felipe/apparmor.d
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Merge f33af10c9e into 9db6bf4a35

Browse source
This commit is contained in:
Besanon 2025-09-16 23:54:17 +02:00 committed by GitHub
commit 441d7a9904
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
28 changed files with 848 additions and 11 deletions
Download patch file Download diff file Expand all files Collapse all files

3
apparmor.d/abstractions/lxqt
View file

@ -17,6 +17,9 @@
signal (receive) set=(kill, term) peer=lxqt-session, signal (receive) set=(kill, term) peer=lxqt-session,
ptrace read peer=lxqt-session,
/usr/share/desktop-base/{,**} r,
/usr/share/hwdata/pnp.ids r, /usr/share/hwdata/pnp.ids r,
/usr/share/icu/@{int}.@{int}/*.dat r, /usr/share/icu/@{int}.@{int}/*.dat r,
/usr/share/lxqt/** r, /usr/share/lxqt/** r,

39
apparmor.d/groups/freedesktop/xdg-desktop-portal-lxqt Normal file
View file

@ -0,0 +1,39 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# Copyright (C) 2025 Besanon <m231009ts@mailfence.com>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{lib}/xdg-desktop-portal-lxqt
@{exec_path} += @{lib}/@{multiarch}/{,libexec/}xdg-desktop-portal-lxqt
profile xdg-desktop-portal-lxqt @{exec_path} {
include <abstractions/base>
include <abstractions/bus-session>
include <abstractions/graphics>
include <abstractions/lxqt>
include <abstractions/nameservice-strict>
include <abstractions/qt5-shader-cache>
network inet dgram,
network inet6 dgram,
network inet stream,
network inet6 stream,
network netlink raw,
@{exec_path} mr,
owner @{HOME}/ r,
owner @{desktop_config_dirs}/user-dirs.dirs r,
owner @{user_cache_dirs}/xdg-desktop-portal-lxqt/{,**} rw,
/dev/tty r,
include if exists <local/xdg-desktop-portal-lxqt>
}
# vim:syntax=apparmor

2
apparmor.d/groups/freedesktop/xdg-mime
View file

@ -46,7 +46,7 @@ profile xdg-mime @{exec_path} flags=(attach_disconnected) {
@{bin}/qtxdg-mat ix, @{bin}/qtxdg-mat ix,
@{bin}/dbus-send Cx -> bus, @{bin}/dbus-send Cx -> bus,
@{bin}/kbuildsycoca{,5} Px, @{bin}/kbuildsycoca{,5,6} Px,
@{bin}/mimetype Px, @{bin}/mimetype Px,
@{bin}/vendor_perl/mimetype Px, @{bin}/vendor_perl/mimetype Px,
@{bin}/xprop Px, @{bin}/xprop Px,

2
apparmor.d/groups/freedesktop/xdg-settings
View file

@ -42,7 +42,7 @@ profile xdg-settings @{exec_path} flags=(attach_disconnected) {
@{bin}/qtxdg-mat ix, @{bin}/qtxdg-mat ix,
@{bin}/dbus-send Cx -> bus, @{bin}/dbus-send Cx -> bus,
@{bin}/kreadconfig{,5} Px, @{bin}/kreadconfig{,5,6} Px,
@{bin}/xdg-mime Px, @{bin}/xdg-mime Px,
@{bin}/xprop Px, @{bin}/xprop Px,

2
apparmor.d/groups/kde/kbuildsycoca
View file

@ -7,7 +7,7 @@ abi <abi/4.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = @{bin}/kbuildsycoca{,5} @{exec_path} = @{bin}/kbuildsycoca{,5,6}
profile kbuildsycoca @{exec_path} flags=(attach_disconnected) { profile kbuildsycoca @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/freedesktop.org> include <abstractions/freedesktop.org>

2
apparmor.d/groups/kde/kglobalacceld
View file

@ -6,7 +6,7 @@ abi <abi/4.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = @{bin}/kglobalaccel5 @{lib}/kglobalacceld @{exec_path} = @{bin}/kglobalaccel{,5,6} @{lib}/kglobalacceld
profile kglobalacceld @{exec_path} { profile kglobalacceld @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/bus-session> include <abstractions/bus-session>

2
apparmor.d/groups/kde/kreadconfig
View file

@ -6,7 +6,7 @@ abi <abi/4.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = @{bin}/kreadconfig{,5} @{exec_path} = @{bin}/kreadconfig{5,6}
profile kreadconfig @{exec_path} { profile kreadconfig @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/kde-strict> include <abstractions/kde-strict>

