From 2b2c42d23c9dc89757f977e7e1db6a2a80cbb5b3 Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol Date: Sun, 9 Jul 2023 14:59:53 +0100 Subject: [PATCH] refactor(profiles): use @{bin} and @{lib} in profiles (7) --- apparmor.d/profiles-s-z/s3fs | 6 +- apparmor.d/profiles-s-z/sanoid | 6 +- apparmor.d/profiles-s-z/sbctl | 6 +- apparmor.d/profiles-s-z/scrcpy | 4 +- apparmor.d/profiles-s-z/scrot | 6 +- apparmor.d/profiles-s-z/sdcv | 2 +- apparmor.d/profiles-s-z/sensors | 2 +- apparmor.d/profiles-s-z/sensors-detect | 12 +- apparmor.d/profiles-s-z/setpci | 2 +- apparmor.d/profiles-s-z/sfdisk | 2 +- apparmor.d/profiles-s-z/sgdisk | 2 +- apparmor.d/profiles-s-z/slirp4netns | 2 +- apparmor.d/profiles-s-z/smartctl | 2 +- apparmor.d/profiles-s-z/smartd | 14 +-- apparmor.d/profiles-s-z/smplayer | 12 +- apparmor.d/profiles-s-z/smtube | 30 ++--- apparmor.d/profiles-s-z/snap | 14 +-- apparmor.d/profiles-s-z/snap-device-helper | 2 +- apparmor.d/profiles-s-z/snapd | 44 +++---- apparmor.d/profiles-s-z/spacefm | 2 +- apparmor.d/profiles-s-z/spacefm-auth | 4 +- .../profiles-s-z/spectre-meltdown-checker | 111 +++++++++--------- apparmor.d/profiles-s-z/speedtest | 10 +- .../spice-client-glib-usb-acl-helper | 4 +- apparmor.d/profiles-s-z/spice-vdagent | 2 +- apparmor.d/profiles-s-z/spice-vdagentd | 2 +- apparmor.d/profiles-s-z/start-pulseaudio-x11 | 6 +- apparmor.d/profiles-s-z/startx | 28 ++--- apparmor.d/profiles-s-z/steam | 84 ++++++------- apparmor.d/profiles-s-z/steam-game | 38 +++--- apparmor.d/profiles-s-z/strawberry | 20 ++-- apparmor.d/profiles-s-z/strawberry-tagreader | 2 +- apparmor.d/profiles-s-z/su | 8 +- apparmor.d/profiles-s-z/sudo | 14 +-- apparmor.d/profiles-s-z/suid3num | 8 +- apparmor.d/profiles-s-z/sulogin | 4 +- apparmor.d/profiles-s-z/swaplabel | 2 +- apparmor.d/profiles-s-z/swapoff | 2 +- apparmor.d/profiles-s-z/swapon | 2 +- apparmor.d/profiles-s-z/switcheroo-control | 2 +- apparmor.d/profiles-s-z/swtpm | 2 +- apparmor.d/profiles-s-z/swtpm_ioctl | 2 +- apparmor.d/profiles-s-z/swtpm_localca | 6 +- apparmor.d/profiles-s-z/swtpm_setup | 6 +- 
apparmor.d/profiles-s-z/syncoid | 12 +- apparmor.d/profiles-s-z/syncthing | 20 ++-- apparmor.d/profiles-s-z/sysctl | 2 +- apparmor.d/profiles-s-z/system-config-printer | 8 +- .../profiles-s-z/system-config-printer-applet | 6 +- apparmor.d/profiles-s-z/tasksel | 34 +++--- apparmor.d/profiles-s-z/tftp | 2 +- apparmor.d/profiles-s-z/thermald | 2 +- apparmor.d/profiles-s-z/thinkfan | 2 +- apparmor.d/profiles-s-z/tint2 | 4 +- apparmor.d/profiles-s-z/tint2conf | 6 +- apparmor.d/profiles-s-z/top | 2 +- apparmor.d/profiles-s-z/torify | 4 +- apparmor.d/profiles-s-z/torsocks | 4 +- apparmor.d/profiles-s-z/tpacpi-bat | 10 +- apparmor.d/profiles-s-z/transmission-qt | 2 +- apparmor.d/profiles-s-z/tune2fs | 2 +- apparmor.d/profiles-s-z/ucf | 66 +++++------ apparmor.d/profiles-s-z/udiskie | 24 ++-- apparmor.d/profiles-s-z/udiskie-info | 4 +- apparmor.d/profiles-s-z/udiskie-mount | 4 +- apparmor.d/profiles-s-z/udiskie-umount | 4 +- apparmor.d/profiles-s-z/udisksctl | 10 +- apparmor.d/profiles-s-z/udisksd | 38 +++--- apparmor.d/profiles-s-z/umount | 6 +- apparmor.d/profiles-s-z/umount.udisks2 | 2 +- apparmor.d/profiles-s-z/uname | 2 +- apparmor.d/profiles-s-z/unhide-linux | 6 +- apparmor.d/profiles-s-z/unhide-posix | 10 +- apparmor.d/profiles-s-z/unhide-rb | 2 +- apparmor.d/profiles-s-z/unhide-tcp | 12 +- apparmor.d/profiles-s-z/unix-chkpwd | 2 +- apparmor.d/profiles-s-z/unmkinitramfs | 37 +++--- apparmor.d/profiles-s-z/update-alternatives | 10 +- .../profiles-s-z/update-ca-certificates | 60 +++++----- apparmor.d/profiles-s-z/update-ca-trust | 10 +- .../profiles-s-z/update-command-not-found | 12 +- apparmor.d/profiles-s-z/update-cracklib | 22 ++-- apparmor.d/profiles-s-z/update-dlocatedb | 22 ++-- apparmor.d/profiles-s-z/update-initramfs | 32 ++--- apparmor.d/profiles-s-z/update-pciids | 46 ++++---- .../profiles-s-z/update-secureboot-policy | 20 ++-- apparmor.d/profiles-s-z/update-smart-drivedb | 50 ++++---- apparmor.d/profiles-s-z/updatedb-mlocate | 4 +- 
apparmor.d/profiles-s-z/updatedb.plocate | 2 +- apparmor.d/profiles-s-z/uptime | 2 +- apparmor.d/profiles-s-z/uptimed | 2 +- apparmor.d/profiles-s-z/usb-devices | 14 +-- apparmor.d/profiles-s-z/usbguard | 2 +- apparmor.d/profiles-s-z/usbguard-applet-qt | 2 +- apparmor.d/profiles-s-z/usbguard-daemon | 2 +- apparmor.d/profiles-s-z/usbguard-dbus | 2 +- apparmor.d/profiles-s-z/usbguard-notifier | 2 +- apparmor.d/profiles-s-z/uscan | 34 +++--- apparmor.d/profiles-s-z/useradd | 8 +- apparmor.d/profiles-s-z/userdel | 2 +- apparmor.d/profiles-s-z/usermod | 4 +- apparmor.d/profiles-s-z/users | 2 +- apparmor.d/profiles-s-z/utmpdump | 2 +- apparmor.d/profiles-s-z/utox | 18 +-- apparmor.d/profiles-s-z/uupdate | 50 ++++---- apparmor.d/profiles-s-z/vcsi | 10 +- apparmor.d/profiles-s-z/vidcutter | 18 +-- apparmor.d/profiles-s-z/vipw-vigr | 16 +-- apparmor.d/profiles-s-z/virt-manager | 26 ++-- apparmor.d/profiles-s-z/vlc-cache-gen | 4 +- apparmor.d/profiles-s-z/vnstat | 2 +- apparmor.d/profiles-s-z/vnstatd | 2 +- apparmor.d/profiles-s-z/volumeicon | 8 +- apparmor.d/profiles-s-z/vsftpd | 2 +- apparmor.d/profiles-s-z/w | 2 +- apparmor.d/profiles-s-z/warzone2100 | 6 +- apparmor.d/profiles-s-z/wavemon | 2 +- apparmor.d/profiles-s-z/wget | 2 +- apparmor.d/profiles-s-z/whdd | 12 +- apparmor.d/profiles-s-z/whereis | 7 +- apparmor.d/profiles-s-z/which | 6 +- apparmor.d/profiles-s-z/whiptail | 2 +- apparmor.d/profiles-s-z/who | 2 +- apparmor.d/profiles-s-z/whoami | 2 +- apparmor.d/profiles-s-z/wireplumber | 2 +- apparmor.d/profiles-s-z/wireshark | 24 ++-- apparmor.d/profiles-s-z/wl-copy | 8 +- apparmor.d/profiles-s-z/wmctrl | 2 +- apparmor.d/profiles-s-z/wpa-action | 22 ++-- apparmor.d/profiles-s-z/wpa-cli | 2 +- apparmor.d/profiles-s-z/wpa-gui | 2 +- apparmor.d/profiles-s-z/wpa-supplicant | 2 +- apparmor.d/profiles-s-z/wrmsr | 2 +- apparmor.d/profiles-s-z/x11-xsession | 64 +++++----- apparmor.d/profiles-s-z/xarchiver | 60 +++++----- apparmor.d/profiles-s-z/xauth | 2 +- 
apparmor.d/profiles-s-z/xautolock | 14 +-- apparmor.d/profiles-s-z/xbacklight | 2 +- apparmor.d/profiles-s-z/xbrlapi | 2 +- apparmor.d/profiles-s-z/xclip | 2 +- apparmor.d/profiles-s-z/xdpyinfo | 2 +- apparmor.d/profiles-s-z/xfce4-notifyd | 2 +- apparmor.d/profiles-s-z/xfconfd | 4 +- apparmor.d/profiles-s-z/xinit | 68 +++++------ apparmor.d/profiles-s-z/xinput | 2 +- apparmor.d/profiles-s-z/xsel | 2 +- apparmor.d/profiles-s-z/youtube-dl | 22 ++-- apparmor.d/profiles-s-z/youtube-viewer | 22 ++-- apparmor.d/profiles-s-z/yt-dlp | 12 +- apparmor.d/profiles-s-z/ytdl | 10 +- apparmor.d/profiles-s-z/zed | 30 ++--- apparmor.d/profiles-s-z/zenmap | 6 +- apparmor.d/profiles-s-z/zpool | 2 +- .../profiles-s-z/zsys-system-autosnapshot | 15 +-- apparmor.d/profiles-s-z/zsysd | 4 +- 155 files changed, 938 insertions(+), 938 deletions(-) diff --git a/apparmor.d/profiles-s-z/s3fs b/apparmor.d/profiles-s-z/s3fs index f9e6a6d3..e9c60aea 100644 --- a/apparmor.d/profiles-s-z/s3fs +++ b/apparmor.d/profiles-s-z/s3fs @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/s3fs +@{exec_path} = @{bin}/s3fs profile s3fs @{exec_path} { include include @@ -24,7 +24,7 @@ profile s3fs @{exec_path} { @{exec_path} mr, - /{usr/,}bin/fusermount{,3} rCx -> fusermount, + @{bin}/fusermount{,3} rCx -> fusermount, /etc/mime.types r, /etc/passwd-s3fs r, @@ -53,7 +53,7 @@ profile s3fs @{exec_path} { umount @{MOUNTS}/, umount @{MOUNTS}/*/, - /{usr/,}bin/fusermount{,3} mr, + @{bin}/fusermount{,3} mr, /etc/fuse.conf r, diff --git a/apparmor.d/profiles-s-z/sanoid b/apparmor.d/profiles-s-z/sanoid index 949c9ebe..4fd51e72 100644 --- a/apparmor.d/profiles-s-z/sanoid +++ b/apparmor.d/profiles-s-z/sanoid @@ -12,9 +12,9 @@ profile sanoid @{exec_path} flags=(complain) { include @{exec_path} mr, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/perl rix, - /{usr/,}bin/ps rPx, + @{bin}/{,ba,da}sh rix, + @{bin}/perl rix, + @{bin}/ps rPx, /{usr/,}{local/,}{s,}bin/zfs rPx, /etc/sanoid/{*,} r, 
diff --git a/apparmor.d/profiles-s-z/sbctl b/apparmor.d/profiles-s-z/sbctl index e2ecd42f..1a63f09d 100644 --- a/apparmor.d/profiles-s-z/sbctl +++ b/apparmor.d/profiles-s-z/sbctl @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/sbctl +@{exec_path} = @{bin}/sbctl profile sbctl @{exec_path} { include @@ -15,14 +15,14 @@ profile sbctl @{exec_path} { @{exec_path} mr, - /{usr/,}bin/lsblk rPx, + @{bin}/lsblk rPx, /usr/share/secureboot/{,**} rw, /{boot,efi}/{,**} r, /{boot,efi}/EFI/{,**} rw, /{boot,efi}/vmlinuz-linux* rw, - /{usr/,}lib/fwupd/efi/{,**} rw, + @{lib}/fwupd/efi/{,**} rw, @{sys}/firmware/efi/efivars/db-@{uuid} rw, @{sys}/firmware/efi/efivars/KEK-@{uuid} rw, diff --git a/apparmor.d/profiles-s-z/scrcpy b/apparmor.d/profiles-s-z/scrcpy index af7d5588..2b5fe8de 100644 --- a/apparmor.d/profiles-s-z/scrcpy +++ b/apparmor.d/profiles-s-z/scrcpy @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/scrcpy +@{exec_path} = @{bin}/scrcpy profile scrcpy @{exec_path} { include include @@ -22,7 +22,7 @@ profile scrcpy @{exec_path} { @{exec_path} mr, - /{usr/,}bin/adb rPx, + @{bin}/adb rPx, /usr/share/scrcpy/{,*} r, /usr/share/icons/{,**} r, diff --git a/apparmor.d/profiles-s-z/scrot b/apparmor.d/profiles-s-z/scrot index ff81a458..397360ea 100644 --- a/apparmor.d/profiles-s-z/scrot +++ b/apparmor.d/profiles-s-z/scrot @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/scrot +@{exec_path} = @{bin}/scrot profile scrot @{exec_path} { include include @@ -14,8 +14,8 @@ profile scrot @{exec_path} { @{exec_path} mr, # "mv" is needed to change the image dir - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/mv rix, + @{bin}/{,ba,da}sh rix, + @{bin}/mv rix, # The image dir owner @{HOME}/*.png rw, diff --git a/apparmor.d/profiles-s-z/sdcv b/apparmor.d/profiles-s-z/sdcv index 941175f6..1e996dd5 100644 --- a/apparmor.d/profiles-s-z/sdcv +++ b/apparmor.d/profiles-s-z/sdcv 
@@ -7,7 +7,7 @@ abi , include -@{exec_path} = /{usr/,}bin/sdcv +@{exec_path} = @{bin}/sdcv profile sdcv @{exec_path} { include diff --git a/apparmor.d/profiles-s-z/sensors b/apparmor.d/profiles-s-z/sensors index 65d7f078..4670bf5c 100644 --- a/apparmor.d/profiles-s-z/sensors +++ b/apparmor.d/profiles-s-z/sensors @@ -7,7 +7,7 @@ abi , include -@{exec_path} = /{usr/,}bin/sensors +@{exec_path} = @{bin}/sensors profile sensors @{exec_path} { include include diff --git a/apparmor.d/profiles-s-z/sensors-detect b/apparmor.d/profiles-s-z/sensors-detect index 27b738a8..4d85d3c7 100644 --- a/apparmor.d/profiles-s-z/sensors-detect +++ b/apparmor.d/profiles-s-z/sensors-detect @@ -7,7 +7,7 @@ abi , include -@{exec_path} = /{usr/,}{s,}bin/sensors-detect +@{exec_path} = @{bin}/sensors-detect profile sensors-detect @{exec_path} { include include @@ -15,7 +15,7 @@ profile sensors-detect @{exec_path} { capability syslog, @{exec_path} r, - /{usr/,}bin/perl r, + @{bin}/perl r, /usr/bin/uname rix, @@ -48,7 +48,7 @@ profile sensors-detect @{exec_path} { ptrace (read), - /{usr/,}bin/udevadm mr, + @{bin}/udevadm mr, /etc/udev/udev.conf r, @@ -62,12 +62,12 @@ profile sensors-detect @{exec_path} { profile kmod { include - /{usr/,}bin/kmod mr, + @{bin}/kmod mr, @{PROC}/cmdline r, - /{usr/,}lib/modprobe.d/ r, - /{usr/,}lib/modprobe.d/*.conf r, + @{lib}/modprobe.d/ r, + @{lib}/modprobe.d/*.conf r, /etc/modprobe.d/ r, /etc/modprobe.d/*.conf r, diff --git a/apparmor.d/profiles-s-z/setpci b/apparmor.d/profiles-s-z/setpci index a1e592fd..f644b0cc 100644 --- a/apparmor.d/profiles-s-z/setpci +++ b/apparmor.d/profiles-s-z/setpci @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/setpci +@{exec_path} = @{bin}/setpci profile setpci @{exec_path} flags=(complain) { include diff --git a/apparmor.d/profiles-s-z/sfdisk b/apparmor.d/profiles-s-z/sfdisk index 22a9a85b..834776d3 100644 --- a/apparmor.d/profiles-s-z/sfdisk +++ b/apparmor.d/profiles-s-z/sfdisk 
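Review bot: The `@@ -15,7` hunk of sensors-detect converts `/{usr/,}bin/perl r,` but leaves `/usr/bin/uname rix,` on the very next line hard-coded, so that rule still misses `/bin/uname` on a system without merged /usr while every sibling rule in this series now goes through the tunable; it should read `@{bin}/uname rix,`. The same hunk's `@{exec_path} = @{bin}/sensors-detect` replaces a `/{usr/,}{s,}bin/` path, which only keeps matching `/usr/sbin/sensors-detect` if `@{bin}` expands to both `bin` and `sbin` — that definition is outside this patch, so it is worth confirming once for the whole series rather than per profile. The profile body continues beyond the hunk.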
@@ -7,7 +7,7 @@ abi , include -@{exec_path} = /{usr/,}{s,}bin/sfdisk +@{exec_path} = @{bin}/sfdisk profile sfdisk @{exec_path} { include include diff --git a/apparmor.d/profiles-s-z/sgdisk b/apparmor.d/profiles-s-z/sgdisk index fb00ea2c..cb4086e8 100644 --- a/apparmor.d/profiles-s-z/sgdisk +++ b/apparmor.d/profiles-s-z/sgdisk @@ -7,7 +7,7 @@ abi , include -@{exec_path} = /{usr/,}{s,}bin/sgdisk +@{exec_path} = @{bin}/sgdisk profile sgdisk @{exec_path} { include include diff --git a/apparmor.d/profiles-s-z/slirp4netns b/apparmor.d/profiles-s-z/slirp4netns index 90cb3f35..705a6e09 100644 --- a/apparmor.d/profiles-s-z/slirp4netns +++ b/apparmor.d/profiles-s-z/slirp4netns @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/slirp4netns +@{exec_path} = @{bin}/slirp4netns profile slirp4netns @{exec_path} flags=(attach_disconnected) { include diff --git a/apparmor.d/profiles-s-z/smartctl b/apparmor.d/profiles-s-z/smartctl index 5e4826fb..f38249f0 100644 --- a/apparmor.d/profiles-s-z/smartctl +++ b/apparmor.d/profiles-s-z/smartctl @@ -7,7 +7,7 @@ abi , include -@{exec_path} = /{usr/,}{s,}bin/smartctl +@{exec_path} = @{bin}/smartctl profile smartctl @{exec_path} { include include diff --git a/apparmor.d/profiles-s-z/smartd b/apparmor.d/profiles-s-z/smartd index c2ce5927..30f15c3b 100644 --- a/apparmor.d/profiles-s-z/smartd +++ b/apparmor.d/profiles-s-z/smartd @@ -7,7 +7,7 @@ abi , include -@{exec_path} = /{usr/,}{s,}bin/smartd +@{exec_path} = @{bin}/smartd profile smartd @{exec_path} { include include 
@@ -25,12 +25,12 @@ profile smartd @{exec_path} { deny capability net_admin, @{exec_path} mr, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/cat rix, - /{usr/,}bin/hostname rix, - /{usr/,}bin/mail rix, - /{usr/,}bin/mktemp rix, - /{usr/,}bin/run-parts rix, + @{bin}/{,ba,da}sh rix, + @{bin}/cat rix, + @{bin}/hostname rix, + @{bin}/mail rix, + @{bin}/mktemp rix, + @{bin}/run-parts rix, /usr/share/smartmontools/{smartd-runner,smartd_warning.sh} rix, /etc/smartmontools/run.d/* rix, diff --git a/apparmor.d/profiles-s-z/smplayer b/apparmor.d/profiles-s-z/smplayer index 6fe49eac..91f6b0ba 100644 --- a/apparmor.d/profiles-s-z/smplayer +++ b/apparmor.d/profiles-s-z/smplayer @@ -7,7 +7,7 @@ abi , include -@{exec_path} = /{usr/,}bin/smplayer +@{exec_path} = @{bin}/smplayer profile smplayer @{exec_path} { include include @@ -40,11 +40,11 @@ profile smplayer @{exec_path} { @{exec_path} mrix, - /{usr/,}bin/mpv rPx, - /{usr/,}bin/pacmd rPx, - /{usr/,}bin/smtube rPx, - /{usr/,}bin/youtube-dl rPx, - /{usr/,}bin/yt-dlp rPx, + @{bin}/mpv rPx, + @{bin}/pacmd rPx, + @{bin}/smtube rPx, + @{bin}/youtube-dl rPx, + @{bin}/yt-dlp rPx, /usr/share/qt5ct/** r, /usr/share/hwdata/pnp.ids r, diff --git a/apparmor.d/profiles-s-z/smtube b/apparmor.d/profiles-s-z/smtube index f9fe696d..4a8f1803 100644 --- a/apparmor.d/profiles-s-z/smtube +++ b/apparmor.d/profiles-s-z/smtube @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/smtube +@{exec_path} = @{bin}/smtube profile smtube @{exec_path} { include include 
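Review bot: `@{bin}/mail rix` in the smartd hunk runs the mailer inside smartd's own profile and the hunk lists no MTA binary, so if the local mail(1) hands delivery off to a sendmail-style helper (as many implementations do) that exec is denied in enforce mode and the warning mail is silently lost; either give it its own transition, `@{bin}/mail rPx,` or `rCx -> mail`, or add the MTA path once confirmed with the audit log. `@{bin}/run-parts rix` together with `/etc/smartmontools/run.d/* rix` on the next line means anything dropped into run.d executes with smartd's full rule set, including the capabilities granted above the hunk — that may be intended, but a one-line comment such as `# run.d hooks run unconfined-within-profile: trusted, root-owned only` would record the trust decision for the next reader. The enclosing profile starts and ends outside this hunk.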
@@ -64,17 +64,17 @@ profile smtube @{exec_path} { deny @{PROC}/sys/kernel/random/boot_id r, # Players - /{usr/,}bin/mpv rPUx, - /{usr/,}bin/smplayer rPUx, - /{usr/,}bin/vlc rPUx, - /{usr/,}bin/cvlc rPUx, - /{usr/,}bin/youtube-dl rPUx, - /{usr/,}bin/yt-dlp rPUx, + @{bin}/mpv rPUx, + @{bin}/smplayer rPUx, + @{bin}/vlc rPUx, + @{bin}/cvlc rPUx, + @{bin}/youtube-dl rPUx, + @{bin}/yt-dlp rPUx, - /{usr/,}bin/xdg-open rCx -> open, + @{bin}/xdg-open rCx -> open, # Allowed apps to open - /{usr/,}lib/firefox/firefox rPUx, + @{lib}/firefox/firefox rPUx, # file_inherit owner /dev/tty[0-9]* rw, @@ -84,19 +84,19 @@ profile smtube @{exec_path} { include include - /{usr/,}bin/xdg-open mr, + @{bin}/xdg-open mr, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/{m,g,}awk rix, - /{usr/,}bin/readlink rix, - /{usr/,}bin/basename rix, + @{bin}/{,ba,da}sh rix, + @{bin}/{m,g,}awk rix, + @{bin}/readlink rix, + @{bin}/basename rix, owner @{HOME}/ r, owner @{run}/user/@{uid}/ r, # Allowed apps to open - /{usr/,}lib/firefox/firefox rPUx, + @{lib}/firefox/firefox rPUx, # file_inherit owner @{HOME}/.xsession-errors w, diff --git a/apparmor.d/profiles-s-z/snap b/apparmor.d/profiles-s-z/snap index dd5e2bda..c9ddb14b 100644 --- a/apparmor.d/profiles-s-z/snap +++ b/apparmor.d/profiles-s-z/snap @@ -37,10 +37,10 @@ profile snap @{exec_path} { @{exec_path} mrix, - /{usr/,}bin/mount rix, + @{bin}/mount rix, - /{usr/,}bin/gpg{,2} rCx -> gpg, - /{usr/,}bin/systemctl rPx -> child-systemctl, + @{bin}/gpg{,2} rCx -> gpg, + @{bin}/systemctl rPx -> child-systemctl, /snap/{,**} rw, /{snap/snapd/[0-9]*/,}{usr/,}lib/snapd/snap-confine rPx, @@ -85,11 +85,11 @@ profile snap @{exec_path} { profile gpg { include - /{usr/,}bin/gpg{,2} mr, + @{bin}/gpg{,2} mr, - /{usr/,}bin/dirmngr rix, - /{usr/,}bin/gpg-agent rix, - /{usr/,}bin/gpg-connect-agent rix, + @{bin}/dirmngr rix, + @{bin}/gpg-agent rix, + @{bin}/gpg-connect-agent rix, owner @{HOME}/.snap/gnupg/ rw, owner @{HOME}/.snap/gnupg/** rwkl, 
diff --git a/apparmor.d/profiles-s-z/snap-device-helper b/apparmor.d/profiles-s-z/snap-device-helper index 76204523..6c81641f 100644 --- a/apparmor.d/profiles-s-z/snap-device-helper +++ b/apparmor.d/profiles-s-z/snap-device-helper @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}lib/snapd/snap-device-helper +@{exec_path} = @{lib}/snapd/snap-device-helper profile snap-device-helper @{exec_path} { include diff --git a/apparmor.d/profiles-s-z/snapd b/apparmor.d/profiles-s-z/snapd index 2f9da093..066ab505 100644 --- a/apparmor.d/profiles-s-z/snapd +++ b/apparmor.d/profiles-s-z/snapd 
@@ -60,29 +60,29 @@ profile snapd @{exec_path} { @{exec_path} mr, - /{usr/,}{s,}bin/adduser rPx, - /{usr/,}{s,}bin/groupadd rPx, - /{usr/,}{s,}bin/useradd rPx, - /{usr/,}bin/cloud-init rPUx, # TODO: rPx ? limited to ubtuntu core, otherwise out of scope - /{usr/,}bin/hostnamectl rPx, - /{usr/,}bin/ssh-keygen rPx, + @{bin}/adduser rPx, + @{bin}/cloud-init rPUx, # TODO: rPx ? limited to ubtuntu core, otherwise out of scope + @{bin}/groupadd rPx, + @{bin}/hostnamectl rPx, + @{bin}/ssh-keygen rPx, + @{bin}/useradd rPx, - /{usr/,}{s,}bin/apparmor_parser rPx, - /{usr/,}{s,}bin/runuser rCx -> runuser, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/cp rix, - /{usr/,}bin/gzip rix, - /{usr/,}bin/journalctl rPx, - /{usr/,}bin/mount rix, - /{usr/,}bin/snap rPx, - /{usr/,}bin/sync rix, - /{usr/,}bin/systemctl rix, - /{usr/,}bin/systemd-detect-virt rPx, - /{usr/,}bin/tar rix, - /{usr/,}bin/udevadm rPx, - /{usr/,}bin/umount rix, - /{usr/,}bin/unsquashfs rix, - /{usr/,}bin/update-desktop-database rPx, + @{bin}/{,ba,da}sh rix, + @{bin}/apparmor_parser rPx, + @{bin}/cp rix, + @{bin}/gzip rix, + @{bin}/journalctl rPx, + @{bin}/mount rix, + @{bin}/runuser rCx -> runuser, + @{bin}/snap rPx, + @{bin}/sync rix, + @{bin}/systemctl rix, + @{bin}/systemd-detect-virt rPx, + @{bin}/tar rix, + @{bin}/udevadm rPx, + @{bin}/umount rix, + @{bin}/unsquashfs rix, + @{bin}/update-desktop-database rPx, /{snap/snapd/[0-9]*/,}{usr/,}bin/fc-cache-* mr, /{snap/snapd/[0-9]*/,}{usr/,}bin/snap rPx, diff --git a/apparmor.d/profiles-s-z/spacefm b/apparmor.d/profiles-s-z/spacefm index c8cbfbb0..c7a82d06 100644 --- a/apparmor.d/profiles-s-z/spacefm +++ b/apparmor.d/profiles-s-z/spacefm @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/spacefm +@{exec_path} = @{bin}/spacefm profile spacefm @{exec_path} { include include diff --git a/apparmor.d/profiles-s-z/spacefm-auth b/apparmor.d/profiles-s-z/spacefm-auth index aac4bad2..549b92aa 100644 --- a/apparmor.d/profiles-s-z/spacefm-auth 
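Review bot: `@{bin}/systemctl rix` in the snapd hunk keeps systemctl inside snapd's profile, while the snap hunk earlier in this patch transitions the same binary with `rPx -> child-systemctl`; unless snapd needs something that child profile lacks, the two should agree, `@{bin}/systemctl rPx -> child-systemctl,`. Five of the rewritten lines (adduser, groupadd, useradd, apparmor_parser, runuser) came from `/{usr/,}{s,}bin/` paths, so the hunk now depends on `@{bin}` expanding to `sbin` as well as `bin`; the tunable is not in this patch, and if it does not, these privileged `rPx` transitions fail closed rather than falling back. The profile body continues beyond the hunk.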
+++ b/apparmor.d/profiles-s-z/spacefm-auth @@ -6,12 +6,12 @@ abi , include -@{exec_path} = /{usr/,}bin/spacefm-auth +@{exec_path} = @{bin}/spacefm-auth profile spacefm-auth @{exec_path} { include @{exec_path} r, - /{usr/,}bin/{,ba,da}sh rix, + @{bin}/{,ba,da}sh rix, include if exists } diff --git a/apparmor.d/profiles-s-z/spectre-meltdown-checker b/apparmor.d/profiles-s-z/spectre-meltdown-checker index b45d6d25..66b4f8a5 100644 --- a/apparmor.d/profiles-s-z/spectre-meltdown-checker +++ b/apparmor.d/profiles-s-z/spectre-meltdown-checker 
@@ -22,57 +22,56 @@ profile spectre-meltdown-checker @{exec_path} { ptrace (read), @{exec_path} r, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/ r, - /{usr/,}bin/dirname rix, - /{usr/,}bin/uname rix, - /{usr/,}bin/cut rix, - /{usr/,}bin/{,e}grep rix, - /{usr/,}bin/head rix, - /{usr/,}bin/{,g,m}awk rix, - /{usr/,}bin/sed rix, - /{usr/,}bin/od rix, - /{usr/,}bin/dd rix, - /{usr/,}bin/id rix, - /{usr/,}bin/gunzip rix, - /{usr/,}bin/gzip rix, - /{usr/,}bin/zstd rix, - /{usr/,}bin/bunzip2 rix, - /{usr/,}bin/lzop rix, - /{usr/,}bin/mktemp rix, - /{usr/,}bin/tr rix, - /{usr/,}bin/stat rix, - /{usr/,}bin/tail rix, - /{usr/,}bin/xz rix, - /{usr/,}bin/seq rix, - /{usr/,}bin/rm rix, - /{usr/,}bin/sort rix, - /{usr/,}bin/cat rix, - /{usr/,}bin/basename rix, - /{usr/,}bin/perl rix, - /{usr/,}bin/base64 rix, - /{usr/,}bin/unzip rix, - /{usr/,}bin/{,@{multiarch}-}readelf rix, - /{usr/,}bin/{,@{multiarch}-}strings rix, - /{usr/,}bin/{,@{multiarch}-}objdump rix, - /{usr/,}{s,}bin/iucode_tool rix, - /{usr/,}{s,}bin/rdmsr rix, - /{usr/,}bin/dmesg rix, - /{usr/,}{s,}bin/mount rix, - /{usr/,}bin/find rix, - /{usr/,}bin/xargs rix, - /{usr/,}bin/readlink rix, - /{usr/,}bin/nproc rix, - /{usr/,}bin/date rix, - - /{usr/,}bin/pgrep rCx -> pgrep, - /{usr/,}bin/ccache rCx -> ccache, - /{usr/,}bin/kmod rCx -> kmod, + @{bin}/ r, + @{bin}/{,@{multiarch}-}objdump rix, + @{bin}/{,@{multiarch}-}readelf rix, + @{bin}/{,@{multiarch}-}strings rix, + @{bin}/{,ba,da}sh rix, + @{bin}/{,e}grep rix, + @{bin}/{,g,m}awk rix, + @{bin}/base64 rix, + @{bin}/basename rix, + @{bin}/bunzip2 rix, + @{bin}/cat rix, + @{bin}/ccache rCx -> ccache, + @{bin}/cut rix, + @{bin}/date rix, + @{bin}/dd rix, + @{bin}/dirname rix, + @{bin}/dmesg rix, + @{bin}/find rix, + @{bin}/gunzip rix, + @{bin}/gzip rix, + @{bin}/head rix, + @{bin}/id rix, + @{bin}/iucode_tool rix, + @{bin}/kmod rCx -> kmod, + @{bin}/lzop rix, + @{bin}/mktemp rix, + @{bin}/mount rix, + @{bin}/nproc rix, + @{bin}/od rix, + @{bin}/perl rix, + @{bin}/pgrep rCx 
-> pgrep, + @{bin}/rdmsr rix, + @{bin}/readlink rix, + @{bin}/rm rix, + @{bin}/sed rix, + @{bin}/seq rix, + @{bin}/sort rix, + @{bin}/stat rix, + @{bin}/tail rix, + @{bin}/tr rix, + @{bin}/uname rix, + @{bin}/unzip rix, + @{bin}/xargs rix, + @{bin}/xz rix, + @{bin}/zstd rix, # To fetch MCE.db from the MCExtractor project - /{usr/,}bin/wget rCx -> mcedb, - /{usr/,}bin/sqlite3 rCx -> mcedb, + @{bin}/wget rCx -> mcedb, + @{bin}/sqlite3 rCx -> mcedb, owner /tmp/mcedb-* rw, owner /tmp/smc-* rw, owner /tmp/{,smc-}intelfw-*/ rw, @@ -116,11 +115,11 @@ profile spectre-meltdown-checker @{exec_path} { profile ccache { include - /{usr/,}bin/ccache mr, + @{bin}/ccache mr, - /{usr/,}lib/llvm-[0-9]*/bin/clang rix, - /{usr/,}bin/{,@{multiarch}-}gcc-[0-9]* rix, - /{usr/,}bin/{,@{multiarch}-}g++-[0-9]* rix, + @{lib}/llvm-[0-9]*/bin/clang rix, + @{bin}/{,@{multiarch}-}gcc-[0-9]* rix, + @{bin}/{,@{multiarch}-}g++-[0-9]* rix, /media/ccache/*/** rw, @@ -133,7 +132,7 @@ profile spectre-meltdown-checker @{exec_path} { include include - /{usr/,}bin/pgrep mr, + @{bin}/pgrep mr, # The /proc/ dir and the cmdline file have to be radable to avoid pgrep segfault. @{PROC}/ r, @@ -159,8 +158,8 @@ profile spectre-meltdown-checker @{exec_path} { network inet6 stream, network netlink raw, - /{usr/,}bin/wget mr, - /{usr/,}bin/sqlite3 mr, + @{bin}/wget mr, + @{bin}/sqlite3 mr, /etc/wgetrc r, owner @{HOME}/.wget-hsts rwk, @@ -184,7 +183,7 @@ profile spectre-meltdown-checker @{exec_path} { owner @{sys}/module/cpuid/** r, owner @{sys}/module/msr/** r, - /{usr/,}bin/kmod mr, + @{bin}/kmod mr, /etc/modprobe.d/ r, /etc/modprobe.d/*.conf r, diff --git a/apparmor.d/profiles-s-z/speedtest b/apparmor.d/profiles-s-z/speedtest index 8208ddfd..03965d42 100644 --- a/apparmor.d/profiles-s-z/speedtest +++ b/apparmor.d/profiles-s-z/speedtest @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/speedtest{,-cli} +@{exec_path} = @{bin}/speedtest{,-cli} profile speedtest @{exec_path} { include include 
@@ -20,11 +20,11 @@ profile speedtest @{exec_path} { network netlink raw, @{exec_path} r, - /{usr/,}bin/python3.[0-9]* r, + @{bin}/python3.[0-9]* r, - /{usr/,}bin/ r, - /{usr/,}bin/file rix, - /{usr/,}bin/uname rix, + @{bin}/ r, + @{bin}/file rix, + @{bin}/uname rix, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/profiles-s-z/spice-client-glib-usb-acl-helper b/apparmor.d/profiles-s-z/spice-client-glib-usb-acl-helper index 93c64cc7..2240db8e 100644 --- a/apparmor.d/profiles-s-z/spice-client-glib-usb-acl-helper +++ b/apparmor.d/profiles-s-z/spice-client-glib-usb-acl-helper @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}lib/spice-client-glib-usb-acl-helper +@{exec_path} = @{lib}/spice-client-glib-usb-acl-helper profile spice-client-glib-usb-acl-helper @{exec_path} { include @@ -17,7 +17,7 @@ profile spice-client-glib-usb-acl-helper @{exec_path} { @{exec_path} mr, - /{usr/,}lib/gconv/gconv-modules r, + @{lib}/gconv/gconv-modules r, owner @{PROC}/@{pid}/stat r, @{PROC}/sys/kernel/cap_last_cap r, diff --git a/apparmor.d/profiles-s-z/spice-vdagent b/apparmor.d/profiles-s-z/spice-vdagent index d0fa7e8c..9af428ce 100644 --- a/apparmor.d/profiles-s-z/spice-vdagent +++ b/apparmor.d/profiles-s-z/spice-vdagent @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/spice-vdagent +@{exec_path} = @{bin}/spice-vdagent profile spice-vdagent @{exec_path} { include include diff --git a/apparmor.d/profiles-s-z/spice-vdagentd b/apparmor.d/profiles-s-z/spice-vdagentd index 6a934c16..85e488cd 100644 --- a/apparmor.d/profiles-s-z/spice-vdagentd +++ b/apparmor.d/profiles-s-z/spice-vdagentd @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}{s,}bin/spice-vdagentd +@{exec_path} = @{bin}/spice-vdagentd profile spice-vdagentd @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/profiles-s-z/start-pulseaudio-x11 b/apparmor.d/profiles-s-z/start-pulseaudio-x11 index de71e9f4..8c6e88e1 100644 --- a/apparmor.d/profiles-s-z/start-pulseaudio-x11 
+++ b/apparmor.d/profiles-s-z/start-pulseaudio-x11 @@ -6,14 +6,14 @@ abi , include -@{exec_path} = /{usr/,}bin/start-pulseaudio-x11 +@{exec_path} = @{bin}/start-pulseaudio-x11 profile start-pulseaudio-x11 @{exec_path} { include @{exec_path} mr, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/pactl rPx, + @{bin}/{,ba,da}sh rix, + @{bin}/pactl rPx, /dev/tty rw, diff --git a/apparmor.d/profiles-s-z/startx b/apparmor.d/profiles-s-z/startx index 0e769738..5605a7e4 100644 --- a/apparmor.d/profiles-s-z/startx +++ b/apparmor.d/profiles-s-z/startx @@ -7,28 +7,28 @@ abi , include -@{exec_path} = /{usr/,}bin/startx +@{exec_path} = @{bin}/startx profile startx @{exec_path} flags=(attach_disconnected) { include include include @{exec_path} r, - /{usr/,}bin/{,ba,da}sh rix, + @{bin}/{,ba,da}sh rix, - /{usr/,}bin/{,e}grep rix, - /{usr/,}bin/deallocvt rix, - /{usr/,}bin/expr rix, - /{usr/,}bin/hostname rix, - /{usr/,}bin/mcookie rix, - /{usr/,}bin/mktemp rix, - /{usr/,}bin/rm rix, - /{usr/,}bin/sed rix, - /{usr/,}bin/tty rix, - /{usr/,}bin/uname rix, + @{bin}/{,e}grep rix, + @{bin}/deallocvt rix, + @{bin}/expr rix, + @{bin}/hostname rix, + @{bin}/mcookie rix, + @{bin}/mktemp rix, + @{bin}/rm rix, + @{bin}/sed rix, + @{bin}/tty rix, + @{bin}/uname rix, - /{usr/,}bin/xauth rPx, - /{usr/,}bin/xinit rPx, + @{bin}/xauth rPx, + @{bin}/xinit rPx, /usr/share/terminfo/** r, diff --git a/apparmor.d/profiles-s-z/steam b/apparmor.d/profiles-s-z/steam index 76706d7f..76f6077a 100644 --- a/apparmor.d/profiles-s-z/steam +++ b/apparmor.d/profiles-s-z/steam 
@@ -43,46 +43,46 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted,complain) @{exec_path} mrix, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/{m,g,}awk rix, - /{usr/,}bin/*sum rix, - /{usr/,}bin/basename rix, - /{usr/,}bin/cat rix, - /{usr/,}bin/cmp rix, - /{usr/,}bin/cp rix, - /{usr/,}bin/cut rix, - /{usr/,}bin/dirname rix, - /{usr/,}bin/file rix, - /{usr/,}bin/find rix, - /{usr/,}bin/getopt rix, - /{usr/,}bin/grep rix, - /{usr/,}bin/head rix, - /{usr/,}bin/ldconfig rix, - /{usr/,}bin/ldd rix, - /{usr/,}bin/ln rix, - /{usr/,}bin/lsb_release rPx -> lsb_release, - /{usr/,}bin/lsof rix, - /{usr/,}bin/lspci rCx -> lspci, - /{usr/,}bin/mkdir rix, - /{usr/,}bin/mv rix, - /{usr/,}bin/readlink rix, - /{usr/,}bin/realpath rix, - /{usr/,}bin/rm rix, - /{usr/,}bin/rmdir rix, - /{usr/,}bin/sed rix, - /{usr/,}bin/steam-runtime-urlopen rix, - /{usr/,}bin/tail rix, - /{usr/,}bin/tar rix, - /{usr/,}bin/timeout rix, - /{usr/,}bin/touch rix, - /{usr/,}bin/tr rix, - /{usr/,}bin/uname rix, - /{usr/,}bin/which rix, - /{usr/,}bin/xdg-icon-resource rPx, - /{usr/,}bin/xdg-user-dir rix, - /{usr/,}bin/xz rix, - /{usr/,}bin/zenity rix, - /{usr/,}lib{32,64}/ld-linux.so* rix, + @{bin}/{,ba,da}sh rix, + @{bin}/{m,g,}awk rix, + @{bin}/*sum rix, + @{bin}/basename rix, + @{bin}/cat rix, + @{bin}/cmp rix, + @{bin}/cp rix, + @{bin}/cut rix, + @{bin}/dirname rix, + @{bin}/file rix, + @{bin}/find rix, + @{bin}/getopt rix, + @{bin}/grep rix, + @{bin}/head rix, + @{bin}/ldconfig rix, + @{bin}/ldd rix, + @{bin}/ln rix, + @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsof rix, + @{bin}/lspci rCx -> lspci, + @{bin}/mkdir rix, + @{bin}/mv rix, + @{bin}/readlink rix, + @{bin}/realpath rix, + @{bin}/rm rix, + @{bin}/rmdir rix, + @{bin}/sed rix, + @{bin}/steam-runtime-urlopen rix, + @{bin}/tail rix, + @{bin}/tar rix, + @{bin}/timeout rix, + @{bin}/touch rix, + @{bin}/tr rix, + @{bin}/uname rix, + @{bin}/which rix, + @{bin}/xdg-icon-resource rPx, + @{bin}/xdg-user-dir rix, + @{bin}/xz 
rix, + @{bin}/zenity rix, + @{lib}/ld-linux.so* rix, @{steam_lib_dirs}/*.so* mr, @{steam_lib_dirs}/*driverquery rix, @@ -116,7 +116,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted,complain) / r, /{usr/,}{local/,} r, /{usr/,}{local/,}share/ r, - /{usr/,}lib{,32,64}/ r, + @{lib}/ r, /etc/ r, /home/ r, /run/ r, @@ -238,7 +238,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted,complain) include include - /{usr/,}bin/lspci mr, + @{bin}/lspci mr, owner @{HOME}/.steam/steam.pipe r, diff --git a/apparmor.d/profiles-s-z/steam-game b/apparmor.d/profiles-s-z/steam-game index 94e3f0e1..75c9308b 100644 --- a/apparmor.d/profiles-s-z/steam-game +++ b/apparmor.d/profiles-s-z/steam-game 
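Review bot: `@{lib}/ld-linux.so* rix` at the end of the steam hunk replaces `/{usr/,}lib{32,64}/ld-linux.so*`, so the dynamic-loader rule now matches every directory `@{lib}` expands to instead of only the multilib ones, and because it is `ix` the loader can exec any ELF under steam's own rules — the old rule had the same property, but the path set is wider than a pure refactor suggests. If the widening is intended, a comment such as `# ld.so under ix can launch arbitrary binaries within this profile` would flag the trust decision; if not, keep the explicit `lib{32,64}` form. The `@{lib}/ r,` change in the `@@ -116` hunk widens in the same way. The profile is in complain mode, so neither change is enforced yet, and its body lies outside both hunks.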
@@ -64,26 +64,26 @@ profile steam-game @{exec_path} flags=(attach_disconnected) { @{exec_path} mrix, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/bwrap rix, - /{usr/,}bin/env rix, - /{usr/,}bin/getopt rix, - /{usr/,}bin/gzip rix, - /{usr/,}bin/localedef rix, - /{usr/,}bin/python3.[0-9]* rix, - /{usr/,}bin/readlink rix, - /{usr/,}bin/steam-runtime-launcher-interface-* rix, - /{usr/,}bin/steam-runtime-system-info rix, - /{usr/,}bin/timeout rix, - /{usr/,}bin/true rix, - /{usr/,}bin/uname rix, - /{usr/,}bin/xdg-open rPx, + @{bin}/{,ba,da}sh rix, + @{bin}/bwrap rix, + @{bin}/env rix, + @{bin}/getopt rix, + @{bin}/gzip rix, + @{bin}/localedef rix, + @{bin}/python3.[0-9]* rix, + @{bin}/readlink rix, + @{bin}/steam-runtime-launcher-interface-* rix, + @{bin}/steam-runtime-system-info rix, + @{bin}/timeout rix, + @{bin}/true rix, + @{bin}/uname rix, + @{bin}/xdg-open rPx, - /{usr/,}lib/pressure-vessel/from-host/bin/pressure-vessel-adverb rix, - /{usr/,}lib/pressure-vessel/from-host/bin/pressure-vessel-locale-gen rix, - /{usr/,}lib/pressure-vessel/from-host/bin/pressure-vessel-try-setlocale rix, - /{usr/,}lib/pressure-vessel/from-host/libexec/steam-runtime-tools-*/*-detect-platform rix, - /{usr/,}libexec/steam-runtime-tools*/* mrix, + @{lib}/pressure-vessel/from-host/bin/pressure-vessel-adverb rix, + @{lib}/pressure-vessel/from-host/bin/pressure-vessel-locale-gen rix, + @{lib}/pressure-vessel/from-host/bin/pressure-vessel-try-setlocale rix, + @{lib}/pressure-vessel/from-host/libexec/steam-runtime-tools-*/*-detect-platform rix, + @{lib}exec/steam-runtime-tools*/* mrix, @{runtime}/pressure-vessel/bin/pressure-vessel-unruntime rix, @{runtime}/pressure-vessel/bin/pressure-vessel-wrap rix, diff --git a/apparmor.d/profiles-s-z/strawberry b/apparmor.d/profiles-s-z/strawberry index ea6393f7..20667d12 100644 --- a/apparmor.d/profiles-s-z/strawberry +++ b/apparmor.d/profiles-s-z/strawberry 
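Review bot: `@{lib}exec/steam-runtime-tools*/* mrix` glues the variable to a literal suffix, which looks like a mechanical slip: if `@{lib}` is a brace alternation (as the `@{lib}/…` lines just above assume), the expansion yields the intended `…libexec` only by accident alongside nonsense siblings such as `…lib32exec`, and if `@{lib}` already lists `libexec` the rule should simply be `@{lib}/steam-runtime-tools*/* mrix,`; otherwise restore `/{usr/,}libexec/steam-runtime-tools*/* mrix,`. Since this rule grants `m` and `ix` to everything under the tree, it is worth checking what the pattern really matches with `apparmor_parser -p` before merging. The profile body continues beyond the hunk.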
@@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/strawberry +@{exec_path} = @{bin}/strawberry profile strawberry @{exec_path} { include include @@ -39,9 +39,9 @@ profile strawberry @{exec_path} { @{exec_path} mr, - /{usr/,}bin/strawberry-tagreader rPx, + @{bin}/strawberry-tagreader rPx, - /{usr/,}bin/xdg-open rCx -> open, + @{bin}/xdg-open rCx -> open, # Media library owner @{user_music_dirs}/ r, @@ -97,7 +97,7 @@ profile strawberry @{exec_path} { /usr/share/hwdata/pnp.ids r, # Allowed apps to open - /{usr/,}lib/firefox/firefox rPUx, + @{lib}/firefox/firefox rPUx, # file_inherit owner /dev/tty[0-9]* rw, @@ -108,19 +108,19 @@ profile strawberry @{exec_path} { include include - /{usr/,}bin/xdg-open mr, + @{bin}/xdg-open mr, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/{m,g,}awk rix, - /{usr/,}bin/readlink rix, - /{usr/,}bin/basename rix, + @{bin}/{,ba,da}sh rix, + @{bin}/{m,g,}awk rix, + @{bin}/readlink rix, + @{bin}/basename rix, owner @{HOME}/ r, owner @{run}/user/@{uid}/ r, # Allowed apps to open - /{usr/,}lib/firefox/firefox rPUx, + @{lib}/firefox/firefox rPUx, # file_inherit owner @{HOME}/.xsession-errors w, diff --git a/apparmor.d/profiles-s-z/strawberry-tagreader b/apparmor.d/profiles-s-z/strawberry-tagreader index 6b88c2bd..2b23d8ed 100644 --- a/apparmor.d/profiles-s-z/strawberry-tagreader +++ b/apparmor.d/profiles-s-z/strawberry-tagreader @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/strawberry-tagreader +@{exec_path} = @{bin}/strawberry-tagreader profile strawberry-tagreader @{exec_path} { include include diff --git a/apparmor.d/profiles-s-z/su b/apparmor.d/profiles-s-z/su index ceb56a7e..0985699f 100644 --- a/apparmor.d/profiles-s-z/su +++ b/apparmor.d/profiles-s-z/su @@ -7,7 +7,7 @@ abi , include -@{exec_path} = /{usr/,}bin/su +@{exec_path} = @{bin}/su profile su @{exec_path} { include include 
@@ -43,9 +43,9 @@ profile su @{exec_path} { @{exec_path} mr, - /{usr/,}bin/{,b,d,rb}ash rUx, - /{usr/,}bin/{c,k,tc,z}sh rUx, - /{usr/,}{s,}bin/nologin rPx, + @{bin}/{,b,d,rb}ash rUx, + @{bin}/{c,k,tc,z}sh rUx, + @{bin}/nologin rPx, @{etc_ro}/default/su r, @{etc_ro}/environment r, diff --git a/apparmor.d/profiles-s-z/sudo b/apparmor.d/profiles-s-z/sudo index b99e8ceb..db41f1e6 100644 --- a/apparmor.d/profiles-s-z/sudo +++ b/apparmor.d/profiles-s-z/sudo @@ -7,7 +7,7 @@ abi , include -@{exec_path} = /{usr/,}bin/sudo +@{exec_path} = @{bin}/sudo profile sudo @{exec_path} { include include @@ -51,13 +51,13 @@ profile sudo @{exec_path} { @{exec_path} mr, - @{libexec}/sudo/** mr, + @{lib}/sudo/** mr, - /snap/snapd/[0-9]*/usr/bin/snap rPx, - /{usr/,}bin/{,b,d,rb}ash rUx, - /{usr/,}bin/{c,k,tc,z}sh rUx, - /{usr/,}lib/cockpit/cockpit-askpass rPx, - /{usr/,}lib/molly-guard/molly-guard rPx, + @{bin}/{,b,d,rb}ash rUx, + @{bin}/{c,k,tc,z}sh rUx, + @{lib}/cockpit/cockpit-askpass rPx, + @{lib}/molly-guard/molly-guard rPx, + /snap/snapd/[0-9]*/usr/bin/snap rPx, @{etc_ro}/environment r, @{etc_ro}/security/limits.d/{,*} r, diff --git a/apparmor.d/profiles-s-z/suid3num b/apparmor.d/profiles-s-z/suid3num index 9214d2c8..d15d6fb0 100644 --- a/apparmor.d/profiles-s-z/suid3num +++ b/apparmor.d/profiles-s-z/suid3num @@ -6,8 +6,8 @@ abi , include -@{exec_path} = /{usr/,}bin/suid3num -@{exec_path} += /{usr/,}bin/suid3num.py +@{exec_path} = @{bin}/suid3num +@{exec_path} += @{bin}/suid3num.py profile suid3num @{exec_path} { include include @@ -18,9 +18,9 @@ profile suid3num @{exec_path} { ptrace (read), @{exec_path} r, - /{usr/,}bin/python3.[0-9]* r, + @{bin}/python3.[0-9]* r, - /{usr/,}bin/{,ba,da}sh rix, + @{bin}/{,ba,da}sh rix, /usr/bin/find rix, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/profiles-s-z/sulogin b/apparmor.d/profiles-s-z/sulogin index dccd51f0..7b20324b 100644 --- a/apparmor.d/profiles-s-z/sulogin +++ b/apparmor.d/profiles-s-z/sulogin 
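Review bot: `/usr/bin/find rix,` is left as a literal path in the suid3num hunk directly after the rules it converts to `@{bin}/...`, so this profile is the only one in the set that still hard-codes a bin directory; on a layout where the binary resolves through another prefix the rule would not match and the exec would be denied. `@{bin}/find rix,` keeps it consistent with the surrounding rewrites. If the literal was kept on purpose, a one-line comment above it would stop the next sweep from converting it. The profile body continues outside the hunk.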
@@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}{s,}bin/sulogin +@{exec_path} = @{bin}/sulogin profile sulogin @{exec_path} { include include @@ -15,7 +15,7 @@ profile sulogin @{exec_path} { @{exec_path} mr, - /{usr/,}bin/{,ba,da}sh rux, + @{bin}/{,ba,da}sh rux, /etc/shadow r, diff --git a/apparmor.d/profiles-s-z/swaplabel b/apparmor.d/profiles-s-z/swaplabel index 2351dd11..f56147a7 100644 --- a/apparmor.d/profiles-s-z/swaplabel +++ b/apparmor.d/profiles-s-z/swaplabel @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}{s,}bin/swaplabel +@{exec_path} = @{bin}/swaplabel profile swaplabel @{exec_path} { include include diff --git a/apparmor.d/profiles-s-z/swapoff b/apparmor.d/profiles-s-z/swapoff index 36c169b4..8478f278 100644 --- a/apparmor.d/profiles-s-z/swapoff +++ b/apparmor.d/profiles-s-z/swapoff @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}{s,}bin/swapoff +@{exec_path} = @{bin}/swapoff profile swapoff @{exec_path} { include include diff --git a/apparmor.d/profiles-s-z/swapon b/apparmor.d/profiles-s-z/swapon index 5ffeac7c..fc12943a 100644 --- a/apparmor.d/profiles-s-z/swapon +++ b/apparmor.d/profiles-s-z/swapon @@ -7,7 +7,7 @@ abi , include -@{exec_path} = /{usr/,}{s,}bin/swapon +@{exec_path} = @{bin}/swapon profile swapon @{exec_path} { include include diff --git a/apparmor.d/profiles-s-z/switcheroo-control b/apparmor.d/profiles-s-z/switcheroo-control index e736fd7d..454f0214 100644 --- a/apparmor.d/profiles-s-z/switcheroo-control +++ b/apparmor.d/profiles-s-z/switcheroo-control @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{libexec}/switcheroo-control +@{exec_path} = @{lib}/switcheroo-control profile switcheroo-control @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/profiles-s-z/swtpm b/apparmor.d/profiles-s-z/swtpm index 529dd7e8..95b1f8f9 100644 --- a/apparmor.d/profiles-s-z/swtpm +++ b/apparmor.d/profiles-s-z/swtpm 
@@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/swtpm +@{exec_path} = @{bin}/swtpm profile swtpm @{exec_path} { include include diff --git a/apparmor.d/profiles-s-z/swtpm_ioctl b/apparmor.d/profiles-s-z/swtpm_ioctl index 75660e85..917a978e 100644 --- a/apparmor.d/profiles-s-z/swtpm_ioctl +++ b/apparmor.d/profiles-s-z/swtpm_ioctl @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/swtpm_ioctl +@{exec_path} = @{bin}/swtpm_ioctl profile swtpm_ioctl @{exec_path} { include diff --git a/apparmor.d/profiles-s-z/swtpm_localca b/apparmor.d/profiles-s-z/swtpm_localca index 59fae73c..aed34bc0 100644 --- a/apparmor.d/profiles-s-z/swtpm_localca +++ b/apparmor.d/profiles-s-z/swtpm_localca @@ -6,15 +6,15 @@ abi , include -@{exec_path} = /{usr/,}bin/swtpm_localca +@{exec_path} = @{bin}/swtpm_localca profile swtpm_localca @{exec_path} { include include @{exec_path} mr, - /{usr/,}bin/certtool rix, - /{usr/,}bin/swtpm_cert rix, + @{bin}/certtool rix, + @{bin}/swtpm_cert rix, /etc/swtpm-localca.conf r, /etc/swtpm-localca.options r, diff --git a/apparmor.d/profiles-s-z/swtpm_setup b/apparmor.d/profiles-s-z/swtpm_setup index ea2d98de..940b5bcf 100644 --- a/apparmor.d/profiles-s-z/swtpm_setup +++ b/apparmor.d/profiles-s-z/swtpm_setup @@ -6,15 +6,15 @@ abi , include -@{exec_path} = /{usr/,}bin/swtpm_setup +@{exec_path} = @{bin}/swtpm_setup profile swtpm_setup @{exec_path} { include include @{exec_path} mr, - /{usr/,}bin/swtpm rPx, - /{usr/,}bin/swtpm_localca rPx, + @{bin}/swtpm rPx, + @{bin}/swtpm_localca rPx, /etc/swtpm_setup.conf r, diff --git a/apparmor.d/profiles-s-z/syncoid b/apparmor.d/profiles-s-z/syncoid index 4cc4f0d9..b3dd29a8 100644 --- a/apparmor.d/profiles-s-z/syncoid +++ b/apparmor.d/profiles-s-z/syncoid 
@@ -13,12 +13,12 @@ profile syncoid @{exec_path} flags=(complain) { include @{exec_path} mr, - /{usr/,}bin/grep rix, - /{usr/,}bin/mbuffer rix, - /{usr/,}bin/perl rix, - /{usr/,}bin/ps rPx, - /{usr/,}bin/pv rix, - /{usr/,}bin/{,ba,da}sh rix, + @{bin}/{,ba,da}sh rix, + @{bin}/grep rix, + @{bin}/mbuffer rix, + @{bin}/perl rix, + @{bin}/ps rPx, + @{bin}/pv rix, /{usr/,}{local/,}{s,}bin/zfs rPx, /{usr/,}{local/,}{s,}bin/zpool rPx, diff --git a/apparmor.d/profiles-s-z/syncthing b/apparmor.d/profiles-s-z/syncthing index 02f84919..241e925e 100644 --- a/apparmor.d/profiles-s-z/syncthing +++ b/apparmor.d/profiles-s-z/syncthing @@ -7,7 +7,7 @@ abi , include -@{exec_path} = /{usr/,}bin/syncthing +@{exec_path} = @{bin}/syncthing profile syncthing @{exec_path} { include include @@ -21,8 +21,8 @@ profile syncthing @{exec_path} { @{exec_path} mrix, - /{usr/,}bin/xdg-open rCx -> open, - /{usr/,}bin/ip rix, + @{bin}/xdg-open rCx -> open, + @{bin}/ip rix, /usr/share/mime/{,*} r, @@ -45,19 +45,19 @@ profile syncthing @{exec_path} { include include - /{usr/,}bin/xdg-open mr, + @{bin}/xdg-open mr, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/{m,g,}awk rix, - /{usr/,}bin/readlink rix, - /{usr/,}bin/basename rix, + @{bin}/{,ba,da}sh rix, + @{bin}/{m,g,}awk rix, + @{bin}/readlink rix, + @{bin}/basename rix, owner @{HOME}/ r, owner @{run}/user/@{uid}/ r, # Allowed apps to open - /{usr/,}bin/firefox rPx, - /{usr/,}lib/firefox/firefox rPx, + @{bin}/firefox rPx, + @{lib}/firefox/firefox rPx, # file_inherit owner @{HOME}/.xsession-errors w, diff --git a/apparmor.d/profiles-s-z/sysctl b/apparmor.d/profiles-s-z/sysctl index 24cb4ddc..9fcdb05c 100644 --- a/apparmor.d/profiles-s-z/sysctl +++ b/apparmor.d/profiles-s-z/sysctl @@ -8,7 +8,7 @@ abi , include -@{exec_path} = /{usr/,}{s,}bin/sysctl +@{exec_path} = @{bin}/sysctl profile sysctl @{exec_path} { include diff --git a/apparmor.d/profiles-s-z/system-config-printer b/apparmor.d/profiles-s-z/system-config-printer index 20b2cb7f..ef8c338e 100644 
--- a/apparmor.d/profiles-s-z/system-config-printer +++ b/apparmor.d/profiles-s-z/system-config-printer @@ -7,7 +7,7 @@ abi , include -@{exec_path} = /{usr/,}bin/system-config-printer +@{exec_path} = @{bin}/system-config-printer @{exec_path} += /usr/share/system-config-printer/system-config-printer.py profile system-config-printer @{exec_path} flags=(complain) { include @@ -41,9 +41,9 @@ profile system-config-printer @{exec_path} flags=(complain) { @{exec_path} mrix, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/python3.[0-9]* r, - /{usr/,}lib/cups/*/* rPUx, + @{bin}/{,ba,da}sh rix, + @{bin}/python3.[0-9]* r, + @{lib}/cups/*/* rPUx, /usr/share/hplip/query.py rPUx, /usr/share/cups/data/testprint r, diff --git a/apparmor.d/profiles-s-z/system-config-printer-applet b/apparmor.d/profiles-s-z/system-config-printer-applet index 14e68733..927bbe91 100644 --- a/apparmor.d/profiles-s-z/system-config-printer-applet +++ b/apparmor.d/profiles-s-z/system-config-printer-applet @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/system-config-printer-applet /usr/share/system-config-printer/applet.py +@{exec_path} = @{bin}/system-config-printer-applet /usr/share/system-config-printer/applet.py profile system-config-printer-applet @{exec_path} { include include @@ -18,8 +18,8 @@ profile system-config-printer-applet @{exec_path} { @{exec_path} mrix, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/python3.[0-9]* r, + @{bin}/{,ba,da}sh rix, + @{bin}/python3.[0-9]* r, /usr/share/system-config-printer/{,**} r, diff --git a/apparmor.d/profiles-s-z/tasksel b/apparmor.d/profiles-s-z/tasksel index 72537f61..414bcd26 100644 --- a/apparmor.d/profiles-s-z/tasksel +++ b/apparmor.d/profiles-s-z/tasksel 
@@ -6,19 +6,19 @@ abi , include -@{exec_path} = /{usr/,}bin/tasksel +@{exec_path} = @{bin}/tasksel profile tasksel @{exec_path} flags=(complain) { include include @{exec_path} r, - /{usr/,}bin/perl r, + @{bin}/perl r, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/tempfile rix, - /{usr/,}lib/tasksel/tasksel-debconf rix, + @{bin}/{,ba,da}sh rix, + @{bin}/tempfile rix, + @{lib}/tasksel/tasksel-debconf rix, - /{usr/,}lib/tasksel/tests/* rCx -> tasksel-tests, + @{lib}/tasksel/tests/* rCx -> tasksel-tests, # Think what to do about this (#FIXME#) /usr/share/debconf/frontend rPx, @@ -27,11 +27,11 @@ profile tasksel @{exec_path} flags=(complain) { # Do not strip env to avoid errors like the following: # ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open # shared object file): ignored. - /{usr/,}bin/dpkg-query rpx, + @{bin}/dpkg-query rpx, # - /{usr/,}bin/apt-cache rPx, + @{bin}/apt-cache rPx, - /{usr/,}bin/debconf-apt-progress rPx, + @{bin}/debconf-apt-progress rPx, /usr/share/tasksel/** r, @@ -43,8 +43,8 @@ profile tasksel @{exec_path} flags=(complain) { profile tasksel-tests flags=(complain) { include - /{usr/,}lib/tasksel/tests/* r, - /{usr/,}bin/{,ba,da}sh rix, + @{lib}/tasksel/tests/* r, + @{bin}/{,ba,da}sh rix, } @@ -55,16 +55,16 @@ profile tasksel @{exec_path} flags=(complain) { include /usr/share/debconf/frontend r, - /{usr/,}bin/perl r, + @{bin}/perl r, - /{usr/,}bin/tasksel rPx, + @{bin}/tasksel rPx, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/stty rix, - /{usr/,}bin/locale rix, + @{bin}/{,ba,da}sh rix, + @{bin}/stty rix, + @{bin}/locale rix, # The following is needed when debconf uses dialog/whiptail frontend. - /{usr/,}bin/whiptail rPx, + @{bin}/whiptail rPx, owner /tmp/file* w, /usr/share/debconf/confmodule r, diff --git a/apparmor.d/profiles-s-z/tftp b/apparmor.d/profiles-s-z/tftp index 21fee858..50805e76 100644 --- a/apparmor.d/profiles-s-z/tftp +++ b/apparmor.d/profiles-s-z/tftp 
@@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/tftp +@{exec_path} = @{bin}/tftp profile tftp @{exec_path} { include include diff --git a/apparmor.d/profiles-s-z/thermald b/apparmor.d/profiles-s-z/thermald index 0348a6a0..860c08e1 100644 --- a/apparmor.d/profiles-s-z/thermald +++ b/apparmor.d/profiles-s-z/thermald @@ -7,7 +7,7 @@ abi , include -@{exec_path} = /{usr/,}sbin/thermald +@{exec_path} = @{bin}/thermald profile thermald @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/profiles-s-z/thinkfan b/apparmor.d/profiles-s-z/thinkfan index 6a9e5237..01db8a49 100644 --- a/apparmor.d/profiles-s-z/thinkfan +++ b/apparmor.d/profiles-s-z/thinkfan @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}{s,}bin/thinkfan +@{exec_path} = @{bin}/thinkfan profile thinkfan @{exec_path} { include diff --git a/apparmor.d/profiles-s-z/tint2 b/apparmor.d/profiles-s-z/tint2 index b2c3960f..92c44b09 100644 --- a/apparmor.d/profiles-s-z/tint2 +++ b/apparmor.d/profiles-s-z/tint2 @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/tint2 +@{exec_path} = @{bin}/tint2 profile tint2 @{exec_path} { include include @@ -35,7 +35,7 @@ profile tint2 @{exec_path} { owner @{user_config_dirs}/launchers/{,*.desktop} r, owner @{user_config_dirs}/launchers/icons/{,*.png} r, - /{usr/,}lib/@{multiarch}/imlib2/loaders/*.so mr, + @{lib}/@{multiarch}/imlib2/loaders/*.so mr, # Some missing icons /usr/share/**.png r, diff --git a/apparmor.d/profiles-s-z/tint2conf b/apparmor.d/profiles-s-z/tint2conf index e5716a99..58303b84 100644 --- a/apparmor.d/profiles-s-z/tint2conf +++ b/apparmor.d/profiles-s-z/tint2conf @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/tint2conf +@{exec_path} = @{bin}/tint2conf profile tint2conf @{exec_path} { include include @@ -16,9 +16,9 @@ profile tint2conf @{exec_path} { @{exec_path} mr, - /{usr/,}bin/tint2 rPx, + @{bin}/tint2 rPx, - /{usr/,}bin/{,ba,da}sh rix, + @{bin}/{,ba,da}sh rix, /usr/share/tint2/{,*} r, 
diff --git a/apparmor.d/profiles-s-z/top b/apparmor.d/profiles-s-z/top index 0b403aed..cc954cc5 100644 --- a/apparmor.d/profiles-s-z/top +++ b/apparmor.d/profiles-s-z/top @@ -8,7 +8,7 @@ include # When any of the "ns*" fields is displayed, the following error will be printed: # "Failed name lookup - disconnected path" error=-13 profile="top" name="". -@{exec_path} = /{usr/,}bin/top +@{exec_path} = @{bin}/top profile top @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/profiles-s-z/torify b/apparmor.d/profiles-s-z/torify index ac213d21..2e6b230a 100644 --- a/apparmor.d/profiles-s-z/torify +++ b/apparmor.d/profiles-s-z/torify @@ -6,12 +6,12 @@ abi , include -@{exec_path} = /{usr/,}bin/torify +@{exec_path} = @{bin}/torify profile torify @{exec_path} { include @{exec_path} r, - /{usr/,}bin/{,ba,da}sh rix, + @{bin}/{,ba,da}sh rix, include if exists } diff --git a/apparmor.d/profiles-s-z/torsocks b/apparmor.d/profiles-s-z/torsocks index 5b163827..aee5edbe 100644 --- a/apparmor.d/profiles-s-z/torsocks +++ b/apparmor.d/profiles-s-z/torsocks @@ -6,12 +6,12 @@ abi , include -@{exec_path} = /{usr/,}bin/torsocks +@{exec_path} = @{bin}/torsocks profile torsocks @{exec_path} { include @{exec_path} r, - /{usr/,}bin/{,ba,da}sh rix, + @{bin}/{,ba,da}sh rix, include if exists } diff --git a/apparmor.d/profiles-s-z/tpacpi-bat b/apparmor.d/profiles-s-z/tpacpi-bat index 637ad3a4..4dbbb087 100644 --- a/apparmor.d/profiles-s-z/tpacpi-bat +++ b/apparmor.d/profiles-s-z/tpacpi-bat @@ -6,19 +6,19 @@ abi , include -@{exec_path} = /{usr/,}bin/tpacpi-bat +@{exec_path} = @{bin}/tpacpi-bat profile tpacpi-bat @{exec_path} { include include @{exec_path} mr, - /{usr/,}bin/perl r, + @{bin}/perl r, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/cat rix, + @{bin}/{,ba,da}sh rix, + @{bin}/cat rix, # To load the acpi_call module - /{usr/,}bin/kmod rPx, + @{bin}/kmod rPx, @{PROC}/acpi/call rw, 
diff --git a/apparmor.d/profiles-s-z/transmission-qt b/apparmor.d/profiles-s-z/transmission-qt index 37637812..20597848 100644 --- a/apparmor.d/profiles-s-z/transmission-qt +++ b/apparmor.d/profiles-s-z/transmission-qt @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/transmission-qt +@{exec_path} = @{bin}/transmission-qt profile transmission-qt @{exec_path} { include include diff --git a/apparmor.d/profiles-s-z/tune2fs b/apparmor.d/profiles-s-z/tune2fs index d886b8ec..c5e2dc9e 100644 --- a/apparmor.d/profiles-s-z/tune2fs +++ b/apparmor.d/profiles-s-z/tune2fs @@ -7,7 +7,7 @@ abi , include -@{exec_path} = /{usr/,}{s,}bin/{tune2fs,e2label} +@{exec_path} = @{bin}/{tune2fs,e2label} profile tune2fs @{exec_path} { include include diff --git a/apparmor.d/profiles-s-z/ucf b/apparmor.d/profiles-s-z/ucf index fdf79a68..338529c5 100644 --- a/apparmor.d/profiles-s-z/ucf +++ b/apparmor.d/profiles-s-z/ucf 
@@ -7,42 +7,42 @@ abi , include -@{exec_path} = /{usr/,}bin/ucf +@{exec_path} = @{bin}/ucf profile ucf @{exec_path} flags=(complain) { include include @{exec_path} r, - /{usr/,}bin/{,ba,da}sh rix, + @{bin}/{,ba,da}sh rix, - /{usr/,}bin/{,e}grep rix, - /{usr/,}bin/basename rix, - /{usr/,}bin/cat rix, - /{usr/,}bin/cp rix, - /{usr/,}bin/dirname rix, - /{usr/,}bin/{m,g,}awk rix, - /{usr/,}bin/getopt rix, - /{usr/,}bin/id rix, - /{usr/,}bin/md5sum rix, - /{usr/,}bin/mkdir rix, - /{usr/,}bin/mv rix, - /{usr/,}bin/perl rix, - /{usr/,}bin/readlink rix, - /{usr/,}bin/rm rix, - /{usr/,}bin/sed rix, - /{usr/,}bin/seq rix, - /{usr/,}bin/stat rix, - /{usr/,}bin/tr rix, - /{usr/,}bin/which{,.debianutils} rix, + @{bin}/{,e}grep rix, + @{bin}/basename rix, + @{bin}/cat rix, + @{bin}/cp rix, + @{bin}/dirname rix, + @{bin}/{m,g,}awk rix, + @{bin}/getopt rix, + @{bin}/id rix, + @{bin}/md5sum rix, + @{bin}/mkdir rix, + @{bin}/mv rix, + @{bin}/perl rix, + @{bin}/readlink rix, + @{bin}/rm rix, + @{bin}/sed rix, + @{bin}/seq rix, + @{bin}/stat rix, + @{bin}/tr rix, + @{bin}/which{,.debianutils} rix, # Do not strip env to avoid errors like the following: # ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open # shared object file): ignored. - /{usr/,}bin/dpkg-query rpx, + @{bin}/dpkg-query rpx, # - /{usr/,}bin/dpkg-divert rPx, + @{bin}/dpkg-divert rPx, - /{usr/,}bin/sensible-pager rCx -> pager, + @{bin}/sensible-pager rCx -> pager, # Think what to do about this (#FIXME#) /usr/share/debconf/frontend rPx, @@ -73,8 +73,8 @@ profile ucf @{exec_path} flags=(complain) { include include - /{usr/,}bin/ r, - /{usr/,}bin/sensible-pager mr, + @{bin}/ r, + @{bin}/sensible-pager mr, # For shell pwd /root/ r, 
@@ -88,13 +88,13 @@ profile ucf @{exec_path} flags=(complain) { include /usr/share/debconf/frontend r, - /{usr/,}bin/perl r, + @{bin}/perl r, - /{usr/,}bin/ucf rPx, + @{bin}/ucf rPx, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/stty rix, - /{usr/,}bin/locale rix, + @{bin}/{,ba,da}sh rix, + @{bin}/stty rix, + @{bin}/locale rix, /etc/debconf.conf r, owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk, @@ -105,8 +105,8 @@ profile ucf @{exec_path} flags=(complain) { include include capability dac_read_search, - /{usr/,}bin/lsb_release rPx -> lsb_release, - /{usr/,}bin/hostname rix, + @{bin}/lsb_release rPx -> lsb_release, + @{bin}/hostname rix, owner @{PROC}/@{pid}/mounts r, @{HOME}/.Xauthority r, diff --git a/apparmor.d/profiles-s-z/udiskie b/apparmor.d/profiles-s-z/udiskie index ce7f1a55..4a103341 100644 --- a/apparmor.d/profiles-s-z/udiskie +++ b/apparmor.d/profiles-s-z/udiskie @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/udiskie +@{exec_path} = @{bin}/udiskie profile udiskie @{exec_path} { include include @@ -22,10 +22,10 @@ profile udiskie @{exec_path} { include @{exec_path} r, - /{usr/,}bin/python3.[0-9]* r, + @{bin}/python3.[0-9]* r, - /{usr/,}bin/ r, - /{usr/,}bin/xdg-open rCx -> open, + @{bin}/ r, + @{bin}/xdg-open rCx -> open, owner @{user_config_dirs}/udiskie/ r, owner @{user_config_dirs}/udiskie/config.yml r, 
@@ -37,28 +37,28 @@ profile udiskie @{exec_path} { /etc/fstab r, # Allowed apps to open - /{usr/,}bin/spacefm rPx, + @{bin}/spacefm rPx, # Silencer - deny /{usr/,}lib/** w, + deny @{lib}/** w, profile open { include include - /{usr/,}bin/xdg-open mr, + @{bin}/xdg-open mr, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/{m,g,}awk rix, - /{usr/,}bin/readlink rix, - /{usr/,}bin/basename rix, + @{bin}/{,ba,da}sh rix, + @{bin}/{m,g,}awk rix, + @{bin}/readlink rix, + @{bin}/basename rix, owner @{HOME}/ r, owner @{run}/user/@{uid}/ r, # Allowed apps to open - /{usr/,}bin/spacefm rPx, + @{bin}/spacefm rPx, # file_inherit owner @{HOME}/.xsession-errors w, diff --git a/apparmor.d/profiles-s-z/udiskie-info b/apparmor.d/profiles-s-z/udiskie-info index 9e1e52d1..f1190dae 100644 --- a/apparmor.d/profiles-s-z/udiskie-info +++ b/apparmor.d/profiles-s-z/udiskie-info @@ -6,13 +6,13 @@ abi , include -@{exec_path} = /{usr/,}bin/udiskie-info +@{exec_path} = @{bin}/udiskie-info profile udiskie-info @{exec_path} { include include @{exec_path} r, - /{usr/,}bin/python3.[0-9]* r, + @{bin}/python3.[0-9]* r, /usr/bin/ r, diff --git a/apparmor.d/profiles-s-z/udiskie-mount b/apparmor.d/profiles-s-z/udiskie-mount index c5bd22be..b76d4be5 100644 --- a/apparmor.d/profiles-s-z/udiskie-mount +++ b/apparmor.d/profiles-s-z/udiskie-mount @@ -6,13 +6,13 @@ abi , include -@{exec_path} = /{usr/,}bin/udiskie-mount +@{exec_path} = @{bin}/udiskie-mount profile udiskie-mount @{exec_path} { include include @{exec_path} r, - /{usr/,}bin/python3.[0-9]* r, + @{bin}/python3.[0-9]* r, /usr/bin/ r, diff --git a/apparmor.d/profiles-s-z/udiskie-umount b/apparmor.d/profiles-s-z/udiskie-umount index d04e6856..fd4c752a 100644 --- a/apparmor.d/profiles-s-z/udiskie-umount +++ b/apparmor.d/profiles-s-z/udiskie-umount 
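Review bot: `/usr/bin/ r,` remains a literal path in udiskie-info (the same line is also left unchanged in udiskie-mount and udiskie-umount) while the python3 rule just above it moves to `@{bin}/...`, and the udiskie profile in this same commit spells the identical directory-listing rule as `@{bin}/ r,`. Changing the three helpers to `@{bin}/ r,` keeps the four profiles consistent. If the literal was retained deliberately (for instance to avoid also granting listing of the sbin variants the variable presumably covers), a short comment saying so would make that intent visible. Each of these profile bodies continues outside its hunk.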
@@ -6,13 +6,13 @@ abi , include -@{exec_path} = /{usr/,}bin/udiskie-umount +@{exec_path} = @{bin}/udiskie-umount profile udiskie-umount @{exec_path} { include include @{exec_path} r, - /{usr/,}bin/python3.[0-9]* r, + @{bin}/python3.[0-9]* r, /usr/bin/ r, diff --git a/apparmor.d/profiles-s-z/udisksctl b/apparmor.d/profiles-s-z/udisksctl index 58fca3ce..f1d9f2b9 100644 --- a/apparmor.d/profiles-s-z/udisksctl +++ b/apparmor.d/profiles-s-z/udisksctl @@ -7,17 +7,17 @@ abi , include -@{exec_path} = /{usr/,}bin/udisksctl +@{exec_path} = @{bin}/udisksctl profile udisksctl @{exec_path} { include @{exec_path} mr, - /{usr/,}bin/{,ba,da}sh rix, + @{bin}/{,ba,da}sh rix, - /{usr/,}bin/pager rPx -> child-pager, - /{usr/,}bin/less rPx -> child-pager, - /{usr/,}bin/more rPx -> child-pager, + @{bin}/pager rPx -> child-pager, + @{bin}/less rPx -> child-pager, + @{bin}/more rPx -> child-pager, /dev/tty rw, diff --git a/apparmor.d/profiles-s-z/udisksd b/apparmor.d/profiles-s-z/udisksd index 08d712e1..b479f466 100644 --- a/apparmor.d/profiles-s-z/udisksd +++ b/apparmor.d/profiles-s-z/udisksd @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{libexec}/{,udisks2/}udisksd +@{exec_path} = @{lib}/{,udisks2/}udisksd profile udisksd @{exec_path} flags=(attach_disconnected) { include include 
@@ -95,25 +95,25 @@ profile udisksd @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/umount rix, + @{bin}/{,ba,da}sh rix, + @{bin}/umount rix, - /{usr/,}{s,}bin/dmidecode rPx, - /{usr/,}{s,}bin/dumpe2fs rPx, - /{usr/,}{s,}bin/fsck.fat rPx, - /{usr/,}{s,}bin/lvm rPUx, - /{usr/,}{s,}bin/mke2fs rPx, - /{usr/,}{s,}bin/mkfs.btrfs rPx, - /{usr/,}{s,}bin/mkfs.ext{2,3,4} rPx, - /{usr/,}{s,}bin/mkfs.fat rPx, - /{usr/,}{s,}bin/sfdisk rPx, - /{usr/,}{s,}bin/sgdisk rPx, - /{usr/,}bin/eject rPx, - /{usr/,}bin/mount.exfat-fuse rPUx, - /{usr/,}bin/ntfs-3g rPx, - /{usr/,}bin/ntfsfix rPx, - /{usr/,}bin/systemctl rPx -> child-systemctl, - /{usr/,}bin/systemd-escape rPx, + @{bin}/dmidecode rPx, + @{bin}/dumpe2fs rPx, + @{bin}/eject rPx, + @{bin}/fsck.fat rPx, + @{bin}/lvm rPUx, + @{bin}/mke2fs rPx, + @{bin}/mkfs.btrfs rPx, + @{bin}/mkfs.ext{2,3,4} rPx, + @{bin}/mkfs.fat rPx, + @{bin}/mount.exfat-fuse rPUx, + @{bin}/ntfs-3g rPx, + @{bin}/ntfsfix rPx, + @{bin}/sfdisk rPx, + @{bin}/sgdisk rPx, + @{bin}/systemctl rPx -> child-systemctl, + @{bin}/systemd-escape rPx, /etc/udisks2/{,**} r, /etc/libblockdev/{,**} r, diff --git a/apparmor.d/profiles-s-z/umount b/apparmor.d/profiles-s-z/umount index e2278001..12c8efd8 100644 --- a/apparmor.d/profiles-s-z/umount +++ b/apparmor.d/profiles-s-z/umount @@ -7,7 +7,7 @@ abi , include -@{exec_path} = /{usr/,}{s,}bin/umount +@{exec_path} = @{bin}/umount profile umount @{exec_path} { include include @@ -27,8 +27,8 @@ profile umount @{exec_path} { @{exec_path} mr, - /{usr/,}{s,}bin/umount.* rPx, - /{usr/,}{s,}bin/mount.* rPx, + @{bin}/umount.* rPx, + @{bin}/mount.* rPx, # Mount points @{HOME}/ r, diff --git a/apparmor.d/profiles-s-z/umount.udisks2 b/apparmor.d/profiles-s-z/umount.udisks2 index 5be3ed14..aa385a97 100644 --- a/apparmor.d/profiles-s-z/umount.udisks2 +++ b/apparmor.d/profiles-s-z/umount.udisks2 
@@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}{s,}bin/umount.udisks2 +@{exec_path} = @{bin}/umount.udisks2 profile umount.udisks2 @{exec_path} flags=(complain) { include diff --git a/apparmor.d/profiles-s-z/uname b/apparmor.d/profiles-s-z/uname index 86980440..66782ec7 100644 --- a/apparmor.d/profiles-s-z/uname +++ b/apparmor.d/profiles-s-z/uname @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/uname +@{exec_path} = @{bin}/uname profile uname @{exec_path} { include include diff --git a/apparmor.d/profiles-s-z/unhide-linux b/apparmor.d/profiles-s-z/unhide-linux index 1900eae4..ee8d3cbf 100644 --- a/apparmor.d/profiles-s-z/unhide-linux +++ b/apparmor.d/profiles-s-z/unhide-linux @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}{s,}bin/unhide{,-linux} +@{exec_path} = @{bin}/unhide{,-linux} profile unhide-linux @{exec_path} { include @@ -17,8 +17,8 @@ profile unhide-linux @{exec_path} { @{exec_path} mr, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/ps rix, + @{bin}/{,ba,da}sh rix, + @{bin}/ps rix, @{PROC}/ r, @{PROC}/uptime r, diff --git a/apparmor.d/profiles-s-z/unhide-posix b/apparmor.d/profiles-s-z/unhide-posix index ff6c2e07..0a3bf4ab 100644 --- a/apparmor.d/profiles-s-z/unhide-posix +++ b/apparmor.d/profiles-s-z/unhide-posix @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}{s,}bin/unhide-posix +@{exec_path} = @{bin}/unhide-posix profile unhide-posix @{exec_path} { include include @@ -17,10 +17,10 @@ profile unhide-posix @{exec_path} { @{exec_path} mr, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/ps rix, - /{usr/,}bin/{m,g,}awk rix, - /{usr/,}bin/{,e}grep rix, + @{bin}/{,ba,da}sh rix, + @{bin}/{,e}grep rix, + @{bin}/{m,g,}awk rix, + @{bin}/ps rix, @{PROC}/ r, @{PROC}/uptime r, diff --git a/apparmor.d/profiles-s-z/unhide-rb b/apparmor.d/profiles-s-z/unhide-rb index 96939aa7..211b95b4 100644 --- a/apparmor.d/profiles-s-z/unhide-rb +++ b/apparmor.d/profiles-s-z/unhide-rb 
@@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}{s,}bin/unhide_rb +@{exec_path} = @{bin}/unhide_rb profile unhide-rb @{exec_path} { include diff --git a/apparmor.d/profiles-s-z/unhide-tcp b/apparmor.d/profiles-s-z/unhide-tcp index 28e83048..e315fffe 100644 --- a/apparmor.d/profiles-s-z/unhide-tcp +++ b/apparmor.d/profiles-s-z/unhide-tcp @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}{s,}bin/unhide-tcp +@{exec_path} = @{bin}/unhide-tcp profile unhide-tcp @{exec_path} { include @@ -17,11 +17,11 @@ profile unhide-tcp @{exec_path} { @{exec_path} mr, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/sed rix, - /{usr/,}bin/ss rix, - /{usr/,}bin/netstat rix, - /{usr/,}bin/fuser rix, + @{bin}/{,ba,da}sh rix, + @{bin}/fuser rix, + @{bin}/netstat rix, + @{bin}/sed rix, + @{bin}/ss rix, @{PROC}/@{pids}/net/tcp{,6} r, @{PROC}/@{pids}/net/udp{,6} r, diff --git a/apparmor.d/profiles-s-z/unix-chkpwd b/apparmor.d/profiles-s-z/unix-chkpwd index c0082d3e..d30da5c0 100644 --- a/apparmor.d/profiles-s-z/unix-chkpwd +++ b/apparmor.d/profiles-s-z/unix-chkpwd @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}{s,}bin/unix_chkpwd +@{exec_path} = @{bin}/unix_chkpwd profile unix-chkpwd @{exec_path} { include include diff --git a/apparmor.d/profiles-s-z/unmkinitramfs b/apparmor.d/profiles-s-z/unmkinitramfs index a8340cea..f4c77d08 100644 --- a/apparmor.d/profiles-s-z/unmkinitramfs +++ b/apparmor.d/profiles-s-z/unmkinitramfs @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/unmkinitramfs +@{exec_path} = @{bin}/unmkinitramfs profile unmkinitramfs @{exec_path} { include 
@@ -15,25 +15,24 @@ profile unmkinitramfs @{exec_path} { capability mknod, @{exec_path} r, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/cat rix, - /{usr/,}bin/xzcat rix, - /{usr/,}bin/lz4cat rix, - /{usr/,}bin/mkdir rix, - /{usr/,}bin/mktemp rix, - /{usr/,}bin/rm rix, - /{usr/,}bin/dd rix, - /{usr/,}bin/{,e}grep rix, - /{usr/,}bin/getopt rix, - - /{usr/,}bin/cpio rix, - /{usr/,}bin/gzip rix, - /{usr/,}bin/bzip2 rix, - /{usr/,}bin/lzma rix, - /{usr/,}bin/lzop rix, - /{usr/,}bin/xz rix, - /{usr/,}bin/zstd rix, + @{bin}/{,ba,da}sh rix, + @{bin}/{,e}grep rix, + @{bin}/bzip2 rix, + @{bin}/cat rix, + @{bin}/cpio rix, + @{bin}/dd rix, + @{bin}/getopt rix, + @{bin}/gzip rix, + @{bin}/lz4cat rix, + @{bin}/lzma rix, + @{bin}/lzop rix, + @{bin}/mkdir rix, + @{bin}/mktemp rix, + @{bin}/rm rix, + @{bin}/xz rix, + @{bin}/xzcat rix, + @{bin}/zstd rix, /boot/ r, owner /boot/initrd.img-* r, diff --git a/apparmor.d/profiles-s-z/update-alternatives b/apparmor.d/profiles-s-z/update-alternatives index ef7a31f1..c9007679 100644 --- a/apparmor.d/profiles-s-z/update-alternatives +++ b/apparmor.d/profiles-s-z/update-alternatives @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/update-alternatives +@{exec_path} = @{bin}/update-alternatives profile update-alternatives @{exec_path} { include include @@ -20,11 +20,11 @@ profile update-alternatives @{exec_path} { /var/lib/dpkg/alternatives/ r, /var/lib/dpkg/alternatives/* rw, - /{usr/,}bin/* w, - /{usr/,}bin/*.dpkg-tmp rw, + @{bin}/* w, + @{bin}/*.dpkg-tmp rw, - /{usr/,}sbin/* w, - /{usr/,}sbin/*.dpkg-tmp rw, + @{bin}/* w, + @{bin}/*.dpkg-tmp rw, /usr/** rw, diff --git a/apparmor.d/profiles-s-z/update-ca-certificates b/apparmor.d/profiles-s-z/update-ca-certificates index 9c08bed7..3d3a99ce 100644 --- a/apparmor.d/profiles-s-z/update-ca-certificates +++ b/apparmor.d/profiles-s-z/update-ca-certificates 
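Review bot: The update-alternatives hunk ends up with `@{bin}/* w,` and `@{bin}/*.dpkg-tmp rw,` twice, because the former `bin/` pair and the former `sbin/` pair were both mapped onto the same variable; the second pair is redundant and should be dropped, leaving one `@{bin}/* w,` / `@{bin}/*.dpkg-tmp rw,` pair. Assuming `@{bin}` already spans the sbin directories, nothing is lost, and removing the duplicate avoids the two copies drifting apart when one is later edited. The `/usr/** rw,` context line that follows presumably subsumes both on merged-usr hosts; a comment noting why the narrower rules are kept would help the next reader. The profile body continues outside the hunk.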
@@ -7,7 +7,7 @@ abi , include -@{exec_path} = /{usr/,}{s,}bin/update-ca-certificates +@{exec_path} = @{bin}/update-ca-certificates profile update-ca-certificates @{exec_path} { include include @@ -15,28 +15,28 @@ profile update-ca-certificates @{exec_path} { include @{exec_path} r, - /{usr/,}bin/{,ba,da}sh rix, + @{bin}/{,ba,da}sh rix, - /{usr/,}bin/basename rix, - /{usr/,}bin/cat rix, - /{usr/,}bin/chmod rix, - /{usr/,}bin/find rix, - /{usr/,}bin/flock rix, - /{usr/,}bin/ln rix, - /{usr/,}bin/mktemp rix, - /{usr/,}bin/mv rix, - /{usr/,}bin/readlink rix, - /{usr/,}bin/rm rix, - /{usr/,}bin/sed rix, - /{usr/,}bin/sort rix, - /{usr/,}bin/test rix, - /{usr/,}bin/wc rix, + @{bin}/basename rix, + @{bin}/cat rix, + @{bin}/chmod rix, + @{bin}/find rix, + @{bin}/flock rix, + @{bin}/ln rix, + @{bin}/mktemp rix, + @{bin}/mv rix, + @{bin}/readlink rix, + @{bin}/rm rix, + @{bin}/sed rix, + @{bin}/sort rix, + @{bin}/test rix, + @{bin}/wc rix, - /{usr/,}bin/openssl rix, + @{bin}/openssl rix, /etc/ca-certificates/update.d/ r, /etc/ca-certificates/update.d/jks-keystore rCx -> jks-keystore, - /{usr/,}bin/run-parts rCx -> run-parts, + @{bin}/run-parts rCx -> run-parts, /etc/ r, /etc/ca-certificates.conf r, @@ -44,7 +44,7 @@ profile update-ca-certificates @{exec_path} { /etc/ssl/certs/*.pem rw, /etc/ssl/certs/@{hex}.[0-9] rw, - /{usr/,}lib/locale/locale-archive r, + @{lib}/locale/locale-archive r, /tmp/ r, owner /tmp/ca-certificates{,.crt}.tmp.* rw, @@ -57,7 +57,7 @@ profile update-ca-certificates @{exec_path} { profile run-parts { include - /{usr/,}bin/run-parts mr, + @{bin}/run-parts mr, /etc/ca-certificates/update.d/ r, 
@@ -74,21 +74,21 @@ profile update-ca-certificates @{exec_path} {
 /etc/ca-certificates/update.d/jks-keystore mr,
- /{usr/,}lib/ r,
- /{usr/,}lib/jvm/java-[0-9]*-openjdk-*/jre/bin/java rix,
- /{usr/,}lib/jvm/java-[0-9]*-openjdk-*/bin/java rix,
- /{usr/,}lib/jvm/java-[0-9]*-openjdk-*/lib/server/classes.jsa mr,
+ @{lib}/ r,
+ @{lib}/jvm/java-[0-9]*-openjdk-*/jre/bin/java rix,
+ @{lib}/jvm/java-[0-9]*-openjdk-*/bin/java rix,
+ @{lib}/jvm/java-[0-9]*-openjdk-*/lib/server/classes.jsa mr,
- /{usr/,}bin/{,ba,da}sh rix,
- /{usr/,}bin/sed rix,
- /{usr/,}bin/head rix,
- /{usr/,}bin/mountpoint rix,
+ @{bin}/{,ba,da}sh rix,
+ @{bin}/sed rix,
+ @{bin}/head rix,
+ @{bin}/mountpoint rix,
 # Do not strip env to avoid errors like the following:
 # ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open
 # shared object file): ignored.
- /{usr/,}bin/dpkg-query rpx,
+ @{bin}/dpkg-query rpx,
 #
- /{usr/,}bin/dpkg rPx -> child-dpkg,
+ @{bin}/dpkg rPx -> child-dpkg,
 /usr/share/ca-certificates-java/ca-certificates-java.jar r,
 /usr/share/java/java-atk-wrapper.jar r,
diff --git a/apparmor.d/profiles-s-z/update-ca-trust b/apparmor.d/profiles-s-z/update-ca-trust
index caa578b8..a624539a 100644
--- a/apparmor.d/profiles-s-z/update-ca-trust
+++ b/apparmor.d/profiles-s-z/update-ca-trust
@@ -6,7 +6,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}bin/update-ca-trust
+@{exec_path} = @{bin}/update-ca-trust
 profile update-ca-trust @{exec_path} {
 include
 include
@@ -15,10 +15,10 @@ profile update-ca-trust @{exec_path} {
 @{exec_path} mr,
- /{usr/,}bin/bash rix,
- /{usr/,}bin/find rix,
- /{usr/,}bin/ln rix,
- /{usr/,}bin/trust rix,
+ @{bin}/bash rix,
+ @{bin}/find rix,
+ @{bin}/ln rix,
+ @{bin}/trust rix,
 / r,
 /usr/share/p11-kit/modules/{,*} r,
diff --git a/apparmor.d/profiles-s-z/update-command-not-found b/apparmor.d/profiles-s-z/update-command-not-found
index e61a956d..4074fd58 100644
--- a/apparmor.d/profiles-s-z/update-command-not-found
+++ b/apparmor.d/profiles-s-z/update-command-not-found
@@ -8,8 +8,8 @@ abi ,
 include
 @{exec_path} = /usr/share/command-not-found/cnf-update-db
-@{exec_path} += /{usr/,}{s,}bin/update-command-not-found
-@{exec_path} += /{usr/,}lib/cnf-update-db
+@{exec_path} += @{bin}/update-command-not-found
+@{exec_path} += @{lib}/cnf-update-db
 profile update-command-not-found @{exec_path} {
 include
 include
@@ -20,11 +20,11 @@ profile update-command-not-found @{exec_path} {
 @{exec_path} r,
- /{usr/,}bin/python3.[0-9]* r,
- /{usr/,}lib/ r,
+ @{bin}/python3.[0-9]* r,
+ @{lib}/ r,
- /{usr/,}bin/dpkg rPx -> child-dpkg,
- /{usr/,}lib/apt/apt-helper rix,
+ @{bin}/dpkg rPx -> child-dpkg,
+ @{lib}/apt/apt-helper rix,
 /usr/share/dpkg/cputable r,
 /usr/share/dpkg/tupletable r,
diff --git a/apparmor.d/profiles-s-z/update-cracklib b/apparmor.d/profiles-s-z/update-cracklib
index b6e41459..eab60047 100644
--- a/apparmor.d/profiles-s-z/update-cracklib
+++ b/apparmor.d/profiles-s-z/update-cracklib
@@ -6,23 +6,23 @@ abi ,
 include
-@{exec_path} = /{usr/,}{s,}bin/update-cracklib
+@{exec_path} = @{bin}/update-cracklib
 profile update-cracklib @{exec_path} {
 include
 include
 @{exec_path} mr,
- /{usr/,}{s,}bin/cracklib-format rix,
- /{usr/,}{s,}bin/cracklib-packer rPx,
- /{usr/,}bin/{,ba,da}sh rix,
- /{usr/,}bin/env rix,
- /{usr/,}bin/file rix,
- /{usr/,}bin/find rix,
- /{usr/,}bin/grep rix,
- /{usr/,}bin/gzip rix,
- /{usr/,}bin/sort rix,
- /{usr/,}bin/tr rix,
+ @{bin}/{,ba,da}sh rix,
+ @{bin}/cracklib-format rix,
+ @{bin}/cracklib-packer rPx,
+ @{bin}/env rix,
+ @{bin}/file rix,
+ @{bin}/find rix,
+ @{bin}/grep rix,
+ @{bin}/gzip rix,
+ @{bin}/sort rix,
+ @{bin}/tr rix,
 / r,
 /usr/share/dict/{,*} r,
diff --git a/apparmor.d/profiles-s-z/update-dlocatedb b/apparmor.d/profiles-s-z/update-dlocatedb
index e924df1f..ed5ee443 100644
--- a/apparmor.d/profiles-s-z/update-dlocatedb
+++ b/apparmor.d/profiles-s-z/update-dlocatedb
@@ -6,24 +6,24 @@ abi ,
 include
-@{exec_path} = /{usr/,}{s,}bin/update-dlocatedb
+@{exec_path} = @{bin}/update-dlocatedb
 profile update-dlocatedb @{exec_path} {
 include
 include
 @{exec_path} mr,
- /{usr/,}bin/{,ba,da}sh rix,
+ @{bin}/{,ba,da}sh rix,
- /{usr/,}bin/cat rix,
- /{usr/,}bin/uname rix,
- /{usr/,}bin/sed rix,
- /{usr/,}bin/sort rix,
- /{usr/,}bin/uniq rix,
+ @{bin}/cat rix,
+ @{bin}/uname rix,
+ @{bin}/sed rix,
+ @{bin}/sort rix,
+ @{bin}/uniq rix,
- /{usr/,}bin/ionice rix,
+ @{bin}/ionice rix,
 /usr/share/dlocate/updatedb rCx -> updatedb,
- /{usr/,}bin/dpkg rPx -> child-dpkg,
+ @{bin}/dpkg rPx -> child-dpkg,
 owner @{PROC}/@{pid}/fd/2 w,
@@ -38,7 +38,7 @@ profile update-dlocatedb @{exec_path} {
 include
 /usr/share/dlocate/updatedb r,
- /{usr/,}bin/perl r,
+ @{bin}/perl r,
 /etc/default/dlocate r,
@@ -54,7 +54,7 @@ profile update-dlocatedb @{exec_path} {
 /var/lib/dpkg/info/*.list r,
 # For compression
- /{usr/,}bin/gzip rix,
+ @{bin}/gzip rix,
 /var/lib/dlocate/dlocatedb.gz rw,
 }
diff --git a/apparmor.d/profiles-s-z/update-initramfs b/apparmor.d/profiles-s-z/update-initramfs
index bc5827be..7fa2217c 100644
--- a/apparmor.d/profiles-s-z/update-initramfs
+++ b/apparmor.d/profiles-s-z/update-initramfs
@@ -7,7 +7,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}sbin/update-initramfs
+@{exec_path} = @{bin}/update-initramfs
 profile update-initramfs @{exec_path} {
 include
 include
@@ -15,24 +15,24 @@ profile update-initramfs @{exec_path} {
 ptrace (read) peer=unconfined,
 @{exec_path} rix,
- /{usr/,}bin/{,ba,da}sh rix,
+ @{bin}/{,ba,da}sh rix,
- /{usr/,}sbin/ r,
+ @{bin}/ r,
- /{usr/,}bin/cat rix,
- /{usr/,}bin/{m,g,}awk rix,
- /{usr/,}bin/getopt rix,
- /{usr/,}bin/ischroot rix,
- /{usr/,}bin/ln rix,
- /{usr/,}bin/mv rix,
- /{usr/,}bin/rm rix,
- /{usr/,}bin/sha1sum rix,
- /{usr/,}bin/sync rix,
- /{usr/,}bin/uname rix,
+ @{bin}/cat rix,
+ @{bin}/{m,g,}awk rix,
+ @{bin}/getopt rix,
+ @{bin}/ischroot rix,
+ @{bin}/ln rix,
+ @{bin}/mv rix,
+ @{bin}/rm rix,
+ @{bin}/sha1sum rix,
+ @{bin}/sync rix,
+ @{bin}/uname rix,
- /{usr/,}bin/dpkg-trigger rPx,
- /{usr/,}bin/linux-version rPx,
- /{usr/,}sbin/mkinitramfs rPx,
+ @{bin}/dpkg-trigger rPx,
+ @{bin}/linux-version rPx,
+ @{bin}/mkinitramfs rPx,
 /var/lib/initramfs-tools/* w,
diff --git a/apparmor.d/profiles-s-z/update-pciids b/apparmor.d/profiles-s-z/update-pciids
index d8da4679..1bb47790 100644
--- a/apparmor.d/profiles-s-z/update-pciids
+++ b/apparmor.d/profiles-s-z/update-pciids
@@ -6,33 +6,33 @@ abi ,
 include
-@{exec_path} = /{usr/,}{s,}bin/update-pciids
+@{exec_path} = @{bin}/update-pciids
 profile update-pciids @{exec_path} {
 include
 include
 @{exec_path} r,
- /{usr/,}bin/{,ba,da}sh rix,
+ @{bin}/{,ba,da}sh rix,
- /{usr/,}bin/touch rix,
- /{usr/,}bin/rm rix,
- /{usr/,}bin/mv rix,
- /{usr/,}bin/{,e}grep rix,
- /{usr/,}bin/sed rix,
- /{usr/,}bin/chown rix,
- /{usr/,}bin/chmod rix,
- /{usr/,}bin/echo rix,
- /{usr/,}bin/cat rix,
- /{usr/,}bin/which{,.debianutils} rix,
- /{usr/,}bin/bunzip2 rix,
- /{usr/,}bin/bzip2 rix,
- /{usr/,}bin/gzip rix,
- /{usr/,}bin/ln rix,
- /{usr/,}bin/zgrep rix,
+ @{bin}/touch rix,
+ @{bin}/rm rix,
+ @{bin}/mv rix,
+ @{bin}/{,e}grep rix,
+ @{bin}/sed rix,
+ @{bin}/chown rix,
+ @{bin}/chmod rix,
+ @{bin}/echo rix,
+ @{bin}/cat rix,
+ @{bin}/which{,.debianutils} rix,
+ @{bin}/bunzip2 rix,
+ @{bin}/bzip2 rix,
+ @{bin}/gzip rix,
+ @{bin}/ln rix,
+ @{bin}/zgrep rix,
- /{usr/,}bin/wget rCx -> browse,
- /{usr/,}bin/curl rCx -> browse,
- /{usr/,}bin/lynx rCx -> browse,
+ @{bin}/wget rCx -> browse,
+ @{bin}/curl rCx -> browse,
+ @{bin}/lynx rCx -> browse,
 /usr/share/misc/ r,
 /usr/share/misc/* rwl -> /usr/share/misc/*,
@@ -52,9 +52,9 @@ profile update-pciids @{exec_path} {
 network inet stream,
 network inet6 stream,
- /{usr/,}bin/wget mr,
- /{usr/,}bin/curl mr,
- /{usr/,}bin/lynx mr,
+ @{bin}/wget mr,
+ @{bin}/curl mr,
+ @{bin}/lynx mr,
 /etc/wgetrc r,
 owner @{HOME}/.wget-hsts rwk,
diff --git a/apparmor.d/profiles-s-z/update-secureboot-policy b/apparmor.d/profiles-s-z/update-secureboot-policy
index 4b8def9d..56273ac4 100644
--- a/apparmor.d/profiles-s-z/update-secureboot-policy
+++ b/apparmor.d/profiles-s-z/update-secureboot-policy
@@ -7,22 +7,22 @@ abi ,
 include
-@{exec_path} = /{usr/,}{,s}bin/update-secureboot-policy
+@{exec_path} = @{bin}/update-secureboot-policy
 profile update-secureboot-policy @{exec_path} {
 include
 include
 @{exec_path} rm,
- /{usr/,}bin/{,ba,da}sh rix,
- /{usr/,}bin/{,m,g}awk rix,
- /{usr/,}bin/dpkg-trigger rPx,
- /{usr/,}bin/find rix,
- /{usr/,}bin/id rix,
- /{usr/,}bin/od rix,
- /{usr/,}bin/sort rix,
- /{usr/,}bin/touch rix,
- /{usr/,}bin/wc rix,
+ @{bin}/{,ba,da}sh rix,
+ @{bin}/{,m,g}awk rix,
+ @{bin}/dpkg-trigger rPx,
+ @{bin}/find rix,
+ @{bin}/id rix,
+ @{bin}/od rix,
+ @{bin}/sort rix,
+ @{bin}/touch rix,
+ @{bin}/wc rix,
 /usr/share/debconf/frontend rPx,
 /usr/share/debconf/confmodule r,
diff --git a/apparmor.d/profiles-s-z/update-smart-drivedb b/apparmor.d/profiles-s-z/update-smart-drivedb
index 1e9ee8ae..2c889459 100644
--- a/apparmor.d/profiles-s-z/update-smart-drivedb
+++ b/apparmor.d/profiles-s-z/update-smart-drivedb
@@ -6,33 +6,33 @@ abi ,
 include
-@{exec_path} = /{usr/,}{s,}bin/update-smart-drivedb
+@{exec_path} = @{bin}/update-smart-drivedb
 profile update-smart-drivedb @{exec_path} {
 include
 include
 @{exec_path} r,
- /{usr/,}bin/{,ba,da}sh rix,
+ @{bin}/{,ba,da}sh rix,
- /{usr/,}bin/cat rix,
- /{usr/,}bin/dirname rix,
- /{usr/,}bin/sed rix,
- /{usr/,}bin/rm rix,
- /{usr/,}bin/dd rix,
- /{usr/,}bin/wc rix,
- /{usr/,}bin/touch rix,
- /{usr/,}bin/mkdir rix,
- /{usr/,}bin/chmod rix,
- /{usr/,}bin/mv rix,
- /{usr/,}bin/cmp rix,
+ @{bin}/cat rix,
+ @{bin}/dirname rix,
+ @{bin}/sed rix,
+ @{bin}/rm rix,
+ @{bin}/dd rix,
+ @{bin}/wc rix,
+ @{bin}/touch rix,
+ @{bin}/mkdir rix,
+ @{bin}/chmod rix,
+ @{bin}/mv rix,
+ @{bin}/cmp rix,
- /{usr/,}{s,}bin/ r,
- /{usr/,}{s,}bin/smartctl rPx,
+ @{bin}/ r,
+ @{bin}/smartctl rPx,
- /{usr/,}bin/gpg{,2} rCx -> gpg,
- /{usr/,}bin/wget rCx -> browse,
- /{usr/,}bin/curl rCx -> browse,
- /{usr/,}bin/lynx rCx -> browse,
+ @{bin}/gpg{,2} rCx -> gpg,
+ @{bin}/wget rCx -> browse,
+ @{bin}/curl rCx -> browse,
+ @{bin}/lynx rCx -> browse,
 /var/lib/smartmontools/drivedb/drivedb.h{,.*} rw,
@@ -46,9 +46,9 @@ profile update-smart-drivedb @{exec_path} {
 include
 include
- /{usr/,}bin/gpg{,2} mr,
+ @{bin}/gpg{,2} mr,
- /{usr/,}bin/gpg-agent rix,
+ @{bin}/gpg-agent rix,
 owner @{PROC}/@{pid}/fd/ r,
@@ -71,11 +71,11 @@ profile update-smart-drivedb @{exec_path} {
 network inet stream,
 network inet6 stream,
- /{usr/,}bin/wget mr,
- /{usr/,}bin/curl mr,
- /{usr/,}bin/lynx mr,
+ @{bin}/wget mr,
+ @{bin}/curl mr,
+ @{bin}/lynx mr,
- /{usr/,}bin/{,ba,da}sh rix,
+ @{bin}/{,ba,da}sh rix,
 /etc/mime.types r,
 /etc/mailcap r,
diff --git a/apparmor.d/profiles-s-z/updatedb-mlocate b/apparmor.d/profiles-s-z/updatedb-mlocate
index d045dc76..27efe331 100644
--- a/apparmor.d/profiles-s-z/updatedb-mlocate
+++ b/apparmor.d/profiles-s-z/updatedb-mlocate
@@ -6,7 +6,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}bin/updatedb.mlocate
+@{exec_path} = @{bin}/updatedb.mlocate
 profile updatedb-mlocate @{exec_path} {
 include
 include
@@ -18,7 +18,7 @@ profile updatedb-mlocate @{exec_path} {
 @{exec_path} mr,
- /{usr/,}{s,}bin/on_ac_power rPx,
+ @{bin}/on_ac_power rPx,
 # For shell pwd
 / r,
diff --git a/apparmor.d/profiles-s-z/updatedb.plocate b/apparmor.d/profiles-s-z/updatedb.plocate
index 4a551ca3..31d9af29 100644
--- a/apparmor.d/profiles-s-z/updatedb.plocate
+++ b/apparmor.d/profiles-s-z/updatedb.plocate
@@ -6,7 +6,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}sbin/updatedb.plocate
+@{exec_path} = @{bin}/updatedb.plocate
 profile updatedb.plocate @{exec_path} {
 include
 include
diff --git a/apparmor.d/profiles-s-z/uptime b/apparmor.d/profiles-s-z/uptime
index 32e1915a..8c4c1b17 100644
--- a/apparmor.d/profiles-s-z/uptime
+++ b/apparmor.d/profiles-s-z/uptime
@@ -6,7 +6,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}bin/uptime
+@{exec_path} = @{bin}/uptime
 profile uptime @{exec_path} {
 include
 include
diff --git a/apparmor.d/profiles-s-z/uptimed b/apparmor.d/profiles-s-z/uptimed
index f96e0442..3432c70a 100644
--- a/apparmor.d/profiles-s-z/uptimed
+++ b/apparmor.d/profiles-s-z/uptimed
@@ -6,7 +6,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}{s,}bin/uptimed
+@{exec_path} = @{bin}/uptimed
 profile uptimed @{exec_path} {
 include
diff --git a/apparmor.d/profiles-s-z/usb-devices b/apparmor.d/profiles-s-z/usb-devices
index 271ebfb9..d4df4ebf 100644
--- a/apparmor.d/profiles-s-z/usb-devices
+++ b/apparmor.d/profiles-s-z/usb-devices
@@ -6,7 +6,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}bin/usb-devices
+@{exec_path} = @{bin}/usb-devices
 profile usb-devices @{exec_path} {
 include
 include
@@ -16,13 +16,13 @@ profile usb-devices @{exec_path} {
 deny capability dac_override,
 @{exec_path} r,
- /{usr/,}bin/{,ba,da}sh rix,
+ @{bin}/{,ba,da}sh rix,
- /{usr/,}bin/cat rix,
- /{usr/,}bin/cut rix,
- /{usr/,}bin/{,e}grep rix,
- /{usr/,}bin/basename rix,
- /{usr/,}bin/readlink rix,
+ @{bin}/cat rix,
+ @{bin}/cut rix,
+ @{bin}/{,e}grep rix,
+ @{bin}/basename rix,
+ @{bin}/readlink rix,
 # For shell pwd
 /root/ r,
diff --git a/apparmor.d/profiles-s-z/usbguard b/apparmor.d/profiles-s-z/usbguard
index 50828eec..0f4eca09 100644
--- a/apparmor.d/profiles-s-z/usbguard
+++ b/apparmor.d/profiles-s-z/usbguard
@@ -7,7 +7,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}bin/usbguard
+@{exec_path} = @{bin}/usbguard
 profile usbguard @{exec_path} {
 include
 include
diff --git a/apparmor.d/profiles-s-z/usbguard-applet-qt b/apparmor.d/profiles-s-z/usbguard-applet-qt
index 6654ef50..8189e705 100644
--- a/apparmor.d/profiles-s-z/usbguard-applet-qt
+++ b/apparmor.d/profiles-s-z/usbguard-applet-qt
@@ -6,7 +6,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}bin/usbguard-applet-qt
+@{exec_path} = @{bin}/usbguard-applet-qt
 profile usbguard-applet-qt @{exec_path} {
 include
 include
diff --git a/apparmor.d/profiles-s-z/usbguard-daemon b/apparmor.d/profiles-s-z/usbguard-daemon
index 2fa0c34e..560bb7e0 100644
--- a/apparmor.d/profiles-s-z/usbguard-daemon
+++ b/apparmor.d/profiles-s-z/usbguard-daemon
@@ -7,7 +7,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}{s,}bin/usbguard-daemon
+@{exec_path} = @{bin}/usbguard-daemon
 profile usbguard-daemon @{exec_path} {
 include
 include
diff --git a/apparmor.d/profiles-s-z/usbguard-dbus b/apparmor.d/profiles-s-z/usbguard-dbus
index 839ff5a5..53f2f238 100644
--- a/apparmor.d/profiles-s-z/usbguard-dbus
+++ b/apparmor.d/profiles-s-z/usbguard-dbus
@@ -7,7 +7,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}{s,}bin/usbguard-dbus
+@{exec_path} = @{bin}/usbguard-dbus
 profile usbguard-dbus @{exec_path} {
 include
diff --git a/apparmor.d/profiles-s-z/usbguard-notifier b/apparmor.d/profiles-s-z/usbguard-notifier
index 2df2494d..43305af3 100644
--- a/apparmor.d/profiles-s-z/usbguard-notifier
+++ b/apparmor.d/profiles-s-z/usbguard-notifier
@@ -6,7 +6,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}{s,}bin/usbguard-notifier
+@{exec_path} = @{bin}/usbguard-notifier
 profile usbguard-notifier @{exec_path} {
 include
 include
diff --git a/apparmor.d/profiles-s-z/uscan b/apparmor.d/profiles-s-z/uscan
index 25064a93..e2fd9e9a 100644
--- a/apparmor.d/profiles-s-z/uscan
+++ b/apparmor.d/profiles-s-z/uscan
@@ -6,7 +6,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}bin/uscan
+@{exec_path} = @{bin}/uscan
 profile uscan @{exec_path} {
 include
 include
@@ -22,21 +22,21 @@ profile uscan @{exec_path} {
 network netlink raw,
 @{exec_path} r,
- /{usr/,}bin/perl r,
+ @{bin}/perl r,
- /{usr/,}bin/{,ba,da}sh rix,
- /{usr/,}bin/pwd rix,
- /{usr/,}bin/find rix,
- /{usr/,}bin/file rix,
- /{usr/,}bin/getconf rix,
+ @{bin}/{,ba,da}sh rix,
+ @{bin}/pwd rix,
+ @{bin}/find rix,
+ @{bin}/file rix,
+ @{bin}/getconf rix,
- /{usr/,}bin/tar rix,
- /{usr/,}bin/gzip rix,
- /{usr/,}bin/bzip2 rix,
- /{usr/,}bin/gunzip rix,
- /{usr/,}bin/xz rix,
+ @{bin}/tar rix,
+ @{bin}/gzip rix,
+ @{bin}/bzip2 rix,
+ @{bin}/gunzip rix,
+ @{bin}/xz rix,
- /{usr/,}bin/uupdate rPUx,
+ @{bin}/uupdate rPUx,
 # To run custom maintainer scripts
 owner @{user_build_dirs}/**/debian/* rPUx,
@@ -44,8 +44,8 @@ profile uscan @{exec_path} {
 /usr/share/*/debian/ r,
 /usr/share/*/debian/changelog r,
- /{usr/,}bin/gpg{,2} rCx -> gpg,
- /{usr/,}bin/gpgv rCx -> gpg,
+ @{bin}/gpg{,2} rCx -> gpg,
+ @{bin}/gpgv rCx -> gpg,
 /etc/dpkg/origins/debian r,
@@ -62,8 +62,8 @@ profile uscan @{exec_path} {
 profile gpg {
 include
- /{usr/,}bin/gpg{,2} mr,
- /{usr/,}bin/gpgv mr,
+ @{bin}/gpg{,2} mr,
+ @{bin}/gpgv mr,
 owner @{HOME}/@{XDG_GPG_DIR}/gpg.conf r,
 owner @{HOME}/@{XDG_GPG_DIR}/pubring.{gpg,kbx} r,
diff --git a/apparmor.d/profiles-s-z/useradd b/apparmor.d/profiles-s-z/useradd
index c01b5339..d89bf6d8 100644
--- a/apparmor.d/profiles-s-z/useradd
+++ b/apparmor.d/profiles-s-z/useradd
@@ -7,7 +7,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}{s,}bin/useradd
+@{exec_path} = @{bin}/useradd
 profile useradd @{exec_path} {
 include
 include
@@ -24,9 +24,9 @@ profile useradd @{exec_path} {
 @{exec_path} mr,
- /{usr/,}{s,}bin/usermod rPx,
+ @{bin}/usermod rPx,
- /{usr/,}{s,}bin/pam_tally2 rCx -> pam_tally2,
+ @{bin}/pam_tally2 rCx -> pam_tally2,
 /etc/default/useradd r,
 /etc/login.defs r,
@@ -63,7 +63,7 @@ profile useradd @{exec_path} {
 capability audit_write,
- /{usr/,}{s,}bin/pam_tally2 mr,
+ @{bin}/pam_tally2 mr,
 /var/log/tallylog rw,
diff --git a/apparmor.d/profiles-s-z/userdel b/apparmor.d/profiles-s-z/userdel
index 5fc6b51c..7dd95453 100644
--- a/apparmor.d/profiles-s-z/userdel
+++ b/apparmor.d/profiles-s-z/userdel
@@ -7,7 +7,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}{s,}bin/userdel
+@{exec_path} = @{bin}/userdel
 profile userdel @{exec_path} flags=(attach_disconnected) {
 include
 include
diff --git a/apparmor.d/profiles-s-z/usermod b/apparmor.d/profiles-s-z/usermod
index 98a3d513..101e26a5 100644
--- a/apparmor.d/profiles-s-z/usermod
+++ b/apparmor.d/profiles-s-z/usermod
@@ -6,7 +6,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}{s,}bin/usermod
+@{exec_path} = @{bin}/usermod
 profile usermod @{exec_path} flags=(attach_disconnected) {
 include
 include
@@ -34,7 +34,7 @@ profile usermod @{exec_path} flags=(attach_disconnected) {
 @{exec_path} mr,
- /{usr/,}{s,}bin/nscd rix,
+ @{bin}/nscd rix,
 /etc/login.defs r,
diff --git a/apparmor.d/profiles-s-z/users b/apparmor.d/profiles-s-z/users
index a62d14e7..684b489a 100644
--- a/apparmor.d/profiles-s-z/users
+++ b/apparmor.d/profiles-s-z/users
@@ -6,7 +6,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}bin/users
+@{exec_path} = @{bin}/users
 profile users @{exec_path} {
 include
 include
diff --git a/apparmor.d/profiles-s-z/utmpdump b/apparmor.d/profiles-s-z/utmpdump
index 2a3141a8..c396a9c0 100644
--- a/apparmor.d/profiles-s-z/utmpdump
+++ b/apparmor.d/profiles-s-z/utmpdump
@@ -6,7 +6,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}bin/utmpdump
+@{exec_path} = @{bin}/utmpdump
 profile utmpdump @{exec_path} {
 include
diff --git a/apparmor.d/profiles-s-z/utox b/apparmor.d/profiles-s-z/utox
index 22d2969a..fe38d12b 100644
--- a/apparmor.d/profiles-s-z/utox
+++ b/apparmor.d/profiles-s-z/utox
@@ -6,7 +6,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}bin/utox
+@{exec_path} = @{bin}/utox
 profile utox @{exec_path} {
 include
 include
@@ -27,7 +27,7 @@ profile utox @{exec_path} {
 @{exec_path} mr,
- /{usr/,}bin/xdg-open rCx -> open,
+ @{bin}/xdg-open rCx -> open,
 owner @{HOME}/ r,
 owner @{user_config_dirs}/tox/ rw,
@@ -42,20 +42,20 @@ profile utox @{exec_path} {
 include
 include
- /{usr/,}bin/xdg-open mr,
+ @{bin}/xdg-open mr,
- /{usr/,}bin/{,ba,da}sh rix,
- /{usr/,}bin/{m,g,}awk rix,
- /{usr/,}bin/readlink rix,
- /{usr/,}bin/basename rix,
+ @{bin}/{,ba,da}sh rix,
+ @{bin}/{m,g,}awk rix,
+ @{bin}/readlink rix,
+ @{bin}/basename rix,
 owner @{HOME}/ r,
 owner @{run}/user/@{uid}/ r,
 # Allowed apps to open
- /{usr/,}lib/firefox/firefox rPUx,
- /{usr/,}bin/viewnior rPUx,
+ @{lib}/firefox/firefox rPUx,
+ @{bin}/viewnior rPUx,
 # file_inherit
 owner @{HOME}/.xsession-errors w,
diff --git a/apparmor.d/profiles-s-z/uupdate b/apparmor.d/profiles-s-z/uupdate
index f78736cf..fdc775a7 100644
--- a/apparmor.d/profiles-s-z/uupdate
+++ b/apparmor.d/profiles-s-z/uupdate
@@ -6,7 +6,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}bin/uupdate
+@{exec_path} = @{bin}/uupdate
 profile uupdate @{exec_path} flags=(complain) {
 include
 include
@@ -14,35 +14,35 @@ profile uupdate @{exec_path} flags=(complain) {
 include
 @{exec_path} r,
- /{usr/,}bin/{,ba,da}sh rix,
+ @{bin}/{,ba,da}sh rix,
- /{usr/,}bin/basename rix,
- /{usr/,}bin/which{,.debianutils} rix,
- /{usr/,}bin/tr rix,
- /{usr/,}bin/{,e}grep rix,
- /{usr/,}bin/getopt rix,
- /{usr/,}bin/cut rix,
- /{usr/,}bin/mktemp rix,
- /{usr/,}bin/ls rix,
- /{usr/,}bin/wc rix,
- /{usr/,}bin/mv rix,
- /{usr/,}bin/rm rix,
- /{usr/,}bin/cp rix,
- /{usr/,}bin/expr rix,
+ @{bin}/basename rix,
+ @{bin}/which{,.debianutils} rix,
+ @{bin}/tr rix,
+ @{bin}/{,e}grep rix,
+ @{bin}/getopt rix,
+ @{bin}/cut rix,
+ @{bin}/mktemp rix,
+ @{bin}/ls rix,
+ @{bin}/wc rix,
+ @{bin}/mv rix,
+ @{bin}/rm rix,
+ @{bin}/cp rix,
+ @{bin}/expr rix,
- /{usr/,}bin/perl rix,
- /{usr/,}bin/chmod rix,
- /{usr/,}bin/md5sum rix,
+ @{bin}/perl rix,
+ @{bin}/chmod rix,
+ @{bin}/md5sum rix,
- /{usr/,}bin/tar rix,
- /{usr/,}bin/bzip2 rix,
- /{usr/,}bin/xz rix,
+ @{bin}/tar rix,
+ @{bin}/bzip2 rix,
+ @{bin}/xz rix,
 # FIXME
- /{usr/,}bin/debchange rPUx,
- /{usr/,}bin/dpkg-vendor rPUx,
- /{usr/,}bin/dpkg-parsechangelog rPUx,
- /{usr/,}bin/dpkg rPx -> child-dpkg,
+ @{bin}/debchange rPUx,
+ @{bin}/dpkg-vendor rPUx,
+ @{bin}/dpkg-parsechangelog rPUx,
+ @{bin}/dpkg rPx -> child-dpkg,
 /etc/devscripts.conf r,
diff --git a/apparmor.d/profiles-s-z/vcsi b/apparmor.d/profiles-s-z/vcsi
index e3a17b8b..94868446 100644
--- a/apparmor.d/profiles-s-z/vcsi
+++ b/apparmor.d/profiles-s-z/vcsi
@@ -6,7 +6,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}bin/vcsi
+@{exec_path} = @{bin}/vcsi
 profile vcsi @{exec_path} {
 include
 include
@@ -15,11 +15,11 @@ profile vcsi @{exec_path} {
 include
 @{exec_path} r,
- /{usr/,}bin/python3.[0-9]* r,
+ @{bin}/python3.[0-9]* r,
- /{usr/,}bin/ r,
- /{usr/,}bin/ffmpeg rPx,
- /{usr/,}bin/ffprobe rPx,
+ @{bin}/ r,
+ @{bin}/ffmpeg rPx,
+ @{bin}/ffprobe rPx,
 owner @{PROC}/@{pid}/fd/ r,
 owner @{PROC}/@{pid}/mountinfo r,
diff --git a/apparmor.d/profiles-s-z/vidcutter b/apparmor.d/profiles-s-z/vidcutter
index cac419d7..0d61e62b 100644
--- a/apparmor.d/profiles-s-z/vidcutter
+++ b/apparmor.d/profiles-s-z/vidcutter
@@ -7,7 +7,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}bin/vidcutter
+@{exec_path} = @{bin}/vidcutter
 profile vidcutter @{exec_path} {
 include
 include
@@ -29,17 +29,17 @@ profile vidcutter @{exec_path} {
 include
 @{exec_path} r,
- /{usr/,}bin/python3.[0-9]* r,
+ @{bin}/python3.[0-9]* r,
- /{usr/,}bin/ r,
- /{usr/,}{s,}bin/ldconfig rix,
+ @{bin}/ r,
+ @{bin}/ldconfig rix,
- /{usr/,}bin/ffmpeg rPx,
- /{usr/,}bin/ffprobe rPx,
- /{usr/,}bin/mediainfo rPx,
+ @{bin}/ffmpeg rPx,
+ @{bin}/ffprobe rPx,
+ @{bin}/mediainfo rPx,
- /{usr/,}bin/xdg-open rPx -> child-open,
- /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx -> child-open,
+ @{bin}/xdg-open rPx -> child-open,
+ @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx -> child-open,
 /usr/share/hwdata/pnp.ids r,
 /usr/share/qt5ct/** r,
diff --git a/apparmor.d/profiles-s-z/vipw-vigr b/apparmor.d/profiles-s-z/vipw-vigr
index ebb282c2..600bee8e 100644
--- a/apparmor.d/profiles-s-z/vipw-vigr
+++ b/apparmor.d/profiles-s-z/vipw-vigr
@@ -6,7 +6,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}{s,}bin/vi{pw,gr}
+@{exec_path} = @{bin}/vi{pw,gr}
 profile vipw-vigr @{exec_path} {
 include
@@ -14,10 +14,10 @@ profile vipw-vigr @{exec_path} {
 @{exec_path} mr,
- /{usr/,}bin/{,ba,da}sh rix,
+ @{bin}/{,ba,da}sh rix,
- /{usr/,}bin/sensible-editor rCx -> editor,
- /{usr/,}bin/vim.* rCx -> editor,
+ @{bin}/sensible-editor rCx -> editor,
+ @{bin}/vim.* rCx -> editor,
 /etc/login.defs r,
@@ -43,10 +43,10 @@ profile vipw-vigr @{exec_path} {
 capability fsetid,
- /{usr/,}bin/sensible-editor mr,
- /{usr/,}bin/vim.* mrix,
- /{usr/,}bin/{,ba,da}sh rix,
- /{usr/,}bin/which{,.debianutils} rix,
+ @{bin}/sensible-editor mr,
+ @{bin}/vim.* mrix,
+ @{bin}/{,ba,da}sh rix,
+ @{bin}/which{,.debianutils} rix,
 owner @{HOME}/.selected_editor r,
diff --git a/apparmor.d/profiles-s-z/virt-manager b/apparmor.d/profiles-s-z/virt-manager
index fc45ac35..0b2d194d 100644
--- a/apparmor.d/profiles-s-z/virt-manager
+++ b/apparmor.d/profiles-s-z/virt-manager
@@ -7,7 +7,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}bin/virt-manager
+@{exec_path} = @{bin}/virt-manager
 @{exec_path} += /usr/share/virt-manager/virt-manager
 profile virt-manager @{exec_path} flags=(attach_disconnected) {
 include
@@ -36,21 +36,21 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) {
 @{exec_path} rix,
- /{usr/,}bin/{,ba,da}sh rix,
- /{usr/,}bin/python3.[0-9]* r,
- /{usr/,}lib/python3.[0-9]*/site-packages/__pycache__/guestfs.cpython-[0-9]*.pyc.[0-9]* w,
+ @{bin}/{,ba,da}sh rix,
+ @{bin}/python3.[0-9]* r,
+ @{lib}/python3.[0-9]*/site-packages/__pycache__/guestfs.cpython-[0-9]*.pyc.[0-9]* w,
- /{usr/,}bin/ r,
- /{usr/,}bin/env rix,
- /{usr/,}bin/getfacl rix,
- /{usr/,}bin/setfacl rix,
+ @{bin}/ r,
+ @{bin}/env rix,
+ @{bin}/getfacl rix,
+ @{bin}/setfacl rix,
- /{usr/,}{s,}bin/libvirtd rPx,
- /{usr/,}bin/ssh rPx,
- /{usr/,}lib/spice-client-glib-usb-acl-helper rPx,
+ @{bin}/libvirtd rPx,
+ @{bin}/ssh rPx,
+ @{lib}/spice-client-glib-usb-acl-helper rPx,
- /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx -> child-open,
- /{usr/,}lib/gio-launch-desktop rPx -> child-open,
+ @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx -> child-open,
+ @{lib}/gio-launch-desktop rPx -> child-open,
 /usr/share/egl/{,**} r,
 /usr/share/gtksourceview-4/{,**} r,
diff --git a/apparmor.d/profiles-s-z/vlc-cache-gen b/apparmor.d/profiles-s-z/vlc-cache-gen
index 52fa5c27..c65d199d 100644
--- a/apparmor.d/profiles-s-z/vlc-cache-gen
+++ b/apparmor.d/profiles-s-z/vlc-cache-gen
@@ -6,14 +6,14 @@ abi ,
 include
-@{exec_path} = /{usr/,}lib/vlc/vlc-cache-gen
+@{exec_path} = @{lib}/vlc/vlc-cache-gen
 profile vlc-cache-gen @{exec_path} {
 include
 include
 @{exec_path} mr,
- /{usr/,}lib/vlc/plugins/{,*} rw,
+ @{lib}/vlc/plugins/{,*} rw,
 # Inherit silencer
 deny network inet6 stream,
diff --git a/apparmor.d/profiles-s-z/vnstat b/apparmor.d/profiles-s-z/vnstat
index a9bdfe12..22d095ee 100644
--- a/apparmor.d/profiles-s-z/vnstat
+++ b/apparmor.d/profiles-s-z/vnstat
@@ -6,7 +6,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}bin/vnstat
+@{exec_path} = @{bin}/vnstat
 profile vnstat @{exec_path} {
 include
 include
diff --git a/apparmor.d/profiles-s-z/vnstatd b/apparmor.d/profiles-s-z/vnstatd
index eeb31801..c6da9fda 100644
--- a/apparmor.d/profiles-s-z/vnstatd
+++ b/apparmor.d/profiles-s-z/vnstatd
@@ -6,7 +6,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}{s,}bin/vnstatd
+@{exec_path} = @{bin}/vnstatd
 profile vnstatd @{exec_path} {
 include
diff --git a/apparmor.d/profiles-s-z/volumeicon b/apparmor.d/profiles-s-z/volumeicon
index 07e5f262..241da201 100644
--- a/apparmor.d/profiles-s-z/volumeicon
+++ b/apparmor.d/profiles-s-z/volumeicon
@@ -6,7 +6,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}bin/volumeicon
+@{exec_path} = @{bin}/volumeicon
 profile volumeicon @{exec_path} {
 include
 include
@@ -33,9 +33,9 @@ profile volumeicon @{exec_path} {
 /etc/machine-id r,
 # Start the PulseAudio sound mixer
- /{usr/,}bin/{,ba,da}sh rix,
- /{usr/,}bin/pavucontrol rPUx,
- /{usr/,}bin/pulseeffects rPUx,
+ @{bin}/{,ba,da}sh rix,
+ @{bin}/pavucontrol rPUx,
+ @{bin}/pulseeffects rPUx,
 # file_inherit
 owner /dev/tty[0-9]* rw,
diff --git a/apparmor.d/profiles-s-z/vsftpd b/apparmor.d/profiles-s-z/vsftpd
index 06c40fdd..7ab0897b 100644
--- a/apparmor.d/profiles-s-z/vsftpd
+++ b/apparmor.d/profiles-s-z/vsftpd
@@ -6,7 +6,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}{s,}bin/vsftpd
+@{exec_path} = @{bin}/vsftpd
 profile vsftpd @{exec_path} {
 include
 include
diff --git a/apparmor.d/profiles-s-z/w b/apparmor.d/profiles-s-z/w
index 9c12e5cf..9931e9e7 100644
--- a/apparmor.d/profiles-s-z/w
+++ b/apparmor.d/profiles-s-z/w
@@ -7,7 +7,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}bin/w
+@{exec_path} = @{bin}/w
 profile w @{exec_path} {
 include
 include
diff --git a/apparmor.d/profiles-s-z/warzone2100 b/apparmor.d/profiles-s-z/warzone2100
index 8d182e86..edaedf32 100644
--- a/apparmor.d/profiles-s-z/warzone2100
+++ b/apparmor.d/profiles-s-z/warzone2100
@@ -6,7 +6,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}bin/warzone2100
+@{exec_path} = @{bin}/warzone2100
 profile warzone2100 @{exec_path} {
 include
 include
@@ -27,8 +27,8 @@ profile warzone2100 @{exec_path} {
 @{exec_path} mr,
- /{usr/,}bin/{,ba,da}sh rix,
- /{usr/,}bin/which{,.debianutils} rix,
+ @{bin}/{,ba,da}sh rix,
+ @{bin}/which{,.debianutils} rix,
 owner @{user_share_dirs}/warzone2100-*/ rw,
 owner @{user_share_dirs}/warzone2100-*/** rw,
diff --git a/apparmor.d/profiles-s-z/wavemon b/apparmor.d/profiles-s-z/wavemon
index c7541f81..57091a44 100644
--- a/apparmor.d/profiles-s-z/wavemon
+++ b/apparmor.d/profiles-s-z/wavemon
@@ -6,7 +6,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}bin/wavemon
+@{exec_path} = @{bin}/wavemon
 profile wavemon @{exec_path} {
 include
diff --git a/apparmor.d/profiles-s-z/wget b/apparmor.d/profiles-s-z/wget
index cbc56cc2..e213c6c3 100644
--- a/apparmor.d/profiles-s-z/wget
+++ b/apparmor.d/profiles-s-z/wget
@@ -6,7 +6,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}bin/wget
+@{exec_path} = @{bin}/wget
 profile wget @{exec_path} {
 include
 include
diff --git a/apparmor.d/profiles-s-z/whdd b/apparmor.d/profiles-s-z/whdd
index 660ac040..d0f56c6a 100644
--- a/apparmor.d/profiles-s-z/whdd
+++ b/apparmor.d/profiles-s-z/whdd
@@ -6,7 +6,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}{s,}bin/whdd
+@{exec_path} = @{bin}/whdd
 profile whdd @{exec_path} {
 include
@@ -18,13 +18,13 @@ profile whdd @{exec_path} {
 @{exec_path} mr,
- /{usr/,}bin/{,ba,da}sh rix,
- /{usr/,}bin/{,e}grep rix,
- /{usr/,}bin/{m,g,}awk rix,
- /{usr/,}bin/tr rix,
+ @{bin}/{,ba,da}sh rix,
+ @{bin}/{,e}grep rix,
+ @{bin}/{m,g,}awk rix,
+ @{bin}/tr rix,
 # To read SMART attributes
- /{usr/,}{s,}bin/smartctl rPx,
+ @{bin}/smartctl rPx,
 owner @{PROC}/@{pid}/mounts r,
 @{PROC}/partitions r,
diff --git a/apparmor.d/profiles-s-z/whereis b/apparmor.d/profiles-s-z/whereis
index c4e1e4f0..b69fe2fc 100644
--- a/apparmor.d/profiles-s-z/whereis
+++ b/apparmor.d/profiles-s-z/whereis
@@ -7,7 +7,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}bin/whereis
+@{exec_path} = @{bin}/whereis
 profile whereis @{exec_path} flags=(complain) {
 include
 include
@@ -16,10 +16,9 @@ profile whereis @{exec_path} flags=(complain) {
 /{usr/,}{local/,}{s,}bin/{,*/} r,
 /{usr/,}{local/,}games/ r,
- /{usr/,}lib/go-*/bin/ r,
+ @{lib}/go-*/bin/ r,
- @{libexec}/ r,
- /{usr/,}lib{,32,64}/ r,
+ @{lib}/ r,
 /usr/{local/,}{,etc/,lib/} r,
 /usr/include/ r,
 /usr/share/ r,
diff --git a/apparmor.d/profiles-s-z/which b/apparmor.d/profiles-s-z/which
index 4450e35b..b317fadd 100644
--- a/apparmor.d/profiles-s-z/which
+++ b/apparmor.d/profiles-s-z/which
@@ -6,17 +6,17 @@ abi ,
 include
-@{exec_path} = /{usr/,}bin/which{.debianutils,}
+@{exec_path} = @{bin}/which{.debianutils,}
 profile which @{exec_path} {
 include
 include
 @{exec_path} mr,
- /{usr/,}bin/{,ba,da}sh rix,
+ @{bin}/{,ba,da}sh rix,
 /{usr/,}{local/,}{s,}bin/ r,
- /{usr/,}lib/go-*/bin/ r,
+ @{lib}/go-*/bin/ r,
 /{usr/,}{local/,}games/ r,
 /opt/cni/bin/ r,
diff --git a/apparmor.d/profiles-s-z/whiptail b/apparmor.d/profiles-s-z/whiptail
index c88f709d..7725ee3b 100644
--- a/apparmor.d/profiles-s-z/whiptail
+++ b/apparmor.d/profiles-s-z/whiptail
@@ -7,7 +7,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}bin/whiptail
+@{exec_path} = @{bin}/whiptail
 profile whiptail @{exec_path} flags=(complain) {
 include
 include
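Review bot: The whereis hunk (`@@ -16,10 +16,9 @@`) goes beyond the mechanical rewrite: `@{libexec}/ r,` and `/{usr/,}lib{,32,64}/ r,` are both removed and replaced by a single `@{lib}/ r,`, so whereis loses read access to the libexec directory and to lib32/lib64 unless `@{lib}` expands to all of them, and its definition is not visible in this diff. Because the profile carries `flags=(complain)`, the regression would only surface as logged denials rather than as failed lookups, which makes it easy to miss. If `@{lib}` covers only lib/ and usr/lib/, keep `@{libexec}/ r,` and `/{usr/,}lib{32,64}/ r,` next to the new line; the neighbouring `which` hunk keeps its directory list, so the two profiles should be checked for the same intent.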
diff --git a/apparmor.d/profiles-s-z/who b/apparmor.d/profiles-s-z/who
index 04dcc1e5..7cc0a6d3 100644
--- a/apparmor.d/profiles-s-z/who
+++ b/apparmor.d/profiles-s-z/who
@@ -6,7 +6,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}bin/who
+@{exec_path} = @{bin}/who
 profile who @{exec_path} {
 include
 include
diff --git a/apparmor.d/profiles-s-z/whoami b/apparmor.d/profiles-s-z/whoami
index 6dca3d67..de9936c1 100644
--- a/apparmor.d/profiles-s-z/whoami
+++ b/apparmor.d/profiles-s-z/whoami
@@ -6,7 +6,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}bin/whoami
+@{exec_path} = @{bin}/whoami
 profile whoami @{exec_path} {
 include
 include
diff --git a/apparmor.d/profiles-s-z/wireplumber b/apparmor.d/profiles-s-z/wireplumber
index 9ae982d5..7f4d455d 100644
--- a/apparmor.d/profiles-s-z/wireplumber
+++ b/apparmor.d/profiles-s-z/wireplumber
@@ -6,7 +6,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}bin/wireplumber
+@{exec_path} = @{bin}/wireplumber
 profile wireplumber @{exec_path} {
 include
 include
diff --git a/apparmor.d/profiles-s-z/wireshark b/apparmor.d/profiles-s-z/wireshark
index 9a7b7826..0113a597 100644
--- a/apparmor.d/profiles-s-z/wireshark
+++ b/apparmor.d/profiles-s-z/wireshark
@@ -10,7 +10,7 @@ include
 # pcap pcapng
 @{wireshark_ext} = [pP][cC][aA][pP]{,[nN][gG]}
-@{exec_path} = /{usr/,}bin/wireshark
+@{exec_path} = @{bin}/wireshark
 profile wireshark @{exec_path} {
 include
 include
@@ -34,8 +34,8 @@ profile wireshark @{exec_path} {
 @{exec_path} mr,
- /{usr/,}bin/dumpcap rPx,
- /{usr/,}bin/xdg-open rCx -> open,
+ @{bin}/dumpcap rPx,
+ @{bin}/xdg-open rCx -> open,
 # For reading pcaps
 / r,
@@ -49,8 +49,8 @@ profile wireshark @{exec_path} {
 # Wireshark files
 /usr/share/wireshark/** r,
- /{usr/,}lib/@{multiarch}/wireshark/extcap/* rix,
- /{usr/,}lib/@{multiarch}/wireshark/plugins/*/{codecs,epan,wiretap}/*.so mr,
+ @{lib}/@{multiarch}/wireshark/extcap/* rix,
+ @{lib}/@{multiarch}/wireshark/plugins/*/{codecs,epan,wiretap}/*.so mr,
 /etc/wireshark/init.lua r,
 # Wireshark home files
@@ -81,7 +81,7 @@ profile wireshark @{exec_path} { owner /tmp/wireshark_extcap_ciscodump_[0-9]*_* rw, # Allowed apps to open - /{usr/,}lib/firefox/firefox rPUx, + @{lib}/firefox/firefox rPUx, # file_inherit owner /dev/tty[0-9]* rw, @@ -91,19 +91,19 @@ profile wireshark @{exec_path} { include include - /{usr/,}bin/xdg-open mr, + @{bin}/xdg-open mr, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/{m,g,}awk rix, - /{usr/,}bin/readlink rix, - /{usr/,}bin/basename rix, + @{bin}/{,ba,da}sh rix, + @{bin}/{m,g,}awk rix, + @{bin}/readlink rix, + @{bin}/basename rix, owner @{HOME}/ r, owner @{run}/user/@{uid}/ r, # Allowed apps to open - /{usr/,}lib/firefox/firefox rPUx, + @{lib}/firefox/firefox rPUx, # file_inherit owner @{HOME}/.xsession-errors w, diff --git a/apparmor.d/profiles-s-z/wl-copy b/apparmor.d/profiles-s-z/wl-copy index 880d3dc1..2a2d5fa4 100644 --- a/apparmor.d/profiles-s-z/wl-copy +++ b/apparmor.d/profiles-s-z/wl-copy @@ -6,16 +6,16 @@ abi , include -@{exec_path} = /{usr/,}bin/wl-{copy,paste} +@{exec_path} = @{bin}/wl-{copy,paste} profile wl-copy @{exec_path} { include @{exec_path} mr, - /{usr/,}bin/cat rix, - /{usr/,}bin/rm rix, + @{bin}/cat rix, + @{bin}/rm rix, - /{usr/,}bin/xdg-mime rPx, + @{bin}/xdg-mime rPx, owner /tmp/wl-copy-buffer-*/{,**} rw, diff --git a/apparmor.d/profiles-s-z/wmctrl b/apparmor.d/profiles-s-z/wmctrl index 49be4bfe..62e59d14 100644 --- a/apparmor.d/profiles-s-z/wmctrl +++ b/apparmor.d/profiles-s-z/wmctrl @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/wmctrl +@{exec_path} = @{bin}/wmctrl profile wmctrl @{exec_path} { include diff --git a/apparmor.d/profiles-s-z/wpa-action b/apparmor.d/profiles-s-z/wpa-action index 9ab5579c..aa894bed 100644 --- a/apparmor.d/profiles-s-z/wpa-action +++ b/apparmor.d/profiles-s-z/wpa-action @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}{s,}bin/wpa_action +@{exec_path} = @{bin}/wpa_action profile wpa-action @{exec_path} { include 
@@ -16,17 +16,17 @@ profile wpa-action @{exec_path} { @{exec_path} mr, - /{usr/,}{s,}bin/wpa_cli rPx, + @{bin}/wpa_cli rPx, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/{,e}grep rix, - /{usr/,}bin/cat rix, - /{usr/,}bin/date rix, - /{usr/,}bin/ip rix, - /{usr/,}bin/ln rix, - /{usr/,}bin/logger rix, - /{usr/,}bin/rm rix, - /{usr/,}sbin/ifup rix, + @{bin}/{,ba,da}sh rix, + @{bin}/{,e}grep rix, + @{bin}/cat rix, + @{bin}/date rix, + @{bin}/ifup rix, + @{bin}/ip rix, + @{bin}/ln rix, + @{bin}/logger rix, + @{bin}/rm rix, /etc/wpa_supplicant/{,**} r, /etc/network/interfaces r, diff --git a/apparmor.d/profiles-s-z/wpa-cli b/apparmor.d/profiles-s-z/wpa-cli index bb65f3f0..323b6fba 100644 --- a/apparmor.d/profiles-s-z/wpa-cli +++ b/apparmor.d/profiles-s-z/wpa-cli @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}{s,}bin/wpa_cli +@{exec_path} = @{bin}/wpa_cli profile wpa-cli @{exec_path} { include diff --git a/apparmor.d/profiles-s-z/wpa-gui b/apparmor.d/profiles-s-z/wpa-gui index 7ec22127..d0fc1874 100644 --- a/apparmor.d/profiles-s-z/wpa-gui +++ b/apparmor.d/profiles-s-z/wpa-gui @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}{s,}bin/wpa_gui +@{exec_path} = @{bin}/wpa_gui profile wpa-gui @{exec_path} { include include diff --git a/apparmor.d/profiles-s-z/wpa-supplicant b/apparmor.d/profiles-s-z/wpa-supplicant index c457e8cb..d141223c 100644 --- a/apparmor.d/profiles-s-z/wpa-supplicant +++ b/apparmor.d/profiles-s-z/wpa-supplicant @@ -7,7 +7,7 @@ abi , include -@{exec_path} = /{usr/,}{s,}bin/wpa_supplicant +@{exec_path} = @{bin}/wpa_supplicant profile wpa-supplicant @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/profiles-s-z/wrmsr b/apparmor.d/profiles-s-z/wrmsr index 94ed7608..909504a0 100644 --- a/apparmor.d/profiles-s-z/wrmsr +++ b/apparmor.d/profiles-s-z/wrmsr @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}{s,}bin/wrmsr +@{exec_path} = @{bin}/wrmsr profile wrmsr @{exec_path} { include 
diff --git a/apparmor.d/profiles-s-z/x11-xsession b/apparmor.d/profiles-s-z/x11-xsession index b651106c..d57ff74f 100644 --- a/apparmor.d/profiles-s-z/x11-xsession +++ b/apparmor.d/profiles-s-z/x11-xsession @@ -12,39 +12,39 @@ profile x11-xsession @{exec_path} { include @{exec_path} r, - /{usr/,}bin/{,ba,da}sh rix, + @{bin}/{,ba,da}sh rix, - /{usr/,}bin/rm rix, - /{usr/,}bin/touch rix, - /{usr/,}bin/{,e}grep rix, - /{usr/,}bin/cat rix, - /{usr/,}bin/which{,.debianutils} rix, - /{usr/,}bin/id rix, - /{usr/,}bin/chmod rix, - /{usr/,}bin/date rix, - /{usr/,}bin/{m,g,}awk rix, - /{usr/,}bin/tempfile rix, - /{usr/,}bin/sed rix, - /{usr/,}bin/head rix, - /{usr/,}bin/fold rix, + @{bin}/rm rix, + @{bin}/touch rix, + @{bin}/{,e}grep rix, + @{bin}/cat rix, + @{bin}/which{,.debianutils} rix, + @{bin}/id rix, + @{bin}/chmod rix, + @{bin}/date rix, + @{bin}/{m,g,}awk rix, + @{bin}/tempfile rix, + @{bin}/sed rix, + @{bin}/head rix, + @{bin}/fold rix, - /{usr/,}bin/dbus-update-activation-environment rCx -> dbus, + @{bin}/dbus-update-activation-environment rCx -> dbus, - /{usr/,}bin/gpgconf rCx -> gpg, - /{usr/,}bin/run-parts rCx -> run-parts, - /{usr/,}bin/udevadm rCx -> udevadm, + @{bin}/gpgconf rCx -> gpg, + @{bin}/run-parts rCx -> run-parts, + @{bin}/udevadm rCx -> udevadm, - /{usr/,}bin/flatpak rPUx, - /{usr/,}bin/xrdb rPx, - /{usr/,}bin/numlockx rPx, - /{usr/,}bin/xhost rPx, - /{usr/,}bin/glxinfo rPx, + @{bin}/flatpak rPUx, + @{bin}/xrdb rPx, + @{bin}/numlockx rPx, + @{bin}/xhost rPx, + @{bin}/glxinfo rPx, # Allowed GUI sessions to start - /{usr/,}bin/openbox-session rPx, - /{usr/,}bin/enlightenment_start rPUx, - /{usr/,}bin/sway rPUx, - /{usr/,}bin/ssh-agent rPx, + @{bin}/openbox-session rPx, + @{bin}/enlightenment_start rPUx, + @{bin}/sway rPUx, + @{bin}/ssh-agent rPx, owner /tmp/file* rw, @@ -61,7 +61,7 @@ profile x11-xsession @{exec_path} { profile run-parts { include - /{usr/,}bin/run-parts mr, + @{bin}/run-parts mr, /etc/X11/Xsession.d/ r, /etc/X11/Xresources/ r, 
@@ -76,7 +76,7 @@ profile x11-xsession @{exec_path} { profile dbus { include - /{usr/,}bin/dbus-update-activation-environment mr, + @{bin}/dbus-update-activation-environment mr, # file_inherit owner @{HOME}/.xsession-errors w, @@ -86,9 +86,9 @@ profile x11-xsession @{exec_path} { profile gpg { include - /{usr/,}bin/gpgconf mr, + @{bin}/gpgconf mr, - /{usr/,}bin/gpg-agent rix, + @{bin}/gpg-agent rix, owner @{HOME}/@{XDG_GPG_DIR}/ rw, owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**, @@ -100,7 +100,7 @@ profile x11-xsession @{exec_path} { profile udevadm { include - /{usr/,}bin/udevadm mr, + @{bin}/udevadm mr, /etc/udev/udev.conf r, diff --git a/apparmor.d/profiles-s-z/xarchiver b/apparmor.d/profiles-s-z/xarchiver index 0931fce2..2800b152 100644 --- a/apparmor.d/profiles-s-z/xarchiver +++ b/apparmor.d/profiles-s-z/xarchiver @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/xarchiver +@{exec_path} = @{bin}/xarchiver profile xarchiver @{exec_path} { include include 
@@ -20,28 +20,28 @@ profile xarchiver @{exec_path} { @{exec_path} mrix, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/ls rix, - /{usr/,}bin/rm rix, - /{usr/,}bin/mv rix, - /{usr/,}bin/cp rix, + @{bin}/{,ba,da}sh rix, + @{bin}/ls rix, + @{bin}/rm rix, + @{bin}/mv rix, + @{bin}/cp rix, # Archivers - /{usr/,}bin/7z rix, - /{usr/,}lib/p7zip/7z rix, - /{usr/,}bin/unrar-nonfree rix, - /{usr/,}bin/zip rix, - /{usr/,}bin/unzip rix, - /{usr/,}bin/tar rix, - /{usr/,}bin/xz rix, - /{usr/,}bin/bzip2 rix, - /{usr/,}bin/cpio rix, - /{usr/,}bin/gzip rix, - /{usr/,}bin/zstd rix, + @{bin}/7z rix, + @{lib}/p7zip/7z rix, + @{bin}/unrar-nonfree rix, + @{bin}/zip rix, + @{bin}/unzip rix, + @{bin}/tar rix, + @{bin}/xz rix, + @{bin}/bzip2 rix, + @{bin}/cpio rix, + @{bin}/gzip rix, + @{bin}/zstd rix, # For deb packages - /{usr/,}bin/{,@{multiarch}-}ar rix, + @{bin}/{,@{multiarch}-}ar rix, - /{usr/,}bin/xdg-open rCx -> open, + @{bin}/xdg-open rCx -> open, owner @{user_config_dirs}/xarchiver/ rw, owner @{user_config_dirs}/xarchiver/xarchiverrc{,.*} rw, @@ -64,9 +64,9 @@ profile xarchiver @{exec_path} { /etc/fstab r, # Allowed apps to open - /{usr/,}bin/engrampa rPUx, - /{usr/,}bin/geany rPUx, - /{usr/,}bin/viewnior rPUx, + @{bin}/engrampa rPUx, + @{bin}/geany rPUx, + @{bin}/viewnior rPUx, # file_inherit owner /dev/tty[0-9]* rw, @@ -76,21 +76,21 @@ profile xarchiver @{exec_path} { include include - /{usr/,}bin/xdg-open mr, + @{bin}/xdg-open mr, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/{m,g,}awk rix, - /{usr/,}bin/readlink rix, - /{usr/,}bin/basename rix, + @{bin}/{,ba,da}sh rix, + @{bin}/{m,g,}awk rix, + @{bin}/readlink rix, + @{bin}/basename rix, owner @{HOME}/ r, owner @{run}/user/@{uid}/ r, # Allowed apps to open - /{usr/,}bin/engrampa rPUx, - /{usr/,}bin/geany rPUx, - /{usr/,}bin/viewnior rPUx, + @{bin}/engrampa rPUx, + @{bin}/geany rPUx, + @{bin}/viewnior rPUx, # file_inherit owner @{HOME}/.xsession-errors w, 
diff --git a/apparmor.d/profiles-s-z/xauth b/apparmor.d/profiles-s-z/xauth index 36731ec9..73038486 100644 --- a/apparmor.d/profiles-s-z/xauth +++ b/apparmor.d/profiles-s-z/xauth @@ -7,7 +7,7 @@ abi , include -@{exec_path} = /{usr/,}bin/xauth +@{exec_path} = @{bin}/xauth profile xauth @{exec_path} { include include diff --git a/apparmor.d/profiles-s-z/xautolock b/apparmor.d/profiles-s-z/xautolock index 4eb0031d..57f28572 100644 --- a/apparmor.d/profiles-s-z/xautolock +++ b/apparmor.d/profiles-s-z/xautolock @@ -6,21 +6,21 @@ abi , include -@{exec_path} = /{usr/,}bin/xautolock +@{exec_path} = @{bin}/xautolock profile xautolock @{exec_path} { include @{exec_path} mr, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/env rix, + @{bin}/{,ba,da}sh rix, + @{bin}/env rix, # Locker apps to launch. - /{usr/,}bin/i3lock-fancy rPx, - /{usr/,}bin/light-locker rPx, - /{usr/,}bin/light-locker-command rPx, + @{bin}/i3lock-fancy rPx, + @{bin}/light-locker rPx, + @{bin}/light-locker-command rPx, - /{usr/,}bin/xset rPx, + @{bin}/xset rPx, owner @{HOME}/.Xauthority r, diff --git a/apparmor.d/profiles-s-z/xbacklight b/apparmor.d/profiles-s-z/xbacklight index 1e05fea4..0139b5e5 100644 --- a/apparmor.d/profiles-s-z/xbacklight +++ b/apparmor.d/profiles-s-z/xbacklight @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/xbacklight +@{exec_path} = @{bin}/xbacklight profile xbacklight @{exec_path} { include diff --git a/apparmor.d/profiles-s-z/xbrlapi b/apparmor.d/profiles-s-z/xbrlapi index d6140129..a64db6c6 100644 --- a/apparmor.d/profiles-s-z/xbrlapi +++ b/apparmor.d/profiles-s-z/xbrlapi @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/xbrlapi +@{exec_path} = @{bin}/xbrlapi profile xbrlapi @{exec_path} flags=(attach_disconnected) { include diff --git a/apparmor.d/profiles-s-z/xclip b/apparmor.d/profiles-s-z/xclip index 4691894a..c6224b77 100644 --- a/apparmor.d/profiles-s-z/xclip +++ b/apparmor.d/profiles-s-z/xclip 
@@ -8,7 +8,7 @@ abi , include -@{exec_path} = /{usr/,}bin/xclip +@{exec_path} = @{bin}/xclip profile xclip @{exec_path} { include diff --git a/apparmor.d/profiles-s-z/xdpyinfo b/apparmor.d/profiles-s-z/xdpyinfo index 00ac0b5c..4bdbdb26 100644 --- a/apparmor.d/profiles-s-z/xdpyinfo +++ b/apparmor.d/profiles-s-z/xdpyinfo @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/xdpyinfo +@{exec_path} = @{bin}/xdpyinfo profile xdpyinfo @{exec_path} { include diff --git a/apparmor.d/profiles-s-z/xfce4-notifyd b/apparmor.d/profiles-s-z/xfce4-notifyd index 70584efd..3ddd0a13 100644 --- a/apparmor.d/profiles-s-z/xfce4-notifyd +++ b/apparmor.d/profiles-s-z/xfce4-notifyd @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}lib/@{multiarch}/xfce4/notifyd/xfce4-notifyd +@{exec_path} = @{lib}/@{multiarch}/xfce4/notifyd/xfce4-notifyd profile xfce4-notifyd @{exec_path} { include include diff --git a/apparmor.d/profiles-s-z/xfconfd b/apparmor.d/profiles-s-z/xfconfd index d01c43ad..c61297c3 100644 --- a/apparmor.d/profiles-s-z/xfconfd +++ b/apparmor.d/profiles-s-z/xfconfd @@ -7,8 +7,8 @@ abi , include -@{exec_path} = @{libexec}/xfce[0-9]/xfconf/xfconfd -@{exec_path} += /{usr/,}lib/@{multiarch}/xfce[0-9]/xfconf/xfconfd +@{exec_path} = @{lib}/xfce[0-9]/xfconf/xfconfd +@{exec_path} += @{lib}/@{multiarch}/xfce[0-9]/xfconf/xfconfd profile xfconfd @{exec_path} { include diff --git a/apparmor.d/profiles-s-z/xinit b/apparmor.d/profiles-s-z/xinit index 10134205..498dc4d8 100644 --- a/apparmor.d/profiles-s-z/xinit +++ b/apparmor.d/profiles-s-z/xinit @@ -7,7 +7,7 @@ abi , include -@{exec_path} = /{usr/,}bin/xinit +@{exec_path} = @{bin}/xinit profile xinit @{exec_path} { include include 
@@ -19,44 +19,44 @@ profile xinit @{exec_path} { signal (send) set=(term, kill) peer=xorg, signal (send) set=(hup), - /{usr/,}bin/ r, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/{,e}grep rix, - /{usr/,}bin/{m,g,}awk rix, - /{usr/,}bin/cat rix, - /{usr/,}bin/chmod rix, - /{usr/,}bin/date rix, - /{usr/,}bin/head rix, - /{usr/,}bin/id rix, - /{usr/,}bin/mktemp rix, - /{usr/,}bin/rm rix, - /{usr/,}bin/sed rix, - /{usr/,}bin/tail rix, - /{usr/,}bin/tempfile rix, - /{usr/,}bin/touch rix, - /{usr/,}bin/which{,.debianutils} rix, + @{bin}/ r, + @{bin}/{,ba,da}sh rix, + @{bin}/{,e}grep rix, + @{bin}/{m,g,}awk rix, + @{bin}/cat rix, + @{bin}/chmod rix, + @{bin}/date rix, + @{bin}/head rix, + @{bin}/id rix, + @{bin}/mktemp rix, + @{bin}/rm rix, + @{bin}/sed rix, + @{bin}/tail rix, + @{bin}/tempfile rix, + @{bin}/touch rix, + @{bin}/which{,.debianutils} rix, /etc/X11/xinit/xinitrc rix, /etc/X11/xinit/xserverrc rix, - /{usr/,}bin/dbus-update-activation-environment rix, + @{bin}/dbus-update-activation-environment rix, - /{usr/,}bin/gpgconf rPx, - /{usr/,}bin/run-parts rCx -> run-parts, - /{usr/,}bin/udevadm rCx -> udevadm, + @{bin}/gpgconf rPx, + @{bin}/run-parts rCx -> run-parts, + @{bin}/udevadm rCx -> udevadm, - /{usr/,}bin/flatpak rPUx, - /{usr/,}bin/glxinfo rPx, - /{usr/,}bin/numlockx rPx, - /{usr/,}bin/X rPx, - /{usr/,}bin/xhost rPx, - /{usr/,}bin/Xorg rPx, - /{usr/,}bin/xrdb rPx, + @{bin}/flatpak rPUx, + @{bin}/glxinfo rPx, + @{bin}/numlockx rPx, + @{bin}/X rPx, + @{bin}/xhost rPx, + @{bin}/Xorg rPx, + @{bin}/xrdb rPx, # Allowed GUI sessions to start - /{usr/,}bin/openbox-session rPx, - /{usr/,}bin/enlightenment_start rPUx, - /{usr/,}bin/sway rPUx, - /{usr/,}bin/ssh-agent rPx, + @{bin}/openbox-session rPx, + @{bin}/enlightenment_start rPUx, + @{bin}/sway rPUx, + @{bin}/ssh-agent rPx, /etc/X11/{,**} r, /etc/default/{,*} r, 
@@ -74,7 +74,7 @@ profile xinit @{exec_path} { profile run-parts { include - /{usr/,}bin/run-parts mr, + @{bin}/run-parts mr, /etc/X11/Xsession.d/ r, /etc/X11/Xresources/ r, @@ -88,7 +88,7 @@ profile xinit @{exec_path} { profile udevadm { include - /{usr/,}bin/udevadm mr, + @{bin}/udevadm mr, /etc/udev/udev.conf r, diff --git a/apparmor.d/profiles-s-z/xinput b/apparmor.d/profiles-s-z/xinput index 6109a90c..ac0917aa 100644 --- a/apparmor.d/profiles-s-z/xinput +++ b/apparmor.d/profiles-s-z/xinput @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/xinput +@{exec_path} = @{bin}/xinput profile xinput @{exec_path} { include diff --git a/apparmor.d/profiles-s-z/xsel b/apparmor.d/profiles-s-z/xsel index 2711a8e7..d69656c6 100644 --- a/apparmor.d/profiles-s-z/xsel +++ b/apparmor.d/profiles-s-z/xsel @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/xsel +@{exec_path} = @{bin}/xsel profile xsel @{exec_path} { include include diff --git a/apparmor.d/profiles-s-z/youtube-dl b/apparmor.d/profiles-s-z/youtube-dl index 66ee598f..e8de978d 100644 --- a/apparmor.d/profiles-s-z/youtube-dl +++ b/apparmor.d/profiles-s-z/youtube-dl @@ -7,7 +7,7 @@ abi , include -@{exec_path} = /{usr/,}bin/youtube-dl +@{exec_path} = @{bin}/youtube-dl profile youtube-dl @{exec_path} { include include @@ -31,18 +31,18 @@ profile youtube-dl @{exec_path} { signal (receive) set=(term, kill), @{exec_path} r, - /{usr/,}bin/python3.[0-9]* r, + @{bin}/python3.[0-9]* r, - /{usr/,}bin/ffmpeg rPx, - /{usr/,}bin/ffprobe rPx, + @{bin}/ffmpeg rPx, + @{bin}/ffprobe rPx, - /{usr/,}bin/ r, - /{usr/,}bin/{,@{multiarch}-}gcc-[0-9]* rix, - /{usr/,}lib/llvm-[0-9]*/bin/clang rix, - /{usr/,}{s,}bin/ldconfig rix, - /{usr/,}bin/uname rix, - /{usr/,}bin/rtmpdump rix, - /{usr/,}bin/git rix, + @{bin}/ r, + @{bin}/{,@{multiarch}-}gcc-[0-9]* rix, + @{bin}/git rix, + @{bin}/ldconfig rix, + @{bin}/rtmpdump rix, + @{bin}/uname rix, + @{lib}/llvm-[0-9]*/bin/clang rix, /etc/mime.types r, 
diff --git a/apparmor.d/profiles-s-z/youtube-viewer b/apparmor.d/profiles-s-z/youtube-viewer index 8de23f04..f42e916f 100644 --- a/apparmor.d/profiles-s-z/youtube-viewer +++ b/apparmor.d/profiles-s-z/youtube-viewer @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/youtube-viewer +@{exec_path} = @{bin}/youtube-viewer profile youtube-viewer @{exec_path} { include include @@ -24,13 +24,13 @@ profile youtube-viewer @{exec_path} { network netlink raw, @{exec_path} r, - /{usr/,}bin/perl r, + @{bin}/perl r, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/infocmp rix, - /{usr/,}bin/stty rix, + @{bin}/{,ba,da}sh rix, + @{bin}/infocmp rix, + @{bin}/stty rix, - /{usr/,}bin/wget rCx -> wget, + @{bin}/wget rCx -> wget, owner @{user_config_dirs}/youtube-viewer/{,*} rw, owner @{user_cache_dirs}/youtube-viewer/{,*} rw, @@ -39,11 +39,11 @@ profile youtube-viewer @{exec_path} { /etc/inputrc r, # Players - /{usr/,}bin/mpv rPUx, - /{usr/,}bin/vlc rPUx, - /{usr/,}bin/smplayer rPUx, + @{bin}/mpv rPUx, + @{bin}/vlc rPUx, + @{bin}/smplayer rPUx, - /{usr/,}bin/ffmpeg rPUx, + @{bin}/ffmpeg rPUx, profile wget { @@ -55,7 +55,7 @@ profile youtube-viewer @{exec_path} { signal (receive) set=(hup, winch) peer=gtk-youtube-viewer//xterm, - /{usr/,}bin/wget mr, + @{bin}/wget mr, /etc/wgetrc r, diff --git a/apparmor.d/profiles-s-z/yt-dlp b/apparmor.d/profiles-s-z/yt-dlp index 028f1590..48b3337f 100644 --- a/apparmor.d/profiles-s-z/yt-dlp +++ b/apparmor.d/profiles-s-z/yt-dlp @@ -7,7 +7,7 @@ abi , include -@{exec_path} = /{usr/,}bin/yt-dlp +@{exec_path} = @{bin}/yt-dlp profile yt-dlp @{exec_path} { include include @@ -24,13 +24,13 @@ profile yt-dlp @{exec_path} { network netlink raw, @{exec_path} r, - /{usr/,}bin/python3.[0-9]* r, + @{bin}/python3.[0-9]* r, - /{usr/,}bin/ r, - /{usr/,}bin/file rix, + @{bin}/ r, + @{bin}/file rix, - /{usr/,}bin/ffmpeg rPx, - /{usr/,}bin/ffprobe rPx, + @{bin}/ffmpeg rPx, + @{bin}/ffprobe rPx, /etc/magic r, 
diff --git a/apparmor.d/profiles-s-z/ytdl b/apparmor.d/profiles-s-z/ytdl index e586443f..bd3f6bac 100644 --- a/apparmor.d/profiles-s-z/ytdl +++ b/apparmor.d/profiles-s-z/ytdl @@ -7,7 +7,7 @@ abi , include -@{exec_path} = /{usr/,}bin/ytdl +@{exec_path} = @{bin}/ytdl profile ytdl @{exec_path} { include include @@ -25,11 +25,11 @@ profile ytdl @{exec_path} { signal (receive) set=(term, kill), @{exec_path} r, - /{usr/,}bin/python3.[0-9]* r, + @{bin}/python3.[0-9]* r, - /{usr/,}bin/ r, - /{usr/,}{s,}bin/ldconfig rix, - /{usr/,}bin/uname rix, + @{bin}/ r, + @{bin}/ldconfig rix, + @{bin}/uname rix, /etc/mime.types r, diff --git a/apparmor.d/profiles-s-z/zed b/apparmor.d/profiles-s-z/zed index ad26f34e..e9251686 100644 --- a/apparmor.d/profiles-s-z/zed +++ b/apparmor.d/profiles-s-z/zed @@ -16,20 +16,22 @@ profile zed @{exec_path} { network netlink raw, @{exec_path} mr, - /{usr/,}bin/basename rix, - /{usr/,}bin/cat rix, - /{usr/,}bin/diff rix, - /{usr/,}bin/expr rix, - /{usr/,}bin/flock rix, - /{usr/,}bin/grep rix, - /{usr/,}bin/hostname rix, - /{usr/,}bin/ls rix, - /{usr/,}bin/logger rix, - /{usr/,}bin/{m,g,}awk rix, - /{usr/,}bin/mktemp rix, - /{usr/,}bin/rm rix, - /{usr/,}bin/realpath rix, - /{usr/,}bin/sort rix, + + @{bin}/{m,g,}awk rix, + @{bin}/basename rix, + @{bin}/cat rix, + @{bin}/diff rix, + @{bin}/expr rix, + @{bin}/flock rix, + @{bin}/grep rix, + @{bin}/hostname rix, + @{bin}/logger rix, + @{bin}/ls rix, + @{bin}/mktemp rix, + @{bin}/realpath rix, + @{bin}/rm rix, + @{bin}/sort rix, + /{usr/,}{local/,}{s,}bin/zpool rPx, /{usr/,}{local/,}{s,}bin/zfs rPx, /{usr/,}{local/,}lib/zfs-linux/zed.d/*.sh rix, diff --git a/apparmor.d/profiles-s-z/zenmap b/apparmor.d/profiles-s-z/zenmap index e764163a..b6d659d4 100644 --- a/apparmor.d/profiles-s-z/zenmap +++ b/apparmor.d/profiles-s-z/zenmap @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/{zenmap,nmapfe} +@{exec_path} = @{bin}/{zenmap,nmapfe} profile zenmap @{exec_path} { include include 
@@ -19,9 +19,9 @@ profile zenmap @{exec_path} { signal (send) set=(term, kill) peer=nmap, @{exec_path} r, - /{usr/,}bin/python3.[0-9]* r, + @{bin}/python3.[0-9]* r, - /{usr/,}bin/nmap rPx, + @{bin}/nmap rPx, owner @{HOME}/ r, owner @{HOME}/.zenmap/ rw, diff --git a/apparmor.d/profiles-s-z/zpool b/apparmor.d/profiles-s-z/zpool index f1ae419f..bd2cd296 100644 --- a/apparmor.d/profiles-s-z/zpool +++ b/apparmor.d/profiles-s-z/zpool @@ -15,7 +15,7 @@ profile zpool @{exec_path} { @{exec_path} mr, - /{usr/,}bin/{,ba,da}sh rix, + @{bin}/{,ba,da}sh rix, /{usr/,}{local/,}lib/zfs-linux/zpool.d/* rix, /etc/hostid r, diff --git a/apparmor.d/profiles-s-z/zsys-system-autosnapshot b/apparmor.d/profiles-s-z/zsys-system-autosnapshot index d4d22740..f42046a4 100644 --- a/apparmor.d/profiles-s-z/zsys-system-autosnapshot +++ b/apparmor.d/profiles-s-z/zsys-system-autosnapshot @@ -6,19 +6,20 @@ abi , include -@{exec_path} = @{libexec}/zsys-system-autosnapshot +@{exec_path} = @{lib}/zsys-system-autosnapshot profile zsys-system-autosnapshot @{exec_path} flags=(complain) { include include @{exec_path} mr, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/cat rix, - /{usr/,}bin/cp rix, - /{usr/,}bin/rm rix, - /{usr/,}{s,}bin/zsysctl rPx, - /{usr/,}{s,}bin/zsysd rPx, + @{bin}/{,ba,da}sh rix, + @{bin}/cat rix, + @{bin}/cp rix, + @{bin}/rm rix, + @{bin}/zsysctl rPx, + @{bin}/zsysd rPx, + /var/log/unattended-upgrades/unattended-upgrades-dpkg.log rw, @{run}/zsys-bootmenu.unattended-upgrades rw, diff --git a/apparmor.d/profiles-s-z/zsysd b/apparmor.d/profiles-s-z/zsysd index d8a6c451..56d1283c 100644 --- a/apparmor.d/profiles-s-z/zsysd +++ b/apparmor.d/profiles-s-z/zsysd @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}{s,}bin/zsysd /{usr/,}{s,}bin/zsysctl +@{exec_path} = @{bin}/zsysd @{bin}/zsysctl profile zsysd @{exec_path} flags=(complain) { include include 
@@ -23,7 +23,7 @@ profile zsysd @{exec_path} flags=(complain) { /{usr/,}{local/,}{s,}bin/zfs rPx, /{usr/,}{local/,}{s,}bin/zpool rPx, # ALLOWED zsysd exec /usr/sbin/update-grub info="no new privs" comm=zsysd requested_mask=x denied_mask=x error=-1 - /{usr/,}{s,}bin/update-grub rPx, + @{bin}/update-grub rPx, /etc/hostid r, /etc/zsys.conf r,