diff --git a/etc/permission-hardening.d/30_default.conf b/etc/permission-hardening.d/30_default.conf
index 28da07c..30e02bc 100644
--- a/etc/permission-hardening.d/30_default.conf
+++ b/etc/permission-hardening.d/30_default.conf
@@ -29,10 +29,17 @@
 ## https://www.whonix.org/wiki/Dev/Firejail#Security
 /usr/bin/firejail whitelist
 
-## TODO: research
+## {{ TODO: research
+
 ## https://github.com/QubesOS/qubes-core-agent-linux/blob/master/qubes-rpc/qfile-unpacker.c
 /usr/lib/qubes/qfile-unpacker whitelist
 
+## https://manpages.debian.org/buster/xserver-xorg-legacy/Xorg.wrap.1.en.html
+## https://lwn.net/Articles/590315/
+/usr/lib/xorg/Xorg.wrap whitelist
+
+## }}
+
 ## SUID regex match whitelist.
 ## TODO: white spaces inside file name untested
 /usr/lib/virtualbox/ matchwhitelist
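Review bot: The added `/usr/lib/xorg/Xorg.wrap whitelist` line exempts a setuid-root wrapper from hardening, yet its only justification is two links inside the `## {{ TODO: research` block. Nothing in the file says why the SUID bit has to survive or under what condition the entry can be dropped. I would add a rationale line above it, for example `## Kept SUID so Xorg can still obtain root where the driver needs it; remove once rootless X is verified.` It would also help to note that the wrapper's exposure appears to be governed by `/etc/X11/Xwrapper.config` (`allowed_users`, `needs_root_rights`), so a reader knows where the remaining control sits. The `{{ … }}` markers group both unresearched entries, but a short comment saying what "research" has to establish would keep them from becoming permanent.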