/run -> @{run}, [0-9]* -> @{uid}.

apparmor.d/abstractions/libvirt-qemu

@@ -43,9 +43,9 @@
   /sys/bus/usb/devices/ r,
   /sys/devices/**/usb[0-9]*/** r,
   # libusb needs udev data about usb devices (~equal to content of lsusb -v)
-  /run/udev/data/+usb* r,
-  /run/udev/data/c16[6,7]* r,
-  /run/udev/data/c18[0,8,9]* r,
+  @{run}/udev/data/+usb* r,
+  @{run}/udev/data/c16[6,7]* r,
+  @{run}/udev/data/c18[0,8,9]* r,
 
   # WARNING: this gives the guest direct access to host hardware and specific
   # portions of shared memory. This is required for sound using ALSA with kvm,
@@ -233,7 +233,7 @@
 
   # silence refusals to open lttng files (see LP: #1432644)
   deny /dev/shm/lttng-ust-wait-* r,
-  deny /run/shm/lttng-ust-wait-* r,
+  deny @{run}/shm/lttng-ust-wait-* r,
 
   # for vfio hotplug on systems without static vfio (LP: #1775777)
   /dev/vfio/vfio rw,

apparmor.d/abstractions/lightdm

@@ -82,7 +82,7 @@
   /{,var/}run/shm/** wl,
   /{,var/}run/uuidd/request w,
   # libpam-xdg-support/logind
-  owner /{,var/}run/user/*/** rw,
+  owner /{,var/}run/user/@{uid}/** rw,
 
   capability ipc_lock,
 

apparmor.d/abstractions/totem

@@ -46,9 +46,9 @@
 
   owner @{PROC}/@{pid}/{mountinfo,status} r,
 
-  /run/udev/data/c* r,
-  /run/udev/data/+drm:card* r,
-  /run/udev/data/+usb* r,
+  @{run}/udev/data/c* r,
+  @{run}/udev/data/+drm:card* r,
+  @{run}/udev/data/+usb* r,
 
   /sys/devices/system/node/*/meminfo r,
 

apparmor.d/groups/apps/android-studio

@@ -211,9 +211,9 @@ profile android-studio @{exec_path} {
   owner /tmp/** rwk,
   owner /tmp/native-platform[0-9]*dir/*.so rwm,
 
-  owner /{var,}run/user/[0-9]*/avd/ rw,
-  owner /{var,}run/user/[0-9]*/avd/running/ rw,
-  owner /{var,}run/user/[0-9]*/avd/running/pid_@{pid}.ini rw,
+  owner /{var,}run/user/@{uid}/avd/ rw,
+  owner /{var,}run/user/@{uid}/avd/running/ rw,
+  owner /{var,}run/user/@{uid}/avd/running/pid_@{pid}.ini rw,
 
   /usr/share/hwdata/pnp.ids r,
 

apparmor.d/groups/apps/geany

@@ -51,7 +51,7 @@ profile geany @{exec_path} {
 
   owner @{user_config_dirs}/geany/{,**} rw,
 
-  owner /{run/,}user/[0-9]*/geany/geany_socket.[0-9a-f]* rw,
+  owner /{run/,}user/@{uid}/geany/geany_socket.[0-9a-f]* rw,
 
   # To read/write files in the system. The read permission is granted for all files, the write
   # permission only for the owner. Also, dirs like /dev/, /proc/, /sys/  are not included in
@@ -84,9 +84,9 @@ profile geany @{exec_path} {
         /root/    r,
         /root/**  r,
   owner /root/**  rw,
-        /run/     r,
-        /run/**   r,
-  owner /run/**   rw,
+        @{run}/   r,
+        @{run}/** r,
+  owner @{run}/** rw,
         /srv/     r,
         /srv/**   r,
   owner /srv/**   rw,

apparmor.d/groups/apps/usr.lib.libreoffice.program.oosplash

@@ -22,7 +22,7 @@ profile libreoffice-oosplash /usr/lib/libreoffice/program/oosplash flags=(compla
   /etc/libreoffice/**                   r,
   /etc/passwd                           r,
   /etc/nsswitch.conf                    r,
-  /run/nscd/passwd                      r,
+  @{run}/nscd/passwd                      r,
   /sys/devices/{virtual,pci[0-9]*}/**/queue/rotational  r, # for isRotational() in desktop/unx/source/pagein.c
   /usr/lib{,32,64}/ure/bin/javaldx      rmpux,
   /usr/share/libreoffice/program/*      r,

apparmor.d/groups/apps/usr.lib.libreoffice.program.soffice.bin

@@ -126,7 +126,7 @@ profile libreoffice-soffice /usr/lib/libreoffice/program/soffice.bin flags=(comp
   owner @{user_cache_dirs}/fontconfig/**    rw,
   owner @{user_config_dirs}/gtk-???/bookmarks r,  #Make bookmarks work
 
-  owner /{,var/}run/user/*/dconf/user   rw,
+  owner /{,var/}run/user/@{uid}/dconf/user   rw,
   owner @{user_config_dirs}/dconf/user      r,
 
   # allow schema to be read
@@ -201,9 +201,9 @@ profile libreoffice-soffice /usr/lib/libreoffice/program/soffice.bin flags=(comp
   @{PROC}/sys/kernel/random/boot_id r, # KRecentDocument::add() -> QSysInfo::bootUniqueId()
 
