felipe/apparmor.d
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Add LXQT group & falkon

Browse source
This commit is contained in:
Besanon 2024-06-12 10:44:57 +02:00
parent b652231277
commit 98bcf221ee
37 changed files with 694 additions and 215 deletions
Download patch file Download diff file Expand all files Collapse all files

2
apparmor.d/abstractions/lxqt
View file

@ -9,6 +9,8 @@
include <abstractions/wayland> include <abstractions/wayland>
include <abstractions/X-strict> include <abstractions/X-strict>
signal (receive) set=(kill, term) peer=lxqt-session,
/usr/share/hwdata/pnp.ids r, /usr/share/hwdata/pnp.ids r,
/usr/share/icu/@{int}.@{int}/*.dat r, /usr/share/icu/@{int}.@{int}/*.dat r,
/usr/share/lxqt/** r, /usr/share/lxqt/** r,

212
apparmor.d/groups/lxqt/falkon Normal file
View file

@ -0,0 +1,212 @@
## apparmor.d - Full set of apparmor profiles
# Copyright (C) 2015-2022 Mikhail Morfikov
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
# Copyright (C) 2024 Besanon <m231009ts@mailfence.com>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{name} = falkon{,.sh,-wayland}
@{exec_path} = @{bin}/falkon
profile falkon @{exec_path} {
include <abstractions/base>
include <abstractions/audio-client>
include <abstractions/bus-session>
include <abstractions/bus-system>
include <abstractions/bus/org.a11y>
include <abstractions/bus/org.freedesktop.FileManager1>
include <abstractions/bus/org.freedesktop.login1>
include <abstractions/bus/org.freedesktop.portal.Desktop>
include <abstractions/bus/org.freedesktop.RealtimeKit1>
include <abstractions/bus/org.gtk.Private.RemoteVolumeMonitor>
include <abstractions/dconf-write>
include <abstractions/desktop>
include <abstractions/enchant>
include <abstractions/lxqt>
include <abstractions/fontconfig-cache-read>
include <abstractions/graphics-full>
include <abstractions/gstreamer>
include <abstractions/nameservice-strict>
include <abstractions/ssl_certs>
include <abstractions/qt5-shader-cache>
include <abstractions/thumbnails-cache-read>
include <abstractions/thumbnails-cache-write>
include <abstractions/user-download-strict>
include <abstractions/user-read-strict>
network inet dgram,
network inet6 dgram,
network inet stream,
network netlink raw,
network packet dgram,
signal (send, receive) set=(term, kill) peer=QtWebEngineProc,
signal (send) set=(term, kill) peer=falkon-*,
signal (send) set=(term) peer=dnsmasq,
deny dbus send bus=system path=/org/freedesktop/hostname1,
dbus bind bus=session name=org.mpris.MediaPlayer2.falkon.*,
dbus (send, receive) bus=session path=/org/mpris/MediaPlayer2
interface=org.freedesktop.DBus.Properties
member={GetAll,PropertiesChanged}
peer=(name="{org.freedesktop.DBus,:*}"),
dbus receive bus=session path=/org/mpris/MediaPlayer2
interface=org.mpris.MediaPlayer2.Playlists
member=GetPlaylists
peer=(name=:*),
dbus send bus=system path=/org/freedesktop/resolve1
interface=org.freedesktop.resolve1.Manager
member={SetLink*,ResolveHostname}
peer=(name=org.freedesktop.resolve1, label=systemd-resolved),
dbus send bus=session path=/org/freedesktop/PowerManagement/Inhibit
interface=org.freedesktop.PowerManagement.Inhibit
member=Inhibit
peer=(name=org.freedesktop.PowerManagement),
dbus send bus=system path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member={GetConnectionUnixUser,GetConnectionUnixProcessID}
peer=(name=org.freedesktop.DBus, label=dbus-system),
@{exec_path} mr,
@{lib}/qt6/QtWebEngineProcess rix,
@{bin}/resolvconf rPx,
@{bin}/dnsmasq rPx,
@{sh_path} rix,
@{bin}/basename rix,
@{bin}/expr rix,
@{lib}/@{multiarch}/qt6/plugins/kf6/org.kde.kwindowsystem.platforms/KF6WindowSystemKWaylandPlugin.so mr,
# Desktop integration
@{bin}/kreadconfig6 rPx,
@{bin}/update-mime-database rPx,
@{lib}/gvfsd-metadata rPx,
/usr/lib/qt6/plugins/falkon/*.so mr,
/usr/share/libfm-qt/translations/libfm-qt_de.qm r,
/usr/share/@{name}/{,**} r,
/usr/share/doc/{,**} rw,
/usr/share/publicsuffix/public_suffix_list.dafsa r,
/usr/share/qt6/** rw,
/usr/share/thumbnailers/ r,
/usr/share/webext/{,**} r,
/usr/share/hunspell-bdic/ r,
/etc/fstab r,
/etc/mime.types r,
/etc/udev/udev.conf r,
owner @{HOME}/ r,
owner @{HOME}/.pki/ r,
owner @{HOME}/.pki/nssdb/ rw,
owner @{HOME}/.pki/nssdb/pkcs11.txt rw,
owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk,
owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw,
owner @{HOME}/.mozilla/firefox/ r,
owner @{user_config_dirs}/ rw,
owner @{user_config_dirs}/#@{int} rw,
owner @{user_config_dirs}/falkon/ r,
owner @{user_config_dirs}/falkon/* r,
owner @{user_config_dirs}/falkon/profiles/** rwkl -> @{user_config_dirs}/falkon/profiles/#@{int},
owner @{user_config_dirs}/falkonrc.lock rwk,
owner @{user_config_dirs}/chromium/WidevineCdm/** r,
owner @{user_config_dirs}/chromium/WidevineCdm/4.10.2710.0/_platform_specific/linux_x64/*.so m,
owner @{user_config_dirs}/gtk-{3,4}.0/assets/*.svg r,
owner @{user_config_dirs}/ibus/bus/ r,
owner @{user_config_dirs}/ibus/bus/@{hex32}-unix-{,wayland-}@{int} r,
owner @{user_config_dirs}/kdedefaults/* r,
owner @{user_config_dirs}/kdeglobals r,
owner @{user_config_dirs}/kdeglobals.lock rwk,
owner @{user_config_dirs}/** rwkl -> @{user_config_dirs}/#@{int},
owner @{user_config_dirs}/kioslaverc r,
owner @{user_config_dirs}/QtProject.conf rwk,
owner @{user_config_dirs}/QtProject.conf.lock rwk,
owner @{user_config_dirs}/mimeapps.list{,.@{rand6}} rw,
owner @{user_config_dirs}/falkonrc.lock rw,
owner @{user_share_dirs}/applications/userapp-falkon-@{rand6}.desktop{,.@{rand6}} rw,
owner @{user_share_dirs}/falkon/falkonstaterc.lock rwk,
owner @{user_share_dirs}/falkon/QtWebEngine/Default/user_prefs.json r,
owner @{user_cache_dirs}/ r,
owner @{user_cache_dirs}/falkon/** rw,
owner @{user_cache_dirs}/falkon/qmlcache/** rwkl -> @{user_cache_dirs}/falkon/qmlcache/#@{int},
owner @{user_cache_dirs}/falkon/qtpipelinecache-x86_64-little_endian-lp64/qqpc_opengl.lck rwk,
/tmp/ r,
owner /tmp/.xfsm-ICE-@{rand6} rw,
owner /tmp/@{name}/ rw,
owner /tmp/@{name}/* rwk,
owner /tmp/@{rand6}.tmp r,
owner /tmp/falkon-*/ rw,
owner /tmp/falkon-*/* rwk,
owner /tmp/falkon-@{rand6}/** rwkl -> /tmp/falkon-@{rand6}/#@{int},
owner /tmp/@{rand8}.txt w,
owner /tmp/.org.chromium.Chromium.@{rand6} rw,
/var/tmp/ r,
owner @{run}/user/@{uid}/#@{int} rw,
owner @{run}/user/@{uid}/** rwkl -> @{run}/user/@{uid}/#@{int},
@{run}/mount/utab r,
@{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad
@{run}/udev/data/c13:@{int} r, # for /dev/input/*
@{sys}/bus/ r,
@{sys}/devices/system/cpu/kernel_max r,
@{sys}/cgroup/cpu,cpuacct/user.slice/cpu.cfs_quota_us r,
@{sys}/class/ r,
@{sys}/class/**/ r,
@{sys}/devices/**/uevent r,
@{sys}/devices/@{pci}/ r,
@{sys}/devices/@{pci}/drm/card@{int}/ r,
@{sys}/devices/@{pci}/drm/renderD128/ r,
@{sys}/devices/@{pci}/drm/renderD129/ r,
@{sys}/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us r,
owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/background.slice/*/cpu.max r,
@{PROC}/ r,
@{PROC}/@{pid}/net/arp r,
@{PROC}/@{pid}/net/route r,
owner @{PROC}/@{pid}/cgroup r,
owner @{PROC}/@{pid}/setgroups w,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/mounts r,
owner @{PROC}/@{pid}/smaps r,
owner @{PROC}/@{pid}/stat r,
owner @{PROC}/@{pid}/statm r,
owner @{PROC}/@{pid}/task/ r,
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
owner @{PROC}/@{pid}/task/@{tid}/stat r,
owner @{PROC}/@{pid}/task/@{tid}/status r,
owner @{PROC}/@{pids}/cmdline r,
owner @{PROC}/@{pids}/environ r,
@{PROC}/sys/kernel/yama/ptrace_scope r,
@{PROC}/sys/fs/inotify/max_user_watches r,
/dev/ r,
/dev/hidraw@{int} rw,
/dev/tty rw,
/dev/video@{int} rw,
/dev/snd/controlC@{int} r,
owner /dev/shm/org.chromium.* rw,
owner /dev/shm/org.mozilla.ipc.@{pid}.@{int} rw,
owner /dev/shm/wayland.mozilla.ipc.@{int} rw,
owner /dev/tty@{int} rw, # File Inherit
owner /dev/shm/.org.chromium.Chromium.@{rand6} rwk,
# Silencer
deny owner @{HOME}/.* r,
deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
include if exists <local/falkon>
}

