33 files changed, 129 insertions, 159 deletions
diff --git a/etc/profile-a-l/archiver-common.profile b/etc/profile-a-l/archiver-common.profile
index 74b0b6ef6..0ab6465ca 100644
--- a/etc/profile-a-l/archiver-common.profile
+++ b/etc/profile-a-l/archiver-common.profile
@@ -6,24 +6,19 @@ include archiver-common.local
 blacklist ${RUNUSER}
-# WARNING: Users can (un)restrict file access for **all** archivers by
+# Comment/uncomment the relevant include file(s) in your archiver-common.local
-# commenting/uncommenting the needed include file(s) here or by putting those
+# to (un)restrict file access for **all** archivers. Another option is to do this **per archiver**
-# into archiver-common.local.
+# in the relevant <archiver>.local. Beware that things tend to break when overtightening
-#
+# profiles. For example, because you only need to (un)compress files in ${DOWNLOADS},
-# Another option is to do this **per archiver** in the relevant
+# other applications may need access to ${HOME}/.local/share.
-# <archiver>.local. Just beware that things tend to break when overtightening
-# profiles. For example, because you only need to (un)compress files in
+# Add the next line to your archiver-common.local if you don't need to compress files in disable-common.inc.
-# ${DOWNLOADS}, other applications may need access to ${HOME}/.local/share.
-# Uncomment the next line (or put it into your archiver-common.local) if you
-# don't need to compress files in disable-common.inc.
 #include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
-# Uncomment the next line (or put it into your archiver-common.local) if you
+# Add the next line to your archiver-common.local if you don't need to compress files in disable-programs.inc.
-# don't need to compress files in disable-programs.inc.
 #include disable-programs.inc
 include disable-shell.inc
diff --git a/etc/profile-a-l/aria2c.profile b/etc/profile-a-l/aria2c.profile
index d2dcaace1..bef708bdc 100644
--- a/etc/profile-a-l/aria2c.profile
+++ b/etc/profile-a-l/aria2c.profile
@@ -40,9 +40,9 @@ seccomp
 shell none
 # disable-mnt
-# Add your custom event hook commands to 'private-bin' in your aria2c.local
+# Add your custom event hook commands to 'private-bin' in your aria2c.local.
 private-bin aria2c,gzip
-# Uncomment the next line (or put 'private-cache' in your aria2c.local) if you don't use Lutris/winetricks (see issue #2772)
+# Add 'private-cache' to your aria2c.local if you don't use Lutris/winetricks (see issue #2772).
 #private-cache
 private-dev
 private-etc alternatives,ca-certificates,crypto-policies,groups,login.defs,machine-id,nsswitch.conf,passwd,pki,resolv.conf,ssl
diff --git a/etc/profile-a-l/bcompare.profile b/etc/profile-a-l/bcompare.profile
index 178e2dc9f..5c93f8be9 100644
--- a/etc/profile-a-l/bcompare.profile
+++ b/etc/profile-a-l/bcompare.profile
@@ -12,37 +12,25 @@ noblacklist ${HOME}/.config/bcompare
 # KDE's Gwenview to view images via right click -> Open With -> Associated Application
 noblacklist ${HOME}/.config/gwenviewrc
-# Uncomment the next line (or put it into your bcompare.local) if you don't need to compare files in disable-common.inc
+# Add the next line to your bcompare.local if you don't need to compare files in disable-common.inc.
 #include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
-# Uncomment the next line (or put it into your bcompare.local) if you don't need to compare files in disable-programs.inc
+# Add the next line to your bcompare.local if you don't need to compare files in disable-programs.inc.
 #include disable-programs.inc
-# Uncommenting this breaks launch
+#include disable-shell.inc - breaks launch
-# include disable-shell.inc
 include disable-write-mnt.inc
-# Don't disable ${DOCUMENTS}, ${MUSIC}, ${PICTURES}, ${VIDEOS}
-# include disable-xdg.inc
-# include whitelist-common.inc
-# include whitelist-runuser-common.inc
-# include whitelist-usr-share-common.inc
-# include whitelist-var-common.inc
 apparmor
 caps.drop all
-# Uncommenting might break Pulse Audio
-#machine-id
 net none
 no3d
 nodvd
 nogroups
 nonewprivs
 noroot
-# Allow applications launched on sound files to play them
-#nosound
 notv
 nou2f
 novideo
@@ -53,9 +41,6 @@ tracelog
 private-cache
 private-dev
-# see /usr/share/doc/firejail/profile.template for more common private-etc paths.
-# private-etc alternatives,fonts,machine-id
-# Necessary because of the `include disable-exec.inc` line. Prevents error "Error fstat: fs.c:504 fs_remount_simple: Transport endpoint is not connected ... cannot sync with peer: unexpected EOF Peer [...] unexpectedly exited with status 1"
 private-tmp
 dbus-user none
diff --git a/etc/profile-a-l/chromium-common-hardened.inc.profile b/etc/profile-a-l/chromium-common-hardened.inc.profile
index 19addd285..e6df50b43 100644
--- a/etc/profile-a-l/chromium-common-hardened.inc.profile
+++ b/etc/profile-a-l/chromium-common-hardened.inc.profile
@@ -6,4 +6,5 @@ caps.drop all
 nonewprivs
 noroot
 protocol unix,inet,inet6,netlink
-seccomp !chroot
+# kcmp is requeired for ozone-platform=wayland, see #3783.
