From 6c4f97a3cd80779faedacd1424f66227ef38eba9 Mon Sep 17 00:00:00 2001
From: kortewegdevries
Date: Fri, 28 Aug 2020 11:37:57 +0000
Subject: Switch Evolution to whitelisting
---
 etc/profile-a-l/evolution.profile | 60 +++++++++++++++++++++++++++++++++++----
 1 file changed, 55 insertions(+), 5 deletions(-)
(limited to 'etc')
diff --git a/etc/profile-a-l/evolution.profile b/etc/profile-a-l/evolution.profile
index 422200ffe..17476aaec 100644
--- a/etc/profile-a-l/evolution.profile
+++ b/etc/profile-a-l/evolution.profile
@@ -6,15 +6,16 @@ include evolution.local
 # Persistent global definitions
 include globals.local
 
-noblacklist /var/mail
-noblacklist /var/spool/mail
 noblacklist ${HOME}/.bogofilter
+# Uncomment for gpg
+# noblacklist ${HOME}/.gnupg
+noblacklist ${HOME}/.pki
 noblacklist ${HOME}/.cache/evolution
 noblacklist ${HOME}/.config/evolution
-noblacklist ${HOME}/.gnupg
 noblacklist ${HOME}/.local/share/evolution
-noblacklist ${HOME}/.pki
 noblacklist ${HOME}/.local/share/pki
+noblacklist /var/mail
+noblacklist /var/spool/mail
 
 include disable-common.inc
 include disable-devel.inc
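Review bot: The gpg toggle introduced here with `# Uncomment for gpg` / `# noblacklist ${HOME}/.gnupg` is repeated in the second hunk (the mkdir and whitelist lines, `${RUNUSER}/gnupg`, `/usr/share/gnupg*`) and in the third (the private-bin comment), while the third hunk also adds `read-only ${HOME}/.gnupg` with the opposite instruction, `# Comment to use gpg`. A user who follows only the "Uncomment" comments ends up with a whitelisted but read-only `~/.gnupg`; gpg writes lock files and its trust database there, so signing and decryption would presumably still fail. While the gpg lines stay commented, `${HOME}/.gnupg` is not whitelisted and so should not be visible inside the sandbox at all, which would make the read-only rule a no-op in the default configuration — worth confirming. I would put one comment at the top of this group that spells out every step, e.g. `# gpg support: uncomment every line marked "gpg" in this file and comment out "read-only ${HOME}/.gnupg" at the end`, and drop the scattered per-line repeats.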
@@ -22,13 +23,44 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
 
+mkdir ${HOME}/.bogofilter
+# Uncomment for gpg
+# mkdir ${HOME}/.gnupg
+mkdir ${HOME}/.pki
+mkdir ${HOME}/.cache/evolution
+mkdir ${HOME}/.config/evolution
+mkdir ${HOME}/.local/share/evolution
+mkdir ${HOME}/.local/share/pki
+whitelist ${HOME}/.bogofilter
+# Uncomment for gpg
+# whitelist ${HOME}/.gnupg
+whitelist ${HOME}/.pki
+whitelist ${HOME}/.cache/evolution
+whitelist ${HOME}/.config/evolution
+whitelist ${HOME}/.local/share/evolution
+whitelist ${HOME}/.local/share/pki
+whitelist ${DOWNLOADS}
+# Uncomment for gpg
+# whitelist ${RUNUSER}/gnupg
+whitelist /usr/share/evolution
+# Uncomment for gpg
+# whitelist /usr/share/gnupg
+# whitelist /usr/share/gnupg2
+whitelist /var/mail
+whitelist /var/spool/mail
+include whitelist-common.inc
 include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 netfilter
 # no3d breaks under wayland
-#no3d
+# no3d
 nodvd
 nogroups
 nonewprivs
@@ -40,7 +72,25 @@ novideo
 protocol unix,inet,inet6
 seccomp
 shell none
+tracelog
 
+disable-mnt
+# Add "gpg,gpg2,gpg-agent,pinentry-curses,pinentry-emacs,pinentry-fltk,pinentry-gnome3,pinentry-gtk,pinentry-gtk2,pinentry-gtk-2,pinentry-qt,pinentry-qt4,pinentry-tty,pinentry-x2go,pinentry-kwallet" for gpg
+private-bin evolution
+private-cache
 private-dev
+private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,gtk-2.0,gtk-3.0,groups,hostname,hosts,mailname,passwd,pki,resolv.conf,selinux,ssl,xdg
 private-tmp
+writable-run-user
 writable-var
+
+dbus-user filter
+dbus-user.own org.gnome.Evolution
+dbus-user.talk ca.desrt.dconf
+# Uncomment to have keyring access
+# dbus-user.talk org.freedesktop.secrets
+dbus-user.talk org.freedesktop.Notifications
+dbus-system none
+
+# Comment to use gpg
+read-only ${HOME}/.gnupg
-- 
cgit v1.2.3-54-g00ecf
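Review bot: The new `dbus-user filter` allow-list names only dconf and Notifications, but Evolution obtains its accounts, calendars and address books from the evolution-data-server factories over the session bus, so with this filter those services look unreachable from inside the sandbox and the client presumably starts with no accounts — confirm against a running instance before merging. If that is the case, add `dbus-user.talk org.gnome.evolution.dataserver.*` next to the dconf rule; the filter still blocks every other name on the bus, which is the point of the change. The commented `# dbus-user.talk org.freedesktop.secrets` deserves one more sentence in its comment, for example `# without this, saved account passwords are not available and Evolution asks for them on each start`, since the default silently drops a feature users will otherwise attribute to Evolution itself.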