diff --git a/apparmor.d/abstractions/gstreamer b/apparmor.d/abstractions/gstreamer index 52802e55..38b43ad9 100644 --- a/apparmor.d/abstractions/gstreamer +++ b/apparmor.d/abstractions/gstreamer @@ -27,12 +27,12 @@ #owner /tmp/orcexec.* mrw, #owner @{HOME}/orcexec.* mrw, - @{run}/udev/data/+drm:* r, # For screen outputs - @{run}/udev/data/+usb:* r, # For /dev/bus/usb/** + @{run}/udev/data/+drm:card[0-9]-* r, # For screen outputs + @{run}/udev/data/+usb:* r, # For /dev/bus/usb/** - @{run}/udev/data/c81:@{int} r, # For video4linux - @{run}/udev/data/c189:@{int} r, # For USB serial converters - @{run}/udev/data/c226:@{int} r, # For /dev/dri/card[0-9]* + @{run}/udev/data/c81:@{int} r, # For video4linux + @{run}/udev/data/c189:@{int} r, # For USB serial converters + @{run}/udev/data/c226:@{int} r, # For /dev/dri/card[0-9]* @{sys}/bus/ r, @{sys}/bus/media/devices/ r, diff --git a/apparmor.d/abstractions/kde5-plasma5 b/apparmor.d/abstractions/kde5-plasma5 index 5c592178..0a4c3539 100644 --- a/apparmor.d/abstractions/kde5-plasma5 +++ b/apparmor.d/abstractions/kde5-plasma5 @@ -51,7 +51,7 @@ #deny @{sys}/bus/usb/devices/ r, #deny @{sys}/class/ r, #deny @{run}/udev/data/b8:[0-9]* r, # for /dev/sda1 , etc. - #deny @{run}/udev/data/c189:[0-9]* r, # for /dev/bus/usb/001/001 , etc. + #deny @{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/001/001 , etc. #deny @{run}/udev/data/+usb:* r, # #/etc/exports r, #/etc/xdg/menus/ r, diff --git a/apparmor.d/groups/browsers/firefox b/apparmor.d/groups/browsers/firefox index a5e240d9..bdebbdb0 100644 --- a/apparmor.d/groups/browsers/firefox +++ b/apparmor.d/groups/browsers/firefox 
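Review bot: The narrowed DRM rule `@{run}/udev/data/+drm:card[0-9]-* r,` matches only single-digit card indexes, while every other numeric component this commit touches moves to `@{int}`. On a host with ten or more DRM cards, the connector entries for `card10` and above would presumably be denied, where the old `+drm:*` allowed them. Consider `@{run}/udev/data/+drm:card@{int}-* r,` here and in the plymouthd, libvirtd, virtnodedevd and nvtop hunks, which make the same change.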
@@ -229,8 +229,8 @@ profile firefox @{exec_path} flags=(attach_disconnected) { @{run}/mount/utab r, - @{run}/udev/data/+input* r, # for mouse, keyboard, touchpad - @{run}/udev/data/c13:[0-9]* r, # for /dev/input/* + @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad + @{run}/udev/data/c13:@{int} r, # for /dev/input/* @{sys}/bus/ r, @{sys}/cgroup/cpu,cpuacct/user.slice/cpu.cfs_quota_us r, diff --git a/apparmor.d/groups/freedesktop/colord b/apparmor.d/groups/freedesktop/colord index 674fab78..ab83a7ff 100644 --- a/apparmor.d/groups/freedesktop/colord +++ b/apparmor.d/groups/freedesktop/colord @@ -79,6 +79,8 @@ profile colord @{exec_path} flags=(attach_disconnected) { @{run}/systemd/sessions/* r, + @{run}/udev/data/c81:@{int} r, # For video4linux + @{sys}/class/drm/ r, @{sys}/class/video4linux/ r, @{sys}/devices/pci[0-9]*/**/drm/card[0-9]/card[0-9]-{HDMI,VGA,LVDS,DP,eDP,Virtual}-*/{enabled,edid} r, diff --git a/apparmor.d/groups/freedesktop/iio-sensor-proxy b/apparmor.d/groups/freedesktop/iio-sensor-proxy index aceb5cc3..4e4d74ac 100644 --- a/apparmor.d/groups/freedesktop/iio-sensor-proxy +++ b/apparmor.d/groups/freedesktop/iio-sensor-proxy @@ -14,12 +14,12 @@ profile iio-sensor-proxy @{exec_path} { @{exec_path} mr, - @{run}/udev/data/+platform* r, - @{run}/udev/data/+input* r, - @{run}/udev/data/c13:[0-9]* r, # For /dev/input/* - @{run}/udev/data/c3[0-9]*:[0-9]* r, # For dynamic assignment range 384 to 511 - @{run}/udev/data/c4[0-9]*:[0-9]* r, - @{run}/udev/data/c5[0-9]*:[0-9]* r, + @{run}/udev/data/+platform:* r, + @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad + @{run}/udev/data/c13:@{int} r, # For /dev/input/* + @{run}/udev/data/c3[0-9]*:@{int} r, # For dynamic assignment range 384 to 511 + @{run}/udev/data/c4[0-9]*:@{int} r, + @{run}/udev/data/c5[0-9]*:@{int} r, @{sys}/bus/ r, @{sys}/bus/iio/devices/ r, 
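Review bot: The major-number globs `c3[0-9]*`, `c4[0-9]*` and `c5[0-9]*` kept on the new lines of the iio-sensor-proxy hunk are much wider than the "dynamic assignment range 384 to 511" named in the comment: in AppArmor globbing `*` does not repeat the preceding class but matches any run of characters other than `/`, so these rules also cover majors 30-39, 40-49 and 50-59 and any other name starting with those digits. The commit tightens the minor to `@{int}` but leaves the major open, so the rules still grant more than they document. The same three lines recur in the pipewire, gnome-control-center, systemd-journald, libvirtd and virtnodedevd hunks, so a shared abstraction or variable would keep them in step. A bounded form is sketched below.

```apparmor
  @{run}/udev/data/c38[4-9]:@{int} r,       # For dynamic assignment range 384 to 511
  @{run}/udev/data/c39[0-9]:@{int} r,
  @{run}/udev/data/c4[0-9][0-9]:@{int} r,
  @{run}/udev/data/c50[0-9]:@{int} r,
  @{run}/udev/data/c51[0-1]:@{int} r,
```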
diff --git a/apparmor.d/groups/freedesktop/pipewire b/apparmor.d/groups/freedesktop/pipewire index 94e325f9..7655dc22 100644 --- a/apparmor.d/groups/freedesktop/pipewire +++ b/apparmor.d/groups/freedesktop/pipewire @@ -65,13 +65,13 @@ profile pipewire @{exec_path} flags=(attach_disconnected) { owner /tmp/librnnoise-[0-9]*.so rm, owner @{run}/user/@{uid}/pipewire-[0-9]*.lock rwk, - @{run}/udev/data/c81:[0-9]* r, # For video4linux - @{run}/udev/data/c23[4-9]:[0-9]* r, # For dynamic assignment range 234 to 254 - @{run}/udev/data/c24[0-9]:[0-9]* r, - @{run}/udev/data/c25[0-4]:[0-9]* r, - @{run}/udev/data/c3[0-9]*:[0-9]* r, # For dynamic assignment range 384 to 511 - @{run}/udev/data/c4[0-9]*:[0-9]* r, - @{run}/udev/data/c5[0-9]*:[0-9]* r, + @{run}/udev/data/c81:@{int} r, # For video4linux + @{run}/udev/data/c23[4-9]:@{int} r, # For dynamic assignment range 234 to 254 + @{run}/udev/data/c24[0-9]:@{int} r, + @{run}/udev/data/c25[0-4]:@{int} r, + @{run}/udev/data/c3[0-9]*:@{int} r, # For dynamic assignment range 384 to 511 + @{run}/udev/data/c4[0-9]*:@{int} r, + @{run}/udev/data/c5[0-9]*:@{int} r, @{sys}/bus/ r, @{sys}/bus/media/devices/ r, diff --git a/apparmor.d/groups/freedesktop/pipewire-media-session b/apparmor.d/groups/freedesktop/pipewire-media-session index 8af8079f..9d425fa2 100644 --- a/apparmor.d/groups/freedesktop/pipewire-media-session +++ b/apparmor.d/groups/freedesktop/pipewire-media-session @@ -58,8 +58,8 @@ profile pipewire-media-session @{exec_path} { owner @{run}/user/@{uid}/pipewire-[0-9]* rw, - @{run}/udev/data/+sound:card[0-9]* r, # For sound - @{run}/udev/data/c116:[0-9]* r, # for ALSA + @{run}/udev/data/+sound:card@{int} r, # For sound + @{run}/udev/data/c116:@{int} r, # for ALSA @{run}/systemd/users/@{uid} r, diff --git a/apparmor.d/groups/freedesktop/plymouthd b/apparmor.d/groups/freedesktop/plymouthd index 355c34ce..e7d586c6 100644 --- a/apparmor.d/groups/freedesktop/plymouthd +++ b/apparmor.d/groups/freedesktop/plymouthd 
@@ -38,9 +38,9 @@ profile plymouthd @{exec_path} { @{run}/plymouth/{,**} rw, - @{run}/udev/data/+drm:* r, - @{run}/udev/data/c226:[0-9]* r, # For /dev/dri/card[0-9]* - @{run}/udev/data/c29:* r, # For /dev/fb[0-9]* + @{run}/udev/data/+drm:card[0-9]-* r, # for screen outputs + @{run}/udev/data/c226:@{int} r, # For /dev/dri/card[0-9]* + @{run}/udev/data/c29:@{int} r, # For /dev/fb[0-9]* @{sys}/bus/ r, @{sys}/class/ r, diff --git a/apparmor.d/groups/freedesktop/pulseaudio b/apparmor.d/groups/freedesktop/pulseaudio index 3ff764f7..0505f336 100644 --- a/apparmor.d/groups/freedesktop/pulseaudio +++ b/apparmor.d/groups/freedesktop/pulseaudio @@ -173,12 +173,12 @@ profile pulseaudio @{exec_path} { @{run}/systemd/users/@{uid} r, - @{run}/udev/data/+pci* r, - @{run}/udev/data/+sound:card[0-9]* r, # For sound - @{run}/udev/data/c116:[0-9]* r, # for ALSA - @{run}/udev/data/c23[4-9]:[0-9]* r, # For dynamic assignment range 234 to 254 - @{run}/udev/data/c24[0-9]:[0-9]* r, - @{run}/udev/data/c25[0-4]:[0-9]* r, + @{run}/udev/data/+pci:* r, + @{run}/udev/data/+sound:card@{int} r, # For sound + @{run}/udev/data/c116:@{int} r, # for ALSA + @{run}/udev/data/c23[4-9]:@{int} r, # For dynamic assignment range 234 to 254 + @{run}/udev/data/c24[0-9]:@{int} r, + @{run}/udev/data/c25[0-4]:@{int} r, @{sys}/class/sound/ r, @{sys}/devices/**/sound/**/{uevent,pcm_class} r, diff --git a/apparmor.d/groups/freedesktop/upowerd b/apparmor.d/groups/freedesktop/upowerd index dd79608d..59b9eddd 100644 --- a/apparmor.d/groups/freedesktop/upowerd +++ b/apparmor.d/groups/freedesktop/upowerd 
@@ -48,16 +48,16 @@ profile upowerd @{exec_path} flags=(attach_disconnected) { /var/lib/upower/history-*.dat{,.*} rw, @{run}/udev/data/ r, - @{run}/udev/data/+acpi:* r, - @{run}/udev/data/+hid* r, - @{run}/udev/data/+input* r, - @{run}/udev/data/+pci* r, - @{run}/udev/data/+platform* r, + @{run}/udev/data/+acpi:* r, # for acpi + @{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard + @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad + @{run}/udev/data/+pci:* r, + @{run}/udev/data/+platform:* r, @{run}/udev/data/+power_supply* r, - @{run}/udev/data/+sound:card[0-9]* r, # for sound - @{run}/udev/data/c10:[0-9]* r, # for non-serial mice, misc features - @{run}/udev/data/c13:[0-9]* r, # for /dev/input/* - @{run}/udev/data/c116:[0-9]* r, # for ALSA + @{run}/udev/data/+sound:card@{int} r, # for sound + @{run}/udev/data/c10:@{int} r, # for non-serial mice, misc features + @{run}/udev/data/c13:@{int} r, # for /dev/input/* + @{run}/udev/data/c116:@{int} r, # for ALSA @{run}/systemd/inhibit/[0-9]*.ref rw, diff --git a/apparmor.d/groups/freedesktop/xorg b/apparmor.d/groups/freedesktop/xorg index 0a11954c..6a868324 100644 --- a/apparmor.d/groups/freedesktop/xorg +++ b/apparmor.d/groups/freedesktop/xorg 
@@ -117,22 +117,22 @@ profile xorg @{exec_path} flags=(attach_disconnected) { @{sys}/devices/platform/ r, @{sys}/module/i915/{,**} r, + @{run}/udev/data/+acpi:* r, # for acpi + @{run}/udev/data/+dmi* r, # for ? + @{run}/udev/data/+drm:card[0-9]-* r, # for screen outputs + @{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard @{run}/udev/data/+i2c:* r, - @{run}/udev/data/+input* r, # for mouse, keyboard, touchpad - @{run}/udev/data/+platform* r, # for ? - @{run}/udev/data/+drm:card[0-9]-* r, # for screen outputs - @{run}/udev/data/+dmi* r, # for ? - @{run}/udev/data/+acpi* r, # for ? - @{run}/udev/data/+hid* r, # for HID-Compliant Keyboard - @{run}/udev/data/+pci* r, # for VGA compatible controller - @{run}/udev/data/+usb* r, # for USB mouse and keyboard - @{run}/udev/data/+serio* r, # for touchpad? - @{run}/udev/data/c4:[0-9]* r, # for /dev/tty[0-9]* - @{run}/udev/data/c5:[0-9]* r, # for /dev/tty, /dev/console, /dev/ptmx - @{run}/udev/data/c10:[0-9]* r, # for non-serial mice, misc features - @{run}/udev/data/c13:[0-9]* r, # for /dev/input/* - @{run}/udev/data/c189:[0-9]* r, # for /dev/bus/usb/** - @{run}/udev/data/c226:[0-9]* r, # for /dev/dri/card* + @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad + @{run}/udev/data/+pci:* r, # for VGA compatible controller + @{run}/udev/data/+platform:* r, # for ? + @{run}/udev/data/+serio:* r, # for touchpad? + @{run}/udev/data/+usb* r, # for USB mouse and keyboard + @{run}/udev/data/c4:@{int} r, # for /dev/tty[0-9]* + @{run}/udev/data/c5:@{int} r, # for /dev/tty, /dev/console, /dev/ptmx + @{run}/udev/data/c10:@{int} r, # for non-serial mice, misc features + @{run}/udev/data/c13:@{int} r, # for /dev/input/* + @{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/** + @{run}/udev/data/c226:@{int} r, # for /dev/dri/card* @{PROC}/@{pids}/cmdline r, @{PROC}/cmdline r, diff --git a/apparmor.d/groups/gnome/gdm b/apparmor.d/groups/gnome/gdm index 8163a06e..3c618a6c 100644 --- a/apparmor.d/groups/gnome/gdm 
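Review bot: Two of the re-added subsystem rules in the xorg block, `+dmi*` and `+usb*`, still lack the `:` separator that the rest of the block gains, so they match any udev data file whose name merely starts with that prefix. `+usb*`, for instance, also covers the `+usb-serial:*` entries that systemd-journald lists as a separate rule. Suggest `@{run}/udev/data/+usb:* r,` and, if the id entry is all Xorg reads, `@{run}/udev/data/+dmi:id r,` as used in gnome-shell and libvirtd. The gnome-shell hunk keeps `+usb*` on its new side as well and leaves `+acpi*` untouched as context. The `# for ?` comments on `+dmi*` and `+platform:*` should be resolved or explicitly marked as unverified, so a later audit can tell a needed rule from a guessed one.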
+++ b/apparmor.d/groups/gnome/gdm @@ -97,9 +97,10 @@ profile gdm @{exec_path} flags=(attach_disconnected) { @{run}/systemd/sessions/*.ref r, @{run}/systemd/users/@{uid} r, - @{run}/udev/data/+drm:card[0-9]-* r, - @{run}/udev/data/+pci* r, - @{run}/udev/data/c226:[0-9]* r, # for /dev/dri/card* + @{run}/udev/data/+drm:card[0-9]-* r, # for screen outputs + @{run}/udev/data/+pci:* r, + @{run}/udev/data/c226:@{int} r, # for /dev/dri/card* + @{run}/udev/tags/master-of-seat/ r, @{sys}/devices/**/uevent r, diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index b16a8145..a53b26b1 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center @@ -164,16 +164,16 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { @{run}/systemd/users/@{uid} r, @{run}/udev/data/+dmi:* r, - @{run}/udev/data/+input* r, # for mouse, keyboard, touchpad - @{run}/udev/data/+pci* r, - @{run}/udev/data/c13:[0-9]* r, # for /dev/input/* - @{run}/udev/data/c23[4-9]:[0-9]* r, # For dynamic assignment range 234 to 254 - @{run}/udev/data/c24[0-9]:[0-9]* r, - @{run}/udev/data/c25[0-4]:[0-9]* r, - @{run}/udev/data/c3[0-9]*:[0-9]* r, # For dynamic assignment range 384 to 511 - @{run}/udev/data/c4[0-9]*:[0-9]* r, - @{run}/udev/data/c5[0-9]*:[0-9]* r, - @{run}/udev/data/n[0-9]* r, + @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad + @{run}/udev/data/+pci:* r, + @{run}/udev/data/c13:@{int} r, # for /dev/input/* + @{run}/udev/data/c23[4-9]:@{int} r, # For dynamic assignment range 234 to 254 + @{run}/udev/data/c24[0-9]:@{int} r, + @{run}/udev/data/c25[0-4]:@{int} r, + @{run}/udev/data/c3[0-9]*:@{int} r, # For dynamic assignment range 384 to 511 + @{run}/udev/data/c4[0-9]*:@{int} r, + @{run}/udev/data/c5[0-9]*:@{int} r, + @{run}/udev/data/n@{int} r, @{sys}/bus/ r, @{sys}/class/ r, 
diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 499bdf1a..490d40b1 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -598,20 +598,20 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { @{run}/udev/tags/seat/ r, - @{run}/udev/data/+input* r, # for mouse, keyboard, touchpad - @{run}/udev/data/+platform* r, + @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad + @{run}/udev/data/+platform:* r, @{run}/udev/data/+dmi:id r, @{run}/udev/data/+acpi* r, - @{run}/udev/data/+pci* r, # for VGA compatible controller - @{run}/udev/data/+sound:card* r, # for sound - @{run}/udev/data/+usb* r, # for USB mouse and keyboard + @{run}/udev/data/+pci:* r, # for VGA compatible controller + @{run}/udev/data/+sound:card@{int} r, # for sound + @{run}/udev/data/+usb* r, # for USB mouse and keyboard @{run}/udev/data/+i2c:* r, - @{run}/udev/data/+hid* r, # for HID-Compliant Keyboard - @{run}/udev/data/c10:[0-9]* r, # for non-serial mice, misc features - @{run}/udev/data/c13:[0-9]* r, # for /dev/input/* - @{run}/udev/data/c189:[0-9]* r, # for /dev/bus/usb/** - @{run}/udev/data/c226:[0-9]* r, # for /dev/dri/card* - @{run}/udev/data/n[0-9]* r, + @{run}/udev/data/+hid:* r , # for HID-Compliant Keyboard + @{run}/udev/data/c10:@{int} r, # for non-serial mice, misc features + @{run}/udev/data/c13:@{int} r, # for /dev/input/* + @{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/** + @{run}/udev/data/c226:@{int} r, # for /dev/dri/card* + @{run}/udev/data/n@{int} r, @{sys}/**/uevent r, @{sys}/bus/ r, diff --git a/apparmor.d/groups/gnome/gsd-media-keys b/apparmor.d/groups/gnome/gsd-media-keys index 4c03b968..d1313ae3 100644 --- a/apparmor.d/groups/gnome/gsd-media-keys +++ b/apparmor.d/groups/gnome/gsd-media-keys 
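Review bot: The new `+hid` rule in the gnome-shell hunk is written `@{run}/udev/data/+hid:* r , # for HID-Compliant Keyboard`, with whitespace between the permission and the terminating comma, unlike every other rule in the hunk. Whether or not the parser tolerates it, it should read `@{run}/udev/data/+hid:* r,` so the rule list stays uniform and easy to grep.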
@@ -187,9 +187,9 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { owner /dev/tty@{int} rw, - @{run}/udev/data/+sound:card[0-9]* r, # For sound - @{run}/udev/data/c13:[0-9]* r, # for /dev/input/* - @{run}/udev/data/c189:[0-9]* r, # For /dev/bus/usb/** + @{run}/udev/data/+sound:card@{int} r, # For sound + @{run}/udev/data/c13:@{int} r, # for /dev/input/* + @{run}/udev/data/c189:@{int} r, # For /dev/bus/usb/** @{sys}/devices/**/usb[0-9]/{,**} r, @{sys}/devices/pci[0-9]*/**/sound/**/uevent r, diff --git a/apparmor.d/groups/gnome/gsd-rfkill b/apparmor.d/groups/gnome/gsd-rfkill index f178d95c..e185fc2d 100644 --- a/apparmor.d/groups/gnome/gsd-rfkill +++ b/apparmor.d/groups/gnome/gsd-rfkill @@ -88,7 +88,7 @@ profile gsd-rfkill @{exec_path} flags=(attach_disconnected) { @{sys}/devices/virtual/misc/rfkill/uevent r, - @{run}/udev/data/c10:[0-9]* r, # for non-serial mice, misc features + @{run}/udev/data/c10:@{int} r, # for non-serial mice, misc features owner /dev/tty@{int} rw, diff --git a/apparmor.d/groups/network/ModemManager b/apparmor.d/groups/network/ModemManager index 919a9ba7..026ead9e 100644 --- a/apparmor.d/groups/network/ModemManager +++ b/apparmor.d/groups/network/ModemManager 
@@ -53,13 +53,13 @@ profile ModemManager @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{run}/udev/data/+pci:* r, - @{run}/udev/data/+platform* r, + @{run}/udev/data/+platform:* r, @{run}/udev/data/+usb:* r, - @{run}/udev/data/c16[6,7]:[0-9]* r, # USB modems - @{run}/udev/data/c18[0,8,9]:[0-9]* r, # USB devices & USB serial converters - @{run}/udev/data/c4:[0-9]* r, # for /dev/tty[0-9]* - @{run}/udev/data/c5:[0-9]* r, # for /dev/tty, /dev/console, /dev/ptmx - @{run}/udev/data/n[0-9]* r, + @{run}/udev/data/c16[6,7]:[0-9]* r, # USB modems + @{run}/udev/data/c18[0,8,9]:[0-9]* r, # USB devices & USB serial converters + @{run}/udev/data/c4:@{int} r, # for /dev/tty[0-9]* + @{run}/udev/data/c5:@{int} r, # for /dev/tty, /dev/console, /dev/ptmx + @{run}/udev/data/n@{int} r, @{run}/systemd/inhibit/*.ref rw, diff --git a/apparmor.d/groups/network/NetworkManager b/apparmor.d/groups/network/NetworkManager index ee4ccd2c..d0f57d0e 100644 --- a/apparmor.d/groups/network/NetworkManager +++ b/apparmor.d/groups/network/NetworkManager @@ -139,10 +139,10 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { @{run}/nscd/db* rwl, @{run}/systemd/inhibit/[0-9]*.ref rw, @{run}/systemd/users/@{uid} r, - @{run}/udev/data/+pci* r, - @{run}/udev/data/+platform* r, + @{run}/udev/data/+pci:* r, + @{run}/udev/data/+platform:* r, @{run}/udev/data/+rfkill:* r, - @{run}/udev/data/n[0-9]* r, + @{run}/udev/data/n@{int} r, @{sys}/devices/**/uevent r, @{sys}/devices/virtual/net/{,**} r, diff --git a/apparmor.d/groups/network/dhcpcd b/apparmor.d/groups/network/dhcpcd index 0ff1b769..62a5d44e 100644 --- a/apparmor.d/groups/network/dhcpcd +++ b/apparmor.d/groups/network/dhcpcd @@ -54,7 +54,7 @@ profile dhcpcd @{exec_path} flags=(attach_disconnected) { @{run}/dhcpcd/hook-state/resolv.conf/ rw, @{run}/dhcpcd/unpriv.sock w, - @{run}/udev/data/n[0-9]* r, + @{run}/udev/data/n@{int} r, @{sys}/devices/pci[0-9]*/**/uevent r, @{sys}/devices/virtual/dmi/id/product_uuid r, 
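Review bot: The two USB rules in the ModemManager hunk are only re-aligned, so `c16[6,7]:[0-9]*` and `c18[0,8,9]:[0-9]*` keep the loose `[0-9]*` minor (one digit followed by any characters) that the neighbouring lines replace with `@{int}`. The bracket expressions also contain a literal comma, since a character class needs no separators; `c16[67]:@{int}` and `c18[089]:@{int}` express the intent. The same leftover minor glob remains on the new side in obexautofs (`c18[0,8,9]`), systemd-journald (`c18[8-9]`, `c29`), subiquity-console-conf (`c7`, `c29`, `c89`), virtnodedevd (`c29`) and fritzing (`c166`).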
diff --git a/apparmor.d/groups/network/nmcli b/apparmor.d/groups/network/nmcli index 5ab8aa7b..9da6f06e 100644 --- a/apparmor.d/groups/network/nmcli +++ b/apparmor.d/groups/network/nmcli @@ -20,8 +20,8 @@ profile nmcli @{exec_path} { owner @{HOME}/.nm-vpngate/*.ovpn r, owner @{HOME}/.cert/nm-openvpn/*.pem rw, - @{run}/udev/data/+pci* r, - @{run}/udev/data/n[0-9]* r, + @{run}/udev/data/+pci:* r, + @{run}/udev/data/n@{int} r, @{sys}/devices/virtual/net/{,**} r, @{sys}/devices/pci[0-9]*/**/net/*/{,**} r, diff --git a/apparmor.d/groups/systemd/systemd-journald b/apparmor.d/groups/systemd/systemd-journald index 1f537f6b..ce0f2efa 100644 --- a/apparmor.d/groups/systemd/systemd-journald +++ b/apparmor.d/groups/systemd/systemd-journald 
@@ -41,24 +41,25 @@ profile systemd-journald @{exec_path} { @{run}/udev/data/+acpi:* r, @{run}/udev/data/+bluetooth:* r, @{run}/udev/data/+hid:* r, + @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad @{run}/udev/data/+pci:* r, - @{run}/udev/data/+platform* r, + @{run}/udev/data/+platform:* r, @{run}/udev/data/+scsi:* r, @{run}/udev/data/+sdio:* r, @{run}/udev/data/+usb-serial:* r, @{run}/udev/data/+usb:* r, @{run}/udev/data/+virtio:* r, - @{run}/udev/data/c1:[0-9]* r, # For RAM disk - @{run}/udev/data/c4:[0-9]* r, # For TTY devices - @{run}/udev/data/c10:[0-9]* r, # For non-serial mice, misc features - @{run}/udev/data/c18[8-9]:[0-9]* r, # USB devices & USB serial converters - @{run}/udev/data/c29:[0-9]* r, # For CD-ROM - @{run}/udev/data/c23[4-9]:[0-9]* r, # For dynamic assignment range 234 to 254 - @{run}/udev/data/c24[0-9]:[0-9]* r, - @{run}/udev/data/c25[0-4]:[0-9]* r, - @{run}/udev/data/c3[0-9]*:[0-9]* r, # For dynamic assignment range 384 to 511 - @{run}/udev/data/c4[0-9]*:[0-9]* r, - @{run}/udev/data/c5[0-9]*:[0-9]* r, + @{run}/udev/data/c1:@{int} r, # For RAM disk + @{run}/udev/data/c4:@{int} r, # For TTY devices + @{run}/udev/data/c10:@{int} r, # For non-serial mice, misc features + @{run}/udev/data/c18[8-9]:[0-9]* r, # USB devices & USB serial converters + @{run}/udev/data/c29:[0-9]* r, # For CD-ROM + @{run}/udev/data/c23[4-9]:@{int} r, # For dynamic assignment range 234 to 254 + @{run}/udev/data/c24[0-9]:@{int} r, + @{run}/udev/data/c25[0-4]:@{int} r, + @{run}/udev/data/c3[0-9]*:@{int} r, # For dynamic assignment range 384 to 511 + @{run}/udev/data/c4[0-9]*:@{int} r, + @{run}/udev/data/c5[0-9]*:@{int} r, @{sys}/devices/**/uevent r, @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r, diff --git a/apparmor.d/groups/systemd/systemd-networkd b/apparmor.d/groups/systemd/systemd-networkd index 8c998a1d..137c9127 100644 --- a/apparmor.d/groups/systemd/systemd-networkd +++ b/apparmor.d/groups/systemd/systemd-networkd 
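Review bot: The comment on `@{run}/udev/data/c29:[0-9]* r, # For CD-ROM` in the systemd-journald hunk disagrees with the plymouthd, libvirtd and subiquity-console-conf hunks of this same commit, which all describe `c29` as `/dev/fb[0-9]*`. Since the line is being rewritten anyway, align the comment, e.g. `# For /dev/fb[0-9]*`, or confirm which device class journald actually needs. The hunk also grants a new `+input:input@{int}` read rule for which the visible diff gives no reason; a short rationale in the comment would help a later least-privilege review.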
@@ -68,7 +68,7 @@ profile systemd-networkd @{exec_path} flags=(attach_disconnected,complain) { owner @{run}/systemd/netif/lldp/ rw, owner @{run}/systemd/netif/state rw, - @{run}/udev/data/n[0-9]* r, + @{run}/udev/data/n@{int} r, @{sys}/devices/**/net/** r, @{sys}/devices/pci[0-9]*/**/ r, diff --git a/apparmor.d/groups/ubuntu/subiquity-console-conf b/apparmor.d/groups/ubuntu/subiquity-console-conf index 11fdc78f..b57c825a 100644 --- a/apparmor.d/groups/ubuntu/subiquity-console-conf +++ b/apparmor.d/groups/ubuntu/subiquity-console-conf 
@@ -57,27 +57,27 @@ profile subiquity-console-conf @{exec_path} { @{run}/udev/data/+acpi:* r, @{run}/udev/data/+dmi* r, @{run}/udev/data/+drm* r, - @{run}/udev/data/+input* r, # For mouse, keyboard, touchpad + @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad @{run}/udev/data/+leds:* r, - @{run}/udev/data/+pci* r, - @{run}/udev/data/+platform* r, - @{run}/udev/data/+sound:card* r, # For sound + @{run}/udev/data/+pci:* r, + @{run}/udev/data/+platform:* r, + @{run}/udev/data/+sound:card@{int} r, # For sound - @{run}/udev/data/c1:[0-9]* r, # For RAM disk - @{run}/udev/data/c4:[0-9]* r, # For TTY devices - @{run}/udev/data/c5:[0-9]* r, # For /dev/tty, /dev/console, /dev/ptmx - @{run}/udev/data/c7:[0-9]* r, # For Virtual console capture devices - @{run}/udev/data/c10:[0-9]* r, # For non-serial mice, misc features - @{run}/udev/data/c13:[0-9]* r, # For /dev/input/* - @{run}/udev/data/c29:[0-9]* r, # For /dev/fb[0-9]* - @{run}/udev/data/c89:[0-9]* r, # For I2C bus interface - @{run}/udev/data/c108:[0-9]* r, # For /dev/ppp - @{run}/udev/data/c116:[0-9]* r, # For ALSA - @{run}/udev/data/c226:[0-9]* r, # For /dev/dri/card* - @{run}/udev/data/c23[4-9]:[0-9]* r, # For dynamic assignment range 234 to 254 - @{run}/udev/data/c24[0-9]:[0-9]* r, - @{run}/udev/data/c25[0-4]:[0-9]* r, - @{run}/udev/data/n[0-9]* r, + @{run}/udev/data/c1:@{int} r, # For RAM disk + @{run}/udev/data/c4:@{int} r, # For TTY devices + @{run}/udev/data/c5:@{int} r, # For /dev/tty, /dev/console, /dev/ptmx + @{run}/udev/data/c7:[0-9]* r, # For Virtual console capture devices + @{run}/udev/data/c10:@{int} r, # For non-serial mice, misc features + @{run}/udev/data/c13:@{int} r, # For /dev/input/* + @{run}/udev/data/c29:[0-9]* r, # For /dev/fb[0-9]* + @{run}/udev/data/c89:[0-9]* r, # For I2C bus interface + @{run}/udev/data/c108:@{int} r, # For /dev/ppp + @{run}/udev/data/c116:@{int} r, # For ALSA + @{run}/udev/data/c226:@{int} r, # For /dev/dri/card* + @{run}/udev/data/c23[4-9]:@{int} r, # 
For dynamic assignment range 234 to 254 + @{run}/udev/data/c24[0-9]:@{int} r, + @{run}/udev/data/c25[0-4]:@{int} r, + @{run}/udev/data/n@{int} r, @{sys}/**/devices/ r, @{sys}/*/*/ r, diff --git a/apparmor.d/groups/virt/libvirtd b/apparmor.d/groups/virt/libvirtd index f9830424..1b5564c0 100644 --- a/apparmor.d/groups/virt/libvirtd +++ b/apparmor.d/groups/virt/libvirtd 
@@ -162,35 +162,36 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/+backlight:* r, @{run}/udev/data/+bluetooth:* r, @{run}/udev/data/+dmi:id r, - @{run}/udev/data/+drm:* r, + @{run}/udev/data/+drm:card[0-9]-* r, # for screen outputs @{run}/udev/data/+hid:* r, - @{run}/udev/data/+input* r, # For mouse, keyboard, touchpad + @{run}/udev/data/+input:input@{int} r, # For mouse, keyboard, touchpad @{run}/udev/data/+leds:* r, - @{run}/udev/data/+pci* r, - @{run}/udev/data/+platform* r, + @{run}/udev/data/+pci:* r, + @{run}/udev/data/+platform:* r, @{run}/udev/data/+rfkill:* r, - @{run}/udev/data/+sound:card* r, # For sound + @{run}/udev/data/+sound:card@{int} r, # For sound @{run}/udev/data/+thunderbolt:* r, - @{run}/udev/data/c1:[0-9]* r, # For RAM disk - @{run}/udev/data/c6:[0-9]* r, # For parallel printer devices /dev/lp* - @{run}/udev/data/c10:[0-9]* r, # For non-serial mice, misc features - @{run}/udev/data/c13:[0-9]* r, # For /dev/input/* - @{run}/udev/data/c21:[0-9]* r, # Generic SCSI access - @{run}/udev/data/c29:* r, # For /dev/fb[0-9]* - @{run}/udev/data/c90:[0-9]* r, # For RAM, ROM, Flash - @{run}/udev/data/c99:[0-9]* r, # For raw parallel ports /dev/parport* - @{run}/udev/data/c108:[0-9]* r, # For /dev/ppp - @{run}/udev/data/c116:[0-9]* r, # For ALSA - @{run}/udev/data/c202:[0-9]* r, # CPU model-specific registers - @{run}/udev/data/c203:[0-9]* r, # CPU CPUID information - @{run}/udev/data/c226:[0-9]* r, # For /dev/dri/card[0-9]* - @{run}/udev/data/c23[4-9]:[0-9]* r, # For dynamic assignment range 234 to 254 - @{run}/udev/data/c24[0-9]:[0-9]* r, - @{run}/udev/data/c25[0-4]:[0-9]* r, - @{run}/udev/data/c3[0-9]*:[0-9]* r, # For dynamic assignment range 384 to 511 - @{run}/udev/data/c4[0-9]*:[0-9]* r, - @{run}/udev/data/c5[0-9]*:[0-9]* r, - @{run}/udev/data/n[0-9]* r, + @{run}/udev/data/c1:@{int} r, # For RAM disk + @{run}/udev/data/c6:@{int} r, # For parallel printer devices /dev/lp* + @{run}/udev/data/c10:@{int} r, # For 
non-serial mice, misc features + @{run}/udev/data/c13:@{int} r, # For /dev/input/* + @{run}/udev/data/c21:@{int} r, # Generic SCSI access + @{run}/udev/data/c29:@{int} r, # For /dev/fb[0-9]* + @{run}/udev/data/c81:@{int} r, # For video4linux + @{run}/udev/data/c90:@{int} r, # For RAM, ROM, Flash + @{run}/udev/data/c99:@{int} r, # For raw parallel ports /dev/parport* + @{run}/udev/data/c108:@{int} r, # For /dev/ppp + @{run}/udev/data/c116:@{int} r, # For ALSA + @{run}/udev/data/c202:@{int} r, # CPU model-specific registers + @{run}/udev/data/c203:@{int} r, # CPU CPUID information + @{run}/udev/data/c226:@{int} r, # For /dev/dri/card[0-9]* + @{run}/udev/data/c23[4-9]:@{int} r, # For dynamic assignment range 234 to 254 + @{run}/udev/data/c24[0-9]:@{int} r, + @{run}/udev/data/c25[0-4]:@{int} r, + @{run}/udev/data/c3[0-9]*:@{int} r, # For dynamic assignment range 384 to 511 + @{run}/udev/data/c4[0-9]*:@{int} r, + @{run}/udev/data/c5[0-9]*:@{int} r, + @{run}/udev/data/n@{int} r, @{sys}/bus/[a-z]*/devices/ r, @{sys}/bus/pci/drivers_probe w, diff --git a/apparmor.d/groups/virt/virtnodedevd b/apparmor.d/groups/virt/virtnodedevd index 8eb0c13b..38b3a068 100644 --- a/apparmor.d/groups/virt/virtnodedevd +++ b/apparmor.d/groups/virt/virtnodedevd 
@@ -48,31 +48,31 @@ profile virtnodedevd @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/+backlight:* r, @{run}/udev/data/+bluetooth:* r, @{run}/udev/data/+dmi:id r, - @{run}/udev/data/+drm:* r, # For screen outputs - @{run}/udev/data/+input* r, # for mouse, keyboard, touchpad + @{run}/udev/data/+drm:card[0-9]-* r, # For screen outputs + @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad @{run}/udev/data/+leds:* r, - @{run}/udev/data/+pci* r, - @{run}/udev/data/+platform* r, + @{run}/udev/data/+pci:* r, + @{run}/udev/data/+platform:* r, + @{run}/udev/data/+rfkill:* r, @{run}/udev/data/+sound:* r, @{run}/udev/data/+thunderbolt:* r, - @{run}/udev/data/+rfkill:* r, - @{run}/udev/data/c1:[0-9]* r, # For RAM disk - @{run}/udev/data/c10:[0-9]* r, # For non-serial mice, misc features - @{run}/udev/data/c13:[0-9]* r, # For /dev/input/* - @{run}/udev/data/c21:[0-9]* r, # Generic SCSI access - @{run}/udev/data/c29:[0-9]* r, # For /dev/fb[0-9]* - @{run}/udev/data/c90:[0-9]* r, # For RAM, ROM, Flash - @{run}/udev/data/c116:[0-9]* r, # For ALSA - @{run}/udev/data/c202:[0-9]* r, # CPU model-specific registers - @{run}/udev/data/c226:[0-9]* r, # For /dev/dri/card[0-9]* - @{run}/udev/data/c23[4-9]:[0-9]* r, # For dynamic assignment range 234 to 254 - @{run}/udev/data/c24[0-9]:[0-9]* r, - @{run}/udev/data/c25[0-4]:[0-9]* r, - @{run}/udev/data/c3[0-9]*:[0-9]* r, # For dynamic assignment range 384 to 511 - @{run}/udev/data/c4[0-9]*:[0-9]* r, - @{run}/udev/data/c5[0-9]*:[0-9]* r, - @{run}/udev/data/n[0-9]* r, + @{run}/udev/data/c1:@{int} r, # For RAM disk + @{run}/udev/data/c10:@{int} r, # For non-serial mice, misc features + @{run}/udev/data/c13:@{int} r, # For /dev/input/* + @{run}/udev/data/c21:@{int} r, # Generic SCSI access + @{run}/udev/data/c29:[0-9]* r, # For /dev/fb[0-9]* + @{run}/udev/data/c90:@{int} r, # For RAM, ROM, Flash + @{run}/udev/data/c116:@{int} r, # For ALSA + @{run}/udev/data/c202:@{int} r, # CPU model-specific registers + 
@{run}/udev/data/c226:@{int} r, # For /dev/dri/card[0-9]* + @{run}/udev/data/c23[4-9]:@{int} r, # For dynamic assignment range 234 to 254 + @{run}/udev/data/c24[0-9]:@{int} r, + @{run}/udev/data/c25[0-4]:@{int} r, + @{run}/udev/data/c3[0-9]*:@{int} r, # For dynamic assignment range 384 to 511 + @{run}/udev/data/c4[0-9]*:@{int} r, + @{run}/udev/data/c5[0-9]*:@{int} r, + @{run}/udev/data/n@{int} r, @{sys}/**/ r, @{sys}/devices/@{pci}/vpd r, diff --git a/apparmor.d/profiles-a-f/bluetoothd b/apparmor.d/profiles-a-f/bluetoothd index 020ba32e..22cbe93d 100644 --- a/apparmor.d/profiles-a-f/bluetoothd +++ b/apparmor.d/profiles-a-f/bluetoothd @@ -30,7 +30,7 @@ profile bluetoothd @{exec_path} { /var/lib/bluetooth/{,**} rw, @{run}/sdp rw, - @{run}/udev/data/+hid:* r, + @{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard @{sys}/devices/pci[0-9]*/**/rfkill[0-9]*/name r, @{sys}/devices/pci[0-9]*/**/bluetooth/**/{uevent,name} r, diff --git a/apparmor.d/profiles-a-f/fprintd b/apparmor.d/profiles-a-f/fprintd index dd34d5be..a7c999c4 100644 --- a/apparmor.d/profiles-a-f/fprintd +++ b/apparmor.d/profiles-a-f/fprintd @@ -41,9 +41,9 @@ profile fprintd @{exec_path} flags=(attach_disconnected) { @{run}/systemd/journal/socket rw, @{run}/systemd/inhibit/*.ref w, - @{run}/udev/data/c23[4-9]:[0-9]* r, # For dynamic assignment range 234 to 254 - @{run}/udev/data/c24[0-9]:[0-9]* r, - @{run}/udev/data/c25[0-4]:[0-9]* r, + @{run}/udev/data/c23[4-9]:@{int} r, # For dynamic assignment range 234 to 254 + @{run}/udev/data/c24[0-9]:@{int} r, + @{run}/udev/data/c25[0-4]:@{int} r, @{sys}/class/hidraw/ r, @{sys}/devices/pci[0-9]*/**/hidraw/hidraw[0-9]*/uevent r, diff --git a/apparmor.d/profiles-a-f/fritzing b/apparmor.d/profiles-a-f/fritzing index a0a3ac66..49324b0c 100644 --- a/apparmor.d/profiles-a-f/fritzing +++ b/apparmor.d/profiles-a-f/fritzing 
@@ -59,9 +59,9 @@ profile fritzing @{exec_path} { @{sys}/devices/**/tty*/uevent r, @{sys}/devices/**/tty/**/uevent r, - @{run}/udev/data/c4:[0-9]* r, # for /dev/tty[0-9]* - @{run}/udev/data/c5:[0-9]* r, # for /dev/tty, /dev/console, /dev/ptmx - @{run}/udev/data/c166:[0-9]* r, # for /dev/ttyACM[0-9]* + @{run}/udev/data/c4:@{int} r, # for /dev/tty[0-9]* + @{run}/udev/data/c5:@{int} r, # for /dev/tty, /dev/console, /dev/ptmx + @{run}/udev/data/c166:[0-9]* r, # for /dev/ttyACM[0-9]* /dev/ttyS[0-9]* rw, /dev/ttyACM[0-9]* rw, diff --git a/apparmor.d/profiles-g-l/gzdoom b/apparmor.d/profiles-g-l/gzdoom index 7512852f..7ebe6f87 100644 --- a/apparmor.d/profiles-g-l/gzdoom +++ b/apparmor.d/profiles-g-l/gzdoom @@ -87,11 +87,11 @@ profile gzdoom @{exec_path} { @{run}/udev/data/+sound:* r, @{run}/udev/data/+input:* r, - @{run}/udev/data/c13:[0-9]* r, # For /dev/input/* - @{run}/udev/data/c116:[0-9]* r, # For ALSA - @{run}/udev/data/c23[4-9]:[0-9]* r, # For dynamic assignment range 234 to 254 - @{run}/udev/data/c24[0-9]:[0-9]* r, - @{run}/udev/data/c25[0-4]:[0-9]* r, + @{run}/udev/data/c13:@{int} r, # For /dev/input/* + @{run}/udev/data/c116:@{int} r, # For ALSA + @{run}/udev/data/c23[4-9]:@{int} r, # For dynamic assignment range 234 to 254 + @{run}/udev/data/c24[0-9]:@{int} r, + @{run}/udev/data/c25[0-4]:@{int} r, include if exists } diff --git a/apparmor.d/profiles-g-l/labwc b/apparmor.d/profiles-g-l/labwc index 345e0035..b4aaff6c 100644 --- a/apparmor.d/profiles-g-l/labwc +++ b/apparmor.d/profiles-g-l/labwc 
@@ -44,16 +44,16 @@ profile labwc @{exec_path} flags=(attach_disconnected) { @{sys}/devices/pci[0-9]*/**/boot_vga r, @{sys}/devices/**/uevent r, - @{run}/udev/data/+input* r, # for mouse, keyboard, touchpad - @{run}/udev/data/+platform* r, # for ? - @{run}/udev/data/+drm:card[0-9]-* r, # for screen outputs - @{run}/udev/data/+acpi* r, # for ? - @{run}/udev/data/+hid* r, # for HID-Compliant Keyboard - @{run}/udev/data/+pci* r, # for VGA compatible controller - @{run}/udev/data/+sound:card* r, # for sound - @{run}/udev/data/+serio* r, # for touchpad? - @{run}/udev/data/c13:[0-9]* r, # for /dev/input/* - @{run}/udev/data/c226:[0-9]* r, # for /dev/dri/card* + @{run}/udev/data/+acpi:* r, # for ? + @{run}/udev/data/+drm:card[0-9]-* r, # for screen outputs + @{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard + @{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard + @{run}/udev/data/+pci:* r, # for VGA compatible controller + @{run}/udev/data/+platform:* r, # for ? + @{run}/udev/data/+serio:* r, # for touchpad? + @{run}/udev/data/+sound:card@{int} r, # for sound + @{run}/udev/data/c13:@{int} r, # for /dev/input/* + @{run}/udev/data/c226:@{int} r, # for /dev/dri/card* @{run}/systemd/sessions/* r, @{run}/systemd/seats/seat@{int} r, diff --git a/apparmor.d/profiles-m-r/mpv b/apparmor.d/profiles-m-r/mpv index c737b6d9..ccb67507 100644 --- a/apparmor.d/profiles-m-r/mpv +++ b/apparmor.d/profiles-m-r/mpv @@ -69,10 +69,10 @@ profile mpv @{exec_path} { owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/task/ r, - @{run}/udev/data/+input:input[0-9]* r, + @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad @{run}/udev/data/+sound:* r, - @{run}/udev/data/c13:[0-9]* r, # for /dev/input/* - @{run}/udev/data/c116:[0-9]* r, # for ALSA + @{run}/udev/data/c13:@{int} r, # for /dev/input/* + @{run}/udev/data/c116:@{int} r, # for ALSA @{sys}/bus/ r, @{sys}/class/ r, 
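Review bot: The new labwc rule list contains `@{run}/udev/data/+hid:* r,` twice and has no `+input` rule, although the old side allowed `+input*` for mouse, keyboard and touchpad. The second `+hid:*` line looks like it was meant to be the converted input rule. Replace it with `@{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad`, the form the mpv and steam hunks use. The profile has no `complain` flag, so as committed the compositor would presumably be denied its udev input metadata.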
diff --git a/apparmor.d/profiles-m-r/nvtop b/apparmor.d/profiles-m-r/nvtop index 1a359116..56fdddab 100644 --- a/apparmor.d/profiles-m-r/nvtop +++ b/apparmor.d/profiles-m-r/nvtop @@ -27,12 +27,12 @@ profile nvtop @{exec_path} flags=(attach_disconnected) { owner @{user_config_dirs}/nvtop/{,**} rw, @{run}/systemd/inhibit/*.ref r, - @{run}/udev/data/+drm:* r, - @{run}/udev/data/+pci* r, - @{run}/udev/data/c226:[0-9]* r, # For /dev/dri/card* - @{run}/udev/data/c23[4-9]:[0-9]* r, # For dynamic assignment range 234 to 254 - @{run}/udev/data/c24[0-9]:[0-9]* r, - @{run}/udev/data/c25[0-4]:[0-9]* r, + @{run}/udev/data/+drm:card[0-9]-* r, + @{run}/udev/data/+pci:* r, + @{run}/udev/data/c226:@{int} r, # For /dev/dri/card* + @{run}/udev/data/c23[4-9]:@{int} r, # For dynamic assignment range 234 to 254 + @{run}/udev/data/c24[0-9]:@{int} r, + @{run}/udev/data/c25[0-4]:@{int} r, @{sys}/bus/ r, @{sys}/class/ r, diff --git a/apparmor.d/profiles-m-r/obexautofs b/apparmor.d/profiles-m-r/obexautofs index acdc741d..c2de0ca2 100644 --- a/apparmor.d/profiles-m-r/obexautofs +++ b/apparmor.d/profiles-m-r/obexautofs @@ -34,7 +34,7 @@ profile obexautofs @{exec_path} { @{sys}/devices/pci[0-9]*/**/usb[0-9]/**/{uevent,busnum,devnum,speed,descriptors} r, @{run}/udev/data/+usb:* r, - @{run}/udev/data/c18[0,8,9]:[0-9]* r, # USB devices & USB serial converters + @{run}/udev/data/c18[0,8,9]:[0-9]* r, # USB devices & USB serial converters /dev/bus/usb/ r, /dev/fuse rw, diff --git a/apparmor.d/profiles-s-z/steam b/apparmor.d/profiles-s-z/steam index 793a4ab3..5056edb1 100644 --- a/apparmor.d/profiles-s-z/steam +++ b/apparmor.d/profiles-s-z/steam 
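Review bot: `+drm:card[0-9]-*` in the nvtop hunk accepts only a single-digit card index, and the same pattern is added in the switcheroo-control hunk. The sound rules in this commit write the index as `card@{int}`. `@{run}/udev/data/+drm:card@{int}-* r, # for screen outputs` would be consistent with them and also adds the comment the nvtop line lacks. The narrowing from `+drm:*` also drops every `+drm:` entry that is not of the `cardN-…` form, so it is worth confirming from the audit log that nvtop reads none.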
@@ -162,16 +162,16 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted,complain) owner /tmp/sh-thd.* rw, owner /tmp/steam_chrome_shmem_uid@{uid}_spid@{int} rw, - @{run}/udev/data/+input* r, # for mouse, keyboard, touchpad + @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad @{run}/udev/data/+sound* r, - @{run}/udev/data/+pci* r, + @{run}/udev/data/+pci:* r, - @{run}/udev/data/c13:[0-9]* r, # for /dev/input/* - @{run}/udev/data/c116:[0-9]* r, # for ALSA - @{run}/udev/data/c23[4-9]:[0-9]* r, # For dynamic assignment range 234 to 254 - @{run}/udev/data/c24[0-9]:[0-9]* r, - @{run}/udev/data/c25[0-4]:[0-9]* r, - @{run}/udev/data/n[0-9]* r, + @{run}/udev/data/c13:@{int} r, # for /dev/input/* + @{run}/udev/data/c116:@{int} r, # for ALSA + @{run}/udev/data/c23[4-9]:@{int} r, # For dynamic assignment range 234 to 254 + @{run}/udev/data/c24[0-9]:@{int} r, + @{run}/udev/data/c25[0-4]:@{int} r, + @{run}/udev/data/n@{int} r, @{sys}/ r, @{sys}/bus/ r, diff --git a/apparmor.d/profiles-s-z/switcheroo-control b/apparmor.d/profiles-s-z/switcheroo-control index 454f0214..829cdcc4 100644 --- a/apparmor.d/profiles-s-z/switcheroo-control +++ b/apparmor.d/profiles-s-z/switcheroo-control @@ -28,10 +28,10 @@ profile switcheroo-control @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{run}/udev/data/+drm:* r, + @{run}/udev/data/+drm:card[0-9]-* r, # for screen outputs @{run}/udev/data/+pci:* r, - @{run}/udev/data/c226:[0-9]* r, # for /dev/dri/card* + @{run}/udev/data/c226:@{int} r, # for /dev/dri/card* @{sys}/bus/ r, @{sys}/class/ r, diff --git a/apparmor.d/profiles-s-z/virt-manager b/apparmor.d/profiles-s-z/virt-manager index d3ae841d..1f9d352e 100644 --- a/apparmor.d/profiles-s-z/virt-manager +++ b/apparmor.d/profiles-s-z/virt-manager 
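Review bot: The context line `@{run}/udev/data/+sound* r,` in the steam hunk is left unchanged, while `+input*` and `+pci*` on either side of it are now anchored at the colon. Without the colon the glob matches any udev data file whose name merely begins with `+sound`. `@{run}/udev/data/+sound:card@{int} r, # for sound` is the form the labwc and wireplumber hunks use. The profile carries the `complain` flag, so a rule that turns out too narrow would appear in the logs rather than break the client.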
@@ -90,9 +90,9 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) { owner @{run}/user/@{uid}/libvirt/virtqemud.lock rwk, @{run}/mount/utab r, - @{run}/udev/data/c3[0-9]*:[0-9]* r, # For dynamic assignment range 384 to 511 - @{run}/udev/data/c4[0-9]*:[0-9]* r, - @{run}/udev/data/c5[0-9]*:[0-9]* r, + @{run}/udev/data/c3[0-9]*:@{int} r, # For dynamic assignment range 384 to 511 + @{run}/udev/data/c4[0-9]*:@{int} r, + @{run}/udev/data/c5[0-9]*:@{int} r, @{sys}/devices/**/hwmon/**/{,name,temp*,fan*} r, @{sys}/devices/pci[0-9]*/**/drm/ r, diff --git a/apparmor.d/profiles-s-z/wireplumber b/apparmor.d/profiles-s-z/wireplumber index 982b3d7f..b0f710d8 100644 --- a/apparmor.d/profiles-s-z/wireplumber +++ b/apparmor.d/profiles-s-z/wireplumber @@ -37,16 +37,16 @@ profile wireplumber @{exec_path} { @{run}/systemd/users/@{uid} r, - @{run}/udev/data/+sound:card[0-9]* r, # For sound - @{run}/udev/data/c14:[0-9]* r, # Open Sound System (OSS) - @{run}/udev/data/c81:[0-9]* r, # For video4linux - @{run}/udev/data/c116:[0-9]* r, # For ALSA - @{run}/udev/data/c23[4-9]:[0-9]* r, # For dynamic assignment range 234 to 254 - @{run}/udev/data/c24[0-9]:[0-9]* r, - @{run}/udev/data/c25[0-4]:[0-9]* r, - @{run}/udev/data/c3[0-9]*:[0-9]* r, # For dynamic assignment range 384 to 511 - @{run}/udev/data/c4[0-9]*:[0-9]* r, - @{run}/udev/data/c5[0-9]*:[0-9]* r, + @{run}/udev/data/+sound:card@{int} r, # For sound + @{run}/udev/data/c14:@{int} r, # Open Sound System (OSS) + @{run}/udev/data/c81:@{int} r, # For video4linux + @{run}/udev/data/c116:@{int} r, # For ALSA + @{run}/udev/data/c23[4-9]:@{int} r, # For dynamic assignment range 234 to 254 + @{run}/udev/data/c24[0-9]:@{int} r, + @{run}/udev/data/c25[0-4]:@{int} r, + @{run}/udev/data/c3[0-9]*:@{int} r, # For dynamic assignment range 384 to 511 + @{run}/udev/data/c4[0-9]*:@{int} r, + @{run}/udev/data/c5[0-9]*:@{int} r, @{sys}/bus/ r, @{sys}/bus/media/devices/ r,
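Review bot: The three rules commented "For dynamic assignment range 384 to 511" still match far more majors than that, in the virt-manager hunk and again in the wireplumber hunk. `c3[0-9]*:` is `c3`, one digit, then any characters up to the colon, so it also covers majors 30–39 and 300–399. `c4[0-9]*` and `c5[0-9]*` behave the same way, reaching up to 599. Only the minor was tightened by this change. A pattern that follows the comment would be `@{run}/udev/data/c{38[4-9],39[0-9],4[0-9][0-9],50[0-9],51[01]}:@{int} r,`.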