+seccomp !chroot,!kcmp
diff --git a/etc/profile-a-l/chromium-common.profile b/etc/profile-a-l/chromium-common.profile
index 3667c350d..e9bef8df7 100644
--- a/etc/profile-a-l/chromium-common.profile
+++ b/etc/profile-a-l/chromium-common.profile
@@ -30,12 +30,10 @@ include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
-# Uncomment the next line (or add it to your chromium-common.local)
+# Add the next line to your chromium-common.local if your kernel allows unprivileged userns clone.
-# if your kernel allows unprivileged userns clone.
 #include chromium-common-hardened.inc.profile
-# Uncomment or put in your chromium-common.local to allow screen sharing under
+# Add the next line to your chromium-common.local to allow screen sharing under wayland.
-# wayland.
 #whitelist ${RUNUSER}/pipewire-0
 apparmor
@@ -50,12 +48,10 @@ shell none
 disable-mnt
 private-cache
 ?BROWSER_DISABLE_U2F: private-dev
-# problems with multiple browser sessions
+#private-tmp - issues when using multiple browser sessions
-#private-tmp
-# prevents access to passwords saved in GNOME Keyring and KWallet, also breaks Gnome connector
+#dbus-user none - prevents access to passwords saved in GNOME Keyring and KWallet, also breaks Gnome connector.
-# dbus-user none
 dbus-system none
-# the file dialog needs to work without d-bus
+# The file dialog needs to work without d-bus.
 ?HAS_NODBUS: env NO_CHROME_KDE_FILE_DIALOG=1
diff --git a/etc/profile-a-l/claws-mail.profile b/etc/profile-a-l/claws-mail.profile
index b4a8303a2..691657fa0 100644
--- a/etc/profile-a-l/claws-mail.profile
+++ b/etc/profile-a-l/claws-mail.profile
@@ -11,7 +11,7 @@ noblacklist ${HOME}/.claws-mail
 mkdir ${HOME}/.claws-mail
 whitelist ${HOME}/.claws-mail
-# If you use python-based plugins you need to uncomment the below (or put them in your claws-mail.local)
+# Add the below lines to your claws-mail.local if you use python-based plugins.
 # Allow python (blacklisted by disable-interpreters.inc)
 #include allow-python2.inc
 #include allow-python3.inc
@@ -23,7 +23,7 @@ whitelist /usr/share/doc/claws-mail
 dbus-user filter
 dbus-user.talk ca.desrt.dconf
 dbus-user.talk org.gnome.keyring.SystemPrompter
-# if you use the notification plugin you need to uncomment the below (or put them in your claws-mail.local)
+# Add the next line to your claws-mail.local if you use the notification plugin.
 # dbus-user.talk org.freedesktop.Notifications
 # Redirect
diff --git a/etc/profile-a-l/clipgrab.profile b/etc/profile-a-l/clipgrab.profile
index dace5e83e..130d23522 100644
--- a/etc/profile-a-l/clipgrab.profile
+++ b/etc/profile-a-l/clipgrab.profile
@@ -42,6 +42,6 @@ private-cache
 private-dev
 private-tmp
-# Breaks tray icon, uncomment or add to clipgrab.local if you don't need it
+# 'dbus-user none' breaks tray menu - add 'dbus-user none' to your clipgrab.local if you don't need it.
 # dbus-user none
 # dbus-system none
diff --git a/etc/profile-a-l/curl.profile b/etc/profile-a-l/curl.profile
index f8b194044..9366edfa1 100644
--- a/etc/profile-a-l/curl.profile
+++ b/etc/profile-a-l/curl.profile
@@ -9,9 +9,9 @@ include globals.local
 # curl 7.74.0 introduces experimental support for HSTS cache
 # https://daniel.haxx.se/blog/2020/11/03/hsts-your-curl/
-# technically this file can be anywhere but let's assume users have it in ${HOME}/.curl-hsts
+# Technically this file can be anywhere but let's assume users have it in ${HOME}/.curl-hsts.
-# if your setup diverts, add 'blacklist /path/to/curl/hsts/file' to your disable-programs.local
+# If your setup diverts, add 'blacklist /path/to/curl/hsts/file' to your disable-programs.local
-# and 'noblacklist /path/to/curl/hsts/file' to curl.local to keep the sandbox logic intact
+# and 'noblacklist /path/to/curl/hsts/file' to curl.local to keep the sandbox logic intact.
 noblacklist ${HOME}/.curl-hsts
 noblacklist ${HOME}/.curlrc
@@ -22,7 +22,7 @@ include disable-common.inc
 include disable-exec.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
-# depending on workflow you can uncomment the below or put 'include disable-xdg.inc' in your curl.local
+# Depending on workflow you can add 'include disable-xdg.inc' to your curl.local.
 #include disable-xdg.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/dig.profile b/etc/profile-a-l/dig.profile
index 80d97a31f..b99b31df8 100644
--- a/etc/profile-a-l/dig.profile
+++ b/etc/profile-a-l/dig.profile
@@ -21,7 +21,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
-#mkfile ${HOME}/.digrc -- see #903
+#mkfile ${HOME}/.digrc - see #903
 whitelist ${HOME}/.digrc
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
@@ -49,7 +49,7 @@ tracelog
 disable-mnt
 private-bin bash,dig,sh
 private-dev
-# Uncomment the next line (or put 'private-lib' in your dig.local) on non Debian/Ubuntu OS (see issue #3038)
+# Add the next line to your dig.local on non Debian/Ubuntu OS (see issue #3038).
