From df8a323d03747858b55d905465c1f9415bbb8022 Mon Sep 17 00:00:00 2001
From: Aaron Rainbolt
Date: Thu, 21 Aug 2025 18:39:28 -0500
Subject: [PATCH] Fix XDG handling, replace Xfce with LXQt where appropriate, make USBGuard configuration work
---
 debian/security-misc.postinst | 4 ++++
 etc/profile.d/30_security-misc.sh | 2 +-
 usr/lib/permission-hardener.d/25_default_whitelist_pam.conf | 2 +-
 .../systemd/system/usbguard.service.d/30_security-misc.conf | 5 +++++
 4 files changed, 11 insertions(+), 2 deletions(-)
 create mode 100644 usr/lib/systemd/system/usbguard.service.d/30_security-misc.conf
diff --git a/debian/security-misc.postinst b/debian/security-misc.postinst
index ac81a23..e294c7e 100644
--- a/debian/security-misc.postinst
+++ b/debian/security-misc.postinst
@@ -89,6 +89,10 @@ case "$1" in
 ## migrate permission_hardener state to v2 if applicable
 migrate_permission_hardener_state
+
+ ## Fix usbguard config permissions, this seemingly can't be done
+ ## during the unpack stage
+ chmod 0600 /etc/usbguard/rules.d/30_security-misc.conf
 ;;
 abort-upgrade|abort-remove|abort-deconfigure)
diff --git a/etc/profile.d/30_security-misc.sh b/etc/profile.d/30_security-misc.sh
index 8cb5673..39ee52b 100755
--- a/etc/profile.d/30_security-misc.sh
+++ b/etc/profile.d/30_security-misc.sh
@@ -4,7 +4,7 @@
 ## See the file COPYING for copying conditions.
 if [ -z "$XDG_CONFIG_DIRS" ]; then
- XDG_CONFIG_DIRS="/etc/xdg"
+ XDG_CONFIG_DIRS="/etc:/etc/xdg:/usr/share"
 fi
 if ! printf '%s\n' "$XDG_CONFIG_DIRS" | grep -- "/usr/share/security-misc/" >/dev/null 2>/dev/null ; then
 export XDG_CONFIG_DIRS="/usr/share/security-misc/:$XDG_CONFIG_DIRS"
diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_pam.conf b/usr/lib/permission-hardener.d/25_default_whitelist_pam.conf
index b787e5f..3ec762c 100644
--- a/usr/lib/permission-hardener.d/25_default_whitelist_pam.conf
+++ b/usr/lib/permission-hardener.d/25_default_whitelist_pam.conf
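Review bot: In debian/security-misc.postinst, the added `chmod 0600 /etc/usbguard/rules.d/30_security-misc.conf` runs unconditionally, so it returns non-zero whenever that file is absent, for example after an administrator has deleted it. If the script runs under `set -e` (not visible in this hunk), that would abort package configuration over a missing optional rules file. A guard keeps the permission fix without making the file a hard requirement: `[ ! -f /etc/usbguard/rules.d/30_security-misc.conf ] || chmod 0600 /etc/usbguard/rules.d/30_security-misc.conf`. The comment could also say why 0600 is needed (presumably USBGuard rejects rule files with wider permissions) and that the file keeps its unpacked mode until this step runs. The enclosing `case` arm begins outside the hunk.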
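Review bot: In etc/profile.d/30_security-misc.sh, the new fallback `XDG_CONFIG_DIRS="/etc:/etc/xdg:/usr/share"` carries no comment explaining why it departs from the XDG Base Directory default of `/etc/xdg`, and the order matters because earlier entries take precedence. With this value `/etc` outranks `/etc/xdg`, and consumers that search `$XDG_CONFIG_DIRS/autostart` would also consult `/etc/autostart` and `/usr/share/autostart`, so it is worth confirming that this wider search path is intended. I would add a comment above the assignment such as `## Fallback is wider than the XDG default (/etc/xdg): /etc and /usr/share are searched too, in this precedence order, because <reason>.` The second `if` block closes outside the hunk.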
@@ -16,7 +16,7 @@
 ## relies solely on the calling user's UID and GID, though this could require
 ## further review.)
 ##
-## Without this, Xfce fails to start with a dbus-launch error.
+## Without this, LXQt fails to start with a dbus-launch error.
 ##
 ## TODO: audit pam-tmpdir-helper pam-tmpdir-helper matchwhitelist
diff --git a/usr/lib/systemd/system/usbguard.service.d/30_security-misc.conf b/usr/lib/systemd/system/usbguard.service.d/30_security-misc.conf
new file mode 100644
index 0000000..70accaf
--- /dev/null
+++ b/usr/lib/systemd/system/usbguard.service.d/30_security-misc.conf
@@ -0,0 +1,5 @@
+## Copyright (C) 2025 - 2025 ENCRYPTED SUPPORT LLC
+## See the file COPYING for copying conditions.
+
+[Unit]
+ConditionPathExists=/sys/bus/usb
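Review bot: `ConditionPathExists=/sys/bus/usb` in the new usbguard.service.d drop-in is evaluated only when the unit is started, and an unmet condition leaves the unit skipped rather than failed, so failure-based monitoring will not flag that USBGuard is not running. If `/sys/bus/usb` can appear after boot on a given system (for instance USB support loaded later as a module; this depends on kernel configuration and is not visible here), USBGuard would stay inactive while USB devices become usable. The file also gives no reason for the condition; I would add above `[Unit]` a comment such as `## Skip usbguard on systems without a USB bus; this condition is only evaluated at unit start.`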