feat(profile): improve kde profiles.

apparmor.d/abstractions/app/chromium

@@ -46,6 +46,7 @@
   ptrace (read) peer=gnome-browser-connector-host,
   ptrace (read) peer=keepassxc-proxy,
   ptrace (read) peer=lsb_release,
+  ptrace (read) peer=plasma-browser-integration-host,
   ptrace (read) peer=xdg-settings,
   ptrace (trace) peer=@{profile_name},
 

apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk

@@ -64,10 +64,7 @@ profile xdg-desktop-portal-gtk @{exec_path} {
 
   owner @{tmp}/runtime-*/xauth_@{rand6} r,
 
-        @{run}/mount/utab r,
-        @{run}/user/@{uid}/xauth_@{rand6} rl,
-  owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} rw,
-  owner @{run}/user/@{uid}/gdm/Xauthority r,
+  @{run}/mount/utab r,
 
   owner @{PROC}/@{pid}/mountinfo r,
 

apparmor.d/groups/gnome/gnome-software

@@ -121,6 +121,7 @@ profile gnome-software @{exec_path} {
 
     @{HOME}/@{XDG_GPG_DIR}/*.conf r,
 
+          @{tmp}/ r,
     owner @{tmp}/ostree-gpg-*/ r,
     owner @{tmp}/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**,
 

apparmor.d/groups/gnome/tracker-miner

@@ -66,6 +66,7 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) {
   owner @{gdm_share_dirs}/applications/ r,
 
   owner /var/tmp/etilqs_@{hex} rw,
+  owner @{tmp}/etilqs_@{hex} rw,
 
   # Allow to search user files
   owner @{HOME}/{,**} r,

apparmor.d/groups/kde/DiscoverNotifier

@@ -13,14 +13,22 @@ profile DiscoverNotifier @{exec_path} {
   include <abstractions/graphics>
   include <abstractions/kde-strict>
   include <abstractions/nameservice-strict>
+  include <abstractions/ssl_certs>
 
   network inet dgram,
+  network inet stream,
   network inet6 dgram,
+  network inet6 stream,
   network netlink dgram,
+  network netlink raw,
 
   @{exec_path} mr,
 
-  @{bin}/apt-config rPx,
+  @{bin}/apt-config          rPx,
+
+  @{bin}/gpg{,2}             rCx -> gpg,
+  @{bin}/gpgconf             rCx -> gpg,
+  @{bin}/gpgsm               rCx -> gpg,
 
   /usr/share/knotifications{5,6}/{,**} r,
   /usr/share/metainfo/{,**} r,
@@ -28,7 +36,7 @@ profile DiscoverNotifier @{exec_path} {
   /etc/machine-id r,
   /etc/flatpak/remotes.d/{,**} r,
 
-  /var/lib/flatpak/repo/{,**} r,
+  /var/lib/flatpak/{,**} r,
 
   /var/cache/swcatalog/cache/ w,
 
@@ -45,9 +53,29 @@ profile DiscoverNotifier @{exec_path} {
 
   owner @{user_share_dirs}/flatpak/{,**} rw,
 
+  owner @{tmp}/ostree-gpg-*/ rw,
+
   @{PROC}/sys/kernel/core_pattern r,
 
   /dev/tty r,
 
+  profile gpg {
+    include <abstractions/base>
+
+    @{bin}/gpg{,2}  mr,
+    @{bin}/gpgconf  mr,
+    @{bin}/gpgsm    mr,
+
+    @{HOME}/@{XDG_GPG_DIR}/*.conf r,
+
+          @{tmp}/ r,
+    owner @{tmp}/ostree-gpg-*/ r,
+    owner @{tmp}/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**,
+
+    owner @{run}/user/@{uid}/gnupg/ w,
+
+    include if exists <local/DiscoverNotifier_gpg>
+  }
+
   include if exists <local/DiscoverNotifier>
 }

