mirror of
https://github.com/roddhjav/apparmor.d.git
synced 2025-01-18 08:58:15 +01:00
feat(kde): add new kde profiles.
This commit is contained in:
Alexandre Pujol
parent
5cc4279e36
commit
19d1a59bd3
6 changed files with 265 additions and 0 deletions
50
apparmor.d/groups/kde/baloo
Normal file
50
apparmor.d/groups/kde/baloo
Normal file
|
|
@ -0,0 +1,50 @@
|
|||
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = /{usr/,}lib/baloo_file
|
||||
profile baloo @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/freedesktop.org>
|
||||
include <abstractions/fonts>
|
||||
include <abstractions/deny-sensitive-home>
|
||||
include <abstractions/private-files-strict>
|
||||
include <abstractions/private-files>
|
||||
include <abstractions/fontconfig-cache-write>
|
||||
include <abstractions/disks-read>
|
||||
|
||||
network netlink raw,
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
/{usr/,}lib/baloo_file_extractor rix,
|
||||
|
||||
/usr/share/qt/translations/*.qm r,
|
||||
/usr/share/hwdata/pnp.ids r,
|
||||
|
||||
/etc/fstab r,
|
||||
/etc/machine-id r,
|
||||
|
||||
# Allow to search user files
|
||||
owner @{HOME}/{,**} r,
|
||||
owner @{MOUNTS}/{,**} r,
|
||||
owner /tmp/*/{,**} r,
|
||||
|
||||
owner @{user_config_dirs}/#[0-9]* rw,
|
||||
owner @{user_config_dirs}/baloofilerc rwl,
|
||||
owner @{user_config_dirs}/baloofilerc.lock rwkl,
|
||||
|
||||
owner @{user_share_dirs}/baloo/{,**} rwk,
|
||||
|
||||
@{PROC}/sys/kernel/core_pattern r,
|
||||
@{PROC}/sys/kernel/random/boot_id r,
|
||||
owner @{PROC}/@{pid}/mounts r,
|
||||
|
||||
/dev/tty r,
|
||||
|
||||
include if exists <local/baloo>
|
||||
}
|
||||
36
apparmor.d/groups/kde/kaccess
Normal file
36
apparmor.d/groups/kde/kaccess
Normal file
|
|
@ -0,0 +1,36 @@
|
|||
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = /{usr/,}bin/kaccess
|
||||
profile kaccess @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dri-common>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/mesa>
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
/{usr/,}bin/gsettings rPx,
|
||||
|
||||
/usr/share/icons/{,**} r,
|
||||
/usr/share/mime/{,**} r,
|
||||
/usr/share/qt{,5}/translations/*.qm r,
|
||||
/usr/share/hwdata/pnp.ids r,
|
||||
|
||||
owner @{HOME}/.Xauthority r,
|
||||
|
||||
owner @{user_cache_dirs}/icon-cache.kcache rw,
|
||||
|
||||
owner @{user_config_dirs}/kdedefaults/* r,
|
||||
owner @{user_config_dirs}/kdeglobals r,
|
||||
owner @{user_config_dirs}/kwinrc r,
|
||||
|
||||
/dev/tty r,
|
||||
|
||||
include if exists <local/kaccess>
|
||||
}
|
||||
52
apparmor.d/groups/kde/ksmserver
Normal file
52
apparmor.d/groups/kde/ksmserver
Normal file
|
|
@ -0,0 +1,52 @@
|
|||
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = /{usr/,}bin/ksmserver
|
||||
profile ksmserver @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dri-common>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/mesa>
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
/{usr/,}bin/rm rix,
|
||||
|
||||
/{usr/,}lib/kscreenlocker_greet rPx,
|
||||
|
||||
/usr/share/color-schemes/{,**} r,
|
||||
