diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde b/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde index 8c1c1686f..bd5981dcf 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde @@ -11,6 +11,7 @@ include profile xdg-desktop-portal-kde @{exec_path} { include include + include include include include @@ -30,6 +31,12 @@ profile xdg-desktop-portal-kde @{exec_path} { #aa:exec kioworker /usr/share/plasma/look-and-feel/** r, + /usr/share/thumbnailers/{,**} r, + + /etc/fstab r, + /etc/xdg/dolphinrc r, + + / r, owner @{HOME}/ r, @@ -39,12 +46,21 @@ profile xdg-desktop-portal-kde @{exec_path} { owner @{user_config_dirs}/autostart/org.kde.*.desktop r, owner @{user_config_dirs}/breezerc r, + owner @{user_config_dirs}/kioslaverc r, + owner @{user_config_dirs}/kservicemenurc r, owner @{user_config_dirs}/xdg-desktop-portal-kderc{,.*} rwlk, + owner @{user_state_dirs}/#@{int} rw, + owner @{user_state_dirs}/xdg-desktop-portal-kdestaterc rw, + owner @{user_state_dirs}/xdg-desktop-portal-kdestaterc.@{rand6} rwlk, + owner @{user_state_dirs}/xdg-desktop-portal-kdestaterc.lock rwk, + + owner @{run}/user/@{uid}/#@{int} rw, owner @{run}/user/@{uid}/xdg-desktop-portal-kde@{rand6}.*.socket rw, owner @{PROC}/@{pid}/mountinfo r, + /dev/shm/ r, /dev/tty r, include if exists diff --git a/apparmor.d/groups/kde/kalendarac b/apparmor.d/groups/kde/kalendarac index a45652c7b..e9ae78457 100644 --- a/apparmor.d/groups/kde/kalendarac +++ b/apparmor.d/groups/kde/kalendarac @@ -34,6 +34,11 @@ profile kalendarac @{exec_path} { owner @{user_config_dirs}/kalendaracrc.lock rwk, owner @{user_config_dirs}/kmail2rc r, + owner @{user_state_dirs}/#@{int} rw, + owner @{user_state_dirs}/kalendaracstaterc rw, + owner @{user_state_dirs}/kalendaracstaterc.@{rand6} rwl, + owner @{user_state_dirs}/kalendaracstaterc.lock rwk, + /dev/tty r, include if exists diff --git a/apparmor.d/groups/kde/kded b/apparmor.d/groups/kde/kded index c9fa538df..2ef26836d 100644 --- a/apparmor.d/groups/kde/kded +++ b/apparmor.d/groups/kde/kded @@ -84,6 +84,7 @@ profile kded @{exec_path} { /var/lib/dbus/machine-id r, / r, + @{efi}/ r, owner @{HOME}/ r, owner @{HOME}/.gtkrc-2.0 rw, diff --git a/apparmor.d/groups/kde/kglobalacceld b/apparmor.d/groups/kde/kglobalacceld index 9da19046d..0e8ba3395 100644 --- a/apparmor.d/groups/kde/kglobalacceld +++ b/apparmor.d/groups/kde/kglobalacceld @@ -18,15 +18,11 @@ profile kglobalacceld @{exec_path} { /usr/share/kglobalaccel/{,**} r, /etc/machine-id r, - /etc/xdg/menus/ r, - /etc/xdg/menus/applications-merged/ r, owner @{user_config_dirs}/#@{int} rw, owner @{user_config_dirs}/kglobalshortcutsrc.lock rwk, owner @{user_config_dirs}/kglobalshortcutsrc* rwl, owner @{user_config_dirs}/khotkeysrc r, - owner @{user_config_dirs}/menus/ r, - owner @{user_config_dirs}/menus/applications-merged/ r, @{PROC}/sys/kernel/random/boot_id r, diff --git a/apparmor.d/groups/kde/ksmserver b/apparmor.d/groups/kde/ksmserver index eb53bc078..6d515fb18 100644 --- a/apparmor.d/groups/kde/ksmserver +++ b/apparmor.d/groups/kde/ksmserver @@ -49,9 +49,6 @@ profile ksmserver @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{user_config_dirs}/ksmserverrc rw, owner @{user_config_dirs}/ksmserverrc.@{rand6} rwl, owner @{user_config_dirs}/ksmserverrc.lock rwk, - owner @{user_config_dirs}/menus/ r, - owner @{user_config_dirs}/menus/applications-merged/ r, - owner @{user_config_dirs}/session/*_[0-9]*_[0-9]*_[0-9]* rw, owner @{user_share_dirs}/kservices{5,6}/ r, owner @{user_share_dirs}/kservices{5,6}/ServiceMenus/ r, diff --git a/apparmor.d/groups/kde/kwalletmanager b/apparmor.d/groups/kde/kwalletmanager index dc64cbb9e..5ffcafd4f 100644 --- a/apparmor.d/groups/kde/kwalletmanager +++ b/apparmor.d/groups/kde/kwalletmanager @@ -36,9 +36,6 @@ profile kwalletmanager @{exec_path} { owner @{user_config_dirs}/kwalletrc rw, owner @{user_config_dirs}/kwalletrc.* rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/kwalletrc.lock rwk, - owner @{user_config_dirs}/session/#@{int} rw, - owner @{user_config_dirs}/session/kwalletmanager5_* rwl -> @{user_config_dirs}/session/#@{int}, - owner @{user_config_dirs}/session/kwalletmanager5_*.lock rwk, @{PROC}/@{pid}/mountinfo r, @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/groups/kde/kwin_x11 b/apparmor.d/groups/kde/kwin_x11 index e05e443ff..8400c8cb6 100644 --- a/apparmor.d/groups/kde/kwin_x11 +++ b/apparmor.d/groups/kde/kwin_x11 @@ -25,10 +25,12 @@ profile kwin_x11 @{exec_path} { @{exec_path} mrix, @{sh_path} rix, + @{bin}/kdialog rix, @{lib}/kwin_killer_helper rix, #aa:exec drkonqi + /usr/share/kwin-x11/{,**} r, /usr/share/kwin/{,**} r, /usr/share/plasma/desktoptheme/{,**} r, @@ -47,6 +49,7 @@ profile kwin_x11 @{exec_path} { owner @{user_cache_dirs}/session/#@{int} rw, owner @{user_config_dirs}/#@{int} rw, + owner @{user_config_dirs}/kaccessrc r, owner @{user_config_dirs}/kdedefaults/plasmarc r, owner @{user_config_dirs}/kwinoutputconfig.json rw, owner @{user_config_dirs}/kwinrc.lock rwk, @@ -54,8 +57,6 @@ profile kwin_x11 @{exec_path} { owner @{user_config_dirs}/kwinrulesrc r, owner @{user_config_dirs}/kxkbrc r, owner @{user_config_dirs}/plasmarc r, - owner @{user_config_dirs}/session/#@{int} rw, - owner @{user_config_dirs}/session/kwin_* rwk, owner @{user_share_dirs}/kwin/scripts/ r, diff --git a/apparmor.d/groups/kde/okular b/apparmor.d/groups/kde/okular index 7cd628b09..acd9b7430 100644 --- a/apparmor.d/groups/kde/okular +++ b/apparmor.d/groups/kde/okular @@ -42,8 +42,6 @@ profile okular @{exec_path} { /etc/fstab r, /etc/xdg/dolphinrc r, - /etc/xdg/menus/ r, - /etc/xdg/menus/applications-merged/ r, / r, @{MOUNTS}/ r, @@ -51,19 +49,17 @@ profile okular @{exec_path} { owner @{user_cache_dirs}/okular/{,**} rw, owner @{user_config_dirs}/#@{int} rw, + owner @{user_config_dirs}/KDE/*.conf r, + owner @{user_config_dirs}/kioslaverc r, + owner @{user_config_dirs}/kservicemenurc r, + owner @{user_config_dirs}/kwalletrc r, + owner @{user_config_dirs}/okular-generator-popplerrc r, owner @{user_config_dirs}/okularpartrc rw, owner @{user_config_dirs}/okularpartrc.