Whitelist runuser common (#3286)

* introduce whitelist-runuser-common.inc * If an applications does not need a whitelist it can/should be nowhitelisted. Example: nowhitelist ${RUNUSER}/pulse include whitelist-runuser-common.inc * ${RUNUSER}/bus is inaccessible with nodbus regardless of the whitelist. (as it should) * strange wayland setups with an second wayland-compostior need to whitelist ${RUNUSER}/wayland-1, ${RUNUSER}/wayland-2 and so on. * some display-manager store there Xauthority file in ${RUNUSER}. test results with fedora 31: - ssdm: ~/.Xauthority is used - lightdm: /run/lightdm/USER/Xauthority - gdm: /run/user/UID/gdm/Xauthority * IMPORTANT: ATM we can only enable this for non-graphical and GTK3 programs because mutter (GNOMEs window-manger) stores the Xauthority file for Xwayland under /run/user/UID/.mutter-Xwaylandauth.XXXXXX where XXXXXX is random. Until we have whitelist globbing we can't whitelist this file. QT/KDE and other toolkits without full wayland support won't be able to start. * wru update 1 - add wru to more profiles. - blacklist ${RUNUSER} works for the most cli programs too. * add wruc to more profiles * fixes * fixes * wruc: hide pulse pid * update * remove wruc from all the x11 profiles * fixes * fix ordering * read-only * revert read-only * update *
2026-05-15 14:16:14 -06:00 · 2020-03-31 16:51:02 +00:00 · 2020-03-31 16:51:02 +00:00 · 4747e0ed7f
commit 4747e0ed7f
parent 19eca5fd83
74 changed files with 116 additions and 12 deletions
--- a/1
+++ b/1
@ -3,6 +3,7 @@ firejail (0.9.63) baseline; urgency=low
  * DHCP client support
  * SELinux labeling support
  * 32-bit seccomp filter
+  * restrict ${RUNUSER} in serveral profiles
  * new condition: HAS_NOSOUND
  * new profiles: gfeeds, firefox-x11, tvbrowser, rtv, clipgrab, muraster
  * new profiles: gnome-passwordsafe, bibtex, gummi, latex, mupdf-x11-curl
--- a/etc/baobab.profile
+++ b/etc/baobab.profile
@ -14,6 +14,8 @@ include disable-passwdmgr.inc
 # include disable-programs.inc
 # include disable-xdg.inc

+include whitelist-runuser-common.inc
+
 caps.drop all
 net none
 no3d
--- a/etc/celluloid.profile
+++ b/etc/celluloid.profile
@ -24,6 +24,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc

+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc

--- a/etc/curl.profile
+++ b/etc/curl.profile
@ -10,6 +10,8 @@ include globals.local
 noblacklist ${HOME}/.curlrc

 blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}

 include disable-common.inc
 include disable-exec.inc
--- a/etc/d-feet.profile
+++ b/etc/d-feet.profile
@ -24,6 +24,7 @@ mkdir ${HOME}/.config/d-feet
 whitelist ${HOME}/.config/d-feet
 whitelist /usr/share/d-feet
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc

--- a/etc/dconf-editor.profile
+++ b/etc/dconf-editor.profile
@ -16,6 +16,7 @@ include disable-xdg.inc

 whitelist ${HOME}/.local/share/glib-2.0
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc

--- a/etc/dig.profile
+++ b/etc/dig.profile
@ -11,6 +11,8 @@ noblacklist ${HOME}/.digrc
 noblacklist ${PATH}/dig

 blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}

 include disable-common.inc
 # include disable-devel.inc
--- a/etc/elinks.profile
+++ b/etc/elinks.profile
@ -18,6 +18,8 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc

+include whitelist-runuser-common.inc
+
 caps.drop all
 netfilter
 no3d
--- a/etc/enchant.profile
+++ b/etc/enchant.profile
@ -21,6 +21,7 @@ include disable-xdg.inc
 mkdir ${HOME}/.config/enchant
 whitelist ${HOME}/.config/enchant
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc

--- a/etc/eo-common.profile
+++ b/etc/eo-common.profile
@ -18,6 +18,7 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc

+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc

--- a/etc/evince.profile
+++ b/etc/evince.profile
@ -21,6 +21,7 @@ whitelist /usr/share/doc
 whitelist /usr/share/evince
 whitelist /usr/share/poppler
 whitelist /usr/share/tracker
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc

