Alexandre Pujol
parent
96d774a9eb
commit
1655a9f5ab
25 changed files with 120 additions and 32 deletions
|
|
@ -9,6 +9,7 @@ include <tunables/global>
|
|||
@{exec_path} = @{bin}/kaccess
|
||||
profile kaccess @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/audio-client>
|
||||
include <abstractions/graphics>
|
||||
include <abstractions/kde-strict>
|
||||
include <abstractions/nameservice-strict>
|
||||
|
|
@ -19,6 +20,8 @@ profile kaccess @{exec_path} {
|
|||
|
||||
/usr/share/icons/{,**} r,
|
||||
|
||||
/etc/machine-id r,
|
||||
|
||||
owner @{user_cache_dirs}/icon-cache.kcache rw,
|
||||
|
||||
owner @{user_config_dirs}/breezerc r,
|
||||
|
|
|
|||
|
|
@ -57,14 +57,15 @@ profile kde-powerdevil @{exec_path} flags=(attach_disconnected mediate_deleted)
|
|||
@{sys}/class/i2c-dev/ r,
|
||||
@{sys}/class/usbmisc/ r,
|
||||
@{sys}/devices/ r,
|
||||
@{sys}/devices/@{pci}/*_backlight/{,max_,actual_}brightness r,
|
||||
@{sys}/devices/@{pci}/card@{int}/*/dpms r,
|
||||
@{sys}/devices/@{pci}/drm/card@{int}/**/dev r,
|
||||
@{sys}/devices/@{pci}/drm/card@{int}/*/dpms r,
|
||||
@{sys}/devices/@{pci}/drm/card@{int}/*/edid r,
|
||||
@{sys}/devices/@{pci}/drm/card@{int}/*/enabled r,
|
||||
@{sys}/devices/@{pci}/drm/card@{int}/*/status r,
|
||||
@{sys}/devices/@{pci}/i2c-@{int}/**/dev r,
|
||||
@{sys}/devices/@{pci}/i2c-@{int}/{,**/}name r,
|
||||
@{sys}/devices/@{pci}/i2c-@{int}/**/dev r,
|
||||
@{sys}/devices/**/ r,
|
||||
@{sys}/devices/i2c-@{int}/name r,
|
||||
@{sys}/devices/platform/**/i2c-@{int}/**/name r,
|
||||
|
|
|
|||
|
|
@ -12,10 +12,10 @@ profile kded @{exec_path} {
|
|||
include <abstractions/audio-client>
|
||||
include <abstractions/bus-system>
|
||||
include <abstractions/bus/org.bluez>
|
||||
include <abstractions/bus/org.freedesktop.PolicyKit1>
|
||||
include <abstractions/consoles>
|
||||
include <abstractions/dconf-write>
|
||||
include <abstractions/bus/org.bluez>
|
||||
include <abstractions/bus/org.freedesktop.PolicyKit1>
|
||||
include <abstractions/devices-usb>
|
||||
include <abstractions/graphics>
|
||||
include <abstractions/gtk>
|
||||
include <abstractions/kde-strict>
|
||||
|
|
@ -31,7 +31,8 @@ profile kded @{exec_path} {
|
|||
|
||||
ptrace (read),
|
||||
|
||||
signal (send) set=hup peer=xsettingsd,
|
||||
signal send set=hup peer=xsettingsd,
|
||||
signal send set=term peer=kioworker,
|
||||
|
||||
#aa:dbus own bus=system name=com.redhat.NewPrinterNotification
|
||||
#aa:dbus talk bus=system name=org.freedesktop.NetworkManager label=NetworkManager
|
||||
|
|
@ -54,6 +55,7 @@ profile kded @{exec_path} {
|
|||
@{bin}/plasma-welcome rPUx,
|
||||
@{bin}/python3.@{int} rix,
|
||||
@{bin}/setxkbmap rix,
|
||||
@{bin}/xmodmap rPUx,
|
||||
@{bin}/xrdb rPx,
|
||||
@{bin}/xsetroot rPx,
|
||||
@{bin}/xsettingsd rPx,
|
||||
|
|
@ -73,6 +75,7 @@ profile kded @{exec_path} {
|
|||
|
||||
/etc/fstab r,
|
||||
