feat(profile): improve kde integration.

apparmor.d/abstractions/chromium

@@ -87,11 +87,16 @@
   @{bin}/chrome-gnome-shell            rPx,
   @{bin}/gnome-browser-connector-host  rPx,
 
+  # Plasma integration
+  @{bin}/plasma-browser-integration-host rPx,
+
   /usr/share/@{name}/{,**} r,
   /usr/share/chromium/extensions/{,**} r,
   /usr/share/egl/{,**} r,
+  /usr/share/hwdata/pnp.ids r,
   /usr/share/libdrm/*.ids r,
   /usr/share/mozilla/extensions/{,**} r,
+  /usr/share/qt{5,}/translations/*.qm r,
   /usr/share/webext/{,**} r,
 
   /etc/@{name}/{,**} r,

apparmor.d/groups/bus/ibus-memconf

@@ -12,6 +12,8 @@ profile ibus-memconf @{exec_path} {
   include <abstractions/ibus>
   include <abstractions/nameservice-strict>
 
+  signal (receive) set=(term) peer=ibus-daemon,
+
   @{exec_path} mr,
 
   /etc/machine-id r,

apparmor.d/groups/freedesktop/xdg-mime

@@ -31,6 +31,7 @@ profile xdg-mime @{exec_path} flags=(attach_disconnected) {
   @{bin}/gio        rPx,
   @{bin}/mimetype   rPx,
   @{bin}/xprop      rPx,
+  @{bin}/ktraderclient5 rPx,
 
   /usr/share/terminfo/x/xterm-256color r,
 

apparmor.d/groups/freedesktop/xrdb

@@ -35,6 +35,8 @@ profile xrdb @{exec_path} {
   owner @{user_config_dirs}/Xresources/.Xresources r,
   owner @{user_config_dirs}/Xresources/* r,
 
+  owner @{user_share_dirs}/sddm/wayland-session.log w,
+
   owner /tmp/kcminit.* r,
   owner /tmp/plasma-apply-lookandfeel.* r,
   owner /tmp/runtime-*/xauth_@{rand6} r,

apparmor.d/groups/freedesktop/xsetroot

@@ -24,6 +24,7 @@ profile xsetroot @{exec_path} {
   owner @{HOME}/.xsession-errors w,
 
   owner @{user_share_dirs}/sddm/xorg-session.log w,
+  owner @{user_share_dirs}/sddm/wayland-session.log w,
 
   owner /tmp/xauth_@{rand6} r,
 
@@ -31,5 +32,7 @@ profile xsetroot @{exec_path} {
   @{run}/user/@{uid}/xauth_@{rand6} rl,
   @{run}/sddm/xauth_@{rand6} r,
 
+  /dev/tty@{int} rw,
+
   include if exists <local/xsetroot>
 }

apparmor.d/groups/kde/baloorunner

@@ -13,6 +13,7 @@ profile baloorunner @{exec_path} {
   include <abstractions/dri-enumerate>
   include <abstractions/freedesktop.org>
   include <abstractions/mesa>
+  include <abstractions/nameservice-strict>
   include <abstractions/qt5>
   include <abstractions/vulkan>
 

apparmor.d/groups/kde/kconf_update

@@ -9,16 +9,20 @@ include <tunables/global>
 @{exec_path} = @{lib}/kf5/kconf_update
 profile kconf_update @{exec_path} {
   include <abstractions/base>
+  include <abstractions/dconf-write>
   include <abstractions/dri-common>
   include <abstractions/dri-enumerate>
   include <abstractions/fonts>
   include <abstractions/freedesktop.org>
+  include <abstractions/gtk>
   include <abstractions/mesa>
   include <abstractions/perl>
   include <abstractions/python>
   include <abstractions/qt5>
   include <abstractions/vulkan>
 
+  ptrace (read),
+
   @{exec_path} mr,
 
   @{bin}/{,ba,da}sh                      rix,
@@ -38,6 +42,8 @@ profile kconf_update @{exec_path} {
   /etc/machine-id r,
   /etc/xdg/kdeglobals r,
   /etc/xdg/konsolerc r,
+  /etc/xdg/ui/ui_standards.rc r,
+
 
   owner @{user_cache_dirs}/icon-cache.kcache rw,
 
@@ -78,6 +84,10 @@ profile kconf_update @{exec_path} {
   owner @{user_config_dirs}/kxkbrc.lock rwk,
   owner @{user_config_dirs}/kxkbrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
   owner @{user_config_dirs}/plasmashellrc r,
+  owner @{user_config_dirs}/kactivitymanagerd-statsrc rw,
+  owner @{user_config_dirs}/plasma-org.kde.plasma.desktop-appletsrc rw,
+  owner @{user_config_dirs}/sed@{rand6} rw,
+  owner @{user_config_dirs}/xsettingsd/xsettingsd.conf rw,
 
   owner @{user_share_dirs}/#@{int} rw,
   owner @{user_share_dirs}/krunnerstaterc.lock rwk,
@@ -87,7 +97,18 @@ profile kconf_update @{exec_path} {
   owner /tmp/kconf_update.@{rand6}.lock rwk,
   owner /tmp/kconf_update.@{rand6}{,.@{rand6}} rwl -> /tmp/#@{int},
 
