feat(profile): general update.

2025-01-18 00:48:10 +01:00 · 2024-01-25 22:46:22 +00:00 · 2024-01-25 22:46:22 +00:00 · 1a1daeae07
commit 1a1daeae07
parent 55ae6d2b75
23 changed files with 118 additions and 100 deletions
--- a/apparmor.d/groups/apt/apt
+++ b/apparmor.d/groups/apt/apt
@ -93,6 +93,7 @@ profile apt @{exec_path} flags=(attach_disconnected) {
  # Ubuntu specificities
  @{lib}/ubuntu-advantage/apt-esm-hook                  rPx,
  @{lib}/ubuntu-advantage/apt-esm-json-hook             rPx,
+  @{lib}/ubuntu-release-upgrader/do-partial-upgrade     rPx,
  @{lib}/update-notifier/update-motd-updates-available  rPx,
  /usr/share/command-not-found/cnf-update-db            rPx,
  /usr/share/language-tools/language-options            rPx,
--- a/apparmor.d/groups/bus/dbus-broker-launch
+++ b/apparmor.d/groups/bus/dbus-broker-launch
@ -1,5 +1,5 @@
 # apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
+# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

 abi <abi/3.0>,
@ -7,7 +7,7 @@ abi <abi/3.0>,
 include <tunables/global>

@{exec_path} = @{bin}/dbus-broker-launch
-profile dbus-broker-launch @{exec_path} {
+profile dbus-broker-launch @{exec_path} flags=(attach_disconnected)  {
  include <abstractions/base>
  include <abstractions/nameservice-strict>

@ -19,13 +19,16 @@ profile dbus-broker-launch @{exec_path} {

  @{bin}/dbus-broker rPUx,

-  @{system_share_dirs}/dbus-1/{,**} r,
-  @{system_share_dirs}/dbus-1/services/{,**} r,
  /usr/share/dbus-1/{,**} r,
  /usr/share/defaults/**.conf r,

+  # Extra rules for Flatpak
+  @{system_share_dirs}/dbus-1/{,**} r,
+
  /etc/machine-id r,

+  @{run}/user/@{uid}/dbus-1/{,**} r,
+
  @{PROC}/sys/kernel/random/boot_id r,

  include if exists <local/dbus-broker-launch>
--- a/apparmor.d/groups/bus/dbus-daemon
+++ b/apparmor.d/groups/bus/dbus-daemon
@ -91,10 +91,11 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) {
  /var/lib/snapd/dbus-1/services/{,**} r,
  /var/lib/snapd/dbus-1/system-services/{,**} r,

-        @{user_share_dirs}/icc/{,edid-*} r,
+        @{user_share_dirs}/icc/ r,
+        @{user_share_dirs}/icc/edid-*.icc r,
  owner @{user_share_dirs}/dbus-1/{,**} r,

-        @{run}/systemd/inhibit/[0-9]*.ref rw,
+        @{run}/systemd/inhibit/*.ref rw,
        @{run}/systemd/notify w,
        @{run}/systemd/sessions/*.ref rw,
        @{run}/systemd/users/@{uid} r,
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal
@ -63,12 +63,15 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
  / r,
  /.flatpak-info r,

+  /usr/share/dconf/profile/gdm r,
  /usr/share/pipewire/client.conf r,
  /usr/share/xdg-desktop-portal/** r,

  /etc/pipewire/client.conf.d/ r,
  /etc/sysconfig/proxy r,

+  /var/lib/gdm{,3}/greeter-dconf-defaults r,
+
  /var/lib/flatpak/exports/share/mime/mime.cache r,
  /var/lib/flatpak/exports/share/applications/{**,} r,

@ -87,6 +90,7 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
  owner @{PROC}/@{pid}/mountinfo r,
  owner @{PROC}/@{pid}/task/ r,
  owner @{PROC}/@{pid}/task/@{tid}/ r,
+  owner @{PROC}/@{pid}/task/@{tid}/comm rw,
  owner @{PROC}/@{pid}/task/@{tid}/status r,
  owner @{PROC}/@{pids}/cgroup r,

