969d..1f8757edb 100644
--- a/etc/profile-a-l/kube.profile
+++ b/etc/profile-a-l/kube.profile
@@ -65,7 +65,7 @@ protocol unix,inet,inet6
 seccomp
 tracelog
-# disable-mnt
+#disable-mnt
 # Add "gpg,gpg2,gpg-agent,pinentry-curses,pinentry-emacs,pinentry-fltk,pinentry-gnome3,pinentry-gtk,pinentry-gtk2,pinentry-gtk-2,pinentry-qt,pinentry-qt4,pinentry-tty,pinentry-x2go,pinentry-kwallet" for gpg
 private-bin kube,sink_synchronizer
 private-cache
diff --git a/etc/profile-a-l/kwrite.profile b/etc/profile-a-l/kwrite.profile
index 34fe2ace6..efc6b7c56 100644
--- a/etc/profile-a-l/kwrite.profile
+++ b/etc/profile-a-l/kwrite.profile
@@ -29,14 +29,14 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
-# net none
+#net none
 netfilter
 nodvd
 nogroups
 noinput
 nonewprivs
 noroot
-# nosound - KWrite is using ALSA!
+#nosound # KWrite is using ALSA!
 notv
 nou2f
 novideo
@@ -49,8 +49,8 @@ private-dev
 private-etc @x11
 private-tmp
-# dbus-user none
+#dbus-user none
-# dbus-system none
+#dbus-system none
 restrict-namespaces
 join-or-start kwrite
diff --git a/etc/profile-a-l/less.profile b/etc/profile-a-l/less.profile
index 6efe23ade..661c0594a 100644
--- a/etc/profile-a-l/less.profile
+++ b/etc/profile-a-l/less.profile
@@ -36,8 +36,8 @@ x11 none
 # The user can have a custom coloring script configured in ${HOME}/.lessfilter.
 # Enable private-bin and private-lib if you are not using any filter.
-# private-bin less
+#private-bin less
-# private-lib
+#private-lib
 private-cache
 private-dev
 writable-var-log
diff --git a/etc/profile-a-l/liferea.profile b/etc/profile-a-l/liferea.profile
index b0e9015ee..739d2cc1e 100644
--- a/etc/profile-a-l/liferea.profile
+++ b/etc/profile-a-l/liferea.profile
@@ -33,13 +33,13 @@ include whitelist-var-common.inc
 caps.drop all
 netfilter
-# no3d
+#no3d
 nodvd
 nogroups
 noinput
 nonewprivs
 noroot
-# nosound
+#nosound
 notv
 nou2f
 novideo
diff --git a/etc/profile-a-l/links-common.profile b/etc/profile-a-l/links-common.profile
index 838d619b7..636560789 100644
--- a/etc/profile-a-l/links-common.profile
+++ b/etc/profile-a-l/links-common.profile
@@ -52,7 +52,7 @@ private-cache
 private-dev
 private-etc @tls-ca
 # Add the next line to your links-common.local to allow external media players.
-# private-etc alsa,asound.conf,machine-id,openal,pulse
+#private-etc alsa,asound.conf,machine-id,openal,pulse
 private-tmp
 dbus-user none
diff --git a/etc/profile-a-l/lutris.profile b/etc/profile-a-l/lutris.profile
index 2658c5373..c3497c3bd 100644
--- a/etc/profile-a-l/lutris.profile
+++ b/etc/profile-a-l/lutris.profile
@@ -13,7 +13,7 @@ noblacklist ${HOME}/.cache/wine
 noblacklist ${HOME}/.cache/winetricks
 noblacklist ${HOME}/.config/lutris
 noblacklist ${HOME}/.local/share/lutris
-# noblacklist ${HOME}/.wine
+#noblacklist ${HOME}/.wine
 noblacklist /tmp/.wine-*
 # Don't block access to /sbin and /usr/sbin to allow using ldconfig. Otherwise
 # Lutris won't even start.
@@ -39,7 +39,7 @@ mkdir ${HOME}/.cache/wine
 mkdir ${HOME}/.cache/winetricks
 mkdir ${HOME}/.config/lutris
 mkdir ${HOME}/.local/share/lutris
-# mkdir ${HOME}/.wine
+#mkdir ${HOME}/.wine
 whitelist ${DOWNLOADS}
 whitelist ${HOME}/Games
 whitelist ${HOME}/.cache/lutris
@@ -47,7 +47,7 @@ whitelist ${HOME}/.cache/wine
 whitelist ${HOME}/.cache/winetricks
 whitelist ${HOME}/.config/lutris
 whitelist ${HOME}/.local/share/lutris
-# whitelist ${HOME}/.wine
+#whitelist ${HOME}/.wine
 whitelist /usr/share/lutris
 whitelist /usr/share/wine
 include whitelist-common.inc
@@ -55,11 +55,11 @@ include whitelist-usr-share-common.inc
 include whitelist-runuser-common.inc
 include whitelist-var-common.inc
-# allow-debuggers
+#allow-debuggers
-# apparmor
+#apparmor
 caps.drop all
 ipc-namespace
-# net none
+#net none
 netfilter
 nodvd
 nogroups
diff --git a/etc/profile-a-l/lynx.profile b/etc/profile-a-l/lynx.profile
index caf8de104..248061b3f 100644
--- a/etc/profile-a-l/lynx.profile
+++ b/etc/profile-a-l/lynx.profile
@@ -34,10 +34,10 @@ protocol unix,inet,inet6
 seccomp
 tracelog
-# private-bin lynx
+#private-bin lynx
 private-cache
 private-dev
-# private-etc alternatives,ca-certificates,crypto-policies,pki,ssl
+#private-etc alternatives,ca-certificates,crypto-policies,pki,ssl
 private-tmp
 restrict-namespaces
diff --git a/etc/profile-a-l/lyx.profile b/etc/profile-a-l/lyx.profile
index c3366acef..d210333c3 100644
--- a/etc/profile-a-l/lyx.profile
+++ b/etc/profile-a-l/lyx.profile
@@ -31,7 +31,7 @@ include whitelist-usr-share-common.inc
 apparmor
 machine-id
-# private-bin atril,dvilualatex,env,latex,lua*,luatex,lyx,lyxclient,okular,pdf2latex,pdflatex,pdftex,perl*,python*,qpdf,qpdfview,sh,tex2lyx,texmf,xelatex
+#private-bin atril,dvilualatex,env,latex,lua*,luatex,lyx,lyxclient,okular,pdf2latex,pdflatex,pdftex,perl*,python*,qpdf,qpdfview,sh,tex2lyx,texmf,xelatex
 private-etc @x11,lyx,mime.types,texmf
 # Redirect
diff --git a/etc/profile-m-z/PCSX2.profile b/etc/profile-m-z/PCSX2.profile
index e75de80ac..a6a9ba6bc 100644
--- a/etc/profile-m-z/PCSX2.profile
+++ b/etc/profile-m-z/PCSX2.profile
@@ -40,8 +40,8 @@ notv
 nou2f
 novideo
 protocol unix,netlink
-#seccomp - breaks loading with no logs
+#seccomp # breaks loading with no logs
-#tracelog - 32/64 bit incompatibility
+#tracelog # 32/64 bit incompatibility
 private-bin PCSX2
 private-cache
diff --git a/etc/profile-m-z/QMediathekView.profile b/etc/profile-m-z/QMediathekView.profile
index 0e18b3cdf..dd5639268 100644
--- a/etc/profile-m-z/QMediathekView.profile
+++ b/etc/profile-m-z/QMediathekView.profile
@@ -57,7 +57,7 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 netfilter
-# no3d
+#no3d
 nodvd
 nogroups
 noinput
@@ -81,5 +81,5 @@ private-tmp
 dbus-user none
 dbus-system none
-#memory-deny-write-execute - breaks on Arch (see issue #1803)
+#memory-deny-write-execute # breaks on Arch (see issue #1803)
