2 files changed, 159 insertions, 0 deletions
diff --git a/etc/profile-a-l/balsa.profile b/etc/profile-a-l/balsa.profile
new file mode 100644
index 000000000..a401ac592
--- /dev/null
+++ b/etc/profile-a-l/balsa.profile
@@ -0,0 +1,78 @@
+# Firejail profile for balsa
+# Description: GNOME mail client
+# This file is overwritten after every install/update
+# Persistent local customizations
+include balsa.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.balsa
+noblacklist ${HOME}/.gnupg
+noblacklist ${HOME}/.mozilla
+noblacklist ${HOME}/mail
+noblacklist /var/mail
+noblacklist /var/spool/mail
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+mkdir ${HOME}/.balsa
+mkdir ${HOME}/.gnupg
+mkdir ${HOME}/mail
+whitelist ${HOME}/.balsa
+whitelist ${HOME}/.gnupg
+whitelist ${HOME}/.mozilla/firefox/profiles.ini
+whitelist ${HOME}/mail
+whitelist ${RUNUSER}/gnupg
+whitelist /usr/share/balsa
+whitelist /usr/share/gnupg
+whitelist /usr/share/gnupg2
+whitelist /var/mail
+whitelist /var/spool/mail
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+# disable-mnt
+# Add "gpg,gpg2,gpg-agent,pinentry-curses,pinentry-emacs,pinentry-fltk,pinentry-gnome3,pinentry-gtk,pinentry-gtk2,pinentry-gtk-2,pinentry-qt,pinentry-qt4,pinentry-tty,pinentry-x2go,pinentry-kwallet" for gpg 
+# Add "ignore private-bin" for hyperlinks or have a look at the private-bins in firefox.profile and firefox-common.profile.
+private-bin balsa,balsa-ab
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,groups,gtk-2.0,gtk-3.0,hostname,hosts,mailname,passwd,pki,resolv.conf,selinux,ssl,xdg
+private-tmp
+writable-run-user
+writable-var
+dbus-user filter
+dbus-user.own org.desktop.Balsa
+dbus-user.talk ca.desrt.dconf
+dbus-user.talk org.freedesktop.secrets
+dbus-user.talk org.freedesktop.Notifications
+dbus-system none
+read-only ${HOME}/.mozilla/firefox/profiles.ini
diff --git a/etc/profile-a-l/kube.profile b/etc/profile-a-l/kube.profile
new file mode 100644
index 000000000..cf3a69fd7
--- /dev/null
+++ b/etc/profile-a-l/kube.profile
@@ -0,0 +1,81 @@
+# Firejail profile for kube
+# Description: Qt mail client
+# This file is overwritten after every install/update
+# Persistent local customizations
+include kube.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.gnupg
+noblacklist ${HOME}/.mozilla
+noblacklist ${HOME}/.cache/kube
+noblacklist ${HOME}/.config/kube
+noblacklist ${HOME}/.config/sink
+noblacklist ${HOME}/.local/share/kube
+noblacklist ${HOME}/.local/share/sink
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+mkdir ${HOME}/.gnupg
+mkdir ${HOME}/.cache/kube
+mkdir ${HOME}/.config/kube
+mkdir ${HOME}/.config/sink
+mkdir ${HOME}/.local/share/kube
+mkdir ${HOME}/.local/share/sink
+whitelist ${HOME}/.gnupg
+whitelist ${HOME}/.mozilla/firefox/profiles.ini
+whitelist ${HOME}/.cache/kube
+whitelist ${HOME}/.config/kube
+whitelist ${HOME}/.config/sink
+whitelist ${HOME}/.local/share/kube
+whitelist ${HOME}/.local/share/sink
+whitelist ${RUNUSER}/gnupg
+whitelist /usr/share/kube
+whitelist /usr/share/gnupg
+whitelist /usr/share/gnupg2
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+# disable-mnt
+# Add "gpg,gpg2,gpg-agent,pinentry-curses,pinentry-emacs,pinentry-fltk,pinentry-gnome3,pinentry-gtk,pinentry-gtk2,pinentry-gtk-2,pinentry-qt,pinentry-qt4,pinentry-tty,pinentry-x2go,pinentry-kwallet" for gpg 
+# Add "ignore private-bin" for hyperlinks or have a look at the private-bins in firefox.profile and firefox-common.profile.
