From 2aace6bccb711102958aca301d252609d1995552 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 29 Sep 2023 19:33:09 +0100 Subject: [PATCH] feat(profile): improve kde integration. --- apparmor.d/abstractions/chromium | 5 +++ apparmor.d/groups/bus/ibus-memconf | 2 + apparmor.d/groups/freedesktop/xdg-mime | 1 + apparmor.d/groups/freedesktop/xrdb | 2 + apparmor.d/groups/freedesktop/xsetroot | 3 ++ apparmor.d/groups/kde/baloorunner | 1 + apparmor.d/groups/kde/kconf_update | 25 ++++++++++- apparmor.d/groups/kde/kglobalaccel5 | 2 + apparmor.d/groups/kde/kioslave5 | 1 + apparmor.d/groups/kde/kwalletd5 | 11 +++-- .../kde/plasma-browser-integration-host | 43 +++++++++++++++++++ apparmor.d/groups/kde/plasma-discover | 2 + dists/flags/main.flags | 1 + 13 files changed, 91 insertions(+), 8 deletions(-) create mode 100644 apparmor.d/groups/kde/plasma-browser-integration-host diff --git a/apparmor.d/abstractions/chromium b/apparmor.d/abstractions/chromium index 997c163e..ad304ba2 100644 --- a/apparmor.d/abstractions/chromium +++ b/apparmor.d/abstractions/chromium @@ -87,11 +87,16 @@ @{bin}/chrome-gnome-shell rPx, @{bin}/gnome-browser-connector-host rPx, + # Plasma integration + @{bin}/plasma-browser-integration-host rPx, + /usr/share/@{name}/{,**} r, /usr/share/chromium/extensions/{,**} r, /usr/share/egl/{,**} r, + /usr/share/hwdata/pnp.ids r, /usr/share/libdrm/*.ids r, /usr/share/mozilla/extensions/{,**} r, + /usr/share/qt{5,}/translations/*.qm r, /usr/share/webext/{,**} r, /etc/@{name}/{,**} r, diff --git a/apparmor.d/groups/bus/ibus-memconf b/apparmor.d/groups/bus/ibus-memconf index b0ea9309..9e09e32b 100644 --- a/apparmor.d/groups/bus/ibus-memconf +++ b/apparmor.d/groups/bus/ibus-memconf @@ -12,6 +12,8 @@ profile ibus-memconf @{exec_path} { include include + signal (receive) set=(term) peer=ibus-daemon, + @{exec_path} mr, /etc/machine-id r, diff --git a/apparmor.d/groups/freedesktop/xdg-mime b/apparmor.d/groups/freedesktop/xdg-mime index ab009685..364c6a8b 100644 
--- a/apparmor.d/groups/freedesktop/xdg-mime +++ b/apparmor.d/groups/freedesktop/xdg-mime @@ -31,6 +31,7 @@ profile xdg-mime @{exec_path} flags=(attach_disconnected) { @{bin}/gio rPx, @{bin}/mimetype rPx, @{bin}/xprop rPx, + @{bin}/ktraderclient5 rPx, /usr/share/terminfo/x/xterm-256color r, diff --git a/apparmor.d/groups/freedesktop/xrdb b/apparmor.d/groups/freedesktop/xrdb index c6137bda..910f769b 100644 --- a/apparmor.d/groups/freedesktop/xrdb +++ b/apparmor.d/groups/freedesktop/xrdb @@ -35,6 +35,8 @@ profile xrdb @{exec_path} { owner @{user_config_dirs}/Xresources/.Xresources r, owner @{user_config_dirs}/Xresources/* r, + owner @{user_share_dirs}/sddm/wayland-session.log w, + owner /tmp/kcminit.* r, owner /tmp/plasma-apply-lookandfeel.* r, owner /tmp/runtime-*/xauth_@{rand6} r, diff --git a/apparmor.d/groups/freedesktop/xsetroot b/apparmor.d/groups/freedesktop/xsetroot index bca531ac..3f06e2ae 100644 --- a/apparmor.d/groups/freedesktop/xsetroot +++ b/apparmor.d/groups/freedesktop/xsetroot @@ -24,6 +24,7 @@ profile xsetroot @{exec_path} { owner @{HOME}/.xsession-errors w, owner @{user_share_dirs}/sddm/xorg-session.log w, + owner @{user_share_dirs}/sddm/wayland-session.log w, owner /tmp/xauth_@{rand6} r, @@ -31,5 +32,7 @@ profile xsetroot @{exec_path} { @{run}/user/@{uid}/xauth_@{rand6} rl, @{run}/sddm/xauth_@{rand6} r, + /dev/tty@{int} rw, + include if exists } diff --git a/apparmor.d/groups/kde/baloorunner b/apparmor.d/groups/kde/baloorunner index f330a835..0ea9eb3d 100644 --- a/apparmor.d/groups/kde/baloorunner +++ b/apparmor.d/groups/kde/baloorunner @@ -13,6 +13,7 @@ profile baloorunner @{exec_path} { include include include + include include include diff --git a/apparmor.d/groups/kde/kconf_update b/apparmor.d/groups/kde/kconf_update index d729f700..a3d39a16 100644 --- a/apparmor.d/groups/kde/kconf_update +++ b/apparmor.d/groups/kde/kconf_update 
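Review bot: `@{bin}/ktraderclient5 rPx,` in the xdg-mime hunk transitions to a profile named ktraderclient5, and with `Px` the exec is refused when no profile of that name is loaded; this patch does not add one, so either confirm the profile already exists in the set or document why the strict form was chosen over the fallback `@{bin}/ktraderclient5 rPUx,`. A short comment next to the rule naming the caller path that triggered it would make that intent clear. The xdg-mime profile body continues outside the hunk.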
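Review bot: `/dev/tty@{int} rw,` in the second xsetroot hunk grants read and write on every virtual terminal device, which is broader than the per-session log and xauth files around it. If the denial behind it is only the session's diagnostics going to the terminal it was started on, `/dev/tty@{int} w,` (or the controlling-terminal form `/dev/tty rw,`, which the plasma-discover hunk later in this patch uses with `r` only) would be narrower. A one-line comment naming the operation that needs it would help whoever tightens this later. The profile's body runs past the hunk.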
@@ -9,16 +9,20 @@ include @{exec_path} = @{lib}/kf5/kconf_update profile kconf_update @{exec_path} { include + include include include include include + include include include include include include + ptrace (read), + @{exec_path} mr, @{bin}/{,ba,da}sh rix, @@ -38,7 +42,9 @@ profile kconf_update @{exec_path} { /etc/machine-id r, /etc/xdg/kdeglobals r, /etc/xdg/konsolerc r, - + /etc/xdg/ui/ui_standards.rc r, + + owner @{user_cache_dirs}/icon-cache.kcache rw, owner @{user_config_dirs}/#@{int} rw, @@ -78,6 +84,10 @@ profile kconf_update @{exec_path} { owner @{user_config_dirs}/kxkbrc.lock rwk, owner @{user_config_dirs}/kxkbrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/plasmashellrc r, + owner @{user_config_dirs}/kactivitymanagerd-statsrc rw, + owner @{user_config_dirs}/plasma-org.kde.plasma.desktop-appletsrc rw, + owner @{user_config_dirs}/sed@{rand6} rw, + owner @{user_config_dirs}/xsettingsd/xsettingsd.conf rw, owner @{user_share_dirs}/#@{int} rw, owner @{user_share_dirs}/krunnerstaterc.lock rwk, @@ -87,7 +97,18 @@ profile kconf_update @{exec_path} { owner /tmp/kconf_update.@{rand6}.lock rwk, owner /tmp/kconf_update.@{rand6}{,.@{rand6}} rwl -> /tmp/#@{int}, - @{PROC}/@{sys}/kernel/random/boot_id r, + @{sys}/devices/system/node/ r, + @{sys}/devices/system/node/node@{int}/meminfo r, + + @{PROC}/ r, + @{PROC}/@{sys}/kernel/random/boot_id r, + @{PROC}/tty/drivers r, + @{PROC}/uptime r, + owner @{PROC}/@{pid}/cgroup r, + owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/stat r, + + /dev/tty rw, include if exists } diff --git a/apparmor.d/groups/kde/kglobalaccel5 b/apparmor.d/groups/kde/kglobalaccel5 index 1c3cd27c..dd19481d 100644 --- a/apparmor.d/groups/kde/kglobalaccel5 +++ b/apparmor.d/groups/kde/kglobalaccel5 @@ -15,6 +15,8 @@ profile kglobalaccel5 @{exec_path} { @{exec_path} mr, + @{bin}/kstart rPUx, + /usr/share/hwdata/*.ids r, /usr/share/icu/@{int}.@{int}/*.dat r, /usr/share/kglobalaccel/{,**} r, 
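Review bot: `ptrace (read),` in the first kconf_update hunk has no peer restriction, so it allows reading the /proc state of any confined process rather than only kconf_update's own. The /proc rules added in the third hunk (`owner @{PROC}/@{pid}/cgroup r,`, `owner @{PROC}/@{pid}/cmdline r,`, `owner @{PROC}/@{pid}/stat r,`) are all owner-scoped, which suggests the reads are of same-uid processes; if they are only of the process itself, `ptrace (read) peer=kconf_update,` suffices, and if the shell scripts it runs via `@{bin}/{,ba,da}sh rix` inspect other KDE processes, naming those peers keeps the rule auditable. Either way a comment recording which tool produced the denial would justify the grant. The profile body continues beyond all three hunks.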
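Review bot: `@{bin}/kstart rPUx,` in the kglobalaccel5 hunk falls back to unconfined execution when no kstart profile is loaded, and kstart is a launcher, so anything it starts would then run unconfined as well. Because global shortcuts are a route by which user-configured commands get executed, a dedicated kstart profile with `@{bin}/kstart rPx,` would be preferable; if the `U` fallback is deliberate until such a profile exists, a comment saying so would keep it from being read as an oversight. The kglobalaccel5 profile continues outside the hunk.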
diff --git a/apparmor.d/groups/kde/kioslave5 b/apparmor.d/groups/kde/kioslave5 index d9c5fbf0..b7795ffc 100644 --- a/apparmor.d/groups/kde/kioslave5 +++ b/apparmor.d/groups/kde/kioslave5 @@ -42,6 +42,7 @@ profile kioslave5 @{exec_path} { /usr/share/hwdata/*.ids r, /usr/share/icu/@{int}.@{int}/*.dat r, + /usr/share/kio_desktop/directory.desktop r, /usr/share/kservices5/{,**} r, /usr/share/kservicetypes5/*.desktop r, /usr/share/mime/ r, diff --git a/apparmor.d/groups/kde/kwalletd5 b/apparmor.d/groups/kde/kwalletd5 index aa156671..5c7d125c 100644 --- a/apparmor.d/groups/kde/kwalletd5 +++ b/apparmor.d/groups/kde/kwalletd5 @@ -23,7 +23,7 @@ profile kwalletd5 @{exec_path} { include include include - include + include @{exec_path} mr, @@ -45,19 +45,18 @@ profile kwalletd5 @{exec_path} { owner @{user_cache_dirs}/icon-cache.kcache rw, + owner @{user_config_dirs}/#@{int} rw, owner @{user_config_dirs}/kdedefaults/kdeglobals r, owner @{user_config_dirs}/kdedefaults/kwinrc r, owner @{user_config_dirs}/kdeglobals r, owner @{user_config_dirs}/kwalletrc r, + owner @{user_config_dirs}/kwalletrc rwl -> @{user_config_dirs}/#@{int}, + owner @{user_config_dirs}/kwalletrc.lock rwk, owner @{user_config_dirs}/kwinrc r, owner @{user_config_dirs}/qt5ct/{,**} r, owner @{user_share_dirs}/kwalletd/ rw, - owner @{user_share_dirs}/kwalletd/kdewallet_attributes.json r, - owner @{user_share_dirs}/kwalletd/*.kwl rw, - owner @{user_share_dirs}/kwalletd/*.kwl.* rwl -> @{user_share_dirs}/kwalletd/#@{int}, - owner @{user_share_dirs}/kwalletd/*.salt rw, - owner @{user_share_dirs}/kwalletd/#@{int} rw, + owner @{user_share_dirs}/kwalletd/** rwkl -> @{user_share_dirs}/kwalletd/#@{int}, owner /tmp/kwalletd5.* rw, owner /tmp/runtime-*/xauth_@{rand6} r, diff --git a/apparmor.d/groups/kde/plasma-browser-integration-host b/apparmor.d/groups/kde/plasma-browser-integration-host new file mode 100644 index 00000000..1ac9d9ec --- /dev/null +++ b/apparmor.d/groups/kde/plasma-browser-integration-host 
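Review bot: the retained line `owner @{user_config_dirs}/kwalletrc r,` in the second kwalletd5 hunk is now fully subsumed by the added `owner @{user_config_dirs}/kwalletrc rwl -> @{user_config_dirs}/#@{int},` and can be dropped. The replacement `owner @{user_share_dirs}/kwalletd/** rwkl -> @{user_share_dirs}/kwalletd/#@{int},` also widens `kdewallet_attributes.json` from the previous `r` to read/write/lock/link; if that file is only ever read, keeping a separate read-only rule for it preserves the earlier precision, otherwise a short comment that the daemon owns the whole wallet directory would justify the wildcard. The kwalletd5 profile body runs past the hunk.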
@@ -0,0 +1,43 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/plasma-browser-integration-host +profile plasma-browser-integration-host @{exec_path} { + include + include + include + include + include + include + include + include + + capability sys_ptrace, + + ptrace (read) peer={chromium,brave,chrome,opera}, + + @{exec_path} mr, + + /usr/share/kservices5/{,**} r, + + owner @{user_cache_dirs}/ksycoca5_* r, + owner @{user_cache_dirs}/icon-cache.kcache rw, + + owner @{user_config_dirs}/ r, + owner @{user_config_dirs}/kdedefaults/ r, + owner @{user_config_dirs}/kdedefaults/kdeglobals r, + owner @{user_config_dirs}/kdedefaults/kwinrc r, + owner @{user_config_dirs}/kdeglobals r, + owner @{user_config_dirs}/kwinrc r, + + @{PROC}/sys/kernel/core_pattern r, + owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/stat r, + + include if exists +} \ No newline at end of file diff --git a/apparmor.d/groups/kde/plasma-discover b/apparmor.d/groups/kde/plasma-discover index df373319..f8efa942 100644 --- a/apparmor.d/groups/kde/plasma-discover +++ b/apparmor.d/groups/kde/plasma-discover @@ -87,5 +87,7 @@ profile plasma-discover @{exec_path} { @{PROC}/sys/kernel/random/boot_id r, owner @{PROC}/@{pid}/mountinfo r, + /dev/tty r, + include if exists } \ No newline at end of file diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 15eb39a5..77130446 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -224,6 +224,7 @@ pinentry-gnome3 complain pinentry-gtk-2 complain pkexec complain pkttyagent complain +plasma-browser-integration-host complain plasma-discover complain plasmashell mediate_deleted,complain plymouth complain
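Review bot: `capability sys_ptrace,` in the new plasma-browser-integration-host profile is a strong grant, and the only /proc rules in the file are owner-scoped (`owner @{PROC}/@{pid}/cmdline r,`, `owner @{PROC}/@{pid}/stat r,`), so the peer-limited `ptrace (read) peer={chromium,brave,chrome,opera},` may already be all that is needed to read the parent browser's entries. Keep the capability only if the audit log shows a denial without it, and record that reason in a comment above the rule; since the main.flags hunk starts this profile in complain mode, that check fits naturally before it is moved to enforce. The file also ends without a trailing newline (`\ No newline at end of file`).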