feat(kde): improve kde integration (wip).

apparmor.d/groups/kde/kactivitymanagerd

@@ -18,14 +18,17 @@ profile kactivitymanagerd @{exec_path} {
   /usr/share/icu/[0-9]*.[0-9]*/*.dat r,
 
   /etc/xdg/kdeglobals r,
+  /etc/machine-id r,
 
   owner @{user_config_dirs}/kdedefaults/kdeglobals r,
   owner @{user_config_dirs}/kdeglobals r,
   owner @{user_config_dirs}/kactivitymanagerdrc r,
+  owner @{user_config_dirs}/kactivitymanagerdrc.lock rwk,
 
   owner @{user_share_dirs}/kactivitymanagerd/{,**} rwlk,
 
   @{PROC}/sys/kernel/core_pattern r,
+  @{PROC}/sys/kernel/random/boot_id r,
 
   /dev/tty r,
 

apparmor.d/groups/kde/kcminit

@@ -33,8 +33,10 @@ profile kcminit @{exec_path} {
   owner @{user_config_dirs}/kcminputrc r,
   owner @{user_config_dirs}/kdedefaults/kcminputrc r,
   owner @{user_config_dirs}/kdedefaults/kdeglobals r,
+  owner @{user_config_dirs}/kdedefaults/kwinrc r,
   owner @{user_config_dirs}/kdeglobals r,
   owner @{user_config_dirs}/kgammarc r,
+  owner @{user_config_dirs}/kwinrc r,
   owner @{user_config_dirs}/touchpadrc r,
   owner @{user_config_dirs}/Trolltech.conf.lock rwk,
   owner @{user_config_dirs}/Trolltech.conf{,.??????} rwl,

apparmor.d/groups/kde/kconf_update

@@ -9,17 +9,37 @@ include <tunables/global>
 @{exec_path} = @{lib}/kf5/kconf_update
 profile kconf_update @{exec_path} {
   include <abstractions/base>
+  include <abstractions/perl>
+  include <abstractions/python>
 
   @{exec_path} mr,
 
+  @{bin}/{,ba,da}sh                      rix,
+  @{bin}/grep                            rix,
+  @{bin}/qtpaths                         rix,
+  @{bin}/sed                             rix,
+
+  @{lib}/kconf_update_bin/breeze*                                  rix,
+  @{lib}/kconf_update_bin/konsole_show_menubar                     rix,
+  @{lib}/kconf_update_bin/krunnerglobalshortcuts                   rix,
+  @{lib}/kconf_update_bin/krunnerhistory                           rix,
+  @{lib}/kconf_update_bin/plasmashell-*                            rix,
+  /usr/share/kconf_update/kcminputrc_migrate_repeat_value.py       rix,
+  /usr/share/kconf_update/konsole_add_hamburgermenu_to_toolbar.sh  rix,
+
   /usr/share/kconf_update/{,**} r,
   /usr/share/icu/[0-9]*.[0-9]*/*.dat r,
 
   /etc/xdg/kdeglobals r,
 
+  owner @{user_config_dirs}/#[0-9]* rw,
   owner @{user_config_dirs}/kconf_updaterc r,
+  owner @{user_config_dirs}/kconf_updaterc* rwl,
   owner @{user_config_dirs}/kdedefaults/kdeglobals r,
-  owner @{user_config_dirs}/kdeglobals r,
+  owner @{user_config_dirs}/kdeglobals* rwl,
+
+  owner /tmp/#[0-9]* rw,
+  owner /tmp/kconf_update.?????? rw,
 
   include if exists <local/kconf_update>
 }

apparmor.d/groups/kde/kde-powerdevil

@@ -25,13 +25,16 @@ profile kde-powerdevil @{exec_path} flags=(attach_disconnected) {
 
   /etc/fstab r,
   /etc/xdg/kdeglobals r,
+  /etc/machine-id r,
 
   owner @{user_cache_dirs}/kcrash-metadata/{,*} rw,
 
+  owner @{user_config_dirs}/#[0-9]* rw,
   owner @{user_config_dirs}/kdedefaults/kdeglobals r,
   owner @{user_config_dirs}/kdeglobals r,
-  owner @{user_config_dirs}/powerdevilrc r,
+  owner @{user_config_dirs}/powerdevilrc rwl,
   owner @{user_config_dirs}/powermanagementprofilesrc r,
+  owner @{user_config_dirs}/powermanagementprofilesrc.lock rwk,
 