 restrict-namespaces
diff --git a/etc/profile-m-z/Viber.profile b/etc/profile-m-z/Viber.profile
index 34d500bb1..fe1f9b877 100644
--- a/etc/profile-m-z/Viber.profile
+++ b/etc/profile-m-z/Viber.profile
@@ -35,4 +35,4 @@ private-bin awk,bash,dig,sh,Viber
 private-etc @tls-ca,@x11,mailcap,proxychains.conf
 private-tmp
-# restrict-namespaces
+#restrict-namespaces
diff --git a/etc/profile-m-z/Xephyr.profile b/etc/profile-m-z/Xephyr.profile
index 0c3d4c1da..aae1808dd 100644
--- a/etc/profile-m-z/Xephyr.profile
+++ b/etc/profile-m-z/Xephyr.profile
@@ -25,7 +25,7 @@ nogroups
 noinput
 nonewprivs
 # In noroot mode, Xephyr cannot create a socket in the real /tmp/.X11-unix.
-# noroot
+#noroot
 nosound
 notv
 nou2f
@@ -35,10 +35,10 @@ seccomp
 disable-mnt
 # using a private home directory
 private
-# private-bin sh,Xephyr,xkbcomp
+#private-bin sh,Xephyr,xkbcomp
-# private-bin bash,cat,ls,sh,strace,Xephyr,xkbcomp
+#private-bin bash,cat,ls,sh,strace,Xephyr,xkbcomp
 private-dev
-# private-etc alternatives,gai.conf,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,nsswitch.conf,resolv.conf
+#private-etc alternatives,gai.conf,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,nsswitch.conf,resolv.conf
 #private-tmp
 restrict-namespaces
diff --git a/etc/profile-m-z/Xvfb.profile b/etc/profile-m-z/Xvfb.profile
index 2bb9f171a..052ea520d 100644
--- a/etc/profile-m-z/Xvfb.profile
+++ b/etc/profile-m-z/Xvfb.profile
@@ -39,8 +39,8 @@ seccomp
 disable-mnt
 # using a private home directory
 private
-# private-bin sh,xkbcomp,Xvfb
+#private-bin sh,xkbcomp,Xvfb
-# private-bin bash,cat,ls,sh,strace,xkbcomp,Xvfb
+#private-bin bash,cat,ls,sh,strace,xkbcomp,Xvfb
 private-dev
 private-etc gai.conf,host.conf
 private-tmp
diff --git a/etc/profile-m-z/makepkg.profile b/etc/profile-m-z/makepkg.profile
index 266d00395..b6afbad59 100644
--- a/etc/profile-m-z/makepkg.profile
+++ b/etc/profile-m-z/makepkg.profile
@@ -14,8 +14,8 @@ blacklist ${RUNUSER}/wayland-*
 # for potential issues and their solutions when Firejailing makepkg
 # This profile could be significantly strengthened by adding the following to makepkg.local
-# whitelist ${HOME}/<Your Build Folder>
+#whitelist ${HOME}/<Your Build Folder>
-# whitelist ${HOME}/.gnupg
+#whitelist ${HOME}/.gnupg
 # Enable severely restricted access to ${HOME}/.gnupg
 noblacklist ${HOME}/.gnupg
diff --git a/etc/profile-m-z/midori.profile b/etc/profile-m-z/midori.profile
index d1655fabb..fcc4845df 100644
--- a/etc/profile-m-z/midori.profile
+++ b/etc/profile-m-z/midori.profile
@@ -13,8 +13,8 @@ noblacklist ${HOME}/.cache/midori
 noblacklist ${HOME}/.config/midori
 noblacklist ${HOME}/.local/share/midori
 noblacklist ${HOME}/.local/share/pki
-# noblacklist ${HOME}/.local/share/webkit
+#noblacklist ${HOME}/.local/share/webkit
-# noblacklist ${HOME}/.local/share/webkitgtk
+#noblacklist ${HOME}/.local/share/webkitgtk
 noblacklist ${HOME}/.pki
 noblacklist ${HOME}/.cache/gnome-mplayer
@@ -54,7 +54,7 @@ caps.drop all
 netfilter
 nodvd
 nonewprivs
-# noroot - problems on Ubuntu 14.04
+#noroot # problems on Ubuntu 14.04
 notv
 protocol unix,inet,inet6,netlink
 seccomp
diff --git a/etc/profile-m-z/mpDris2.profile b/etc/profile-m-z/mpDris2.profile
index 86359426b..ab1c93eaf 100644
--- a/etc/profile-m-z/mpDris2.profile
+++ b/etc/profile-m-z/mpDris2.profile
@@ -56,7 +56,7 @@ dbus-user filter
 dbus-user.own org.mpris.MediaPlayer2.mpd
 dbus-system none
-#memory-deny-write-execute - breaks on Arch (see issue #1803)
+#memory-deny-write-execute # breaks on Arch (see issue #1803)
 read-only ${HOME}
 restrict-namespaces
diff --git a/etc/profile-m-z/mplayer.profile b/etc/profile-m-z/mplayer.profile
index 7d9ff39ad..bdb9fa51d 100644
--- a/etc/profile-m-z/mplayer.profile
+++ b/etc/profile-m-z/mplayer.profile
@@ -24,9 +24,9 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
-# net none - mplayer can be used for streaming.
+#net none # mplayer can be used for streaming.
 netfilter
-# nogroups
+#nogroups
 noinput
 nonewprivs
 noroot
diff --git a/etc/profile-m-z/mullvad-browser.profile b/etc/profile-m-z/mullvad-browser.profile
index b9eb57743..cdbb0ae9c 100644
--- a/etc/profile-m-z/mullvad-browser.profile
+++ b/etc/profile-m-z/mullvad-browser.profile
@@ -73,13 +73,13 @@ novideo
 protocol unix,inet,inet6
 seccomp !chroot
 seccomp.block-secondary
-#tracelog - may cause issues, see #1930
+#tracelog # may cause issues, see #1930
 disable-mnt
 private-bin bash,cat,cp,cut,dirname,env,expr,file,gpg,grep,gxmessage,id,kdialog,ln,mkdir,mullvad-browser,mv,python*,rm,sed,sh,tail,tar,tclsh,test,update-desktop-database,xmessage,xz,zenity
 private-dev
 private-etc @tls-ca
-#private-opt mullvad-browser - can cause slow startup
+#private-opt mullvad-browser # can cause slow startup
 private-tmp
 blacklist ${PATH}/curl
diff --git a/etc/profile-m-z/multimc5.profile b/etc/profile-m-z/multimc5.profile
index 73107680c..41f82bd07 100644
--- a/etc/profile-m-z/multimc5.profile
+++ b/etc/profile-m-z/multimc5.profile
@@ -41,12 +41,12 @@ notv
 nou2f
 novideo
 protocol unix,inet,inet6
-# seccomp
+#seccomp
 disable-mnt
 # private-bin works, but causes weirdness
-# private-bin apt-file,awk,bash,chmod,dirname,dnf,grep,java,kdialog,ldd,mkdir,multimc5,pfl,pkgfile,readlink,sort,valgrind,which,yum,zenity,zypper
+#private-bin apt-file,awk,bash,chmod,dirname,dnf,grep,java,kdialog,ldd,mkdir,multimc5,pfl,pkgfile,readlink,sort,valgrind,which,yum,zenity,zypper
 private-dev
 private-tmp
-# restrict-namespaces
+#restrict-namespaces
diff --git a/etc/profile-m-z/mumble.profile b/etc/profile-m-z/mumble.profile