--- a/etc/evolution.profile
+++ b/etc/evolution.profile
@ -23,6 +23,8 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc

+include whitelist-runuser-common.inc
+
 caps.drop all
 netfilter
 # no3d breaks under wayland
--- a/etc/feedreader.profile
+++ b/etc/feedreader.profile
@ -23,6 +23,7 @@ whitelist ${HOME}/.cache/feedreader
 whitelist ${HOME}/.local/share/feedreader
 whitelist /usr/share/feedreader
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc

--- a/etc/file-roller.profile
+++ b/etc/file-roller.profile
@ -14,6 +14,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc

 whitelist /usr/share/file-roller
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc

--- a/etc/file.profile
+++ b/etc/file.profile
@ -8,6 +8,7 @@ include file.local
 include globals.local

 blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}

 include disable-common.inc
 include disable-exec.inc
--- a/etc/filezilla.profile
+++ b/etc/filezilla.profile
@ -17,6 +17,8 @@ include disable-common.inc
 include disable-devel.inc
 include disable-interpreters.inc
 include disable-programs.inc
+
+include whitelist-runuser-common.inc
 include whitelist-var-common.inc

 caps.drop all
--- a/etc/flameshot.profile
+++ b/etc/flameshot.profile
@ -17,6 +17,8 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc

+include whitelist-runuser-common.inc
+
 caps.drop all
 ipc-namespace
 netfilter
--- a/etc/gedit.profile
+++ b/etc/gedit.profile
@ -19,6 +19,7 @@ include disable-exec.inc
 include disable-passwdmgr.inc
 include disable-programs.inc

+include whitelist-runuser-common.inc
 include whitelist-var-common.inc

 # apparmor - makes settings immutable
--- a/etc/gfeeds.profile
+++ b/etc/gfeeds.profile
@ -29,6 +29,7 @@ whitelist ${HOME}/.cache/org.gabmus.gfeeds
 whitelist ${HOME}/.config/org.gabmus.gfeeds.json
 whitelist /usr/share/gfeeds
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc

--- a/etc/gitg.profile
+++ b/etc/gitg.profile
@ -28,6 +28,7 @@ include disable-programs.inc
 #include whitelist-common.inc

 whitelist /usr/share/gitg
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc

--- a/etc/gjs.profile
+++ b/etc/gjs.profile
@ -22,6 +22,7 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc

+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc

--- a/etc/gnome-builder.profile
+++ b/etc/gnome-builder.profile
@ -17,6 +17,8 @@ include disable-common.inc
 include disable-passwdmgr.inc
 include disable-programs.inc

+include whitelist-runuser-common.inc
+
 caps.drop all
 ipc-namespace
 netfilter
--- a/etc/gnome-calculator.profile
+++ b/etc/gnome-calculator.profile
@ -16,6 +16,7 @@ include disable-programs.inc
 include disable-xdg.inc

 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc

--- a/etc/gnome-characters.profile
+++ b/etc/gnome-characters.profile
@ -19,6 +19,7 @@ include disable-xdg.inc

 whitelist /usr/share/org.gnome.Characters
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc

--- a/etc/gnome-clocks.profile
+++ b/etc/gnome-clocks.profile
@ -17,6 +17,7 @@ include disable-xdg.inc
 whitelist /usr/share/gnome-clocks
 whitelist /usr/share/libgweather
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc

--- a/etc/gnome-contacts.profile
+++ b/etc/gnome-contacts.profile
@ -17,6 +17,7 @@ include disable-programs.inc
 include disable-xdg.inc

 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-var-common.inc

 caps.drop all
--- a/etc/gnome-hexgl.profile
+++ b/etc/gnome-hexgl.profile
@ -15,9 +15,8 @@ include disable-programs.inc
 include disable-xdg.inc

 mkdir ${HOME}/.cache/mesa_shader_cache
-whitelist ${RUNUSER}/pulse
-whitelist ${RUNUSER}/wayland-0
 whitelist /usr/share/gnome-hexgl
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc

--- a/etc/gnome-latex.profile
+++ b/etc/gnome-latex.profile
@ -22,6 +22,7 @@ include disable-programs.inc
 whitelist /usr/share/gnome-latex
 whitelist /usr/share/perl5
 whitelist /usr/share/texlive
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 # May cause issues.
 #include whitelist-var-common.inc
--- a/etc/gnome-logs.profile
+++ b/etc/gnome-logs.profile
@ -15,6 +15,7 @@ include disable-programs.inc
 include disable-xdg.inc

 whitelist /var/log/journal
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc

--- a/etc/gnome-maps.profile
+++ b/etc/gnome-maps.profile
@ -35,6 +35,7 @@ whitelist ${PICTURES}
 whitelist /usr/share/gnome-maps
 whitelist /usr/share/libgweather
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc

--- a/etc/gnome-music.profile
+++ b/etc/gnome-music.profile
@ -21,6 +21,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc

+include whitelist-runuser-common.inc
 include whitelist-var-common.inc

 apparmor
--- a/etc/gnome-nettool.profile
+++ b/etc/gnome-nettool.profile
@ -16,6 +16,7 @@ include disable-xdg.inc

 whitelist /usr/share/gnome-nettool
 #include whitelist-common.inc -- see #903
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc

--- a/etc/gnome-passwordsafe.profile
+++ b/etc/gnome-passwordsafe.profile
@ -21,13 +21,9 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc

-whitelist ${RUNUSER}/bus
-# If you have a second wayland compositor, whitelist its socket here.
-whitelist ${RUNUSER}/wayland-0
-whitelist ${RUNUSER}/gdm/Xauthority
-
 whitelist /usr/share/cracklib
 whitelist /usr/share/passwordsafe
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc

--- a/etc/gnome-photos.profile
+++ b/etc/gnome-photos.profile
@ -17,6 +17,7 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc

+include whitelist-runuser-common.inc
 include whitelist-var-common.inc

 apparmor
--- a/etc/gnome-schedule.profile
+++ b/etc/gnome-schedule.profile
@ -39,6 +39,7 @@ whitelist /usr/share/gnome-schedule
 whitelist /var/spool/atd
 whitelist /var/spool/cron
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc

--- a/etc/gnome-screenshot.profile
+++ b/etc/gnome-screenshot.profile
@ -17,11 +17,8 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc

-whitelist ${RUNUSER}/bus
-whitelist ${RUNUSER}/pulse
-whitelist ${RUNUSER}/gdm/Xauthority
-whitelist ${RUNUSER}/wayland-0
 include whitelist-usr-share-common.inc
+include whitelist-runuser-common.inc
 include whitelist-var-common.inc

 apparmor
--- a/etc/gnome-weather.profile
+++ b/etc/gnome-weather.profile
@ -21,6 +21,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc

+include whitelist-runuser-common.inc
 include whitelist-var-common.inc

 caps.drop all
--- a/etc/gpg-agent.profile
+++ b/etc/gpg-agent.profile
@ -21,9 +21,12 @@ include disable-xdg.inc

 mkdir ${HOME}/.gnupg
 whitelist ${HOME}/.gnupg
+whitelist ${RUNUSER}/gnupg
+whitelist ${RUNUSER}/keyring
 whitelist /usr/share/gnupg
 whitelist /usr/share/gnupg2
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc

--- a/etc/gpg.profile
+++ b/etc/gpg.profile
@ -18,9 +18,12 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc

+whitelist ${RUNUSER}/gnupg
+whitelist ${RUNUSER}/keyring
 whitelist /usr/share/gnupg
 whitelist /usr/share/gnupg2
 whitelist /usr/share/pacman/keyrings
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc

--- a/etc/gucharmap.profile
+++ b/etc/gucharmap.profile
@ -15,6 +15,7 @@ include disable-programs.inc
 include disable-xdg.inc

 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc

--- a/etc/highlight.profile
+++ b/etc/highlight.profile
@ -7,6 +7,7 @@ include highlight.local
 include globals.local

 blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}

 include disable-common.inc
 include disable-devel.inc
--- a/etc/latex-common.profile
+++ b/etc/latex-common.profile
@ -14,6 +14,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc

 whitelist /var/lib
+include whitelist-runuser-common.inc
 include whitelist-var-common.inc

 caps.drop all
--- a/etc/less.profile
+++ b/etc/less.profile
@ -8,6 +8,7 @@ include less.local
 include globals.local

 blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}

 noblacklist ${HOME}/.lesshst

--- a/etc/links.profile
+++ b/etc/links.profile
@ -24,6 +24,7 @@ include disable-xdg.inc
 mkdir ${HOME}/.links
 whitelist ${HOME}/.links
 whitelist ${DOWNLOADS}
+include whitelist-runuser-common.inc
 include whitelist-var-common.inc

 caps.drop all
--- a/etc/lynx.profile
+++ b/etc/lynx.profile
@ -16,6 +16,8 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc

+include whitelist-runuser-common.inc
+
 caps.drop all
 netfilter
 no3d
--- a/etc/meld.profile
+++ b/etc/meld.profile
@ -36,6 +36,8 @@ include disable-passwdmgr.inc
 # Uncomment the next line (or put it into your meld.local) if you don't need to compare files in disable-programs.inc.
 #include disable-programs.inc

+include whitelist-runuser-common.inc
+
 # Uncomment the next lines (or put it into your meld.local) if you don't need to compare files in /usr/share.
 #whitelist /usr/share/meld
 #include whitelist-usr-share-common.inc
--- a/etc/mutt.profile
+++ b/etc/mutt.profile
@ -40,6 +40,8 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc

+include whitelist-runuser-common.inc
+
 caps.drop all
 netfilter
 no3d
--- a/etc/newsboat.profile
+++ b/etc/newsboat.profile
@ -19,6 +19,7 @@ include disable-xdg.inc
 mkdir ${HOME}/.newsboat
 whitelist ${HOME}/.newsboat
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-var-common.inc

 caps.drop all
--- a/etc/nslookup.profile
+++ b/etc/nslookup.profile
@ -7,6 +7,10 @@ include nslookup.local
 # Persistent global definitions
 include globals.local

+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
+
 noblacklist ${PATH}/nslookup

 include disable-common.inc
--- a/etc/pandoc.profile
+++ b/etc/pandoc.profile
@ -8,6 +8,7 @@ include pandoc.local
 include globals.local

 blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}

 noblacklist ${DOCUMENTS}

--- a/etc/patch.profile
+++ b/etc/patch.profile
@ -8,6 +8,7 @@ include patch.local
 include globals.local

 blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}

 noblacklist ${DOCUMENTS}

--- a/etc/pdftotext.profile
+++ b/etc/pdftotext.profile
@ -7,6 +7,7 @@ include pdftotext.local
 include globals.local

 blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}

 noblacklist ${DOCUMENTS}

--- a/etc/ping.profile
+++ b/etc/ping.profile
@ -7,6 +7,10 @@ include ping.local
 # Persistent global definitions
 include globals.local

+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
--- a/etc/pitivi.profile
+++ b/etc/pitivi.profile
@ -6,7 +6,6 @@ include pitivi.local
 # Persistent global definitions
 include globals.local

-
 noblacklist ${HOME}/.config/pitivi

 # Allow python (blacklisted by disable-interpreters.inc)
@ -20,6 +19,7 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc

+include whitelist-runuser-common.inc
 include whitelist-var-common.inc

 apparmor
--- a/etc/pngquant.profile
+++ b/etc/pngquant.profile
@ -16,6 +16,8 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc

+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc

 apparmor
--- a/etc/polari.profile
+++ b/etc/polari.profile
@ -28,6 +28,7 @@ whitelist ${HOME}/.local/share/TpLogger
 whitelist ${HOME}/.local/share/telepathy
 whitelist ${HOME}/.purple
 include whitelist-common.inc
+include whitelist-runuser-common.inc

 caps.drop all
 netfilter
--- a/etc/remmina.profile
+++ b/etc/remmina.profile
@ -19,6 +19,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc

+include whitelist-runuser-common.inc
 include whitelist-var-common.inc

 caps.drop all
--- a/etc/rhythmbox.profile
+++ b/etc/rhythmbox.profile
@ -25,6 +25,7 @@ include disable-xdg.inc
 whitelist /usr/share/rhythmbox
 whitelist /usr/share/lua
 whitelist /usr/share/libquvi-scripts
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc

--- a/etc/rsync-download_only.profile
+++ b/etc/rsync-download_only.profile
@ -14,6 +14,7 @@ include globals.local

 blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}

 include disable-common.inc
 include disable-devel.inc
--- a/etc/seahorse.profile
+++ b/etc/seahorse.profile
@ -31,7 +31,10 @@ whitelist /usr/share/gnupg
 whitelist /usr/share/gnupg2
 whitelist /usr/share/seahorse
 whitelist /usr/share/seahorse-nautilus
+whitelist ${RUNUSER}/gnupg
+whitelist ${RUNUSER}/keyring
 #include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc

--- a/etc/shellcheck.profile
+++ b/etc/shellcheck.profile
@ -8,6 +8,7 @@ include shellcheck.local
 include globals.local

 blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}

 noblacklist ${DOCUMENTS}

--- a/etc/ssh.profile
+++ b/etc/ssh.profile
@ -18,7 +18,10 @@ include disable-exec.inc
 include disable-passwdmgr.inc
 include disable-programs.inc

+whitelist ${RUNUSER}/keyring/ssh
+whitelist ${RUNUSER}/gnupg/S.gpg-agent.ssh
 include whitelist-usr-share-common.inc
+include whitelist-runuser-common.inc

 caps.drop all
 ipc-namespace
--- a/etc/strings.profile
+++ b/etc/strings.profile
@ -8,6 +8,7 @@ include strings.local
 include globals.local

 blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}

 #include disable-common.inc
 include disable-devel.inc
--- a/etc/templates/profile.template
+++ b/etc/templates/profile.template
@ -27,6 +27,7 @@
 #   ALLOW INCLUDES
 #   BLACKLISTS
 #   DISABLE INCLUDES
+#   NOWHITELISTS
 #   MKDIRS
 #   WHITELISTS
 #   WHITELIST INCLUDES
@ -62,6 +63,8 @@ include globals.local
 #blacklist /tmp/.X11-unix
 # Disable Wayland
 #blacklist ${RUNUSER}/wayland-*
+# Disable RUNUSER (cli only)
+#blacklist ${RUNUSER}

 # It is common practice to add files/dirs containing program-specific configuration
 # (often ${HOME}/PROGRAMNAME or ${HOME}/.config/PROGRAMNAME) into disable-programs.inc
@ -116,6 +119,7 @@ include globals.local
 ##mkfile PATH
 #whitelist PATH
 #include whitelist-common.inc
+#GTK3 only: include whitelist-runuser-common.inc
 #include whitelist-usr-share-common.inc
 #include whitelist-var-common.inc

--- a/etc/tracker.profile
+++ b/etc/tracker.profile
@ -17,6 +17,8 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc

+include whitelist-runuser-common.inc
+
 caps.drop all
 netfilter
 no3d
--- a/etc/transmission-gtk.profile
+++ b/etc/transmission-gtk.profile
@ -7,6 +7,8 @@ include transmission-gtk.local
 # Persistent global definitions
 include globals.local

+include whitelist-runuser-common.inc
+
 private-bin transmission-gtk

 ignore memory-deny-write-execute
--- a/etc/tshark.profile
+++ b/etc/tshark.profile
@ -16,6 +16,7 @@ include disable-xdg.inc

 whitelist /usr/share/wireshark
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc

--- a/etc/vim.profile
+++ b/etc/vim.profile
@ -17,6 +17,8 @@ include disable-common.inc
 include disable-passwdmgr.inc
 include disable-programs.inc

+include whitelist-runuser-common.inc
+
 caps.drop all
 netfilter
 nodvd
--- a/etc/w3m.profile
+++ b/etc/w3m.profile
@ -20,6 +20,8 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc

+include whitelist-runuser-common.inc
+
 caps.drop all
 netfilter
 no3d
--- a/etc/wget.profile
+++ b/etc/wget.profile
@ -13,6 +13,7 @@ noblacklist ${HOME}/.wgetrc

 blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}

 include disable-common.inc
 include disable-devel.inc
--- a/etc/whitelist-runuser-common.inc
+++ b/etc/whitelist-runuser-common.inc
@ -0,0 +1,10 @@
+# Local customizations come here
+include whitelist-runuser-common.local
+
+# common ${RUNUSER} (=/run/user/$UID) whitelist for all profiles
+
+whitelist ${RUNUSER}/bus
+whitelist ${RUNUSER}/dconf
+whitelist ${RUNUSER}/gdm/Xauthority
+whitelist ${RUNUSER}/pulse/native
+whitelist ${RUNUSER}/wayland-0
--- a/etc/whois.profile
+++ b/etc/whois.profile
@ -9,6 +9,7 @@ include globals.local

 blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}

 include disable-common.inc
 include disable-devel.inc
--- a/etc/yelp.profile
+++ b/etc/yelp.profile
@ -23,6 +23,7 @@ whitelist /usr/share/help
 whitelist /usr/share/yelp
 whitelist /usr/share/yelp-xsl
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc

--- a/etc/youtube-dl.profile
+++ b/etc/youtube-dl.profile
@ -22,6 +22,7 @@ include allow-python3.inc

 blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}

 include disable-common.inc
 include disable-devel.inc