6
apparmor.d/groups/kde/kwin_wayland
View file

@ -54,8 +54,10 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected,mediate_deleted) {
/usr/share/kservicetypes5/{,*.desktop} r, /usr/share/kservicetypes5/{,*.desktop} r,
/usr/share/kwin-wayland/{,**} r, /usr/share/kwin-wayland/{,**} r,
/usr/share/kwin/{,**} r, /usr/share/kwin/{,**} r,
/usr/share/kwin-wayland/{,**} r,
/usr/share/libinput-*/{,**} r, /usr/share/libinput-*/{,**} r,
/usr/share/libinput/{,**} r, /usr/share/libinput/{,**} r,
/usr/share/lxqt/*.conf r,
/usr/share/pipewire/client.conf r, /usr/share/pipewire/client.conf r,
/usr/share/plasma/desktoptheme/** r, /usr/share/plasma/desktoptheme/** r,
@ -64,7 +66,7 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected,mediate_deleted) {
/etc/machine-id r, /etc/machine-id r,
/var/lib/dbus/machine-id r, /var/lib/dbus/machine-id r,
owner /var/lib/sddm/.config/kwinoutputconfig.json rw,
/ r, / r,
owner @{HOME}/ r, owner @{HOME}/ r,
@ -86,6 +88,7 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected,mediate_deleted) {
owner @{user_cache_dirs}/ksvg-elements r, owner @{user_cache_dirs}/ksvg-elements r,
owner @{user_cache_dirs}/kwin/ rw, owner @{user_cache_dirs}/kwin/ rw,
owner @{user_cache_dirs}/kwin/** rwkl -> @{user_cache_dirs}/kwin/**, owner @{user_cache_dirs}/kwin/** rwkl -> @{user_cache_dirs}/kwin/**,
owner @{user_cache_dirs}/ksycoca{5,6}_??{_,-}* rwlk -> @{user_cache_dirs}/#@{int},
owner @{user_cache_dirs}/plasma_theme_*.kcache rw, owner @{user_cache_dirs}/plasma_theme_*.kcache rw,
owner @{user_cache_dirs}/plasma-svgelements rw, owner @{user_cache_dirs}/plasma-svgelements rw,
owner @{user_cache_dirs}/plasma-svgelements.@{rand6} rwl -> @{user_cache_dirs}/#@{int}, owner @{user_cache_dirs}/plasma-svgelements.@{rand6} rwl -> @{user_cache_dirs}/#@{int},
@ -104,6 +107,7 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected,mediate_deleted) {
owner @{user_config_dirs}/kwinrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/kwinrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
owner @{user_config_dirs}/kwinrulesrc r, owner @{user_config_dirs}/kwinrulesrc r,
owner @{user_config_dirs}/kxkbrc r, owner @{user_config_dirs}/kxkbrc r,
owner @{user_config_dirs}/lxqt/*.conf r,
owner @{user_config_dirs}/menus/** r, owner @{user_config_dirs}/menus/** r,
owner @{user_config_dirs}/plasmarc r, owner @{user_config_dirs}/plasmarc r,
owner @{user_config_dirs}/session/* r, owner @{user_config_dirs}/session/* r,

34
apparmor.d/groups/lxqt/ControlPanel Normal file
View file

@ -0,0 +1,34 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
# Copyright (C) 2025 Besanon <m231009ts@mailfence.com>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/ControlPanel
profile ControlPanel @{exec_path} {
include <abstractions/base>
include <abstractions/bus-session>
include <abstractions/bus-accessibility>
include <abstractions/consoles>
include <abstractions/lxqt>
include <abstractions/nameservice-strict>
@{exec_path} mr,
/etc/xdg/menus/lxqt-config.menu r,
# only for xfe file manager:
owner @{HOME}/.foxrc/ rw,
owner @{HOME}/.foxrc/Desktop rw,
owner @{user_config_dirs}/lxqt/lxqt-config.conf.lock rwk,
owner /tmp/@{int} r,
include if exists <local/ControlPanel>
}
# vim:syntax=apparmor

1
apparmor.d/groups/lxqt/lxqt-about
View file

@ -21,6 +21,7 @@ profile lxqt-about @{exec_path} {
owner /tmp/@{int} r, owner /tmp/@{int} r,
/dev/tty rw, /dev/tty rw,
owner /dev/pts/@{int} rw,
include if exists <local/lxqt-about> include if exists <local/lxqt-about>
} }

35
apparmor.d/groups/lxqt/lxqt-backlight_backend Normal file
View file

@ -0,0 +1,35 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
# Copyright (C) 2024 Besanon <m231009ts@mailfence.com>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/lxqt-backlight_backend
profile lxqt-backlight_backend @{exec_path} {
include <abstractions/base>
include <abstractions/bus-session>
include <abstractions/bus-accessibility>
include <abstractions/lxqt>
@{exec_path} mr,
@{user_share_dirs}/sddm/xorg-session.log w,
@{sys}/class/backlight/ r,
@{sys}/devices/@{pci}/*_backlight/{,max_,actual_}brightness rw,
@{sys}/devices/@{pci}/*_backlight/{uevent,type,enabled} r,
@{sys}/devices/@{pci}/backlight/**/{,max_,actual_}brightness rw,
@{sys}/devices/@{pci}/backlight/**/{uevent,type,enabled} r,
@{sys}/devices/@{pci}/backlight/**/brightness rw,
owner /tmp/@{int} r,
/dev/tty rw,
include if exists <local/lxqt-backlight_backend>
}
# vim:syntax=apparmor

