Switch Evolution to whitelisting

author: kortewegdevries <kortewegdevries@protonmail.ch> 2020-08-28 11:37:57 +0000
committer: kortewegdevries <kortewegdevries@protonmail.ch> 2020-08-28 11:37:57 +0000
commit: 6c4f97a3cd80779faedacd1424f66227ef38eba9 (patch)
tree: 5fcefc2095244ddb1ef74a80b55b1aa3e56756a2 /etc
parent: expose pulseaudio in chroot if FIREJAIL_CHROOT_PULSE is set (diff)
download: firejail-6c4f97a3cd80779faedacd1424f66227ef38eba9.tar.gz
firejail-6c4f97a3cd80779faedacd1424f66227ef38eba9.tar.zst
firejail-6c4f97a3cd80779faedacd1424f66227ef38eba9.zip
1 files changed, 55 insertions, 5 deletions
diff --git a/etc/profile-a-l/evolution.profile b/etc/profile-a-l/evolution.profile
index 422200ffe..17476aaec 100644
--- a/etc/profile-a-l/evolution.profile
+++ b/etc/profile-a-l/evolution.profile
@@ -6,15 +6,16 @@ include evolution.local
 # Persistent global definitions
 include globals.local
-noblacklist /var/mail
-noblacklist /var/spool/mail
 noblacklist ${HOME}/.bogofilter
+# Uncomment for gpg
+# noblacklist ${HOME}/.gnupg
+noblacklist ${HOME}/.pki
 noblacklist ${HOME}/.cache/evolution
 noblacklist ${HOME}/.config/evolution
-noblacklist ${HOME}/.gnupg
 noblacklist ${HOME}/.local/share/evolution
-noblacklist ${HOME}/.pki
 noblacklist ${HOME}/.local/share/pki
+noblacklist /var/mail
+noblacklist /var/spool/mail
 include disable-common.inc
 include disable-devel.inc
@@ -22,13 +23,44 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+mkdir ${HOME}/.bogofilter
+# Uncomment for gpg
+# mkdir ${HOME}/.gnupg
+mkdir ${HOME}/.pki
+mkdir ${HOME}/.cache/evolution
+mkdir ${HOME}/.config/evolution
+mkdir ${HOME}/.local/share/evolution
+mkdir ${HOME}/.local/share/pki
+whitelist ${HOME}/.bogofilter
+# Uncomment for gpg
+# whitelist ${HOME}/.gnupg
+whitelist ${HOME}/.pki
+whitelist ${HOME}/.cache/evolution
+whitelist ${HOME}/.config/evolution
+whitelist ${HOME}/.local/share/evolution
+whitelist ${HOME}/.local/share/pki
+whitelist ${DOWNLOADS}
+# Uncomment for gpg
+# whitelist ${RUNUSER}/gnupg
+whitelist /usr/share/evolution
+# Uncomment for gpg
+# whitelist /usr/share/gnupg
+# whitelist /usr/share/gnupg2
+whitelist /var/mail
+whitelist /var/spool/mail
+include whitelist-common.inc
 include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
 caps.drop all
 netfilter
 # no3d breaks under wayland
-#no3d
+# no3d
 nodvd
 nogroups
 nonewprivs
@@ -40,7 +72,25 @@ novideo
 protocol unix,inet,inet6
 seccomp
 shell none
+tracelog
+disable-mnt
+# Add "gpg,gpg2,gpg-agent,pinentry-curses,pinentry-emacs,pinentry-fltk,pinentry-gnome3,pinentry-gtk,pinentry-gtk2,pinentry-gtk-2,pinentry-qt,pinentry-qt4,pinentry-tty,pinentry-x2go,pinentry-kwallet" for gpg
+private-bin evolution
+private-cache
 private-dev
+private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,gtk-2.0,gtk-3.0,groups,hostname,hosts,mailname,passwd,pki,resolv.conf,selinux,ssl,xdg
 private-tmp
+writable-run-user
 writable-var
+dbus-user filter
+dbus-user.own org.gnome.Evolution
+dbus-user.talk ca.desrt.dconf
+# Uncomment to have keyring access
+# dbus-user.talk org.freedesktop.secrets
+dbus-user.talk org.freedesktop.Notifications
+dbus-system none
+# Comment to use gpg
+read-only ${HOME}/.gnupg
author	kortewegdevries <kortewegdevries@protonmail.ch>	2020-08-28 11:37:57 +0000
committer	kortewegdevries <kortewegdevries@protonmail.ch>	2020-08-28 11:37:57 +0000
commit	6c4f97a3cd80779faedacd1424f66227ef38eba9 (patch)
tree	5fcefc2095244ddb1ef74a80b55b1aa3e56756a2 /etc
parent	expose pulseaudio in chroot if FIREJAIL_CHROOT_PULSE is set (diff)
download	firejail-6c4f97a3cd80779faedacd1424f66227ef38eba9.tar.gz firejail-6c4f97a3cd80779faedacd1424f66227ef38eba9.tar.zst firejail-6c4f97a3cd80779faedacd1424f66227ef38eba9.zip