9
apparmor.d/groups/lxqt/featherpad
View file

@ -30,14 +30,16 @@ profile featherpad @{exec_path} {
/opt/{,**} r, /opt/{,**} r,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/mounts r,
owner @{HOME}/.inputrc r, owner @{HOME}/.inputrc r,
owner @{HOME}/.bashrc r, owner @{HOME}/.bashrc r,
owner @{HOME}/.bash_profile r, owner @{HOME}/.bash_profile r,
owner @{HOME}/.bash_logout r, owner @{HOME}/.bash_logout r,
owner @{HOME}/.xscreensaver r, owner @{HOME}/.xscreensaver r,
owner @{user_config_dirs}/QtProject.conf r,
owner @{user_config_dirs}/QtProject.conf r, owner @{user_config_dirs}/QtProject.conf r,
owner @{user_config_dirs}/featherpad/{,**} rwk, owner @{user_config_dirs}/featherpad/{,**} rwk,
owner @{user_config_dirs}/featherpad/** rwkl -> @{user_config_dirs}/featherpad/#@{int}, owner @{user_config_dirs}/featherpad/** rwkl -> @{user_config_dirs}/featherpad/#@{int},
owner /tmp/@{int} r, owner /tmp/@{int} r,
@ -54,4 +56,5 @@ profile featherpad @{exec_path} {
/dev/tty rw, /dev/tty rw,
include if exists <local/featherpad>
} }

49
apparmor.d/groups/lxqt/lximage-qt
View file

@ -1,7 +1,9 @@
# # apparmor.d - Full set of apparmor profiles
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
# Copyright (C) 2024 Besanon <m231009ts@mailfence.com> # Copyright (C) 2024 Besanon <m231009ts@mailfence.com>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
#
abi <abi/3.0>,
#include <tunables/global> #include <tunables/global>
@ -17,48 +19,41 @@ profile lximage-qt @{exec_path} {
include <abstractions/user-write> include <abstractions/user-write>
include <abstractions/user-download-strict> include <abstractions/user-download-strict>
include <abstractions/thumbnails-cache-read> include <abstractions/thumbnails-cache-read>
signal (receive) set=(kill, term) peer=lxqt-session,
@{exec_path} mr, @{exec_path} mr,
@{lib}exec/menu-cache/menu-cached mr, @{lib}exec/menu-cache/menu-cached mr,
/usr/share/icons/{,**} r, /usr/share/icons/{,**} r,
/usr/share/desktop-directories/{,**} r, /usr/share/desktop-directories/{,**} r,
/usr/share/lximage-qt/translations/{,**} r, /usr/share/lximage-qt/translations/{,**} r,
/usr/share/libfm-qt6/translations/libfm-qt_de.qm r, /usr/share/libfm-qt6/translations/libfm-qt_de.qm r,
/usr/share/thumbnailers/{,**} r, /usr/share/thumbnailers/{,**} r,
/usr/share/gvfs/remote-volume-monitors/ r, /usr/share/gvfs/remote-volume-monitors/ r,
/usr/share/gvfs/remote-volume-monitors/udisks2.monitor r, /usr/share/gvfs/remote-volume-monitors/udisks2.monitor r,
/etc/xdg/menus/lxqt-applications.menu r, /etc/xdg/menus/lxqt-applications.menu r,
owner @{HOME}/.inputrc r,
owner @{HOME}/.bashrc r,
owner @{HOME}/.bash_profile r,
owner @{HOME}/.bash_logout r,
owner @{HOME}/.bash_history r,
owner @{HOME}/.xscreensaver r,
owner @{user_cache_dirs}/thumbnails/normal/** rwk, owner @{user_cache_dirs}/thumbnails/normal/** rwk,
owner @{user_config_dirs}/#@{int} rwk, owner @{user_config_dirs}/#@{int} rwk,
owner @{user_config_dirs}/QtProject.conf rw, owner @{user_config_dirs}/QtProject.conf rw,
owner @{user_config_dirs}/QtProject.conf.lock rwk, owner @{user_config_dirs}/QtProject.conf.lock rwk,
owner @{user_config_dirs}/** rwkl -> @{user_config_dirs}/#@{int},
owner @{user_config_dirs}/lximage-qt/settings.conf r, owner @{user_config_dirs}/lximage-qt/settings.conf r,
owner @{user_config_dirs}/lximage-qt/{,**} rwk, owner @{user_config_dirs}/lximage-qt/QtProject.conf.@{rand6} rwkl -> @{user_config_dirs}/lximage-qt/#@{int},
owner @{user_config_dirs}/lximage-qt/** rwkl -> @{user_config_dirs}/lximage-qt/#@{int},
owner /tmp/{,**} r, @{PROC}/sys/kernel/random/boot_id r,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/mounts r,
@{PROC}/sys/kernel/random/boot_id r, owner @{HOME}/.inputrc r,
owner @{PROC}/@{pid}/mountinfo r, owner @{HOME}/.bashrc r,
owner @{PROC}/@{pid}/mounts r, owner @{HOME}/.bash_profile r,
owner @{HOME}/.bash_logout r,
owner @{HOME}/.bash_history r,
owner @{HOME}/.xscreensaver r,
@{sys}/devices/@{pci_bus}/{,**} r, owner /tmp/@{int} r,
@{sys}/devices/@{pci_bus}/**/**/** r,
/dev/tty rw, /dev/tty rw,
include if exists <local/lximage-qt>
} }

28
apparmor.d/groups/lxqt/lxqt Normal file
View file

@ -0,0 +1,28 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2024 Besanon <m231009ts@mailfence.com>
# SPDX-License-Identifier: GPL-2.0-only
include <abstractions/fonts>
include <abstractions/freedesktop.org>
include <abstractions/gtk>
include <abstractions/qt5>
include <abstractions/wayland>
include <abstractions/X-strict>
signal (receive) set=(kill, term) peer=lxqt-session,
/usr/share/hwdata/pnp.ids r,
/usr/share/icu/@{int}.@{int}/*.dat r,
/usr/share/lxqt/** r,
/usr/share/qt{5,6}/ r,
/usr/share/qt{5,6}/{,**} r,
owner @{HOME}/.Xdefaults r,
owner @{user_cache_dirs}/fontconfig/* rw,
owner @{user_cache_dirs}/lxqt-notificationd/* r,
owner @{user_config_dirs}/lxqt/*.conf rw,
owner @{user_share_dirs}/sddm/xorg-session.log rw,

1
apparmor.d/groups/lxqt/lxqt-about
View file

@ -11,6 +11,7 @@ abi <abi/3.0>,
profile lxqt-about @{exec_path} { profile lxqt-about @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/gtk> include <abstractions/gtk>
include <abstractions/lxqt>
include <abstractions/video> include <abstractions/video>
include <abstractions/lxqt> include <abstractions/lxqt>

