diff --git a/apparmor.d/groups/kde/gmenudbusmenuproxy b/apparmor.d/groups/kde/gmenudbusmenuproxy index ba0df0b6..9ec064eb 100644 --- a/apparmor.d/groups/kde/gmenudbusmenuproxy +++ b/apparmor.d/groups/kde/gmenudbusmenuproxy @@ -15,6 +15,8 @@ profile gmenudbusmenuproxy @{exec_path} { include include + ptrace (read) peer=kded5, + @{exec_path} mr, /usr/share/hwdata/*.ids r, diff --git a/apparmor.d/groups/kde/kactivitymanagerd b/apparmor.d/groups/kde/kactivitymanagerd index e06fb987..905b8cc4 100644 --- a/apparmor.d/groups/kde/kactivitymanagerd +++ b/apparmor.d/groups/kde/kactivitymanagerd @@ -30,12 +30,12 @@ profile kactivitymanagerd @{exec_path} { owner @{user_cache_dirs}/ksycoca5_* r, - owner @{user_config_dirs}/kactivitymanagerdrc r, + owner @{user_config_dirs}/#@{int} rw, owner @{user_config_dirs}/kactivitymanagerdrc.lock rwk, + owner @{user_config_dirs}/kactivitymanagerdrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/kdedefaults/kdeglobals r, owner @{user_config_dirs}/kdeglobals r, - owner @{user_config_dirs}/menus/ r, - owner @{user_config_dirs}/menus/applications-merged/ r, + owner @{user_config_dirs}/menus/{,**} r, owner @{user_share_dirs}/kactivitymanagerd/{,**} rwlk, owner @{user_share_dirs}/kservices5/{,**} r, diff --git a/apparmor.d/groups/kde/kconf_update b/apparmor.d/groups/kde/kconf_update index ea3b18e8..d729f700 100644 --- a/apparmor.d/groups/kde/kconf_update +++ b/apparmor.d/groups/kde/kconf_update 
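Review bot: In the gmenudbusmenuproxy hunk, the new `ptrace (read) peer=kded5,` rule has no comment explaining why this process inspects kded5, and no matching rule on the kded5 side is visible in this commit. AppArmor checks ptrace on both ends, so an enforced kded5 profile also needs `ptrace (readby) peer=gmenudbusmenuproxy,`. The kded5 hunks only add an include whose name is not shown here, so it may or may not cover this. I would add a one-line comment above the rule recording the denial that prompted it, so the grant can be re-checked later. The profile body continues outside the hunk.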
@@ -17,28 +17,29 @@ profile kconf_update @{exec_path} { include include include + include @{exec_path} mr, @{bin}/{,ba,da}sh rix, - @{bin}/grep rix, + @{bin}/{,p}grep rix, @{bin}/python3.[0-9]* rix, @{bin}/qtpaths rix, @{bin}/sed rix, - @{lib}/kconf_update_bin/breeze* rix, - @{lib}/kconf_update_bin/konsole_show_menubar rix, - @{lib}/kconf_update_bin/krunnerglobalshortcuts rix, - @{lib}/kconf_update_bin/krunnerhistory rix, - @{lib}/kconf_update_bin/plasmashell-* rix, - /usr/share/kconf_update/kcminputrc_migrate_repeat_value.py rix, - /usr/share/kconf_update/konsole_add_hamburgermenu_to_toolbar.sh rix, + @{lib}/kconf_update_bin/* rix, + /usr/share/kconf_update/*.py rix, + /usr/share/kconf_update/*.sh rix, - /usr/share/kconf_update/{,**} r, /usr/share/icu/@{int}.@{int}/*.dat r, + /usr/share/kconf_update/{,**} r, + /usr/share/kglobalaccel/org.kde.krunner.desktop r, /etc/machine-id r, /etc/xdg/kdeglobals r, + /etc/xdg/konsolerc r, + + owner @{user_cache_dirs}/icon-cache.kcache rw, owner @{user_config_dirs}/#@{int} rw, owner @{user_config_dirs}/akregatorrc.lock rwk, @@ -79,6 +80,8 @@ profile kconf_update @{exec_path} { owner @{user_config_dirs}/plasmashellrc r, owner @{user_share_dirs}/#@{int} rw, + owner @{user_share_dirs}/krunnerstaterc.lock rwk, + owner @{user_share_dirs}/krunnerstaterc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, owner /tmp/#@{int} rw, owner /tmp/kconf_update.@{rand6}.lock rwk, diff --git a/apparmor.d/groups/kde/kded5 b/apparmor.d/groups/kde/kded5 index a3dcda46..2b7cce34 100644 --- a/apparmor.d/groups/kde/kded5 +++ b/apparmor.d/groups/kde/kded5 @@ -11,6 +11,7 @@ profile kded5 @{exec_path} { include include include + include include include include @@ -38,7 +39,7 @@ profile kded5 @{exec_path} { member=PropertiesChanged peer=(name=:*), - @{exec_path} mr, + @{exec_path} mrix, @{bin}/kcminit rPx, @{bin}/pgrep rCx -> pgrep, 
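Review bot: In the first kconf_update hunk, `@{lib}/kconf_update_bin/* rix`, `/usr/share/kconf_update/*.py rix` and `/usr/share/kconf_update/*.sh rix` replace an explicit list, so anything a package installs in those directories now runs with this profile's full rule set through `ix`. That is easier to maintain but gives up the allow-list; a comment such as `# any packaged update helper; directories are root-owned` would record the decision. Separately, `@{bin}/{,p}grep rix` runs pgrep inside this profile, while the kded5 context in this same commit shows `@{bin}/pgrep rCx -> pgrep,`. A child profile here too would keep whatever /proc access pgrep needs out of kconf_update, unless the newly added include (name not visible here) is meant to cover it.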
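Review bot: In the second kconf_update hunk (`-79,6 +80,8`), the link target of the new krunnerstaterc rule names the wrong directory: the file is under `@{user_share_dirs}` but the rule ends in `-> @{user_config_dirs}/#@{int}`. Every other rule of this shape in the commit links to the `#@{int}` temp file next to the file itself, and the context line just above is `owner @{user_share_dirs}/#@{int} rw,`. This looks like a copy-paste slip that would leave the link still denied. Suggested line: `owner @{user_share_dirs}/krunnerstaterc{,.@{rand6}} rwl -> @{user_share_dirs}/#@{int},`.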
@@ -76,7 +77,7 @@ profile kded5 @{exec_path} { owner @{user_config_dirs}/bluedevilglobalrc.lock rwk, owner @{user_config_dirs}/bluedevilglobalrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/gtk-{3,4}.0/{,**} rwl, - owner @{user_config_dirs}/gtk-{3,4}/settings.ini.lock rk, + owner @{user_config_dirs}/gtk-{3,4}.0/settings.ini.lock rk, owner @{user_config_dirs}/kcminputrc r, owner @{user_config_dirs}/kconf_updaterc rw, owner @{user_config_dirs}/kconf_updaterc.lock rwk, @@ -87,12 +88,12 @@ profile kded5 @{exec_path} { owner @{user_config_dirs}/kded5rc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/kdedefaults/{,**} r, owner @{user_config_dirs}/kdeglobals r, - owner @{user_config_dirs}/kwalletrc r, - owner @{user_config_dirs}/khotkeysrc{,.@{rand6}} rw, - owner @{user_config_dirs}/khotkeysrc.@{rand6} l -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/khotkeysrc.lock rwk, + owner @{user_config_dirs}/khotkeysrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/kioslaverc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, - owner @{user_config_dirs}/ktimezonedrc r, + owner @{user_config_dirs}/ktimezonedrc.lock rwk, + owner @{user_config_dirs}/ktimezonedrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, + owner @{user_config_dirs}/kwalletrc r, owner @{user_config_dirs}/kwinrc.lock rwk, owner @{user_config_dirs}/kwinrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/kxkbrc r, diff --git a/apparmor.d/groups/kde/kwin_wayland b/apparmor.d/groups/kde/kwin_wayland index e0af933b..e3187350 100644 --- a/apparmor.d/groups/kde/kwin_wayland +++ b/apparmor.d/groups/kde/kwin_wayland @@ -11,11 +11,12 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) { include include include + include + include + include include include - include include - include include include 
@@ -61,12 +62,10 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) { owner /var/lib/sddm/.config/#@{int} rw, owner /var/lib/sddm/.config/kdeglobals r, - owner /var/lib/sddm/.config/kglobalshortcutsrc rw, owner /var/lib/sddm/.config/kglobalshortcutsrc.lock rwk, - owner /var/lib/sddm/.config/kglobalshortcutsrc.@{rand6} rwl -> /var/lib/sddm/.config/#@{int}, - owner /var/lib/sddm/.config/kwinrc rw, + owner /var/lib/sddm/.config/kglobalshortcutsrc{,.@{rand6}} rwl -> /var/lib/sddm/.config/#@{int}, owner /var/lib/sddm/.config/kwinrc.lock rwk, - owner /var/lib/sddm/.config/kwinrc.@{rand6} rwl -> /var/lib/sddm/.config/#@{int}, + owner /var/lib/sddm/.config/kwinrc{,.@{rand6}} rwl -> /var/lib/sddm/.config/#@{int}, owner @{user_cache_dirs}/{,plasma-svgelements} r, owner @{user_cache_dirs}/icon-cache.kcache rw, @@ -81,8 +80,7 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) { owner @{user_config_dirs}/kglobalshortcutsrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/kglobalshortcutsrc.lock rwk, owner @{user_config_dirs}/kscreenlockerrc r, - owner @{user_config_dirs}/kwinrc rw, - owner @{user_config_dirs}/kwinrc.@{rand6} rwl -> @{user_config_dirs}/#@{int}, + owner @{user_config_dirs}/kwinrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/kwinrc.lock rwk, owner @{user_config_dirs}/kwinrulesrc r, owner @{user_config_dirs}/kxkbrc r, 
@@ -98,17 +96,16 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) { @{run}/udev/data/+acpi:* r, # for ACPI @{run}/udev/data/+dmi* r, # for ? - @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad - @{run}/udev/data/+platform:* r, # for ? - - @{run}/udev/data/c13:@{int} r, # for /dev/input/* - @{run}/udev/data/c226:@{int} r, # for /dev/dri/card* - @{run}/udev/data/+hid:* r, # for HID subsystem + @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad @{run}/udev/data/+pci:* r, + @{run}/udev/data/+platform:* r, # for ? @{run}/udev/data/+sound:card@{int} r, @{run}/udev/data/+usb:* r, + + @{run}/udev/data/c13:@{int} r, # for /dev/input/* @{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/** + @{run}/udev/data/c226:@{int} r, # for /dev/dri/card* @{PROC}/sys/kernel/random/boot_id r, diff --git a/apparmor.d/groups/kde/plasmashell b/apparmor.d/groups/kde/plasmashell index e34c357a..b72c03d7 100644 --- a/apparmor.d/groups/kde/plasmashell +++ b/apparmor.d/groups/kde/plasmashell @@ -56,9 +56,9 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { @{lib}/kf5/kioslave5 rPx, @{lib}/kf5/kdesu{,d} rix, @{bin}/dolphin rPUx, # TODO: rPx, - @{bin}/ksysguardd rix, + @{bin}/ksysguardd rix, @{bin}/plasma-discover rPUx, - @{bin}/xrdb rPx, + @{bin}/xrdb rPx, /usr/share/akonadi/firstrun/{,*} r, /usr/share/akonadi/plugins/serializer/{,*.desktop} r, @@ -72,9 +72,11 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { /usr/share/kservices5/{,**} r, /usr/share/kservicetypes5/{,**} r, /usr/share/lshw/artwork/logo.svg r, + /usr/share/metainfo/{,**} r, /usr/share/mime/{,**} r, /usr/share/plasma/{,**} r, /usr/share/solid/actions/{,**} r, + /usr/share/swcatalog/{,**} r, /usr/share/templates/{,*.desktop} r, /usr/share/wallpapers/{,**} r, 
@@ -96,16 +98,19 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { owner @{user_cache_dirs}/ r, owner @{user_cache_dirs}/#@{int} rwk, + owner @{user_cache_dirs}/appstream/ rw, + owner @{user_cache_dirs}/appstream/*.xb rw, + owner @{user_cache_dirs}/bookmarksrunner/ rw, + owner @{user_cache_dirs}/bookmarksrunner/** rwkl -> @{user_cache_dirs}/bookmarksrunner/#@{int}, owner @{user_cache_dirs}/event-sound-cache.tdb.@{md5}.x86_64-pc-linux-gnu rwk, owner @{user_cache_dirs}/icon-cache.kcache rw, owner @{user_cache_dirs}/ksycoca5_* rwlk -> @{user_cache_dirs}/#@{int}, owner @{user_cache_dirs}/org.kde.dirmodel-qml.kcache rw, owner @{user_cache_dirs}/plasma_theme_*.kcache rw, - owner @{user_cache_dirs}/plasma-svgelements{,.@{rand6}} rwlk -> @{user_cache_dirs}/#@{int}, owner @{user_cache_dirs}/plasma-svgelements.lock rwk, - owner @{user_cache_dirs}/plasmashell/qmlcache/{,**} rwl, - owner @{user_cache_dirs}/bookmarksrunner/ rw, - owner @{user_cache_dirs}/bookmarksrunner/** rwkl -> @{user_cache_dirs}/bookmarksrunner/#@{int}, + owner @{user_cache_dirs}/plasma-svgelements{,.@{rand6}} rwlk -> @{user_cache_dirs}/#@{int}, + owner @{user_cache_dirs}/plasmashell/ rw, + owner @{user_cache_dirs}/plasmashell/** rwkl -> @{user_cache_dirs}/plasmashell/**, owner @{user_config_dirs}/{KDE,kde.org}/ rw, owner @{user_config_dirs}/{KDE,kde.org}/** rwkl -> @{user_config_dirs}/{KDE,kde.org}/#@{int}, 
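Review bot: The new `owner @{user_cache_dirs}/plasmashell/** rwkl -> @{user_cache_dirs}/plasmashell/**,` rule is much wider than the `plasmashell/qmlcache/{,**} rwl` line it replaces. Write, lock and link now cover the whole cache subtree, and the link target can be any path in it. The bookmarksrunner rule in the same hunk restricts its target to `#@{int}`. If the observed denials were all temp-file links, something like `owner @{user_cache_dirs}/plasmashell/** rwkl -> @{user_cache_dirs}/plasmashell/{,**/}#@{int},` would stay closer to what was seen. If the broad form is intended, a short comment naming the subdirectories from the logs would help later review.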
@@ -113,21 +118,19 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { owner @{user_config_dirs}/#@{int} rwk, owner @{user_config_dirs}/akonadi* r, owner @{user_config_dirs}/akonadi/akonadi*rc r, - owner @{user_config_dirs}/baloofilerc r, owner @{user_config_dirs}/baloofileinformationrc r, + owner @{user_config_dirs}/baloofilerc r, owner @{user_config_dirs}/dolphinrc r, owner @{user_config_dirs}/eventviewsrc r, - owner @{user_config_dirs}/kactivitymanagerd-statsrc r, - owner @{user_config_dirs}/kactivitymanagerd-switcher rw, - owner @{user_config_dirs}/kactivitymanagerd-switcher.lock rwk, - owner @{user_config_dirs}/kactivitymanagerd-switcher.* rwl, + owner @{user_config_dirs}/kactivitymanagerd-*.lock rwk, + owner @{user_config_dirs}/kactivitymanagerd-*{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, + owner @{user_config_dirs}/kcookiejarrc r, owner @{user_config_dirs}/kdedefaults/* r, owner @{user_config_dirs}/kdeglobals r, owner @{user_config_dirs}/kdiff3fileitemactionrc r, owner @{user_config_dirs}/kioslaverc r, owner @{user_config_dirs}/klipperrc r, owner @{user_config_dirs}/kmail2.notifyrc r, - owner @{user_config_dirs}/kcookiejarrc r, owner @{user_config_dirs}/korganizerrc r, owner @{user_config_dirs}/krunnerrc r, owner @{user_config_dirs}/ksmserverrc r, @@ -154,7 +157,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { owner @{user_share_dirs}/ktp/cache.db rwk, owner @{user_share_dirs}/plasma_icons/*.desktop r, owner @{user_share_dirs}/plasma/plasmoids/{,**} r, - owner @{user_share_dirs}/user-places.xbel r, + owner @{user_share_dirs}/user-places.xbel{,*} rwl -> @{user_share_dirs}/#@{int}, owner /tmp/#@{int} rw, diff --git a/apparmor.d/groups/kde/startplasma b/apparmor.d/groups/kde/startplasma index 402753bb..2c470747 100644 --- a/apparmor.d/groups/kde/startplasma +++ b/apparmor.d/groups/kde/startplasma 
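Review bot: In the `-113,21 +118,19` plasmashell hunk, the glob `kactivitymanagerd-*{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},` also matches `kactivitymanagerd-statsrc`, which the removed lines granted read-only. Unless plasmashell was actually seen writing statsrc, keeping the two files separate preserves the old scope: `owner @{user_config_dirs}/kactivitymanagerd-statsrc r,` and `owner @{user_config_dirs}/kactivitymanagerd-switcher{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},`. The same reasoning applies to `kactivitymanagerd-*.lock rwk`, which could stay `kactivitymanagerd-switcher.lock rwk`.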
@@ -41,7 +41,7 @@ profile startplasma @{exec_path} { owner @{user_cache_dirs}/ rw, owner @{user_cache_dirs}/#@{int} rw, owner @{user_cache_dirs}/kcrash-metadata/ rw, - owner @{user_cache_dirs}/ksycoca5* rwkl -> @{user_cache_dirs}/#@{int}, + owner @{user_cache_dirs}/ksycoca5_* rwkl -> @{user_cache_dirs}/#@{int}, owner @{user_cache_dirs}/plasma-svgelements rw, owner @{user_config_dirs}/#@{int} rw, @@ -50,7 +50,8 @@ profile startplasma @{exec_path} { owner @{user_config_dirs}/kcminputrc r, owner @{user_config_dirs}/kdedefaults/ rw, owner @{user_config_dirs}/kdedefaults/** rwkl -> @{user_config_dirs}/kdedefaults/**, - owner @{user_config_dirs}/kdeglobals* rwl, + owner @{user_config_dirs}/kdeglobals.lock rwk, + owner @{user_config_dirs}/kdeglobals{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/ksplashrc r, owner @{user_config_dirs}/kwinkdeglobalsrc.lock rwk, owner @{user_config_dirs}/menus/{,**.menu} r, @@ -60,13 +61,13 @@ profile startplasma @{exec_path} { owner @{user_config_dirs}/startkderc r, owner @{user_config_dirs}/Trolltech.conf rwl, owner @{user_config_dirs}/Trolltech.conf.lock rwk, - owner @{user_share_dirs}/kservices5/{,**} r, - owner @{user_share_dirs}/sddm/xorg-session.log rw, + owner @{user_share_dirs}/kservices5/{,**} r, owner @{user_share_dirs}/sddm/wayland-session.log rw, + owner @{user_share_dirs}/sddm/xorg-session.log rw, owner /tmp/#@{int} rw, - owner /tmp/startplasma-x11.@{rand6} rwl, + owner /tmp/startplasma-{x11,wayland}.@{rand6} rwl -> /tmp/#@{int}, owner @{run}/user/@{uid}/ r, @{run}/user/@{uid}/xauth_@{rand6} rl,