author | Kelvin M. Klann <kmk3.code@protonmail.com> | 2024-03-24 06:44:22 +0000 |
---|---|---|
committer | GitHub <noreply@github.com> | 2024-03-24 06:44:22 +0000 |
commit | 945ad858ed61f71b6eed852f118c292fda8442f9 (patch) | |
tree | 6b5bf13955fc3964a12eb5104936c2f05ad5c8a8 /etc | |
parent | gconf-editor: remove X11 socket blacklist (diff) | |
profiles: deny access to ~/.config/autostart (#6257)
The files in this directory are intended to be automatically executed
when the user logs in.
In which case, granting write access to this directory allows the
program to easily escape the sandbox (by autostarting itself outside of
firejail, for example).
Misc: This was noticed on #6244.
Diffstat (limited to 'etc')
-rw-r--r-- | etc/profile-a-l/dropbox.profile | 9 | ||||
-rw-r--r-- | etc/profile-a-l/gitter.profile | 7 | ||||
-rw-r--r-- | etc/profile-m-z/meteo-qt.profile | 7 |
3 files changed, 16 insertions, 7 deletions
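--- a/etc/profile-a-l/dropbox.profile
+++ b/etc/profile-a-l/dropbox.profile
@@ -5,7 +5,12 @@ include dropbox.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/autostart
+# To allow the program to autostart, add the following to dropbox.local:
+# Warning: This allows the program to easily escape the sandbox.
+#noblacklist ${HOME}/.config/autostart
+#mkfile ${HOME}/.config/autostart/dropbox.desktop
+#whitelist ${HOME}/.config/autostart/dropbox.desktop
+
 noblacklist ${HOME}/.dropbox
 noblacklist ${HOME}/.dropbox-dist
 
@@ -20,8 +25,6 @@ include disable-programs.inc
 mkdir ${HOME}/.dropbox
 mkdir ${HOME}/.dropbox-dist
 mkdir ${HOME}/Dropbox
-mkfile ${HOME}/.config/autostart/dropbox.desktop
-whitelist ${HOME}/.config/autostart/dropbox.desktop
 whitelist ${HOME}/.dropbox
 whitelist ${HOME}/.dropbox-dist
 whitelist ${HOME}/Dropbox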
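Review bot: The new warning line in the first hunk states the consequence ("easily escape the sandbox") but not the mechanism, so a user reading dropbox.profile without the commit message cannot judge the risk of enabling the commented-out snippet. The commit message already has the reasoning: entries in ~/.config/autostart are executed at login, outside of firejail. I would carry that into the profile in place of the current warning, e.g. `# Warning: Files placed there are executed outside the sandbox at the next login, so this allows the program to easily escape the sandbox.`. The same wording would then apply to the identical warning lines in gitter.profile and meteo-qt.profile.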
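--- a/etc/profile-a-l/gitter.profile
+++ b/etc/profile-a-l/gitter.profile
@@ -5,7 +5,11 @@ include gitter.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/autostart
+# To allow the program to autostart, add the following to gitter.local:
+# Warning: This allows the program to easily escape the sandbox.
+#noblacklist ${HOME}/.config/autostart
+#whitelist ${HOME}/.config/autostart
+
 noblacklist ${HOME}/.config/Gitter
 
 include disable-common.inc
@@ -16,7 +20,6 @@ include disable-programs.inc
 
 mkdir ${HOME}/.config/Gitter
 whitelist ${DOWNLOADS}
-whitelist ${HOME}/.config/autostart
 whitelist ${HOME}/.config/Gitter
 whitelist /opt/Gitter
 include whitelist-var-common.inc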
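Review bot: The opt-in snippet in the first hunk, `#whitelist ${HOME}/.config/autostart`, whitelists the whole autostart directory, so a user who enables it gives the program write access to every autostart entry rather than only its own; the dropbox.profile snippet in the same commit is narrower, pairing `mkfile` and `whitelist` on a single .desktop file. If the name of the .desktop file the program writes is known, I would mirror that shape here: `#mkfile ${HOME}/.config/autostart/<gitter-desktop-file>.desktop` and `#whitelist ${HOME}/.config/autostart/<gitter-desktop-file>.desktop` (placeholder for the actual file name, which is not visible in this diff). The same directory-wide snippet appears in the meteo-qt.profile hunk below and would benefit from the same narrowing. Whether the directory is in fact blacklisted once `noblacklist` is removed depends on disable-common.inc, which is included here but not shown.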
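--- a/etc/profile-m-z/meteo-qt.profile
+++ b/etc/profile-m-z/meteo-qt.profile
@@ -6,7 +6,11 @@ include meteo-qt.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/autostart
+# To allow the program to autostart, add the following to meteo-qt.local:
+# Warning: This allows the program to easily escape the sandbox.
+#noblacklist ${HOME}/.config/autostart
+#whitelist ${HOME}/.config/autostart
+
 noblacklist ${HOME}/.config/meteo-qt
 
 # Allow python (blacklisted by disable-interpreters.inc)
@@ -21,7 +25,6 @@ include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.config/meteo-qt
-whitelist ${HOME}/.config/autostart
 whitelist ${HOME}/.config/meteo-qt
 include whitelist-common.inc
 include whitelist-var-common.inc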