2
apparmor.d/groups/lxqt/lxqt-admin-time
View file

@ -8,7 +8,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = @{bin}/lxqt-admin-time @{exec_path} = @{bin}/lxqt-admin-time
profile lxqt-admin-time @{exec_path} flags=(complain) { profile lxqt-admin-time @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/gtk> include <abstractions/gtk>
include <abstractions/video> include <abstractions/video>

9
apparmor.d/groups/lxqt/lxqt-admin-user
View file

@ -8,7 +8,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = @{bin}/lxqt-admin-user @{exec_path} = @{bin}/lxqt-admin-user
profile lxqt-admin-user @{exec_path} flags=(complain) { profile lxqt-admin-user @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/gtk> include <abstractions/gtk>
include <abstractions/video> include <abstractions/video>
@ -21,7 +21,12 @@ profile lxqt-admin-user @{exec_path} flags=(complain) {
@{exec_path} mr, @{exec_path} mr,
owner /tmp/{,**} r, @{bin}/pkexec rPx,
@{bin}/usermod rPx,
/etc/shells r,
owner /tmp/@{int} r,
/dev/tty rw, /dev/tty rw,

5
apparmor.d/groups/lxqt/lxqt-admin-user-helper
View file

@ -8,7 +8,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = @{bin}/lxqt-admin-user-helper @{exec_path} = @{bin}/lxqt-admin-user-helper
profile lxqt-admin-user-helper @{exec_path} flags=(complain) { profile lxqt-admin-user-helper @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/gtk> include <abstractions/gtk>
include <abstractions/video> include <abstractions/video>
@ -19,7 +19,10 @@ profile lxqt-admin-user-helper @{exec_path} flags=(complain) {
include <abstractions/gvfs-open> include <abstractions/gvfs-open>
@{exec_path} mr, @{exec_path} mr,
@{bin}/usermod rPx,
owner @{sh_path} r,
owner /tmp/@{int} r, owner /tmp/@{int} r,
/dev/tty rw, /dev/tty rw,

28
apparmor.d/groups/lxqt/lxqt-archiver Normal file
View file

@ -0,0 +1,28 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
# Copyright (C) 2024 Besanon <m231009ts@mailfence.com>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = @{bin}/lxqt-archiver
profile lxqt-archiver @{exec_path} {
include <abstractions/base>
include <abstractions/gtk>
include <abstractions/video>
include <abstractions/lxqt>
include <abstractions/qt5-shader-cache>
include <abstractions/dbus-session-strict>
include <abstractions/dbus-accessibility-strict>
include <abstractions/gvfs-open>
@{exec_path} mr,
owner /tmp/@{int} r,
/dev/tty rw,
include if exists <local/lxqt-archiver>
}

32
apparmor.d/groups/lxqt/lxqt-backlight_backend Normal file
View file

@ -0,0 +1,32 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
# Copyright (C) 2024 Besanon <m231009ts@mailfence.com>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = @{bin}/lxqt-backlight_backend
profile lxqt-backlight_backend @{exec_path} {
include <abstractions/base>
include <abstractions/gtk>
include <abstractions/video>
include <abstractions/lxqt>
include <abstractions/qt5-shader-cache>
include <abstractions/dbus-session-strict>
include <abstractions/dbus-accessibility-strict>
include <abstractions/gvfs-open>
@{exec_path} mr,
@{sys}/class/backlight/ r,
owner @{sys}/devices/@{pci_bus}/0000:00:02.0/drm/card@{int}/card@{int}-eDP-@{int}/intel_backlight/* rw,
owner @{sys}/devices/@{pci_bus}/**/**/drm/card@{int}/card@{int}-eDP-1/amdgpu_bl@{int}/* rw,
owner /tmp/@{int} r,
/dev/tty rw,
include if exists <local/lxqt-backlight_backend>
}

18
apparmor.d/groups/lxqt/lxqt-config
View file

@ -8,7 +8,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = @{bin}/lxqt-config @{exec_path} = @{bin}/lxqt-config
profile lxqt-config @{exec_path} flags=(complain) { profile lxqt-config @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/gtk> include <abstractions/gtk>
include <abstractions/graphics> include <abstractions/graphics>
@ -41,24 +41,20 @@ profile lxqt-config @{exec_path} flags=(complain) {
@{bin}/pavucontrol-qt rPx, @{bin}/pavucontrol-qt rPx,
@{bin}/system-config-printer rPx, @{bin}/system-config-printer rPx,
@{bin}/nm-connection-editor rPx, @{bin}/nm-connection-editor rPx,
@{bin}/ControlPanel rPx, @{bin}/ControlPanel rPx,
/etc/xdg/menus/lxqt-config.menu r,
/etc/xdg/menus/lxqt-config.menu r,
/usr/share/desktop-directories/lxqt-* r, /usr/share/desktop-directories/lxqt-* r,
owner @{user_config_dirs}/lxqt/lxqt-config.conf.lock rwk, owner @{user_config_dirs}/lxqt/lxqt-config.conf.lock rwk,
owner @{user_config_dirs}/lxqt/** rwkl -> @{user_config_dirs}/lxqt/#@{int}, owner @{user_config_dirs}/lxqt/** rwkl -> @{user_config_dirs}/lxqt/#@{int},
@{sys}/devices/@{pci_bus}/**/* r, @{PROC}/sys/kernel/random/boot_id r,
@{sys}/devices/@{pci_bus}/**/**/* r,
@{PROC}/sys/kernel/random/boot_id r, owner /tmp/@{int} r,
owner /tmp/{,**} r, /dev/tty rw,
/dev/tty rw,
include if exists <local/lxqt-config> include if exists <local/lxqt-config>
} }

5
apparmor.d/groups/lxqt/lxqt-config-appearance
View file

@ -8,7 +8,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = @{bin}/lxqt-config-appearance @{exec_path} = @{bin}/lxqt-config-appearance
profile lxqt-config-appearance @{exec_path} flags=(complain) { profile lxqt-config-appearance @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/dconf-write> include <abstractions/dconf-write>
include <abstractions/gtk> include <abstractions/gtk>
@ -21,8 +21,9 @@ profile lxqt-config-appearance @{exec_path} flags=(complain) {
include <abstractions/dbus-accessibility-strict> include <abstractions/dbus-accessibility-strict>
include <abstractions/gvfs-open> include <abstractions/gvfs-open>
@{exec_path} mr, @{exec_path} mr,
@{bin}/gsettings rPx, @{bin}/gsettings rPx,
@{bin}/pcmanfm-qt rPx,
owner @{user_config_dirs}/lxqt/** rwkl -> @{user_config_dirs}/lxqt/#@{int}, owner @{user_config_dirs}/lxqt/** rwkl -> @{user_config_dirs}/lxqt/#@{int},
owner @{user_config_dirs}/pcmanfm-qt/lxqt/settings.conf r, owner @{user_config_dirs}/pcmanfm-qt/lxqt/settings.conf r,

9
apparmor.d/groups/lxqt/lxqt-config-brightness
View file

@ -8,7 +8,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = @{bin}/lxqt-config-brightness @{exec_path} = @{bin}/lxqt-config-brightness
profile lxqt-config-brightness @{exec_path} flags=(complain) { profile lxqt-config-brightness @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/gtk> include <abstractions/gtk>
include <abstractions/video> include <abstractions/video>
@ -18,7 +18,8 @@ profile lxqt-config-brightness @{exec_path} flags=(complain) {
include <abstractions/dbus-accessibility-strict> include <abstractions/dbus-accessibility-strict>
include <abstractions/gvfs-open> include <abstractions/gvfs-open>
@{exec_path} mr, @{exec_path} mr,
@{bin}/pkexec rpx,
@{sh_path} rix, @{sh_path} rix,
@ -27,8 +28,8 @@ profile lxqt-config-brightness @{exec_path} flags=(complain) {
owner /tmp/{,**} r, owner /tmp/{,**} r,
@{sys}/class/backlight/ r, @{sys}/class/backlight/ r,
@{sys}/devices/@{pci_bus}/{,**} r, @{sys}/devices/@{pci_bus}/**/**/drm/card@{int}/card@{int}-eDP-@{int}/amdgpu_bl@{int}/* rw,
@{sys}/devices/@{pci_bus}/**/**/** r, @{sys}/devices/@{pci_bus}/**/drm/card@{int}/card@{int}-eDP-@{int}/intel_backlight/* rw,
/dev/tty rw, /dev/tty rw,

