From be248ccc236969d3488e36f2f934e3f2c37539a2 Mon Sep 17 00:00:00 2001 From: smitsohu Date: Sat, 24 Mar 2018 22:33:23 +0100 Subject: fix akonadi_control, enable it in firecfg for a better default --- etc/akonadi_control.profile | 3 ++- etc/kmail.profile | 5 +++-- src/firecfg/firecfg.config | 2 +- 3 files changed, 6 insertions(+), 4 deletions(-) diff --git a/etc/akonadi_control.profile b/etc/akonadi_control.profile index fb299a518..0443774dd 100644 --- a/etc/akonadi_control.profile +++ b/etc/akonadi_control.profile @@ -22,6 +22,7 @@ include /etc/firejail/whitelist-var-common.inc # depending on your setup it might be possible to # enable some of the commented options below +# apparmor caps.drop all ipc-namespace no3d @@ -34,7 +35,7 @@ nosound notv novideo # protocol unix,inet,inet6 -# seccomp.drop @cpu-emulation,@debug,@obsolete,@privileged,@resources,add_key,fanotify_init,io_cancel,io_destroy,kcmp,keyctl,name_to_handle_at,ni_syscall,open_by_handle_at,personality,process_vm_readv,ptrace,remap_file_pages,request_key,syslog,umount,userfaultfd,vmsplice # we need to allow io_getevents, ioprio_set, io_setup, io_submit system calls +# seccomp.drop @cpu-emulation,@debug,@obsolete,@privileged,@resources,add_key,fanotify_init,io_cancel,io_destroy,kcmp,keyctl,name_to_handle_at,ni_syscall,open_by_handle_at,personality,process_vm_readv,ptrace,remap_file_pages,request_key,syslog,umount,userfaultfd,vmsplice tracelog private-dev diff --git a/etc/kmail.profile b/etc/kmail.profile index 1b3255d61..3ee8370cb 100644 --- a/etc/kmail.profile +++ b/etc/kmail.profile 
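Review bot: In the second hunk of etc/akonadi_control.profile the `seccomp.drop` line is only moved below its explanatory comment and stays commented out, as does `# protocol unix,inet,inet6`, while this same commit enables `akonadi_control` in src/firecfg/firecfg.config. Unless a `seccomp` line exists outside the hunk, the profile that now becomes the default appears to run without a syscall filter or a protocol restriction. I would say so next to the line, e.g. `# seccomp.drop is off by default because <reason>; test before enabling`, so users do not assume the filter is active. The profile continues outside the hunk.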
@@ -5,8 +5,8 @@ include /etc/firejail/kmail.local # Persistent global definitions include /etc/firejail/globals.local -# akonadi with mysql backend fails to run inside this sandbox -# and should be started in advance +# if akonadi has a mysql backend, starting it inside this sandbox will fail +# one solution is to have akonadi already running when kmail is launched noblacklist ${HOME}/.cache/akonadi* noblacklist ${HOME}/.config/akonadi* @@ -24,6 +24,7 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc +# apparmor caps.drop all netfilter nodvd diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index 73510c951..2ffaa8b98 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config @@ -16,7 +16,7 @@ VirtualBox Wire Xephyr abrowser -# akonadi_control - enable later +akonadi_control akregator amarok amule -- cgit v1.2.3-54-g00ecf
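Review bot: The `# apparmor` line added in the second hunk of etc/kmail.profile is disabled with no explanation nearby, whereas the matching addition in etc/akonadi_control.profile sits under the existing "depending on your setup it might be possible to enable some of the commented options below" comment. A mail client processes untrusted content, so a reader should be told whether AppArmor confinement is off because it breaks something or only because it is untested. I would add a line above it such as `# apparmor is optional here; enable it in kmail.local once verified on your setup`. The profile continues outside the hunk.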