mirrors/apparmor.d
1
0
Fork 0
mirror of https://github.com/roddhjav/apparmor.d.git synced 2025-01-18 08:58:15 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

feat(profile): improve kde integration.

Browse source
This commit is contained in:
Alexandre Pujol 2023-09-29 19:33:09 +01:00
parent 047c819e8c
commit 2aace6bccb
Failed to generate hash of commit
13 changed files with 91 additions and 8 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
apparmor.d/abstractions/chromium
View file

@ -87,11 +87,16 @@
@{bin}/chrome-gnome-shell rPx,
@{bin}/gnome-browser-connector-host rPx,
# Plasma integration
@{bin}/plasma-browser-integration-host rPx,
/usr/share/@{name}/{,**} r,
/usr/share/chromium/extensions/{,**} r,
/usr/share/egl/{,**} r,
/usr/share/hwdata/pnp.ids r,
/usr/share/libdrm/*.ids r,
/usr/share/mozilla/extensions/{,**} r,
/usr/share/qt{5,}/translations/*.qm r,
/usr/share/webext/{,**} r,
/etc/@{name}/{,**} r,

2
apparmor.d/groups/bus/ibus-memconf
View file

@ -12,6 +12,8 @@ profile ibus-memconf @{exec_path} {
include <abstractions/ibus>
include <abstractions/nameservice-strict>
signal (receive) set=(term) peer=ibus-daemon,
@{exec_path} mr,
/etc/machine-id r,

1
apparmor.d/groups/freedesktop/xdg-mime
View file

@ -31,6 +31,7 @@ profile xdg-mime @{exec_path} flags=(attach_disconnected) {
@{bin}/gio rPx,
@{bin}/mimetype rPx,
@{bin}/xprop rPx,
@{bin}/ktraderclient5 rPx,
/usr/share/terminfo/x/xterm-256color r,

2
apparmor.d/groups/freedesktop/xrdb
View file

@ -35,6 +35,8 @@ profile xrdb @{exec_path} {
owner @{user_config_dirs}/Xresources/.Xresources r,
owner @{user_config_dirs}/Xresources/* r,
owner @{user_share_dirs}/sddm/wayland-session.log w,
owner /tmp/kcminit.* r,
owner /tmp/plasma-apply-lookandfeel.* r,
owner /tmp/runtime-*/xauth_@{rand6} r,

3
apparmor.d/groups/freedesktop/xsetroot
View file

@ -24,6 +24,7 @@ profile xsetroot @{exec_path} {
owner @{HOME}/.xsession-errors w,
owner @{user_share_dirs}/sddm/xorg-session.log w,
owner @{user_share_dirs}/sddm/wayland-session.log w,
owner /tmp/xauth_@{rand6} r,
@ -31,5 +32,7 @@ profile xsetroot @{exec_path} {
@{run}/user/@{uid}/xauth_@{rand6} rl,
@{run}/sddm/xauth_@{rand6} r,
/dev/tty@{int} rw,
include if exists <local/xsetroot>
}

1
apparmor.d/groups/kde/baloorunner
View file

@ -13,6 +13,7 @@ profile baloorunner @{exec_path} {
include <abstractions/dri-enumerate>
include <abstractions/freedesktop.org>
include <abstractions/mesa>
include <abstractions/nameservice-strict>
include <abstractions/qt5>
include <abstractions/vulkan>

25
apparmor.d/groups/kde/kconf_update
View file

@ -9,16 +9,20 @@ include <tunables/global>
@{exec_path} = @{lib}/kf5/kconf_update
profile kconf_update @{exec_path} {
include <abstractions/base>
include <abstractions/dconf-write>
include <abstractions/dri-common>
include <abstractions/dri-enumerate>
include <abstractions/fonts>
include <abstractions/freedesktop.org>
include <abstractions/gtk>
include <abstractions/mesa>
include <abstractions/perl>
include <abstractions/python>
include <abstractions/qt5>
include <abstractions/vulkan>
ptrace (read),
@{exec_path} mr,
@{bin}/{,ba,da}sh rix,
@ -38,7 +42,9 @@ profile kconf_update @{exec_path} {
/etc/machine-id r,
/etc/xdg/kdeglobals r,
/etc/xdg/konsolerc r,
/etc/xdg/ui/ui_standards.rc r,
owner @{user_cache_dirs}/icon-cache.kcache rw,
owner @{user_config_dirs}/#@{int} rw,
@ -78,6 +84,10 @@ profile kconf_update @{exec_path} {
owner @{user_config_dirs}/kxkbrc.lock rwk,
owner @{user_config_dirs}/kxkbrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
owner @{user_config_dirs}/plasmashellrc r,
owner @{user_config_dirs}/kactivitymanagerd-statsrc rw,
owner @{user_config_dirs}/plasma-org.kde.plasma.desktop-appletsrc rw,
owner @{user_config_dirs}/sed@{rand6} rw,
owner @{user_config_dirs}/xsettingsd/xsettingsd.conf rw,
owner @{user_share_dirs}/#@{int} rw,
owner @{user_share_dirs}/krunnerstaterc.lock rwk,
@ -87,7 +97,18 @@ profile kconf_update @{exec_path} {
owner /tmp/kconf_update.@{rand6}.lock rwk,
owner /tmp/kconf_update.@{rand6}{,.@{rand6}} rwl -> /tmp/#@{int},
@{PROC}/@{sys}/kernel/random/boot_id r,
@{sys}/devices/system/node/ r,
@{sys}/devices/system/node/node@{int}/meminfo r,
@{PROC}/ r,
@{PROC}/@{sys}/kernel/random/boot_id r,
@{PROC}/tty/drivers r,
@{PROC}/uptime r,
owner @{PROC}/@{pid}/cgroup r,
owner @{PROC}/@{pid}/cmdline r,
owner @{PROC}/@{pid}/stat r,
/dev/tty rw,
include if exists <local/kconf_update>
}