--- a/apparmor.d/groups/gnome/gdm-generate-config
+++ b/apparmor.d/groups/gnome/gdm-generate-config
@ -11,7 +11,10 @@ profile gdm-generate-config @{exec_path} {
  include <abstractions/base>
  include <abstractions/nameservice-strict>

+  capability chown,
  capability dac_read_search,
+  capability fowner,
+  capability fsetid,
  capability setgid,
  capability setuid,

@ -29,8 +32,8 @@ profile gdm-generate-config @{exec_path} {
  /usr/share/gdm/{,**} r,

  /var/lib/ r,
+  /var/lib/gdm{3,}/ rw,
  /var/lib/gdm{3,}/{,**} r,
-
  /var/lib/gdm{3,}/greeter-dconf-defaults rw,
  /var/lib/gdm{3,}/greeter-dconf-defaults.@{rand6} w,

--- a/apparmor.d/groups/gnome/gio-launch-desktop
+++ b/apparmor.d/groups/gnome/gio-launch-desktop
@ -20,6 +20,7 @@ profile gio-launch-desktop @{exec_path} flags=(attach_disconnected) {

  @{exec_path} mr,

+  @{bin}/gnome-terminal     rPUx,
  @{lib}/gio-launch-desktop  rix,

  owner @{HOME}/{,**} rw,
--- a/apparmor.d/groups/gnome/gjs-console
+++ b/apparmor.d/groups/gnome/gjs-console
@ -19,6 +19,7 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) {
  include <abstractions/bus/org.freedesktop.portal.Desktop>
  include <abstractions/bus/org.gnome.Shell.Introspect>
  include <abstractions/dconf-write>
+  include <abstractions/fontconfig-cache-write>
  include <abstractions/gnome-strict>
  include <abstractions/graphics>
  include <abstractions/nameservice-strict>
@ -59,7 +60,7 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) {
  /usr/share/gnome-shell/{,**} r,
  /usr/share/icu/@{int}.@{int}/*.dat r,

-  /var/lib/gdm{3,}/.cache/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} r,
+  /var/lib/gdm{3,}/.cache/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} rw,
  /var/lib/gdm{3,}/.cache/gstreamer-1.0/ rw,
  /var/lib/gdm{3,}/.cache/gstreamer-1.0/registry.*.bin{,.tmp@{rand6}} rw,
  /var/lib/gdm{3,}/.config/dconf/user r,
--- a/apparmor.d/groups/gnome/gnome-calculator-search-provider
+++ b/apparmor.d/groups/gnome/gnome-calculator-search-provider
@ -13,6 +13,7 @@ profile gnome-calculator-search-provider @{exec_path} {
  include <abstractions/dconf-write>
  include <abstractions/gnome-strict>
  include <abstractions/graphics>
+  include <abstractions/nameservice-strict>

  signal (send) set=kill peer=unconfined,

--- a/apparmor.d/groups/gnome/gnome-initial-setup
+++ b/apparmor.d/groups/gnome/gnome-initial-setup
@ -12,7 +12,8 @@ profile gnome-initial-setup @{exec_path} {
  include <abstractions/bus-session>
  include <abstractions/dconf-write>
  include <abstractions/gnome-strict>
-  include <abstractions/mesa>
+  include <abstractions/graphics>
+  include <abstractions/nameservice-strict>

  network netlink raw,

@ -22,11 +23,19 @@ profile gnome-initial-setup @{exec_path} {

  @{bin}/df      rPx,
  @{bin}/dpkg    rPx -> child-dpkg,
+  @{bin}/locale  rix,
  @{bin}/lscpu   rPx,
  @{bin}/lspci   rPx,
  @{bin}/xrandr  rPx,

