From b539d3e7587cc66d528de93f501868569fc34cfd Mon Sep 17 00:00:00 2001
From: "Kelvin M. Klann" <kmk3.code@protonmail.com>
Date: Mon, 14 Feb 2022 21:52:32 -0300
Subject: firejail.config: add warning about allow-tray

According to #4053, there is currently no safe (in the sense of not
allowing to escape the sandbox) implementation of
`org.kde.StatusNotifierWatcher`, but it is required by multiple programs
for tray functionality.  Users may not be aware of this (for example,
see #4508), so add a warning about it.

Note: allow-tray was added on commit c86cae2d0 ("Add new condition
ALLOW_TRAY", 2021-09-04) / PR #4510.
---
 etc/firejail.config | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

(limited to 'etc/firejail.config')

diff --git a/etc/firejail.config b/etc/firejail.config
index 7912b746c..856018101 100644
--- a/etc/firejail.config
+++ b/etc/firejail.config
@@ -2,7 +2,8 @@
 # keyword-argument pairs, one per line. Most features are enabled by default.
 # Use 'yes' or 'no' as configuration values.
 
-# Allow programs to display a tray icon
+# Allow programs to display a tray icon (warning: allows escaping the sandbox;
+# see https://github.com/netblue30/firejail/discussions/4053)
 # allow-tray no
 
 # Enable AppArmor functionality, default enabled.
-- 
cgit v1.2.3-54-g00ecf