diff options
author | 2024-06-08 10:52:17 +0200 | |
---|---|---|
committer | 2024-06-08 08:52:17 +0000 | |
commit | 533db20e9912e782e149e49d2e3a86e842a2b3af (patch) | |
tree | ed02316d96bde0aecbb25c98fbbd8391696ab920 /etc/inc/disable-common.inc | |
parent | New profile: armcord (#6365) (diff) | |
download | firejail-533db20e9912e782e149e49d2e3a86e842a2b3af.tar.gz firejail-533db20e9912e782e149e49d2e3a86e842a2b3af.tar.zst firejail-533db20e9912e782e149e49d2e3a86e842a2b3af.zip |
profiles: blacklist i3 IPC socket & dir except for i3 itself (#6361)
This closes the escape route discussed in #6357.
It's left open for i3's own profile, so that people who run i3 itself
sandboxed still have the option to use IPC with it at all.
Reference for file paths:
https://i3wm.org/docs/userguide.html#_interprocess_communication
Diffstat (limited to 'etc/inc/disable-common.inc')
-rw-r--r-- | etc/inc/disable-common.inc | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/etc/inc/disable-common.inc b/etc/inc/disable-common.inc index 55aabbc73..14f7d8cf7 100644 --- a/etc/inc/disable-common.inc +++ b/etc/inc/disable-common.inc | |||
@@ -167,6 +167,10 @@ blacklist ${RUNUSER}/gnome-session-leader-fifo | |||
167 | blacklist ${RUNUSER}/gnome-shell | 167 | blacklist ${RUNUSER}/gnome-shell |
168 | blacklist ${RUNUSER}/gsconnect | 168 | blacklist ${RUNUSER}/gsconnect |
169 | 169 | ||
170 | # i3 IPC socket (allows arbitrary shell script execution) | ||
171 | blacklist ${RUNUSER}/i3/ipc-socket.* | ||
172 | blacklist /tmp/i3-*/ipc-socket.* | ||
173 | |||
170 | # systemd | 174 | # systemd |
171 | blacklist ${HOME}/.config/systemd | 175 | blacklist ${HOME}/.config/systemd |
172 | blacklist ${HOME}/.local/share/systemd | 176 | blacklist ${HOME}/.local/share/systemd |