From 4747e0ed7f1d9e39974a1c5a5900db47ab1423aa Mon Sep 17 00:00:00 2001
From: rusty-snake <41237666+rusty-snake@users.noreply.github.com>
Date: Tue, 31 Mar 2020 16:51:02 +0000
Subject: Whitelist runuser common (#3286)

* introduce whitelist-runuser-common.inc

* If an application does not need a whitelist it can/should be nowhitelisted.
  Example:
    nowhitelist ${RUNUSER}/pulse
    include whitelist-runuser-common.inc

* ${RUNUSER}/bus is inaccessible with nodbus regardless of the whitelist. (as it should)

* strange wayland setups with a second wayland-compositor need to whitelist ${RUNUSER}/wayland-1, ${RUNUSER}/wayland-2 and so on.

* some display-managers store their Xauthority file in ${RUNUSER}.
  test results with fedora 31:
  - sddm: ~/.Xauthority is used
  - lightdm: /run/lightdm/USER/Xauthority
  - gdm: /run/user/UID/gdm/Xauthority

* IMPORTANT: ATM we can only enable this for non-graphical and GTK3 programs because mutter (GNOME's window-manager) stores the Xauthority file for Xwayland under /run/user/UID/.mutter-Xwaylandauth.XXXXXX where XXXXXX is random. Until we have whitelist globbing we can't whitelist this file. QT/KDE and other toolkits without full wayland support won't be able to start.

* wru update 1
  - add wru to more profiles.
  - blacklist ${RUNUSER} works for most cli programs too.

* add wruc to more profiles

* fixes

* fixes

* wruc: hide pulse pid

* update

* remove wruc from all the x11 profiles

* fixes

* fix ordering

* read-only

* revert read-only

* update

*

--- etc/whitelist-runuser-common.inc | 10 ++++++++++ 1 file changed, 10 insertions(+) create mode 100644 etc/whitelist-runuser-common.inc (limited to 'etc/whitelist-runuser-common.inc') diff --git a/etc/whitelist-runuser-common.inc b/etc/whitelist-runuser-common.inc new file mode 100644 index 000000000..de59d03d3 --- /dev/null +++ b/etc/whitelist-runuser-common.inc 
@@ -0,0 +1,10 @@ +# Local customizations come here +include whitelist-runuser-common.local + +# common ${RUNUSER} (=/run/user/$UID) whitelist for all profiles + +whitelist ${RUNUSER}/bus +whitelist ${RUNUSER}/dconf +whitelist ${RUNUSER}/gdm/Xauthority +whitelist ${RUNUSER}/pulse/native +whitelist ${RUNUSER}/wayland-0 -- cgit v1.2.3-70-g09d2
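Review bot: The five `whitelist` entries in the new etc/whitelist-runuser-common.inc carry none of the constraints that the commit message spells out, so a profile author reading only the file cannot tell when including it is safe. `whitelist ${RUNUSER}/bus` hands the session D-Bus socket to every profile that includes this file unless the profile also sets nodbus; please add a comment above that line saying so, and one noting that a profile which does not need an entry should drop it with `nowhitelist` placed before the include, as in the `nowhitelist ${RUNUSER}/pulse` example from the commit message. The header comment "for all profiles" also contradicts the IMPORTANT note: until whitelist globbing exists, mutter's /run/user/UID/.mutter-Xwaylandauth.XXXXXX cannot be whitelisted, so the file is usable only by non-graphical and GTK3 programs, and that restriction belongs in the header. A short comment next to `whitelist ${RUNUSER}/wayland-0` that additional compositors (wayland-1, wayland-2) must be added through whitelist-runuser-common.local would cover the remaining case.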