[Q]: Is there a way to confine a QT app in Plasma5/KDE environment?
In my current setup, which is based on X/Openbox, I'm able to confine any GUI app (QT/GTK) without any problem. But I recently wanted to see how the apps behave in Plasma5/KDE environment (for now I have only the minimal Plasma5 that can be installed on Debian), and I noticed that AppArmor can't really confine a QT apps here.
Basically when a user wants to save/open a file in the app's QT interface, the app has access to all files in any location no matter what restrictions are set in the app's AA profile. It's simply because of, I think, the Plasma5/KDE works. Here's the log from a terminal, when I want to open some file in the example app:
kdeinit5: Got EXEC_NEW '/usr/lib/x86_64-linux-gnu/qt5/plugins/kf5/kio/tags.so' from launcher. kdeinit5: preparing to launch '/usr/lib/x86_64-linux-gnu/qt5/plugins/kf5/kio/tags.so' kdeinit5: Got EXEC_NEW '/usr/lib/x86_64-linux-gnu/qt5/plugins/kf5/kio/file.so' from launcher. kdeinit5: preparing to launch '/usr/lib/x86_64-linux-gnu/qt5/plugins/kf5/kio/file.so' kf5.kio.kio_tags: tag fetch failed: "Failed to open the database" kf5.kio.kio_tags: "tags:/" list() invalid url kdeinit5: Got EXEC_NEW '/usr/lib/x86_64-linux-gnu/qt5/plugins/kf5/kio/file.so' from launcher. kdeinit5: preparing to launch '/usr/lib/x86_64-linux-gnu/qt5/plugins/kf5/kio/file.so' kdeinit5: PID 124411 terminated. qt.qpa.xcb: QXcbConnection: XCB error: 3 (BadWindow), sequence: 3287, resource id: 48242649, major code: 15 (QueryTree), minor code: 0 qt.qpa.xcb: QXcbConnection: XCB error: 3 (BadWindow), sequence: 9105, resource id: 50331859, major code: 15 (QueryTree), minor code: 0 kdeinit5: PID 124409 terminated. kdeinit5: PID 124410 terminated.
And as you can see
kdeinit5 (which I think can't be confined) execs
file.so whenever the QT app wants to save/load some file. If this behavior is denied (blocking some files in the AA app profile), then the app is unable to see any files and some errors occur:
When I allow the needed files in the app's AA profile, then the app starts to see files, but not only those limited by the profile policy, but all of them.
So how to handle Plasma5/KDE desktops?