mirror of
https://github.com/roddhjav/apparmor.d.git
synced 2025-01-31 07:17:22 +01:00
feat(profile): update kde profiles.
This commit is contained in:
Alexandre Pujol
parent
c08f93de50
commit
4672694d39
33 changed files with 101 additions and 325 deletions
|
|
@ -9,10 +9,9 @@ include <tunables/global>
|
||||||
@{exec_path} = @{lib}/DiscoverNotifier
|
@{exec_path} = @{lib}/DiscoverNotifier
|
||||||
profile DiscoverNotifier @{exec_path} {
|
profile DiscoverNotifier @{exec_path} {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
include <abstractions/freedesktop.org>
|
|
||||||
include <abstractions/graphics>
|
include <abstractions/graphics>
|
||||||
|
include <abstractions/kde-strict>
|
||||||
include <abstractions/nameservice-strict>
|
include <abstractions/nameservice-strict>
|
||||||
include <abstractions/qt5>
|
|
||||||
|
|
||||||
network inet dgram,
|
network inet dgram,
|
||||||
network inet6 dgram,
|
network inet6 dgram,
|
||||||
|
|
@ -27,11 +26,6 @@ profile DiscoverNotifier @{exec_path} {
|
||||||
owner @{user_cache_dirs}/flatpak/{,**} rw,
|
owner @{user_cache_dirs}/flatpak/{,**} rw,
|
||||||
owner @{user_cache_dirs}/icon-cache.kcache rw,
|
owner @{user_cache_dirs}/icon-cache.kcache rw,
|
||||||
|
|
||||||
owner @{user_config_dirs}/kdedefaults/kdeglobals r,
|
|
||||||
owner @{user_config_dirs}/kdedefaults/kwinrc r,
|
|
||||||
owner @{user_config_dirs}/kdeglobals r,
|
|
||||||
owner @{user_config_dirs}/kwinrc r,
|
|
||||||
|
|
||||||
owner @{user_share_dirs}/flatpak/{,**} rw,
|
owner @{user_share_dirs}/flatpak/{,**} rw,
|
||||||
|
|
||||||
@{PROC}/sys/kernel/core_pattern r,
|
@{PROC}/sys/kernel/core_pattern r,
|
||||||
|
|
|
||||||
|
|
@ -12,7 +12,7 @@ profile baloo @{exec_path} {
|
||||||
include <abstractions/deny-sensitive-home>
|
include <abstractions/deny-sensitive-home>
|
||||||
include <abstractions/disks-read>
|
include <abstractions/disks-read>
|
||||||
include <abstractions/fontconfig-cache-write>
|
include <abstractions/fontconfig-cache-write>
|
||||||
include <abstractions/desktop>
|
include <abstractions/kde-strict>
|
||||||
include <abstractions/private-files-strict>
|
include <abstractions/private-files-strict>
|
||||||
|
|
||||||
network netlink raw,
|
network netlink raw,
|
||||||
|
|
@ -21,14 +21,11 @@ profile baloo @{exec_path} {
|
||||||
|
|
||||||
@{lib}/baloo_file_extractor rix,
|
@{lib}/baloo_file_extractor rix,
|
||||||
|
|
||||||
/usr/share/hwdata/pnp.ids r,
|
|
||||||
/usr/share/icu/@{int}.@{int}/*.dat r,
|
|
||||||
/usr/share/poppler/{,**} r,
|
/usr/share/poppler/{,**} r,
|
||||||
|
|
||||||
/etc/fstab r,
|
/etc/fstab r,
|
||||||
/etc/machine-id r,
|
/etc/machine-id r,
|
||||||
/etc/xdg/baloofilerc r,
|
/etc/xdg/baloofilerc r,
|
||||||
/etc/xdg/kdeglobals r,
|
|
||||||
|
|
||||||
# Allow to search user files
|
# Allow to search user files
|
||||||
owner @{HOME}/{,**} r,
|
owner @{HOME}/{,**} r,
|
||||||
|
|
|
||||||
|
|
@ -9,34 +9,23 @@ include <tunables/global>
|
||||||
@{exec_path} = @{lib}/baloorunner
|
@{exec_path} = @{lib}/baloorunner
|
||||||
profile baloorunner @{exec_path} {
|
profile baloorunner @{exec_path} {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
include <abstractions/freedesktop.org>
|
|
||||||
include <abstractions/graphics>
|
include <abstractions/graphics>
|
||||||
|
include <abstractions/kde-strict>
|
||||||
include <abstractions/nameservice-strict>
|
include <abstractions/nameservice-strict>
|
||||||
include <abstractions/qt5>
|
|
||||||
|
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
@{bin}/dolphin rPx,
|
@{bin}/* rPx,
|
||||||
|
|
||||||
/usr/share/hwdata/*.ids r,
|
|
||||||
/usr/share/icu/@{int}.@{int}/*.dat r,
|
|
||||||
|
|
||||||
/etc/xdg/baloofilerc r,
|
/etc/xdg/baloofilerc r,
|
||||||
/etc/xdg/kdeglobals r,
|
|
||||||
/etc/xdg/kwinrc r,
|
|
||||||
|
|
||||||
owner @{user_cache_dirs}/icon-cache.kcache rw,
|
owner @{user_cache_dirs}/icon-cache.kcache rw,
|
||||||
|
|
||||||
owner @{user_config_dirs}/baloofilerc r,
|
owner @{user_config_dirs}/baloofilerc r,
|
||||||
owner @{user_config_dirs}/kdedefaults/kdeglobals r,
|
|
||||||
owner @{user_config_dirs}/kdedefaults/kwinrc r,
|
|
||||||
owner @{user_config_dirs}/kdeglobals r,
|
|
||||||
owner @{user_config_dirs}/kwinrc r,
|
|
||||||
|
|
||||||
owner @{user_share_dirs}/baloo/{,**} rwk,
|
owner @{user_share_dirs}/baloo/{,**} rwk,
|
||||||
|
|
||||||
/tmp/ r,
|
/tmp/ r,
|
||||||
/tmp/xauth_@{rand6} r,
|
|
||||||
|
|
||||||
@{PROC}/sys/kernel/core_pattern r,
|
@{PROC}/sys/kernel/core_pattern r,
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -9,14 +9,13 @@ include <tunables/global>
|
||||||
@{exec_path} = @{bin}/dolphin
|
@{exec_path} = @{bin}/dolphin
|
||||||
profile dolphin @{exec_path} {
|
profile dolphin @{exec_path} {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
|
include <abstractions/app-launcher-user>
|
||||||
include <abstractions/deny-sensitive-home>
|
include <abstractions/deny-sensitive-home>
|
||||||
include <abstractions/devices-usb>
|
include <abstractions/devices-usb>
|
||||||
include <abstractions/fonts>
|
|
||||||
include <abstractions/freedesktop.org>
|
|
||||||
include <abstractions/graphics>
|
include <abstractions/graphics>
|
||||||
|
include <abstractions/kde-strict>
|
||||||
include <abstractions/nameservice-strict>
|
include <abstractions/nameservice-strict>
|
||||||
include <abstractions/qt5>
|
include <abstractions/recent-documents-write>
|
||||||
include <abstractions/X-strict>
|
|
||||||
|
|
||||||
network netlink raw,
|
network netlink raw,
|
||||||
|
|
||||||
|
|
@ -24,10 +23,7 @@ profile dolphin @{exec_path} {
|
||||||
|
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
@{bin}/konsole rPUx,
|
|
||||||
@{bin}/ldd rix,
|
@{bin}/ldd rix,
|
||||||
@{bin}/net rPUx,
|
|
||||||
@{bin}/testparm rPUx,
|
|
||||||
@{lib}/kf5/kioslave5 rPx,
|
@{lib}/kf5/kioslave5 rPx,
|
||||||
|
|
||||||
/usr/share/kf5/kmoretools/{,**} r,
|
/usr/share/kf5/kmoretools/{,**} r,
|
||||||
|
|
@ -39,6 +35,8 @@ profile dolphin @{exec_path} {
|
||||||
/etc/machine-id r,
|
/etc/machine-id r,
|
||||||
/etc/xdg/arkrc r,
|
/etc/xdg/arkrc r,
|
||||||
/etc/xdg/dolphinrc r,
|
/etc/xdg/dolphinrc r,
|
||||||
|
/etc/xdg/menus/ r,
|
||||||
|
/etc/xdg/ui/ui_standards.rc r,
|
||||||
|
|
||||||
# Full access to user's data
|
# Full access to user's data
|
||||||
/ r,
|
/ r,
|
||||||
|
|
@ -53,6 +51,7 @@ profile dolphin @{exec_path} {
|
||||||
|
|
||||||
owner @{user_share_dirs}/dolphin/ rw,
|
owner @{user_share_dirs}/dolphin/ rw,
|
||||||
owner @{user_share_dirs}/dolphin/** rwkl -> @{user_share_dirs}/dolphin/#@{int},
|
owner @{user_share_dirs}/dolphin/** rwkl -> @{user_share_dirs}/dolphin/#@{int},
|
||||||
|
owner @{user_share_dirs}/recently-used.xbel{,.*} rwlk,
|
||||||
|
|
||||||
owner @{user_config_dirs}/#@{int} rw,
|
owner @{user_config_dirs}/#@{int} rw,
|
||||||
owner @{user_config_dirs}/dolphinrc rw,
|
owner @{user_config_dirs}/dolphinrc rw,
|
||||||
|
|
|
||||||
|
|
@ -9,9 +9,7 @@ include <tunables/global>
|
||||||
@{exec_path} = @{lib}/drkonqi
|
@{exec_path} = @{lib}/drkonqi
|
||||||
profile drkonqi @{exec_path} {
|
profile drkonqi @{exec_path} {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
include <abstractions/fonts>
|
include <abstractions/kde-strict>
|
||||||
include <abstractions/freedesktop.org>
|
|
||||||
include <abstractions/qt5>
|
|
||||||
|
|
||||||
network inet stream,
|
network inet stream,
|
||||||
network inet6 stream,
|
network inet6 stream,
|
||||||
|
|
@ -24,15 +22,10 @@ profile drkonqi @{exec_path} {
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
/usr/share/drkonqi/{,**} r,
|
/usr/share/drkonqi/{,**} r,
|
||||||
/usr/share/icu/@{int}.@{int}/*.dat r,
|
|
||||||
/usr/share/knotifications5/*.notifyrc r,
|
/usr/share/knotifications5/*.notifyrc r,
|
||||||
|
|
||||||
owner @{user_cache_dirs}/kcrash-metadata/* w,
|
owner @{user_cache_dirs}/kcrash-metadata/* w,
|
||||||
|
|
||||||
owner /tmp/xauth_@{rand6} r,
|
|
||||||
|
|
||||||
@{run}/user/@{uid}/xauth_@{rand6} rl,
|
|
||||||
|
|
||||||
/dev/tty r,
|
/dev/tty r,
|
||||||
|
|
||||||
include if exists <local/drkonqi>
|
include if exists <local/drkonqi>
|
||||||
|
|
|
||||||
|
|
@ -9,19 +9,14 @@ include <tunables/global>
|
||||||
@{exec_path} = @{bin}/gmenudbusmenuproxy
|
@{exec_path} = @{bin}/gmenudbusmenuproxy
|
||||||
profile gmenudbusmenuproxy @{exec_path} {
|
profile gmenudbusmenuproxy @{exec_path} {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
include <abstractions/fonts>
|
|
||||||
include <abstractions/gtk>
|
include <abstractions/gtk>
|
||||||
|
include <abstractions/kde-strict>
|
||||||
include <abstractions/nameservice-strict>
|
include <abstractions/nameservice-strict>
|
||||||
include <abstractions/qt5>
|
|
||||||
include <abstractions/X-strict>
|
|
||||||
|
|
||||||
ptrace (read) peer=kded5,
|
ptrace (read) peer=kded5,
|
||||||
|
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
/usr/share/hwdata/*.ids r,
|
|
||||||
/usr/share/icu/@{int}.@{int}/*.dat r,
|
|
||||||
|
|
||||||
/etc/machine-id r,
|
/etc/machine-id r,
|
||||||
|
|
||||||
owner @{HOME}/.gtkrc-2.0 rw,
|
owner @{HOME}/.gtkrc-2.0 rw,
|
||||||
|
|
|
||||||
|
|
@ -10,36 +10,21 @@ include <tunables/global>
|
||||||
profile kaccess @{exec_path} {
|
profile kaccess @{exec_path} {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
include <abstractions/graphics>
|
include <abstractions/graphics>
|
||||||
|
include <abstractions/kde-strict>
|
||||||
include <abstractions/nameservice-strict>
|
include <abstractions/nameservice-strict>
|
||||||
include <abstractions/qt5>
|
|
||||||
|
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
@{bin}/gsettings rPx,
|
@{bin}/gsettings rPx,
|
||||||
|
|
||||||
/usr/share/hwdata/pnp.ids r,
|
|
||||||
/usr/share/icons/{,**} r,
|
/usr/share/icons/{,**} r,
|
||||||
/usr/share/icu/@{int}.@{int}/*.dat r,
|
|
||||||
/usr/share/mime/{,**} r,
|
|
