From 151c2b3746f4b0ae1c2150c8b54f9ecb854e95b5 Mon Sep 17 00:00:00 2001
From: glitsj16
Date: Tue, 20 Dec 2022 23:29:44 +0000
Subject: [PATCH 1/6] disable-programs.inc: add ssmtp support

---
 etc/inc/disable-programs.inc | 1 +
 1 file changed, 1 insertion(+)

diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc
index 858a0c9f6c3..cba82f4aad0 100644
--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -2,6 +2,7 @@
 # Persistent customizations should go in a .local file.
 include disable-programs.local
+blacklist /etc/ssmtp
 blacklist ${HOME}/.*coin
 blacklist ${HOME}/.8pecxstudios
 blacklist ${HOME}/.AndroidStudio*

From 56073145a6f0fb276eaa7abbf86742ca87621e21 Mon Sep 17 00:00:00 2001
From: glitsj16
Date: Tue, 20 Dec 2022 23:33:54 +0000
Subject: [PATCH 2/6] Create ssmtp.profile

---
 etc/profile-m-z/ssmtp.profile | 70 +++++++++++++++++++++++++++++++++++
 1 file changed, 70 insertions(+)
 create mode 100644 etc/profile-m-z/ssmtp.profile

diff --git a/etc/profile-m-z/ssmtp.profile b/etc/profile-m-z/ssmtp.profile
new file mode 100644
index 00000000000..ed35d04dc20
--- /dev/null
+++ b/etc/profile-m-z/ssmtp.profile
@@ -0,0 +1,70 @@
+# Firejail profile for ssmtp
+# Description: Extremely simple MTA to get mail off the system to a mailhub
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include ssmtp.local
+# Persistent global definitions
+include globals.local
+
+blacklist ${RUNUSER}
+blacklist /usr/libexec
+
+noblacklist ${DOCUMENTS}
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-proc.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+include disable-X11.inc
+
+mkfile ${HOME}/dead.letter
+whitelist ${HOME}/dead.letter
+whitelist ${DOCUMENTS}
+whitelist ${DOWNLOADS}
+include whitelist-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodvd
+#nogroups breaks app
+noinput
+nonewprivs
+noprinters
+#noroot breaks app
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+seccomp.block-secondary
+tracelog
+
+disable-mnt
+# private works but we loose ${HOME}/dead.letter
+# which is useful to get notified on mail issues
+#private
+private-bin mailq,newaliases,sendmail,ssmtp
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
+restrict-namespaces
+read-only ${HOME}
+read-write ${HOME}/dead.letter

From efb11e62ced7da4082507e0e6f792218f1a7f0f7 Mon Sep 17 00:00:00 2001
From: glitsj16
Date: Tue, 20 Dec 2022 23:39:30 +0000
Subject: [PATCH 3/6] ssmtp: support Debian/Ubuntu

---
 etc/profile-m-z/ssmtp.profile | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/etc/profile-m-z/ssmtp.profile b/etc/profile-m-z/ssmtp.profile
index ed35d04dc20..6266ce68afd 100644
--- a/etc/profile-m-z/ssmtp.profile
+++ b/etc/profile-m-z/ssmtp.profile
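Review bot: The disabled hardening lines `#nogroups breaks app` and `#noroot breaks app` record that the options break ssmtp but not how, so a later maintainer cannot tell whether a change in how a distro packages the ssmtp binary and its config makes them safe to re-enable. I would note the observed failure next to each, e.g. `#nogroups breaks app (TODO: record which group membership ssmtp needs)` and `#noroot breaks app (TODO: record what fails without root)`. The profile also sets no private-etc, so the sandbox sees all of /etc apart from what the included blacklists remove; if testing established which files ssmtp reads, a private-etc line would be the usual way to narrow that, but this hunk does not show which entries are required. Both points concern the new file as a whole, which this hunk contains in full.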
@@ -10,6 +10,11 @@ include globals.local
 blacklist ${RUNUSER}
 blacklist /usr/libexec
+noblacklist /etc/logcheck
+noblacklist /etc/ssmtp
+noblacklist /sbin
+noblacklist /usr/sbin
+
 noblacklist ${DOCUMENTS}
 include disable-common.inc
 include disable-devel.inc

From 86eac884d4f372e6d2c377dd203c9ae87abb5e28 Mon Sep 17 00:00:00 2001
From: glitsj16
Date: Tue, 20 Dec 2022 23:41:59 +0000
Subject: [PATCH 4/6] README.md: add ssmtp to 'New profiles' section

---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index a8b2f5c02f3..39ce41e2268 100644
--- a/README.md
+++ b/README.md
@@ -336,7 +336,7 @@ Stats:
 ### New profiles:
 onionshare, onionshare-cli, opera-developer, songrec, gdu, makedeb, lbry-viewer, tuir,
-cinelerra-gg, tesseract, avidemux3_cli, avidemux3_jobs_qt5, avidemux3_qt5,
+cinelerra-gg, tesseract, avidemux3_cli, avidemux3_jobs_qt5, avidemux3_qt5, ssmtp

From 54394daad4a038cfda8f02e1cde963e072676cf4 Mon Sep 17 00:00:00 2001
From: glitsj16
Date: Tue, 20 Dec 2022 23:55:10 +0000
Subject: [PATCH 5/6] disable-common.inc: move ssmtp support to keep CI happy

---
 etc/inc/disable-programs.inc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc
index cba82f4aad0..b52bcaa1117 100644
--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -2,7 +2,6 @@
 # Persistent customizations should go in a .local file.
 include disable-programs.local
-blacklist /etc/ssmtp
 blacklist ${HOME}/.*coin
 blacklist ${HOME}/.8pecxstudios
 blacklist ${HOME}/.AndroidStudio*
@@ -1182,6 +1181,7 @@ blacklist ${HOME}/yt-dlp.conf.txt
 blacklist ${RUNUSER}/*firefox*
 blacklist ${RUNUSER}/akonadi
 blacklist ${RUNUSER}/psd/*firefox*
+blacklist /etc/ssmtp
 blacklist /tmp/.wine-*
 blacklist /tmp/akonadi-*
 blacklist /var/games/nethack

From 63db243c5895eeac4aa0e685f9dafc1dfa9f4399 Mon Sep 17 00:00:00 2001
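Review bot: The four noblacklist lines added after `blacklist /usr/libexec` carry no comment saying which distro layout each one serves, so a maintainer cannot tell whether `/sbin` and `/usr/sbin` must be re-exposed everywhere or only on the Debian/Ubuntu layout the commit title names. Re-exposing both directories is broad; it is presumably contained only because the same profile's `private-bin mailq,newaliases,sendmail,ssmtp` (outside this hunk) limits what is actually present, so a local override of private-bin in ssmtp.local would widen it again. I would record the reason above the block, e.g. `# Debian/Ubuntu: ssmtp and its sendmail/mailq/newaliases links live under /usr/sbin` (adjusted to what testing showed), and add a one-line note on why `/etc/logcheck` is needed, which nothing in the series explains.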
From: glitsj16
Date: Wed, 21 Dec 2022 01:09:47 +0000
Subject: [PATCH 6/6] ssmtp: improve dead.letter comment

Suggested in [review](https://github.com/netblue30/firejail/pull/5544#pullrequestreview-1225322546).
---
 etc/profile-m-z/ssmtp.profile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/etc/profile-m-z/ssmtp.profile b/etc/profile-m-z/ssmtp.profile
index 6266ce68afd..1a224e7b0f9 100644
--- a/etc/profile-m-z/ssmtp.profile
+++ b/etc/profile-m-z/ssmtp.profile
@@ -58,7 +58,7 @@ seccomp.block-secondary
 tracelog
 disable-mnt
-# private works but we loose ${HOME}/dead.letter
+# private works but then we lose ${HOME}/dead.letter
 # which is useful to get notified on mail issues
 #private
 private-bin mailq,newaliases,sendmail,ssmtp