# Last Modified: Mon Mar  9 16:55:36 2009
# Evince profile for Intrepid
# Pretty permissive on read access except for the sensitive areas of $HOME
# No execute permissiosn whatsoever -- should stop PDF buffer overflow exploits.
#include <tunables/global>

/usr/bin/evince {
  #include <abstractions/base>
  #include <abstractions/audio>
  #include <abstractions/base>
  #include <abstractions/consoles>
  #include <abstractions/dbus>
  #include <abstractions/gnome>
  #include <abstractions/nameservice>
  #include <abstractions/user-tmp>
  /usr/** r,
  /usr/*/ r,
  @{HOME}/** rw,
  @{HOME}/ rw,
  @{HOME}/*/ rw,
 deny @{HOME}/.ssh/** rw,
deny @{HOME}/Private/.ssh/** rw,
deny @{HOME}/.Private/.ssh/** rw,
 deny @{HOME}/.gnupg/** rw,
deny @{HOME}/Private/.gnupg/** rw,
deny @{HOME}/.Private/.gnupg/** rw,
  /etc/pulse/** r,
    /dev/shm/ r,
      /dev/shm/** rw,
    /etc/ r,
    /etc/** r,
    /etc/*/ r,
deny /proc/** r,
deny /proc/*/ r,
deny /usr/bin/launchpad-integration rwx,
  /tmp/ rw,
  owner /tmp/** rw,


}