||||||
|
|
||||||
/etc/xdg/kdeglobals r,
|
|
||||||
/etc/xdg/kwinrc r,
|
|
||||||
|
|
||||||
owner @{HOME}/.Xauthority r,
|
|
||||||
|
|
||||||
owner @{user_cache_dirs}/icon-cache.kcache rw,
|
owner @{user_cache_dirs}/icon-cache.kcache rw,
|
||||||
|
|
||||||
owner @{user_config_dirs}/kdedefaults/* r,
|
|
||||||
owner @{user_config_dirs}/kdeglobals r,
|
|
||||||
owner @{user_config_dirs}/kwinrc r,
|
|
||||||
owner @{user_config_dirs}/kaccessrc r,
|
owner @{user_config_dirs}/kaccessrc r,
|
||||||
|
|
||||||
owner @{user_share_dirs}/mime/generic-icons r,
|
owner @{user_share_dirs}/mime/generic-icons r,
|
||||||
|
|
||||||
owner /tmp/xauth_@{rand6} r,
|
|
||||||
|
|
||||||
owner @{run}/user/@{uid}/xauth_@{rand6} r,
|
|
||||||
|
|
||||||
/dev/tty r,
|
/dev/tty r,
|
||||||
|
|
||||||
include if exists <local/kaccess>
|
include if exists <local/kaccess>
|
||||||
|
|
|
||||||
|
|
@ -9,23 +9,17 @@ include <tunables/global>
|
||||||
@{exec_path} = @{lib}/kactivitymanagerd
|
@{exec_path} = @{lib}/kactivitymanagerd
|
||||||
profile kactivitymanagerd @{exec_path} {
|
profile kactivitymanagerd @{exec_path} {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
include <abstractions/freedesktop.org>
|
|
||||||
include <abstractions/nameservice-strict>
|
include <abstractions/nameservice-strict>
|
||||||
include <abstractions/qt5>
|
|
||||||
include <abstractions/recent-documents-write>
|
include <abstractions/recent-documents-write>
|
||||||
include <abstractions/user-read>
|
include <abstractions/user-read>
|
||||||
include <abstractions/wayland>
|
include <abstractions/kde-strict>
|
||||||
include <abstractions/X-strict>
|
|
||||||
|
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
/etc/xdg/menus/{,*/} r,
|
/etc/xdg/menus/{,*/} r,
|
||||||
/usr/share/hwdata/*.ids r,
|
|
||||||
/usr/share/icu/@{int}.@{int}/*.dat r,
|
|
||||||
/usr/share/kf5/kactivitymanagerd/{,**} r,
|
/usr/share/kf5/kactivitymanagerd/{,**} r,
|
||||||
/usr/share/kservices5/{,**} r,
|
/usr/share/kservices5/{,**} r,
|
||||||
|
|
||||||
/etc/xdg/kdeglobals r,
|
|
||||||
/etc/machine-id r,
|
/etc/machine-id r,
|
||||||
|
|
||||||
owner @{HOME}/@{XDG_DESKTOP_DIR}/ r,
|
owner @{HOME}/@{XDG_DESKTOP_DIR}/ r,
|
||||||
|
|
@ -36,8 +30,6 @@ profile kactivitymanagerd @{exec_path} {
|
||||||
owner @{user_config_dirs}/#@{int} rw,
|
owner @{user_config_dirs}/#@{int} rw,
|
||||||
owner @{user_config_dirs}/kactivitymanagerdrc.lock rwk,
|
owner @{user_config_dirs}/kactivitymanagerdrc.lock rwk,
|
||||||
owner @{user_config_dirs}/kactivitymanagerdrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
|
owner @{user_config_dirs}/kactivitymanagerdrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
|
||||||
owner @{user_config_dirs}/kdedefaults/kdeglobals r,
|
|
||||||
owner @{user_config_dirs}/kdeglobals r,
|
|
||||||
owner @{user_config_dirs}/menus/{,**} r,
|
owner @{user_config_dirs}/menus/{,**} r,
|
||||||
|
|
||||||
owner @{user_share_dirs}/kactivitymanagerd/{,**} rwlk,
|
owner @{user_share_dirs}/kactivitymanagerd/{,**} rwlk,
|
||||||
|
|
|
||||||
|
|
@ -9,11 +9,9 @@ include <tunables/global>
|
||||||
@{exec_path} = @{bin}/kalendarac
|
@{exec_path} = @{bin}/kalendarac
|
||||||
profile kalendarac @{exec_path} {
|
profile kalendarac @{exec_path} {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
include <abstractions/fonts>
|
|
||||||
include <abstractions/freedesktop.org>
|
|
||||||
include <abstractions/graphics>
|
include <abstractions/graphics>
|
||||||
include <abstractions/nameservice-strict>
|
include <abstractions/nameservice-strict>
|
||||||
include <abstractions/qt5>
|
include <abstractions/kde-strict>
|
||||||
|
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
|
|
@ -21,15 +19,12 @@ profile kalendarac @{exec_path} {
|
||||||
|
|
||||||
/usr/share/akonadi/firstrun/{,*} r,
|
/usr/share/akonadi/firstrun/{,*} r,
|
||||||
/usr/share/akonadi/plugins/serializer/{,*.desktop} r,
|
/usr/share/akonadi/plugins/serializer/{,*.desktop} r,
|
||||||
/usr/share/hwdata/*.ids r,
|
|
||||||
/usr/share/icu/@{int}.@{int}/*.dat r,
|
|
||||||
/usr/share/knotifications5/{,**} r,
|
/usr/share/knotifications5/{,**} r,
|
||||||
/usr/share/sounds/{,**} r,
|
/usr/share/sounds/{,**} r,
|
||||||
|
|
||||||
/etc/machine-id r,
|
/etc/machine-id r,
|
||||||
/etc/pulse/client.conf r,
|
/etc/pulse/client.conf r,
|
||||||
/etc/pulse/client.conf.d/{,**} r,
|
/etc/pulse/client.conf.d/{,**} r,
|
||||||
/etc/xdg/kdeglobals r,
|
|
||||||
|
|
||||||
owner @{user_cache_dirs}/icon-cache.kcache rw,
|
owner @{user_cache_dirs}/icon-cache.kcache rw,
|
||||||
|
|
||||||
|
|
@ -41,15 +36,10 @@ profile kalendarac @{exec_path} {
|
||||||
owner @{user_config_dirs}/kalendaracrc rw,
|
owner @{user_config_dirs}/kalendaracrc rw,
|
||||||
owner @{user_config_dirs}/kalendaracrc.@{rand6} rwl,
|
owner @{user_config_dirs}/kalendaracrc.@{rand6} rwl,
|
||||||
owner @{user_config_dirs}/kalendaracrc.lock rwk,
|
owner @{user_config_dirs}/kalendaracrc.lock rwk,
|
||||||
owner @{user_config_dirs}/kdedefaults/kdeglobals r,
|
|
||||||
owner @{user_config_dirs}/kdeglobals r,
|
|
||||||
owner @{user_config_dirs}/kmail2rc r,
|
owner @{user_config_dirs}/kmail2rc r,
|
||||||
owner @{user_config_dirs}/pulse/cookie rk,
|
owner @{user_config_dirs}/pulse/cookie rk,
|
||||||
|
|
||||||
owner /tmp/xauth_@{rand6} r,
|
|
||||||
|
|
||||||
owner @{run}/user/@{uid}/pulse/ r,
|
owner @{run}/user/@{uid}/pulse/ r,
|
||||||
owner @{run}/user/@{uid}/xauth_@{rand6} rl,
|
|
||||||
|
|
||||||
@{PROC}/sys/kernel/core_pattern r,
|
@{PROC}/sys/kernel/core_pattern r,
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -9,22 +9,17 @@ include <tunables/global>
|
||||||
@{exec_path} = @{bin}/kcminit
|
@{exec_path} = @{bin}/kcminit
|
||||||
profile kcminit @{exec_path} {
|
profile kcminit @{exec_path} {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
include <abstractions/fonts>
|
|
||||||
include <abstractions/gtk>
|
include <abstractions/gtk>
|
||||||
include <abstractions/qt5>
|
include <abstractions/kde-strict>
|
||||||
|
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
@{bin}/xrdb rPx,
|
@{bin}/xrdb rPx,
|
||||||
@{bin}/xsetroot rPx,
|
@{bin}/xsetroot rPx,
|
||||||
|
|
||||||
/usr/share/icu/@{int}.@{int}/*.dat r,
|
|
||||||
/usr/share/hwdata/pnp.ids r,
|
|
||||||
|
|
||||||
/etc/machine-id r,
|
/etc/machine-id r,
|
||||||
/etc/xdg/kcmdisplayrc r,
|
/etc/xdg/kcmdisplayrc r,
|
||||||
/etc/xdg/kcminputrc r,
|
/etc/xdg/kcminputrc r,
|
||||||
/etc/xdg/kdeglobals r,
|
|
||||||
|
|
||||||
owner @{HOME}/.Xdefaults r,
|
owner @{HOME}/.Xdefaults r,
|
||||||
|
|
||||||
|
|
@ -33,24 +28,17 @@ profile kcminit @{exec_path} {
|
||||||
owner @{user_config_dirs}/gtkrc{,.@{rand6}} rwl,
|
owner @{user_config_dirs}/gtkrc{,.@{rand6}} rwl,
|
||||||
owner @{user_config_dirs}/kcminputrc r,
|
owner @{user_config_dirs}/kcminputrc r,
|
||||||
owner @{user_config_dirs}/kdedefaults/kcminputrc r,
|
owner @{user_config_dirs}/kdedefaults/kcminputrc r,
|
||||||
owner @{user_config_dirs}/kdedefaults/kdeglobals r,
|
|
||||||
owner @{user_config_dirs}/kdedefaults/kwinrc r,
|
|
||||||
owner @{user_config_dirs}/kdeglobals r,
|
|
||||||
owner @{user_config_dirs}/kgammarc r,
|
owner @{user_config_dirs}/kgammarc r,
|
||||||
owner @{user_config_dirs}/kwinrc r,
|
|
||||||
owner @{user_config_dirs}/touchpadrc r,
|
owner @{user_config_dirs}/touchpadrc r,
|
||||||
owner @{user_config_dirs}/Trolltech.conf.lock rwk,
|
owner @{user_config_dirs}/Trolltech.conf.lock rwk,
|
||||||
owner @{user_config_dirs}/Trolltech.conf{,.@{rand6}} rwl,
|
owner @{user_config_dirs}/Trolltech.conf{,.@{rand6}} rwl,
|
||||||
|
|
||||||
owner /tmp/#@{int} rw,
|
owner /tmp/#@{int} rw,
|
||||||
owner /tmp/kcminit.@{rand6} rwl,
|
owner /tmp/kcminit.@{rand6} rwl,
|
||||||
owner /tmp/xauth_@{rand6} r,
|
|
||||||
|
|
||||||
owner /tmp/.touchpaddefaults wl,
|
owner /tmp/.touchpaddefaults wl,
|
||||||
owner /tmp/.touchpaddefaults.lock rwk,
|
owner /tmp/.touchpaddefaults.lock rwk,
|
||||||
|
|
||||||
@{run}/user/@{uid}/xauth_@{rand6} rl,
|
|
||||||
|
|
||||||
@{PROC}/sys/kernel/random/boot_id r,
|
@{PROC}/sys/kernel/random/boot_id r,
|
||||||
|
|
||||||
/dev/tty r,
|
/dev/tty r,
|
||||||
|
|
|
||||||
|
|
@ -10,16 +10,11 @@ include <tunables/global>
|
||||||
profile kconf_update @{exec_path} {
|
profile kconf_update @{exec_path} {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
include <abstractions/dconf-write>
|
include <abstractions/dconf-write>
|
||||||
include <abstractions/dri-common>
|
include <abstractions/graphics>
|
||||||
include <abstractions/dri-enumerate>
|
|
||||||
include <abstractions/fonts>
|
|
||||||
include <abstractions/freedesktop.org>
|
|
||||||
include <abstractions/gtk>
|
include <abstractions/gtk>
|
||||||
include <abstractions/mesa>
|
include <abstractions/kde-strict>
|
||||||
include <abstractions/perl>
|
include <abstractions/perl>
|
||||||
include <abstractions/python>
|
include <abstractions/python>
|
||||||
include <abstractions/qt5>
|
|
||||||
include <abstractions/vulkan>
|
|
||||||
|
|
||||||
ptrace (read),
|
ptrace (read),
|
||||||
|
|
||||||
|
|
@ -35,16 +30,13 @@ profile kconf_update @{exec_path} {
|
||||||
/usr/share/kconf_update/*.py rix,
|
/usr/share/kconf_update/*.py rix,
|
||||||
/usr/share/kconf_update/*.sh rix,
|
/usr/share/kconf_update/*.sh rix,
|
||||||
|
|
||||||
/usr/share/icu/@{int}.@{int}/*.dat r,
|
|
||||||
/usr/share/kconf_update/{,**} r,
|
/usr/share/kconf_update/{,**} r,
|
||||||
/usr/share/kglobalaccel/org.kde.krunner.desktop r,
|
/usr/share/kglobalaccel/org.kde.krunner.desktop r,
|
||||||
|
|
||||||
/etc/machine-id r,
|
/etc/machine-id r,
|
||||||
/etc/xdg/kdeglobals r,
|
|
||||||
/etc/xdg/konsolerc r,
|
/etc/xdg/konsolerc r,
|
||||||
/etc/xdg/ui/ui_standards.rc r,
|
/etc/xdg/ui/ui_standards.rc r,
|
||||||
|
|
||||||
|
|
||||||
owner @{user_cache_dirs}/icon-cache.kcache rw,
|
owner @{user_cache_dirs}/icon-cache.kcache rw,
