feat(profile): improve kde integration.

see #484
This commit is contained in:
Alexandre Pujol 2024-09-13 20:41:22 +01:00
parent 4ccf2156de
commit b03b9b05eb
No known key found for this signature in database
GPG Key ID: C5469996F0DF68EC
12 changed files with 81 additions and 26 deletions

View File

@ -137,6 +137,12 @@
owner @{cache_dirs}/{,**} rw,
owner @{user_config_dirs}/kcminputrc r,
owner @{user_config_dirs}/kdedefaults/kcminputrc r,
owner @{user_config_dirs}/kioslaverc r,
owner @{user_config_dirs}/menus/applications-merged/ r,
owner @{user_config_dirs}/menus/applications-merged/xdg-desktop-menu-dummy.menu r,
# For importing data (bookmarks, cookies, etc) from Firefox
# owner @{HOME}/.mozilla/firefox/profiles.ini r,
# owner @{HOME}/.mozilla/firefox/*/ r,

View File

@ -34,9 +34,6 @@ profile brave @{exec_path} {
/etc/opt/chrome/native-messaging-hosts/* r,
owner @{user_config_dirs}/BraveSoftware/ rw,
owner @{user_config_dirs}/kioslaverc r,
owner @{user_config_dirs}/menus/applications-merged/ r,
owner @{user_config_dirs}/menus/applications-merged/xdg-desktop-menu-dummy.menu r,
owner @{config_dirs}/WidevineCdm/libwidevinecdm.so mrw,
owner @{cache_dirs}/BraveSoftware/ rw,
@ -44,6 +41,7 @@ profile brave @{exec_path} {
owner @{tmp}/net-export/ rw, # For brave://net-export/
# Silencer
deny /etc/opt/ w,
deny /etc/opt/chrome/ w,
deny /dev/disk/by-uuid/ r,

View File

@ -87,6 +87,25 @@ profile xorg @{exec_path} flags=(attach_disconnected) {
owner @{tmp}/server-* rwk,
owner @{tmp}/serverauth.* r,
@{run}/udev/data/+acpi:* r, # for acpi
@{run}/udev/data/+dmi* r, # for motherboard info
@{run}/udev/data/+drm:card@{int}-* r, # For screen outputs
@{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard
@{run}/udev/data/+i2c:* r,
@{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad
@{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.)
@{run}/udev/data/+platform:* r, # for ?
@{run}/udev/data/+serio:* r, # for touchpad?
@{run}/udev/data/+sound:card@{int} r, # for sound card
@{run}/udev/data/+usb* r, # for USB mouse and keyboard
@{run}/udev/data/c4:@{int} r, # for /dev/tty[0-9]*
@{run}/udev/data/c5:@{int} r, # for /dev/tty, /dev/console, /dev/ptmx
@{run}/udev/data/c10:@{int} r, # for non-serial mice, misc features
@{run}/udev/data/c13:@{int} r, # for /dev/input/*
@{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/**
@{run}/udev/data/c226:@{int} r, # for /dev/dri/card*
@{sys}/bus/ r,
@{sys}/bus/pci/devices/ r,
@{sys}/class/ r,
@ -103,23 +122,6 @@ profile xorg @{exec_path} flags=(attach_disconnected) {
@{sys}/devices/platform/ r,
@{sys}/module/i915/{,**} r,
@{run}/udev/data/+acpi:* r, # for acpi
@{run}/udev/data/+dmi* r, # for motherboard info
@{run}/udev/data/+drm:card@{int}-* r, # For screen outputs
@{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard
@{run}/udev/data/+i2c:* r,
@{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad
@{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.)
@{run}/udev/data/+platform:* r, # for ?
@{run}/udev/data/+serio:* r, # for touchpad?
@{run}/udev/data/+usb* r, # for USB mouse and keyboard
@{run}/udev/data/c4:@{int} r, # for /dev/tty[0-9]*
@{run}/udev/data/c5:@{int} r, # for /dev/tty, /dev/console, /dev/ptmx
@{run}/udev/data/c10:@{int} r, # for non-serial mice, misc features
@{run}/udev/data/c13:@{int} r, # for /dev/input/*
@{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/**
@{run}/udev/data/c226:@{int} r, # for /dev/dri/card*
@{PROC}/@{pids}/cmdline r,
@{PROC}/cmdline r,
@{PROC}/ioports r,
@ -127,6 +129,7 @@ profile xorg @{exec_path} flags=(attach_disconnected) {
/dev/fb@{int} rw,
/dev/input/event@{int} rw,
/dev/input/mouse@{int} rw,
/dev/shm/#@{int} rw,
/dev/shm/shmfd-* rw,
/dev/tty rw,

