ssh: move auth socket blacklist to disable-common.inc

That was added on the commit e93fbf3bd ("disable ssh-agent sockets in disable-programs.inc"). Currently, it's the only ssh-related entry on disable-programs.inc. Further, it seems that all the other socket blacklists live on disable-common.inc. Also, even though this socket does not necessarily allow arbitrary command execution on the local machine (like some paths on disable-common.inc do), it could still do so for remote systems. Put it above the "top secret" section, like the terminal sockets are above the terminal server section.
author: Kelvin M. Klann <kmk3.code@protonmail.com> 2021-01-21 04:37:34 -0300
committer: Kelvin M. Klann <kmk3.code@protonmail.com> 2021-01-22 04:41:11 -0300
commit: add6ee8c23bc500c27ba9e4258be8d0f7a26945e (patch)
tree: f3550fd1524902113142f9fbeaf6cc6716e53601 /etc/inc/disable-common.inc
parent: refactor nodejs applications (npm & yarn) (#3876) (diff)
download: firejail-add6ee8c23bc500c27ba9e4258be8d0f7a26945e.tar.gz
firejail-add6ee8c23bc500c27ba9e4258be8d0f7a26945e.tar.zst
firejail-add6ee8c23bc500c27ba9e4258be8d0f7a26945e.zip
1 files changed, 3 insertions, 0 deletions
diff --git a/etc/inc/disable-common.inc b/etc/inc/disable-common.inc
index 0de539d57..eeafe3ec4 100644
--- a/etc/inc/disable-common.inc
+++ b/etc/inc/disable-common.inc
@@ -347,6 +347,9 @@ read-only ${HOME}/.local/share/mime
 # Write-protection for thumbnailer dir
 read-only ${HOME}/.local/share/thumbnailers
+# prevent access to ssh-agent
+blacklist /tmp/ssh-*
 # top secret
 blacklist ${HOME}/*.kdb
 blacklist ${HOME}/*.kdbx
author	Kelvin M. Klann <kmk3.code@protonmail.com>	2021-01-21 04:37:34 -0300
committer	Kelvin M. Klann <kmk3.code@protonmail.com>	2021-01-22 04:41:11 -0300
commit	add6ee8c23bc500c27ba9e4258be8d0f7a26945e (patch)
tree	f3550fd1524902113142f9fbeaf6cc6716e53601 /etc/inc/disable-common.inc
parent	refactor nodejs applications (npm & yarn) (#3876) (diff)
download	firejail-add6ee8c23bc500c27ba9e4258be8d0f7a26945e.tar.gz firejail-add6ee8c23bc500c27ba9e4258be8d0f7a26945e.tar.zst firejail-add6ee8c23bc500c27ba9e4258be8d0f7a26945e.zip

diff --git a/etc/inc/disable-common.inc b/etc/inc/disable-common.inc index 0de539d57..eeafe3ec4 100644 --- a/etc/inc/disable-common.inc +++ b/etc/inc/disable-common.inc
@@ -347,6 +347,9 @@ read-only ${HOME}/.local/share/mime
347	# Write-protection for thumbnailer dir	347	# Write-protection for thumbnailer dir
348	read-only ${HOME}/.local/share/thumbnailers	348	read-only ${HOME}/.local/share/thumbnailers
349		349
		350	# prevent access to ssh-agent
		351	blacklist /tmp/ssh-*
		352
350	# top secret	353	# top secret
351	blacklist ${HOME}/*.kdb	354	blacklist ${HOME}/*.kdb
352	blacklist ${HOME}/*.kdbx	355	blacklist ${HOME}/*.kdbx