# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only

abi <abi/4.0>,

include <tunables/global>

# Executable paths covered by this profile; used by the '@{exec_path} mrix'
# rule in the profile body.
@{exec_path} = @{bin}/kded5 @{bin}/kded6
# NOTE(review): @{att} is set to the empty string and is not referenced
# anywhere in this file; presumably read by an included abstraction - confirm.
@{att} = ""
# Attaches to /bin/kded5, /usr/bin/kded5, /bin/kded6 and /usr/bin/kded6.
# flags=(complain): operations outside the rules below are logged but still
# allowed, so this profile confines nothing until the flag is removed.
profile kded /{{,usr/}bin/kded5,{,usr/}bin/kded6} flags=(complain) {
  include <abstractions/base-strict>

  # Rule sets pulled in from shared abstractions; their contents are not
  # visible in this file, so the effective policy is wider than what is
  # written here (audio, both D-Bus buses, USB devices, graphics, dconf and
  # KDE config writes, name resolution, TLS certificates, utmp/wtmp).
  include <abstractions/audio-client>
  include <abstractions/bus-session>
  include <abstractions/bus-system>
  include <abstractions/bus/org.freedesktop.ModemManager1>
  include <abstractions/bus/org.freedesktop.PolicyKit1>
  include <abstractions/bus/org.freedesktop.UDisks2>
  include <abstractions/bus/system/org.bluez>
  include <abstractions/consoles>
  include <abstractions/dconf-write>
  include <abstractions/devices-usb>
  include <abstractions/graphics>
  include <abstractions/kde-globals-write>
  include <abstractions/kde-strict>
  include <abstractions/nameservice-strict>
  include <abstractions/ssl_certs>
  include <abstractions/wutmp>

  # CAP_SYS_PTRACE, paired with the 'ptrace read' rule further down.
  # NOTE(review): that ptrace rule carries no peer= qualifier, so read-type
  # ptrace checks are permitted against every label, not only KDE processes.
  capability sys_ptrace,

  # IPv4 and IPv6 datagram and stream sockets, plus netlink datagram and raw
  # sockets. No address or port restriction is expressed here.
  network inet dgram,
  network inet stream,
  network inet6 dgram,
  network inet6 stream,
  network netlink dgram,
  network netlink raw,

  ptrace read,

  # Outgoing signals are limited to SIGHUP for the xsettingsd label and
  # SIGTERM for the kioworker label.
  signal send set=hup peer=xsettingsd,
  signal send set=term peer=kioworker,

  # Owned by KDE
  # Names this profile may own on the bus, starting with the one system-bus
  # name: com.redhat.NewPrinterNotification.

  include <abstractions/bus/system/own>

  # Bind (own) the well-known name and any sub-name.
  dbus bind bus=system name=com.redhat.NewPrinterNotification{,.*},
  # Accept calls on the service's own interface. The peer is matched by bus
  # name only (no label=), so the caller's confinement is not checked here.
  dbus receive bus=system path=/com/redhat/NewPrinterNotification{,/**}
       interface=com.redhat.NewPrinterNotification{,.*}
       peer=(name="@{busname}"),
  # Send on the service's own interface to @{busname} peers or the bus daemon.
  dbus send bus=system path=/com/redhat/NewPrinterNotification{,/**}
       interface=com.redhat.NewPrinterNotification{,.*}
       peer=(name="{@{busname},org.freedesktop.DBus}"),
  # Standard Properties interface in both directions; note that Set is
  # included, not only the read-side members.
  dbus (send receive) bus=system path=/com/redhat/NewPrinterNotification{,/**}
       interface=org.freedesktop.DBus.Properties
       member={Get,GetAll,Set,PropertiesChanged}
       peer=(name="{@{busname},org.freedesktop.DBus}"),
  # Let peers introspect the exported objects.
  dbus receive bus=system path=/com/redhat/NewPrinterNotification{,/**}
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(name="@{busname}"),
  # ObjectManager: answer GetManagedObjects, emit InterfacesAdded/Removed.
  dbus receive bus=system path=/com/redhat/NewPrinterNotification{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       member=GetManagedObjects
       peer=(name="{@{busname},com.redhat.NewPrinterNotification{,.*}}"),
  dbus send bus=system path=/com/redhat/NewPrinterNotification{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       member={InterfacesAdded,InterfacesRemoved}
       peer=(name="{@{busname},org.freedesktop.DBus}"),
  # Session-bus ownership of org.gtk.Settings: bind the name, accept calls on
  # /org/gtk/Settings, and exchange Properties / Introspectable /
  # ObjectManager messages. Receive rules match the peer by bus name only
  # (no label=), and the Properties rule permits Set in both directions.
  include <abstractions/bus/session/own>