63
apparmor.d/groups/lxqt/lxqt-config Normal file
View file

@ -0,0 +1,63 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
# Copyright (C) 2024 Besanon <m231009ts@mailfence.com>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/lxqt-config
profile lxqt-config @{exec_path} {
include <abstractions/base>
include <abstractions/bus-session>
include <abstractions/bus-accessibility>
include <abstractions/graphics>
include <abstractions/lxqt>
include <abstractions/nameservice-strict>
@{exec_path} mr,
@{open_path} rpx -> child-open,
@{bin}/lxqt-admin-user rPx,
@{bin}/ibus-setup rPx,
@{bin}/lxqt-config-monitor rPx,
@{bin}/pcmanfm-qt rPx,
@{bin}/lxqt-admin-time rPx,
@{bin}/lxqt-config-input rPx,
@{bin}/lxqt-config-locale rPx,
@{bin}/lxqt-config-brightness rPx,
@{bin}/lxqt-config-session rPx,
@{bin}/lxqt-config-file-associations rPx,
@{bin}/lxqt-config-powermanagement rPx,
@{bin}/lxqt-config-appearance rPx,
@{bin}/lxqt-config-globalkeyshortcuts rPx,
@{bin}/lxqt-config-notificationd rPx,
@{bin}/obconf-qt rPx,
@{bin}/nm-connection-editor rPx,
@{bin}/pavucontrol rPx,
@{bin}/pavucontrol-qt rPx,
@{bin}/system-config-printer rPx,
/usr/share/desktop-directories/lxqt-* r,
/etc/xdg/menus/lxqt-config.menu r,
owner @{user_config_dirs}/lxqt/ r,
owner @{user_config_dirs}/lxqt/#@{int} rw,
owner @{user_config_dirs}/lxqt/lxqt-config.conf.lock rwk,
owner @{user_config_dirs}/lxqt/lxqt-config.conf.@{rand6} rwl -> @{user_config_dirs}/lxqt/#@{int},
owner @{user_config_dirs}/lxqt/lxqt-config.conf.@{rand6} rwl -> @{user_config_dirs}/lxqt/#@{int},
owner @{user_config_dirs}/qt6ct/qt6ct.conf.@{rand6} rwl -> @{user_config_dirs}/qt6ct/#@{int},
owner @{user_config_dirs}/qt6ct/qt6ct.conf.lock rwk,
owner @{user_config_dirs}/qt6ct/#@{int} rw,
owner @{user_config_dirs}/qt6ct/qt6ct.conf rw,
owner /tmp/@{int} r,
/dev/tty rw,
include if exists <local/lxqt-config>
}
# vim:syntax=apparmor

51
apparmor.d/groups/lxqt/lxqt-config-appearance Normal file
View file

@ -0,0 +1,51 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
# Copyright (C) 2024 Besanon <m231009ts@mailfence.com>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/lxqt-config-appearance
profile lxqt-config-appearance @{exec_path} {
include <abstractions/base>
include <abstractions/bus-session>
include <abstractions/bus-accessibility>
include <abstractions/dconf-write>
include <abstractions/graphics>
include <abstractions/lxqt>
include <abstractions/nameservice-strict>
@{exec_path} mr,
@{bin}/gsettings rPx,
@{bin}/pcmanfm-qt rPx,
@{bin}/xsettingsd rPx,
owner @{HOME}/.gtkrc-2.0 rw,
owner @{HOME}/.icons/default/index.theme rw,
owner @{HOME}/.Xdefaults rw,
owner @{HOME}/.Xresources rw,
owner @{user_config_dirs}/gtk-3.0/settings.ini rw,
owner @{user_config_dirs}/lxqt/ r,
owner @{user_config_dirs}/lxqt/#@{int} rwk,
owner @{user_config_dirs}/lxqt/session.conf.lock rwk,
owner @{user_config_dirs}/lxqt/lxqt.conf.lock rwk,
owner @{user_config_dirs}/lxqt/lxqt.conf.@{rand6} rw,
owner @{user_config_dirs}/lxqt/lxqt.conf.@{rand6} l -> @{user_config_dirs}/lxqt/#*,
owner @{user_config_dirs}/lxqt/lxqt-config-appearance.conf.lock rwk,
owner @{user_config_dirs}/lxqt/lxqt-config-appearance.conf.@{rand6} rw,
owner @{user_config_dirs}/lxqt/lxqt-config-appearance.conf.@{rand6} l -> @{user_config_dirs}/lxqt/#@{int},
owner @{user_config_dirs}/pcmanfm-qt/lxqt/settings.conf r,
owner /tmp/#@{int} rw,
owner /tmp/lxqt-config-appearance.@{rand6} rwl -> /tmp/#@{int},
/dev/tty rw,
include if exists <local/lxqt-config-appearance>
}
# vim:syntax=apparmor

