Switch kmail to whitelisting

author: kortewegdevries <kortewegdevries@protonmail.ch> 2020-08-29 06:44:22 +0000
committer: kortewegdevries <kortewegdevries@protonmail.ch> 2020-08-29 06:44:22 +0000
commit: 5532fbdb9749c5333ac03152f8c94fd364182d32 (patch)
tree: d7632129c4aff3253aecac562b6e7809b44e867f /etc/profile-a-l
parent: GPG default, fixes... (diff)
download: firejail-5532fbd.tar.gz
firejail-5532fbd.tar.zst
firejail-5532fbd.zip
2 files changed, 76 insertions, 3 deletions
diff --git a/etc/profile-a-l/evolution.profile b/etc/profile-a-l/evolution.profile
index 2967218c7..4f0ebf630 100644
--- a/etc/profile-a-l/evolution.profile
+++ b/etc/profile-a-l/evolution.profile
@@ -39,6 +39,7 @@ whitelist ${HOME}/.cache/evolution
 whitelist ${HOME}/.config/evolution
 whitelist ${HOME}/.local/share/evolution
 whitelist ${HOME}/.local/share/pki
+whitelist ${DOCUMENTS}
 whitelist ${DOWNLOADS}
 whitelist ${RUNUSER}/gnupg
 whitelist /usr/share/evolution
@@ -70,6 +71,7 @@ shell none
 tracelog
 # disable-mnt
+# Add "gpg,gpg2,gpg-agent,pinentry-curses,pinentry-emacs,pinentry-fltk,pinentry-gnome3,pinentry-gtk,pinentry-gtk2,pinentry-gtk-2,pinentry-qt,pinentry-qt4,pinentry-tty,pinentry-x2go,pinentry-kwallet" for gpg 
 # private-bin evolution
 private-cache
 private-dev
diff --git a/etc/profile-a-l/kmail.profile b/etc/profile-a-l/kmail.profile
index ab4ff10b9..635f698a8 100644
--- a/etc/profile-a-l/kmail.profile
+++ b/etc/profile-a-l/kmail.profile
@@ -9,6 +9,9 @@ include globals.local
 # kmail has problems launching akonadi in debian and ubuntu.
 # one solution is to have akonadi already running when kmail is started
+noblacklist ${HOME}/.gnupg
+# noblacklist ${HOME}/.kde/
+# noblacklist ${HOME}/.kde4/
 noblacklist ${HOME}/.cache/akonadi*
 noblacklist ${HOME}/.cache/kmail2
 noblacklist ${HOME}/.config/akonadi*
@@ -19,7 +22,6 @@ noblacklist ${HOME}/.config/kmail2rc
 noblacklist ${HOME}/.config/kmailsearchindexingrc
 noblacklist ${HOME}/.config/mailtransports
 noblacklist ${HOME}/.config/specialmailcollectionsrc
-noblacklist ${HOME}/.gnupg
 noblacklist ${HOME}/.local/share/akonadi*
 noblacklist ${HOME}/.local/share/apps/korganizer
 noblacklist ${HOME}/.local/share/contacts
@@ -30,6 +32,8 @@ noblacklist ${HOME}/.local/share/kxmlgui5/kmail2
 noblacklist ${HOME}/.local/share/local-mail
 noblacklist ${HOME}/.local/share/notes
 noblacklist /tmp/akonadi-*
+noblacklist /var/mail
+noblacklist /var/spool/mail
 include disable-common.inc
 include disable-devel.inc
@@ -37,10 +41,72 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-xdg.inc
+mkdir ${HOME}/.gnupg
+# mkdir ${HOME}/.kde/
+# mkdir ${HOME}/.kde4/
+mkdir ${HOME}/.cache/akonadi*
+mkdir ${HOME}/.cache/kmail2
+mkdir ${HOME}/.config/akonadi*
+mkdir ${HOME}/.config/baloorc
+mkdir ${HOME}/.config/emaildefaults
+mkdir ${HOME}/.config/emailidentities
+mkdir ${HOME}/.config/kmail2rc
+mkdir ${HOME}/.config/kmailsearchindexingrc
+mkdir ${HOME}/.config/mailtransports
+mkdir ${HOME}/.config/specialmailcollectionsrc
+mkdir ${HOME}/.local/share/akonadi*
+mkdir ${HOME}/.local/share/apps/korganizer
+mkdir ${HOME}/.local/share/contacts
+mkdir ${HOME}/.local/share/emailidentities