  @{lib}/gnome-initial-setup-goa-helper rix,

+  /usr/share/dconf/profile/gdm r,
+
+  /var/lib/gdm{,3}/greeter-dconf-defaults r,
+
+  owner @{user_config_dirs}/ibus/bus/ r,
+  owner @{user_config_dirs}/ibus/bus/@{md5}-unix-{,wayland-}@{int} r,
+
  include if exists <local/gnome-initial-setup>
 }
--- a/apparmor.d/groups/gnome/gnome-music
+++ b/apparmor.d/groups/gnome/gnome-music
@ -28,6 +28,7 @@ profile gnome-music @{exec_path} flags=(attach_disconnected) {

  @{exec_path} mr,
  @{bin}/ r,
+  @{bin}/env r,
  @{bin}/python3.@{int} rix,
  @{lib}/python3.@{int}/site-packages//gnomemusic/__pycache__/{,**} rw,

@ -44,8 +45,8 @@ profile gnome-music @{exec_path} flags=(attach_disconnected) {
  owner @{user_share_dirs}/grilo-plugins/ rwk,
  owner @{user_share_dirs}/grilo-plugins/*.db{,-shm,-journal,-wal} rwk,

-  owner @{run}/user/@{uid}/orcexec.[0-9a-zA-Z]* rw,
        @{run}/systemd/inhibit/[0-9]*.ref rw,
+  owner @{run}/user/@{uid}/orcexec.[0-9a-zA-Z]* rw,

  owner /tmp/grilo-plugin-cache-[0-9A-Z]*/ rw,
  owner /var/tmp/etilqs_@{hex} rw,
--- a/apparmor.d/groups/gnome/gnome-shell
+++ b/apparmor.d/groups/gnome/gnome-shell
@ -377,6 +377,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
  owner @{PROC}/@{pid}/mountinfo r,
  owner @{PROC}/@{pid}/mounts r,
  owner @{PROC}/@{pid}/task/@{pid}/cmdline r,
+  owner @{PROC}/@{pid}/task/@{tid}/comm rw,

  /dev/input/event@{int} rw,
  /dev/media@{int} rw,
--- a/apparmor.d/groups/gnome/gnome-software
+++ b/apparmor.d/groups/gnome/gnome-software
@ -104,6 +104,7 @@ profile gnome-software @{exec_path} {
        @{PROC}/sys/kernel/random/boot_id r,
        @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r,
  owner @{PROC}/@{pid}/cmdline r,
+  owner @{PROC}/@{pid}/fdinfo/@{int} r,
  owner @{PROC}/@{pid}/stat r,

  /dev/fuse rw,
--- a/apparmor.d/groups/gnome/gnome-terminal-server
+++ b/apparmor.d/groups/gnome/gnome-terminal-server
@ -60,6 +60,8 @@ profile gnome-terminal-server @{exec_path} {
  owner @{user_cache_dirs}/event-sound-cache.tdb.@{md5}.@{multiarch} rwk,

  owner @{user_config_dirs}/*xdg-terminals.list* rw,
+  owner @{user_config_dirs}/ibus/bus/ r,
+  owner @{user_config_dirs}/ibus/bus/@{md5}-unix-{,wayland-}@{int} r,
  owner @{user_config_dirs}/pulse/cookie rk,

  owner @{run}/user/@{uid}/pulse/ r,
--- a/apparmor.d/groups/gnome/goa-daemon
+++ b/apparmor.d/groups/gnome/goa-daemon
@ -40,6 +40,9 @@ profile goa-daemon @{exec_path} {

  /var/lib/gdm{3,}/.config/dconf/user r,

+  owner /var/lib/gdm{3,}/.config/ w,
+  owner /var/lib/gdm{3,}/.config/goa-1.0/ w,
+
  owner @{user_config_dirs}/goa-1.0/ rw,
  owner @{user_config_dirs}/goa-1.0/accounts.conf* rw,

