Initial commit

entrypoint.sh

@@ -0,0 +1,9 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+gpg --generate-key --batch gpg-keygen-params.txt
+pass init proton
+/usr/bin/protonmail-bridge --cli
+
+# TODO: login on cli
+

gpg-keygen-params.txt

@@ -0,0 +1,6 @@
+%no-protection
+Key-Type:RSA
+Key-Length:2048
+Name-Real:proton
+Expire-Date:0
+%commit

isolated-protonmail-bridge.sh

@@ -0,0 +1,22 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+HERE="$(dirname "$(readlink -f "${BASH_SOURCE[0]}")")"
+JAIL_HOME=/home/proton
+DEFAULT_BIN=entrypoint.sh
+BIN="${1:-${DEFAULT_BIN}}"
+
+nsjail -Mo                                                                                     \
+       --disable_clone_newnet                                                                  \
+       --cwd "${JAIL_HOME}"                                                                    \
+       --tmpfsmount /                                                                          \
+       --tmpfsmount /tmp --tmpfsmount /run                                                     \
+       --bindmount_ro "${HERE}/entrypoint.sh:${JAIL_HOME}/entrypoint.sh"                       \
+       --bindmount_ro "${HERE}/gpg-keygen-params.txt:${JAIL_HOME}/gpg-keygen-params.txt"       \
+       --bindmount_ro /bin --bindmount_ro /sbin                                                \
+       --bindmount_ro /usr --bindmount_ro /lib --bindmount_ro /lib64                           \
+       --bindmount_ro /dev/null --bindmount_ro /dev/urandom --bindmount_ro /dev/random         \
+       --env HOME=/home/proton                                                                 \
+       --env PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin                 \
+       -- ${BIN}
+