Merge pull request #3607 from kortewegdevries/wemail

Switch mails to whitelisting
author: netblue30 <netblue30@protonmail.com> 2020-10-25 07:17:01 -0500
committer: GitHub <noreply@github.com> 2020-10-25 07:17:01 -0500
commit: bd1819a8641e0eeae016846b28a41e625bcc215b (patch)
tree: 96bbfeea9759e151a6ee402a63f14874c891ad03 /etc
parent: check that profiles are sorted (diff)
parent: Add note about private-bin (diff)
download: firejail-bd1819a8641e0eeae016846b28a41e625bcc215b.tar.gz
firejail-bd1819a8641e0eeae016846b28a41e625bcc215b.tar.zst
firejail-bd1819a8641e0eeae016846b28a41e625bcc215b.zip
2 files changed, 133 insertions, 8 deletions
diff --git a/etc/profile-a-l/evolution.profile b/etc/profile-a-l/evolution.profile
index 422200ffe..1355c4337 100644
--- a/etc/profile-a-l/evolution.profile
+++ b/etc/profile-a-l/evolution.profile
@@ -6,15 +6,16 @@ include evolution.local
 # Persistent global definitions
 include globals.local
-noblacklist /var/mail
-noblacklist /var/spool/mail
 noblacklist ${HOME}/.bogofilter
+noblacklist ${HOME}/.gnupg
+noblacklist ${HOME}/.mozilla
+noblacklist ${HOME}/.pki
 noblacklist ${HOME}/.cache/evolution
 noblacklist ${HOME}/.config/evolution
-noblacklist ${HOME}/.gnupg
 noblacklist ${HOME}/.local/share/evolution
-noblacklist ${HOME}/.pki
 noblacklist ${HOME}/.local/share/pki
+noblacklist /var/mail
+noblacklist /var/spool/mail
 include disable-common.inc
 include disable-devel.inc
@@ -22,13 +23,42 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+mkdir ${HOME}/.bogofilter
+mkdir ${HOME}/.gnupg
+mkdir ${HOME}/.pki
+mkdir ${HOME}/.cache/evolution
+mkdir ${HOME}/.config/evolution
+mkdir ${HOME}/.local/share/evolution
+mkdir ${HOME}/.local/share/pki
+whitelist ${HOME}/.bogofilter
+whitelist ${HOME}/.gnupg
+whitelist ${HOME}/.mozilla/firefox/profiles.ini
+whitelist ${HOME}/.pki
+whitelist ${HOME}/.cache/evolution
+whitelist ${HOME}/.config/evolution
+whitelist ${HOME}/.local/share/evolution
+whitelist ${HOME}/.local/share/pki
+whitelist ${DOCUMENTS}
+whitelist ${DOWNLOADS}
+whitelist ${RUNUSER}/gnupg
+whitelist /usr/share/evolution
+whitelist /usr/share/gnupg
+whitelist /usr/share/gnupg2
+whitelist /var/mail
+whitelist /var/spool/mail
+include whitelist-common.inc
 include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
 caps.drop all
 netfilter
 # no3d breaks under wayland
-#no3d
+# no3d
 nodvd
 nogroups
 nonewprivs
@@ -40,7 +70,27 @@ novideo
 protocol unix,inet,inet6
 seccomp
 shell none
+tracelog
+# disable-mnt
+# Add "gpg,gpg2,gpg-agent,pinentry-curses,pinentry-emacs,pinentry-fltk,pinentry-gnome3,pinentry-gtk,pinentry-gtk2,pinentry-gtk-2,pinentry-qt,pinentry-qt4,pinentry-tty,pinentry-x2go,pinentry-kwallet" for gpg
+# To use private-bin add all evolution,gpg,pinentry binaries and follow firefox.profile for hyperlink support
+# private-bin evolution
+private-cache
 private-dev
+private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,groups,gtk-2.0,gtk-3.0,hostname,hosts,mailname,passwd,pki,resolv.conf,selinux,ssl,xdg
