[GH-ISSUE #3718] KDE Kontact: configuring Google calendar, tasks and Contacts not possible #2342

Closed
opened 2026-05-05 09:01:43 -06:00 by gitea-mirror · 9 comments

Originally created by @MrFrank17 on GitHub (Nov 1, 2020).
Original GitHub issue: https://github.com/netblue30/firejail/issues/3718

I have some issues using KDE Kontact with the standard firejail setup. It is not easy for me to reproduce these glitches, but here is one:

When adding or configuring the existing Google account
Screenshot_20201101_224337
this dialog pops up
Screenshot_20201101_224412
Once everything is set up, I cannot close that dialog with "OK" with firejail in place. After removing firejail (with `firecfg --clean`) and a restart it is possible.

Using Kubuntu 20.10. default installation.
firejail version 0.9.62.4


@rusty-snake commented on GitHub (Nov 2, 2020):

There is no kontact profile, so it would be interesting which sandbox is started. Watch `sudo firemon` in a terminal. Also watch your syslog `journalctl --boot --pager-end --follow`.


@MrFrank17 commented on GitHub (Nov 2, 2020):

Quite embarrassing, but I cannot make it fail today - I'll keep on trying ...

The communication to Google seems to be handled by akonadi (output of `firemon`):

```
1667:frank::/usr/bin/firejail /usr/bin/akonadi_control
1670:frank::/usr/bin/firejail /usr/bin/akonadi_control
1677:frank::/usr/bin/akonadi_control
1709:frank::/usr/bin/akonadiserver
1726:frank::/usr/sbin/mysqld-akonadi --defaults-file=/home/frank/.local/share/akonadi/mysql.conf --datadir=/home/frank/.local/share/akonadi/db_data/ --socket=/run/user/
1786:frank::/usr/bin/akonadi_akonotes_resource --identifier akonadi_akonotes_resource_0
1787:frank::/usr/bin/akonadi_archivemail_agent --identifier akonadi_archivemail_agent
1788:frank::/usr/bin/akonadi_contacts_resource --identifier akonadi_contacts_resource_0
1789:frank::/usr/bin/akonadi_followupreminder_agent --identifier akonadi_followupreminder_agent
1791:frank::/usr/bin/akonadi_google_resource --identifier akonadi_google_resource_1
1793:frank::/usr/bin/akonadi_imap_resource --identifier akonadi_imap_resource_0
1795:frank::/usr/bin/akonadi_indexing_agent --identifier akonadi_indexing_agent
1800:frank::/usr/bin/akonadi_maildir_resource --identifier akonadi_maildir_resource_0
1802:frank::/usr/bin/akonadi_maildispatcher_agent --identifier akonadi_maildispatcher_agent
1803:frank::/usr/bin/akonadi_mailfilter_agent --identifier akonadi_mailfilter_agent
1806:frank::/usr/bin/akonadi_migration_agent --identifier akonadi_migration_agent
1808:frank::/usr/bin/akonadi_newmailnotifier_agent --identifier akonadi_newmailnotifier_agent
1810:frank::/usr/bin/akonadi_notes_agent --identifier akonadi_notes_agent
1811:frank::/usr/bin/akonadi_sendlater_agent --identifier akonadi_sendlater_agent
1813:frank::/usr/bin/akonadi_unifiedmailbox_agent --identifier akonadi_unifiedmailbox_agent
```

Also it seems there is an access violation, which, however, is not affecting me:

```
Nov 02 21:07:26 frank-laptop firejail[6223]: blacklist violation - sandbox 1667, exe akonadi_google_, syscall access, path /home/frank/.config/kwalletrc
```

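Added example, not part of the original thread: a way to tie each `blacklist violation` journal line back to the sandbox that `firemon` lists, using the line formats quoted in the comment above. The sample text is constructed (the second sandbox, `example_app` and its path are made up), and the function names are illustrative.

```python
import re
from collections import Counter

# Constructed sample input, shaped like the firemon and journal lines quoted above.
FIREMON = """\
1667:frank::/usr/bin/firejail /usr/bin/akonadi_control
1677:frank::/usr/bin/akonadi_control
1791:frank::/usr/bin/akonadi_google_resource --identifier akonadi_google_resource_1
"""
JOURNAL = """\
Nov 02 21:07:26 frank-laptop firejail[6223]: blacklist violation - sandbox 1667, exe akonadi_google_, syscall access, path /home/frank/.config/kwalletrc
Nov 02 21:09:41 frank-laptop firejail[6301]: blacklist violation - sandbox 1667, exe akonadi_google_, syscall access, path /home/frank/.config/kwalletrc
Nov 02 21:10:02 frank-laptop systemd[1]: Started Session 3 of user frank.
Nov 02 21:11:15 frank-laptop firejail[6422]: blacklist violation - sandbox 4242, exe example_app, syscall open, path /home/frank/.ssh
"""

# pid:user:name:command, as in the firemon listing above (name may be empty).
FIREMON_RE = re.compile(r"^\s*(\d+):([^:]*):([^:]*):(.*)$")
VIOLATION_RE = re.compile(
    r"blacklist violation - sandbox (\d+), exe (\S+), syscall (\S+), path (.+)$"
)

def parse_firemon(text):
    """Map PID -> command line for every process line firemon printed."""
    procs = {}
    for line in text.splitlines():
        m = FIREMON_RE.match(line)
        if m:
            procs[int(m.group(1))] = m.group(4).strip()
    return procs

def summarize_violations(firemon_text, journal_text):
    """Count violations per (sandbox command, exe, syscall, path)."""
    procs = parse_firemon(firemon_text)
    counts = Counter()
    for line in journal_text.splitlines():
        m = VIOLATION_RE.search(line)
        if not m:
            continue  # unrelated journal line
        sandbox = int(m.group(1))
        # A sandbox that has already exited is no longer listed by firemon.
        owner = procs.get(sandbox, f"<sandbox {sandbox} not in firemon output>")
        counts[(owner, m.group(2), m.group(3), m.group(4))] += 1
    return sorted((*key, n) for key, n in counts.items())
```

The repeated path in the summary is the candidate for a `noblacklist` line in a `.local` override, if the blocked access turns out to matter.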

@MrFrank17 commented on GitHub (Nov 6, 2020):

I had a bit more time to have a look, but I could not reproduce my original problem.
Another problem seems to be within Kontact: deleting a task or a contact is not synced to my Google account. But this is also the case without firejail running, so this is Kontact related.
Sorry for falsely blaming firejail ...


@MrFrank17 commented on GitHub (Nov 13, 2020):

A follow up question:

You already mentioned that there is no profile for Kontact, however, there is one for KMail, which is correctly used if KMail is separately started (as it should be). As KMail is embedded within Kontact (same with KNotes): should there be a firejail profile for Kontact, which (re-)uses the profiles of all the embedded components? I checked with `sudo firemon` and `firejail --list`, but the KMail profile is not used when Kontact is started.


@rusty-snake commented on GitHub (Dec 16, 2020):

> should there be a firejail profile for Kontact, which (re-)uses the profiles of all the embedded components?

how do you mean?


@MrFrank17 commented on GitHub (Dec 18, 2020):

Well, basically I wanted to ask if it is technically feasible to include the profiles of kmail & knotes in a new kontact profile ...


@rusty-snake commented on GitHub (Dec 19, 2020):

There are two issues when you create a profile by `including` two other profiles:

1. A profile allows things which are required, but also adds restrictions where possible. For example I already saw things like

   ```
   # Allow foobar
   include foobar.profile
   ```

   The issue is that (A) things in foobar.profile can break your program and (B) commands in your profile can break foobar.
2. Order matters. Even if both profiles are nearly the same, it can fail. A `noblacklist` must come before the `blacklist`, meaning if A.profile and B.profile include disable-programs, B.profile's `noblacklist` has no effect.

---

Now that knotes is a redirect profile to kmail, you can start with this `kontact.profile`:

```
# Firejail profile for kontact
# Description: DESCRIPTION
# This file is overwritten after every install/update
# Persistent local customizations
include kontact.local
# Persistent global definitions
# added by included profile
#include globals.local

#
## kontact specific commands
#

# Redirect
include knotes.profile
```
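Added example, not part of the original thread and not Firejail's own code: a simplified model of the ordering rule in point 2 above, showing why combining two profiles that each include `disable-programs.inc` leaves the second profile's `noblacklist` without effect. The profile names, the `progA`/`progB` paths and the function name are hypothetical, and the model covers only `include`, `noblacklist` and `blacklist`.

```python
# Simplified model (an assumption, not Firejail's parser): lines are read top to
# bottom, includes are expanded in place, and a `blacklist` takes effect unless a
# matching `noblacklist` was already seen.

# Constructed profiles; A.profile, B.profile and the progA/progB paths are hypothetical.
PROFILES = {
    "disable-programs.inc": ["blacklist ${HOME}/.config/progA",
                             "blacklist ${HOME}/.config/progB"],
    "A.profile": ["noblacklist ${HOME}/.config/progA", "include disable-programs.inc"],
    "B.profile": ["noblacklist ${HOME}/.config/progB", "include disable-programs.inc"],
    # Naive combination: B's noblacklist is read after A already pulled in the blacklist.
    "combined-naive.profile": ["include A.profile", "include B.profile"],
    # Corrected: every noblacklist precedes the first include of disable-programs.inc.
    "combined-fixed.profile": ["noblacklist ${HOME}/.config/progA",
                               "noblacklist ${HOME}/.config/progB",
                               "include A.profile", "include B.profile"],
}

def effective_blacklist(name, profiles=PROFILES):
    """Return the sorted paths that end up blacklisted when `name` is loaded."""
    allowed, blocked = set(), set()

    def walk(profile, depth=0):
        if depth > 16:  # guard against include loops in the sample data
            raise RecursionError(f"include depth exceeded at {profile}")
        for raw in profiles[profile]:
            line = raw.split("#", 1)[0].strip()  # drop comments
            if not line:
                continue
            cmd, _, arg = line.partition(" ")
            arg = arg.strip()
            if cmd == "include":
                walk(arg, depth + 1)
            elif cmd == "noblacklist":
                allowed.add(arg)
            elif cmd == "blacklist" and arg not in allowed:
                blocked.add(arg)  # stays blocked even if allowed later

    walk(name)
    return sorted(blocked)
```

In this model `combined-naive.profile` still blocks the `progB` path, while `combined-fixed.profile` blocks neither.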

@MrFrank17 commented on GitHub (Jan 2, 2021):

Thanks, I will give it a try!


@rusty-snake commented on GitHub (Apr 6, 2021):

I'm closing here due to inactivity, please feel free to request to reopen if you still have this issue.
