feat(profile): update kde profiles on openSUSE Tumbleweed.

See #424
2024-08-20 18:49:52 +01:00 · 2024-08-20 18:49:52 +01:00 · 93313422bd
commit 93313422bd
parent 14fae89fdd
34 changed files with 93 additions and 43 deletions
--- a/apparmor.d/groups/kde/DiscoverNotifier
+++ b/apparmor.d/groups/kde/DiscoverNotifier
@ -40,6 +40,7 @@ profile DiscoverNotifier @{exec_path} {
  /var/lib/flatpak/{,**} r,

  /var/cache/swcatalog/cache/ w,
+  /var/cache/swcatalog/xml/{,**} r,

  owner @{user_cache_dirs}/appstream/ r,
  owner @{user_cache_dirs}/appstream/** rw,
@ -58,6 +59,8 @@ profile DiscoverNotifier @{exec_path} {
  owner @{tmp}/ostree-gpg-@{rand6}/pubring.gpg rw,
  owner @{tmp}/ostree-gpg-@{rand6}/trustdb.gpg rw,

+  owner @{run}/user/@{uid}/iceauth_@{rand6} r,
+
  /dev/tty r,

  profile gpg {
--- a/apparmor.d/groups/kde/gmenudbusmenuproxy
+++ b/apparmor.d/groups/kde/gmenudbusmenuproxy
@ -25,6 +25,8 @@ profile gmenudbusmenuproxy @{exec_path} {
  owner @{user_config_dirs}/gtk-{2,3}.0/settings.ini{,.@{rand6}} rwl,
  owner @{user_config_dirs}/gtk-{2,3}.0/settings.ini.lock rwk,

+  owner @{run}/user/@{uid}/iceauth_@{rand6} r,
+
  include if exists <local/gmenudbusmenuproxy>
 }

--- a/apparmor.d/groups/kde/kalendarac
+++ b/apparmor.d/groups/kde/kalendarac
@ -9,7 +9,7 @@ include <tunables/global>
@{exec_path} = @{bin}/kalendarac
 profile kalendarac @{exec_path} {
  include <abstractions/base>
-  include <abstractions/audio-client>
+  include <abstractions/audio-server>
  include <abstractions/graphics>
  include <abstractions/kde-strict>
  include <abstractions/nameservice-strict>
@ -36,6 +36,8 @@ profile kalendarac @{exec_path} {
  owner @{user_config_dirs}/kalendaracrc.lock rwk,
  owner @{user_config_dirs}/kmail2rc r,

+  owner @{run}/user/@{uid}/iceauth_@{rand6} r,
+
  /dev/tty r,

  include if exists <local/kalendarac>
--- a/apparmor.d/groups/kde/kde-powerdevil
+++ b/apparmor.d/groups/kde/kde-powerdevil
@ -36,6 +36,7 @@ profile kde-powerdevil @{exec_path} flags=(attach_disconnected mediate_deleted)

  owner @{HOME}/ r,

+  owner @{user_cache_dirs}/ddcutil/* r,
  owner @{user_cache_dirs}/kcrash-metadata/{,*} rw,

  owner @{user_config_dirs}/#@{int} rw,
@ -63,7 +64,7 @@ profile kde-powerdevil @{exec_path} flags=(attach_disconnected mediate_deleted)
  @{sys}/devices/@{pci}/drm/card@{int}/*/enabled r,
  @{sys}/devices/@{pci}/drm/card@{int}/*/status r,
  @{sys}/devices/@{pci}/i2c-@{int}/**/dev r,
-  @{sys}/devices/@{pci}/i2c-@{int}/name r,
+  @{sys}/devices/@{pci}/i2c-@{int}/{,**/}name r,
  @{sys}/devices/**/ r,
  @{sys}/devices/i2c-@{int}/name r,
  @{sys}/devices/platform/**/i2c-@{int}/**/name r,
--- a/apparmor.d/groups/kde/kded
+++ b/apparmor.d/groups/kde/kded
@ -59,7 +59,7 @@ profile kded @{exec_path} {
  @{bin}/xsettingsd         rPx,
  @{lib}/drkonqi            rPx,

-  #aa:exec utempter
+  @{lib}/{,@{multiarch}/}utempter/utempter rPx,
  #aa:exec kconf_update

  /usr/share/color-schemes/{,**} r,
@ -123,8 +123,7 @@ profile kded @{exec_path} {
  owner @{user_config_dirs}/libaccounts-glib/accounts.db{,-shm,-wal,-journal} rwk,
  owner @{user_config_dirs}/menus/{,**} r,
  owner @{user_config_dirs}/networkmanagement.notifyrc r,
-  owner @{user_config_dirs}/plasma-nm r,
-  owner @{user_config_dirs}/plasma-welcomerc r,
+  owner @{user_config_dirs}/plasma* r,
  owner @{user_config_dirs}/touchpadrc r,
  owner @{user_config_dirs}/Trolltech.conf.lock rwk,
  owner @{user_config_dirs}/Trolltech.conf{,.@{rand6}} rwl,
@ -151,6 +150,8 @@ profile kded @{exec_path} {
  owner @{tmp}/kded6.@{rand6} rwl -> /tmp/#@{int},
  owner @{tmp}/plasma-csd-generator.@{rand6}/{,**} rw,

