feat(fsp): allow signal from system-user for some user app.

apparmor.d/groups/browsers/firefox-pingsender

@@ -21,6 +21,7 @@ profile firefox-pingsender @{exec_path} {
   network inet stream,
   network inet6 stream,
 
+  signal (receive) set=(cont, term) peer=@{systemd_user},
   signal (receive) set=(term, kill) peer=firefox,
 
   @{exec_path} mr,

apparmor.d/groups/freedesktop/at-spi2-registryd

@@ -17,6 +17,7 @@ profile at-spi2-registryd @{exec_path} flags=(attach_disconnected) {
   include <abstractions/nameservice-strict>
   include <abstractions/X-strict>
 
+  signal (receive) set=(cont, term) peer=@{systemd_user},
   signal (receive) set=(term hup kill) peer=@{systemd},
   signal (receive) set=(term hup kill) peer=dbus-daemon,
   signal (receive) set=(term hup kill) peer=gdm*,

apparmor.d/groups/freedesktop/geoclue

@@ -24,6 +24,8 @@ profile geoclue @{exec_path} flags=(attach_disconnected) {
   network inet6 stream,
   network netlink raw,
 
+  signal (receive) set=(cont, term) peer=@{systemd_user},
+
   # dbus: own bus=system name=org.freedesktop.GeoClue2
 
   dbus send bus=system path=/org/freedesktop/DBus

apparmor.d/groups/freedesktop/polkit-kde-authentication-agent

@@ -24,6 +24,7 @@ profile polkit-kde-authentication-agent @{exec_path} flags=(attach_disconnected)
   network inet6 stream,
   network netlink raw,
 
+  signal (receive) set=(cont, term) peer=@{systemd_user},
   signal (send) set=(term, kill) peer=polkit-agent-helper,
 
   @{exec_path} mr,

apparmor.d/groups/freedesktop/xdg-desktop-portal-kde

@@ -20,6 +20,8 @@ profile xdg-desktop-portal-kde @{exec_path} {
   network inet6 stream,
   network netlink raw,
 
+  signal (receive) set=(cont, term) peer=@{systemd_user},
+
   @{exec_path} mr,
 
   /usr/share/hwdata/pnp.ids r,

apparmor.d/groups/gnome/gnome-terminal-server

@@ -18,7 +18,7 @@ profile gnome-terminal-server @{exec_path} {
   include <abstractions/dconf-write>
   include <abstractions/gnome-strict>
 
-  signal (receive) set=(cont, term) peer=systemd-user,
+  signal (receive) set=(cont, term) peer=@{systemd_user},
   signal (send) set=(hup) peer=htop,
   signal (send) set=(term hup kill) peer=unconfined,
 

apparmor.d/groups/kde/DiscoverNotifier

@@ -17,6 +17,8 @@ profile DiscoverNotifier @{exec_path} {
   network inet6 dgram,
   network netlink dgram,
 
+  signal (receive) set=(cont, term) peer=@{systemd_user},
+
   @{exec_path} mr,
 
   /etc/flatpak/remotes.d/ r,

apparmor.d/groups/kde/baloo

@@ -17,6 +17,8 @@ profile baloo @{exec_path} {
 
   network netlink raw,
 
+  signal (receive) set=(cont, term) peer=@{systemd_user},
+
   @{exec_path} mr,
 
   @{lib}/baloo_file_extractor rix,

apparmor.d/groups/kde/gmenudbusmenuproxy

@@ -15,6 +15,8 @@ profile gmenudbusmenuproxy @{exec_path} {
 
   ptrace (read) peer=kded5,
 
+  signal (receive) set=(cont, term) peer=@{systemd_user},
+
   @{exec_path} mr,
 
   /etc/machine-id r,

apparmor.d/groups/kde/kaccess

@@ -13,6 +13,8 @@ profile kaccess @{exec_path} {
   include <abstractions/kde-strict>
   include <abstractions/nameservice-strict>
 
+  signal (receive) set=(cont, term) peer=@{systemd_user},
+
   @{exec_path} mr,
 
   @{bin}/gsettings rPx,

apparmor.d/groups/kde/kactivitymanagerd

@@ -14,6 +14,8 @@ profile kactivitymanagerd @{exec_path} {
   include <abstractions/user-read>
   include <abstractions/kde-strict>
 
+  signal (receive) set=(cont, term) peer=@{systemd_user},
+
   @{exec_path} mr,
 
   /etc/xdg/menus/{,*/} r,

apparmor.d/groups/kde/kde-powerdevil

@@ -17,6 +17,8 @@ profile kde-powerdevil @{exec_path} flags=(attach_disconnected mediate_deleted)
 
   network netlink raw,
 
+  signal (receive) set=(cont, term) peer=@{systemd_user},
+
   @{exec_path} mrix,
 
