feat(profile): improve kde integration.

apparmor.d/groups/kde/DiscoverNotifier

@@ -41,7 +41,7 @@ profile DiscoverNotifier @{exec_path} {
   /var/cache/swcatalog/cache/ w,
   /var/cache/swcatalog/xml/{,**} r,
 
-  owner @{user_cache_dirs}/appstream/ r,
+  owner @{user_cache_dirs}/appstream/ rw,
   owner @{user_cache_dirs}/appstream/** rw,
   owner @{user_cache_dirs}/flatpak/{,**} rw,
 

apparmor.d/groups/kde/baloo

@@ -45,22 +45,7 @@ profile baloo @{exec_path} {
   @{run}/mount/utab r,
 
   @{run}/udev/data/+*:* r,
-
-  @{run}/udev/data/c1:@{int} r,           # For RAM disk
-  @{run}/udev/data/c4:@{int} r,           # For TTY devices
-  @{run}/udev/data/c5:@{int}   r,         # for /dev/tty, /dev/console, /dev/ptmx
-  @{run}/udev/data/c7:@{int} r,           # For Virtual console capture devices
-  @{run}/udev/data/c10:@{int} r,          # For non-serial mice, misc features
-  @{run}/udev/data/c13:@{int}  r,         # For /dev/input/*
-  @{run}/udev/data/c29:@{int} r,          # For /dev/fb[0-9]*
-  @{run}/udev/data/c81:@{int} r,          # For video4linux
-  @{run}/udev/data/c89:@{int} r,          # For I2C bus interface
-  @{run}/udev/data/c99:@{int} r,          # For raw parallel ports /dev/parport*
-  @{run}/udev/data/c116:@{int} r,         # For ALSA
-  @{run}/udev/data/c202:@{int} r,         # CPU model-specific registers
-  @{run}/udev/data/c203:@{int} r,         # CPU CPUID information
-  @{run}/udev/data/c226:@{int} r,         # For /dev/dri/card[0-9]*
-  @{run}/udev/data/c@{dynamic}:@{int} r,  # For dynamic assignment range 234 to 254, 384 to 511
+  @{run}/udev/data/c@{int}:@{int} r,
 
   @{sys}/bus/ r,
   @{sys}/bus/*/devices/ r,

apparmor.d/groups/kde/baloorunner

@@ -28,33 +28,8 @@ profile baloorunner @{exec_path} {
 
   /tmp/ r,
 
-  @{run}/udev/data/+acpi:* r,             # for acpi
-  @{run}/udev/data/+bluetooth:* r,
-  @{run}/udev/data/+dmi* r,               # for motherboard info
-  @{run}/udev/data/+hid:* r,              # for HID-Compliant Keyboard
-  @{run}/udev/data/+i2c:* r,
-  @{run}/udev/data/+input:input@{int} r,  # for mouse, keyboard, touchpad
-  @{run}/udev/data/+leds:* r,
-  @{run}/udev/data/+pci:* r,              # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.)
-  @{run}/udev/data/+platform:* r,
-  @{run}/udev/data/+power_supply* r,
-  @{run}/udev/data/+rfkill:* r,
-  @{run}/udev/data/+sound:card@{int} r,   # for sound card
-
-  @{run}/udev/data/c1:@{int}    r,        # For RAM disk
-  @{run}/udev/data/c4:@{int} r,           # For TTY devices
-  @{run}/udev/data/c5:@{int}   r,         # for /dev/tty, /dev/console, /dev/ptmx
-  @{run}/udev/data/c7:@{int} r,           # For Virtual console capture devices
-  @{run}/udev/data/c10:@{int} r,          # for non-serial mice, misc features
-  @{run}/udev/data/c116:@{int} r,         # For ALSA
-  @{run}/udev/data/c13:@{int}  r,         # For /dev/input/*
-  @{run}/udev/data/c18[0,8,9]:@{int} r,   # USB devices & USB serial converters
-  @{run}/udev/data/c29:@{int} r,          # For /dev/fb[0-9]*
-  @{run}/udev/data/c89:@{int} r,          # For I2C bus interface
-  @{run}/udev/data/c202:@{int} r,         # CPU model-specific registers
-  @{run}/udev/data/c203:@{int} r,         # CPU CPUID information
-  @{run}/udev/data/c226:@{int} r,         # For /dev/dri/card[0-9]*
-  @{run}/udev/data/c@{dynamic}:@{int} r,  # For dynamic assignment range 234 to 254, 384 to 511
+  @{run}/udev/data/+*:* r,
+  @{run}/udev/data/c@{int}:@{int} r,
 
