Merge f33af10c9e into 9db6bf4a35

2025-09-16 23:54:17 +02:00 · 2025-09-16 23:54:17 +02:00 · 441d7a9904
commit 441d7a9904
parent 9db6bf4a35 f33af10c9e
28 changed files with 848 additions and 11 deletions
--- a/apparmor.d/abstractions/lxqt
+++ b/apparmor.d/abstractions/lxqt
@ -17,6 +17,9 @@

  signal (receive) set=(kill, term) peer=lxqt-session,

+  ptrace read peer=lxqt-session,
+
+  /usr/share/desktop-base/{,**} r,
  /usr/share/hwdata/pnp.ids r,
  /usr/share/icu/@{int}.@{int}/*.dat r,
  /usr/share/lxqt/** r,
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-lxqt
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-lxqt
@ -0,0 +1,39 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
+# Copyright (C) 2025 Besanon  <m231009ts@mailfence.com>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/4.0>,
+
+include <tunables/global>
+
+@{exec_path}  = @{lib}/xdg-desktop-portal-lxqt
+@{exec_path} += @{lib}/@{multiarch}/{,libexec/}xdg-desktop-portal-lxqt
+profile xdg-desktop-portal-lxqt @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/bus-session>
+  include <abstractions/graphics>
+  include <abstractions/lxqt>
+  include <abstractions/nameservice-strict>
+  include <abstractions/qt5-shader-cache>
+
+  network inet dgram,
+  network inet6 dgram,
+  network inet stream,
+  network inet6 stream,
+  network netlink raw,
+
+  @{exec_path} mr,
+
+  owner @{HOME}/ r,
+
+  owner @{desktop_config_dirs}/user-dirs.dirs r,
+
+  owner @{user_cache_dirs}/xdg-desktop-portal-lxqt/{,**} rw,
+
+  /dev/tty r,
+
+  include if exists <local/xdg-desktop-portal-lxqt>
+}
+
+# vim:syntax=apparmor
--- a/apparmor.d/groups/freedesktop/xdg-mime
+++ b/apparmor.d/groups/freedesktop/xdg-mime
@ -46,7 +46,7 @@ profile xdg-mime @{exec_path} flags=(attach_disconnected) {
  @{bin}/qtxdg-mat            ix,

  @{bin}/dbus-send            Cx -> bus,
-  @{bin}/kbuildsycoca{,5}     Px,
+  @{bin}/kbuildsycoca{,5,6}   Px,
  @{bin}/mimetype             Px,
  @{bin}/vendor_perl/mimetype Px,
  @{bin}/xprop                Px,
--- a/apparmor.d/groups/freedesktop/xdg-settings
+++ b/apparmor.d/groups/freedesktop/xdg-settings
@ -42,7 +42,7 @@ profile xdg-settings @{exec_path} flags=(attach_disconnected) {
  @{bin}/qtxdg-mat            ix,

  @{bin}/dbus-send            Cx -> bus,
-  @{bin}/kreadconfig{,5}      Px,
+  @{bin}/kreadconfig{,5,6}    Px,
  @{bin}/xdg-mime             Px,
  @{bin}/xprop                Px,

--- a/apparmor.d/groups/kde/kbuildsycoca
+++ b/apparmor.d/groups/kde/kbuildsycoca
@ -7,7 +7,7 @@ abi <abi/4.0>,

 include <tunables/global>

-@{exec_path} = @{bin}/kbuildsycoca{,5}
+@{exec_path} = @{bin}/kbuildsycoca{,5,6}
 profile kbuildsycoca @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/freedesktop.org>
--- a/apparmor.d/groups/kde/kglobalacceld
+++ b/apparmor.d/groups/kde/kglobalacceld
@ -6,7 +6,7 @@ abi <abi/4.0>,

 include <tunables/global>

-@{exec_path} = @{bin}/kglobalaccel5 @{lib}/kglobalacceld
+@{exec_path} = @{bin}/kglobalaccel{,5,6} @{lib}/kglobalacceld
 profile kglobalacceld @{exec_path} {
  include <abstractions/base>
  include <abstractions/bus-session>
--- a/apparmor.d/groups/kde/kreadconfig
+++ b/apparmor.d/groups/kde/kreadconfig
@ -6,7 +6,7 @@ abi <abi/4.0>,

 include <tunables/global>

-@{exec_path} = @{bin}/kreadconfig{,5}
+@{exec_path} = @{bin}/kreadconfig{5,6}
 profile kreadconfig @{exec_path} {
  include <abstractions/base>
  include <abstractions/kde-strict>
--- a/apparmor.d/groups/kde/kwin_wayland
+++ b/apparmor.d/groups/kde/kwin_wayland
@ -54,8 +54,10 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected,mediate_deleted) {
  /usr/share/kservicetypes5/{,*.desktop} r,
  /usr/share/kwin-wayland/{,**} r,
  /usr/share/kwin/{,**} r,
+  /usr/share/kwin-wayland/{,**} r,
  /usr/share/libinput-*/{,**} r,
  /usr/share/libinput/{,**} r,
+  /usr/share/lxqt/*.conf r,
  /usr/share/pipewire/client.conf r,
  /usr/share/plasma/desktoptheme/** r,

@ -64,7 +66,7 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected,mediate_deleted) {

  /etc/machine-id r,
  /var/lib/dbus/machine-id r,
-
+  owner /var/lib/sddm/.config/kwinoutputconfig.json rw,
  / r,
  owner @{HOME}/ r,

