diff --git a/apparmor.d/abstractions/systemd-common b/apparmor.d/abstractions/systemd-common index 18f47b4b..6f6ce8b5 100644 --- a/apparmor.d/abstractions/systemd-common +++ b/apparmor.d/abstractions/systemd-common @@ -16,6 +16,6 @@ /dev/kmsg w, - @{sys}/firmware/efi/efivars/SecureBoot-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* r, + @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r, include if exists \ No newline at end of file diff --git a/apparmor.d/groups/apps/android-studio b/apparmor.d/groups/apps/android-studio index f6f0bf7d..e7fe3d21 100644 --- a/apparmor.d/groups/apps/android-studio +++ b/apparmor.d/groups/apps/android-studio @@ -257,7 +257,7 @@ profile android-studio @{exec_path} { /usr/share/distro-info/*.csv r, owner /tmp/android-*/emulator-* w, - owner /tmp/android-*/[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*/opengl_* w, + owner /tmp/android-*/@{uuid}/opengl_* w, # file_inherit owner @{HOME}/.android/avd/** r, diff --git a/apparmor.d/groups/apps/code b/apparmor.d/groups/apps/code index deacf0eb..dec9e093 100644 --- a/apparmor.d/groups/apps/code +++ b/apparmor.d/groups/apps/code @@ -128,9 +128,9 @@ profile code @{exec_path} { owner @{run}/user/@{uid}/vscode-[0-9a-f]*-*-{shared,main}.sock rw, owner @{run}/user/@{uid}/vscode-git-askpass-[0-9a-f]*.sock rw, - owner /tmp/vscode-ipc-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*.sock rw, + owner /tmp/vscode-ipc-@{uuid}.sock rw, # For installing extensions - owner /tmp/[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* rw, + owner /tmp/@{uuid} rw, # file_inherit owner @{HOME}/.xsession-errors w, diff --git a/apparmor.d/groups/apps/thunderbird b/apparmor.d/groups/apps/thunderbird index 46d3d62e..a712abeb 100644 --- a/apparmor.d/groups/apps/thunderbird +++ b/apparmor.d/groups/apps/thunderbird 
@@ -149,7 +149,7 @@ profile thunderbird @{exec_path} { owner /tmp/mozilla_*/* rw, owner /tmp/MozillaMailnews/ rw, owner /tmp/MozillaMailnews/*.msf rw, - owner /tmp/Temp-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*/ rw, + owner /tmp/Temp-@{uuid}/ rw, deny /dev/ r, /dev/urandom w, diff --git a/apparmor.d/groups/browsers/firefox-crashreporter b/apparmor.d/groups/browsers/firefox-crashreporter index e6e76de2..3f57d1d3 100644 --- a/apparmor.d/groups/browsers/firefox-crashreporter +++ b/apparmor.d/groups/browsers/firefox-crashreporter @@ -43,10 +43,10 @@ profile firefox-crashreporter @{exec_path} flags=(attach_disconnected) { owner "@{MOZ_HOMEDIR}/firefox/Crash Reports/pending/[0-9a-f]*.{dmp,extra}" rw, owner @{MOZ_HOMEDIR}/firefox/*.*/minidumps/{,**} rw, - owner @{MOZ_HOMEDIR}/firefox/*.*/minidumps/[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*.{dmp,extra} rw, + owner @{MOZ_HOMEDIR}/firefox/*.*/minidumps/@{uuid}.{dmp,extra} rw, owner @{MOZ_HOMEDIR}/firefox/*.*/crashes/{,**} rw, - owner @{MOZ_HOMEDIR}/firefox/*.*/crashes/events/[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* rw, + owner @{MOZ_HOMEDIR}/firefox/*.*/crashes/events/@{uuid} rw, /tmp/ r, owner /tmp/[0-9a-f]*.{dmp,extra} rw, diff --git a/apparmor.d/groups/browsers/firefox-minidump-analyzer b/apparmor.d/groups/browsers/firefox-minidump-analyzer index bb1b040b..a34727fd 100644 --- a/apparmor.d/groups/browsers/firefox-minidump-analyzer +++ b/apparmor.d/groups/browsers/firefox-minidump-analyzer @@ -27,7 +27,7 @@ profile firefox-minidump-analyzer @{exec_path} { owner "@{MOZ_HOMEDIR}/firefox/Crash Reports/pending/[0-9a-f]*.{dmp,extra}" rw, owner @{MOZ_HOMEDIR}/firefox/*.*/minidumps/ rw, - owner @{MOZ_HOMEDIR}/firefox/*.*/minidumps/[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*.{dmp,extra} rw, + owner @{MOZ_HOMEDIR}/firefox/*.*/minidumps/@{uuid}.{dmp,extra} rw, owner /dev/shm/org.mozilla.ipc.[0-9]*.[0-9]* r, 
diff --git a/apparmor.d/groups/browsers/firefox-pingsender b/apparmor.d/groups/browsers/firefox-pingsender index c65079ba..53dc072e 100644 --- a/apparmor.d/groups/browsers/firefox-pingsender +++ b/apparmor.d/groups/browsers/firefox-pingsender @@ -22,7 +22,7 @@ profile firefox-pingsender @{exec_path} { @{exec_path} mr, - owner @{HOME}/.mozilla/firefox/*.*/saved-telemetry-pings/[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* rw, + owner @{HOME}/.mozilla/firefox/*.*/saved-telemetry-pings/@{uuid} rw, # file_inherit owner /dev/tty[0-9]* rw, diff --git a/apparmor.d/groups/network/nm-openvpn-service b/apparmor.d/groups/network/nm-openvpn-service index 4f948c5f..79b30c5a 100644 --- a/apparmor.d/groups/network/nm-openvpn-service +++ b/apparmor.d/groups/network/nm-openvpn-service @@ -25,7 +25,7 @@ profile nm-openvpn-service @{exec_path} { /{usr/,}bin/kmod rPx, @{run}/systemd/userdb/ r, - @{run}/NetworkManager/nm-openvpn-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* rw, + @{run}/NetworkManager/nm-openvpn-@{uuid} rw, /dev/net/tun rw, /dev/tty rw, diff --git a/apparmor.d/groups/network/openvpn b/apparmor.d/groups/network/openvpn index 89ea4775..c0345acc 100644 --- a/apparmor.d/groups/network/openvpn +++ b/apparmor.d/groups/network/openvpn @@ -62,7 +62,7 @@ profile openvpn @{exec_path} { /var/log/openvpn/*.log w, @{run}/openvpn/*.{pid,status} rw, - @{run}/NetworkManager/nm-openvpn-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* rw, + @{run}/NetworkManager/nm-openvpn-@{uuid} rw, /{usr/,}bin/ip rix, /{usr/,}bin/systemd-ask-password rPx, diff --git a/apparmor.d/groups/systemd/bootctl b/apparmor.d/groups/systemd/bootctl index 19947004..1da11fc0 100644 --- a/apparmor.d/groups/systemd/bootctl +++ b/apparmor.d/groups/systemd/bootctl 
@@ -42,20 +42,20 @@ profile bootctl @{exec_path} { @{sys}/firmware/dmi/entries/*/raw r, @{sys}/firmware/efi/efivars/ r, - @{sys}/firmware/efi/efivars/Boot[0-9A-F]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* r, - @{sys}/firmware/efi/efivars/BootOrder-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* r, - @{sys}/firmware/efi/efivars/LoaderDevicePartUUID-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* r, - @{sys}/firmware/efi/efivars/LoaderEntries-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* r, - @{sys}/firmware/efi/efivars/LoaderFeatures-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* r, - @{sys}/firmware/efi/efivars/LoaderFirmwareInfo-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* r, - @{sys}/firmware/efi/efivars/LoaderFirmwareType-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* r, - @{sys}/firmware/efi/efivars/LoaderImageIdentifier-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* r, - @{sys}/firmware/efi/efivars/LoaderInfo-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* r, - @{sys}/firmware/efi/efivars/LoaderSystemToken-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* r, - @{sys}/firmware/efi/efivars/OsIndications-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* r, - @{sys}/firmware/efi/efivars/OsIndicationsSupported-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* r, - @{sys}/firmware/efi/efivars/SecureBoot-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* r, - @{sys}/firmware/efi/efivars/SetupMode-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* r, + @{sys}/firmware/efi/efivars/Boot[0-9A-F]*-@{uuid} r, + @{sys}/firmware/efi/efivars/BootOrder-@{uuid} r, + @{sys}/firmware/efi/efivars/LoaderDevicePartUUID-@{uuid} r, + @{sys}/firmware/efi/efivars/LoaderEntries-@{uuid} r, + @{sys}/firmware/efi/efivars/LoaderFeatures-@{uuid} r, + @{sys}/firmware/efi/efivars/LoaderFirmwareInfo-@{uuid} r, + @{sys}/firmware/efi/efivars/LoaderFirmwareType-@{uuid} r, + @{sys}/firmware/efi/efivars/LoaderImageIdentifier-@{uuid} r, + 
@{sys}/firmware/efi/efivars/LoaderInfo-@{uuid} r, + @{sys}/firmware/efi/efivars/LoaderSystemToken-@{uuid} r, + @{sys}/firmware/efi/efivars/OsIndications-@{uuid} r, + @{sys}/firmware/efi/efivars/OsIndicationsSupported-@{uuid} r, + @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r, + @{sys}/firmware/efi/efivars/SetupMode-@{uuid} r, owner @{PROC}/@{pid}/cgroup r, @{PROC}/sys/kernel/random/poolsize r, diff --git a/apparmor.d/groups/systemd/child-systemctl b/apparmor.d/groups/systemd/child-systemctl index 53696bf7..6919dd66 100644 --- a/apparmor.d/groups/systemd/child-systemctl +++ b/apparmor.d/groups/systemd/child-systemctl @@ -36,7 +36,7 @@ profile child-systemctl flags=(attach_disconnected) { @{PROC}/1/sched r, @{PROC}/cmdline r, - @{sys}/firmware/efi/efivars/SecureBoot-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* r, + @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r, /dev/kmsg w, diff --git a/apparmor.d/groups/systemd/systemd-analyze b/apparmor.d/groups/systemd/systemd-analyze index 804633ad..a070b1e8 100644 --- a/apparmor.d/groups/systemd/systemd-analyze +++ b/apparmor.d/groups/systemd/systemd-analyze @@ -57,8 +57,8 @@ profile systemd-analyze @{exec_path} { /etc/default/locale r, /etc/locale.conf r, - @{sys}/firmware/efi/efivars/LoaderTimeInitUSec-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* r, - @{sys}/firmware/efi/efivars/LoaderTimeExecUSec-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* r, + @{sys}/firmware/efi/efivars/LoaderTimeInitUSec-@{uuid} r, + @{sys}/firmware/efi/efivars/LoaderTimeExecUSec-@{uuid} r, /dev/tty rw, /dev/pts/1 rw, diff --git a/apparmor.d/groups/systemd/systemd-journald b/apparmor.d/groups/systemd/systemd-journald index 2ee2fec6..6ee54dfd 100644 --- a/apparmor.d/groups/systemd/systemd-journald +++ b/apparmor.d/groups/systemd/systemd-journald 
@@ -58,7 +58,7 @@ profile systemd-journald @{exec_path} { @{run}/udev/data/+platform:simple-framebuffer.[0-9]* r, @{sys}/devices/**/uevent r, - @{sys}/firmware/efi/efivars/SecureBoot-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* r, + @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r, @{sys}/module/printk/parameters/time r, @{PROC}/@{pids}/comm r, diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind index 83883120..7b1d374c 100644 --- a/apparmor.d/groups/systemd/systemd-logind +++ b/apparmor.d/groups/systemd/systemd-logind @@ -84,10 +84,10 @@ profile systemd-logind @{exec_path} flags=(complain) { @{sys}/class/drm/ r, @{sys}/power/{state,resume_offset,resume,disk} r, - @{sys}/firmware/efi/efivars/OsIndicationsSupported-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* r, - @{sys}/firmware/efi/efivars/OsIndications-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* r, - @{sys}/firmware/efi/efivars/LoaderEntries-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* r, - @{sys}/firmware/efi/efivars/LoaderFeatures-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* r, + @{sys}/firmware/efi/efivars/OsIndicationsSupported-@{uuid} r, + @{sys}/firmware/efi/efivars/OsIndications-@{uuid} r, + @{sys}/firmware/efi/efivars/LoaderEntries-@{uuid} r, + @{sys}/firmware/efi/efivars/LoaderFeatures-@{uuid} r, @{PROC}/@{pid}/cgroup r, @{PROC}/@{pid}/comm r, diff --git a/apparmor.d/groups/systemd/systemd-resolved b/apparmor.d/groups/systemd/systemd-resolved index 4818ed59..50ceea93 100644 --- a/apparmor.d/groups/systemd/systemd-resolved +++ b/apparmor.d/groups/systemd/systemd-resolved @@ -44,5 +44,5 @@ profile systemd-resolved @{exec_path} { @{PROC}/sys/kernel/random/boot_id r, # System access - @{sys}/firmware/efi/efivars/SecureBoot-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* r, + @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r, } diff --git a/apparmor.d/groups/virt/libvirtd b/apparmor.d/groups/virt/libvirtd index 1ab0c2c2..38c8540b 100644 
--- a/apparmor.d/groups/virt/libvirtd +++ b/apparmor.d/groups/virt/libvirtd @@ -72,7 +72,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { signal (send) set=(term) peer=libvirtd//qemu_bridge_helper, # allow connect with openGraphicsFD, direction reversed in newer versions - unix (send, receive) type=stream addr=none peer=(label=libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*), + unix (send, receive) type=stream addr=none peer=(label=libvirt-@{uuid}), # unconfined also required if guests run without security module unix (send, receive) type=stream addr=none peer=(label=unconfined), @@ -113,7 +113,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { /etc/xen/scripts/** rmix, # allow changing to our UUID-based named profiles - change_profile -> libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*, + change_profile -> libvirt-@{uuid}, /usr/{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper Cx -> qemu_bridge_helper, # child profile for bridge helper process diff --git a/apparmor.d/profiles-a-f/btrfs b/apparmor.d/profiles-a-f/btrfs index 81a70995..b691e0d2 100644 --- a/apparmor.d/profiles-a-f/btrfs +++ b/apparmor.d/profiles-a-f/btrfs @@ -29,8 +29,8 @@ profile btrfs @{exec_path} { # For scrub /var/lib/btrfs/ rw, - /var/lib/btrfs/scrub.progress.[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* rw, - /var/lib/btrfs/scrub.status.[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*{,_tmp} rwk, + /var/lib/btrfs/scrub.progress.@{uuid} rw, + /var/lib/btrfs/scrub.status.@{uuid}{,_tmp} rwk, # Saved metadata @{MOUNTS}/*/ r, diff --git a/apparmor.d/profiles-a-f/f3fix b/apparmor.d/profiles-a-f/f3fix index b72f2558..40749712 100644 --- a/apparmor.d/profiles-a-f/f3fix +++ b/apparmor.d/profiles-a-f/f3fix 
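Review bot: In the two libvirtd hunks `@{uuid}` is used outside file rules for the first time, in `peer=(label=libvirt-@{uuid})` and in `change_profile -> libvirt-@{uuid},`. The variable should expand the same way there, but that is worth confirming by compiling the profile with the oldest apparmor_parser the project supports. These two rules decide which labels libvirtd may talk to and transition into, so the looseness of the glob matters more here than in a read-only path rule. As defined in tunables/extend, each group is one hex character followed by `*`, so the allowed targets are not limited to UUID-named guest profiles. I would add a comment above the `change_profile` rule such as `# @{uuid} is a glob, not a strict UUID match; see tunables/extend`. The enclosing profile body starts and ends outside both hunks.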
@@ -51,7 +51,7 @@ profile f3fix @{exec_path} { @{PROC}/sys/kernel/osrelease r, @{PROC}/sys/kernel/random/boot_id r, - @{sys}/firmware/efi/efivars/SecureBoot-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* r, + @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r, # file_inherit /dev/sd[a-z]* rw, diff --git a/apparmor.d/profiles-a-f/fatresize b/apparmor.d/profiles-a-f/fatresize index 4b0cae05..d9bbbf0d 100644 --- a/apparmor.d/profiles-a-f/fatresize +++ b/apparmor.d/profiles-a-f/fatresize @@ -50,7 +50,7 @@ profile fatresize @{exec_path} { @{PROC}/sys/kernel/osrelease r, @{PROC}/sys/kernel/random/boot_id r, - @{sys}/firmware/efi/efivars/SecureBoot-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* r, + @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r, # file_inherit /dev/{s,v}d[a-z]* rw, diff --git a/apparmor.d/profiles-g-l/lightdm-gtk-greeter b/apparmor.d/profiles-g-l/lightdm-gtk-greeter index acb27d8c..5cfb8fed 100644 --- a/apparmor.d/profiles-g-l/lightdm-gtk-greeter +++ b/apparmor.d/profiles-g-l/lightdm-gtk-greeter @@ -67,7 +67,7 @@ profile lightdm-gtk-greeter @{exec_path} { @{PROC}/cmdline r, @{PROC}/sys/kernel/osrelease r, - @{sys}/firmware/efi/efivars/SecureBoot-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* r, + @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r, # file_inherit /var/log/lightdm/seat[0-9]*-greeter.log w, diff --git a/apparmor.d/profiles-g-l/logrotate b/apparmor.d/profiles-g-l/logrotate index b4fc3fa1..5f1cd693 100644 --- a/apparmor.d/profiles-g-l/logrotate +++ b/apparmor.d/profiles-g-l/logrotate @@ -63,7 +63,7 @@ profile logrotate @{exec_path} flags=(attach_disconnected, complain) { # logrotate[]: error: could not change directory to '.' / r, - @{sys}/firmware/efi/efivars/SecureBoot-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* r, + @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r, profile systemctl flags=(attach_disconnected, complain) { include 
diff --git a/apparmor.d/profiles-s-z/x11-xsession b/apparmor.d/profiles-s-z/x11-xsession index 5b483ec1..03a41ba9 100644 --- a/apparmor.d/profiles-s-z/x11-xsession +++ b/apparmor.d/profiles-s-z/x11-xsession @@ -110,7 +110,7 @@ profile x11-xsession @{exec_path} { @{PROC}/1/environ r, @{PROC}/sys/kernel/osrelease r, - @{sys}/firmware/efi/efivars/SecureBoot-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* r, + @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r, @{sys}/bus/ r, @{sys}/bus/*/devices/ r, diff --git a/apparmor.d/profiles-s-z/xinit b/apparmor.d/profiles-s-z/xinit index 2d841bcf..1710570f 100644 --- a/apparmor.d/profiles-s-z/xinit +++ b/apparmor.d/profiles-s-z/xinit @@ -118,7 +118,7 @@ profile xinit @{exec_path} { @{PROC}/1/environ r, @{PROC}/sys/kernel/osrelease r, - @{sys}/firmware/efi/efivars/SecureBoot-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* r, + @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r, @{sys}/bus/ r, @{sys}/bus/*/devices/ r, diff --git a/apparmor.d/tunables/extend b/apparmor.d/tunables/extend index b7abc97b..5ec4c97f 100644 --- a/apparmor.d/tunables/extend +++ b/apparmor.d/tunables/extend @@ -6,6 +6,9 @@ # To allow extended personalisation without breaking everything. # All apparmor profiles should always use the variables defined here. +# Universally unique identifier +@{uuid}=[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* + # Common mountpoints @{MOUNTS}=/media/ @{run}/media /mnt
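Review bot: The new `@{uuid}` in tunables/extend is documented as "Universally unique identifier", but the glob is much wider than a UUID. Each `[0-9a-f]*` is one hex character followed by any run of non-`/` characters, so a name like `a-b-c-d-e.sh` matches. The commit preserves the old behaviour, but with a single definition the pattern can now be tightened for every profile at once, for example `@{h}=[0-9a-f]` and `@{uuid}=@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}-@{h}@{h}@{h}@{h}-@{h}@{h}@{h}@{h}-@{h}@{h}@{h}@{h}-@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}`. First check that every call site really sees canonical lowercase 8-4-4-4-12 names. The rules that gain most are the writable or transition ones: `owner /tmp/@{uuid} rw,` in the code profile, and the `change_profile` and `peer=(label=...)` rules in libvirtd. If the loose form is kept, the comment should say so, e.g. `# Loose UUID-shaped glob: five hex-led groups separated by '-', not length-checked`.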