Email part (2)

etc/inc/disable-programs.inc

@@ -316,11 +316,13 @@ blacklist ${HOME}/.config/mpd
 blacklist ${HOME}/.config/mps-youtube
 blacklist ${HOME}/.config/mpv
 blacklist ${HOME}/.config/mupen64plus
+blacklist ${HOME}/.config/mutt
 blacklist ${HOME}/.config/mutter
 blacklist ${HOME}/.config/mypaint
 blacklist ${HOME}/.config/nano
 blacklist ${HOME}/.config/nautilus
 blacklist ${HOME}/.config/nemo
+blacklist ${HOME}/.config/neomutt
 blacklist ${HOME}/.config/netsurf
 blacklist ${HOME}/.config/newsbeuter
 blacklist ${HOME}/.config/newsflash
@@ -898,6 +900,7 @@ blacklist ${HOME}/.cache/evolution
 blacklist ${HOME}/.cache/falkon
 blacklist ${HOME}/.cache/feedreader
 blacklist ${HOME}/.cache/flaska.net/trojita
+blacklist ${HOME}/.cache/folks
 blacklist ${HOME}/.cache/font-manager
 blacklist ${HOME}/.cache/fossamail
 blacklist ${HOME}/.cache/fractal

etc/profile-a-l/claws-mail.profile

@@ -18,10 +18,14 @@ whitelist ${HOME}/.claws-mail
 
 whitelist /usr/share/doc/claws-mail
 
+# private-bin claws-mail,curl,gpg,gpg2,gpg-agent,gpgsm,gpgme-config,pinentry,pinentry-gtk-2
+
+dbus-user filter
+dbus-user.talk ca.desrt.dconf
+dbus-user.talk org.gnome.keyring.SystemPrompter
 # if you use the notification plugin you need to uncomment the below (or put them in your claws-mail.local)
-#ignore dbus-user none
-#dbus-user filter
-#dbus-user.talk org.freedesktop.Notifications
+# dbus-user.talk org.freedesktop.Notifications
+dbus-system none
 
 # Redirect
 include email-common.profile

etc/profile-a-l/email-common.profile

@@ -8,6 +8,7 @@ include email-common.local
 #include globals.local
 
 noblacklist ${HOME}/.gnupg
+noblacklist ${HOME}/.mozilla
 noblacklist ${HOME}/.signature
 # when storing mail outside the default ${HOME}/Mail path, 'noblacklist' the custom path in your email-common.local
 # and 'blacklist' it in your disable-common.local too so it is  kept hidden from other applications
@@ -17,28 +18,35 @@ noblacklist ${DOCUMENTS}
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
-whitelist ${DOCUMENTS}
-whitelist ${DOWNLOADS}
 mkfile ${HOME}/.config/mimeapps.list
-mkdir ${HOME}/.gnupg
 mkfile ${HOME}/.signature
+mkdir ${HOME}/.gnupg
 whitelist ${HOME}/.config/mimeapps.list
+whitelist ${HOME}/.mozilla/firefox/profiles.ini
 whitelist ${HOME}/.gnupg
 whitelist ${HOME}/.signature
+whitelist ${DOCUMENTS}
+whitelist ${DOWNLOADS}
 # when storing mail outside the default ${HOME}/Mail path, 'whitelist' the custom path in your email-common.local
 whitelist ${HOME}/Mail
+
+whitelist ${RUNUSER}/gnupg
 whitelist /usr/share/gnupg
 whitelist /usr/share/gnupg2
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
+machine-id
 netfilter
 no3d
 nodvd
@@ -54,13 +62,12 @@ seccomp
 shell none
 tracelog
 
+# disable-mnt
 private-cache
 private-dev
+private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,gnupg,groups,gtk-2.0,gtk-3.0,hostname,hosts,hosts.conf,mailname,nsswitch.conf,passwd,pki,resolv.conf,selinux,ssl,xdg
 private-tmp
 
-dbus-user none
-dbus-system none
-
 # encrypting and signing email
 writable-run-user
 
@@ -70,3 +77,6 @@ writable-run-user
 #whitelist /var/mail
 #whitelist /var/spool/mail
 #writable-var
+
+read-only ${HOME}/.mozilla/firefox/profiles.ini
+read-only ${HOME}/.signature

etc/profile-a-l/geary.profile

@@ -4,28 +4,83 @@
 # Persistent local customizations
 include geary.local
 # Persistent global definitions
-# added by included profile
-#include globals.local
-
-# Users have Geary set to open a browser by clicking a link in an email
-# We are not allowed to blacklist browser-specific directories
-
-ignore dbus-user filter
-ignore dbus-system none
-ignore private-tmp
+include globals.local
 
+noblacklist ${HOME}/.cache/evolution
+noblacklist ${HOME}/.cache/folks
 noblacklist ${HOME}/.cache/geary
+noblacklist ${HOME}/.config/evolution
 noblacklist ${HOME}/.config/geary
+noblacklist ${HOME}/.local/share/evolution
 noblacklist ${HOME}/.local/share/geary
+noblacklist ${HOME}/.mozilla
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
 
