feat(profile): improve kde profiles.

See #676
2025-03-06 21:53:41 +01:00 · 2025-03-06 21:53:41 +01:00 · 7e1c08b75d
commit 7e1c08b75d
parent 06f2fb4659
5 changed files with 49 additions and 5 deletions
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde
@ -21,6 +21,8 @@ profile xdg-desktop-portal-kde @{exec_path} {
  network inet6 stream,
  network netlink raw,

+  signal send set=term peer=kioworker,
+
  @{exec_path} mr,

  #aa:exec kioworker
@ -33,6 +35,8 @@ profile xdg-desktop-portal-kde @{exec_path} {

  owner @{run}/user/@{uid}/xdg-desktop-portal-kde@{rand6}.*.socket rw,

+  owner @{PROC}/@{pid}/mountinfo r,
+
  /dev/tty r,

  include if exists <local/xdg-desktop-portal-kde>
--- a/apparmor.d/groups/kde/dolphin
+++ b/apparmor.d/groups/kde/dolphin
@ -21,6 +21,7 @@ profile dolphin @{exec_path} {
  include <abstractions/kde-strict>
  include <abstractions/nameservice-strict>
  include <abstractions/recent-documents-write>
+  include <abstractions/thumbnails-cache-write>

  network netlink raw,

@ -98,9 +99,40 @@ profile dolphin @{exec_path} {
  owner @{run}/user/@{uid}/#@{int} rw,
  owner @{run}/user/@{uid}/dolphin@{rand6}.@{int}.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int},

+  @{run}/udev/data/+acpi:* r,             # for acpi
+  @{run}/udev/data/+bluetooth:* r,
+  @{run}/udev/data/+dmi* r,               # for motherboard info
+  @{run}/udev/data/+hid:* r,              # for HID-Compliant Keyboard
+  @{run}/udev/data/+i2c:* r,
+  @{run}/udev/data/+input:input@{int} r,  # for mouse, keyboard, touchpad
+  @{run}/udev/data/+leds:* r,
+  @{run}/udev/data/+pci:* r,              # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.)
+  @{run}/udev/data/+platform:* r,
+  @{run}/udev/data/+power_supply* r,
+  @{run}/udev/data/+rfkill:* r,
+  @{run}/udev/data/+sound:card@{int} r,   # for sound card
+
+  @{run}/udev/data/c1:@{int}    r,        # For RAM disk
+  @{run}/udev/data/c4:@{int} r,           # For TTY devices
+  @{run}/udev/data/c5:@{int}   r,         # for /dev/tty, /dev/console, /dev/ptmx
+  @{run}/udev/data/c7:@{int} r,           # For Virtual console capture devices
+  @{run}/udev/data/c10:@{int} r,          # for non-serial mice, misc features
+  @{run}/udev/data/c116:@{int} r,         # For ALSA
+  @{run}/udev/data/c13:@{int}  r,         # For /dev/input/*
+  @{run}/udev/data/c18[0,8,9]:@{int} r,   # USB devices & USB serial converters
+  @{run}/udev/data/c29:@{int} r,          # For /dev/fb[0-9]*
+  @{run}/udev/data/c89:@{int} r,          # For I2C bus interface
+  @{run}/udev/data/c202:@{int} r,         # CPU model-specific registers
+  @{run}/udev/data/c203:@{int} r,         # CPU CPUID information
+  @{run}/udev/data/c226:@{int} r,         # For /dev/dri/card[0-9]*
+  @{run}/udev/data/c@{dynamic}:@{int} r,  # For dynamic assignment range 234 to 254, 384 to 511
+
  @{sys}/bus/ r,
  @{sys}/bus/*/devices/ r,
+  @{sys}/class/*/ r,
+  @{sys}/devices/**/uevent r,

+  owner @{PROC}/@{pid}/cmdline r,
  owner @{PROC}/@{pid}/mountinfo r,
  owner @{PROC}/@{pid}/mounts r,

--- a/apparmor.d/groups/kde/kioworker
+++ b/apparmor.d/groups/kde/kioworker
@ -26,10 +26,11 @@ profile kioworker @{exec_path} {
  network netlink raw,
  network netlink dgram,

-  signal (receive) set=term peer=dolphin,
-  signal (receive) set=term peer=firefox-kmozillahelper,
-  signal (receive) set=term peer=plasma-discover,
-  signal (receive) set=term peer=plasmashell,
+  signal receive set=term peer=dolphin,
+  signal receive set=term peer=firefox-kmozillahelper,
+  signal receive set=term peer=plasma-discover,
+  signal receive set=term peer=plasmashell,
+  signal receive set=term peer=xdg-desktop-portal-kde,     

  @{exec_path} mr,

@ -37,6 +38,7 @@ profile kioworker @{exec_path} {
  @{lib}/libheif/*.so* rm,

  @{bin}/wrestool rPUx,
+  @{bin}/gs rPUx,

  #aa:exec kio_http_cache_cleaner

@ -91,6 +93,7 @@ profile kioworker @{exec_path} {
  owner @{run}/user/@{uid}/kio_*.socket rwl -> @{run}/user/@{uid}/#@{int},
  owner @{run}/user/@{uid}/kioworker*.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int},

+  owner @{PROC}/@{pid}/cmdline r,
  owner @{PROC}/@{pid}/mountinfo r,
  owner @{PROC}/@{pid}/mounts r,

--- a/apparmor.d/groups/kde/plasmashell
+++ b/apparmor.d/groups/kde/plasmashell
@ -93,6 +93,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
  @{MOUNTS}/ r,

        @{HOME}/ r,
+  owner @{HOME}/.mozilla/firefox/firefox-mpris/{,*} r,
  owner @{HOME}/.var/app/**.{png,jpg,svg} r,
  owner @{HOME}/@{XDG_DESKTOP_DIR}/*.desktop r,
  owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r,
@ -137,6 +138,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
  owner @{user_config_dirs}/kcookiejarrc r,
  owner @{user_config_dirs}/kdedefaults/plasmarc r,
  owner @{user_config_dirs}/kdiff3fileitemactionrc r,
+  owner @{user_config_dirs}/kiorc r,
  owner @{user_config_dirs}/kioslaverc r,
  owner @{user_config_dirs}/klaunchrc r,
  owner @{user_config_dirs}/klipperrc r,
@ -156,7 +158,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
  owner @{user_share_dirs}/kactivitymanagerd/resources/database-shm rwk,
  owner @{user_share_dirs}/kactivitymanagerd/resources/database-wal rw,
  owner @{user_share_dirs}/kio/servicemenus/{,**} r,
-  owner @{user_share_dirs}/klipper/{,*} rwl,
+  owner @{user_share_dirs}/klipper/{,**} rwl,
  owner @{user_share_dirs}/konsole/ r,
  owner @{user_share_dirs}/kpeople/persondb rwk,
  owner @{user_share_dirs}/kpeoplevcard/ r,
--- a/apparmor.d/profiles-s-z/thunderbird
+++ b/apparmor.d/profiles-s-z/thunderbird
@ -37,6 +37,9 @@ profile thunderbird @{exec_path} {
  # Desktop integration
  @{open_path}       rPx -> child-open,

+  # Extensions
+  @{bin}/SysTray-X   rPUx,
+
  /usr/share/lightning/{,**} r,

  owner /var/mail/** rwk,