   @{sys}/bus/ r,
   @{sys}/bus/*/devices/ r,

apparmor.d/groups/kde/dolphin

@@ -29,6 +29,9 @@ profile dolphin @{exec_path} {
 
   @{exec_path} mr,
 
+  @{lib}/libheif/            r,
+  @{lib}/libheif/*.so*      mr,
+
   @{bin}/ldd            rix,
   @{bin}/lsb_release    rPx -> lsb_release,
   @{lib}/{,@{multiarch}/}utempter/utempter rPx,
@@ -81,8 +84,10 @@ profile dolphin @{exec_path} {
   owner @{user_config_dirs}/dolphinrc.@{rand6} rwl -> @{user_config_dirs}/#@{int},
   owner @{user_config_dirs}/dolphinrc.lock rwk,
   owner @{user_config_dirs}/kde.org/#@{int} rw,
-  owner @{user_config_dirs}/kde.org/UserFeedback.org.kde.dolphin.conf{,.*} rwlk -> @{user_config_dirs}/kde.org/#@{int},
   owner @{user_config_dirs}/kde.org/UserFeedback.org.kde.dolphin.conf.lock rwk,
+  owner @{user_config_dirs}/kde.org/UserFeedback.org.kde.dolphin.conf{,.*} rwlk -> @{user_config_dirs}/kde.org/#@{int},
+  owner @{user_config_dirs}/knfsshare.{,.@{rand6}} rwk,
+  owner @{user_config_dirs}/knfsshare.lock rwk,
 
   owner @{user_config_dirs}/session/ rw,
   owner @{user_config_dirs}/session/#@{int} rw,
@@ -93,44 +98,15 @@ profile dolphin @{exec_path} {
 
   owner @{user_state_dirs}/dolphinstaterc{,.*} rwlk -> @{user_state_dirs}/#@{int},
 
-  owner @{tmp}/dolphin.@{rand6} rwl,
+  owner @{tmp}/dolphin.@{rand6}{,.lock} rwlk,
 
         @{run}/issue r,
         @{run}/mount/utab r,
   owner @{run}/user/@{uid}/#@{int} rw,
   owner @{run}/user/@{uid}/dolphin@{rand6}.@{int}.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int},
 
-  @{run}/udev/data/+acpi:* r,             # for acpi
-  @{run}/udev/data/+backlight:* r,
-  @{run}/udev/data/+bluetooth:* r,
-  @{run}/udev/data/+dmi* r,               # for motherboard info
-  @{run}/udev/data/+drm:card@{int}-* r,   # For screen outputs
-  @{run}/udev/data/+hid:* r,              # for HID-Compliant Keyboard
-  @{run}/udev/data/+i2c:* r,
-  @{run}/udev/data/+input:input@{int} r,  # for mouse, keyboard, touchpad
-  @{run}/udev/data/+leds:* r,
-  @{run}/udev/data/+pci:* r,              # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.)
-  @{run}/udev/data/+platform:* r,
-  @{run}/udev/data/+power_supply* r,
-  @{run}/udev/data/+rfkill:* r,
-  @{run}/udev/data/+sound:card@{int} r,   # for sound card
-
-  @{run}/udev/data/c1:@{int}    r,        # For RAM disk
-  @{run}/udev/data/c4:@{int} r,           # For TTY devices
-  @{run}/udev/data/c5:@{int}   r,         # for /dev/tty, /dev/console, /dev/ptmx
-  @{run}/udev/data/c7:@{int} r,           # For Virtual console capture devices
-  @{run}/udev/data/c10:@{int} r,          # for non-serial mice, misc features
-  @{run}/udev/data/c116:@{int} r,         # For ALSA
-  @{run}/udev/data/c13:@{int}  r,         # For /dev/input/*
-  @{run}/udev/data/c18[0,8,9]:@{int} r,   # USB devices & USB serial converters
-  @{run}/udev/data/c29:@{int} r,          # For /dev/fb[0-9]*
-  @{run}/udev/data/c81:@{int}  r,         # For video4linux
-  @{run}/udev/data/c89:@{int} r,          # For I2C bus interface
-  @{run}/udev/data/c90:@{int} r,          # For RAM, ROM, Flash
-  @{run}/udev/data/c202:@{int} r,         # CPU model-specific registers
-  @{run}/udev/data/c203:@{int} r,         # CPU CPUID information
-  @{run}/udev/data/c226:@{int} r,         # For /dev/dri/card[0-9]*
-  @{run}/udev/data/c@{dynamic}:@{int} r,  # For dynamic assignment range 234 to 254, 384 to 511
+  @{run}/udev/data/+*:* r,
+  @{run}/udev/data/c@{int}:@{int} r,
 
   @{sys}/bus/ r,
   @{sys}/bus/*/devices/ r,

apparmor.d/groups/kde/kalendarac

@@ -25,6 +25,7 @@ profile kalendarac @{exec_path} {
 
   owner @{user_config_dirs}/#@{int} rw,
   owner @{user_config_dirs}/akonadi-firstrunrc r,
+  owner @{user_config_dirs}/akonadi/ rw,
   owner @{user_config_dirs}/akonadi/akonadiconnectionrc r,
   owner @{user_config_dirs}/emaildefaults r,
   owner @{user_config_dirs}/emailidentities r,

apparmor.d/groups/kde/kcminit

@@ -26,6 +26,8 @@ profile kcminit @{exec_path} {
   owner @{user_config_dirs}/#@{int} rw,
   owner @{user_config_dirs}/gtkrc-2.0{,.@{rand6}} rwl,
   owner @{user_config_dirs}/gtkrc{,.@{rand6}} rwl,
+  owner @{user_config_dirs}/kcminputrc{,.@{rand6}} rwl,
+  owner @{user_config_dirs}/kcminputrc.lock rwk,
   owner @{user_config_dirs}/kgammarc r,
   owner @{user_config_dirs}/touchpadrc r,
   owner @{user_config_dirs}/touchpadxlibinputrc r,

apparmor.d/groups/kde/kconf_update

@@ -32,14 +32,15 @@ profile kconf_update @{exec_path} {
   @{bin}/qtchooser                       rPx,
   @{lib}/kconf_update_bin/*              rix,
   @{lib}/@{multiarch}/kconf_update_bin/* rix,
+  @{lib}/qt6/bin/qtpaths                 rix,
   /usr/share/kconf_update/*.py           rix,
   /usr/share/kconf_update/*.sh           rix,
 
   /usr/share/kconf_update/{,**} r,
   /usr/share/kglobalaccel/org.kde.krunner.desktop r,
 
-  /etc/xdg/konsolerc r,
-  /etc/xdg/ui/ui_standards.rc r,
+  /etc/xdg/*rc r,
+  /etc/xdg/ui/*rc r,
 