+mkdir ${HOME}/.local/share/kmail2
+mkdir ${HOME}/.local/share/kxmlgui5/kmail
+mkdir ${HOME}/.local/share/kxmlgui5/kmail2
+mkdir ${HOME}/.local/share/local-mail
+mkdir ${HOME}/.local/share/notes
+mkdir /tmp/akonadi-*
+whitelist ${HOME}/.gnupg
+# whitelist ${HOME}/.kde/
+# whitelist ${HOME}/.kde4/
+whitelist ${HOME}/.cache/akonadi*
+whitelist ${HOME}/.cache/kmail2
+whitelist ${HOME}/.config/akonadi*
+whitelist ${HOME}/.config/baloorc
+whitelist ${HOME}/.config/emaildefaults
+whitelist ${HOME}/.config/emailidentities
+whitelist ${HOME}/.config/kmail2rc
+whitelist ${HOME}/.config/kmailsearchindexingrc
+whitelist ${HOME}/.config/mailtransports
+whitelist ${HOME}/.config/specialmailcollectionsrc
+whitelist ${HOME}/.local/share/akonadi*
+whitelist ${HOME}/.local/share/apps/korganizer
+whitelist ${HOME}/.local/share/contacts
+whitelist ${HOME}/.local/share/emailidentities
+whitelist ${HOME}/.local/share/kmail2
+whitelist ${HOME}/.local/share/kxmlgui5/kmail
+whitelist ${HOME}/.local/share/kxmlgui5/kmail2
+whitelist ${HOME}/.local/share/local-mail
+whitelist ${HOME}/.local/share/notes
+whitelist ${DOWNLOADS}
+whitelist ${DOCUMENTS}
+whitelist ${RUNUSER}/gnupg
+whitelist /tmp/akonadi-*
+whitelist /usr/share/akonadi
+whitelist /usr/share/gnupg
+whitelist /usr/share/gnupg2
+whitelist /usr/share/kconf_update
+whitelist /usr/share/kf5
+whitelist /usr/share/kservices5
+whitelist /usr/share/qlogging-categories5
+whitelist /var/mail
+whitelist /var/spool/mail
+include whitelist-common.inc
+include whitelist-runnuser-common.inc
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
-# apparmor
+apparmor
 caps.drop all
 netfilter
 nodvd
@@ -56,7 +122,12 @@ protocol unix,inet,inet6,netlink
 seccomp !chroot,!io_getevents,!io_setup,!io_submit,!ioprio_set
 # tracelog
+private-cache
 private-dev
+private-etc alternatives,ca-certificates,crypto-policies,dconf,drirc,fonts,gcrypt,gtk-2.0,gtk-3.0,groups,hostname,hosts,ld.so.preload,ld.so.cache,mailname,nsswitch.conf,passwd,pki,resolv.conf,selinux,ssl,xdg
 # private-tmp - interrupts connection to akonadi, breaks opening of email attachments
-# writable-run-user is needed for signing and encrypting emails
 writable-run-user
+writable-var
+# dbus-user none
+dbus-system none
author	kortewegdevries <kortewegdevries@protonmail.ch>	2020-08-29 06:44:22 +0000
committer	kortewegdevries <kortewegdevries@protonmail.ch>	2020-08-29 06:44:22 +0000
commit	5532fbdb9749c5333ac03152f8c94fd364182d32 (patch)
tree	d7632129c4aff3253aecac562b6e7809b44e867f /etc/profile-a-l
parent	GPG default, fixes... (diff)
download	firejail-5532fbd.tar.gz firejail-5532fbd.tar.zst firejail-5532fbd.zip

diff --git a/etc/profile-a-l/evolution.profile b/etc/profile-a-l/evolution.profile index 2967218c7..4f0ebf630 100644 --- a/etc/profile-a-l/evolution.profile +++ b/etc/profile-a-l/evolution.profile
@@ -39,6 +39,7 @@ whitelist ${HOME}/.cache/evolution
39	whitelist ${HOME}/.config/evolution	39	whitelist ${HOME}/.config/evolution
40	whitelist ${HOME}/.local/share/evolution	40	whitelist ${HOME}/.local/share/evolution
41	whitelist ${HOME}/.local/share/pki	41	whitelist ${HOME}/.local/share/pki
		42	whitelist ${DOCUMENTS}