@ -86,6 +88,7 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected,mediate_deleted) {
  owner @{user_cache_dirs}/ksvg-elements r,
  owner @{user_cache_dirs}/kwin/ rw,
  owner @{user_cache_dirs}/kwin/** rwkl -> @{user_cache_dirs}/kwin/**,
+  owner @{user_cache_dirs}/ksycoca{5,6}_??{_,-}* rwlk -> @{user_cache_dirs}/#@{int},
  owner @{user_cache_dirs}/plasma_theme_*.kcache rw,
  owner @{user_cache_dirs}/plasma-svgelements rw,
  owner @{user_cache_dirs}/plasma-svgelements.@{rand6} rwl -> @{user_cache_dirs}/#@{int},
@ -104,6 +107,7 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected,mediate_deleted) {
  owner @{user_config_dirs}/kwinrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
  owner @{user_config_dirs}/kwinrulesrc r,
  owner @{user_config_dirs}/kxkbrc r,
+  owner @{user_config_dirs}/lxqt/*.conf r,
  owner @{user_config_dirs}/menus/** r,
  owner @{user_config_dirs}/plasmarc r,
  owner @{user_config_dirs}/session/* r,
--- a/apparmor.d/groups/lxqt/ControlPanel
+++ b/apparmor.d/groups/lxqt/ControlPanel
@ -0,0 +1,34 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
+# Copyright (C) 2025 Besanon  <m231009ts@mailfence.com>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/4.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{bin}/ControlPanel
+profile ControlPanel @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/bus-session>
+  include <abstractions/bus-accessibility>
+  include <abstractions/consoles>
+  include <abstractions/lxqt>
+  include <abstractions/nameservice-strict>
+
+  @{exec_path} mr,
+
+  /etc/xdg/menus/lxqt-config.menu r,
+
+  # only for xfe file manager:
+  owner @{HOME}/.foxrc/ rw,
+  owner @{HOME}/.foxrc/Desktop rw,
+
+  owner @{user_config_dirs}/lxqt/lxqt-config.conf.lock rwk,
+
+  owner /tmp/@{int} r,
+
+  include if exists <local/ControlPanel>
+}
+
+# vim:syntax=apparmor
--- a/apparmor.d/groups/lxqt/lxqt-about
+++ b/apparmor.d/groups/lxqt/lxqt-about
@ -21,6 +21,7 @@ profile lxqt-about @{exec_path} {
  owner /tmp/@{int} r,

