fix akonadi_control, enable it in firecfg for a better default

2 files changed, 5 insertions, 3 deletions

diff --git a/etc/akonadi_control.profile b/etc/akonadi_control.profile
index fb299a518..0443774dd 100644
--- a/etc/akonadi_control.profile
+++ b/etc/akonadi_control.profile
@@ -22,6 +22,7 @@ include /etc/firejail/whitelist-var-common.inc
 # depending on your setup it might be possible to
 # enable some of the commented options below
 
+# apparmor
 caps.drop all
 ipc-namespace
 no3d
@@ -34,7 +35,7 @@ nosound
 notv
 novideo
 # protocol unix,inet,inet6
-# seccomp.drop @cpu-emulation,@debug,@obsolete,@privileged,@resources,add_key,fanotify_init,io_cancel,io_destroy,kcmp,keyctl,name_to_handle_at,ni_syscall,open_by_handle_at,personality,process_vm_readv,ptrace,remap_file_pages,request_key,syslog,umount,userfaultfd,vmsplice # we need to allow io_getevents, ioprio_set, io_setup, io_submit system calls
+# seccomp.drop @cpu-emulation,@debug,@obsolete,@privileged,@resources,add_key,fanotify_init,io_cancel,io_destroy,kcmp,keyctl,name_to_handle_at,ni_syscall,open_by_handle_at,personality,process_vm_readv,ptrace,remap_file_pages,request_key,syslog,umount,userfaultfd,vmsplice
 tracelog
 
 private-dev
diff --git a/etc/kmail.profile b/etc/kmail.profile
index 1b3255d61..3ee8370cb 100644
--- a/etc/kmail.profile
+++ b/etc/kmail.profile
@@ -5,8 +5,8 @@ include /etc/firejail/kmail.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-# akonadi with mysql backend fails to run inside this sandbox
-# and should be started in advance
+# if akonadi has a mysql backend, starting it inside this sandbox will fail
+# one solution is to have akonadi already running when kmail is launched
 
 noblacklist ${HOME}/.cache/akonadi*
 noblacklist ${HOME}/.config/akonadi*
@@ -24,6 +24,7 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+# apparmor
 caps.drop all
 netfilter
 nodvd