Merge pull request #5571 from glitsj16/ec-refactor

email-common refactoring
author: netblue30 <netblue30@protonmail.com> 2023-01-15 09:24:30 -0500
committer: GitHub <noreply@github.com> 2023-01-15 09:24:30 -0500
commit: c93ac418630fbf73d670fd502f5e14ba9fd49d44 (patch)
tree: aec16d3bbf9d4bbdf339e3d0bc44091796f6fc47 /etc/profile-a-l
parent: Merge pull request #5563 from glitsj16/linuxqq (diff)
parent: balsa: drop private-bin (diff)
download: firejail-c93ac418630fbf73d670fd502f5e14ba9fd49d44.tar.gz
firejail-c93ac418630fbf73d670fd502f5e14ba9fd49d44.tar.zst
firejail-c93ac418630fbf73d670fd502f5e14ba9fd49d44.zip
3 files changed, 17 insertions, 80 deletions
diff --git a/etc/profile-a-l/balsa.profile b/etc/profile-a-l/balsa.profile
index 661356ff6..fb66016a9 100644
--- a/etc/profile-a-l/balsa.profile
+++ b/etc/profile-a-l/balsa.profile
@@ -7,76 +7,20 @@ include balsa.local
 include globals.local
 noblacklist ${HOME}/.balsa
-noblacklist ${HOME}/.gnupg
-noblacklist ${HOME}/.mozilla
-noblacklist ${HOME}/.signature
 noblacklist ${HOME}/mail
-noblacklist /var/mail
-noblacklist /var/spool/mail
-include disable-common.inc
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-programs.inc
 include disable-shell.inc
-include disable-xdg.inc
 mkdir ${HOME}/.balsa
-mkdir ${HOME}/.gnupg
-mkfile ${HOME}/.signature
 mkdir ${HOME}/mail
 whitelist ${HOME}/.balsa
-whitelist ${HOME}/.gnupg
-whitelist ${HOME}/.mozilla/firefox/profiles.ini
-whitelist ${HOME}/.signature
 whitelist ${HOME}/mail
-whitelist ${RUNUSER}/gnupg
 whitelist /usr/share/balsa
-whitelist /usr/share/gnupg
-whitelist /usr/share/gnupg2
-whitelist /var/mail
-whitelist /var/spool/mail
-include whitelist-common.inc
-include whitelist-runuser-common.inc
-include whitelist-usr-share-common.inc
-include whitelist-var-common.inc
-apparmor
+# Add "pinentry-curses,pinentry-emacs,pinentry-fltk,pinentry-gnome3,pinentry-gtk,pinentry-gtk2,pinentry-gtk-2,pinentry-qt,pinentry-qt4,pinentry-tty,pinentry-x2go,pinentry-kwallet" for gpg.
-caps.drop all
+#private-bin balsa,balsa-ab,gpg,gpg-agent,gpg2,gpgsm
-netfilter
-no3d
-nodvd
-nogroups
-noinput
-nonewprivs
-noroot
-nosound
-notv
-nou2f
-novideo
-protocol unix,inet,inet6
-seccomp
-tracelog
-# disable-mnt
-# Add "pinentry-curses,pinentry-emacs,pinentry-fltk,pinentry-gnome3,pinentry-gtk,pinentry-gtk2,pinentry-gtk-2,pinentry-qt,pinentry-qt4,pinentry-tty,pinentry-x2go,pinentry-kwallet" for gpg
-# Add "ignore private-bin" for hyperlinks or have a look at the private-bins in firefox.profile and firefox-common.profile.
-private-bin balsa,balsa-ab,gpg,gpg-agent,gpg2,gpgsm
-private-cache
-private-dev
-private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,groups,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.preload,mailname,passwd,pki,resolv.conf,selinux,ssl,xdg
-private-tmp
-writable-run-user
-writable-var
-dbus-user filter
 dbus-user.own org.desktop.Balsa
-dbus-user.talk ca.desrt.dconf
-dbus-user.talk org.freedesktop.Notifications
-dbus-user.talk org.freedesktop.secrets
-dbus-user.talk org.gnome.keyring.SystemPrompter
-dbus-system none
-read-only ${HOME}/.mozilla/firefox/profiles.ini
+# Redirect
-restrict-namespaces
+include email-common.profile
diff --git a/etc/profile-a-l/claws-mail.profile b/etc/profile-a-l/claws-mail.profile
index ce7b30122..e0f1bca94 100644
--- a/etc/profile-a-l/claws-mail.profile
+++ b/etc/profile-a-l/claws-mail.profile
@@ -20,17 +20,5 @@ whitelist /usr/share/doc/claws-mail
 # private-bin claws-mail,curl,gpg,gpg2,gpg-agent,gpgsm,gpgme-config,pinentry,pinentry-gtk-2
-dbus-user filter
-dbus-user.talk ca.desrt.dconf
-# Add the next line to your claws-mail.local if you use the notification plugin.