 #private-lib
 private-tmp
diff --git a/etc/profile-a-l/dolphin-emu.profile b/etc/profile-a-l/dolphin-emu.profile
index fc920a065..49feec32e 100644
--- a/etc/profile-a-l/dolphin-emu.profile
+++ b/etc/profile-a-l/dolphin-emu.profile
@@ -6,7 +6,7 @@ include dolphin-emu.local
 # Persistent global definitions
 include globals.local
-# Note: you must whitelist your games folder in a dolphin-emu.local
+# Note: you must whitelist your games folder in your dolphin-emu.local.
 noblacklist ${HOME}/.cache/dolphin-emu
 noblacklist ${HOME}/.config/dolphin-emu
@@ -36,10 +36,10 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 ipc-namespace
-# uncomment the following line if you do not need NetPlay support
+# Add the next line to your dolphin-emu.local if you do not need NetPlay support.
 # net none
 netfilter
-# uncomment the following line if you do not need disc support
+# Add the next line to your dolphin-emu.local if you do not need disc support.
 #nodvd
 nogroups
 nonewprivs
@@ -54,7 +54,7 @@ tracelog
 private-bin bash,dolphin-emu,dolphin-emu-x11,sh
 private-cache
-# uncomment the following line if you do not need controller support
+# Add the next line to your dolphin-emu.local if you do not need controller support.
 #private-dev
 private-etc alsa,alternatives,asound.conf,bumblebee,ca-certificates,crypto-policies,dconf,drirc,fonts,gconf,glvnd,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,kde4rc,kde5rc,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,nvidia,pango,pki,protocols,pulse,resolv.conf,rpc,services,ssl,Trolltech.conf,X11,xdg
 private-opt none
diff --git a/etc/profile-a-l/electron.profile b/etc/profile-a-l/electron.profile
index 79b449ab1..8785a192c 100644
--- a/etc/profile-a-l/electron.profile
+++ b/etc/profile-a-l/electron.profile
@@ -18,8 +18,7 @@ include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
-# Uncomment the next line (or add it to your chromium-common.local)
+# Add the next line to your chromium-common.local if your kernel allows unprivileged userns clone.
-# if your kernel allows unprivileged userns clone.
 #include chromium-common-hardened.inc.profile
 apparmor
diff --git a/etc/profile-a-l/emacs.profile b/etc/profile-a-l/emacs.profile
index 226237b5b..55bf743ef 100644
--- a/etc/profile-a-l/emacs.profile
+++ b/etc/profile-a-l/emacs.profile
@@ -8,8 +8,7 @@ include globals.local
 noblacklist ${HOME}/.emacs
 noblacklist ${HOME}/.emacs.d
-# if you need gpg uncomment the following line
+# Add the next line to your emacs.local if you need gpg support.
-# or put it into your emacs.local
 #noblacklist ${HOME}/.gnupg
 # Allows files commonly used by IDEs
diff --git a/etc/profile-a-l/evince.profile b/etc/profile-a-l/evince.profile
index 25d5196fc..eeccb81be 100644
--- a/etc/profile-a-l/evince.profile
+++ b/etc/profile-a-l/evince.profile
@@ -6,8 +6,8 @@ include evince.local
 # Persistent global definitions
 include globals.local
-# Uncomment this line and the bottom ones to use bookmarks
+# WARNING: using bookmarks possibly exposes information, including file history from other programs.
-# NOTE: This possibly exposes information, including file history from other programs.
+# Add the next line to your evince.local if you need bookmarks support. This also needs additional dbus-user filtering (see below).
 #noblacklist ${HOME}/.local/share/gvfs-metadata
 noblacklist ${HOME}/.config/evince
@@ -57,9 +57,9 @@ private-etc alternatives,fonts,group,ld.so.cache,machine-id,passwd
 private-lib evince,gcc/*/*/libgcc_s.so.*,gcc/*/*/libstdc++.so.*,gconv,gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libdjvulibre.so.*,libgconf-2.so.*,libgraphite2.so.*,libpoppler-glib.so.*,librsvg-2.so.*,libspectre.so.*
 private-tmp
-# might break two-page-view on some systems
+# dbus-user filtering might break two-page-view on some systems
 dbus-user filter
-# Also uncomment these two lines if you want to use bookmarks
+# Add the next two lines to your evince.local if you need bookmarks support.
 #dbus-user.talk org.gtk.vfs.Daemon
 #dbus-user.talk org.gtk.vfs.Metadata
 dbus-system none
diff --git a/etc/profile-a-l/exiftool.profile b/etc/profile-a-l/exiftool.profile
index 30135d4bc..b6741d701 100644
--- a/etc/profile-a-l/exiftool.profile
+++ b/etc/profile-a-l/exiftool.profile
@@ -42,8 +42,9 @@ shell none
 tracelog
 x11 none
-# To support exiftool in private-bin on Arch Linux (and derivatives), symlink /usr/bin/vendor_perl/exiftool to /usr/bin/exiftool and uncomment the below.
+# To support exiftool in private-bin on Arch Linux (and derivatives), symlink /usr/bin/vendor_perl/exiftool
-# Users on non-Arch Linux distributions can safely uncomment (or put in exiftool.local) the line below to enable extra hardening.
+# to /usr/bin/exiftool and add the below to your exiftool.local.
+# Non-Arch Linux users can safely add the below to their exiftool.local for extra hardening.
 #private-bin exiftool,perl
 private-cache
 private-dev
diff --git a/etc/profile-a-l/feh.profile b/etc/profile-a-l/feh.profile
index 4d6a0c33a..68ce0da61 100644
--- a/etc/profile-a-l/feh.profile
+++ b/etc/profile-a-l/feh.profile
@@ -15,10 +15,8 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
-# This profile disables network access
+# Add the next line to your feh.local to enable network access.