index ef09e6fca..52dc46800 100644
--- a/etc/profile-m-z/mumble.profile
+++ b/etc/profile-m-z/mumble.profile
@@ -41,5 +41,5 @@ disable-mnt
 private-bin mumble
 private-tmp
-#memory-deny-write-execute - breaks on Arch (see issue #1803)
+#memory-deny-write-execute # breaks on Arch (see issue #1803)
 restrict-namespaces
diff --git a/etc/profile-m-z/musescore.profile b/etc/profile-m-z/musescore.profile
index ca951f70c..b62674ad6 100644
--- a/etc/profile-m-z/musescore.profile
+++ b/etc/profile-m-z/musescore.profile
@@ -37,7 +37,7 @@ protocol unix,inet,inet6
 seccomp !chroot
 tracelog
-# private-bin musescore,mscore
+#private-bin musescore,mscore
 private-tmp
-# restrict-namespaces
+#restrict-namespaces
diff --git a/etc/profile-m-z/musixmatch.profile b/etc/profile-m-z/musixmatch.profile
index 7ce7fbd19..d67cd24bd 100644
--- a/etc/profile-m-z/musixmatch.profile
+++ b/etc/profile-m-z/musixmatch.profile
@@ -35,4 +35,4 @@ disable-mnt
 private-dev
 private-etc @tls-ca
-# restrict-namespaces
+#restrict-namespaces
diff --git a/etc/profile-m-z/mutt.profile b/etc/profile-m-z/mutt.profile
index 288ffedf1..f56c2b1e5 100644
--- a/etc/profile-m-z/mutt.profile
+++ b/etc/profile-m-z/mutt.profile
@@ -121,7 +121,7 @@ seccomp
 seccomp.block-secondary
 tracelog
-# disable-mnt
+#disable-mnt
 private-cache
 private-dev
 private-etc @tls-ca,@x11,Mutt,Muttrc,Muttrc.d,gai.conf,gnupg,gnutls,hosts.conf,mail,mailname,nntpserver,terminfo
diff --git a/etc/profile-m-z/nano.profile b/etc/profile-m-z/nano.profile
index 6b4074dfb..ba63b2067 100644
--- a/etc/profile-m-z/nano.profile
+++ b/etc/profile-m-z/nano.profile
@@ -41,7 +41,7 @@ seccomp
 tracelog
 x11 none
-# disable-mnt
+#disable-mnt
 private-bin nano,rnano
 private-cache
 private-dev
diff --git a/etc/profile-m-z/ncdu.profile b/etc/profile-m-z/ncdu.profile
index 09687199b..5cfd8290a 100644
--- a/etc/profile-m-z/ncdu.profile
+++ b/etc/profile-m-z/ncdu.profile
@@ -29,7 +29,7 @@ seccomp
 x11 none
 private-dev
-# private-tmp
+#private-tmp
 dbus-user none
 dbus-system none
diff --git a/etc/profile-m-z/neomutt.profile b/etc/profile-m-z/neomutt.profile
index 5bd1e7cba..e028d8d42 100644
--- a/etc/profile-m-z/neomutt.profile
+++ b/etc/profile-m-z/neomutt.profile
@@ -113,7 +113,7 @@ seccomp
 seccomp.block-secondary
 tracelog
-# disable-mnt
+#disable-mnt
 private-cache
 private-dev
 private-etc @tls-ca,@x11,Mutt,Muttrc,Muttrc.d,gnupg,hosts.conf,mail,mailname,neomuttrc,neomuttrc.d,nntpserver
diff --git a/etc/profile-m-z/nitroshare.profile b/etc/profile-m-z/nitroshare.profile
index 7a97ca825..254eb789a 100644
--- a/etc/profile-m-z/nitroshare.profile
+++ b/etc/profile-m-z/nitroshare.profile
@@ -42,11 +42,11 @@ private-bin awk,grep,nitroshare,nitroshare-cli,nitroshare-nmh,nitroshare-send,ni
 private-cache
 private-dev
 private-etc @tls-ca,@x11
-# private-lib libnitroshare.so.*,libqhttpengine.so.*,libqmdnsengine.so.*,nitroshare
+#private-lib libnitroshare.so.*,libqhttpengine.so.*,libqmdnsengine.so.*,nitroshare
 private-tmp
-# dbus-user none
+#dbus-user none
-# dbus-system none
+#dbus-system none
-# memory-deny-write-execute
+#memory-deny-write-execute
 restrict-namespaces
diff --git a/etc/profile-m-z/nuclear.profile b/etc/profile-m-z/nuclear.profile
index dec48c827..57fba2693 100644
--- a/etc/profile-m-z/nuclear.profile
+++ b/etc/profile-m-z/nuclear.profile
@@ -17,7 +17,7 @@ whitelist ${HOME}/.config/nuclear
 no3d
-# private-bin nuclear
+#private-bin nuclear
 private-etc @tls-ca,@x11,host.conf,mime.types
 private-opt nuclear
diff --git a/etc/profile-m-z/okular.profile b/etc/profile-m-z/okular.profile
index 8e0758c37..ac573dc47 100644
--- a/etc/profile-m-z/okular.profile
+++ b/etc/profile-m-z/okular.profile
@@ -44,7 +44,7 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 machine-id
-# net none
+#net none
 netfilter
 nodvd
 nogroups
@@ -62,12 +62,13 @@ tracelog
 private-bin kbuildsycoca4,kdeinit4,lpr,okular,unar,unrar
 private-dev
 private-etc @x11,cups
-# private-tmp - on KDE we need access to the real /tmp for data exchange with email clients
+# on KDE we need access to the real /tmp for data exchange with email clients
+#private-tmp
-# dbus-user none
+#dbus-user none
-# dbus-system none
+#dbus-system none
-# memory-deny-write-execute
+#memory-deny-write-execute
 restrict-namespaces
 join-or-start okular
diff --git a/etc/profile-m-z/onionshare-gui.profile b/etc/profile-m-z/onionshare-gui.profile
index 47ac9fc05..3338cadf5 100644
--- a/etc/profile-m-z/onionshare-gui.profile
+++ b/etc/profile-m-z/onionshare-gui.profile
@@ -50,7 +50,7 @@ novideo
 protocol unix,inet,inet6
 seccomp
 seccomp.block-secondary
-#tracelog - may cause issues, see #1930
+#tracelog # may cause issues, see #1930
 disable-mnt
 private-bin onionshare,onionshare-cli,onionshare-gui,python*,tor*
diff --git a/etc/profile-m-z/openclonk.profile b/etc/profile-m-z/openclonk.profile
index 3449ac686..e10f6011b 100644
--- a/etc/profile-m-z/openclonk.profile
+++ b/etc/profile-m-z/openclonk.profile
@@ -24,7 +24,7 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 ipc-namespace
-# net none - networked game
+#net none # networked game
 netfilter
 nodvd
 nogroups
diff --git a/etc/profile-m-z/orage.profile b/etc/profile-m-z/orage.profile
index fa16c05e2..c4849b958 100644
--- a/etc/profile-m-z/orage.profile
+++ b/etc/profile-m-z/orage.profile
@@ -24,7 +24,7 @@ nogroups
 noinput
 nonewprivs
 noroot
-# nosound - calendar application, It must be able to play sound to wake you up.
+#nosound # calendar application, It must be able to play sound to wake you up.
