Seahorse revisited (#2600)

* Refactor seahorse into a whitelist profile

* Refactor seahorse-tool as a whitelist profile

* Create seahorse-daemon.profile

* Add seahorse-daemon to firecfg

* Drop blacklist /tmp/.X11-unix from seahorse.profile

Thanks to @rusty-snake for pointing out blacklisting /tmp/.X11-unix is ridiculous for GUI's.

* Add non-GUI option to seahorse-daemon

1 files changed, 40 insertions, 5 deletions

diff --git a/etc/seahorse.profile b/etc/seahorse.profile
index 83aeb6aec..cd9f6c767 100644
--- a/etc/seahorse.profile
+++ b/etc/seahorse.profile
@@ -4,22 +4,57 @@
 # Persistent local customizations
 include seahorse.local
 # Persistent global definitions
-# added by included profile
-#include globals.local
+include globals.local
 
 # dconf
 noblacklist ${HOME}/.config/dconf
+whitelist ${HOME}/.config/dconf
+
+# gpg
+mkdir ${HOME}/.gnupg
+noblacklist ${HOME}/.gnupg
+whitelist ${HOME}/.gnupg
 
 # ssh
+whitelist /etc/ld.so.preload
 noblacklist /etc/ssh
+whitelist /etc/ssh
 noblacklist /tmp/ssh-*
+whitelist /tmp/ssh-*
+mkdir ${HOME}/.ssh
 noblacklist ${HOME}/.ssh
+whitelist ${HOME}/.ssh
 
+include disable-common.inc
+include disable-devel.inc
 include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+include whitelist-common.inc
 include whitelist-var-common.inc
 
 apparmor
-ipc-namespace
+caps.drop all
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+# shell none - causes gpg to hang
+tracelog
+
+disable-mnt
+private-cache
+private-dev
 
-# Redirect
-include gpg.profile
+writable-run-user