From a8a8e33bc17263db763cd7bd803314f8d5dbd2c5 Mon Sep 17 00:00:00 2001
From: bbhtt <62639087+bbhtt@users.noreply.github.com>
Date: Mon, 28 Dec 2020 13:10:15 +0000
Subject: Add whitelisting to mutt; improve geary, new profile for neomutt
---
 etc/inc/disable-programs.inc | 2 +
 etc/profile-a-l/geary.profile | 61 +++++++++++++----
 etc/profile-m-z/mutt.profile | 75 ++++++++++++++++++++-
 etc/profile-m-z/neomutt.profile | 143 ++++++++++++++++++++++++++++++++++++++++
 4 files changed, 268 insertions(+), 13 deletions(-)
 create mode 100644 etc/profile-m-z/neomutt.profile
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc
index 07fefec8c..60b586ae2 100644
--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -316,11 +316,13 @@ blacklist ${HOME}/.config/mpd
 blacklist ${HOME}/.config/mps-youtube
 blacklist ${HOME}/.config/mpv
 blacklist ${HOME}/.config/mupen64plus
+blacklist ${HOME}/.config/mutt
 blacklist ${HOME}/.config/mutter
 blacklist ${HOME}/.config/mypaint
 blacklist ${HOME}/.config/nano
 blacklist ${HOME}/.config/nautilus
 blacklist ${HOME}/.config/nemo
+blacklist ${HOME}/.config/neomutt
 blacklist ${HOME}/.config/netsurf
 blacklist ${HOME}/.config/newsbeuter
 blacklist ${HOME}/.config/newsflash
diff --git a/etc/profile-a-l/geary.profile b/etc/profile-a-l/geary.profile
index f4e5a392f..3f96d8b25 100644
--- a/etc/profile-a-l/geary.profile
+++ b/etc/profile-a-l/geary.profile
@@ -4,19 +4,21 @@
 # Persistent local customizations
 include geary.local
 # Persistent global definitions
-# added by included profile
-#include globals.local
-
-# Users have Geary set to open a browser by clicking a link in an email
-
-# We are not allowed to blacklist browser-specific directories
-
-ignore dbus-user filter
-ignore dbus-system none
-ignore private-tmp
+include globals.local
 noblacklist ${HOME}/.cache/geary
 noblacklist ${HOME}/.config/geary
 noblacklist ${HOME}/.local/share/geary
+noblacklist ${HOME}/.mozilla
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
 mkdir ${HOME}/.cache/geary
 mkdir ${HOME}/.config/geary
@@ -24,8 +26,43 @@ mkdir ${HOME}/.local/share/geary
 whitelist ${HOME}/.cache/geary
 whitelist ${HOME}/.config/geary
 whitelist ${HOME}/.local/share/geary
+whitelist ${HOME}/.mozilla/firefox/profiles.ini
+whitelist ${DOWNLOADS}
 whitelist /usr/share/geary
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+# disable-mnt
+# Add ignore private-bin to geary.local for hyperlink support
+private-bin geary
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,fonts,hostname,hosts,pki,resolv.conf,selinux,ssl,xdg
+private-tmp
+
+dbus-user filter
+dbus-user.own org.gnome.Geary
+dbus-user.talk ca.desrt.dconf
+dbus-user.talk org.freedesktop.secrets
+dbus-system none
-# allow Mozilla browsers
-# Redirect
-include firefox.profile
+read-only ${HOME}/.mozilla/firefox/profiles.ini
diff --git a/etc/profile-m-z/mutt.profile b/etc/profile-m-z/mutt.profile
index 1ce12f54f..87e7c7f06 100644
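Review bot: The `dbus-user.talk` lines at the end of the second hunk hand Geary the whole `org.freedesktop.secrets` service (every keyring item, not only its own) and `ca.desrt.dconf`, with no comment on why each is needed; a one-line reason per bus name, e.g. `# org.freedesktop.secrets: account passwords stored in the keyring`, lets the next reviewer judge whether a grant can be narrowed. The `# Add ignore private-bin to geary.local for hyperlink support` comment may also understate what a link needs: with `dbus-user filter` active, a portal `OpenURI` request would be blocked too, so if Geary opens links through the desktop portal the comment should additionally name `dbus-user.talk org.freedesktop.portal.Desktop` as an override to consider — I have not verified Geary's link-opening path.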
--- a/etc/profile-m-z/mutt.profile
+++ b/etc/profile-m-z/mutt.profile
@@ -1,5 +1,6 @@
 # Firejail profile for mutt
 # Description: Text-based mailreader supporting MIME, GPG, PGP and threading
+quiet
 # This file is overwritten after every install/update
 # Persistent local customizations
 include mutt.local
@@ -10,13 +11,14 @@ noblacklist /var/mail
 noblacklist /var/spool/mail
 noblacklist ${HOME}/.Mail
 noblacklist ${HOME}/.bogofilter
-noblacklist ${HOME}/.cache/mutt
+noblacklist ${HOME}/.config/mutt
 noblacklist ${HOME}/.config/nano
 noblacklist ${HOME}/.elinks
 noblacklist ${HOME}/.emacs
 noblacklist ${HOME}/.emacs.d
 noblacklist ${HOME}/.gnupg
 noblacklist ${HOME}/.mail
+noblacklist ${HOME}/.mailcap
 noblacklist ${HOME}/.msmtprc
 noblacklist ${HOME}/.mutt
 noblacklist ${HOME}/.muttrc
@@ -34,14 +36,77 @@ noblacklist ${HOME}/sent
 blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}/wayland-*
+include allow-perl.inc
+include allow-python.inc
+
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-xdg.inc
+mkfile ${HOME}/.elinks
+mkfile ${HOME}/.emacs
+mkfile ${HOME}/.mailcap
+mkfile ${HOME}/.msmtprc
+mkfile ${HOME}/.muttrc
+mkfile ${HOME}/.nanorc
+mkfile ${HOME}/.signature
+mkfile ${HOME}/.vimrc
+mkfile ${HOME}/.viminfo
+mkfile ${HOME}/.vimrc
+mkfile ${HOME}/.w3m
+mkdir ${HOME}/.Mail
+mkdir ${HOME}/.bogofilter
+mkdir ${HOME}/.config/mutt
+mkdir ${HOME}/.config/nano
+mkdir ${HOME}/.emacs.d
+mkdir ${HOME}/.gnupg
+mkdir ${HOME}/.mail
+mkdir ${HOME}/.mutt
+mkdir ${HOME}/.vim
+mkdir ${HOME}/Mail
+mkdir ${HOME}/mail
+mkdir ${HOME}/postponed
+mkdir ${HOME}/sent
+whitelist ${HOME}/.Mail
+whitelist ${HOME}/.bogofilter
+whitelist ${HOME}/.config/mutt
+whitelist ${HOME}/.config/nano
+whitelist ${HOME}/.elinks
+whitelist ${HOME}/.emacs
+whitelist ${HOME}/.emacs.d
+whitelist ${HOME}/.gnupg
+whitelist ${HOME}/.mail
+whitelist ${HOME}/.mailcap
+whitelist ${HOME}/.msmtprc
+whitelist ${HOME}/.mutt
+whitelist ${HOME}/.muttrc
+whitelist ${HOME}/.nanorc
+whitelist ${HOME}/.signature
+whitelist ${HOME}/.vim
+whitelist ${HOME}/.viminfo
+whitelist ${HOME}/.vimrc
+whitelist ${HOME}/.w3m
+whitelist ${HOME}/Mail
+whitelist ${HOME}/mail
+whitelist ${HOME}/postponed
+whitelist ${HOME}/sent
+whitelist ${DOCUMENTS}
+whitelist ${DOWNLOADS}
+whitelist /usr/share/gnupg
+whitelist /usr/share/gnupg2
+whitelist /usr/share/mutt
+whitelist /var/mail
+whitelist /var/spool/mail
+include whitelist-common.inc
 include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
 caps.drop all
 netfilter
 no3d
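Review bot: `mkfile ${HOME}/.vimrc` appears twice in the new mkfile group (before and after `mkfile ${HOME}/.viminfo`); the second copy should be dropped. In the same group, `.elinks` and `.w3m` are created with `mkfile`, yet as far as I know both elinks and w3m keep a configuration *directory* at that path, so on a machine where it does not exist yet the profile creates and whitelists an empty regular file and the browser can never create its directory afterwards — `mkdir ${HOME}/.elinks` and `mkdir ${HOME}/.w3m` if that is correct, please confirm against the two programs. The new neomutt.profile in this commit carries the same duplicate `.vimrc` line and the same two mkfile entries.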
@@ -56,7 +121,15 @@ novideo
 protocol unix,inet,inet6
 seccomp
 shell none
+tracelog
+# disable-mnt
+private-cache
 private-dev
+private-etc alternatives,ca-certificates,crypto-policies,fonts,gai.conf,gcrypt,gnupg,gnutls,hostname,hosts,hosts.conf,mail,mailname,Mutt,Muttrc,Muttrc.d,nntpserver,nsswitch.conf,passwd,pki,resolv.conf,ssl,terminfo,xdg
+private-tmp
 writable-run-user
 writable-var
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/neomutt.profile b/etc/profile-m-z/neomutt.profile
new file mode 100644
index 000000000..d71dc618b
--- /dev/null
+++ b/etc/profile-m-z/neomutt.profile
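Review bot: `hosts.conf` in the new `private-etc` list looks like a misspelling of `host.conf` — the glibc resolver reads /etc/host.conf, and since firejail silently skips entries that do not exist, the file is simply absent inside the sandbox rather than producing an error; the same entry is in the new neomutt.profile. Separately, `private-cache` puts a tmpfs over ~/.cache while the earlier hunk in this file drops `noblacklist ${HOME}/.cache/mutt`, so a `header_cache` configured under ~/.cache/mutt is rebuilt on every start; a comment next to `private-cache` such as `# a header_cache under ~/.cache is discarded each session; keep it under ~/.mutt or add "ignore private-cache" to mutt.local` would spare users the surprise.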
@@ -0,0 +1,143 @@
+# Firejail profile for neomutt
+# Description: Mutt fork with advanced features and better documentation
+quiet
+# This file is overwritten after every install/update
+# Persistent local customizations
+include neomutt.local
+# Persistent global definitions
+include globals.local
+
+noblacklist /var/mail
+noblacklist /var/spool/mail
+noblacklist ${HOME}/.Mail
+noblacklist ${HOME}/.bogofilter
+noblacklist ${HOME}/.config/mutt
+noblacklist ${HOME}/.config/nano
+noblacklist ${HOME}/.config/neomutt
+noblacklist ${HOME}/.elinks
+noblacklist ${HOME}/.emacs
+noblacklist ${HOME}/.emacs.d
+noblacklist ${HOME}/.gnupg
+noblacklist ${HOME}/.mail
+noblacklist ${HOME}/.mailcap
+noblacklist ${HOME}/.msmtprc
+noblacklist ${HOME}/.mutt
+noblacklist ${HOME}/.muttrc
+noblacklist ${HOME}/.nanorc
+noblacklist ${HOME}/.neomutt
+noblacklist ${HOME}/.neomuttrc
+noblacklist ${HOME}/.signature
+noblacklist ${HOME}/.vim
+noblacklist ${HOME}/.viminfo
+noblacklist ${HOME}/.vimrc
+noblacklist ${HOME}/.w3m
+noblacklist ${HOME}/Mail
+noblacklist ${HOME}/mail
+noblacklist ${HOME}/postponed
+noblacklist ${HOME}/sent
+
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+
+include allow-lua.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkfile ${HOME}/.elinks
+mkfile ${HOME}/.emacs
+mkfile ${HOME}/.mailcap
+mkfile ${HOME}/.msmtprc
+mkfile ${HOME}/.muttrc
+mkfile ${HOME}/.nanorc
+mkfile ${HOME}/.neomuttrc
+mkfile ${HOME}/.signature
+mkfile ${HOME}/.vimrc
+mkfile ${HOME}/.viminfo
+mkfile ${HOME}/.vimrc
+mkfile ${HOME}/.w3m
+mkdir ${HOME}/.Mail
+mkdir ${HOME}/.bogofilter
+mkdir ${HOME}/.config/mutt
+mkdir ${HOME}/.config/nano
+mkdir ${HOME}/.config/neomutt
+mkdir ${HOME}/.emacs.d
+mkdir ${HOME}/.gnupg
+mkdir ${HOME}/.mail
+mkdir ${HOME}/.mutt
+mkdir ${HOME}/.neomutt
+mkdir ${HOME}/.vim
+mkdir ${HOME}/Mail
+mkdir ${HOME}/mail
+mkdir ${HOME}/postponed
+mkdir ${HOME}/sent
+whitelist ${HOME}/.Mail
+whitelist ${HOME}/.bogofilter
+whitelist ${HOME}/.config/mutt
+whitelist ${HOME}/.config/nano
+whitelist ${HOME}/.config/neomutt
+whitelist ${HOME}/.elinks
+whitelist ${HOME}/.emacs
+whitelist ${HOME}/.emacs.d
+whitelist ${HOME}/.gnupg
+whitelist ${HOME}/.mail
+whitelist ${HOME}/.mailcap
+whitelist ${HOME}/.msmtprc
+whitelist ${HOME}/.mutt
+whitelist ${HOME}/.muttrc
+whitelist ${HOME}/.nanorc
+whitelist ${HOME}/.neomutt
+whitelist ${HOME}/.neomuttrc
+whitelist ${HOME}/.signature
+whitelist ${HOME}/.vim
+whitelist ${HOME}/.viminfo
+whitelist ${HOME}/.vimrc
+whitelist ${HOME}/.w3m
+whitelist ${HOME}/Mail
+whitelist ${HOME}/mail
+whitelist ${HOME}/postponed
+whitelist ${HOME}/sent
+whitelist ${DOCUMENTS}
+whitelist ${DOWNLOADS}
+whitelist /usr/share/gnupg
+whitelist /usr/share/gnupg2
+whitelist /usr/share/neomutt
+whitelist /var/mail
+whitelist /var/spool/mail
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+# disable-mnt
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,gnupg,hostname,hosts,hosts.conf,mail,mailname,Mutt,Muttrc,Muttrc.d,neomuttrc,neomuttrc.d,nntpserver,nsswitch.conf,passwd,pki,resolv.conf,ssl,xdg
+private-tmp
+writable-run-user
+writable-var
+
+dbus-user none
+dbus-system none
-- cgit v1.2.3-70-g09d2
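Review bot: The `private-etc` list of this new profile diverges from the mutt.profile list in the same commit without a comment explaining why: mutt gets `gai.conf,gnutls,terminfo` and neomutt does not, while neomutt adds `dconf`. neomutt is a curses program too and can be linked against gnutls, so leaving out `terminfo` in particular could break terminal initialisation on distributions that keep part of the terminfo database under /etc/terminfo, and leaving out `gnutls` would hide its system-wide configuration from a gnutls build; I have not checked which TLS library the packaged neomutt uses. Either align the list with mutt's (`gai.conf,gnutls,terminfo` added) or leave a one-line comment above `private-etc` saying the omissions are deliberate.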