diff --git a/apparmor.d/groups/kde/kscreenlocker-greet b/apparmor.d/groups/kde/kscreenlocker-greet
index 39d5df21..af6aa16d 100644
--- a/apparmor.d/groups/kde/kscreenlocker-greet
+++ b/apparmor.d/groups/kde/kscreenlocker-greet
@@ -1,76 +1,92 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2019-2021 Mikhail Morfikov
+# Copyright (C) 2023 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
 abi ,
 include
-@{exec_path} = /{usr/,}lib/@{multiarch}/libexec/kscreenlocker_greet
+@{exec_path} = @{libexec}/kscreenlocker_greet
+@{exec_path} += /{usr/,}lib/@{multiarch}/libexec/kscreenlocker_greet
 profile kscreenlocker-greet @{exec_path} {
 include
- include
- include
- include
- include
 include
+ include
+ include
+ include
 include
+ include
 include
 include
- include
+ include
+
+ network netlink raw,
 signal (send) peer=kcheckpass,
+ signal (receive) set=usr1 peer=ksmserver,
 @{exec_path} mr,
+ /{usr/,}{s,}bin/unix_chkpwd rPx,
 /{usr/,}lib/@{multiarch}/libexec/kcheckpass rPx,
+ /usr/share/hwdata/pnp.ids r,
 /usr/share/plasma/** r,
+ /usr/share/qt/translations/*.qm r,
+ /usr/share/qt5ct/** r,
+ /usr/share/wallpapers/{,**} r,
 /usr/share/wallpapers/Path/contents/images/*.{jpg,png} r,
-
- # List of graphical sessions
- /usr/share/xsessions/{,*.desktop} r,
 /usr/share/wayland-sessions/{,*.desktop} r,
+ /usr/share/xsessions/{,*.desktop} r,
+
+ /etc/environment r,
+ /etc/fstab r,
+ /etc/fstab r,
+ /etc/login.defs r,
+ /etc/machine-id r,
+ /etc/pam.d/* r,
+ /etc/security/faillock.conf r,
+ /etc/security/pam_env.conf r,
+ /etc/shells r,
+ /var/lib/dbus/machine-id r,
 owner @{HOME}/.Xauthority r,
-
- owner @{user_config_dirs}/kdeglobals r,
- owner @{user_config_dirs}/kscreenlockerrc r,
-
- owner @{user_config_dirs}/qt5ct/{,**} r,
- /usr/share/qt5ct/** r,
+ owner @{HOME}/.xsession-errors w,
 owner @{user_cache_dirs}/ rw,
- owner @{user_cache_dirs}/qtshadercache/ rw,
- owner @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9] rw,
- owner @{user_cache_dirs}/qtshadercache/@{hex} rwl -> @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9],
- owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9] rw,
- owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/@{hex} rwl -> 
@{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9],
-
+ owner @{user_cache_dirs}/icon-cache.kcache rw,
+ owner @{user_cache_dirs}/kscreenlocker_greet/ w,
+ owner @{user_cache_dirs}/kscreenlocker_greet/** rwl,
+ owner @{user_cache_dirs}/plasma_theme_default_*.kcache rw,
 owner @{user_cache_dirs}/plasma-svgelements-default_v* r,
+ owner @{user_cache_dirs}/plasma-svgelements.lock rwk,
+ owner @{user_cache_dirs}/plasma-svgelements{,.??????} rwl,
+ owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/@{hex} rwl -> @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9],
+ owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9] rw,
+ owner @{user_cache_dirs}/qtshadercache/ rw,
+ owner @{user_cache_dirs}/qtshadercache/@{hex} rwl -> @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9],
+ owner @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9] rw,
+
+ owner @{user_config_dirs}/kdedefaults/* r,
+ owner @{user_config_dirs}/kdeglobals r,
+ owner @{user_config_dirs}/kscreenlockerrc r,
+ owner @{user_config_dirs}/ksmserverrc r,
+ owner @{user_config_dirs}/qt5ct/{,**} r,
 # If one is blocked, the others are probed.
 deny owner @{HOME}/#[0-9]*[0-9] mrw,
 owner @{HOME}/.glvnd* mrw,
- # owner /tmp/#[0-9]*[0-9] mrw,
- # owner /tmp/.glvnd* mrw,
+
+ owner /tmp/*-cover-*.{jpg,png} r,
+
+ @{run}/faillock/[a-zA-z0-9]* rwk,
 @{PROC}/@{pid}/cmdline r,
 @{PROC}/@{pid}/mounts r,
 @{PROC}/sys/kernel/core_pattern r,
- /etc/fstab r,
-
- /usr/share/hwdata/pnp.ids r,
-
- # Audio player covers
- owner /tmp/*-cover-*.{jpg,png} r,
-
- /var/lib/dbus/machine-id r,
- /etc/machine-id r,
-
- # file_inherit
- owner @{HOME}/.xsession-errors w,
+ /dev/tty r,
 include if exists
 }
diff --git a/apparmor.d/profiles-g-l/kwalletd5 b/apparmor.d/groups/kde/kwalletd5
similarity index 96%
rename from apparmor.d/profiles-g-l/kwalletd5
rename to apparmor.d/groups/kde/kwalletd5
index 5fbd0dda..95334763 100644
--- a/apparmor.d/profiles-g-l/kwalletd5
+++ b/apparmor.d/groups/kde/kwalletd5
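Review bot: The new rule `@{run}/faillock/[a-zA-z0-9]* rwk,` has a character-class typo: as written, `A-z` is the byte range 0x41–0x7A and therefore also matches `[`, `\`, `]`, `^`, `_` and the backtick, not only letters; it should read `@{run}/faillock/[a-zA-Z0-9]* rwk,`. `/etc/fstab r,` is added twice in the same block, so one copy should be dropped. `owner @{user_cache_dirs}/kscreenlocker_greet/** rwl,` grants link creation with no `->` target, unlike the `qtshadercache` rules beside it that pin the target; if the link destination is known it should be constrained the same way. The profile header and closing brace both fall inside this hunk, so the rule set is complete as shown.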
@@ -30,8 +30,10 @@ profile kwalletd5 @{exec_path} {
 /{usr/,}bin/gpg{,2} rCx -> gpg,
 /{usr/,}bin/gpgsm rCx -> gpg,
+ /usr/share/color-schemes/{,**} r,
 /usr/share/hwdata/pnp.ids r,
 /usr/share/icu/72.1/icudt72l.dat r,
+ /usr/share/qt/translations/*.qm r,
 /usr/share/qt5/qtlogging.ini r,
 /usr/share/qt5ct/** r,
diff --git a/apparmor.d/profiles-g-l/kwalletmanager5 b/apparmor.d/groups/kde/kwalletmanager5
similarity index 83%
rename from apparmor.d/profiles-g-l/kwalletmanager5
rename to apparmor.d/groups/kde/kwalletmanager5
index da18f3d1..aab4e91a 100644
--- a/apparmor.d/profiles-g-l/kwalletmanager5
+++ b/apparmor.d/groups/kde/kwalletmanager5
@@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2018-2021 Mikhail Morfikov
+# Copyright (C) 2023 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
 abi ,
@@ -9,46 +10,48 @@ include
 @{exec_path} = /{usr/,}bin/kwalletmanager5
 profile kwalletmanager5 @{exec_path} {
 include
- include
- include
- include
- include
- include
- include
 include
- include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
 include
 include
- include
- include
- include
+ include
+ include
+ include
 @{exec_path} mr,
- /{usr/,}lib/@{multiarch}/qt5/plugins/kf5/org.kde.kwindowsystem.platforms/KF5WindowSystemX11Plugin.so mr,
- /{usr/,}lib/@{multiarch}/qt5/plugins/kf5/FrameworkIntegrationPlugin.so mr,
- /{usr/,}lib/@{multiarch}/qt5/plugins/phonon_platform/kde.so mr,
- /{usr/,}lib/@{multiarch}/qt5/plugins/phonon4qt5_backend/phonon_vlc.so mr,
- /usr/share/kxmlgui5/kwalletmanager5/kwalletmanager.rc r,
+ /usr/share/qt5ct/** r,
+ /usr/share/hwdata/pnp.ids r,
+ /etc/fstab r,
+ /etc/machine-id r,
+ /etc/xdg/ui/ui_standards.rc r,
+ /var/lib/dbus/machine-id r,
+
+ owner @{user_cache_dirs}/icon-cache.kcache rw,
+ owner @{user_config_dirs}/qt5ct/{,**} r,
 owner @{user_config_dirs}/#[0-9]*[0-9] rw,
- owner @{user_config_dirs}/kwalletrc rw,
- owner @{user_config_dirs}/kwalletrc.lock rwk,
- owner @{user_config_dirs}/kwalletrc.* rwl -> @{user_config_dirs}/#[0-9]*[0-9],
 owner @{user_config_dirs}/kwalletmanager5rc rw,
- owner @{user_config_dirs}/kwalletmanager5rc.lock rwk,
 owner @{user_config_dirs}/kwalletmanager5rc.* rwl -> @{user_config_dirs}/#[0-9]*[0-9],
+ owner @{user_config_dirs}/kwalletmanager5rc.lock rwk,
+ owner @{user_config_dirs}/kwalletrc rw,
+ owner @{user_config_dirs}/kwalletrc.* rwl -> @{user_config_dirs}/#[0-9]*[0-9],
+ owner @{user_config_dirs}/kwalletrc.lock rwk,
 owner @{user_config_dirs}/session/#[0-9]*[0-9] rw,
 owner @{user_config_dirs}/session/kwalletmanager5_* rwl -> @{user_config_dirs}/session/#[0-9]*[0-9],
 owner @{user_config_dirs}/session/kwalletmanager5_*.lock rwk,
 owner @{user_config_dirs}/kdeglobals r,
- owner @{user_cache_dirs}/icon-cache.kcache rw,
- # To configure Qt5 settings (theme, font, icons, etc.) 
under DE/WM without Qt integration
- owner @{user_config_dirs}/qt5ct/{,**} r,
- /usr/share/qt5ct/** r,
+ owner /tmp/xauth-[0-9]*-_[0-9] r,
 deny owner @{PROC}/@{pid}/cmdline r,
 @{PROC}/sys/kernel/core_pattern r,
@@ -56,19 +59,8 @@ profile kwalletmanager5 @{exec_path} {
 @{PROC}/@{pid}/mountinfo r,
 @{PROC}/@{pid}/mounts r,
- /etc/fstab r,
-
- /etc/xdg/ui/ui_standards.rc r,
-
- /var/lib/dbus/machine-id r,
- /etc/machine-id r,
-
- /usr/share/hwdata/pnp.ids r,
- /dev/shm/ r,
 /dev/shm/#[0-9]*[0-9] rw,
- owner /tmp/xauth-[0-9]*-_[0-9] r,
- include if exists
 }
diff --git a/apparmor.d/groups/kde/sddm b/apparmor.d/groups/kde/sddm
index 57d8725f..d955eec2 100644
--- a/apparmor.d/groups/kde/sddm
+++ b/apparmor.d/groups/kde/sddm
@@ -18,16 +18,17 @@ profile sddm @{exec_path} flags=(attach_disconnected) {
 include
 include
 include
+ include
+ capability audit_write,
 capability chown,
- capability setgid,
+ capability dac_override,
+ capability dac_read_search,
 capability fowner,
+ capability net_admin,
+ capability setgid,
 capability setuid,
 capability sys_resource,
- capability audit_write,
- capability dac_read_search,
- capability net_admin,
- capability dac_override,
 network netlink raw,
@@ -37,10 +38,13 @@ profile sddm @{exec_path} flags=(attach_disconnected) {
 @{exec_path} mr,
- /{usr/,}lib{,exec}/sddm/sddm-helper rix,
- /{usr/,}lib/@{multiarch}/sddm/sddm-helper rix,
+ /{usr/,}lib{,exec}/sddm/sddm-helper rix,
+ /{usr/,}lib/@{multiarch}/sddm/sddm-helper rix,
 /{usr/,}bin/{,ba,da}sh rix,
+ /{usr/,}bin/tr rix,
+ /{usr/,}bin/cat rix,
+ /{usr/,}bin/tty rix,
 /{usr/,}bin/sddm-greeter rPx,
 /etc/sddm/Xsession rPx,
@@ -49,22 +53,19 @@ profile sddm @{exec_path} flags=(attach_disconnected) {
 /{usr/,}bin/xauth rCx -> xauth,
 /{usr/,}bin/xsetroot rPx,
 /{usr/,}bin/sway rPUx,
+ /{usr/,}bin/flatpak rPUx,
- # System keyrings
+ /{usr/,}bin/systemctl rPx -> child-systemctl,
+ /{usr/,}bin/dbus-update-activation-environment rCx -> dbus,
 /{usr/,}bin/gnome-keyring-daemon rPx,
 /{usr/,}bin/kwalletd5 rPx,
+ /{usr/,}bin/startplasma-x11 rPx,
- # SDDM scripts
- # What to do with it? (#FIXME#)
- /usr/etc/X11/xdm/Xsetup rPUx,
- /usr/share/sddm/scripts/Xsetup rPUx,
- /usr/share/sddm/scripts/Xstop rPUx,
- /usr/share/sddm/scripts/wayland-session rPUx,
- /usr/share/sddm/scripts/Xsession rPUx,
- #/usr/share/sddm/scripts/Xsetup rCx -> scripts,
- #/usr/share/sddm/scripts/Xstop rCx -> scripts,
- #/usr/share/sddm/scripts/wayland-session rCx -> scripts,
- #/usr/share/sddm/scripts/Xsession rCx -> scripts,
+ /usr/etc/X11/xdm/Xsetup rix,
+ /usr/share/sddm/scripts/Xsetup rix,
+ /usr/share/sddm/scripts/Xstop rix,
+ /usr/share/sddm/scripts/wayland-session rix,
+ /usr/share/sddm/scripts/Xsession rix,
 /usr/share/desktop-base/softwaves-theme/login/*.svg r,
 /usr/share/plasma/desktoptheme/** r,
@@ -74,13 +75,17 @@ profile sddm @{exec_path} flags=(attach_disconnected) {
 /usr/share/xsessions/{,*.desktop} r,
 /var/lib/AccountsService/icons/*.icon r,
+ /etc/X11/xinit/xinitrc.d/{,*} r,
+ @{etc_ro}/environment r,
 @{etc_ro}/security/limits.d/ r,
+ /etc/debuginfod/{,*} r,
 /etc/default/locale r,
 /etc/locale.conf r,
 /etc/machine-id r,
 /etc/sddm.conf r,
 /etc/sddm.conf.d/{,*} r,
+ /etc/shells r,
 / r,
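Review bot: `Xsetup`, `Xstop`, `wayland-session` and `/usr/share/sddm/scripts/Xsession` are switched to `rix`, so these site-editable shell scripts, and everything they spawn through `/{usr/,}bin/{,ba,da}sh rix`, now run inside the sddm profile itself, with the `dac_override`, `dac_read_search`, `setuid`, `setgid` and `net_admin` capabilities granted earlier in the file, while the neighbouring `/etc/sddm/Xsession rPx` in the same hunk keeps a dedicated confined profile. Inline execution is still tighter than the previous `rPUx` fallback to unconfined, but the commented-out `rCx -> scripts` lines this hunk deletes were the better shape: a small `scripts` child profile listing only the interpreters and helpers those scripts need (Xsetup and Xstop are normally run by sddm before it drops to the session user). If the sddm-xsession profile's exec path can match it, `/usr/share/sddm/scripts/Xsession rPx -> sddm-xsession,` would at least make the two Xsession rules consistent. The profile body starts before and continues after this hunk.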
@@ -91,12 +96,14 @@ profile sddm @{exec_path} flags=(attach_disconnected) {
 owner @{HOME}/.local/ w,
 owner @{HOME}/.Xauthority rw,
+ owner @{user_share_dirs}/ w,
 owner @{user_share_dirs}/kwalletd/ rw,
 owner @{user_share_dirs}/kwalletd/kdewallet.salt r,
 owner @{user_share_dirs}/kwalletd/kdewallet.salt rw,
 owner @{user_share_dirs}/sddm/ w,
-
+ owner @{user_share_dirs}/sddm/xorg-session.log w,
+ /tmp/sddm-* rw,
 owner /tmp/*/{,s} rw,
 owner /tmp/sddm-auth* rw,
@@ -114,31 +121,7 @@ profile sddm @{exec_path} flags=(attach_disconnected) {
 owner @{PROC}/1/limits r,
 /dev/tty[0-9]* rw,
-
- profile scripts {
- include
- include
- include
-
- /{usr/,}bin/{,ba,da}sh rix,
-
- /{usr/,}bin/{,ba,da}sh rix,
- /{usr/,}bin/zsh rix,
-
- /{usr/,}bin/id rix,
- /{usr/,}bin/flatpak rPUx,
- /{usr/,}bin/sway rPUx,
-
- /{usr/,}bin/dbus-run-session rix,
- /{usr/,}bin/dbus-daemon rPUx,
-
- /usr/share/sddm/scripts/Xsetup r,
- /usr/share/sddm/scripts/Xstop r,
- /usr/share/sddm/scripts/wayland-session r,
- /usr/share/sddm/scripts/Xsession r,
-
- include if exists
- }
+ /dev/tty rw,
 profile xauth {
 include
@@ -150,11 +133,24 @@ profile sddm @{exec_path} flags=(attach_disconnected) {
 owner @{HOME}/.Xauthority-n rw,
 owner @{HOME}/.Xauthority rwl -> @{HOME}/.Xauthority-n,
+ owner @{user_share_dirs}/sddm/xorg-session.log w,
+ owner @{run}/sddm/\{@{uuid}\}-c w,
 owner @{run}/sddm/\{@{uuid}\}-l wl -> @{run}/sddm/\{@{uuid}\}-c,
 owner @{run}/sddm/\{@{uuid}\}-n rw,
 owner @{run}/sddm/\{@{uuid}\} rwl -> @{run}/sddm/\{@{uuid}\}-n,
+ include if exists
+ }
+
+ profile dbus {
+ include
+
+ /{usr/,}bin/dbus-update-activation-environment mr,
+
+ owner @{user_share_dirs}/sddm/xorg-session.log w,
+
+ include if exists
 }
 include if exists
diff --git a/apparmor.d/groups/kde/sddm-xsession b/apparmor.d/groups/kde/sddm-xsession
index 9460acc8..30b9c197 100644
--- a/apparmor.d/groups/kde/sddm-xsession
+++ b/apparmor.d/groups/kde/sddm-xsession
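Review bot: `/tmp/sddm-* rw,` is the only `/tmp` rule in this block without `owner`, and its glob also covers the existing `owner /tmp/sddm-auth* rw,` two lines below, so that rule's owner restriction no longer has any effect once the broader rule matches. sddm runs as root here (the profile grants `dac_override`), so an unowned read/write rule on a world-writable directory is exactly the pattern that lets a local user plant a matching file for it to write to. Unless sddm genuinely has to write files it does not own, this should be `owner /tmp/sddm-* rw,`, after which `owner /tmp/sddm-auth* rw,` can be dropped as redundant. The profile body continues outside this hunk.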
@@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2019-2021 Mikhail Morfikov
+# Copyright (C) 2023 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
 abi ,
@@ -12,65 +13,55 @@ profile sddm-xsession @{exec_path} {
 include
 include
 include
+ include
 @{exec_path} r,
+
+ /{usr/,}{local,}bin/ r,
 /{usr/,}bin/{,ba,da}sh rix,
-
- /{usr/,}bin/rm rix,
- /{usr/,}bin/touch rix,
 /{usr/,}bin/{,e}grep rix,
- /{usr/,}bin/cat rix,
- /{usr/,}bin/which{,.debianutils} rix,
- /{usr/,}bin/id rix,
- /{usr/,}bin/chmod rix,
- /{usr/,}bin/date rix,
 /{usr/,}bin/{m,g,}awk rix,
- /{usr/,}bin/tempfile rix,
- /{usr/,}bin/mktemp rix,
-
- /{usr/,}bin/ r,
- /{usr/,}bin/zsh rix,
- /{usr/,}bin/tcsh rix,
+ /{usr/,}bin/cat rix,
+ /{usr/,}bin/chmod rix,
 /{usr/,}bin/csh rix,
+ /{usr/,}bin/date rix,
 /{usr/,}bin/fish rix,
+ /{usr/,}bin/id rix,
+ /{usr/,}bin/mktemp rix,
+ /{usr/,}bin/rm rix,
+ /{usr/,}bin/tcsh rix,
+ /{usr/,}bin/tempfile rix,
+ /{usr/,}bin/touch rix,
+ /{usr/,}bin/which{,.*} rix,
+ /{usr/,}bin/zsh rix,
- /usr/local/bin/ r,
+ /{usr/,}bin/dbus-update-activation-environment rCx -> dbus,
+ /{usr/,}bin/flatpak rPUx,
+ /{usr/,}bin/numlockx rPx,
+ /{usr/,}bin/xhost rPx,
+ /{usr/,}bin/xrdb rPx,
+ /etc/X11/Xsession rPx,
+ /{usr/,}bin/ssh-agent rPx,
+ /{usr/,}bin/udevadm rPx,
- /etc/X11/Xsession rPx,
-
- /{usr/,}bin/dbus-update-activation-environment rCx -> dbus,
-
- /{usr/,}bin/gpgconf rCx -> gpg,
 /{usr/,}bin/run-parts rCx -> run-parts,
- /{usr/,}bin/udevadm rCx -> udevadm,
-
- /{usr/,}bin/flatpak rPUx,
- /{usr/,}bin/xrdb rPx,
- /{usr/,}bin/numlockx rPx,
- /{usr/,}bin/xhost rPx,
- # Allowed GUI sessions to start
 #/{usr/,}bin/openbox-session rPx,
 #/{usr/,}bin/openbox rPx,
- /{usr/,}bin/ssh-agent rPx,
+
+ /etc/default/{,*} r,
+ /etc/X11/{,**} r,
+
+ owner @{HOME}/.xsession-errors w,
+
+ owner @{user_share_dirs}/sddm/xorg-session.log w,
 owner /tmp/xsess-env-* rw,
 owner /tmp/file* rw,
- /etc/default/{,*} r,
-
- /etc/X11/{,**} r,
- owner @{PROC}/@{pid}/loginuid r,
- # Xsession logs
- owner @{user_share_dirs}/sddm/xorg-session.log w,
- owner @{HOME}/.xsession-errors w,
-
- /etc/zsh/* r,
-
-
 profile run-parts {
 include
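Review bot: The `/{usr/,}bin/gpgconf rCx -> gpg,` rule is dropped from this hunk without a replacement, so an Xsession.d snippet that launches gpg-agent through gpgconf (Debian's 90gpg-agent does) will now be denied at exec time, unless gpgconf is covered by one of the includes whose names are not visible in this rendering. If the removal is deliberate, a one-line comment such as `# gpg-agent is started by the session manager, not by Xsession` next to the exec rules would save the next reader the same question. Widening `which{,.debianutils}` to `which{,.*}` also matches any `which.<suffix>` binary under `/usr/bin`, and `which{,.debianutils}` was the tighter spelling. The profile body continues past the end of this hunk.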
@@ -79,9 +70,9 @@ profile sddm-xsession @{exec_path} {
 /etc/X11/Xsession.d/ r,
 /etc/X11/Xresources/ r,
- # file_inherit
 owner @{HOME}/.xsession-errors w,
+ include if exists
 }
 profile dbus {
@@ -89,47 +80,9 @@ profile sddm-xsession @{exec_path} {
 /{usr/,}bin/dbus-update-activation-environment mr,
- # file_inherit
 owner @{HOME}/.xsession-errors w,
- }
-
- profile gpg {
- include
- /{usr/,}bin/gpgconf mr,
- /{usr/,}bin/gpg-agent rix,
- owner @{HOME}/@{XDG_GPG_DIR}/ rw,
- owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**,
- @{PROC}/@{pid}/fd/ r,
- }
-
- profile udevadm {
- include
- /{usr/,}bin/udevadm mr,
- /etc/udev/udev.conf r,
- owner @{PROC}/@{pid}/stat r,
- @{PROC}/cmdline r,
- @{PROC}/1/sched r,
- @{PROC}/1/environ r,
- @{PROC}/sys/kernel/osrelease r,
- @{sys}/firmware/efi/efivars/SecureBoot-@{hex}-@{hex}-@{hex}@{hex} r,
- @{sys}/bus/ r,
- @{sys}/bus/*/devices/ r,
- @{sys}/class/ r,
- @{sys}/class/*/ r,
- @{sys}/devices/**/uevent r,
- @{run}/udev/data/* r,
-
+ include if exists
 }
 include if exists