56
apparmor.d/groups/lxqt/lxqt-config-brightness Normal file
View file

@ -0,0 +1,56 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
# Copyright (C) 2024 Besanon <m231009ts@mailfence.com>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/lxqt-config-brightness
profile lxqt-config-brightness @{exec_path} {
include <abstractions/base>
include <abstractions/lxqt>
@{exec_path} mr,
@{bin}/pkexec Cx -> pkexec,
@{sh_path} rix,
owner @{HOME}/ r,
owner /tmp/@{int} r,
@{sys}/class/backlight/ r,
@{sys}/devices/@{pci}/*_backlight/{,max_,actual_}brightness rw,
@{sys}/devices/@{pci}/*_backlight/{uevent,type,enabled} r,
@{sys}/devices/@{pci}/backlight/**/{,max_,actual_}brightness rw,
@{sys}/devices/@{pci}/backlight/**/{uevent,type,enabled} r,
@{sys}/devices/@{pci}/backlight/**/brightness rw,
/dev/tty rw,
profile pkexec {
include <abstractions/base>
include <abstractions/app/pkexec>
@{bin}/@{bin}/lxqt-config-brightness Px,
@{etc_ro}/inputrc r,
@{etc_ro}/inputrc.keys r,
@{sys}/class/backlight/ r,
@{sys}/devices/@{pci}/*_backlight/{,max_,actual_}brightness rw,
@{sys}/devices/@{pci}/*_backlight/{uevent,type,enabled} r,
@{sys}/devices/@{pci}/backlight/**/{,max_,actual_}brightness rw,
@{sys}/devices/@{pci}/backlight/**/{uevent,type,enabled} r,
@{sys}/devices/@{pci}/backlight/**/brightness rw,
include if exists <local/lxqt-config-brightness_pkexec>
}
include if exists <local/lxqt-config-brightness>
}
# vim:syntax=apparmor

32
apparmor.d/groups/lxqt/lxqt-config-globalkeyshortcuts Normal file
View file

@ -0,0 +1,32 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
# Copyright (C) 2024 Besanon <m231009ts@mailfence.com>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/lxqt-config-globalkeyshortcuts
profile lxqt-config-globalkeyshortcuts @{exec_path} {
include <abstractions/base>
include <abstractions/bus-session>
include <abstractions/bus-accessibility>
include <abstractions/graphics>
include <abstractions/lxqt>
include <abstractions/nameservice-strict>
@{exec_path} mr,
owner @{user_config_dirs}/lxqt/lxqt* rwkl -> @{user_config_dirs}/lxqt/#@{int},
owner @{user_config_dirs}/lxqt/globalkeyshortcuts.conf.lock rwk,
owner @{user_config_dirs}/lxqt/#@{int} rw,
owner /tmp/@{int} r,
/dev/tty rw,
include if exists <local/lxqt-config-globalkeyshortcuts>
}
# vim:syntax=apparmor

71
apparmor.d/groups/lxqt/lxqt-config-input Normal file
View file

@ -0,0 +1,71 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
# Copyright (C) 2024 Besanon <m231009ts@mailfence.com>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/lxqt-config-input
profile lxqt-config-input @{exec_path} {
include <abstractions/audio-client>
include <abstractions/base>
include <abstractions/bus-system>
include <abstractions/bus/org.bluez>
include <abstractions/bus/org.freedesktop.login1>
include <abstractions/devices-usb>
include <abstractions/bus-session>
include <abstractions/bus-accessibility>
include <abstractions/graphics>
include <abstractions/lxqt>
include <abstractions/nameservice-strict>
signal (read) set=(kill,term) peer=lxqt-session,
@{exec_path} mr,
@{bin}/setxkbmap rix,
/etc/udev/udev.conf r,
owner @{user_config_dirs}/lxqt/lxqt.conf.@{rand6} l -> @{user_config_dirs}/lxqt/#@{int},
owner @{user_config_dirs}/lxqt/lxqt.conf.@{rand6} rw,
owner @{user_config_dirs}/lxqt/session.conf.@{rand6} l -> @{user_config_dirs}/lxqt/#@{int},
owner @{user_config_dirs}/lxqt/session.conf.@{rand6} rw,
owner @{user_config_dirs}/lxqt/lxqt.conf.lock rwk,
owner @{user_config_dirs}/lxqt/lxqt-config-input.conf.lock rwk,
owner @{user_config_dirs}/lxqt/lxqt-config-input.conf.@{rand6} rwkl -> @{user_config_dirs}/lxqt/#@{int},
owner @{user_config_dirs}/lxqt/#@{int} rwk,
owner @{user_config_dirs}/lxqt/session.conf.lock rwk,
owner @{user_config_dirs}/lxqt/lxqt-config-input.conf rwl -> @{user_config_dirs}/lxqt/#@{int},
owner /tmp/@{int} r,
@{run}/udev/data/c@{int}:* r, # for /dev/input/*
@{run}/udev/data/+sound:card@{int} r, # for Soundcards
@{run}/udev/data/+bluetooth:* r, # For bluetooth adapters, controllers, and active connections.
@{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors)
@{run}/udev/data/+acpi:* r, # Exposes ACPI objects (power buttons, batteries, thermal)
@{run}/udev/data/+i2c:* r, # For Inter-Integrated Circuit, low-speed peripherals (sensors, EEPROMs, etc.)
@{run}/udev/data/+backlight:* r, # For background light Display
@{run}/udev/data/+leds:* r, # for state of LEDs
@{run}/udev/data/n@{int} r, # For network interface
@{run}/udev/data/+input:* r, # for mouse, keyboard, touchpad
@{run}/udev/data/+dmi:* r, # for motherboard info
@{run}/udev/data/+drm:* r, # For screen outputs
@{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.)
@{run}/udev/data/+rfkill:* r, # Kill switch for wireless devices (Wi-Fi, Bluetooth, NFC) to save power
@{sys}/bus/**/devices/ r, # ALL under /sys/bus/* is asked for read
@{sys}/class/**/ r, # ALL but usbmisc under /sys/class is being read
@{sys}/devices/**/uevent r,
/dev/tty rw,
deny @{sys}/class/usbmisc/ r,
include if exists <local/lxqt-config-input>
}
# vim:syntax=apparmor

