author | smitsohu <smitsohu@gmail.com> | 2018-12-07 16:29:06 +0100 |
---|---|---|
committer | smitsohu <smitsohu@gmail.com> | 2018-12-07 16:29:06 +0100 |
commit | c083a7b737050c532977b46fac6400f1dbc24ff6 (patch) | |
tree | 3f9438ec7985b5191da4ca47fb0b9e4822cf249f /src | |
parent | add HAS_NODBUS conditional, ${RUNUSER} makro (diff) | |
improve sandboxing of KDE apps: set KDE_FORK_SLAVES, blacklist slave-sockets
setting the KDE_FORK_SLAVES environment variable removes all inconsistencies
that arise from slaves running outside the sandbox or in a different sandbox;
it also makes it slightly more difficult to abuse KIO in general and helps to
mitigate security problems due to thumbnailing, which now always happens inside
the same sandbox. The trade-off is more concurrently running slave processes.
closes #2285
Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/env.c | 4 |
1 files changed, 4 insertions, 0 deletions
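--- a/src/firejail/env.c
+++ b/src/firejail/env.c
@@ -132,6 +132,10 @@ void env_defaults(void) {
 if (cfg.shell && setenv("SHELL", cfg.shell, 1) < 0)
 errExit("setenv");
 
+// spawn KIO slaves inside the sandbox
+if (setenv("KDE_FORK_SLAVES", "1", 1) < 0)
+errExit("setenv");
+
 // set prompt color to green
 int set_prompt = 0;
 if (checkcfg(CFG_FIREJAIL_PROMPT))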
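Review bot: The comment above the new `setenv("KDE_FORK_SLAVES", "1", 1)` call should say that this is a hardening default, not an enforced boundary. The variable is only honoured by cooperating KDE code, and the sandboxed program can change or unset it for its own children. The call also overwrites any value inherited from the caller, and it is not visible in this hunk whether user-supplied environment settings are applied after `env_defaults()` and could undo it, so that ordering is worth confirming. I would expand the comment to something like `// hardening default: have KIO slaves forked by the application so they stay in this sandbox; advisory only, the slave-socket blacklist is the enforced part`. The body of `env_defaults()` starts and ends outside the hunk.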