refactor claws-mail and sylpheed as whitelist profiles (#3162)

* refactor claws-mail as whitelist profile * refactor sylpheed as whitelist profile * Create email-common.profile * safeguard ${DOCUMENTS} * Add disable-xdg to email-common.profile Thanks @rusty-snake for the review.
author: glitsj16 <glitsj16@users.noreply.github.com> 2020-01-18 11:03:32 +0000
committer: GitHub <noreply@github.com> 2020-01-18 11:03:32 +0000
commit: e8a5e0d3302547c40df2eb7b40a746f5ced3c10e (patch)
tree: c63d48704132b12df09cff047a0a8ef00bd6cf5c /etc
parent: Merge pull request #3161 from rusty-snake/bl-wayland (diff)
download: firejail-e8a5e0d3302547c40df2eb7b40a746f5ced3c10e.tar.gz
firejail-e8a5e0d3302547c40df2eb7b40a746f5ced3c10e.tar.zst
firejail-e8a5e0d3302547c40df2eb7b40a746f5ced3c10e.zip
3 files changed, 76 insertions, 46 deletions
diff --git a/etc/claws-mail.profile b/etc/claws-mail.profile
index 44124f4a3..a1c44c91d 100644
--- a/etc/claws-mail.profile
+++ b/etc/claws-mail.profile
@@ -7,46 +7,11 @@ include claws-mail.local
 include globals.local
 noblacklist ${HOME}/.claws-mail
-noblacklist ${HOME}/.gnupg
-noblacklist ${HOME}/.signature
-# when storing mail outside the default ${HOME}/Mail path, 'noblacklist' the custom path in your claws-mail.local
-# and 'blacklist' it in your disable-common.local too so it is  kept hidden from other applications
-noblacklist ${HOME}/Mail
-noblacklist ${DOCUMENTS}
+mkdir ${HOME}/.claws-mail
-include disable-common.inc
+whitelist ${HOME}/.claws-mail
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
-include disable-xdg.inc
 whitelist /usr/share/doc/claws-mail
-whitelist /usr/share/gnupg
-whitelist /usr/share/gnupg2
-include whitelist-usr-share-common.inc
-caps.drop all
+# Redirect
-netfilter
+include email-common.profile
+\ No newline at end of file
-no3d
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-nou2f
-novideo
-protocol unix,inet,inet6
-seccomp
-shell none
-private-cache
-private-dev
-private-tmp
-# If you want to read local mail stored in /var/mail, add the following to claws-mail.local:
-# noblacklist /var/mail
-# noblacklist /var/spool/mail
-# writable-var
diff --git a/etc/email-common.profile b/etc/email-common.profile
new file mode 100644
index 000000000..f9d96858b
--- /dev/null
+++ b/etc/email-common.profile
@@ -0,0 +1,68 @@
+# Firejail profile for email-common
+# Description: Common profile for claws-mail and sylpheed email clients
+# This file is overwritten after every install/update
+# Persistent local customizations
+include email-common.local
+# Persistent global definitions
+# added by caller profile
+#include globals.local
+noblacklist ${HOME}/.gnupg
+noblacklist ${HOME}/.signature
+# when storing mail outside the default ${HOME}/Mail path, 'noblacklist' the custom path in your email-common.local
+# and 'blacklist' it in your disable-common.local too so it is  kept hidden from other applications
+noblacklist ${HOME}/Mail
+noblacklist ${DOCUMENTS}
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+whitelist ${DOCUMENTS}
+whitelist ${DOWNLOADS}
+mkfile ${HOME}/.config/mimeapps.list
+mkdir ${HOME}/.gnupg
+mkfile ${HOME}/.signature
+whitelist ${HOME}/.config/mimeapps.list
+whitelist ${HOME}/.gnupg
+whitelist ${HOME}/.signature
+# when storing mail outside the default ${HOME}/Mail path, 'whitelist' the custom path in your email-common.local
+whitelist ${HOME}/Mail
+whitelist /usr/share/gnupg
+whitelist /usr/share/gnupg2
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+private-cache
+private-dev
+private-tmp
+# encrypting and signing email
+read-only ${HOME}/.config/mimeapps.list
+writable-run-user
+# If you want to read local mail stored in /var/mail, add the following to email-common.local:
+# whitelist /var/mail
+# whitelist /var/spool/mail
+# writable-var
diff --git a/etc/sylpheed.profile b/etc/sylpheed.profile
index 8e99fe1d6..4344fe73a 100644
--- a/etc/sylpheed.profile
+++ b/etc/sylpheed.profile
@@ -4,17 +4,14 @@
 # Persistent local customizations
 include sylpheed.local
 # Persistent global definitions
-# added by included profile
+include globals.local
-#include globals.local
 noblacklist ${HOME}/.sylpheed-2.0
-# when storing mail outside the default ${HOME}/Mail path, 'noblacklist' the custom path in your sylpheed.local
-# and 'blacklist' it in your disable-common.local too so it is  kept hidden from other applications
-blacklist ${HOME}/.claws-mail
+mkdir ${HOME}/.sylpheed-2.0
+whitelist ${HOME}/.sylpheed-2.0
-nowhitelist /usr/share/doc/claws-mail
 whitelist /usr/share/sylpheed
 # Redirect
-include claws-mail.profile
+include email-common.profile
author	glitsj16 <glitsj16@users.noreply.github.com>	2020-01-18 11:03:32 +0000
committer	GitHub <noreply@github.com>	2020-01-18 11:03:32 +0000
commit	e8a5e0d3302547c40df2eb7b40a746f5ced3c10e (patch)
tree	c63d48704132b12df09cff047a0a8ef00bd6cf5c /etc
parent	Merge pull request #3161 from rusty-snake/bl-wayland (diff)
download	firejail-e8a5e0d3302547c40df2eb7b40a746f5ced3c10e.tar.gz firejail-e8a5e0d3302547c40df2eb7b40a746f5ced3c10e.tar.zst firejail-e8a5e0d3302547c40df2eb7b40a746f5ced3c10e.zip

diff --git a/etc/claws-mail.profile b/etc/claws-mail.profile index 44124f4a3..a1c44c91d 100644 --- a/etc/claws-mail.profile +++ b/etc/claws-mail.profile
@@ -7,46 +7,11 @@ include claws-mail.local
7	include globals.local	7	include globals.local
8		8
9	noblacklist ${HOME}/.claws-mail	9	noblacklist ${HOME}/.claws-mail
10	noblacklist ${HOME}/.gnupg
11	noblacklist ${HOME}/.signature
12	# when storing mail outside the default ${HOME}/Mail path, 'noblacklist' the custom path in your claws-mail.local
13	# and 'blacklist' it in your disable-common.local too so it is kept hidden from other applications
14	noblacklist ${HOME}/Mail
15		10
16	noblacklist ${DOCUMENTS}	11	mkdir ${HOME}/.claws-mail
17	include disable-common.inc	12	whitelist ${HOME}/.claws-mail
18	include disable-devel.inc
19	include disable-exec.inc
20	include disable-interpreters.inc
21	include disable-passwdmgr.inc
22	include disable-programs.inc
23	include disable-xdg.inc
24		13
25	whitelist /usr/share/doc/claws-mail	14	whitelist /usr/share/doc/claws-mail
26	whitelist /usr/share/gnupg
27	whitelist /usr/share/gnupg2
28	include whitelist-usr-share-common.inc
29		15
30	caps.drop all	16	# Redirect
31	netfilter	17	include email-common.profile \ No newline at end of file
32	no3d
33	nodvd
34	nogroups
35	nonewprivs
36	noroot
37	nosound
38	notv
39	nou2f
40	novideo
41	protocol unix,inet,inet6
42	seccomp
43	shell none
44
45	private-cache
46	private-dev
47	private-tmp
48
49	# If you want to read local mail stored in /var/mail, add the following to claws-mail.local:
50	# noblacklist /var/mail