|
||||||
|
|
||||||
owner @{user_config_dirs}/#@{int} rw,
|
owner @{user_config_dirs}/#@{int} rw,
|
||||||
|
|
@ -60,7 +52,6 @@ profile kconf_update @{exec_path} {
|
||||||
owner @{user_config_dirs}/kcminputrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
|
owner @{user_config_dirs}/kcminputrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
|
||||||
owner @{user_config_dirs}/kconf_updaterc.lock rwk,
|
owner @{user_config_dirs}/kconf_updaterc.lock rwk,
|
||||||
owner @{user_config_dirs}/kconf_updaterc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
|
owner @{user_config_dirs}/kconf_updaterc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
|
||||||
owner @{user_config_dirs}/kdedefaults/* r,
|
|
||||||
owner @{user_config_dirs}/kdeglobals.lock rwk,
|
owner @{user_config_dirs}/kdeglobals.lock rwk,
|
||||||
owner @{user_config_dirs}/kdeglobals{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
|
owner @{user_config_dirs}/kdeglobals{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
|
||||||
owner @{user_config_dirs}/kglobalshortcutsrc.lock rwk,
|
owner @{user_config_dirs}/kglobalshortcutsrc.lock rwk,
|
||||||
|
|
|
||||||
|
|
@ -9,11 +9,9 @@ include <tunables/global>
|
||||||
@{exec_path} = @{lib}/org_kde_powerdevil
|
@{exec_path} = @{lib}/org_kde_powerdevil
|
||||||
profile kde-powerdevil @{exec_path} flags=(attach_disconnected mediate_deleted) {
|
profile kde-powerdevil @{exec_path} flags=(attach_disconnected mediate_deleted) {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
include <abstractions/dri-enumerate>
|
|
||||||
include <abstractions/fonts>
|
|
||||||
include <abstractions/fontconfig-cache-read>
|
include <abstractions/fontconfig-cache-read>
|
||||||
include <abstractions/qt5>
|
include <abstractions/graphics>
|
||||||
include <abstractions/X-strict>
|
include <abstractions/kde-strict>
|
||||||
|
|
||||||
capability wake_alarm,
|
capability wake_alarm,
|
||||||
|
|
||||||
|
|
@ -21,22 +19,24 @@ profile kde-powerdevil @{exec_path} flags=(attach_disconnected mediate_deleted)
|
||||||
|
|
||||||
@{exec_path} mrix,
|
@{exec_path} mrix,
|
||||||
|
|
||||||
@{bin}/kcminit rPx,
|
@{bin}/{,ba,da}sh rix,
|
||||||
@{lib}/drkonqi rPx,
|
@{bin}/find rix,
|
||||||
|
@{bin}/grep rix,
|
||||||
|
@{bin}/kcminit rPx,
|
||||||
|
@{bin}/sed rix,
|
||||||
|
@{bin}/xargs rix,
|
||||||
|
@{lib}/drkonqi rPx,
|
||||||
|
|
||||||
/usr/share/hwdata/*.ids r,
|
|
||||||
/usr/share/icu/@{int}.@{int}/*.dat r,
|
|
||||||
/usr/share/knotifications5/*.notifyrc r,
|
/usr/share/knotifications5/*.notifyrc r,
|
||||||
|
|
||||||
/etc/fstab r,
|
/etc/fstab r,
|
||||||
/etc/xdg/kdeglobals r,
|
|
||||||
/etc/machine-id r,
|
/etc/machine-id r,
|
||||||
|
|
||||||
|
owner @{HOME}/ r,
|
||||||
|
|
||||||
owner @{user_cache_dirs}/kcrash-metadata/{,*} rw,
|
owner @{user_cache_dirs}/kcrash-metadata/{,*} rw,
|
||||||
|
|
||||||
owner @{user_config_dirs}/#@{int} rw,
|
owner @{user_config_dirs}/#@{int} rw,
|
||||||
owner @{user_config_dirs}/kdedefaults/kdeglobals r,
|
|
||||||
owner @{user_config_dirs}/kdeglobals r,
|
|
||||||
owner @{user_config_dirs}/powerdevilrc.lock rwk,
|
owner @{user_config_dirs}/powerdevilrc.lock rwk,
|
||||||
owner @{user_config_dirs}/powerdevilrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
|
owner @{user_config_dirs}/powerdevilrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
|
||||||
owner @{user_config_dirs}/powermanagementprofilesrc.lock rwk,
|
owner @{user_config_dirs}/powermanagementprofilesrc.lock rwk,
|
||||||
|
|
@ -46,20 +46,23 @@ profile kde-powerdevil @{exec_path} flags=(attach_disconnected mediate_deleted)
|
||||||
@{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/**
|
@{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/**
|
||||||
owner @{run}/user/@{uid}kcrash_[0-9]* rw,
|
owner @{run}/user/@{uid}kcrash_[0-9]* rw,
|
||||||
|
|
||||||
@{PROC}/@{pid}/mounts r,
|
|
||||||
@{PROC}/sys/kernel/core_pattern r,
|
|
||||||
@{PROC}/sys/kernel/random/boot_id r,
|
|
||||||
|
|
||||||
@{sys}/bus/ r,
|
@{sys}/bus/ r,
|
||||||
@{sys}/class/ r,
|
@{sys}/class/ r,
|
||||||
@{sys}/class/drm/ r,
|
@{sys}/class/drm/ r,
|
||||||
@{sys}/class/i2c-dev/ r,
|
@{sys}/class/i2c-dev/ r,
|
||||||
@{sys}/class/usbmisc/ r,
|
@{sys}/class/usbmisc/ r,
|
||||||
|
@{sys}/devices/@{pci}/drm/card@{int}/*/edid r,
|
||||||
|
@{sys}/devices/@{pci}/drm/card@{int}/*/enabled r,
|
||||||
@{sys}/devices/@{pci}/drm/card@{int}/*/status r,
|
@{sys}/devices/@{pci}/drm/card@{int}/*/status r,
|
||||||
@{sys}/devices/i2c-[0-9]*/name r,
|
|
||||||
@{sys}/devices/@{pci}/i2c-[0-9]*/name r,
|
@{sys}/devices/@{pci}/i2c-[0-9]*/name r,
|
||||||
|
@{sys}/devices/**/ r,
|
||||||
|
@{sys}/devices/i2c-[0-9]*/name r,
|
||||||
@{sys}/devices/platform/*/i2c-[0-9]*/name r,
|
@{sys}/devices/platform/*/i2c-[0-9]*/name r,
|
||||||
|
|
||||||
|
@{PROC}/@{pid}/mounts r,
|
||||||
|
@{PROC}/sys/kernel/core_pattern r,
|
||||||
|
@{PROC}/sys/kernel/random/boot_id r,
|
||||||
|
|
||||||
/dev/tty rw,
|
/dev/tty rw,
|
||||||
/dev/rfkill r,
|
/dev/rfkill r,
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -14,17 +14,11 @@ profile kded5 @{exec_path} {
|
||||||
include <abstractions/bus/org.bluez>
|
include <abstractions/bus/org.bluez>
|
||||||
include <abstractions/consoles>
|
include <abstractions/consoles>
|
||||||
include <abstractions/dconf-write>
|
include <abstractions/dconf-write>
|
||||||
include <abstractions/dri-common>
|
include <abstractions/graphics>
|
||||||
include <abstractions/dri-enumerate>
|
|
||||||
include <abstractions/fonts>
|
|
||||||
include <abstractions/freedesktop.org>
|
|
||||||
include <abstractions/gtk>
|
include <abstractions/gtk>
|
||||||
include <abstractions/mesa>
|
include <abstractions/kde-strict>
|
||||||
include <abstractions/nameservice-strict>
|
include <abstractions/nameservice-strict>
|
||||||
include <abstractions/qt5>
|
|
||||||
include <abstractions/vulkan>
|
|
||||||
include <abstractions/wutmp>
|
include <abstractions/wutmp>
|
||||||
include <abstractions/X-strict>
|
|
||||||
|
|
||||||
network inet dgram,
|
network inet dgram,
|
||||||
network inet6 dgram,
|
network inet6 dgram,
|
||||||
|
|
@ -42,11 +36,10 @@ profile kded5 @{exec_path} {
|
||||||
@{bin}/setxkbmap rix,
|
@{bin}/setxkbmap rix,
|
||||||
@{bin}/xrdb rPx,
|
@{bin}/xrdb rPx,
|
||||||
@{bin}/xsettingsd rPx,
|
@{bin}/xsettingsd rPx,
|
||||||
|
@{lib}/drkonqi rPx,
|
||||||
@{lib}/kf5/kconf_update rPx,
|
@{lib}/kf5/kconf_update rPx,
|
||||||
@{lib}/utempter/utempter rPx,
|
@{lib}/utempter/utempter rPx,
|
||||||
|
|
||||||
/usr/share/hwdata/*.ids r,
|
|
||||||
/usr/share/icu/@{int}.@{int}/*.dat r,
|
|
||||||
/usr/share/kconf_update/ r,
|
/usr/share/kconf_update/ r,
|
||||||
/usr/share/kded5/{,**} r,
|
/usr/share/kded5/{,**} r,
|
||||||
/usr/share/kf5/kcookiejar/* r,
|
/usr/share/kf5/kcookiejar/* r,
|
||||||
|
|
@ -54,7 +47,6 @@ profile kded5 @{exec_path} {
|
||||||
/usr/share/knotifications5/{,**} r,
|
/usr/share/knotifications5/{,**} r,
|
||||||
/usr/share/kservices5/{,**} r,
|
/usr/share/kservices5/{,**} r,
|
||||||
/usr/share/kservicetypes5/{,**} r,
|
/usr/share/kservicetypes5/{,**} r,
|
||||||
/usr/share/mime/ r,
|
|
||||||
|
|
||||||
/etc/fstab r,
|
/etc/fstab r,
|
||||||
/etc/machine-id r,
|
/etc/machine-id r,
|
||||||
|
|
@ -62,7 +54,6 @@ profile kded5 @{exec_path} {
|
||||||
/etc/xdg/kcminputrc r,
|
/etc/xdg/kcminputrc r,
|
||||||
/etc/xdg/kde* r,
|
/etc/xdg/kde* r,
|
||||||
/etc/xdg/kioslaverc r,
|
/etc/xdg/kioslaverc r,
|
||||||
/etc/xdg/kwinrc r,
|
|
||||||
/etc/xdg/menus/{,**} r,
|
/etc/xdg/menus/{,**} r,
|
||||||
|
|
||||||
owner @{HOME}/.gtkrc-2.0 rw,
|
owner @{HOME}/.gtkrc-2.0 rw,
|
||||||
|
|
@ -85,7 +76,6 @@ profile kded5 @{exec_path} {
|
||||||
owner @{user_config_dirs}/kded5rc.lock rwk,
|
owner @{user_config_dirs}/kded5rc.lock rwk,
|
||||||
owner @{user_config_dirs}/kded5rc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
|
owner @{user_config_dirs}/kded5rc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
|
||||||
owner @{user_config_dirs}/kdedefaults/{,**} r,
|
owner @{user_config_dirs}/kdedefaults/{,**} r,
|
||||||
owner @{user_config_dirs}/kdeglobals r,
|
|
||||||
owner @{user_config_dirs}/khotkeysrc.lock rwk,
|
owner @{user_config_dirs}/khotkeysrc.lock rwk,
|
||||||
owner @{user_config_dirs}/khotkeysrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
|
owner @{user_config_dirs}/khotkeysrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
|
||||||
owner @{user_config_dirs}/kioslaverc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
|
owner @{user_config_dirs}/kioslaverc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
|
||||||
|
|
@ -121,9 +111,6 @@ profile kded5 @{exec_path} {
|
||||||
|
|
||||||
owner /tmp/plasma-csd-generator.@{rand6}/{,**} rw,
|
owner /tmp/plasma-csd-generator.@{rand6}/{,**} rw,
|
||||||
|
|
||||||
@{sys}/devices/system/node/ r,
|
|
||||||
@{sys}/devices/system/node/node@{int}/meminfo r,
|
|
||||||
|
|
||||||
@{PROC}/@{pids}/cmdline/ r,
|
@{PROC}/@{pids}/cmdline/ r,
|
||||||
@{PROC}/@{pids}/fd/ r,
|
@{PROC}/@{pids}/fd/ r,
|
||||||
@{PROC}/@{pids}/fd/info/@{int} r,
|
@{PROC}/@{pids}/fd/info/@{int} r,
|
||||||
|
|
@ -155,9 +142,8 @@ profile kded5 @{exec_path} {
|
||||||
@{PROC}/@{pids}/cmdline r,
|
@{PROC}/@{pids}/cmdline r,
|
||||||
@{PROC}/@{pids}/stat r,
|
@{PROC}/@{pids}/stat r,
|
||||||
@{PROC}/sys/kernel/osrelease r,
|
@{PROC}/sys/kernel/osrelease r,
|
||||||
@{PROC}/uptime r,
|
|
||||||
@{PROC}/@{pids}/cgroup r,
|
|
||||||
@{PROC}/tty/drivers r,
|
@{PROC}/tty/drivers r,
|
||||||
|
@{PROC}/uptime r,
|
||||||
|
|
||||||
include if exists <local/kded5_pgrep>
|
include if exists <local/kded5_pgrep>
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -9,18 +9,13 @@ include <tunables/global>
|
||||||
@{exec_path} = @{bin}/kglobalaccel5
|
@{exec_path} = @{bin}/kglobalaccel5
|
||||||
profile kglobalaccel5 @{exec_path} {
|
