diff --git a/apparmor.d/groups/bus/dbus-daemon b/apparmor.d/groups/bus/dbus-daemon index 5583f58c..8e59372c 100644 --- a/apparmor.d/groups/bus/dbus-daemon +++ b/apparmor.d/groups/bus/dbus-daemon @@ -43,10 +43,11 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) { @{libexec}/{,at-spi2{,-core}/}at-spi2-registryd rPx, @{libexec}/* rPUx, @{libexec}/gnome-shell/gnome-shell-calendar-server rPx, + @{libexec}/kauth/* rPx, @{libexec}/kf5/kiod5 rPUx, @{libexec}/xfce[0-9]/xfconf/xfconfd rPx, /{usr/,}bin/[a-z0-9]* rPUx, - /{usr/,}lib{,exec}/dbus-1*/dbus-daemon-launch-helper rPx, + /{usr/,}lib{,exec}/dbus-1*/dbus-daemon-launch-helper rPx, /{usr/,}lib/@{multiarch}/tumbler-1/tumblerd rPUx, /{usr/,}lib/@{multiarch}/xfce[0-9]/xfconf/xfconfd rPx, /{usr/,}lib/atril/atrild rPx, diff --git a/apparmor.d/groups/bus/dbus-daemon-launch-helper b/apparmor.d/groups/bus/dbus-daemon-launch-helper index 1ebb8a13..607a3678 100644 --- a/apparmor.d/groups/bus/dbus-daemon-launch-helper +++ b/apparmor.d/groups/bus/dbus-daemon-launch-helper @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}lib/dbus-1.0/dbus-daemon-launch-helper +@{exec_path} = /{usr/,}lib{,exec}/dbus-1*/dbus-daemon-launch-helper profile dbus-daemon-launch-helper @{exec_path} { include include @@ -19,10 +19,7 @@ profile dbus-daemon-launch-helper @{exec_path} { @{exec_path} mr, @{libexec}/{,cups-pk-helper/}cups-pk-helper-mechanism rPx, - @{libexec}/kauth/backlighthelper rPx, - @{libexec}/kauth/chargethresholdhelper rPx, - @{libexec}/kauth/discretegpuhelper rPx, - @{libexec}/kauth/kded-smart-helper rPx, + @{libexec}/kauth/* rPx, @{libexec}/language-selector/ls-dbus-backend rPx, /{usr/,}lib/@{multiarch}/cups-pk-helper-mechanism rPx, /{usr/,}lib/software-properties/software-properties-dbus rPx, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal index 3fd33bb7..13540f1f 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal 
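Review bot: The new `@{libexec}/kauth/* rPx,` line in the dbus-daemon profile is surprising, because KAuth helpers are system-bus services that are normally started through dbus-daemon-launch-helper (the setuid helper this same profile already transitions to with `rPx`), not exec'd by dbus-daemon itself. If the rule came from a denial seen on the session-bus instance, it is worth confirming which helper was started that way before keeping a wide glob on a privileged-helper directory. A one-line comment naming the caller would help, e.g. `# kauth helpers are normally activated via dbus-daemon-launch-helper; direct exec observed for <service>`. Since `Px` denies the exec when no matching profile exists, the glob does not widen beyond helpers that already have a kauth-* profile.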
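Review bot: The attachment path `@{exec_path} = /{usr/,}lib{,exec}/dbus-1*/dbus-daemon-launch-helper` uses an open-ended `dbus-1*`, so any sibling directory whose name starts with `dbus-1` would attach this profile to a binary of that name. The two layouts that actually exist are `dbus-1/` and `dbus-1.0/`, so `/{usr/,}lib{,exec}/dbus-1{,.0}/dbus-daemon-launch-helper` covers both without the wildcard; the matching exec rule in the dbus-daemon profile would need the same spelling so that `Px` still resolves.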
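Review bot: Replacing the four explicit kauth helper paths with `@{libexec}/kauth/* rPx,` changes how a helper without a profile fails: with `Px` the exec is denied outright, so a newly installed KDE helper with no matching kauth-* profile stops working without any rule in this file pointing at it. That is the safe direction for a setuid-root launcher, but it deserves a comment so the next denial is understood, e.g. `# Every helper under kauth/ needs its own kauth-* profile; Px denies the exec otherwise.`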
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal @@ -111,7 +111,7 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { /{usr/,}bin/nautilus rPx, /{usr/,}bin/snap rPx, - /{usr/,}bin/kreadconfig5 rPUx, + /{usr/,}bin/kreadconfig5 rPx, /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx -> child-open, /{usr/,}lib/gio-launch-desktop rPx -> child-open, /{usr/,}lib/xdg-desktop-portal-validate-icon rPUx, diff --git a/apparmor.d/groups/kde/baloo b/apparmor.d/groups/kde/baloo index 371458dc..58e66a50 100644 --- a/apparmor.d/groups/kde/baloo +++ b/apparmor.d/groups/kde/baloo @@ -6,16 +6,17 @@ abi , include -@{exec_path} = /{usr/,}lib/baloo_file +@{exec_path} = /{usr/,}bin/baloo_file @{libexec}/baloo_file profile baloo @{exec_path} { include - include - include include + include + include + include + include include include - include - include + include network netlink raw, @@ -23,12 +24,14 @@ profile baloo @{exec_path} { /{usr/,}lib/baloo_file_extractor rix, - /usr/share/qt/translations/*.qm r, /usr/share/hwdata/pnp.ids r, + /usr/share/icu/[0-9]*.[0-9]*/*.dat r, /usr/share/poppler/{,**} r, /etc/fstab r, /etc/machine-id r, + /etc/xdg/baloofilerc r, + /etc/xdg/kdeglobals r, # Allow to search user files owner @{HOME}/{,**} r, @@ -44,6 +47,7 @@ profile baloo @{exec_path} { @{PROC}/sys/kernel/core_pattern r, @{PROC}/sys/kernel/random/boot_id r, owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/mountinfo r, /dev/tty r, diff --git a/apparmor.d/groups/kde/gmenudbusmenuproxy b/apparmor.d/groups/kde/gmenudbusmenuproxy index 4ab2e43d..6e06a8ce 100644 --- a/apparmor.d/groups/kde/gmenudbusmenuproxy +++ b/apparmor.d/groups/kde/gmenudbusmenuproxy 
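Review bot: The new attachment `@{exec_path} = /{usr/,}bin/baloo_file @{libexec}/baloo_file` drops the literal `/{usr/,}lib/baloo_file`, yet the next hunk still executes `/{usr/,}lib/baloo_file_extractor rix,` from a literal lib path. If `@{libexec}` does not expand to a pattern covering `/usr/lib/`, baloo_file installed there will no longer attach and run unconfined, while the extractor rule suggests that is exactly where some distributions put these binaries; the two should use the same variable, e.g. `@{libexec}/baloo_file_extractor rix,`. Since the extractor is the component that parses untrusted file contents, keeping its path covered matters more than for the daemon itself.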
@@ -12,15 +12,20 @@ profile gmenudbusmenuproxy @{exec_path} { include include include + include include @{exec_path} mr, /usr/share/hwdata/*.ids r, + /usr/share/icu/[0-9]*.[0-9]*/*.dat r, /etc/machine-id r, owner @{HOME}/.gtkrc-2.0 rw, + owner @{user_config_dirs}/gtk-{2,3}.0/#[0-9]* rw, + owner @{user_config_dirs}/gtk-{2,3}.0/settings.ini{,.??????} rwl, + owner @{user_config_dirs}/gtk-{2,3}.0/settings.ini.lock rwk, @{PROC}/sys/kernel/random/boot_id r, diff --git a/apparmor.d/groups/kde/kactivitymanagerd b/apparmor.d/groups/kde/kactivitymanagerd index f3d44162..b50fbac5 100644 --- a/apparmor.d/groups/kde/kactivitymanagerd +++ b/apparmor.d/groups/kde/kactivitymanagerd @@ -6,21 +6,24 @@ abi , include -@{exec_path} = /{usr/,}lib/kactivitymanagerd +@{exec_path} = @{libexec}/kactivitymanagerd profile kactivitymanagerd @{exec_path} { include + include include @{exec_path} mr, /usr/share/hwdata/*.ids r, - /usr/share/qt/translations/*.qm r, + /usr/share/icu/[0-9]*.[0-9]*/*.dat r, + + /etc/xdg/kdeglobals r, owner @{user_config_dirs}/kdedefaults/kdeglobals r, owner @{user_config_dirs}/kdeglobals r, owner @{user_config_dirs}/kactivitymanagerdrc r, - owner @{user_share_dirs}/kactivitymanagerd/{,**} rwl, + owner @{user_share_dirs}/kactivitymanagerd/{,**} rwlk, @{PROC}/sys/kernel/core_pattern r, diff --git a/apparmor.d/groups/kde/kauth-backlighthelper b/apparmor.d/groups/kde/kauth-backlighthelper index bd2782c6..5ea56f91 100644 --- a/apparmor.d/groups/kde/kauth-backlighthelper +++ b/apparmor.d/groups/kde/kauth-backlighthelper @@ -10,11 +10,14 @@ include profile kauth-backlighthelper @{exec_path} { include include + include capability net_admin, @{exec_path} mr, + /usr/share/icu/[0-9]*.[0-9]*/*.dat r, + @{sys}/class/backlight/ r, @{sys}/class/leds/ r, diff --git a/apparmor.d/groups/kde/kauth-chargethresholdhelper b/apparmor.d/groups/kde/kauth-chargethresholdhelper index 37c27679..e70c0420 100644 --- a/apparmor.d/groups/kde/kauth-chargethresholdhelper 
+++ b/apparmor.d/groups/kde/kauth-chargethresholdhelper @@ -13,6 +13,8 @@ profile kauth-chargethresholdhelper @{exec_path} { @{exec_path} mr, + /usr/share/icu/[0-9]*.[0-9]*/*.dat r, + @{sys}/class/power_supply/ r, include if exists diff --git a/apparmor.d/groups/kde/kauth-discretegpuhelper b/apparmor.d/groups/kde/kauth-discretegpuhelper index faa86f75..cc151d1d 100644 --- a/apparmor.d/groups/kde/kauth-discretegpuhelper +++ b/apparmor.d/groups/kde/kauth-discretegpuhelper @@ -13,5 +13,7 @@ profile kauth-discretegpuhelper @{exec_path} { @{exec_path} mr, + /usr/share/icu/[0-9]*.[0-9]*/*.dat r, + include if exists } \ No newline at end of file diff --git a/apparmor.d/groups/kde/kauth-kded-smart-helper b/apparmor.d/groups/kde/kauth-kded-smart-helper index 0089de9e..5e3d1ba5 100644 --- a/apparmor.d/groups/kde/kauth-kded-smart-helper +++ b/apparmor.d/groups/kde/kauth-kded-smart-helper @@ -15,5 +15,7 @@ profile kauth-kded-smart-helper @{exec_path} { /{usr/,}{s,}bin/smartctl rPx, + /usr/share/icu/[0-9]*.[0-9]*/*.dat r, + include if exists } \ No newline at end of file diff --git a/apparmor.d/groups/kde/kconf_update b/apparmor.d/groups/kde/kconf_update index cfd60798..68abcac4 100644 --- a/apparmor.d/groups/kde/kconf_update +++ b/apparmor.d/groups/kde/kconf_update @@ -13,6 +13,9 @@ profile kconf_update @{exec_path} { @{exec_path} mr, /usr/share/kconf_update/{,**} r, + /usr/share/icu/[0-9]*.[0-9]*/*.dat r, + + /etc/xdg/kdeglobals r, owner @{user_config_dirs}/kconf_updaterc r, owner @{user_config_dirs}/kdedefaults/kdeglobals r, diff --git a/apparmor.d/groups/kde/kded5 b/apparmor.d/groups/kde/kded5 index 82f9415f..38ea4b42 100644 --- a/apparmor.d/groups/kde/kded5 +++ b/apparmor.d/groups/kde/kded5 @@ -18,6 +18,7 @@ profile kded5 @{exec_path} { include include include + include include include 
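Review bot: The `/usr/share/icu/[0-9]*.[0-9]*/*.dat r,` rule added here is the same line this commit adds to a dozen other KF5 profiles (kauth-*, kconf_update, kded5, kglobalaccel5, kactivitymanagerd, baloo, plasmashell, ...), which is the signature of a rule that belongs in a shared abstraction rather than in every Qt profile. If the project's Qt abstraction (include names are not visible in this rendering) does not already carry it, adding it there once keeps these files from drifting as the ICU version directory changes. The file also still ends without a trailing newline (`\ No newline at end of file` on both sides), which this edit could have fixed.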
@@ -28,28 +29,34 @@ profile kded5 @{exec_path} { ptrace (read), + signal (send) set=hup peer=xsettingsd, + @{exec_path} mr, @{libexec}/kf5/kconf_update rPx, - @{libexec}/utempter/utempter rix, # TODO: rPx ? + @{libexec}/utempter/utempter rPx, + /{usr/,}bin/kcminit rPx, /{usr/,}bin/pgrep rCx -> pgrep, /{usr/,}bin/setxkbmap rix, /{usr/,}bin/xsettingsd rPx, /usr/share/hwdata/*.ids r, - /usr/share/kconf_update/{,**} r, + /usr/share/icu/[0-9]*.[0-9]*/*.dat r, /usr/share/kded5/{,**} r, /usr/share/khotkeys/{,**} r, /usr/share/knotifications5/{,**} r, /usr/share/kservices5/{,**} r, /usr/share/kservicetypes5/{,**} r, /usr/share/mime/ r, - /usr/share/qt/translations/*.qm r, + /usr/share/kconf_update/ r, /etc/fstab r, /etc/machine-id r, + /etc/xdg/kcminputrc r, /etc/xdg/kde* r, - /etc/xdg/menus/ r, + /etc/xdg/kioslaverc r, + /etc/xdg/kwinrc r, + /etc/xdg/menus/{,**} r, owner @{HOME}/.gtkrc-2.0 rw, @@ -57,7 +64,7 @@ profile kded5 @{exec_path} { owner @{user_cache_dirs}/ksycoca5_* r, owner @{user_config_dirs}/#[0-9]* rw, - owner @{user_config_dirs}/bluedevilglobalrc r, + owner @{user_config_dirs}/bluedevilglobalrc rk, owner @{user_config_dirs}/bluedevilglobalrc* rwkl, owner @{user_config_dirs}/gtk-{3,4}.0/{,**} rwl, owner @{user_config_dirs}/kcminputrc r, @@ -83,12 +90,15 @@ profile kded5 @{exec_path} { owner /tmp/plasma-csd-generator.??????/{,**} rw, + @{PROC}/@{pids}/cmdline/ r, + @{PROC}/@{pids}/fd/ r, + @{PROC}/@{pids}/fd/info/[0-9]* r, + @{PROC}/sys/fs/inotify/max_user_{instances,watches} r, + @{PROC}/sys/kernel/core_pattern r, + @{PROC}/sys/kernel/random/boot_id r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, - @{PROC}/sys/kernel/random/boot_id r, - @{PROC}/sys/kernel/core_pattern r, - /dev/ptmx rw, /dev/rfkill r, diff --git a/apparmor.d/groups/kde/kglobalaccel5 b/apparmor.d/groups/kde/kglobalaccel5 index 7c1f48c6..3d916dcf 100644 --- a/apparmor.d/groups/kde/kglobalaccel5 +++ b/apparmor.d/groups/kde/kglobalaccel5 
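Review bot: Two of the new proc rules look like mis-transcribed paths: `@{PROC}/@{pids}/cmdline/ r,` has a trailing slash, so it matches only a directory named cmdline that does not exist and never grants the read of `/proc/<pid>/cmdline` it was presumably meant to, and `@{PROC}/@{pids}/fd/info/[0-9]* r,` names an `fd/info/` directory where procfs actually has `/proc/<pid>/fdinfo/<n>`. As written both rules are dead and the original denials will return. They also drop the `owner` qualifier that the neighbouring mounts/mountinfo rules keep, so as far as AppArmor is concerned kded5 may read other users' command lines and fd listings; `owner @{PROC}/@{pid}/cmdline r,` and `owner @{PROC}/@{pid}/fdinfo/[0-9]* r,` match the likely intent unless the log shows kded5 inspecting foreign pids (the `ptrace (read)` rule earlier in the profile suggests it might).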
@@ -10,13 +10,14 @@ include profile kglobalaccel5 @{exec_path} { include include + include include @{exec_path} mr, /usr/share/hwdata/*.ids r, + /usr/share/icu/[0-9]*.[0-9]*/*.dat r, /usr/share/kglobalaccel/{,**} r, - /usr/share/qt/translations/*.qm r, /usr/share/mime/{,**} r, /etc/machine-id r, diff --git a/apparmor.d/groups/kde/kreadconfig b/apparmor.d/groups/kde/kreadconfig index dd7cd5a9..aff84ce5 100644 --- a/apparmor.d/groups/kde/kreadconfig +++ b/apparmor.d/groups/kde/kreadconfig @@ -10,11 +10,14 @@ include profile kreadconfig @{exec_path} { include + network netlink raw, + @{exec_path} mr, /usr/share/icu/[0-9]*.[0-9]*/*.dat r, /etc/xdg/kdeglobals r, + /etc/xdg/kioslaverc r, owner @{user_config_dirs}/kdedefaults/kdeglobals r, owner @{user_config_dirs}/kdeglobals r, diff --git a/apparmor.d/groups/kde/kscreenlocker-greet b/apparmor.d/groups/kde/kscreenlocker-greet index 86359fc3..d8279526 100644 --- a/apparmor.d/groups/kde/kscreenlocker-greet +++ b/apparmor.d/groups/kde/kscreenlocker-greet @@ -19,6 +19,7 @@ profile kscreenlocker-greet @{exec_path} { include include include + include include network netlink raw, @@ -28,10 +29,14 @@ profile kscreenlocker-greet @{exec_path} { @{exec_path} mr, + @{libexec}/libheif/ r, + @{libexec}/libheif/*.so* rm, + /{usr/,}{s,}bin/unix_chkpwd rPx, /{usr/,}lib/@{multiarch}/libexec/kcheckpass rPx, /usr/share/hwdata/pnp.ids r, + /usr/share/icu/[0-9]*.[0-9]*/*.dat r, /usr/share/plasma/** r, /usr/share/qt/translations/*.qm r, /usr/share/qt5ct/** r, 
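Review bot: `network netlink raw,` is a broad grant for a CLI whose only job is to read KConfig files, and nothing else in the profile explains it. The usual cause in KF5 tools is Qt's network-status probing, which needs only a NETLINK_ROUTE socket, but AppArmor network rules do not distinguish netlink families, so the line allows all of them. If the program works without it, `deny network netlink raw,` silences the log without granting anything; otherwise a comment such as `# Qt network-status probe (libnl) triggers this` would record why a config reader talks to the kernel.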
@@ -39,16 +44,20 @@ profile kscreenlocker-greet @{exec_path} { /usr/share/wallpapers/Path/contents/images/*.{jpg,png} r, /usr/share/wayland-sessions/{,*.desktop} r, /usr/share/xsessions/{,*.desktop} r, + /usr/share/hunspell/* r, - /etc/environment r, + /{usr/,}etc/environment r, + /{usr/,}etc/login.defs r, + /{usr/,}etc/login.defs.d/ r, + /{usr/,}etc/security/*.conf r, /etc/fstab r, - /etc/fstab r, - /etc/login.defs r, /etc/machine-id r, /etc/pam.d/* r, - /etc/security/faillock.conf r, - /etc/security/pam_env.conf r, /etc/shells r, + /etc/xdg/kdeglobals r, + /etc/xdg/kscreenlockerrc r, + /etc/xdg/plasmarc r, + /var/lib/dbus/machine-id r, owner @{HOME}/.Xauthority r, @@ -58,7 +67,7 @@ profile kscreenlocker-greet @{exec_path} { owner @{user_cache_dirs}/icon-cache.kcache rw, owner @{user_cache_dirs}/kscreenlocker_greet/ w, owner @{user_cache_dirs}/kscreenlocker_greet/** rwl, - owner @{user_cache_dirs}/plasma_theme_default_*.kcache rw, + owner @{user_cache_dirs}/plasma_theme_*.kcache rw, owner @{user_cache_dirs}/plasma-svgelements-default_v* r, owner @{user_cache_dirs}/plasma-svgelements.lock rwk, owner @{user_cache_dirs}/plasma-svgelements{,.??????} rwl, @@ -82,9 +91,10 @@ profile kscreenlocker-greet @{exec_path} { @{run}/faillock/[a-zA-z0-9]* rwk, - @{PROC}/@{pid}/cmdline r, - @{PROC}/@{pid}/mounts r, - @{PROC}/sys/kernel/core_pattern r, + @{PROC}/@{pid}/cmdline r, + @{PROC}/@{pid}/mounts r, + @{PROC}/sys/kernel/core_pattern r, + owner @{PROC}/@{pid}/loginuid r, /dev/tty r, diff --git a/apparmor.d/groups/kde/ksmserver b/apparmor.d/groups/kde/ksmserver index fa3c04b9..6d3a5cb4 100644 --- a/apparmor.d/groups/kde/ksmserver +++ b/apparmor.d/groups/kde/ksmserver @@ -18,7 +18,7 @@ profile ksmserver @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include - signal (send) set=term peer=kscreenlocker-greet, + signal (send) set=(usr1,term) peer=kscreenlocker-greet, @{exec_path} mr, 
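Review bot: The new `/{usr/,}etc/environment`, `/{usr/,}etc/login.defs`, `/{usr/,}etc/login.defs.d/` and `/{usr/,}etc/security/*.conf` lines spell out the `/{usr/,}etc` prefix literally, while xdm-xsession in this same commit uses the project variable `@{etc_ro}` for that pattern and sddm hunk 2 converts the other way. If `@{etc_ro}` expands to `/{usr/,}etc` these are the same rule in two spellings and one form should be picked across the KDE group, e.g. `@{etc_ro}/security/*.conf r,`. Since the greeter performs the lock-screen password check, a comment grouping these as `# PAM stack configuration (pam_env, pam_faillock, login.defs)` would make the otherwise odd list self-explanatory.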
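Review bot: Widening the rule to `signal (send) set=(usr1,term) peer=kscreenlocker-greet,` only works if kscreenlocker-greet has the matching receive side; signal mediation requires both profiles to agree, and none of the kscreenlocker-greet hunks in this diff adds `signal (receive) set=(usr1,term) peer=ksmserver,`. Unless that rule already exists outside the visible hunks, SIGUSR1 will still be blocked on the receiving end and the denial will be logged against kscreenlocker-greet rather than ksmserver. The kded5/xsettingsd pair in this same commit adds both halves and is the pattern to follow.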
@@ -35,6 +35,7 @@ profile ksmserver @{exec_path} flags=(attach_disconnected,mediate_deleted) { /usr/share/kservices5/{,**} r, /usr/share/mime/{,**} r, + /etc/xdg/menus/applications-merged/ r, /etc/machine-id r, /etc/xdg/kdeglobals r, /etc/xdg/kscreenlockerrc r, diff --git a/apparmor.d/groups/kde/kwin_x11 b/apparmor.d/groups/kde/kwin_x11 index e83e9481..a078be3c 100644 --- a/apparmor.d/groups/kde/kwin_x11 +++ b/apparmor.d/groups/kde/kwin_x11 @@ -20,11 +20,15 @@ profile kwin_x11 @{exec_path} { network inet dgram, network inet6 dgram, + network inet stream, + network inet6 stream, network netlink raw, - @{exec_path} mr, + @{exec_path} mrix, - /{usr/,}lib/kwin_killer_helper rix, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}lib/kwin_killer_helper rix, + @{libexec}/drkonqi rPx, /usr/share/hwdata/pnp.ids r, /usr/share/icu/[0-9]*.[0-9]*/*.dat r, @@ -43,6 +47,7 @@ profile kwin_x11 @{exec_path} { owner @{user_cache_dirs}/ r, owner @{user_cache_dirs}/#[0-9]* rw, owner @{user_cache_dirs}/icon-cache.kcache rw, + owner @{user_cache_dirs}/kcrash-metadata/*.ini rw, owner @{user_cache_dirs}/kwin/{,**} rwl, owner @{user_cache_dirs}/plasmarc r, owner @{user_cache_dirs}/plasma_theme_*.kcache rw, @@ -61,11 +66,12 @@ profile kwin_x11 @{exec_path} { owner @{user_config_dirs}/kxkbrc r, owner @{user_config_dirs}/session/kwin_* rwk, - @{run}/user/@{uid}/xauth_* rl, + owner @{run}/user/@{uid}/kcrash_[0-9]* rw, + owner @{run}/user/@{uid}/xauth_* rl, @{PROC}/sys/kernel/core_pattern r, - /dev/tty r, + /dev/tty rw, include if exists } diff --git a/apparmor.d/groups/kde/plasma-discover b/apparmor.d/groups/kde/plasma-discover index 6c20c879..56a24cdf 100644 --- a/apparmor.d/groups/kde/plasma-discover +++ b/apparmor.d/groups/kde/plasma-discover 
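Review bot: `/{usr/,}bin/{,ba,da}sh rix,` lets the compositor run a shell that inherits kwin's entire profile, including the `network inet stream`/`inet6 stream` grants added in the same hunk and the `/dev/tty rw` added in the last hunk, so anything that shell runs shares every permission kwin has. If the shell is only needed for the crash path (`kwin_killer_helper` and the new `drkonqi rPx`), a comment saying so is the minimum, e.g. `# sh: spawned for crash handling (kwin_killer_helper/drkonqi)`; if the script is known, executing it directly with `rix` or via a small child profile (`rCx -> sh`) would be tighter than a blanket shell rule. The `@{exec_path} mr` to `mrix` change also deserves a word on why kwin_x11 re-executes itself.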
@@ -9,22 +9,46 @@ include @{exec_path} = /{usr/,}bin/plasma-discover profile plasma-discover @{exec_path} { include + include + include + include + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + # network netlink raw, @{exec_path} mr, - /{usr/,}lib/kf5/kioslave5 rPUx, # TODO: rPx, - /{usr/,}lib/kf5/kio_http_cache_cleaner rPUx, # TODO: rPx, + @{libexec}/kf5/kioslave5 rPx, + @{libexec}/kf5/kio_http_cache_cleaner rPx, + /etc/appstream.conf r, /etc/machine-id r, + /etc/flatpak/remotes.d/{,**} r, /var/tmp/flatpak-cache-*/ rw, /var/tmp/flatpak-cache-*/** rwkl, /var/tmp/#[0-9]* rw, + /var/cache/swcatalog/ rw, + + /var/lib/flatpak/repo/{,**} r, + /var/lib/flatpak/appstream/{,**} r, + + owner @{user_cache_dirs}/discover/{,**} rw, + owner @{user_cache_dirs}/appstream/*.xb r, + owner @{user_cache_dirs}/appstream/ r, + owner @{user_config_dirs}/kde.org/{,**} rwlk, owner @{user_config_dirs}/discoverrc rwl, owner @{user_config_dirs}/#[0-9]* rwl, owner @{user_config_dirs}/discoverrc.lock rwk, + owner @{user_share_dirs}/flatpak/repo/{,**} rw, + + @{PROC}/sys/kernel/random/boot_id r, + include if exists } \ No newline at end of file diff --git a/apparmor.d/groups/kde/plasmashell b/apparmor.d/groups/kde/plasmashell index 60dfecd3..2dc7446c 100644 --- a/apparmor.d/groups/kde/plasmashell +++ b/apparmor.d/groups/kde/plasmashell @@ -12,11 +12,14 @@ profile plasmashell @{exec_path} { include include include + include + include include include include include include + include include include include 
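Review bot: `/var/cache/swcatalog/ rw,` grants a user-session process write access on a normally root-owned system cache directory; DAC refuses the write anyway, so the rule documents a failed refresh attempt rather than a real need, and `r` states the intended privilege without the misleading grant. The `# network netlink raw,` left commented out needs a reason beside it, otherwise the next person who sees the denial will simply uncomment it. Since the same commit adds `plasma-discover` to `dists/ignore/main.ignore`, a header note that this profile is not shipped in the main dist yet would also explain why plasmashell falls back to `rPUx` for it.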
@@ -29,16 +32,18 @@ profile plasmashell @{exec_path} { @{exec_path} mr, - /{usr/,}bin/plasma-discover rPx, - /{usr/,}lib/kf5/kioslave5 rPUx, # TODO: rPx, + @{libexec}/libheif/ r, + @{libexec}/libheif/*.so* rm, + @{libexec}/kf5/kioslave5 rPx, /{usr/,}bin/dolphin rPUx, # TODO: rPx, + /{usr/,}bin/plasma-discover rPUx, + /usr/share/icu/[0-9]*.[0-9]*/*.dat r, /usr/share/hwdata/*.ids r, /usr/share/kservices5/{,**} r, /usr/share/kservicetypes5/{,**} r, /usr/share/mime/{,**} r, /usr/share/plasma/{,**} r, - /usr/share/qt/translations/*.qm r, /usr/share/solid/actions/{,**} r, /usr/share/wallpapers/{,**} r, /usr/share/krunner/{,**} r, 
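Review bot: `/{usr/,}bin/plasma-discover rPUx,` downgrades the previous `rPx`, so on a system where the plasma-discover profile is absent (this commit adds it to `dists/ignore/main.ignore`) Discover now runs completely unconfined, whereas before the exec would have been denied. That is a deliberate trade-off given the ignore entry, but it should be marked the way the neighbouring `dolphin rPUx, # TODO: rPx` line is, e.g. `/{usr/,}bin/plasma-discover rPUx, # TODO: rPx once the profile leaves main.ignore`, so the loosening is revisited rather than forgotten.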
@@ -46,53 +51,79 @@ profile plasmashell @{exec_path} { /usr/share/akonadi/firstrun/{,*} r, /etc/appstream.conf r, - /etc/pulse/client.conf r, - /etc/xdg/taskmanagerrulesrc r, - /etc/xdg/menus/ r, - /etc/machine-id r, + /etc/cups/client.conf r, /etc/fstab r, + /etc/machine-id r, + /etc/pulse/client.conf r, + /etc/pulse/client.conf.d/ r, + /etc/xdg/baloofilerc r, + /etc/xdg/dolphinrc r, + /etc/xdg/kdeglobals r, + /etc/xdg/kioslaverc r, + /etc/xdg/krunnerrc r, + /etc/xdg/kwinrc r, + /etc/xdg/menus/ r, + /etc/xdg/menus/applications-merged/ r, + /etc/xdg/plasmanotifyrc r, + /etc/xdg/plasmarc r, + /etc/xdg/taskmanagerrulesrc r, + /etc/xdg/kshorturifilterrc r, + + owner @{HOME}/@{XDG_DESKTOP_DIR}/*.desktop r, owner @{user_templates_dirs}/ r, + owner @{user_cache_dirs}/ r, owner @{user_cache_dirs}/#[0-9]* rw, owner @{user_cache_dirs}/icon-cache.kcache rw, owner @{user_cache_dirs}/ksycoca5_* r, owner @{user_cache_dirs}/org.kde.dirmodel-qml.kcache rw, + owner @{user_cache_dirs}/plasma_theme_*.kcache rw, + owner @{user_cache_dirs}/plasma-svgelements.?????? 
rwlk, + owner @{user_cache_dirs}/plasma-svgelements.lock rwk, owner @{user_cache_dirs}/plasma-svgelements* rwl, - owner @{user_cache_dirs}/plasma_theme_default_v*.kcache rw, owner @{user_cache_dirs}/plasmashell/qmlcache/{,**} rwl, owner @{user_config_dirs}/*kde*.desktop* r, owner @{user_config_dirs}/#[0-9]* rw, + owner @{user_config_dirs}/akonadi-firstrunrc r, + owner @{user_config_dirs}/akonadi/akonadiconnectionrc r, owner @{user_config_dirs}/baloofilerc r, owner @{user_config_dirs}/dolphinrc r, + owner @{user_config_dirs}/kactivitymanagerd-statsrc r, owner @{user_config_dirs}/kde.org/{,**} rwlk, owner @{user_config_dirs}/KDE/{,**} r, owner @{user_config_dirs}/kdedefaults/kdeglobals r, owner @{user_config_dirs}/kdedefaults/kwinrc r, owner @{user_config_dirs}/kdedefaults/plasmarc r, - owner @{user_config_dirs}/krunnerrc r, owner @{user_config_dirs}/kdeglobals r, owner @{user_config_dirs}/klipperrc r, + owner @{user_config_dirs}/krunnerrc r, owner @{user_config_dirs}/ksmserverrc r, owner @{user_config_dirs}/kwinrc r, owner @{user_config_dirs}/menus/{,**} r, + owner @{user_config_dirs}/plasma-org.kde.plasma.desktop-appletsrc.?????? 
rk, + owner @{user_config_dirs}/plasma-pk-updates r, owner @{user_config_dirs}/plasma*desktop* rwlk, - owner @{user_config_dirs}/plasma-org.kde.plasma.desktop-appletsrc.* rk, owner @{user_config_dirs}/plasmanotifyrc r, owner @{user_config_dirs}/plasmaparc r, owner @{user_config_dirs}/plasmashellrc r, - owner @{user_config_dirs}/pulse/cookie rk, + owner @{user_config_dirs}/pulse/cookie rwk, owner @{user_config_dirs}/trashrc r, - + owner @{user_share_dirs}/#[0-9]* rw, owner @{user_share_dirs}/akonadi/search_db/{,**} r, - owner @{user_share_dirs}/kactivitymanagerd/resources/database k, - owner @{user_share_dirs}/kactivitymanagerd/resources/database-wal rw, + owner @{user_share_dirs}/kactivitymanagerd/resources/database rk, owner @{user_share_dirs}/kactivitymanagerd/resources/database-shm rwk, + owner @{user_share_dirs}/kactivitymanagerd/resources/database-wal rw, owner @{user_share_dirs}/klipper/{,*} rwl, + owner @{user_share_dirs}/konsole/ r, + owner @{user_share_dirs}/kpeople/persondb rwk, + owner @{user_share_dirs}/kpeoplevcard/ r, + owner @{user_share_dirs}/krunnerstaterc rwl, + owner @{user_share_dirs}/krunnerstaterc.?????? rwl, owner @{user_share_dirs}/krunnerstaterc.lock rwk, - owner @{user_share_dirs}/krunnerstaterc* rwk, + owner @{user_share_dirs}/ktp/cache.db rwk, owner @{user_share_dirs}/plasma_icons/*.desktop r, owner @{user_share_dirs}/plasma/plasmoids/{,**} r, owner @{user_share_dirs}/user-places.xbel r, 
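Review bot: `owner @{user_config_dirs}/pulse/cookie rk,` becomes `rwk`, letting the shell rewrite the PulseAudio authentication cookie that every other client in the session relies on. libpulse does (re)create the cookie when it is missing, which is probably where the write came from, but that belongs in a comment, e.g. `# libpulse regenerates the cookie if absent`, since a write grant on a shared secret otherwise reads like a mistake. The other additions in this hunk (`kpeople/persondb rwk`, `ktp/cache.db rwk`, `krunnerstaterc.?????? rwl`) keep the owner-scoped pattern and look right.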
@@ -100,16 +131,20 @@ profile plasmashell @{exec_path} { owner @{run}/user/@{uid}/#[0-9]* rw, owner @{run}/user/@{uid}/plasmashell??????.[0-9].kioworker.socket rwl, owner @{run}/user/@{uid}/gvfs/ r, - owner @{run}/user/@{uid}/pulse/ r, + owner @{run}/user/@{uid}/pulse/ rw, + + @{sys}/bus/ r, + @{sys}/bus/usb/devices/ r, + @{sys}/class/ r, @{PROC}/sys/kernel/core_pattern r, @{PROC}/sys/kernel/random/boot_id r, - owner @{PROC}/@{pid}/{environ,mounts,mountinfo} r, - - @{sys}/bus/{,**} r, - @{sys}/class/ r, - @{sys}/devices/pci[0-9]*/**/{device,subsystem_device,subsystem_vendor,uevent,vendor} r, - + owner @{PROC}/@{pid}/environ r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, + + /dev/shm/ r, + /dev/tty r, include if exists } diff --git a/apparmor.d/groups/kde/sddm b/apparmor.d/groups/kde/sddm index 6624ca3b..8fb023e1 100644 --- a/apparmor.d/groups/kde/sddm +++ b/apparmor.d/groups/kde/sddm @@ -43,21 +43,22 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) { /{usr/,}lib/@{multiarch}/sddm/sddm-helper rix, /{usr/,}lib/plasma-dbus-run-session-if-needed rix, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/tr rix, - /{usr/,}bin/cat rix, - /{usr/,}bin/tty rix, - /{usr/,}bin/xmodmap rix, /{usr/,}{s,}bin/checkproc rix, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/cat rix, + /{usr/,}bin/tr rix, + /{usr/,}bin/tty rix, + /{usr/,}bin/xdm r, + /{usr/,}bin/xmodmap rix, /{usr/,}bin/sddm-greeter rPx, - /etc/sddm/Xsession rPx, /{usr/,}bin/Xorg rPx, + /etc/sddm/Xsession rPx, + /{usr/,}bin/flatpak rPUx, + /{usr/,}bin/sway rPUx, /{usr/,}bin/xauth rCx -> xauth, /{usr/,}bin/xsetroot rPx, - /{usr/,}bin/sway rPUx, - /{usr/,}bin/flatpak rPUx, @{etc_ro}/X11/xdm/Xsession rPx, /{usr/,}bin/dbus-update-activation-environment rCx -> dbus, 
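Review bot: `/{usr/,}bin/xdm r,` gives a root display manager read access to another display manager's binary, which is an odd need; an `r`-only rule on an executable usually means the log showed a non-exec open (a script doing `test -x` or `readlink`), and if sddm actually tried to run it the rule would have to be an exec rule instead. A comment naming the script that touches it, e.g. `# Xsetup compat scripts probe for /usr/bin/xdm`, would settle whether `r` is correct or whether the rule should be dropped.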
@@ -69,26 +70,25 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) { /{usr/,}bin/xset rPx, /usr/etc/X11/xdm/Xsetup rix, - /usr/share/sddm/scripts/Xsetup rix, - /usr/share/sddm/scripts/Xstop rix, /usr/share/sddm/scripts/wayland-session rix, /usr/share/sddm/scripts/Xsession rix, + /usr/share/sddm/scripts/Xsetup rix, + /usr/share/sddm/scripts/Xstop rix, /usr/share/desktop-base/softwaves-theme/login/*.svg r, + /usr/share/icu/[0-9]*.[0-9]*/*.dat r, /usr/share/plasma/desktoptheme/** r, /usr/share/sddm/faces/.*.icon r, /usr/share/sddm/themes/** r, - /usr/share/icu/[0-9]*.[0-9]*/*.dat r, /usr/share/wayland-sessions/{,*.desktop} r, /usr/share/xsessions/{,*.desktop} r, /var/lib/AccountsService/icons/*.icon r, - /usr/share/qt5/qtlogging.ini r, /etc/X11/xinit/xinitrc.d/{,*} r, - @{etc_ro}/environment r, - @{etc_ro}/security/limits.d/ r, - @{etc_ro}/X11/Xmodmap r, + /{usr/,}etc/environment r, + /{usr/,}etc/security/limits.d/{,*.conf} r, + /{usr/,}etc/X11/Xmodmap r, /etc/debuginfod/{,*} r, /etc/default/locale r, /etc/locale.conf r, @@ -100,10 +100,13 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) { / r, - owner /var/lib/sddm/** rw, + /var/lib/lastlog/ r, + /var/lib/lastlog/* rwk, + + /var/lib/sddm/state.conf rw, owner /var/lib/sddm/.cache/sddm-greeter/qmlcache/*.jsc mrw, owner /var/lib/sddm/.cache/sddm-greeter/qmlcache/*.qmlc mrw, - /var/lib/sddm/state.conf rw, + owner /var/lib/sddm/** rw, owner @{HOME}/.local/ w, owner @{HOME}/.Xauthority rw, 
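Review bot: `/var/lib/lastlog/* rwk,` covers the lastlog2 database with a glob and no `owner`, where `/var/lib/lastlog/lastlog2.db{,-journal,-wal,-shm} rwk,` would name the SQLite files pam_lastlog2 actually touches and avoid granting write/lock on anything else placed in that directory; if the exact filenames are uncertain from the log, a comment recording that this is pam_lastlog2 would at least explain the `k`. Moving `owner /var/lib/sddm/** rw,` below the more specific state.conf and qmlcache rules does not change semantics, since AppArmor accumulates permissions across matching rules rather than taking the first match, so that part is purely cosmetic.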
@@ -122,12 +125,11 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{run}/faillock/[a-zA-z0-9]* rwk, @{run}/sddm.pid rw, @{run}/sddm/\{@{uuid}\} rw, - # @{run}/sddm/* w, @{run}/systemd/sessions/*.ref rw, + @{run}/user/@{uid}/xauth_* rwl, owner @{run}/sddm/ rw, - owner @{run}/user/@{uid}/kwallet5.socket rw, - @{run}/user/@{uid}/xauth_* rl, owner @{run}/user/@{uid}/#[0-9]* rw, + owner @{run}/user/@{uid}/kwallet5.socket rw, @{PROC}/sys/kernel/core_pattern r, owner @{PROC}/@{pid}/loginuid rw, diff --git a/apparmor.d/groups/kde/startplasma-x11 b/apparmor.d/groups/kde/startplasma-x11 index 264e260c..98c4ab72 100644 --- a/apparmor.d/groups/kde/startplasma-x11 +++ b/apparmor.d/groups/kde/startplasma-x11 @@ -10,6 +10,7 @@ include profile startplasma-x11 @{exec_path} { include include + include include @{exec_path} mr, @@ -27,10 +28,11 @@ profile startplasma-x11 @{exec_path} { /usr/share/kservicetypes5/{,**} r, /usr/share/mime/{,**} r, /usr/share/plasma/{,**} r, - /usr/share/qt*/translations/*.qm r, - /etc/xdg/menus/{,*.menu} r, /etc/machine-id r, + /etc/xdg/kcminputrc r, + /etc/xdg/kdeglobals r, + /etc/xdg/menus/{,**} r, owner @{HOME}/.Xauthority r, diff --git a/apparmor.d/groups/kde/xdm-xsession b/apparmor.d/groups/kde/xdm-xsession index 546abd5a..34486c18 100644 --- a/apparmor.d/groups/kde/xdm-xsession +++ b/apparmor.d/groups/kde/xdm-xsession @@ -11,6 +11,7 @@ profile xdm-xsession @{exec_path} { include include include + include include include 
@@ -56,22 +57,25 @@ profile xdm-xsession @{exec_path} { /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/bash-completion/{,**} r, + @{etc_ro}/profile.d/{,*} r, @{etc_ro}/X11/xdm/scripts/{,*} r, - @{etc_ro}/X11/xinit/xinitrc.common r, - @{etc_ro}/X11/xinit/xinitrc.d/{,*} r, @{etc_ro}/X11/xim r, @{etc_ro}/X11/xim.d/none r, - @{etc_ro}/profile.d/{,*} r, + @{etc_ro}/X11/xinit/xinitrc.common r, + @{etc_ro}/X11/xinit/xinitrc.d/{,*} r, + /etc/debuginfod/{,*} r, /etc/gcrypt/hwf.deny r, /etc/locale.conf r, /etc/manpath.config r, - /etc/sysconfig/* r, /etc/shells r, + /etc/sysconfig/* r, owner @{HOME}/ r, owner @{HOME}/.alias r, owner @{HOME}/.i18n r, + owner @{user_share_dirs}/sddm/xorg-session.log rw, + owner @{run}/user/@{uid}/gnupg/ rw, owner @{run}/user/@{uid}/gnupg/gpg-agent.conf r, owner @{run}/user/@{uid}/gnupg/private-keys-v1.d/ rw, @@ -94,6 +98,8 @@ profile xdm-xsession @{exec_path} { /{usr/,}bin/dbus-update-activation-environment mr, + owner @{user_share_dirs}/sddm/xorg-session.log rw, + owner @{run}/user/@{uid}/bus rw, include if exists diff --git a/apparmor.d/groups/kde/xsettingsd b/apparmor.d/groups/kde/xsettingsd index 44c84289..cada4c2a 100644 --- a/apparmor.d/groups/kde/xsettingsd +++ b/apparmor.d/groups/kde/xsettingsd @@ -10,6 +10,8 @@ include profile xsettingsd @{exec_path} { include + signal (receive) set=hup peer=kded5, + @{exec_path} mr, owner @{user_config_dirs}/xsettingsd/{,**} rw, diff --git a/dists/ignore/main.ignore b/dists/ignore/main.ignore index 74fa9ec2..18480e02 100644 --- a/dists/ignore/main.ignore +++ b/dists/ignore/main.ignore @@ -9,6 +9,7 @@ root/usr/lib/initcpio root/usr/lib/systemd/ apparmor.d/groups/apps +plasma-discover anki man
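Review bot: `owner @{user_share_dirs}/sddm/xorg-session.log rw,` is added twice in this file, once in the previous hunk next to the `@{HOME}` rules and again here after `dbus-update-activation-environment mr`. If this second hunk sits inside a child profile (the `mr` on dbus-update-activation-environment suggests a `dbus` child like the one sddm enters with `rCx -> dbus`), the duplicate is needed because child profiles do not inherit the parent's rules, and `# session log is also written from the dbus child` would make that clear; if it is still the main profile, one copy should go. The enclosing block starts outside this hunk, so the diff alone does not show which case applies.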