From 8107782fa54ec0e21893e6bd4a6baabb71eb864b Mon Sep 17 00:00:00 2001
From: raja-grewal <rg_public@proton.me>
Date: Fri, 8 Nov 2024 15:36:04 +1100
Subject: [PATCH 01/12]  Enable `ssbd=force-on`

---
 etc/default/grub.d/40_cpu_mitigations.cfg | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/etc/default/grub.d/40_cpu_mitigations.cfg b/etc/default/grub.d/40_cpu_mitigations.cfg
index e426673..1b900c0 100644
--- a/etc/default/grub.d/40_cpu_mitigations.cfg
+++ b/etc/default/grub.d/40_cpu_mitigations.cfg
@@ -47,10 +47,12 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spectre_v2=on"
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spectre_bhi=on"
 
 ## Disable Speculative Store Bypass (Spectre Variant 4).
+## Unconditionally enable mitigation for both kernel and userspace.
 ##
 ## https://www.suse.com/support/kb/doc/?id=000019189
 ##
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spec_store_bypass_disable=on"
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX ssbd=force-on"
 
 ## Enable mitigations for the L1TF vulnerability through disabling SMT
 ## and L1D flush runtime control.

From 5bd0a277bf39812c6adf40a7a3ef6390935fa08e Mon Sep 17 00:00:00 2001
From: Patrick Schleizer <adrelanos@whonix.org>
Date: Sun, 10 Nov 2024 06:29:17 -0500
Subject: [PATCH 02/12] fix permission-hardener issue "Removing capabilities
 failed. File: '/bin/ping'"

no longer user end-of-options marker (`--`) for `setcap`
since setcap does not support it

Fixes https://github.com/QubesOS/qubes-issues/issues/9569

https://forums.whonix.org/t/permission-hardener-error/20719
---
 usr/bin/permission-hardener | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener
index ad6f9b8..e5039c0 100755
--- a/usr/bin/permission-hardener
+++ b/usr/bin/permission-hardener
@@ -539,7 +539,12 @@ set_file_perms() {
       ## The value of the capability argument is not permitted for a file. Or
       ## the file is not a regular (non-symlink) file
       ## Therefore use echo_wrapper_ignore.
-      echo_wrapper_ignore verbose setcap -r -- "${fso}"
+      ##
+      ## NOTE: setcap does not support End-of-Options Marker ('--') yet.
+      ## setcap bug report:
+      ## setcap Command Does Not Support End-of-Options Marker ('--')
+      ## https://bugzilla.kernel.org/show_bug.cgi?id=219487
+      echo_wrapper_ignore verbose setcap -r "${fso}"
       getcap_output="$(getcap -- "${fso}")"
       if test -n "${getcap_output}"; then
         exit_code=205

From 4c649577f053af12bcd02c20576bf2d8aec1476d Mon Sep 17 00:00:00 2001
From: Patrick Schleizer <adrelanos@whonix.org>
Date: Sun, 10 Nov 2024 11:52:42 +0000
Subject: [PATCH 03/12] bumped changelog version

---
 changelog.upstream | 41 +++++++++++++++++++++++++++++++++++++++++
 debian/changelog   |  6 ++++++
 2 files changed, 47 insertions(+)