   /etc/machine-id r,
   /var/lib/dbus/machine-id r,

apparmor.d/groups/kde/kded

@@ -55,6 +55,7 @@ profile kded @{exec_path} {
   @{bin}/pgrep              rCx -> pgrep,
   @{bin}/plasma-welcome    rPUx,
   @{python_path}            rix,
+  @{bin}/flatpak            rPx,
   @{bin}/setxkbmap          rix,
   @{bin}/xmodmap           rPUx,
   @{bin}/xrdb               rPx,
@@ -87,6 +88,12 @@ profile kded @{exec_path} {
   owner @{HOME}/ r,
   owner @{HOME}/.gtkrc-2.0 rw,
 
+  owner @{HOME}/.var/ w,
+  owner @{HOME}/.var/app/ w,
+  owner @{HOME}/.var/app/org.mozilla.firefox/**/ w,
+  owner @{HOME}/.var/app/org.mozilla.firefox/.mozilla/native-messaging-hosts/org.kde.plasma.browser_integration.json w,
+  owner @{HOME}/.var/app/org.mozilla.firefox/plasma-browser-integration-host w,
+
         @{user_cache_dirs}/ksycoca{5,6}_* rwlk -> @{user_cache_dirs}/#@{int},
   owner @{user_cache_dirs}/plasmashell/ rw,
   owner @{user_cache_dirs}/plasmashell/** rwlk ->  @{user_cache_dirs}/plasmashell/**,
@@ -120,7 +127,7 @@ profile kded @{exec_path} {
   owner @{user_share_dirs}/user-places.xbel r,
 
   owner @{user_state_dirs}/#@{int} rw,
-  owner @{user_state_dirs}/plasmashellstaterc{,*} rwlk,
+  owner @{user_state_dirs}/plasmashellstaterc{,*} rwlk -> @{user_state_dirs}/#@{int},
 
         @{run}/mount/utab r,
         @{run}/udev/data/c189:@{int} r,                # for /dev/bus/usb/**

apparmor.d/groups/kde/kiod

@@ -10,6 +10,7 @@ include <tunables/global>
 @{exec_path} += @{lib}/@{multiarch}/{,libexec/}kf{5,6}/kiod{5,6}
 profile kiod @{exec_path} {
   include <abstractions/base>
+  include <abstractions/devices-usb-read>
   include <abstractions/graphics>
   include <abstractions/kde-strict>
   include <abstractions/nameservice-strict>

apparmor.d/groups/kde/kioworker

@@ -42,7 +42,7 @@ profile kioworker @{exec_path} {
 
   #aa:exec kio_http_cache_cleaner
 
-  /usr/share/kio_desktop/directory.desktop r,
+  /usr/share/kio_desktop/{,**} r,
   /usr/share/kservices{5,6}/{,**} r,
   /usr/share/kservicetypes{5,6}/*.desktop r,
   /usr/share/remoteview/* r,
@@ -56,6 +56,8 @@ profile kioworker @{exec_path} {
   /*/ r,
   @{bin}/ r,
   @{bin}/* r,
+  @{sbin}/ r,
+  @{sbin}/* r,
   @{lib}/ r,
   @{MOUNTDIRS}/ r,
   @{MOUNTS}/ r,

apparmor.d/groups/kde/ksplashqml

@@ -14,11 +14,14 @@ profile ksplashqml @{exec_path} {
   include <abstractions/nameservice-strict>
   include <abstractions/qt5-shader-cache>
 
+  ptrace read peer=startplasma,
+
   @{exec_path} mr,
 
   @{lib}/libheif/            r,
   @{lib}/libheif/*.so*      rm,
 
+  /usr/share/color-schemes/* r,
   /usr/share/plasma/** r,
 
   /etc/machine-id r,

apparmor.d/groups/kde/startplasma

@@ -40,6 +40,7 @@ profile startplasma @{exec_path} {
   /etc/machine-id r,
   /etc/xdg/menus/{,**} r,
   /etc/xdg/plasma-workspace/env/{,*} r,
+  /etc/xdg/plasmarc r,
 
   /var/lib/flatpak/exports/share/mime/ r,