11
apparmor.d/groups/lxqt/lxqt-config-file-associations
View file

@ -8,7 +8,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = @{bin}/lxqt-config-file-associations @{exec_path} = @{bin}/lxqt-config-file-associations
profile lxqt-config-file-associations @{exec_path} flags=(complain) { profile lxqt-config-file-associations @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/gtk> include <abstractions/gtk>
include <abstractions/video> include <abstractions/video>
@ -18,17 +18,18 @@ profile lxqt-config-file-associations @{exec_path} flags=(complain) {
include <abstractions/dbus-accessibility-strict> include <abstractions/dbus-accessibility-strict>
include <abstractions/gvfs-open> include <abstractions/gvfs-open>
@{exec_path} mr, @{exec_path} mr,
owner @{user_config_dirs}/lxqt/** rwkl -> @{user_config_dirs}/lxqt/#@{int}, owner @{user_config_dirs}/ r,
owner @{user_config_dirs}/mimeapps* rwk, owner @{user_config_dirs}/mimeapps* rwk,
owner @{user_config_dirs}/lxqt-* rwk, owner @{user_config_dirs}/lxqt-* rwk,
owner @{user_config_dirs}/lxqt/** rwkl -> @{user_config_dirs}/lxqt/#@{int},
owner /tmp/#@{int} rwk, owner /tmp/#@{int} rwk,
@{PROC}/sys/kernel/random/boot_id r, @{PROC}/sys/kernel/random/boot_id r,
/dev/tty rw, /dev/tty rw,
include if exists <local/lxqt-config-file-associations> include if exists <local/lxqt-config-file-associations>
} }

6
apparmor.d/groups/lxqt/lxqt-config-globalkeyshortcuts
View file

@ -8,7 +8,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = @{bin}/lxqt-config-globalkeyshortcuts @{exec_path} = @{bin}/lxqt-config-globalkeyshortcuts
profile lxqt-config-globalkeyshortcuts @{exec_path} flags=(complain) { profile lxqt-config-globalkeyshortcuts @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/gtk> include <abstractions/gtk>
include <abstractions/graphics> include <abstractions/graphics>
@ -18,8 +18,8 @@ profile lxqt-config-globalkeyshortcuts @{exec_path} flags=(complain) {
include <abstractions/dbus-session-strict> include <abstractions/dbus-session-strict>
include <abstractions/dbus-accessibility-strict> include <abstractions/dbus-accessibility-strict>
include <abstractions/gvfs-open> include <abstractions/gvfs-open>
@{exec_path} mr, @{exec_path} mr,
owner @{user_config_dirs}/lxqt/** rwkl -> @{user_config_dirs}/lxqt/#@{int}, owner @{user_config_dirs}/lxqt/** rwkl -> @{user_config_dirs}/lxqt/#@{int},

37
apparmor.d/groups/lxqt/lxqt-config-input
View file

@ -8,7 +8,8 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = @{bin}/lxqt-config-input @{exec_path} = @{bin}/lxqt-config-input
profile lxqt-config-input @{exec_path} flags=(complain) { profile lxqt-config-input @{exec_path} {
include <abstractions/audio-client>
include <abstractions/base> include <abstractions/base>
include <abstractions/bus-system> include <abstractions/bus-system>
include <abstractions/bus/org.bluez> include <abstractions/bus/org.bluez>
@ -17,29 +18,45 @@ profile lxqt-config-input @{exec_path} flags=(complain) {
include <abstractions/dbus-session-strict> include <abstractions/dbus-session-strict>
include <abstractions/dbus-accessibility-strict> include <abstractions/dbus-accessibility-strict>
include <abstractions/gtk> include <abstractions/gtk>
include <abstractions/graphics>
include <abstractions/gvfs-open> include <abstractions/gvfs-open>
include <abstractions/lxqt> include <abstractions/lxqt>
include <abstractions/qt5-shader-cache> include <abstractions/qt5-shader-cache>
include <abstractions/video> include <abstractions/video>
@{exec_path} mr,
@{exec_path} mr,
@{bin}/setxkbmap rix, @{bin}/setxkbmap rix,
/etc/udev/udev.conf r,
owner @{user_config_dirs}/lxqt/** rwkl -> @{user_config_dirs}/lxqt/#@{int}, owner @{user_config_dirs}/lxqt/** rwkl -> @{user_config_dirs}/lxqt/#@{int},
owner /tmp/@{int} r, owner /tmp/@{int} r,
# There are hundreds of files to be accessed - Question: better to deny the few not to be accessed?? @{run}/udev/data/c@{int}:* r,
@{run}/udev/data/** r, @{run}/udev/data/b@{int}:* r,
@{sys}/devices/** r, @{run}/udev/data/+sound:card@{int} r,
@{sys}/class/** r, @{run}/udev/data/+bluetooth:* r,
@{sys}/bus/** r, @{run}/udev/data/+platform:* r,
@{sys}/devices/** r, @{run}/udev/data/+acpi:* r,
@{run}/udev/data/+i2c:* r,
@{run}/udev/data/+backlight:* r,
@{run}/udev/data/+leds:* r,
@{run}/udev/data/n@{int} r,
@{run}/udev/data/+input:* r,
@{run}/udev/data/+dmi:* r,
@{run}/udev/data/+drm:* r,
@{run}/udev/data/+pci:* r,
@{run}/udev/data/+rfkill:* r,
@{sys}/bus/** r,
@{sys}/class/** r,
@{sys}/devices/** r,
@{PROC}/sys/kernel/random/boot_id r, @{PROC}/sys/kernel/random/boot_id r,
/dev/tty rw, /dev/tty rw,
include if exists <local/lxqt-config-input> include if exists <local/lxqt-config-input>

2
apparmor.d/groups/lxqt/lxqt-config-locale
View file

@ -8,7 +8,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = @{bin}/lxqt-config-locale @{exec_path} = @{bin}/lxqt-config-locale
profile lxqt-config-locale @{exec_path} flags=(complain) { profile lxqt-config-locale @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/gtk> include <abstractions/gtk>
include <abstractions/video> include <abstractions/video>

3
apparmor.d/groups/lxqt/lxqt-config-monitor
View file

@ -8,7 +8,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = @{bin}/lxqt-config-monitor @{exec_path} = @{bin}/lxqt-config-monitor
profile lxqt-config-monitor @{exec_path} flags=(complain) { profile lxqt-config-monitor @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/gtk> include <abstractions/gtk>
include <abstractions/video> include <abstractions/video>
@ -18,6 +18,7 @@ profile lxqt-config-monitor @{exec_path} flags=(complain) {
include <abstractions/dbus-accessibility-strict> include <abstractions/dbus-accessibility-strict>
include <abstractions/gvfs-open> include <abstractions/gvfs-open>
@{exec_path} mr, @{exec_path} mr,
owner /tmp/@{int} r, owner /tmp/@{int} r,

20
apparmor.d/groups/lxqt/lxqt-config-notificationd
View file

@ -8,23 +8,25 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = @{bin}/lxqt-config-notificationd @{exec_path} = @{bin}/lxqt-config-notificationd
profile lxqt-config-notificationd @{exec_path} flags=(complain) { profile lxqt-config-notificationd @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/gtk include <abstractions/fonts>
include <abstractions/graphics> include <abstractions/qt5>
include <abstractions/video>
include <abstractions/lxqt> include <abstractions/lxqt>
include <abstractions/qt5-shader-cache> include <abstractions/fontconfig-cache-read>
include <abstractions/dbus-session-strict> include <abstractions/graphics>
include <abstractions/dbus-accessibility-strict> include <abstractions/mesa>
include <abstractions/gvfs-open>
@{exec_path} mr, @{exec_path} mr,
/etc/machine-id r,
/var/lib/dbus/machine-id r,
owner @{user_config_dirs}/lxqt/ r, owner @{user_config_dirs}/lxqt/ r,
owner @{user_config_dirs}/lxqt/** rwkl -> @{user_config_dirs}/lxqt/#@{int}, owner @{user_config_dirs}/lxqt/** rwkl -> @{user_config_dirs}/lxqt/#@{int},
owner /tmp/{,**} r, owner /tmp/#@{int} r,
@{PROC}/sys/kernel/random/boot_id r, @{PROC}/sys/kernel/random/boot_id r,