--- a/apparmor.d/groups/gnome/tracker-extract
+++ b/apparmor.d/groups/gnome/tracker-extract
@ -16,6 +16,7 @@ profile tracker-extract @{exec_path} flags=(attach_disconnected) {
  include <abstractions/dconf-write>
  include <abstractions/deny-sensitive-home>
  include <abstractions/disks-read>
+  include <abstractions/fontconfig-cache-write>
  include <abstractions/gnome-strict>
  include <abstractions/graphics>
  include <abstractions/gstreamer>
--- a/apparmor.d/groups/kde/ksplashqml
+++ b/apparmor.d/groups/kde/ksplashqml
@ -21,9 +21,11 @@ profile ksplashqml @{exec_path} {
  /usr/share/qt/translations/*.qm r,

  owner @{user_cache_dirs}/icon-cache.kcache rw, 
+  owner @{user_cache_dirs}/ksplash/ rw,
+  owner @{user_cache_dirs}/ksplash/qmlcache/ rw,
  owner @{user_cache_dirs}/ksplash/qmlcache/*.qmlc rwl -> @{user_cache_dirs}/ksplash/qmlcache/#@{int},
-  owner @{user_cache_dirs}/ksplash/qmlcache/#@{int} rw,
  owner @{user_cache_dirs}/ksplash/qmlcache/*.qmlc.@{rand6} rwl -> @{user_cache_dirs}/ksplash/qmlcache/#@{int},
+  owner @{user_cache_dirs}/ksplash/qmlcache/#@{int} rw,
  owner @{user_config_dirs}/kdedefaults/* r,
  owner @{user_config_dirs}/kdeglobals r,

--- a/apparmor.d/groups/service/dmesg.service
+++ b/apparmor.d/groups/service/dmesg.service
@ -1,33 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
-# SPDX-License-Identifier: GPL-2.0-only
-
-# Profile for a systemd service, it does not specify an attachment path because
-# it is intended to be used only via "Px -> *.service" exec transitions from systemd.service
-
-abi <abi/3.0>,
-
-include <tunables/global>
-
-profile dmesg.service {
-  include <abstractions/base>
-
-  @{bin}/savelog     mr,
-
-  @{bin}/basename   rix,
-  @{bin}/chmod      rix,
-  @{bin}/date       rix,
-  @{bin}/dirname    rix,
-  @{bin}/gzip       rix,
-  @{bin}/ln         rix,
-  @{bin}/mv         rix,
-  @{bin}/rm         rix,
-  @{bin}/touch      rix,
-
-  /var/log/ r,
-  /var/log/dmesg rw,
-  /var/log/dmesg.* rwl -> /var/log/dmesg,
-
-  include if exists <usr/dmesg.service.d>
-  include if exists <local/dmesg.service>
-}
--- a/apparmor.d/groups/service/init-exim4
+++ b/apparmor.d/groups/service/init-exim4
@ -9,6 +9,13 @@ include <tunables/global>
@{exec_path} = /etc/init.d/exim4
 profile init-exim4 @{exec_path} {
  include <abstractions/base>
+  include <abstractions/nameservice-strict>
+
+  capability chown,
+  capability dac_read_search,
+  capability fowner,
+  capability fsetid,
+  capability net_admin,

  @{exec_path} mr,

@ -23,6 +30,7 @@ profile init-exim4 @{exec_path} {
  @{bin}/install            rix,
  @{bin}/mv                 rix,
  @{bin}/plymouth           rPx,
+  @{bin}/rm                 rix,
  @{bin}/run-parts          rix,
  @{bin}/sed                rix,
  @{bin}/start-stop-daemon  rix,
@ -31,7 +39,13 @@ profile init-exim4 @{exec_path} {
  @{bin}/tr                 rix,
  @{bin}/update-exim4.conf  rix,

-  /var/lib/exim4/config.autogenerated.tmp rw,
+  /etc/default/exim4 r,
+  /etc/exim4/* r,
+  /etc/mailname r,
+
+  /var/lib/exim4/* rw,
+
+  owner @{run}/exim4/{,**} rw,

  include if exists <local/init-exim4>
 }
--- a/apparmor.d/groups/service/systemd.service
+++ b/apparmor.d/groups/service/systemd.service
@ -15,24 +15,20 @@ profile systemd.service @{exec_path} flags=(attach_disconnected)  {

  capability sys_admin,

-  @{bin}/{,ba,da}sh     rm,
+  # TODO:
+  mount -> @{sys}/fs/fuse/connections/, 
+  mount -> @{sys}/kernel/*/,
+  mount -> /dev/*/,
+  mount -> /efi/, 
+  mount -> /tmp/, 

