mirrors/apparmor.d
1
0
Fork 0
mirror of https://github.com/roddhjav/apparmor.d.git synced 2025-01-31 07:17:22 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

feat(profile): update kde profiles.

Browse source
This commit is contained in:
Alexandre Pujol 2024-01-30 14:59:26 +00:00
parent c08f93de50
commit 4672694d39
Failed to generate hash of commit
33 changed files with 101 additions and 325 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
apparmor.d/groups/kde/DiscoverNotifier
View file

@ -9,10 +9,9 @@ include <tunables/global>
@{exec_path} = @{lib}/DiscoverNotifier
profile DiscoverNotifier @{exec_path} {
include <abstractions/base>
include <abstractions/freedesktop.org>
include <abstractions/graphics>
include <abstractions/kde-strict>
include <abstractions/nameservice-strict>
include <abstractions/qt5>
network inet dgram,
network inet6 dgram,
@ -26,11 +25,6 @@ profile DiscoverNotifier @{exec_path} {
owner @{user_cache_dirs}/flatpak/{,**} rw,
owner @{user_cache_dirs}/icon-cache.kcache rw,
owner @{user_config_dirs}/kdedefaults/kdeglobals r,
owner @{user_config_dirs}/kdedefaults/kwinrc r,
owner @{user_config_dirs}/kdeglobals r,
owner @{user_config_dirs}/kwinrc r,
owner @{user_share_dirs}/flatpak/{,**} rw,

5
apparmor.d/groups/kde/baloo
View file

@ -12,7 +12,7 @@ profile baloo @{exec_path} {
include <abstractions/deny-sensitive-home>
include <abstractions/disks-read>
include <abstractions/fontconfig-cache-write>
include <abstractions/desktop>
include <abstractions/kde-strict>
include <abstractions/private-files-strict>
network netlink raw,
@ -21,14 +21,11 @@ profile baloo @{exec_path} {
@{lib}/baloo_file_extractor rix,
/usr/share/hwdata/pnp.ids r,
/usr/share/icu/@{int}.@{int}/*.dat r,
/usr/share/poppler/{,**} r,
/etc/fstab r,
/etc/machine-id r,
/etc/xdg/baloofilerc r,
/etc/xdg/kdeglobals r,
# Allow to search user files
owner @{HOME}/{,**} r,

15
apparmor.d/groups/kde/baloorunner
View file

@ -9,34 +9,23 @@ include <tunables/global>
@{exec_path} = @{lib}/baloorunner
profile baloorunner @{exec_path} {
include <abstractions/base>
include <abstractions/freedesktop.org>
include <abstractions/graphics>
include <abstractions/kde-strict>
include <abstractions/nameservice-strict>
include <abstractions/qt5>
@{exec_path} mr,
@{bin}/dolphin rPx,
/usr/share/hwdata/*.ids r,
/usr/share/icu/@{int}.@{int}/*.dat r,
@{bin}/* rPx,
/etc/xdg/baloofilerc r,
/etc/xdg/kdeglobals r,
/etc/xdg/kwinrc r,
owner @{user_cache_dirs}/icon-cache.kcache rw,
owner @{user_config_dirs}/baloofilerc r,
owner @{user_config_dirs}/kdedefaults/kdeglobals r,
owner @{user_config_dirs}/kdedefaults/kwinrc r,
owner @{user_config_dirs}/kdeglobals r,
owner @{user_config_dirs}/kwinrc r,
owner @{user_share_dirs}/baloo/{,**} rwk,
/tmp/ r,
/tmp/xauth_@{rand6} r,
@{PROC}/sys/kernel/core_pattern r,

13
apparmor.d/groups/kde/dolphin
View file

@ -9,14 +9,13 @@ include <tunables/global>
@{exec_path} = @{bin}/dolphin
profile dolphin @{exec_path} {
include <abstractions/base>
include <abstractions/app-launcher-user>
include <abstractions/deny-sensitive-home>
include <abstractions/devices-usb>
include <abstractions/fonts>
include <abstractions/freedesktop.org>
include <abstractions/graphics>
include <abstractions/kde-strict>
include <abstractions/nameservice-strict>
include <abstractions/qt5>
include <abstractions/X-strict>
include <abstractions/recent-documents-write>
network netlink raw,
@ -24,10 +23,7 @@ profile dolphin @{exec_path} {
@{exec_path} mr,
@{bin}/konsole rPUx,
@{bin}/ldd rix,
@{bin}/net rPUx,
@{bin}/testparm rPUx,
@{lib}/kf5/kioslave5 rPx,
/usr/share/kf5/kmoretools/{,**} r,
@ -39,6 +35,8 @@ profile dolphin @{exec_path} {
/etc/machine-id r,
/etc/xdg/arkrc r,
/etc/xdg/dolphinrc r,
/etc/xdg/menus/ r,
/etc/xdg/ui/ui_standards.rc r,
# Full access to user's data
/ r,
@ -53,6 +51,7 @@ profile dolphin @{exec_path} {
owner @{user_share_dirs}/dolphin/ rw,
owner @{user_share_dirs}/dolphin/** rwkl -> @{user_share_dirs}/dolphin/#@{int},
owner @{user_share_dirs}/recently-used.xbel{,.*} rwlk,
owner @{user_config_dirs}/#@{int} rw,
owner @{user_config_dirs}/dolphinrc rw,

9
apparmor.d/groups/kde/drkonqi
View file

@ -9,9 +9,7 @@ include <tunables/global>
@{exec_path} = @{lib}/drkonqi
profile drkonqi @{exec_path} {
include <abstractions/base>
include <abstractions/fonts>
include <abstractions/freedesktop.org>
include <abstractions/qt5>
include <abstractions/kde-strict>
network inet stream,
network inet6 stream,
@ -24,15 +22,10 @@ profile drkonqi @{exec_path} {
@{exec_path} mr,
/usr/share/drkonqi/{,**} r,
/usr/share/icu/@{int}.@{int}/*.dat r,
/usr/share/knotifications5/*.notifyrc r,
owner @{user_cache_dirs}/kcrash-metadata/* w,
owner /tmp/xauth_@{rand6} r,
@{run}/user/@{uid}/xauth_@{rand6} rl,
/dev/tty r,
include if exists <local/drkonqi>

7
apparmor.d/groups/kde/gmenudbusmenuproxy
View file

@ -9,19 +9,14 @@ include <tunables/global>
@{exec_path} = @{bin}/gmenudbusmenuproxy
profile gmenudbusmenuproxy @{exec_path} {
include <abstractions/base>
include <abstractions/fonts>
include <abstractions/gtk>
include <abstractions/kde-strict>
include <abstractions/nameservice-strict>
include <abstractions/qt5>
include <abstractions/X-strict>
ptrace (read) peer=kded5,
@{exec_path} mr,
/usr/share/hwdata/*.ids r,
/usr/share/icu/@{int}.@{int}/*.dat r,
/etc/machine-id r,
owner @{HOME}/.gtkrc-2.0 rw,

