| author | Kelvin M. Klann <kmk3.code@protonmail.com> | 2021-01-21 04:37:34 -0300 |
|---|---|---|
| committer | Kelvin M. Klann <kmk3.code@protonmail.com> | 2021-01-22 04:41:11 -0300 |
| commit | add6ee8c23bc500c27ba9e4258be8d0f7a26945e | |
| tree | f3550fd1524902113142f9fbeaf6cc6716e53601 /etc | |
| parent | refactor nodejs applications (npm & yarn) (#3876) | |
ssh: move auth socket blacklist to disable-common.inc
That was added in commit e93fbf3bd ("disable ssh-agent sockets in
disable-programs.inc").

Currently, it's the only ssh-related entry in disable-programs.inc.
Further, it seems that all the other socket blacklists live in
disable-common.inc. Also, even though this socket does not necessarily
allow arbitrary command execution on the local machine (like some paths
in disable-common.inc do), it could still do so for remote systems.

Put it above the "top secret" section, like the terminal sockets are
above the terminal server section.
Diffstat (limited to 'etc')

| mode | file | lines |
|---|---|---|
| -rw-r--r-- | etc/inc/disable-common.inc | 3 |
| -rw-r--r-- | etc/inc/disable-programs.inc | 1 |

2 files changed, 3 insertions, 1 deletions
diff --git a/etc/inc/disable-common.inc b/etc/inc/disable-common.inc index 0de539d57..eeafe3ec4 100644 --- a/etc/inc/disable-common.inc +++ b/etc/inc/disable-common.inc | |||
@@ -347,6 +347,9 @@ read-only ${HOME}/.local/share/mime | |||
347 | # Write-protection for thumbnailer dir | 347 | # Write-protection for thumbnailer dir |
348 | read-only ${HOME}/.local/share/thumbnailers | 348 | read-only ${HOME}/.local/share/thumbnailers |
349 | 349 | ||
350 | # prevent access to ssh-agent | ||
351 | blacklist /tmp/ssh-* | ||
352 | |||
350 | # top secret | 353 | # top secret |
351 | blacklist ${HOME}/*.kdb | 354 | blacklist ${HOME}/*.kdb |
352 | blacklist ${HOME}/*.kdbx | 355 | blacklist ${HOME}/*.kdbx |
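Review bot: the new comment `# prevent access to ssh-agent` above `blacklist /tmp/ssh-*` promises more than the glob delivers: it only hides sockets under the default `/tmp/ssh-*` directory, so any agent socket living elsewhere is not covered by this line. The commit message gives the actual rationale (the socket can enable command execution on remote systems), which is worth carrying into the file. Suggest tightening the comment to state the scope and the reason, e.g. `# prevent access to the default ssh-agent socket dir (agent forwarding)`, so a later reader does not assume every agent socket location is blacklisted here. Placement above the "top secret" block matches the stated intent and the terminal-socket precedent.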
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc index 74cbfbcbe..2ef40b23a 100644 --- a/etc/inc/disable-programs.inc +++ b/etc/inc/disable-programs.inc | |||
@@ -856,7 +856,6 @@ blacklist ${HOME}/.yarncache | |||
856 | blacklist ${HOME}/.yarnrc | 856 | blacklist ${HOME}/.yarnrc |
857 | blacklist ${HOME}/.zoom | 857 | blacklist ${HOME}/.zoom |
858 | blacklist /tmp/akonadi-* | 858 | blacklist /tmp/akonadi-* |
859 | blacklist /tmp/ssh-* | ||
860 | blacklist /tmp/.wine-* | 859 | blacklist /tmp/.wine-* |
861 | blacklist /var/games/nethack | 860 | blacklist /var/games/nethack |
862 | blacklist /var/games/slashem | 861 | blacklist /var/games/slashem |
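Review bot: dropping `blacklist /tmp/ssh-*` from this file means any profile that includes disable-programs.inc but not disable-common.inc silently loses the ssh-agent socket blacklist after this change; the commit message describes the entry as moved but does not state that no such profile exists. Suggest confirming that (e.g. grep the profiles for includes of disable-programs.inc that lack disable-common.inc) and recording the result in the commit message, or keeping the line in both files if such a profile is found.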