Update various profiles
Signed-off-by: Jeroen Rijken <jeroen.rijken@xs4all.nl>
This commit is contained in:
Jeroen Rijken
Alex
parent
92a1d9f65f
commit
b532dd6827
47 changed files with 459 additions and 26 deletions
|
|
@ -29,6 +29,7 @@ profile dolphin @{exec_path} {
|
|||
@{bin}/ldd rix,
|
||||
@{lib}/kf5/kioslave5 rPx,
|
||||
@{lib}/@{multiarch}/kf5/kioslave5 rPx,
|
||||
@{lib}/@{multiarch}/libexec/kf5/kioslave5 rPx,
|
||||
|
||||
/usr/share/kf5/kmoretools/{,**} r,
|
||||
/usr/share/kio/{,**} r,
|
||||
|
|
|
|||
|
|
@ -9,6 +9,7 @@ include <tunables/global>
|
|||
@{exec_path} = @{bin}/kcminit
|
||||
profile kcminit @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/bus-session>
|
||||
include <abstractions/gtk>
|
||||
include <abstractions/kde-strict>
|
||||
|
||||
|
|
|
|||
|
|
@ -121,6 +121,7 @@ profile kded5 @{exec_path} {
|
|||
owner @{user_config_dirs}/libaccounts-glib/ rw,
|
||||
owner @{user_config_dirs}/libaccounts-glib/accounts.db{,-shm,-wal,-journal} rwk,
|
||||
owner @{user_config_dirs}/menus/{,**} r,
|
||||
owner @{user_config_dirs}/networkmanagement.notifyrc r,
|
||||
owner @{user_config_dirs}/plasma-nm r,
|
||||
owner @{user_config_dirs}/touchpadrc r,
|
||||
owner @{user_config_dirs}/xsettingsd/{,**} rw,
|
||||
|
|
@ -147,6 +148,7 @@ profile kded5 @{exec_path} {
|
|||
@{PROC}/ r,
|
||||
@{PROC}/@{pids}/cmdline/ r,
|
||||
@{PROC}/@{pids}/fd/ r,
|
||||
@{PROC}/@{pids}/fdinfo/@{int} r,
|
||||
@{PROC}/@{pids}/fd/info/@{int} r,
|
||||
@{PROC}/sys/fs/inotify/max_user_{instances,watches} r,
|
||||
@{PROC}/sys/kernel/core_pattern r,
|
||||
|
|
|
|||
|
|
@ -22,8 +22,9 @@ profile konsole @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
signal (send) set=(hup),
|
||||
|
||||
@{exec_path} mr,
|
||||
@{bin}/@{shells} rUx,
|
||||
@{exec_path} mr,
|
||||
@{bin}/@{shells} rUx,
|
||||
@{browsers_path} rPx,
|
||||
@{lib}/@{multiarch}/utempter/utempter rPUx,
|
||||
|
||||
/usr/share/color-schemes/{,**} r,
|
||||
|
|
|
|||
|
|
@ -11,6 +11,10 @@ include <tunables/global>
|
|||
@{exec_path} += @{lib}/@{multiarch}/libexec/kscreenlocker_greet
|
||||
profile kscreenlocker-greet @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/bus-session>
|
||||
include <abstractions/bus-system>
|
||||
include <abstractions/bus/org.freedesktop.login1>
|
||||
include <abstractions/bus/org.freedesktop.login1.Session>
|
||||
include <abstractions/bus/org.freedesktop.UPower>
|
||||
include <abstractions/fontconfig-cache-read>
|
||||
include <abstractions/graphics>
|
||||
|
|
@ -25,6 +29,13 @@ profile kscreenlocker-greet @{exec_path} {
|
|||
signal (receive) set=(usr1, term) peer=ksmserver,
|
||||
signal (receive) set=(term) peer=kwin_wayland,
|
||||
|
||||
unix (send,receive) type=stream peer=(label="ksmserver",addr=none),
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/DisplayManager/Seat@{int}
|
||||
interface=org.freedesktop.DBus.Introspectable
|
||||
member=Introspect
|
||||
peer=(name=:*, label=sddm),
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
@{lib}/libheif/ r,
|
||||
|
|
@ -57,6 +68,7 @@ profile kscreenlocker-greet @{exec_path} {
|
|||
|
||||
owner @{HOME}/.face.icon r,
|
||||
owner @{HOME}/.xsession-errors w,
|
||||
owner @{user_pictures_dirs}/{,**} r,
|
||||
|
||||
owner @{user_cache_dirs}/ rw,
|
||||
owner @{user_cache_dirs}/icon-cache.kcache rw,
|
||||
|
|
@ -85,6 +97,7 @@ profile kscreenlocker-greet @{exec_path} {
|
|||
@{sys}/devices/system/node/node@{int}/meminfo r,