  /dev/tty rw,
+  owner /dev/pts/@{int} rw,

  include if exists <local/lxqt-about>
 }
--- a/apparmor.d/groups/lxqt/lxqt-backlight_backend
+++ b/apparmor.d/groups/lxqt/lxqt-backlight_backend
@ -0,0 +1,35 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
+# Copyright (C) 2024 Besanon  <m231009ts@mailfence.com>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/4.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{bin}/lxqt-backlight_backend
+profile lxqt-backlight_backend @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/bus-session>
+  include <abstractions/bus-accessibility>
+  include <abstractions/lxqt>
+
+  @{exec_path} mr,
+
+  @{user_share_dirs}/sddm/xorg-session.log w,
+
+  @{sys}/class/backlight/ r,
+  @{sys}/devices/@{pci}/*_backlight/{,max_,actual_}brightness rw,
+  @{sys}/devices/@{pci}/*_backlight/{uevent,type,enabled} r,
+  @{sys}/devices/@{pci}/backlight/**/{,max_,actual_}brightness rw,
+  @{sys}/devices/@{pci}/backlight/**/{uevent,type,enabled} r,
+  @{sys}/devices/@{pci}/backlight/**/brightness rw,
+
+  owner /tmp/@{int} r,
+
+  /dev/tty rw,
+
+  include if exists <local/lxqt-backlight_backend>
+}
+
+# vim:syntax=apparmor
--- a/apparmor.d/groups/lxqt/lxqt-config
+++ b/apparmor.d/groups/lxqt/lxqt-config
@ -0,0 +1,63 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
+# Copyright (C) 2024 Besanon  <m231009ts@mailfence.com>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/4.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{bin}/lxqt-config
+profile lxqt-config @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/bus-session>
+  include <abstractions/bus-accessibility>
+  include <abstractions/graphics>
+  include <abstractions/lxqt>
+  include <abstractions/nameservice-strict>
+
+  @{exec_path} mr,
+  @{open_path} rpx -> child-open,
+
+  @{bin}/lxqt-admin-user rPx,
+  @{bin}/ibus-setup rPx,
+  @{bin}/lxqt-config-monitor rPx,
+  @{bin}/pcmanfm-qt rPx,
+  @{bin}/lxqt-admin-time rPx,
+  @{bin}/lxqt-config-input rPx,
+  @{bin}/lxqt-config-locale rPx,
+  @{bin}/lxqt-config-brightness rPx,
+  @{bin}/lxqt-config-session rPx,
+  @{bin}/lxqt-config-file-associations rPx,
+  @{bin}/lxqt-config-powermanagement rPx,
+  @{bin}/lxqt-config-appearance rPx,
+  @{bin}/lxqt-config-globalkeyshortcuts rPx,
+  @{bin}/lxqt-config-notificationd rPx,
+  @{bin}/obconf-qt rPx,
+  @{bin}/nm-connection-editor rPx,
+  @{bin}/pavucontrol rPx,
+  @{bin}/pavucontrol-qt rPx,
+  @{bin}/system-config-printer rPx,
+
+  /usr/share/desktop-directories/lxqt-* r,
+
+  /etc/xdg/menus/lxqt-config.menu r,
+
+  owner @{user_config_dirs}/lxqt/ r,
+  owner @{user_config_dirs}/lxqt/#@{int} rw,
+  owner @{user_config_dirs}/lxqt/lxqt-config.conf.lock rwk,
+  owner @{user_config_dirs}/lxqt/lxqt-config.conf.@{rand6} rwl -> @{user_config_dirs}/lxqt/#@{int},
+  owner @{user_config_dirs}/lxqt/lxqt-config.conf.@{rand6} rwl -> @{user_config_dirs}/lxqt/#@{int},
+  owner @{user_config_dirs}/qt6ct/qt6ct.conf.@{rand6} rwl -> @{user_config_dirs}/qt6ct/#@{int},
+  owner @{user_config_dirs}/qt6ct/qt6ct.conf.lock rwk,
+  owner @{user_config_dirs}/qt6ct/#@{int} rw,
+  owner @{user_config_dirs}/qt6ct/qt6ct.conf    rw,
+
+  owner /tmp/@{int} r,
+
+  /dev/tty rw,
+
+  include if exists <local/lxqt-config>
+}
+
+# vim:syntax=apparmor
--- a/apparmor.d/groups/lxqt/lxqt-config-appearance
+++ b/apparmor.d/groups/lxqt/lxqt-config-appearance
@ -0,0 +1,51 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
+# Copyright (C) 2024 Besanon  <m231009ts@mailfence.com>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/4.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{bin}/lxqt-config-appearance
+profile lxqt-config-appearance @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/bus-session>
+  include <abstractions/bus-accessibility>
+  include <abstractions/dconf-write>
+  include <abstractions/graphics>
+  include <abstractions/lxqt>
+  include <abstractions/nameservice-strict>
+
+  @{exec_path} mr,
+
+  @{bin}/gsettings rPx,
+  @{bin}/pcmanfm-qt rPx,
+  @{bin}/xsettingsd rPx,
+
+  owner @{HOME}/.gtkrc-2.0 rw,
+  owner @{HOME}/.icons/default/index.theme rw,
+  owner @{HOME}/.Xdefaults rw,
+  owner @{HOME}/.Xresources rw,
+
+  owner @{user_config_dirs}/gtk-3.0/settings.ini rw,
+  owner @{user_config_dirs}/lxqt/  r,