diff --git a/etc/profile-a-l/evolution.profile b/etc/profile-a-l/evolution.profile index 422200ffe..17476aaec 100644 --- a/etc/profile-a-l/evolution.profile +++ b/etc/profile-a-l/evolution.profile
@@ -6,15 +6,16 @@ include evolution.local
6	# Persistent global definitions	6	# Persistent global definitions
7	include globals.local	7	include globals.local
8		8
9	noblacklist /var/mail
10	noblacklist /var/spool/mail
11	noblacklist ${HOME}/.bogofilter	9	noblacklist ${HOME}/.bogofilter
		10	# Uncomment for gpg
		11	# noblacklist ${HOME}/.gnupg
		12	noblacklist ${HOME}/.pki
12	noblacklist ${HOME}/.cache/evolution	13	noblacklist ${HOME}/.cache/evolution
13	noblacklist ${HOME}/.config/evolution	14	noblacklist ${HOME}/.config/evolution
14	noblacklist ${HOME}/.gnupg
15	noblacklist ${HOME}/.local/share/evolution	15	noblacklist ${HOME}/.local/share/evolution
16	noblacklist ${HOME}/.pki
17	noblacklist ${HOME}/.local/share/pki	16	noblacklist ${HOME}/.local/share/pki
		17	noblacklist /var/mail
		18	noblacklist /var/spool/mail
18		19
19	include disable-common.inc	20	include disable-common.inc
20	include disable-devel.inc	21	include disable-devel.inc
@@ -22,13 +23,44 @@ include disable-exec.inc
22	include disable-interpreters.inc	23	include disable-interpreters.inc
23	include disable-passwdmgr.inc	24	include disable-passwdmgr.inc
24	include disable-programs.inc	25	include disable-programs.inc
		26	include disable-shell.inc
		27	include disable-xdg.inc
25		28
		29	mkdir ${HOME}/.bogofilter
		30	# Uncomment for gpg
		31	# mkdir ${HOME}/.gnupg
		32	mkdir ${HOME}/.pki
		33	mkdir ${HOME}/.cache/evolution
		34	mkdir ${HOME}/.config/evolution
		35	mkdir ${HOME}/.local/share/evolution
		36	mkdir ${HOME}/.local/share/pki
		37	whitelist ${HOME}/.bogofilter
		38	# Uncomment for gpg
		39	# whitelist ${HOME}/.gnupg
		40	whitelist ${HOME}/.pki
		41	whitelist ${HOME}/.cache/evolution
		42	whitelist ${HOME}/.config/evolution
		43	whitelist ${HOME}/.local/share/evolution
		44	whitelist ${HOME}/.local/share/pki
		45	whitelist ${DOWNLOADS}
		46	# Uncomment for gpg
		47	# whitelist ${RUNUSER}/gnupg
		48	whitelist /usr/share/evolution
		49	# Uncomment for gpg
		50	# whitelist /usr/share/gnupg
		51	# whitelist /usr/share/gnupg2
		52	whitelist /var/mail
		53	whitelist /var/spool/mail
		54	include whitelist-common.inc
26	include whitelist-runuser-common.inc	55	include whitelist-runuser-common.inc
		56	include whitelist-usr-share-common.inc
		57	include whitelist-var-common.inc
27		58
		59	apparmor
28	caps.drop all	60	caps.drop all
29	netfilter	61	netfilter
30	# no3d breaks under wayland	62	# no3d breaks under wayland
31	#no3d	63	# no3d
32	nodvd	64	nodvd
33	nogroups	65	nogroups
34	nonewprivs	66	nonewprivs
@@ -40,7 +72,25 @@ novideo
40	protocol unix,inet,inet6	72	protocol unix,inet,inet6
41	seccomp	73	seccomp
42	shell none	74	shell none
		75	tracelog
43		76
		77	disable-mnt
		78	# Add "gpg,gpg2,gpg-agent,pinentry-curses,pinentry-emacs,pinentry-fltk,pinentry-gnome3,pinentry-gtk,pinentry-gtk2,pinentry-gtk-2,pinentry-qt,pinentry-qt4,pinentry-tty,pinentry-x2go,pinentry-kwallet" for gpg
		79	private-bin evolution
		80	private-cache
44	private-dev	81	private-dev
		82	private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,gtk-2.0,gtk-3.0,groups,hostname,hosts,mailname,passwd,pki,resolv.conf,selinux,ssl,xdg
45	private-tmp	83	private-tmp
		84	writable-run-user
46	writable-var	85	writable-var
		86
		87	dbus-user filter
		88	dbus-user.own org.gnome.Evolution
		89	dbus-user.talk ca.desrt.dconf
		90	# Uncomment to have keyring access
		91	# dbus-user.talk org.freedesktop.secrets
		92	dbus-user.talk org.freedesktop.Notifications
		93	dbus-system none
		94
		95	# Comment to use gpg
		96	read-only ${HOME}/.gnupg