From 90e98b6b56c5ceb5ee40fa6bf15c2f1fc7dfb609 Mon Sep 17 00:00:00 2001
From: Jeroen Rijken <jeroen.rijken@xs4all.nl>
Date: Sun, 6 Aug 2023 16:50:49 +0200
Subject: [PATCH 1/4] containerd and KDE updates

Signed-off-by: Jeroen Rijken <jeroen.rijken@xs4all.nl>
---
 apparmor.d/groups/kde/ksmserver                | 1 +
 apparmor.d/groups/virt/containerd              | 3 ++-
 apparmor.d/groups/virt/containerd-shim-runc-v2 | 1 +
 3 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/apparmor.d/groups/kde/ksmserver b/apparmor.d/groups/kde/ksmserver
index 3e086655..1c110db6 100644
--- a/apparmor.d/groups/kde/ksmserver
+++ b/apparmor.d/groups/kde/ksmserver
@@ -20,6 +20,7 @@ profile ksmserver @{exec_path} flags=(attach_disconnected,mediate_deleted) {
   include <abstractions/X-strict>
 
   signal (send) set=(usr1,term) peer=kscreenlocker-greet,
+  signal (connect, send, receive, accept) peer=(addr=@/tmp/.ICE-unix/[0-9]*),
 
   @{exec_path} mr,
 
diff --git a/apparmor.d/groups/virt/containerd b/apparmor.d/groups/virt/containerd
index e83afcbf..f4b4929b 100644
--- a/apparmor.d/groups/virt/containerd
+++ b/apparmor.d/groups/virt/containerd
@@ -42,7 +42,7 @@ profile containerd @{exec_path} flags=(attach_disconnected) {
   umount @{run}/netns/cni-@{uuid},
 
   signal (receive) set=term peer={dockerd,k3s},
-  signal (send) set=kill peer=cni-calico,
+  signal (send) set=kill peer={containerd-shim-runc-v2,cni-calico},
 
   @{exec_path} mr,
 
@@ -91,6 +91,7 @@ profile containerd @{exec_path} flags=(attach_disconnected) {
         /tmp/cri-containerd.apparmor.d[0-9]* rwl,
         /tmp/ctd-volume[0-9]*/{,**} rw,
 
+  @{sys}/fs/cgroup/kubepods/** r,
   @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
   @{sys}/kernel/security/apparmor/profiles r,
   @{sys}/module/apparmor/parameters/enabled r,
diff --git a/apparmor.d/groups/virt/containerd-shim-runc-v2 b/apparmor.d/groups/virt/containerd-shim-runc-v2
index c9f3ce12..dd5fb263 100644
--- a/apparmor.d/groups/virt/containerd-shim-runc-v2
+++ b/apparmor.d/groups/virt/containerd-shim-runc-v2
@@ -23,6 +23,7 @@ profile containerd-shim-runc-v2 @{exec_path} flags=(attach_disconnected) {
   ptrace (read) peer=unconfined,
 
   signal (send) set=kill peer=cri-containerd.apparmor.d,
+  signal (receive) set=kill peer=containerd,
 
   mount -> /run/containerd/io.containerd.runtime.v2.task/k8s.io/@{hex}/rootfs/,
   umount /run/containerd/io.containerd.runtime.v2.task/k8s.io/@{hex}/rootfs/,

From eaf9bdb32bc0285670b13de0c4db58f5bc7ab13c Mon Sep 17 00:00:00 2001
From: Jeroen Rijken <jeroen.rijken@xs4all.nl>
Date: Sun, 6 Aug 2023 16:50:58 +0200
Subject: [PATCH 2/4] Plank profile

Signed-off-by: Jeroen Rijken <jeroen.rijken@xs4all.nl>
---
 apparmor.d/profiles-m-r/plank | 32 ++++++++++++++++++++++++++++++++
 1 file changed, 32 insertions(+)
 create mode 100644 apparmor.d/profiles-m-r/plank

diff --git a/apparmor.d/profiles-m-r/plank b/apparmor.d/profiles-m-r/plank
new file mode 100644
index 00000000..239b0bda
--- /dev/null
+++ b/apparmor.d/profiles-m-r/plank
@@ -0,0 +1,32 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Jeroen Rijken
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /{usr/,}bin/plank
+profile plank @{exec_path} flags=(complain) {
+  include <abstractions/base>
+  include <abstractions/app-launcher-user>
+  include <abstractions/dbus-session-strict>
+  include <abstractions/dconf>
+  include <abstractions/freedesktop.org>
+  include <abstractions/fontconfig-cache-read>
+  include <abstractions/fonts>
+  include <abstractions/gtk>
+
+  @{exec_path} rm,
+
+  unix (send, receive, connect) type=stream peer=(addr="@/tmp/.X11-unix/X[0-9]*", label="{xorg,xkbcomp}"),
+
+  @{user_config_dirs}/plank/{,**} rw,
+  /usr/{,local/}share/plank/{,**} r,
+
+  /usr/{,local/}share/mime/mime.cache r,
+  /var/lib/flatpak/exports/share/icons/{,**} r,
+  /var/lib/flatpak/exports/share/mime/mime.cache r,
+
+  include if exists <local/plank>
+}