profile kglobalaccel5 @{exec_path} {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
include <abstractions/freedesktop.org>
|
include <abstractions/kde-strict>
|
||||||
include <abstractions/qt5>
|
|
||||||
include <abstractions/X-strict>
|
|
||||||
|
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
@{bin}/kstart rPx,
|
@{bin}/kstart rPx,
|
||||||
|
|
||||||
/usr/share/hwdata/*.ids r,
|
|
||||||
/usr/share/icu/@{int}.@{int}/*.dat r,
|
|
||||||
/usr/share/kglobalaccel/{,**} r,
|
/usr/share/kglobalaccel/{,**} r,
|
||||||
/usr/share/mime/{,**} r,
|
|
||||||
|
|
||||||
/etc/machine-id r,
|
/etc/machine-id r,
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -10,6 +10,7 @@ include <tunables/global>
|
||||||
profile kiod5 @{exec_path} {
|
profile kiod5 @{exec_path} {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
include <abstractions/graphics>
|
include <abstractions/graphics>
|
||||||
|
include <abstractions/kde-strict>
|
||||||
include <abstractions/nameservice-strict>
|
include <abstractions/nameservice-strict>
|
||||||
include <abstractions/openssl>
|
include <abstractions/openssl>
|
||||||
|
|
||||||
|
|
@ -19,19 +20,13 @@ profile kiod5 @{exec_path} {
|
||||||
|
|
||||||
/usr/share/icons/breeze/index.theme r,
|
/usr/share/icons/breeze/index.theme r,
|
||||||
/usr/share/mime/{,**} r,
|
/usr/share/mime/{,**} r,
|
||||||
/usr/share/mime/generic-icons r,
|
|
||||||
/usr/share/qt/translations/*.qm r,
|
/usr/share/qt/translations/*.qm r,
|
||||||
|
|
||||||
owner @{user_cache_dirs}/icon-cache.kcache rw,
|
owner @{user_cache_dirs}/icon-cache.kcache rw,
|
||||||
owner @{user_cache_dirs}/mesa_shader_cache/index rw,
|
|
||||||
|
|
||||||
owner @{user_config_dirs}/#@{int} rw,
|
owner @{user_config_dirs}/#@{int} rw,
|
||||||
owner @{user_config_dirs}/kdedefaults/kdeglobals r,
|
|
||||||
owner @{user_config_dirs}/kdedefaults/kwinrc r,
|
|
||||||
owner @{user_config_dirs}/kdeglobals r,
|
|
||||||
owner @{user_config_dirs}/ksslcertificatemanager rwl -> @{user_config_dirs}/#@{int},
|
owner @{user_config_dirs}/ksslcertificatemanager rwl -> @{user_config_dirs}/#@{int},
|
||||||
owner @{user_config_dirs}/ksslcertificatemanager.lock rwk,
|
owner @{user_config_dirs}/ksslcertificatemanager.lock rwk,
|
||||||
owner @{user_config_dirs}/kwinrc r,
|
|
||||||
|
|
||||||
owner @{PROC}/@{pid}/mounts r,
|
owner @{PROC}/@{pid}/mounts r,
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -10,14 +10,12 @@ include <tunables/global>
|
||||||
profile kioslave5 @{exec_path} {
|
profile kioslave5 @{exec_path} {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
include <abstractions/deny-sensitive-home>
|
include <abstractions/deny-sensitive-home>
|
||||||
include <abstractions/fonts>
|
|
||||||
include <abstractions/freedesktop.org>
|
|
||||||
include <abstractions/graphics>
|
include <abstractions/graphics>
|
||||||
|
include <abstractions/kde-strict>
|
||||||
include <abstractions/nameservice-strict>
|
include <abstractions/nameservice-strict>
|
||||||
include <abstractions/openssl>
|
include <abstractions/openssl>
|
||||||
include <abstractions/qt5>
|
|
||||||
include <abstractions/ssl_certs>
|
include <abstractions/ssl_certs>
|
||||||
include <abstractions/thumbnails-cache-read>
|
include <abstractions/thumbnails-cache-write>
|
||||||
include <abstractions/trash>
|
include <abstractions/trash>
|
||||||
|
|
||||||
network inet dgram,
|
network inet dgram,
|
||||||
|
|
@ -38,23 +36,20 @@ profile kioslave5 @{exec_path} {
|
||||||
@{lib}/libheif/*.so* rm,
|
@{lib}/libheif/*.so* rm,
|
||||||
@{lib}/kf5/kio_http_cache_cleaner rPx,
|
@{lib}/kf5/kio_http_cache_cleaner rPx,
|
||||||
|
|
||||||
/usr/share/hwdata/*.ids r,
|
|
||||||
/usr/share/icu/@{int}.@{int}/*.dat r,
|
|
||||||
/usr/share/kio_desktop/directory.desktop r,
|
/usr/share/kio_desktop/directory.desktop r,
|
||||||
/usr/share/kservices5/{,**} r,
|
/usr/share/kservices5/{,**} r,
|
||||||
/usr/share/kservicetypes5/*.desktop r,
|
/usr/share/kservicetypes5/*.desktop r,
|
||||||
/usr/share/remoteview/* r,
|
/usr/share/remoteview/* r,
|
||||||
|
|
||||||
/etc/fstab r,
|
/etc/fstab r,
|
||||||
/etc/xdg/kdeglobals r,
|
|
||||||
/etc/xdg/kioslaverc r,
|
/etc/xdg/kioslaverc r,
|
||||||
/etc/xdg/kwinrc r,
|
|
||||||
/etc/xdg/menus/{,**} r,
|
/etc/xdg/menus/{,**} r,
|
||||||
|
|
||||||
# Full access to user's data
|
# Full access to user's data
|
||||||
/ r,
|
/ r,
|
||||||
/*/ r,
|
/*/ r,
|
||||||
@{bin}/ r,
|
@{bin}/ r,
|
||||||
|
@{bin}/* r,
|
||||||
@{lib}/ r,
|
@{lib}/ r,
|
||||||
@{MOUNTDIRS}/ r,
|
@{MOUNTDIRS}/ r,
|
||||||
@{MOUNTS}/ r,
|
@{MOUNTS}/ r,
|
||||||
|
|
@ -74,13 +69,8 @@ profile kioslave5 @{exec_path} {
|
||||||
owner @{user_cache_dirs}/icon-cache.kcache rw,
|
owner @{user_cache_dirs}/icon-cache.kcache rw,
|
||||||
owner @{user_cache_dirs}/kio_http/* rwl,
|
owner @{user_cache_dirs}/kio_http/* rwl,
|
||||||
owner @{user_cache_dirs}/ksycoca5_* r,
|
owner @{user_cache_dirs}/ksycoca5_* r,
|
||||||
owner @{user_cache_dirs}/thumbnails/*/ r,
|
|
||||||
|
|
||||||
owner @{user_config_dirs}/kdedefaults/kdeglobals r,
|
|
||||||
owner @{user_config_dirs}/kdedefaults/kwinrc r,
|
|
||||||
owner @{user_config_dirs}/kdeglobals r,
|
|
||||||
owner @{user_config_dirs}/kio_httprc r,
|
owner @{user_config_dirs}/kio_httprc r,
|
||||||
owner @{user_config_dirs}/kwinrc r,
|
|
||||||
owner @{user_config_dirs}/menus/{,**} r,
|
owner @{user_config_dirs}/menus/{,**} r,
|
||||||
|
|
||||||
owner @{user_share_dirs}/baloo/index rw,
|
owner @{user_share_dirs}/baloo/index rw,
|
||||||
|
|
@ -91,12 +81,10 @@ profile kioslave5 @{exec_path} {
|
||||||
owner @{user_share_dirs}/kservices5/{,**} r,
|
owner @{user_share_dirs}/kservices5/{,**} r,
|
||||||
|
|
||||||
owner /tmp/#@{int} rw,
|
owner /tmp/#@{int} rw,
|
||||||
owner /tmp/xauth_@{int} r,
|
|
||||||
|
|
||||||
@{run}/mount/utab r,
|
@{run}/mount/utab r,
|
||||||
owner @{run}/user/@{uid}/#@{int} rw,
|
owner @{run}/user/@{uid}/#@{int} rw,
|
||||||
owner @{run}/user/@{uid}/kio_desktop*kioworker.socket rwl,
|
owner @{run}/user/@{uid}/kio_*.socket rwl -> @{run}/user/@{uid}/#@{int},
|
||||||
owner @{run}/user/@{uid}/xauth_@{rand6} rl,
|
|
||||||
|
|
||||||
@{PROC}/sys/kernel/core_pattern r,
|
@{PROC}/sys/kernel/core_pattern r,
|
||||||
owner @{PROC}/@{pid}/mountinfo r,
|
owner @{PROC}/@{pid}/mountinfo r,
|
||||||
|
|
|
||||||
|
|
@ -9,14 +9,10 @@ include <tunables/global>
|
||||||
@{exec_path} = @{lib}/kf5/kscreen_backend_launcher
|
@{exec_path} = @{lib}/kf5/kscreen_backend_launcher
|
||||||
profile kscreen_backend_launcher @{exec_path} {
|
profile kscreen_backend_launcher @{exec_path} {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
include <abstractions/qt5>
|
include <abstractions/kde-strict>
|
||||||
include <abstractions/X-strict>
|
|
||||||
|
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
/usr/share/hwdata/*.ids r,
|
|
||||||
/usr/share/icu/@{int}.@{int}/*.dat r,
|
|
||||||
|
|
||||||
/dev/tty r,
|
/dev/tty r,
|
||||||
|
|
||||||
include if exists <local/kscreen_backend_launcher>
|
include if exists <local/kscreen_backend_launcher>
|
||||||
|
|
|
||||||
|
|
@ -12,14 +12,11 @@ include <tunables/global>
|
||||||
profile kscreenlocker-greet @{exec_path} {
|
profile kscreenlocker-greet @{exec_path} {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
include <abstractions/fontconfig-cache-read>
|
include <abstractions/fontconfig-cache-read>
|
||||||
include <abstractions/fonts>
|
|
||||||
include <abstractions/freedesktop.org>
|
|
||||||
include <abstractions/graphics>
|
include <abstractions/graphics>
|
||||||
|
include <abstractions/kde-strict>
|
||||||
include <abstractions/nameservice-strict>
|
include <abstractions/nameservice-strict>
|
||||||
include <abstractions/qt5-compose-cache-write>
|
include <abstractions/qt5-compose-cache-write>
|
||||||
include <abstractions/qt5-shader-cache>
|
include <abstractions/qt5-shader-cache>
|
||||||
include <abstractions/qt5>
|
|
||||||
include <abstractions/X>
|
|
||||||
|
|
||||||
network netlink raw,
|
network netlink raw,
|
||||||
|
|
||||||
|
|
@ -35,8 +32,6 @@ profile kscreenlocker-greet @{exec_path} {
|
||||||
@{bin}/unix_chkpwd rPx,
|
@{bin}/unix_chkpwd rPx,
|
||||||
@{lib}/@{multiarch}/libexec/kcheckpass rPx,
|
@{lib}/@{multiarch}/libexec/kcheckpass rPx,
|
||||||
|
|
||||||
/usr/share/hwdata/pnp.ids r,
|
|
||||||
/usr/share/icu/@{int}.@{int}/*.dat r,
|
|
||||||
/usr/share/plasma/** r,
|
/usr/share/plasma/** r,
|
||||||
/usr/share/qt/translations/*.qm r,
|
/usr/share/qt/translations/*.qm r,
|
||||||
/usr/share/qt5ct/** r,
|
/usr/share/qt5ct/** r,
|
||||||
|
|
@ -54,7 +49,6 @@ profile kscreenlocker-greet @{exec_path} {
|
||||||
/etc/machine-id r,
|
/etc/machine-id r,
|
||||||
/etc/pam.d/* r,
|
/etc/pam.d/* r,
|
||||||
/etc/shells r,
|
/etc/shells r,
|
||||||
/etc/xdg/kdeglobals r,
|
|
||||||
/etc/xdg/kscreenlockerrc r,
|
/etc/xdg/kscreenlockerrc r,
|
||||||
/etc/xdg/plasmarc r,
|
/etc/xdg/plasmarc r,
|
||||||
|
|
||||||
|
|
@ -72,8 +66,8 @@ profile kscreenlocker-greet @{exec_path} {
|
||||||
owner @{user_cache_dirs}/plasma-svgelements.lock rwk,
|
owner @{user_cache_dirs}/plasma-svgelements.lock rwk,
|
||||||
owner @{user_cache_dirs}/plasma-svgelements{,.@{rand6}} rwl,
|
owner @{user_cache_dirs}/plasma-svgelements{,.@{rand6}} rwl,
|
||||||
|
|
||||||
owner @{user_config_dirs}/kdedefaults/* r,
|
owner @{user_config_dirs}/kdedefaults/kscreenlockerrc r,
|
||||||
owner @{user_config_dirs}/kdeglobals r,
|
owner @{user_config_dirs}/kdedefaults/plasmarc r,
|
||||||
owner @{user_config_dirs}/kscreenlockerrc r,
|
owner @{user_config_dirs}/kscreenlockerrc r,
|
||||||
owner @{user_config_dirs}/ksmserverrc r,
|
owner @{user_config_dirs}/ksmserverrc r,
|
||||||
owner @{user_config_dirs}/plasmarc r,
|
owner @{user_config_dirs}/plasmarc r,
|
||||||
|
|
@ -83,7 +77,6 @@ profile kscreenlocker-greet @{exec_path} {
|
||||||
owner @{HOME}/.glvnd* mrw,
|
