New @{uuid} variable.

2025-01-18 08:58:15 +01:00 · 2022-02-22 13:14:46 +00:00 · 2022-02-22 13:14:46 +00:00 · 0ee2e4f7ad
commit 0ee2e4f7ad
parent 773741c85e
24 changed files with 47 additions and 44 deletions
--- a/apparmor.d/abstractions/systemd-common
+++ b/apparmor.d/abstractions/systemd-common
@ -16,6 +16,6 @@

  /dev/kmsg w,

-  @{sys}/firmware/efi/efivars/SecureBoot-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* r,
+  @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r,

  include if exists <abstractions/systemd-common.d>
--- a/apparmor.d/groups/apps/android-studio
+++ b/apparmor.d/groups/apps/android-studio
@ -257,7 +257,7 @@ profile android-studio @{exec_path} {
    /usr/share/distro-info/*.csv r,

    owner /tmp/android-*/emulator-* w,
-    owner /tmp/android-*/[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*/opengl_* w,
+    owner /tmp/android-*/@{uuid}/opengl_* w,

    # file_inherit
    owner @{HOME}/.android/avd/** r,
--- a/apparmor.d/groups/apps/code
+++ b/apparmor.d/groups/apps/code
@ -128,9 +128,9 @@ profile code @{exec_path} {
  owner @{run}/user/@{uid}/vscode-[0-9a-f]*-*-{shared,main}.sock rw,
  owner @{run}/user/@{uid}/vscode-git-askpass-[0-9a-f]*.sock rw,

-  owner /tmp/vscode-ipc-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*.sock rw,
+  owner /tmp/vscode-ipc-@{uuid}.sock rw,
  # For installing extensions
-  owner /tmp/[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* rw,
+  owner /tmp/@{uuid} rw,

  # file_inherit
  owner @{HOME}/.xsession-errors w,
--- a/apparmor.d/groups/apps/thunderbird
+++ b/apparmor.d/groups/apps/thunderbird
@ -149,7 +149,7 @@ profile thunderbird @{exec_path} {
  owner /tmp/mozilla_*/* rw,
  owner /tmp/MozillaMailnews/ rw,
  owner /tmp/MozillaMailnews/*.msf rw,
-  owner /tmp/Temp-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*/ rw,
+  owner /tmp/Temp-@{uuid}/ rw,

   deny /dev/ r,
        /dev/urandom w,
--- a/apparmor.d/groups/browsers/firefox-crashreporter
+++ b/apparmor.d/groups/browsers/firefox-crashreporter
@ -43,10 +43,10 @@ profile firefox-crashreporter @{exec_path} flags=(attach_disconnected) {
  owner "@{MOZ_HOMEDIR}/firefox/Crash Reports/pending/[0-9a-f]*.{dmp,extra}" rw,

  owner @{MOZ_HOMEDIR}/firefox/*.*/minidumps/{,**} rw,
-  owner @{MOZ_HOMEDIR}/firefox/*.*/minidumps/[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*.{dmp,extra} rw,
+  owner @{MOZ_HOMEDIR}/firefox/*.*/minidumps/@{uuid}.{dmp,extra} rw,

  owner @{MOZ_HOMEDIR}/firefox/*.*/crashes/{,**} rw,
-  owner @{MOZ_HOMEDIR}/firefox/*.*/crashes/events/[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* rw,
+  owner @{MOZ_HOMEDIR}/firefox/*.*/crashes/events/@{uuid} rw,

        /tmp/ r,
  owner /tmp/[0-9a-f]*.{dmp,extra} rw,
--- a/apparmor.d/groups/browsers/firefox-minidump-analyzer
+++ b/apparmor.d/groups/browsers/firefox-minidump-analyzer
@ -27,7 +27,7 @@ profile firefox-minidump-analyzer @{exec_path} {
  owner "@{MOZ_HOMEDIR}/firefox/Crash Reports/pending/[0-9a-f]*.{dmp,extra}" rw,

  owner @{MOZ_HOMEDIR}/firefox/*.*/minidumps/ rw,
-  owner @{MOZ_HOMEDIR}/firefox/*.*/minidumps/[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*.{dmp,extra} rw,
+  owner @{MOZ_HOMEDIR}/firefox/*.*/minidumps/@{uuid}.{dmp,extra} rw,

  owner /dev/shm/org.mozilla.ipc.[0-9]*.[0-9]* r,

--- a/apparmor.d/groups/browsers/firefox-pingsender
+++ b/apparmor.d/groups/browsers/firefox-pingsender
@ -22,7 +22,7 @@ profile firefox-pingsender @{exec_path} {

