From 5d3e0e812bbdb45958031955bb2ed9b961e7f329 Mon Sep 17 00:00:00 2001
From: rusty-snake <41237666+rusty-snake@users.noreply.github.com>
Date: Tue, 7 Sep 2021 17:30:47 +0200
Subject: Rework pipewire/wayland - closes #4483 -- mpv requires whitelisting /usr/share/pipewire - wruc: whitelist pipewire-?, pipewire is becoming more popular and was developed with isolation (container/sandbox) in mind. - wruc: whitelist wayland-? instead of only -0 and -1 - wusc: whitelist /usr/share/pipewire - remove these wruc/wusc lines from other profiles - firefox-common-addons: Make ignore wruc work again (#4512) - firefox: org.freedesktop.portal.Desktop should be enough
---
 etc/inc/whitelist-runuser-common.inc | 4 ++--
 etc/inc/whitelist-usr-share-common.inc | 1 +
 etc/profile-a-l/chromium-common.profile | 4 ----
 etc/profile-a-l/firefox-common-addons.profile | 1 +
 etc/profile-a-l/firefox.profile | 6 ++----
 etc/profile-a-l/librewolf.profile | 6 ++----
 etc/profile-m-z/xournalpp.profile | 1 -
 7 files changed, 8 insertions(+), 15 deletions(-) (limited to 'etc')
diff --git a/etc/inc/whitelist-runuser-common.inc b/etc/inc/whitelist-runuser-common.inc
index 48309ffe3..a8cab8d07 100644
--- a/etc/inc/whitelist-runuser-common.inc
+++ b/etc/inc/whitelist-runuser-common.inc
@@ -10,7 +10,7 @@ whitelist ${RUNUSER}/gdm/Xauthority
 whitelist ${RUNUSER}/ICEauthority
 whitelist ${RUNUSER}/.mutter-Xwaylandauth.*
 whitelist ${RUNUSER}/pulse/native
-whitelist ${RUNUSER}/wayland-0
-whitelist ${RUNUSER}/wayland-1
+whitelist ${RUNUSER}/pipewire-?
+whitelist ${RUNUSER}/wayland-?
 whitelist ${RUNUSER}/xauth_*
 whitelist ${RUNUSER}/[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]
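Review bot: The added `whitelist ${RUNUSER}/pipewire-?` in whitelist-runuser-common.inc now reaches every profile that includes this file, and nothing in the file says what that socket exposes. PipeWire carries audio capture and, where the desktop routes them through it, camera and screen-capture streams; whether a client connecting to the socket directly from inside the sandbox is restricted depends on the host's PipeWire access configuration, which this patch does not show. I would put a comment above the line, for example `# pipewire-?: PipeWire socket (audio, camera and screen-capture streams); profiles that need none of it can 'ignore whitelist ${RUNUSER}/pipewire-?' before including this file`, the same `ignore whitelist` form this commit uses in firefox-common-addons.profile. Separately, `?` matches any single character, so `pipewire-[0-9]` and `wayland-[0-9]`, written with the bracket syntax already used on the xdigit line of this hunk, would pin both patterns to numbered sockets.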
diff --git a/etc/inc/whitelist-usr-share-common.inc b/etc/inc/whitelist-usr-share-common.inc
index fe0097934..0049ce804 100644
--- a/etc/inc/whitelist-usr-share-common.inc
+++ b/etc/inc/whitelist-usr-share-common.inc
@@ -45,6 +45,7 @@ whitelist /usr/share/myspell
 whitelist /usr/share/p11-kit
 whitelist /usr/share/perl
 whitelist /usr/share/perl5
+whitelist /usr/share/pipewire
 whitelist /usr/share/pixmaps
 whitelist /usr/share/pki
 whitelist /usr/share/plasma
diff --git a/etc/profile-a-l/chromium-common.profile b/etc/profile-a-l/chromium-common.profile
index b35b6ae80..c42243e02 100644
--- a/etc/profile-a-l/chromium-common.profile
+++ b/etc/profile-a-l/chromium-common.profile
@@ -37,10 +37,6 @@ include whitelist-var-common.inc
 # Add the next line to your chromium-common.local if your kernel allows unprivileged userns clone.
 #include chromium-common-hardened.inc.profile
-# Add the next two lines to your chromium-common.local to allow screen sharing under wayland.
-#whitelist ${RUNUSER}/pipewire-0
-#whitelist /usr/share/pipewire/client.conf
-
 apparmor
 caps.keep sys_admin,sys_chroot
 netfilter
diff --git a/etc/profile-a-l/firefox-common-addons.profile b/etc/profile-a-l/firefox-common-addons.profile
index d282f9a60..b2b7c362a 100644
--- a/etc/profile-a-l/firefox-common-addons.profile
+++ b/etc/profile-a-l/firefox-common-addons.profile
@@ -2,6 +2,7 @@
 # Persistent customizations should go in a .local file.
 include firefox-common-addons.local
+ignore whitelist ${RUNUSER}/*firefox*
 ignore include whitelist-runuser-common.inc
 ignore private-cache
diff --git a/etc/profile-a-l/firefox.profile b/etc/profile-a-l/firefox.profile
index 5a123d081..9138fed90 100644
--- a/etc/profile-a-l/firefox.profile
+++ b/etc/profile-a-l/firefox.profile
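Review bot: The added `ignore whitelist ${RUNUSER}/*firefox*` in firefox-common-addons.profile has no comment, and it presumably only takes effect while its text matches the whitelist line it is meant to cancel, which lives in a profile outside this diff (likely firefox-common.profile). A reader also cannot tell from here that, together with the existing `ignore include whitelist-runuser-common.inc`, it appears to leave ${RUNUSER} without any whitelist for this profile, so every socket in that directory stays visible to the browser. I would add above it: `# Must match the ${RUNUSER} whitelist line in firefox-common.profile verbatim; any whitelist left under ${RUNUSER} turns whitelisting of that directory back on.`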
@@ -58,10 +58,8 @@ dbus-user.own org.mpris.MediaPlayer2.firefox.*
 #dbus-user.own org.mpris.MediaPlayer2.plasma-browser-integration
 #dbus-user.talk org.kde.JobViewServer
 #dbus-user.talk org.kde.kuiserver
-# Add the next three lines to your firefox.local to allow screen sharing under wayland.
-#whitelist ${RUNUSER}/pipewire-0
-#whitelist /usr/share/pipewire/client.conf
-#dbus-user.talk org.freedesktop.portal.*
+# Add the next line to your firefox.local to allow screen sharing under wayland.
+#dbus-user.talk org.freedesktop.portal.Desktop
 # Add the next line to your firefox.local if screen sharing sharing still does not work
 # with the above lines (might depend on the portal implementation).
 #ignore noroot
diff --git a/etc/profile-a-l/librewolf.profile b/etc/profile-a-l/librewolf.profile
index da047357a..c9f5221f7 100644
--- a/etc/profile-a-l/librewolf.profile
+++ b/etc/profile-a-l/librewolf.profile
@@ -44,10 +44,8 @@ dbus-user filter
 #dbus-user.own org.mpris.MediaPlayer2.plasma-browser-integration
 #dbus-user.talk org.kde.JobViewServer
 #dbus-user.talk org.kde.kuiserver
-# Add the next three lines to your librewolf.local to allow screensharing under Wayland.
-#whitelist ${RUNUSER}/pipewire-0
-#whitelist /usr/share/pipewire/client.conf
-#dbus-user.talk org.freedesktop.portal.*
+# Add the next line to your librewolf.local to allow screensharing under Wayland.
+#dbus-user.talk org.freedesktop.portal.Desktop
 # Also add the next line to your librewolf.local if screensharing does not work with
 # the above lines (depends on the portal implementation).
 #ignore noroot
diff --git a/etc/profile-m-z/xournalpp.profile b/etc/profile-m-z/xournalpp.profile
index 1ef789689..a23ad68df 100644
--- a/etc/profile-m-z/xournalpp.profile
+++ b/etc/profile-m-z/xournalpp.profile
@@ -13,7 +13,6 @@ noblacklist ${HOME}/.xournalpp
 include allow-lua.inc
-whitelist /usr/share/pipewire
 whitelist /usr/share/texlive
 whitelist /usr/share/xournalpp
 whitelist /var/lib/texmf
-- 
cgit v1.2.3-70-g09d2
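Review bot: The new hint `#dbus-user.talk org.freedesktop.portal.Desktop` in firefox.profile (and the identical line in the librewolf.profile hunk) is described only as a screen-sharing switch, but a talk rule covers the whole bus name rather than a single interface. On a usual xdg-desktop-portal setup that name also serves the file-chooser, screenshot, camera and open-URI portals, so a user who uncomments the line grants more than screen casting; this is inferred from how the portal service is normally laid out, not from the diff. I would say so in the comment, e.g. `# Add the next line to your firefox.local to allow screen sharing under wayland (it also opens the other desktop portals on that bus name).` The follow-up comment in both hunks still says 'the above lines' although a single line is left, and the firefox one reads 'screen sharing sharing'.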