#!/usr/bin/env bash
set -euo pipefail
(
    exec bwrap \
     --ro-bind /usr/bin /usr/bin/ \
     --ro-bind /usr/share /usr/share/ \
     --ro-bind /usr/lib /usr/lib \
     --ro-bind /usr/lib64 /usr/lib64 \
     --symlink /usr/lib64 /lib64 \
     --symlink /usr/lib /lib \
     --symlink /usr/bin /bin \
     --symlink /usr/bin /sbin \
     --tmpfs /usr/lib/modules \
     --tmpfs /usr/lib/systemd \
     --tmpfs /usr/lib/gcc \
     --proc /proc \
     --dev /dev \
     --ro-bind /tmp/.X11-unix /tmp/.X11-unix \
     --ro-bind /etc/passwd /etc/passwd \
     --ro-bind /etc/group /etc/group \
     --ro-bind /etc/hostname /etc/hostname \
     --ro-bind /etc/hosts /etc/hosts \
     --ro-bind /etc/localtime /etc/localtime \
     --ro-bind /etc/nsswitch.conf /etc/nsswitch.conf \
     --ro-bind /etc/resolv.conf /etc/resolv.conf \
     --ro-bind /etc/xdg /etc/xdg \
     --ro-bind /etc/gtk-2.0 /etc/gtk-2.0 \
     --ro-bind /etc/gtk-3.0 /etc/gtk-3.0 \
     --ro-bind /etc/X11 /etc/X11 \
     --ro-bind /etc/fonts /etc/fonts \
     --ro-bind /etc/mime.types /etc/mime.types \
     --ro-bind /etc/pulse /etc/pulse \
     --tmpfs /run \
     --ro-bind ~/.Xauthority /home/jail/.Xauthority \
     --bind ~/.mozilla /home/jail/.mozilla \
     --bind ~/.cache/mozilla /home/jail/.cache/mozilla \
     --bind ~/.cache/thunderbird /home/jail/.cache/thunderbird \
     --bind ~/.thunderbird /home/jail/.thunderbird \
     --bind ~/Downloads /home/jail/Downloads \
     --chdir /home/jail \
     --unsetenv XTERM_LOCALE \
     --unsetenv TERM \
     --unsetenv XTERM_VERSION \
     --unsetenv XTERM_SHELL \
     --unsetenv DBUS_SESSION_BUS_ADDRESS \
     --unsetenv XDG_RUNTIME_DIR \
     --unsetenv MAIL \
     --setenv SHELL /bin/false \
     --setenv HOME /home/jail \
     --setenv XAUTHORITY /home/jail/.Xauthority \
     --setenv USER nobody \
     --setenv LOGNAME nobody \
     --unshare-user-try \
     --unshare-pid \
     --unshare-uts \
     --unshare-cgroup \
     --new-session \
     --seccomp 10 \
     10< /usr/local/bin/seccomp_default_filter.bpf \
     /usr/bin/thunderbird
)

# todo:

#      --ro-bind /usr/share/locale /usr/share/locale \
#      --ro-bind /usr/share/X11 /usr/share/X11 \
#      --ro-bind /usr/share/gtk-3.0 /usr/share/gtk-3.0 \
#      --ro-bind /usr/share/fonts /usr/share/fonts \
#      --ro-bind /usr/share/ca-certificates /usr/share/ca-certificates \
#      --ro-bind /usr/share/icons /usr/share/icons \
#      --ro-bind /usr/share/pixmaps /usr/share/pixmaps \
#      --ro-bind /usr/share/mime /usr/share/mime \
#      --ro-bind /usr/share/applications /usr/share/applications \
#      --ro-bind /usr/share/glib-2.0 /usr/share/glib-2.0 \
#      --bind /var/cache/fontconfig