From dcf92e8e885fd1d6d5d9c42a35671df62dd7de20 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 4 Jul 2024 21:38:46 +0100 Subject: [PATCH] feat(profile): update kde profiles. --- apparmor.d/groups/bus/dbus-session | 2 +- apparmor.d/groups/kde/DiscoverNotifier | 11 +++-- apparmor.d/groups/kde/baloo | 3 ++ apparmor.d/groups/kde/dolphin | 3 ++ .../groups/kde/drkonqi-coredump-processor | 4 +- apparmor.d/groups/kde/kbuildsycoca5 | 2 +- .../groups/kde/kde-systemd-start-condition | 3 ++ apparmor.d/groups/kde/kded | 1 + apparmor.d/groups/kde/kglobalacceld | 8 +++- apparmor.d/groups/kde/ksmserver | 2 +- apparmor.d/groups/kde/kwin_x11 | 13 ++++-- apparmor.d/groups/kde/plasmashell | 3 ++ apparmor.d/groups/kde/sddm | 1 + apparmor.d/groups/kde/systemsettings | 40 ++++++++++++++++--- apparmor.d/profiles-m-r/qdbus | 18 +++++++++ 15 files changed, 94 insertions(+), 20 deletions(-) create mode 100644 apparmor.d/profiles-m-r/qdbus diff --git a/apparmor.d/groups/bus/dbus-session b/apparmor.d/groups/bus/dbus-session index 88266bcb..423df6a2 100644 --- a/apparmor.d/groups/bus/dbus-session +++ b/apparmor.d/groups/bus/dbus-session @@ -11,7 +11,7 @@ abi , include -@{exec_path} = @{bin}/dbus-run-session +@{exec_path} = @{bin}/dbus-run-session @{bin}/dbus-update-activation-environment @{exec_path} += @{bin}/dbus-broker @{bin}/dbus-broker-launch @{exec_path} += @{bin}/dbus-daemon @{lib}/dbus-1{,.0}/dbus-daemon-launch-helper profile dbus-session flags=(attach_disconnected) { diff --git a/apparmor.d/groups/kde/DiscoverNotifier b/apparmor.d/groups/kde/DiscoverNotifier index 972173e6..9b305e5f 100644 --- a/apparmor.d/groups/kde/DiscoverNotifier +++ b/apparmor.d/groups/kde/DiscoverNotifier @@ -10,6 +10,7 @@ include @{exec_path} += @{lib}/@{multiarch}/{,libexec/}DiscoverNotifier profile DiscoverNotifier @{exec_path} { include + include include include include 
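Review bot: `@{exec_path} = @{bin}/dbus-run-session @{bin}/dbus-update-activation-environment` folds the activation-environment helper into the same profile that confines dbus-daemon and dbus-broker (`flags=(attach_disconnected)`), so the helper gets every rule the bus daemons need rather than the few it uses, and the sddm hunk on this page hands it over with `rPx -> dbus-session`. A dedicated minimal profile, in the shape of the new `qdbus` one in this commit, would give it a tighter boundary and keep the daemon profile from growing to fit it. The `include` lines of this hunk have lost their targets on this page, so what abstractions the profile pulls in cannot be checked here; the profile body continues outside the hunk.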
@@ -41,7 +42,7 @@ profile DiscoverNotifier @{exec_path} { /var/cache/swcatalog/cache/ w, owner @{user_cache_dirs}/appstream/ r, - owner @{user_cache_dirs}/appstream/** r, + owner @{user_cache_dirs}/appstream/** rw, owner @{user_cache_dirs}/flatpak/{,**} rw, owner @{user_cache_dirs}/icon-cache.kcache rw, @@ -53,7 +54,9 @@ profile DiscoverNotifier @{exec_path} { owner @{user_share_dirs}/flatpak/{,**} rw, - owner @{tmp}/ostree-gpg-*/ rw, + owner @{tmp}/ostree-gpg-@{rand6}/ rw, + owner @{tmp}/ostree-gpg-@{rand6}/pubring.gpg rw, + owner @{tmp}/ostree-gpg-@{rand6}/trustdb.gpg rw, /dev/tty r, @@ -67,8 +70,8 @@ profile DiscoverNotifier @{exec_path} { @{HOME}/@{XDG_GPG_DIR}/*.conf r, @{tmp}/ r, - owner @{tmp}/ostree-gpg-*/ r, - owner @{tmp}/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**, + owner @{tmp}/ostree-gpg-@{rand6}/ r, + owner @{tmp}/ostree-gpg-@{rand6}/** rwkl -> /tmp/ostree-gpg-*/**, owner @{run}/user/@{uid}/gnupg/ w, diff --git a/apparmor.d/groups/kde/baloo b/apparmor.d/groups/kde/baloo index 0fdfa391..3b5efe38 100644 --- a/apparmor.d/groups/kde/baloo +++ b/apparmor.d/groups/kde/baloo @@ -42,6 +42,9 @@ profile baloo @{exec_path} { owner @{user_share_dirs}/baloo/{,**} rwk, + @{sys}/bus/ r, + @{sys}/bus/*/devices/ r, + owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/mountinfo r, diff --git a/apparmor.d/groups/kde/dolphin b/apparmor.d/groups/kde/dolphin index bb5ab9fe..89e5685d 100644 --- a/apparmor.d/groups/kde/dolphin +++ b/apparmor.d/groups/kde/dolphin @@ -86,6 +86,9 @@ profile dolphin @{exec_path} { owner @{run}/user/@{uid}/dolphin@{rand6}.@{int}.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int}, owner @{run}/user/@{uid}/#@{int} rw, + @{sys}/bus/ r, + @{sys}/bus/*/devices/ r, + owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/groups/kde/drkonqi-coredump-processor b/apparmor.d/groups/kde/drkonqi-coredump-processor index bfe6ec10..f014b671 100644 --- a/apparmor.d/groups/kde/drkonqi-coredump-processor 
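Review bot: In the last hunk of DiscoverNotifier the link target of `owner @{tmp}/ostree-gpg-@{rand6}/** rwkl -> /tmp/ostree-gpg-*/**,` was not tightened together with its source: it still uses a bare `/tmp` and a `*` wildcard while the source side now uses `@{tmp}` and `@{rand6}`, so links may still be created under any `ostree-gpg-*` name, and the rule stops matching if `@{tmp}` expands to something other than `/tmp`. Suggest `owner @{tmp}/ostree-gpg-@{rand6}/** rwkl -> @{tmp}/ostree-gpg-@{rand6}/**,`. The earlier hunk of this file already grants `owner @{tmp}/ostree-gpg-@{rand6}/ rw,`, so the `r` on the same directory added here is redundant. The profile body continues outside these hunks.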
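Review bot: `@{sys}/bus/*/devices/ r,` in baloo lists the device directory of every bus, while the systemsettings profile on this same page carries the narrower `@{sys}/bus/cpu/devices/ r,`. If the indexer only walks one bus (presumably through a device-enumeration library; not verifiable from the hunk), naming that bus is preferable to the wildcard; the identical two lines are added to dolphin in the next hunk and the same applies there. Both profile bodies continue outside their hunks.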
+++ b/apparmor.d/groups/kde/drkonqi-coredump-processor @@ -24,9 +24,9 @@ profile drkonqi-coredump-processor @{exec_path} { /{run,var}/log/journal/ r, /{run,var}/log/journal/@{hex32}/ r, /{run,var}/log/journal/@{hex32}/system.journal r, - /{run,var}/log/journal/@{hex32}/system@@{hex32}-@{hex16}-@{hex16}.journal r, + /{run,var}/log/journal/@{hex32}/system@@{hex32}-@{hex16}-@{hex16}.journal* r, /{run,var}/log/journal/@{hex32}/user-@{uid}.journal r, - /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex32}-@{hex16}-@{hex16}.journal r, + /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex32}-@{hex16}-@{hex16}.journal* r, /{run,var}/log/journal/remote/ r, include if exists diff --git a/apparmor.d/groups/kde/kbuildsycoca5 b/apparmor.d/groups/kde/kbuildsycoca5 index 5bd97e1a..8d9fa0bc 100644 --- a/apparmor.d/groups/kde/kbuildsycoca5 +++ b/apparmor.d/groups/kde/kbuildsycoca5 @@ -15,7 +15,7 @@ profile kbuildsycoca5 @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - owner @{user_cache_dirs}/ksycoca5_* rw, + owner @{user_cache_dirs}/ksycoca{5,6}_* rw, owner link @{user_cache_dirs}/ksycoca5_* -> @{user_cache_dirs}/#@{int}, /dev/tty r, diff --git a/apparmor.d/groups/kde/kde-systemd-start-condition b/apparmor.d/groups/kde/kde-systemd-start-condition index 8f368ef7..a913dba6 100644 --- a/apparmor.d/groups/kde/kde-systemd-start-condition +++ b/apparmor.d/groups/kde/kde-systemd-start-condition @@ -16,6 +16,9 @@ profile kde-systemd-start-condition @{exec_path} { /usr/share/desktop-base/kf{5,6}-settings/baloofilerc r, owner @{user_config_dirs}/baloofilerc r, + owner @{user_config_dirs}/kalendaracrc r, + owner @{user_config_dirs}/kgpgrc r, + owner @{user_config_dirs}/kmixrc r, owner @{user_config_dirs}/konquerorrc r, owner @{user_config_dirs}/plasma-welcomerc r, diff --git a/apparmor.d/groups/kde/kded b/apparmor.d/groups/kde/kded index 6fc97403..e0cc7f5b 100644 --- a/apparmor.d/groups/kde/kded +++ b/apparmor.d/groups/kde/kded 
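Review bot: `system@@{hex32}-@{hex16}-@{hex16}.journal* r,` and the matching `user-@{uid}@…journal* r,` line widen the suffix with a bare `*`, which matches any trailing characters; if the intent is the `.journal~` names systemd gives rotated or corrupted journal files, `.journal{,~}` states that exactly, e.g. `/{run,var}/log/journal/@{hex32}/system@@{hex32}-@{hex16}-@{hex16}.journal{,~} r,`. A short comment naming the `~` case would save the next reader the guess. The profile body continues outside the hunk.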
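Review bot: In kbuildsycoca5 the `rw` rule was widened to `ksycoca{5,6}_*`, but the context line directly below, `owner link @{user_cache_dirs}/ksycoca5_* -> @{user_cache_dirs}/#@{int},`, still matches only the 5 variant, so whichever save path relies on that link rule keeps being denied for the KF6 cache name. Widen it the same way: `owner link @{user_cache_dirs}/ksycoca{5,6}_* -> @{user_cache_dirs}/#@{int},`. The profile body continues outside the hunk.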
@@ -157,6 +157,7 @@ profile kded @{exec_path} { @{PROC}/@{pids}/fdinfo/@{int} r, @{PROC}/@{pids}/fd/info/@{int} r, @{PROC}/sys/fs/inotify/max_user_{instances,watches} r, + owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/groups/kde/kglobalacceld b/apparmor.d/groups/kde/kglobalacceld index 85ff38d6..1995838c 100644 --- a/apparmor.d/groups/kde/kglobalacceld +++ b/apparmor.d/groups/kde/kglobalacceld @@ -18,10 +18,16 @@ profile kglobalacceld @{exec_path} { /usr/share/kglobalaccel/{,**} r, /etc/machine-id r, + /etc/xdg/menus/ r, + + owner @{user_cache_dirs}/ksycoca{5,6}_* rw, owner @{user_config_dirs}/#@{int} rw, - owner @{user_config_dirs}/kglobalshortcutsrc* rwl, owner @{user_config_dirs}/kglobalshortcutsrc.lock rwk, + owner @{user_config_dirs}/kglobalshortcutsrc* rwl, + owner @{user_config_dirs}/khotkeysrc r, + owner @{user_config_dirs}/menus/ r, + owner @{user_config_dirs}/menus/applications-merged/ r, /dev/tty r, diff --git a/apparmor.d/groups/kde/ksmserver b/apparmor.d/groups/kde/ksmserver index 08db5687..b7e1858d 100644 --- a/apparmor.d/groups/kde/ksmserver +++ b/apparmor.d/groups/kde/ksmserver @@ -57,7 +57,7 @@ profile ksmserver @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{user_config_dirs}/ksmserverrc.@{rand6} rwl, owner @{user_config_dirs}/ksmserverrc.lock rwk, owner @{user_config_dirs}/menus/ r, - # owner @{user_config_dirs}/session/*_[0-9]*_[0-9]*_[0-9]* rw, + owner @{user_config_dirs}/session/*_[0-9]*_[0-9]*_[0-9]* rw, owner @{user_share_dirs}/kservices{5,6}/ r, owner @{user_share_dirs}/kservices{5,6}/ServiceMenus/ r, diff --git a/apparmor.d/groups/kde/kwin_x11 b/apparmor.d/groups/kde/kwin_x11 index f53e9803..a52a2233 100644 --- a/apparmor.d/groups/kde/kwin_x11 +++ b/apparmor.d/groups/kde/kwin_x11 @@ -14,6 +14,7 @@ profile kwin_x11 @{exec_path} { include include include + include network inet dgram, network inet6 dgram, 
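Review bot: In kglobalacceld, `owner @{user_cache_dirs}/ksycoca{5,6}_* rw,` gives the shortcut daemon write access to the sycoca cache file that kbuildsycoca5 (also touched in this commit) is the designated writer of and that other KDE processes load. If kglobalacceld only reads the cache, `r` is enough; if it really rebuilds it, the `link … -> @{user_cache_dirs}/#@{int}` handling present in kbuildsycoca5 is missing here too, so a denial on the save path is likely. A one-line comment stating which of the two is the case would make the `w` reviewable. The profile body continues outside the hunk.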
@@ -32,30 +33,34 @@ profile kwin_x11 @{exec_path} { /usr/share/plasma/desktoptheme/{,**} r, /etc/machine-id r, - /etc/xdg/kcminputrc r, /etc/xdg/plasmarc r, owner @{user_cache_dirs}/ r, owner @{user_cache_dirs}/#@{int} rw, owner @{user_cache_dirs}/icon-cache.kcache rw, owner @{user_cache_dirs}/kcrash-metadata/*.ini rw, + owner @{user_cache_dirs}/ksvg-elements r, owner @{user_cache_dirs}/kwin/{,**} rwl, - owner @{user_cache_dirs}/plasmarc r, owner @{user_cache_dirs}/plasma_theme_*.kcache rw, owner @{user_cache_dirs}/plasma-svgelements rw, owner @{user_cache_dirs}/plasma-svgelements.@{rand6} rwl -> @{user_cache_dirs}/#@{int}, owner @{user_cache_dirs}/plasma-svgelements.lock rwk, + owner @{user_cache_dirs}/plasmarc r, owner @{user_cache_dirs}/session/#@{int} rw, owner @{user_config_dirs}/#@{int} rw, - owner @{user_config_dirs}/kcminputrc r, + owner @{user_config_dirs}/kdedefaults/plasmarc r, + owner @{user_config_dirs}/kwinoutputconfig.json r, owner @{user_config_dirs}/kwinrc.lock rwk, owner @{user_config_dirs}/kwinrc{,.@{rand6}} rwl, owner @{user_config_dirs}/kwinrulesrc r, owner @{user_config_dirs}/kxkbrc r, - owner @{user_config_dirs}/session/kwin_* rwk, owner @{user_config_dirs}/plasmarc r, owner @{user_config_dirs}/session/#@{int} rw, + owner @{user_config_dirs}/session/kwin_* rwk, + + owner @{user_share_dirs}/kwin/scripts/ r, + owner @{tmp}/#@{int} rw, owner @{tmp}/kwin.@{rand6} rwl, diff --git a/apparmor.d/groups/kde/plasmashell b/apparmor.d/groups/kde/plasmashell index e4cde431..9a21b9df 100644 --- a/apparmor.d/groups/kde/plasmashell +++ b/apparmor.d/groups/kde/plasmashell @@ -56,6 +56,9 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { #aa:exec kioworker + /opt/**/share/icons/{,**} r, + /opt/*/**/*.desktop r, + /opt/*/**/*.png r, /usr/share/akonadi/{,**} r, /usr/share/desktop-base/{,**} r, /usr/share/desktop-directories/kf5-*.directory r, diff --git a/apparmor.d/groups/kde/sddm b/apparmor.d/groups/kde/sddm index 8aea34ad..1b52954d 100644 
--- a/apparmor.d/groups/kde/sddm +++ b/apparmor.d/groups/kde/sddm @@ -88,6 +88,7 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{bin}/xmodmap rix, @{bin}/dbus-run-session rPx -> dbus-session, + @{bin}/dbus-update-activation-environment rPx -> dbus-session, @{bin}/flatpak rPx, @{bin}/gnome-keyring-daemon rPx, @{bin}/kwalletd{5,6} rPx, diff --git a/apparmor.d/groups/kde/systemsettings b/apparmor.d/groups/kde/systemsettings index 8de52a49..ffcf9378 100644 --- a/apparmor.d/groups/kde/systemsettings +++ b/apparmor.d/groups/kde/systemsettings @@ -14,14 +14,27 @@ profile systemsettings @{exec_path} { include include include + include network netlink raw, + signal send set=term peer=kioworker, + @{exec_path} mr, + @{bin}/cat rix, @{bin}/kcminit rPx, + @{bin}/lspci rPx, + @{bin}/openssl rix, + @{bin}/pactl rPx, + @{bin}/plasma-discover rPx, + @{bin}/plasmashell rPx, + @{bin}/xdpyinfo rPUx, + @{lib}/qt{5,6}/bin/qdbus rPx, + #aa:exec kioworker /usr/share/kcm_networkmanagement/{,**} r, + /usr/share/kcm_recentFiles/{,**} r, /usr/share/kcmkeys/{,*.kksrc} r, /usr/share/kglobalaccel/* r, /usr/share/kinfocenter/{,**} r, @@ -29,15 +42,18 @@ profile systemsettings @{exec_path} { /usr/share/kpackage/{,**} r, /usr/share/kservices{5,6}/{,**} r, /usr/share/kservicetypes5/{,**} r, + /usr/share/kwin/{,**} r, /usr/share/kxmlgui5/systemsettings/systemsettingsui.rc r, /usr/share/plasma/{,**} r, /usr/share/sddm/themes/{,**} r, /usr/share/sddm/themes/{,**} r, /usr/share/systemsettings/{,**} r, + /usr/share/wallpapers/{,**} r, /etc/fstab r, /etc/machine-id r, /etc/xdg/menus/{,applications-merged/} r, + /etc/xdg/plasmanotifyrc r, /etc/xdg/ui/ui_standards.rc r, /var/lib/dbus/machine-id r, 
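Review bot: In the first systemsettings hunk, `@{bin}/xdpyinfo rPUx,` falls back to running xdpyinfo unconfined whenever no xdpyinfo profile is loaded, which is the weakest transition in this block; if it is only used to query the display, `rix` (as chosen for `cat` and `openssl` here) keeps it inside this profile, otherwise `rPx` with a dedicated profile is the safer default. `@{bin}/openssl rix,` runs openssl with the whole systemsettings rule set, including every config and database rule in the next hunk; if it exists to generate the krdpserver certificate (an inference from the `krdpserver/` rule added later in this file), a child profile limited to that directory would be cleaner. The include added at the top of the hunk has lost its target on this page; the profile body continues outside the hunk.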
@@ -52,23 +68,35 @@ profile systemsettings @{exec_path} { owner @{user_cache_dirs}/systemsettings/ rw, owner @{user_cache_dirs}/systemsettings/** rwlk -> @{user_cache_dirs}/systemsettings/**, + owner @{user_config_dirs}/{P,p}lasma* r, owner @{user_config_dirs}/#@{int} rw, - owner @{user_config_dirs}/khotkeysrc r, - owner @{user_config_dirs}/menus/ r, - owner @{user_config_dirs}/plasmarc r, + owner @{user_config_dirs}/kactivitymanagerdrc r, owner @{user_config_dirs}/kde.org/{,**} rwlk, + owner @{user_config_dirs}/kdedefaults/kscreenlockerrc r, owner @{user_config_dirs}/kdedefaults/plasmarc r, + owner @{user_config_dirs}/khotkeysrc r, owner @{user_config_dirs}/kinfocenterrc* rwlk, + owner @{user_config_dirs}/kscreenlockerrc r, + owner @{user_config_dirs}/kxkbrc r, + owner @{user_config_dirs}/menus/ r, + owner @{user_config_dirs}/menus/applications-merged/ r, + owner @{user_config_dirs}/plasmarc r, + owner @{user_config_dirs}/session/ rw, + owner @{user_config_dirs}/session/** rwlk, owner @{user_config_dirs}/systemsettingsrc.lock rwk, owner @{user_config_dirs}/systemsettingsrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, - owner @{user_share_dirs}/kservices5/{,ServiceMenus/} r, - owner @{user_share_dirs}/kactivitymanagerd/resources/database rk, + owner @{user_share_dirs}/kactivitymanagerd/resources/database rwk, owner @{user_share_dirs}/kactivitymanagerd/resources/database-shm rwk, owner @{user_share_dirs}/kactivitymanagerd/resources/database-wal rw, - + owner @{user_share_dirs}/kinfocenter/ rw, + owner @{user_share_dirs}/kinfocenter/** rwlk, + owner @{user_share_dirs}/knotifications{5,6}/{,**} r, + owner @{user_share_dirs}/krdpserver/ rw, + owner @{user_share_dirs}/kservices{5,6}/{,ServiceMenus/} r, owner @{user_share_dirs}/systemsettings/ rw, owner @{user_share_dirs}/systemsettings/** rwlk, + owner @{user_share_dirs}/wallpapers/{,**} r, @{sys}/bus/ r, @{sys}/bus/cpu/devices/ r, 
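Review bot: `owner @{user_share_dirs}/krdpserver/ rw,` grants the directory entry only, not the files inside it, so if the KCM writes certificate or key material there (suggested by the `openssl rix` in the earlier hunk, not provable from this one) those writes will still be denied; if that is the case, name the files explicitly rather than `krdpserver/** rw`, since they are secrets. The new `owner @{user_config_dirs}/{P,p}lasma* r,` already matches `plasmarc`, so the `owner @{user_config_dirs}/plasmarc r,` re-added further down is redundant and can be dropped. `owner @{user_config_dirs}/session/** rwlk,` gives systemsettings write access to every application's saved session state; if only one file is needed it is worth narrowing. The profile body continues outside the hunk.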
diff --git a/apparmor.d/profiles-m-r/qdbus b/apparmor.d/profiles-m-r/qdbus
new file mode 100644
index 00000000..f8e028b8
--- /dev/null
+++ b/apparmor.d/profiles-m-r/qdbus
@@ -0,0 +1,18 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/qdbus @{lib}/qt{5,6}/bin/qdbus
+profile qdbus @{exec_path} {
+ include
+
+ @{exec_path} mr,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
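Review bot: The new qdbus profile holds no D-Bus rules at all, only one include (its target is not visible on this page) and `@{exec_path} mr,`, yet the tool's sole purpose is to send calls on the session or system bus; on a bus daemon that enforces AppArmor mediation every call will be denied, and systemsettings now transitions into this profile with `@{lib}/qt{5,6}/bin/qdbus rPx`. Either the bus abstractions are meant to follow in a later commit, which a `# TODO` comment in the profile should say, or the first run should be checked in complain mode so the denials are visible. The header also reads `Copyright (C) 2023` for a file created by a July 2024 commit; `Copyright (C) 2024` would match.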