  dbus bind bus=session name=org.gtk.Settings{,.*},
  dbus receive bus=session path=/org/gtk/Settings{,/**}
       interface=org.gtk.Settings{,.*}
       peer=(name="@{busname}"),
  dbus send bus=session path=/org/gtk/Settings{,/**}
       interface=org.gtk.Settings{,.*}
       peer=(name="{@{busname},org.freedesktop.DBus}"),
  dbus (send receive) bus=session path=/org/gtk/Settings{,/**}
       interface=org.freedesktop.DBus.Properties
       member={Get,GetAll,Set,PropertiesChanged}
       peer=(name="{@{busname},org.freedesktop.DBus}"),
  dbus receive bus=session path=/org/gtk/Settings{,/**}
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(name="@{busname}"),
  dbus receive bus=session path=/org/gtk/Settings{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       member=GetManagedObjects
       peer=(name="{@{busname},org.gtk.Settings{,.*}}"),
  dbus send bus=session path=/org/gtk/Settings{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       member={InterfacesAdded,InterfacesRemoved}
       peer=(name="{@{busname},org.freedesktop.DBus}"),
  # Session-bus ownership of org.kde.DistroReleaseNotifier: bind the name,
  # accept calls on /org/kde/DistroReleaseNotifier, and exchange Properties /
  # Introspectable / ObjectManager messages. Receive rules match the peer by
  # bus name only (no label=); the Properties rule includes Set.
  include <abstractions/bus/session/own>

  dbus bind bus=session name=org.kde.DistroReleaseNotifier{,.*},
  dbus receive bus=session path=/org/kde/DistroReleaseNotifier{,/**}
       interface=org.kde.DistroReleaseNotifier{,.*}
       peer=(name="@{busname}"),
  dbus send bus=session path=/org/kde/DistroReleaseNotifier{,/**}
       interface=org.kde.DistroReleaseNotifier{,.*}
       peer=(name="{@{busname},org.freedesktop.DBus}"),
  dbus (send receive) bus=session path=/org/kde/DistroReleaseNotifier{,/**}
       interface=org.freedesktop.DBus.Properties
       member={Get,GetAll,Set,PropertiesChanged}
       peer=(name="{@{busname},org.freedesktop.DBus}"),
  dbus receive bus=session path=/org/kde/DistroReleaseNotifier{,/**}
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(name="@{busname}"),
  dbus receive bus=session path=/org/kde/DistroReleaseNotifier{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       member=GetManagedObjects
       peer=(name="{@{busname},org.kde.DistroReleaseNotifier{,.*}}"),
  dbus send bus=session path=/org/kde/DistroReleaseNotifier{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       member={InterfacesAdded,InterfacesRemoved}
       peer=(name="{@{busname},org.freedesktop.DBus}"),
  # Session-bus ownership of org.kde.GtkConfig: bind the name, accept calls
  # on /org/kde/GtkConfig, and exchange Properties / Introspectable /
  # ObjectManager messages. Receive rules match the peer by bus name only
  # (no label=); the Properties rule includes Set.
  include <abstractions/bus/session/own>

  dbus bind bus=session name=org.kde.GtkConfig{,.*},
  dbus receive bus=session path=/org/kde/GtkConfig{,/**}
       interface=org.kde.GtkConfig{,.*}
       peer=(name="@{busname}"),
  dbus send bus=session path=/org/kde/GtkConfig{,/**}
       interface=org.kde.GtkConfig{,.*}
       peer=(name="{@{busname},org.freedesktop.DBus}"),
  dbus (send receive) bus=session path=/org/kde/GtkConfig{,/**}
       interface=org.freedesktop.DBus.Properties
       member={Get,GetAll,Set,PropertiesChanged}
       peer=(name="{@{busname},org.freedesktop.DBus}"),
  dbus receive bus=session path=/org/kde/GtkConfig{,/**}
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(name="@{busname}"),
  dbus receive bus=session path=/org/kde/GtkConfig{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       member=GetManagedObjects
       peer=(name="{@{busname},org.kde.GtkConfig{,.*}}"),
  dbus send bus=session path=/org/kde/GtkConfig{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       member={InterfacesAdded,InterfacesRemoved}
       peer=(name="{@{busname},org.freedesktop.DBus}"),
  # Session-bus ownership of org.kde.kappmenu: bind the name, accept calls on
  # /org/kde/kappmenu, and exchange Properties / Introspectable /
  # ObjectManager messages. Receive rules match the peer by bus name only
  # (no label=); the Properties rule includes Set.
  include <abstractions/bus/session/own>

  dbus bind bus=session name=org.kde.kappmenu{,.*},
  dbus receive bus=session path=/org/kde/kappmenu{,/**}
       interface=org.kde.kappmenu{,.*}
       peer=(name="@{busname}"),
  dbus send bus=session path=/org/kde/kappmenu{,/**}
       interface=org.kde.kappmenu{,.*}
       peer=(name="{@{busname},org.freedesktop.DBus}"),
  dbus (send receive) bus=session path=/org/kde/kappmenu{,/**}
       interface=org.freedesktop.DBus.Properties
       member={Get,GetAll,Set,PropertiesChanged}
       peer=(name="{@{busname},org.freedesktop.DBus}"),
  dbus receive bus=session path=/org/kde/kappmenu{,/**}
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(name="@{busname}"),
  dbus receive bus=session path=/org/kde/kappmenu{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       member=GetManagedObjects
       peer=(name="{@{busname},org.kde.kappmenu{,.*}}"),
  dbus send bus=session path=/org/kde/kappmenu{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       member={InterfacesAdded,InterfacesRemoved}
       peer=(name="{@{busname},org.freedesktop.DBus}"),
  # Session-bus ownership of org.kde.kcookiejar5: bind the name, accept calls
  # on /org/kde/kcookiejar5, and exchange Properties / Introspectable /
  # ObjectManager messages. Receive rules match the peer by bus name only
  # (no label=); the Properties rule includes Set.
  # NOTE(review): only the "5"-suffixed name is listed although the profile
  # also attaches to kded6 - confirm whether a kded6 counterpart is needed.
  include <abstractions/bus/session/own>

