Seahorse revisited (#2600)

* Refactor seahorse into a whitelist profile

* Refactor seahorse-tool as a whitelist profile

* Create seahorse-daemon.profile

* Add seahorse-daemon to firecfg

* Drop blacklist /tmp/.X11-unix from seahorse.profile

Thanks to @rusty-snake for pointing out blacklisting /tmp/.X11-unix is ridiculous for GUI's.

* Add non-GUI option to seahorse-daemon

3 files changed, 57 insertions, 16 deletions

diff --git a/etc/seahorse-daemon.profile b/etc/seahorse-daemon.profile
new file mode 100644
index 000000000..1beb0edc6
--- /dev/null
+++ b/etc/seahorse-daemon.profile
@@ -0,0 +1,15 @@
+# Firejail profile for seahorse-daemon
+# Description: PGP encryption and signing
+# This file is overwritten after every install/update
+# Persistent local customizations
+include seahorse-daemon.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+blacklist /tmp/.X11-unix
+
+memory-deny-write-execute
+
+# Redirect
+include seahorse.profile
diff --git a/etc/seahorse-tool.profile b/etc/seahorse-tool.profile
index 2e792c8e0..96f365a4b 100644
--- a/etc/seahorse-tool.profile
+++ b/etc/seahorse-tool.profile
@@ -7,20 +7,11 @@ include seahorse-tool.local
 # added by included profile
 #include globals.local
 
-# dconf
-noblacklist ${HOME}/.config/dconf
+noblacklist ${DOWNLOADS}
 
-include disable-exec.inc
-include disable-xdg.inc
-include whitelist-var-common.inc
-
-apparmor
-ipc-namespace
-
-disable-mnt
 private-tmp
 
 memory-deny-write-execute
 
 # Redirect
-include gpg.profile
+include seahorse.profile
diff --git a/etc/seahorse.profile b/etc/seahorse.profile
index 83aeb6aec..cd9f6c767 100644
--- a/etc/seahorse.profile
+++ b/etc/seahorse.profile
@@ -4,22 +4,57 @@
 # Persistent local customizations
 include seahorse.local
 # Persistent global definitions
-# added by included profile
-#include globals.local
+include globals.local
 
 # dconf
 noblacklist ${HOME}/.config/dconf
+whitelist ${HOME}/.config/dconf
+
+# gpg
+mkdir ${HOME}/.gnupg
+noblacklist ${HOME}/.gnupg
+whitelist ${HOME}/.gnupg
 
 # ssh
+whitelist /etc/ld.so.preload
 noblacklist /etc/ssh
+whitelist /etc/ssh
 noblacklist /tmp/ssh-*
+whitelist /tmp/ssh-*
+mkdir ${HOME}/.ssh
 noblacklist ${HOME}/.ssh
+whitelist ${HOME}/.ssh
 
+include disable-common.inc
+include disable-devel.inc
 include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+include whitelist-common.inc
 include whitelist-var-common.inc
 
 apparmor
-ipc-namespace
+caps.drop all
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+# shell none - causes gpg to hang
+tracelog
+
+disable-mnt
+private-cache
+private-dev
 
-# Redirect
-include gpg.profile
+writable-run-user