[PR #5077] [MERGED] disable-common.inc: make ~/.config/pkcs11 read-only #5354

Closed
opened 2026-05-05 10:36:54 -06:00 by gitea-mirror · 0 comments

📋 Pull Request Information

Original PR: https://github.com/netblue30/firejail/pull/5077
Author: @kmk3
Created: 3/27/2022
Status: Merged
Merged: 3/29/2022
Merged by: @netblue30

Base: master ← Head: dc-add-pkcs11


📝 Commits (1)

  • 14428e6 disable-common.inc: make ~/.config/pkcs11 read-only

📊 Changes

1 file changed (+1 additions, -0 deletions)

📝 etc/inc/disable-common.inc (+1 -0)

📄 Description

It looks like it allows arbitrary command execution. From
pkcs11.conf(5):

remote:
    Instead of loading the PKCS#11 module locally, run the module
    remotely.

    Specify a command to run, prefixed with | a pipe. The command
    must speak the p11-kit remoting protocol on its standard in
    and standard out. For example:

        remote: |ssh user@remote p11-kit remote /path/to/module.so

    Other forms of remoting will appear in later p11-kit releases.

Environment: p11-kit 0.24.1-1 on Artix Linux.

Currently this entry only exists on whitelist-common.inc, added on
commit f74cfd07c ("add p11-kit support - #1646").

With this commit applied, all read-only entries on whitelist-common.inc
are also part of disable-common.inc.

See also the discussion on #5069.


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
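
An added example (not part of the PR or of firejail): a small audit that lists every pipe-prefixed `remote:` entry under a PKCS#11 user configuration directory, the setting quoted from pkcs11.conf(5) above. The function names, the choice to scan every regular file in the directory, and the sample files are assumptions constructed here.

```python
import os
import tempfile
from pathlib import Path

def find_remote_commands(config_dir):
    """Return (file, line_no, command) for each 'remote: |cmd' entry found."""
    findings = []
    root = Path(config_dir)
    if not root.is_dir():
        return findings
    # Assumption: scan every regular file, not only modules/*.module,
    # so an entry is still reported if it sits in an unexpected file.
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue  # unreadable file: nothing to report
        for line_no, raw in enumerate(text.splitlines(), 1):
            line = raw.strip()
            if not line or line.startswith("#"):
                continue  # blank line or comment
            key, sep, value = line.partition(":")
            value = value.strip()
            # A value starting with '|' is a command that gets executed.
            if sep and key.strip() == "remote" and value.startswith("|"):
                findings.append((str(path), line_no, value[1:].strip()))
    return findings

def is_writable(config_dir):
    """True if the current process could add or change entries here."""
    return os.access(config_dir, os.W_OK)

def demo():
    """Build a constructed sample directory and audit it."""
    with tempfile.TemporaryDirectory() as d:
        mods = Path(d) / "modules"
        mods.mkdir()
        (mods / "local.module").write_text(
            "module: /usr/lib/pkcs11/example.so\n# remote: |commented out\n")
        (mods / "remote.module").write_text(
            "# constructed sample\ntrust-policy: no\n"
            "remote: |ssh user@remote p11-kit remote /path/to/module.so\n")
        return find_remote_commands(d)

if __name__ == "__main__":
    target = Path.home() / ".config" / "pkcs11"
    print("writable:", is_writable(target))
    for path, line_no, command in find_remote_commands(target):
        print(f"{path}:{line_no}: runs {command!r}")
```

Run it both outside and inside the sandbox: a `writable: True` result inside the sandbox means a sandboxed program could still add such an entry.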

Reference: github-starred/firejail#5354