diff options
author | Kelvin M. Klann <kmk3.code@protonmail.com> | 2022-03-27 16:57:55 -0300 |
---|---|---|
committer | Kelvin M. Klann <kmk3.code@protonmail.com> | 2022-03-27 17:16:31 -0300 |
commit | 14428e6904e7d4bee9c742a35e55e0054ad601cd (patch) | |
tree | ee6c0c25d36325eddb1f4273cafb852e5a1d4605 /contrib/update_deb.sh | |
parent | megaglest.profile: Add allow-lua.inc (#5066) (diff) | |
download | firejail-14428e6904e7d4bee9c742a35e55e0054ad601cd.tar.gz firejail-14428e6904e7d4bee9c742a35e55e0054ad601cd.tar.zst firejail-14428e6904e7d4bee9c742a35e55e0054ad601cd.zip |
disable-common.inc: make ~/.config/pkcs11 read-only
It looks like it allows arbitrary command execution. From
pkcs11.conf(5):
> remote:
> Instead of loading the PKCS#11 module locally, run the module
> remotely.
>
> Specify a command to run, prefixed with | a pipe. The command
> must speak the p11-kit remoting protocol on its standard in
> and standard out. For example:
>
> remote: |ssh user@remote p11-kit remote /path/to/module.so
>
> Other forms of remoting will appear in later p11-kit releases.
Environment: p11-kit 0.24.1-1 on Artix Linux.
Currently this entry only exists on whitelist-common.inc, added on
commit f74cfd07c ("add p11-kit support - #1646").
With this commit applied, all read-only entries on whitelist-commons.inc
are also part of disable-common.inc.
See also the discussion on #5069.
Diffstat (limited to 'contrib/update_deb.sh')
0 files changed, 0 insertions, 0 deletions