diff options
author | Shahriar Heidrich <smheidrich@weltenfunktion.de> | 2024-06-08 10:52:17 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2024-06-08 08:52:17 +0000 |
commit | 533db20e9912e782e149e49d2e3a86e842a2b3af (patch) | |
tree | ed02316d96bde0aecbb25c98fbbd8391696ab920 /etc/profile-a-l | |
parent | New profile: armcord (#6365) (diff) | |
download | firejail-533db20e9912e782e149e49d2e3a86e842a2b3af.tar.gz firejail-533db20e9912e782e149e49d2e3a86e842a2b3af.tar.zst firejail-533db20e9912e782e149e49d2e3a86e842a2b3af.zip |
profiles: blacklist i3 IPC socket & dir except for i3 itself (#6361)
This closes the escape route discussed in #6357.
It's left open for i3's own profile, so that people who run i3 itself
sandboxed still have the option to use IPC with it at all.
Reference for file paths:
https://i3wm.org/docs/userguide.html#_interprocess_communication
Diffstat (limited to 'etc/profile-a-l')
-rw-r--r-- | etc/profile-a-l/i3.profile | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/etc/profile-a-l/i3.profile b/etc/profile-a-l/i3.profile index 2268072ef..412e31762 100644 --- a/etc/profile-a-l/i3.profile +++ b/etc/profile-a-l/i3.profile | |||
@@ -8,6 +8,10 @@ include globals.local | |||
8 | 8 | ||
9 | # all applications started in i3 will run in this profile | 9 | # all applications started in i3 will run in this profile |
10 | noblacklist ${HOME}/.config/i3 | 10 | noblacklist ${HOME}/.config/i3 |
11 | noblacklist ${RUNUSER}/i3 | ||
12 | noblacklist ${RUNUSER}/i3/ipc-socket.* | ||
13 | noblacklist /tmp/i3-* | ||
14 | noblacklist /tmp/i3-*/ipc-socket.* | ||
11 | include disable-common.inc | 15 | include disable-common.inc |
12 | 16 | ||
13 | caps.drop all | 17 | caps.drop all |