owner @{HOME}/.glvnd* mrw,
|
||||||
|
|
||||||
owner /tmp/*-cover-*.{jpg,png} r,
|
owner /tmp/*-cover-*.{jpg,png} r,
|
||||||
owner /tmp/xauth_@{rand6} r,
|
|
||||||
|
|
||||||
@{run}/faillock/[a-zA-z0-9]* rwk,
|
@{run}/faillock/[a-zA-z0-9]* rwk,
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -10,12 +10,9 @@ include <tunables/global>
|
||||||
profile ksmserver @{exec_path} flags=(attach_disconnected,mediate_deleted) {
|
profile ksmserver @{exec_path} flags=(attach_disconnected,mediate_deleted) {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
include <abstractions/app-launcher-user>
|
include <abstractions/app-launcher-user>
|
||||||
include <abstractions/fonts>
|
|
||||||
include <abstractions/freedesktop.org>
|
|
||||||
include <abstractions/graphics>
|
include <abstractions/graphics>
|
||||||
|
include <abstractions/kde-strict>
|
||||||
include <abstractions/nameservice-strict>
|
include <abstractions/nameservice-strict>
|
||||||
include <abstractions/qt5>
|
|
||||||
include <abstractions/X-strict>
|
|
||||||
|
|
||||||
signal (send) set=(usr1,term) peer=kscreenlocker-greet,
|
signal (send) set=(usr1,term) peer=kscreenlocker-greet,
|
||||||
|
|
||||||
|
|
@ -29,43 +26,33 @@ profile ksmserver @{exec_path} flags=(attach_disconnected,mediate_deleted) {
|
||||||
@{lib}/kscreenlocker_greet rPx,
|
@{lib}/kscreenlocker_greet rPx,
|
||||||
|
|
||||||
/usr/share/color-schemes/{,**} r,
|
/usr/share/color-schemes/{,**} r,
|
||||||
/usr/share/hwdata/pnp.ids r,
|
|
||||||
/usr/share/icons/{,**} r,
|
|
||||||
/usr/share/icu/@{int}.@{int}/*.dat r,
|
|
||||||
/usr/share/knotifications5/*.notifyrc r,
|
/usr/share/knotifications5/*.notifyrc r,
|
||||||
/usr/share/kservices5/{,**} r,
|
/usr/share/kservices5/{,**} r,
|
||||||
|
|
||||||
/etc/xdg/menus/applications-merged/ r,
|
/etc/xdg/menus/applications-merged/ r,
|
||||||
/etc/machine-id r,
|
/etc/machine-id r,
|
||||||
/etc/xdg/kdeglobals r,
|
|
||||||
/etc/xdg/kscreenlockerrc r,
|
/etc/xdg/kscreenlockerrc r,
|
||||||
/etc/xdg/kwinrc r,
|
|
||||||
/etc/xdg/menus/ r,
|
/etc/xdg/menus/ r,
|
||||||
|
|
||||||
owner @{HOME}/@{rand6} rw,
|
owner @{HOME}/@{rand6} rw,
|
||||||
owner @{HOME}/.Xauthority rw,
|
owner @{HOME}/.Xauthority rw,
|
||||||
|
|
||||||
owner @{user_cache_dirs}/#@{int} rw,
|
owner @{user_cache_dirs}/#@{int} rw,
|
||||||
owner @{user_cache_dirs}/icon-cache.kcache rw,
|
|
||||||
owner @{user_cache_dirs}/fontconfig/*-le64.cache-* r,
|
owner @{user_cache_dirs}/fontconfig/*-le64.cache-* r,
|
||||||
|
owner @{user_cache_dirs}/icon-cache.kcache rw,
|
||||||
owner @{user_cache_dirs}/ksycoca5_* rl,
|
owner @{user_cache_dirs}/ksycoca5_* rl,
|
||||||
|
|
||||||
owner @{user_config_dirs}/menus/ r,
|
|
||||||
owner @{user_config_dirs}/kdedefaults/* r,
|
|
||||||
owner @{user_config_dirs}/kdeglobals r,
|
|
||||||
owner @{user_config_dirs}/kscreenlockerrc r,
|
|
||||||
owner @{user_config_dirs}/ksmserverrc.@{rand6} rwl,
|
|
||||||
owner @{user_config_dirs}/ksmserverrc r,
|
|
||||||
owner @{user_config_dirs}/#@{int} rw,
|
owner @{user_config_dirs}/#@{int} rw,
|
||||||
|
owner @{user_config_dirs}/kscreenlockerrc r,
|
||||||
|
owner @{user_config_dirs}/ksmserverrc r,
|
||||||
|
owner @{user_config_dirs}/ksmserverrc.@{rand6} rwl,
|
||||||
owner @{user_config_dirs}/ksmserverrc.lock rwk,
|
owner @{user_config_dirs}/ksmserverrc.lock rwk,
|
||||||
owner @{user_config_dirs}/kwinrc r,
|
owner @{user_config_dirs}/menus/ r,
|
||||||
owner @{user_config_dirs}/session/*_[0-9]*_[0-9]*_[0-9]* rw,
|
|
||||||
|
|
||||||
owner /tmp/@{rand6} rw,
|
owner /tmp/@{rand6} rw,
|
||||||
|
|
||||||
@{run}/systemd/inhibit/[0-9]*.ref rw,
|
@{run}/systemd/inhibit/[0-9]*.ref rw,
|
||||||
owner @{run}/user/@{uid}/KSMserver__[0-9] rw,
|
owner @{run}/user/@{uid}/KSMserver__[0-9] rw,
|
||||||
owner @{run}/user/@{uid}/xauth_@{rand6} rl,
|
|
||||||
|
|
||||||
@{PROC}/sys/kernel/core_pattern r,
|
@{PROC}/sys/kernel/core_pattern r,
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -9,9 +9,8 @@ include <tunables/global>
|
||||||
@{exec_path} = @{bin}/ksplashqml
|
@{exec_path} = @{bin}/ksplashqml
|
||||||
profile ksplashqml @{exec_path} {
|
profile ksplashqml @{exec_path} {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
include <abstractions/fonts>
|
|
||||||
include <abstractions/freedesktop.org>
|
|
||||||
include <abstractions/graphics>
|
include <abstractions/graphics>
|
||||||
|
include <abstractions/kde-strict>
|
||||||
include <abstractions/nameservice-strict>
|
include <abstractions/nameservice-strict>
|
||||||
include <abstractions/qt5-shader-cache>
|
include <abstractions/qt5-shader-cache>
|
||||||
|
|
||||||
|
|
@ -26,8 +25,9 @@ profile ksplashqml @{exec_path} {
|
||||||
owner @{user_cache_dirs}/ksplash/qmlcache/*.qmlc rwl -> @{user_cache_dirs}/ksplash/qmlcache/#@{int},
|
owner @{user_cache_dirs}/ksplash/qmlcache/*.qmlc rwl -> @{user_cache_dirs}/ksplash/qmlcache/#@{int},
|
||||||
owner @{user_cache_dirs}/ksplash/qmlcache/*.qmlc.@{rand6} rwl -> @{user_cache_dirs}/ksplash/qmlcache/#@{int},
|
owner @{user_cache_dirs}/ksplash/qmlcache/*.qmlc.@{rand6} rwl -> @{user_cache_dirs}/ksplash/qmlcache/#@{int},
|
||||||
owner @{user_cache_dirs}/ksplash/qmlcache/#@{int} rw,
|
owner @{user_cache_dirs}/ksplash/qmlcache/#@{int} rw,
|
||||||
owner @{user_config_dirs}/kdedefaults/* r,
|
|
||||||
owner @{user_config_dirs}/kdeglobals r,
|
owner @{user_config_dirs}/kdedefaults/ksplashrc r,
|
||||||
|
owner @{user_config_dirs}/kdedefaults/plasmarc r,
|
||||||
|
|
||||||
@{PROC}/sys/kernel/core_pattern r,
|
@{PROC}/sys/kernel/core_pattern r,
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -11,9 +11,8 @@ include <tunables/global>
|
||||||
profile kstart @{exec_path} flags=(complain,attach_disconnected) {
|
profile kstart @{exec_path} flags=(complain,attach_disconnected) {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
include <abstractions/fontconfig-cache-read>
|
include <abstractions/fontconfig-cache-read>
|
||||||
include <abstractions/fonts>
|
include <abstractions/kde-strict>
|
||||||
include <abstractions/nameservice-strict>
|
include <abstractions/nameservice-strict>
|
||||||
include <abstractions/X-strict>
|
|
||||||
|
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -13,15 +13,11 @@ profile kwalletd5 @{exec_path} {
|
||||||
include <abstractions/audio>
|
include <abstractions/audio>
|
||||||
include <abstractions/consoles>
|
include <abstractions/consoles>
|
||||||
include <abstractions/fontconfig-cache-read>
|
include <abstractions/fontconfig-cache-read>
|
||||||
include <abstractions/fonts>
|
|
||||||
include <abstractions/freedesktop.org>
|
|
||||||
include <abstractions/graphics>
|
include <abstractions/graphics>
|
||||||
include <abstractions/gtk>
|
include <abstractions/gtk>
|
||||||
|
include <abstractions/kde-strict>
|
||||||
include <abstractions/nameservice-strict>
|
include <abstractions/nameservice-strict>
|
||||||
include <abstractions/qt5-compose-cache-write>
|
include <abstractions/qt5-compose-cache-write>
|
||||||
include <abstractions/qt5>
|
|
||||||
include <abstractions/wayland>
|
|
||||||
include <abstractions/X-strict>
|
|
||||||
|
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
|
|
@ -30,35 +26,25 @@ profile kwalletd5 @{exec_path} {
|
||||||
@{bin}/gpgsm rCx -> gpg,
|
@{bin}/gpgsm rCx -> gpg,
|
||||||
|
|
||||||
/usr/share/color-schemes/{,**} r,
|
/usr/share/color-schemes/{,**} r,
|
||||||
/usr/share/hwdata/pnp.ids r,
|
|
||||||
/usr/share/icu/@{int}.@{int}/*.dat r,
|
|
||||||
/usr/share/qt/translations/*.qm r,
|
/usr/share/qt/translations/*.qm r,
|
||||||
/usr/share/qt5/qtlogging.ini r,
|
/usr/share/qt5/qtlogging.ini r,
|
||||||
/usr/share/qt5ct/** r,
|
/usr/share/qt5ct/** r,
|
||||||
|
|
||||||
/etc/machine-id r,
|
/etc/machine-id r,
|
||||||
/etc/xdg/kdeglobals r,
|
|
||||||
/etc/xdg/kwinrc r,
|
|
||||||
/var/lib/dbus/machine-id r,
|
/var/lib/dbus/machine-id r,
|
||||||
|
|
||||||
owner @{user_cache_dirs}/icon-cache.kcache rw,
|
owner @{user_cache_dirs}/icon-cache.kcache rw,
|
||||||
|
|
||||||
owner @{user_config_dirs}/#@{int} rw,
|
owner @{user_config_dirs}/#@{int} rw,
|
||||||
owner @{user_config_dirs}/kdedefaults/kdeglobals r,
|
|
||||||
owner @{user_config_dirs}/kdedefaults/kwinrc r,
|
|
||||||
owner @{user_config_dirs}/kdeglobals r,
|
|
||||||
owner @{user_config_dirs}/kwalletrc r,
|
owner @{user_config_dirs}/kwalletrc r,
|
||||||
owner @{user_config_dirs}/kwalletrc rwl -> @{user_config_dirs}/#@{int},
|
owner @{user_config_dirs}/kwalletrc rwl -> @{user_config_dirs}/#@{int},
|
||||||
owner @{user_config_dirs}/kwalletrc.lock rwk,
|
owner @{user_config_dirs}/kwalletrc.lock rwk,
|
||||||
owner @{user_config_dirs}/kwinrc r,
|
|
||||||
owner @{user_config_dirs}/qt5ct/{,**} r,
|
owner @{user_config_dirs}/qt5ct/{,**} r,
|
||||||
|
|
||||||
owner @{user_share_dirs}/kwalletd/ rw,
|
owner @{user_share_dirs}/kwalletd/ rw,
|
||||||
owner @{user_share_dirs}/kwalletd/** rwkl -> @{user_share_dirs}/kwalletd/#@{int},
|
owner @{user_share_dirs}/kwalletd/** rwkl -> @{user_share_dirs}/kwalletd/#@{int},
|
||||||
|
|
||||||
owner /tmp/kwalletd5.* rw,
|
owner /tmp/kwalletd5.* rw,
|
||||||
owner /tmp/runtime-*/xauth_@{rand6} r,
|
|
||||||
owner /tmp/xauth_@{rand6} r,
|
|
||||||
|
|
||||||
@{PROC}/sys/kernel/core_pattern r,
|
@{PROC}/sys/kernel/core_pattern r,
|
||||||
owner @{PROC}/@{pid}/cmdline r,
|
owner @{PROC}/@{pid}/cmdline r,
|
||||||
|
|
@ -76,8 +62,8 @@ profile kwalletd5 @{exec_path} {
|
||||||
owner @{HOME}/@{XDG_GPG_DIR}/ rw,
|
owner @{HOME}/@{XDG_GPG_DIR}/ rw,
|
||||||
owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**,
|
owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**,
|
||||||
|
|
||||||
|
include if exists <local/kwalletd5_gpg>
|
||||||
}
|
}
|
||||||
|
|
||||||
include if exists <local/kwalletd5>
|
include if exists <local/kwalletd5>
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -13,22 +13,18 @@ profile kwalletmanager5 @{exec_path} {
