212 lines
7.2 KiB
Text
212 lines
7.2 KiB
Text
# apparmor.d - Full set of apparmor profiles
|
|
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
|
|
# SPDX-License-Identifier: GPL-2.0-only
|
|
|
|
abi <abi/4.0>,
|
|
|
|
include <tunables/global>
|
|
|
|
@{exec_path} = @{bin}/kded5 @{bin}/kded6
|
|
profile kded @{exec_path} {
|
|
include <abstractions/base>
|
|
include <abstractions/apt> #aa:only apt
|
|
include <abstractions/audio-client>
|
|
include <abstractions/bus-accessibility>
|
|
include <abstractions/bus-session>
|
|
include <abstractions/bus-system>
|
|
include <abstractions/bus/org.a11y>
|
|
include <abstractions/bus/org.bluez>
|
|
include <abstractions/bus/org.freedesktop.ModemManager1>
|
|
include <abstractions/bus/org.freedesktop.PolicyKit1>
|
|
include <abstractions/bus/org.freedesktop.UDisks2>
|
|
include <abstractions/consoles>
|
|
include <abstractions/dconf-write>
|
|
include <abstractions/devices-usb>
|
|
include <abstractions/graphics>
|
|
include <abstractions/kde-globals-write>
|
|
include <abstractions/kde-strict>
|
|
include <abstractions/nameservice-strict>
|
|
include <abstractions/ssl_certs>
|
|
include <abstractions/wutmp>
|
|
|
|
capability sys_ptrace,
|
|
|
|
network inet dgram,
|
|
network inet stream,
|
|
network inet6 dgram,
|
|
network inet6 stream,
|
|
network netlink dgram,
|
|
network netlink raw,
|
|
|
|
ptrace read,
|
|
|
|
signal send set=hup peer=xsettingsd,
|
|
signal send set=term peer=kioworker,
|
|
|
|
# Owned by KDE
|
|
|
|
#aa:dbus own bus=system name=com.redhat.NewPrinterNotification
|
|
|
|
#aa:dbus own bus=session name=org.gtk.Settings
|
|
#aa:dbus own bus=session name=org.kde.DistroReleaseNotifier
|
|
#aa:dbus own bus=session name=org.kde.GtkConfig
|
|
#aa:dbus own bus=session name=org.kde.kappmenu
|
|
#aa:dbus own bus=session name=org.kde.kcookiejar5
|
|
#aa:dbus own bus=session name=org.kde.kded5
|
|
#aa:dbus own bus=session name=org.kde.keyboard
|
|
#aa:dbus own bus=session name=org.kde.KeyboardLayouts
|
|
#aa:dbus own bus=session name=org.kde.plasmanetworkmanagement
|
|
#aa:dbus own bus=session name=org.kde.plasmashell.accentColor
|
|
#aa:dbus own bus=session name=org.kde.StatusNotifierWatcher
|
|
#aa:dbus own bus=session name=org.kde.Wacom
|
|
#aa:dbus own bus=session name=org.kubuntu.NotificationHelper
|
|
#aa:dbus own bus=session name=org.kubuntu.restrictedInstall
|
|
|
|
# Talk with KDE
|
|
|
|
#aa:dbus talk bus=system name=org.freedesktop.NetworkManager label=NetworkManager
|
|
#aa:dbus talk bus=system name=org.freedesktop.bolt label=boltd
|
|
|
|
#aa:dbus talk bus=session name=org.kde.NightColor path=/ColorCorrect label="{kwin_wayland,kwin_x11}"
|
|
#aa:dbus talk bus=session name=org.kde.KGlobalAccel path=/ label="{kglobalacceld,kwin_wayland}"
|
|
|
|
dbus receive bus=system path=/
|
|
interface=org.kde.kf5auth
|
|
member=remoteSignal
|
|
peer=(name=@{busname}, label=kauth-kded-smart-helper),
|
|
|
|
dbus send bus=system path=/
|
|
interface=org.kde.kf5auth
|
|
member=performAction
|
|
peer=(name="{@{busname},org.kde.kded.smart}", label=kauth-kded-smart-helper),
|
|
|
|
@{exec_path} mrix,
|
|
|
|
@{python_path} rix,
|
|
@{bin}/dpkg rPx -> child-dpkg,
|
|
@{bin}/flatpak rPx,
|
|
@{bin}/kcminit rPx,
|
|
@{bin}/lsb_release rPx,
|
|
@{bin}/pgrep rCx -> pgrep,
|
|
@{bin}/plasma-welcome rPUx,
|
|
@{bin}/setxkbmap rix,
|
|
@{bin}/xmodmap rPUx,
|
|
@{bin}/xrdb rPx,
|
|
@{bin}/xsetroot rPx,
|
|
@{bin}/xsettingsd rPx,
|
|
@{lib}/drkonqi rPx,
|
|
|
|
@{lib}/{,@{multiarch}/}utempter/utempter rPx,
|
|
#aa:exec kconf_update
|
|
|
|
/usr/share/color-schemes/{,**} r,
|
|
/usr/share/distro-info/{,**} r,
|
|
/usr/share/distro-release-notifier/{,**} r,
|
|
/usr/share/kconf_update/ r,
|
|
/usr/share/kded{5,6}/{,**} r,
|
|
/usr/share/kf{5,6}/kcookiejar/* r,
|
|
/usr/share/khotkeys/{,**} r,
|
|
/usr/share/kservices{5,6}/{,**} r,
