diff --git a/apparmor.d/groups/apt/dpkg-divert b/apparmor.d/groups/apt/dpkg-divert index e58e876d..d6230d07 100644 --- a/apparmor.d/groups/apt/dpkg-divert +++ b/apparmor.d/groups/apt/dpkg-divert @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2020-2021 Mikhail Morfikov +# Copyright (C) 2021 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -21,5 +22,7 @@ profile dpkg-divert @{exec_path} { /var/lib/dpkg/diversions-new rw, /var/lib/dpkg/diversions-old rwl -> /var/lib/dpkg/diversions, + /etc/** rw, + include if exists } diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index df06bc93..3a1f2b4e 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center @@ -81,7 +81,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/c13:[0-9]* r, # for /dev/input/* @{run}/udev/data/c235:[0-9]* r, @{run}/udev/data/c236:[0-9]* r, - @{run}/udev/data/c510:[0-9]* r, + @{run}/udev/data/c51[0-9]:[0-9]* r, @{run}/udev/data/n[0-9]* r, @{sys}/bus/ r, @@ -92,6 +92,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { @{sys}/devices/virtual/**/uevent r, @{sys}/devices/pci[0-9]*/**/drm/ r, @{sys}/devices/virtual/dmi/id/chassis_type r, + @{sys}/devices/virtual/thermal/thermal_zone[0-9]/hwmon[0-9]/temp* r, owner @{sys}/fs/cgroup/user.slice/user-[0-9]*.slice/user@[0-9]*.service/{,**} rw, diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary index 624ffe33..749c5361 100644 --- a/apparmor.d/groups/gnome/gnome-session-binary +++ b/apparmor.d/groups/gnome/gnome-session-binary 
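Review bot: In the dpkg-divert hunk (`@@ -21,5 +22,7 @@`), the added `/etc/** rw,` grants write access to every file under /etc, including account and privilege configuration, and nothing in the profile says why. The rule sits next to tightly scoped `/var/lib/dpkg/diversions*` entries, so the jump in scope deserves a justification. At minimum add a comment such as `# Diverted files are renamed in place; the targets are chosen by packages`. If the denials that prompted this rule came from a few known paths, list those instead of the whole tree. Diversions are presumably not limited to /etc either, so the rule may be both broader than needed and incomplete.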
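Review bot: In gnome-control-center (`@@ -92,6 +92,7 @@`), the new `thermal_zone[0-9]/hwmon[0-9]/temp*` rule matches single-digit indices only, while the neighbouring rules in this profile use `[0-9]*`. A machine with ten or more thermal zones or hwmon nodes would still hit denials; `@{sys}/devices/virtual/thermal/thermal_zone[0-9]*/hwmon[0-9]*/temp* r,` keeps the pattern consistent. The earlier hunk widens `c510` to `c51[0-9]` without saying which device nodes this is for; a trailing comment like the existing `# for /dev/input/*` would help the next reader judge whether the range is right.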
@@ -20,6 +20,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, /{usr/,}bin/{,z,ba,da}sh rix, + /{usr/,}bin/env rix, /{usr/,}bin/xdg-user-dirs-gtk-update rix, /{usr/,}lib/gnome-session-check-accelerated rix, /{usr/,}lib/gnome-session-check-accelerated-gl-helper rix, @@ -43,6 +44,8 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/gnome-session/hardware-compatibility r, /usr/share/gnome-session/sessions/*.session r, + /usr/share/icons/{,**} r, + /usr/share/X11/xkb/{,**} r, /var/lib/gdm/.config/gnome-session/ rw, /var/lib/gdm/.config/gnome-session/saved-session/ rw, diff --git a/apparmor.d/groups/pacman/mkinitcpio b/apparmor.d/groups/pacman/mkinitcpio index 6674aa7f..a9b453e3 100644 --- a/apparmor.d/groups/pacman/mkinitcpio +++ b/apparmor.d/groups/pacman/mkinitcpio @@ -7,7 +7,7 @@ abi , include @{exec_path} = /{usr/,}bin/mkinitcpio -profile mkinitcpio @{exec_path} { +profile mkinitcpio @{exec_path} flags=(attach_disconnected) { include include include @@ -89,6 +89,7 @@ profile mkinitcpio @{exec_path} { deny @{HOME}/** r, deny network inet6 stream, deny network inet stream, + deny /apparmor/.null rw, include if exists } diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman index 393916fe..9b056e4e 100644 --- a/apparmor.d/groups/pacman/pacman +++ b/apparmor.d/groups/pacman/pacman @@ -45,6 +45,7 @@ profile pacman @{exec_path} { # Pacman hooks & install scripts /{usr/,}{s,}bin/ldconfig rix, /{usr/,}bin/{,ba}sh rix, + /{usr/,}bin/cat rix, /{usr/,}bin/dot rix, /{usr/,}bin/env rix, /{usr/,}bin/rm rix, diff --git a/apparmor.d/groups/pacman/pacman-hook-gio b/apparmor.d/groups/pacman/pacman-hook-gio index 9be7037f..b748c39c 100644 --- a/apparmor.d/groups/pacman/pacman-hook-gio +++ b/apparmor.d/groups/pacman/pacman-hook-gio 
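Review bot: In mkinitcpio (`@@ -7,7 +7,7 @@` and `@@ -89,6 +89,7 @@`), `flags=(attach_disconnected)` is added together with `deny /apparmor/.null rw,`, and neither line is explained. The flag is profile-wide: every disconnected path is re-attached at the root and matched against the ordinary file rules, so it widens more than the one path being silenced. The plain `deny` (no `audit`) also means the event no longer appears in the logs. Presumably the pair exists only to quiet denials on inherited descriptors that the kernel replaced with its null file; if so, say it in the profile, e.g. `# file_inherit: silence denials on fds replaced with /apparmor/.null`. The same undocumented pair is added in child-systemctl, systemd-hwdb, systemd-sysusers, systemd-tmpfiles, apparmor_parser, firecfg, gio-querymodules, gtk-update-icon-cache and kmod (systemd-udevd gets only the deny); apparmor_parser (it holds `capability mac_admin`) and kmod deserve a second look before the flag is applied wholesale.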
@@ -10,6 +10,8 @@ include profile pacman-hook-gio @{exec_path} { include + capability dac_read_search, + @{exec_path} mr, /{usr/,}bin/bash rix, @@ -19,6 +21,8 @@ profile pacman-hook-gio @{exec_path} { /{usr/,}lib/gio/modules/giomodule.cache{,.[0-9A-Z]*} rw, /{usr/,}lib/gtk-{3,4}.0/**/*/ rw, + /usr/lib/gio/modules/ rw, + /dev/tty rw, # Inherit Silencer diff --git a/apparmor.d/groups/systemd/child-systemctl b/apparmor.d/groups/systemd/child-systemctl index 080136f3..ad243183 100644 --- a/apparmor.d/groups/systemd/child-systemctl +++ b/apparmor.d/groups/systemd/child-systemctl @@ -13,7 +13,7 @@ abi , include # Do not attach to /{usr/,}bin/systemctl by default -profile child-systemctl { +profile child-systemctl flags=(attach_disconnected) { include include include @@ -38,5 +38,7 @@ profile child-systemctl { /dev/kmsg w, + deny /apparmor/.null rw, + include if exists } diff --git a/apparmor.d/groups/systemd/systemd-hwdb b/apparmor.d/groups/systemd/systemd-hwdb index 06901e6d..51f4ff12 100644 --- a/apparmor.d/groups/systemd/systemd-hwdb +++ b/apparmor.d/groups/systemd/systemd-hwdb @@ -7,7 +7,7 @@ abi , include @{exec_path} = /{usr/,}bin/systemd-hwdb -profile systemd-hwdb @{exec_path} { +profile systemd-hwdb @{exec_path} flags=(attach_disconnected) { include @{exec_path} mr, @@ -19,5 +19,7 @@ profile systemd-hwdb @{exec_path} { owner @{PROC}/@{pid}/stat r, + deny /apparmor/.null rw, + include if exists } diff --git a/apparmor.d/groups/systemd/systemd-journald b/apparmor.d/groups/systemd/systemd-journald index 0bb21e61..6d6380e9 100644 --- a/apparmor.d/groups/systemd/systemd-journald +++ b/apparmor.d/groups/systemd/systemd-journald 
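Review bot: In pacman-hook-gio (`@@ -10,6 +10,8 @@`), `capability dac_read_search,` is granted with no comment, although it lets the hook bypass read and directory-search permission checks. If the request comes from a path lookup that works without it, the usual alternative is `deny capability dac_read_search,`; otherwise add a line such as `# Needed to traverse <dir> as root` naming the directory that triggered it. In the second hunk, `/usr/lib/gio/modules/ rw,` hard-codes `/usr/lib` while the adjacent rules use `/{usr/,}lib/...`, and `w` on the directory itself looks broader than needed for writing `giomodule.cache` inside it; `/{usr/,}lib/gio/modules/ r,` is probably enough, to be confirmed against the logged denial.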
@@ -13,16 +13,14 @@ profile systemd-journald @{exec_path} { include include - capability syslog, - capability sys_ptrace, + capability audit_control, capability dac_read_search, capability kill, - capability sys_admin, - capability setuid, capability setgid, - - # For audit logs - capability audit_control, + capability setuid, + capability sys_admin, + capability sys_ptrace, + capability syslog, network netlink raw, diff --git a/apparmor.d/groups/systemd/systemd-sysusers b/apparmor.d/groups/systemd/systemd-sysusers index e25108d4..cb307604 100644 --- a/apparmor.d/groups/systemd/systemd-sysusers +++ b/apparmor.d/groups/systemd/systemd-sysusers @@ -7,7 +7,7 @@ abi , include @{exec_path} = /{usr/,}bin/systemd-sysusers -profile systemd-sysusers @{exec_path} { +profile systemd-sysusers @{exec_path} flags=(attach_disconnected) { include @{exec_path} mr, @@ -37,5 +37,7 @@ profile systemd-sysusers @{exec_path} { owner @{PROC}/@{pid}/stat r, @{PROC}/sys/kernel/random/boot_id r, + deny /apparmor/.null rw, + include if exists } diff --git a/apparmor.d/groups/systemd/systemd-tmpfiles b/apparmor.d/groups/systemd/systemd-tmpfiles index 7ea1d562..4def3405 100644 --- a/apparmor.d/groups/systemd/systemd-tmpfiles +++ b/apparmor.d/groups/systemd/systemd-tmpfiles @@ -7,7 +7,7 @@ abi , include @{exec_path} = /{usr/,}bin/systemd-tmpfiles -profile systemd-tmpfiles @{exec_path} { +profile systemd-tmpfiles @{exec_path} flags=(attach_disconnected) { include include include @@ -50,5 +50,7 @@ profile systemd-tmpfiles @{exec_path} { @{PROC}/@{pid}/net/unix r, + deny /apparmor/.null rw, + include if exists } diff --git a/apparmor.d/groups/systemd/systemd-udevd b/apparmor.d/groups/systemd/systemd-udevd index 92354530..51b36a82 100644 --- a/apparmor.d/groups/systemd/systemd-udevd +++ b/apparmor.d/groups/systemd/systemd-udevd 
@@ -97,5 +97,7 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected complain) { # file_inherit owner @{HOME}/.xsession-errors w, + deny /apparmor/.null rw, + include if exists } diff --git a/apparmor.d/groups/virt/libvirtd b/apparmor.d/groups/virt/libvirtd index 94326a14..ffbc9bed 100644 --- a/apparmor.d/groups/virt/libvirtd +++ b/apparmor.d/groups/virt/libvirtd @@ -84,22 +84,20 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { / r, /** rwmkl, - /bin/* PUx, - /sbin/* PUx, - /usr/bin/* PUx, + /{usr/,}bin/* rPUx, + /{usr/,}sbin/* rPUx, /{usr/,}{,s}bin/virtlogd rPx, - /usr/sbin/* PUx, - /{usr/,}lib/udev/scsi_id PUx, - /usr/{lib,lib64}/xen-common/bin/xen-toolstack PUx, - /usr/{lib,lib64}/xen/bin/* Ux, - @{libexec}/xen-*/bin/libxl-save-helper PUx, - @{libexec}/xen-*/bin/pygrub PUx, - /usr/{lib,lib64,lib/qemu,libexec}/vhost-user-gpu PUx, - /usr/{lib,lib64,lib/qemu,libexec}/virtiofsd PUx, + /{usr/,}lib/udev/scsi_id rPUx, + /usr/{lib,lib64}/xen-common/bin/xen-toolstack rPUx, + /usr/{lib,lib64}/xen/bin/* rUx, + @{libexec}/xen-*/bin/libxl-save-helper rPUx, + @{libexec}/xen-*/bin/pygrub rPUx, + /usr/{lib,lib64,lib/qemu,libexec}/vhost-user-gpu rPUx, + /usr/{lib,lib64,lib/qemu,libexec}/virtiofsd rPUx, # Required by nwfilter_ebiptables_driver.c:ebiptablesWriteToTempFile() to # read and run an ebtables script. - /var/lib/libvirt/virtd* ixr, + /var/lib/libvirt/virtd* rix, # force the use of virt-aa-helper audit deny /{usr/,}{s,}bin/apparmor_parser rwxl, @@ -108,7 +106,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { audit deny /sys/kernel/security/apparmor/matching rwxl, audit deny /sys/kernel/security/apparmor/.* rwxl, /sys/kernel/security/apparmor/profiles r, - /usr/lib/libvirt/* PUxr, + /usr/lib/libvirt/* rPUx, /usr/lib/libvirt/libvirt_parthelper ix, /usr/lib/libvirt/libvirt_iohelper ix, /etc/libvirt/hooks/** rmix, 
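Review bot: In libvirtd (`@@ -84,22 +84,20 @@`), the consolidated rules `/{usr/,}bin/* rPUx,` and `/{usr/,}sbin/* rPUx,` keep the fallback to unconfined execution, so any binary in those directories without a loaded profile runs unconfined when started by libvirtd; `/usr/{lib,lib64}/xen/bin/* rUx,` is unconfined unconditionally. The same commit drops that fallback (`rPUx` to `rPx`) in the xdg-* profiles, so the difference should be stated rather than left implicit. If the fallback is deliberate here, add a comment above the block, for example `# libvirtd must launch arbitrary helpers; confinement is delegated to their own profiles`. The hunk otherwise only normalises mode order (`ixr` to `rix`, `PUxr` to `rPUx`), and the profile body continues outside it.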
diff --git a/apparmor.d/profiles-a-f/apparmor_parser b/apparmor.d/profiles-a-f/apparmor_parser index b02d2356..77ea2a68 100644 --- a/apparmor.d/profiles-a-f/apparmor_parser +++ b/apparmor.d/profiles-a-f/apparmor_parser @@ -7,7 +7,7 @@ abi , include @{exec_path} = /{usr/,}bin/apparmor_parser -profile apparmor_parser @{exec_path} { +profile apparmor_parser @{exec_path} flags=(attach_disconnected) { include capability mac_admin, @@ -26,5 +26,7 @@ profile apparmor_parser @{exec_path} { owner @{PROC}/@{pid}/mounts r, owner @{PROC}/sys/kernel/osrelease r, + deny /apparmor/.null rw, + include if exists } \ No newline at end of file diff --git a/apparmor.d/profiles-a-f/firecfg b/apparmor.d/profiles-a-f/firecfg index 5ceef54c..b7d83b10 100644 --- a/apparmor.d/profiles-a-f/firecfg +++ b/apparmor.d/profiles-a-f/firecfg @@ -7,7 +7,7 @@ abi , include @{exec_path} = /{usr/,}bin/firecfg -profile firecfg @{exec_path} { +profile firecfg @{exec_path} flags=(attach_disconnected) { include include @@ -32,5 +32,7 @@ profile firecfg @{exec_path} { /dev/tty rw, + deny /apparmor/.null rw, + include if exists } \ No newline at end of file diff --git a/apparmor.d/profiles-g-l/gio-querymodules b/apparmor.d/profiles-g-l/gio-querymodules index 9e5a12a3..d2a63e5f 100644 --- a/apparmor.d/profiles-g-l/gio-querymodules +++ b/apparmor.d/profiles-g-l/gio-querymodules @@ -7,7 +7,7 @@ abi , include @{exec_path} = /{usr/,}bin/gio-querymodules -profile gio-querymodules @{exec_path} { +profile gio-querymodules @{exec_path} flags=(attach_disconnected) { include include @@ -16,5 +16,7 @@ profile gio-querymodules @{exec_path} { /{usr/,}lib/gtk-{3,4}.0/**/giomodule.cache{,.[0-9A-Z]*} w, /{usr/,}lib/gio/modules/giomodule.cache{,.[0-9A-Z]*} w, + deny /apparmor/.null rw, + include if exists } \ No newline at end of file diff --git a/apparmor.d/profiles-g-l/gtk-update-icon-cache b/apparmor.d/profiles-g-l/gtk-update-icon-cache index 15631fe9..a7206ec4 100644 --- a/apparmor.d/profiles-g-l/gtk-update-icon-cache 
+++ b/apparmor.d/profiles-g-l/gtk-update-icon-cache @@ -8,7 +8,7 @@ abi , include @{exec_path} = /{usr/,}bin/gtk-update-icon-cache /{usr/,}bin/gtk4-update-icon-cache -profile gtk-update-icon-cache @{exec_path} { +profile gtk-update-icon-cache @{exec_path} flags=(attach_disconnected) { include include @@ -18,5 +18,7 @@ profile gtk-update-icon-cache @{exec_path} { /usr/share/icons/**/.icon-theme.cache rw, /usr/share/icons/**/icon-theme.cache rw, + deny /apparmor/.null rw, + include if exists } diff --git a/apparmor.d/profiles-g-l/kmod b/apparmor.d/profiles-g-l/kmod index 2edbd730..942deffd 100644 --- a/apparmor.d/profiles-g-l/kmod +++ b/apparmor.d/profiles-g-l/kmod @@ -9,7 +9,7 @@ include @{exec_path} = /{usr/,}bin/{kmod,lsmod} @{exec_path} += /{usr/,}{s,}bin/{depmod,insmod,lsmod,rmmod,modinfo,modprobe} -profile kmod @{exec_path} { +profile kmod @{exec_path} flags=(attach_disconnected) { include include @@ -59,5 +59,7 @@ profile kmod @{exec_path} { owner @{user_build_dirs}/**/debian/*/lib/modules/*/kernel/{,**/} r, owner @{user_build_dirs}/**/debian/*/lib/modules/*/kernel/**/*.ko r, + deny /apparmor/.null rw, + include if exists } diff --git a/apparmor.d/profiles-g-l/less b/apparmor.d/profiles-g-l/less index 6ccdcef0..8602c4c8 100644 --- a/apparmor.d/profiles-g-l/less +++ b/apparmor.d/profiles-g-l/less @@ -3,9 +3,8 @@ # 2021 Alexandre Pujol # SPDX-License-Identifier: GPL-3.0-only -# Version of less profiled: 563 - abi , + include @{exec_path} = /{usr/,}bin/less 
@@ -13,19 +12,22 @@ profile less @{exec_path} { include include - # less can be used to view protected files capability dac_read_search, capability dac_override, @{exec_path} mr, - /{,**} r, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/source-highlight rix, + /{usr/,}bin/src-hilite-lesspipe.sh rix, - # Source highlighting - /usr/bin/{bash,dash} mrix, - /usr/bin/source-highlight mrix, - /usr/bin/src-hilite-lesspipe.sh mrix, + @{system_share_dirs}/terminfo/{,**} r, - # Silence unnecessary permissions + @{user_cache_dirs}/lesshs* rw, + owner /root/.lesshs* rw, + + /{,**} r, deny /{,**} w, + + include if exists } diff --git a/apparmor.d/profiles-m-r/pipewire b/apparmor.d/profiles-m-r/pipewire index 2f29e141..56ada79d 100644 --- a/apparmor.d/profiles-m-r/pipewire +++ b/apparmor.d/profiles-m-r/pipewire @@ -48,6 +48,7 @@ profile pipewire @{exec_path} { / r, + /dev/snd/seq rw, /dev/video[0-9]* rw, include if exists diff --git a/apparmor.d/profiles-m-r/pipewire-media-session b/apparmor.d/profiles-m-r/pipewire-media-session index 6a4966bc..a970cf0e 100644 --- a/apparmor.d/profiles-m-r/pipewire-media-session +++ b/apparmor.d/profiles-m-r/pipewire-media-session 
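Review bot: In the less profile (`@@ -13,19 +12,22 @@`), the new `@{user_cache_dirs}/lesshs* rw,` and `owner /root/.lesshs* rw,` rules cannot grant write access, because the retained `deny /{,**} w,` covers the same paths and deny rules take precedence over allow rules. History writes will therefore fail silently, since a plain deny is not logged. Either change the two rules to `r`, or drop the blanket deny and accept logged denials for other write attempts. The first rule also lacks the `owner` qualifier that the second one has, which matters in a profile holding `capability dac_override`. Finally, the hunk removes the comment `# less can be used to view protected files`, which was the only justification for `dac_read_search` and `dac_override`; keep it, especially as the shells now run `rix` and inherit `/{,**} r`.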
@@ -10,50 +10,51 @@ include @{exec_path} = /{usr/,}bin/pipewire-media-session profile pipewire-media-session @{exec_path} { include + include include + network bluetooth raw, + network bluetooth seqpacket, + network bluetooth stream, network netlink raw, @{exec_path} mr, - /usr/share/pipewire/media-session.d/{,**} r, - /etc/pipewire/media-session.d/*.conf r, - - owner @{user_config_dirs}/pipewire/ rw, - owner @{user_config_dirs}/pipewire/** rw, - - /dev/snd/controlC[0-9]* rw, - /dev/snd/pcmC[0-9]*D[0-9]*p rw, - /dev/snd/pcmC[0-9]*D[0-9]*c rw, - /usr/share/alsa-card-profile/{,**} r, /usr/share/alsa/{,**} r, - /etc/alsa/{,**} r, + /usr/share/pipewire/media-session.d/{,**} r, - /dev/shm/ r, - @{run}/shm/ r, + /etc/alsa/{,**} r, + /etc/pipewire/media-session.d/*.conf r, /etc/pulse/{,**} r, + + owner @{HOME}/.local/state/ rw, + owner @{HOME}/.local/state/pipewire/{,**} rw, + owner @{user_config_dirs}/pipewire/ rw, + owner @{user_config_dirs}/pipewire/** rw, owner @{user_config_dirs}/pulse/ rw, owner @{user_config_dirs}/pulse/cookie rwk, owner @{run}/user/@{uid}/pulse/ rw, - @{sys}/bus/ r, - @{sys}/class/ r, + @{run}/shm/ r, + @{run}/udev/data/+sound:card[0-9]* r, # For sound + @{run}/udev/data/c116:[0-9]* r, # for ALSA + @{sys}/class/sound/ r, @{sys}/class/video4linux/ r, @{sys}/devices/**/sound/**/uevent r, @{sys}/devices/pci[0-9]*/**/video4linux/video[0-9]*/uevent r, - - @{run}/udev/data/+sound:card[0-9]* r, # For sound - @{run}/udev/data/c81:[0-9]* r, # For video4linux - @{run}/udev/data/c116:[0-9]* r, # For ALSA + @{sys}/devices/system/node/ r, + @{sys}/devices/system/node/node[0-9]*/meminfo r, + @{sys}/devices/pci[0-9]*/**/modalias r, @{run}/systemd/users/@{uid} r, - @{sys}/devices/system/node/ r, - @{sys}/devices/system/node/node[0-9]*/meminfo r, - + /dev/shm/ r, + /dev/snd/controlC[0-9]* rw, + /dev/snd/pcmC[0-9]*D[0-9]*p rw, + /dev/snd/pcmC[0-9]*D[0-9]*c rw, /dev/video[0-9]* rw, include if exists 
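Review bot: In pipewire-media-session (`@@ -10,50 +10,51 @@`), the reordering drops `@{run}/udev/data/c81:[0-9]* r,  # For video4linux`, while `/dev/video[0-9]* rw,` and the `@{sys}/class/video4linux/` rules stay, so camera enumeration will probably produce new denials. If the removal is unintentional, restore the line next to the `c116` entry. `@{sys}/bus/ r,` and `@{sys}/class/ r,` are also removed in the same pass; confirm that is intended rather than a side effect of sorting. The three new `network bluetooth` rules and the `@{HOME}/.local/state/` paths are added without comment; a short `# Bluetooth audio devices` style note would match the trailing comments already used on the udev lines.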
diff --git a/apparmor.d/profiles-m-r/pipewire-pulse b/apparmor.d/profiles-m-r/pipewire-pulse index 1ccf3c33..533a75a9 100644 --- a/apparmor.d/profiles-m-r/pipewire-pulse +++ b/apparmor.d/profiles-m-r/pipewire-pulse @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2015-2020 Mikhail Morfikov +# Copyright (C) 2021 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -20,8 +21,9 @@ profile pipewire-pulse @{exec_path} { @{exec_path} mr, /etc/pipewire/client.conf r, - /etc/pipewire/pipewire-pulse.conf r, + /usr/share/pipewire/client.conf r, + /usr/share/pipewire/pipewire-pulse.conf r, owner @{run}/user/@{uid}/pulse/pid w, diff --git a/apparmor.d/profiles-s-z/virt-manager b/apparmor.d/profiles-s-z/virt-manager index d2d90848..2501f7c8 100644 --- a/apparmor.d/profiles-s-z/virt-manager +++ b/apparmor.d/profiles-s-z/virt-manager @@ -43,6 +43,7 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) { /{usr/,}bin/setfacl rix, /{usr/,}{s,}bin/libvirtd rPx, + /{usr/,}lib/spice-client-glib-usb-acl-helper rPx, /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/gtksourceview-4/{,**} r, diff --git a/apparmor.d/profiles-s-z/xdg-icon-resource b/apparmor.d/profiles-s-z/xdg-icon-resource index ec3dda5a..a1620d2b 100644 --- a/apparmor.d/profiles-s-z/xdg-icon-resource +++ b/apparmor.d/profiles-s-z/xdg-icon-resource @@ -26,7 +26,7 @@ profile xdg-icon-resource @{exec_path} flags=(complain) { /{usr/,}bin/readlink rix, /{usr/,}bin/touch rix, - /{usr/,}bin/gtk-update-icon-cache rPUx, + /{usr/,}bin/gtk-update-icon-cache rPx, /usr/share/icons/**.png rw, /usr/share/icons/*/.xdg-icon-resource-dummy rw, diff --git a/apparmor.d/profiles-s-z/xdg-mime b/apparmor.d/profiles-s-z/xdg-mime index 0bce78a3..5aab67b3 100644 --- a/apparmor.d/profiles-s-z/xdg-mime +++ b/apparmor.d/profiles-s-z/xdg-mime 
@@ -68,7 +68,7 @@ profile xdg-mime @{exec_path} flags=(attach_disconnected) { /{usr/,}bin/dbus-launch mr, /{usr/,}bin/dbus-send mr, - /{usr/,}bin/dbus-daemon rPUx, + /{usr/,}bin/dbus-daemon rPx, # for dbus-launch owner @{HOME}/.dbus/session-bus/[0-9a-f]*-[0-9] w, diff --git a/apparmor.d/profiles-s-z/xdg-open b/apparmor.d/profiles-s-z/xdg-open index 89c8b403..d6ddceae 100644 --- a/apparmor.d/profiles-s-z/xdg-open +++ b/apparmor.d/profiles-s-z/xdg-open @@ -58,7 +58,7 @@ profile xdg-open @{exec_path} flags=(attach_disconnected) { /{usr/,}bin/dbus-launch mr, /{usr/,}bin/dbus-send mr, - /{usr/,}bin/dbus-daemon rPUx, + /{usr/,}bin/dbus-daemon rPx, # for dbus-launch owner @{HOME}/.dbus/session-bus/[0-9a-f]*-[0-9] w, diff --git a/apparmor.d/profiles-s-z/xdg-settings b/apparmor.d/profiles-s-z/xdg-settings index 2ff7fb80..373f310b 100644 --- a/apparmor.d/profiles-s-z/xdg-settings +++ b/apparmor.d/profiles-s-z/xdg-settings @@ -67,7 +67,7 @@ profile xdg-settings @{exec_path} { /{usr/,}bin/dbus-launch mr, /{usr/,}bin/dbus-send mr, - /{usr/,}bin/dbus-daemon rPUx, + /{usr/,}bin/dbus-daemon rPx, # for dbus-launch owner @{HOME}/.dbus/session-bus/[0-9a-f]*-[0-9] w,
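Review bot: In xdg-mime (`@@ -68,7 +68,7 @@`), changing `/{usr/,}bin/dbus-daemon` from `rPUx` to `rPx` removes the unconfined fallback, so the exec is refused outright whenever no profile for dbus-daemon is loaded. This diff does not show such a profile, so confirm it ships in this tree and is installed on every target distribution before merging. A comment on the rule, e.g. `# requires the dbus-daemon profile to be loaded`, makes the dependency visible. The same applies to the identical change in xdg-open and xdg-settings. The xdg-icon-resource change to `gtk-update-icon-cache rPx` is covered, since that profile is touched by this same commit.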