17
apparmor.d/groups/kde/kaccess
View file

@ -10,36 +10,21 @@ include <tunables/global>
profile kaccess @{exec_path} {
include <abstractions/base>
include <abstractions/graphics>
include <abstractions/kde-strict>
include <abstractions/nameservice-strict>
include <abstractions/qt5>
@{exec_path} mr,
@{bin}/gsettings rPx,
/usr/share/hwdata/pnp.ids r,
/usr/share/icons/{,**} r,
/usr/share/icu/@{int}.@{int}/*.dat r,
/usr/share/mime/{,**} r,
/etc/xdg/kdeglobals r,
/etc/xdg/kwinrc r,
owner @{HOME}/.Xauthority r,
owner @{user_cache_dirs}/icon-cache.kcache rw,
owner @{user_config_dirs}/kdedefaults/* r,
owner @{user_config_dirs}/kdeglobals r,
owner @{user_config_dirs}/kwinrc r,
owner @{user_config_dirs}/kaccessrc r,
owner @{user_share_dirs}/mime/generic-icons r,
owner /tmp/xauth_@{rand6} r,
owner @{run}/user/@{uid}/xauth_@{rand6} r,
/dev/tty r,
include if exists <local/kaccess>

10
apparmor.d/groups/kde/kactivitymanagerd
View file

@ -9,23 +9,17 @@ include <tunables/global>
@{exec_path} = @{lib}/kactivitymanagerd
profile kactivitymanagerd @{exec_path} {
include <abstractions/base>
include <abstractions/freedesktop.org>
include <abstractions/nameservice-strict>
include <abstractions/qt5>
include <abstractions/recent-documents-write>
include <abstractions/user-read>
include <abstractions/wayland>
include <abstractions/X-strict>
include <abstractions/kde-strict>
@{exec_path} mr,
/etc/xdg/menus/{,*/} r,
/usr/share/hwdata/*.ids r,
/usr/share/icu/@{int}.@{int}/*.dat r,
/usr/share/kf5/kactivitymanagerd/{,**} r,
/usr/share/kservices5/{,**} r,
/etc/xdg/kdeglobals r,
/etc/machine-id r,
owner @{HOME}/@{XDG_DESKTOP_DIR}/ r,
@ -36,8 +30,6 @@ profile kactivitymanagerd @{exec_path} {
owner @{user_config_dirs}/#@{int} rw,
owner @{user_config_dirs}/kactivitymanagerdrc.lock rwk,
owner @{user_config_dirs}/kactivitymanagerdrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
owner @{user_config_dirs}/kdedefaults/kdeglobals r,
owner @{user_config_dirs}/kdeglobals r,
owner @{user_config_dirs}/menus/{,**} r,
owner @{user_share_dirs}/kactivitymanagerd/{,**} rwlk,

12
apparmor.d/groups/kde/kalendarac
View file

@ -9,11 +9,9 @@ include <tunables/global>
@{exec_path} = @{bin}/kalendarac
profile kalendarac @{exec_path} {
include <abstractions/base>
include <abstractions/fonts>
include <abstractions/freedesktop.org>
include <abstractions/graphics>
include <abstractions/nameservice-strict>
include <abstractions/qt5>
include <abstractions/kde-strict>
@{exec_path} mr,
@ -21,15 +19,12 @@ profile kalendarac @{exec_path} {
/usr/share/akonadi/firstrun/{,*} r,
/usr/share/akonadi/plugins/serializer/{,*.desktop} r,
/usr/share/hwdata/*.ids r,
/usr/share/icu/@{int}.@{int}/*.dat r,
/usr/share/knotifications5/{,**} r,
/usr/share/sounds/{,**} r,
/etc/machine-id r,
/etc/pulse/client.conf r,
/etc/pulse/client.conf.d/{,**} r,
/etc/xdg/kdeglobals r,
owner @{user_cache_dirs}/icon-cache.kcache rw,
@ -41,15 +36,10 @@ profile kalendarac @{exec_path} {
owner @{user_config_dirs}/kalendaracrc rw,
owner @{user_config_dirs}/kalendaracrc.@{rand6} rwl,
owner @{user_config_dirs}/kalendaracrc.lock rwk,
owner @{user_config_dirs}/kdedefaults/kdeglobals r,
owner @{user_config_dirs}/kdeglobals r,
owner @{user_config_dirs}/kmail2rc r,
owner @{user_config_dirs}/pulse/cookie rk,
owner /tmp/xauth_@{rand6} r,
owner @{run}/user/@{uid}/pulse/ r,
owner @{run}/user/@{uid}/xauth_@{rand6} rl,
@{PROC}/sys/kernel/core_pattern r,

14
apparmor.d/groups/kde/kcminit
View file

@ -9,22 +9,17 @@ include <tunables/global>
@{exec_path} = @{bin}/kcminit
profile kcminit @{exec_path} {
include <abstractions/base>
include <abstractions/fonts>
include <abstractions/gtk>
include <abstractions/qt5>
include <abstractions/kde-strict>
@{exec_path} mr,
@{bin}/xrdb rPx,
@{bin}/xsetroot rPx,
/usr/share/icu/@{int}.@{int}/*.dat r,
/usr/share/hwdata/pnp.ids r,
/etc/machine-id r,
/etc/xdg/kcmdisplayrc r,
/etc/xdg/kcminputrc r,
/etc/xdg/kdeglobals r,
owner @{HOME}/.Xdefaults r,
@ -33,24 +28,17 @@ profile kcminit @{exec_path} {
owner @{user_config_dirs}/gtkrc{,.@{rand6}} rwl,
owner @{user_config_dirs}/kcminputrc r,
owner @{user_config_dirs}/kdedefaults/kcminputrc r,
owner @{user_config_dirs}/kdedefaults/kdeglobals r,
owner @{user_config_dirs}/kdedefaults/kwinrc r,
owner @{user_config_dirs}/kdeglobals r,
owner @{user_config_dirs}/kgammarc r,
owner @{user_config_dirs}/kwinrc r,
owner @{user_config_dirs}/touchpadrc r,
owner @{user_config_dirs}/Trolltech.conf.lock rwk,
owner @{user_config_dirs}/Trolltech.conf{,.@{rand6}} rwl,
owner /tmp/#@{int} rw,
owner /tmp/kcminit.@{rand6} rwl,
owner /tmp/xauth_@{rand6} r,
owner /tmp/.touchpaddefaults wl,
owner /tmp/.touchpaddefaults.lock rwk,
@{run}/user/@{uid}/xauth_@{rand6} rl,
@{PROC}/sys/kernel/random/boot_id r,
/dev/tty r,

