From 82d549ac9504a7a52ac1765a977c22df1a252459 Mon Sep 17 00:00:00 2001 From: Besanon Date: Tue, 22 Oct 2024 16:29:43 +0200 Subject: [PATCH 001/161] Create abstraction for lxqt desktop group first file for the LXQT 2.0 desktop group --- apparmor.d/abstractions/lxqt | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) create mode 100644 apparmor.d/abstractions/lxqt diff --git a/apparmor.d/abstractions/lxqt b/apparmor.d/abstractions/lxqt new file mode 100644 index 000000000..9cb526741 --- /dev/null +++ b/apparmor.d/abstractions/lxqt @@ -0,0 +1,31 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Besanon +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + include + include + include + include + include + include + + signal (receive) set=(kill, term) peer=lxqt-session, + + /usr/share/hwdata/pnp.ids r, + /usr/share/icu/@{int}.@{int}/*.dat r, + /usr/share/lxqt/** r, + /usr/share/qt{5,6}/ r, + /usr/share/qt{5,6}/{,**} r, + + owner @{HOME}/.Xdefaults r, + + owner @{user_cache_dirs}/fontconfig/* rw, + owner @{user_cache_dirs}/lxqt-notificationd/* r, + + owner @{user_config_dirs}/lxqt/*.conf rw, + + include if exists + +# vim:syntax=apparmor From 5b715473dc4f8fd495b86960ca03c64d538eced1 Mon Sep 17 00:00:00 2001 From: Besanon Date: Tue, 22 Oct 2024 18:55:35 +0200 Subject: [PATCH 002/161] Update lxqt --- apparmor.d/abstractions/lxqt | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/apparmor.d/abstractions/lxqt b/apparmor.d/abstractions/lxqt index 9cb526741..83a9b151f 100644 --- a/apparmor.d/abstractions/lxqt +++ b/apparmor.d/abstractions/lxqt @@ -5,6 +5,7 @@ abi , include + include include include include 
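Review bot: The abstraction grants `owner @{user_config_dirs}/lxqt/*.conf rw,`, so every profile that includes it can rewrite all of the user's LXQt configuration, not only its own file. The denials quoted in PATCH 015 for kscreen_backend_launcher request only `r` on lxqt.conf and session.conf, which suggests includers need read access at most. I would keep `owner @{user_config_dirs}/lxqt/*.conf r,` here and leave the write, lock and temp-file rules to the individual profiles, as lxqt-panel later does for panel.conf. The same question applies to `signal (receive) set=(kill, term) peer=lxqt-session,`: confirm that every includer is meant to accept those signals from the session.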
@@ -16,12 +17,9 @@ /usr/share/hwdata/pnp.ids r, /usr/share/icu/@{int}.@{int}/*.dat r, /usr/share/lxqt/** r, - /usr/share/qt{5,6}/ r, - /usr/share/qt{5,6}/{,**} r, owner @{HOME}/.Xdefaults r, - owner @{user_cache_dirs}/fontconfig/* rw, owner @{user_cache_dirs}/lxqt-notificationd/* r, owner @{user_config_dirs}/lxqt/*.conf rw, From 8072b339c9066a95ca65908ca75e1dcdea6f7c74 Mon Sep 17 00:00:00 2001 From: Besanon Date: Tue, 22 Oct 2024 19:33:37 +0200 Subject: [PATCH 003/161] xdg-desktop abstraction added --- apparmor.d/abstractions/lxqt | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/abstractions/lxqt b/apparmor.d/abstractions/lxqt index 83a9b151f..d9aa3712e 100644 --- a/apparmor.d/abstractions/lxqt +++ b/apparmor.d/abstractions/lxqt @@ -11,6 +11,7 @@ include include include + include signal (receive) set=(kill, term) peer=lxqt-session, From 637347bac73a4d572c71944fc763e48d37f6eb1e Mon Sep 17 00:00:00 2001 From: Besanon Date: Tue, 22 Oct 2024 19:37:23 +0200 Subject: [PATCH 004/161] removing tabs --- apparmor.d/abstractions/lxqt | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/apparmor.d/abstractions/lxqt b/apparmor.d/abstractions/lxqt index d9aa3712e..c1633033f 100644 --- a/apparmor.d/abstractions/lxqt +++ b/apparmor.d/abstractions/lxqt @@ -13,17 +13,17 @@ include include - signal (receive) set=(kill, term) peer=lxqt-session, + signal (receive) set=(kill, term) peer=lxqt-session, - /usr/share/hwdata/pnp.ids r, - /usr/share/icu/@{int}.@{int}/*.dat r, - /usr/share/lxqt/** r, + /usr/share/hwdata/pnp.ids r, + /usr/share/icu/@{int}.@{int}/*.dat r, + /usr/share/lxqt/** r, - owner @{HOME}/.Xdefaults r, + owner @{HOME}/.Xdefaults r, - owner @{user_cache_dirs}/lxqt-notificationd/* r, + owner @{user_cache_dirs}/lxqt-notificationd/* r, - owner @{user_config_dirs}/lxqt/*.conf rw, + owner @{user_config_dirs}/lxqt/*.conf rw, include if exists From 836dbd01aeac17d79f1f9143c9a3b05795758bac Mon Sep 17 00:00:00 2001 
From: Besanon Date: Tue, 22 Oct 2024 20:15:29 +0200 Subject: [PATCH 005/161] Create startlxqt starter file for LXQT Desktop --- apparmor.d/profiles-s-z/startlxqt | 84 +++++++++++++++++++++++++++++++ 1 file changed, 84 insertions(+) create mode 100644 apparmor.d/profiles-s-z/startlxqt diff --git a/apparmor.d/profiles-s-z/startlxqt b/apparmor.d/profiles-s-z/startlxqt new file mode 100644 index 000000000..d56b77f62 --- /dev/null +++ b/apparmor.d/profiles-s-z/startlxqt 
@@ -0,0 +1,84 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023 Alexandre Pujol +# Copyright (C) 2024 Besanon +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/startlxqt +profile startlxqt @{exec_path} { + include + include + include + include + include + include + + signal (receive) set=(term) peer=sddm, + + @{exec_path} mr, + + @{bin}/xrdb rPx, + @{bin}/xsetroot rPx, + @{bin}/xprop rpx, + @{bin}/mkdir rix, + @{sh_path} rix, + @{bin}/lxqt-session rPx, + + @{bin}/systemctl rCx -> systemctl, + @{bin}/dbus-update-activation-environment rCx -> dbus, + + /usr/share/color-schemes/{,**} r, + /usr/share/desktop-directories/{,**} r, + /usr/share/kservices5/{,**} r, + /usr/share/mime/{,**} r, + /etc/locale.alias r, + /etc/machine-id r, + /etc/xdg/menus/{,**} r, + + @{HOME}/ r, + owner @{HOME}/.Xauthority r, + + owner @{user_cache_dirs}/ rw, + owner @{user_cache_dirs}/#@{int} rw, + @{user_cache_dirs}/ksycoca5_* rwkl -> @{user_cache_dirs}/#@{int}, + + owner @{user_config_dirs}/lxqt/ rw, + owner @{user_config_dirs}/menus/{,**} r, + + owner @{user_share_dirs}/kservices5/{,**} r, + owner @{user_share_dirs}/sddm/wayland-session.log rw, + owner @{user_share_dirs}/sddm/xorg-session.log rw, + + owner /tmp/#@{int} rw, + owner /tmp/startlxqt.@{rand6} rwl -> /tmp/#@{int}, + + owner @{run}/user/@{uid}/ r, + + @{PROC}/sys/kernel/core_pattern r, + owner @{PROC}/@{pid}/maps r, + + /dev/tty rw, + /dev/tty@{int} rw, + + profile systemctl flags=(attach_disconnected) { + include + include + + include if exists + } + + profile dbus { + include + + @{bin}/dbus-update-activation-environment mr, + + owner @{HOME}/.xsession-errors w, + + include if exists + } +} + +# vim:syntax=apparmor From 5164b2b78af90c5e4a1665180eb5cccc276c9ed2 Mon Sep 17 00:00:00 2001 
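Review bot: `@{bin}/xprop rpx,` uses the lowercase transition, which does not scrub the environment across the exec, while the other profile transitions in this list (`xrdb`, `xsetroot`, `lxqt-session`) use `rPx`. Unless xprop is known to need a variable that scrubbing removes, make it `@{bin}/xprop rPx,`. The same line is repeated in the copy that PATCH 006 creates under apparmor.d/groups/lxqt/startlxqt. Separately, the `ksycoca5_*`, `kservices5` and `color-schemes` rules look carried over from a KDE starter profile, so it is worth confirming from logs that startlxqt touches those paths before keeping them.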
From: Besanon Date: Tue, 22 Oct 2024 20:36:58 +0200 Subject: [PATCH 006/161] Create startlxqt --- apparmor.d/groups/lxqt/startlxqt | 86 ++++++++++++++++++++++++++++++++ 1 file changed, 86 insertions(+) create mode 100644 apparmor.d/groups/lxqt/startlxqt diff --git a/apparmor.d/groups/lxqt/startlxqt b/apparmor.d/groups/lxqt/startlxqt new file mode 100644 index 000000000..e04047143 --- /dev/null +++ b/apparmor.d/groups/lxqt/startlxqt 
@@ -0,0 +1,86 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023 Alexandre Pujol +# Copyright (C) 2024 Besanon +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_pathstlx} = @{bin}/startlxqt +profile startlxqt @{exec_pathstlx} { + include + include + include + include + include + include + + signal (receive) set=(term) peer=sddm, + + @{exec_pathstlx} mr, + + @{bin}/xrdb rPx, + @{bin}/xsetroot rPx, + @{bin}/xprop rpx, + @{bin}/mkdir rix, + @{sh_path} rix, + @{bin}/lxqt-session rPx, + + @{bin}/systemctl rCx -> systemctl, + @{bin}/dbus-update-activation-environment rCx -> dbus, + + /usr/share/color-schemes/{,**} r, + /usr/share/desktop-directories/{,**} r, + /usr/share/kservices5/{,**} r, + /usr/share/mime/{,**} r, + + /etc/locale.alias r, + /etc/machine-id r, + /etc/xdg/menus/{,**} r, + + @{HOME}/ r, + owner @{HOME}/.Xauthority r, + + owner @{user_cache_dirs}/ rw, + owner @{user_cache_dirs}/#@{int} rw, + @{user_cache_dirs}/ksycoca5_* rwkl -> @{user_cache_dirs}/#@{int}, + + owner @{user_config_dirs}/#@{int} rw, + owner @{user_config_dirs}/lxqt/ rw, + owner @{user_config_dirs}/menus/{,**} r, + + owner @{user_share_dirs}/kservices5/{,**} r, + owner @{user_share_dirs}/sddm/wayland-session.log rw, + owner @{user_share_dirs}/sddm/xorg-session.log rw, + + owner /tmp/#@{int} rw, + owner /tmp/startlxqt.@{rand6} rwl -> /tmp/#@{int}, + + owner @{run}/user/@{uid}/ r, + + @{PROC}/sys/kernel/core_pattern r, + owner @{PROC}/@{pid}/maps r, + + /dev/tty rw, + /dev/tty@{int} rw, + + profile systemctl flags=(attach_disconnected) { + include + include + + include if exists + } + + profile dbus { + include + + @{bin}/dbus-update-activation-environment mr, + + owner @{HOME}/.xsession-errors w, + + include if exists + } +} + +# vim:syntax=apparmor From b5aa129eab4b733cc24b7479d064e926ab18e5ed Mon Sep 17 00:00:00 2001 
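Review bot: This adds a second `profile startlxqt` attached to `@{bin}/startlxqt` while apparmor.d/profiles-s-z/startlxqt from PATCH 005 still exists; the series only deletes that file in PATCH 008. In between, the tree carries two definitions of the same profile name, and which one ends up loaded presumably depends on how the build and the parser treat the duplicate. Moving the file in a single commit would avoid that window. The variable is also named `@{exec_pathstlx}` here, whereas the other profiles on this page use `@{exec_path}`.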
From: Besanon Date: Tue, 22 Oct 2024 21:37:03 +0200 Subject: [PATCH 007/161] fixing startlxqt I use sddm as display manager I cant remove the other file - only use graphical env., sorry After startlxqt i would add 2 lines to sddm to enable the start of LXQT desktop --- apparmor.d/groups/lxqt/startlxqt | 14 +++++--------- 1 file changed, 5 insertions(+), 9 deletions(-) diff --git a/apparmor.d/groups/lxqt/startlxqt b/apparmor.d/groups/lxqt/startlxqt index e04047143..2ac94f990 100644 --- a/apparmor.d/groups/lxqt/startlxqt +++ b/apparmor.d/groups/lxqt/startlxqt @@ -7,18 +7,16 @@ abi , include -@{exec_pathstlx} = @{bin}/startlxqt -profile startlxqt @{exec_pathstlx} { +@{exec_path} = @{bin}/startlxqt +profile startlxqt @{exec_path} { include include - include include include - include signal (receive) set=(term) peer=sddm, - @{exec_pathstlx} mr, + @{exec_path} mr, @{bin}/xrdb rPx, @{bin}/xsetroot rPx, @@ -35,14 +33,11 @@ profile startlxqt @{exec_pathstlx} { /usr/share/kservices5/{,**} r, /usr/share/mime/{,**} r, - /etc/locale.alias r, /etc/machine-id r, /etc/xdg/menus/{,**} r, @{HOME}/ r, - owner @{HOME}/.Xauthority r, - owner @{user_cache_dirs}/ rw, owner @{user_cache_dirs}/#@{int} rw, @{user_cache_dirs}/ksycoca5_* rwkl -> @{user_cache_dirs}/#@{int}, @@ -59,12 +54,13 @@ profile startlxqt @{exec_pathstlx} { owner @{run}/user/@{uid}/ r, - @{PROC}/sys/kernel/core_pattern r, owner @{PROC}/@{pid}/maps r, /dev/tty rw, /dev/tty@{int} rw, + include if exists + profile systemctl flags=(attach_disconnected) { include include From e81dc05074b08b5aaa8fd18355bb895c5d8f5b5a Mon Sep 17 00:00:00 2001 From: Besanon Date: Tue, 22 Oct 2024 23:02:24 +0200 Subject: [PATCH 008/161] Delete apparmor.d/profiles-s-z/startlxqt --- apparmor.d/profiles-s-z/startlxqt | 84 ------------------------------- 1 file changed, 84 deletions(-) delete mode 100644 apparmor.d/profiles-s-z/startlxqt 
diff --git a/apparmor.d/profiles-s-z/startlxqt b/apparmor.d/profiles-s-z/startlxqt deleted file mode 100644 index d56b77f62..000000000 --- a/apparmor.d/profiles-s-z/startlxqt +++ /dev/null @@ -1,84 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023 Alexandre Pujol -# Copyright (C) 2024 Besanon -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/startlxqt -profile startlxqt @{exec_path} { - include - include - include - include - include - include - - signal (receive) set=(term) peer=sddm, - - @{exec_path} mr, - - @{bin}/xrdb rPx, - @{bin}/xsetroot rPx, - @{bin}/xprop rpx, - @{bin}/mkdir rix, - @{sh_path} rix, - @{bin}/lxqt-session rPx, - - @{bin}/systemctl rCx -> systemctl, - @{bin}/dbus-update-activation-environment rCx -> dbus, - - /usr/share/color-schemes/{,**} r, - /usr/share/desktop-directories/{,**} r, - /usr/share/kservices5/{,**} r, - /usr/share/mime/{,**} r, - /etc/locale.alias r, - /etc/machine-id r, - /etc/xdg/menus/{,**} r, - - @{HOME}/ r, - owner @{HOME}/.Xauthority r, - - owner @{user_cache_dirs}/ rw, - owner @{user_cache_dirs}/#@{int} rw, - @{user_cache_dirs}/ksycoca5_* rwkl -> @{user_cache_dirs}/#@{int}, - - owner @{user_config_dirs}/lxqt/ rw, - owner @{user_config_dirs}/menus/{,**} r, - - owner @{user_share_dirs}/kservices5/{,**} r, - owner @{user_share_dirs}/sddm/wayland-session.log rw, - owner @{user_share_dirs}/sddm/xorg-session.log rw, - - owner /tmp/#@{int} rw, - owner /tmp/startlxqt.@{rand6} rwl -> /tmp/#@{int}, - - owner @{run}/user/@{uid}/ r, - - @{PROC}/sys/kernel/core_pattern r, - owner @{PROC}/@{pid}/maps r, - - /dev/tty rw, - /dev/tty@{int} rw, - - profile systemctl flags=(attach_disconnected) { - include - include - - include if exists - } - - profile dbus { - include - - @{bin}/dbus-update-activation-environment mr, - - owner @{HOME}/.xsession-errors w, - - include if exists - } -} - -# vim:syntax=apparmor From 67fcca54e362cb0a76a6d3310456efd9f0853bf0 Mon Sep 17 00:00:00 2001 
From: Besanon Date: Wed, 23 Oct 2024 12:15:58 +0200 Subject: [PATCH 009/161] indented by 2 spaces (like other entries) --- apparmor.d/groups/lxqt/startlxqt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/lxqt/startlxqt b/apparmor.d/groups/lxqt/startlxqt index 2ac94f990..06967e694 100644 --- a/apparmor.d/groups/lxqt/startlxqt +++ b/apparmor.d/groups/lxqt/startlxqt @@ -59,7 +59,7 @@ profile startlxqt @{exec_path} { /dev/tty rw, /dev/tty@{int} rw, - include if exists + include if exists profile systemctl flags=(attach_disconnected) { include From c47e048f4a149c8aa04bc43cd9b2c248440c8d5c Mon Sep 17 00:00:00 2001 From: Besanon Date: Thu, 24 Oct 2024 08:26:20 +0200 Subject: [PATCH 010/161] Update sddm Enable sddm to start an lxqt desktop session --- apparmor.d/groups/kde/sddm | 2 ++ 1 file changed, 2 insertions(+) diff --git a/apparmor.d/groups/kde/sddm b/apparmor.d/groups/kde/sddm index 5e024adfd..d8adff564 100644 --- a/apparmor.d/groups/kde/sddm +++ b/apparmor.d/groups/kde/sddm @@ -40,6 +40,7 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) { ptrace (trace) peer=@{profile_name}, signal (receive) set=(hup) peer=@{p_systemd}, + signal (send) set=(kill, term) peer=lxqt-session, signal (send) set=(kill, term) peer=startplasma, signal (send) set=(kill, term) peer=xorg, signal (send) set=(kill, term) peer=xsetroot, @@ -94,6 +95,7 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{bin}/kwalletd{5,6} rPx, @{bin}/kwin_wayland rPx, @{bin}/sddm-greeter{,-qt6} rPx, + @{bin}/startlxqt rPx, @{bin}/startplasma-wayland rPx, @{bin}/startplasma-x11 rPx, @{bin}/sway rPUx, From d567cb85f9bda3194b6418295e24bd912b54bd42 Mon Sep 17 00:00:00 2001 
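Review bot: The new send rule in the sddm hunk names `peer=lxqt-session`, but the process sddm starts through `@{bin}/startlxqt rPx,` runs under the startlxqt profile, which declares `signal (receive) set=(term) peer=sddm,`. Signal mediation needs a matching rule on both sides, so as far as the visible lines show, a TERM from sddm to startlxqt has a receive rule but no send rule. Consider adding `signal (send) set=(kill, term) peer=startlxqt,` next to the existing `peer=startplasma` line, and widening the receive set in startlxqt to `(kill, term)` if sddm escalates to KILL. The sddm profile body continues outside both hunks, so a broader rule elsewhere may already cover this.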
From: Besanon Date: Thu, 24 Oct 2024 08:46:48 +0200 Subject: [PATCH 011/161] Create lxqt-session lxqt-session to be started by startlxqt. Display manager: sddm --- apparmor.d/groups/lxqt/lxqt-session | 115 ++++++++++++++++++++++++++++ 1 file changed, 115 insertions(+) create mode 100644 apparmor.d/groups/lxqt/lxqt-session diff --git a/apparmor.d/groups/lxqt/lxqt-session b/apparmor.d/groups/lxqt/lxqt-session new file mode 100644 index 000000000..2a72835ec --- /dev/null +++ b/apparmor.d/groups/lxqt/lxqt-session 
@@ -0,0 +1,115 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# Copyright (C) 2024 Besanon +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/lxqt-session +profile lxqt-session @{exec_path} flags=(attach_disconnected) { + include + include + include + include + include + + signal (send), + signal (receive) set=(kill, term) peer=startlxqt, + signal (receive) set=(kill, term) peer=sddm, + + ptrace (read), + + network netlink raw, + + @{exec_path} mr, + + @{sh_path} rix, + @{bin}/sed rix, + @{bin}/readlink rix, + @{bin}/dirname rix, + @{bin}/system-config-printer-applet rPx, + @{bin}/lxqt-config-input rPx, + @{bin}/lxqt-session-settings rPx, + @{bin}/lxqt-globalkeysd rPx, + @{bin}/lxqt-panel rPx, + @{bin}/lxqt-policykit-agent rPx, + @{bin}/lxqt-runner rPx, + @{bin}/lxqt-notificationd rPx, + @{bin}/lxqt-powermanagement rPx, + @{bin}/lxqt-config rPx, + @{bin}/lxqt-leave rPx, + @{bin}/lxqt-about rPx, + @{bin}/lxqt-config-monitor rPx, + @{bin}/dbus-update-activation-environment rCx -> dbus, + @{bin}/systemctl rCx -> systemctl, + + @{bin}/pavucontrol rPx, + @{lib}/geoclue-2.0/demos/agent rPx, + @{bin}/python3.@{int} rPx, + @{lib}/python3.@{int} rPx, + @{bin}/nm-connection-editor rPx, + @{bin}/nm-applet rPx, + @{bin}/pcmanfm-qt rPx, + @{bin}/openbox rix, + @{bin}/dconf-editor rPx, + @{bin}/setxkbmap rix, + @{bin}/start-pulseaudio-x11 rPx, + @{bin}/xrdb rPx, + @{bin}/xdg-user-dirs-update rPx, + + /usr/share/ r, + /usr/share/mime/ r, + /usr/share/cursors/ r, + /usr/share/backintime/common/* r, + /usr/share/desktop-directories/* r, + /usr/share/system-config-printer/* r, + + /etc/xdg/ r, + /etc/xdg/autostart/ r, + /etc/xdg/autostart/*.desktop r, + /etc/xdg/menus/lxqt-* r, + /etc/xdg/openbox/* r, + /etc/udev/udev.conf r, + + owner @{HOME}/.local/share/ r, + owner @{HOME}/.config/ r, + owner @{HOME}/.config/autostart/ r, + owner @{HOME}/.config/autostart/* rw, + owner @{user_cache_dirs}/openbox/ rw, + 
owner @{user_cache_dirs}/openbox/sessions/ rw, + owner @{user_cache_dirs}/openbox/openbox.log rwk, + owner @{user_config_dirs}/mimeapps.list{,.@{rand6}} rw, + owner @{user_config_dirs}/dconf/user r, + owner @{user_config_dirs}/openbox/rc.xml r, + owner @{user_share_dirs}/sddm/xorg-session.log rw, + + @{PROC}/ r, + @{PROC}/uptime r, + @{PROC}/@{pid}/stat r, + owner @{PROC}/@{pid}/stat r, + + @{run}/systemd/inhibit/** rw, + + /dev/tty rw, + + include if exists + + profile systemctl { + include + include + + include if exists + + profile dbus { + include + include + + @{bin}/dbus-update-activation-environment mr, + + include if exists + } +} + +# vim:syntax=apparmor From 2ae93044b868e8c1a65ce0e2adc36eabfbd2aab4 Mon Sep 17 00:00:00 2001 From: Besanon Date: Fri, 25 Oct 2024 07:49:08 +0200 Subject: [PATCH 012/161] Update lxqt-session --- apparmor.d/groups/lxqt/lxqt-session | 29 ++++++++++++----------------- 1 file changed, 12 insertions(+), 17 deletions(-) diff --git a/apparmor.d/groups/lxqt/lxqt-session b/apparmor.d/groups/lxqt/lxqt-session index 2a72835ec..1fcced9e5 100644 --- a/apparmor.d/groups/lxqt/lxqt-session +++ b/apparmor.d/groups/lxqt/lxqt-session @@ -10,17 +10,18 @@ include @{exec_path} = @{bin}/lxqt-session profile lxqt-session @{exec_path} flags=(attach_disconnected) { include - include + include + include include include include + ptrace (read), + signal (send), signal (receive) set=(kill, term) peer=startlxqt, signal (receive) set=(kill, term) peer=sddm, - ptrace (read), - network netlink raw, @{exec_path} mr, @@ -47,8 +48,6 @@ profile lxqt-session @{exec_path} flags=(attach_disconnected) { @{bin}/pavucontrol rPx, @{lib}/geoclue-2.0/demos/agent rPx, - @{bin}/python3.@{int} rPx, - @{lib}/python3.@{int} rPx, @{bin}/nm-connection-editor rPx, @{bin}/nm-applet rPx, @{bin}/pcmanfm-qt rPx, 
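Review bot: `signal (send),` and `ptrace (read),` in the new lxqt-session profile carry no `set=` or `peer=` restriction, so the session may signal, and read-trace, any process whose own profile permits it. The receive rules directly below are scoped to `startlxqt` and `sddm`; the send side should be scoped the same way, for example `signal (send) set=(kill, term) peer=lxqt-*,` with the actual peer list taken from logged denials. Also, `profile systemctl {` is never closed before `profile dbus {` opens, so the braces in this file do not balance and the parser should reject the profile as written.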
@@ -73,35 +72,29 @@ profile lxqt-session @{exec_path} flags=(attach_disconnected) { /etc/xdg/openbox/* r, /etc/udev/udev.conf r, - owner @{HOME}/.local/share/ r, - owner @{HOME}/.config/ r, - owner @{HOME}/.config/autostart/ r, - owner @{HOME}/.config/autostart/* rw, + owner @{user_config_dirs}/autostart/ r, + owner @{user_config_dirs}/autostart/*.desktop r, owner @{user_cache_dirs}/openbox/ rw, owner @{user_cache_dirs}/openbox/sessions/ rw, owner @{user_cache_dirs}/openbox/openbox.log rwk, owner @{user_config_dirs}/mimeapps.list{,.@{rand6}} rw, - owner @{user_config_dirs}/dconf/user r, owner @{user_config_dirs}/openbox/rc.xml r, - owner @{user_share_dirs}/sddm/xorg-session.log rw, + + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, @{PROC}/ r, - @{PROC}/uptime r, + @{PROC}/uptime r, @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/stat r, - @{run}/systemd/inhibit/** rw, - /dev/tty rw, - include if exists - profile systemctl { include include include if exists - + } profile dbus { include include @@ -110,6 +103,8 @@ profile lxqt-session @{exec_path} flags=(attach_disconnected) { include if exists } + + include if exists } # vim:syntax=apparmor From 4c2db9baf05ec1061c626184060f4a74db16a58e Mon Sep 17 00:00:00 2001 From: Besanon Date: Fri, 25 Oct 2024 08:07:08 +0200 Subject: [PATCH 013/161] Update lxqt-session --- apparmor.d/groups/lxqt/lxqt-session | 14 +------------- 1 file changed, 1 insertion(+), 13 deletions(-) diff --git a/apparmor.d/groups/lxqt/lxqt-session b/apparmor.d/groups/lxqt/lxqt-session index 1fcced9e5..dc739ba8b 100644 --- a/apparmor.d/groups/lxqt/lxqt-session +++ b/apparmor.d/groups/lxqt/lxqt-session @@ -10,6 +10,7 @@ include @{exec_path} = @{bin}/lxqt-session profile lxqt-session @{exec_path} flags=(attach_disconnected) { include + include include include include 
@@ -31,18 +32,6 @@ profile lxqt-session @{exec_path} flags=(attach_disconnected) { @{bin}/readlink rix, @{bin}/dirname rix, @{bin}/system-config-printer-applet rPx, - @{bin}/lxqt-config-input rPx, - @{bin}/lxqt-session-settings rPx, - @{bin}/lxqt-globalkeysd rPx, - @{bin}/lxqt-panel rPx, - @{bin}/lxqt-policykit-agent rPx, - @{bin}/lxqt-runner rPx, - @{bin}/lxqt-notificationd rPx, - @{bin}/lxqt-powermanagement rPx, - @{bin}/lxqt-config rPx, - @{bin}/lxqt-leave rPx, - @{bin}/lxqt-about rPx, - @{bin}/lxqt-config-monitor rPx, @{bin}/dbus-update-activation-environment rCx -> dbus, @{bin}/systemctl rCx -> systemctl, @@ -50,7 +39,6 @@ profile lxqt-session @{exec_path} flags=(attach_disconnected) { @{lib}/geoclue-2.0/demos/agent rPx, @{bin}/nm-connection-editor rPx, @{bin}/nm-applet rPx, - @{bin}/pcmanfm-qt rPx, @{bin}/openbox rix, @{bin}/dconf-editor rPx, @{bin}/setxkbmap rix, From 632f62b7035ac0d2ed493061b4c39d72f57ff18b Mon Sep 17 00:00:00 2001 From: Besanon Date: Fri, 25 Oct 2024 08:14:19 +0200 Subject: [PATCH 014/161] removed trailing whitespace --- apparmor.d/groups/lxqt/lxqt-session | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/lxqt/lxqt-session b/apparmor.d/groups/lxqt/lxqt-session index dc739ba8b..5bc8491b3 100644 --- a/apparmor.d/groups/lxqt/lxqt-session +++ b/apparmor.d/groups/lxqt/lxqt-session @@ -71,7 +71,7 @@ profile lxqt-session @{exec_path} flags=(attach_disconnected) { @{att}/@{run}/systemd/inhibit/@{int}.ref rw, @{PROC}/ r, - @{PROC}/uptime r, + @{PROC}/uptime r, @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/stat r, From 6ca909210b335aafc2b8ac944316ef85ddd25ac1 Mon Sep 17 00:00:00 2001 
From: Besanon Date: Fri, 25 Oct 2024 11:56:49 +0200 Subject: [PATCH 015/161] Update kscreen_backend_launcher to support lxqt desktop is needed for several complaints: DENIED kscreen_backend_launcher open owner @{user_config_dirs}/lxqt/lxqt.conf comm=kscreen_backend requested_mask=r denied_mask=r DENIED kscreen_backend_launcher open /usr/share/lxqt/lxqt.conf comm=kscreen_backend requested_mask=r denied_mask=r DENIED kscreen_backend_launcher open owner @{user_config_dirs}/lxqt/session.conf comm=kscreen_backend requested_mask=r denied_mask=r DENIED kscreen_backend_launcher open /usr/share/lxqt/session.conf comm=kscreen_backend requested_mask=r denied_mask=r --- apparmor.d/groups/kde/kscreen_backend_launcher | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/groups/kde/kscreen_backend_launcher b/apparmor.d/groups/kde/kscreen_backend_launcher index 5e09b0cbe..d4b547c7c 100644 --- a/apparmor.d/groups/kde/kscreen_backend_launcher +++ b/apparmor.d/groups/kde/kscreen_backend_launcher @@ -10,6 +10,7 @@ include @{exec_path} += @{lib}/@{multiarch}/{,libexec/}kf{5,6}/kscreen_backend_launcher profile kscreen_backend_launcher @{exec_path} { include + include include @{exec_path} mr, From b2e0387fe74586be1b2e3b130bbbbac527558405 Mon Sep 17 00:00:00 2001 From: Besanon Date: Sun, 27 Oct 2024 23:15:22 +0100 Subject: [PATCH 016/161] Update lxqt-session --- apparmor.d/groups/lxqt/lxqt-session | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/apparmor.d/groups/lxqt/lxqt-session b/apparmor.d/groups/lxqt/lxqt-session index 5bc8491b3..3a4a6cd61 100644 --- a/apparmor.d/groups/lxqt/lxqt-session +++ b/apparmor.d/groups/lxqt/lxqt-session @@ -17,13 +17,13 @@ profile lxqt-session @{exec_path} flags=(attach_disconnected) { include include - ptrace (read), + network netlink raw, signal (send), signal (receive) set=(kill, term) peer=startlxqt, signal (receive) set=(kill, term) peer=sddm, - network netlink raw, + ptrace (read), @{exec_path} mr, 
From b8712e7e7528862a564c0e3a3ae9ecaf9ff76e66 Mon Sep 17 00:00:00 2001 From: Besanon Date: Mon, 28 Oct 2024 16:27:25 +0100 Subject: [PATCH 017/161] Create lxqt-panel --- apparmor.d/groups/lxqt/lxqt-panel | 86 +++++++++++++++++++++++++++++++ 1 file changed, 86 insertions(+) create mode 100644 apparmor.d/groups/lxqt/lxqt-panel diff --git a/apparmor.d/groups/lxqt/lxqt-panel b/apparmor.d/groups/lxqt/lxqt-panel new file mode 100644 index 000000000..8ed2bb720 --- /dev/null +++ b/apparmor.d/groups/lxqt/lxqt-panel 
@@ -0,0 +1,86 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# Copyright (C) 2024 Besanon +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/lxqt-panel +profile lxqt-panel @{exec_path} { + include + include + include + include + include + include + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink raw, + network packet dgram, + + @{exec_path} mr, + + @{bin}/exo-open rix, + @{bin}/nm-applet rPx, + @{bin}/nm-connection-editor rPx, + @{bin}/xdg-open rPx, + @{bin}/ControlPanel rPx, + + /usr/lib{,32,64}/lxqt-panel/*.so mr, # LXQT-Plugins + /usr/lib{,32,64}/lxqt-config/*.so mr, # LXQT-Plugins + + /usr/share/lxqt/helpers/*.desktop r, + /usr/share/lxqt/panel/plugins/{,*.desktop} r, + /usr/share/desktop-directories/{,**} r, + /usr/share/X11/locale/locale.alias r, + /usr/share/lxqt/themes/{,**} r, + + /etc/fstab r, + /etc/udev/udev.conf r, + /etc/machine-id r, + /etc/xdg/lxqt-qtxdg.conf r, + /etc/xdg/menus/**.menu r, + /etc/xdg/menus/applications-merged/ r, + /etc/xdg/ui/uistandards.rc r, + + /var/lib/dbus/machine-id r, + + owner @{HOME}/.config/menus/**.menu rw, + owner @{HOME}/.config/menus/applications-merged/ r, + owner @{HOME}/Desktop/** rw, + owner @{HOME}/Desktop/#@{int} rw, + owner @{HOME}/Desktop/*.desktop l -> @{HOME}/Desktop/#@{int}, + owner @{HOME}/.local/share/desktop-directories/*.directory r, + owner @{HOME}/.local/share/gvfs-metadata/{,*} r, + + owner @{user_config_dirs}/lxqt/#* rw, + owner @{user_config_dirs}/lxqt/panel.conf rw, + owner @{user_config_dirs}/lxqt/panel.conf.lock rwk, + owner @{user_config_dirs}/lxqt/panel.conf.@{rand6} rw, + owner @{user_config_dirs}/lxqt/panel.conf.@{rand6} l -> @{user_config_dirs}/lxqt/#*, + owner @{user_config_dirs}/pulse/{,**} rwk, + owner @{user_config_dirs}/ibus/bus/{,**} rw, + + @{run}/udev/data/* r, + + @{sys}/class/i2c-adapter/ r, + 
@{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_{cur,min,max}_freq r, + + @{PROC}/@{pid}/fd/ r, + @{PROC}/@{pid}/net/dev r, + owner @{PROC}/@{pid}/mounts r, + + /dev/tty rw, + /dev/tty@{int} rw, + /dev/pts/@{int} rw, + /dev/snd/controlC@{int} rw, + + include if exists +} + +# vim:syntax=apparmor From db1a170fcbc329173675a982fe113c62c6c0af73 Mon Sep 17 00:00:00 2001 From: Besanon Date: Mon, 28 Oct 2024 16:52:59 +0100 Subject: [PATCH 018/161] Update lxqt-panel --- apparmor.d/groups/lxqt/lxqt-panel | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/apparmor.d/groups/lxqt/lxqt-panel b/apparmor.d/groups/lxqt/lxqt-panel index 8ed2bb720..2caf6b69b 100644 --- a/apparmor.d/groups/lxqt/lxqt-panel +++ b/apparmor.d/groups/lxqt/lxqt-panel @@ -50,9 +50,9 @@ profile lxqt-panel @{exec_path} { /var/lib/dbus/machine-id r, - owner @{HOME}/.config/menus/**.menu rw, + owner @{HOME}/.config/menus/*.menu rw, owner @{HOME}/.config/menus/applications-merged/ r, - owner @{HOME}/Desktop/** rw, + owner @{HOME}/Desktop/*.desktop rw, owner @{HOME}/Desktop/#@{int} rw, owner @{HOME}/Desktop/*.desktop l -> @{HOME}/Desktop/#@{int}, owner @{HOME}/.local/share/desktop-directories/*.directory r, From 6524dcc148ffa934b99961e117895eeaf55e8874 Mon Sep 17 00:00:00 2001 From: Besanon Date: Tue, 29 Oct 2024 12:47:38 +0100 Subject: [PATCH 019/161] Update lxqt-panel --- apparmor.d/groups/lxqt/lxqt-panel | 26 +++++++++++--------------- 1 file changed, 11 insertions(+), 15 deletions(-) diff --git a/apparmor.d/groups/lxqt/lxqt-panel b/apparmor.d/groups/lxqt/lxqt-panel index 2caf6b69b..9bdd43228 100644 --- a/apparmor.d/groups/lxqt/lxqt-panel +++ b/apparmor.d/groups/lxqt/lxqt-panel @@ -13,6 +13,7 @@ profile lxqt-panel @{exec_path} { include include include + include include include 
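Review bot: The new lxqt-panel profile opens `network inet stream`, `inet6 stream`, `inet dgram`, `inet6 dgram`, `network netlink raw` and `network packet dgram` without any quoted denial to justify them. `network packet dgram,` in particular permits link-layer sockets, which a desktop panel should not normally need. I would keep only the network rules that a log line from lxqt-panel actually asks for and add a short comment naming the plugin behind each one, e.g. `network netlink raw,  # network monitor plugin` once that is confirmed.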
@@ -25,20 +26,16 @@ profile lxqt-panel @{exec_path} { @{exec_path} mr, - @{bin}/exo-open rix, + @{open_path} rix, @{bin}/nm-applet rPx, @{bin}/nm-connection-editor rPx, - @{bin}/xdg-open rPx, @{bin}/ControlPanel rPx, - /usr/lib{,32,64}/lxqt-panel/*.so mr, # LXQT-Plugins - /usr/lib{,32,64}/lxqt-config/*.so mr, # LXQT-Plugins + @{lib}/lxqt-panel/*.so mr, # LXQT-Plugins + @{lib}/lxqt-config/*.so mr, # LXQT-Plugins - /usr/share/lxqt/helpers/*.desktop r, - /usr/share/lxqt/panel/plugins/{,*.desktop} r, /usr/share/desktop-directories/{,**} r, - /usr/share/X11/locale/locale.alias r, - /usr/share/lxqt/themes/{,**} r, + /usr/share/lxqt/{,**} r, /etc/fstab r, /etc/udev/udev.conf r, @@ -50,21 +47,20 @@ profile lxqt-panel @{exec_path} { /var/lib/dbus/machine-id r, - owner @{HOME}/.config/menus/*.menu rw, - owner @{HOME}/.config/menus/applications-merged/ r, owner @{HOME}/Desktop/*.desktop rw, owner @{HOME}/Desktop/#@{int} rw, owner @{HOME}/Desktop/*.desktop l -> @{HOME}/Desktop/#@{int}, - owner @{HOME}/.local/share/desktop-directories/*.directory r, - owner @{HOME}/.local/share/gvfs-metadata/{,*} r, - owner @{user_config_dirs}/lxqt/#* rw, + owner @{user_config_dirs}/menus/*.menu rw, + owner @{user_config_dirs}/menus/applications-merged/ r, + owner @{user_config_dirs}/share/desktop-directories/*.directory r, + owner @{user_config_dirs}/share/gvfs-metadata/{,*} r, + owner @{user_config_dirs}/lxqt/#@{int} rw, owner @{user_config_dirs}/lxqt/panel.conf rw, owner @{user_config_dirs}/lxqt/panel.conf.lock rwk, owner @{user_config_dirs}/lxqt/panel.conf.@{rand6} rw, - owner @{user_config_dirs}/lxqt/panel.conf.@{rand6} l -> @{user_config_dirs}/lxqt/#*, + owner @{user_config_dirs}/lxqt/panel.conf.@{rand6} l -> @{user_config_dirs}/lxqt/#@{int}, owner @{user_config_dirs}/pulse/{,**} rwk, - owner @{user_config_dirs}/ibus/bus/{,**} rw, @{run}/udev/data/* r, From 2653354f62d817f5e9ee1a8bd76df92f12c06927 Mon Sep 17 00:00:00 2001 
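Review bot: `@{open_path} rix,` replaces both `@{bin}/exo-open rix,` and `@{bin}/xdg-open rPx,`, so the opener and everything it launches now stay inside the lxqt-panel profile instead of moving to a profile of their own. That either breaks the launched program or pushes the panel profile to absorb its permissions over time. A transition to a dedicated profile, such as `@{open_path} rPx -> child-open,` (the form PATCH 022 later adopts), keeps the panel confined to panel work.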
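Review bot: In the second hunk the rewritten rules `owner @{user_config_dirs}/share/desktop-directories/*.directory r,` and `owner @{user_config_dirs}/share/gvfs-metadata/{,*} r,` no longer match the paths they replace. The removed lines pointed at `@{HOME}/.local/share/...`, which corresponds to `@{user_share_dirs}`, not to a `share/` directory below the config dir. They should read `owner @{user_share_dirs}/desktop-directories/*.directory r,` and `owner @{user_share_dirs}/gvfs-metadata/{,*} r,`; as written the panel loses the access it had and gains a rule for a path that probably does not exist.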
From: Besanon Date: Tue, 29 Oct 2024 13:12:59 +0100 Subject: [PATCH 020/161] Update lxqt-panel --- apparmor.d/groups/lxqt/lxqt-panel | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/lxqt/lxqt-panel b/apparmor.d/groups/lxqt/lxqt-panel index 9bdd43228..51a3c0149 100644 --- a/apparmor.d/groups/lxqt/lxqt-panel +++ b/apparmor.d/groups/lxqt/lxqt-panel @@ -31,7 +31,7 @@ profile lxqt-panel @{exec_path} { @{bin}/nm-connection-editor rPx, @{bin}/ControlPanel rPx, - @{lib}/lxqt-panel/*.so mr, # LXQT-Plugins + @{lib}/lxqt-panel/*.so mr, # LXQT-Plugins @{lib}/lxqt-config/*.so mr, # LXQT-Plugins /usr/share/desktop-directories/{,**} r, From 0cfe954a9ebcd5aaae5e2a60718c8ca3434dc47c Mon Sep 17 00:00:00 2001 From: Besanon Date: Tue, 29 Oct 2024 14:35:55 +0100 Subject: [PATCH 021/161] fix conflicting x --- apparmor.d/groups/lxqt/lxqt-panel | 1 - 1 file changed, 1 deletion(-) diff --git a/apparmor.d/groups/lxqt/lxqt-panel b/apparmor.d/groups/lxqt/lxqt-panel index 51a3c0149..536b1351f 100644 --- a/apparmor.d/groups/lxqt/lxqt-panel +++ b/apparmor.d/groups/lxqt/lxqt-panel @@ -26,7 +26,6 @@ profile lxqt-panel @{exec_path} { @{exec_path} mr, - @{open_path} rix, @{bin}/nm-applet rPx, @{bin}/nm-connection-editor rPx, @{bin}/ControlPanel rPx, From 0aafd35dec80f436ad6900271a01f195e633796f Mon Sep 17 00:00:00 2001 From: Besanon Date: Fri, 1 Nov 2024 15:06:25 +0100 Subject: [PATCH 022/161] Update lxqt-panel add child-open --- apparmor.d/groups/lxqt/lxqt-panel | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/groups/lxqt/lxqt-panel b/apparmor.d/groups/lxqt/lxqt-panel index 536b1351f..618ff479c 100644 --- a/apparmor.d/groups/lxqt/lxqt-panel +++ b/apparmor.d/groups/lxqt/lxqt-panel @@ -26,6 +26,7 @@ profile lxqt-panel @{exec_path} { @{exec_path} mr, + @{open_path} rPx -> child-open, @{bin}/nm-applet rPx, @{bin}/nm-connection-editor rPx, @{bin}/ControlPanel rPx, From 26b1b3290f9bd23651fb89fa7e69ca8aff4964c8 Mon Sep 17 00:00:00 2001 
From: Besanon Date: Fri, 1 Nov 2024 15:13:24 +0100 Subject: [PATCH 023/161] remove include you think its too permissive to have app-launcher-user here, right? --- apparmor.d/groups/lxqt/lxqt-panel | 1 - 1 file changed, 1 deletion(-) diff --git a/apparmor.d/groups/lxqt/lxqt-panel b/apparmor.d/groups/lxqt/lxqt-panel index 618ff479c..f2a5878c8 100644 --- a/apparmor.d/groups/lxqt/lxqt-panel +++ b/apparmor.d/groups/lxqt/lxqt-panel @@ -10,7 +10,6 @@ include @{exec_path} = @{bin}/lxqt-panel profile lxqt-panel @{exec_path} { include - include include include include From 9791b68bd7be457cea53912825d8db80a3065efe Mon Sep 17 00:00:00 2001 From: Besanon Date: Fri, 1 Nov 2024 20:05:09 +0100 Subject: [PATCH 024/161] Update lxqt-panel add needed programs --- apparmor.d/groups/lxqt/lxqt-panel | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/apparmor.d/groups/lxqt/lxqt-panel b/apparmor.d/groups/lxqt/lxqt-panel index f2a5878c8..c7960653c 100644 --- a/apparmor.d/groups/lxqt/lxqt-panel +++ b/apparmor.d/groups/lxqt/lxqt-panel @@ -26,9 +26,11 @@ profile lxqt-panel @{exec_path} { @{exec_path} mr, @{open_path} rPx -> child-open, + @{bin}/ControlPanel rPx, + @{bin}/lxqt-leave rPx, @{bin}/nm-applet rPx, @{bin}/nm-connection-editor rPx, - @{bin}/ControlPanel rPx, + @{bin}/pulseaudio rPx, @{lib}/lxqt-panel/*.so mr, # LXQT-Plugins @{lib}/lxqt-config/*.so mr, # LXQT-Plugins From 38e88cef14c602b0df78d6097d4615ee62b8428e Mon Sep 17 00:00:00 2001 From: Besanon Date: Fri, 1 Nov 2024 22:20:05 +0100 Subject: [PATCH 025/161] Update lxqt-panel turning back to layout of corresponding xfce file. --- apparmor.d/groups/lxqt/lxqt-panel | 19 ++++++++++++++----- 1 file changed, 14 insertions(+), 5 deletions(-) diff --git a/apparmor.d/groups/lxqt/lxqt-panel b/apparmor.d/groups/lxqt/lxqt-panel index c7960653c..650a7e402 100644 --- a/apparmor.d/groups/lxqt/lxqt-panel +++ b/apparmor.d/groups/lxqt/lxqt-panel 
@@ -12,7 +12,6 @@ profile lxqt-panel @{exec_path} { include include include - include include include @@ -25,12 +24,13 @@ profile lxqt-panel @{exec_path} { @{exec_path} mr, - @{open_path} rPx -> child-open, - @{bin}/ControlPanel rPx, - @{bin}/lxqt-leave rPx, + @{bin}/exo-open rix, + @{lib}/gio-launch-desktop rix, @{bin}/nm-applet rPx, @{bin}/nm-connection-editor rPx, - @{bin}/pulseaudio rPx, + @{bin}/ControlPanel rPx, + + @{bin}/sudo rCx -> root, @{lib}/lxqt-panel/*.so mr, # LXQT-Plugins @{lib}/lxqt-config/*.so mr, # LXQT-Plugins @@ -77,6 +77,15 @@ profile lxqt-panel @{exec_path} { /dev/pts/@{int} rw, /dev/snd/controlC@{int} rw, + profile root { + include + include + + @{bin}/lsblk rPx, + + include if exists + } + include if exists } From d5552d2f94c3482e1b7fec192c681be009129942 Mon Sep 17 00:00:00 2001 From: Besanon Date: Mon, 4 Nov 2024 11:55:57 +0100 Subject: [PATCH 026/161] Create lxqt-globalkeysd --- apparmor.d/groups/lxqt/lxqt-globalkeysd | 42 +++++++++++++++++++++++++ 1 file changed, 42 insertions(+) create mode 100644 apparmor.d/groups/lxqt/lxqt-globalkeysd diff --git a/apparmor.d/groups/lxqt/lxqt-globalkeysd b/apparmor.d/groups/lxqt/lxqt-globalkeysd new file mode 100644 index 000000000..2f440b902 --- /dev/null +++ b/apparmor.d/groups/lxqt/lxqt-globalkeysd 
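Review bot: The `@{bin}/sudo rCx -> root,` rule in the exec block, together with the `profile root` child added in the last hunk, gives the panel a privilege-elevation path whose only stated justification is that it mirrors the xfce file. If lxqt-panel never invokes sudo itself, both the rule and the child profile should be dropped. The same hunk replaces `@{open_path} rPx -> child-open,` with `@{bin}/exo-open rix,` and `@{lib}/gio-launch-desktop rix,`, so these helpers now run inside the panel's own profile and anything they start is checked against the panel's exec rules rather than a dedicated launcher profile. I would keep the `child-open` transition and put a comment above any sudo rule that remains, naming the plugin that needs it.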
@@ -0,0 +1,42 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# Copyright (C) 2024 Besanon
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/lxqt-globalkeysd
+profile lxqt-globalkeysd @{exec_path} {
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+
+ @{exec_path} mr,
+
+ @{bin}/screengrab rpx,
+ @{bin}/lxqt-config-brightness rpx,
+
+ /usr/share/lxqt/globalkeyshortcuts.conf rw,
+
+ /var/lib/dbus/machine-id r,
+
+ owner @{user_config_dirs}/lxqt/ r,
+ owner @{user_config_dirs}/lxqt/globalkeyshortcuts.conf.lock wrk,
+ owner @{user_config_dirs}/lxqt/#@{int} wr,
+ owner @{user_config_dirs}/lxqt/globalkeyshortcuts.conf.@{rand6} rw,
+ owner @{user_config_dirs}/lxqt/globalkeyshortcuts.conf.@{rand6} l -> @{user_config_dirs}/lxqt/#@{int},
+
+ owner /tmp/@{int} r,
+
+ /dev/tty rw,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
From 35fa0a23a684ea30611798ed5c28e502a65a6c18 Mon Sep 17 00:00:00 2001
From: Besanon
Date: Mon, 4 Nov 2024 11:58:11 +0100
Subject: [PATCH 027/161] Create lxqt-about
---
apparmor.d/groups/lxqt/lxqt-about | 30 ++++++++++++++++++++++++++++++
1 file changed, 30 insertions(+)
create mode 100644 apparmor.d/groups/lxqt/lxqt-about
diff --git a/apparmor.d/groups/lxqt/lxqt-about b/apparmor.d/groups/lxqt/lxqt-about
new file mode 100644
index 000000000..e8fcde1d0
--- /dev/null
+++ b/apparmor.d/groups/lxqt/lxqt-about
@@ -0,0 +1,30 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# Copyright (C) 2024 Besanon
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/lxqt-about
+profile lxqt-about @{exec_path} {
+ include
+ include
+ include
+
+ @{exec_path} mr,
+
+ /usr/share/icons/{,**} r,
+ /usr/share/desktop-directories/{,**} r,
+
+ /etc/xdg/menus/lxqt-applications.menu r,
+
+ owner /tmp/@{int} r,
+
+ /dev/tty rw,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
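Review bot: In the lxqt-globalkeysd profile, `/usr/share/lxqt/globalkeyshortcuts.conf rw,` grants write access to a system-wide file and, unlike the per-user rules below it, has no `owner` qualifier. The daemon's writable copy is already covered by the `@{user_config_dirs}/lxqt/globalkeyshortcuts.conf.*` rules, so the system file should only need `/usr/share/lxqt/globalkeyshortcuts.conf r,`. The two exec rules use lowercase `rpx`, which transitions without environment scrubbing; `rPx`, as used in lxqt-panel, would be the consistent and safer form.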
From a7da4672ae33a9f26229711b77df81cfedca5b73 Mon Sep 17 00:00:00 2001
From: Besanon
Date: Mon, 4 Nov 2024 11:59:35 +0100
Subject: [PATCH 028/161] Create lxqt-leave
---
apparmor.d/groups/lxqt/lxqt-leave | 25 +++++++++++++++++++++++++
1 file changed, 25 insertions(+)
create mode 100644 apparmor.d/groups/lxqt/lxqt-leave
diff --git a/apparmor.d/groups/lxqt/lxqt-leave b/apparmor.d/groups/lxqt/lxqt-leave
new file mode 100644
index 000000000..74aa39f7c
--- /dev/null
+++ b/apparmor.d/groups/lxqt/lxqt-leave
@@ -0,0 +1,25 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# Copyright (C) 2024 Besanon
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/lxqt-leave
+profile lxqt-leave @{exec_path} {
+ include
+ include
+ include
+
+ @{exec_pathlx21} mr,
+
+ owner /tmp/@{int} r,
+
+ /dev/tty rw,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
From 554301bee8540498ce17224ca0e8007051155faa Mon Sep 17 00:00:00 2001
From: Besanon
Date: Mon, 4 Nov 2024 12:02:12 +0100
Subject: [PATCH 029/161] Create lxqt-runner
---
apparmor.d/groups/lxqt/lxqt-runner | 36 ++++++++++++++++++++++++++++++
1 file changed, 36 insertions(+)
create mode 100644 apparmor.d/groups/lxqt/lxqt-runner
diff --git a/apparmor.d/groups/lxqt/lxqt-runner b/apparmor.d/groups/lxqt/lxqt-runner
new file mode 100644
index 000000000..81383e968
--- /dev/null
+++ b/apparmor.d/groups/lxqt/lxqt-runner
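Review bot: `@{exec_pathlx21} mr,` in the new lxqt-leave profile refers to a variable that this file never defines (only `@{exec_path}` is set), so the profile should fail to compile and presumably leaves lxqt-leave without confinement. The line should read `@{exec_path} mr,`. The same stray suffix appears in the new lxqt-runner profile (`@{exec_pathlx27} mr,`) and the new lxqt-config-printer profile (`@{exec_pathlx15} mr,`). Compiling each new profile with the parser before committing would catch this class of typo.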
@@ -0,0 +1,36 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# Copyright (C) 2024 Besanon +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/lxqt-runner +profile lxqt-runner @{exec_path} { + include + include + include + + @{exec_pathlx27} mr, + + /usr/share/icons/ r, + /usr/share/icons/{,**} r, + /usr/share/desktop-directories/ r, + /usr/share/desktop-directories/{,**} r, + + /etc/xdg/menus/lxqt-applications.menu r, + + owner @{user_config_dirs}/lxqt/lxqt-runner.conf.lock rwk, + owner @{user_config_dirs}/lxqt/#@{int} rw, + owner @{user_config_dirs}/lxqt/lxqt-runner.conf.@{rand6} rwkl -> @{user_config_dirs}/lxqt/#@{int}, + + owner /tmp/@{int} r, + + /dev/tty rw, + + include if exists +} + +# vim:syntax=apparmor From 7433e7ba795101032a22c93a672a3804b60157f3 Mon Sep 17 00:00:00 2001 From: Besanon Date: Mon, 4 Nov 2024 12:16:27 +0100 Subject: [PATCH 030/161] Update lxqt-leave --- apparmor.d/groups/lxqt/lxqt-leave | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/lxqt/lxqt-leave b/apparmor.d/groups/lxqt/lxqt-leave index 74aa39f7c..aac8953cc 100644 --- a/apparmor.d/groups/lxqt/lxqt-leave +++ b/apparmor.d/groups/lxqt/lxqt-leave @@ -13,7 +13,7 @@ profile lxqt-leave @{exec_path} { include include - @{exec_pathlx21} mr, + @{exec_path} mr, owner /tmp/@{int} r, From 3ede7913a6bcd0dcd4cc51f8967ef261ead82515 Mon Sep 17 00:00:00 2001 From: Besanon Date: Mon, 4 Nov 2024 12:16:45 +0100 Subject: [PATCH 031/161] Update lxqt-runner --- apparmor.d/groups/lxqt/lxqt-runner | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/lxqt/lxqt-runner b/apparmor.d/groups/lxqt/lxqt-runner index 81383e968..173217539 100644 --- a/apparmor.d/groups/lxqt/lxqt-runner +++ b/apparmor.d/groups/lxqt/lxqt-runner @@ -13,7 +13,7 @@ profile lxqt-runner @{exec_path} { include include - @{exec_pathlx27} mr, + @{exec_path} mr, /usr/share/icons/ r, /usr/share/icons/{,**} r, 
From de38a3b40bc9619cc98ccbf6cd6c362c6a935b18 Mon Sep 17 00:00:00 2001 From: Besanon Date: Mon, 4 Nov 2024 17:38:19 +0100 Subject: [PATCH 032/161] Update lxqt-globalkeysd --- apparmor.d/groups/lxqt/lxqt-globalkeysd | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/apparmor.d/groups/lxqt/lxqt-globalkeysd b/apparmor.d/groups/lxqt/lxqt-globalkeysd index 2f440b902..8b3e19442 100644 --- a/apparmor.d/groups/lxqt/lxqt-globalkeysd +++ b/apparmor.d/groups/lxqt/lxqt-globalkeysd @@ -15,12 +15,12 @@ profile lxqt-globalkeysd @{exec_path} { include include include - include @{exec_path} mr, - @{bin}/screengrab rpx, - @{bin}/lxqt-config-brightness rpx, + @{open_path} rPx -> child-open-help, + @{bin}/screengrab rPx, + @{bin}/lxqt-config-brightness rPx, /usr/share/lxqt/globalkeyshortcuts.conf rw, From 919d8a25c7ea70c571ecd4ad701940ac715c3009 Mon Sep 17 00:00:00 2001 From: Besanon Date: Mon, 4 Nov 2024 18:10:24 +0100 Subject: [PATCH 033/161] remove video in lxqt-about --- apparmor.d/groups/lxqt/lxqt-about | 1 - 1 file changed, 1 deletion(-) diff --git a/apparmor.d/groups/lxqt/lxqt-about b/apparmor.d/groups/lxqt/lxqt-about index e8fcde1d0..96743910d 100644 --- a/apparmor.d/groups/lxqt/lxqt-about +++ b/apparmor.d/groups/lxqt/lxqt-about @@ -11,7 +11,6 @@ include profile lxqt-about @{exec_path} { include include - include @{exec_path} mr, From e278ea54f7d4fecbe6bf5ba0871cb01147b81db9 Mon Sep 17 00:00:00 2001 From: Besanon Date: Mon, 4 Nov 2024 18:10:51 +0100 Subject: [PATCH 034/161] Update lxqt-about --- apparmor.d/groups/lxqt/lxqt-about | 1 - 1 file changed, 1 deletion(-) diff --git a/apparmor.d/groups/lxqt/lxqt-about b/apparmor.d/groups/lxqt/lxqt-about index 96743910d..8f5830453 100644 --- a/apparmor.d/groups/lxqt/lxqt-about +++ b/apparmor.d/groups/lxqt/lxqt-about @@ -14,7 +14,6 @@ profile lxqt-about @{exec_path} { @{exec_path} mr, - /usr/share/icons/{,**} r, /usr/share/desktop-directories/{,**} r, /etc/xdg/menus/lxqt-applications.menu r, 
From 66b19bf48d1fd183aeb5541a8f3eb1b84b7eddca Mon Sep 17 00:00:00 2001 From: Besanon Date: Sun, 10 Nov 2024 08:10:48 +0100 Subject: [PATCH 035/161] Update lxqt-runner --- apparmor.d/groups/lxqt/lxqt-runner | 1 - 1 file changed, 1 deletion(-) diff --git a/apparmor.d/groups/lxqt/lxqt-runner b/apparmor.d/groups/lxqt/lxqt-runner index 173217539..272c8e730 100644 --- a/apparmor.d/groups/lxqt/lxqt-runner +++ b/apparmor.d/groups/lxqt/lxqt-runner @@ -16,7 +16,6 @@ profile lxqt-runner @{exec_path} { @{exec_path} mr, /usr/share/icons/ r, - /usr/share/icons/{,**} r, /usr/share/desktop-directories/ r, /usr/share/desktop-directories/{,**} r, From 7e85bd5cba0536359dc7908559ff0bbe7207be4b Mon Sep 17 00:00:00 2001 From: Besanon Date: Sun, 10 Nov 2024 08:22:16 +0100 Subject: [PATCH 036/161] remove abstr. in lxqt-globalkeysd --- apparmor.d/groups/lxqt/lxqt-globalkeysd | 2 -- 1 file changed, 2 deletions(-) diff --git a/apparmor.d/groups/lxqt/lxqt-globalkeysd b/apparmor.d/groups/lxqt/lxqt-globalkeysd index 8b3e19442..8729b1abb 100644 --- a/apparmor.d/groups/lxqt/lxqt-globalkeysd +++ b/apparmor.d/groups/lxqt/lxqt-globalkeysd @@ -11,10 +11,8 @@ include profile lxqt-globalkeysd @{exec_path} { include include - include include include - include @{exec_path} mr, From bbabc65d27edf686f571b6c2f3c1943ff00e49b4 Mon Sep 17 00:00:00 2001 From: Besanon Date: Sun, 10 Nov 2024 08:22:54 +0100 Subject: [PATCH 037/161] remove abstr. in lxqt-runner --- apparmor.d/groups/lxqt/lxqt-runner | 1 - 1 file changed, 1 deletion(-) diff --git a/apparmor.d/groups/lxqt/lxqt-runner b/apparmor.d/groups/lxqt/lxqt-runner index 272c8e730..9477c1bda 100644 --- a/apparmor.d/groups/lxqt/lxqt-runner +++ b/apparmor.d/groups/lxqt/lxqt-runner @@ -10,7 +10,6 @@ include @{exec_path} = @{bin}/lxqt-runner profile lxqt-runner @{exec_path} { include - include include @{exec_path} mr, From 9452b4fefd89f45a0464fd4a02b8005eddf99519 Mon Sep 17 00:00:00 2001 
From: Besanon Date: Sun, 10 Nov 2024 08:24:55 +0100 Subject: [PATCH 038/161] remove abstr. in lxqt-leave --- apparmor.d/groups/lxqt/lxqt-leave | 1 - 1 file changed, 1 deletion(-) diff --git a/apparmor.d/groups/lxqt/lxqt-leave b/apparmor.d/groups/lxqt/lxqt-leave index aac8953cc..e76d81f54 100644 --- a/apparmor.d/groups/lxqt/lxqt-leave +++ b/apparmor.d/groups/lxqt/lxqt-leave @@ -10,7 +10,6 @@ include @{exec_path} = @{bin}/lxqt-leave profile lxqt-leave @{exec_path} { include - include include @{exec_path} mr, From 3abe61d0073edf2b05532090689325c4710ade85 Mon Sep 17 00:00:00 2001 From: Besanon Date: Sat, 23 Nov 2024 20:57:59 +0100 Subject: [PATCH 039/161] Create lxqt-config-notificationd --- .../groups/lxqt/lxqt-config-notificationd | 34 +++++++++++++++++++ 1 file changed, 34 insertions(+) create mode 100644 apparmor.d/groups/lxqt/lxqt-config-notificationd diff --git a/apparmor.d/groups/lxqt/lxqt-config-notificationd b/apparmor.d/groups/lxqt/lxqt-config-notificationd new file mode 100644 index 000000000..63b2eb673 --- /dev/null +++ b/apparmor.d/groups/lxqt/lxqt-config-notificationd @@ -0,0 +1,34 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# Copyright (C) 2024 Besanon +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/lxqt-config-notificationd +profile lxqt-config-notificationd @{exec_path} { + include + include + include + + @{exec_path} mr, + + /etc/machine-id r, + + /var/lib/dbus/machine-id r, + + owner @{user_config_dirs}/lxqt/#@{int} rw, + owner @{user_config_dirs}/lxqt/notifications.conf.lock rwk, + owner @{user_config_dirs}/lxqt/notifications.conf.@{rand6} rw, + owner @{user_config_dirs}/lxqt/notifications.conf.@{rand6} l -> @{user_config_dirs}/lxqt/#@{int}, + + owner /tmp/#@{int} r, + + /dev/tty rw, + + include if exists +} + +# vim:syntax=apparmor From 08a2987d358cacbbdf8197ff18ec8cad91d6aec4 Mon Sep 17 00:00:00 2001 
From: Besanon
Date: Sat, 23 Nov 2024 21:03:16 +0100
Subject: [PATCH 040/161] Create lxqt-config-locale
---
apparmor.d/groups/lxqt/lxqt-config-locale | 40 +++++++++++++++++++++++
1 file changed, 40 insertions(+)
create mode 100644 apparmor.d/groups/lxqt/lxqt-config-locale
diff --git a/apparmor.d/groups/lxqt/lxqt-config-locale b/apparmor.d/groups/lxqt/lxqt-config-locale
new file mode 100644
index 000000000..c7c868c18
--- /dev/null
+++ b/apparmor.d/groups/lxqt/lxqt-config-locale
@@ -0,0 +1,40 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# Copyright (C) 2024 Besanon
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/lxqt-config-locale
+profile lxqt-config-locale @{exec_path} {
+ include
+ include
+ include
+
+ @{exec_path} mr,
+
+ /etc/machine-id r,
+
+ owner @{user_config_dirs}/lxqt/* r,
+ owner @{user_config_dirs}/lxqt/#@{int} rw,
+ owner @{user_config_dirs}/lxqt/lxqt-config.conf.lock rwk,
+ owner @{user_config_dirs}/lxqt/lxqt-config.conf.@{rand6} rw,
+ owner @{user_config_dirs}/lxqt/lxqt-config.conf.@{rand6} l -> @{user_config_dirs}/lxqt/#@{int},
+ owner @{user_config_dirs}/lxqt/lxqt-config-locale.conf l -> @{user_config_dirs}/lxqt/#@{int},
+ owner @{user_config_dirs}/lxqt/lxqt-config-locale.conf.@{rand6} rw,
+ owner @{user_config_dirs}/lxqt/lxqt-config-locale.conf.@{rand6} l -> @{user_config_dirs}/lxqt/#@{int},
+ owner @{user_config_dirs}/lxqt/lxqt-config-locale.conf.lock rwk,
+ owner @{user_config_dirs}/lxqt/session.conf.lock rwk,
+ owner @{user_config_dirs}/lxqt/session.conf.@{rand6} rw,
+ owner @{user_config_dirs}/lxqt/session.conf.@{rand6} l -> @{user_config_dirs}/lxqt/#@{int},
+
+ owner /tmp/@{int} r,
+
+ /dev/tty rw,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
From 9d946327a440df90f129f34b179bbd35683fa5cd Mon Sep 17 00:00:00 2001
From: Besanon
Date: Sat, 23 Nov 2024 21:05:18 +0100
Subject: [PATCH 041/161] Create lxqt-config-printer
---
apparmor.d/groups/lxqt/lxqt-config-printer | 24 ++++++++++++++++++++++
1 file changed, 24 insertions(+)
create mode 100644 apparmor.d/groups/lxqt/lxqt-config-printer
diff --git a/apparmor.d/groups/lxqt/lxqt-config-printer b/apparmor.d/groups/lxqt/lxqt-config-printer
new file mode 100644
index 000000000..d7a4c5da0
--- /dev/null
+++ b/apparmor.d/groups/lxqt/lxqt-config-printer
@@ -0,0 +1,24 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# Copyright (C) 2024 Besanon
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/lxqt-config-printer
+profile lxqt-config-printer @{exec_path} {
+ include
+ include
+
+ @{exec_pathlx15} mr,
+
+ owner /tmp/@{int} r,
+
+ /dev/tty rw,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
From ee63c445f03628f3bf4cfb23f11712f26e715b75 Mon Sep 17 00:00:00 2001
From: Besanon
Date: Sat, 23 Nov 2024 21:10:03 +0100
Subject: [PATCH 042/161] Create lxqt-config-file-associations
---
.../groups/lxqt/lxqt-config-file-associations | 36 +++++++++++++++++++
1 file changed, 36 insertions(+)
create mode 100644 apparmor.d/groups/lxqt/lxqt-config-file-associations
diff --git a/apparmor.d/groups/lxqt/lxqt-config-file-associations b/apparmor.d/groups/lxqt/lxqt-config-file-associations
new file mode 100644
index 000000000..4232f1c70
--- /dev/null
+++ b/apparmor.d/groups/lxqt/lxqt-config-file-associations
@@ -0,0 +1,36 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# Copyright (C) 2024 Besanon
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/lxqt-config-file-associations
+profile lxqt-config-file-associations @{exec_path} {
+ include
+ include
+ include
+
+ @{exec_path} mr,
+
+ /etc/machine-id r,
+
+ owner @{user_config_dirs}/ r,
+ owner @{user_config_dirs}/mimeapps* rwk,
+ owner @{user_config_dirs}/lxqt-* rwk,
+ owner @{user_config_dirs}/lxqt/ r,
+ owner @{user_config_dirs}/lxqt/#@{int} rwk,
+ owner @{user_config_dirs}/lxqt/lxqt-config-file-associations.conf.lock rwk,
+ owner @{user_config_dirs}/lxqt/lxqt-config-file-associations.conf kl -> @{user_config_dirs}/lxqt/#@{int},
+ owner @{user_config_dirs}/lxqt/lxqt-config-file-associations.conf.@{rand6} rwkl -> @{user_config_dirs}/lxqt/#@{int},
+
+ owner /tmp/#@{int} rwk,
+
+ /dev/tty rw,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
From 26b2e1c54c343f01ead0c8fa31fa100394ba3587 Mon Sep 17 00:00:00 2001
From: Besanon
Date: Sat, 23 Nov 2024 21:15:24 +0100
Subject: [PATCH 043/161] Create lxqt-config-powermanagement
---
.../groups/lxqt/lxqt-config-powermanagement | 41 +++++++++++++++++++
1 file changed, 41 insertions(+)
create mode 100644 apparmor.d/groups/lxqt/lxqt-config-powermanagement
diff --git a/apparmor.d/groups/lxqt/lxqt-config-powermanagement b/apparmor.d/groups/lxqt/lxqt-config-powermanagement
new file mode 100644
index 000000000..636e13b46
--- /dev/null
+++ b/apparmor.d/groups/lxqt/lxqt-config-powermanagement
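Review bot: `owner @{user_config_dirs}/lxqt-* rwk,` matches every entry in the config directory whose name starts with `lxqt-`, which is wider than a file-association editor appears to need. These files decide which application opens a given file type, so the writable targets are better listed explicitly, presumably `lxqt-mimeapps.list` (to be confirmed against the audit log), e.g. `owner @{user_config_dirs}/lxqt-mimeapps.list{,.*} rwk,`. `owner /tmp/#@{int} rwk,` is also broader than the read-only `/tmp` rule in the sibling profiles. A short comment saying why write and lock are needed there would help the next reader.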
@@ -0,0 +1,41 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# Copyright (C) 2024 Besanon +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/lxqt-config-powermanagement +profile lxqt-config-powermanagement @{exec_path} { + include + include + include + include + + @{exec_path} mr, + + /etc/machine-id r, + + owner @{user_config_dirs}/lxqt/#@{int} rw, + owner @{user_config_dirs}/lxqt/lxqt-powermanagement.conf.lock rwk, + owner @{user_config_dirs}/lxqt/lxqt-powermanagement.conf.@{rand6} rw, + owner @{user_config_dirs}/lxqt/lxqt-powermanagement.conf.@{rand6} l -> @{user_config_dirs}/lxqt/#@{int}, + + owner /tmp/@{int} r, + + @{sys}/class/backlight/ r, + @{sys}/devices/@{pci_bus}/**/drm/card@{int}/card@{int}-eDP-@{int}/intel_backlight/* rw, + @{sys}/devices/@{pci_bus}/0000:00:02.0/drm/card@{int}/card@{int}-eDP-@{int}/intel_backlight/ r, + @{sys}/devices/@{pci_bus}/0000:00:02.0/drm/card@{int}/card@{int}-eDP-@{int}/intel_backlight/max_brightness r, + @{sys}/devices/@{pci_bus}/0000:00:02.0/drm/card@{int}/card@{int}-eDP-@{int}/intel_backlight/bl_power r, + @{sys}/devices/@{pci_bus}/0000:00:02.0/drm/card@{int}/card@{int}-eDP-@{int}/intel_backlight/actual_brightness r, + @{sys}/devices/@{pci_bus}/**/**/drm/card@{int}/card@{int}-eDP-1/amdgpu_bl@{int}/* r, + + /dev/tty rw, + + include if exists +} + +# vim:syntax=apparmor From 41a75353988629a5d293af8decec65e71670ed0b Mon Sep 17 00:00:00 2001 From: Besanon Date: Sat, 23 Nov 2024 21:21:12 +0100 Subject: [PATCH 044/161] enable wayland-session for lxqt 2.1 startlxqtwayland for starting the session, support for labwc and kwin_wayland --- apparmor.d/groups/kde/sddm | 3 +++ 1 file changed, 3 insertions(+) diff --git a/apparmor.d/groups/kde/sddm b/apparmor.d/groups/kde/sddm index d8adff564..d28049e42 100644 --- a/apparmor.d/groups/kde/sddm +++ b/apparmor.d/groups/kde/sddm 
@@ -40,6 +40,7 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) { ptrace (trace) peer=@{profile_name}, signal (receive) set=(hup) peer=@{p_systemd}, + signal (send) set=(kill, term) peer=labwc, signal (send) set=(kill, term) peer=lxqt-session, signal (send) set=(kill, term) peer=startplasma, signal (send) set=(kill, term) peer=xorg, @@ -47,6 +48,7 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) { signal (send) set=(term) peer=kwin_wayland, signal (send) set=(term) peer=sddm-greeter, signal (send) set=(term) peer=startplasma-wayland, + signal (send) set=(term) peer=startlxqtwayland, dbus receive bus=system path=/org/freedesktop/DisplayManager/Seat@{int} interface=org.freedesktop.DBus.Introspectable @@ -96,6 +98,7 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{bin}/kwin_wayland rPx, @{bin}/sddm-greeter{,-qt6} rPx, @{bin}/startlxqt rPx, + @{bin}/startlxqtwayland rPx, @{bin}/startplasma-wayland rPx, @{bin}/startplasma-x11 rPx, @{bin}/sway rPUx, From 30226845351a412363c0a2f90283ad1eb53103f4 Mon Sep 17 00:00:00 2001 From: Besanon Date: Sat, 23 Nov 2024 21:36:56 +0100 Subject: [PATCH 045/161] Update lxqt-config-printer --- apparmor.d/groups/lxqt/lxqt-config-printer | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/lxqt/lxqt-config-printer b/apparmor.d/groups/lxqt/lxqt-config-printer index d7a4c5da0..f4c38e94d 100644 --- a/apparmor.d/groups/lxqt/lxqt-config-printer +++ b/apparmor.d/groups/lxqt/lxqt-config-printer @@ -12,7 +12,7 @@ profile lxqt-config-printer @{exec_path} { include include - @{exec_pathlx15} mr, + @{exec_path} mr, owner /tmp/@{int} r, From c2fa8db554e18f750bf553b0a203220dab309b19 Mon Sep 17 00:00:00 2001 From: Besanon Date: Sat, 23 Nov 2024 22:13:48 +0100 Subject: [PATCH 046/161] Update lxqt-config-powermanagement --- apparmor.d/groups/lxqt/lxqt-config-powermanagement | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) 
diff --git a/apparmor.d/groups/lxqt/lxqt-config-powermanagement b/apparmor.d/groups/lxqt/lxqt-config-powermanagement index 636e13b46..d24080127 100644 --- a/apparmor.d/groups/lxqt/lxqt-config-powermanagement +++ b/apparmor.d/groups/lxqt/lxqt-config-powermanagement @@ -26,12 +26,12 @@ profile lxqt-config-powermanagement @{exec_path} { owner /tmp/@{int} r, @{sys}/class/backlight/ r, - @{sys}/devices/@{pci_bus}/**/drm/card@{int}/card@{int}-eDP-@{int}/intel_backlight/* rw, - @{sys}/devices/@{pci_bus}/0000:00:02.0/drm/card@{int}/card@{int}-eDP-@{int}/intel_backlight/ r, - @{sys}/devices/@{pci_bus}/0000:00:02.0/drm/card@{int}/card@{int}-eDP-@{int}/intel_backlight/max_brightness r, - @{sys}/devices/@{pci_bus}/0000:00:02.0/drm/card@{int}/card@{int}-eDP-@{int}/intel_backlight/bl_power r, - @{sys}/devices/@{pci_bus}/0000:00:02.0/drm/card@{int}/card@{int}-eDP-@{int}/intel_backlight/actual_brightness r, - @{sys}/devices/@{pci_bus}/**/**/drm/card@{int}/card@{int}-eDP-1/amdgpu_bl@{int}/* r, + @{sys}/devices/@{pci}/**/drm/card@{int}/card@{int}-eDP-@{int}/intel_backlight/* rw, + @{sys}/devices/@{pci}/0000:00:02.0/drm/card@{int}/card@{int}-eDP-@{int}/intel_backlight/ r, + @{sys}/devices/@{pci}/0000:00:02.0/drm/card@{int}/card@{int}-eDP-@{int}/intel_backlight/max_brightness r, + @{sys}/devices/@{pci}/0000:00:02.0/drm/card@{int}/card@{int}-eDP-@{int}/intel_backlight/bl_power r, + @{sys}/devices/@{pci}/0000:00:02.0/drm/card@{int}/card@{int}-eDP-@{int}/intel_backlight/actual_brightness r, + @{sys}/devices/@{pci}/**/**/drm/card@{int}/card@{int}-eDP-1/amdgpu_bl@{int}/* r, /dev/tty rw, From af7641a687361284e7f9cf39f15391e4af0f284d Mon Sep 17 00:00:00 2001 From: Besanon Date: Mon, 25 Nov 2024 17:21:30 +0100 Subject: [PATCH 047/161] Update sddm --- apparmor.d/groups/kde/sddm | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/groups/kde/sddm b/apparmor.d/groups/kde/sddm index d28049e42..8e491bb2b 100644 --- a/apparmor.d/groups/kde/sddm +++ b/apparmor.d/groups/kde/sddm 
@@ -97,6 +97,7 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{bin}/kwalletd{5,6} rPx, @{bin}/kwin_wayland rPx, @{bin}/sddm-greeter{,-qt6} rPx, + @{bin}/labwc rPx, @{bin}/startlxqt rPx, @{bin}/startlxqtwayland rPx, @{bin}/startplasma-wayland rPx, From 49dab185643e0422d2f2e85e2df6e1a0b5308f68 Mon Sep 17 00:00:00 2001 From: Besanon Date: Mon, 25 Nov 2024 17:44:53 +0100 Subject: [PATCH 048/161] Update sddm From 0f36ac12ea84e59f94acb62d58496ea372e92b0c Mon Sep 17 00:00:00 2001 From: Besanon Date: Fri, 29 Nov 2024 16:55:09 +0100 Subject: [PATCH 049/161] adapt pci-rules ok, havent seen this profile yet. I will change that in lxqt-powermanagement as well and check the other profiles --- .../groups/lxqt/lxqt-config-powermanagement | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/apparmor.d/groups/lxqt/lxqt-config-powermanagement b/apparmor.d/groups/lxqt/lxqt-config-powermanagement index d24080127..a4339c9fd 100644 --- a/apparmor.d/groups/lxqt/lxqt-config-powermanagement +++ b/apparmor.d/groups/lxqt/lxqt-config-powermanagement 
@@ -26,12 +26,15 @@ profile lxqt-config-powermanagement @{exec_path} { owner /tmp/@{int} r, @{sys}/class/backlight/ r, - @{sys}/devices/@{pci}/**/drm/card@{int}/card@{int}-eDP-@{int}/intel_backlight/* rw, - @{sys}/devices/@{pci}/0000:00:02.0/drm/card@{int}/card@{int}-eDP-@{int}/intel_backlight/ r, - @{sys}/devices/@{pci}/0000:00:02.0/drm/card@{int}/card@{int}-eDP-@{int}/intel_backlight/max_brightness r, - @{sys}/devices/@{pci}/0000:00:02.0/drm/card@{int}/card@{int}-eDP-@{int}/intel_backlight/bl_power r, - @{sys}/devices/@{pci}/0000:00:02.0/drm/card@{int}/card@{int}-eDP-@{int}/intel_backlight/actual_brightness r, - @{sys}/devices/@{pci}/**/**/drm/card@{int}/card@{int}-eDP-1/amdgpu_bl@{int}/* r, + @{sys}/class/leds/ r, + @{sys}/devices/@{pci}/backlight/**/{,max_,actual_}brightness rw, + @{sys}/devices/@{pci}/backlight/**/{uevent,type,enabled} r, + @{sys}/devices/@{pci}/backlight/**/brightness rw, + @{sys}/devices/@{pci}/drm/card@{int}/**/{,max_,actual_}brightness rw, + @{sys}/devices/@{pci}/drm/card@{int}/**/{uevent,type,enabled} r, + @{sys}/devices/@{pci}/drm/card@{int}/**/brightness rw, + @{sys}/devices/@{pci}/*_backlight/{,max_,actual_}brightness rw, + @{sys}/devices/@{pci}/*_backlight/{uevent,type,enabled} r, /dev/tty rw, From 65ab819b8f81c44e5c6d5a5236a0bd1e280dadac Mon Sep 17 00:00:00 2001 From: Besanon Date: Fri, 29 Nov 2024 17:11:16 +0100 Subject: [PATCH 050/161] Update lxqt-config-powermanagement From b60609644802793091649dddc406368051c22cc6 Mon Sep 17 00:00:00 2001 From: Besanon Date: Fri, 29 Nov 2024 17:49:01 +0100 Subject: [PATCH 051/161] Update lxqt-config-powermanagement --- apparmor.d/groups/lxqt/lxqt-config-powermanagement | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/lxqt/lxqt-config-powermanagement b/apparmor.d/groups/lxqt/lxqt-config-powermanagement index a4339c9fd..05e04f864 100644 --- a/apparmor.d/groups/lxqt/lxqt-config-powermanagement +++ b/apparmor.d/groups/lxqt/lxqt-config-powermanagement 
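Review bot: The brace rules `{,max_,actual_}brightness rw,` give write access to `max_brightness` and `actual_brightness`, which are informational attributes that only need to be read. They also already match plain `brightness`, so the separate `.../brightness rw,` lines after them are redundant. Splitting each into `@{sys}/devices/@{pci}/backlight/**/brightness rw,` plus `@{sys}/devices/@{pci}/backlight/**/{max_,actual_}brightness r,` (and likewise for the `drm/card@{int}/**` and `*_backlight` paths) keeps write access on the one attribute that is meant to change. The identical block is removed in patch 052 and re-added in patch 053, so the same applies there.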
@@ -26,7 +26,7 @@ profile lxqt-config-powermanagement @{exec_path} { owner /tmp/@{int} r, @{sys}/class/backlight/ r, - @{sys}/class/leds/ r, + @{sys}/class/leds/ r, @{sys}/devices/@{pci}/backlight/**/{,max_,actual_}brightness rw, @{sys}/devices/@{pci}/backlight/**/{uevent,type,enabled} r, @{sys}/devices/@{pci}/backlight/**/brightness rw, From 6e402fe2bded6736c2698c14befe095e1448a63e Mon Sep 17 00:00:00 2001 From: Besanon Date: Fri, 29 Nov 2024 19:03:37 +0100 Subject: [PATCH 052/161] Update lxqt-config-powermanagement --- apparmor.d/groups/lxqt/lxqt-config-powermanagement | 11 ----------- 1 file changed, 11 deletions(-) diff --git a/apparmor.d/groups/lxqt/lxqt-config-powermanagement b/apparmor.d/groups/lxqt/lxqt-config-powermanagement index 05e04f864..0406e1529 100644 --- a/apparmor.d/groups/lxqt/lxqt-config-powermanagement +++ b/apparmor.d/groups/lxqt/lxqt-config-powermanagement @@ -25,17 +25,6 @@ profile lxqt-config-powermanagement @{exec_path} { owner /tmp/@{int} r, - @{sys}/class/backlight/ r, - @{sys}/class/leds/ r, - @{sys}/devices/@{pci}/backlight/**/{,max_,actual_}brightness rw, - @{sys}/devices/@{pci}/backlight/**/{uevent,type,enabled} r, - @{sys}/devices/@{pci}/backlight/**/brightness rw, - @{sys}/devices/@{pci}/drm/card@{int}/**/{,max_,actual_}brightness rw, - @{sys}/devices/@{pci}/drm/card@{int}/**/{uevent,type,enabled} r, - @{sys}/devices/@{pci}/drm/card@{int}/**/brightness rw, - @{sys}/devices/@{pci}/*_backlight/{,max_,actual_}brightness rw, - @{sys}/devices/@{pci}/*_backlight/{uevent,type,enabled} r, - /dev/tty rw, include if exists From 26c93b6e1bee36c03fa40abefe4817a71c57c593 Mon Sep 17 00:00:00 2001 From: Besanon Date: Fri, 29 Nov 2024 19:04:29 +0100 Subject: [PATCH 053/161] Update lxqt-config-powermanagement --- apparmor.d/groups/lxqt/lxqt-config-powermanagement | 10 ++++++++++ 1 file changed, 10 insertions(+) 
diff --git a/apparmor.d/groups/lxqt/lxqt-config-powermanagement b/apparmor.d/groups/lxqt/lxqt-config-powermanagement index 0406e1529..4b96ccb36 100644 --- a/apparmor.d/groups/lxqt/lxqt-config-powermanagement +++ b/apparmor.d/groups/lxqt/lxqt-config-powermanagement @@ -23,6 +23,16 @@ profile lxqt-config-powermanagement @{exec_path} { owner @{user_config_dirs}/lxqt/lxqt-powermanagement.conf.@{rand6} rw, owner @{user_config_dirs}/lxqt/lxqt-powermanagement.conf.@{rand6} l -> @{user_config_dirs}/lxqt/#@{int}, + @{sys}/class/leds/ r, + @{sys}/devices/@{pci}/backlight/**/{,max_,actual_}brightness rw, + @{sys}/devices/@{pci}/backlight/**/{uevent,type,enabled} r, + @{sys}/devices/@{pci}/backlight/**/brightness rw, + @{sys}/devices/@{pci}/drm/card@{int}/**/{,max_,actual_}brightness rw, + @{sys}/devices/@{pci}/drm/card@{int}/**/{uevent,type,enabled} r, + @{sys}/devices/@{pci}/drm/card@{int}/**/brightness rw, + @{sys}/devices/@{pci}/*_backlight/{,max_,actual_}brightness rw, + @{sys}/devices/@{pci}/*_backlight/{uevent,type,enabled} r, + owner /tmp/@{int} r, /dev/tty rw, From 12eb857f2ce6f7f6df46c6b8b1ac6dde1d1b9c4e Mon Sep 17 00:00:00 2001 From: Besanon Date: Sat, 14 Dec 2024 10:44:06 +0100 Subject: [PATCH 054/161] Create startlxqtwayland basic support for labwc --- apparmor.d/groups/lxqt/startlxqtwayland | 94 +++++++++++++++++++++++++ 1 file changed, 94 insertions(+) create mode 100644 apparmor.d/groups/lxqt/startlxqtwayland diff --git a/apparmor.d/groups/lxqt/startlxqtwayland b/apparmor.d/groups/lxqt/startlxqtwayland new file mode 100644 index 000000000..f9976d548 --- /dev/null +++ b/apparmor.d/groups/lxqt/startlxqtwayland 
@@ -0,0 +1,94 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023 Alexandre Pujol +# Copyright (C) 2024 Besanon +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/startlxqtwayland +profile startlxqtwayland @{exec_path} { + include + include + include + include + include + include + include + + signal (receive) set=(term) peer=sddm, + + @{exec_path} mr, + + @{bin}/cat rix, + @{bin}/cut rix, + @{bin}/cp rix, + @{bin}/dirname rix, + @{bin}/labwc rpx, + @{bin}/grep rix, + @{bin}/gawk rix, + @{bin}/mkdir rix, + @{sh_path} rix, + @{bin}/lxqt-session rPx, + @{bin}/systemd-detect-virt rPx, + @{bin}/systemctl rCx -> systemctl, + @{bin}/dbus-update-activation-environment rCx -> dbus, + + /usr/share/color-schemes/{,**} r, + /usr/share/desktop-directories/{,**} r, + /usr/share/icu/@{int}.@{int}/*.dat r, + /usr/share/kservices5/{,**} r, + /usr/share/mime/{,**} r, + + /etc/locale.alias r, + /etc/machine-id r, + /etc/xdg/menus/{,**} r, + + @{HOME}/ r, + owner @{HOME}/.Xauthority r, + + owner @{user_cache_dirs}/ rw, + owner @{user_cache_dirs}/#@{int} rw, + @{user_cache_dirs}/ksycoca5_* rwkl -> @{user_cache_dirs}/#@{int}, + + owner @{user_config_dirs}/#@{int} rw, + owner @{user_config_dirs}/labwc/ rw, + owner @{user_config_dirs}/labwc/** rw, + owner @{user_config_dirs}/lxqt/ rw, + owner @{user_config_dirs}/menus/{,**} r, + owner @{user_config_dirs}/lxqt/wayland/ rw, + + owner @{user_share_dirs}/kservices5/{,**} r, + owner @{user_share_dirs}/sddm/wayland-session.log rw, + owner @{user_share_dirs}/sddm/xorg-session.log rw, + + owner /tmp/#@{int} rw, + owner /tmp/startlxqt.@{rand6} rwl -> /tmp/#@{int}, + + owner @{run}/user/@{uid}/ r, + @{PROC}/sys/kernel/core_pattern r, + owner @{PROC}/@{pid}/maps r, + + /dev/tty rw, + /dev/tty@{int} rw, + + profile systemctl flags=(attach_disconnected) { + include + include + + include if exists + } + + profile dbus { + include + + @{bin}/dbus-update-activation-environment mr, + + owner 
@{HOME}/.xsession-errors w, + + include if exists + } +} + +# vim:syntax=apparmor From c6472638e8ca6476d5499b7d53dd068e2c915c4f Mon Sep 17 00:00:00 2001 From: Besanon Date: Sat, 14 Dec 2024 10:48:38 +0100 Subject: [PATCH 055/161] Create lxqt-notificationd --- apparmor.d/groups/lxqt/lxqt-notificationd | 56 +++++++++++++++++++++++ 1 file changed, 56 insertions(+) create mode 100644 apparmor.d/groups/lxqt/lxqt-notificationd diff --git a/apparmor.d/groups/lxqt/lxqt-notificationd b/apparmor.d/groups/lxqt/lxqt-notificationd new file mode 100644 index 000000000..6de782182 --- /dev/null +++ b/apparmor.d/groups/lxqt/lxqt-notificationd 
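Review bot: In the new startlxqtwayland profile, `@{user_cache_dirs}/ksycoca5_* rwkl -> @{user_cache_dirs}/#@{int},` and `@{HOME}/ r,` lack the `owner` qualifier that every neighbouring per-user rule carries. Unless that is deliberate, they should read `owner @{user_cache_dirs}/ksycoca5_* rwkl -> @{user_cache_dirs}/#@{int},` and `owner @{HOME}/ r,`. `@{bin}/labwc rpx,` uses the lowercase transition, which does not scrub the environment, while `@{bin}/lxqt-session rPx,` a few lines below and the sddm profile's `@{bin}/labwc rPx,` use the scrubbing form. I would make it `rPx`, or add a comment explaining why the compositor needs the unscrubbed environment.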
@@ -0,0 +1,56 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# Copyright (C) 2024 Besanon
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/lxqt-notificationd
+profile lxqt-notificationd @{exec_path} {
+ include
+ include
+ include
+ include
+
+ dbus receive
+ bus=session
+ path="/org/freedesktop/Notifications"
+ interface="org.freedesktop.DBus.Introspectable"
+ peer=(name=":[0-9]*.[0-9]*"),
+ dbus send
+ bus=session
+ path="/org/freedesktop/Notifications"
+ interface="org.freedesktop.Notifications"
+ peer=(name="org.freedesktop.DBus"),
+ dbus receive
+ bus=session
+ path="/org/freedesktop/Notifications"
+ interface="org.freedesktop.Notifications"
+ peer=(name=":[0-9]*.[0-9]*"),
+
+ @{exec_path} mr,
+
+ @{bin}/lxqt-config-notificationd rPx,
+
+ /etc/machine-id r,
+
+ owner @{user_cache_dirs}/lxqt-notificationd/ r,
+ owner @{user_cache_dirs}/lxqt-notificationd/#@{int} rwk,
+ owner @{user_cache_dirs}/lxqt-notificationd/unattended.list rw,
+ owner @{user_cache_dirs}/lxqt-notificationd/unattended.list l -> @{user_cache_dirs}/lxqt-notificationd/#@{int},
+ owner @{user_cache_dirs}/lxqt-notificationd/unattended.list.lock rwk,
+ owner @{user_cache_dirs}/lxqt-notificationd/unattended.list.@{rand6} rwkl -> @{user_cache_dirs}/lxqt-notificationd/#@{int},
+
+ owner /tmp/@{int} r,
+ owner /tmp/falkon-@{rand6}/falkon_notif.png r,
+
+ /dev/tty rw,
+ /dev/tty@{int} rw,
+ owner /dev/tty@{int} rw,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
From 557d804974c60f62a6134b8901be70d5d76a730d Mon Sep 17 00:00:00 2001
From: Besanon
Date: Sat, 14 Dec 2024 10:49:29 +0100
Subject: [PATCH 056/161] Update startlxqtwayland
---
 apparmor.d/groups/lxqt/startlxqtwayland | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/apparmor.d/groups/lxqt/startlxqtwayland b/apparmor.d/groups/lxqt/startlxqtwayland
index f9976d548..b461ddf32 100644
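Review bot: Near the end of the new lxqt-notificationd profile, `/dev/tty@{int} rw,` is immediately followed by `owner /dev/tty@{int} rw,`, and the unqualified rule makes the owner-restricted one ineffective. A notification daemon presumably needs at most its own terminal, so keeping only `owner /dev/tty@{int} rw,` is the narrower choice. The same pair is carried unchanged through the re-indent of this file in PATCH 064.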
+++ b/apparmor.d/groups/lxqt/startlxqtwayland @@ -77,7 +77,7 @@ profile startlxqtwayland @{exec_path} { include include - include if exists + include if exists } profile dbus { @@ -87,7 +87,7 @@ profile startlxqtwayland @{exec_path} { owner @{HOME}/.xsession-errors w, - include if exists + include if exists } } From f7e8a5e2257feb843d8ba0a97d33f76d417b9fe8 Mon Sep 17 00:00:00 2001 From: Besanon Date: Sat, 14 Dec 2024 10:54:23 +0100 Subject: [PATCH 057/161] Create lxqt-config-brightness --- apparmor.d/groups/lxqt/lxqt-config-brightness | 33 +++++++++++++++++++ 1 file changed, 33 insertions(+) create mode 100644 apparmor.d/groups/lxqt/lxqt-config-brightness diff --git a/apparmor.d/groups/lxqt/lxqt-config-brightness b/apparmor.d/groups/lxqt/lxqt-config-brightness new file mode 100644 index 000000000..24147bc2f --- /dev/null +++ b/apparmor.d/groups/lxqt/lxqt-config-brightness @@ -0,0 +1,33 @@ + apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# Copyright (C) 2024 Besanon +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/lxqt-config-brightness +profile lxqt-config-brightness @{exec_path} { + include + include + + @{exec_path} mr, + @{bin}/pkexec rpx, + + @{sh_path} rix, + + owner @{HOME}/ r, + + owner /tmp/@{int} r, + + @{sys}/class/backlight/ r, + @{sys}/devices/@{pci}/**/**/drm/card@{int}/card@{int}-eDP-@{int}/amdgpu_bl@{int}/* rw, + @{sys}/devices/@{pci}/**/drm/card@{int}/card@{int}-eDP-@{int}/intel_backlight/* rw, + + /dev/tty rw, + + include if exists +} + +# vim:syntax=apparmor From 75e824d43ec839a94ad58c0a5512bf16d097cbd8 Mon Sep 17 00:00:00 2001 From: Besanon Date: Sat, 14 Dec 2024 10:59:24 +0100 Subject: [PATCH 058/161] Update startlxqtwayland --- apparmor.d/groups/lxqt/startlxqtwayland | 2 ++ 1 file changed, 2 insertions(+) diff --git a/apparmor.d/groups/lxqt/startlxqtwayland b/apparmor.d/groups/lxqt/startlxqtwayland index b461ddf32..387d7cdbe 100644 
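Review bot: In the new lxqt-config-brightness profile (PATCH 057), both backlight rules end in `/* rw,`, which allows writing every attribute under the `amdgpu_bl@{int}` and `intel_backlight` directories although `brightness` is the only one a brightness tool sets. Changing those two rules to `/* r,` and adding `@{sys}/devices/@{pci}/**/drm/card@{int}/card@{int}-eDP-@{int}/intel_backlight/brightness rw,` (plus the amdgpu equivalent) keeps write access to that single file; if the write is actually done by the helper started through pkexec, read access may be all this profile needs. `@{bin}/pkexec rpx,` also uses lowercase `px`, so the environment is not scrubbed on the transition; `@{bin}/pkexec rPx,` would match the other profile transitions in this group.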
--- a/apparmor.d/groups/lxqt/startlxqtwayland +++ b/apparmor.d/groups/lxqt/startlxqtwayland @@ -89,6 +89,8 @@ profile startlxqtwayland @{exec_path} { include if exists } + +include if exists } # vim:syntax=apparmor From d4e4f3eec9c1c6b644b75fcd0ad9a1ff05d40b7d Mon Sep 17 00:00:00 2001 From: Besanon Date: Sat, 14 Dec 2024 11:01:41 +0100 Subject: [PATCH 059/161] Update startlxqtwayland --- apparmor.d/groups/lxqt/startlxqtwayland | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/apparmor.d/groups/lxqt/startlxqtwayland b/apparmor.d/groups/lxqt/startlxqtwayland index 387d7cdbe..bae481ea9 100644 --- a/apparmor.d/groups/lxqt/startlxqtwayland +++ b/apparmor.d/groups/lxqt/startlxqtwayland @@ -73,6 +73,8 @@ profile startlxqtwayland @{exec_path} { /dev/tty rw, /dev/tty@{int} rw, + include if exists + profile systemctl flags=(attach_disconnected) { include include @@ -89,8 +91,6 @@ profile startlxqtwayland @{exec_path} { include if exists } - -include if exists } # vim:syntax=apparmor From 3643618145282202a5b6152a84cdaf1aa5345a90 Mon Sep 17 00:00:00 2001 From: Besanon Date: Sat, 14 Dec 2024 11:07:02 +0100 Subject: [PATCH 060/161] Update lxqt-config-brightness --- apparmor.d/groups/lxqt/lxqt-config-brightness | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/lxqt/lxqt-config-brightness b/apparmor.d/groups/lxqt/lxqt-config-brightness index 24147bc2f..5ec1aafe8 100644 --- a/apparmor.d/groups/lxqt/lxqt-config-brightness +++ b/apparmor.d/groups/lxqt/lxqt-config-brightness @@ -1,4 +1,4 @@ - apparmor.d - Full set of apparmor profiles +# apparmor.d - Full set of apparmor profiles # Copyright (C) 2024 Alexandre Pujol # Copyright (C) 2024 Besanon # SPDX-License-Identifier: GPL-2.0-only From fe7ce759e20daf6e3c6f150e30dfc6128beccda0 Mon Sep 17 00:00:00 2001 From: Besanon Date: Sat, 14 Dec 2024 11:08:50 +0100 Subject: [PATCH 061/161] Update lxqt-config-notificationd From 40cbf01c64373c45ec6443f77c4866b9014d5ba9 Mon Sep 17 00:00:00 2001 
From: Besanon Date: Sat, 14 Dec 2024 11:11:27 +0100 Subject: [PATCH 062/161] Update lxqt-config-notificationd --- apparmor.d/groups/lxqt/lxqt-config-notificationd | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/lxqt/lxqt-config-notificationd b/apparmor.d/groups/lxqt/lxqt-config-notificationd index 63b2eb673..6fae1d785 100644 --- a/apparmor.d/groups/lxqt/lxqt-config-notificationd +++ b/apparmor.d/groups/lxqt/lxqt-config-notificationd @@ -28,7 +28,7 @@ profile lxqt-config-notificationd @{exec_path} { /dev/tty rw, - include if exists + include if exists } # vim:syntax=apparmor From 9e0d84a028e7c3e4b0bc9c2bc8d0be277968e8bc Mon Sep 17 00:00:00 2001 From: Besanon Date: Sat, 14 Dec 2024 11:13:07 +0100 Subject: [PATCH 063/161] Update lxqt-config-notificationd --- apparmor.d/groups/lxqt/lxqt-config-notificationd | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/lxqt/lxqt-config-notificationd b/apparmor.d/groups/lxqt/lxqt-config-notificationd index 6fae1d785..63b2eb673 100644 --- a/apparmor.d/groups/lxqt/lxqt-config-notificationd +++ b/apparmor.d/groups/lxqt/lxqt-config-notificationd @@ -28,7 +28,7 @@ profile lxqt-config-notificationd @{exec_path} { /dev/tty rw, - include if exists + include if exists } # vim:syntax=apparmor From 113856a40e1e2b31db7e75fb294a0f7cd7bcccf8 Mon Sep 17 00:00:00 2001 From: Besanon Date: Sat, 14 Dec 2024 11:17:20 +0100 Subject: [PATCH 064/161] Update lxqt-notificationd --- apparmor.d/groups/lxqt/lxqt-notificationd | 31 +++++++++++------------ 1 file changed, 15 insertions(+), 16 deletions(-) diff --git a/apparmor.d/groups/lxqt/lxqt-notificationd b/apparmor.d/groups/lxqt/lxqt-notificationd index 6de782182..9714c3615 100644 --- a/apparmor.d/groups/lxqt/lxqt-notificationd +++ b/apparmor.d/groups/lxqt/lxqt-notificationd 
@@ -30,27 +30,26 @@ profile lxqt-notificationd @{exec_path} { interface="org.freedesktop.Notifications" peer=(name=":[0-9]*.[0-9]*"), - @{exec_path} mr, + @{exec_path} mr, - @{bin}/lxqt-config-notificationd rPx, + @{bin}/lxqt-config-notificationd rPx, - /etc/machine-id r, + /etc/machine-id r, - owner @{user_cache_dirs}/lxqt-notificationd/ r, - owner @{user_cache_dirs}/lxqt-notificationd/#@{int} rwk, - owner @{user_cache_dirs}/lxqt-notificationd/unattended.list rw, - owner @{user_cache_dirs}/lxqt-notificationd/unattended.list l -> @{user_cache_dirs}/lxqt-notificationd/#@{int}, - owner @{user_cache_dirs}/lxqt-notificationd/unattended.list.lock rwk, - owner @{user_cache_dirs}/lxqt-notificationd/unattended.list.@{rand6} rwkl -> @{user_cache_dirs}/lxqt-notificationd/#@{int}, + owner @{user_cache_dirs}/lxqt-notificationd/ r, + owner @{user_cache_dirs}/lxqt-notificationd/#@{int} rwk, + owner @{user_cache_dirs}/lxqt-notificationd/unattended.list rw, + owner @{user_cache_dirs}/lxqt-notificationd/unattended.list l -> @{user_cache_dirs}/lxqt-notificationd/#@{int}, + owner @{user_cache_dirs}/lxqt-notificationd/unattended.list.lock rwk, + owner @{user_cache_dirs}/lxqt-notificationd/unattended.list.@{rand6} rwkl -> @{user_cache_dirs}/lxqt-notificationd/#@{int}, - owner /tmp/@{int} r, - owner /tmp/falkon-@{rand6}/falkon_notif.png r, + owner /tmp/@{int} r, + + /dev/tty rw, + /dev/tty@{int} rw, + owner /dev/tty@{int} rw, - /dev/tty rw, - /dev/tty@{int} rw, - owner /dev/tty@{int} rw, - - include if exists + include if exists } # vim:syntax=apparmor From b311245e4e25db05c34722ef7882a3699cda3210 Mon Sep 17 00:00:00 2001 From: Besanon Date: Sat, 14 Dec 2024 11:18:51 +0100 Subject: [PATCH 065/161] Update lxqt-notificationd --- apparmor.d/groups/lxqt/lxqt-notificationd | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/lxqt/lxqt-notificationd b/apparmor.d/groups/lxqt/lxqt-notificationd index 9714c3615..0669b8c86 100644 
--- a/apparmor.d/groups/lxqt/lxqt-notificationd +++ b/apparmor.d/groups/lxqt/lxqt-notificationd @@ -44,7 +44,7 @@ profile lxqt-notificationd @{exec_path} { owner @{user_cache_dirs}/lxqt-notificationd/unattended.list.@{rand6} rwkl -> @{user_cache_dirs}/lxqt-notificationd/#@{int}, owner /tmp/@{int} r, - + /dev/tty rw, /dev/tty@{int} rw, owner /dev/tty@{int} rw, From 91c27251472959d7b7fe53c572f3b8fa5734e590 Mon Sep 17 00:00:00 2001 From: Besanon Date: Sat, 14 Dec 2024 14:22:30 +0100 Subject: [PATCH 066/161] Update labwc for use with lxqt --- apparmor.d/profiles-g-l/labwc | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/apparmor.d/profiles-g-l/labwc b/apparmor.d/profiles-g-l/labwc index 93234bf52..ac1b7a8ae 100644 --- a/apparmor.d/profiles-g-l/labwc +++ b/apparmor.d/profiles-g-l/labwc @@ -17,6 +17,8 @@ profile labwc @{exec_path} flags=(attach_disconnected) { include include + signal (receive) set=term peer=sddm, + network netlink raw, @{exec_path} mr, @@ -27,11 +29,16 @@ profile labwc @{exec_path} flags=(attach_disconnected) { /usr/share/libinput/ r, /usr/share/libinput/*.quirks r, + /usr/share/themes/**/themerc r, + /usr/share/themes/Vent/openbox-3/*.xbm r, + /usr/share/X11/xkb/** r, owner @{user_config_dirs}/labwc/ r, owner @{user_config_dirs}/labwc/* r, + owner @{user_config_dirs}/lxqt/wayland/ rw, owner /dev/shm/wayland.mozilla.ipc.@{int} rw, + owner /dev/shm/wlroots-@{rand6} rw, @{sys}/class/drm/ r, @{sys}/class/input/ r, From 78b3dffe90f073c10dbf20fbe2482ad730ed0d0e Mon Sep 17 00:00:00 2001 From: Besanon Date: Tue, 12 Aug 2025 13:48:05 +0200 Subject: [PATCH 067/161] Create ControlPanel --- apparmor.d/groups/lxqt/ControlPanel | 38 +++++++++++++++++++++++++++++ 1 file changed, 38 insertions(+) create mode 100644 apparmor.d/groups/lxqt/ControlPanel diff --git a/apparmor.d/groups/lxqt/ControlPanel b/apparmor.d/groups/lxqt/ControlPanel new file mode 100644 index 000000000..fac3a6031 --- /dev/null +++ b/apparmor.d/groups/lxqt/ControlPanel 
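Review bot: In the second labwc hunk (PATCH 066), `owner @{user_config_dirs}/lxqt/wayland/ rw,` gives the compositor write access to a directory while its own `@{user_config_dirs}/labwc/` rules stay read-only, and because the path ends in `/` it matches the directory itself, not the files inside it. If labwc only reads the configuration placed there, `owner @{user_config_dirs}/lxqt/wayland/{,**} r,` would fit the existing pattern and actually cover the files. `/usr/share/themes/Vent/openbox-3/*.xbm r,` hard-codes one theme name; `/usr/share/themes/*/openbox-3/*.xbm r,` covers whichever theme is selected. The profile body starts and ends outside both hunks.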
@@ -0,0 +1,38 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# Copyright (C) 2025 Besanon +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/ControlPanel +profile ControlPanel @{exec_path} { + include + include + include + include + include + + @{exec_path} mr, + + /usr/share/desktop-directories/lxqt-* r, + + /etc/xdg/menus/lxqt-config.menu r, + + # only for xfe file manager: + owner @{HOME}/.foxrc/ rw, + owner @{HOME}/.foxrc/Desktop rw, + + owner @{user_config_dirs}/lxqt/lxqt-config.conf.lock rwk, + + owner /tmp/@{int} r, + + /dev/pts/@{int} rw, + /dev/tty rw, + + include if exists +} + +# vim:syntax=apparmor From 6968b49225314c7eb0c52477fb2ba9b7f136426c Mon Sep 17 00:00:00 2001 From: Besanon Date: Tue, 12 Aug 2025 13:49:48 +0200 Subject: [PATCH 068/161] Update lxqt-about --- apparmor.d/groups/lxqt/lxqt-about | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/groups/lxqt/lxqt-about b/apparmor.d/groups/lxqt/lxqt-about index 8f5830453..7f69b8e2f 100644 --- a/apparmor.d/groups/lxqt/lxqt-about +++ b/apparmor.d/groups/lxqt/lxqt-about @@ -21,6 +21,7 @@ profile lxqt-about @{exec_path} { owner /tmp/@{int} r, /dev/tty rw, + owner /dev/pts/@{int} rw, include if exists } From b3942b1cbb31b14f42546e37d5c283771f224e09 Mon Sep 17 00:00:00 2001 From: Besanon Date: Tue, 12 Aug 2025 13:51:53 +0200 Subject: [PATCH 069/161] Create lxqt-backlight_backend --- apparmor.d/groups/lxqt/lxqt-backlight_backend | 38 +++++++++++++++++++ 1 file changed, 38 insertions(+) create mode 100644 apparmor.d/groups/lxqt/lxqt-backlight_backend diff --git a/apparmor.d/groups/lxqt/lxqt-backlight_backend b/apparmor.d/groups/lxqt/lxqt-backlight_backend new file mode 100644 index 000000000..f2c976372 --- /dev/null +++ b/apparmor.d/groups/lxqt/lxqt-backlight_backend 
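Review bot: In the new ControlPanel profile, `/dev/pts/@{int} rw,` is not owner-restricted, so the policy allows read and write on any pseudo-terminal and leaves file permissions as the only thing keeping it off other users' terminals. The lxqt-about change that follows on this line adds the same access as `owner /dev/pts/@{int} rw,`, and that form should be used here as well. The comment `# only for xfe file manager:` does not say why this profile needs write access under `@{HOME}/.foxrc/`; one more sentence naming what triggers it would help whoever audits the rule later.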
@@ -0,0 +1,38 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# Copyright (C) 2024 Besanon
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/lxqt-backlight_backend
+profile lxqt-backlight_backend @{exec_path} {
+ include
+ include
+ include
+ include
+
+ @{exec_path} mr,
+
+ @{user_share_dirs}/sddm/xorg-session.log w,
+
+ @{sys}/class/backlight/ r,
+ @{sys}/devices/@{pci_bus}/0000:00:02.0/drm/card@{int}/card@{int}-eDP-@{int}/intel_backlight/ r,
+ @{sys}/devices/@{pci_bus}/0000:00:02.0/drm/card@{int}/card@{int}-eDP-@{int}/intel_backlight/max_brightness r,
+ @{sys}/devices/@{pci_bus}/0000:00:02.0/drm/card@{int}/card@{int}-eDP-@{int}/intel_backlight/bl_power r,
+ @{sys}/devices/@{pci_bus}/0000:00:02.0/drm/card@{int}/card@{int}-eDP-@{int}/intel_backlight/actual_brightness r,
+ @{sys}/devices/@{pci_bus}/**/**/drm/card@{int}/card@{int}-eDP-1/amdgpu_bl@{int}/* r,
+ owner @{sys}/devices/@{pci}/**/card@{int}/card@{int}-eDP-1/intel_backlight/type r,
+ owner @{sys}/devices/@{pci_bus}/0000:00:02.0/drm/card@{int}/card@{int}-eDP-@{int}/intel_backlight/brightness rw,
+ owner @{sys}/devices/@{pci_bus}/**/**/drm/card@{int}/card@{int}-eDP-1/amdgpu_bl@{int}/brightness rw,
+
+ owner /tmp/@{int} r,
+
+ /dev/tty rw,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
From 71180ac2c78a24d241bbddebe8794ff60c45cb2e Mon Sep 17 00:00:00 2001
From: Besanon
Date: Tue, 12 Aug 2025 13:53:42 +0200
Subject: [PATCH 070/161] Create lxqt-config
---
 apparmor.d/groups/lxqt/lxqt-config | 67 ++++++++++++++++++++++++++++++
 1 file changed, 67 insertions(+)
 create mode 100644 apparmor.d/groups/lxqt/lxqt-config
diff --git a/apparmor.d/groups/lxqt/lxqt-config b/apparmor.d/groups/lxqt/lxqt-config
new file mode 100644
index 000000000..e034e3e9b
--- /dev/null
+++ b/apparmor.d/groups/lxqt/lxqt-config
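Review bot: Most intel_backlight rules in lxqt-backlight_backend pin the device to `0000:00:02.0` and the amdgpu rules to `eDP-1`, so the profile only fits machines laid out like the one it was recorded on; lxqt-config-brightness in this series already matches the same nodes with `@{pci}/**` and `eDP-@{int}`. A read rule such as `@{sys}/devices/@{pci}/**/drm/card@{int}/card@{int}-eDP-@{int}/{intel_backlight,amdgpu_bl@{int}}/{,*} r,` together with one rule ending in `/brightness rw,` would replace the per-attribute lines. `@{user_share_dirs}/sddm/xorg-session.log w,` has no `owner`; if that is deliberate because the backend runs as another user, a comment saying so would make the intent auditable.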
@@ -0,0 +1,67 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# Copyright (C) 2024 Besanon
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/lxqt-config
+profile lxqt-config @{exec_path} {
+ include
+ include
+ include
+ include
+ include
+ include
+
+ @{exec_path} mr,
+
+ owner @{user_config_dirs}/qt6ct/qt6ct.conf rw,
+
+ @{bin}/lxqt-admin-user rPx,
+ @{bin}/ibus-setup rPx,
+ @{bin}/lxqt-config-monitor rPx,
+ @{bin}/pcmanfm-qt rPx,
+ @{bin}/lxqt-admin-time rPx,
+ @{bin}/lxqt-config-input rPx,
+ @{bin}/lxqt-config-locale rPx,
+ @{bin}/lxqt-config-brightness rPx,
+ @{bin}/lxqt-config-session rPx,
+ @{bin}/lxqt-config-file-associations rPx,
+ @{bin}/lxqt-config-powermanagement rPx,
+ @{bin}/lxqt-config-appearance rPx,
+ @{bin}/lxqt-config-globalkeyshortcuts rPx,
+ @{bin}/lxqt-config-notificationd rPx,
+ @{bin}/obconf-qt rPx,
+ @{bin}/nm-connection-editor rPx,
+ @{bin}/pavucontrol rPx,
+ @{bin}/pavucontrol-qt rPx,
+ @{bin}/system-config-printer rPx,
+ @{bin}/nm-connection-editor rPx,
+ @{bin}/ControlPanel rPx,
+ @{bin}/qt6ct rix,
+ @{bin}/xdg-open rPx,
+
+ /usr/share/desktop-directories/lxqt-* r,
+
+ /etc/xdg/menus/lxqt-config.menu r,
+
+ owner @{user_config_dirs}/lxqt/ r,
+ owner @{user_config_dirs}/lxqt/#@{int} rw,
+ owner @{user_config_dirs}/lxqt/lxqt-config.conf.lock rwk,
+ owner @{user_config_dirs}/lxqt/lxqt-config.conf.@{rand6} rwl -> @{user_config_dirs}/lxqt/#@{int8}7,
+ owner @{user_config_dirs}/lxqt/lxqt-config.conf.@{rand6} rwl -> @{user_config_dirs}/lxqt/#@{int8}2,
+ owner @{user_config_dirs}/qt6ct/qt6ct.conf.@{rand6} rwl -> @{user_config_dirs}/qt6ct/#@{int},
+ owner @{user_config_dirs}/qt6ct/qt6ct.conf.lock rwk,
+ owner @{user_config_dirs}/qt6ct/#@{int} rw,
+
+ owner /tmp/@{int} r,
+
+ /dev/tty rw,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
From c44ef69ea2c1b064347338c094c96f32a2a3a4f8 Mon Sep 17 00:00:00 2001
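Review bot: The two `lxqt-config.conf.@{rand6}` rules in lxqt-config link to `#@{int8}7` and `#@{int8}2`, which looks like two logged temporary-file names copied with their last digit left in, so a save whose anonymous file ends in any other digit will be denied. A single `owner @{user_config_dirs}/lxqt/lxqt-config.conf.@{rand6} rwl -> @{user_config_dirs}/lxqt/#@{int},` would replace both and match the qt6ct rule below them. `@{bin}/nm-connection-editor rPx,` is also listed twice in the exec block.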
From: Besanon
Date: Tue, 12 Aug 2025 13:55:00 +0200
Subject: [PATCH 071/161] Create lxqt-config-appearance
---
 apparmor.d/groups/lxqt/lxqt-config-appearance | 51 +++++++++++++++++++
 1 file changed, 51 insertions(+)
 create mode 100644 apparmor.d/groups/lxqt/lxqt-config-appearance
diff --git a/apparmor.d/groups/lxqt/lxqt-config-appearance b/apparmor.d/groups/lxqt/lxqt-config-appearance
new file mode 100644
index 000000000..8918ea79b
--- /dev/null
+++ b/apparmor.d/groups/lxqt/lxqt-config-appearance
@@ -0,0 +1,51 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# Copyright (C) 2024 Besanon
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/lxqt-config-appearance
+profile lxqt-config-appearance @{exec_path} {
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+
+ @{exec_path} mr,
+
+ @{bin}/gsettings rPx,
+ @{bin}/pcmanfm-qt rPx,
+ @{bin}/xsettingsd rPx,
+
+ owner @{HOME}/.gtkrc-2.0 rw,
+ owner @{HOME}/.icons/default/index.theme rw,
+ owner @{HOME}/.Xdefaults rw,
+ owner @{HOME}/.Xresources rw,
+
+ owner @{user_config_dirs}/gtk-3.0/settings.ini rw,
+ owner @{user_config_dirs}/lxqt/ r,
+ owner @{user_config_dirs}/lxqt/#@{int} rwk,
+ owner @{user_config_dirs}/lxqt/session.conf.lock rwk,
+ owner @{user_config_dirs}/lxqt/lxqt.conf.lock rwk,
+ owner @{user_config_dirs}/lxqt/lxqt.conf.@{rand6} rw,
+ owner @{user_config_dirs}/lxqt/lxqt.conf.@{rand6} l -> @{user_config_dirs}/lxqt/#*,
+ owner @{user_config_dirs}/lxqt/lxqt-config-appearance.conf.lock rwk,
+ owner @{user_config_dirs}/lxqt/lxqt-config-appearance.conf.@{rand6} rw,
+ owner @{user_config_dirs}/lxqt/lxqt-config-appearance.conf.@{rand6} l -> @{user_config_dirs}/lxqt/#@{int},
+ owner @{user_config_dirs}/pcmanfm-qt/lxqt/settings.conf r,
+
+ owner /tmp/#@{int} rw,
+ owner /tmp/lxqt-config-appearance.@{rand6} rwl -> /tmp/#@{int},
+
+ /dev/tty rw,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
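Review bot: In lxqt-config-appearance the link rule for `lxqt.conf.@{rand6}` targets `@{user_config_dirs}/lxqt/#*`, while the other link rule in the same block targets `#@{int}`; the wildcard accepts any name that begins with `#`, not just the numbered anonymous files. `owner @{user_config_dirs}/lxqt/lxqt.conf.@{rand6} l -> @{user_config_dirs}/lxqt/#@{int},` keeps the two consistent. The same `#*` target appears in lxqt-config-monitor (PATCH 074).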
From 19109b119672d1ed0a6250b12c9f77f14ef1cbfb Mon Sep 17 00:00:00 2001
From: Besanon
Date: Tue, 12 Aug 2025 13:56:22 +0200
Subject: [PATCH 072/161] Create lxqt-config-globalkeyshortcuts
---
 .../lxqt/lxqt-config-globalkeyshortcuts | 32 +++++++++++++++++++
 1 file changed, 32 insertions(+)
 create mode 100644 apparmor.d/groups/lxqt/lxqt-config-globalkeyshortcuts
diff --git a/apparmor.d/groups/lxqt/lxqt-config-globalkeyshortcuts b/apparmor.d/groups/lxqt/lxqt-config-globalkeyshortcuts
new file mode 100644
index 000000000..7a098cbe6
--- /dev/null
+++ b/apparmor.d/groups/lxqt/lxqt-config-globalkeyshortcuts
@@ -0,0 +1,32 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# Copyright (C) 2024 Besanon
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/lxqt-config-globalkeyshortcuts
+profile lxqt-config-globalkeyshortcuts @{exec_path} {
+ include
+ include
+ include
+ include
+ include
+ include
+
+ @{exec_path} mr,
+
+ owner @{user_config_dirs}/lxqt/lxqt* rwkl -> @{user_config_dirs}/lxqt/#@{int},
+ owner @{user_config_dirs}/lxqt/globalkeyshortcuts.conf.lock rwk,
+ owner @{user_config_dirs}/lxqt/#@{int} rw,
+
+ owner /tmp/@{int} r,
+
+ /dev/tty rw,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
From f4c2354a25237cbda88f4eceb9362b8f6a23fbcc Mon Sep 17 00:00:00 2001
From: Besanon
Date: Tue, 12 Aug 2025 13:58:22 +0200
Subject: [PATCH 073/161] Create lxqt-config-input
---
 apparmor.d/groups/lxqt/lxqt-config-input | 104 +++++++++++++++++++++++
 1 file changed, 104 insertions(+)
 create mode 100644 apparmor.d/groups/lxqt/lxqt-config-input
diff --git a/apparmor.d/groups/lxqt/lxqt-config-input b/apparmor.d/groups/lxqt/lxqt-config-input
new file mode 100644
index 000000000..6888e7c1c
--- /dev/null
+++ b/apparmor.d/groups/lxqt/lxqt-config-input
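Review bot: `owner @{user_config_dirs}/lxqt/lxqt* rwkl -> @{user_config_dirs}/lxqt/#@{int},` in lxqt-config-globalkeyshortcuts matches every LXQt settings file whose name starts with `lxqt`, yet not `globalkeyshortcuts.conf`, the file whose `.lock` is allowed on the next line. If that is the file this tool saves (an inference from the lock rule), the rule is better written as `owner @{user_config_dirs}/lxqt/globalkeyshortcuts.conf{,.@{rand6}} rwl -> @{user_config_dirs}/lxqt/#@{int},`. A separate narrow rule for `lxqt.conf` can be added if the denial logs show it is needed.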
@@ -0,0 +1,104 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# Copyright (C) 2024 Besanon
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/lxqt-config-input
+profile lxqt-config-input @{exec_path} {
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+
+ signal (read) set=(kill,term) peer=lxqt-session,
+
+ @{exec_path} mr,
+
+ @{bin}/setxkbmap rix,
+
+ /etc/udev/udev.conf r,
+
+ owner @{user_config_dirs}/lxqt/lxqt.conf.@{rand6} l -> @{user_config_dirs}/lxqt/#@{int},
+ owner @{user_config_dirs}/lxqt/lxqt.conf.@{rand6} rw,
+ owner @{user_config_dirs}/lxqt/session.conf.@{rand6} l -> @{user_config_dirs}/lxqt/#@{int},
+ owner @{user_config_dirs}/lxqt/session.conf.@{rand6} rw,
+ owner @{user_config_dirs}/lxqt/lxqt.conf.lock rwk,
+ owner @{user_config_dirs}/lxqt/lxqt-config-input.conf.lock rwk,
+ owner @{user_config_dirs}/lxqt/lxqt-config-input.conf.@{rand6} rwkl -> @{user_config_dirs}/lxqt/#@{int},
+ owner @{user_config_dirs}/lxqt/#@{int} rwk,
+ owner @{user_config_dirs}/lxqt/session.conf.lock rwk,
+ owner @{user_config_dirs}/lxqt/lxqt-config-input.conf rwl -> @{user_config_dirs}/lxqt/#@{int},
+
+ owner /tmp/@{int} r,
+
+ @{run}/udev/data/c@{int}:* r,
+ @{run}/udev/data/b@{int}:* r,
+ @{run}/udev/data/+sound:card@{int} r,
+ @{run}/udev/data/+bluetooth:* r,
+ @{run}/udev/data/+platform:* r,
+ @{run}/udev/data/+acpi:* r,
+ @{run}/udev/data/+i2c:* r,
+ @{run}/udev/data/+backlight:* r,
+ @{run}/udev/data/+leds:* r,
+ @{run}/udev/data/n@{int} r,
+ @{run}/udev/data/+input:* r,
+ @{run}/udev/data/+dmi:* r,
+ @{run}/udev/data/+drm:* r,
+ @{run}/udev/data/+pci:* r,
+ @{run}/udev/data/+rfkill:* r,
+
+ @{sys}/bus/**/devices/ r, # ALL under /sys/bus/* is asked for read
+ @{sys}/class/**/ r, # ALL but usbmisc under /sys/class is being read
+ @{sys}/devices/**/uevent r,
+ @{sys}/devices/platform/**/uevent r,
+ @{sys}/devices/platform/cpu/**/uevent r,
+ @{sys}/devices/system/machinecheck/**/uevent r,
+ @{sys}/devices/pnp@{int}/**/uevent r,
+ @{sys}/devices/system/clockevents/clockevent@{int}/uevent r,
+ @{sys}/devices/system/cpu/cpu@{int}/uevent r,
+ @{sys}/devices/system/memory/memory@{int}/uevent r,
+ @{sys}/devices/virtual/devlink/**/uevent r,
+ @{sys}/devices/virtual/mem/**/uevent r,
+ @{sys}/devices/virtual/bdi/@{int}:@{int}/uevent r,
+ @{sys}/devices/virtual/block/loop@{int}/uevent r,
+ @{sys}/devices/virtual/input/**/uevent r,
+ @{sys}/devices/virtual/memory_tiering/memory_tier@{int}/uevent r,
+ @{sys}/devices/virtual/misc/**/uevent r,
+ @{sys}/devices/virtual/sound/seq/uevent r,
+ @{sys}/devices/virtual/sound/timer/uevent r,
+ @{sys}/devices/virtual/sound/ctl-led/uevent r,
+ @{sys}/devices/virtual/thermal/thermal_zone@{int}/uevent r,
+ @{sys}/devices/virtual/thermal/cooling_device@{int}/uevent r,
+ @{sys}/devices/virtual/tty/**/uevent r,
+ @{sys}/devices/virtual/vc/vcsu@{int}/uevent r,
+ @{sys}/devices/virtual/vc/vcsa@{int}/uevent r,
+ @{sys}/devices/virtual/vc/vcs@{int}/uevent r,
+ @{sys}/devices/LNXSYSTM:00/PNP*/uevent r,
+ @{sys}/devices/LNXSYSTM:00/LNXSYBUS:@{rand2}/LNXTHERM:@{rand2}/uevent r,
+ @{sys}/devices/LNXSYSTM:00/LNXSYBUS:00/PNP*/PNP*/uevent r,
+ @{sys}/devices/LNXSYSTM:00/LNXSYBUS:00/HPIC*/uevent r,
+ @{sys}/devices/LNXSYSTM:00/LNXSYBUS:@{rand2}/PNP*/device*/device*/device*/uevent r,
+ @{sys}/devices/LNXSYSTM:00/LNXSYBUS:@{rand2}/PNP*/device*/device*/device*/device*/uevent r,
+ @{sys}/devices/LNXSYSTM:00/LNXSYBUS:@{rand2}/AMDI*/**/wakeup@{int}/uevent r,
+ @{sys}/devices/LNXSYSTM:00/LNXSYBUS:@{rand2}/PNP*/uevent r,
+ @{sys}/devices/LNXSYSTM:00/LNXSYBUS:@{rand2}/PNP*/**/wakeup/wakeup@{int}/uevent r,
+
+ /dev/tty rw,
+
+ deny @{sys}/class/usbmisc/ r,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
From f6dca084c08064e62769e954e98f17febd21d9e9 Mon Sep 17 00:00:00 2001
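Review bot: `@{sys}/devices/**/uevent r,` in lxqt-config-input already matches every path in the more specific `@{sys}/devices/…/uevent r,` rules listed after it, so those lines add nothing and hide how wide the access really is. Either keep the one broad rule with a comment such as `# udev enumeration walks every device node`, or drop it and keep the specific list as the actual allow-set. `deny @{sys}/class/usbmisc/ r,` would also be easier to audit if it sat directly under the `@{sys}/class/**/ r,` rule it carves an exception from.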
From: Besanon
Date: Tue, 12 Aug 2025 13:59:57 +0200
Subject: [PATCH 074/161] Create lxqt-config-monitor
---
 apparmor.d/groups/lxqt/lxqt-config-monitor | 42 ++++++++++++++++++++++
 1 file changed, 42 insertions(+)
 create mode 100644 apparmor.d/groups/lxqt/lxqt-config-monitor
diff --git a/apparmor.d/groups/lxqt/lxqt-config-monitor b/apparmor.d/groups/lxqt/lxqt-config-monitor
new file mode 100644
index 000000000..8545b3c8c
--- /dev/null
+++ b/apparmor.d/groups/lxqt/lxqt-config-monitor
@@ -0,0 +1,42 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# Copyright (C) 2024 Besanon
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/lxqt-config-monitor
+profile lxqt-config-monitor @{exec_path} {
+ include
+ include
+ include
+ include
+ include
+
+ signal (read) set=(kill,term) peer=lxqt-session,
+
+ @{exec_path} mr,
+
+ /var/cache/fontconfig/{,**} rw,
+
+ owner @{user_config_dirs}/autostart/lxqt-config-monitor-autostart.desktop rw,
+ owner @{user_config_dirs}/lxqt/ r,
+ owner @{user_config_dirs}/lxqt/#@{int} rwk,
+ owner @{user_config_dirs}/lxqt/lxqt.conf.lock rwk,
+ owner @{user_config_dirs}/lxqt/lxqt.conf.@{rand6} rw,
+ owner @{user_config_dirs}/lxqt/lxqt.conf.@{rand6} l -> @{user_config_dirs}/lxqt/#*,
+ owner @{user_config_dirs}/lxqt/lxqt-config-monitor.conf.lock rwk,
+ owner @{user_config_dirs}/lxqt/lxqt-config-monitor.conf.@{rand6} rw,
+ owner @{user_config_dirs}/lxqt/lxqt-config-monitor.conf.@{rand6} l -> @{user_config_dirs}/lxqt/#@{int},
+ owner @{user_config_dirs}/lxqt/lxqt-config-monitor.conf l -> @{user_config_dirs}/lxqt/#@{int},
+
+ owner /tmp/@{int} r,
+
+ /dev/tty rw,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
From c39403791d5dae0f3caf3ee5e75458759e5668fa Mon Sep 17 00:00:00 2001
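Review bot: `/var/cache/fontconfig/{,**} rw,` in lxqt-config-monitor allows writing the system-wide font cache, without an `owner` qualifier, from a per-user display-settings tool. Unless the denial logs show a real write attempt that has to succeed, `/var/cache/fontconfig/{,**} r,` is enough to read cached font data and keeps the profile from being a write path into a shared directory. If the write is needed, a comment next to the rule recording why would help later audits.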
From: Besanon
Date: Tue, 12 Aug 2025 14:02:07 +0200
Subject: [PATCH 075/161] Create lxqt-config-session
---
 apparmor.d/groups/lxqt/lxqt-config-session | 58 ++++++++++++++++++++++
 1 file changed, 58 insertions(+)
 create mode 100644 apparmor.d/groups/lxqt/lxqt-config-session
diff --git a/apparmor.d/groups/lxqt/lxqt-config-session b/apparmor.d/groups/lxqt/lxqt-config-session
new file mode 100644
index 000000000..856c2075c
--- /dev/null
+++ b/apparmor.d/groups/lxqt/lxqt-config-session
@@ -0,0 +1,58 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# Copyright (C) 2024 Besanon
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/lxqt-config-session
+profile lxqt-config-session @{exec_path} {
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+
+ @{exec_path} mr,
+
+ /usr/share/libfm-qt6/translations/libfm-qt_de.qm r,
+ /usr/share/gvfs/remote-volume-monitors/ r,
+ /usr/share/gvfs/remote-volume-monitors/udisks2.monitor r,
+ /usr/share/thumbnailers/ r,
+
+ /etc/fstab r,
+ /etc/xdg/autostart/ r,
+ /etc/xdg/autostart/** r,
+
+ owner @{user_config_dirs}/#@{int} rw,
+ owner @{user_config_dirs}/autostart/ rw,
+ owner @{user_config_dirs}/QtProject.conf rw,
+ owner @{user_config_dirs}/QtProject.conf.@{rand6} rwkl,
+ owner @{user_config_dirs}/QtProject.conf.lock rwk,
+ owner @{user_config_dirs}/autostart/*.desktop rw,
+ owner @{user_config_dirs}/autostart/lxqt-config-monitor-autostart.desktop r,
+ owner @{user_config_dirs}/lxqt/ r,
+ owner @{user_config_dirs}/lxqt/#@{int} rwk,
+ owner @{user_config_dirs}/lxqt/lxqt.conf.lock rwk,
+ owner @{user_config_dirs}/lxqt/lxqt-config-session.conf.lock rwk,
+ owner @{user_config_dirs}/lxqt/session.conf.lock rwk,
+ owner @{user_config_dirs}/lxqt/session.conf.@{rand6} rwkl -> @{user_config_dirs}/lxqt/#@{int},
+ owner @{user_config_dirs}/user-dirs.dirs rw,
+ owner @{user_config_dirs}/lxqt/waylandwindowmanagers.conf.lock rwk,
+ owner @{user_config_dirs}/lxqt/waylandwindowmanagers.conf rwkl -> @{user_config_dirs}/lxqt/#@{int},
+
+ owner /tmp/@{int} r,
+
+ owner @{PROC}/@{pid}/mountinfo r,
+
+ /dev/tty rw,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
From ed52afceda69cf527bf04746ba8f13158a567a22 Mon Sep 17 00:00:00 2001
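Review bot: `/usr/share/libfm-qt6/translations/libfm-qt_de.qm r,` in lxqt-config-session allows only the German translation file, so the profile will log denials under any other locale; `/usr/share/libfm-qt6/translations/*.qm r,` covers all of them. lxqt-policykit-agent (PATCH 076) hard-codes `lxqt-policykit-agent_de.qm` in the same way. `owner @{user_config_dirs}/autostart/lxqt-config-monitor-autostart.desktop r,` is already covered by the `autostart/*.desktop rw,` rule above it and can be dropped.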
From: Besanon
Date: Tue, 12 Aug 2025 14:03:40 +0200
Subject: [PATCH 076/161] Create lxqt-policykit-agent
---
 apparmor.d/groups/lxqt/lxqt-policykit-agent | 55 +++++++++++++++++++++
 1 file changed, 55 insertions(+)
 create mode 100644 apparmor.d/groups/lxqt/lxqt-policykit-agent
diff --git a/apparmor.d/groups/lxqt/lxqt-policykit-agent b/apparmor.d/groups/lxqt/lxqt-policykit-agent
new file mode 100644
index 000000000..cbf3f51d0
--- /dev/null
+++ b/apparmor.d/groups/lxqt/lxqt-policykit-agent
@@ -0,0 +1,55 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# Copyright (C) 2024 Besanon
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{lib}/@{multiarch}/lxqt-policykit-agent-[0-9]
+@{exec_path} += @{bin}/lxqt-policykit-agent
+profile lxqt-policykit-agent @{exec_path} flags=(attach_disconnected) {
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+
+ signal (send) set=(term, kill) peer=polkit-agent-helper,
+
+ @{exec_path} mr,
+
+ @{lib}/polkit-[0-9]/polkit-agent-helper-[0-9] rPx,
+
+ /usr/share/lxqt/translations/lxqt-policykit-agent/lxqt-policykit-agent_de.qm r,
+
+ /etc/machine-id r,
+
+ /var/lib/dbus/machine-id r,
+
+ owner @{user_cache_dirs}/icon-cache.kcache rw,
+ owner @{user_config_dirs}/qt5ct/{,**} r,
+
+ owner /tmp/#@{int} rw,
+ owner /tmp/lxqt-policykit-agent-[0-9].* rwl -> /tmp/#@{int},
+
+ @{run}/systemd/users/@{uid} r,
+
+ @{sys}/devices/system/node/ r,
+ @{sys}/devices/system/node/node@{int}/meminfo r,
+
+ @{PROC}/@{pid}/cgroup r,
+ @{PROC}/@{pid}/cmdline r,
+ @{PROC}/@{pid}/fd/ r,
+ @{PROC}/sys/kernel/core_pattern r,
+
+ /dev/shm/#@{int} rw,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
From 59a2e6f8a82f6e0e1097357b3dc0394fbeb26e7c Mon Sep 17 00:00:00 2001
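Review bot: `/dev/shm/#@{int} rw,` and the three `@{PROC}/@{pid}/` rules (`cgroup`, `cmdline`, `fd/`) in lxqt-policykit-agent are not owner-restricted, so the policy lets the agent open other users' anonymous shared-memory files and read any process's command line, with file permissions as the only remaining limit. For the process that shows authentication prompts, `owner /dev/shm/#@{int} rw,` and `owner @{PROC}/@{pid}/{cgroup,cmdline} r,` are the narrower starting point. The unqualified form should come back only if the denial logs show the agent really inspects a process owned by someone else, with a comment recording that.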
From: Besanon Date: Tue, 12 Aug 2025 14:09:34 +0200 Subject: [PATCH 077/161] Update lxqt-config-globalkeyshortcuts --- apparmor.d/groups/lxqt/lxqt-config-globalkeyshortcuts | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/apparmor.d/groups/lxqt/lxqt-config-globalkeyshortcuts b/apparmor.d/groups/lxqt/lxqt-config-globalkeyshortcuts index 7a098cbe6..26d2a51d4 100644 --- a/apparmor.d/groups/lxqt/lxqt-config-globalkeyshortcuts +++ b/apparmor.d/groups/lxqt/lxqt-config-globalkeyshortcuts @@ -16,15 +16,15 @@ profile lxqt-config-globalkeyshortcuts @{exec_path} { include include - @{exec_path} mr, + @{exec_path} mr, owner @{user_config_dirs}/lxqt/lxqt* rwkl -> @{user_config_dirs}/lxqt/#@{int}, owner @{user_config_dirs}/lxqt/globalkeyshortcuts.conf.lock rwk, owner @{user_config_dirs}/lxqt/#@{int} rw, - owner /tmp/@{int} r, + owner /tmp/@{int} r, - /dev/tty rw, + /dev/tty rw, include if exists } From a032a5310417f1afbeb911138db7c23996e1668e Mon Sep 17 00:00:00 2001 From: Besanon Date: Tue, 12 Aug 2025 14:13:50 +0200 Subject: [PATCH 078/161] Update lxqt-config-session --- apparmor.d/groups/lxqt/lxqt-config-session | 38 +++++++++++----------- 1 file changed, 19 insertions(+), 19 deletions(-) diff --git a/apparmor.d/groups/lxqt/lxqt-config-session b/apparmor.d/groups/lxqt/lxqt-config-session index 856c2075c..3d1353a60 100644 --- a/apparmor.d/groups/lxqt/lxqt-config-session +++ b/apparmor.d/groups/lxqt/lxqt-config-session 
@@ -18,32 +18,32 @@ profile lxqt-config-session @{exec_path} { include include - @{exec_path} mr, + @{exec_path} mr, - /usr/share/libfm-qt6/translations/libfm-qt_de.qm r, - /usr/share/gvfs/remote-volume-monitors/ r, + /usr/share/libfm-qt6/translations/libfm-qt_de.qm r, + /usr/share/gvfs/remote-volume-monitors/ r, /usr/share/gvfs/remote-volume-monitors/udisks2.monitor r, /usr/share/thumbnailers/ r, - - /etc/fstab r, - /etc/xdg/autostart/ r, - /etc/xdg/autostart/** r, - - owner @{user_config_dirs}/#@{int} rw, - owner @{user_config_dirs}/autostart/ rw, - owner @{user_config_dirs}/QtProject.conf rw, + + /etc/fstab r, + /etc/xdg/autostart/ r, + /etc/xdg/autostart/** r, + + owner @{user_config_dirs}/#@{int} rw, + owner @{user_config_dirs}/autostart/ rw, + owner @{user_config_dirs}/QtProject.conf rw, owner @{user_config_dirs}/QtProject.conf.@{rand6} rwkl, - owner @{user_config_dirs}/QtProject.conf.lock rwk, - owner @{user_config_dirs}/autostart/*.desktop rw, + owner @{user_config_dirs}/QtProject.conf.lock rwk, + owner @{user_config_dirs}/autostart/*.desktop rw, owner @{user_config_dirs}/autostart/lxqt-config-monitor-autostart.desktop r, owner @{user_config_dirs}/lxqt/ r, - owner @{user_config_dirs}/lxqt/#@{int} rwk, - owner @{user_config_dirs}/lxqt/lxqt.conf.lock rwk, - owner @{user_config_dirs}/lxqt/lxqt-config-session.conf.lock rwk, + owner @{user_config_dirs}/lxqt/#@{int} rwk, + owner @{user_config_dirs}/lxqt/lxqt.conf.lock rwk, + owner @{user_config_dirs}/lxqt/lxqt-config-session.conf.lock rwk, owner @{user_config_dirs}/lxqt/session.conf.lock rwk, - owner @{user_config_dirs}/lxqt/session.conf.@{rand6} rwkl -> @{user_config_dirs}/lxqt/#@{int}, - owner @{user_config_dirs}/user-dirs.dirs rw, - owner @{user_config_dirs}/lxqt/waylandwindowmanagers.conf.lock rwk, + owner @{user_config_dirs}/lxqt/session.conf.@{rand6} rwkl -> @{user_config_dirs}/lxqt/#@{int}, + owner @{user_config_dirs}/user-dirs.dirs rw, + owner @{user_config_dirs}/lxqt/waylandwindowmanagers.conf.lock rwk, 
owner @{user_config_dirs}/lxqt/waylandwindowmanagers.conf rwkl -> @{user_config_dirs}/lxqt/#@{int}, owner /tmp/@{int} r, From fda7f318aa5f0f50f093ecc34bbb2a0e50b673f0 Mon Sep 17 00:00:00 2001 From: Besanon Date: Tue, 12 Aug 2025 14:14:41 +0200 Subject: [PATCH 079/161] Update lxqt-about --- apparmor.d/groups/lxqt/lxqt-about | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/lxqt/lxqt-about b/apparmor.d/groups/lxqt/lxqt-about index 7f69b8e2f..7dabe599f 100644 --- a/apparmor.d/groups/lxqt/lxqt-about +++ b/apparmor.d/groups/lxqt/lxqt-about @@ -21,7 +21,7 @@ profile lxqt-about @{exec_path} { owner /tmp/@{int} r, /dev/tty rw, - owner /dev/pts/@{int} rw, + owner /dev/pts/@{int} rw, include if exists } From 780af3a8894c54e74a9aa8910f28a54ab4629507 Mon Sep 17 00:00:00 2001 From: Besanon Date: Tue, 12 Aug 2025 14:16:38 +0200 Subject: [PATCH 080/161] Update startlxqtwayland --- apparmor.d/groups/lxqt/startlxqtwayland | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/apparmor.d/groups/lxqt/startlxqtwayland b/apparmor.d/groups/lxqt/startlxqtwayland index bae481ea9..fade82b24 100644 --- a/apparmor.d/groups/lxqt/startlxqtwayland +++ b/apparmor.d/groups/lxqt/startlxqtwayland @@ -26,8 +26,8 @@ profile startlxqtwayland @{exec_path} { @{bin}/cp rix, @{bin}/dirname rix, @{bin}/labwc rpx, - @{bin}/grep rix, - @{bin}/gawk rix, + @{bin}/{,e}grep rix, + @{bin}/{m,g,}awk rix, @{bin}/mkdir rix, @{sh_path} rix, @{bin}/lxqt-session rPx, From ee80b539dadefd9b4e4a029529dc8ee3bde9ac7e Mon Sep 17 00:00:00 2001 From: Besanon Date: Tue, 12 Aug 2025 14:19:15 +0200 Subject: [PATCH 081/161] Update lxqt-policykit-agent --- apparmor.d/groups/lxqt/lxqt-policykit-agent | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/apparmor.d/groups/lxqt/lxqt-policykit-agent b/apparmor.d/groups/lxqt/lxqt-policykit-agent index cbf3f51d0..02c27d64a 100644 --- a/apparmor.d/groups/lxqt/lxqt-policykit-agent 
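Review bot: In the startlxqtwayland hunk, the widened `@{bin}/{,e}grep rix,` and `@{bin}/{m,g,}awk rix,` rules sit beside `@{bin}/labwc rpx,`, the only transition in this list written with a lowercase `p`. That form switches to the labwc profile without the environment scrubbing that `rPx` applies, so variables such as `LD_PRELOAD` set in the session environment reach the compositor unchanged. If that is deliberate, a trailing comment such as `# px: compositor needs the unscrubbed session environment` would record it; otherwise use `@{bin}/labwc rPx,` like `@{bin}/lxqt-session rPx,` below. The profile body starts and ends outside this hunk.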
+++ b/apparmor.d/groups/lxqt/lxqt-policykit-agent @@ -21,30 +21,30 @@ profile lxqt-policykit-agent @{exec_path} flags=(attach_disconnected) { signal (send) set=(term, kill) peer=polkit-agent-helper, - @{exec_path} mr, + @{exec_path} mr, @{lib}/polkit-[0-9]/polkit-agent-helper-[0-9] rPx, /usr/share/lxqt/translations/lxqt-policykit-agent/lxqt-policykit-agent_de.qm r, - /etc/machine-id r, + /etc/machine-id r, - /var/lib/dbus/machine-id r, + /var/lib/dbus/machine-id r, owner @{user_cache_dirs}/icon-cache.kcache rw, owner @{user_config_dirs}/qt5ct/{,**} r, - owner /tmp/#@{int} rw, + owner /tmp/#@{int} rw, owner /tmp/lxqt-policykit-agent-[0-9].* rwl -> /tmp/#@{int}, - @{run}/systemd/users/@{uid} r, + @{run}/systemd/users/@{uid} r, - @{sys}/devices/system/node/ r, + @{sys}/devices/system/node/ r, @{sys}/devices/system/node/node@{int}/meminfo r, - @{PROC}/@{pid}/cgroup r, - @{PROC}/@{pid}/cmdline r, - @{PROC}/@{pid}/fd/ r, + @{PROC}/@{pid}/cgroup r, + @{PROC}/@{pid}/cmdline r, + @{PROC}/@{pid}/fd/ r, @{PROC}/sys/kernel/core_pattern r, /dev/shm/#@{int} rw, From 021af97a5680446c203172a2df34ae1baeefcdea Mon Sep 17 00:00:00 2001 From: Besanon Date: Tue, 12 Aug 2025 14:22:25 +0200 Subject: [PATCH 082/161] Update lxqt-config-input --- apparmor.d/groups/lxqt/lxqt-config-input | 46 ++++++++++++------------ 1 file changed, 23 insertions(+), 23 deletions(-) diff --git a/apparmor.d/groups/lxqt/lxqt-config-input b/apparmor.d/groups/lxqt/lxqt-config-input index 6888e7c1c..621136e49 100644 --- a/apparmor.d/groups/lxqt/lxqt-config-input +++ b/apparmor.d/groups/lxqt/lxqt-config-input 
@@ -40,36 +40,36 @@ profile lxqt-config-input @{exec_path} { owner @{user_config_dirs}/lxqt/session.conf.lock rwk, owner @{user_config_dirs}/lxqt/lxqt-config-input.conf rwl -> @{user_config_dirs}/lxqt/#@{int}, - owner /tmp/@{int} r, + owner /tmp/@{int} r, - @{run}/udev/data/c@{int}:* r, - @{run}/udev/data/b@{int}:* r, - @{run}/udev/data/+sound:card@{int} r, - @{run}/udev/data/+bluetooth:* r, - @{run}/udev/data/+platform:* r, - @{run}/udev/data/+acpi:* r, - @{run}/udev/data/+i2c:* r, - @{run}/udev/data/+backlight:* r, - @{run}/udev/data/+leds:* r, - @{run}/udev/data/n@{int} r, - @{run}/udev/data/+input:* r, - @{run}/udev/data/+dmi:* r, - @{run}/udev/data/+drm:* r, - @{run}/udev/data/+pci:* r, - @{run}/udev/data/+rfkill:* r, + @{run}/udev/data/c@{int}:* r, + @{run}/udev/data/b@{int}:* r, + @{run}/udev/data/+sound:card@{int} r, + @{run}/udev/data/+bluetooth:* r, + @{run}/udev/data/+platform:* r, + @{run}/udev/data/+acpi:* r, + @{run}/udev/data/+i2c:* r, + @{run}/udev/data/+backlight:* r, + @{run}/udev/data/+leds:* r, + @{run}/udev/data/n@{int} r, + @{run}/udev/data/+input:* r, + @{run}/udev/data/+dmi:* r, + @{run}/udev/data/+drm:* r, + @{run}/udev/data/+pci:* r, + @{run}/udev/data/+rfkill:* r, - @{sys}/bus/**/devices/ r, # ALL under /sys/bus/* is asked for read - @{sys}/class/**/ r, # ALL but usbmisc under /sys/class is being read - @{sys}/devices/**/uevent r, - @{sys}/devices/platform/**/uevent r, + @{sys}/bus/**/devices/ r, # ALL under /sys/bus/* is asked for read + @{sys}/class/**/ r, # ALL but usbmisc under /sys/class is being read + @{sys}/devices/**/uevent r, + @{sys}/devices/platform/**/uevent r, @{sys}/devices/platform/cpu/**/uevent r, @{sys}/devices/system/machinecheck/**/uevent r, - @{sys}/devices/pnp@{int}/**/uevent r, + @{sys}/devices/pnp@{int}/**/uevent r, @{sys}/devices/system/clockevents/clockevent@{int}/uevent r, @{sys}/devices/system/cpu/cpu@{int}/uevent r, @{sys}/devices/system/memory/memory@{int}/uevent r, @{sys}/devices/virtual/devlink/**/uevent r, 
- @{sys}/devices/virtual/mem/**/uevent r, + @{sys}/devices/virtual/mem/**/uevent r, @{sys}/devices/virtual/bdi/@{int}:@{int}/uevent r, @{sys}/devices/virtual/block/loop@{int}/uevent r, @{sys}/devices/virtual/input/**/uevent r, @@ -94,7 +94,7 @@ profile lxqt-config-input @{exec_path} { @{sys}/devices/LNXSYSTM:00/LNXSYBUS:@{rand2}/PNP*/uevent r, @{sys}/devices/LNXSYSTM:00/LNXSYBUS:@{rand2}/PNP*/**/wakeup/wakeup@{int}/uevent r, - /dev/tty rw, + /dev/tty rw, deny @{sys}/class/usbmisc/ r, From 8f064f21f15f26c2509bb669b021d58df1fbe262 Mon Sep 17 00:00:00 2001 From: Besanon Date: Tue, 12 Aug 2025 14:24:24 +0200 Subject: [PATCH 083/161] Update lxqt-config-appearance --- apparmor.d/groups/lxqt/lxqt-config-appearance | 24 +++++++++---------- 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/apparmor.d/groups/lxqt/lxqt-config-appearance b/apparmor.d/groups/lxqt/lxqt-config-appearance index 8918ea79b..d0f52f365 100644 --- a/apparmor.d/groups/lxqt/lxqt-config-appearance +++ b/apparmor.d/groups/lxqt/lxqt-config-appearance 
@@ -17,30 +17,30 @@ profile lxqt-config-appearance @{exec_path} { include include - @{exec_path} mr, + @{exec_path} mr, - @{bin}/gsettings rPx, - @{bin}/pcmanfm-qt rPx, - @{bin}/xsettingsd rPx, + @{bin}/gsettings rPx, + @{bin}/pcmanfm-qt rPx, + @{bin}/xsettingsd rPx, - owner @{HOME}/.gtkrc-2.0 rw, + owner @{HOME}/.gtkrc-2.0 rw, owner @{HOME}/.icons/default/index.theme rw, - owner @{HOME}/.Xdefaults rw, + owner @{HOME}/.Xdefaults rw, owner @{HOME}/.Xresources rw, owner @{user_config_dirs}/gtk-3.0/settings.ini rw, owner @{user_config_dirs}/lxqt/ r, - owner @{user_config_dirs}/lxqt/#@{int} rwk, + owner @{user_config_dirs}/lxqt/#@{int} rwk, owner @{user_config_dirs}/lxqt/session.conf.lock rwk, - owner @{user_config_dirs}/lxqt/lxqt.conf.lock rwk, - owner @{user_config_dirs}/lxqt/lxqt.conf.@{rand6} rw, - owner @{user_config_dirs}/lxqt/lxqt.conf.@{rand6} l -> @{user_config_dirs}/lxqt/#*, + owner @{user_config_dirs}/lxqt/lxqt.conf.lock rwk, + owner @{user_config_dirs}/lxqt/lxqt.conf.@{rand6} rw, + owner @{user_config_dirs}/lxqt/lxqt.conf.@{rand6} l -> @{user_config_dirs}/lxqt/#*, owner @{user_config_dirs}/lxqt/lxqt-config-appearance.conf.lock rwk, owner @{user_config_dirs}/lxqt/lxqt-config-appearance.conf.@{rand6} rw, owner @{user_config_dirs}/lxqt/lxqt-config-appearance.conf.@{rand6} l -> @{user_config_dirs}/lxqt/#@{int}, - owner @{user_config_dirs}/pcmanfm-qt/lxqt/settings.conf r, + owner @{user_config_dirs}/pcmanfm-qt/lxqt/settings.conf r, - owner /tmp/#@{int} rw, + owner /tmp/#@{int} rw, owner /tmp/lxqt-config-appearance.@{rand6} rwl -> /tmp/#@{int}, /dev/tty rw, From d2c0f9f79c0dc9f66418407cdbd06fc5bde70ae5 Mon Sep 17 00:00:00 2001 From: Besanon Date: Tue, 12 Aug 2025 14:27:28 +0200 Subject: [PATCH 084/161] Update lxqt-config --- apparmor.d/groups/lxqt/lxqt-config | 56 +++++++++++++++--------------- 1 file changed, 28 insertions(+), 28 deletions(-) diff --git a/apparmor.d/groups/lxqt/lxqt-config b/apparmor.d/groups/lxqt/lxqt-config index e034e3e9b..ef63232e0 100644 
--- a/apparmor.d/groups/lxqt/lxqt-config +++ b/apparmor.d/groups/lxqt/lxqt-config 
@@ -16,50 +16,50 @@ profile lxqt-config @{exec_path} { include include - @{exec_path} mr, + @{exec_path} mr, owner @{user_config_dirs}/qt6ct/qt6ct.conf rw, - @{bin}/lxqt-admin-user rPx, - @{bin}/ibus-setup rPx, - @{bin}/lxqt-config-monitor rPx, - @{bin}/pcmanfm-qt rPx, - @{bin}/lxqt-admin-time rPx, - @{bin}/lxqt-config-input rPx, - @{bin}/lxqt-config-locale rPx, - @{bin}/lxqt-config-brightness rPx, - @{bin}/lxqt-config-session rPx, - @{bin}/lxqt-config-file-associations rPx, - @{bin}/lxqt-config-powermanagement rPx, - @{bin}/lxqt-config-appearance rPx, + @{bin}/lxqt-admin-user rPx, + @{bin}/ibus-setup rPx, + @{bin}/lxqt-config-monitor rPx, + @{bin}/pcmanfm-qt rPx, + @{bin}/lxqt-admin-time rPx, + @{bin}/lxqt-config-input rPx, + @{bin}/lxqt-config-locale rPx, + @{bin}/lxqt-config-brightness rPx, + @{bin}/lxqt-config-session rPx, + @{bin}/lxqt-config-file-associations rPx, + @{bin}/lxqt-config-powermanagement rPx, + @{bin}/lxqt-config-appearance rPx, @{bin}/lxqt-config-globalkeyshortcuts rPx, - @{bin}/lxqt-config-notificationd rPx, - @{bin}/obconf-qt rPx, - @{bin}/nm-connection-editor rPx, - @{bin}/pavucontrol rPx, - @{bin}/pavucontrol-qt rPx, - @{bin}/system-config-printer rPx, - @{bin}/nm-connection-editor rPx, - @{bin}/ControlPanel rPx, - @{bin}/qt6ct rix, - @{bin}/xdg-open rPx, + @{bin}/lxqt-config-notificationd rPx, + @{bin}/obconf-qt rPx, + @{bin}/nm-connection-editor rPx, + @{bin}/pavucontrol rPx, + @{bin}/pavucontrol-qt rPx, + @{bin}/system-config-printer rPx, + @{bin}/nm-connection-editor rPx, + @{bin}/ControlPanel rPx, + @{bin}/qt6ct rix, + @{bin}/xdg-open rPx, /usr/share/desktop-directories/lxqt-* r, - /etc/xdg/menus/lxqt-config.menu r, + /etc/xdg/menus/lxqt-config.menu r, - owner @{user_config_dirs}/lxqt/ r, + owner @{user_config_dirs}/lxqt/ r, owner @{user_config_dirs}/lxqt/#@{int} rw, owner @{user_config_dirs}/lxqt/lxqt-config.conf.lock rwk, owner @{user_config_dirs}/lxqt/lxqt-config.conf.@{rand6} rwl -> @{user_config_dirs}/lxqt/#@{int8}7, owner 
@{user_config_dirs}/lxqt/lxqt-config.conf.@{rand6} rwl -> @{user_config_dirs}/lxqt/#@{int8}2, owner @{user_config_dirs}/qt6ct/qt6ct.conf.@{rand6} rwl -> @{user_config_dirs}/qt6ct/#@{int}, owner @{user_config_dirs}/qt6ct/qt6ct.conf.lock rwk, - owner @{user_config_dirs}/qt6ct/#@{int} rw, + owner @{user_config_dirs}/qt6ct/#@{int} rw, - owner /tmp/@{int} r, + owner /tmp/@{int} r, - /dev/tty rw, + /dev/tty rw, include if exists } From fde82377d74e2c6561b1618c0fe6470a3a41fef9 Mon Sep 17 00:00:00 2001 From: Besanon Date: Tue, 12 Aug 2025 14:33:03 +0200 Subject: [PATCH 085/161] Update lxqt-config-session --- apparmor.d/groups/lxqt/lxqt-config-session | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/apparmor.d/groups/lxqt/lxqt-config-session b/apparmor.d/groups/lxqt/lxqt-config-session index 3d1353a60..5b659dba0 100644 --- a/apparmor.d/groups/lxqt/lxqt-config-session +++ b/apparmor.d/groups/lxqt/lxqt-config-session @@ -32,7 +32,7 @@ profile lxqt-config-session @{exec_path} { owner @{user_config_dirs}/#@{int} rw, owner @{user_config_dirs}/autostart/ rw, owner @{user_config_dirs}/QtProject.conf rw, - owner @{user_config_dirs}/QtProject.conf.@{rand6} rwkl, + owner @{user_config_dirs}/QtProject.conf.@{rand6} rwkl, owner @{user_config_dirs}/QtProject.conf.lock rwk, owner @{user_config_dirs}/autostart/*.desktop rw, owner @{user_config_dirs}/autostart/lxqt-config-monitor-autostart.desktop r, 
@@ -40,19 +40,19 @@ profile lxqt-config-session @{exec_path} { owner @{user_config_dirs}/lxqt/#@{int} rwk, owner @{user_config_dirs}/lxqt/lxqt.conf.lock rwk, owner @{user_config_dirs}/lxqt/lxqt-config-session.conf.lock rwk, - owner @{user_config_dirs}/lxqt/session.conf.lock rwk, + owner @{user_config_dirs}/lxqt/session.conf.lock rwk, owner @{user_config_dirs}/lxqt/session.conf.@{rand6} rwkl -> @{user_config_dirs}/lxqt/#@{int}, owner @{user_config_dirs}/user-dirs.dirs rw, owner @{user_config_dirs}/lxqt/waylandwindowmanagers.conf.lock rwk, - owner @{user_config_dirs}/lxqt/waylandwindowmanagers.conf rwkl -> @{user_config_dirs}/lxqt/#@{int}, + owner @{user_config_dirs}/lxqt/waylandwindowmanagers.conf rwkl -> @{user_config_dirs}/lxqt/#@{int}, - owner /tmp/@{int} r, + owner /tmp/@{int} r, - owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mountinfo r, /dev/tty rw, - include if exists + include if exists } # vim:syntax=apparmor From 7b2d52786e5464e354559bd3c41d1b05f2ad702a Mon Sep 17 00:00:00 2001 From: Besanon Date: Tue, 12 Aug 2025 14:34:52 +0200 Subject: [PATCH 086/161] Update lxqt-backlight_backend --- apparmor.d/groups/lxqt/lxqt-backlight_backend | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/apparmor.d/groups/lxqt/lxqt-backlight_backend b/apparmor.d/groups/lxqt/lxqt-backlight_backend index f2c976372..257a62adb 100644 --- a/apparmor.d/groups/lxqt/lxqt-backlight_backend +++ b/apparmor.d/groups/lxqt/lxqt-backlight_backend 
@@ -14,23 +14,23 @@ profile lxqt-backlight_backend @{exec_path} { include include - @{exec_path} mr, + @{exec_path} mr, @{user_share_dirs}/sddm/xorg-session.log w, - @{sys}/class/backlight/ r, + @{sys}/class/backlight/ r, @{sys}/devices/@{pci_bus}/0000:00:02.0/drm/card@{int}/card@{int}-eDP-@{int}/intel_backlight/ r, @{sys}/devices/@{pci_bus}/0000:00:02.0/drm/card@{int}/card@{int}-eDP-@{int}/intel_backlight/max_brightness r, @{sys}/devices/@{pci_bus}/0000:00:02.0/drm/card@{int}/card@{int}-eDP-@{int}/intel_backlight/bl_power r, @{sys}/devices/@{pci_bus}/0000:00:02.0/drm/card@{int}/card@{int}-eDP-@{int}/intel_backlight/actual_brightness r, - @{sys}/devices/@{pci_bus}/**/**/drm/card@{int}/card@{int}-eDP-1/amdgpu_bl@{int}/* r, - owner @{sys}/devices/@{pci}/**/card@{int}/card@{int}-eDP-1/intel_backlight/type r, + @{sys}/devices/@{pci_bus}/**/**/drm/card@{int}/card@{int}-eDP-1/amdgpu_bl@{int}/* r, + owner @{sys}/devices/@{pci}/**/card@{int}/card@{int}-eDP-1/intel_backlight/type r, owner @{sys}/devices/@{pci_bus}/0000:00:02.0/drm/card@{int}/card@{int}-eDP-@{int}/intel_backlight/brightness rw, owner @{sys}/devices/@{pci_bus}/**/**/drm/card@{int}/card@{int}-eDP-1/amdgpu_bl@{int}/brightness rw, - owner /tmp/@{int} r, + owner /tmp/@{int} r, - /dev/tty rw, + /dev/tty rw, include if exists } From ce1a826eea74a52355e1837b69c10e94ae77be6c Mon Sep 17 00:00:00 2001 From: Besanon Date: Tue, 12 Aug 2025 14:35:41 +0200 Subject: [PATCH 087/161] Update lxqt-config-input --- apparmor.d/groups/lxqt/lxqt-config-input | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/apparmor.d/groups/lxqt/lxqt-config-input b/apparmor.d/groups/lxqt/lxqt-config-input index 621136e49..39fa9f3f6 100644 --- a/apparmor.d/groups/lxqt/lxqt-config-input +++ b/apparmor.d/groups/lxqt/lxqt-config-input 
@@ -23,11 +23,11 @@ profile lxqt-config-input @{exec_path} { signal (read) set=(kill,term) peer=lxqt-session, - @{exec_path} mr, + @{exec_path} mr, - @{bin}/setxkbmap rix, + @{bin}/setxkbmap rix, - /etc/udev/udev.conf r, + /etc/udev/udev.conf r, owner @{user_config_dirs}/lxqt/lxqt.conf.@{rand6} l -> @{user_config_dirs}/lxqt/#@{int}, owner @{user_config_dirs}/lxqt/lxqt.conf.@{rand6} rw, From 959d9ddf16b7b51fb9ffc89c22e5bb86358996ce Mon Sep 17 00:00:00 2001 From: Besanon Date: Tue, 12 Aug 2025 14:36:39 +0200 Subject: [PATCH 088/161] Update lxqt-policykit-agent --- apparmor.d/groups/lxqt/lxqt-policykit-agent | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/apparmor.d/groups/lxqt/lxqt-policykit-agent b/apparmor.d/groups/lxqt/lxqt-policykit-agent index 02c27d64a..32e678644 100644 --- a/apparmor.d/groups/lxqt/lxqt-policykit-agent +++ b/apparmor.d/groups/lxqt/lxqt-policykit-agent @@ -45,9 +45,9 @@ profile lxqt-policykit-agent @{exec_path} flags=(attach_disconnected) { @{PROC}/@{pid}/cgroup r, @{PROC}/@{pid}/cmdline r, @{PROC}/@{pid}/fd/ r, - @{PROC}/sys/kernel/core_pattern r, + @{PROC}/sys/kernel/core_pattern r, - /dev/shm/#@{int} rw, + /dev/shm/#@{int} rw, include if exists } From 93261691a332e33e682535260e9739012fde1d52 Mon Sep 17 00:00:00 2001 From: Besanon Date: Tue, 12 Aug 2025 14:42:58 +0200 Subject: [PATCH 089/161] Update lxqt-config-input --- apparmor.d/groups/lxqt/lxqt-config-input | 34 ++++++++++++------------ 1 file changed, 17 insertions(+), 17 deletions(-) diff --git a/apparmor.d/groups/lxqt/lxqt-config-input b/apparmor.d/groups/lxqt/lxqt-config-input index 39fa9f3f6..4f8db2352 100644 --- a/apparmor.d/groups/lxqt/lxqt-config-input +++ b/apparmor.d/groups/lxqt/lxqt-config-input @@ -25,7 +25,7 @@ profile lxqt-config-input @{exec_path} { @{exec_path} mr, - @{bin}/setxkbmap rix, + @{bin}/setxkbmap rix, /etc/udev/udev.conf r, 
@@ -38,25 +38,25 @@ profile lxqt-config-input @{exec_path} { owner @{user_config_dirs}/lxqt/lxqt-config-input.conf.@{rand6} rwkl -> @{user_config_dirs}/lxqt/#@{int}, owner @{user_config_dirs}/lxqt/#@{int} rwk, owner @{user_config_dirs}/lxqt/session.conf.lock rwk, - owner @{user_config_dirs}/lxqt/lxqt-config-input.conf rwl -> @{user_config_dirs}/lxqt/#@{int}, + owner @{user_config_dirs}/lxqt/lxqt-config-input.conf rwl -> @{user_config_dirs}/lxqt/#@{int}, owner /tmp/@{int} r, - @{run}/udev/data/c@{int}:* r, - @{run}/udev/data/b@{int}:* r, - @{run}/udev/data/+sound:card@{int} r, - @{run}/udev/data/+bluetooth:* r, - @{run}/udev/data/+platform:* r, - @{run}/udev/data/+acpi:* r, - @{run}/udev/data/+i2c:* r, - @{run}/udev/data/+backlight:* r, - @{run}/udev/data/+leds:* r, - @{run}/udev/data/n@{int} r, - @{run}/udev/data/+input:* r, - @{run}/udev/data/+dmi:* r, - @{run}/udev/data/+drm:* r, - @{run}/udev/data/+pci:* r, - @{run}/udev/data/+rfkill:* r, + @{run}/udev/data/c@{int}:* r, # Comment 1 + @{run}/udev/data/b@{int}:* r, # Comment 1 + @{run}/udev/data/+sound:card@{int} r, # Comment 1 + @{run}/udev/data/+bluetooth:* r, # Comment 1 + @{run}/udev/data/+platform:* r, # Comment 1 + @{run}/udev/data/+acpi:* r, # Comment 1 + @{run}/udev/data/+i2c:* r, # Comment 1 + @{run}/udev/data/+backlight:* r, # Comment 1 + @{run}/udev/data/+leds:* r, # Comment 1 + @{run}/udev/data/n@{int} r, # Comment 1 + @{run}/udev/data/+input:* r, # Comment 1 + @{run}/udev/data/+dmi:* r, # Comment 1 + @{run}/udev/data/+drm:* r, # Comment 1 + @{run}/udev/data/+pci:* r, # Comment 1 + @{run}/udev/data/+rfkill:* r, # Comment 1 @{sys}/bus/**/devices/ r, # ALL under /sys/bus/* is asked for read @{sys}/class/**/ r, # ALL but usbmisc under /sys/class is being read From 6618e320c3c61848d3a68930200204a2baa044bb Mon Sep 17 00:00:00 2001 
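Review bot: The `# Comment 1` text added to all fifteen `@{run}/udev/data/` rules in the lxqt-config-input hunk is a placeholder and does not tell a later reviewer why each rule exists. These are also the widest reads in the visible part of the profile: `c@{int}:*` and `b@{int}:*` cover the udev records of every character and block device. Each comment should name the device class and why an input-settings tool needs it, for example `@{run}/udev/data/+input:* r, # keyboards, mice, touchpads`. Classes that presumably appear only because libudev enumerates everything (`+sound`, `+bluetooth`, `+rfkill`, `+drm`, `+backlight`, `+leds`, `b@{int}:*`) are candidates for removal, or for an explicit `deny` like the existing `deny @{sys}/class/usbmisc/ r,` if the aim is only to silence logs. The profile body starts and ends outside this hunk.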
From: Besanon Date: Tue, 12 Aug 2025 14:45:27 +0200 Subject: [PATCH 090/161] Update lxqt-session --- apparmor.d/groups/lxqt/lxqt-session | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/apparmor.d/groups/lxqt/lxqt-session b/apparmor.d/groups/lxqt/lxqt-session index 3a4a6cd61..c5760e20e 100644 --- a/apparmor.d/groups/lxqt/lxqt-session +++ b/apparmor.d/groups/lxqt/lxqt-session @@ -14,7 +14,6 @@ profile lxqt-session @{exec_path} flags=(attach_disconnected) { include include include - include include network netlink raw, @@ -33,7 +32,7 @@ profile lxqt-session @{exec_path} flags=(attach_disconnected) { @{bin}/dirname rix, @{bin}/system-config-printer-applet rPx, @{bin}/dbus-update-activation-environment rCx -> dbus, - @{bin}/systemctl rCx -> systemctl, + @{bin}/systemctl rCx -> systemctl, @{bin}/pavucontrol rPx, @{lib}/geoclue-2.0/demos/agent rPx, @@ -51,7 +50,7 @@ profile lxqt-session @{exec_path} flags=(attach_disconnected) { /usr/share/cursors/ r, /usr/share/backintime/common/* r, /usr/share/desktop-directories/* r, - /usr/share/system-config-printer/* r, + /usr/share/system-config-printer/* r, /etc/xdg/ r, /etc/xdg/autostart/ r, From ccef6fe881da7a4f940bb6f2b7e3292ae9d10879 Mon Sep 17 00:00:00 2001 From: Besanon Date: Tue, 12 Aug 2025 14:46:00 +0200 Subject: [PATCH 091/161] Update lxqt-backlight_backend --- apparmor.d/groups/lxqt/lxqt-backlight_backend | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/lxqt/lxqt-backlight_backend b/apparmor.d/groups/lxqt/lxqt-backlight_backend index 257a62adb..261e958b1 100644 --- a/apparmor.d/groups/lxqt/lxqt-backlight_backend +++ b/apparmor.d/groups/lxqt/lxqt-backlight_backend 
@@ -26,7 +26,7 @@ profile lxqt-backlight_backend @{exec_path} { @{sys}/devices/@{pci_bus}/**/**/drm/card@{int}/card@{int}-eDP-1/amdgpu_bl@{int}/* r, owner @{sys}/devices/@{pci}/**/card@{int}/card@{int}-eDP-1/intel_backlight/type r, owner @{sys}/devices/@{pci_bus}/0000:00:02.0/drm/card@{int}/card@{int}-eDP-@{int}/intel_backlight/brightness rw, - owner @{sys}/devices/@{pci_bus}/**/**/drm/card@{int}/card@{int}-eDP-1/amdgpu_bl@{int}/brightness rw, + owner @{sys}/devices/@{pci_bus}/**/**/drm/card@{int}/card@{int}-eDP-1/amdgpu_bl@{int}/brightness rw, owner /tmp/@{int} r, From 26217f3d9401d637dde0ebeddac84e0b3019e10c Mon Sep 17 00:00:00 2001 From: Besanon Date: Tue, 12 Aug 2025 14:47:16 +0200 Subject: [PATCH 092/161] Update startlxqtwayland --- apparmor.d/groups/lxqt/startlxqtwayland | 1 - 1 file changed, 1 deletion(-) diff --git a/apparmor.d/groups/lxqt/startlxqtwayland b/apparmor.d/groups/lxqt/startlxqtwayland index fade82b24..50e2f4510 100644 --- a/apparmor.d/groups/lxqt/startlxqtwayland +++ b/apparmor.d/groups/lxqt/startlxqtwayland @@ -15,7 +15,6 @@ profile startlxqtwayland @{exec_path} { include include include - include signal (receive) set=(term) peer=sddm, From 5f111e765a96e8d1d222919c14b38f393ca9aaf3 Mon Sep 17 00:00:00 2001 From: Besanon Date: Tue, 12 Aug 2025 14:48:26 +0200 Subject: [PATCH 093/161] Update startlxqtwayland --- apparmor.d/groups/lxqt/startlxqtwayland | 1 - 1 file changed, 1 deletion(-) diff --git a/apparmor.d/groups/lxqt/startlxqtwayland b/apparmor.d/groups/lxqt/startlxqtwayland index 50e2f4510..a0b746029 100644 --- a/apparmor.d/groups/lxqt/startlxqtwayland +++ b/apparmor.d/groups/lxqt/startlxqtwayland @@ -14,7 +14,6 @@ profile startlxqtwayland @{exec_path} { include include include - include signal (receive) set=(term) peer=sddm, From dfac792fa3e9eaf10994af862cf85280d4588ed5 Mon Sep 17 00:00:00 2001 
From: Besanon Date: Tue, 12 Aug 2025 14:49:22 +0200 Subject: [PATCH 094/161] Update lxqt-config-input --- apparmor.d/groups/lxqt/lxqt-config-input | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/lxqt/lxqt-config-input b/apparmor.d/groups/lxqt/lxqt-config-input index 4f8db2352..550f53244 100644 --- a/apparmor.d/groups/lxqt/lxqt-config-input +++ b/apparmor.d/groups/lxqt/lxqt-config-input @@ -89,7 +89,7 @@ profile lxqt-config-input @{exec_path} { @{sys}/devices/LNXSYSTM:00/LNXSYBUS:00/PNP*/PNP*/uevent r, @{sys}/devices/LNXSYSTM:00/LNXSYBUS:00/HPIC*/uevent r, @{sys}/devices/LNXSYSTM:00/LNXSYBUS:@{rand2}/PNP*/device*/device*/device*/uevent r, - @{sys}/devices/LNXSYSTM:00/LNXSYBUS:@{rand2}/PNP*/device*/device*/device*/device*/uevent r, + @{sys}/devices/LNXSYSTM:00/LNXSYBUS:@{rand2}/PNP*/device*/device*/device*/device*/uevent r, @{sys}/devices/LNXSYSTM:00/LNXSYBUS:@{rand2}/AMDI*/**/wakeup@{int}/uevent r, @{sys}/devices/LNXSYSTM:00/LNXSYBUS:@{rand2}/PNP*/uevent r, @{sys}/devices/LNXSYSTM:00/LNXSYBUS:@{rand2}/PNP*/**/wakeup/wakeup@{int}/uevent r, From 78b608486cdc6b4d2cad57c12394f10d82fe7ea9 Mon Sep 17 00:00:00 2001 From: Besanon Date: Tue, 12 Aug 2025 14:50:09 +0200 Subject: [PATCH 095/161] Update lxqt-config-appearance --- apparmor.d/groups/lxqt/lxqt-config-appearance | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/apparmor.d/groups/lxqt/lxqt-config-appearance b/apparmor.d/groups/lxqt/lxqt-config-appearance index d0f52f365..f5ba489df 100644 --- a/apparmor.d/groups/lxqt/lxqt-config-appearance +++ b/apparmor.d/groups/lxqt/lxqt-config-appearance @@ -19,7 +19,7 @@ profile lxqt-config-appearance @{exec_path} { @{exec_path} mr, - @{bin}/gsettings rPx, + @{bin}/gsettings rPx, @{bin}/pcmanfm-qt rPx, @{bin}/xsettingsd rPx, 
@@ -41,7 +41,7 @@ profile lxqt-config-appearance @{exec_path} { owner @{user_config_dirs}/pcmanfm-qt/lxqt/settings.conf r, owner /tmp/#@{int} rw, - owner /tmp/lxqt-config-appearance.@{rand6} rwl -> /tmp/#@{int}, + owner /tmp/lxqt-config-appearance.@{rand6} rwl -> /tmp/#@{int}, /dev/tty rw, From fe840a2bdc8f8c5aa91d74d1573058f884239a8b Mon Sep 17 00:00:00 2001 From: Besanon Date: Tue, 12 Aug 2025 14:50:56 +0200 Subject: [PATCH 096/161] Update lxqt-config-appearance --- apparmor.d/groups/lxqt/lxqt-config-appearance | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/lxqt/lxqt-config-appearance b/apparmor.d/groups/lxqt/lxqt-config-appearance index f5ba489df..b1511b08e 100644 --- a/apparmor.d/groups/lxqt/lxqt-config-appearance +++ b/apparmor.d/groups/lxqt/lxqt-config-appearance @@ -43,7 +43,7 @@ profile lxqt-config-appearance @{exec_path} { owner /tmp/#@{int} rw, owner /tmp/lxqt-config-appearance.@{rand6} rwl -> /tmp/#@{int}, - /dev/tty rw, + /dev/tty rw, include if exists } From fb4921d30367d9a671bd6d5e0a07d838fbcd40e0 Mon Sep 17 00:00:00 2001 From: Besanon Date: Tue, 12 Aug 2025 14:53:27 +0200 Subject: [PATCH 097/161] Update ControlPanel --- apparmor.d/groups/lxqt/ControlPanel | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/apparmor.d/groups/lxqt/ControlPanel b/apparmor.d/groups/lxqt/ControlPanel index fac3a6031..31a281238 100644 --- a/apparmor.d/groups/lxqt/ControlPanel +++ b/apparmor.d/groups/lxqt/ControlPanel @@ -15,11 +15,11 @@ profile ControlPanel @{exec_path} { include include - @{exec_path} mr, + @{exec_path} mr, /usr/share/desktop-directories/lxqt-* r, - /etc/xdg/menus/lxqt-config.menu r, + /etc/xdg/menus/lxqt-config.menu r, # only for xfe file manager: owner @{HOME}/.foxrc/ rw, 
@@ -27,10 +27,10 @@ profile ControlPanel @{exec_path} { owner @{user_config_dirs}/lxqt/lxqt-config.conf.lock rwk, - owner /tmp/@{int} r, + owner /tmp/@{int} r, - /dev/pts/@{int} rw, - /dev/tty rw, + /dev/pts/@{int} rw, + /dev/tty rw, include if exists } From 30eea3e36e4ae39fa10cdc163c6747c1dcef678d Mon Sep 17 00:00:00 2001 From: Besanon Date: Tue, 12 Aug 2025 15:00:08 +0200 Subject: [PATCH 098/161] Update lxqt-config-session --- apparmor.d/groups/lxqt/lxqt-config-session | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/lxqt/lxqt-config-session b/apparmor.d/groups/lxqt/lxqt-config-session index 5b659dba0..7a28142bd 100644 --- a/apparmor.d/groups/lxqt/lxqt-config-session +++ b/apparmor.d/groups/lxqt/lxqt-config-session @@ -50,7 +50,7 @@ profile lxqt-config-session @{exec_path} { owner @{PROC}/@{pid}/mountinfo r, - /dev/tty rw, + /dev/tty rw, include if exists } From 4df4dba3fa0e71868d241915a6980032c6cb8be3 Mon Sep 17 00:00:00 2001 From: Besanon Date: Tue, 12 Aug 2025 15:00:41 +0200 Subject: [PATCH 099/161] Update lxqt-config-input --- apparmor.d/groups/lxqt/lxqt-config-input | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/lxqt/lxqt-config-input b/apparmor.d/groups/lxqt/lxqt-config-input index 550f53244..cd5fe791f 100644 --- a/apparmor.d/groups/lxqt/lxqt-config-input +++ b/apparmor.d/groups/lxqt/lxqt-config-input 
@@ -88,7 +88,7 @@ profile lxqt-config-input @{exec_path} { @{sys}/devices/LNXSYSTM:00/LNXSYBUS:@{rand2}/LNXTHERM:@{rand2}/uevent r, @{sys}/devices/LNXSYSTM:00/LNXSYBUS:00/PNP*/PNP*/uevent r, @{sys}/devices/LNXSYSTM:00/LNXSYBUS:00/HPIC*/uevent r, - @{sys}/devices/LNXSYSTM:00/LNXSYBUS:@{rand2}/PNP*/device*/device*/device*/uevent r, + @{sys}/devices/LNXSYSTM:00/LNXSYBUS:@{rand2}/PNP*/device*/device*/device*/uevent r, @{sys}/devices/LNXSYSTM:00/LNXSYBUS:@{rand2}/PNP*/device*/device*/device*/device*/uevent r, @{sys}/devices/LNXSYSTM:00/LNXSYBUS:@{rand2}/AMDI*/**/wakeup@{int}/uevent r, @{sys}/devices/LNXSYSTM:00/LNXSYBUS:@{rand2}/PNP*/uevent r, From 84afb4c1ae8ca051f105fce3bb5c7b1b14e5b5d1 Mon Sep 17 00:00:00 2001 From: Besanon Date: Tue, 12 Aug 2025 15:01:45 +0200 Subject: [PATCH 100/161] Update startlxqtwayland --- apparmor.d/groups/lxqt/startlxqtwayland | 2 -- 1 file changed, 2 deletions(-) diff --git a/apparmor.d/groups/lxqt/startlxqtwayland b/apparmor.d/groups/lxqt/startlxqtwayland index a0b746029..b8b09a1ee 100644 --- a/apparmor.d/groups/lxqt/startlxqtwayland +++ b/apparmor.d/groups/lxqt/startlxqtwayland @@ -11,8 +11,6 @@ include profile startlxqtwayland @{exec_path} { include include - include - include include signal (receive) set=(term) peer=sddm, From a54a67335bf555f3f568b5293972f759f401f4a4 Mon Sep 17 00:00:00 2001 From: Besanon Date: Tue, 12 Aug 2025 15:04:12 +0200 Subject: [PATCH 101/161] Update lxqt-config-input --- apparmor.d/groups/lxqt/lxqt-config-input | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/lxqt/lxqt-config-input b/apparmor.d/groups/lxqt/lxqt-config-input index cd5fe791f..6f8a6651c 100644 --- a/apparmor.d/groups/lxqt/lxqt-config-input +++ b/apparmor.d/groups/lxqt/lxqt-config-input 
@@ -59,7 +59,7 @@ profile lxqt-config-input @{exec_path} { @{run}/udev/data/+rfkill:* r, # Comment 1 @{sys}/bus/**/devices/ r, # ALL under /sys/bus/* is asked for read - @{sys}/class/**/ r, # ALL but usbmisc under /sys/class is being read + @{sys}/class/**/ r, # ALL but usbmisc under /sys/class is being read @{sys}/devices/**/uevent r, @{sys}/devices/platform/**/uevent r, @{sys}/devices/platform/cpu/**/uevent r, From c17e5fd7f6bdf4df3385e0edd03247a076fd4335 Mon Sep 17 00:00:00 2001 From: Besanon Date: Tue, 12 Aug 2025 15:06:22 +0200 Subject: [PATCH 102/161] Update lxqt-config-monitor --- apparmor.d/groups/lxqt/lxqt-config-monitor | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/apparmor.d/groups/lxqt/lxqt-config-monitor b/apparmor.d/groups/lxqt/lxqt-config-monitor index 8545b3c8c..380f9483f 100644 --- a/apparmor.d/groups/lxqt/lxqt-config-monitor +++ b/apparmor.d/groups/lxqt/lxqt-config-monitor 
@@ -17,24 +17,24 @@ profile lxqt-config-monitor @{exec_path} { signal (read) set=(kill,term) peer=lxqt-session, - @{exec_path} mr, + @{exec_path} mr, - /var/cache/fontconfig/{,**} rw, + /var/cache/fontconfig/{,**} rw, owner @{user_config_dirs}/autostart/lxqt-config-monitor-autostart.desktop rw, - owner @{user_config_dirs}/lxqt/ r, - owner @{user_config_dirs}/lxqt/#@{int} rwk, - owner @{user_config_dirs}/lxqt/lxqt.conf.lock rwk, - owner @{user_config_dirs}/lxqt/lxqt.conf.@{rand6} rw, + owner @{user_config_dirs}/lxqt/ r, + owner @{user_config_dirs}/lxqt/#@{int} rwk, + owner @{user_config_dirs}/lxqt/lxqt.conf.lock rwk, + owner @{user_config_dirs}/lxqt/lxqt.conf.@{rand6} rw, owner @{user_config_dirs}/lxqt/lxqt.conf.@{rand6} l -> @{user_config_dirs}/lxqt/#*, - owner @{user_config_dirs}/lxqt/lxqt-config-monitor.conf.lock rwk, - owner @{user_config_dirs}/lxqt/lxqt-config-monitor.conf.@{rand6} rw, + owner @{user_config_dirs}/lxqt/lxqt-config-monitor.conf.lock rwk, + owner @{user_config_dirs}/lxqt/lxqt-config-monitor.conf.@{rand6} rw, owner @{user_config_dirs}/lxqt/lxqt-config-monitor.conf.@{rand6} l -> @{user_config_dirs}/lxqt/#@{int}, owner @{user_config_dirs}/lxqt/lxqt-config-monitor.conf l -> @{user_config_dirs}/lxqt/#@{int}, - owner /tmp/@{int} r, + owner /tmp/@{int} r, - /dev/tty rw, + /dev/tty rw, include if exists } From 87d20460edfc0a92d997b9ee8268482a26d838ae Mon Sep 17 00:00:00 2001 From: Besanon Date: Tue, 12 Aug 2025 15:08:28 +0200 Subject: [PATCH 103/161] Update lxqt-config-session From 78956242aced3f6dd7eb14dfedf2351fbeb4d209 Mon Sep 17 00:00:00 2001 From: Besanon Date: Tue, 12 Aug 2025 15:09:19 +0200 Subject: [PATCH 104/161] Update startlxqtwayland --- apparmor.d/groups/lxqt/startlxqtwayland | 1 - 1 file changed, 1 deletion(-) diff --git a/apparmor.d/groups/lxqt/startlxqtwayland b/apparmor.d/groups/lxqt/startlxqtwayland index b8b09a1ee..43d0001f4 100644 --- a/apparmor.d/groups/lxqt/startlxqtwayland +++ b/apparmor.d/groups/lxqt/startlxqtwayland 
@@ -64,7 +64,6 @@ profile startlxqtwayland @{exec_path} { owner @{run}/user/@{uid}/ r, @{PROC}/sys/kernel/core_pattern r, - owner @{PROC}/@{pid}/maps r, /dev/tty rw, /dev/tty@{int} rw, From db22e001c67610de2f5ca233f569e6204caa24ab Mon Sep 17 00:00:00 2001 From: Besanon Date: Tue, 12 Aug 2025 15:11:35 +0200 Subject: [PATCH 105/161] Update lxqt-config --- apparmor.d/groups/lxqt/lxqt-config | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/apparmor.d/groups/lxqt/lxqt-config b/apparmor.d/groups/lxqt/lxqt-config index ef63232e0..b55bb2c1c 100644 --- a/apparmor.d/groups/lxqt/lxqt-config +++ b/apparmor.d/groups/lxqt/lxqt-config @@ -40,16 +40,16 @@ profile lxqt-config @{exec_path} { @{bin}/pavucontrol-qt rPx, @{bin}/system-config-printer rPx, @{bin}/nm-connection-editor rPx, - @{bin}/ControlPanel rPx, + @{bin}/ControlPanel rPx, @{bin}/qt6ct rix, @{bin}/xdg-open rPx, - + /usr/share/desktop-directories/lxqt-* r, /etc/xdg/menus/lxqt-config.menu r, owner @{user_config_dirs}/lxqt/ r, - owner @{user_config_dirs}/lxqt/#@{int} rw, + owner @{user_config_dirs}/lxqt/#@{int} rw, owner @{user_config_dirs}/lxqt/lxqt-config.conf.lock rwk, owner @{user_config_dirs}/lxqt/lxqt-config.conf.@{rand6} rwl -> @{user_config_dirs}/lxqt/#@{int8}7, owner @{user_config_dirs}/lxqt/lxqt-config.conf.@{rand6} rwl -> @{user_config_dirs}/lxqt/#@{int8}2, From 7d456fedd24d81ca4beb9761e10e31c294ba8ae2 Mon Sep 17 00:00:00 2001 From: Besanon Date: Tue, 12 Aug 2025 15:12:09 +0200 Subject: [PATCH 106/161] Update ControlPanel --- apparmor.d/groups/lxqt/ControlPanel | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/lxqt/ControlPanel b/apparmor.d/groups/lxqt/ControlPanel index 31a281238..07fd14d2b 100644 --- a/apparmor.d/groups/lxqt/ControlPanel +++ b/apparmor.d/groups/lxqt/ControlPanel 
@@ -23,7 +23,7 @@ profile ControlPanel @{exec_path} { # only for xfe file manager: owner @{HOME}/.foxrc/ rw, - owner @{HOME}/.foxrc/Desktop rw, + owner @{HOME}/.foxrc/Desktop rw, owner @{user_config_dirs}/lxqt/lxqt-config.conf.lock rwk, From 788bc56ce9441f6e8d1d5d003a3de0133ec5073b Mon Sep 17 00:00:00 2001 From: Besanon Date: Tue, 12 Aug 2025 15:14:30 +0200 Subject: [PATCH 107/161] Update lxqt-config-session --- apparmor.d/groups/lxqt/lxqt-config-session | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/lxqt/lxqt-config-session b/apparmor.d/groups/lxqt/lxqt-config-session index 7a28142bd..3bbbcef58 100644 --- a/apparmor.d/groups/lxqt/lxqt-config-session +++ b/apparmor.d/groups/lxqt/lxqt-config-session @@ -32,7 +32,7 @@ profile lxqt-config-session @{exec_path} { owner @{user_config_dirs}/#@{int} rw, owner @{user_config_dirs}/autostart/ rw, owner @{user_config_dirs}/QtProject.conf rw, - owner @{user_config_dirs}/QtProject.conf.@{rand6} rwkl, + owner @{user_config_dirs}/QtProject.conf.@{rand6} rwkl, owner @{user_config_dirs}/QtProject.conf.lock rwk, owner @{user_config_dirs}/autostart/*.desktop rw, owner @{user_config_dirs}/autostart/lxqt-config-monitor-autostart.desktop r, From 4ba0377dfc2158589fa4ef5807d0c0ed3b5482e6 Mon Sep 17 00:00:00 2001 From: Besanon Date: Tue, 12 Aug 2025 15:15:42 +0200 Subject: [PATCH 108/161] Update lxqt-config --- apparmor.d/groups/lxqt/lxqt-config | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/apparmor.d/groups/lxqt/lxqt-config b/apparmor.d/groups/lxqt/lxqt-config index b55bb2c1c..778650fae 100644 --- a/apparmor.d/groups/lxqt/lxqt-config +++ b/apparmor.d/groups/lxqt/lxqt-config 
@@ -27,12 +27,12 @@ profile lxqt-config @{exec_path} { @{bin}/lxqt-admin-time rPx, @{bin}/lxqt-config-input rPx, @{bin}/lxqt-config-locale rPx, - @{bin}/lxqt-config-brightness rPx, + @{bin}/lxqt-config-brightness rPx, @{bin}/lxqt-config-session rPx, @{bin}/lxqt-config-file-associations rPx, @{bin}/lxqt-config-powermanagement rPx, @{bin}/lxqt-config-appearance rPx, - @{bin}/lxqt-config-globalkeyshortcuts rPx, + @{bin}/lxqt-config-globalkeyshortcuts rPx, @{bin}/lxqt-config-notificationd rPx, @{bin}/obconf-qt rPx, @{bin}/nm-connection-editor rPx, @@ -40,7 +40,7 @@ profile lxqt-config @{exec_path} { @{bin}/pavucontrol-qt rPx, @{bin}/system-config-printer rPx, @{bin}/nm-connection-editor rPx, - @{bin}/ControlPanel rPx, + @{bin}/ControlPanel rPx, @{bin}/qt6ct rix, @{bin}/xdg-open rPx, From 1ecb19ed776f3fa8f0e79b416115d566fb69e44e Mon Sep 17 00:00:00 2001 From: Besanon Date: Tue, 12 Aug 2025 22:44:31 +0200 Subject: [PATCH 109/161] Update ControlPanel --- apparmor.d/groups/lxqt/ControlPanel | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/apparmor.d/groups/lxqt/ControlPanel b/apparmor.d/groups/lxqt/ControlPanel index 07fd14d2b..7e48e4310 100644 --- a/apparmor.d/groups/lxqt/ControlPanel +++ b/apparmor.d/groups/lxqt/ControlPanel @@ -12,13 +12,12 @@ profile ControlPanel @{exec_path} { include include include + include include include @{exec_path} mr, - /usr/share/desktop-directories/lxqt-* r, - /etc/xdg/menus/lxqt-config.menu r, # only for xfe file manager: @@ -29,9 +28,6 @@ profile ControlPanel @{exec_path} { owner /tmp/@{int} r, - /dev/pts/@{int} rw, - /dev/tty rw, - include if exists } From 1c86ea54b60b935a6fbc0558a1161dd7e571f511 Mon Sep 17 00:00:00 2001 From: Besanon Date: Tue, 12 Aug 2025 22:52:18 +0200 Subject: [PATCH 110/161] Update lxqt-backlight_backend --- apparmor.d/groups/lxqt/lxqt-backlight_backend | 13 +++++-------- 1 file changed, 5 insertions(+), 8 deletions(-) 
diff --git a/apparmor.d/groups/lxqt/lxqt-backlight_backend b/apparmor.d/groups/lxqt/lxqt-backlight_backend index 261e958b1..9f0bd1ae7 100644 --- a/apparmor.d/groups/lxqt/lxqt-backlight_backend +++ b/apparmor.d/groups/lxqt/lxqt-backlight_backend @@ -19,14 +19,11 @@ profile lxqt-backlight_backend @{exec_path} { @{user_share_dirs}/sddm/xorg-session.log w, @{sys}/class/backlight/ r, - @{sys}/devices/@{pci_bus}/0000:00:02.0/drm/card@{int}/card@{int}-eDP-@{int}/intel_backlight/ r, - @{sys}/devices/@{pci_bus}/0000:00:02.0/drm/card@{int}/card@{int}-eDP-@{int}/intel_backlight/max_brightness r, - @{sys}/devices/@{pci_bus}/0000:00:02.0/drm/card@{int}/card@{int}-eDP-@{int}/intel_backlight/bl_power r, - @{sys}/devices/@{pci_bus}/0000:00:02.0/drm/card@{int}/card@{int}-eDP-@{int}/intel_backlight/actual_brightness r, - @{sys}/devices/@{pci_bus}/**/**/drm/card@{int}/card@{int}-eDP-1/amdgpu_bl@{int}/* r, - owner @{sys}/devices/@{pci}/**/card@{int}/card@{int}-eDP-1/intel_backlight/type r, - owner @{sys}/devices/@{pci_bus}/0000:00:02.0/drm/card@{int}/card@{int}-eDP-@{int}/intel_backlight/brightness rw, - owner @{sys}/devices/@{pci_bus}/**/**/drm/card@{int}/card@{int}-eDP-1/amdgpu_bl@{int}/brightness rw, + @{sys}/devices/@{pci}/*_backlight/{,max_,actual_}brightness rw, + @{sys}/devices/@{pci}/*_backlight/{uevent,type,enabled} r, + @{sys}/devices/@{pci}/backlight/**/{,max_,actual_}brightness rw, + @{sys}/devices/@{pci}/backlight/**/{uevent,type,enabled} r, + @{sys}/devices/@{pci}/backlight/**/brightness rw, owner /tmp/@{int} r, From c02567a703af5edc32c48346a62a4c617dabad6b Mon Sep 17 00:00:00 2001 From: Besanon Date: Tue, 12 Aug 2025 23:00:16 +0200 Subject: [PATCH 111/161] Update lxqt-config --- apparmor.d/groups/lxqt/lxqt-config | 12 ++++-------- 1 file changed, 4 insertions(+), 8 deletions(-) diff --git a/apparmor.d/groups/lxqt/lxqt-config b/apparmor.d/groups/lxqt/lxqt-config index 778650fae..b5194c870 100644 --- a/apparmor.d/groups/lxqt/lxqt-config 
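Review bot: The new `{,max_,actual_}brightness rw` rules grant write on `max_brightness` and `actual_brightness`, which the removed rules only allowed for reading, and they drop the `owner` qualifier that the old writable `brightness` rules carried. Only `brightness` needs write, so I would split the pair into `@{sys}/devices/@{pci}/backlight/**/brightness rw,` and `@{sys}/devices/@{pci}/backlight/**/{max_,actual_}brightness r,`, and likewise for the `*_backlight` variant. The fifth added rule, `backlight/**/brightness rw`, is already matched by the empty alternative in the third and can be removed. `bl_power` was readable before and is no longer covered, which is worth confirming against the backend's behaviour. The same five rules are added to lxqt-config-brightness later in this series.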
+++ b/apparmor.d/groups/lxqt/lxqt-config @@ -17,8 +17,7 @@ profile lxqt-config @{exec_path} { include @{exec_path} mr, - - owner @{user_config_dirs}/qt6ct/qt6ct.conf rw, + @{open_path} rpx -> child-open, @{bin}/lxqt-admin-user rPx, @{bin}/ibus-setup rPx, @@ -39,10 +38,6 @@ profile lxqt-config @{exec_path} { @{bin}/pavucontrol rPx, @{bin}/pavucontrol-qt rPx, @{bin}/system-config-printer rPx, - @{bin}/nm-connection-editor rPx, - @{bin}/ControlPanel rPx, - @{bin}/qt6ct rix, - @{bin}/xdg-open rPx, /usr/share/desktop-directories/lxqt-* r, @@ -51,11 +46,12 @@ profile lxqt-config @{exec_path} { owner @{user_config_dirs}/lxqt/ r, owner @{user_config_dirs}/lxqt/#@{int} rw, owner @{user_config_dirs}/lxqt/lxqt-config.conf.lock rwk, - owner @{user_config_dirs}/lxqt/lxqt-config.conf.@{rand6} rwl -> @{user_config_dirs}/lxqt/#@{int8}7, - owner @{user_config_dirs}/lxqt/lxqt-config.conf.@{rand6} rwl -> @{user_config_dirs}/lxqt/#@{int8}2, + owner @{user_config_dirs}/lxqt/lxqt-config.conf.@{rand6} rwl -> @{user_config_dirs}/lxqt/#@{int}, + owner @{user_config_dirs}/lxqt/lxqt-config.conf.@{rand6} rwl -> @{user_config_dirs}/lxqt/#@{int}, owner @{user_config_dirs}/qt6ct/qt6ct.conf.@{rand6} rwl -> @{user_config_dirs}/qt6ct/#@{int}, owner @{user_config_dirs}/qt6ct/qt6ct.conf.lock rwk, owner @{user_config_dirs}/qt6ct/#@{int} rw, + owner @{user_config_dirs}/qt6ct/qt6ct.conf rw, owner /tmp/@{int} r, From deeefc5768c37c3d0b2343ab84dce2bde5dde6ba Mon Sep 17 00:00:00 2001 From: Besanon Date: Tue, 12 Aug 2025 23:03:01 +0200 Subject: [PATCH 112/161] Create pcmanfm-qt --- apparmor.d/groups/lxqt/pcmanfm-qt | 110 ++++++++++++++++++++++++++++++ 1 file changed, 110 insertions(+) create mode 100644 apparmor.d/groups/lxqt/pcmanfm-qt diff --git a/apparmor.d/groups/lxqt/pcmanfm-qt b/apparmor.d/groups/lxqt/pcmanfm-qt new file mode 100644 index 000000000..0b1a168ff --- /dev/null +++ b/apparmor.d/groups/lxqt/pcmanfm-qt 
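Review bot: In the first hunk, `@{open_path} rpx -> child-open,` uses lowercase `px`, which transitions without environment scrubbing, while the other profile transitions visible in this hunk use `rPx`. Unless child-open depends on variables that scrubbing would remove, `@{open_path} rPx -> child-open,` keeps loader variables such as LD_PRELOAD from crossing the profile boundary. The profile body continues outside the hunk.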
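Review bot: In the last hunk, the two added `lxqt-config.conf.@{rand6} rwl -> @{user_config_dirs}/lxqt/#@{int},` lines became identical once `#@{int8}7` and `#@{int8}2` were both replaced by `#@{int}`, so one of them can be dropped. The qt6ct config rules are kept (and `qt6ct.conf rw` moved down) although the second hunk removes `@{bin}/qt6ct rix`; if qt6ct no longer runs inside this profile, those rules may be unused and should be removed with it.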
@@ -0,0 +1,110 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2020-2021 Mikhail Morfikov +# Copyright (C) 2024 Besanon +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/pcmanfm-qt +profile pcmanfm-qt @{exec_path} { + include + include + include + include + include + include + include + include + include + include + include + include + include + include + + signal (send) set=(term, kill), + signal (receive) set=(term, kill) peer=lxqt-session, + + network netlink raw, + + #aa:dbus own bus=session name=org.pcmanfm.PCManFM + #aa:exec kioworker + + @{exec_path} mr, + + @{lib}/menu-cache/menu-cached rPx, + @{lib}exec/menu-cache/menu-cache-gen rix, + + owner @{user_cache_dirs}/pcmanfm-qt/** r, + owner @{user_config_dirs}/pcmanfm-qt/lxqt/ r, + owner @{user_config_dirs}/pcmanfm-qt/lxqt/recent-files.conf.lock rwk, + owner @{user_config_dirs}/pcmanfm-qt/lxqt/desktop-items-0.conf.@{rand6} l -> @{user_config_dirs}/pcmanfm-qt/lxqt/#@{int}, + owner @{user_config_dirs}/pcmanfm-qt/lxqt/dir-settings.conf~ l -> @{user_config_dirs}/pcmanfm-qt/lxqt/dir-settings.conf, + owner @{user_config_dirs}/pcmanfm-qt/lxqt/desktop-items-eDP-@{int}.conf.lock rwk, + owner @{user_config_dirs}/pcmanfm-qt/lxqt/settings.conf.lock rwk, + owner @{user_config_dirs}/pcmanfm-qt/lxqt/settings.conf.@{rand6} l -> @{user_config_dirs}/pcmanfm-qt/lxqt/#@{int}, + owner @{user_config_dirs}/pcmanfm-qt/lxqt/desktop-items-0.conf.lock rwk, + owner @{user_config_dirs}/pcmanfm-qt/lxqt/desktop-items-eDP-@{int}.conf l -> @{user_config_dirs}/pcmanfm-qt/lxqt/#@{int}, + owner @{user_config_dirs}/pcmanfm-qt/lxqt/recent-files.conf.@{rand6} l -> @{user_config_dirs}/pcmanfm-qt/lxqt/#@{int}, + owner @{user_config_dirs}/pcmanfm-qt/lxqt/settings.conf.lock.* rwk, + + @{sys}/bus/ r, + @{sys}/class/ r, + @{sys}/devices/system/node/ r, + @{sys}/devices/system/node/node@{int}/meminfo r, + @{sys}/fs/cgroup/{,**} r, + + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, + 
owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/cgroup r, + + # To read/write files in the system. The read permission is granted for all files, the write + # permission only for the owner. Also, dirs like /dev/, /efi/, /proc/, /sys/ are not included in + # the list. + / r, + /boot/ r, + /boot/** r, + owner /boot/** rw, + /etc/ r, + /etc/** r, + owner /etc/** rw, + /home/ r, + /home/** r, + /home/** rw, + /lost+found/ r, + /lost+found/** r, + owner /lost+found/** rw, + @{MOUNTS}/ r, + @{MOUNTS}/** r, + owner @{MOUNTS}/** rw, + /opt/ r, + /opt/** r, + owner /opt/** rw, + /root/ r, + /root/** r, + owner /root/** rw, + @{run}/ r, + @{run}/** r, + owner @{run}/** rw, + /srv/ r, + /srv/** r, + owner /srv/** rw, + /tmp/ r, + /tmp/** r, + owner /tmp/** rw, + /usr/ r, + /usr/** r, + owner /usr/** rw, + /var/ r, + /var/** r, + owner /var/** rw, + + /dev/tty r, + + include if exists +} + +# vim:syntax=apparmor From e2f5ac9bcd409ee3fea8bfcf3996e486a3f2e6c5 Mon Sep 17 00:00:00 2001 From: Besanon Date: Tue, 12 Aug 2025 23:09:55 +0200 Subject: [PATCH 113/161] Update lxqt-config-brightness --- apparmor.d/groups/lxqt/lxqt-config-brightness | 35 +++++++++++++++++-- 1 file changed, 32 insertions(+), 3 deletions(-) diff --git a/apparmor.d/groups/lxqt/lxqt-config-brightness b/apparmor.d/groups/lxqt/lxqt-config-brightness index 5ec1aafe8..f0627643f 100644 --- a/apparmor.d/groups/lxqt/lxqt-config-brightness +++ b/apparmor.d/groups/lxqt/lxqt-config-brightness @@ -13,7 +13,8 @@ profile lxqt-config-brightness @{exec_path} { include @{exec_path} mr, - @{bin}/pkexec rpx, + + @{bin}/pkexec Cx -> pkexec, @{sh_path} rix, 
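Review bot: `/home/** rw,` lacks the `owner` qualifier that every other writable tree in this list carries, and it contradicts the comment above the list, which says write permission is granted only to the owner; it should read `owner /home/** rw,`. Separately, `signal (send) set=(term, kill),` names no peer, so the rule matches any confined or unconfined target. Adding a `peer=` restriction for the profiles pcmanfm-qt actually starts would bring it in line with the `receive` rule on the next line, which is pinned to `lxqt-session`.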
@@ -22,11 +23,39 @@ profile lxqt-config-brightness @{exec_path} { owner /tmp/@{int} r, @{sys}/class/backlight/ r, - @{sys}/devices/@{pci}/**/**/drm/card@{int}/card@{int}-eDP-@{int}/amdgpu_bl@{int}/* rw, - @{sys}/devices/@{pci}/**/drm/card@{int}/card@{int}-eDP-@{int}/intel_backlight/* rw, + @{sys}/devices/@{pci}/*_backlight/{,max_,actual_}brightness rw, + @{sys}/devices/@{pci}/*_backlight/{uevent,type,enabled} r, + @{sys}/devices/@{pci}/backlight/**/{,max_,actual_}brightness rw, + @{sys}/devices/@{pci}/backlight/**/{uevent,type,enabled} r, + @{sys}/devices/@{pci}/backlight/**/brightness rw, /dev/tty rw, + profile pkexec { + include + include + include + + ptrace read peer=aa-notify, + + @{sbin}/apparmor_parser Px, + @{lib}/@{python_name}/site-packages/apparmor/update_profile.py ix, + + /usr/share/apparmor/** r, + /usr/share/terminfo/** r, + + @{etc_ro}/inputrc r, + @{etc_ro}/inputrc.keys r, + + /etc/apparmor.d/ r, + /etc/apparmor.d/** rw, + /etc/apparmor/* r, + + @{PROC}/@{pid}/mounts r, + + include if exists + } + include if exists } From 1f3326fbd9bb377cf52f05720ed7da373e9b4d1d Mon Sep 17 00:00:00 2001 From: Besanon Date: Tue, 12 Aug 2025 23:32:40 +0200 Subject: [PATCH 114/161] Update lxqt-config-input --- apparmor.d/groups/lxqt/lxqt-config-input | 61 ++++++------------------ 1 file changed, 14 insertions(+), 47 deletions(-) diff --git a/apparmor.d/groups/lxqt/lxqt-config-input b/apparmor.d/groups/lxqt/lxqt-config-input index 6f8a6651c..4d4170328 100644 --- a/apparmor.d/groups/lxqt/lxqt-config-input +++ b/apparmor.d/groups/lxqt/lxqt-config-input 
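Review bot: The new `pkexec` child profile grants `/etc/apparmor.d/** rw`, `@{sbin}/apparmor_parser Px`, an `update_profile.py ix` rule and `ptrace read peer=aa-notify`, none of which relate to changing display brightness; they look carried over from another profile's pkexec child. Because this child is what runs after privilege elevation, write access to the policy directory is far more than a brightness dialog should hand over. I would reduce the child to what pkexec itself needs plus a `Px` transition to the backlight backend (its profile, `lxqt-backlight_backend`, is part of this series; confirm the binary path), and drop the apparmor-specific rules. The include targets are not visible in this view, so what they add could not be checked.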
@@ -42,57 +42,24 @@ profile lxqt-config-input @{exec_path} { owner /tmp/@{int} r, - @{run}/udev/data/c@{int}:* r, # Comment 1 - @{run}/udev/data/b@{int}:* r, # Comment 1 - @{run}/udev/data/+sound:card@{int} r, # Comment 1 - @{run}/udev/data/+bluetooth:* r, # Comment 1 - @{run}/udev/data/+platform:* r, # Comment 1 - @{run}/udev/data/+acpi:* r, # Comment 1 - @{run}/udev/data/+i2c:* r, # Comment 1 - @{run}/udev/data/+backlight:* r, # Comment 1 - @{run}/udev/data/+leds:* r, # Comment 1 - @{run}/udev/data/n@{int} r, # Comment 1 - @{run}/udev/data/+input:* r, # Comment 1 - @{run}/udev/data/+dmi:* r, # Comment 1 - @{run}/udev/data/+drm:* r, # Comment 1 - @{run}/udev/data/+pci:* r, # Comment 1 - @{run}/udev/data/+rfkill:* r, # Comment 1 + @{run}/udev/data/c@{int}:* r, # for /dev/input/* + @{run}/udev/data/+sound:card@{int} r, # for Soundcards + @{run}/udev/data/+bluetooth:* r, # For bluetooth adapters, controllers, and active connections. + @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) + @{run}/udev/data/+acpi:* r, # Exposes ACPI objects (power buttons, batteries, thermal) + @{run}/udev/data/+i2c:* r, # For Inter-Integrated Circuit, low-speed peripherals (sensors, EEPROMs, etc.) + @{run}/udev/data/+backlight:* r, # For background light Display + @{run}/udev/data/+leds:* r, # for state of LEDs + @{run}/udev/data/n@{int} r, # For network interface + @{run}/udev/data/+input:* r, # for mouse, keyboard, touchpad + @{run}/udev/data/+dmi:* r, # for motherboard info + @{run}/udev/data/+drm:* r, # For screen outputs + @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) 
+ @{run}/udev/data/+rfkill:* r, # Kill switch for wireless devices (Wi-Fi, Bluetooth, NFC) to save power @{sys}/bus/**/devices/ r, # ALL under /sys/bus/* is asked for read @{sys}/class/**/ r, # ALL but usbmisc under /sys/class is being read @{sys}/devices/**/uevent r, - @{sys}/devices/platform/**/uevent r, - @{sys}/devices/platform/cpu/**/uevent r, - @{sys}/devices/system/machinecheck/**/uevent r, - @{sys}/devices/pnp@{int}/**/uevent r, - @{sys}/devices/system/clockevents/clockevent@{int}/uevent r, - @{sys}/devices/system/cpu/cpu@{int}/uevent r, - @{sys}/devices/system/memory/memory@{int}/uevent r, - @{sys}/devices/virtual/devlink/**/uevent r, - @{sys}/devices/virtual/mem/**/uevent r, - @{sys}/devices/virtual/bdi/@{int}:@{int}/uevent r, - @{sys}/devices/virtual/block/loop@{int}/uevent r, - @{sys}/devices/virtual/input/**/uevent r, - @{sys}/devices/virtual/memory_tiering/memory_tier@{int}/uevent r, - @{sys}/devices/virtual/misc/**/uevent r, - @{sys}/devices/virtual/sound/seq/uevent r, - @{sys}/devices/virtual/sound/timer/uevent r, - @{sys}/devices/virtual/sound/ctl-led/uevent r, - @{sys}/devices/virtual/thermal/thermal_zone@{int}/uevent r, - @{sys}/devices/virtual/thermal/cooling_device@{int}/uevent r, - @{sys}/devices/virtual/tty/**/uevent r, - @{sys}/devices/virtual/vc/vcsu@{int}/uevent r, - @{sys}/devices/virtual/vc/vcsa@{int}/uevent r, - @{sys}/devices/virtual/vc/vcs@{int}/uevent r, - @{sys}/devices/LNXSYSTM:00/PNP*/uevent r, - @{sys}/devices/LNXSYSTM:00/LNXSYBUS:@{rand2}/LNXTHERM:@{rand2}/uevent r, - @{sys}/devices/LNXSYSTM:00/LNXSYBUS:00/PNP*/PNP*/uevent r, - @{sys}/devices/LNXSYSTM:00/LNXSYBUS:00/HPIC*/uevent r, - @{sys}/devices/LNXSYSTM:00/LNXSYBUS:@{rand2}/PNP*/device*/device*/device*/uevent r, - @{sys}/devices/LNXSYSTM:00/LNXSYBUS:@{rand2}/PNP*/device*/device*/device*/device*/uevent r, - @{sys}/devices/LNXSYSTM:00/LNXSYBUS:@{rand2}/AMDI*/**/wakeup@{int}/uevent r, - @{sys}/devices/LNXSYSTM:00/LNXSYBUS:@{rand2}/PNP*/uevent r, - 
@{sys}/devices/LNXSYSTM:00/LNXSYBUS:@{rand2}/PNP*/**/wakeup/wakeup@{int}/uevent r, /dev/tty rw, From 625c5e77135c7d28b97da460e331d6b807df25bd Mon Sep 17 00:00:00 2001 From: Besanon Date: Tue, 12 Aug 2025 23:34:04 +0200 Subject: [PATCH 115/161] Update lxqt-config-monitor --- apparmor.d/groups/lxqt/lxqt-config-monitor | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/apparmor.d/groups/lxqt/lxqt-config-monitor b/apparmor.d/groups/lxqt/lxqt-config-monitor index 380f9483f..68454b3ae 100644 --- a/apparmor.d/groups/lxqt/lxqt-config-monitor +++ b/apparmor.d/groups/lxqt/lxqt-config-monitor @@ -12,6 +12,7 @@ profile lxqt-config-monitor @{exec_path} { include include include + include include include @@ -19,8 +20,6 @@ profile lxqt-config-monitor @{exec_path} { @{exec_path} mr, - /var/cache/fontconfig/{,**} rw, - owner @{user_config_dirs}/autostart/lxqt-config-monitor-autostart.desktop rw, owner @{user_config_dirs}/lxqt/ r, owner @{user_config_dirs}/lxqt/#@{int} rwk, From 0fb0d88d6f10838e925c269faf3f10a7cae1fc56 Mon Sep 17 00:00:00 2001 From: Besanon Date: Tue, 12 Aug 2025 23:35:50 +0200 Subject: [PATCH 116/161] Update lxqt-config-monitor --- apparmor.d/groups/lxqt/lxqt-config-monitor | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/lxqt/lxqt-config-monitor b/apparmor.d/groups/lxqt/lxqt-config-monitor index 68454b3ae..6455a24fb 100644 --- a/apparmor.d/groups/lxqt/lxqt-config-monitor +++ b/apparmor.d/groups/lxqt/lxqt-config-monitor 
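Review bot: The comment on `@{run}/udev/data/c@{int}:* r,` says `# for /dev/input/*`, but the pattern matches the udev record of every character device, so the comment understates what is granted. If only input devices are needed, pin the major number, `@{run}/udev/data/c13:@{int} r, # for /dev/input/*`; otherwise reword the comment to say that all character devices are read. The removed per-path `uevent` rules were already covered by the retained `@{sys}/devices/**/uevent r,`, so that part does not change the policy. The profile body continues outside the hunk.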
@@ -25,7 +25,7 @@ profile lxqt-config-monitor @{exec_path} { owner @{user_config_dirs}/lxqt/#@{int} rwk, owner @{user_config_dirs}/lxqt/lxqt.conf.lock rwk, owner @{user_config_dirs}/lxqt/lxqt.conf.@{rand6} rw, - owner @{user_config_dirs}/lxqt/lxqt.conf.@{rand6} l -> @{user_config_dirs}/lxqt/#*, + owner @{user_config_dirs}/lxqt/lxqt.conf.@{rand6} l -> @{user_config_dirs}/lxqt/#@{int}, owner @{user_config_dirs}/lxqt/lxqt-config-monitor.conf.lock rwk, owner @{user_config_dirs}/lxqt/lxqt-config-monitor.conf.@{rand6} rw, owner @{user_config_dirs}/lxqt/lxqt-config-monitor.conf.@{rand6} l -> @{user_config_dirs}/lxqt/#@{int}, From 8287e30bd7e816ce2ff30b88ea2d61940cdcc45e Mon Sep 17 00:00:00 2001 From: Besanon Date: Tue, 12 Aug 2025 23:39:11 +0200 Subject: [PATCH 117/161] Update lxqt-config-session --- apparmor.d/groups/lxqt/lxqt-config-session | 1 - 1 file changed, 1 deletion(-) diff --git a/apparmor.d/groups/lxqt/lxqt-config-session b/apparmor.d/groups/lxqt/lxqt-config-session index 3bbbcef58..41b66bf14 100644 --- a/apparmor.d/groups/lxqt/lxqt-config-session +++ b/apparmor.d/groups/lxqt/lxqt-config-session @@ -35,7 +35,6 @@ profile lxqt-config-session @{exec_path} { owner @{user_config_dirs}/QtProject.conf.@{rand6} rwkl, owner @{user_config_dirs}/QtProject.conf.lock rwk, owner @{user_config_dirs}/autostart/*.desktop rw, - owner @{user_config_dirs}/autostart/lxqt-config-monitor-autostart.desktop r, owner @{user_config_dirs}/lxqt/ r, owner @{user_config_dirs}/lxqt/#@{int} rwk, owner @{user_config_dirs}/lxqt/lxqt.conf.lock rwk, From 0b0486017888100bd977525922c10636d4723cfd Mon Sep 17 00:00:00 2001 From: Besanon Date: Tue, 12 Aug 2025 23:41:49 +0200 Subject: [PATCH 118/161] Update lxqt-notificationd --- apparmor.d/groups/lxqt/lxqt-notificationd | 23 +++-------------------- 1 file changed, 3 insertions(+), 20 deletions(-) diff --git a/apparmor.d/groups/lxqt/lxqt-notificationd b/apparmor.d/groups/lxqt/lxqt-notificationd index 0669b8c86..c204940a5 100644 
--- a/apparmor.d/groups/lxqt/lxqt-notificationd +++ b/apparmor.d/groups/lxqt/lxqt-notificationd @@ -10,26 +10,13 @@ include @{exec_path} = @{bin}/lxqt-notificationd profile lxqt-notificationd @{exec_path} { include + include include include include - dbus receive - bus=session - path="/org/freedesktop/Notifications" - interface="org.freedesktop.DBus.Introspectable" - peer=(name=":[0-9]*.[0-9]*"), - dbus send - bus=session - path="/org/freedesktop/Notifications" - interface="org.freedesktop.Notifications" - peer=(name="org.freedesktop.DBus"), - dbus receive - bus=session - path="/org/freedesktop/Notifications" - interface="org.freedesktop.Notifications" - peer=(name=":[0-9]*.[0-9]*"), - + #aa:dbus own bus=session name=org.freedesktop.Notifications + @{exec_path} mr, @{bin}/lxqt-config-notificationd rPx, @@ -45,10 +32,6 @@ profile lxqt-notificationd @{exec_path} { owner /tmp/@{int} r, - /dev/tty rw, - /dev/tty@{int} rw, - owner /dev/tty@{int} rw, - include if exists } From 7e167aa216907fe264d7d4d7d28b47b8f6eccfe4 Mon Sep 17 00:00:00 2001 From: Besanon Date: Tue, 12 Aug 2025 23:44:42 +0200 Subject: [PATCH 119/161] Update lxqt-policykit-agent --- apparmor.d/groups/lxqt/lxqt-policykit-agent | 3 --- 1 file changed, 3 deletions(-) diff --git a/apparmor.d/groups/lxqt/lxqt-policykit-agent b/apparmor.d/groups/lxqt/lxqt-policykit-agent index 32e678644..867edcd5b 100644 --- a/apparmor.d/groups/lxqt/lxqt-policykit-agent +++ b/apparmor.d/groups/lxqt/lxqt-policykit-agent @@ -14,7 +14,6 @@ profile lxqt-policykit-agent @{exec_path} flags=(attach_disconnected) { include include include - include include include include @@ -25,8 +24,6 @@ profile lxqt-policykit-agent @{exec_path} flags=(attach_disconnected) { @{lib}/polkit-[0-9]/polkit-agent-helper-[0-9] rPx, - /usr/share/lxqt/translations/lxqt-policykit-agent/lxqt-policykit-agent_de.qm r, - /etc/machine-id r, /var/lib/dbus/machine-id r, From 157ce50fc2170f0909de6d9b9af69b9b3a4e0f31 Mon Sep 17 00:00:00 2001 
From: Besanon Date: Tue, 12 Aug 2025 23:46:13 +0200 Subject: [PATCH 120/161] Update lxqt --- apparmor.d/abstractions/lxqt | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/abstractions/lxqt b/apparmor.d/abstractions/lxqt index f20c24a32..f4b001774 100644 --- a/apparmor.d/abstractions/lxqt +++ b/apparmor.d/abstractions/lxqt @@ -15,6 +15,7 @@ signal (receive) set=(kill, term) peer=lxqt-session, + /usr/share/desktop-base/{,**} r, /usr/share/hwdata/pnp.ids r, /usr/share/icu/@{int}.@{int}/*.dat r, /usr/share/lxqt/** r, From daa2f92859950cba2eb88f94cd8d2a48fce8b838 Mon Sep 17 00:00:00 2001 From: Besanon Date: Tue, 12 Aug 2025 23:50:45 +0200 Subject: [PATCH 121/161] Update lxqt-config-input --- apparmor.d/groups/lxqt/lxqt-config-input | 26 ++++++++++++------------ 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/apparmor.d/groups/lxqt/lxqt-config-input b/apparmor.d/groups/lxqt/lxqt-config-input index 4d4170328..3b4afff51 100644 --- a/apparmor.d/groups/lxqt/lxqt-config-input +++ b/apparmor.d/groups/lxqt/lxqt-config-input 
@@ -42,20 +42,20 @@ profile lxqt-config-input @{exec_path} { owner /tmp/@{int} r, - @{run}/udev/data/c@{int}:* r, # for /dev/input/* + @{run}/udev/data/c@{int}:* r, # for /dev/input/* @{run}/udev/data/+sound:card@{int} r, # for Soundcards - @{run}/udev/data/+bluetooth:* r, # For bluetooth adapters, controllers, and active connections. - @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) - @{run}/udev/data/+acpi:* r, # Exposes ACPI objects (power buttons, batteries, thermal) - @{run}/udev/data/+i2c:* r, # For Inter-Integrated Circuit, low-speed peripherals (sensors, EEPROMs, etc.) - @{run}/udev/data/+backlight:* r, # For background light Display - @{run}/udev/data/+leds:* r, # for state of LEDs - @{run}/udev/data/n@{int} r, # For network interface - @{run}/udev/data/+input:* r, # for mouse, keyboard, touchpad - @{run}/udev/data/+dmi:* r, # for motherboard info - @{run}/udev/data/+drm:* r, # For screen outputs - @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) - @{run}/udev/data/+rfkill:* r, # Kill switch for wireless devices (Wi-Fi, Bluetooth, NFC) to save power + @{run}/udev/data/+bluetooth:* r, # For bluetooth adapters, controllers, and active connections. + @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) + @{run}/udev/data/+acpi:* r, # Exposes ACPI objects (power buttons, batteries, thermal) + @{run}/udev/data/+i2c:* r, # For Inter-Integrated Circuit, low-speed peripherals (sensors, EEPROMs, etc.) 
+ @{run}/udev/data/+backlight:* r, # For background light Display + @{run}/udev/data/+leds:* r, # for state of LEDs + @{run}/udev/data/n@{int} r, # For network interface + @{run}/udev/data/+input:* r, # for mouse, keyboard, touchpad + @{run}/udev/data/+dmi:* r, # for motherboard info + @{run}/udev/data/+drm:* r, # For screen outputs + @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) + @{run}/udev/data/+rfkill:* r, # Kill switch for wireless devices (Wi-Fi, Bluetooth, NFC) to save power @{sys}/bus/**/devices/ r, # ALL under /sys/bus/* is asked for read @{sys}/class/**/ r, # ALL but usbmisc under /sys/class is being read From 8519ae8012759b8ce5d07534a9d72ed1c39f4a2f Mon Sep 17 00:00:00 2001 From: Besanon Date: Tue, 12 Aug 2025 23:51:09 +0200 Subject: [PATCH 122/161] Update lxqt-config-brightness --- apparmor.d/groups/lxqt/lxqt-config-brightness | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/lxqt/lxqt-config-brightness b/apparmor.d/groups/lxqt/lxqt-config-brightness index f0627643f..9d8db96c3 100644 --- a/apparmor.d/groups/lxqt/lxqt-config-brightness +++ b/apparmor.d/groups/lxqt/lxqt-config-brightness @@ -24,7 +24,7 @@ profile lxqt-config-brightness @{exec_path} { @{sys}/class/backlight/ r, @{sys}/devices/@{pci}/*_backlight/{,max_,actual_}brightness rw, - @{sys}/devices/@{pci}/*_backlight/{uevent,type,enabled} r, + @{sys}/devices/@{pci}/*_backlight/{uevent,type,enabled} r, @{sys}/devices/@{pci}/backlight/**/{,max_,actual_}brightness rw, @{sys}/devices/@{pci}/backlight/**/{uevent,type,enabled} r, @{sys}/devices/@{pci}/backlight/**/brightness rw, From 1e8dab4ba600fc24b761d33d43960a493253af14 Mon Sep 17 00:00:00 2001 From: Besanon Date: Tue, 12 Aug 2025 23:51:48 +0200 Subject: [PATCH 123/161] Update lxqt-config-notificationd From d5efe6896772fc030d15bac2e4773a0fcd7f7ae1 Mon Sep 17 00:00:00 2001 
From: Besanon Date: Tue, 12 Aug 2025 23:52:11 +0200 Subject: [PATCH 124/161] Update lxqt-config-monitor --- apparmor.d/groups/lxqt/lxqt-config-monitor | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/lxqt/lxqt-config-monitor b/apparmor.d/groups/lxqt/lxqt-config-monitor index 6455a24fb..6dbf7e24f 100644 --- a/apparmor.d/groups/lxqt/lxqt-config-monitor +++ b/apparmor.d/groups/lxqt/lxqt-config-monitor @@ -12,7 +12,7 @@ profile lxqt-config-monitor @{exec_path} { include include include - include + include include include From 12249a115a0337850efe36196625f957e70ca8c9 Mon Sep 17 00:00:00 2001 From: Besanon Date: Tue, 12 Aug 2025 23:53:39 +0200 Subject: [PATCH 125/161] Update pcmanfm-qt --- apparmor.d/groups/lxqt/pcmanfm-qt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/lxqt/pcmanfm-qt b/apparmor.d/groups/lxqt/pcmanfm-qt index 0b1a168ff..3acccd0a6 100644 --- a/apparmor.d/groups/lxqt/pcmanfm-qt +++ b/apparmor.d/groups/lxqt/pcmanfm-qt @@ -35,7 +35,7 @@ profile pcmanfm-qt @{exec_path} { @{exec_path} mr, @{lib}/menu-cache/menu-cached rPx, - @{lib}exec/menu-cache/menu-cache-gen rix, + @{lib}/exec/menu-cache/menu-cache-gen rix, owner @{user_cache_dirs}/pcmanfm-qt/** r, owner @{user_config_dirs}/pcmanfm-qt/lxqt/ r, From aca75e13def852553e2638633a5f458357dbeaf8 Mon Sep 17 00:00:00 2001 From: Besanon Date: Tue, 12 Aug 2025 23:55:36 +0200 Subject: [PATCH 126/161] Update pcmanfm-qt --- apparmor.d/groups/lxqt/pcmanfm-qt | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/apparmor.d/groups/lxqt/pcmanfm-qt b/apparmor.d/groups/lxqt/pcmanfm-qt index 3acccd0a6..5b0c02c52 100644 --- a/apparmor.d/groups/lxqt/pcmanfm-qt +++ b/apparmor.d/groups/lxqt/pcmanfm-qt 
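Review bot: In the pcmanfm-qt hunk, `@{lib}/exec/menu-cache/menu-cache-gen rix,` does not match the same paths as the previous `@{lib}exec/...` spelling: the old form appended `exec` to the library directory name, while the new one adds a separate `exec/` directory beneath it. If the target is the libexec location and `@{lib}` already expands to it (its definition is not visible here, but the `menu-cached` rule on the line above relies on plain `@{lib}/menu-cache/`), the rule should be `@{lib}/menu-cache/menu-cache-gen rix,`. As written, the helper may be denied at runtime, which is worth checking against the installed path.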
@@ -55,7 +55,7 @@ profile pcmanfm-qt @{exec_path} { @{sys}/devices/system/node/ r, @{sys}/devices/system/node/node@{int}/meminfo r, @{sys}/fs/cgroup/{,**} r, - + owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/fd/ r, @@ -65,9 +65,9 @@ profile pcmanfm-qt @{exec_path} { # permission only for the owner. Also, dirs like /dev/, /efi/, /proc/, /sys/ are not included in # the list. / r, - /boot/ r, - /boot/** r, - owner /boot/** rw, + @{efi}/ r, + @{efi}/** r, + owner @{efi}/** rw, /etc/ r, /etc/** r, owner /etc/** rw, From ffd649a0e36743984de3f2f91121a32d13f32604 Mon Sep 17 00:00:00 2001 From: Besanon Date: Wed, 13 Aug 2025 00:00:21 +0200 Subject: [PATCH 127/161] Update lxqt-notificationd --- apparmor.d/groups/lxqt/lxqt-notificationd | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/lxqt/lxqt-notificationd b/apparmor.d/groups/lxqt/lxqt-notificationd index c204940a5..c42242aa4 100644 --- a/apparmor.d/groups/lxqt/lxqt-notificationd +++ b/apparmor.d/groups/lxqt/lxqt-notificationd @@ -16,7 +16,7 @@ profile lxqt-notificationd @{exec_path} { include #aa:dbus own bus=session name=org.freedesktop.Notifications - + @{exec_path} mr, @{bin}/lxqt-config-notificationd rPx, From 96b28a4fc3e7794fbeaa5f53ec685abb416ee14f Mon Sep 17 00:00:00 2001 From: Besanon Date: Wed, 13 Aug 2025 00:01:18 +0200 Subject: [PATCH 128/161] Update lxqt-config-input --- apparmor.d/groups/lxqt/lxqt-config-input | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/lxqt/lxqt-config-input b/apparmor.d/groups/lxqt/lxqt-config-input index 3b4afff51..a7605f326 100644 --- a/apparmor.d/groups/lxqt/lxqt-config-input +++ b/apparmor.d/groups/lxqt/lxqt-config-input 
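Review bot: In the second hunk, the comment kept as context still lists `/efi/` among the directories that are not included, while the hunk now adds `@{efi}/ r`, `@{efi}/** r` and `owner @{efi}/** rw`. The comment should be updated, for example to `# the list. Dirs like /dev/, /proc/, /sys/ are not included.`, or the `@{efi}` rules reduced to read-only if write access to the EFI partition is not intended for a file manager. Whether `/boot/` is still covered depends on how `@{efi}` expands, which is not visible here; if it is not, browsing `/boot` will now be denied.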
@@ -44,7 +44,7 @@ profile lxqt-config-input @{exec_path} { @{run}/udev/data/c@{int}:* r, # for /dev/input/* @{run}/udev/data/+sound:card@{int} r, # for Soundcards - @{run}/udev/data/+bluetooth:* r, # For bluetooth adapters, controllers, and active connections. + @{run}/udev/data/+bluetooth:* r, # For bluetooth adapters, controllers, and active connections. @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) @{run}/udev/data/+acpi:* r, # Exposes ACPI objects (power buttons, batteries, thermal) @{run}/udev/data/+i2c:* r, # For Inter-Integrated Circuit, low-speed peripherals (sensors, EEPROMs, etc.) From 47c7f0c160ea56266a68bf64acfd5df782bf8b63 Mon Sep 17 00:00:00 2001 From: Besanon Date: Wed, 13 Aug 2025 00:03:27 +0200 Subject: [PATCH 129/161] Update lxqt --- apparmor.d/abstractions/lxqt | 2 ++ 1 file changed, 2 insertions(+) diff --git a/apparmor.d/abstractions/lxqt b/apparmor.d/abstractions/lxqt index f4b001774..c242c78df 100644 --- a/apparmor.d/abstractions/lxqt +++ b/apparmor.d/abstractions/lxqt @@ -15,6 +15,8 @@ signal (receive) set=(kill, term) peer=lxqt-session, + ptrace read peer=lxqt-session, + /usr/share/desktop-base/{,**} r, /usr/share/hwdata/pnp.ids r, /usr/share/icu/@{int}.@{int}/*.dat r, From b12e94d58a309824fcaf39bba1509e046616cdb7 Mon Sep 17 00:00:00 2001 From: Besanon Date: Wed, 13 Aug 2025 00:05:13 +0200 Subject: [PATCH 130/161] Update lxqt-session --- apparmor.d/groups/lxqt/lxqt-session | 3 +++ 1 file changed, 3 insertions(+) diff --git a/apparmor.d/groups/lxqt/lxqt-session b/apparmor.d/groups/lxqt/lxqt-session index c5760e20e..732ebd5cc 100644 --- a/apparmor.d/groups/lxqt/lxqt-session +++ b/apparmor.d/groups/lxqt/lxqt-session 
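Review bot: `ptrace read peer=lxqt-session,` is added to the shared `abstractions/lxqt` file, so every profile that includes the abstraction gains read-ptrace access to the session manager, not only the component whose denial prompted the rule. Read-level ptrace access is what gates a peer's sensitive /proc entries, so it is better granted per profile than group-wide. Consider moving the rule into the specific profiles that need it, or at least document the reason above it, e.g. `# <component> inspects lxqt-session via /proc, seen in audit log`.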
@@ -61,6 +61,9 @@ profile lxqt-session @{exec_path} flags=(attach_disconnected) { owner @{user_config_dirs}/autostart/ r, owner @{user_config_dirs}/autostart/*.desktop r, + owner @{user_config_dirs}/lxqt/#@{int} rw, + owner @{user_config_dirs}/lxqt/session.conf.lock rwk, + owner @{user_config_dirs}/lxqt/session.conf.@{rand6} rwl -> @{user_config_dirs}/lxqt/#@{int}, owner @{user_cache_dirs}/openbox/ rw, owner @{user_cache_dirs}/openbox/sessions/ rw, owner @{user_cache_dirs}/openbox/openbox.log rwk, From 9c959ade915f0679807adb1e624c0000f7e9f3a5 Mon Sep 17 00:00:00 2001 From: Besanon Date: Wed, 13 Aug 2025 00:09:19 +0200 Subject: [PATCH 131/161] Update lxqt-panel --- apparmor.d/groups/lxqt/lxqt-panel | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/groups/lxqt/lxqt-panel b/apparmor.d/groups/lxqt/lxqt-panel index f817be69d..acf1cbabc 100644 --- a/apparmor.d/groups/lxqt/lxqt-panel +++ b/apparmor.d/groups/lxqt/lxqt-panel @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/lxqt-panel profile lxqt-panel @{exec_path} { + include include include include From 7b8f70f76786debf1344de4b8f3d7d6f201a543d Mon Sep 17 00:00:00 2001 From: Besanon Date: Fri, 15 Aug 2025 08:30:41 +0200 Subject: [PATCH 132/161] Update programs --- apparmor.d/tunables/multiarch.d/programs | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/apparmor.d/tunables/multiarch.d/programs b/apparmor.d/tunables/multiarch.d/programs index a7cbaf831..00a66ad99 100644 --- a/apparmor.d/tunables/multiarch.d/programs +++ b/apparmor.d/tunables/multiarch.d/programs @@ -70,7 +70,7 @@ @{emails_names} = evolution geary # File explorers -@{file_explorers_names} = dolphin nautilus thunar +@{file_explorers_names} = dolphin nautilus thunar pcmanfm-qt # Text editors @{text_editors_names} = code gedit mousepad gnome-text-editor zeditor zedit zed-cli 
@@ -91,7 +91,7 @@ @{help_names} = yelp # Terminal emulator -@{terminal_names} = kgx terminator konsole ptyxis +@{terminal_names} = kgx terminator konsole ptyxis qterminal # Backup @{backup_names} = deja-dup borg From f0a707364f810b9670146a01adec855885f09e80 Mon Sep 17 00:00:00 2001 From: Besanon Date: Fri, 15 Aug 2025 08:38:34 +0200 Subject: [PATCH 133/161] Create qterminal --- apparmor.d/groups/lxqt/qterminal | 72 ++++++++++++++++++++++++++++++++ 1 file changed, 72 insertions(+) create mode 100644 apparmor.d/groups/lxqt/qterminal diff --git a/apparmor.d/groups/lxqt/qterminal b/apparmor.d/groups/lxqt/qterminal new file mode 100644 index 000000000..5ca0cc544 --- /dev/null +++ b/apparmor.d/groups/lxqt/qterminal 
@@ -0,0 +1,72 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Jeroen Rijken +# Copyright (C) 2024 Alexandre Pujol +# Copyright (C) 2024 Besanon +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/qterminal +profile qterminal @{exec_path} { + include + include + include + include + include + include + include + include + + ptrace (read), + + signal (send) set=(hup), + signal (send) set=(kill) peer=htop, + + #aa:dbus own bus=session name=org.QTerminal-@{int} + + @{exec_path} mr, + @{bin}/@{shells} rUx, + @{browsers_path} rPx, + @{bin}/htop rPx, + @{bin}/dbus-launch rPx, + @{open_path} rPx -> child-open-help, + + #aa:exec utempter + + /usr/share/color-schemes/{,**} r, + /usr/share/kf6/{,**} r, + /usr/share/qterminal/{,**} r, + /usr/share/sounds/** r, + /usr/share/lxqt/lxqt.conf r, + /usr/share/qtermwidget6/{,**} r, + /etc/xdg/ui/ui_standards.rc r, + + /{,var/}run/systemd/notify w, + /var/cache/fontconfig/ rw, + + owner @{HOME}/@{XDG_SSH_DIR}/config r, + @{HOME}/.Xdefaults r, + + owner @{user_cache_dirs}/icon-cache.kcache rw, + owner @{user_config_dirs}/lxqt/lxqt.conf r, + owner @{user_config_dirs}/qterminal.org/** rw, + owner @{user_config_dirs}/qterminal.org/#@{int} rwk, + owner @{user_config_dirs}/qterminal.org/qterminal.ini.lock rwk, + owner @{user_config_dirs}/qterminal.org/qterminal.ini.@{rand6} rwk, + owner @{user_config_dirs}/qterminal.org/qterminal.ini.@{rand6} l -> @{user_config_dirs}/qterminal.org/#@{int}, + + owner /tmp/#@{int} rw, + owner /tmp/konsole.@{rand6} rw, + owner /tmp/xauth_@{rand6} rw, + + @{PROC}/sys/kernel/core_pattern r, + owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/stat r, + owner @{PROC}/@{pid}/fd/ r, + + include if exists +} + +# vim:syntax=apparmor From 03275ff5c75cafa2cbd1c98b6be6e4940a523793 Mon Sep 17 00:00:00 2001 
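Review bot: `@{HOME}/.Xdefaults r,` is the only home-directory rule in the new qterminal profile without the `owner` qualifier, so it matches that file in any user's home; the line above it and the same rule in `abstractions/lxqt` both carry it, so this should read `owner @{HOME}/.Xdefaults r,`. Separately, `ptrace (read),` and `signal (send) set=(hup),` have no `peer=` restriction, while the neighbouring kill rule is scoped to `peer=htop`. If the audit log shows only the terminal's own children as peers, scope these two rules the same way, otherwise add a comment saying why they are open. `/var/cache/fontconfig/ rw,` grants write on a system cache directory to a per-user program and deserves the same check.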
From: Besanon Date: Fri, 15 Aug 2025 09:44:56 +0200 Subject: [PATCH 134/161] Update pcmanfm-qt --- apparmor.d/groups/lxqt/pcmanfm-qt | 82 ++++++++++--------------------- 1 file changed, 26 insertions(+), 56 deletions(-) diff --git a/apparmor.d/groups/lxqt/pcmanfm-qt b/apparmor.d/groups/lxqt/pcmanfm-qt index 5b0c02c52..1e5e78f7d 100644 --- a/apparmor.d/groups/lxqt/pcmanfm-qt +++ b/apparmor.d/groups/lxqt/pcmanfm-qt @@ -10,13 +10,11 @@ include @{exec_path} = @{bin}/pcmanfm-qt profile pcmanfm-qt @{exec_path} { include - include include include include include include - include include include include 
@@ -29,26 +27,32 @@ profile pcmanfm-qt @{exec_path} { network netlink raw, - #aa:dbus own bus=session name=org.pcmanfm.PCManFM #aa:exec kioworker @{exec_path} mr, - @{lib}/menu-cache/menu-cached rPx, + @{lib}/menu-cache/menu-cached rix, @{lib}/exec/menu-cache/menu-cache-gen rix, - owner @{user_cache_dirs}/pcmanfm-qt/** r, - owner @{user_config_dirs}/pcmanfm-qt/lxqt/ r, - owner @{user_config_dirs}/pcmanfm-qt/lxqt/recent-files.conf.lock rwk, - owner @{user_config_dirs}/pcmanfm-qt/lxqt/desktop-items-0.conf.@{rand6} l -> @{user_config_dirs}/pcmanfm-qt/lxqt/#@{int}, - owner @{user_config_dirs}/pcmanfm-qt/lxqt/dir-settings.conf~ l -> @{user_config_dirs}/pcmanfm-qt/lxqt/dir-settings.conf, - owner @{user_config_dirs}/pcmanfm-qt/lxqt/desktop-items-eDP-@{int}.conf.lock rwk, - owner @{user_config_dirs}/pcmanfm-qt/lxqt/settings.conf.lock rwk, - owner @{user_config_dirs}/pcmanfm-qt/lxqt/settings.conf.@{rand6} l -> @{user_config_dirs}/pcmanfm-qt/lxqt/#@{int}, - owner @{user_config_dirs}/pcmanfm-qt/lxqt/desktop-items-0.conf.lock rwk, - owner @{user_config_dirs}/pcmanfm-qt/lxqt/desktop-items-eDP-@{int}.conf l -> @{user_config_dirs}/pcmanfm-qt/lxqt/#@{int}, - owner @{user_config_dirs}/pcmanfm-qt/lxqt/recent-files.conf.@{rand6} l -> @{user_config_dirs}/pcmanfm-qt/lxqt/#@{int}, - owner @{user_config_dirs}/pcmanfm-qt/lxqt/settings.conf.lock.* rwk, + #aa:lint ignore=too-wide + # Full access to user's data + / r, + /*/ r, + @{bin}/ r, + @{lib}/ r, + @{MOUNTDIRS}/ r, + @{MOUNTS}/ r, + @{MOUNTS}/** rw, + owner @{HOME}/ r, + owner @{HOME}/** rw, + owner @{run}/user/@{uid}/ r, + owner @{run}/user/@{uid}/** rw, + owner @{tmp}/ r, + owner @{tmp}/** rw, + + owner @{user_cache_dirs}/pcmanfm-qt/{,**} rw, + owner @{user_config_dirs}/pcmanfm-qt/ rw, + owner @{user_config_dirs}/pcmanfm-qt/** rwlk -> @{user_config_dirs}/pcmanfm-qt/**, @{sys}/bus/ r, @{sys}/class/ r, 
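Review bot: Changing `@{lib}/menu-cache/menu-cached rPx,` to `rix` makes the menu-cache daemon inherit the file manager's profile, which this same hunk widens to `owner @{HOME}/** rw,` and `@{MOUNTS}/** rw,`. With `Px` the daemon ran under a profile of its own; with `ix` a helper that only needs the menu cache gets write access to all user data and mounted media. Unless a dedicated menu-cached profile is missing (not visible here), keep `rPx`, or confine it in a small child profile with `rCx`. Note also that `@{MOUNTS}/** rw,` no longer has the `owner` restriction that the old `owner @{MOUNTS}/** rw,` rule (removed in the next hunk) applied to writes.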
@@ -61,46 +65,12 @@ profile pcmanfm-qt @{exec_path} { owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/cgroup r, - # To read/write files in the system. The read permission is granted for all files, the write - # permission only for the owner. Also, dirs like /dev/, /efi/, /proc/, /sys/ are not included in - # the list. - / r, - @{efi}/ r, - @{efi}/** r, - owner @{efi}/** rw, - /etc/ r, - /etc/** r, - owner /etc/** rw, - /home/ r, - /home/** r, - /home/** rw, - /lost+found/ r, - /lost+found/** r, - owner /lost+found/** rw, - @{MOUNTS}/ r, - @{MOUNTS}/** r, - owner @{MOUNTS}/** rw, - /opt/ r, - /opt/** r, - owner /opt/** rw, - /root/ r, - /root/** r, - owner /root/** rw, - @{run}/ r, - @{run}/** r, - owner @{run}/** rw, - /srv/ r, - /srv/** r, - owner /srv/** rw, - /tmp/ r, - /tmp/** r, - owner /tmp/** rw, - /usr/ r, - /usr/** r, - owner /usr/** rw, - /var/ r, - /var/** r, - owner /var/** rw, + # Silence non user's data + deny @{efi}/{,**} r, + deny /opt/{,**} r, + deny /root/{,**} r, + deny /tmp/.* rw, + deny /tmp/.*/{,**} rw, /dev/tty r, From 86b1eb979dd8a343ce78aa03efb237daa52173c0 Mon Sep 17 00:00:00 2001 From: Besanon Date: Fri, 15 Aug 2025 09:53:06 +0200 Subject: [PATCH 135/161] Update lxqt-config-notificationd --- apparmor.d/groups/lxqt/lxqt-config-notificationd | 2 ++ 1 file changed, 2 insertions(+) diff --git a/apparmor.d/groups/lxqt/lxqt-config-notificationd b/apparmor.d/groups/lxqt/lxqt-config-notificationd index 63b2eb673..771b2cf44 100644 --- a/apparmor.d/groups/lxqt/lxqt-config-notificationd +++ b/apparmor.d/groups/lxqt/lxqt-config-notificationd @@ -10,6 +10,8 @@ include @{exec_path} = @{bin}/lxqt-config-notificationd profile lxqt-config-notificationd @{exec_path} { include + include + include include include From e6833a8ed957b1c4dc11278b751b08f87d52d8cd Mon Sep 17 00:00:00 2001 
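Review bot: The new `deny` block in the pcmanfm-qt hunk needs a comment on its side effects: an AppArmor `deny` rule takes precedence over any allow rule and is not logged, so accesses to `@{efi}`, `/opt`, `/root` and hidden `/tmp` entries disappear from the audit log and a site-local include cannot re-allow them. `deny /tmp/.* rw,` and `deny /tmp/.*/{,**} rw,` also override `owner @{tmp}/** rw,` from the previous hunk for the user's own dot-files, assuming `@{tmp}` covers `/tmp`, and may catch hidden `/tmp` paths that the included abstractions rely on (those are not visible here). I would extend the comment to `# Silence non user's data (deny is unlogged and overrides the allow rules above)`.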
From: Besanon Date: Fri, 15 Aug 2025 09:54:25 +0200 Subject: [PATCH 136/161] Update lxqt-panel --- apparmor.d/groups/lxqt/lxqt-panel | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/lxqt/lxqt-panel b/apparmor.d/groups/lxqt/lxqt-panel index acf1cbabc..adf2e6a32 100644 --- a/apparmor.d/groups/lxqt/lxqt-panel +++ b/apparmor.d/groups/lxqt/lxqt-panel @@ -9,8 +9,8 @@ include @{exec_path} = @{bin}/lxqt-panel profile lxqt-panel @{exec_path} { - include include + include include include include From 2ffd0c31b39249f49b32974abab893d8f77a2005 Mon Sep 17 00:00:00 2001 From: Besanon Date: Fri, 15 Aug 2025 09:56:58 +0200 Subject: [PATCH 137/161] Update qterminal --- apparmor.d/groups/lxqt/qterminal | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/lxqt/qterminal b/apparmor.d/groups/lxqt/qterminal index 5ca0cc544..aa13e6625 100644 --- a/apparmor.d/groups/lxqt/qterminal +++ b/apparmor.d/groups/lxqt/qterminal @@ -51,7 +51,7 @@ profile qterminal @{exec_path} { owner @{user_cache_dirs}/icon-cache.kcache rw, owner @{user_config_dirs}/lxqt/lxqt.conf r, - owner @{user_config_dirs}/qterminal.org/** rw, + owner @{user_config_dirs}/qterminal.org/{,**} rw, owner @{user_config_dirs}/qterminal.org/#@{int} rwk, owner @{user_config_dirs}/qterminal.org/qterminal.ini.lock rwk, owner @{user_config_dirs}/qterminal.org/qterminal.ini.@{rand6} rwk, From 2743d6021318b518aa9b38ac24ee27e67fd8cf37 Mon Sep 17 00:00:00 2001 From: Besanon Date: Fri, 15 Aug 2025 09:59:46 +0200 Subject: [PATCH 138/161] Update pcmanfm-qt --- apparmor.d/groups/lxqt/pcmanfm-qt | 42 +++++++++++++++---------------- 1 file changed, 21 insertions(+), 21 deletions(-) diff --git a/apparmor.d/groups/lxqt/pcmanfm-qt b/apparmor.d/groups/lxqt/pcmanfm-qt index 1e5e78f7d..39e5d5980 100644 --- a/apparmor.d/groups/lxqt/pcmanfm-qt +++ b/apparmor.d/groups/lxqt/pcmanfm-qt 
@@ -34,21 +34,21 @@ profile pcmanfm-qt @{exec_path} { @{lib}/menu-cache/menu-cached rix, @{lib}/exec/menu-cache/menu-cache-gen rix, - #aa:lint ignore=too-wide - # Full access to user's data - / r, - /*/ r, - @{bin}/ r, - @{lib}/ r, - @{MOUNTDIRS}/ r, - @{MOUNTS}/ r, - @{MOUNTS}/** rw, - owner @{HOME}/ r, - owner @{HOME}/** rw, - owner @{run}/user/@{uid}/ r, - owner @{run}/user/@{uid}/** rw, - owner @{tmp}/ r, - owner @{tmp}/** rw, + #aa:lint ignore=too-wide + # Full access to user's data + / r, + /*/ r, + @{bin}/ r, + @{lib}/ r, + @{MOUNTDIRS}/ r, + @{MOUNTS}/ r, + @{MOUNTS}/** rw, + owner @{HOME}/ r, + owner @{HOME}/** rw, + owner @{run}/user/@{uid}/ r, + owner @{run}/user/@{uid}/** rw, + owner @{tmp}/ r, + owner @{tmp}/** rw, owner @{user_cache_dirs}/pcmanfm-qt/{,**} rw, owner @{user_config_dirs}/pcmanfm-qt/ rw, @@ -65,12 +65,12 @@ profile pcmanfm-qt @{exec_path} { owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/cgroup r, - # Silence non user's data - deny @{efi}/{,**} r, - deny /opt/{,**} r, - deny /root/{,**} r, - deny /tmp/.* rw, - deny /tmp/.*/{,**} rw, + # Silence non user's data + deny @{efi}/{,**} r, + deny /opt/{,**} r, + deny /root/{,**} r, + deny /tmp/.* rw, + deny /tmp/.*/{,**} rw, /dev/tty r, From 2aa4d19bb4249cf1012aa0996631ef1beb396433 Mon Sep 17 00:00:00 2001 From: Besanon Date: Fri, 15 Aug 2025 10:03:28 +0200 Subject: [PATCH 139/161] Update lxqt-notificationd From 4c77d7ef35487822ebb23de4a76f1893de59b1c2 Mon Sep 17 00:00:00 2001 From: Besanon Date: Fri, 15 Aug 2025 10:09:42 +0200 Subject: [PATCH 140/161] Update lxqt-config-notificationd --- apparmor.d/groups/lxqt/lxqt-config-notificationd | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/lxqt/lxqt-config-notificationd b/apparmor.d/groups/lxqt/lxqt-config-notificationd index 771b2cf44..88244a130 100644 --- a/apparmor.d/groups/lxqt/lxqt-config-notificationd +++ b/apparmor.d/groups/lxqt/lxqt-config-notificationd 
@@ -11,7 +11,7 @@ include profile lxqt-config-notificationd @{exec_path} { include include - include + include include include From 93f3abbee5533e03c322151b342f6957d60c611e Mon Sep 17 00:00:00 2001 From: Besanon Date: Fri, 15 Aug 2025 10:26:33 +0200 Subject: [PATCH 141/161] Update lxqt-config-brightness So far that seems to work without complains. sys-statements required both in subprofile and profile --- apparmor.d/groups/lxqt/lxqt-config-brightness | 20 +++++++------------ 1 file changed, 7 insertions(+), 13 deletions(-) diff --git a/apparmor.d/groups/lxqt/lxqt-config-brightness b/apparmor.d/groups/lxqt/lxqt-config-brightness index 9d8db96c3..ef5ef8a03 100644 --- a/apparmor.d/groups/lxqt/lxqt-config-brightness +++ b/apparmor.d/groups/lxqt/lxqt-config-brightness @@ -34,24 +34,18 @@ profile lxqt-config-brightness @{exec_path} { profile pkexec { include include - include - ptrace read peer=aa-notify, - - @{sbin}/apparmor_parser Px, - @{lib}/@{python_name}/site-packages/apparmor/update_profile.py ix, - - /usr/share/apparmor/** r, - /usr/share/terminfo/** r, + @{bin}/@{bin}/lxqt-config-brightness Px, @{etc_ro}/inputrc r, @{etc_ro}/inputrc.keys r, - /etc/apparmor.d/ r, - /etc/apparmor.d/** rw, - /etc/apparmor/* r, - - @{PROC}/@{pid}/mounts r, + @{sys}/class/backlight/ r, + @{sys}/devices/@{pci}/*_backlight/{,max_,actual_}brightness rw, + @{sys}/devices/@{pci}/*_backlight/{uevent,type,enabled} r, + @{sys}/devices/@{pci}/backlight/**/{,max_,actual_}brightness rw, + @{sys}/devices/@{pci}/backlight/**/{uevent,type,enabled} r, + @{sys}/devices/@{pci}/backlight/**/brightness rw, include if exists } From 0979f60ed3454906ec1f13c688ae9fcc40c93448 Mon Sep 17 00:00:00 2001 
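Review bot: In the `pkexec` subprofile of lxqt-config-brightness, `@{bin}/@{bin}/lxqt-config-brightness Px,` repeats the `@{bin}` variable, so the rule describes a path with the bin directory nested inside itself and cannot match the installed binary. The exec that the subprofile is meant to allow will therefore still be denied; the rule should be `@{bin}/lxqt-config-brightness Px,`. The commit message says the backlight `rw` rules are now needed in both the profile and the subprofile, so a one-line comment naming the process that actually writes to sysfs would let a later reviewer remove the duplicate grant.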
From: Besanon Date: Fri, 15 Aug 2025 10:47:55 +0200 Subject: [PATCH 142/161] Update kwin_wayland These 4 modifications are needed to read lxqt configs abstractions/lxqt contains a bit more, i dont think that it is necessary --- apparmor.d/groups/kde/kwin_wayland | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/apparmor.d/groups/kde/kwin_wayland b/apparmor.d/groups/kde/kwin_wayland index afaac3bd0..5e3cc7bf6 100644 --- a/apparmor.d/groups/kde/kwin_wayland +++ b/apparmor.d/groups/kde/kwin_wayland @@ -39,8 +39,10 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) { /usr/share/kservices{5,6}/{,**} r, /usr/share/kservicetypes5/{,*.desktop} r, /usr/share/kwin/{,**} r, + /usr/share/kwin-wayland/{,**} r, /usr/share/libinput-*/{,**} r, /usr/share/libinput/{,**} r, + /usr/share/lxqt/*.conf r, /usr/share/pipewire/client.conf r, /usr/share/plasma/desktoptheme/** r, @@ -49,7 +51,7 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) { /etc/machine-id r, /var/lib/dbus/machine-id r, - + owner /var/lib/sddm/.config/kwinoutputconfig.json rw, / r, owner @{HOME}/ r, @@ -89,6 +91,7 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) { owner @{user_config_dirs}/kwinrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/kwinrulesrc r, owner @{user_config_dirs}/kxkbrc r, + owner @{user_config_dirs}/lxqt/*.conf r, owner @{user_config_dirs}/menus/** r, owner @{user_config_dirs}/plasmarc r, owner @{user_config_dirs}/session/* r, From 9397efb2984d3f53c4314a92fea67a7939fadfae Mon Sep 17 00:00:00 2001 From: Besanon Date: Sat, 16 Aug 2025 09:29:24 +0200 Subject: [PATCH 143/161] Update kreadconfig reflect name changes --- apparmor.d/groups/kde/kreadconfig | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/kde/kreadconfig b/apparmor.d/groups/kde/kreadconfig index 8ad9c4b5b..9ccff7340 100644 --- a/apparmor.d/groups/kde/kreadconfig 
+++ b/apparmor.d/groups/kde/kreadconfig @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/kreadconfig{,5} +@{exec_path} = @{bin}/kreadconfig{5,6} profile kreadconfig @{exec_path} { include include From a08a9f9546034dff62df76d4930a613be33c925a Mon Sep 17 00:00:00 2001 From: Besanon Date: Sat, 16 Aug 2025 09:30:11 +0200 Subject: [PATCH 144/161] Update kbuildsycoca --- apparmor.d/groups/kde/kbuildsycoca | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/kde/kbuildsycoca b/apparmor.d/groups/kde/kbuildsycoca index db3aed9dc..6b0e5971b 100644 --- a/apparmor.d/groups/kde/kbuildsycoca +++ b/apparmor.d/groups/kde/kbuildsycoca @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/kbuildsycoca{,5} +@{exec_path} = @{bin}/kbuildsycoca{5,6} profile kbuildsycoca @{exec_path} flags=(attach_disconnected) { include include From 5548dca26bf5f9769005a83b0f6e7e2716704591 Mon Sep 17 00:00:00 2001 From: Besanon Date: Sat, 16 Aug 2025 10:34:10 +0200 Subject: [PATCH 145/161] Update kwin_wayland after enabling the ksycoca6 --- apparmor.d/groups/kde/kwin_wayland | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/groups/kde/kwin_wayland b/apparmor.d/groups/kde/kwin_wayland index 5e3cc7bf6..92c36f1ad 100644 --- a/apparmor.d/groups/kde/kwin_wayland +++ b/apparmor.d/groups/kde/kwin_wayland @@ -73,6 +73,7 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) { owner @{user_cache_dirs}/ksvg-elements r, owner @{user_cache_dirs}/kwin/ rw, owner @{user_cache_dirs}/kwin/** rwkl -> @{user_cache_dirs}/kwin/**, + owner @{user_cache_dirs}/ksycoca6_de_* rwkl -> @{user_cache_dirs}/#@{int}, owner @{user_cache_dirs}/plasma_theme_*.kcache rw, owner @{user_cache_dirs}/plasma-svgelements rw, owner @{user_cache_dirs}/plasma-svgelements.@{rand6} rwl -> @{user_cache_dirs}/#@{int}, From 978debc6485626e5a777e67adffa2eba7507ead1 Mon Sep 17 00:00:00 2001 
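Review bot: `@{exec_path} = @{bin}/kreadconfig{5,6}` drops the empty alternative, so the profile no longer attaches to an unsuffixed `@{bin}/kreadconfig`. Later patches on this page restore `{,5,6}` for kbuildsycoca and let xdg-settings transition with `@{bin}/kreadconfig{,5,6} Px,`, but this attachment is not updated in the visible patches. A `Px` transition to a binary with no attached profile fails, and the same binary started from an unconfined parent would stay unconfined. Use `@{exec_path} = @{bin}/kreadconfig{,5,6}` to keep the attachment and its callers consistent.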
From: Besanon Date: Sat, 16 Aug 2025 16:44:26 +0200 Subject: [PATCH 146/161] Update xdg-mime --- apparmor.d/groups/freedesktop/xdg-mime | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/freedesktop/xdg-mime b/apparmor.d/groups/freedesktop/xdg-mime index 15b73a2d1..4fb3b8214 100644 --- a/apparmor.d/groups/freedesktop/xdg-mime +++ b/apparmor.d/groups/freedesktop/xdg-mime @@ -46,7 +46,7 @@ profile xdg-mime @{exec_path} flags=(attach_disconnected) { @{bin}/qtxdg-mat ix, @{bin}/dbus-send Cx -> bus, - @{bin}/kbuildsycoca{,5} Px, + @{bin}/kbuildsycoca{5,6} Px, @{bin}/mimetype Px, @{bin}/vendor_perl/mimetype Px, @{bin}/xprop Px, From 666c3489be6e23aa25acf221c8cdf769c3b8d66c Mon Sep 17 00:00:00 2001 From: Besanon Date: Sat, 16 Aug 2025 16:45:52 +0200 Subject: [PATCH 147/161] Update xdg-settings --- apparmor.d/groups/freedesktop/xdg-settings | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/freedesktop/xdg-settings b/apparmor.d/groups/freedesktop/xdg-settings index 870d4cfe4..245d0bf07 100644 --- a/apparmor.d/groups/freedesktop/xdg-settings +++ b/apparmor.d/groups/freedesktop/xdg-settings @@ -42,7 +42,7 @@ profile xdg-settings @{exec_path} { @{bin}/qtxdg-mat ix, @{bin}/dbus-send Cx -> bus, - @{bin}/kreadconfig{,5} Px, + @{bin}/kreadconfig{,5,6} Px, @{bin}/xdg-mime Px, @{bin}/xprop Px, From 6741b5f3c7e33b8f1571447d025431091639dfae Mon Sep 17 00:00:00 2001 From: Besanon Date: Sat, 16 Aug 2025 16:47:17 +0200 Subject: [PATCH 148/161] Update xdg-mime --- apparmor.d/groups/freedesktop/xdg-mime | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/freedesktop/xdg-mime b/apparmor.d/groups/freedesktop/xdg-mime index 4fb3b8214..98ea71502 100644 --- a/apparmor.d/groups/freedesktop/xdg-mime +++ b/apparmor.d/groups/freedesktop/xdg-mime 
@@ -46,7 +46,7 @@ profile xdg-mime @{exec_path} flags=(attach_disconnected) { @{bin}/qtxdg-mat ix, @{bin}/dbus-send Cx -> bus, - @{bin}/kbuildsycoca{5,6} Px, + @{bin}/kbuildsycoca{,5,6} Px, @{bin}/mimetype Px, @{bin}/vendor_perl/mimetype Px, @{bin}/xprop Px, From d303c15a4b18e40133a3c4d98a09f63397b3ecd6 Mon Sep 17 00:00:00 2001 From: Besanon Date: Sat, 16 Aug 2025 16:47:41 +0200 Subject: [PATCH 149/161] Update kbuildsycoca --- apparmor.d/groups/kde/kbuildsycoca | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/kde/kbuildsycoca b/apparmor.d/groups/kde/kbuildsycoca index 6b0e5971b..51f145b51 100644 --- a/apparmor.d/groups/kde/kbuildsycoca +++ b/apparmor.d/groups/kde/kbuildsycoca @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/kbuildsycoca{5,6} +@{exec_path} = @{bin}/kbuildsycoca{,5,6} profile kbuildsycoca @{exec_path} flags=(attach_disconnected) { include include From b48ced58a0e73f6c027f912ea5beefc5a0160618 Mon Sep 17 00:00:00 2001 From: Besanon Date: Sat, 16 Aug 2025 16:52:59 +0200 Subject: [PATCH 150/161] Update kglobalacceld reflecting newer version --- apparmor.d/groups/kde/kglobalacceld | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/kde/kglobalacceld b/apparmor.d/groups/kde/kglobalacceld index 9da19046d..a2d684870 100644 --- a/apparmor.d/groups/kde/kglobalacceld +++ b/apparmor.d/groups/kde/kglobalacceld @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/kglobalaccel5 @{lib}/kglobalacceld +@{exec_path} = @{bin}/kglobalaccel{,5,6} @{lib}/kglobalacceld profile kglobalacceld @{exec_path} { include include From 0ad115d239e868c58977a1d6a344f0da2e8b0dae Mon Sep 17 00:00:00 2001 From: Besanon Date: Sat, 16 Aug 2025 22:47:51 +0200 Subject: [PATCH 151/161] Update pcmanfm-qt some more statements missing --- apparmor.d/groups/lxqt/pcmanfm-qt | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/apparmor.d/groups/lxqt/pcmanfm-qt b/apparmor.d/groups/lxqt/pcmanfm-qt index 39e5d5980..e947180e7 100644 
--- a/apparmor.d/groups/lxqt/pcmanfm-qt +++ b/apparmor.d/groups/lxqt/pcmanfm-qt @@ -50,6 +50,10 @@ profile pcmanfm-qt @{exec_path} { owner @{tmp}/ r, owner @{tmp}/** rw, + /usr/share/libfm-qt6/{,**} r, + /usr/share/pcmanfm-qt/translations/pcmanfm-qt_de.qm r, + /usr/share/thumbnailers/{,**} r, + owner @{user_cache_dirs}/pcmanfm-qt/{,**} rw, owner @{user_config_dirs}/pcmanfm-qt/ rw, owner @{user_config_dirs}/pcmanfm-qt/** rwlk -> @{user_config_dirs}/pcmanfm-qt/**, From 78ba8931fa0767d2b33d18732416b75780b8a92d Mon Sep 17 00:00:00 2001 From: Besanon Date: Sun, 17 Aug 2025 09:48:31 +0200 Subject: [PATCH 152/161] Update kwin_wayland --- apparmor.d/groups/kde/kwin_wayland | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/kde/kwin_wayland b/apparmor.d/groups/kde/kwin_wayland index 92c36f1ad..3aadf2f83 100644 --- a/apparmor.d/groups/kde/kwin_wayland +++ b/apparmor.d/groups/kde/kwin_wayland @@ -73,7 +73,7 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) { owner @{user_cache_dirs}/ksvg-elements r, owner @{user_cache_dirs}/kwin/ rw, owner @{user_cache_dirs}/kwin/** rwkl -> @{user_cache_dirs}/kwin/**, - owner @{user_cache_dirs}/ksycoca6_de_* rwkl -> @{user_cache_dirs}/#@{int}, + owner @{user_cache_dirs}/ksycoca6_de_* rwkl -> @{user_cache_dirs}/#@{int}, owner @{user_cache_dirs}/plasma_theme_*.kcache rw, owner @{user_cache_dirs}/plasma-svgelements rw, owner @{user_cache_dirs}/plasma-svgelements.@{rand6} rwl -> @{user_cache_dirs}/#@{int}, From b3ed8b10a0dcf4e78a4f318e9c8aad0470468896 Mon Sep 17 00:00:00 2001 From: Besanon Date: Fri, 22 Aug 2025 21:17:25 +0200 Subject: [PATCH 153/161] Create xdg-desktop-portal-lxqt --- .../freedesktop/xdg-desktop-portal-lxqt | 39 +++++++++++++++++++ 1 file changed, 39 insertions(+) create mode 100644 apparmor.d/groups/freedesktop/xdg-desktop-portal-lxqt 
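Review bot: `/usr/share/pcmanfm-qt/translations/pcmanfm-qt_de.qm r,` hard-codes the German translation file, so users of any other locale will still hit a denial on their own `.qm` file. The neighbouring rules in this hunk use the `{,**}` form. `/usr/share/pcmanfm-qt/{,**} r,` (or `/usr/share/pcmanfm-qt/translations/*.qm r,`) covers every locale, and because this is read-only package data the wider glob adds no meaningful exposure.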
diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-lxqt b/apparmor.d/groups/freedesktop/xdg-desktop-portal-lxqt new file mode 100644 index 000000000..10bf2538a --- /dev/null +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-lxqt @@ -0,0 +1,39 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023-2024 Alexandre Pujol +# Copyright (C) 2025 Besanon +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/xdg-desktop-portal-lxqt +@{exec_path} += @{lib}/@{multiarch}/{,libexec/}xdg-desktop-portal-lxqt +profile xdg-desktop-portal-lxqt @{exec_path} { + include + include + include + include + include + include + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink raw, + + @{exec_pathxdlx} mr, + + owner @{HOME}/ r, + + owner @{desktop_config_dirs}/user-dirs.dirs r, + + owner @{user_cache_dirs}/xdg-desktop-portal-lxqt/{,**} rw, + + /dev/tty r, + + include if exists +} + +# vim:syntax=apparmor From cd15ded6c75d75434b46db72e5e86ac672d06c1d Mon Sep 17 00:00:00 2001 From: Besanon Date: Fri, 22 Aug 2025 21:29:11 +0200 Subject: [PATCH 154/161] Update xdg-desktop-portal-lxqt From 6ca75a5360b38075f4aca335d3e9104639411f8e Mon Sep 17 00:00:00 2001 From: Besanon Date: Fri, 22 Aug 2025 22:50:40 +0200 Subject: [PATCH 155/161] Update kwin_wayland sddm hangs with curser shown, starts without complain when adding this line pam error still there, maybe an arch related issue --- apparmor.d/groups/kde/kwin_wayland | 2 ++ 1 file changed, 2 insertions(+) diff --git a/apparmor.d/groups/kde/kwin_wayland b/apparmor.d/groups/kde/kwin_wayland index 3aadf2f83..34b03c2c7 100644 --- a/apparmor.d/groups/kde/kwin_wayland +++ b/apparmor.d/groups/kde/kwin_wayland @@ -19,6 +19,8 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) { capability sys_nice, capability sys_ptrace, + network netlink raw, + ptrace (read), signal (receive) set=term peer=sddm, 
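Review bot: The new xdg-desktop-portal-lxqt profile grants `network inet dgram,`, `network inet6 dgram,`, `network inet stream,` and `network inet6 stream,` without a comment saying which portal feature opens IP sockets. A portal backend normally serves its clients over the session bus, so these rules may have been carried over from a template rather than derived from observed denials (an assumption; no logs are on the page). Drop the ones no denial justifies, or annotate those that stay, e.g. `# needed by <feature>, seen in audit log`.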
From 9eaa2b596469d3d017e4bb391a0b5be99cce68ea Mon Sep 17 00:00:00 2001 From: Besanon Date: Sun, 7 Sep 2025 20:53:30 +0200 Subject: [PATCH 156/161] Update kwin_wayland sorry for the german-only assignment --- apparmor.d/groups/kde/kwin_wayland | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/kde/kwin_wayland b/apparmor.d/groups/kde/kwin_wayland index 34b03c2c7..604f4e983 100644 --- a/apparmor.d/groups/kde/kwin_wayland +++ b/apparmor.d/groups/kde/kwin_wayland @@ -75,7 +75,7 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) { owner @{user_cache_dirs}/ksvg-elements r, owner @{user_cache_dirs}/kwin/ rw, owner @{user_cache_dirs}/kwin/** rwkl -> @{user_cache_dirs}/kwin/**, - owner @{user_cache_dirs}/ksycoca6_de_* rwkl -> @{user_cache_dirs}/#@{int}, + owner @{user_cache_dirs}/ksycoca{5,6}_??{_,-}* rwlk -> @{user_cache_dirs}/#@{int}, owner @{user_cache_dirs}/plasma_theme_*.kcache rw, owner @{user_cache_dirs}/plasma-svgelements rw, owner @{user_cache_dirs}/plasma-svgelements.@{rand6} rwl -> @{user_cache_dirs}/#@{int}, From 33fbbf2da467d60e702a42ba522987a1e0e8f641 Mon Sep 17 00:00:00 2001 From: Besanon Date: Sun, 7 Sep 2025 21:00:04 +0200 Subject: [PATCH 157/161] Update pcmanfm-qt add the dbus line again! #aa:dbus own bus=session name=org.pcmanfm.PCManFM --- apparmor.d/groups/lxqt/pcmanfm-qt | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/groups/lxqt/pcmanfm-qt b/apparmor.d/groups/lxqt/pcmanfm-qt index e947180e7..ac3d3ef9a 100644 --- a/apparmor.d/groups/lxqt/pcmanfm-qt +++ b/apparmor.d/groups/lxqt/pcmanfm-qt @@ -28,6 +28,7 @@ profile pcmanfm-qt @{exec_path} { network netlink raw, #aa:exec kioworker + #aa:dbus own bus=session name=org.pcmanfm.PCManFM @{exec_path} mr, From 54c1bd6a7df2006e64251cd4263eae37b1518f1f Mon Sep 17 00:00:00 2001 
From: Besanon Date: Sun, 7 Sep 2025 21:10:14 +0200 Subject: [PATCH 158/161] Update pcmanfm-qt --- apparmor.d/groups/lxqt/pcmanfm-qt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/lxqt/pcmanfm-qt b/apparmor.d/groups/lxqt/pcmanfm-qt index ac3d3ef9a..4622c9982 100644 --- a/apparmor.d/groups/lxqt/pcmanfm-qt +++ b/apparmor.d/groups/lxqt/pcmanfm-qt @@ -22,7 +22,7 @@ profile pcmanfm-qt @{exec_path} { include include - signal (send) set=(term, kill), + signal (send) set=(term, kill),m signal (receive) set=(term, kill) peer=lxqt-session, network netlink raw, From 221740c77826a69bda7cfbb328c697ee5e82f871 Mon Sep 17 00:00:00 2001 From: Besanon Date: Sun, 7 Sep 2025 22:30:59 +0200 Subject: [PATCH 159/161] Update xdg-desktop-portal-lxqt ah this was the issue --- apparmor.d/groups/freedesktop/xdg-desktop-portal-lxqt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-lxqt b/apparmor.d/groups/freedesktop/xdg-desktop-portal-lxqt index 10bf2538a..5705d3795 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-lxqt +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-lxqt @@ -23,7 +23,7 @@ profile xdg-desktop-portal-lxqt @{exec_path} { network inet6 stream, network netlink raw, - @{exec_pathxdlx} mr, + @{exec_path} mr, owner @{HOME}/ r, From 8b1874b042d80491f31e16efd1a289f46ad64720 Mon Sep 17 00:00:00 2001 From: Besanon Date: Sun, 7 Sep 2025 22:42:53 +0200 Subject: [PATCH 160/161] Update pcmanfm-qt --- apparmor.d/groups/lxqt/pcmanfm-qt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/lxqt/pcmanfm-qt b/apparmor.d/groups/lxqt/pcmanfm-qt index 4622c9982..ac3d3ef9a 100644 --- a/apparmor.d/groups/lxqt/pcmanfm-qt +++ b/apparmor.d/groups/lxqt/pcmanfm-qt 
@@ -22,7 +22,7 @@ profile pcmanfm-qt @{exec_path} { include include - signal (send) set=(term, kill),m + signal (send) set=(term, kill), signal (receive) set=(term, kill) peer=lxqt-session, network netlink raw, From f33af10c9e875f85f2dfc68e1b33ae9a0d15bc71 Mon Sep 17 00:00:00 2001 From: Besanon Date: Sat, 13 Sep 2025 08:10:48 +0200 Subject: [PATCH 161/161] reload after su profile alteration