@{rand6} rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/okularpartrc.lock rwk, owner @{user_config_dirs}/okularrc rw, owner @{user_config_dirs}/okularrc.@{rand6} rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/okularrc.lock rwk, - owner @{user_config_dirs}/okular-generator-popplerrc r, - owner @{user_config_dirs}/KDE/*.conf r, - owner @{user_config_dirs}/kioslaverc r, - owner @{user_config_dirs}/kservicemenurc r, - owner @{user_config_dirs}/kwalletrc r, - owner @{user_config_dirs}/menus/ r, - owner @{user_config_dirs}/menus/applications-merged/ r, owner @{user_share_dirs}/#@{int} rw, owner @{user_share_dirs}/kxmlgui{5,6}/okular/{,*} r, diff --git a/apparmor.d/groups/kde/plasma-browser-integration-host b/apparmor.d/groups/kde/plasma-browser-integration-host index dce3545f7..e17d4c5f1 100644 --- a/apparmor.d/groups/kde/plasma-browser-integration-host +++ b/apparmor.d/groups/kde/plasma-browser-integration-host @@ -21,16 +21,10 @@ profile plasma-browser-integration-host @{exec_path} { @{exec_path} mr, - /etc/xdg/menus/applications-merged/ r, - /usr/share/kservices{5,6}/{,**} r, - /etc/xdg/menus/ r, /etc/xdg/taskmanagerrulesrc r, - owner @{user_config_dirs}/menus/ r, - owner @{user_config_dirs}/menus/applications-merged/ r, - owner @{user_share_dirs}/kservices{5,6}/ r, owner @{user_share_dirs}/kservices{5,6}/ServiceMenus/ r, diff --git a/apparmor.d/groups/kde/plasma_session b/apparmor.d/groups/kde/plasma_session index 1fbeda384..5d3812594 100644 --- a/apparmor.d/groups/kde/plasma_session +++ b/apparmor.d/groups/kde/plasma_session @@ -36,7 +36,6 @@ profile plasma_session @{exec_path} { /etc/xdg/autostart/ r, /etc/xdg/autostart/*.desktop r, - /etc/xdg/menus/ r, owner @{user_config_dirs}/kdedefaults/ksplashrc r, owner @{user_config_dirs}/plasma-welcomerc r, diff --git a/apparmor.d/groups/kde/systemsettings b/apparmor.d/groups/kde/systemsettings index e68d248b6..b41dac08a 100644 --- a/apparmor.d/groups/kde/systemsettings +++ b/apparmor.d/groups/kde/systemsettings @@ -57,7 +57,6 @@ profile systemsettings @{exec_path} { /etc/fstab r, /etc/machine-id r, - /etc/xdg/menus/{,applications-merged/} r, /etc/xdg/plasmanotifyrc r, /etc/xdg/ui/ui_standards.rc r, /var/lib/dbus/machine-id r, @@ -90,8 +89,6 @@ profile systemsettings @{exec_path} { owner @{user_config_dirs}/kinfocenterrc* rwlk, owner @{user_config_dirs}/libaccounts-glib/ rw, owner @{user_config_dirs}/libaccounts-glib/accounts.db{,-shm,-wal,-journal} rwk, - owner @{user_config_dirs}/menus/ r, - owner @{user_config_dirs}/menus/applications-merged/ r, owner @{user_config_dirs}/session/ rw, owner @{user_config_dirs}/session/** rwlk, owner @{user_config_dirs}/systemsettingsrc.lock rwk, diff --git a/apparmor.d/profiles-m-r/pinentry-qt b/apparmor.d/profiles-m-r/pinentry-qt index 3c5ec0a94..66729769f 100644 --- a/apparmor.d/profiles-m-r/pinentry-qt +++ b/apparmor.d/profiles-m-r/pinentry-qt @@ -17,6 +17,8 @@ profile pinentry-qt @{exec_path} { include include + ptrace read peer=gpg-agent, + @{exec_path} mr, /etc/machine-id r,