felipe/apparmor.d
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat(profiles): general update.

Browse source
This commit is contained in:
Alexandre Pujol 2023-08-22 23:23:47 +01:00
parent 7273bde534
commit 96b8f96137
No known key found for this signature in database
GPG key ID: C5469996F0DF68EC
33 changed files with 185 additions and 131 deletions
Download patch file Download diff file Expand all files Collapse all files

61
apparmor.d/groups/kde/kconf_update
View file

@ -9,6 +9,11 @@ include <tunables/global>
@{exec_path} = @{lib}/kf5/kconf_update
profile kconf_update @{exec_path} {
include <abstractions/base>
include <abstractions/dri-common>
include <abstractions/dri-enumerate>
include <abstractions/fonts>
include <abstractions/freedesktop.org>
include <abstractions/mesa>
include <abstractions/perl>
include <abstractions/python>
@ -35,32 +40,48 @@ profile kconf_update @{exec_path} {
/etc/xdg/kdeglobals r,
owner @{user_config_dirs}/#@{int} rw,
owner @{user_config_dirs}/akregatorrc r,
owner @{user_config_dirs}/kateschemarc r,
owner @{user_config_dirs}/kcminputrc r,
owner @{user_config_dirs}/kconf_updaterc r,
owner @{user_config_dirs}/kconf_updaterc.lock rk,
owner @{user_config_dirs}/kconf_updaterc* rwl,
owner @{user_config_dirs}/kdedefaults/kdeglobals r,
owner @{user_config_dirs}/kdedefaults/kwinrc r,
owner @{user_config_dirs}/kdeglobals.lock rk,
owner @{user_config_dirs}/kdeglobals* rwl,
owner @{user_config_dirs}/khotkeysrc r,
owner @{user_config_dirs}/kmixrc r,
owner @{user_config_dirs}/kscreenlockerrc r,
owner @{user_config_dirs}/ksmserverrc r,
owner @{user_config_dirs}/kwinrc.@{rand6} rwl -> @{user_config_dirs}/#@{int},
owner @{user_config_dirs}/akregatorrc.lock rwk,
owner @{user_config_dirs}/akregatorrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
owner @{user_config_dirs}/dolphinrc.lock rwk,
owner @{user_config_dirs}/dolphinrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
owner @{user_config_dirs}/kateschemarc.lock rwk,
owner @{user_config_dirs}/kateschemarc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
owner @{user_config_dirs}/kcminputrc.lock rwk,
owner @{user_config_dirs}/kcminputrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
owner @{user_config_dirs}/kconf_updaterc.lock rwk,
owner @{user_config_dirs}/kconf_updaterc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
owner @{user_config_dirs}/kdedefaults/* r,
owner @{user_config_dirs}/kdeglobals.lock rwk,
owner @{user_config_dirs}/kdeglobals{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
owner @{user_config_dirs}/kglobalshortcutsrc.lock rwk,
owner @{user_config_dirs}/kglobalshortcutsrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
owner @{user_config_dirs}/khotkeysrc.lock rwk,
owner @{user_config_dirs}/khotkeysrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
owner @{user_config_dirs}/kmixrc.lock rwk,
owner @{user_config_dirs}/kmixrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
owner @{user_config_dirs}/konsolerc.lock rwk,
owner @{user_config_dirs}/konsolerc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
owner @{user_config_dirs}/krunnerrc.lock rwk,
owner @{user_config_dirs}/krunnerrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
owner @{user_config_dirs}/krunnerstaterc.lock rwk,
owner @{user_config_dirs}/krunnerstaterc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
owner @{user_config_dirs}/kscreenlockerrc.lock rwk,
owner @{user_config_dirs}/kscreenlockerrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
owner @{user_config_dirs}/ksmserverrc.lock rwk,
owner @{user_config_dirs}/ksmserverrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
owner @{user_config_dirs}/kwinrc.lock rwk,
owner @{user_config_dirs}/kwinrulesrc rw,
owner @{user_config_dirs}/kwinrulesrc.@{rand6} rwl -> @{user_config_dirs}/#@{int},
owner @{user_config_dirs}/kwinrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
owner @{user_config_dirs}/kwinrulesrc.lock rwk,
owner @{user_config_dirs}/kxkbrc rw,
owner @{user_config_dirs}/kxkbrc.@{rand6} rwl -> @{user_config_dirs}/#@{int},
owner @{user_config_dirs}/kwinrulesrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
owner @{user_config_dirs}/kxkbrc.lock rwk,
owner @{user_config_dirs}/kxkbrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
owner @{user_config_dirs}/plasmashellrc r,
owner @{user_share_dirs}/#@{int} rw,
owner /tmp/#@{int} rw,
owner /tmp/kconf_update.@{rand6} rwl,
owner /tmp/kconf_update.@{rand6}.lock rwk,
owner /tmp/kconf_update.@{rand6}{,.@{rand6}} rwl -> /tmp/#@{int},
@{PROC}/@{sys}/kernel/random/boot_id r,

