parent
14fae89fdd
commit
93313422bd
34 changed files with 93 additions and 43 deletions
|
@ -104,6 +104,7 @@
|
||||||
owner /dev/shm/org.mozilla.ipc.@{pid}.@{int} rw,
|
owner /dev/shm/org.mozilla.ipc.@{pid}.@{int} rw,
|
||||||
owner /dev/shm/wayland.mozilla.ipc.@{int} rw,
|
owner /dev/shm/wayland.mozilla.ipc.@{int} rw,
|
||||||
|
|
||||||
|
owner @{run}/user/@{uid}/iceauth_@{rand6} r,
|
||||||
owner @{run}/user/@{uid}/org.keepassxc.KeePassXC.BrowserServer w,
|
owner @{run}/user/@{uid}/org.keepassxc.KeePassXC.BrowserServer w,
|
||||||
|
|
||||||
@{run}/mount/utab r,
|
@{run}/mount/utab r,
|
||||||
|
|
|
@ -31,6 +31,8 @@ profile akonadi_control @{exec_path} {
|
||||||
|
|
||||||
owner @{user_share_dirs}/akonadi/{,**} rwl,
|
owner @{user_share_dirs}/akonadi/{,**} rwl,
|
||||||
|
|
||||||
|
owner @{run}/user/@{uid}/iceauth_@{rand6} r,
|
||||||
|
|
||||||
/dev/tty r,
|
/dev/tty r,
|
||||||
|
|
||||||
include if exists <local/akonadi_control>
|
include if exists <local/akonadi_control>
|
||||||
|
|
|
@ -57,14 +57,14 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
|
||||||
owner @{tmp}/@{rand6}.tmp r,
|
owner @{tmp}/@{rand6}.tmp r,
|
||||||
owner @{tmp}/@{rand8}.txt w,
|
owner @{tmp}/@{rand8}.txt w,
|
||||||
owner @{tmp}/* w, # file downloads (to anywhere)
|
owner @{tmp}/* w, # file downloads (to anywhere)
|
||||||
owner @{tmp}/Mozilla@{uuid}-cachePurge-??????????????? rwk,
|
owner @{tmp}/Mozilla@{uuid}-cachePurge-{@{hex15},@{hex16}} rwk,
|
||||||
owner @{tmp}/mozilla* rw,
|
owner @{tmp}/mozilla* rw,
|
||||||
owner @{tmp}/mozilla*/ rw,
|
owner @{tmp}/mozilla*/ rw,
|
||||||
owner @{tmp}/mozilla*/* rwk,
|
owner @{tmp}/mozilla*/* rwk,
|
||||||
owner @{tmp}/Mozilla\{@{uuid}\}-cachePurge-??????????????? rwk,
|
owner @{tmp}/Mozilla\{@{uuid}\}-cachePurge-{@{hex15},@{hex16}} rwk,
|
||||||
owner @{tmp}/MozillaBackgroundTask-???????????????-removeDirectory/.parentlock k,
|
owner @{tmp}/MozillaBackgroundTask-{@{hex15},@{hex16}}-removeDirectory/.parentlock k,
|
||||||
owner @{tmp}/MozillaBackgroundTask-???????????????-removeDirectory/{**,} rw,
|
owner @{tmp}/MozillaBackgroundTask-{@{hex15},@{hex16}}-removeDirectory/{**,} rw,
|
||||||
owner @{tmp}/Mozillato-be-removed-cachePurge-??????????????? rwk,
|
owner @{tmp}/Mozillato-be-removed-cachePurge-{@{hex15},@{hex16}} rwk,
|
||||||
|
|
||||||
# Silencer
|
# Silencer
|
||||||
deny @{lib_dirs}/** w,
|
deny @{lib_dirs}/** w,
|
||||||
|
|
|
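Review bot: The patterns rewritten in this hunk (`{@{hex15},@{hex16}}` on the cachePurge, MozillaBackgroundTask and to-be-removed rules) rely on `@{hex15}`, which exists only because the tunables hunk at the end of this commit defines it, so this section cannot be applied or backported on its own. Since the rewrite tightens fifteen arbitrary characters to fifteen or sixteen hex digits, a short comment on the first rewritten rule, `# Mozilla temp names are 15 or 16 hex digits`, would record the expected name format for whoever next hits a denial here. The firefox profile body continues outside the hunk.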
@ -10,8 +10,8 @@ include <tunables/global>
|
||||||
profile firefox-kmozillahelper @{exec_path} {
|
profile firefox-kmozillahelper @{exec_path} {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
include <abstractions/audio-client>
|
include <abstractions/audio-client>
|
||||||
include <abstractions/desktop>
|
|
||||||
include <abstractions/graphics>
|
include <abstractions/graphics>
|
||||||
|
include <abstractions/kde-strict>
|
||||||
include <abstractions/nameservice-strict>
|
include <abstractions/nameservice-strict>
|
||||||
include <abstractions/qt5-settings-write>
|
include <abstractions/qt5-settings-write>
|
||||||
include <abstractions/recent-documents-write>
|
include <abstractions/recent-documents-write>
|
||||||
|
|
|
@ -16,6 +16,12 @@ profile dbus-accessibility @{exec_path} flags=(attach_disconnected) {
|
||||||
include <abstractions/dconf-write>
|
include <abstractions/dconf-write>
|
||||||
include <abstractions/nameservice-strict>
|
include <abstractions/nameservice-strict>
|
||||||
|
|
||||||
|
network inet dgram,
|
||||||
|
network inet stream,
|
||||||
|
network inet6 dgram,
|
||||||
|
network inet6 stream,
|
||||||
|
network netlink raw,
|
||||||
|
|
||||||
signal (receive) set=(term hup kill) peer=dbus-session,
|
signal (receive) set=(term hup kill) peer=dbus-session,
|
||||||
signal (receive) set=(term hup kill) peer=gdm{,-session-worker},
|
signal (receive) set=(term hup kill) peer=gdm{,-session-worker},
|
||||||
|
|
||||||
|
@ -50,6 +56,8 @@ profile dbus-accessibility @{exec_path} flags=(attach_disconnected) {
|
||||||
|
|
||||||
owner @{HOME}/.Xauthority r,
|
owner @{HOME}/.Xauthority r,
|
||||||
|
|
||||||
|
owner @{tmp}/xauth_@{rand6} r,
|
||||||
|
|
||||||
@{run}/systemd/users/@{uid} r,
|
@{run}/systemd/users/@{uid} r,
|
||||||
owner @{run}/user/@{uid}/gdm/Xauthority r,
|
owner @{run}/user/@{uid}/gdm/Xauthority r,
|
||||||
|
|
||||||
|
|
|
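Review bot: The first hunk gives dbus-accessibility five unqualified socket rules, `network inet dgram,` through `network netlink raw,`, and nothing in the hunk records why a session accessibility bus needs inet and inet6 sockets. The profile is otherwise built from strict abstractions, so an unconditional network grant is now the broadest rule it carries; a one-line comment above the block naming the operation that produced the denial, `# Needed for <operation seen in the audit log> — confirm`, would let a later reviewer judge whether the inet/inet6 rules can be dropped or narrowed. If they were added only for name resolution, confirm whether the already-included nameservice-strict abstraction, rather than this profile, is the place for them.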
@ -66,6 +66,7 @@ profile dbus-system flags=(attach_disconnected) {
|
||||||
@{PROC}/@{pid}/cmdline r,
|
@{PROC}/@{pid}/cmdline r,
|
||||||
@{PROC}/@{pid}/environ r,
|
@{PROC}/@{pid}/environ r,
|
||||||
@{PROC}/@{pid}/mounts r,
|
@{PROC}/@{pid}/mounts r,
|
||||||
|
@{PROC}/@{pid}/oom_score_adj r,
|
||||||
@{PROC}/cmdline r,
|
@{PROC}/cmdline r,
|
||||||
@{PROC}/sys/kernel/osrelease r,
|
@{PROC}/sys/kernel/osrelease r,
|
||||||
owner @{PROC}/@{pid}/fd/ r,
|
owner @{PROC}/@{pid}/fd/ r,
|
||||||
|
|
|
@ -57,9 +57,10 @@ profile cron @{exec_path} flags=(attach_disconnected) {
|
||||||
|
|
||||||
owner @{tmp}/#@{int} rw,
|
owner @{tmp}/#@{int} rw,
|
||||||
|
|
||||||
owner @{PROC}/@{pid}/uid_map r,
|
@{PROC}/@{pid}/fd/ r,
|
||||||
owner @{PROC}/@{pid}/loginuid rw,
|
|
||||||
@{PROC}/1/limits r,
|
@{PROC}/1/limits r,
|
||||||
|
owner @{PROC}/@{pid}/loginuid rw,
|
||||||
|
owner @{PROC}/@{pid}/uid_map r,
|
||||||
|
|
||||||
/dev/tty rw,
|
/dev/tty rw,
|
||||||
|
|
||||||
|
|
|
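Review bot: The new `@{PROC}/@{pid}/fd/ r,` in this hunk is not owner-qualified, while the two rules the same hunk moves next to it (`owner @{PROC}/@{pid}/loginuid rw,` and `owner @{PROC}/@{pid}/uid_map r,`) are, so as written cron may enumerate the open-descriptor table of any process rather than only its own. Unless listing other processes' descriptors is a known requirement, `owner @{PROC}/@{pid}/fd/ r,` keeps the rule consistent with its neighbours; if the wider form is intentional, a short comment saying so would stop the next reviewer tightening it.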
@ -18,9 +18,9 @@ profile xdm-xsession @{exec_path} {
|
||||||
|
|
||||||
@{shells_path} rix,
|
@{shells_path} rix,
|
||||||
|
|
||||||
@{bin}/checkproc rix,
|
|
||||||
@{bin}/basename rix,
|
@{bin}/basename rix,
|
||||||
@{bin}/cat rix,
|
@{bin}/cat rix,
|
||||||
|
@{bin}/checkproc rix,
|
||||||
@{bin}/dirname rix,
|
@{bin}/dirname rix,
|
||||||
@{bin}/gpg-agent rPx,
|
@{bin}/gpg-agent rPx,
|
||||||
@{bin}/gpg-connect-agent rPx,
|
@{bin}/gpg-connect-agent rPx,
|
||||||
|
@ -28,8 +28,10 @@ profile xdm-xsession @{exec_path} {
|
||||||
@{bin}/locale rix,
|
@{bin}/locale rix,
|
||||||
@{bin}/manpath rix,
|
@{bin}/manpath rix,
|
||||||
@{bin}/readlink rix,
|
@{bin}/readlink rix,
|
||||||
|
@{bin}/realpath rix
|
||||||
@{bin}/sed rix,
|
@{bin}/sed rix,
|
||||||
@{bin}/ssh-agent rix,
|
@{bin}/ssh-agent rix,
|
||||||
|
@{bin}/tput rix
|
||||||
@{bin}/tr rix,
|
@{bin}/tr rix,
|
||||||
@{bin}/tty rix,
|
@{bin}/tty rix,
|
||||||
@{bin}/uname rix,
|
@{bin}/uname rix,
|
||||||
|
@ -56,6 +58,7 @@ profile xdm-xsession @{exec_path} {
|
||||||
|
|
||||||
/usr/share/glib-2.0/schemas/gschemas.compiled r,
|
/usr/share/glib-2.0/schemas/gschemas.compiled r,
|
||||||
/usr/share/mc/mc.sh r,
|
/usr/share/mc/mc.sh r,
|
||||||
|
/usr/share/terminfo/{,**} r,
|
||||||
|
|
||||||
@{etc_ro}/X11/xdm/scripts/{,*} r,
|
@{etc_ro}/X11/xdm/scripts/{,*} r,
|
||||||
@{etc_ro}/X11/xim r,
|
@{etc_ro}/X11/xim r,
|
||||||
|
|
|
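Review bot: The two exec rules added in the second hunk are missing their terminating comma — `@{bin}/realpath rix` and `@{bin}/tput rix` — whereas every neighbouring rule in the hunk (`@{bin}/sed rix,`, `@{bin}/ssh-agent rix,`) ends with one, so the parser will reject the file and the xdm-xsession profile will not load at all. They should read `@{bin}/realpath rix,` and `@{bin}/tput rix,`. The terminfo rule in the third hunk is fine.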
@ -46,6 +46,8 @@ profile polkit-kde-authentication-agent @{exec_path} flags=(attach_disconnected,
|
||||||
owner @{tmp}/polkit-kde-authentication-agent-[0-9].* rwl -> /tmp/#@{int},
|
owner @{tmp}/polkit-kde-authentication-agent-[0-9].* rwl -> /tmp/#@{int},
|
||||||
# owner /tmp/xauth_@{rand6} r,
|
# owner /tmp/xauth_@{rand6} r,
|
||||||
|
|
||||||
|
owner @{run}/user/@{uid}/iceauth_@{rand6} r,
|
||||||
|
|
||||||
/dev/shm/#@{int} rw,
|
/dev/shm/#@{int} rw,
|
||||||
|
|
||||||
@{run}/systemd/users/@{uid} r,
|
@{run}/systemd/users/@{uid} r,
|
||||||
|
|
|
@ -84,12 +84,14 @@ profile pulseaudio @{exec_path} {
|
||||||
owner @{desktop_config_dirs}/pulse/{,**} rw,
|
owner @{desktop_config_dirs}/pulse/{,**} rw,
|
||||||
owner @{desktop_config_dirs}/pulse/cookie k,
|
owner @{desktop_config_dirs}/pulse/cookie k,
|
||||||
|
|
||||||
|
owner @{HOME}/.pulse/{,**} rw,
|
||||||
owner @{user_config_dirs}/ w,
|
owner @{user_config_dirs}/ w,
|
||||||
owner @{user_config_dirs}/pulse/{,**} rw,
|
owner @{user_config_dirs}/pulse/{,**} rw,
|
||||||
|
|
||||||
owner @{user_cache_dirs}/gstreamer-1.0/registry.*.bin r,
|
owner @{user_cache_dirs}/gstreamer-1.0/registry.*.bin r,
|
||||||
|
|
||||||
owner @{run}/user/@{uid}/ rw,
|
owner @{run}/user/@{uid}/ rw,
|
||||||
|
owner @{run}/user/@{uid}/iceauth_@{rand6} r,
|
||||||
owner @{run}/user/@{uid}/pulse/ rw,
|
owner @{run}/user/@{uid}/pulse/ rw,
|
||||||
owner @{run}/user/@{uid}/pulse/** rwk,
|
owner @{run}/user/@{uid}/pulse/** rwk,
|
||||||
owner @{run}/user/@{uid}/systemd/notify rw,
|
owner @{run}/user/@{uid}/systemd/notify rw,
|
||||||
|
|
|
@ -20,6 +20,7 @@ profile gpg-connect-agent @{exec_path} {
|
||||||
|
|
||||||
owner @{PROC}/@{pid}/fd/ r,
|
owner @{PROC}/@{pid}/fd/ r,
|
||||||
|
|
||||||
|
owner @{run}/user/@{uid}/gnupg/ w,
|
||||||
owner @{run}/user/@{uid}/gnupg/d.*/ rw,
|
owner @{run}/user/@{uid}/gnupg/d.*/ rw,
|
||||||
|
|
||||||
owner @{tmp}/tmp.*/.#lk0x@{hex}.*.@{pid} rw,
|
owner @{tmp}/tmp.*/.#lk0x@{hex}.*.@{pid} rw,
|
||||||
|
|
|
@ -40,6 +40,7 @@ profile DiscoverNotifier @{exec_path} {
|
||||||
/var/lib/flatpak/{,**} r,
|
/var/lib/flatpak/{,**} r,
|
||||||
|
|
||||||
/var/cache/swcatalog/cache/ w,
|
/var/cache/swcatalog/cache/ w,
|
||||||
|
/var/cache/swcatalog/xml/{,**} r,
|
||||||
|
|
||||||
owner @{user_cache_dirs}/appstream/ r,
|
owner @{user_cache_dirs}/appstream/ r,
|
||||||
owner @{user_cache_dirs}/appstream/** rw,
|
owner @{user_cache_dirs}/appstream/** rw,
|
||||||
|
@ -58,6 +59,8 @@ profile DiscoverNotifier @{exec_path} {
|
||||||
owner @{tmp}/ostree-gpg-@{rand6}/pubring.gpg rw,
|
owner @{tmp}/ostree-gpg-@{rand6}/pubring.gpg rw,
|
||||||
owner @{tmp}/ostree-gpg-@{rand6}/trustdb.gpg rw,
|
owner @{tmp}/ostree-gpg-@{rand6}/trustdb.gpg rw,
|
||||||
|
|
||||||
|
owner @{run}/user/@{uid}/iceauth_@{rand6} r,
|
||||||
|
|
||||||
/dev/tty r,
|
/dev/tty r,
|
||||||
|
|
||||||
profile gpg {
|
profile gpg {
|
||||||
|
|
|
@ -25,6 +25,8 @@ profile gmenudbusmenuproxy @{exec_path} {
|
||||||
owner @{user_config_dirs}/gtk-{2,3}.0/settings.ini{,.@{rand6}} rwl,
|
owner @{user_config_dirs}/gtk-{2,3}.0/settings.ini{,.@{rand6}} rwl,
|
||||||
owner @{user_config_dirs}/gtk-{2,3}.0/settings.ini.lock rwk,
|
owner @{user_config_dirs}/gtk-{2,3}.0/settings.ini.lock rwk,
|
||||||
|
|
||||||
|
owner @{run}/user/@{uid}/iceauth_@{rand6} r,
|
||||||
|
|
||||||
include if exists <local/gmenudbusmenuproxy>
|
include if exists <local/gmenudbusmenuproxy>
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -9,7 +9,7 @@ include <tunables/global>
|
||||||
@{exec_path} = @{bin}/kalendarac
|
@{exec_path} = @{bin}/kalendarac
|
||||||
profile kalendarac @{exec_path} {
|
profile kalendarac @{exec_path} {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
include <abstractions/audio-client>
|
include <abstractions/audio-server>
|
||||||
include <abstractions/graphics>
|
include <abstractions/graphics>
|
||||||
include <abstractions/kde-strict>
|
include <abstractions/kde-strict>
|
||||||
include <abstractions/nameservice-strict>
|
include <abstractions/nameservice-strict>
|
||||||
|
@ -36,6 +36,8 @@ profile kalendarac @{exec_path} {
|
||||||
owner @{user_config_dirs}/kalendaracrc.lock rwk,
|
owner @{user_config_dirs}/kalendaracrc.lock rwk,
|
||||||
owner @{user_config_dirs}/kmail2rc r,
|
owner @{user_config_dirs}/kmail2rc r,
|
||||||
|
|
||||||
|
owner @{run}/user/@{uid}/iceauth_@{rand6} r,
|
||||||
|
|
||||||
/dev/tty r,
|
/dev/tty r,
|
||||||
|
|
||||||
include if exists <local/kalendarac>
|
include if exists <local/kalendarac>
|
||||||
|
|
|
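Review bot: The first hunk switches kalendarac from `include <abstractions/audio-client>` to `include <abstractions/audio-server>` without a comment, and nothing in this section says which denial drove it. As far as I can tell from this repository's layout the server abstraction is the wider of the two (direct sound-device access rather than talking to the sound server), which is more than a calendar reminder daemon would be expected to need; please confirm the denial was not satisfiable from the client side, and add a comment such as `# audio-server: <reason> — confirm` above the include. The identical switch for amixer later in this commit is unsurprising for a mixer control tool, so this remark is about kalendarac only.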
@ -36,6 +36,7 @@ profile kde-powerdevil @{exec_path} flags=(attach_disconnected mediate_deleted)
|
||||||
|
|
||||||
owner @{HOME}/ r,
|
owner @{HOME}/ r,
|
||||||
|
|
||||||
|
owner @{user_cache_dirs}/ddcutil/* r,
|
||||||
owner @{user_cache_dirs}/kcrash-metadata/{,*} rw,
|
owner @{user_cache_dirs}/kcrash-metadata/{,*} rw,
|
||||||
|
|
||||||
owner @{user_config_dirs}/#@{int} rw,
|
owner @{user_config_dirs}/#@{int} rw,
|
||||||
|
@ -63,7 +64,7 @@ profile kde-powerdevil @{exec_path} flags=(attach_disconnected mediate_deleted)
|
||||||
@{sys}/devices/@{pci}/drm/card@{int}/*/enabled r,
|
@{sys}/devices/@{pci}/drm/card@{int}/*/enabled r,
|
||||||
@{sys}/devices/@{pci}/drm/card@{int}/*/status r,
|
@{sys}/devices/@{pci}/drm/card@{int}/*/status r,
|
||||||
@{sys}/devices/@{pci}/i2c-@{int}/**/dev r,
|
@{sys}/devices/@{pci}/i2c-@{int}/**/dev r,
|
||||||
@{sys}/devices/@{pci}/i2c-@{int}/name r,
|
@{sys}/devices/@{pci}/i2c-@{int}/{,**/}name r,
|
||||||
@{sys}/devices/**/ r,
|
@{sys}/devices/**/ r,
|
||||||
@{sys}/devices/i2c-@{int}/name r,
|
@{sys}/devices/i2c-@{int}/name r,
|
||||||
@{sys}/devices/platform/**/i2c-@{int}/**/name r,
|
@{sys}/devices/platform/**/i2c-@{int}/**/name r,
|
||||||
|
|
|
@ -59,7 +59,7 @@ profile kded @{exec_path} {
|
||||||
@{bin}/xsettingsd rPx,
|
@{bin}/xsettingsd rPx,
|
||||||
@{lib}/drkonqi rPx,
|
@{lib}/drkonqi rPx,
|
||||||
|
|
||||||
#aa:exec utempter
|
@{lib}/{,@{multiarch}/}utempter/utempter rPx,
|
||||||
#aa:exec kconf_update
|
#aa:exec kconf_update
|
||||||
|
|
||||||
/usr/share/color-schemes/{,**} r,
|
/usr/share/color-schemes/{,**} r,
|
||||||
|
@ -123,8 +123,7 @@ profile kded @{exec_path} {
|
||||||
owner @{user_config_dirs}/libaccounts-glib/accounts.db{,-shm,-wal,-journal} rwk,
|
owner @{user_config_dirs}/libaccounts-glib/accounts.db{,-shm,-wal,-journal} rwk,
|
||||||
owner @{user_config_dirs}/menus/{,**} r,
|
owner @{user_config_dirs}/menus/{,**} r,
|
||||||
owner @{user_config_dirs}/networkmanagement.notifyrc r,
|
owner @{user_config_dirs}/networkmanagement.notifyrc r,
|
||||||
owner @{user_config_dirs}/plasma-nm r,
|
owner @{user_config_dirs}/plasma* r,
|
||||||
owner @{user_config_dirs}/plasma-welcomerc r,
|
|
||||||
owner @{user_config_dirs}/touchpadrc r,
|
owner @{user_config_dirs}/touchpadrc r,
|
||||||
owner @{user_config_dirs}/Trolltech.conf.lock rwk,
|
owner @{user_config_dirs}/Trolltech.conf.lock rwk,
|
||||||
owner @{user_config_dirs}/Trolltech.conf{,.@{rand6}} rwl,
|
owner @{user_config_dirs}/Trolltech.conf{,.@{rand6}} rwl,
|
||||||
|
@ -151,6 +150,8 @@ profile kded @{exec_path} {
|
||||||
owner @{tmp}/kded6.@{rand6} rwl -> /tmp/#@{int},
|
owner @{tmp}/kded6.@{rand6} rwl -> /tmp/#@{int},
|
||||||
owner @{tmp}/plasma-csd-generator.@{rand6}/{,**} rw,
|
owner @{tmp}/plasma-csd-generator.@{rand6}/{,**} rw,
|
||||||
|
|
||||||
|
@{sys}/class/leds/ r,
|
||||||
|
|
||||||
@{PROC}/ r,
|
@{PROC}/ r,
|
||||||
@{PROC}/@{pids}/cmdline/ r,
|
@{PROC}/@{pids}/cmdline/ r,
|
||||||
@{PROC}/@{pids}/fd/ r,
|
@{PROC}/@{pids}/fd/ r,
|
||||||
|
|
|
@ -19,6 +19,7 @@ profile kglobalacceld @{exec_path} {
|
||||||
|
|
||||||
/etc/machine-id r,
|
/etc/machine-id r,
|
||||||
/etc/xdg/menus/ r,
|
/etc/xdg/menus/ r,
|
||||||
|
/etc/xdg/menus/applications-merged/ r,
|
||||||
|
|
||||||
owner @{user_cache_dirs}/ksycoca{5,6}_* rw,
|
owner @{user_cache_dirs}/ksycoca{5,6}_* rw,
|
||||||
|
|
||||||
|
@ -29,6 +30,8 @@ profile kglobalacceld @{exec_path} {
|
||||||
owner @{user_config_dirs}/menus/ r,
|
owner @{user_config_dirs}/menus/ r,
|
||||||
owner @{user_config_dirs}/menus/applications-merged/ r,
|
owner @{user_config_dirs}/menus/applications-merged/ r,
|
||||||
|
|
||||||
|
@{PROC}/sys/kernel/random/boot_id r,
|
||||||
|
|
||||||
/dev/tty r,
|
/dev/tty r,
|
||||||
|
|
||||||
include if exists <local/kglobalacceld>
|
include if exists <local/kglobalacceld>
|
||||||
|
|
|
@ -13,6 +13,7 @@ profile kiod @{exec_path} {
|
||||||
include <abstractions/graphics>
|
include <abstractions/graphics>
|
||||||
include <abstractions/kde-strict>
|
include <abstractions/kde-strict>
|
||||||
include <abstractions/nameservice-strict>
|
include <abstractions/nameservice-strict>
|
||||||
|
include <abstractions/ssl_certs>
|
||||||
|
|
||||||
network netlink raw,
|
network netlink raw,
|
||||||
|
|
||||||
|
|
|
@ -26,7 +26,9 @@ profile konsole @{exec_path} flags=(attach_disconnected,mediate_deleted) {
|
||||||
@{bin}/@{shells} rUx,
|
@{bin}/@{shells} rUx,
|
||||||
@{browsers_path} rPx,
|
@{browsers_path} rPx,
|
||||||
|
|
||||||
#aa:exec utempter
|
@{lib}/libheif/ r,
|
||||||
|
@{lib}/libheif/** mr,
|
||||||
|
@{lib}/{,@{multiarch}/}utempter/utempter rPx,
|
||||||
|
|
||||||
/usr/share/color-schemes/{,**} r,
|
/usr/share/color-schemes/{,**} r,
|
||||||
/usr/share/kf6/{,**} r,
|
/usr/share/kf6/{,**} r,
|
||||||
|
@ -47,12 +49,15 @@ profile konsole @{exec_path} flags=(attach_disconnected,mediate_deleted) {
|
||||||
|
|
||||||
owner @{user_config_dirs}/#@{int} rwl,
|
owner @{user_config_dirs}/#@{int} rwl,
|
||||||
owner @{user_config_dirs}/breezerc r,
|
owner @{user_config_dirs}/breezerc r,
|
||||||
|
owner @{user_config_dirs}/kbookmarkrc r,
|
||||||
|
owner @{user_config_dirs}/konsole.notifyrc r,
|
||||||
owner @{user_config_dirs}/konsolerc{,*} rwlk,
|
owner @{user_config_dirs}/konsolerc{,*} rwlk,
|
||||||
owner @{user_config_dirs}/konsolesshconfig rwl -> @{user_config_dirs}/#@{int},
|
owner @{user_config_dirs}/konsolesshconfig rwl -> @{user_config_dirs}/#@{int},
|
||||||
owner @{user_config_dirs}/konsolesshconfig.@{rand6} rwl -> @{user_config_dirs}/#@{int},
|
owner @{user_config_dirs}/konsolesshconfig.@{rand6} rwl -> @{user_config_dirs}/#@{int},
|
||||||
owner @{user_config_dirs}/konsolesshconfig.lock rwk,
|
owner @{user_config_dirs}/konsolesshconfig.lock rwk,
|
||||||
owner @{user_config_dirs}/kservicemenurc r,
|
owner @{user_config_dirs}/kservicemenurc r,
|
||||||
owner @{user_config_dirs}/menus/{,**} r,
|
owner @{user_config_dirs}/menus/{,**} r,
|
||||||
|
owner @{user_config_dirs}/session/** rwlk,
|
||||||
|
|
||||||
owner @{user_share_dirs}/color-schemes/{,**} r,
|
owner @{user_share_dirs}/color-schemes/{,**} r,
|
||||||
owner @{user_share_dirs}/konsole/ rw,
|
owner @{user_share_dirs}/konsole/ rw,
|
||||||
|
@ -62,6 +67,8 @@ profile konsole @{exec_path} flags=(attach_disconnected,mediate_deleted) {
|
||||||
owner @{tmp}/#@{int} rw,
|
owner @{tmp}/#@{int} rw,
|
||||||
owner @{tmp}/konsole.@{rand6} rw,
|
owner @{tmp}/konsole.@{rand6} rw,
|
||||||
|
|
||||||
|
owner @{run}/user/@{uid}/iceauth_@{rand6} r,
|
||||||
|
|
||||||
@{PROC}/@{pid}/cmdline r,
|
@{PROC}/@{pid}/cmdline r,
|
||||||
@{PROC}/@{pid}/stat r,
|
@{PROC}/@{pid}/stat r,
|
||||||
|
|
||||||
|
|
|
@ -85,6 +85,7 @@ profile kscreenlocker_greet @{exec_path} {
|
||||||
owner @{user_config_dirs}/kscreenlockerrc r,
|
owner @{user_config_dirs}/kscreenlockerrc r,
|
||||||
owner @{user_config_dirs}/ksmserverrc r,
|
owner @{user_config_dirs}/ksmserverrc r,
|
||||||
owner @{user_config_dirs}/plasmarc r,
|
owner @{user_config_dirs}/plasmarc r,
|
||||||
|
owner @{user_config_dirs}/plasmashellrc r,
|
||||||
|
|
||||||
# If one is blocked, the others are probed.
|
# If one is blocked, the others are probed.
|
||||||
deny owner @{HOME}/#@{int} mrw,
|
deny owner @{HOME}/#@{int} mrw,
|
||||||
|
|
|
@ -52,6 +52,7 @@ profile ksmserver @{exec_path} flags=(attach_disconnected,mediate_deleted) {
|
||||||
owner @{user_cache_dirs}/ksycoca{5,6}_* rwlk,
|
owner @{user_cache_dirs}/ksycoca{5,6}_* rwlk,
|
||||||
|
|
||||||
owner @{user_config_dirs}/#@{int} rw,
|
owner @{user_config_dirs}/#@{int} rw,
|
||||||
|
owner @{user_config_dirs}/kdedefaults/kscreenlockerrc r,
|
||||||
owner @{user_config_dirs}/kscreenlockerrc r,
|
owner @{user_config_dirs}/kscreenlockerrc r,
|
||||||
owner @{user_config_dirs}/ksmserverrc rw,
|
owner @{user_config_dirs}/ksmserverrc rw,
|
||||||
owner @{user_config_dirs}/ksmserverrc.@{rand6} rwl,
|
owner @{user_config_dirs}/ksmserverrc.@{rand6} rwl,
|
||||||
|
@ -62,6 +63,12 @@ profile ksmserver @{exec_path} flags=(attach_disconnected,mediate_deleted) {
|
||||||
owner @{user_share_dirs}/kservices{5,6}/ r,
|
owner @{user_share_dirs}/kservices{5,6}/ r,
|
||||||
owner @{user_share_dirs}/kservices{5,6}/ServiceMenus/ r,
|
owner @{user_share_dirs}/kservices{5,6}/ServiceMenus/ r,
|
||||||
|
|
||||||
|
owner @{run}/user/@{uid}/#@{int} rw,
|
||||||
|
owner @{run}/user/@{uid}/iceauth_@{rand6} wl -> @{run}/user/@{uid}/#@{int},
|
||||||
|
owner @{run}/user/@{uid}/iceauth_@{rand6}-c w,
|
||||||
|
owner @{run}/user/@{uid}/iceauth_@{rand6}-l wl -> @{run}/user/@{uid}/iceauth_@{rand6}-c,
|
||||||
|
owner @{run}/user/@{uid}/iceauth_@{rand6}-n rw,
|
||||||
|
|
||||||
owner @{tmp}/@{rand6} rw,
|
owner @{tmp}/@{rand6} rw,
|
||||||
|
|
||||||
@{run}/systemd/inhibit/[0-9]*.ref rw,
|
@{run}/systemd/inhibit/[0-9]*.ref rw,
|
||||||
|
|
|
@ -43,6 +43,8 @@ profile kwalletd @{exec_path} {
|
||||||
|
|
||||||
owner @{tmp}/kwalletd5.* rw,
|
owner @{tmp}/kwalletd5.* rw,
|
||||||
|
|
||||||
|
owner @{run}/user/@{uid}/iceauth_@{rand6} r,
|
||||||
|
|
||||||
owner @{PROC}/@{pid}/cmdline r,
|
owner @{PROC}/@{pid}/cmdline r,
|
||||||
owner @{PROC}/@{pid}/fd/ r,
|
owner @{PROC}/@{pid}/fd/ r,
|
||||||
|
|
||||||
|
|
|
@ -10,6 +10,7 @@ include <tunables/global>
|
||||||
profile plasma_waitforname @{exec_path} {
|
profile plasma_waitforname @{exec_path} {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
include <abstractions/consoles>
|
include <abstractions/consoles>
|
||||||
|
include <abstractions/qt5>
|
||||||
|
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
|
|
|
@ -178,6 +178,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
|
||||||
@{run}/mount/utab r,
|
@{run}/mount/utab r,
|
||||||
@{run}/user/@{uid}/gvfs/ r,
|
@{run}/user/@{uid}/gvfs/ r,
|
||||||
owner @{run}/user/@{uid}/#@{int} rw,
|
owner @{run}/user/@{uid}/#@{int} rw,
|
||||||
|
owner @{run}/user/@{uid}/iceauth_@{rand6} r,
|
||||||
owner @{run}/user/@{uid}/kdesud_:@{int} w,
|
owner @{run}/user/@{uid}/kdesud_:@{int} w,
|
||||||
owner @{run}/user/@{uid}/plasmashell@{rand6}.@{int}.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int},
|
owner @{run}/user/@{uid}/plasmashell@{rand6}.@{int}.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int},
|
||||||
|
|
||||||
|
@ -187,9 +188,13 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
|
||||||
@{sys}/devices/platform/** r,
|
@{sys}/devices/platform/** r,
|
||||||
|
|
||||||
@{sys}/devices/@{pci}/name r,
|
@{sys}/devices/@{pci}/name r,
|
||||||
@{sys}/devices/virtual/thermal/thermal_zone@{int}/hwmon@{int}/ r,
|
|
||||||
@{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_cur_freq r,
|
@{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_cur_freq r,
|
||||||
|
@{sys}/devices/virtual/dmi/id/bios_vendor r,
|
||||||
|
@{sys}/devices/virtual/dmi/id/board_vendor r,
|
||||||
|
@{sys}/devices/virtual/dmi/id/product_name r,
|
||||||
|
@{sys}/devices/virtual/dmi/id/sys_vendor r,
|
||||||
@{sys}/devices/virtual/thermal/**/{name,type} r,
|
@{sys}/devices/virtual/thermal/**/{name,type} r,
|
||||||
|
@{sys}/devices/virtual/thermal/thermal_zone@{int}/hwmon@{int}/ r,
|
||||||
|
|
||||||
@{PROC}/ r,
|
@{PROC}/ r,
|
||||||
@{PROC}/cmdline r,
|
@{PROC}/cmdline r,
|
||||||
|
|
|
@ -49,6 +49,8 @@ profile sddm-greeter @{exec_path} {
|
||||||
owner @{SDDM_HOME}/#@{int} mrw,
|
owner @{SDDM_HOME}/#@{int} mrw,
|
||||||
owner @{sddm_cache_dirs}/** mrwkl -> @{sddm_cache_dirs}/**,
|
owner @{sddm_cache_dirs}/** mrwkl -> @{sddm_cache_dirs}/**,
|
||||||
|
|
||||||
|
owner @{HOME}/.face.icon r,
|
||||||
|
|
||||||
owner @{user_cache_dirs}/ rw,
|
owner @{user_cache_dirs}/ rw,
|
||||||
owner @{user_cache_dirs}/icon-cache.kcache rw,
|
owner @{user_cache_dirs}/icon-cache.kcache rw,
|
||||||
owner @{user_cache_dirs}/plasma_theme_*.kcache rw,
|
owner @{user_cache_dirs}/plasma_theme_*.kcache rw,
|
||||||
|
|
|
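Review bot: `owner @{HOME}/.face.icon r,` added in this hunk is owner-qualified, yet the surrounding rules keep the greeter's own state under `@{SDDM_HOME}` and `@{sddm_cache_dirs}`, so it is worth confirming whose `.face.icon` this is meant to match. If the intent is to show each account's avatar on the login screen, that file belongs to the account rather than to the user the greeter runs as, and the `owner` qualifier would leave the read denied; if the rule was copied from a log entry, check the uid in that entry before keeping `owner`. A comment stating which case applies would settle it.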
@ -22,6 +22,7 @@ profile startplasma @{exec_path} {
|
||||||
@{bin}/env rix,
|
@{bin}/env rix,
|
||||||
@{bin}/grep rix,
|
@{bin}/grep rix,
|
||||||
@{bin}/kapplymousetheme rPUx,
|
@{bin}/kapplymousetheme rPUx,
|
||||||
|
@{bin}/kdeinit5_shutdown rPUx,
|
||||||
@{bin}/ksplashqml rPUx,
|
@{bin}/ksplashqml rPUx,
|
||||||
@{bin}/plasma_session rPx,
|
@{bin}/plasma_session rPx,
|
||||||
@{bin}/xrdb rPx,
|
@{bin}/xrdb rPx,
|
||||||
|
|
|
@ -20,6 +20,8 @@ profile xembedsniproxy @{exec_path} {
|
||||||
|
|
||||||
owner @{tmp}/xauth_@{rand6} r,
|
owner @{tmp}/xauth_@{rand6} r,
|
||||||
|
|
||||||
|
owner @{run}/user/@{uid}/iceauth_@{rand6} r,
|
||||||
|
|
||||||
@{run}/user/@{uid}/xauth_@{rand6} rl,
|
@{run}/user/@{uid}/xauth_@{rand6} rl,
|
||||||
|
|
||||||
include if exists <local/xembedsniproxy>
|
include if exists <local/xembedsniproxy>
|
||||||
|
|
|
@ -10,7 +10,7 @@ include <tunables/global>
|
||||||
@{exec_path} = @{bin}/amixer
|
@{exec_path} = @{bin}/amixer
|
||||||
profile amixer @{exec_path} {
|
profile amixer @{exec_path} {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
include <abstractions/audio-client>
|
include <abstractions/audio-server>
|
||||||
include <abstractions/nameservice-strict>
|
include <abstractions/nameservice-strict>
|
||||||
|
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
|
|
@ -24,7 +24,7 @@ profile dmesg @{exec_path} {
|
||||||
|
|
||||||
/usr/share/terminfo/** r,
|
/usr/share/terminfo/** r,
|
||||||
|
|
||||||
owner @{PROC}/sys/kernel/pid_max r,
|
@{PROC}/sys/kernel/pid_max r,
|
||||||
|
|
||||||
/dev/kmsg r,
|
/dev/kmsg r,
|
||||||
|
|
||||||
|
|
|
@ -43,6 +43,7 @@ profile git @{exec_path} flags=(attach_disconnected) {
|
||||||
# These are needed for "git submodule update"
|
# These are needed for "git submodule update"
|
||||||
@{sh_path} rix,
|
@{sh_path} rix,
|
||||||
@{bin}/{,e}grep rix,
|
@{bin}/{,e}grep rix,
|
||||||
|
@{bin}/alts rix,
|
||||||
@{bin}/basename rix,
|
@{bin}/basename rix,
|
||||||
@{bin}/cat rix,
|
@{bin}/cat rix,
|
||||||
@{bin}/date rix,
|
@{bin}/date rix,
|
||||||
|
@ -78,6 +79,7 @@ profile git @{exec_path} flags=(attach_disconnected) {
|
||||||
@{bin}/vim.* rCx -> editor,
|
@{bin}/vim.* rCx -> editor,
|
||||||
|
|
||||||
/usr/share/git{,-core}/{,**} r,
|
/usr/share/git{,-core}/{,**} r,
|
||||||
|
/usr/share/libalternatives/{,**} r,
|
||||||
/usr/share/terminfo/** r,
|
/usr/share/terminfo/** r,
|
||||||
|
|
||||||
/etc/gitconfig r,
|
/etc/gitconfig r,
|
||||||
|
@ -139,14 +141,15 @@ profile git @{exec_path} flags=(attach_disconnected) {
|
||||||
|
|
||||||
@{bin}/ssh mr,
|
@{bin}/ssh mr,
|
||||||
|
|
||||||
/etc/ssh/ssh_config.d/{,*} r,
|
@{etc_ro}/ssh/ssh_config.d/{,*} r,
|
||||||
/etc/ssh/ssh_config r,
|
@{etc_ro}/ssh/ssh_config r,
|
||||||
|
|
||||||
owner @{HOME}/@{XDG_SSH_DIR}/* r,
|
owner @{HOME}/@{XDG_SSH_DIR}/* r,
|
||||||
owner @{HOME}/@{XDG_SSH_DIR}/known_hosts{,.*} rw,
|
|
||||||
owner @{HOME}/@{XDG_SSH_DIR}/known_hosts.old rwl,
|
owner @{HOME}/@{XDG_SSH_DIR}/known_hosts.old rwl,
|
||||||
|
owner @{HOME}/@{XDG_SSH_DIR}/known_hosts{,.*} rw,
|
||||||
|
owner @{HOME}/@{XDG_SSH_DIR}/ssh_control_* rwl,
|
||||||
|
|
||||||
owner @{tmp}/git@*:@{int} rwl -> /tmp/git@*:@{int}.*,
|
owner @{tmp}/git@*:@{int} rwl -> @{tmp}/git@*:@{int}.*,
|
||||||
owner @{tmp}/ssh-*/agent.@{int} rw,
|
owner @{tmp}/ssh-*/agent.@{int} rw,
|
||||||
|
|
||||||
owner @{PROC}/@{pid}/fd/ r,
|
owner @{PROC}/@{pid}/fd/ r,
|
||||||
|
|
|
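Review bot: `@{bin}/alts rix,` in the first hunk runs the libalternatives dispatcher inside git's own profile, so whatever binary alts resolves to is then executed under these same rules and must itself have an exec rule here; a missing one will surface as a denial on the resolved program, not on alts. A comment above the line, `# libalternatives dispatcher; the resolved target runs under this profile`, would explain why alts is `ix` rather than `Px` and where to look when a new alternative appears. The second hunk's `/usr/share/libalternatives/{,**} r,` is the matching data rule.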
@ -21,6 +21,7 @@ profile issue-generator @{exec_path} {
|
||||||
@{bin}/sort rix,
|
@{bin}/sort rix,
|
||||||
|
|
||||||
/etc/issue.d/{,**} r,
|
/etc/issue.d/{,**} r,
|
||||||
|
/etc/sysconfig/issue-generator r,
|
||||||
|
|
||||||
@{run}/issue r,
|
@{run}/issue r,
|
||||||
@{run}/issue.@{rand10} rw,
|
@{run}/issue.@{rand10} rw,
|
||||||
|
|
|
@ -10,40 +10,23 @@ include <tunables/global>
|
||||||
@{exec_path} = @{bin}/pinentry-qt
|
@{exec_path} = @{bin}/pinentry-qt
|
||||||
profile pinentry-qt @{exec_path} {
|
profile pinentry-qt @{exec_path} {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
include <abstractions/dri-enumerate>
|
|
||||||
include <abstractions/fontconfig-cache-read>
|
include <abstractions/fontconfig-cache-read>
|
||||||
include <abstractions/fonts>
|
include <abstractions/graphics>
|
||||||
include <abstractions/freedesktop.org>
|
include <abstractions/kde-strict>
|
||||||
include <abstractions/gtk>
|
|
||||||
include <abstractions/mesa>
|
|
||||||
include <abstractions/nameservice-strict>
|
include <abstractions/nameservice-strict>
|
||||||
include <abstractions/qt5-compose-cache-write>
|
include <abstractions/qt5-compose-cache-write>
|
||||||
include <abstractions/qt5>
|
|
||||||
include <abstractions/vulkan>
|
|
||||||
include <abstractions/X>
|
|
||||||
|
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
/usr/share/hwdata/pnp.ids r,
|
|
||||||
/usr/share/icu/@{int}.@{int}/*.dat r,
|
|
||||||
|
|
||||||
/var/lib/dbus/machine-id r,
|
|
||||||
/etc/machine-id r,
|
/etc/machine-id r,
|
||||||
/etc/xdg/kdeglobals r,
|
/var/lib/dbus/machine-id r,
|
||||||
/etc/xdg/kwinrc r,
|
|
||||||
|
|
||||||
owner @{user_cache_dirs}/#@{int} rw,
|
owner @{user_cache_dirs}/#@{int} rw,
|
||||||
owner @{user_cache_dirs}/icon-cache.kcache rw,
|
owner @{user_cache_dirs}/icon-cache.kcache rw,
|
||||||
|
|
||||||
owner @{user_config_dirs}/kdeglobals r,
|
|
||||||
owner @{user_config_dirs}/kwinrc r,
|
|
||||||
|
|
||||||
owner @{tmp}/xauth_@{rand6} r,
|
owner @{tmp}/xauth_@{rand6} r,
|
||||||
owner /dev/shm/#@{int} rw,
|
owner /dev/shm/#@{int} rw,
|
||||||
|
|
||||||
@{sys}/devices/system/node/ r,
|
|
||||||
@{sys}/devices/system/node/node@{int}/meminfo r,
|
|
||||||
|
|
||||||
owner @{PROC}/@{pid}/cmdline r,
|
owner @{PROC}/@{pid}/cmdline r,
|
||||||
|
|
||||||
include if exists <local/pinentry-qt>
|
include if exists <local/pinentry-qt>
|
||||||
|
|
|
@ -39,7 +39,7 @@
|
||||||
@{XDG_CONFIG_DIR}=".config"
|
@{XDG_CONFIG_DIR}=".config"
|
||||||
@{XDG_DATA_DIR}=".local/share"
|
@{XDG_DATA_DIR}=".local/share"
|
||||||
@{XDG_STATE_DIR}=".local/state"
|
@{XDG_STATE_DIR}=".local/state"
|
||||||
@{XDG_BIN_DIR}=".local/bin"
|
@{XDG_BIN_DIR}="bin" ".bin" ".local/bin"
|
||||||
@{XDG_LIB_DIR}=".local/lib"
|
@{XDG_LIB_DIR}=".local/lib"
|
||||||
|
|
||||||
# Full path of the user configuration directories
|
# Full path of the user configuration directories
|
||||||
|
|
|
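Review bot: Widening `@{XDG_BIN_DIR}` from `".local/bin"` to `"bin" ".bin" ".local/bin"` changes every profile that expands this variable, and those uses are not in this diff. Where a profile uses it in an exec rule, the change extends that rule to `~/bin` and `~/.bin`, which are user-writable; where it is only read, the effect is harmless. A comment beside the line recording why the two extra directories are needed, `# "bin" and ".bin": <distribution or tool that uses them> — confirm`, would make the widening reviewable, and the profiles that expand the variable should be checked so none of them silently gains an exec path it did not have before.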
@ -35,6 +35,7 @@
|
||||||
@{hex8}=@{hex4}@{hex4}
|
@{hex8}=@{hex4}@{hex4}
|
||||||
@{hex9}=@{hex8}@{h}
|
@{hex9}=@{hex8}@{h}
|
||||||
@{hex10}=@{hex8}@{hex2}
|
@{hex10}=@{hex8}@{hex2}
|
||||||
|
@{hex15}=@{hex8}@{hex4}@{hex2}@{h}
|
||||||
@{hex16}=@{hex8}@{hex8}
|
@{hex16}=@{hex8}@{hex8}
|
||||||
@{hex32}=@{hex16}@{hex16}
|
@{hex32}=@{hex16}@{hex16}
|
||||||
@{hex38}=@{hex32}@{hex6}
|
@{hex38}=@{hex32}@{hex6}
|
||||||
|
|