5
apparmor.d/groups/lxqt/lxqt-config-powermanagement
View file

@ -8,7 +8,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = @{bin}/lxqt-config-powermanagement @{exec_path} = @{bin}/lxqt-config-powermanagement
profile lxqt-config-powermanagement @{exec_path} flags=(complain) { profile lxqt-config-powermanagement @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/bus-system> include <abstractions/bus-system>
include <abstractions/gtk> include <abstractions/gtk>
@ -26,10 +26,13 @@ profile lxqt-config-powermanagement @{exec_path} flags=(complain) {
owner /tmp/@{int} r, owner /tmp/@{int} r,
@{sys}/class/backlight/ r, @{sys}/class/backlight/ r,
@{sys}/devices/@{pci_bus}/**/drm/card@{int}/card@{int}-eDP-@{int}/intel_backlight/* rw,
@{sys}/devices/@{pci_bus}/0000:00:02.0/drm/card@{int}/card@{int}-eDP-@{int}/intel_backlight/ r, @{sys}/devices/@{pci_bus}/0000:00:02.0/drm/card@{int}/card@{int}-eDP-@{int}/intel_backlight/ r,
@{sys}/devices/@{pci_bus}/0000:00:02.0/drm/card@{int}/card@{int}-eDP-@{int}/intel_backlight/max_brightness r, @{sys}/devices/@{pci_bus}/0000:00:02.0/drm/card@{int}/card@{int}-eDP-@{int}/intel_backlight/max_brightness r,
@{sys}/devices/@{pci_bus}/0000:00:02.0/drm/card@{int}/card@{int}-eDP-@{int}/intel_backlight/bl_power r, @{sys}/devices/@{pci_bus}/0000:00:02.0/drm/card@{int}/card@{int}-eDP-@{int}/intel_backlight/bl_power r,
@{sys}/devices/@{pci_bus}/0000:00:02.0/drm/card@{int}/card@{int}-eDP-@{int}/intel_backlight/actual_brightness r, @{sys}/devices/@{pci_bus}/0000:00:02.0/drm/card@{int}/card@{int}-eDP-@{int}/intel_backlight/actual_brightness r,
@{sys}/devices/@{pci_bus}/**/**/drm/card@{int}/card@{int}-eDP-1/amdgpu_bl@{int}/* r,
@{PROC}/sys/kernel/random/boot_id r, @{PROC}/sys/kernel/random/boot_id r,

4
apparmor.d/groups/lxqt/lxqt-config-printer
View file

@ -8,7 +8,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = @{bin}/lxqt-config-printer @{exec_path} = @{bin}/lxqt-config-printer
profile lxqt-config-printer @{exec_path} flags=(complain) { profile lxqt-config-printer @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/gtk> include <abstractions/gtk>
include <abstractions/video> include <abstractions/video>
@ -18,7 +18,7 @@ profile lxqt-config-printer @{exec_path} flags=(complain) {
include <abstractions/dbus-accessibility-strict> include <abstractions/dbus-accessibility-strict>
include <abstractions/gvfs-open> include <abstractions/gvfs-open>
@{exec_path} mr, @{exec_path} mr,
owner /tmp/@{int} r, owner /tmp/@{int} r,

28
apparmor.d/groups/lxqt/lxqt-config-session
View file

@ -8,33 +8,43 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = @{bin}/lxqt-config-session @{exec_path} = @{bin}/lxqt-config-session
profile lxqt-config-session @{exec_path} flags=(complain) { profile lxqt-config-session @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/gtk> include <abstractions/gtk>
include <abstractions/graphics> include <abstractions/graphics>
include <abstractions/video> include <abstractions/video>
include <abstractions/lxqt> include <abstractions/lxqt>
include <abstractions/qt5>
include <abstractions/qt5-shader-cache> include <abstractions/qt5-shader-cache>
include <abstractions/dbus-session-strict> include <abstractions/dbus-session-strict>
include <abstractions/dbus-accessibility-strict> include <abstractions/dbus-accessibility-strict>
include <abstractions/gvfs-open> include <abstractions/gvfs-open>
include <abstractions/thumbnails-cache-read>
include <abstractions/thumbnails-cache-write>
@{exec_path} mr, @{exec_path} mr,
/etc/xdg/autostart/ r, /usr/share/libfm-qt6/translations/libfm-qt_de.qm r,
/etc/xdg/autostart/** r, /usr/share/gvfs/remote-volume-monitors/ r,
/usr/share/gvfs/remote-volume-monitors/udisks2.monitor r,
/etc/fstab r,
/etc/xdg/autostart/ r,
/etc/xdg/autostart/** r,
owner @{user_config_dirs}/autostart/ r, owner @{user_config_dirs}/#@{int} rw,
owner @{user_config_dirs}/QtProject.conf.@{rand6} rwkl,
owner @{user_config_dirs}/QtProject.conf.lock rwk,
owner @{user_config_dirs}/autostart/ r,
owner @{user_config_dirs}/autostart/lxqt-config-monitor-autostart.desktop r, owner @{user_config_dirs}/autostart/lxqt-config-monitor-autostart.desktop r,
owner @{user_config_dirs}/lxqt/** rwkl -> @{user_config_dirs}/lxqt/#@{int}, owner @{user_config_dirs}/lxqt/** rwkl -> @{user_config_dirs}/lxqt/#@{int},
owner /tmp/@{int} r, owner /tmp/@{int} r,
@{sys}/devices/@{pci_bus}/{,**} r,
@{sys}/devices/@{pci_bus}/**/**/** r,
@{PROC}/sys/kernel/random/boot_id r, @{PROC}/sys/kernel/random/boot_id r,
owner @{PROC}/@{pid}/mountinfo r,
/dev/tty rw, /dev/tty rw,
include if exists <local/lxqt-config-session>
} }

9
apparmor.d/groups/lxqt/lxqt-globalkeysd
View file

@ -18,11 +18,9 @@ profile lxqt-globalkeysd @{exec_path} {
include <abstractions/dbus-accessibility> include <abstractions/dbus-accessibility>
include <abstractions/gvfs-open> include <abstractions/gvfs-open>
signal (receive) set=(kill, term) peer=lxqt-session,
@{exec_path} mr, @{exec_path} mr,
@{bin}/screengrab rpx, @{bin}/screengrab rpx,
@{bin}/lxqt-config-brightness rpx, @{bin}/lxqt-config-brightness rpx,
/usr/share/lxqt/globalkeyshortcuts.conf rw, /usr/share/lxqt/globalkeyshortcuts.conf rw,
@ -32,13 +30,12 @@ profile lxqt-globalkeysd @{exec_path} {
owner @{user_config_dirs}/lxqt/* rwk, owner @{user_config_dirs}/lxqt/* rwk,
owner @{user_config_dirs}/lxqt/globalkeyshortcuts.conf.lock wrk, owner @{user_config_dirs}/lxqt/globalkeyshortcuts.conf.lock wrk,
owner @{user_config_dirs}/lxqt/#@{int} wr, owner @{user_config_dirs}/lxqt/#@{int} wr,
owner @{user_config_dirs}/lxqt/globalkeyshortcuts.conf.@{rand6} rwkl -> @{user_config_dirs}/lxqt/#@{int},
owner @{user_config_dirs}/lxqt/globalkeyshortcuts.conf.@{rand6} rwl -> @{user_config_dirs}/lxqt/#@{int},
owner @{user_config_dirs}/lxqt/globalkeyshortcuts.conf.@{rand6} rw, owner @{user_config_dirs}/lxqt/globalkeyshortcuts.conf.@{rand6} rw,
owner @{user_config_dirs}/lxqt/** rwkl -> @{user_config_dirs}/lxqt/#@{int},
/dev/tty rw, /dev/tty rw,
owner /tmp/{,**} r, owner /tmp/@{int} r,
@{PROC}/sys/kernel/random/boot_id r, @{PROC}/sys/kernel/random/boot_id r,

6
apparmor.d/groups/lxqt/lxqt-leave
View file

@ -8,7 +8,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = @{bin}/lxqt-leave @{exec_path} = @{bin}/lxqt-leave
profile lxqt-leave @{exec_path} flags=(complain) { profile lxqt-leave @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/gtk> include <abstractions/gtk>
include <abstractions/graphics> include <abstractions/graphics>
@ -19,11 +19,9 @@ profile lxqt-leave @{exec_path} flags=(complain) {
include <abstractions/dbus-accessibility-strict> include <abstractions/dbus-accessibility-strict>
include <abstractions/gvfs-open> include <abstractions/gvfs-open>
signal (receive) set=(term) peer=lxqt-session,
@{exec_path} mr, @{exec_path} mr,
owner /tmp/{,**} r, owner /tmp/@{int} r,
/dev/tty rw, /dev/tty rw,

