feat(kde): add initial version for more kde profles.

apparmor.d/groups/kde/gmenudbusmenuproxy

@@ -0,0 +1,27 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /{usr/,}bin/gmenudbusmenuproxy
+profile gmenudbusmenuproxy @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/gtk>
+  include <abstractions/nameservice-strict>
+  include <abstractions/X-strict>
+
+  @{exec_path} mr,
+
+  /usr/share/hwdata/*.ids r,
+
+  /etc/machine-id r,
+
+  owner @{HOME}/.gtkrc-2.0 rw,
+
+  @{PROC}/sys/kernel/random/boot_id r,
+
+  include if exists <local/gmenudbusmenuproxy>
+}

apparmor.d/groups/kde/kactivitymanagerd

@@ -0,0 +1,30 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /{usr/,}lib/kactivitymanagerd
+profile kactivitymanagerd @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/X-strict>
+
+  @{exec_path} mr,
+
+  /usr/share/hwdata/*.ids r,
+  /usr/share/qt/translations/*.qm r,
+
+  owner @{user_config_dirs}/kdedefaults/kdeglobals r,
+  owner @{user_config_dirs}/kdeglobals r,
+  owner @{user_config_dirs}/kactivitymanagerdrc r,
+
+  owner @{user_share_dirs}/kactivitymanagerd/{,**} rwl,
+
+  @{PROC}/sys/kernel/core_pattern r,
+
+  /dev/tty r,
+
+  include if exists <local/kactivitymanagerd>
+}

apparmor.d/groups/kde/kauth-kinfocenter-dmidecode-helper

@@ -0,0 +1,18 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{libexec}/kauth/kinfocenter-dmidecode-helper
+profile kauth-kinfocenter-dmidecode-helper @{exec_path} {
+  include <abstractions/base>
+
+  @{exec_path} mr,
+
+  /{usr/,}{s,}bin/dmidecode  rPx,
+
+  include if exists <local/kauth-kinfocenter-dmidecode-helper>
+}

apparmor.d/groups/kde/kconf_update

@@ -0,0 +1,22 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{libexec}/kf5/kconf_update
+profile kconf_update @{exec_path} {
+  include <abstractions/base>
+
+  @{exec_path} mr,
+
+  /usr/share/kconf_update/{,**} r,
+
+  owner @{user_config_dirs}/kconf_updaterc r,
+  owner @{user_config_dirs}/kdedefaults/kdeglobals r,
+  owner @{user_config_dirs}/kdeglobals r,
+
+  include if exists <local/kconf_update>
+}

apparmor.d/groups/kde/kglobalaccel5

@@ -0,0 +1,34 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /{usr/,}bin/kglobalaccel5
+profile kglobalaccel5 @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/freedesktop.org>
+  include <abstractions/X-strict>
+
+  @{exec_path} mr,
+
+  /usr/share/hwdata/*.ids r,
+  /usr/share/kglobalaccel/{,**} r,
+  /usr/share/qt/translations/*.qm r,
+  /usr/share/mime/{,**} r,
+
+  /etc/machine-id r,
+
+  owner @{user_config_dirs}/kglobalshortcutsrc* rwl,
+  owner @{user_config_dirs}/kglobalshortcutsrc.lock rwk,
+  owner @{user_config_dirs}/#[0-9]* rw,
+
+  @{PROC}/sys/kernel/random/boot_id r,
+  @{PROC}/sys/kernel/core_pattern r,
+
+  /dev/tty r,
+
+  include if exists <local/kglobalaccel5>
+}

apparmor.d/groups/kde/plasma-discover

@@ -0,0 +1,30 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /{usr/,}bin/plasma-discover
+profile plasma-discover @{exec_path} {
+  include <abstractions/base>
+
+  @{exec_path} mr,
+
+  /{usr/,}lib/kf5/kioslave5               rPUx, # TODO: rPx,
+  /{usr/,}lib/kf5/kio_http_cache_cleaner  rPUx, # TODO: rPx,
+
+  /etc/machine-id r,
+
+  /var/tmp/flatpak-cache-*/ rw,
+  /var/tmp/flatpak-cache-*/** rwkl,
+  /var/tmp/#[0-9]* rw,
+
+  owner @{user_config_dirs}/kde.org/{,**} rwlk,
+  owner @{user_config_dirs}/discoverrc rwl,
+  owner @{user_config_dirs}/#[0-9]* rwl,
+  owner @{user_config_dirs}/discoverrc.lock rwk,
+
+  include if exists <local/plasma-discover>
+}