41
apparmor.d/groups/lxqt/lxqt-config-monitor Normal file
View file

@ -0,0 +1,41 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
# Copyright (C) 2024 Besanon <m231009ts@mailfence.com>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/lxqt-config-monitor
profile lxqt-config-monitor @{exec_path} {
include <abstractions/base>
include <abstractions/bus-session>
include <abstractions/bus-accessibility>
include <abstractions/fontconfig-cache-write>
include <abstractions/lxqt>
include <abstractions/graphics>
signal (read) set=(kill,term) peer=lxqt-session,
@{exec_path} mr,
owner @{user_config_dirs}/autostart/lxqt-config-monitor-autostart.desktop rw,
owner @{user_config_dirs}/lxqt/ r,
owner @{user_config_dirs}/lxqt/#@{int} rwk,
owner @{user_config_dirs}/lxqt/lxqt.conf.lock rwk,
owner @{user_config_dirs}/lxqt/lxqt.conf.@{rand6} rw,
owner @{user_config_dirs}/lxqt/lxqt.conf.@{rand6} l -> @{user_config_dirs}/lxqt/#@{int},
owner @{user_config_dirs}/lxqt/lxqt-config-monitor.conf.lock rwk,
owner @{user_config_dirs}/lxqt/lxqt-config-monitor.conf.@{rand6} rw,
owner @{user_config_dirs}/lxqt/lxqt-config-monitor.conf.@{rand6} l -> @{user_config_dirs}/lxqt/#@{int},
owner @{user_config_dirs}/lxqt/lxqt-config-monitor.conf l -> @{user_config_dirs}/lxqt/#@{int},
owner /tmp/@{int} r,
/dev/tty rw,
include if exists <local/lxqt-config-monitor>
}
# vim:syntax=apparmor

2
apparmor.d/groups/lxqt/lxqt-config-notificationd
View file

@ -10,6 +10,8 @@ include <tunables/global>
@{exec_path} = @{bin}/lxqt-config-notificationd @{exec_path} = @{bin}/lxqt-config-notificationd
profile lxqt-config-notificationd @{exec_path} { profile lxqt-config-notificationd @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles>
include <abstractions/bus-session>
include <abstractions/lxqt> include <abstractions/lxqt>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>

57
apparmor.d/groups/lxqt/lxqt-config-session Normal file
View file

@ -0,0 +1,57 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
# Copyright (C) 2024 Besanon <m231009ts@mailfence.com>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/lxqt-config-session
profile lxqt-config-session @{exec_path} {
include <abstractions/base>
include <abstractions/bus-session>
include <abstractions/bus-accessibility>
include <abstractions/graphics>
include <abstractions/lxqt>
include <abstractions/thumbnails-cache-read>
include <abstractions/thumbnails-cache-write>
include <abstractions/nameservice-strict>
@{exec_path} mr,
/usr/share/libfm-qt6/translations/libfm-qt_de.qm r,
/usr/share/gvfs/remote-volume-monitors/ r,
/usr/share/gvfs/remote-volume-monitors/udisks2.monitor r,
/usr/share/thumbnailers/ r,
/etc/fstab r,
/etc/xdg/autostart/ r,
/etc/xdg/autostart/** r,
owner @{user_config_dirs}/#@{int} rw,
owner @{user_config_dirs}/autostart/ rw,
owner @{user_config_dirs}/QtProject.conf rw,
owner @{user_config_dirs}/QtProject.conf.@{rand6} rwkl,
owner @{user_config_dirs}/QtProject.conf.lock rwk,
owner @{user_config_dirs}/autostart/*.desktop rw,
owner @{user_config_dirs}/lxqt/ r,
owner @{user_config_dirs}/lxqt/#@{int} rwk,
owner @{user_config_dirs}/lxqt/lxqt.conf.lock rwk,
owner @{user_config_dirs}/lxqt/lxqt-config-session.conf.lock rwk,
owner @{user_config_dirs}/lxqt/session.conf.lock rwk,
owner @{user_config_dirs}/lxqt/session.conf.@{rand6} rwkl -> @{user_config_dirs}/lxqt/#@{int},
owner @{user_config_dirs}/user-dirs.dirs rw,
owner @{user_config_dirs}/lxqt/waylandwindowmanagers.conf.lock rwk,
owner @{user_config_dirs}/lxqt/waylandwindowmanagers.conf rwkl -> @{user_config_dirs}/lxqt/#@{int},
owner /tmp/@{int} r,
owner @{PROC}/@{pid}/mountinfo r,
/dev/tty rw,
include if exists <local/lxqt-config-session>
}
# vim:syntax=apparmor

