# Local firejail profile for neomutt
#
# Layout: whitelist/noblacklist rules for mail data and helper tools first,
# then the disable-*.inc includes, then process-level hardening options,
# and finally an explicit allow-list of /dev nodes.
# Directive order is kept exactly as written: noblacklist entries have to be
# read before the disable-*.inc includes that would otherwise blacklist them.

# Sandbox name and suppression of firejail's own output.
name neomutt
quiet

# Paths under $HOME that stay visible inside the sandbox: mail stores,
# mutt cache/config, msmtp and mbsync configuration, the signature file,
# vim (presumably the message editor; confirm) and w3m (presumably the
# HTML viewer; confirm).
whitelist ${HOME}/.Mail
whitelist ${HOME}/.cache/mutt
whitelist ${HOME}/.mail
whitelist ${HOME}/.msmtprc
whitelist ${HOME}/.signature
whitelist ${HOME}/.vim
whitelist ${HOME}/.viminfo
whitelist ${HOME}/.vimrc
whitelist ${HOME}/.local/share/mail/
whitelist ${HOME}/.config/mutt/
whitelist ${HOME}/.mbsyncrc
whitelist ${HOME}/.config/mbsync
whitelist ${HOME}/.config/msmtp
whitelist ${HOME}/.w3m

# The same paths are exempted from any blacklist rule in the includes below.
noblacklist ${HOME}/.Mail
noblacklist ${HOME}/.cache/mutt
noblacklist ${HOME}/.mail
noblacklist ${HOME}/.msmtprc
noblacklist ${HOME}/.signature
noblacklist ${HOME}/.vim
noblacklist ${HOME}/.viminfo
noblacklist ${HOME}/.vimrc
noblacklist ${HOME}/.local/share/mail/
noblacklist ${HOME}/.config/mutt/
noblacklist ${HOME}/.mbsyncrc
noblacklist ${HOME}/.config/mbsync
noblacklist ${HOME}/.config/msmtp
noblacklist ${HOME}/.w3m

# Access to GPG for encrypting/decrypting/signing mail and passwords with pass
# NOTE(review): this exposes the whole ~/.gnupg directory, including any
# private key material stored there, and the gpg-agent sockets under
# ${RUNUSER}/gnupg. A compromised mail client inside the sandbox can
# therefore still read or use those keys; confirm this fits your threat model.
whitelist ${HOME}/.gnupg
noblacklist ${HOME}/.gnupg
whitelist ${RUNUSER}/gnupg

# This assumes you keep mail account passwords under a separate directory named mail
# This avoids exposing all passwords to the sandbox; only the necessary ones are visible
# NOTE(review): verify that this noblacklist actually overrides the rule in
# disable-passwdmgr.inc on your firejail version (the include covers the
# password store as a whole, this entry names a subdirectory of it).
whitelist ${HOME}/.local/share/password-store/mail
noblacklist ${HOME}/.local/share/password-store/mail

# abook
whitelist ${HOME}/.config/abook
whitelist ${HOME}/.local/share/abook

# The stock run-user whitelist is left disabled; writable-run-user is used
# instead, which lifts firejail's default blacklisting of
# ${RUNUSER}/systemd and ${RUNUSER}/gnupg.
# NOTE(review): presumably needed so gpg-agent is reachable; it also
# re-exposes the systemd user directory. Confirm that is intended.
#include whitelist-runuser-common.inc
writable-run-user

# No display-server access: hide the X11 socket directory and Wayland sockets.
blacklist /tmp/.X11-unix
blacklist ${RUNUSER}/wayland-*

# Standard firejail blacklist sets. The noblacklist entries above must
# precede these includes to take effect.
# NOTE(review): disable-passwdmgr.inc may not exist in newer firejail
# releases; check the profile still loads after upgrading.
include disable-common.inc
include disable-devel.inc
include disable-interpreters.inc
include disable-passwdmgr.inc
include disable-programs.inc

# Required for using msmtp with passwordeval
# NOTE(review): it is not clear from this file which directive the comment
# above refers to; confirm against the original profile.

# Process-level hardening: AppArmor confinement, all capabilities dropped,
# no supplementary groups, no privilege gain through exec, no root user in
# the sandbox, and no access to 3D, DVD, sound, TV, U2F or video devices.
apparmor
caps.drop all
# netfilter only has an effect when a new network namespace is created;
# none is configured in this profile.
netfilter
no3d
nodvd
nogroups
nonewprivs
noroot
nosound
notv
nou2f
novideo
# Only UNIX-domain and IPv4/IPv6 sockets may be created.
protocol unix,inet,inet6
seccomp
# Start the program directly instead of through the user's shell.
# NOTE(review): newer firejail releases may reject "shell none"; verify
# against the installed version.
shell none

# Hide mount points such as /mnt and /media, and give the sandbox a
# randomised machine-id instead of the host's.
disable-mnt
machine-id

# Explicit allow-list for /dev: only the nodes below remain visible.
# NOTE(review): /dev/mapper is unusual for a mail client and exposes
# device-mapper nodes to the sandbox; confirm it is required.
whitelist /dev/mapper
whitelist /dev/fd
whitelist /dev/full
whitelist /dev/log
whitelist /dev/null
whitelist /dev/ptmx
whitelist /dev/pts
whitelist /dev/random
whitelist /dev/shm
whitelist /dev/stderr
whitelist /dev/stdin
whitelist /dev/stdout
whitelist /dev/tty
whitelist /dev/urandom
whitelist /dev/zero