apparmor.d/groups/kde/plasmashell

@@ -0,0 +1,88 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /{usr/,}bin/plasmashell
+profile plasmashell @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/app-launcher-user>
+  include <abstractions/disks-read>
+  include <abstractions/dri-common>
+  include <abstractions/fonts>
+  include <abstractions/freedesktop.org>
+  include <abstractions/mesa>
+  include <abstractions/nameservice-strict>
+  include <abstractions/qt5-shader-cache>
+  include <abstractions/X-strict>
+
+  network inet stream,
+  network inet6 stream,
+  network netlink raw,
+
+  signal (send),
+
+  @{exec_path} mr,
+
+  /{usr/,}bin/plasma-discover  rPx,
+  /{usr/,}lib/kf5/kioslave5    rPUx, # TODO: rPx,
+  /{usr/,}bin/dolphin          rPUx, # TODO: rPx,
+
+  /usr/share/hwdata/*.ids r,
+  /usr/share/kservices5/{,**} r,
+  /usr/share/kservicetypes5/{,**} r,
+  /usr/share/plasma/{,**} r,
+  /usr/share/qt/translations/*.qm r,
+  /usr/share/solid/actions/{,**} r,
+  /usr/share/wallpapers/{,**} r,
+  /usr/share/krunner/{,**} r,
+  /usr/share/konsole/ r,
+  /usr/share/akonadi/firstrun/{,*} r,
+
+  /etc/appstream.conf r,
+  /etc/xdg/taskmanagerrulesrc r,
+  /etc/xdg/menus/ r,
+  /etc/machine-id r,
+  /etc/fstab r,
+
+  owner @{user_templates_dirs}/ r,
+
+  owner @{user_cache_dirs}/#[0-9]* rw,
+  owner @{user_cache_dirs}/icon-cache.kcache rw,
+  owner @{user_cache_dirs}/ksycoca5_* r,
+  owner @{user_cache_dirs}/plasma-svgelements* rwl,
+  owner @{user_cache_dirs}/plasmashell/qmlcache/{,**} rwl,
+
+  owner @{user_config_dirs}/*kde*.desktop* r,
+  owner @{user_config_dirs}/#[0-9]* rw,
+  owner @{user_config_dirs}/baloofilerc r,
+  owner @{user_config_dirs}/dolphinrc r,
+  owner @{user_config_dirs}/kde.org/{,**} rwlk,
+  owner @{user_config_dirs}/KDE/{,**} r,
+  owner @{user_config_dirs}/kdedefaults/kdeglobals r,
+  owner @{user_config_dirs}/kdedefaults/kwinrc r,
+  owner @{user_config_dirs}/kdedefaults/plasmarc r,
+  owner @{user_config_dirs}/kdeglobals r,
+  owner @{user_config_dirs}/ksmserverrc r,
+  owner @{user_config_dirs}/kwinrc r,
+  owner @{user_config_dirs}/plasma*desktop* rwlk,
+  owner @{user_config_dirs}/plasmashellrc r,
+
+  owner @{user_share_dirs}/#[0-9]* rw,
+  owner @{user_share_dirs}/akonadi/search_db/{,**} r,
+  owner @{user_share_dirs}/klipper/{,*} rwl,
+  owner @{user_share_dirs}/krunnerstaterc.lock rwk,
+  owner @{user_share_dirs}/krunnerstaterc* rwk,
+
+  owner @{run}/user/@{uid}/#[0-9]* rw,
+  owner @{run}/user/@{uid}/plasmashell??????.[0-9].kioworker.socket rwl,
+
+        @{PROC}/sys/kernel/core_pattern r,
+        @{PROC}/sys/kernel/random/boot_id r,
+  owner @{PROC}/@{pid}/mounts r,
+
+  include if exists <local/plasmashell>
+}

dists/flags/main.flags

@@ -108,6 +108,7 @@ gdm-runtime-config complain
 gdm-x-session attach_disconnected,complain
 gdm-xsession complain
 glib-compile-resources complain
+gmenudbusmenuproxy complain
 gnome-browser-connector-host complain
 gnome-characters complain
 gnome-control-center attach_disconnected,complain
@@ -164,12 +165,16 @@ irqbalance complain
 iwctl complain
 iwd complain
 kaccess complain
+kactivitymanagerd complain
 kauth-backlighthelper complain
 kauth-chargethresholdhelper complain
 kauth-discretegpuhelper complain
 kauth-kded-smart-helper complain
+kauth-kinfocenter-dmidecode-helper complain
+kconf_update complain
 kded5 complain
 kernel-install complain
+kglobalaccel5 complain
 kgx complain
 kmod attach_disconnected,complain
 ksmserver attach_disconnected,mediate_deleted,complain