 private-tmp
+writable-run-user
 writable-var
+dbus-user filter
+dbus-user.own org.gnome.Evolution
+dbus-user.talk ca.desrt.dconf
+# Uncomment to have keyring access
+# dbus-user.talk org.freedesktop.secrets
+dbus-user.talk org.gnome.keyring.SystemPrompter
+dbus-user.talk org.gnome.OnlineAccounts
+dbus-user.talk org.freedesktop.Notifications
+dbus-system none
+read-only ${HOME}/.mozilla/firefox/profiles.ini
diff --git a/etc/profile-a-l/kmail.profile b/etc/profile-a-l/kmail.profile
index ab4ff10b9..43060dd61 100644
--- a/etc/profile-a-l/kmail.profile
+++ b/etc/profile-a-l/kmail.profile
@@ -9,6 +9,10 @@ include globals.local
 # kmail has problems launching akonadi in debian and ubuntu.
 # one solution is to have akonadi already running when kmail is started
+noblacklist ${HOME}/.gnupg
+# noblacklist ${HOME}/.kde/
+# noblacklist ${HOME}/.kde4/
+noblacklist ${HOME}/.mozilla
 noblacklist ${HOME}/.cache/akonadi*
 noblacklist ${HOME}/.cache/kmail2
 noblacklist ${HOME}/.config/akonadi*
@@ -19,7 +23,6 @@ noblacklist ${HOME}/.config/kmail2rc
 noblacklist ${HOME}/.config/kmailsearchindexingrc
 noblacklist ${HOME}/.config/mailtransports
 noblacklist ${HOME}/.config/specialmailcollectionsrc
-noblacklist ${HOME}/.gnupg
 noblacklist ${HOME}/.local/share/akonadi*
 noblacklist ${HOME}/.local/share/apps/korganizer
 noblacklist ${HOME}/.local/share/contacts
@@ -30,6 +33,8 @@ noblacklist ${HOME}/.local/share/kxmlgui5/kmail2
 noblacklist ${HOME}/.local/share/local-mail
 noblacklist ${HOME}/.local/share/notes
 noblacklist /tmp/akonadi-*
+noblacklist /var/mail
+noblacklist /var/spool/mail
 include disable-common.inc
 include disable-devel.inc
@@ -37,10 +42,73 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-xdg.inc
+mkdir ${HOME}/.gnupg
+# mkdir ${HOME}/.kde/
+# mkdir ${HOME}/.kde4/
+mkdir ${HOME}/.cache/akonadi*
+mkdir ${HOME}/.cache/kmail2
+mkdir ${HOME}/.config/akonadi*
+mkdir ${HOME}/.config/baloorc
+mkdir ${HOME}/.config/emaildefaults
+mkdir ${HOME}/.config/emailidentities
+mkdir ${HOME}/.config/kmail2rc
+mkdir ${HOME}/.config/kmailsearchindexingrc
+mkdir ${HOME}/.config/mailtransports
+mkdir ${HOME}/.config/specialmailcollectionsrc
+mkdir ${HOME}/.local/share/akonadi*
+mkdir ${HOME}/.local/share/apps/korganizer
+mkdir ${HOME}/.local/share/contacts
+mkdir ${HOME}/.local/share/emailidentities
+mkdir ${HOME}/.local/share/kmail2
+mkdir ${HOME}/.local/share/kxmlgui5/kmail
+mkdir ${HOME}/.local/share/kxmlgui5/kmail2
+mkdir ${HOME}/.local/share/local-mail
+mkdir ${HOME}/.local/share/notes
+mkdir /tmp/akonadi-*
+whitelist ${HOME}/.gnupg
+# whitelist ${HOME}/.kde/
+# whitelist ${HOME}/.kde4/
+whitelist ${HOME}/.mozilla/firefox/profiles.ini
+whitelist ${HOME}/.cache/akonadi*
+whitelist ${HOME}/.cache/kmail2
+whitelist ${HOME}/.config/akonadi*
+whitelist ${HOME}/.config/baloorc
+whitelist ${HOME}/.config/emaildefaults
+whitelist ${HOME}/.config/emailidentities
+whitelist ${HOME}/.config/kmail2rc
+whitelist ${HOME}/.config/kmailsearchindexingrc
+whitelist ${HOME}/.config/mailtransports
+whitelist ${HOME}/.config/specialmailcollectionsrc
+whitelist ${HOME}/.local/share/akonadi*
+whitelist ${HOME}/.local/share/apps/korganizer