|
||||
|
||||
@{PROC}/@{pid}/cmdline r,
|
||||
@{PROC}/@{pid}/fd/ r,
|
||||
@{PROC}/@{pid}/loginuid r,
|
||||
@{PROC}/@{pid}/mounts r,
|
||||
@{PROC}/sys/kernel/core_pattern r,
|
||||
|
|
|
|||
|
|
@ -9,13 +9,16 @@ include <tunables/global>
|
|||
@{exec_path} = @{bin}/ksmserver
|
||||
profile ksmserver @{exec_path} flags=(attach_disconnected,mediate_deleted) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/bus/org.freedesktop.login1.Session>
|
||||
include <abstractions/app-launcher-user>
|
||||
include <abstractions/graphics>
|
||||
include <abstractions/kde-strict>
|
||||
include <abstractions/nameservice-strict>
|
||||
|
||||
signal (send) set=(usr1,term) peer=kscreenlocker-greet,
|
||||
|
||||
|
||||
unix (send, receive) type=stream peer=(label="kscreenlocker-greet",addr=none),
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
@{bin}/rm rix,
|
||||
|
|
@ -32,27 +35,33 @@ profile ksmserver @{exec_path} flags=(attach_disconnected,mediate_deleted) {
|
|||
/usr/share/color-schemes/{,**} r,
|
||||
/usr/share/knotifications5/*.notifyrc r,
|
||||
/usr/share/kservices5/{,**} r,
|
||||
/usr/share/kservicetypes5/{,**} r,
|
||||
|
||||
/etc/xdg/menus/applications-merged/ r,
|
||||
/etc/machine-id r,
|
||||
/etc/xdg/kscreenlockerrc r,
|
||||
/etc/xdg/menus/ r,
|
||||
|
||||
/var/lib/flatpak/exports/share/mime/ r,
|
||||
|
||||
owner @{HOME}/@{rand6} rw,
|
||||
owner @{HOME}/.Xauthority rw,
|
||||
|
||||
owner @{user_cache_dirs}/#@{int} rw,
|
||||
owner @{user_cache_dirs}/fontconfig/*-le64.cache-* r,
|
||||
owner @{user_cache_dirs}/icon-cache.kcache rw,
|
||||
owner @{user_cache_dirs}/ksycoca5_* rl,
|
||||
owner @{user_cache_dirs}/ksycoca5_* rwlk,
|
||||
|
||||
owner @{user_config_dirs}/#@{int} rw,
|
||||
owner @{user_config_dirs}/kscreenlockerrc r,
|
||||
owner @{user_config_dirs}/ksmserverrc r,
|
||||
owner @{user_config_dirs}/ksmserverrc rw,
|
||||
owner @{user_config_dirs}/ksmserverrc.@{rand6} rwl,
|
||||
owner @{user_config_dirs}/ksmserverrc.lock rwk,
|
||||
owner @{user_config_dirs}/menus/ r,
|
||||
|
||||
owner @{user_share_dirs}/kservices5/ r,
|
||||
owner @{user_share_dirs}/kservices5/ServiceMenus/ r,
|
||||
|
||||
owner /tmp/@{rand6} rw,
|
||||
|
||||
@{run}/systemd/inhibit/[0-9]*.ref rw,
|
||||
|
|
|
|||
66
apparmor.d/groups/kde/ksmserver-logout-greeter
Normal file
66
apparmor.d/groups/kde/ksmserver-logout-greeter
Normal file
|
|
@ -0,0 +1,66 @@
|
|||
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2024 Jeroen Rijken
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = @{lib}/@{multiarch}/libexec/ksmserver-logout-greeter
|
||||
profile ksmserver-logout-greeter @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/consoles>
|
||||
include <abstractions/dri>
|
||||
include <abstractions/fontconfig-cache-read>
|
||||
include <abstractions/kde-icon-cache-write>
|
||||
include <abstractions/kde-strict>
|
||||
include <abstractions/mesa>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/qt5-shader-cache>
|
||||
include <abstractions/qt5>
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
owner @{HOME}/ r,
|
||||
|
||||
/ r,
|
||||
/etc/machine-id r,
|
||||
/etc/timezone r,
|
||||
|
||||
/usr/share/plasma/desktoptheme/** r,
|
||||
/usr/share/plasma/look-and-feel/** r,
|
||||
/var/lib/AccountsService/icons/ r,
|
||||
/var/lib/flatpak/exports/share/icons/{,**} r,
|
||||
/var/lib/flatpak/exports/share/mime/generic-icons r,
|
||||
|
||||
@{lib}/os-release r,
