
Thunderbird accesses ~/.mozilla even when blacklisted #995

Closed
acrobat1 opened this issue Dec 21, 2016 · 4 comments
Labels
information_old (Deprecated; use "doc-todo" or "needinfo" instead) Information was/is required

Comments

@acrobat1

I'd like Thunderbird to leave alone the .mozilla directory (since I don't directly click on links in email), so I've added blacklist ~/.mozilla to my thunderbird profile, but it doesn't work:

blacklist violation - sandbox 22475, exe thunderbird, syscall access, path /home/debian/.mozilla

is there any workaround for this?

As I've said, I don't think Thunderbird absolutely needs to access the .mozilla directory, at least not in the way I use Thunderbird: since the purpose of sandboxing is to isolate processes as much as possible, I'd really like to cut access to .mozilla in this case.

@netblue30 netblue30 added the information_old (Deprecated; use "doc-todo" or "needinfo" instead) Information was/is required label Dec 21, 2016
@netblue30
Owner

You need to add the following two lines at the top of /etc/firejail/thunderbird.profile:

blacklist ~/.mozilla
blacklist ~/.cache/mozilla

If you add them at the end, it will have no effect. Also, take a look at the whitelists in /etc/firejail/firefox.profile, you might want to blacklist some other directories. The default Firefox and Thunderbird profiles are quite generic, good for all kind of use cases, such as reading PDF files, playing audio files etc.
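The ordering rule above (blacklist lines placed after the include have no effect) is easy to get wrong in a hand-written profile. The following is an added example, not part of this issue or of the firejail project: a small lint script that flags blacklist/noblacklist lines sitting below an include, or a blacklist that conflicts with an earlier whitelist of the same path. The sample profile is constructed; the rule it applies is the maintainer's note, not a model of firejail's own parser.

```python
from typing import List, Tuple

# Constructed sample: the two blacklist lines the maintainer says belong at
# the TOP of thunderbird.profile are placed at the end instead.
BAD_PROFILE = """\
# constructed custom thunderbird.profile (blacklists at the end)
noblacklist ~/.thunderbird
include /etc/firejail/disable-common.inc
whitelist ~/.thunderbird
# stands in for the whitelist that firefox.profile would pull in
whitelist ~/.mozilla
blacklist ~/.mozilla
blacklist ~/.cache/mozilla
"""

# Same profile with the blacklist lines moved above the includes.
FIXED_PROFILE = """\
blacklist ~/.mozilla
blacklist ~/.cache/mozilla
noblacklist ~/.thunderbird
include /etc/firejail/disable-common.inc
whitelist ~/.thunderbird
"""

def lint_profile(text: str) -> List[Tuple[int, str]]:
    """Return (line_no, message) for ordering problems. Heuristic only:
    blacklist/noblacklist after the first include, or blacklist of a path
    already whitelisted, are reported as likely ineffective."""
    findings: List[Tuple[int, str]] = []
    first_include = None          # line number of the first include
    whitelisted = {}              # path -> line number where whitelisted
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        parts = line.split(None, 1)
        cmd, arg = parts[0], (parts[1].strip() if len(parts) > 1 else "")
        if cmd == "include" and first_include is None:
            first_include = n
        elif cmd == "whitelist":
            whitelisted.setdefault(arg, n)
        elif cmd in ("blacklist", "noblacklist"):
            if first_include is not None:
                findings.append((n, f"{cmd} {arg} is below include on line "
                                    f"{first_include}; move it to the top"))
            if cmd == "blacklist" and arg in whitelisted:
                findings.append((n, f"blacklist {arg} conflicts with whitelist "
                                    f"on line {whitelisted[arg]}"))
    return findings

if __name__ == "__main__":
    for line_no, msg in lint_profile(BAD_PROFILE):
        print(f"line {line_no}: {msg}")
```

Run it over your own profile text to catch the misplacement before starting the sandbox; `firejail --audit` (shown later in this thread) then confirms the result at runtime.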

@curiosity-seeker
Contributor

As I've said, I don't think Thunderbird absolutely needs to access the .mozilla directory

Neither do I. I'm using a customized thunderbird.profile that doesn't include firefox.profile. And Firefox still opens when I click links in emails.

However, I remember that I had problems until it worked as it should. After some trial and error I finally deleted mimeTypes.rdf in ~/.thunderbird/, and when Thunderbird asked me the next time which application to use (for links, pdf files, xls files, etc.) I always pointed it to /usr/bin/xdg-open.

@acrobat1
Author

You need to add the following two lines at the top of /etc/firejail/thunderbird.profile:

blacklist ~/.mozilla
blacklist ~/.cache/mozilla

If you add them at the end, it will have no effect.

Thanks a lot, I really wasn't aware of that. So my understanding would be that arguments in a profile will be processed in order, kinda like firewall rules?

Also, take a look at the whitelists in /etc/firejail/firefox.profile, you might want to blacklist some other directories. The default Firefox and Thunderbird profiles are quite generic, good for all kind of use cases, such as reading PDF files, playing audio files etc.

Yes, I thought so: therefore I wrote my own (kinda restricted) profile for Thunderbird:

#Firejail profile for Mozilla Thunderbird

#blacklist .mozilla
blacklist ~/.mozilla

#blacklist fonts
blacklist ~/.cache/fontconfig

#blacklist AMD
blacklist ~/.AMD

noblacklist ~/.thunderbird
mkdir ~/.thunderbird
whitelist ~/.thunderbird

noblacklist ~/.cache/thunderbird
mkdir ~/.cache/thunderbird
whitelist ~/.cache/thunderbird

include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-devel.inc

caps.drop all
netfilter
nonewprivs
noroot
nogroups
no3d
protocol unix,inet,inet6,netlink
seccomp
tracelog

#private-dev
private-dev

noblacklist ~/.gnupg
mkdir ~/.gnupg
whitelist ~/.gnupg

#include /etc/firejail/firefox.profile

After trying with the --audit option, I get this

INFO: starting /usr/lib/x86_64-linux-gnu/firejail/faudit.
GOOD: process 2 is running in a PID namespace.
INFO: container/sandbox firejail.

GOOD: seccomp BPF enabled.
checking syscalls: mount... umount2... ptrace... swapon... swapoff... init_module... delete_module... chroot... pivot_root... iopl... ioperm... 

GOOD: all capabilities are disabled.

GOOD: I cannot access files in /home/user/.ssh directory.
GOOD: I cannot access files in /home/user/.gnupg directory.
GOOD: I cannot access files in /home/user/.mozilla directory.
GOOD: I cannot access files in /home/user/.config/chromium directory.
GOOD: I cannot access files in /home/user/.icedove directory.
UGLY: I can access files in /home/user/.thunderbird directory. Use "firejail --blacklist=/home/debian8/.thunderbird" to block it.

GOOD: SSH server not available on localhost.
GOOD: HTTP server not available on localhost.
MAYBE: I can connect to netlink socket. Network utilities such as iproute2 will work fine in the sandbox. You can use "--protocol" to disable the socket.

MAYBE: D-Bus socket @/tmp/dbus-BPVnDCl3PG is available

MAYBE: X11 socket /tmp/.X11-unix/X0 is available
MAYBE: X11 socket @/tmp/.X11-unix/X0 is available

INFO: files visible in /dev directory: ptmx, pts, tty, urandom, random, full, null, zero, shm, log, snd, 
GOOD: Access to /dev directory is restricted.

which looks kinda OK for my needs, the only issue being that if I click on a link, it will still be opened in the predefined browser, although in a private temporary sandbox: is there any way to avoid this completely?

@netblue30
Owner

Thanks a lot, I really wasn't aware of that. So my understanding would be that arguments in a profile will be processed in order, kinda like firewall rules?

You are right, in some cases you can later undo what you did before.

if clicking on a link, it will still be opened in the predefined browser

For various reasons, both Firefox and Chromium keep only one instance of the program running. When you click on a link in Thunderbird, if another instance of the browser is running, it will open a new tab (or window) into the existing browser. The way I use it, I start Firefox in a separate sandbox before starting Thunderbird - the two sandboxes manage to communicate somehow!
