154 lines
5.1 KiB
Text
154 lines
5.1 KiB
Text
# apparmor.d - Full set of apparmor profiles
|
|
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
|
|
# SPDX-License-Identifier: GPL-2.0-only
|
|
|
|
abi <abi/3.0>,
|
|
|
|
include <tunables/global>
|
|
|
|
@{exec_path} = @{bin}/kded5
|
|
profile kded5 @{exec_path} {
|
|
include <abstractions/base>
|
|
include <abstractions/audio>
|
|
include <abstractions/bus-system>
|
|
include <abstractions/bus/org.bluez>
|
|
include <abstractions/consoles>
|
|
include <abstractions/dconf-write>
|
|
include <abstractions/graphics>
|
|
include <abstractions/gtk>
|
|
include <abstractions/kde-strict>
|
|
include <abstractions/nameservice-strict>
|
|
include <abstractions/wutmp>
|
|
|
|
network inet dgram,
|
|
network inet6 dgram,
|
|
network netlink raw,
|
|
network netlink dgram,
|
|
|
|
ptrace (read),
|
|
|
|
signal (send) set=hup peer=xsettingsd,
|
|
|
|
@{exec_path} mrix,
|
|
|
|
@{bin}/kcminit rPx,
|
|
@{bin}/pgrep rCx -> pgrep,
|
|
@{bin}/setxkbmap rix,
|
|
@{bin}/xrdb rPx,
|
|
@{bin}/xsettingsd rPx,
|
|
@{lib}/drkonqi rPx,
|
|
@{lib}/kf5/kconf_update rPx,
|
|
@{lib}/utempter/utempter rPx,
|
|
|
|
/usr/share/kconf_update/ r,
|
|
/usr/share/kded5/{,**} r,
|
|
/usr/share/kf5/kcookiejar/* r,
|
|
/usr/share/khotkeys/{,**} r,
|
|
/usr/share/knotifications5/{,**} r,
|
|
/usr/share/kservices5/{,**} r,
|
|
/usr/share/kservicetypes5/{,**} r,
|
|
|
|
/etc/fstab r,
|
|
/etc/machine-id r,
|
|
/etc/xdg/accept-languages.codes r,
|
|
/etc/xdg/kcminputrc r,
|
|
/etc/xdg/kde* r,
|
|
/etc/xdg/kioslaverc r,
|
|
/etc/xdg/menus/{,**} r,
|
|
|
|
owner @{HOME}/.gtkrc-2.0 rw,
|
|
|
|
@{user_cache_dirs}/ksycoca5_* rwlk -> @{user_cache_dirs}/#@{int},
|
|
owner @{user_cache_dirs}/#@{int} rw,
|
|
owner @{user_cache_dirs}/icon-cache.kcache rw,
|
|
owner @{user_cache_dirs}/plasmashell/ rw,
|
|
owner @{user_cache_dirs}/plasmashell/** rwlk -> @{user_cache_dirs}/plasmashell/**,
|
|
|
|
@{user_config_dirs}/kcookiejarrc.lock rwk,
|
|
@{user_config_dirs}/kcookiejarrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
|
|
owner @{user_config_dirs}/#@{int} rw,
|
|
owner @{user_config_dirs}/bluedevilglobalrc.lock rwk,
|
|
owner @{user_config_dirs}/bluedevilglobalrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
|
|
owner @{user_config_dirs}/gtk-{3,4}.0/{,**} rwl,
|
|
owner @{user_config_dirs}/gtk-{3,4}.0/settings.ini.lock rk,
|
|
owner @{user_config_dirs}/kcminputrc r,
|
|
owner @{user_config_dirs}/kconf_updaterc rw,
|
|
owner @{user_config_dirs}/kconf_updaterc.lock rwk,
|
|
owner @{user_config_dirs}/kdebugrc r,
|
|
owner @{user_config_dirs}/kded5rc.lock rwk,
|
|
owner @{user_config_dirs}/kded5rc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
|
|