-  @{bin}/cp            rix,
-  @{bin}/find          rix,
-  @{bin}/grep          rix,
-  @{bin}/install       rix,
-  @{bin}/mkdir         rix,
-  @{bin}/mount         rix,
-  @{bin}/rm            rix,
+  @{bin}/mount         rix, # TODO: maybe, keep it in systemed
  @{bin}/systemctl     rix,
+  @{coreutils_path}    rix,
+  @{shells_path}      rmix,

  @{bin}/grub-editenv  rPx,
  @{bin}/ibus-daemon   rPx,
-
-  @{bin}/chgrp         rPx -> dmesg.service,
-  @{bin}/chmod         rPx -> dmesg.service,
-  @{bin}/savelog       rPx -> dmesg.service,
-
  @{bin}/ldconfig      rPx -> ldconfig.service,

  @{lib}/ r,
@ -43,6 +39,10 @@ profile systemd.service @{exec_path} flags=(attach_disconnected)  {
  /boot/grub/grubenv rw,
  /boot/grub/ w,

+  /var/log/ r,
+  /var/log/dmesg rw,
+  /var/log/dmesg.* rwl -> /var/log/dmesg,
+
  # snapd.system-shutdown.service
  @{run}/initramfs/shutdown rw,
  @{run}/initramfs/ rw,
@ -50,5 +50,6 @@ profile systemd.service @{exec_path} flags=(attach_disconnected)  {
  @{PROC}/cmdline r,
  @{PROC}/sys/kernel/osrelease r,

+  include if exists <usr/systemd.service.d>
  include if exists <local/systemd.service>
 }
--- a/apparmor.d/groups/systemd/systemd-journald
+++ b/apparmor.d/groups/systemd/systemd-journald
@ -42,6 +42,7 @@ profile systemd-journald @{exec_path} {
  owner @{run}/systemd/notify rw,

  @{run}/host/container-manager r,
+  @{run}/utmp rk,

  @{run}/udev/data/+acpi:*      r,
  @{run}/udev/data/+bluetooth:* r,
--- a/apparmor.d/profiles-a-f/dleyna-server-service
+++ b/apparmor.d/profiles-a-f/dleyna-server-service
@ -19,7 +19,10 @@ profile dleyna-server-service @{exec_path} {

  @{exec_path} mr,

+  /etc/dleyna-server-service.conf r,
+
        @{user_config_dirs}/dleyna-server-service.conf r,
+  owner @{user_config_dirs}/dleyna-server-service.conf w,

  include if exists <local/dleyna-server-service>
 }
--- a/apparmor.d/profiles-s-z/top
+++ b/apparmor.d/profiles-s-z/top
@ -1,13 +1,12 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2019-2021 Mikhail Morfikov
+# Copyright (C) 2021-2023 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

 abi <abi/3.0>,

 include <tunables/global>

-# When any of the "ns*" fields is displayed, the following error will be printed:
-#  "Failed name lookup - disconnected path" error=-13 profile="top" name="".
@{exec_path} = @{bin}/top
 profile top @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
@ -15,62 +14,57 @@ profile top @{exec_path} flags=(attach_disconnected) {
  include <abstractions/wutmp>
  include <abstractions/nameservice-strict>

-  # To be able to read the /proc/ files of all processes in the system.
  capability dac_read_search,
-
-  # To manage priorities.
-  capability sys_nice,
-
-  # To terminate other users' processes when top is started as root.
  capability kill,
-
+  capability sys_nice,
  capability sys_ptrace,

