From ecbf5ddb450ba0ad86d9a892e9bc14d52ad86fa4 Mon Sep 17 00:00:00 2001
From: smitsohu
Date: Sat, 24 Mar 2018 17:00:18 +0100
Subject: add basic akonadi integration as it is now, there is no support for a full akonadi session inside the knotes sandbox, but knotes can connect to akonadi and should work fine
---
etc/akonadi_control.profile | 44 ++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 44 insertions(+)
create mode 100644 etc/akonadi_control.profile
(limited to 'etc/akonadi_control.profile')
diff --git a/etc/akonadi_control.profile b/etc/akonadi_control.profile
new file mode 100644
index 000000000..44184b76a
--- /dev/null
+++ b/etc/akonadi_control.profile
@@ -0,0 +1,44 @@
+# Firejail profile for akonadi_control
+# Persistent local customizations
+include /etc/firejail/akonadi_control.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+noblacklist ${HOME}/.cache/akonadi*
+noblacklist ${HOME}/.config/akonadi*
+noblacklist ${HOME}/.config/baloorc
+noblacklist ${HOME}/.local/share/akonadi/*
+noblacklist ${HOME}/.local/share/contacts
+noblacklist ${HOME}/.local/share/local-mail
+noblacklist /usr/sbin
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+include /etc/firejail/whitelist-var-common.inc
+
+# depending on your setup it might be possible to
+# enable some of the commented options below
+
+caps.drop all
+ipc-namespace
+no3d
+netfilter
+nodvd
+nogroups
+# nonewprivs
+# noroot
+nosound
+notv
+novideo
+# protocol unix,inet,inet6
+# seccomp.drop @cpu-emulation,@debug,@obsolete,@privileged,@resources,add_key,fanotify_init,io_cancel,io_destroy,kcmp,keyctl,name_to_handle_at,ni_syscall,open_by_handle_at,personality,process_vm_readv,ptrace,remap_file_pages,request_key,syslog,umount,userfaultfd,vmsplice # we need to allow io_getevents, ioprio_set, io_setup, io_submit system calls
+tracelog
+
+private-dev
+# private-tmp - breaks programs that depend on akonadi
+
+noexec ${HOME}
+noexec /tmp
-- cgit v1.2.3-54-g00ecf
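Review bot: The hardening block ships with `nonewprivs`, `noroot`, `protocol` and the whole `seccomp.drop` list commented out, so as committed the profile confines akonadi_control with `caps.drop all`, the namespace and device options and the blacklist includes only, and the header comment ("depending on your setup") does not say which setups can turn them back on. Each disabled option should state what breaks when it is enabled, and the seccomp explanation belongs on its own line above the directive, e.g. `# custom list instead of plain seccomp: io_getevents, ioprio_set, io_setup and io_submit must stay allowed`, rather than trailing an already very long line where it depends on the parser accepting inline comments once the line is uncommented (worth confirming). `noblacklist /usr/sbin` has no explanation either; presumably a helper binary lives there, and a one-line comment naming it would let a later reviewer judge whether the exception is still needed. Separately, `${HOME}/.local/share/akonadi/*` is written differently from the `akonadi*` patterns above it and may not lift a blacklist placed on the directory itself, depending on what the disable-*.inc files contain.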