42	whitelist ${DOWNLOADS}	43	whitelist ${DOWNLOADS}
43	whitelist ${RUNUSER}/gnupg	44	whitelist ${RUNUSER}/gnupg
44	whitelist /usr/share/evolution	45	whitelist /usr/share/evolution
@@ -70,6 +71,7 @@ shell none
70	tracelog	71	tracelog
71		72
72	# disable-mnt	73	# disable-mnt
		74	# Add "gpg,gpg2,gpg-agent,pinentry-curses,pinentry-emacs,pinentry-fltk,pinentry-gnome3,pinentry-gtk,pinentry-gtk2,pinentry-gtk-2,pinentry-qt,pinentry-qt4,pinentry-tty,pinentry-x2go,pinentry-kwallet" for gpg
73	# private-bin evolution	75	# private-bin evolution
74	private-cache	76	private-cache
75	private-dev	77	private-dev


diff --git a/etc/profile-a-l/kmail.profile b/etc/profile-a-l/kmail.profile index ab4ff10b9..635f698a8 100644 --- a/etc/profile-a-l/kmail.profile +++ b/etc/profile-a-l/kmail.profile
@@ -9,6 +9,9 @@ include globals.local
9	# kmail has problems launching akonadi in debian and ubuntu.	9	# kmail has problems launching akonadi in debian and ubuntu.
10	# one solution is to have akonadi already running when kmail is started	10	# one solution is to have akonadi already running when kmail is started
11		11
		12	noblacklist ${HOME}/.gnupg
		13	# noblacklist ${HOME}/.kde/
		14	# noblacklist ${HOME}/.kde4/
12	noblacklist ${HOME}/.cache/akonadi*	15	noblacklist ${HOME}/.cache/akonadi*
13	noblacklist ${HOME}/.cache/kmail2	16	noblacklist ${HOME}/.cache/kmail2
14	noblacklist ${HOME}/.config/akonadi*	17	noblacklist ${HOME}/.config/akonadi*
@@ -19,7 +22,6 @@ noblacklist ${HOME}/.config/kmail2rc
19	noblacklist ${HOME}/.config/kmailsearchindexingrc	22	noblacklist ${HOME}/.config/kmailsearchindexingrc
20	noblacklist ${HOME}/.config/mailtransports	23	noblacklist ${HOME}/.config/mailtransports
21	noblacklist ${HOME}/.config/specialmailcollectionsrc	24	noblacklist ${HOME}/.config/specialmailcollectionsrc
22	noblacklist ${HOME}/.gnupg
23	noblacklist ${HOME}/.local/share/akonadi*	25	noblacklist ${HOME}/.local/share/akonadi*
24	noblacklist ${HOME}/.local/share/apps/korganizer	26	noblacklist ${HOME}/.local/share/apps/korganizer
25	noblacklist ${HOME}/.local/share/contacts	27	noblacklist ${HOME}/.local/share/contacts
@@ -30,6 +32,8 @@ noblacklist ${HOME}/.local/share/kxmlgui5/kmail2
30	noblacklist ${HOME}/.local/share/local-mail	32	noblacklist ${HOME}/.local/share/local-mail
31	noblacklist ${HOME}/.local/share/notes	33	noblacklist ${HOME}/.local/share/notes
32	noblacklist /tmp/akonadi-*	34	noblacklist /tmp/akonadi-*
		35	noblacklist /var/mail
		36	noblacklist /var/spool/mail
33		37
34	include disable-common.inc	38	include disable-common.inc
35	include disable-devel.inc	39	include disable-devel.inc
@@ -37,10 +41,72 @@ include disable-exec.inc
37	include disable-interpreters.inc	41	include disable-interpreters.inc
38	include disable-passwdmgr.inc	42	include disable-passwdmgr.inc
39	include disable-programs.inc	43	include disable-programs.inc
		44	include disable-xdg.inc
40		45
		46	mkdir ${HOME}/.gnupg
		47	# mkdir ${HOME}/.kde/
		48	# mkdir ${HOME}/.kde4/
		49	mkdir ${HOME}/.cache/akonadi*
		50	mkdir ${HOME}/.cache/kmail2
		51	mkdir ${HOME}/.config/akonadi*
		52	mkdir ${HOME}/.config/baloorc
		53	mkdir ${HOME}/.config/emaildefaults
		54	mkdir ${HOME}/.config/emailidentities