+  @{sys}/class/leds/ r,
+
        @{PROC}/ r,
        @{PROC}/@{pids}/cmdline/ r,
        @{PROC}/@{pids}/fd/ r,
--- a/apparmor.d/groups/kde/kglobalacceld
+++ b/apparmor.d/groups/kde/kglobalacceld
@ -19,6 +19,7 @@ profile kglobalacceld @{exec_path} {

  /etc/machine-id r,
  /etc/xdg/menus/ r,
+  /etc/xdg/menus/applications-merged/ r,

  owner @{user_cache_dirs}/ksycoca{5,6}_* rw,

@ -29,6 +30,8 @@ profile kglobalacceld @{exec_path} {
  owner @{user_config_dirs}/menus/ r,
  owner @{user_config_dirs}/menus/applications-merged/ r,

+  @{PROC}/sys/kernel/random/boot_id r,
+
  /dev/tty r,

  include if exists <local/kglobalacceld>
--- a/apparmor.d/groups/kde/kiod
+++ b/apparmor.d/groups/kde/kiod
@ -13,6 +13,7 @@ profile kiod @{exec_path} {
  include <abstractions/graphics>
  include <abstractions/kde-strict>
  include <abstractions/nameservice-strict>
+  include <abstractions/ssl_certs>

  network netlink raw,

--- a/apparmor.d/groups/kde/konsole
+++ b/apparmor.d/groups/kde/konsole
@ -26,7 +26,9 @@ profile konsole @{exec_path} flags=(attach_disconnected,mediate_deleted) {
  @{bin}/@{shells}                      rUx,
  @{browsers_path}                      rPx,

-  #aa:exec utempter
+  @{lib}/libheif/                            r,
+  @{lib}/libheif/**                         mr,
+  @{lib}/{,@{multiarch}/}utempter/utempter rPx,

  /usr/share/color-schemes/{,**} r,
  /usr/share/kf6/{,**} r,
@ -47,12 +49,15 @@ profile konsole @{exec_path} flags=(attach_disconnected,mediate_deleted) {

  owner @{user_config_dirs}/#@{int} rwl,
  owner @{user_config_dirs}/breezerc r,
+  owner @{user_config_dirs}/kbookmarkrc r,
+  owner @{user_config_dirs}/konsole.notifyrc r,
  owner @{user_config_dirs}/konsolerc{,*} rwlk,
  owner @{user_config_dirs}/konsolesshconfig rwl -> @{user_config_dirs}/#@{int},
  owner @{user_config_dirs}/konsolesshconfig.@{rand6} rwl -> @{user_config_dirs}/#@{int},
  owner @{user_config_dirs}/konsolesshconfig.lock rwk,
  owner @{user_config_dirs}/kservicemenurc r,
  owner @{user_config_dirs}/menus/{,**} r,
+  owner @{user_config_dirs}/session/** rwlk,

  owner @{user_share_dirs}/color-schemes/{,**} r,
  owner @{user_share_dirs}/konsole/ rw,
@ -62,6 +67,8 @@ profile konsole @{exec_path} flags=(attach_disconnected,mediate_deleted) {
  owner @{tmp}/#@{int} rw,
  owner @{tmp}/konsole.@{rand6} rw,

+  owner @{run}/user/@{uid}/iceauth_@{rand6} r,
+
  @{PROC}/@{pid}/cmdline r,
  @{PROC}/@{pid}/stat r,

--- a/apparmor.d/groups/kde/kscreenlocker_greet
+++ b/apparmor.d/groups/kde/kscreenlocker_greet
@ -85,6 +85,7 @@ profile kscreenlocker_greet @{exec_path} {
  owner @{user_config_dirs}/kscreenlockerrc r,
  owner @{user_config_dirs}/ksmserverrc r,
  owner @{user_config_dirs}/plasmarc r,
+  owner @{user_config_dirs}/plasmashellrc r,

  # If one is blocked, the others are probed.
  deny owner @{HOME}/#@{int} mrw,
--- a/apparmor.d/groups/kde/ksmserver
+++ b/apparmor.d/groups/kde/ksmserver
@ -52,6 +52,7 @@ profile ksmserver @{exec_path} flags=(attach_disconnected,mediate_deleted) {
  owner @{user_cache_dirs}/ksycoca{5,6}_* rwlk,

  owner @{user_config_dirs}/#@{int} rw,
+  owner @{user_config_dirs}/kdedefaults/kscreenlockerrc r,
  owner @{user_config_dirs}/kscreenlockerrc r,
  owner @{user_config_dirs}/ksmserverrc rw,
  owner @{user_config_dirs}/ksmserverrc.@{rand6} rwl,
@ -62,6 +63,12 @@ profile ksmserver @{exec_path} flags=(attach_disconnected,mediate_deleted) {
  owner @{user_share_dirs}/kservices{5,6}/ r,
  owner @{user_share_dirs}/kservices{5,6}/ServiceMenus/ r,