  signal (send),
+
  ptrace (read),

  @{exec_path} mr,

  /usr/share/terminfo/** r,

-  @{PROC}/ r,
-  @{PROC}/loadavg r,
-  @{PROC}/uptime r,
-  @{PROC}/tty/drivers r,
-  @{PROC}/sys/kernel/osrelease r,
-  @{PROC}/sys/kernel/pid_max r,
-
-  @{PROC}/@{pids}/cmdline r,
-  @{PROC}/@{pids}/stat r,
-  @{PROC}/@{pids}/statm r,
-  @{PROC}/@{pids}/environ r,
-  @{PROC}/@{pids}/oom_{,score_}adj r,
-  @{PROC}/@{pids}/oom_score r,
-  @{PROC}/@{pids}/cgroup r,
-  @{PROC}/@{pids}/wchan r,
-
-  @{PROC}/@{pids}/task/ r,
-  @{PROC}/@{pids}/task/@{tid}/cmdline r,
-  @{PROC}/@{pids}/task/@{tid}/stat r,
-  @{PROC}/@{pids}/task/@{tid}/statm r,
-  @{PROC}/@{pids}/task/@{tid}/environ r,
-  @{PROC}/@{pids}/task/@{tid}/oom_{,score_}adj r,
-  @{PROC}/@{pids}/task/@{tid}/oom_score r,
-  @{PROC}/@{pids}/oom_{,score_}adj r,
-  @{PROC}/@{pids}/oom_score r,
-  @{PROC}/@{pids}/task/@{tid}/cgroup r,
-  @{PROC}/@{pids}/task/@{tid}/wchan r,
-  @{PROC}/@{pids}/task/@{tid}/status r,
-
  /etc/topdefaultrc r,
  /etc/toprc r,

+  owner @{user_config_dirs}/procps/ rw,
+  owner @{user_config_dirs}/procps/toprc rw,
+
+  @{run}/systemd/sessions/ r,
+
  @{sys}/devices/system/node/ r,
  @{sys}/devices/system/node/node@{int}/meminfo r,
  @{sys}/devices/system/node/node@{int}/cpumap r,

-  owner @{user_config_dirs}/procps/ rw,
-  owner @{user_config_dirs}/procps/toprc rw,
+  @{PROC}/ r,
+  @{PROC}/@{pids}/cgroup r,
+  @{PROC}/@{pids}/cmdline r,
+  @{PROC}/@{pids}/environ r,
+  @{PROC}/@{pids}/oom_{,score_}adj r,
+  @{PROC}/@{pids}/oom_{,score_}adj r,
+  @{PROC}/@{pids}/oom_score r,
+  @{PROC}/@{pids}/oom_score r,
+  @{PROC}/@{pids}/stat r,
+  @{PROC}/@{pids}/statm r,
+  @{PROC}/@{pids}/task/ r,
+  @{PROC}/@{pids}/task/@{tid}/cgroup r,
+  @{PROC}/@{pids}/task/@{tid}/cmdline r,
+  @{PROC}/@{pids}/task/@{tid}/environ r,
+  @{PROC}/@{pids}/task/@{tid}/oom_{,score_}adj r,
+  @{PROC}/@{pids}/task/@{tid}/oom_score r,
+  @{PROC}/@{pids}/task/@{tid}/stat r,
+  @{PROC}/@{pids}/task/@{tid}/statm r,
+  @{PROC}/@{pids}/task/@{tid}/status r,
+  @{PROC}/@{pids}/task/@{tid}/wchan r,
+  @{PROC}/@{pids}/wchan r,
+  @{PROC}/loadavg r,
+  @{PROC}/sys/kernel/osrelease r,
+  @{PROC}/sys/kernel/pid_max r,
+  @{PROC}/tty/drivers r,
+  @{PROC}/uptime r,

  include if exists <local/top>
 }
--- a/apparmor.d/profiles-s-z/wireplumber
+++ b/apparmor.d/profiles-s-z/wireplumber
@ -41,8 +41,11 @@ profile wireplumber @{exec_path} {

  /etc/machine-id r,

+  /var/lib/gdm{3,}/.local/state/ w,
+  /var/lib/gdm{3,}/.local/ w,
  /var/lib/gdm{3,}/.local/state/wireplumber/{,**} rw,

+  owner @{HOME}/.local/ w,
  owner @{user_state_dirs}/ w,
  owner @{user_state_dirs}/wireplumber/{,**} rw,