+  owner @{user_config_dirs}/lxqt/#@{int} rwk,
+  owner @{user_config_dirs}/lxqt/session.conf.lock rwk,
+  owner @{user_config_dirs}/lxqt/lxqt.conf.lock rwk,
+  owner @{user_config_dirs}/lxqt/lxqt.conf.@{rand6} rw,
+  owner @{user_config_dirs}/lxqt/lxqt.conf.@{rand6} l -> @{user_config_dirs}/lxqt/#*,
+  owner @{user_config_dirs}/lxqt/lxqt-config-appearance.conf.lock rwk,
+  owner @{user_config_dirs}/lxqt/lxqt-config-appearance.conf.@{rand6} rw,
+  owner @{user_config_dirs}/lxqt/lxqt-config-appearance.conf.@{rand6} l -> @{user_config_dirs}/lxqt/#@{int},
+  owner @{user_config_dirs}/pcmanfm-qt/lxqt/settings.conf r,
+
+  owner /tmp/#@{int} rw,
+  owner /tmp/lxqt-config-appearance.@{rand6} rwl -> /tmp/#@{int},
+
+  /dev/tty rw,
+
+  include if exists <local/lxqt-config-appearance>
+}
+
+# vim:syntax=apparmor
--- a/apparmor.d/groups/lxqt/lxqt-config-brightness
+++ b/apparmor.d/groups/lxqt/lxqt-config-brightness
@ -0,0 +1,56 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
+# Copyright (C) 2024 Besanon  <m231009ts@mailfence.com>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/4.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{bin}/lxqt-config-brightness
+profile lxqt-config-brightness @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/lxqt>
+
+  @{exec_path} mr,
+
+  @{bin}/pkexec Cx -> pkexec,
+
+  @{sh_path} rix,
+
+  owner @{HOME}/ r,
+
+  owner /tmp/@{int} r,
+
+  @{sys}/class/backlight/ r,
+  @{sys}/devices/@{pci}/*_backlight/{,max_,actual_}brightness rw,
+  @{sys}/devices/@{pci}/*_backlight/{uevent,type,enabled} r,
+  @{sys}/devices/@{pci}/backlight/**/{,max_,actual_}brightness rw,
+  @{sys}/devices/@{pci}/backlight/**/{uevent,type,enabled} r,
+  @{sys}/devices/@{pci}/backlight/**/brightness rw,
+
+  /dev/tty rw,
+
+  profile pkexec {
+    include <abstractions/base>
+    include <abstractions/app/pkexec>
+
+    @{bin}/@{bin}/lxqt-config-brightness Px,
+
+    @{etc_ro}/inputrc r,
+    @{etc_ro}/inputrc.keys r,
+
+    @{sys}/class/backlight/ r,
+    @{sys}/devices/@{pci}/*_backlight/{,max_,actual_}brightness rw,
+    @{sys}/devices/@{pci}/*_backlight/{uevent,type,enabled} r,
+    @{sys}/devices/@{pci}/backlight/**/{,max_,actual_}brightness rw,
+    @{sys}/devices/@{pci}/backlight/**/{uevent,type,enabled} r,
+    @{sys}/devices/@{pci}/backlight/**/brightness rw,
+
+    include if exists <local/lxqt-config-brightness_pkexec>
+  }
+
+  include if exists <local/lxqt-config-brightness>
+}
+
+# vim:syntax=apparmor
--- a/apparmor.d/groups/lxqt/lxqt-config-globalkeyshortcuts
+++ b/apparmor.d/groups/lxqt/lxqt-config-globalkeyshortcuts
@ -0,0 +1,32 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
+# Copyright (C) 2024 Besanon  <m231009ts@mailfence.com>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/4.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{bin}/lxqt-config-globalkeyshortcuts
+profile lxqt-config-globalkeyshortcuts @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/bus-session>
+  include <abstractions/bus-accessibility>
+  include <abstractions/graphics>
+  include <abstractions/lxqt>
+  include <abstractions/nameservice-strict>
+
+  @{exec_path} mr,
+
+  owner @{user_config_dirs}/lxqt/lxqt* rwkl -> @{user_config_dirs}/lxqt/#@{int},
+  owner @{user_config_dirs}/lxqt/globalkeyshortcuts.conf.lock rwk,
+  owner @{user_config_dirs}/lxqt/#@{int} rw,
+
+  owner /tmp/@{int} r,
+
+  /dev/tty rw,
+
+  include if exists <local/lxqt-config-globalkeyshortcuts>
+}
+
+# vim:syntax=apparmor
--- a/apparmor.d/groups/lxqt/lxqt-config-input
+++ b/apparmor.d/groups/lxqt/lxqt-config-input
@ -0,0 +1,71 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
+# Copyright (C) 2024 Besanon  <m231009ts@mailfence.com>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/4.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{bin}/lxqt-config-input
+profile lxqt-config-input @{exec_path} {
+  include <abstractions/audio-client>
+  include <abstractions/base>
+  include <abstractions/bus-system>
+  include <abstractions/bus/org.bluez>
+  include <abstractions/bus/org.freedesktop.login1>
+  include <abstractions/devices-usb>
+  include <abstractions/bus-session>
+  include <abstractions/bus-accessibility>
+  include <abstractions/graphics>
+  include <abstractions/lxqt>
