# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only

abi <abi/4.0>,

include <tunables/global>

@{exec_path} = @{bin}/kded5 @{bin}/kded6
profile kded /{{,usr/}{,s}bin/kded5,{,usr/}{,s}bin/kded6} flags=(complain) {
  include <abstractions/base>
  include <abstractions/audio-client>
  include <abstractions/bus-system>
  include <abstractions/bus/org.bluez>
  include <abstractions/consoles>
  include <abstractions/dconf-write>
  include <abstractions/bus/org.bluez>
  include <abstractions/bus/org.freedesktop.NetworkManager>
  include <abstractions/bus/org.freedesktop.PolicyKit1>
  include <abstractions/graphics>
  include <abstractions/gtk>
  include <abstractions/kde-strict>
  include <abstractions/nameservice-strict>
  include <abstractions/wutmp>

  capability sys_ptrace,

  network inet dgram,
  network inet6 dgram,
  network netlink raw,
  network netlink dgram,

  ptrace (read),

  signal (send) set=hup peer=xsettingsd,

  dbus receive bus=system path=/org/freedesktop/NetworkManager/SecretAgent
       interface=org.freedesktop.NetworkManager.SecretAgent
       member=CancelGetSecrets
       peer=(label=NetworkManager),

  dbus receive bus=system path=/org/freedesktop/NetworkManager/SecretAgent
       interface=org.freedesktop.NetworkManager.SecretAgent
       member=CancelGetSecrets
       peer=(label=NetworkManager),

  dbus receive bus=system path=/org/freedesktop/NetworkManager/AccessPoint/@{int}
       interface=org.freedesktop.DBus.Properties
       member=PropertiesChanged
       peer=(label=NetworkManager),

  dbus receive bus=system path=/org/freedesktop/NetworkManager/Devices/@{int}
       interface=org.freedesktop.DBus.Properties
       member={PropertiesChanged,AccessPointAdded,AccessPointRemoved}
       peer=(label=NetworkManager),

  dbus send bus=system path=/org/freedesktop/NetworkManager/AgentManager
       interface=org.freedesktop.NetworkManager.AgentManager
       peer=(label=NetworkManager),

  @{exec_path} mrix,

  @{bin}/kcminit            rPx,
  @{bin}/pgrep              rCx -> pgrep,
  @{bin}/plasma-welcome    rPUx,
  @{bin}/python3.@{int}     rix,
  @{bin}/setxkbmap          rix,
  @{bin}/xrdb               rPx,
  @{bin}/xsettingsd         rPx,
  @{lib}/drkonqi            rPx,

  @{lib}/{,@{multiarch}/}utempter/utempter Px,
  @{lib}/@{multiarch}/{,libexec/}kf{5,6}/kconf_update Px,
  @{lib}/kf{5,6}/kconf_update Px,

  /usr/share/kconf_update/ r,
  /usr/share/kded{5,6}/{,**} r,
  /usr/share/kf{5,6}/kcookiejar/* r,
  /usr/share/khotkeys/{,**} r,
  /usr/share/knotifications{5,6}/{,**} r,
  /usr/share/kservices{5,6}/{,**} r,
  /usr/share/kservicetypes5/{,**} r,

  /etc/fstab r,
  /etc/xdg/accept-languages.codes r,
  /etc/xdg/kcminputrc r,
  /etc/xdg/kde* r,
  /etc/xdg/kioslaverc r,
  /etc/xdg/menus/{,**} r,

  /etc/machine-id r,
  /var/lib/dbus/machine-id r,

  owner @{HOME}/.gtkrc-2.0 rw,

        @{user_cache_dirs}/ksycoca{5,6}_* rwlk -> @{user_cache_dirs}/#@{int},
  owner @{user_cache_dirs}/#@{int} rw,
  owner @{user_cache_dirs}/icon-cache.kcache rw,
  owner @{user_cache_dirs}/plasmashell/ rw,
  owner @{user_cache_dirs}/plasmashell/** rwlk ->  @{user_cache_dirs}/plasmashell/**,

