feat(profile): improve kde profiles.

fix #676
2025-03-23 15:35:27 +01:00 · 2025-03-23 15:35:27 +01:00 · 21dfc6ea26
commit 21dfc6ea26
parent 7684de3459
6 changed files with 15 additions and 10 deletions
--- a/apparmor.d/groups/kde/dolphin
+++ b/apparmor.d/groups/kde/dolphin
@ -44,6 +44,7 @@ profile dolphin @{exec_path} {
  /usr/share/thumbnailers/{,**} r,

  /etc/fstab r,
+  /etc/exports r,
  /etc/machine-id r,
  /etc/xdg/arkrc r,
  /etc/xdg/dolphinrc r,
@ -100,8 +101,10 @@ profile dolphin @{exec_path} {
  owner @{run}/user/@{uid}/dolphin@{rand6}.@{int}.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int},

  @{run}/udev/data/+acpi:* r,             # for acpi
+  @{run}/udev/data/+backlight:* r,
  @{run}/udev/data/+bluetooth:* r,
  @{run}/udev/data/+dmi* r,               # for motherboard info
+  @{run}/udev/data/+drm:card@{int}-* r,   # For screen outputs
  @{run}/udev/data/+hid:* r,              # for HID-Compliant Keyboard
  @{run}/udev/data/+i2c:* r,
  @{run}/udev/data/+input:input@{int} r,  # for mouse, keyboard, touchpad
@ -121,7 +124,9 @@ profile dolphin @{exec_path} {
  @{run}/udev/data/c13:@{int}  r,         # For /dev/input/*
  @{run}/udev/data/c18[0,8,9]:@{int} r,   # USB devices & USB serial converters
  @{run}/udev/data/c29:@{int} r,          # For /dev/fb[0-9]*
+  @{run}/udev/data/c81:@{int}  r,         # For video4linux
  @{run}/udev/data/c89:@{int} r,          # For I2C bus interface
+  @{run}/udev/data/c90:@{int} r,          # For RAM, ROM, Flash
  @{run}/udev/data/c202:@{int} r,         # CPU model-specific registers
  @{run}/udev/data/c203:@{int} r,         # CPU CPUID information
  @{run}/udev/data/c226:@{int} r,         # For /dev/dri/card[0-9]*
--- a/apparmor.d/groups/kde/drkonqi
+++ b/apparmor.d/groups/kde/drkonqi
@ -51,6 +51,7 @@ profile drkonqi @{exec_path} {

  owner @{PROC}/@{pid}/cmdline r,
  owner @{PROC}/@{pid}/mountinfo r,
+  owner @{PROC}/@{pid}/stat r,

  include if exists <local/drkonqi>
 }
--- a/apparmor.d/groups/kde/drkonqi-coredump-processor
+++ b/apparmor.d/groups/kde/drkonqi-coredump-processor
@ -25,9 +25,9 @@ profile drkonqi-coredump-processor @{exec_path} {
  /{run,var}/log/journal/ r,
  /{run,var}/log/journal/@{hex32}/ r,
  /{run,var}/log/journal/@{hex32}/system.journal r,
-  /{run,var}/log/journal/@{hex32}/system@@{hex32}-@{hex16}-@{hex16}.journal* r,
+  /{run,var}/log/journal/@{hex32}/system@*.journal* r,
  /{run,var}/log/journal/@{hex32}/user-@{uid}.journal r,
-  /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex32}-@{hex16}-@{hex16}.journal* r,
+  /{run,var}/log/journal/@{hex32}/user-@{uid}@*.journal* r,
  /{run,var}/log/journal/remote/ r,

  include if exists <local/drkonqi-coredump-processor>
--- a/apparmor.d/groups/kde/kwin_wayland
+++ b/apparmor.d/groups/kde/kwin_wayland
@ -45,11 +45,7 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) {
  /usr/share/plasma/desktoptheme/** r,

  /etc/pipewire/client.conf.d/ r,
-  /etc/xdg/kscreenlockerrc r,
-  /etc/xdg/menus/{,applications.menu} r,
-  /etc/xdg/menus/applications-merged/ r,
-  /etc/xdg/plasmarc r,
-  /etc/xdg/Xwayland-session.d/{,*} r,
+  /etc/xdg/** r,

  /etc/machine-id r,
  /var/lib/dbus/machine-id r,
@ -93,7 +89,7 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) {
  owner @{user_config_dirs}/kwinrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
  owner @{user_config_dirs}/kwinrulesrc r,
  owner @{user_config_dirs}/kxkbrc r,
-  owner @{user_config_dirs}/menus/{,applications-merged/} r,
+  owner @{user_config_dirs}/menus/** r,
  owner @{user_config_dirs}/plasmarc r,
  owner @{user_config_dirs}/session/* r,

--- a/apparmor.d/groups/kde/plasmashell
+++ b/apparmor.d/groups/kde/plasmashell
@ -39,9 +39,9 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
  network netlink dgram,
  network netlink raw,

-  ptrace (read),
+  ptrace read,

-  signal (send),
+  signal send,

  @{exec_path} mr,

@ -72,6 +72,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
  /usr/share/metainfo/{,**} r,
  /usr/share/plasma/{,**} r,
  /usr/share/plasma5support/** r,
+  /usr/share/qalculate/{,**} r,
  /usr/share/rider/{,**} r,
  /usr/share/solid/actions/{,**} r,
  /usr/share/swcatalog/{,**} r,
@ -172,6 +173,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
  owner @{user_share_dirs}/plasma_icons/*.desktop r,
  owner @{user_share_dirs}/plasma/{,**} r,
  owner @{user_share_dirs}/plasmashell/** rwkl -> @{user_share_dirs}/plasmashell/**,
+  owner @{user_share_dirs}/qalculate/{,**} r,
  owner @{user_share_dirs}/user-places.xbel{,*} rwl,
  owner @{user_share_dirs}/wallpapers/{,**} rw,

--- a/apparmor.d/profiles-s-z/thunderbird
+++ b/apparmor.d/profiles-s-z/thunderbird
@ -59,6 +59,7 @@ profile thunderbird @{exec_path} {
  owner @{tmp}/nsemail{,-@{int}}.eml rw,
  owner @{tmp}/nsma{,-@{int}} rw,
  owner @{tmp}/pid-@{pid}/{,**} w,
+  owner @{tmp}/remote-settings-startup-bundle- rw,

  /dev/urandom w,