52
apparmor.d/groups/lxqt/lxqt-notificationd
View file

@ -7,22 +7,17 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = @{bin}/lxqt-session @{exec_path} = @{bin}/lxqt-notificationd
profile lxqt-notificationd @{exec_path} flags=(complain) { profile lxqt-notificationd @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/fonts> include <abstractions/gtk>
include <abstractions/qt5>
include <abstractions/lxqt>
include <abstractions/fontconfig-cache-read>
include <abstractions/graphics> include <abstractions/graphics>
include <abstractions/mesa> include <abstractions/lxqt>
include <abstractions/video>
# TODO: local only include <abstractions/qt5-shader-cache>
network inet dgram, include <abstractions/dbus-session>
network inet stream, include <abstractions/dbus-accessibility>
network inet6 dgram, include <abstractions/gvfs-open>
network inet6 stream,
network netlink raw,
dbus receive dbus receive
bus=session bus=session
@ -39,32 +34,25 @@ profile lxqt-notificationd @{exec_path} flags=(complain) {
path="/org/freedesktop/Notifications" path="/org/freedesktop/Notifications"
interface="org.freedesktop.Notifications" interface="org.freedesktop.Notifications"
peer=(name=":[0-9]*.[0-9]*"), peer=(name=":[0-9]*.[0-9]*"),
@{exec_path} mr,
@{bin}/xrdb rPx,
## @{bin}/dbus-update-activation-environment rix, this should not be set here
/usr/share/lxqt/power.conf r,
/etc/nsswitch.conf r,
/var/lib/dpkg/info/lxqt-notifications.conffiles r, @{exec_path} mr,
owner @{user_cache_dirs}/lxqt-notificationd/** rwk, /etc/nsswitch.conf r,
owner @{user_cache_dirs}/lxqt-notificationd/#@{int} rw,
/var/lib/dpkg/info/lxqt-notifications.conffiles r,
owner @{user_cache_dirs}/lxqt-notificationd/** rwk,
owner @{user_cache_dirs}/lxqt-notificationd/#@{int} rw,
owner @{user_cache_dirs}/lxqt-notificationd/unattended.list.@{rand6} rwkl -> @{user_cache_dirs}/lxqt-notificationd/#@{int}, owner @{user_cache_dirs}/lxqt-notificationd/unattended.list.@{rand6} rwkl -> @{user_cache_dirs}/lxqt-notificationd/#@{int},
owner @{user_cache_dirs}/mesa_shader_cache/index rwk,
owner @{user_config_dirs}/lxqt/globalkeyshortcuts.conf.@{rand6} rwkl -> @{user_config_dirs}/lxqt/#@{int}, owner @{user_config_dirs}/lxqt/globalkeyshortcuts.conf.@{rand6} rwkl -> @{user_config_dirs}/lxqt/#@{int},
owner @{user_config_dirs}/lxqt/power.conf r,
# useless :
@{run}/systemd/inhibit/2.ref rw,
@{PROC}/sys/kernel/random/boot_id r,
owner /tmp/{,**} r, owner /tmp/{,**} r,
@{PROC}/sys/kernel/random/boot_id r,
/dev/tty rw, /dev/tty rw,
include if exists <local/lxqt-notificationd> include if exists <local/lxqt-notificationd>
} }

8
apparmor.d/groups/lxqt/lxqt-openssh-askpass
View file

@ -8,7 +8,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = @{bin}/lxqt-openssh-askpass @{exec_path} = @{bin}/lxqt-openssh-askpass
profile lxqt-openssh-askpass @{exec_path} flags=(complain) { profile lxqt-openssh-askpass @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/gtk> include <abstractions/gtk>
include <abstractions/video> include <abstractions/video>
@ -18,11 +18,11 @@ profile lxqt-openssh-askpass @{exec_path} flags=(complain) {
include <abstractions/dbus-accessibility-strict> include <abstractions/dbus-accessibility-strict>
include <abstractions/gvfs-open> include <abstractions/gvfs-open>
@{exec_path} mr, @{exec_path} mr,
owner /tmp/{,**} r, owner /tmp/@{int} r,
/dev/tty rw, /dev/tty rw,
include if exists <local/lxqt-openssh-askpass> include if exists <local/lxqt-openssh-askpass>
} }

15
apparmor.d/groups/lxqt/lxqt-panel
View file

@ -8,7 +8,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = @{bin}/lxqt-panel @{exec_path} = @{bin}/lxqt-panel
profile lxqt-panel @{exec_path} flags=(complain) { profile lxqt-panel @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/app-launcher-user> include <abstractions/app-launcher-user>
include <abstractions/audio-client> include <abstractions/audio-client>
@ -17,7 +17,7 @@ profile lxqt-panel @{exec_path} flags=(complain) {
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
network inet dgram, network inet dgram,
network inet stream, ` network inet stream,
network inet6 dgram, network inet6 dgram,
network inet6 stream, network inet6 stream,
network inet dgram, network inet dgram,
@ -25,7 +25,7 @@ profile lxqt-panel @{exec_path} flags=(complain) {
network netlink raw, network netlink raw,
network packet dgram, network packet dgram,
@{exec_path} mr, @{exec_path} mr,
@{bin}/exo-open rix, @{bin}/exo-open rix,
@{bin}/nm-connection-editor rPx, @{bin}/nm-connection-editor rPx,
@ -43,12 +43,15 @@ profile lxqt-panel @{exec_path} flags=(complain) {
/usr/share/lxqt/themes/{,**} r, /usr/share/lxqt/themes/{,**} r,
/etc/fstab r, /etc/fstab r,
/etc/udev/udev.conf r,
/etc/machine-id r, /etc/machine-id r,
/etc/xdg/lxqt-qtxdg.conf r, /etc/xdg/lxqt-qtxdg.conf r,
/etc/xdg/menus/**.menu r, /etc/xdg/menus/**.menu r,
/etc/xdg/menus/applications-merged/ r, /etc/xdg/menus/applications-merged/ r,
/etc/xdg/ui/uistandards.rc r, /etc/xdg/ui/uistandards.rc r,
/var/lib/dbus/machine-id r,
owner @{HOME}/.config/menus/**.menu rw, owner @{HOME}/.config/menus/**.menu rw,
owner @{HOME}/.config/menus/applications-merged/ r, owner @{HOME}/.config/menus/applications-merged/ r,
owner @{HOME}/Desktop/** r, owner @{HOME}/Desktop/** r,
@ -62,11 +65,12 @@ profile lxqt-panel @{exec_path} flags=(complain) {
owner @{user_config_dirs}/lxqt/globalkeyshortcuts.conf.@{rand6} rwk, owner @{user_config_dirs}/lxqt/globalkeyshortcuts.conf.@{rand6} rwk,
owner @{user_config_dirs}/ibus/bus/{,**} rw, owner @{user_config_dirs}/ibus/bus/{,**} rw,
@{run}/udev/data/* r, @{run}/udev/data/* r,
@{sys}/class/i2c-adapter/ r, @{sys}/class/i2c-adapter/ r,
@{sys}/devices/@{pci_bus}/0000:00:*.0/ata@{int}/host@{int}/**/**/**/**/**/* r, @{sys}/devices/@{pci_bus}/0000:00:*/ata@{int}/host@{int}/**/**/**/**/**/* r,
@{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_{cur,min,max}_freq r, @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_{cur,min,max}_freq r,
@{sys}/devices/@{pci_bus}/**/**/nvme/nvme0/nvme0n1/nvme0n1p4/uevent r,
@{PROC}/@{pid}/fd/ r, @{PROC}/@{pid}/fd/ r,
@{PROC}/@{pid}/net/dev r, @{PROC}/@{pid}/net/dev r,
@ -79,4 +83,3 @@ profile lxqt-panel @{exec_path} flags=(complain) {
include if exists <local/lxqt-panel> include if exists <local/lxqt-panel>
} }

