diff options
| author |  Shahriar Heidrich <smheidrich@weltenfunktion.de> | 2024-06-08 10:52:17 +0200 |
|---|---|---|
| committer |  GitHub <noreply@github.com> | 2024-06-08 08:52:17 +0000 |
| commit | 533db20e9912e782e149e49d2e3a86e842a2b3af (patch) | |
| tree | ed02316d96bde0aecbb25c98fbbd8391696ab920 /etc/inc/disable-common.inc | |
| parent | New profile: armcord (#6365) (diff) | |
| download | firejail-533db20e9912e782e149e49d2e3a86e842a2b3af.tar.gz firejail-533db20e9912e782e149e49d2e3a86e842a2b3af.tar.zst firejail-533db20e9912e782e149e49d2e3a86e842a2b3af.zip | |
profiles: blacklist i3 IPC socket & dir except for i3 itself (#6361)
This closes the escape route discussed in #6357.
It's left open for i3's own profile, so that people who run i3 itself
sandboxed still have the option to use IPC with it at all.
Reference for file paths:
https://i3wm.org/docs/userguide.html#_interprocess_communication
Diffstat (limited to 'etc/inc/disable-common.inc')
| -rw-r--r-- | etc/inc/disable-common.inc | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/etc/inc/disable-common.inc b/etc/inc/disable-common.inc index 55aabbc73..14f7d8cf7 100644 --- a/etc/inc/disable-common.inc +++ b/etc/inc/disable-common.inc | |||
| @@ -167,6 +167,10 @@ blacklist ${RUNUSER}/gnome-session-leader-fifo | |||
| 167 | blacklist ${RUNUSER}/gnome-shell | 167 | blacklist ${RUNUSER}/gnome-shell |
| 168 | blacklist ${RUNUSER}/gsconnect | 168 | blacklist ${RUNUSER}/gsconnect |
| 169 | 169 | ||
| 170 | # i3 IPC socket (allows arbitrary shell script execution) | ||
| 171 | blacklist ${RUNUSER}/i3/ipc-socket.* | ||
| 172 | blacklist /tmp/i3-*/ipc-socket.* | ||
| 173 | |||
| 170 | # systemd | 174 | # systemd |
| 171 | blacklist ${HOME}/.config/systemd | 175 | blacklist ${HOME}/.config/systemd |
| 172 | blacklist ${HOME}/.local/share/systemd | 176 | blacklist ${HOME}/.local/share/systemd |