disable-common.inc: make ~/.config/pkcs11 read-only

It looks like it allows arbitrary command execution. From pkcs11.conf(5): > remote: > Instead of loading the PKCS#11 module locally, run the module > remotely. > > Specify a command to run, prefixed with | a pipe. The command > must speak the p11-kit remoting protocol on its standard in > and standard out. For example: > > remote: |ssh user@remote p11-kit remote /path/to/module.so > > Other forms of remoting will appear in later p11-kit releases. Environment: p11-kit 0.24.1-1 on Artix Linux. Currently this entry only exists on whitelist-common.inc, added on commit f74cfd07c ("add p11-kit support - #1646"). With this commit applied, all read-only entries on whitelist-commons.inc are also part of disable-common.inc. See also the discussion on #5069.
author: Kelvin M. Klann <kmk3.code@protonmail.com> 2022-03-27 16:57:55 -0300
committer: Kelvin M. Klann <kmk3.code@protonmail.com> 2022-03-27 17:16:31 -0300
commit: 14428e6904e7d4bee9c742a35e55e0054ad601cd (patch)
tree: ee6c0c25d36325eddb1f4273cafb852e5a1d4605 /etc
parent: megaglest.profile: Add allow-lua.inc (#5066) (diff)
download: firejail-14428e6904e7d4bee9c742a35e55e0054ad601cd.tar.gz
firejail-14428e6904e7d4bee9c742a35e55e0054ad601cd.tar.zst
firejail-14428e6904e7d4bee9c742a35e55e0054ad601cd.zip
1 files changed, 1 insertions, 0 deletions
diff --git a/etc/inc/disable-common.inc b/etc/inc/disable-common.inc
index 080a7f3a1..2ff31e80a 100644
--- a/etc/inc/disable-common.inc
+++ b/etc/inc/disable-common.inc
@@ -328,6 +328,7 @@ read-only ${HOME}/.ssh/config.d
 read-only ${HOME}/.caffrc
 read-only ${HOME}/.cargo/env
 read-only ${HOME}/.config/nvim
+read-only ${HOME}/.config/pkcs11
 read-only ${HOME}/.dotfiles
 read-only ${HOME}/.emacs
 read-only ${HOME}/.emacs.d
author	Kelvin M. Klann <kmk3.code@protonmail.com>	2022-03-27 16:57:55 -0300
committer	Kelvin M. Klann <kmk3.code@protonmail.com>	2022-03-27 17:16:31 -0300
commit	14428e6904e7d4bee9c742a35e55e0054ad601cd (patch)
tree	ee6c0c25d36325eddb1f4273cafb852e5a1d4605 /etc
parent	megaglest.profile: Add allow-lua.inc (#5066) (diff)
download	firejail-14428e6904e7d4bee9c742a35e55e0054ad601cd.tar.gz firejail-14428e6904e7d4bee9c742a35e55e0054ad601cd.tar.zst firejail-14428e6904e7d4bee9c742a35e55e0054ad601cd.zip

diff --git a/etc/inc/disable-common.inc b/etc/inc/disable-common.inc index 080a7f3a1..2ff31e80a 100644 --- a/etc/inc/disable-common.inc +++ b/etc/inc/disable-common.inc
@@ -328,6 +328,7 @@ read-only ${HOME}/.ssh/config.d
328	read-only ${HOME}/.caffrc	328	read-only ${HOME}/.caffrc
329	read-only ${HOME}/.cargo/env	329	read-only ${HOME}/.cargo/env
330	read-only ${HOME}/.config/nvim	330	read-only ${HOME}/.config/nvim
		331	read-only ${HOME}/.config/pkcs11
331	read-only ${HOME}/.dotfiles	332	read-only ${HOME}/.dotfiles
332	read-only ${HOME}/.emacs	333	read-only ${HOME}/.emacs
333	read-only ${HOME}/.emacs.d	334	read-only ${HOME}/.emacs.d