2 files changed, 23 insertions, 24 deletions

diff --git a/etc/disable-common.inc b/etc/disable-common.inc
index 1c1b298a9..7a5e8bf5b 100644
--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -181,19 +181,14 @@ read-only ${HOME}/.gem
 read-only ${HOME}/.luarocks
 read-only ${HOME}/.npm-packages
 
-###########################
 # The following block breaks trash functionality in file managers
-##########################
-# Make the contents of ~/.local read-only,
-#  except the commonly-used ~/.local/share,
-#   but including ~/.local/share/applications
 #read-only  ${HOME}/.local
 #read-write ${HOME}/.local/share
 #noexec     ${HOME}/.local/share
-read-only  ${HOME}/.local/share/applications
-blacklist ${HOME}/.local/share/Trash
-
+blacklist   ${HOME}/.local/share/Trash
 
+# Write-protection for desktop entries
+read-only ${HOME}/.local/share/applications
 
 # top secret
 blacklist ${HOME}/.ecryptfs
@@ -296,3 +291,7 @@ blacklist ${PATH}/urxvtcd
 # kernel files
 blacklist /vmlinuz*
 blacklist /initrd*
+
+# complement noexec ${HOME} and noexec /tmp
+noexec ${HOME}/.config/pulse
+noexec /tmp/.X11-unix
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 5bfa06ade..3ff104d26 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -789,7 +789,23 @@ int sandbox(void* sandbox_arg) {
         //****************************
         if (checkcfg(CFG_DISABLE_MNT))
                 fs_mnt();
+        
+        //****************************
+        // nosound/no3d and fix for pulseaudio 7.0
+        //****************************
+        if (arg_nosound) {
+                // disable pulseaudio
+                pulseaudio_disable();
 
+                // disable /dev/snd
+                fs_dev_disable_sound();
+        }
+        else
+                pulseaudio_init();
+        
+        if (arg_no3d)
+                fs_dev_disable_3d();
+        
         //****************************
         // apply the profile file
         //****************************
@@ -809,22 +825,6 @@ int sandbox(void* sandbox_arg) {
         //****************************
         if (arg_trace || arg_tracelog)
                 fs_trace();
-                
-        //****************************
-        // nosound/no3d and fix for pulseaudio 7.0
-        //****************************
-        if (arg_nosound) {
-                // disable pulseaudio
-                pulseaudio_disable();
-
-                // disable /dev/snd
-                fs_dev_disable_sound();
-        }
-        else
-                pulseaudio_init();
-        
-        if (arg_no3d)
-                fs_dev_disable_3d();
         
         //****************************
         // set dns