Merge pull request #1270 from SYN-cook/patch-1

completing noexec

1 files changed, 7 insertions, 8 deletions

diff --git a/etc/disable-common.inc b/etc/disable-common.inc
index 1c1b298a9..7a5e8bf5b 100644
--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -181,19 +181,14 @@ read-only ${HOME}/.gem
 read-only ${HOME}/.luarocks
 read-only ${HOME}/.npm-packages
 
-###########################
 # The following block breaks trash functionality in file managers
-##########################
-# Make the contents of ~/.local read-only,
-#  except the commonly-used ~/.local/share,
-#   but including ~/.local/share/applications
 #read-only  ${HOME}/.local
 #read-write ${HOME}/.local/share
 #noexec     ${HOME}/.local/share
-read-only  ${HOME}/.local/share/applications
-blacklist ${HOME}/.local/share/Trash
-
+blacklist   ${HOME}/.local/share/Trash
 
+# Write-protection for desktop entries
+read-only ${HOME}/.local/share/applications
 
 # top secret
 blacklist ${HOME}/.ecryptfs
@@ -296,3 +291,7 @@ blacklist ${PATH}/urxvtcd
 # kernel files
 blacklist /vmlinuz*
 blacklist /initrd*
+
+# complement noexec ${HOME} and noexec /tmp
+noexec ${HOME}/.config/pulse
+noexec /tmp/.X11-unix