> You can bypass klauncher/kdeinit by exporting the KDE_FORK_SLAVES
> environment variable set to 1. Then the applications will spawn the
> ioslave process on their own.
>
> Not sure if this actually helps you, though.
Thanks for the pointer to KDE_FORK_SLAVES; it is heading in the right direction and actually seems to solve a number of other issues with sandboxing KDE apps. I feel I should explain my use case a bit better: imagine a sandboxed app with limited access to system resources... and someone with bad intentions controlling this app and trying to escape the sandbox. There are well-known ways to escape from a sandbox, like X11 and D-Bus sockets, but KDE has interesting additional challenges. One is the kdeinit socket, and slave sockets are *potentially* another. My concern is a sandboxed app that somehow manages to control a KIO slave running outside the sandbox. A sysadmin could probably address this by setting KDE_FORK_SLAVES for all programs globally... unfortunately it won't work if the sandbox tries to do something similar.
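One way to verify whether KDE_FORK_SLAVES is actually being honoured for a sandboxed application, as an added example that is not part of the thread: list every KIO slave process whose ancestry does not lead back to the sandboxed app, because those are the slaves that klauncher/kdeinit spawned outside the sandbox. The `ps` output below is constructed for the example; the assumption that slave processes have command names starting with `kioslave` (as with `kioslave5`) is mine, so adjust the pattern for your KDE version.

```shell
# Constructed sample of `ps -eo pid,ppid,comm` output (not taken from the thread).
# PID 100 is the sandboxed application; kdeinit5 (PID 200) runs outside the sandbox.
SAMPLE_PS='  PID  PPID COMMAND
    1     0 init
  100     1 sandboxed-app
  200     1 kdeinit5
  201   200 klauncher
  301   100 kioslave5
  302   200 kioslave5
  303   201 kioslave5'

# foreign_slaves APP_PID
# Reads `ps -eo pid,ppid,comm` lines on stdin and prints, one per line, the PIDs of
# kioslave processes that are NOT descendants of APP_PID.  When KDE_FORK_SLAVES=1
# is honoured, every slave the app uses is forked by the app itself and nothing is
# printed; any PID reported here was started by kdeinit/klauncher instead, i.e.
# it runs outside the sandbox.
foreign_slaves() {
    app_pid=$1
    awk -v app="$app_pid" '
        NR == 1 { next }                       # skip the header line
        { ppid[$1] = $2; comm[$1] = $3 }       # remember parent and command name
        END {
            for (p in comm) {
                if (comm[p] !~ /^kioslave/) continue   # assumed slave name pattern
                q = p; inside = 0
                while (q in ppid) {            # walk up the tree until PID 0
                    if (q == app) { inside = 1; break }
                    q = ppid[q]
                }
                if (!inside) print p
            }
        }' | sort -n
}

# Demonstration on the constructed sample: prints 302 and 303.
printf '%s\n' "$SAMPLE_PS" | foreign_slaves 100
```

On a live system the same check would be `ps -eo pid,ppid,comm | foreign_slaves "$(pgrep -x sandboxed-app)"` after launching the app with `KDE_FORK_SLAVES=1` exported; an empty result means no slave serving that app came from kdeinit.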