From c083a7b737050c532977b46fac6400f1dbc24ff6 Mon Sep 17 00:00:00 2001
From: smitsohu
Date: Fri, 7 Dec 2018 16:29:06 +0100
Subject: improve sandboxing of KDE apps: set KDE_FORK_SLAVES, blacklist slave-sockets

setting the KDE_FORK_SLAVES environment variable removes all inconsistencies that arise from slaves running outside the sandbox or in a different sandbox; it also makes it slightly more difficult to abuse KIO in general and helps to mitigate security problems due to thumbnailing, which now always happens inside the same sandbox. The trade-off is more concurrently running slave processes.

closes #2285
---
 src/firejail/env.c | 4 ++++
 1 file changed, 4 insertions(+)

(limited to 'src/firejail/env.c')

diff --git a/src/firejail/env.c b/src/firejail/env.c
index a09be8a77..fd4bfbd57 100644
--- a/src/firejail/env.c
+++ b/src/firejail/env.c
@@ -132,6 +132,10 @@ void env_defaults(void) {
 if (cfg.shell && setenv("SHELL", cfg.shell, 1) < 0)
 errExit("setenv");
 
+ // spawn KIO slaves inside the sandbox
+ if (setenv("KDE_FORK_SLAVES", "1", 1) < 0)
+ errExit("setenv");
+
 // set prompt color to green
 int set_prompt = 0;
 if (checkcfg(CFG_FIREJAIL_PROMPT))
-- 
cgit v1.2.3-54-g00ecf
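Review bot: The new comment above the `setenv("KDE_FORK_SLAVES", "1", 1)` call should say that this is a cooperative hint honored by the KIO library inside the sandboxed process, not something the sandbox enforces, so a reader does not mistake it for a hard containment boundary; the commit message itself only claims it makes abuse "slightly more difficult". The commit message also notes that the subject's second half ("blacklist slave-sockets") is not part of this file, so the comment should not imply the env var alone covers it. I would expand it to `// ask KIO to spawn its slaves inside the sandbox (advisory: KIO honors KDE_FORK_SLAVES itself, the sandbox does not enforce it; costs extra slave processes)`. The overwrite flag of 1 is consistent with the preceding SHELL setenv and intentionally discards any inherited value, which is worth a word too. env_defaults begins and continues outside the hunk.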