 notv
 nou2f
 novideo
diff --git a/etc/profile-m-z/otter-browser.profile b/etc/profile-m-z/otter-browser.profile
index a1c0462ba..76d4a2c52 100644
--- a/etc/profile-m-z/otter-browser.profile
+++ b/etc/profile-m-z/otter-browser.profile
@@ -57,4 +57,4 @@ private-tmp
 dbus-system none
-# restrict-namespaces
+#restrict-namespaces
diff --git a/etc/profile-m-z/pidgin.profile b/etc/profile-m-z/pidgin.profile
index a852a2a18..5bc0bd700 100644
--- a/etc/profile-m-z/pidgin.profile
+++ b/etc/profile-m-z/pidgin.profile
@@ -40,7 +40,7 @@ protocol unix,inet,inet6,netlink
 seccomp
 tracelog
-# private-bin pidgin
+#private-bin pidgin
 private-cache
 private-dev
 private-tmp
diff --git a/etc/profile-m-z/ping.profile b/etc/profile-m-z/ping.profile
index d563064e1..c3aa0a501 100644
--- a/etc/profile-m-z/ping.profile
+++ b/etc/profile-m-z/ping.profile
@@ -55,7 +55,7 @@ tracelog
 disable-mnt
 private
-#private-bin ping - has mammoth problems with execvp: "No such file or directory"
+#private-bin ping # has mammoth problems with execvp: "No such file or directory"
 private-cache
 private-dev
 private-etc @tls-ca
diff --git a/etc/profile-m-z/pluma.profile b/etc/profile-m-z/pluma.profile
index efcdaa661..6e56208d5 100644
--- a/etc/profile-m-z/pluma.profile
+++ b/etc/profile-m-z/pluma.profile
@@ -21,10 +21,10 @@ include disable-shell.inc
 include whitelist-var-common.inc
-# apparmor - makes settings immutable
+#apparmor # makes settings immutable
 caps.drop all
 machine-id
-# net none - makes settings immutable
+#net none # makes settings immutable
 no3d
 nodvd
 nogroups
@@ -45,8 +45,8 @@ private-lib aspell,gconv,libgspell-1.so.*,libreadline.so.*,libtinfo.so.*,pluma
 private-tmp
 # makes settings immutable
-# dbus-user none
+#dbus-user none
-# dbus-system none
+#dbus-system none
 restrict-namespaces
 join-or-start pluma
diff --git a/etc/profile-m-z/plv.profile b/etc/profile-m-z/plv.profile
index 34e18cbd7..38fa01553 100644
--- a/etc/profile-m-z/plv.profile
+++ b/etc/profile-m-z/plv.profile
@@ -53,7 +53,7 @@ writable-var-log
 dbus-user none
 dbus-system none
-#memory-deny-write-execute - breaks opening file-chooser
+#memory-deny-write-execute # breaks opening file-chooser
 read-only ${HOME}
 read-write ${HOME}/.config/PacmanLogViewer
 read-only /var/log/pacman.log
diff --git a/etc/profile-m-z/psi-plus.profile b/etc/profile-m-z/psi-plus.profile
index af117c3b5..7a735bba7 100644
--- a/etc/profile-m-z/psi-plus.profile
+++ b/etc/profile-m-z/psi-plus.profile
@@ -43,4 +43,4 @@ disable-mnt
 private-dev
 private-tmp
-# restrict-namespaces
+#restrict-namespaces
diff --git a/etc/profile-m-z/psi.profile b/etc/profile-m-z/psi.profile
index a1a0606b9..1417a87c9 100644
--- a/etc/profile-m-z/psi.profile
+++ b/etc/profile-m-z/psi.profile
@@ -62,7 +62,7 @@ novideo
 nou2f
 protocol unix,inet,inet6,netlink
 seccomp !chroot
-#tracelog - breaks on Arch
+#tracelog # breaks on Arch
 disable-mnt
 # Add the next line to your psi.local to enable GPG support.
diff --git a/etc/profile-m-z/pycharm-community.profile b/etc/profile-m-z/pycharm-community.profile
index 875b83e8e..fa307fc88 100644
--- a/etc/profile-m-z/pycharm-community.profile
+++ b/etc/profile-m-z/pycharm-community.profile
@@ -34,8 +34,8 @@ nou2f
 novideo
 tracelog
-# private-etc alternatives,fonts,passwd - minimal required to run but will probably break
+# minimum required to run but will probably break the program!
-# program!
+#private-etc alternatives,fonts,passwd
 private-dev
 private-tmp
diff --git a/etc/profile-m-z/qbittorrent.profile b/etc/profile-m-z/qbittorrent.profile
index 9605da3ac..ae0a2cdf1 100644
--- a/etc/profile-m-z/qbittorrent.profile
+++ b/etc/profile-m-z/qbittorrent.profile
@@ -55,12 +55,12 @@ seccomp
 private-bin python*,qbittorrent
 private-dev
-# private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,resolv.conf,ssl,X11,xdg
+#private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,resolv.conf,ssl,X11,xdg
 private-tmp
 # See https://github.com/netblue30/firejail/issues/3707 for tray-icon
 dbus-user none
 dbus-system none
-# memory-deny-write-execute - problems on Arch, see #1690 on GitHub repo
+#memory-deny-write-execute # problems on Arch, see #1690 on GitHub repo
 restrict-namespaces
diff --git a/etc/profile-m-z/qmmp.profile b/etc/profile-m-z/qmmp.profile
index ecd62a7d1..66c8f3238 100644
--- a/etc/profile-m-z/qmmp.profile
+++ b/etc/profile-m-z/qmmp.profile
@@ -18,7 +18,7 @@ include disable-xdg.inc
 caps.drop all
 netfilter
-# no3d
+#no3d
 nogroups
 noinput
 nonewprivs
diff --git a/etc/profile-m-z/qpdfview.profile b/etc/profile-m-z/qpdfview.profile
index 4caa0917f..784d2fafd 100644
--- a/etc/profile-m-z/qpdfview.profile
+++ b/etc/profile-m-z/qpdfview.profile
@@ -41,7 +41,7 @@ private-dev
 private-tmp
 # needs D-Bus when started from a file manager
-# dbus-user none
+#dbus-user none
-# dbus-system none
+#dbus-system none
 restrict-namespaces
diff --git a/etc/profile-m-z/qtox.profile b/etc/profile-m-z/qtox.profile
index ab0f9425a..20c84c5a8 100644
--- a/etc/profile-m-z/qtox.profile
+++ b/etc/profile-m-z/qtox.profile
@@ -48,5 +48,5 @@ private-tmp
 dbus-user none
 dbus-system none
-#memory-deny-write-execute - breaks on Arch (see issue #1803)
+#memory-deny-write-execute # breaks on Arch (see issue #1803)
 restrict-namespaces
diff --git a/etc/profile-m-z/quassel.profile b/etc/profile-m-z/quassel.profile
index 4589c9e4a..4ec990e95 100644
--- a/etc/profile-m-z/quassel.profile
+++ b/etc/profile-m-z/quassel.profile
@@ -25,4 +25,4 @@ seccomp !chroot
 private-cache
 private-tmp
-# restrict-namespaces
+#restrict-namespaces
diff --git a/etc/profile-m-z/quiterss.profile b/etc/profile-m-z/quiterss.profile
index a59f01f85..4102b1ea0 100644
--- a/etc/profile-m-z/quiterss.profile
+++ b/etc/profile-m-z/quiterss.profile
@@ -50,6 +50,6 @@ tracelog
 disable-mnt
 private-bin quiterss
 private-dev
-# private-etc alternatives,ca-certificates,crypto-policies,pki,ssl,X11
+#private-etc alternatives,ca-certificates,crypto-policies,pki,ssl,X11
 restrict-namespaces
diff --git a/etc/profile-m-z/rpcs3.profile b/etc/profile-m-z/rpcs3.profile
index 405ab818d..603ec8ff4 100644
--- a/etc/profile-m-z/rpcs3.profile
+++ b/etc/profile-m-z/rpcs3.profile
@@ -54,7 +54,8 @@ tracelog
 disable-mnt
 #private-cache
-#private-etc alternatives,ca-certificates,crypto-policies,machine-id,pki,resolv.conf,ssl # seems to need awk
+# seems to need awk
+#private-etc alternatives,ca-certificates,crypto-policies,machine-id,pki,resolv.conf,ssl
 private-tmp
 dbus-user none
diff --git a/etc/profile-m-z/rssguard.profile b/etc/profile-m-z/rssguard.profile
index 81381c205..ce455baba 100644
--- a/etc/profile-m-z/rssguard.profile
+++ b/etc/profile-m-z/rssguard.profile
@@ -31,13 +31,13 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 netfilter
-# no3d
+#no3d
 nodvd
 nogroups
 noinput
 nonewprivs
 noroot
-# nosound
+#nosound
 notv
 nou2f
 novideo
diff --git a/etc/profile-m-z/scribus.profile b/etc/profile-m-z/scribus.profile
index 34cf783fe..8e25375b0 100644
--- a/etc/profile-m-z/scribus.profile
+++ b/etc/profile-m-z/scribus.profile
@@ -55,7 +55,7 @@ protocol unix
 seccomp
 tracelog
-# private-bin gimp*,gs,scribus
+#private-bin gimp*,gs,scribus
 private-dev
 private-tmp
diff --git a/etc/profile-m-z/seamonkey.profile b/etc/profile-m-z/seamonkey.profile
index c2dbbc2c6..1171a52f0 100644
--- a/etc/profile-m-z/seamonkey.profile
+++ b/etc/profile-m-z/seamonkey.profile
@@ -55,7 +55,7 @@ seccomp
 tracelog
 disable-mnt
-# private-etc adobe,alternatives,asound.conf,ca-certificates,crypto-policies,firefox,fonts,group,gtk-2.0,hostname,hosts,iceweasel,localtime,machine-id,mailcap,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,ssl
+#private-etc adobe,alternatives,asound.conf,ca-certificates,crypto-policies,firefox,fonts,group,gtk-2.0,hostname,hosts,iceweasel,localtime,machine-id,mailcap,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,ssl