diff --git a/changelog.upstream b/changelog.upstream
index 4516505..df7fcb6 100644
--- a/changelog.upstream
+++ b/changelog.upstream
@@ -1,3 +1,44 @@
+commit 29b1f1ec5f3a4bf3991fc1b862751c8eb9769ecd
+Merge: 5bd0a27 238f32e
+Author: Patrick Schleizer <adrelanos@whonix.org>
+Date:   Sun Nov 10 06:32:30 2024 -0500
+
+    Merge remote-tracking branch 'github-kicksecure/master'
+
+commit 5bd0a277bf39812c6adf40a7a3ef6390935fa08e
+Author: Patrick Schleizer <adrelanos@whonix.org>
+Date:   Sun Nov 10 06:29:17 2024 -0500
+
+    fix permission-hardener issue "Removing capabilities failed. File: '/bin/ping'"
+    
+    no longer user end-of-options marker (`--`) for `setcap`
+    since setcap does not support it
+    
+    Fixes https://github.com/QubesOS/qubes-issues/issues/9569
+    
+    https://forums.whonix.org/t/permission-hardener-error/20719
+
+commit 238f32e81d835e5b9d3bc43a0654d05efa4c4313
+Merge: 3af2684 8107782
+Author: Patrick Schleizer <adrelanos@whonix.org>
+Date:   Fri Nov 8 07:39:40 2024 -0500
+
+    Merge pull request #280 from raja-grewal/ssbd
+    
+     Enable `ssbd=force-on`
+
+commit 8107782fa54ec0e21893e6bd4a6baabb71eb864b
+Author: raja-grewal <rg_public@proton.me>
+Date:   Fri Nov 8 15:36:04 2024 +1100
+
+     Enable `ssbd=force-on`
+
+commit 3af2684134279ba6f5b18b40986f02a50baa5604
+Author: Patrick Schleizer <adrelanos@whonix.org>
+Date:   Wed Oct 30 09:43:05 2024 +0000
+
+    bumped changelog version
+
 commit 71c58442ca6d57cd95b72a76ed87f8c248cdbd98
 Author: Patrick Schleizer <adrelanos@whonix.org>
 Date:   Mon Oct 28 05:10:19 2024 -0400
diff --git a/debian/changelog b/debian/changelog
index ce0a844..6fcb3e3 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+security-misc (3:40.4-1) unstable; urgency=medium
+
+  * New upstream version (local package).
+
+ -- Patrick Schleizer <adrelanos@whonix.org>  Sun, 10 Nov 2024 11:52:42 +0000
+
 security-misc (3:40.3-1) unstable; urgency=medium
 
   * New upstream version (local package).

From 29ae5f5980d521f6a4b468f5bf41210f78fdf10a Mon Sep 17 00:00:00 2001
From: Patrick Schleizer <adrelanos@whonix.org>
Date: Mon, 11 Nov 2024 05:28:31 -0500
Subject: [PATCH 04/12] fix optional opt-in `harden-module-loading.service`

by making `/usr/libexec/security-misc/disable-kernel-module-loading` executable

Thanks to @ArrayBolt3 for the bug report!
---
 usr/libexec/security-misc/disable-kernel-module-loading | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 mode change 100644 => 100755 usr/libexec/security-misc/disable-kernel-module-loading

diff --git a/usr/libexec/security-misc/disable-kernel-module-loading b/usr/libexec/security-misc/disable-kernel-module-loading
old mode 100644
new mode 100755

From 862d23cb10b7687084f8e7e207d1e2c9c1ef6751 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer <adrelanos@whonix.org>
Date: Mon, 11 Nov 2024 05:36:41 -0500
Subject: [PATCH 05/12] fix `panic-on-oops.service`

remove `After=multi-user.target` because already using `WantedBy=multi-user.target`

Thanks to @ArrayBolt3 for the bug report!
---
 usr/lib/systemd/system/panic-on-oops.service | 1 -
 1 file changed, 1 deletion(-)

diff --git a/usr/lib/systemd/system/panic-on-oops.service b/usr/lib/systemd/system/panic-on-oops.service
index cf13053..425ab5c 100644
--- a/usr/lib/systemd/system/panic-on-oops.service
+++ b/usr/lib/systemd/system/panic-on-oops.service
@@ -7,7 +7,6 @@ Documentation=https://github.com/Kicksecure/security-misc
 
