feat(profile): improve kde profiles.

This commit is contained in:
Alexandre Pujol 2025-08-17 17:05:38 +02:00
parent edc2755d61
commit 523522dd1d
No known key found for this signature in database
GPG key ID: C5469996F0DF68EC
14 changed files with 81 additions and 21 deletions


@ -11,6 +11,8 @@ include <tunables/global>
@{exec_path} += @{lib}/polkit-kde-authentication-agent-[0-9] @{exec_path} += @{lib}/polkit-kde-authentication-agent-[0-9]
profile polkit-kde-authentication-agent @{exec_path} flags=(attach_disconnected,mediate_deleted) { profile polkit-kde-authentication-agent @{exec_path} flags=(attach_disconnected,mediate_deleted) {
include <abstractions/base> include <abstractions/base>
include <abstractions/bus-session>
include <abstractions/bus-system>
include <abstractions/consoles> include <abstractions/consoles>
include <abstractions/fontconfig-cache-read> include <abstractions/fontconfig-cache-read>
include <abstractions/graphics> include <abstractions/graphics>
@ -26,6 +28,9 @@ profile polkit-kde-authentication-agent @{exec_path} flags=(attach_disconnected,
signal (send) set=(term, kill) peer=polkit-agent-helper, signal (send) set=(term, kill) peer=polkit-agent-helper,
#aa:dbus own bus=session name=org.kde.polkit-kde-authentication-agent-@{int}
#aa:dbus talk bus=system name=org.freedesktop.PolicyKit1 label=polkitd
@{exec_path} mr, @{exec_path} mr,
@{lib}/polkit-[0-9]/polkit-agent-helper-[0-9] rPx, @{lib}/polkit-[0-9]/polkit-agent-helper-[0-9] rPx,


@ -14,7 +14,8 @@ profile drkonqi-coredump-cleanup @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
@{user_cache_dirs}/kcrash-metadata/ r, @{user_cache_dirs}/kcrash-metadata/ r,
owner @{user_cache_dirs}/kcrash-metadata/plasmashell.@{hex32}.@{int4}.ini w, owner @{user_cache_dirs}/kcrash-metadata/plasmashell.@{hex32}.@{int4}.ini rw,
owner @{user_cache_dirs}/kcrash-metadata/@{int}.ini rw,
include if exists <local/drkonqi-coredump-cleanup> include if exists <local/drkonqi-coredump-cleanup>
} }


@ -18,6 +18,7 @@ profile kded @{exec_path} {
include <abstractions/bus/org.freedesktop.ModemManager1> include <abstractions/bus/org.freedesktop.ModemManager1>
include <abstractions/bus/org.freedesktop.PolicyKit1> include <abstractions/bus/org.freedesktop.PolicyKit1>
include <abstractions/bus/org.freedesktop.UDisks2> include <abstractions/bus/org.freedesktop.UDisks2>
include <abstractions/common/apt> #aa:only apt
include <abstractions/consoles> include <abstractions/consoles>
include <abstractions/dconf-write> include <abstractions/dconf-write>
include <abstractions/devices-usb> include <abstractions/devices-usb>
@ -26,16 +27,19 @@ profile kded @{exec_path} {
include <abstractions/kde-globals-write> include <abstractions/kde-globals-write>
include <abstractions/kde-strict> include <abstractions/kde-strict>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/ssl_certs>
include <abstractions/wutmp> include <abstractions/wutmp>
capability sys_ptrace, capability sys_ptrace,
network inet dgram, network inet dgram,
network inet stream,
network inet6 dgram, network inet6 dgram,
network netlink raw, network inet6 stream,
network netlink dgram, network netlink dgram,
network netlink raw,
ptrace (read), ptrace read,
signal send set=hup peer=xsettingsd, signal send set=hup peer=xsettingsd,
signal send set=term peer=kioworker, signal send set=term peer=kioworker,
@ -78,11 +82,13 @@ profile kded @{exec_path} {
@{exec_path} mrix, @{exec_path} mrix,
@{python_path} rix,
@{bin}/dpkg rPx -> child-dpkg,
@{bin}/flatpak rPx,
@{bin}/kcminit rPx, @{bin}/kcminit rPx,
@{bin}/lsb_release rPx,
@{bin}/pgrep rCx -> pgrep, @{bin}/pgrep rCx -> pgrep,
@{bin}/plasma-welcome rPUx, @{bin}/plasma-welcome rPUx,
@{python_path} rix,
@{bin}/flatpak rPx,
@{bin}/setxkbmap rix, @{bin}/setxkbmap rix,
@{bin}/xmodmap rPUx, @{bin}/xmodmap rPUx,
@{bin}/xrdb rPx, @{bin}/xrdb rPx,
@ -94,18 +100,22 @@ profile kded @{exec_path} {
#aa:exec kconf_update #aa:exec kconf_update
/usr/share/color-schemes/{,**} r, /usr/share/color-schemes/{,**} r,
/usr/share/distro-info/{,**} r,
/usr/share/distro-release-notifier/{,**} r,
/usr/share/kconf_update/ r, /usr/share/kconf_update/ r,
/usr/share/kded{5,6}/{,**} r, /usr/share/kded{5,6}/{,**} r,
/usr/share/kf{5,6}/kcookiejar/* r, /usr/share/kf{5,6}/kcookiejar/* r,
/usr/share/khotkeys/{,**} r, /usr/share/khotkeys/{,**} r,
/usr/share/kservices{5,6}/{,**} r, /usr/share/kservices{5,6}/{,**} r,
/usr/share/kservicetypes5/{,**} r, /usr/share/kservicetypes5/{,**} r,
/usr/share/ubuntu-release-upgrader/{,*} r,
/etc/fstab r, /etc/fstab r,
/etc/xdg/accept-languages.codes r, /etc/xdg/accept-languages.codes r,
/etc/xdg/kde* r, /etc/xdg/kde* r,
/etc/xdg/kioslaverc r, /etc/xdg/kioslaverc r,
/etc/xdg/menus/{,**} r, /etc/xdg/menus/{,**} r,
/etc/update-manager/{,**} r,
/etc/machine-id r, /etc/machine-id r,
/var/lib/dbus/machine-id r, /var/lib/dbus/machine-id r,
@ -113,6 +123,8 @@ profile kded @{exec_path} {
/ r, / r,
@{efi}/ r, @{efi}/ r,
owner /var/lib/update-manager/meta-release-lts rw,
owner @{HOME}/ r, owner @{HOME}/ r,
owner @{HOME}/.gtkrc-2.0 rw, owner @{HOME}/.gtkrc-2.0 rw,
@ -125,6 +137,7 @@ profile kded @{exec_path} {
@{user_cache_dirs}/ksycoca{5,6}_* rwlk -> @{user_cache_dirs}/#@{int}, @{user_cache_dirs}/ksycoca{5,6}_* rwlk -> @{user_cache_dirs}/#@{int},
owner @{user_cache_dirs}/plasmashell/ rw, owner @{user_cache_dirs}/plasmashell/ rw,
owner @{user_cache_dirs}/plasmashell/** rwlk -> @{user_cache_dirs}/plasmashell/**, owner @{user_cache_dirs}/plasmashell/** rwlk -> @{user_cache_dirs}/plasmashell/**,
owner @{user_cache_dirs}/update-manager-core/meta-release-lts rw,
@{user_config_dirs}/kcookiejarrc.lock rwk, @{user_config_dirs}/kcookiejarrc.lock rwk,
@{user_config_dirs}/kcookiejarrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, @{user_config_dirs}/kcookiejarrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
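Review bot: The new `network inet stream,` / `network inet6 stream,` rules together with `abstractions/ssl_certs` give kded general outbound TCP, and nothing in the hunk records which in-process module needs it; because kded hosts all kded modules in one process AppArmor cannot scope this any further, so the rules deserve a comment such as `# Outbound TLS: distro-release-notifier fetches meta-release (TODO confirm module)`. If, as the neighbouring `meta-release-lts` and `update-manager` rules suggest, the only consumer is the Ubuntu release notifier, the network and `ssl_certs` lines should carry the same `#aa:only apt` tag as the `abstractions/common/apt` include, as should `@{bin}/dpkg rPx -> child-dpkg`, `@{bin}/lsb_release rPx`, the `distro-info`, `distro-release-notifier`, `ubuntu-release-upgrader` and `update-manager` paths and both `meta-release-lts` rules, so that other distributions do not inherit them. The kded profile continues outside the hunks shown.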


@ -56,7 +56,9 @@ profile konsole @{exec_path} flags=(attach_disconnected,mediate_deleted) {
owner @{user_config_dirs}/breezerc r, owner @{user_config_dirs}/breezerc r,
owner @{user_config_dirs}/kbookmarkrc r, owner @{user_config_dirs}/kbookmarkrc r,
owner @{user_config_dirs}/konsole.notifyrc r, owner @{user_config_dirs}/konsole.notifyrc r,
owner @{user_config_dirs}/konsolerc{,*} rwlk, owner @{user_config_dirs}/konsolerc rwl,
owner @{user_config_dirs}/konsolerc.@{rand6} rwl,
owner @{user_config_dirs}/konsolerc.lock rwk,
owner @{user_config_dirs}/konsolesshconfig rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/konsolesshconfig rwl -> @{user_config_dirs}/#@{int},
owner @{user_config_dirs}/konsolesshconfig.@{rand6} rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/konsolesshconfig.@{rand6} rwl -> @{user_config_dirs}/#@{int},
owner @{user_config_dirs}/konsolesshconfig.lock rwk, owner @{user_config_dirs}/konsolesshconfig.lock rwk,
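Review bot: The rules that replace `konsolerc{,*} rwlk` keep an unqualified `l`, so the `konsolerc` and `konsolerc.@{rand6}` names may be linked to any file the profile already holds equivalent permissions on, whereas the `konsolesshconfig` rules two lines below pin the link target with `-> @{user_config_dirs}/#@{int}`. Assuming konsolerc is written through the same temp-file-then-link sequence (the `.@{rand6}` and `.lock` companions suggest so — verify against the audit log), the same qualifier fits here: `owner @{user_config_dirs}/konsolerc rwl -> @{user_config_dirs}/#@{int},` and `owner @{user_config_dirs}/konsolerc.@{rand6} rwl -> @{user_config_dirs}/#@{int},`. The konsole profile continues outside this hunk.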


@ -45,6 +45,8 @@ profile kwalletd @{exec_path} {
owner @{user_share_dirs}/kwalletd/ rw, owner @{user_share_dirs}/kwalletd/ rw,
owner @{user_share_dirs}/kwalletd/** rwkl -> @{user_share_dirs}/kwalletd/#@{int}, owner @{user_share_dirs}/kwalletd/** rwkl -> @{user_share_dirs}/kwalletd/#@{int},
owner @{run}/user/@{uid}/kwallet{5,6}.socket r,
owner @{tmp}/kwalletd5.* rw, owner @{tmp}/kwalletd5.* rw,
owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/cmdline r,
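Review bot: The new `owner @{run}/user/@{uid}/kwallet{5,6}.socket r` rule has no comment saying who creates this socket and which side kwalletd is on, which matters for judging whether `r` is the complete permission set: connect() or accept() on a path-bound unix socket is normally logged with a `w` component rather than plain `r`. If, as the path suggests, this is the channel through which pam_kwallet hands the wallet credential to kwalletd at login (verify from the original denial), a one-line comment such as `# Socket set up by pam_kwallet to hand over the wallet credential at login` would document that, and `owner` is the right restriction for a secret-bearing socket. The kwalletd profile continues outside this hunk.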


@ -23,14 +23,17 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) {
capability sys_nice, capability sys_nice,
capability sys_ptrace, capability sys_ptrace,
ptrace (read),
signal (receive) set=term peer=sddm,
signal (receive) set=(kill, term) peer=kwin_wayland_wrapper,
signal (send) set=(kill, term) peer=xwayland,
network netlink raw, network netlink raw,
ptrace read,
signal receive set=term peer=sddm,
signal receive set=(kill, term) peer=kwin_wayland_wrapper,
signal send set=(kill, term) peer=xwayland,
unix type=stream peer=(label=xkbcomp),
unix type=stream peer=(label=xwayland),
#aa:dbus own bus=session name=org.freedesktop.ScreenSaver #aa:dbus own bus=session name=org.freedesktop.ScreenSaver
#aa:dbus own bus=session name=org.kde.kglobalaccel #aa:dbus own bus=session name=org.kde.kglobalaccel
#aa:dbus own bus=session name=org.kde.KWin #aa:dbus own bus=session name=org.kde.KWin
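Review bot: The two new `unix type=stream peer=(label=…)` rules carry no access list, and a unix rule without one grants every unix access (create, bind, listen, accept, connect, send, receive, getattr, setopt, …) towards that peer. If these are the socketpair-backed descriptors kwin hands to the xwayland and xkbcomp children it spawns (the adjacent `signal send … peer=xwayland` rule suggests so — confirm against the denials that motivated the rules), only data transfer is needed: `unix (send, receive) type=stream peer=(label=xkbcomp),` and `unix (send, receive) type=stream peer=(label=xwayland),`. Narrowing it now keeps the label-scoped grant from also covering connect/accept should either program later expose a named socket. The kwin_wayland profile continues outside this hunk.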


@ -80,6 +80,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
/opt/**/share/icons/{,**} r, /opt/**/share/icons/{,**} r,
/opt/*/**/*.desktop r, /opt/*/**/*.desktop r,
/opt/*/**/*.png r, /opt/*/**/*.png r,
/snap/*/@{uid}/**.@{image_ext} r,
/usr/share/*/icons/{,**} r, /usr/share/*/icons/{,**} r,
/usr/share/akonadi/{,**} r, /usr/share/akonadi/{,**} r,
/usr/share/desktop-directories/kf5-*.directory r, /usr/share/desktop-directories/kf5-*.directory r,
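Review bot: `/snap/*/@{uid}/**.@{image_ext} r` uses `@{uid}` for the second path component, but under `/snap/<name>/` that component is the snap revision number, not a user id; the rule presumably matches only because both variables expand to digit strings, and a reader will take the path to be user-scoped. Use the generic integer variable instead, `/snap/*/@{int}/**.@{image_ext} r,` (or `/snap/*/current/**` if plasmashell resolves the symlink — confirm from the audit log), which also keeps the rule from narrowing silently if `@{uid}` is ever restricted to realistic uid values. The plasmashell profile continues outside this hunk.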


@ -66,20 +66,26 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) {
@{lib}/{,sddm/}sddm-helper-start-x11user rix, @{lib}/{,sddm/}sddm-helper-start-x11user rix,
@{shells_path} rix, @{shells_path} rix,
@{bin}/{,e}grep rix,
@{bin}/basename rix,
@{bin}/cat rix, @{bin}/cat rix,
@{sbin}/checkproc rix, @{bin}/date rix,
@{bin}/dirname rix,
@{bin}/disable-paste rix, @{bin}/disable-paste rix,
@{bin}/id rix,
@{bin}/locale rix, @{bin}/locale rix,
@{bin}/manpath rix, @{bin}/manpath rix,
@{bin}/mktemp rix, @{bin}/mktemp rix,
@{bin}/pidof rix, @{bin}/pidof rix,
@{bin}/readlink rix, @{bin}/readlink rix,
@{bin}/realpath rix, @{bin}/realpath rix,
@{bin}/sed rix,
@{bin}/tr rix, @{bin}/tr rix,
@{bin}/tty rix, @{bin}/tty rix,
@{bin}/uname rix, @{bin}/uname rix,
@{bin}/xdm r, @{bin}/xdm r,
@{bin}/xmodmap rix, @{bin}/xmodmap rix,
@{sbin}/checkproc rix,
@{bin}/dbus-run-session rPx -> dbus-session, @{bin}/dbus-run-session rPx -> dbus-session,
@{bin}/dbus-update-activation-environment rPx -> dbus-session, @{bin}/dbus-update-activation-environment rPx -> dbus-session,
@ -98,6 +104,7 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) {
@{bin}/systemctl rCx -> systemctl, @{bin}/systemctl rCx -> systemctl,
@{bin}/xauth rCx -> xauth, @{bin}/xauth rCx -> xauth,
@{bin}/Xorg rPx, @{bin}/Xorg rPx,
@{bin}/xrandr rPx,
@{bin}/xrdb rPx, @{bin}/xrdb rPx,
@{bin}/xset rPx, @{bin}/xset rPx,
@{bin}/xsetroot rPx, @{bin}/xsetroot rPx,


@ -25,9 +25,11 @@ profile sddm-xsession @{exec_path} {
@{bin}/chmod rix, @{bin}/chmod rix,
@{bin}/csh rix, @{bin}/csh rix,
@{bin}/date rix, @{bin}/date rix,
@{bin}/dpkg-query rpx,
@{bin}/fish rix, @{bin}/fish rix,
@{bin}/gettext rix,
@{bin}/gettext.sh r, @{bin}/gettext.sh r,
@{bin}/gpgconf rCx -> gpg, @{bin}/gpgconf rCx -> gpg,
@{bin}/id rix, @{bin}/id rix,
@{bin}/locale rix, @{bin}/locale rix,
@{bin}/locale-check rix, @{bin}/locale-check rix,
@ -40,12 +42,13 @@ profile sddm-xsession @{exec_path} {
@{bin}/tcsh rix, @{bin}/tcsh rix,
@{bin}/tempfile rix, @{bin}/tempfile rix,
@{bin}/touch rix, @{bin}/touch rix,
@{bin}/tr rix,
@{bin}/which{,.debianutils} rix, @{bin}/which{,.debianutils} rix,
@{bin}/zsh rix,
@{bin}/dbus-update-activation-environment rCx -> dbus, @{bin}/dbus-update-activation-environment rCx -> dbus,
@{bin}/flatpak rPx, @{bin}/flatpak rPx,
@{bin}/numlockx rPx, @{bin}/numlockx rPx,
@{bin}/xbrlapi rPx,
@{bin}/xhost rPx, @{bin}/xhost rPx,
@{bin}/xrdb rPx, @{bin}/xrdb rPx,
/etc/X11/Xsession rPx, /etc/X11/Xsession rPx,
@ -60,7 +63,9 @@ profile sddm-xsession @{exec_path} {
@{system_share_dirs}/im-config/data/{,*} r, @{system_share_dirs}/im-config/data/{,*} r,
@{system_share_dirs}/im-config/xinputrc.common r, @{system_share_dirs}/im-config/xinputrc.common r,
@{system_share_dirs}/libdebuginfod-common/debuginfod.sh r,
/etc/debuginfod/{,**} r,
/etc/default/{,*} r, /etc/default/{,*} r,
/etc/X11/{,**} r, /etc/X11/{,**} r,
@ -71,7 +76,7 @@ profile sddm-xsession @{exec_path} {
owner @{tmp}/xsess-env-* rw, owner @{tmp}/xsess-env-* rw,
owner @{tmp}/file* rw, owner @{tmp}/file* rw,
audit owner @{tmp}/tmp.* rw, owner @{tmp}/tmp.@{rand10} rw,
owner @{PROC}/@{pid}/loginuid r, owner @{PROC}/@{pid}/loginuid r,
@ -133,6 +138,8 @@ profile sddm-xsession @{exec_path} {
@{PROC}/@{pid}/fd/ r, @{PROC}/@{pid}/fd/ r,
@{PROC}/@{pid}/task/@{tid}/comm rw, @{PROC}/@{pid}/task/@{tid}/comm rw,
owner @{HOME}/.xsession-errors w,
/dev/tty@{int} rw, /dev/tty@{int} rw,
owner /dev/pts/@{int} rw, owner /dev/pts/@{int} rw,
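Review bot: `@{bin}/dpkg-query rpx` uses the lowercase `p` transition, which — unlike the `rPx` used for `flatpak`, `numlockx`, `xbrlapi`, `xhost` and `xrdb` in the same hunk — does not scrub the environment on entry to the dpkg-query profile, so variables such as `LD_PRELOAD` from the user's session survive the transition. Unless the lowercase form is deliberate, make it `@{bin}/dpkg-query rPx,`; the same lowercase `px` appears in the wayland-session profile in this commit. Either form only works if a `dpkg-query` profile is loaded, since a `p` transition with no matching profile is a denied exec. The sddm-xsession profile continues outside the hunks shown.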


@ -36,6 +36,7 @@ profile startplasma @{exec_path} {
@{lib}/@{multiarch}/libexec/plasma-sourceenv.sh r, @{lib}/@{multiarch}/libexec/plasma-sourceenv.sh r,
/usr/share/byobu/desktop/{,**} r,
/usr/share/color-schemes/{,**} r, /usr/share/color-schemes/{,**} r,
/usr/share/desktop-directories/{,**} r, /usr/share/desktop-directories/{,**} r,
/usr/share/kservices{5,6}/{,**} r, /usr/share/kservices{5,6}/{,**} r,


@ -80,6 +80,7 @@ profile systemsettings @{exec_path} {
owner @{user_cache_dirs}/ksvg-elements.@{rand6} rwlk -> @{user_cache_dirs}/#@{int}, owner @{user_cache_dirs}/ksvg-elements.@{rand6} rwlk -> @{user_cache_dirs}/#@{int},
owner @{user_cache_dirs}/ksvg-elements.lock rwlk, owner @{user_cache_dirs}/ksvg-elements.lock rwlk,
owner @{user_cache_dirs}/plasma_theme_*.kcache rw, owner @{user_cache_dirs}/plasma_theme_*.kcache rw,
owner @{user_cache_dirs}/plasma-svgelements r,
owner @{user_cache_dirs}/systemsettings/ rw, owner @{user_cache_dirs}/systemsettings/ rw,
owner @{user_cache_dirs}/systemsettings/** rwlk -> @{user_cache_dirs}/systemsettings/**, owner @{user_cache_dirs}/systemsettings/** rwlk -> @{user_cache_dirs}/systemsettings/**,


@ -13,14 +13,29 @@ profile wayland-session @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
@{shells_path} rix, @{shells_path} rix,
@{bin}/id rix, @{bin}/cat ix,
@{bin}/dpkg-query px,
@{bin}/gettext ix,
@{bin}/gettext.sh r,
@{bin}/id ix,
@{bin}/locale ix,
@{bin}/locale-check ix,
@{bin}/sed ix,
@{bin}/tr ix,
@{lib}/plasma-dbus-run-session-if-needed rix, @{bin}/startplasma-wayland Px,
@{lib}/@{multiarch}/libexec/plasma-dbus-run-session-if-needed rix, @{lib}/@{multiarch}/libexec/plasma-dbus-run-session-if-needed ix,
@{bin}/startplasma-wayland rPx, @{lib}/plasma-dbus-run-session-if-needed ix,
/usr/share/im-config/{,**} r,
/usr/share/libdebuginfod-common/debuginfod.sh r,
/etc/debuginfod/{,**} r,
/etc/default/im-config r,
/etc/machine-id r, /etc/machine-id r,
/etc/X11/xinit/xinputrc r,
/etc/X11/Xsession.d/*im-config_launch r,
owner @{user_share_dirs}/sddm/wayland-session.log rw, owner @{user_share_dirs}/sddm/wayland-session.log rw,
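Review bot: The rewritten exec rules drop the `r` that every other profile in this commit keeps (`rix`, `rPx`), and that matters for `@{lib}/plasma-dbus-run-session-if-needed ix` and its `@{multiarch}/libexec` twin: as far as I can tell that file is a shell script, and a script run under `ix` still has to be opened by the interpreter, which needs `r` on the script path in the same profile, so these lines are likely to start producing denied reads. `@{bin}/dpkg-query px` additionally uses the lowercase transition that does not scrub the environment, where the profile's other transition, `@{bin}/startplasma-wayland Px`, uses `Px`. Suggested: `@{bin}/dpkg-query rPx,`, `@{lib}/plasma-dbus-run-session-if-needed rix,` and `@{lib}/@{multiarch}/libexec/plasma-dbus-run-session-if-needed rix,`. The wayland-session profile continues outside this hunk.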


@ -16,6 +16,7 @@ profile xembedsniproxy @{exec_path} {
include <abstractions/graphics> include <abstractions/graphics>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/qt5> include <abstractions/qt5>
include <abstractions/X-strict>
@{exec_path} mr, @{exec_path} mr,


@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{bin}/xsettingsd @{exec_path} = @{bin}/xsettingsd
profile xsettingsd @{exec_path} { profile xsettingsd @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/X-strict>
signal (receive) set=hup peer=kded, signal (receive) set=hup peer=kded,