Diffstat (limited to 'etc')
-rw-r--r-- | etc/akonadi_control.profile | 12 | ||||
-rw-r--r-- | etc/disable-programs.inc | 3 | ||||
-rw-r--r-- | etc/kmail.profile | 14 | ||||
-rw-r--r-- | etc/knotes.profile | 3 |
4 files changed, 20 insertions, 12 deletions
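--- a/etc/akonadi_control.profile
+++ b/etc/akonadi_control.profile
@@ -7,9 +7,13 @@ include /etc/firejail/globals.local
 noblacklist ${HOME}/.cache/akonadi*
 noblacklist ${HOME}/.config/akonadi*
 noblacklist ${HOME}/.config/baloorc
-noblacklist ${HOME}/.local/share/akonadi/*
+noblacklist ${HOME}/.config/emailidentities
+noblacklist ${HOME}/.config/kmail2rc
+noblacklist ${HOME}/.local/share/akonadi*
 noblacklist ${HOME}/.local/share/contacts
 noblacklist ${HOME}/.local/share/local-mail
+noblacklist ${HOME}/.local/share/notes
+noblacklist /tmp/akonadi-*
 noblacklist /usr/sbin
 
 include /etc/firejail/disable-common.inc
@@ -19,8 +23,8 @@ include /etc/firejail/disable-programs.inc
 
 include /etc/firejail/whitelist-var-common.inc
 
-# depending on your setup it might be possible to
-# enable some of the commented options below
+# the default mysqld-akonadi apparmor profile in debian and ubuntu
+# is not compatible with the commented options below
 
 # apparmor
 caps.drop all
@@ -30,7 +34,7 @@ netfilter
 nodvd
 nogroups
 # nonewprivs
-# noroot
+noroot
 nosound
 notv
 novideo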
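Review bot: The added `noblacklist ${HOME}/.config/emailidentities` and `noblacklist ${HOME}/.config/kmail2rc` lines in the first hunk give the akonadi_control sandbox access to kmail's own identity and client configuration, and nothing in the profile says why the control process needs them; presumably an akonadi agent reads them, but that should be stated. A one-line comment above the pair such as `# kmail identities/config are read by akonadi agents (confirm which one)` would let the next maintainer judge whether the exposure is still required. The rewritten comment in the second hunk, `# is not compatible with the commented options below`, should also name the options it means (`apparmor`, `nonewprivs`) now that `noroot` in the third hunk is enabled and no longer one of them.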
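--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -349,7 +349,7 @@ blacklist ${HOME}/.local/share/SuperHexagon
 blacklist ${HOME}/.local/share/TelegramDesktop
 blacklist ${HOME}/.local/share/Terraria
 blacklist ${HOME}/.local/share/TpLogger
-blacklist ${HOME}/.local/share/akonadi/*
+blacklist ${HOME}/.local/share/akonadi*
 blacklist ${HOME}/.local/share/akregator
 blacklist ${HOME}/.local/share/aspyr-media
 blacklist ${HOME}/.local/share/baloo
@@ -495,6 +495,7 @@ blacklist ${HOME}/.xpdfrc
 blacklist ${HOME}/.zoom
 blacklist ${HOME}/Arduino
 blacklist ${HOME}/wallet.dat
+blacklist /tmp/akonadi-*
 blacklist /tmp/ssh-*
 
 # ~/.cache directory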
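Review bot: Changing the pattern from `${HOME}/.local/share/akonadi/*` to `${HOME}/.local/share/akonadi*` in the first hunk now blacklists the `akonadi` directory itself plus any sibling entry whose name starts with `akonadi`, so a `noblacklist` written in the old `akonadi/*` form no longer lifts it. The three profiles touched by this commit are updated to the new form, but any other profile that still carries `noblacklist ${HOME}/.local/share/akonadi/*` would lose access to that directory after this change; the remaining profiles should be checked for the old pattern before merging. The added `blacklist /tmp/akonadi-*` in the second hunk is paired with matching `noblacklist` lines in the same commit, which is consistent.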
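--- a/etc/kmail.profile
+++ b/etc/kmail.profile
@@ -5,20 +5,22 @@ include /etc/firejail/kmail.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-# if akonadi has a mysql backend, starting it inside this sandbox will fail.
-# one solution is to have akonadi already running when kmail is launched
+# kmail has problems launching akonadi in debian and ubuntu.
+# one solution is to have akonadi already running when kmail is started
 
 noblacklist ${HOME}/.cache/akonadi*
 noblacklist ${HOME}/.config/akonadi*
 noblacklist ${HOME}/.config/baloorc
 noblacklist ${HOME}/.config/emailidentities
 noblacklist ${HOME}/.config/kmail2rc
-noblacklist ${HOME}/.local/share/akonadi/*
+noblacklist ${HOME}/.gnupg
+noblacklist ${HOME}/.local/share/akonadi*
 noblacklist ${HOME}/.local/share/contacts
 noblacklist ${HOME}/.local/share/emailidentities
 noblacklist ${HOME}/.local/share/kmail2
 noblacklist ${HOME}/.local/share/local-mail
-noblacklist ${HOME}/.gnupg
+noblacklist ${HOME}/.local/share/notes
+noblacklist /tmp/akonadi-*
 
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
@@ -36,8 +38,8 @@ nosound
 notv
 novideo
 protocol unix,inet,inet6,netlink
-# we need to allow chroot and ioprio_set system calls
-seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+# we need to allow chroot, io_getevents, ioprio_set, io_setup, io_submit system calls
+seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
 # tracelog
 # writable-run-user is needed for signing and encrypting emails
 writable-run-user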
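Review bot: The rewritten comment in the first hunk, `# kmail has problems launching akonadi in debian and ubuntu.`, is vaguer than the line it replaces, which named the mysql backend as the cause; keeping the cause lets the workaround be retired when it no longer applies, e.g. `# on debian/ubuntu akonadi's mysql backend cannot be started from inside this sandbox.` The second hunk removes `io_getevents`, `io_setup` and `io_submit` from `seccomp.drop`, which widens the syscall filter for the whole sandbox, and the updated comment lists the calls but not what needs them; a short note naming the component that issues them (presumably the database backend — confirm) would document why the relaxation is justified. `noblacklist ${HOME}/.gnupg` only moves within the list, so that line is unchanged in effect.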
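--- a/etc/knotes.profile
+++ b/etc/knotes.profile
@@ -7,7 +7,8 @@ include /etc/firejail/globals.local
 
 noblacklist ${HOME}/.config/akonadi*
 noblacklist ${HOME}/.config/knotesrc
-noblacklist ${HOME}/.local/share/akonadi/*
+noblacklist ${HOME}/.local/share/akonadi*
+noblacklist /tmp/akonadi-*
 
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc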