diff --git a/apparmor.d/abstractions/qt5.d/complete b/apparmor.d/abstractions/qt5.d/complete
new file mode 100644
index 00000000..e16e369e
--- /dev/null
+++ b/apparmor.d/abstractions/qt5.d/complete
@@ -0,0 +1,5 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+ /usr/share/qt{5,}/translations/*.qm r,
diff --git a/apparmor.d/groups/browsers/firefox b/apparmor.d/groups/browsers/firefox
index 948a82ea..04e2cfda 100644
--- a/apparmor.d/groups/browsers/firefox
+++ b/apparmor.d/groups/browsers/firefox
@@ -132,6 +132,7 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
 @{firefox_lib_dirs}/{,**} r,
 @{firefox_lib_dirs}/*.so mr,
 @{firefox_lib_dirs}/crashreporter rPx,
+ @{firefox_lib_dirs}/kmozillahelper rPUx,
 @{firefox_lib_dirs}/minidump-analyzer rPx,
 @{firefox_lib_dirs}/pingsender rPx,
 @{firefox_lib_dirs}/plugin-container rPx,
diff --git a/apparmor.d/groups/freedesktop/at-spi-bus-launcher b/apparmor.d/groups/freedesktop/at-spi-bus-launcher
index f8b0c21b..320b0cde 100644
--- a/apparmor.d/groups/freedesktop/at-spi-bus-launcher
+++ b/apparmor.d/groups/freedesktop/at-spi-bus-launcher
@@ -42,6 +42,7 @@ profile at-spi-bus-launcher @{exec_path} flags=(attach_disconnected) {
 owner /tmp/runtime-*/xauth_?????? r,
 owner @{run}/user/@{uid}/gdm/Xauthority r,
+ owner @{run}/user/@{uid}/xauth_?????? r,
 /var/lib/lightdm/.Xauthority r,
 /var/lib/gdm{3,}/.config/dconf/user r,
diff --git a/apparmor.d/groups/freedesktop/at-spi2-registryd b/apparmor.d/groups/freedesktop/at-spi2-registryd
index d6d922cc..8796f87b 100644
--- a/apparmor.d/groups/freedesktop/at-spi2-registryd
+++ b/apparmor.d/groups/freedesktop/at-spi2-registryd
@@ -92,6 +92,7 @@ profile at-spi2-registryd @{exec_path} flags=(attach_disconnected) {
 owner /tmp/runtime-*/xauth_?????? r,
 owner @{run}/user/@{uid}/gdm/Xauthority r,
+ owner @{run}/user/@{uid}/xauth_?????? r,
 owner /dev/tty[0-9]* rw,
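Review bot: `@{firefox_lib_dirs}/kmozillahelper rPUx,` lets the helper run unconfined on any system where no kmozillahelper profile is loaded, while every sibling helper in this hunk (crashreporter, minidump-analyzer, pingsender, plugin-container) uses `rPx`. kmozillahelper is, as far as I know, the KDE integration helper that opens URLs and files on Firefox's behalf, so an unconfined fallback is a wide exit from the browser profile; a dedicated profile with `rPx`, or at least a `# TODO: rPx` marker like the one the ksmserver hunk in this commit puts on its `DiscoverNotifier rPUx` line, would keep the gap visible. If the `U` is deliberate because no profile ships yet, a one-line comment saying so would help the next reader.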
diff --git a/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent b/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent
index faf347ab..d2206237 100644
--- a/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent
+++ b/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent
@@ -20,6 +20,7 @@ profile polkit-kde-authentication-agent @{exec_path} {
 include
 include
 include
+ include
 include
 include
 include
@@ -29,14 +30,15 @@ profile polkit-kde-authentication-agent @{exec_path} {
 @{exec_path} mr,
 /{usr/,}lib/polkit-[0-9]/polkit-agent-helper-[0-9] rPx,
- /{usr/,}lib/@{multiarch}/qt5/plugins/kf5/org.kde.kwindowsystem.platforms/KF5WindowSystemX11Plugin.so mr,
 /usr/share/hwdata/pnp.ids r,
- /usr/share/qt/translations/*.qm r,
 /usr/share/qt5ct/** r,
- /var/lib/dbus/machine-id r,
 /etc/machine-id r,
+ /etc/xdg/kdeglobals r,
+ /etc/xdg/kwinrc r,
+
+ /var/lib/dbus/machine-id r,
 owner @{user_cache_dirs}/icon-cache.kcache rw,
diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde b/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde
index ea02b27d..4dbc0bcf 100644
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde
@@ -13,13 +13,17 @@ profile xdg-desktop-portal-kde @{exec_path} {
 include
 include
 include
+ include
 include
 @{exec_path} mr,
 /usr/share/hwdata/pnp.ids r,
+ /usr/share/icu/[0-9]*.[0-9]*/*.dat r,
 /usr/share/mime/{,**} r,
- /usr/share/qt/translations/*.qm r,
+
+ /etc/xdg/kdeglobals r,
+ /etc/xdg/kwinrc r,
 owner @{HOME}/.Xauthority r,
 owner @{HOME}/.cache/*.kcache r,
diff --git a/apparmor.d/groups/freedesktop/xprop b/apparmor.d/groups/freedesktop/xprop
index c1c2b704..c5003c88 100644
--- a/apparmor.d/groups/freedesktop/xprop
+++ b/apparmor.d/groups/freedesktop/xprop
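Review bot: `/etc/xdg/kdeglobals r,` and `/etc/xdg/kwinrc r,` are added verbatim to polkit-kde-authentication-agent and xdg-desktop-portal-kde here, and again to kaccess, ksmserver and kwin_x11 later in this commit; five copies of the same pair suggest they belong in a shared KDE abstraction, so that the next additions of this kind (kwin_x11 already gains `/etc/xdg/kcminputrc r,` and `/etc/xdg/plasmarc r,`) land in one place. The include lines in these hunks lost their `<...>` targets in this rendering, so I cannot tell whether the include being added already covers part of this; if it does, the per-profile lines are redundant.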
@@ -13,12 +13,14 @@ profile xprop @{exec_path} {
 @{exec_path} mr,
+ /usr/etc/X11/xdm/Xresources r,
 /usr/share/icons/*/cursors/crosshair r,
 owner @{HOME}/.Xauthority r,
 owner @{HOME}/.icons/default/index.theme r,
 owner /tmp/runtime-*/xauth_?????? r,
+ owner @{run}/user/@{uid}/xauth_* rl,
 # file_inherit
 owner /dev/tty[0-9]* rw,
diff --git a/apparmor.d/groups/kde/baloo b/apparmor.d/groups/kde/baloo
index ec2e2b3b..371458dc 100644
--- a/apparmor.d/groups/kde/baloo
+++ b/apparmor.d/groups/kde/baloo
@@ -25,6 +25,7 @@ profile baloo @{exec_path} {
 /usr/share/qt/translations/*.qm r,
 /usr/share/hwdata/pnp.ids r,
+ /usr/share/poppler/{,**} r,
 /etc/fstab r,
 /etc/machine-id r,
diff --git a/apparmor.d/groups/kde/kaccess b/apparmor.d/groups/kde/kaccess
index 784d173c..a8d8636a 100644
--- a/apparmor.d/groups/kde/kaccess
+++ b/apparmor.d/groups/kde/kaccess
@@ -10,17 +10,22 @@ include
 profile kaccess @{exec_path} {
 include
 include
- include
 include
+ include
+ include
+ include
 @{exec_path} mr,
 /{usr/,}bin/gsettings rPx,
- /usr/share/icons/{,**} r,
- /usr/share/mime/{,**} r,
- /usr/share/qt{,5}/translations/*.qm r,
 /usr/share/hwdata/pnp.ids r,
+ /usr/share/icons/{,**} r,
+ /usr/share/icu/[0-9]*.[0-9]*/*.dat r,
+ /usr/share/mime/{,**} r,
+
+ /etc/xdg/kdeglobals r,
+ /etc/xdg/kwinrc r,
 owner @{HOME}/.Xauthority r,
diff --git a/apparmor.d/groups/kde/kded5 b/apparmor.d/groups/kde/kded5
index 7fb0eb11..1ac553a0 100644
--- a/apparmor.d/groups/kde/kded5
+++ b/apparmor.d/groups/kde/kded5
@@ -30,13 +30,15 @@ profile kded5 @{exec_path} {
 @{exec_path} mr,
+ @{libexec}/kf5/kconf_update rix, # TODO: rPx ?
+ @{libexec}/utempter/utempter rix, # TODO: rPx ?
 /{usr/,}bin/pgrep rCx -> pgrep,
 /{usr/,}bin/setxkbmap rix,
- /{usr/,}lib/kf5/kconf_update rix,
- /{usr/,}lib/utempter/utempter rix,
+ /{usr/,}bin/xsettingsd rPx,
 /usr/share/hwdata/*.ids r,
 /usr/share/kconf_update/{,**} r,
+ /usr/share/kded5/{,**} r,
 /usr/share/khotkeys/{,**} r,
 /usr/share/knotifications5/{,**} r,
 /usr/share/kservices5/{,**} r,
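Review bot: `owner @{run}/user/@{uid}/xauth_* rl,` in the xprop hunk grants link permission on the session's X authority cookie files, while the `/tmp/runtime-*/xauth_??????` rule directly above it is read-only and the at-spi hunks in this commit add the runtime-dir equivalent as `owner @{run}/user/@{uid}/xauth_?????? r,`. An X client normally only reads the cookie to authenticate to the display, so unless the `l` came from an observed denial, `owner @{run}/user/@{uid}/xauth_?????? r,` would match the neighbouring rules and keep the two spellings of the same path in step. The same `rl` form is introduced for kwin_x11 and the new xsettingsd profile later in this commit; if the link permission is really needed, a short comment on the reason would stop the next reviewer from asking again.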
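Review bot: `@{libexec}/utempter/utempter rix, # TODO: rPx ?` in the kded5 hunk keeps what is typically a privileged login-record helper inside kded5's own confinement, so anything utempter needs to write has to be granted to the whole kded5 profile instead of to a profile scoped to the helper; `kconf_update` on the line above has the same shape. Since the TODO is being left open, `@{libexec}/utempter/utempter rCx -> utempter,` with a small child profile would be a cheaper intermediate step than a full profile and would match the `/{usr/,}bin/pgrep rCx -> pgrep,` style two lines below. `/{usr/,}bin/xsettingsd rPx,` is consistent with the xsettingsd profile this commit adds.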
diff --git a/apparmor.d/groups/kde/ksmserver b/apparmor.d/groups/kde/ksmserver
index 56fc00ef..439c0872 100644
--- a/apparmor.d/groups/kde/ksmserver
+++ b/apparmor.d/groups/kde/ksmserver
@@ -9,29 +9,40 @@ include
 @{exec_path} = /{usr/,}bin/ksmserver
 profile ksmserver @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 include
+ include
 include
- include
+ include
 include
+ include
+ include
+ include
 @{exec_path} mr,
 /{usr/,}bin/rm rix,
 @{libexec}/kscreenlocker_greet rPx,
+ @{libexec}/DiscoverNotifier rPUx, # TODO: rPx,
 /usr/share/color-schemes/{,**} r,
 /usr/share/hwdata/pnp.ids r,
 /usr/share/icons/{,**} r,
- /usr/share/mime/{,**} r,
- /usr/share/qt/translations/*.qm r,
+ /usr/share/icu/[0-9]*.[0-9]*/*.dat r,
 /usr/share/knotifications5/*.notifyrc r,
+ /usr/share/kservices5/{,**} r,
+ /usr/share/mime/{,**} r,
 /etc/machine-id r,
+ /etc/xdg/kdeglobals r,
+ /etc/xdg/kscreenlockerrc r,
+ /etc/xdg/kwinrc r,
+ /etc/xdg/menus/ r,
 owner @{HOME}/?????? rw,
 owner @{HOME}/.Xauthority rw,
 owner @{user_cache_dirs}/icon-cache.kcache rw,
+ owner @{user_cache_dirs}/ksycoca5_* r,
 owner @{user_config_dirs}/kdedefaults/* r,
 owner @{user_config_dirs}/kdeglobals r,
@@ -48,8 +59,7 @@ profile ksmserver @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 @{run}/systemd/inhibit/[0-9]*.ref rw,
 owner @{run}/user/@{uid}/KSMserver__[0-9] rw,
- # owner @{run}/user/@{uid}/xauth_* r,
- @{run}/user/@{uid}/xauth_* rl,
+ owner @{run}/user/@{uid}/xauth_* rl,
 @{sys}/devices/pci[0-9]*/**/{device,subsystem_device,subsystem_vendor,uevent,vendor} r,
diff --git a/apparmor.d/groups/kde/kwin_x11 b/apparmor.d/groups/kde/kwin_x11
index 53b17012..e83e9481 100644
--- a/apparmor.d/groups/kde/kwin_x11
+++ b/apparmor.d/groups/kde/kwin_x11
@@ -10,10 +10,13 @@ include
 profile kwin_x11 @{exec_path} {
 include
 include
+ include
 include
 include
 include
 include
+ include
+ include
 network inet dgram,
 network inet6 dgram,
@@ -24,12 +27,16 @@ profile kwin_x11 @{exec_path} {
 /{usr/,}lib/kwin_killer_helper rix,
 /usr/share/hwdata/pnp.ids r,
+ /usr/share/icu/[0-9]*.[0-9]*/*.dat r,
 /usr/share/kwin/{,**} r,
- /usr/share/X11/xkb/{,**} r,
 /usr/share/plasma/desktoptheme/{,**} r,
- /usr/share/qt/translations/*.qm r,
+ /usr/share/X11/xkb/{,**} r,
 /etc/machine-id r,
+ /etc/xdg/kcminputrc r,
+ /etc/xdg/kdeglobals r,
+ /etc/xdg/kwinrc r,
+ /etc/xdg/plasmarc r,
 owner @{HOME}/.Xauthority r,
@@ -37,7 +44,8 @@ profile kwin_x11 @{exec_path} {
 owner @{user_cache_dirs}/#[0-9]* rw,
 owner @{user_cache_dirs}/icon-cache.kcache rw,
 owner @{user_cache_dirs}/kwin/{,**} rwl,
- owner @{user_cache_dirs}/plasma_theme_default_*.kcache rw,
+ owner @{user_cache_dirs}/plasmarc r,
+ owner @{user_cache_dirs}/plasma_theme_*.kcache rw,
 owner @{user_cache_dirs}/plasma-svgelements.lock rwk,
 owner @{user_cache_dirs}/plasma-svgelements{,.??????} rwl,
 owner @{user_cache_dirs}/qtshadercache-*/@{hex} r,
@@ -53,6 +61,8 @@ profile kwin_x11 @{exec_path} {
 owner @{user_config_dirs}/kxkbrc r,
 owner @{user_config_dirs}/session/kwin_* rwk,
+ @{run}/user/@{uid}/xauth_* rl,
+
 @{PROC}/sys/kernel/core_pattern r,
 /dev/tty r,
diff --git a/apparmor.d/groups/kde/xdm-xsession b/apparmor.d/groups/kde/xdm-xsession
index 0a048455..cfc6047c 100644
--- a/apparmor.d/groups/kde/xdm-xsession
+++ b/apparmor.d/groups/kde/xdm-xsession
@@ -16,9 +16,11 @@ profile xdm-xsession @{exec_path} {
 @{exec_path} mr,
+ /{usr/,}{s,}bin/checkproc rix,
 /{usr/,}bin/{,ba,da}sh rix,
 /{usr/,}bin/basename rix,
 /{usr/,}bin/cat rix,
+ /{usr/,}bin/dirname rix,
 /{usr/,}bin/gpg-agent rix,
 /{usr/,}bin/gpg-connect-agent rix,
 /{usr/,}bin/grep rix,
@@ -27,9 +29,10 @@ profile xdm-xsession @{exec_path} {
 /{usr/,}bin/readlink rix,
 /{usr/,}bin/sed rix,
 /{usr/,}bin/ssh-agent rix,
+ /{usr/,}bin/tr rix,
 /{usr/,}bin/tty rix,
 /{usr/,}bin/uname rix,
- /{usr/,}bin/tr rix,
+ /{usr/,}bin/whoami rix,
 /{usr/,}bin/dbus-update-activation-environment rCx -> dbus,
 /{usr/,}bin/flatpak rPUx,
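Review bot: `@{run}/user/@{uid}/xauth_* rl,` in the third kwin_x11 hunk (`@@ -53,6 +61,8 @@`) carries no `owner` qualifier, whereas the ksmserver hunk in this same commit replaces exactly this unowned rule with `owner @{run}/user/@{uid}/xauth_* rl,`, and the xprop and xsettingsd changes use `owner` too. If `@{uid}` expands to a pattern rather than the caller's own uid, the unowned form lets kwin_x11 read and link any user's X cookie files reachable under the run directory; `owner @{run}/user/@{uid}/xauth_* rl,` restores the scope the rest of the commit settles on. The rest of the enclosing profile is outside these hunks, so I cannot see whether another rule already narrows this.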
@@ -47,6 +50,7 @@ profile xdm-xsession @{exec_path} {
 @{etc_ro}/X11/xdm/sys.xsession rix,
 @{etc_ro}/X11/xinit/xinitrc.d/50-systemd-user.sh rix,
 @{etc_ro}/X11/xinit/xinitrc.d/xdg-user-dirs.sh rix,
+ @{HOME}/.xinitrc rix,
 @{libexec}/xinit/xinitrc rix,
 /usr/share/glib-2.0/schemas/gschemas.compiled r,
diff --git a/apparmor.d/groups/kde/xsettingsd b/apparmor.d/groups/kde/xsettingsd
new file mode 100644
index 00000000..44c84289
--- /dev/null
+++ b/apparmor.d/groups/kde/xsettingsd
@@ -0,0 +1,20 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}bin/xsettingsd
+profile xsettingsd @{exec_path} {
+ include
+
+ @{exec_path} mr,
+
+ owner @{user_config_dirs}/xsettingsd/{,**} rw,
+
+ owner @{run}/user/@{uid}/xauth_* rl,
+
+ include if exists
+}
\ No newline at end of file
diff --git a/dists/flags/main.flags b/dists/flags/main.flags
index 68b2d449..5ce6e6c1 100644
--- a/dists/flags/main.flags
+++ b/dists/flags/main.flags
@@ -215,6 +215,7 @@ pinentry-gnome3 complain
 pinentry-gtk-2 complain
 pkexec complain
 pkttyagent complain
+plasma-discover complain
 plasmashell complain
 plymouth complain
 plymouth-set-default-theme attach_disconnected,complain
@@ -331,3 +332,4 @@ xdg-permission-store attach_disconnected,complain
 xdg-user-dirs-gtk-update complain
 xdm-xsession complain
 xorg attach_disconnected,complain
+xsettingsd complain
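Review bot: `@{HOME}/.xinitrc rix,` in the xdm-xsession hunk executes a user-writable file under the session profile without an `owner` qualifier, unlike the `owner @{HOME}/.Xauthority` style used for home-directory paths elsewhere in this commit; `owner @{HOME}/.xinitrc rix,` would at least require the script to belong to the session user. Running it `ix` also means everything the script launches inherits xdm-xsession's permissions, which matches how the surrounding xinitrc.d scripts are handled but deserves a comment such as `# user session script, runs confined as xdm-xsession`. The enclosing profile continues outside the hunk.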
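Review bot: The new xsettingsd profile ends with `\ No newline at end of file`, unlike the other profiles in the tree; add the trailing newline after the closing `}`. The profile also grants `owner @{run}/user/@{uid}/xauth_* rl,` although an X client such as xsettingsd presumably only reads the cookie; if the `l` was not driven by an observed denial, `owner @{run}/user/@{uid}/xauth_* r,` is the tighter choice, and the reason for link permission is worth a comment otherwise. The include targets are stripped in this rendering, so I cannot confirm which abstraction the profile pulls in.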