38
apparmor.d/groups/lxqt/lxqt-notificationd Normal file
View file

@ -0,0 +1,38 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
# Copyright (C) 2024 Besanon <m231009ts@mailfence.com>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/lxqt-notificationd
profile lxqt-notificationd @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/bus-accessibility>
include <abstractions/lxqt>
include <abstractions/nameservice-strict>
#aa:dbus own bus=session name=org.freedesktop.Notifications
@{exec_path} mr,
@{bin}/lxqt-config-notificationd rPx,
/etc/machine-id r,
owner @{user_cache_dirs}/lxqt-notificationd/ r,
owner @{user_cache_dirs}/lxqt-notificationd/#@{int} rwk,
owner @{user_cache_dirs}/lxqt-notificationd/unattended.list rw,
owner @{user_cache_dirs}/lxqt-notificationd/unattended.list l -> @{user_cache_dirs}/lxqt-notificationd/#@{int},
owner @{user_cache_dirs}/lxqt-notificationd/unattended.list.lock rwk,
owner @{user_cache_dirs}/lxqt-notificationd/unattended.list.@{rand6} rwkl -> @{user_cache_dirs}/lxqt-notificationd/#@{int},
owner /tmp/@{int} r,
include if exists <local/lxqt-notificationd>
}
# vim:syntax=apparmor

1
apparmor.d/groups/lxqt/lxqt-panel
View file

@ -10,6 +10,7 @@ include <tunables/global>
@{exec_path} = @{bin}/lxqt-panel @{exec_path} = @{bin}/lxqt-panel
profile lxqt-panel @{exec_path} { profile lxqt-panel @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/app-launcher-user>
include <abstractions/audio-client> include <abstractions/audio-client>
include <abstractions/dconf-write> include <abstractions/dconf-write>
include <abstractions/lxqt> include <abstractions/lxqt>

52
apparmor.d/groups/lxqt/lxqt-policykit-agent Normal file
View file

@ -0,0 +1,52 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
# Copyright (C) 2024 Besanon <m231009ts@mailfence.com>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{lib}/@{multiarch}/lxqt-policykit-agent-[0-9]
@{exec_path} += @{bin}/lxqt-policykit-agent
profile lxqt-policykit-agent @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/dri-enumerate>
include <abstractions/fontconfig-cache-read>
include <abstractions/lxqt>
include <abstractions/nameservice-strict>
include <abstractions/vulkan>
signal (send) set=(term, kill) peer=polkit-agent-helper,
@{exec_path} mr,
@{lib}/polkit-[0-9]/polkit-agent-helper-[0-9] rPx,
/etc/machine-id r,
/var/lib/dbus/machine-id r,
owner @{user_cache_dirs}/icon-cache.kcache rw,
owner @{user_config_dirs}/qt5ct/{,**} r,
owner /tmp/#@{int} rw,
owner /tmp/lxqt-policykit-agent-[0-9].* rwl -> /tmp/#@{int},
@{run}/systemd/users/@{uid} r,
@{sys}/devices/system/node/ r,
@{sys}/devices/system/node/node@{int}/meminfo r,
@{PROC}/@{pid}/cgroup r,
@{PROC}/@{pid}/cmdline r,
@{PROC}/@{pid}/fd/ r,
@{PROC}/sys/kernel/core_pattern r,
/dev/shm/#@{int} rw,
include if exists <local/lxqt-policykit-agent>
}
# vim:syntax=apparmor

4
apparmor.d/groups/lxqt/lxqt-session
View file

@ -13,7 +13,6 @@ profile lxqt-session @{exec_path} flags=(attach_disconnected) {
include <abstractions/app-launcher-user> include <abstractions/app-launcher-user>
include <abstractions/dconf> include <abstractions/dconf>
include <abstractions/lxqt> include <abstractions/lxqt>
include <abstractions/qt5-shader-cache>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
network netlink raw, network netlink raw,
@ -60,6 +59,9 @@ profile lxqt-session @{exec_path} flags=(attach_disconnected) {
owner @{user_config_dirs}/autostart/ r, owner @{user_config_dirs}/autostart/ r,
owner @{user_config_dirs}/autostart/*.desktop r, owner @{user_config_dirs}/autostart/*.desktop r,
owner @{user_config_dirs}/lxqt/#@{int} rw,
owner @{user_config_dirs}/lxqt/session.conf.lock rwk,
owner @{user_config_dirs}/lxqt/session.conf.@{rand6} rwl -> @{user_config_dirs}/lxqt/#@{int},
owner @{user_cache_dirs}/openbox/ rw, owner @{user_cache_dirs}/openbox/ rw,
owner @{user_cache_dirs}/openbox/sessions/ rw, owner @{user_cache_dirs}/openbox/sessions/ rw,
owner @{user_cache_dirs}/openbox/openbox.log rwk, owner @{user_cache_dirs}/openbox/openbox.log rwk,

