From f1773f4083b4fbcf04bb8c7fc59bf83af9f6b1f2 Mon Sep 17 00:00:00 2001
From: nl6720
Date: Tue, 24 Jun 2025 11:11:52 +0300
Subject: [PATCH] profiles: add QtWebEngineProcess path used by Arch Linux and other distros
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Arch Linux qt6-webengine has `/usr/lib/qt6/QtWebEngineProcess` and qt5-webengine has `/usr/lib/qt/libexec/QtWebEngineProcess`. Fedora has `/usr/lib64/qt6/libexec/QtWebEngineProcess`. openSUSE Tumbleweed has `/usr/libexec/qt5/QtWebEngineProcess` and `/usr/libexec/qt6/QtWebEngineProcess`.
Co-authored-by: Maxime Bélair
---
 profiles/apparmor.d/QtWebEngineProcess | 2 +-
 profiles/apparmor.d/plasmashell | 4 +---
 2 files changed, 2 insertions(+), 4 deletions(-)
diff --git a/profiles/apparmor.d/QtWebEngineProcess b/profiles/apparmor.d/QtWebEngineProcess
index 39cb07911..d04e90184 100644
--- a/profiles/apparmor.d/QtWebEngineProcess
+++ b/profiles/apparmor.d/QtWebEngineProcess
@@ -4,7 +4,7 @@ abi ,
 include
-profile QtWebEngineProcess /usr/lib/@{multiarch}/qt{5,6}/libexec/QtWebEngineProcess flags=(unconfined) {
+profile QtWebEngineProcess /usr/lib{,64,exec}/{,@{multiarch}/}qt{,5,6}/{,libexec/}QtWebEngineProcess flags=(unconfined) {
 userns,
 @{exec_path} mr,
diff --git a/profiles/apparmor.d/plasmashell b/profiles/apparmor.d/plasmashell
index ea663d67e..c40d4f690 100644
--- a/profiles/apparmor.d/plasmashell
+++ b/profiles/apparmor.d/plasmashell
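Review bot: The new attachment on the `profile QtWebEngineProcess` line is a product of four alternations, so it matches all 36 combinations rather than only the paths the commit message lists; `/usr/libexec/@{multiarch}/qt/QtWebEngineProcess`, for example, now attaches as well. Since this profile is `flags=(unconfined)` and grants `userns`, I would add a comment above the profile line recording which layout each alternative exists for, e.g. `# Arch: /usr/lib/qt6, /usr/lib/qt/libexec; Fedora: /usr/lib64/qt6/libexec; openSUSE: /usr/libexec/qt{5,6}; multiarch: /usr/lib/@{multiarch}/qt{5,6}/libexec`, so the pattern can be narrowed later instead of only ever growing. The identical expression is repeated in profiles/apparmor.d/plasmashell, and nothing visible here keeps the two copies in sync. The profile body continues outside the hunk.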
@@ -18,9 +18,7 @@ profile plasmashell /usr/bin/plasmashell {
 ptrace,
 # allow executing QtWebEngineProcess with full permissions including userns (using profile stacking to avoid no_new_privs issues)
- /usr/lib/x86_64-linux-gnu/qt[56]/libexec/QtWebEngineProcess cx -> &plasmashell//QtWebEngineProcess,
- /usr/libexec/qt[56]/QtWebEngineProcess cx -> &plasmashell//QtWebEngineProcess,
- /usr/lib/qt6/libexec/QtWebEngineProcess cx -> &plasmashell//QtWebEngineProcess,
+ priority=1 /usr/lib{,64,exec}/{,@{multiarch}/}qt{,5,6}/{,libexec/}QtWebEngineProcess cx -> &plasmashell//QtWebEngineProcess,
 # allow to execute all other programs under their own profile, or to run unconfined
 /** pux,
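Review bot: The added `cx` rule carries `priority=1` with no explanation, and the existing comment above it only describes the stacking. Presumably the prefix is there so this transition takes precedence over the overlapping `/** pux,` rule two lines below, but that should be stated, e.g. `# priority=1: this pattern overlaps "/** pux" below and must win over it`. As far as I know the `priority=` prefix is only understood by newer apparmor_parser releases, so it is worth confirming the profile still compiles with every parser version it ships alongside; a parse failure would likely leave plasmashell running without this profile. The child profile `plasmashell//QtWebEngineProcess` that the rule transitions to is defined outside the hunk.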