|
||||||
include <abstractions/audio>
|
include <abstractions/audio>
|
||||||
include <abstractions/consoles>
|
include <abstractions/consoles>
|
||||||
include <abstractions/fontconfig-cache-read>
|
include <abstractions/fontconfig-cache-read>
|
||||||
include <abstractions/fonts>
|
|
||||||
include <abstractions/freedesktop.org>
|
|
||||||
include <abstractions/graphics>
|
include <abstractions/graphics>
|
||||||
include <abstractions/gtk>
|
include <abstractions/gtk>
|
||||||
|
include <abstractions/kde-strict>
|
||||||
include <abstractions/nameservice-strict>
|
include <abstractions/nameservice-strict>
|
||||||
include <abstractions/qt5-compose-cache-write>
|
include <abstractions/qt5-compose-cache-write>
|
||||||
include <abstractions/qt5-settings-write>
|
include <abstractions/qt5-settings-write>
|
||||||
include <abstractions/qt5>
|
|
||||||
include <abstractions/user-download-strict>
|
include <abstractions/user-download-strict>
|
||||||
include <abstractions/X>
|
|
||||||
|
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
/usr/share/kxmlgui5/kwalletmanager5/kwalletmanager.rc r,
|
/usr/share/kxmlgui5/kwalletmanager5/kwalletmanager.rc r,
|
||||||
/usr/share/qt5ct/** r,
|
/usr/share/qt5ct/** r,
|
||||||
/usr/share/hwdata/pnp.ids r,
|
|
||||||
|
|
||||||
/etc/fstab r,
|
/etc/fstab r,
|
||||||
/etc/machine-id r,
|
/etc/machine-id r,
|
||||||
|
|
@ -48,15 +44,11 @@ profile kwalletmanager5 @{exec_path} {
|
||||||
owner @{user_config_dirs}/session/kwalletmanager5_* rwl -> @{user_config_dirs}/session/#@{int},
|
owner @{user_config_dirs}/session/kwalletmanager5_* rwl -> @{user_config_dirs}/session/#@{int},
|
||||||
owner @{user_config_dirs}/session/kwalletmanager5_*.lock rwk,
|
owner @{user_config_dirs}/session/kwalletmanager5_*.lock rwk,
|
||||||
|
|
||||||
owner @{user_config_dirs}/kdeglobals r,
|
@{PROC}/@{pid}/mountinfo r,
|
||||||
|
@{PROC}/@{pid}/mounts r,
|
||||||
owner /tmp/xauth-[0-9]*-_[0-9] r,
|
@{PROC}/sys/kernel/core_pattern r,
|
||||||
|
@{PROC}/sys/kernel/random/boot_id r,
|
||||||
deny owner @{PROC}/@{pid}/cmdline r,
|
owner @{PROC}/@{pid}/cmdline r,
|
||||||
@{PROC}/sys/kernel/core_pattern r,
|
|
||||||
deny @{PROC}/sys/kernel/random/boot_id r,
|
|
||||||
@{PROC}/@{pid}/mountinfo r,
|
|
||||||
@{PROC}/@{pid}/mounts r,
|
|
||||||
|
|
||||||
/dev/shm/ r,
|
/dev/shm/ r,
|
||||||
/dev/shm/#@{int} rw,
|
/dev/shm/#@{int} rw,
|
||||||
|
|
|
||||||
|
|
@ -10,12 +10,10 @@ include <tunables/global>
|
||||||
profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) {
|
profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
include <abstractions/fontconfig-cache-write>
|
include <abstractions/fontconfig-cache-write>
|
||||||
include <abstractions/fonts>
|
|
||||||
include <abstractions/freedesktop.org>
|
|
||||||
include <abstractions/graphics>
|
include <abstractions/graphics>
|
||||||
|
include <abstractions/kde-strict>
|
||||||
include <abstractions/nameservice-strict>
|
include <abstractions/nameservice-strict>
|
||||||
include <abstractions/qt5-shader-cache>
|
include <abstractions/qt5-shader-cache>
|
||||||
include <abstractions/wayland>
|
|
||||||
|
|
||||||
capability sys_nice,
|
capability sys_nice,
|
||||||
|
|
||||||
|
|
@ -36,7 +34,6 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) {
|
||||||
|
|
||||||
/usr/share/color-schemes/*.colors r,
|
/usr/share/color-schemes/*.colors r,
|
||||||
/usr/share/desktop-directories/*.directory r,
|
/usr/share/desktop-directories/*.directory r,
|
||||||
/usr/share/hwdata/pnp.ids r,
|
|
||||||
/usr/share/kglobalaccel/{,**} r,
|
/usr/share/kglobalaccel/{,**} r,
|
||||||
/usr/share/knotifications5/ksmserver.notifyrc r,
|
/usr/share/knotifications5/ksmserver.notifyrc r,
|
||||||
/usr/share/kservices5/{,**} r,
|
/usr/share/kservices5/{,**} r,
|
||||||
|
|
@ -45,7 +42,6 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) {
|
||||||
/usr/share/libinput/{,**} r,
|
/usr/share/libinput/{,**} r,
|
||||||
/usr/share/plasma/desktoptheme/default/** r,
|
/usr/share/plasma/desktoptheme/default/** r,
|
||||||
/usr/share/qt/translations/*.qm r,
|
/usr/share/qt/translations/*.qm r,
|
||||||
/usr/share/X11/xkb/{,**} r,
|
|
||||||
|
|
||||||
/etc/machine-id r,
|
/etc/machine-id r,
|
||||||
/etc/xdg/menus/{,applications.menu} r,
|
/etc/xdg/menus/{,applications.menu} r,
|
||||||
|
|
@ -80,12 +76,10 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) {
|
||||||
owner @{user_cache_dirs}/plasma-svgelements rw,
|
owner @{user_cache_dirs}/plasma-svgelements rw,
|
||||||
owner @{user_cache_dirs}/plasma-svgelements.@{rand6} rwl -> @{user_cache_dirs}/#@{int},
|
owner @{user_cache_dirs}/plasma-svgelements.@{rand6} rwl -> @{user_cache_dirs}/#@{int},
|
||||||
owner @{user_cache_dirs}/plasma-svgelements.lock rwk,
|
owner @{user_cache_dirs}/plasma-svgelements.lock rwk,
|
||||||
owner @{user_share_dirs}/kscreen/* r,
|
|
||||||
|
|
||||||
owner @{user_config_dirs}/#@{int} rwl,
|
owner @{user_config_dirs}/#@{int} rwl,
|
||||||
owner @{user_config_dirs}/kcminputrc r,
|
owner @{user_config_dirs}/kcminputrc r,
|
||||||
owner @{user_config_dirs}/kdedefaults/* r,
|
owner @{user_config_dirs}/kdedefaults/* r,
|
||||||
owner @{user_config_dirs}/kdeglobals r,
|
|
||||||
owner @{user_config_dirs}/kglobalshortcutsrc.lock rwk,
|
owner @{user_config_dirs}/kglobalshortcutsrc.lock rwk,
|
||||||
owner @{user_config_dirs}/kglobalshortcutsrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
|
owner @{user_config_dirs}/kglobalshortcutsrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
|
||||||
owner @{user_config_dirs}/kscreenlockerrc r,
|
owner @{user_config_dirs}/kscreenlockerrc r,
|
||||||
|
|
@ -94,7 +88,10 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) {
|
||||||
owner @{user_config_dirs}/kwinrulesrc r,
|
owner @{user_config_dirs}/kwinrulesrc r,
|
||||||
owner @{user_config_dirs}/kxkbrc r,
|
owner @{user_config_dirs}/kxkbrc r,
|
||||||
owner @{user_config_dirs}/menus/{,applications-merged/} r,
|
owner @{user_config_dirs}/menus/{,applications-merged/} r,
|
||||||
owner @{user_config_dirs}/session/* r,
|
# owner @{user_config_dirs}/session/* r,
|
||||||
|
|
||||||
|
owner @{user_share_dirs}/kscreen/* r,
|
||||||
|
owner @{user_share_dirs}/kwin/scripts/{,**} r,
|
||||||
|
|
||||||
@{run}/systemd/inhibit/*.ref rw,
|
@{run}/systemd/inhibit/*.ref rw,
|
||||||
|
|
||||||
|
|
@ -117,6 +114,7 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) {
|
||||||
@{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/**
|
@{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/**
|
||||||
@{run}/udev/data/c226:@{int} r, # for /dev/dri/card*
|
@{run}/udev/data/c226:@{int} r, # for /dev/dri/card*
|
||||||
|
|
||||||
|
@{PROC}/@{pid}/task/@{tid}/comm rw,
|
||||||
@{PROC}/sys/kernel/core_pattern r,
|
@{PROC}/sys/kernel/core_pattern r,
|
||||||
@{PROC}/sys/kernel/random/boot_id r,
|
@{PROC}/sys/kernel/random/boot_id r,
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -21,7 +21,5 @@ profile kwin_wayland_wrapper @{exec_path} {
|
||||||
owner @{run}/user/@{uid}/#@{int} rw,
|
owner @{run}/user/@{uid}/#@{int} rw,
|
||||||
owner @{run}/user/@{uid}/xauth_@{rand6} w,
|
owner @{run}/user/@{uid}/xauth_@{rand6} w,
|
||||||
|
|
||||||
owner /tmp/.X@{int}-lock rw,
|
|
||||||
|
|
||||||
include if exists <local/kwin_wayland_wrapper>
|
include if exists <local/kwin_wayland_wrapper>
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -10,12 +10,10 @@ include <tunables/global>
|
||||||
profile kwin_x11 @{exec_path} {
|
profile kwin_x11 @{exec_path} {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
include <abstractions/bus-system>
|
include <abstractions/bus-system>
|
||||||
include <abstractions/fonts>
|
|
||||||
include <abstractions/freedesktop.org>
|
|
||||||
include <abstractions/graphics>
|
include <abstractions/graphics>
|
||||||
|
include <abstractions/kde-strict>
|
||||||
include <abstractions/nameservice-strict>
|
include <abstractions/nameservice-strict>
|
||||||
include <abstractions/qt5-shader-cache>
|
include <abstractions/qt5-shader-cache>
|
||||||
include <abstractions/qt5>
|
|
||||||
|
|
||||||
network inet dgram,
|
network inet dgram,
|
||||||
network inet6 dgram,
|
network inet6 dgram,
|
||||||
|
|
@ -29,20 +27,13 @@ profile kwin_x11 @{exec_path} {
|
||||||
@{lib}/kwin_killer_helper rix,
|
@{lib}/kwin_killer_helper rix,
|
||||||
@{lib}/drkonqi rPx,
|
@{lib}/drkonqi rPx,
|
||||||
|
|
||||||
/usr/share/hwdata/pnp.ids r,
|
|
||||||
/usr/share/icu/@{int}.@{int}/*.dat r,
|
|
||||||
/usr/share/kwin/{,**} r,
|
/usr/share/kwin/{,**} r,
|
||||||
/usr/share/plasma/desktoptheme/{,**} r,
|
/usr/share/plasma/desktoptheme/{,**} r,
|
||||||
/usr/share/X11/xkb/{,**} r,
|
|
||||||
|
|
||||||
/etc/machine-id r,
|
/etc/machine-id r,
|
||||||
/etc/xdg/kcminputrc r,
|
/etc/xdg/kcminputrc r,
|
||||||
/etc/xdg/kdeglobals r,
|
|
||||||
/etc/xdg/kwinrc r,
|
|
||||||
/etc/xdg/plasmarc r,
|
/etc/xdg/plasmarc r,
|
||||||
|
|
||||||
owner @{HOME}/.Xauthority r,
|
|
||||||
|
|
||||||
owner @{user_cache_dirs}/ r,
|
owner @{user_cache_dirs}/ r,
|
||||||
owner @{user_cache_dirs}/#@{int} rw,
|
owner @{user_cache_dirs}/#@{int} rw,
|
||||||
owner @{user_cache_dirs}/icon-cache.kcache rw,
|
owner @{user_cache_dirs}/icon-cache.kcache rw,
|
||||||
|
|
@ -56,8 +47,6 @@ profile kwin_x11 @{exec_path} {
|
||||||
|
|
||||||
owner @{user_config_dirs}/#@{int} rw,
|
owner @{user_config_dirs}/#@{int} rw,
|
||||||
owner @{user_config_dirs}/kcminputrc r,
|
owner @{user_config_dirs}/kcminputrc r,
|
||||||
owner @{user_config_dirs}/kdedefaults/* r,
|
|
||||||
owner @{user_config_dirs}/kdeglobals r,
|
|
||||||
owner @{user_config_dirs}/kwinrc.lock rwk,
|
owner @{user_config_dirs}/kwinrc.lock rwk,
|
||||||
owner @{user_config_dirs}/kwinrc{,.@{rand6}} rwl,
|
owner @{user_config_dirs}/kwinrc{,.@{rand6}} rwl,
|
||||||
owner @{user_config_dirs}/kwinrulesrc r,
|
