diff --git a/apparmor.d/abstractions/lxqt b/apparmor.d/abstractions/lxqt
index 913ab3eb3..902ad7649 100644
--- a/apparmor.d/abstractions/lxqt
+++ b/apparmor.d/abstractions/lxqt
@@ -17,6 +17,9 @@
 signal (receive) set=(kill, term) peer=lxqt-session,
+ ptrace read peer=lxqt-session,
+
+ /usr/share/desktop-base/{,**} r,
 /usr/share/hwdata/pnp.ids r,
 /usr/share/icu/@{int}.@{int}/*.dat r,
 /usr/share/lxqt/** r,
diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-lxqt b/apparmor.d/groups/freedesktop/xdg-desktop-portal-lxqt
new file mode 100644
index 000000000..5705d3795
--- /dev/null
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-lxqt
@@ -0,0 +1,39 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023-2024 Alexandre Pujol
+# Copyright (C) 2025 Besanon
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{lib}/xdg-desktop-portal-lxqt
+@{exec_path} += @{lib}/@{multiarch}/{,libexec/}xdg-desktop-portal-lxqt
+profile xdg-desktop-portal-lxqt @{exec_path} {
+ include
+ include
+ include
+ include
+ include
+ include
+
+ network inet dgram,
+ network inet6 dgram,
+ network inet stream,
+ network inet6 stream,
+ network netlink raw,
+
+ @{exec_path} mr,
+
+ owner @{HOME}/ r,
+
+ owner @{desktop_config_dirs}/user-dirs.dirs r,
+
+ owner @{user_cache_dirs}/xdg-desktop-portal-lxqt/{,**} rw,
+
+ /dev/tty r,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/groups/freedesktop/xdg-mime b/apparmor.d/groups/freedesktop/xdg-mime
index 9e6dbc2e0..02026c448 100644
--- a/apparmor.d/groups/freedesktop/xdg-mime
+++ b/apparmor.d/groups/freedesktop/xdg-mime
@@ -46,7 +46,7 @@ profile xdg-mime @{exec_path} flags=(attach_disconnected) {
 @{bin}/qtxdg-mat ix,
 @{bin}/dbus-send Cx -> bus,
- @{bin}/kbuildsycoca{,5} Px,
+ @{bin}/kbuildsycoca{,5,6} Px,
 @{bin}/mimetype Px,
 @{bin}/vendor_perl/mimetype Px,
 @{bin}/xprop Px,
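Review bot: `ptrace read peer=lxqt-session,` is added to the shared lxqt abstraction, so every profile that includes it gains the right to read lxqt-session's process state (the /proc/<pid>/ entries that are gated by a ptrace-read check), not only the tool that hit the denial. An abstraction is the wrong granularity for a cross-process permission; I would move the rule into the specific profile(s) that need it, or at least put a comment above it naming the caller and the access, e.g. `# needed by <tool> to read /proc/<lxqt-session pid>/… — TODO confirm`. The hunk shows only part of the abstraction, so I cannot see from here which includers are affected.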
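Review bot: The four `network inet/inet6 dgram|stream` rules give a portal backend that only has to talk D-Bus and draw a Qt dialog outbound TCP/UDP to anywhere, and nothing else in the profile (no certificate, proxy or resolver paths) suggests it uses the network. D-Bus traffic over unix sockets is not covered by `network inet`, so these rules are not what makes the portal work; if they were copied from another portal profile rather than taken from an audit denial, drop them. If a denial does occur (Qt's bearer/network-status probing is a plausible cause, but I cannot confirm that from the diff), keep only the rule that fires and note why, e.g. `network netlink raw, # Qt network status probing — TODO confirm`.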
diff --git a/apparmor.d/groups/freedesktop/xdg-settings b/apparmor.d/groups/freedesktop/xdg-settings
index fd05bcee9..9f9655008 100644
--- a/apparmor.d/groups/freedesktop/xdg-settings
+++ b/apparmor.d/groups/freedesktop/xdg-settings
@@ -42,7 +42,7 @@ profile xdg-settings @{exec_path} flags=(attach_disconnected) {
 @{bin}/qtxdg-mat ix,
 @{bin}/dbus-send Cx -> bus,
- @{bin}/kreadconfig{,5} Px,
+ @{bin}/kreadconfig{,5,6} Px,
 @{bin}/xdg-mime Px,
 @{bin}/xprop Px,
diff --git a/apparmor.d/groups/kde/kbuildsycoca b/apparmor.d/groups/kde/kbuildsycoca
index db3aed9dc..51f145b51 100644
--- a/apparmor.d/groups/kde/kbuildsycoca
+++ b/apparmor.d/groups/kde/kbuildsycoca
@@ -7,7 +7,7 @@ abi ,
 include
-@{exec_path} = @{bin}/kbuildsycoca{,5}
+@{exec_path} = @{bin}/kbuildsycoca{,5,6}
 profile kbuildsycoca @{exec_path} flags=(attach_disconnected) {
 include
 include
diff --git a/apparmor.d/groups/kde/kglobalacceld b/apparmor.d/groups/kde/kglobalacceld
index 156bdf928..af05174ad 100644
--- a/apparmor.d/groups/kde/kglobalacceld
+++ b/apparmor.d/groups/kde/kglobalacceld
@@ -6,7 +6,7 @@ abi ,
 include
-@{exec_path} = @{bin}/kglobalaccel5 @{lib}/kglobalacceld
+@{exec_path} = @{bin}/kglobalaccel{,5,6} @{lib}/kglobalacceld
 profile kglobalacceld @{exec_path} {
 include
 include
diff --git a/apparmor.d/groups/kde/kreadconfig b/apparmor.d/groups/kde/kreadconfig
index 8ad9c4b5b..9ccff7340 100644
--- a/apparmor.d/groups/kde/kreadconfig
+++ b/apparmor.d/groups/kde/kreadconfig
@@ -6,7 +6,7 @@ abi ,
 include
-@{exec_path} = @{bin}/kreadconfig{,5}
+@{exec_path} = @{bin}/kreadconfig{5,6}
 profile kreadconfig @{exec_path} {
 include
 include
diff --git a/apparmor.d/groups/kde/kwin_wayland b/apparmor.d/groups/kde/kwin_wayland
index 224835ac2..ae34a0247 100644
--- a/apparmor.d/groups/kde/kwin_wayland
+++ b/apparmor.d/groups/kde/kwin_wayland
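Review bot: The new `@{exec_path} = @{bin}/kreadconfig{5,6}` drops the unversioned `@{bin}/kreadconfig` that the old `{,5}` alternation attached to, while the xdg-settings hunk in this same commit still dispatches `@{bin}/kreadconfig{,5,6} Px`. `Px` has no fallback: executing a plain `kreadconfig` binary that has no attached profile is denied outright, so either keep `{,5,6}` here or narrow the xdg-settings rule to `@{bin}/kreadconfig{5,6} Px,` so the two agree. The sibling kbuildsycoca hunk keeps `{,5,6}` on both sides, which is the pattern I would follow.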
@@ -54,8 +54,10 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 /usr/share/kservicetypes5/{,*.desktop} r,
 /usr/share/kwin-wayland/{,**} r,
 /usr/share/kwin/{,**} r,
+ /usr/share/kwin-wayland/{,**} r,
 /usr/share/libinput-*/{,**} r,
 /usr/share/libinput/{,**} r,
+ /usr/share/lxqt/*.conf r,
 /usr/share/pipewire/client.conf r,
 /usr/share/plasma/desktoptheme/** r,
@@ -64,7 +66,7 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 /etc/machine-id r,
 /var/lib/dbus/machine-id r,
-
+ owner /var/lib/sddm/.config/kwinoutputconfig.json rw,
 / r,
 owner @{HOME}/ r,
@@ -86,6 +88,7 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 owner @{user_cache_dirs}/ksvg-elements r,
 owner @{user_cache_dirs}/kwin/ rw,
 owner @{user_cache_dirs}/kwin/** rwkl -> @{user_cache_dirs}/kwin/**,
+ owner @{user_cache_dirs}/ksycoca{5,6}_??{_,-}* rwlk -> @{user_cache_dirs}/#@{int},
 owner @{user_cache_dirs}/plasma_theme_*.kcache rw,
 owner @{user_cache_dirs}/plasma-svgelements rw,
 owner @{user_cache_dirs}/plasma-svgelements.@{rand6} rwl -> @{user_cache_dirs}/#@{int},
@@ -104,6 +107,7 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 owner @{user_config_dirs}/kwinrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
 owner @{user_config_dirs}/kwinrulesrc r,
 owner @{user_config_dirs}/kxkbrc r,
+ owner @{user_config_dirs}/lxqt/*.conf r,
 owner @{user_config_dirs}/menus/** r,
 owner @{user_config_dirs}/plasmarc r,
 owner @{user_config_dirs}/session/* r,
diff --git a/apparmor.d/groups/lxqt/ControlPanel b/apparmor.d/groups/lxqt/ControlPanel
new file mode 100644
index 000000000..7e48e4310
--- /dev/null
+++ b/apparmor.d/groups/lxqt/ControlPanel
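Review bot: The added `/usr/share/kwin-wayland/{,**} r,` duplicates the context line two lines above it in the first hunk; the parser accepts the duplicate, but it misleads the next person auditing this profile into thinking the two rules differ. Drop the added copy and keep only the new `/usr/share/lxqt/*.conf r,`. The enclosing `profile kwin_wayland` block starts and ends outside the hunk.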
@@ -0,0 +1,34 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# Copyright (C) 2025 Besanon
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/ControlPanel
+profile ControlPanel @{exec_path} {
+ include
+ include
+ include
+ include
+ include
+ include
+
+ @{exec_path} mr,
+
+ /etc/xdg/menus/lxqt-config.menu r,
+
+ # only for xfe file manager:
+ owner @{HOME}/.foxrc/ rw,
+ owner @{HOME}/.foxrc/Desktop rw,
+
+ owner @{user_config_dirs}/lxqt/lxqt-config.conf.lock rwk,
+
+ owner /tmp/@{int} r,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/groups/lxqt/lxqt-about b/apparmor.d/groups/lxqt/lxqt-about
index 8f5830453..7dabe599f 100644
--- a/apparmor.d/groups/lxqt/lxqt-about
+++ b/apparmor.d/groups/lxqt/lxqt-about
@@ -21,6 +21,7 @@ profile lxqt-about @{exec_path} {
 owner /tmp/@{int} r,
 /dev/tty rw,
+ owner /dev/pts/@{int} rw,
 include if exists
 }
diff --git a/apparmor.d/groups/lxqt/lxqt-backlight_backend b/apparmor.d/groups/lxqt/lxqt-backlight_backend
new file mode 100644
index 000000000..9f0bd1ae7
--- /dev/null
+++ b/apparmor.d/groups/lxqt/lxqt-backlight_backend
@@ -0,0 +1,35 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# Copyright (C) 2024 Besanon
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/lxqt-backlight_backend
+profile lxqt-backlight_backend @{exec_path} {
+ include
+ include
+ include
+ include
+
+ @{exec_path} mr,
+
+ @{user_share_dirs}/sddm/xorg-session.log w,
+
+ @{sys}/class/backlight/ r,
+ @{sys}/devices/@{pci}/*_backlight/{,max_,actual_}brightness rw,
+ @{sys}/devices/@{pci}/*_backlight/{uevent,type,enabled} r,
+ @{sys}/devices/@{pci}/backlight/**/{,max_,actual_}brightness rw,
+ @{sys}/devices/@{pci}/backlight/**/{uevent,type,enabled} r,
+ @{sys}/devices/@{pci}/backlight/**/brightness rw,
+
+ owner /tmp/@{int} r,
+
+ /dev/tty rw,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
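Review bot: The two `owner @{HOME}/.foxrc/` rules, which the comment itself marks as `# only for xfe file manager:`, belong in the xfe profile rather than here: giving ControlPanel write access to another application's settings directory is exactly the cross-application leakage that per-program profiles exist to prevent. If ControlPanel really writes those files itself, say so in the comment; otherwise remove the two rules. It is also worth checking that `@{bin}/ControlPanel` is a real binary and not a symlink to lxqt-config, because AppArmor attaches on the resolved path and this profile would then never be entered — I cannot tell from the diff.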
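Review bot: `{,max_,actual_}brightness rw` grants write on `max_brightness` and `actual_brightness`, which sysfs exposes read-only, and the trailing `@{sys}/devices/@{pci}/backlight/**/brightness rw,` is already covered by the `{,max_,actual_}` line above it. For a helper that is presumably run as root through pkexec (the lxqt-config-brightness profile in this commit has a `pkexec` child), keep the write surface to the one writable file: `@{sys}/devices/@{pci}/*_backlight/brightness rw,` plus `@{sys}/devices/@{pci}/*_backlight/{max_,actual_}brightness r,`, the same split for the `backlight/**` variant, and delete the redundant last rule. A comment saying that this binary is the privileged half of the brightness tool would also help the next reader understand why it writes to sysfs at all.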
diff --git a/apparmor.d/groups/lxqt/lxqt-config b/apparmor.d/groups/lxqt/lxqt-config
new file mode 100644
index 000000000..b5194c870
--- /dev/null
+++ b/apparmor.d/groups/lxqt/lxqt-config
@@ -0,0 +1,63 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# Copyright (C) 2024 Besanon
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/lxqt-config
+profile lxqt-config @{exec_path} {
+ include
+ include
+ include
+ include
+ include
+ include
+
+ @{exec_path} mr,
+ @{open_path} rpx -> child-open,
+
+ @{bin}/lxqt-admin-user rPx,
+ @{bin}/ibus-setup rPx,
+ @{bin}/lxqt-config-monitor rPx,
+ @{bin}/pcmanfm-qt rPx,
+ @{bin}/lxqt-admin-time rPx,
+ @{bin}/lxqt-config-input rPx,
+ @{bin}/lxqt-config-locale rPx,
+ @{bin}/lxqt-config-brightness rPx,
+ @{bin}/lxqt-config-session rPx,
+ @{bin}/lxqt-config-file-associations rPx,
+ @{bin}/lxqt-config-powermanagement rPx,
+ @{bin}/lxqt-config-appearance rPx,
+ @{bin}/lxqt-config-globalkeyshortcuts rPx,
+ @{bin}/lxqt-config-notificationd rPx,
+ @{bin}/obconf-qt rPx,
+ @{bin}/nm-connection-editor rPx,
+ @{bin}/pavucontrol rPx,
+ @{bin}/pavucontrol-qt rPx,
+ @{bin}/system-config-printer rPx,
+
+ /usr/share/desktop-directories/lxqt-* r,
+
+ /etc/xdg/menus/lxqt-config.menu r,
+
+ owner @{user_config_dirs}/lxqt/ r,
+ owner @{user_config_dirs}/lxqt/#@{int} rw,
+ owner @{user_config_dirs}/lxqt/lxqt-config.conf.lock rwk,
+ owner @{user_config_dirs}/lxqt/lxqt-config.conf.@{rand6} rwl -> @{user_config_dirs}/lxqt/#@{int},
+ owner @{user_config_dirs}/lxqt/lxqt-config.conf.@{rand6} rwl -> @{user_config_dirs}/lxqt/#@{int},
+ owner @{user_config_dirs}/qt6ct/qt6ct.conf.@{rand6} rwl -> @{user_config_dirs}/qt6ct/#@{int},
+ owner @{user_config_dirs}/qt6ct/qt6ct.conf.lock rwk,
+ owner @{user_config_dirs}/qt6ct/#@{int} rw,
+ owner @{user_config_dirs}/qt6ct/qt6ct.conf rw,
+
+ owner /tmp/@{int} r,
+
+ /dev/tty rw,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
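Review bot: `@{open_path} rpx -> child-open,` uses lower-case `p`, so the environment is not scrubbed on the transition, while every other exec rule in this profile uses `rPx`; with an unscrubbed environment, loader variables such as `LD_PRELOAD` follow the child, and the usual apparmor.d form for this helper is `@{open_path} rPx -> child-open,`. Separately, the `owner @{user_config_dirs}/lxqt/lxqt-config.conf.@{rand6} rwl -> …` rule appears twice in a row; delete one copy.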
diff --git a/apparmor.d/groups/lxqt/lxqt-config-appearance b/apparmor.d/groups/lxqt/lxqt-config-appearance
new file mode 100644
index 000000000..b1511b08e
--- /dev/null
+++ b/apparmor.d/groups/lxqt/lxqt-config-appearance
@@ -0,0 +1,51 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# Copyright (C) 2024 Besanon
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/lxqt-config-appearance
+profile lxqt-config-appearance @{exec_path} {
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+
+ @{exec_path} mr,
+
+ @{bin}/gsettings rPx,
+ @{bin}/pcmanfm-qt rPx,
+ @{bin}/xsettingsd rPx,
+
+ owner @{HOME}/.gtkrc-2.0 rw,
+ owner @{HOME}/.icons/default/index.theme rw,
+ owner @{HOME}/.Xdefaults rw,
+ owner @{HOME}/.Xresources rw,
+
+ owner @{user_config_dirs}/gtk-3.0/settings.ini rw,
+ owner @{user_config_dirs}/lxqt/ r,
+ owner @{user_config_dirs}/lxqt/#@{int} rwk,
+ owner @{user_config_dirs}/lxqt/session.conf.lock rwk,
+ owner @{user_config_dirs}/lxqt/lxqt.conf.lock rwk,
+ owner @{user_config_dirs}/lxqt/lxqt.conf.@{rand6} rw,
+ owner @{user_config_dirs}/lxqt/lxqt.conf.@{rand6} l -> @{user_config_dirs}/lxqt/#*,
+ owner @{user_config_dirs}/lxqt/lxqt-config-appearance.conf.lock rwk,
+ owner @{user_config_dirs}/lxqt/lxqt-config-appearance.conf.@{rand6} rw,
+ owner @{user_config_dirs}/lxqt/lxqt-config-appearance.conf.@{rand6} l -> @{user_config_dirs}/lxqt/#@{int},
+ owner @{user_config_dirs}/pcmanfm-qt/lxqt/settings.conf r,
+
+ owner /tmp/#@{int} rw,
+ owner /tmp/lxqt-config-appearance.@{rand6} rwl -> /tmp/#@{int},
+
+ /dev/tty rw,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/groups/lxqt/lxqt-config-brightness b/apparmor.d/groups/lxqt/lxqt-config-brightness
new file mode 100644
index 000000000..ef5ef8a03
--- /dev/null
+++ b/apparmor.d/groups/lxqt/lxqt-config-brightness
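Review bot: The link target in `owner @{user_config_dirs}/lxqt/lxqt.conf.@{rand6} l -> @{user_config_dirs}/lxqt/#*,` uses `#*`, whereas the matching rule three lines below and every other QSettings-style rule in this commit use `#@{int}`; `#*` also admits any `#`-prefixed name, not just the numeric temporary file the save path creates. Change it to `l -> @{user_config_dirs}/lxqt/#@{int},` for consistency and tightness.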
@@ -0,0 +1,56 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# Copyright (C) 2024 Besanon
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/lxqt-config-brightness
+profile lxqt-config-brightness @{exec_path} {
+ include
+ include
+
+ @{exec_path} mr,
+
+ @{bin}/pkexec Cx -> pkexec,
+
+ @{sh_path} rix,
+
+ owner @{HOME}/ r,
+
+ owner /tmp/@{int} r,
+
+ @{sys}/class/backlight/ r,
+ @{sys}/devices/@{pci}/*_backlight/{,max_,actual_}brightness rw,
+ @{sys}/devices/@{pci}/*_backlight/{uevent,type,enabled} r,
+ @{sys}/devices/@{pci}/backlight/**/{,max_,actual_}brightness rw,
+ @{sys}/devices/@{pci}/backlight/**/{uevent,type,enabled} r,
+ @{sys}/devices/@{pci}/backlight/**/brightness rw,
+
+ /dev/tty rw,
+
+ profile pkexec {
+ include
+ include
+
+ @{bin}/@{bin}/lxqt-config-brightness Px,
+
+ @{etc_ro}/inputrc r,
+ @{etc_ro}/inputrc.keys r,
+
+ @{sys}/class/backlight/ r,
+ @{sys}/devices/@{pci}/*_backlight/{,max_,actual_}brightness rw,
+ @{sys}/devices/@{pci}/*_backlight/{uevent,type,enabled} r,
+ @{sys}/devices/@{pci}/backlight/**/{,max_,actual_}brightness rw,
+ @{sys}/devices/@{pci}/backlight/**/{uevent,type,enabled} r,
+ @{sys}/devices/@{pci}/backlight/**/brightness rw,
+
+ include if exists
+ }
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/groups/lxqt/lxqt-config-globalkeyshortcuts b/apparmor.d/groups/lxqt/lxqt-config-globalkeyshortcuts
new file mode 100644
index 000000000..26d2a51d4
--- /dev/null
+++ b/apparmor.d/groups/lxqt/lxqt-config-globalkeyshortcuts
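Review bot: In the `pkexec` child profile, `@{bin}/@{bin}/lxqt-config-brightness Px,` doubles the `@{bin}` variable, yielding a path that cannot exist, so the rule never matches and whatever pkexec execs as root is denied. From the rest of the commit the privileged helper looks like the new `lxqt-backlight_backend` (it has its own profile in this change), so the rule probably should read `@{bin}/lxqt-backlight_backend Px,`; if lxqt-config-brightness really re-executes itself under pkexec, then `@{bin}/lxqt-config-brightness Px,`. A comment stating which binary pkexec is expected to run would save the next reader the guess. Note also that the main, unprivileged profile grants `rw` on the sysfs `brightness` files directly; if writes always go through pkexec those can be `r`.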
@@ -0,0 +1,32 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# Copyright (C) 2024 Besanon
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/lxqt-config-globalkeyshortcuts
+profile lxqt-config-globalkeyshortcuts @{exec_path} {
+ include
+ include
+ include
+ include
+ include
+ include
+
+ @{exec_path} mr,
+
+ owner @{user_config_dirs}/lxqt/lxqt* rwkl -> @{user_config_dirs}/lxqt/#@{int},
+ owner @{user_config_dirs}/lxqt/globalkeyshortcuts.conf.lock rwk,
+ owner @{user_config_dirs}/lxqt/#@{int} rw,
+
+ owner /tmp/@{int} r,
+
+ /dev/tty rw,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/groups/lxqt/lxqt-config-input b/apparmor.d/groups/lxqt/lxqt-config-input
new file mode 100644
index 000000000..a7605f326
--- /dev/null
+++ b/apparmor.d/groups/lxqt/lxqt-config-input
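Review bot: `owner @{user_config_dirs}/lxqt/lxqt* rwkl -> …` grants read/write/link on every `lxqt*` file in the LXQt config directory (lxqt.conf, lxqt-config.conf, all the other lxqt-config-*.conf files) for a tool that, judging by the `.lock` rule that follows, edits `globalkeyshortcuts.conf`. The other lxqt-config-* profiles in this commit list the exact `<tool>.conf`, `<tool>.conf.@{rand6}` and `<tool>.conf.lock` names; do the same here, e.g. `owner @{user_config_dirs}/lxqt/globalkeyshortcuts.conf.@{rand6} rwl -> @{user_config_dirs}/lxqt/#@{int},`, and if lxqt.conf is genuinely touched add it by name rather than by glob.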
@@ -0,0 +1,71 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# Copyright (C) 2024 Besanon
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/lxqt-config-input
+profile lxqt-config-input @{exec_path} {
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+
+ signal (read) set=(kill,term) peer=lxqt-session,
+
+ @{exec_path} mr,
+
+ @{bin}/setxkbmap rix,
+
+ /etc/udev/udev.conf r,
+
+ owner @{user_config_dirs}/lxqt/lxqt.conf.@{rand6} l -> @{user_config_dirs}/lxqt/#@{int},
+ owner @{user_config_dirs}/lxqt/lxqt.conf.@{rand6} rw,
+ owner @{user_config_dirs}/lxqt/session.conf.@{rand6} l -> @{user_config_dirs}/lxqt/#@{int},
+ owner @{user_config_dirs}/lxqt/session.conf.@{rand6} rw,
+ owner @{user_config_dirs}/lxqt/lxqt.conf.lock rwk,
+ owner @{user_config_dirs}/lxqt/lxqt-config-input.conf.lock rwk,
+ owner @{user_config_dirs}/lxqt/lxqt-config-input.conf.@{rand6} rwkl -> @{user_config_dirs}/lxqt/#@{int},
+ owner @{user_config_dirs}/lxqt/#@{int} rwk,
+ owner @{user_config_dirs}/lxqt/session.conf.lock rwk,
+ owner @{user_config_dirs}/lxqt/lxqt-config-input.conf rwl -> @{user_config_dirs}/lxqt/#@{int},
+
+ owner /tmp/@{int} r,
+
+ @{run}/udev/data/c@{int}:* r, # for /dev/input/*
+ @{run}/udev/data/+sound:card@{int} r, # for Soundcards
+ @{run}/udev/data/+bluetooth:* r, # For bluetooth adapters, controllers, and active connections.
+ @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors)
+ @{run}/udev/data/+acpi:* r, # Exposes ACPI objects (power buttons, batteries, thermal)
+ @{run}/udev/data/+i2c:* r, # For Inter-Integrated Circuit, low-speed peripherals (sensors, EEPROMs, etc.)
+ @{run}/udev/data/+backlight:* r, # For background light Display
+ @{run}/udev/data/+leds:* r, # for state of LEDs
+ @{run}/udev/data/n@{int} r, # For network interface
+ @{run}/udev/data/+input:* r, # for mouse, keyboard, touchpad
+ @{run}/udev/data/+dmi:* r, # for motherboard info
+ @{run}/udev/data/+drm:* r, # For screen outputs
+ @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.)
+ @{run}/udev/data/+rfkill:* r, # Kill switch for wireless devices (Wi-Fi, Bluetooth, NFC) to save power
+
+ @{sys}/bus/**/devices/ r, # ALL under /sys/bus/* is asked for read
+ @{sys}/class/**/ r, # ALL but usbmisc under /sys/class is being read
+ @{sys}/devices/**/uevent r,
+
+ /dev/tty rw,
+
+ deny @{sys}/class/usbmisc/ r,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/groups/lxqt/lxqt-config-monitor b/apparmor.d/groups/lxqt/lxqt-config-monitor
new file mode 100644
index 000000000..6dbf7e24f
--- /dev/null
+++ b/apparmor.d/groups/lxqt/lxqt-config-monitor
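Review bot: `signal (read) set=(kill,term) peer=lxqt-session,` (on the previous line of this hunk) uses the `read` spelling, which the parser accepts as an alias for `receive`, but the equivalent rule is written `signal (receive) …` in the lxqt abstraction and in pcmanfm-qt in this same commit; use `receive` here and in lxqt-config-monitor so the rule reads as what it does. The `deny @{sys}/class/usbmisc/ r,` at the bottom has no rationale, and since `@{sys}/class/**/ r,` above already allows every other class directory it looks arbitrary; a one-line comment such as `# silence noisy enumeration of /sys/class/usbmisc — TODO confirm` would explain why this one is singled out. The hunk starts on the previous line, with the rest of the profile.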
@@ -0,0 +1,41 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# Copyright (C) 2024 Besanon
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/lxqt-config-monitor
+profile lxqt-config-monitor @{exec_path} {
+ include
+ include
+ include
+ include
+ include
+ include
+
+ signal (read) set=(kill,term) peer=lxqt-session,
+
+ @{exec_path} mr,
+
+ owner @{user_config_dirs}/autostart/lxqt-config-monitor-autostart.desktop rw,
+ owner @{user_config_dirs}/lxqt/ r,
+ owner @{user_config_dirs}/lxqt/#@{int} rwk,
+ owner @{user_config_dirs}/lxqt/lxqt.conf.lock rwk,
+ owner @{user_config_dirs}/lxqt/lxqt.conf.@{rand6} rw,
+ owner @{user_config_dirs}/lxqt/lxqt.conf.@{rand6} l -> @{user_config_dirs}/lxqt/#@{int},
+ owner @{user_config_dirs}/lxqt/lxqt-config-monitor.conf.lock rwk,
+ owner @{user_config_dirs}/lxqt/lxqt-config-monitor.conf.@{rand6} rw,
+ owner @{user_config_dirs}/lxqt/lxqt-config-monitor.conf.@{rand6} l -> @{user_config_dirs}/lxqt/#@{int},
+ owner @{user_config_dirs}/lxqt/lxqt-config-monitor.conf l -> @{user_config_dirs}/lxqt/#@{int},
+
+ owner /tmp/@{int} r,
+
+ /dev/tty rw,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/groups/lxqt/lxqt-config-notificationd b/apparmor.d/groups/lxqt/lxqt-config-notificationd
index 63b2eb673..88244a130 100644
--- a/apparmor.d/groups/lxqt/lxqt-config-notificationd
+++ b/apparmor.d/groups/lxqt/lxqt-config-notificationd
@@ -10,6 +10,8 @@ include
 @{exec_path} = @{bin}/lxqt-config-notificationd
 profile lxqt-config-notificationd @{exec_path} {
 include
+ include
+ include
 include
 include
diff --git a/apparmor.d/groups/lxqt/lxqt-config-session b/apparmor.d/groups/lxqt/lxqt-config-session
new file mode 100644
index 000000000..41b66bf14
--- /dev/null
+++ b/apparmor.d/groups/lxqt/lxqt-config-session
@@ -0,0 +1,57 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# Copyright (C) 2024 Besanon
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/lxqt-config-session
+profile lxqt-config-session @{exec_path} {
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+
+ @{exec_path} mr,
+
+ /usr/share/libfm-qt6/translations/libfm-qt_de.qm r,
+ /usr/share/gvfs/remote-volume-monitors/ r,
+ /usr/share/gvfs/remote-volume-monitors/udisks2.monitor r,
+ /usr/share/thumbnailers/ r,
+
+ /etc/fstab r,
+ /etc/xdg/autostart/ r,
+ /etc/xdg/autostart/** r,
+
+ owner @{user_config_dirs}/#@{int} rw,
+ owner @{user_config_dirs}/autostart/ rw,
+ owner @{user_config_dirs}/QtProject.conf rw,
+ owner @{user_config_dirs}/QtProject.conf.@{rand6} rwkl,
+ owner @{user_config_dirs}/QtProject.conf.lock rwk,
+ owner @{user_config_dirs}/autostart/*.desktop rw,
+ owner @{user_config_dirs}/lxqt/ r,
+ owner @{user_config_dirs}/lxqt/#@{int} rwk,
+ owner @{user_config_dirs}/lxqt/lxqt.conf.lock rwk,
+ owner @{user_config_dirs}/lxqt/lxqt-config-session.conf.lock rwk,
+ owner @{user_config_dirs}/lxqt/session.conf.lock rwk,
+ owner @{user_config_dirs}/lxqt/session.conf.@{rand6} rwkl -> @{user_config_dirs}/lxqt/#@{int},
+ owner @{user_config_dirs}/user-dirs.dirs rw,
+ owner @{user_config_dirs}/lxqt/waylandwindowmanagers.conf.lock rwk,
+ owner @{user_config_dirs}/lxqt/waylandwindowmanagers.conf rwkl -> @{user_config_dirs}/lxqt/#@{int},
+
+ owner /tmp/@{int} r,
+
+ owner @{PROC}/@{pid}/mountinfo r,
+
+ /dev/tty rw,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/groups/lxqt/lxqt-notificationd b/apparmor.d/groups/lxqt/lxqt-notificationd
new file mode 100644
index 000000000..c42242aa4
--- /dev/null
+++ b/apparmor.d/groups/lxqt/lxqt-notificationd
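Review bot: `/usr/share/libfm-qt6/translations/libfm-qt_de.qm r,` hard-codes the German locale, so on every other locale the translation load is denied and shows up as a spurious audit entry; generalize it to `/usr/share/libfm-qt6/translations/libfm-qt_*.qm r,` (the same hard-coded `_de` appears in the pcmanfm-qt profile later in this commit). `owner @{user_config_dirs}/QtProject.conf.@{rand6} rwkl,` has a bare `l` with no target, while the sibling rules bound the link with `l -> @{user_config_dirs}/#@{int}`; use the bounded form here as well.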
@@ -0,0 +1,38 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# Copyright (C) 2024 Besanon
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/lxqt-notificationd
+profile lxqt-notificationd @{exec_path} {
+ include
+ include
+ include
+ include
+ include
+
+ #aa:dbus own bus=session name=org.freedesktop.Notifications
+
+ @{exec_path} mr,
+
+ @{bin}/lxqt-config-notificationd rPx,
+
+ /etc/machine-id r,
+
+ owner @{user_cache_dirs}/lxqt-notificationd/ r,
+ owner @{user_cache_dirs}/lxqt-notificationd/#@{int} rwk,
+ owner @{user_cache_dirs}/lxqt-notificationd/unattended.list rw,
+ owner @{user_cache_dirs}/lxqt-notificationd/unattended.list l -> @{user_cache_dirs}/lxqt-notificationd/#@{int},
+ owner @{user_cache_dirs}/lxqt-notificationd/unattended.list.lock rwk,
+ owner @{user_cache_dirs}/lxqt-notificationd/unattended.list.@{rand6} rwkl -> @{user_cache_dirs}/lxqt-notificationd/#@{int},
+
+ owner /tmp/@{int} r,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/groups/lxqt/lxqt-panel b/apparmor.d/groups/lxqt/lxqt-panel
index f817be69d..adf2e6a32 100644
--- a/apparmor.d/groups/lxqt/lxqt-panel
+++ b/apparmor.d/groups/lxqt/lxqt-panel
@@ -10,6 +10,7 @@ include
 @{exec_path} = @{bin}/lxqt-panel
 profile lxqt-panel @{exec_path} {
 include
+ include
 include
 include
 include
diff --git a/apparmor.d/groups/lxqt/lxqt-policykit-agent b/apparmor.d/groups/lxqt/lxqt-policykit-agent
new file mode 100644
index 000000000..867edcd5b
--- /dev/null
+++ b/apparmor.d/groups/lxqt/lxqt-policykit-agent
@@ -0,0 +1,52 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# Copyright (C) 2024 Besanon
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{lib}/@{multiarch}/lxqt-policykit-agent-[0-9]
+@{exec_path} += @{bin}/lxqt-policykit-agent
+profile lxqt-policykit-agent @{exec_path} flags=(attach_disconnected) {
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+
+ signal (send) set=(term, kill) peer=polkit-agent-helper,
+
+ @{exec_path} mr,
+
+ @{lib}/polkit-[0-9]/polkit-agent-helper-[0-9] rPx,
+
+ /etc/machine-id r,
+
+ /var/lib/dbus/machine-id r,
+
+ owner @{user_cache_dirs}/icon-cache.kcache rw,
+ owner @{user_config_dirs}/qt5ct/{,**} r,
+
+ owner /tmp/#@{int} rw,
+ owner /tmp/lxqt-policykit-agent-[0-9].* rwl -> /tmp/#@{int},
+
+ @{run}/systemd/users/@{uid} r,
+
+ @{sys}/devices/system/node/ r,
+ @{sys}/devices/system/node/node@{int}/meminfo r,
+
+ @{PROC}/@{pid}/cgroup r,
+ @{PROC}/@{pid}/cmdline r,
+ @{PROC}/@{pid}/fd/ r,
+ @{PROC}/sys/kernel/core_pattern r,
+
+ /dev/shm/#@{int} rw,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/groups/lxqt/lxqt-session b/apparmor.d/groups/lxqt/lxqt-session
index 910ea7c5f..9aa5f2106 100644
--- a/apparmor.d/groups/lxqt/lxqt-session
+++ b/apparmor.d/groups/lxqt/lxqt-session
@@ -13,7 +13,6 @@ profile lxqt-session @{exec_path} flags=(attach_disconnected) {
 include
 include
 include
- include
 include
 network netlink raw,
@@ -32,7 +31,7 @@ profile lxqt-session @{exec_path} flags=(attach_disconnected) {
 @{bin}/dirname rix,
 @{bin}/system-config-printer-applet rPx,
 @{bin}/dbus-update-activation-environment rCx -> dbus,
- @{bin}/systemctl rCx -> systemctl,
+ @{bin}/systemctl rCx -> systemctl,
 @{bin}/pavucontrol rPx,
 @{lib}/geoclue-2.0/demos/agent rPx,
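Review bot: `@{PROC}/@{pid}/cmdline r,`, `@{PROC}/@{pid}/cgroup r,` and `@{PROC}/@{pid}/fd/ r,` are unqualified, so the agent may read those entries for any process it can address; if the intent is only to inspect its own process, prefix all three with `owner`. If the agent really inspects the process that requested authorization (plausible for an authentication dialog, though I cannot confirm it from the diff), reading `cmdline` or `fd/` of a confined peer also goes through a ptrace-read check, so the rule set is either too wide or incomplete without a matching `ptrace (read)` rule. A comment naming the purpose of the cross-process reads would settle which it is.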
@@ -49,7 +48,7 @@ profile lxqt-session @{exec_path} flags=(attach_disconnected) {
 /usr/share/cursors/ r,
 /usr/share/backintime/common/* r,
 /usr/share/desktop-directories/* r,
- /usr/share/system-config-printer/* r,
+ /usr/share/system-config-printer/* r,
 /etc/xdg/ r,
 /etc/xdg/autostart/ r,
@@ -60,6 +59,9 @@ profile lxqt-session @{exec_path} flags=(attach_disconnected) {
 owner @{user_config_dirs}/autostart/ r,
 owner @{user_config_dirs}/autostart/*.desktop r,
+ owner @{user_config_dirs}/lxqt/#@{int} rw,
+ owner @{user_config_dirs}/lxqt/session.conf.lock rwk,
+ owner @{user_config_dirs}/lxqt/session.conf.@{rand6} rwl -> @{user_config_dirs}/lxqt/#@{int},
 owner @{user_cache_dirs}/openbox/ rw,
 owner @{user_cache_dirs}/openbox/sessions/ rw,
 owner @{user_cache_dirs}/openbox/openbox.log rwk,
diff --git a/apparmor.d/groups/lxqt/pcmanfm-qt b/apparmor.d/groups/lxqt/pcmanfm-qt
new file mode 100644
index 000000000..ac3d3ef9a
--- /dev/null
+++ b/apparmor.d/groups/lxqt/pcmanfm-qt
@@ -0,0 +1,85 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2020-2021 Mikhail Morfikov
+# Copyright (C) 2024 Besanon
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/pcmanfm-qt
+profile pcmanfm-qt @{exec_path} {
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+
+ signal (send) set=(term, kill),
+ signal (receive) set=(term, kill) peer=lxqt-session,
+
+ network netlink raw,
+
+ #aa:exec kioworker
+ #aa:dbus own bus=session name=org.pcmanfm.PCManFM
+
+ @{exec_path} mr,
+
+ @{lib}/menu-cache/menu-cached rix,
+ @{lib}/exec/menu-cache/menu-cache-gen rix,
+
+ #aa:lint ignore=too-wide
+ # Full access to user's data
+ / r,
+ /*/ r,
+ @{bin}/ r,
+ @{lib}/ r,
+ @{MOUNTDIRS}/ r,
+ @{MOUNTS}/ r,
+ @{MOUNTS}/** rw,
+ owner @{HOME}/ r,
+ owner @{HOME}/** rw,
+ owner @{run}/user/@{uid}/ r,
+ owner @{run}/user/@{uid}/** rw,
+ owner @{tmp}/ r,
+ owner @{tmp}/** rw,
+
+ /usr/share/libfm-qt6/{,**} r,
+ /usr/share/pcmanfm-qt/translations/pcmanfm-qt_de.qm r,
+ /usr/share/thumbnailers/{,**} r,
+
+ owner @{user_cache_dirs}/pcmanfm-qt/{,**} rw,
+ owner @{user_config_dirs}/pcmanfm-qt/ rw,
+ owner @{user_config_dirs}/pcmanfm-qt/** rwlk -> @{user_config_dirs}/pcmanfm-qt/**,
+
+ @{sys}/bus/ r,
+ @{sys}/class/ r,
+ @{sys}/devices/system/node/ r,
+ @{sys}/devices/system/node/node@{int}/meminfo r,
+ @{sys}/fs/cgroup/{,**} r,
+
+ owner @{PROC}/@{pid}/mountinfo r,
+ owner @{PROC}/@{pid}/mounts r,
+ owner @{PROC}/@{pid}/fd/ r,
+ owner @{PROC}/@{pid}/cgroup r,
+
+ # Silence non user's data
+ deny @{efi}/{,**} r,
+ deny /opt/{,**} r,
+ deny /root/{,**} r,
+ deny /tmp/.* rw,
+ deny /tmp/.*/{,**} rw,
+
+ /dev/tty r,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/groups/lxqt/qterminal b/apparmor.d/groups/lxqt/qterminal
new file mode 100644
index 000000000..aa13e6625
--- /dev/null
+++ b/apparmor.d/groups/lxqt/qterminal
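Review bot: `signal (send) set=(term, kill),` has no `peer=`, so the file manager may terminate any process the user owns; if it is for the `menu-cached`/`menu-cache-gen` helpers, which run `ix` inside this profile, `signal (send) set=(term, kill) peer=@{profile_name},` bounds it, and if it is for applications pcmanfm-qt launches, a `peer=` naming the corresponding exec target is the right shape. `/usr/share/pcmanfm-qt/translations/pcmanfm-qt_de.qm r,` hard-codes the German locale; use `pcmanfm-qt_*.qm`. The `#aa:exec kioworker` directive looks carried over from a KDE profile — pcmanfm-qt is libfm/GIO based — and is worth double-checking before it pulls a KDE worker profile into this one.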
@@ -0,0 +1,72 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Jeroen Rijken
+# Copyright (C) 2024 Alexandre Pujol
+# Copyright (C) 2024 Besanon
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/qterminal
+profile qterminal @{exec_path} {
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+
+ ptrace (read),
+
+ signal (send) set=(hup),
+ signal (send) set=(kill) peer=htop,
+
+ #aa:dbus own bus=session name=org.QTerminal-@{int}
+
+ @{exec_path} mr,
+ @{bin}/@{shells} rUx,
+ @{browsers_path} rPx,
+ @{bin}/htop rPx,
+ @{bin}/dbus-launch rPx,
+ @{open_path} rPx -> child-open-help,
+
+ #aa:exec utempter
+
+ /usr/share/color-schemes/{,**} r,
+ /usr/share/kf6/{,**} r,
+ /usr/share/qterminal/{,**} r,
+ /usr/share/sounds/** r,
+ /usr/share/lxqt/lxqt.conf r,
+ /usr/share/qtermwidget6/{,**} r,
+ /etc/xdg/ui/ui_standards.rc r,
+
+ /{,var/}run/systemd/notify w,
+ /var/cache/fontconfig/ rw,
+
+ owner @{HOME}/@{XDG_SSH_DIR}/config r,
+ @{HOME}/.Xdefaults r,
+
+ owner @{user_cache_dirs}/icon-cache.kcache rw,
+ owner @{user_config_dirs}/lxqt/lxqt.conf r,
+ owner @{user_config_dirs}/qterminal.org/{,**} rw,
+ owner @{user_config_dirs}/qterminal.org/#@{int} rwk,
+ owner @{user_config_dirs}/qterminal.org/qterminal.ini.lock rwk,
+ owner @{user_config_dirs}/qterminal.org/qterminal.ini.@{rand6} rwk,
+ owner @{user_config_dirs}/qterminal.org/qterminal.ini.@{rand6} l -> @{user_config_dirs}/qterminal.org/#@{int},
+
+ owner /tmp/#@{int} rw,
+ owner /tmp/konsole.@{rand6} rw,
+ owner /tmp/xauth_@{rand6} rw,
+
+ @{PROC}/sys/kernel/core_pattern r,
+ owner @{PROC}/@{pid}/cmdline r,
+ owner @{PROC}/@{pid}/stat r,
+ owner @{PROC}/@{pid}/fd/ r,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/groups/lxqt/startlxqtwayland b/apparmor.d/groups/lxqt/startlxqtwayland
new file mode 100644
index 000000000..43d0001f4
--- /dev/null
+++ b/apparmor.d/groups/lxqt/startlxqtwayland
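Review bot: `ptrace (read),` is unbounded, letting the terminal read the process state of every process it can address; the shells it spawns run `rUx` (unconfined), so if the permission is for tracking the foreground process of its own tabs, `ptrace (read) peer=unconfined,` is the tighter rule. `/var/cache/fontconfig/ rw,` grants write on the system fontconfig cache directory with no `owner`; the per-user cache lives under `@{user_cache_dirs}/fontconfig`, so this looks copied from a profile that runs as root and should be `r`. `owner @{HOME}/@{XDG_SSH_DIR}/config r,` deserves a comment explaining why a terminal emulator reads the SSH client config (host bookmarks, presumably), since that file can contain sensitive host and key details.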
@@ -0,0 +1,91 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol
+# Copyright (C) 2024 Besanon
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/startlxqtwayland
+profile startlxqtwayland @{exec_path} {
+ include
+ include
+ include
+
+ signal (receive) set=(term) peer=sddm,
+
+ @{exec_path} mr,
+
+ @{bin}/cat rix,
+ @{bin}/cut rix,
+ @{bin}/cp rix,
+ @{bin}/dirname rix,
+ @{bin}/labwc rpx,
+ @{bin}/{,e}grep rix,
+ @{bin}/{m,g,}awk rix,
+ @{bin}/mkdir rix,
+ @{sh_path} rix,
+ @{bin}/lxqt-session rPx,
+ @{bin}/systemd-detect-virt rPx,
+ @{bin}/systemctl rCx -> systemctl,
+ @{bin}/dbus-update-activation-environment rCx -> dbus,
+
+ /usr/share/color-schemes/{,**} r,
+ /usr/share/desktop-directories/{,**} r,
+ /usr/share/icu/@{int}.@{int}/*.dat r,
+ /usr/share/kservices5/{,**} r,
+ /usr/share/mime/{,**} r,
+
+ /etc/locale.alias r,
+ /etc/machine-id r,
+ /etc/xdg/menus/{,**} r,
+
+ @{HOME}/ r,
+ owner @{HOME}/.Xauthority r,
+
+ owner @{user_cache_dirs}/ rw,
+ owner @{user_cache_dirs}/#@{int} rw,
+ @{user_cache_dirs}/ksycoca5_* rwkl -> @{user_cache_dirs}/#@{int},
+
+ owner @{user_config_dirs}/#@{int} rw,
+ owner @{user_config_dirs}/labwc/ rw,
+ owner @{user_config_dirs}/labwc/** rw,
+ owner @{user_config_dirs}/lxqt/ rw,
+ owner @{user_config_dirs}/menus/{,**} r,
+ owner @{user_config_dirs}/lxqt/wayland/ rw,
+
+ owner @{user_share_dirs}/kservices5/{,**} r,
+ owner @{user_share_dirs}/sddm/wayland-session.log rw,
+ owner @{user_share_dirs}/sddm/xorg-session.log rw,
+
+ owner /tmp/#@{int} rw,
+ owner /tmp/startlxqt.@{rand6} rwl -> /tmp/#@{int},
+
+ owner @{run}/user/@{uid}/ r,
+ @{PROC}/sys/kernel/core_pattern r,
+
+ /dev/tty rw,
+ /dev/tty@{int} rw,
+
+ include if exists
+
+ profile systemctl flags=(attach_disconnected) {
+ include
+ include
+
+ include if exists
+ }
+
+ profile dbus {
+ include
+
+ @{bin}/dbus-update-activation-environment mr,
+
+ owner @{HOME}/.xsession-errors w,
+
+ include if exists
+ }
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-g-l/labwc b/apparmor.d/profiles-g-l/labwc
index ab624f099..99e3ef3cb 100644
--- a/apparmor.d/profiles-g-l/labwc
+++ b/apparmor.d/profiles-g-l/labwc
@@ -17,6 +17,8 @@ profile labwc @{exec_path} flags=(attach_disconnected) {
 include
 include
+ signal (receive) set=term peer=sddm,
+
 network netlink raw,
 @{exec_path} mr,
@@ -27,11 +29,16 @@ profile labwc @{exec_path} flags=(attach_disconnected) {
 /usr/share/libinput/ r,
 /usr/share/libinput/*.quirks r,
+ /usr/share/themes/**/themerc r,
+ /usr/share/themes/Vent/openbox-3/*.xbm r,
+ /usr/share/X11/xkb/** r,
 owner @{user_config_dirs}/labwc/ r,
 owner @{user_config_dirs}/labwc/* r,
+ owner @{user_config_dirs}/lxqt/wayland/ rw,
 owner /dev/shm/wayland.mozilla.ipc.@{int} rw,
+ owner /dev/shm/wlroots-@{rand6} rw,
 @{sys}/class/drm/ r,
 @{sys}/class/input/ r,
diff --git a/apparmor.d/tunables/multiarch.d/programs b/apparmor.d/tunables/multiarch.d/programs
index a7cbaf831..00a66ad99 100644
--- a/apparmor.d/tunables/multiarch.d/programs
+++ b/apparmor.d/tunables/multiarch.d/programs
@@ -70,7 +70,7 @@
 @{emails_names} = evolution geary
 # File explorers
-@{file_explorers_names} = dolphin nautilus thunar
+@{file_explorers_names} = dolphin nautilus thunar pcmanfm-qt
 # Text editors
 @{text_editors_names} = code gedit mousepad gnome-text-editor zeditor zedit zed-cli
@@ -91,7 +91,7 @@
 @{help_names} = yelp
 # Terminal emulator
-@{terminal_names} = kgx terminator konsole ptyxis
+@{terminal_names} = kgx terminator konsole ptyxis qterminal
 # Backup
 @{backup_names} = deja-dup borg
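Review bot: `@{bin}/labwc rpx,` uses lower-case `p`, so the compositor is started without environment scrubbing while every other profile transition in this script's profile (`lxqt-session`, `systemd-detect-virt`) uses `rPx`; make it `@{bin}/labwc rPx,`. `@{user_cache_dirs}/ksycoca5_* rwkl -> @{user_cache_dirs}/#@{int},` and `@{HOME}/ r,` lack the `owner` qualifier that the neighbouring cache and config rules carry; add `owner` to both so the session script cannot touch another user's cache. The hunk begins on the previous line, with the rest of the profile.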
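Review bot: `/usr/share/themes/Vent/openbox-3/*.xbm r,` hard-codes a single theme name, so labwc is denied the button bitmaps of every other installed theme even though the `themerc` rule right above it already uses `/usr/share/themes/**/themerc`; generalize it to `/usr/share/themes/*/openbox-3/*.xbm r,`. The added `owner @{user_config_dirs}/lxqt/wayland/ rw,` gives the compositor write access to an LXQt configuration directory; if labwc only reads the session's settings there, `r` is enough, and if it does write something a comment naming the file would justify the `w`.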