feat(profile): improve kde integration

See #208
roddhjav · Oct 9, 2023 · f5e3c86 · f5e3c86
1 parent 1cfe802
commit f5e3c86
Show file tree

Hide file tree

Showing 7 changed files with 17 additions and 6 deletions.
diff --git a/apparmor.d/groups/browsers/firefox-vaapitest b/apparmor.d/groups/browsers/firefox-vaapitest
@@ -25,13 +25,14 @@ profile firefox-vaapitest @{exec_path} {
   /etc/igfx_user_feature{,_next}.txt w,
   /etc/libva.conf r,
 
-  deny owner @{config_dirs}/firefox/*/.parentlock rw,
-  deny owner @{config_dirs}/firefox/*/startupCache/** r,
-  deny owner @{user_cache_dirs}/mozilla/firefox/*/startupCache/* r,
-
   owner /tmp/firefox/.parentlock rw,
 
-  @{sys}/devices/pci[0-9]*/**/{irq,revision,resource} r,
+  @{sys}/devices/@{pci}/{irq,revision,resource} r,
+  @{sys}/devices/@{pci}/config r,
+
+  deny @{config_dirs}/firefox/*/.parentlock rw,
+  deny @{config_dirs}/firefox/*/startupCache/** r,
+  deny @{user_cache_dirs}/mozilla/firefox/*/startupCache/* r,
 
   include if exists <local/firefox-vaapitest>
 }
diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal
@@ -123,10 +123,13 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
   /usr/share/xdg-desktop-portal/** r,
 
   /etc/pipewire/client.conf.d/ r,
+  /etc/sysconfig/proxy r,
 
   /var/lib/flatpak/exports/share/mime/mime.cache r,
   /var/lib/flatpak/exports/share/applications/{**,} r,
 
+  @{user_config_dirs}/kioslaverc r,
+
   owner /tmp/icon* rw,
 
   owner @{run}/user/@{uid}/.flatpak/{,*/*} r,

diff --git a/apparmor.d/groups/kde/kwalletd5 b/apparmor.d/groups/kde/kwalletd5
@@ -12,6 +12,7 @@ profile kwalletd5 @{exec_path} {
   include <abstractions/base>
   include <abstractions/audio>
   include <abstractions/consoles>
+  include <abstractions/dri-common>
   include <abstractions/dri-enumerate>
   include <abstractions/fontconfig-cache-read>
   include <abstractions/fonts>

diff --git a/apparmor.d/groups/kde/plasmashell b/apparmor.d/groups/kde/plasmashell
@@ -92,6 +92,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
   /etc/sensors.d/ r,
   /etc/xdg/** r,
 
+        @{HOME}/ r,
   owner @{HOME}/@{XDG_DESKTOP_DIR}/*.desktop r,
 
   owner @{user_templates_dirs}/ r,

diff --git a/apparmor.d/groups/network/nm-dispatcher b/apparmor.d/groups/network/nm-dispatcher
@@ -18,6 +18,8 @@ profile nm-dispatcher @{exec_path} flags=(attach_disconnected) {
   capability sys_nice,
   capability sys_ptrace,
 
+  ptrace (read) peer=unconfined,
+
   dbus send bus=system path=/org/freedesktop/DBus
        interface=org.freedesktop.DBus
        member={RequestName,ReleaseName},

diff --git a/apparmor.d/profiles-s-z/start-pulseaudio-x11 b/apparmor.d/profiles-s-z/start-pulseaudio-x11
@@ -18,6 +18,8 @@ profile start-pulseaudio-x11 @{exec_path} {
   @{bin}/plasmashell rPx,
   @{bin}/sed         rix,
 
+  /etc/sysconfig/sound r,
+
   /dev/tty rw,
 
   include if exists <local/start-pulseaudio-x11>

diff --git a/apparmor.d/profiles-s-z/thunderbird-vaapitest b/apparmor.d/profiles-s-z/thunderbird-vaapitest
@@ -28,7 +28,8 @@ profile thunderbird-vaapitest @{exec_path} {
 
   owner /tmp/thunderbird/.parentlock rw,
 
-  @{sys}/devices/@{pci}/{irq,resource,revision} r,
+  @{sys}/devices/@{pci}/{irq,revision,resource} r,
+  @{sys}/devices/@{pci}/config r,
 
   deny @{cache_dirs}/*/startupCache/** r,
   deny @{config_dirs}/*/.parentlock rw,