feat(profile): improve integration with kde

see #496

apparmor.d/groups/freedesktop/polkit-kde-authentication-agent

@@ -31,6 +31,7 @@ profile polkit-kde-authentication-agent @{exec_path} flags=(attach_disconnected,
   @{lib}/polkit-[0-9]/polkit-agent-helper-[0-9] rPx,
 
   /etc/machine-id r,
+  /etc/xdg/plasmarc r,
   /var/lib/dbus/machine-id r,
 
   owner @{user_config_dirs}/breezerc r,

apparmor.d/groups/freedesktop/xdg-dbus-proxy

@@ -31,6 +31,7 @@ profile xdg-dbus-proxy @{exec_path} flags=(attach_disconnected) {
   owner @{HOME}/.var/app/*/.local/share/*/logs/* rw,
   owner @{HOME}/.var/app/*/.local/share/*/**/usr/.ref rw,
 
+        @{run}/systemd/inhibit/@{int}.ref rw,
   owner @{run}/firejail/dbus/@{int}/@{int}-{system,user} rw,
   owner @{run}/flatpak/doc/** r,
   owner @{run}/user/@{uid}/.dbus-proxy/{system,session,a11y}-bus-proxy-@{rand6} rw,

apparmor.d/groups/gnome/kgx

@@ -25,9 +25,11 @@ profile kgx @{exec_path} {
   @{bin}/@{shells}           rUx,
 
   # Some CLI program can be launched directly from Gnome Shell
+  @{bin}/btop                rPUx,
   @{bin}/htop                 rPx,
   @{bin}/micro               rPUx,
   @{bin}/nvtop                rPx,
+  @{bin}/nvtop                rPx,
   @{bin}/vim                  rUx,
 
   @{open_path}                rPx -> child-open-help,

apparmor.d/groups/kde/dolphin

@@ -16,6 +16,7 @@ profile dolphin @{exec_path} {
   include <abstractions/deny-sensitive-home>
   include <abstractions/devices-usb>
   include <abstractions/disks-read>
+  include <abstractions/fontconfig-cache-read>
   include <abstractions/graphics>
   include <abstractions/kde-strict>
   include <abstractions/nameservice-strict>
@@ -28,13 +29,17 @@ profile dolphin @{exec_path} {
   @{exec_path} mr,
 
   @{bin}/ldd            rix,
+  @{bin}/lsb_release    rPx -> lsb_release,
+  @{lib}/{,@{multiarch}/}utempter/utempter rPx,
   @{thunderbird_path}   rPx,
+
   #aa:exec kioworker
 
   /usr/share/kf5/kmoretools/{,**} r,
   /usr/share/kio/{,**} r,
   /usr/share/kservices{5,6}/{,**} r,
   /usr/share/kservicetypes5/{,**} r,
+  /usr/share/misc/termcap r,
 
   /etc/fstab r,
   /etc/machine-id r,
@@ -84,9 +89,10 @@ profile dolphin @{exec_path} {
 
   owner @{user_state_dirs}/dolphinstaterc{,.*} rwlk -> @{user_state_dirs}/#@{int},
 
+        @{run}/issue r,
         @{run}/mount/utab r,
-  owner @{run}/user/@{uid}/dolphin@{rand6}.@{int}.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int},
   owner @{run}/user/@{uid}/#@{int} rw,
+  owner @{run}/user/@{uid}/dolphin@{rand6}.@{int}.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int},
 
   @{sys}/bus/ r,
   @{sys}/bus/*/devices/ r,

apparmor.d/groups/kde/drkonqi

@@ -10,6 +10,7 @@ include <tunables/global>
 @{exec_path} += @{lib}/@{multiarch}/{,libexec/}drkonqi
 profile drkonqi @{exec_path} {
   include <abstractions/base>
+  include <abstractions/graphics>
   include <abstractions/kde-strict>
 
   network inet stream,
@@ -22,11 +23,17 @@ profile drkonqi @{exec_path} {
 
   @{exec_path} mr,
 
+  @{bin}/lsb_release    rPx -> lsb_release,
+
   /usr/share/drkonqi/{,**} r,
   /usr/share/knotifications{5,6}/*.notifyrc r,
 
+  owner @{user_cache_dirs}/drkonqi/ rw,
+  owner @{user_cache_dirs}/drkonqi/** rwlk -> @{user_cache_dirs}/drkonqi/**,
   owner @{user_cache_dirs}/kcrash-metadata/* w,
 
