diff options
| author |  smitsohu <smitsohu@gmail.com> | 2018-12-07 16:29:06 +0100 |
|---|---|---|
| committer | smitsohu <smitsohu@gmail.com> | 2018-12-07 16:29:06 +0100 |
| commit | c083a7b737050c532977b46fac6400f1dbc24ff6 (patch) | |
| tree | 3f9438ec7985b5191da4ca47fb0b9e4822cf249f | |
| parent | add HAS_NODBUS conditional, ${RUNUSER} makro (diff) | |
| download | firejail-c083a7b737050c532977b46fac6400f1dbc24ff6.tar.gz firejail-c083a7b737050c532977b46fac6400f1dbc24ff6.tar.zst firejail-c083a7b737050c532977b46fac6400f1dbc24ff6.zip | |
improve sandboxing of KDE apps: set KDE_FORK_SLAVES, blacklist slave-sockets
setting the KDE_FORK_SLAVES environment variable removes all inconsistencies
that arise from slaves running outside the sandbox or in a different sandbox;
it also makes it slightly more difficult to abuse KIO in general and helps to
mitigate security problems due to thumbnailing, which now always happens inside
the same sandbox. The trade-off is more concurrently running slave processes.
closes #2285
| -rw-r--r-- | etc/disable-common.inc | 13 | ||||
| -rw-r--r-- | src/firejail/env.c | 4 |
2 files changed, 12 insertions, 5 deletions
diff --git a/etc/disable-common.inc b/etc/disable-common.inc index 74b653385..481717d24 100644 --- a/etc/disable-common.inc +++ b/etc/disable-common.inc | |||
| @@ -118,11 +118,14 @@ read-only ${HOME}/.local/share/konsole | |||
| 118 | read-only ${HOME}/.local/share/kservices5 | 118 | read-only ${HOME}/.local/share/kservices5 |
| 119 | read-only ${HOME}/.local/share/kssl | 119 | read-only ${HOME}/.local/share/kssl |
| 120 | 120 | ||
| 121 | # kdeinit socket | 121 | # KDE sockets |
| 122 | blacklist /run/user/*/kdeinit5__* | 122 | blacklist ${RUNUSER}/kdeinit5__* |
| 123 | # blacklist /run/user/*/ksocket-*/kdeinit4__* | 123 | blacklist ${RUNUSER}/*.slave-socket |
| 124 | # blacklist /tmp/ksocket-*/kdeinit4__* | 124 | # decide heuristically if the kdeinit4 socket can be blacklisted |
| 125 | # causes issues when kdeinit4 gets killed; enable on KDE Plasma 4 | 125 | ?HAS_NODBUS: blacklist ${RUNUSER}/ksocket-*/kdeinit4__* |
| 126 | blacklist ${RUNUSER}/ksocket-*/*.slave-socket | ||
| 127 | ?HAS_NODBUS: blacklist /tmp/ksocket-*/kdeinit4__* | ||
| 128 | blacklist /tmp/ksocket-*/*.slave-socket | ||
| 126 | 129 | ||
| 127 | # gnome | 130 | # gnome |
| 128 | # contains extensions, last used times of applications, and notifications | 131 | # contains extensions, last used times of applications, and notifications |
diff --git a/src/firejail/env.c b/src/firejail/env.c index a09be8a77..fd4bfbd57 100644 --- a/src/firejail/env.c +++ b/src/firejail/env.c | |||
| @@ -132,6 +132,10 @@ void env_defaults(void) { | |||
| 132 | if (cfg.shell && setenv("SHELL", cfg.shell, 1) < 0) | 132 | if (cfg.shell && setenv("SHELL", cfg.shell, 1) < 0) |
| 133 | errExit("setenv"); | 133 | errExit("setenv"); |
| 134 | 134 | ||
| 135 | // spawn KIO slaves inside the sandbox | ||
| 136 | if (setenv("KDE_FORK_SLAVES", "1", 1) < 0) | ||
| 137 | errExit("setenv"); | ||
| 138 | |||
| 135 | // set prompt color to green | 139 | // set prompt color to green |
| 136 | int set_prompt = 0; | 140 | int set_prompt = 0; |
| 137 | if (checkcfg(CFG_FIREJAIL_PROMPT)) | 141 | if (checkcfg(CFG_FIREJAIL_PROMPT)) |