         @{run}/systemd/inhibit/*.ref rw,
   owner @{run}/user/@{uid}kcrash_[0-9]* rw,

apparmor.d/groups/kde/kded5

@@ -69,15 +69,18 @@ profile kded5 @{exec_path} {
   owner @{user_config_dirs}/gtk-{3,4}.0/{,**} rwl,
   owner @{user_config_dirs}/kcminputrc r,
   owner @{user_config_dirs}/kconf_updaterc r,
-  owner @{user_config_dirs}/kded5rc r,
+  owner @{user_config_dirs}/kded5rc* rwl,
+  owner @{user_config_dirs}/kded5rc.lock rwk,
   owner @{user_config_dirs}/kdedefaults/{,**} r,
   owner @{user_config_dirs}/kdeglobals r,
   owner @{user_config_dirs}/khotkeysrc.lock rwk,
   owner @{user_config_dirs}/khotkeysrc* rwl,
   owner @{user_config_dirs}/ktimezonedrc r,
-  owner @{user_config_dirs}/kwinrc r,
+  owner @{user_config_dirs}/kwinrc* rwl,
+  owner @{user_config_dirs}/kwinrc.lock rwk,
   owner @{user_config_dirs}/kxkbrc r,
-  owner @{user_config_dirs}/libaccounts-glib/accounts.db{,-shm,-wal} rwk,
+  owner @{user_config_dirs}/libaccounts-glib/ rw,
+  owner @{user_config_dirs}/libaccounts-glib/accounts.db{,-shm,-wal,-journal} rwk,
   owner @{user_config_dirs}/xsettingsd/{,**} rw,
 
   owner @{user_share_dirs}/icc/{,edid-*} r,
@@ -117,6 +120,7 @@ profile kded5 @{exec_path} {
     @{PROC}/@{pids}/stat r,
     @{PROC}/sys/kernel/osrelease r,
     @{PROC}/uptime r,
+    @{PROC}/@{pids}/cgroup r,
 
     include if exists <local/kded5_pgrep>
   }

apparmor.d/groups/kde/plasma-discover

@@ -9,6 +9,7 @@ include <tunables/global>
 @{exec_path} = @{bin}/plasma-discover
 profile plasma-discover @{exec_path} {
   include <abstractions/base>
+  include <abstractions/fonts>
   include <abstractions/mesa>
   include <abstractions/nameservice-strict>
   include <abstractions/openssl>
@@ -43,7 +44,7 @@ profile plasma-discover @{exec_path} {
   /var/lib/flatpak/repo/{,**} r,
   /var/lib/flatpak/appstream/{,**} r,
 
-  owner @{user_cache_dirs}/discover/{,**} rw,
+  owner @{user_cache_dirs}/discover/{,**} rwl,
   owner @{user_cache_dirs}/appstream/*.xb r,
   owner @{user_cache_dirs}/appstream/ r,
 

apparmor.d/groups/kde/sddm

@@ -60,14 +60,15 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) {
   @{bin}/xauth        rCx -> xauth,
   @{bin}/xsetroot     rPx,
 
-  @{etc_ro}/X11/xdm/Xsession  rPx,
   @{bin}/dbus-update-activation-environment rCx -> dbus,
   @{bin}/gnome-keyring-daemon rPx,
   @{bin}/kwalletd5            rPx,
+  @{bin}/startplasma-wayland  rPx,
   @{bin}/startplasma-x11      rPx,
   @{bin}/systemctl            rPx -> child-systemctl,
   @{bin}/xrdb                 rPx,
   @{bin}/xset                 rPx,
+  @{etc_ro}/X11/xdm/Xsession  rPx,
 
   /usr/etc/X11/xdm/Xsetup                 rix,
   /usr/share/sddm/scripts/wayland-session rix,