From e92226f3615c8eabe32004cce45e7fd06e1df3e5 Mon Sep 17 00:00:00 2001
From: Roman Beslik
Date: Wed, 23 Oct 2024 23:03:04 +0300
Subject: [PATCH 1/2] Added files in /tmp (nscopy.tmp and others) to the ThunderBird profile
---
 apparmor.d/profiles-s-z/thunderbird | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/apparmor.d/profiles-s-z/thunderbird b/apparmor.d/profiles-s-z/thunderbird
index f4fb49f8..997b81fb 100644
--- a/apparmor.d/profiles-s-z/thunderbird
+++ b/apparmor.d/profiles-s-z/thunderbird
@@ -52,7 +52,8 @@ profile thunderbird @{exec_path} {
 owner @{tmp}/MozillaMailnews/ rw,
 owner @{tmp}/MozillaMailnews/*.msf rw,
- owner @{tmp}/nsemail.eml rw,
+ owner @{tmp}/nscopy.tmp rw,
+ owner @{tmp}/nsemail{,-@{int}}.eml rw,
 owner @{tmp}/nsma rw,
 owner @{tmp}/pid-@{pid}/{,**} w,
From db6c94ba5ad97112bc577cb66c2e1fa66df83a29 Mon Sep 17 00:00:00 2001
From: Besanon
Date: Wed, 23 Oct 2024 23:34:13 +0200
Subject: [PATCH 2/2] Add startlxqt (#574)
---
 apparmor.d/groups/lxqt/startlxqt | 82 ++++++++++++++++++++++++++++++++
 1 file changed, 82 insertions(+)
 create mode 100644 apparmor.d/groups/lxqt/startlxqt
diff --git a/apparmor.d/groups/lxqt/startlxqt b/apparmor.d/groups/lxqt/startlxqt
new file mode 100644
index 00000000..06967e69
--- /dev/null
+++ b/apparmor.d/groups/lxqt/startlxqt
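Review bot: In apparmor.d/profiles-s-z/thunderbird the added `nscopy.tmp` rule matches only the bare name, while the `nsemail` rule beside it was widened to `nsemail{,-@{int}}.eml` to cover numbered variants. If Thunderbird uniquifies the copy file the same way (plausible, but not shown in this patch), a second concurrent copy would still be denied; `owner @{tmp}/nscopy{,-@{int}}.tmp rw,` would keep the two rules parallel. Keeping the `owner` qualifier on both is appropriate, since these are predictable names in a shared temp directory. The profile body starts and ends outside the hunk.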
@@ -0,0 +1,82 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol
+# Copyright (C) 2024 Besanon
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/startlxqt
+profile startlxqt @{exec_path} {
+ include
+ include
+ include
+ include
+
+ signal (receive) set=(term) peer=sddm,
+
+ @{exec_path} mr,
+
+ @{bin}/xrdb rPx,
+ @{bin}/xsetroot rPx,
+ @{bin}/xprop rpx,
+ @{bin}/mkdir rix,
+ @{sh_path} rix,
+ @{bin}/lxqt-session rPx,
+
+ @{bin}/systemctl rCx -> systemctl,
+ @{bin}/dbus-update-activation-environment rCx -> dbus,
+
+ /usr/share/color-schemes/{,**} r,
+ /usr/share/desktop-directories/{,**} r,
+ /usr/share/kservices5/{,**} r,
+ /usr/share/mime/{,**} r,
+
+ /etc/machine-id r,
+ /etc/xdg/menus/{,**} r,
+
+ @{HOME}/ r,
+
+ owner @{user_cache_dirs}/#@{int} rw,
+ @{user_cache_dirs}/ksycoca5_* rwkl -> @{user_cache_dirs}/#@{int},
+
+ owner @{user_config_dirs}/#@{int} rw,
+ owner @{user_config_dirs}/lxqt/ rw,
+ owner @{user_config_dirs}/menus/{,**} r,
+
+ owner @{user_share_dirs}/kservices5/{,**} r,
+ owner @{user_share_dirs}/sddm/wayland-session.log rw,
+ owner @{user_share_dirs}/sddm/xorg-session.log rw,
+
+ owner /tmp/#@{int} rw,
+ owner /tmp/startlxqt.@{rand6} rwl -> /tmp/#@{int},
+
+ owner @{run}/user/@{uid}/ r,
+
+ owner @{PROC}/@{pid}/maps r,
+
+ /dev/tty rw,
+ /dev/tty@{int} rw,
+
+ include if exists
+
+ profile systemctl flags=(attach_disconnected) {
+ include
+ include
+
+ include if exists
+ }
+
+ profile dbus {
+ include
+
+ @{bin}/dbus-update-activation-environment mr,
+
+ owner @{HOME}/.xsession-errors w,
+
+ include if exists
+ }
+}
+
+# vim:syntax=apparmor
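Review bot: `@{bin}/xprop rpx,` is the only profile transition here written with a lowercase `px`, so xprop is executed without the environment scrubbing that the neighbouring `rPx` rules request. Unless xprop depends on a variable that scrubbing removes, `@{bin}/xprop rPx,` is the safer and more consistent form. The `@{user_cache_dirs}/ksycoca5_* rwkl -> @{user_cache_dirs}/#@{int},` rule also lacks the `owner` prefix carried by the other user-directory rules around it, so it is not limited to files the user owns; `owner @{user_cache_dirs}/ksycoca5_* rwkl -> @{user_cache_dirs}/#@{int},` would match the pattern. The two `/tmp/` rules hard-code the path where the thunderbird profile in this same series uses `@{tmp}`, which may be worth aligning.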