mirror of
https://github.com/roddhjav/apparmor.d.git
synced 2025-01-18 00:48:10 +01:00
Updating sddm, plasmashell, kwin_wayland, startplasma, kscreenlocker-greet and mesa and wayland abstractions (#200)
* Update sddm * Update plasmashell * Update kwin_wayland * Update kscreenlocker-greet * Update startplasma * Update complete Needed by various applications, e.g. kwin_wayland. * Mesa rules for sddm
parent
266db5d030
commit
86b1ee4df2
7 changed files with 56 additions and 14 deletions
|
@ -9,3 +9,11 @@
|
|||
/var/lib/gdm/.cache/mesa_shader_cache/@{h}@{h}/ rw,
|
||||
/var/lib/gdm/.cache/mesa_shader_cache/@{h}@{h}/@{hex} rw,
|
||||
/var/lib/gdm/.cache/mesa_shader_cache/@{h}@{h}/@{hex}.tmp rwk,
|
||||
|
||||
# Extra Mesa rules for SDDM
|
||||
/var/lib/sddm/.cache/ w,
|
||||
/var/lib/sddm/.cache/mesa_shader_cache/ rw,
|
||||
/var/lib/sddm/.cache/mesa_shader_cache/index rw,
|
||||
/var/lib/sddm/.cache/mesa_shader_cache/@{h}@{h}/ rw,
|
||||
/var/lib/sddm/.cache/mesa_shader_cache/@{h}@{h}/@{hex} rw,
|
||||
/var/lib/sddm/.cache/mesa_shader_cache/@{h}@{h}/@{hex}.tmp rwk,
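Review bot: The SDDM shader-cache rules added under `# Extra Mesa rules for SDDM` carry no `owner` qualifier. Every profile that includes this abstraction may therefore create and rewrite entries under `/var/lib/sddm/.cache/mesa_shader_cache/` whatever uid it runs as, leaving file permissions as the only barrier. Prefixing the rules, e.g. `owner /var/lib/sddm/.cache/mesa_shader_cache/@{h}@{h}/@{hex} rw,`, would limit the grant to processes that actually run as the sddm user. The gdm lines above follow the same un-owned pattern, so the two blocks could be tightened together. The rest of the abstraction is outside this hunk.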
|
||||
|
|
|
@ -4,3 +4,5 @@
|
|||
|
||||
owner /dev/shm/sway* rw,
|
||||
owner /dev/shm/dunst-@{rand6} rw,
|
||||
|
||||
owner @{run}/user/@{uid}/wayland-@{int}.lock rk,
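Review bot: The rule `owner @{run}/user/@{uid}/wayland-@{int}.lock rk,` sits in what appears to be the shared Wayland abstraction, so every client profile that includes it gains read and lock access to the display lock file. That file is normally taken by the compositor when it creates the socket, and the commit message names kwin_wayland as the consumer. If only compositors need it, the rule is tighter in their own profiles. If it stays here, a comment such as `# Display lock file, taken by the compositor` would record why clients receive it.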
|
||||
|
|
|
@ -27,6 +27,7 @@ profile kscreenlocker-greet @{exec_path} {
|
|||
|
||||
signal (send) peer=kcheckpass,
|
||||
signal (receive) set=(usr1, term) peer=ksmserver,
|
||||
signal (receive) set=(term) peer=kwin_wayland,
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
|
|
|
@ -23,6 +23,7 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) {
|
|||
|
||||
ptrace (read),
|
||||
|
||||
signal (receive) set=term peer=sddm,
|
||||
signal (receive) set=(kill, term) peer=kwin_wayland_wrapper,
|
||||
signal (send) set=(kill, term) peer=xwayland,
|
||||
|
||||
|
@ -38,6 +39,7 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) {
|
|||
/usr/share/kglobalaccel/{,**} r,
|
||||
/usr/share/knotifications5/ksmserver.notifyrc r,
|
||||
/usr/share/kservices5/{,**} r,
|
||||
/usr/share/kservicetypes5/{,*.desktop} r,
|
||||
/usr/share/kwin/{,**} r,
|
||||
/usr/share/libinput/{,**} r,
|
||||
/usr/share/mime/ r,
|
||||
|
@ -46,21 +48,27 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) {
|
|||
/usr/share/X11/xkb/{,**} r,
|
||||
|
||||
/etc/machine-id r,
|
||||
/etc/xdg/menus/ r,
|
||||
/etc/xdg/menus/{,applications.menu} r,
|
||||
/etc/pipewire/client.conf.d/ r,
|
||||
/usr/share/pipewire/client.conf r,
|
||||
|
||||
|
||||
owner /var/lib/sddm/.cache/#@{int} rw,
|
||||
owner /var/lib/sddm/.cache/fontconfig/* r,
|
||||
owner /var/lib/sddm/.cache/mesa_shader_cache/** r,
|
||||
owner /var/lib/sddm/.cache/mesa_shader_cache/index rw,
|
||||
owner /var/lib/sddm/.cache/ksycoca5_* r,
|
||||
owner /var/lib/sddm/.cache/ksycoca5_* rwkl -> /var/lib/sddm/.cache/#@{int},
|
||||
|
||||
owner /var/lib/sddm/.config/#@{int} rw,
|
||||
owner /var/lib/sddm/.config/kdeglobals r,
|
||||
owner /var/lib/sddm/.config/kglobalshortcutsrc r,
|
||||
owner /var/lib/sddm/.config/kglobalshortcutsrc.lock rw,
|
||||
owner /var/lib/sddm/.config/kwinrc r,
|
||||
owner /var/lib/sddm/.config/kwinrc.lock rw,
|
||||
owner /var/lib/sddm/.config/kglobalshortcutsrc rw,
|
||||
owner /var/lib/sddm/.config/kglobalshortcutsrc.lock rwk,
|
||||
owner /var/lib/sddm/.config/kglobalshortcutsrc.@{rand6} rwl -> /var/lib/sddm/.config/#@{int},
|
||||
owner /var/lib/sddm/.config/kwinrc rw,
|
||||
owner /var/lib/sddm/.config/kwinrc.lock rwk,
|
||||
owner /var/lib/sddm/.config/kwinrc.@{rand6} rwl -> /var/lib/sddm/.config/#@{int},
|
||||
|
||||
owner @{user_cache_dirs}/{,plasma-svgelements} r,
|
||||
owner @{user_cache_dirs}/icon-cache.kcache rw,
|
||||
owner @{user_share_dirs}/kscreen/* r,
|
||||
owner @{user_cache_dirs}/ksycoca5_* r,
|
||||
|
@ -96,6 +104,7 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) {
|
|||
@{run}/udev/data/c13:@{int} r, # for /dev/input/*
|
||||
@{run}/udev/data/c226:@{int} r, # for /dev/dri/card*
|
||||
|
||||
@{run}/udev/data/+hid:* r, # for HID subsystem
|
||||
@{run}/udev/data/+pci:* r,
|
||||
@{run}/udev/data/+sound:card@{int} r,
|
||||
@{run}/udev/data/+usb:* r,
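Review bot: In the `-46,21 +48,27` hunk, any `owner /var/lib/sddm/.cache/mesa_shader_cache/...` rule that survives this change overlaps the SDDM rules this commit adds to the Mesa abstraction. The two sets also disagree: here the cache entries are `** r` with only `index rw`, while the abstraction grants `rw` and `rwk` on the entries. If this profile includes that abstraction (the include list is outside the hunk), the local lines are subsumed and can be dropped. If it does not, a short comment saying the cache is deliberately read-only for the greeter compositor would stop the two from drifting apart.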
|
||||
|
|
|
@ -56,13 +56,16 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
|
|||
@{lib}/kf5/kioslave5 rPx,
|
||||
@{lib}/kf5/kdesu{,d} rix,
|
||||
@{bin}/dolphin rPUx, # TODO: rPx,
|
||||
@{bin}/ksysguardd rix,
|
||||
@{bin}/plasma-discover rPUx,
|
||||
@{bin}/xrdb rPx,
|
||||
|
||||
/usr/share/akonadi/firstrun/{,*} r,
|
||||
/usr/share/akonadi/plugins/serializer/{,*.desktop} r,
|
||||
/usr/share/desktop-directories/kf5-*.directory r,
|
||||
/usr/share/hwdata/*.ids r,
|
||||
/usr/share/icu/@{int}.@{int}/*.dat r,
|
||||
/usr/share/kio/servicemenus/{,*.desktop} r,
|
||||
/usr/share/knotifications5/*.notifyrc r,
|
||||
/usr/share/konsole/ r,
|
||||
/usr/share/krunner/{,**} r,
|
||||
|
@ -72,15 +75,19 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
|
|||
/usr/share/mime/{,**} r,
|
||||
/usr/share/plasma/{,**} r,
|
||||
/usr/share/solid/actions/{,**} r,
|
||||
/usr/share/templates/{,*.desktop} r,
|
||||
/usr/share/wallpapers/{,**} r,
|
||||
|
||||
/etc/appstream.conf r,
|
||||
/etc/cups/client.conf r,
|
||||
/etc/fstab r,
|
||||
/etc/ksysguarddrc r,
|
||||
/etc/machine-id r,
|
||||
/etc/pipewire/client.conf.d/ r,
|
||||
/etc/pulse/client.conf r,
|
||||
/etc/pulse/client.conf.d/ r,
|
||||
/etc/sensors3.conf r,
|
||||
/etc/sensors.d/ r,
|
||||
/etc/xdg/** r,
|
||||
|
||||
owner @{HOME}/@{XDG_DESKTOP_DIR}/*.desktop r,
|
||||
|
@ -107,14 +114,20 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
|
|||
owner @{user_config_dirs}/akonadi* r,
|
||||
owner @{user_config_dirs}/akonadi/akonadi*rc r,
|
||||
owner @{user_config_dirs}/baloofilerc r,
|
||||
owner @{user_config_dirs}/baloofileinformationrc r,
|
||||
owner @{user_config_dirs}/dolphinrc r,
|
||||
owner @{user_config_dirs}/eventviewsrc r,
|
||||
owner @{user_config_dirs}/kactivitymanagerd-statsrc r,
|
||||
owner @{user_config_dirs}/kactivitymanagerd-switcher rw,
|
||||
owner @{user_config_dirs}/kactivitymanagerd-switcher.lock rwk,
|
||||
owner @{user_config_dirs}/kactivitymanagerd-switcher.* rwl,
|
||||
owner @{user_config_dirs}/kdedefaults/* r,
|
||||
owner @{user_config_dirs}/kdeglobals r,
|
||||
owner @{user_config_dirs}/kdiff3fileitemactionrc r,
|
||||
owner @{user_config_dirs}/kioslaverc r,
|
||||
owner @{user_config_dirs}/klipperrc r,
|
||||
owner @{user_config_dirs}/kmail2.notifyrc r,
|
||||
owner @{user_config_dirs}/kcookiejarrc r,
|
||||
owner @{user_config_dirs}/korganizerrc r,
|
||||
owner @{user_config_dirs}/krunnerrc r,
|
||||
owner @{user_config_dirs}/ksmserverrc r,
|
||||
|
@ -148,19 +161,27 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
|
|||
@{run}/mount/utab r,
|
||||
@{run}/user/@{uid}/gvfs/ r,
|
||||
owner @{run}/user/@{uid}/#@{int} rw,
|
||||
owner @{run}/user/@{uid}/kdesud_:1 w,
|
||||
owner @{run}/user/@{uid}/plasmashell@{rand6}.[0-9].kioworker.socket rwl,
|
||||
owner @{run}/user/@{uid}/kdesud_:@{int} w,
|
||||
owner @{run}/user/@{uid}/plasmashell@{rand6}.@{int}.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int},
|
||||
owner @{run}/user/@{uid}/pulse/ rw,
|
||||
|
||||
@{sys}/bus/ r,
|
||||
@{sys}/bus/usb/devices/ r,
|
||||
@{sys}/class/ r,
|
||||
@{sys}/class/{,*} r,
|
||||
|
||||
@{sys}/devices/pci[0-9]*/**/name r,
|
||||
@{sys}/devices/virtual/thermal/thermal_zone@{int}/hwmon@{int}/ r,
|
||||
@{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_cur_freq r,
|
||||
@{sys}/devices/system/node/ r,
|
||||
@{sys}/devices/system/node/node@{int}/meminfo r,
|
||||
@{sys}/devices/virtual/thermal/**/{name,type} r,
|
||||
|
||||
@{PROC}/ r,
|
||||
@{PROC}/cmdline r,
|
||||
@{PROC}/diskstats r,
|
||||
@{PROC}/loadavg r,
|
||||
@{PROC}/uptime r,
|
||||
@{PROC}/vmstat r,
|
||||
@{PROC}/sys/kernel/core_pattern r,
|
||||
@{PROC}/sys/kernel/random/boot_id r,
|
||||
owner @{PROC}/@{pid}/{cgroup,cmdline,stat,statm} r,
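Review bot: In the `-107,14 +114,20` hunk, `owner @{user_config_dirs}/kactivitymanagerd-switcher.* rwl,` grants link permission with no target. The other link rules in this commit pin it, for example the kioworker socket rule ending in `-> @{run}/user/@{uid}/#@{int},`. Writing it as `owner @{user_config_dirs}/kactivitymanagerd-switcher.@{rand6} rwl -> @{user_config_dirs}/#@{int},` would match that pattern, assuming the temporary file is created the same way. It would also stop the glob from overlapping the `.lock` rule on the line before it. Separately, `@{bin}/plasma-discover rPUx,` in the first hunk falls back to unconfined execution when no profile exists, and unlike the dolphin line it carries no `# TODO: rPx,` marker.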
|
||||
|
|
|
@ -38,8 +38,8 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) {
|
|||
|
||||
ptrace (trace) peer=@{profile_name},
|
||||
ptrace (read) peer=unconfined,
|
||||
ptrace (read) peer=kwalletd5,
|
||||
|
||||
signal (send) set=term peer=kwin_wayland,
|
||||
signal (send) set=(kill, term) peer=startplasma,
|
||||
signal (send) set=term peer=startplasma-wayland,
|
||||
signal (send) set=term peer=sddm-greeter,
|
||||
|
@ -151,6 +151,7 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) {
|
|||
@{run}/systemd/sessions/*.ref rw,
|
||||
@{run}/user/@{uid}/xauth_@{rand6} rwl,
|
||||
owner @{run}/sddm/ rw,
|
||||
owner @{run}/user/@{uid}/ r,
|
||||
owner @{run}/user/@{uid}/#@{int} rw,
|
||||
owner @{run}/user/@{uid}/kwallet5.socket rw,
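Review bot: In the `-151,6 +151,7` hunk, `@{run}/user/@{uid}/xauth_@{rand6} rwl,` has neither an `owner` qualifier nor a link target, so the profile may hard-link any file it can otherwise reach to that name. With `owner @{run}/user/@{uid}/#@{int} rw,` present in the same hunk, the link can probably be pinned as `@{run}/user/@{uid}/xauth_@{rand6} rwl -> @{run}/user/@{uid}/#@{int},`, provided the xauth file is created from that anonymous temporary file. This page does not show which of these lines the commit adds, so the xauth rule may predate it. The surrounding profile body is outside the hunk.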
|
||||
|
||||
|
|
|
@ -53,8 +53,7 @@ profile startplasma @{exec_path} {
|
|||
owner @{user_config_dirs}/kdeglobals* rwl,
|
||||
owner @{user_config_dirs}/ksplashrc r,
|
||||
owner @{user_config_dirs}/kwinkdeglobalsrc.lock rwk,
|
||||
owner @{user_config_dirs}/menus/ r,
|
||||
owner @{user_config_dirs}/menus/applications-merged/{,*.menu} r,
|
||||
owner @{user_config_dirs}/menus/{,**.menu} r,
|
||||
owner @{user_config_dirs}/plasma-localerc rwl,
|
||||
owner @{user_config_dirs}/plasma-localerc.lock rwk,
|
||||
owner @{user_config_dirs}/plasma-workspace/env/ r,
|
||||
|
@ -69,6 +68,7 @@ profile startplasma @{exec_path} {
|
|||
owner /tmp/#@{int} rw,
|
||||
owner /tmp/startplasma-x11.@{rand6} rwl,
|
||||
|
||||
owner @{run}/user/@{uid}/ r,
|
||||
@{run}/user/@{uid}/xauth_@{rand6} rl,
|
||||
|
||||
@{PROC}/sys/kernel/core_pattern r,
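Review bot: In the `-53,8 +53,7` hunk, `owner @{user_config_dirs}/menus/{,**.menu} r,` appears to replace the separate `menus/` and `menus/applications-merged/{,*.menu}` rules, but it does not match subdirectories themselves. A directory path ends in `/`, so listing `menus/applications-merged/` is no longer covered even though the `.menu` files inside it are. If startplasma or a helper it runs under this profile enumerates that directory, the change would produce new denials. Something like `owner @{user_config_dirs}/menus/{,**/,**.menu} r,` would keep the directory reads while still limiting file reads to `.menu`.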
|
||||
|
|