  dbus bind bus=session name=org.kde.kcookiejar5{,.*},
  dbus receive bus=session path=/org/kde/kcookiejar5{,/**}
       interface=org.kde.kcookiejar5{,.*}
       peer=(name="@{busname}"),
  dbus send bus=session path=/org/kde/kcookiejar5{,/**}
       interface=org.kde.kcookiejar5{,.*}
       peer=(name="{@{busname},org.freedesktop.DBus}"),
  dbus (send receive) bus=session path=/org/kde/kcookiejar5{,/**}
       interface=org.freedesktop.DBus.Properties
       member={Get,GetAll,Set,PropertiesChanged}
       peer=(name="{@{busname},org.freedesktop.DBus}"),
  dbus receive bus=session path=/org/kde/kcookiejar5{,/**}
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(name="@{busname}"),
  dbus receive bus=session path=/org/kde/kcookiejar5{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       member=GetManagedObjects
       peer=(name="{@{busname},org.kde.kcookiejar5{,.*}}"),
  dbus send bus=session path=/org/kde/kcookiejar5{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       member={InterfacesAdded,InterfacesRemoved}
       peer=(name="{@{busname},org.freedesktop.DBus}"),
  # Session-bus ownership of org.kde.kded5: bind the name, accept calls on
  # /org/kde/kded5, and exchange Properties / Introspectable / ObjectManager
  # messages. Receive rules match the peer by bus name only (no label=); the
  # Properties rule includes Set.
  # NOTE(review): the profile also attaches to kded6, but no kded6 bus name
  # is bound in this file - confirm whether one is required.
  include <abstractions/bus/session/own>

  dbus bind bus=session name=org.kde.kded5{,.*},
  dbus receive bus=session path=/org/kde/kded5{,/**}
       interface=org.kde.kded5{,.*}
       peer=(name="@{busname}"),
  dbus send bus=session path=/org/kde/kded5{,/**}
       interface=org.kde.kded5{,.*}
       peer=(name="{@{busname},org.freedesktop.DBus}"),
  dbus (send receive) bus=session path=/org/kde/kded5{,/**}
       interface=org.freedesktop.DBus.Properties
       member={Get,GetAll,Set,PropertiesChanged}
       peer=(name="{@{busname},org.freedesktop.DBus}"),
  dbus receive bus=session path=/org/kde/kded5{,/**}
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(name="@{busname}"),
  dbus receive bus=session path=/org/kde/kded5{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       member=GetManagedObjects
       peer=(name="{@{busname},org.kde.kded5{,.*}}"),
  dbus send bus=session path=/org/kde/kded5{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       member={InterfacesAdded,InterfacesRemoved}
       peer=(name="{@{busname},org.freedesktop.DBus}"),
  # Session-bus ownership of org.kde.keyboard: bind the name, accept calls on
  # /org/kde/keyboard, and exchange Properties / Introspectable /
  # ObjectManager messages. Receive rules match the peer by bus name only
  # (no label=); the Properties rule includes Set.
  include <abstractions/bus/session/own>

  dbus bind bus=session name=org.kde.keyboard{,.*},
  dbus receive bus=session path=/org/kde/keyboard{,/**}
       interface=org.kde.keyboard{,.*}
       peer=(name="@{busname}"),
  dbus send bus=session path=/org/kde/keyboard{,/**}
       interface=org.kde.keyboard{,.*}
       peer=(name="{@{busname},org.freedesktop.DBus}"),
  dbus (send receive) bus=session path=/org/kde/keyboard{,/**}
       interface=org.freedesktop.DBus.Properties
       member={Get,GetAll,Set,PropertiesChanged}
       peer=(name="{@{busname},org.freedesktop.DBus}"),
  dbus receive bus=session path=/org/kde/keyboard{,/**}
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(name="@{busname}"),
  dbus receive bus=session path=/org/kde/keyboard{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       member=GetManagedObjects
       peer=(name="{@{busname},org.kde.keyboard{,.*}}"),
  dbus send bus=session path=/org/kde/keyboard{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       member={InterfacesAdded,InterfacesRemoved}
       peer=(name="{@{busname},org.freedesktop.DBus}"),
  # Session-bus ownership of org.kde.KeyboardLayouts: bind the name, accept
  # calls on /org/kde/KeyboardLayouts, and exchange Properties /
  # Introspectable / ObjectManager messages. Receive rules match the peer by
  # bus name only (no label=); the Properties rule includes Set.
  include <abstractions/bus/session/own>

  dbus bind bus=session name=org.kde.KeyboardLayouts{,.*},
  dbus receive bus=session path=/org/kde/KeyboardLayouts{,/**}
       interface=org.kde.KeyboardLayouts{,.*}
       peer=(name="@{busname}"),
  dbus send bus=session path=/org/kde/KeyboardLayouts{,/**}
       interface=org.kde.KeyboardLayouts{,.*}
       peer=(name="{@{busname},org.freedesktop.DBus}"),
  dbus (send receive) bus=session path=/org/kde/KeyboardLayouts{,/**}
       interface=org.freedesktop.DBus.Properties
       member={Get,GetAll,Set,PropertiesChanged}
       peer=(name="{@{busname},org.freedesktop.DBus}"),
  dbus receive bus=session path=/org/kde/KeyboardLayouts{,/**}
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(name="@{busname}"),
  dbus receive bus=session path=/org/kde/KeyboardLayouts{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       member=GetManagedObjects
       peer=(name="{@{busname},org.kde.KeyboardLayouts{,.*}}"),
  dbus send bus=session path=/org/kde/KeyboardLayouts{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       member={InterfacesAdded,InterfacesRemoved}
       peer=(name="{@{busname},org.freedesktop.DBus}"),
  # Session-bus ownership of org.kde.plasmanetworkmanagement: bind the name,
  # accept calls on /org/kde/plasmanetworkmanagement, and exchange
  # Properties / Introspectable / ObjectManager messages. Receive rules match
  # the peer by bus name only (no label=); the Properties rule includes Set.
  include <abstractions/bus/session/own>