apparmor.d/groups/kde/baloorunner

@@ -28,6 +28,39 @@ profile baloorunner @{exec_path} {
 
   /tmp/ r,
 
+  @{run}/udev/data/+acpi:* r,             # for acpi
+  @{run}/udev/data/+bluetooth:* r,
+  @{run}/udev/data/+dmi* r,               # for motherboard info
+  @{run}/udev/data/+hid:* r,              # for HID-Compliant Keyboard
+  @{run}/udev/data/+i2c:* r,
+  @{run}/udev/data/+input:input@{int} r,  # for mouse, keyboard, touchpad
+  @{run}/udev/data/+leds:* r,
+  @{run}/udev/data/+pci:* r,              # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.)
+  @{run}/udev/data/+platform:* r,
+  @{run}/udev/data/+power_supply* r,
+  @{run}/udev/data/+rfkill:* r,
+  @{run}/udev/data/+sound:card@{int} r,   # for sound card
+
+  @{run}/udev/data/c1:@{int}    r,        # For RAM disk
+  @{run}/udev/data/c4:@{int} r,           # For TTY devices
+  @{run}/udev/data/c5:@{int}   r,         # for /dev/tty, /dev/console, /dev/ptmx
+  @{run}/udev/data/c7:@{int} r,           # For Virtual console capture devices
+  @{run}/udev/data/c10:@{int} r,          # for non-serial mice, misc features
+  @{run}/udev/data/c116:@{int} r,         # For ALSA
+  @{run}/udev/data/c13:@{int}  r,         # For /dev/input/*
+  @{run}/udev/data/c18[0,8,9]:@{int} r,   # USB devices & USB serial converters
+  @{run}/udev/data/c29:@{int} r,          # For /dev/fb[0-9]*
+  @{run}/udev/data/c89:@{int} r,          # For I2C bus interface
+  @{run}/udev/data/c202:@{int} r,         # CPU model-specific registers
+  @{run}/udev/data/c203:@{int} r,         # CPU CPUID information
+  @{run}/udev/data/c226:@{int} r,         # For /dev/dri/card[0-9]*
+  @{run}/udev/data/c@{dynamic}:@{int} r,  # For dynamic assignment range 234 to 254, 384 to 511
+
+  @{sys}/bus/ r,
+  @{sys}/bus/*/devices/ r,
+  @{sys}/class/*/ r,
+  @{sys}/devices/**/uevent r,
+
   @{PROC}/sys/kernel/core_pattern r,
 
   /dev/tty r,

apparmor.d/groups/kde/drkonqi-coredump-processor

@@ -12,6 +12,9 @@ profile drkonqi-coredump-processor @{exec_path} {
   include <abstractions/base>
   include <abstractions/qt5>
 
+  capability dac_override,
+  capability dac_read_search,
+
   @{exec_path} mr,
 
   /etc/machine-id r,
@@ -20,7 +23,11 @@ profile drkonqi-coredump-processor @{exec_path} {
 
   /{run,var}/log/journal/ r,
   /{run,var}/log/journal/@{hex32}/ r,
-  /{run,var}/log/journal/@{hex32}/*@{hex}.journal* r,
+  /{run,var}/log/journal/@{hex32}/system.journal r,
+  /{run,var}/log/journal/@{hex32}/system@@{hex32}-@{hex}-@{hex}.journal r,
+  /{run,var}/log/journal/@{hex32}/user-@{uid}.journal r,
+  /{run,var}/log/journal/@{hex32}/user-1000@@{hex32}-@{hex}-@{hex}.journal r,
+  /{run,var}/log/journal/remote/ r,
 