8
apparmor.d/groups/kde/kde-powerdevil
View file

@ -32,12 +32,10 @@ profile kde-powerdevil @{exec_path} flags=(attach_disconnected mediate_deleted)
owner @{user_config_dirs}/#@{int} rw,
owner @{user_config_dirs}/kdedefaults/kdeglobals r,
owner @{user_config_dirs}/kdeglobals r,
owner @{user_config_dirs}/powerdevilrc rwl -> @{user_config_dirs}/#@{int},
owner @{user_config_dirs}/powerdevilrc rwl,
owner @{user_config_dirs}/powerdevilrc.lock rwk,
owner @{user_config_dirs}/powermanagementprofilesrc r,
owner @{user_config_dirs}/powermanagementprofilesrc rwl -> @{user_config_dirs}/#@{int},
owner @{user_config_dirs}/powerdevilrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
owner @{user_config_dirs}/powermanagementprofilesrc.lock rwk,
owner @{user_config_dirs}/powermanagementprofilesrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
@{run}/systemd/inhibit/*.ref rw,
owner @{run}/user/@{uid}kcrash_[0-9]* rw,
@ -49,7 +47,7 @@ profile kde-powerdevil @{exec_path} flags=(attach_disconnected mediate_deleted)
@{sys}/class/ r,
@{sys}/class/drm/ r,
@{sys}/bus/ r,
@{sys}/devices/pci[0-9]*/@{int}/drm/card@{int}/*/status r,
@{sys}/devices/@{pci}/drm/card@{int}/*/status r,
/dev/tty rw,
/dev/rfkill r,

19
apparmor.d/groups/kde/kded5
View file

@ -72,23 +72,23 @@ profile kded5 @{exec_path} {
owner @{user_cache_dirs}/ksycoca5_* r,
owner @{user_config_dirs}/#@{int} rw,
owner @{user_config_dirs}/bluedevilglobalrc rk,
owner @{user_config_dirs}/bluedevilglobalrc* rwkl,
owner @{user_config_dirs}/bluedevilglobalrc.lock rwk,
owner @{user_config_dirs}/bluedevilglobalrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
owner @{user_config_dirs}/gtk-{3,4}.0/{,**} rwl,
owner @{user_config_dirs}/gtk-{3,4}/settings.ini.lock rk,
owner @{user_config_dirs}/kcminputrc r,
owner @{user_config_dirs}/kconf_updaterc r,
owner @{user_config_dirs}/kcookiejarrc r,
owner @{user_config_dirs}/kdebugrc r,
owner @{user_config_dirs}/kded5rc.lock rwk,
owner @{user_config_dirs}/kded5rc* rwl,
owner @{user_config_dirs}/kded5rc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
owner @{user_config_dirs}/kdedefaults/{,**} r,
owner @{user_config_dirs}/kdeglobals r,
owner @{user_config_dirs}/khotkeysrc.lock rwk,
owner @{user_config_dirs}/khotkeysrc* rwl,
owner @{user_config_dirs}/kioslaverc r,
owner @{user_config_dirs}/kioslaverc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
owner @{user_config_dirs}/ktimezonedrc r,
owner @{user_config_dirs}/kwinrc.lock rwk,
owner @{user_config_dirs}/kwinrc* rwl,
owner @{user_config_dirs}/kwinrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
owner @{user_config_dirs}/kxkbrc r,
owner @{user_config_dirs}/libaccounts-glib/ rw,
owner @{user_config_dirs}/libaccounts-glib/accounts.db{,-shm,-wal,-journal} rwk,
@ -99,9 +99,9 @@ profile kded5 @{exec_path} {
owner @{user_config_dirs}/xsettingsd/{,**} rw,
owner @{user_share_dirs}/icc/{,edid-*} r,
owner @{user_share_dirs}/kcookiejar/#*[0-9] rw,
owner @{user_share_dirs}/kcookiejar/cookies rw,
owner @{user_share_dirs}/kcookiejar/cookies.@{rand6} rwlk,
owner @{user_share_dirs}/kcookiejar/#@{int} rw,
owner @{user_share_dirs}/kcookiejar/cookies.lock rwk,
owner @{user_share_dirs}/kcookiejar/cookies{,.@{rand6}} rwl -> @{user_share_dirs}/kcookiejar/#@{int},
owner @{user_share_dirs}/kded5/{,**} rw,
owner @{user_share_dirs}/kscreen/{,**} rwl,
owner @{user_share_dirs}/kservices5/{,**} r,
@ -109,6 +109,7 @@ profile kded5 @{exec_path} {
owner @{user_share_dirs}/remoteview/ r,
owner @{user_share_dirs}/services5/{,**} r,
@{run}/mount/utab r,
owner @{run}/user/@{uid}/#@{int} rw,
owner @{run}/user/@{uid}/gvfs/ r,
owner @{run}/user/@{uid}/kded5*kioworker.socket rwl,

