Add profile for Plank and kstart. Some KDE and containerd updates. #190

Merged: 4 commits, Nov 29, 2023

Conversation

Jeroen0494
Contributor

This will basically push all of the AVC messages generated by kglobalaccel5 to the kstart profile for now, but the AVC messages should be easier to read.

I'm currently unable to write more detailed AppArmor profiles due to some illness in my family, so you'll have to provide the following fixes yourself:

ALLOWED kstart open /usr/share/hwdata/pnp.ids comm=kstart5 requested_mask=r denied_mask=r class=file
ALLOWED kstart open /home/jeroen/.config/kdedefaults/kdeglobals comm=kstart5 requested_mask=r denied_mask=r class=file
ALLOWED kstart open /home/jeroen/.config/kdeglobals comm=kstart5 requested_mask=r denied_mask=r class=file
ALLOWED kstart file_receive /dev/dri/card0 comm=QXcbEventQueue requested_mask=wr denied_mask=wr class=file
ALLOWED kstart open /usr/share/drirc.d/ comm=kstart5 requested_mask=r denied_mask=r class=file
ALLOWED kstart open /usr/share/drirc.d/00-amber-defaults.conf comm=kstart5 requested_mask=r denied_mask=r class=file
ALLOWED kstart open /usr/share/drirc.d/00-mesa-defaults.conf comm=kstart5 requested_mask=r denied_mask=r class=file
ALLOWED kstart open /usr/share/drirc.d/00-radv-defaults.conf comm=kstart5 requested_mask=r denied_mask=r class=file
ALLOWED kstart open /etc/drirc comm=kstart5 requested_mask=r denied_mask=r class=file
ALLOWED kstart open /dev/dri/ comm=kstart5 requested_mask=r denied_mask=r class=file
ALLOWED kstart open /sys/devices/pci0000:00/0000:00:02.0/uevent comm=kstart5 requested_mask=r denied_mask=r class=file
ALLOWED kstart open /sys/devices/pci0000:00/0000:00:02.0/vendor comm=kstart5 requested_mask=r denied_mask=r class=file
ALLOWED kstart open /sys/devices/pci0000:00/0000:00:02.0/device comm=kstart5 requested_mask=r denied_mask=r class=file
ALLOWED kstart open /sys/devices/pci0000:00/0000:00:02.0/subsystem_vendor comm=kstart5 requested_mask=r denied_mask=r class=file
ALLOWED kstart open /sys/devices/pci0000:00/0000:00:02.0/subsystem_device comm=kstart5 requested_mask=r denied_mask=r class=file
ALLOWED kstart open /sys/devices/pci0000:00/0000:00:02.0/revision comm=kstart5 requested_mask=r denied_mask=r class=file
ALLOWED kstart open /home/jeroen/.cache/mesa_shader_cache/index comm=kstart5 requested_mask=wrc denied_mask=wrc class=file
ALLOWED kstart open /proc/sys/dev/i915/perf_stream_paranoid comm=kstart5 requested_mask=r denied_mask=r class=file
ALLOWED kstart open /usr/share/qt5/translations/qt_en.qm comm=kstart5 requested_mask=r denied_mask=r class=file
ALLOWED kstart open /proc/sys/kernel/core_pattern comm=kstart5 requested_mask=r denied_mask=r class=file
ALLOWED kstart open /home/jeroen/.config/kdedefaults/kwinrc comm=kstart5 requested_mask=r denied_mask=r class=file
ALLOWED kstart open /home/jeroen/.config/kwinrc comm=kstart5 requested_mask=r denied_mask=r class=file
ALLOWED kstart open /dev/tty comm=kstart5 requested_mask=r denied_mask=r class=file
ALLOWED kstart open /home/jeroen/.cache/ksycoca5_en_gM6oOm2bgj9mYywnHo1C38VVdWk comm=kstart5 requested_mask=r denied_mask=r class=file
ALLOWED kstart open /etc/xdg/menus/ comm=kstart5 requested_mask=r denied_mask=r class=file
ALLOWED kstart open /etc/xdg/menus/applications-merged/ comm=kstart5 requested_mask=r denied_mask=r class=file
ALLOWED kstart open /home/jeroen/.config/menus/ comm=kstart5 requested_mask=r denied_mask=r class=file
ALLOWED kstart open /home/jeroen/.local/share/kservices5/ comm=kstart5 requested_mask=r denied_mask=r class=file
ALLOWED kstart open /home/jeroen/.local/share/kservices5/ServiceMenus/ comm=kstart5 requested_mask=r denied_mask=r class=file
ALLOWED kstart open /home/jeroen/.local/share/mime/ comm=kstart5 requested_mask=r denied_mask=r class=file
ALLOWED kstart open /home/jeroen/.local/share/mime/packages/ comm=kstart5 requested_mask=r denied_mask=r class=file
ALLOWED kstart open /home/jeroen/.local/share/mime/application/ comm=kstart5 requested_mask=r denied_mask=r class=file
ALLOWED kstart open /home/jeroen/.local/share/mime/video/ comm=kstart5 requested_mask=r denied_mask=r class=file
ALLOWED kstart open /usr/share/kservices5/ comm=kstart5 requested_mask=r denied_mask=r class=file
ALLOWED kstart open /usr/share/kservices5/qimageioplugins/ comm=kstart5 requested_mask=r denied_mask=r class=file
ALLOWED kstart open /usr/share/kservices5/searchproviders/ comm=kstart5 requested_mask=r denied_mask=r class=file
ALLOWED kstart open /usr/share/kservices5/ServiceMenus/ comm=kstart5 requested_mask=r denied_mask=r class=file
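In complain mode every one of these ALLOWED lines is an access the profile does not yet grant, which is exactly what enforce mode would block, so the reviewer's job is to fold them into the smallest set of rules that uses the profile set's variables (`@{HOME}`, `@{user_config_dirs}`, `@{sys}`, ...) rather than the literal `/home/jeroen/...` paths. The following is an added example of that folding step, written for this discussion; it is not apparmor.d code and not a replacement for its own tooling. It parses the aa-log style lines shown above (a constructed subset is embedded), rewrites paths to variables, merges masks per path, and flags writes outside the user's own files. The variable names it emits are assumed to be defined by the tunables in use, as they are in apparmor.d.

```python
"""Turn complain-mode AppArmor log lines into candidate file rules.

Added example for this PR discussion, not code from apparmor.d. The variables
@{HOME}, @{user_config_dirs}, @{user_cache_dirs}, @{user_share_dirs}, @{sys}
and @{PROC} are assumed to be defined by the profile set's tunables.
"""
import re
from collections import defaultdict

# Constructed sample: a subset of the kstart lines from the PR description.
SAMPLE_LOG = """\
ALLOWED kstart open /usr/share/hwdata/pnp.ids comm=kstart5 requested_mask=r denied_mask=r class=file
ALLOWED kstart open /home/jeroen/.config/kdeglobals comm=kstart5 requested_mask=r denied_mask=r class=file
ALLOWED kstart file_receive /dev/dri/card0 comm=QXcbEventQueue requested_mask=wr denied_mask=wr class=file
ALLOWED kstart open /sys/devices/pci0000:00/0000:00:02.0/uevent comm=kstart5 requested_mask=r denied_mask=r class=file
ALLOWED kstart open /home/jeroen/.cache/mesa_shader_cache/index comm=kstart5 requested_mask=wrc denied_mask=wrc class=file
ALLOWED kstart open /proc/sys/kernel/core_pattern comm=kstart5 requested_mask=r denied_mask=r class=file
ALLOWED kstart open /home/jeroen/.local/share/kservices5/ comm=kstart5 requested_mask=r denied_mask=r class=file
ALLOWED kstart open /home/jeroen/.cache/ksycoca5_en_gM6oOm2bgj9mYywnHo1C38VVdWk comm=kstart5 requested_mask=r denied_mask=r class=file
"""

LINE_RE = re.compile(
    r"^(?P<verdict>ALLOWED|DENIED|AUDIT)\s+(?P<profile>\S+)\s+(?P<op>\S+)\s+"
    r"(?P<path>/\S*)(?P<kv>(?:\s+\S+=\S+)*)\s*$"
)

# Most specific first; the first match wins. The pci rewrite is a deliberate
# simplification: real profiles usually pick the exact device class instead.
GENERALIZERS = [
    (re.compile(r"^/home/[^/]+/\.config/"), "owner @{user_config_dirs}/"),
    (re.compile(r"^/home/[^/]+/\.cache/"), "owner @{user_cache_dirs}/"),
    (re.compile(r"^/home/[^/]+/\.local/share/"), "owner @{user_share_dirs}/"),
    (re.compile(r"^/home/[^/]+/"), "owner @{HOME}/"),
    (re.compile(r"^/sys/devices/pci[0-9a-f:]+/[0-9a-f:.]+/"), "@{sys}/devices/pci[0-9]*/**/"),
    (re.compile(r"^/proc/"), "@{PROC}/"),
]
# ksycoca cache files carry a random suffix; one glob covers all of them.
RANDOM_SUFFIX = re.compile(r"(ksycoca5_[a-z]+)_[A-Za-z0-9]+$")

# Audit mask letter -> file rule permission. 'c' (create) is implied by 'w'.
# Exec ('x') and mmap ('m') are left out on purpose: they need a transition
# decision (Px/Cx/ix) that a script must not make for you.
MASK_MAP = {"r": "r", "w": "w", "c": "w", "a": "a", "k": "k", "l": "l"}
PERM_ORDER = "rwalk"


def parse_line(line):
    """Split one log line into its fields; returns None for non-matching lines."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    kv = dict(tok.split("=", 1) for tok in m.group("kv").split())
    return {
        "verdict": m.group("verdict"),
        "profile": m.group("profile"),
        "op": m.group("op"),
        "path": m.group("path"),
        "comm": kv.get("comm", ""),
        # denied_mask is what the rule must grant; fall back to requested_mask.
        "mask": kv.get("denied_mask") or kv.get("requested_mask", ""),
        "class": kv.get("class", "file"),
    }


def generalize_path(path):
    """Rewrite a concrete path into the variable form a profile should use."""
    for pattern, replacement in GENERALIZERS:
        if pattern.match(path):
            path = pattern.sub(replacement, path, count=1)
            break
    return RANDOM_SUFFIX.sub(r"\1_*", path)


def mask_to_perms(mask):
    return {MASK_MAP[ch] for ch in mask if ch in MASK_MAP}


def fmt_perms(perms):
    return "".join(p for p in PERM_ORDER if p in perms)


def collect_rules(log_text):
    """Return ({profile: {generalized path: perms}}, skipped_lines)."""
    rules = defaultdict(lambda: defaultdict(set))
    skipped = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev is None or ev["class"] != "file" or not mask_to_perms(ev["mask"]):
            skipped.append(line)  # non-file events and exec/mmap need a human
            continue
        # The same path seen with different masks, or from different threads
        # (cf. comm=QXcbEventQueue), is merged into one rule.
        rules[ev["profile"]][generalize_path(ev["path"])] |= mask_to_perms(ev["mask"])
    return rules, skipped


def render_profile_rules(rules, profile):
    return [f"{path} {fmt_perms(perms)}," for path, perms in sorted(rules[profile].items())]


def needs_review(rule):
    """Flag writes to anything the user does not own: those deserve a second
    look and are often better served by an existing abstraction."""
    path, perms = rule.rstrip(",").rsplit(" ", 1)
    return bool(set(perms) & {"w", "a"}) and not path.startswith("owner ")


if __name__ == "__main__":
    rules, skipped = collect_rules(SAMPLE_LOG)
    for profile in sorted(rules):
        print(f"# candidate rules for profile {profile}")
        for rule in render_profile_rules(rules, profile):
            flag = "  # review: write outside owner-controlled path" if needs_review(rule) else ""
            print("  " + rule + flag)
    for line in skipped:
        print("# skipped, needs a human decision: " + line)
```

Run it to print candidate rules for `kstart`. Everything it flags (`/dev/dri/card0 rw,` here) and everything it skips (exec and mmap events, non-file classes) still needs a human decision: GPU and Mesa access, for instance, is normally pulled in through an existing abstraction rather than pasted as literal rules, and a `c` in a mask collapses to `w` because a file rule's `w` already permits creation.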

@Jeroen0494
Contributor Author

Thank you for updating the PR. Ready for merge now.

include <abstractions/fontconfig-cache-read>
include <abstractions/fonts>

unix (connect, send, receive) type=stream peer=(addr="@/tmp/.ICE-unix/[0-9]*"),
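Review bot: the ICE rule `unix (connect, send, receive) type=stream peer=(addr="@/tmp/.ICE-unix/[0-9]*"),` pins the peer by socket address only, whereas the X11 rule later in this PR also pins it with `label="{xorg,xkbcomp}"`; without a label, any process that binds an abstract socket of that name can be reached. If the shared X abstraction already carries the session-socket rule, include it instead of hand-writing one here; otherwise add a peer label so both socket rules are equally tight.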
roddhjav (Owner):
Include: <abstractions/X-strict> instead.

/{usr/,}bin/** rPUx,
/{usr/,}bin/konsole rUx,

owner @{HOME}/.Xauthority r,
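Review bot: `/{usr/,}bin/** rPUx,` grants far more than a launcher needs: `**` matches every binary under bin including subdirectories, and the `U` fallback means any target without its own profile runs unconfined, so confinement ends at the first exec. The following `/{usr/,}bin/konsole rUx,` is narrower in path but weaker in transition: `Ux` runs konsole unconfined unconditionally where a `Px` transition to its own profile would keep it confined. Replace both with the shared launcher abstraction (`abstractions/app-launcher-user`, as suggested for the other profile in this PR) or at least list the specific binaries this profile actually starts with `Px`.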
roddhjav (Owner):
Suggested change
owner @{HOME}/.Xauthority r,

Useless, once you have X-strict.

unix (connect, send, receive) type=stream peer=(addr="@/tmp/.ICE-unix/[0-9]*"),

@{exec_path} mr,
/{usr/,}bin/** rPUx,
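Review bot: same concern as the other `/{usr/,}bin/** rPUx,` rule in this PR: `**` covers the whole bin tree and the `U` fallback lets any binary without a profile run unconfined, so this profile stops confining whatever it launches. The `@{exec_path} mr,` line above it is fine. Use the launcher abstraction rather than a blanket exec rule.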
roddhjav (Owner):
Use abstractions/app-launcher-user instead

@{exec_path} rm,

unix (send, receive, connect) type=stream peer=(addr="@/tmp/.X11-unix/X[0-9]*", label="{xorg,xkbcomp}"),
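Review bot: style: `@{exec_path} rm,` spells the permission set the other way round from `@{exec_path} mr,` in the other profile in this PR; pick one ordering (`mr` is the one used elsewhere here) so the profiles grep consistently. The X11 socket rule pinning `label="{xorg,xkbcomp}"` is the right shape, but if the shared X abstraction provides it, include that rather than duplicating the rule per profile.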
roddhjav (Owner):
Use X-strict

Signed-off-by: Jeroen Rijken <jeroen.rijken@xs4all.nl>
@roddhjav roddhjav merged commit f06f01a into roddhjav:main Nov 29, 2023
1 of 2 checks passed
@roddhjav
Owner

I fixed some issues and merged it. These profiles are useful as they can allow other, unsupported DEs to boot.

Please expect issues, as these are still pretty much work in progress.

3 participants