From 5532fbdb9749c5333ac03152f8c94fd364182d32 Mon Sep 17 00:00:00 2001
From: kortewegdevries
Date: Sat, 29 Aug 2020 06:44:22 +0000
Subject: Switch kmail to whitelisting

---
 etc/profile-a-l/evolution.profile | 2 +
 etc/profile-a-l/kmail.profile | 77 +++++++++++++++++++++++++++++++++++++--
 2 files changed, 76 insertions(+), 3 deletions(-)

(limited to 'etc')

diff --git a/etc/profile-a-l/evolution.profile b/etc/profile-a-l/evolution.profile
index 2967218c7..4f0ebf630 100644
--- a/etc/profile-a-l/evolution.profile
+++ b/etc/profile-a-l/evolution.profile
@@ -39,6 +39,7 @@ whitelist ${HOME}/.cache/evolution
 whitelist ${HOME}/.config/evolution
 whitelist ${HOME}/.local/share/evolution
 whitelist ${HOME}/.local/share/pki
+whitelist ${DOCUMENTS}
 whitelist ${DOWNLOADS}
 whitelist ${RUNUSER}/gnupg
 whitelist /usr/share/evolution
@@ -70,6 +71,7 @@ shell none
 tracelog
 # disable-mnt
+# Add "gpg,gpg2,gpg-agent,pinentry-curses,pinentry-emacs,pinentry-fltk,pinentry-gnome3,pinentry-gtk,pinentry-gtk2,pinentry-gtk-2,pinentry-qt,pinentry-qt4,pinentry-tty,pinentry-x2go,pinentry-kwallet" for gpg
 # private-bin evolution
 private-cache
 private-dev
diff --git a/etc/profile-a-l/kmail.profile b/etc/profile-a-l/kmail.profile
index ab4ff10b9..635f698a8 100644
--- a/etc/profile-a-l/kmail.profile
+++ b/etc/profile-a-l/kmail.profile
@@ -9,6 +9,9 @@ include globals.local
 # kmail has problems launching akonadi in debian and ubuntu.
 # one solution is to have akonadi already running when kmail is started
+noblacklist ${HOME}/.gnupg
+# noblacklist ${HOME}/.kde/
+# noblacklist ${HOME}/.kde4/
 noblacklist ${HOME}/.cache/akonadi*
 noblacklist ${HOME}/.cache/kmail2
 noblacklist ${HOME}/.config/akonadi*
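Review bot: `whitelist ${DOCUMENTS}` in the evolution hunk at @@ -39 exposes the user's whole Documents tree read-write to a network-facing client that parses untrusted mail, and nothing in the hunk records why the profile is being widened. If the need is only picking attachments, `read-only ${DOCUMENTS}` placed after the whitelist keeps that use while denying writes to the directory; if write access really is needed, a one-line comment such as `# ${DOCUMENTS} is whitelisted so attachments can be chosen and saved there` should say so. The same line is added to kmail.profile later in this patch, so whatever is decided should be applied to both profiles.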
@@ -19,7 +22,6 @@ noblacklist ${HOME}/.config/kmail2rc
 noblacklist ${HOME}/.config/kmailsearchindexingrc
 noblacklist ${HOME}/.config/mailtransports
 noblacklist ${HOME}/.config/specialmailcollectionsrc
-noblacklist ${HOME}/.gnupg
 noblacklist ${HOME}/.local/share/akonadi*
 noblacklist ${HOME}/.local/share/apps/korganizer
 noblacklist ${HOME}/.local/share/contacts
@@ -30,6 +32,8 @@ noblacklist ${HOME}/.local/share/kxmlgui5/kmail2
 noblacklist ${HOME}/.local/share/local-mail
 noblacklist ${HOME}/.local/share/notes
 noblacklist /tmp/akonadi-*
+noblacklist /var/mail
+noblacklist /var/spool/mail
 include disable-common.inc
 include disable-devel.inc
@@ -37,10 +41,72 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-xdg.inc
+mkdir ${HOME}/.gnupg
+# mkdir ${HOME}/.kde/
+# mkdir ${HOME}/.kde4/
+mkdir ${HOME}/.cache/akonadi*
+mkdir ${HOME}/.cache/kmail2
+mkdir ${HOME}/.config/akonadi*
+mkdir ${HOME}/.config/baloorc
+mkdir ${HOME}/.config/emaildefaults
+mkdir ${HOME}/.config/emailidentities
+mkdir ${HOME}/.config/kmail2rc
+mkdir ${HOME}/.config/kmailsearchindexingrc
+mkdir ${HOME}/.config/mailtransports
+mkdir ${HOME}/.config/specialmailcollectionsrc
+mkdir ${HOME}/.local/share/akonadi*
+mkdir ${HOME}/.local/share/apps/korganizer
+mkdir ${HOME}/.local/share/contacts
+mkdir ${HOME}/.local/share/emailidentities
+mkdir ${HOME}/.local/share/kmail2
+mkdir ${HOME}/.local/share/kxmlgui5/kmail
+mkdir ${HOME}/.local/share/kxmlgui5/kmail2
+mkdir ${HOME}/.local/share/local-mail
+mkdir ${HOME}/.local/share/notes
+mkdir /tmp/akonadi-*
+whitelist ${HOME}/.gnupg
+# whitelist ${HOME}/.kde/
+# whitelist ${HOME}/.kde4/
+whitelist ${HOME}/.cache/akonadi*
+whitelist ${HOME}/.cache/kmail2
+whitelist ${HOME}/.config/akonadi*
+whitelist ${HOME}/.config/baloorc
+whitelist ${HOME}/.config/emaildefaults
+whitelist ${HOME}/.config/emailidentities
+whitelist ${HOME}/.config/kmail2rc
+whitelist ${HOME}/.config/kmailsearchindexingrc
+whitelist ${HOME}/.config/mailtransports
+whitelist ${HOME}/.config/specialmailcollectionsrc
+whitelist ${HOME}/.local/share/akonadi*
+whitelist ${HOME}/.local/share/apps/korganizer
+whitelist ${HOME}/.local/share/contacts
+whitelist ${HOME}/.local/share/emailidentities
+whitelist ${HOME}/.local/share/kmail2
+whitelist ${HOME}/.local/share/kxmlgui5/kmail
+whitelist ${HOME}/.local/share/kxmlgui5/kmail2
+whitelist ${HOME}/.local/share/local-mail
+whitelist ${HOME}/.local/share/notes
+whitelist ${DOWNLOADS}
+whitelist ${DOCUMENTS}
+whitelist ${RUNUSER}/gnupg
+whitelist /tmp/akonadi-*
+whitelist /usr/share/akonadi
+whitelist /usr/share/gnupg
+whitelist /usr/share/gnupg2
+whitelist /usr/share/kconf_update
+whitelist /usr/share/kf5
+whitelist /usr/share/kservices5
+whitelist /usr/share/qlogging-categories5
+whitelist /var/mail
+whitelist /var/spool/mail
+include whitelist-common.inc
+include whitelist-runnuser-common.inc
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
-# apparmor
+apparmor
 caps.drop all
 netfilter
 nodvd
@@ -56,7 +122,12 @@ protocol unix,inet,inet6,netlink
 seccomp !chroot,!io_getevents,!io_setup,!io_submit,!ioprio_set
 # tracelog
+private-cache
 private-dev
+private-etc alternatives,ca-certificates,crypto-policies,dconf,drirc,fonts,gcrypt,gtk-2.0,gtk-3.0,groups,hostname,hosts,ld.so.preload,ld.so.cache,mailname,nsswitch.conf,passwd,pki,resolv.conf,selinux,ssl,xdg
 # private-tmp - interrupts connection to akonadi, breaks opening of email attachments
-# writable-run-user is needed for signing and encrypting emails
 writable-run-user
+writable-var
+
+# dbus-user none
+dbus-system none
--
cgit v1.2.3-70-g09d2
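Review bot: `include whitelist-runnuser-common.inc` near the end of the @@ -37 hunk looks like a typo for `whitelist-runuser-common.inc`, the name firejail ships; as written the include points at a file that does not exist, which presumably either aborts the profile load or silently drops the ${RUNUSER} whitelisting, so a one-character fix is needed before this lands. Separately, the `mkdir` lines for `baloorc`, `emaildefaults`, `emailidentities`, `kmail2rc`, `kmailsearchindexingrc`, `mailtransports` and `specialmailcollectionsrc` under ${HOME}/.config name what appear to be KDE rc files rather than directories; creating a directory at a path the application expects to write a file to would break saving those settings, and `mkfile` is the directive for that case. The `mkdir` entries that carry a glob (`${HOME}/.cache/akonadi*`, `${HOME}/.config/akonadi*`, `${HOME}/.local/share/akonadi*`, `/tmp/akonadi-*`) should also be checked, since `whitelist` expands globs but I do not believe `mkdir` does, so these may create literal `akonadi*` directories. Finally, `whitelist ${HOME}/.gnupg` gives the mail client read-write access to the whole GnuPG home including `private-keys-v1.d`; with the agent socket under ${RUNUSER}/gnupg already whitelisted, a `read-only ${HOME}/.gnupg/private-keys-v1.d` line would limit what a compromised client can alter, if the signing/encryption flow tolerates it.
```conf
include disable-xdg.inc
mkdir ${HOME}/.gnupg
# … unchanged: remaining mkdir lines for real directories …
mkfile ${HOME}/.config/baloorc
mkfile ${HOME}/.config/emaildefaults
mkfile ${HOME}/.config/emailidentities
mkfile ${HOME}/.config/kmail2rc
mkfile ${HOME}/.config/kmailsearchindexingrc
mkfile ${HOME}/.config/mailtransports
mkfile ${HOME}/.config/specialmailcollectionsrc
# … unchanged: whitelist lines …
include whitelist-common.inc
include whitelist-runuser-common.inc
include whitelist-usr-share-common.inc
```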
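Review bot: Dropping `# writable-run-user is needed for signing and encrypting emails` in the @@ -56 hunk removes the only explanation for a directive that is kept, and the new `writable-var` directly below it arrives without any; the next maintainer tightening the profile will have no recorded reason not to delete both. Restore the original comment above `writable-run-user` and add one above `writable-var`, for example `# writable-var is needed for the /var/mail and /var/spool/mail whitelists above` (the spool whitelists added earlier in this patch look like the motivation, but confirm before writing that). It is also worth stating why `dbus-user none` stays commented out while `dbus-system none` is enabled, e.g. `# dbus-user none breaks akonadi` if that is the case, rather than leaving the disabled line unexplained.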