/etc/xdg/accept-languages.codes r,
|
||||
/etc/xdg/baloofilerc r,
|
||||
/etc/xdg/kcminputrc r,
|
||||
/etc/xdg/kde* r,
|
||||
/etc/xdg/kioslaverc r,
|
||||
|
|
@ -83,6 +86,7 @@ profile kded @{exec_path} {
|
|||
|
||||
/ r,
|
||||
|
||||
owner @{HOME}/ r,
|
||||
owner @{HOME}/.gtkrc-2.0 rw,
|
||||
|
||||
@{user_cache_dirs}/ksycoca{5,6}_* rwlk -> @{user_cache_dirs}/#@{int},
|
||||
|
|
@ -94,6 +98,7 @@ profile kded @{exec_path} {
|
|||
@{user_config_dirs}/kcookiejarrc.lock rwk,
|
||||
@{user_config_dirs}/kcookiejarrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
|
||||
owner @{user_config_dirs}/#@{int} rw,
|
||||
owner @{user_config_dirs}/baloofilerc r,
|
||||
owner @{user_config_dirs}/bluedevilglobalrc.lock rwk,
|
||||
owner @{user_config_dirs}/bluedevilglobalrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
|
||||
owner @{user_config_dirs}/breezerc r,
|
||||
|
|
@ -125,20 +130,22 @@ profile kded @{exec_path} {
|
|||
owner @{user_config_dirs}/networkmanagement.notifyrc r,
|
||||
owner @{user_config_dirs}/plasma* r,
|
||||
owner @{user_config_dirs}/touchpadrc r,
|
||||
owner @{user_config_dirs}/trashrc r,
|
||||
owner @{user_config_dirs}/Trolltech.conf.lock rwk,
|
||||
owner @{user_config_dirs}/Trolltech.conf{,.@{rand6}} rwl,
|
||||
owner @{user_config_dirs}/xsettingsd/{,**} rw,
|
||||
|
||||
owner @{user_share_dirs}/kcookiejar/cookies{,.@{rand6}} rwkl -> @{user_share_dirs}/kcookiejar/#@{int},
|
||||
owner @{user_share_dirs}/icc/{,edid-*} r,
|
||||
owner @{user_share_dirs}/kcookiejar/#@{int} rw,
|
||||
owner @{user_share_dirs}/kcookiejar/cookies.lock rwk,
|
||||
owner @{user_share_dirs}/kcookiejar/cookies{,.@{rand6}} rwkl -> @{user_share_dirs}/kcookiejar/#@{int},
|
||||
owner @{user_share_dirs}/kded{5,6}/{,**} rw,
|
||||
owner @{user_share_dirs}/kscreen/{,**} rwl,
|
||||
owner @{user_share_dirs}/kservices{5,6}/{,**} r,
|
||||
owner @{user_share_dirs}/ktp/cache.db rwk,
|
||||
owner @{user_share_dirs}/remoteview/ r,
|
||||
owner @{user_share_dirs}/services5/{,**} r,
|
||||
owner @{user_share_dirs}/user-places.xbel r,
|
||||
|
||||
@{run}/mount/utab r,
|
||||
@{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/**
|
||||
|
|
|
|||
|
|
@ -64,6 +64,11 @@ profile konsole @{exec_path} flags=(attach_disconnected,mediate_deleted) {
|
|||
owner @{user_share_dirs}/konsole/** rwlk,
|
||||
owner @{user_share_dirs}/kxmlgui5/konsole/{,**} r,
|
||||
|
||||
owner @{user_state_dirs}/#@{int} rw,
|
||||
owner @{user_state_dirs}/konsolestaterc rw,
|
||||
owner @{user_state_dirs}/konsolestaterc.@{rand6} rwl -> @{user_state_dirs}/#@{int},
|
||||
owner @{user_state_dirs}/konsolestaterc.lock rwk,
|
||||
|
||||
owner @{tmp}/#@{int} rw,
|
||||
owner @{tmp}/konsole.@{rand6} rw,
|
||||
|
||||
|
|
|
|||
|
|
@ -16,11 +16,11 @@ profile ksmserver @{exec_path} flags=(attach_disconnected,mediate_deleted) {
|
|||
include <abstractions/kde-strict>
|
||||
include <abstractions/nameservice-strict>
