feat(kde): big kde profiles update.
This commit is contained in:
parent
57e995e4be
commit
ee10658d09
24 changed files with 214 additions and 89 deletions
|
@ -43,10 +43,11 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) {
|
||||||
@{libexec}/{,at-spi2{,-core}/}at-spi2-registryd rPx,
|
@{libexec}/{,at-spi2{,-core}/}at-spi2-registryd rPx,
|
||||||
@{libexec}/* rPUx,
|
@{libexec}/* rPUx,
|
||||||
@{libexec}/gnome-shell/gnome-shell-calendar-server rPx,
|
@{libexec}/gnome-shell/gnome-shell-calendar-server rPx,
|
||||||
|
@{libexec}/kauth/* rPx,
|
||||||
@{libexec}/kf5/kiod5 rPUx,
|
@{libexec}/kf5/kiod5 rPUx,
|
||||||
@{libexec}/xfce[0-9]/xfconf/xfconfd rPx,
|
@{libexec}/xfce[0-9]/xfconf/xfconfd rPx,
|
||||||
/{usr/,}bin/[a-z0-9]* rPUx,
|
/{usr/,}bin/[a-z0-9]* rPUx,
|
||||||
/{usr/,}lib{,exec}/dbus-1*/dbus-daemon-launch-helper rPx,
|
/{usr/,}lib{,exec}/dbus-1*/dbus-daemon-launch-helper rPx,
|
||||||
/{usr/,}lib/@{multiarch}/tumbler-1/tumblerd rPUx,
|
/{usr/,}lib/@{multiarch}/tumbler-1/tumblerd rPUx,
|
||||||
/{usr/,}lib/@{multiarch}/xfce[0-9]/xfconf/xfconfd rPx,
|
/{usr/,}lib/@{multiarch}/xfce[0-9]/xfconf/xfconfd rPx,
|
||||||
/{usr/,}lib/atril/atrild rPx,
|
/{usr/,}lib/atril/atrild rPx,
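Review bot: `@{libexec}/kauth/* rPx,` makes the exec of every file in that directory depend on a profile being loaded for it — with `rPx`, a helper that has no matching profile is denied exec rather than launched unconfined, and the `@{libexec}/* rPUx,` fallback above does not help because `*` does not cross into a subdirectory. Only four kauth helper profiles are touched in this commit (backlighthelper, chargethresholdhelper, discretegpuhelper, kded-smart-helper), so any other helper a distribution ships under `@{libexec}/kauth/` will fail to start once this is installed. That is the right strictness for root helpers, but it deserves a line saying so: `# every helper under kauth/ needs its own profile: rPx denies exec when none matches`. Whether the session dbus-daemon itself ever spawns these (rather than dbus-daemon-launch-helper on the system bus) is not visible from this hunk.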
|
||||||
|
|
|
@ -6,7 +6,7 @@ abi <abi/3.0>,
|
||||||
|
|
||||||
include <tunables/global>
|
include <tunables/global>
|
||||||
|
|
||||||
@{exec_path} = /{usr/,}lib/dbus-1.0/dbus-daemon-launch-helper
|
@{exec_path} = /{usr/,}lib{,exec}/dbus-1*/dbus-daemon-launch-helper
|
||||||
profile dbus-daemon-launch-helper @{exec_path} {
|
profile dbus-daemon-launch-helper @{exec_path} {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
include <abstractions/app-launcher-root>
|
include <abstractions/app-launcher-root>
|
||||||
|
@ -19,10 +19,7 @@ profile dbus-daemon-launch-helper @{exec_path} {
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
@{libexec}/{,cups-pk-helper/}cups-pk-helper-mechanism rPx,
|
@{libexec}/{,cups-pk-helper/}cups-pk-helper-mechanism rPx,
|
||||||
@{libexec}/kauth/backlighthelper rPx,
|
@{libexec}/kauth/* rPx,
|
||||||
@{libexec}/kauth/chargethresholdhelper rPx,
|
|
||||||
@{libexec}/kauth/discretegpuhelper rPx,
|
|
||||||
@{libexec}/kauth/kded-smart-helper rPx,
|
|
||||||
@{libexec}/language-selector/ls-dbus-backend rPx,
|
@{libexec}/language-selector/ls-dbus-backend rPx,
|
||||||
/{usr/,}lib/@{multiarch}/cups-pk-helper-mechanism rPx,
|
/{usr/,}lib/@{multiarch}/cups-pk-helper-mechanism rPx,
|
||||||
/{usr/,}lib/software-properties/software-properties-dbus rPx,
|
/{usr/,}lib/software-properties/software-properties-dbus rPx,
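Review bot: The new attachment path `/{usr/,}lib{,exec}/dbus-1*/dbus-daemon-launch-helper` is wider than the two layouts it is meant to cover: `dbus-1*` matches `dbus-1` and `dbus-1.0` but also any other directory name starting with `dbus-1`, and because this is the profile's attachment glob a binary under such a name would be confined by this profile instead of its own; `/{usr/,}lib{,exec}/dbus-1{,.0}/dbus-daemon-launch-helper` names exactly the known locations. The collapsed `@{libexec}/kauth/* rPx,` is equivalent for the four helpers it replaces and still denies exec of any other helper (rPx with no matching profile), which is appropriate for a setuid-root launcher, but a comment noting that each new helper needs its own profile would save the next person from debugging a mysterious exec failure. The profile block continues outside this hunk.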
|
||||||
|
|
|
@ -111,7 +111,7 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
|
||||||
/{usr/,}bin/nautilus rPx,
|
/{usr/,}bin/nautilus rPx,
|
||||||
/{usr/,}bin/snap rPx,
|
/{usr/,}bin/snap rPx,
|
||||||
|
|
||||||
/{usr/,}bin/kreadconfig5 rPUx,
|
/{usr/,}bin/kreadconfig5 rPx,
|
||||||
/{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx -> child-open,
|
/{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx -> child-open,
|
||||||
/{usr/,}lib/gio-launch-desktop rPx -> child-open,
|
/{usr/,}lib/gio-launch-desktop rPx -> child-open,
|
||||||
/{usr/,}lib/xdg-desktop-portal-validate-icon rPUx,
|
/{usr/,}lib/xdg-desktop-portal-validate-icon rPUx,
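Review bot: Switching `/{usr/,}bin/kreadconfig5` from `rPUx` to `rPx` only works if a loaded profile attaches to that exact path; otherwise the portal's exec of it is now denied instead of falling back to unconfined. The kreadconfig profile changed later in this commit is named `kreadconfig` and its `@{exec_path}` line is outside the shown hunks, so please confirm it lists `/{usr/,}bin/kreadconfig5` — a portal that cannot read KDE settings tends to fail quietly. The enclosing profile block starts and ends outside this hunk.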
|
||||||
|
|
|
@ -6,16 +6,17 @@ abi <abi/3.0>,
|
||||||
|
|
||||||
include <tunables/global>
|
include <tunables/global>
|
||||||
|
|
||||||
@{exec_path} = /{usr/,}lib/baloo_file
|
@{exec_path} = /{usr/,}bin/baloo_file @{libexec}/baloo_file
|
||||||
profile baloo @{exec_path} {
|
profile baloo @{exec_path} {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
include <abstractions/freedesktop.org>
|
|
||||||
include <abstractions/fonts>
|
|
||||||
include <abstractions/deny-sensitive-home>
|
include <abstractions/deny-sensitive-home>
|
||||||
|
include <abstractions/disks-read>
|
||||||
|
include <abstractions/fontconfig-cache-write>
|
||||||
|
include <abstractions/fonts>
|
||||||
|
include <abstractions/freedesktop.org>
|
||||||
include <abstractions/private-files-strict>
|
include <abstractions/private-files-strict>
|
||||||
include <abstractions/private-files>
|
include <abstractions/private-files>
|
||||||
include <abstractions/fontconfig-cache-write>
|
include <abstractions/qt5>
|
||||||
include <abstractions/disks-read>
|
|
||||||
|
|
||||||
network netlink raw,
|
network netlink raw,
|
||||||
|
|
||||||
|
@ -23,12 +24,14 @@ profile baloo @{exec_path} {
|
||||||
|
|
||||||
/{usr/,}lib/baloo_file_extractor rix,
|
/{usr/,}lib/baloo_file_extractor rix,
|
||||||
|
|
||||||
/usr/share/qt/translations/*.qm r,
|
|
||||||
/usr/share/hwdata/pnp.ids r,
|
/usr/share/hwdata/pnp.ids r,
|
||||||
|
/usr/share/icu/[0-9]*.[0-9]*/*.dat r,
|
||||||
/usr/share/poppler/{,**} r,
|
/usr/share/poppler/{,**} r,
|
||||||
|
|
||||||
/etc/fstab r,
|
/etc/fstab r,
|
||||||
/etc/machine-id r,
|
/etc/machine-id r,
|
||||||
|
/etc/xdg/baloofilerc r,
|
||||||
|
/etc/xdg/kdeglobals r,
|
||||||
|
|
||||||
# Allow to search user files
|
# Allow to search user files
|
||||||
owner @{HOME}/{,**} r,
|
owner @{HOME}/{,**} r,
|
||||||
|
@ -44,6 +47,7 @@ profile baloo @{exec_path} {
|
||||||
@{PROC}/sys/kernel/core_pattern r,
|
@{PROC}/sys/kernel/core_pattern r,
|
||||||
@{PROC}/sys/kernel/random/boot_id r,
|
@{PROC}/sys/kernel/random/boot_id r,
|
||||||
owner @{PROC}/@{pid}/mounts r,
|
owner @{PROC}/@{pid}/mounts r,
|
||||||
|
owner @{PROC}/@{pid}/mountinfo r,
|
||||||
|
|
||||||
/dev/tty r,
|
/dev/tty r,
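Review bot: `@{exec_path}` now includes `@{libexec}/baloo_file`, but the extractor it spawns is still only allowed as `/{usr/,}lib/baloo_file_extractor rix,`; on a layout where `@{libexec}` resolves to something other than `/{usr/,}lib` (presumably the reason the main path was widened) the exec of the extractor will be denied, so add `@{libexec}/baloo_file_extractor rix,` beside the existing rule. Separately, `rix` keeps the extractor — the component that parses untrusted file contents (the `/usr/share/poppler/` read suggests PDFs among them) — inside a profile that can read all of `owner @{HOME}/{,**}` and write the fontconfig cache via the newly included abstraction. A child profile (`rCx -> baloo_file_extractor`) or its own `rPx` profile would limit what a parser bug can reach; since that is a larger change than this commit, a `# TODO: confine the extractor separately, it parses untrusted files` next to the rix line would do for now. The profile block continues outside these hunks.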
|
||||||
|
|
||||||
|
|
|
@ -12,15 +12,20 @@ profile gmenudbusmenuproxy @{exec_path} {
|
||||||
include <abstractions/fonts>
|
include <abstractions/fonts>
|
||||||
include <abstractions/gtk>
|
include <abstractions/gtk>
|
||||||
include <abstractions/nameservice-strict>
|
include <abstractions/nameservice-strict>
|
||||||
|
include <abstractions/qt5>
|
||||||
include <abstractions/X-strict>
|
include <abstractions/X-strict>
|
||||||
|
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
/usr/share/hwdata/*.ids r,
|
/usr/share/hwdata/*.ids r,
|
||||||
|
/usr/share/icu/[0-9]*.[0-9]*/*.dat r,
|
||||||
|
|
||||||
/etc/machine-id r,
|
/etc/machine-id r,
|
||||||
|
|
||||||
owner @{HOME}/.gtkrc-2.0 rw,
|
owner @{HOME}/.gtkrc-2.0 rw,
|
||||||
|
owner @{user_config_dirs}/gtk-{2,3}.0/#[0-9]* rw,
|
||||||
|
owner @{user_config_dirs}/gtk-{2,3}.0/settings.ini{,.??????} rwl,
|
||||||
|
owner @{user_config_dirs}/gtk-{2,3}.0/settings.ini.lock rwk,
|
||||||
|
|
||||||
@{PROC}/sys/kernel/random/boot_id r,
|
@{PROC}/sys/kernel/random/boot_id r,
|
||||||
|
|
||||||
|
|
|
@ -6,21 +6,24 @@ abi <abi/3.0>,
|
||||||
|
|
||||||
include <tunables/global>
|
include <tunables/global>
|
||||||
|
|
||||||
@{exec_path} = /{usr/,}lib/kactivitymanagerd
|
@{exec_path} = @{libexec}/kactivitymanagerd
|
||||||
profile kactivitymanagerd @{exec_path} {
|
profile kactivitymanagerd @{exec_path} {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
|
include <abstractions/qt5>
|
||||||
include <abstractions/X-strict>
|
include <abstractions/X-strict>
|
||||||
|
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
/usr/share/hwdata/*.ids r,
|
/usr/share/hwdata/*.ids r,
|
||||||
/usr/share/qt/translations/*.qm r,
|
/usr/share/icu/[0-9]*.[0-9]*/*.dat r,
|
||||||
|
|
||||||
|
/etc/xdg/kdeglobals r,
|
||||||
|
|
||||||
owner @{user_config_dirs}/kdedefaults/kdeglobals r,
|
owner @{user_config_dirs}/kdedefaults/kdeglobals r,
|
||||||
owner @{user_config_dirs}/kdeglobals r,
|
owner @{user_config_dirs}/kdeglobals r,
|
||||||
owner @{user_config_dirs}/kactivitymanagerdrc r,
|
owner @{user_config_dirs}/kactivitymanagerdrc r,
|
||||||
|
|
||||||
owner @{user_share_dirs}/kactivitymanagerd/{,**} rwl,
|
owner @{user_share_dirs}/kactivitymanagerd/{,**} rwlk,
|
||||||
|
|
||||||
@{PROC}/sys/kernel/core_pattern r,
|
@{PROC}/sys/kernel/core_pattern r,
|
||||||
|
|
||||||
|
|
|
@ -10,11 +10,14 @@ include <tunables/global>
|
||||||
profile kauth-backlighthelper @{exec_path} {
|
profile kauth-backlighthelper @{exec_path} {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
include <abstractions/nameservice-strict>
|
include <abstractions/nameservice-strict>
|
||||||
|
include <abstractions/qt5>
|
||||||
|
|
||||||
capability net_admin,
|
capability net_admin,
|
||||||
|
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
|
/usr/share/icu/[0-9]*.[0-9]*/*.dat r,
|
||||||
|
|
||||||
@{sys}/class/backlight/ r,
|
@{sys}/class/backlight/ r,
|
||||||
@{sys}/class/leds/ r,
|
@{sys}/class/leds/ r,
|
||||||
|
|
||||||
|
|
|
@ -13,6 +13,8 @@ profile kauth-chargethresholdhelper @{exec_path} {
|
||||||
|
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
|
/usr/share/icu/[0-9]*.[0-9]*/*.dat r,
|
||||||
|
|
||||||
@{sys}/class/power_supply/ r,
|
@{sys}/class/power_supply/ r,
|
||||||
|
|
||||||
include if exists <local/kauth-chargethresholdhelper>
|
include if exists <local/kauth-chargethresholdhelper>
|
||||||
|
|
|
@ -13,5 +13,7 @@ profile kauth-discretegpuhelper @{exec_path} {
|
||||||
|
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
|
/usr/share/icu/[0-9]*.[0-9]*/*.dat r,
|
||||||
|
|
||||||
include if exists <local/kauth-discretegpuhelper>
|
include if exists <local/kauth-discretegpuhelper>
|
||||||
}
|
}
|
|
@ -15,5 +15,7 @@ profile kauth-kded-smart-helper @{exec_path} {
|
||||||
|
|
||||||
/{usr/,}{s,}bin/smartctl rPx,
|
/{usr/,}{s,}bin/smartctl rPx,
|
||||||
|
|
||||||
|
/usr/share/icu/[0-9]*.[0-9]*/*.dat r,
|
||||||
|
|
||||||
include if exists <local/kauth-kded-smart-helper>
|
include if exists <local/kauth-kded-smart-helper>
|
||||||
}
|
}
|
|
@ -13,6 +13,9 @@ profile kconf_update @{exec_path} {
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
/usr/share/kconf_update/{,**} r,
|
/usr/share/kconf_update/{,**} r,
|
||||||
|
/usr/share/icu/[0-9]*.[0-9]*/*.dat r,
|
||||||
|
|
||||||
|
/etc/xdg/kdeglobals r,
|
||||||
|
|
||||||
owner @{user_config_dirs}/kconf_updaterc r,
|
owner @{user_config_dirs}/kconf_updaterc r,
|
||||||
owner @{user_config_dirs}/kdedefaults/kdeglobals r,
|
owner @{user_config_dirs}/kdedefaults/kdeglobals r,
|
||||||
|
|
|
@ -18,6 +18,7 @@ profile kded5 @{exec_path} {
|
||||||
include <abstractions/gtk>
|
include <abstractions/gtk>
|
||||||
include <abstractions/mesa>
|
include <abstractions/mesa>
|
||||||
include <abstractions/nameservice-strict>
|
include <abstractions/nameservice-strict>
|
||||||
|
include <abstractions/qt5>
|
||||||
include <abstractions/wutmp>
|
include <abstractions/wutmp>
|
||||||
include <abstractions/X-strict>
|
include <abstractions/X-strict>
|
||||||
|
|
||||||
|
@ -28,28 +29,34 @@ profile kded5 @{exec_path} {
|
||||||
|
|
||||||
ptrace (read),
|
ptrace (read),
|
||||||
|
|
||||||
|
signal (send) set=hup peer=xsettingsd,
|
||||||
|
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
@{libexec}/kf5/kconf_update rPx,
|
@{libexec}/kf5/kconf_update rPx,
|
||||||
@{libexec}/utempter/utempter rix, # TODO: rPx ?
|
@{libexec}/utempter/utempter rPx,
|
||||||
|
/{usr/,}bin/kcminit rPx,
|
||||||
/{usr/,}bin/pgrep rCx -> pgrep,
|
/{usr/,}bin/pgrep rCx -> pgrep,
|
||||||
/{usr/,}bin/setxkbmap rix,
|
/{usr/,}bin/setxkbmap rix,
|
||||||
/{usr/,}bin/xsettingsd rPx,
|
/{usr/,}bin/xsettingsd rPx,
|
||||||
|
|
||||||
/usr/share/hwdata/*.ids r,
|
/usr/share/hwdata/*.ids r,
|
||||||
/usr/share/kconf_update/{,**} r,
|
/usr/share/icu/[0-9]*.[0-9]*/*.dat r,
|
||||||
/usr/share/kded5/{,**} r,
|
/usr/share/kded5/{,**} r,
|
||||||
/usr/share/khotkeys/{,**} r,
|
/usr/share/khotkeys/{,**} r,
|
||||||
/usr/share/knotifications5/{,**} r,
|
/usr/share/knotifications5/{,**} r,
|
||||||
/usr/share/kservices5/{,**} r,
|
/usr/share/kservices5/{,**} r,
|
||||||
/usr/share/kservicetypes5/{,**} r,
|
/usr/share/kservicetypes5/{,**} r,
|
||||||
/usr/share/mime/ r,
|
/usr/share/mime/ r,
|
||||||
/usr/share/qt/translations/*.qm r,
|
/usr/share/kconf_update/ r,
|
||||||
|
|
||||||
/etc/fstab r,
|
/etc/fstab r,
|
||||||
/etc/machine-id r,
|
/etc/machine-id r,
|
||||||
|
/etc/xdg/kcminputrc r,
|
||||||
/etc/xdg/kde* r,
|
/etc/xdg/kde* r,
|
||||||
/etc/xdg/menus/ r,
|
/etc/xdg/kioslaverc r,
|
||||||
|
/etc/xdg/kwinrc r,
|
||||||
|
/etc/xdg/menus/{,**} r,
|
||||||
|
|
||||||
owner @{HOME}/.gtkrc-2.0 rw,
|
owner @{HOME}/.gtkrc-2.0 rw,
|
||||||
|
|
||||||
|
@ -57,7 +64,7 @@ profile kded5 @{exec_path} {
|
||||||
owner @{user_cache_dirs}/ksycoca5_* r,
|
owner @{user_cache_dirs}/ksycoca5_* r,
|
||||||
|
|
||||||
owner @{user_config_dirs}/#[0-9]* rw,
|
owner @{user_config_dirs}/#[0-9]* rw,
|
||||||
owner @{user_config_dirs}/bluedevilglobalrc r,
|
owner @{user_config_dirs}/bluedevilglobalrc rk,
|
||||||
owner @{user_config_dirs}/bluedevilglobalrc* rwkl,
|
owner @{user_config_dirs}/bluedevilglobalrc* rwkl,
|
||||||
owner @{user_config_dirs}/gtk-{3,4}.0/{,**} rwl,
|
owner @{user_config_dirs}/gtk-{3,4}.0/{,**} rwl,
|
||||||
owner @{user_config_dirs}/kcminputrc r,
|
owner @{user_config_dirs}/kcminputrc r,
|
||||||
|
@ -83,12 +90,15 @@ profile kded5 @{exec_path} {
|
||||||
|
|
||||||
owner /tmp/plasma-csd-generator.??????/{,**} rw,
|
owner /tmp/plasma-csd-generator.??????/{,**} rw,
|
||||||
|
|
||||||
|
@{PROC}/@{pids}/cmdline/ r,
|
||||||
|
@{PROC}/@{pids}/fd/ r,
|
||||||
|
@{PROC}/@{pids}/fd/info/[0-9]* r,
|
||||||
|
@{PROC}/sys/fs/inotify/max_user_{instances,watches} r,
|
||||||
|
@{PROC}/sys/kernel/core_pattern r,
|
||||||
|
@{PROC}/sys/kernel/random/boot_id r,
|
||||||
owner @{PROC}/@{pid}/mountinfo r,
|
owner @{PROC}/@{pid}/mountinfo r,
|
||||||
owner @{PROC}/@{pid}/mounts r,
|
owner @{PROC}/@{pid}/mounts r,
|
||||||
|
|
||||||
@{PROC}/sys/kernel/random/boot_id r,
|
|
||||||
@{PROC}/sys/kernel/core_pattern r,
|
|
||||||
|
|
||||||
/dev/ptmx rw,
|
/dev/ptmx rw,
|
||||||
/dev/rfkill r,
|
/dev/rfkill r,
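Review bot: Two of the new /proc rules look like path typos: `@{PROC}/@{pids}/cmdline/ r,` has a trailing slash, which makes it a directory rule that can never match the `cmdline` file, and `@{PROC}/@{pids}/fd/info/[0-9]* r,` does not correspond to a procfs path — per-descriptor info lives in `/proc/<pid>/fdinfo/<n>`. The intended rules are presumably `@{PROC}/@{pids}/cmdline r,` and `@{PROC}/@{pids}/fdinfo/[0-9]* r,`. Also note these and `@{PROC}/@{pids}/fd/ r,` use `@{pids}` without `owner`, so together with the existing `ptrace (read)` kded5 may enumerate the command lines and open descriptors of every process on the system; if the denial that produced them was for kded5's own pid, `owner @{PROC}/@{pid}/...` is the narrower form. The profile block starts outside this hunk.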
|
||||||
|
|
||||||
|
|
|
@ -10,13 +10,14 @@ include <tunables/global>
|
||||||
profile kglobalaccel5 @{exec_path} {
|
profile kglobalaccel5 @{exec_path} {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
include <abstractions/freedesktop.org>
|
include <abstractions/freedesktop.org>
|
||||||
|
include <abstractions/qt5>
|
||||||
include <abstractions/X-strict>
|
include <abstractions/X-strict>
|
||||||
|
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
/usr/share/hwdata/*.ids r,
|
/usr/share/hwdata/*.ids r,
|
||||||
|
/usr/share/icu/[0-9]*.[0-9]*/*.dat r,
|
||||||
/usr/share/kglobalaccel/{,**} r,
|
/usr/share/kglobalaccel/{,**} r,
|
||||||
/usr/share/qt/translations/*.qm r,
|
|
||||||
/usr/share/mime/{,**} r,
|
/usr/share/mime/{,**} r,
|
||||||
|
|
||||||
/etc/machine-id r,
|
/etc/machine-id r,
|
||||||
|
|
|
@ -10,11 +10,14 @@ include <tunables/global>
|
||||||
profile kreadconfig @{exec_path} {
|
profile kreadconfig @{exec_path} {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
|
|
||||||
|
network netlink raw,
|
||||||
|
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
/usr/share/icu/[0-9]*.[0-9]*/*.dat r,
|
/usr/share/icu/[0-9]*.[0-9]*/*.dat r,
|
||||||
|
|
||||||
/etc/xdg/kdeglobals r,
|
/etc/xdg/kdeglobals r,
|
||||||
|
/etc/xdg/kioslaverc r,
|
||||||
|
|
||||||
owner @{user_config_dirs}/kdedefaults/kdeglobals r,
|
owner @{user_config_dirs}/kdedefaults/kdeglobals r,
|
||||||
owner @{user_config_dirs}/kdeglobals r,
|
owner @{user_config_dirs}/kdeglobals r,
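Review bot: `network netlink raw,` is a broad grant for a one-shot config reader — AppArmor does not restrict a raw netlink socket to a protocol family, so the rule covers route, uevent and the other families alike. If it was added to silence a denial from Qt/udev initialisation (other Qt profiles in this commit carry the same rule as context), a comment saying so would stop the next reviewer from treating it as a bug, e.g. `# Qt initialisation opens a netlink socket; no real network access intended — confirm`. The profile block starts and ends outside this hunk.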
|
||||||
|
|
|
@ -19,6 +19,7 @@ profile kscreenlocker-greet @{exec_path} {
|
||||||
include <abstractions/nameservice-strict>
|
include <abstractions/nameservice-strict>
|
||||||
include <abstractions/qt5-compose-cache-write>
|
include <abstractions/qt5-compose-cache-write>
|
||||||
include <abstractions/qt5-shader-cache>
|
include <abstractions/qt5-shader-cache>
|
||||||
|
include <abstractions/qt5>
|
||||||
include <abstractions/X>
|
include <abstractions/X>
|
||||||
|
|
||||||
network netlink raw,
|
network netlink raw,
|
||||||
|
@ -28,10 +29,14 @@ profile kscreenlocker-greet @{exec_path} {
|
||||||
|
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
|
@{libexec}/libheif/ r,
|
||||||
|
@{libexec}/libheif/*.so* rm,
|
||||||
|
|
||||||
/{usr/,}{s,}bin/unix_chkpwd rPx,
|
/{usr/,}{s,}bin/unix_chkpwd rPx,
|
||||||
/{usr/,}lib/@{multiarch}/libexec/kcheckpass rPx,
|
/{usr/,}lib/@{multiarch}/libexec/kcheckpass rPx,
|
||||||
|
|
||||||
/usr/share/hwdata/pnp.ids r,
|
/usr/share/hwdata/pnp.ids r,
|
||||||
|
/usr/share/icu/[0-9]*.[0-9]*/*.dat r,
|
||||||
/usr/share/plasma/** r,
|
/usr/share/plasma/** r,
|
||||||
/usr/share/qt/translations/*.qm r,
|
/usr/share/qt/translations/*.qm r,
|
||||||
/usr/share/qt5ct/** r,
|
/usr/share/qt5ct/** r,
|
||||||
|
@ -39,16 +44,20 @@ profile kscreenlocker-greet @{exec_path} {
|
||||||
/usr/share/wallpapers/Path/contents/images/*.{jpg,png} r,
|
/usr/share/wallpapers/Path/contents/images/*.{jpg,png} r,
|
||||||
/usr/share/wayland-sessions/{,*.desktop} r,
|
/usr/share/wayland-sessions/{,*.desktop} r,
|
||||||
/usr/share/xsessions/{,*.desktop} r,
|
/usr/share/xsessions/{,*.desktop} r,
|
||||||
|
/usr/share/hunspell/* r,
|
||||||
|
|
||||||
/etc/environment r,
|
/{usr/,}etc/environment r,
|
||||||
|
/{usr/,}etc/login.defs r,
|
||||||
|
/{usr/,}etc/login.defs.d/ r,
|
||||||
|
/{usr/,}etc/security/*.conf r,
|
||||||
/etc/fstab r,
|
/etc/fstab r,
|
||||||
/etc/fstab r,
|
|
||||||
/etc/login.defs r,
|
|
||||||
/etc/machine-id r,
|
/etc/machine-id r,
|
||||||
/etc/pam.d/* r,
|
/etc/pam.d/* r,
|
||||||
/etc/security/faillock.conf r,
|
|
||||||
/etc/security/pam_env.conf r,
|
|
||||||
/etc/shells r,
|
/etc/shells r,
|
||||||
|
/etc/xdg/kdeglobals r,
|
||||||
|
/etc/xdg/kscreenlockerrc r,
|
||||||
|
/etc/xdg/plasmarc r,
|
||||||
|
|
||||||
/var/lib/dbus/machine-id r,
|
/var/lib/dbus/machine-id r,
|
||||||
|
|
||||||
owner @{HOME}/.Xauthority r,
|
owner @{HOME}/.Xauthority r,
|
||||||
|
@ -58,7 +67,7 @@ profile kscreenlocker-greet @{exec_path} {
|
||||||
owner @{user_cache_dirs}/icon-cache.kcache rw,
|
owner @{user_cache_dirs}/icon-cache.kcache rw,
|
||||||
owner @{user_cache_dirs}/kscreenlocker_greet/ w,
|
owner @{user_cache_dirs}/kscreenlocker_greet/ w,
|
||||||
owner @{user_cache_dirs}/kscreenlocker_greet/** rwl,
|
owner @{user_cache_dirs}/kscreenlocker_greet/** rwl,
|
||||||
owner @{user_cache_dirs}/plasma_theme_default_*.kcache rw,
|
owner @{user_cache_dirs}/plasma_theme_*.kcache rw,
|
||||||
owner @{user_cache_dirs}/plasma-svgelements-default_v* r,
|
owner @{user_cache_dirs}/plasma-svgelements-default_v* r,
|
||||||
owner @{user_cache_dirs}/plasma-svgelements.lock rwk,
|
owner @{user_cache_dirs}/plasma-svgelements.lock rwk,
|
||||||
owner @{user_cache_dirs}/plasma-svgelements{,.??????} rwl,
|
owner @{user_cache_dirs}/plasma-svgelements{,.??????} rwl,
|
||||||
|
@ -82,9 +91,10 @@ profile kscreenlocker-greet @{exec_path} {
|
||||||
|
|
||||||
@{run}/faillock/[a-zA-z0-9]* rwk,
|
@{run}/faillock/[a-zA-z0-9]* rwk,
|
||||||
|
|
||||||
@{PROC}/@{pid}/cmdline r,
|
@{PROC}/@{pid}/cmdline r,
|
||||||
@{PROC}/@{pid}/mounts r,
|
@{PROC}/@{pid}/mounts r,
|
||||||
@{PROC}/sys/kernel/core_pattern r,
|
@{PROC}/sys/kernel/core_pattern r,
|
||||||
|
owner @{PROC}/@{pid}/loginuid r,
|
||||||
|
|
||||||
/dev/tty r,
|
/dev/tty r,
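Review bot: `/{usr/,}etc/security/*.conf r,` replaces the two explicit PAM config reads and happens to stop at the right boundary — `/etc/security/opasswd` (password history, not world-readable) does not match `*.conf` — but that is an accident of the filename, so state it: `# *.conf only: do not widen to /etc/security/** (opasswd holds password history)`. Adjacent and pre-existing rather than new: `@{run}/faillock/[a-zA-z0-9]* rwk,` has a lower-case `z` in the range, so `A-z` also matches the six punctuation characters between `Z` and `a`; presumably `[a-zA-Z0-9]*` was meant. The profile block starts outside this hunk.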
|
||||||
|
|
||||||
|
|
|
@ -18,7 +18,7 @@ profile ksmserver @{exec_path} flags=(attach_disconnected,mediate_deleted) {
|
||||||
include <abstractions/qt5>
|
include <abstractions/qt5>
|
||||||
include <abstractions/vulkan>
|
include <abstractions/vulkan>
|
||||||
|
|
||||||
signal (send) set=term peer=kscreenlocker-greet,
|
signal (send) set=(usr1,term) peer=kscreenlocker-greet,
|
||||||
|
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
|
@ -35,6 +35,7 @@ profile ksmserver @{exec_path} flags=(attach_disconnected,mediate_deleted) {
|
||||||
/usr/share/kservices5/{,**} r,
|
/usr/share/kservices5/{,**} r,
|
||||||
/usr/share/mime/{,**} r,
|
/usr/share/mime/{,**} r,
|
||||||
|
|
||||||
|
/etc/xdg/menus/applications-merged/ r,
|
||||||
/etc/machine-id r,
|
/etc/machine-id r,
|
||||||
/etc/xdg/kdeglobals r,
|
/etc/xdg/kdeglobals r,
|
||||||
/etc/xdg/kscreenlockerrc r,
|
/etc/xdg/kscreenlockerrc r,
|
||||||
|
|
|
@ -20,11 +20,15 @@ profile kwin_x11 @{exec_path} {
|
||||||
|
|
||||||
network inet dgram,
|
network inet dgram,
|
||||||
network inet6 dgram,
|
network inet6 dgram,
|
||||||
|
network inet stream,
|
||||||
|
network inet6 stream,
|
||||||
network netlink raw,
|
network netlink raw,
|
||||||
|
|
||||||
@{exec_path} mr,
|
@{exec_path} mrix,
|
||||||
|
|
||||||
/{usr/,}lib/kwin_killer_helper rix,
|
/{usr/,}bin/{,ba,da}sh rix,
|
||||||
|
/{usr/,}lib/kwin_killer_helper rix,
|
||||||
|
@{libexec}/drkonqi rPx,
|
||||||
|
|
||||||
/usr/share/hwdata/pnp.ids r,
|
/usr/share/hwdata/pnp.ids r,
|
||||||
/usr/share/icu/[0-9]*.[0-9]*/*.dat r,
|
/usr/share/icu/[0-9]*.[0-9]*/*.dat r,
|
||||||
|
@ -43,6 +47,7 @@ profile kwin_x11 @{exec_path} {
|
||||||
owner @{user_cache_dirs}/ r,
|
owner @{user_cache_dirs}/ r,
|
||||||
owner @{user_cache_dirs}/#[0-9]* rw,
|
owner @{user_cache_dirs}/#[0-9]* rw,
|
||||||
owner @{user_cache_dirs}/icon-cache.kcache rw,
|
owner @{user_cache_dirs}/icon-cache.kcache rw,
|
||||||
|
owner @{user_cache_dirs}/kcrash-metadata/*.ini rw,
|
||||||
owner @{user_cache_dirs}/kwin/{,**} rwl,
|
owner @{user_cache_dirs}/kwin/{,**} rwl,
|
||||||
owner @{user_cache_dirs}/plasmarc r,
|
owner @{user_cache_dirs}/plasmarc r,
|
||||||
owner @{user_cache_dirs}/plasma_theme_*.kcache rw,
|
owner @{user_cache_dirs}/plasma_theme_*.kcache rw,
|
||||||
|
@ -61,11 +66,12 @@ profile kwin_x11 @{exec_path} {
|
||||||
owner @{user_config_dirs}/kxkbrc r,
|
owner @{user_config_dirs}/kxkbrc r,
|
||||||
owner @{user_config_dirs}/session/kwin_* rwk,
|
owner @{user_config_dirs}/session/kwin_* rwk,
|
||||||
|
|
||||||
@{run}/user/@{uid}/xauth_* rl,
|
owner @{run}/user/@{uid}/kcrash_[0-9]* rw,
|
||||||
|
owner @{run}/user/@{uid}/xauth_* rl,
|
||||||
|
|
||||||
@{PROC}/sys/kernel/core_pattern r,
|
@{PROC}/sys/kernel/core_pattern r,
|
||||||
|
|
||||||
/dev/tty r,
|
/dev/tty rw,
|
||||||
|
|
||||||
include if exists <local/kwin_x11>
|
include if exists <local/kwin_x11>
|
||||||
}
|
}
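Review bot: `/{usr/,}bin/{,ba,da}sh rix,` runs a shell inside the kwin_x11 profile, and the same hunk widens that profile with `network inet stream,` / `network inet6 stream,`, so whatever script kwin spawns (presumably a crash/restart path, given the new `@{libexec}/drkonqi rPx,` and kcrash rules) inherits TCP access plus everything else kwin holds. If the shell is only used to relaunch kwin or run a fixed helper, a child profile (`rCx -> sh` listing just the commands it needs, as the pgrep child profile does in kded5) keeps it from becoming a generic launcher; at minimum a comment naming what invokes the shell would let the next reviewer check. `@{exec_path} mrix,` is consistent with a self-restart. The profile block starts outside this hunk.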
|
||||||
|
|
|
@ -9,22 +9,46 @@ include <tunables/global>
|
||||||
@{exec_path} = /{usr/,}bin/plasma-discover
|
@{exec_path} = /{usr/,}bin/plasma-discover
|
||||||
profile plasma-discover @{exec_path} {
|
profile plasma-discover @{exec_path} {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
|
include <abstractions/mesa>
|
||||||
|
include <abstractions/nameservice-strict>
|
||||||
|
include <abstractions/ssl_certs>
|
||||||
|
|
||||||
|
network inet dgram,
|
||||||
|
network inet6 dgram,
|
||||||
|
network inet stream,
|
||||||
|
network inet6 stream,
|
||||||
|
# network netlink raw,
|
||||||
|
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
/{usr/,}lib/kf5/kioslave5 rPUx, # TODO: rPx,
|
@{libexec}/kf5/kioslave5 rPx,
|
||||||
/{usr/,}lib/kf5/kio_http_cache_cleaner rPUx, # TODO: rPx,
|
@{libexec}/kf5/kio_http_cache_cleaner rPx,
|
||||||
|
|
||||||
|
/etc/appstream.conf r,
|
||||||
/etc/machine-id r,
|
/etc/machine-id r,
|
||||||
|
/etc/flatpak/remotes.d/{,**} r,
|
||||||
|
|
||||||
/var/tmp/flatpak-cache-*/ rw,
|
/var/tmp/flatpak-cache-*/ rw,
|
||||||
/var/tmp/flatpak-cache-*/** rwkl,
|
/var/tmp/flatpak-cache-*/** rwkl,
|
||||||
/var/tmp/#[0-9]* rw,
|
/var/tmp/#[0-9]* rw,
|
||||||
|
|
||||||
|
/var/cache/swcatalog/ rw,
|
||||||
|
|
||||||
|
/var/lib/flatpak/repo/{,**} r,
|
||||||
|
/var/lib/flatpak/appstream/{,**} r,
|
||||||
|
|
||||||
|
owner @{user_cache_dirs}/discover/{,**} rw,
|
||||||
|
owner @{user_cache_dirs}/appstream/*.xb r,
|
||||||
|
owner @{user_cache_dirs}/appstream/ r,
|
||||||
|
|
||||||
owner @{user_config_dirs}/kde.org/{,**} rwlk,
|
owner @{user_config_dirs}/kde.org/{,**} rwlk,
|
||||||
owner @{user_config_dirs}/discoverrc rwl,
|
owner @{user_config_dirs}/discoverrc rwl,
|
||||||
owner @{user_config_dirs}/#[0-9]* rwl,
|
owner @{user_config_dirs}/#[0-9]* rwl,
|
||||||
owner @{user_config_dirs}/discoverrc.lock rwk,
|
owner @{user_config_dirs}/discoverrc.lock rwk,
|
||||||
|
|
||||||
|
owner @{user_share_dirs}/flatpak/repo/{,**} rw,
|
||||||
|
|
||||||
|
@{PROC}/sys/kernel/random/boot_id r,
|
||||||
|
|
||||||
include if exists <local/plasma-discover>
|
include if exists <local/plasma-discover>
|
||||||
}
|
}
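Review bot: `/var/cache/swcatalog/ rw,` grants write on a system-owned directory without `owner` and without a rule for anything beneath it, which for a process running as an unprivileged user either never succeeds or, if the directory is user-writable on some distribution, is broader than intended; confirm which denial produced it and scope it (`r` if only listing is needed). Similarly, `owner @{user_share_dirs}/flatpak/repo/{,**} rw,` has neither `k` nor `l` while the flatpak cache rule above it is `rwkl`; if the user repo is an ostree repository (flatpak's default) lock files and hard links are likely, so check this against denials from an actual user install rather than guessing. The switch of kioslave5 and kio_http_cache_cleaner to `rPx` is a clear improvement.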
|
|
@ -12,11 +12,14 @@ profile plasmashell @{exec_path} {
|
||||||
include <abstractions/app-launcher-user>
|
include <abstractions/app-launcher-user>
|
||||||
include <abstractions/disks-read>
|
include <abstractions/disks-read>
|
||||||
include <abstractions/dri-common>
|
include <abstractions/dri-common>
|
||||||
|
include <abstractions/dri-enumerate>
|
||||||
|
include <abstractions/enchant>
|
||||||
include <abstractions/fonts>
|
include <abstractions/fonts>
|
||||||
include <abstractions/freedesktop.org>
|
include <abstractions/freedesktop.org>
|
||||||
include <abstractions/mesa>
|
include <abstractions/mesa>
|
||||||
include <abstractions/nameservice-strict>
|
include <abstractions/nameservice-strict>
|
||||||
include <abstractions/qt5-shader-cache>
|
include <abstractions/qt5-shader-cache>
|
||||||
|
include <abstractions/qt5>
|
||||||
include <abstractions/user-tmp>
|
include <abstractions/user-tmp>
|
||||||
include <abstractions/vulkan>
|
include <abstractions/vulkan>
|
||||||
include <abstractions/X-strict>
|
include <abstractions/X-strict>
|
||||||
|
@ -29,16 +32,18 @@ profile plasmashell @{exec_path} {
|
||||||
|
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
/{usr/,}bin/plasma-discover rPx,
|
@{libexec}/libheif/ r,
|
||||||
/{usr/,}lib/kf5/kioslave5 rPUx, # TODO: rPx,
|
@{libexec}/libheif/*.so* rm,
|
||||||
|
@{libexec}/kf5/kioslave5 rPx,
|
||||||
/{usr/,}bin/dolphin rPUx, # TODO: rPx,
|
/{usr/,}bin/dolphin rPUx, # TODO: rPx,
|
||||||
|
/{usr/,}bin/plasma-discover rPUx,
|
||||||
|
|
||||||
|
/usr/share/icu/[0-9]*.[0-9]*/*.dat r,
|
||||||
/usr/share/hwdata/*.ids r,
|
/usr/share/hwdata/*.ids r,
|
||||||
/usr/share/kservices5/{,**} r,
|
/usr/share/kservices5/{,**} r,
|
||||||
/usr/share/kservicetypes5/{,**} r,
|
/usr/share/kservicetypes5/{,**} r,
|
||||||
/usr/share/mime/{,**} r,
|
/usr/share/mime/{,**} r,
|
||||||
/usr/share/plasma/{,**} r,
|
/usr/share/plasma/{,**} r,
|
||||||
/usr/share/qt/translations/*.qm r,
|
|
||||||
/usr/share/solid/actions/{,**} r,
|
/usr/share/solid/actions/{,**} r,
|
||||||
/usr/share/wallpapers/{,**} r,
|
/usr/share/wallpapers/{,**} r,
|
||||||
/usr/share/krunner/{,**} r,
|
/usr/share/krunner/{,**} r,
|
||||||
|
@ -46,53 +51,79 @@ profile plasmashell @{exec_path} {
|
||||||
/usr/share/akonadi/firstrun/{,*} r,
|
/usr/share/akonadi/firstrun/{,*} r,
|
||||||
|
|
||||||
/etc/appstream.conf r,
|
/etc/appstream.conf r,
|
||||||
/etc/pulse/client.conf r,
|
/etc/cups/client.conf r,
|
||||||
/etc/xdg/taskmanagerrulesrc r,
|
|
||||||
/etc/xdg/menus/ r,
|
|
||||||
/etc/machine-id r,
|
|
||||||
/etc/fstab r,
|
/etc/fstab r,
|
||||||
|
/etc/machine-id r,
|
||||||
|
/etc/pulse/client.conf r,
|
||||||
|
/etc/pulse/client.conf.d/ r,
|
||||||
|
/etc/xdg/baloofilerc r,
|
||||||
|
/etc/xdg/dolphinrc r,
|
||||||
|
/etc/xdg/kdeglobals r,
|
||||||
|
/etc/xdg/kioslaverc r,
|
||||||
|
/etc/xdg/krunnerrc r,
|
||||||
|
/etc/xdg/kwinrc r,
|
||||||
|
/etc/xdg/menus/ r,
|
||||||
|
/etc/xdg/menus/applications-merged/ r,
|
||||||
|
/etc/xdg/plasmanotifyrc r,
|
||||||
|
/etc/xdg/plasmarc r,
|
||||||
|
/etc/xdg/taskmanagerrulesrc r,
|
||||||
|
/etc/xdg/kshorturifilterrc r,
|
||||||
|
|
||||||
|
owner @{HOME}/@{XDG_DESKTOP_DIR}/*.desktop r,
|
||||||
|
|
||||||
owner @{user_templates_dirs}/ r,
|
owner @{user_templates_dirs}/ r,
|
||||||
|
|
||||||
|
owner @{user_cache_dirs}/ r,
|
||||||
owner @{user_cache_dirs}/#[0-9]* rw,
|
owner @{user_cache_dirs}/#[0-9]* rw,
|
||||||
owner @{user_cache_dirs}/icon-cache.kcache rw,
|
owner @{user_cache_dirs}/icon-cache.kcache rw,
|
||||||
owner @{user_cache_dirs}/ksycoca5_* r,
|
owner @{user_cache_dirs}/ksycoca5_* r,
|
||||||
owner @{user_cache_dirs}/org.kde.dirmodel-qml.kcache rw,
|
owner @{user_cache_dirs}/org.kde.dirmodel-qml.kcache rw,
|
||||||
|
owner @{user_cache_dirs}/plasma_theme_*.kcache rw,
|
||||||
|
owner @{user_cache_dirs}/plasma-svgelements.?????? rwlk,
|
||||||
|
owner @{user_cache_dirs}/plasma-svgelements.lock rwk,
|
||||||
owner @{user_cache_dirs}/plasma-svgelements* rwl,
|
owner @{user_cache_dirs}/plasma-svgelements* rwl,
|
||||||
owner @{user_cache_dirs}/plasma_theme_default_v*.kcache rw,
|
|
||||||
owner @{user_cache_dirs}/plasmashell/qmlcache/{,**} rwl,
|
owner @{user_cache_dirs}/plasmashell/qmlcache/{,**} rwl,
|
||||||
|
|
||||||
owner @{user_config_dirs}/*kde*.desktop* r,
|
owner @{user_config_dirs}/*kde*.desktop* r,
|
||||||
owner @{user_config_dirs}/#[0-9]* rw,
|
owner @{user_config_dirs}/#[0-9]* rw,
|
||||||
|
owner @{user_config_dirs}/akonadi-firstrunrc r,
|
||||||
|
owner @{user_config_dirs}/akonadi/akonadiconnectionrc r,
|
||||||
owner @{user_config_dirs}/baloofilerc r,
|
owner @{user_config_dirs}/baloofilerc r,
|
||||||
owner @{user_config_dirs}/dolphinrc r,
|
owner @{user_config_dirs}/dolphinrc r,
|
||||||
|
owner @{user_config_dirs}/kactivitymanagerd-statsrc r,
|
||||||
owner @{user_config_dirs}/kde.org/{,**} rwlk,
|
owner @{user_config_dirs}/kde.org/{,**} rwlk,
|
||||||
owner @{user_config_dirs}/KDE/{,**} r,
|
owner @{user_config_dirs}/KDE/{,**} r,
|
||||||
owner @{user_config_dirs}/kdedefaults/kdeglobals r,
|
owner @{user_config_dirs}/kdedefaults/kdeglobals r,
|
||||||
owner @{user_config_dirs}/kdedefaults/kwinrc r,
|
owner @{user_config_dirs}/kdedefaults/kwinrc r,
|
||||||
owner @{user_config_dirs}/kdedefaults/plasmarc r,
|
owner @{user_config_dirs}/kdedefaults/plasmarc r,
|
||||||
owner @{user_config_dirs}/krunnerrc r,
|
|
||||||
owner @{user_config_dirs}/kdeglobals r,
|
owner @{user_config_dirs}/kdeglobals r,
|
||||||
owner @{user_config_dirs}/klipperrc r,
|
owner @{user_config_dirs}/klipperrc r,
|
||||||
|
owner @{user_config_dirs}/krunnerrc r,
|
||||||
owner @{user_config_dirs}/ksmserverrc r,
|
owner @{user_config_dirs}/ksmserverrc r,
|
||||||
owner @{user_config_dirs}/kwinrc r,
|
owner @{user_config_dirs}/kwinrc r,
|
||||||
owner @{user_config_dirs}/menus/{,**} r,
|
owner @{user_config_dirs}/menus/{,**} r,
|
||||||
|
owner @{user_config_dirs}/plasma-org.kde.plasma.desktop-appletsrc.?????? rk,
|
||||||
|
owner @{user_config_dirs}/plasma-pk-updates r,
|
||||||
owner @{user_config_dirs}/plasma*desktop* rwlk,
|
owner @{user_config_dirs}/plasma*desktop* rwlk,
|
||||||
owner @{user_config_dirs}/plasma-org.kde.plasma.desktop-appletsrc.* rk,
|
|
||||||
owner @{user_config_dirs}/plasmanotifyrc r,
|
owner @{user_config_dirs}/plasmanotifyrc r,
|
||||||
owner @{user_config_dirs}/plasmaparc r,
|
owner @{user_config_dirs}/plasmaparc r,
|
||||||
owner @{user_config_dirs}/plasmashellrc r,
|
owner @{user_config_dirs}/plasmashellrc r,
|
||||||
owner @{user_config_dirs}/pulse/cookie rk,
|
owner @{user_config_dirs}/pulse/cookie rwk,
|
||||||
owner @{user_config_dirs}/trashrc r,
|
owner @{user_config_dirs}/trashrc r,
|
||||||
|
|
||||||
owner @{user_share_dirs}/#[0-9]* rw,
|
owner @{user_share_dirs}/#[0-9]* rw,
|
||||||
owner @{user_share_dirs}/akonadi/search_db/{,**} r,
|
owner @{user_share_dirs}/akonadi/search_db/{,**} r,
|
||||||
owner @{user_share_dirs}/kactivitymanagerd/resources/database k,
|
owner @{user_share_dirs}/kactivitymanagerd/resources/database rk,
|
||||||
owner @{user_share_dirs}/kactivitymanagerd/resources/database-wal rw,
|
|
||||||
owner @{user_share_dirs}/kactivitymanagerd/resources/database-shm rwk,
|
owner @{user_share_dirs}/kactivitymanagerd/resources/database-shm rwk,
|
||||||
|
owner @{user_share_dirs}/kactivitymanagerd/resources/database-wal rw,
|
||||||
owner @{user_share_dirs}/klipper/{,*} rwl,
|
owner @{user_share_dirs}/klipper/{,*} rwl,
|
||||||
|
owner @{user_share_dirs}/konsole/ r,
|
||||||
|
owner @{user_share_dirs}/kpeople/persondb rwk,
|
||||||
|
owner @{user_share_dirs}/kpeoplevcard/ r,
|
||||||
|
owner @{user_share_dirs}/krunnerstaterc rwl,
|
||||||
|
owner @{user_share_dirs}/krunnerstaterc.?????? rwl,
|
||||||
owner @{user_share_dirs}/krunnerstaterc.lock rwk,
|
owner @{user_share_dirs}/krunnerstaterc.lock rwk,
|
||||||
owner @{user_share_dirs}/krunnerstaterc* rwk,
|
owner @{user_share_dirs}/ktp/cache.db rwk,
|
||||||
owner @{user_share_dirs}/plasma_icons/*.desktop r,
|
owner @{user_share_dirs}/plasma_icons/*.desktop r,
|
||||||
owner @{user_share_dirs}/plasma/plasmoids/{,**} r,
|
owner @{user_share_dirs}/plasma/plasmoids/{,**} r,
|
||||||
owner @{user_share_dirs}/user-places.xbel r,
|
owner @{user_share_dirs}/user-places.xbel r,
|
||||||
|
@ -100,16 +131,20 @@ profile plasmashell @{exec_path} {
|
||||||
owner @{run}/user/@{uid}/#[0-9]* rw,
|
owner @{run}/user/@{uid}/#[0-9]* rw,
|
||||||
owner @{run}/user/@{uid}/plasmashell??????.[0-9].kioworker.socket rwl,
|
owner @{run}/user/@{uid}/plasmashell??????.[0-9].kioworker.socket rwl,
|
||||||
owner @{run}/user/@{uid}/gvfs/ r,
|
owner @{run}/user/@{uid}/gvfs/ r,
|
||||||
owner @{run}/user/@{uid}/pulse/ r,
|
owner @{run}/user/@{uid}/pulse/ rw,
|
||||||
|
|
||||||
|
@{sys}/bus/ r,
|
||||||
|
@{sys}/bus/usb/devices/ r,
|
||||||
|
@{sys}/class/ r,
|
||||||
|
|
||||||
@{PROC}/sys/kernel/core_pattern r,
|
@{PROC}/sys/kernel/core_pattern r,
|
||||||
@{PROC}/sys/kernel/random/boot_id r,
|
@{PROC}/sys/kernel/random/boot_id r,
|
||||||
owner @{PROC}/@{pid}/{environ,mounts,mountinfo} r,
|
owner @{PROC}/@{pid}/environ r,
|
||||||
|
owner @{PROC}/@{pid}/mountinfo r,
|
||||||
@{sys}/bus/{,**} r,
|
owner @{PROC}/@{pid}/mounts r,
|
||||||
@{sys}/class/ r,
|
|
||||||
@{sys}/devices/pci[0-9]*/**/{device,subsystem_device,subsystem_vendor,uevent,vendor} r,
|
|
||||||
|
|
||||||
|
/dev/shm/ r,
|
||||||
|
/dev/tty r,
|
||||||
|
|
||||||
include if exists <local/plasmashell>
|
include if exists <local/plasmashell>
|
||||||
}
|
}
|
||||||
|
|
|
@ -43,21 +43,22 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) {
|
||||||
/{usr/,}lib/@{multiarch}/sddm/sddm-helper rix,
|
/{usr/,}lib/@{multiarch}/sddm/sddm-helper rix,
|
||||||
/{usr/,}lib/plasma-dbus-run-session-if-needed rix,
|
/{usr/,}lib/plasma-dbus-run-session-if-needed rix,
|
||||||
|
|
||||||
/{usr/,}bin/{,ba,da}sh rix,
|
|
||||||
/{usr/,}bin/tr rix,
|
|
||||||
/{usr/,}bin/cat rix,
|
|
||||||
/{usr/,}bin/tty rix,
|
|
||||||
/{usr/,}bin/xmodmap rix,
|
|
||||||
/{usr/,}{s,}bin/checkproc rix,
|
/{usr/,}{s,}bin/checkproc rix,
|
||||||
|
/{usr/,}bin/{,ba,da}sh rix,
|
||||||
|
/{usr/,}bin/cat rix,
|
||||||
|
/{usr/,}bin/tr rix,
|
||||||
|
/{usr/,}bin/tty rix,
|
||||||
|
/{usr/,}bin/xdm r,
|
||||||
|
/{usr/,}bin/xmodmap rix,
|
||||||
|
|
||||||
/{usr/,}bin/sddm-greeter rPx,
|
/{usr/,}bin/sddm-greeter rPx,
|
||||||
/etc/sddm/Xsession rPx,
|
|
||||||
/{usr/,}bin/Xorg rPx,
|
/{usr/,}bin/Xorg rPx,
|
||||||
|
/etc/sddm/Xsession rPx,
|
||||||
|
|
||||||
|
/{usr/,}bin/flatpak rPUx,
|
||||||
|
/{usr/,}bin/sway rPUx,
|
||||||
/{usr/,}bin/xauth rCx -> xauth,
|
/{usr/,}bin/xauth rCx -> xauth,
|
||||||
/{usr/,}bin/xsetroot rPx,
|
/{usr/,}bin/xsetroot rPx,
|
||||||
/{usr/,}bin/sway rPUx,
|
|
||||||
/{usr/,}bin/flatpak rPUx,
|
|
||||||
|
|
||||||
@{etc_ro}/X11/xdm/Xsession rPx,
|
@{etc_ro}/X11/xdm/Xsession rPx,
|
||||||
/{usr/,}bin/dbus-update-activation-environment rCx -> dbus,
|
/{usr/,}bin/dbus-update-activation-environment rCx -> dbus,
|
||||||
|
@ -69,26 +70,25 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) {
|
||||||
/{usr/,}bin/xset rPx,
|
/{usr/,}bin/xset rPx,
|
||||||
|
|
||||||
/usr/etc/X11/xdm/Xsetup rix,
|
/usr/etc/X11/xdm/Xsetup rix,
|
||||||
/usr/share/sddm/scripts/Xsetup rix,
|
|
||||||
/usr/share/sddm/scripts/Xstop rix,
|
|
||||||
/usr/share/sddm/scripts/wayland-session rix,
|
/usr/share/sddm/scripts/wayland-session rix,
|
||||||
/usr/share/sddm/scripts/Xsession rix,
|
/usr/share/sddm/scripts/Xsession rix,
|
||||||
|
/usr/share/sddm/scripts/Xsetup rix,
|
||||||
|
/usr/share/sddm/scripts/Xstop rix,
|
||||||
|
|
||||||
/usr/share/desktop-base/softwaves-theme/login/*.svg r,
|
/usr/share/desktop-base/softwaves-theme/login/*.svg r,
|
||||||
|
/usr/share/icu/[0-9]*.[0-9]*/*.dat r,
|
||||||
/usr/share/plasma/desktoptheme/** r,
|
/usr/share/plasma/desktoptheme/** r,
|
||||||
/usr/share/sddm/faces/.*.icon r,
|
/usr/share/sddm/faces/.*.icon r,
|
||||||
/usr/share/sddm/themes/** r,
|
/usr/share/sddm/themes/** r,
|
||||||
/usr/share/icu/[0-9]*.[0-9]*/*.dat r,
|
|
||||||
/usr/share/wayland-sessions/{,*.desktop} r,
|
/usr/share/wayland-sessions/{,*.desktop} r,
|
||||||
/usr/share/xsessions/{,*.desktop} r,
|
/usr/share/xsessions/{,*.desktop} r,
|
||||||
/var/lib/AccountsService/icons/*.icon r,
|
/var/lib/AccountsService/icons/*.icon r,
|
||||||
/usr/share/qt5/qtlogging.ini r,
|
|
||||||
|
|
||||||
/etc/X11/xinit/xinitrc.d/{,*} r,
|
/etc/X11/xinit/xinitrc.d/{,*} r,
|
||||||
|
|
||||||
@{etc_ro}/environment r,
|
/{usr/,}etc/environment r,
|
||||||
@{etc_ro}/security/limits.d/ r,
|
/{usr/,}etc/security/limits.d/{,*.conf} r,
|
||||||
@{etc_ro}/X11/Xmodmap r,
|
/{usr/,}etc/X11/Xmodmap r,
|
||||||
/etc/debuginfod/{,*} r,
|
/etc/debuginfod/{,*} r,
|
||||||
/etc/default/locale r,
|
/etc/default/locale r,
|
||||||
/etc/locale.conf r,
|
/etc/locale.conf r,
|
||||||
|
@ -100,10 +100,13 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) {
|
||||||
|
|
||||||
/ r,
|
/ r,
|
||||||
|
|
||||||
owner /var/lib/sddm/** rw,
|
/var/lib/lastlog/ r,
|
||||||
|
/var/lib/lastlog/* rwk,
|
||||||
|
|
||||||
|
/var/lib/sddm/state.conf rw,
|
||||||
owner /var/lib/sddm/.cache/sddm-greeter/qmlcache/*.jsc mrw,
|
owner /var/lib/sddm/.cache/sddm-greeter/qmlcache/*.jsc mrw,
|
||||||
owner /var/lib/sddm/.cache/sddm-greeter/qmlcache/*.qmlc mrw,
|
owner /var/lib/sddm/.cache/sddm-greeter/qmlcache/*.qmlc mrw,
|
||||||
/var/lib/sddm/state.conf rw,
|
owner /var/lib/sddm/** rw,
|
||||||
|
|
||||||
owner @{HOME}/.local/ w,
|
owner @{HOME}/.local/ w,
|
||||||
owner @{HOME}/.Xauthority rw,
|
owner @{HOME}/.Xauthority rw,
|
||||||
|
@ -122,12 +125,11 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) {
|
||||||
@{run}/faillock/[a-zA-z0-9]* rwk,
|
@{run}/faillock/[a-zA-z0-9]* rwk,
|
||||||
@{run}/sddm.pid rw,
|
@{run}/sddm.pid rw,
|
||||||
@{run}/sddm/\{@{uuid}\} rw,
|
@{run}/sddm/\{@{uuid}\} rw,
|
||||||
# @{run}/sddm/* w,
|
|
||||||
@{run}/systemd/sessions/*.ref rw,
|
@{run}/systemd/sessions/*.ref rw,
|
||||||
|
@{run}/user/@{uid}/xauth_* rwl,
|
||||||
owner @{run}/sddm/ rw,
|
owner @{run}/sddm/ rw,
|
||||||
owner @{run}/user/@{uid}/kwallet5.socket rw,
|
|
||||||
@{run}/user/@{uid}/xauth_* rl,
|
|
||||||
owner @{run}/user/@{uid}/#[0-9]* rw,
|
owner @{run}/user/@{uid}/#[0-9]* rw,
|
||||||
|
owner @{run}/user/@{uid}/kwallet5.socket rw,
|
||||||
|
|
||||||
@{PROC}/sys/kernel/core_pattern r,
|
@{PROC}/sys/kernel/core_pattern r,
|
||||||
owner @{PROC}/@{pid}/loginuid rw,
|
owner @{PROC}/@{pid}/loginuid rw,
|
||||||
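Review bot: In hunk `@ -122,12 +125,11` the rule `@{run}/user/@{uid}/xauth_* rwl,` (the old side appears to have been `rl`) grants write and link on the X authority cookie regardless of who owns the file, while the sibling runtime-dir rules in the same hunk (`owner @{run}/sddm/ rw,`, `owner @{run}/user/@{uid}/#[0-9]* rw,`, `owner @{run}/user/@{uid}/kwallet5.socket rw,`) all carry `owner`. If the cookie is written after the helper has switched to the session user, `owner @{run}/user/@{uid}/xauth_* rwl,` keeps that consistency; if it is written as root before the switch, a comment such as `# cookie is created before privileges are dropped, so no owner` on the rule stops the next reader from tightening it by mistake. Separately, hunk `@ -69,26 +70,25` replaces `@{etc_ro}/environment`, `@{etc_ro}/security/limits.d/` and `@{etc_ro}/X11/Xmodmap` with literal `/{usr/,}etc/…` paths while `@{etc_ro}/X11/xdm/Xsession rPx,` in the first hunk keeps the variable; presumably both spell the same location, and keeping `@{etc_ro}` throughout leaves the profile uniform. The sddm profile body continues outside these hunks.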
|
|
|
@ -10,6 +10,7 @@ include <tunables/global>
|
||||||
profile startplasma-x11 @{exec_path} {
|
profile startplasma-x11 @{exec_path} {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
include <abstractions/freedesktop.org>
|
include <abstractions/freedesktop.org>
|
||||||
|
include <abstractions/qt5>
|
||||||
include <abstractions/X-strict>
|
include <abstractions/X-strict>
|
||||||
|
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
@ -27,10 +28,11 @@ profile startplasma-x11 @{exec_path} {
|
||||||
/usr/share/kservicetypes5/{,**} r,
|
/usr/share/kservicetypes5/{,**} r,
|
||||||
/usr/share/mime/{,**} r,
|
/usr/share/mime/{,**} r,
|
||||||
/usr/share/plasma/{,**} r,
|
/usr/share/plasma/{,**} r,
|
||||||
/usr/share/qt*/translations/*.qm r,
|
|
||||||
|
|
||||||
/etc/xdg/menus/{,*.menu} r,
|
|
||||||
/etc/machine-id r,
|
/etc/machine-id r,
|
||||||
|
/etc/xdg/kcminputrc r,
|
||||||
|
/etc/xdg/kdeglobals r,
|
||||||
|
/etc/xdg/menus/{,**} r,
|
||||||
|
|
||||||
owner @{HOME}/.Xauthority r,
|
owner @{HOME}/.Xauthority r,
|
||||||
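Review bot: `/etc/xdg/menus/{,**} r,` in hunk `@ -27,10 +28,11` broadens the previous `/etc/xdg/menus/{,*.menu} r,` from top-level menu files to every file below the directory. If the aim is to follow merged-menu subdirectories, `/etc/xdg/menus/{,**/} r,` together with `/etc/xdg/menus/{,**/}*.menu r,` gives the same coverage while keeping the grant to menu files. The startplasma-x11 profile body continues outside the hunk.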
|
|
||||||
|
|
|
@ -11,6 +11,7 @@ profile xdm-xsession @{exec_path} {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
include <abstractions/bash>
|
include <abstractions/bash>
|
||||||
include <abstractions/dconf-write>
|
include <abstractions/dconf-write>
|
||||||
|
include <abstractions/nameservice-strict>
|
||||||
include <abstractions/openssl>
|
include <abstractions/openssl>
|
||||||
include <abstractions/X-strict>
|
include <abstractions/X-strict>
|
||||||
|
|
||||||
|
@ -56,22 +57,25 @@ profile xdm-xsession @{exec_path} {
|
||||||
/usr/share/glib-2.0/schemas/gschemas.compiled r,
|
/usr/share/glib-2.0/schemas/gschemas.compiled r,
|
||||||
/usr/share/bash-completion/{,**} r,
|
/usr/share/bash-completion/{,**} r,
|
||||||
|
|
||||||
|
@{etc_ro}/profile.d/{,*} r,
|
||||||
@{etc_ro}/X11/xdm/scripts/{,*} r,
|
@{etc_ro}/X11/xdm/scripts/{,*} r,
|
||||||
@{etc_ro}/X11/xinit/xinitrc.common r,
|
|
||||||
@{etc_ro}/X11/xinit/xinitrc.d/{,*} r,
|
|
||||||
@{etc_ro}/X11/xim r,
|
@{etc_ro}/X11/xim r,
|
||||||
@{etc_ro}/X11/xim.d/none r,
|
@{etc_ro}/X11/xim.d/none r,
|
||||||
@{etc_ro}/profile.d/{,*} r,
|
@{etc_ro}/X11/xinit/xinitrc.common r,
|
||||||
|
@{etc_ro}/X11/xinit/xinitrc.d/{,*} r,
|
||||||
|
/etc/debuginfod/{,*} r,
|
||||||
/etc/gcrypt/hwf.deny r,
|
/etc/gcrypt/hwf.deny r,
|
||||||
/etc/locale.conf r,
|
/etc/locale.conf r,
|
||||||
/etc/manpath.config r,
|
/etc/manpath.config r,
|
||||||
/etc/sysconfig/* r,
|
|
||||||
/etc/shells r,
|
/etc/shells r,
|
||||||
|
/etc/sysconfig/* r,
|
||||||
|
|
||||||
owner @{HOME}/ r,
|
owner @{HOME}/ r,
|
||||||
owner @{HOME}/.alias r,
|
owner @{HOME}/.alias r,
|
||||||
owner @{HOME}/.i18n r,
|
owner @{HOME}/.i18n r,
|
||||||
|
|
||||||
|
owner @{user_share_dirs}/sddm/xorg-session.log rw,
|
||||||
|
|
||||||
owner @{run}/user/@{uid}/gnupg/ rw,
|
owner @{run}/user/@{uid}/gnupg/ rw,
|
||||||
owner @{run}/user/@{uid}/gnupg/gpg-agent.conf r,
|
owner @{run}/user/@{uid}/gnupg/gpg-agent.conf r,
|
||||||
owner @{run}/user/@{uid}/gnupg/private-keys-v1.d/ rw,
|
owner @{run}/user/@{uid}/gnupg/private-keys-v1.d/ rw,
|
||||||
|
@ -94,6 +98,8 @@ profile xdm-xsession @{exec_path} {
|
||||||
|
|
||||||
/{usr/,}bin/dbus-update-activation-environment mr,
|
/{usr/,}bin/dbus-update-activation-environment mr,
|
||||||
|
|
||||||
|
owner @{user_share_dirs}/sddm/xorg-session.log rw,
|
||||||
|
|
||||||
owner @{run}/user/@{uid}/bus rw,
|
owner @{run}/user/@{uid}/bus rw,
|
||||||
|
|
||||||
include if exists <local/xdm-xsession_dbus>
|
include if exists <local/xdm-xsession_dbus>
|
||||||
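Review bot: `owner @{user_share_dirs}/sddm/xorg-session.log rw,` is now granted twice, once in the main profile (hunk `@ -56,22 +57,25`) and again in hunk `@ -94,6 +98,8` next to `/{usr/,}bin/dbus-update-activation-environment mr,`, which from the closing `include if exists <local/xdm-xsession_dbus>` appears to be the dbus child profile; nothing says why the child needs it. If the child inherits the session script's stdout/stderr, which a log file opened by the parent suggests, a comment such as `# inherited stdout/stderr of the session script` on the child's rule would keep the second grant from being removed as a duplicate. Both enclosing profile bodies continue outside the hunks.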
|
|
|
@ -10,6 +10,8 @@ include <tunables/global>
|
||||||
profile xsettingsd @{exec_path} {
|
profile xsettingsd @{exec_path} {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
|
|
||||||
|
signal (receive) set=hup peer=kded5,
|
||||||
|
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
owner @{user_config_dirs}/xsettingsd/{,**} rw,
|
owner @{user_config_dirs}/xsettingsd/{,**} rw,
|
||||||
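Review bot: The new `signal (receive) set=hup peer=kded5,` only takes effect if the kded5 profile grants the matching send side, `signal (send) set=hup peer=xsettingsd,`; AppArmor mediates both ends of a signal and the kded5 side is not visible in this chunk, so it should be confirmed elsewhere in the commit. A one-line comment on the rule naming the trigger (why kded5 signals xsettingsd) would record the intent, since the page does not state it. The xsettingsd profile body continues outside the hunk.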
|
|
|
@ -9,6 +9,7 @@ root/usr/lib/initcpio
|
||||||
root/usr/lib/systemd/
|
root/usr/lib/systemd/
|
||||||
|
|
||||||
apparmor.d/groups/apps
|
apparmor.d/groups/apps
|
||||||
|
plasma-discover
|
||||||
|
|
||||||
anki
|
anki
|
||||||
man
|
man
|
||||||
|
|