  dbus bind bus=session name=org.kde.plasmanetworkmanagement{,.*},
  dbus receive bus=session path=/org/kde/plasmanetworkmanagement{,/**}
       interface=org.kde.plasmanetworkmanagement{,.*}
       peer=(name="@{busname}"),
  dbus send bus=session path=/org/kde/plasmanetworkmanagement{,/**}
       interface=org.kde.plasmanetworkmanagement{,.*}
       peer=(name="{@{busname},org.freedesktop.DBus}"),
  dbus (send receive) bus=session path=/org/kde/plasmanetworkmanagement{,/**}
       interface=org.freedesktop.DBus.Properties
       member={Get,GetAll,Set,PropertiesChanged}
       peer=(name="{@{busname},org.freedesktop.DBus}"),
  dbus receive bus=session path=/org/kde/plasmanetworkmanagement{,/**}
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(name="@{busname}"),
  dbus receive bus=session path=/org/kde/plasmanetworkmanagement{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       member=GetManagedObjects
       peer=(name="{@{busname},org.kde.plasmanetworkmanagement{,.*}}"),
  dbus send bus=session path=/org/kde/plasmanetworkmanagement{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       member={InterfacesAdded,InterfacesRemoved}
       peer=(name="{@{busname},org.freedesktop.DBus}"),
  # Session-bus ownership of org.kde.plasmashell.accentColor: bind the name,
  # accept calls on /org/kde/plasmashell/accentColor, and exchange
  # Properties / Introspectable / ObjectManager messages. Receive rules match
  # the peer by bus name only (no label=); the Properties rule includes Set.
  include <abstractions/bus/session/own>

  dbus bind bus=session name=org.kde.plasmashell.accentColor{,.*},
  dbus receive bus=session path=/org/kde/plasmashell/accentColor{,/**}
       interface=org.kde.plasmashell.accentColor{,.*}
       peer=(name="@{busname}"),
  dbus send bus=session path=/org/kde/plasmashell/accentColor{,/**}
       interface=org.kde.plasmashell.accentColor{,.*}
       peer=(name="{@{busname},org.freedesktop.DBus}"),
  dbus (send receive) bus=session path=/org/kde/plasmashell/accentColor{,/**}
       interface=org.freedesktop.DBus.Properties
       member={Get,GetAll,Set,PropertiesChanged}
       peer=(name="{@{busname},org.freedesktop.DBus}"),
  dbus receive bus=session path=/org/kde/plasmashell/accentColor{,/**}
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(name="@{busname}"),
  dbus receive bus=session path=/org/kde/plasmashell/accentColor{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       member=GetManagedObjects
       peer=(name="{@{busname},org.kde.plasmashell.accentColor{,.*}}"),
  dbus send bus=session path=/org/kde/plasmashell/accentColor{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       member={InterfacesAdded,InterfacesRemoved}
       peer=(name="{@{busname},org.freedesktop.DBus}"),
  # Session-bus ownership of org.kde.StatusNotifierWatcher: bind the name,
  # accept calls on /org/kde/StatusNotifierWatcher, and exchange Properties /
  # Introspectable / ObjectManager messages. Receive rules match the peer by
  # bus name only (no label=); the Properties rule includes Set.
  include <abstractions/bus/session/own>

  dbus bind bus=session name=org.kde.StatusNotifierWatcher{,.*},
  dbus receive bus=session path=/org/kde/StatusNotifierWatcher{,/**}
       interface=org.kde.StatusNotifierWatcher{,.*}
       peer=(name="@{busname}"),
  dbus send bus=session path=/org/kde/StatusNotifierWatcher{,/**}
       interface=org.kde.StatusNotifierWatcher{,.*}
       peer=(name="{@{busname},org.freedesktop.DBus}"),
  dbus (send receive) bus=session path=/org/kde/StatusNotifierWatcher{,/**}
       interface=org.freedesktop.DBus.Properties
       member={Get,GetAll,Set,PropertiesChanged}
       peer=(name="{@{busname},org.freedesktop.DBus}"),
  dbus receive bus=session path=/org/kde/StatusNotifierWatcher{,/**}
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(name="@{busname}"),
  dbus receive bus=session path=/org/kde/StatusNotifierWatcher{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       member=GetManagedObjects
       peer=(name="{@{busname},org.kde.StatusNotifierWatcher{,.*}}"),
  dbus send bus=session path=/org/kde/StatusNotifierWatcher{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       member={InterfacesAdded,InterfacesRemoved}
       peer=(name="{@{busname},org.freedesktop.DBus}"),
  # Session-bus ownership of org.kde.Wacom: bind the name, accept calls on
  # /org/kde/Wacom, and exchange Properties / Introspectable / ObjectManager
  # messages. Receive rules match the peer by bus name only (no label=); the
  # Properties rule includes Set.
  include <abstractions/bus/session/own>

