From e8a5e0d3302547c40df2eb7b40a746f5ced3c10e Mon Sep 17 00:00:00 2001
From: glitsj16
Date: Sat, 18 Jan 2020 11:03:32 +0000
Subject: refactor claws-mail and sylpheed as whitelist profiles (#3162)

* refactor claws-mail as whitelist profile
* refactor sylpheed as whitelist profile
* Create email-common.profile
* safeguard ${DOCUMENTS}
* Add disable-xdg to email-common.profile
Thanks @rusty-snake for the review.
---
 etc/claws-mail.profile | 43 +++--------------------------
 etc/email-common.profile | 68 ++++++++++++++++++++++++++++++++++++++++++++++++
 etc/sylpheed.profile | 11 +++-----
 3 files changed, 76 insertions(+), 46 deletions(-)
 create mode 100644 etc/email-common.profile

diff --git a/etc/claws-mail.profile b/etc/claws-mail.profile
index 44124f4a3..a1c44c91d 100644
--- a/etc/claws-mail.profile
+++ b/etc/claws-mail.profile
@@ -7,46 +7,11 @@ include claws-mail.local
 include globals.local
 noblacklist ${HOME}/.claws-mail
-noblacklist ${HOME}/.gnupg
-noblacklist ${HOME}/.signature
-# when storing mail outside the default ${HOME}/Mail path, 'noblacklist' the custom path in your claws-mail.local
-# and 'blacklist' it in your disable-common.local too so it is kept hidden from other applications
-noblacklist ${HOME}/Mail
-noblacklist ${DOCUMENTS}
-include disable-common.inc
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
-include disable-xdg.inc
+mkdir ${HOME}/.claws-mail
+whitelist ${HOME}/.claws-mail
 whitelist /usr/share/doc/claws-mail
-whitelist /usr/share/gnupg
-whitelist /usr/share/gnupg2
-include whitelist-usr-share-common.inc
-caps.drop all
-netfilter
-no3d
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-nou2f
-novideo
-protocol unix,inet,inet6
-seccomp
-shell none
-
-private-cache
-private-dev
-private-tmp
-
-# If you want to read local mail stored in /var/mail, add the following to claws-mail.local:
-# noblacklist /var/mail
-# noblacklist /var/spool/mail
-# writable-var
+# Redirect
+include email-common.profile
\ No newline at end of file
diff --git a/etc/email-common.profile b/etc/email-common.profile
new file mode 100644
index 000000000..f9d96858b
--- /dev/null
+++ b/etc/email-common.profile
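Review bot: The new last line `include email-common.profile` is written without a trailing newline (the hunk ends with `\ No newline at end of file`); add the final newline so the file ends like the other profiles and a later append diffs cleanly. The lines kept in this file also have to stay above the redirect: as far as I can tell from the existing profiles, `noblacklist ${HOME}/.claws-mail` only takes effect because it precedes the `include disable-programs.inc` that the common profile pulls in, so a one-line comment above `# Redirect`, e.g. `# keep all claws-mail specific lines above this include; order matters for noblacklist`, would protect that ordering against future edits.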
@@ -0,0 +1,68 @@
+# Firejail profile for email-common
+# Description: Common profile for claws-mail and sylpheed email clients
+# This file is overwritten after every install/update
+# Persistent local customizations
+include email-common.local
+# Persistent global definitions
+# added by caller profile
+#include globals.local
+
+noblacklist ${HOME}/.gnupg
+noblacklist ${HOME}/.signature
+# when storing mail outside the default ${HOME}/Mail path, 'noblacklist' the custom path in your email-common.local
+# and 'blacklist' it in your disable-common.local too so it is kept hidden from other applications
+noblacklist ${HOME}/Mail
+
+noblacklist ${DOCUMENTS}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+whitelist ${DOCUMENTS}
+whitelist ${DOWNLOADS}
+mkfile ${HOME}/.config/mimeapps.list
+mkdir ${HOME}/.gnupg
+mkfile ${HOME}/.signature
+whitelist ${HOME}/.config/mimeapps.list
+whitelist ${HOME}/.gnupg
+whitelist ${HOME}/.signature
+# when storing mail outside the default ${HOME}/Mail path, 'whitelist' the custom path in your email-common.local
+whitelist ${HOME}/Mail
+whitelist /usr/share/gnupg
+whitelist /usr/share/gnupg2
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+private-cache
+private-dev
+private-tmp
+
+# encrypting and signing email
+read-only ${HOME}/.config/mimeapps.list
+writable-run-user
+
+# If you want to read local mail stored in /var/mail, add the following to email-common.local:
+# whitelist /var/mail
+# whitelist /var/spool/mail
+# writable-var
diff --git a/etc/sylpheed.profile b/etc/sylpheed.profile
index 8e99fe1d6..4344fe73a 100644
--- a/etc/sylpheed.profile
+++ b/etc/sylpheed.profile
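Review bot: `include disable-exec.inc`, which the previous claws-mail.profile carried (see the removed line in the etc/claws-mail.profile hunk), is missing from the `include disable-*.inc` block of the new common profile, so both clients now lose the noexec mounts that include normally places on ${HOME} and /tmp and that keep a saved attachment from being run where it was written. If the omission is deliberate, record it next to the block, e.g. `# disable-exec.inc omitted: <reason>`; otherwise add `include disable-exec.inc` between `include disable-devel.inc` and `include disable-interpreters.inc`. Separately, the `# encrypting and signing email` comment sits above `read-only ${HOME}/.config/mimeapps.list`, which is unrelated to GnuPG; it belongs directly above `writable-run-user` (presumably there for the gpg-agent socket under /run/user), and the read-only line deserves its own short note such as `# keep the client from rewriting MIME handler defaults`.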
@@ -4,17 +4,14 @@
 # Persistent local customizations
 include sylpheed.local
 # Persistent global definitions
-# added by included profile
-#include globals.local
+include globals.local
 noblacklist ${HOME}/.sylpheed-2.0
-# when storing mail outside the default ${HOME}/Mail path, 'noblacklist' the custom path in your sylpheed.local
-# and 'blacklist' it in your disable-common.local too so it is kept hidden from other applications
-blacklist ${HOME}/.claws-mail
+mkdir ${HOME}/.sylpheed-2.0
+whitelist ${HOME}/.sylpheed-2.0
-nowhitelist /usr/share/doc/claws-mail
 whitelist /usr/share/sylpheed
 # Redirect
-include claws-mail.profile
+include email-common.profile
-- 
cgit v1.2.3-70-g09d2