+whitelist ${HOME}/.local/share/contacts
+whitelist ${HOME}/.local/share/emailidentities
+whitelist ${HOME}/.local/share/kmail2
+whitelist ${HOME}/.local/share/kxmlgui5/kmail
+whitelist ${HOME}/.local/share/kxmlgui5/kmail2
+whitelist ${HOME}/.local/share/local-mail
+whitelist ${HOME}/.local/share/notes
+whitelist ${DOWNLOADS}
+whitelist ${DOCUMENTS}
+whitelist ${RUNUSER}/gnupg
+whitelist /tmp/akonadi-*
+whitelist /usr/share/akonadi
+whitelist /usr/share/gnupg
+whitelist /usr/share/gnupg2
+whitelist /usr/share/kconf_update
+whitelist /usr/share/kf5
+whitelist /usr/share/kservices5
+whitelist /usr/share/qlogging-categories5
+whitelist /var/mail
+whitelist /var/spool/mail
+include whitelist-common.inc
+include whitelist-runnuser-common.inc
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
-# apparmor
+apparmor
 caps.drop all
 netfilter
 nodvd
@@ -56,7 +124,14 @@ protocol unix,inet,inet6,netlink
 seccomp !chroot,!io_getevents,!io_setup,!io_submit,!ioprio_set
 # tracelog
+private-cache
 private-dev
+private-etc alternatives,ca-certificates,crypto-policies,dconf,drirc,fonts,gcrypt,groups,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.preload,mailname,nsswitch.conf,passwd,pki,resolv.conf,selinux,ssl,xdg
 # private-tmp - interrupts connection to akonadi, breaks opening of email attachments
-# writable-run-user is needed for signing and encrypting emails
 writable-run-user
+writable-var
+# dbus-user none
+dbus-system none
+read-only ${HOME}/.mozilla/firefox/profiles.ini
+\ No newline at end of file
author	netblue30 <netblue30@protonmail.com>	2020-10-25 07:17:01 -0500
committer	GitHub <noreply@github.com>	2020-10-25 07:17:01 -0500
commit	bd1819a8641e0eeae016846b28a41e625bcc215b (patch)
tree	96bbfeea9759e151a6ee402a63f14874c891ad03 /etc
parent	check that profiles are sorted (diff)
parent	Add note about private-bin (diff)
download	firejail-bd1819a8641e0eeae016846b28a41e625bcc215b.tar.gz firejail-bd1819a8641e0eeae016846b28a41e625bcc215b.tar.zst firejail-bd1819a8641e0eeae016846b28a41e625bcc215b.zip

diff --git a/etc/profile-a-l/evolution.profile b/etc/profile-a-l/evolution.profile index 422200ffe..1355c4337 100644 --- a/etc/profile-a-l/evolution.profile +++ b/etc/profile-a-l/evolution.profile
@@ -6,15 +6,16 @@ include evolution.local
6	# Persistent global definitions	6	# Persistent global definitions
7	include globals.local	7	include globals.local
8		8
9	noblacklist /var/mail
10	noblacklist /var/spool/mail
11	noblacklist ${HOME}/.bogofilter	9	noblacklist ${HOME}/.bogofilter
		10	noblacklist ${HOME}/.gnupg
		11	noblacklist ${HOME}/.mozilla
		12	noblacklist ${HOME}/.pki
12	noblacklist ${HOME}/.cache/evolution	13	noblacklist ${HOME}/.cache/evolution
13	noblacklist ${HOME}/.config/evolution	14	noblacklist ${HOME}/.config/evolution
14	noblacklist ${HOME}/.gnupg
15	noblacklist ${HOME}/.local/share/evolution	15	noblacklist ${HOME}/.local/share/evolution
16	noblacklist ${HOME}/.pki
17	noblacklist ${HOME}/.local/share/pki	16	noblacklist ${HOME}/.local/share/pki
		17	noblacklist /var/mail
		18	noblacklist /var/spool/mail
18		19
19	include disable-common.inc	20	include disable-common.inc
