Tighten Evince AppArmor policy
The AppArmor policy we currently apply to Evince and Totem allows them
to read and write any file anywhere in /home/amnesia, regardless of
the extension; except that a blacklist protects a set of important
private files, such as GnuPG keyrings. And of course the blacklist is,
and will always be, incomplete.
Blueprint: https://tails.boum.org/blueprint/harden_AppArmor_profiles/
Parent Task: #9534 (closed)
Related issues
- Related to #11578 (closed)
Original created by @intrigeri on 9533 (Redmine)