 writable-run-user
 restrict-namespaces
diff --git a/etc/profile-m-z/server.profile b/etc/profile-m-z/server.profile
index 667f9c557..74587c992 100644
--- a/etc/profile-m-z/server.profile
+++ b/etc/profile-m-z/server.profile
@@ -34,36 +34,36 @@ include globals.local
 noblacklist /sbin
 noblacklist /usr/sbin
 noblacklist /etc/init.d
-# noblacklist /var/opt
+#noblacklist /var/opt
 blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}/wayland-*
 include disable-common.inc
-# include disable-devel.inc
+#include disable-devel.inc
-# include disable-exec.inc
+#include disable-exec.inc
-# include disable-interpreters.inc
+#include disable-interpreters.inc
 include disable-programs.inc
 include disable-write-mnt.inc
 include disable-xdg.inc
-# include whitelist-runuser-common.inc
+#include whitelist-runuser-common.inc
-# include whitelist-usr-share-common.inc
+#include whitelist-usr-share-common.inc
-# include whitelist-var-common.inc
+#include whitelist-var-common.inc
 # people use to install servers all over the place!
 # apparmor runs executable only from default system locations
-# apparmor
+#apparmor
 caps
-# ipc-namespace
+#ipc-namespace
 machine-id
-# netfilter /etc/firejail/webserver.net
+#netfilter /etc/firejail/webserver.net
 no3d
 nodvd
-# nogroups
+#nogroups
 noinput
 nonewprivs
-# noroot
+#noroot
 nosound
 notv
 nou2f
@@ -74,22 +74,22 @@ tab # allow tab completion
 disable-mnt
 private
-# private-bin program
+#private-bin program
-# private-cache
+#private-cache
 private-dev
 # see /usr/share/doc/firejail/profile.template for more common private-etc paths.
-# private-etc alternatives
+#private-etc alternatives
-# private-lib
+#private-lib
-# private-opt none
+#private-opt none
 private-tmp
-# writable-run-user
+#writable-run-user
-# writable-var
+#writable-var
-# writable-var-log
+#writable-var-log
 dbus-user none
-# dbus-system none
+#dbus-system none
-# deterministic-shutdown
+#deterministic-shutdown
-# memory-deny-write-execute
+#memory-deny-write-execute
-# read-only ${HOME}
+#read-only ${HOME}
-# restrict-namespaces
+#restrict-namespaces
diff --git a/etc/profile-m-z/silentarmy.profile b/etc/profile-m-z/silentarmy.profile
index 96e4cf283..154e29ccf 100644
--- a/etc/profile-m-z/silentarmy.profile
+++ b/etc/profile-m-z/silentarmy.profile
@@ -7,7 +7,7 @@ include globals.local
 include disable-common.inc
-# include disable-devel.inc
+#include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
 include disable-programs.inc
diff --git a/etc/profile-m-z/simple-scan.profile b/etc/profile-m-z/simple-scan.profile
index 14846cf58..f8bcd3c6e 100644
--- a/etc/profile-m-z/simple-scan.profile
+++ b/etc/profile-m-z/simple-scan.profile
@@ -28,15 +28,15 @@ nonewprivs
 noroot
 nosound
 notv
-# novideo
+#novideo
 protocol unix,inet,inet6,netlink
 # blacklisting of ioperm system calls breaks simple-scan
 seccomp !ioperm
 tracelog
-# private-bin simple-scan
+#private-bin simple-scan
-# private-dev
+#private-dev
-# private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,ssl
+#private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,ssl
-# private-tmp
+#private-tmp
 restrict-namespaces
diff --git a/etc/profile-m-z/simutrans.profile b/etc/profile-m-z/simutrans.profile
index f88ae65c8..995b59538 100644
--- a/etc/profile-m-z/simutrans.profile
+++ b/etc/profile-m-z/simutrans.profile
@@ -33,7 +33,7 @@ novideo
 protocol unix
 seccomp
-# private-bin simutrans
+#private-bin simutrans
 private-dev
 private-etc @games,@x11
 private-tmp
diff --git a/etc/profile-m-z/skanlite.profile b/etc/profile-m-z/skanlite.profile
index 6b73b2289..3b78f7fd2 100644
--- a/etc/profile-m-z/skanlite.profile
+++ b/etc/profile-m-z/skanlite.profile
@@ -22,16 +22,16 @@ nonewprivs
 noroot
 nosound
 notv
-# novideo
+#novideo
 protocol unix,inet,inet6,netlink
 # blacklisting of ioperm system calls breaks skanlite
 seccomp !ioperm
-# private-bin kbuildsycoca4,kdeinit4,skanlite
+#private-bin kbuildsycoca4,kdeinit4,skanlite
-# private-dev
+#private-dev
-# private-tmp
+#private-tmp
-# dbus-user none
+#dbus-user none
-# dbus-system none
+#dbus-system none
 restrict-namespaces
diff --git a/etc/profile-m-z/smplayer.profile b/etc/profile-m-z/smplayer.profile
index 9dd41fd27..ece191b73 100644
--- a/etc/profile-m-z/smplayer.profile
+++ b/etc/profile-m-z/smplayer.profile
@@ -36,7 +36,7 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 netfilter
-# nogroups
+#nogroups
 noinput
 nonewprivs
 noroot
@@ -49,7 +49,7 @@ private-dev
 private-tmp
 # problems with KDE
-# dbus-user none
+#dbus-user none
-# dbus-system none
+#dbus-system none
 restrict-namespaces
diff --git a/etc/profile-m-z/sniffnet.profile b/etc/profile-m-z/sniffnet.profile
index eb18c1f01..940c35b2e 100644
--- a/etc/profile-m-z/sniffnet.profile
+++ b/etc/profile-m-z/sniffnet.profile
@@ -29,8 +29,8 @@ netfilter
 nodvd
 nogroups
 noinput
-# nonewprivs - breaks network traffic capture for unprivileged users
+#nonewprivs # breaks network traffic capture for unprivileged users
-# noroot
+#noroot
 notv
 nou2f
 novideo
diff --git a/etc/profile-m-z/sol.profile b/etc/profile-m-z/sol.profile
index e2be4e9e0..07f9b0094 100644
--- a/etc/profile-m-z/sol.profile
+++ b/etc/profile-m-z/sol.profile
@@ -21,13 +21,13 @@ apparmor
 caps.drop all
 ipc-namespace
 net none
-# no3d
+#no3d
 nodvd
 nogroups
 noinput
 nonewprivs
 noroot
-# nosound
+#nosound
 notv
 nou2f
 novideo
@@ -43,5 +43,5 @@ private-tmp
 dbus-user none
 dbus-system none
-# memory-deny-write-execute
+#memory-deny-write-execute
 restrict-namespaces
diff --git a/etc/profile-m-z/sound-juicer.profile b/etc/profile-m-z/sound-juicer.profile
index f5ac6c739..5c5763538 100644
--- a/etc/profile-m-z/sound-juicer.profile
+++ b/etc/profile-m-z/sound-juicer.profile
@@ -38,7 +38,7 @@ private-cache
 private-dev
 private-tmp
-# dbus-user none
+#dbus-user none
-# dbus-system none
+#dbus-system none
 restrict-namespaces
diff --git a/etc/profile-m-z/sqlitebrowser.profile b/etc/profile-m-z/sqlitebrowser.profile
