diff --git a/apparmor.d/groups/browsers/firefox-pingsender b/apparmor.d/groups/browsers/firefox-pingsender
index 7476fc7c..c1066bdf 100644
--- a/apparmor.d/groups/browsers/firefox-pingsender
+++ b/apparmor.d/groups/browsers/firefox-pingsender
@@ -17,6 +17,8 @@ profile firefox-pingsender @{exec_path} {
 include
 include
+ network inet dgram,
+ network inet6 dgram,
 network inet stream,
 network inet6 stream,
diff --git a/apparmor.d/groups/browsers/firefox-vaapitest b/apparmor.d/groups/browsers/firefox-vaapitest
index f151a00a..ea61658a 100644
--- a/apparmor.d/groups/browsers/firefox-vaapitest
+++ b/apparmor.d/groups/browsers/firefox-vaapitest
@@ -14,6 +14,7 @@ include
 profile firefox-vaapitest @{exec_path} flags=(attach_disconnected) {
 include
 include
+ include
 network netlink raw,
diff --git a/apparmor.d/groups/freedesktop/plymouth-set-default-theme b/apparmor.d/groups/freedesktop/plymouth-set-default-theme
index de2c37b2..c1b78c1a 100644
--- a/apparmor.d/groups/freedesktop/plymouth-set-default-theme
+++ b/apparmor.d/groups/freedesktop/plymouth-set-default-theme
@@ -18,7 +18,11 @@ profile plymouth-set-default-theme @{exec_path} flags=(attach_disconnected) {
 @{bin}/grep rix,
 @{bin}/plymouth rPx,
+ /usr/share/plymouth/{,**} r,
+ /etc/plymouth/{,*} r,
+ /dev/tty rw,
+
 include if exists
 }
diff --git a/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent b/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent
index 98c13948..eb76d509 100644
--- a/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent
+++ b/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent
@@ -35,6 +35,7 @@ profile polkit-kde-authentication-agent @{exec_path} flags=(attach_disconnected)
 /etc/machine-id r,
 /var/lib/dbus/machine-id r,
+ owner @{user_config_dirs}/breezerc r,
 owner @{user_config_dirs}/qt5ct/{,**} r,
 owner @{user_cache_dirs}/icon-cache.kcache rw,
diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde b/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde index 019e6d0b..c724c0aa 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde @@ -10,8 +10,8 @@ include @{exec_path} += @{lib}/@{multiarch}/{,libexec/}xdg-desktop-portal-kde profile xdg-desktop-portal-kde @{exec_path} { include - include include + include include network inet dgram, @@ -22,12 +22,21 @@ profile xdg-desktop-portal-kde @{exec_path} { @{exec_path} mr, + #aa:exec kioworker + + owner @{desktop_config_dirs}/user-dirs.dirs r, + owner @{user_cache_dirs}/*.kcache r, owner @{user_cache_dirs}/icon-cache.kcache rw, + owner @{user_config_dirs}/#@{int} rw, owner @{user_config_dirs}/autostart/org.kde.*.desktop r, - owner @{user_config_dirs}/xdg-desktop-portal-kderc r, + owner @{user_config_dirs}/breezerc r, + owner @{user_config_dirs}/kdeglobals{,.*} rwlk, + owner @{user_config_dirs}/xdg-desktop-portal-kderc{,.*} rwlk, + + owner @{run}/user/@{uid}/xdg-desktop-portal-kde@{rand6}.*.socket rw, @{PROC}/sys/kernel/core_pattern r, diff --git a/apparmor.d/groups/freedesktop/xdg-document-portal b/apparmor.d/groups/freedesktop/xdg-document-portal index 13cb4b52..2715d971 100644 --- a/apparmor.d/groups/freedesktop/xdg-document-portal +++ b/apparmor.d/groups/freedesktop/xdg-document-portal @@ -11,6 +11,7 @@ profile xdg-document-portal @{exec_path} flags=(attach_disconnected) { include include include + include capability sys_admin, capability sys_nice, @@ -40,6 +41,8 @@ profile xdg-document-portal @{exec_path} flags=(attach_disconnected) { / r, owner /.flatpak-info r, + owner @{HOME}/*/{,**} r, + owner @{user_share_dirs}/flatpak/db/documents r, owner @{user_share_dirs}/Trash/files/** r, diff --git a/apparmor.d/groups/freedesktop/xrdb b/apparmor.d/groups/freedesktop/xrdb index 800a3a79..50b79e33 100644 --- a/apparmor.d/groups/freedesktop/xrdb +++ b/apparmor.d/groups/freedesktop/xrdb 
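Review bot: The rule `owner @{HOME}/*/{,**} r,` added in the second xdg-document-portal hunk gives the portal read access to every file under every top-level directory of the user's home, and because AppArmor's `*` also matches dot-directories this includes hidden configuration and credential directories. The portal's job is to expose individually granted files through its own mount, so a home-wide rule looks like a denial being silenced rather than a deliberate grant; if a broad rule really is required, a comment recording which operation triggers it, e.g. `# TODO(review): confirm why the whole home tree must be readable here`, would let later reviewers re-check it. Narrowing to the directories actually observed in the denials would keep the portal's view of the home directory in line with its purpose. The enclosing profile continues outside the hunk.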
@@ -38,6 +38,7 @@ profile xrdb @{exec_path} {
 owner @{user_share_dirs}/sddm/wayland-session.log w,
 owner /tmp/kcminit.* r,
+ owner /tmp/kded{5,6}.@{rand6} r,
 owner /tmp/plasma-apply-lookandfeel.* r,
 owner /tmp/runtime-*/xauth_@{rand6} r,
 owner /tmp/startplasma-x11.@{rand6} r,
diff --git a/apparmor.d/groups/kde/DiscoverNotifier b/apparmor.d/groups/kde/DiscoverNotifier
index b7becb2b..59965425 100644
--- a/apparmor.d/groups/kde/DiscoverNotifier
+++ b/apparmor.d/groups/kde/DiscoverNotifier
@@ -38,6 +38,7 @@ profile DiscoverNotifier @{exec_path} {
 owner @{user_cache_dirs}/icon-cache.kcache rw,
 owner @{user_config_dirs}/@{int} rw,
+ owner @{user_config_dirs}/breezerc r,
 owner @{user_config_dirs}/PlasmaDiscoverUpdates rw,
 owner @{user_config_dirs}/PlasmaDiscoverUpdates.@{rand6} rwl -> @{user_config_dirs}/@{int},
 owner @{user_config_dirs}/PlasmaDiscoverUpdates.lock rwk,
diff --git a/apparmor.d/groups/kde/dolphin b/apparmor.d/groups/kde/dolphin
index dabc8cb4..5e5381da 100644
--- a/apparmor.d/groups/kde/dolphin
+++ b/apparmor.d/groups/kde/dolphin
@@ -59,7 +59,6 @@ profile dolphin @{exec_path} {
 owner @{user_share_dirs}/dolphin/ rw,
 owner @{user_share_dirs}/dolphin/** rwkl -> @{user_share_dirs}/dolphin/#@{int},
 owner @{user_share_dirs}/recently-used.xbel{,.*} rwlk,
- owner @{user_share_dirs}/recently-used.xbel.@{rand6} lk -> @{user_share_dirs}/#@{int},
 owner @{user_config_dirs}/#@{int} rw,
 owner @{user_config_dirs}/dolphinrc rwl -> @{user_config_dirs}/#@{int},
diff --git a/apparmor.d/groups/kde/drkonqi-coredump-cleanup b/apparmor.d/groups/kde/drkonqi-coredump-cleanup
index bdc6a422..f6adfc8e 100644
--- a/apparmor.d/groups/kde/drkonqi-coredump-cleanup
+++ b/apparmor.d/groups/kde/drkonqi-coredump-cleanup
@@ -13,7 +13,8 @@ profile drkonqi-coredump-cleanup @{exec_path} {
 @{exec_path} mr,
- @{user_cache_dirs}/kcrash-metadata/ r,
+ @{user_cache_dirs}/kcrash-metadata/ r,
+ owner @{user_cache_dirs}/kcrash-metadata/plasmashell.*.ini w,
 include if exists
 }
\ No newline at end of file
diff --git a/apparmor.d/groups/kde/drkonqi-coredump-processor b/apparmor.d/groups/kde/drkonqi-coredump-processor
index 17ae76f4..4b1841b1 100644
--- a/apparmor.d/groups/kde/drkonqi-coredump-processor
+++ b/apparmor.d/groups/kde/drkonqi-coredump-processor
@@ -20,10 +20,7 @@ profile drkonqi-coredump-processor @{exec_path} {
 /{run,var}/log/journal/ r,
 /{run,var}/log/journal/@{hex32}/ r,
- /{run,var}/log/journal/@{hex32}/system.journal r,
- /{run,var}/log/journal/@{hex32}/system@@{hex}.journal r,
- /{run,var}/log/journal/@{hex32}/user-@{uid}.journal r,
- /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex}.journal r,
+ /{run,var}/log/journal/@{hex32}/*@{hex}.journal* r,
 include if exists
 }
\ No newline at end of file
diff --git a/apparmor.d/groups/kde/kaccess b/apparmor.d/groups/kde/kaccess
index 02a095c8..53bc4cd6 100644
--- a/apparmor.d/groups/kde/kaccess
+++ b/apparmor.d/groups/kde/kaccess
@@ -21,6 +21,7 @@ profile kaccess @{exec_path} {
 owner @{user_cache_dirs}/icon-cache.kcache rw,
+ owner @{user_config_dirs}/breezerc r,
 owner @{user_config_dirs}/kaccessrc r,
 owner @{user_share_dirs}/mime/generic-icons r,
diff --git a/apparmor.d/groups/kde/kactivitymanagerd b/apparmor.d/groups/kde/kactivitymanagerd
index 7516555b..23ae41a5 100644
--- a/apparmor.d/groups/kde/kactivitymanagerd
+++ b/apparmor.d/groups/kde/kactivitymanagerd
@@ -10,10 +10,12 @@ include
 @{exec_path} += @{lib}/@{multiarch}/{,libexec/}kactivitymanagerd
 profile kactivitymanagerd @{exec_path} {
 include
+ include
 include
 include
 include
 include
+ include
 include
 @{exec_path} mr,
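Review bot: The replacement glob `/{run,var}/log/journal/@{hex32}/*@{hex}.journal* r,` only covers the two removed un-suffixed rules (`system.journal`, `user-@{uid}.journal`) if `@{hex}` is defined so that it can match the empty string; the tunable's definition is not in this diff, so that should be confirmed before the explicit rules are dropped. The leading `*` also admits any basename prefix, not just `system` and `user-<uid>`, and the trailing `*` any suffix after `.journal`, so the rule is wider than the four it replaces. A form such as `/{run,var}/log/journal/@{hex32}/{system,user-@{uid}}{,@@{hex}}.journal r,` keeps the consolidation while preserving the original scope regardless of how `@{hex}` is defined.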
@@ -30,15 +32,26 @@ profile kactivitymanagerd @{exec_path} {
 owner @{user_cache_dirs}/ksycoca{5,6}_* r,
 owner @{user_config_dirs}/#@{int} rw,
+ owner @{user_config_dirs}/baloofilerc r,
+ owner @{user_config_dirs}/breezerc r,
+ owner @{user_config_dirs}/dolphinrc r,
 owner @{user_config_dirs}/kactivitymanagerdrc.lock rwk,
 owner @{user_config_dirs}/kactivitymanagerdrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
+ owner @{user_config_dirs}/libreoffice/**.xcu r,
 owner @{user_config_dirs}/menus/{,**} r,
+ owner @{user_config_dirs}/trashrc r,
 owner @{user_share_dirs}/kactivitymanagerd/{,**} rwlk,
 owner @{user_share_dirs}/kservices{5,6}/{,**} r,
 owner @{user_share_dirs}/recently-used.xbel r,
+ owner @{user_share_dirs}/user-places.xbel r,
- @{PROC}/sys/kernel/core_pattern r,
+ owner @{run}/user/@{uid}/#@{int} rw,
+ owner @{run}/user/@{uid}/*@{rand6}.*.socket rwl -> @{run}/user/@{uid}/#@{int},
+
+ @{PROC}/sys/kernel/core_pattern r,
+ owner @{PROC}/@{pid}/mountinfo r,
+ owner @{PROC}/@{pid}/mounts r,
 /dev/tty r,
diff --git a/apparmor.d/groups/kde/kde-powerdevil b/apparmor.d/groups/kde/kde-powerdevil
index faf9146a..35d5e2cd 100644
--- a/apparmor.d/groups/kde/kde-powerdevil
+++ b/apparmor.d/groups/kde/kde-powerdevil
@@ -39,6 +39,7 @@ profile kde-powerdevil @{exec_path} flags=(attach_disconnected mediate_deleted)
 owner @{user_cache_dirs}/kcrash-metadata/{,*} rw,
 owner @{user_config_dirs}/#@{int} rw,
+ owner @{user_config_dirs}/ksmserverrc r,
 owner @{user_config_dirs}/powerdevilrc.lock rwk,
 owner @{user_config_dirs}/powerdevilrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
 owner @{user_config_dirs}/powermanagementprofilesrc.lock rwk,
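Review bot: `owner @{run}/user/@{uid}/*@{rand6}.*.socket rwl -> @{run}/user/@{uid}/#@{int},` matches every socket in the user's runtime directory whose name ends in a random suffix, not only the one this daemon creates, which blurs which profile owns which socket across the profile set. The xdg-desktop-portal-kde hunk earlier in this diff pins the equivalent pattern with the program name (`xdg-desktop-portal-kde@{rand6}.*.socket`); if the name observed here follows the same convention, `owner @{run}/user/@{uid}/kactivitymanagerd@{rand6}.*.socket rwl -> @{run}/user/@{uid}/#@{int},` would be the matching rule. The enclosing profile continues outside the hunk.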
@@ -55,20 +56,26 @@ profile kde-powerdevil @{exec_path} flags=(attach_disconnected mediate_deleted)
 @{sys}/class/i2c-dev/ r,
 @{sys}/class/usbmisc/ r,
 @{sys}/devices/ r,
+ @{sys}/devices/@{pci}/card@{int}/*/dpms r,
+ @{sys}/devices/@{pci}/drm/card@{int}/**/dev r,
+ @{sys}/devices/@{pci}/drm/card@{int}/*/dpms r,
 @{sys}/devices/@{pci}/drm/card@{int}/*/edid r,
 @{sys}/devices/@{pci}/drm/card@{int}/*/enabled r,
 @{sys}/devices/@{pci}/drm/card@{int}/*/status r,
+ @{sys}/devices/@{pci}/drm/i2c-@{int}/**/dev r,
 @{sys}/devices/@{pci}/i2c-@{int}/name r,
 @{sys}/devices/**/ r,
 @{sys}/devices/i2c-@{int}/name r,
+ @{sys}/devices/platform/**/i2c-@{int}/**/name r,
 @{sys}/devices/platform/*/i2c-@{int}/name r,
 @{PROC}/@{pid}/fd/ r,
 @{PROC}/@{pid}/mounts r,
 @{PROC}/sys/kernel/core_pattern r,
- /dev/tty rw,
+ /dev/i2c-@{int} rwk,
 /dev/rfkill r,
+ /dev/tty rw,
 include if exists
 }
diff --git a/apparmor.d/groups/kde/kded b/apparmor.d/groups/kde/kded
index 204c9499..76330e00 100644
--- a/apparmor.d/groups/kde/kded
+++ b/apparmor.d/groups/kde/kded
@@ -66,12 +66,14 @@ profile kded @{exec_path} {
 @{bin}/python3.@{int} rix,
 @{bin}/setxkbmap rix,
 @{bin}/xrdb rPx,
+ @{bin}/xsetroot rPx,
 @{bin}/xsettingsd rPx,
 @{lib}/drkonqi rPx,
 #aa:exec utempter
 #aa:exec kconf_update
+ /usr/share/color-schemes/{,**} r,
 /usr/share/kconf_update/ r,
 /usr/share/kded{5,6}/{,**} r,
 /usr/share/kf{5,6}/kcookiejar/* r,
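Review bot: `/dev/i2c-@{int} rwk,` grants read, write and lock on every I2C bus character device, which reaches any peripheral attached to those buses, not only display controllers; the sysfs rules added in the same hunk (`drm/card@{int}/**/dev`, `drm/i2c-@{int}/**/dev`) suggest the purpose is display control over the DRM I2C adapters, but the rule itself records no reason. A trailing comment in the style this profile set already uses for udev rules, e.g. `/dev/i2c-@{int} rwk, # display control via drm i2c adapters — TODO(review) confirm`, would document the intent for the next reviewer. The profile's closing brace is inside the hunk, so this is the last access rule of the block.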
@@ -103,18 +105,23 @@ profile kded @{exec_path} {
 owner @{user_config_dirs}/#@{int} rw,
 owner @{user_config_dirs}/bluedevilglobalrc.lock rwk,
 owner @{user_config_dirs}/bluedevilglobalrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
+ owner @{user_config_dirs}/breezerc r,
 owner @{user_config_dirs}/gtk-{3,4}.0/{,**} rwl,
 owner @{user_config_dirs}/gtk-{3,4}.0/settings.ini.lock rk,
+ owner @{user_config_dirs}/gtkrc{,*} rwlk,
 owner @{user_config_dirs}/kcminputrc r,
 owner @{user_config_dirs}/kconf_updaterc rw,
 owner @{user_config_dirs}/kconf_updaterc.lock rwk,
 owner @{user_config_dirs}/kdebugrc r,
 owner @{user_config_dirs}/kded{5,6}rc.lock rwk,
- owner @{user_config_dirs}/kded{5,6}rc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
+ owner @{user_config_dirs}/kded{5,6}rc{,.@{rand6}} rwl,
 owner @{user_config_dirs}/kdedefaults/{,**} r,
+ owner @{user_config_dirs}/kdeglobals.lock rwk,
+ owner @{user_config_dirs}/kdeglobals{,.@{rand6}} rwl,
 owner @{user_config_dirs}/khotkeysrc.lock rwk,
 owner @{user_config_dirs}/khotkeysrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
 owner @{user_config_dirs}/kioslaverc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
+ owner @{user_config_dirs}/ksmserverrc r,
 owner @{user_config_dirs}/ktimezonedrc.lock rwk,
 owner @{user_config_dirs}/ktimezonedrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
 owner @{user_config_dirs}/kwalletrc r,
@@ -128,6 +135,8 @@ profile kded @{exec_path} {
 owner @{user_config_dirs}/plasma-nm r,
 owner @{user_config_dirs}/plasma-welcomerc r,
 owner @{user_config_dirs}/touchpadrc r,
+ owner @{user_config_dirs}/Trolltech.conf.lock rwk,
+ owner @{user_config_dirs}/Trolltech.conf{,.@{rand6}} rwl,
 owner @{user_config_dirs}/xsettingsd/{,**} rw,
 @{user_share_dirs}/kcookiejar/cookies{,.@{rand6}} rwkl -> @{user_share_dirs}/kcookiejar/#@{int},
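Review bot: `owner @{user_config_dirs}/kded{5,6}rc{,.@{rand6}} rwl,` drops the `-> @{user_config_dirs}/#@{int}` link target that the removed line carried, and the new `kdeglobals{,.@{rand6}} rwl` and `Trolltech.conf{,.@{rand6}} rwl` rules (second hunk) are written the same way, while the neighbouring khotkeysrc, kioslaverc and ktimezonedrc rules keep the explicit target. Without a target the link may point at any path that passes AppArmor's link subset test rather than only at the `#@{int}` temporary file, so the three rules are both less precise and inconsistent with their siblings. Unless the untargeted form is intentional, `owner @{user_config_dirs}/kded{5,6}rc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},` and the same suffix on the two new rules would restore the convention. The enclosing profile continues outside both hunks.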
@@ -147,6 +156,8 @@ profile kded @{exec_path} { owner @{run}/user/@{uid}/#@{int} rw, owner @{run}/user/@{uid}/kded{5,6}*kioworker.socket rwl, + owner /tmp/#@{int} rw, + owner /tmp/kded6.@{rand6} rwl -> /tmp/#@{int}, owner /tmp/plasma-csd-generator.@{rand6}/{,**} rw, @{PROC}/ r, diff --git a/apparmor.d/groups/kde/kioworker b/apparmor.d/groups/kde/kioworker index f78f33cb..4df7beae 100644 --- a/apparmor.d/groups/kde/kioworker +++ b/apparmor.d/groups/kde/kioworker @@ -11,6 +11,7 @@ include profile kioworker @{exec_path} { include include + include include include include @@ -35,6 +36,8 @@ profile kioworker @{exec_path} { @{lib}/libheif/ r, @{lib}/libheif/*.so* rm, + @{bin}/wrestool rPUx, + #aa:exec kio_http_cache_cleaner /usr/share/kio_desktop/directory.desktop r, diff --git a/apparmor.d/groups/kde/konsole b/apparmor.d/groups/kde/konsole index f3294a17..b3c2853f 100644 --- a/apparmor.d/groups/kde/konsole +++ b/apparmor.d/groups/kde/konsole 
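Review bot: `owner /tmp/kded6.@{rand6} rwl -> /tmp/#@{int},` hard-codes the Plasma 6 name while the socket rule two lines above (`kded{5,6}*kioworker.socket`) and the xrdb hunk in this same diff (`/tmp/kded{5,6}.@{rand6}`) use the `{5,6}` alternation, so a Plasma 5 kded writing the same temp file would still be denied. `owner /tmp/kded{5,6}.@{rand6} rwl -> /tmp/#@{int},` matches the convention used everywhere else in the file. The enclosing profile continues outside the hunk.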
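Review bot: `@{bin}/wrestool rPUx,` in the second kioworker hunk falls back to running wrestool unconfined whenever no `wrestool` profile is loaded; wrestool (icoutils) parses resource sections out of Windows executables handed to it, presumably to extract icons, which is exactly the kind of parser that benefits from staying confined. If the repository ships a wrestool profile, `@{bin}/wrestool rPx,` makes the transition mandatory; if it does not, `@{bin}/wrestool rix,` keeps the helper inside kioworker's confinement until one exists. The enclosing profile continues outside the hunk.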
@@ -36,29 +36,34 @@ profile konsole @{exec_path} flags=(attach_disconnected,mediate_deleted) { /usr/share/sounds/** r, /etc/xdg/konsolerc r, + /etc/xdg/menus/{,**} r, /etc/xdg/ui/ui_standards.rc r, owner @{HOME}/@{XDG_SSH_DIR}/config r, owner @{user_config_dirs}/#@{int} rwl, - owner @{user_config_dirs}/konsolerc rwl -> @{user_config_dirs}/#@{int}, - owner @{user_config_dirs}/konsolerc.@{rand6} rwl -> @{user_config_dirs}/#@{int}, - owner @{user_config_dirs}/konsolerc.lock rwk, + owner @{user_cache_dirs}/ksycoca{5,6}_* r, + + owner @{user_config_dirs}/breezerc r, + owner @{user_config_dirs}/konsolerc{,*} rwlk, owner @{user_config_dirs}/konsolesshconfig rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/konsolesshconfig.@{rand6} rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/konsolesshconfig.lock rwk, + owner @{user_config_dirs}/menus/{,**} r, owner @{user_cache_dirs}/icon-cache.kcache rw, + owner @{user_share_dirs}/color-schemes/{,**} r, owner @{user_share_dirs}/konsole/ rw, owner @{user_share_dirs}/konsole/** rwlk, + owner @{user_share_dirs}/kxmlgui5/konsole/{,**} r, owner /tmp/#@{int} rw, owner /tmp/konsole.@{rand6} rw, - @{PROC}/sys/kernel/core_pattern r, - owner @{PROC}/@{pid}/cmdline r, - owner @{PROC}/@{pid}/stat r, + @{PROC}/sys/kernel/core_pattern r, + @{PROC}/@{pid}/cmdline r, + @{PROC}/@{pid}/stat r, /dev/ptmx rw, diff --git a/apparmor.d/groups/kde/kscreenlocker_greet b/apparmor.d/groups/kde/kscreenlocker_greet index 58a81659..ece0f142 100644 --- a/apparmor.d/groups/kde/kscreenlocker_greet +++ b/apparmor.d/groups/kde/kscreenlocker_greet @@ -64,6 +64,8 @@ profile kscreenlocker_greet @{exec_path} { /etc/xdg/kscreenlockerrc r, /etc/xdg/plasmarc r, + /var/lib/AccountsService/icons/* r, + /var/lib/dbus/machine-id r, owner @{HOME}/.face.icon r, 
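Review bot: The rewritten lines `@{PROC}/@{pid}/cmdline r,` and `@{PROC}/@{pid}/stat r,` drop the `owner` qualifier that the removed lines carried, so konsole may now read the command line and status of any process on the system rather than only the invoking user's. If the motivation is displaying information about processes of another user running inside the terminal (for example after a privilege change in the shell), a comment saying so would record the reason; otherwise `owner @{PROC}/@{pid}/cmdline r,` and `owner @{PROC}/@{pid}/stat r,` preserve the previous scope. The enclosing profile continues outside the hunk.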
@@ -73,7 +75,7 @@ profile kscreenlocker_greet @{exec_path} {
 owner @{user_cache_dirs}/ rw,
 owner @{user_cache_dirs}/icon-cache.kcache rw,
 owner @{user_cache_dirs}/kscreenlocker_greet/ w,
- owner @{user_cache_dirs}/kscreenlocker_greet/** rwl,
+ owner @{user_cache_dirs}/kscreenlocker_greet/** rwlk,
 owner @{user_cache_dirs}/ksvg-elements r,
 owner @{user_cache_dirs}/plasma_theme_*.kcache rw,
 owner @{user_cache_dirs}/plasma-svgelements rw,
diff --git a/apparmor.d/groups/kde/ksmserver b/apparmor.d/groups/kde/ksmserver
index 374eacaa..4ae409ec 100644
--- a/apparmor.d/groups/kde/ksmserver
+++ b/apparmor.d/groups/kde/ksmserver
@@ -9,8 +9,9 @@ include
 @{exec_path} = @{bin}/ksmserver
 profile ksmserver @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 include
- include
 include
+ include
+ include
 include
 include
 include
diff --git a/apparmor.d/groups/kde/ksplashqml b/apparmor.d/groups/kde/ksplashqml
index ebf98abb..59d90b35 100644
--- a/apparmor.d/groups/kde/ksplashqml
+++ b/apparmor.d/groups/kde/ksplashqml
@@ -29,6 +29,8 @@ profile ksplashqml @{exec_path} {
 owner @{user_config_dirs}/kdedefaults/ksplashrc r,
 owner @{user_config_dirs}/kdedefaults/plasmarc r,
+ owner @{user_config_dirs}/ksplashrc r,
+ owner @{user_config_dirs}/plasmarc r,
 @{PROC}/sys/kernel/core_pattern r,
diff --git a/apparmor.d/groups/kde/kwalletd b/apparmor.d/groups/kde/kwalletd
index bc552a13..2b1b7f11 100644
--- a/apparmor.d/groups/kde/kwalletd
+++ b/apparmor.d/groups/kde/kwalletd
@@ -36,6 +36,7 @@ profile kwalletd @{exec_path} {
 owner @{user_cache_dirs}/icon-cache.kcache rw,
 owner @{user_config_dirs}/#@{int} rw,
+ owner @{user_config_dirs}/breezerc r,
 owner @{user_config_dirs}/kwalletrc r,
 owner @{user_config_dirs}/kwalletrc rwl -> @{user_config_dirs}/#@{int},
 owner @{user_config_dirs}/kwalletrc.lock rwk,
diff --git a/apparmor.d/groups/kde/kwin_wayland b/apparmor.d/groups/kde/kwin_wayland
index 80fbaa96..c730307b 100644
--- a/apparmor.d/groups/kde/kwin_wayland
+++ b/apparmor.d/groups/kde/kwin_wayland
@@ -17,6 +17,7 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) {
 include
 capability sys_nice,
+ capability sys_ptrace,
 ptrace (read),
@@ -68,6 +69,7 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) {
 owner @{user_cache_dirs}/ r,
 owner @{user_cache_dirs}/#@{int} rw,
+ owner @{user_cache_dirs}/ksvg-elements r,
 owner @{user_cache_dirs}/icon-cache.kcache rw,
 owner @{user_cache_dirs}/ksycoca{5,6}_* r,
 owner @{user_cache_dirs}/ksycoca{5,6}_* rwkl -> @{user_cache_dirs}/#@{int},
@@ -79,10 +81,12 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) {
 owner @{user_cache_dirs}/plasma-svgelements.lock rwk,
 owner @{user_config_dirs}/#@{int} rwl,
+ owner @{user_config_dirs}/breezerc r,
 owner @{user_config_dirs}/kcminputrc r,
 owner @{user_config_dirs}/kdedefaults/* r,
 owner @{user_config_dirs}/kglobalshortcutsrc.lock rwk,
 owner @{user_config_dirs}/kglobalshortcutsrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
+ owner @{user_config_dirs}/klaunchrc r,
 owner @{user_config_dirs}/kscreenlockerrc r,
 owner @{user_config_dirs}/kwinoutputconfig.json rw,
 owner @{user_config_dirs}/kwinrc.lock rwk,
@@ -90,6 +94,7 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) {
 owner @{user_config_dirs}/kwinrulesrc r,
 owner @{user_config_dirs}/kxkbrc r,
 owner @{user_config_dirs}/menus/{,applications-merged/} r,
+ owner @{user_config_dirs}/plasmarc r,
 owner @{user_config_dirs}/session/* r,
 owner @{user_share_dirs}/kscreen/* r,
@@ -112,6 +117,7 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) {
 @{run}/udev/data/+sound:card@{int} r, # for sound card
 @{run}/udev/data/+usb:* r,
+ @{run}/udev/data/c10:@{int} r, # for non-serial mice, misc features
 @{run}/udev/data/c13:@{int} r, # for /dev/input/*
 @{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/**
 @{run}/udev/data/c226:@{int} r, # for /dev/dri/card*
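Review bot: `capability sys_ptrace,` is added next to the existing unqualified `ptrace (read),`, and together they let kwin_wayland read the protected /proc state (environment, mappings, fd targets) of every process on the system regardless of owner, a large widening for a compositor. Nothing in the hunk records which feature needs it; at minimum a comment such as `capability sys_ptrace, # TODO(review): which client lookup needs this?` and, once the peers are known, a `peer=` qualifier on the ptrace rule would keep the grant auditable. The same pair appears in the plasmashell hunks later in this diff. The enclosing profile continues outside the hunk.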
diff --git a/apparmor.d/groups/kde/plasmashell b/apparmor.d/groups/kde/plasmashell
index 9f54ff8b..f50ced75 100644
--- a/apparmor.d/groups/kde/plasmashell
+++ b/apparmor.d/groups/kde/plasmashell
@@ -29,6 +29,8 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
 # userns,
+ capability sys_ptrace,
+
 network inet dgram,
 network inet6 dgram,
 network inet stream,
@@ -36,13 +38,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
 network netlink dgram,
 network netlink raw,
- ptrace (read) peer=akonadi*,
- ptrace (read) peer=kalendarac,
- ptrace (read) peer=kded,
- ptrace (read) peer=ksmserver-logout-greeter,
- ptrace (read) peer=kwin_x11,
- ptrace (read) peer=libreoffice*,
- ptrace (read) peer=pinentry-qt,
+ ptrace (read),
 signal (send),
@@ -58,21 +54,20 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
 #aa:exec kioworker
- /usr/share/akonadi/firstrun/{,*} r,
- /usr/share/akonadi/plugins/serializer/{,*.desktop} r,
+ /usr/share/akonadi/{,**} r,
 /usr/share/desktop-base/{,**} r,
 /usr/share/desktop-directories/kf5-*.directory r,
- /usr/share/kf6/{,**} r,
+ /usr/share/kf{5,6}/{,**} r,
 /usr/share/kio/servicemenus/{,*.desktop} r,
 /usr/share/knotifications{5,6}/*.notifyrc r,
- /usr/share/konsole/ r,
 /usr/share/krunner/{,**} r,
 /usr/share/kservices{5,6}/{,**} r,
- /usr/share/kservicetypes5/{,**} r,
+ /usr/share/kservicetypes{5,6}/{,**} r,
 /usr/share/lshw/artwork/logo.svg r,
 /usr/share/metainfo/{,**} r,
 /usr/share/plasma/{,**} r,
+ /usr/share/plasma5support/** r,
 /usr/share/solid/actions/{,**} r,
 /usr/share/swcatalog/{,**} r,
 /usr/share/templates/{,*.desktop} r,
@@ -87,8 +82,11 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
 /etc/sensors.d/ r,
 /etc/xdg/** r,
+ /var/lib/AccountsService/icons/* r,
+
 @{HOME}/ r,
 owner @{HOME}/@{XDG_DESKTOP_DIR}/*.desktop r,
+ owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r,
 owner @{user_pictures_dirs}/{,**} r,
 owner @{user_templates_dirs}/ r,
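Review bot: `capability sys_ptrace,` in the first plasmashell hunk, combined with the second hunk's replacement of seven `ptrace (read) peer=…` rules by an unqualified `ptrace (read),`, turns a deliberately enumerated peer list into read access to the protected /proc state of every process for the desktop shell. Dropping the enumeration also loses the record of which components plasmashell actually inspects, which the peer list was providing; if new peers showed up in denials, appending them to the list keeps the profile descriptive and the capability scoped to the processes that need it. At minimum a comment above `ptrace (read),` explaining why enumeration was abandoned would help the next reviewer. Both hunks' enclosing profile continues outside the diff.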
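Review bot: `/usr/share/plasma5support/** r,` in the third plasmashell hunk uses the bare `**` form while every sibling in the block, including `/usr/share/akonadi/{,**} r,` and `/usr/share/kf{5,6}/{,**} r,` rewritten in the same hunk, uses `{,**}`, so opening or listing the `/usr/share/plasma5support/` directory itself is not covered. `/usr/share/plasma5support/{,**} r,` matches the convention and avoids a later denial on the directory open. The enclosing profile continues outside the hunk.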
@@ -121,8 +119,10 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
 owner @{user_config_dirs}/#@{int} rwk,
 owner @{user_config_dirs}/akonadi* r,
 owner @{user_config_dirs}/akonadi/akonadi*rc r,
+ owner @{user_config_dirs}/arkrc r,
 owner @{user_config_dirs}/baloofileinformationrc r,
 owner @{user_config_dirs}/baloofilerc r,
+ owner @{user_config_dirs}/breezerc r,
 owner @{user_config_dirs}/dolphinrc r,
 owner @{user_config_dirs}/eventviewsrc r,
 owner @{user_config_dirs}/kactivitymanagerd* rwkl -> @{user_config_dirs}/#@{int},
@@ -130,6 +130,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
 owner @{user_config_dirs}/kdedefaults/plasmarc r,
 owner @{user_config_dirs}/kdiff3fileitemactionrc r,
 owner @{user_config_dirs}/kioslaverc r,
+ owner @{user_config_dirs}/klaunchrc r,
 owner @{user_config_dirs}/klipperrc r,
 owner @{user_config_dirs}/kmail2.notifyrc r,
 owner @{user_config_dirs}/korganizerrc r,
@@ -156,12 +157,12 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
 owner @{user_share_dirs}/krunnerstaterc.lock rwk,
 owner @{user_share_dirs}/kservices{5,6}/{,**} r,
 owner @{user_share_dirs}/ktp/cache.db rwk,
- owner @{user_share_dirs}/plasma_icons/*.desktop r,
- owner @{user_share_dirs}/plasma/plasmoids/{,**} r,
- owner @{user_share_dirs}/plasmashell/** rwkl -> @{user_share_dirs}/plasmashell/**,
- owner @{user_share_dirs}/user-places.xbel{,*} rwl,
 owner @{user_share_dirs}/libkunitconversion/ rw,
 owner @{user_share_dirs}/libkunitconversion/** rwlk,
+ owner @{user_share_dirs}/plasma_icons/*.desktop r,
+ owner @{user_share_dirs}/plasma/{,**} r,
+ owner @{user_share_dirs}/plasmashell/** rwkl -> @{user_share_dirs}/plasmashell/**,
+ owner @{user_share_dirs}/user-places.xbel{,*} rwl,
 /tmp/.mount_nextcl@{rand6}/{,*} r,
 owner /tmp/#@{int} rw,
diff --git a/apparmor.d/groups/kde/sddm-greeter b/apparmor.d/groups/kde/sddm-greeter
index 682f1ab9..9a53cad7 100644
--- a/apparmor.d/groups/kde/sddm-greeter
+++ b/apparmor.d/groups/kde/sddm-greeter
@@ -41,7 +41,7 @@ profile sddm-greeter @{exec_path} {
 /etc/sddm.conf r,
 /etc/sddm.conf.d/{,*} r,
 /etc/xdg/plasmarc r,
- /var/lib/AccountsService/icons/*.icon r,
+ /var/lib/AccountsService/icons/* r,
 /var/lib/dbus/machine-id r,
 @{SDDM_HOME}/state.conf r,
diff --git a/apparmor.d/groups/kde/startplasma b/apparmor.d/groups/kde/startplasma
index a48227ff..6a95d46c 100644
--- a/apparmor.d/groups/kde/startplasma
+++ b/apparmor.d/groups/kde/startplasma
@@ -9,6 +9,7 @@ include
 @{exec_path} = @{bin}/startplasma-wayland @{bin}/startplasma-x11
 profile startplasma @{exec_path} {
 include
+ include
 include
 signal (receive) set=(hup) peer=@{p_systemd},
@@ -43,8 +44,7 @@ profile startplasma @{exec_path} {
 owner @{user_cache_dirs}/plasma-svgelements rw,
 owner @{user_config_dirs}/#@{int} rw,
- owner @{user_config_dirs}/gtkrc rl,
- owner @{user_config_dirs}/gtkrc-2.0 rl,
+ owner @{user_config_dirs}/gtkrc{,*} rwlk,
 owner @{user_config_dirs}/kcminputrc r,
 owner @{user_config_dirs}/kdedefaults/ rw,
 owner @{user_config_dirs}/kdedefaults/** rwkl -> @{user_config_dirs}/kdedefaults/**,
@@ -57,8 +57,8 @@ profile startplasma @{exec_path} {
 owner @{user_config_dirs}/plasma-localerc.lock rwk,
 owner @{user_config_dirs}/plasma-workspace/env/ r,
 owner @{user_config_dirs}/startkderc r,
- owner @{user_config_dirs}/Trolltech.conf rwl,
 owner @{user_config_dirs}/Trolltech.conf.lock rwk,
+ owner @{user_config_dirs}/Trolltech.conf{,.@{rand6}} rwl,
 owner @{user_share_dirs}/kservices{5,6}/{,**} r,
 owner @{user_share_dirs}/sddm/wayland-session.log rw,
diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind
index e6876821..e71744bb 100644
--- a/apparmor.d/groups/systemd/systemd-logind
+++ b/apparmor.d/groups/systemd/systemd-logind
@@ -73,6 +73,7 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) {
 @{run}/udev/static_node-tags/uaccess/ r,
 @{run}/udev/data/+backlight:* r,
+ @{run}/udev/data/+drivers:* r,
 @{run}/udev/data/+drm:card@{int}-* r, # For screen outputs
 @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad
 @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.)
diff --git a/apparmor.d/profiles-s-z/sudo b/apparmor.d/profiles-s-z/sudo
index 8331f107..4d92f30b 100644
--- a/apparmor.d/profiles-s-z/sudo
+++ b/apparmor.d/profiles-s-z/sudo
@@ -24,8 +24,7 @@ profile sudo @{exec_path} flags=(attach_disconnected) {
 signal (send,receive) peer=cockpit-bridge,
 signal (send) peer=@{p_systemd},
- signal (send) set=(cont,hup) peer=su,
- # signal (send) set=(winch),
+ signal (send) set=(cont,hup,winch) peer=su,
 signal (send) set=(winch) peer=child-pager,
 signal (send) set=(winch) peer=journalctl,
diff --git a/apparmor.d/profiles-s-z/syncthing b/apparmor.d/profiles-s-z/syncthing
index fb8b3a84..cd665a11 100644
--- a/apparmor.d/profiles-s-z/syncthing
+++ b/apparmor.d/profiles-s-z/syncthing
@@ -31,6 +31,7 @@ profile syncthing @{exec_path} {
 owner @{HOME}/ r,
 owner @{HOME}/@{XDG_DATA_DIR}/syncthing/{,**} rwk,
 owner @{user_config_dirs}/syncthing/{,**} rwk,
+ owner @{user_state_dirs}/syncthing/{,**} rwk,
 /home/ r,
 @{user_sync_dirs}/{,**} rw,