firejail.config: add warning about allow-tray #4946
Conversation
kmk3
added
the
documentation
There was a problem hiding this comment.
dbus-user.talk org.kde.StatusNotifierWatcher is
unsafe and allows escaping the sandbox
In theory it could be safe, but I'm not aware of a safe implementation.
The unsafer thing with tray icons is dbus-user.own org.kde.*.
WARNING: allows escaping the sandbox;
How cares? There are enough other ways to escape. Anyway let's add it.
see https://github.com/netblue30/firejail/discussions/4053
Do we need the link? IMHO there isn't much information other than "it's unsafe!!!".
According to netblue30#4053, there is currently no safe (in the sense of not allowing to escape the sandbox) implementation of `org.kde.StatusNotifierWatcher`, but it is required by multiple programs for tray functionality. Users may not be aware of this (for example, see netblue30#4508), so add a warning about it. Note: allow-tray was added on commit c86cae2 ("Add new condition ALLOW_TRAY", 2021-09-04) / PR netblue30#4510.
kmk3
force-pushed
the
add-warn-allow-tray
branch
from
3fb276d
to
b539d3e
Compare
|
@rusty-snake left a comment:
Reworded it (and made the warning lowercase). Does it make sense now? Also, what are the implementations of
Users can only choose to care if they know about it. I think it would be
I don't know much about the details, so to me it's much more information than |
IIRC I tested the native kde implementation, gnome-shell-extension-appindicator and the xfce implementation. |
According to #4053, there is currently no safe (in the sense of not
allowing to escape the sandbox) implementation of
org.kde.StatusNotifierWatcher, but it is required by multiple programsfor tray functionality. Users may not be aware of this (for example,
see #4508), so add a warning about it.
Note: allow-tray was added on commit c86cae2 ("Add new condition
ALLOW_TRAY", 2021-09-04) / PR #4510.
Cc: @davidebeatrici