+  owner @{user_config_dirs}/drkonqirc r,
+
   /dev/tty r,
 
   include if exists <local/drkonqi>

apparmor.d/groups/kde/kde-powerdevil

@@ -10,6 +10,7 @@ include <tunables/global>
 @{exec_path} += @{lib}/@{multiarch}/{,libexec/}org_kde_powerdevil
 profile kde-powerdevil @{exec_path} flags=(attach_disconnected mediate_deleted) {
   include <abstractions/base>
+  include <abstractions/audio-client>
   include <abstractions/fontconfig-cache-read>
   include <abstractions/graphics>
   include <abstractions/kde-strict>

apparmor.d/groups/kde/kioworker

@@ -91,6 +91,7 @@ profile kioworker @{exec_path} {
         @{run}/mount/utab r,
   owner @{run}/user/@{uid}/#@{int} rw,
   owner @{run}/user/@{uid}/kio_*.socket rwl -> @{run}/user/@{uid}/#@{int},
+  owner @{run}/user/@{uid}/kioworker*.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int},
 
   owner @{PROC}/@{pid}/mountinfo r,
   owner @{PROC}/@{pid}/mounts r,

apparmor.d/groups/kde/konsole

@@ -30,6 +30,14 @@ profile konsole @{exec_path} flags=(attach_disconnected,mediate_deleted) {
   @{lib}/libheif/**                         mr,
   @{lib}/{,@{multiarch}/}utempter/utempter rPx,
 
+  # Some CLI program can be launched directly from KDE
+  @{bin}/btop                rPUx,
+  @{bin}/htop                 rPx,
+  @{bin}/micro               rPUx,
+  @{bin}/nvtop                rPx,
+  @{bin}/nvtop                rPx,
+  @{bin}/vim                  rUx,
+
   /usr/share/color-schemes/{,**} r,
   /usr/share/kf6/{,**} r,
   /usr/share/knotifications{5,6}/konsole.notifyrc r,

apparmor.d/groups/kde/kscreenlocker_greet

@@ -85,6 +85,7 @@ profile kscreenlocker_greet @{exec_path} {
   owner @{user_config_dirs}/kdedefaults/kscreenlockerrc r,
   owner @{user_config_dirs}/kdedefaults/plasmarc r,
   owner @{user_config_dirs}/kscreenlockerrc r,
+  owner @{user_config_dirs}/kscreenlockerrc.lock rwk,
   owner @{user_config_dirs}/ksmserverrc r,
   owner @{user_config_dirs}/plasmarc r,
   owner @{user_config_dirs}/plasmashellrc r,

apparmor.d/groups/kde/ksplashqml

@@ -22,6 +22,7 @@ profile ksplashqml @{exec_path} {
   /usr/share/plasma/** r,
 
   /etc/machine-id r,
+  /etc/xdg/plasmarc r,
 
   owner @{user_cache_dirs}/icon-cache.kcache rw,
   owner @{user_cache_dirs}/ksplash/ rw,

apparmor.d/groups/kde/kwin_wayland

@@ -104,6 +104,8 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) {
   owner @{user_share_dirs}/kscreen/* r,
   owner @{user_share_dirs}/kwin/scripts/{,**} r,
 
+  owner /dev/shm/.org.chromium.Chromium.@{rand6} rw,
+
   @{run}/systemd/inhibit/@{int}.ref rw,
 
   @{sys}/bus/ r,

apparmor.d/groups/kde/plasmashell

@@ -59,6 +59,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
   /opt/**/share/icons/{,**} r,
   /opt/*/**/*.desktop r,
   /opt/*/**/*.png r,
+  /usr/share/*/icons/{,**} r,
   /usr/share/akonadi/{,**} r,
   /usr/share/desktop-base/{,**} r,
   /usr/share/desktop-directories/kf5-*.directory r,
@@ -93,6 +94,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
   @{MOUNTS}/ r,
 
         @{HOME}/ r,
+  owner @{HOME}/.var/app/**.{png,jpg,svg} r,
   owner @{HOME}/@{XDG_DESKTOP_DIR}/*.desktop r,
   owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r,
   owner @{user_pictures_dirs}/{,**} r,
@@ -186,6 +188,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
         @{run}/mount/utab r,
         @{run}/user/@{uid}/gvfs/ r,
   owner @{run}/user/@{uid}/#@{int} rw,
+  owner @{run}/user/@{uid}/app/*/*.@{rand6} r,
   owner @{run}/user/@{uid}/iceauth_@{rand6} r,
   owner @{run}/user/@{uid}/kdesud_:@{int} w,
   owner @{run}/user/@{uid}/plasmashell@{rand6}.@{int}.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int},
@@ -205,6 +208,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
   @{sys}/devices/virtual/thermal/thermal_zone@{int}/hwmon@{int}/ r,
 
         @{PROC}/ r,
+        @{PROC}/@{pid}/cmdline r,
         @{PROC}/@{pid}/stat r,
         @{PROC}/cmdline r,
         @{PROC}/diskstats r,

apparmor.d/groups/kde/systemsettings

@@ -9,7 +9,10 @@ include <tunables/global>
 @{exec_path} = @{bin}/systemsettings
 profile systemsettings @{exec_path} {
   include <abstractions/base>
+  include <abstractions/audio-client>
   include <abstractions/bus-session>
+  include <abstractions/cups-client>
+  include <abstractions/dconf-write>
   include <abstractions/graphics>
   include <abstractions/kde-strict>
   include <abstractions/nameservice-strict>
@@ -22,7 +25,9 @@ profile systemsettings @{exec_path} {
 
   @{exec_path} mr,
 
+  @{sh_path} rix,
   @{bin}/cat rix,
+  @{bin}/eglinfo rPUx,
   @{bin}/kcminit rPx,
   @{bin}/lspci rPx,
   @{bin}/openssl rix,
@@ -38,7 +43,8 @@ profile systemsettings @{exec_path} {
   /usr/share/kcmkeys/{,*.kksrc} r,
   /usr/share/kglobalaccel/* r,
   /usr/share/kinfocenter/{,**} r,
-  /usr/share/kinfocenter/{,**} r,
+  /usr/share/knotifications{5,6}/{,**} r,
+  /usr/share/solid/{,**} r,
   /usr/share/kpackage/{,**} r,
   /usr/share/kservices{5,6}/{,**} r,
   /usr/share/kservicetypes5/{,**} r,
@@ -46,9 +52,9 @@ profile systemsettings @{exec_path} {
   /usr/share/kxmlgui5/systemsettings/systemsettingsui.rc r,
   /usr/share/plasma/{,**} r,
   /usr/share/sddm/themes/{,**} r,
-  /usr/share/sddm/themes/{,**} r,
   /usr/share/systemsettings/{,**} r,
   /usr/share/wallpapers/{,**} r,
+  /usr/share/thumbnailers/{,**} r,
 
   /etc/fstab r,
   /etc/machine-id r,
@@ -56,10 +62,19 @@ profile systemsettings @{exec_path} {
   /etc/xdg/plasmanotifyrc r,
   /etc/xdg/ui/ui_standards.rc r,
   /var/lib/dbus/machine-id r,
+  /etc/xdg/* r,
+
+  /var/cache/cracklib/cracklib_dict.* r,
+  /var/cache/samba/ rw,
+  /var/lib/AccountsService/icons/* r,
+  /var/lib/flatpak/repo/{,**} r,
+
+  owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r,
 
   owner @{user_cache_dirs}/#@{int} rw,
   owner @{user_cache_dirs}/icon-cache.kcache rw,
-  owner @{user_cache_dirs}/kinfocenter/{,**} rwl,
+  owner @{user_cache_dirs}/kcrash-metadata/*.ini rw,
+  owner @{user_cache_dirs}/kinfocenter/{,**} rwlk,
   owner @{user_cache_dirs}/ksvg-elements rw,
   owner @{user_cache_dirs}/ksvg-elements.@{rand6} rwlk -> @{user_cache_dirs}/#@{int},
   owner @{user_cache_dirs}/ksvg-elements.lock rwlk,
@@ -69,22 +84,24 @@ profile systemsettings @{exec_path} {
   owner @{user_cache_dirs}/systemsettings/** rwlk -> @{user_cache_dirs}/systemsettings/**,
 
   owner @{user_config_dirs}/{P,p}lasma* r,
+  owner @{user_config_dirs}/*rc r,
   owner @{user_config_dirs}/#@{int} rw,
+  owner @{user_config_dirs}/device_automounter_kcmrc.lock rwk,
+  owner @{user_config_dirs}/emaildefaults r,
   owner @{user_config_dirs}/kactivitymanagerdrc r,
   owner @{user_config_dirs}/kde.org/{,**} rwlk,
   owner @{user_config_dirs}/kdedefaults/kscreenlockerrc r,
   owner @{user_config_dirs}/kdedefaults/plasmarc r,
-  owner @{user_config_dirs}/khotkeysrc r,
   owner @{user_config_dirs}/kinfocenterrc* rwlk,
-  owner @{user_config_dirs}/kscreenlockerrc r,
-  owner @{user_config_dirs}/kxkbrc r,
+  owner @{user_config_dirs}/libaccounts-glib/ rw,
+  owner @{user_config_dirs}/libaccounts-glib/accounts.db{,-shm,-wal,-journal} rwk,
   owner @{user_config_dirs}/menus/ r,
   owner @{user_config_dirs}/menus/applications-merged/ r,
-  owner @{user_config_dirs}/plasmarc r,
   owner @{user_config_dirs}/session/ rw,
   owner @{user_config_dirs}/session/** rwlk,
   owner @{user_config_dirs}/systemsettingsrc.lock rwk,
   owner @{user_config_dirs}/systemsettingsrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
+  owner @{user_share_dirs}/baloo/index r,
 