13
apparmor.d/groups/kde/kconf_update
View file

@ -10,16 +10,11 @@ include <tunables/global>
profile kconf_update @{exec_path} {
include <abstractions/base>
include <abstractions/dconf-write>
include <abstractions/dri-common>
include <abstractions/dri-enumerate>
include <abstractions/fonts>
include <abstractions/freedesktop.org>
include <abstractions/graphics>
include <abstractions/gtk>
include <abstractions/mesa>
include <abstractions/kde-strict>
include <abstractions/perl>
include <abstractions/python>
include <abstractions/qt5>
include <abstractions/vulkan>
ptrace (read),
@ -35,16 +30,13 @@ profile kconf_update @{exec_path} {
/usr/share/kconf_update/*.py rix,
/usr/share/kconf_update/*.sh rix,
/usr/share/icu/@{int}.@{int}/*.dat r,
/usr/share/kconf_update/{,**} r,
/usr/share/kglobalaccel/org.kde.krunner.desktop r,
/etc/machine-id r,
/etc/xdg/kdeglobals r,
/etc/xdg/konsolerc r,
/etc/xdg/ui/ui_standards.rc r,
owner @{user_cache_dirs}/icon-cache.kcache rw,
owner @{user_config_dirs}/#@{int} rw,
@ -60,7 +52,6 @@ profile kconf_update @{exec_path} {
owner @{user_config_dirs}/kcminputrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
owner @{user_config_dirs}/kconf_updaterc.lock rwk,
owner @{user_config_dirs}/kconf_updaterc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
owner @{user_config_dirs}/kdedefaults/* r,
owner @{user_config_dirs}/kdeglobals.lock rwk,
owner @{user_config_dirs}/kdeglobals{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
owner @{user_config_dirs}/kglobalshortcutsrc.lock rwk,

35
apparmor.d/groups/kde/kde-powerdevil
View file

@ -9,11 +9,9 @@ include <tunables/global>
@{exec_path} = @{lib}/org_kde_powerdevil
profile kde-powerdevil @{exec_path} flags=(attach_disconnected mediate_deleted) {
include <abstractions/base>
include <abstractions/dri-enumerate>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/qt5>
include <abstractions/X-strict>
include <abstractions/graphics>
include <abstractions/kde-strict>
capability wake_alarm,
@ -21,22 +19,24 @@ profile kde-powerdevil @{exec_path} flags=(attach_disconnected mediate_deleted)
@{exec_path} mrix,
@{bin}/kcminit rPx,
@{lib}/drkonqi rPx,
@{bin}/{,ba,da}sh rix,
@{bin}/find rix,
@{bin}/grep rix,
@{bin}/kcminit rPx,
@{bin}/sed rix,
@{bin}/xargs rix,
@{lib}/drkonqi rPx,
/usr/share/hwdata/*.ids r,
/usr/share/icu/@{int}.@{int}/*.dat r,
/usr/share/knotifications5/*.notifyrc r,
/etc/fstab r,
/etc/xdg/kdeglobals r,
/etc/machine-id r,
owner @{HOME}/ r,
owner @{user_cache_dirs}/kcrash-metadata/{,*} rw,
owner @{user_config_dirs}/#@{int} rw,
owner @{user_config_dirs}/kdedefaults/kdeglobals r,
owner @{user_config_dirs}/kdeglobals r,
owner @{user_config_dirs}/powerdevilrc.lock rwk,
owner @{user_config_dirs}/powerdevilrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
owner @{user_config_dirs}/powermanagementprofilesrc.lock rwk,
@ -46,20 +46,23 @@ profile kde-powerdevil @{exec_path} flags=(attach_disconnected mediate_deleted)
@{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/**
owner @{run}/user/@{uid}kcrash_[0-9]* rw,
@{PROC}/@{pid}/mounts r,
@{PROC}/sys/kernel/core_pattern r,
@{PROC}/sys/kernel/random/boot_id r,
@{sys}/bus/ r,
@{sys}/class/ r,
@{sys}/class/drm/ r,
@{sys}/class/i2c-dev/ r,
@{sys}/class/usbmisc/ r,
@{sys}/devices/@{pci}/drm/card@{int}/*/edid r,
@{sys}/devices/@{pci}/drm/card@{int}/*/enabled r,
@{sys}/devices/@{pci}/drm/card@{int}/*/status r,
@{sys}/devices/i2c-[0-9]*/name r,
@{sys}/devices/@{pci}/i2c-[0-9]*/name r,
@{sys}/devices/**/ r,
@{sys}/devices/i2c-[0-9]*/name r,
@{sys}/devices/platform/*/i2c-[0-9]*/name r,
@{PROC}/@{pid}/mounts r,
@{PROC}/sys/kernel/core_pattern r,
@{PROC}/sys/kernel/random/boot_id r,
/dev/tty rw,
/dev/rfkill r,

22
apparmor.d/groups/kde/kded5
View file

@ -14,17 +14,11 @@ profile kded5 @{exec_path} {
include <abstractions/bus/org.bluez>
include <abstractions/consoles>
include <abstractions/dconf-write>
include <abstractions/dri-common>
include <abstractions/dri-enumerate>
include <abstractions/fonts>
include <abstractions/freedesktop.org>
include <abstractions/graphics>
include <abstractions/gtk>
include <abstractions/mesa>
include <abstractions/kde-strict>
include <abstractions/nameservice-strict>
include <abstractions/qt5>
include <abstractions/vulkan>
include <abstractions/wutmp>
include <abstractions/X-strict>
network inet dgram,
network inet6 dgram,
@ -42,11 +36,10 @@ profile kded5 @{exec_path} {
@{bin}/setxkbmap rix,
@{bin}/xrdb rPx,
@{bin}/xsettingsd rPx,
@{lib}/drkonqi rPx,
@{lib}/kf5/kconf_update rPx,
@{lib}/utempter/utempter rPx,
/usr/share/hwdata/*.ids r,
/usr/share/icu/@{int}.@{int}/*.dat r,
/usr/share/kconf_update/ r,
/usr/share/kded5/{,**} r,
/usr/share/kf5/kcookiejar/* r,
@ -54,7 +47,6 @@ profile kded5 @{exec_path} {
/usr/share/knotifications5/{,**} r,
/usr/share/kservices5/{,**} r,
/usr/share/kservicetypes5/{,**} r,
/usr/share/mime/ r,
/etc/fstab r,
/etc/machine-id r,
@ -62,7 +54,6 @@ profile kded5 @{exec_path} {
/etc/xdg/kcminputrc r,
/etc/xdg/kde* r,
/etc/xdg/kioslaverc r,
/etc/xdg/kwinrc r,
/etc/xdg/menus/{,**} r,
owner @{HOME}/.gtkrc-2.0 rw,
@ -85,7 +76,6 @@ profile kded5 @{exec_path} {
owner @{user_config_dirs}/kded5rc.lock rwk,
owner @{user_config_dirs}/kded5rc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
owner @{user_config_dirs}/kdedefaults/{,**} r,
owner @{user_config_dirs}/kdeglobals r,
owner @{user_config_dirs}/khotkeysrc.lock rwk,
owner @{user_config_dirs}/khotkeysrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
owner @{user_config_dirs}/kioslaverc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
@ -121,9 +111,6 @@ profile kded5 @{exec_path} {
owner /tmp/plasma-csd-generator.@{rand6}/{,**} rw,
@{sys}/devices/system/node/ r,
@{sys}/devices/system/node/node@{int}/meminfo r,
@{PROC}/@{pids}/cmdline/ r,
@{PROC}/@{pids}/fd/ r,
@{PROC}/@{pids}/fd/info/@{int} r,
@ -155,9 +142,8 @@ profile kded5 @{exec_path} {
@{PROC}/@{pids}/cmdline r,
@{PROC}/@{pids}/stat r,
@{PROC}/sys/kernel/osrelease r,
@{PROC}/uptime r,
@{PROC}/@{pids}/cgroup r,
@{PROC}/tty/drivers r,
@{PROC}/uptime r,
include if exists <local/kded5_pgrep>
}

