diff --git a/apparmor.d/abstractions/libvirt-qemu b/apparmor.d/abstractions/libvirt-qemu
index ff2af363..f473a1ca 100644
--- a/apparmor.d/abstractions/libvirt-qemu
+++ b/apparmor.d/abstractions/libvirt-qemu
@@ -43,9 +43,9 @@
/sys/bus/usb/devices/ r,
/sys/devices/**/usb[0-9]*/** r,
# libusb needs udev data about usb devices (~equal to content of lsusb -v)
- /run/udev/data/+usb* r,
- /run/udev/data/c16[6,7]* r,
- /run/udev/data/c18[0,8,9]* r,
+ @{run}/udev/data/+usb* r,
+ @{run}/udev/data/c16[6,7]* r,
+ @{run}/udev/data/c18[0,8,9]* r,
# WARNING: this gives the guest direct access to host hardware and specific
# portions of shared memory. This is required for sound using ALSA with kvm,
@@ -233,7 +233,7 @@
# silence refusals to open lttng files (see LP: #1432644)
deny /dev/shm/lttng-ust-wait-* r,
- deny /run/shm/lttng-ust-wait-* r,
+ deny @{run}/shm/lttng-ust-wait-* r,
# for vfio hotplug on systems without static vfio (LP: #1775777)
/dev/vfio/vfio rw,
diff --git a/apparmor.d/abstractions/lightdm b/apparmor.d/abstractions/lightdm
index a8ed92dd..e9fe5ec3 100644
--- a/apparmor.d/abstractions/lightdm
+++ b/apparmor.d/abstractions/lightdm
@@ -82,7 +82,7 @@
/{,var/}run/shm/** wl,
/{,var/}run/uuidd/request w,
# libpam-xdg-support/logind
- owner /{,var/}run/user/*/** rw,
+ owner /{,var/}run/user/@{uid}/** rw,
capability ipc_lock,
diff --git a/apparmor.d/abstractions/totem b/apparmor.d/abstractions/totem
index 546ab8bd..7606a1cd 100644
--- a/apparmor.d/abstractions/totem
+++ b/apparmor.d/abstractions/totem
@@ -46,9 +46,9 @@
owner @{PROC}/@{pid}/{mountinfo,status} r,
- /run/udev/data/c* r,
- /run/udev/data/+drm:card* r,
- /run/udev/data/+usb* r,
+ @{run}/udev/data/c* r,
+ @{run}/udev/data/+drm:card* r,
+ @{run}/udev/data/+usb* r,
/sys/devices/system/node/*/meminfo r,
diff --git a/apparmor.d/groups/apps/android-studio b/apparmor.d/groups/apps/android-studio
index d60eb2e3..762c08c0 100644
--- a/apparmor.d/groups/apps/android-studio
+++ b/apparmor.d/groups/apps/android-studio
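Review bot: The lightdm hunk keeps the literal runtime prefix on its new line `owner /{,var/}run/user/@{uid}/** rw,` while the libvirt-qemu and totem hunks in the same commit switch to `@{run}`, so two spellings of the same directory now coexist; the same literal `/{,var/}run/` or `/{var,}run/` prefix survives on the new lines of android-studio, geany, soffice.bin, usr.bin.pidgin and usr.bin.totem. Whether `@{run}` and `/{,var/}run` match the same set of paths depends on the tunable definition, which is not part of this diff, so the two forms are presumably intended to be equivalent, but unifying them on `@{run}` means a later change to the tunable takes effect everywhere at once. Replacing `*` with `@{uid}` in the lightdm rule also tightens it: any single directory name under run/user used to match, now only what `@{uid}` expands to (presumably a numeric pattern from the tunables) does, which is the right direction but worth a sentence in the commit message since it can surface new denials on systems where that tunable is not shipped alongside the abstraction.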
@@ -211,9 +211,9 @@ profile android-studio @{exec_path} {
owner /tmp/** rwk,
owner /tmp/native-platform[0-9]*dir/*.so rwm,
- owner /{var,}run/user/[0-9]*/avd/ rw,
- owner /{var,}run/user/[0-9]*/avd/running/ rw,
- owner /{var,}run/user/[0-9]*/avd/running/pid_@{pid}.ini rw,
+ owner /{var,}run/user/@{uid}/avd/ rw,
+ owner /{var,}run/user/@{uid}/avd/running/ rw,
+ owner /{var,}run/user/@{uid}/avd/running/pid_@{pid}.ini rw,
/usr/share/hwdata/pnp.ids r,
diff --git a/apparmor.d/groups/apps/geany b/apparmor.d/groups/apps/geany
index 57dd1455..1378c03b 100644
--- a/apparmor.d/groups/apps/geany
+++ b/apparmor.d/groups/apps/geany
@@ -51,7 +51,7 @@ profile geany @{exec_path} {
owner @{user_config_dirs}/geany/{,**} rw,
- owner /{run/,}user/[0-9]*/geany/geany_socket.[0-9a-f]* rw,
+ owner /{run/,}user/@{uid}/geany/geany_socket.[0-9a-f]* rw,
# To read/write files in the system. The read permission is granted for all files, the write
# permission only for the owner. Also, dirs like /dev/, /proc/, /sys/ are not included in
@@ -84,9 +84,9 @@ profile geany @{exec_path} {
/root/ r,
/root/** r,
owner /root/** rw,
- /run/ r,
- /run/** r,
- owner /run/** rw,
+ @{run}/ r,
+ @{run}/** r,
+ owner @{run}/** rw,
/srv/ r,
/srv/** r,
owner /srv/** rw,
diff --git a/apparmor.d/groups/apps/usr.lib.libreoffice.program.oosplash b/apparmor.d/groups/apps/usr.lib.libreoffice.program.oosplash
index 5d169691..3bd6df6f 100644
--- a/apparmor.d/groups/apps/usr.lib.libreoffice.program.oosplash
+++ b/apparmor.d/groups/apps/usr.lib.libreoffice.program.oosplash
@@ -22,7 +22,7 @@ profile libreoffice-oosplash /usr/lib/libreoffice/program/oosplash flags=(compla
/etc/libreoffice/** r,
/etc/passwd r,
/etc/nsswitch.conf r,
- /run/nscd/passwd r,
+ @{run}/nscd/passwd r,
/sys/devices/{virtual,pci[0-9]*}/**/queue/rotational r, # for isRotational() in desktop/unx/source/pagein.c
/usr/lib{,32,64}/ure/bin/javaldx rmpux,
/usr/share/libreoffice/program/* r,
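Review bot: The new line `owner /{run/,}user/@{uid}/geany/geany_socket.[0-9a-f]* rw,` in the first geany hunk still carries the `/{run/,}user/` alternation, which expands to both `/run/user/@{uid}/...` and `/user/@{uid}/...`; the second path looks like a typo for the `/{,var/}run/user/` form used elsewhere in this commit rather than an intended location, and it silently grants access to a path that should not exist. Since the commit is normalizing runtime paths anyway (the second geany hunk already moves `/run/` to `@{run}/`), this line is the place to write it as `owner @{run}/user/@{uid}/geany/geany_socket.[0-9a-f]* rw,`, assuming `@{run}` covers the /var/run spelling as the other hunks assume. The geany profile block starts and continues outside the hunk.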
diff --git a/apparmor.d/groups/apps/usr.lib.libreoffice.program.soffice.bin b/apparmor.d/groups/apps/usr.lib.libreoffice.program.soffice.bin
index 7c12426c..b6557b74 100644
--- a/apparmor.d/groups/apps/usr.lib.libreoffice.program.soffice.bin
+++ b/apparmor.d/groups/apps/usr.lib.libreoffice.program.soffice.bin
@@ -126,7 +126,7 @@ profile libreoffice-soffice /usr/lib/libreoffice/program/soffice.bin flags=(comp
owner @{user_cache_dirs}/fontconfig/** rw,
owner @{user_config_dirs}/gtk-???/bookmarks r, #Make bookmarks work
- owner /{,var/}run/user/*/dconf/user rw,
+ owner /{,var/}run/user/@{uid}/dconf/user rw,
owner @{user_config_dirs}/dconf/user r, # allow schema to be read
@@ -201,9 +201,9 @@ profile libreoffice-soffice /usr/lib/libreoffice/program/soffice.bin flags=(comp
@{PROC}/sys/kernel/random/boot_id r, # KRecentDocument::add() -> QSysInfo::bootUniqueId()
#To avoid "Unable to create io-slave." for file dialog
- owner /{,var/}run/user/[0-9]*/#[0-9]* rw,
+ owner /{,var/}run/user/@{uid}/#[0-9]* rw,
#For KIO IO::Slave::createSlave()
- owner /{,var/}run/user/[0-9]*/soffice.bin*.slave-socket wl -> /{,var/}run/user/[0-9]*/#[0-9]*,
+ owner /{,var/}run/user/@{uid}/soffice.bin*.slave-socket wl -> /{,var/}run/user/@{uid}/#[0-9]*,
owner @{HOME}/.mozilla/firefox/profiles.ini r,
owner @{HOME}/.mozilla/firefox/*/secmod.db r,
diff --git a/apparmor.d/groups/browsers/torbrowser.Browser.firefox b/apparmor.d/groups/browsers/torbrowser.Browser.firefox
index 0201f10f..5ae6a9a2 100644
--- a/apparmor.d/groups/browsers/torbrowser.Browser.firefox
+++ b/apparmor.d/groups/browsers/torbrowser.Browser.firefox
@@ -108,7 +108,7 @@ profile torbrowser_firefox @{torbrowser_firefox_executable} {
# Should use abstractions/gstreamer instead once merged upstream
/etc/udev/udev.conf r,
- /run/udev/data/+pci:* r,
+ @{run}/udev/data/+pci:* r,
/sys/devices/pci[0-9]*/**/uevent r,
owner /{dev,run}/shm/shmfd-* rw,
@@ -132,7 +132,7 @@ profile torbrowser_firefox @{torbrowser_firefox_executable} {
deny @{PROC}/@{pid}/net/route r,
deny /sys/devices/system/cpu/cpufreq/policy[0-9]*/cpuinfo_max_freq r,
deny /sys/devices/system/cpu/*/cache/index[0-9]*/size r,
- deny /run/user/[0-9]*/dconf/user rw,
+ deny @{run}/user/@{uid}/dconf/user rw,
deny /usr/bin/lsb_release x,
# Silence denial logs about PulseAudio
@@ -150,7 +150,7 @@ profile torbrowser_firefox @{torbrowser_firefox_executable} {
/sys/class/ r,
/sys/bus/ r,
/sys/class/hidraw/ r,
- /run/udev/data/c24{5,7,9}:* r,
+ @{run}/udev/data/c24{5,7,9}:* r,
/dev/hidraw* rw,
# Yubikey NEO also needs this:
/sys/devices/**/hidraw/hidraw*/uevent r,
diff --git a/apparmor.d/groups/browsers/torbrowser.Browser.plugin-container b/apparmor.d/groups/browsers/torbrowser.Browser.plugin-container
index a94d0130..4602b39c 100644
--- a/apparmor.d/groups/browsers/torbrowser.Browser.plugin-container
+++ b/apparmor.d/groups/browsers/torbrowser.Browser.plugin-container
@@ -79,7 +79,7 @@ profile torbrowser_plugin_container {
# Should use abstractions/gstreamer instead once merged upstream
/etc/udev/udev.conf r,
- /run/udev/data/+pci:* r,
+ @{run}/udev/data/+pci:* r,
/sys/devices/pci[0-9]*/**/uevent r,
owner /{dev,run}/shm/shmfd-* rw,
diff --git a/apparmor.d/groups/systemd/systemd-sysusers b/apparmor.d/groups/systemd/systemd-sysusers
index cb307604..f8035046 100644
--- a/apparmor.d/groups/systemd/systemd-sysusers
+++ b/apparmor.d/groups/systemd/systemd-sysusers
@@ -20,7 +20,7 @@ profile systemd-sysusers @{exec_path} flags=(attach_disconnected) {
# Where the users can be created,
/home/{,*} rw,
/var/{,**} rw,
- /run/{,**} rw,
+ @{run}/{,**} rw,
/etc/ r,
/etc/nsswitch.conf r,
diff --git a/apparmor.d/profiles-m-r/nemo b/apparmor.d/profiles-m-r/nemo
index 2042f84b..dd3cf979 100644
--- a/apparmor.d/profiles-m-r/nemo
+++ b/apparmor.d/profiles-m-r/nemo
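Review bot: The new line `@{run}/{,**} rw,` in the systemd-sysusers hunk grants recursive read and write over the whole runtime directory, which is wider than the preceding comment `# Where the users can be created,` describes and wider than the adjacent `/home/{,*} rw,`, which is limited to one level. The breadth is inherited from the replaced line rather than introduced here, but since this line is being rewritten it is a good moment to either narrow it to the subtree sysusers actually writes or, if the full scope is deliberate, say so in a comment such as `# sysusers needs the whole of @{run}: TODO(confirm) name the entries it creates there`. The profile block starts and continues outside the hunk.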
@@ -65,9 +65,9 @@ profile nemo @{exec_path} {
/root/ r,
/root/** r,
owner /root/** rw,
- /run/ r,
- /run/** r,
- owner /run/** rw,
+ @{run}/ r,
+ @{run}/** r,
+ owner @{run}/** rw,
/srv/ r,
/srv/** r,
owner /srv/** rw,
diff --git a/apparmor.d/profiles-s-z/spacefm b/apparmor.d/profiles-s-z/spacefm
index fce6f6f6..c8cbfbb0 100644
--- a/apparmor.d/profiles-s-z/spacefm
+++ b/apparmor.d/profiles-s-z/spacefm
@@ -77,9 +77,9 @@ profile spacefm @{exec_path} {
/root/ r,
/root/** r,
owner /root/** rw,
- /run/ r,
- /run/** r,
- owner /run/** rw,
+ @{run}/ r,
+ @{run}/** r,
+ owner @{run}/** rw,
/srv/ r,
/srv/** r,
owner /srv/** rw,
diff --git a/apparmor.d/profiles-s-z/usr.bin.pidgin b/apparmor.d/profiles-s-z/usr.bin.pidgin
index 716b1560..83075390 100644
--- a/apparmor.d/profiles-s-z/usr.bin.pidgin
+++ b/apparmor.d/profiles-s-z/usr.bin.pidgin
@@ -48,7 +48,7 @@ include
# Uncomment the two following lines if you want to allow Pidgin to update
# any DConf setting:
# owner @{HOME}/.{cache,config}/dconf/user rw,
- # owner /{,var/}run/user/[0-9]*/dconf/user rwk,
+ # owner /{,var/}run/user/@{uid}/dconf/user rwk,
/{usr/,}bin/dash rix,
/{usr/,}bin/which rix,
diff --git a/apparmor.d/profiles-s-z/usr.bin.totem b/apparmor.d/profiles-s-z/usr.bin.totem
index 2adec6a6..53e4ee27 100644
--- a/apparmor.d/profiles-s-z/usr.bin.totem
+++ b/apparmor.d/profiles-s-z/usr.bin.totem
@@ -47,9 +47,9 @@
# Allow usage of openat with O_TMPFILE
owner @{HOME}/#[0-9]*[0-9] m,
- owner /{,var/}run/user/*/dconf/user w,
- owner /{,var/}run/user/*/at-spi2-*/ rw,
- owner /{,var/}run/user/*/at-spi2-*/** rw,
+ owner /{,var/}run/user/@{uid}/dconf/user w,
+ owner /{,var/}run/user/@{uid}/at-spi2-*/ rw,
+ owner /{,var/}run/user/@{uid}/at-spi2-*/** rw,
/sys/devices/pci[0-9]*/**/config r,
/sys/devices/pci[0-9]*/**/{,subsystem_}{device,vendor} r,
diff --git a/apparmor.d/profiles-s-z/usr.sbin.cupsd b/apparmor.d/profiles-s-z/usr.sbin.cupsd
index c49c3c60..ef8c1af5 100644
--- a/apparmor.d/profiles-s-z/usr.sbin.cupsd
+++ b/apparmor.d/profiles-s-z/usr.sbin.cupsd
@@ -50,7 +50,7 @@
# CUPS is of systemd service type "notify" now, meaning that cupsd notifies
# systemd when it is up and running, give CUPS access to systemd's
# notification socket
- /run/systemd/notify w,
+ @{run}/systemd/notify w,
/{usr/,}bin/bash ixr,
/{usr/,}bin/dash ixr,