-# dbus-user.talk org.freedesktop.Notifications
-dbus-user.talk org.freedesktop.secrets
-dbus-user.talk org.gnome.keyring
-dbus-user.talk org.gnome.keyring.PrivatePrompter
-dbus-user.talk org.gnome.keyring.SystemPrompter
-dbus-user.talk org.gnome.seahorse
-dbus-user.talk org.gnome.seahorse.Application
-dbus-user.talk org.mozilla.*
 # Redirect
 include email-common.profile
diff --git a/etc/profile-a-l/email-common.profile b/etc/profile-a-l/email-common.profile
index 86fb27514..0bdfe995e 100644
--- a/etc/profile-a-l/email-common.profile
+++ b/etc/profile-a-l/email-common.profile
@@ -1,5 +1,5 @@
 # Firejail profile for email-common
-# Description: Common profile for claws-mail and sylpheed email clients
+# Description: Common profile for GUI mail clients
 # This file is overwritten after every install/update
 # Persistent local customizations
 include email-common.local
@@ -14,6 +14,8 @@ noblacklist ${HOME}/.signature
 # when storing mail outside the default ${HOME}/Mail path, 'noblacklist' the custom path in your email-common.local
 # and 'blacklist' it in your disable-common.local too so it is kept hidden from other applications
 noblacklist ${HOME}/Mail
+noblacklist /var/mail
+noblacklist /var/spool/mail
 noblacklist ${DOCUMENTS}
@@ -38,6 +40,8 @@ whitelist ${HOME}/Mail
 whitelist ${RUNUSER}/gnupg
 whitelist /usr/share/gnupg
 whitelist /usr/share/gnupg2
+whitelist /var/mail
+whitelist /var/spool/mail
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
@@ -69,16 +73,17 @@ private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,gnup
 private-tmp
 # encrypting and signing email
 writable-run-user
+writable-var
+dbus-user filter
+dbus-user.talk ca.desrt.dconf
+dbus-user.talk org.freedesktop.Notifications
+dbus-user.talk org.freedesktop.secrets
+dbus-user.talk org.gnome.keyring.*
+dbus-user.talk org.gnome.seahorse.*
+dbus-user.talk org.mozilla.*
 dbus-system none
-# If you want to read local mail stored in /var/mail, add the following to email-common.local:
-#noblacklist /var/mail
-#noblacklist /var/spool/mail
-#whitelist /var/mail
-#whitelist /var/spool/mail
-#writable-var
 read-only ${HOME}/.mozilla/firefox/profiles.ini
 read-only ${HOME}/.signature
 restrict-namespaces
author	netblue30 <netblue30@protonmail.com>	2023-01-15 09:24:30 -0500
committer	GitHub <noreply@github.com>	2023-01-15 09:24:30 -0500
commit	c93ac418630fbf73d670fd502f5e14ba9fd49d44 (patch)
tree	aec16d3bbf9d4bbdf339e3d0bc44091796f6fc47 /etc/profile-a-l
parent	Merge pull request #5563 from glitsj16/linuxqq (diff)
parent	balsa: drop private-bin (diff)
download	firejail-c93ac418630fbf73d670fd502f5e14ba9fd49d44.tar.gz firejail-c93ac418630fbf73d670fd502f5e14ba9fd49d44.tar.zst firejail-c93ac418630fbf73d670fd502f5e14ba9fd49d44.zip

diff --git a/etc/profile-a-l/balsa.profile b/etc/profile-a-l/balsa.profile index 661356ff6..fb66016a9 100644 --- a/etc/profile-a-l/balsa.profile +++ b/etc/profile-a-l/balsa.profile
@@ -7,76 +7,20 @@ include balsa.local
7	include globals.local	7	include globals.local
8		8
9	noblacklist ${HOME}/.balsa	9	noblacklist ${HOME}/.balsa
10	noblacklist ${HOME}/.gnupg
11	noblacklist ${HOME}/.mozilla
12	noblacklist ${HOME}/.signature
