feat(profile): improve kde integration

See #208
2024-11-14 23:43:56 +01:00 · 2023-10-09 21:13:40 +01:00 · 2023-10-09 21:13:40 +01:00 · f5e3c86c6c
commit f5e3c86c6c
parent 1cfe802172
7 changed files with 17 additions and 6 deletions
--- a/apparmor.d/groups/browsers/firefox-vaapitest
+++ b/apparmor.d/groups/browsers/firefox-vaapitest
@ -25,13 +25,14 @@ profile firefox-vaapitest @{exec_path} {
  /etc/igfx_user_feature{,_next}.txt w,
  /etc/libva.conf r,

-  deny owner @{config_dirs}/firefox/*/.parentlock rw,
-  deny owner @{config_dirs}/firefox/*/startupCache/** r,
-  deny owner @{user_cache_dirs}/mozilla/firefox/*/startupCache/* r,
-
  owner /tmp/firefox/.parentlock rw,

-  @{sys}/devices/pci[0-9]*/**/{irq,revision,resource} r,
+  @{sys}/devices/@{pci}/{irq,revision,resource} r,
+  @{sys}/devices/@{pci}/config r,
+
+  deny @{config_dirs}/firefox/*/.parentlock rw,
+  deny @{config_dirs}/firefox/*/startupCache/** r,
+  deny @{user_cache_dirs}/mozilla/firefox/*/startupCache/* r,

  include if exists <local/firefox-vaapitest>
 }
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal
@ -123,10 +123,13 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
  /usr/share/xdg-desktop-portal/** r,

  /etc/pipewire/client.conf.d/ r,
+  /etc/sysconfig/proxy r,

  /var/lib/flatpak/exports/share/mime/mime.cache r,
  /var/lib/flatpak/exports/share/applications/{**,} r,

+  @{user_config_dirs}/kioslaverc r,
+
  owner /tmp/icon* rw,

  owner @{run}/user/@{uid}/.flatpak/{,*/*} r,
--- a/apparmor.d/groups/kde/kwalletd5
+++ b/apparmor.d/groups/kde/kwalletd5
@ -12,6 +12,7 @@ profile kwalletd5 @{exec_path} {
  include <abstractions/base>
  include <abstractions/audio>
  include <abstractions/consoles>
+  include <abstractions/dri-common>
  include <abstractions/dri-enumerate>
  include <abstractions/fontconfig-cache-read>
  include <abstractions/fonts>
--- a/apparmor.d/groups/kde/plasmashell
+++ b/apparmor.d/groups/kde/plasmashell
@ -92,6 +92,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
  /etc/sensors.d/ r,
  /etc/xdg/** r,

+        @{HOME}/ r,
  owner @{HOME}/@{XDG_DESKTOP_DIR}/*.desktop r,

  owner @{user_templates_dirs}/ r,
--- a/apparmor.d/groups/network/nm-dispatcher
+++ b/apparmor.d/groups/network/nm-dispatcher
@ -18,6 +18,8 @@ profile nm-dispatcher @{exec_path} flags=(attach_disconnected) {
  capability sys_nice,
  capability sys_ptrace,

+  ptrace (read) peer=unconfined,
+
  dbus send bus=system path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus
       member={RequestName,ReleaseName},
--- a/apparmor.d/profiles-s-z/start-pulseaudio-x11
+++ b/apparmor.d/profiles-s-z/start-pulseaudio-x11
@ -18,6 +18,8 @@ profile start-pulseaudio-x11 @{exec_path} {
  @{bin}/plasmashell rPx,
  @{bin}/sed         rix,

+  /etc/sysconfig/sound r,
+
  /dev/tty rw,

  include if exists <local/start-pulseaudio-x11>
--- a/apparmor.d/profiles-s-z/thunderbird-vaapitest
+++ b/apparmor.d/profiles-s-z/thunderbird-vaapitest
@ -28,7 +28,8 @@ profile thunderbird-vaapitest @{exec_path} {

  owner /tmp/thunderbird/.parentlock rw,

-  @{sys}/devices/@{pci}/{irq,resource,revision} r,
+  @{sys}/devices/@{pci}/{irq,revision,resource} r,
+  @{sys}/devices/@{pci}/config r,

  deny @{cache_dirs}/*/startupCache/** r,
  deny @{config_dirs}/*/.parentlock rw,