  @{exec_path} mr,

-  owner @{HOME}/.mozilla/firefox/*.*/saved-telemetry-pings/[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* rw,
+  owner @{HOME}/.mozilla/firefox/*.*/saved-telemetry-pings/@{uuid} rw,

  # file_inherit
  owner /dev/tty[0-9]* rw,
--- a/apparmor.d/groups/network/nm-openvpn-service
+++ b/apparmor.d/groups/network/nm-openvpn-service
@ -25,7 +25,7 @@ profile nm-openvpn-service @{exec_path} {
  /{usr/,}bin/kmod rPx,

  @{run}/systemd/userdb/ r,
-  @{run}/NetworkManager/nm-openvpn-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* rw,
+  @{run}/NetworkManager/nm-openvpn-@{uuid} rw,

  /dev/net/tun rw,
  /dev/tty rw,
--- a/apparmor.d/groups/network/openvpn
+++ b/apparmor.d/groups/network/openvpn
@ -62,7 +62,7 @@ profile openvpn @{exec_path} {
  /var/log/openvpn/*.log w,

  @{run}/openvpn/*.{pid,status} rw,
-  @{run}/NetworkManager/nm-openvpn-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* rw,
+  @{run}/NetworkManager/nm-openvpn-@{uuid} rw,

  /{usr/,}bin/ip                                rix,
  /{usr/,}bin/systemd-ask-password              rPx,
--- a/apparmor.d/groups/systemd/bootctl
+++ b/apparmor.d/groups/systemd/bootctl
@ -42,20 +42,20 @@ profile bootctl @{exec_path} {

  @{sys}/firmware/dmi/entries/*/raw r,
  @{sys}/firmware/efi/efivars/ r,
-  @{sys}/firmware/efi/efivars/Boot[0-9A-F]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* r,
-  @{sys}/firmware/efi/efivars/BootOrder-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* r,
-  @{sys}/firmware/efi/efivars/LoaderDevicePartUUID-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* r,
-  @{sys}/firmware/efi/efivars/LoaderEntries-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* r,
-  @{sys}/firmware/efi/efivars/LoaderFeatures-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* r,
-  @{sys}/firmware/efi/efivars/LoaderFirmwareInfo-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* r,
-  @{sys}/firmware/efi/efivars/LoaderFirmwareType-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* r,
-  @{sys}/firmware/efi/efivars/LoaderImageIdentifier-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* r,
-  @{sys}/firmware/efi/efivars/LoaderInfo-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* r,
-  @{sys}/firmware/efi/efivars/LoaderSystemToken-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* r,
-  @{sys}/firmware/efi/efivars/OsIndications-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* r,
-  @{sys}/firmware/efi/efivars/OsIndicationsSupported-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* r,
-  @{sys}/firmware/efi/efivars/SecureBoot-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* r,
-  @{sys}/firmware/efi/efivars/SetupMode-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* r,
+  @{sys}/firmware/efi/efivars/Boot[0-9A-F]*-@{uuid} r,
+  @{sys}/firmware/efi/efivars/BootOrder-@{uuid} r,
+  @{sys}/firmware/efi/efivars/LoaderDevicePartUUID-@{uuid} r,
+  @{sys}/firmware/efi/efivars/LoaderEntries-@{uuid} r,
+  @{sys}/firmware/efi/efivars/LoaderFeatures-@{uuid} r,
+  @{sys}/firmware/efi/efivars/LoaderFirmwareInfo-@{uuid} r,
+  @{sys}/firmware/efi/efivars/LoaderFirmwareType-@{uuid} r,
+  @{sys}/firmware/efi/efivars/LoaderImageIdentifier-@{uuid} r,
+  @{sys}/firmware/efi/efivars/LoaderInfo-@{uuid} r,
+  @{sys}/firmware/efi/efivars/LoaderSystemToken-@{uuid} r,
+  @{sys}/firmware/efi/efivars/OsIndications-@{uuid} r,
+  @{sys}/firmware/efi/efivars/OsIndicationsSupported-@{uuid} r,
+  @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r,
+  @{sys}/firmware/efi/efivars/SetupMode-@{uuid} r,

