profiles: deny access to ~/.config/autostart (#6257)

The files in this directory are intended to be automatically executed when the user logs in. In which case, granting write access to this directory allows the program to easily escape the sandbox (by autostarting itself outside of firejail, for example). Misc: This was noticed on #6244.
author: Kelvin M. Klann <kmk3.code@protonmail.com> 2024-03-24 06:44:22 +0000
committer: GitHub <noreply@github.com> 2024-03-24 06:44:22 +0000
commit: 945ad858ed61f71b6eed852f118c292fda8442f9 (patch)
tree: 6b5bf13955fc3964a12eb5104936c2f05ad5c8a8
parent: gconf-editor: remove X11 socket blacklist (diff)
download: firejail-945ad858ed61f71b6eed852f118c292fda8442f9.tar.gz
firejail-945ad858ed61f71b6eed852f118c292fda8442f9.tar.zst
firejail-945ad858ed61f71b6eed852f118c292fda8442f9.zip
3 files changed, 16 insertions, 7 deletions
diff --git a/etc/profile-a-l/dropbox.profile b/etc/profile-a-l/dropbox.profile
index 4fdf1bbfe..3094495d6 100644
--- a/etc/profile-a-l/dropbox.profile
+++ b/etc/profile-a-l/dropbox.profile
@@ -5,7 +5,12 @@ include dropbox.local
 # Persistent global definitions
 include globals.local
-noblacklist ${HOME}/.config/autostart
+# To allow the program to autostart, add the following to dropbox.local:
+# Warning: This allows the program to easily escape the sandbox.
+#noblacklist ${HOME}/.config/autostart
+#mkfile ${HOME}/.config/autostart/dropbox.desktop
+#whitelist ${HOME}/.config/autostart/dropbox.desktop
 noblacklist ${HOME}/.dropbox
 noblacklist ${HOME}/.dropbox-dist
@@ -20,8 +25,6 @@ include disable-programs.inc
 mkdir ${HOME}/.dropbox
 mkdir ${HOME}/.dropbox-dist
 mkdir ${HOME}/Dropbox
-mkfile ${HOME}/.config/autostart/dropbox.desktop
-whitelist ${HOME}/.config/autostart/dropbox.desktop
 whitelist ${HOME}/.dropbox
 whitelist ${HOME}/.dropbox-dist
 whitelist ${HOME}/Dropbox
diff --git a/etc/profile-a-l/gitter.profile b/etc/profile-a-l/gitter.profile
index 54f2923ba..713cb98e9 100644
--- a/etc/profile-a-l/gitter.profile
+++ b/etc/profile-a-l/gitter.profile
@@ -5,7 +5,11 @@ include gitter.local
 # Persistent global definitions
 include globals.local
-noblacklist ${HOME}/.config/autostart
+# To allow the program to autostart, add the following to gitter.local:
+# Warning: This allows the program to easily escape the sandbox.
+#noblacklist ${HOME}/.config/autostart
+#whitelist ${HOME}/.config/autostart
 noblacklist ${HOME}/.config/Gitter
 include disable-common.inc
@@ -16,7 +20,6 @@ include disable-programs.inc
 mkdir ${HOME}/.config/Gitter
 whitelist ${DOWNLOADS}
-whitelist ${HOME}/.config/autostart
 whitelist ${HOME}/.config/Gitter
 whitelist /opt/Gitter
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/meteo-qt.profile b/etc/profile-m-z/meteo-qt.profile
index db87b21bc..3c752a0c7 100644
--- a/etc/profile-m-z/meteo-qt.profile
+++ b/etc/profile-m-z/meteo-qt.profile
@@ -6,7 +6,11 @@ include meteo-qt.local
 # Persistent global definitions
 include globals.local
-noblacklist ${HOME}/.config/autostart
+# To allow the program to autostart, add the following to meteo-qt.local:
+# Warning: This allows the program to easily escape the sandbox.
+#noblacklist ${HOME}/.config/autostart
+#whitelist ${HOME}/.config/autostart
 noblacklist ${HOME}/.config/meteo-qt
 # Allow python (blacklisted by disable-interpreters.inc)
@@ -21,7 +25,6 @@ include disable-shell.inc
 include disable-xdg.inc
 mkdir ${HOME}/.config/meteo-qt
-whitelist ${HOME}/.config/autostart
 whitelist ${HOME}/.config/meteo-qt
 include whitelist-common.inc
 include whitelist-var-common.inc
author	Kelvin M. Klann <kmk3.code@protonmail.com>	2024-03-24 06:44:22 +0000
committer	GitHub <noreply@github.com>	2024-03-24 06:44:22 +0000
commit	945ad858ed61f71b6eed852f118c292fda8442f9 (patch)
tree	6b5bf13955fc3964a12eb5104936c2f05ad5c8a8
parent	gconf-editor: remove X11 socket blacklist (diff)
download	firejail-945ad858ed61f71b6eed852f118c292fda8442f9.tar.gz firejail-945ad858ed61f71b6eed852f118c292fda8442f9.tar.zst firejail-945ad858ed61f71b6eed852f118c292fda8442f9.zip