 ConditionKernelCommandLine=!panic-on-oops=0
 
-After=multi-user.target
 After=graphical.target
 After=getty.target
 

From ef05b1a160b24d5aa42da9cc15009d94a37cf120 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer <adrelanos@whonix.org>
Date: Mon, 11 Nov 2024 05:40:41 -0500
Subject: [PATCH 06/12] disable legacy matroxfb_base framebuffer driver

fix typo matroxfb_bases -> matroxfb_base

Thanks to @ArrayBolt3 for the bug report!
---
 etc/modprobe.d/30_security-misc_disable.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/etc/modprobe.d/30_security-misc_disable.conf b/etc/modprobe.d/30_security-misc_disable.conf
index 3df5a51..561441a 100644
--- a/etc/modprobe.d/30_security-misc_disable.conf
+++ b/etc/modprobe.d/30_security-misc_disable.conf
@@ -262,7 +262,7 @@ install i810fb /usr/bin/disabled-framebuffer-by-security-misc
 install intelfb /usr/bin/disabled-framebuffer-by-security-misc
 install kyrofb /usr/bin/disabled-framebuffer-by-security-misc
 install lxfb /usr/bin/disabled-framebuffer-by-security-misc
-install matroxfb_bases /usr/bin/disabled-framebuffer-by-security-misc
+install matroxfb_base /usr/bin/disabled-framebuffer-by-security-misc
 install neofb /usr/bin/disabled-framebuffer-by-security-misc
 install nvidiafb /usr/bin/disabled-framebuffer-by-security-misc
 install pm2fb /usr/bin/disabled-framebuffer-by-security-misc

From 7c06e22c7d11c345428f3ad42ba43805ebc8d810 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer <adrelanos@whonix.org>
Date: Mon, 11 Nov 2024 05:43:25 -0500
Subject: [PATCH 07/12] deleted `/usr/bin/pkexec.security-misc`

This was not used anymore for anything. In the past, we used to `config-package-dev` `replace` `/usr/bin/pkexec` with `/usr/bin/pkexec.security-misc` for the purpose of:

> Redirect calls for pkexec to lxqt-sudo because pkexec is incompatible with hidepid.

* https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860040
* https://forums.whonix.org/t/cannot-use-pkexec/8129

This was a worthwhile effort, interesting approach but ultimately a dead-end.
---
 usr/bin/pkexec.security-misc | 132 -----------------------------------
 1 file changed, 132 deletions(-)
 delete mode 100755 usr/bin/pkexec.security-misc

