From 155c5c54b2a59e547480c77962d2cbd32fdfa547 Mon Sep 17 00:00:00 2001
From: Tad
Date: Sat, 24 Mar 2018 09:17:16 -0400
Subject: Fixup gnome-recipes and add it to firecfg

---
 RELNOTES | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'RELNOTES')

diff --git a/RELNOTES b/RELNOTES
index a031e697e..be196b1e3 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -27,7 +27,7 @@ firejail (0.9.53) baseline; urgency=low
  * new profiles: basilisk, Tor Browser language packs, PlayOnLinux, sylpheed,
  * new profiles: discord-canary, pycharm-community, pycharm-professional,
  * new profiles: pdfchain, tilp, vivaldi-snapshot, bitcoin-qt, kaffeine,
- * new profiles: falkon, gnome-builder, asunder, VS Code,
+ * new profiles: falkon, gnome-builder, asunder, VS Code, gnome-recipes
  -- netblue30 Thu, 1 Mar 2018 08:00:00 -0500
 
 firejail (0.9.52) baseline; urgency=low
-- 
cgit v1.2.3-54-g00ecf

From ecbf5ddb450ba0ad86d9a892e9bc14d52ad86fa4 Mon Sep 17 00:00:00 2001
From: smitsohu
Date: Sat, 24 Mar 2018 17:00:18 +0100
Subject: add basic akonadi integration

as it is now, there is no support for a full akonadi session inside the knotes sandbox, but knotes can connect to akonadi and should work fine

---
 README.md | 3 ++-
 RELNOTES | 2 +-
 etc/akonadi_control.profile | 44 ++++++++++++++++++++++++++++++++++++++++++++
 etc/disable-programs.inc | 8 ++++++++
 etc/kmail.profile | 21 ++++++++++++++++++---
 etc/knotes.profile | 10 ++++++++--
 src/firecfg/firecfg.config | 1 +
 7 files changed, 82 insertions(+), 7 deletions(-)
 create mode 100644 etc/akonadi_control.profile
(limited to 'RELNOTES')

diff --git a/README.md b/README.md
index 90e3f7fcc..248ba6ebc 100644
--- a/README.md
+++ b/README.md
@@ -246,4 +246,5 @@ firefox-common-addons.inc in firefox-common.profile.
 Basilisk browser, Tor Browser language packs, PlayOnLinux, sylpheed, discord-canary, pycharm-community, pycharm-professional, Pitivi, OnionShare, Fritzing, Kaffeine, pdfchain,
-tilp, vivaldi-snapshot, bitcoin-qt, VS Code, falkon, gnome-builder, lobase, asunder
+tilp, vivaldi-snapshot, bitcoin-qt, VS Code, falkon, gnome-builder, lobase, asunder,
+akonadi_control
diff --git a/RELNOTES b/RELNOTES
index e7852663e..4ffcd1212 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -27,7 +27,7 @@ firejail (0.9.53) baseline; urgency=low
  * new profiles: basilisk, Tor Browser language packs, PlayOnLinux, sylpheed,
  * new profiles: discord-canary, pycharm-community, pycharm-professional,
  * new profiles: pdfchain, tilp, vivaldi-snapshot, bitcoin-qt, kaffeine, VS Code,
- * new profiles: falkon, gnome-builder, asunder
+ * new profiles: falkon, gnome-builder, asunder, akonadi_control
  -- netblue30 Thu, 1 Mar 2018 08:00:00 -0500
 
 firejail (0.9.52) baseline; urgency=low
diff --git a/etc/akonadi_control.profile b/etc/akonadi_control.profile
new file mode 100644
index 000000000..44184b76a
--- /dev/null
+++ b/etc/akonadi_control.profile
@@ -0,0 +1,44 @@
+# Firejail profile for akonadi_control
+# Persistent local customizations
+include /etc/firejail/akonadi_control.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+noblacklist ${HOME}/.cache/akonadi*
+noblacklist ${HOME}/.config/akonadi*
+noblacklist ${HOME}/.config/baloorc
+noblacklist ${HOME}/.local/share/akonadi/*
+noblacklist ${HOME}/.local/share/contacts
+noblacklist ${HOME}/.local/share/local-mail
+noblacklist /usr/sbin
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+include /etc/firejail/whitelist-var-common.inc
+
+# depending on your setup it might be possible to
+# enable some of the commented options below
+
+caps.drop all
+ipc-namespace
+no3d
+netfilter
+nodvd
+nogroups
+# nonewprivs
+# noroot
+nosound
+notv
+novideo
+# protocol unix,inet,inet6
+# seccomp.drop @cpu-emulation,@debug,@obsolete,@privileged,@resources,add_key,fanotify_init,io_cancel,io_destroy,kcmp,keyctl,name_to_handle_at,ni_syscall,open_by_handle_at,personality,process_vm_readv,ptrace,remap_file_pages,request_key,syslog,umount,userfaultfd,vmsplice # we need to allow io_getevents, ioprio_set, io_setup, io_submit system calls
+tracelog
+
+private-dev
+# private-tmp - breaks programs that depend on akonadi
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index 0d542c6d8..586c50a60 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -73,6 +73,7 @@ blacklist ${HOME}/.config/Slack
 blacklist ${HOME}/.config/Thunar
 blacklist ${HOME}/.config/VirtualBox
 blacklist ${HOME}/.config/Wire
+blacklist ${HOME}/.config/akonadi*
 blacklist ${HOME}/.config/akregatorrc
 blacklist ${HOME}/.config/ardour4
 blacklist ${HOME}/.config/ardour5
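Review bot: akonadi_control runs with no syscall filter and without `nonewprivs`/`noroot`, because `# seccomp.drop ...`, `# nonewprivs` and `# noroot` are all commented out, while the trailing comment on the seccomp line already names the calls that must stay allowed (io_getevents, ioprio_set, io_setup, io_submit) and the list as written no longer contains them. If that pruned list was tried and still broke akonadi, the profile should record what failed so the next maintainer can re-test rather than guess, e.g. `# seccomp.drop ... - disabled for now: <what breaks>; io_getevents, ioprio_set, io_setup and io_submit are already left out of the list`. `noblacklist /usr/sbin` is unusual for a desktop profile and deserves a one-line reason next to it, such as `# <program> is started from /usr/sbin` with the real binary named. With `nonewprivs` off, setuid/setgid binaries reachable from the sandbox are not neutralized, which is worth saying in the "depending on your setup" comment so users know what enabling the commented options buys them.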
@@ -106,6 +107,7 @@ blacklist ${HOME}/.config/digikam
 blacklist ${HOME}/.config/digikamrc
 blacklist ${HOME}/.config/dolphinrc
 blacklist ${HOME}/.config/dragonplayerrc
+blacklist ${HOME}/.config/emailidentities
 blacklist ${HOME}/.config/enchant
 blacklist ${HOME}/.config/eog
 blacklist ${HOME}/.config/epiphany
@@ -144,6 +146,7 @@ blacklist ${HOME}/.config/katevirc
 blacklist ${HOME}/.config/kdenliverc
 blacklist ${HOME}/.config/kgetrc
 blacklist ${HOME}/.config/klipperrc
+blacklist ${HOME}/.config/kmail2rc
 blacklist ${HOME}/.config/kritarc
 blacklist ${HOME}/.config/kwriterc
 blacklist ${HOME}/.config/kdeconnect
@@ -346,12 +349,14 @@ blacklist ${HOME}/.local/share/SuperHexagon
 blacklist ${HOME}/.local/share/TelegramDesktop
 blacklist ${HOME}/.local/share/Terraria
 blacklist ${HOME}/.local/share/TpLogger
+blacklist ${HOME}/.local/share/akonadi/*
 blacklist ${HOME}/.local/share/akregator
 blacklist ${HOME}/.local/share/aspyr-media
 blacklist ${HOME}/.local/share/baloo
 blacklist ${HOME}/.local/share/caja-python
 blacklist ${HOME}/.local/share/cdprojektred
 blacklist ${HOME}/.local/share/clipit
+blacklist ${HOME}/.local/share/contacts
 blacklist ${HOME}/.local/share/data/Mumble
 blacklist ${HOME}/.local/share/data/MusE
 blacklist ${HOME}/.local/share/data/MuseScore
@@ -376,11 +381,13 @@ blacklist ${HOME}/.local/share/kaffeine
 blacklist ${HOME}/.local/share/kate
 blacklist ${HOME}/.local/share/kdenlive
 blacklist ${HOME}/.local/share/kget
+blacklist ${HOME}/.local/share/kmail2
 blacklist ${HOME}/.local/share/krita
 blacklist ${HOME}/.local/share/ktorrentrc
 blacklist ${HOME}/.local/share/ktorrent
 blacklist ${HOME}/.local/share/kwrite
 blacklist ${HOME}/.local/share/liferea
+blacklist ${HOME}/.local/share/local-mail
 blacklist ${HOME}/.local/share/lollypop
 blacklist ${HOME}/.local/share/maps-places.json
 blacklist ${HOME}/.local/share/meld
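Review bot: `blacklist ${HOME}/.local/share/akonadi/*` in the `@@ -346,12 +349,14 @@` hunk blacklists the directory's current entries rather than the directory, unlike every neighboring line and unlike the `.config/akonadi*` and `.cache/akonadi*` entries in the other hunks, which match directory names and so cover everything beneath them. As far as I can tell such a glob is expanded when the sandbox starts, so anything akonadi creates in that directory afterwards stays visible to every sandbox that includes this file. If keeping the directory itself reachable is deliberate (the kmail and knotes profiles `noblacklist` the same pattern), a comment such as `# contents only, not the directory: <reason>` would stop someone "fixing" it later; otherwise `blacklist ${HOME}/.local/share/akonadi` is the safer default.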
@@ -495,6 +502,7 @@ blacklist ${HOME}/.cache/Franz
 blacklist ${HOME}/.cache/INRIA
 blacklist ${HOME}/.cache/MusicBrainz
 blacklist ${HOME}/.cache/QuiteRss
+blacklist ${HOME}/.cache/akonadi*
 blacklist ${HOME}/.cache/attic
 blacklist ${HOME}/.cache/borg
 blacklist ${HOME}/.cache/calibre
diff --git a/etc/kmail.profile b/etc/kmail.profile
index ca774f4ec..1b3255d61 100644
--- a/etc/kmail.profile
+++ b/etc/kmail.profile
@@ -5,6 +5,18 @@ include /etc/firejail/kmail.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
+# akonadi with mysql backend fails to run inside this sandbox
+# and should be started in advance
+
+noblacklist ${HOME}/.cache/akonadi*
+noblacklist ${HOME}/.config/akonadi*
+noblacklist ${HOME}/.config/baloorc
+noblacklist ${HOME}/.config/emailidentities
+noblacklist ${HOME}/.config/kmail2rc
+noblacklist ${HOME}/.local/share/akonadi/*
+noblacklist ${HOME}/.local/share/contacts
+noblacklist ${HOME}/.local/share/kmail2
+noblacklist ${HOME}/.local/share/local-mail
 noblacklist ${HOME}/.gnupg
 
 include /etc/firejail/disable-common.inc
@@ -22,11 +34,14 @@ nosound
 notv
 novideo
 protocol unix,inet,inet6,netlink
-# blacklisting of chroot system calls breaks kmail
-seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+# we need to allow chroot and ioprio_set system calls
+seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
 # tracelog
 # writable-run-user is needed for signing and encrypting emails
 writable-run-user
 
 private-dev
-# private-tmp - breaks akonadi and opening of email attachments
+# private-tmp - interrupts connection to akonadi, breaks opening of email attachments
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/knotes.profile b/etc/knotes.profile
index 94ada7855..091c3a8e5 100644
--- a/etc/knotes.profile
+++ b/etc/knotes.profile
@@ -5,10 +5,12 @@ include /etc/firejail/knotes.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
+noblacklist ${HOME}/.config/akonadi*
 noblacklist ${HOME}/.config/knotesrc
+noblacklist ${HOME}/.local/share/akonadi/*
 
 include /etc/firejail/disable-common.inc
-# include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
@@ -22,10 +24,14 @@ nonewprivs
 noroot
 nosound
 notv
+novideo
 protocol unix
 seccomp
 shell none
 tracelog
 
 private-dev
-#private-tmp - problems on kubuntu 17.04
+# private-tmp - interrupts connection to akonadi
+
+noexec ${HOME}
+noexec /tmp
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index e29f95886..c39c1144e 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -16,6 +16,7 @@ VirtualBox
 Wire
 Xephyr
 abrowser
+# akonadi_control - enable later
 akregator
 amarok
 amule
-- 
cgit v1.2.3-54-g00ecf