Revert "Merge pull request #3607 from kortewegdevries/wemail"
This reverts commit bd1819a864, reversing changes made to 807af3dce0. The whole PR looks like a single crap, it is not even syntactically correct. Has anyone at least started kmail with this profile before it was merged? See #3979, thanks @creideiki for reporting. > First, there are syntax errors. Several mkdir lines have file names containing asterisks. > This gives the following error: > > Error: "${HOME}/.cache/akonadi*" is an invalid filename: rejected character: "*" > > I am not sure what they intend to do, but whatever it is it's not working. > Especially confusing is the line > > mkdir /tmp/akonadi-* > > Yes, Akonadi creates a directory in /tmp, but its name is random and seems to have been created > using mkstemp(3) or similar. I'm not sure how Firejail is supposed to be able to pre-create it. > > Removing the asterisks makes Firejail at least accept the profile syntactically and try to run > the program. It is rejected by syntax. Has anyone tested? > At startup, Firejail now prints the following warning: > > *** > *** Warning: cannot whitelist ${DOCUMENTS} directory > *** Any file saved in this directory will be lost when the sandbox is closed. > *** Why was 'include disable-xdg.inc' added together with 'whitelist ${DOCUMENTS}', but no 'noblacklist ${DOCUMENTS}'? It can not work. > The actual error is that PostgreSQL needs access to /usr/lib64/postgresql-13/ in order to run. > Adding the following line to kmail.profile fixes that: > > whitelist /usr/share/postgresql* Again, has anyone tested this? > The next problem is this message on the console: > > kf.config.core: Couldn't write "/home/creideiki/.config/kmail2rc" . Disk full? 
> > Which may have something to do with the profile creating a directory with that name: > > mkdir ${HOME}/.config/kmail2rc > > when it's supposed to be a file: > > $ stat ~/.config/kmail2rc > File: /home/creideiki/.config/kmail2rc > Size: 24660 Blocks: 56 IO Block: 4096 regular file Has anyone tested this or is this just a blind copy of the noblacklist from above with noblacklist replaced by mkdir? > However, the error message > > kf.config.core: Couldn't write "/home/creideiki/.config/kmail2rc" . Disk full? > > still appears. Looks like #1793. HAS ANYONE TESTED THIS PROFILE??! > Finally, when exiting KMail, it crashes with a SIGSEGV: > > *** KMail got signal 11 (Exiting) > *** Dead letters dumped. > KCrash: crashing... crashRecursionCounter = 2 > KCrash: Application Name = kmail path = /usr/bin pid = 20 > KCrash: Arguments: /usr/bin/kmail Has any... > I tried restoring an older kmail.profile, from commit 319f2dc, and it has none of the above problems. ... I give up asking if anyone tested this. > Given the multitude of problems with commit 5532fbd, I'd suggest reverting it until it can be fixed. Yes, definitely.
This commit is contained in:
parent
7d0b11a084
commit
bb9107e2ae
2 changed files with 11 additions and 136 deletions
|
|
@ -6,16 +6,15 @@ include evolution.local
|
|||
# Persistent global definitions
|
||||
include globals.local
|
||||
|
||||
noblacklist ${HOME}/.bogofilter
|
||||
noblacklist ${HOME}/.gnupg
|
||||
noblacklist ${HOME}/.mozilla
|
||||
noblacklist ${HOME}/.pki
|
||||
noblacklist ${HOME}/.cache/evolution
|
||||
noblacklist ${HOME}/.config/evolution
|
||||
noblacklist ${HOME}/.local/share/evolution
|
||||
noblacklist ${HOME}/.local/share/pki
|
||||
noblacklist /var/mail
|
||||
noblacklist /var/spool/mail
|
||||
noblacklist ${HOME}/.bogofilter
|
||||
noblacklist ${HOME}/.cache/evolution
|
||||
noblacklist ${HOME}/.config/evolution
|
||||
noblacklist ${HOME}/.gnupg
|
||||
noblacklist ${HOME}/.local/share/evolution
|
||||
noblacklist ${HOME}/.pki
|
||||
noblacklist ${HOME}/.local/share/pki
|
||||
|
||||
include disable-common.inc
|
||||
include disable-devel.inc
|
||||
|
|
@ -23,42 +22,13 @@ include disable-exec.inc
|
|||
include disable-interpreters.inc
|
||||
include disable-passwdmgr.inc
|
||||
include disable-programs.inc
|
||||
include disable-shell.inc
|
||||
include disable-xdg.inc
|
||||
|
||||
mkdir ${HOME}/.bogofilter
|
||||
mkdir ${HOME}/.gnupg
|
||||
mkdir ${HOME}/.pki
|
||||
mkdir ${HOME}/.cache/evolution
|
||||
mkdir ${HOME}/.config/evolution
|
||||
mkdir ${HOME}/.local/share/evolution
|
||||
mkdir ${HOME}/.local/share/pki
|
||||
whitelist ${HOME}/.bogofilter
|
||||
whitelist ${HOME}/.gnupg
|
||||
whitelist ${HOME}/.mozilla/firefox/profiles.ini
|
||||
whitelist ${HOME}/.pki
|
||||
whitelist ${HOME}/.cache/evolution
|
||||
whitelist ${HOME}/.config/evolution
|
||||
whitelist ${HOME}/.local/share/evolution
|
||||
whitelist ${HOME}/.local/share/pki
|
||||
whitelist ${DOCUMENTS}
|
||||
whitelist ${DOWNLOADS}
|
||||
whitelist ${RUNUSER}/gnupg
|
||||
whitelist /usr/share/evolution
|
||||
whitelist /usr/share/gnupg
|
||||
whitelist /usr/share/gnupg2
|
||||
whitelist /var/mail
|
||||
whitelist /var/spool/mail
|
||||
include whitelist-common.inc
|
||||
include whitelist-runuser-common.inc
|
||||
include whitelist-usr-share-common.inc
|
||||
include whitelist-var-common.inc
|
||||
|
||||
apparmor
|
||||
caps.drop all
|
||||
netfilter
|
||||
# no3d breaks under wayland
|
||||
# no3d
|
||||
#no3d
|
||||
nodvd
|
||||
nogroups
|
||||
nonewprivs
|
||||
|
|
@ -70,27 +40,7 @@ novideo
|
|||
protocol unix,inet,inet6
|
||||
seccomp
|
||||
shell none
|
||||
tracelog
|
||||
|
||||
# disable-mnt
|
||||
# Add "gpg,gpg2,gpg-agent,pinentry-curses,pinentry-emacs,pinentry-fltk,pinentry-gnome3,pinentry-gtk,pinentry-gtk2,pinentry-gtk-2,pinentry-qt,pinentry-qt4,pinentry-tty,pinentry-x2go,pinentry-kwallet" for gpg
|
||||
# To use private-bin add all evolution,gpg,pinentry binaries and follow firefox.profile for hyperlink support
|
||||
# private-bin evolution
|
||||
private-cache
|
||||
private-dev
|
||||
private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,groups,gtk-2.0,gtk-3.0,hostname,hosts,mailname,passwd,pki,resolv.conf,selinux,ssl,xdg
|
||||
private-tmp
|
||||
writable-run-user
|
||||
writable-var
|
||||
|
||||
dbus-user filter
|
||||
dbus-user.own org.gnome.Evolution
|
||||
dbus-user.talk ca.desrt.dconf
|
||||
# Uncomment to have keyring access
|
||||
# dbus-user.talk org.freedesktop.secrets
|
||||
dbus-user.talk org.gnome.keyring.SystemPrompter
|
||||
dbus-user.talk org.gnome.OnlineAccounts
|
||||
dbus-user.talk org.freedesktop.Notifications
|
||||
dbus-system none
|
||||
|
||||
read-only ${HOME}/.mozilla/firefox/profiles.ini
|
||||
|
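Review bot: The evolution.profile section loses its whitelist set and its `dbus-user filter` rules even though every problem in the commit message is a kmail.profile problem. The hunk counts (42 old lines to 13 new, 27 old to 7 new) suggest the `whitelist ${HOME}/...` through `include whitelist-var-common.inc` run and the `dbus-user filter` / `dbus-user.own` / `dbus-user.talk` lines are on the removed side, which would leave evolution with full home access and an unfiltered session bus again; the rendered page does not show markers, so please confirm which side they are on. If that is the case, consider reverting only kmail.profile, or at least stating in the message that evolution's whitelisting and D-Bus filtering are being dropped so it is not mistaken for a bug-only revert.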
|
|
|||
|
|
@ -9,10 +9,6 @@ include globals.local
|
|||
# kmail has problems launching akonadi in debian and ubuntu.
|
||||
# one solution is to have akonadi already running when kmail is started
|
||||
|
||||
noblacklist ${HOME}/.gnupg
|
||||
# noblacklist ${HOME}/.kde/
|
||||
# noblacklist ${HOME}/.kde4/
|
||||
noblacklist ${HOME}/.mozilla
|
||||
noblacklist ${HOME}/.cache/akonadi*
|
||||
noblacklist ${HOME}/.cache/kmail2
|
||||
noblacklist ${HOME}/.config/akonadi*
|
||||
|
|
@ -23,6 +19,7 @@ noblacklist ${HOME}/.config/kmail2rc
|
|||
noblacklist ${HOME}/.config/kmailsearchindexingrc
|
||||
noblacklist ${HOME}/.config/mailtransports
|
||||
noblacklist ${HOME}/.config/specialmailcollectionsrc
|
||||
noblacklist ${HOME}/.gnupg
|
||||
noblacklist ${HOME}/.local/share/akonadi*
|
||||
noblacklist ${HOME}/.local/share/apps/korganizer
|
||||
noblacklist ${HOME}/.local/share/contacts
|
||||
|
|
@ -33,8 +30,6 @@ noblacklist ${HOME}/.local/share/kxmlgui5/kmail2
|
|||
noblacklist ${HOME}/.local/share/local-mail
|
||||
noblacklist ${HOME}/.local/share/notes
|
||||
noblacklist /tmp/akonadi-*
|
||||
noblacklist /var/mail
|
||||
noblacklist /var/spool/mail
|
||||
|
||||
include disable-common.inc
|
||||
include disable-devel.inc
|
||||
|
|
@ -42,73 +37,10 @@ include disable-exec.inc
|
|||
include disable-interpreters.inc
|
||||
include disable-passwdmgr.inc
|
||||
include disable-programs.inc
|
||||
include disable-xdg.inc
|
||||
|
||||
mkdir ${HOME}/.gnupg
|
||||
# mkdir ${HOME}/.kde/
|
||||
# mkdir ${HOME}/.kde4/
|
||||
mkdir ${HOME}/.cache/akonadi*
|
||||
mkdir ${HOME}/.cache/kmail2
|
||||
mkdir ${HOME}/.config/akonadi*
|
||||
mkdir ${HOME}/.config/baloorc
|
||||
mkdir ${HOME}/.config/emaildefaults
|
||||
mkdir ${HOME}/.config/emailidentities
|
||||
mkdir ${HOME}/.config/kmail2rc
|
||||
mkdir ${HOME}/.config/kmailsearchindexingrc
|
||||
mkdir ${HOME}/.config/mailtransports
|
||||
mkdir ${HOME}/.config/specialmailcollectionsrc
|
||||
mkdir ${HOME}/.local/share/akonadi*
|
||||
mkdir ${HOME}/.local/share/apps/korganizer
|
||||
mkdir ${HOME}/.local/share/contacts
|
||||
mkdir ${HOME}/.local/share/emailidentities
|
||||
mkdir ${HOME}/.local/share/kmail2
|
||||
mkdir ${HOME}/.local/share/kxmlgui5/kmail
|
||||
mkdir ${HOME}/.local/share/kxmlgui5/kmail2
|
||||
mkdir ${HOME}/.local/share/local-mail
|
||||
mkdir ${HOME}/.local/share/notes
|
||||
mkdir /tmp/akonadi-*
|
||||
whitelist ${HOME}/.gnupg
|
||||
# whitelist ${HOME}/.kde/
|
||||
# whitelist ${HOME}/.kde4/
|
||||
whitelist ${HOME}/.mozilla/firefox/profiles.ini
|
||||
whitelist ${HOME}/.cache/akonadi*
|
||||
whitelist ${HOME}/.cache/kmail2
|
||||
whitelist ${HOME}/.config/akonadi*
|
||||
whitelist ${HOME}/.config/baloorc
|
||||
whitelist ${HOME}/.config/emaildefaults
|
||||
whitelist ${HOME}/.config/emailidentities
|
||||
whitelist ${HOME}/.config/kmail2rc
|
||||
whitelist ${HOME}/.config/kmailsearchindexingrc
|
||||
whitelist ${HOME}/.config/mailtransports
|
||||
whitelist ${HOME}/.config/specialmailcollectionsrc
|
||||
whitelist ${HOME}/.local/share/akonadi*
|
||||
whitelist ${HOME}/.local/share/apps/korganizer
|
||||
whitelist ${HOME}/.local/share/contacts
|
||||
whitelist ${HOME}/.local/share/emailidentities
|
||||
whitelist ${HOME}/.local/share/kmail2
|
||||
whitelist ${HOME}/.local/share/kxmlgui5/kmail
|
||||
whitelist ${HOME}/.local/share/kxmlgui5/kmail2
|
||||
whitelist ${HOME}/.local/share/local-mail
|
||||
whitelist ${HOME}/.local/share/notes
|
||||
whitelist ${DOWNLOADS}
|
||||
whitelist ${DOCUMENTS}
|
||||
whitelist ${RUNUSER}/gnupg
|
||||
whitelist /tmp/akonadi-*
|
||||
whitelist /usr/share/akonadi
|
||||
whitelist /usr/share/gnupg
|
||||
whitelist /usr/share/gnupg2
|
||||
whitelist /usr/share/kconf_update
|
||||
whitelist /usr/share/kf5
|
||||
whitelist /usr/share/kservices5
|
||||
whitelist /usr/share/qlogging-categories5
|
||||
whitelist /var/mail
|
||||
whitelist /var/spool/mail
|
||||
include whitelist-common.inc
|
||||
include whitelist-runuser-common.inc
|
||||
include whitelist-usr-share-common.inc
|
||||
include whitelist-var-common.inc
|
||||
|
||||
apparmor
|
||||
# apparmor
|
||||
caps.drop all
|
||||
netfilter
|
||||
nodvd
|
||||
|
|
@ -124,14 +56,7 @@ protocol unix,inet,inet6,netlink
|
|||
seccomp !chroot,!io_getevents,!io_setup,!io_submit,!ioprio_set
|
||||
# tracelog
|
||||
|
||||
private-cache
|
||||
private-dev
|
||||
private-etc alternatives,ca-certificates,crypto-policies,dconf,drirc,fonts,gcrypt,groups,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.preload,mailname,nsswitch.conf,passwd,pki,resolv.conf,selinux,ssl,xdg
|
||||
# private-tmp - interrupts connection to akonadi, breaks opening of email attachments
|
||||
# writable-run-user is needed for signing and encrypting emails
|
||||
writable-run-user
|
||||
writable-var
|
||||
|
||||
# dbus-user none
|
||||
dbus-system none
|
||||
|
||||
read-only ${HOME}/.mozilla/firefox/profiles.ini
|
||||
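Review bot: The only addition in the large kmail.profile hunk is the `apparmor` / `# apparmor` swap, and the page does not show which of the two survives; if the revert lands the commented form, AppArmor confinement for kmail is dropped together with the broken `mkdir`/`whitelist` lines, which the bug report does not ask for. Please confirm the surviving line, and if it is `# apparmor`, either keep `apparmor` in the reverted file or name the hardening loss in the commit message. The `noblacklist ${HOME}/.cache/akonadi*`-style globs that remain are accepted by noblacklist, so the syntax complaint applies only to the `mkdir` lines being removed.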