diff --git a/usr/bin/pkexec.security-misc b/usr/bin/pkexec.security-misc
deleted file mode 100755
index 3739391..0000000
--- a/usr/bin/pkexec.security-misc
+++ /dev/null
@@ -1,132 +0,0 @@
-#!/bin/bash
-
-## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
-## See the file COPYING for copying conditions.
-
-## Redirect calls for pkexec to lxqt-sudo because pkexec is incompatible with
-## hidepid.
-## * https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860040
-## * https://forums.whonix.org/t/cannot-use-pkexec/8129
-
-set -e
-
-my_real_path="$(realpath "$0")" || true
-identifier="$my_real_path wrapper"
-exec > >(systemd-cat --identifier="$identifier output by program:") 2>&1
-
-log_to_journal() {
-   echo "$@" | systemd-cat --identifier="$identifier output by wrapper:" || true
-}
-
-log_to_journal "$0 $@"
-log_to_journal "DISPLAY: '$DISPLAY'"
-my_pstree="$(pstree -p $$)" || true
-log_to_journal "my_pstree: '$my_pstree'"
-
-## If hidepid is not in use, just use pkexec normally.
-if ! mount | grep "/proc" | grep "hidepid=2" &>/dev/null ; then
-   pkexec.security-misc-orig "$@"
-   exit $?
-fi
-
-switch_user=false
-
-original_args="$@"
-
-## Thanks to:
-## https://mywiki.wooledge.org/BashFAQ/035
-
-while :
-do
-      case $1 in
-         ## Should show 'pkexec --version' or fail?
-         --version)
-            shift
-            pkexec.security-misc-orig "$original_args"
-            exit $?
-            ;;
-         ## Should show 'pkexec --help' or fail?
-         --help)
-            shift
-            pkexec.security-misc-orig "$original_args"
-            exit $?
-            ;;
-         ## Drop --disable-internal-agent as not needed and breaking both,
-         ## lxqt-sudo and sudo.
-         --disable-internal-agent)
-            shift
-            ;;
-         --user)
-            ## lxqt-sudo does not support "--user".
-            ## We should not make this wrapper run something as root which
-            ## is supposed to run under a different user. Try using
-            ## "sudo -A --user user --set-home" instead.
-            user_pkexec_wrapper="$2"
-            if [ "$user_pkexec_wrapper" = "" ]; then
-               shift
-            else
-               shift 2
-            fi
-            switch_user=true
-            maybe_switch_to_user="--user $user_pkexec_wrapper"
-            ;;
-         --)
-            shift
-            break
-            ;;
-         *)
-            break
-            ;;
-      esac
-done
-
-## If there are input files (for example) that follow the options, they
-## will remain in the "$@" positional parameters.
-
-if [ "$PKEXEC_UID" = "" ]; then
-   if [ ! "$user_pkexec_wrapper" = "" ]; then
-      PKEXEC_UID="$user_pkexec_wrapper"
-   elif [ ! "$SUDO_USER" = "" ]; then
-      PKEXEC_UID="$SUDO_USER"
-   else
-      PKEXEC_UID="$(whoami)"
-   fi
-fi
-export PKEXEC_UID
-
-if [[ "$@" = "" ]]; then
-   ## Call original pkexec in case there are no arguments.
-   pkexec.security-misc-orig $original_args
-   exit $?
-fi
-
-exit_code=0
-
-## lxqt-sudo does not check /etc/sudoers / /etc/sudoers.d exceptions.
-## Therefore use 'sudo -l' to see if there is any already existing sudoers exception.
-## Did not work. 'sudo -l' will always exit with exit code '0'.
-# if sudo -l --non-interactive $maybe_switch_to_user --set-home PKEXEC_UID="$PKEXEC_UID" "$@" ; then
-#    log_to_journal "sudoers exception: yes"
-#    sudo --non-interactive $maybe_switch_to_user --set-home PKEXEC_UID="$PKEXEC_UID" "$@" || { exit_code=$? ; true; };
-#    log_to_journal "sudo --user | exit_code: '$exit_code'"
-#    exit "$exit_code"
-# fi
-#
-# log_to_journal "sudoers exception: no"
-
-if [ "$switch_user" = "true" ]; then
-   ## 'sudo --user user' clears environment variables such as PATH.
-   lxqt-sudo sudo $maybe_switch_to_user --set-home PKEXEC_UID="$PKEXEC_UID" "$@" || { exit_code=$? ; true; };
-else
-   ## set PATH same as root
-   ## This is required for gdebi.
-   ## REVIEW: is it ok that users can find out the PATH setting of root?
-   ## lxqt-sudo does not clear environment variable PATH.
-   PATH="$(sudo --non-interactive /usr/libexec/security-misc/echo-path)"
-   export PATH
-   lxqt-sudo "$@" || { exit_code=$? ; true; };
-fi
-
-log_to_journal "exit_code: '$exit_code'"
-
-exit "$exit_code"

From 50161f5d79eea2ab796863e4eb30eccc17e0b41d Mon Sep 17 00:00:00 2001
From: Patrick Schleizer <adrelanos@whonix.org>
Date: Mon, 11 Nov 2024 05:48:11 -0500
Subject: [PATCH 08/12] moved /etc/dkms/framework.conf.d/30_security-misc.conf
 (renamed) to usability-misc

