From f360d12ec19fcc2ade26e330400a56c1d706036d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 6 Mar 2025 22:22:56 +0100 Subject: [PATCH] feat(profile): improve kde profiles. See #675 --- apparmor.d/groups/kde/baloo | 17 ++++++----------- apparmor.d/groups/kde/kde-powerdevil | 8 ++++++-- apparmor.d/groups/kde/kioworker | 2 +- apparmor.d/groups/kde/kwin_wayland | 17 +++++++++++++++++ apparmor.d/groups/kde/plasmashell | 2 +- apparmor.d/groups/kde/sddm | 2 +- 6 files changed, 32 insertions(+), 16 deletions(-) diff --git a/apparmor.d/groups/kde/baloo b/apparmor.d/groups/kde/baloo index 9a2f4c961..75532a773 100644 --- a/apparmor.d/groups/kde/baloo +++ b/apparmor.d/groups/kde/baloo 
@@ -42,27 +42,22 @@ profile baloo @{exec_path} { owner @{user_share_dirs}/baloo/{,**} rwk, - @{run}/udev/data/+acpi:* r, # for acpi - @{run}/udev/data/+backlight:* r, - @{run}/udev/data/+bluetooth:* r, - @{run}/udev/data/+dmi:* r, # For motherboard info - @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad - @{run}/udev/data/+leds:* r, - @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) - @{run}/udev/data/+platform:* r, - @{run}/udev/data/+power_supply* r, - @{run}/udev/data/+rfkill:* r, - @{run}/udev/data/+sound:card@{int} r, # for sound card + @{run}/mount/utab r, + + @{run}/udev/data/+*:* r, @{run}/udev/data/c1:@{int} r, # For RAM disk @{run}/udev/data/c4:@{int} r, # For TTY devices + @{run}/udev/data/c5:@{int} r, # for /dev/tty, /dev/console, /dev/ptmx @{run}/udev/data/c7:@{int} r, # For Virtual console capture devices @{run}/udev/data/c10:@{int} r, # For non-serial mice, misc features @{run}/udev/data/c13:@{int} r, # For /dev/input/* @{run}/udev/data/c29:@{int} r, # For /dev/fb[0-9]* @{run}/udev/data/c89:@{int} r, # For I2C bus interface + @{run}/udev/data/c99:@{int} r, # For raw parallel ports /dev/parport* @{run}/udev/data/c116:@{int} r, # For ALSA @{run}/udev/data/c202:@{int} r, # CPU model-specific registers + @{run}/udev/data/c203:@{int} r, # CPU CPUID information @{run}/udev/data/c226:@{int} r, # For /dev/dri/card[0-9]* @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 diff --git a/apparmor.d/groups/kde/kde-powerdevil b/apparmor.d/groups/kde/kde-powerdevil index c37ee870b..0747d1b47 100644 --- a/apparmor.d/groups/kde/kde-powerdevil +++ b/apparmor.d/groups/kde/kde-powerdevil @@ -27,6 +27,7 @@ profile kde-powerdevil @{exec_path} flags=(attach_disconnected mediate_deleted) @{bin}/grep rix, @{bin}/kcminit rPx, @{bin}/sed rix, + @{bin}/uname rPx, @{bin}/xargs rix, @{lib}/drkonqi rPx, 
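Review bot: The new `@{run}/udev/data/+*:* r,` rule widens baloo's read access from eleven named udev subsystems to every `+<subsystem>:<name>` property file, including ones the removed list never covered (`+usb:*`, `+net:*`, `+block:*`, `+drm:*`), which steps away from the least-privilege intent of the per-subsystem list. The exposure is information disclosure only, since the udev database under `/run/udev/data` is normally world-readable regardless of this profile, but a file indexer with a wildcard over hardware metadata is exactly what a later reader will question, so the line should state the reason, e.g. `@{run}/udev/data/+*:* r, # Solid device enumeration touches every subsystem` — only if that is in fact why it is needed, because the commit does not say. It also leaves the block half-enumerated: the `c<major>:` rules below are still listed one by one, with `c5`, `c99` and `c203` added individually, so either the wildcard deserves a justification or the same enumeration style should be kept for both halves. The `profile baloo` body begins before and continues after this hunk.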
@@ -45,10 +46,13 @@ profile kde-powerdevil @{exec_path} flags=(attach_disconnected mediate_deleted) owner @{user_config_dirs}/powermanagementprofilesrc.lock rwk, owner @{user_config_dirs}/powermanagementprofilesrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, - @{att}/@{run}/systemd/inhibit/@{int}.ref rw, - @{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/** + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + + @{run}/mount/utab r, owner @{run}/user/@{uid}kcrash_@{int} rw, + @{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/** + @{sys}/bus/ r, @{sys}/bus/i2c/devices/ r, @{sys}/class/ r, diff --git a/apparmor.d/groups/kde/kioworker b/apparmor.d/groups/kde/kioworker index e992e09fd..592e5811e 100644 --- a/apparmor.d/groups/kde/kioworker +++ b/apparmor.d/groups/kde/kioworker @@ -30,7 +30,7 @@ profile kioworker @{exec_path} { signal receive set=term peer=firefox-kmozillahelper, signal receive set=term peer=plasma-discover, signal receive set=term peer=plasmashell, - signal receive set=term peer=xdg-desktop-portal-kde, + signal receive set=term peer=xdg-desktop-portal-kde, @{exec_path} mr, diff --git a/apparmor.d/groups/kde/kwin_wayland b/apparmor.d/groups/kde/kwin_wayland index 24d86bec6..240869a31 100644 --- a/apparmor.d/groups/kde/kwin_wayland +++ b/apparmor.d/groups/kde/kwin_wayland @@ -30,6 +30,7 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) { @{exec_path} mr, /etc/xdg/Xwayland-session.d/00-at-spi Cx -> at-spi, + /etc/xdg/Xwayland-session.d/00-pulseaudio-x11 Cx -> pulseaudio, #aa:exec kscreenlocker_greet /usr/share/color-schemes/*.colors r, 
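Review bot: The context line `owner @{run}/user/@{uid}kcrash_@{int} rw,` that this hunk keeps (now between `@{run}/mount/utab r,` and the usb udev rule) has no `/` between `@{uid}` and `kcrash_`, so it expands to a path like `/run/user/1000kcrash_123` that never exists while the intended `/run/user/1000/kcrash_123` stays unmatched; unless the slash was lost in rendering, it should read `owner @{run}/user/@{uid}/kcrash_@{int} rw,`. A smaller point: `@{run}/mount/utab r,` is added without a comment while the neighbouring udev rule carries one, and a short note naming which consumer in powerdevil reads the libmount user mount table would keep the block consistent — the reason is not visible in the commit. The enclosing `kde-powerdevil` profile starts and ends outside this hunk.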
@@ -119,6 +120,7 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) { @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) @{run}/udev/data/+platform:* r, # for ? + @{run}/udev/data/+serio:* r, # for touchpad @{run}/udev/data/+sound:card@{int} r, # for sound card @{run}/udev/data/+usb:* r, @@ -137,6 +139,7 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) { profile at-spi { include + include @{sh_path} r, @{bin}/busctl rix, @@ -151,6 +154,20 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) { include if exists } + profile pulseaudio { + include + include + + @{sh_path} rix, + @{bin}/pactl Px, + + /etc/xdg/Xwayland-session.d/00-pulseaudio-x11 r, + + owner @{HOME}/ r, + + include if exists + } + include if exists } diff --git a/apparmor.d/groups/kde/plasmashell b/apparmor.d/groups/kde/plasmashell index f800136e0..059760bd3 100644 --- a/apparmor.d/groups/kde/plasmashell +++ b/apparmor.d/groups/kde/plasmashell @@ -158,7 +158,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { owner @{user_share_dirs}/kactivitymanagerd/resources/database-shm rwk, owner @{user_share_dirs}/kactivitymanagerd/resources/database-wal rw, owner @{user_share_dirs}/kio/servicemenus/{,**} r, - owner @{user_share_dirs}/klipper/{,**} rwl, + owner @{user_share_dirs}/klipper/{,**} rwlk, owner @{user_share_dirs}/konsole/ r, owner @{user_share_dirs}/kpeople/persondb rwk, owner @{user_share_dirs}/kpeoplevcard/ r, diff --git a/apparmor.d/groups/kde/sddm b/apparmor.d/groups/kde/sddm index 0205dacd7..a7525d099 100644 --- a/apparmor.d/groups/kde/sddm +++ b/apparmor.d/groups/kde/sddm 
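Review bot: In the new `pulseaudio` child profile, `@{bin}/pactl Px,` drops the read bit that every other `P` transition in this patch carries (`@{bin}/uname rPx,` in kde-powerdevil, the `rPx` list in sddm), so `@{bin}/pactl rPx,` would follow the file's convention; execution itself is unaffected, this is consistency only. `owner @{HOME}/ r,` is the one rule in the child with no visible connection to running `00-pulseaudio-x11`, and it should say what triggers the home-directory listing, e.g. `owner @{HOME}/ r, # shell resolves cwd on startup` — confirm the actual cause before committing to that wording. The `include` targets in this hunk (three in the child, one added to `at-spi`) are rendered here without their `<abstractions/...>` names and could not be checked. A child named `pulseaudio` is scoped as `kwin_wayland//pulseaudio` and does not collide with the standalone pulseaudio profile, but a name such as `pulseaudio-x11` would make that obvious to readers of peer rules.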
@@ -97,8 +97,8 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 @{bin}/Hyprland rPx,
 @{bin}/kwalletd{5,6} rPx,
 @{bin}/kwin_wayland rPx,
- @{bin}/sddm-greeter{,-qt6} rPx,
 @{bin}/labwc rPx,
+ @{bin}/sddm-greeter{,-qt6} rPx,
 @{bin}/startlxqt rPx,
 @{bin}/startlxqtwayland rPx,
 @{bin}/startplasma-wayland rPx,