From cde712aec5453a9ee204fcf31b4223a07075681a Mon Sep 17 00:00:00 2001
From: glitsj16
Date: Wed, 4 Jan 2023 21:13:22 +0000
Subject: balsa: refactor as email-common.profile redirect
---
etc/profile-a-l/balsa.profile | 61 ++-----------------------------------------
1 file changed, 2 insertions(+), 59 deletions(-)
(limited to 'etc/profile-a-l')
diff --git a/etc/profile-a-l/balsa.profile b/etc/profile-a-l/balsa.profile
index 661356ff6..c3a3dcf57 100644
--- a/etc/profile-a-l/balsa.profile
+++ b/etc/profile-a-l/balsa.profile
@@ -7,76 +7,19 @@ include balsa.local include globals.local noblacklist ${HOME}/.balsa -noblacklist ${HOME}/.gnupg -noblacklist ${HOME}/.mozilla -noblacklist ${HOME}/.signature noblacklist ${HOME}/mail -noblacklist /var/mail -noblacklist /var/spool/mail -include disable-common.inc -include disable-devel.inc -include disable-exec.inc -include disable-interpreters.inc -include disable-programs.inc include disable-shell.inc -include disable-xdg.inc mkdir ${HOME}/.balsa -mkdir ${HOME}/.gnupg -mkfile ${HOME}/.signature mkdir ${HOME}/mail whitelist ${HOME}/.balsa -whitelist ${HOME}/.gnupg -whitelist ${HOME}/.mozilla/firefox/profiles.ini -whitelist ${HOME}/.signature whitelist ${HOME}/mail -whitelist ${RUNUSER}/gnupg whitelist /usr/share/balsa -whitelist /usr/share/gnupg -whitelist /usr/share/gnupg2 -whitelist /var/mail -whitelist /var/spool/mail -include whitelist-common.inc -include whitelist-runuser-common.inc -include whitelist-usr-share-common.inc -include whitelist-var-common.inc -apparmor -caps.drop all -netfilter -no3d -nodvd -nogroups -noinput -nonewprivs -noroot -nosound -notv -nou2f -novideo -protocol unix,inet,inet6 -seccomp -tracelog - -# disable-mnt -# Add "pinentry-curses,pinentry-emacs,pinentry-fltk,pinentry-gnome3,pinentry-gtk,pinentry-gtk2,pinentry-gtk-2,pinentry-qt,pinentry-qt4,pinentry-tty,pinentry-x2go,pinentry-kwallet" for gpg -# Add "ignore private-bin" for hyperlinks or have a look at the private-bins in firefox.profile and firefox-common.profile. 
private-bin balsa,balsa-ab,gpg,gpg-agent,gpg2,gpgsm -private-cache -private-dev -private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,groups,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.preload,mailname,passwd,pki,resolv.conf,selinux,ssl,xdg -private-tmp -writable-run-user -writable-var -dbus-user filter dbus-user.own org.desktop.Balsa -dbus-user.talk ca.desrt.dconf -dbus-user.talk org.freedesktop.Notifications -dbus-user.talk org.freedesktop.secrets -dbus-user.talk org.gnome.keyring.SystemPrompter -dbus-system none -read-only ${HOME}/.mozilla/firefox/profiles.ini -restrict-namespaces +# Redirect +include email-common.profile -- cgit v1.2.3-70-g09d2 From 25789fe3f6a4787fa4298d930223fb4d91cba61c Mon Sep 17 00:00:00 2001 From: glitsj16 Date: Wed, 4 Jan 2023 21:15:37 +0000 Subject: claws-mail: refactoring --- etc/profile-a-l/claws-mail.profile | 12 ------------ 1 file changed, 12 deletions(-) (limited to 'etc/profile-a-l') diff --git a/etc/profile-a-l/claws-mail.profile b/etc/profile-a-l/claws-mail.profile index ce7b30122..e0f1bca94 100644 --- a/etc/profile-a-l/claws-mail.profile +++ b/etc/profile-a-l/claws-mail.profile @@ -20,17 +20,5 @@ whitelist /usr/share/doc/claws-mail # private-bin claws-mail,curl,gpg,gpg2,gpg-agent,gpgsm,gpgme-config,pinentry,pinentry-gtk-2 -dbus-user filter -dbus-user.talk ca.desrt.dconf -# Add the next line to your claws-mail.local if you use the notification plugin. -# dbus-user.talk org.freedesktop.Notifications -dbus-user.talk org.freedesktop.secrets -dbus-user.talk org.gnome.keyring -dbus-user.talk org.gnome.keyring.PrivatePrompter -dbus-user.talk org.gnome.keyring.SystemPrompter -dbus-user.talk org.gnome.seahorse -dbus-user.talk org.gnome.seahorse.Application -dbus-user.talk org.mozilla.* - # Redirect include email-common.profile -- cgit v1.2.3-70-g09d2 From 8eba8de944ae88204571453b17e17253284ac822 Mon Sep 17 00:00:00 2001 
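Review bot: The `dbus-user.own org.desktop.Balsa` line kept at the end of the balsa.profile hunk no longer has a `dbus-user filter` in this file, and every hardening option removed here (`apparmor`, `caps.drop all`, `seccomp`, `nonewprivs`, `noroot`, `protocol unix,inet,inet6`) now has to come from email-common.profile. The email-common hunks later in this series show `private-tmp`, `dbus-system none` and `restrict-namespaces` as context and add `dbus-user filter`, but the other options are not visible there, so it is worth confirming that each one is present. I would also add a comment above the kept line, `# dbus-user filter and the remaining sandbox options are set in email-common.profile`, so the dependency is obvious to whoever edits either file.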
From: glitsj16 Date: Wed, 4 Jan 2023 21:20:37 +0000 Subject: email-common: refactoring No longer used for claws-mail and sylpheed only. --- etc/profile-a-l/email-common.profile | 24 ++++++++++++++++-------- 1 file changed, 16 insertions(+), 8 deletions(-) (limited to 'etc/profile-a-l') diff --git a/etc/profile-a-l/email-common.profile b/etc/profile-a-l/email-common.profile index 86fb27514..2c57dc108 100644 --- a/etc/profile-a-l/email-common.profile +++ b/etc/profile-a-l/email-common.profile @@ -1,5 +1,5 @@ # Firejail profile for email-common -# Description: Common profile for claws-mail and sylpheed email clients +# Description: Common profile for GUI mail clients # This file is overwritten after every install/update # Persistent local customizations include email-common.local @@ -14,6 +14,8 @@ noblacklist ${HOME}/.signature # when storing mail outside the default ${HOME}/Mail path, 'noblacklist' the custom path in your email-common.local # and 'blacklist' it in your disable-common.local too so it is kept hidden from other applications noblacklist ${HOME}/Mail +noblacklist /var/mail +noblacklist /var/spool/mail noblacklist ${DOCUMENTS} @@ -38,6 +40,8 @@ whitelist ${HOME}/Mail whitelist ${RUNUSER}/gnupg whitelist /usr/share/gnupg whitelist /usr/share/gnupg2 +whitelist /var/mail +whitelist /var/spool/mail include whitelist-common.inc include whitelist-runuser-common.inc include whitelist-usr-share-common.inc 
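Review bot: Access to the system mail spool becomes default-on for every client that includes email-common.profile: the `noblacklist /var/mail` and `noblacklist /var/spool/mail` lines in the `-14,6` hunk, the matching `whitelist` lines in the `-38,6` hunk, and `writable-var` in the `-69,16` hunk replace what was a commented opt-in for email-common.local. Within this series only balsa.profile carried these lines as active directives, so by default claws-mail and sylpheed now get a writable /var and the spool directories they did not have before. Least privilege would keep the opt-in comment block here and leave the five lines in balsa.profile, or in whichever profile actually reads a local spool. If they stay shared, a comment such as `# local mail spool; needs writable-var` above the `noblacklist` pair would record why they are there.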
@@ -69,16 +73,20 @@ private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,gnup private-tmp # encrypting and signing email writable-run-user +writable-var +dbus-user filter +dbus-user.talk ca.desrt.dconf +dbus-user.talk org.freedesktop.Notifications +dbus-user.talk org.freedesktop.secrets +dbus-user.talk org.gnome.keyring +dbus-user.talk org.gnome.keyring.PrivatePrompter +dbus-user.talk org.gnome.keyring.SystemPrompter +dbus-user.talk org.gnome.seahorse +dbus-user.talk org.gnome.seahorse.Application +dbus-user.talk org.mozilla.* dbus-system none -# If you want to read local mail stored in /var/mail, add the following to email-common.local: -#noblacklist /var/mail -#noblacklist /var/spool/mail -#whitelist /var/mail -#whitelist /var/spool/mail -#writable-var - read-only ${HOME}/.mozilla/firefox/profiles.ini read-only ${HOME}/.signature restrict-namespaces -- cgit v1.2.3-70-g09d2 From d9ca879cf71abe04b229022d13a2302ac55b6308 Mon Sep 17 00:00:00 2001 From: glitsj16 Date: Fri, 6 Jan 2023 01:04:13 +0000 Subject: balsa: re-add private-bin comment for gpg Pointed out in review that this comment was removed by mistake. --- etc/profile-a-l/balsa.profile | 1 + 1 file changed, 1 insertion(+) (limited to 'etc/profile-a-l') diff --git a/etc/profile-a-l/balsa.profile b/etc/profile-a-l/balsa.profile index c3a3dcf57..b9245d992 100644 --- a/etc/profile-a-l/balsa.profile +++ b/etc/profile-a-l/balsa.profile @@ -17,6 +17,7 @@ whitelist ${HOME}/.balsa whitelist ${HOME}/mail whitelist /usr/share/balsa +# Add "pinentry-curses,pinentry-emacs,pinentry-fltk,pinentry-gnome3,pinentry-gtk,pinentry-gtk2,pinentry-gtk-2,pinentry-qt,pinentry-qt4,pinentry-tty,pinentry-x2go,pinentry-kwallet" for gpg. private-bin balsa,balsa-ab,gpg,gpg-agent,gpg2,gpgsm dbus-user.own org.desktop.Balsa -- cgit v1.2.3-70-g09d2 From c6cabe300b95bbdbd294070dc13aade1cf5ffecd Mon Sep 17 00:00:00 2001 
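Review bot: The D-Bus talk list added in the `-69,16` hunk enables `dbus-user.talk org.freedesktop.Notifications` for every client, although the lines removed from claws-mail.profile in this series had it commented out as an opt-in for the notification plugin. The same list gives balsa the `org.gnome.seahorse` names and `org.mozilla.*`, which its old profile did not allow. I would keep the optional name commented here with its hint, e.g. `# Add the next line to your email-common.local if your client shows desktop notifications.` followed by `#dbus-user.talk org.freedesktop.Notifications`, and leave the active line in balsa.profile, which had it before.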
From: glitsj16 Date: Fri, 6 Jan 2023 14:32:40 +0000 Subject: email-common: simplify D-Bus filtering Suggested in review. --- etc/profile-a-l/email-common.profile | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) (limited to 'etc/profile-a-l') diff --git a/etc/profile-a-l/email-common.profile b/etc/profile-a-l/email-common.profile index 2c57dc108..0bdfe995e 100644 --- a/etc/profile-a-l/email-common.profile +++ b/etc/profile-a-l/email-common.profile @@ -79,11 +79,8 @@ dbus-user filter dbus-user.talk ca.desrt.dconf dbus-user.talk org.freedesktop.Notifications dbus-user.talk org.freedesktop.secrets -dbus-user.talk org.gnome.keyring -dbus-user.talk org.gnome.keyring.PrivatePrompter -dbus-user.talk org.gnome.keyring.SystemPrompter -dbus-user.talk org.gnome.seahorse -dbus-user.talk org.gnome.seahorse.Application +dbus-user.talk org.gnome.keyring.* +dbus-user.talk org.gnome.seahorse.* dbus-user.talk org.mozilla.* dbus-system none -- cgit v1.2.3-70-g09d2 From 1958fa732b72a223691ff27f873368ce4273e2bb Mon Sep 17 00:00:00 2001 From: glitsj16 Date: Sat, 7 Jan 2023 12:38:02 +0000 Subject: balsa: drop private-bin Supporting 'level 1 hack' to allow opening hyperlinks with firefox needs xdg-open (besides bash,sh). Adding xdg-open to private-bin is not enough, as it pulls in a long list of other commands and that's pretty unmaintainable IMO. So I opted to drop private-bin here. --- etc/profile-a-l/balsa.profile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'etc/profile-a-l') diff --git a/etc/profile-a-l/balsa.profile b/etc/profile-a-l/balsa.profile index b9245d992..fb66016a9 100644 --- a/etc/profile-a-l/balsa.profile +++ b/etc/profile-a-l/balsa.profile 
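Review bot: The two wildcard entries, `dbus-user.talk org.gnome.keyring.*` and `dbus-user.talk org.gnome.seahorse.*`, allow any name under those prefixes rather than the five names that were listed, so a service that later appears under either namespace is reachable from the sandbox without a profile change. If the shorter form is kept, a comment recording what it is meant to cover would help, e.g. `# keyring: PrivatePrompter, SystemPrompter; seahorse: Application`. It is also worth checking that the wildcard form still matches the bare `org.gnome.keyring` and `org.gnome.seahorse` names that the removed lines allowed.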
@@ -18,7 +18,7 @@ whitelist ${HOME}/mail whitelist /usr/share/balsa # Add "pinentry-curses,pinentry-emacs,pinentry-fltk,pinentry-gnome3,pinentry-gtk,pinentry-gtk2,pinentry-gtk-2,pinentry-qt,pinentry-qt4,pinentry-tty,pinentry-x2go,pinentry-kwallet" for gpg. -private-bin balsa,balsa-ab,gpg,gpg-agent,gpg2,gpgsm +#private-bin balsa,balsa-ab,gpg,gpg-agent,gpg2,gpgsm dbus-user.own org.desktop.Balsa -- cgit v1.2.3-70-g09d2
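Review bot: Commenting out `private-bin` removes the executable restriction for every balsa user in order to support hyperlink opening, and the profile itself gives no reason for the disabled line; the pinentry comment directly above it now refers to a directive that is off. I would put the rationale from the commit message next to it, e.g. `# private-bin is disabled: opening hyperlinks needs xdg-open and its helper commands. Add the line below to balsa.local to restore it.` The first commit in this series keeps `include disable-shell.inc` in balsa.profile, so it is worth confirming that the hyperlink workflow named in the message (bash, sh, xdg-open) works with the shipped profile rather than only with local overrides.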