---
 debian/security-misc.maintscript              |  3 +++
 .../framework.conf.d/30_security-misc.conf    | 20 -------------------
 2 files changed, 3 insertions(+), 20 deletions(-)
 delete mode 100644 etc/dkms/framework.conf.d/30_security-misc.conf

diff --git a/debian/security-misc.maintscript b/debian/security-misc.maintscript
index b875fd4..f6d6a83 100644
--- a/debian/security-misc.maintscript
+++ b/debian/security-misc.maintscript
@@ -81,3 +81,6 @@ rm_conffile /etc/default/grub.d/40_only_allow_signed_modules.cfg
 
 ## renamed to /etc/default/grub.d/41_quiet_boot.cfg
 rm_conffile /etc/default/grub.d/41_quiet.cfg
+
+## moved to usability-misc
+rm_conffile /etc/dkms/framework.conf.d/30_security-misc.conf
diff --git a/etc/dkms/framework.conf.d/30_security-misc.conf b/etc/dkms/framework.conf.d/30_security-misc.conf
deleted file mode 100644
index abf9a78..0000000
--- a/etc/dkms/framework.conf.d/30_security-misc.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-## Copyright (C) 2023 - 2024 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
-## See the file COPYING for copying conditions.
-
-## Lower parallel compilation jobs to 1 if less than 2 GB RAM to avoid freezing of virtual machines.
-## This does not necessarily belong into security-misc.
-##
-## Example here:
-## https://forums.whonix.org/t/linux-kernel-runtime-guard-lkrg-linux-kernel-runtime-integrity-checking-and-exploit-detection/8477/26
-##
-## This might no longer be possible in the future. See:
-## "Stop handling dkms.conf as a bash/shell script"
-## https://github.com/dell/dkms/issues/414
-ENOUGH_RAM="1950"
-total_ram="$(free -m | sed  -n -e '/^Mem:/s/^[^0-9]*\([0-9]*\) .*/\1/p')"
-if [ "$total_ram" -ge "$ENOUGH_RAM" ]; then
-   true "INFO: Enough RAM available. Not lowering compilation cores."
-else
-   true "INFO: Not enough RAM available. Lowering compilation cores to 1."
-   parallel_jobs=1
-fi

From 65fc0419a84d62e07c61d7e37ef27d144b6b6794 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer <adrelanos@whonix.org>
Date: Mon, 11 Nov 2024 11:07:57 +0000
Subject: [PATCH 09/12] bumped changelog version

---
 changelog.upstream | 57 ++++++++++++++++++++++++++++++++++++++++++++++
 debian/changelog   |  6 +++++
 2 files changed, 63 insertions(+)