  dbus bind bus=session name=org.kde.Wacom{,.*},
  dbus receive bus=session path=/org/kde/Wacom{,/**}
       interface=org.kde.Wacom{,.*}
       peer=(name="@{busname}"),
  dbus send bus=session path=/org/kde/Wacom{,/**}
       interface=org.kde.Wacom{,.*}
       peer=(name="{@{busname},org.freedesktop.DBus}"),
  dbus (send receive) bus=session path=/org/kde/Wacom{,/**}
       interface=org.freedesktop.DBus.Properties
       member={Get,GetAll,Set,PropertiesChanged}
       peer=(name="{@{busname},org.freedesktop.DBus}"),
  dbus receive bus=session path=/org/kde/Wacom{,/**}
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(name="@{busname}"),
  dbus receive bus=session path=/org/kde/Wacom{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       member=GetManagedObjects
       peer=(name="{@{busname},org.kde.Wacom{,.*}}"),
  dbus send bus=session path=/org/kde/Wacom{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       member={InterfacesAdded,InterfacesRemoved}
       peer=(name="{@{busname},org.freedesktop.DBus}"),
  # Session-bus ownership of org.kubuntu.NotificationHelper: bind the name,
  # accept calls on /org/kubuntu/NotificationHelper, and exchange
  # Properties / Introspectable / ObjectManager messages. Receive rules match
  # the peer by bus name only (no label=); the Properties rule includes Set.
  include <abstractions/bus/session/own>

  dbus bind bus=session name=org.kubuntu.NotificationHelper{,.*},
  dbus receive bus=session path=/org/kubuntu/NotificationHelper{,/**}
       interface=org.kubuntu.NotificationHelper{,.*}
       peer=(name="@{busname}"),
  dbus send bus=session path=/org/kubuntu/NotificationHelper{,/**}
       interface=org.kubuntu.NotificationHelper{,.*}
       peer=(name="{@{busname},org.freedesktop.DBus}"),
  dbus (send receive) bus=session path=/org/kubuntu/NotificationHelper{,/**}
       interface=org.freedesktop.DBus.Properties
       member={Get,GetAll,Set,PropertiesChanged}
       peer=(name="{@{busname},org.freedesktop.DBus}"),
  dbus receive bus=session path=/org/kubuntu/NotificationHelper{,/**}
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(name="@{busname}"),
  dbus receive bus=session path=/org/kubuntu/NotificationHelper{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       member=GetManagedObjects
       peer=(name="{@{busname},org.kubuntu.NotificationHelper{,.*}}"),
  dbus send bus=session path=/org/kubuntu/NotificationHelper{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       member={InterfacesAdded,InterfacesRemoved}
       peer=(name="{@{busname},org.freedesktop.DBus}"),
  # Session-bus ownership of org.kubuntu.restrictedInstall: bind the name,
  # accept calls on /org/kubuntu/restrictedInstall, and exchange Properties /
  # Introspectable / ObjectManager messages. Receive rules match the peer by
  # bus name only (no label=); the Properties rule includes Set.
  include <abstractions/bus/session/own>

  dbus bind bus=session name=org.kubuntu.restrictedInstall{,.*},
  dbus receive bus=session path=/org/kubuntu/restrictedInstall{,/**}
       interface=org.kubuntu.restrictedInstall{,.*}
       peer=(name="@{busname}"),
  dbus send bus=session path=/org/kubuntu/restrictedInstall{,/**}
       interface=org.kubuntu.restrictedInstall{,.*}
       peer=(name="{@{busname},org.freedesktop.DBus}"),
  dbus (send receive) bus=session path=/org/kubuntu/restrictedInstall{,/**}
       interface=org.freedesktop.DBus.Properties
       member={Get,GetAll,Set,PropertiesChanged}
       peer=(name="{@{busname},org.freedesktop.DBus}"),
  dbus receive bus=session path=/org/kubuntu/restrictedInstall{,/**}
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(name="@{busname}"),
  dbus receive bus=session path=/org/kubuntu/restrictedInstall{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       member=GetManagedObjects
       peer=(name="{@{busname},org.kubuntu.restrictedInstall{,.*}}"),
  dbus send bus=session path=/org/kubuntu/restrictedInstall{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       member={InterfacesAdded,InterfacesRemoved}
       peer=(name="{@{busname},org.freedesktop.DBus}"),

  # Talk with KDE
  # Client-side rules: services this profile calls rather than owns. Unlike
  # the ownership rules, every peer here is pinned to an AppArmor label as
  # well as a bus name.

