From 4747e0ed7f1d9e39974a1c5a5900db47ab1423aa Mon Sep 17 00:00:00 2001
From: rusty-snake <41237666+rusty-snake@users.noreply.github.com>
Date: Tue, 31 Mar 2020 16:51:02 +0000
Subject: Whitelist runuser common (#3286)

* introduce whitelist-runuser-common.inc

 * If an applications does not need a whitelist it can/should be
   nowhitelisted. Example:

     nowhitelist ${RUNUSER}/pulse
     include whitelist-runuser-common.inc

 * ${RUNUSER}/bus is inaccessible with nodbus regardless of the
   whitelist. (as it should)

 * strange wayland setups with an second wayland-compostior need to
   whitelist ${RUNUSER}/wayland-1, ${RUNUSER}/wayland-2 and so on.

 * some display-manager store there Xauthority file in ${RUNUSER}.
   test results with fedora 31:
   - ssdm: ~/.Xauthority is used
   - lightdm: /run/lightdm/USER/Xauthority
   - gdm: /run/user/UID/gdm/Xauthority

 * IMPORTANT: ATM we can only enable this for non-graphical and GTK3
   programs because mutter (GNOMEs window-manger) stores the Xauthority
   file for Xwayland under /run/user/UID/.mutter-Xwaylandauth.XXXXXX
   where XXXXXX is random. Until we have whitelist globbing we can't
   whitelist this file. QT/KDE and other toolkits without full wayland
   support won't be able to start.

* wru update 1

- add wru to more profiles.
- blacklist ${RUNUSER} works for the most cli programs too.

* add wruc to more profiles

* fixes

* fixes

* wruc: hide pulse pid

* update

* remove wruc from all the x11 profiles

* fixes

* fix ordering

* read-only

* revert read-only

* update

*
---
 etc/gjs.profile | 1 +
 1 file changed, 1 insertion(+)

(limited to 'etc/gjs.profile')

diff --git a/etc/gjs.profile b/etc/gjs.profile
index 85dd57f29..9c8848b8a 100644
--- a/etc/gjs.profile
+++ b/etc/gjs.profile
@@ -22,6 +22,7 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
-- 
cgit v1.2.3-54-g00ecf