From 14428e6904e7d4bee9c742a35e55e0054ad601cd Mon Sep 17 00:00:00 2001
From: "Kelvin M. Klann" <kmk3.code@protonmail.com>
Date: Sun, 27 Mar 2022 16:57:55 -0300
Subject: disable-common.inc: make ~/.config/pkcs11 read-only

It looks like it allows arbitrary command execution.  From
pkcs11.conf(5):

>     remote:
>         Instead of loading the PKCS#11 module locally, run the module
>         remotely.
>
>         Specify a command to run, prefixed with | a pipe. The command
>         must speak the p11-kit remoting protocol on its standard in
>         and standard out. For example:
>
>             remote: |ssh user@remote p11-kit remote /path/to/module.so
>
>         Other forms of remoting will appear in later p11-kit releases.

Environment: p11-kit 0.24.1-1 on Artix Linux.

Currently this entry only exists on whitelist-common.inc, added on
commit f74cfd07c ("add p11-kit support - #1646").

With this commit applied, all read-only entries on whitelist-commons.inc
are also part of disable-common.inc.

See also the discussion on #5069.
---
 etc/inc/disable-common.inc | 1 +
 1 file changed, 1 insertion(+)

(limited to 'etc/inc')

diff --git a/etc/inc/disable-common.inc b/etc/inc/disable-common.inc
index 080a7f3a1..2ff31e80a 100644
--- a/etc/inc/disable-common.inc
+++ b/etc/inc/disable-common.inc
@@ -328,6 +328,7 @@ read-only ${HOME}/.ssh/config.d
 read-only ${HOME}/.caffrc
 read-only ${HOME}/.cargo/env
 read-only ${HOME}/.config/nvim
+read-only ${HOME}/.config/pkcs11
 read-only ${HOME}/.dotfiles
 read-only ${HOME}/.emacs
 read-only ${HOME}/.emacs.d
-- 
cgit v1.2.3-54-g00ecf