7
apparmor.d/groups/kde/kglobalaccel5
View file

@ -9,18 +9,13 @@ include <tunables/global>
@{exec_path} = @{bin}/kglobalaccel5
profile kglobalaccel5 @{exec_path} {
include <abstractions/base>
include <abstractions/freedesktop.org>
include <abstractions/qt5>
include <abstractions/X-strict>
include <abstractions/kde-strict>
@{exec_path} mr,
@{bin}/kstart rPx,
/usr/share/hwdata/*.ids r,
/usr/share/icu/@{int}.@{int}/*.dat r,
/usr/share/kglobalaccel/{,**} r,
/usr/share/mime/{,**} r,
/etc/machine-id r,

7
apparmor.d/groups/kde/kiod5
View file

@ -10,6 +10,7 @@ include <tunables/global>
profile kiod5 @{exec_path} {
include <abstractions/base>
include <abstractions/graphics>
include <abstractions/kde-strict>
include <abstractions/nameservice-strict>
include <abstractions/openssl>
@ -19,19 +20,13 @@ profile kiod5 @{exec_path} {
/usr/share/icons/breeze/index.theme r,
/usr/share/mime/{,**} r,
/usr/share/mime/generic-icons r,
/usr/share/qt/translations/*.qm r,
owner @{user_cache_dirs}/icon-cache.kcache rw,
owner @{user_cache_dirs}/mesa_shader_cache/index rw,
owner @{user_config_dirs}/#@{int} rw,
owner @{user_config_dirs}/kdedefaults/kdeglobals r,
owner @{user_config_dirs}/kdedefaults/kwinrc r,
owner @{user_config_dirs}/kdeglobals r,
owner @{user_config_dirs}/ksslcertificatemanager rwl -> @{user_config_dirs}/#@{int},
owner @{user_config_dirs}/ksslcertificatemanager.lock rwk,
owner @{user_config_dirs}/kwinrc r,
owner @{PROC}/@{pid}/mounts r,

20
apparmor.d/groups/kde/kioslave5
View file

@ -10,14 +10,12 @@ include <tunables/global>
profile kioslave5 @{exec_path} {
include <abstractions/base>
include <abstractions/deny-sensitive-home>
include <abstractions/fonts>
include <abstractions/freedesktop.org>
include <abstractions/graphics>
include <abstractions/kde-strict>
include <abstractions/nameservice-strict>
include <abstractions/openssl>
include <abstractions/qt5>
include <abstractions/ssl_certs>
include <abstractions/thumbnails-cache-read>
include <abstractions/thumbnails-cache-write>
include <abstractions/trash>
network inet dgram,
@ -38,23 +36,20 @@ profile kioslave5 @{exec_path} {
@{lib}/libheif/*.so* rm,
@{lib}/kf5/kio_http_cache_cleaner rPx,
/usr/share/hwdata/*.ids r,
/usr/share/icu/@{int}.@{int}/*.dat r,
/usr/share/kio_desktop/directory.desktop r,
/usr/share/kservices5/{,**} r,
/usr/share/kservicetypes5/*.desktop r,
/usr/share/remoteview/* r,
/etc/fstab r,
/etc/xdg/kdeglobals r,
/etc/xdg/kioslaverc r,
/etc/xdg/kwinrc r,
/etc/xdg/menus/{,**} r,
# Full access to user's data
/ r,
/*/ r,
@{bin}/ r,
@{bin}/* r,
@{lib}/ r,
@{MOUNTDIRS}/ r,
@{MOUNTS}/ r,
@ -74,13 +69,8 @@ profile kioslave5 @{exec_path} {
owner @{user_cache_dirs}/icon-cache.kcache rw,
owner @{user_cache_dirs}/kio_http/* rwl,
owner @{user_cache_dirs}/ksycoca5_* r,
owner @{user_cache_dirs}/thumbnails/*/ r,
owner @{user_config_dirs}/kdedefaults/kdeglobals r,
owner @{user_config_dirs}/kdedefaults/kwinrc r,
owner @{user_config_dirs}/kdeglobals r,
owner @{user_config_dirs}/kio_httprc r,
owner @{user_config_dirs}/kwinrc r,
owner @{user_config_dirs}/menus/{,**} r,
owner @{user_share_dirs}/baloo/index rw,
@ -91,12 +81,10 @@ profile kioslave5 @{exec_path} {
owner @{user_share_dirs}/kservices5/{,**} r,
owner /tmp/#@{int} rw,
owner /tmp/xauth_@{int} r,
@{run}/mount/utab r,
owner @{run}/user/@{uid}/#@{int} rw,
owner @{run}/user/@{uid}/kio_desktop*kioworker.socket rwl,
owner @{run}/user/@{uid}/xauth_@{rand6} rl,
owner @{run}/user/@{uid}/kio_*.socket rwl -> @{run}/user/@{uid}/#@{int},
@{PROC}/sys/kernel/core_pattern r,
owner @{PROC}/@{pid}/mountinfo r,

6
apparmor.d/groups/kde/kscreen_backend_launcher
View file

@ -9,14 +9,10 @@ include <tunables/global>
@{exec_path} = @{lib}/kf5/kscreen_backend_launcher
profile kscreen_backend_launcher @{exec_path} {
include <abstractions/base>
include <abstractions/qt5>
include <abstractions/X-strict>
include <abstractions/kde-strict>
@{exec_path} mr,
/usr/share/hwdata/*.ids r,
/usr/share/icu/@{int}.@{int}/*.dat r,
/dev/tty r,
include if exists <local/kscreen_backend_launcher>

13
apparmor.d/groups/kde/kscreenlocker-greet
View file

@ -12,14 +12,11 @@ include <tunables/global>
profile kscreenlocker-greet @{exec_path} {
include <abstractions/base>
include <abstractions/fontconfig-cache-read>
include <abstractions/fonts>
include <abstractions/freedesktop.org>
include <abstractions/graphics>
include <abstractions/kde-strict>
include <abstractions/nameservice-strict>
include <abstractions/qt5-compose-cache-write>
include <abstractions/qt5-shader-cache>
include <abstractions/qt5>
include <abstractions/X>
network netlink raw,
@ -35,8 +32,6 @@ profile kscreenlocker-greet @{exec_path} {
@{bin}/unix_chkpwd rPx,
@{lib}/@{multiarch}/libexec/kcheckpass rPx,
/usr/share/hwdata/pnp.ids r,
/usr/share/icu/@{int}.@{int}/*.dat r,
/usr/share/plasma/** r,
/usr/share/qt/translations/*.qm r,
/usr/share/qt5ct/** r,
@ -54,7 +49,6 @@ profile kscreenlocker-greet @{exec_path} {
/etc/machine-id r,
/etc/pam.d/* r,
/etc/shells r,
/etc/xdg/kdeglobals r,
/etc/xdg/kscreenlockerrc r,
/etc/xdg/plasmarc r,
@ -72,8 +66,8 @@ profile kscreenlocker-greet @{exec_path} {
owner @{user_cache_dirs}/plasma-svgelements.lock rwk,
owner @{user_cache_dirs}/plasma-svgelements{,.@{rand6}} rwl,
owner @{user_config_dirs}/kdedefaults/* r,
owner @{user_config_dirs}/kdeglobals r,
owner @{user_config_dirs}/kdedefaults/kscreenlockerrc r,
owner @{user_config_dirs}/kdedefaults/plasmarc r,
owner @{user_config_dirs}/kscreenlockerrc r,
owner @{user_config_dirs}/ksmserverrc r,
owner @{user_config_dirs}/plasmarc r,
@ -83,7 +77,6 @@ profile kscreenlocker-greet @{exec_path} {
owner @{HOME}/.glvnd* mrw,
owner /tmp/*-cover-*.{jpg,png} r,
owner /tmp/xauth_@{rand6} r,
@{run}/faillock/[a-zA-z0-9]* rwk,

