diff --git a/apparmor.d/abstractions/kde-strict b/apparmor.d/abstractions/kde-strict
index 490cf48a..d85e5842 100644
--- a/apparmor.d/abstractions/kde-strict
+++ b/apparmor.d/abstractions/kde-strict
@@ -27,7 +27,7 @@ owner @{user_cache_dirs}/#@{int} rw,
owner @{user_cache_dirs}/icon-cache.kcache rw,
- owner @{user_cache_dirs}/ksycoca{5,6}_??_* rwlk,
+ owner @{user_cache_dirs}/ksycoca{5,6}_??[_-]*.@{rand6} rwlk,
owner @{user_config_dirs}/baloofilerc r,
owner @{user_config_dirs}/dolphinrc r,
diff --git a/apparmor.d/groups/kde/baloo b/apparmor.d/groups/kde/baloo
index aa67ba5f..5a4f480a 100644
--- a/apparmor.d/groups/kde/baloo
+++ b/apparmor.d/groups/kde/baloo
@@ -34,6 +34,8 @@ profile baloo @{exec_path} {
owner @{MOUNTS}/{,**} r,
owner @{tmp}/*/{,**} r,
+ owner @{user_cache_dirs}/kcrash-metadata/ w,
+ owner @{user_config_dirs}/#@{int} rw,
owner @{user_config_dirs}/baloofilerc rwl,
owner @{user_config_dirs}/baloofilerc.lock rwkl,
@@ -60,6 +62,7 @@ profile baloo @{exec_path} {
@{run}/udev/data/c29:@{int} r, # For /dev/fb[0-9]*
@{run}/udev/data/c89:@{int} r, # For I2C bus interface
@{run}/udev/data/c116:@{int} r, # For ALSA
+ @{run}/udev/data/c202:@{int} r, # CPU model-specific registers
@{run}/udev/data/c226:@{int} r, # For /dev/dri/card[0-9]*
@{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511
diff --git a/apparmor.d/groups/kde/gmenudbusmenuproxy b/apparmor.d/groups/kde/gmenudbusmenuproxy
index 1d85b3a6..d9879941 100644
--- a/apparmor.d/groups/kde/gmenudbusmenuproxy
+++ b/apparmor.d/groups/kde/gmenudbusmenuproxy
@@ -9,6 +9,7 @@ include
@{exec_path} = @{bin}/gmenudbusmenuproxy
profile gmenudbusmenuproxy @{exec_path} {
include
+ include
include
include
include
diff --git a/apparmor.d/groups/kde/kconf_update b/apparmor.d/groups/kde/kconf_update
index d699f9d5..e152325e 100644
--- a/apparmor.d/groups/kde/kconf_update
+++ b/apparmor.d/groups/kde/kconf_update
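Review bot: The rewritten ksycoca rule only matches names ending in `.@{rand6}`, so the final cache file written without that suffix is no longer matched by this line, whereas the old `_??_*` glob covered both the temporary and the final name. Unless another rule in the abstraction still covers the final name, the rename of the temporary file onto it and later reads of it will be denied. If the intent is to limit write, link and lock to the temporary file, keep a read rule for the final name next to it, e.g. `owner @{user_cache_dirs}/ksycoca{5,6}_??[_-]* r,`. The `[_-]` widening to hyphenated locale names is fine on its own.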
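Review bot: `owner @{user_cache_dirs}/kcrash-metadata/ w,` only allows creating the directory; the per-process metadata files KCrash presumably writes inside it are not covered by this line, so unless an included abstraction grants them, the write that follows the mkdir will still be denied. If those files are meant to be allowed here, add `owner @{user_cache_dirs}/kcrash-metadata/* w,` (or `rw` if they are read back). The `owner @{user_config_dirs}/#@{int} rw,` line is the temporary-file counterpart of the `baloofilerc rwl` rule below it and looks consistent with the rest of the profile.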
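Review bot: The comment on the added `c202` line breaks the `# For …` phrasing every neighbouring udev rule uses; `@{run}/udev/data/c202:@{int} r, # For /dev/cpu/*/msr` would match the style and name the device node like the others. Character major 202 is the CPU MSR device, so the rule itself is correct and is read-only udev metadata under @{run}; only the comment needs aligning.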
@@ -44,12 +44,15 @@ profile kconf_update @{exec_path} {
/etc/machine-id r,
/var/lib/dbus/machine-id r,
+ owner @{HOME}/.gtkrc-@{version} w,
+ owner @{user_config_dirs}/*rc rwl -> @{user_config_dirs}/#@{int},
owner @{user_config_dirs}/*rc.@{rand6} rwl -> @{user_config_dirs}/#@{int},
owner @{user_config_dirs}/*rc.lock rwk,
owner @{user_config_dirs}/gtk-{3,4}.0/* rwlk -> @{user_config_dirs}/gtk-{3,4}.0/**,
owner @{user_config_dirs}/sed@{rand6} rw,
owner @{user_config_dirs}/xsettingsd/xsettingsd.conf rw,
+ owner @{user_config_dirs}/kcmfonts.lock rwk,
owner @{user_share_dirs}/#@{int} rw,
owner @{user_share_dirs}/krunnerstaterc.lock rwk,
diff --git a/apparmor.d/groups/kde/kded b/apparmor.d/groups/kde/kded
index c14ba7e9..0ff08d02 100644
--- a/apparmor.d/groups/kde/kded
+++ b/apparmor.d/groups/kde/kded
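Review bot: `owner @{user_config_dirs}/*rc rwl -> @{user_config_dirs}/#@{int},` grants write and link on every `*rc` file under the config directory; that is defensible for a config-migration tool, but a line recording why would help, e.g. `# kconf_update rewrites whichever config files its update scripts target`, especially since the same wildcard is added to the long-running kded profile in this commit with a different justification. `owner @{HOME}/.gtkrc-@{version} w,` is write-only; if the update script reads the existing file before rewriting it, `rw` is needed, which the hunk does not show. The kconf_update profile body continues outside the hunk on both sides.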
@@ -93,34 +93,16 @@ profile kded @{exec_path} {
@{user_config_dirs}/kcookiejarrc.lock rwk,
@{user_config_dirs}/kcookiejarrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
- owner @{user_config_dirs}/bluedevilglobalrc.lock rwk,
- owner @{user_config_dirs}/bluedevilglobalrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
- owner @{user_config_dirs}/breezerc r,
+ owner @{user_config_dirs}/*rc rwl -> @{user_config_dirs}/#@{int},
+ owner @{user_config_dirs}/*rc.@{rand6} rwl -> @{user_config_dirs}/#@{int},
+ owner @{user_config_dirs}/*rc.lock rwk,
owner @{user_config_dirs}/gtk-{3,4}.0/{,**} rwl,
owner @{user_config_dirs}/gtk-{3,4}.0/settings.ini.lock rk,
- owner @{user_config_dirs}/gtkrc{,*} rwlk,
- owner @{user_config_dirs}/kconf_updaterc rw,
- owner @{user_config_dirs}/kconf_updaterc.lock rwk,
- owner @{user_config_dirs}/kdebugrc r,
- owner @{user_config_dirs}/kded{5,6}rc.lock rwk,
- owner @{user_config_dirs}/kded{5,6}rc{,.@{rand6}} rwl,
owner @{user_config_dirs}/kdedefaults/{,**} r,
- owner @{user_config_dirs}/khotkeysrc.lock rwk,
- owner @{user_config_dirs}/khotkeysrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
- owner @{user_config_dirs}/kioslaverc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
- owner @{user_config_dirs}/ksmserverrc r,
- owner @{user_config_dirs}/ktimezonedrc.lock rwk,
- owner @{user_config_dirs}/ktimezonedrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
- owner @{user_config_dirs}/kwalletrc r,
- owner @{user_config_dirs}/kwinrc.lock rwk,
- owner @{user_config_dirs}/kwinrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
- owner @{user_config_dirs}/kxkbrc r,
owner @{user_config_dirs}/libaccounts-glib/ rw,
owner @{user_config_dirs}/libaccounts-glib/accounts.db{,-shm,-wal,-journal} rwk,
owner @{user_config_dirs}/menus/{,**} r,
- owner @{user_config_dirs}/networkmanagement.notifyrc r,
owner @{user_config_dirs}/plasma* r,
- owner @{user_config_dirs}/touchpadrc r,
owner @{user_config_dirs}/Trolltech.conf.lock rwk,
owner
@{user_config_dirs}/Trolltech.conf{,.@{rand6}} rwl,
owner @{user_config_dirs}/xsettingsd/{,**} rw,
@@ -137,6 +119,9 @@ profile kded @{exec_path} {
owner @{user_share_dirs}/services5/{,**} r,
owner @{user_share_dirs}/user-places.xbel r,
+ owner @{user_state_dirs}/#@{int} rw,
+ owner @{user_state_dirs}/plasmashellstaterc{,*} rwlk,
+ @{run}/mount/utab r,
@{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/**
@{run}/user/@{uid}/gvfs/ r,
diff --git a/apparmor.d/groups/kde/kwin_wayland b/apparmor.d/groups/kde/kwin_wayland
index 9922eff9..c02f3f87 100644
--- a/apparmor.d/groups/kde/kwin_wayland
+++ b/apparmor.d/groups/kde/kwin_wayland
@@ -29,6 +29,7 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) {
@{exec_path} mr,
+ /etc/xdg/Xwayland-session.d/00-at-spi Cx -> at-spi, #aa:exec kscreenlocker_greet
/usr/share/color-schemes/*.colors r,
@@ -47,6 +48,7 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) {
/etc/xdg/menus/{,applications.menu} r,
/etc/xdg/menus/applications-merged/ r,
/etc/xdg/plasmarc r,
+ /etc/xdg/Xwayland-session.d/{,*} r,
/etc/machine-id r,
/var/lib/dbus/machine-id r,
@@ -127,10 +129,28 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) {
@{PROC}/@{pid}/task/@{tid}/comm rw,
- /dev/input/event@{int} rw,
+ @{att}/dev/input/event@{int} rw,
+ @{att}/dev/dri/card@{int} rw,
+ /dev/tty r,
/dev/tty@{int} rw,
+ profile at-spi {
+ include
+
+ @{sh_path} r,
+ @{bin}/busctl rix,
+ @{bin}/sed rix,
+ @{bin}/xprop rPx,
+
+ /etc/xdg/Xwayland-session.d/00-at-spi r,
+
+ /home/ r,
+ owner @{HOME}/ r,
+
+ include if exists
+ }
+
include if exists
}
diff --git a/apparmor.d/groups/kde/plasmashell b/apparmor.d/groups/kde/plasmashell
index a7bde918..0d8a5d8c 100644
--- a/apparmor.d/groups/kde/plasmashell
+++ b/apparmor.d/groups/kde/plasmashell
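Review bot: The wildcard `owner @{user_config_dirs}/*rc rwl -> @{user_config_dirs}/#@{int},` upgrades files this profile previously allowed read-only to write and link: `breezerc`, `kdebugrc`, `ksmserverrc`, `kwalletrc`, `kxkbrc` and `touchpadrc` all lose their `r` rules in this hunk, and because AppArmor unions rules, re-adding them would not narrow anything. kded is a long-running daemon hosting many modules, so this widens what a misbehaving module can alter, `kwalletrc` in particular. If write to those files is not actually needed, `deny owner @{user_config_dirs}/kwalletrc w,` (and similar) keeps the convenience of the glob; otherwise a comment above the three wildcard rules should record that the widening is intentional. The removed `gtkrc{,*} rwlk` also loses its `k` on the file itself, since the new `*rc` rule carries no lock permission, which may resurface as a denial. The kded profile body continues outside the hunk on both sides.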
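Review bot: `owner @{user_state_dirs}/plasmashellstaterc{,*} rwlk,` departs from the `rwl -> …/#@{int}` pattern this profile uses for temporary-file writes (see the `kcookiejarrc` rules in the previous hunk) and grants unconstrained link permission; `{,*}` is also redundant, since `*` already matches the empty string. Splitting it into `owner @{user_state_dirs}/plasmashellstaterc{,.@{rand6}} rwl -> @{user_state_dirs}/#@{int},` and `owner @{user_state_dirs}/plasmashellstaterc.lock rwk,` keeps it consistent with the rest of the file and pairs with the `#@{int} rw` line added just above it.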
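Review bot: The new `at-spi` child profile has no comment saying what it confines; a line above `profile at-spi {` such as `# Xwayland session hook (at-spi2-core) that publishes the accessibility bus address via busctl and xprop` would tell the next reader why busctl, sed and xprop appear inside a compositor profile, assuming that is what 00-at-spi does, which the hunk only implies. The `/home/ r` and `owner @{HOME}/ r` directory reads likewise deserve a short why-comment if the shell needs them to resolve the home directory, or removal if they were only observed denials. The rest of the hunk (`@{att}/` prefixes on the input and DRI nodes, `/dev/tty r`) is in line with the profile's `attach_disconnected` flag and reads fine.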
@@ -76,6 +76,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
/usr/share/solid/actions/{,**} r,
/usr/share/swcatalog/{,**} r,
/usr/share/templates/{,*.desktop} r,
+ /usr/share/thumbnailers/{,*} r,
/usr/share/wallpapers/{,**} r,
/etc/appstream.conf r,
diff --git a/apparmor.d/groups/kde/sddm-greeter b/apparmor.d/groups/kde/sddm-greeter
index 54284f03..f2c133ce 100644
--- a/apparmor.d/groups/kde/sddm-greeter
+++ b/apparmor.d/groups/kde/sddm-greeter
@@ -14,7 +14,7 @@ profile sddm-greeter @{exec_path} {
include
include
include
- include
+ include
include
include
include
diff --git a/apparmor.d/groups/kde/startplasma b/apparmor.d/groups/kde/startplasma
index e7846425..f10e80d7 100644
--- a/apparmor.d/groups/kde/startplasma
+++ b/apparmor.d/groups/kde/startplasma
@@ -62,6 +62,7 @@ profile startplasma @{exec_path} {
owner @{user_config_dirs}/startkderc r,
owner @{user_config_dirs}/Trolltech.conf.lock rwk,
owner @{user_config_dirs}/Trolltech.conf{,.@{rand6}} rwl,
+ owner link @{user_config_dirs}/kdeglobals -> @{user_config_dirs}/#@{int},
owner @{user_share_dirs}/color-schemes/{,**} r,
owner @{user_share_dirs}/kservices{5,6}/{,**} r,
diff --git a/apparmor.d/groups/kde/xembedsniproxy b/apparmor.d/groups/kde/xembedsniproxy
index dc6b215f..969a82f6 100644
--- a/apparmor.d/groups/kde/xembedsniproxy
+++ b/apparmor.d/groups/kde/xembedsniproxy
@@ -10,6 +10,7 @@ include
profile xembedsniproxy @{exec_path} {
include
include
+ include
include
include
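Review bot: `owner link @{user_config_dirs}/kdeglobals -> @{user_config_dirs}/#@{int},` is written as a standalone link rule while the neighbouring `Trolltech.conf{,.@{rand6}} rwl` line uses the combined `rwl` form; if startplasma writes kdeglobals through an anonymous temporary file, it also needs `owner @{user_config_dirs}/#@{int} rw,`, which is not visible in this hunk and should be confirmed elsewhere in the profile. A short comment, e.g. `# kdeglobals is created by hard-linking the anonymous temporary file into place; no direct write is needed`, would explain why only link is granted here and no read or write. The startplasma profile body continues outside the hunk.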