From d7bd477e7379cd5d74d81e81080d375041cc3b29 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Fri, 20 Dec 2019 12:59:27 -0500
Subject: [PATCH] add "/usr/lib/xorg/Xorg.wrap whitelist" until this is researched

https://manpages.debian.org/buster/xserver-xorg-legacy/Xorg.wrap.1.en.html
https://lwn.net/Articles/590315/
---
 etc/permission-hardening.d/30_default.conf | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/etc/permission-hardening.d/30_default.conf b/etc/permission-hardening.d/30_default.conf
index 28da07c..30e02bc 100644
--- a/etc/permission-hardening.d/30_default.conf
+++ b/etc/permission-hardening.d/30_default.conf
@@ -29,10 +29,17 @@
 ## https://www.whonix.org/wiki/Dev/Firejail#Security
 /usr/bin/firejail whitelist
 
-## TODO: research
+## {{ TODO: research
+
 ## https://github.com/QubesOS/qubes-core-agent-linux/blob/master/qubes-rpc/qfile-unpacker.c
 /usr/lib/qubes/qfile-unpacker whitelist
 
+## https://manpages.debian.org/buster/xserver-xorg-legacy/Xorg.wrap.1.en.html
+## https://lwn.net/Articles/590315/
+/usr/lib/xorg/Xorg.wrap whitelist
+
+## }}
+
 ## SUID regex match whitelist.
 ## TODO: white spaces inside file name untested
 /usr/lib/virtualbox/ matchwhitelist
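Review bot: The new `/usr/lib/xorg/Xorg.wrap whitelist` entry carries only two reference URLs, so once merged the config itself never states why a setuid-root binary is being exempted from SUID hardening or what finding would let the exemption be removed; the "until this is researched" rationale exists only in the commit message. I would add, directly above the whitelist line, `## Setuid root wrapper for the X server on Debian; kept SUID as a stopgap pending research.` followed by `## Revisit once it is confirmed whether X can run without root on this setup (the linked Xorg.wrap(1) page appears to cover this via Xwrapper.config — verify).` The `## {{ TODO: research` / `## }}` fold markers also now enclose the pre-existing qfile-unpacker entry, turning what was a one-line TODO on a single binary into a block that governs two unrelated SUID exemptions, so resolving the research for one will leave the other's status ambiguous; a one-line TODO per entry keeps each independently removable. Whitelisting a fixed absolute path (rather than `matchwhitelist` as used for VirtualBox below) is the right choice here since it does not widen the exemption beyond the one wrapper.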