felipe/apparmor.d
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat(profile): improve kde integration

Browse source 
see #559
This commit is contained in:
Alexandre Pujol 2025-08-22 20:37:48 +02:00
parent 1506ae04d8
commit cea9fd5614
No known key found for this signature in database
GPG key ID: C5469996F0DF68EC
10 changed files with 32 additions and 9 deletions
Download patch file Download diff file Expand all files Collapse all files

1
apparmor.d/groups/kde/DiscoverNotifier
View file

@ -39,6 +39,7 @@ profile DiscoverNotifier @{exec_path} {
@{bin}/gpgconf rCx -> gpg,
@{bin}/gpgsm rCx -> gpg,
/usr/share/flatpak/remotes.d/{,**} r,
/usr/share/metainfo/{,**} r,
/etc/machine-id r,

3
apparmor.d/groups/kde/kded
View file

@ -182,6 +182,9 @@ profile kded @{exec_path} {
@{sys}/class/leds/ r,
@{run}/udev/data/b8:@{int} r, # for /dev/sd*
@{run}/udev/data/b259:@{int} r, # Block Extended Major
@{PROC}/ r,
@{PROC}/@{pids}/cmdline/ r,
@{PROC}/@{pids}/fd/ r,

1
apparmor.d/groups/kde/kioworker
View file

@ -49,6 +49,7 @@ profile kioworker @{exec_path} {
/usr/share/kservices{5,6}/{,**} r,
/usr/share/kservicetypes{5,6}/*.desktop r,
/usr/share/remoteview/* r,
/usr/share/thumbnailers/{,**} r,
/etc/fstab r,
/etc/xdg/kioslaverc r,

2
apparmor.d/groups/kde/kscreen_backend_launcher
View file

@ -13,8 +13,8 @@ profile kscreen_backend_launcher @{exec_path} {
include <abstractions/bus-accessibility>
include <abstractions/bus-session>
include <abstractions/bus/org.a11y>
include <abstractions/desktop>
include <abstractions/kde-strict>
include <abstractions/lxqt>
#aa:dbus own bus=session name=org.kde.KScreen
#aa:dbus talk bus=system name=org.kde.kf5auth path=/ label=kde-powerdevil

2
apparmor.d/groups/kde/ksmserver-logout-greeter
View file

@ -9,7 +9,7 @@ include <tunables/global>
@{exec_path} = @{bin}/ksmserver-logout-greeter
@{exec_path} += @{lib}/@{multiarch}/{,libexec/}ksmserver-logout-greeter
profile ksmserver-logout-greeter @{exec_path} flags=(attach_disconnected) {
profile ksmserver-logout-greeter @{exec_path} flags=(attach_disconnected,mediate_deleted) {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/fontconfig-cache-read>

2
apparmor.d/groups/kde/kwalletd
View file

@ -45,7 +45,7 @@ profile kwalletd @{exec_path} {
owner @{user_share_dirs}/kwalletd/ rw,
owner @{user_share_dirs}/kwalletd/** rwkl -> @{user_share_dirs}/kwalletd/#@{int},
owner @{run}/user/@{uid}/kwallet{5,6}.socket r,
owner @{run}/user/@{uid}/kwallet{5,6}.socket rw,
owner @{tmp}/kwalletd5.* rw,

19
apparmor.d/groups/kde/kwin_wayland
View file

@ -7,7 +7,7 @@ abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/kwin_wayland
profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) {
profile kwin_wayland @{exec_path} flags=(attach_disconnected,mediate_deleted) {
include <abstractions/base>
include <abstractions/app-launcher-user>
include <abstractions/bus-accessibility>
@ -46,6 +46,7 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) {
/etc/xdg/Xwayland-session.d/00-at-spi Cx -> at-spi,
/etc/xdg/Xwayland-session.d/00-pulseaudio-x11 Cx -> pulseaudio,
/etc/xdg/Xwayland-session.d/10-ibus-x11 Cx -> ibus,
#aa:exec kscreenlocker_greet
/usr/share/color-schemes/*.colors r,
@ -53,6 +54,7 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) {
/usr/share/kglobalaccel/{,**} r,
/usr/share/kservices{5,6}/{,**} r,
/usr/share/kservicetypes5/{,*.desktop} r,
/usr/share/kwin-wayland/{,**} r,
/usr/share/kwin/{,**} r,
/usr/share/libinput-*/{,**} r,
/usr/share/libinput/{,**} r,
@ -179,6 +181,21 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) {
include if exists <local/kwin_wayland_pulseaudio>
}
profile ibus {
include <abstractions/base>
include <abstractions/consoles>
@{sh_path} r,
@{lib}/{,ibus/}ibus-x11 rPx,
/etc/xdg/Xwayland-session.d/10-ibus-x11 r,
/home/ r,
owner @{HOME}/ r,
include if exists <local/kwin_wayland_ibus>
}
include if exists <local/kwin_wayland>
}

7
apparmor.d/groups/kde/plasmashell
View file

@ -70,7 +70,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
@{lib}/libheif/{,**} mr,
@{bin}/dolphin rPx,
@{bin}/ksysguardd rix,
@{bin}/ksysguardd rPUx,
@{bin}/plasma-discover rPUx,
@{bin}/xrdb rPx,
@{lib}/kf{5,6}/kdesu{,d} rix,
@ -104,7 +104,6 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
/etc/appstream.conf r,
/etc/fstab r,
/etc/ksysguarddrc r,
/etc/machine-id r,
/etc/os-release r,
/etc/sensors.d/ r,
@ -166,6 +165,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
owner @{user_config_dirs}/klaunchrc r,
owner @{user_config_dirs}/klipperrc r,
owner @{user_config_dirs}/kmail2.notifyrc r,
owner @{user_config_dirs}/knfsshare r,
owner @{user_config_dirs}/korganizerrc r,
owner @{user_config_dirs}/krunnerrc r,
owner @{user_config_dirs}/ksmserverrc r,
@ -200,9 +200,10 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
owner @{user_share_dirs}/wallpapers/{,**} rw,
owner @{user_state_dirs}/#@{int} rw,
owner @{user_state_dirs}/plasma/* r,
owner @{user_state_dirs}/plasmashellstaterc rw,
owner @{user_state_dirs}/plasmashellstaterc.lock rwk,
owner @{user_state_dirs}/plasmashellstaterc.@{rand6} rwl,
owner @{user_state_dirs}/plasmashellstaterc.lock rwk,
/tmp/.mount_nextcl@{rand6}/{,*} r,
owner @{tmp}/#@{int} rw,

1
apparmor.d/groups/kde/sddm
View file

@ -92,6 +92,7 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) {
@{bin}/flatpak rPx,
@{bin}/gnome-keyring-daemon rPx,
@{bin}/Hyprland rPx,
@{bin}/ksecretd rPUx,
@{bin}/kwalletd{5,6} rPx,
@{bin}/kwin_wayland rPx,
@{bin}/labwc rPx,

3
apparmor.d/groups/kde/wayland-session
View file

@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{etc_ro}/sddm/wayland-session
profile wayland-session @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/shells>
@{exec_path} mr,
@ -39,8 +40,6 @@ profile wayland-session @{exec_path} {
owner @{user_share_dirs}/sddm/wayland-session.log rw,
/dev/tty rw,
include if exists <local/wayland-session>
}