|
||||
|
||||
owner @{user_cache_dirs}/ r,
|
||||
owner @{user_cache_dirs}/#@{int} rwlk,
|
||||
owner @{user_cache_dirs}/kcrash-metadata/ r,
|
||||
owner @{user_cache_dirs}/ksmserver-logout-greeter/qmlcache/{,*} r,
|
||||
owner @{user_cache_dirs}/plasma_theme_breeze-dark_v5.114.0.kcache rw,
|
||||
owner @{user_cache_dirs}/plasma-svgelements r,
|
||||
owner @{user_cache_dirs}/plasma-svgelements.@{rand6} l -> @{user_cache_dirs}/#@{int},
|
||||
owner @{user_cache_dirs}/plasma-svgelements.lock rwk,
|
||||
|
||||
owner @{user_config_dirs}/ r,
|
||||
owner @{user_config_dirs}/kdedefaults/kscreenlockerrc r,
|
||||
owner @{user_config_dirs}/kdedefaults/plasmarc r,
|
||||
owner @{user_config_dirs}/kscreenlockerrc r,
|
||||
owner @{user_config_dirs}/ksmserverrc r,
|
||||
owner @{user_config_dirs}/plasmarc r,
|
||||
|
||||
owner @{user_share_dirs}/icons/{**,} r,
|
||||
owner @{user_share_dirs}/mime/generic-icons r,
|
||||
|
||||
owner @{PROC}/@{pid}/exe r,
|
||||
owner @{PROC}/@{pid}/status r,
|
||||
owner @{run}/user/@{uid}/ r,
|
||||
|
||||
@{PROC}/sys/dev/i915/perf_stream_paranoid r,
|
||||
@{PROC}/sys/kernel/core_pattern r,
|
||||
@{PROC}/sys/kernel/random/boot_id r,
|
||||
|
||||
include if exists <local/ksmserver-logout-greeter>
|
||||
}
|
||||
|
|
@ -53,7 +53,7 @@ profile kwin_x11 @{exec_path} {
|
|||
owner @{user_config_dirs}/kxkbrc r,
|
||||
owner @{user_config_dirs}/session/kwin_* rwk,
|
||||
owner @{user_config_dirs}/plasmarc r,
|
||||
|
||||
owner @{user_config_dirs}/session/#@{int} rw,
|
||||
owner /tmp/#@{int} rw,
|
||||
owner /tmp/kwin.@{rand6} rwl,
|
||||
|
||||
|
|
|
|||
|
|
@ -9,6 +9,8 @@ include <tunables/global>
|
|||
@{exec_path} = @{bin}/plasma-browser-integration-host
|
||||
profile plasma-browser-integration-host @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/bus-session>
|
||||
include <abstractions/bus-system>
|
||||
include <abstractions/graphics>
|
||||
include <abstractions/kde-strict>
|
||||
include <abstractions/nameservice-strict>
|
||||
|
|
@ -19,17 +21,26 @@ profile plasma-browser-integration-host @{exec_path} {
|
|||
|
||||
@{exec_path} mr,
|
||||
|
||||
/etc/xdg/menus/applications-merged/ r,
|
||||
|
||||
/usr/share/kservices5/{,**} r,
|
||||
|
||||
/etc/xdg/menus/ r,
|
||||
/etc/xdg/taskmanagerrulesrc r,
|
||||
|
||||
owner @{user_cache_dirs}/ksycoca5_* r,
|
||||
/var/lib/flatpak/exports/share/mime/ r,
|
||||
|
||||
owner @{user_cache_dirs}/icon-cache.kcache rw,
|
||||
owner @{user_cache_dirs}/ksycoca5_* r,
|
||||
|
||||
owner @{user_config_dirs}/menus/ r,
|
||||
|
||||
owner @{user_share_dirs}/kservices5/ r,
|
||||
owner @{user_share_dirs}/kservices5/ServiceMenus/ r,
|
||||
|
||||
@{PROC}/sys/kernel/core_pattern r,
|
||||
owner @{PROC}/@{pid}/cmdline r,
|
||||
owner @{PROC}/@{pid}/stat r,
|
||||
|
||||
include if exists <local/plasma-browser-integration-host>
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -13,6 +13,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
|
|||
include <abstractions/audio>
|
||||
include <abstractions/bus-session>
|
||||
include <abstractions/bus-system>
|
||||
include <abstractions/bus/org.freedesktop.NetworkManager>
|
||||
include <abstractions/bus/org.freedesktop.UPower>
|
||||
include <abstractions/consoles>
|
||||
include <abstractions/devices-usb>
|
||||
|
|
@ -36,6 +37,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
|
|||
ptrace (read) peer=akonadi*,
|
||||
ptrace (read) peer=kalendarac,