owner @{user_config_dirs}/kwinrulesrc r,
|
||||||
|
|
@ -67,10 +56,8 @@ profile kwin_x11 @{exec_path} {
|
||||||
|
|
||||||
owner /tmp/#@{int} rw,
|
owner /tmp/#@{int} rw,
|
||||||
owner /tmp/kwin.@{rand6} rwl,
|
owner /tmp/kwin.@{rand6} rwl,
|
||||||
owner /tmp/xauth_@{rand6} r,
|
|
||||||
|
|
||||||
owner @{run}/user/@{uid}/kcrash_[0-9]* rw,
|
owner @{run}/user/@{uid}/kcrash_[0-9]* rw,
|
||||||
owner @{run}/user/@{uid}/xauth_@{rand6} rl,
|
|
||||||
|
|
||||||
@{sys}/devices/system/node/ r,
|
@{sys}/devices/system/node/ r,
|
||||||
@{sys}/devices/system/node/node@{int}/meminfo r,
|
@{sys}/devices/system/node/node@{int}/meminfo r,
|
||||||
|
|
|
||||||
|
|
@ -9,11 +9,9 @@ include <tunables/global>
|
||||||
@{exec_path} = @{bin}/plasma-browser-integration-host
|
@{exec_path} = @{bin}/plasma-browser-integration-host
|
||||||
profile plasma-browser-integration-host @{exec_path} {
|
profile plasma-browser-integration-host @{exec_path} {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
include <abstractions/fonts>
|
|
||||||
include <abstractions/freedesktop.org>
|
|
||||||
include <abstractions/graphics>
|
include <abstractions/graphics>
|
||||||
|
include <abstractions/kde-strict>
|
||||||
include <abstractions/nameservice-strict>
|
include <abstractions/nameservice-strict>
|
||||||
include <abstractions/qt5>
|
|
||||||
|
|
||||||
capability sys_ptrace,
|
capability sys_ptrace,
|
||||||
|
|
||||||
|
|
@ -29,13 +27,6 @@ profile plasma-browser-integration-host @{exec_path} {
|
||||||
owner @{user_cache_dirs}/ksycoca5_* r,
|
owner @{user_cache_dirs}/ksycoca5_* r,
|
||||||
owner @{user_cache_dirs}/icon-cache.kcache rw,
|
owner @{user_cache_dirs}/icon-cache.kcache rw,
|
||||||
|
|
||||||
owner @{user_config_dirs}/ r,
|
|
||||||
owner @{user_config_dirs}/kdedefaults/ r,
|
|
||||||
owner @{user_config_dirs}/kdedefaults/kdeglobals r,
|
|
||||||
owner @{user_config_dirs}/kdedefaults/kwinrc r,
|
|
||||||
owner @{user_config_dirs}/kdeglobals r,
|
|
||||||
owner @{user_config_dirs}/kwinrc r,
|
|
||||||
|
|
||||||
@{PROC}/sys/kernel/core_pattern r,
|
@{PROC}/sys/kernel/core_pattern r,
|
||||||
owner @{PROC}/@{pid}/cmdline r,
|
owner @{PROC}/@{pid}/cmdline r,
|
||||||
owner @{PROC}/@{pid}/stat r,
|
owner @{PROC}/@{pid}/stat r,
|
||||||
|
|
|
||||||
|
|
@ -10,9 +10,8 @@ include <tunables/global>
|
||||||
profile plasma-discover @{exec_path} {
|
profile plasma-discover @{exec_path} {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
include <abstractions/dconf-write>
|
include <abstractions/dconf-write>
|
||||||
include <abstractions/fonts>
|
|
||||||
include <abstractions/freedesktop.org>
|
|
||||||
include <abstractions/graphics>
|
include <abstractions/graphics>
|
||||||
|
include <abstractions/kde-strict>
|
||||||
include <abstractions/nameservice-strict>
|
include <abstractions/nameservice-strict>
|
||||||
include <abstractions/openssl>
|
include <abstractions/openssl>
|
||||||
include <abstractions/qt5-shader-cache>
|
include <abstractions/qt5-shader-cache>
|
||||||
|
|
@ -22,6 +21,7 @@ profile plasma-discover @{exec_path} {
|
||||||
network inet6 dgram,
|
network inet6 dgram,
|
||||||
network inet stream,
|
network inet stream,
|
||||||
network inet6 stream,
|
network inet6 stream,
|
||||||
|
network netlink dgram,
|
||||||
network netlink raw,
|
network netlink raw,
|
||||||
|
|
||||||
signal (send) set=(term) peer=kioslave5,
|
signal (send) set=(term) peer=kioslave5,
|
||||||
|
|
@ -40,6 +40,7 @@ profile plasma-discover @{exec_path} {
|
||||||
/usr/share/knotifications5/plasma_workspace.notifyrc r,
|
/usr/share/knotifications5/plasma_workspace.notifyrc r,
|
||||||
/usr/share/knsrcfiles/{,*} r,
|
/usr/share/knsrcfiles/{,*} r,
|
||||||
/usr/share/kservices5/{,*} r,
|
/usr/share/kservices5/{,*} r,
|
||||||
|
/usr/share/kservicetypes5/{,*} r,
|
||||||
/usr/share/libdiscover/** r,
|
/usr/share/libdiscover/** r,
|
||||||
/usr/share/qt/translations/*.qm r,
|
/usr/share/qt/translations/*.qm r,
|
||||||
|
|
||||||
|
|
@ -70,22 +71,21 @@ profile plasma-discover @{exec_path} {
|
||||||
owner @{user_config_dirs}/discoverrc rwl,
|
owner @{user_config_dirs}/discoverrc rwl,
|
||||||
owner @{user_config_dirs}/discoverrc.lock rwk,
|
owner @{user_config_dirs}/discoverrc.lock rwk,
|
||||||
owner @{user_config_dirs}/kde.org/{,**} rwlk,
|
owner @{user_config_dirs}/kde.org/{,**} rwlk,
|
||||||
owner @{user_config_dirs}/kdedefaults/ r,
|
owner @{user_config_dirs}/KDE/* r,
|
||||||
owner @{user_config_dirs}/kdedefaults/plasmarc r,
|
owner @{user_config_dirs}/kdedefaults/plasmarc r,
|
||||||
owner @{user_config_dirs}/kdedefaults/kdeglobals r,
|
|
||||||
owner @{user_config_dirs}/kdedefaults/kwinrc r,
|
|
||||||
owner @{user_config_dirs}/kdeglobals r,
|
|
||||||
owner @{user_config_dirs}/kwinrc r,
|
|
||||||
owner @{user_config_dirs}/libaccounts-glib/ rw,
|
owner @{user_config_dirs}/libaccounts-glib/ rw,
|
||||||
owner @{user_config_dirs}/libaccounts-glib/accounts.db{,-shm,-wal,-journal} rwk,
|
owner @{user_config_dirs}/libaccounts-glib/accounts.db{,-shm,-wal,-journal} rwk,
|
||||||
|
|
||||||
owner @{user_share_dirs}/flatpak/repo/{,**} rw,
|
owner @{user_share_dirs}/flatpak/repo/{,**} rw,
|
||||||
owner @{user_share_dirs}/knewstuff3/ r,
|
owner @{user_share_dirs}/knewstuff3/{,*} rw,
|
||||||
owner @{user_share_dirs}/knewstuff3/ w,
|
owner @{user_share_dirs}/kwin/ rw,
|
||||||
|
owner @{user_share_dirs}/kwin/** rwlk -> @{user_share_dirs}/kwin/**,
|
||||||
|
|
||||||
|
owner /tmp/*.kwinscript rwl -> /tmp/#@{int},
|
||||||
|
owner /tmp/#@{int} rw,
|
||||||
|
owner /tmp/discover-@{rand6}/{,**} rw,
|
||||||
owner /tmp/ostree-gpg-*/ rw,
|
owner /tmp/ostree-gpg-*/ rw,
|
||||||
owner /tmp/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**,
|
owner /tmp/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**,
|
||||||
owner /tmp/#@{int} rw,
|
|
||||||
|
|
||||||
owner @{run}/user/@{uid}/.flatpak-cache rw,
|
owner @{run}/user/@{uid}/.flatpak-cache rw,
|
||||||
owner @{run}/user/@{uid}/.flatpak/{,**} rw,
|
owner @{run}/user/@{uid}/.flatpak/{,**} rw,
|
||||||
|
|
|
||||||
|
|
@ -18,15 +18,12 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
|
||||||
include <abstractions/devices-usb>
|
include <abstractions/devices-usb>
|
||||||
include <abstractions/disks-read>
|
include <abstractions/disks-read>
|
||||||
include <abstractions/enchant>
|
include <abstractions/enchant>
|
||||||
include <abstractions/fonts>
|
|
||||||
include <abstractions/freedesktop.org>
|
|
||||||
include <abstractions/graphics>
|
include <abstractions/graphics>
|
||||||
|
include <abstractions/kde-strict>
|
||||||
include <abstractions/nameservice-strict>
|
include <abstractions/nameservice-strict>
|
||||||
include <abstractions/qt5-shader-cache>
|
include <abstractions/qt5-shader-cache>
|
||||||
include <abstractions/qt5>
|
|
||||||
include <abstractions/recent-documents-write>
|
include <abstractions/recent-documents-write>
|
||||||
include <abstractions/thumbnails-cache-read>
|
include <abstractions/thumbnails-cache-read>
|
||||||
include <abstractions/X-strict>
|
|
||||||
|
|
||||||
network inet dgram,
|
network inet dgram,
|
||||||
network inet6 dgram,
|
network inet6 dgram,
|
||||||
|
|
@ -57,8 +54,6 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
|
||||||
/usr/share/akonadi/firstrun/{,*} r,
|
/usr/share/akonadi/firstrun/{,*} r,
|
||||||
/usr/share/akonadi/plugins/serializer/{,*.desktop} r,
|
/usr/share/akonadi/plugins/serializer/{,*.desktop} r,
|
||||||
/usr/share/desktop-directories/kf5-*.directory r,
|
/usr/share/desktop-directories/kf5-*.directory r,
|
||||||
/usr/share/hwdata/*.ids r,
|
|
||||||
/usr/share/icu/@{int}.@{int}/*.dat r,
|
|
||||||
/usr/share/kio/servicemenus/{,*.desktop} r,
|
/usr/share/kio/servicemenus/{,*.desktop} r,
|
||||||
/usr/share/knotifications5/*.notifyrc r,
|
/usr/share/knotifications5/*.notifyrc r,
|
||||||
/usr/share/konsole/ r,
|
/usr/share/konsole/ r,
|
||||||
|
|
@ -119,8 +114,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
|
||||||
owner @{user_config_dirs}/kactivitymanagerd-*.lock rwk,
|
owner @{user_config_dirs}/kactivitymanagerd-*.lock rwk,
|
||||||
owner @{user_config_dirs}/kactivitymanagerd-*{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
|
owner @{user_config_dirs}/kactivitymanagerd-*{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
|
||||||
owner @{user_config_dirs}/kcookiejarrc r,
|
owner @{user_config_dirs}/kcookiejarrc r,
|
||||||
owner @{user_config_dirs}/kdedefaults/* r,
|
owner @{user_config_dirs}/kdedefaults/plasmarc r,
|
||||||
owner @{user_config_dirs}/kdeglobals r,
|
|
||||||
owner @{user_config_dirs}/kdiff3fileitemactionrc r,
|
owner @{user_config_dirs}/kdiff3fileitemactionrc r,
|
||||||
owner @{user_config_dirs}/kioslaverc r,
|
owner @{user_config_dirs}/kioslaverc r,
|
||||||
owner @{user_config_dirs}/klipperrc r,
|
owner @{user_config_dirs}/klipperrc r,
|
||||||
|
|
@ -129,7 +123,6 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
|
||||||
owner @{user_config_dirs}/krunnerrc r,
|
owner @{user_config_dirs}/krunnerrc r,
|
||||||
owner @{user_config_dirs}/ksmserverrc r,
|
owner @{user_config_dirs}/ksmserverrc r,
|
||||||
owner @{user_config_dirs}/kwalletrc r,
|
owner @{user_config_dirs}/kwalletrc r,
|
||||||
owner @{user_config_dirs}/kwinrc r,
|
|
||||||
owner @{user_config_dirs}/menus/{,**} r,
|
owner @{user_config_dirs}/menus/{,**} r,
|
||||||
owner @{user_config_dirs}/plasma* rwlk,
|
owner @{user_config_dirs}/plasma* rwlk,
|
||||||
owner @{user_config_dirs}/pulse/cookie rwk,
|
owner @{user_config_dirs}/pulse/cookie rwk,
|
||||||
|
|
@ -177,15 +170,16 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
|
||||||
@{PROC}/cmdline r,
|
@{PROC}/cmdline r,
|
||||||
@{PROC}/diskstats r,
|
@{PROC}/diskstats r,
|
||||||
@{PROC}/loadavg r,
|
@{PROC}/loadavg r,
|
||||||
@{PROC}/uptime r,
|
|
||||||
@{PROC}/vmstat r,
|
|
||||||
@{PROC}/sys/kernel/core_pattern r,
