mirror of
https://github.com/roddhjav/apparmor.d.git
synced 2024-11-14 23:43:56 +01:00
feat(kde): general update.
parent
0edde44e1d
commit
12456486f1
@ -25,7 +25,7 @@
|
||||
owner @{HOME}/.Xauthority r,
|
||||
owner @{run}/user/@{uid}/gdm{[1-9],}/Xauthority r,
|
||||
owner @{run}/user/@{uid}/X11/Xauthority r,
|
||||
owner @{run}/user/@{uid}/xauth_* r,
|
||||
@{run}/user/@{uid}/xauth_* rl,
|
||||
|
||||
# Xwayland
|
||||
owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* rw,
|
||||
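Review bot: The rule printed last for this path, `@{run}/user/@{uid}/xauth_* rl,`, has no `owner` qualifier, unlike the other Xauthority rules in this hunk, and it adds `l`. The page has lost its +/- markers, so reading this as the new side is inferred from print order and from the commented-out `# owner @{run}/user/@{uid}/xauth_* r,` in the ksmserver section. The hunk header names no profile, so this looks like a shared abstraction, in which case every profile that includes it gets read and link access to these X authority cookies whatever the file's owner, leaving only the directory's DAC permissions as a barrier. If the ownership mismatch only affects the display manager, keep `owner @{run}/user/@{uid}/xauth_* r,` here and grant the unowned form in that one profile, with a comment naming the process that creates the file. The same unowned rule is also written out in the ksmserver, sddm, startplasma-x11 and xdm-xsession sections, and the xauth section appears to drop `owner` from `xauth_?????? rw,` as well.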
|
@ -4,9 +4,9 @@
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
owner @{HOME}/.cache/qtshadercache/ rw,
|
||||
owner @{HOME}/.cache/qtshadercache/#[0-9]*[0-9] rw,
|
||||
owner @{HOME}/.cache/qtshadercache/@{hex} rwl -> @{HOME}/.cache/qtshadercache/#[0-9]*[0-9],
|
||||
owner @{HOME}/.cache/qtshadercache-*-little_endian-*/ rw,
|
||||
owner @{HOME}/.cache/qtshadercache-*-little_endian-*/#[0-9]*[0-9] rw,
|
||||
owner @{HOME}/.cache/qtshadercache-*-little_endian-*/@{hex}* rwl -> @{HOME}/.cache/qtshadercache-*-little_endian-*/#[0-9]*[0-9],
|
||||
owner @{user_cache_dirs}/qtshadercache/ rw,
|
||||
owner @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9] rw,
|
||||
owner @{user_cache_dirs}/qtshadercache/@{hex} rwl -> @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9],
|
||||
owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/ rw,
|
||||
owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9] rw,
|
||||
owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/@{hex}* rwl -> @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9],
|
||||
|
@ -31,7 +31,7 @@ profile dbus-daemon-launch-helper @{exec_path} {
|
||||
/usr/share/usb-creator/usb-creator-helper rPx,
|
||||
/usr/share/hplip/pkservice.py rPx,
|
||||
|
||||
/usr/share/dbus-1/{,**} r,
|
||||
/usr/share/dbus-1*/{,**} r,
|
||||
|
||||
/etc/dbus-1/{,**} r,
|
||||
|
||||
|
@ -6,7 +6,7 @@ abi <abi/3.0>,
|
||||
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = @{libexec}/geoclue
|
||||
@{exec_path} = @{libexec}/geoclue @{libexec}/geoclue-2.0/demos/agent
|
||||
profile geoclue @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dbus-strict>
|
||||
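Review bot: Adding `@{libexec}/geoclue-2.0/demos/agent` to `@{exec_path}` (the second variable line, presumably the new side) attaches the demo agent to the same `geoclue` profile as the daemon, so the agent receives every permission written for the daemon. The profile body lies outside this hunk, so whether the agent needs those rules cannot be checked here. A separate, narrower profile for the agent would follow least privilege. Failing that, a comment above the variable such as `# demos/agent shares the daemon profile: <reason>` would record the decision.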
|
@ -40,7 +40,7 @@ profile evolution-addressbook-factory @{exec_path} {
|
||||
@{exec_path}-subprocess rix,
|
||||
|
||||
/usr/share/glib-2.0/schemas/gschemas.compiled r,
|
||||
/usr/share/icu/{,**} r,
|
||||
/usr/share/icu/[0-9]*.[0-9]*/*.dat r,
|
||||
|
||||
owner @{user_share_dirs}/evolution/{,**} rwk,
|
||||
owner @{user_cache_dirs}/evolution/addressbook/{,**} rwk,
|
||||
|
@ -83,7 +83,7 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) {
|
||||
/usr/share/egl/{,**} r,
|
||||
/usr/share/gdm/greeter-dconf-defaults r,
|
||||
/usr/share/gnome-shell/{,**} r,
|
||||
/usr/share/icu/{,**} r,
|
||||
/usr/share/icu/[0-9]*.[0-9]*/*.dat r,
|
||||
/usr/share/X11/xkb/** r,
|
||||
|
||||
/var/lib/gdm{3,}/.cache/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} r,
|
||||
|
@ -26,7 +26,7 @@ profile gnome-extensions-app @{exec_path} {
|
||||
/{usr/,}bin/gjs-console rix,
|
||||
|
||||
/usr/share/gnome-shell/org.gnome.Extensions* r,
|
||||
/usr/share/icu/{,**} r,
|
||||
/usr/share/icu/[0-9]*.[0-9]*/*.dat r,
|
||||
/usr/share/terminfo/x/xterm-256color r,
|
||||
/usr/share/X11/xkb/{,**} r,
|
||||
|
||||
|
@ -12,7 +12,7 @@ profile kreadconfig @{exec_path} {
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
/usr/share/icu/{,**} r,
|
||||
/usr/share/icu/[0-9]*.[0-9]*/*.dat r,
|
||||
|
||||
/etc/xdg/kdeglobals r,
|
||||
|
||||
|
@ -7,7 +7,7 @@ abi <abi/3.0>,
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = /{usr/,}bin/ksmserver
|
||||
profile ksmserver @{exec_path} flags=(attach_disconnected) {
|
||||
profile ksmserver @{exec_path} flags=(attach_disconnected,mediate_deleted) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dri-common>
|
||||
include <abstractions/nameservice-strict>
|
||||
@ -26,6 +26,8 @@ profile ksmserver @{exec_path} flags=(attach_disconnected) {
|
||||
/usr/share/qt/translations/*.qm r,
|
||||
/usr/share/knotifications5/*.notifyrc r,
|
||||
|
||||
/etc/machine-id r,
|
||||
|
||||
owner @{HOME}/?????? rw,
|
||||
owner @{HOME}/.Xauthority rw,
|
||||
|
||||
@ -34,7 +36,10 @@ profile ksmserver @{exec_path} flags=(attach_disconnected) {
|
||||
owner @{user_config_dirs}/kdedefaults/* r,
|
||||
owner @{user_config_dirs}/kdeglobals r,
|
||||
owner @{user_config_dirs}/kscreenlockerrc r,
|
||||
owner @{user_config_dirs}/ksmserverrc.?????? rwl,
|
||||
owner @{user_config_dirs}/ksmserverrc r,
|
||||
owner @{user_config_dirs}/#[0-9]* rw,
|
||||
owner @{user_config_dirs}/ksmserverrc.lock rwk,
|
||||
owner @{user_config_dirs}/kwinrc r,
|
||||
owner @{user_config_dirs}/session/*_[0-9]*_[0-9]*_[0-9]* rw,
|
||||
|
||||
@ -43,8 +48,9 @@ profile ksmserver @{exec_path} flags=(attach_disconnected) {
|
||||
|
||||
@{run}/systemd/inhibit/[0-9]*.ref rw,
|
||||
owner @{run}/user/@{uid}/KSMserver__[0-9] rw,
|
||||
owner @{run}/user/@{uid}/xauth_* r,
|
||||
|
||||
# owner @{run}/user/@{uid}/xauth_* r,
|
||||
@{run}/user/@{uid}/xauth_* rl,
|
||||
|
||||
@{sys}/devices/pci[0-9]*/**/{device,subsystem_device,subsystem_vendor,uevent,vendor} r,
|
||||
|
||||
@{PROC}/sys/kernel/core_pattern r,
|
||||
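Review bot: `owner @{user_config_dirs}/ksmserverrc r,` stays read-only while the hunk at -34,7 grants `ksmserverrc.?????? rwl` and `ksmserverrc.lock rwk`, which looks like the temp-file-then-replace pattern for writing the config. Other profiles on this page give the base file the same access as its temp file (`kwinrc{,.??????} rwl` in kwin_x11), so the replace step would presumably still be denied, or only logged while the profile runs in complain mode. If ksmserver does write this file, `owner @{user_config_dirs}/ksmserverrc{,.??????} rwl,` would match that convention; if it does not, the temp-file and lock rules may be unnecessary. The commented-out `# owner @{run}/user/@{uid}/xauth_* r,` in the last hunk could be deleted rather than kept as dead text.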
|
@ -33,7 +33,7 @@ profile kwalletd5 @{exec_path} {
|
||||
|
||||
/usr/share/color-schemes/{,**} r,
|
||||
/usr/share/hwdata/pnp.ids r,
|
||||
/usr/share/icu/72.1/icudt72l.dat r,
|
||||
/usr/share/icu/[0-9]*.[0-9]*/*.dat r,
|
||||
/usr/share/qt/translations/*.qm r,
|
||||
/usr/share/qt5/qtlogging.ini r,
|
||||
/usr/share/qt5ct/** r,
|
||||
|
@ -41,6 +41,7 @@ profile kwin_x11 @{exec_path} {
|
||||
owner @{user_cache_dirs}/plasma-svgelements.lock rwk,
|
||||
owner @{user_cache_dirs}/plasma-svgelements{,.??????} rwl,
|
||||
owner @{user_cache_dirs}/qtshadercache-*/@{hex} r,
|
||||
owner @{user_cache_dirs}/session/#[0-9]* rw,
|
||||
|
||||
owner @{user_config_dirs}/#[0-9]* rw,
|
||||
owner @{user_config_dirs}/kcminputrc r,
|
||||
@ -50,6 +51,7 @@ profile kwin_x11 @{exec_path} {
|
||||
owner @{user_config_dirs}/kwinrc{,.??????} rwl,
|
||||
owner @{user_config_dirs}/kwinrulesrc r,
|
||||
owner @{user_config_dirs}/kxkbrc r,
|
||||
owner @{user_config_dirs}/session/kwin_* rwk,
|
||||
|
||||
@{PROC}/sys/kernel/core_pattern r,
|
||||
|
||||
|
@ -8,9 +8,10 @@ abi <abi/3.0>,
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = /{usr/,}bin/sddm
|
||||
profile sddm @{exec_path} flags=(attach_disconnected) {
|
||||
profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/authentication>
|
||||
include <abstractions/bash>
|
||||
include <abstractions/dri-common>
|
||||
include <abstractions/fontconfig-cache-read>
|
||||
include <abstractions/fonts>
|
||||
@ -18,7 +19,7 @@ profile sddm @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/qt5>
|
||||
include <abstractions/wutmp>
|
||||
include <abstractions/bash>
|
||||
include <abstractions/X-strict>
|
||||
|
||||
capability audit_write,
|
||||
capability chown,
|
||||
@ -77,6 +78,7 @@ profile sddm @{exec_path} flags=(attach_disconnected) {
|
||||
/usr/share/plasma/desktoptheme/** r,
|
||||
/usr/share/sddm/faces/.*.icon r,
|
||||
/usr/share/sddm/themes/** r,
|
||||
/usr/share/icu/[0-9]*.[0-9]*/*.dat r,
|
||||
/usr/share/wayland-sessions/{,*.desktop} r,
|
||||
/usr/share/xsessions/{,*.desktop} r,
|
||||
/var/lib/AccountsService/icons/*.icon r,
|
||||
@ -119,10 +121,13 @@ profile sddm @{exec_path} flags=(attach_disconnected) {
|
||||
|
||||
@{run}/faillock/[a-zA-z0-9]* rwk,
|
||||
@{run}/sddm.pid rw,
|
||||
@{run}/sddm/* w,
|
||||
@{run}/sddm/\{@{uuid}\} rw,
|
||||
# @{run}/sddm/* w,
|
||||
@{run}/systemd/sessions/*.ref rw,
|
||||
owner @{run}/sddm/ rw,
|
||||
owner @{run}/user/@{uid}/kwallet5.socket rw,
|
||||
@{run}/user/@{uid}/xauth_* rl,
|
||||
owner @{run}/user/@{uid}/#[0-9]* rw,
|
||||
|
||||
@{PROC}/sys/kernel/core_pattern r,
|
||||
owner @{PROC}/@{pid}/loginuid rw,
|
||||
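Review bot: In the last hunk, `@{run}/faillock/[a-zA-z0-9]* rwk,` uses the range `A-z`, which in ASCII also covers `[`, `\`, `]`, `^`, `_` and the backtick, so the class is wider than the letters and digits it seems meant to express. The line is unchanged context, but since the commit edits the rules around it, `@{run}/faillock/[a-zA-Z0-9]* rwk,` could go in with it, with `_` listed explicitly if user names beginning with an underscore must match. The commented-out `# @{run}/sddm/* w,` next to the `\{@{uuid}\}` rule reads as leftover and could be removed.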
|
@ -20,20 +20,30 @@ profile sddm-greeter @{exec_path} {
|
||||
include <abstractions/qt5>
|
||||
include <abstractions/qt5-compose-cache-write>
|
||||
|
||||
network netlink raw,
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
/usr/share/sddm/{,**} r,
|
||||
@{libexec}/libheif/ r,
|
||||
@{libexec}/libheif/*.so* rm,
|
||||
|
||||
/usr/share/desktop-base/softwaves-theme/login/*.svg r,
|
||||
/usr/share/hwdata/pnp.ids r,
|
||||
/usr/share/icu/[0-9]*.[0-9]*/*.dat r,
|
||||
/usr/share/plasma/desktoptheme/** r,
|
||||
/usr/share/qt5ct/** r,
|
||||
/usr/share/sddm/{,**} r,
|
||||
/usr/share/wayland-sessions/{,*.desktop} r,
|
||||
/usr/share/xsessions/{,*.desktop} r,
|
||||
/usr/share/hwdata/pnp.ids r,
|
||||
/usr/share/wallpapers/{,**} r,
|
||||
/usr/share/hunspell/** r,
|
||||
|
||||
/etc/sddm.conf.d/{,*} r,
|
||||
/etc/sddm.conf r,
|
||||
/etc/fstab r,
|
||||
/etc/machine-id r,
|
||||
/etc/sddm.conf r,
|
||||
/etc/sddm.conf.d/{,*} r,
|
||||
/etc/xdg/kdeglobals r,
|
||||
/etc/xdg/plasmarc r,
|
||||
/var/lib/AccountsService/icons/*.icon r,
|
||||
/var/lib/dbus/machine-id r,
|
||||
|
||||
|
@ -10,6 +10,7 @@ include <tunables/global>
|
||||
profile startplasma-x11 @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/freedesktop.org>
|
||||
include <abstractions/X-strict>
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
@ -20,7 +21,7 @@ profile startplasma-x11 @{exec_path} {
|
||||
|
||||
/usr/share/color-schemes/{,**} r,
|
||||
/usr/share/desktop-directories/{,**} r,
|
||||
/usr/share/icu/{,**} r,
|
||||
/usr/share/icu/[0-9]*.[0-9]*/*.dat r,
|
||||
/usr/share/knotifications5/{,**} r,
|
||||
/usr/share/kservices5/{,**} r,
|
||||
/usr/share/kservicetypes5/{,**} r,
|
||||
@ -39,12 +40,13 @@ profile startplasma-x11 @{exec_path} {
|
||||
owner @{user_cache_dirs}/ksycoca5_* rwkl,
|
||||
owner @{user_cache_dirs}/plasma-svgelements rw,
|
||||
|
||||
owner @{user_config_dirs}/#[0-9]* rw,
|
||||
owner @{user_config_dirs}/gtkrc rl,
|
||||
owner @{user_config_dirs}/gtkrc-2.0 rl,
|
||||
owner @{user_config_dirs}/kcminputrc r,
|
||||
owner @{user_config_dirs}/kdedefaults/ rw,
|
||||
owner @{user_config_dirs}/kdedefaults/** rwkl -> @{user_config_dirs}/kdedefaults/**,
|
||||
owner @{user_config_dirs}/kdeglobals{,.??????} rwl,
|
||||
owner @{user_config_dirs}/kdeglobals* rwl,
|
||||
owner @{user_config_dirs}/kwinkdeglobalsrc.lock rwk,
|
||||
owner @{user_config_dirs}/plasma-localerc rwl,
|
||||
owner @{user_config_dirs}/plasma-localerc.lock rwk,
|
||||
@ -56,6 +58,8 @@ profile startplasma-x11 @{exec_path} {
|
||||
owner /tmp/#[0-9][0-9] rw,
|
||||
owner /tmp/startplasma-x11.?????? rwl,
|
||||
|
||||
@{run}/user/@{uid}/xauth_* rl,
|
||||
|
||||
@{PROC}/sys/kernel/core_pattern r,
|
||||
@{PROC}/sys/kernel/random/boot_id r,
|
||||
|
||||
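Review bot: `owner @{user_config_dirs}/kdeglobals* rwl,` appears to replace `kdeglobals{,.??????} rwl` in the hunk at -39,12 (sides inferred from the hunk's line counts and print order), and the bare `*` matches every file in the config directory whose name begins with `kdeglobals`, not only the base file and its six-character temp file. If the extra name that prompted the change is known, listing it inside the alternation keeps the rule tight, in the form `owner @{user_config_dirs}/kdeglobals{,.??????,<suffix>} rwl,`. This profile also gains `include <abstractions/X-strict>` together with its own `@{run}/user/@{uid}/xauth_* rl,`; if the abstraction already carries that rule, the copy here is redundant.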
|
@ -12,6 +12,7 @@ profile xdm-xsession @{exec_path} {
|
||||
include <abstractions/bash>
|
||||
include <abstractions/dconf-write>
|
||||
include <abstractions/openssl>
|
||||
include <abstractions/X-strict>
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
@ -73,6 +74,7 @@ profile xdm-xsession @{exec_path} {
|
||||
owner @{run}/user/@{uid}/gnupg/private-keys-v1.d/@{hex}.key rw,
|
||||
owner @{run}/user/@{uid}/gnupg/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw,
|
||||
owner @{run}/user/@{uid}/gnupg/sshcontrol r,
|
||||
@{run}/user/@{uid}/xauth_* rl,
|
||||
|
||||
owner /tmp/ssh-*/ rw,
|
||||
owner /tmp/ssh-*/agent.* rw,
|
||||
|
@ -31,8 +31,8 @@ profile xauth @{exec_path} {
|
||||
owner /tmp/serverauth.*-n rw,
|
||||
owner /tmp/serverauth.* rwl -> /tmp/serverauth.*-n,
|
||||
|
||||
owner @{run}/user/@{uid}/xauth_?????? rw,
|
||||
owner /tmp/runtime-*/xauth_?????? r,
|
||||
@{run}/user/@{uid}/xauth_?????? rw,
|
||||
|
||||
include if exists <local/xauth>
|
||||
}
|
||||
|
@ -134,7 +134,7 @@ kauth-kded-smart-helper complain
|
||||
kernel-install complain
|
||||
kgx complain
|
||||
kmod attach_disconnected,complain
|
||||
ksmserver attach_disconnected,complain
|
||||
ksmserver attach_disconnected,mediate_deleted,complain
|
||||
kwin_x11 complain
|
||||
landscape-sysinfo complain
|
||||
landscape-sysinfo.wrapper complain
|
||||
@ -275,7 +275,7 @@ virt-manager attach_disconnected,complain
|
||||
virtinterfaced attach_disconnected,complain
|
||||
virtiofsd complain,attach_disconnected
|
||||
virtlockd complain
|
||||
virtnetworkd complain
|
||||
virtnetworkd complain,attach_disconnected
|
||||
virtnodedevd attach_disconnected,complain
|
||||
virtsecretd attach_disconnected,complain
|
||||
virtstoraged attach_disconnected,complain
|
||||
|