25
apparmor.d/groups/lxqt/lxqt-policykit-agent
View file

@ -9,7 +9,7 @@ include <tunables/global>
@{exec_path} = @{lib}/@{multiarch}/lxqt-policykit-agent-[0-9] @{exec_path} = @{lib}/@{multiarch}/lxqt-policykit-agent-[0-9]
@{exec_path} += @{bin}/lxqt-policykit-agent @{exec_path} += @{bin}/lxqt-policykit-agent
profile lxqt-policykit-agent @{exec_path} flags=(complain) { profile lxqt-policykit-agent @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>
include <abstractions/dri-enumerate> include <abstractions/dri-enumerate>
@ -21,35 +21,34 @@ profile lxqt-policykit-agent @{exec_path} flags=(complain) {
include <abstractions/vulkan> include <abstractions/vulkan>
signal (send) set=(term, kill) peer=polkit-agent-helper, signal (send) set=(term, kill) peer=polkit-agent-helper,
signal (receive) set=(kill, term) peer=lxqt-session,
@{exec_path} mr, @{exec_path} mr,
@{lib}/polkit-[0-9]/polkit-agent-helper-[0-9] rPx, @{lib}/polkit-[0-9]/polkit-agent-helper-[0-9] rPx,
/usr/share/lxqt/translations/lxqt-policykit-agent/lxqt-policykit-agent_de.qm r, /usr/share/lxqt/translations/lxqt-policykit-agent/lxqt-policykit-agent_de.qm r,
/etc/machine-id r, /etc/machine-id r,
/var/lib/dbus/machine-id r, /var/lib/dbus/machine-id r,
owner @{user_cache_dirs}/icon-cache.kcache rw, owner @{user_cache_dirs}/icon-cache.kcache rw,
owner @{user_config_dirs}/qt5ct/{,**} r, owner @{user_config_dirs}/qt5ct/{,**} r,
owner /tmp/#@{int} rw, owner /tmp/#@{int} rw,
owner /tmp/lxqt-policykit-agent-[0-9].* rwl -> /tmp/#@{int}, owner /tmp/lxqt-policykit-agent-[0-9].* rwl -> /tmp/#@{int},
@{run}/systemd/users/@{uid} r, @{run}/systemd/users/@{uid} r,
@{sys}/devices/system/node/ r, @{sys}/devices/system/node/ r,
@{sys}/devices/system/node/node@{int}/meminfo r, @{sys}/devices/system/node/node@{int}/meminfo r,
@{PROC}/@{pid}/cgroup r, @{PROC}/@{pid}/cgroup r,
@{PROC}/@{pid}/cmdline r, @{PROC}/@{pid}/cmdline r,
@{PROC}/@{pid}/fd/ r, @{PROC}/@{pid}/fd/ r,
@{PROC}/sys/kernel/core_pattern r, @{PROC}/sys/kernel/core_pattern r,
/dev/shm/#@{int} rw, /dev/shm/#@{int} rw,
include if exists <local/lxqt-policykit-agent> include if exists <local/lxqt-policykit-agent>
} }

36
apparmor.d/groups/lxqt/lxqt-powermanagement Normal file
View file

@ -0,0 +1,36 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
# Copyright (C) 2024 Besanon <m231009ts@mailfence.com>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = @{bin}/lxqt-powermanagement
profile lxqt-powermanagement @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/gtk>
include <abstractions/video>
include <abstractions/lxqt>
include <abstractions/qt5-shader-cache>
include <abstractions/nameservice-strict>
include <abstractions/gvfs-open>
@{exec_path} mr,
@{bin}/xset rPx,
/etc/udev/udev.conf r,
/etc/fstab r,
owner /tmp/@{int} r,
@{run}/systemd/inhibit/* rw,
owner @{PROC}/@{pid}/mounts r,
/dev/tty rw,
include if exists <local/lxqt-powermangement>
}

8
apparmor.d/groups/lxqt/lxqt-runner
View file

@ -8,7 +8,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = @{bin}/lxqt-runner @{exec_path} = @{bin}/lxqt-runner
profile lxqt-runner @{exec_path} flags=(complain) { profile lxqt-runner @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/gtk> include <abstractions/gtk>
include <abstractions/video> include <abstractions/video>
@ -17,7 +17,7 @@ profile lxqt-runner @{exec_path} flags=(complain) {
include <abstractions/dbus-accessibility-strict> include <abstractions/dbus-accessibility-strict>
include <abstractions/gvfs-open> include <abstractions/gvfs-open>
@{exec_path} mr, @{exec_path} mr,
/usr/share/icons/ r, /usr/share/icons/ r,
/usr/share/icons/{,**} r, /usr/share/icons/{,**} r,
@ -31,9 +31,9 @@ profile lxqt-runner @{exec_path} flags=(complain) {
owner @{user_config_dirs}/lxqt/lxqt-runner.conf.@{rand6} rwkl -> @{user_config_dirs}/lxqt/#@{int}, owner @{user_config_dirs}/lxqt/lxqt-runner.conf.@{rand6} rwkl -> @{user_config_dirs}/lxqt/#@{int},
# only needed if tor is installed on /opt # only needed if tor is installed on /opt
owner /opt/*/**/*.png r, owner /opt/*/**/*.png r,
owner /tmp/{,**} r, owner /tmp/@{int} r,
/dev/tty rw, /dev/tty rw,

129
apparmor.d/groups/lxqt/lxqt-session
View file

@ -7,51 +7,73 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = @{bin}/lxqt-session @{exec_path} = @{bin}/lxqt-session
profile lxqt-session /bin/lxqt-session flags=(attach_disconnected, complain) { profile lxqt-session @{exec_path} flags=(attach_disconnected) {
include <abstractions/app-open>
include <abstractions/base> include <abstractions/base>
include <abstractions/app-launcher-user> include <abstractions/bus/org.freedesktop.NetworkManager>
include <abstractions/bus/org.freedesktop.UPower>
include <abstractions/consoles>
include <abstractions/dconf-write>
include <abstractions/gtk>
include <abstractions/graphics> include <abstractions/graphics>
include <abstractions/dbus-session-strict>
include <abstractions/nameservice-strict>
include <abstractions/lxqt> include <abstractions/lxqt>
include <abstractions/video>
include <abstractions/qt5-shader-cache>
include <abstractions/nameservice-strict>
include <abstractions/dbus-session>
include <abstractions/dbus-accessibility>
include <abstractions/gvfs-open>
include <abstractions/recent-documents-write>
include <abstractions/ssl_certs>
include <abstractions/thumbnails-cache-read>
signal (receive) set=(term) peer=sddm,
signal (send), signal (send),
signal (receive) set=(kill, term) peer=startlxqt,
signal (receive) set=(kill, term) peer=sddm,
dbus receive ptrace (read),
bus=session
path="/org/freedesktop/Notifications"
interface="org.freedesktop.DBus.Introspectable"
peer=(name=":[0-9]*.[0-9]*"),
dbus send
bus=session
path="/org/freedesktop/Notifications"
interface="org.freedesktop.Notifications"
peer=(name="org.freedesktop.DBus"),
dbus receive
bus=session
path="/org/freedesktop/Notifications"
interface="org.freedesktop.Notifications"
peer=(name=":[0-9]*.[0-9]*"),
# aa:dbus own bus=session name=org.freedesktop.Notifications network netlink raw,
@{exec_path} mr, @{exec_path} mr,
@{sh_path} rix, @{sh_path} rix,
@{bin}/sleep rix, @{bin}/sed rix,
@{bin}/readlink rix,
@{bin}/dirname rix,
@{bin}/system-config-printer-applet rPx,
@{bin}/lxqt-config-input rPx,
@{bin}/lxqt-session-settings rPx,
@{bin}/lxqt-globalkeysd rPx,
@{bin}/lxqt-panel rPx,
@{bin}/lxqt-policykit-agent rPx,
@{bin}/lxqt-runner rPx,
@{bin}/lxqt-notificationd rPx,
@{bin}/lxqt-powermanagement rPx,
@{bin}/lxqt-config rPx,
@{bin}/lxqt-leave rPx,
@{bin}/lxqt-about rPx,
@{bin}/dbus-send rPUx,
@{bin}/dbus-update-activation-environment rCx -> dbus,
@{bin}/systemctl rCx -> systemctl,
@{bin}/dbus-update-activation-environment rcx -> dbus, @{bin}/pavucontrol rPx,
@{bin}/systemctl rcx -> systemctl, @{bin}/python3.@{int} rPx,
@{lib}/geoclue-2.0/demos/agent rpux, @{lib}/python3.@{int} rPx,
@{lib}/legacy-dist/deprecation-popup rpux, @{bin}/xfe rPx,
@{lib}/@{multiarch}/lxqt-policykit-agent-[0-9] Px, @{bin}/nm-connection-editor rPx,
@{bin}/nm-applet rPx,
@{bin}/nm-tray rPx,
@{bin}/pcmanfm-qt rPx,
@{bin}/openbox rix,
@{bin}/dconf-editor rPx,
@{bin}/setxkbmap rix,
@{bin}/start-pulseaudio-x11 rPx,
@{bin}/xrdb rPx,
@{bin}/xdg-user-dirs-update rPx,
/usr/lib/{/,x86_64-linux-gnu/}tumbler-1/tumblerd rPx,
/etc/xdg/ r,
/etc/xdg/autostart/{,*} r,
/etc/xdg/menus/lxqt-* r,
/etc/xdg/openbox/* r,
/usr/share/ r, /usr/share/ r,
/usr/share/mime/ r, /usr/share/mime/ r,
/usr/share/cursors/ r, /usr/share/cursors/ r,
@ -59,34 +81,40 @@ profile lxqt-session /bin/lxqt-session flags=(attach_disconnected, complain) {
/usr/share/desktop-directories/* r, /usr/share/desktop-directories/* r,
/usr/share/system-config-printer/* r, /usr/share/system-config-printer/* r,
/etc/xdg/ r,
/etc/xdg/autostart/ r,
/etc/xdg/autostart/*.desktop r,
/etc/xdg/menus/lxqt-* r,
/etc/xdg/openbox/* r,
/etc/udev/udev.conf r,
owner @{HOME}/.local/share/ r, owner @{HOME}/.local/share/ r,
owner @{HOME}/.config/ r, owner @{HOME}/.config/ r,
owner @{HOME}/.config/autostart/ r, owner @{HOME}/.config/autostart/ r,
owner @{HOME}/.config/autostart/* rw, owner @{HOME}/.config/autostart/* rw,
owner @{HOME}/.config/mimeapps.list* rw,
owner @{user_cache_dirs}/openbox/openbox.log rwk, owner @{user_cache_dirs}/openbox/openbox.log rwk,
owner @{user_config_dirs}/mimeapps.list{,.@{rand6}} rw,
owner @{user_config_dirs}/dconf/user r,
owner @{user_config_dirs}/openbox/rc.xml r,
owner @{user_share_dirs}/sddm/xorg-session.log rw,
owner @{user_config_dirs}/dconf/user r, @{PROC}/ r,
owner @{user_config_dirs}/openbox/rc.xml r, @{PROC}/uptime r,
@{PROC}/@{pid}/stat r,
owner @{PROC}/@{pid}/stat r,
owner @{user_share_dirs}/sddm/xorg-session.log rw, @{run}/systemd/inhibit/** rw,
@{sys}/devices/@{pci_bus}/** r, include if exists <local/lxqt-session>
@{run}/systemd/inhibit/* rw,
/dev/tty rw, profile systemctl {
/dev/tty[0-9]* rw,
/dev/pts/[0-9]* rw,
profile systemctl flags=(attach_disconnected, complain) {
include <abstractions/base> include <abstractions/base>
include <abstractions/app/systemctl> include <abstractions/app/systemctl>
include if exists <local/lxqt-session_systemctl>
} }
profile dbus flags=(attach_disconnected, complain) { profile dbus {
include <abstractions/base> include <abstractions/base>
include <abstractions/bus-session> include <abstractions/bus-session>
@ -94,9 +122,8 @@ profile lxqt-session /bin/lxqt-session flags=(attach_disconnected, complain) {
owner @{user_share_dirs}/sddm/xorg-session.log rw, owner @{user_share_dirs}/sddm/xorg-session.log rw,
include if exists <local/lxqt-session_dbus>
} }
include if exists <local/lxqt-session>
} }