From c5998d37a2c89e01181cfa6cf499e9b0bf02e04e Mon Sep 17 00:00:00 2001
From: Jeroen Rijken <jeroen.rijken@xs4all.nl>
Date: Sun, 6 Aug 2023 17:02:04 +0200
Subject: [PATCH 3/4] Add kstart, XDG KDE updates

Signed-off-by: Jeroen Rijken <jeroen.rijken@xs4all.nl>
---
 apparmor.d/groups/freedesktop/xdg-mime     |  1 +
 apparmor.d/groups/freedesktop/xdg-settings |  1 +
 apparmor.d/groups/kde/kglobalaccel5        |  2 +-
 apparmor.d/groups/kde/kstart               | 25 ++++++++++++++++++++++
 4 files changed, 28 insertions(+), 1 deletion(-)
 create mode 100644 apparmor.d/groups/kde/kstart

diff --git a/apparmor.d/groups/freedesktop/xdg-mime b/apparmor.d/groups/freedesktop/xdg-mime
index 364c6a8b..ef0e156f 100644
--- a/apparmor.d/groups/freedesktop/xdg-mime
+++ b/apparmor.d/groups/freedesktop/xdg-mime
@@ -21,6 +21,7 @@ profile xdg-mime @{exec_path} flags=(attach_disconnected) {
   @{bin}/cut        rix,
   @{bin}/file       rix,
   @{bin}/head       rix,
+  @{bin}/ktraderclient5 rPUx,
   @{bin}/mv         rix,
   @{bin}/readlink   rix,
   @{bin}/sed        rix,
diff --git a/apparmor.d/groups/freedesktop/xdg-settings b/apparmor.d/groups/freedesktop/xdg-settings
index 4153c11e..9bb6558f 100644
--- a/apparmor.d/groups/freedesktop/xdg-settings
+++ b/apparmor.d/groups/freedesktop/xdg-settings
@@ -19,6 +19,7 @@ profile xdg-settings @{exec_path} {
   @{bin}/basename   rix,
   @{bin}/cat        rix,
   @{bin}/cut        rix,
+  @{bin}/kreadconfig5 rPx,
   @{bin}/mktemp     rix,
   @{bin}/mv         rix,
   @{bin}/readlink   rix,
diff --git a/apparmor.d/groups/kde/kglobalaccel5 b/apparmor.d/groups/kde/kglobalaccel5
index dd19481d..d2b00315 100644
--- a/apparmor.d/groups/kde/kglobalaccel5
+++ b/apparmor.d/groups/kde/kglobalaccel5
@@ -15,7 +15,7 @@ profile kglobalaccel5 @{exec_path} {
 
   @{exec_path} mr,
 
-  @{bin}/kstart rPUx,
+  @{bin}/kstart rPx,
 
   /usr/share/hwdata/*.ids r,
   /usr/share/icu/@{int}.@{int}/*.dat r,
diff --git a/apparmor.d/groups/kde/kstart b/apparmor.d/groups/kde/kstart
new file mode 100644
index 00000000..47ee7a9b
--- /dev/null
+++ b/apparmor.d/groups/kde/kstart
@@ -0,0 +1,25 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Jeroen Rijken
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /{usr/,}bin/kstart
+profile kstart @{exec_path} flags=(complain,attach_disconnected) {
+  include <abstractions/base>
+  include <abstractions/nameservice-strict>
+  include <abstractions/fontconfig-cache-read>
+  include <abstractions/fonts>
+
+  unix (connect, send, receive) type=stream peer=(addr="@/tmp/.ICE-unix/4979"),
+
+  @{exec_path} mr,
+  /{usr/,}bin/** rPUx,
+  /{usr/,}bin/konsole rUx,
+
+  @{HOME}.Xauthority r,
+
+  include if exists <local/kstart>
+}

From d042526ca45221f5378d18453e20e485a9660785 Mon Sep 17 00:00:00 2001
From: Jeroen Rijken <jeroen.rijken@xs4all.nl>
Date: Sun, 6 Aug 2023 17:24:27 +0200
Subject: [PATCH 4/4] signal to socket

Signed-off-by: Jeroen Rijken <jeroen.rijken@xs4all.nl>
---
 apparmor.d/groups/kde/ksmserver | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/apparmor.d/groups/kde/ksmserver b/apparmor.d/groups/kde/ksmserver
index 1c110db6..7d78a486 100644
--- a/apparmor.d/groups/kde/ksmserver
+++ b/apparmor.d/groups/kde/ksmserver
@@ -20,7 +20,10 @@ profile ksmserver @{exec_path} flags=(attach_disconnected,mediate_deleted) {
   include <abstractions/X-strict>
 
   signal (send) set=(usr1,term) peer=kscreenlocker-greet,
-  signal (connect, send, receive, accept) peer=(addr=@/tmp/.ICE-unix/[0-9]*),
+  
+  unix (connect, receive, send, accept)
+       type=stream
+       peer=(addr="@/tmp/.ICE-unix/[0-9]*"),
 
   @{exec_path} mr,