From c083a7b737050c532977b46fac6400f1dbc24ff6 Mon Sep 17 00:00:00 2001
From: smitsohu
Date: Fri, 7 Dec 2018 16:29:06 +0100
Subject: improve sandboxing of KDE apps: set KDE_FORK_SLAVES, blacklist slave-sockets setting the KDE_FORK_SLAVES environment variable removes all inconsistencies that arise from slaves running outside the sandbox or in a different sandbox; it also makes it slightly more difficult to abuse KIO in general and helps to mitigate security problems due to thumbnailing, which now always happens inside the same sandbox. The trade-off is more concurrently running slave processes. closes #2285
---
etc/disable-common.inc | 13 ++++++++-----
1 file changed, 8 insertions(+), 5 deletions(-)
(limited to 'etc/disable-common.inc')
diff --git a/etc/disable-common.inc b/etc/disable-common.inc
index 74b653385..481717d24 100644
--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -118,11 +118,14 @@ read-only ${HOME}/.local/share/konsole
 read-only ${HOME}/.local/share/kservices5
 read-only ${HOME}/.local/share/kssl
-# kdeinit socket
-blacklist /run/user/*/kdeinit5__*
-# blacklist /run/user/*/ksocket-*/kdeinit4__*
-# blacklist /tmp/ksocket-*/kdeinit4__*
-# causes issues when kdeinit4 gets killed; enable on KDE Plasma 4
+# KDE sockets
+blacklist ${RUNUSER}/kdeinit5__*
+blacklist ${RUNUSER}/*.slave-socket
+# decide heuristically if the kdeinit4 socket can be blacklisted
+?HAS_NODBUS: blacklist ${RUNUSER}/ksocket-*/kdeinit4__*
+blacklist ${RUNUSER}/ksocket-*/*.slave-socket
+?HAS_NODBUS: blacklist /tmp/ksocket-*/kdeinit4__*
+blacklist /tmp/ksocket-*/*.slave-socket
 # gnome
 # contains extensions, last used times of applications, and notifications
-- cgit v1.2.3-70-g09d2
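Review bot: The two `?HAS_NODBUS:` lines leave the kdeinit4 socket reachable from every sandbox whose profile does not set nodbus, and the new comment `# decide heuristically if the kdeinit4 socket can be blacklisted` drops the reason the removed comment gave (blacklisting it causes issues when kdeinit4 gets killed). I would state both in the file, e.g. `# kdeinit4 socket: blacklisted only together with nodbus, since blacklisting it otherwise causes issues when kdeinit4 gets killed; without nodbus it stays reachable from inside the sandbox`. The link between nodbus and the kdeinit4 breakage is my reading of the old and new comments, so the wording should be confirmed by the author. Separately, the `*.slave-socket` globs are presumably matched when the sandbox is set up, so sockets created afterwards would not be hidden; that is worth confirming and noting, because the protection then rests on KDE_FORK_SLAVES, which is not set in the part of the commit shown here.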