From 533db20e9912e782e149e49d2e3a86e842a2b3af Mon Sep 17 00:00:00 2001
From: Shahriar Heidrich
Date: Sat, 8 Jun 2024 10:52:17 +0200
Subject: profiles: blacklist i3 IPC socket & dir except for i3 itself (#6361)

This closes the escape route discussed in #6357. It's left open for i3's own profile, so that people who run i3 itself sandboxed still have the option to use IPC with it at all. Reference for file paths: https://i3wm.org/docs/userguide.html#_interprocess_communication
---
 etc/inc/disable-common.inc | 4 ++++
 etc/inc/disable-programs.inc | 2 ++
 etc/profile-a-l/i3.profile | 4 ++++
 3 files changed, 10 insertions(+)

diff --git a/etc/inc/disable-common.inc b/etc/inc/disable-common.inc
index 55aabbc73..14f7d8cf7 100644
--- a/etc/inc/disable-common.inc
+++ b/etc/inc/disable-common.inc
@@ -167,6 +167,10 @@ blacklist ${RUNUSER}/gnome-session-leader-fifo
 blacklist ${RUNUSER}/gnome-shell
 blacklist ${RUNUSER}/gsconnect
+# i3 IPC socket (allows arbitrary shell script execution)
+blacklist ${RUNUSER}/i3/ipc-socket.*
+blacklist /tmp/i3-*/ipc-socket.*
+
 # systemd
 blacklist ${HOME}/.config/systemd
 blacklist ${HOME}/.local/share/systemd
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc
index 73876fde3..d2f8b8cfa 100644
--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -1251,11 +1251,13 @@ blacklist ${HOME}/yt-dlp.conf
 blacklist ${HOME}/yt-dlp.conf.txt
 blacklist ${RUNUSER}/*firefox*
 blacklist ${RUNUSER}/akonadi
+blacklist ${RUNUSER}/i3
 blacklist ${RUNUSER}/psd/*firefox*
 blacklist ${RUNUSER}/qutebrowser
 blacklist /etc/ssmtp
 blacklist /tmp/.wine-*
 blacklist /tmp/akonadi-*
+blacklist /tmp/i3-*
 blacklist /tmp/lwjgl_*
 blacklist /var/games/nethack
 blacklist /var/games/slashem
diff --git a/etc/profile-a-l/i3.profile b/etc/profile-a-l/i3.profile
index 2268072ef..412e31762 100644
--- a/etc/profile-a-l/i3.profile
+++ b/etc/profile-a-l/i3.profile
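Review bot: The two patterns added to etc/inc/disable-common.inc after the gsconnect entry match only i3's default socket locations, so a socket placed elsewhere through i3's `ipc-socket` config directive stays reachable from other sandboxes. The comment could state that limit: `# i3 IPC socket (allows arbitrary shell script execution); default paths only, a custom ipc-socket path needs its own blacklist in globals.local`. Per the i3 user guide linked in the commit message the socket name ends in the i3 process id, so if firejail expands these globs once at sandbox start (worth confirming), a socket created later is covered only by the directory-level entries this commit adds to disable-programs.inc, and only in profiles that include that file.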
@@ -8,6 +8,10 @@ include globals.local
 # all applications started in i3 will run in this profile
 noblacklist ${HOME}/.config/i3
+noblacklist ${RUNUSER}/i3
+noblacklist ${RUNUSER}/i3/ipc-socket.*
+noblacklist /tmp/i3-*
+noblacklist /tmp/i3-*/ipc-socket.*
 include disable-common.inc
 caps.drop all
-- cgit v1.2.3-54-g00ecf
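Review bot: The four new `noblacklist` lines in etc/profile-a-l/i3.profile carry no comment saying why the socket is left reachable here, and the existing comment above them notes that all applications started in i3 run in this profile, so each of them can reach the IPC socket too. A short comment before the new lines would record the trade-off: `# i3 needs its own IPC socket and directory; both are blacklisted for every other profile`. Only `include disable-common.inc` is visible in the hunk, so whether the two directory-level exemptions are needed depends on includes further down the profile, outside the hunk.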