From a8a8e33bc17263db763cd7bd803314f8d5dbd2c5 Mon Sep 17 00:00:00 2001
From: bbhtt <62639087+bbhtt@users.noreply.github.com>
Date: Mon, 28 Dec 2020 13:10:15 +0000
Subject: Add whitelisting to mutt; improve geary, new profile for neomutt

---
 etc/profile-a-l/geary.profile | 61 ++++++++++++++++++++++++++++++++++---------
 1 file changed, 49 insertions(+), 12 deletions(-)

(limited to 'etc/profile-a-l/geary.profile')

diff --git a/etc/profile-a-l/geary.profile b/etc/profile-a-l/geary.profile
index f4e5a392f..3f96d8b25 100644
--- a/etc/profile-a-l/geary.profile
+++ b/etc/profile-a-l/geary.profile
@@ -4,19 +4,21 @@
 # Persistent local customizations
 include geary.local
 # Persistent global definitions
-# added by included profile
-#include globals.local
-
-# Users have Geary set to open a browser by clicking a link in an email
-# We are not allowed to blacklist browser-specific directories
-
-ignore dbus-user filter
-ignore dbus-system none
-ignore private-tmp
+include globals.local
 
 noblacklist ${HOME}/.cache/geary
 noblacklist ${HOME}/.config/geary
 noblacklist ${HOME}/.local/share/geary
+noblacklist ${HOME}/.mozilla
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
 
 mkdir ${HOME}/.cache/geary
 mkdir ${HOME}/.config/geary
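Review bot: `noblacklist ${HOME}/.mozilla` lifts the blacklist on the whole Firefox directory, and this hunk also deletes the only comment that said why browser paths are touched at all. The second hunk whitelists only `${HOME}/.mozilla/firefox/profiles.ini` and makes it read-only, so the intent appears to be handing links to Firefox rather than exposing the browser profile. A comment above the line would keep a later editor from widening it, e.g. `# needed only so profiles.ini (whitelisted read-only below) is visible for opening links in Firefox`. The profile continues past the end of this hunk.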
@@ -24,8 +26,43 @@ mkdir ${HOME}/.local/share/geary
 whitelist ${HOME}/.cache/geary
 whitelist ${HOME}/.config/geary
 whitelist ${HOME}/.local/share/geary
+whitelist ${HOME}/.mozilla/firefox/profiles.ini
+whitelist ${DOWNLOADS}
 whitelist /usr/share/geary
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+# disable-mnt
+# Add ignore private-bin to geary.local for hyperlink support
+private-bin geary
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,fonts,hostname,hosts,pki,resolv.conf,selinux,ssl,xdg
+private-tmp
+
+dbus-user filter
+dbus-user.own org.gnome.Geary
+dbus-user.talk ca.desrt.dconf
+dbus-user.talk org.freedesktop.secrets
+dbus-system none
 
-# allow Mozilla browsers
-# Redirect
-include firefox.profile
+read-only ${HOME}/.mozilla/firefox/profiles.ini
-- 
cgit v1.2.3-70-g09d2
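Review bot: `dbus-user.talk org.freedesktop.secrets` is added without a comment, and it is the widest grant in the new D-Bus block. A talk rule on that name lets the sandboxed process call the whole Secret Service, not only the entries Geary stored, so the filter does not confine a compromised mail client to its own account passwords. That is probably unavoidable for a client that keeps credentials in the keyring, but it should be stated next to the rule, e.g. `# org.freedesktop.secrets: needed for account passwords; a talk rule exposes every unlocked keyring item, not just Geary's`. The `# disable-mnt` line a few lines above is left commented out with no reason given, and a short why-comment there would help too.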