31
apparmor.d/groups/kde/kioslave5
View file

@ -9,7 +9,9 @@ include <tunables/global>
@{exec_path} = @{lib}/kf5/kioslave5
profile kioslave5 @{exec_path} {
include <abstractions/base>
include <abstractions/deny-sensitive-home>
include <abstractions/dri-common>
include <abstractions/dri-enumerate>
include <abstractions/fonts>
include <abstractions/freedesktop.org>
include <abstractions/mesa>
@ -18,6 +20,7 @@ profile kioslave5 @{exec_path} {
include <abstractions/qt5>
include <abstractions/ssl_certs>
include <abstractions/trash>
include <abstractions/vulkan>
network inet dgram,
network inet6 dgram,
@ -26,6 +29,7 @@ profile kioslave5 @{exec_path} {
network netlink raw,
network netlink dgram,
signal (receive) set=term peer=dolphin,
signal (receive) set=term peer=firefox-kmozillahelper,
signal (receive) set=term peer=plasmashell,
@ -39,6 +43,7 @@ profile kioslave5 @{exec_path} {
/usr/share/icu/@{int}.@{int}/*.dat r,
/usr/share/kservices5/{,**} r,
/usr/share/kservicetypes5/*.desktop r,
/usr/share/mime/ r,
/etc/fstab r,
/etc/xdg/kdeglobals r,
@ -46,11 +51,24 @@ profile kioslave5 @{exec_path} {
/etc/xdg/kwinrc r,
/etc/xdg/menus/{,**} r,
owner @{MOUNTDIRS}/** r,
# Full access to user's data
/ r,
/*/ r,
@{bin}/ r,
@{lib}/ r,
@{MOUNTDIRS}/ r,
@{MOUNTS}/ r,
@{MOUNTS}/** rw,
owner @{HOME}/{,**} rw,
owner @{run}/user/@{uid}/{,**} rw,
owner /tmp/{,**} rw,
owner @{HOME}/@{XDG_DESKTOP_DIR}/ r,
owner @{HOME}/@{XDG_DESKTOP_DIR}/.directory r,
owner @{HOME}/@{XDG_DESKTOP_DIR}/*.desktop r,
# Silence non user's data
deny /boot/{,**} r,
deny /opt/{,**} r,
deny /root/{,**} r,
deny /tmp/.* rw,
deny /tmp/.*/{,**} rw,
owner @{user_cache_dirs}/ksycoca5_* r,
owner @{user_cache_dirs}/thumbnails/*/ r,
@ -61,8 +79,11 @@ profile kioslave5 @{exec_path} {
owner @{user_config_dirs}/kdeglobals r,
owner @{user_config_dirs}/kwinrc r,
owner @{user_share_dirs}/baloo/index-lock rwk,
owner @{user_share_dirs}/baloo/index rw,
owner @{user_share_dirs}/baloo/index-lock rwk,
owner @{user_share_dirs}/kactivitymanagerd/resources/database rk,
owner @{user_share_dirs}/kactivitymanagerd/resources/database-shm rwk,
owner @{user_share_dirs}/kactivitymanagerd/resources/database-wal rw,
@{run}/mount/utab r,
owner @{run}/user/@{uid}/#@{int} rw,