20	include disable-devel.inc	21	include disable-devel.inc
@@ -22,13 +23,42 @@ include disable-exec.inc
22	include disable-interpreters.inc	23	include disable-interpreters.inc
23	include disable-passwdmgr.inc	24	include disable-passwdmgr.inc
24	include disable-programs.inc	25	include disable-programs.inc
		26	include disable-shell.inc
		27	include disable-xdg.inc
25		28
		29	mkdir ${HOME}/.bogofilter
		30	mkdir ${HOME}/.gnupg
		31	mkdir ${HOME}/.pki
		32	mkdir ${HOME}/.cache/evolution
		33	mkdir ${HOME}/.config/evolution
		34	mkdir ${HOME}/.local/share/evolution
		35	mkdir ${HOME}/.local/share/pki
		36	whitelist ${HOME}/.bogofilter
		37	whitelist ${HOME}/.gnupg
		38	whitelist ${HOME}/.mozilla/firefox/profiles.ini
		39	whitelist ${HOME}/.pki
		40	whitelist ${HOME}/.cache/evolution
		41	whitelist ${HOME}/.config/evolution
		42	whitelist ${HOME}/.local/share/evolution
		43	whitelist ${HOME}/.local/share/pki
		44	whitelist ${DOCUMENTS}
		45	whitelist ${DOWNLOADS}
		46	whitelist ${RUNUSER}/gnupg
		47	whitelist /usr/share/evolution
		48	whitelist /usr/share/gnupg
		49	whitelist /usr/share/gnupg2
		50	whitelist /var/mail
		51	whitelist /var/spool/mail
		52	include whitelist-common.inc
26	include whitelist-runuser-common.inc	53	include whitelist-runuser-common.inc
		54	include whitelist-usr-share-common.inc
		55	include whitelist-var-common.inc
27		56
		57	apparmor
28	caps.drop all	58	caps.drop all
29	netfilter	59	netfilter
30	# no3d breaks under wayland	60	# no3d breaks under wayland
31	#no3d	61	# no3d
32	nodvd	62	nodvd
33	nogroups	63	nogroups
34	nonewprivs	64	nonewprivs
@@ -40,7 +70,27 @@ novideo
40	protocol unix,inet,inet6	70	protocol unix,inet,inet6
41	seccomp	71	seccomp
42	shell none	72	shell none
		73	tracelog
43		74
		75	# disable-mnt
		76	# Add "gpg,gpg2,gpg-agent,pinentry-curses,pinentry-emacs,pinentry-fltk,pinentry-gnome3,pinentry-gtk,pinentry-gtk2,pinentry-gtk-2,pinentry-qt,pinentry-qt4,pinentry-tty,pinentry-x2go,pinentry-kwallet" for gpg
		77	# To use private-bin add all evolution,gpg,pinentry binaries and follow firefox.profile for hyperlink support
		78	# private-bin evolution
		79	private-cache
44	private-dev	80	private-dev
		81	private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,groups,gtk-2.0,gtk-3.0,hostname,hosts,mailname,passwd,pki,resolv.conf,selinux,ssl,xdg
45	private-tmp	82	private-tmp
		83	writable-run-user
46	writable-var	84	writable-var
		85
		86	dbus-user filter
		87	dbus-user.own org.gnome.Evolution
		88	dbus-user.talk ca.desrt.dconf
		89	# Uncomment to have keyring access
		90	# dbus-user.talk org.freedesktop.secrets
		91	dbus-user.talk org.gnome.keyring.SystemPrompter
		92	dbus-user.talk org.gnome.OnlineAccounts
		93	dbus-user.talk org.freedesktop.Notifications
		94	dbus-system none
		95
		96	read-only ${HOME}/.mozilla/firefox/profiles.ini


diff --git a/etc/profile-a-l/kmail.profile b/etc/profile-a-l/kmail.profile index ab4ff10b9..43060dd61 100644 --- a/etc/profile-a-l/kmail.profile +++ b/etc/profile-a-l/kmail.profile
@@ -9,6 +9,10 @@ include globals.local
9	# kmail has problems launching akonadi in debian and ubuntu.	9	# kmail has problems launching akonadi in debian and ubuntu.
