From 98bcf221ee8403c3fb246d9a332ab7fa48db4a5a Mon Sep 17 00:00:00 2001 
From: Besanon Date: Wed, 12 Jun 2024 10:44:57 +0200 Subject: [PATCH] Add LXQT group & falkon --- apparmor.d/abstractions/lxqt | 2 + apparmor.d/groups/lxqt/falkon | 212 ++++++++++++++++++ apparmor.d/groups/lxqt/featherpad | 9 +- apparmor.d/groups/lxqt/lximage-qt | 49 ++-- apparmor.d/groups/lxqt/lxqt | 28 +++ apparmor.d/groups/lxqt/lxqt-about | 1 + apparmor.d/groups/lxqt/lxqt-admin-time | 2 +- apparmor.d/groups/lxqt/lxqt-admin-user | 9 +- apparmor.d/groups/lxqt/lxqt-admin-user-helper | 5 +- apparmor.d/groups/lxqt/lxqt-archiver | 28 +++ apparmor.d/groups/lxqt/lxqt-backlight_backend | 32 +++ apparmor.d/groups/lxqt/lxqt-config | 18 +- apparmor.d/groups/lxqt/lxqt-config-appearance | 5 +- apparmor.d/groups/lxqt/lxqt-config-brightness | 9 +- .../groups/lxqt/lxqt-config-file-associations | 11 +- .../lxqt/lxqt-config-globalkeyshortcuts | 6 +- apparmor.d/groups/lxqt/lxqt-config-input | 37 ++- apparmor.d/groups/lxqt/lxqt-config-locale | 2 +- apparmor.d/groups/lxqt/lxqt-config-monitor | 3 +- .../groups/lxqt/lxqt-config-notificationd | 20 +- .../groups/lxqt/lxqt-config-powermanagement | 5 +- apparmor.d/groups/lxqt/lxqt-config-printer | 4 +- apparmor.d/groups/lxqt/lxqt-config-session | 28 ++- apparmor.d/groups/lxqt/lxqt-globalkeysd | 9 +- apparmor.d/groups/lxqt/lxqt-leave | 6 +- apparmor.d/groups/lxqt/lxqt-notificationd | 52 ++--- apparmor.d/groups/lxqt/lxqt-openssh-askpass | 8 +- apparmor.d/groups/lxqt/lxqt-panel | 15 +- apparmor.d/groups/lxqt/lxqt-policykit-agent | 25 +-- apparmor.d/groups/lxqt/lxqt-powermanagement | 36 +++ apparmor.d/groups/lxqt/lxqt-runner | 8 +- apparmor.d/groups/lxqt/lxqt-session | 129 ++++++----- apparmor.d/groups/lxqt/obconf-qt | 2 +- apparmor.d/groups/lxqt/pavucontrol-qt | 2 + apparmor.d/groups/lxqt/pcmanfm-qt | 2 +- apparmor.d/groups/lxqt/screengrab | 2 +- apparmor.d/groups/lxqt/startlxqt | 88 ++++++++ 37 files changed, 694 insertions(+), 215 deletions(-) create mode 100644 apparmor.d/groups/lxqt/falkon create mode 100644 apparmor.d/groups/lxqt/lxqt 
create mode 100644 apparmor.d/groups/lxqt/lxqt-archiver create mode 100644 apparmor.d/groups/lxqt/lxqt-backlight_backend create mode 100644 apparmor.d/groups/lxqt/lxqt-powermanagement create mode 100644 apparmor.d/groups/lxqt/startlxqt diff --git a/apparmor.d/abstractions/lxqt b/apparmor.d/abstractions/lxqt index e41df3e72..8d85a4b74 100644 --- a/apparmor.d/abstractions/lxqt +++ b/apparmor.d/abstractions/lxqt @@ -9,6 +9,8 @@ include include + signal (receive) set=(kill, term) peer=lxqt-session, + /usr/share/hwdata/pnp.ids r, /usr/share/icu/@{int}.@{int}/*.dat r, /usr/share/lxqt/** r, diff --git a/apparmor.d/groups/lxqt/falkon b/apparmor.d/groups/lxqt/falkon new file mode 100644 index 000000000..3c4495012 --- /dev/null +++ b/apparmor.d/groups/lxqt/falkon 
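Review bot: Moving `signal (receive) set=(kill, term) peer=lxqt-session,` into the shared abstraction only works if every profile that drops its own copy in this patch (lximage-qt, lxqt-globalkeysd, lxqt-leave) actually includes this abstraction; the include arguments are stripped in this rendering, so please confirm, otherwise lxqt-session can no longer terminate those processes at logout and they outlive the session in enforce mode. Note also that lxqt-leave previously accepted only `term` from lxqt-session, while the abstraction now grants `kill` as well — harmless, but a widening rather than a pure move.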
@@ -0,0 +1,212 @@
+## apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2015-2022 Mikhail Morfikov
+# Copyright (C) 2021-2024 Alexandre Pujol
+# Copyright (C) 2024 Besanon
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{name} = falkon{,.sh,-wayland}
+
+@{exec_path} = @{bin}/falkon
+profile falkon @{exec_path} {
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+
+ network inet dgram,
+ network inet6 dgram,
+ network inet stream,
+ network netlink raw,
+ network packet dgram,
+
+ signal (send, receive) set=(term, kill) peer=QtWebEngineProc,
+ signal (send) set=(term, kill) peer=falkon-*,
+ signal (send) set=(term) peer=dnsmasq,
+
+ deny dbus send bus=system path=/org/freedesktop/hostname1,
+
+ dbus bind bus=session name=org.mpris.MediaPlayer2.falkon.*,
+ dbus (send, receive) bus=session path=/org/mpris/MediaPlayer2
+ interface=org.freedesktop.DBus.Properties
+ member={GetAll,PropertiesChanged}
+ peer=(name="{org.freedesktop.DBus,:*}"),
+ dbus receive bus=session path=/org/mpris/MediaPlayer2
+ interface=org.mpris.MediaPlayer2.Playlists
+ member=GetPlaylists
+ peer=(name=:*),
+ dbus send bus=system path=/org/freedesktop/resolve1
+ interface=org.freedesktop.resolve1.Manager
+ member={SetLink*,ResolveHostname}
+ peer=(name=org.freedesktop.resolve1, label=systemd-resolved),
+ dbus send bus=session path=/org/freedesktop/PowerManagement/Inhibit
+ interface=org.freedesktop.PowerManagement.Inhibit
+ member=Inhibit
+ peer=(name=org.freedesktop.PowerManagement),
+ dbus send bus=system path=/org/freedesktop/DBus
+ interface=org.freedesktop.DBus
+ member={GetConnectionUnixUser,GetConnectionUnixProcessID}
+ peer=(name=org.freedesktop.DBus, label=dbus-system),
+
+ @{exec_path} mr,
+
+ @{lib}/qt6/QtWebEngineProcess rix,
+ @{bin}/resolvconf rPx,
+ @{bin}/dnsmasq rPx,
+
+ @{sh_path} rix, + @{bin}/basename rix, + @{bin}/expr rix, + + @{lib}/@{multiarch}/qt6/plugins/kf6/org.kde.kwindowsystem.platforms/KF6WindowSystemKWaylandPlugin.so mr, + + # Desktop integration + @{bin}/kreadconfig6 rPx, + @{bin}/update-mime-database rPx, + @{lib}/gvfsd-metadata rPx, + + /usr/lib/qt6/plugins/falkon/*.so mr, + /usr/share/libfm-qt/translations/libfm-qt_de.qm r, + /usr/share/@{name}/{,**} r, + /usr/share/doc/{,**} rw, + /usr/share/publicsuffix/public_suffix_list.dafsa r, + /usr/share/qt6/** rw, + /usr/share/thumbnailers/ r, + /usr/share/webext/{,**} r, + /usr/share/hunspell-bdic/ r, + + /etc/fstab r, + /etc/mime.types r, + /etc/udev/udev.conf r, + + owner @{HOME}/ r, + owner @{HOME}/.pki/ r, + owner @{HOME}/.pki/nssdb/ rw, + owner @{HOME}/.pki/nssdb/pkcs11.txt rw, + owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk, + owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw, + owner @{HOME}/.mozilla/firefox/ r, + + owner @{user_config_dirs}/ rw, + owner @{user_config_dirs}/#@{int} rw, + owner @{user_config_dirs}/falkon/ r, + owner @{user_config_dirs}/falkon/* r, + owner @{user_config_dirs}/falkon/profiles/** rwkl -> @{user_config_dirs}/falkon/profiles/#@{int}, + owner @{user_config_dirs}/falkonrc.lock rwk, + owner @{user_config_dirs}/chromium/WidevineCdm/** r, + owner @{user_config_dirs}/chromium/WidevineCdm/4.10.2710.0/_platform_specific/linux_x64/*.so m, + owner @{user_config_dirs}/gtk-{3,4}.0/assets/*.svg r, + owner @{user_config_dirs}/ibus/bus/ r, + owner @{user_config_dirs}/ibus/bus/@{hex32}-unix-{,wayland-}@{int} r, + owner @{user_config_dirs}/kdedefaults/* r, + owner @{user_config_dirs}/kdeglobals r, + owner @{user_config_dirs}/kdeglobals.lock rwk, + owner @{user_config_dirs}/** rwkl -> @{user_config_dirs}/#@{int}, + owner @{user_config_dirs}/kioslaverc r, + owner @{user_config_dirs}/QtProject.conf rwk, + owner @{user_config_dirs}/QtProject.conf.lock rwk, + owner @{user_config_dirs}/mimeapps.list{,.@{rand6}} rw, + owner @{user_config_dirs}/falkonrc.lock 
rw, + + owner @{user_share_dirs}/applications/userapp-falkon-@{rand6}.desktop{,.@{rand6}} rw, + owner @{user_share_dirs}/falkon/falkonstaterc.lock rwk, + owner @{user_share_dirs}/falkon/QtWebEngine/Default/user_prefs.json r, + + owner @{user_cache_dirs}/ r, + owner @{user_cache_dirs}/falkon/** rw, + owner @{user_cache_dirs}/falkon/qmlcache/** rwkl -> @{user_cache_dirs}/falkon/qmlcache/#@{int}, + owner @{user_cache_dirs}/falkon/qtpipelinecache-x86_64-little_endian-lp64/qqpc_opengl.lck rwk, + + /tmp/ r, + owner /tmp/.xfsm-ICE-@{rand6} rw, + owner /tmp/@{name}/ rw, + owner /tmp/@{name}/* rwk, + owner /tmp/@{rand6}.tmp r, + owner /tmp/falkon-*/ rw, + owner /tmp/falkon-*/* rwk, + owner /tmp/falkon-@{rand6}/** rwkl -> /tmp/falkon-@{rand6}/#@{int}, + owner /tmp/@{rand8}.txt w, + owner /tmp/.org.chromium.Chromium.@{rand6} rw, + + /var/tmp/ r, + + owner @{run}/user/@{uid}/#@{int} rw, + owner @{run}/user/@{uid}/** rwkl -> @{run}/user/@{uid}/#@{int}, + @{run}/mount/utab r, + @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad + @{run}/udev/data/c13:@{int} r, # for /dev/input/* + + @{sys}/bus/ r, + @{sys}/devices/system/cpu/kernel_max r, + @{sys}/cgroup/cpu,cpuacct/user.slice/cpu.cfs_quota_us r, + @{sys}/class/ r, + @{sys}/class/**/ r, + @{sys}/devices/**/uevent r, + @{sys}/devices/@{pci}/ r, + @{sys}/devices/@{pci}/drm/card@{int}/ r, + @{sys}/devices/@{pci}/drm/renderD128/ r, + @{sys}/devices/@{pci}/drm/renderD129/ r, + @{sys}/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us r, + + owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/background.slice/*/cpu.max r, + + @{PROC}/ r, + @{PROC}/@{pid}/net/arp r, + @{PROC}/@{pid}/net/route r, + owner @{PROC}/@{pid}/cgroup r, + owner @{PROC}/@{pid}/setgroups w, + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/smaps r, + owner @{PROC}/@{pid}/stat r, + owner @{PROC}/@{pid}/statm r, + owner @{PROC}/@{pid}/task/ r, + owner 
@{PROC}/@{pid}/task/@{tid}/comm rw, + owner @{PROC}/@{pid}/task/@{tid}/stat r, + owner @{PROC}/@{pid}/task/@{tid}/status r, + owner @{PROC}/@{pids}/cmdline r, + owner @{PROC}/@{pids}/environ r, + @{PROC}/sys/kernel/yama/ptrace_scope r, + @{PROC}/sys/fs/inotify/max_user_watches r, + + /dev/ r, + /dev/hidraw@{int} rw, + /dev/tty rw, + /dev/video@{int} rw, + /dev/snd/controlC@{int} r, + owner /dev/shm/org.chromium.* rw, + owner /dev/shm/org.mozilla.ipc.@{pid}.@{int} rw, + owner /dev/shm/wayland.mozilla.ipc.@{int} rw, + owner /dev/tty@{int} rw, # File Inherit + owner /dev/shm/.org.chromium.Chromium.@{rand6} rwk, + + # Silencer + deny owner @{HOME}/.* r, + deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, + + include if exists +} diff --git a/apparmor.d/groups/lxqt/featherpad b/apparmor.d/groups/lxqt/featherpad index 60b6ff435..3f8688619 100644 --- a/apparmor.d/groups/lxqt/featherpad +++ b/apparmor.d/groups/lxqt/featherpad @@ -30,14 +30,16 @@ profile featherpad @{exec_path} { /opt/{,**} r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, owner @{HOME}/.inputrc r, owner @{HOME}/.bashrc r, owner @{HOME}/.bash_profile r, owner @{HOME}/.bash_logout r, owner @{HOME}/.xscreensaver r, - - owner @{user_config_dirs}/QtProject.conf r, - owner @{user_config_dirs}/featherpad/{,**} rwk, + owner @{user_config_dirs}/QtProject.conf r, + owner @{user_config_dirs}/QtProject.conf r, + owner @{user_config_dirs}/featherpad/{,**} rwk, owner @{user_config_dirs}/featherpad/** rwkl -> @{user_config_dirs}/featherpad/#@{int}, owner /tmp/@{int} r, @@ -54,4 +56,5 @@ profile featherpad @{exec_path} { /dev/tty rw, + include if exists } diff --git a/apparmor.d/groups/lxqt/lximage-qt b/apparmor.d/groups/lxqt/lximage-qt index 9776c86d1..4a9a36378 100644 --- a/apparmor.d/groups/lxqt/lximage-qt +++ b/apparmor.d/groups/lxqt/lximage-qt 
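Review bot: `owner @{user_config_dirs}/** rwkl -> @{user_config_dirs}/#@{int},` gives the browser read, write, lock and link over the whole of the user's config tree, which makes the narrower `falkon/`, `kdeglobals r`, `kioslaverc r` rules beside it meaningless and lets a compromised renderer rewrite any other application's configuration (autostart entries included); drop it and keep only the specific paths the log actually shows. `/usr/share/doc/{,**} rw,` and `/usr/share/qt6/** rw,` should be `r` — a browser has no reason to write into system data directories, and since DAC denies it anyway the `w` only hides a misbehaving component. The `@{bin}/resolvconf rPx,` / `@{bin}/dnsmasq rPx,` transitions, the `signal (send) set=(term) peer=dnsmasq,` and the `org.freedesktop.resolve1.Manager` `SetLink*` call look like they were captured from a network-configuration tool rather than from falkon; unless falkon itself was observed needing them they should go, as `SetLink*` reconfigures DNS for the whole host. Finally `owner @{user_config_dirs}/falkonrc.lock` appears twice (`rwk` and later `rw`); the second line is redundant.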
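Review bot: `owner @{user_config_dirs}/QtProject.conf r,` is added twice in a row in the first featherpad hunk (the old single line was removed and re-added as two identical lines); keep one copy. The blank line that separated the `@{HOME}/.*` dotfile rules from the `@{user_config_dirs}` rules was also dropped, which is the opposite of the grouping every other profile in this patch uses — restore it so the sections stay readable.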
@@ -1,7 +1,9 @@ -# +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol # Copyright (C) 2024 Besanon # SPDX-License-Identifier: GPL-2.0-only -# + +abi , #include 
@@ -17,48 +19,41 @@ profile lximage-qt @{exec_path} { include include include - - signal (receive) set=(kill, term) peer=lxqt-session, - @{exec_path} mr, - @{lib}exec/menu-cache/menu-cached mr, + @{exec_path} mr, + @{lib}exec/menu-cache/menu-cached mr, - /usr/share/icons/{,**} r, - /usr/share/desktop-directories/{,**} r, + /usr/share/icons/{,**} r, + /usr/share/desktop-directories/{,**} r, /usr/share/lximage-qt/translations/{,**} r, /usr/share/libfm-qt6/translations/libfm-qt_de.qm r, - /usr/share/thumbnailers/{,**} r, + /usr/share/thumbnailers/{,**} r, /usr/share/gvfs/remote-volume-monitors/ r, /usr/share/gvfs/remote-volume-monitors/udisks2.monitor r, /etc/xdg/menus/lxqt-applications.menu r, - owner @{HOME}/.inputrc r, - owner @{HOME}/.bashrc r, - owner @{HOME}/.bash_profile r, - owner @{HOME}/.bash_logout r, - owner @{HOME}/.bash_history r, - owner @{HOME}/.xscreensaver r, - owner @{user_cache_dirs}/thumbnails/normal/** rwk, - owner @{user_config_dirs}/#@{int} rwk, owner @{user_config_dirs}/QtProject.conf rw, owner @{user_config_dirs}/QtProject.conf.lock rwk, - owner @{user_config_dirs}/** rwkl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/lximage-qt/settings.conf r, - owner @{user_config_dirs}/lximage-qt/{,**} rwk, - owner @{user_config_dirs}/lximage-qt/** rwkl -> @{user_config_dirs}/lximage-qt/#@{int}, + owner @{user_config_dirs}/lximage-qt/QtProject.conf.@{rand6} rwkl -> @{user_config_dirs}/lximage-qt/#@{int}, - owner /tmp/{,**} r, + @{PROC}/sys/kernel/random/boot_id r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, - @{PROC}/sys/kernel/random/boot_id r, - owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/mounts r, + owner @{HOME}/.inputrc r, + owner @{HOME}/.bashrc r, + owner @{HOME}/.bash_profile r, + owner @{HOME}/.bash_logout r, + owner @{HOME}/.bash_history r, + owner @{HOME}/.xscreensaver r, - @{sys}/devices/@{pci_bus}/{,**} r, - @{sys}/devices/@{pci_bus}/**/**/** r, + owner /tmp/@{int} r, - /dev/tty rw, + /dev/tty 
rw, + include if exists } diff --git a/apparmor.d/groups/lxqt/lxqt b/apparmor.d/groups/lxqt/lxqt new file mode 100644 index 000000000..8d85a4b74 --- /dev/null +++ b/apparmor.d/groups/lxqt/lxqt @@ -0,0 +1,28 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Besanon +# SPDX-License-Identifier: GPL-2.0-only + + include + include + include + include + include + include + + signal (receive) set=(kill, term) peer=lxqt-session, + + /usr/share/hwdata/pnp.ids r, + /usr/share/icu/@{int}.@{int}/*.dat r, + /usr/share/lxqt/** r, + /usr/share/qt{5,6}/ r, + /usr/share/qt{5,6}/{,**} r, + + owner @{HOME}/.Xdefaults r, + + owner @{user_cache_dirs}/fontconfig/* rw, + owner @{user_cache_dirs}/lxqt-notificationd/* r, + + owner @{user_config_dirs}/lxqt/*.conf rw, + + owner @{user_share_dirs}/sddm/xorg-session.log rw, + diff --git a/apparmor.d/groups/lxqt/lxqt-about b/apparmor.d/groups/lxqt/lxqt-about index 1c783f6a9..0c3a365d9 100644 --- a/apparmor.d/groups/lxqt/lxqt-about +++ b/apparmor.d/groups/lxqt/lxqt-about @@ -11,6 +11,7 @@ abi , profile lxqt-about @{exec_path} { include include + include include include diff --git a/apparmor.d/groups/lxqt/lxqt-admin-time b/apparmor.d/groups/lxqt/lxqt-admin-time index eb2f0682c..40efe3b92 100644 --- a/apparmor.d/groups/lxqt/lxqt-admin-time +++ b/apparmor.d/groups/lxqt/lxqt-admin-time @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{bin}/lxqt-admin-time -profile lxqt-admin-time @{exec_path} flags=(complain) { +profile lxqt-admin-time @{exec_path} { include include include diff --git a/apparmor.d/groups/lxqt/lxqt-admin-user b/apparmor.d/groups/lxqt/lxqt-admin-user index 8e941b669..6c9504b97 100644 --- a/apparmor.d/groups/lxqt/lxqt-admin-user +++ b/apparmor.d/groups/lxqt/lxqt-admin-user @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{bin}/lxqt-admin-user -profile lxqt-admin-user @{exec_path} flags=(complain) { +profile lxqt-admin-user @{exec_path} { include include include 
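Review bot: The rewrite deletes `owner @{user_config_dirs}/lximage-qt/{,**} rwk,` and the `lximage-qt/** rwkl -> …/#@{int}` rule but keeps only `owner @{user_config_dirs}/lximage-qt/settings.conf r,`, so the viewer presumably can no longer persist its settings (the temp-file-plus-rename write needs `rwk` on the directory and a `#@{int}` link target) — confirm against a fresh log before enforcing. The newly added `owner @{user_config_dirs}/lximage-qt/QtProject.conf.@{rand6} rwkl -> @{user_config_dirs}/lximage-qt/#@{int},` looks misplaced: `QtProject.conf` lives directly under `@{user_config_dirs}` (as the two lines above it show), not under `lximage-qt/`, so this rule is unlikely to ever match; the intended replacement is probably `owner @{user_config_dirs}/lximage-qt/** rwkl -> @{user_config_dirs}/lximage-qt/#@{int},`. `@{lib}exec/menu-cache/menu-cached mr,` (re-indented onto the new side) grants mmap-read but no exec; if lximage-qt spawns menu-cached this needs an exec transition such as `rPx`, and the odd `@{lib}exec` spelling is worth double-checking against the tunables.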
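Review bot: The new `apparmor.d/groups/lxqt/lxqt` is byte-identical to `apparmor.d/abstractions/lxqt` — both index lines name blob 8d85a4b74 — yet it sits in groups/, where files are expected to declare a `profile` block; as shown it holds bare `signal` and file rules with no profile, `abi` or `@{exec_path}`, so the parser is unlikely to accept it and it duplicates the abstraction in any case. Drop the groups/ copy. Separately, `owner @{user_config_dirs}/lxqt/*.conf rw,` in a block every LXQt application inherits hands each of them write access to `globalkeyshortcuts.conf` and `session.conf`, which map keys and the session's window-manager entry to commands; a compromised app could plant a shortcut or session entry that runs arbitrary code, so prefer `r` here and grant `rw` only in the profiles that own those files (lxqt-config-*, lxqt-globalkeysd). `owner @{user_share_dirs}/sddm/xorg-session.log rw,` likewise belongs to the session/startlxqt profile rather than to the shared block.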
@@ -21,7 +21,12 @@ profile lxqt-admin-user @{exec_path} flags=(complain) { @{exec_path} mr, - owner /tmp/{,**} r, + @{bin}/pkexec rPx, + @{bin}/usermod rPx, + + /etc/shells r, + + owner /tmp/@{int} r, /dev/tty rw, diff --git a/apparmor.d/groups/lxqt/lxqt-admin-user-helper b/apparmor.d/groups/lxqt/lxqt-admin-user-helper index eec6c9f90..28b2d02af 100644 --- a/apparmor.d/groups/lxqt/lxqt-admin-user-helper +++ b/apparmor.d/groups/lxqt/lxqt-admin-user-helper @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{bin}/lxqt-admin-user-helper -profile lxqt-admin-user-helper @{exec_path} flags=(complain) { +profile lxqt-admin-user-helper @{exec_path} { include include include @@ -19,7 +19,10 @@ profile lxqt-admin-user-helper @{exec_path} flags=(complain) { include @{exec_path} mr, + + @{bin}/usermod rPx, + owner @{sh_path} r, owner /tmp/@{int} r, /dev/tty rw, diff --git a/apparmor.d/groups/lxqt/lxqt-archiver b/apparmor.d/groups/lxqt/lxqt-archiver new file mode 100644 index 000000000..90abd1de5 --- /dev/null +++ b/apparmor.d/groups/lxqt/lxqt-archiver @@ -0,0 +1,28 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# Copyright (C) 2024 Besanon +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/lxqt-archiver +profile lxqt-archiver @{exec_path} { + include + include + include + include + include + include + include + include + + @{exec_path} mr, + + owner /tmp/@{int} r, + + /dev/tty rw, + + include if exists +} diff --git a/apparmor.d/groups/lxqt/lxqt-backlight_backend b/apparmor.d/groups/lxqt/lxqt-backlight_backend new file mode 100644 index 000000000..092687e40 --- /dev/null +++ b/apparmor.d/groups/lxqt/lxqt-backlight_backend 
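Review bot: `@{bin}/usermod rPx,` in the unprivileged lxqt-admin-user GUI is suspicious: usermod requires root, and the same patch already routes the privileged path through `@{bin}/pkexec rPx,` into lxqt-admin-user-helper, which is also given `@{bin}/usermod rPx,`. Unless the GUI was observed executing usermod directly, drop the rule here so the privilege boundary stays at pkexec. Since this profile also moves from `flags=(complain)` to enforce in this commit, every rule that does not reflect real behaviour now blocks rather than logs, so the remaining rules deserve one more pass against a log taken in complain mode.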
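Review bot: `owner @{sh_path} r,` in lxqt-admin-user-helper (new side, whether added or re-indented) grants read but not execute on a root-owned shell; the `owner` qualifier only matches because the helper runs as root under pkexec. If the helper spawns a shell this should be `@{sh_path} rix,`; if it merely reads it, drop `owner` so the rule is not tied to the caller's uid. The enclosing profile closes outside the hunk.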
@@ -0,0 +1,32 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# Copyright (C) 2024 Besanon +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/lxqt-backlight_backend +profile lxqt-backlight_backend @{exec_path} { + include + include + include + include + include + include + include + include + + @{exec_path} mr, + + @{sys}/class/backlight/ r, + owner @{sys}/devices/@{pci_bus}/0000:00:02.0/drm/card@{int}/card@{int}-eDP-@{int}/intel_backlight/* rw, + owner @{sys}/devices/@{pci_bus}/**/**/drm/card@{int}/card@{int}-eDP-1/amdgpu_bl@{int}/* rw, + + owner /tmp/@{int} r, + + /dev/tty rw, + + include if exists +} diff --git a/apparmor.d/groups/lxqt/lxqt-config b/apparmor.d/groups/lxqt/lxqt-config index 78aa20e1d..10d591ba6 100644 --- a/apparmor.d/groups/lxqt/lxqt-config +++ b/apparmor.d/groups/lxqt/lxqt-config @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{bin}/lxqt-config -profile lxqt-config @{exec_path} flags=(complain) { +profile lxqt-config @{exec_path} { include include include @@ -41,24 +41,20 @@ profile lxqt-config @{exec_path} flags=(complain) { @{bin}/pavucontrol-qt rPx, @{bin}/system-config-printer rPx, @{bin}/nm-connection-editor rPx, - @{bin}/ControlPanel rPx, + @{bin}/ControlPanel rPx, - - /etc/xdg/menus/lxqt-config.menu r, + /etc/xdg/menus/lxqt-config.menu r, - /usr/share/desktop-directories/lxqt-* r, + /usr/share/desktop-directories/lxqt-* r, owner @{user_config_dirs}/lxqt/lxqt-config.conf.lock rwk, owner @{user_config_dirs}/lxqt/** rwkl -> @{user_config_dirs}/lxqt/#@{int}, - @{sys}/devices/@{pci_bus}/**/* r, - @{sys}/devices/@{pci_bus}/**/**/* r, + @{PROC}/sys/kernel/random/boot_id r, - @{PROC}/sys/kernel/random/boot_id r, + owner /tmp/@{int} r, - owner /tmp/{,**} r, - - /dev/tty rw, + /dev/tty rw, include if exists } diff --git a/apparmor.d/groups/lxqt/lxqt-config-appearance b/apparmor.d/groups/lxqt/lxqt-config-appearance index 02759efd8..5934a321b 100644 
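Review bot: The two sysfs rules in lxqt-backlight_backend hard-code one machine: `0000:00:02.0` and `eDP-1` match a single Intel iGPU slot and one panel, and the `owner` qualifier on root-owned sysfs attributes only holds because the backend runs as root via pkexec. Write them once with the tunables the neighbouring profiles already use, e.g. `@{sys}/devices/@{pci}/drm/card@{int}/card@{int}-eDP-@{int}/{intel_backlight,amdgpu_bl@{int}}/* rw,` — the `**/**/` prefix is redundant since `**` already spans any depth. `*` with `rw` also covers `uevent` in that directory; if only `brightness` and `bl_power` are written, list them instead.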
--- a/apparmor.d/groups/lxqt/lxqt-config-appearance +++ b/apparmor.d/groups/lxqt/lxqt-config-appearance @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{bin}/lxqt-config-appearance -profile lxqt-config-appearance @{exec_path} flags=(complain) { +profile lxqt-config-appearance @{exec_path} { include include include @@ -21,8 +21,9 @@ profile lxqt-config-appearance @{exec_path} flags=(complain) { include include - @{exec_path} mr, + @{exec_path} mr, @{bin}/gsettings rPx, + @{bin}/pcmanfm-qt rPx, owner @{user_config_dirs}/lxqt/** rwkl -> @{user_config_dirs}/lxqt/#@{int}, owner @{user_config_dirs}/pcmanfm-qt/lxqt/settings.conf r, diff --git a/apparmor.d/groups/lxqt/lxqt-config-brightness b/apparmor.d/groups/lxqt/lxqt-config-brightness index a579a7bb1..2b827c409 100644 --- a/apparmor.d/groups/lxqt/lxqt-config-brightness +++ b/apparmor.d/groups/lxqt/lxqt-config-brightness @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{bin}/lxqt-config-brightness -profile lxqt-config-brightness @{exec_path} flags=(complain) { +profile lxqt-config-brightness @{exec_path} { include include include @@ -18,7 +18,8 @@ profile lxqt-config-brightness @{exec_path} flags=(complain) { include include - @{exec_path} mr, + @{exec_path} mr, + @{bin}/pkexec rpx, @{sh_path} rix, @@ -27,8 +28,8 @@ profile lxqt-config-brightness @{exec_path} flags=(complain) { owner /tmp/{,**} r, @{sys}/class/backlight/ r, - @{sys}/devices/@{pci_bus}/{,**} r, - @{sys}/devices/@{pci_bus}/**/**/** r, + @{sys}/devices/@{pci_bus}/**/**/drm/card@{int}/card@{int}-eDP-@{int}/amdgpu_bl@{int}/* rw, + @{sys}/devices/@{pci_bus}/**/drm/card@{int}/card@{int}-eDP-@{int}/intel_backlight/* rw, /dev/tty rw, diff --git a/apparmor.d/groups/lxqt/lxqt-config-file-associations b/apparmor.d/groups/lxqt/lxqt-config-file-associations index dcd2cbe8f..a5ad795f8 100644 --- a/apparmor.d/groups/lxqt/lxqt-config-file-associations +++ b/apparmor.d/groups/lxqt/lxqt-config-file-associations 
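Review bot: `@{bin}/pkexec rpx,` in lxqt-config-brightness uses lower-case `p`, so the environment is not scrubbed on the transition into a setuid helper; the other pkexec transition in this patch (lxqt-admin-user) uses `rPx`. Use `@{bin}/pkexec rPx,` here, and the same fix applies to `@{bin}/screengrab rpx,` and `@{bin}/lxqt-config-brightness rpx,` in lxqt-globalkeysd. The two new backlight rules are `rw` without `owner`; since brightness changes are meant to go through lxqt-backlight_backend under pkexec, the GUI itself should only need `r` on those attributes — confirm against the log. The enclosing profile closes outside the hunk.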
@@ -8,7 +8,7 @@ abi , include @{exec_path} = @{bin}/lxqt-config-file-associations -profile lxqt-config-file-associations @{exec_path} flags=(complain) { +profile lxqt-config-file-associations @{exec_path} { include include include @@ -18,17 +18,18 @@ profile lxqt-config-file-associations @{exec_path} flags=(complain) { include include - @{exec_path} mr, + @{exec_path} mr, - owner @{user_config_dirs}/lxqt/** rwkl -> @{user_config_dirs}/lxqt/#@{int}, + owner @{user_config_dirs}/ r, owner @{user_config_dirs}/mimeapps* rwk, owner @{user_config_dirs}/lxqt-* rwk, + owner @{user_config_dirs}/lxqt/** rwkl -> @{user_config_dirs}/lxqt/#@{int}, owner /tmp/#@{int} rwk, - @{PROC}/sys/kernel/random/boot_id r, + @{PROC}/sys/kernel/random/boot_id r, - /dev/tty rw, + /dev/tty rw, include if exists } diff --git a/apparmor.d/groups/lxqt/lxqt-config-globalkeyshortcuts b/apparmor.d/groups/lxqt/lxqt-config-globalkeyshortcuts index 15a6a4e5f..16537a3a9 100644 --- a/apparmor.d/groups/lxqt/lxqt-config-globalkeyshortcuts +++ b/apparmor.d/groups/lxqt/lxqt-config-globalkeyshortcuts @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{bin}/lxqt-config-globalkeyshortcuts -profile lxqt-config-globalkeyshortcuts @{exec_path} flags=(complain) { +profile lxqt-config-globalkeyshortcuts @{exec_path} { include include include @@ -18,8 +18,8 @@ profile lxqt-config-globalkeyshortcuts @{exec_path} flags=(complain) { include include include - - @{exec_path} mr, + + @{exec_path} mr, owner @{user_config_dirs}/lxqt/** rwkl -> @{user_config_dirs}/lxqt/#@{int}, diff --git a/apparmor.d/groups/lxqt/lxqt-config-input b/apparmor.d/groups/lxqt/lxqt-config-input index 3cc7ea6eb..ea54c8784 100644 --- a/apparmor.d/groups/lxqt/lxqt-config-input +++ b/apparmor.d/groups/lxqt/lxqt-config-input @@ -8,7 +8,8 @@ abi , include @{exec_path} = @{bin}/lxqt-config-input -profile lxqt-config-input @{exec_path} flags=(complain) { +profile lxqt-config-input @{exec_path} { + include include include include 
@@ -17,29 +18,45 @@ profile lxqt-config-input @{exec_path} flags=(complain) { include include include + include include include include include - @{exec_path} mr, + + @{exec_path} mr, @{bin}/setxkbmap rix, + /etc/udev/udev.conf r, + owner @{user_config_dirs}/lxqt/** rwkl -> @{user_config_dirs}/lxqt/#@{int}, - owner /tmp/@{int} r, + owner /tmp/@{int} r, - # There are hundreds of files to be accessed - Question: better to deny the few not to be accessed?? - @{run}/udev/data/** r, - @{sys}/devices/** r, - @{sys}/class/** r, - @{sys}/bus/** r, - @{sys}/devices/** r, + @{run}/udev/data/c@{int}:* r, + @{run}/udev/data/b@{int}:* r, + @{run}/udev/data/+sound:card@{int} r, + @{run}/udev/data/+bluetooth:* r, + @{run}/udev/data/+platform:* r, + @{run}/udev/data/+acpi:* r, + @{run}/udev/data/+i2c:* r, + @{run}/udev/data/+backlight:* r, + @{run}/udev/data/+leds:* r, + @{run}/udev/data/n@{int} r, + @{run}/udev/data/+input:* r, + @{run}/udev/data/+dmi:* r, + @{run}/udev/data/+drm:* r, + @{run}/udev/data/+pci:* r, + @{run}/udev/data/+rfkill:* r, + + @{sys}/bus/** r, + @{sys}/class/** r, + @{sys}/devices/** r, @{PROC}/sys/kernel/random/boot_id r, - /dev/tty rw, include if exists diff --git a/apparmor.d/groups/lxqt/lxqt-config-locale b/apparmor.d/groups/lxqt/lxqt-config-locale index 5a9c34645..b0d9a17ed 100644 --- a/apparmor.d/groups/lxqt/lxqt-config-locale +++ b/apparmor.d/groups/lxqt/lxqt-config-locale @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{bin}/lxqt-config-locale -profile lxqt-config-locale @{exec_path} flags=(complain) { +profile lxqt-config-locale @{exec_path} { include include include diff --git a/apparmor.d/groups/lxqt/lxqt-config-monitor b/apparmor.d/groups/lxqt/lxqt-config-monitor index ad348f5a3..c038209c4 100644 --- a/apparmor.d/groups/lxqt/lxqt-config-monitor +++ b/apparmor.d/groups/lxqt/lxqt-config-monitor 
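Review bot: The rewrite keeps `@{sys}/bus/** r,`, `@{sys}/class/** r,` and `@{sys}/devices/** r,` (only re-indented) while deleting the comment that questioned them, so the new `@{run}/udev/data/…` rules narrow only the udev side; the whole sysfs tree remains readable. Either keep the comment with the broad rules or narrow them to what an input dialog reads, e.g. `@{sys}/devices/**/input@{int}/{,**} r,` — to be confirmed against the log. `/dev/tty rw,` was removed from this profile while every sibling in the patch keeps it; make sure that was deliberate, since the profile also leaves complain mode here. The profile's closing brace is outside the hunk.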
@@ -8,7 +8,7 @@ abi , include @{exec_path} = @{bin}/lxqt-config-monitor -profile lxqt-config-monitor @{exec_path} flags=(complain) { +profile lxqt-config-monitor @{exec_path} { include include include @@ -18,6 +18,7 @@ profile lxqt-config-monitor @{exec_path} flags=(complain) { include include + @{exec_path} mr, owner /tmp/@{int} r, diff --git a/apparmor.d/groups/lxqt/lxqt-config-notificationd b/apparmor.d/groups/lxqt/lxqt-config-notificationd index 440e8464e..781ccb7c0 100644 --- a/apparmor.d/groups/lxqt/lxqt-config-notificationd +++ b/apparmor.d/groups/lxqt/lxqt-config-notificationd @@ -8,23 +8,25 @@ abi , include @{exec_path} = @{bin}/lxqt-config-notificationd -profile lxqt-config-notificationd @{exec_path} flags=(complain) { +profile lxqt-config-notificationd @{exec_path} { include - include - include + include + include include - include - include - include - include + include + include + include @{exec_path} mr, + /etc/machine-id r, + + /var/lib/dbus/machine-id r, + owner @{user_config_dirs}/lxqt/ r, owner @{user_config_dirs}/lxqt/** rwkl -> @{user_config_dirs}/lxqt/#@{int}, - owner /tmp/{,**} r, + owner /tmp/#@{int} r, @{PROC}/sys/kernel/random/boot_id r, diff --git a/apparmor.d/groups/lxqt/lxqt-config-powermanagement b/apparmor.d/groups/lxqt/lxqt-config-powermanagement index 832078911..fc088ca40 100644 --- a/apparmor.d/groups/lxqt/lxqt-config-powermanagement +++ b/apparmor.d/groups/lxqt/lxqt-config-powermanagement @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{bin}/lxqt-config-powermanagement -profile lxqt-config-powermanagement @{exec_path} flags=(complain) { +profile lxqt-config-powermanagement @{exec_path} { include include include 
@@ -26,10 +26,13 @@ profile lxqt-config-powermanagement @{exec_path} flags=(complain) { owner /tmp/@{int} r, @{sys}/class/backlight/ r, + @{sys}/devices/@{pci_bus}/**/drm/card@{int}/card@{int}-eDP-@{int}/intel_backlight/* rw, @{sys}/devices/@{pci_bus}/0000:00:02.0/drm/card@{int}/card@{int}-eDP-@{int}/intel_backlight/ r, @{sys}/devices/@{pci_bus}/0000:00:02.0/drm/card@{int}/card@{int}-eDP-@{int}/intel_backlight/max_brightness r, @{sys}/devices/@{pci_bus}/0000:00:02.0/drm/card@{int}/card@{int}-eDP-@{int}/intel_backlight/bl_power r, @{sys}/devices/@{pci_bus}/0000:00:02.0/drm/card@{int}/card@{int}-eDP-@{int}/intel_backlight/actual_brightness r, + @{sys}/devices/@{pci_bus}/**/**/drm/card@{int}/card@{int}-eDP-1/amdgpu_bl@{int}/* r, + @{PROC}/sys/kernel/random/boot_id r, diff --git a/apparmor.d/groups/lxqt/lxqt-config-printer b/apparmor.d/groups/lxqt/lxqt-config-printer index bd763c693..998148824 100644 --- a/apparmor.d/groups/lxqt/lxqt-config-printer +++ b/apparmor.d/groups/lxqt/lxqt-config-printer @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{bin}/lxqt-config-printer -profile lxqt-config-printer @{exec_path} flags=(complain) { +profile lxqt-config-printer @{exec_path} { include include include @@ -18,7 +18,7 @@ profile lxqt-config-printer @{exec_path} flags=(complain) { include include - @{exec_path} mr, + @{exec_path} mr, owner /tmp/@{int} r, diff --git a/apparmor.d/groups/lxqt/lxqt-config-session b/apparmor.d/groups/lxqt/lxqt-config-session index cd5ebbf52..4e4ad82bf 100644 --- a/apparmor.d/groups/lxqt/lxqt-config-session +++ b/apparmor.d/groups/lxqt/lxqt-config-session 
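Review bot: The new `@{sys}/devices/@{pci_bus}/**/drm/card@{int}/card@{int}-eDP-@{int}/intel_backlight/* rw,` is a superset of the three `0000:00:02.0 … intel_backlight/{max_brightness,bl_power,actual_brightness} r` lines beneath it, which become dead rules, and it adds write access a settings dialog should not need (writes are the backend's job). Keep `r`, drop the three redundant file rules, and use the same generic path for the `amdgpu_bl@{int}` line so both vendors are handled alike (`**/**/` is just `**`). The enclosing profile continues outside the hunk.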
@@ -8,33 +8,43 @@ abi , include @{exec_path} = @{bin}/lxqt-config-session -profile lxqt-config-session @{exec_path} flags=(complain) { +profile lxqt-config-session @{exec_path} { include include include include include + include include include include include + include + include - @{exec_path} mr, + @{exec_path} mr, - /etc/xdg/autostart/ r, - /etc/xdg/autostart/** r, + /usr/share/libfm-qt6/translations/libfm-qt_de.qm r, + /usr/share/gvfs/remote-volume-monitors/ r, + /usr/share/gvfs/remote-volume-monitors/udisks2.monitor r, + + /etc/fstab r, + /etc/xdg/autostart/ r, + /etc/xdg/autostart/** r, - owner @{user_config_dirs}/autostart/ r, + owner @{user_config_dirs}/#@{int} rw, + owner @{user_config_dirs}/QtProject.conf.@{rand6} rwkl, + owner @{user_config_dirs}/QtProject.conf.lock rwk, + owner @{user_config_dirs}/autostart/ r, owner @{user_config_dirs}/autostart/lxqt-config-monitor-autostart.desktop r, owner @{user_config_dirs}/lxqt/** rwkl -> @{user_config_dirs}/lxqt/#@{int}, - owner /tmp/@{int} r, - - @{sys}/devices/@{pci_bus}/{,**} r, - @{sys}/devices/@{pci_bus}/**/**/** r, + owner /tmp/@{int} r, @{PROC}/sys/kernel/random/boot_id r, + owner @{PROC}/@{pid}/mountinfo r, /dev/tty rw, + include if exists } diff --git a/apparmor.d/groups/lxqt/lxqt-globalkeysd b/apparmor.d/groups/lxqt/lxqt-globalkeysd index 1a87a89d5..5d5da5719 100644 --- a/apparmor.d/groups/lxqt/lxqt-globalkeysd +++ b/apparmor.d/groups/lxqt/lxqt-globalkeysd @@ -18,11 +18,9 @@ profile lxqt-globalkeysd @{exec_path} { include include - signal (receive) set=(kill, term) peer=lxqt-session, - @{exec_path} mr, - @{bin}/screengrab rpx, + @{bin}/screengrab rpx, @{bin}/lxqt-config-brightness rpx, /usr/share/lxqt/globalkeyshortcuts.conf rw, 
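Review bot: `owner @{user_config_dirs}/QtProject.conf.@{rand6} rwkl,` in lxqt-config-session has a bare `l` with no `-> target`, unlike every other link rule in this patch (`rwkl -> …/#@{int}`), so it permits hard-linking the temp file anywhere else the profile can write. I believe the settings writer renames the temp file rather than linking it, in which case `rw` plus the existing `QtProject.conf.lock rwk` is enough — otherwise pin the target as the others do: `owner @{user_config_dirs}/QtProject.conf.@{rand6} rwkl -> @{user_config_dirs}/#@{int},`.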
@@ -32,13 +30,12 @@ profile lxqt-globalkeysd @{exec_path} { owner @{user_config_dirs}/lxqt/* rwk, owner @{user_config_dirs}/lxqt/globalkeyshortcuts.conf.lock wrk, owner @{user_config_dirs}/lxqt/#@{int} wr, - owner @{user_config_dirs}/lxqt/globalkeyshortcuts.conf.@{rand6} rwkl -> @{user_config_dirs}/lxqt/#@{int}, - owner @{user_config_dirs}/lxqt/globalkeyshortcuts.conf.@{rand6} rwl -> @{user_config_dirs}/lxqt/#@{int}, owner @{user_config_dirs}/lxqt/globalkeyshortcuts.conf.@{rand6} rw, + owner @{user_config_dirs}/lxqt/** rwkl -> @{user_config_dirs}/lxqt/#@{int}, /dev/tty rw, - owner /tmp/{,**} r, + owner /tmp/@{int} r, @{PROC}/sys/kernel/random/boot_id r, diff --git a/apparmor.d/groups/lxqt/lxqt-leave b/apparmor.d/groups/lxqt/lxqt-leave index acd06c840..05e09c5c5 100644 --- a/apparmor.d/groups/lxqt/lxqt-leave +++ b/apparmor.d/groups/lxqt/lxqt-leave @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{bin}/lxqt-leave -profile lxqt-leave @{exec_path} flags=(complain) { +profile lxqt-leave @{exec_path} { include include include @@ -19,11 +19,9 @@ profile lxqt-leave @{exec_path} flags=(complain) { include include - signal (receive) set=(term) peer=lxqt-session, - @{exec_path} mr, - owner /tmp/{,**} r, + owner /tmp/@{int} r, /dev/tty rw, diff --git a/apparmor.d/groups/lxqt/lxqt-notificationd b/apparmor.d/groups/lxqt/lxqt-notificationd index eeddd38ab..024a4913d 100644 --- a/apparmor.d/groups/lxqt/lxqt-notificationd +++ b/apparmor.d/groups/lxqt/lxqt-notificationd @@ -7,22 +7,17 @@ abi , include -@{exec_path} = @{bin}/lxqt-session -profile lxqt-notificationd @{exec_path} flags=(complain) { +@{exec_path} = @{bin}/lxqt-notificationd +profile lxqt-notificationd @{exec_path} { include - include - include - include - include + include include - include - - # TODO: local only - network inet dgram, - network inet stream, - network inet6 dgram, - network inet6 stream, - network netlink raw, + include + include + include + include + include + include dbus receive bus=session 
@@ -39,32 +34,25 @@ profile lxqt-notificationd @{exec_path} flags=(complain) { path="/org/freedesktop/Notifications" interface="org.freedesktop.Notifications" peer=(name=":[0-9]*.[0-9]*"), - - @{exec_path} mr, - @{bin}/xrdb rPx, -## @{bin}/dbus-update-activation-environment rix, this should not be set here - - /usr/share/lxqt/power.conf r, - - /etc/nsswitch.conf r, - /var/lib/dpkg/info/lxqt-notifications.conffiles r, + @{exec_path} mr, - owner @{user_cache_dirs}/lxqt-notificationd/** rwk, - owner @{user_cache_dirs}/lxqt-notificationd/#@{int} rw, + /etc/nsswitch.conf r, + + /var/lib/dpkg/info/lxqt-notifications.conffiles r, + + owner @{user_cache_dirs}/lxqt-notificationd/** rwk, + owner @{user_cache_dirs}/lxqt-notificationd/#@{int} rw, owner @{user_cache_dirs}/lxqt-notificationd/unattended.list.@{rand6} rwkl -> @{user_cache_dirs}/lxqt-notificationd/#@{int}, + owner @{user_cache_dirs}/mesa_shader_cache/index rwk, owner @{user_config_dirs}/lxqt/globalkeyshortcuts.conf.@{rand6} rwkl -> @{user_config_dirs}/lxqt/#@{int}, - owner @{user_config_dirs}/lxqt/power.conf r, - - # useless : - @{run}/systemd/inhibit/2.ref rw, - - @{PROC}/sys/kernel/random/boot_id r, owner /tmp/{,**} r, + @{PROC}/sys/kernel/random/boot_id r, + /dev/tty rw, - include if exists + include if exists } diff --git a/apparmor.d/groups/lxqt/lxqt-openssh-askpass b/apparmor.d/groups/lxqt/lxqt-openssh-askpass index 8454564dc..c4bf06e25 100644 --- a/apparmor.d/groups/lxqt/lxqt-openssh-askpass +++ b/apparmor.d/groups/lxqt/lxqt-openssh-askpass @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{bin}/lxqt-openssh-askpass -profile lxqt-openssh-askpass @{exec_path} flags=(complain) { +profile lxqt-openssh-askpass @{exec_path} { include include include @@ -18,11 +18,11 @@ profile lxqt-openssh-askpass @{exec_path} flags=(complain) { include include - @{exec_path} mr, + @{exec_path} mr, - owner /tmp/{,**} r, + owner /tmp/@{int} r, - /dev/tty rw, + /dev/tty rw, include if exists } 
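Review bot: The context line `owner /tmp/{,**} r,` in lxqt-notificationd is left untouched while this same commit narrows the identical rule to `owner /tmp/@{int} r,` in lxqt-leave, lxqt-openssh-askpass, lxqt-runner, lxqt-globalkeysd and obconf-qt. Reading every user-owned file under /tmp is broader than a notification daemon needs, so apply the same narrowing here: `owner /tmp/@{int} r,`. The added `owner @{user_cache_dirs}/mesa_shader_cache/index rwk,` looks like a generic graphics-stack rule; if the project has a shared abstraction for it, include that instead of duplicating the path per profile.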
diff --git a/apparmor.d/groups/lxqt/lxqt-panel b/apparmor.d/groups/lxqt/lxqt-panel index d073cc9c4..5051b4d45 100644 --- a/apparmor.d/groups/lxqt/lxqt-panel +++ b/apparmor.d/groups/lxqt/lxqt-panel @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{bin}/lxqt-panel -profile lxqt-panel @{exec_path} flags=(complain) { +profile lxqt-panel @{exec_path} { include include include @@ -17,7 +17,7 @@ profile lxqt-panel @{exec_path} flags=(complain) { include network inet dgram, - network inet stream, ` + network inet stream, network inet6 dgram, network inet6 stream, network inet dgram, @@ -25,7 +25,7 @@ profile lxqt-panel @{exec_path} flags=(complain) { network netlink raw, network packet dgram, - @{exec_path} mr, + @{exec_path} mr, @{bin}/exo-open rix, @{bin}/nm-connection-editor rPx, @@ -43,12 +43,15 @@ profile lxqt-panel @{exec_path} flags=(complain) { /usr/share/lxqt/themes/{,**} r, /etc/fstab r, + /etc/udev/udev.conf r, /etc/machine-id r, /etc/xdg/lxqt-qtxdg.conf r, /etc/xdg/menus/**.menu r, /etc/xdg/menus/applications-merged/ r, /etc/xdg/ui/uistandards.rc r, + /var/lib/dbus/machine-id r, + owner @{HOME}/.config/menus/**.menu rw, owner @{HOME}/.config/menus/applications-merged/ r, owner @{HOME}/Desktop/** r, @@ -62,11 +65,12 @@ profile lxqt-panel @{exec_path} flags=(complain) { owner @{user_config_dirs}/lxqt/globalkeyshortcuts.conf.@{rand6} rwk, owner @{user_config_dirs}/ibus/bus/{,**} rw, - @{run}/udev/data/* r, + @{run}/udev/data/* r, @{sys}/class/i2c-adapter/ r, - @{sys}/devices/@{pci_bus}/0000:00:*.0/ata@{int}/host@{int}/**/**/**/**/**/* r, + @{sys}/devices/@{pci_bus}/0000:00:*/ata@{int}/host@{int}/**/**/**/**/**/* r, @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_{cur,min,max}_freq r, + @{sys}/devices/@{pci_bus}/**/**/nvme/nvme0/nvme0n1/nvme0n1p4/uevent r, @{PROC}/@{pid}/fd/ r, @{PROC}/@{pid}/net/dev r, @@ -79,4 +83,3 @@ profile lxqt-panel @{exec_path} flags=(complain) { include if exists } - 
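Review bot: The added `@{sys}/devices/@{pci_bus}/**/**/nvme/nvme0/nvme0n1/nvme0n1p4/uevent r,` in lxqt-panel encodes one machine's disk layout (controller 0, namespace 1, partition 4), so it is denied on any other host once the profile leaves complain mode in this same file; `**/**` is also equivalent to a single `**` unless a minimum depth is intended. Generalise it with the `@{int}` variable already used throughout these profiles: `@{sys}/devices/@{pci_bus}/**/nvme/nvme@{int}/nvme@{int}n@{int}/nvme@{int}n@{int}p@{int}/uevent r,`. The unchanged `owner @{HOME}/.config/menus/**.menu rw,` lines just above use `@{HOME}/.config` where the rest of this group uses `@{user_config_dirs}`.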
diff --git a/apparmor.d/groups/lxqt/lxqt-policykit-agent b/apparmor.d/groups/lxqt/lxqt-policykit-agent index 3f2d5bef4..bc7787d79 100644 --- a/apparmor.d/groups/lxqt/lxqt-policykit-agent +++ b/apparmor.d/groups/lxqt/lxqt-policykit-agent @@ -9,7 +9,7 @@ include @{exec_path} = @{lib}/@{multiarch}/lxqt-policykit-agent-[0-9] @{exec_path} += @{bin}/lxqt-policykit-agent -profile lxqt-policykit-agent @{exec_path} flags=(complain) { +profile lxqt-policykit-agent @{exec_path} { include include include @@ -21,35 +21,34 @@ profile lxqt-policykit-agent @{exec_path} flags=(complain) { include signal (send) set=(term, kill) peer=polkit-agent-helper, - signal (receive) set=(kill, term) peer=lxqt-session, - @{exec_path} mr, + @{exec_path} mr, @{lib}/polkit-[0-9]/polkit-agent-helper-[0-9] rPx, /usr/share/lxqt/translations/lxqt-policykit-agent/lxqt-policykit-agent_de.qm r, - /etc/machine-id r, + /etc/machine-id r, - /var/lib/dbus/machine-id r, + /var/lib/dbus/machine-id r, owner @{user_cache_dirs}/icon-cache.kcache rw, owner @{user_config_dirs}/qt5ct/{,**} r, - owner /tmp/#@{int} rw, + owner /tmp/#@{int} rw, owner /tmp/lxqt-policykit-agent-[0-9].* rwl -> /tmp/#@{int}, - @{run}/systemd/users/@{uid} r, + @{run}/systemd/users/@{uid} r, - @{sys}/devices/system/node/ r, + @{sys}/devices/system/node/ r, @{sys}/devices/system/node/node@{int}/meminfo r, - @{PROC}/@{pid}/cgroup r, - @{PROC}/@{pid}/cmdline r, - @{PROC}/@{pid}/fd/ r, - @{PROC}/sys/kernel/core_pattern r, + @{PROC}/@{pid}/cgroup r, + @{PROC}/@{pid}/cmdline r, + @{PROC}/@{pid}/fd/ r, + @{PROC}/sys/kernel/core_pattern r, - /dev/shm/#@{int} rw, + /dev/shm/#@{int} rw, include if exists } diff --git a/apparmor.d/groups/lxqt/lxqt-powermanagement b/apparmor.d/groups/lxqt/lxqt-powermanagement new file mode 100644 index 000000000..396b355ec --- /dev/null +++ b/apparmor.d/groups/lxqt/lxqt-powermanagement 
@@ -0,0 +1,36 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# Copyright (C) 2024 Besanon +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/lxqt-powermanagement +profile lxqt-powermanagement @{exec_path} flags=(attach_disconnected) { + include + include + include + include + include + include + include + + @{exec_path} mr, + + @{bin}/xset rPx, + + /etc/udev/udev.conf r, + /etc/fstab r, + + owner /tmp/@{int} r, + + @{run}/systemd/inhibit/* rw, + + owner @{PROC}/@{pid}/mounts r, + + /dev/tty rw, + + include if exists +} diff --git a/apparmor.d/groups/lxqt/lxqt-runner b/apparmor.d/groups/lxqt/lxqt-runner index 0aed899bb..b77b142b2 100644 --- a/apparmor.d/groups/lxqt/lxqt-runner +++ b/apparmor.d/groups/lxqt/lxqt-runner @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{bin}/lxqt-runner -profile lxqt-runner @{exec_path} flags=(complain) { +profile lxqt-runner @{exec_path} { include include include @@ -17,7 +17,7 @@ profile lxqt-runner @{exec_path} flags=(complain) { include include - @{exec_path} mr, + @{exec_path} mr, /usr/share/icons/ r, /usr/share/icons/{,**} r, @@ -31,9 +31,9 @@ profile lxqt-runner @{exec_path} flags=(complain) { owner @{user_config_dirs}/lxqt/lxqt-runner.conf.@{rand6} rwkl -> @{user_config_dirs}/lxqt/#@{int}, # only needed if tor is installed on /opt - owner /opt/*/**/*.png r, + owner /opt/*/**/*.png r, - owner /tmp/{,**} r, + owner /tmp/@{int} r, /dev/tty rw, diff --git a/apparmor.d/groups/lxqt/lxqt-session b/apparmor.d/groups/lxqt/lxqt-session index b4439960d..97ae64051 100644 --- a/apparmor.d/groups/lxqt/lxqt-session +++ b/apparmor.d/groups/lxqt/lxqt-session 
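Review bot: The new lxqt-powermanagement profile's `@{run}/systemd/inhibit/* rw,` grants read/write on everything under that directory with no `owner` qualifier, which is wider than the `@{run}/systemd/inhibit/2.ref` pattern this commit removes from lxqt-notificationd suggests is needed. Consider `@{run}/systemd/inhibit/@{int}.ref rw,` so the rule is bounded to the `.ref` inhibitor files. `@{bin}/xset rPx,` assumes an `xset` profile is shipped by the project; if none is loaded, that exec is denied in enforce mode.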
@@ -7,51 +7,73 @@ abi , include -@{exec_path} = @{bin}/lxqt-session -profile lxqt-session /bin/lxqt-session flags=(attach_disconnected, complain) { +@{exec_path} = @{bin}/lxqt-session +profile lxqt-session @{exec_path} flags=(attach_disconnected) { + include include - include + include + include + include + include + include include - include - include include + include + include + include + include + include + include + include + include + include - signal (receive) set=(term) peer=sddm, signal (send), + signal (receive) set=(kill, term) peer=startlxqt, + signal (receive) set=(kill, term) peer=sddm, - dbus receive - bus=session - path="/org/freedesktop/Notifications" - interface="org.freedesktop.DBus.Introspectable" - peer=(name=":[0-9]*.[0-9]*"), - dbus send - bus=session - path="/org/freedesktop/Notifications" - interface="org.freedesktop.Notifications" - peer=(name="org.freedesktop.DBus"), - dbus receive - bus=session - path="/org/freedesktop/Notifications" - interface="org.freedesktop.Notifications" - peer=(name=":[0-9]*.[0-9]*"), + ptrace (read), - # aa:dbus own bus=session name=org.freedesktop.Notifications + network netlink raw, - @{exec_path} mr, + @{exec_path} mr, - @{sh_path} rix, - @{bin}/sleep rix, + @{sh_path} rix, + @{bin}/sed rix, + @{bin}/readlink rix, + @{bin}/dirname rix, + @{bin}/system-config-printer-applet rPx, + @{bin}/lxqt-config-input rPx, + @{bin}/lxqt-session-settings rPx, + @{bin}/lxqt-globalkeysd rPx, + @{bin}/lxqt-panel rPx, + @{bin}/lxqt-policykit-agent rPx, + @{bin}/lxqt-runner rPx, + @{bin}/lxqt-notificationd rPx, + @{bin}/lxqt-powermanagement rPx, + @{bin}/lxqt-config rPx, + @{bin}/lxqt-leave rPx, + @{bin}/lxqt-about rPx, + @{bin}/dbus-send rPUx, + @{bin}/dbus-update-activation-environment rCx -> dbus, + @{bin}/systemctl rCx -> systemctl, - @{bin}/dbus-update-activation-environment rcx -> dbus, - @{bin}/systemctl rcx -> systemctl, - @{lib}/geoclue-2.0/demos/agent rpux, - @{lib}/legacy-dist/deprecation-popup rpux, - 
@{lib}/@{multiarch}/lxqt-policykit-agent-[0-9] Px, + @{bin}/pavucontrol rPx, + @{bin}/python3.@{int} rPx, + @{lib}/python3.@{int} rPx, + @{bin}/xfe rPx, + @{bin}/nm-connection-editor rPx, + @{bin}/nm-applet rPx, + @{bin}/nm-tray rPx, + @{bin}/pcmanfm-qt rPx, + @{bin}/openbox rix, + @{bin}/dconf-editor rPx, + @{bin}/setxkbmap rix, + @{bin}/start-pulseaudio-x11 rPx, + @{bin}/xrdb rPx, + @{bin}/xdg-user-dirs-update rPx, + /usr/lib/{/,x86_64-linux-gnu/}tumbler-1/tumblerd rPx, - /etc/xdg/ r, - /etc/xdg/autostart/{,*} r, - /etc/xdg/menus/lxqt-* r, - /etc/xdg/openbox/* r, /usr/share/ r, /usr/share/mime/ r, /usr/share/cursors/ r, 
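Review bot: The added `/usr/lib/{/,x86_64-linux-gnu/}tumbler-1/tumblerd rPx,` in lxqt-session hard-codes one architecture, and its first alternation branch expands to `/usr/lib//tumbler-1/tumblerd`, which likely never matches; write it with the variables used elsewhere in this group: `@{lib}/{,@{multiarch}/}tumbler-1/tumblerd rPx,`. The pair `@{bin}/python3.@{int} rPx,` and `@{lib}/python3.@{int} rPx,` sends a bare interpreter into a profile named after it, so whatever script the session launches runs under the interpreter's profile rather than its own, and `@{lib}/python3.@{int}` is a directory path that no exec will match — if a specific autostart script is the target, an `rPx` on that script is more precise. The unscoped `ptrace (read),` allows reading any process; restrict it with `peer=` if only the session's own children need inspecting. `@{bin}/dbus-send rPUx,` falls back to unconfined when no dbus-send profile is loaded, and this commit does not add one. The hunk continues past this line.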
@@ -59,34 +81,40 @@ profile lxqt-session /bin/lxqt-session flags=(attach_disconnected, complain) { /usr/share/desktop-directories/* r, /usr/share/system-config-printer/* r, + /etc/xdg/ r, + /etc/xdg/autostart/ r, + /etc/xdg/autostart/*.desktop r, + /etc/xdg/menus/lxqt-* r, + /etc/xdg/openbox/* r, + /etc/udev/udev.conf r, + owner @{HOME}/.local/share/ r, owner @{HOME}/.config/ r, owner @{HOME}/.config/autostart/ r, owner @{HOME}/.config/autostart/* rw, - owner @{HOME}/.config/mimeapps.list* rw, - owner @{user_cache_dirs}/openbox/openbox.log rwk, + owner @{user_config_dirs}/mimeapps.list{,.@{rand6}} rw, + owner @{user_config_dirs}/dconf/user r, + owner @{user_config_dirs}/openbox/rc.xml r, + owner @{user_share_dirs}/sddm/xorg-session.log rw, - owner @{user_config_dirs}/dconf/user r, - owner @{user_config_dirs}/openbox/rc.xml r, + @{PROC}/ r, + @{PROC}/uptime r, + @{PROC}/@{pid}/stat r, + owner @{PROC}/@{pid}/stat r, - owner @{user_share_dirs}/sddm/xorg-session.log rw, + @{run}/systemd/inhibit/** rw, - @{sys}/devices/@{pci_bus}/** r, - - @{run}/systemd/inhibit/* rw, + include if exists - /dev/tty rw, - /dev/tty[0-9]* rw, - /dev/pts/[0-9]* rw, - - profile systemctl flags=(attach_disconnected, complain) { + profile systemctl { include include - + + include if exists } - profile dbus flags=(attach_disconnected, complain) { + profile dbus { include include @@ -94,9 +122,8 @@ profile lxqt-session /bin/lxqt-session flags=(attach_disconnected, complain) { owner @{user_share_dirs}/sddm/xorg-session.log rw, + include if exists } - include if exists - } diff --git a/apparmor.d/groups/lxqt/obconf-qt b/apparmor.d/groups/lxqt/obconf-qt index a2360d3df..fb5d4aada 100644 --- a/apparmor.d/groups/lxqt/obconf-qt +++ b/apparmor.d/groups/lxqt/obconf-qt 
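Review bot: The added `@{PROC}/@{pid}/stat r,` in lxqt-session already covers the `owner @{PROC}/@{pid}/stat r,` line right after it and lets the session read the stat entry of every process on the system; unless cross-user inspection is required, keep only the `owner` form. Likewise `@{run}/systemd/inhibit/** rw,` replaces the previous `/*` with a recursive glob although that directory holds flat `.ref` files (see the `2.ref` line removed from lxqt-notificationd in this commit); `@{run}/systemd/inhibit/@{int}.ref rw,` would be tighter.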
@@ -35,7 +35,7 @@ profile obconf-qt @{exec_path} { owner @{user_config_dirs}/openbox/rc.xml rw, owner @{user_config_dirs}/openbox/{,**} rw, - owner /tmp/{,**} r, + owner /tmp/@{int} r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/groups/lxqt/pavucontrol-qt b/apparmor.d/groups/lxqt/pavucontrol-qt index 6d49fd8cc..760f3e7e2 100644 --- a/apparmor.d/groups/lxqt/pavucontrol-qt +++ b/apparmor.d/groups/lxqt/pavucontrol-qt @@ -43,4 +43,6 @@ profile pavucontrol-qt @{exec_path} flags=(complain) { /dev/tty r, owner /dev/tty@{int} rw, + + include if exists } diff --git a/apparmor.d/groups/lxqt/pcmanfm-qt b/apparmor.d/groups/lxqt/pcmanfm-qt index 05351aeca..1996b4129 100644 --- a/apparmor.d/groups/lxqt/pcmanfm-qt +++ b/apparmor.d/groups/lxqt/pcmanfm-qt @@ -27,7 +27,7 @@ profile pcmanfm-qt @{exec_path} { network inet stream, network netlink raw, - @{exec_path} mr, + @{exec_pathj} mr, / r, /boot/ r, diff --git a/apparmor.d/groups/lxqt/screengrab b/apparmor.d/groups/lxqt/screengrab index 9d12157d8..185520214 100644 --- a/apparmor.d/groups/lxqt/screengrab +++ b/apparmor.d/groups/lxqt/screengrab @@ -20,7 +20,7 @@ profile screengrab @{exec_path} { include include - @{exec_path} mr, + @{exec_path} mr, /etc/xdg/menus/lxqt-config.menu r, diff --git a/apparmor.d/groups/lxqt/startlxqt b/apparmor.d/groups/lxqt/startlxqt new file mode 100644 index 000000000..c9ab817ce --- /dev/null +++ b/apparmor.d/groups/lxqt/startlxqt 
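Review bot: The change from `@{exec_path} mr,` to `@{exec_pathj} mr,` in pcmanfm-qt references a variable that is never defined, which apparmor_parser rejects, so the whole profile fails to load rather than just losing the exec rule — and because lxqt-session now transitions to `@{bin}/pcmanfm-qt` with `rPx` in this commit, launching the file manager from the session would then be denied. Restore `@{exec_path} mr,`. A parse-only check (`apparmor_parser -Q`) over the changed profiles in CI would catch this class of typo before merge.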
@@ -0,0 +1,88 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/startlxqt +profile startlxqt @{exec_path} { + include + include + include + include + + signal (receive) set=(term) peer=sddm, + + @{exec_path} mr, + + @{bin}/xrdb rPx, + @{bin}/xsetroot rPx, + @{bin}/xprop rpx, + @{bin}/mkdir rix, + @{bin}/dbus-launch rPx, + @{bin}/lxqt-session rPx, + @{sh_path} rix, + + /usr/share/color-schemes/{,**} r, + /usr/share/desktop-directories/{,**} r, + /usr/share/icu/@{int}.@{int}/*.dat r, + /usr/share/knotifications5/{,**} r, + /usr/share/kservices5/{,**} r, + /usr/share/kservicetypes5/{,**} r, + /usr/share/mime/{,**} r, + /usr/share/plasma/{,**} r, + + /etc/locale.alias r, + /etc/machine-id r, + /etc/xdg/kcminputrc r, + /etc/xdg/kdeglobals r, + /etc/xdg/menus/{,**} r, + + @{HOME}/ r, + owner @{HOME}/.Xauthority r, + + owner @{user_cache_dirs}/ rw, + owner @{user_cache_dirs}/#@{int} rw, + owner @{user_cache_dirs}/kcrash-metadata/ rw, + @{user_cache_dirs}/ksycoca5_* rwkl -> @{user_cache_dirs}/#@{int}, + owner @{user_cache_dirs}/plasma-svgelements rw, + + owner @{user_config_dirs}/#@{int} rw, + owner @{user_config_dirs}/gtkrc rl, + owner @{user_config_dirs}/gtkrc-2.0 rl, + owner @{user_config_dirs}/kcminputrc r, + owner @{user_config_dirs}/lxqt/ rw, + owner @{user_config_dirs}/lxqt/** rwkl -> @{user_config_dirs}/kdedefaults/**, + owner @{user_config_dirs}/kdeglobals.lock rwk, + owner @{user_config_dirs}/kdeglobals{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, + owner @{user_config_dirs}/ksplashrc r, + owner @{user_config_dirs}/kwinkdeglobalsrc.lock rwk, + owner @{user_config_dirs}/menus/{,**} r, + owner @{user_config_dirs}/plasma-localerc rwl, + owner @{user_config_dirs}/plasma-localerc.lock rwk, + owner @{user_config_dirs}/plasma-workspace/env/ r, + owner @{user_config_dirs}/startkderc r, + owner @{user_config_dirs}/Trolltech.conf rwl, + owner 
@{user_config_dirs}/Trolltech.conf.lock rwk, + + owner @{user_share_dirs}/kservices5/{,**} r, + owner @{user_share_dirs}/sddm/wayland-session.log rw, + owner @{user_share_dirs}/sddm/xorg-session.log rw, + + owner /tmp/#@{int} rw, + owner /tmp/startlxqt.@{rand6} rwl -> /tmp/#@{int}, + + owner @{run}/user/@{uid}/ r, + @{run}/user/@{uid}/xauth_@{rand6} rl, + + @{PROC}/sys/kernel/core_pattern r, + @{PROC}/sys/kernel/random/boot_id r, + owner @{PROC}/@{pid}/maps r, + + /dev/tty rw, + /dev/tty@{int} rw, + + include if exists +}
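Review bot: The new rule `owner @{user_config_dirs}/lxqt/** rwkl -> @{user_config_dirs}/kdedefaults/**,` in startlxqt allows LXQt config files to be linked into a KDE directory, and together with the ksycoca5, plasma-svgelements, ksplashrc, startkderc and plasma-localerc rules it reads as if the profile was derived from a Plasma launcher and not pruned for LXQt; the link target should presumably be `@{user_config_dirs}/lxqt/#@{int}`, matching the other lxqt profiles in this commit. `@{user_cache_dirs}/ksycoca5_* rwkl -> @{user_cache_dirs}/#@{int},` is also the only cache rule here without `owner`. The header `# Copyright (C) 2023 Alexandre Pujol` predates the commit's 2024 date for a file created by this commit; confirm it is intended.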