14
apparmor.d/groups/kde/plasmashell
View file

@ -35,7 +35,8 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
network inet6 stream,
network netlink raw,
ptrace read peer=pinentry-qt,
ptrace (read) peer=pinentry-qt,
ptrace (read) peer=kded5,
signal (send),
@ -101,10 +102,11 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
owner @{user_cache_dirs}/ksycoca5_* rl,
owner @{user_cache_dirs}/org.kde.dirmodel-qml.kcache rw,
owner @{user_cache_dirs}/plasma_theme_*.kcache rw,
owner @{user_cache_dirs}/plasma-svgelements.@{rand6} rwlk,
owner @{user_cache_dirs}/plasma-svgelements.{,@{rand6}} rwlk -> @{user_cache_dirs}/#@{int},
owner @{user_cache_dirs}/plasma-svgelements.lock rwk,
owner @{user_cache_dirs}/plasma-svgelements* rwl,
owner @{user_cache_dirs}/plasmashell/qmlcache/{,**} rwl,
owner @{user_cache_dirs}/bookmarksrunner/ rw,
owner @{user_cache_dirs}/bookmarksrunner/** rwkl -> @{user_cache_dirs}/bookmarksrunner/#@{int},
owner @{user_config_dirs}/#@{int} rwk,
owner @{user_config_dirs}/*kde*.desktop* r,
@ -116,9 +118,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
owner @{user_config_dirs}/kactivitymanagerd-statsrc r,
owner @{user_config_dirs}/{KDE,kde.org}/ rw,
owner @{user_config_dirs}/{KDE,kde.org}/** rwkl -> @{user_config_dirs}/{KDE,kde.org}/#@{int},
owner @{user_config_dirs}/kdedefaults/kdeglobals r,
owner @{user_config_dirs}/kdedefaults/kwinrc r,
owner @{user_config_dirs}/kdedefaults/plasmarc r,
owner @{user_config_dirs}/kdedefaults/* r,
owner @{user_config_dirs}/kdeglobals r,
owner @{user_config_dirs}/kioslaverc r,
owner @{user_config_dirs}/klipperrc r,
@ -149,6 +149,8 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
owner @{user_share_dirs}/plasma/plasmoids/{,**} r,
owner @{user_share_dirs}/user-places.xbel r,
owner /tmp/#@{int} rw,
@{run}/mount/utab r,
@{run}/user/@{uid}/gvfs/ r,
owner @{run}/user/@{uid}/#@{int} rw,

11
apparmor.d/groups/kde/sddm
View file

@ -26,6 +26,7 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) {
capability dac_override,
capability dac_read_search,
capability fowner,
capability kill,
capability net_admin,
capability setgid,
capability setuid,
@ -35,7 +36,10 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) {
network netlink raw,
ptrace (trace) peer=@{profile_name},
ptrace (read) peer=unconfined,
ptrace (read) peer=kwalletd5,
signal (send) set=(kill, term) peer=startplasma,
signal (send) set=(kill, term) peer=xorg,
@{exec_path} mr,
@ -116,9 +120,9 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) {
owner @{user_share_dirs}/ w,
owner @{user_share_dirs}/kwalletd/ rw,
owner @{user_share_dirs}/kwalletd/kdewallet.salt r,
owner @{user_share_dirs}/kwalletd/kdewallet.salt rw,
owner @{user_share_dirs}/sddm/ w,
owner @{user_share_dirs}/sddm/wayland-session.log w,
owner @{user_share_dirs}/sddm/xorg-session.log w,
/tmp/sddm-* rw,
@ -130,6 +134,7 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) {
@{run}/faillock/[a-zA-z0-9]* rwk,
@{run}/sddm.pid rw,
@{run}/sddm/\{@{uuid}\} rw,
@{run}/sddm/#@{int} rw,
@{run}/sddm/xauth_@{rand6} rwl -> @{run}/sddm/#@{int},
@{run}/systemd/sessions/*.ref rw,
@{run}/user/@{uid}/xauth_@{rand6} rwl,
@ -137,7 +142,11 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) {
owner @{run}/user/@{uid}/#@{int} rw,
owner @{run}/user/@{uid}/kwallet5.socket rw,
@{sys}/devices/system/node/ r,
@{sys}/devices/system/node/node@{int}/meminfo r,
@{PROC}/ r,
@{PROC}/uptime r,
@{PROC}/@{pids}/cmdline r,
@{PROC}/@{pids}/stat r,
@{PROC}/sys/kernel/core_pattern r,