+  include <abstractions/nameservice-strict>
+
+  signal (read) set=(kill,term) peer=lxqt-session,
+
+  @{exec_path} mr,
+
+  @{bin}/setxkbmap rix,
+
+  /etc/udev/udev.conf r,
+
+  owner @{user_config_dirs}/lxqt/lxqt.conf.@{rand6} l -> @{user_config_dirs}/lxqt/#@{int},
+  owner @{user_config_dirs}/lxqt/lxqt.conf.@{rand6} rw,
+  owner @{user_config_dirs}/lxqt/session.conf.@{rand6} l -> @{user_config_dirs}/lxqt/#@{int},
+  owner @{user_config_dirs}/lxqt/session.conf.@{rand6} rw,
+  owner @{user_config_dirs}/lxqt/lxqt.conf.lock rwk,
+  owner @{user_config_dirs}/lxqt/lxqt-config-input.conf.lock rwk,
+  owner @{user_config_dirs}/lxqt/lxqt-config-input.conf.@{rand6}  rwkl -> @{user_config_dirs}/lxqt/#@{int},
+  owner @{user_config_dirs}/lxqt/#@{int}  rwk,
+  owner @{user_config_dirs}/lxqt/session.conf.lock rwk,
+  owner @{user_config_dirs}/lxqt/lxqt-config-input.conf rwl -> @{user_config_dirs}/lxqt/#@{int},
+
+  owner /tmp/@{int} r,
+
+  @{run}/udev/data/c@{int}:* r,  # for /dev/input/*
+  @{run}/udev/data/+sound:card@{int} r,   # for Soundcards
+  @{run}/udev/data/+bluetooth:* r, # For bluetooth adapters, controllers, and active connections.
+  @{run}/udev/data/+platform:* r,  # Identifies onboard devices (laptop/board model, power controllers, thermal sensors)
+  @{run}/udev/data/+acpi:* r,  # Exposes ACPI objects (power buttons, batteries, thermal)
+  @{run}/udev/data/+i2c:* r,  # For Inter-Integrated Circuit, low-speed peripherals (sensors, EEPROMs, etc.)
+  @{run}/udev/data/+backlight:* r,  # For background light Display
+  @{run}/udev/data/+leds:* r,  # for state of LEDs
+  @{run}/udev/data/n@{int} r,  # For network interface
+  @{run}/udev/data/+input:* r,  # for mouse, keyboard, touchpad
+  @{run}/udev/data/+dmi:* r,  # for motherboard info
+  @{run}/udev/data/+drm:* r,  # For screen outputs
+  @{run}/udev/data/+pci:* r,  # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.)
+  @{run}/udev/data/+rfkill:* r,  # Kill switch for wireless devices (Wi-Fi, Bluetooth, NFC) to save power
+
+  @{sys}/bus/**/devices/ r,   # ALL under /sys/bus/* is asked for read
+  @{sys}/class/**/ r, # ALL but usbmisc under /sys/class is being read
+  @{sys}/devices/**/uevent r,
+
+  /dev/tty rw,
+
+  deny @{sys}/class/usbmisc/ r,
+
+  include if exists <local/lxqt-config-input>
+}
+
+# vim:syntax=apparmor
--- a/apparmor.d/groups/lxqt/lxqt-config-monitor
+++ b/apparmor.d/groups/lxqt/lxqt-config-monitor
@ -0,0 +1,41 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
+# Copyright (C) 2024 Besanon  <m231009ts@mailfence.com>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/4.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{bin}/lxqt-config-monitor
+profile lxqt-config-monitor @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/bus-session>
+  include <abstractions/bus-accessibility>
+  include <abstractions/fontconfig-cache-write>
+  include <abstractions/lxqt>
+  include <abstractions/graphics>
+
+  signal (read) set=(kill,term) peer=lxqt-session,
+
+  @{exec_path} mr,
+
+  owner @{user_config_dirs}/autostart/lxqt-config-monitor-autostart.desktop     rw,
+  owner @{user_config_dirs}/lxqt/ r,
+  owner @{user_config_dirs}/lxqt/#@{int} rwk,
+  owner @{user_config_dirs}/lxqt/lxqt.conf.lock rwk,
+  owner @{user_config_dirs}/lxqt/lxqt.conf.@{rand6} rw,
+  owner @{user_config_dirs}/lxqt/lxqt.conf.@{rand6}  l -> @{user_config_dirs}/lxqt/#@{int},
+  owner @{user_config_dirs}/lxqt/lxqt-config-monitor.conf.lock rwk,
+  owner @{user_config_dirs}/lxqt/lxqt-config-monitor.conf.@{rand6} rw,
+  owner @{user_config_dirs}/lxqt/lxqt-config-monitor.conf.@{rand6} l -> @{user_config_dirs}/lxqt/#@{int},
+  owner @{user_config_dirs}/lxqt/lxqt-config-monitor.conf l -> @{user_config_dirs}/lxqt/#@{int},
+
+  owner /tmp/@{int} r,
+
+  /dev/tty rw,
+
+  include if exists <local/lxqt-config-monitor>
+}
+
+# vim:syntax=apparmor
--- a/apparmor.d/groups/lxqt/lxqt-config-notificationd
+++ b/apparmor.d/groups/lxqt/lxqt-config-notificationd
@ -10,6 +10,8 @@ include <tunables/global>
@{exec_path} = @{bin}/lxqt-config-notificationd
 profile lxqt-config-notificationd @{exec_path} {
  include <abstractions/base>
+  include <abstractions/consoles>
+  include <abstractions/bus-session>
  include <abstractions/lxqt>
  include <abstractions/nameservice-strict>