/usr/share/hwdata/pnp.ids r,
|
||||
/usr/share/icons/{,**} r,
|
||||
/usr/share/mime/{,**} r,
|
||||
/usr/share/qt/translations/*.qm r,
|
||||
/usr/share/knotifications5/*.notifyrc r,
|
||||
|
||||
owner @{HOME}/?????? rw,
|
||||
owner @{HOME}/.Xauthority rw,
|
||||
|
||||
owner @{user_cache_dirs}/icon-cache.kcache rw,
|
||||
|
||||
owner @{user_config_dirs}/kdedefaults/* r,
|
||||
owner @{user_config_dirs}/kdeglobals r,
|
||||
owner @{user_config_dirs}/kscreenlockerrc r,
|
||||
owner @{user_config_dirs}/ksmserverrc r,
|
||||
owner @{user_config_dirs}/kwinrc r,
|
||||
owner @{user_config_dirs}/session/*_[0-9]*_[0-9]*_[0-9]* rw,
|
||||
|
||||
owner /tmp/?????? rw,
|
||||
owner /tmp/.ICE-unix/* rw,
|
||||
|
||||
@{run}/systemd/inhibit/[0-9]*.ref rw,
|
||||
owner @{run}/user/@{uid}/KSMserver__[0-9] rw,
|
||||
|
||||
@{PROC}/sys/kernel/core_pattern r,
|
||||
|
||||
/dev/tty r,
|
||||
|
||||
include if exists <local/ksmserver>
|
||||
}
|
||||
56
apparmor.d/groups/kde/kwin_x11
Normal file
56
apparmor.d/groups/kde/kwin_x11
Normal file
|
|
@ -0,0 +1,56 @@
|
|||
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = /{usr/,}bin/kwin_x11
|
||||
profile kwin_x11 @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dri-common>
|
||||
include <abstractions/fonts>
|
||||
include <abstractions/freedesktop.org>
|
||||
include <abstractions/mesa>
|
||||
include <abstractions/nameservice-strict>
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
/{usr/,}lib/kwin_killer_helper rix,
|
||||
|
||||
/usr/share/hwdata/pnp.ids r,
|
||||
/usr/share/kwin/{,**} r,
|
||||
/usr/share/X11/xkb/{,**} r,
|
||||
/usr/share/plasma/desktoptheme/{,**} r,
|
||||
/usr/share/qt/translations/*.qm r,
|
||||
|
||||
/etc/machine-id r,
|
||||
|
||||
owner @{HOME}/.Xauthority r,
|
||||
|
||||
owner @{user_cache_dirs}/ r,
|
||||
owner @{user_cache_dirs}/#[0-9]* rw,
|
||||
owner @{user_cache_dirs}/icon-cache.kcache rw,
|
||||
owner @{user_cache_dirs}/kwin/{,**} rwl,
|
||||
owner @{user_cache_dirs}/plasma_theme_default_*.kcache rw,
|
||||
owner @{user_cache_dirs}/plasma-svgelements.lock rwk,
|
||||
owner @{user_cache_dirs}/plasma-svgelements{,.??????} rwl,
|
||||
owner @{user_cache_dirs}/qtshadercache-*/@{hex} r,
|
||||
|
||||
owner @{user_config_dirs}/#[0-9]* rw,
|
||||
owner @{user_config_dirs}/kcminputrc r,
|
||||
owner @{user_config_dirs}/kdedefaults/* r,
|
||||
owner @{user_config_dirs}/kdeglobals r,
|
||||
owner @{user_config_dirs}/kwinrc.lock rwk,
|
||||
owner @{user_config_dirs}/kwinrc{,.??????} rwl,
|
||||
owner @{user_config_dirs}/kwinrulesrc r,
|
||||
owner @{user_config_dirs}/kxkbrc r,
|
||||
|
||||
@{PROC}/sys/kernel/core_pattern r,
|
||||
|
||||
/dev/tty r,
|
||||
|
||||
include if exists <local/kwin_x11>
|
||||
}
|
||||
|
||||
64
apparmor.d/groups/kde/startplasma-x11
Normal file
64
apparmor.d/groups/kde/startplasma-x11
Normal file
|
|
@ -0,0 +1,64 @@
|
|||
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = /{usr/,}bin/startplasma-x11
|
||||
profile startplasma-x11 @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/freedesktop.org>
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
/{usr/,}bin/kapplymousetheme rPUx,
|
||||
/{usr/,}bin/ksplashqml rPUx,
|
||||
/{usr/,}bin/xrdb rPx,
|
||||
/{usr/,}bin/xsetroot rPx,
|
||||
|
||||
/usr/share/color-schemes/{,**} r,
|
||||
/usr/share/desktop-directories/{,**} r,
|
||||
/usr/share/knotifications5/{,**} r,
|
||||
/usr/share/kservices5/{,**} r,
|
||||
/usr/share/kservicetypes5/{,**} r,
|
||||
/usr/share/mime/{,**} r,
|
||||
/usr/share/plasma/{,**} r,
|
||||
/usr/share/qt/translations/*.qm r,
|
||||
|
||||
/etc/xdg/menus/{,*.menu} r,
|
||||
/etc/machine-id r,
|
||||
|
||||
owner @{HOME}/.Xauthority r,
|
||||
|
||||
owner @{user_cache_dirs}/ rw,
|
||||
owner @{user_cache_dirs}/#[0-9]* rw,
|
||||
owner @{user_cache_dirs}/kcrash-metadata/ rw,
|
||||
owner @{user_cache_dirs}/ksycoca5_* rwkl,
|
||||
owner @{user_cache_dirs}/plasma-svgelements rw,
|
||||
|
||||
owner @{user_config_dirs}/gtkrc rl,
|
||||
owner @{user_config_dirs}/gtkrc-2.0 rl,
|
||||
owner @{user_config_dirs}/kcminputrc r,
|
||||
owner @{user_config_dirs}/kdedefaults/ rw,
|
||||
owner @{user_config_dirs}/kdedefaults/** rwkl -> @{user_config_dirs}/kdedefaults/**,
|
||||
owner @{user_config_dirs}/kdeglobals{,.??????} rwl,
|
||||
owner @{user_config_dirs}/kwinkdeglobalsrc.lock rwk,
|
||||
owner @{user_config_dirs}/plasma-localerc rwl,
|
||||
owner @{user_config_dirs}/plasma-localerc.lock rwk,
|
||||
owner @{user_config_dirs}/Trolltech.conf rwl,
|
||||
owner @{user_config_dirs}/Trolltech.conf.lock rwk,
|
||||
|
||||
owner @{user_share_dirs}/sddm/xorg-session.log rw,
|
||||
|
||||
owner /tmp/#[0-9][0-9] rw,
|
||||
owner /tmp/startplasma-x11.?????? rwl,
|
||||
|
||||
@{PROC}/sys/kernel/core_pattern r,
|
||||
@{PROC}/sys/kernel/random/boot_id r,
|
||||
|
||||
/dev/tty r,
|
||||
|
||||
include if exists <local/startplasma-x11>
|
||||
}
|
||||
|
|
@ -13,6 +13,7 @@ avahi-browse complain
|
|||
avahi-publish complain
|
||||
avahi-resolve complain
|
||||
avahi-set-host-name complain
|
||||
baloo complain
|
||||
busctl complain
|
||||
cc-remote-login-helper complain
|
||||
cfdisk complain
|
||||
|
|
@ -123,9 +124,12 @@ install-info complain
|
|||
irqbalance complain
|
||||
iwctl complain
|
||||
iwd complain
|
||||
kaccess complain
|
||||
kernel-install complain
|
||||
kgx complain
|
||||
kmod attach_disconnected,complain
|
||||
ksmserver attach_disconnected,complain
|
||||
kwin_x11 complain
|
||||
landscape-sysinfo complain
|
||||
landscape-sysinfo.wrapper complain
|
||||
last complain
|
||||
|
|
@ -181,6 +185,7 @@ s3fs complain
|
|||
sbctl complain
|
||||
scrcpy complain
|
||||
sdcv complain
|
||||
sddm attach_disconnected,complain
|
||||
sftp-server complain
|
||||
slirp4netns attach_disconnected,complain
|
||||
snap complain
|
||||
|
|
@ -196,6 +201,8 @@ ss complain
|
|||
ssh complain
|
||||
sshd attach_disconnected,complain
|
||||
ssservice complain
|
||||
startplasma-x11 complain
|
||||
startx attach_disconnected,complain
|
||||
steam attach_disconnected,mediate_deleted,complain
|
||||
steam-fossilize attach_disconnected,complain
|
||||
steam-game attach_disconnected,complain
|
||||
|
|
|
|||
Loading…
Reference in a new issue