refactor claws-mail and sylpheed as whitelist profiles (#3162)

* refactor claws-mail as whitelist profile * refactor sylpheed as whitelist profile * Create email-common.profile * safeguard ${DOCUMENTS} * Add disable-xdg to email-common.profile Thanks @rusty-snake for the review.
author: glitsj16 <glitsj16@users.noreply.github.com> 2020-01-18 11:03:32 +0000
committer: GitHub <noreply@github.com> 2020-01-18 11:03:32 +0000
commit: e8a5e0d3302547c40df2eb7b40a746f5ced3c10e (patch)
tree: c63d48704132b12df09cff047a0a8ef00bd6cf5c /etc/email-common.profile
parent: Merge pull request #3161 from rusty-snake/bl-wayland (diff)
download: firejail-e8a5e0d3302547c40df2eb7b40a746f5ced3c10e.tar.gz
firejail-e8a5e0d3302547c40df2eb7b40a746f5ced3c10e.tar.zst
firejail-e8a5e0d3302547c40df2eb7b40a746f5ced3c10e.zip
1 files changed, 68 insertions, 0 deletions
diff --git a/etc/email-common.profile b/etc/email-common.profile
new file mode 100644
index 000000000..f9d96858b
--- /dev/null
+++ b/etc/email-common.profile
@@ -0,0 +1,68 @@
+# Firejail profile for email-common
+# Description: Common profile for claws-mail and sylpheed email clients
+# This file is overwritten after every install/update
+# Persistent local customizations
+include email-common.local
+# Persistent global definitions
+# added by caller profile
+#include globals.local
+noblacklist ${HOME}/.gnupg
+noblacklist ${HOME}/.signature
+# when storing mail outside the default ${HOME}/Mail path, 'noblacklist' the custom path in your email-common.local
+# and 'blacklist' it in your disable-common.local too so it is  kept hidden from other applications
+noblacklist ${HOME}/Mail
+noblacklist ${DOCUMENTS}
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+whitelist ${DOCUMENTS}
+whitelist ${DOWNLOADS}
+mkfile ${HOME}/.config/mimeapps.list
+mkdir ${HOME}/.gnupg
+mkfile ${HOME}/.signature
+whitelist ${HOME}/.config/mimeapps.list
+whitelist ${HOME}/.gnupg
+whitelist ${HOME}/.signature
+# when storing mail outside the default ${HOME}/Mail path, 'whitelist' the custom path in your email-common.local
+whitelist ${HOME}/Mail
+whitelist /usr/share/gnupg
+whitelist /usr/share/gnupg2
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+private-cache
+private-dev
+private-tmp
+# encrypting and signing email
+read-only ${HOME}/.config/mimeapps.list
+writable-run-user
+# If you want to read local mail stored in /var/mail, add the following to email-common.local:
+# whitelist /var/mail
+# whitelist /var/spool/mail
+# writable-var
author	glitsj16 <glitsj16@users.noreply.github.com>	2020-01-18 11:03:32 +0000
committer	GitHub <noreply@github.com>	2020-01-18 11:03:32 +0000
commit	e8a5e0d3302547c40df2eb7b40a746f5ced3c10e (patch)
tree	c63d48704132b12df09cff047a0a8ef00bd6cf5c /etc/email-common.profile
parent	Merge pull request #3161 from rusty-snake/bl-wayland (diff)
download	firejail-e8a5e0d3302547c40df2eb7b40a746f5ced3c10e.tar.gz firejail-e8a5e0d3302547c40df2eb7b40a746f5ced3c10e.tar.zst firejail-e8a5e0d3302547c40df2eb7b40a746f5ced3c10e.zip

diff --git a/etc/email-common.profile b/etc/email-common.profile new file mode 100644 index 000000000..f9d96858b --- /dev/null +++ b/etc/email-common.profile
@@ -0,0 +1,68 @@
	1	# Firejail profile for email-common
	2	# Description: Common profile for claws-mail and sylpheed email clients
	3	# This file is overwritten after every install/update
	4	# Persistent local customizations
	5	include email-common.local
	6	# Persistent global definitions
	7	# added by caller profile
	8	#include globals.local
	9
	10	noblacklist ${HOME}/.gnupg
	11	noblacklist ${HOME}/.signature
	12	# when storing mail outside the default ${HOME}/Mail path, 'noblacklist' the custom path in your email-common.local
	13	# and 'blacklist' it in your disable-common.local too so it is kept hidden from other applications
	14	noblacklist ${HOME}/Mail
	15
	16	noblacklist ${DOCUMENTS}
	17
	18	include disable-common.inc
	19	include disable-devel.inc
	20	include disable-interpreters.inc
	21	include disable-passwdmgr.inc
	22	include disable-programs.inc
	23	include disable-xdg.inc
	24
	25	whitelist ${DOCUMENTS}
	26	whitelist ${DOWNLOADS}
	27	mkfile ${HOME}/.config/mimeapps.list
	28	mkdir ${HOME}/.gnupg
	29	mkfile ${HOME}/.signature
	30	whitelist ${HOME}/.config/mimeapps.list
	31	whitelist ${HOME}/.gnupg
	32	whitelist ${HOME}/.signature
	33	# when storing mail outside the default ${HOME}/Mail path, 'whitelist' the custom path in your email-common.local
	34	whitelist ${HOME}/Mail
	35	whitelist /usr/share/gnupg
	36	whitelist /usr/share/gnupg2
	37	include whitelist-common.inc
	38	include whitelist-usr-share-common.inc
	39	include whitelist-var-common.inc
	40
	41	caps.drop all
	42	netfilter
	43	no3d
	44	nodvd
	45	nogroups
	46	nonewprivs
	47	noroot
	48	nosound
	49	notv
	50	nou2f
	51	novideo
	52	protocol unix,inet,inet6
	53	seccomp
	54	shell none
	55	tracelog
	56
	57	private-cache
	58	private-dev
	59	private-tmp
	60
	61	# encrypting and signing email
	62	read-only ${HOME}/.config/mimeapps.list
	63	writable-run-user
	64
	65	# If you want to read local mail stored in /var/mail, add the following to email-common.local:
	66	# whitelist /var/mail
	67	# whitelist /var/spool/mail
	68	# writable-var