-  @{PROC}/@{sys}/kernel/random/boot_id r,
+  @{sys}/devices/system/node/ r,
+  @{sys}/devices/system/node/node@{int}/meminfo r,
+
+        @{PROC}/ r,
+        @{PROC}/@{sys}/kernel/random/boot_id r,
+        @{PROC}/tty/drivers r,
+        @{PROC}/uptime r,
+  owner @{PROC}/@{pid}/cgroup r,
+  owner @{PROC}/@{pid}/cmdline r,
+  owner @{PROC}/@{pid}/stat r,
+
+  /dev/tty rw,
 
   include if exists <local/kconf_update>
 }

apparmor.d/groups/kde/kglobalaccel5

@@ -15,6 +15,8 @@ profile kglobalaccel5 @{exec_path} {
 
   @{exec_path} mr,
 
+  @{bin}/kstart rPUx,
+
   /usr/share/hwdata/*.ids r,
   /usr/share/icu/@{int}.@{int}/*.dat r,
   /usr/share/kglobalaccel/{,**} r,

apparmor.d/groups/kde/kioslave5

@@ -42,6 +42,7 @@ profile kioslave5 @{exec_path} {
 
   /usr/share/hwdata/*.ids r,
   /usr/share/icu/@{int}.@{int}/*.dat r,
+  /usr/share/kio_desktop/directory.desktop r,
   /usr/share/kservices5/{,**} r,
   /usr/share/kservicetypes5/*.desktop r,
   /usr/share/mime/ r,

apparmor.d/groups/kde/kwalletd5

@@ -23,7 +23,7 @@ profile kwalletd5 @{exec_path} {
   include <abstractions/qt5>
   include <abstractions/vulkan>
   include <abstractions/wayland>
-  include <abstractions/X>
+  include <abstractions/X-strict>
 
   @{exec_path} mr,
 
@@ -45,19 +45,18 @@ profile kwalletd5 @{exec_path} {
 
   owner @{user_cache_dirs}/icon-cache.kcache rw,
 
+  owner @{user_config_dirs}/#@{int} rw,
   owner @{user_config_dirs}/kdedefaults/kdeglobals r,
   owner @{user_config_dirs}/kdedefaults/kwinrc r,
   owner @{user_config_dirs}/kdeglobals r,
   owner @{user_config_dirs}/kwalletrc r,
+  owner @{user_config_dirs}/kwalletrc rwl -> @{user_config_dirs}/#@{int},
+  owner @{user_config_dirs}/kwalletrc.lock rwk,
   owner @{user_config_dirs}/kwinrc r,
   owner @{user_config_dirs}/qt5ct/{,**} r,
 
   owner @{user_share_dirs}/kwalletd/ rw,
-  owner @{user_share_dirs}/kwalletd/kdewallet_attributes.json r,
-  owner @{user_share_dirs}/kwalletd/*.kwl rw,
-  owner @{user_share_dirs}/kwalletd/*.kwl.* rwl -> @{user_share_dirs}/kwalletd/#@{int},
-  owner @{user_share_dirs}/kwalletd/*.salt rw,
-  owner @{user_share_dirs}/kwalletd/#@{int} rw,
+  owner @{user_share_dirs}/kwalletd/** rwkl -> @{user_share_dirs}/kwalletd/#@{int},
 
   owner /tmp/kwalletd5.* rw,
   owner /tmp/runtime-*/xauth_@{rand6} r,

apparmor.d/groups/kde/plasma-browser-integration-host

@@ -0,0 +1,43 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{bin}/plasma-browser-integration-host
+profile plasma-browser-integration-host @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/dri-common>
+  include <abstractions/dri-enumerate>
+  include <abstractions/freedesktop.org>
+  include <abstractions/mesa>
+  include <abstractions/qt5>
+  include <abstractions/vulkan>
+  include <abstractions/nameservice-strict>
+
+  capability sys_ptrace,
+
+  ptrace (read) peer={chromium,brave,chrome,opera},
+
+  @{exec_path} mr,
+
+  /usr/share/kservices5/{,**} r,
+
+  owner @{user_cache_dirs}/ksycoca5_* r,
+  owner @{user_cache_dirs}/icon-cache.kcache rw,
+
+  owner @{user_config_dirs}/ r,
+  owner @{user_config_dirs}/kdedefaults/ r,
+  owner @{user_config_dirs}/kdedefaults/kdeglobals r,
+  owner @{user_config_dirs}/kdedefaults/kwinrc r,
+  owner @{user_config_dirs}/kdeglobals r,
+  owner @{user_config_dirs}/kwinrc r,
+
+        @{PROC}/sys/kernel/core_pattern r,
+  owner @{PROC}/@{pid}/cmdline r,
+  owner @{PROC}/@{pid}/stat r,
+
+  include if exists <local/plasma-browser-integration-host>
+}

apparmor.d/groups/kde/plasma-discover

@@ -87,5 +87,7 @@ profile plasma-discover @{exec_path} {
         @{PROC}/sys/kernel/random/boot_id r,
   owner @{PROC}/@{pid}/mountinfo r,
 
+  /dev/tty r,
+
   include if exists <local/plasma-discover>
 }

dists/flags/main.flags

@@ -224,6 +224,7 @@ pinentry-gnome3 complain
 pinentry-gtk-2 complain
 pkexec complain
 pkttyagent complain
+plasma-browser-integration-host complain
 plasma-discover complain
 plasmashell mediate_deleted,complain
 plymouth complain