Configuration for cloud providers is sensitive information; it should be
in the default block list. I didn't see profiles for gcloud or awscli,
so haven't added any exclusions.
boto and kubectl are not provider-specific, but also store credentials for
whichever platforms they happen to be being used with.
the usr.sbin.mysqld-akonadi apparmor profile, enforced by default in ubuntu and
debian testing (and probably opensuse), doesn't play well with a number of firejail options.
the reason for this is that once the no_new_privs bit is set, apparmor profile
transitions are forbidden.
enforcing our own apparmor policy instead is also no solution, because
these programs don't even start without d-bus.
relaxing the kmail profile was necessary so that kmail can fire up akonadi itself,
just in case akonadi has not been started earlier already by another program.
this is always an issue when kmail is the only installed akonadi client, but
there may be more circumstances. for reasons outlined above this doesn't help
debian and ubuntu (opensuse?) users though :-/
a brief summary of the seccomp exceptions: chroot is needed for qt webengine,
io_prioset for the akonadi indexing agent, io_getevents, io_submit, io_setup
are needed for mysqld. when akonadi has an sqlite3 backend, less exceptions
to the seccomp filter are necessary, but mysqld is the default.
in the future all kontact suite profiles (itm only kmail, knotes) should
probably be redirections to akonadi_control, but the issues with apparmor
make this somewhat impractical for now (options like 'protocol' couldn't go to
akonadi_control.local any more, if current kmail redirected to there).
Using Arch Linux (Gnome Shell 3.26.2, Mutter WM, as in [#1711](https://github.com/netblue30/firejail/issues/1711)). After playing with several Gnome apps and `private-lib` conditions, it looks like there's progress to report. I made a few PR's today on the same topic, usually leaving things commented as to leave room for more eyes to double-check. In this case I took the liberty to throw in an uncommented one for eog. Please respond or rectify if this was uncalled for.