|
@{PROC}/sys/kernel/core_pattern r,
|
||||||
@{PROC}/sys/kernel/random/boot_id r,
|
@{PROC}/sys/kernel/random/boot_id r,
|
||||||
|
@{PROC}/uptime r,
|
||||||
|
@{PROC}/vmstat r,
|
||||||
owner @{PROC}/@{pid}/{cgroup,cmdline,stat,statm} r,
|
owner @{PROC}/@{pid}/{cgroup,cmdline,stat,statm} r,
|
||||||
owner @{PROC}/@{pid}/attr/current r,
|
owner @{PROC}/@{pid}/attr/current r,
|
||||||
owner @{PROC}/@{pid}/environ r,
|
owner @{PROC}/@{pid}/environ r,
|
||||||
owner @{PROC}/@{pid}/mountinfo r,
|
owner @{PROC}/@{pid}/mountinfo r,
|
||||||
owner @{PROC}/@{pid}/mounts r,
|
owner @{PROC}/@{pid}/mounts r,
|
||||||
|
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
|
||||||
|
|
||||||
/dev/ptmx rw,
|
/dev/ptmx rw,
|
||||||
/dev/rfkill r,
|
/dev/rfkill r,
|
||||||
|
|
|
||||||
|
|
@ -12,15 +12,12 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
include <abstractions/authentication>
|
include <abstractions/authentication>
|
||||||
include <abstractions/bash>
|
include <abstractions/bash>
|
||||||
include <abstractions/dri-common>
|
|
||||||
include <abstractions/fontconfig-cache-read>
|
include <abstractions/fontconfig-cache-read>
|
||||||
include <abstractions/fonts>
|
include <abstractions/graphics>
|
||||||
include <abstractions/freedesktop.org>
|
include <abstractions/kde-strict>
|
||||||
include <abstractions/mesa>
|
|
||||||
include <abstractions/nameservice-strict>
|
include <abstractions/nameservice-strict>
|
||||||
include <abstractions/qt5>
|
include <abstractions/qt5>
|
||||||
include <abstractions/wutmp>
|
include <abstractions/wutmp>
|
||||||
include <abstractions/X-strict>
|
|
||||||
|
|
||||||
capability audit_write,
|
capability audit_write,
|
||||||
capability chown,
|
capability chown,
|
||||||
|
|
@ -128,8 +125,6 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) {
|
||||||
owner @{HOME}/.local/ w,
|
owner @{HOME}/.local/ w,
|
||||||
owner @{HOME}/.Xauthority rw,
|
owner @{HOME}/.Xauthority rw,
|
||||||
|
|
||||||
owner @{user_config_dirs}/kdeglobals r,
|
|
||||||
owner @{user_config_dirs}/kdedefaults/kdeglobals r,
|
|
||||||
owner @{user_config_dirs}/menus/{,**} r,
|
owner @{user_config_dirs}/menus/{,**} r,
|
||||||
owner @{user_config_dirs}/startkderc r,
|
owner @{user_config_dirs}/startkderc r,
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -11,13 +11,11 @@ include <tunables/global>
|
||||||
profile sddm-greeter @{exec_path} {
|
profile sddm-greeter @{exec_path} {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
include <abstractions/fontconfig-cache-read>
|
include <abstractions/fontconfig-cache-read>
|
||||||
include <abstractions/fonts>
|
|
||||||
include <abstractions/freedesktop.org>
|
|
||||||
include <abstractions/nameservice-strict>
|
|
||||||
include <abstractions/graphics>
|
include <abstractions/graphics>
|
||||||
|
include <abstractions/kde-strict>
|
||||||
|
include <abstractions/nameservice-strict>
|
||||||
include <abstractions/qt5-compose-cache-write>
|
include <abstractions/qt5-compose-cache-write>
|
||||||
include <abstractions/qt5-shader-cache>
|
include <abstractions/qt5-shader-cache>
|
||||||
include <abstractions/qt5>
|
|
||||||
|
|
||||||
network netlink raw,
|
network netlink raw,
|
||||||
|
|
||||||
|
|
@ -27,8 +25,6 @@ profile sddm-greeter @{exec_path} {
|
||||||
@{lib}/libheif/*.so* rm,
|
@{lib}/libheif/*.so* rm,
|
||||||
|
|
||||||
/usr/share/desktop-base/softwaves-theme/login/*.svg r,
|
/usr/share/desktop-base/softwaves-theme/login/*.svg r,
|
||||||
/usr/share/hwdata/pnp.ids r,
|
|
||||||
/usr/share/icu/@{int}.@{int}/*.dat r,
|
|
||||||
/usr/share/plasma/desktoptheme/** r,
|
/usr/share/plasma/desktoptheme/** r,
|
||||||
/usr/share/qt5ct/** r,
|
/usr/share/qt5ct/** r,
|
||||||
/usr/share/sddm/{,**} r,
|
/usr/share/sddm/{,**} r,
|
||||||
|
|
@ -41,7 +37,6 @@ profile sddm-greeter @{exec_path} {
|
||||||
/etc/machine-id r,
|
/etc/machine-id r,
|
||||||
/etc/sddm.conf r,
|
/etc/sddm.conf r,
|
||||||
/etc/sddm.conf.d/{,*} r,
|
/etc/sddm.conf.d/{,*} r,
|
||||||
/etc/xdg/kdeglobals r,
|
|
||||||
/etc/xdg/plasmarc r,
|
/etc/xdg/plasmarc r,
|
||||||
/var/lib/AccountsService/icons/*.icon r,
|
/var/lib/AccountsService/icons/*.icon r,
|
||||||
/var/lib/dbus/machine-id r,
|
/var/lib/dbus/machine-id r,
|
||||||
|
|
@ -57,7 +52,6 @@ profile sddm-greeter @{exec_path} {
|
||||||
owner @{user_cache_dirs}/plasma-svgelements-* rw,
|
owner @{user_cache_dirs}/plasma-svgelements-* rw,
|
||||||
owner @{user_cache_dirs}/sddm-greeter/{,**} rwl,
|
owner @{user_cache_dirs}/sddm-greeter/{,**} rwl,
|
||||||
|
|
||||||
owner @{user_config_dirs}/kdeglobals r,
|
|
||||||
owner @{user_config_dirs}/plasmarc r,
|
owner @{user_config_dirs}/plasmarc r,
|
||||||
owner @{user_config_dirs}/qt5ct/{,**} r,
|
owner @{user_config_dirs}/qt5ct/{,**} r,
|
||||||
|
|
||||||
|
|
@ -66,7 +60,6 @@ profile sddm-greeter @{exec_path} {
|
||||||
owner @{HOME}/.glvnd* mrw,
|
owner @{HOME}/.glvnd* mrw,
|
||||||
|
|
||||||
owner /tmp/runtime-sddm/ rw,
|
owner /tmp/runtime-sddm/ rw,
|
||||||
owner /tmp/xauth_@{rand6} rw,
|
|
||||||
|
|
||||||
owner @{run}/sddm/{,*} rw,
|
owner @{run}/sddm/{,*} rw,
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -9,9 +9,7 @@ include <tunables/global>
|
||||||
@{exec_path} = @{bin}/startplasma-wayland @{bin}/startplasma-x11
|
@{exec_path} = @{bin}/startplasma-wayland @{bin}/startplasma-x11
|
||||||
profile startplasma @{exec_path} {
|
profile startplasma @{exec_path} {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
include <abstractions/freedesktop.org>
|
include <abstractions/kde-strict>
|
||||||
include <abstractions/qt5>
|
|
||||||
include <abstractions/X-strict>
|
|
||||||
|
|
||||||
signal (receive) set=(term) peer=sddm,
|
signal (receive) set=(term) peer=sddm,
|
||||||
|
|
||||||
|
|
@ -24,7 +22,6 @@ profile startplasma @{exec_path} {
|
||||||
|
|
||||||
/usr/share/color-schemes/{,**} r,
|
/usr/share/color-schemes/{,**} r,
|
||||||
/usr/share/desktop-directories/{,**} r,
|
/usr/share/desktop-directories/{,**} r,
|
||||||
/usr/share/icu/@{int}.@{int}/*.dat r,
|
|
||||||
/usr/share/knotifications5/{,**} r,
|
/usr/share/knotifications5/{,**} r,
|
||||||
/usr/share/kservices5/{,**} r,
|
/usr/share/kservices5/{,**} r,
|
||||||
/usr/share/kservicetypes5/{,**} r,
|
/usr/share/kservicetypes5/{,**} r,
|
||||||
|
|
@ -32,15 +29,11 @@ profile startplasma @{exec_path} {
|
||||||
|
|
||||||
/etc/machine-id r,
|
/etc/machine-id r,
|
||||||
/etc/xdg/kcminputrc r,
|
/etc/xdg/kcminputrc r,
|
||||||
/etc/xdg/kdeglobals r,
|
|
||||||
/etc/xdg/menus/{,**} r,
|
/etc/xdg/menus/{,**} r,
|
||||||
|
|
||||||
owner @{HOME}/.Xauthority r,
|
@{user_cache_dirs}/ksycoca5_* rwkl -> @{user_cache_dirs}/#@{int},
|
||||||
|
|
||||||
owner @{user_cache_dirs}/ rw,
|
|
||||||
owner @{user_cache_dirs}/#@{int} rwk,
|
owner @{user_cache_dirs}/#@{int} rwk,
|
||||||
owner @{user_cache_dirs}/kcrash-metadata/ rw,
|
owner @{user_cache_dirs}/kcrash-metadata/ rw,
|
||||||
@{user_cache_dirs}/ksycoca5_* rwkl -> @{user_cache_dirs}/#@{int},
|
|
||||||
owner @{user_cache_dirs}/plasma-svgelements rw,
|
owner @{user_cache_dirs}/plasma-svgelements rw,
|
||||||
|
|
||||||
owner @{user_config_dirs}/#@{int} rw,
|
owner @{user_config_dirs}/#@{int} rw,
|
||||||
|
|
@ -69,7 +62,6 @@ profile startplasma @{exec_path} {
|
||||||
owner /tmp/startplasma-{x11,wayland}.@{rand6} rwl -> /tmp/#@{int},
|
owner /tmp/startplasma-{x11,wayland}.@{rand6} rwl -> /tmp/#@{int},
|
||||||
|
|
||||||
owner @{run}/user/@{uid}/ r,
|
owner @{run}/user/@{uid}/ r,
|
||||||
@{run}/user/@{uid}/xauth_@{rand6} rl,
|
|
||||||
|
|
||||||
@{PROC}/sys/kernel/core_pattern r,
|
@{PROC}/sys/kernel/core_pattern r,
|
||||||
@{PROC}/sys/kernel/random/boot_id r,
|
@{PROC}/sys/kernel/random/boot_id r,
|
||||||
|
|
|
||||||
|
|
@ -9,12 +9,10 @@ include <tunables/global>
|
||||||
@{exec_path} = @{bin}/systemsettings
|
@{exec_path} = @{bin}/systemsettings
|
||||||
profile systemsettings @{exec_path} {
|
profile systemsettings @{exec_path} {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
include <abstractions/fonts>
|
|
||||||
include <abstractions/freedesktop.org>
|
|
||||||
include <abstractions/graphics>
|
include <abstractions/graphics>
|
||||||
|
include <abstractions/kde-strict>
|
||||||
include <abstractions/nameservice-strict>
|
include <abstractions/nameservice-strict>
|
||||||
include <abstractions/qt5-shader-cache>
|
include <abstractions/qt5-shader-cache>
|
||||||
include <abstractions/qt5>
|
|
||||||
|
|
||||||
network netlink raw,
|
network netlink raw,
|
||||||
|
|
||||||
|
|
@ -22,7 +20,6 @@ profile systemsettings @{exec_path} {
|
||||||
|
|
||||||
@{bin}/kcminit rPx,
|
@{bin}/kcminit rPx,
|
||||||
|
|
||||||
/usr/share/hwdata/pnp.ids r,
|
|
||||||
/usr/share/kpackage/{,**} r,
|
/usr/share/kpackage/{,**} r,
|
||||||
/usr/share/kservices5/{,**} r,
|
/usr/share/kservices5/{,**} r,
|
||||||
/usr/share/kservicetypes5/{,**} r,
|
/usr/share/kservicetypes5/{,**} r,
|
||||||
|
|
@ -45,10 +42,8 @@ profile systemsettings @{exec_path} {
|
||||||
|
|
||||||
owner @{user_config_dirs}/#@{int} rw,
|
owner @{user_config_dirs}/#@{int} rw,
|
||||||
owner @{user_config_dirs}/kde.org/{,**} rwlk,
|
owner @{user_config_dirs}/kde.org/{,**} rwlk,
|
||||||
owner @{user_config_dirs}/kdedefaults/* r,
|
owner @{user_config_dirs}/kdedefaults/plasmarc r,
|
||||||
owner @{user_config_dirs}/kdeglobals r,
|
|
||||||
owner @{user_config_dirs}/kinfocenterrc* rwlk,
|
owner @{user_config_dirs}/kinfocenterrc* rwlk,
|
||||||
owner @{user_config_dirs}/kwinrc r,
|
|
||||||
owner @{user_config_dirs}/systemsettingsrc.lock rwk,
|
owner @{user_config_dirs}/systemsettingsrc.lock rwk,
|
||||||
owner @{user_config_dirs}/systemsettingsrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
|
owner @{user_config_dirs}/systemsettingsrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
|
||||||
|
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue