feat(kde): add new kde profiles.
parent
5cc4279e36
commit
19d1a59bd3
6 changed files with 265 additions and 0 deletions
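--- a/apparmor.d/groups/kde/baloo
+++ b/apparmor.d/groups/kde/baloo
@@ -0,0 +1,50 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /{usr/,}lib/baloo_file
+profile baloo @{exec_path} {
+include <abstractions/base>
+include <abstractions/freedesktop.org>
+include <abstractions/fonts>
+include <abstractions/deny-sensitive-home>
+include <abstractions/private-files-strict>
+include <abstractions/private-files>
+include <abstractions/fontconfig-cache-write>
+include <abstractions/disks-read>
+
+network netlink raw,
+
+@{exec_path} mr,
+
+/{usr/,}lib/baloo_file_extractor rix,
+
+/usr/share/qt/translations/*.qm r,
+/usr/share/hwdata/pnp.ids r,
+
+/etc/fstab r,
+/etc/machine-id r,
+
+# Allow to search user files
+owner @{HOME}/{,**} r,
+owner @{MOUNTS}/{,**} r,
+owner /tmp/*/{,**} r,
+
+owner @{user_config_dirs}/#[0-9]* rw,
+owner @{user_config_dirs}/baloofilerc rwl,
+owner @{user_config_dirs}/baloofilerc.lock rwkl,
+
+owner @{user_share_dirs}/baloo/{,**} rwk,
+
+@{PROC}/sys/kernel/core_pattern r,
+@{PROC}/sys/kernel/random/boot_id r,
+owner @{PROC}/@{pid}/mounts r,
+
+/dev/tty r,
+
+include if exists <local/baloo>
+}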
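Review bot: `/{usr/,}lib/baloo_file_extractor rix,` runs the extractor under the indexer's own profile, so the process that reads and parses file contents inherits every rule here, including `owner @{HOME}/{,**} r,`, `owner @{MOUNTS}/{,**} r,`, `network netlink raw,` and write access to `baloofilerc`. A dedicated profile entered with `rPx` (or a child profile via `rCx`) that keeps only the read paths and `@{user_share_dirs}/baloo/{,**}` would limit what a parser fault on a malformed document can reach. The home-wide read also relies on `deny-sensitive-home` and `private-files-strict` to keep keys and credential stores out of the index; a comment above `# Allow to search user files` stating that dependency would help whoever later edits the include list.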
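--- a/apparmor.d/groups/kde/kaccess
+++ b/apparmor.d/groups/kde/kaccess
@@ -0,0 +1,36 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /{usr/,}bin/kaccess
+profile kaccess @{exec_path} {
+include <abstractions/base>
+include <abstractions/dri-common>
+include <abstractions/nameservice-strict>
+include <abstractions/mesa>
+
+@{exec_path} mr,
+
+/{usr/,}bin/gsettings rPx,
+
+/usr/share/icons/{,**} r,
+/usr/share/mime/{,**} r,
+/usr/share/qt{,5}/translations/*.qm r,
+/usr/share/hwdata/pnp.ids r,
+
+owner @{HOME}/.Xauthority r,
+
+owner @{user_cache_dirs}/icon-cache.kcache rw,
+
+owner @{user_config_dirs}/kdedefaults/* r,
+owner @{user_config_dirs}/kdeglobals r,
+owner @{user_config_dirs}/kwinrc r,
+
+/dev/tty r,
+
+include if exists <local/kaccess>
+}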
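--- a/apparmor.d/groups/kde/ksmserver
+++ b/apparmor.d/groups/kde/ksmserver
@@ -0,0 +1,52 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /{usr/,}bin/ksmserver
+profile ksmserver @{exec_path} flags=(attach_disconnected) {
+include <abstractions/base>
+include <abstractions/dri-common>
+include <abstractions/nameservice-strict>
+include <abstractions/mesa>
+
+@{exec_path} mr,
+
+/{usr/,}bin/rm rix,
+
+/{usr/,}lib/kscreenlocker_greet rPx,
+
+/usr/share/color-schemes/{,**} r,
+/usr/share/hwdata/pnp.ids r,
+/usr/share/icons/{,**} r,
+/usr/share/mime/{,**} r,
+/usr/share/qt/translations/*.qm r,
+/usr/share/knotifications5/*.notifyrc r,
+
+owner @{HOME}/?????? rw,
+owner @{HOME}/.Xauthority rw,
+
+owner @{user_cache_dirs}/icon-cache.kcache rw,
+
+owner @{user_config_dirs}/kdedefaults/* r,
+owner @{user_config_dirs}/kdeglobals r,
+owner @{user_config_dirs}/kscreenlockerrc r,
+owner @{user_config_dirs}/ksmserverrc r,
+owner @{user_config_dirs}/kwinrc r,
+owner @{user_config_dirs}/session/*_[0-9]*_[0-9]*_[0-9]* rw,
+
+owner /tmp/?????? rw,
+owner /tmp/.ICE-unix/* rw,
+
+@{run}/systemd/inhibit/[0-9]*.ref rw,
+owner @{run}/user/@{uid}/KSMserver__[0-9] rw,
+
+@{PROC}/sys/kernel/core_pattern r,
+
+/dev/tty r,
+
+include if exists <local/ksmserver>
+}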
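Review bot: `owner @{HOME}/?????? rw,` matches every six-character name directly under the home directory, and because `?` in an AppArmor glob also matches a leading dot, that includes files such as `.netrc`, `.zshrc` and `.vimrc` with read and write access. The rule presumably covers a mkstemp-style temporary file (the neighbouring `owner @{HOME}/.Xauthority rw,` suggests an Xauthority rewrite), but the profile does not say so. If the temporary name carries a fixed prefix, narrow the glob to it; otherwise document it with something like `# temp file written next to .Xauthority - TODO narrow` and consider `include <abstractions/deny-sensitive-home>` as the baloo profile does, after checking what that abstraction actually denies. The same permissions are inherited by `/{usr/,}bin/rm rix,`, and `owner /tmp/?????? rw,` has the same shape with a smaller reach.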
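--- a/apparmor.d/groups/kde/kwin_x11
+++ b/apparmor.d/groups/kde/kwin_x11
@@ -0,0 +1,56 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /{usr/,}bin/kwin_x11
+profile kwin_x11 @{exec_path} {
+include <abstractions/base>
+include <abstractions/dri-common>
+include <abstractions/fonts>
+include <abstractions/freedesktop.org>
+include <abstractions/mesa>
+include <abstractions/nameservice-strict>
+
+@{exec_path} mr,
+
+/{usr/,}lib/kwin_killer_helper rix,
+
+/usr/share/hwdata/pnp.ids r,
+/usr/share/kwin/{,**} r,
+/usr/share/X11/xkb/{,**} r,
+/usr/share/plasma/desktoptheme/{,**} r,
+/usr/share/qt/translations/*.qm r,
+
+/etc/machine-id r,
+
+owner @{HOME}/.Xauthority r,
+
+owner @{user_cache_dirs}/ r,
+owner @{user_cache_dirs}/#[0-9]* rw,
+owner @{user_cache_dirs}/icon-cache.kcache rw,
+owner @{user_cache_dirs}/kwin/{,**} rwl,
+owner @{user_cache_dirs}/plasma_theme_default_*.kcache rw,
+owner @{user_cache_dirs}/plasma-svgelements.lock rwk,
+owner @{user_cache_dirs}/plasma-svgelements{,.??????} rwl,
+owner @{user_cache_dirs}/qtshadercache-*/@{hex} r,
+
+owner @{user_config_dirs}/#[0-9]* rw,
+owner @{user_config_dirs}/kcminputrc r,
+owner @{user_config_dirs}/kdedefaults/* r,
+owner @{user_config_dirs}/kdeglobals r,
+owner @{user_config_dirs}/kwinrc.lock rwk,
+owner @{user_config_dirs}/kwinrc{,.??????} rwl,
+owner @{user_config_dirs}/kwinrulesrc r,
+owner @{user_config_dirs}/kxkbrc r,
+
+@{PROC}/sys/kernel/core_pattern r,
+
+/dev/tty r,
+
+include if exists <local/kwin_x11>
+}
+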
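--- a/apparmor.d/groups/kde/startplasma-x11
+++ b/apparmor.d/groups/kde/startplasma-x11
@@ -0,0 +1,64 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /{usr/,}bin/startplasma-x11
+profile startplasma-x11 @{exec_path} {
+include <abstractions/base>
+include <abstractions/freedesktop.org>
+
+@{exec_path} mr,
+
+/{usr/,}bin/kapplymousetheme rPUx,
+/{usr/,}bin/ksplashqml rPUx,
+/{usr/,}bin/xrdb rPx,
+/{usr/,}bin/xsetroot rPx,
+
+/usr/share/color-schemes/{,**} r,
+/usr/share/desktop-directories/{,**} r,
+/usr/share/knotifications5/{,**} r,
+/usr/share/kservices5/{,**} r,
+/usr/share/kservicetypes5/{,**} r,
+/usr/share/mime/{,**} r,
+/usr/share/plasma/{,**} r,
+/usr/share/qt/translations/*.qm r,
+
+/etc/xdg/menus/{,*.menu} r,
+/etc/machine-id r,
+
+owner @{HOME}/.Xauthority r,
+
+owner @{user_cache_dirs}/ rw,
+owner @{user_cache_dirs}/#[0-9]* rw,
+owner @{user_cache_dirs}/kcrash-metadata/ rw,
+owner @{user_cache_dirs}/ksycoca5_* rwkl,
+owner @{user_cache_dirs}/plasma-svgelements rw,
+
+owner @{user_config_dirs}/gtkrc rl,
+owner @{user_config_dirs}/gtkrc-2.0 rl,
+owner @{user_config_dirs}/kcminputrc r,
+owner @{user_config_dirs}/kdedefaults/ rw,
+owner @{user_config_dirs}/kdedefaults/** rwkl -> @{user_config_dirs}/kdedefaults/**,
+owner @{user_config_dirs}/kdeglobals{,.??????} rwl,
+owner @{user_config_dirs}/kwinkdeglobalsrc.lock rwk,
+owner @{user_config_dirs}/plasma-localerc rwl,
+owner @{user_config_dirs}/plasma-localerc.lock rwk,
+owner @{user_config_dirs}/Trolltech.conf rwl,
+owner @{user_config_dirs}/Trolltech.conf.lock rwk,
+
+owner @{user_share_dirs}/sddm/xorg-session.log rw,
+
+owner /tmp/#[0-9][0-9] rw,
+owner /tmp/startplasma-x11.?????? rwl,
+
+@{PROC}/sys/kernel/core_pattern r,
+@{PROC}/sys/kernel/random/boot_id r,
+
+/dev/tty r,
+
+include if exists <local/startplasma-x11>
+}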
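Review bot: `/{usr/,}bin/kapplymousetheme rPUx,` and `/{usr/,}bin/ksplashqml rPUx,` fall back to running the child unconfined when no matching profile is loaded, and neither profile is among the files this commit adds. Unlike the `rPx` transitions used for `xrdb` and `xsetroot`, a missing profile here silently drops confinement instead of failing the exec. If the fallback is a deliberate stop-gap, mark it on the rule, e.g. `# TODO: no profile yet, PUx falls back to unconfined`, and switch to `rPx` once the profiles exist.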
|
@ -13,6 +13,7 @@ avahi-browse complain
|
||||||
avahi-publish complain
|
avahi-publish complain
|
||||||
avahi-resolve complain
|
avahi-resolve complain
|
||||||
avahi-set-host-name complain
|
avahi-set-host-name complain
|
||||||
|
baloo complain
|
||||||
busctl complain
|
busctl complain
|
||||||
cc-remote-login-helper complain
|
cc-remote-login-helper complain
|
||||||
cfdisk complain
|
cfdisk complain
|
||||||
|
@ -123,9 +124,12 @@ install-info complain
|
||||||
irqbalance complain
|
irqbalance complain
|
||||||
iwctl complain
|
iwctl complain
|
||||||
iwd complain
|
iwd complain
|
||||||
|
kaccess complain
|
||||||
kernel-install complain
|
kernel-install complain
|
||||||
kgx complain
|
kgx complain
|
||||||
kmod attach_disconnected,complain
|
kmod attach_disconnected,complain
|
||||||
|
ksmserver attach_disconnected,complain
|
||||||
|
kwin_x11 complain
|
||||||
landscape-sysinfo complain
|
landscape-sysinfo complain
|
||||||
landscape-sysinfo.wrapper complain
|
landscape-sysinfo.wrapper complain
|
||||||
last complain
|
last complain
|
||||||
|
@ -181,6 +185,7 @@ s3fs complain
|
||||||
sbctl complain
|
sbctl complain
|
||||||
scrcpy complain
|
scrcpy complain
|
||||||
sdcv complain
|
sdcv complain
|
||||||
|
sddm attach_disconnected,complain
|
||||||
sftp-server complain
|
sftp-server complain
|
||||||
slirp4netns attach_disconnected,complain
|
slirp4netns attach_disconnected,complain
|
||||||
snap complain
|
snap complain
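Review bot: The `sddm attach_disconnected,complain` entry added in this hunk, and `startx attach_disconnected,complain` in the next one, do not match any of the five profile files this commit adds. They may refer to profiles that already exist elsewhere in the tree, which this page does not show; if so, landing the flag entries with the commits that touch those profiles, or naming them in the commit message, would let the manifest be audited against the profiles it affects. All five new KDE profiles are also registered as `complain`, so their allow rules will log rather than block until these flags are tightened.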
|
||||||
|
@ -196,6 +201,8 @@ ss complain
|
||||||
ssh complain
|
ssh complain
|
||||||
sshd attach_disconnected,complain
|
sshd attach_disconnected,complain
|
||||||
ssservice complain
|
ssservice complain
|
||||||
|
startplasma-x11 complain
|
||||||
|
startx attach_disconnected,complain
|
||||||
steam attach_disconnected,mediate_deleted,complain
|
steam attach_disconnected,mediate_deleted,complain
|
||||||
steam-fossilize attach_disconnected,complain
|
steam-fossilize attach_disconnected,complain
|
||||||
steam-game attach_disconnected,complain
|
steam-game attach_disconnected,complain
|
||||||
|
|