author | smitsohu <smitsohu@gmail.com> | 2018-12-07 16:29:06 +0100 |
---|---|---|
committer | smitsohu <smitsohu@gmail.com> | 2018-12-07 16:29:06 +0100 |
commit | c083a7b737050c532977b46fac6400f1dbc24ff6 (patch) | |
tree | 3f9438ec7985b5191da4ca47fb0b9e4822cf249f /etc/disable-common.inc | |
parent | add HAS_NODBUS conditional, ${RUNUSER} makro (diff) | |
improve sandboxing of KDE apps: set KDE_FORK_SLAVES, blacklist slave-sockets
setting the KDE_FORK_SLAVES environment variable removes all inconsistencies
that arise from slaves running outside the sandbox or in a different sandbox;
it also makes it slightly more difficult to abuse KIO in general and helps to
mitigate security problems due to thumbnailing, which now always happens inside
the same sandbox. The trade-off is more concurrently running slave processes.
closes #2285
Diffstat (limited to 'etc/disable-common.inc')
-rw-r--r-- | etc/disable-common.inc | 13 |
1 files changed, 8 insertions, 5 deletions
diff --git a/etc/disable-common.inc b/etc/disable-common.inc index 74b653385..481717d24 100644 --- a/etc/disable-common.inc +++ b/etc/disable-common.inc | |||
@@ -118,11 +118,14 @@ read-only ${HOME}/.local/share/konsole | |||
118 | read-only ${HOME}/.local/share/kservices5 | 118 | read-only ${HOME}/.local/share/kservices5 |
119 | read-only ${HOME}/.local/share/kssl | 119 | read-only ${HOME}/.local/share/kssl |
120 | 120 | ||
121 | # kdeinit socket | 121 | # KDE sockets |
122 | blacklist /run/user/*/kdeinit5__* | 122 | blacklist ${RUNUSER}/kdeinit5__* |
123 | # blacklist /run/user/*/ksocket-*/kdeinit4__* | 123 | blacklist ${RUNUSER}/*.slave-socket |
124 | # blacklist /tmp/ksocket-*/kdeinit4__* | 124 | # decide heuristically if the kdeinit4 socket can be blacklisted |
125 | # causes issues when kdeinit4 gets killed; enable on KDE Plasma 4 | 125 | ?HAS_NODBUS: blacklist ${RUNUSER}/ksocket-*/kdeinit4__* |
126 | blacklist ${RUNUSER}/ksocket-*/*.slave-socket | ||
127 | ?HAS_NODBUS: blacklist /tmp/ksocket-*/kdeinit4__* | ||
128 | blacklist /tmp/ksocket-*/*.slave-socket | ||
126 | 129 | ||
127 | # gnome | 130 | # gnome |
128 | # contains extensions, last used times of applications, and notifications | 131 | # contains extensions, last used times of applications, and notifications |
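Review bot: the new comment "# decide heuristically if the kdeinit4 socket can be blacklisted" (new line 124) does not say what the heuristic is or why HAS_NODBUS makes the blacklist safe, and the old caveat "causes issues when kdeinit4 gets killed; enable on KDE Plasma 4" is dropped without a replacement. Please spell out in the comment that the kdeinit4 rules only take effect when HAS_NODBUS is set and what that condition is meant to detect, and carry over the note about what breaks when the socket is hidden on a system where kdeinit4 is still needed. The second conditional rule, "?HAS_NODBUS: blacklist /tmp/ksocket-*/kdeinit4__*" (new line 127), sits after an unconditional slave-socket rule, so the comment reads as if it covers only line 125; grouping the two ?HAS_NODBUS lines directly under the comment, followed by the three unconditional "*.slave-socket" rules, would make the conditional and unconditional parts easier to tell apart.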