|
|
/usr/share/kservicetypes5/{,**} r,
|
|
/usr/share/ubuntu-release-upgrader/{,*} r,
|
|
|
|
/etc/fstab r,
|
|
/etc/xdg/accept-languages.codes r,
|
|
/etc/xdg/kde* r,
|
|
/etc/xdg/kioslaverc r,
|
|
/etc/xdg/menus/{,**} r,
|
|
/etc/update-manager/{,**} r,
|
|
|
|
/etc/machine-id r,
|
|
/var/lib/dbus/machine-id r,
|
|
|
|
/ r,
|
|
@{efi}/ r,
|
|
|
|
owner /var/lib/update-manager/meta-release-lts rw,
|
|
|
|
owner @{HOME}/ r,
|
|
owner @{HOME}/.gtkrc-2.0 rw,
|
|
|
|
owner @{HOME}/.var/ w,
|
|
owner @{HOME}/.var/app/ w,
|
|
owner @{HOME}/.var/app/org.mozilla.firefox/**/ w,
|
|
owner @{HOME}/.var/app/org.mozilla.firefox/.mozilla/native-messaging-hosts/org.kde.plasma.browser_integration.json w,
|
|
owner @{HOME}/.var/app/org.mozilla.firefox/plasma-browser-integration-host w,
|
|
|
|
@{user_cache_dirs}/ksycoca{5,6}_* rwlk -> @{user_cache_dirs}/#@{int},
|
|
owner @{user_cache_dirs}/plasmashell/ rw,
|
|
owner @{user_cache_dirs}/plasmashell/** rwlk -> @{user_cache_dirs}/plasmashell/**,
|
|
owner @{user_cache_dirs}/update-manager-core/meta-release-lts rw,
|
|
|
|
@{user_config_dirs}/kcookiejarrc.lock rwk,
|
|
@{user_config_dirs}/kcookiejarrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
|
|
owner @{user_config_dirs}/*rc rwl -> @{user_config_dirs}/#@{int},
|
|
owner @{user_config_dirs}/*rc.@{rand6} rwl -> @{user_config_dirs}/#@{int},
|
|
owner @{user_config_dirs}/*rc.lock rwk,
|
|
owner @{user_config_dirs}/gtk-{3,4}.0/{,**} rwl,
|
|
owner @{user_config_dirs}/gtk-{3,4}.0/settings.ini.lock rk,
|
|
owner @{user_config_dirs}/kdedefaults/{,**} r,
|
|
owner @{user_config_dirs}/libaccounts-glib/ rw,
|
|
owner @{user_config_dirs}/libaccounts-glib/accounts.db{,-shm,-wal,-journal} rwk,
|
|
owner @{user_config_dirs}/menus/{,**} r,
|
|
owner @{user_config_dirs}/plasma* r,
|
|
owner @{user_config_dirs}/Trolltech.conf.lock rwk,
|
|
owner @{user_config_dirs}/Trolltech.conf{,.@{rand6}} rwl,
|
|
owner @{user_config_dirs}/xsettingsd/{,**} rw,
|
|
|
|
owner @{user_share_dirs}/icc/{,edid-*} r,
|
|
owner @{user_share_dirs}/kcookiejar/#@{int} rw,
|
|
owner @{user_share_dirs}/kcookiejar/cookies.lock rwk,
|
|
owner @{user_share_dirs}/kcookiejar/cookies{,.@{rand6}} rwkl -> @{user_share_dirs}/kcookiejar/#@{int},
|
|
owner @{user_share_dirs}/kded{5,6}/{,**} rw,
|
|
owner @{user_share_dirs}/kscreen/{,**} rwl,
|
|
owner @{user_share_dirs}/kservices{5,6}/{,**} r,
|
|
owner @{user_share_dirs}/ktp/cache.db rwk,
|
|
owner @{user_share_dirs}/remoteview/ r,
|
|
owner @{user_share_dirs}/services5/{,**} r,
|
|
owner @{user_share_dirs}/user-places.xbel r,
|
|
|
|
owner @{user_state_dirs}/#@{int} rw,
|
|
owner @{user_state_dirs}/plasmashellstaterc{,*} rwlk -> @{user_state_dirs}/#@{int},
|
|
|
|
@{run}/mount/utab r,
|
|
@{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/**
|
|
@{run}/user/@{uid}/gvfs/ r,
|
|
owner @{run}/user/@{uid}/#@{int} rw,
|
|
owner @{run}/user/@{uid}/kded{5,6}*kioworker.socket rwl,
|
|
|
|
owner @{tmp}/#@{int} rw,
|
|
owner @{tmp}/kded6.@{rand6} rwl -> /tmp/#@{int},
|
|
owner @{tmp}/plasma-csd-generator.@{rand6}/{,**} rw,
|
|
|
|
@{sys}/class/leds/ r,
|
|
|
|
@{run}/udev/data/b8:@{int} r, # for /dev/sd*
|
|
@{run}/udev/data/b259:@{int} r, # Block Extended Major
|
|
|
|
@{PROC}/ r,
|
|
@{PROC}/@{pids}/cmdline/ r,
|
|
@{PROC}/@{pids}/fd/ r,
|
|
@{PROC}/@{pids}/fdinfo/@{int} r,
|
|
@{PROC}/@{pids}/fd/info/@{int} r,
|
|
@{PROC}/sys/fs/inotify/max_user_{instances,watches} r,
|
|
owner @{PROC}/@{pid}/cmdline r,
|
|
owner @{PROC}/@{pid}/mountinfo r,
|
|
owner @{PROC}/@{pid}/mounts r,
|
|
|
|
/dev/disk/by-label/ r,
|
|
/dev/ptmx rw,
|
|
/dev/rfkill rw,
|
|
|
|
profile pgrep {
|
|
include <abstractions/base>
|
|
include <abstractions/app/pgrep>
|
|
|
|
include if exists <local/kded_pgrep>
|
|
}
|
|
|
|
include if exists <local/kded>
|
|
}
|
|
|
|
# vim:syntax=apparmor
|