fix(profiles): modernise plank & kstart

- Still wip profile
- Should enable additional DE to boot
Alexandre Pujol 2023-11-29 22:29:41 +00:00
parent 40cec35a58
commit 5af4d3c921
No known key found for this signature in database
GPG Key ID: C5469996F0DF68EC
6 changed files with 16 additions and 20 deletions


@ -21,7 +21,6 @@ profile xdg-mime @{exec_path} flags=(attach_disconnected) {
@{bin}/cut rix, @{bin}/cut rix,
@{bin}/file rix, @{bin}/file rix,
@{bin}/head rix, @{bin}/head rix,
@{bin}/ktraderclient5 rPUx,
@{bin}/mv rix, @{bin}/mv rix,
@{bin}/readlink rix, @{bin}/readlink rix,
@{bin}/sed rix, @{bin}/sed rix,


@ -19,7 +19,6 @@ profile xdg-settings @{exec_path} {
@{bin}/basename rix, @{bin}/basename rix,
@{bin}/cat rix, @{bin}/cat rix,
@{bin}/cut rix, @{bin}/cut rix,
@{bin}/kreadconfig5 rPx,
@{bin}/mktemp rix, @{bin}/mktemp rix,
@{bin}/mv rix, @{bin}/mv rix,
@{bin}/readlink rix, @{bin}/readlink rix,


@ -21,10 +21,6 @@ profile ksmserver @{exec_path} flags=(attach_disconnected,mediate_deleted) {
signal (send) set=(usr1,term) peer=kscreenlocker-greet, signal (send) set=(usr1,term) peer=kscreenlocker-greet,
unix (connect, receive, send, accept)
type=stream
peer=(addr="@/tmp/.ICE-unix/[0-9]*"),
@{exec_path} mr, @{exec_path} mr,
@{bin}/rm rix, @{bin}/rm rix,


@ -1,25 +1,25 @@
# apparmor.d - Full set of apparmor profiles # apparmor.d - Full set of apparmor profiles
# Copyright (C) 2023 Jeroen Rijken # Copyright (C) 2023 Jeroen Rijken
# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>, abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/kstart @{exec_path} = @{bin}/kstart
profile kstart @{exec_path} flags=(complain,attach_disconnected) { profile kstart @{exec_path} flags=(complain,attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/nameservice-strict>
include <abstractions/fontconfig-cache-read> include <abstractions/fontconfig-cache-read>
include <abstractions/fonts> include <abstractions/fonts>
include <abstractions/nameservice-strict>
unix (connect, send, receive) type=stream peer=(addr="@/tmp/.ICE-unix/4979"), include <abstractions/X-strict>
@{exec_path} mr, @{exec_path} mr,
/{usr/,}bin/** rPUx,
/{usr/,}bin/konsole rUx,
@{HOME}.Xauthority r, @{bin}/** rPUx,
@{bin}/konsole rPUx,
include if exists <local/kstart> include if exists <local/kstart>
} }
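Review bot: `@{bin}/konsole rPUx,` now has the same exec qualifier as the `@{bin}/** rPUx,` glob just above it, so it adds nothing. The old `rUx` entry looked like a deliberate override of the glob; either drop the line or, if konsole really must stay unconfined, keep it as `rUx` with a comment saying why. Separately, the glob lets kstart start any binary under `@{bin}` and run it unconfined whenever no profile is loaded for it, which is probably unavoidable for a launcher but means the profile confines kstart itself and not what it starts. A comment above the rule such as `# kstart runs arbitrary user-chosen programs; unprofiled ones fall back to unconfined` would record that this is intended.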


@ -1,32 +1,33 @@
# apparmor.d - Full set of apparmor profiles # apparmor.d - Full set of apparmor profiles
# Copyright (C) 2023 Jeroen Rijken # Copyright (C) 2023 Jeroen Rijken
# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>, abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}bin/plank @{exec_path} = @{bin}/plank
profile plank @{exec_path} flags=(complain) { profile plank @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/app-launcher-user> include <abstractions/app-launcher-user>
include <abstractions/dbus-session-strict> include <abstractions/dbus-session-strict>
include <abstractions/dconf> include <abstractions/dconf>
include <abstractions/freedesktop.org>
include <abstractions/fontconfig-cache-read> include <abstractions/fontconfig-cache-read>
include <abstractions/fonts> include <abstractions/fonts>
include <abstractions/freedesktop.org>
include <abstractions/gtk> include <abstractions/gtk>
include <abstractions/X-strict>
@{exec_path} rm, @{exec_path} rm,
unix (send, receive, connect) type=stream peer=(addr="@/tmp/.X11-unix/X[0-9]*", label="{xorg,xkbcomp}"),
@{user_config_dirs}/plank/{,**} rw,
/usr/{,local/}share/plank/{,**} r, /usr/{,local/}share/plank/{,**} r,
/usr/{,local/}share/mime/mime.cache r, /usr/{,local/}share/mime/mime.cache r,
/var/lib/flatpak/exports/share/icons/{,**} r, /var/lib/flatpak/exports/share/icons/{,**} r,
/var/lib/flatpak/exports/share/mime/mime.cache r, /var/lib/flatpak/exports/share/mime/mime.cache r,
owner @{user_config_dirs}/plank/{,**} rw,
include if exists <local/plank> include if exists <local/plank>
} }
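Review bot: The profile header loses `flags=(complain)` here and the mode is instead set by the `plank complain` entry added to the flags list in the last file, while kstart in this same commit keeps `flags=(complain,attach_disconnected)` in its header. Anyone loading this file without whatever step applies that list would get plank in enforce mode, and the commit message still calls the profile WIP. Pick one mechanism for both profiles, or add a header comment such as `# complain mode is set through the project flags list while this profile is WIP`. The move to `owner @{user_config_dirs}/plank/{,**} rw,` is a good tightening; the X11 socket rule that pinned the peer to `label="{xorg,xkbcomp}"` is now delegated to `abstractions/X-strict`, so it is worth confirming that the abstraction keeps an equivalent peer restriction.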


@ -256,6 +256,7 @@ pinentry-gnome3 complain
pinentry-gtk-2 complain pinentry-gtk-2 complain
pkexec complain pkexec complain
pkttyagent complain pkttyagent complain
plank complain
plasma-browser-integration-host complain plasma-browser-integration-host complain
plasma-discover complain plasma-discover complain
plasmashell mediate_deleted,complain plasmashell mediate_deleted,complain