index ce356367f..013c7ac13 100644
--- a/etc/profile-m-z/sqlitebrowser.profile
+++ b/etc/profile-m-z/sqlitebrowser.profile
@@ -46,8 +46,8 @@ private-etc @tls-ca
 private-tmp
 # breaks proxy creation
-# dbus-user none
+#dbus-user none
-# dbus-system none
+#dbus-system none
-#memory-deny-write-execute - breaks on Arch (see issue #1803)
+#memory-deny-write-execute # breaks on Arch (see issue #1803)
 restrict-namespaces
diff --git a/etc/profile-m-z/ssh.profile b/etc/profile-m-z/ssh.profile
index a7956a76e..fde85be64 100644
--- a/etc/profile-m-z/ssh.profile
+++ b/etc/profile-m-z/ssh.profile
@@ -32,10 +32,10 @@ nodvd
 nogroups
 noinput
 nonewprivs
-# noroot - see issue #1543
+#noroot # see issue #1543
 nosound
 notv
-# nou2f - OpenSSH >= 8.2 supports U2F
+#nou2f # OpenSSH >= 8.2 supports U2F
 novideo
 protocol unix,inet,inet6
 seccomp
@@ -43,7 +43,7 @@ tracelog
 private-cache
 private-dev
-# private-tmp # Breaks when exiting
+#private-tmp # Breaks when exiting
 writable-run-user
 dbus-user none
diff --git a/etc/profile-m-z/standardnotes-desktop.profile b/etc/profile-m-z/standardnotes-desktop.profile
index 3fe0963a9..fe4e4b6d7 100644
--- a/etc/profile-m-z/standardnotes-desktop.profile
+++ b/etc/profile-m-z/standardnotes-desktop.profile
@@ -47,4 +47,4 @@ private-etc @tls-ca,@x11,host.conf
 dbus-user none
 dbus-system none
-# restrict-namespaces
+#restrict-namespaces
diff --git a/etc/profile-m-z/subdownloader.profile b/etc/profile-m-z/subdownloader.profile
index 6de288c46..8b5d7e253 100644
--- a/etc/profile-m-z/subdownloader.profile
+++ b/etc/profile-m-z/subdownloader.profile
@@ -49,5 +49,5 @@ private-tmp
 dbus-user none
 dbus-system none
-#memory-deny-write-execute - breaks on Arch (see issue #1803)
+#memory-deny-write-execute # breaks on Arch (see issue #1803)
 restrict-namespaces
diff --git a/etc/profile-m-z/supertux2.profile b/etc/profile-m-z/supertux2.profile
index 2ad107f1a..65aea6667 100644
--- a/etc/profile-m-z/supertux2.profile
+++ b/etc/profile-m-z/supertux2.profile
@@ -41,7 +41,7 @@ seccomp.block-secondary
 tracelog
 disable-mnt
-# private-bin supertux2
+#private-bin supertux2
 private-cache
 private-etc
 private-dev
diff --git a/etc/profile-m-z/sushi.profile b/etc/profile-m-z/sushi.profile
index 7b6a87b31..728db012e 100644
--- a/etc/profile-m-z/sushi.profile
+++ b/etc/profile-m-z/sushi.profile
@@ -13,7 +13,7 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-# include disable-programs.inc
+#include disable-programs.inc
 include disable-shell.inc
 include whitelist-runuser-common.inc
diff --git a/etc/profile-m-z/sylpheed.profile b/etc/profile-m-z/sylpheed.profile
index 5fb35aa04..7cef394c2 100644
--- a/etc/profile-m-z/sylpheed.profile
+++ b/etc/profile-m-z/sylpheed.profile
@@ -13,7 +13,7 @@ whitelist ${HOME}/.sylpheed-2.0
 whitelist /usr/share/sylpheed
-# private-bin curl,gpg,gpg2,gpg-agent,gpgsm,pinentry,pinentry-gtk-2,sylpheed
+#private-bin curl,gpg,gpg2,gpg-agent,gpgsm,pinentry,pinentry-gtk-2,sylpheed
 # Redirect
 include email-common.profile
diff --git a/etc/profile-m-z/sysprof.profile b/etc/profile-m-z/sysprof.profile
index 726baf336..b0a80fc27 100644
--- a/etc/profile-m-z/sysprof.profile
+++ b/etc/profile-m-z/sysprof.profile
@@ -59,11 +59,11 @@ seccomp
 tracelog
 disable-mnt
-#private-bin sysprof - breaks help menu
+#private-bin sysprof # breaks help menu
 private-cache
 private-dev
 private-etc @tls-ca
-# private-lib - breaks help menu
+#private-lib # breaks help menu
 #private-lib gdk-pixbuf-2.*,gio,gtk3,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.so.*,libsysprof-2.so,libsysprof-ui-2.so
 private-tmp
@@ -73,5 +73,5 @@ dbus-user.own org.gnome.Yelp
 dbus-user.own org.gnome.Sysprof3
 dbus-user.talk ca.desrt.dconf
-# memory-deny-write-execute - breaks on Arch
+#memory-deny-write-execute # breaks on Arch
 restrict-namespaces
diff --git a/etc/profile-m-z/teamspeak3.profile b/etc/profile-m-z/teamspeak3.profile
index 41da4ee13..06b547b3d 100644
--- a/etc/profile-m-z/teamspeak3.profile
+++ b/etc/profile-m-z/teamspeak3.profile
@@ -39,4 +39,4 @@ disable-mnt
 private-dev
 private-tmp
-# restrict-namespaces
+#restrict-namespaces
diff --git a/etc/profile-m-z/thunderbird.profile b/etc/profile-m-z/thunderbird.profile
index 17e2f0856..979971ac2 100644
--- a/etc/profile-m-z/thunderbird.profile
+++ b/etc/profile-m-z/thunderbird.profile
@@ -35,7 +35,7 @@ whitelist ${HOME}/.mozilla/firefox/profiles.ini
 noblacklist ${HOME}/.cache/thunderbird
 noblacklist ${HOME}/.gnupg
-# noblacklist ${HOME}/.icedove
+#noblacklist ${HOME}/.icedove
 noblacklist ${HOME}/.thunderbird
 include disable-xdg.inc
@@ -46,11 +46,11 @@ include disable-xdg.inc
 # See https://github.com/netblue30/firejail/issues/2357
 mkdir ${HOME}/.cache/thunderbird
 mkdir ${HOME}/.gnupg
-# mkdir ${HOME}/.icedove
+#mkdir ${HOME}/.icedove
 mkdir ${HOME}/.thunderbird
 whitelist ${HOME}/.cache/thunderbird
 whitelist ${HOME}/.gnupg
-# whitelist ${HOME}/.icedove
+#whitelist ${HOME}/.icedove
 whitelist ${HOME}/.thunderbird
 whitelist /usr/share/gnupg
diff --git a/etc/profile-m-z/tmux.profile b/etc/profile-m-z/tmux.profile
index a855ff839..ddd2aa85f 100644
--- a/etc/profile-m-z/tmux.profile
+++ b/etc/profile-m-z/tmux.profile
@@ -12,10 +12,10 @@ blacklist ${RUNUSER}
 noblacklist /tmp/tmux-*
-# include disable-common.inc
+#include disable-common.inc
-# include disable-devel.inc
+#include disable-devel.inc
-# include disable-exec.inc
+#include disable-exec.inc
-# include disable-programs.inc
+#include disable-programs.inc
 caps.drop all
 ipc-namespace
@@ -36,9 +36,9 @@ seccomp
 seccomp.block-secondary
 tracelog
-# private-cache
+#private-cache
 private-dev
-# private-tmp
+#private-tmp
 dbus-user none
 dbus-system none
diff --git a/etc/profile-m-z/torbrowser-launcher.profile b/etc/profile-m-z/torbrowser-launcher.profile
index 86746c7f1..20ebddb69 100644
--- a/etc/profile-m-z/torbrowser-launcher.profile
+++ b/etc/profile-m-z/torbrowser-launcher.profile
@@ -56,13 +56,13 @@ novideo
 protocol unix,inet,inet6
 seccomp !chroot
