## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
## See the file COPYING for copying conditions.

## Please use "/etc/permission-hardener.d/20_user.conf" or
## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom
## configuration. When security-misc-shared is updated, this file may be
## overwritten.

## TODO: research
## https://github.com/QubesOS/qubes-core-agent-linux/blob/master/qubes-rpc/qfile-unpacker.c
##
## Historic Qubes upstream security issue:
## qfile-unpacker allows unprivileged users in VMs to gain root privileges
## https://github.com/QubesOS/qubes-issues/issues/8633
##
## matches both:
## - /usr/lib/qubes/qfile-unpacker whitelist
##   - Not bit-for-bit identical to /usr/lib/qubes/qfile-unpacker.
##   - Stripping SUID from this does *not* break file copying.
##   - TODO: further reserach required on its purpose
## - /usr/bin/qfile-unpacker
##   - Appears to be an integral part of file transfer between qubes, stripping
##     SUID from this in an AppVM results in that AppVM being unable to receive
##     files any longer. (It can still send files to other qubes though.)
qfile-unpacker matchwhitelist