   #To avoid "Unable to create io-slave." for file dialog
-  owner /{,var/}run/user/[0-9]*/#[0-9]* rw,
+  owner /{,var/}run/user/@{uid}/#[0-9]* rw,
   #For KIO IO::Slave::createSlave()
-  owner /{,var/}run/user/[0-9]*/soffice.bin*.slave-socket wl ->  /{,var/}run/user/[0-9]*/#[0-9]*,
+  owner /{,var/}run/user/@{uid}/soffice.bin*.slave-socket wl ->  /{,var/}run/user/@{uid}/#[0-9]*,
 
   owner @{HOME}/.mozilla/firefox/profiles.ini r,
   owner @{HOME}/.mozilla/firefox/*/secmod.db r,

apparmor.d/groups/browsers/torbrowser.Browser.firefox

@@ -108,7 +108,7 @@ profile torbrowser_firefox @{torbrowser_firefox_executable} {
 
   # Should use abstractions/gstreamer instead once merged upstream
   /etc/udev/udev.conf r,
-  /run/udev/data/+pci:* r,
+  @{run}/udev/data/+pci:* r,
   /sys/devices/pci[0-9]*/**/uevent r,
   owner /{dev,run}/shm/shmfd-* rw,
 
@@ -132,7 +132,7 @@ profile torbrowser_firefox @{torbrowser_firefox_executable} {
   deny @{PROC}/@{pid}/net/route r,
   deny /sys/devices/system/cpu/cpufreq/policy[0-9]*/cpuinfo_max_freq r,
   deny /sys/devices/system/cpu/*/cache/index[0-9]*/size r,
-  deny /run/user/[0-9]*/dconf/user rw,
+  deny @{run}/user/@{uid}/dconf/user rw,
   deny /usr/bin/lsb_release x,
 
   # Silence denial logs about PulseAudio
@@ -150,7 +150,7 @@ profile torbrowser_firefox @{torbrowser_firefox_executable} {
   /sys/class/ r,
   /sys/bus/ r,
   /sys/class/hidraw/ r,
-  /run/udev/data/c24{5,7,9}:* r,
+  @{run}/udev/data/c24{5,7,9}:* r,
   /dev/hidraw* rw,
   # Yubikey NEO also needs this:
   /sys/devices/**/hidraw/hidraw*/uevent r,

apparmor.d/groups/browsers/torbrowser.Browser.plugin-container

@@ -79,7 +79,7 @@ profile torbrowser_plugin_container {
 
   # Should use abstractions/gstreamer instead once merged upstream
   /etc/udev/udev.conf r,
-  /run/udev/data/+pci:* r,
+  @{run}/udev/data/+pci:* r,
   /sys/devices/pci[0-9]*/**/uevent r,
   owner /{dev,run}/shm/shmfd-* rw,
 

apparmor.d/groups/systemd/systemd-sysusers

@@ -20,7 +20,7 @@ profile systemd-sysusers @{exec_path} flags=(attach_disconnected) {
   # Where the users can be created,
   /home/{,*} rw,
   /var/{,**} rw,
-  /run/{,**} rw,
+  @{run}/{,**} rw,
 
   /etc/ r,
   /etc/nsswitch.conf r,

apparmor.d/profiles-m-r/nemo

@@ -65,9 +65,9 @@ profile nemo @{exec_path} {
         /root/    r,
         /root/**  r,
   owner /root/**  rw,
-        /run/     r,
-        /run/**   r,
-  owner /run/**   rw,
+        @{run}/   r,
+        @{run}/** r,
+  owner @{run}/** rw,
         /srv/     r,
         /srv/**   r,
   owner /srv/**   rw,

apparmor.d/profiles-s-z/spacefm

@@ -77,9 +77,9 @@ profile spacefm @{exec_path} {
         /root/    r,
         /root/**  r,
   owner /root/**  rw,
-        /run/     r,
-        /run/**   r,
-  owner /run/**   rw,
+        @{run}/   r,
+        @{run}/** r,
+  owner @{run}/** rw,
         /srv/     r,
         /srv/**   r,
   owner /srv/**   rw,

apparmor.d/profiles-s-z/usr.bin.pidgin

@@ -48,7 +48,7 @@ include <tunables/global>
   # Uncomment the two following lines if you want to allow Pidgin to update
   # any DConf setting:
   # owner @{HOME}/.{cache,config}/dconf/user rw,
-  # owner /{,var/}run/user/[0-9]*/dconf/user rwk,
+  # owner /{,var/}run/user/@{uid}/dconf/user rwk,
 
   /{usr/,}bin/dash rix,
   /{usr/,}bin/which rix,

apparmor.d/profiles-s-z/usr.bin.totem

@@ -47,9 +47,9 @@
   # Allow usage of openat with O_TMPFILE
   owner @{HOME}/#[0-9]*[0-9] m,
 
-  owner /{,var/}run/user/*/dconf/user w,
-  owner /{,var/}run/user/*/at-spi2-*/   rw,
-  owner /{,var/}run/user/*/at-spi2-*/** rw,
+  owner /{,var/}run/user/@{uid}/dconf/user w,
+  owner /{,var/}run/user/@{uid}/at-spi2-*/   rw,
+  owner /{,var/}run/user/@{uid}/at-spi2-*/** rw,
 
   /sys/devices/pci[0-9]*/**/config r,
   /sys/devices/pci[0-9]*/**/{,subsystem_}{device,vendor} r,

apparmor.d/profiles-s-z/usr.sbin.cupsd

@@ -50,7 +50,7 @@
   # CUPS is of systemd service type "notify" now, meaning that cupsd notifies
   # systemd when it is up and running, give CUPS access to systemd's
   # notification socket
-  /run/systemd/notify w,
+  @{run}/systemd/notify w,
 
   /{usr/,}bin/bash ixr,
   /{usr/,}bin/dash ixr,