 owner @{PROC}/@{pid}/cgroup r,
       @{PROC}/sys/kernel/random/poolsize r,
--- a/apparmor.d/groups/systemd/child-systemctl
+++ b/apparmor.d/groups/systemd/child-systemctl
@ -36,7 +36,7 @@ profile child-systemctl flags=(attach_disconnected) {
        @{PROC}/1/sched r,
        @{PROC}/cmdline r,

-  @{sys}/firmware/efi/efivars/SecureBoot-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* r,
+  @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r,

  /dev/kmsg w,

--- a/apparmor.d/groups/systemd/systemd-analyze
+++ b/apparmor.d/groups/systemd/systemd-analyze
@ -57,8 +57,8 @@ profile systemd-analyze @{exec_path} {
  /etc/default/locale r,
  /etc/locale.conf r,

-  @{sys}/firmware/efi/efivars/LoaderTimeInitUSec-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* r,
-  @{sys}/firmware/efi/efivars/LoaderTimeExecUSec-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* r,
+  @{sys}/firmware/efi/efivars/LoaderTimeInitUSec-@{uuid} r,
+  @{sys}/firmware/efi/efivars/LoaderTimeExecUSec-@{uuid} r,

  /dev/tty rw,
  /dev/pts/1 rw,
--- a/apparmor.d/groups/systemd/systemd-journald
+++ b/apparmor.d/groups/systemd/systemd-journald
@ -58,7 +58,7 @@ profile systemd-journald @{exec_path} {
  @{run}/udev/data/+platform:simple-framebuffer.[0-9]* r,

  @{sys}/devices/**/uevent r,
-  @{sys}/firmware/efi/efivars/SecureBoot-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* r,
+  @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r,
  @{sys}/module/printk/parameters/time r,

  @{PROC}/@{pids}/comm r,
--- a/apparmor.d/groups/systemd/systemd-logind
+++ b/apparmor.d/groups/systemd/systemd-logind
@ -84,10 +84,10 @@ profile systemd-logind @{exec_path} flags=(complain) {
  @{sys}/class/drm/ r,
  @{sys}/power/{state,resume_offset,resume,disk} r,

-  @{sys}/firmware/efi/efivars/OsIndicationsSupported-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* r,
-  @{sys}/firmware/efi/efivars/OsIndications-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* r,
-  @{sys}/firmware/efi/efivars/LoaderEntries-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* r,
-  @{sys}/firmware/efi/efivars/LoaderFeatures-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* r,
+  @{sys}/firmware/efi/efivars/OsIndicationsSupported-@{uuid} r,
+  @{sys}/firmware/efi/efivars/OsIndications-@{uuid} r,
+  @{sys}/firmware/efi/efivars/LoaderEntries-@{uuid} r,
+  @{sys}/firmware/efi/efivars/LoaderFeatures-@{uuid} r,

  @{PROC}/@{pid}/cgroup r,
  @{PROC}/@{pid}/comm r,
--- a/apparmor.d/groups/systemd/systemd-resolved
+++ b/apparmor.d/groups/systemd/systemd-resolved
@ -44,5 +44,5 @@ profile systemd-resolved @{exec_path} {
  @{PROC}/sys/kernel/random/boot_id r,

  # System access
-  @{sys}/firmware/efi/efivars/SecureBoot-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* r,
+  @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r,
 }
--- a/apparmor.d/groups/virt/libvirtd
+++ b/apparmor.d/groups/virt/libvirtd
@ -72,7 +72,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) {
  signal (send) set=(term) peer=libvirtd//qemu_bridge_helper,

  # allow connect with openGraphicsFD, direction reversed in newer versions
-  unix (send, receive) type=stream addr=none peer=(label=libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*),
+  unix (send, receive) type=stream addr=none peer=(label=libvirt-@{uuid}),
  # unconfined also required if guests run without security module
  unix (send, receive) type=stream addr=none peer=(label=unconfined),

