author | smitsohu <smitsohu@gmail.com> | 2018-03-24 17:00:18 +0100 |
---|---|---|
committer | smitsohu <smitsohu@gmail.com> | 2018-03-24 17:00:18 +0100 |
commit | ecbf5ddb450ba0ad86d9a892e9bc14d52ad86fa4 (patch) | |
tree | 7670af2ab2133a5d2a90ae8321d4eced1e8b9395 /etc/kmail.profile | |
parent | harden openbox profile (diff) | |
add basic akonadi integration
as it is now, there is no support for a full akonadi session inside
the knotes sandbox, but knotes can connect to akonadi and should work fine
Diffstat (limited to 'etc/kmail.profile')
-rw-r--r-- | etc/kmail.profile | 21 |
1 files changed, 18 insertions, 3 deletions
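--- a/etc/kmail.profile
+++ b/etc/kmail.profile
@@ -5,6 +5,18 @@ include /etc/firejail/kmail.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
+# akonadi with mysql backend fails to run inside this sandbox
+# and should be started in advance
+
+noblacklist ${HOME}/.cache/akonadi*
+noblacklist ${HOME}/.config/akonadi*
+noblacklist ${HOME}/.config/baloorc
+noblacklist ${HOME}/.config/emailidentities
+noblacklist ${HOME}/.config/kmail2rc
+noblacklist ${HOME}/.local/share/akonadi/*
+noblacklist ${HOME}/.local/share/contacts
+noblacklist ${HOME}/.local/share/kmail2
+noblacklist ${HOME}/.local/share/local-mail
 noblacklist ${HOME}/.gnupg
 
 include /etc/firejail/disable-common.inc
@@ -22,11 +34,14 @@ nosound
 notv
 novideo
 protocol unix,inet,inet6,netlink
-# blacklisting of chroot system calls breaks kmail
-seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+# we need to allow chroot and ioprio_set system calls
+seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
 # tracelog
 # writable-run-user is needed for signing and encrypting emails
 writable-run-user
 
 private-dev
-# private-tmp - breaks akonadi and opening of email attachments
+# private-tmp - interrupts connection to akonadi, breaks opening of email attachments
+
+noexec ${HOME}
+noexec /tmp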
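Review bot: The added entry `noblacklist ${HOME}/.local/share/akonadi/*` in the first hunk uses a different glob shape from the two akonadi entries above it (`.cache/akonadi*` and `.config/akonadi*`), so it matches paths below the directory but not the directory itself. The included disable-*.inc files are not visible here, but if they blacklist the directory path, that blacklist would presumably stay in effect and kmail could not reach its akonadi data. Writing it as `noblacklist ${HOME}/.local/share/akonadi*` would be consistent with the other two entries. In the second hunk, the new comment above `seccomp.drop` says chroot and ioprio_set must be allowed but not which component needs ioprio_set. Because this explicit drop list is maintained by hand, a short reason such as `# ioprio_set is needed by <component>` would help whoever tightens the filter later.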