13	noblacklist ${HOME}/mail	10	noblacklist ${HOME}/mail
14	noblacklist /var/mail
15	noblacklist /var/spool/mail
16		11
17	include disable-common.inc
18	include disable-devel.inc
19	include disable-exec.inc
20	include disable-interpreters.inc
21	include disable-programs.inc
22	include disable-shell.inc	12	include disable-shell.inc
23	include disable-xdg.inc
24		13
25	mkdir ${HOME}/.balsa	14	mkdir ${HOME}/.balsa
26	mkdir ${HOME}/.gnupg
27	mkfile ${HOME}/.signature
28	mkdir ${HOME}/mail	15	mkdir ${HOME}/mail
29	whitelist ${HOME}/.balsa	16	whitelist ${HOME}/.balsa
30	whitelist ${HOME}/.gnupg
31	whitelist ${HOME}/.mozilla/firefox/profiles.ini
32	whitelist ${HOME}/.signature
33	whitelist ${HOME}/mail	17	whitelist ${HOME}/mail
34	whitelist ${RUNUSER}/gnupg
35	whitelist /usr/share/balsa	18	whitelist /usr/share/balsa
36	whitelist /usr/share/gnupg
37	whitelist /usr/share/gnupg2
38	whitelist /var/mail
39	whitelist /var/spool/mail
40	include whitelist-common.inc
41	include whitelist-runuser-common.inc
42	include whitelist-usr-share-common.inc
43	include whitelist-var-common.inc
44		19
45	apparmor	20	# Add "pinentry-curses,pinentry-emacs,pinentry-fltk,pinentry-gnome3,pinentry-gtk,pinentry-gtk2,pinentry-gtk-2,pinentry-qt,pinentry-qt4,pinentry-tty,pinentry-x2go,pinentry-kwallet" for gpg.
46	caps.drop all	21	#private-bin balsa,balsa-ab,gpg,gpg-agent,gpg2,gpgsm
47	netfilter
48	no3d
49	nodvd
50	nogroups
51	noinput
52	nonewprivs
53	noroot
54	nosound
55	notv
56	nou2f
57	novideo
58	protocol unix,inet,inet6
59	seccomp
60	tracelog
61		22
62	# disable-mnt
63	# Add "pinentry-curses,pinentry-emacs,pinentry-fltk,pinentry-gnome3,pinentry-gtk,pinentry-gtk2,pinentry-gtk-2,pinentry-qt,pinentry-qt4,pinentry-tty,pinentry-x2go,pinentry-kwallet" for gpg
64	# Add "ignore private-bin" for hyperlinks or have a look at the private-bins in firefox.profile and firefox-common.profile.
65	private-bin balsa,balsa-ab,gpg,gpg-agent,gpg2,gpgsm
66	private-cache
67	private-dev
68	private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,groups,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.preload,mailname,passwd,pki,resolv.conf,selinux,ssl,xdg
69	private-tmp
70	writable-run-user
71	writable-var
72
73	dbus-user filter
74	dbus-user.own org.desktop.Balsa	23	dbus-user.own org.desktop.Balsa
75	dbus-user.talk ca.desrt.dconf
76	dbus-user.talk org.freedesktop.Notifications
77	dbus-user.talk org.freedesktop.secrets
78	dbus-user.talk org.gnome.keyring.SystemPrompter
79	dbus-system none
80		24
81	read-only ${HOME}/.mozilla/firefox/profiles.ini	25	# Redirect
82	restrict-namespaces	26	include email-common.profile


diff --git a/etc/profile-a-l/claws-mail.profile b/etc/profile-a-l/claws-mail.profile index ce7b30122..e0f1bca94 100644 --- a/etc/profile-a-l/claws-mail.profile +++ b/etc/profile-a-l/claws-mail.profile
@@ -20,17 +20,5 @@ whitelist /usr/share/doc/claws-mail
20		20
21	# private-bin claws-mail,curl,gpg,gpg2,gpg-agent,gpgsm,gpgme-config,pinentry,pinentry-gtk-2	21	# private-bin claws-mail,curl,gpg,gpg2,gpg-agent,gpgsm,gpgme-config,pinentry,pinentry-gtk-2
22		22
23	dbus-user filter
24	dbus-user.talk ca.desrt.dconf
25	# Add the next line to your claws-mail.local if you use the notification plugin.