  # NetworkManager (system bus): unnamed unix stream socket to the
  # NetworkManager label, calls and signals on its interfaces, Properties
  # including Set, introspection, and ObjectManager enumeration/signals.
  unix type=stream addr=none peer=(label=NetworkManager, addr=none),

  dbus (send receive) bus=system path=/org/freedesktop/NetworkManager{,/**}
       interface=org.freedesktop.NetworkManager{,.*}
       peer=(name="{@{busname},org.freedesktop.NetworkManager{,.*}}", label=NetworkManager),
  dbus (send receive) bus=system path=/org/freedesktop/NetworkManager{,/**}
       interface=org.freedesktop.DBus.Properties
       member={Get,GetAll,Set,PropertiesChanged}
       peer=(name="{@{busname},org.freedesktop.NetworkManager{,.*}}", label=NetworkManager),
  dbus send bus=system path=/org/freedesktop/NetworkManager{,/**}
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(name="{@{busname},org.freedesktop.NetworkManager{,.*}}", label=NetworkManager),
  dbus send bus=system path=/org/freedesktop/NetworkManager{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       member=GetManagedObjects
       peer=(name="{@{busname},org.freedesktop.NetworkManager{,.*}}", label=NetworkManager),
  dbus receive bus=system path=/org/freedesktop/NetworkManager{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       member={InterfacesAdded,InterfacesRemoved}
       peer=(name="{@{busname},org.freedesktop.NetworkManager{,.*}}", label=NetworkManager),
  # boltd (system bus): unnamed unix stream socket to the boltd label, calls
  # and signals on org.freedesktop.bolt interfaces, Properties including Set,
  # introspection, and ObjectManager enumeration/signals. Every rule requires
  # the peer to carry the boltd label.
  unix type=stream addr=none peer=(label=boltd, addr=none),

  dbus (send receive) bus=system path=/org/freedesktop/bolt{,/**}
       interface=org.freedesktop.bolt{,.*}
       peer=(name="{@{busname},org.freedesktop.bolt{,.*}}", label=boltd),
  dbus (send receive) bus=system path=/org/freedesktop/bolt{,/**}
       interface=org.freedesktop.DBus.Properties
       member={Get,GetAll,Set,PropertiesChanged}
       peer=(name="{@{busname},org.freedesktop.bolt{,.*}}", label=boltd),
  dbus send bus=system path=/org/freedesktop/bolt{,/**}
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(name="{@{busname},org.freedesktop.bolt{,.*}}", label=boltd),
  dbus send bus=system path=/org/freedesktop/bolt{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       member=GetManagedObjects
       peer=(name="{@{busname},org.freedesktop.bolt{,.*}}", label=boltd),
  dbus receive bus=system path=/org/freedesktop/bolt{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       member={InterfacesAdded,InterfacesRemoved}
       peer=(name="{@{busname},org.freedesktop.bolt{,.*}}", label=boltd),

  # Night Color (session bus): talks to org.kde.NightColor on the single
  # object path /ColorCorrect. The peer must carry the kwin_wayland or
  # kwin_x11 label. Properties access includes Set.
  unix type=stream addr=none peer=(label="{kwin_wayland,kwin_x11}", addr=none),

  dbus (send receive) bus=session path=/ColorCorrect
       interface=org.kde.NightColor{,.*}
       peer=(name="{@{busname},org.kde.NightColor{,.*}}", label="{kwin_wayland,kwin_x11}"),
  dbus (send receive) bus=session path=/ColorCorrect
       interface=org.freedesktop.DBus.Properties
       member={Get,GetAll,Set,PropertiesChanged}
       peer=(name="{@{busname},org.kde.NightColor{,.*}}", label="{kwin_wayland,kwin_x11}"),
  dbus send bus=session path=/ColorCorrect
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(name="{@{busname},org.kde.NightColor{,.*}}", label="{kwin_wayland,kwin_x11}"),
  dbus send bus=session path=/ColorCorrect
       interface=org.freedesktop.DBus.ObjectManager
       member=GetManagedObjects
       peer=(name="{@{busname},org.kde.NightColor{,.*}}", label="{kwin_wayland,kwin_x11}"),
  dbus receive bus=session path=/ColorCorrect
       interface=org.freedesktop.DBus.ObjectManager
       member={InterfacesAdded,InterfacesRemoved}
       peer=(name="{@{busname},org.kde.NightColor{,.*}}", label="{kwin_wayland,kwin_x11}"),
  # Global shortcuts (session bus): talks to org.kde.KGlobalAccel on the root
  # object path "/". The peer must carry the kglobalacceld or kwin_wayland
  # label. Properties access includes Set.
  unix type=stream addr=none peer=(label="{kglobalacceld,kwin_wayland}", addr=none),

  dbus (send receive) bus=session path=/
       interface=org.kde.KGlobalAccel{,.*}
       peer=(name="{@{busname},org.kde.KGlobalAccel{,.*}}", label="{kglobalacceld,kwin_wayland}"),
  dbus (send receive) bus=session path=/
       interface=org.freedesktop.DBus.Properties
       member={Get,GetAll,Set,PropertiesChanged}
       peer=(name="{@{busname},org.kde.KGlobalAccel{,.*}}", label="{kglobalacceld,kwin_wayland}"),
  dbus send bus=session path=/
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(name="{@{busname},org.kde.KGlobalAccel{,.*}}", label="{kglobalacceld,kwin_wayland}"),
  dbus send bus=session path=/
       interface=org.freedesktop.DBus.ObjectManager
       member=GetManagedObjects
       peer=(name="{@{busname},org.kde.KGlobalAccel{,.*}}", label="{kglobalacceld,kwin_wayland}"),
  dbus receive bus=session path=/
       interface=org.freedesktop.DBus.ObjectManager
       member={InterfacesAdded,InterfacesRemoved}
       peer=(name="{@{busname},org.kde.KGlobalAccel{,.*}}", label="{kglobalacceld,kwin_wayland}"),