 seccomp.block-secondary
-#tracelog - may cause issues, see #1930
+#tracelog # may cause issues, see #1930
 disable-mnt
 private-bin bash,cat,cp,cut,dirname,env,expr,file,gpg,grep,gxmessage,id,kdialog,ln,mkdir,mv,python*,rm,sed,sh,tail,tar,tclsh,test,tor-browser,tor-browser-en,torbrowser-launcher,update-desktop-database,xmessage,xz,zenity
 private-dev
 private-etc @tls-ca
-#private-opt tor-browser - can cause slow startup
+#private-opt tor-browser # can cause slow startup
 private-tmp
 dbus-user none
diff --git a/etc/profile-m-z/totem.profile b/etc/profile-m-z/totem.profile
index a4cb49171..73d3b0b6f 100644
--- a/etc/profile-m-z/totem.profile
+++ b/etc/profile-m-z/totem.profile
@@ -35,7 +35,7 @@ include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
-# apparmor - makes settings immutable
+#apparmor # makes settings immutable
 caps.drop all
 netfilter
 nogroups
@@ -55,7 +55,7 @@ private-etc @tls-ca,@x11,python*
 private-tmp
 # makes settings immutable
-# dbus-user none
+#dbus-user none
 dbus-system none
 restrict-namespaces
diff --git a/etc/profile-m-z/tracker.profile b/etc/profile-m-z/tracker.profile
index f30b0aef6..c46b00fc9 100644
--- a/etc/profile-m-z/tracker.profile
+++ b/etc/profile-m-z/tracker.profile
@@ -33,8 +33,8 @@ protocol unix
 seccomp
 tracelog
-# private-bin tracker
+#private-bin tracker
-# private-dev
+#private-dev
-# private-tmp
+#private-tmp
 restrict-namespaces
diff --git a/etc/profile-m-z/trojita.profile b/etc/profile-m-z/trojita.profile
index 2578eb0be..5e9e7f127 100644
--- a/etc/profile-m-z/trojita.profile
+++ b/etc/profile-m-z/trojita.profile
@@ -52,7 +52,7 @@ protocol unix,inet,inet6,netlink
 seccomp
 tracelog
-# disable-mnt
+#disable-mnt
 private-bin trojita
 private-cache
 private-dev
diff --git a/etc/profile-m-z/udiskie.profile b/etc/profile-m-z/udiskie.profile
index c182326bb..175ae4591 100644
--- a/etc/profile-m-z/udiskie.profile
+++ b/etc/profile-m-z/udiskie.profile
@@ -36,8 +36,8 @@ tracelog
 private-bin awk,cut,dbus-send,egrep,file,grep,head,python*,readlink,sed,sh,udiskie,uname,which,xdg-mime,xdg-open,xprop
 # add your configured file browser in udiskie.local, e. g.
-# private-bin nautilus
+#private-bin nautilus
-# private-bin thunar
+#private-bin thunar
 private-cache
 private-dev
 private-etc @x11,mime.types
diff --git a/etc/profile-m-z/unknown-horizons.profile b/etc/profile-m-z/unknown-horizons.profile
index 3e2b28dec..4e7dc3705 100644
--- a/etc/profile-m-z/unknown-horizons.profile
+++ b/etc/profile-m-z/unknown-horizons.profile
@@ -34,11 +34,11 @@ protocol unix,inet,inet6,netlink
 seccomp
 disable-mnt
-# private-bin unknown-horizons
+#private-bin unknown-horizons
 private-dev
-# private-etc alternatives,ca-certificates,crypto-policies,pki,ssl
+#private-etc alternatives,ca-certificates,crypto-policies,pki,ssl
 private-tmp
 # doesn't work - maybe all Tcl/Tk programs have this problem
-# memory-deny-write-execute
+#memory-deny-write-execute
 restrict-namespaces
diff --git a/etc/profile-m-z/viewnior.profile b/etc/profile-m-z/viewnior.profile
index aa8199442..8c6efaa1c 100644
--- a/etc/profile-m-z/viewnior.profile
+++ b/etc/profile-m-z/viewnior.profile
@@ -49,5 +49,5 @@ private-tmp
 dbus-user none
 dbus-system none
-#memory-deny-write-execute - breaks on Arch (see issues #1803 and #1808)
+#memory-deny-write-execute # breaks on Arch (see issues #1803 and #1808)
 restrict-namespaces
diff --git a/etc/profile-m-z/virtualbox.profile b/etc/profile-m-z/virtualbox.profile
index ae8afbbf1..b768a635a 100644
--- a/etc/profile-m-z/virtualbox.profile
+++ b/etc/profile-m-z/virtualbox.profile
@@ -9,7 +9,7 @@ include globals.local
 noblacklist ${HOME}/.VirtualBox
 noblacklist ${HOME}/.config/VirtualBox
 noblacklist ${HOME}/VirtualBox VMs
-# noblacklist /usr/bin/virtualbox
+#noblacklist /usr/bin/virtualbox
 noblacklist /usr/lib/virtualbox
 noblacklist /usr/lib64/virtualbox
diff --git a/etc/profile-m-z/warzone2100.profile b/etc/profile-m-z/warzone2100.profile
index 79ba41d44..a7b0f5f1d 100644
--- a/etc/profile-m-z/warzone2100.profile
+++ b/etc/profile-m-z/warzone2100.profile
@@ -15,7 +15,7 @@ include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
 include disable-programs.inc
-#include disable-shell.inc - problems on Debian 11
+#include disable-shell.inc # problems on Debian 11
 mkdir ${HOME}/.local/share/warzone2100
 mkdir ${HOME}/.local/share/warzone2100-3.3.0
diff --git a/etc/profile-m-z/wine.profile b/etc/profile-m-z/wine.profile
index 1e2b164b9..33f404464 100644
--- a/etc/profile-m-z/wine.profile
+++ b/etc/profile-m-z/wine.profile
@@ -20,23 +20,23 @@ include disable-devel.inc
 include disable-interpreters.inc
 include disable-programs.inc
-# whitelist /usr/share/wine
+#whitelist /usr/share/wine
-# include whitelist-usr-share-common.inc
+#include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 # Some applications don't need allow-debuggers. Add 'ignore allow-debuggers' to your wine.local if you want to override this.
 allow-debuggers
 caps.drop all
-# net none
+#net none
 netfilter
 nodvd
 nogroups
 noinput
 nonewprivs
 noroot
-# nosound
+#nosound
 notv
-# novideo
+#novideo
 seccomp
 private-dev
diff --git a/etc/profile-m-z/wireshark.profile b/etc/profile-m-z/wireshark.profile
index d1b757a25..7caac217f 100644
--- a/etc/profile-m-z/wireshark.profile
+++ b/etc/profile-m-z/wireshark.profile
@@ -25,29 +25,30 @@ include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 apparmor
-# caps.drop all
+#caps.drop all
 caps.keep dac_override,dac_read_search,net_admin,net_raw
 netfilter
 no3d
-# nogroups - breaks network traffic capture for unprivileged users
+#nogroups # breaks network traffic capture for unprivileged users
 noinput
-# nonewprivs - breaks network traffic capture for unprivileged users
+#nonewprivs # breaks network traffic capture for unprivileged users
-# noroot
+#noroot
 nodvd
 nosound
 notv
 nou2f
 novideo
-# protocol unix,inet,inet6,netlink,packet,bluetooth - commented out in case they bring in new protocols
