mirror of
https://github.com/roddhjav/apparmor.d.git
synced 2024-11-15 07:54:17 +01:00
fix(profiles): modernise plank & kstart
- Still wip profile - Should enable additional DE to boot
parent
40cec35a58
commit
5af4d3c921
@ -21,7 +21,6 @@ profile xdg-mime @{exec_path} flags=(attach_disconnected) {
|
|||||||
@{bin}/cut rix,
|
@{bin}/cut rix,
|
||||||
@{bin}/file rix,
|
@{bin}/file rix,
|
||||||
@{bin}/head rix,
|
@{bin}/head rix,
|
||||||
@{bin}/ktraderclient5 rPUx,
|
|
||||||
@{bin}/mv rix,
|
@{bin}/mv rix,
|
||||||
@{bin}/readlink rix,
|
@{bin}/readlink rix,
|
||||||
@{bin}/sed rix,
|
@{bin}/sed rix,
|
||||||
|
@ -19,7 +19,6 @@ profile xdg-settings @{exec_path} {
|
|||||||
@{bin}/basename rix,
|
@{bin}/basename rix,
|
||||||
@{bin}/cat rix,
|
@{bin}/cat rix,
|
||||||
@{bin}/cut rix,
|
@{bin}/cut rix,
|
||||||
@{bin}/kreadconfig5 rPx,
|
|
||||||
@{bin}/mktemp rix,
|
@{bin}/mktemp rix,
|
||||||
@{bin}/mv rix,
|
@{bin}/mv rix,
|
||||||
@{bin}/readlink rix,
|
@{bin}/readlink rix,
|
||||||
|
@ -21,10 +21,6 @@ profile ksmserver @{exec_path} flags=(attach_disconnected,mediate_deleted) {
|
|||||||
|
|
||||||
signal (send) set=(usr1,term) peer=kscreenlocker-greet,
|
signal (send) set=(usr1,term) peer=kscreenlocker-greet,
|
||||||
|
|
||||||
unix (connect, receive, send, accept)
|
|
||||||
type=stream
|
|
||||||
peer=(addr="@/tmp/.ICE-unix/[0-9]*"),
|
|
||||||
|
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
@{bin}/rm rix,
|
@{bin}/rm rix,
|
||||||
|
@ -1,25 +1,25 @@
|
|||||||
# apparmor.d - Full set of apparmor profiles
|
# apparmor.d - Full set of apparmor profiles
|
||||||
# Copyright (C) 2023 Jeroen Rijken
|
# Copyright (C) 2023 Jeroen Rijken
|
||||||
|
# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
|
||||||
# SPDX-License-Identifier: GPL-2.0-only
|
# SPDX-License-Identifier: GPL-2.0-only
|
||||||
|
|
||||||
abi <abi/3.0>,
|
abi <abi/3.0>,
|
||||||
|
|
||||||
include <tunables/global>
|
include <tunables/global>
|
||||||
|
|
||||||
@{exec_path} = /{usr/,}bin/kstart
|
@{exec_path} = @{bin}/kstart
|
||||||
profile kstart @{exec_path} flags=(complain,attach_disconnected) {
|
profile kstart @{exec_path} flags=(complain,attach_disconnected) {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
include <abstractions/nameservice-strict>
|
|
||||||
include <abstractions/fontconfig-cache-read>
|
include <abstractions/fontconfig-cache-read>
|
||||||
include <abstractions/fonts>
|
include <abstractions/fonts>
|
||||||
|
include <abstractions/nameservice-strict>
|
||||||
unix (connect, send, receive) type=stream peer=(addr="@/tmp/.ICE-unix/4979"),
|
include <abstractions/X-strict>
|
||||||
|
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
/{usr/,}bin/** rPUx,
|
|
||||||
/{usr/,}bin/konsole rUx,
|
|
||||||
|
|
||||||
@{HOME}.Xauthority r,
|
@{bin}/** rPUx,
|
||||||
|
|
||||||
|
@{bin}/konsole rPUx,
|
||||||
|
|
||||||
include if exists <local/kstart>
|
include if exists <local/kstart>
|
||||||
}
|
}
|
||||||
|
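Review bot: `@{bin}/** rPUx,` on the new side lets kstart execute any binary, and a target with no profile of its own runs unconfined, so this profile puts no bound on what its children can do. That may be intended for a launcher, but the rule has no comment saying so; I would add `# kstart launches arbitrary commands; targets without their own profile run unconfined` above it. The following `@{bin}/konsole rPUx,` now grants the same mode as the glob and looks redundant. It could be dropped, or tightened to `rPx` if a konsole profile is expected to be present. The header also keeps `complain` inline while this commit moves plank's mode into the flags list; whether kstart is listed there too is not visible here, but using one mechanism for both would be easier to audit.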
@ -1,32 +1,33 @@
|
|||||||
# apparmor.d - Full set of apparmor profiles
|
# apparmor.d - Full set of apparmor profiles
|
||||||
# Copyright (C) 2023 Jeroen Rijken
|
# Copyright (C) 2023 Jeroen Rijken
|
||||||
|
# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
|
||||||
# SPDX-License-Identifier: GPL-2.0-only
|
# SPDX-License-Identifier: GPL-2.0-only
|
||||||
|
|
||||||
abi <abi/3.0>,
|
abi <abi/3.0>,
|
||||||
|
|
||||||
include <tunables/global>
|
include <tunables/global>
|
||||||
|
|
||||||
@{exec_path} = /{usr/,}bin/plank
|
@{exec_path} = @{bin}/plank
|
||||||
profile plank @{exec_path} flags=(complain) {
|
profile plank @{exec_path} {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
include <abstractions/app-launcher-user>
|
include <abstractions/app-launcher-user>
|
||||||
include <abstractions/dbus-session-strict>
|
include <abstractions/dbus-session-strict>
|
||||||
include <abstractions/dconf>
|
include <abstractions/dconf>
|
||||||
include <abstractions/freedesktop.org>
|
|
||||||
include <abstractions/fontconfig-cache-read>
|
include <abstractions/fontconfig-cache-read>
|
||||||
include <abstractions/fonts>
|
include <abstractions/fonts>
|
||||||
|
include <abstractions/freedesktop.org>
|
||||||
include <abstractions/gtk>
|
include <abstractions/gtk>
|
||||||
|
include <abstractions/X-strict>
|
||||||
|
|
||||||
@{exec_path} rm,
|
@{exec_path} rm,
|
||||||
|
|
||||||
unix (send, receive, connect) type=stream peer=(addr="@/tmp/.X11-unix/X[0-9]*", label="{xorg,xkbcomp}"),
|
|
||||||
|
|
||||||
@{user_config_dirs}/plank/{,**} rw,
|
|
||||||
/usr/{,local/}share/plank/{,**} r,
|
/usr/{,local/}share/plank/{,**} r,
|
||||||
|
|
||||||
/usr/{,local/}share/mime/mime.cache r,
|
/usr/{,local/}share/mime/mime.cache r,
|
||||||
|
|
||||||
/var/lib/flatpak/exports/share/icons/{,**} r,
|
/var/lib/flatpak/exports/share/icons/{,**} r,
|
||||||
/var/lib/flatpak/exports/share/mime/mime.cache r,
|
/var/lib/flatpak/exports/share/mime/mime.cache r,
|
||||||
|
|
||||||
|
owner @{user_config_dirs}/plank/{,**} rw,
|
||||||
|
|
||||||
include if exists <local/plank>
|
include if exists <local/plank>
|
||||||
}
|
}
|
||||||
|
@ -256,6 +256,7 @@ pinentry-gnome3 complain
|
|||||||
pinentry-gtk-2 complain
|
pinentry-gtk-2 complain
|
||||||
pkexec complain
|
pkexec complain
|
||||||
pkttyagent complain
|
pkttyagent complain
|
||||||
|
plank complain
|
||||||
plasma-browser-integration-host complain
|
plasma-browser-integration-host complain
|
||||||
plasma-discover complain
|
plasma-discover complain
|
||||||
plasmashell mediate_deleted,complain
|
plasmashell mediate_deleted,complain
|
||||||
|