authorLibravatar smitsohu <smitsohu@gmail.com>2018-03-24 17:00:18 +0100
committerLibravatar smitsohu <smitsohu@gmail.com>2018-03-24 17:00:18 +0100
commitecbf5ddb450ba0ad86d9a892e9bc14d52ad86fa4 (patch)
tree7670af2ab2133a5d2a90ae8321d4eced1e8b9395
parentharden openbox profile (diff)
add basic akonadi integration
as it is now, there is no support for a full akonadi session inside the knotes sandbox, but knotes can connect to akonadi and should work fine
-rw-r--r--README.md3
-rw-r--r--RELNOTES2
-rw-r--r--etc/akonadi_control.profile44
-rw-r--r--etc/disable-programs.inc8
-rw-r--r--etc/kmail.profile21
-rw-r--r--etc/knotes.profile10
-rw-r--r--src/firecfg/firecfg.config1
7 files changed, 82 insertions, 7 deletions
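--- a/README.md
+++ b/README.md
@@ -246,4 +246,5 @@ firefox-common-addons.inc in firefox-common.profile.
 
 Basilisk browser, Tor Browser language packs, PlayOnLinux, sylpheed, discord-canary,
 pycharm-community, pycharm-professional, Pitivi, OnionShare, Fritzing, Kaffeine, pdfchain,
-tilp, vivaldi-snapshot, bitcoin-qt, VS Code, falkon, gnome-builder, lobase, asunder
+tilp, vivaldi-snapshot, bitcoin-qt, VS Code, falkon, gnome-builder, lobase, asunder,
+akonadi_control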
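--- a/RELNOTES
+++ b/RELNOTES
@@ -27,7 +27,7 @@ firejail (0.9.53) baseline; urgency=low
  * new profiles: basilisk, Tor Browser language packs, PlayOnLinux, sylpheed,
  * new profiles: discord-canary, pycharm-community, pycharm-professional,
  * new profiles: pdfchain, tilp, vivaldi-snapshot, bitcoin-qt, kaffeine, VS Code,
- * new profiles: falkon, gnome-builder, asunder
+ * new profiles: falkon, gnome-builder, asunder, akonadi_control
  -- netblue30 <netblue30@yahoo.com> Thu, 1 Mar 2018 08:00:00 -0500
 
 firejail (0.9.52) baseline; urgency=low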
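--- /dev/null
+++ b/etc/akonadi_control.profile
@@ -0,0 +1,44 @@
+# Firejail profile for akonadi_control
+# Persistent local customizations
+include /etc/firejail/akonadi_control.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+noblacklist ${HOME}/.cache/akonadi*
+noblacklist ${HOME}/.config/akonadi*
+noblacklist ${HOME}/.config/baloorc
+noblacklist ${HOME}/.local/share/akonadi/*
+noblacklist ${HOME}/.local/share/contacts
+noblacklist ${HOME}/.local/share/local-mail
+noblacklist /usr/sbin
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+include /etc/firejail/whitelist-var-common.inc
+
+# depending on your setup it might be possible to
+# enable some of the commented options below
+
+caps.drop all
+ipc-namespace
+no3d
+netfilter
+nodvd
+nogroups
+# nonewprivs
+# noroot
+nosound
+notv
+novideo
+# protocol unix,inet,inet6
+# seccomp.drop @cpu-emulation,@debug,@obsolete,@privileged,@resources,add_key,fanotify_init,io_cancel,io_destroy,kcmp,keyctl,name_to_handle_at,ni_syscall,open_by_handle_at,personality,process_vm_readv,ptrace,remap_file_pages,request_key,syslog,umount,userfaultfd,vmsplice # we need to allow io_getevents, ioprio_set, io_setup, io_submit system calls
+tracelog
+
+private-dev
+# private-tmp - breaks programs that depend on akonadi
+
+noexec ${HOME}
+noexec /tmp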
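Review bot: The commented seccomp.drop at line 37 carries its explanation on the same line as the syscall list, so anyone who uncomments it as written hands `# we need to allow ...` to the option parser unless firejail strips trailing comments, which I would not rely on; put the explanation on its own line above it, e.g. `# the seccomp.drop below keeps io_getevents, ioprio_set, io_setup and io_submit allowed`. With seccomp, nonewprivs, noroot and protocol all commented out, the confinement of this profile rests on caps.drop, nogroups, ipc-namespace and the file blacklists, and the note at lines 22-23 does not say what fails when each option is enabled; recording the observed failure per option (which backend, which distribution) would tell users which ones they can safely turn on in akonadi_control.local. netfilter at line 28 is active although, as far as I know, it only takes effect together with a network namespace, so it is worth confirming it does anything here or dropping it to avoid suggesting a filter that is not applied.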
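--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -73,6 +73,7 @@ blacklist ${HOME}/.config/Slack
 blacklist ${HOME}/.config/Thunar
 blacklist ${HOME}/.config/VirtualBox
 blacklist ${HOME}/.config/Wire
+blacklist ${HOME}/.config/akonadi*
 blacklist ${HOME}/.config/akregatorrc
 blacklist ${HOME}/.config/ardour4
 blacklist ${HOME}/.config/ardour5
@@ -106,6 +107,7 @@ blacklist ${HOME}/.config/digikam
 blacklist ${HOME}/.config/digikamrc
 blacklist ${HOME}/.config/dolphinrc
 blacklist ${HOME}/.config/dragonplayerrc
+blacklist ${HOME}/.config/emailidentities
 blacklist ${HOME}/.config/enchant
 blacklist ${HOME}/.config/eog
 blacklist ${HOME}/.config/epiphany
@@ -144,6 +146,7 @@ blacklist ${HOME}/.config/katevirc
 blacklist ${HOME}/.config/kdenliverc
 blacklist ${HOME}/.config/kgetrc
 blacklist ${HOME}/.config/klipperrc
+blacklist ${HOME}/.config/kmail2rc
 blacklist ${HOME}/.config/kritarc
 blacklist ${HOME}/.config/kwriterc
 blacklist ${HOME}/.config/kdeconnect
@@ -346,12 +349,14 @@ blacklist ${HOME}/.local/share/SuperHexagon
 blacklist ${HOME}/.local/share/TelegramDesktop
 blacklist ${HOME}/.local/share/Terraria
 blacklist ${HOME}/.local/share/TpLogger
+blacklist ${HOME}/.local/share/akonadi/*
 blacklist ${HOME}/.local/share/akregator
 blacklist ${HOME}/.local/share/aspyr-media
 blacklist ${HOME}/.local/share/baloo
 blacklist ${HOME}/.local/share/caja-python
 blacklist ${HOME}/.local/share/cdprojektred
 blacklist ${HOME}/.local/share/clipit
+blacklist ${HOME}/.local/share/contacts
 blacklist ${HOME}/.local/share/data/Mumble
 blacklist ${HOME}/.local/share/data/MusE
 blacklist ${HOME}/.local/share/data/MuseScore
@@ -376,11 +381,13 @@ blacklist ${HOME}/.local/share/kaffeine
 blacklist ${HOME}/.local/share/kate
 blacklist ${HOME}/.local/share/kdenlive
 blacklist ${HOME}/.local/share/kget
+blacklist ${HOME}/.local/share/kmail2
 blacklist ${HOME}/.local/share/krita
 blacklist ${HOME}/.local/share/ktorrentrc
 blacklist ${HOME}/.local/share/ktorrent
 blacklist ${HOME}/.local/share/kwrite
 blacklist ${HOME}/.local/share/liferea
+blacklist ${HOME}/.local/share/local-mail
 blacklist ${HOME}/.local/share/lollypop
 blacklist ${HOME}/.local/share/maps-places.json
 blacklist ${HOME}/.local/share/meld
@@ -495,6 +502,7 @@ blacklist ${HOME}/.cache/Franz
 blacklist ${HOME}/.cache/INRIA
 blacklist ${HOME}/.cache/MusicBrainz
 blacklist ${HOME}/.cache/QuiteRss
+blacklist ${HOME}/.cache/akonadi*
 blacklist ${HOME}/.cache/attic
 blacklist ${HOME}/.cache/borg
 blacklist ${HOME}/.cache/calibre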
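Review bot: `blacklist ${HOME}/.local/share/akonadi/*` (new line 352) differs from every neighbouring entry, which blacklists the directory itself; as I read firejail's glob handling the pattern is expanded once at sandbox start, so the entries present at that moment are hidden while the directory itself stays reachable and writable, and anything created there later is visible to every sandbox that includes this file. If the `/*` form is deliberate, say because sandboxed KDE applications must still reach something inside that directory, a comment on the line saying so would stop the next cleanup from "fixing" it; otherwise `blacklist ${HOME}/.local/share/akonadi` matches the rest of the file. The same `/*` pattern is mirrored by the noblacklist lines in the three profiles of this commit, so the decision should be made once for all of them.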
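--- a/etc/kmail.profile
+++ b/etc/kmail.profile
@@ -5,6 +5,18 @@ include /etc/firejail/kmail.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
+# akonadi with mysql backend fails to run inside this sandbox
+# and should be started in advance
+
+noblacklist ${HOME}/.cache/akonadi*
+noblacklist ${HOME}/.config/akonadi*
+noblacklist ${HOME}/.config/baloorc
+noblacklist ${HOME}/.config/emailidentities
+noblacklist ${HOME}/.config/kmail2rc
+noblacklist ${HOME}/.local/share/akonadi/*
+noblacklist ${HOME}/.local/share/contacts
+noblacklist ${HOME}/.local/share/kmail2
+noblacklist ${HOME}/.local/share/local-mail
 noblacklist ${HOME}/.gnupg
 
 include /etc/firejail/disable-common.inc
@@ -22,11 +34,14 @@ nosound
 notv
 novideo
 protocol unix,inet,inet6,netlink
-# blacklisting of chroot system calls breaks kmail
-seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+# we need to allow chroot and ioprio_set system calls
+seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
 # tracelog
 # writable-run-user is needed for signing and encrypting emails
 writable-run-user
 
 private-dev
-# private-tmp - breaks akonadi and opening of email attachments
+# private-tmp - interrupts connection to akonadi, breaks opening of email attachments
+
+noexec ${HOME}
+noexec /tmp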
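Review bot: Dropping ioprio_set from the explicit part of the seccomp.drop list (new line 38) only takes effect if firejail's @resources group, which the line still drops, does not itself contain ioprio_set; I believe it does, in which case the call stays blocked and the comment on line 37 describes an intent the line does not implement. Please check the group definition in firejail's syscall table and either remove @resources from the list or correct the comment. The comment could also say why chroot is available at all — it is not named in the list and @privileged, which presumably contains it, is not dropped — e.g. `# chroot (@privileged) and ioprio_set must stay allowed, so those groups are not dropped`, which tells the next editor not to add @privileged back.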
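--- a/etc/knotes.profile
+++ b/etc/knotes.profile
@@ -5,10 +5,12 @@ include /etc/firejail/knotes.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
+noblacklist ${HOME}/.config/akonadi*
 noblacklist ${HOME}/.config/knotesrc
+noblacklist ${HOME}/.local/share/akonadi/*
 
 include /etc/firejail/disable-common.inc
-# include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
@@ -22,10 +24,14 @@ nonewprivs
 noroot
 nosound
 notv
+novideo
 protocol unix
 seccomp
 shell none
 tracelog
 
 private-dev
-#private-tmp - problems on kubuntu 17.04
+# private-tmp - interrupts connection to akonadi
+
+noexec ${HOME}
+noexec /tmp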
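Review bot: The three profiles in this commit diverge in which akonadi paths they unblock: knotes (new lines 8 and 10) noblacklists only `.config/akonadi*` and `.local/share/akonadi/*`, while kmail and akonadi_control also unblock `.cache/akonadi*`, `.local/share/contacts` and `.local/share/local-mail`. If knotes really only talks to an already running server, a comment above line 8 such as `# knotes only connects to a running akonadi server; it does not need the akonadi cache or mail stores` would explain the smaller set; if not, the missing entries will show up as blacklist hits in tracelog rather than as a clear error. The profile also keeps the default `seccomp` while akonadi_control's commented filter says io_setup, io_submit, io_getevents and ioprio_set must stay allowed for the server; the client side appears unaffected, but a tracelog run with a live akonadi session would confirm that.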
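--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -16,6 +16,7 @@ VirtualBox
 Wire
 Xephyr
 abrowser
+# akonadi_control - enable later
 akregator
 amarok
 amule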