-# In order to enable network access,
+#include feh-network.inc.profile
-# uncomment the following or put it in your feh.local:
-# include feh-network.inc.profile
 caps.drop all
 net none
diff --git a/etc/profile-a-l/firefox-common.profile b/etc/profile-a-l/firefox-common.profile
index a955722c8..b0ead7590 100644
--- a/etc/profile-a-l/firefox-common.profile
+++ b/etc/profile-a-l/firefox-common.profile
@@ -9,7 +9,7 @@ include firefox-common.local
 # noexec ${HOME} breaks DRM binaries.
 ?BROWSER_ALLOW_DRM: ignore noexec ${HOME}
-# Uncomment the following line (or put it in your firefox-common.local) to allow access to common programs/addons/plugins.
+# Add the next line to your firefox-common.local to allow access to common programs/addons/plugins.
 #include firefox-common-addons.profile
 noblacklist ${HOME}/.pki
@@ -32,7 +32,7 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
-# machine-id breaks pulse audio; it should work fine in setups where sound is not required.
+# machine-id breaks pulse audio; add it to your firefox-common.local if sound is not required.
 #machine-id
 netfilter
 nodvd
@@ -52,10 +52,11 @@ shell none
 disable-mnt
 ?BROWSER_DISABLE_U2F: private-dev
 # private-etc below works fine on most distributions. There are some problems on CentOS.
+# Add it to your firefox-common.local if you want to enable it.
 #private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,group,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,machine-id,mailcap,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
 private-tmp
-# breaks various desktop integration features
+# 'dbus-user none' breaks various desktop integration features like global menus, native notifications,
-# among other things global menus, native notifications, Gnome connector, KDE connect and power management on KDE Plasma
+# Gnome connector, KDE connect and power management on KDE Plasma.
 dbus-user none
 dbus-system none
diff --git a/etc/profile-a-l/firefox.profile b/etc/profile-a-l/firefox.profile
index 68dd350ca..cefba93d4 100644
--- a/etc/profile-a-l/firefox.profile
+++ b/etc/profile-a-l/firefox.profile
@@ -14,8 +14,8 @@ mkdir ${HOME}/.mozilla
 whitelist ${HOME}/.cache/mozilla/firefox
 whitelist ${HOME}/.mozilla
-# Uncomment or put in your firefox.local one of the following whitelist to enable KeePassXC Plugin
+# Add one of the following whitelist options to your firefox.local to enable KeePassXC Plugin support.
-# NOTE: start KeePassXC before Firefox and keep it open to allow communication between them
+# NOTE: start KeePassXC before Firefox and keep it open to allow communication between them.
 #whitelist ${RUNUSER}/kpxc_server
 #whitelist ${RUNUSER}/org.keepassxc.KeePassXC.BrowserServer
@@ -27,31 +27,30 @@ whitelist /usr/share/mozilla
 whitelist /usr/share/webext
 include whitelist-usr-share-common.inc
-# firefox requires a shell to launch on Arch.
+# firefox requires a shell to launch on Arch - add the next line to your firefox.local to enable private-bin.
 #private-bin bash,dbus-launch,dbus-send,env,firefox,sh,which
-# Fedora use shell scripts to launch firefox, at least this is required
+# Fedora uses shell scripts to launch firefox - add the next line to your firefox.local to enable private-bin.
 #private-bin basename,bash,cat,dirname,expr,false,firefox,firefox-wayland,getenforce,ln,mkdir,pidof,restorecon,rm,rmdir,sed,sh,tclsh,true,uname
-# private-etc must first be enabled in firefox-common.profile
+# Add the next line to your firefox.local to enable private-etc support - note that this must be enabled in your firefox-common.local too.
 #private-etc firefox
 dbus-user filter
 dbus-user.own org.mozilla.Firefox.*
 dbus-user.own org.mozilla.firefox.*
 dbus-user.own org.mpris.MediaPlayer2.firefox.*
-# Uncomment or put in your firefox.local to enable native notifications.
+# Add the next line to your firefox.local to enable native notifications.
 #dbus-user.talk org.freedesktop.Notifications
-# Uncomment or put in your firefox.local to allow to inhibit screensavers
+# Add the next line to your firefox.local to allow inhibiting screensavers.
 #dbus-user.talk org.freedesktop.ScreenSaver
-# Uncomment or put in your firefox.local for plasma browser integration
+# Add the next lines to your firefox.local for plasma browser integration.
 #dbus-user.own org.mpris.MediaPlayer2.plasma-browser-integration
 #dbus-user.talk org.kde.JobViewServer
 #dbus-user.talk org.kde.kuiserver
-# Uncomment or put in your firefox.local to allow screen sharing under wayland.
+# Add the next two lines to your firefox.local to allow screen sharing under wayland.
 #whitelist ${RUNUSER}/pipewire-0
 #dbus-user.talk org.freedesktop.portal.*
-# Also uncomment or put in your firefox.local if screen sharing sharing still
+# Add the next line to your firefox.local if screen sharing sharing still does not work
-# does not work with the above lines (might depend on the portal
+# with the above lines (might depend on the portal implementation).
