diff --git a/apparmor.d/abstractions/app/chromium b/apparmor.d/abstractions/app/chromium
index 34850c023..c35849015 100644
--- a/apparmor.d/abstractions/app/chromium
+++ b/apparmor.d/abstractions/app/chromium
@@ -46,6 +46,7 @@
 ptrace (read) peer=gnome-browser-connector-host,
 ptrace (read) peer=keepassxc-proxy,
 ptrace (read) peer=lsb_release,
+ ptrace (read) peer=plasma-browser-integration-host,
 ptrace (read) peer=xdg-settings,
 ptrace (trace) peer=@{profile_name},
diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk
index 2a2e07cac..171a7185f 100644
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk
@@ -64,10 +64,7 @@ profile xdg-desktop-portal-gtk @{exec_path} {
 owner @{tmp}/runtime-*/xauth_@{rand6} r,
- @{run}/mount/utab r,
- @{run}/user/@{uid}/xauth_@{rand6} rl,
- owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} rw,
- owner @{run}/user/@{uid}/gdm/Xauthority r,
+ @{run}/mount/utab r,
 owner @{PROC}/@{pid}/mountinfo r,
diff --git a/apparmor.d/groups/gnome/gnome-software b/apparmor.d/groups/gnome/gnome-software
index 259ae8b23..f4e6a1262 100644
--- a/apparmor.d/groups/gnome/gnome-software
+++ b/apparmor.d/groups/gnome/gnome-software
@@ -121,6 +121,7 @@ profile gnome-software @{exec_path} {
 @{HOME}/@{XDG_GPG_DIR}/*.conf r,
+ @{tmp}/ r,
 owner @{tmp}/ostree-gpg-*/ r,
 owner @{tmp}/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**,
diff --git a/apparmor.d/groups/gnome/tracker-miner b/apparmor.d/groups/gnome/tracker-miner
index c6fd38ed1..6646d69d7 100644
--- a/apparmor.d/groups/gnome/tracker-miner
+++ b/apparmor.d/groups/gnome/tracker-miner
@@ -66,6 +66,7 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) {
 owner @{gdm_share_dirs}/applications/ r,
 owner /var/tmp/etilqs_@{hex} rw,
+ owner @{tmp}/etilqs_@{hex} rw,
 # Allow to search user files
 owner @{HOME}/{,**} r,
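Review bot: `@{tmp}/ r,` in the gnome-software hunk lets the program list the shared /tmp directory, which exposes other users' temporary file names and is wider than the owner-scoped `ostree-gpg-*` rules directly beneath it. If the listing is only there so the ostree/gpg keyring directory can be looked up, say so in place, e.g. `@{tmp}/ r, # lookup of ostree-gpg-* keyring dir`, so a later cleanup neither drops it nor widens it to `rw`. The profile body continues outside the hunk.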
diff --git a/apparmor.d/groups/kde/DiscoverNotifier b/apparmor.d/groups/kde/DiscoverNotifier
index 59965425e..b7fc61d2e 100644
--- a/apparmor.d/groups/kde/DiscoverNotifier
+++ b/apparmor.d/groups/kde/DiscoverNotifier
@@ -13,14 +13,22 @@ profile DiscoverNotifier @{exec_path} {
 include
 include
 include
+ include
 network inet dgram,
+ network inet stream,
 network inet6 dgram,
+ network inet6 stream,
 network netlink dgram,
+ network netlink raw,
 @{exec_path} mr,
- @{bin}/apt-config rPx,
+ @{bin}/apt-config rPx,
+
+ @{bin}/gpg{,2} rCx -> gpg,
+ @{bin}/gpgconf rCx -> gpg,
+ @{bin}/gpgsm rCx -> gpg,
 /usr/share/knotifications{5,6}/{,**} r,
 /usr/share/metainfo/{,**} r,
@@ -28,7 +36,7 @@ profile DiscoverNotifier @{exec_path} {
 /etc/machine-id r,
 /etc/flatpak/remotes.d/{,**} r,
- /var/lib/flatpak/repo/{,**} r,
+ /var/lib/flatpak/{,**} r,
 /var/cache/swcatalog/cache/ w,
@@ -45,9 +53,29 @@ profile DiscoverNotifier @{exec_path} {
 owner @{user_share_dirs}/flatpak/{,**} rw,
+ owner @{tmp}/ostree-gpg-*/ rw,
+
 @{PROC}/sys/kernel/core_pattern r,
 /dev/tty r,
+ profile gpg {
+ include
+
+ @{bin}/gpg{,2} mr,
+ @{bin}/gpgconf mr,
+ @{bin}/gpgsm mr,
+
+ @{HOME}/@{XDG_GPG_DIR}/*.conf r,
+
+ @{tmp}/ r,
+ owner @{tmp}/ostree-gpg-*/ r,
+ owner @{tmp}/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**,
+
+ owner @{run}/user/@{uid}/gnupg/ w,
+
+ include if exists
+ }
+
 include if exists
 }
\ No newline at end of file
diff --git a/apparmor.d/groups/kde/baloorunner b/apparmor.d/groups/kde/baloorunner
index ad3ef62e3..b92bcd005 100644
--- a/apparmor.d/groups/kde/baloorunner
+++ b/apparmor.d/groups/kde/baloorunner
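Review bot: `network netlink raw,` is the widest of the socket rules added in the first hunk and carries no explanation; the existing `network netlink dgram,` already covers rtnetlink queries, so it is not obvious from the profile what needs a raw netlink socket. If it is there for interface enumeration (Qt's QNetworkInterface goes through getifaddrs, which opens a SOCK_RAW NETLINK_ROUTE socket), record that so it is not mistaken for a copy-paste: `network netlink raw, # getifaddrs() / QNetworkInterface`. Confining gpg, gpgconf and gpgsm with `rCx -> gpg` rather than running them unconfined is the right call. The profile body continues outside the hunk.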
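Review bot: Widening `/var/lib/flatpak/repo/{,**} r` to `/var/lib/flatpak/{,**} r` gives DiscoverNotifier read access to the whole system flatpak state (deployed app and runtime trees, exports, overrides), not just the OSTree repository it previously saw. If the denials behind this were limited to a few subtrees such as `appstream/` or `exports/`, listing those keeps the profile honest; if the entire tree really is needed, a comment naming what reads it would help, e.g. `/var/lib/flatpak/{,**} r, # repo + appstream metadata`. The profile body continues outside the hunk.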
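Review bot: In the new `gpg` child profile the link rule `owner @{tmp}/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**,` uses the `@{tmp}` tunable for the source but a literal `/tmp` for the link target, so if `@{tmp}` is ever redefined (apparmor.d supports per-user tmp directories for libpam-tmpdir) the link side will be denied while the rest of the rule still matches. Use the tunable on both sides: `owner @{tmp}/ostree-gpg-*/** rwkl -> @{tmp}/ostree-gpg-*/**,`. The child also gets `@{tmp}/ r,`, a listing of the shared /tmp, which deserves a one-line comment on why gpg needs it. The `include` lines in this hunk have lost their `<...>` targets in this rendering, so which abstractions the child profile pulls in cannot be checked here.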
@@ -28,6 +28,39 @@ profile baloorunner @{exec_path} {
 /tmp/ r,
+ @{run}/udev/data/+acpi:* r, # for acpi
+ @{run}/udev/data/+bluetooth:* r,
+ @{run}/udev/data/+dmi* r, # for motherboard info
+ @{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard
+ @{run}/udev/data/+i2c:* r,
+ @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad
+ @{run}/udev/data/+leds:* r,
+ @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.)
+ @{run}/udev/data/+platform:* r,
+ @{run}/udev/data/+power_supply* r,
+ @{run}/udev/data/+rfkill:* r,
+ @{run}/udev/data/+sound:card@{int} r, # for sound card
+
+ @{run}/udev/data/c1:@{int} r, # For RAM disk
+ @{run}/udev/data/c4:@{int} r, # For TTY devices
+ @{run}/udev/data/c5:@{int} r, # for /dev/tty, /dev/console, /dev/ptmx
+ @{run}/udev/data/c7:@{int} r, # For Virtual console capture devices
+ @{run}/udev/data/c10:@{int} r, # for non-serial mice, misc features
+ @{run}/udev/data/c116:@{int} r, # For ALSA
+ @{run}/udev/data/c13:@{int} r, # For /dev/input/*
+ @{run}/udev/data/c18[0,8,9]:@{int} r, # USB devices & USB serial converters
+ @{run}/udev/data/c29:@{int} r, # For /dev/fb[0-9]*
+ @{run}/udev/data/c89:@{int} r, # For I2C bus interface
+ @{run}/udev/data/c202:@{int} r, # CPU model-specific registers
+ @{run}/udev/data/c203:@{int} r, # CPU CPUID information
+ @{run}/udev/data/c226:@{int} r, # For /dev/dri/card[0-9]*
+ @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511
+
+ @{sys}/bus/ r,
+ @{sys}/bus/*/devices/ r,
+ @{sys}/class/*/ r,
+ @{sys}/devices/**/uevent r,
+
 @{PROC}/sys/kernel/core_pattern r,
 /dev/tty r,
diff --git a/apparmor.d/groups/kde/drkonqi-coredump-processor b/apparmor.d/groups/kde/drkonqi-coredump-processor
index 4b1841b1c..db597a560 100644
--- a/apparmor.d/groups/kde/drkonqi-coredump-processor
+++ b/apparmor.d/groups/kde/drkonqi-coredump-processor
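Review bot: `@{run}/udev/data/c18[0,8,9]:@{int} r,` has a stray comma inside the character class, so besides majors 180, 188 and 189 it also matches the nonsense name `c18,`; the intended form is `@{run}/udev/data/c18[089]:@{int} r, # USB devices & USB serial converters`. More broadly, a KRunner file-search plugin now reads the udev database entry for every device class on the machine plus `@{sys}/devices/**/uevent`; this looks like the same Solid/udev enumeration block other KDE profiles carry, and if apparmor.d already has an abstraction for it, an `include` keeps the list in one place instead of another copy. If it must stay inline, a single comment naming the code path that triggers it (presumably Solid device discovery — confirm) would tell the next reader why a search runner touches MSR and DRM entries. The profile body continues outside the hunk.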
@@ -12,6 +12,9 @@ profile drkonqi-coredump-processor @{exec_path} {
 include
 include
+ capability dac_override,
+ capability dac_read_search,
+
 @{exec_path} mr,
 /etc/machine-id r,
@@ -20,7 +23,11 @@ profile drkonqi-coredump-processor @{exec_path} {
 /{run,var}/log/journal/ r,
 /{run,var}/log/journal/@{hex32}/ r,
- /{run,var}/log/journal/@{hex32}/*@{hex}.journal* r,
+ /{run,var}/log/journal/@{hex32}/system.journal r,
+ /{run,var}/log/journal/@{hex32}/system@@{hex32}-@{hex}-@{hex}.journal r,
+ /{run,var}/log/journal/@{hex32}/user-@{uid}.journal r,
+ /{run,var}/log/journal/@{hex32}/user-1000@@{hex32}-@{hex}-@{hex}.journal r,
+ /{run,var}/log/journal/remote/ r,
 include if exists
 }
\ No newline at end of file
diff --git a/apparmor.d/groups/kde/kde-powerdevil b/apparmor.d/groups/kde/kde-powerdevil
index 35d5e2cde..9e596c410 100644
--- a/apparmor.d/groups/kde/kde-powerdevil
+++ b/apparmor.d/groups/kde/kde-powerdevil
@@ -62,7 +62,7 @@ profile kde-powerdevil @{exec_path} flags=(attach_disconnected mediate_deleted)
 @{sys}/devices/@{pci}/drm/card@{int}/*/edid r,
 @{sys}/devices/@{pci}/drm/card@{int}/*/enabled r,
 @{sys}/devices/@{pci}/drm/card@{int}/*/status r,
- @{sys}/devices/@{pci}/drm/i2c-@{int}/**/dev r,
+ @{sys}/devices/@{pci}/i2c-@{int}/**/dev r,
 @{sys}/devices/@{pci}/i2c-@{int}/name r,
 @{sys}/devices/**/ r,
 @{sys}/devices/i2c-@{int}/name r,
diff --git a/apparmor.d/groups/kde/kded b/apparmor.d/groups/kde/kded
index 9da20954c..c3701fa78 100644
--- a/apparmor.d/groups/kde/kded
+++ b/apparmor.d/groups/kde/kded
@@ -92,6 +92,8 @@ profile kded @{exec_path} {
 /etc/machine-id r,
 /var/lib/dbus/machine-id r,
+ / r,
+
 owner @{HOME}/.gtkrc-2.0 rw,
 @{user_cache_dirs}/ksycoca{5,6}_* rwlk -> @{user_cache_dirs}/#@{int},
diff --git a/apparmor.d/groups/kde/plasma-browser-integration-host b/apparmor.d/groups/kde/plasma-browser-integration-host
index a9be8644e..c6a5a8d02 100644
--- a/apparmor.d/groups/kde/plasma-browser-integration-host
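Review bot: `capability dac_override,` is broader than anything visible in this profile justifies: every file rule shown is a read of journal files, and `dac_read_search` on its own already bypasses DAC for read and search; `dac_override` additionally lets the process write to and execute any file regardless of mode bits. Unless a write denial was actually observed, drop it and keep `capability dac_read_search, # read journal files owned by systemd-journal`. If both really are needed, a comment stating what triggers `dac_override` will stop the next reviewer from removing it. The profile body continues outside the hunk.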
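Review bot: `/{run,var}/log/journal/@{hex32}/user-1000@@{hex32}-@{hex}-@{hex}.journal r,` hardcodes uid 1000 while the live-journal rule directly above it uses `@{uid}`, so on any machine whose desktop user is not uid 1000 (second accounts, distributions that start at 500 or 1001) the archived user journal will be denied. Use the tunable: `/{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex32}-@{hex}-@{hex}.journal r,`. Replacing the old `*@{hex}.journal*` glob with explicit names is a good tightening; just confirm the processor never needs `.journal~` files left by unclean shutdowns, which the old pattern matched and the new ones do not.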
+++ b/apparmor.d/groups/kde/plasma-browser-integration-host
@@ -34,6 +34,7 @@ profile plasma-browser-integration-host @{exec_path} {
 owner @{user_cache_dirs}/ksycoca{5,6}_* r,
 owner @{user_config_dirs}/menus/ r,
+ owner @{user_config_dirs}/menus/applications-merged/ r,
 owner @{user_share_dirs}/kservices{5,6}/ r,
 owner @{user_share_dirs}/kservices{5,6}/ServiceMenus/ r,
diff --git a/apparmor.d/groups/kde/plasma-emojier b/apparmor.d/groups/kde/plasma-emojier
new file mode 100644
index 000000000..58339039f
--- /dev/null
+++ b/apparmor.d/groups/kde/plasma-emojier
@@ -0,0 +1,25 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/plasma-emojier
+profile plasma-emojier @{exec_path} {
+ include
+ include
+ include
+ include
+
+ @{exec_path} mr,
+
+ owner @{user_cache_dirs}/plasma.emojier/{,**} rw,
+
+ owner @{user_config_dirs}/#@{int} rw,
+ owner @{user_config_dirs}/plasma.emojierrc rwl -> @{user_config_dirs}/#@{int},
+ owner @{user_config_dirs}/plasma.emojierrc.lock rwk,
+
+ include if exists
+}
\ No newline at end of file
diff --git a/apparmor.d/groups/kde/plasma_waitforname b/apparmor.d/groups/kde/plasma_waitforname
index c3515edb7..ec5450de0 100644
--- a/apparmor.d/groups/kde/plasma_waitforname
+++ b/apparmor.d/groups/kde/plasma_waitforname
@@ -9,6 +9,7 @@ include
 @{exec_path} = @{bin}/plasma_waitforname
 profile plasma_waitforname @{exec_path} {
 include
+ include
 @{exec_path} mr,
diff --git a/apparmor.d/groups/kde/plasmashell b/apparmor.d/groups/kde/plasmashell
index b67f69f60..34d53add0 100644
--- a/apparmor.d/groups/kde/plasmashell
+++ b/apparmor.d/groups/kde/plasmashell
@@ -68,6 +68,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
 /usr/share/metainfo/{,**} r,
 /usr/share/plasma/{,**} r,
 /usr/share/plasma5support/** r,
+ /usr/share/rider/{,**} r,
 /usr/share/solid/actions/{,**} r,
 /usr/share/swcatalog/{,**} r,
 /usr/share/templates/{,*.desktop} r,
diff --git a/apparmor.d/groups/kde/startplasma b/apparmor.d/groups/kde/startplasma
index 8dfc1a22b..4171015f5 100644
--- a/apparmor.d/groups/kde/startplasma
+++ b/apparmor.d/groups/kde/startplasma
@@ -53,6 +53,7 @@ profile startplasma @{exec_path} {
 owner @{user_config_dirs}/ksplashrc r,
 owner @{user_config_dirs}/kwinkdeglobalsrc.lock rwk,
 owner @{user_config_dirs}/menus/{,**} r,
+ owner @{user_config_dirs}/plasma_workspace.notifyrc r,
 owner @{user_config_dirs}/plasma-localerc rwl,
 owner @{user_config_dirs}/plasma-localerc.lock rwk,
 owner @{user_config_dirs}/plasma-workspace/env/ r,
@@ -60,6 +61,7 @@ profile startplasma @{exec_path} {
 owner @{user_config_dirs}/Trolltech.conf.lock rwk,
 owner @{user_config_dirs}/Trolltech.conf{,.@{rand6}} rwl,
+ owner @{user_share_dirs}/color-schemes/{,**} r,
 owner @{user_share_dirs}/kservices{5,6}/{,**} r,
 owner @{user_share_dirs}/sddm/wayland-session.log rw,
 owner @{user_share_dirs}/sddm/xorg-session.log rw,
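Review bot: `/usr/share/rider/{,**} r,` is the one entry in this `/usr/share` list that is not a freedesktop or Plasma data directory, and it has no comment saying what it is. If it exists because a third-party IDE installs its desktop files and icons there (the name suggests JetBrains Rider — confirm), record that, e.g. `/usr/share/rider/{,**} r, # JetBrains Rider desktop files/icons`, and consider whether an application-specific exception like this belongs in the shared profile or in the `local/` override file. Read access to a vendor data directory is low risk, so this is a maintainability point rather than a confinement one. The profile body continues outside the hunk.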