85
apparmor.d/groups/lxqt/pcmanfm-qt Normal file
View file

@ -0,0 +1,85 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# Copyright (C) 2024 Besanon <m231009ts@mailfence.com>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/pcmanfm-qt
profile pcmanfm-qt @{exec_path} {
include <abstractions/base>
include <abstractions/bus-session>
include <abstractions/bus-system>
include <abstractions/bus/org.freedesktop.UDisks2>
include <abstractions/deny-sensitive-home>
include <abstractions/devices-usb>
include <abstractions/fontconfig-cache-read>
include <abstractions/graphics>
include <abstractions/lxqt>
include <abstractions/nameservice-strict>
include <abstractions/recent-documents-write>
include <abstractions/thumbnails-cache-write>
signal (send) set=(term, kill),
signal (receive) set=(term, kill) peer=lxqt-session,
network netlink raw,
#aa:exec kioworker
#aa:dbus own bus=session name=org.pcmanfm.PCManFM
@{exec_path} mr,
@{lib}/menu-cache/menu-cached rix,
@{lib}/exec/menu-cache/menu-cache-gen rix,
#aa:lint ignore=too-wide
# Full access to user's data
/ r,
/*/ r,
@{bin}/ r,
@{lib}/ r,
@{MOUNTDIRS}/ r,
@{MOUNTS}/ r,
@{MOUNTS}/** rw,
owner @{HOME}/ r,
owner @{HOME}/** rw,
owner @{run}/user/@{uid}/ r,
owner @{run}/user/@{uid}/** rw,
owner @{tmp}/ r,
owner @{tmp}/** rw,
/usr/share/libfm-qt6/{,**} r,
/usr/share/pcmanfm-qt/translations/pcmanfm-qt_de.qm r,
/usr/share/thumbnailers/{,**} r,
owner @{user_cache_dirs}/pcmanfm-qt/{,**} rw,
owner @{user_config_dirs}/pcmanfm-qt/ rw,
owner @{user_config_dirs}/pcmanfm-qt/** rwlk -> @{user_config_dirs}/pcmanfm-qt/**,
@{sys}/bus/ r,
@{sys}/class/ r,
@{sys}/devices/system/node/ r,
@{sys}/devices/system/node/node@{int}/meminfo r,
@{sys}/fs/cgroup/{,**} r,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/mounts r,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/cgroup r,
# Silence non user's data
deny @{efi}/{,**} r,
deny /opt/{,**} r,
deny /root/{,**} r,
deny /tmp/.* rw,
deny /tmp/.*/{,**} rw,
/dev/tty r,
include if exists <local/pcmanfm-qt>
}
# vim:syntax=apparmor

72
apparmor.d/groups/lxqt/qterminal Normal file
View file

@ -0,0 +1,72 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2024 Jeroen Rijken
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
# Copyright (C) 2024 Besanon <m231009ts@mailfence.com>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/qterminal
profile qterminal @{exec_path} {
include <abstractions/audio-client>
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/bus-accessibility>
include <abstractions/bus-session>
include <abstractions/graphics>
include <abstractions/lxqt>
include <abstractions/nameservice-strict>
ptrace (read),
signal (send) set=(hup),
signal (send) set=(kill) peer=htop,
#aa:dbus own bus=session name=org.QTerminal-@{int}
@{exec_path} mr,
@{bin}/@{shells} rUx,
@{browsers_path} rPx,
@{bin}/htop rPx,
@{bin}/dbus-launch rPx,
@{open_path} rPx -> child-open-help,
#aa:exec utempter
/usr/share/color-schemes/{,**} r,
/usr/share/kf6/{,**} r,
/usr/share/qterminal/{,**} r,
/usr/share/sounds/** r,
/usr/share/lxqt/lxqt.conf r,
/usr/share/qtermwidget6/{,**} r,
/etc/xdg/ui/ui_standards.rc r,
/{,var/}run/systemd/notify w,
/var/cache/fontconfig/ rw,
owner @{HOME}/@{XDG_SSH_DIR}/config r,
@{HOME}/.Xdefaults r,
owner @{user_cache_dirs}/icon-cache.kcache rw,
owner @{user_config_dirs}/lxqt/lxqt.conf r,
owner @{user_config_dirs}/qterminal.org/{,**} rw,
owner @{user_config_dirs}/qterminal.org/#@{int} rwk,
owner @{user_config_dirs}/qterminal.org/qterminal.ini.lock rwk,
owner @{user_config_dirs}/qterminal.org/qterminal.ini.@{rand6} rwk,
owner @{user_config_dirs}/qterminal.org/qterminal.ini.@{rand6} l -> @{user_config_dirs}/qterminal.org/#@{int},
owner /tmp/#@{int} rw,
owner /tmp/konsole.@{rand6} rw,
owner /tmp/xauth_@{rand6} rw,
@{PROC}/sys/kernel/core_pattern r,
owner @{PROC}/@{pid}/cmdline r,
owner @{PROC}/@{pid}/stat r,
owner @{PROC}/@{pid}/fd/ r,
include if exists <local/qterminal>
}
# vim:syntax=apparmor

