diff --git a/apparmor.d/groups/kde/baloo b/apparmor.d/groups/kde/baloo
new file mode 100644
index 00000000..ec2e2b3b
--- /dev/null
+++ b/apparmor.d/groups/kde/baloo
@@ -0,0 +1,50 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}lib/baloo_file
+profile baloo @{exec_path} {
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+
+ network netlink raw,
+
+ @{exec_path} mr,
+
+ /{usr/,}lib/baloo_file_extractor rix,
+
+ /usr/share/qt/translations/*.qm r,
+ /usr/share/hwdata/pnp.ids r,
+
+ /etc/fstab r,
+ /etc/machine-id r,
+
+ # Allow to search user files
+ owner @{HOME}/{,**} r,
+ owner @{MOUNTS}/{,**} r,
+ owner /tmp/*/{,**} r,
+
+ owner @{user_config_dirs}/#[0-9]* rw,
+ owner @{user_config_dirs}/baloofilerc rwl,
+ owner @{user_config_dirs}/baloofilerc.lock rwkl,
+
+ owner @{user_share_dirs}/baloo/{,**} rwk,
+
+ @{PROC}/sys/kernel/core_pattern r,
+ @{PROC}/sys/kernel/random/boot_id r,
+ owner @{PROC}/@{pid}/mounts r,
+
+ /dev/tty r,
+
+ include if exists
+}
diff --git a/apparmor.d/groups/kde/kaccess b/apparmor.d/groups/kde/kaccess
new file mode 100644
index 00000000..220beaab
--- /dev/null
+++ b/apparmor.d/groups/kde/kaccess
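Review bot: `/{usr/,}lib/baloo_file_extractor rix,` runs the extractor — the component that parses arbitrary user files — under this same profile, so it inherits `owner @{HOME}/{,**} r,` and `owner @{MOUNTS}/{,**} r,` over everything the indexer can reach, plus the netlink socket. Executing it with `rPx` under a dedicated, tighter `baloo_file_extractor` profile would keep a parser fault from exposing the whole home tree; if that profile does not exist yet, `rPUx` with a `# TODO` comment is a reasonable interim. The blanket home read also covers `~/.ssh`, `~/.gnupg` and similar; including `abstractions/private-files-strict` (or adding equivalent `deny` rules) ahead of the read rules is worth considering for an indexer. The include targets are not visible in this rendering of the diff, so I cannot tell which abstractions are already pulled in.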
@@ -0,0 +1,36 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}bin/kaccess
+profile kaccess @{exec_path} {
+ include
+ include
+ include
+ include
+
+ @{exec_path} mr,
+
+ /{usr/,}bin/gsettings rPx,
+
+ /usr/share/icons/{,**} r,
+ /usr/share/mime/{,**} r,
+ /usr/share/qt{,5}/translations/*.qm r,
+ /usr/share/hwdata/pnp.ids r,
+
+ owner @{HOME}/.Xauthority r,
+
+ owner @{user_cache_dirs}/icon-cache.kcache rw,
+
+ owner @{user_config_dirs}/kdedefaults/* r,
+ owner @{user_config_dirs}/kdeglobals r,
+ owner @{user_config_dirs}/kwinrc r,
+
+ /dev/tty r,
+
+ include if exists
+}
\ No newline at end of file
diff --git a/apparmor.d/groups/kde/ksmserver b/apparmor.d/groups/kde/ksmserver
new file mode 100644
index 00000000..4310411e
--- /dev/null
+++ b/apparmor.d/groups/kde/ksmserver
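Review bot: The file ends without a trailing newline (`\ No newline at end of file` after `+}`), unlike the other four profiles in this commit; add the newline so the files stay consistent and later diffs stay clean. `/{usr/,}bin/gsettings rPx,` requires a `gsettings` profile to be loaded — with `Px` and no matching profile the exec is denied rather than falling back — which is fine if that profile already exists in the tree but worth confirming. The include targets are stripped in this rendering, so the abstractions this profile relies on cannot be checked here.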
@@ -0,0 +1,52 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}bin/ksmserver
+profile ksmserver @{exec_path} flags=(attach_disconnected) {
+ include
+ include
+ include
+ include
+
+ @{exec_path} mr,
+
+ /{usr/,}bin/rm rix,
+
+ /{usr/,}lib/kscreenlocker_greet rPx,
+
+ /usr/share/color-schemes/{,**} r,
+ /usr/share/hwdata/pnp.ids r,
+ /usr/share/icons/{,**} r,
+ /usr/share/mime/{,**} r,
+ /usr/share/qt/translations/*.qm r,
+ /usr/share/knotifications5/*.notifyrc r,
+
+ owner @{HOME}/?????? rw,
+ owner @{HOME}/.Xauthority rw,
+
+ owner @{user_cache_dirs}/icon-cache.kcache rw,
+
+ owner @{user_config_dirs}/kdedefaults/* r,
+ owner @{user_config_dirs}/kdeglobals r,
+ owner @{user_config_dirs}/kscreenlockerrc r,
+ owner @{user_config_dirs}/ksmserverrc r,
+ owner @{user_config_dirs}/kwinrc r,
+ owner @{user_config_dirs}/session/*_[0-9]*_[0-9]*_[0-9]* rw,
+
+ owner /tmp/?????? rw,
+ owner /tmp/.ICE-unix/* rw,
+
+ @{run}/systemd/inhibit/[0-9]*.ref rw,
+ owner @{run}/user/@{uid}/KSMserver__[0-9] rw,
+
+ @{PROC}/sys/kernel/core_pattern r,
+
+ /dev/tty r,
+
+ include if exists
+}
diff --git a/apparmor.d/groups/kde/kwin_x11 b/apparmor.d/groups/kde/kwin_x11
new file mode 100644
index 00000000..007b36ad
--- /dev/null
+++ b/apparmor.d/groups/kde/kwin_x11
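Review bot: `owner @{HOME}/?????? rw,` grants write access to every six-character file name directly in the home directory, not only to whatever temporary file it was written for — `?` matches any character except `/`, so dotfiles such as `.zshrc` match too, which means a fault in the session manager could end up modifying shell startup files. If the name the program actually creates is known (the audit log line that prompted the rule would show it), pin the rule to that name or at least a fixed prefix, e.g. the `.??????` suffix shape used elsewhere in this commit; `owner /tmp/?????? rw,` has the same weakness in a less sensitive directory. `/{usr/,}lib/kscreenlocker_greet rPx,` also depends on a `kscreenlocker_greet` profile existing, which is worth confirming. The include targets are not visible in this rendering, so the pulled-in abstractions cannot be checked here.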
@@ -0,0 +1,56 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}bin/kwin_x11
+profile kwin_x11 @{exec_path} {
+ include
+ include
+ include
+ include
+ include
+ include
+
+ @{exec_path} mr,
+
+ /{usr/,}lib/kwin_killer_helper rix,
+
+ /usr/share/hwdata/pnp.ids r,
+ /usr/share/kwin/{,**} r,
+ /usr/share/X11/xkb/{,**} r,
+ /usr/share/plasma/desktoptheme/{,**} r,
+ /usr/share/qt/translations/*.qm r,
+
+ /etc/machine-id r,
+
+ owner @{HOME}/.Xauthority r,
+
+ owner @{user_cache_dirs}/ r,
+ owner @{user_cache_dirs}/#[0-9]* rw,
+ owner @{user_cache_dirs}/icon-cache.kcache rw,
+ owner @{user_cache_dirs}/kwin/{,**} rwl,
+ owner @{user_cache_dirs}/plasma_theme_default_*.kcache rw,
+ owner @{user_cache_dirs}/plasma-svgelements.lock rwk,
+ owner @{user_cache_dirs}/plasma-svgelements{,.??????} rwl,
+ owner @{user_cache_dirs}/qtshadercache-*/@{hex} r,
+
+ owner @{user_config_dirs}/#[0-9]* rw,
+ owner @{user_config_dirs}/kcminputrc r,
+ owner @{user_config_dirs}/kdedefaults/* r,
+ owner @{user_config_dirs}/kdeglobals r,
+ owner @{user_config_dirs}/kwinrc.lock rwk,
+ owner @{user_config_dirs}/kwinrc{,.??????} rwl,
+ owner @{user_config_dirs}/kwinrulesrc r,
+ owner @{user_config_dirs}/kxkbrc r,
+
+ @{PROC}/sys/kernel/core_pattern r,
+
+ /dev/tty r,
+
+ include if exists
+}
+
diff --git a/apparmor.d/groups/kde/startplasma-x11 b/apparmor.d/groups/kde/startplasma-x11
new file mode 100644
index 00000000..c8578bb3
--- /dev/null
+++ b/apparmor.d/groups/kde/startplasma-x11
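Review bot: The profile ends with an extra empty added line after `+}` (the hunk is 56 lines and the closing brace is line 55), which none of the other profiles in this commit have; drop it so the files stay uniform. `/{usr/,}lib/kwin_killer_helper rix,` makes the helper inherit the full compositor profile, including every cache and config write rule above — acceptable for a small helper dialog, but a short comment on why it is `ix` rather than `Px` would help the next reviewer. The include lines have lost their targets in this rendering, so I cannot check which abstractions this profile pulls in.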
@@ -0,0 +1,64 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}bin/startplasma-x11
+profile startplasma-x11 @{exec_path} {
+ include
+ include
+
+ @{exec_path} mr,
+
+ /{usr/,}bin/kapplymousetheme rPUx,
+ /{usr/,}bin/ksplashqml rPUx,
+ /{usr/,}bin/xrdb rPx,
+ /{usr/,}bin/xsetroot rPx,
+
+ /usr/share/color-schemes/{,**} r,
+ /usr/share/desktop-directories/{,**} r,
+ /usr/share/knotifications5/{,**} r,
+ /usr/share/kservices5/{,**} r,
+ /usr/share/kservicetypes5/{,**} r,
+ /usr/share/mime/{,**} r,
+ /usr/share/plasma/{,**} r,
+ /usr/share/qt/translations/*.qm r,
+
+ /etc/xdg/menus/{,*.menu} r,
+ /etc/machine-id r,
+
+ owner @{HOME}/.Xauthority r,
+
+ owner @{user_cache_dirs}/ rw,
+ owner @{user_cache_dirs}/#[0-9]* rw,
+ owner @{user_cache_dirs}/kcrash-metadata/ rw,
+ owner @{user_cache_dirs}/ksycoca5_* rwkl,
+ owner @{user_cache_dirs}/plasma-svgelements rw,
+
+ owner @{user_config_dirs}/gtkrc rl,
+ owner @{user_config_dirs}/gtkrc-2.0 rl,
+ owner @{user_config_dirs}/kcminputrc r,
+ owner @{user_config_dirs}/kdedefaults/ rw,
+ owner @{user_config_dirs}/kdedefaults/** rwkl -> @{user_config_dirs}/kdedefaults/**,
+ owner @{user_config_dirs}/kdeglobals{,.??????} rwl,
+ owner @{user_config_dirs}/kwinkdeglobalsrc.lock rwk,
+ owner @{user_config_dirs}/plasma-localerc rwl,
+ owner @{user_config_dirs}/plasma-localerc.lock rwk,
+ owner @{user_config_dirs}/Trolltech.conf rwl,
+ owner @{user_config_dirs}/Trolltech.conf.lock rwk,
+
+ owner @{user_share_dirs}/sddm/xorg-session.log rw,
+
+ owner /tmp/#[0-9][0-9] rw,
+ owner /tmp/startplasma-x11.?????? rwl,
+
+ @{PROC}/sys/kernel/core_pattern r,
+ @{PROC}/sys/kernel/random/boot_id r,
+
+ /dev/tty r,
+
+ include if exists
+}
diff --git a/dists/flags/main.flags b/dists/flags/main.flags
index 45891dae..9a0f6ee1 100644
--- a/dists/flags/main.flags
+++ b/dists/flags/main.flags
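Review bot: `/{usr/,}bin/kapplymousetheme rPUx,` and `/{usr/,}bin/ksplashqml rPUx,` fall back to running unconfined when no profile of that name is loaded, so these two children escape confinement entirely until their profiles exist; if that is a deliberate interim, a `# TODO: profile` comment on those lines documents it, otherwise use `rPx` like `xrdb` and `xsetroot` right below them. `owner @{user_config_dirs}/kdedefaults/** rwkl -> @{user_config_dirs}/kdedefaults/**,` is the broadest write in the profile (read, write, lock and link across the whole subtree); a one-line comment on what writes there would make the rule easier to audit later. If startplasma sources per-user environment scripts through a shell (I could not confirm this from the hunk), there is no exec rule for that here; with the profile in complain mode per `main.flags` that only logs, but it should be checked in the audit log before the profile is switched to enforce.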
@@ -13,6 +13,7 @@ avahi-browse complain
 avahi-publish complain
 avahi-resolve complain
 avahi-set-host-name complain
+baloo complain
 busctl complain
 cc-remote-login-helper complain
 cfdisk complain
@@ -123,9 +124,12 @@ install-info complain
 irqbalance complain
 iwctl complain
 iwd complain
+kaccess complain
 kernel-install complain
 kgx complain
 kmod attach_disconnected,complain
+ksmserver attach_disconnected,complain
+kwin_x11 complain
 landscape-sysinfo complain
 landscape-sysinfo.wrapper complain
 last complain
@@ -181,6 +185,7 @@ s3fs complain
 sbctl complain
 scrcpy complain
 sdcv complain
+sddm attach_disconnected,complain
 sftp-server complain
 slirp4netns attach_disconnected,complain
 snap complain
@@ -196,6 +201,8 @@ ss complain
 ssh complain
 sshd attach_disconnected,complain
 ssservice complain
+startplasma-x11 complain
+startx attach_disconnected,complain
 steam attach_disconnected,mediate_deleted,complain
 steam-fossilize attach_disconnected,complain
 steam-game attach_disconnected,complain
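Review bot: `+sddm attach_disconnected,complain` and `+startx attach_disconnected,complain` reference profiles that this commit does not add; if those profiles are not already in the tree the entries are dead configuration, and if they are, the flag changes belong with the commit that touches those profiles or at least deserve a mention in the commit message. The KDE entries are consistent with the new profiles (`ksmserver` carries `attach_disconnected` matching its `flags=` line, the others plain `complain`), and starting new profiles in complain mode is the right call.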