2 files changed, 10 insertions, 5 deletions

diff --git a/etc/default.profile b/etc/default.profile
index 487e80c64..603321316 100644
--- a/etc/default.profile
+++ b/etc/default.profile
@@ -7,13 +7,16 @@ include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
 netfilter
-nogroups
 nonewprivs
 noroot
 protocol unix,inet,inet6
 seccomp
-shell none
 
+#
+# depending on you usage, you can enable some of the commands below: 
+#
+# nogroups
+# shell none
 # private-bin program
 # private-etc none
 # private-dev
diff --git a/etc/mupdf.profile b/etc/mupdf.profile
index 7116fa1a6..7f9261d8b 100644
--- a/etc/mupdf.profile
+++ b/etc/mupdf.profile
@@ -16,9 +16,6 @@ net none
 shell none
 tracelog
 
-#seccomp.keep access,arch_prctl,brk,clone,close,connect,execve,exit_group,fchmod,fchown,fcntl,fstat,futex,getcwd,getpeername,getrlimit,getsockname,getsockopt,lseek,lstat,mlock,mmap,mprotect,mremap,munmap,nanosleep,open,poll,prctl,read,recvfrom,recvmsg,restart_syscall,rt_sigaction,rt_sigprocmask,select,sendmsg,set_robust_list,set_tid_address,setresgid,setresuid,shmat,shmctl,shmget,shutdown,socket,stat,sysinfo,uname,unshare,wait4,write,writev
-
-private-bin mupdf,sh,tempfile,rm
 private-tmp
 private-dev
 private-etc fonts
@@ -26,3 +23,8 @@ private-etc fonts
 # mupdf will never write anything
 read-only ${HOME}
 
+#
+# Experimental:
+#
+#seccomp.keep access,arch_prctl,brk,clone,close,connect,execve,exit_group,fchmod,fchown,fcntl,fstat,futex,getcwd,getpeername,getrlimit,getsockname,getsockopt,lseek,lstat,mlock,mmap,mprotect,mremap,munmap,nanosleep,open,poll,prctl,read,recvfrom,recvmsg,restart_syscall,rt_sigaction,rt_sigprocmask,select,sendmsg,set_robust_list,set_tid_address,setresgid,setresuid,shmat,shmctl,shmget,shutdown,socket,stat,sysinfo,uname,unshare,wait4,write,writev
+# private-bin mupdf,sh,tempfile,rm