|
||||
|
||||
signal (send) set=(usr1,term) peer=kscreenlocker-greet,
|
||||
signal send set=(usr1,term) peer=kscreenlocker_greet,
|
||||
|
||||
ptrace (read) peer=kbuildsycoca5,
|
||||
|
||||
unix (send, receive) type=stream peer=(label="kscreenlocker-greet",addr=none),
|
||||
unix (send, receive) type=stream peer=(label="kscreenlocker_greet",addr=none),
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
|
|
|
|||
|
|
@ -50,7 +50,7 @@ profile kwin_x11 @{exec_path} {
|
|||
|
||||
owner @{user_config_dirs}/#@{int} rw,
|
||||
owner @{user_config_dirs}/kdedefaults/plasmarc r,
|
||||
owner @{user_config_dirs}/kwinoutputconfig.json r,
|
||||
owner @{user_config_dirs}/kwinoutputconfig.json rw,
|
||||
owner @{user_config_dirs}/kwinrc.lock rwk,
|
||||
owner @{user_config_dirs}/kwinrc{,.@{rand6}} rwl,
|
||||
owner @{user_config_dirs}/kwinrulesrc r,
|
||||
|
|
|
|||
|
|
@ -11,27 +11,47 @@ include <tunables/global>
|
|||
profile okular @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/bus-session>
|
||||
include <abstractions/devices-usb>
|
||||
include <abstractions/graphics>
|
||||
include <abstractions/kde-globals-write>
|
||||
include <abstractions/kde-strict>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/qt5-settings-write>
|
||||
include <abstractions/user-download-strict>
|
||||
include <abstractions/user-read-strict>
|
||||
include <abstractions/user-write-strict>
|
||||
|
||||
network netlink raw,
|
||||
|
||||
signal send set=term peer=kioworker,
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
@{bin}/ps2pdf rPUx,
|
||||
|
||||
@{bin}/gpg{,2} rCx -> gpg,
|
||||
@{bin}/gpgcon rCx -> gpg,
|
||||
@{bin}/gpgconf rCx -> gpg,
|
||||
@{bin}/gpgsm rCx -> gpg,
|
||||
|
||||
@{open_path} rPx -> child-open,
|
||||
#aa:exec kioworker
|
||||
|
||||
/usr/share/color-schemes/{,**} r,
|
||||
/usr/share/okular/{,**} r,
|
||||
/usr/share/poppler/{,**} r,
|
||||
|
||||
/etc/fstab r,
|
||||
/etc/xdg/baloofilerc r,
|
||||
/etc/xdg/dolphinrc r,
|
||||
/etc/xdg/menus/ r,
|
||||
/etc/xdg/menus/applications-merged/ r,
|
||||
|
||||
/ r,
|
||||
@{MOUNTS}/ r,
|
||||
|
||||
owner @{user_cache_dirs}/ksycoca{5,6}_* r,
|
||||
owner @{user_cache_dirs}/okular/{,**} rw,
|
||||
|
||||
owner @{user_config_dirs}/#@{int} rw,
|
||||
owner @{user_config_dirs}/okularpartrc rw,
|
||||
owner @{user_config_dirs}/okularpartrc.@{rand6} rwl -> @{user_config_dirs}/#@{int},
|
||||
|
|
@ -39,22 +59,52 @@ profile okular @{exec_path} {
|
|||
owner @{user_config_dirs}/okularrc rw,
|
||||
owner @{user_config_dirs}/okularrc.@{rand6} rwl -> @{user_config_dirs}/#@{int},
|
||||
owner @{user_config_dirs}/okularrc.lock rwk,
|
||||
owner @{user_config_dirs}/baloofilerc r,
|
||||
owner @{user_config_dirs}/dolphinrc r,
|
||||
owner @{user_config_dirs}/okular-generator-popplerrc r,
|
||||
owner @{user_config_dirs}/KDE/*.conf r,
|
||||
owner @{user_config_dirs}/kioslaverc r,