91
apparmor.d/groups/lxqt/startlxqtwayland Normal file
View file

@ -0,0 +1,91 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
# Copyright (C) 2024 Besanon <m231009ts@mailfence.com>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/startlxqtwayland
profile startlxqtwayland @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/lxqt>
signal (receive) set=(term) peer=sddm,
@{exec_path} mr,
@{bin}/cat rix,
@{bin}/cut rix,
@{bin}/cp rix,
@{bin}/dirname rix,
@{bin}/labwc rpx,
@{bin}/{,e}grep rix,
@{bin}/{m,g,}awk rix,
@{bin}/mkdir rix,
@{sh_path} rix,
@{bin}/lxqt-session rPx,
@{bin}/systemd-detect-virt rPx,
@{bin}/systemctl rCx -> systemctl,
@{bin}/dbus-update-activation-environment rCx -> dbus,
/usr/share/color-schemes/{,**} r,
/usr/share/desktop-directories/{,**} r,
/usr/share/icu/@{int}.@{int}/*.dat r,
/usr/share/kservices5/{,**} r,
/usr/share/mime/{,**} r,
/etc/locale.alias r,
/etc/machine-id r,
/etc/xdg/menus/{,**} r,
@{HOME}/ r,
owner @{HOME}/.Xauthority r,
owner @{user_cache_dirs}/ rw,
owner @{user_cache_dirs}/#@{int} rw,
@{user_cache_dirs}/ksycoca5_* rwkl -> @{user_cache_dirs}/#@{int},
owner @{user_config_dirs}/#@{int} rw,
owner @{user_config_dirs}/labwc/ rw,
owner @{user_config_dirs}/labwc/** rw,
owner @{user_config_dirs}/lxqt/ rw,
owner @{user_config_dirs}/menus/{,**} r,
owner @{user_config_dirs}/lxqt/wayland/ rw,
owner @{user_share_dirs}/kservices5/{,**} r,
owner @{user_share_dirs}/sddm/wayland-session.log rw,
owner @{user_share_dirs}/sddm/xorg-session.log rw,
owner /tmp/#@{int} rw,
owner /tmp/startlxqt.@{rand6} rwl -> /tmp/#@{int},
owner @{run}/user/@{uid}/ r,
@{PROC}/sys/kernel/core_pattern r,
/dev/tty rw,
/dev/tty@{int} rw,
include if exists <local/startlxqtwayland>
profile systemctl flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/app/systemctl>
include if exists <local/startlxqtwayland_systemctl>
}
profile dbus {
include <abstractions/base>
@{bin}/dbus-update-activation-environment mr,
owner @{HOME}/.xsession-errors w,
include if exists <local/startlxqtwayland_dbus>
}
}
# vim:syntax=apparmor

7
apparmor.d/profiles-g-l/labwc
View file

@ -17,6 +17,8 @@ profile labwc @{exec_path} flags=(attach_disconnected) {
include <abstractions/graphics> include <abstractions/graphics>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
signal (receive) set=term peer=sddm,
network netlink raw, network netlink raw,
@{exec_path} mr, @{exec_path} mr,
@ -27,11 +29,16 @@ profile labwc @{exec_path} flags=(attach_disconnected) {
/usr/share/libinput/ r, /usr/share/libinput/ r,
/usr/share/libinput/*.quirks r, /usr/share/libinput/*.quirks r,
/usr/share/themes/**/themerc r,
/usr/share/themes/Vent/openbox-3/*.xbm r,
/usr/share/X11/xkb/** r,
owner @{user_config_dirs}/labwc/ r, owner @{user_config_dirs}/labwc/ r,
owner @{user_config_dirs}/labwc/* r, owner @{user_config_dirs}/labwc/* r,
owner @{user_config_dirs}/lxqt/wayland/ rw,
owner /dev/shm/wayland.mozilla.ipc.@{int} rw, owner /dev/shm/wayland.mozilla.ipc.@{int} rw,
owner /dev/shm/wlroots-@{rand6} rw,
@{sys}/class/drm/ r, @{sys}/class/drm/ r,
@{sys}/class/input/ r, @{sys}/class/input/ r,

4
apparmor.d/tunables/multiarch.d/programs
View file

@ -70,7 +70,7 @@
@{emails_names} = evolution geary @{emails_names} = evolution geary
# File explorers # File explorers
@{file_explorers_names} = dolphin nautilus thunar @{file_explorers_names} = dolphin nautilus thunar pcmanfm-qt
# Text editors # Text editors
@{text_editors_names} = code gedit mousepad gnome-text-editor zeditor zedit zed-cli @{text_editors_names} = code gedit mousepad gnome-text-editor zeditor zedit zed-cli
@ -91,7 +91,7 @@
@{help_names} = yelp @{help_names} = yelp
# Terminal emulator # Terminal emulator
@{terminal_names} = kgx terminator konsole ptyxis @{terminal_names} = kgx terminator konsole ptyxis qterminal
# Backup # Backup
@{backup_names} = deja-dup borg @{backup_names} = deja-dup borg