--- a/apparmor.d/groups/lxqt/lxqt-config-session
+++ b/apparmor.d/groups/lxqt/lxqt-config-session
@ -0,0 +1,57 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
+# Copyright (C) 2024 Besanon  <m231009ts@mailfence.com>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/4.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{bin}/lxqt-config-session
+profile lxqt-config-session @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/bus-session>
+  include <abstractions/bus-accessibility>
+  include <abstractions/graphics>
+  include <abstractions/lxqt>
+  include <abstractions/thumbnails-cache-read>
+  include <abstractions/thumbnails-cache-write>
+  include <abstractions/nameservice-strict>
+
+  @{exec_path} mr,
+
+  /usr/share/libfm-qt6/translations/libfm-qt_de.qm  r,
+  /usr/share/gvfs/remote-volume-monitors/ r,
+  /usr/share/gvfs/remote-volume-monitors/udisks2.monitor r,
+  /usr/share/thumbnailers/ r,
+
+  /etc/fstab r,
+  /etc/xdg/autostart/ r,
+  /etc/xdg/autostart/** r,
+
+  owner @{user_config_dirs}/#@{int} rw,
+  owner @{user_config_dirs}/autostart/ rw,
+  owner @{user_config_dirs}/QtProject.conf rw,
+  owner @{user_config_dirs}/QtProject.conf.@{rand6} rwkl,
+  owner @{user_config_dirs}/QtProject.conf.lock rwk,
+  owner @{user_config_dirs}/autostart/*.desktop rw,
+  owner @{user_config_dirs}/lxqt/  r,
+  owner @{user_config_dirs}/lxqt/#@{int} rwk,
+  owner @{user_config_dirs}/lxqt/lxqt.conf.lock rwk,
+  owner @{user_config_dirs}/lxqt/lxqt-config-session.conf.lock rwk,
+  owner @{user_config_dirs}/lxqt/session.conf.lock rwk,
+  owner @{user_config_dirs}/lxqt/session.conf.@{rand6} rwkl -> @{user_config_dirs}/lxqt/#@{int},
+  owner @{user_config_dirs}/user-dirs.dirs rw,
+  owner @{user_config_dirs}/lxqt/waylandwindowmanagers.conf.lock rwk,
+  owner @{user_config_dirs}/lxqt/waylandwindowmanagers.conf rwkl -> @{user_config_dirs}/lxqt/#@{int},
+
+  owner /tmp/@{int} r,
+
+  owner @{PROC}/@{pid}/mountinfo r,
+
+  /dev/tty rw,
+
+  include if exists <local/lxqt-config-session>
+}
+
+# vim:syntax=apparmor
--- a/apparmor.d/groups/lxqt/lxqt-notificationd
+++ b/apparmor.d/groups/lxqt/lxqt-notificationd
@ -0,0 +1,38 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
+# Copyright (C) 2024 Besanon  <m231009ts@mailfence.com>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/4.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{bin}/lxqt-notificationd
+profile lxqt-notificationd @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/consoles>
+  include <abstractions/bus-accessibility>
+  include <abstractions/lxqt>
+  include <abstractions/nameservice-strict>
+
+  #aa:dbus own bus=session name=org.freedesktop.Notifications
+
+  @{exec_path} mr,
+
+  @{bin}/lxqt-config-notificationd rPx,
+
+  /etc/machine-id r,
+
+  owner @{user_cache_dirs}/lxqt-notificationd/ r,
+  owner @{user_cache_dirs}/lxqt-notificationd/#@{int} rwk,
+  owner @{user_cache_dirs}/lxqt-notificationd/unattended.list rw,
+  owner @{user_cache_dirs}/lxqt-notificationd/unattended.list l -> @{user_cache_dirs}/lxqt-notificationd/#@{int},
+  owner @{user_cache_dirs}/lxqt-notificationd/unattended.list.lock  rwk,
+  owner @{user_cache_dirs}/lxqt-notificationd/unattended.list.@{rand6} rwkl -> @{user_cache_dirs}/lxqt-notificationd/#@{int},
+
+  owner /tmp/@{int} r,
+
+  include if exists <local/lxqt-notificationd>
+}
+
+# vim:syntax=apparmor
--- a/apparmor.d/groups/lxqt/lxqt-panel
+++ b/apparmor.d/groups/lxqt/lxqt-panel
@ -10,6 +10,7 @@ include <tunables/global>
@{exec_path} = @{bin}/lxqt-panel
 profile lxqt-panel @{exec_path} {
  include <abstractions/base>
+  include <abstractions/app-launcher-user>
  include <abstractions/audio-client>
  include <abstractions/dconf-write>
  include <abstractions/lxqt>
--- a/apparmor.d/groups/lxqt/lxqt-policykit-agent
+++ b/apparmor.d/groups/lxqt/lxqt-policykit-agent
@ -0,0 +1,52 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
+# Copyright (C) 2024 Besanon  <m231009ts@mailfence.com>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/4.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{lib}/@{multiarch}/lxqt-policykit-agent-[0-9]
+@{exec_path} += @{bin}/lxqt-policykit-agent
+profile lxqt-policykit-agent @{exec_path} flags=(attach_disconnected) {
+  include <abstractions/base>
+  include <abstractions/consoles>
+  include <abstractions/dri-enumerate>
+  include <abstractions/fontconfig-cache-read>
+  include <abstractions/lxqt>
+  include <abstractions/nameservice-strict>
+  include <abstractions/vulkan>
+
+  signal (send)    set=(term, kill) peer=polkit-agent-helper,
+
+  @{exec_path} mr,
+
+  @{lib}/polkit-[0-9]/polkit-agent-helper-[0-9] rPx,
+
+  /etc/machine-id r,
+
+  /var/lib/dbus/machine-id r,
+
+  owner @{user_cache_dirs}/icon-cache.kcache rw,
+  owner @{user_config_dirs}/qt5ct/{,**} r,
+
+  owner /tmp/#@{int} rw,
+  owner /tmp/lxqt-policykit-agent-[0-9].* rwl -> /tmp/#@{int},
+
+  @{run}/systemd/users/@{uid} r,
+
+  @{sys}/devices/system/node/ r,
+  @{sys}/devices/system/node/node@{int}/meminfo r,
+
+  @{PROC}/@{pid}/cgroup r,
+  @{PROC}/@{pid}/cmdline r,
+  @{PROC}/@{pid}/fd/ r,
+  @{PROC}/sys/kernel/core_pattern r,
+
+  /dev/shm/#@{int} rw,
+
+  include if exists <local/lxqt-policykit-agent>
+}
+
+# vim:syntax=apparmor
--- a/apparmor.d/groups/lxqt/lxqt-session
+++ b/apparmor.d/groups/lxqt/lxqt-session
@ -13,7 +13,6 @@ profile lxqt-session @{exec_path} flags=(attach_disconnected) {
  include <abstractions/app-launcher-user>
  include <abstractions/dconf>
  include <abstractions/lxqt>
-  include <abstractions/qt5-shader-cache>
  include <abstractions/nameservice-strict>