25
apparmor.d/groups/kde/ksmserver
View file

@ -10,12 +10,9 @@ include <tunables/global>
profile ksmserver @{exec_path} flags=(attach_disconnected,mediate_deleted) {
include <abstractions/base>
include <abstractions/app-launcher-user>
include <abstractions/fonts>
include <abstractions/freedesktop.org>
include <abstractions/graphics>
include <abstractions/kde-strict>
include <abstractions/nameservice-strict>
include <abstractions/qt5>
include <abstractions/X-strict>
signal (send) set=(usr1,term) peer=kscreenlocker-greet,
@ -29,43 +26,33 @@ profile ksmserver @{exec_path} flags=(attach_disconnected,mediate_deleted) {
@{lib}/kscreenlocker_greet rPx,
/usr/share/color-schemes/{,**} r,
/usr/share/hwdata/pnp.ids r,
/usr/share/icons/{,**} r,
/usr/share/icu/@{int}.@{int}/*.dat r,
/usr/share/knotifications5/*.notifyrc r,
/usr/share/kservices5/{,**} r,
/etc/xdg/menus/applications-merged/ r,
/etc/machine-id r,
/etc/xdg/kdeglobals r,
/etc/xdg/kscreenlockerrc r,
/etc/xdg/kwinrc r,
/etc/xdg/menus/ r,
owner @{HOME}/@{rand6} rw,
owner @{HOME}/.Xauthority rw,
owner @{user_cache_dirs}/#@{int} rw,
owner @{user_cache_dirs}/icon-cache.kcache rw,
owner @{user_cache_dirs}/fontconfig/*-le64.cache-* r,
owner @{user_cache_dirs}/icon-cache.kcache rw,
owner @{user_cache_dirs}/ksycoca5_* rl,
owner @{user_config_dirs}/menus/ r,
owner @{user_config_dirs}/kdedefaults/* r,
owner @{user_config_dirs}/kdeglobals r,
owner @{user_config_dirs}/kscreenlockerrc r,
owner @{user_config_dirs}/ksmserverrc.@{rand6} rwl,
owner @{user_config_dirs}/ksmserverrc r,
owner @{user_config_dirs}/#@{int} rw,
owner @{user_config_dirs}/kscreenlockerrc r,
owner @{user_config_dirs}/ksmserverrc r,
owner @{user_config_dirs}/ksmserverrc.@{rand6} rwl,
owner @{user_config_dirs}/ksmserverrc.lock rwk,
owner @{user_config_dirs}/kwinrc r,
owner @{user_config_dirs}/session/*_[0-9]*_[0-9]*_[0-9]* rw,
owner @{user_config_dirs}/menus/ r,
owner /tmp/@{rand6} rw,
@{run}/systemd/inhibit/[0-9]*.ref rw,
owner @{run}/user/@{uid}/KSMserver__[0-9] rw,
owner @{run}/user/@{uid}/xauth_@{rand6} rl,
@{PROC}/sys/kernel/core_pattern r,

8
apparmor.d/groups/kde/ksplashqml
View file

@ -9,9 +9,8 @@ include <tunables/global>
@{exec_path} = @{bin}/ksplashqml
profile ksplashqml @{exec_path} {
include <abstractions/base>
include <abstractions/fonts>
include <abstractions/freedesktop.org>
include <abstractions/graphics>
include <abstractions/kde-strict>
include <abstractions/nameservice-strict>
include <abstractions/qt5-shader-cache>
@ -26,8 +25,9 @@ profile ksplashqml @{exec_path} {
owner @{user_cache_dirs}/ksplash/qmlcache/*.qmlc rwl -> @{user_cache_dirs}/ksplash/qmlcache/#@{int},
owner @{user_cache_dirs}/ksplash/qmlcache/*.qmlc.@{rand6} rwl -> @{user_cache_dirs}/ksplash/qmlcache/#@{int},
owner @{user_cache_dirs}/ksplash/qmlcache/#@{int} rw,
owner @{user_config_dirs}/kdedefaults/* r,
owner @{user_config_dirs}/kdeglobals r,
owner @{user_config_dirs}/kdedefaults/ksplashrc r,
owner @{user_config_dirs}/kdedefaults/plasmarc r,
@{PROC}/sys/kernel/core_pattern r,

3
apparmor.d/groups/kde/kstart
View file

@ -11,9 +11,8 @@ include <tunables/global>
profile kstart @{exec_path} flags=(complain,attach_disconnected) {
include <abstractions/base>
include <abstractions/fontconfig-cache-read>
include <abstractions/fonts>
include <abstractions/kde-strict>
include <abstractions/nameservice-strict>
include <abstractions/X-strict>
@{exec_path} mr,

18
apparmor.d/groups/kde/kwalletd5
View file

@ -13,15 +13,11 @@ profile kwalletd5 @{exec_path} {
include <abstractions/audio>
include <abstractions/consoles>
include <abstractions/fontconfig-cache-read>
include <abstractions/fonts>
include <abstractions/freedesktop.org>
include <abstractions/graphics>
include <abstractions/gtk>
include <abstractions/kde-strict>
include <abstractions/nameservice-strict>
include <abstractions/qt5-compose-cache-write>
include <abstractions/qt5>
include <abstractions/wayland>
include <abstractions/X-strict>
@{exec_path} mr,
@ -30,35 +26,25 @@ profile kwalletd5 @{exec_path} {
@{bin}/gpgsm rCx -> gpg,
/usr/share/color-schemes/{,**} r,
/usr/share/hwdata/pnp.ids r,
/usr/share/icu/@{int}.@{int}/*.dat r,
/usr/share/qt/translations/*.qm r,
/usr/share/qt5/qtlogging.ini r,
/usr/share/qt5ct/** r,
/etc/machine-id r,
/etc/xdg/kdeglobals r,
/etc/xdg/kwinrc r,
/var/lib/dbus/machine-id r,
owner @{user_cache_dirs}/icon-cache.kcache rw,
owner @{user_config_dirs}/#@{int} rw,
owner @{user_config_dirs}/kdedefaults/kdeglobals r,
owner @{user_config_dirs}/kdedefaults/kwinrc r,
owner @{user_config_dirs}/kdeglobals r,
owner @{user_config_dirs}/kwalletrc r,
owner @{user_config_dirs}/kwalletrc rwl -> @{user_config_dirs}/#@{int},
owner @{user_config_dirs}/kwalletrc.lock rwk,
owner @{user_config_dirs}/kwinrc r,
owner @{user_config_dirs}/qt5ct/{,**} r,
owner @{user_share_dirs}/kwalletd/ rw,
owner @{user_share_dirs}/kwalletd/** rwkl -> @{user_share_dirs}/kwalletd/#@{int},
owner /tmp/kwalletd5.* rw,
owner /tmp/runtime-*/xauth_@{rand6} r,
owner /tmp/xauth_@{rand6} r,
@{PROC}/sys/kernel/core_pattern r,
owner @{PROC}/@{pid}/cmdline r,
@ -76,8 +62,8 @@ profile kwalletd5 @{exec_path} {
owner @{HOME}/@{XDG_GPG_DIR}/ rw,
owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**,
include if exists <local/kwalletd5_gpg>
}
include if exists <local/kwalletd5>
}

