diff --git a/apparmor.d/groups/lxqt/lxqt-notificationd b/apparmor.d/groups/lxqt/lxqt-notificationd
new file mode 100644
index 000000000..eeddd38ab
--- /dev/null
+++ b/apparmor.d/groups/lxqt/lxqt-notificationd
@@ -0,0 +1,70 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# Copyright (C) 2024 Besanon
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/lxqt-session
+profile lxqt-notificationd @{exec_path} flags=(complain) {
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+
+ # TODO: local only
+ network inet dgram,
+ network inet stream,
+ network inet6 dgram,
+ network inet6 stream,
+ network netlink raw,
+
+ dbus receive
+ bus=session
+ path="/org/freedesktop/Notifications"
+ interface="org.freedesktop.DBus.Introspectable"
+ peer=(name=":[0-9]*.[0-9]*"),
+ dbus send
+ bus=session
+ path="/org/freedesktop/Notifications"
+ interface="org.freedesktop.Notifications"
+ peer=(name="org.freedesktop.DBus"),
+ dbus receive
+ bus=session
+ path="/org/freedesktop/Notifications"
+ interface="org.freedesktop.Notifications"
+ peer=(name=":[0-9]*.[0-9]*"),
+
+ @{exec_path} mr,
+ @{bin}/xrdb rPx,
+## @{bin}/dbus-update-activation-environment rix, this should not be set here
+
+ /usr/share/lxqt/power.conf r,
+
+ /etc/nsswitch.conf r,
+
+ /var/lib/dpkg/info/lxqt-notifications.conffiles r,
+
+ owner @{user_cache_dirs}/lxqt-notificationd/** rwk,
+ owner @{user_cache_dirs}/lxqt-notificationd/#@{int} rw,
+ owner @{user_cache_dirs}/lxqt-notificationd/unattended.list.@{rand6} rwkl -> @{user_cache_dirs}/lxqt-notificationd/#@{int},
+
+ owner @{user_config_dirs}/lxqt/globalkeyshortcuts.conf.@{rand6} rwkl -> @{user_config_dirs}/lxqt/#@{int},
+ owner @{user_config_dirs}/lxqt/power.conf r,
+
+ # useless :
+ @{run}/systemd/inhibit/2.ref rw,
+
+ @{PROC}/sys/kernel/random/boot_id r,
+
+ owner /tmp/{,**} r,
+
+ /dev/tty rw,
+
+ include if exists
+}
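Review bot: The attachment path does not match the profile: `@{exec_path} = @{bin}/lxqt-session` makes a profile named lxqt-notificationd attach to the session binary, so the notification daemon itself would run unconfined (or collide with any existing lxqt-session profile) while lxqt-session inherits these rules; it should read `@{exec_path} = @{bin}/lxqt-notificationd`. The rule `@{run}/systemd/inhibit/2.ref rw,` hard-codes an inhibitor fd number that is not stable across sessions (the author's own "# useless :" comment suggests as much); if the access is needed at all it should be `@{run}/systemd/inhibit/@{int}.ref rw,`, otherwise drop it. `owner /tmp/{,**} r,` grants read access to every user-owned temporary file and directory, which is far wider than a notification daemon needs; narrow it to the paths actually observed in the logs or remove it. The `abi ,` and bare `include` lines appear to have lost their angle-bracket arguments in this rendering rather than in the commit, so I am not raising that here.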