  # KAuth helper traffic on the system bus, restricted to the
  # kauth-kded-smart-helper label: receive its remoteSignal and send it
  # performAction. This is a request path to a separately confined helper,
  # so what that helper may do is governed by its own profile (not shown).
  dbus receive bus=system path=/
       interface=org.kde.kf5auth
       member=remoteSignal
       peer=(name=@{busname}, label=kauth-kded-smart-helper),

  dbus send bus=system path=/
       interface=org.kde.kf5auth
       member=performAction
       peer=(name="{@{busname},org.kde.kded.smart}", label=kauth-kded-smart-helper),

  # kded itself: readable, mappable as executable (m), and re-executed inside
  # this same profile (ix).
  @{exec_path} mrix,

  # Executables kded may launch. ix keeps the child in this profile; px moves
  # it to its own profile; cx moves it to a child profile of this one; pux is
  # px that falls back to running unconfined when no profile is loaded.
  # Lowercase p/c/u means the environment is not scrubbed on the transition.
  # NOTE(review): @{python_path} with ix gives interpreter-run code every
  # permission of this profile (variable is defined outside this file).
  # NOTE(review): plasma-welcome and xmodmap use pux, so on a system without
  # profiles for them they leave confinement; prefer px, or Pux if the
  # fallback has to stay, once this profile is enforced.
  @{python_path}            rix,
  @{bin}/dpkg               rpx -> child-dpkg,
  @{bin}/flatpak            rpx,
  @{bin}/kcminit            rpx,
  @{bin}/lsb_release        rpx,
  @{bin}/pgrep              rcx -> pgrep,
  @{bin}/plasma-welcome    rpux,
  @{bin}/setxkbmap          rix,
  @{bin}/xmodmap           rpux,
  @{bin}/xrdb               rpx,
  @{bin}/xsettingsd         rpx,
  @{lib}/drkonqi            rpx,

  # utempter and kconf_update switch to their own profiles. The kconf_update
  # rules use uppercase Px, so the environment is scrubbed for that helper.
  @{lib}/{,@{multiarch}/}utempter/utempter rpx,
  /{,usr/}lib{,exec,32,64}/*-linux-gnu*/{,libexec/}kf{5,6}/kconf_update Px,
  /{,usr/}lib{,exec,32,64}/kf{5,6}/kconf_update Px,

  # Read-only system data under /usr/share (KDE resources, distro release and
  # upgrade metadata).
  /usr/share/color-schemes/{,**} r,
  /usr/share/distro-info/{,**} r,
  /usr/share/distro-release-notifier/{,**} r,
  /usr/share/kconf_update/ r,
  /usr/share/kded{5,6}/{,**} r,
  /usr/share/kf{5,6}/kcookiejar/* r,
  /usr/share/khotkeys/{,**} r,
  /usr/share/kservices{5,6}/{,**} r,
  /usr/share/kservicetypes5/{,**} r,
  /usr/share/ubuntu-release-upgrader/{,*} r,

  # Read-only system configuration.
  /etc/fstab r,
  /etc/xdg/accept-languages.codes r,
  /etc/xdg/kde* r,
  /etc/xdg/kioslaverc r,
  /etc/xdg/menus/{,**} r,
  /etc/update-manager/{,**} r,

  # Host identifier; readable without an owner restriction.
  /etc/machine-id r,
  /var/lib/dbus/machine-id r,

  # Directory listing only (trailing slash) of the filesystem root and of the
  # EFI mount point named by @{efi}.
  / r,
  @{efi}/ r,

  # 'owner' limits each rule below to files owned by the confined process's
  # user.
  owner /var/lib/update-manager/meta-release-lts rw,

  # Home directory: list the top level, read/write only ~/.gtkrc-2.0.
  owner @{HOME}/ r,
  owner @{HOME}/.gtkrc-2.0 rw,

  # Write-only access into the Flatpak Firefox data tree: create directories,
  # plus exactly two files - the Plasma browser-integration native-messaging
  # manifest and its host. No read permission is granted here.
  # NOTE(review): the '**/ w' rule allows creating directories anywhere under
  # org.mozilla.firefox, wider than the two file paths need - confirm.
  owner @{HOME}/.var/ w,
  owner @{HOME}/.var/app/ w,
  owner @{HOME}/.var/app/org.mozilla.firefox/**/ w,
  owner @{HOME}/.var/app/org.mozilla.firefox/.mozilla/native-messaging-hosts/org.kde.plasma.browser_integration.json w,
  owner @{HOME}/.var/app/org.mozilla.firefox/plasma-browser-integration-host w,

  # User cache. Permission letters: r read, w write, l hard link, k file
  # lock; '-> target' restricts what a link may point at.
  # NOTE(review): the ksycoca rule has no 'owner' qualifier, unlike the
  # rules around it - confirm this is intentional.
        @{user_cache_dirs}/ksycoca{5,6}_* rwlk -> @{user_cache_dirs}/#@{int},
  owner @{user_cache_dirs}/plasmashell/ rw,
  owner @{user_cache_dirs}/plasmashell/** rwlk ->  @{user_cache_dirs}/plasmashell/**,
  owner @{user_cache_dirs}/update-manager-core/meta-release-lts rw,