2
apparmor.d/groups/lxqt/obconf-qt
View file

@ -35,7 +35,7 @@ profile obconf-qt @{exec_path} {
owner @{user_config_dirs}/openbox/rc.xml rw, owner @{user_config_dirs}/openbox/rc.xml rw,
owner @{user_config_dirs}/openbox/{,**} rw, owner @{user_config_dirs}/openbox/{,**} rw,
owner /tmp/{,**} r, owner /tmp/@{int} r,
owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/mounts r,

2
apparmor.d/groups/lxqt/pavucontrol-qt
View file

@ -43,4 +43,6 @@ profile pavucontrol-qt @{exec_path} flags=(complain) {
/dev/tty r, /dev/tty r,
owner /dev/tty@{int} rw, owner /dev/tty@{int} rw,
include if exists <local/pavucontrol-qt>
} }

2
apparmor.d/groups/lxqt/pcmanfm-qt
View file

@ -27,7 +27,7 @@ profile pcmanfm-qt @{exec_path} {
network inet stream, network inet stream,
network netlink raw, network netlink raw,
@{exec_path} mr, @{exec_pathj} mr,
/ r, / r,
/boot/ r, /boot/ r,

2
apparmor.d/groups/lxqt/screengrab
View file

@ -20,7 +20,7 @@ profile screengrab @{exec_path} {
include <abstractions/user-read-strict> include <abstractions/user-read-strict>
include <abstractions/thumbnails-cache-read> include <abstractions/thumbnails-cache-read>
@{exec_path} mr, @{exec_path} mr,
/etc/xdg/menus/lxqt-config.menu r, /etc/xdg/menus/lxqt-config.menu r,

88
apparmor.d/groups/lxqt/startlxqt Normal file
View file

@ -0,0 +1,88 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = @{bin}/startlxqt
profile startlxqt @{exec_path} {
include <abstractions/base>
include <abstractions/freedesktop.org>
include <abstractions/qt5>
include <abstractions/X-strict>
signal (receive) set=(term) peer=sddm,
@{exec_path} mr,
@{bin}/xrdb rPx,
@{bin}/xsetroot rPx,
@{bin}/xprop rpx,
@{bin}/mkdir rix,
@{bin}/dbus-launch rPx,
@{bin}/lxqt-session rPx,
@{sh_path} rix,
/usr/share/color-schemes/{,**} r,
/usr/share/desktop-directories/{,**} r,
/usr/share/icu/@{int}.@{int}/*.dat r,
/usr/share/knotifications5/{,**} r,
/usr/share/kservices5/{,**} r,
/usr/share/kservicetypes5/{,**} r,
/usr/share/mime/{,**} r,
/usr/share/plasma/{,**} r,
/etc/locale.alias r,
/etc/machine-id r,
/etc/xdg/kcminputrc r,
/etc/xdg/kdeglobals r,
/etc/xdg/menus/{,**} r,
@{HOME}/ r,
owner @{HOME}/.Xauthority r,
owner @{user_cache_dirs}/ rw,
owner @{user_cache_dirs}/#@{int} rw,
owner @{user_cache_dirs}/kcrash-metadata/ rw,
@{user_cache_dirs}/ksycoca5_* rwkl -> @{user_cache_dirs}/#@{int},
owner @{user_cache_dirs}/plasma-svgelements rw,
owner @{user_config_dirs}/#@{int} rw,
owner @{user_config_dirs}/gtkrc rl,
owner @{user_config_dirs}/gtkrc-2.0 rl,
owner @{user_config_dirs}/kcminputrc r,
owner @{user_config_dirs}/lxqt/ rw,
owner @{user_config_dirs}/lxqt/** rwkl -> @{user_config_dirs}/kdedefaults/**,
owner @{user_config_dirs}/kdeglobals.lock rwk,
owner @{user_config_dirs}/kdeglobals{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
owner @{user_config_dirs}/ksplashrc r,
owner @{user_config_dirs}/kwinkdeglobalsrc.lock rwk,
owner @{user_config_dirs}/menus/{,**} r,
owner @{user_config_dirs}/plasma-localerc rwl,
owner @{user_config_dirs}/plasma-localerc.lock rwk,
owner @{user_config_dirs}/plasma-workspace/env/ r,
owner @{user_config_dirs}/startkderc r,
owner @{user_config_dirs}/Trolltech.conf rwl,
owner @{user_config_dirs}/Trolltech.conf.lock rwk,
owner @{user_share_dirs}/kservices5/{,**} r,
owner @{user_share_dirs}/sddm/wayland-session.log rw,
owner @{user_share_dirs}/sddm/xorg-session.log rw,
owner /tmp/#@{int} rw,
owner /tmp/startlxqt.@{rand6} rwl -> /tmp/#@{int},
owner @{run}/user/@{uid}/ r,
@{run}/user/@{uid}/xauth_@{rand6} rl,
@{PROC}/sys/kernel/core_pattern r,
@{PROC}/sys/kernel/random/boot_id r,
owner @{PROC}/@{pid}/maps r,
/dev/tty rw,
/dev/tty@{int} rw,
include if exists <local/startlxqt>
}