diff --git a/apparmor.d/groups/kde/kactivitymanagerd b/apparmor.d/groups/kde/kactivitymanagerd index 52190ac7..758c5aaa 100644 --- a/apparmor.d/groups/kde/kactivitymanagerd +++ b/apparmor.d/groups/kde/kactivitymanagerd @@ -18,14 +18,17 @@ profile kactivitymanagerd @{exec_path} { /usr/share/icu/[0-9]*.[0-9]*/*.dat r, /etc/xdg/kdeglobals r, + /etc/machine-id r, owner @{user_config_dirs}/kdedefaults/kdeglobals r, owner @{user_config_dirs}/kdeglobals r, owner @{user_config_dirs}/kactivitymanagerdrc r, + owner @{user_config_dirs}/kactivitymanagerdrc.lock rwk, owner @{user_share_dirs}/kactivitymanagerd/{,**} rwlk, @{PROC}/sys/kernel/core_pattern r, + @{PROC}/sys/kernel/random/boot_id r, /dev/tty r, diff --git a/apparmor.d/groups/kde/kcminit b/apparmor.d/groups/kde/kcminit index 30421fd2..4064a7b3 100644 --- a/apparmor.d/groups/kde/kcminit +++ b/apparmor.d/groups/kde/kcminit @@ -33,8 +33,10 @@ profile kcminit @{exec_path} { owner @{user_config_dirs}/kcminputrc r, owner @{user_config_dirs}/kdedefaults/kcminputrc r, owner @{user_config_dirs}/kdedefaults/kdeglobals r, + owner @{user_config_dirs}/kdedefaults/kwinrc r, owner @{user_config_dirs}/kdeglobals r, owner @{user_config_dirs}/kgammarc r, + owner @{user_config_dirs}/kwinrc r, owner @{user_config_dirs}/touchpadrc r, owner @{user_config_dirs}/Trolltech.conf.lock rwk, owner @{user_config_dirs}/Trolltech.conf{,.??????} rwl, diff --git a/apparmor.d/groups/kde/kconf_update b/apparmor.d/groups/kde/kconf_update index a77a6a7b..532f4073 100644 --- a/apparmor.d/groups/kde/kconf_update +++ b/apparmor.d/groups/kde/kconf_update 
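Review bot: In the kactivitymanagerd hunk, `kactivitymanagerdrc.lock` is granted `rwk` while `kactivitymanagerdrc` itself stays `r`. If the lock is taken ahead of a config write, which is how the kded5 hunk in this commit treats it (`kded5rc.lock rwk` next to `kded5rc* rwl`), the write that follows would presumably still be denied. It is worth checking the audit log to confirm the daemon only reads this file. The same lock-without-write pairing appears for `powermanagementprofilesrc.lock` in the kde-powerdevil hunk. If a write is expected, the form already used in kcminit fits: `owner @{user_config_dirs}/kactivitymanagerdrc{,.??????} rwl,`.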
@@ -9,17 +9,37 @@ include @{exec_path} = @{lib}/kf5/kconf_update profile kconf_update @{exec_path} { include + include + include @{exec_path} mr, + @{bin}/{,ba,da}sh rix, + @{bin}/grep rix, + @{bin}/qtpaths rix, + @{bin}/sed rix, + + @{lib}/kconf_update_bin/breeze* rix, + @{lib}/kconf_update_bin/konsole_show_menubar rix, + @{lib}/kconf_update_bin/krunnerglobalshortcuts rix, + @{lib}/kconf_update_bin/krunnerhistory rix, + @{lib}/kconf_update_bin/plasmashell-* rix, + /usr/share/kconf_update/kcminputrc_migrate_repeat_value.py rix, + /usr/share/kconf_update/konsole_add_hamburgermenu_to_toolbar.sh rix, + /usr/share/kconf_update/{,**} r, /usr/share/icu/[0-9]*.[0-9]*/*.dat r, /etc/xdg/kdeglobals r, + owner @{user_config_dirs}/#[0-9]* rw, owner @{user_config_dirs}/kconf_updaterc r, + owner @{user_config_dirs}/kconf_updaterc* rwl, owner @{user_config_dirs}/kdedefaults/kdeglobals r, - owner @{user_config_dirs}/kdeglobals r, + owner @{user_config_dirs}/kdeglobals* rwl, + + owner /tmp/#[0-9]* rw, + owner /tmp/kconf_update.?????? rw, include if exists } \ No newline at end of file diff --git a/apparmor.d/groups/kde/kde-powerdevil b/apparmor.d/groups/kde/kde-powerdevil index b665e7b4..d5e73bbd 100644 --- a/apparmor.d/groups/kde/kde-powerdevil +++ b/apparmor.d/groups/kde/kde-powerdevil @@ -25,13 +25,16 @@ profile kde-powerdevil @{exec_path} flags=(attach_disconnected) { /etc/fstab r, /etc/xdg/kdeglobals r, + /etc/machine-id r, owner @{user_cache_dirs}/kcrash-metadata/{,*} rw, + owner @{user_config_dirs}/#[0-9]* rw, owner @{user_config_dirs}/kdedefaults/kdeglobals r, owner @{user_config_dirs}/kdeglobals r, - owner @{user_config_dirs}/powerdevilrc r, + owner @{user_config_dirs}/powerdevilrc rwl, owner @{user_config_dirs}/powermanagementprofilesrc r, + owner @{user_config_dirs}/powermanagementprofilesrc.lock rwk, @{run}/systemd/inhibit/*.ref rw, owner @{run}/user/@{uid}kcrash_[0-9]* rw, 
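Review bot: The new write rules in kconf_update end in an open glob, `kconf_updaterc* rwl` and `kdeglobals* rwl`, so they match every file in the config directory whose name starts with that prefix, not just the file and its temporary copy. This profile now also runs `sh`, `grep`, `sed` and the update scripts with `ix`, so all of them inherit these write rules, which makes tight paths matter more here. The form already used in kcminit would do: `owner @{user_config_dirs}/kdeglobals{,.??????} rwl,`. No rule visible in this hunk grants `k`, whereas kded5 adds `kded5rc.lock rwk` beside its `rwl` rule. `kded5rc*` and `kwinrc*` in kded5 carry the same open glob, and `powerdevilrc rwl` in kde-powerdevil likewise has no `.lock` companion.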
diff --git a/apparmor.d/groups/kde/kded5 b/apparmor.d/groups/kde/kded5 index 5f7ae40d..466a4425 100644 --- a/apparmor.d/groups/kde/kded5 +++ b/apparmor.d/groups/kde/kded5 @@ -69,15 +69,18 @@ profile kded5 @{exec_path} { owner @{user_config_dirs}/gtk-{3,4}.0/{,**} rwl, owner @{user_config_dirs}/kcminputrc r, owner @{user_config_dirs}/kconf_updaterc r, - owner @{user_config_dirs}/kded5rc r, + owner @{user_config_dirs}/kded5rc* rwl, + owner @{user_config_dirs}/kded5rc.lock rwk, owner @{user_config_dirs}/kdedefaults/{,**} r, owner @{user_config_dirs}/kdeglobals r, owner @{user_config_dirs}/khotkeysrc.lock rwk, owner @{user_config_dirs}/khotkeysrc* rwl, owner @{user_config_dirs}/ktimezonedrc r, - owner @{user_config_dirs}/kwinrc r, + owner @{user_config_dirs}/kwinrc* rwl, + owner @{user_config_dirs}/kwinrc.lock rwk, owner @{user_config_dirs}/kxkbrc r, - owner @{user_config_dirs}/libaccounts-glib/accounts.db{,-shm,-wal} rwk, + owner @{user_config_dirs}/libaccounts-glib/ rw, + owner @{user_config_dirs}/libaccounts-glib/accounts.db{,-shm,-wal,-journal} rwk, owner @{user_config_dirs}/xsettingsd/{,**} rw, owner @{user_share_dirs}/icc/{,edid-*} r, @@ -117,6 +120,7 @@ profile kded5 @{exec_path} { @{PROC}/@{pids}/stat r, @{PROC}/sys/kernel/osrelease r, @{PROC}/uptime r, + @{PROC}/@{pids}/cgroup r, include if exists } diff --git a/apparmor.d/groups/kde/kwin_x11 b/apparmor.d/groups/kde/kwin_x11 index 97402727..6868740a 100644 --- a/apparmor.d/groups/kde/kwin_x11 +++ b/apparmor.d/groups/kde/kwin_x11 @@ -28,7 +28,7 @@ profile kwin_x11 @{exec_path} { @{bin}/{,ba,da}sh rix, @{lib}/kwin_killer_helper rix, - @{lib}/drkonqi rPx, + @{lib}/drkonqi rPx, /usr/share/hwdata/pnp.ids r, /usr/share/icu/[0-9]*.[0-9]*/*.dat r, diff --git a/apparmor.d/groups/kde/plasma-discover b/apparmor.d/groups/kde/plasma-discover index 2263f876..651d6db8 100644 --- a/apparmor.d/groups/kde/plasma-discover +++ b/apparmor.d/groups/kde/plasma-discover 
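Review bot: In the second kded5 hunk, `@{PROC}/@{pids}/cgroup r,` has no `owner` qualifier, so kded5 can read the cgroup membership of any process, not only the user's own. If only the session's processes are inspected, `owner @{PROC}/@{pids}/cgroup r,` would be narrower; the hunk does not show which is needed. The rule is also appended after `@{PROC}/uptime r,`, which breaks the sorted order of the neighbouring `@{PROC}` rules; it belongs above `@{PROC}/@{pids}/stat r,`. The profile body continues outside the hunk.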
@@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/plasma-discover profile plasma-discover @{exec_path} { include + include include include include @@ -43,7 +44,7 @@ profile plasma-discover @{exec_path} { /var/lib/flatpak/repo/{,**} r, /var/lib/flatpak/appstream/{,**} r, - owner @{user_cache_dirs}/discover/{,**} rw, + owner @{user_cache_dirs}/discover/{,**} rwl, owner @{user_cache_dirs}/appstream/*.xb r, owner @{user_cache_dirs}/appstream/ r, diff --git a/apparmor.d/groups/kde/sddm b/apparmor.d/groups/kde/sddm index 556d8050..6ca6a498 100644 --- a/apparmor.d/groups/kde/sddm +++ b/apparmor.d/groups/kde/sddm @@ -60,14 +60,15 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{bin}/xauth rCx -> xauth, @{bin}/xsetroot rPx, - @{etc_ro}/X11/xdm/Xsession rPx, @{bin}/dbus-update-activation-environment rCx -> dbus, @{bin}/gnome-keyring-daemon rPx, @{bin}/kwalletd5 rPx, + @{bin}/startplasma-wayland rPx, @{bin}/startplasma-x11 rPx, @{bin}/systemctl rPx -> child-systemctl, @{bin}/xrdb rPx, @{bin}/xset rPx, + @{etc_ro}/X11/xdm/Xsession rPx, /usr/etc/X11/xdm/Xsetup rix, /usr/share/sddm/scripts/wayland-session rix,
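Review bot: In the sddm hunk, `@{bin}/startplasma-wayland rPx,` only works if a profile that attaches to startplasma-wayland is loaded. With plain `Px` and no target profile, the exec is refused rather than run under another profile. This diff adds no such profile, so confirm one already exists in the tree; otherwise Wayland session start from sddm will be denied once this profile is enforced. A short comment above the line, such as `# requires the startplasma profile to be loaded`, would record the dependency.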