|
||||
owner @{user_config_dirs}/kservicemenurc r,
|
||||
owner @{user_config_dirs}/kwalletrc r,
|
||||
owner @{user_config_dirs}/menus/ r,
|
||||
owner @{user_config_dirs}/menus/applications-merged/ r,
|
||||
owner @{user_config_dirs}/trashrc r,
|
||||
|
||||
owner @{user_share_dirs}/#@{int} rw,
|
||||
owner @{user_share_dirs}/kxmlgui{5,6}/okular/{,*} r,
|
||||
owner @{user_share_dirs}/okular/ rw,
|
||||
owner @{user_share_dirs}/okular/** rwlk -> @{user_share_dirs}/okular/**,
|
||||
owner @{user_share_dirs}/recently-used.xbel.@{rand6} rwl -> @{user_share_dirs}/#@{int},
|
||||
owner @{user_share_dirs}/recently-used.xbel.lock rk,
|
||||
owner @{user_share_dirs}/user-places.xbel r,
|
||||
|
||||
owner @{user_cache_dirs}/okular/{,**} rw,
|
||||
owner @{user_state_dirs}/#@{int} rw,
|
||||
owner @{user_state_dirs}/okularstaterc rw,
|
||||
owner @{user_state_dirs}/okularstaterc.@{rand6} rwl -> @{user_state_dirs}/#@{int},
|
||||
owner @{user_state_dirs}/okularstaterc.lock rwk,
|
||||
|
||||
owner @{tmp}/#@{int} rw,
|
||||
owner @{tmp}/okular.@{rand6} rwl -> /tmp/#@{int},
|
||||
owner @{tmp}/okular_@{rand6}.ps rwl -> /tmp/#@{int},
|
||||
owner @{tmp}/messageviewer_attachment_@{rand6}/{,*} r, # files opened from KMail as mail attachment,
|
||||
|
||||
owner @{run}/user/@{uid}/#@{int} rw,
|
||||
owner @{run}/user/@{uid}/iceauth_@{rand6} r,
|
||||
owner @{run}/user/@{uid}/okular@{rand6}.@{int}.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int},
|
||||
|
||||
owner @{PROC}/@{pid}/mountinfo r,
|
||||
owner @{PROC}/@{pid}/mounts r,
|
||||
|
||||
profile gpg {
|
||||
include <abstractions/base>
|
||||
include <abstractions/consoles>
|
||||
|
||||
@{bin}/gpg{,2} mr,
|
||||
@{bin}/gpgcon mr,
|
||||
@{bin}/gpgsm mr,
|
||||
|
||||
owner @{HOME}/@{XDG_GPG_DIR}/*.conf r,
|
||||
|
||||
owner @{run}/user/@{uid}/ r,
|
||||
owner @{run}/user/@{uid}/gnupg/ r,
|
||||
|
||||
|
|
|
|||
|
|
@ -90,6 +90,8 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
|
|||
|
||||
/var/lib/AccountsService/icons/* r,
|
||||
|
||||
@{MOUNTS}/ r,
|
||||
|
||||
@{HOME}/ r,
|
||||
owner @{HOME}/@{XDG_DESKTOP_DIR}/*.desktop r,
|
||||
owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r,
|
||||
|
|
@ -197,6 +199,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
|
|||
@{sys}/devices/virtual/thermal/thermal_zone@{int}/hwmon@{int}/ r,
|
||||
|
||||
@{PROC}/ r,
|
||||
@{PROC}/@{pid}/stat r,
|
||||
@{PROC}/cmdline r,
|
||||
@{PROC}/diskstats r,
|
||||
@{PROC}/loadavg r,
|
||||
|
|
|
|||
|
|
@ -49,7 +49,7 @@ profile sddm-greeter @{exec_path} {
|
|||
owner @{SDDM_HOME}/#@{int} mrw,
|
||||
owner @{sddm_cache_dirs}/** mrwkl -> @{sddm_cache_dirs}/**,
|
||||
|
||||
owner @{HOME}/.face.icon r,
|
||||
@{HOME}/.face.icon r,
|
||||
|
||||
owner @{user_cache_dirs}/ rw,
|
||||
owner @{user_cache_dirs}/icon-cache.kcache rw,
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue