Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

profiles: blacklist i3 IPC socket & dir except for i3 itself #6361

Merged
merged 1 commit into from
Jun 8, 2024
Merged

profiles: blacklist i3 IPC socket & dir except for i3 itself #6361

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 4 additions & 0 deletions etc/inc/disable-common.inc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -167,6 +167,10 @@ blacklist ${RUNUSER}/gnome-session-leader-fifo
blacklist ${RUNUSER}/gnome-shell
blacklist ${RUNUSER}/gsconnect

# i3 IPC socket (allows arbitrary shell script execution)
blacklist ${RUNUSER}/i3/ipc-socket.*
blacklist /tmp/i3-*/ipc-socket.*
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there anything else in the i3 directory?

XY: Would it make sense to blacklist the directory?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

On my system, the only other files in there are an error log and another UNIX domain socket called log-stream-socket.*. Seems neither very dangerous nor very useful, so it probably doesn't matter either way.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Logs could contain sensitive information.

If there is thing important in it we should blacklist the directory IMHO.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

FWIW, I agree. Targetting the directory is the better option here.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fair enough, I changed it to block the entire directories.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Files that allow command execution are usually made read-only or blacklisted.

Unnecessary directories are usually blacklisted.

So why not both?

I think it would be helpful to have the actual socket paths documented and
having specific entries for them would be one way to do it.

I restored the socket paths, moved the directories to disable-programs.inc,
added the description to the commit message and force-pushed.

Thoughts?


# systemd
blacklist ${HOME}/.config/systemd
blacklist ${HOME}/.local/share/systemd
Expand Down
2 changes: 2 additions & 0 deletions etc/inc/disable-programs.inc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1250,11 +1250,13 @@ blacklist ${HOME}/yt-dlp.conf
blacklist ${HOME}/yt-dlp.conf.txt
blacklist ${RUNUSER}/*firefox*
blacklist ${RUNUSER}/akonadi
blacklist ${RUNUSER}/i3
blacklist ${RUNUSER}/psd/*firefox*
blacklist ${RUNUSER}/qutebrowser
blacklist /etc/ssmtp
blacklist /tmp/.wine-*
blacklist /tmp/akonadi-*
blacklist /tmp/i3-*
blacklist /tmp/lwjgl_*
blacklist /var/games/nethack
blacklist /var/games/slashem
Expand Down
4 changes: 4 additions & 0 deletions etc/profile-a-l/i3.profile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,10 @@ include globals.local

# all applications started in i3 will run in this profile
noblacklist ${HOME}/.config/i3
noblacklist ${RUNUSER}/i3
noblacklist ${RUNUSER}/i3/ipc-socket.*
noblacklist /tmp/i3-*
noblacklist /tmp/i3-*/ipc-socket.*
include disable-common.inc

caps.drop all
Expand Down