+# commented out in case they bring in new protocols
+#protocol unix,inet,inet6,netlink,packet,bluetooth
 #seccomp
 tracelog
-# private-bin wireshark
+#private-bin wireshark
 private-cache
 # private-dev prevents (some) interfaces from being shown.
 # Add the below line to your wirehsark.local if you only want to inspect pcap files.
 #private-dev
-# private-etc alternatives,ca-certificates,crypto-policies,fonts,group,hosts,machine-id,passwd,pki,resolv.conf,ssl
+#private-etc alternatives,ca-certificates,crypto-policies,fonts,group,hosts,machine-id,passwd,pki,resolv.conf,ssl
 private-tmp
 dbus-user none
diff --git a/etc/profile-m-z/xed.profile b/etc/profile-m-z/xed.profile
index dda803bd5..b47437e2d 100644
--- a/etc/profile-m-z/xed.profile
+++ b/etc/profile-m-z/xed.profile
@@ -23,10 +23,10 @@ include disable-shell.inc
 include whitelist-var-common.inc
-# apparmor - makes settings immutable
+#apparmor # makes settings immutable
 caps.drop all
 machine-id
-# net none - makes settings immutable
+#net none # makes settings immutable
 no3d
 nodvd
 nogroups
@@ -46,9 +46,9 @@ private-dev
 private-tmp
 # makes settings immutable
-# dbus-user none
+#dbus-user none
-# dbus-system none
+#dbus-system none
 # xed uses python plugins, memory-deny-write-execute breaks python
-# memory-deny-write-execute
+#memory-deny-write-execute
 restrict-namespaces
diff --git a/etc/profile-m-z/xfburn.profile b/etc/profile-m-z/xfburn.profile
index 141fda909..96edc15ab 100644
--- a/etc/profile-m-z/xfburn.profile
+++ b/etc/profile-m-z/xfburn.profile
@@ -25,8 +25,8 @@ protocol unix
 seccomp
 tracelog
-# private-bin xfburn
+#private-bin xfburn
-# private-dev
+#private-dev
-# private-tmp
+#private-tmp
 restrict-namespaces
diff --git a/etc/profile-m-z/xfce4-mixer.profile b/etc/profile-m-z/xfce4-mixer.profile
index 9c4fa8293..6c3a5812b 100644
--- a/etc/profile-m-z/xfce4-mixer.profile
+++ b/etc/profile-m-z/xfce4-mixer.profile
@@ -53,5 +53,5 @@ dbus-user.own org.xfce.xfce4-mixer
 dbus-user.talk org.xfce.Xfconf
 dbus-system none
-# memory-deny-write-execute - breaks on Arch
+#memory-deny-write-execute # breaks on Arch
 restrict-namespaces
diff --git a/etc/profile-m-z/xfce4-screenshooter.profile b/etc/profile-m-z/xfce4-screenshooter.profile
index 4d841b35c..9094a7872 100644
--- a/etc/profile-m-z/xfce4-screenshooter.profile
+++ b/etc/profile-m-z/xfce4-screenshooter.profile
@@ -47,5 +47,5 @@ private-tmp
 dbus-user none
 dbus-system none
-# memory-deny-write-execute -- see #3790
+#memory-deny-write-execute # see #3790
 restrict-namespaces
diff --git a/etc/profile-m-z/xplayer.profile b/etc/profile-m-z/xplayer.profile
index a673d6aa3..9741888f0 100644
--- a/etc/profile-m-z/xplayer.profile
+++ b/etc/profile-m-z/xplayer.profile
@@ -27,7 +27,7 @@ include whitelist-common.inc
 include whitelist-player-common.inc
 include whitelist-var-common.inc
-# apparmor - makes settings immutable
+#apparmor # makes settings immutable
 caps.drop all
 netfilter
 nogroups
@@ -41,11 +41,11 @@ tracelog
 private-bin xplayer,xplayer-audio-preview,xplayer-video-thumbnailer
 private-dev
-# private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,machine-id,pki,pulse,ssl
+#private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,machine-id,pki,pulse,ssl
 private-tmp
 # makes settings immutable
-# dbus-user none
+#dbus-user none
-# dbus-system none
+#dbus-system none
 restrict-namespaces
diff --git a/etc/profile-m-z/xpra.profile b/etc/profile-m-z/xpra.profile
index 05c12b9a2..b00307394 100644
--- a/etc/profile-m-z/xpra.profile
+++ b/etc/profile-m-z/xpra.profile
@@ -45,11 +45,11 @@ seccomp
 disable-mnt
 # private home directory doesn't work on some distros, so we go for a regular home
-# private
+#private
 # older Xpra versions also use Xvfb
-# private-bin bash,cat,dbus-launch,ldconfig,ls,pactl,python*,sh,strace,which,xauth,xkbcomp,Xorg,xpra,Xvfb
+#private-bin bash,cat,dbus-launch,ldconfig,ls,pactl,python*,sh,strace,which,xauth,xkbcomp,Xorg,xpra,Xvfb
 private-dev
-# private-etc alternatives,gai.conf,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,machine-id,nsswitch.conf,resolv.conf,X11,xpra
+#private-etc alternatives,gai.conf,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,machine-id,nsswitch.conf,resolv.conf,X11,xpra
 private-tmp
 restrict-namespaces
diff --git a/etc/profile-m-z/xreader.profile b/etc/profile-m-z/xreader.profile
index 6edbf9357..cad836fdc 100644
--- a/etc/profile-m-z/xreader.profile
+++ b/etc/profile-m-z/xreader.profile
@@ -18,9 +18,9 @@ include disable-programs.inc
 include disable-xdg.inc
 # Breaks xreader on Mint 18.3
-# include whitelist-var-common.inc
+#include whitelist-var-common.inc
-# apparmor
+#apparmor
 caps.drop all
 no3d
 nodvd
diff --git a/etc/profile-m-z/xviewer.profile b/etc/profile-m-z/xviewer.profile
index 6c31df4a9..575c1bf68 100644
--- a/etc/profile-m-z/xviewer.profile
+++ b/etc/profile-m-z/xviewer.profile
@@ -19,9 +19,9 @@ include disable-shell.inc
 include whitelist-var-common.inc
-# apparmor - makes settings immutable
+#apparmor # makes settings immutable
 caps.drop all
-# net none - makes settings immutable
+#net none # makes settings immutable
 no3d
 nodvd
 nogroups
@@ -42,8 +42,8 @@ private-lib
 private-tmp
 # makes settings immutable
-# dbus-user none
+#dbus-user none
-# dbus-system none
+#dbus-system none
 memory-deny-write-execute
 restrict-namespaces
diff --git a/etc/profile-m-z/yelp.profile b/etc/profile-m-z/yelp.profile
index f5dd0c309..f957954dd 100644
--- a/etc/profile-m-z/yelp.profile
+++ b/etc/profile-m-z/yelp.profile
@@ -33,16 +33,14 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
-# machine-id breaks sound - add the next line to your yelp.local if you don't need sound support.
+#machine-id # add this to your yelp.local if you don't need sound support.
-#machine-id
 net none
 nodvd
 nogroups
 noinput
 nonewprivs
 noroot
-# nosound - add the next line to your yelp.local if you don't need sound support.
+#nosound # add this to your yelp.local if you don't need sound support.
-#nosound
 notv
 nou2f
 novideo
diff --git a/etc/profile-m-z/ytmdesktop.profile b/etc/profile-m-z/ytmdesktop.profile
index de07e3ddf..ccf5f1e63 100644
--- a/etc/profile-m-z/ytmdesktop.profile
+++ b/etc/profile-m-z/ytmdesktop.profile
@@ -13,9 +13,9 @@ noblacklist ${HOME}/.config/youtube-music-desktop-app
 mkdir ${HOME}/.config/youtube-music-desktop-app
 whitelist ${HOME}/.config/youtube-music-desktop-app
-# private-bin env,ytmdesktop
+#private-bin env,ytmdesktop
 private-etc @tls-ca,@x11,bumblebee,host.conf,mime.types
-# private-opt
+#private-opt
 # Redirect
 include electron-common.profile
diff --git a/etc/profile-m-z/zeal.profile b/etc/profile-m-z/zeal.profile
index 09a1d37a3..d576dbefd 100644
--- a/etc/profile-m-z/zeal.profile
+++ b/etc/profile-m-z/zeal.profile
@@ -67,5 +67,5 @@ dbus-user.talk org.mozilla.*
 ?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher
 dbus-system none
-# memory-deny-write-execute - breaks on Arch
+#memory-deny-write-execute # breaks on Arch
 restrict-namespaces