		55	mkdir ${HOME}/.config/kmail2rc
		56	mkdir ${HOME}/.config/kmailsearchindexingrc
		57	mkdir ${HOME}/.config/mailtransports
		58	mkdir ${HOME}/.config/specialmailcollectionsrc
		59	mkdir ${HOME}/.local/share/akonadi*
		60	mkdir ${HOME}/.local/share/apps/korganizer
		61	mkdir ${HOME}/.local/share/contacts
		62	mkdir ${HOME}/.local/share/emailidentities
		63	mkdir ${HOME}/.local/share/kmail2
		64	mkdir ${HOME}/.local/share/kxmlgui5/kmail
		65	mkdir ${HOME}/.local/share/kxmlgui5/kmail2
		66	mkdir ${HOME}/.local/share/local-mail
		67	mkdir ${HOME}/.local/share/notes
		68	mkdir /tmp/akonadi-*
		69	whitelist ${HOME}/.gnupg
		70	# whitelist ${HOME}/.kde/
		71	# whitelist ${HOME}/.kde4/
		72	whitelist ${HOME}/.cache/akonadi*
		73	whitelist ${HOME}/.cache/kmail2
		74	whitelist ${HOME}/.config/akonadi*
		75	whitelist ${HOME}/.config/baloorc
		76	whitelist ${HOME}/.config/emaildefaults
		77	whitelist ${HOME}/.config/emailidentities
		78	whitelist ${HOME}/.config/kmail2rc
		79	whitelist ${HOME}/.config/kmailsearchindexingrc
		80	whitelist ${HOME}/.config/mailtransports
		81	whitelist ${HOME}/.config/specialmailcollectionsrc
		82	whitelist ${HOME}/.local/share/akonadi*
		83	whitelist ${HOME}/.local/share/apps/korganizer
		84	whitelist ${HOME}/.local/share/contacts
		85	whitelist ${HOME}/.local/share/emailidentities
		86	whitelist ${HOME}/.local/share/kmail2
		87	whitelist ${HOME}/.local/share/kxmlgui5/kmail
		88	whitelist ${HOME}/.local/share/kxmlgui5/kmail2
		89	whitelist ${HOME}/.local/share/local-mail
		90	whitelist ${HOME}/.local/share/notes
		91	whitelist ${DOWNLOADS}
		92	whitelist ${DOCUMENTS}
		93	whitelist ${RUNUSER}/gnupg
		94	whitelist /tmp/akonadi-*
		95	whitelist /usr/share/akonadi
		96	whitelist /usr/share/gnupg
		97	whitelist /usr/share/gnupg2
		98	whitelist /usr/share/kconf_update
		99	whitelist /usr/share/kf5
		100	whitelist /usr/share/kservices5
		101	whitelist /usr/share/qlogging-categories5
		102	whitelist /var/mail
		103	whitelist /var/spool/mail
		104	include whitelist-common.inc
		105	include whitelist-runnuser-common.inc
		106	include whitelist-usr-share-common.inc
41	include whitelist-var-common.inc	107	include whitelist-var-common.inc
42		108
43	# apparmor	109	apparmor
44	caps.drop all	110	caps.drop all
45	netfilter	111	netfilter
46	nodvd	112	nodvd
@@ -56,7 +122,12 @@ protocol unix,inet,inet6,netlink
56	seccomp !chroot,!io_getevents,!io_setup,!io_submit,!ioprio_set	122	seccomp !chroot,!io_getevents,!io_setup,!io_submit,!ioprio_set
57	# tracelog	123	# tracelog
58		124
		125	private-cache
59	private-dev	126	private-dev
		127	private-etc alternatives,ca-certificates,crypto-policies,dconf,drirc,fonts,gcrypt,gtk-2.0,gtk-3.0,groups,hostname,hosts,ld.so.preload,ld.so.cache,mailname,nsswitch.conf,passwd,pki,resolv.conf,selinux,ssl,xdg
60	# private-tmp - interrupts connection to akonadi, breaks opening of email attachments	128	# private-tmp - interrupts connection to akonadi, breaks opening of email attachments
61	# writable-run-user is needed for signing and encrypting emails
62	writable-run-user	129	writable-run-user
		130	writable-var
		131
		132	# dbus-user none
		133	dbus-system none