+  owner @{run}/user/@{uid}/#@{int} rw,
+  owner @{run}/user/@{uid}/iceauth_@{rand6} wl -> @{run}/user/@{uid}/#@{int},
+  owner @{run}/user/@{uid}/iceauth_@{rand6}-c w,
+  owner @{run}/user/@{uid}/iceauth_@{rand6}-l wl -> @{run}/user/@{uid}/iceauth_@{rand6}-c,
+  owner @{run}/user/@{uid}/iceauth_@{rand6}-n rw,
+
  owner @{tmp}/@{rand6} rw,

        @{run}/systemd/inhibit/[0-9]*.ref rw,
--- a/apparmor.d/groups/kde/kwalletd
+++ b/apparmor.d/groups/kde/kwalletd
@ -43,6 +43,8 @@ profile kwalletd @{exec_path} {

  owner @{tmp}/kwalletd5.* rw,

+  owner @{run}/user/@{uid}/iceauth_@{rand6} r,
+
  owner @{PROC}/@{pid}/cmdline r,
  owner @{PROC}/@{pid}/fd/ r,

--- a/apparmor.d/groups/kde/plasma_waitforname
+++ b/apparmor.d/groups/kde/plasma_waitforname
@ -10,6 +10,7 @@ include <tunables/global>
 profile plasma_waitforname @{exec_path} {
  include <abstractions/base>
  include <abstractions/consoles>
+  include <abstractions/qt5>

  @{exec_path} mr,

--- a/apparmor.d/groups/kde/plasmashell
+++ b/apparmor.d/groups/kde/plasmashell
@ -178,6 +178,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
        @{run}/mount/utab r,
        @{run}/user/@{uid}/gvfs/ r,
  owner @{run}/user/@{uid}/#@{int} rw,
+  owner @{run}/user/@{uid}/iceauth_@{rand6} r,
  owner @{run}/user/@{uid}/kdesud_:@{int} w,
  owner @{run}/user/@{uid}/plasmashell@{rand6}.@{int}.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int},

@ -187,9 +188,13 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
  @{sys}/devices/platform/** r,

  @{sys}/devices/@{pci}/name r,
-  @{sys}/devices/virtual/thermal/thermal_zone@{int}/hwmon@{int}/ r,
  @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_cur_freq r,
+  @{sys}/devices/virtual/dmi/id/bios_vendor r,
+  @{sys}/devices/virtual/dmi/id/board_vendor r,
+  @{sys}/devices/virtual/dmi/id/product_name r,
+  @{sys}/devices/virtual/dmi/id/sys_vendor r,
  @{sys}/devices/virtual/thermal/**/{name,type} r,
+  @{sys}/devices/virtual/thermal/thermal_zone@{int}/hwmon@{int}/ r,

        @{PROC}/ r,
        @{PROC}/cmdline r,
--- a/apparmor.d/groups/kde/sddm-greeter
+++ b/apparmor.d/groups/kde/sddm-greeter
@ -49,6 +49,8 @@ profile sddm-greeter @{exec_path} {
  owner @{SDDM_HOME}/#@{int} mrw,
  owner @{sddm_cache_dirs}/** mrwkl -> @{sddm_cache_dirs}/**,

+  owner @{HOME}/.face.icon r,
+
  owner @{user_cache_dirs}/ rw,
  owner @{user_cache_dirs}/icon-cache.kcache rw,
  owner @{user_cache_dirs}/plasma_theme_*.kcache rw,
--- a/apparmor.d/groups/kde/startplasma
+++ b/apparmor.d/groups/kde/startplasma
@ -22,6 +22,7 @@ profile startplasma @{exec_path} {
  @{bin}/env                rix,
  @{bin}/grep               rix,
  @{bin}/kapplymousetheme  rPUx,
+  @{bin}/kdeinit5_shutdown rPUx,
  @{bin}/ksplashqml        rPUx,
  @{bin}/plasma_session     rPx,
  @{bin}/xrdb               rPx,
--- a/apparmor.d/groups/kde/xembedsniproxy
+++ b/apparmor.d/groups/kde/xembedsniproxy
@ -20,6 +20,8 @@ profile xembedsniproxy @{exec_path} {

  owner @{tmp}/xauth_@{rand6} r,

+  owner @{run}/user/@{uid}/iceauth_@{rand6} r,
+
  @{run}/user/@{uid}/xauth_@{rand6} rl,

  include if exists <local/xembedsniproxy>