  network netlink raw,
@ -60,6 +59,9 @@ profile lxqt-session @{exec_path} flags=(attach_disconnected) {

  owner @{user_config_dirs}/autostart/ r,
  owner @{user_config_dirs}/autostart/*.desktop r,
+  owner @{user_config_dirs}/lxqt/#@{int} rw,
+  owner @{user_config_dirs}/lxqt/session.conf.lock rwk,
+  owner @{user_config_dirs}/lxqt/session.conf.@{rand6} rwl -> @{user_config_dirs}/lxqt/#@{int},
  owner @{user_cache_dirs}/openbox/   rw,
  owner @{user_cache_dirs}/openbox/sessions/          rw,
  owner @{user_cache_dirs}/openbox/openbox.log        rwk,
--- a/apparmor.d/groups/lxqt/pcmanfm-qt
+++ b/apparmor.d/groups/lxqt/pcmanfm-qt
@ -0,0 +1,85 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2020-2021 Mikhail Morfikov
+# Copyright (C) 2024 Besanon  <m231009ts@mailfence.com>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/4.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{bin}/pcmanfm-qt
+profile pcmanfm-qt @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/bus-session>
+  include <abstractions/bus-system>
+  include <abstractions/bus/org.freedesktop.UDisks2>
+  include <abstractions/deny-sensitive-home>
+  include <abstractions/devices-usb>
+  include <abstractions/fontconfig-cache-read>
+  include <abstractions/graphics>
+  include <abstractions/lxqt>
+  include <abstractions/nameservice-strict>
+  include <abstractions/recent-documents-write>
+  include <abstractions/thumbnails-cache-write>
+
+  signal (send) set=(term, kill),
+  signal (receive) set=(term, kill) peer=lxqt-session,
+
+  network netlink raw,
+
+  #aa:exec kioworker
+  #aa:dbus own bus=session name=org.pcmanfm.PCManFM
+
+  @{exec_path} mr,
+
+  @{lib}/menu-cache/menu-cached rix,
+  @{lib}/exec/menu-cache/menu-cache-gen rix,
+
+  #aa:lint ignore=too-wide
+  # Full access to user's data
+  / r,
+  /*/ r,
+  @{bin}/ r,
+  @{lib}/ r,
+  @{MOUNTDIRS}/ r,
+  @{MOUNTS}/ r,
+  @{MOUNTS}/** rw,
+  owner @{HOME}/ r,
+  owner @{HOME}/** rw,
+  owner @{run}/user/@{uid}/ r,
+  owner @{run}/user/@{uid}/** rw,
+  owner @{tmp}/ r,
+  owner @{tmp}/** rw,
+
+  /usr/share/libfm-qt6/{,**} r,
+  /usr/share/pcmanfm-qt/translations/pcmanfm-qt_de.qm r,
+  /usr/share/thumbnailers/{,**} r,
+
+  owner @{user_cache_dirs}/pcmanfm-qt/{,**} rw,
+  owner @{user_config_dirs}/pcmanfm-qt/ rw,
+  owner @{user_config_dirs}/pcmanfm-qt/** rwlk ->  @{user_config_dirs}/pcmanfm-qt/**,
+
+  @{sys}/bus/ r,
+  @{sys}/class/ r,
+  @{sys}/devices/system/node/ r,
+  @{sys}/devices/system/node/node@{int}/meminfo r,
+  @{sys}/fs/cgroup/{,**} r,
+
+  owner @{PROC}/@{pid}/mountinfo r,
+  owner @{PROC}/@{pid}/mounts r,
+  owner @{PROC}/@{pid}/fd/ r,
+  owner @{PROC}/@{pid}/cgroup r,
+
+  # Silence non user's data
+  deny @{efi}/{,**} r,
+  deny /opt/{,**} r,
+  deny /root/{,**} r,
+  deny /tmp/.* rw,
+  deny /tmp/.*/{,**} rw,
+
+  /dev/tty r,
+
+  include if exists <local/pcmanfm-qt>
+}
+
+# vim:syntax=apparmor
--- a/apparmor.d/groups/lxqt/qterminal
+++ b/apparmor.d/groups/lxqt/qterminal
@ -0,0 +1,72 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Jeroen Rijken
+# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
+# Copyright (C) 2024 Besanon <m231009ts@mailfence.com>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/4.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{bin}/qterminal
+profile qterminal @{exec_path} {
+  include <abstractions/audio-client>
+  include <abstractions/base>
+  include <abstractions/consoles>
+  include <abstractions/bus-accessibility>
+  include <abstractions/bus-session>
+  include <abstractions/graphics>
+  include <abstractions/lxqt>
+  include <abstractions/nameservice-strict>
+
+  ptrace (read),
+
+  signal (send) set=(hup),
+  signal (send) set=(kill) peer=htop,
+
+  #aa:dbus own bus=session name=org.QTerminal-@{int}
+
+  @{exec_path} mr,
+  @{bin}/@{shells} rUx,
+  @{browsers_path} rPx,
+  @{bin}/htop  rPx,
+  @{bin}/dbus-launch rPx,
+  @{open_path} rPx -> child-open-help,
+
+  #aa:exec utempter
+
+  /usr/share/color-schemes/{,**} r,
+  /usr/share/kf6/{,**} r,
+  /usr/share/qterminal/{,**} r,
+  /usr/share/sounds/** r,
+  /usr/share/lxqt/lxqt.conf r,
+  /usr/share/qtermwidget6/{,**} r,
+  /etc/xdg/ui/ui_standards.rc r,
+
+  /{,var/}run/systemd/notify w,
+  /var/cache/fontconfig/ rw,
+
+  owner @{HOME}/@{XDG_SSH_DIR}/config r,
+  @{HOME}/.Xdefaults r,
+
+  owner @{user_cache_dirs}/icon-cache.kcache rw,
+  owner @{user_config_dirs}/lxqt/lxqt.conf r,
+  owner @{user_config_dirs}/qterminal.org/{,**} rw,
+  owner @{user_config_dirs}/qterminal.org/#@{int} rwk,
+  owner @{user_config_dirs}/qterminal.org/qterminal.ini.lock rwk,
+  owner @{user_config_dirs}/qterminal.org/qterminal.ini.@{rand6} rwk,
+  owner @{user_config_dirs}/qterminal.org/qterminal.ini.@{rand6}  l -> @{user_config_dirs}/qterminal.org/#@{int},
+
+  owner /tmp/#@{int} rw,
+  owner /tmp/konsole.@{rand6} rw,
+  owner /tmp/xauth_@{rand6} rw,
+
+        @{PROC}/sys/kernel/core_pattern r,
+  owner @{PROC}/@{pid}/cmdline r,
+  owner @{PROC}/@{pid}/stat r,
+  owner @{PROC}/@{pid}/fd/ r,
+
+  include if exists <local/qterminal>
+}
+
+# vim:syntax=apparmor
--- a/apparmor.d/groups/lxqt/startlxqtwayland
+++ b/apparmor.d/groups/lxqt/startlxqtwayland
@ -0,0 +1,91 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
+# Copyright (C) 2024 Besanon  <m231009ts@mailfence.com>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/4.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{bin}/startlxqtwayland
+profile startlxqtwayland @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/consoles>
+  include <abstractions/lxqt>
+
+  signal (receive) set=(term) peer=sddm,
+
+  @{exec_path} mr,
+
+  @{bin}/cat rix,
+  @{bin}/cut rix,
+  @{bin}/cp  rix,
+  @{bin}/dirname rix,
+  @{bin}/labwc  rpx,
+  @{bin}/{,e}grep rix,
+  @{bin}/{m,g,}awk rix,
+  @{bin}/mkdir rix,
+  @{sh_path} rix,
+  @{bin}/lxqt-session rPx,
+  @{bin}/systemd-detect-virt rPx,
+  @{bin}/systemctl                           rCx -> systemctl,
+  @{bin}/dbus-update-activation-environment  rCx -> dbus,
+
+  /usr/share/color-schemes/{,**} r,
+  /usr/share/desktop-directories/{,**} r,
+  /usr/share/icu/@{int}.@{int}/*.dat r,
+  /usr/share/kservices5/{,**} r,
+  /usr/share/mime/{,**} r,
+
+  /etc/locale.alias r,
+  /etc/machine-id r,
+  /etc/xdg/menus/{,**} r,
+
+  @{HOME}/ r,
+  owner @{HOME}/.Xauthority r,
+
+  owner @{user_cache_dirs}/ rw,
+  owner @{user_cache_dirs}/#@{int} rw,
+        @{user_cache_dirs}/ksycoca5_* rwkl -> @{user_cache_dirs}/#@{int},
+
+  owner @{user_config_dirs}/#@{int} rw,
+  owner @{user_config_dirs}/labwc/ rw,
+  owner @{user_config_dirs}/labwc/** rw,
+  owner @{user_config_dirs}/lxqt/ rw,
+  owner @{user_config_dirs}/menus/{,**} r,
+  owner @{user_config_dirs}/lxqt/wayland/ rw,
+
+  owner @{user_share_dirs}/kservices5/{,**} r,
+  owner @{user_share_dirs}/sddm/wayland-session.log rw,
+  owner @{user_share_dirs}/sddm/xorg-session.log rw,
+
+  owner /tmp/#@{int} rw,
+  owner /tmp/startlxqt.@{rand6} rwl -> /tmp/#@{int},
+
+  owner @{run}/user/@{uid}/ r,
+        @{PROC}/sys/kernel/core_pattern r,
+
+  /dev/tty rw,
+  /dev/tty@{int} rw,
+
+  include if exists <local/startlxqtwayland>
+
+  profile systemctl flags=(attach_disconnected) {
+    include <abstractions/base>
+    include <abstractions/app/systemctl>
+
+    include if exists <local/startlxqtwayland_systemctl>
+  }
+
+  profile dbus {
+    include <abstractions/base>
+
+    @{bin}/dbus-update-activation-environment mr,
+
+    owner @{HOME}/.xsession-errors w,
+
+    include if exists <local/startlxqtwayland_dbus>
+  }
+}
+
+# vim:syntax=apparmor
--- a/apparmor.d/profiles-g-l/labwc
+++ b/apparmor.d/profiles-g-l/labwc
@ -17,6 +17,8 @@ profile labwc @{exec_path} flags=(attach_disconnected) {
  include <abstractions/graphics>
  include <abstractions/nameservice-strict>

+  signal (receive) set=term peer=sddm,
+
  network netlink raw,

  @{exec_path} mr,
@ -27,11 +29,16 @@ profile labwc @{exec_path} flags=(attach_disconnected) {

  /usr/share/libinput/ r,
  /usr/share/libinput/*.quirks r,
+  /usr/share/themes/**/themerc r,
+  /usr/share/themes/Vent/openbox-3/*.xbm r,
+  /usr/share/X11/xkb/** r,

  owner @{user_config_dirs}/labwc/ r,
  owner @{user_config_dirs}/labwc/* r,
+  owner @{user_config_dirs}/lxqt/wayland/ rw,

  owner /dev/shm/wayland.mozilla.ipc.@{int} rw,
+  owner /dev/shm/wlroots-@{rand6} rw,

  @{sys}/class/drm/ r,
  @{sys}/class/input/ r,
--- a/apparmor.d/tunables/multiarch.d/programs
+++ b/apparmor.d/tunables/multiarch.d/programs
@ -70,7 +70,7 @@
@{emails_names} = evolution geary

 # File explorers
-@{file_explorers_names} = dolphin nautilus thunar
+@{file_explorers_names} = dolphin nautilus thunar pcmanfm-qt

 # Text editors
@{text_editors_names} = code gedit mousepad gnome-text-editor zeditor zedit zed-cli
@ -91,7 +91,7 @@
@{help_names} = yelp

 # Terminal emulator
-@{terminal_names} = kgx terminator konsole ptyxis
+@{terminal_names} = kgx terminator konsole ptyxis qterminal

 # Backup
@{backup_names} = deja-dup borg