diff --git a/apparmor.d/groups/kde/drkonqi b/apparmor.d/groups/kde/drkonqi
new file mode 100644
index 000000000..c1916c361
--- /dev/null
+++ b/apparmor.d/groups/kde/drkonqi
@@ -0,0 +1,28 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{libexec}/drkonqi
+profile drkonqi @{exec_path} {
+ include
+ include
+ include
+
+ network inet stream,
+ network inet6 stream,
+ network netlink raw,
+
+ @{exec_path} mr,
+
+ /usr/share/icu/[0-9]*.[0-9]*/*.dat r,
+
+ @{run}/user/@{uid}/xauth_* rl,
+
+ /dev/tty r,
+
+ include if exists
+}
\ No newline at end of file
diff --git a/apparmor.d/groups/kde/kalendarac b/apparmor.d/groups/kde/kalendarac
new file mode 100644
index 000000000..af2dee657
--- /dev/null
+++ b/apparmor.d/groups/kde/kalendarac
@@ -0,0 +1,47 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}bin/kalendarac
+profile kalendarac @{exec_path} {
+ include
+ include
+ include
+ include
+ include
+ include
+
+ @{exec_path} mr,
+
+ /{usr/,}bin/akonadi_control rPx,
+
+ /usr/share/akonadi/firstrun/{,*} r,
+ /usr/share/hwdata/*.ids r,
+ /usr/share/icu/[0-9]*.[0-9]*/*.dat r,
+
+ /etc/machine-id r,
+ /etc/xdg/kdeglobals r,
+
+ owner @{user_cache_dirs}/icon-cache.kcache rw,
+
+ owner @{user_config_dirs}/#[0-9]* rw,
+ owner @{user_config_dirs}/akonadi-firstrunrc r,
+ owner @{user_config_dirs}/akonadi/akonadiconnectionrc r,
+ owner @{user_config_dirs}/kalendaracrc rw,
+ owner @{user_config_dirs}/kalendaracrc.?????? rwl,
+ owner @{user_config_dirs}/kalendaracrc.lock rwk,
+ owner @{user_config_dirs}/kdedefaults/kdeglobals r,
+ owner @{user_config_dirs}/kdeglobals r,
+
+ @{run}/user/@{uid}/xauth_* rl,
+
+ @{PROC}/sys/kernel/core_pattern r,
+
+ /dev/tty r,
+
+ include if exists
+}
\ No newline at end of file
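Review bot: The `@{run}/user/@{uid}/xauth_* rl,` rule in the drkonqi profile has no `owner` qualifier, while the kioslave5 profile added in this same commit writes the identical path as `owner @{run}/user/@{uid}/xauth_* rl,`. Without `owner`, the rule also matches xauth files in other users' runtime directories whenever `@{uid}` expands to more than the caller's own uid (its definition is not visible on this page), so only file permissions would stand between the confined process and another session's X authority cookie. I would write `owner @{run}/user/@{uid}/xauth_* rl,` here and in the kalendarac, kcminit and xembedsniproxy profiles, which carry the same unqualified line.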
diff --git a/apparmor.d/groups/kde/kauth-fontinst b/apparmor.d/groups/kde/kauth-fontinst
new file mode 100644
index 000000000..93a128be0
--- /dev/null
+++ b/apparmor.d/groups/kde/kauth-fontinst
@@ -0,0 +1,19 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{libexec}/kauth/fontinst
+profile kauth-fontinst @{exec_path} {
+ include
+ include
+
+ @{exec_path} mr,
+
+ /usr/share/icu/[0-9]*.[0-9]*/*.dat r,
+
+ include if exists
+}
\ No newline at end of file
diff --git a/apparmor.d/groups/kde/kcminit b/apparmor.d/groups/kde/kcminit
new file mode 100644
index 000000000..4ae1d6d32
--- /dev/null
+++ b/apparmor.d/groups/kde/kcminit
@@ -0,0 +1,49 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}bin/kcminit
+profile kcminit @{exec_path} {
+ include
+ include
+ include
+ include
+
+ @{exec_path} mr,
+
+ /{usr/,}bin/xrdb rPx,
+
+ /usr/share/icu/[0-9]*.[0-9]*/*.dat r,
+ /usr/share/hwdata/pnp.ids r,
+
+ /etc/machine-id r,
+ /etc/xdg/kcmdisplayrc r,
+ /etc/xdg/kcminputrc r,
+ /etc/xdg/kdeglobals r,
+
+ owner @{user_config_dirs}/#[0-9]* rw,
+ owner @{user_config_dirs}/gtkrc-2.0{,.??????} rwl,
+ owner @{user_config_dirs}/gtkrc{,.??????} rwl,
+ owner @{user_config_dirs}/kcminputrc r,
+ owner @{user_config_dirs}/kdedefaults/kcminputrc r,
+ owner @{user_config_dirs}/kdedefaults/kdeglobals r,
+ owner @{user_config_dirs}/kdeglobals r,
+ owner @{user_config_dirs}/kgammarc r,
+ owner @{user_config_dirs}/Trolltech.conf.lock rwk,
+ owner @{user_config_dirs}/Trolltech.conf{,.??????} rwl,
+
+ owner /tmp/kcminit.?????? rwl,
+ owner /tmp/#[0-9]* rw,
+
+ @{run}/user/@{uid}/xauth_* rl,
+
+ @{PROC}/sys/kernel/random/boot_id r,
+
+ /dev/tty r,
+
+ include if exists
+}
\ No newline at end of file
diff --git a/apparmor.d/groups/kde/kde-powerdevil b/apparmor.d/groups/kde/kde-powerdevil
new file mode 100644
index 000000000..43e5e8816
--- /dev/null
+++ b/apparmor.d/groups/kde/kde-powerdevil
@@ -0,0 +1,46 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{libexec}/org_kde_powerdevil
+profile kde-powerdevil @{exec_path} flags=(attach_disconnected) {
+ include
+ include
+ include
+
+ capability wake_alarm,
+
+ network netlink raw,
+
+ @{exec_path} mrix,
+
+ @{libexec}/drkonqi rPx,
+
+ /usr/share/hwdata/*.ids r,
+ /usr/share/icu/[0-9]*.[0-9]*/*.dat r,
+
+ /etc/fstab r,
+ /etc/xdg/kdeglobals r,
+
+ owner @{user_cache_dirs}/kcrash-metadata/{,*} rw,
+
+ owner @{user_config_dirs}/kdedefaults/kdeglobals r,
+ owner @{user_config_dirs}/kdeglobals r,
+ owner @{user_config_dirs}/powerdevilrc r,
+ owner @{user_config_dirs}/powermanagementprofilesrc r,
+
+ @{run}/systemd/inhibit/*.ref rw,
+ owner @{run}/user/@{uid}kcrash_[0-9]* rw,
+
+ @{PROC}/sys/kernel/core_pattern r,
+ @{PROC}/@{pid}/mounts r,
+
+ /dev/tty rw,
+ /dev/rfkill r,
+
+ include if exists
+}
\ No newline at end of file
diff --git a/apparmor.d/groups/kde/kio_http_cache_cleaner b/apparmor.d/groups/kde/kio_http_cache_cleaner
new file mode 100644
index 000000000..763f5f62d
--- /dev/null
+++ b/apparmor.d/groups/kde/kio_http_cache_cleaner
@@ -0,0 +1,16 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{libexec}/kf5/kio_http_cache_cleaner
+profile kio_http_cache_cleaner @{exec_path} {
+ include
+
+ @{exec_path} mr,
+
+ include if exists
+}
\ No newline at end of file
diff --git a/apparmor.d/groups/kde/kioslave5 b/apparmor.d/groups/kde/kioslave5
new file mode 100644
index 000000000..a22063d8c
--- /dev/null
+++ b/apparmor.d/groups/kde/kioslave5
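Review bot: `owner @{run}/user/@{uid}kcrash_[0-9]* rw,` in the kde-powerdevil profile is missing the `/` after `@{uid}`, so it matches a name glued onto the uid directly under `@{run}/user` instead of a `kcrash_*` entry inside the per-user runtime directory. Every other per-user rule in this commit is written `@{run}/user/@{uid}/…`, so this looks like a typo and the line should read `owner @{run}/user/@{uid}/kcrash_[0-9]* rw,`. While the profile ships in complain mode the mismatch only produces log entries, but it would become a denial of the crash-handler file as soon as the profile is enforced.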
@@ -0,0 +1,65 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{libexec}/kf5/kioslave5
+profile kioslave5 @{exec_path} {
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+
+ network netlink raw,
+
+ signal (receive) set=term peer=plasmashell,
+
+ @{exec_path} mr,
+
+ @{libexec}/libheif/ r,
+ @{libexec}/libheif/*.so* rm,
+
+ /usr/share/hwdata/*.ids r,
+ /usr/share/icu/[0-9]*.[0-9]*/*.dat r,
+ /usr/share/kservices5/{,**} r,
+ /usr/share/kservicetypes5/*.desktop r,
+
+ /etc/fstab r,
+ /etc/xdg/kdeglobals r,
+ /etc/xdg/kioslaverc r,
+ /etc/xdg/kwinrc r,
+ /etc/xdg/menus/{,**} r,
+
+ owner @{HOME}/@{XDG_DESKTOP_DIR}/ r,
+ owner @{HOME}/@{XDG_DESKTOP_DIR}/*.desktop r,
+
+ owner @{user_cache_dirs}/ksycoca5_* r,
+ owner @{user_cache_dirs}/thumbnails/*/ r,
+
+ owner @{user_config_dirs}/kdedefaults/kdeglobals r,
+ owner @{user_config_dirs}/kdedefaults/kwinrc r,
+ owner @{user_config_dirs}/kdeglobals r,
+ owner @{user_config_dirs}/kwinrc r,
+
+ owner @{user_share_dirs}/baloo/index-lock rwk,
+ owner @{user_share_dirs}/baloo/index rw,
+
+ owner @{run}/user/@{uid}/#[0-9]* rw,
+ owner @{run}/user/@{uid}/kio_desktop*kioworker.socket rwl,
+ owner @{run}/user/@{uid}/xauth_* rl,
+
+ @{PROC}/sys/kernel/core_pattern r,
+ owner @{PROC}/@{pid}/mountinfo r,
+ owner @{PROC}/@{pid}/mounts r,
+
+ /dev/tty r,
+
+ include if exists
+}
\ No newline at end of file
diff --git a/apparmor.d/groups/kde/kscreen_backend_launcher b/apparmor.d/groups/kde/kscreen_backend_launcher
new file mode 100644
index 000000000..9800289d2
--- /dev/null
+++ b/apparmor.d/groups/kde/kscreen_backend_launcher
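Review bot: The kioslave5 profile grants only `network netlink raw,` and no `network inet`/`inet6` rule, and the rules it does have (the `kio_desktop*kioworker.socket` path, the desktop directory, `peer=plasmashell` on the signal rule) describe just the desktop worker, although the binary it attaches to is the generic KIO worker host. The include targets are not visible on this page, so one of them may already cover the rest; if none does, every other protocol worker started through this binary would be denied once `complain` is dropped. I would add a header comment stating which worker the rules were collected from, for example `# Rules observed for the desktop:/ worker only; other KIO protocols are not covered yet`, so a later switch to enforce mode is not made on the assumption that the profile is complete.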
@@ -0,0 +1,23 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{libexec}/kf5/kscreen_backend_launcher
+profile kscreen_backend_launcher @{exec_path} {
+ include
+ include
+ include
+
+ @{exec_path} mr,
+
+ /usr/share/hwdata/*.ids r,
+ /usr/share/icu/[0-9]*.[0-9]*/*.dat r,
+
+ /dev/tty r,
+
+ include if exists
+}
\ No newline at end of file
diff --git a/apparmor.d/groups/kde/utempter b/apparmor.d/groups/kde/utempter
new file mode 100644
index 000000000..240893d8e
--- /dev/null
+++ b/apparmor.d/groups/kde/utempter
@@ -0,0 +1,20 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{libexec}/utempter/utempter
+profile utempter @{exec_path} {
+ include
+ include
+ include
+
+ @{exec_path} mr,
+
+ /dev/ptmx rw,
+
+ include if exists
+}
\ No newline at end of file
diff --git a/apparmor.d/groups/kde/xembedsniproxy b/apparmor.d/groups/kde/xembedsniproxy
new file mode 100644
index 000000000..3d4e7dc2f
--- /dev/null
+++ b/apparmor.d/groups/kde/xembedsniproxy
@@ -0,0 +1,23 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}bin/xembedsniproxy
+profile xembedsniproxy @{exec_path} {
+ include
+ include
+ include
+
+ @{exec_path} mr,
+
+ /usr/share/hwdata/*.ids r,
+ /usr/share/icu/[0-9]*.[0-9]*/*.dat r,
+
+ @{run}/user/@{uid}/xauth_* rl,
+
+ include if exists
+}
\ No newline at end of file
diff --git a/dists/flags/main.flags b/dists/flags/main.flags
index 2403a08ed..3be24a9b9 100644
--- a/dists/flags/main.flags
+++ b/dists/flags/main.flags
@@ -89,6 +89,7 @@ dkms attach_disconnected,complain
 docker-proxy complain
 dockerd attach_disconnected,complain
 downloadhelper complain
+drkonqi complain
 e2fsck complain
 etckeeper complain
 evince complain
@@ -167,17 +168,24 @@ iwctl complain
 iwd complain
 kaccess complain
 kactivitymanagerd complain
+kalendarac complain
 kauth-backlighthelper complain
 kauth-chargethresholdhelper complain
 kauth-discretegpuhelper complain
+kauth-fontinst complain
 kauth-kded-smart-helper complain
 kauth-kinfocenter-dmidecode-helper complain
+kcminit complain
 kconf_update complain
+kde-powerdevil complain
 kded5 complain
 kernel-install complain
 kglobalaccel5 complain
 kgx complain
+kio_http_cache_cleaner complain
+kioslave5 complain
 kmod attach_disconnected,complain
+kscreen_backend_launcher complain
 ksmserver attach_disconnected,mediate_deleted,complain
 kwin_x11 complain
 landscape-sysinfo complain
@@ -317,6 +325,7 @@ umount.udisks2 complain
 update-grub complain
 update-secureboot-policy complain
 userdbctl complain
+utempter complain
 virt-manager attach_disconnected,complain
 virtinterfaced attach_disconnected,complain
 virtiofsd complain,attach_disconnected
@@ -337,5 +346,6 @@ xdg-document-portal complain
 xdg-permission-store attach_disconnected,complain
 xdg-user-dirs-gtk-update complain
 xdm-xsession complain
+xembedsniproxy complain
 xorg attach_disconnected,complain
 xsettingsd complain
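Review bot: The `kde-powerdevil complain` entry in the second hunk of main.flags omits `attach_disconnected`, although the profile added in this commit declares `flags=(attach_disconnected)`. Other entries in this file that need the flag list it next to `complain`, for example `kmod attach_disconnected,complain`. If the build sets profile flags from this file rather than merging them with the profile header (the build step is not visible on this page), the shipped profile would lose `attach_disconnected`. I would write the entry as `kde-powerdevil attach_disconnected,complain`.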