Merge branch 'main' into feat/update

Alex 2024-05-06 19:56:11 +01:00 committed by GitHub
commit f75e5047df
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
340 changed files with 1603 additions and 1539 deletions


@ -13,14 +13,22 @@ profile DiscoverNotifier @{exec_path} {
include <abstractions/graphics>
include <abstractions/kde-strict>
include <abstractions/nameservice-strict>
include <abstractions/ssl_certs>
network inet dgram,
network inet stream,
network inet6 dgram,
network inet6 stream,
network netlink dgram,
network netlink raw,
@{exec_path} mr,
@{bin}/apt-config rPx,
@{bin}/apt-config rPx,
@{bin}/gpg{,2} rCx -> gpg,
@{bin}/gpgconf rCx -> gpg,
@{bin}/gpgsm rCx -> gpg,
/usr/share/knotifications{5,6}/{,**} r,
/usr/share/metainfo/{,**} r,
@ -28,7 +36,7 @@ profile DiscoverNotifier @{exec_path} {
/etc/machine-id r,
/etc/flatpak/remotes.d/{,**} r,
/var/lib/flatpak/repo/{,**} r,
/var/lib/flatpak/{,**} r,
/var/cache/swcatalog/cache/ w,
@ -45,9 +53,29 @@ profile DiscoverNotifier @{exec_path} {
owner @{user_share_dirs}/flatpak/{,**} rw,
owner @{tmp}/ostree-gpg-*/ rw,
@{PROC}/sys/kernel/core_pattern r,
/dev/tty r,
profile gpg {
include <abstractions/base>
@{bin}/gpg{,2} mr,
@{bin}/gpgconf mr,
@{bin}/gpgsm mr,
@{HOME}/@{XDG_GPG_DIR}/*.conf r,
@{tmp}/ r,
owner @{tmp}/ostree-gpg-*/ r,
owner @{tmp}/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**,
owner @{run}/user/@{uid}/gnupg/ w,
include if exists <local/DiscoverNotifier_gpg>
}
include if exists <local/DiscoverNotifier>
}
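Review bot: The link target in the `gpg` subprofile is still a literal `/tmp` path, `owner @{tmp}/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**,`, although the rule path itself uses `@{tmp}`. If `@{tmp}` expands to any directory other than `/tmp` (its definition is not shown on this page), the link pair cannot match there and the `l` permission has no effect for that location. I would write the target as `-> @{tmp}/ostree-gpg-*/**,`. The same half-converted `-> /tmp/...` target appears in the kconf_update, kded, okular, plasma-discover (three rules) and startplasma sections; the `+`/`-` markers are lost in this rendering, so I am assuming these lines are on the new side.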


@ -33,7 +33,7 @@ profile baloo @{exec_path} {
# Allow to search user files
owner @{HOME}/{,**} r,
owner @{MOUNTS}/{,**} r,
owner /tmp/*/{,**} r,
owner @{tmp}/*/{,**} r,
owner @{user_config_dirs}/#@{int} rw,
owner @{user_config_dirs}/baloofilerc rwl,


@ -28,7 +28,42 @@ profile baloorunner @{exec_path} {
/tmp/ r,
@{run}/udev/data/+acpi:* r, # for acpi
@{run}/udev/data/+bluetooth:* r,
@{run}/udev/data/+dmi* r, # for motherboard info
@{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard
@{run}/udev/data/+i2c:* r,
@{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad
@{run}/udev/data/+leds:* r,
@{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.)
@{run}/udev/data/+platform:* r,
@{run}/udev/data/+power_supply* r,
@{run}/udev/data/+rfkill:* r,
@{run}/udev/data/+sound:card@{int} r, # for sound card
@{run}/udev/data/c1:@{int} r, # For RAM disk
@{run}/udev/data/c4:@{int} r, # For TTY devices
@{run}/udev/data/c5:@{int} r, # for /dev/tty, /dev/console, /dev/ptmx
@{run}/udev/data/c7:@{int} r, # For Virtual console capture devices
@{run}/udev/data/c10:@{int} r, # for non-serial mice, misc features
@{run}/udev/data/c116:@{int} r, # For ALSA
@{run}/udev/data/c13:@{int} r, # For /dev/input/*
@{run}/udev/data/c18[0,8,9]:@{int} r, # USB devices & USB serial converters
@{run}/udev/data/c29:@{int} r, # For /dev/fb[0-9]*
@{run}/udev/data/c89:@{int} r, # For I2C bus interface
@{run}/udev/data/c202:@{int} r, # CPU model-specific registers
@{run}/udev/data/c203:@{int} r, # CPU CPUID information
@{run}/udev/data/c226:@{int} r, # For /dev/dri/card[0-9]*
@{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511
@{sys}/bus/ r,
@{sys}/bus/*/devices/ r,
@{sys}/class/*/ r,
@{sys}/devices/**/uevent r,
@{PROC}/sys/kernel/core_pattern r,
/dev/tty r,
include if exists <local/baloorunner>
}
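Review bot: `@{run}/udev/data/c18[0,8,9]:@{int} r,` uses a bracket expression, in which the commas are literal members of the set rather than separators, so it also matches a name of the form `c18,:N`; `c18[089]:@{int}` or `c18{0,8,9}:@{int}` says what the comment intends. Separately, `/tmp/ r,` at the top of this hunk keeps the literal path although this commit moves other profiles to `@{tmp}`; the same goes for `/tmp/.mount_nextcl@{rand6}/{,*} r,` in the plasmashell section and for `/tmp/sddm-* rw,` and `/tmp/xauth_@{rand6} rwl` in the sddm section. If those are deliberate, a short comment on each would stop them reading as missed conversions.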


@ -15,6 +15,7 @@ profile dolphin @{exec_path} {
include <abstractions/bus/org.freedesktop.UDisks2>
include <abstractions/deny-sensitive-home>
include <abstractions/devices-usb>
include <abstractions/disks-read>
include <abstractions/graphics>
include <abstractions/kde-strict>
include <abstractions/nameservice-strict>
@ -45,9 +46,15 @@ profile dolphin @{exec_path} {
# Full access to user's data
/ r,
/*/ r,
@{bin}/ r,
@{lib}/ r,
@{MOUNTDIRS}/ r,
@{MOUNTS}/ r,
@{MOUNTS}/** rw,
owner @{HOME}/{,**} rw,
/var/lib/flatpak/exports/share/mime/ r,
owner @{run}/user/@{uid}/{,**} rw,
owner @{tmp}/{,**} rw,
# Silence non user's data
deny /boot/{,**} r,
@ -65,7 +72,7 @@ profile dolphin @{exec_path} {
owner @{user_config_dirs}/dolphinrc.@{rand6} rwl -> @{user_config_dirs}/#@{int},
owner @{user_config_dirs}/dolphinrc.lock rwk,
owner @{user_config_dirs}/kde.org/#@{int} rw,
owner @{user_config_dirs}/kde.org/UserFeedback.org.kde.dolphin.conf{,.@{rand6}} rwlk -> @{user_config_dirs}/kde.org/#@{int},
owner @{user_config_dirs}/kde.org/UserFeedback.org.kde.dolphin.conf{,.*} rwlk -> @{user_config_dirs}/kde.org/#@{int},
owner @{user_config_dirs}/kde.org/UserFeedback.org.kde.dolphin.conf.lock rwk,
owner @{user_config_dirs}/session/ rw,
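Review bot: The pattern `UserFeedback.org.kde.dolphin.conf{,.*}` (apparently the replacement for the `{,.@{rand6}}` form printed just above it) also matches `UserFeedback.org.kde.dolphin.conf.lock`, so the lock file picks up the `l` permission on top of the dedicated `rwk` rule that follows. If the wider suffix is needed because the temporary name is not always six characters, a one-line comment stating which suffix was observed would justify it; otherwise `{,.@{rand6}}` is the tighter rule. The profile continues past the end of this hunk.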


@ -12,6 +12,9 @@ profile drkonqi-coredump-processor @{exec_path} {
include <abstractions/base>
include <abstractions/qt5>
capability dac_override,
capability dac_read_search,
@{exec_path} mr,
/etc/machine-id r,
@ -20,7 +23,11 @@ profile drkonqi-coredump-processor @{exec_path} {
/{run,var}/log/journal/ r,
/{run,var}/log/journal/@{hex32}/ r,
/{run,var}/log/journal/@{hex32}/*@{hex}.journal* r,
/{run,var}/log/journal/@{hex32}/system.journal r,
/{run,var}/log/journal/@{hex32}/system@@{hex32}-@{hex16}-@{hex16}.journal r,
/{run,var}/log/journal/@{hex32}/user-@{uid}.journal r,
/{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex32}-@{hex16}-@{hex16}.journal r,
/{run,var}/log/journal/remote/ r,
include if exists <local/drkonqi-coredump-processor>
}
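Review bot: `capability dac_override,` is granted next to `capability dac_read_search,`, yet every file rule visible in this section is read-only (`r`). `dac_read_search` already covers bypassing read and directory-search permission checks, while `dac_override` additionally bypasses write and execute checks. Unless a logged denial shows that `dac_override` is required, I would drop it, or add a comment on that line naming the access that needs it. Rules between the two hunks are not shown, so this is based on the visible lines only.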


@ -32,11 +32,11 @@ profile kcminit @{exec_path} {
owner @{user_config_dirs}/Trolltech.conf.lock rwk,
owner @{user_config_dirs}/Trolltech.conf{,.@{rand6}} rwl,
owner /tmp/#@{int} rw,
owner /tmp/kcminit.@{rand6} rwl,
owner @{tmp}/#@{int} rw,
owner @{tmp}/kcminit.@{rand6} rwl,
owner /tmp/.touchpaddefaults wl,
owner /tmp/.touchpaddefaults.lock rwk,
owner @{tmp}/.touchpaddefaults wl,
owner @{tmp}/.touchpaddefaults.lock rwk,
@{run}/user/@{uid}/xauth_@{rand6} rl,


@ -91,9 +91,9 @@ profile kconf_update @{exec_path} {
owner @{user_share_dirs}/krunnerstaterc.lock rwk,
owner @{user_share_dirs}/krunnerstaterc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
owner /tmp/#@{int} rw,
owner /tmp/kconf_update.@{rand6}.lock rwk,
owner /tmp/kconf_update.@{rand6}{,.@{rand6}} rwl -> /tmp/#@{int},
owner @{tmp}/#@{int} rw,
owner @{tmp}/kconf_update.@{rand6}.lock rwk,
owner @{tmp}/kconf_update.@{rand6}{,.@{rand6}} rwl -> /tmp/#@{int},
@{sys}/devices/system/node/ r,
@{sys}/devices/system/node/node@{int}/meminfo r,


@ -62,7 +62,7 @@ profile kde-powerdevil @{exec_path} flags=(attach_disconnected mediate_deleted)
@{sys}/devices/@{pci}/drm/card@{int}/*/edid r,
@{sys}/devices/@{pci}/drm/card@{int}/*/enabled r,
@{sys}/devices/@{pci}/drm/card@{int}/*/status r,
@{sys}/devices/@{pci}/drm/i2c-@{int}/**/dev r,
@{sys}/devices/@{pci}/i2c-@{int}/**/dev r,
@{sys}/devices/@{pci}/i2c-@{int}/name r,
@{sys}/devices/**/ r,
@{sys}/devices/i2c-@{int}/name r,


@ -113,6 +113,8 @@ profile kded @{exec_path} {
/etc/machine-id r,
/var/lib/dbus/machine-id r,
/ r,
owner @{HOME}/.gtkrc-2.0 rw,
@{user_cache_dirs}/ksycoca{5,6}_* rwlk -> @{user_cache_dirs}/#@{int},
@ -177,9 +179,9 @@ profile kded @{exec_path} {
owner @{run}/user/@{uid}/#@{int} rw,
owner @{run}/user/@{uid}/kded{5,6}*kioworker.socket rwl,
owner /tmp/#@{int} rw,
owner /tmp/kded6.@{rand6} rwl -> /tmp/#@{int},
owner /tmp/plasma-csd-generator.@{rand6}/{,**} rw,
owner @{tmp}/#@{int} rw,
owner @{tmp}/kded6.@{rand6} rwl -> /tmp/#@{int},
owner @{tmp}/plasma-csd-generator.@{rand6}/{,**} rw,
@{PROC}/ r,
@{PROC}/@{pids}/cmdline/ r,


@ -60,7 +60,7 @@ profile kioworker @{exec_path} {
@{MOUNTS}/** rw,
owner @{HOME}/{,**} rw,
owner @{run}/user/@{uid}/{,**} rw,
owner /tmp/{,**} rw,
owner @{tmp}/{,**} rw,
# Silence non user's data
deny /boot/{,**} r,
@ -86,7 +86,7 @@ profile kioworker @{exec_path} {
owner @{user_share_dirs}/kactivitymanagerd/resources/database-wal rw,
owner @{user_share_dirs}/kservices{5,6}/{,**} r,
owner /tmp/#@{int} rw,
owner @{tmp}/#@{int} rw,
@{run}/mount/utab r,
owner @{run}/user/@{uid}/#@{int} rw,


@ -36,30 +36,31 @@ profile konsole @{exec_path} flags=(attach_disconnected,mediate_deleted) {
/usr/share/sounds/** r,
/etc/xdg/konsolerc r,
/etc/xdg/kshorturifilterrc r,
/etc/xdg/menus/{,**} r,
/etc/xdg/ui/ui_standards.rc r,
owner @{HOME}/@{XDG_SSH_DIR}/config r,
owner @{user_config_dirs}/#@{int} rwl,
owner @{user_cache_dirs}/icon-cache.kcache rw,
owner @{user_cache_dirs}/ksycoca{5,6}_* r,
owner @{user_config_dirs}/#@{int} rwl,
owner @{user_config_dirs}/breezerc r,
owner @{user_config_dirs}/konsolerc{,*} rwlk,
owner @{user_config_dirs}/konsolesshconfig rwl -> @{user_config_dirs}/#@{int},
owner @{user_config_dirs}/konsolesshconfig.@{rand6} rwl -> @{user_config_dirs}/#@{int},
owner @{user_config_dirs}/konsolesshconfig.lock rwk,
owner @{user_config_dirs}/kservicemenurc r,
owner @{user_config_dirs}/menus/{,**} r,
owner @{user_cache_dirs}/icon-cache.kcache rw,
owner @{user_share_dirs}/color-schemes/{,**} r,
owner @{user_share_dirs}/konsole/ rw,
owner @{user_share_dirs}/konsole/** rwlk,
owner @{user_share_dirs}/kxmlgui5/konsole/{,**} r,
owner /tmp/#@{int} rw,
owner /tmp/konsole.@{rand6} rw,
owner @{tmp}/#@{int} rw,
owner @{tmp}/konsole.@{rand6} rw,
@{PROC}/sys/kernel/core_pattern r,
@{PROC}/@{pid}/cmdline r,


@ -91,7 +91,7 @@ profile kscreenlocker_greet @{exec_path} {
deny owner @{HOME}/#@{int} mrw,
owner @{HOME}/.glvnd* mrw,
owner /tmp/*-cover-*.{jpg,png} r,
owner @{tmp}/*-cover-*.{jpg,png} r,
@{run}/faillock/[a-zA-z0-9]* rwk,
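Review bot: The context line `@{run}/faillock/[a-zA-z0-9]* rwk,` has a range typo: `A-z` spans the ASCII punctuation between `Z` and `a` (`[`, `\`, `]`, `^`, `_` and the backtick) as well as the letters. `[a-zA-Z0-9]*` is presumably what was meant. The commit does not touch this line, but the same pattern is repeated in the sddm section, so both could be corrected together. The profile continues outside this hunk.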


@ -43,8 +43,6 @@ profile ksmserver @{exec_path} flags=(attach_disconnected,mediate_deleted) {
/etc/xdg/kscreenlockerrc r,
/etc/xdg/menus/{,*} r,
/var/lib/flatpak/exports/share/mime/ r,
owner @{HOME}/@{rand6} rw,
owner @{HOME}/.Xauthority rw,
@ -64,7 +62,7 @@ profile ksmserver @{exec_path} flags=(attach_disconnected,mediate_deleted) {
owner @{user_share_dirs}/kservices{5,6}/ r,
owner @{user_share_dirs}/kservices{5,6}/ServiceMenus/ r,
owner /tmp/@{rand6} rw,
owner @{tmp}/@{rand6} rw,
@{run}/systemd/inhibit/[0-9]*.ref rw,
owner @{run}/user/@{uid}/KSMserver__[0-9] rw,


@ -30,8 +30,6 @@ profile ksmserver-logout-greeter @{exec_path} flags=(attach_disconnected) {
/usr/share/plasma/desktoptheme/** r,
/usr/share/plasma/look-and-feel/** r,
/var/lib/AccountsService/icons/ r,
/var/lib/flatpak/exports/share/icons/{,**} r,
/var/lib/flatpak/exports/share/mime/generic-icons r,
owner @{HOME}/ r,


@ -22,8 +22,6 @@ profile kstart @{exec_path} flags=(attach_disconnected) {
@{bin}/** rPUx,
@{bin}/konsole rPx,
/var/lib/flatpak/exports/share/mime/ r,
owner @{user_cache_dirs}/mesa_shader_cache/index rw,
owner @{user_share_dirs}/kservices{5,6}/ r,
owner @{user_share_dirs}/kservices{5,6}/ServiceMenus/ r,


@ -41,7 +41,7 @@ profile kwalletd @{exec_path} {
owner @{user_share_dirs}/kwalletd/ rw,
owner @{user_share_dirs}/kwalletd/** rwkl -> @{user_share_dirs}/kwalletd/#@{int},
owner /tmp/kwalletd5.* rw,
owner @{tmp}/kwalletd5.* rw,
@{PROC}/sys/kernel/core_pattern r,
owner @{PROC}/@{pid}/cmdline r,


@ -52,6 +52,9 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) {
/etc/machine-id r,
/var/lib/dbus/machine-id r,
/ r,
owner @{HOME}/ r,
owner @{sddm_cache_dirs}/#@{int} rwk,
owner @{sddm_cache_dirs}/fontconfig/* rwk,
owner @{sddm_cache_dirs}/fontconfig/*-le64.cache-@{int}.LCK l -> @{sddm_cache_dirs}/fontconfig/*-le64.cache-@{int}.TMP-@{rand6},
@ -73,7 +76,7 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) {
owner @{user_cache_dirs}/ksycoca{5,6}_* r,
owner @{user_cache_dirs}/ksycoca{5,6}_* rwkl -> @{user_cache_dirs}/#@{int},
owner @{user_cache_dirs}/kwin/ rw,
owner @{user_cache_dirs}/kwin/** rwl -> @{user_cache_dirs}/kwin/**,
owner @{user_cache_dirs}/kwin/** rwkl -> @{user_cache_dirs}/kwin/**,
owner @{user_cache_dirs}/plasma_theme_*.kcache rw,
owner @{user_cache_dirs}/plasma-svgelements rw,
owner @{user_cache_dirs}/plasma-svgelements.@{rand6} rwl -> @{user_cache_dirs}/#@{int},


@ -56,8 +56,8 @@ profile kwin_x11 @{exec_path} {
owner @{user_config_dirs}/session/kwin_* rwk,
owner @{user_config_dirs}/plasmarc r,
owner @{user_config_dirs}/session/#@{int} rw,
owner /tmp/#@{int} rw,
owner /tmp/kwin.@{rand6} rwl,
owner @{tmp}/#@{int} rw,
owner @{tmp}/kwin.@{rand6} rwl,
owner @{run}/user/@{uid}/kcrash_@{int} rw,


@ -45,8 +45,8 @@ profile okular @{exec_path} {
owner @{user_cache_dirs}/okular/{,**} rw,
owner /tmp/#@{int} rw,
owner /tmp/okular_@{rand6}.ps rwl -> /tmp/#@{int},
owner @{tmp}/#@{int} rw,
owner @{tmp}/okular_@{rand6}.ps rwl -> /tmp/#@{int},
@{PROC}/sys/kernel/core_pattern r,


@ -28,12 +28,11 @@ profile plasma-browser-integration-host @{exec_path} {
/etc/xdg/menus/ r,
/etc/xdg/taskmanagerrulesrc r,
/var/lib/flatpak/exports/share/mime/ r,
owner @{user_cache_dirs}/icon-cache.kcache rw,
owner @{user_cache_dirs}/ksycoca{5,6}_* r,
owner @{user_config_dirs}/menus/ r,
owner @{user_config_dirs}/menus/applications-merged/ r,
owner @{user_share_dirs}/kservices{5,6}/ r,
owner @{user_share_dirs}/kservices{5,6}/ServiceMenus/ r,


@ -83,11 +83,11 @@ profile plasma-discover @{exec_path} {
owner @{user_share_dirs}/kwin/ rw,
owner @{user_share_dirs}/kwin/** rwlk -> @{user_share_dirs}/kwin/**,
owner /tmp/*.kwinscript rwl -> /tmp/#@{int},
owner /tmp/#@{int} rw,
owner /tmp/discover-@{rand6}/{,**} rw,
owner /tmp/ostree-gpg-*/ rw,
owner /tmp/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**,
owner @{tmp}/*.kwinscript rwl -> /tmp/#@{int},
owner @{tmp}/#@{int} rw,
owner @{tmp}/discover-@{rand6}/{,**} rw,
owner @{tmp}/ostree-gpg-*/ rw,
owner @{tmp}/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**,
owner @{run}/user/@{uid}/.flatpak-cache rw,
owner @{run}/user/@{uid}/.flatpak/{,**} rw,
@ -109,8 +109,8 @@ profile plasma-discover @{exec_path} {
@{HOME}/@{XDG_GPG_DIR}/*.conf r,
owner /tmp/ostree-gpg-*/ r,
owner /tmp/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**,
owner @{tmp}/ostree-gpg-*/ r,
owner @{tmp}/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**,
include if exists <local/plasma-discover_gpg>
}


@ -0,0 +1,25 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = @{bin}/plasma-emojier
profile plasma-emojier @{exec_path} {
include <abstractions/base>
include <abstractions/graphics>
include <abstractions/kde-strict>
include <abstractions/nameservice-strict>
@{exec_path} mr,
owner @{user_cache_dirs}/plasma.emojier/{,**} rw,
owner @{user_config_dirs}/#@{int} rw,
owner @{user_config_dirs}/plasma.emojierrc rwl -> @{user_config_dirs}/#@{int},
owner @{user_config_dirs}/plasma.emojierrc.lock rwk,
include if exists <local/plasma-emojier>
}
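Review bot: The new profile allows `plasma.emojierrc rwl -> @{user_config_dirs}/#@{int}` but has no rule for a `.@{rand6}` temporary name, which the sibling profiles on this page pair with their rc files (`Trolltech.conf{,.@{rand6}}`, `krunnerstaterc{,.@{rand6}}`, `dolphinrc.@{rand6}`). If plasma-emojier saves its configuration the same way, that write would be denied; `owner @{user_config_dirs}/plasma.emojierrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},` would follow the convention. This is inferred from the other profiles, so confirm against the audit log before changing it.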


@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{bin}/plasma_waitforname
profile plasma_waitforname @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
@{exec_path} mr,


@ -69,6 +69,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
/usr/share/metainfo/{,**} r,
/usr/share/plasma/{,**} r,
/usr/share/plasma5support/** r,
/usr/share/rider/{,**} r,
/usr/share/solid/actions/{,**} r,
/usr/share/swcatalog/{,**} r,
/usr/share/templates/{,*.desktop} r,
@ -79,8 +80,9 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
/etc/fstab r,
/etc/ksysguarddrc r,
/etc/machine-id r,
/etc/sensors3.conf r,
/etc/os-release r,
/etc/sensors.d/ r,
/etc/sensors3.conf r,
/etc/xdg/** r,
/var/lib/AccountsService/icons/* r,
@ -105,6 +107,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
owner @{user_cache_dirs}/ksvg-elements.lock rwlk,
owner @{user_cache_dirs}/ksycoca{5,6}_* rwlk -> @{user_cache_dirs}/#@{int},
owner @{user_cache_dirs}/org.kde.dirmodel-qml.kcache rw,
owner @{user_cache_dirs}/plasma_engine_potd/{,**} rw,
owner @{user_cache_dirs}/plasma_theme_*.kcache rw,
owner @{user_cache_dirs}/plasma-svgelements rw,
owner @{user_cache_dirs}/plasma-svgelements.@{rand6} rwl -> @{user_cache_dirs}/#@{int},
@ -164,9 +167,10 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
owner @{user_share_dirs}/plasma/{,**} r,
owner @{user_share_dirs}/plasmashell/** rwkl -> @{user_share_dirs}/plasmashell/**,
owner @{user_share_dirs}/user-places.xbel{,*} rwl,
owner @{user_share_dirs}/wallpapers/{,**} rw,
/tmp/.mount_nextcl@{rand6}/{,*} r,
owner /tmp/#@{int} rw,
owner @{tmp}/#@{int} rw,
@{run}/mount/utab r,
@{run}/user/@{uid}/gvfs/ r,


@ -42,6 +42,7 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) {
signal (receive) set=(hup) peer=@{p_systemd},
signal (send) set=(kill, term) peer=startplasma,
signal (send) set=(kill, term) peer=xorg,
signal (send) set=(kill, term) peer=xsetroot,
signal (send) set=(term) peer=kwin_wayland,
signal (send) set=(term) peer=sddm-greeter,
signal (send) set=(term) peer=startplasma-wayland,
@ -76,6 +77,7 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) {
@{bin}/disable-paste rix,
@{bin}/locale rix,
@{bin}/manpath rix,
@{bin}/mktemp rix,
@{bin}/pidof rix,
@{bin}/readlink rix,
@{bin}/realpath rix,
@ -151,6 +153,7 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) {
owner @{sddm_cache_dirs}/sddm-greeter/qmlcache/*.jsc mrw,
owner @{sddm_cache_dirs}/sddm-greeter/qmlcache/*.qmlc mrw,
owner @{HOME}/ r,
owner @{HOME}/.local/ w,
owner @{HOME}/.Xauthority rw,
@ -165,9 +168,9 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) {
/tmp/sddm-* rw,
/tmp/xauth_@{rand6} rwl -> /tmp/#@{int},
owner /tmp/*/{,s} rw,
owner /tmp/#@{int} rw,
owner /tmp/sddm-auth* rw,
owner @{tmp}/*/{,s} rw,
owner @{tmp}/#@{int} rw,
owner @{tmp}/sddm-auth* rw,
@{run}/faillock/[a-zA-z0-9]* rwk,
@{run}/sddm.pid rw,


@ -37,6 +37,7 @@ profile sddm-greeter @{exec_path} {
/usr/share/hunspell/** r,
/etc/fstab r,
/etc/os-release r,
/etc/sddm.conf r,
/etc/sddm.conf.d/{,*} r,
/etc/xdg/plasmarc r,
@ -62,8 +63,8 @@ profile sddm-greeter @{exec_path} {
deny owner @{HOME}/#@{int} mrw,
owner @{HOME}/.glvnd* mrw,
owner /tmp/runtime-sddm/ rw,
owner /tmp/sddm-:@{int}-@{rand6} rw,
owner @{tmp}/runtime-sddm/ rw,
owner @{tmp}/sddm-:@{int}-@{rand6} rw,
owner @{run}/sddm/{,*} rw,


@ -70,9 +70,9 @@ profile sddm-xsession @{exec_path} {
owner @{user_share_dirs}/sddm/xorg-session.log w,
owner /tmp/xsess-env-* rw,
owner /tmp/file* rw,
owner /tmp/tmp.* rw,
owner @{tmp}/xsess-env-* rw,
owner @{tmp}/file* rw,
owner @{tmp}/tmp.* rw,
owner @{PROC}/@{pid}/loginuid r,


@ -65,6 +65,7 @@ profile startplasma @{exec_path} {
owner @{user_config_dirs}/ksplashrc r,
owner @{user_config_dirs}/kwinkdeglobalsrc.lock rwk,
owner @{user_config_dirs}/menus/{,**} r,
owner @{user_config_dirs}/plasma_workspace.notifyrc r,
owner @{user_config_dirs}/plasma-localerc rwl,
owner @{user_config_dirs}/plasma-localerc.lock rwk,
owner @{user_config_dirs}/plasma-workspace/env/ r,
@ -72,12 +73,13 @@ profile startplasma @{exec_path} {
owner @{user_config_dirs}/Trolltech.conf.lock rwk,
owner @{user_config_dirs}/Trolltech.conf{,.@{rand6}} rwl,
owner @{user_share_dirs}/color-schemes/{,**} r,
owner @{user_share_dirs}/kservices{5,6}/{,**} r,
owner @{user_share_dirs}/sddm/wayland-session.log rw,
owner @{user_share_dirs}/sddm/xorg-session.log rw,
owner /tmp/#@{int} rw,
owner /tmp/startplasma-{x11,wayland}.@{rand6} rwl -> /tmp/#@{int},
owner @{tmp}/#@{int} rw,
owner @{tmp}/startplasma-{x11,wayland}.@{rand6} rwl -> /tmp/#@{int},
owner @{run}/user/@{uid}/ r,


@ -18,7 +18,7 @@ profile xembedsniproxy @{exec_path} {
/usr/share/hwdata/*.ids r,
/usr/share/icu/@{int}.@{int}/*.dat r,
owner /tmp/xauth_@{rand6} r,
owner @{tmp}/xauth_@{rand6} r,
@{run}/user/@{uid}/xauth_@{rand6} rl,


@ -16,7 +16,7 @@ profile xsettingsd @{exec_path} {
owner @{user_config_dirs}/xsettingsd/{,**} rw,
owner /tmp/xauth_@{rand6} r,
owner @{tmp}/xauth_@{rand6} r,
owner @{run}/user/@{uid}/xauth_@{rand6} rl,