Tighten Evince AppArmor policy

The AppArmor policy we currently apply to Evince and Totem allows them to read and write any file anywhere in /home/amnesia, regardless of the extension; except that a blacklist protects a set of important private files, such as GnuPG keyrings. And of course the blacklist is, and will always be, incomplete.

Blueprint: https://tails.boum.org/blueprint/harden_AppArmor_profiles/

Parent Task: #9534 (closed)

Original created by @intrigeri on 9533 (Redmine)
