Re: [QUESTION] KIO slave-socket shortcut - does it exist?
- Date: Wed, 5 Dec 2018 02:41:08 +0100
- From: Smits Katze <smitsohu@xxxxxxxxx>

> You can bypass klauncher/kdeinit by exporting the KDE_FORK_SLAVES
> environment variable set to 1. Then the applications will spawn the
> ioslave process on their own.
> Not sure if this actually helps you, though.

Thanks for the pointer to KDE_FORK_SLAVES, it is heading in the right
direction and actually seems to solve a number of other issues with
sandboxing KDE apps.

I feel I should explain my use case a bit better: Imagine a sandboxed
app with limited access to system resources... and someone with bad
intentions controlling this app and trying to escape the sandbox.

There are well-known ways to escape from a sandbox, like X11 and D-Bus
sockets, but KDE has interesting additional challenges. One is the
kdeinit socket, and slave sockets are *potentially* another. My
concern is a sandboxed app that somehow manages to control a KIO slave
running outside the sandbox. A sysadmin could probably address this by
setting KDE_FORK_SLAVES for all programs globally... unfortunately it
won't work if the sandbox tries to do something similar.