parent
edf32f923c
commit
f96e5a9713
28 changed files with 114 additions and 41 deletions
|
@ -17,6 +17,8 @@ profile firefox-pingsender @{exec_path} {
|
|||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/ssl_certs>
|
||||
|
||||
network inet dgram,
|
||||
network inet6 dgram,
|
||||
network inet stream,
|
||||
network inet6 stream,
|
||||
|
||||
|
|
|
@ -14,6 +14,7 @@ include <tunables/global>
|
|||
profile firefox-vaapitest @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/graphics>
|
||||
include <abstractions/nameservice-strict>
|
||||
|
||||
network netlink raw,
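Review bot: `network netlink raw,` in the firefox-vaapitest hunk has no rationale comment, and a network rule cannot narrow netlink access by family, so a reader cannot tell what a VA-API probe needs it for. The neighbouring includes (graphics, nameservice-strict) suggest device or driver enumeration, but that is an inference from this page. Suggest annotating the line in the repo's inline style, e.g. `network netlink raw, # <reason: which library/call needs it>`, or dropping it if the denial log does not show the need.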
|
||||
|
||||
|
|
|
@ -18,7 +18,11 @@ profile plymouth-set-default-theme @{exec_path} flags=(attach_disconnected) {
|
|||
@{bin}/grep rix,
|
||||
@{bin}/plymouth rPx,
|
||||
|
||||
/usr/share/plymouth/{,**} r,
|
||||
|
||||
/etc/plymouth/{,*} r,
|
||||
|
||||
/dev/tty rw,
|
||||
|
||||
include if exists <local/plymouth-set-default-theme>
|
||||
}
|
||||
|
|
|
@ -35,6 +35,7 @@ profile polkit-kde-authentication-agent @{exec_path} flags=(attach_disconnected)
|
|||
/etc/machine-id r,
|
||||
/var/lib/dbus/machine-id r,
|
||||
|
||||
owner @{user_config_dirs}/breezerc r,
|
||||
owner @{user_config_dirs}/qt5ct/{,**} r,
|
||||
|
||||
owner @{user_cache_dirs}/icon-cache.kcache rw,
|
||||
|
|
|
@ -10,8 +10,8 @@ include <tunables/global>
|
|||
@{exec_path} += @{lib}/@{multiarch}/{,libexec/}xdg-desktop-portal-kde
|
||||
profile xdg-desktop-portal-kde @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/kde-strict>
|
||||
include <abstractions/graphics>
|
||||
include <abstractions/kde-strict>
|
||||
include <abstractions/nameservice-strict>
|
||||
|
||||
network inet dgram,
|
||||
|
@ -22,12 +22,21 @@ profile xdg-desktop-portal-kde @{exec_path} {
|
|||
|
||||
@{exec_path} mr,
|
||||
|
||||
#aa:exec kioworker
|
||||
|
||||
owner @{desktop_config_dirs}/user-dirs.dirs r,
|
||||
|
||||
owner @{user_cache_dirs}/*.kcache r,
|
||||
|
||||
owner @{user_cache_dirs}/icon-cache.kcache rw,
|
||||
|
||||
owner @{user_config_dirs}/#@{int} rw,
|
||||
owner @{user_config_dirs}/autostart/org.kde.*.desktop r,
|
||||
owner @{user_config_dirs}/xdg-desktop-portal-kderc r,
|
||||
owner @{user_config_dirs}/breezerc r,
|
||||
owner @{user_config_dirs}/kdeglobals{,.*} rwlk,
|
||||
owner @{user_config_dirs}/xdg-desktop-portal-kderc{,.*} rwlk,
|
||||
|
||||
owner @{run}/user/@{uid}/xdg-desktop-portal-kde@{rand6}.*.socket rw,
|
||||
|
||||
@{PROC}/sys/kernel/core_pattern r,
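Review bot: `owner @{user_config_dirs}/kdeglobals{,.*} rwlk,` and `owner @{user_config_dirs}/xdg-desktop-portal-kderc{,.*} rwlk,` use an open `.*` suffix and an unanchored link permission, whereas the rest of this change (the kded and kde-powerdevil hunks) writes KConfig save/lock rules as `<rc>.lock rwk,` plus `<rc>{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},`. The looser form also matches any `kdeglobals.<suffix>` the portal might create or link to. Unless the portal is known to produce other suffixes, suggest the split form, e.g. `owner @{user_config_dirs}/kdeglobals.lock rwk,` and `owner @{user_config_dirs}/kdeglobals{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},`. The earlier `owner @{user_config_dirs}/xdg-desktop-portal-kderc r,` line is subsumed by the `rwlk` rule if both end up on the new side.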
|
||||
|
||||
|
|
|
@ -11,6 +11,7 @@ profile xdg-document-portal @{exec_path} flags=(attach_disconnected) {
|
|||
include <abstractions/base>
|
||||
include <abstractions/bus-session>
|
||||
include <abstractions/bus/org.freedesktop.impl.portal.PermissionStore>
|
||||
include <abstractions/deny-sensitive-home>
|
||||
|
||||
capability sys_admin,
|
||||
capability sys_nice,
|
||||
|
@ -40,6 +41,8 @@ profile xdg-document-portal @{exec_path} flags=(attach_disconnected) {
|
|||
/ r,
|
||||
owner /.flatpak-info r,
|
||||
|
||||
owner @{HOME}/*/{,**} r,
|
||||
|
||||
owner @{user_share_dirs}/flatpak/db/documents r,
|
||||
owner @{user_share_dirs}/Trash/files/** r,
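Review bot: `owner @{HOME}/*/{,**} r,` grants read on every top-level directory under the home and everything below it, which is the broadest rule in this hunk and carries no comment explaining why the document portal needs it (presumably to serve arbitrary user files to sandboxed apps). That breadth is only acceptable because `include <abstractions/deny-sensitive-home>` is in the profile's include list in the earlier hunk of the same file, since deny rules take precedence. Suggest recording that dependency next to the rule, e.g. `owner @{HOME}/*/{,**} r, # exports user files to sandboxed apps; sensitive dirs blocked by deny-sensitive-home`, so the include is not later removed as unused.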
|
||||
|
||||
|
|
|
@ -38,6 +38,7 @@ profile xrdb @{exec_path} {
|
|||
owner @{user_share_dirs}/sddm/wayland-session.log w,
|
||||
|
||||
owner /tmp/kcminit.* r,
|
||||
owner /tmp/kded{5,6}.@{rand6} r,
|
||||
owner /tmp/plasma-apply-lookandfeel.* r,
|
||||
owner /tmp/runtime-*/xauth_@{rand6} r,
|
||||
owner /tmp/startplasma-x11.@{rand6} r,
|
||||
|
|
|
@ -38,6 +38,7 @@ profile DiscoverNotifier @{exec_path} {
|
|||
owner @{user_cache_dirs}/icon-cache.kcache rw,
|
||||
|
||||
owner @{user_config_dirs}/@{int} rw,
|
||||
owner @{user_config_dirs}/breezerc r,
|
||||
owner @{user_config_dirs}/PlasmaDiscoverUpdates rw,
|
||||
owner @{user_config_dirs}/PlasmaDiscoverUpdates.@{rand6} rwl -> @{user_config_dirs}/@{int},
|
||||
owner @{user_config_dirs}/PlasmaDiscoverUpdates.lock rwk,
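Review bot: `owner @{user_config_dirs}/@{int} rw,` and the link target in `owner @{user_config_dirs}/PlasmaDiscoverUpdates.@{rand6} rwl -> @{user_config_dirs}/@{int},` use `@{int}` where every other profile in this change (dolphin, kded, kwalletd, kactivitymanagerd) uses `#@{int}` for the anonymous temp file that the neighbouring rules link into place. If the intent is the same `#<number>` file, these two rules will not match it and the save will be denied. Suggest `owner @{user_config_dirs}/#@{int} rw,` and `-> @{user_config_dirs}/#@{int}` unless DiscoverNotifier is known to create plain numeric names. These lines appear to be context rather than new code, so this may be pre-existing.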
|
||||
|
|
|
@ -59,7 +59,6 @@ profile dolphin @{exec_path} {
|
|||
owner @{user_share_dirs}/dolphin/ rw,
|
||||
owner @{user_share_dirs}/dolphin/** rwkl -> @{user_share_dirs}/dolphin/#@{int},
|
||||
owner @{user_share_dirs}/recently-used.xbel{,.*} rwlk,
|
||||
owner @{user_share_dirs}/recently-used.xbel.@{rand6} lk -> @{user_share_dirs}/#@{int},
|
||||
|
||||
owner @{user_config_dirs}/#@{int} rw,
|
||||
owner @{user_config_dirs}/dolphinrc rwl -> @{user_config_dirs}/#@{int},
|
||||
|
|
|
@ -13,7 +13,8 @@ profile drkonqi-coredump-cleanup @{exec_path} {
|
|||
|
||||
@{exec_path} mr,
|
||||
|
||||
@{user_cache_dirs}/kcrash-metadata/ r,
|
||||
@{user_cache_dirs}/kcrash-metadata/ r,
|
||||
owner @{user_cache_dirs}/kcrash-metadata/plasmashell.*.ini w,
|
||||
|
||||
include if exists <local/drkonqi-coredump-cleanup>
|
||||
}
|
|
@ -20,10 +20,7 @@ profile drkonqi-coredump-processor @{exec_path} {
|
|||
|
||||
/{run,var}/log/journal/ r,
|
||||
/{run,var}/log/journal/@{hex32}/ r,
|
||||
/{run,var}/log/journal/@{hex32}/system.journal r,
|
||||
/{run,var}/log/journal/@{hex32}/system@@{hex}.journal r,
|
||||
/{run,var}/log/journal/@{hex32}/user-@{uid}.journal r,
|
||||
/{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex}.journal r,
|
||||
/{run,var}/log/journal/@{hex32}/*@{hex}.journal* r,
|
||||
|
||||
include if exists <local/drkonqi-coredump-processor>
|
||||
}
|
|
@ -21,6 +21,7 @@ profile kaccess @{exec_path} {
|
|||
|
||||
owner @{user_cache_dirs}/icon-cache.kcache rw,
|
||||
|
||||
owner @{user_config_dirs}/breezerc r,
|
||||
owner @{user_config_dirs}/kaccessrc r,
|
||||
|
||||
owner @{user_share_dirs}/mime/generic-icons r,
|
||||
|
|
|
@ -10,10 +10,12 @@ include <tunables/global>
|
|||
@{exec_path} += @{lib}/@{multiarch}/{,libexec/}kactivitymanagerd
|
||||
profile kactivitymanagerd @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/devices-usb>
|
||||
include <abstractions/graphics>
|
||||
include <abstractions/kde-strict>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/recent-documents-write>
|
||||
include <abstractions/thumbnails-cache-read>
|
||||
include <abstractions/user-read-strict>
|
||||
|
||||
@{exec_path} mr,
|
||||
|
@ -30,15 +32,26 @@ profile kactivitymanagerd @{exec_path} {
|
|||
owner @{user_cache_dirs}/ksycoca{5,6}_* r,
|
||||
|
||||
owner @{user_config_dirs}/#@{int} rw,
|
||||
owner @{user_config_dirs}/baloofilerc r,
|
||||
owner @{user_config_dirs}/breezerc r,
|
||||
owner @{user_config_dirs}/dolphinrc r,
|
||||
owner @{user_config_dirs}/kactivitymanagerdrc.lock rwk,
|
||||
owner @{user_config_dirs}/kactivitymanagerdrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
|
||||
owner @{user_config_dirs}/libreoffice/**.xcu r,
|
||||
owner @{user_config_dirs}/menus/{,**} r,
|
||||
owner @{user_config_dirs}/trashrc r,
|
||||
|
||||
owner @{user_share_dirs}/kactivitymanagerd/{,**} rwlk,
|
||||
owner @{user_share_dirs}/kservices{5,6}/{,**} r,
|
||||
owner @{user_share_dirs}/recently-used.xbel r,
|
||||
owner @{user_share_dirs}/user-places.xbel r,
|
||||
|
||||
@{PROC}/sys/kernel/core_pattern r,
|
||||
owner @{run}/user/@{uid}/#@{int} rw,
|
||||
owner @{run}/user/@{uid}/*@{rand6}.*.socket rwl -> @{run}/user/@{uid}/#@{int},
|
||||
|
||||
@{PROC}/sys/kernel/core_pattern r,
|
||||
owner @{PROC}/@{pid}/mountinfo r,
|
||||
owner @{PROC}/@{pid}/mounts r,
|
||||
|
||||
/dev/tty r,
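Review bot: `owner @{run}/user/@{uid}/*@{rand6}.*.socket rwl -> @{run}/user/@{uid}/#@{int},` starts with a bare `*`, so it covers every socket name in the user's runtime directory, not just kactivitymanagerd's own. The xdg-desktop-portal-kde hunk in the same change pins the equivalent rule to its binary name (`xdg-desktop-portal-kde@{rand6}.*.socket`). If the daemon names its socket after itself, prefer `owner @{run}/user/@{uid}/kactivitymanagerd@{rand6}.*.socket rwl -> @{run}/user/@{uid}/#@{int},`. Also `@{PROC}/sys/kernel/core_pattern r,` appears twice in this hunk; if both survive on the new side one is redundant.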
|
||||
|
||||
|
|
|
@ -39,6 +39,7 @@ profile kde-powerdevil @{exec_path} flags=(attach_disconnected mediate_deleted)
|
|||
owner @{user_cache_dirs}/kcrash-metadata/{,*} rw,
|
||||
|
||||
owner @{user_config_dirs}/#@{int} rw,
|
||||
owner @{user_config_dirs}/ksmserverrc r,
|
||||
owner @{user_config_dirs}/powerdevilrc.lock rwk,
|
||||
owner @{user_config_dirs}/powerdevilrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
|
||||
owner @{user_config_dirs}/powermanagementprofilesrc.lock rwk,
|
||||
|
@ -55,20 +56,26 @@ profile kde-powerdevil @{exec_path} flags=(attach_disconnected mediate_deleted)
|
|||
@{sys}/class/i2c-dev/ r,
|
||||
@{sys}/class/usbmisc/ r,
|
||||
@{sys}/devices/ r,
|
||||
@{sys}/devices/@{pci}/card@{int}/*/dpms r,
|
||||
@{sys}/devices/@{pci}/drm/card@{int}/**/dev r,
|
||||
@{sys}/devices/@{pci}/drm/card@{int}/*/dpms r,
|
||||
@{sys}/devices/@{pci}/drm/card@{int}/*/edid r,
|
||||
@{sys}/devices/@{pci}/drm/card@{int}/*/enabled r,
|
||||
@{sys}/devices/@{pci}/drm/card@{int}/*/status r,
|
||||
@{sys}/devices/@{pci}/drm/i2c-@{int}/**/dev r,
|
||||
@{sys}/devices/@{pci}/i2c-@{int}/name r,
|
||||
@{sys}/devices/**/ r,
|
||||
@{sys}/devices/i2c-@{int}/name r,
|
||||
@{sys}/devices/platform/**/i2c-@{int}/**/name r,
|
||||
@{sys}/devices/platform/*/i2c-@{int}/name r,
|
||||
|
||||
@{PROC}/@{pid}/fd/ r,
|
||||
@{PROC}/@{pid}/mounts r,
|
||||
@{PROC}/sys/kernel/core_pattern r,
|
||||
|
||||
/dev/tty rw,
|
||||
/dev/i2c-@{int} rwk,
|
||||
/dev/rfkill r,
|
||||
/dev/tty rw,
|
||||
|
||||
include if exists <local/kde-powerdevil>
|
||||
}
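Review bot: `@{sys}/devices/**/ r,` grants directory listing of the whole sysfs device tree and makes the narrower directory rules around it (`@{sys}/devices/ r,`, the `card@{int}` and `i2c-@{int}` paths) redundant for listing purposes. The specific `name`, `dpms` and `edid` rules suggest the daemon walks sysfs to find I2C adapters and DRM outputs, but the profile does not say so. If only a subtree walk is needed, suggest bounding it, e.g. `@{sys}/devices/**/i2c-@{int}/ r,` and `@{sys}/devices/@{pci}/drm/card@{int}/**/ r,`; otherwise add a `# for ...` comment explaining the full walk. `/dev/tty rw,` is listed twice in this hunk; if both are on the new side one can go.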
|
||||
|
|
|
@ -66,12 +66,14 @@ profile kded @{exec_path} {
|
|||
@{bin}/python3.@{int} rix,
|
||||
@{bin}/setxkbmap rix,
|
||||
@{bin}/xrdb rPx,
|
||||
@{bin}/xsetroot rPx,
|
||||
@{bin}/xsettingsd rPx,
|
||||
@{lib}/drkonqi rPx,
|
||||
|
||||
#aa:exec utempter
|
||||
#aa:exec kconf_update
|
||||
|
||||
/usr/share/color-schemes/{,**} r,
|
||||
/usr/share/kconf_update/ r,
|
||||
/usr/share/kded{5,6}/{,**} r,
|
||||
/usr/share/kf{5,6}/kcookiejar/* r,
|
||||
|
@ -103,18 +105,23 @@ profile kded @{exec_path} {
|
|||
owner @{user_config_dirs}/#@{int} rw,
|
||||
owner @{user_config_dirs}/bluedevilglobalrc.lock rwk,
|
||||
owner @{user_config_dirs}/bluedevilglobalrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
|
||||
owner @{user_config_dirs}/breezerc r,
|
||||
owner @{user_config_dirs}/gtk-{3,4}.0/{,**} rwl,
|
||||
owner @{user_config_dirs}/gtk-{3,4}.0/settings.ini.lock rk,
|
||||
owner @{user_config_dirs}/gtkrc{,*} rwlk,
|
||||
owner @{user_config_dirs}/kcminputrc r,
|
||||
owner @{user_config_dirs}/kconf_updaterc rw,
|
||||
owner @{user_config_dirs}/kconf_updaterc.lock rwk,
|
||||
owner @{user_config_dirs}/kdebugrc r,
|
||||
owner @{user_config_dirs}/kded{5,6}rc.lock rwk,
|
||||
owner @{user_config_dirs}/kded{5,6}rc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
|
||||
owner @{user_config_dirs}/kded{5,6}rc{,.@{rand6}} rwl,
|
||||
owner @{user_config_dirs}/kdedefaults/{,**} r,
|
||||
owner @{user_config_dirs}/kdeglobals.lock rwk,
|
||||
owner @{user_config_dirs}/kdeglobals{,.@{rand6}} rwl,
|
||||
owner @{user_config_dirs}/khotkeysrc.lock rwk,
|
||||
owner @{user_config_dirs}/khotkeysrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
|
||||
owner @{user_config_dirs}/kioslaverc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
|
||||
owner @{user_config_dirs}/ksmserverrc r,
|
||||
owner @{user_config_dirs}/ktimezonedrc.lock rwk,
|
||||
owner @{user_config_dirs}/ktimezonedrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
|
||||
owner @{user_config_dirs}/kwalletrc r,
|
||||
|
@ -128,6 +135,8 @@ profile kded @{exec_path} {
|
|||
owner @{user_config_dirs}/plasma-nm r,
|
||||
owner @{user_config_dirs}/plasma-welcomerc r,
|
||||
owner @{user_config_dirs}/touchpadrc r,
|
||||
owner @{user_config_dirs}/Trolltech.conf.lock rwk,
|
||||
owner @{user_config_dirs}/Trolltech.conf{,.@{rand6}} rwl,
|
||||
owner @{user_config_dirs}/xsettingsd/{,**} rw,
|
||||
|
||||
@{user_share_dirs}/kcookiejar/cookies{,.@{rand6}} rwkl -> @{user_share_dirs}/kcookiejar/#@{int},
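Review bot: `@{user_share_dirs}/kcookiejar/cookies{,.@{rand6}} rwkl -> @{user_share_dirs}/kcookiejar/#@{int},` is the only user-data rule in these kded hunks without the `owner` prefix, and as far as the `@{HOME}`-based tunables expand to every home directory it also matches other users' cookie jars. Suggest `owner @{user_share_dirs}/kcookiejar/cookies{,.@{rand6}} rwkl -> @{user_share_dirs}/kcookiejar/#@{int},`, matching the `owner @{user_config_dirs}/...` rules above it. In the previous hunk, `owner @{user_config_dirs}/kded{5,6}rc{,.@{rand6}} rwl,` and `owner @{user_config_dirs}/kdeglobals{,.@{rand6}} rwl,` leave the link target open while the neighbouring rc rules pin it with `-> @{user_config_dirs}/#@{int}`; whichever of the two `kded{5,6}rc` lines is the new one, the pinned form is the consistent choice. In the last kded hunk, `owner /tmp/kded6.@{rand6} rwl -> /tmp/#@{int},` hardcodes `6` where the rest of the profile uses `kded{5,6}`.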
|
||||
|
@ -147,6 +156,8 @@ profile kded @{exec_path} {
|
|||
owner @{run}/user/@{uid}/#@{int} rw,
|
||||
owner @{run}/user/@{uid}/kded{5,6}*kioworker.socket rwl,
|
||||
|
||||
owner /tmp/#@{int} rw,
|
||||
owner /tmp/kded6.@{rand6} rwl -> /tmp/#@{int},
|
||||
owner /tmp/plasma-csd-generator.@{rand6}/{,**} rw,
|
||||
|
||||
@{PROC}/ r,
|
||||
|
|
|
@ -11,6 +11,7 @@ include <tunables/global>
|
|||
profile kioworker @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/deny-sensitive-home>
|
||||
include <abstractions/fontconfig-cache-write>
|
||||
include <abstractions/graphics>
|
||||
include <abstractions/kde-strict>
|
||||
include <abstractions/nameservice-strict>
|
||||
|
@ -35,6 +36,8 @@ profile kioworker @{exec_path} {
|
|||
@{lib}/libheif/ r,
|
||||
@{lib}/libheif/*.so* rm,
|
||||
|
||||
@{bin}/wrestool rPUx,
|
||||
|
||||
#aa:exec kio_http_cache_cleaner
|
||||
|
||||
/usr/share/kio_desktop/directory.desktop r,
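Review bot: `@{bin}/wrestool rPUx,` falls back to running wrestool unconfined when no `wrestool` profile is loaded, and wrestool parses resources out of arbitrary, often downloaded, Windows executables (presumably for icon or thumbnail extraction here). If the repository ships a wrestool profile, `@{bin}/wrestool rPx,` makes a missing profile an error instead of a silent escalation; if it does not, a comment recording why the unconfined fallback is accepted would help, e.g. `@{bin}/wrestool rPUx, # no profile yet; extracts icons from exe files`.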
|
||||
|
|
|
@ -36,29 +36,34 @@ profile konsole @{exec_path} flags=(attach_disconnected,mediate_deleted) {
|
|||
/usr/share/sounds/** r,
|
||||
|
||||
/etc/xdg/konsolerc r,
|
||||
/etc/xdg/menus/{,**} r,
|
||||
/etc/xdg/ui/ui_standards.rc r,
|
||||
|
||||
owner @{HOME}/@{XDG_SSH_DIR}/config r,
|
||||
|
||||
owner @{user_config_dirs}/#@{int} rwl,
|
||||
owner @{user_config_dirs}/konsolerc rwl -> @{user_config_dirs}/#@{int},
|
||||
owner @{user_config_dirs}/konsolerc.@{rand6} rwl -> @{user_config_dirs}/#@{int},
|
||||
owner @{user_config_dirs}/konsolerc.lock rwk,
|
||||
owner @{user_cache_dirs}/ksycoca{5,6}_* r,
|
||||
|
||||
owner @{user_config_dirs}/breezerc r,
|
||||
owner @{user_config_dirs}/konsolerc{,*} rwlk,
|
||||
owner @{user_config_dirs}/konsolesshconfig rwl -> @{user_config_dirs}/#@{int},
|
||||
owner @{user_config_dirs}/konsolesshconfig.@{rand6} rwl -> @{user_config_dirs}/#@{int},
|
||||
owner @{user_config_dirs}/konsolesshconfig.lock rwk,
|
||||
owner @{user_config_dirs}/menus/{,**} r,
|
||||
|
||||
owner @{user_cache_dirs}/icon-cache.kcache rw,
|
||||
|
||||
owner @{user_share_dirs}/color-schemes/{,**} r,
|
||||
owner @{user_share_dirs}/konsole/ rw,
|
||||
owner @{user_share_dirs}/konsole/** rwlk,
|
||||
owner @{user_share_dirs}/kxmlgui5/konsole/{,**} r,
|
||||
|
||||
owner /tmp/#@{int} rw,
|
||||
owner /tmp/konsole.@{rand6} rw,
|
||||
|
||||
@{PROC}/sys/kernel/core_pattern r,
|
||||
owner @{PROC}/@{pid}/cmdline r,
|
||||
owner @{PROC}/@{pid}/stat r,
|
||||
@{PROC}/sys/kernel/core_pattern r,
|
||||
@{PROC}/@{pid}/cmdline r,
|
||||
@{PROC}/@{pid}/stat r,
|
||||
|
||||
/dev/ptmx rw,
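Review bot: this hunk carries both `owner @{PROC}/@{pid}/cmdline r,` / `owner @{PROC}/@{pid}/stat r,` and the same two paths without `owner`; the markers are lost on this page, but the 29 → 34 line counts mean one pair replaces the other. If the non-owner pair is the new side, konsole gains read of `cmdline` and `stat` for every process on the system, while it presumably only needs them for its own child shells and their foreground jobs (same uid). Suggest keeping `owner @{PROC}/@{pid}/cmdline r,` and `owner @{PROC}/@{pid}/stat r,`. Separately, `owner @{user_config_dirs}/konsolerc{,*} rwlk,` uses a bare `*` suffix; `{,.*}` (as in the dolphin hunk's `recently-used.xbel{,.*}`) avoids matching unrelated `konsolerc…` names.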
|
||||
|
||||
|
|
|
@ -64,6 +64,8 @@ profile kscreenlocker_greet @{exec_path} {
|
|||
/etc/xdg/kscreenlockerrc r,
|
||||
/etc/xdg/plasmarc r,
|
||||
|
||||
/var/lib/AccountsService/icons/* r,
|
||||
|
||||
/var/lib/dbus/machine-id r,
|
||||
|
||||
owner @{HOME}/.face.icon r,
|
||||
|
@ -73,7 +75,7 @@ profile kscreenlocker_greet @{exec_path} {
|
|||
owner @{user_cache_dirs}/ rw,
|
||||
owner @{user_cache_dirs}/icon-cache.kcache rw,
|
||||
owner @{user_cache_dirs}/kscreenlocker_greet/ w,
|
||||
owner @{user_cache_dirs}/kscreenlocker_greet/** rwl,
|
||||
owner @{user_cache_dirs}/kscreenlocker_greet/** rwlk,
|
||||
owner @{user_cache_dirs}/ksvg-elements r,
|
||||
owner @{user_cache_dirs}/plasma_theme_*.kcache rw,
|
||||
owner @{user_cache_dirs}/plasma-svgelements rw,
|
||||
|
|
|
@ -9,8 +9,9 @@ include <tunables/global>
|
|||
@{exec_path} = @{bin}/ksmserver
|
||||
profile ksmserver @{exec_path} flags=(attach_disconnected,mediate_deleted) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/bus/org.freedesktop.login1.Session>
|
||||
include <abstractions/app-launcher-user>
|
||||
include <abstractions/audio-client>
|
||||
include <abstractions/bus/org.freedesktop.login1.Session>
|
||||
include <abstractions/graphics>
|
||||
include <abstractions/kde-strict>
|
||||
include <abstractions/nameservice-strict>
|
||||
|
|
|
@ -29,6 +29,8 @@ profile ksplashqml @{exec_path} {
|
|||
|
||||
owner @{user_config_dirs}/kdedefaults/ksplashrc r,
|
||||
owner @{user_config_dirs}/kdedefaults/plasmarc r,
|
||||
owner @{user_config_dirs}/ksplashrc r,
|
||||
owner @{user_config_dirs}/plasmarc r,
|
||||
|
||||
@{PROC}/sys/kernel/core_pattern r,
|
||||
|
||||
|
|
|
@ -36,6 +36,7 @@ profile kwalletd @{exec_path} {
|
|||
owner @{user_cache_dirs}/icon-cache.kcache rw,
|
||||
|
||||
owner @{user_config_dirs}/#@{int} rw,
|
||||
owner @{user_config_dirs}/breezerc r,
|
||||
owner @{user_config_dirs}/kwalletrc r,
|
||||
owner @{user_config_dirs}/kwalletrc rwl -> @{user_config_dirs}/#@{int},
|
||||
owner @{user_config_dirs}/kwalletrc.lock rwk,
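Review bot: `owner @{user_config_dirs}/kwalletrc r,` is fully covered by `owner @{user_config_dirs}/kwalletrc rwl -> @{user_config_dirs}/#@{int},` on the next line; with 6 → 7 lines and no deletions in this hunk, both are on the new side, so the `r` rule is dead and should be dropped.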
|
||||
|
|
|
@ -17,6 +17,7 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) {
|
|||
include <abstractions/qt5-shader-cache>
|
||||
|
||||
capability sys_nice,
|
||||
capability sys_ptrace,
|
||||
|
||||
ptrace (read),
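Review bot: `ptrace (read),` has no `peer=` and sits next to `capability sys_ptrace,`, which together let kwin_wayland read `/proc/<pid>/` state (cmdline, environ, maps, fd) of every process on the system, including other users'. The plasmashell hunks in this same change go further, replacing the named `ptrace (read) peer=akonadi*`, `peer=kded`, `peer=kwin_x11` and similar rules with a bare `ptrace (read),` and adding `capability sys_ptrace,`. If the need is the window-to-process mapping for the user's own windows, read-mode ptrace on same-uid peers does not require `capability sys_ptrace`; suggest either restoring the peer restrictions the plasmashell hunk removes or at least a comment stating which cross-uid processes must be inspected.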
|
||||
|
||||
|
@ -68,6 +69,7 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) {
|
|||
|
||||
owner @{user_cache_dirs}/ r,
|
||||
owner @{user_cache_dirs}/#@{int} rw,
|
||||
owner @{user_cache_dirs}/ksvg-elements r,
|
||||
owner @{user_cache_dirs}/icon-cache.kcache rw,
|
||||
owner @{user_cache_dirs}/ksycoca{5,6}_* r,
|
||||
owner @{user_cache_dirs}/ksycoca{5,6}_* rwkl -> @{user_cache_dirs}/#@{int},
|
||||
|
@ -79,10 +81,12 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) {
|
|||
owner @{user_cache_dirs}/plasma-svgelements.lock rwk,
|
||||
|
||||
owner @{user_config_dirs}/#@{int} rwl,
|
||||
owner @{user_config_dirs}/breezerc r,
|
||||
owner @{user_config_dirs}/kcminputrc r,
|
||||
owner @{user_config_dirs}/kdedefaults/* r,
|
||||
owner @{user_config_dirs}/kglobalshortcutsrc.lock rwk,
|
||||
owner @{user_config_dirs}/kglobalshortcutsrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
|
||||
owner @{user_config_dirs}/klaunchrc r,
|
||||
owner @{user_config_dirs}/kscreenlockerrc r,
|
||||
owner @{user_config_dirs}/kwinoutputconfig.json rw,
|
||||
owner @{user_config_dirs}/kwinrc.lock rwk,
|
||||
|
@ -90,6 +94,7 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) {
|
|||
owner @{user_config_dirs}/kwinrulesrc r,
|
||||
owner @{user_config_dirs}/kxkbrc r,
|
||||
owner @{user_config_dirs}/menus/{,applications-merged/} r,
|
||||
owner @{user_config_dirs}/plasmarc r,
|
||||
owner @{user_config_dirs}/session/* r,
|
||||
|
||||
owner @{user_share_dirs}/kscreen/* r,
|
||||
|
@ -112,6 +117,7 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) {
|
|||
@{run}/udev/data/+sound:card@{int} r, # for sound card
|
||||
@{run}/udev/data/+usb:* r,
|
||||
|
||||
@{run}/udev/data/c10:@{int} r, # for non-serial mice, misc features
|
||||
@{run}/udev/data/c13:@{int} r, # for /dev/input/*
|
||||
@{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/**
|
||||
@{run}/udev/data/c226:@{int} r, # for /dev/dri/card*
|
||||
|
|
|
@ -29,6 +29,8 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
|
|||
|
||||
# userns,
|
||||
|
||||
capability sys_ptrace,
|
||||
|
||||
network inet dgram,
|
||||
network inet6 dgram,
|
||||
network inet stream,
|
||||
|
@ -36,13 +38,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
|
|||
network netlink dgram,
|
||||
network netlink raw,
|
||||
|
||||
ptrace (read) peer=akonadi*,
|
||||
ptrace (read) peer=kalendarac,
|
||||
ptrace (read) peer=kded,
|
||||
ptrace (read) peer=ksmserver-logout-greeter,
|
||||
ptrace (read) peer=kwin_x11,
|
||||
ptrace (read) peer=libreoffice*,
|
||||
ptrace (read) peer=pinentry-qt,
|
||||
ptrace (read),
|
||||
|
||||
signal (send),
|
||||
|
||||
|
@ -58,21 +54,20 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
|
|||
|
||||
#aa:exec kioworker
|
||||
|
||||
/usr/share/akonadi/firstrun/{,*} r,
|
||||
/usr/share/akonadi/plugins/serializer/{,*.desktop} r,
|
||||
/usr/share/akonadi/{,**} r,
|
||||
/usr/share/desktop-base/{,**} r,
|
||||
/usr/share/desktop-directories/kf5-*.directory r,
|
||||
/usr/share/kf6/{,**} r,
|
||||
/usr/share/kf{5,6}/{,**} r,
|
||||
/usr/share/kio/servicemenus/{,*.desktop} r,
|
||||
/usr/share/knotifications{5,6}/*.notifyrc r,
|
||||
|
||||
/usr/share/konsole/ r,
|
||||
/usr/share/krunner/{,**} r,
|
||||
/usr/share/kservices{5,6}/{,**} r,
|
||||
/usr/share/kservicetypes5/{,**} r,
|
||||
/usr/share/kservicetypes{5,6}/{,**} r,
|
||||
/usr/share/lshw/artwork/logo.svg r,
|
||||
/usr/share/metainfo/{,**} r,
|
||||
/usr/share/plasma/{,**} r,
|
||||
/usr/share/plasma5support/** r,
|
||||
/usr/share/solid/actions/{,**} r,
|
||||
/usr/share/swcatalog/{,**} r,
|
||||
/usr/share/templates/{,*.desktop} r,
|
||||
|
@ -87,8 +82,11 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
|
|||
/etc/sensors.d/ r,
|
||||
/etc/xdg/** r,
|
||||
|
||||
/var/lib/AccountsService/icons/* r,
|
||||
|
||||
@{HOME}/ r,
|
||||
owner @{HOME}/@{XDG_DESKTOP_DIR}/*.desktop r,
|
||||
owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r,
|
||||
owner @{user_pictures_dirs}/{,**} r,
|
||||
|
||||
owner @{user_templates_dirs}/ r,
|
||||
|
@ -121,8 +119,10 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
|
|||
owner @{user_config_dirs}/#@{int} rwk,
|
||||
owner @{user_config_dirs}/akonadi* r,
|
||||
owner @{user_config_dirs}/akonadi/akonadi*rc r,
|
||||
owner @{user_config_dirs}/arkrc r,
|
||||
owner @{user_config_dirs}/baloofileinformationrc r,
|
||||
owner @{user_config_dirs}/baloofilerc r,
|
||||
owner @{user_config_dirs}/breezerc r,
|
||||
owner @{user_config_dirs}/dolphinrc r,
|
||||
owner @{user_config_dirs}/eventviewsrc r,
|
||||
owner @{user_config_dirs}/kactivitymanagerd* rwkl -> @{user_config_dirs}/#@{int},
|
||||
|
@ -130,6 +130,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
|
|||
owner @{user_config_dirs}/kdedefaults/plasmarc r,
|
||||
owner @{user_config_dirs}/kdiff3fileitemactionrc r,
|
||||
owner @{user_config_dirs}/kioslaverc r,
|
||||
owner @{user_config_dirs}/klaunchrc r,
|
||||
owner @{user_config_dirs}/klipperrc r,
|
||||
owner @{user_config_dirs}/kmail2.notifyrc r,
|
||||
owner @{user_config_dirs}/korganizerrc r,
|
||||
|
@ -156,12 +157,12 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
|
|||
owner @{user_share_dirs}/krunnerstaterc.lock rwk,
|
||||
owner @{user_share_dirs}/kservices{5,6}/{,**} r,
|
||||
owner @{user_share_dirs}/ktp/cache.db rwk,
|
||||
owner @{user_share_dirs}/plasma_icons/*.desktop r,
|
||||
owner @{user_share_dirs}/plasma/plasmoids/{,**} r,
|
||||
owner @{user_share_dirs}/plasmashell/** rwkl -> @{user_share_dirs}/plasmashell/**,
|
||||
owner @{user_share_dirs}/user-places.xbel{,*} rwl,
|
||||
owner @{user_share_dirs}/libkunitconversion/ rw,
|
||||
owner @{user_share_dirs}/libkunitconversion/** rwlk,
|
||||
owner @{user_share_dirs}/plasma_icons/*.desktop r,
|
||||
owner @{user_share_dirs}/plasma/{,**} r,
|
||||
owner @{user_share_dirs}/plasmashell/** rwkl -> @{user_share_dirs}/plasmashell/**,
|
||||
owner @{user_share_dirs}/user-places.xbel{,*} rwl,
|
||||
|
||||
/tmp/.mount_nextcl@{rand6}/{,*} r,
|
||||
owner /tmp/#@{int} rw,
|
||||
|
|
|
@ -41,7 +41,7 @@ profile sddm-greeter @{exec_path} {
|
|||
/etc/sddm.conf r,
|
||||
/etc/sddm.conf.d/{,*} r,
|
||||
/etc/xdg/plasmarc r,
|
||||
/var/lib/AccountsService/icons/*.icon r,
|
||||
/var/lib/AccountsService/icons/* r,
|
||||
/var/lib/dbus/machine-id r,
|
||||
|
||||
@{SDDM_HOME}/state.conf r,
|
||||
|
|
|
@ -9,6 +9,7 @@ include <tunables/global>
|
|||
@{exec_path} = @{bin}/startplasma-wayland @{bin}/startplasma-x11
|
||||
profile startplasma @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/audio-client>
|
||||
include <abstractions/kde-strict>
|
||||
|
||||
signal (receive) set=(hup) peer=@{p_systemd},
|
||||
|
@ -43,8 +44,7 @@ profile startplasma @{exec_path} {
|
|||
owner @{user_cache_dirs}/plasma-svgelements rw,
|
||||
|
||||
owner @{user_config_dirs}/#@{int} rw,
|
||||
owner @{user_config_dirs}/gtkrc rl,
|
||||
owner @{user_config_dirs}/gtkrc-2.0 rl,
|
||||
owner @{user_config_dirs}/gtkrc{,*} rwlk,
|
||||
owner @{user_config_dirs}/kcminputrc r,
|
||||
owner @{user_config_dirs}/kdedefaults/ rw,
|
||||
owner @{user_config_dirs}/kdedefaults/** rwkl -> @{user_config_dirs}/kdedefaults/**,
|
||||
|
@ -57,8 +57,8 @@ profile startplasma @{exec_path} {
|
|||
owner @{user_config_dirs}/plasma-localerc.lock rwk,
|
||||
owner @{user_config_dirs}/plasma-workspace/env/ r,
|
||||
owner @{user_config_dirs}/startkderc r,
|
||||
owner @{user_config_dirs}/Trolltech.conf rwl,
|
||||
owner @{user_config_dirs}/Trolltech.conf.lock rwk,
|
||||
owner @{user_config_dirs}/Trolltech.conf{,.@{rand6}} rwl,
|
||||
|
||||
owner @{user_share_dirs}/kservices{5,6}/{,**} r,
|
||||
owner @{user_share_dirs}/sddm/wayland-session.log rw,
|
||||
|
|
|
@ -73,6 +73,7 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) {
|
|||
@{run}/udev/static_node-tags/uaccess/ r,
|
||||
|
||||
@{run}/udev/data/+backlight:* r,
|
||||
@{run}/udev/data/+drivers:* r,
|
||||
@{run}/udev/data/+drm:card@{int}-* r, # For screen outputs
|
||||
@{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad
|
||||
@{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.)
|
||||
|
|
|
@ -24,8 +24,7 @@ profile sudo @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
signal (send,receive) peer=cockpit-bridge,
|
||||
signal (send) peer=@{p_systemd},
|
||||
signal (send) set=(cont,hup) peer=su,
|
||||
# signal (send) set=(winch),
|
||||
signal (send) set=(cont,hup,winch) peer=su,
|
||||
signal (send) set=(winch) peer=child-pager,
|
||||
signal (send) set=(winch) peer=journalctl,
|
||||
|
||||
|
|
|
@ -31,6 +31,7 @@ profile syncthing @{exec_path} {
|
|||
owner @{HOME}/ r,
|
||||
owner @{HOME}/@{XDG_DATA_DIR}/syncthing/{,**} rwk,
|
||||
owner @{user_config_dirs}/syncthing/{,**} rwk,
|
||||
owner @{user_state_dirs}/syncthing/{,**} rwk,
|
||||
|
||||
/home/ r,
|
||||
@{user_sync_dirs}/{,**} rw,
|
||||
|
|