feat(kde): improve support.

Alexandre Pujol 2023-07-20 21:04:22 +01:00
parent d2a650f6c6
commit a3d121fe23
20 changed files with 103 additions and 27 deletions


@ -1,5 +1,6 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021 Mikhail Morfikov
# Copyright (C) 2021-2023 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
@ -10,3 +11,5 @@
owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/ rw,
owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9] rw,
owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/@{hex}* rwl -> @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9],
include if exists <abstractions/qt5-shader-cache.d>
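Review bot: The new link rule `owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/@{hex}* rwl -> @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9],` carries no explanation of why a hashed shader name has to be hard-linked onto an anonymous `#NNN` file, and an abstraction is read by every profile that includes it. This looks like Qt writing the blob to an unnamed temporary file and linking it into place, but a reader cannot confirm that from the rule alone, so I would add a comment above it along the lines of `# Qt writes the shader blob to an anonymous #NNN file and hard-links it to its final name (presumably O_TMPFILE + linkat)`. Pinning the link target the way this rule does is the right shape; the untargeted `rl` grants added elsewhere in this commit could follow it.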


@ -34,7 +34,10 @@ profile kaccess @{exec_path} {
owner @{user_config_dirs}/kdedefaults/* r,
owner @{user_config_dirs}/kdeglobals r,
owner @{user_config_dirs}/kwinrc r,
owner @{user_config_dirs}/kaccessrc r,
owner @{user_share_dirs}/mime/generic-icons r,
owner @{run}/user/@{uid}/xauth_?????? r,
@{sys}/devices/pci[0-9]*/**/{device,subsystem_device,subsystem_vendor,uevent,vendor} r,
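Review bot: The new `@{sys}/devices/pci[0-9]*/**/{device,subsystem_device,subsystem_vendor,uevent,vendor} r,` duplicates, as far as I recall, a rule that upstream ships in `abstractions/dri-enumerate`; the include list of `profile kaccess` is outside this hunk, so if the profile already includes that abstraction the line is redundant, and if it does not, including the abstraction is the more maintainable fix than copying the rule. Either way the rule deserves a one-line comment naming what walks PCI devices here (presumably the Qt/Mesa GPU probe), since a bare sysfs wildcard is easy to widen by accident later.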


@ -10,16 +10,19 @@ include <tunables/global>
profile kalendarac @{exec_path} {
include <abstractions/base>
include <abstractions/dri-common>
include <abstractions/dri-enumerate>
include <abstractions/freedesktop.org>
include <abstractions/mesa>
include <abstractions/nameservice-strict>
include <abstractions/qt5>
include <abstractions/mesa>
include <abstractions/vulkan>
@{exec_path} mr,
@{bin}/akonadi_control rPx,
/usr/share/akonadi/firstrun/{,*} r,
/usr/share/akonadi/plugins/serializer/{,*.desktop} r,
/usr/share/hwdata/*.ids r,
/usr/share/icu/[0-9]*.[0-9]*/*.dat r,
@ -31,11 +34,14 @@ profile kalendarac @{exec_path} {
owner @{user_config_dirs}/#[0-9]* rw,
owner @{user_config_dirs}/akonadi-firstrunrc r,
owner @{user_config_dirs}/akonadi/akonadiconnectionrc r,
owner @{user_config_dirs}/emaildefaults r,
owner @{user_config_dirs}/emailidentities r,
owner @{user_config_dirs}/kalendaracrc rw,
owner @{user_config_dirs}/kalendaracrc.?????? rwl,
owner @{user_config_dirs}/kalendaracrc.lock rwk,
owner @{user_config_dirs}/kdedefaults/kdeglobals r,
owner @{user_config_dirs}/kdeglobals r,
owner @{user_config_dirs}/kmail2rc r,
@{run}/user/@{uid}/xauth_* rl,
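Review bot: `include <abstractions/mesa>` appears twice in the first hunk, once at its sorted position after `freedesktop.org` and again after `qt5`; the +/- markers are lost on this page so I cannot tell which copy is the deletion, but if both survive on the new side one is redundant (harmless to the parser, noise for readers), and I presume the line was simply moved. In the second hunk `@{run}/user/@{uid}/xauth_* rl,` is not `owner`-scoped, unlike the equivalent rules in kaccess (`owner @{run}/user/@{uid}/xauth_?????? r`) and kwin_x11 (`owner @{run}/user/@{uid}/xauth_* rl`); as I understand the tunable, `@{uid}` is a numeric glob rather than the caller's uid, so the rule as written reaches into other users' runtime directories. I would make it `owner @{run}/user/@{uid}/xauth_* rl,` and, as with the other untargeted `l` grants in this commit, pin the link target once the audit log shows where the cookie is linked to.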


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = @{lib}/kauth/backlighthelper
@{exec_path} = @{lib}/kauth/{,libexec/}backlighthelper
profile kauth-backlighthelper @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = @{lib}/kauth/chargethresholdhelper
@{exec_path} = @{lib}/kauth/{,libexec/}chargethresholdhelper
profile kauth-chargethresholdhelper @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = @{lib}/kauth/discretegpuhelper
@{exec_path} = @{lib}/kauth/{,libexec/}discretegpuhelper
profile kauth-discretegpuhelper @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = @{lib}/kauth/fontinst
@{exec_path} = @{lib}/kauth/{,libexec/}fontinst
profile kauth-fontinst @{exec_path} {
include <abstractions/base>
include <abstractions/qt5>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = @{lib}/kauth/kded-smart-helper
@{exec_path} = @{lib}/kauth/{,libexec/}kded-smart-helper
profile kauth-kded-smart-helper @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = @{lib}/kauth/kinfocenter-dmidecode-helper
@{exec_path} = @{lib}/kauth/{,libexec/}kinfocenter-dmidecode-helper
profile kauth-kinfocenter-dmidecode-helper @{exec_path} {
include <abstractions/base>


@ -31,6 +31,11 @@ profile kded5 @{exec_path} {
signal (send) set=hup peer=xsettingsd,
dbus receive bus=system path=/org/bluez/hci*/**
interface=org.freedesktop.DBus.Properties
member=PropertiesChanged
peer=(name=:*),
@{exec_path} mr,
@{lib}/kf5/kconf_update rPx,
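Review bot: The new system-bus receive rule for `path=/org/bluez/hci*/**` `PropertiesChanged` accepts the signal from any unique connection name (`peer=(name=:*)`); if this repository confines bluetoothd, the rule can be pinned to that label with `peer=(name=:*, label=bluetoothd),` so that only the daemon that owns those object paths can deliver the signal to kded5. Leaving the peer unlabelled is not a serious hole for a signal the profile merely receives, but it should at least carry a comment saying which kded module (presumably the Bluetooth one) consumes it. The `profile kded5` block starts outside this hunk.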


@ -12,5 +12,15 @@ profile kio_http_cache_cleaner @{exec_path} {
@{exec_path} mr,
/usr/share/icu/[0-9]*.[0-9]*/*.dat r,
/usr/share/qt{5,}/translations/*.qm r,
owner @{user_cache_dirs}/kio_http/* rw,
owner @{user_config_dirs}/kio_httprc r,
owner @{run}/user/@{uid}/kio_http_cache_cleaner rw,
@{PROC}/sys/kernel/core_pattern r,
include if exists <local/kio_http_cache_cleaner>
}
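Review bot: `owner @{user_cache_dirs}/kio_http/* rw,` grants the cache files but not the directory itself; a cleaner has to enumerate `kio_http/` to find stale entries, which needs `owner @{user_cache_dirs}/kio_http/ r,` unless that is already granted above the hunk. Separately, `@{PROC}/sys/kernel/core_pattern r,` is added here and again in the kscreenlocker-greet, kwin_x11, plasmashell and sddm hunks of this commit; this is presumably KCrash probing the core handler, and a shared abstraction (or at least a `# KCrash` comment on each copy) would keep the five instances in sync instead of being re-discovered one denial at a time.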


@ -21,6 +21,7 @@ profile kscreenlocker-greet @{exec_path} {
include <abstractions/qt5-shader-cache>
include <abstractions/qt5>
include <abstractions/X>
include <abstractions/vulkan>
network netlink raw,
@ -60,7 +61,7 @@ profile kscreenlocker-greet @{exec_path} {
/var/lib/dbus/machine-id r,
owner @{HOME}/.Xauthority r,
owner @{HOME}/.face.icon r,
owner @{HOME}/.xsession-errors w,
owner @{user_cache_dirs}/ rw,
@ -81,7 +82,7 @@ profile kscreenlocker-greet @{exec_path} {
owner @{user_config_dirs}/kdeglobals r,
owner @{user_config_dirs}/kscreenlockerrc r,
owner @{user_config_dirs}/ksmserverrc r,
owner @{user_config_dirs}/qt5ct/{,**} r,
owner @{user_config_dirs}/plasmarc r,
# If one is blocked, the others are probed.
deny owner @{HOME}/#[0-9]*[0-9] mrw,
@ -91,6 +92,9 @@ profile kscreenlocker-greet @{exec_path} {
@{run}/faillock/[a-zA-z0-9]* rwk,
@{sys}/devices/system/node/ r,
@{sys}/devices/system/node/node[0-9]*/meminfo r,
@{PROC}/@{pid}/cmdline r,
@{PROC}/@{pid}/mounts r,
@{PROC}/sys/kernel/core_pattern r,
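Review bot: The context line `@{run}/faillock/[a-zA-z0-9]* rwk,` has a mis-cased range: `A-z` is interpreted as a byte range and therefore also matches `[`, `\`, `]`, `^`, `_` and the backtick in addition to the letters, so the glob is both wider than intended and misleading to read; it should be `@{run}/faillock/[a-zA-Z0-9]* rwk,`. The same typo sits in the sddm hunk of this commit. The commit does not touch the line, but since it is inside the hunk it is cheap to fix here rather than in a later pass.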


@ -17,6 +17,7 @@ profile ksmserver @{exec_path} flags=(attach_disconnected,mediate_deleted) {
include <abstractions/nameservice-strict>
include <abstractions/qt5>
include <abstractions/vulkan>
include <abstractions/X-strict>
signal (send) set=(usr1,term) peer=kscreenlocker-greet,
@ -46,10 +47,12 @@ profile ksmserver @{exec_path} flags=(attach_disconnected,mediate_deleted) {
owner @{HOME}/?????? rw,
owner @{HOME}/.Xauthority rw,
owner @{user_cache_dirs}/#[0-9]* rw,
owner @{user_cache_dirs}/icon-cache.kcache rw,
owner @{user_cache_dirs}/fontconfig/*-le64.cache-* r,
owner @{user_cache_dirs}/ksycoca5_* r,
owner @{user_cache_dirs}/ksycoca5_* rl,
owner @{user_config_dirs}/menus/ r,
owner @{user_config_dirs}/kdedefaults/* r,
owner @{user_config_dirs}/kdeglobals r,
owner @{user_config_dirs}/kscreenlockerrc r,
@ -61,7 +64,6 @@ profile ksmserver @{exec_path} flags=(attach_disconnected,mediate_deleted) {
owner @{user_config_dirs}/session/*_[0-9]*_[0-9]*_[0-9]* rw,
owner /tmp/?????? rw,
owner /tmp/.ICE-unix/* rw,
@{run}/systemd/inhibit/[0-9]*.ref rw,
owner @{run}/user/@{uid}/KSMserver__[0-9] rw,
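Review bot: `owner @{user_cache_dirs}/ksycoca5_* rl,` widens `r` to `rl` with no link target, so the new link name is constrained only by the generic subset test rather than by a path; plasmashell receives the identical change in this commit. If the denial being fixed is the temp-file-then-link pattern that the qt5-shader-cache hunk handles with an explicit target, the tighter form is `owner @{user_cache_dirs}/ksycoca5_* rl -> @{user_cache_dirs}/ksycoca5_*,` (adjust the target to whatever the audit log actually shows). A short comment on why the sycoca cache is hard-linked would also help, since `l` on a cache file is not obvious to a reader.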


@ -66,10 +66,17 @@ profile kwin_x11 @{exec_path} {
owner @{user_config_dirs}/kwinrulesrc r,
owner @{user_config_dirs}/kxkbrc r,
owner @{user_config_dirs}/session/kwin_* rwk,
owner @{user_config_dirs}/plasmarc r,
owner /tmp/#[0-9]* rw,
owner /tmp/kwin.?????? rwl,
owner @{run}/user/@{uid}/kcrash_[0-9]* rw,
owner @{run}/user/@{uid}/xauth_* rl,
@{sys}/devices/system/node/ r,
@{sys}/devices/system/node/node[0-9]*/meminfo r,
@{PROC}/sys/kernel/core_pattern r,
/dev/tty rw,
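Review bot: `/dev/tty rw,` grants both directions on the controlling terminal; if the audit log only shows kwin writing diagnostics there, `/dev/tty w,` is sufficient, and in either case a comment naming what opens the tty would stop the rule from being widened further later. `owner /tmp/kwin.?????? rwl,` is another untargeted link grant of the same kind as the ksycoca5 change in this commit, and `owner @{run}/user/@{uid}/kcrash_[0-9]* rw,` would benefit from a `# KCrash` comment. The `profile kwin_x11` block starts and ends outside the hunk.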


@ -9,17 +9,23 @@ include <tunables/global>
@{exec_path} = @{bin}/plasma-discover
profile plasma-discover @{exec_path} {
include <abstractions/base>
include <abstractions/dconf-write>
include <abstractions/dri-common>
include <abstractions/dri-enumerate>
include <abstractions/fonts>
include <abstractions/freedesktop.org>
include <abstractions/mesa>
include <abstractions/nameservice-strict>
include <abstractions/openssl>
include <abstractions/qt5-shader-cache>
include <abstractions/ssl_certs>
include <abstractions/vulkan>
network inet dgram,
network inet6 dgram,
network inet stream,
network inet6 stream,
# network netlink raw,
network netlink raw,
@{exec_path} mr,
@ -30,6 +36,7 @@ profile plasma-discover @{exec_path} {
@{lib}/kf5/kio_http_cache_cleaner rPx,
/usr/share/kservices5/{,*} r,
/usr/share/knsrcfiles/{,*} r,
/etc/appstream.conf r,
/etc/machine-id r,
@ -48,14 +55,25 @@ profile plasma-discover @{exec_path} {
owner @{user_cache_dirs}/appstream/*.xb r,
owner @{user_cache_dirs}/appstream/ r,
owner @{user_config_dirs}/kde.org/{,**} rwlk,
owner @{user_config_dirs}/discoverrc rwl,
owner @{user_config_dirs}/ r,
owner @{user_config_dirs}/#[0-9]* rwl,
owner @{user_config_dirs}/discoverrc rwl,
owner @{user_config_dirs}/discoverrc.lock rwk,
owner @{user_config_dirs}/kde.org/{,**} rwlk,
owner @{user_config_dirs}/kdedefaults/ r,
owner @{user_config_dirs}/kdedefaults/kdeglobals r,
owner @{user_config_dirs}/kdedefaults/kwinrc r,
owner @{user_config_dirs}/kdeglobals r,
owner @{user_config_dirs}/kwinrc r,
owner @{user_config_dirs}/libaccounts-glib/ rw,
owner @{user_config_dirs}/libaccounts-glib/accounts.db{,-shm,-wal,-journal} rwk,
owner @{user_share_dirs}/knewstuff3/ r,
owner @{user_share_dirs}/flatpak/repo/{,**} rw,
@{PROC}/sys/kernel/random/boot_id r,
owner @{PROC}/@{pid}/mountinfo r,
include if exists <local/plasma-discover>
}
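Review bot: `network netlink raw,` is switched from commented-out to active without any note on what Discover needs the socket for, so the next reader cannot tell whether it closes a stray denial or is genuinely required (presumably an online-state or device query); I would keep a comment line above it, e.g. `# netlink raw: TODO record the reason from the audit log`, since the previous revision deliberately had it disabled. `owner @{user_share_dirs}/flatpak/repo/{,**} rw,` gives read/write over the whole user OSTree repository; that is expected for the flatpak backend, but as the widest write grant in the profile it deserves a comment too. `owner @{PROC}/@{pid}/mountinfo r,` is fine as owner-scoped.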


@ -7,13 +7,14 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = @{bin}/plasmashell
profile plasmashell @{exec_path} {
profile plasmashell @{exec_path} flags=(mediate_deleted) {
include <abstractions/base>
include <abstractions/app-launcher-user>
include <abstractions/audio>
include <abstractions/consoles>
include <abstractions/dbus-session-strict>
include <abstractions/dbus-strict>
include <abstractions/devices-usb>
include <abstractions/disks-read>
include <abstractions/dri-common>
include <abstractions/dri-enumerate>
@ -24,7 +25,7 @@ profile plasmashell @{exec_path} {
include <abstractions/nameservice-strict>
include <abstractions/qt5-shader-cache>
include <abstractions/qt5>
# include <abstractions/user-tmp>
include <abstractions/thumbnails-cache-read>
include <abstractions/vulkan>
include <abstractions/X-strict>
@ -93,7 +94,7 @@ profile plasmashell @{exec_path} {
owner @{user_cache_dirs}/#[0-9]* rwk,
owner @{user_cache_dirs}/event-sound-cache.tdb.*.x86_64-pc-linux-gnu rwk,
owner @{user_cache_dirs}/icon-cache.kcache rw,
owner @{user_cache_dirs}/ksycoca5_* r,
owner @{user_cache_dirs}/ksycoca5_* rl,
owner @{user_cache_dirs}/org.kde.dirmodel-qml.kcache rw,
owner @{user_cache_dirs}/plasma_theme_*.kcache rw,
owner @{user_cache_dirs}/plasma-svgelements.?????? rwlk,
@ -107,6 +108,7 @@ profile plasmashell @{exec_path} {
owner @{user_config_dirs}/akonadi/akonadiconnectionrc r,
owner @{user_config_dirs}/baloofilerc r,
owner @{user_config_dirs}/dolphinrc r,
owner @{user_config_dirs}/eventviewsrc r,
owner @{user_config_dirs}/kactivitymanagerd-statsrc r,
owner @{user_config_dirs}/kde.org/{,**} rwlk,
owner @{user_config_dirs}/KDE/{,**} r,
@ -114,19 +116,15 @@ profile plasmashell @{exec_path} {
owner @{user_config_dirs}/kdedefaults/kwinrc r,
owner @{user_config_dirs}/kdedefaults/plasmarc r,
owner @{user_config_dirs}/kdeglobals r,
owner @{user_config_dirs}/kioslaverc r,
owner @{user_config_dirs}/klipperrc r,
owner @{user_config_dirs}/kmail2.notifyrc r,
owner @{user_config_dirs}/korganizerrc r,
owner @{user_config_dirs}/krunnerrc r,
owner @{user_config_dirs}/ksmserverrc r,
owner @{user_config_dirs}/kwinrc r,
owner @{user_config_dirs}/menus/{,**} r,
owner @{user_config_dirs}/plasma-org.kde.plasma.desktop-appletsrc.?????? rk,
owner @{user_config_dirs}/plasma-pk-updates r,
owner @{user_config_dirs}/plasma*desktop* rwlk,
owner @{user_config_dirs}/plasmanotifyrc rw,
owner @{user_config_dirs}/plasmanotifyrc.* rwl,
owner @{user_config_dirs}/plasmanotifyrc.lock rwk,
owner @{user_config_dirs}/plasmaparc r,
owner @{user_config_dirs}/plasmashellrc r,
owner @{user_config_dirs}/plasma* rwlk,
owner @{user_config_dirs}/pulse/cookie rwk,
owner @{user_config_dirs}/trashrc r,
@ -157,6 +155,10 @@ profile plasmashell @{exec_path} {
@{sys}/bus/usb/devices/ r,
@{sys}/class/ r,
@{sys}/devices/system/node/ r,
@{sys}/devices/system/node/node[0-9]*/meminfo r,
@{PROC}/ r,
@{PROC}/sys/kernel/core_pattern r,
@{PROC}/sys/kernel/random/boot_id r,
owner @{PROC}/@{pid}/{cgroup,cmdline,stat,statm} r,
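Review bot: `owner @{user_config_dirs}/plasma* rwlk,` replaces a set of per-file rules in the fourth hunk, and if the read-only entries shown there (`plasmaparc r`, `plasmashellrc r`, `plasma-pk-updates r`, the `rk`-only appletsrc lock) are among the removed lines, as the -19/+15 counts suggest, the consolidation silently promotes them to write, link and lock; it also matches any future `plasma*` file, including `plasma-localerc`, which startplasma-x11 is given in this same commit. If the intent is to stop chasing individual rc files, keep the read-only set separate, e.g. `owner @{user_config_dirs}/plasma{parc,shellrc,-pk-updates} r,` ahead of the broad rule, or at minimum add a comment recording that the widening is deliberate. `ksycoca5_* rl` here has the same untargeted-link concern raised on the ksmserver hunk, and the new `flags=(mediate_deleted)` on the profile line would be worth a one-line comment naming the deleted-file access that triggered it.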


@ -30,6 +30,7 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) {
capability setgid,
capability setuid,
capability sys_resource,
capability sys_tty_config,
network netlink raw,
@ -46,6 +47,7 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) {
@{bin}/{,ba,da}sh rix,
@{bin}/cat rix,
@{bin}/checkproc rix,
@{bin}/pidof rix,
@{bin}/tr rix,
@{bin}/tty rix,
@{bin}/xdm r,
@ -121,17 +123,23 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) {
/tmp/sddm-* rw,
owner /tmp/*/{,s} rw,
owner /tmp/#[0-9]* rw,
owner /tmp/sddm-auth* rw,
owner /tmp/xauth_?????? rw,
@{run}/faillock/[a-zA-z0-9]* rwk,
@{run}/sddm.pid rw,
@{run}/sddm/\{@{uuid}\} rw,
@{run}/sddm/xauth_?????? rwl,
@{run}/systemd/sessions/*.ref rw,
@{run}/user/@{uid}/xauth_* rwl,
@{run}/user/@{uid}/xauth_?????? rwl,
owner @{run}/sddm/ rw,
owner @{run}/user/@{uid}/#[0-9]* rw,
owner @{run}/user/@{uid}/kwallet5.socket rw,
@{PROC}/ r,
@{PROC}/@{pids}/cmdline r,
@{PROC}/@{pids}/stat r,
@{PROC}/sys/kernel/core_pattern r,
owner @{PROC}/@{pid}/loginuid rw,
owner @{PROC}/@{pid}/mounts r,
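Review bot: `@{bin}/pidof rix,` runs pidof inside sddm's own profile, which is what drags in the new `@{PROC}/ r,`, `@{PROC}/@{pids}/cmdline r,` and `@{PROC}/@{pids}/stat r,`: the display manager itself now gets to read every process's command line, which is where credentials passed as arguments end up, and the inherited child keeps sddm's capabilities while doing so. A child profile (`@{bin}/pidof rCx -> pidof,` with the /proc reads confined to it) or a transition to a dedicated pidof profile keeps those reads out of sddm proper. `capability sys_tty_config,` is likewise added without a comment; a one-liner naming the operation from the audit log (`# sys_tty_config: TODO reason`) would help, and the `rwl` on `@{run}/sddm/xauth_??????` and `@{run}/user/@{uid}/xauth_??????` are further untargeted link grants.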


@ -68,6 +68,7 @@ profile sddm-greeter @{exec_path} {
owner @{HOME}/.glvnd* mrw,
owner /tmp/runtime-sddm/ rw,
owner /tmp/xauth_?????? rw,
owner @{run}/sddm/{,*} rw,


@ -49,11 +49,16 @@ profile startplasma-x11 @{exec_path} {
owner @{user_config_dirs}/kdedefaults/ rw,
owner @{user_config_dirs}/kdedefaults/** rwkl -> @{user_config_dirs}/kdedefaults/**,
owner @{user_config_dirs}/kdeglobals* rwl,
owner @{user_config_dirs}/ksplashrc r,
owner @{user_config_dirs}/kwinkdeglobalsrc.lock rwk,
owner @{user_config_dirs}/menus/ r,
owner @{user_config_dirs}/menus/applications-merged/ r,
owner @{user_config_dirs}/plasma-localerc rwl,
owner @{user_config_dirs}/plasma-localerc.lock rwk,
owner @{user_config_dirs}/plasma-workspace/env/ r,
owner @{user_config_dirs}/Trolltech.conf rwl,
owner @{user_config_dirs}/Trolltech.conf.lock rwk,
owner @{user_share_dirs}/kservices5/{,**} r,
owner @{user_share_dirs}/sddm/xorg-session.log rw,


@ -14,6 +14,8 @@ profile utempter @{exec_path} {
@{exec_path} mr,
/usr/share/sounds/{,**} r,
/dev/ptmx rw,
include if exists <local/utempter>