netblue30 / firejail

Linux namespaces and seccomp-bpf sandbox
https://firejail.wordpress.com
GNU General Public License v2.0
5.82k stars 567 forks

KDE Kontact: configuring Google calendar, tasks and Contacts not possible #3718

Closed MrFrank17 closed 3 years ago

MrFrank17 commented 4 years ago

I have some issues using KDE Kontact with the standard firejail setup. It is not easy for me to reproduce these glitches, but here is one:

When adding or configuring the existing Google account

[Screenshot_20201101_224337]

this dialog pops up

[Screenshot_20201101_224412]

Once everything is set up, I cannot close that dialog with "OK" with firejail in place. After removing firejail (with firecfg --clean) and a restart, it is possible.

Using Kubuntu 20.10. default installation. firejail version 0.9.62.4

rusty-snake commented 4 years ago

There is no kontact profile, so it would be interesting which sandbox is started. Watch sudo firemon in a terminal. Also watch your syslog: journalctl --boot --pager-end --follow.

MrFrank17 commented 4 years ago

Quite embarrassing, but I cannot make it fail today - I'll keep on trying ...

The communication to Google seems to be handled by akonadi (output of firemon):

1667:frank::/usr/bin/firejail /usr/bin/akonadi_control
1670:frank::/usr/bin/firejail /usr/bin/akonadi_control
1677:frank::/usr/bin/akonadi_control
1709:frank::/usr/bin/akonadiserver
1726:frank::/usr/sbin/mysqld-akonadi --defaults-file=/home/frank/.local/share/akonadi/mysql.conf --datadir=/home/frank/.local/share/akonadi/db_data/ --socket=/run/user/
1786:frank::/usr/bin/akonadi_akonotes_resource --identifier akonadi_akonotes_resource_0
1787:frank::/usr/bin/akonadi_archivemail_agent --identifier akonadi_archivemail_agent
1788:frank::/usr/bin/akonadi_contacts_resource --identifier akonadi_contacts_resource_0
1789:frank::/usr/bin/akonadi_followupreminder_agent --identifier akonadi_followupreminder_agent
1791:frank::/usr/bin/akonadi_google_resource --identifier akonadi_google_resource_1
1793:frank::/usr/bin/akonadi_imap_resource --identifier akonadi_imap_resource_0
1795:frank::/usr/bin/akonadi_indexing_agent --identifier akonadi_indexing_agent
1800:frank::/usr/bin/akonadi_maildir_resource --identifier akonadi_maildir_resource_0
1802:frank::/usr/bin/akonadi_maildispatcher_agent --identifier akonadi_maildispatcher_agent
1803:frank::/usr/bin/akonadi_mailfilter_agent --identifier akonadi_mailfilter_agent
1806:frank::/usr/bin/akonadi_migration_agent --identifier akonadi_migration_agent
1808:frank::/usr/bin/akonadi_newmailnotifier_agent --identifier akonadi_newmailnotifier_agent
1810:frank::/usr/bin/akonadi_notes_agent --identifier akonadi_notes_agent
1811:frank::/usr/bin/akonadi_sendlater_agent --identifier akonadi_sendlater_agent
1813:frank::/usr/bin/akonadi_unifiedmailbox_agent --identifier akonadi_unifiedmailbox_agent

Also it seems there is an access violation, which, however, is not affecting me:

Nov 02 21:07:26 frank-laptop firejail[6223]: blacklist violation - sandbox 1667, exe akonadigoogle, syscall access, path /home/frank/.config/kwalletrc

MrFrank17 commented 4 years ago

I had a bit more time to have a look, but I could not reproduce my original problem. Another problem seems to be within Kontact: deleting a task or a contact is not synced to my Google account. But this is also the case without firejail running, so this is Kontact related. Sorry for falsely blaming firejail ...

MrFrank17 commented 4 years ago

A follow up question:

You already mentioned that there is no profile for Kontact, however, there is one for KMail, which is correctly used if KMail is separately started (as it should be). As KMail is embedded within Kontact (same with KNotes): should there be a firejail profile for Kontact, which (re-)uses the profiles of all the embedded components? I checked with sudo firemon and firejail --list, but the KMail profile is not used when Kontact is started.

rusty-snake commented 3 years ago

> should there be a firejail profile for Kontact, which (re-)uses the profiles of all the embedded components?

how do you mean?

MrFrank17 commented 3 years ago

Well, basically I wanted to ask if it is technically feasible to include the profiles of kmail & knotes in a new kontact profile ...

rusty-snake commented 3 years ago

There are two issues when you create a profile by including two other profiles:

  1. A profile allows things which are required, but also adds restrictions where possible. For example I already saw things like
    # Allow foobar
    include foobar.profile

    The issue is that (A) things in foobar.profile can break your program and (B) commands in your profile can break foobar.

  2. Order matters. Even if both profiles are nearly the same, it can fail. A noblacklist must come before the blacklist, meaning if A.profile and B.profile include disable-programs, B.profile's noblacklist has no effect.

Now that knotes is a redirect profile to kmail, you can start with this kontact.profile:

# Firejail profile for kontact
# Description: DESCRIPTION
# This file is overwritten after every install/update
# Persistent local customizations
include kontact.local
# Persistent global definitions
# added by included profile
#include globals.local

#
## kontact specific commands
#

# Redirect
include knotes.profile
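
The ordering problem from point 2 of the comment above, as an added example that is not part of the original thread and is not firejail code. It is a simplified model (exact path matching, in-memory profiles); the ~/.config/a-app and ~/.config/b-app paths, the combined.profile and reordered.profile names, and the functions flatten and check_order are hypothetical.

```python
# Added example: a simplified model of the ordering rule, not firejail's parser.
# Constructed sample profiles; the ~/.config paths are hypothetical.
PROFILES = {
    "disable-programs.inc": ["blacklist ${HOME}/.config/a-app",
                             "blacklist ${HOME}/.config/b-app"],
    "A.profile": ["noblacklist ${HOME}/.config/a-app",
                  "include disable-programs.inc"],
    "B.profile": ["noblacklist ${HOME}/.config/b-app",
                  "include disable-programs.inc"],
    # Naive combination: B's noblacklist is read after A pulled in the blacklist.
    "combined.profile": ["include A.profile", "include B.profile"],
    # Reordered: every noblacklist precedes the first blacklist.
    "reordered.profile": ["noblacklist ${HOME}/.config/a-app",
                          "noblacklist ${HOME}/.config/b-app",
                          "include disable-programs.inc"],
}

def flatten(name, profiles, depth=0):
    """Expand include lines depth-first, in file order; yield (file, cmd, arg)."""
    if depth > 16:
        raise RecursionError(f"include nesting too deep at {name}")
    for raw in profiles[name]:
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        cmd, _, arg = line.partition(" ")
        if cmd == "include":
            if arg.strip() in profiles:  # absent files (e.g. *.local) are skipped
                yield from flatten(arg.strip(), profiles, depth + 1)
        else:
            yield name, cmd, arg.strip()

def check_order(top, profiles):
    """Return (late noblacklists, paths still blacklisted). Exact-path match only."""
    exempt, blocked, late = set(), set(), []
    for src, cmd, arg in flatten(top, profiles):
        if cmd == "noblacklist":
            if arg in blocked:          # the blacklist was already applied
                late.append((src, arg))
            exempt.add(arg)
        elif cmd == "blacklist" and arg not in exempt:
            blocked.add(arg)
    return late, sorted(blocked)

if __name__ == "__main__":
    for top in ("combined.profile", "reordered.profile"):
        print(top, check_order(top, PROFILES))
```

In this model, combined.profile reports B.profile's noblacklist as late and leaves its path blacklisted, while reordered.profile reports nothing.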

MrFrank17 commented 3 years ago

Thanks, I will give it a try!

rusty-snake commented 3 years ago

I'm closing here due to inactivity, please feel free to request to reopen if you still have this issue.