20
apparmor.d/groups/kde/kwalletmanager5
View file

@ -13,22 +13,18 @@ profile kwalletmanager5 @{exec_path} {
include <abstractions/audio>
include <abstractions/consoles>
include <abstractions/fontconfig-cache-read>
include <abstractions/fonts>
include <abstractions/freedesktop.org>
include <abstractions/graphics>
include <abstractions/gtk>
include <abstractions/kde-strict>
include <abstractions/nameservice-strict>
include <abstractions/qt5-compose-cache-write>
include <abstractions/qt5-settings-write>
include <abstractions/qt5>
include <abstractions/user-download-strict>
include <abstractions/X>
@{exec_path} mr,
/usr/share/kxmlgui5/kwalletmanager5/kwalletmanager.rc r,
/usr/share/qt5ct/** r,
/usr/share/hwdata/pnp.ids r,
/etc/fstab r,
/etc/machine-id r,
@ -48,15 +44,11 @@ profile kwalletmanager5 @{exec_path} {
owner @{user_config_dirs}/session/kwalletmanager5_* rwl -> @{user_config_dirs}/session/#@{int},
owner @{user_config_dirs}/session/kwalletmanager5_*.lock rwk,
owner @{user_config_dirs}/kdeglobals r,
owner /tmp/xauth-[0-9]*-_[0-9] r,
deny owner @{PROC}/@{pid}/cmdline r,
@{PROC}/sys/kernel/core_pattern r,
deny @{PROC}/sys/kernel/random/boot_id r,
@{PROC}/@{pid}/mountinfo r,
@{PROC}/@{pid}/mounts r,
@{PROC}/@{pid}/mountinfo r,
@{PROC}/@{pid}/mounts r,
@{PROC}/sys/kernel/core_pattern r,
@{PROC}/sys/kernel/random/boot_id r,
owner @{PROC}/@{pid}/cmdline r,
/dev/shm/ r,
/dev/shm/#@{int} rw,

14
apparmor.d/groups/kde/kwin_wayland
View file

@ -10,12 +10,10 @@ include <tunables/global>
profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) {
include <abstractions/base>
include <abstractions/fontconfig-cache-write>
include <abstractions/fonts>
include <abstractions/freedesktop.org>
include <abstractions/graphics>
include <abstractions/kde-strict>
include <abstractions/nameservice-strict>
include <abstractions/qt5-shader-cache>
include <abstractions/wayland>
capability sys_nice,
@ -36,7 +34,6 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) {
/usr/share/color-schemes/*.colors r,
/usr/share/desktop-directories/*.directory r,
/usr/share/hwdata/pnp.ids r,
/usr/share/kglobalaccel/{,**} r,
/usr/share/knotifications5/ksmserver.notifyrc r,
/usr/share/kservices5/{,**} r,
@ -45,7 +42,6 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) {
/usr/share/libinput/{,**} r,
/usr/share/plasma/desktoptheme/default/** r,
/usr/share/qt/translations/*.qm r,
/usr/share/X11/xkb/{,**} r,
/etc/machine-id r,
/etc/xdg/menus/{,applications.menu} r,
@ -80,12 +76,10 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) {
owner @{user_cache_dirs}/plasma-svgelements rw,
owner @{user_cache_dirs}/plasma-svgelements.@{rand6} rwl -> @{user_cache_dirs}/#@{int},
owner @{user_cache_dirs}/plasma-svgelements.lock rwk,
owner @{user_share_dirs}/kscreen/* r,
owner @{user_config_dirs}/#@{int} rwl,
owner @{user_config_dirs}/kcminputrc r,
owner @{user_config_dirs}/kdedefaults/* r,
owner @{user_config_dirs}/kdeglobals r,
owner @{user_config_dirs}/kglobalshortcutsrc.lock rwk,
owner @{user_config_dirs}/kglobalshortcutsrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
owner @{user_config_dirs}/kscreenlockerrc r,
@ -94,7 +88,10 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) {
owner @{user_config_dirs}/kwinrulesrc r,
owner @{user_config_dirs}/kxkbrc r,
owner @{user_config_dirs}/menus/{,applications-merged/} r,
owner @{user_config_dirs}/session/* r,
# owner @{user_config_dirs}/session/* r,
owner @{user_share_dirs}/kscreen/* r,
owner @{user_share_dirs}/kwin/scripts/{,**} r,
@{run}/systemd/inhibit/*.ref rw,
@ -117,6 +114,7 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) {
@{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/**
@{run}/udev/data/c226:@{int} r, # for /dev/dri/card*
@{PROC}/@{pid}/task/@{tid}/comm rw,
@{PROC}/sys/kernel/core_pattern r,
@{PROC}/sys/kernel/random/boot_id r,

2
apparmor.d/groups/kde/kwin_wayland_wrapper
View file

@ -21,7 +21,5 @@ profile kwin_wayland_wrapper @{exec_path} {
owner @{run}/user/@{uid}/#@{int} rw,
owner @{run}/user/@{uid}/xauth_@{rand6} w,
owner /tmp/.X@{int}-lock rw,
include if exists <local/kwin_wayland_wrapper>
}

15
apparmor.d/groups/kde/kwin_x11
View file

@ -10,12 +10,10 @@ include <tunables/global>
profile kwin_x11 @{exec_path} {
include <abstractions/base>
include <abstractions/bus-system>
include <abstractions/fonts>
include <abstractions/freedesktop.org>
include <abstractions/graphics>
include <abstractions/kde-strict>
include <abstractions/nameservice-strict>
include <abstractions/qt5-shader-cache>
include <abstractions/qt5>
network inet dgram,
network inet6 dgram,
@ -29,20 +27,13 @@ profile kwin_x11 @{exec_path} {
@{lib}/kwin_killer_helper rix,
@{lib}/drkonqi rPx,
/usr/share/hwdata/pnp.ids r,
/usr/share/icu/@{int}.@{int}/*.dat r,
/usr/share/kwin/{,**} r,
/usr/share/plasma/desktoptheme/{,**} r,
/usr/share/X11/xkb/{,**} r,
/etc/machine-id r,
/etc/xdg/kcminputrc r,
/etc/xdg/kdeglobals r,
/etc/xdg/kwinrc r,
/etc/xdg/plasmarc r,
owner @{HOME}/.Xauthority r,
owner @{user_cache_dirs}/ r,
owner @{user_cache_dirs}/#@{int} rw,
owner @{user_cache_dirs}/icon-cache.kcache rw,
@ -56,8 +47,6 @@ profile kwin_x11 @{exec_path} {
owner @{user_config_dirs}/#@{int} rw,
owner @{user_config_dirs}/kcminputrc r,
owner @{user_config_dirs}/kdedefaults/* r,
owner @{user_config_dirs}/kdeglobals r,
owner @{user_config_dirs}/kwinrc.lock rwk,
owner @{user_config_dirs}/kwinrc{,.@{rand6}} rwl,
owner @{user_config_dirs}/kwinrulesrc r,
@ -67,10 +56,8 @@ profile kwin_x11 @{exec_path} {
owner /tmp/#@{int} rw,
owner /tmp/kwin.@{rand6} rwl,
owner /tmp/xauth_@{rand6} r,
owner @{run}/user/@{uid}/kcrash_[0-9]* rw,
owner @{run}/user/@{uid}/xauth_@{rand6} rl,
@{sys}/devices/system/node/ r,
@{sys}/devices/system/node/node@{int}/meminfo r,