|
||||
ptrace (read) peer=kded5,
|
||||
ptrace (read) peer=ksmserver-logout-greeter,
|
||||
ptrace (read) peer=kwin_x11,
|
||||
ptrace (read) peer=libreoffice*,
|
||||
ptrace (read) peer=pinentry-qt,
|
||||
|
|
@ -85,6 +87,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
|
|||
|
||||
@{HOME}/ r,
|
||||
owner @{HOME}/@{XDG_DESKTOP_DIR}/*.desktop r,
|
||||
owner @{user_pictures_dirs}/{,**} r,
|
||||
|
||||
owner @{user_templates_dirs}/ r,
|
||||
|
||||
|
|
@ -127,6 +130,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
|
|||
owner @{user_config_dirs}/ksmserverrc r,
|
||||
owner @{user_config_dirs}/kwalletrc r,
|
||||
owner @{user_config_dirs}/menus/{,**} r,
|
||||
owner @{user_config_dirs}/networkmanagement.notifyrc r,
|
||||
owner @{user_config_dirs}/plasma* rwlk,
|
||||
owner @{user_config_dirs}/pulse/ rw,
|
||||
owner @{user_config_dirs}/pulse/cookie rwk,
|
||||
|
|
@ -152,6 +156,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
|
|||
owner @{user_share_dirs}/user-places.xbel{,*} rwl -> @{user_share_dirs}/#@{int},
|
||||
|
||||
owner /tmp/#@{int} rw,
|
||||
/tmp/.mount_nextcl@{rand6}/{,*} r,
|
||||
|
||||
@{run}/mount/utab r,
|
||||
@{run}/user/@{uid}/gvfs/ r,
|
||||
|
|
|
|||
|
|
@ -12,6 +12,10 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) {
|
|||
include <abstractions/base>
|
||||
include <abstractions/authentication>
|
||||
include <abstractions/bash>
|
||||
include <abstractions/bus-session>
|
||||
include <abstractions/bus-system>
|
||||
include <abstractions/bus/org.freedesktop.login1>
|
||||
include <abstractions/bus/org.freedesktop.UPower>
|
||||
include <abstractions/fontconfig-cache-read>
|
||||
include <abstractions/graphics>
|
||||
include <abstractions/kde-strict>
|
||||
|
|
@ -42,6 +46,21 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) {
|
|||
signal (send) set=(term) peer=sddm-greeter,
|
||||
signal (send) set=(kill, term) peer=xorg,
|
||||
|
||||
dbus receive bus=system path=/org/freedesktop/DisplayManager/Seat@{int}
|
||||
interface=org.freedesktop.DBus.Introspectable
|
||||
member=Introspect
|
||||
peer=(name=:*, label=kscreenlocker-greet),
|
||||
|
||||
dbus receive bus=system path=/org/freedesktop/DisplayManager/Seat@{int}
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=PropertiesChanged
|
||||
peer=(name=:*, label=systemd-logind),
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/DisplayManager/Seat@{int}
|
||||
interface=org.freedesktop.DBus.Introspectable
|
||||
member=Introspect
|
||||
peer=(name=org.freedesktop.DBus, label=kscreenlocker-greet),
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
@{lib}/@{multiarch}/sddm/sddm-helper rix,
|
||||
|
|
|
|||
|
|
@ -10,6 +10,10 @@ include <tunables/global>
|
|||
@{exec_path} = @{bin}/sddm-greeter
|
||||
profile sddm-greeter @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/bus-session>
|
||||
include <abstractions/bus-system>
|
||||
include <abstractions/bus/org.freedesktop.login1>
|
||||
include <abstractions/bus/org.freedesktop.UPower>
|
||||
include <abstractions/fontconfig-cache-read>
|
||||
include <abstractions/graphics>
|
||||
include <abstractions/kde-strict>
|
||||
|
|
@ -60,6 +64,7 @@ profile sddm-greeter @{exec_path} {
|
|||
owner @{HOME}/.glvnd* mrw,
|
||||
|
||||
owner /tmp/runtime-sddm/ rw,
|
||||
owner /tmp/sddm-:@{int}-@{rand6} rw,
|
||||
|
||||
owner @{run}/sddm/{,*} rw,
|
||||
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue