path: root/etc/profile-m-z/neomutt.profile
# Firejail profile for neomutt
# Description: Mutt fork with advanced features and better documentation
# This file is overwritten after every install/update
# (so site-specific changes belong in neomutt.local or globals.local, not here)
# Suppress firejail's own start-up messages.
quiet
# Persistent local customizations
# The .local files are included before any rule below, so anything an
# administrator or user places there is read ahead of the packaged defaults.
include neomutt.local
# Persistent global definitions
include globals.local

# Exempt the paths neomutt and its helper programs (editors, pagers, GnuPG,
# msmtp, bogofilter) use from the deny rules pulled in by the disable-*.inc
# includes further down. A nodeny only protects against deny rules that are
# read after it, so this list has to stay above those includes.
# NOTE(review): two of these exemptions expose secrets to the sandbox by
# design: ~/.gnupg (private keys) and ~/.msmtprc (SMTP account settings,
# which may include a password). That is required for signed/encrypted mail
# and for sending, but it means the sandbox does not protect those files from
# a compromised mail client.
nodeny  ${DOCUMENTS}
nodeny  ${HOME}/.Mail
nodeny  ${HOME}/.bogofilter
nodeny  ${HOME}/.config/mutt
nodeny  ${HOME}/.config/nano
nodeny  ${HOME}/.config/neomutt
nodeny  ${HOME}/.elinks
nodeny  ${HOME}/.emacs
nodeny  ${HOME}/.emacs.d
nodeny  ${HOME}/.gnupg
nodeny  ${HOME}/.mail
nodeny  ${HOME}/.mailcap
nodeny  ${HOME}/.msmtprc
nodeny  ${HOME}/.mutt
nodeny  ${HOME}/.muttrc
nodeny  ${HOME}/.nanorc
nodeny  ${HOME}/.neomutt
nodeny  ${HOME}/.neomuttrc
nodeny  ${HOME}/.signature
nodeny  ${HOME}/.vim
nodeny  ${HOME}/.viminfo
nodeny  ${HOME}/.vimrc
nodeny  ${HOME}/.w3m
nodeny  ${HOME}/Mail
nodeny  ${HOME}/mail
nodeny  ${HOME}/postponed
nodeny  ${HOME}/sent
nodeny  /var/mail
nodeny  /var/spool/mail

# neomutt runs in a terminal, so the X11 and Wayland display sockets are
# hidden: nothing inside the sandbox can connect to the desktop session.
# Consequence: graphical attachment viewers started from neomutt cannot open
# a window.
deny  /tmp/.X11-unix
deny  ${RUNUSER}/wayland-*

# NOTE(review): allow-lua.inc is not shown here; presumably it exempts the Lua
# runtime from disable-interpreters.inc below - confirm against the include.
# It must stay above the disable-*.inc lines for the exemption to apply.
include allow-lua.inc

# Shared deny lists. Their contents are not visible in this file; going by
# their names they cover common sensitive paths, development tools, execution
# from user-writable locations, script interpreters, password managers, other
# programs' data and the XDG user directories. The nodeny rules earlier in
# this file are the only exceptions made for neomutt.
include disable-common.inc
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc

# Create the mail, editor and GnuPG paths if they do not exist yet, so that
# every allow rule below has a real file or directory to expose.
# Side effect: the first sandboxed start leaves these (empty) entries in the
# user's real home directory.
mkdir ${HOME}/.Mail
mkdir ${HOME}/.bogofilter
mkdir ${HOME}/.config/mutt
mkdir ${HOME}/.config/nano
mkdir ${HOME}/.config/neomutt
mkdir ${HOME}/.elinks
mkdir ${HOME}/.emacs.d
mkdir ${HOME}/.gnupg
mkdir ${HOME}/.mail
mkdir ${HOME}/.mutt
mkdir ${HOME}/.neomutt
mkdir ${HOME}/.vim
mkdir ${HOME}/.w3m
mkdir ${HOME}/Mail
mkdir ${HOME}/mail
mkdir ${HOME}/postponed
mkdir ${HOME}/sent
mkfile ${HOME}/.emacs
mkfile ${HOME}/.mailcap
mkfile ${HOME}/.msmtprc
mkfile ${HOME}/.muttrc
mkfile ${HOME}/.nanorc
mkfile ${HOME}/.neomuttrc
mkfile ${HOME}/.signature
mkfile ${HOME}/.viminfo
mkfile ${HOME}/.vimrc
# Allow-list. Once an allow rule names a path below a top-level directory
# (here $HOME, /usr/share and /var), the rest of that directory is hidden from
# the sandbox; only the entries listed here and in the whitelist-*.inc
# includes remain visible.
# NOTE(review): everything allowed here is read-write unless a read-only rule
# at the end of this file says otherwise, and those rules cover only
# ~/.elinks, ~/.nanorc, ~/.signature and ~/.w3m. ~/.vimrc, ~/.vim, ~/.emacs,
# ~/.emacs.d, ~/.mailcap, ~/.muttrc and ~/.neomuttrc therefore stay writable
# from inside the sandbox, although the same files are also loaded by editors
# and mail tools started outside it. Consider adding read-only lines for the
# ones that are never edited from within neomutt (e.g. in neomutt.local).
allow  ${DOCUMENTS}
allow  ${DOWNLOADS}
allow  ${HOME}/.Mail
allow  ${HOME}/.bogofilter
allow  ${HOME}/.config/mutt
allow  ${HOME}/.config/nano
allow  ${HOME}/.config/neomutt
allow  ${HOME}/.elinks
allow  ${HOME}/.emacs
allow  ${HOME}/.emacs.d
allow  ${HOME}/.gnupg
allow  ${HOME}/.mail
allow  ${HOME}/.mailcap
allow  ${HOME}/.msmtprc
allow  ${HOME}/.mutt
allow  ${HOME}/.muttrc
allow  ${HOME}/.nanorc
allow  ${HOME}/.neomutt
allow  ${HOME}/.neomuttrc
allow  ${HOME}/.signature
allow  ${HOME}/.vim
allow  ${HOME}/.viminfo
allow  ${HOME}/.vimrc
allow  ${HOME}/.w3m
allow  ${HOME}/Mail
allow  ${HOME}/mail
allow  ${HOME}/postponed
allow  ${HOME}/sent
allow  /usr/share/gnupg
allow  /usr/share/gnupg2
allow  /usr/share/neomutt
allow  /var/mail
allow  /var/spool/mail
# Shared allow-lists (contents not visible in this file); by name they add the
# common entries for $HOME, /run/user, /usr/share and /var.
include whitelist-common.inc
include whitelist-runuser-common.inc
include whitelist-usr-share-common.inc
include whitelist-var-common.inc

# Process-level hardening. The less obvious options:
#   apparmor            - additionally confine the sandbox with AppArmor on
#                         systems where it is enabled
#   caps.drop all,
#   nonewprivs, noroot  - no capabilities, no privilege gain through setuid
#                         binaries, and a user namespace without root
#   ipc-namespace       - separate IPC namespace
#   machine-id          - hide the real /etc/machine-id behind a random one
#   netfilter           - default firewall rules; these apply only inside a
#                         new network namespace, and no net option is set in
#                         this file, so presumably it is inert unless
#                         neomutt.local adds one - TODO confirm
#   no3d ... novideo    - hide device classes a mail client does not need
#   nogroups            - drop supplementary groups
#   protocol            - sockets limited to UNIX, IPv4 and IPv6
#   seccomp,
#   seccomp.block-secondary - default syscall filter, and only the native
#                         architecture's syscalls are accepted
#   shell none          - start neomutt directly instead of through a shell
#   tracelog            - log attempts to touch denied paths to syslog
apparmor
caps.drop all
ipc-namespace
machine-id
netfilter
no3d
nodvd
nogroups
noinput
nonewprivs
noroot
nosound
notv
nou2f
novideo
protocol unix,inet,inet6
seccomp
seccomp.block-secondary
shell none
tracelog

# Filesystem views private to the sandbox.
# disable-mnt is left commented out, so /mnt, /media, /run/mount and
# /run/media stay reachable (for example to save attachments to removable
# media); enable it in neomutt.local if that is not needed.
# disable-mnt
# Empty ~/.cache, minimal /dev, empty /tmp; /etc is reduced to the files
# listed on the private-etc line (TLS trust stores, name resolution, GnuPG
# and the system-wide mutt/neomutt configuration).
private-cache
private-dev
private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,gnupg,hostname,hosts,hosts.conf,mail,mailname,Mutt,Muttrc,Muttrc.d,neomuttrc,neomuttrc.d,nntpserver,nsswitch.conf,passwd,pki,resolv.conf,ssl,xdg
private-tmp
# NOTE(review): writable-run-user lifts firejail's default protection of the
# gnupg and systemd directories under /run/user/$UID. That lets neomutt reach
# the running gpg-agent, and with it any keys the agent has unlocked - confirm
# this is wanted before reusing the profile for other programs.
writable-run-user
# /var is mounted writable; combined with the allow rules for /var/mail and
# /var/spool/mail this lets neomutt update local mail spools.
writable-var

# No access to the session bus or the system bus.
dbus-user none
dbus-system none

# Refuse memory mappings that are writable and executable at the same time.
memory-deny-write-execute
# Configuration of helper programs that neomutt only reads is exposed
# read-only, so a process inside the sandbox cannot alter it.
# NOTE(review): the editor and mail configuration files allowed earlier in
# this file (~/.vimrc, ~/.emacs, ~/.mailcap, ~/.muttrc, ...) are not covered
# here and stay writable.
read-only ${HOME}/.elinks
read-only ${HOME}/.nanorc
read-only ${HOME}/.signature
read-only ${HOME}/.w3m