@ -113,7 +113,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) {
  /etc/xen/scripts/** rmix,

  # allow changing to our UUID-based named profiles
-  change_profile -> libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
+  change_profile -> libvirt-@{uuid},

  /usr/{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper Cx -> qemu_bridge_helper,
  # child profile for bridge helper process
--- a/apparmor.d/profiles-a-f/btrfs
+++ b/apparmor.d/profiles-a-f/btrfs
@ -29,8 +29,8 @@ profile btrfs @{exec_path} {

  # For scrub
  /var/lib/btrfs/ rw,
-  /var/lib/btrfs/scrub.progress.[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* rw,
-  /var/lib/btrfs/scrub.status.[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*{,_tmp} rwk,
+  /var/lib/btrfs/scrub.progress.@{uuid} rw,
+  /var/lib/btrfs/scrub.status.@{uuid}{,_tmp} rwk,

  # Saved metadata
  @{MOUNTS}/*/ r,
--- a/apparmor.d/profiles-a-f/f3fix
+++ b/apparmor.d/profiles-a-f/f3fix
@ -51,7 +51,7 @@ profile f3fix @{exec_path} {
          @{PROC}/sys/kernel/osrelease r,
          @{PROC}/sys/kernel/random/boot_id r,

-    @{sys}/firmware/efi/efivars/SecureBoot-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* r,
+    @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r,

    # file_inherit
    /dev/sd[a-z]* rw,
--- a/apparmor.d/profiles-a-f/fatresize
+++ b/apparmor.d/profiles-a-f/fatresize
@ -50,7 +50,7 @@ profile fatresize @{exec_path} {
          @{PROC}/sys/kernel/osrelease r,
          @{PROC}/sys/kernel/random/boot_id r,

-    @{sys}/firmware/efi/efivars/SecureBoot-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* r,
+    @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r,

    # file_inherit
    /dev/{s,v}d[a-z]* rw,
--- a/apparmor.d/profiles-g-l/lightdm-gtk-greeter
+++ b/apparmor.d/profiles-g-l/lightdm-gtk-greeter
@ -67,7 +67,7 @@ profile lightdm-gtk-greeter @{exec_path} {
          @{PROC}/cmdline r,
          @{PROC}/sys/kernel/osrelease r,

-    @{sys}/firmware/efi/efivars/SecureBoot-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* r,
+    @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r,

    # file_inherit
    /var/log/lightdm/seat[0-9]*-greeter.log w,
--- a/apparmor.d/profiles-g-l/logrotate
+++ b/apparmor.d/profiles-g-l/logrotate
@ -63,7 +63,7 @@ profile logrotate @{exec_path} flags=(attach_disconnected, complain) {
  #  logrotate[]: error: could not change directory to '.'
  / r,

-  @{sys}/firmware/efi/efivars/SecureBoot-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* r,
+  @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r,

  profile systemctl flags=(attach_disconnected, complain) {
    include <abstractions/base>
--- a/apparmor.d/profiles-s-z/x11-xsession
+++ b/apparmor.d/profiles-s-z/x11-xsession
@ -110,7 +110,7 @@ profile x11-xsession @{exec_path} {
          @{PROC}/1/environ r,
          @{PROC}/sys/kernel/osrelease r,

-    @{sys}/firmware/efi/efivars/SecureBoot-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* r,
+    @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r,

    @{sys}/bus/ r,
    @{sys}/bus/*/devices/ r,
--- a/apparmor.d/profiles-s-z/xinit
+++ b/apparmor.d/profiles-s-z/xinit
@ -118,7 +118,7 @@ profile xinit @{exec_path} {
          @{PROC}/1/environ r,
          @{PROC}/sys/kernel/osrelease r,

-    @{sys}/firmware/efi/efivars/SecureBoot-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* r,
+    @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r,

    @{sys}/bus/ r,
    @{sys}/bus/*/devices/ r,
--- a/apparmor.d/tunables/extend
+++ b/apparmor.d/tunables/extend
@ -6,6 +6,9 @@
 # To allow extended personalisation without breaking everything.
 # All apparmor profiles should always use the variables defined here.

+# Universally unique identifier
+@{uuid}=[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*
+
 # Common mountpoints
@{MOUNTS}=/media/ @{run}/media /mnt