diff --git a/apparmor.d/abstractions/qt5-shader-cache b/apparmor.d/abstractions/qt5-shader-cache index 60d18a39..b3641edf 100644 --- a/apparmor.d/abstractions/qt5-shader-cache +++ b/apparmor.d/abstractions/qt5-shader-cache @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2021 Mikhail Morfikov +# Copyright (C) 2021-2023 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -10,3 +11,5 @@ owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/ rw, owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9] rw, owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/@{hex}* rwl -> @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9], + + include if exists diff --git a/apparmor.d/groups/kde/kaccess b/apparmor.d/groups/kde/kaccess index ff564508..62ec459c 100644 --- a/apparmor.d/groups/kde/kaccess +++ b/apparmor.d/groups/kde/kaccess @@ -34,7 +34,10 @@ profile kaccess @{exec_path} { owner @{user_config_dirs}/kdedefaults/* r, owner @{user_config_dirs}/kdeglobals r, owner @{user_config_dirs}/kwinrc r, - + owner @{user_config_dirs}/kaccessrc r, + + owner @{user_share_dirs}/mime/generic-icons r, + owner @{run}/user/@{uid}/xauth_?????? r, @{sys}/devices/pci[0-9]*/**/{device,subsystem_device,subsystem_vendor,uevent,vendor} r, diff --git a/apparmor.d/groups/kde/kalendarac b/apparmor.d/groups/kde/kalendarac index 17978924..10b2e29c 100644 --- a/apparmor.d/groups/kde/kalendarac +++ b/apparmor.d/groups/kde/kalendarac @@ -10,16 +10,19 @@ include profile kalendarac @{exec_path} { include include + include include + include include include - include + include @{exec_path} mr, @{bin}/akonadi_control rPx, /usr/share/akonadi/firstrun/{,*} r, + /usr/share/akonadi/plugins/serializer/{,*.desktop} r, /usr/share/hwdata/*.ids r, /usr/share/icu/[0-9]*.[0-9]*/*.dat r, 
@@ -31,11 +34,14 @@ profile kalendarac @{exec_path} { owner @{user_config_dirs}/#[0-9]* rw, owner @{user_config_dirs}/akonadi-firstrunrc r, owner @{user_config_dirs}/akonadi/akonadiconnectionrc r, + owner @{user_config_dirs}/emaildefaults r, + owner @{user_config_dirs}/emailidentities r, owner @{user_config_dirs}/kalendaracrc rw, owner @{user_config_dirs}/kalendaracrc.?????? rwl, owner @{user_config_dirs}/kalendaracrc.lock rwk, owner @{user_config_dirs}/kdedefaults/kdeglobals r, owner @{user_config_dirs}/kdeglobals r, + owner @{user_config_dirs}/kmail2rc r, @{run}/user/@{uid}/xauth_* rl, diff --git a/apparmor.d/groups/kde/kauth-backlighthelper b/apparmor.d/groups/kde/kauth-backlighthelper index b9149292..1ee4df22 100644 --- a/apparmor.d/groups/kde/kauth-backlighthelper +++ b/apparmor.d/groups/kde/kauth-backlighthelper @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{lib}/kauth/backlighthelper +@{exec_path} = @{lib}/kauth/{,libexec/}backlighthelper profile kauth-backlighthelper @{exec_path} { include include diff --git a/apparmor.d/groups/kde/kauth-chargethresholdhelper b/apparmor.d/groups/kde/kauth-chargethresholdhelper index aff057c7..3f90323b 100644 --- a/apparmor.d/groups/kde/kauth-chargethresholdhelper +++ b/apparmor.d/groups/kde/kauth-chargethresholdhelper @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{lib}/kauth/chargethresholdhelper +@{exec_path} = @{lib}/kauth/{,libexec/}chargethresholdhelper profile kauth-chargethresholdhelper @{exec_path} { include include diff --git a/apparmor.d/groups/kde/kauth-discretegpuhelper b/apparmor.d/groups/kde/kauth-discretegpuhelper index 6db19d0d..5999f995 100644 --- a/apparmor.d/groups/kde/kauth-discretegpuhelper +++ b/apparmor.d/groups/kde/kauth-discretegpuhelper @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{lib}/kauth/discretegpuhelper +@{exec_path} = @{lib}/kauth/{,libexec/}discretegpuhelper profile kauth-discretegpuhelper @{exec_path} { include include 
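Review bot: The new attachment path `@{exec_path} = @{lib}/kauth/{,libexec/}backlighthelper` places the `libexec/` alternative after `kauth/`, so its second expansion is `@{lib}/kauth/libexec/backlighthelper`; if the layout being targeted is `…/libexec/kauth/backlighthelper`, the alternation belongs before `kauth/`, i.e. `@{exec_path} = @{lib}/{,libexec/}kauth/backlighthelper` — confirm against the installed path, because an alternative that never matches is silently ignored and this privileged KAuth helper would then not attach to the profile on that layout. The same pattern is applied in the kauth-chargethresholdhelper and kauth-discretegpuhelper hunks on this line and in the kauth-fontinst, kauth-kded-smart-helper and kauth-kinfocenter-dmidecode-helper hunks that follow. A one-line comment above the assignment naming which distribution layout each alternative serves would make the intent checkable.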
diff --git a/apparmor.d/groups/kde/kauth-fontinst b/apparmor.d/groups/kde/kauth-fontinst index a7408d9b..bc0fb1d0 100644 --- a/apparmor.d/groups/kde/kauth-fontinst +++ b/apparmor.d/groups/kde/kauth-fontinst @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{lib}/kauth/fontinst +@{exec_path} = @{lib}/kauth/{,libexec/}fontinst profile kauth-fontinst @{exec_path} { include include diff --git a/apparmor.d/groups/kde/kauth-kded-smart-helper b/apparmor.d/groups/kde/kauth-kded-smart-helper index ed004668..360c2b7d 100644 --- a/apparmor.d/groups/kde/kauth-kded-smart-helper +++ b/apparmor.d/groups/kde/kauth-kded-smart-helper @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{lib}/kauth/kded-smart-helper +@{exec_path} = @{lib}/kauth/{,libexec/}kded-smart-helper profile kauth-kded-smart-helper @{exec_path} { include include diff --git a/apparmor.d/groups/kde/kauth-kinfocenter-dmidecode-helper b/apparmor.d/groups/kde/kauth-kinfocenter-dmidecode-helper index 7e09f015..783bd5ac 100644 --- a/apparmor.d/groups/kde/kauth-kinfocenter-dmidecode-helper +++ b/apparmor.d/groups/kde/kauth-kinfocenter-dmidecode-helper @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{lib}/kauth/kinfocenter-dmidecode-helper +@{exec_path} = @{lib}/kauth/{,libexec/}kinfocenter-dmidecode-helper profile kauth-kinfocenter-dmidecode-helper @{exec_path} { include diff --git a/apparmor.d/groups/kde/kded5 b/apparmor.d/groups/kde/kded5 index 466a4425..b1cb6db1 100644 --- a/apparmor.d/groups/kde/kded5 +++ b/apparmor.d/groups/kde/kded5 @@ -31,6 +31,11 @@ profile kded5 @{exec_path} { signal (send) set=hup peer=xsettingsd, + dbus receive bus=system path=/org/bluez/hci*/** + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged + peer=(name=:*), + @{exec_path} mr, @{lib}/kf5/kconf_update rPx, diff --git a/apparmor.d/groups/kde/kio_http_cache_cleaner b/apparmor.d/groups/kde/kio_http_cache_cleaner index 8a2ef2f3..20e24fa8 100644 --- a/apparmor.d/groups/kde/kio_http_cache_cleaner 
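Review bot: `peer=(name=:*)` on the new `dbus receive bus=system path=/org/bluez/hci*/**` rule in kded5 matches every unique connection name, so any peer on the system bus may deliver this `PropertiesChanged` signal, not only the BlueZ daemon. If bluetoothd is confined by a profile in this set, adding a `label=` qualifier naming that profile next to `name=:*` ties the signal to its expected sender; if it cannot be narrowed, a comment saying so would help the next reviewer. The `profile kded5` block starts before the hunk and continues past it.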
+++ b/apparmor.d/groups/kde/kio_http_cache_cleaner @@ -12,5 +12,15 @@ profile kio_http_cache_cleaner @{exec_path} { @{exec_path} mr, + /usr/share/icu/[0-9]*.[0-9]*/*.dat r, + /usr/share/qt{5,}/translations/*.qm r, + + owner @{user_cache_dirs}/kio_http/* rw, + owner @{user_config_dirs}/kio_httprc r, + + owner @{run}/user/@{uid}/kio_http_cache_cleaner rw, + + @{PROC}/sys/kernel/core_pattern r, + include if exists } \ No newline at end of file diff --git a/apparmor.d/groups/kde/kscreenlocker-greet b/apparmor.d/groups/kde/kscreenlocker-greet index ca7ae0c9..ac67f910 100644 --- a/apparmor.d/groups/kde/kscreenlocker-greet +++ b/apparmor.d/groups/kde/kscreenlocker-greet @@ -21,6 +21,7 @@ profile kscreenlocker-greet @{exec_path} { include include include + include network netlink raw, @@ -60,7 +61,7 @@ profile kscreenlocker-greet @{exec_path} { /var/lib/dbus/machine-id r, - owner @{HOME}/.Xauthority r, + owner @{HOME}/.face.icon r, owner @{HOME}/.xsession-errors w, owner @{user_cache_dirs}/ rw, @@ -81,7 +82,7 @@ profile kscreenlocker-greet @{exec_path} { owner @{user_config_dirs}/kdeglobals r, owner @{user_config_dirs}/kscreenlockerrc r, owner @{user_config_dirs}/ksmserverrc r, - owner @{user_config_dirs}/qt5ct/{,**} r, + owner @{user_config_dirs}/plasmarc r, # If one is blocked, the others are probed. deny owner @{HOME}/#[0-9]*[0-9] mrw, @@ -91,6 +92,9 @@ profile kscreenlocker-greet @{exec_path} { @{run}/faillock/[a-zA-z0-9]* rwk, + @{sys}/devices/system/node/ r, + @{sys}/devices/system/node/node[0-9]*/meminfo r, + @{PROC}/@{pid}/cmdline r, @{PROC}/@{pid}/mounts r, @{PROC}/sys/kernel/core_pattern r, diff --git a/apparmor.d/groups/kde/ksmserver b/apparmor.d/groups/kde/ksmserver index 026ab749..23c10136 100644 --- a/apparmor.d/groups/kde/ksmserver +++ b/apparmor.d/groups/kde/ksmserver @@ -17,6 +17,7 @@ profile ksmserver @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include + include signal (send) set=(usr1,term) peer=kscreenlocker-greet, 
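Review bot: `owner @{user_cache_dirs}/kio_http/* rw,` covers the cache entries but not the directory itself, so a cleaner that lists the directory to find expired entries would still be denied on `@{user_cache_dirs}/kio_http/`; if that is how it works, add `owner @{user_cache_dirs}/kio_http/ r,` beside it — confirm from the logged denial. The `\ No newline at end of file` marker survives on the new side, so the file still ends without a trailing newline after this edit. The `profile kio_http_cache_cleaner` block starts before the hunk.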
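Review bot: `owner @{HOME}/.Xauthority r,` is dropped from kscreenlocker-greet in the same hunk that adds `owner @{HOME}/.face.icon r,`, and nothing in the commit says why the greeter no longer needs the cookie file; on sessions where `XAUTHORITY` still points at `@{HOME}/.Xauthority` rather than a file under `@{run}/user/@{uid}/`, the lock screen would be denied the cookie and could fail to connect to the display. The next hunk of the same file likewise replaces `owner @{user_config_dirs}/qt5ct/{,**} r,` with `owner @{user_config_dirs}/plasmarc r,`. If the removals are intentional, separate them from the additions or record the reason in a comment; otherwise keep the old rules alongside the new ones. The profile body continues outside these hunks.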
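Review bot: The pair `@{sys}/devices/system/node/ r,` and `@{sys}/devices/system/node/node[0-9]*/meminfo r,` added to kscreenlocker-greet here is also added verbatim to kwin_x11 and plasmashell in this commit; three identical copies of the same sysfs rules are a candidate for a shared abstraction so later adjustments stay consistent. The rules are read-only and not owner-scoped, which is the appropriate form for sysfs. The profile continues outside the hunk.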
@@ -46,10 +47,12 @@ profile ksmserver @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{HOME}/?????? rw, owner @{HOME}/.Xauthority rw, + owner @{user_cache_dirs}/#[0-9]* rw, owner @{user_cache_dirs}/icon-cache.kcache rw, owner @{user_cache_dirs}/fontconfig/*-le64.cache-* r, - owner @{user_cache_dirs}/ksycoca5_* r, + owner @{user_cache_dirs}/ksycoca5_* rl, + owner @{user_config_dirs}/menus/ r, owner @{user_config_dirs}/kdedefaults/* r, owner @{user_config_dirs}/kdeglobals r, owner @{user_config_dirs}/kscreenlockerrc r, @@ -61,7 +64,6 @@ profile ksmserver @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{user_config_dirs}/session/*_[0-9]*_[0-9]*_[0-9]* rw, owner /tmp/?????? rw, - owner /tmp/.ICE-unix/* rw, @{run}/systemd/inhibit/[0-9]*.ref rw, owner @{run}/user/@{uid}/KSMserver__[0-9] rw, diff --git a/apparmor.d/groups/kde/kwin_x11 b/apparmor.d/groups/kde/kwin_x11 index d9d9a1c3..7c57a622 100644 --- a/apparmor.d/groups/kde/kwin_x11 +++ b/apparmor.d/groups/kde/kwin_x11 @@ -66,10 +66,17 @@ profile kwin_x11 @{exec_path} { owner @{user_config_dirs}/kwinrulesrc r, owner @{user_config_dirs}/kxkbrc r, owner @{user_config_dirs}/session/kwin_* rwk, + owner @{user_config_dirs}/plasmarc r, + + owner /tmp/#[0-9]* rw, + owner /tmp/kwin.?????? rwl, owner @{run}/user/@{uid}/kcrash_[0-9]* rw, owner @{run}/user/@{uid}/xauth_* rl, + @{sys}/devices/system/node/ r, + @{sys}/devices/system/node/node[0-9]*/meminfo r, + @{PROC}/sys/kernel/core_pattern r, /dev/tty rw, diff --git a/apparmor.d/groups/kde/plasma-discover b/apparmor.d/groups/kde/plasma-discover index 651d6db8..143a833f 100644 --- a/apparmor.d/groups/kde/plasma-discover +++ b/apparmor.d/groups/kde/plasma-discover 
@@ -9,17 +9,23 @@ include @{exec_path} = @{bin}/plasma-discover profile plasma-discover @{exec_path} { include + include + include + include include + include include include include + include include + include network inet dgram, network inet6 dgram, network inet stream, network inet6 stream, - # network netlink raw, + network netlink raw, @{exec_path} mr, @@ -30,6 +36,7 @@ profile plasma-discover @{exec_path} { @{lib}/kf5/kio_http_cache_cleaner rPx, /usr/share/kservices5/{,*} r, + /usr/share/knsrcfiles/{,*} r, /etc/appstream.conf r, /etc/machine-id r, @@ -48,14 +55,25 @@ profile plasma-discover @{exec_path} { owner @{user_cache_dirs}/appstream/*.xb r, owner @{user_cache_dirs}/appstream/ r, - owner @{user_config_dirs}/kde.org/{,**} rwlk, - owner @{user_config_dirs}/discoverrc rwl, + owner @{user_config_dirs}/ r, owner @{user_config_dirs}/#[0-9]* rwl, + owner @{user_config_dirs}/discoverrc rwl, owner @{user_config_dirs}/discoverrc.lock rwk, + owner @{user_config_dirs}/kde.org/{,**} rwlk, + owner @{user_config_dirs}/kdedefaults/ r, + owner @{user_config_dirs}/kdedefaults/kdeglobals r, + owner @{user_config_dirs}/kdedefaults/kwinrc r, + owner @{user_config_dirs}/kdeglobals r, + owner @{user_config_dirs}/kwinrc r, + owner @{user_config_dirs}/libaccounts-glib/ rw, + owner @{user_config_dirs}/libaccounts-glib/accounts.db{,-shm,-wal,-journal} rwk, + + owner @{user_share_dirs}/knewstuff3/ r, owner @{user_share_dirs}/flatpak/repo/{,**} rw, @{PROC}/sys/kernel/random/boot_id r, + owner @{PROC}/@{pid}/mountinfo r, include if exists } \ No newline at end of file diff --git a/apparmor.d/groups/kde/plasmashell b/apparmor.d/groups/kde/plasmashell index d3861fc1..0cb5eddd 100644 --- a/apparmor.d/groups/kde/plasmashell +++ b/apparmor.d/groups/kde/plasmashell 
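Review bot: `network netlink raw,` in plasma-discover goes from commented-out to active without a comment saying which component needs a raw netlink socket; since this grants the software center direct kernel netlink access, add a one-line comment above it naming the trigger so the grant can be re-evaluated later. Most of the include targets in this hunk are not visible in this rendering of the diff, so the change to the abstraction set cannot be reviewed here. The `profile plasma-discover` block continues past the hunk.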
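Review bot: `owner @{user_config_dirs}/libaccounts-glib/accounts.db{,-shm,-wal,-journal} rwk,` grants read, write and lock on the online-accounts database to the software center; if Discover only reads account information, a read-only rule may suffice — confirm from the logged denial whether a write or lock was actually attempted before keeping the wider grant. `owner @{user_config_dirs}/ r,` and `owner @{PROC}/@{pid}/mountinfo r,` are read-only and look fine. The `\ No newline at end of file` marker remains on the new side, as in kio_http_cache_cleaner. The profile continues outside the hunk.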
@@ -7,13 +7,14 @@ abi , include @{exec_path} = @{bin}/plasmashell -profile plasmashell @{exec_path} { +profile plasmashell @{exec_path} flags=(mediate_deleted) { include include include include include include + include include include include @@ -24,7 +25,7 @@ profile plasmashell @{exec_path} { include include include - # include + include include include @@ -93,7 +94,7 @@ profile plasmashell @{exec_path} { owner @{user_cache_dirs}/#[0-9]* rwk, owner @{user_cache_dirs}/event-sound-cache.tdb.*.x86_64-pc-linux-gnu rwk, owner @{user_cache_dirs}/icon-cache.kcache rw, - owner @{user_cache_dirs}/ksycoca5_* r, + owner @{user_cache_dirs}/ksycoca5_* rl, owner @{user_cache_dirs}/org.kde.dirmodel-qml.kcache rw, owner @{user_cache_dirs}/plasma_theme_*.kcache rw, owner @{user_cache_dirs}/plasma-svgelements.?????? rwlk, @@ -107,6 +108,7 @@ profile plasmashell @{exec_path} { owner @{user_config_dirs}/akonadi/akonadiconnectionrc r, owner @{user_config_dirs}/baloofilerc r, owner @{user_config_dirs}/dolphinrc r, + owner @{user_config_dirs}/eventviewsrc r, owner @{user_config_dirs}/kactivitymanagerd-statsrc r, owner @{user_config_dirs}/kde.org/{,**} rwlk, owner @{user_config_dirs}/KDE/{,**} r, 
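Review bot: `flags=(mediate_deleted)` is added to the `profile plasmashell` line without a comment explaining which deleted-file access it resolves; because the flag changes how files unlinked while still open are mediated for every rule in the profile, a comment above the profile line such as `# mediate_deleted: <reason — to be filled in from the denial>` would document the need. The include changes in this hunk cannot be reviewed here because their targets are not shown. The profile body continues past the hunk.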
@@ -114,19 +116,15 @@ profile plasmashell @{exec_path} { owner @{user_config_dirs}/kdedefaults/kwinrc r, owner @{user_config_dirs}/kdedefaults/plasmarc r, owner @{user_config_dirs}/kdeglobals r, + owner @{user_config_dirs}/kioslaverc r, owner @{user_config_dirs}/klipperrc r, + owner @{user_config_dirs}/kmail2.notifyrc r, + owner @{user_config_dirs}/korganizerrc r, owner @{user_config_dirs}/krunnerrc r, owner @{user_config_dirs}/ksmserverrc r, owner @{user_config_dirs}/kwinrc r, owner @{user_config_dirs}/menus/{,**} r, - owner @{user_config_dirs}/plasma-org.kde.plasma.desktop-appletsrc.?????? rk, - owner @{user_config_dirs}/plasma-pk-updates r, - owner @{user_config_dirs}/plasma*desktop* rwlk, - owner @{user_config_dirs}/plasmanotifyrc rw, - owner @{user_config_dirs}/plasmanotifyrc.* rwl, - owner @{user_config_dirs}/plasmanotifyrc.lock rwk, - owner @{user_config_dirs}/plasmaparc r, - owner @{user_config_dirs}/plasmashellrc r, + owner @{user_config_dirs}/plasma* rwlk, owner @{user_config_dirs}/pulse/cookie rwk, owner @{user_config_dirs}/trashrc r, @@ -157,6 +155,10 @@ profile plasmashell @{exec_path} { @{sys}/bus/usb/devices/ r, @{sys}/class/ r, + @{sys}/devices/system/node/ r, + @{sys}/devices/system/node/node[0-9]*/meminfo r, + + @{PROC}/ r, @{PROC}/sys/kernel/core_pattern r, @{PROC}/sys/kernel/random/boot_id r, owner @{PROC}/@{pid}/{cgroup,cmdline,stat,statm} r, diff --git a/apparmor.d/groups/kde/sddm b/apparmor.d/groups/kde/sddm index 6ca6a498..29927613 100644 --- a/apparmor.d/groups/kde/sddm +++ b/apparmor.d/groups/kde/sddm @@ -30,6 +30,7 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) { capability setgid, capability setuid, capability sys_resource, + capability sys_tty_config, network netlink raw, @@ -46,6 +47,7 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{bin}/{,ba,da}sh rix, @{bin}/cat rix, @{bin}/checkproc rix, + @{bin}/pidof rix, @{bin}/tr rix, @{bin}/tty rix, @{bin}/xdm r, 
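Review bot: Collapsing the eight `plasma*` rules into `owner @{user_config_dirs}/plasma* rwlk,` widens entries that were previously read-only — `plasma-pk-updates`, `plasmaparc` and `plasmashellrc` had `r`, and `plasma-org.kde.plasma.desktop-appletsrc.??????` had `rk` — and the glob also covers any other `plasma*` entry in the config dir, such as the `plasma-localerc` files that startplasma-x11 writes in this same commit. If the goal was to stop chasing new file names, keep `owner @{user_config_dirs}/plasma* r,` for the settings files and restrict `rwlk` to the patterns that already had it (`plasma*desktop*` and `plasmanotifyrc*`); otherwise a comment recording that write access to every `plasma*` config file is accepted would at least make the widening explicit. The profile continues outside the hunk.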
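Review bot: `@{PROC}/ r,` lets plasmashell enumerate every process on the system, and the commit does not say which feature needs that; the existing `owner @{PROC}/@{pid}/{cgroup,cmdline,stat,statm} r,` line in the same hunk is owner-scoped, so check whether the denial was for listing `/proc` itself or for a specific entry that could be granted narrowly, and add a comment naming the consumer if the directory read is genuinely required. The profile continues outside the hunk.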
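Review bot: `capability sys_tty_config,` is added to sddm with no comment; this capability permits tty/VT configuration operations for a root daemon, so a comment such as `# sys_tty_config: <operation observed in the denial>` keeps the grant reviewable next to `sys_resource`. The `@{bin}/pidof rix,` added in the following sddm hunk runs inside sddm's own profile and is presumably what drives the process-wide `/proc` rules added later in the file. The profile continues outside the hunk.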
@@ -121,17 +123,23 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) { /tmp/sddm-* rw, owner /tmp/*/{,s} rw, + owner /tmp/#[0-9]* rw, owner /tmp/sddm-auth* rw, + owner /tmp/xauth_?????? rw, @{run}/faillock/[a-zA-z0-9]* rwk, @{run}/sddm.pid rw, @{run}/sddm/\{@{uuid}\} rw, + @{run}/sddm/xauth_?????? rwl, @{run}/systemd/sessions/*.ref rw, - @{run}/user/@{uid}/xauth_* rwl, + @{run}/user/@{uid}/xauth_?????? rwl, owner @{run}/sddm/ rw, owner @{run}/user/@{uid}/#[0-9]* rw, owner @{run}/user/@{uid}/kwallet5.socket rw, + @{PROC}/ r, + @{PROC}/@{pids}/cmdline r, + @{PROC}/@{pids}/stat r, @{PROC}/sys/kernel/core_pattern r, owner @{PROC}/@{pid}/loginuid rw, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/groups/kde/sddm-greeter b/apparmor.d/groups/kde/sddm-greeter index 37bafe82..80cb20b7 100644 --- a/apparmor.d/groups/kde/sddm-greeter +++ b/apparmor.d/groups/kde/sddm-greeter @@ -68,6 +68,7 @@ profile sddm-greeter @{exec_path} { owner @{HOME}/.glvnd* mrw, owner /tmp/runtime-sddm/ rw, + owner /tmp/xauth_?????? rw, owner @{run}/sddm/{,*} rw, diff --git a/apparmor.d/groups/kde/startplasma-x11 b/apparmor.d/groups/kde/startplasma-x11 index 50c4322a..18b5fc3d 100644 --- a/apparmor.d/groups/kde/startplasma-x11 +++ b/apparmor.d/groups/kde/startplasma-x11 
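Review bot: `@{PROC}/@{pids}/cmdline r,` and `@{PROC}/@{pids}/stat r,` together with `@{PROC}/ r,` let sddm read the command line of every process on the host, including other users' sessions, where arguments sometimes carry secrets; this appears to serve the `@{bin}/pidof rix,` added in the earlier sddm hunk, so if pidof is only used to locate sddm's own children or the X server, consider scoping the rule or documenting why a global read is accepted. `@{run}/sddm/xauth_?????? rwl,` is not owner-scoped, unlike the `owner /tmp/xauth_?????? rw,` line above it; if sddm runs as root this matters little, but adding `owner` keeps the two consistent. The profile continues outside the hunk.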
@@ -49,11 +49,16 @@ profile startplasma-x11 @{exec_path} { owner @{user_config_dirs}/kdedefaults/ rw, owner @{user_config_dirs}/kdedefaults/** rwkl -> @{user_config_dirs}/kdedefaults/**, owner @{user_config_dirs}/kdeglobals* rwl, + owner @{user_config_dirs}/ksplashrc r, owner @{user_config_dirs}/kwinkdeglobalsrc.lock rwk, + owner @{user_config_dirs}/menus/ r, + owner @{user_config_dirs}/menus/applications-merged/ r, owner @{user_config_dirs}/plasma-localerc rwl, owner @{user_config_dirs}/plasma-localerc.lock rwk, + owner @{user_config_dirs}/plasma-workspace/env/ r, owner @{user_config_dirs}/Trolltech.conf rwl, owner @{user_config_dirs}/Trolltech.conf.lock rwk, + owner @{user_share_dirs}/kservices5/{,**} r, owner @{user_share_dirs}/sddm/xorg-session.log rw, diff --git a/apparmor.d/groups/kde/utempter b/apparmor.d/groups/kde/utempter index 65e39eae..a0d2b381 100644 --- a/apparmor.d/groups/kde/utempter +++ b/apparmor.d/groups/kde/utempter @@ -14,6 +14,8 @@ profile utempter @{exec_path} { @{exec_path} mr, + /usr/share/sounds/{,**} r, + /dev/ptmx rw, include if exists
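Review bot: `owner @{user_config_dirs}/plasma-workspace/env/ r,` grants only the directory listing; if startplasma-x11 reads or runs the scripts inside that directory they would still be denied, and a rule such as `owner @{user_config_dirs}/plasma-workspace/env/* r,` (plus an explicit exec transition if a shell runs them, since they are user-writable) would be needed — confirm from the logged denial whether only the directory was requested. The profile continues outside the hunk.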
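Review bot: `/usr/share/sounds/{,**} r,` looks out of scope for utempter, a small privileged helper that updates utmp records, and nothing in the commit explains the read; a denial like this can be logged against a helper because of a descriptor or path inherited across the exec from its caller, so verify the audit record really names utempter before keeping the rule, and if it is genuine add a comment stating the trigger. The profile continues outside the hunk.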