+private-bin kube,sink_synchronizer
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,fonts,gcrypt,gtk-2.0,gtk-3.0,hostname,hosts,pki,resolv.conf,selinux,ssl,xdg
+private-tmp
+writable-run-user
+dbus-user filter
+dbus-user.talk ca.desrt.dconf
+dbus-user.talk org.freedesktop.secrets
+dbus-user.talk org.freedesktop.Notifications
+dbus-system none
+read-only ${HOME}/.mozilla/firefox/profiles.ini

diff --git a/etc/profile-a-l/balsa.profile b/etc/profile-a-l/balsa.profile new file mode 100644 index 000000000..a401ac592 --- /dev/null +++ b/etc/profile-a-l/balsa.profile
@@ -0,0 +1,78 @@
	1	# Firejail profile for balsa
	2	# Description: GNOME mail client
	3	# This file is overwritten after every install/update
	4	# Persistent local customizations
	5	include balsa.local
	6	# Persistent global definitions
	7	include globals.local
	8
	9	noblacklist ${HOME}/.balsa
	10	noblacklist ${HOME}/.gnupg
	11	noblacklist ${HOME}/.mozilla
	12	noblacklist ${HOME}/mail
	13	noblacklist /var/mail
	14	noblacklist /var/spool/mail
	15
	16	include disable-common.inc
	17	include disable-devel.inc
	18	include disable-exec.inc
	19	include disable-interpreters.inc
	20	include disable-passwdmgr.inc
	21	include disable-programs.inc
	22	include disable-shell.inc
	23	include disable-xdg.inc
	24
	25	mkdir ${HOME}/.balsa
	26	mkdir ${HOME}/.gnupg
	27	mkdir ${HOME}/mail
	28	whitelist ${HOME}/.balsa
	29	whitelist ${HOME}/.gnupg
	30	whitelist ${HOME}/.mozilla/firefox/profiles.ini
	31	whitelist ${HOME}/mail
	32	whitelist ${RUNUSER}/gnupg
	33	whitelist /usr/share/balsa
	34	whitelist /usr/share/gnupg
	35	whitelist /usr/share/gnupg2
	36	whitelist /var/mail
	37	whitelist /var/spool/mail
	38	include whitelist-common.inc
	39	include whitelist-runuser-common.inc
	40	include whitelist-usr-share-common.inc
	41	include whitelist-var-common.inc
	42
	43	apparmor
	44	caps.drop all
	45	netfilter
	46	no3d
	47	nodvd
	48	nogroups
	49	nonewprivs
	50	noroot
	51	nosound
	52	notv
	53	nou2f
	54	novideo
	55	protocol unix,inet,inet6
	56	seccomp
	57	shell none
	58	tracelog
	59
	60	# disable-mnt
	61	# Add "gpg,gpg2,gpg-agent,pinentry-curses,pinentry-emacs,pinentry-fltk,pinentry-gnome3,pinentry-gtk,pinentry-gtk2,pinentry-gtk-2,pinentry-qt,pinentry-qt4,pinentry-tty,pinentry-x2go,pinentry-kwallet" for gpg
	62	# Add "ignore private-bin" for hyperlinks or have a look at the private-bins in firefox.profile and firefox-common.profile.
