Improve whitelisting and dbus of Sylpheed and Claws-mail

author: bbhtt <62639087+bbhtt@users.noreply.github.com> 2020-12-31 03:58:57 +0000
committer: bbhtt <62639087+bbhtt@users.noreply.github.com> 2020-12-31 03:58:57 +0000
commit: 144aee26f56156cb4ec0c674062c447d261802a4 (patch)
tree: 4512bc6cd552355f53c404bd25ad7400eafbdf55 /etc/profile-a-l
parent: Add folks cache directory (diff)
download: firejail-144aee26f56156cb4ec0c674062c447d261802a4.tar.gz
firejail-144aee26f56156cb4ec0c674062c447d261802a4.tar.zst
firejail-144aee26f56156cb4ec0c674062c447d261802a4.zip
2 files changed, 23 insertions, 9 deletions
diff --git a/etc/profile-a-l/claws-mail.profile b/etc/profile-a-l/claws-mail.profile
index 69196c578..c060279df 100644
--- a/etc/profile-a-l/claws-mail.profile
+++ b/etc/profile-a-l/claws-mail.profile
@@ -18,10 +18,14 @@ whitelist ${HOME}/.claws-mail
 whitelist /usr/share/doc/claws-mail
+# private-bin claws-mail,curl,gpg,gpg2,gpg-agent,gpgsm,gpgme-config,pinentry,pinentry-gtk-2
+dbus-user filter
+dbus-user.talk ca.desrt.dconf
+dbus-user.talk org.gnome.keyring.SystemPrompter
 # if you use the notification plugin you need to uncomment the below (or put them in your claws-mail.local)
-#ignore dbus-user none
+# dbus-user.talk org.freedesktop.Notifications
-#dbus-user filter
+dbus-system none
-#dbus-user.talk org.freedesktop.Notifications
 # Redirect
 include email-common.profile
diff --git a/etc/profile-a-l/email-common.profile b/etc/profile-a-l/email-common.profile
index df47f478d..9e7c15a9d 100644
--- a/etc/profile-a-l/email-common.profile
+++ b/etc/profile-a-l/email-common.profile
@@ -8,6 +8,7 @@ include email-common.local
 #include globals.local
 noblacklist ${HOME}/.gnupg
+noblacklist ${HOME}/.mozilla
 noblacklist ${HOME}/.signature
 # when storing mail outside the default ${HOME}/Mail path, 'noblacklist' the custom path in your email-common.local
 # and 'blacklist' it in your disable-common.local too so it is  kept hidden from other applications
@@ -17,28 +18,35 @@ noblacklist ${DOCUMENTS}
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
-whitelist ${DOCUMENTS}
-whitelist ${DOWNLOADS}
 mkfile ${HOME}/.config/mimeapps.list
-mkdir ${HOME}/.gnupg
 mkfile ${HOME}/.signature
+mkdir ${HOME}/.gnupg
 whitelist ${HOME}/.config/mimeapps.list
+whitelist ${HOME}/.mozilla/firefox/profiles.ini
 whitelist ${HOME}/.gnupg
 whitelist ${HOME}/.signature
+whitelist ${DOCUMENTS}
+whitelist ${DOWNLOADS}
 # when storing mail outside the default ${HOME}/Mail path, 'whitelist' the custom path in your email-common.local
 whitelist ${HOME}/Mail
+whitelist ${RUNUSER}/gnupg
 whitelist /usr/share/gnupg
 whitelist /usr/share/gnupg2
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
+apparmor
 caps.drop all
+machine-id
 netfilter
 no3d
 nodvd
@@ -54,13 +62,12 @@ seccomp
 shell none
 tracelog
+# disable-mnt
 private-cache
 private-dev
+private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,gnupg,groups,gtk-2.0,gtk-3.0,hostname,hosts,hosts.conf,mailname,nsswitch.conf,passwd,pki,resolv.conf,selinux,ssl,xdg
 private-tmp
-dbus-user none
-dbus-system none
 # encrypting and signing email
 writable-run-user
@@ -70,3 +77,6 @@ writable-run-user
 #whitelist /var/mail
 #whitelist /var/spool/mail
 #writable-var
+read-only ${HOME}/.mozilla/firefox/profiles.ini
+read-only ${HOME}/.signature
author	bbhtt <62639087+bbhtt@users.noreply.github.com>	2020-12-31 03:58:57 +0000
committer	bbhtt <62639087+bbhtt@users.noreply.github.com>	2020-12-31 03:58:57 +0000
commit	144aee26f56156cb4ec0c674062c447d261802a4 (patch)
tree	4512bc6cd552355f53c404bd25ad7400eafbdf55 /etc/profile-a-l
parent	Add folks cache directory (diff)
download	firejail-144aee26f56156cb4ec0c674062c447d261802a4.tar.gz firejail-144aee26f56156cb4ec0c674062c447d261802a4.tar.zst firejail-144aee26f56156cb4ec0c674062c447d261802a4.zip