profiles: deny access to ~/.config/autostart (#6257)

The files in this directory are intended to be automatically executed
when the user logs in.

In which case, granting write access to this directory allows the
program to easily escape the sandbox (by autostarting itself outside of
firejail, for example).

Misc: This was noticed on #6244.

1 files changed, 5 insertions, 2 deletions

diff --git a/etc/profile-a-l/gitter.profile b/etc/profile-a-l/gitter.profile
index 54f2923ba..713cb98e9 100644
--- a/etc/profile-a-l/gitter.profile
+++ b/etc/profile-a-l/gitter.profile
@@ -5,7 +5,11 @@ include gitter.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/autostart
+# To allow the program to autostart, add the following to gitter.local:
+# Warning: This allows the program to easily escape the sandbox.
+#noblacklist ${HOME}/.config/autostart
+#whitelist ${HOME}/.config/autostart
+
 noblacklist ${HOME}/.config/Gitter
 
 include disable-common.inc
@@ -16,7 +20,6 @@ include disable-programs.inc
 
 mkdir ${HOME}/.config/Gitter
 whitelist ${DOWNLOADS}
-whitelist ${HOME}/.config/autostart
 whitelist ${HOME}/.config/Gitter
 whitelist /opt/Gitter
 include whitelist-var-common.inc