Add container, WM, package manager, and database sockets to SENSITIVE_PATHS

src/blacklist.rs

@@ -198,7 +198,6 @@ const SENSITIVE_PATHS: &[&str] = &[
     "/tmp/ssh-*",
     "/tmp/tmux-*",
     "${RUNUSER}",
-    "/var/run/docker.sock",
     // -- mail (sensitive content) --
     "${HOME}/.Mail",
     "${HOME}/.mail",
@@ -269,4 +268,30 @@ const SENSITIVE_PATHS: &[&str] = &[
     "/tmp/.XIM-unix",
     "${RUNUSER}/wayland-*",
     "${RUNUSER}/X11-display",
+    // -- container/VM runtime sockets (sandbox escape vectors) --
+    "/var/run/docker.sock",
+    "${RUNUSER}/docker.sock",
+    "${RUNUSER}/podman/podman.sock",
+    "/var/run/podman/podman.sock",
+    "${RUNUSER}/containers/",
+    "${RUNUSER}/crun",
+    "${RUNUSER}/libpod",
+    "${RUNUSER}/runc",
+    "${RUNUSER}/toolbox",
+    "/var/run/libvirt/libvirt-sock",
+    "/var/run/libvirt/libvirt-sock-ro",
+    "${RUNUSER}/libvirt/libvirt-sock",
+    // -- package manager sockets (can install/run arbitrary code) --
+    "${RUNUSER}/snapd-session-agent.socket",
+    "${RUNUSER}/.flatpak*",
+    "${RUNUSER}/.dbus-proxy",
+    // -- window manager IPC (allows arbitrary shell execution) --
+    "/tmp/i3-*/ipc-socket.*",
+    "${RUNUSER}/i3/ipc-socket.*",
+    "/tmp/sway-ipc.*",
+    "${RUNUSER}/sway-ipc.*",
+    // -- database sockets (data access) --
+    "/var/run/mysqld/mysqld.sock",
+    "/var/run/mysql/mysqld.sock",
+    "/tmp/.s.PGSQL.*",
 ];