diff --git a/changelog.upstream b/changelog.upstream
index df7fcb6..40e9b99 100644
--- a/changelog.upstream
+++ b/changelog.upstream
@@ -1,3 +1,60 @@
+commit 50161f5d79eea2ab796863e4eb30eccc17e0b41d
+Author: Patrick Schleizer <adrelanos@whonix.org>
+Date:   Mon Nov 11 05:48:11 2024 -0500
+
+    moved /etc/dkms/framework.conf.d/30_security-misc.conf (renamed) to usability-misc
+
+commit 7c06e22c7d11c345428f3ad42ba43805ebc8d810
+Author: Patrick Schleizer <adrelanos@whonix.org>
+Date:   Mon Nov 11 05:43:25 2024 -0500
+
+    deleted `/usr/bin/pkexec.security-misc`
+    
+    This was not used anymore for anything. In the past, we used to `config-package-dev` `replace` `/usr/bin/pkexec` with `/usr/bin/pkexec.security-misc` for the purpose of:
+    
+    > Redirect calls for pkexec to lxqt-sudo because pkexec is incompatible with hidepid.
+    
+    * https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860040
+    * https://forums.whonix.org/t/cannot-use-pkexec/8129
+    
+    This was a worthwhile effort, interesting approach but ultimately a dead-end.
+
+commit ef05b1a160b24d5aa42da9cc15009d94a37cf120
+Author: Patrick Schleizer <adrelanos@whonix.org>
+Date:   Mon Nov 11 05:40:41 2024 -0500
+
+    disable legacy matroxfb_base framebuffer driver
+    
+    fix typo matroxfb_bases -> matroxfb_base
+    
+    Thanks to @ArrayBolt3 for the bug report!
+
+commit 862d23cb10b7687084f8e7e207d1e2c9c1ef6751
+Author: Patrick Schleizer <adrelanos@whonix.org>
+Date:   Mon Nov 11 05:36:41 2024 -0500
+
+    fix `panic-on-oops.service`
+    
+    remove `After=multi-user.target` because already using `WantedBy=multi-user.target`
+    
+    Thanks to @ArrayBolt3 for the bug report!
+
+commit 29ae5f5980d521f6a4b468f5bf41210f78fdf10a
+Author: Patrick Schleizer <adrelanos@whonix.org>
+Date:   Mon Nov 11 05:28:31 2024 -0500
+
+    fix optional opt-in `harden-module-loading.service`
+    
+    by making `/usr/libexec/security-misc/disable-kernel-module-loading` executable
+    
+    Thanks to @ArrayBolt3 for the bug report!
+
+commit 4c649577f053af12bcd02c20576bf2d8aec1476d
+Author: Patrick Schleizer <adrelanos@whonix.org>
+Date:   Sun Nov 10 11:52:42 2024 +0000
+
+    bumped changelog version
+
 commit 29b1f1ec5f3a4bf3991fc1b862751c8eb9769ecd
 Merge: 5bd0a27 238f32e
 Author: Patrick Schleizer <adrelanos@whonix.org>
diff --git a/debian/changelog b/debian/changelog
index 6fcb3e3..9ce2b90 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+security-misc (3:40.5-1) unstable; urgency=medium
+
+  * New upstream version (local package).
+
+ -- Patrick Schleizer <adrelanos@whonix.org>  Mon, 11 Nov 2024 11:07:57 +0000
+
 security-misc (3:40.4-1) unstable; urgency=medium
 
   * New upstream version (local package).

From 8c2e8e69798e5255529ab3dbee6ca07b8b293100 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer <adrelanos@whonix.org>
Date: Tue, 12 Nov 2024 01:41:12 -0500
Subject: [PATCH 10/12] deleted no longer used and out-commented
 `etc/sudoers.d/pkexec-security-misc` leftover

---
 etc/sudoers.d/pkexec-security-misc | 11 -----------
 1 file changed, 11 deletions(-)
 delete mode 100644 etc/sudoers.d/pkexec-security-misc

diff --git a/etc/sudoers.d/pkexec-security-misc b/etc/sudoers.d/pkexec-security-misc
deleted file mode 100644
index bd78bde..0000000
--- a/etc/sudoers.d/pkexec-security-misc
+++ /dev/null
@@ -1,11 +0,0 @@
-## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
-## See the file COPYING for copying conditions.
-
-## REVIEW: is it ok that users can find out the PATH setting of root?
-#%sudo ALL=NOPASSWD: /usr/libexec/security-misc/echo-path
-
-## xfpm-power-backlight-helper demands environment variable PKEXEC_UID to be
-## set. Would otherwise error out with the following error message:
-## "This program must only be run through pkexec"
-## REVIEW: Can bad things be done by spoofing PKEXEC_UID?
-#Defaults:ALL env_keep += "PKEXEC_UID"

From 7987a3914d364e674eb7479b15708c450041af02 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer <adrelanos@whonix.org>
Date: Tue, 12 Nov 2024 02:29:42 -0500
Subject: [PATCH 11/12] deleted no longer used and out-commented
 `/etc/sudoers.d/xfce-security-misc` leftover