2
apparmor.d/groups/kde/kglobalaccel5
View file

@ -15,6 +15,8 @@ profile kglobalaccel5 @{exec_path} {
@{exec_path} mr,
@{bin}/kstart rPUx,
/usr/share/hwdata/*.ids r,
/usr/share/icu/@{int}.@{int}/*.dat r,
/usr/share/kglobalaccel/{,**} r,

1
apparmor.d/groups/kde/kioslave5
View file

@ -42,6 +42,7 @@ profile kioslave5 @{exec_path} {
/usr/share/hwdata/*.ids r,
/usr/share/icu/@{int}.@{int}/*.dat r,
/usr/share/kio_desktop/directory.desktop r,
/usr/share/kservices5/{,**} r,
/usr/share/kservicetypes5/*.desktop r,
/usr/share/mime/ r,

11
apparmor.d/groups/kde/kwalletd5
View file

@ -23,7 +23,7 @@ profile kwalletd5 @{exec_path} {
include <abstractions/qt5>
include <abstractions/vulkan>
include <abstractions/wayland>
include <abstractions/X>
include <abstractions/X-strict>
@{exec_path} mr,
@ -45,19 +45,18 @@ profile kwalletd5 @{exec_path} {
owner @{user_cache_dirs}/icon-cache.kcache rw,
owner @{user_config_dirs}/#@{int} rw,
owner @{user_config_dirs}/kdedefaults/kdeglobals r,
owner @{user_config_dirs}/kdedefaults/kwinrc r,
owner @{user_config_dirs}/kdeglobals r,
owner @{user_config_dirs}/kwalletrc r,
owner @{user_config_dirs}/kwalletrc rwl -> @{user_config_dirs}/#@{int},
owner @{user_config_dirs}/kwalletrc.lock rwk,
owner @{user_config_dirs}/kwinrc r,
owner @{user_config_dirs}/qt5ct/{,**} r,
owner @{user_share_dirs}/kwalletd/ rw,
owner @{user_share_dirs}/kwalletd/kdewallet_attributes.json r,
owner @{user_share_dirs}/kwalletd/*.kwl rw,
owner @{user_share_dirs}/kwalletd/*.kwl.* rwl -> @{user_share_dirs}/kwalletd/#@{int},
owner @{user_share_dirs}/kwalletd/*.salt rw,
owner @{user_share_dirs}/kwalletd/#@{int} rw,
owner @{user_share_dirs}/kwalletd/** rwkl -> @{user_share_dirs}/kwalletd/#@{int},
owner /tmp/kwalletd5.* rw,
owner /tmp/runtime-*/xauth_@{rand6} r,

43
apparmor.d/groups/kde/plasma-browser-integration-host Normal file
View file

@ -0,0 +1,43 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = @{bin}/plasma-browser-integration-host
profile plasma-browser-integration-host @{exec_path} {
include <abstractions/base>
include <abstractions/dri-common>
include <abstractions/dri-enumerate>
include <abstractions/freedesktop.org>
include <abstractions/mesa>
include <abstractions/qt5>
include <abstractions/vulkan>
include <abstractions/nameservice-strict>
capability sys_ptrace,
ptrace (read) peer={chromium,brave,chrome,opera},
@{exec_path} mr,
/usr/share/kservices5/{,**} r,
owner @{user_cache_dirs}/ksycoca5_* r,
owner @{user_cache_dirs}/icon-cache.kcache rw,
owner @{user_config_dirs}/ r,
owner @{user_config_dirs}/kdedefaults/ r,
owner @{user_config_dirs}/kdedefaults/kdeglobals r,
owner @{user_config_dirs}/kdedefaults/kwinrc r,
owner @{user_config_dirs}/kdeglobals r,
owner @{user_config_dirs}/kwinrc r,
@{PROC}/sys/kernel/core_pattern r,
owner @{PROC}/@{pid}/cmdline r,
owner @{PROC}/@{pid}/stat r,
include if exists <local/plasma-browser-integration-host>
}

2
apparmor.d/groups/kde/plasma-discover
View file

@ -87,5 +87,7 @@ profile plasma-discover @{exec_path} {
@{PROC}/sys/kernel/random/boot_id r,
owner @{PROC}/@{pid}/mountinfo r,
/dev/tty r,
include if exists <local/plasma-discover>
}

1
dists/flags/main.flags
View file

@ -224,6 +224,7 @@ pinentry-gnome3 complain
pinentry-gtk-2 complain
pkexec complain
pkttyagent complain
plasma-browser-integration-host complain
plasma-discover complain
plasmashell mediate_deleted,complain
plymouth complain