diff --git a/apparmor.d/groups/kde/DiscoverNotifier b/apparmor.d/groups/kde/DiscoverNotifier index 6ab543a6..4c680710 100644 --- a/apparmor.d/groups/kde/DiscoverNotifier +++ b/apparmor.d/groups/kde/DiscoverNotifier @@ -9,10 +9,9 @@ include @{exec_path} = @{lib}/DiscoverNotifier profile DiscoverNotifier @{exec_path} { include - include include + include include - include network inet dgram, network inet6 dgram, @@ -26,11 +25,6 @@ profile DiscoverNotifier @{exec_path} { owner @{user_cache_dirs}/flatpak/{,**} rw, owner @{user_cache_dirs}/icon-cache.kcache rw, - - owner @{user_config_dirs}/kdedefaults/kdeglobals r, - owner @{user_config_dirs}/kdedefaults/kwinrc r, - owner @{user_config_dirs}/kdeglobals r, - owner @{user_config_dirs}/kwinrc r, owner @{user_share_dirs}/flatpak/{,**} rw, diff --git a/apparmor.d/groups/kde/baloo b/apparmor.d/groups/kde/baloo index fc92d3ab..714fa5cf 100644 --- a/apparmor.d/groups/kde/baloo +++ b/apparmor.d/groups/kde/baloo @@ -12,7 +12,7 @@ profile baloo @{exec_path} { include include include - include + include include network netlink raw, @@ -21,14 +21,11 @@ profile baloo @{exec_path} { @{lib}/baloo_file_extractor rix, - /usr/share/hwdata/pnp.ids r, - /usr/share/icu/@{int}.@{int}/*.dat r, /usr/share/poppler/{,**} r, /etc/fstab r, /etc/machine-id r, /etc/xdg/baloofilerc r, - /etc/xdg/kdeglobals r, # Allow to search user files owner @{HOME}/{,**} r, diff --git a/apparmor.d/groups/kde/baloorunner b/apparmor.d/groups/kde/baloorunner index 6def9b54..a7eab46e 100644 --- a/apparmor.d/groups/kde/baloorunner +++ b/apparmor.d/groups/kde/baloorunner 
@@ -9,34 +9,23 @@ include @{exec_path} = @{lib}/baloorunner profile baloorunner @{exec_path} { include - include include + include include - include @{exec_path} mr, - @{bin}/dolphin rPx, - - /usr/share/hwdata/*.ids r, - /usr/share/icu/@{int}.@{int}/*.dat r, + @{bin}/* rPx, /etc/xdg/baloofilerc r, - /etc/xdg/kdeglobals r, - /etc/xdg/kwinrc r, owner @{user_cache_dirs}/icon-cache.kcache rw, owner @{user_config_dirs}/baloofilerc r, - owner @{user_config_dirs}/kdedefaults/kdeglobals r, - owner @{user_config_dirs}/kdedefaults/kwinrc r, - owner @{user_config_dirs}/kdeglobals r, - owner @{user_config_dirs}/kwinrc r, owner @{user_share_dirs}/baloo/{,**} rwk, /tmp/ r, - /tmp/xauth_@{rand6} r, @{PROC}/sys/kernel/core_pattern r, diff --git a/apparmor.d/groups/kde/dolphin b/apparmor.d/groups/kde/dolphin index ae664a3b..b7121ad7 100644 --- a/apparmor.d/groups/kde/dolphin +++ b/apparmor.d/groups/kde/dolphin @@ -9,14 +9,13 @@ include @{exec_path} = @{bin}/dolphin profile dolphin @{exec_path} { include + include include include - include - include include + include include - include - include + include network netlink raw, @@ -24,10 +23,7 @@ profile dolphin @{exec_path} { @{exec_path} mr, - @{bin}/konsole rPUx, @{bin}/ldd rix, - @{bin}/net rPUx, - @{bin}/testparm rPUx, @{lib}/kf5/kioslave5 rPx, /usr/share/kf5/kmoretools/{,**} r, @@ -39,6 +35,8 @@ profile dolphin @{exec_path} { /etc/machine-id r, /etc/xdg/arkrc r, /etc/xdg/dolphinrc r, + /etc/xdg/menus/ r, + /etc/xdg/ui/ui_standards.rc r, # Full access to user's data / r, @@ -53,6 +51,7 @@ profile dolphin @{exec_path} { owner @{user_share_dirs}/dolphin/ rw, owner @{user_share_dirs}/dolphin/** rwkl -> @{user_share_dirs}/dolphin/#@{int}, + owner @{user_share_dirs}/recently-used.xbel{,.*} rwlk, owner @{user_config_dirs}/#@{int} rw, owner @{user_config_dirs}/dolphinrc rw, diff --git a/apparmor.d/groups/kde/drkonqi b/apparmor.d/groups/kde/drkonqi index 29036dd7..5e1a02b7 100644 --- a/apparmor.d/groups/kde/drkonqi 
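Review bot: In the baloorunner profile, `@{bin}/* rPx,` replaces the single `@{bin}/dolphin rPx,` transition and lets the runner start every binary under @{bin} that has a profile loaded, not only the file manager. Px still refuses targets without a profile, but the reachable set now includes any profile that is in complain mode or is broader than baloorunner itself. If the intent is to open search results in the user's applications, listing those handlers or routing through a dedicated opener profile would keep the transition set reviewable. At minimum, add a comment above the rule such as `# Launch the application that opens a search result`. The profile body continues outside the hunk.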
+++ b/apparmor.d/groups/kde/drkonqi @@ -9,9 +9,7 @@ include @{exec_path} = @{lib}/drkonqi profile drkonqi @{exec_path} { include - include - include - include + include network inet stream, network inet6 stream, @@ -24,15 +22,10 @@ profile drkonqi @{exec_path} { @{exec_path} mr, /usr/share/drkonqi/{,**} r, - /usr/share/icu/@{int}.@{int}/*.dat r, /usr/share/knotifications5/*.notifyrc r, owner @{user_cache_dirs}/kcrash-metadata/* w, - owner /tmp/xauth_@{rand6} r, - - @{run}/user/@{uid}/xauth_@{rand6} rl, - /dev/tty r, include if exists diff --git a/apparmor.d/groups/kde/gmenudbusmenuproxy b/apparmor.d/groups/kde/gmenudbusmenuproxy index 9ec064eb..b2a84d40 100644 --- a/apparmor.d/groups/kde/gmenudbusmenuproxy +++ b/apparmor.d/groups/kde/gmenudbusmenuproxy @@ -9,19 +9,14 @@ include @{exec_path} = @{bin}/gmenudbusmenuproxy profile gmenudbusmenuproxy @{exec_path} { include - include include + include include - include - include ptrace (read) peer=kded5, @{exec_path} mr, - /usr/share/hwdata/*.ids r, - /usr/share/icu/@{int}.@{int}/*.dat r, - /etc/machine-id r, owner @{HOME}/.gtkrc-2.0 rw, diff --git a/apparmor.d/groups/kde/kaccess b/apparmor.d/groups/kde/kaccess index 8b0c6c93..602d07d1 100644 --- a/apparmor.d/groups/kde/kaccess +++ b/apparmor.d/groups/kde/kaccess @@ -10,36 +10,21 @@ include profile kaccess @{exec_path} { include include + include include - include @{exec_path} mr, @{bin}/gsettings rPx, - /usr/share/hwdata/pnp.ids r, /usr/share/icons/{,**} r, - /usr/share/icu/@{int}.@{int}/*.dat r, - /usr/share/mime/{,**} r, - - /etc/xdg/kdeglobals r, - /etc/xdg/kwinrc r, - - owner @{HOME}/.Xauthority r, owner @{user_cache_dirs}/icon-cache.kcache rw, - owner @{user_config_dirs}/kdedefaults/* r, - owner @{user_config_dirs}/kdeglobals r, - owner @{user_config_dirs}/kwinrc r, owner @{user_config_dirs}/kaccessrc r, owner @{user_share_dirs}/mime/generic-icons r, - owner /tmp/xauth_@{rand6} r, - - owner @{run}/user/@{uid}/xauth_@{rand6} r, - /dev/tty r, include if exists 
diff --git a/apparmor.d/groups/kde/kactivitymanagerd b/apparmor.d/groups/kde/kactivitymanagerd index a883528f..d439798d 100644 --- a/apparmor.d/groups/kde/kactivitymanagerd +++ b/apparmor.d/groups/kde/kactivitymanagerd @@ -9,23 +9,17 @@ include @{exec_path} = @{lib}/kactivitymanagerd profile kactivitymanagerd @{exec_path} { include - include include - include include include - include - include + include @{exec_path} mr, /etc/xdg/menus/{,*/} r, - /usr/share/hwdata/*.ids r, - /usr/share/icu/@{int}.@{int}/*.dat r, /usr/share/kf5/kactivitymanagerd/{,**} r, /usr/share/kservices5/{,**} r, - /etc/xdg/kdeglobals r, /etc/machine-id r, owner @{HOME}/@{XDG_DESKTOP_DIR}/ r, @@ -36,8 +30,6 @@ profile kactivitymanagerd @{exec_path} { owner @{user_config_dirs}/#@{int} rw, owner @{user_config_dirs}/kactivitymanagerdrc.lock rwk, owner @{user_config_dirs}/kactivitymanagerdrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, - owner @{user_config_dirs}/kdedefaults/kdeglobals r, - owner @{user_config_dirs}/kdeglobals r, owner @{user_config_dirs}/menus/{,**} r, owner @{user_share_dirs}/kactivitymanagerd/{,**} rwlk, diff --git a/apparmor.d/groups/kde/kalendarac b/apparmor.d/groups/kde/kalendarac index ce8f3140..c50b41ac 100644 --- a/apparmor.d/groups/kde/kalendarac +++ b/apparmor.d/groups/kde/kalendarac @@ -9,11 +9,9 @@ include @{exec_path} = @{bin}/kalendarac profile kalendarac @{exec_path} { include - include - include include include - include + include @{exec_path} mr, @@ -21,15 +19,12 @@ profile kalendarac @{exec_path} { /usr/share/akonadi/firstrun/{,*} r, /usr/share/akonadi/plugins/serializer/{,*.desktop} r, - /usr/share/hwdata/*.ids r, - /usr/share/icu/@{int}.@{int}/*.dat r, /usr/share/knotifications5/{,**} r, /usr/share/sounds/{,**} r, /etc/machine-id r, /etc/pulse/client.conf r, /etc/pulse/client.conf.d/{,**} r, - /etc/xdg/kdeglobals r, owner @{user_cache_dirs}/icon-cache.kcache rw, 
@@ -41,15 +36,10 @@ profile kalendarac @{exec_path} { owner @{user_config_dirs}/kalendaracrc rw, owner @{user_config_dirs}/kalendaracrc.@{rand6} rwl, owner @{user_config_dirs}/kalendaracrc.lock rwk, - owner @{user_config_dirs}/kdedefaults/kdeglobals r, - owner @{user_config_dirs}/kdeglobals r, owner @{user_config_dirs}/kmail2rc r, owner @{user_config_dirs}/pulse/cookie rk, - owner /tmp/xauth_@{rand6} r, - owner @{run}/user/@{uid}/pulse/ r, - owner @{run}/user/@{uid}/xauth_@{rand6} rl, @{PROC}/sys/kernel/core_pattern r, diff --git a/apparmor.d/groups/kde/kcminit b/apparmor.d/groups/kde/kcminit index fd1aa5ab..cc9ee0ef 100644 --- a/apparmor.d/groups/kde/kcminit +++ b/apparmor.d/groups/kde/kcminit @@ -9,22 +9,17 @@ include @{exec_path} = @{bin}/kcminit profile kcminit @{exec_path} { include - include include - include + include @{exec_path} mr, @{bin}/xrdb rPx, @{bin}/xsetroot rPx, - /usr/share/icu/@{int}.@{int}/*.dat r, - /usr/share/hwdata/pnp.ids r, - /etc/machine-id r, /etc/xdg/kcmdisplayrc r, /etc/xdg/kcminputrc r, - /etc/xdg/kdeglobals r, owner @{HOME}/.Xdefaults r, @@ -33,24 +28,17 @@ profile kcminit @{exec_path} { owner @{user_config_dirs}/gtkrc{,.@{rand6}} rwl, owner @{user_config_dirs}/kcminputrc r, owner @{user_config_dirs}/kdedefaults/kcminputrc r, - owner @{user_config_dirs}/kdedefaults/kdeglobals r, - owner @{user_config_dirs}/kdedefaults/kwinrc r, - owner @{user_config_dirs}/kdeglobals r, owner @{user_config_dirs}/kgammarc r, - owner @{user_config_dirs}/kwinrc r, owner @{user_config_dirs}/touchpadrc r, owner @{user_config_dirs}/Trolltech.conf.lock rwk, owner @{user_config_dirs}/Trolltech.conf{,.@{rand6}} rwl, owner /tmp/#@{int} rw, owner /tmp/kcminit.@{rand6} rwl, - owner /tmp/xauth_@{rand6} r, owner /tmp/.touchpaddefaults wl, owner /tmp/.touchpaddefaults.lock rwk, - @{run}/user/@{uid}/xauth_@{rand6} rl, - @{PROC}/sys/kernel/random/boot_id r, /dev/tty r, 
diff --git a/apparmor.d/groups/kde/kconf_update b/apparmor.d/groups/kde/kconf_update index 90cf9175..81d2a36f 100644 --- a/apparmor.d/groups/kde/kconf_update +++ b/apparmor.d/groups/kde/kconf_update @@ -10,16 +10,11 @@ include profile kconf_update @{exec_path} { include include - include - include - include - include + include include - include + include include include - include - include ptrace (read), @@ -35,16 +30,13 @@ profile kconf_update @{exec_path} { /usr/share/kconf_update/*.py rix, /usr/share/kconf_update/*.sh rix, - /usr/share/icu/@{int}.@{int}/*.dat r, /usr/share/kconf_update/{,**} r, /usr/share/kglobalaccel/org.kde.krunner.desktop r, /etc/machine-id r, - /etc/xdg/kdeglobals r, /etc/xdg/konsolerc r, /etc/xdg/ui/ui_standards.rc r, - owner @{user_cache_dirs}/icon-cache.kcache rw, owner @{user_config_dirs}/#@{int} rw, @@ -60,7 +52,6 @@ profile kconf_update @{exec_path} { owner @{user_config_dirs}/kcminputrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/kconf_updaterc.lock rwk, owner @{user_config_dirs}/kconf_updaterc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, - owner @{user_config_dirs}/kdedefaults/* r, owner @{user_config_dirs}/kdeglobals.lock rwk, owner @{user_config_dirs}/kdeglobals{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/kglobalshortcutsrc.lock rwk, diff --git a/apparmor.d/groups/kde/kde-powerdevil b/apparmor.d/groups/kde/kde-powerdevil index d7bb2464..b61eae46 100644 --- a/apparmor.d/groups/kde/kde-powerdevil +++ b/apparmor.d/groups/kde/kde-powerdevil @@ -9,11 +9,9 @@ include @{exec_path} = @{lib}/org_kde_powerdevil profile kde-powerdevil @{exec_path} flags=(attach_disconnected mediate_deleted) { include - include - include include - include - include + include + include capability wake_alarm, 
@@ -21,22 +19,24 @@ profile kde-powerdevil @{exec_path} flags=(attach_disconnected mediate_deleted) @{exec_path} mrix, - @{bin}/kcminit rPx, - @{lib}/drkonqi rPx, + @{bin}/{,ba,da}sh rix, + @{bin}/find rix, + @{bin}/grep rix, + @{bin}/kcminit rPx, + @{bin}/sed rix, + @{bin}/xargs rix, + @{lib}/drkonqi rPx, - /usr/share/hwdata/*.ids r, - /usr/share/icu/@{int}.@{int}/*.dat r, /usr/share/knotifications5/*.notifyrc r, /etc/fstab r, - /etc/xdg/kdeglobals r, /etc/machine-id r, + owner @{HOME}/ r, + owner @{user_cache_dirs}/kcrash-metadata/{,*} rw, owner @{user_config_dirs}/#@{int} rw, - owner @{user_config_dirs}/kdedefaults/kdeglobals r, - owner @{user_config_dirs}/kdeglobals r, owner @{user_config_dirs}/powerdevilrc.lock rwk, owner @{user_config_dirs}/powerdevilrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/powermanagementprofilesrc.lock rwk, @@ -46,20 +46,23 @@ profile kde-powerdevil @{exec_path} flags=(attach_disconnected mediate_deleted) @{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/** owner @{run}/user/@{uid}kcrash_[0-9]* rw, - @{PROC}/@{pid}/mounts r, - @{PROC}/sys/kernel/core_pattern r, - @{PROC}/sys/kernel/random/boot_id r, - @{sys}/bus/ r, @{sys}/class/ r, @{sys}/class/drm/ r, @{sys}/class/i2c-dev/ r, @{sys}/class/usbmisc/ r, + @{sys}/devices/@{pci}/drm/card@{int}/*/edid r, + @{sys}/devices/@{pci}/drm/card@{int}/*/enabled r, @{sys}/devices/@{pci}/drm/card@{int}/*/status r, - @{sys}/devices/i2c-[0-9]*/name r, @{sys}/devices/@{pci}/i2c-[0-9]*/name r, + @{sys}/devices/**/ r, + @{sys}/devices/i2c-[0-9]*/name r, @{sys}/devices/platform/*/i2c-[0-9]*/name r, + @{PROC}/@{pid}/mounts r, + @{PROC}/sys/kernel/core_pattern r, + @{PROC}/sys/kernel/random/boot_id r, + /dev/tty rw, /dev/rfkill r, diff --git a/apparmor.d/groups/kde/kded5 b/apparmor.d/groups/kde/kded5 index 19bd2942..1ce2028e 100644 --- a/apparmor.d/groups/kde/kded5 +++ b/apparmor.d/groups/kde/kded5 
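Review bot: In kde-powerdevil, the new `@{bin}/{,ba,da}sh rix,` together with `find`, `grep`, `sed` and `xargs` under `ix` runs a shell pipeline with the full permissions of the daemon profile, including the `capability wake_alarm` granted a few lines earlier. A child profile would limit the helpers to what they actually read, for example `@{bin}/{,ba,da}sh rCx -> shell,` with a small sub-profile carrying the find/grep/sed/xargs rules and the paths they walk. The same hunk adds `owner @{HOME}/ r,` with no comment; a one-line comment saying what lists the home directory would help the next reviewer. The profile body starts and ends outside the hunk.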
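Review bot: The context line `owner @{run}/user/@{uid}kcrash_[0-9]* rw,` in the last kde-powerdevil hunk is missing the `/` after `@{uid}`, so it would not match crash-handler files inside the user's runtime directory. The kwin_x11 profile in this same commit spells it `@{run}/user/@{uid}/kcrash_[0-9]* rw,`. Since this hunk already reorders the neighbouring rules, it is a good place to correct it to `owner @{run}/user/@{uid}/kcrash_[0-9]* rw,`. Separately, the added `@{sys}/devices/**/ r,` grants directory listing across the whole device tree; if only the drm and i2c paths are walked, narrower patterns would be preferable.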
@@ -14,17 +14,11 @@ profile kded5 @{exec_path} { include include include - include - include - include - include + include include - include + include include - include - include include - include network inet dgram, network inet6 dgram, @@ -42,11 +36,10 @@ profile kded5 @{exec_path} { @{bin}/setxkbmap rix, @{bin}/xrdb rPx, @{bin}/xsettingsd rPx, + @{lib}/drkonqi rPx, @{lib}/kf5/kconf_update rPx, @{lib}/utempter/utempter rPx, - /usr/share/hwdata/*.ids r, - /usr/share/icu/@{int}.@{int}/*.dat r, /usr/share/kconf_update/ r, /usr/share/kded5/{,**} r, /usr/share/kf5/kcookiejar/* r, @@ -54,7 +47,6 @@ profile kded5 @{exec_path} { /usr/share/knotifications5/{,**} r, /usr/share/kservices5/{,**} r, /usr/share/kservicetypes5/{,**} r, - /usr/share/mime/ r, /etc/fstab r, /etc/machine-id r, @@ -62,7 +54,6 @@ profile kded5 @{exec_path} { /etc/xdg/kcminputrc r, /etc/xdg/kde* r, /etc/xdg/kioslaverc r, - /etc/xdg/kwinrc r, /etc/xdg/menus/{,**} r, owner @{HOME}/.gtkrc-2.0 rw, @@ -85,7 +76,6 @@ profile kded5 @{exec_path} { owner @{user_config_dirs}/kded5rc.lock rwk, owner @{user_config_dirs}/kded5rc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/kdedefaults/{,**} r, - owner @{user_config_dirs}/kdeglobals r, owner @{user_config_dirs}/khotkeysrc.lock rwk, owner @{user_config_dirs}/khotkeysrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/kioslaverc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, @@ -121,9 +111,6 @@ profile kded5 @{exec_path} { owner /tmp/plasma-csd-generator.@{rand6}/{,**} rw, - @{sys}/devices/system/node/ r, - @{sys}/devices/system/node/node@{int}/meminfo r, - @{PROC}/@{pids}/cmdline/ r, @{PROC}/@{pids}/fd/ r, @{PROC}/@{pids}/fd/info/@{int} r, @@ -155,9 +142,8 @@ profile kded5 @{exec_path} { @{PROC}/@{pids}/cmdline r, @{PROC}/@{pids}/stat r, @{PROC}/sys/kernel/osrelease r, - @{PROC}/uptime r, - @{PROC}/@{pids}/cgroup r, @{PROC}/tty/drivers r, + @{PROC}/uptime r, include if exists } 
diff --git a/apparmor.d/groups/kde/kglobalaccel5 b/apparmor.d/groups/kde/kglobalaccel5 index d2b00315..43d56fda 100644 --- a/apparmor.d/groups/kde/kglobalaccel5 +++ b/apparmor.d/groups/kde/kglobalaccel5 @@ -9,18 +9,13 @@ include @{exec_path} = @{bin}/kglobalaccel5 profile kglobalaccel5 @{exec_path} { include - include - include - include + include @{exec_path} mr, @{bin}/kstart rPx, - /usr/share/hwdata/*.ids r, - /usr/share/icu/@{int}.@{int}/*.dat r, /usr/share/kglobalaccel/{,**} r, - /usr/share/mime/{,**} r, /etc/machine-id r, diff --git a/apparmor.d/groups/kde/kiod5 b/apparmor.d/groups/kde/kiod5 index c2ed54ba..cd20c285 100644 --- a/apparmor.d/groups/kde/kiod5 +++ b/apparmor.d/groups/kde/kiod5 @@ -10,6 +10,7 @@ include profile kiod5 @{exec_path} { include include + include include include @@ -19,19 +20,13 @@ profile kiod5 @{exec_path} { /usr/share/icons/breeze/index.theme r, /usr/share/mime/{,**} r, - /usr/share/mime/generic-icons r, /usr/share/qt/translations/*.qm r, owner @{user_cache_dirs}/icon-cache.kcache rw, - owner @{user_cache_dirs}/mesa_shader_cache/index rw, owner @{user_config_dirs}/#@{int} rw, - owner @{user_config_dirs}/kdedefaults/kdeglobals r, - owner @{user_config_dirs}/kdedefaults/kwinrc r, - owner @{user_config_dirs}/kdeglobals r, owner @{user_config_dirs}/ksslcertificatemanager rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/ksslcertificatemanager.lock rwk, - owner @{user_config_dirs}/kwinrc r, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/groups/kde/kioslave5 b/apparmor.d/groups/kde/kioslave5 index 016e57f6..b8255a39 100644 --- a/apparmor.d/groups/kde/kioslave5 +++ b/apparmor.d/groups/kde/kioslave5 @@ -10,14 +10,12 @@ include profile kioslave5 @{exec_path} { include include - include - include include + include include include - include include - include + include include network inet dgram, 
@@ -38,23 +36,20 @@ profile kioslave5 @{exec_path} { @{lib}/libheif/*.so* rm, @{lib}/kf5/kio_http_cache_cleaner rPx, - /usr/share/hwdata/*.ids r, - /usr/share/icu/@{int}.@{int}/*.dat r, /usr/share/kio_desktop/directory.desktop r, /usr/share/kservices5/{,**} r, /usr/share/kservicetypes5/*.desktop r, /usr/share/remoteview/* r, /etc/fstab r, - /etc/xdg/kdeglobals r, /etc/xdg/kioslaverc r, - /etc/xdg/kwinrc r, /etc/xdg/menus/{,**} r, # Full access to user's data / r, /*/ r, @{bin}/ r, + @{bin}/* r, @{lib}/ r, @{MOUNTDIRS}/ r, @{MOUNTS}/ r, @@ -74,13 +69,8 @@ profile kioslave5 @{exec_path} { owner @{user_cache_dirs}/icon-cache.kcache rw, owner @{user_cache_dirs}/kio_http/* rwl, owner @{user_cache_dirs}/ksycoca5_* r, - owner @{user_cache_dirs}/thumbnails/*/ r, - owner @{user_config_dirs}/kdedefaults/kdeglobals r, - owner @{user_config_dirs}/kdedefaults/kwinrc r, - owner @{user_config_dirs}/kdeglobals r, owner @{user_config_dirs}/kio_httprc r, - owner @{user_config_dirs}/kwinrc r, owner @{user_config_dirs}/menus/{,**} r, owner @{user_share_dirs}/baloo/index rw, @@ -91,12 +81,10 @@ profile kioslave5 @{exec_path} { owner @{user_share_dirs}/kservices5/{,**} r, owner /tmp/#@{int} rw, - owner /tmp/xauth_@{int} r, @{run}/mount/utab r, owner @{run}/user/@{uid}/#@{int} rw, - owner @{run}/user/@{uid}/kio_desktop*kioworker.socket rwl, - owner @{run}/user/@{uid}/xauth_@{rand6} rl, + owner @{run}/user/@{uid}/kio_*.socket rwl -> @{run}/user/@{uid}/#@{int}, @{PROC}/sys/kernel/core_pattern r, owner @{PROC}/@{pid}/mountinfo r, diff --git a/apparmor.d/groups/kde/kscreen_backend_launcher b/apparmor.d/groups/kde/kscreen_backend_launcher index 55ed9eeb..9bc60f46 100644 --- a/apparmor.d/groups/kde/kscreen_backend_launcher +++ b/apparmor.d/groups/kde/kscreen_backend_launcher 
@@ -9,14 +9,10 @@ include @{exec_path} = @{lib}/kf5/kscreen_backend_launcher profile kscreen_backend_launcher @{exec_path} { include - include - include + include @{exec_path} mr, - /usr/share/hwdata/*.ids r, - /usr/share/icu/@{int}.@{int}/*.dat r, - /dev/tty r, include if exists diff --git a/apparmor.d/groups/kde/kscreenlocker-greet b/apparmor.d/groups/kde/kscreenlocker-greet index 511bb563..e77c1af0 100644 --- a/apparmor.d/groups/kde/kscreenlocker-greet +++ b/apparmor.d/groups/kde/kscreenlocker-greet @@ -12,14 +12,11 @@ include profile kscreenlocker-greet @{exec_path} { include include - include - include include + include include include include - include - include network netlink raw, @@ -35,8 +32,6 @@ profile kscreenlocker-greet @{exec_path} { @{bin}/unix_chkpwd rPx, @{lib}/@{multiarch}/libexec/kcheckpass rPx, - /usr/share/hwdata/pnp.ids r, - /usr/share/icu/@{int}.@{int}/*.dat r, /usr/share/plasma/** r, /usr/share/qt/translations/*.qm r, /usr/share/qt5ct/** r, @@ -54,7 +49,6 @@ profile kscreenlocker-greet @{exec_path} { /etc/machine-id r, /etc/pam.d/* r, /etc/shells r, - /etc/xdg/kdeglobals r, /etc/xdg/kscreenlockerrc r, /etc/xdg/plasmarc r, @@ -72,8 +66,8 @@ profile kscreenlocker-greet @{exec_path} { owner @{user_cache_dirs}/plasma-svgelements.lock rwk, owner @{user_cache_dirs}/plasma-svgelements{,.@{rand6}} rwl, - owner @{user_config_dirs}/kdedefaults/* r, - owner @{user_config_dirs}/kdeglobals r, + owner @{user_config_dirs}/kdedefaults/kscreenlockerrc r, + owner @{user_config_dirs}/kdedefaults/plasmarc r, owner @{user_config_dirs}/kscreenlockerrc r, owner @{user_config_dirs}/ksmserverrc r, owner @{user_config_dirs}/plasmarc r, @@ -83,7 +77,6 @@ profile kscreenlocker-greet @{exec_path} { owner @{HOME}/.glvnd* mrw, owner /tmp/*-cover-*.{jpg,png} r, - owner /tmp/xauth_@{rand6} r, @{run}/faillock/[a-zA-z0-9]* rwk, diff --git a/apparmor.d/groups/kde/ksmserver b/apparmor.d/groups/kde/ksmserver index 80bcc170..439b20c1 100644 --- a/apparmor.d/groups/kde/ksmserver 
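Review bot: The context line `@{run}/faillock/[a-zA-z0-9]* rwk,` at the end of the last kscreenlocker-greet hunk uses the range `A-z`, which also covers the ASCII punctuation between `Z` and `a` (`[`, `\`, `]`, `^`, `_` and the backtick). This is probably a typo for `A-Z`. If a leading underscore in user names is meant to be allowed, spell it out as `@{run}/faillock/[a-zA-Z0-9_]* rwk,`. The rule belongs to the lock-screen profile and covers the failed-login records with write and lock access, so the pattern is worth keeping exact. The profile continues outside the hunk.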
+++ b/apparmor.d/groups/kde/ksmserver @@ -10,12 +10,9 @@ include profile ksmserver @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include - include - include include + include include - include - include signal (send) set=(usr1,term) peer=kscreenlocker-greet, @@ -29,43 +26,33 @@ profile ksmserver @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{lib}/kscreenlocker_greet rPx, /usr/share/color-schemes/{,**} r, - /usr/share/hwdata/pnp.ids r, - /usr/share/icons/{,**} r, - /usr/share/icu/@{int}.@{int}/*.dat r, /usr/share/knotifications5/*.notifyrc r, /usr/share/kservices5/{,**} r, /etc/xdg/menus/applications-merged/ r, /etc/machine-id r, - /etc/xdg/kdeglobals r, /etc/xdg/kscreenlockerrc r, - /etc/xdg/kwinrc r, /etc/xdg/menus/ r, owner @{HOME}/@{rand6} rw, owner @{HOME}/.Xauthority rw, owner @{user_cache_dirs}/#@{int} rw, - owner @{user_cache_dirs}/icon-cache.kcache rw, owner @{user_cache_dirs}/fontconfig/*-le64.cache-* r, + owner @{user_cache_dirs}/icon-cache.kcache rw, owner @{user_cache_dirs}/ksycoca5_* rl, - owner @{user_config_dirs}/menus/ r, - owner @{user_config_dirs}/kdedefaults/* r, - owner @{user_config_dirs}/kdeglobals r, - owner @{user_config_dirs}/kscreenlockerrc r, - owner @{user_config_dirs}/ksmserverrc.@{rand6} rwl, - owner @{user_config_dirs}/ksmserverrc r, owner @{user_config_dirs}/#@{int} rw, + owner @{user_config_dirs}/kscreenlockerrc r, + owner @{user_config_dirs}/ksmserverrc r, + owner @{user_config_dirs}/ksmserverrc.@{rand6} rwl, owner @{user_config_dirs}/ksmserverrc.lock rwk, - owner @{user_config_dirs}/kwinrc r, - owner @{user_config_dirs}/session/*_[0-9]*_[0-9]*_[0-9]* rw, + owner @{user_config_dirs}/menus/ r, owner /tmp/@{rand6} rw, @{run}/systemd/inhibit/[0-9]*.ref rw, owner @{run}/user/@{uid}/KSMserver__[0-9] rw, - owner @{run}/user/@{uid}/xauth_@{rand6} rl, @{PROC}/sys/kernel/core_pattern r, diff --git a/apparmor.d/groups/kde/ksplashqml b/apparmor.d/groups/kde/ksplashqml index 74a999f4..eec90161 100644 
--- a/apparmor.d/groups/kde/ksplashqml +++ b/apparmor.d/groups/kde/ksplashqml @@ -9,9 +9,8 @@ include @{exec_path} = @{bin}/ksplashqml profile ksplashqml @{exec_path} { include - include - include include + include include include @@ -26,8 +25,9 @@ profile ksplashqml @{exec_path} { owner @{user_cache_dirs}/ksplash/qmlcache/*.qmlc rwl -> @{user_cache_dirs}/ksplash/qmlcache/#@{int}, owner @{user_cache_dirs}/ksplash/qmlcache/*.qmlc.@{rand6} rwl -> @{user_cache_dirs}/ksplash/qmlcache/#@{int}, owner @{user_cache_dirs}/ksplash/qmlcache/#@{int} rw, - owner @{user_config_dirs}/kdedefaults/* r, - owner @{user_config_dirs}/kdeglobals r, + + owner @{user_config_dirs}/kdedefaults/ksplashrc r, + owner @{user_config_dirs}/kdedefaults/plasmarc r, @{PROC}/sys/kernel/core_pattern r, diff --git a/apparmor.d/groups/kde/kstart b/apparmor.d/groups/kde/kstart index 38b6f924..ccc7f50f 100644 --- a/apparmor.d/groups/kde/kstart +++ b/apparmor.d/groups/kde/kstart @@ -11,9 +11,8 @@ include profile kstart @{exec_path} flags=(complain,attach_disconnected) { include include - include + include include - include @{exec_path} mr, diff --git a/apparmor.d/groups/kde/kwalletd5 b/apparmor.d/groups/kde/kwalletd5 index 6224a7ee..78783842 100644 --- a/apparmor.d/groups/kde/kwalletd5 +++ b/apparmor.d/groups/kde/kwalletd5 @@ -13,15 +13,11 @@ profile kwalletd5 @{exec_path} { include include include - include - include include include + include include include - include - include - include @{exec_path} mr, 
@@ -30,35 +26,25 @@ profile kwalletd5 @{exec_path} { @{bin}/gpgsm rCx -> gpg, /usr/share/color-schemes/{,**} r, - /usr/share/hwdata/pnp.ids r, - /usr/share/icu/@{int}.@{int}/*.dat r, /usr/share/qt/translations/*.qm r, /usr/share/qt5/qtlogging.ini r, /usr/share/qt5ct/** r, /etc/machine-id r, - /etc/xdg/kdeglobals r, - /etc/xdg/kwinrc r, /var/lib/dbus/machine-id r, owner @{user_cache_dirs}/icon-cache.kcache rw, owner @{user_config_dirs}/#@{int} rw, - owner @{user_config_dirs}/kdedefaults/kdeglobals r, - owner @{user_config_dirs}/kdedefaults/kwinrc r, - owner @{user_config_dirs}/kdeglobals r, owner @{user_config_dirs}/kwalletrc r, owner @{user_config_dirs}/kwalletrc rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/kwalletrc.lock rwk, - owner @{user_config_dirs}/kwinrc r, owner @{user_config_dirs}/qt5ct/{,**} r, owner @{user_share_dirs}/kwalletd/ rw, owner @{user_share_dirs}/kwalletd/** rwkl -> @{user_share_dirs}/kwalletd/#@{int}, owner /tmp/kwalletd5.* rw, - owner /tmp/runtime-*/xauth_@{rand6} r, - owner /tmp/xauth_@{rand6} r, @{PROC}/sys/kernel/core_pattern r, owner @{PROC}/@{pid}/cmdline r, @@ -76,8 +62,8 @@ profile kwalletd5 @{exec_path} { owner @{HOME}/@{XDG_GPG_DIR}/ rw, owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**, + include if exists } include if exists } - diff --git a/apparmor.d/groups/kde/kwalletmanager5 b/apparmor.d/groups/kde/kwalletmanager5 index 19cdb540..bd8b8fc7 100644 --- a/apparmor.d/groups/kde/kwalletmanager5 +++ b/apparmor.d/groups/kde/kwalletmanager5 @@ -13,22 +13,18 @@ profile kwalletmanager5 @{exec_path} { include include include - include - include include include + include include include include - include include - include @{exec_path} mr, /usr/share/kxmlgui5/kwalletmanager5/kwalletmanager.rc r, /usr/share/qt5ct/** r, - /usr/share/hwdata/pnp.ids r, /etc/fstab r, /etc/machine-id r, 
@@ -48,15 +44,11 @@ profile kwalletmanager5 @{exec_path} { owner @{user_config_dirs}/session/kwalletmanager5_* rwl -> @{user_config_dirs}/session/#@{int}, owner @{user_config_dirs}/session/kwalletmanager5_*.lock rwk, - owner @{user_config_dirs}/kdeglobals r, - - owner /tmp/xauth-[0-9]*-_[0-9] r, - - deny owner @{PROC}/@{pid}/cmdline r, - @{PROC}/sys/kernel/core_pattern r, - deny @{PROC}/sys/kernel/random/boot_id r, - @{PROC}/@{pid}/mountinfo r, - @{PROC}/@{pid}/mounts r, + @{PROC}/@{pid}/mountinfo r, + @{PROC}/@{pid}/mounts r, + @{PROC}/sys/kernel/core_pattern r, + @{PROC}/sys/kernel/random/boot_id r, + owner @{PROC}/@{pid}/cmdline r, /dev/shm/ r, /dev/shm/#@{int} rw, diff --git a/apparmor.d/groups/kde/kwin_wayland b/apparmor.d/groups/kde/kwin_wayland index c428bcae..3531c237 100644 --- a/apparmor.d/groups/kde/kwin_wayland +++ b/apparmor.d/groups/kde/kwin_wayland @@ -10,12 +10,10 @@ include profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) { include include - include - include include + include include include - include capability sys_nice, @@ -36,7 +34,6 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) { /usr/share/color-schemes/*.colors r, /usr/share/desktop-directories/*.directory r, - /usr/share/hwdata/pnp.ids r, /usr/share/kglobalaccel/{,**} r, /usr/share/knotifications5/ksmserver.notifyrc r, /usr/share/kservices5/{,**} r, @@ -45,7 +42,6 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) { /usr/share/libinput/{,**} r, /usr/share/plasma/desktoptheme/default/** r, /usr/share/qt/translations/*.qm r, - /usr/share/X11/xkb/{,**} r, /etc/machine-id r, /etc/xdg/menus/{,applications.menu} r, 
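Review bot: In kwalletmanager5 the two `deny` rules on `@{PROC}/@{pid}/cmdline` and `@{PROC}/sys/kernel/random/boot_id` become plain allow rules, which is a policy change inside what otherwise reads as a reordering of the /proc block. If the reads are now required, say so in the commit message or in a comment above the block, e.g. `# Needed by <component>, previously denied`. If they are not required, keep `deny owner @{PROC}/@{pid}/cmdline r,` and `deny @{PROC}/sys/kernel/random/boot_id r,` so the refusal stays explicit and is not logged. The profile body starts and ends outside the hunk.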
@@ -80,12 +76,10 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) { owner @{user_cache_dirs}/plasma-svgelements rw, owner @{user_cache_dirs}/plasma-svgelements.@{rand6} rwl -> @{user_cache_dirs}/#@{int}, owner @{user_cache_dirs}/plasma-svgelements.lock rwk, - owner @{user_share_dirs}/kscreen/* r, owner @{user_config_dirs}/#@{int} rwl, owner @{user_config_dirs}/kcminputrc r, owner @{user_config_dirs}/kdedefaults/* r, - owner @{user_config_dirs}/kdeglobals r, owner @{user_config_dirs}/kglobalshortcutsrc.lock rwk, owner @{user_config_dirs}/kglobalshortcutsrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/kscreenlockerrc r, @@ -94,7 +88,10 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) { owner @{user_config_dirs}/kwinrulesrc r, owner @{user_config_dirs}/kxkbrc r, owner @{user_config_dirs}/menus/{,applications-merged/} r, - owner @{user_config_dirs}/session/* r, + # owner @{user_config_dirs}/session/* r, + + owner @{user_share_dirs}/kscreen/* r, + owner @{user_share_dirs}/kwin/scripts/{,**} r, @{run}/systemd/inhibit/*.ref rw, @@ -117,6 +114,7 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) { @{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/** @{run}/udev/data/c226:@{int} r, # for /dev/dri/card* + @{PROC}/@{pid}/task/@{tid}/comm rw, @{PROC}/sys/kernel/core_pattern r, @{PROC}/sys/kernel/random/boot_id r, diff --git a/apparmor.d/groups/kde/kwin_wayland_wrapper b/apparmor.d/groups/kde/kwin_wayland_wrapper index 8b3a31e1..3c6a2e45 100644 --- a/apparmor.d/groups/kde/kwin_wayland_wrapper +++ b/apparmor.d/groups/kde/kwin_wayland_wrapper @@ -21,7 +21,5 @@ profile kwin_wayland_wrapper @{exec_path} { owner @{run}/user/@{uid}/#@{int} rw, owner @{run}/user/@{uid}/xauth_@{rand6} w, - owner /tmp/.X@{int}-lock rw, - include if exists } diff --git a/apparmor.d/groups/kde/kwin_x11 b/apparmor.d/groups/kde/kwin_x11 index 40b82d22..fe27edee 100644 
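Review bot: The added `@{PROC}/@{pid}/task/@{tid}/comm rw,` in the kwin_wayland profile has no `owner` qualifier, while the plasmashell profile in this commit adds the same rule as `owner @{PROC}/@{pid}/task/@{tid}/comm rw,`. Unless the compositor really needs to rename threads of processes it does not own, use the owner form here too. In the preceding kwin_wayland hunk, the rule `# owner @{user_config_dirs}/session/* r,` is left commented out; either delete it or add a short comment on why it is kept.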
--- a/apparmor.d/groups/kde/kwin_x11 +++ b/apparmor.d/groups/kde/kwin_x11 @@ -10,12 +10,10 @@ include profile kwin_x11 @{exec_path} { include include - include - include include + include include include - include network inet dgram, network inet6 dgram, @@ -29,20 +27,13 @@ profile kwin_x11 @{exec_path} { @{lib}/kwin_killer_helper rix, @{lib}/drkonqi rPx, - /usr/share/hwdata/pnp.ids r, - /usr/share/icu/@{int}.@{int}/*.dat r, /usr/share/kwin/{,**} r, /usr/share/plasma/desktoptheme/{,**} r, - /usr/share/X11/xkb/{,**} r, /etc/machine-id r, /etc/xdg/kcminputrc r, - /etc/xdg/kdeglobals r, - /etc/xdg/kwinrc r, /etc/xdg/plasmarc r, - owner @{HOME}/.Xauthority r, - owner @{user_cache_dirs}/ r, owner @{user_cache_dirs}/#@{int} rw, owner @{user_cache_dirs}/icon-cache.kcache rw, @@ -56,8 +47,6 @@ profile kwin_x11 @{exec_path} { owner @{user_config_dirs}/#@{int} rw, owner @{user_config_dirs}/kcminputrc r, - owner @{user_config_dirs}/kdedefaults/* r, - owner @{user_config_dirs}/kdeglobals r, owner @{user_config_dirs}/kwinrc.lock rwk, owner @{user_config_dirs}/kwinrc{,.@{rand6}} rwl, owner @{user_config_dirs}/kwinrulesrc r, @@ -67,10 +56,8 @@ profile kwin_x11 @{exec_path} { owner /tmp/#@{int} rw, owner /tmp/kwin.@{rand6} rwl, - owner /tmp/xauth_@{rand6} r, owner @{run}/user/@{uid}/kcrash_[0-9]* rw, - owner @{run}/user/@{uid}/xauth_@{rand6} rl, @{sys}/devices/system/node/ r, @{sys}/devices/system/node/node@{int}/meminfo r, diff --git a/apparmor.d/groups/kde/plasma-browser-integration-host b/apparmor.d/groups/kde/plasma-browser-integration-host index b5da03af..68182daf 100644 --- a/apparmor.d/groups/kde/plasma-browser-integration-host +++ b/apparmor.d/groups/kde/plasma-browser-integration-host @@ -9,11 +9,9 @@ include @{exec_path} = @{bin}/plasma-browser-integration-host profile plasma-browser-integration-host @{exec_path} { include - include - include include + include include - include capability sys_ptrace, 
@@ -29,13 +27,6 @@ profile plasma-browser-integration-host @{exec_path} { owner @{user_cache_dirs}/ksycoca5_* r, owner @{user_cache_dirs}/icon-cache.kcache rw, - owner @{user_config_dirs}/ r, - owner @{user_config_dirs}/kdedefaults/ r, - owner @{user_config_dirs}/kdedefaults/kdeglobals r, - owner @{user_config_dirs}/kdedefaults/kwinrc r, - owner @{user_config_dirs}/kdeglobals r, - owner @{user_config_dirs}/kwinrc r, - @{PROC}/sys/kernel/core_pattern r, owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/stat r, diff --git a/apparmor.d/groups/kde/plasma-discover b/apparmor.d/groups/kde/plasma-discover index 680f961c..5180f36f 100644 --- a/apparmor.d/groups/kde/plasma-discover +++ b/apparmor.d/groups/kde/plasma-discover @@ -10,9 +10,8 @@ include profile plasma-discover @{exec_path} { include include - include - include include + include include include include @@ -22,6 +21,7 @@ profile plasma-discover @{exec_path} { network inet6 dgram, network inet stream, network inet6 stream, + network netlink dgram, network netlink raw, signal (send) set=(term) peer=kioslave5, @@ -40,6 +40,7 @@ profile plasma-discover @{exec_path} { /usr/share/knotifications5/plasma_workspace.notifyrc r, /usr/share/knsrcfiles/{,*} r, /usr/share/kservices5/{,*} r, + /usr/share/kservicetypes5/{,*} r, /usr/share/libdiscover/** r, /usr/share/qt/translations/*.qm r, 
@@ -70,22 +71,21 @@ profile plasma-discover @{exec_path} { owner @{user_config_dirs}/discoverrc rwl, owner @{user_config_dirs}/discoverrc.lock rwk, owner @{user_config_dirs}/kde.org/{,**} rwlk, - owner @{user_config_dirs}/kdedefaults/ r, + owner @{user_config_dirs}/KDE/* r, owner @{user_config_dirs}/kdedefaults/plasmarc r, - owner @{user_config_dirs}/kdedefaults/kdeglobals r, - owner @{user_config_dirs}/kdedefaults/kwinrc r, - owner @{user_config_dirs}/kdeglobals r, - owner @{user_config_dirs}/kwinrc r, owner @{user_config_dirs}/libaccounts-glib/ rw, owner @{user_config_dirs}/libaccounts-glib/accounts.db{,-shm,-wal,-journal} rwk, owner @{user_share_dirs}/flatpak/repo/{,**} rw, - owner @{user_share_dirs}/knewstuff3/ r, - owner @{user_share_dirs}/knewstuff3/ w, + owner @{user_share_dirs}/knewstuff3/{,*} rw, + owner @{user_share_dirs}/kwin/ rw, + owner @{user_share_dirs}/kwin/** rwlk -> @{user_share_dirs}/kwin/**, + owner /tmp/*.kwinscript rwl -> /tmp/#@{int}, + owner /tmp/#@{int} rw, + owner /tmp/discover-@{rand6}/{,**} rw, owner /tmp/ostree-gpg-*/ rw, owner /tmp/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**, - owner /tmp/#@{int} rw, owner @{run}/user/@{uid}/.flatpak-cache rw, owner @{run}/user/@{uid}/.flatpak/{,**} rw, diff --git a/apparmor.d/groups/kde/plasmashell b/apparmor.d/groups/kde/plasmashell index 3b10976f..9a7a4360 100644 --- a/apparmor.d/groups/kde/plasmashell +++ b/apparmor.d/groups/kde/plasmashell @@ -18,15 +18,12 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { include include include - include - include include + include include include - include include include - include network inet dgram, network inet6 dgram, 
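Review bot: The new `owner @{user_share_dirs}/kwin/** rwlk -> @{user_share_dirs}/kwin/**,` rule in the plasma-discover hunk grants create, lock and hard-link access to the whole per-user KWin data directory, and nothing in the hunk says why. Judging by the `/tmp/*.kwinscript` rule added next to it, this is presumably for installing KWin scripts fetched through KNewStuff. Files written there are later loaded by a different confined program, so the grant deserves a comment such as `# Install KWin scripts downloaded from the store` above the two kwin rules. If the layout allows, narrow it to the subdirectory the scripts actually land in. The added `owner @{user_config_dirs}/KDE/* r,` is also a wildcard read, and listing the specific files would keep the profile closer to least privilege.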
@@ -57,8 +54,6 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { /usr/share/akonadi/firstrun/{,*} r, /usr/share/akonadi/plugins/serializer/{,*.desktop} r, /usr/share/desktop-directories/kf5-*.directory r, - /usr/share/hwdata/*.ids r, - /usr/share/icu/@{int}.@{int}/*.dat r, /usr/share/kio/servicemenus/{,*.desktop} r, /usr/share/knotifications5/*.notifyrc r, /usr/share/konsole/ r, @@ -119,8 +114,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { owner @{user_config_dirs}/kactivitymanagerd-*.lock rwk, owner @{user_config_dirs}/kactivitymanagerd-*{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/kcookiejarrc r, - owner @{user_config_dirs}/kdedefaults/* r, - owner @{user_config_dirs}/kdeglobals r, + owner @{user_config_dirs}/kdedefaults/plasmarc r, owner @{user_config_dirs}/kdiff3fileitemactionrc r, owner @{user_config_dirs}/kioslaverc r, owner @{user_config_dirs}/klipperrc r, @@ -129,7 +123,6 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { owner @{user_config_dirs}/krunnerrc r, owner @{user_config_dirs}/ksmserverrc r, owner @{user_config_dirs}/kwalletrc r, - owner @{user_config_dirs}/kwinrc r, owner @{user_config_dirs}/menus/{,**} r, owner @{user_config_dirs}/plasma* rwlk, owner @{user_config_dirs}/pulse/cookie rwk, @@ -177,15 +170,16 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { @{PROC}/cmdline r, @{PROC}/diskstats r, @{PROC}/loadavg r, - @{PROC}/uptime r, - @{PROC}/vmstat r, @{PROC}/sys/kernel/core_pattern r, @{PROC}/sys/kernel/random/boot_id r, + @{PROC}/uptime r, + @{PROC}/vmstat r, owner @{PROC}/@{pid}/{cgroup,cmdline,stat,statm} r, owner @{PROC}/@{pid}/attr/current r, owner @{PROC}/@{pid}/environ r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, /dev/ptmx rw, /dev/rfkill r, diff --git a/apparmor.d/groups/kde/sddm b/apparmor.d/groups/kde/sddm index 6ea00c5e..52d4e021 100644 --- a/apparmor.d/groups/kde/sddm 
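Review bot: The added `owner @{PROC}/@{pid}/task/@{tid}/comm rw,` in the last plasmashell hunk is the only write grant among the /proc rules shown there, and it carries no comment. It is presumably needed so threads can set their own names, but a reader auditing the profile cannot tell that from the rule. I would put a one-line comment above it, for example `# Thread naming`, so the write access reads as intentional. The profile body starts and ends outside this hunk, so whether `@{tid}` is defined in the included tunables cannot be confirmed from here.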
+++ b/apparmor.d/groups/kde/sddm @@ -12,15 +12,12 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include - include include - include - include - include + include + include include include include - include capability audit_write, capability chown, @@ -128,8 +125,6 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{HOME}/.local/ w, owner @{HOME}/.Xauthority rw, - owner @{user_config_dirs}/kdeglobals r, - owner @{user_config_dirs}/kdedefaults/kdeglobals r, owner @{user_config_dirs}/menus/{,**} r, owner @{user_config_dirs}/startkderc r, diff --git a/apparmor.d/groups/kde/sddm-greeter b/apparmor.d/groups/kde/sddm-greeter index db03d42b..34f30055 100644 --- a/apparmor.d/groups/kde/sddm-greeter +++ b/apparmor.d/groups/kde/sddm-greeter @@ -11,13 +11,11 @@ include profile sddm-greeter @{exec_path} { include include - include - include - include include + include + include include include - include network netlink raw, @@ -27,8 +25,6 @@ profile sddm-greeter @{exec_path} { @{lib}/libheif/*.so* rm, /usr/share/desktop-base/softwaves-theme/login/*.svg r, - /usr/share/hwdata/pnp.ids r, - /usr/share/icu/@{int}.@{int}/*.dat r, /usr/share/plasma/desktoptheme/** r, /usr/share/qt5ct/** r, /usr/share/sddm/{,**} r, @@ -41,7 +37,6 @@ profile sddm-greeter @{exec_path} { /etc/machine-id r, /etc/sddm.conf r, /etc/sddm.conf.d/{,*} r, - /etc/xdg/kdeglobals r, /etc/xdg/plasmarc r, /var/lib/AccountsService/icons/*.icon r, /var/lib/dbus/machine-id r, @@ -57,7 +52,6 @@ profile sddm-greeter @{exec_path} { owner @{user_cache_dirs}/plasma-svgelements-* rw, owner @{user_cache_dirs}/sddm-greeter/{,**} rwl, - owner @{user_config_dirs}/kdeglobals r, owner @{user_config_dirs}/plasmarc r, owner @{user_config_dirs}/qt5ct/{,**} r, @@ -66,7 +60,6 @@ profile sddm-greeter @{exec_path} { owner @{HOME}/.glvnd* mrw, owner /tmp/runtime-sddm/ rw, - owner /tmp/xauth_@{rand6} rw, owner @{run}/sddm/{,*} rw, 
diff --git a/apparmor.d/groups/kde/startplasma b/apparmor.d/groups/kde/startplasma index d106288c..de0ec76a 100644 --- a/apparmor.d/groups/kde/startplasma +++ b/apparmor.d/groups/kde/startplasma @@ -9,9 +9,7 @@ include @{exec_path} = @{bin}/startplasma-wayland @{bin}/startplasma-x11 profile startplasma @{exec_path} { include - include - include - include + include signal (receive) set=(term) peer=sddm, @@ -24,7 +22,6 @@ profile startplasma @{exec_path} { /usr/share/color-schemes/{,**} r, /usr/share/desktop-directories/{,**} r, - /usr/share/icu/@{int}.@{int}/*.dat r, /usr/share/knotifications5/{,**} r, /usr/share/kservices5/{,**} r, /usr/share/kservicetypes5/{,**} r, @@ -32,15 +29,11 @@ profile startplasma @{exec_path} { /etc/machine-id r, /etc/xdg/kcminputrc r, - /etc/xdg/kdeglobals r, /etc/xdg/menus/{,**} r, - owner @{HOME}/.Xauthority r, - - owner @{user_cache_dirs}/ rw, + @{user_cache_dirs}/ksycoca5_* rwkl -> @{user_cache_dirs}/#@{int}, owner @{user_cache_dirs}/#@{int} rwk, owner @{user_cache_dirs}/kcrash-metadata/ rw, - @{user_cache_dirs}/ksycoca5_* rwkl -> @{user_cache_dirs}/#@{int}, owner @{user_cache_dirs}/plasma-svgelements rw, owner @{user_config_dirs}/#@{int} rw, @@ -69,7 +62,6 @@ profile startplasma @{exec_path} { owner /tmp/startplasma-{x11,wayland}.@{rand6} rwl -> /tmp/#@{int}, owner @{run}/user/@{uid}/ r, - @{run}/user/@{uid}/xauth_@{rand6} rl, @{PROC}/sys/kernel/core_pattern r, @{PROC}/sys/kernel/random/boot_id r, diff --git a/apparmor.d/groups/kde/systemsettings b/apparmor.d/groups/kde/systemsettings index 1f63a258..69cebcfa 100644 --- a/apparmor.d/groups/kde/systemsettings +++ b/apparmor.d/groups/kde/systemsettings @@ -9,12 +9,10 @@ include @{exec_path} = @{bin}/systemsettings profile systemsettings @{exec_path} { include - include - include include + include include include - include network netlink raw, 
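Review bot: The relocated `@{user_cache_dirs}/ksycoca5_* rwkl -> @{user_cache_dirs}/#@{int},` rule in the third startplasma hunk still has no `owner` qualifier, while every neighbouring cache rule in that hunk has one. Since the commit already moves the line, it could become `owner @{user_cache_dirs}/ksycoca5_* rwkl -> @{user_cache_dirs}/#@{int},`. That would limit write, lock and link access to files owned by the confined user. The profile body continues outside the hunk.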
@@ -22,7 +20,6 @@ profile systemsettings @{exec_path} { @{bin}/kcminit rPx, - /usr/share/hwdata/pnp.ids r, /usr/share/kpackage/{,**} r, /usr/share/kservices5/{,**} r, /usr/share/kservicetypes5/{,**} r, @@ -45,10 +42,8 @@ profile systemsettings @{exec_path} { owner @{user_config_dirs}/#@{int} rw, owner @{user_config_dirs}/kde.org/{,**} rwlk, - owner @{user_config_dirs}/kdedefaults/* r, - owner @{user_config_dirs}/kdeglobals r, + owner @{user_config_dirs}/kdedefaults/plasmarc r, owner @{user_config_dirs}/kinfocenterrc* rwlk, - owner @{user_config_dirs}/kwinrc r, owner @{user_config_dirs}/systemsettingsrc.lock rwk, owner @{user_config_dirs}/systemsettingsrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},