-# implementation)
 #ignore noroot
 ignore dbus-user none
diff --git a/etc/profile-a-l/gajim.profile b/etc/profile-a-l/gajim.profile
index 125ddf79c..e2da1747e 100644
--- a/etc/profile-a-l/gajim.profile
+++ b/etc/profile-a-l/gajim.profile
@@ -21,7 +21,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
-# Comment the following line if you need to whitelist folders other than ~/Downloads
+# Add 'ignore include disable-xdg.inc' to your gajim.local if you need to whitelist folders other than ~/Downloads.
 include disable-xdg.inc
 mkdir ${HOME}/.gnupg
@@ -73,7 +73,7 @@ dbus-user.talk org.kde.kwalletd5
 dbus-user.talk org.mpris.MediaPlayer2.*
 dbus-system filter
 dbus-system.talk org.freedesktop.login1
-# Uncomment for location plugin support
+# Add the next line to your gajim.local to enable location plugin support.
 #dbus-system.talk org.freedesktop.GeoClue2
 join-or-start gajim
diff --git a/etc/profile-a-l/gapplication.profile b/etc/profile-a-l/gapplication.profile
index e339f6abb..5e1b024fe 100644
--- a/etc/profile-a-l/gapplication.profile
+++ b/etc/profile-a-l/gapplication.profile
@@ -51,8 +51,8 @@ private-dev
 private-etc none
 private-tmp
-# Uncomment (or add to your gapplcation.local) the next line to filter D-Bus names.
+# Add the next line to your gapplication.local to filter D-Bus names.
-# You might need to add additional dbus-user.talk rules. see 'gapplication list-apps'.
+# You might need to add additional dbus-user.talk rules (see 'gapplication list-apps').
 #dbus-user filter
 dbus-user.talk org.gnome.Boxes
 dbus-user.talk org.gnome.Builder
diff --git a/etc/profile-a-l/gedit.profile b/etc/profile-a-l/gedit.profile
index 30251fbe5..d61bea6c4 100644
--- a/etc/profile-a-l/gedit.profile
+++ b/etc/profile-a-l/gedit.profile
@@ -43,7 +43,7 @@ tracelog
 # private-bin gedit
 private-dev
-# private-lib breaks python plugins, uncomment or add to your gedit.local if you don't use them.
+# private-lib breaks python plugins - add the next line to your gedit.local if you don't use them.
 #private-lib aspell,gconv,gedit,libgspell-1.so.*,libgtksourceview-*,libpeas-gtk-1.0.so.*,libreadline.so.*,libtinfo.so.*
 private-tmp
diff --git a/etc/profile-a-l/gimp.profile b/etc/profile-a-l/gimp.profile
index bc5ef966c..e26fadca2 100644
--- a/etc/profile-a-l/gimp.profile
+++ b/etc/profile-a-l/gimp.profile
@@ -6,7 +6,7 @@ include gimp.local
 # Persistent global definitions
 include globals.local
-# Uncomment or add to gimp.local in order to support scanning via xsane (see #3640).
+# Add the next lines to your gimp.local in order to support scanning via xsane (see #3640).
 # TODO: Replace 'ignore seccomp' with a less permissive option.
 #ignore seccomp
 #ignore dbus-system
@@ -15,8 +15,7 @@ include globals.local
 # gimp plugins are installed by the user in ${HOME}/.gimp-2.8/plug-ins/ directory
-# if you are not using external plugins, you can comment 'ignore noexec' statement below
+# If you are not using external plugins, you can add 'noexec ${HOME}' to your gimp.local.
-# or put 'noexec ${HOME}' in your gimp.local
 ignore noexec ${HOME}
 noblacklist ${HOME}/.cache/babl
diff --git a/etc/profile-a-l/git-cola.profile b/etc/profile-a-l/git-cola.profile
index 312655b9b..7894e4d8d 100644
--- a/etc/profile-a-l/git-cola.profile
+++ b/etc/profile-a-l/git-cola.profile
@@ -14,8 +14,8 @@ noblacklist ${HOME}/.gnupg
 noblacklist ${HOME}/.subversion
 noblacklist ${HOME}/.config/git
 noblacklist ${HOME}/.config/git-cola
-# Put your editor,diff viewer config path below and uncomment to load settings
+# Add your editor/diff viewer config paths and the next line to your git-cola.local to load settings.
-# noblacklist ${HOME}/
+#noblacklist ${HOME}/
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
@@ -34,7 +34,7 @@ include disable-xdg.inc
 whitelist ${RUNUSER}/gnupg
 whitelist ${RUNUSER}/keyring
-# Whitelist your editor, diff viewer, gnupg path below in /usr/share/
+# Add additional whitelist paths below /usr/share to your git-cola.local to support your editor/diff viewer.
 whitelist /usr/share/git
 whitelist /usr/share/git-cola
 whitelist /usr/share/git-core
@@ -65,8 +65,8 @@ seccomp
 shell none
 tracelog
-# Add your own diff viewer,editor,pinentry program
+# Add your own diff viewer,editor,pinentry program to private-bin in your git-cola.local.
-# pinentry-curses,pinentry-emacs,pinentry-fltk,pinentry-gnome3,pinentry-gtk,pinentry-gtk2,pinentry-gtk-2,pinentry-qt,pinentry-qt4,pinentry-tty,pinentry-x2go,pinentry-kwallet" for gpg
+#private-bin pinentry-curses,pinentry-emacs,pinentry-fltk,pinentry-gnome3,pinentry-gtk,pinentry-gtk2,pinentry-gtk-2,pinentry-qt,pinentry-qt4,pinentry-tty,pinentry-x2go,pinentry-kwallet" for gpg
 private-bin basename,bash,cola,envsubst,gettext,git,git-cola,git-dag,git-gui,gitk,gpg,gpg-agent,nano,ps,python*,sh,ssh,ssh-agent,tclsh,tr,wc,which,xed
 private-cache
 private-dev
@@ -74,13 +74,14 @@ private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,gitc
 private-tmp
 writable-run-user
-# Breaks meld as diff viewer
+# dbus-user filtering breaks meld as diff viewer
-# dbus-user filter
+# Add the next line to your git-cola.local if you don't use meld.
