feat(profiles): better kde integration

Step 1: Ensure it can boot.
2023-03-29 23:54:23 +01:00 · 2023-03-29 23:54:23 +01:00 · f3d4912be8
commit f3d4912be8
parent 1aab4f1557
9 changed files with 111 additions and 172 deletions
--- a/apparmor.d/groups/bus/dbus-daemon-launch-helper
+++ b/apparmor.d/groups/bus/dbus-daemon-launch-helper
@ -22,6 +22,10 @@ profile dbus-daemon-launch-helper @{exec_path} {
  @{libexec}/language-selector/ls-dbus-backend              rPx,
  /{usr/,}lib/@{multiarch}/cups-pk-helper-mechanism         rPx,
  /{usr/,}lib/software-properties/software-properties-dbus  rPx,
+  /{usr/,}lib/kauth/discretegpuhelper rPUx, # TODO: rPx,
+  /{usr/,}lib/kauth/chargethresholdhelper rPUx, # TODO: rPx,
+  /{usr/,}lib/kauth/backlighthelper  rPUx, # TODO: rPx,
+  /{usr/,}lib/kauth/kded-smart-helper  rPUx, # TODO: rPx,

  /usr/share/org.gnome.Characters/org.gnome.Characters.BackgroundService rPx,
  /usr/share/usb-creator/usb-creator-helper rPx,
--- a/apparmor.d/groups/freedesktop/plymouthd
+++ b/apparmor.d/groups/freedesktop/plymouthd
@ -60,6 +60,7 @@ profile plymouthd @{exec_path} {

  /dev/ptmx rw,
  /dev/tty[0-9]* rw,
+  /dev/ttyS[0-9]* rw,

  include if exists <local/plymouthd>
 }
--- a/apparmor.d/groups/freedesktop/xdg-user-dirs-update
+++ b/apparmor.d/groups/freedesktop/xdg-user-dirs-update
@ -26,6 +26,17 @@ profile xdg-user-dirs-update @{exec_path} {
  /var/lib/gdm{3,}/@{XDG_TEMPLATES_DIR}/ rw,
  /var/lib/gdm{3,}/@{XDG_VIDEOS_DIR}/ rw,

+  /var/lib/sddm/.config/user-dirs.dirs{,*} rw,
+  /var/lib/sddm/.config/user-dirs.locale rw,
+  /var/lib/sddm/@{XDG_DESKTOP_DIR}/ rw,
+  /var/lib/sddm/@{XDG_DOCUMENTS_DIR}/ rw,
+  /var/lib/sddm/@{XDG_DOWNLOAD_DIR}/ rw,
+  /var/lib/sddm/@{XDG_MUSIC_DIR}/ rw,
+  /var/lib/sddm/@{XDG_PICTURES_DIR}/ rw,
+  /var/lib/sddm/@{XDG_PUBLICSHARE_DIR}/ rw,
+  /var/lib/sddm/@{XDG_TEMPLATES_DIR}/ rw,
+  /var/lib/sddm/@{XDG_VIDEOS_DIR}/ rw,
+
  # new user; change to 'c'
  owner @{HOME}/@{XDG_DESKTOP_DIR}/ w,
  owner @{HOME}/@{XDG_DOCUMENTS_DIR}/ w,
--- a/apparmor.d/groups/freedesktop/xorg
+++ b/apparmor.d/groups/freedesktop/xorg
@ -22,6 +22,7 @@ profile xorg @{exec_path} flags=(attach_disconnected) {
  include <abstractions/opencl>
  include <abstractions/vulkan>

+  capability dac_read_search,
  capability ipc_owner,
  capability setgid,
  capability setuid,
--- a/apparmor.d/groups/freedesktop/xrdb
+++ b/apparmor.d/groups/freedesktop/xrdb
@ -32,6 +32,7 @@ profile xrdb @{exec_path} {

  owner /tmp/kcminit.* r,
  owner /tmp/runtime-cb/xauth_?????? r,
+  owner /tmp/startplasma-x11.?????? r,
  owner /tmp/xauth-[0-9]*-_[0-9] r,

  # file_inherit
--- a/apparmor.d/groups/freedesktop/xsetroot
+++ b/apparmor.d/groups/freedesktop/xsetroot
@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2019-2021 Mikhail Morfikov
+# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

 abi <abi/3.0>,
@ -10,16 +11,19 @@ include <tunables/global>
 profile xsetroot @{exec_path} {
  include <abstractions/base>

+  capability dac_read_search,
+
  @{exec_path} mr,

-  owner @{HOME}/.Xauthority r,
+  /usr/share/icons/{,**} r,

  /etc/X11/cursors/*.theme r,
-  /usr/share/icons/*/cursors/default r,
-  /usr/share/icons/*/index.theme r,

-  # file_inherit
+  owner @{HOME}/.Xauthority r,
  owner @{HOME}/.xsession-errors w,
+  owner @{user_share_dirs}/sddm/xorg-session.log w,
+
+  @{run}/sddm/\{@{uuid}\} r,

  include if exists <local/xsetroot>
 }