10	# one solution is to have akonadi already running when kmail is started	10	# one solution is to have akonadi already running when kmail is started
11		11
		12	noblacklist ${HOME}/.gnupg
		13	# noblacklist ${HOME}/.kde/
		14	# noblacklist ${HOME}/.kde4/
		15	noblacklist ${HOME}/.mozilla
12	noblacklist ${HOME}/.cache/akonadi*	16	noblacklist ${HOME}/.cache/akonadi*
13	noblacklist ${HOME}/.cache/kmail2	17	noblacklist ${HOME}/.cache/kmail2
14	noblacklist ${HOME}/.config/akonadi*	18	noblacklist ${HOME}/.config/akonadi*
@@ -19,7 +23,6 @@ noblacklist ${HOME}/.config/kmail2rc
19	noblacklist ${HOME}/.config/kmailsearchindexingrc	23	noblacklist ${HOME}/.config/kmailsearchindexingrc
20	noblacklist ${HOME}/.config/mailtransports	24	noblacklist ${HOME}/.config/mailtransports
21	noblacklist ${HOME}/.config/specialmailcollectionsrc	25	noblacklist ${HOME}/.config/specialmailcollectionsrc
22	noblacklist ${HOME}/.gnupg
23	noblacklist ${HOME}/.local/share/akonadi*	26	noblacklist ${HOME}/.local/share/akonadi*
24	noblacklist ${HOME}/.local/share/apps/korganizer	27	noblacklist ${HOME}/.local/share/apps/korganizer
25	noblacklist ${HOME}/.local/share/contacts	28	noblacklist ${HOME}/.local/share/contacts
@@ -30,6 +33,8 @@ noblacklist ${HOME}/.local/share/kxmlgui5/kmail2
30	noblacklist ${HOME}/.local/share/local-mail	33	noblacklist ${HOME}/.local/share/local-mail
31	noblacklist ${HOME}/.local/share/notes	34	noblacklist ${HOME}/.local/share/notes
32	noblacklist /tmp/akonadi-*	35	noblacklist /tmp/akonadi-*
		36	noblacklist /var/mail
		37	noblacklist /var/spool/mail
33		38
34	include disable-common.inc	39	include disable-common.inc
35	include disable-devel.inc	40	include disable-devel.inc
@@ -37,10 +42,73 @@ include disable-exec.inc
37	include disable-interpreters.inc	42	include disable-interpreters.inc
38	include disable-passwdmgr.inc	43	include disable-passwdmgr.inc
39	include disable-programs.inc	44	include disable-programs.inc
		45	include disable-xdg.inc
40		46
		47	mkdir ${HOME}/.gnupg
		48	# mkdir ${HOME}/.kde/
		49	# mkdir ${HOME}/.kde4/
		50	mkdir ${HOME}/.cache/akonadi*
		51	mkdir ${HOME}/.cache/kmail2
		52	mkdir ${HOME}/.config/akonadi*
		53	mkdir ${HOME}/.config/baloorc
		54	mkdir ${HOME}/.config/emaildefaults
		55	mkdir ${HOME}/.config/emailidentities
		56	mkdir ${HOME}/.config/kmail2rc
		57	mkdir ${HOME}/.config/kmailsearchindexingrc
		58	mkdir ${HOME}/.config/mailtransports
		59	mkdir ${HOME}/.config/specialmailcollectionsrc
		60	mkdir ${HOME}/.local/share/akonadi*
		61	mkdir ${HOME}/.local/share/apps/korganizer
		62	mkdir ${HOME}/.local/share/contacts
		63	mkdir ${HOME}/.local/share/emailidentities
		64	mkdir ${HOME}/.local/share/kmail2
		65	mkdir ${HOME}/.local/share/kxmlgui5/kmail
		66	mkdir ${HOME}/.local/share/kxmlgui5/kmail2
