From 21dfc6ea2672b6f83f8fdee0d1ca6bb79037b83a Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Sun, 23 Mar 2025 15:35:27 +0100
Subject: [PATCH] feat(profile): improve kde profiles. fix #676
---
 apparmor.d/groups/kde/dolphin | 5 +++++
 apparmor.d/groups/kde/drkonqi | 1 +
 apparmor.d/groups/kde/drkonqi-coredump-processor | 4 ++--
 apparmor.d/groups/kde/kwin_wayland | 8 ++------
 apparmor.d/groups/kde/plasmashell | 6 ++++--
 apparmor.d/profiles-s-z/thunderbird | 1 +
 6 files changed, 15 insertions(+), 10 deletions(-)
diff --git a/apparmor.d/groups/kde/dolphin b/apparmor.d/groups/kde/dolphin
index b42b37dec..93780d889 100644
--- a/apparmor.d/groups/kde/dolphin
+++ b/apparmor.d/groups/kde/dolphin
@@ -44,6 +44,7 @@ profile dolphin @{exec_path} {
 /usr/share/thumbnailers/{,**} r,
 /etc/fstab r,
+ /etc/exports r,
 /etc/machine-id r,
 /etc/xdg/arkrc r,
 /etc/xdg/dolphinrc r,
@@ -100,8 +101,10 @@ profile dolphin @{exec_path} {
 owner @{run}/user/@{uid}/dolphin@{rand6}.@{int}.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int},
 @{run}/udev/data/+acpi:* r, # for acpi
+ @{run}/udev/data/+backlight:* r,
 @{run}/udev/data/+bluetooth:* r,
 @{run}/udev/data/+dmi* r, # for motherboard info
+ @{run}/udev/data/+drm:card@{int}-* r, # For screen outputs
 @{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard
 @{run}/udev/data/+i2c:* r,
 @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad
@@ -121,7 +124,9 @@ profile dolphin @{exec_path} {
 @{run}/udev/data/c13:@{int} r, # For /dev/input/*
 @{run}/udev/data/c18[0,8,9]:@{int} r, # USB devices & USB serial converters
 @{run}/udev/data/c29:@{int} r, # For /dev/fb[0-9]*
+ @{run}/udev/data/c81:@{int} r, # For video4linux
 @{run}/udev/data/c89:@{int} r, # For I2C bus interface
+ @{run}/udev/data/c90:@{int} r, # For RAM, ROM, Flash
 @{run}/udev/data/c202:@{int} r, # CPU model-specific registers
 @{run}/udev/data/c203:@{int} r, # CPU CPUID information
 @{run}/udev/data/c226:@{int} r, # For /dev/dri/card[0-9]*
diff --git a/apparmor.d/groups/kde/drkonqi b/apparmor.d/groups/kde/drkonqi
index 83fd07181..fbadf053b 100644
--- a/apparmor.d/groups/kde/drkonqi
+++ b/apparmor.d/groups/kde/drkonqi
@@ -51,6 +51,7 @@ profile drkonqi @{exec_path} {
 owner @{PROC}/@{pid}/cmdline r,
 owner @{PROC}/@{pid}/mountinfo r,
+ owner @{PROC}/@{pid}/stat r,
 include if exists
 }
diff --git a/apparmor.d/groups/kde/drkonqi-coredump-processor b/apparmor.d/groups/kde/drkonqi-coredump-processor
index 9b1e6c379..359352383 100644
--- a/apparmor.d/groups/kde/drkonqi-coredump-processor
+++ b/apparmor.d/groups/kde/drkonqi-coredump-processor
@@ -25,9 +25,9 @@ profile drkonqi-coredump-processor @{exec_path} {
 /{run,var}/log/journal/ r,
 /{run,var}/log/journal/@{hex32}/ r,
 /{run,var}/log/journal/@{hex32}/system.journal r,
- /{run,var}/log/journal/@{hex32}/system@@{hex32}-@{hex16}-@{hex16}.journal* r,
+ /{run,var}/log/journal/@{hex32}/system@*.journal* r,
 /{run,var}/log/journal/@{hex32}/user-@{uid}.journal r,
- /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex32}-@{hex16}-@{hex16}.journal* r,
+ /{run,var}/log/journal/@{hex32}/user-@{uid}@*.journal* r,
 /{run,var}/log/journal/remote/ r,
 include if exists
diff --git a/apparmor.d/groups/kde/kwin_wayland b/apparmor.d/groups/kde/kwin_wayland
index 240869a31..101affd8c 100644
--- a/apparmor.d/groups/kde/kwin_wayland
+++ b/apparmor.d/groups/kde/kwin_wayland
@@ -45,11 +45,7 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) {
 /usr/share/plasma/desktoptheme/** r,
 /etc/pipewire/client.conf.d/ r,
- /etc/xdg/kscreenlockerrc r,
- /etc/xdg/menus/{,applications.menu} r,
- /etc/xdg/menus/applications-merged/ r,
- /etc/xdg/plasmarc r,
- /etc/xdg/Xwayland-session.d/{,*} r,
+ /etc/xdg/** r,
 /etc/machine-id r,
 /var/lib/dbus/machine-id r,
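Review bot: The two archived-journal rules in the drkonqi-coredump-processor hunk now end in `@*.journal*`, and nothing records which file names the stricter `@@{hex32}-@{hex16}-@{hex16}` form failed to match. Because `*` does not cross `/`, the match stays inside the `@{hex32}` journal directory and the `system@` and `user-@{uid}@` prefixes are still required, so the widening looks limited. A one-line comment above the pair, naming the journal file name that was denied, would stop a later tightening pass from reintroducing the denial.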
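Review bot: `/etc/xdg/** r,` in the first kwin_wayland hunk replaces five named rules with read access to the whole system XDG configuration tree, far more than the removed lines show the compositor reading. The tree usually also holds autostart entries and other applications' defaults, so the profile no longer documents or limits what kwin_wayland consumes. If specific files under `/etc/xdg/` were being denied, adding them by name would keep the rule least-privilege. Failing that, a comment on the new line stating which denials prompted the wildcard would keep it reviewable. The profile body continues outside the hunk.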
@@ -93,7 +89,7 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) {
 owner @{user_config_dirs}/kwinrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
 owner @{user_config_dirs}/kwinrulesrc r,
 owner @{user_config_dirs}/kxkbrc r,
- owner @{user_config_dirs}/menus/{,applications-merged/} r,
+ owner @{user_config_dirs}/menus/** r,
 owner @{user_config_dirs}/plasmarc r,
 owner @{user_config_dirs}/session/* r,
diff --git a/apparmor.d/groups/kde/plasmashell b/apparmor.d/groups/kde/plasmashell
index 059760bd3..07fbc8e14 100644
--- a/apparmor.d/groups/kde/plasmashell
+++ b/apparmor.d/groups/kde/plasmashell
@@ -39,9 +39,9 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
 network netlink dgram,
 network netlink raw,
- ptrace (read),
+ ptrace read,
- signal (send),
+ signal send,
 @{exec_path} mr,
@@ -72,6 +72,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
 /usr/share/metainfo/{,**} r,
 /usr/share/plasma/{,**} r,
 /usr/share/plasma5support/** r,
+ /usr/share/qalculate/{,**} r,
 /usr/share/rider/{,**} r,
 /usr/share/solid/actions/{,**} r,
 /usr/share/swcatalog/{,**} r,
@@ -172,6 +173,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
 owner @{user_share_dirs}/plasma_icons/*.desktop r,
 owner @{user_share_dirs}/plasma/{,**} r,
 owner @{user_share_dirs}/plasmashell/** rwkl -> @{user_share_dirs}/plasmashell/**,
+ owner @{user_share_dirs}/qalculate/{,**} r,
 owner @{user_share_dirs}/user-places.xbel{,*} rwl,
 owner @{user_share_dirs}/wallpapers/{,**} rw,
diff --git a/apparmor.d/profiles-s-z/thunderbird b/apparmor.d/profiles-s-z/thunderbird
index 594d04b64..02046580c 100644
--- a/apparmor.d/profiles-s-z/thunderbird
+++ b/apparmor.d/profiles-s-z/thunderbird
@@ -59,6 +59,7 @@ profile thunderbird @{exec_path} {
 owner @{tmp}/nsemail{,-@{int}}.eml rw,
 owner @{tmp}/nsma{,-@{int}} rw,
 owner @{tmp}/pid-@{pid}/{,**} w,
+ owner @{tmp}/remote-settings-startup-bundle- rw,
 /dev/urandom w,
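Review bot: `owner @{user_config_dirs}/menus/** r,` in the second kwin_wayland hunk may no longer cover the `menus/` directory itself, which the removed `menus/{,applications-merged/}` rule granted through its empty alternative. Other rules in this same commit use the `{,**}` form to include a directory along with its contents, for example `/usr/share/qalculate/{,**} r,` in plasmashell. If listing the directory is still needed, `owner @{user_config_dirs}/menus/{,**} r,` keeps the old access while adding the recursive match.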
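Review bot: `ptrace read,` and `signal send,` in the first plasmashell hunk carry no `peer=`, and the signal rule no `set=`, so they remain unscoped after the syntax cleanup. As written they let plasmashell read-trace and signal processes under any profile, limited only by DAC and whatever the peer's own profile permits. The commit only drops the parentheses, but this is a natural place to narrow them once the real targets are known from audit logs. A scoped form would look like `signal send set=(term kill) peer=<PROFILE_NAME>,`, where `<PROFILE_NAME>` and the signal set are placeholders because the needed peers are not visible in this hunk.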
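Review bot: `owner @{tmp}/remote-settings-startup-bundle- rw,` in the thunderbird hunk matches only a file whose name is exactly that string ending in a dash, with no glob or variable after it. The neighbouring rules allow an optional numeric suffix (`nsemail{,-@{int}}.eml`, `nsma{,-@{int}}`). If this temporary file is given a uniquifying suffix in the same way, second and later instances would presumably be denied. It is worth confirming the observed file names in the audit log and, if a suffix does appear, extending the rule with a bounded alternative modelled on those neighbours rather than a bare `*`. A short comment naming the feature that creates the file would also help.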