From 108352022535db016e9c31091de7d453e482fe7c Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Thu, 27 Apr 2023 22:27:16 +0100
Subject: [PATCH] feat(kde): add initial version for more kde profles.

---
 apparmor.d/groups/kde/gmenudbusmenuproxy | 27 ++++++
 apparmor.d/groups/kde/kactivitymanagerd | 30 +++++++
 .../kde/kauth-kinfocenter-dmidecode-helper | 18 ++++
 apparmor.d/groups/kde/kconf_update | 22 +++++
 apparmor.d/groups/kde/kglobalaccel5 | 34 +++++++
 apparmor.d/groups/kde/plasma-discover | 30 +++++++
 apparmor.d/groups/kde/plasmashell | 88 +++++++++++++++++++
 dists/flags/main.flags | 5 ++
 8 files changed, 254 insertions(+)
 create mode 100644 apparmor.d/groups/kde/gmenudbusmenuproxy
 create mode 100644 apparmor.d/groups/kde/kactivitymanagerd
 create mode 100644 apparmor.d/groups/kde/kauth-kinfocenter-dmidecode-helper
 create mode 100644 apparmor.d/groups/kde/kconf_update
 create mode 100644 apparmor.d/groups/kde/kglobalaccel5
 create mode 100644 apparmor.d/groups/kde/plasma-discover
 create mode 100644 apparmor.d/groups/kde/plasmashell

diff --git a/apparmor.d/groups/kde/gmenudbusmenuproxy b/apparmor.d/groups/kde/gmenudbusmenuproxy
new file mode 100644
index 000000000..83fb97b59
--- /dev/null
+++ b/apparmor.d/groups/kde/gmenudbusmenuproxy
@@ -0,0 +1,27 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}bin/gmenudbusmenuproxy
+profile gmenudbusmenuproxy @{exec_path} {
+ include
+ include
+ include
+ include
+
+ @{exec_path} mr,
+
+ /usr/share/hwdata/*.ids r,
+
+ /etc/machine-id r,
+
+ owner @{HOME}/.gtkrc-2.0 rw,
+
+ @{PROC}/sys/kernel/random/boot_id r,
+
+ include if exists
+}
\ No newline at end of file
diff --git a/apparmor.d/groups/kde/kactivitymanagerd b/apparmor.d/groups/kde/kactivitymanagerd
new file mode 100644
index 000000000..f3d441627
--- /dev/null
+++ b/apparmor.d/groups/kde/kactivitymanagerd
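Review bot: `owner @{HOME}/.gtkrc-2.0 rw,` lets a D-Bus menu proxy write the user's GTK 2 rc file, which is sourced by every GTK 2 program that user runs; unless the audit log shows an actual write, `owner @{HOME}/.gtkrc-2.0 r,` is the tighter rule. Separately, all seven new profiles in this commit end with `\ No newline at end of file` (this hunk and the ones for kactivitymanagerd, kauth-kinfocenter-dmidecode-helper, kconf_update, kglobalaccel5, plasma-discover and plasmashell); a trailing newline after the closing `}` keeps later diffs clean. The `abi`, `include` and `include if exists` lines appear here with their bracketed targets stripped, so which abstractions each profile actually pulls in cannot be checked from this rendering.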
@@ -0,0 +1,30 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}lib/kactivitymanagerd
+profile kactivitymanagerd @{exec_path} {
+ include
+ include
+
+ @{exec_path} mr,
+
+ /usr/share/hwdata/*.ids r,
+ /usr/share/qt/translations/*.qm r,
+
+ owner @{user_config_dirs}/kdedefaults/kdeglobals r,
+ owner @{user_config_dirs}/kdeglobals r,
+ owner @{user_config_dirs}/kactivitymanagerdrc r,
+
+ owner @{user_share_dirs}/kactivitymanagerd/{,**} rwl,
+
+ @{PROC}/sys/kernel/core_pattern r,
+
+ /dev/tty r,
+
+ include if exists
+}
\ No newline at end of file
diff --git a/apparmor.d/groups/kde/kauth-kinfocenter-dmidecode-helper b/apparmor.d/groups/kde/kauth-kinfocenter-dmidecode-helper
new file mode 100644
index 000000000..b1f3d5e28
--- /dev/null
+++ b/apparmor.d/groups/kde/kauth-kinfocenter-dmidecode-helper
@@ -0,0 +1,18 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{libexec}/kauth/kinfocenter-dmidecode-helper
+profile kauth-kinfocenter-dmidecode-helper @{exec_path} {
+ include
+
+ @{exec_path} mr,
+
+ /{usr/,}{s,}bin/dmidecode rPx,
+
+ include if exists
+}
\ No newline at end of file
diff --git a/apparmor.d/groups/kde/kconf_update b/apparmor.d/groups/kde/kconf_update
new file mode 100644
index 000000000..cfd607981
--- /dev/null
+++ b/apparmor.d/groups/kde/kconf_update
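Review bot: `/usr/share/qt/translations/*.qm r,` only matches the Arch layout; on Debian, Ubuntu and openSUSE the Qt 5 catalogs live under `/usr/share/qt5/translations/`, so `/usr/share/qt{,5}/translations/*.qm r,` covers both (the same line appears in the kglobalaccel5 and plasmashell hunks). `owner @{user_config_dirs}/kactivitymanagerdrc r,` is read-only, but as far as I recall the daemon is the writer of that file (it persists the current activity there), so expect an `rw` denial in the audit log while this profile is in complain mode and confirm before enforcing. `/dev/tty r,` is unusual for a session daemon; if no denial for it is on record it can probably be dropped.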
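Review bot: `/{usr/,}{s,}bin/dmidecode rPx,` requires a `dmidecode` profile to be loaded; if the repository does not ship one the exec is denied as soon as this profile leaves complain mode and the DMI page in kinfocenter silently comes up empty. Since this helper runs as root on behalf of an unprivileged session via KAuth/polkit, `Px` (no environment inheritance, no unconfined fallback) is the right transition for the privilege boundary; keep it rather than relaxing to `PUx` if the missing profile turns out to be the problem. A one-line comment such as `# runs as root via KAuth; dmidecode is the only child it may spawn` above the rule would make that intent explicit to the next maintainer.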
@@ -0,0 +1,22 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{libexec}/kf5/kconf_update
+profile kconf_update @{exec_path} {
+ include
+
+ @{exec_path} mr,
+
+ /usr/share/kconf_update/{,**} r,
+
+ owner @{user_config_dirs}/kconf_updaterc r,
+ owner @{user_config_dirs}/kdedefaults/kdeglobals r,
+ owner @{user_config_dirs}/kdeglobals r,
+
+ include if exists
+}
\ No newline at end of file
diff --git a/apparmor.d/groups/kde/kglobalaccel5 b/apparmor.d/groups/kde/kglobalaccel5
new file mode 100644
index 000000000..7c1f48c64
--- /dev/null
+++ b/apparmor.d/groups/kde/kglobalaccel5
@@ -0,0 +1,34 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}bin/kglobalaccel5
+profile kglobalaccel5 @{exec_path} {
+ include
+ include
+ include
+
+ @{exec_path} mr,
+
+ /usr/share/hwdata/*.ids r,
+ /usr/share/kglobalaccel/{,**} r,
+ /usr/share/qt/translations/*.qm r,
+ /usr/share/mime/{,**} r,
+
+ /etc/machine-id r,
+
+ owner @{user_config_dirs}/kglobalshortcutsrc* rwl,
+ owner @{user_config_dirs}/kglobalshortcutsrc.lock rwk,
+ owner @{user_config_dirs}/#[0-9]* rw,
+
+ @{PROC}/sys/kernel/random/boot_id r,
+ @{PROC}/sys/kernel/core_pattern r,
+
+ /dev/tty r,
+
+ include if exists
+}
\ No newline at end of file
diff --git a/apparmor.d/groups/kde/plasma-discover b/apparmor.d/groups/kde/plasma-discover
new file mode 100644
index 000000000..6c20c8790
--- /dev/null
+++ b/apparmor.d/groups/kde/plasma-discover
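Review bot: The profile grants only `r` on `/usr/share/kconf_update/{,**}` and on `owner @{user_config_dirs}/kconf_updaterc`, yet the program's whole purpose, as far as its documented behaviour goes, is to run the update scripts referenced by the `.upd` files in that directory and to record completed updates in `kconf_updaterc`; with no exec rule for those scripts and no write on the rc file, the profile will deny its core work the moment it leaves complain mode. The `kconf_update complain` entry added to `main.flags` in this same commit gives the audit trail to confirm this; expect to need an exec transition for the scripts and `rw` on `kconf_updaterc` before enforcing. The read-only `kdeglobals` lines deserve the same check, since the updates presumably rewrite user config files.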
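Review bot: `owner @{user_config_dirs}/kglobalshortcutsrc* rwl,` already matches `kglobalshortcutsrc.lock`, so the following `owner @{user_config_dirs}/kglobalshortcutsrc.lock rwk,` contributes only the `k`; the two rules work, but the overlap reads as if the lock file were handled separately. Either merge them or add a comment such as `# the glob covers the .lock file too; this line only adds the lock permission` so the next reader does not "fix" it by narrowing the glob, which is needed for the temporary file KConfig writes before renaming. The same pattern appears in the plasma-discover hunk (`discoverrc rwl` followed by `discoverrc.lock rwk`).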
@@ -0,0 +1,30 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}bin/plasma-discover
+profile plasma-discover @{exec_path} {
+ include
+
+ @{exec_path} mr,
+
+ /{usr/,}lib/kf5/kioslave5 rPUx, # TODO: rPx,
+ /{usr/,}lib/kf5/kio_http_cache_cleaner rPUx, # TODO: rPx,
+
+ /etc/machine-id r,
+
+ /var/tmp/flatpak-cache-*/ rw,
+ /var/tmp/flatpak-cache-*/** rwkl,
+ /var/tmp/#[0-9]* rw,
+
+ owner @{user_config_dirs}/kde.org/{,**} rwlk,
+ owner @{user_config_dirs}/discoverrc rwl,
+ owner @{user_config_dirs}/#[0-9]* rwl,
+ owner @{user_config_dirs}/discoverrc.lock rwk,
+
+ include if exists
+}
\ No newline at end of file
diff --git a/apparmor.d/groups/kde/plasmashell b/apparmor.d/groups/kde/plasmashell
new file mode 100644
index 000000000..c6a65cae6
--- /dev/null
+++ b/apparmor.d/groups/kde/plasmashell
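Review bot: `/var/tmp/flatpak-cache-*/ rw,` and `/var/tmp/flatpak-cache-*/** rwkl,` carry no `owner` qualifier, so under the world-writable sticky `/var/tmp` Discover may read and modify any other user's flatpak cache as far as DAC allows; `owner /var/tmp/flatpak-cache-*/ rw,` and `owner /var/tmp/flatpak-cache-*/** rwkl,` (and `owner` on `/var/tmp/#[0-9]* rw,`) limit it to the invoking user's own files. The two `rPUx` transitions marked `# TODO: rPx` fall back to unconfined whenever no `kioslave5` or `kio_http_cache_cleaner` profile is loaded, which means the network-facing KIO workers Discover spawns run without confinement until those profiles exist; that is worth tracking as an open item rather than only an inline TODO.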
@@ -0,0 +1,88 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}bin/plasmashell
+profile plasmashell @{exec_path} {
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+
+ network inet stream,
+ network inet6 stream,
+ network netlink raw,
+
+ signal (send),
+
+ @{exec_path} mr,
+
+ /{usr/,}bin/plasma-discover rPx,
+ /{usr/,}lib/kf5/kioslave5 rPUx, # TODO: rPx,
+ /{usr/,}bin/dolphin rPUx, # TODO: rPx,
+
+ /usr/share/hwdata/*.ids r,
+ /usr/share/kservices5/{,**} r,
+ /usr/share/kservicetypes5/{,**} r,
+ /usr/share/plasma/{,**} r,
+ /usr/share/qt/translations/*.qm r,
+ /usr/share/solid/actions/{,**} r,
+ /usr/share/wallpapers/{,**} r,
+ /usr/share/krunner/{,**} r,
+ /usr/share/konsole/ r,
+ /usr/share/akonadi/firstrun/{,*} r,
+
+ /etc/appstream.conf r,
+ /etc/xdg/taskmanagerrulesrc r,
+ /etc/xdg/menus/ r,
+ /etc/machine-id r,
+ /etc/fstab r,
+
+ owner @{user_templates_dirs}/ r,
+
+ owner @{user_cache_dirs}/#[0-9]* rw,
+ owner @{user_cache_dirs}/icon-cache.kcache rw,
+ owner @{user_cache_dirs}/ksycoca5_* r,
+ owner @{user_cache_dirs}/plasma-svgelements* rwl,
+ owner @{user_cache_dirs}/plasmashell/qmlcache/{,**} rwl,
+
+ owner @{user_config_dirs}/*kde*.desktop* r,
+ owner @{user_config_dirs}/#[0-9]* rw,
+ owner @{user_config_dirs}/baloofilerc r,
+ owner @{user_config_dirs}/dolphinrc r,
+ owner @{user_config_dirs}/kde.org/{,**} rwlk,
+ owner @{user_config_dirs}/KDE/{,**} r,
+ owner @{user_config_dirs}/kdedefaults/kdeglobals r,
+ owner @{user_config_dirs}/kdedefaults/kwinrc r,
+ owner @{user_config_dirs}/kdedefaults/plasmarc r,
+ owner @{user_config_dirs}/kdeglobals r,
+ owner @{user_config_dirs}/ksmserverrc r,
+ owner @{user_config_dirs}/kwinrc r,
+ owner @{user_config_dirs}/plasma*desktop* rwlk,
+ owner @{user_config_dirs}/plasmashellrc r,
+
+ owner @{user_share_dirs}/#[0-9]* rw,
+ owner 
@{user_share_dirs}/akonadi/search_db/{,**} r,
+ owner @{user_share_dirs}/klipper/{,*} rwl,
+ owner @{user_share_dirs}/krunnerstaterc.lock rwk,
+ owner @{user_share_dirs}/krunnerstaterc* rwk,
+
+ owner @{run}/user/@{uid}/#[0-9]* rw,
+ owner @{run}/user/@{uid}/plasmashell??????.[0-9].kioworker.socket rwl,
+
+ @{PROC}/sys/kernel/core_pattern r,
+ @{PROC}/sys/kernel/random/boot_id r,
+ owner @{PROC}/@{pid}/mounts r,
+
+ include if exists
+}
\ No newline at end of file
diff --git a/dists/flags/main.flags b/dists/flags/main.flags
index 5ce6e6c14..f35c8c1e6 100644
--- a/dists/flags/main.flags
+++ b/dists/flags/main.flags
@@ -108,6 +108,7 @@ gdm-runtime-config complain
 gdm-x-session attach_disconnected,complain
 gdm-xsession complain
 glib-compile-resources complain
+gmenudbusmenuproxy complain
 gnome-browser-connector-host complain
 gnome-characters complain
 gnome-control-center attach_disconnected,complain
@@ -164,12 +165,16 @@ irqbalance complain
 iwctl complain
 iwd complain
 kaccess complain
+kactivitymanagerd complain
 kauth-backlighthelper complain
 kauth-chargethresholdhelper complain
 kauth-discretegpuhelper complain
 kauth-kded-smart-helper complain
+kauth-kinfocenter-dmidecode-helper complain
+kconf_update complain
 kded5 complain
 kernel-install complain
+kglobalaccel5 complain
 kgx complain
 kmod attach_disconnected,complain
 ksmserver attach_disconnected,mediate_deleted,complain
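Review bot: `signal (send),` near the top of the plasmashell hunk has no `set=` or `peer=` qualifier, so the shell may deliver any signal to any process DAC lets it reach, including unconfined ones; once complain-mode logs show which children it actually signals, narrow it along the lines of `signal (send) set=(term, kill) peer=plasma-discover,` (constructed example, adjust to the logged peers). The `rPUx` lines for `kioslave5` and `dolphin` fall back to unconfined until matching profiles exist, the same gap noted on plasma-discover, and `network netlink raw,` is broad for a shell; both are worth a comment stating why they are needed if they are to stay. The hunk is split across two physical lines here, but the whole profile is within view.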
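Review bot: Only five of the seven new profiles are switched to complain in these two hunks; `plasma-discover` and `plasmashell` appear in neither, and with 88 rules and three `# TODO: rPx` transitions plasmashell is the profile most likely to break a session if it lands in enforce mode. Unless those two names are already present in a part of `main.flags` outside the visible hunks, add `plasma-discover complain` and `plasmashell complain` alongside the others, matching the `<profile> complain` form used on every added line here.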