author | Kelvin M. Klann <kmk3.code@protonmail.com> | 2022-03-27 16:57:55 -0300 |
---|---|---|
committer | Kelvin M. Klann <kmk3.code@protonmail.com> | 2022-03-27 17:16:31 -0300 |
commit | 14428e6904e7d4bee9c742a35e55e0054ad601cd (patch) | |
tree | ee6c0c25d36325eddb1f4273cafb852e5a1d4605 /etc/inc | |
parent | megaglest.profile: Add allow-lua.inc (#5066) (diff) | |
disable-common.inc: make ~/.config/pkcs11 read-only

It looks like it allows arbitrary command execution. From
pkcs11.conf(5):

> remote:
> Instead of loading the PKCS#11 module locally, run the module
> remotely.
>
> Specify a command to run, prefixed with | a pipe. The command
> must speak the p11-kit remoting protocol on its standard in
> and standard out. For example:
>
> remote: |ssh user@remote p11-kit remote /path/to/module.so
>
> Other forms of remoting will appear in later p11-kit releases.

Environment: p11-kit 0.24.1-1 on Artix Linux.

Currently this entry only exists on whitelist-common.inc, added on
commit f74cfd07c ("add p11-kit support - #1646").

With this commit applied, all read-only entries on whitelist-common.inc
are also part of disable-common.inc.

See also the discussion on #5069.

Diffstat (limited to 'etc/inc')
-rw-r--r-- | etc/inc/disable-common.inc | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/etc/inc/disable-common.inc b/etc/inc/disable-common.inc index 080a7f3a1..2ff31e80a 100644 --- a/etc/inc/disable-common.inc +++ b/etc/inc/disable-common.inc | |||
@@ -328,6 +328,7 @@ read-only ${HOME}/.ssh/config.d | |||
328 | read-only ${HOME}/.caffrc | 328 | read-only ${HOME}/.caffrc |
329 | read-only ${HOME}/.cargo/env | 329 | read-only ${HOME}/.cargo/env |
330 | read-only ${HOME}/.config/nvim | 330 | read-only ${HOME}/.config/nvim |
331 | read-only ${HOME}/.config/pkcs11 | ||
331 | read-only ${HOME}/.dotfiles | 332 | read-only ${HOME}/.dotfiles |
332 | read-only ${HOME}/.emacs | 333 | read-only ${HOME}/.emacs |
333 | read-only ${HOME}/.emacs.d | 334 | read-only ${HOME}/.emacs.d |
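Review bot: The new entry at line 331 (`read-only ${HOME}/.config/pkcs11`) has no comment explaining why a PKCS#11 configuration directory belongs in this list, and unlike its neighbours (`.config/nvim`, `.emacs.d`) the reason is not obvious from the path. The rationale, that a `remote:` line in a p11-kit config can name a command to run, lives only in the commit message. Consider a one-line comment above the entry, for example `# pkcs11.conf(5) "remote:" runs a command`, so the entry is not dropped as unneeded in a later cleanup. The commit message also reports a single test environment and does not say whether `~/.config/pkcs11` existed when the sandbox started; it would help to state how the rule behaves when the directory is absent, since that is the case where a sandboxed program could try to create it.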