diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde b/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde
index 309248e18..3b02d2b16 100644
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde
@@ -21,6 +21,8 @@ profile xdg-desktop-portal-kde @{exec_path} {
 network inet6 stream,
 network netlink raw,
+ signal send set=term peer=kioworker,
+
 @{exec_path} mr,
 #aa:exec kioworker
@@ -33,6 +35,8 @@ profile xdg-desktop-portal-kde @{exec_path} {
 owner @{run}/user/@{uid}/xdg-desktop-portal-kde@{rand6}.*.socket rw,
+ owner @{PROC}/@{pid}/mountinfo r,
+
 /dev/tty r,
 include if exists
diff --git a/apparmor.d/groups/kde/dolphin b/apparmor.d/groups/kde/dolphin
index d01965bb0..b42b37dec 100644
--- a/apparmor.d/groups/kde/dolphin
+++ b/apparmor.d/groups/kde/dolphin
@@ -21,6 +21,7 @@ profile dolphin @{exec_path} {
 include
 include
 include
+ include
 network netlink raw,
@@ -98,9 +99,40 @@ profile dolphin @{exec_path} {
 owner @{run}/user/@{uid}/#@{int} rw,
 owner @{run}/user/@{uid}/dolphin@{rand6}.@{int}.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int},
+ @{run}/udev/data/+acpi:* r, # for acpi
+ @{run}/udev/data/+bluetooth:* r,
+ @{run}/udev/data/+dmi* r, # for motherboard info
+ @{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard
+ @{run}/udev/data/+i2c:* r,
+ @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad
+ @{run}/udev/data/+leds:* r,
+ @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.)
+ @{run}/udev/data/+platform:* r,
+ @{run}/udev/data/+power_supply* r,
+ @{run}/udev/data/+rfkill:* r,
+ @{run}/udev/data/+sound:card@{int} r, # for sound card
+
+ @{run}/udev/data/c1:@{int} r, # For RAM disk
+ @{run}/udev/data/c4:@{int} r, # For TTY devices
+ @{run}/udev/data/c5:@{int} r, # for /dev/tty, /dev/console, /dev/ptmx
+ @{run}/udev/data/c7:@{int} r, # For Virtual console capture devices
+ @{run}/udev/data/c10:@{int} r, # for non-serial mice, misc features
+ @{run}/udev/data/c116:@{int} r, # For ALSA
+ @{run}/udev/data/c13:@{int} r, # For /dev/input/*
+ @{run}/udev/data/c18[0,8,9]:@{int} r, # USB devices & USB serial converters
+ @{run}/udev/data/c29:@{int} r, # For /dev/fb[0-9]*
+ @{run}/udev/data/c89:@{int} r, # For I2C bus interface
+ @{run}/udev/data/c202:@{int} r, # CPU model-specific registers
+ @{run}/udev/data/c203:@{int} r, # CPU CPUID information
+ @{run}/udev/data/c226:@{int} r, # For /dev/dri/card[0-9]*
+ @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511
+ @{sys}/bus/ r,
 @{sys}/bus/*/devices/ r,
+ @{sys}/class/*/ r,
+ @{sys}/devices/**/uevent r,
+ owner @{PROC}/@{pid}/cmdline r,
 owner @{PROC}/@{pid}/mountinfo r,
 owner @{PROC}/@{pid}/mounts r,
diff --git a/apparmor.d/groups/kde/kioworker b/apparmor.d/groups/kde/kioworker
index 37dd3eeae..e992e09fd 100644
--- a/apparmor.d/groups/kde/kioworker
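Review bot: The character class in `@{run}/udev/data/c18[0,8,9]:@{int} r,` also matches a literal comma, because AppArmor brackets are a character set rather than a list; `c18[089]:@{int}` says what is meant without the stray character. Beyond that, the hunk grants dolphin read access to the udev database entry of nearly every device class on the machine, including the MSR and CPUID nodes (`c202`, `c203`), plus `@{sys}/devices/**/uevent`, and the per-line comments only name the major number, not which dolphin feature consumes the inventory. A group header such as `# Device enumeration (presumably Solid/udev for the Places panel — confirm)` would let a later reviewer prune lines that turn out to be unneeded. The enclosing profile block starts and ends outside the hunk.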
+++ b/apparmor.d/groups/kde/kioworker
@@ -26,10 +26,11 @@ profile kioworker @{exec_path} {
 network netlink raw,
 network netlink dgram,
- signal (receive) set=term peer=dolphin,
- signal (receive) set=term peer=firefox-kmozillahelper,
- signal (receive) set=term peer=plasma-discover,
- signal (receive) set=term peer=plasmashell,
+ signal receive set=term peer=dolphin,
+ signal receive set=term peer=firefox-kmozillahelper,
+ signal receive set=term peer=plasma-discover,
+ signal receive set=term peer=plasmashell,
+ signal receive set=term peer=xdg-desktop-portal-kde,
 @{exec_path} mr,
@@ -37,6 +38,7 @@ profile kioworker @{exec_path} {
 @{lib}/libheif/*.so* rm,
 @{bin}/wrestool rPUx,
+ @{bin}/gs rPUx,
 #aa:exec kio_http_cache_cleaner
@@ -91,6 +93,7 @@ profile kioworker @{exec_path} {
 owner @{run}/user/@{uid}/kio_*.socket rwl -> @{run}/user/@{uid}/#@{int},
 owner @{run}/user/@{uid}/kioworker*.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int},
+ owner @{PROC}/@{pid}/cmdline r,
 owner @{PROC}/@{pid}/mountinfo r,
 owner @{PROC}/@{pid}/mounts r,
diff --git a/apparmor.d/groups/kde/plasmashell b/apparmor.d/groups/kde/plasmashell
index 0d8a5d8cb..f800136e0 100644
--- a/apparmor.d/groups/kde/plasmashell
+++ b/apparmor.d/groups/kde/plasmashell
@@ -93,6 +93,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
 @{MOUNTS}/ r,
 @{HOME}/ r,
+ owner @{HOME}/.mozilla/firefox/firefox-mpris/{,*} r,
 owner @{HOME}/.var/app/**.{png,jpg,svg} r,
 owner @{HOME}/@{XDG_DESKTOP_DIR}/*.desktop r,
 owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r,
@@ -137,6 +138,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
 owner @{user_config_dirs}/kcookiejarrc r,
 owner @{user_config_dirs}/kdedefaults/plasmarc r,
 owner @{user_config_dirs}/kdiff3fileitemactionrc r,
+ owner @{user_config_dirs}/kiorc r,
 owner @{user_config_dirs}/kioslaverc r,
 owner @{user_config_dirs}/klaunchrc r,
 owner @{user_config_dirs}/klipperrc r,
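Review bot: `@{bin}/gs rPUx,` in the second kioworker hunk lets Ghostscript fall back to running unconfined (`U`) whenever no `gs` profile is loaded, and kioworker hands it user-supplied files (presumably PostScript/PDF previews — the call site is not in the hunk). Ghostscript's interpreter is a recurring target for crafted documents, so an unconfined fallback here is worse than for the neighbouring `@{bin}/wrestool rPUx,`; if this tree ships a gs profile, `@{bin}/gs rPx,` makes confinement mandatory, and if it does not, a comment such as `# gs renders untrusted documents; fallback to unconfined is deliberate until a gs profile exists` should record the decision. The enclosing profile block starts and ends outside the hunk.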
@@ -156,7 +158,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
 owner @{user_share_dirs}/kactivitymanagerd/resources/database-shm rwk,
 owner @{user_share_dirs}/kactivitymanagerd/resources/database-wal rw,
 owner @{user_share_dirs}/kio/servicemenus/{,**} r,
- owner @{user_share_dirs}/klipper/{,*} rwl,
+ owner @{user_share_dirs}/klipper/{,**} rwl,
 owner @{user_share_dirs}/konsole/ r,
 owner @{user_share_dirs}/kpeople/persondb rwk,
 owner @{user_share_dirs}/kpeoplevcard/ r,
diff --git a/apparmor.d/profiles-s-z/thunderbird b/apparmor.d/profiles-s-z/thunderbird
index 9a50dafa0..594d04b64 100644
--- a/apparmor.d/profiles-s-z/thunderbird
+++ b/apparmor.d/profiles-s-z/thunderbird
@@ -37,6 +37,9 @@ profile thunderbird @{exec_path} {
 # Desktop integration
 @{open_path} rPx -> child-open,
+ # Extensions
+ @{bin}/SysTray-X rPUx,
+
 /usr/share/lightning/{,**} r,
 owner /var/mail/** rwk,
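Review bot: `@{bin}/SysTray-X rPUx,` in the thunderbird hunk falls back to unconfined execution when no SysTray-X profile is loaded, and this commit adds no such profile, so the helper will most likely run with no confinement at all as a child of a mail client that processes untrusted content. If a dedicated profile is not planned, `@{bin}/SysTray-X rix,` keeps it inside thunderbird's own confinement, and `rCx` with a child profile is the option if it needs less; if a profile exists elsewhere in the tree, `rPx` makes it mandatory rather than optional. The `# Extensions` header would also be clearer as `# Extensions (native messaging hosts)` if that is what SysTray-X is here — confirm. The enclosing profile block starts and ends outside the hunk.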