-# Uncomment if you need keyring access
+#dbus-user filter
-# dbus-user.talk org.freedesktop.secrets
+# Add the next line to your git-cola.local if you need keyring access
+#dbus-user.talk org.freedesktop.secrets
 dbus-system none
 read-only ${HOME}/.git-credentials
-# Comment if you need to allow hosts
+# Add 'ignore read-only ${HOME}/.ssh' to your git-cola.local if you need to allow hosts.
 read-only ${HOME}/.ssh
diff --git a/etc/profile-a-l/gitg.profile b/etc/profile-a-l/gitg.profile
index 93b90eb9e..7b6820a81 100644
--- a/etc/profile-a-l/gitg.profile
+++ b/etc/profile-a-l/gitg.profile
@@ -59,6 +59,6 @@ private-tmp
 dbus-user filter
 dbus-user.own org.gnome.gitg
 dbus-user.talk ca.desrt.dconf
-# Uncomment (or put in your gitg.local) if you need keyring access.
+# Add the next line to your gitg.local if you need keyring access.
 #dbus-user.talk org.freedesktop.secrets
 dbus-system none
diff --git a/etc/profile-a-l/gnome-characters.profile b/etc/profile-a-l/gnome-characters.profile
index 4d53a67dd..048fad65c 100644
--- a/etc/profile-a-l/gnome-characters.profile
+++ b/etc/profile-a-l/gnome-characters.profile
@@ -44,8 +44,7 @@ shell none
 tracelog
 disable-mnt
-# Uncomment the next line (or add it to your gnome-characters.local)
+# Add the next line to your gnome-characters.local if you don't need access to recently used chars.
-# if you don't need recently used chars
 #private
 private-bin gjs,gnome-characters
 private-cache
@@ -53,8 +52,7 @@ private-dev
 private-etc alternatives,dconf,fonts,gconf,gtk-2.0,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mime.types,pango,X11,xdg
 private-tmp
-# Uncomment the next lines (or add it to your gnome-characters.local)
+# Add the next lines to your gnome-characters.local if you don't need access to recently used chars.
-# if you don't need recently used chars
 # dbus-user none
 # dbus-system none
diff --git a/etc/profile-a-l/google-earth-pro.profile b/etc/profile-a-l/google-earth-pro.profile
index 1240dc3b7..249ae187d 100644
--- a/etc/profile-a-l/google-earth-pro.profile
+++ b/etc/profile-a-l/google-earth-pro.profile
@@ -22,8 +22,7 @@ include google-earth-pro.local
 #[[ -e "$_lock_icon_cache" ]] && rm -f "${_lock_icon_cache:?}"
 # <--- end of snippet --->
-# If you see errors about missing commands, uncomment the below or put 'ignore private-bin' into your google-earth-pro.local
+# If you see errors about missing commands, add 'ignore private-bin' to your google-earth-pro.local.
-#ignore private-bin
 private-bin google-earth-pro,googleearth,googleearth-bin,gpsbabel,readlink,repair_tool,rm,which,xdg-mime,xdg-settings
 # Redirect
diff --git a/etc/profile-a-l/hasher-common.profile b/etc/profile-a-l/hasher-common.profile
index 2f684349d..1633cc3ee 100644
--- a/etc/profile-a-l/hasher-common.profile
+++ b/etc/profile-a-l/hasher-common.profile
@@ -6,24 +6,23 @@ include hasher-common.local
 blacklist ${RUNUSER}
-# WARNING:
+# Comment/uncomment the relevant include file(s) in your hasher-common.local
-# Users can (un)restrict file access for **all** hashers by commenting/uncommenting the needed
+# to (un)restrict file access for **all** hashers. Another option is to do this **per hasher**
-# include file(s) here or by putting those into hasher-common.local.
+# in the relevant <hasher>.local. Beware that things tend to break when overtightening
-# Another option is to do this **per hasher** in the relevant <hasher>.local.
+# profiles. For example, because you only need to hash/check files in ${DOWNLOADS},
-# Just beware that things tend to break when overtightening profiles. For example, because you only
+# other applications may need access to ${HOME}/.local/share.
-# need to hash/check files in ${DOWNLOADS}, other applications may need access to ${HOME}/.local/share.
+# Add the next line to your hasher-common.local if you don't need to hash files in disable-common.inc.
-# Uncomment the next line (or put it into your hasher-common.local) if you don't need to hash files in disable-common.inc.
 #include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
-# Uncomment the next line (or put it into your hasher-common.local) if you don't need to hash files in disable-programs.inc.
+# Add the next line to your hasher-common.local if you don't need to hash files in disable-programs.inc.
 #include disable-programs.inc
 include disable-shell.inc
 include disable-write-mnt.inc
-# Uncomment the next line (or put it into your hasher-common.local) if you don't need to hash files in disable-xdg.inc.
+# Add the next line to your hasher-common.local if you don't need to hash files in disable-xdg.inc.
 #include disable-xdg.inc
 apparmor
@@ -47,10 +46,10 @@ shell none
 tracelog
 x11 none
-# Uncomment the next line (or put it into your hasher-common.local) if you don't need to hash files in /tmp.
+# Add the next line to your hasher-common.local if you don't need to hash files in ~/.cache.
 #private-cache
 private-dev
-# Uncomment the next line (or put it into your hasher-common.local) if you don't need to hash files in /tmp.