        @{user_config_dirs}/kcookiejarrc.lock rwk,
        @{user_config_dirs}/kcookiejarrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
  owner @{user_config_dirs}/#@{int} rw,
  owner @{user_config_dirs}/bluedevilglobalrc.lock rwk,
  owner @{user_config_dirs}/bluedevilglobalrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
  owner @{user_config_dirs}/gtk-{3,4}.0/{,**} rwl,
  owner @{user_config_dirs}/gtk-{3,4}.0/settings.ini.lock rk,
  owner @{user_config_dirs}/kcminputrc r,
  owner @{user_config_dirs}/kconf_updaterc rw,
  owner @{user_config_dirs}/kconf_updaterc.lock rwk,
  owner @{user_config_dirs}/kdebugrc r,
  owner @{user_config_dirs}/kded{5,6}rc.lock rwk,
  owner @{user_config_dirs}/kded{5,6}rc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
  owner @{user_config_dirs}/kdedefaults/{,**} r,
  owner @{user_config_dirs}/khotkeysrc.lock rwk,
  owner @{user_config_dirs}/khotkeysrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
  owner @{user_config_dirs}/kioslaverc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
  owner @{user_config_dirs}/ktimezonedrc.lock rwk,
  owner @{user_config_dirs}/ktimezonedrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
  owner @{user_config_dirs}/kwalletrc r,
  owner @{user_config_dirs}/kwinrc.lock rwk,
  owner @{user_config_dirs}/kwinrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
  owner @{user_config_dirs}/kxkbrc r,
  owner @{user_config_dirs}/libaccounts-glib/ rw,
  owner @{user_config_dirs}/libaccounts-glib/accounts.db{,-shm,-wal,-journal} rwk,
  owner @{user_config_dirs}/menus/{,**} r,
  owner @{user_config_dirs}/networkmanagement.notifyrc r,
  owner @{user_config_dirs}/plasma-nm r,
  owner @{user_config_dirs}/plasma-welcomerc r,
  owner @{user_config_dirs}/touchpadrc r,
  owner @{user_config_dirs}/xsettingsd/{,**} rw,

        @{user_share_dirs}/kcookiejar/cookies{,.@{rand6}} rwkl -> @{user_share_dirs}/kcookiejar/#@{int},
  owner @{user_share_dirs}/icc/{,edid-*} r,
  owner @{user_share_dirs}/kcookiejar/#@{int} rw,
  owner @{user_share_dirs}/kcookiejar/cookies.lock rwk,
  owner @{user_share_dirs}/kded{5,6}/{,**} rw,
  owner @{user_share_dirs}/kscreen/{,**} rwl,
  owner @{user_share_dirs}/kservices{5,6}/{,**} r,
  owner @{user_share_dirs}/ktp/cache.db rwk,
  owner @{user_share_dirs}/remoteview/ r,
  owner @{user_share_dirs}/services5/{,**} r,

        @{run}/mount/utab r,
        @{run}/udev/data/c189:@{int} r,                # for /dev/bus/usb/**
        @{run}/user/@{uid}/gvfs/ r,
  owner @{run}/user/@{uid}/#@{int} rw,
  owner @{run}/user/@{uid}/kded{5,6}*kioworker.socket rwl,

  owner /tmp/plasma-csd-generator.@{rand6}/{,**} rw,

        @{PROC}/ r,
        @{PROC}/@{pids}/cmdline/ r,
        @{PROC}/@{pids}/fd/ r,
        @{PROC}/@{pids}/fdinfo/@{int} r,
        @{PROC}/@{pids}/fd/info/@{int} r,
        @{PROC}/sys/fs/inotify/max_user_{instances,watches} r,
        @{PROC}/sys/kernel/core_pattern r,
  owner @{PROC}/@{pid}/mountinfo r,
  owner @{PROC}/@{pid}/mounts r,

  /dev/disk/by-label/ r,
  /dev/ptmx rw,
  /dev/rfkill rw,

  profile pgrep flags=(complain) {
    include <abstractions/base>
    include <abstractions/consoles>

    capability sys_ptrace,

    ptrace (read),

    @{bin}/pgrep mr,

    @{sys}/devices/system/node/ r,
    @{sys}/devices/system/node/node@{int}/meminfo r,

    @{PROC}/ r,
    @{PROC}/@{pids}/cgroup r,
    @{PROC}/@{pids}/cmdline r,
    @{PROC}/@{pids}/stat r,
    @{PROC}/sys/kernel/osrelease r,
    @{PROC}/tty/drivers r,
    @{PROC}/uptime r,

    include if exists <local/kded_pgrep>
  }

  include if exists <local/kded>
}