View File

@ -42,8 +42,33 @@ profile baloo @{exec_path} {
owner @{user_share_dirs}/baloo/{,**} rwk,
@{run}/udev/data/+acpi:* r, # for acpi
@{run}/udev/data/+backlight:* r,
@{run}/udev/data/+bluetooth:* r,
@{run}/udev/data/+dmi:* r, # For motherboard info
@{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad
@{run}/udev/data/+leds:* r,
@{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.)
@{run}/udev/data/+platform:* r,
@{run}/udev/data/+power_supply* r,
@{run}/udev/data/+rfkill:* r,
@{run}/udev/data/+sound:card@{int} r, # for sound card
@{run}/udev/data/c1:@{int} r, # For RAM disk
@{run}/udev/data/c4:@{int} r, # For TTY devices
@{run}/udev/data/c7:@{int} r, # For Virtual console capture devices
@{run}/udev/data/c10:@{int} r, # For non-serial mice, misc features
@{run}/udev/data/c13:@{int} r, # For /dev/input/*
@{run}/udev/data/c29:@{int} r, # For /dev/fb[0-9]*
@{run}/udev/data/c89:@{int} r, # For I2C bus interface
@{run}/udev/data/c116:@{int} r, # For ALSA
@{run}/udev/data/c226:@{int} r, # For /dev/dri/card[0-9]*
@{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511
@{sys}/bus/ r,
@{sys}/bus/*/devices/ r,
@{sys}/class/*/ r,
@{sys}/devices/**/uevent r,
owner @{PROC}/@{pid}/mounts r,
owner @{PROC}/@{pid}/mountinfo r,

View File

@ -10,6 +10,7 @@ include <tunables/global>
@{exec_path} += @{lib}/@{multiarch}/{,libexec/}baloorunner
profile baloorunner @{exec_path} {
include <abstractions/base>
include <abstractions/deny-sensitive-home>
include <abstractions/graphics>
include <abstractions/kde-strict>
include <abstractions/nameservice-strict>
@ -20,6 +21,11 @@ profile baloorunner @{exec_path} {
/etc/xdg/baloofilerc r,
# Allow to search user files
owner @{HOME}/{,**} r,
owner @{MOUNTS}/{,**} r,
owner @{tmp}/*/{,**} r,
owner @{user_cache_dirs}/icon-cache.kcache rw,
owner @{user_config_dirs}/baloofilerc r,

View File

@ -59,6 +59,7 @@ profile kde-powerdevil @{exec_path} flags=(attach_disconnected mediate_deleted)
@{sys}/devices/ r,
@{sys}/devices/@{pci}/*_backlight/{,max_,actual_}brightness r,
@{sys}/devices/@{pci}/card@{int}/*/dpms r,
@{sys}/devices/@{pci}/drm/card@{int}/**/{,max_,actual_}brightness r,
@{sys}/devices/@{pci}/drm/card@{int}/**/dev r,
@{sys}/devices/@{pci}/drm/card@{int}/*/dpms r,
@{sys}/devices/@{pci}/drm/card@{int}/*/edid r,

View File

@ -73,7 +73,9 @@ profile kscreenlocker_greet @{exec_path} {
owner @{user_cache_dirs}/icon-cache.kcache rw,
owner @{user_cache_dirs}/kscreenlocker_greet/ w,
owner @{user_cache_dirs}/kscreenlocker_greet/** rwlk,
owner @{user_cache_dirs}/ksvg-elements r,
owner @{user_cache_dirs}/ksvg-elements rw,
owner @{user_cache_dirs}/ksvg-elements.@{rand6} rwlk -> @{user_cache_dirs}/#@{int},
owner @{user_cache_dirs}/ksvg-elements.lock rwlk,
owner @{user_cache_dirs}/plasma_theme_*.kcache rw,
owner @{user_cache_dirs}/plasma-svgelements rw,
owner @{user_cache_dirs}/plasma-svgelements-default_v* r,