owner @{user_config_dirs}/kdedefaults/{,**} r,
|
|
owner @{user_config_dirs}/khotkeysrc.lock rwk,
|
|
owner @{user_config_dirs}/khotkeysrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
|
|
owner @{user_config_dirs}/kioslaverc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
|
|
owner @{user_config_dirs}/ktimezonedrc.lock rwk,
|
|
owner @{user_config_dirs}/ktimezonedrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
|
|
owner @{user_config_dirs}/kwalletrc r,
|
|
owner @{user_config_dirs}/kwinrc.lock rwk,
|
|
owner @{user_config_dirs}/kwinrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
|
|
owner @{user_config_dirs}/kxkbrc r,
|
|
owner @{user_config_dirs}/libaccounts-glib/ rw,
|
|
owner @{user_config_dirs}/libaccounts-glib/accounts.db{,-shm,-wal,-journal} rwk,
|
|
owner @{user_config_dirs}/menus/{,**} r,
|
|
owner @{user_config_dirs}/plasma-nm r,
|
|
owner @{user_config_dirs}/touchpadrc r,
|
|
owner @{user_config_dirs}/xsettingsd/{,**} rw,
|
|
|
|
@{user_share_dirs}/kcookiejar/cookies{,.@{rand6}} rwkl -> @{user_share_dirs}/kcookiejar/#@{int},
|
|
owner @{user_share_dirs}/icc/{,edid-*} r,
|
|
owner @{user_share_dirs}/kcookiejar/#@{int} rw,
|
|
owner @{user_share_dirs}/kcookiejar/cookies.lock rwk,
|
|
owner @{user_share_dirs}/kded5/{,**} rw,
|
|
owner @{user_share_dirs}/kscreen/{,**} rwl,
|
|
owner @{user_share_dirs}/kservices5/{,**} r,
|
|
owner @{user_share_dirs}/ktp/cache.db rwk,
|
|
owner @{user_share_dirs}/remoteview/ r,
|
|
owner @{user_share_dirs}/services5/{,**} r,
|
|
|
|
@{run}/mount/utab r,
|
|
@{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/**
|
|
@{run}/user/@{uid}/gvfs/ r,
|
|
owner @{run}/user/@{uid}/#@{int} rw,
|
|
owner @{run}/user/@{uid}/kded5*kioworker.socket rwl,
|
|
|
|
owner /tmp/plasma-csd-generator.@{rand6}/{,**} rw,
|
|
|
|
@{PROC}/@{pids}/cmdline/ r,
|
|
@{PROC}/@{pids}/fd/ r,
|
|
@{PROC}/@{pids}/fd/info/@{int} r,
|
|
@{PROC}/sys/fs/inotify/max_user_{instances,watches} r,
|
|
@{PROC}/sys/kernel/core_pattern r,
|
|
@{PROC}/sys/kernel/random/boot_id r,
|
|
owner @{PROC}/@{pid}/mountinfo r,
|
|
owner @{PROC}/@{pid}/mounts r,
|
|
|
|
/dev/disk/by-label/ r,
|
|
/dev/ptmx rw,
|
|
/dev/rfkill r,
|
|
|
|
profile pgrep {
|
|
include <abstractions/base>
|
|
include <abstractions/consoles>
|
|
|
|
capability sys_ptrace,
|
|
|
|
ptrace (read),
|
|
|
|
@{bin}/pgrep mr,
|
|
|
|
@{sys}/devices/system/node/ r,
|
|
@{sys}/devices/system/node/node@{int}/meminfo r,
|
|
|
|
@{PROC}/ r,
|
|
@{PROC}/@{pids}/cgroup r,
|
|
@{PROC}/@{pids}/cmdline r,
|
|
@{PROC}/@{pids}/stat r,
|
|
@{PROC}/sys/kernel/osrelease r,
|
|
@{PROC}/tty/drivers r,
|
|
@{PROC}/uptime r,
|
|
|
|
include if exists <local/kded5_pgrep>
|
|
}
|
|
|
|
include if exists <local/kded5>
|
|
}
|