	63	private-bin balsa,balsa-ab
	64	private-cache
	65	private-dev
	66	private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,groups,gtk-2.0,gtk-3.0,hostname,hosts,mailname,passwd,pki,resolv.conf,selinux,ssl,xdg
	67	private-tmp
	68	writable-run-user
	69	writable-var
	70
	71	dbus-user filter
	72	dbus-user.own org.desktop.Balsa
	73	dbus-user.talk ca.desrt.dconf
	74	dbus-user.talk org.freedesktop.secrets
	75	dbus-user.talk org.freedesktop.Notifications
	76	dbus-system none
	77
	78	read-only ${HOME}/.mozilla/firefox/profiles.ini


diff --git a/etc/profile-a-l/kube.profile b/etc/profile-a-l/kube.profile new file mode 100644 index 000000000..cf3a69fd7 --- /dev/null +++ b/etc/profile-a-l/kube.profile
@@ -0,0 +1,81 @@
	1	# Firejail profile for kube
	2	# Description: Qt mail client
	3	# This file is overwritten after every install/update
	4	# Persistent local customizations
	5	include kube.local
	6	# Persistent global definitions
	7	include globals.local
	8
	9	noblacklist ${HOME}/.gnupg
	10	noblacklist ${HOME}/.mozilla
	11	noblacklist ${HOME}/.cache/kube
	12	noblacklist ${HOME}/.config/kube
	13	noblacklist ${HOME}/.config/sink
	14	noblacklist ${HOME}/.local/share/kube
	15	noblacklist ${HOME}/.local/share/sink
	16
	17	include disable-common.inc
	18	include disable-devel.inc
	19	include disable-exec.inc
	20	include disable-interpreters.inc
	21	include disable-passwdmgr.inc
	22	include disable-programs.inc
	23	include disable-shell.inc
	24	include disable-xdg.inc
	25
	26	mkdir ${HOME}/.gnupg
	27	mkdir ${HOME}/.cache/kube
	28	mkdir ${HOME}/.config/kube
	29	mkdir ${HOME}/.config/sink
	30	mkdir ${HOME}/.local/share/kube
	31	mkdir ${HOME}/.local/share/sink
	32	whitelist ${HOME}/.gnupg
	33	whitelist ${HOME}/.mozilla/firefox/profiles.ini
	34	whitelist ${HOME}/.cache/kube
	35	whitelist ${HOME}/.config/kube
	36	whitelist ${HOME}/.config/sink
	37	whitelist ${HOME}/.local/share/kube
	38	whitelist ${HOME}/.local/share/sink
	39	whitelist ${RUNUSER}/gnupg
	40	whitelist /usr/share/kube
	41	whitelist /usr/share/gnupg
	42	whitelist /usr/share/gnupg2
	43	include whitelist-common.inc
	44	include whitelist-runuser-common.inc
	45	include whitelist-usr-share-common.inc
	46	include whitelist-var-common.inc
	47
	48	apparmor
	49	caps.drop all
	50	netfilter
	51	no3d
	52	nodvd
	53	nogroups
	54	nonewprivs
	55	noroot
	56	nosound
	57	notv
	58	nou2f
	59	novideo
	60	protocol unix,inet,inet6
	61	seccomp
	62	shell none
	63	tracelog
	64
	65	# disable-mnt
	66	# Add "gpg,gpg2,gpg-agent,pinentry-curses,pinentry-emacs,pinentry-fltk,pinentry-gnome3,pinentry-gtk,pinentry-gtk2,pinentry-gtk-2,pinentry-qt,pinentry-qt4,pinentry-tty,pinentry-x2go,pinentry-kwallet" for gpg
	67	# Add "ignore private-bin" for hyperlinks or have a look at the private-bins in firefox.profile and firefox-common.profile.
	68	private-bin kube,sink_synchronizer
	69	private-cache
	70	private-dev
	71	private-etc alternatives,ca-certificates,crypto-policies,fonts,gcrypt,gtk-2.0,gtk-3.0,hostname,hosts,pki,resolv.conf,selinux,ssl,xdg
	72	private-tmp
	73	writable-run-user
	74
	75	dbus-user filter
	76	dbus-user.talk ca.desrt.dconf
	77	dbus-user.talk org.freedesktop.secrets
	78	dbus-user.talk org.freedesktop.Notifications
	79	dbus-system none
	80
	81	read-only ${HOME}/.mozilla/firefox/profiles.ini