51	# noblacklist /var/spool/mail
52	# writable-var


diff --git a/etc/email-common.profile b/etc/email-common.profile new file mode 100644 index 000000000..f9d96858b --- /dev/null +++ b/etc/email-common.profile
@@ -0,0 +1,68 @@
		1	# Firejail profile for email-common
		2	# Description: Common profile for claws-mail and sylpheed email clients
		3	# This file is overwritten after every install/update
		4	# Persistent local customizations
		5	include email-common.local
		6	# Persistent global definitions
		7	# added by caller profile
		8	#include globals.local
		9
		10	noblacklist ${HOME}/.gnupg
		11	noblacklist ${HOME}/.signature
		12	# when storing mail outside the default ${HOME}/Mail path, 'noblacklist' the custom path in your email-common.local
		13	# and 'blacklist' it in your disable-common.local too so it is kept hidden from other applications
		14	noblacklist ${HOME}/Mail
		15
		16	noblacklist ${DOCUMENTS}
		17
		18	include disable-common.inc
		19	include disable-devel.inc
		20	include disable-interpreters.inc
		21	include disable-passwdmgr.inc
		22	include disable-programs.inc
		23	include disable-xdg.inc
		24
		25	whitelist ${DOCUMENTS}
		26	whitelist ${DOWNLOADS}
		27	mkfile ${HOME}/.config/mimeapps.list
		28	mkdir ${HOME}/.gnupg
		29	mkfile ${HOME}/.signature
		30	whitelist ${HOME}/.config/mimeapps.list
		31	whitelist ${HOME}/.gnupg
		32	whitelist ${HOME}/.signature
		33	# when storing mail outside the default ${HOME}/Mail path, 'whitelist' the custom path in your email-common.local
		34	whitelist ${HOME}/Mail
		35	whitelist /usr/share/gnupg
		36	whitelist /usr/share/gnupg2
		37	include whitelist-common.inc
		38	include whitelist-usr-share-common.inc
		39	include whitelist-var-common.inc
		40
		41	caps.drop all
		42	netfilter
		43	no3d
		44	nodvd
		45	nogroups
		46	nonewprivs
		47	noroot
		48	nosound
		49	notv
		50	nou2f
		51	novideo
		52	protocol unix,inet,inet6
		53	seccomp
		54	shell none
		55	tracelog
		56
		57	private-cache
		58	private-dev
		59	private-tmp
		60
		61	# encrypting and signing email
		62	read-only ${HOME}/.config/mimeapps.list
		63	writable-run-user
		64
		65	# If you want to read local mail stored in /var/mail, add the following to email-common.local:
		66	# whitelist /var/mail
		67	# whitelist /var/spool/mail
		68	# writable-var


diff --git a/etc/sylpheed.profile b/etc/sylpheed.profile index 8e99fe1d6..4344fe73a 100644 --- a/etc/sylpheed.profile +++ b/etc/sylpheed.profile
@@ -4,17 +4,14 @@
4	# Persistent local customizations	4	# Persistent local customizations
5	include sylpheed.local	5	include sylpheed.local
6	# Persistent global definitions	6	# Persistent global definitions
7	# added by included profile	7	include globals.local
8	#include globals.local
9		8
10	noblacklist ${HOME}/.sylpheed-2.0	9	noblacklist ${HOME}/.sylpheed-2.0
11	# when storing mail outside the default ${HOME}/Mail path, 'noblacklist' the custom path in your sylpheed.local
12	# and 'blacklist' it in your disable-common.local too so it is kept hidden from other applications
13		10
14	blacklist ${HOME}/.claws-mail	11	mkdir ${HOME}/.sylpheed-2.0
		12	whitelist ${HOME}/.sylpheed-2.0
15		13
16	nowhitelist /usr/share/doc/claws-mail
17	whitelist /usr/share/sylpheed	14	whitelist /usr/share/sylpheed
18		15
19	# Redirect	16	# Redirect
20	include claws-mail.profile	17	include email-common.profile