11
apparmor.d/groups/kde/plasma-browser-integration-host
View file

@ -9,11 +9,9 @@ include <tunables/global>
@{exec_path} = @{bin}/plasma-browser-integration-host
profile plasma-browser-integration-host @{exec_path} {
include <abstractions/base>
include <abstractions/fonts>
include <abstractions/freedesktop.org>
include <abstractions/graphics>
include <abstractions/kde-strict>
include <abstractions/nameservice-strict>
include <abstractions/qt5>
capability sys_ptrace,
@ -29,13 +27,6 @@ profile plasma-browser-integration-host @{exec_path} {
owner @{user_cache_dirs}/ksycoca5_* r,
owner @{user_cache_dirs}/icon-cache.kcache rw,
owner @{user_config_dirs}/ r,
owner @{user_config_dirs}/kdedefaults/ r,
owner @{user_config_dirs}/kdedefaults/kdeglobals r,
owner @{user_config_dirs}/kdedefaults/kwinrc r,
owner @{user_config_dirs}/kdeglobals r,
owner @{user_config_dirs}/kwinrc r,
@{PROC}/sys/kernel/core_pattern r,
owner @{PROC}/@{pid}/cmdline r,
owner @{PROC}/@{pid}/stat r,

20
apparmor.d/groups/kde/plasma-discover
View file

@ -10,9 +10,8 @@ include <tunables/global>
profile plasma-discover @{exec_path} {
include <abstractions/base>
include <abstractions/dconf-write>
include <abstractions/fonts>
include <abstractions/freedesktop.org>
include <abstractions/graphics>
include <abstractions/kde-strict>
include <abstractions/nameservice-strict>
include <abstractions/openssl>
include <abstractions/qt5-shader-cache>
@ -22,6 +21,7 @@ profile plasma-discover @{exec_path} {
network inet6 dgram,
network inet stream,
network inet6 stream,
network netlink dgram,
network netlink raw,
signal (send) set=(term) peer=kioslave5,
@ -40,6 +40,7 @@ profile plasma-discover @{exec_path} {
/usr/share/knotifications5/plasma_workspace.notifyrc r,
/usr/share/knsrcfiles/{,*} r,
/usr/share/kservices5/{,*} r,
/usr/share/kservicetypes5/{,*} r,
/usr/share/libdiscover/** r,
/usr/share/qt/translations/*.qm r,
@ -70,22 +71,21 @@ profile plasma-discover @{exec_path} {
owner @{user_config_dirs}/discoverrc rwl,
owner @{user_config_dirs}/discoverrc.lock rwk,
owner @{user_config_dirs}/kde.org/{,**} rwlk,
owner @{user_config_dirs}/kdedefaults/ r,
owner @{user_config_dirs}/KDE/* r,
owner @{user_config_dirs}/kdedefaults/plasmarc r,
owner @{user_config_dirs}/kdedefaults/kdeglobals r,
owner @{user_config_dirs}/kdedefaults/kwinrc r,
owner @{user_config_dirs}/kdeglobals r,
owner @{user_config_dirs}/kwinrc r,
owner @{user_config_dirs}/libaccounts-glib/ rw,
owner @{user_config_dirs}/libaccounts-glib/accounts.db{,-shm,-wal,-journal} rwk,
owner @{user_share_dirs}/flatpak/repo/{,**} rw,
owner @{user_share_dirs}/knewstuff3/ r,
owner @{user_share_dirs}/knewstuff3/ w,
owner @{user_share_dirs}/knewstuff3/{,*} rw,
owner @{user_share_dirs}/kwin/ rw,
owner @{user_share_dirs}/kwin/** rwlk -> @{user_share_dirs}/kwin/**,
owner /tmp/*.kwinscript rwl -> /tmp/#@{int},
owner /tmp/#@{int} rw,
owner /tmp/discover-@{rand6}/{,**} rw,
owner /tmp/ostree-gpg-*/ rw,
owner /tmp/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**,
owner /tmp/#@{int} rw,
owner @{run}/user/@{uid}/.flatpak-cache rw,
owner @{run}/user/@{uid}/.flatpak/{,**} rw,

16
apparmor.d/groups/kde/plasmashell
View file

@ -18,15 +18,12 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
include <abstractions/devices-usb>
include <abstractions/disks-read>
include <abstractions/enchant>
include <abstractions/fonts>
include <abstractions/freedesktop.org>
include <abstractions/graphics>
include <abstractions/kde-strict>
include <abstractions/nameservice-strict>
include <abstractions/qt5-shader-cache>
include <abstractions/qt5>
include <abstractions/recent-documents-write>
include <abstractions/thumbnails-cache-read>
include <abstractions/X-strict>
network inet dgram,
network inet6 dgram,
@ -57,8 +54,6 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
/usr/share/akonadi/firstrun/{,*} r,
/usr/share/akonadi/plugins/serializer/{,*.desktop} r,
/usr/share/desktop-directories/kf5-*.directory r,
/usr/share/hwdata/*.ids r,
/usr/share/icu/@{int}.@{int}/*.dat r,
/usr/share/kio/servicemenus/{,*.desktop} r,
/usr/share/knotifications5/*.notifyrc r,
/usr/share/konsole/ r,
@ -119,8 +114,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
owner @{user_config_dirs}/kactivitymanagerd-*.lock rwk,
owner @{user_config_dirs}/kactivitymanagerd-*{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
owner @{user_config_dirs}/kcookiejarrc r,
owner @{user_config_dirs}/kdedefaults/* r,
owner @{user_config_dirs}/kdeglobals r,
owner @{user_config_dirs}/kdedefaults/plasmarc r,
owner @{user_config_dirs}/kdiff3fileitemactionrc r,
owner @{user_config_dirs}/kioslaverc r,
owner @{user_config_dirs}/klipperrc r,
@ -129,7 +123,6 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
owner @{user_config_dirs}/krunnerrc r,
owner @{user_config_dirs}/ksmserverrc r,
owner @{user_config_dirs}/kwalletrc r,
owner @{user_config_dirs}/kwinrc r,
owner @{user_config_dirs}/menus/{,**} r,
owner @{user_config_dirs}/plasma* rwlk,
owner @{user_config_dirs}/pulse/cookie rwk,
@ -177,15 +170,16 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
@{PROC}/cmdline r,
@{PROC}/diskstats r,
@{PROC}/loadavg r,
@{PROC}/uptime r,
@{PROC}/vmstat r,
@{PROC}/sys/kernel/core_pattern r,
@{PROC}/sys/kernel/random/boot_id r,
@{PROC}/uptime r,
@{PROC}/vmstat r,
owner @{PROC}/@{pid}/{cgroup,cmdline,stat,statm} r,
owner @{PROC}/@{pid}/attr/current r,
owner @{PROC}/@{pid}/environ r,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/mounts r,
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
/dev/ptmx rw,
/dev/rfkill r,

