From 3cc39debfb5544872af9a6c468720e5eca97f5a2 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 1 May 2025 20:27:03 +0200 Subject: [PATCH] feat(profile): improve kde integration. --- apparmor.d/groups/kde/DiscoverNotifier | 2 +- apparmor.d/groups/kde/baloo | 17 +---------- apparmor.d/groups/kde/baloorunner | 29 ++---------------- apparmor.d/groups/kde/dolphin | 42 ++++++-------------------- apparmor.d/groups/kde/kalendarac | 1 + apparmor.d/groups/kde/kcminit | 2 ++ apparmor.d/groups/kde/kconf_update | 5 +-- apparmor.d/groups/kde/kded | 9 +++++- apparmor.d/groups/kde/kiod | 1 + apparmor.d/groups/kde/kioworker | 4 ++- apparmor.d/groups/kde/ksplashqml | 3 ++ apparmor.d/groups/kde/startplasma | 1 + 12 files changed, 35 insertions(+), 81 deletions(-) diff --git a/apparmor.d/groups/kde/DiscoverNotifier b/apparmor.d/groups/kde/DiscoverNotifier index 197f90f88..3ec36976d 100644 --- a/apparmor.d/groups/kde/DiscoverNotifier +++ b/apparmor.d/groups/kde/DiscoverNotifier @@ -41,7 +41,7 @@ profile DiscoverNotifier @{exec_path} { /var/cache/swcatalog/cache/ w, /var/cache/swcatalog/xml/{,**} r, - owner @{user_cache_dirs}/appstream/ r, + owner @{user_cache_dirs}/appstream/ rw, owner @{user_cache_dirs}/appstream/** rw, owner @{user_cache_dirs}/flatpak/{,**} rw, diff --git a/apparmor.d/groups/kde/baloo b/apparmor.d/groups/kde/baloo index 5ceb04725..e53bf4039 100644 --- a/apparmor.d/groups/kde/baloo +++ b/apparmor.d/groups/kde/baloo @@ -45,22 +45,7 @@ profile baloo @{exec_path} { @{run}/mount/utab r, @{run}/udev/data/+*:* r, - - @{run}/udev/data/c1:@{int} r, # For RAM disk - @{run}/udev/data/c4:@{int} r, # For TTY devices - @{run}/udev/data/c5:@{int} r, # for /dev/tty, /dev/console, /dev/ptmx - @{run}/udev/data/c7:@{int} r, # For Virtual console capture devices - @{run}/udev/data/c10:@{int} r, # For non-serial mice, misc features - @{run}/udev/data/c13:@{int} r, # For /dev/input/* - @{run}/udev/data/c29:@{int} r, # For /dev/fb[0-9]* - @{run}/udev/data/c81:@{int} r, # For video4linux - @{run}/udev/data/c89:@{int} r, # For I2C bus interface - @{run}/udev/data/c99:@{int} r, # For raw parallel ports /dev/parport* - @{run}/udev/data/c116:@{int} r, # For ALSA - @{run}/udev/data/c202:@{int} r, # CPU model-specific registers - @{run}/udev/data/c203:@{int} r, # CPU CPUID information - @{run}/udev/data/c226:@{int} r, # For /dev/dri/card[0-9]* - @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 + @{run}/udev/data/c@{int}:@{int} r, @{sys}/bus/ r, @{sys}/bus/*/devices/ r, diff --git a/apparmor.d/groups/kde/baloorunner b/apparmor.d/groups/kde/baloorunner index e3fca1f8f..8410408b3 100644 --- a/apparmor.d/groups/kde/baloorunner +++ b/apparmor.d/groups/kde/baloorunner @@ -28,33 +28,8 @@ profile baloorunner @{exec_path} { /tmp/ r, - @{run}/udev/data/+acpi:* r, # for acpi - @{run}/udev/data/+bluetooth:* r, - @{run}/udev/data/+dmi* r, # for motherboard info - @{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard - @{run}/udev/data/+i2c:* r, - @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad - @{run}/udev/data/+leds:* r, - @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) - @{run}/udev/data/+platform:* r, - @{run}/udev/data/+power_supply* r, - @{run}/udev/data/+rfkill:* r, - @{run}/udev/data/+sound:card@{int} r, # for sound card - - @{run}/udev/data/c1:@{int} r, # For RAM disk - @{run}/udev/data/c4:@{int} r, # For TTY devices - @{run}/udev/data/c5:@{int} r, # for /dev/tty, /dev/console, /dev/ptmx - @{run}/udev/data/c7:@{int} r, # For Virtual console capture devices - @{run}/udev/data/c10:@{int} r, # for non-serial mice, misc features - @{run}/udev/data/c116:@{int} r, # For ALSA - @{run}/udev/data/c13:@{int} r, # For /dev/input/* - @{run}/udev/data/c18[0,8,9]:@{int} r, # USB devices & USB serial converters - @{run}/udev/data/c29:@{int} r, # For /dev/fb[0-9]* - @{run}/udev/data/c89:@{int} r, # For I2C bus interface - @{run}/udev/data/c202:@{int} r, # CPU model-specific registers - @{run}/udev/data/c203:@{int} r, # CPU CPUID information - @{run}/udev/data/c226:@{int} r, # For /dev/dri/card[0-9]* - @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 + @{run}/udev/data/+*:* r, + @{run}/udev/data/c@{int}:@{int} r, @{sys}/bus/ r, @{sys}/bus/*/devices/ r, diff --git a/apparmor.d/groups/kde/dolphin b/apparmor.d/groups/kde/dolphin index 93780d889..802ba0a96 100644 --- a/apparmor.d/groups/kde/dolphin +++ b/apparmor.d/groups/kde/dolphin @@ -29,6 +29,9 @@ profile dolphin @{exec_path} { @{exec_path} mr, + @{lib}/libheif/ r, + @{lib}/libheif/*.so* mr, + @{bin}/ldd rix, @{bin}/lsb_release rPx -> lsb_release, @{lib}/{,@{multiarch}/}utempter/utempter rPx, @@ -81,8 +84,10 @@ profile dolphin @{exec_path} { owner @{user_config_dirs}/dolphinrc.@{rand6} rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/dolphinrc.lock rwk, owner @{user_config_dirs}/kde.org/#@{int} rw, - owner @{user_config_dirs}/kde.org/UserFeedback.org.kde.dolphin.conf{,.*} rwlk -> @{user_config_dirs}/kde.org/#@{int}, owner @{user_config_dirs}/kde.org/UserFeedback.org.kde.dolphin.conf.lock rwk, + owner @{user_config_dirs}/kde.org/UserFeedback.org.kde.dolphin.conf{,.*} rwlk -> @{user_config_dirs}/kde.org/#@{int}, + owner @{user_config_dirs}/knfsshare.{,.@{rand6}} rwk, + owner @{user_config_dirs}/knfsshare.lock rwk, owner @{user_config_dirs}/session/ rw, owner @{user_config_dirs}/session/#@{int} rw, @@ -93,44 +98,15 @@ profile dolphin @{exec_path} { owner @{user_state_dirs}/dolphinstaterc{,.*} rwlk -> @{user_state_dirs}/#@{int}, - owner @{tmp}/dolphin.@{rand6} rwl, + owner @{tmp}/dolphin.@{rand6}{,.lock} rwlk, @{run}/issue r, @{run}/mount/utab r, owner @{run}/user/@{uid}/#@{int} rw, owner @{run}/user/@{uid}/dolphin@{rand6}.@{int}.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int}, - @{run}/udev/data/+acpi:* r, # for acpi - @{run}/udev/data/+backlight:* r, - @{run}/udev/data/+bluetooth:* r, - @{run}/udev/data/+dmi* r, # for motherboard info - @{run}/udev/data/+drm:card@{int}-* r, # For screen outputs - @{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard - @{run}/udev/data/+i2c:* r, - @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad - @{run}/udev/data/+leds:* r, - @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) - @{run}/udev/data/+platform:* r, - @{run}/udev/data/+power_supply* r, - @{run}/udev/data/+rfkill:* r, - @{run}/udev/data/+sound:card@{int} r, # for sound card - - @{run}/udev/data/c1:@{int} r, # For RAM disk - @{run}/udev/data/c4:@{int} r, # For TTY devices - @{run}/udev/data/c5:@{int} r, # for /dev/tty, /dev/console, /dev/ptmx - @{run}/udev/data/c7:@{int} r, # For Virtual console capture devices - @{run}/udev/data/c10:@{int} r, # for non-serial mice, misc features - @{run}/udev/data/c116:@{int} r, # For ALSA - @{run}/udev/data/c13:@{int} r, # For /dev/input/* - @{run}/udev/data/c18[0,8,9]:@{int} r, # USB devices & USB serial converters - @{run}/udev/data/c29:@{int} r, # For /dev/fb[0-9]* - @{run}/udev/data/c81:@{int} r, # For video4linux - @{run}/udev/data/c89:@{int} r, # For I2C bus interface - @{run}/udev/data/c90:@{int} r, # For RAM, ROM, Flash - @{run}/udev/data/c202:@{int} r, # CPU model-specific registers - @{run}/udev/data/c203:@{int} r, # CPU CPUID information - @{run}/udev/data/c226:@{int} r, # For /dev/dri/card[0-9]* - @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 + @{run}/udev/data/+*:* r, + @{run}/udev/data/c@{int}:@{int} r, @{sys}/bus/ r, @{sys}/bus/*/devices/ r, diff --git a/apparmor.d/groups/kde/kalendarac b/apparmor.d/groups/kde/kalendarac index 661090bc1..a45652c7b 100644 --- a/apparmor.d/groups/kde/kalendarac +++ b/apparmor.d/groups/kde/kalendarac @@ -25,6 +25,7 @@ profile kalendarac @{exec_path} { owner @{user_config_dirs}/#@{int} rw, owner @{user_config_dirs}/akonadi-firstrunrc r, + owner @{user_config_dirs}/akonadi/ rw, owner @{user_config_dirs}/akonadi/akonadiconnectionrc r, owner @{user_config_dirs}/emaildefaults r, owner @{user_config_dirs}/emailidentities r, diff --git a/apparmor.d/groups/kde/kcminit b/apparmor.d/groups/kde/kcminit index 93378bf76..e11de6a48 100644 --- a/apparmor.d/groups/kde/kcminit +++ b/apparmor.d/groups/kde/kcminit @@ -26,6 +26,8 @@ profile kcminit @{exec_path} { owner @{user_config_dirs}/#@{int} rw, owner @{user_config_dirs}/gtkrc-2.0{,.@{rand6}} rwl, owner @{user_config_dirs}/gtkrc{,.@{rand6}} rwl, + owner @{user_config_dirs}/kcminputrc{,.@{rand6}} rwl, + owner @{user_config_dirs}/kcminputrc.lock rwk, owner @{user_config_dirs}/kgammarc r, owner @{user_config_dirs}/touchpadrc r, owner @{user_config_dirs}/touchpadxlibinputrc r, diff --git a/apparmor.d/groups/kde/kconf_update b/apparmor.d/groups/kde/kconf_update index 49da5e3ca..ee42fef98 100644 --- a/apparmor.d/groups/kde/kconf_update +++ b/apparmor.d/groups/kde/kconf_update @@ -32,14 +32,15 @@ profile kconf_update @{exec_path} { @{bin}/qtchooser rPx, @{lib}/kconf_update_bin/* rix, @{lib}/@{multiarch}/kconf_update_bin/* rix, + @{lib}/qt6/bin/qtpaths rix, /usr/share/kconf_update/*.py rix, /usr/share/kconf_update/*.sh rix, /usr/share/kconf_update/{,**} r, /usr/share/kglobalaccel/org.kde.krunner.desktop r, - /etc/xdg/konsolerc r, - /etc/xdg/ui/ui_standards.rc r, + /etc/xdg/*rc r, + /etc/xdg/ui/*rc r, /etc/machine-id r, /var/lib/dbus/machine-id r, diff --git a/apparmor.d/groups/kde/kded b/apparmor.d/groups/kde/kded index 9efaec4fc..c9fa538df 100644 --- a/apparmor.d/groups/kde/kded +++ b/apparmor.d/groups/kde/kded @@ -55,6 +55,7 @@ profile kded @{exec_path} { @{bin}/pgrep rCx -> pgrep, @{bin}/plasma-welcome rPUx, @{python_path} rix, + @{bin}/flatpak rPx, @{bin}/setxkbmap rix, @{bin}/xmodmap rPUx, @{bin}/xrdb rPx, @@ -87,6 +88,12 @@ profile kded @{exec_path} { owner @{HOME}/ r, owner @{HOME}/.gtkrc-2.0 rw, + owner @{HOME}/.var/ w, + owner @{HOME}/.var/app/ w, + owner @{HOME}/.var/app/org.mozilla.firefox/**/ w, + owner @{HOME}/.var/app/org.mozilla.firefox/.mozilla/native-messaging-hosts/org.kde.plasma.browser_integration.json w, + owner @{HOME}/.var/app/org.mozilla.firefox/plasma-browser-integration-host w, + @{user_cache_dirs}/ksycoca{5,6}_* rwlk -> @{user_cache_dirs}/#@{int}, owner @{user_cache_dirs}/plasmashell/ rw, owner @{user_cache_dirs}/plasmashell/** rwlk -> @{user_cache_dirs}/plasmashell/**, @@ -120,7 +127,7 @@ profile kded @{exec_path} { owner @{user_share_dirs}/user-places.xbel r, owner @{user_state_dirs}/#@{int} rw, - owner @{user_state_dirs}/plasmashellstaterc{,*} rwlk, + owner @{user_state_dirs}/plasmashellstaterc{,*} rwlk -> @{user_state_dirs}/#@{int}, @{run}/mount/utab r, @{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/** diff --git a/apparmor.d/groups/kde/kiod b/apparmor.d/groups/kde/kiod index f6a7ba95a..cf9646051 100644 --- a/apparmor.d/groups/kde/kiod +++ b/apparmor.d/groups/kde/kiod @@ -10,6 +10,7 @@ include @{exec_path} += @{lib}/@{multiarch}/{,libexec/}kf{5,6}/kiod{5,6} profile kiod @{exec_path} { include + include include include include diff --git a/apparmor.d/groups/kde/kioworker b/apparmor.d/groups/kde/kioworker index 592e5811e..1d091fd09 100644 --- a/apparmor.d/groups/kde/kioworker +++ b/apparmor.d/groups/kde/kioworker @@ -42,7 +42,7 @@ profile kioworker @{exec_path} { #aa:exec kio_http_cache_cleaner - /usr/share/kio_desktop/directory.desktop r, + /usr/share/kio_desktop/{,**} r, /usr/share/kservices{5,6}/{,**} r, /usr/share/kservicetypes{5,6}/*.desktop r, /usr/share/remoteview/* r, @@ -56,6 +56,8 @@ profile kioworker @{exec_path} { /*/ r, @{bin}/ r, @{bin}/* r, + @{sbin}/ r, + @{sbin}/* r, @{lib}/ r, @{MOUNTDIRS}/ r, @{MOUNTS}/ r, diff --git a/apparmor.d/groups/kde/ksplashqml b/apparmor.d/groups/kde/ksplashqml index be59fe842..13f1216a5 100644 --- a/apparmor.d/groups/kde/ksplashqml +++ b/apparmor.d/groups/kde/ksplashqml @@ -14,11 +14,14 @@ profile ksplashqml @{exec_path} { include include + ptrace read peer=startplasma, + @{exec_path} mr, @{lib}/libheif/ r, @{lib}/libheif/*.so* rm, + /usr/share/color-schemes/* r, /usr/share/plasma/** r, /etc/machine-id r, diff --git a/apparmor.d/groups/kde/startplasma b/apparmor.d/groups/kde/startplasma index 773122f57..b69d7fdb9 100644 --- a/apparmor.d/groups/kde/startplasma +++ b/apparmor.d/groups/kde/startplasma @@ -40,6 +40,7 @@ profile startplasma @{exec_path} { /etc/machine-id r, /etc/xdg/menus/{,**} r, /etc/xdg/plasma-workspace/env/{,*} r, + /etc/xdg/plasmarc r, /var/lib/flatpak/exports/share/mime/ r,