profiles: deny access to ~/.config/autostart (#6257)

The files in this directory are intended to be automatically executed
when the user logs in.

In which case, granting write access to this directory allows the
program to easily escape the sandbox (by autostarting itself outside of
firejail, for example).

Misc: This was noticed on #6244.

1 files changed, 6 insertions, 3 deletions

diff --git a/etc/profile-a-l/dropbox.profile b/etc/profile-a-l/dropbox.profile
index 4fdf1bbfe..3094495d6 100644
--- a/etc/profile-a-l/dropbox.profile
+++ b/etc/profile-a-l/dropbox.profile
@@ -5,7 +5,12 @@ include dropbox.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/autostart
+# To allow the program to autostart, add the following to dropbox.local:
+# Warning: This allows the program to easily escape the sandbox.
+#noblacklist ${HOME}/.config/autostart
+#mkfile ${HOME}/.config/autostart/dropbox.desktop
+#whitelist ${HOME}/.config/autostart/dropbox.desktop
+
 noblacklist ${HOME}/.dropbox
 noblacklist ${HOME}/.dropbox-dist
 
@@ -20,8 +25,6 @@ include disable-programs.inc
 mkdir ${HOME}/.dropbox
 mkdir ${HOME}/.dropbox-dist
 mkdir ${HOME}/Dropbox
-mkfile ${HOME}/.config/autostart/dropbox.desktop
-whitelist ${HOME}/.config/autostart/dropbox.desktop
 whitelist ${HOME}/.dropbox
 whitelist ${HOME}/.dropbox-dist
 whitelist ${HOME}/Dropbox