+# Add the next line to your hasher-common.local if you don't need to hash files in /tmp.
 #private-tmp
 dbus-user none
diff --git a/etc/profile-a-l/i2prouter.profile b/etc/profile-a-l/i2prouter.profile
index 9ffdb9e9b..d95d53b7a 100644
--- a/etc/profile-a-l/i2prouter.profile
+++ b/etc/profile-a-l/i2prouter.profile
@@ -9,16 +9,16 @@ include globals.local
 # Notice: default browser will most likely not be able to automatically open, due to sandbox.
 # Auto-opening default browser can be disabled in the I2P router console.
 # This profile will not currently work with any Arch User Repository I2P packages,
-# use the distro-independent official I2P java installer instead
+# use the distro-independent official I2P java installer instead.
-# Only needed if i2prouter binary is in home directory, official I2P java installer does this
+# Only needed when i2prouter binary resides in home directory (official I2P java installer does so).
 ignore noexec ${HOME}
 noblacklist ${HOME}/.config/i2p
 noblacklist ${HOME}/.i2p
 noblacklist ${HOME}/.local/share/i2p
 noblacklist ${HOME}/i2p
-# Only needed if wrapper is placed in /usr/sbin/, ubuntu official I2P ppa package does this
+# Only needed when wrapper resides in /usr/sbin/ (Ubuntu official I2P PPA package does so).
 noblacklist /usr/sbin
 # Allow java (blacklisted by disable-devel.inc)
@@ -40,13 +40,14 @@ whitelist ${HOME}/.config/i2p
 whitelist ${HOME}/.i2p
 whitelist ${HOME}/.local/share/i2p
 whitelist ${HOME}/i2p
-# Only needed if wrapper is placed in /usr/sbin/, ubuntu official I2P ppa package does this
+# Only needed when wrapper resides in /usr/sbin/ (Ubuntu official I2P PPA package does so).
 whitelist /usr/sbin/wrapper*
 include whitelist-common.inc
-# May break I2P if wrapper is placed in the home directory; official I2P java installer does this
+# May break I2P if wrapper resides in the home directory (official I2P java installer does so).
-# If using ubuntu official I2P ppa, this should be fine to uncomment, as it puts wrapper in /usr/sbin/
+# When using the Ubuntu official I2P PPA it should be fine to add 'apparmor' to your i2prouter.local,
+# as it places the wrapper in /usr/sbin/
 #apparmor
 caps.drop all
 ipc-namespace
diff --git a/etc/profile-a-l/kdiff3.profile b/etc/profile-a-l/kdiff3.profile
index 5786a4687..eb1e219ab 100644
--- a/etc/profile-a-l/kdiff3.profile
+++ b/etc/profile-a-l/kdiff3.profile
@@ -9,8 +9,8 @@ include globals.local
 noblacklist ${HOME}/.config/kdiff3fileitemactionrc
 noblacklist ${HOME}/.config/kdiff3rc
-# Uncomment the next line (or put it into your kdiff3.local) if you don't need to compare files in disable-common.inc.
+# Add the next line to your kdiff3.local if you don't need to compare files in disable-common.inc.
-# by default we deny access only to .ssh and .gnupg
+# By default we deny access only to .ssh and .gnupg.
 #include disable-common.inc
 blacklist ${HOME}/.ssh
 blacklist ${HOME}/.gnupg
@@ -19,15 +19,15 @@ include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
-# Uncomment the next line (or put it into your kdiff3.local) if you don't need to compare files in disable-programs.inc.
+# Add the next line to your kdiff3.local if you don't need to compare files in disable-programs.inc.
 #include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 include whitelist-runuser-common.inc
-# Uncomment the next lines (or put it into your kdiff3.local) if you don't need to compare files in /usr/share.
+# Add the next line to your kdiff3.local if you don't need to compare files in /usr/share.
 #include whitelist-usr-share-common.inc
-# Uncomment the next line (or put it into your kdiff3.local) if you don't need to compare files in /var.
+# Add the next line to your kdiff3.local if you don't need to compare files in /var.
 #include whitelist-var-common.inc
 apparmor
diff --git a/etc/profile-a-l/keepassxc.profile b/etc/profile-a-l/keepassxc.profile
index 3ad779a12..11c279911 100644
--- a/etc/profile-a-l/keepassxc.profile
+++ b/etc/profile-a-l/keepassxc.profile
@@ -30,11 +30,11 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
-# You can enable whitelisting for keepassxc by uncommenting (or adding to you keepassxc.local) the following lines.
+# You can enable whitelisting for keepassxc by adding the below to your keepassxc.local.
-# If you do so, you MUST store your database under ${HOME}/Documents/KeePassXC/foo.kdbx
+# If you do, you MUST store your database under ${HOME}/Documents/KeePassXC/foo.kdbx.
 #mkdir ${HOME}/Documents/KeePassXC
 #whitelist ${HOME}/Documents/KeePassXC
-# Needed for KeePassXC-Browser
+# Needed for KeePassXC-Browser.
 #mkfile ${HOME}/.config/BraveSoftware/Brave-Browser/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json
 #whitelist ${HOME}/.config/BraveSoftware/Brave-Browser/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json
 #mkfile ${HOME}/.config/chromium/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json
@@ -89,12 +89,12 @@ dbus-user.talk org.freedesktop.login1.Session
 dbus-user.talk org.gnome.ScreenSaver
 dbus-user.talk org.gnome.SessionManager
 dbus-user.talk org.gnome.SessionManager.Presence
-# Uncomment or add to your keepassxc.local to allow Notifications.
