profiles: blacklist i3 IPC socket & dir except for i3 itself (#6361)

This closes the escape route discussed in #6357.

It's left open for i3's own profile, so that people who run i3 itself
sandboxed still have the option to use IPC with it at all.

Reference for file paths:
https://i3wm.org/docs/userguide.html#_interprocess_communication

3 files changed, 10 insertions, 0 deletions

diff --git a/etc/inc/disable-common.inc b/etc/inc/disable-common.inc
index 55aabbc73..14f7d8cf7 100644
--- a/etc/inc/disable-common.inc
+++ b/etc/inc/disable-common.inc
@@ -167,6 +167,10 @@ blacklist ${RUNUSER}/gnome-session-leader-fifo
 blacklist ${RUNUSER}/gnome-shell
 blacklist ${RUNUSER}/gsconnect
 
+# i3 IPC socket (allows arbitrary shell script execution)
+blacklist ${RUNUSER}/i3/ipc-socket.*
+blacklist /tmp/i3-*/ipc-socket.*
+
 # systemd
 blacklist ${HOME}/.config/systemd
 blacklist ${HOME}/.local/share/systemd
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc
index 73876fde3..d2f8b8cfa 100644
--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -1251,11 +1251,13 @@ blacklist ${HOME}/yt-dlp.conf
 blacklist ${HOME}/yt-dlp.conf.txt
 blacklist ${RUNUSER}/*firefox*
 blacklist ${RUNUSER}/akonadi
+blacklist ${RUNUSER}/i3
 blacklist ${RUNUSER}/psd/*firefox*
 blacklist ${RUNUSER}/qutebrowser
 blacklist /etc/ssmtp
 blacklist /tmp/.wine-*
 blacklist /tmp/akonadi-*
+blacklist /tmp/i3-*
 blacklist /tmp/lwjgl_*
 blacklist /var/games/nethack
 blacklist /var/games/slashem
diff --git a/etc/profile-a-l/i3.profile b/etc/profile-a-l/i3.profile
index 2268072ef..412e31762 100644
--- a/etc/profile-a-l/i3.profile
+++ b/etc/profile-a-l/i3.profile
@@ -8,6 +8,10 @@ include globals.local
 
 # all applications started in i3 will run in this profile
 noblacklist ${HOME}/.config/i3
+noblacklist ${RUNUSER}/i3
+noblacklist ${RUNUSER}/i3/ipc-socket.*
+noblacklist /tmp/i3-*
+noblacklist /tmp/i3-*/ipc-socket.*
 include disable-common.inc
 
 caps.drop all