enable email encryption for thunderbird, kmail

see #1653 #1572

2 files changed, 7 insertions, 5 deletions

diff --git a/etc/kmail.profile b/etc/kmail.profile
index 7aad57987..ca774f4ec 100644
--- a/etc/kmail.profile
+++ b/etc/kmail.profile
@@ -25,6 +25,8 @@ protocol unix,inet,inet6,netlink
 # blacklisting of chroot system calls breaks kmail
 seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
 # tracelog
+# writable-run-user is needed for signing and encrypting emails
+writable-run-user
 
 private-dev
-# private-tmp
+# private-tmp - breaks akonadi and opening of email attachments
diff --git a/etc/thunderbird.profile b/etc/thunderbird.profile
index 226781332..6045d6d17 100644
--- a/etc/thunderbird.profile
+++ b/etc/thunderbird.profile
@@ -21,14 +21,14 @@ whitelist ${HOME}/.cache/thunderbird
 whitelist ${HOME}/.gnupg
 # whitelist ${HOME}/.icedove
 whitelist ${HOME}/.thunderbird
-include /etc/firejail/whitelist-common.inc
-include /etc/firejail/whitelist-var-common.inc
 
 # We need the real /tmp for data exchange when xdg-open handles email attachments on KDE
 ignore private-tmp
-# machine-id breaks pulse audio; it should work fine in setups where sound is not required
-#machine-id
+# machine-id breaks audio in browsers; enable it when sound is not required
+# machine-id
 read-only ${HOME}/.config/mimeapps.list
+# writable-run-user is needed for signing and encrypting emails
+writable-run-user
 
 # allow browsers
 # Redirect