   include if exists <local/drkonqi-coredump-processor>
 }

apparmor.d/groups/kde/kde-powerdevil

@@ -62,7 +62,7 @@ profile kde-powerdevil @{exec_path} flags=(attach_disconnected mediate_deleted)
   @{sys}/devices/@{pci}/drm/card@{int}/*/edid r,
   @{sys}/devices/@{pci}/drm/card@{int}/*/enabled r,
   @{sys}/devices/@{pci}/drm/card@{int}/*/status r,
-  @{sys}/devices/@{pci}/drm/i2c-@{int}/**/dev r,
+  @{sys}/devices/@{pci}/i2c-@{int}/**/dev r,
   @{sys}/devices/@{pci}/i2c-@{int}/name r,
   @{sys}/devices/**/ r,
   @{sys}/devices/i2c-@{int}/name r,

apparmor.d/groups/kde/kded

@@ -92,6 +92,8 @@ profile kded @{exec_path} {
   /etc/machine-id r,
   /var/lib/dbus/machine-id r,
 
+  / r,
+
   owner @{HOME}/.gtkrc-2.0 rw,
 
         @{user_cache_dirs}/ksycoca{5,6}_* rwlk -> @{user_cache_dirs}/#@{int},

apparmor.d/groups/kde/plasma-browser-integration-host

@@ -34,6 +34,7 @@ profile plasma-browser-integration-host @{exec_path} {
   owner @{user_cache_dirs}/ksycoca{5,6}_* r,
 
   owner @{user_config_dirs}/menus/ r,
+  owner @{user_config_dirs}/menus/applications-merged/ r,
 
   owner @{user_share_dirs}/kservices{5,6}/ r,
   owner @{user_share_dirs}/kservices{5,6}/ServiceMenus/ r,

apparmor.d/groups/kde/plasma-emojier

@@ -0,0 +1,25 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{bin}/plasma-emojier
+profile plasma-emojier @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/graphics>
+  include <abstractions/kde-strict>
+  include <abstractions/nameservice-strict>
+
+  @{exec_path} mr,
+
+  owner @{user_cache_dirs}/plasma.emojier/{,**} rw,
+
+  owner @{user_config_dirs}/#@{int} rw,
+  owner @{user_config_dirs}/plasma.emojierrc rwl -> @{user_config_dirs}/#@{int},
+  owner @{user_config_dirs}/plasma.emojierrc.lock rwk,
+
+  include if exists <local/plasma-emojier>
+}

apparmor.d/groups/kde/plasma_waitforname

@@ -9,6 +9,7 @@ include <tunables/global>
 @{exec_path} = @{bin}/plasma_waitforname
 profile plasma_waitforname @{exec_path} {
   include <abstractions/base>
+  include <abstractions/consoles>
 
   @{exec_path} mr,
 

apparmor.d/groups/kde/plasmashell

@@ -68,6 +68,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
   /usr/share/metainfo/{,**} r,
   /usr/share/plasma/{,**} r,
   /usr/share/plasma5support/** r,
+  /usr/share/rider/{,**} r,
   /usr/share/solid/actions/{,**} r,
   /usr/share/swcatalog/{,**} r,
   /usr/share/templates/{,*.desktop} r,

apparmor.d/groups/kde/startplasma

@@ -53,6 +53,7 @@ profile startplasma @{exec_path} {
   owner @{user_config_dirs}/ksplashrc r,
   owner @{user_config_dirs}/kwinkdeglobalsrc.lock rwk,
   owner @{user_config_dirs}/menus/{,**} r,
+  owner @{user_config_dirs}/plasma_workspace.notifyrc r,
   owner @{user_config_dirs}/plasma-localerc rwl,
   owner @{user_config_dirs}/plasma-localerc.lock rwk,
   owner @{user_config_dirs}/plasma-workspace/env/ r,
@@ -60,6 +61,7 @@ profile startplasma @{exec_path} {
   owner @{user_config_dirs}/Trolltech.conf.lock rwk,
   owner @{user_config_dirs}/Trolltech.conf{,.@{rand6}} rwl,
 
+  owner @{user_share_dirs}/color-schemes/{,**} r,
   owner @{user_share_dirs}/kservices{5,6}/{,**} r,
   owner @{user_share_dirs}/sddm/wayland-session.log rw,
   owner @{user_share_dirs}/sddm/xorg-session.log rw,