author | kortewegdevries <kortewegdevries@protonmail.ch> | 2020-08-28 11:37:57 +0000 |
---|---|---|
committer | kortewegdevries <kortewegdevries@protonmail.ch> | 2020-08-28 11:37:57 +0000 |
commit | 6c4f97a3cd80779faedacd1424f66227ef38eba9 (patch) | |
tree | 5fcefc2095244ddb1ef74a80b55b1aa3e56756a2 /etc | |
parent | expose pulseaudio in chroot if FIREJAIL_CHROOT_PULSE is set (diff) | |
Switch Evolution to whitelisting
Diffstat (limited to 'etc')
-rw-r--r-- | etc/profile-a-l/evolution.profile | 60 |
1 files changed, 55 insertions, 5 deletions
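--- a/etc/profile-a-l/evolution.profile
+++ b/etc/profile-a-l/evolution.profile
@@ -6,15 +6,16 @@ include evolution.local
 # Persistent global definitions
 include globals.local
 
-noblacklist /var/mail
-noblacklist /var/spool/mail
 noblacklist ${HOME}/.bogofilter
+# Uncomment for gpg
+# noblacklist ${HOME}/.gnupg
+noblacklist ${HOME}/.pki
 noblacklist ${HOME}/.cache/evolution
 noblacklist ${HOME}/.config/evolution
-noblacklist ${HOME}/.gnupg
 noblacklist ${HOME}/.local/share/evolution
-noblacklist ${HOME}/.pki
 noblacklist ${HOME}/.local/share/pki
+noblacklist /var/mail
+noblacklist /var/spool/mail
 
 include disable-common.inc
 include disable-devel.inc
@@ -22,13 +23,44 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
 
+mkdir ${HOME}/.bogofilter
+# Uncomment for gpg
+# mkdir ${HOME}/.gnupg
+mkdir ${HOME}/.pki
+mkdir ${HOME}/.cache/evolution
+mkdir ${HOME}/.config/evolution
+mkdir ${HOME}/.local/share/evolution
+mkdir ${HOME}/.local/share/pki
+whitelist ${HOME}/.bogofilter
+# Uncomment for gpg
+# whitelist ${HOME}/.gnupg
+whitelist ${HOME}/.pki
+whitelist ${HOME}/.cache/evolution
+whitelist ${HOME}/.config/evolution
+whitelist ${HOME}/.local/share/evolution
+whitelist ${HOME}/.local/share/pki
+whitelist ${DOWNLOADS}
+# Uncomment for gpg
+# whitelist ${RUNUSER}/gnupg
+whitelist /usr/share/evolution
+# Uncomment for gpg
+# whitelist /usr/share/gnupg
+# whitelist /usr/share/gnupg2
+whitelist /var/mail
+whitelist /var/spool/mail
+include whitelist-common.inc
 include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 netfilter
 # no3d breaks under wayland
-#no3d
+# no3d
 nodvd
 nogroups
 nonewprivs
@@ -40,7 +72,25 @@ novideo
 protocol unix,inet,inet6
 seccomp
 shell none
+tracelog
 
+disable-mnt
+# Add "gpg,gpg2,gpg-agent,pinentry-curses,pinentry-emacs,pinentry-fltk,pinentry-gnome3,pinentry-gtk,pinentry-gtk2,pinentry-gtk-2,pinentry-qt,pinentry-qt4,pinentry-tty,pinentry-x2go,pinentry-kwallet" for gpg
+private-bin evolution
+private-cache
 private-dev
+private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,gtk-2.0,gtk-3.0,groups,hostname,hosts,mailname,passwd,pki,resolv.conf,selinux,ssl,xdg
 private-tmp
+writable-run-user
 writable-var
+
+dbus-user filter
+dbus-user.own org.gnome.Evolution
+dbus-user.talk ca.desrt.dconf
+# Uncomment to have keyring access
+# dbus-user.talk org.freedesktop.secrets
+dbus-user.talk org.freedesktop.Notifications
+dbus-system none
+
+# Comment to use gpg
+read-only ${HOME}/.gnupg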
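Review bot: The D-Bus filter in the last hunk (`dbus-user filter` with a single `dbus-user.own org.gnome.Evolution`) says nothing about evolution-data-server, which Evolution depends on for accounts, calendars and address books and which registers its own well-known names under the `org.gnome.evolution.dataserver` prefix; under the filter those services presumably can neither claim their names inside the sandbox nor be reached outside it, so the hunk needs either an own/talk rule for that prefix or a comment recording that it was tested and found unnecessary. The keyring restriction is at least marked by `# Uncomment to have keyring access`, but that comment should also state that with `org.freedesktop.secrets` blocked, account passwords stored in the keyring are not reachable from the sandbox. Separately, enabling gpg now means editing seven scattered places (the commented `noblacklist`, `mkdir` and `whitelist` lines in the first two hunks, the `private-bin` list, and the trailing `read-only ${HOME}/.gnupg`); a single header comment under `include globals.local` listing every line to flip would make that toggle less error-prone than the repeated `# Uncomment for gpg` markers.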