26	# dbus-user.talk org.freedesktop.Notifications
27	dbus-user.talk org.freedesktop.secrets
28	dbus-user.talk org.gnome.keyring
29	dbus-user.talk org.gnome.keyring.PrivatePrompter
30	dbus-user.talk org.gnome.keyring.SystemPrompter
31	dbus-user.talk org.gnome.seahorse
32	dbus-user.talk org.gnome.seahorse.Application
33	dbus-user.talk org.mozilla.*
34
35	# Redirect	23	# Redirect
36	include email-common.profile	24	include email-common.profile


diff --git a/etc/profile-a-l/email-common.profile b/etc/profile-a-l/email-common.profile index 86fb27514..0bdfe995e 100644 --- a/etc/profile-a-l/email-common.profile +++ b/etc/profile-a-l/email-common.profile
@@ -1,5 +1,5 @@
1	# Firejail profile for email-common	1	# Firejail profile for email-common
2	# Description: Common profile for claws-mail and sylpheed email clients	2	# Description: Common profile for GUI mail clients
3	# This file is overwritten after every install/update	3	# This file is overwritten after every install/update
4	# Persistent local customizations	4	# Persistent local customizations
5	include email-common.local	5	include email-common.local
@@ -14,6 +14,8 @@ noblacklist ${HOME}/.signature
14	# when storing mail outside the default ${HOME}/Mail path, 'noblacklist' the custom path in your email-common.local	14	# when storing mail outside the default ${HOME}/Mail path, 'noblacklist' the custom path in your email-common.local
15	# and 'blacklist' it in your disable-common.local too so it is kept hidden from other applications	15	# and 'blacklist' it in your disable-common.local too so it is kept hidden from other applications
16	noblacklist ${HOME}/Mail	16	noblacklist ${HOME}/Mail
		17	noblacklist /var/mail
		18	noblacklist /var/spool/mail
17		19
18	noblacklist ${DOCUMENTS}	20	noblacklist ${DOCUMENTS}
19		21
@@ -38,6 +40,8 @@ whitelist ${HOME}/Mail
38	whitelist ${RUNUSER}/gnupg	40	whitelist ${RUNUSER}/gnupg
39	whitelist /usr/share/gnupg	41	whitelist /usr/share/gnupg
40	whitelist /usr/share/gnupg2	42	whitelist /usr/share/gnupg2
		43	whitelist /var/mail
		44	whitelist /var/spool/mail
41	include whitelist-common.inc	45	include whitelist-common.inc
42	include whitelist-runuser-common.inc	46	include whitelist-runuser-common.inc
43	include whitelist-usr-share-common.inc	47	include whitelist-usr-share-common.inc
@@ -69,16 +73,17 @@ private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,gnup
69	private-tmp	73	private-tmp
70	# encrypting and signing email	74	# encrypting and signing email
71	writable-run-user	75	writable-run-user
		76	writable-var
72		77
		78	dbus-user filter
		79	dbus-user.talk ca.desrt.dconf
		80	dbus-user.talk org.freedesktop.Notifications
		81	dbus-user.talk org.freedesktop.secrets
		82	dbus-user.talk org.gnome.keyring.*
		83	dbus-user.talk org.gnome.seahorse.*
		84	dbus-user.talk org.mozilla.*
73	dbus-system none	85	dbus-system none
74		86
75	# If you want to read local mail stored in /var/mail, add the following to email-common.local:
76	#noblacklist /var/mail
77	#noblacklist /var/spool/mail
78	#whitelist /var/mail
79	#whitelist /var/spool/mail
80	#writable-var
81
82	read-only ${HOME}/.mozilla/firefox/profiles.ini	87	read-only ${HOME}/.mozilla/firefox/profiles.ini
83	read-only ${HOME}/.signature	88	read-only ${HOME}/.signature
84	restrict-namespaces	89	restrict-namespaces