+# Add the next line to your keepassxc.local to allow notifications.
 #dbus-user.talk org.freedesktop.Notifications
-# Uncomment or add to your keepassxc.local to allow Tray.
+# Add the next line to your keepassxc.local to allow the tray menu.
 #dbus-user.talk org.kde.StatusNotifierWatcher
 #dbus-user.own org.kde.*
 dbus-system none
-# Mutex is stored in /tmp by default, which is broken by private-tmp
+# Mutex is stored in /tmp by default, which is broken by private-tmp.
 join-or-start keepassxc
diff --git a/etc/profile-a-l/librewolf.profile b/etc/profile-a-l/librewolf.profile
index 5208cb979..8e891a930 100644
--- a/etc/profile-a-l/librewolf.profile
+++ b/etc/profile-a-l/librewolf.profile
@@ -14,14 +14,15 @@ mkdir ${HOME}/.librewolf
 whitelist ${HOME}/.cache/librewolf
 whitelist ${HOME}/.librewolf
-# Uncomment (or add to librewolf.local) the following lines if you want to
+# Add the next lines to your librewolf.local if you want to use the migration wizard.
-# use the migration wizard.
 #noblacklist ${HOME}/.mozilla
 #whitelist ${HOME}/.mozilla
 # librewolf requires a shell to launch on Arch. We can possibly remove sh though.
+# Add the next line to your librewolf.local to enable private-bin.
 #private-bin bash,dbus-launch,dbus-send,env,librewolf,python*,sh,which
-# private-etc must first be enabled in firefox-common.profile
+# Add the next line to your librewolf.local to enable private-etc. Note
+# that private-etc must first be enabled in firefox-common.local.
 #private-etc librewolf
 # Redirect
diff --git a/etc/profile-a-l/liferea.profile b/etc/profile-a-l/liferea.profile
index a122e9bbc..1b10f0934 100644
--- a/etc/profile-a-l/liferea.profile
+++ b/etc/profile-a-l/liferea.profile
@@ -55,8 +55,8 @@ private-tmp
 dbus-user filter
 dbus-user.own net.sourceforge.liferea
 dbus-user.talk ca.desrt.dconf
-# Uncomment the below if you use the 'Popup Notifications' plugin or add 'dbus-user.talk org.freedesktop.Notifications' to your liferea.local
+# Add the next line to your liferea.local if you use the 'Popup Notifications' plugin.
 #dbus-user.talk org.freedesktop.Notifications
-# Uncomment the below if you use the 'Libsecret Support' plugin or add 'dbus-user.talk org.freedesktop.secrets' to your liferea.local
+# Add the next line to your liferea.local if you use the 'Libsecret Support' plugin.
 #dbus-user.talk org.freedesktop.secrets
 dbus-system none
diff --git a/etc/profile-a-l/links.profile b/etc/profile-a-l/links.profile
index ccc77f274..272bc4f3a 100644
--- a/etc/profile-a-l/links.profile
+++ b/etc/profile-a-l/links.profile
@@ -17,8 +17,8 @@ include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
-# you may want to noblacklist files/directories blacklisted in
+# Additional noblacklist files/directories (blacklisted in disable-programs.inc)
-# disable-programs.inc and used as associated programs
+# used as associated programs can be added in your links.local.
 include disable-programs.inc
 include disable-xdg.inc
@@ -30,19 +30,19 @@ include whitelist-var-common.inc
 caps.drop all
 ipc-namespace
-# comment machine-id (or put 'ignore machine-id' in your links.local) if you want
+# Add 'ignore machine-id' to your links.local if you want to restrict access to
-# to allow access only to user-configured associated media player
+# the user-configured associated media player.
 machine-id
 netfilter
-# comment no3d (or put 'ignore no3d' in your links.local) if you want
+# Add 'ignore no3d' to your links.local if you want to restrict access to
-# to allow access only to user-configured associated media player
+# the user-configured associated media player.
 no3d
 nodvd
 nogroups
 nonewprivs
 noroot
-# comment nosound (or put 'ignore nosound' in your links.local) if you want
+# Add 'ignore nosound' to your links.local if you want to restrict access to
-# to allow access only to user-configured associated media player
+# the user-configured associated media player.
 nosound
 notv
 nou2f
@@ -53,14 +53,12 @@ shell none
 tracelog
 disable-mnt
-# if you want to use user-configured programs add 'private-bin PROGRAM1,PROGRAM2' to your links.local
+# Add  'private-bin PROGRAM1,PROGRAM2' to your links.local  if you want to use user-configured programs.
-# or append 'PROGRAM1,PROGRAM2' to this private-bin line
 private-bin links,sh
 private-cache
 private-dev
 private-etc alternatives,ca-certificates,crypto-policies,nsswitch.conf,pki,resolv.conf,ssl
-# Uncomment the following line (or put it in your links.local) allow external
+# Add the next line to your links.local to allow external media players.
-# media players
 # private-etc alsa,asound.conf,machine-id,openal,pulse
 private-tmp
diff --git a/etc/profile-a-l/lutris.profile b/etc/profile-a-l/lutris.profile
index 5d05631ec..d750e5fcd 100644
--- a/etc/profile-a-l/lutris.profile
+++ b/etc/profile-a-l/lutris.profile
@@ -66,8 +66,8 @@ protocol unix,inet,inet6,netlink
 seccomp
 shell none
-# uncomment the following line if you do not need controller support
+# Add the next line to your lutris.local if you do not need controller support.
-# private-dev
+#private-dev
 private-tmp
 dbus-user none