+mkdir ${HOME}/.cache/evolution
+mkdir ${HOME}/.cache/folks
 mkdir ${HOME}/.cache/geary
+mkdir ${HOME}/.config/evolution
 mkdir ${HOME}/.config/geary
+mkdir ${HOME}/.local/share/evolution
 mkdir ${HOME}/.local/share/geary
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.cache/evolution
+whitelist ${HOME}/.cache/folks
 whitelist ${HOME}/.cache/geary
+whitelist ${HOME}/.config/evolution
 whitelist ${HOME}/.config/geary
+whitelist ${HOME}/.local/share/evolution
 whitelist ${HOME}/.local/share/geary
+whitelist ${HOME}/.mozilla/firefox/profiles.ini
 whitelist /usr/share/geary
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+# disable-mnt
+# Add ignore private-bin to geary.local for hyperlink support
+private-bin geary
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,fonts,hostname,hosts,pki,resolv.conf,selinux,ssl,xdg
+private-tmp
+
+dbus-user filter
+dbus-user.own org.gnome.Geary
+dbus-user.talk ca.desrt.dconf
+dbus-user.talk org.freedesktop.secrets
+dbus-user.talk org.gnome.Contacts
+dbus-user.talk org.gnome.OnlineAccounts
+dbus-user.talk org.gnome.evolution.dataserver.AddressBook10
+dbus-user.talk org.gnome.evolution.dataserver.Sources5
+dbus-system none
 
-# allow Mozilla browsers
-# Redirect
-include firefox.profile
+read-only ${HOME}/.mozilla/firefox/profiles.ini

etc/profile-m-z/mutt.profile

@@ -1,22 +1,26 @@
 # Firejail profile for mutt
 # Description: Text-based mailreader supporting MIME, GPG, PGP and threading
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include mutt.local
 # Persistent global definitions
 include globals.local
 
 noblacklist /var/mail
 noblacklist /var/spool/mail
+noblacklist ${DOCUMENTS}
 noblacklist ${HOME}/.Mail
 noblacklist ${HOME}/.bogofilter
 noblacklist ${HOME}/.cache/mutt
+noblacklist ${HOME}/.config/mutt
 noblacklist ${HOME}/.config/nano
 noblacklist ${HOME}/.elinks
 noblacklist ${HOME}/.emacs
 noblacklist ${HOME}/.emacs.d
 noblacklist ${HOME}/.gnupg
 noblacklist ${HOME}/.mail
+noblacklist ${HOME}/.mailcap
 noblacklist ${HOME}/.msmtprc
 noblacklist ${HOME}/.mutt
 noblacklist ${HOME}/.muttrc
@@ -34,14 +38,79 @@ noblacklist ${HOME}/sent
 blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}/wayland-*
 
+include allow-perl.inc
+include allow-python2.inc
+include allow-python3.inc
+
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-xdg.inc
 
+mkdir ${HOME}/.Mail
+mkdir ${HOME}/.bogofilter
+mkdir ${HOME}/.cache/mutt
+mkdir ${HOME}/.config/mutt
+mkdir ${HOME}/.config/nano
+mkdir ${HOME}/.emacs.d
+mkdir ${HOME}/.gnupg
+mkdir ${HOME}/.mail
+mkdir ${HOME}/.mutt
+mkdir ${HOME}/.vim
+mkdir ${HOME}/Mail
+mkdir ${HOME}/mail
+mkdir ${HOME}/postponed
+mkdir ${HOME}/sent
+mkfile ${HOME}/.elinks
+mkfile ${HOME}/.emacs
+mkfile ${HOME}/.mailcap
+mkfile ${HOME}/.msmtprc
+mkfile ${HOME}/.muttrc
+mkfile ${HOME}/.nanorc
+mkfile ${HOME}/.signature
+mkfile ${HOME}/.viminfo
+mkfile ${HOME}/.vimrc
+mkfile ${HOME}/.w3m
+whitelist ${DOCUMENTS}
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.Mail
+whitelist ${HOME}/.bogofilter
+whitelist ${HOME}/.cache/mutt
+whitelist ${HOME}/.config/mutt
+whitelist ${HOME}/.config/nano
+whitelist ${HOME}/.elinks
+whitelist ${HOME}/.emacs
+whitelist ${HOME}/.emacs.d
+whitelist ${HOME}/.gnupg
+whitelist ${HOME}/.mail
+whitelist ${HOME}/.mailcap
+whitelist ${HOME}/.msmtprc
+whitelist ${HOME}/.mutt
+whitelist ${HOME}/.muttrc
+whitelist ${HOME}/.nanorc
+whitelist ${HOME}/.signature
+whitelist ${HOME}/.vim
+whitelist ${HOME}/.viminfo
+whitelist ${HOME}/.vimrc
+whitelist ${HOME}/.w3m
+whitelist ${HOME}/Mail
+whitelist ${HOME}/mail
+whitelist ${HOME}/postponed
+whitelist ${HOME}/sent
+whitelist /usr/share/gnupg
+whitelist /usr/share/gnupg2
+whitelist /usr/share/mutt
+whitelist /var/mail
+whitelist /var/spool/mail
+include whitelist-common.inc
 include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 netfilter
 no3d
@@ -56,7 +125,20 @@ novideo
 protocol unix,inet,inet6
 seccomp
 shell none
+tracelog
 
+# disable-mnt
+private-cache
 private-dev
+private-etc alternatives,ca-certificates,crypto-policies,fonts,gai.conf,gcrypt,gnupg,gnutls,hostname,hosts,hosts.conf,mail,mailname,Mutt,Muttrc,Muttrc.d,nntpserver,nsswitch.conf,passwd,pki,resolv.conf,ssl,terminfo,xdg
+private-tmp
 writable-run-user
 writable-var
+
+dbus-user none
+dbus-system none
+
+read-only ${HOME}/.elinks
+read-only ${HOME}/.nanorc
+read-only ${HOME}/.signature
+read-only ${HOME}/.w3m