Improvements to balsa,fractal,gajim,trojita (#3791)

* Improvements to balsa,fractal,gajim,trojita

* sort

* Add gpg plugin support to gajim,remove notifications dbus from trojita

* Add dbus policy from flatpak per @rusty-snake

* Add python* to private-bin; remove some dbus

Co-authored-by: kortewegdevries <kortewegdevries@protonmail.ch>

4 files changed, 41 insertions, 9 deletions

diff --git a/etc/profile-a-l/balsa.profile b/etc/profile-a-l/balsa.profile
index cda6b1aa0..d755fd803 100644
--- a/etc/profile-a-l/balsa.profile
+++ b/etc/profile-a-l/balsa.profile
@@ -9,6 +9,7 @@ include globals.local
 noblacklist ${HOME}/.balsa
 noblacklist ${HOME}/.gnupg
 noblacklist ${HOME}/.mozilla
+noblacklist ${HOME}/.signature
 noblacklist ${HOME}/mail
 noblacklist /var/mail
 noblacklist /var/spool/mail
@@ -24,10 +25,12 @@ include disable-xdg.inc
 
 mkdir ${HOME}/.balsa
 mkdir ${HOME}/.gnupg
+mkfile ${HOME}/.signature
 mkdir ${HOME}/mail
 whitelist ${HOME}/.balsa
 whitelist ${HOME}/.gnupg
 whitelist ${HOME}/.mozilla/firefox/profiles.ini
+whitelist ${HOME}/.signature
 whitelist ${HOME}/mail
 whitelist ${RUNUSER}/gnupg
 whitelist /usr/share/balsa
@@ -58,9 +61,9 @@ shell none
 tracelog
 
 # disable-mnt
-# Add "gpg,gpg2,gpg-agent,pinentry-curses,pinentry-emacs,pinentry-fltk,pinentry-gnome3,pinentry-gtk,pinentry-gtk2,pinentry-gtk-2,pinentry-qt,pinentry-qt4,pinentry-tty,pinentry-x2go,pinentry-kwallet" for gpg
+# Add "pinentry-curses,pinentry-emacs,pinentry-fltk,pinentry-gnome3,pinentry-gtk,pinentry-gtk2,pinentry-gtk-2,pinentry-qt,pinentry-qt4,pinentry-tty,pinentry-x2go,pinentry-kwallet" for gpg 
 # Add "ignore private-bin" for hyperlinks or have a look at the private-bins in firefox.profile and firefox-common.profile.
-private-bin balsa,balsa-ab
+private-bin balsa,balsa-ab,gpg,gpg-agent,gpg2,gpgsm
 private-cache
 private-dev
 private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,groups,gtk-2.0,gtk-3.0,hostname,hosts,mailname,passwd,pki,resolv.conf,selinux,ssl,xdg
@@ -71,8 +74,9 @@ writable-var
 dbus-user filter
 dbus-user.own org.desktop.Balsa
 dbus-user.talk ca.desrt.dconf
-dbus-user.talk org.freedesktop.secrets
 dbus-user.talk org.freedesktop.Notifications
+dbus-user.talk org.freedesktop.secrets
+dbus-user.talk org.gnome.keyring.SystemPrompter
 dbus-system none
 
-read-only ${HOME}/.mozilla/firefox/profiles.ini
+read-only ${HOME}/.mozilla/firefox/profiles.ini
\ No newline at end of file
diff --git a/etc/profile-a-l/fractal.profile b/etc/profile-a-l/fractal.profile
index c3af29e15..dc8d6e3ad 100644
--- a/etc/profile-a-l/fractal.profile
+++ b/etc/profile-a-l/fractal.profile
@@ -8,6 +8,9 @@ include globals.local
 
 noblacklist ${HOME}/.cache/fractal
 
+include allow-python2.inc
+include allow-python3.inc
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -49,6 +52,6 @@ private-tmp
 dbus-user filter
 dbus-user.own org.gnome.Fractal
 dbus-user.talk ca.desrt.dconf
-dbus-user.talk org.freedesktop.secrets
 dbus-user.talk org.freedesktop.Notifications
+dbus-user.talk org.freedesktop.secrets
 dbus-system none
diff --git a/etc/profile-a-l/gajim.profile b/etc/profile-a-l/gajim.profile
index 85d9b9bd9..125ddf79c 100644
--- a/etc/profile-a-l/gajim.profile
+++ b/etc/profile-a-l/gajim.profile
@@ -6,6 +6,7 @@ include gajim.local
 # Persistent global definitions
 include globals.local
 
+noblacklist ${HOME}/.gnupg
 noblacklist ${HOME}/.cache/gajim
 noblacklist ${HOME}/.config/gajim
 noblacklist ${HOME}/.local/share/gajim
@@ -20,19 +21,27 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
-# Comment the following line if you need to whitelist other folders than ~/Downloads
+# Comment the following line if you need to whitelist folders other than ~/Downloads
 include disable-xdg.inc
 
+mkdir ${HOME}/.gnupg
 mkdir ${HOME}/.cache/gajim
 mkdir ${HOME}/.config/gajim
 mkdir ${HOME}/.local/share/gajim
+whitelist ${HOME}/.gnupg
 whitelist ${HOME}/.cache/gajim
 whitelist ${HOME}/.config/gajim
 whitelist ${HOME}/.local/share/gajim
 whitelist ${DOWNLOADS}
+whitelist ${RUNUSER}/gnupg
+whitelist /usr/share/gnupg
+whitelist /usr/share/gnupg2
 include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 netfilter
 nodvd
@@ -47,9 +56,24 @@ shell none
 tracelog
 
 disable-mnt
-private-bin bash,gajim,gajim-history-manager,gpg,gpg2,paplay,python,python3,sh,zsh
+private-bin bash,gajim,gajim-history-manager,gpg,gpg2,paplay,python*,sh,zsh
+private-cache
 private-dev
-private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,group,hostname,hosts,ld.so.cache,ld.so.conf,localtime,machine-id,passwd,pki,pulse,resolv.conf,ssl
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,group,hostname,hosts,ld.so.cache,ld.so.conf,localtime,machine-id,passwd,pki,pulse,resolv.conf,ssl,xdg
 private-tmp
+writable-run-user
+
+dbus-user filter
+dbus-user.own org.gajim.Gajim
+dbus-user.talk org.gnome.Mutter.IdleMonitor
+dbus-user.talk ca.desrt.dconf
+dbus-user.talk org.freedesktop.Notifications
+dbus-user.talk org.freedesktop.secrets
+dbus-user.talk org.kde.kwalletd5
+dbus-user.talk org.mpris.MediaPlayer2.*
+dbus-system filter
+dbus-system.talk org.freedesktop.login1
+# Uncomment for location plugin support
+#dbus-system.talk org.freedesktop.GeoClue2
 
 join-or-start gajim
diff --git a/etc/profile-m-z/trojita.profile b/etc/profile-m-z/trojita.profile
index a8641af85..b82aadd13 100644
--- a/etc/profile-m-z/trojita.profile
+++ b/etc/profile-m-z/trojita.profile
@@ -57,7 +57,8 @@ private-dev
 private-etc alternatives,ca-certificates,crypto-policies,fonts,hostname,hosts,pki,resolv.conf,selinux,ssl,xdg
 private-tmp
 
-dbus-user none
+dbus-user filter
+dbus-user.talk org.freedesktop.secrets
 dbus-system none
 
 read-only ${HOME}/.mozilla/firefox/profiles.ini