9
apparmor.d/groups/kde/sddm
View file

@ -12,15 +12,12 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) {
include <abstractions/base>
include <abstractions/authentication>
include <abstractions/bash>
include <abstractions/dri-common>
include <abstractions/fontconfig-cache-read>
include <abstractions/fonts>
include <abstractions/freedesktop.org>
include <abstractions/mesa>
include <abstractions/graphics>
include <abstractions/kde-strict>
include <abstractions/nameservice-strict>
include <abstractions/qt5>
include <abstractions/wutmp>
include <abstractions/X-strict>
capability audit_write,
capability chown,
@ -128,8 +125,6 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) {
owner @{HOME}/.local/ w,
owner @{HOME}/.Xauthority rw,
owner @{user_config_dirs}/kdeglobals r,
owner @{user_config_dirs}/kdedefaults/kdeglobals r,
owner @{user_config_dirs}/menus/{,**} r,
owner @{user_config_dirs}/startkderc r,

11
apparmor.d/groups/kde/sddm-greeter
View file

@ -11,13 +11,11 @@ include <tunables/global>
profile sddm-greeter @{exec_path} {
include <abstractions/base>
include <abstractions/fontconfig-cache-read>
include <abstractions/fonts>
include <abstractions/freedesktop.org>
include <abstractions/nameservice-strict>
include <abstractions/graphics>
include <abstractions/kde-strict>
include <abstractions/nameservice-strict>
include <abstractions/qt5-compose-cache-write>
include <abstractions/qt5-shader-cache>
include <abstractions/qt5>
network netlink raw,
@ -27,8 +25,6 @@ profile sddm-greeter @{exec_path} {
@{lib}/libheif/*.so* rm,
/usr/share/desktop-base/softwaves-theme/login/*.svg r,
/usr/share/hwdata/pnp.ids r,
/usr/share/icu/@{int}.@{int}/*.dat r,
/usr/share/plasma/desktoptheme/** r,
/usr/share/qt5ct/** r,
/usr/share/sddm/{,**} r,
@ -41,7 +37,6 @@ profile sddm-greeter @{exec_path} {
/etc/machine-id r,
/etc/sddm.conf r,
/etc/sddm.conf.d/{,*} r,
/etc/xdg/kdeglobals r,
/etc/xdg/plasmarc r,
/var/lib/AccountsService/icons/*.icon r,
/var/lib/dbus/machine-id r,
@ -57,7 +52,6 @@ profile sddm-greeter @{exec_path} {
owner @{user_cache_dirs}/plasma-svgelements-* rw,
owner @{user_cache_dirs}/sddm-greeter/{,**} rwl,
owner @{user_config_dirs}/kdeglobals r,
owner @{user_config_dirs}/plasmarc r,
owner @{user_config_dirs}/qt5ct/{,**} r,
@ -66,7 +60,6 @@ profile sddm-greeter @{exec_path} {
owner @{HOME}/.glvnd* mrw,
owner /tmp/runtime-sddm/ rw,
owner /tmp/xauth_@{rand6} rw,
owner @{run}/sddm/{,*} rw,

12
apparmor.d/groups/kde/startplasma
View file

@ -9,9 +9,7 @@ include <tunables/global>
@{exec_path} = @{bin}/startplasma-wayland @{bin}/startplasma-x11
profile startplasma @{exec_path} {
include <abstractions/base>
include <abstractions/freedesktop.org>
include <abstractions/qt5>
include <abstractions/X-strict>
include <abstractions/kde-strict>
signal (receive) set=(term) peer=sddm,
@ -24,7 +22,6 @@ profile startplasma @{exec_path} {
/usr/share/color-schemes/{,**} r,
/usr/share/desktop-directories/{,**} r,
/usr/share/icu/@{int}.@{int}/*.dat r,
/usr/share/knotifications5/{,**} r,
/usr/share/kservices5/{,**} r,
/usr/share/kservicetypes5/{,**} r,
@ -32,15 +29,11 @@ profile startplasma @{exec_path} {
/etc/machine-id r,
/etc/xdg/kcminputrc r,
/etc/xdg/kdeglobals r,
/etc/xdg/menus/{,**} r,
owner @{HOME}/.Xauthority r,
owner @{user_cache_dirs}/ rw,
@{user_cache_dirs}/ksycoca5_* rwkl -> @{user_cache_dirs}/#@{int},
owner @{user_cache_dirs}/#@{int} rwk,
owner @{user_cache_dirs}/kcrash-metadata/ rw,
@{user_cache_dirs}/ksycoca5_* rwkl -> @{user_cache_dirs}/#@{int},
owner @{user_cache_dirs}/plasma-svgelements rw,
owner @{user_config_dirs}/#@{int} rw,
@ -69,7 +62,6 @@ profile startplasma @{exec_path} {
owner /tmp/startplasma-{x11,wayland}.@{rand6} rwl -> /tmp/#@{int},
owner @{run}/user/@{uid}/ r,
@{run}/user/@{uid}/xauth_@{rand6} rl,
@{PROC}/sys/kernel/core_pattern r,
@{PROC}/sys/kernel/random/boot_id r,

9
apparmor.d/groups/kde/systemsettings
View file

@ -9,12 +9,10 @@ include <tunables/global>
@{exec_path} = @{bin}/systemsettings
profile systemsettings @{exec_path} {
include <abstractions/base>
include <abstractions/fonts>
include <abstractions/freedesktop.org>
include <abstractions/graphics>
include <abstractions/kde-strict>
include <abstractions/nameservice-strict>
include <abstractions/qt5-shader-cache>
include <abstractions/qt5>
network netlink raw,
@ -22,7 +20,6 @@ profile systemsettings @{exec_path} {
@{bin}/kcminit rPx,
/usr/share/hwdata/pnp.ids r,
/usr/share/kpackage/{,**} r,
/usr/share/kservices5/{,**} r,
/usr/share/kservicetypes5/{,**} r,
@ -45,10 +42,8 @@ profile systemsettings @{exec_path} {
owner @{user_config_dirs}/#@{int} rw,
owner @{user_config_dirs}/kde.org/{,**} rwlk,
owner @{user_config_dirs}/kdedefaults/* r,
owner @{user_config_dirs}/kdeglobals r,
owner @{user_config_dirs}/kdedefaults/plasmarc r,
owner @{user_config_dirs}/kinfocenterrc* rwlk,
owner @{user_config_dirs}/kwinrc r,
owner @{user_config_dirs}/systemsettingsrc.lock rwk,
owner @{user_config_dirs}/systemsettingsrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},