-rw-r--r--etc/akonadi_control.profile12
-rw-r--r--etc/disable-programs.inc3
-rw-r--r--etc/kmail.profile14
-rw-r--r--etc/knotes.profile3
4 files changed, 20 insertions, 12 deletions
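diff --git a/etc/akonadi_control.profile b/etc/akonadi_control.profile
index 0443774dd..296b25b83 100644
--- a/etc/akonadi_control.profile
+++ b/etc/akonadi_control.profile
@@ -7,9 +7,13 @@ include /etc/firejail/globals.local
 noblacklist ${HOME}/.cache/akonadi*
 noblacklist ${HOME}/.config/akonadi*
 noblacklist ${HOME}/.config/baloorc
-noblacklist ${HOME}/.local/share/akonadi/*
+noblacklist ${HOME}/.config/emailidentities
+noblacklist ${HOME}/.config/kmail2rc
+noblacklist ${HOME}/.local/share/akonadi*
 noblacklist ${HOME}/.local/share/contacts
 noblacklist ${HOME}/.local/share/local-mail
+noblacklist ${HOME}/.local/share/notes
+noblacklist /tmp/akonadi-*
 noblacklist /usr/sbin
 
 include /etc/firejail/disable-common.inc
@@ -19,8 +23,8 @@ include /etc/firejail/disable-programs.inc
 
 include /etc/firejail/whitelist-var-common.inc
 
-# depending on your setup it might be possible to
-# enable some of the commented options below
+# the default mysqld-akonadi apparmor profile in debian and ubuntu
+# is not compatible with the commented options below
 
 # apparmor
 caps.drop all
@@ -30,7 +34,7 @@ netfilter
 nodvd
 nogroups
 # nonewprivs
-# noroot
+noroot
 nosound
 notv
 novideo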
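Review bot: The rewritten comment in the second hunk still refers only to "the commented options below", yet the third hunk turns `noroot` on while `# apparmor` and `# nonewprivs` stay commented, so a reader cannot tell which options were actually found incompatible with the Debian/Ubuntu mysqld-akonadi AppArmor profile. I would name them in the comment, for example `# is not compatible with apparmor and nonewprivs; noroot works`, adjusted to whatever was really tested. The option list continues outside the hunks shown, so other commented options may belong in that sentence as well. Stating this explicitly keeps someone from re-enabling `nonewprivs` on a distribution where it breaks the database backend, or from leaving it off where it would work.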
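diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index de88cbc24..96cc9b48c 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -349,7 +349,7 @@ blacklist ${HOME}/.local/share/SuperHexagon
 blacklist ${HOME}/.local/share/TelegramDesktop
 blacklist ${HOME}/.local/share/Terraria
 blacklist ${HOME}/.local/share/TpLogger
-blacklist ${HOME}/.local/share/akonadi/*
+blacklist ${HOME}/.local/share/akonadi*
 blacklist ${HOME}/.local/share/akregator
 blacklist ${HOME}/.local/share/aspyr-media
 blacklist ${HOME}/.local/share/baloo
@@ -495,6 +495,7 @@ blacklist ${HOME}/.xpdfrc
 blacklist ${HOME}/.zoom
 blacklist ${HOME}/Arduino
 blacklist ${HOME}/wallet.dat
+blacklist /tmp/akonadi-*
 blacklist /tmp/ssh-*
 
 # ~/.cache directory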
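Review bot: The new `blacklist /tmp/akonadi-*` in the second hunk is a glob, and as far as I know firejail expands blacklist globs once, while the sandbox is being set up. An akonadi socket directory that appears in /tmp after an unrelated sandbox has started would therefore stay visible to it. The neighbouring `/tmp/ssh-*` rule has the same limitation, so one comment above both lines would cover it, for example `# globs are matched at sandbox start only; profiles that must not see these sockets should use private-tmp`. Without that note the rule reads as a stronger guarantee than it gives.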
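diff --git a/etc/kmail.profile b/etc/kmail.profile
index 952af55c8..e33eae84f 100644
--- a/etc/kmail.profile
+++ b/etc/kmail.profile
@@ -5,20 +5,22 @@ include /etc/firejail/kmail.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-# if akonadi has a mysql backend, starting it inside this sandbox will fail.
-# one solution is to have akonadi already running when kmail is launched
+# kmail has problems launching akonadi in debian and ubuntu.
+# one solution is to have akonadi already running when kmail is started
 
 noblacklist ${HOME}/.cache/akonadi*
 noblacklist ${HOME}/.config/akonadi*
 noblacklist ${HOME}/.config/baloorc
 noblacklist ${HOME}/.config/emailidentities
 noblacklist ${HOME}/.config/kmail2rc
-noblacklist ${HOME}/.local/share/akonadi/*
+noblacklist ${HOME}/.gnupg
+noblacklist ${HOME}/.local/share/akonadi*
 noblacklist ${HOME}/.local/share/contacts
 noblacklist ${HOME}/.local/share/emailidentities
 noblacklist ${HOME}/.local/share/kmail2
 noblacklist ${HOME}/.local/share/local-mail
-noblacklist ${HOME}/.gnupg
+noblacklist ${HOME}/.local/share/notes
+noblacklist /tmp/akonadi-*
 
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
@@ -36,8 +38,8 @@ nosound
 notv
 novideo
 protocol unix,inet,inet6,netlink
-# we need to allow chroot and ioprio_set system calls
-# we need to allow chroot, io_getevents, ioprio_set, io_setup, io_submit system calls
+# we need to allow chroot, io_getevents, ioprio_set, io_setup, io_submit system calls
-seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
 # tracelog
 # writable-run-user is needed for signing and encrypting emails
 writable-run-user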
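Review bot: The new `seccomp.drop` list in the second hunk stops blocking `io_setup`, `io_submit` and `io_getevents` but still blocks `io_cancel` and `io_destroy`, so a process that creates an AIO context in this sandbox trips the filter when it cancels a request or tears the context down. If the akonadi database backend calls `io_destroy` on shutdown, that could surface as a crash at exit rather than at startup; the seccomp entries in the audit log or journal after a clean kmail/akonadi stop would show it. Whichever way it turns out, the comment above the list should record the decision, for example `# io_cancel and io_destroy stay blocked: not observed in testing`. Keeping the two blocked is the tighter choice, but it should be documented as deliberate rather than left looking like an oversight.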
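diff --git a/etc/knotes.profile b/etc/knotes.profile
index 091c3a8e5..85b267f8b 100644
--- a/etc/knotes.profile
+++ b/etc/knotes.profile
@@ -7,7 +7,8 @@ include /etc/firejail/globals.local
 
 noblacklist ${HOME}/.config/akonadi*
 noblacklist ${HOME}/.config/knotesrc
-noblacklist ${HOME}/.local/share/akonadi/*
+noblacklist ${HOME}/.local/share/akonadi*
+noblacklist /tmp/akonadi-*
 
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc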