   @{sh_path}          rix,

apparmor.d/groups/kde/kded5

@@ -32,6 +32,7 @@ profile kded5 @{exec_path} {
 
   ptrace (read),
 
+  signal (receive) set=(cont, term) peer=@{systemd_user},
   signal (send) set=hup peer=xsettingsd,
 
   dbus receive bus=system path=/org/freedesktop/NetworkManager/SecretAgent

apparmor.d/groups/kde/kscreenlocker-greet

@@ -25,9 +25,10 @@ profile kscreenlocker-greet @{exec_path} {
 
   network netlink raw,
 
-  signal (send) peer=kcheckpass,
+  signal (receive) set=(cont, term) peer=@{systemd_user},
-  signal (receive) set=(usr1, term) peer=ksmserver,
   signal (receive) set=(term) peer=kwin_wayland,
+  signal (receive) set=(usr1, term) peer=ksmserver,
+  signal (send) peer=kcheckpass,
 
   unix (send,receive) type=stream peer=(label="ksmserver",addr=none),
 

apparmor.d/groups/kde/ksmserver

@@ -15,6 +15,7 @@ profile ksmserver @{exec_path} flags=(attach_disconnected,mediate_deleted) {
   include <abstractions/kde-strict>
   include <abstractions/nameservice-strict>
 
+  signal (receive) set=(cont, term) peer=@{systemd_user},
   signal (send) set=(usr1,term) peer=kscreenlocker-greet,
 
   unix (send, receive) type=stream peer=(label="kscreenlocker-greet",addr=none),

apparmor.d/groups/kde/kwin_wayland

@@ -19,6 +19,7 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) {
 
   ptrace (read),
 
+  signal (receive) set=(cont, term) peer=@{systemd_user},
   signal (receive) set=term peer=sddm,
   signal (receive) set=(kill, term) peer=kwin_wayland_wrapper,
   signal (send) set=(kill, term) peer=xwayland,

apparmor.d/groups/kde/kwin_wayland_wrapper

@@ -12,6 +12,7 @@ profile kwin_wayland_wrapper @{exec_path} {
   include <abstractions/wayland>
   include <abstractions/X-strict>
 
+  signal (receive) set=(cont, term) peer=@{systemd_user},
   signal (send) set=(term, kill) peer=kwin_wayland,
 
   @{exec_path} mr,

apparmor.d/groups/kde/plasmashell

@@ -42,6 +42,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
   ptrace (read) peer=libreoffice*,
   ptrace (read) peer=pinentry-qt,
 
+  signal (receive) set=(cont, term) peer=@{systemd_user},
   signal (send),
 
   @{exec_path} mr,

apparmor.d/groups/kde/sddm

@@ -40,11 +40,12 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) {
   ptrace (read),
   ptrace (trace) peer=@{profile_name},
 
-  signal (send) set=(term) peer=kwin_wayland,
+  signal (receive) set=(hup) peer=@{systemd},
   signal (send) set=(kill, term) peer=startplasma,
-  signal (send) set=(term) peer=startplasma-wayland,
-  signal (send) set=(term) peer=sddm-greeter,
   signal (send) set=(kill, term) peer=xorg,
+  signal (send) set=(term) peer=kwin_wayland,
+  signal (send) set=(term) peer=sddm-greeter,
+  signal (send) set=(term) peer=startplasma-wayland,
 
   dbus receive bus=system path=/org/freedesktop/DisplayManager/Seat@{int}
        interface=org.freedesktop.DBus.Introspectable

apparmor.d/groups/kde/startplasma

@@ -11,6 +11,7 @@ profile startplasma @{exec_path} {
   include <abstractions/base>
   include <abstractions/kde-strict>
 
+  signal (receive) set=(hup) peer=@{systemd},
   signal (receive) set=(term) peer=sddm,
 
   @{exec_path} mr,

apparmor.d/groups/kde/xembedsniproxy

@@ -13,6 +13,8 @@ profile xembedsniproxy @{exec_path} {
   include <abstractions/nameservice-strict>
   include <abstractions/qt5>
 
+  signal (receive) set=(cont, term) peer=@{systemd_user},
+
   @{exec_path} mr,
 
   /usr/share/hwdata/*.ids r,

apparmor.d/groups/systemd/systemd-generator-ds-identify

@@ -12,6 +12,8 @@ profile systemd-generator-ds-identify @{exec_path} flags=(attach_disconnected) {
   include <abstractions/consoles>
   include <abstractions/nameservice-strict>
 
+  ptrace (read) peer=@{systemd},
+
   @{exec_path} mr,
 
   @{sh_path}                     rix,

apparmor.d/groups/systemd/systemd-sulogin-shell

@@ -14,6 +14,8 @@ profile systemd-sulogin-shell @{exec_path} {
   capability net_admin,
   capability sys_resource,
 
+  signal (receive) set=(hup) peer=@{systemd},
+
   @{exec_path} mr,
 
   @{bin}/sulogin rPx,

apparmor.d/profiles-a-f/blueman

@@ -29,6 +29,8 @@ profile blueman @{exec_path} flags=(attach_disconnected) {
 
   ptrace (read) peer=gjs-console,
 
+  signal (receive) set=(cont, term) peer=@{systemd_user},
+
   @{exec_path} mrix,
 
   @{bin}/{b,d}ash            rix,