   owner @{user_share_dirs}/kactivitymanagerd/resources/database rwk,
   owner @{user_share_dirs}/kactivitymanagerd/resources/database-shm rwk,
@@ -98,12 +115,25 @@ profile systemsettings @{exec_path} {
   owner @{user_share_dirs}/systemsettings/** rwlk,
   owner @{user_share_dirs}/wallpapers/{,**} r,
 
+  owner @{run}/user/@{uid}/#@{int} rw,
+
+  @{run}/udev/data/+drm:card@{int}-* r,   # For screen outputs
+
   @{sys}/bus/ r,
+  @{sys}/bus/acpi/devices/ r,
   @{sys}/bus/cpu/devices/ r,
   @{sys}/class/ r,
+  @{sys}/firmware/acpi/pm_profile r,
 
+        @{PROC}/interrupts r,
   owner @{PROC}/@{pid}/mounts r,
+  owner @{PROC}/@{pid}/fd/ r,
+  owner @{PROC}/@{pid}/mountinfo r,
 
+  /dev/ r,
+  /dev/bus/usb/ r,
+  /dev/input/ r,
+  /dev/rfkill r,
   /dev/tty r,
 
   include if exists <local/systemsettings>

apparmor.d/groups/kde/xwaylandvideobridge

@@ -20,6 +20,8 @@ profile xwaylandvideobridge @{exec_path} {
   owner @{user_cache_dirs}/xwaylandvideobridge/ rw,
   owner @{user_cache_dirs}/xwaylandvideobridge/** rwk,
 
+  owner @{run}/user/@{uid}/iceauth_@{rand6} r,
+
   include if exists <local/xwaylandvideobridge>
 }
 

apparmor.d/groups/virt/virtnetworkd

@@ -20,7 +20,7 @@ profile virtnetworkd @{exec_path} flags=(attach_disconnected) {
 
   @{bin}/dnsmasq rPx,
 
-  /etc/libvirt/libvirt.conf r,
+  /etc/libvirt/*.conf r,
 
   owner /var/lib/libvirt/dnsmasq/*.macs* rw,
 

apparmor.d/groups/virt/virtnodedevd

@@ -29,8 +29,7 @@ profile virtnodedevd @{exec_path} flags=(attach_disconnected) {
   /usr/share/hwdata/*.ids r,
   /usr/share/pci.ids r,
 
-  /etc/libvirt/libvirt.conf r,
-  /etc/libvirt/virtnodedevd.conf r,
+  /etc/libvirt/*.conf r,
   /etc/mdevctl.d/{,**} r,
 
         @{run}/systemd/inhibit/@{int}.ref rw,
@@ -64,6 +63,7 @@ profile virtnodedevd @{exec_path} flags=(attach_disconnected) {
   @{run}/udev/data/c81:@{int}  r,         # For video4linux
   @{run}/udev/data/c89:@{int}  r,         # For I2C bus interface
   @{run}/udev/data/c90:@{int} r,          # For RAM, ROM, Flash
+  @{run}/udev/data/c99:@{int} r,          # For raw parallel ports /dev/parport*
   @{run}/udev/data/c116:@{int} r,         # For ALSA
   @{run}/udev/data/c202:@{int} r,         # CPU model-specific registers
   @{run}/udev/data/c203:@{int} r,         # CPU CPUID information
@@ -90,6 +90,7 @@ profile virtnodedevd @{exec_path} flags=(attach_disconnected) {
   owner @{PROC}/@{pid}/fd/ r,
   owner @{PROC}/@{pid}/stat r,
   owner @{PROC}/mtrr w,
+  owner @{PROC}/uptime r,
 
   include if exists <local/virtnodedevd>
 }

apparmor.d/groups/virt/virtstoraged

@@ -25,8 +25,7 @@ profile virtstoraged @{exec_path} flags=(attach_disconnected) {
   @{bin}/qemu-system*  rUx, # TODO: Integration with virt-aa-helper
   @{bin}/qemu-img      rUx, # TODO: Integration with virt-aa-helper
 
-  /etc/libvirt/**/ r,
-  /etc/libvirt/libvirt.conf r,
+  /etc/libvirt/{,**} r,
 
   # For disk images
   @{MOUNTS}/ r,