feat(profile): improve kde integration.

Alexandre Pujol 2025-05-01 20:27:03 +02:00
parent 87e82b1505
commit 3cc39debfb
No known key found for this signature in database
GPG key ID: C5469996F0DF68EC
12 changed files with 35 additions and 81 deletions


@ -41,7 +41,7 @@ profile DiscoverNotifier @{exec_path} {
/var/cache/swcatalog/cache/ w, /var/cache/swcatalog/cache/ w,
/var/cache/swcatalog/xml/{,**} r, /var/cache/swcatalog/xml/{,**} r,
owner @{user_cache_dirs}/appstream/ r, owner @{user_cache_dirs}/appstream/ rw,
owner @{user_cache_dirs}/appstream/** rw, owner @{user_cache_dirs}/appstream/** rw,
owner @{user_cache_dirs}/flatpak/{,**} rw, owner @{user_cache_dirs}/flatpak/{,**} rw,


@ -45,22 +45,7 @@ profile baloo @{exec_path} {
@{run}/mount/utab r, @{run}/mount/utab r,
@{run}/udev/data/+*:* r, @{run}/udev/data/+*:* r,
@{run}/udev/data/c@{int}:@{int} r,
@{run}/udev/data/c1:@{int} r, # For RAM disk
@{run}/udev/data/c4:@{int} r, # For TTY devices
@{run}/udev/data/c5:@{int} r, # for /dev/tty, /dev/console, /dev/ptmx
@{run}/udev/data/c7:@{int} r, # For Virtual console capture devices
@{run}/udev/data/c10:@{int} r, # For non-serial mice, misc features
@{run}/udev/data/c13:@{int} r, # For /dev/input/*
@{run}/udev/data/c29:@{int} r, # For /dev/fb[0-9]*
@{run}/udev/data/c81:@{int} r, # For video4linux
@{run}/udev/data/c89:@{int} r, # For I2C bus interface
@{run}/udev/data/c99:@{int} r, # For raw parallel ports /dev/parport*
@{run}/udev/data/c116:@{int} r, # For ALSA
@{run}/udev/data/c202:@{int} r, # CPU model-specific registers
@{run}/udev/data/c203:@{int} r, # CPU CPUID information
@{run}/udev/data/c226:@{int} r, # For /dev/dri/card[0-9]*
@{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511
@{sys}/bus/ r, @{sys}/bus/ r,
@{sys}/bus/*/devices/ r, @{sys}/bus/*/devices/ r,
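Review bot: The new `@{run}/udev/data/c@{int}:@{int} r,` rule replaces the per-major allow-list with read access to the udev records of every character device, and the comments that explained each major are lost with it. The access is read-only metadata, so the added exposure is small, but the rule is now unexplained. A trailing comment such as `# udev records of all char devices; replaces the former per-major list` would keep the intent reviewable. The same applies to the baloorunner and dolphin sections, where `@{run}/udev/data/+*:* r,` additionally replaces the enumerated subsystem list.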


@ -28,33 +28,8 @@ profile baloorunner @{exec_path} {
/tmp/ r, /tmp/ r,
@{run}/udev/data/+acpi:* r, # for acpi @{run}/udev/data/+*:* r,
@{run}/udev/data/+bluetooth:* r, @{run}/udev/data/c@{int}:@{int} r,
@{run}/udev/data/+dmi* r, # for motherboard info
@{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard
@{run}/udev/data/+i2c:* r,
@{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad
@{run}/udev/data/+leds:* r,
@{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.)
@{run}/udev/data/+platform:* r,
@{run}/udev/data/+power_supply* r,
@{run}/udev/data/+rfkill:* r,
@{run}/udev/data/+sound:card@{int} r, # for sound card
@{run}/udev/data/c1:@{int} r, # For RAM disk
@{run}/udev/data/c4:@{int} r, # For TTY devices
@{run}/udev/data/c5:@{int} r, # for /dev/tty, /dev/console, /dev/ptmx
@{run}/udev/data/c7:@{int} r, # For Virtual console capture devices
@{run}/udev/data/c10:@{int} r, # for non-serial mice, misc features
@{run}/udev/data/c116:@{int} r, # For ALSA
@{run}/udev/data/c13:@{int} r, # For /dev/input/*
@{run}/udev/data/c18[0,8,9]:@{int} r, # USB devices & USB serial converters
@{run}/udev/data/c29:@{int} r, # For /dev/fb[0-9]*
@{run}/udev/data/c89:@{int} r, # For I2C bus interface
@{run}/udev/data/c202:@{int} r, # CPU model-specific registers
@{run}/udev/data/c203:@{int} r, # CPU CPUID information
@{run}/udev/data/c226:@{int} r, # For /dev/dri/card[0-9]*
@{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511
@{sys}/bus/ r, @{sys}/bus/ r,
@{sys}/bus/*/devices/ r, @{sys}/bus/*/devices/ r,


@ -29,6 +29,9 @@ profile dolphin @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
@{lib}/libheif/ r,
@{lib}/libheif/*.so* mr,
@{bin}/ldd rix, @{bin}/ldd rix,
@{bin}/lsb_release rPx -> lsb_release, @{bin}/lsb_release rPx -> lsb_release,
@{lib}/{,@{multiarch}/}utempter/utempter rPx, @{lib}/{,@{multiarch}/}utempter/utempter rPx,
@ -81,8 +84,10 @@ profile dolphin @{exec_path} {
owner @{user_config_dirs}/dolphinrc.@{rand6} rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/dolphinrc.@{rand6} rwl -> @{user_config_dirs}/#@{int},
owner @{user_config_dirs}/dolphinrc.lock rwk, owner @{user_config_dirs}/dolphinrc.lock rwk,
owner @{user_config_dirs}/kde.org/#@{int} rw, owner @{user_config_dirs}/kde.org/#@{int} rw,
owner @{user_config_dirs}/kde.org/UserFeedback.org.kde.dolphin.conf{,.*} rwlk -> @{user_config_dirs}/kde.org/#@{int},
owner @{user_config_dirs}/kde.org/UserFeedback.org.kde.dolphin.conf.lock rwk, owner @{user_config_dirs}/kde.org/UserFeedback.org.kde.dolphin.conf.lock rwk,
owner @{user_config_dirs}/kde.org/UserFeedback.org.kde.dolphin.conf{,.*} rwlk -> @{user_config_dirs}/kde.org/#@{int},
owner @{user_config_dirs}/knfsshare.{,.@{rand6}} rwk,
owner @{user_config_dirs}/knfsshare.lock rwk,
owner @{user_config_dirs}/session/ rw, owner @{user_config_dirs}/session/ rw,
owner @{user_config_dirs}/session/#@{int} rw, owner @{user_config_dirs}/session/#@{int} rw,
@ -93,44 +98,15 @@ profile dolphin @{exec_path} {
owner @{user_state_dirs}/dolphinstaterc{,.*} rwlk -> @{user_state_dirs}/#@{int}, owner @{user_state_dirs}/dolphinstaterc{,.*} rwlk -> @{user_state_dirs}/#@{int},
owner @{tmp}/dolphin.@{rand6} rwl, owner @{tmp}/dolphin.@{rand6}{,.lock} rwlk,
@{run}/issue r, @{run}/issue r,
@{run}/mount/utab r, @{run}/mount/utab r,
owner @{run}/user/@{uid}/#@{int} rw, owner @{run}/user/@{uid}/#@{int} rw,
owner @{run}/user/@{uid}/dolphin@{rand6}.@{int}.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int}, owner @{run}/user/@{uid}/dolphin@{rand6}.@{int}.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int},
@{run}/udev/data/+acpi:* r, # for acpi @{run}/udev/data/+*:* r,
@{run}/udev/data/+backlight:* r, @{run}/udev/data/c@{int}:@{int} r,
@{run}/udev/data/+bluetooth:* r,
@{run}/udev/data/+dmi* r, # for motherboard info
@{run}/udev/data/+drm:card@{int}-* r, # For screen outputs
@{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard
@{run}/udev/data/+i2c:* r,
@{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad
@{run}/udev/data/+leds:* r,
@{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.)
@{run}/udev/data/+platform:* r,
@{run}/udev/data/+power_supply* r,
@{run}/udev/data/+rfkill:* r,
@{run}/udev/data/+sound:card@{int} r, # for sound card
@{run}/udev/data/c1:@{int} r, # For RAM disk
@{run}/udev/data/c4:@{int} r, # For TTY devices
@{run}/udev/data/c5:@{int} r, # for /dev/tty, /dev/console, /dev/ptmx
@{run}/udev/data/c7:@{int} r, # For Virtual console capture devices
@{run}/udev/data/c10:@{int} r, # for non-serial mice, misc features
@{run}/udev/data/c116:@{int} r, # For ALSA
@{run}/udev/data/c13:@{int} r, # For /dev/input/*
@{run}/udev/data/c18[0,8,9]:@{int} r, # USB devices & USB serial converters
@{run}/udev/data/c29:@{int} r, # For /dev/fb[0-9]*
@{run}/udev/data/c81:@{int} r, # For video4linux
@{run}/udev/data/c89:@{int} r, # For I2C bus interface
@{run}/udev/data/c90:@{int} r, # For RAM, ROM, Flash
@{run}/udev/data/c202:@{int} r, # CPU model-specific registers
@{run}/udev/data/c203:@{int} r, # CPU CPUID information
@{run}/udev/data/c226:@{int} r, # For /dev/dri/card[0-9]*
@{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511
@{sys}/bus/ r, @{sys}/bus/ r,
@{sys}/bus/*/devices/ r, @{sys}/bus/*/devices/ r,
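Review bot: The added rule `owner @{user_config_dirs}/knfsshare.{,.@{rand6}} rwk,` looks mistyped: with the dot before the brace it matches `knfsshare.` and `knfsshare..XXXXXX`, not `knfsshare` or `knfsshare.XXXXXX`. The other config rules in this commit use the form `name{,.@{rand6}}`, so it was presumably meant as `owner @{user_config_dirs}/knfsshare{,.@{rand6}} rwk,`. As written, the intended file stays denied while two unintended names are allowed. Whether it also needs `l` and a `-> @{user_config_dirs}/#@{int}` target, like the neighbouring UserFeedback rule, should be confirmed against the audit log.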


@ -25,6 +25,7 @@ profile kalendarac @{exec_path} {
owner @{user_config_dirs}/#@{int} rw, owner @{user_config_dirs}/#@{int} rw,
owner @{user_config_dirs}/akonadi-firstrunrc r, owner @{user_config_dirs}/akonadi-firstrunrc r,
owner @{user_config_dirs}/akonadi/ rw,
owner @{user_config_dirs}/akonadi/akonadiconnectionrc r, owner @{user_config_dirs}/akonadi/akonadiconnectionrc r,
owner @{user_config_dirs}/emaildefaults r, owner @{user_config_dirs}/emaildefaults r,
owner @{user_config_dirs}/emailidentities r, owner @{user_config_dirs}/emailidentities r,


@ -26,6 +26,8 @@ profile kcminit @{exec_path} {
owner @{user_config_dirs}/#@{int} rw, owner @{user_config_dirs}/#@{int} rw,
owner @{user_config_dirs}/gtkrc-2.0{,.@{rand6}} rwl, owner @{user_config_dirs}/gtkrc-2.0{,.@{rand6}} rwl,
owner @{user_config_dirs}/gtkrc{,.@{rand6}} rwl, owner @{user_config_dirs}/gtkrc{,.@{rand6}} rwl,
owner @{user_config_dirs}/kcminputrc{,.@{rand6}} rwl,
owner @{user_config_dirs}/kcminputrc.lock rwk,
owner @{user_config_dirs}/kgammarc r, owner @{user_config_dirs}/kgammarc r,
owner @{user_config_dirs}/touchpadrc r, owner @{user_config_dirs}/touchpadrc r,
owner @{user_config_dirs}/touchpadxlibinputrc r, owner @{user_config_dirs}/touchpadxlibinputrc r,


@ -32,14 +32,15 @@ profile kconf_update @{exec_path} {
@{bin}/qtchooser rPx, @{bin}/qtchooser rPx,
@{lib}/kconf_update_bin/* rix, @{lib}/kconf_update_bin/* rix,
@{lib}/@{multiarch}/kconf_update_bin/* rix, @{lib}/@{multiarch}/kconf_update_bin/* rix,
@{lib}/qt6/bin/qtpaths rix,
/usr/share/kconf_update/*.py rix, /usr/share/kconf_update/*.py rix,
/usr/share/kconf_update/*.sh rix, /usr/share/kconf_update/*.sh rix,
/usr/share/kconf_update/{,**} r, /usr/share/kconf_update/{,**} r,
/usr/share/kglobalaccel/org.kde.krunner.desktop r, /usr/share/kglobalaccel/org.kde.krunner.desktop r,
/etc/xdg/konsolerc r, /etc/xdg/*rc r,
/etc/xdg/ui/ui_standards.rc r, /etc/xdg/ui/*rc r,
/etc/machine-id r, /etc/machine-id r,
/var/lib/dbus/machine-id r, /var/lib/dbus/machine-id r,


@ -55,6 +55,7 @@ profile kded @{exec_path} {
@{bin}/pgrep rCx -> pgrep, @{bin}/pgrep rCx -> pgrep,
@{bin}/plasma-welcome rPUx, @{bin}/plasma-welcome rPUx,
@{python_path} rix, @{python_path} rix,
@{bin}/flatpak rPx,
@{bin}/setxkbmap rix, @{bin}/setxkbmap rix,
@{bin}/xmodmap rPUx, @{bin}/xmodmap rPUx,
@{bin}/xrdb rPx, @{bin}/xrdb rPx,
@ -87,6 +88,12 @@ profile kded @{exec_path} {
owner @{HOME}/ r, owner @{HOME}/ r,
owner @{HOME}/.gtkrc-2.0 rw, owner @{HOME}/.gtkrc-2.0 rw,
owner @{HOME}/.var/ w,
owner @{HOME}/.var/app/ w,
owner @{HOME}/.var/app/org.mozilla.firefox/**/ w,
owner @{HOME}/.var/app/org.mozilla.firefox/.mozilla/native-messaging-hosts/org.kde.plasma.browser_integration.json w,
owner @{HOME}/.var/app/org.mozilla.firefox/plasma-browser-integration-host w,
@{user_cache_dirs}/ksycoca{5,6}_* rwlk -> @{user_cache_dirs}/#@{int}, @{user_cache_dirs}/ksycoca{5,6}_* rwlk -> @{user_cache_dirs}/#@{int},
owner @{user_cache_dirs}/plasmashell/ rw, owner @{user_cache_dirs}/plasmashell/ rw,
owner @{user_cache_dirs}/plasmashell/** rwlk -> @{user_cache_dirs}/plasmashell/**, owner @{user_cache_dirs}/plasmashell/** rwlk -> @{user_cache_dirs}/plasmashell/**,
@ -120,7 +127,7 @@ profile kded @{exec_path} {
owner @{user_share_dirs}/user-places.xbel r, owner @{user_share_dirs}/user-places.xbel r,
owner @{user_state_dirs}/#@{int} rw, owner @{user_state_dirs}/#@{int} rw,
owner @{user_state_dirs}/plasmashellstaterc{,*} rwlk, owner @{user_state_dirs}/plasmashellstaterc{,*} rwlk -> @{user_state_dirs}/#@{int},
@{run}/mount/utab r, @{run}/mount/utab r,
@{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/** @{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/**
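Review bot: The added `owner @{HOME}/.var/app/org.mozilla.firefox/**/ w,` lets kded create directories anywhere in the Firefox Flatpak data tree, although the two file rules below it only need the app directory and `.mozilla/native-messaging-hosts/`. These paths hold a native-messaging manifest and host that the browser will presumably trust and launch, so the write scope is worth keeping tight. `owner @{HOME}/.var/app/org.mozilla.firefox/{,.mozilla/{,native-messaging-hosts/}} w,` would cover just the directories on that path. A comment above the block, e.g. `# plasma-browser-integration: install the native messaging host into the Firefox Flatpak`, would explain why kded writes into another application's data. It could also say why `@{bin}/flatpak rPx,` was added in the first hunk, presumably for the same feature (confirm).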


@ -10,6 +10,7 @@ include <tunables/global>
@{exec_path} += @{lib}/@{multiarch}/{,libexec/}kf{5,6}/kiod{5,6} @{exec_path} += @{lib}/@{multiarch}/{,libexec/}kf{5,6}/kiod{5,6}
profile kiod @{exec_path} { profile kiod @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/devices-usb-read>
include <abstractions/graphics> include <abstractions/graphics>
include <abstractions/kde-strict> include <abstractions/kde-strict>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>


@ -42,7 +42,7 @@ profile kioworker @{exec_path} {
#aa:exec kio_http_cache_cleaner #aa:exec kio_http_cache_cleaner
/usr/share/kio_desktop/directory.desktop r, /usr/share/kio_desktop/{,**} r,
/usr/share/kservices{5,6}/{,**} r, /usr/share/kservices{5,6}/{,**} r,
/usr/share/kservicetypes{5,6}/*.desktop r, /usr/share/kservicetypes{5,6}/*.desktop r,
/usr/share/remoteview/* r, /usr/share/remoteview/* r,
@ -56,6 +56,8 @@ profile kioworker @{exec_path} {
/*/ r, /*/ r,
@{bin}/ r, @{bin}/ r,
@{bin}/* r, @{bin}/* r,
@{sbin}/ r,
@{sbin}/* r,
@{lib}/ r, @{lib}/ r,
@{MOUNTDIRS}/ r, @{MOUNTDIRS}/ r,
@{MOUNTS}/ r, @{MOUNTS}/ r,


@ -14,11 +14,14 @@ profile ksplashqml @{exec_path} {
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/qt5-shader-cache> include <abstractions/qt5-shader-cache>
ptrace read peer=startplasma,
@{exec_path} mr, @{exec_path} mr,
@{lib}/libheif/ r, @{lib}/libheif/ r,
@{lib}/libheif/*.so* rm, @{lib}/libheif/*.so* rm,
/usr/share/color-schemes/* r,
/usr/share/plasma/** r, /usr/share/plasma/** r,
/etc/machine-id r, /etc/machine-id r,
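Review bot: The added `ptrace read peer=startplasma,` has no comment saying what ksplashqml reads from startplasma. AppArmor mediates ptrace on both sides, so the startplasma profile must also carry `ptrace readby peer=ksplashqml,`. The startplasma section of this commit only adds `/etc/xdg/plasmarc r,`, so if the readby rule is not already present outside the shown hunk, the access will still be denied. A short comment on the rule, naming what is read once confirmed from the logs, would help later audits.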


@ -40,6 +40,7 @@ profile startplasma @{exec_path} {
/etc/machine-id r, /etc/machine-id r,
/etc/xdg/menus/{,**} r, /etc/xdg/menus/{,**} r,
/etc/xdg/plasma-workspace/env/{,*} r, /etc/xdg/plasma-workspace/env/{,*} r,
/etc/xdg/plasmarc r,
/var/lib/flatpak/exports/share/mime/ r, /var/lib/flatpak/exports/share/mime/ r,