View File

@ -56,6 +56,7 @@ profile ksmserver @{exec_path} flags=(attach_disconnected,mediate_deleted) {
owner @{user_config_dirs}/ksmserverrc.@{rand6} rwl,
owner @{user_config_dirs}/ksmserverrc.lock rwk,
owner @{user_config_dirs}/menus/ r,
owner @{user_config_dirs}/menus/applications-merged/ r,
owner @{user_config_dirs}/session/*_[0-9]*_[0-9]*_[0-9]* rw,
owner @{user_share_dirs}/kservices{5,6}/ r,

View File

@ -89,6 +89,7 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) {
owner @{user_config_dirs}/kdedefaults/* r,
owner @{user_config_dirs}/kglobalshortcutsrc.lock rwk,
owner @{user_config_dirs}/kglobalshortcutsrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
owner @{user_config_dirs}/khotkeysrc r,
owner @{user_config_dirs}/klaunchrc r,
owner @{user_config_dirs}/kscreenlockerrc r,
owner @{user_config_dirs}/kwinoutputconfig.json rw,
@ -110,6 +111,10 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) {
@{sys}/class/drm/ r,
@{sys}/class/input/ r,
@{sys}/devices/**/uevent r,
@{sys}/devices/virtual/dmi/id/bios_vendor r,
@{sys}/devices/virtual/dmi/id/board_vendor r,
@{sys}/devices/virtual/dmi/id/product_name r,
@{sys}/devices/virtual/dmi/id/sys_vendor r,
@{run}/udev/data/+acpi:* r, # for ACPI
@{run}/udev/data/+dmi:* r, # for motherboard info

View File

@ -151,6 +151,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
owner @{user_config_dirs}/plasma* rwlk,
owner @{user_config_dirs}/trashrc r,
owner @{user_share_dirs}/*/sessions/ r,
owner @{user_share_dirs}/#@{int} rw,
owner @{user_share_dirs}/akonadi/search_db/{,**} r,
owner @{user_share_dirs}/kactivitymanagerd/resources/database rwk,
@ -174,6 +175,11 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
owner @{user_share_dirs}/user-places.xbel{,*} rwl,
owner @{user_share_dirs}/wallpapers/{,**} rw,
owner @{user_state_dirs}/#@{int} rw,
owner @{user_state_dirs}/plasmashellstaterc rw,
owner @{user_state_dirs}/plasmashellstaterc.lock rwk,
owner @{user_state_dirs}/plasmashellstaterc.@{rand6} rwl,
/tmp/.mount_nextcl@{rand6}/{,*} r,
owner @{tmp}/#@{int} rw,

View File

@ -29,12 +29,13 @@ profile sddm-greeter @{exec_path} {
@{lib}/libheif/*.so* rm,
/usr/share/desktop-base/*-theme/login/*.svg r,
/usr/share/endeavouros/backgrounds/** r,
/usr/share/hunspell/** r,
/usr/share/plasma/desktoptheme/** r,
/usr/share/sddm/{,**} r,
/usr/share/wallpapers/{,**} r,
/usr/share/wayland-sessions/{,*.desktop} r,
/usr/share/xsessions/{,*.desktop} r,
/usr/share/wallpapers/{,**} r,
/usr/share/hunspell/** r,
/etc/fstab r,
/etc/os-release r,

View File

@ -21,12 +21,13 @@ profile tailscaled @{exec_path} flags=(attach_disconnected) {
capability syslog,
network inet dgram,
network inet6 dgram,
network inet stream,
network inet6 stream,
network inet raw,
network inet stream,
network inet6 dgram,
network inet6 raw,
network inet6 stream,
network netlink raw,
network packet dgram,
ptrace (read),