From 144aee26f56156cb4ec0c674062c447d261802a4 Mon Sep 17 00:00:00 2001
From: bbhtt <62639087+bbhtt@users.noreply.github.com>
Date: Thu, 31 Dec 2020 03:58:57 +0000
Subject: Improve whitelisting and dbus of Sylpheed and Claws-mail
---
 etc/profile-a-l/email-common.profile | 22 ++++++++++++++++------
 1 file changed, 16 insertions(+), 6 deletions(-)
(limited to 'etc/profile-a-l/email-common.profile')
diff --git a/etc/profile-a-l/email-common.profile b/etc/profile-a-l/email-common.profile
index df47f478d..9e7c15a9d 100644
--- a/etc/profile-a-l/email-common.profile
+++ b/etc/profile-a-l/email-common.profile
@@ -8,6 +8,7 @@ include email-common.local
 #include globals.local
 
 noblacklist ${HOME}/.gnupg
+noblacklist ${HOME}/.mozilla
 noblacklist ${HOME}/.signature
 # when storing mail outside the default ${HOME}/Mail path, 'noblacklist' the custom path in your email-common.local
 # and 'blacklist' it in your disable-common.local too so it is kept hidden from other applications
@@ -17,28 +18,35 @@ noblacklist ${DOCUMENTS}
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
-whitelist ${DOCUMENTS}
-whitelist ${DOWNLOADS}
 mkfile ${HOME}/.config/mimeapps.list
-mkdir ${HOME}/.gnupg
 mkfile ${HOME}/.signature
+mkdir ${HOME}/.gnupg
 whitelist ${HOME}/.config/mimeapps.list
+whitelist ${HOME}/.mozilla/firefox/profiles.ini
 whitelist ${HOME}/.gnupg
 whitelist ${HOME}/.signature
+whitelist ${DOCUMENTS}
+whitelist ${DOWNLOADS}
 # when storing mail outside the default ${HOME}/Mail path, 'whitelist' the custom path in your email-common.local
 whitelist ${HOME}/Mail
+
+whitelist ${RUNUSER}/gnupg
 whitelist /usr/share/gnupg
 whitelist /usr/share/gnupg2
 
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
+machine-id
 netfilter
 no3d
 nodvd
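Review bot: `noblacklist ${HOME}/.mozilla` un-hides the whole Mozilla tree, while the rest of the patch only needs one file from it (`whitelist ${HOME}/.mozilla/firefox/profiles.ini` in the second hunk, made `read-only` in the last hunk). With whitelisting active the effective exposure is that single file, but the directory-wide noblacklist widens what an email-common.local override that relaxes whitelisting can reach; if noblacklist accepts a file path here, narrowing it to the profiles.ini path would match the actual use. The purpose is also undocumented — presumably the clients read the default Firefox profile when opening links — so a comment such as `# profiles.ini is read to find the default Firefox profile when opening links` above the noblacklist would help the next maintainer. This point covers the same path in the second and fourth hunks.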
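Review bot: `whitelist ${RUNUSER}/gnupg` exposes the per-user gnupg runtime directory (presumably the gpg-agent sockets) to the sandbox, but unlike the existing `writable-run-user` line, which sits under the `# encrypting and signing email` comment, the new line carries no explanation. A short comment would tie the two together, e.g. `# gpg-agent sockets, used for encrypting and signing email` directly above `whitelist ${RUNUSER}/gnupg`. The accompanying `include whitelist-runuser-common.inc` is what makes the `${RUNUSER}` whitelist take effect, which is worth stating in the same comment since the two lines are separated by several others.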
@@ -54,13 +62,12 @@ seccomp
 shell none
 tracelog
 
+# disable-mnt
 private-cache
 private-dev
+private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,gnupg,groups,gtk-2.0,gtk-3.0,hostname,hosts,hosts.conf,mailname,nsswitch.conf,passwd,pki,resolv.conf,selinux,ssl,xdg
 private-tmp
 
-dbus-user none
-dbus-system none
-
 # encrypting and signing email
 writable-run-user
 
@@ -70,3 +77,6 @@ writable-run-user
 #whitelist /var/mail
 #whitelist /var/spool/mail
 #writable-var
+
+read-only ${HOME}/.mozilla/firefox/profiles.ini
+read-only ${HOME}/.signature
-- 
cgit v1.2.3-70-g09d2
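Review bot: Removing `dbus-user none` and `dbus-system none` leaves every profile that includes email-common.profile with unrestricted access to both the session and the system bus, a much larger relaxation than the subject's "improve dbus" suggests and one that is not explained anywhere in the hunk. A mail client is unlikely to need the system bus, so `dbus-system none` can probably stay; for the session bus, `dbus-user filter` with explicit `dbus-user.talk` entries for the names the clients actually use would keep the boundary while still fixing whatever broke with `none`. If the blanket removal is intentional for now, the hunk should at least record why, e.g. `# D-Bus left open: Sylpheed and Claws-mail break with dbus-user none; tighten with dbus-user filter once the required names are known` in place of the deleted lines.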
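Review bot: `read-only ${HOME}/.signature` interacts with the `mkfile ${HOME}/.signature` earlier in the profile (outside this hunk): a missing signature file is created empty on the host and then cannot be populated from inside the sandbox, which a user may not expect when the client's signature settings appear to do nothing. A comment above the two read-only lines would make the trade-off visible, e.g. `# both files are read-only inside the sandbox; edit them outside`. The trailing blank `+` line before them also leaves the `#writable-var` comment block ending without the explanatory comment the rest of the file uses for each section.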