From d484b299ea1a93a401d00a212d675b5837b8aaa9 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Mon, 23 Dec 2019 01:38:31 -0500
Subject: [PATCH] matchwhitelist /qubes/qfile-unpacker to match both - /usr/lib/qubes/qfile-unpacker whitelist - /lib/qubes/qfile-unpacker
---
 etc/permission-hardening.d/30_default.conf | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/etc/permission-hardening.d/30_default.conf b/etc/permission-hardening.d/30_default.conf
index f61a8d2..45417d6 100644
--- a/etc/permission-hardening.d/30_default.conf
+++ b/etc/permission-hardening.d/30_default.conf
@@ -33,14 +33,9 @@
 /usr/bin/firejail whitelist
 ######################################################################
-# SUID exact match whitelist - research required
+# SUID exact match whitelist
 ######################################################################
-## TODO: research required
-
-## https://github.com/QubesOS/qubes-core-agent-linux/blob/master/qubes-rpc/qfile-unpacker.c
-/usr/lib/qubes/qfile-unpacker whitelist
-
 ## https://manpages.debian.org/buster/xserver-xorg-legacy/Xorg.wrap.1.en.html
 ## https://lwn.net/Articles/590315/
 ## http://forums.whonix.org/t/permission-hardening/8655/25
@@ -54,6 +49,12 @@
 /usr/lib/virtualbox/ matchwhitelist
+## https://github.com/QubesOS/qubes-core-agent-linux/blob/master/qubes-rpc/qfile-unpacker.c
+## match both:
+#/usr/lib/qubes/qfile-unpacker whitelist
+#/lib/qubes/qfile-unpacker
+/qubes/qfile-unpacker matchwhitelist
+
 ######################################################################
 # SUID regex match whitelist
 ######################################################################
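Review bot: The new `/qubes/qfile-unpacker matchwhitelist` entry in the second hunk is not anchored to a directory, so, assuming `matchwhitelist` is a partial-path match as the commit message implies, it exempts any file whose path contains that string rather than only the two locations the commit names. That is wider than the exact `/usr/lib/qubes/qfile-unpacker whitelist` entry removed in the first hunk, and for a list that decides which binaries keep their SUID bit the narrower form is the safer default. Two exact entries would cover both locations without widening the exemption: `/usr/lib/qubes/qfile-unpacker whitelist` and `/lib/qubes/qfile-unpacker whitelist`. If the match form stays, note that it sits under the heading the first hunk still titles `# SUID exact match whitelist`, and the two single-`#` lines read as disabled entries rather than documentation, so `##` would fit the file's comment style.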