From 2dc957d1c576cc335218d143622780837eeccce0 Mon Sep 17 00:00:00 2001 From: "Kelvin M. Klann" Date: Wed, 23 Mar 2022 12:31:05 -0300 Subject: disable-common.inc: make ~/Applications dir read-only This directory is monitored by both appimaged[1] and AppImageLauncher[2]. Also, when opening an AppImage with AppImageLauncher, it may prompt the user to move the AppImage to ~/Applications. [1] https://github.com/AppImage/appimaged/blob/2323f1825ed6abe19f2d3791d81307449692be03/README.md#monitored-directories [2] https://github.com/TheAssassin/AppImageLauncher/wiki/Configuration --- etc/inc/disable-common.inc | 3 +++ 1 file changed, 3 insertions(+) (limited to 'etc/inc') diff --git a/etc/inc/disable-common.inc b/etc/inc/disable-common.inc index 080a7f3a1..a2f4ebf2a 100644 --- a/etc/inc/disable-common.inc +++ b/etc/inc/disable-common.inc @@ -370,6 +370,9 @@ read-only ${HOME}/.nvm read-only ${HOME}/.rustup read-only ${HOME}/bin +# Write-protection for portable apps +read-only ${HOME}/Applications # used for storing AppImages + # Write-protection for desktop entries read-only ${HOME}/.config/menus read-only ${HOME}/.gnome/apps -- cgit v1.2.3-70-g09d2 From d1336c9927d7f88fc939c2b7a319655cdd898240 Mon Sep 17 00:00:00 2001 From: "Kelvin M. Klann" Date: Thu, 24 Mar 2022 14:47:17 -0300 Subject: disable-programs.inc: blacklist ~/Applications dir It is used for storing AppImages. Note that even when blacklisting a directory, it is possible to execute an AppImage from it. For example, the following works: firejail --noprofile --blacklist='${HOME}/Applications' --appimage \ ~/Applications/foo.AppImage While the resulting process does not appear to have access to the blacklisted directory. --- etc/inc/disable-programs.inc | 1 + 1 file changed, 1 insertion(+) (limited to 'etc/inc') diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc index efe1b2572..558ae2446 100644 --- a/etc/inc/disable-programs.inc +++ b/etc/inc/disable-programs.inc 
@@ -1144,6 +1144,7 @@ blacklist ${HOME}/.yarn-config blacklist ${HOME}/.yarncache blacklist ${HOME}/.yarnrc blacklist ${HOME}/.zoom +blacklist ${HOME}/Applications # used for storing AppImages blacklist ${HOME}/Arduino blacklist ${HOME}/Monero/wallets blacklist ${HOME}/Nextcloud -- cgit v1.2.3-70-g09d2
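Review bot: The comment on the added `read-only ${HOME}/Applications` line in etc/inc/disable-common.inc says only that the directory stores AppImages, so the reason it needs write protection is missing from the file. According to the commit message, appimaged and AppImageLauncher both monitor this directory; that rationale is worth putting in the section comment, for example `# Write-protection for portable apps (dir is monitored by appimaged and AppImageLauncher)`. Moving the explanation there would also match the neighbouring entries in this hunk (`${HOME}/.nvm`, `${HOME}/.rustup`, `${HOME}/bin`), none of which carries a trailing comment. Since the message links appimaged's list of monitored directories, please confirm whether other entries on that list need the same treatment or are already covered, as `${HOME}/bin` is in the context above.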
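Review bot: The added `blacklist ${HOME}/Applications` line in etc/inc/disable-programs.inc is justified in the commit message by a test run with `--noprofile` and a single `--blacklist`, which does not exercise the case this line creates: a regular profile that includes disable-programs.inc being started with `--appimage` on a file under `~/Applications`. Please repeat the check with such a profile and replace the hedged "does not appear to have access" with what was actually observed inside the sandbox. The trailing comment could also record that launching an AppImage from this directory still works while it is blacklisted, since that is not obvious to a profile author reading the list. Together with the read-only rule added to disable-common.inc in the previous commit, any profile for a tool that manages this directory will need an explicit `noblacklist ${HOME}/Applications`; if such profiles exist in the tree, they belong in this series.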