feat(profile): update kde integration.

See #310
2024-04-08 19:17:01 +01:00 · 2024-04-08 19:17:01 +01:00 · f96e5a9713
commit f96e5a9713
parent edf32f923c
28 changed files with 114 additions and 41 deletions
--- a/apparmor.d/groups/freedesktop/plymouth-set-default-theme
+++ b/apparmor.d/groups/freedesktop/plymouth-set-default-theme
@ -18,7 +18,11 @@ profile plymouth-set-default-theme @{exec_path} flags=(attach_disconnected) {
  @{bin}/grep        rix,
  @{bin}/plymouth    rPx,

+  /usr/share/plymouth/{,**} r,
+
  /etc/plymouth/{,*} r,

+  /dev/tty rw,
+
  include if exists <local/plymouth-set-default-theme>
 }
--- a/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent
+++ b/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent
@ -35,6 +35,7 @@ profile polkit-kde-authentication-agent @{exec_path} flags=(attach_disconnected)
  /etc/machine-id r,
  /var/lib/dbus/machine-id r,

+  owner @{user_config_dirs}/breezerc r,
  owner @{user_config_dirs}/qt5ct/{,**} r,

  owner @{user_cache_dirs}/icon-cache.kcache rw,
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde
@ -10,8 +10,8 @@ include <tunables/global>
@{exec_path} += @{lib}/@{multiarch}/{,libexec/}xdg-desktop-portal-kde
 profile xdg-desktop-portal-kde @{exec_path} {
  include <abstractions/base>
-  include <abstractions/kde-strict>
  include <abstractions/graphics>
+  include <abstractions/kde-strict>
  include <abstractions/nameservice-strict>

  network inet dgram,
@ -22,12 +22,21 @@ profile xdg-desktop-portal-kde @{exec_path} {

  @{exec_path} mr,

+  #aa:exec kioworker
+
+  owner @{desktop_config_dirs}/user-dirs.dirs r,
+
  owner @{user_cache_dirs}/*.kcache r,

  owner @{user_cache_dirs}/icon-cache.kcache rw,

+  owner @{user_config_dirs}/#@{int} rw,
  owner @{user_config_dirs}/autostart/org.kde.*.desktop r,
-  owner @{user_config_dirs}/xdg-desktop-portal-kderc r,
+  owner @{user_config_dirs}/breezerc r,
+  owner @{user_config_dirs}/kdeglobals{,.*} rwlk,
+  owner @{user_config_dirs}/xdg-desktop-portal-kderc{,.*} rwlk,
+
+  owner @{run}/user/@{uid}/xdg-desktop-portal-kde@{rand6}.*.socket rw,

  @{PROC}/sys/kernel/core_pattern r,

--- a/apparmor.d/groups/freedesktop/xdg-document-portal
+++ b/apparmor.d/groups/freedesktop/xdg-document-portal
@ -11,6 +11,7 @@ profile xdg-document-portal @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/bus-session>
  include <abstractions/bus/org.freedesktop.impl.portal.PermissionStore>
+  include <abstractions/deny-sensitive-home>

  capability sys_admin,
  capability sys_nice,
@ -40,6 +41,8 @@ profile xdg-document-portal @{exec_path} flags=(attach_disconnected) {
  / r,
  owner /.flatpak-info r,

+  owner @{HOME}/*/{,**} r,
+
  owner @{user_share_dirs}/flatpak/db/documents r,
  owner @{user_share_dirs}/Trash/files/** r,

--- a/apparmor.d/groups/freedesktop/xrdb
+++ b/apparmor.d/groups/freedesktop/xrdb
@ -38,6 +38,7 @@ profile xrdb @{exec_path} {
  owner @{user_share_dirs}/sddm/wayland-session.log w,

  owner /tmp/kcminit.* r,
+  owner /tmp/kded{5,6}.@{rand6} r,
  owner /tmp/plasma-apply-lookandfeel.* r,
  owner /tmp/runtime-*/xauth_@{rand6} r,
  owner /tmp/startplasma-x11.@{rand6} r,