author: Kelvin M. Klann <kmk3.code@protonmail.com> 2021-01-21 04:37:34 -0300
committer: Kelvin M. Klann <kmk3.code@protonmail.com> 2021-01-22 04:41:11 -0300
commit: add6ee8c23bc500c27ba9e4258be8d0f7a26945e (patch)
tree: f3550fd1524902113142f9fbeaf6cc6716e53601
parent: refactor nodejs applications (npm & yarn) (#3876) (diff)
ssh: move auth socket blacklist to disable-common.inc
That was added on the commit e93fbf3bd ("disable ssh-agent sockets in
disable-programs.inc").
Currently, it's the only ssh-related entry on disable-programs.inc.
Further, it seems that all the other socket blacklists live on
disable-common.inc. Also, even though this socket does not necessarily
allow arbitrary command execution on the local machine (like some paths
on disable-common.inc do), it could still do so for remote systems.
Put it above the "top secret" section, like the terminal sockets are
above the terminal server section.
-rw-r--r-- etc/inc/disable-common.inc | 3
-rw-r--r-- etc/inc/disable-programs.inc | 1
2 files changed, 3 insertions, 1 deletions
diff --git a/etc/inc/disable-common.inc b/etc/inc/disable-common.inc index 0de539d57..eeafe3ec4 100644 --- a/etc/inc/disable-common.inc +++ b/etc/inc/disable-common.inc | |||
@@ -347,6 +347,9 @@ read-only ${HOME}/.local/share/mime | |||
347 | # Write-protection for thumbnailer dir | 347 | # Write-protection for thumbnailer dir |
348 | read-only ${HOME}/.local/share/thumbnailers | 348 | read-only ${HOME}/.local/share/thumbnailers |
349 | 349 | ||
350 | # prevent access to ssh-agent | ||
351 | blacklist /tmp/ssh-* | ||
352 | |||
350 | # top secret | 353 | # top secret |
351 | blacklist ${HOME}/*.kdb | 354 | blacklist ${HOME}/*.kdb |
352 | blacklist ${HOME}/*.kdbx | 355 | blacklist ${HOME}/*.kdbx |
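Review bot: the comment `# prevent access to ssh-agent` on the added line promises more than `blacklist /tmp/ssh-*` delivers; the glob only matches agent directories created under /tmp, so an agent whose socket lives elsewhere (any other SSH_AUTH_SOCK location) is untouched by this rule. Suggest narrowing the comment, e.g. `# prevent access to ssh-agent sockets under /tmp`, so a profile author reading disable-common.inc does not assume every agent socket is blocked.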
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc index 74cbfbcbe..2ef40b23a 100644 --- a/etc/inc/disable-programs.inc +++ b/etc/inc/disable-programs.inc | |||
@@ -856,7 +856,6 @@ blacklist ${HOME}/.yarncache | |||
856 | blacklist ${HOME}/.yarnrc | 856 | blacklist ${HOME}/.yarnrc |
857 | blacklist ${HOME}/.zoom | 857 | blacklist ${HOME}/.zoom |
858 | blacklist /tmp/akonadi-* | 858 | blacklist /tmp/akonadi-* |
859 | blacklist /tmp/ssh-* | ||
860 | blacklist /tmp/.wine-* | 859 | blacklist /tmp/.wine-* |
861 | blacklist /var/games/nethack | 860 | blacklist /var/games/nethack |
862 | blacklist /var/games/slashem | 861 | blacklist /var/games/slashem |
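Review bot: dropping `blacklist /tmp/ssh-*` from disable-programs.inc is only behaviour-preserving if every profile that pulled this entry in via disable-programs.inc also includes disable-common.inc, where the rule now lives; nothing in the diff shows that. Please confirm that no profile includes disable-programs.inc without disable-common.inc (a grep over the profiles for the two include lines is enough) and note the result in the commit message, otherwise any such profile silently loses the socket blacklist.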