seahorse refactoring (#5543)

* seahorse: fixes and hardening * seahorse-daemon: hardening * seahorse-tool: move private-etc items to seahorse * seahorse: unbreak nautilus file encryption As suggested [in review](https://github.com/netblue30/firejail/pull/5543#pullrequestreview-1225250520). * seahorse-tool: move private-tmp to seahorse * seahorse: add private-tmp * seahorse: fix access to ssh-agent socket
author: glitsj16 <glitsj16@users.noreply.github.com> 2022-12-21 23:35:59 +0000
committer: GitHub <noreply@github.com> 2022-12-21 23:35:59 +0000
commit: 5bb73dbcddca0c73f1689a0a2f7a07dc1c2388ad (patch)
tree: feaa2da04dbff3c93135968f434858b6442147ac /etc/profile-m-z
parent: Fix mDNS name resolution with wrc (#5541) (diff)
download: firejail-5bb73dbcddca0c73f1689a0a2f7a07dc1c2388ad.tar.gz
firejail-5bb73dbcddca0c73f1689a0a2f7a07dc1c2388ad.tar.zst
firejail-5bb73dbcddca0c73f1689a0a2f7a07dc1c2388ad.zip
3 files changed, 6 insertions, 7 deletions
diff --git a/etc/profile-m-z/seahorse-daemon.profile b/etc/profile-m-z/seahorse-daemon.profile
index 6410da4d8..b3ead7191 100644
--- a/etc/profile-m-z/seahorse-daemon.profile
+++ b/etc/profile-m-z/seahorse-daemon.profile
@@ -8,6 +8,9 @@ include seahorse-daemon.local
 # added by included profile
 #include globals.local
+blacklist ${RUNUSER}/wayland-*
+include disable-X11.inc
 memory-deny-write-execute
 # Redirect
diff --git a/etc/profile-m-z/seahorse-tool.profile b/etc/profile-m-z/seahorse-tool.profile
index 9ef174606..e5c9e6b10 100644
--- a/etc/profile-m-z/seahorse-tool.profile
+++ b/etc/profile-m-z/seahorse-tool.profile
@@ -7,9 +7,5 @@ include seahorse-tool.local
 # added by included profile
 #include globals.local
-# private-etc workaround for: #2877
-private-etc alternatives,firejail,ld.so.cache,ld.so.preload,login.defs,passwd
-private-tmp
 # Redirect
 include seahorse.profile
diff --git a/etc/profile-m-z/seahorse.profile b/etc/profile-m-z/seahorse.profile
index 0b7232cc4..e6f51bff9 100644
--- a/etc/profile-m-z/seahorse.profile
+++ b/etc/profile-m-z/seahorse.profile
@@ -6,8 +6,6 @@ include seahorse.local
 # Persistent global definitions
 include globals.local
-blacklist /tmp/.X11-unix
 noblacklist ${HOME}/.gnupg
 # Allow ssh (blacklisted by disable-common.inc)
@@ -59,12 +57,14 @@ tracelog
 disable-mnt
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gconf,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,nsswitch.conf,pango,pki,protocols,resolv.conf,rpc,services,ssh,ssl,X11
+private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gconf,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,login.defs,nsswitch.conf,pango,passwd,pkcs11,pki,protocols,resolv.conf,rpc,services,ssh,ssl,xdg
+private-tmp
 writable-run-user
 dbus-user filter
 dbus-user.own org.gnome.seahorse
 dbus-user.own org.gnome.seahorse.Application
+dbus-user.talk ca.desrt.dconf
 dbus-user.talk org.freedesktop.secrets
 dbus-system none
author	glitsj16 <glitsj16@users.noreply.github.com>	2022-12-21 23:35:59 +0000
committer	GitHub <noreply@github.com>	2022-12-21 23:35:59 +0000
commit	5bb73dbcddca0c73f1689a0a2f7a07dc1c2388ad (patch)
tree	feaa2da04dbff3c93135968f434858b6442147ac /etc/profile-m-z
parent	Fix mDNS name resolution with wrc (#5541) (diff)
download	firejail-5bb73dbcddca0c73f1689a0a2f7a07dc1c2388ad.tar.gz firejail-5bb73dbcddca0c73f1689a0a2f7a07dc1c2388ad.tar.zst firejail-5bb73dbcddca0c73f1689a0a2f7a07dc1c2388ad.zip