		67	mkdir ${HOME}/.local/share/local-mail
		68	mkdir ${HOME}/.local/share/notes
		69	mkdir /tmp/akonadi-*
		70	whitelist ${HOME}/.gnupg
		71	# whitelist ${HOME}/.kde/
		72	# whitelist ${HOME}/.kde4/
		73	whitelist ${HOME}/.mozilla/firefox/profiles.ini
		74	whitelist ${HOME}/.cache/akonadi*
		75	whitelist ${HOME}/.cache/kmail2
		76	whitelist ${HOME}/.config/akonadi*
		77	whitelist ${HOME}/.config/baloorc
		78	whitelist ${HOME}/.config/emaildefaults
		79	whitelist ${HOME}/.config/emailidentities
		80	whitelist ${HOME}/.config/kmail2rc
		81	whitelist ${HOME}/.config/kmailsearchindexingrc
		82	whitelist ${HOME}/.config/mailtransports
		83	whitelist ${HOME}/.config/specialmailcollectionsrc
		84	whitelist ${HOME}/.local/share/akonadi*
		85	whitelist ${HOME}/.local/share/apps/korganizer
		86	whitelist ${HOME}/.local/share/contacts
		87	whitelist ${HOME}/.local/share/emailidentities
		88	whitelist ${HOME}/.local/share/kmail2
		89	whitelist ${HOME}/.local/share/kxmlgui5/kmail
		90	whitelist ${HOME}/.local/share/kxmlgui5/kmail2
		91	whitelist ${HOME}/.local/share/local-mail
		92	whitelist ${HOME}/.local/share/notes
		93	whitelist ${DOWNLOADS}
		94	whitelist ${DOCUMENTS}
		95	whitelist ${RUNUSER}/gnupg
		96	whitelist /tmp/akonadi-*
		97	whitelist /usr/share/akonadi
		98	whitelist /usr/share/gnupg
		99	whitelist /usr/share/gnupg2
		100	whitelist /usr/share/kconf_update
		101	whitelist /usr/share/kf5
		102	whitelist /usr/share/kservices5
		103	whitelist /usr/share/qlogging-categories5
		104	whitelist /var/mail
		105	whitelist /var/spool/mail
		106	include whitelist-common.inc
		107	include whitelist-runnuser-common.inc
		108	include whitelist-usr-share-common.inc
41	include whitelist-var-common.inc	109	include whitelist-var-common.inc
42		110
43	# apparmor	111	apparmor
44	caps.drop all	112	caps.drop all
45	netfilter	113	netfilter
46	nodvd	114	nodvd
@@ -56,7 +124,14 @@ protocol unix,inet,inet6,netlink
56	seccomp !chroot,!io_getevents,!io_setup,!io_submit,!ioprio_set	124	seccomp !chroot,!io_getevents,!io_setup,!io_submit,!ioprio_set
57	# tracelog	125	# tracelog
58		126
		127	private-cache
59	private-dev	128	private-dev
		129	private-etc alternatives,ca-certificates,crypto-policies,dconf,drirc,fonts,gcrypt,groups,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.preload,mailname,nsswitch.conf,passwd,pki,resolv.conf,selinux,ssl,xdg
60	# private-tmp - interrupts connection to akonadi, breaks opening of email attachments	130	# private-tmp - interrupts connection to akonadi, breaks opening of email attachments
61	# writable-run-user is needed for signing and encrypting emails
62	writable-run-user	131	writable-run-user
		132	writable-var
		133
		134	# dbus-user none
		135	dbus-system none
		136
		137	read-only ${HOME}/.mozilla/firefox/profiles.ini \ No newline at end of file