---
 etc/sudoers.d/xfce-security-misc | 19 -------------------
 1 file changed, 19 deletions(-)
 delete mode 100644 etc/sudoers.d/xfce-security-misc

diff --git a/etc/sudoers.d/xfce-security-misc b/etc/sudoers.d/xfce-security-misc
deleted file mode 100644
index 3d26d7b..0000000
--- a/etc/sudoers.d/xfce-security-misc
+++ /dev/null
@@ -1,19 +0,0 @@
-## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
-## See the file COPYING for copying conditions.
-
-## https://forums.whonix.org/t/xfce4-power-manager-xfpm-power-backlight-helper-pkexec-lxsudo-popup/8764
-## /usr/share/polkit-1/actions/org.xfce.power.policy
-
-## Feel free to out comment this if you are not using xfce4-power-manager or Xfce.
-
-#%sudo ALL=NOPASSWD: /usr/sbin/xfpm-power-backlight-helper --set-brightness [[\:digit\:]]
-#%sudo ALL=NOPASSWD: /usr/sbin/xfpm-power-backlight-helper --set-brightness [[\:digit\:]][[\:digit\:]]
-#%sudo ALL=NOPASSWD: /usr/sbin/xfpm-power-backlight-helper --set-brightness [[\:digit\:]][[\:digit\:]][[\:digit\:]]
-
-#%sudo ALL=NOPASSWD: /usr/sbin/xfpm-power-backlight-helper --set-brightness-switch [[\:digit\:]]
-#%sudo ALL=NOPASSWD: /usr/sbin/xfpm-power-backlight-helper --set-brightness-switch [[\:digit\:]][[\:digit\:]]
-#%sudo ALL=NOPASSWD: /usr/sbin/xfpm-power-backlight-helper --set-brightness-switch [[\:digit\:]][[\:digit\:]][[\:digit\:]]
-
-## XXX: Should we allow this?
-#%sudo ALL=NOPASSWD: /usr/sbin/xfce4-pm-helper --suspend
-#%sudo ALL=NOPASSWD: /usr/sbin/xfce4-pm-helper --hibernate

From 57e1edde23aa3f313ce087e00ebc14d158356d6c Mon Sep 17 00:00:00 2001
From: Patrick Schleizer <adrelanos@whonix.org>
Date: Tue, 12 Nov 2024 09:11:57 +0000
Subject: [PATCH 12/12] bumped changelog version

---
 changelog.upstream | 18 ++++++++++++++++++
 debian/changelog   |  6 ++++++
 2 files changed, 24 insertions(+)

diff --git a/changelog.upstream b/changelog.upstream
index 40e9b99..dad0b22 100644
--- a/changelog.upstream
+++ b/changelog.upstream
@@ -1,3 +1,21 @@
+commit 7987a3914d364e674eb7479b15708c450041af02
+Author: Patrick Schleizer <adrelanos@whonix.org>
+Date:   Tue Nov 12 02:29:42 2024 -0500
+
+    deleted no longer used and out-commented `/etc/sudoers.d/xfce-security-misc` leftover
+
+commit 8c2e8e69798e5255529ab3dbee6ca07b8b293100
+Author: Patrick Schleizer <adrelanos@whonix.org>
+Date:   Tue Nov 12 01:41:12 2024 -0500
+
+    deleted no longer used and out-commented `etc/sudoers.d/pkexec-security-misc` leftover
+
+commit 65fc0419a84d62e07c61d7e37ef27d144b6b6794
+Author: Patrick Schleizer <adrelanos@whonix.org>
+Date:   Mon Nov 11 11:07:57 2024 +0000
+
+    bumped changelog version
+
 commit 50161f5d79eea2ab796863e4eb30eccc17e0b41d
 Author: Patrick Schleizer <adrelanos@whonix.org>
 Date:   Mon Nov 11 05:48:11 2024 -0500
diff --git a/debian/changelog b/debian/changelog
index 9ce2b90..534a025 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+security-misc (3:40.6-1) unstable; urgency=medium
+
+  * New upstream version (local package).
+
+ -- Patrick Schleizer <adrelanos@whonix.org>  Tue, 12 Nov 2024 09:11:57 +0000
+
 security-misc (3:40.5-1) unstable; urgency=medium
 
   * New upstream version (local package).