| Commit message (Collapse) | Author | Age |
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
the usr.sbin.mysqld-akonadi apparmor profile, enforced by default in ubuntu and
debian testing (and probably opensuse), doesn't play well with a number of firejail options.
the reason for this is that once the no_new_privs bit is set, apparmor profile
transitions are forbidden.
enforcing our own apparmor policy instead is also no solution, because
these programs don't even start without d-bus.
relaxing the kmail profile was necessary so that kmail can fire up akonadi itself,
just in case akonadi has not been started earlier already by another program.
this is always an issue when kmail is the only installed akonadi client, but
there may be more circumstances. for reasons outlined above this doesn't help
debian and ubuntu (opensuse?) users though :-/
a brief summary of the seccomp exceptions: chroot is needed for qt webengine,
io_prioset for the akonadi indexing agent, io_getevents, io_submit, io_setup
are needed for mysqld. when akonadi has an sqlite3 backend, less exceptions
to the seccomp filter are necessary, but mysqld is the default.
in the future all kontact suite profiles (itm only kmail, knotes) should
probably be redirections to akonadi_control, but the issues with apparmor
make this somewhat impractical for now (options like 'protocol' couldn't go to
akonadi_control.local any more, if current kmail redirected to there).
|
| |
|
|\ |
|
| | |
|
|/
|
|
|
| |
as it is now, there is no support for a full akonadi session inside
the knotes sandbox, but knotes can connect to akonadi and should work fine
|
| |
|
| |
|
|\ |
|
| | |
|
|/ |
|
| |
|
| |
|
| |
|
| |
|
|
|
|
| |
further to 8aec7694cb4c7c0d07b333b689ab19faacb519f9
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
|\
| |
| | |
tor flavours
|
| | |
|
|/ |
|
|\
| |
| | |
Blacklist the monero wallets directory
|
| |
| |
| | |
~/Monero/wallets is the default path suggested by the official wallet application, but it can be changed by user.
|
|/ |
|
|
|
|
|
| |
Latest versions of TelegramDesktop supports both old (~/.TelegramDesktop) and
new (~/.local/share/TelegramDesktop) location of sensitive data files.
|
| |
|
| |
|
| |
|
|
|
|
|
| |
configuration files should be available to all Qt apps.
qt5ct is used e.g. by Manjaro for their theming.
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
|
|
|
| |
an alternative to PDFSam
|
|
|
|
|
|
| |
such as AOSP, LineageOS/CyanogenMod, etc.
Use like: firejail --profile=/etc/firejail/aosp.profile /bin/bash
|
|
|
|
|
|
|
| |
* okular needs kdeinit4 for open file dialog since recently
* memory-deny-write-execute should be a safe addition for
desktop use of dnscrypt and unbound
* cleanup works
|