  # User configuration. '*rc' covers every file in the config directory whose
  # name ends in "rc", together with its '.lock' and '.@{rand6}' companions.
  # '#@{int}' names are presumably anonymous temporary files that get linked
  # into place - confirm.
  # NOTE(review): the two kcookiejarrc rules are not owner-restricted.
        @{user_config_dirs}/kcookiejarrc.lock rwk,
        @{user_config_dirs}/kcookiejarrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
  owner @{user_config_dirs}/*rc rwl -> @{user_config_dirs}/#@{int},
  owner @{user_config_dirs}/*rc.@{rand6} rwl -> @{user_config_dirs}/#@{int},
  owner @{user_config_dirs}/*rc.lock rwk,
  owner @{user_config_dirs}/gtk-{3,4}.0/{,**} rwl,
  owner @{user_config_dirs}/gtk-{3,4}.0/settings.ini.lock rk,
  owner @{user_config_dirs}/kdedefaults/{,**} r,
  owner @{user_config_dirs}/libaccounts-glib/ rw,
  owner @{user_config_dirs}/libaccounts-glib/accounts.db{,-shm,-wal,-journal} rwk,
  owner @{user_config_dirs}/menus/{,**} r,
  owner @{user_config_dirs}/plasma* r,
  owner @{user_config_dirs}/Trolltech.conf.lock rwk,
  owner @{user_config_dirs}/Trolltech.conf{,.@{rand6}} rwl,
  owner @{user_config_dirs}/xsettingsd/{,**} rw,

  # User data directory, all owner-restricted. The kcookiejar entries cover
  # the cookie store, its lock file and its temporary files; the rest are
  # KDE service data, caches and screen configuration.
  owner @{user_share_dirs}/icc/{,edid-*} r,
  owner @{user_share_dirs}/kcookiejar/#@{int} rw,
  owner @{user_share_dirs}/kcookiejar/cookies.lock rwk,
  owner @{user_share_dirs}/kcookiejar/cookies{,.@{rand6}} rwkl,
  owner @{user_share_dirs}/kded{5,6}/{,**} rw,
  owner @{user_share_dirs}/kscreen/{,**} rwl,
  owner @{user_share_dirs}/kservices{5,6}/{,**} r,
  owner @{user_share_dirs}/ktp/cache.db rwk,
  owner @{user_share_dirs}/remoteview/ r,
  owner @{user_share_dirs}/services5/{,**} r,
  owner @{user_share_dirs}/user-places.xbel r,

  # User state directory: '#<number>' files and the plasmashell state file.
  owner @{user_state_dirs}/#@{int} rw,
  owner @{user_state_dirs}/plasmashellstaterc{,*} rwlk,

  # Runtime state. The first three rules are not owner-restricted (mount
  # table, udev records for USB character devices, the gvfs directory).
        @{run}/mount/utab r,
        @{run}/udev/data/c189:@{int} r,                # for /dev/bus/usb/**
        @{run}/user/@{uid}/gvfs/ r,
  owner @{run}/user/@{uid}/#@{int} rw,
  owner @{run}/user/@{uid}/kded{5,6}*kioworker.socket rwl,

  # Temporary files.
  # NOTE(review): the link target below is the literal /tmp while the path
  # uses @{tmp}; if @{tmp} covers more than /tmp the two will not line up.
  # Only kded6 is listed, with no kded5 counterpart - confirm both.
  owner @{tmp}/#@{int} rw,
  owner @{tmp}/kded6.@{rand6} rwl -> /tmp/#@{int},
  owner @{tmp}/plasma-csd-generator.@{rand6}/{,**} rw,

  @{sys}/class/leds/ r,

  # udev records for block devices.
  @{run}/udev/data/b8:@{int} r,       # for /dev/sd*
  @{run}/udev/data/b259:@{int} r,     # Block Extended Major

  # /proc access. The @{pids} rules are not owner-restricted, so they cover
  # other users' processes as well; combined with 'capability sys_ptrace'
  # and 'ptrace read' this is the widest read surface in the profile.
  # NOTE(review): '@{PROC}/@{pids}/cmdline/' ends in a slash and therefore
  # matches a directory, while cmdline is a regular file - this rule likely
  # never matches. 'fd/info/' looks like a duplicate of the 'fdinfo/' rule
  # above it with a stray slash. Confirm both before enforcing.
        @{PROC}/ r,
        @{PROC}/@{pids}/cmdline/ r,
        @{PROC}/@{pids}/fd/ r,
        @{PROC}/@{pids}/fdinfo/@{int} r,
        @{PROC}/@{pids}/fd/info/@{int} r,
        @{PROC}/sys/fs/inotify/max_user_{instances,watches} r,
  # Own process only.
  owner @{PROC}/@{pid}/cmdline r,
  owner @{PROC}/@{pid}/mountinfo r,
  owner @{PROC}/@{pid}/mounts r,

  # Device nodes: disk label listing, pseudo-terminal multiplexer, and
  # read/write on the rfkill control device.
  /dev/disk/by-label/ r,
  /dev/ptmx rw,
  /dev/rfkill rw,

  # Child profile entered through the '@{bin}/pgrep rcx -> pgrep' rule. It
  # gets only base-strict and the shared pgrep abstraction, and is also in
  # complain mode, so it logs rather than blocks.
  profile pgrep flags=(complain) {
    include <abstractions/base-strict>
    include <abstractions/app/pgrep>

    # Optional site-local additions for the child profile.
    include if exists <local/kded_pgrep>
  }

  # Optional site-local additions for the main profile. Anything placed in
  # that file is merged into kded, so it should be reviewed like the profile.
  include if exists <local/kded>
}

# vim:syntax=apparmor
