From 3b56d3ff0ff59b05fc4aeca928b093faa25b8925 Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol Date: Sat, 3 Sep 2022 14:43:34 +0100 Subject: [PATCH] feat(profiles): use the new hex variable. --- apparmor.d/abstractions/mesa.d/complete | 4 ++-- apparmor.d/abstractions/qt5-shader-cache | 4 ++-- apparmor.d/groups/apps/atom | 2 +- apparmor.d/groups/apps/calibre | 4 ++-- apparmor.d/groups/apps/code | 4 ++-- apparmor.d/groups/apps/flameshot | 2 +- apparmor.d/groups/apps/geany | 4 ++-- apparmor.d/groups/apps/okular | 2 +- apparmor.d/groups/apps/spotify | 2 +- apparmor.d/groups/apps/telegram-desktop | 4 ++-- apparmor.d/groups/apt/apt | 2 +- apparmor.d/groups/apt/synaptic | 2 +- apparmor.d/groups/browsers/firefox | 2 +- apparmor.d/groups/browsers/firefox-crashreporter | 6 +++--- .../groups/browsers/firefox-minidump-analyzer | 4 ++-- apparmor.d/groups/bus/ibus-dconf | 8 ++++---- apparmor.d/groups/bus/ibus-engine-simple | 4 ++-- apparmor.d/groups/bus/ibus-memconf | 2 +- apparmor.d/groups/bus/ibus-portal | 2 +- apparmor.d/groups/bus/ibus-x11 | 6 +++--- apparmor.d/groups/freedesktop/xdg-mime | 2 +- apparmor.d/groups/freedesktop/xdg-open | 2 +- apparmor.d/groups/freedesktop/xdg-settings | 2 +- apparmor.d/groups/gnome/gnome-shell | 6 +++--- apparmor.d/groups/gnome/tracker-miner | 2 +- apparmor.d/groups/gpg/gpg-agent | 16 ++++++++-------- apparmor.d/groups/gpg/gpg-connect-agent | 6 +++--- apparmor.d/groups/systemd/bootctl | 8 ++++---- apparmor.d/groups/systemd/coredumpctl | 10 +++++----- apparmor.d/groups/systemd/journalctl | 12 ++++++------ apparmor.d/groups/systemd/networkctl | 8 ++++---- apparmor.d/groups/systemd/systemd-journald | 10 +++++----- apparmor.d/groups/virt/containerd | 4 ++-- apparmor.d/groups/virt/containerd-shim-runc-v2 | 14 +++++++------- apparmor.d/groups/virt/k3s | 4 ++-- apparmor.d/profiles-a-f/aa-log | 6 +++--- apparmor.d/profiles-a-f/anki | 4 ++-- apparmor.d/profiles-a-f/claws-mail | 4 ++-- apparmor.d/profiles-a-f/deltachat-desktop | 8 ++++---- apparmor.d/profiles-g-l/gpo | 2 +- apparmor.d/profiles-g-l/gpodder | 2 +- 
apparmor.d/profiles-g-l/gsmartcontrol | 2 +- apparmor.d/profiles-g-l/hw-probe | 8 ++++---- apparmor.d/profiles-g-l/jdownloader | 2 +- apparmor.d/profiles-g-l/jdownloader-install | 2 +- apparmor.d/profiles-g-l/kscreenlocker-greet | 4 ++-- apparmor.d/profiles-g-l/linssid | 2 +- apparmor.d/profiles-g-l/lxappearance | 2 +- apparmor.d/profiles-m-r/minitube | 4 ++-- apparmor.d/profiles-m-r/mkvtoolnix-gui | 2 +- apparmor.d/profiles-m-r/openbox | 2 +- apparmor.d/profiles-m-r/psi | 2 +- apparmor.d/profiles-m-r/psi-plus | 2 +- apparmor.d/profiles-m-r/qbittorrent | 2 +- apparmor.d/profiles-m-r/qnapi | 2 +- apparmor.d/profiles-m-r/qpdfview | 2 +- apparmor.d/profiles-m-r/qtox | 2 +- apparmor.d/profiles-m-r/rpi-imager | 4 ++-- apparmor.d/profiles-s-z/scrcpy | 2 +- apparmor.d/profiles-s-z/sddm | 8 ++++---- apparmor.d/profiles-s-z/steam | 2 +- apparmor.d/profiles-s-z/steam-game | 2 +- apparmor.d/profiles-s-z/steam-gameoverlayui | 2 +- apparmor.d/profiles-s-z/steam-reaper | 2 +- apparmor.d/profiles-s-z/strawberry | 2 +- apparmor.d/profiles-s-z/tint2 | 2 +- apparmor.d/profiles-s-z/tint2conf | 2 +- apparmor.d/profiles-s-z/update-ca-certificates | 2 +- apparmor.d/profiles-s-z/vidcutter | 6 +++--- apparmor.d/tunables/extend | 4 ++-- 70 files changed, 142 insertions(+), 142 deletions(-) diff --git a/apparmor.d/abstractions/mesa.d/complete b/apparmor.d/abstractions/mesa.d/complete index 4bef4f55..3307131d 100644 --- a/apparmor.d/abstractions/mesa.d/complete +++ b/apparmor.d/abstractions/mesa.d/complete 
@@ -7,8 +7,8 @@ /var/lib/gdm/.cache/mesa_shader_cache/ rw, /var/lib/gdm/.cache/mesa_shader_cache/index rw, /var/lib/gdm/.cache/mesa_shader_cache/[a-f0-9][a-f0-9]/ rw, - /var/lib/gdm/.cache/mesa_shader_cache/[a-f0-9][a-f0-9]/[0-9a-f]* rw, - /var/lib/gdm/.cache/mesa_shader_cache/[a-f0-9][a-f0-9]/[0-9a-f]*.tmp rwk, + /var/lib/gdm/.cache/mesa_shader_cache/[a-f0-9][a-f0-9]/@{hex} rw, + /var/lib/gdm/.cache/mesa_shader_cache/[a-f0-9][a-f0-9]/@{hex}.tmp rwk, @{sys}/devices/pci[0-9]*/**/revision r, @{sys}/devices/pci[0-9]*/**/config r, diff --git a/apparmor.d/abstractions/qt5-shader-cache b/apparmor.d/abstractions/qt5-shader-cache index d63dd0c5..b4f34d77 100644 --- a/apparmor.d/abstractions/qt5-shader-cache +++ b/apparmor.d/abstractions/qt5-shader-cache @@ -6,7 +6,7 @@ owner @{HOME}/.cache/qtshadercache/ rw, owner @{HOME}/.cache/qtshadercache/#[0-9]*[0-9] rw, - owner @{HOME}/.cache/qtshadercache/[0-9a-f]* rwl -> @{HOME}/.cache/qtshadercache/#[0-9]*[0-9], + owner @{HOME}/.cache/qtshadercache/@{hex} rwl -> @{HOME}/.cache/qtshadercache/#[0-9]*[0-9], owner @{HOME}/.cache/qtshadercache-*-little_endian-*/ rw, owner @{HOME}/.cache/qtshadercache-*-little_endian-*/#[0-9]*[0-9] rw, - owner @{HOME}/.cache/qtshadercache-*-little_endian-*/[0-9a-f]* rwl -> @{HOME}/.cache/qtshadercache-*-little_endian-*/#[0-9]*[0-9], + owner @{HOME}/.cache/qtshadercache-*-little_endian-*/@{hex}* rwl -> @{HOME}/.cache/qtshadercache-*-little_endian-*/#[0-9]*[0-9], diff --git a/apparmor.d/groups/apps/atom b/apparmor.d/groups/apps/atom index cea565a1..2733f1ec 100644 --- a/apparmor.d/groups/apps/atom +++ b/apparmor.d/groups/apps/atom @@ -129,7 +129,7 @@ profile atom @{exec_path} { # The irq file is needed to render pages. deny @{sys}/devices/pci[0-9]*/**/irq r, - owner /tmp/atom-[0-9a-f]*.sock rw, + owner /tmp/atom-@{hex}.sock rw, owner "/tmp/Atom Crashes/" rw, owner /tmp/github-[0-9]*-[0-9]*-*.*/ rw, owner /tmp/github-[0-9]*-[0-9]*-*.*/** rw, 
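Review bot: The second rewritten rule in the qt5-shader-cache hunk ends in `@{hex}*`, while its sibling two lines above and the equivalent rules in the calibre and anki hunks of this same patch use a bare `@{hex}`. If `@{hex}` already ends in a `*` the trailing star is dead text; if it does not, this one rule silently matches a wider set of names than the others, so the intent is ambiguous either way. I would drop the extra star so the four rules agree: `owner @{HOME}/.cache/qtshadercache-*-little_endian-*/@{hex} rwl -> @{HOME}/.cache/qtshadercache-*-little_endian-*/#[0-9]*[0-9],`. The `@{hex}` definition lives in tunables/extend, which this patch also touches but which is outside this chunk.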
diff --git a/apparmor.d/groups/apps/calibre b/apparmor.d/groups/apps/calibre index 08767209..f851720e 100644 --- a/apparmor.d/groups/apps/calibre +++ b/apparmor.d/groups/apps/calibre @@ -91,9 +91,9 @@ profile calibre @{exec_path} { owner @{user_cache_dirs}/qtshadercache/ rw, owner @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9] rw, - owner @{user_cache_dirs}/qtshadercache/[0-9a-f]* rwl -> @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9], + owner @{user_cache_dirs}/qtshadercache/@{hex} rwl -> @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9], owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9] rw, - owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/[0-9a-f]* rwl -> @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9], + owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/@{hex} rwl -> @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9], owner @{user_cache_dirs}/gstreamer-[0-9]*/ rw, owner @{user_cache_dirs}/gstreamer-[0-9]*/registry.*.bin{,.tmp*} rw, diff --git a/apparmor.d/groups/apps/code b/apparmor.d/groups/apps/code index af1b4d05..a7ba9cb8 100644 --- a/apparmor.d/groups/apps/code +++ b/apparmor.d/groups/apps/code @@ -109,8 +109,8 @@ profile code @{exec_path} { owner "/tmp/VSCode Crashes/" rw, owner /tmp/vscode-typescript[0-9]*/ rw, - owner @{run}/user/@{uid}/vscode-[0-9a-f]*-*-{shared,main}.sock rw, - owner @{run}/user/@{uid}/vscode-git-askpass-[0-9a-f]*.sock rw, + owner @{run}/user/@{uid}/vscode-@{hex}-*-{shared,main}.sock rw, + owner @{run}/user/@{uid}/vscode-git-askpass-@{hex}.sock rw, owner /tmp/vscode-ipc-@{uuid}.sock rw, # For installing extensions diff --git a/apparmor.d/groups/apps/flameshot b/apparmor.d/groups/apps/flameshot index 99ba7358..3c125dd3 100644 --- a/apparmor.d/groups/apps/flameshot +++ b/apparmor.d/groups/apps/flameshot 
@@ -54,7 +54,7 @@ profile flameshot @{exec_path} { owner /tmp/.*/{,s} rw, owner /tmp/*= rw, - owner /tmp/qipc_{systemsem,sharedmemory}_*[0-9a-f]* rw, + owner /tmp/qipc_{systemsem,sharedmemory}_*@{hex} rw, deny owner @{PROC}/@{pid}/cmdline r, deny @{PROC}/sys/kernel/random/boot_id r, diff --git a/apparmor.d/groups/apps/geany b/apparmor.d/groups/apps/geany index 1378c03b..4fec00d4 100644 --- a/apparmor.d/groups/apps/geany +++ b/apparmor.d/groups/apps/geany @@ -51,7 +51,7 @@ profile geany @{exec_path} { owner @{user_config_dirs}/geany/{,**} rw, - owner /{run/,}user/@{uid}/geany/geany_socket.[0-9a-f]* rw, + owner /{run/,}user/@{uid}/geany/geany_socket.@{hex} rw, # To read/write files in the system. The read permission is granted for all files, the write # permission only for the owner. Also, dirs like /dev/, /proc/, /sys/ are not included in @@ -110,7 +110,7 @@ profile geany @{exec_path} { /{usr/,}bin/dbus-daemon rPUx, # for dbus-launch - owner @{HOME}/.dbus/session-bus/[0-9a-f]*-[0-9] w, + owner @{HOME}/.dbus/session-bus/@{hex}-[0-9] w, @{HOME}/.Xauthority r, } diff --git a/apparmor.d/groups/apps/okular b/apparmor.d/groups/apps/okular index 96abdb7e..f65c6f56 100644 --- a/apparmor.d/groups/apps/okular +++ b/apparmor.d/groups/apps/okular @@ -85,7 +85,7 @@ profile okular @{exec_path} { # Print to pdf /{usr/,}bin/ps2pdf rPUx, - owner /tmp/[0-9a-f]* rw, + owner /tmp/@{hex} rw, owner /tmp/#[0-9]*[0-9] rw, owner /tmp/okular_*.ps rwl -> /tmp/#[0-9]*[0-9], diff --git a/apparmor.d/groups/apps/spotify b/apparmor.d/groups/apps/spotify index 7ddec0ec..1259e0f5 100644 --- a/apparmor.d/groups/apps/spotify +++ b/apparmor.d/groups/apps/spotify @@ -67,7 +67,7 @@ profile spotify @{exec_path} { /usr/share/X11/XErrorDB r, - owner /tmp/[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* rw, + owner /tmp/@{hex}-@{hex}-@{hex}-@{hex} rw, # What's this for? #owner /tmp/[0-9]*.[0-9]*.[0-9]*.[0-9]*-linux-*.zip rw, 
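Review bot: `owner /tmp/@{hex} rw` in the okular hunk now reads as "any hex-named temp file", but the pattern it replaces, `[0-9a-f]*`, only ever constrained the first character — the bare `*` matches anything after it — and unless `@{hex}` is defined without an unanchored `*` the new rule is just as broad. The rename makes a write rule on a shared directory look tighter than it is, which is the kind of thing a later auditor will misjudge. If the names okular actually creates are known (the adjacent `okular_*.ps` rule suggests they are), I would narrow the rule; otherwise a comment such as `# @{hex} is not a hex-only anchor, see tunables/extend` records the real scope. The same caveat applies to the spotify and telegram-desktop `/tmp` rules rewritten in this patch.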
diff --git a/apparmor.d/groups/apps/telegram-desktop b/apparmor.d/groups/apps/telegram-desktop index 00fa0bcd..d20ff118 100644 --- a/apparmor.d/groups/apps/telegram-desktop +++ b/apparmor.d/groups/apps/telegram-desktop @@ -59,8 +59,8 @@ profile telegram-desktop @{exec_path} { # Autostart owner @{user_config_dirs}/autostart/telegramdesktop.desktop rw, - owner /tmp/[0-9a-f]*-* rwk, - owner @{run}/user/@{uid}/[0-9a-f]*-* rwk, + owner /tmp/@{hex}-* rwk, + owner @{run}/user/@{uid}/@{hex}-* rwk, /dev/shm/#[0-9]*[0-9] rw, diff --git a/apparmor.d/groups/apt/apt b/apparmor.d/groups/apt/apt index 867c7679..7fc6a53a 100644 --- a/apparmor.d/groups/apt/apt +++ b/apparmor.d/groups/apt/apt @@ -34,7 +34,7 @@ profile apt @{exec_path} flags=(attach_disconnected) { unix (receive, send) type=stream peer=(label=apt-esm-json-hook), - dbus (send, receive) bus=system path=/org/debian/apt{,/transaction/[0-9a-f]*} + dbus (send, receive) bus=system path=/org/debian/apt{,/transaction/@{hex}} interface=org.{debian.apt*,freedesktop.DBus.{Properties,Introspectable}}, dbus send bus=system path=/org/freedesktop/PackageKit diff --git a/apparmor.d/groups/apt/synaptic b/apparmor.d/groups/apt/synaptic index 42e20413..57d7e1b0 100644 --- a/apparmor.d/groups/apt/synaptic +++ b/apparmor.d/groups/apt/synaptic @@ -170,7 +170,7 @@ profile synaptic @{exec_path} { /{usr/,}bin/dbus-daemon rPUx, # for dbus-launch - owner @{HOME}/.dbus/session-bus/[0-9a-f]*-[0-9] w, + owner @{HOME}/.dbus/session-bus/@{hex}-[0-9] w, @{HOME}/.Xauthority r, } diff --git a/apparmor.d/groups/browsers/firefox b/apparmor.d/groups/browsers/firefox index 766539bf..3d90db6e 100644 --- a/apparmor.d/groups/browsers/firefox +++ b/apparmor.d/groups/browsers/firefox 
@@ -118,7 +118,7 @@ profile firefox @{exec_path} flags=(attach_disconnected) { owner @{MOZ_HOMEDIR}/native-messaging-hosts/org.keepassxc.keepassxc_browser.json r, owner @{user_config_dirs}/ r, - owner @{user_config_dirs}/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]*} r, + owner @{user_config_dirs}/ibus/bus/{,@{hex}-unix-wayland-[0-9]*} r, owner @{user_config_dirs}/mimeapps.list{,.*} rw, owner @{user_cache_dirs}/ rw, diff --git a/apparmor.d/groups/browsers/firefox-crashreporter b/apparmor.d/groups/browsers/firefox-crashreporter index 1359d53f..683f27a9 100644 --- a/apparmor.d/groups/browsers/firefox-crashreporter +++ b/apparmor.d/groups/browsers/firefox-crashreporter @@ -39,8 +39,8 @@ profile firefox-crashreporter @{exec_path} flags=(attach_disconnected) { owner "@{MOZ_HOMEDIR}/firefox/Crash Reports/{,**}" rw, owner "@{MOZ_HOMEDIR}/firefox/Crash Reports/crashreporter.ini" rw, - owner "@{MOZ_HOMEDIR}/firefox/Crash Reports/events/[0-9a-f]*" rw, - owner "@{MOZ_HOMEDIR}/firefox/Crash Reports/pending/[0-9a-f]*.{dmp,extra}" rw, + owner "@{MOZ_HOMEDIR}/firefox/Crash Reports/events/@{hex}" rw, + owner "@{MOZ_HOMEDIR}/firefox/Crash Reports/pending/@{hex}.{dmp,extra}" rw, owner "@{MOZ_HOMEDIR}/firefox/Crash Reports/submit.log" rw, owner @{MOZ_HOMEDIR}/firefox/*.*/crashes/{,**} rw, @@ -53,7 +53,7 @@ profile firefox-crashreporter @{exec_path} flags=(attach_disconnected) { /tmp/ r, /var/tmp/ r, - owner /tmp/[0-9a-f]*.{dmp,extra} rw, + owner /tmp/@{hex}.{dmp,extra} rw, owner /tmp/firefox/.parentlock w, owner /dev/shm/org.mozilla.ipc.[0-9]*.[0-9]* r, diff --git a/apparmor.d/groups/browsers/firefox-minidump-analyzer b/apparmor.d/groups/browsers/firefox-minidump-analyzer index 497c22fe..77963126 100644 --- a/apparmor.d/groups/browsers/firefox-minidump-analyzer +++ b/apparmor.d/groups/browsers/firefox-minidump-analyzer 
@@ -22,14 +22,14 @@ profile firefox-minidump-analyzer @{exec_path} { owner "@{MOZ_HOMEDIR}/firefox/Crash Reports/" rw, owner "@{MOZ_HOMEDIR}/firefox/Crash Reports/pending/" rw, - owner "@{MOZ_HOMEDIR}/firefox/Crash Reports/pending/[0-9a-f]*.{dmp,extra}" rw, + owner "@{MOZ_HOMEDIR}/firefox/Crash Reports/pending/@{hex}.{dmp,extra}" rw, owner @{MOZ_HOMEDIR}/firefox/*.*/minidumps/ rw, owner @{MOZ_HOMEDIR}/firefox/*.*/minidumps/@{uuid}.{dmp,extra} rw, owner @{user_cache_dirs}/mozilla/firefox/*.*/startupCache/*Cache* r, - owner /tmp/[0-9a-f]*.{dmp,extra} rw, + owner /tmp/@{hex}.{dmp,extra} rw, owner /tmp/firefox/.parentlock w, owner /dev/shm/org.mozilla.ipc.[0-9]*.[0-9]* r, diff --git a/apparmor.d/groups/bus/ibus-dconf b/apparmor.d/groups/bus/ibus-dconf index 9e3ebd25..1ee1bdb0 100644 --- a/apparmor.d/groups/bus/ibus-dconf +++ b/apparmor.d/groups/bus/ibus-dconf @@ -24,10 +24,10 @@ profile ibus-dconf @{exec_path} flags=(attach_disconnected) { /etc/dconf/db/ibus r, /var/lib/dbus/machine-id r, - owner @{user_config_dirs}/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]*} r, - owner @{user_config_dirs}/ibus/bus/[0-9a-f]*-unix-[0-9]* r, - /var/lib/gdm/.config/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]*} r, - /var/lib/gdm/.config/ibus/bus/[0-9a-f]*-unix-[0-9]* r, + owner @{user_config_dirs}/ibus/bus/{,@{hex}-unix-wayland-[0-9]*} r, + owner @{user_config_dirs}/ibus/bus/@{hex}-unix-[0-9]* r, + /var/lib/gdm/.config/ibus/bus/{,@{hex}-unix-wayland-[0-9]*} r, + /var/lib/gdm/.config/ibus/bus/@{hex}-unix-[0-9]* r, /var/lib/gdm/.cache/dconf/ w, /var/lib/gdm/.cache/dconf/user rw, diff --git a/apparmor.d/groups/bus/ibus-engine-simple b/apparmor.d/groups/bus/ibus-engine-simple index eacefcd1..f03a11dc 100644 --- a/apparmor.d/groups/bus/ibus-engine-simple +++ b/apparmor.d/groups/bus/ibus-engine-simple 
@@ -19,8 +19,8 @@ profile ibus-engine-simple @{exec_path} flags=(attach_disconnected) { /etc/machine-id r, /var/lib/dbus/machine-id r, - /var/lib/gdm/.config/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]} r, - /var/lib/gdm/.config/ibus/bus/[0-9a-f]*-unix-[0-9] r, + /var/lib/gdm/.config/ibus/bus/{,@{hex}-unix-wayland-[0-9]} r, + /var/lib/gdm/.config/ibus/bus/@{hex}-unix-[0-9] r, owner /dev/tty[0-9]* rw, diff --git a/apparmor.d/groups/bus/ibus-memconf b/apparmor.d/groups/bus/ibus-memconf index 29c689e9..74283f55 100644 --- a/apparmor.d/groups/bus/ibus-memconf +++ b/apparmor.d/groups/bus/ibus-memconf @@ -17,7 +17,7 @@ profile ibus-memconf @{exec_path} { /etc/machine-id r, /var/lib/gdm{3,}/.config/ibus/bus/ r, - /var/lib/gdm{3,}/.config/ibus/bus/[0-9a-f]*-unix-[0-9]* r, + /var/lib/gdm{3,}/.config/ibus/bus/@{hex}-unix-[0-9]* r, include if exists } \ No newline at end of file diff --git a/apparmor.d/groups/bus/ibus-portal b/apparmor.d/groups/bus/ibus-portal index 2438a72a..c3d8437d 100644 --- a/apparmor.d/groups/bus/ibus-portal +++ b/apparmor.d/groups/bus/ibus-portal @@ -26,7 +26,7 @@ profile ibus-portal @{exec_path} flags=(attach_disconnected) { /var/lib/dbus/machine-id r, /var/lib/gdm/.config/ibus/bus/ r, - /var/lib/gdm/.config/ibus/bus/[0-9a-f]*-unix-{,wayland-}[0-9] r, + /var/lib/gdm/.config/ibus/bus/@{hex}-unix-{,wayland-}[0-9] r, owner /dev/tty[0-9]* rw, /dev/null rw, diff --git a/apparmor.d/groups/bus/ibus-x11 b/apparmor.d/groups/bus/ibus-x11 index ee1c9726..b9e927d2 100644 --- a/apparmor.d/groups/bus/ibus-x11 +++ b/apparmor.d/groups/bus/ibus-x11 
@@ -23,10 +23,10 @@ profile ibus-x11 @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - /var/lib/gdm/.config/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]} r, + /var/lib/gdm/.config/ibus/bus/{,@{hex}-unix-wayland-[0-9]} r, - owner @{user_config_dirs}/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]} r, - owner @{user_config_dirs}/ibus/bus/[0-9a-f]*-unix-[0-9] r, + owner @{user_config_dirs}/ibus/bus/{,@{hex}-unix-wayland-[0-9]} r, + owner @{user_config_dirs}/ibus/bus/@{hex}-unix-[0-9] r, owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* r, owner @{run}/user/@{uid}/gdm/Xauthority r, diff --git a/apparmor.d/groups/freedesktop/xdg-mime b/apparmor.d/groups/freedesktop/xdg-mime index bbc1eee6..139a0969 100644 --- a/apparmor.d/groups/freedesktop/xdg-mime +++ b/apparmor.d/groups/freedesktop/xdg-mime @@ -69,7 +69,7 @@ profile xdg-mime @{exec_path} flags=(attach_disconnected) { /{usr/,}bin/dbus-daemon rPx, @{HOME}/.Xauthority r, - owner @{HOME}/.dbus/session-bus/[0-9a-f]*-[0-9] w, + owner @{HOME}/.dbus/session-bus/@{hex}-[0-9] w, } diff --git a/apparmor.d/groups/freedesktop/xdg-open b/apparmor.d/groups/freedesktop/xdg-open index d6ddceae..9d96d6b0 100644 --- a/apparmor.d/groups/freedesktop/xdg-open +++ b/apparmor.d/groups/freedesktop/xdg-open @@ -61,7 +61,7 @@ profile xdg-open @{exec_path} flags=(attach_disconnected) { /{usr/,}bin/dbus-daemon rPx, # for dbus-launch - owner @{HOME}/.dbus/session-bus/[0-9a-f]*-[0-9] w, + owner @{HOME}/.dbus/session-bus/@{hex}-[0-9] w, @{HOME}/.Xauthority r, } diff --git a/apparmor.d/groups/freedesktop/xdg-settings b/apparmor.d/groups/freedesktop/xdg-settings index c2ea3fc3..1ee88592 100644 --- a/apparmor.d/groups/freedesktop/xdg-settings +++ b/apparmor.d/groups/freedesktop/xdg-settings @@ -64,7 +64,7 @@ profile xdg-settings @{exec_path} { /{usr/,}bin/dbus-daemon rPx, # for dbus-launch - owner @{HOME}/.dbus/session-bus/[0-9a-f]*-[0-9] w, + owner @{HOME}/.dbus/session-bus/@{hex}-[0-9] w, @{HOME}/.Xauthority r, } 
diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 3a8d278b..1ff379b4 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -150,13 +150,13 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { /var/lib/gdm{3,}/.cache/ w, /var/lib/gdm{3,}/.cache/mesa_shader_cache/ rw, /var/lib/gdm{3,}/.cache/mesa_shader_cache/[a-f0-9][a-f0-9]/ rw, - /var/lib/gdm{3,}/.cache/mesa_shader_cache/[a-f0-9][a-f0-9]/[0-9a-f]* rw, - /var/lib/gdm{3,}/.cache/mesa_shader_cache/[a-f0-9][a-f0-9]/[0-9a-f]*.tmp rwk, + /var/lib/gdm{3,}/.cache/mesa_shader_cache/[a-f0-9][a-f0-9]/@{hex} rw, + /var/lib/gdm{3,}/.cache/mesa_shader_cache/[a-f0-9][a-f0-9]/@{hex}.tmp rwk, /var/lib/gdm{3,}/.cache/mesa_shader_cache/index rw, /var/lib/gdm{3,}/.config/dconf/user r, /var/lib/gdm{3,}/.config/ibus/ rw, /var/lib/gdm{3,}/.config/ibus/bus/ rw, - /var/lib/gdm{3,}/.config/ibus/bus/[0-9a-f]*-unix-{,wayland-}[0-9] r, + /var/lib/gdm{3,}/.config/ibus/bus/@{hex}-unix-{,wayland-}[0-9] r, /var/lib/gdm{3,}/.config/pulse/ r, /var/lib/gdm{3,}/.config/pulse/client.conf r, /var/lib/gdm{3,}/.config/pulse/cookie rwk, diff --git a/apparmor.d/groups/gnome/tracker-miner b/apparmor.d/groups/gnome/tracker-miner index ce6051e1..4102052d 100644 --- a/apparmor.d/groups/gnome/tracker-miner +++ b/apparmor.d/groups/gnome/tracker-miner @@ -41,7 +41,7 @@ profile tracker-miner @{exec_path} { /var/lib/gdm{3,}/.cache/tracker3/tracker3/files/{,**} rwk, /var/lib/gdm{3,}/greeter-dconf-defaults r, - owner /var/tmp/etilqs_[0-9a-f]* rw, + owner /var/tmp/etilqs_@{hex} rw, # Allow to search user files owner @{HOME}/{,**} r, diff --git a/apparmor.d/groups/gpg/gpg-agent b/apparmor.d/groups/gpg/gpg-agent index 4bf35cbd..31a90ffc 100644 --- a/apparmor.d/groups/gpg/gpg-agent +++ b/apparmor.d/groups/gpg/gpg-agent 
@@ -25,53 +25,53 @@ profile gpg-agent @{exec_path} { owner @{HOME}/@{XDG_GPG_DIR}/ rw, owner @{HOME}/@{XDG_GPG_DIR}/gpg-agent.conf r, owner @{HOME}/@{XDG_GPG_DIR}/private-keys-v1.d/ rw, - owner @{HOME}/@{XDG_GPG_DIR}/private-keys-v1.d/[0-9A-F]*.key rw, + owner @{HOME}/@{XDG_GPG_DIR}/private-keys-v1.d/@{hex}.key rw, owner @{HOME}/@{XDG_GPG_DIR}/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw, owner @{HOME}/@{XDG_GPG_DIR}/sshcontrol r, owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/ rw, owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/gpg-agent.conf r, owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/private-keys-v1.d/ rw, - owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/private-keys-v1.d/[0-9A-F]*.key rw, + owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/private-keys-v1.d/@{hex}.key rw, owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw, owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/sshcontrol r, owner @{user_projects_dirs}/**/{.,}gnupg/ rw, owner @{user_projects_dirs}/**/{.,}gnupg/gpg-agent.conf r, owner @{user_projects_dirs}/**/{.,}gnupg/private-keys-v1.d/ rw, - owner @{user_projects_dirs}/**/{.,}gnupg/private-keys-v1.d/[0-9A-F]*.key rw, + owner @{user_projects_dirs}/**/{.,}gnupg/private-keys-v1.d/@{hex}.key rw, owner @{user_projects_dirs}/**/{.,}gnupg/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw, owner @{user_projects_dirs}/**/{.,}gnupg/sshcontrol r, owner @{run}/user/@{uid}/gnupg/ rw, owner @{run}/user/@{uid}/gnupg/gpg-agent.conf r, owner @{run}/user/@{uid}/gnupg/private-keys-v1.d/ rw, - owner @{run}/user/@{uid}/gnupg/private-keys-v1.d/[0-9A-F]*.key rw, + owner @{run}/user/@{uid}/gnupg/private-keys-v1.d/@{hex}.key rw, owner @{run}/user/@{uid}/gnupg/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw, owner @{run}/user/@{uid}/gnupg/sshcontrol r, owner @{user_tmp_dirs}/**/{.,}gnupg/ rw, owner @{user_tmp_dirs}/**/{.,}gnupg/gpg-agent.conf r, owner @{user_tmp_dirs}/**/{.,}gnupg/private-keys-v1.d/ rw, - owner @{user_tmp_dirs}/**/{.,}gnupg/private-keys-v1.d/[0-9A-F]*.key rw, + owner 
@{user_tmp_dirs}/**/{.,}gnupg/private-keys-v1.d/@{hex}.key rw, owner @{user_tmp_dirs}/**/{.,}gnupg/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw, owner @{user_tmp_dirs}/**/{.,}gnupg/sshcontrol r, owner /var/lib/*/.gnupg/ rw, owner /var/lib/*/.gnupg/private-keys-v1.d/ rw, - owner /var/lib/*/.gnupg/private-keys-v1.d/[0-9A-F]*.key rw, + owner /var/lib/*/.gnupg/private-keys-v1.d/@{hex}.key rw, owner /var/lib/*/.gnupg/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw, owner /var/lib/*/.gnupg/sshcontrol r, owner /var/lib/*/gnupg/ rw, owner /var/lib/*/gnupg/private-keys-v1.d/ rw, - owner /var/lib/*/gnupg/private-keys-v1.d/[0-9A-F]*.key rw, + owner /var/lib/*/gnupg/private-keys-v1.d/@{hex}.key rw, owner /var/lib/*/gnupg/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw, owner /var/lib/*/gnupg/sshcontrol r, owner /tmp/tmp.*/gnupg/ rw, owner /tmp/tmp.*/gnupg/private-keys-v1.d/ rw, - owner /tmp/tmp.*/gnupg/private-keys-v1.d/[0-9A-F]*.key rw, + owner /tmp/tmp.*/gnupg/private-keys-v1.d/@{hex}.key rw, owner /tmp/tmp.*/gnupg/{,d.*/}S.gpg-agent rw, owner /tmp/tmp.*/gnupg/sshcontrol r, diff --git a/apparmor.d/groups/gpg/gpg-connect-agent b/apparmor.d/groups/gpg/gpg-connect-agent index fc3b7da5..81b02003 100644 --- a/apparmor.d/groups/gpg/gpg-connect-agent +++ b/apparmor.d/groups/gpg/gpg-connect-agent @@ -21,9 +21,9 @@ profile gpg-connect-agent @{exec_path} { owner @{run}/user/@{uid}/gnupg/d.*/ rw, - owner /tmp/tmp.*/.#lk0x[0-9a-f]*.*.@{pid} rw, - owner /tmp/tmp.*/.#lk0x[0-9a-f]*.*.@{pid}x rwl -> /tmp/*/.#lk0x[0-9a-f]*.*.@{pid}, - owner /tmp/tmp.*/gnupg_spawn_agent_sentinel.lock rwl -> /tmp/*/.#lk0x[0-9a-f]*.*.@{pid}, + owner /tmp/tmp.*/.#lk0x@{hex}.*.@{pid} rw, + owner /tmp/tmp.*/.#lk0x@{hex}.*.@{pid}x rwl -> /tmp/*/.#lk0x@{hex}.*.@{pid}, + owner /tmp/tmp.*/gnupg_spawn_agent_sentinel.lock rwl -> /tmp/*/.#lk0x@{hex}.*.@{pid}, include if exists } diff --git a/apparmor.d/groups/systemd/bootctl b/apparmor.d/groups/systemd/bootctl index f754f9fa..ff1aa886 100644 
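Review bot: Every `private-keys-v1.d/@{hex}.key` rule in the gpg-agent hunk replaces an upper-case pattern, `[0-9A-F]*.key`, and GnuPG keygrip file names are upper-case hex. The rewrite is therefore only equivalent if `@{hex}` is defined case-insensitively (something like `[0-9a-fA-F]*`); with a lower-case-only definition gpg-agent would be denied its own private keys, which fails closed but breaks signing and SSH-agent use everywhere. The definition is in tunables/extend, touched by this patch but outside this chunk, so please confirm it covers `A-F`, and consider a comment on the first such rule, `# keygrips are upper-case hex; @{hex} must match A-F`, so a future tightening of the variable does not silently break this. The bootctl `Boot@{hex}` rule later in the patch makes the same assumption.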
--- a/apparmor.d/groups/systemd/bootctl +++ b/apparmor.d/groups/systemd/bootctl @@ -24,11 +24,11 @@ profile bootctl @{exec_path} { /{boot,efi}/ r, /{boot,efi}/EFI/{,**} r, - /{boot,efi}/EFI/BOOT/.#BOOT*.EFI[0-9a-f]* rw, + /{boot,efi}/EFI/BOOT/.#BOOT*.EFI@{hex} rw, /{boot,efi}/EFI/BOOT/BOOTX64.EFI w, - /{boot,efi}/EFI/systemd/.#systemd-boot*.efi[0-9a-f]* rw, + /{boot,efi}/EFI/systemd/.#systemd-boot*.efi@{hex} rw, /{boot,efi}/EFI/systemd/systemd-boot*.efi w, - /{boot,efi}/loader/.#bootctlrandom-seed[0-9a-f]* rw, + /{boot,efi}/loader/.#bootctlrandom-seed@{hex} rw, /{boot,efi}/loader/.#entries.srel* w, /{boot,efi}/loader/{,**} r, /{boot,efi}/loader/entries.srel w, @@ -47,7 +47,7 @@ profile bootctl @{exec_path} { @{sys}/firmware/dmi/entries/*/raw r, @{sys}/firmware/efi/efivars/ r, @{sys}/firmware/efi/efivars/AuditMode-@{uuid} r, - @{sys}/firmware/efi/efivars/Boot[0-9A-F]*-@{uuid} r, + @{sys}/firmware/efi/efivars/Boot@{hex}-@{uuid} r, @{sys}/firmware/efi/efivars/BootOrder-@{uuid} r, @{sys}/firmware/efi/efivars/DeployedMode-@{uuid} r, @{sys}/firmware/efi/efivars/LoaderDevicePartUUID-@{uuid} r, diff --git a/apparmor.d/groups/systemd/coredumpctl b/apparmor.d/groups/systemd/coredumpctl index 7fadbcf7..5bf16d3b 100644 --- a/apparmor.d/groups/systemd/coredumpctl +++ b/apparmor.d/groups/systemd/coredumpctl 
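Review bot: `@{sys}/firmware/efi/efivars/Boot@{hex}-@{uuid} r` in the second bootctl hunk replaced `Boot[0-9A-F]*`; UEFI load options are named `Boot0000` through `BootFFFF` in upper-case hex, so this now depends on `@{hex}` matching `A-F`, which cannot be checked from this chunk. If the variable is case-insensitive the rule still works, but the old pattern was already looser than needed and this keeps it so; a fixed-width form such as `Boot[0-9A-F][0-9A-F][0-9A-F][0-9A-F]-@{uuid}` would match exactly the entries bootctl enumerates. Either way a comment `# BootXXXX load options, upper-case hex` would record the assumption next to the rule.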
@@ -26,13 +26,13 @@ profile coredumpctl @{exec_path} flags=(complain) { owner /var/tmp/coredump-* rw, - /var/lib/systemd/coredump/core.*.[0-9]*.[0-9a-f]*.[0-9]*.[0-9]*.zst r, + /var/lib/systemd/coredump/core.*.[0-9]*.@{hex}.[0-9]*.[0-9]*.zst r, /{run,var}/log/journal/ r, - /{run,var}/log/journal/[0-9a-f]*/ r, - /{run,var}/log/journal/[0-9a-f]*/user-[0-9a-f]*.journal* r, - /{run,var}/log/journal/[0-9a-f]*/system.journal* r, - /{run,var}/log/journal/[0-9a-f]*/system@[0-9a-f]*.journal* r, + /{run,var}/log/journal/@{hex}/ r, + /{run,var}/log/journal/@{hex}/user-@{hex}.journal* r, + /{run,var}/log/journal/@{hex}/system.journal* r, + /{run,var}/log/journal/@{hex}/system@@{hex}.journal* r, owner @{PROC}/@{pid}/cgroup r, @{PROC}/1/cgroup r, diff --git a/apparmor.d/groups/systemd/journalctl b/apparmor.d/groups/systemd/journalctl index 1768c1af..a8527160 100644 --- a/apparmor.d/groups/systemd/journalctl +++ b/apparmor.d/groups/systemd/journalctl @@ -34,12 +34,12 @@ profile journalctl @{exec_path} { /var/lib/systemd/catalog/.#database* rw, /{run,var}/log/journal/ r, - /{run,var}/log/journal/[0-9a-f]*/ r, - /{run,var}/log/journal/[0-9a-f]*/system.journal* r, - /{run,var}/log/journal/[0-9a-f]*/system@[0-9a-f]*.journal* rw, - /{run,var}/log/journal/[0-9a-f]*/user-[0-9a-f]*.journal* rw, - owner /{run,var}/log/journal/[0-9a-f]*/fss wl -> /var/log/journal/[0-9a-f]*/fss.tmp.*, - owner /{run,var}/log/journal/[0-9a-f]*/fss.tmp.* rw, + /{run,var}/log/journal/@{hex}/ r, + /{run,var}/log/journal/@{hex}/system.journal* r, + /{run,var}/log/journal/@{hex}/system@@{hex}.journal* rw, + /{run,var}/log/journal/@{hex}/user-@{hex}.journal* rw, + owner /{run,var}/log/journal/@{hex}/fss wl -> /var/log/journal/@{hex}/fss.tmp.*, + owner /{run,var}/log/journal/@{hex}/fss.tmp.* rw, owner /var/tmp/#[0-9]* rw, @{run}/host/container-manager r, diff --git a/apparmor.d/groups/systemd/networkctl b/apparmor.d/groups/systemd/networkctl index 40fcb4c8..7006a77f 100644 --- a/apparmor.d/groups/systemd/networkctl 
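Review bot: The rewritten `fss` link rule in the journalctl hunk allows a source under `/{run,var}/log/journal/@{hex}/fss` but only a `/var/log/journal/@{hex}/fss.tmp.*` target, so a volatile journal under `/run/log/journal` cannot be linked to its own temp file even though the `fss.tmp.*` rw rule on the next line covers both roots; the mismatch predates this patch, but the line was rewritten here and is the natural place to fix it. Unless linking across the two roots is intended, `owner /{run,var}/log/journal/@{hex}/fss wl -> /{run,var}/log/journal/@{hex}/fss.tmp.*,` keeps the target in step with the source. The `system@@{hex}.journal*` form presumably parses as a literal `@` followed by the variable, but a reader may take the doubled `@` for a typo, so a short comment such as `# system@<seqnum>: literal @ before @{hex}` would help.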
+++ b/apparmor.d/groups/systemd/networkctl @@ -42,10 +42,10 @@ profile networkctl @{exec_path} flags=(attach_disconnected,complain) { # To be able to read logs @{run}/log/ r, /{run,var}/log/journal/ r, - /{run,var}/log/journal/[0-9a-f]*/ r, - /{run,var}/log/journal/[0-9a-f]*/user-[0-9a-f]*.journal* r, - /{run,var}/log/journal/[0-9a-f]*/system.journal* r, - /{run,var}/log/journal/[0-9a-f]*/system@[0-9a-f]*.journal* r, + /{run,var}/log/journal/@{hex}/ r, + /{run,var}/log/journal/@{hex}/user-@{hex}.journal* r, + /{run,var}/log/journal/@{hex}/system.journal* r, + /{run,var}/log/journal/@{hex}/system@@{hex}.journal* r, @{run}/systemd/netif/links/[0-9]* r, @{run}/systemd/netif/state r, diff --git a/apparmor.d/groups/systemd/systemd-journald b/apparmor.d/groups/systemd/systemd-journald index 26efae51..71d8cb14 100644 --- a/apparmor.d/groups/systemd/systemd-journald +++ b/apparmor.d/groups/systemd/systemd-journald @@ -30,11 +30,11 @@ profile systemd-journald @{exec_path} { @{run}/log/ rw, /{run,var}/log/journal/ rw, - /{run,var}/log/journal/[0-9a-f]*/ rw, - /{run,var}/log/journal/[0-9a-f]*/user-[0-9a-f]*.journal* rw, - /{run,var}/log/journal/[0-9a-f]*/system.journal* rw, - /{run,var}/log/journal/[0-9a-f]*/system@[0-9a-f]*.journal* rw, - /{run,var}/log/journal/[0-9a-f]*/fss rw, + /{run,var}/log/journal/@{hex}/ rw, + /{run,var}/log/journal/@{hex}/user-@{hex}.journal* rw, + /{run,var}/log/journal/@{hex}/system.journal* rw, + /{run,var}/log/journal/@{hex}/system@@{hex}.journal* rw, + /{run,var}/log/journal/@{hex}/fss rw, owner @{run}/systemd/journal/{,**} rw, owner @{run}/systemd/notify rw, diff --git a/apparmor.d/groups/virt/containerd b/apparmor.d/groups/virt/containerd index bfdcd25e..971dda22 100644 --- a/apparmor.d/groups/virt/containerd +++ b/apparmor.d/groups/virt/containerd 
@@ -31,12 +31,12 @@ profile containerd @{exec_path} flags=(attach_disconnected) { network inet6 stream, network netlink raw, - mount fstype=tmpfs options in (rw, nosuid, nodev, noexec) -> @{run}/containerd/io.containerd.grpc.v1.cri/sandboxes/[0-9a-f]*/shm/, + mount fstype=tmpfs options in (rw, nosuid, nodev, noexec) -> @{run}/containerd/io.containerd.grpc.v1.cri/sandboxes/@{hex}/shm/, mount -> /var/lib/containerd/tmpmounts/containerd-mount[0-9]*/, mount -> /tmp/ctd-volume[0-9]*/, mount options in (rw, bind, nosuid, nodev, noexec) -> @{run}/netns/cni-@{uuid}, - umount @{run}/containerd/io.containerd.grpc.v1.cri/sandboxes/[0-9a-f]*/shm/, + umount @{run}/containerd/io.containerd.grpc.v1.cri/sandboxes/@{hex}/shm/, umount /var/lib/containerd/tmpmounts/containerd-mount[0-9]*/, umount /tmp/ctd-volume[0-9]*/, umount @{run}/netns/cni-@{uuid}, diff --git a/apparmor.d/groups/virt/containerd-shim-runc-v2 b/apparmor.d/groups/virt/containerd-shim-runc-v2 index 75778688..3fbe0542 100644 --- a/apparmor.d/groups/virt/containerd-shim-runc-v2 +++ b/apparmor.d/groups/virt/containerd-shim-runc-v2 @@ -22,8 +22,8 @@ profile containerd-shim-runc-v2 @{exec_path} flags=(attach_disconnected) { ptrace (read) peer=containerd, ptrace (read) peer=unconfined, - mount -> /run/containerd/io.containerd.runtime.v2.task/k8s.io/[0-9a-f]*/rootfs/, - umount /run/containerd/io.containerd.runtime.v2.task/k8s.io/[0-9a-f]*/rootfs/, + mount -> /run/containerd/io.containerd.runtime.v2.task/k8s.io/@{hex}/rootfs/, + umount /run/containerd/io.containerd.runtime.v2.task/k8s.io/@{hex}/rootfs/, @{exec_path} mrix, 
@@ -34,12 +34,12 @@ profile containerd-shim-runc-v2 @{exec_path} flags=(attach_disconnected) {
 /tmp/pty[0-9]*/pty.sock rw,
 @{run}/containerd/{,containerd.sock.ttrpc} rw,
- @{run}/containerd/io.containerd.grpc.v1.cri/containers/[0-9a-f]*/io/[0-9]*/[0-9a-f]*-{stdin,stdout,stderr} rw,
- @{run}/containerd/io.containerd.runtime.v2.task/{moby,k8s.io}/[0-9a-f]*/{,*} rw,
- @{run}/containerd/s/{,[0-9a-f]*} rw,
+ @{run}/containerd/io.containerd.grpc.v1.cri/containers/@{hex}/io/[0-9]*/@{hex}-{stdin,stdout,stderr} rw,
+ @{run}/containerd/io.containerd.runtime.v2.task/{moby,k8s.io}/@{hex}/{,*} rw,
+ @{run}/containerd/s/{,@{hex}} rw,
- @{run}/docker/containerd/[0-9a-f]*/[0-9a-f]*-{stdin,stdout,stderr} rw,
- @{run}/docker/containerd/[0-9a-f]*/init-{stdin,stdout,stderr} rw,
+ @{run}/docker/containerd/@{hex}/@{hex}-{stdin,stdout,stderr} rw,
+ @{run}/docker/containerd/@{hex}/init-{stdin,stdout,stderr} rw,
 @{run}/docker/containerd/daemon/io.containerd.*/{,**} rw,
 @{run}/secrets/kubernetes.io/serviceaccount/*/token w,
diff --git a/apparmor.d/groups/virt/k3s b/apparmor.d/groups/virt/k3s
index 1a5e667e..097aa2ec 100644
--- a/apparmor.d/groups/virt/k3s
+++ b/apparmor.d/groups/virt/k3s
@@ -61,7 +61,7 @@ profile k3s @{exec_path} {
 /{usr/,}{s,}bin/xtables-nft-multi rPx -> cni-xtables-nft,
 @{libexec}/kubernetes/kubelet-plugins/volume/exec/nodeagent~uds/uds rix,
- /var/lib/rancher/k3s/data/[0-9a-f]*/bin/* rix,
+ /var/lib/rancher/k3s/data/@{hex}/bin/* rix,
 @{libexec}/kubernetes/kubelet-plugins/volume/exec/{,**} r,
 /usr/share/mime/globs2 r,
@@ -145,7 +145,7 @@ profile k3s @{exec_path} {
 @{sys}/devices/virtual/block/*/** r,
 @{sys}/devices/virtual/dmi/id/* r,
- @{sys}/devices/virtual/net/cali[0-9a-f]*/{address,mtu,speed} r,
+ @{sys}/devices/virtual/net/cali@{hex}/{address,mtu,speed} r,
 @{sys}/devices/virtual/net/vxlan.calico/{address,mtu,speed} r,
 @{sys}/fs/cgroup/{,*,*/} r,
diff --git a/apparmor.d/profiles-a-f/aa-log b/apparmor.d/profiles-a-f/aa-log
index 103c4ed9..1f8b7f01 100644
--- a/apparmor.d/profiles-a-f/aa-log
+++ b/apparmor.d/profiles-a-f/aa-log
@@ -29,9 +29,9 @@ profile aa-log @{exec_path} {
 /etc/machine-id r,
 /{run,var}/log/journal/ r,
- /{run,var}/log/journal/[0-9a-f]*/ r,
- /{run,var}/log/journal/[0-9a-f]*/user-@{uid}*.journal* r,
- /{run,var}/log/journal/[0-9a-f]*/user-@{uid}.journal r,
+ /{run,var}/log/journal/@{hex}/ r,
+ /{run,var}/log/journal/@{hex}/user-@{uid}*.journal* r,
+ /{run,var}/log/journal/@{hex}/user-@{uid}.journal r,
 @{PROC}/sys/kernel/random/boot_id r,
 @{PROC}/sys/kernel/cap_last_cap r,
diff --git a/apparmor.d/profiles-a-f/anki b/apparmor.d/profiles-a-f/anki
index ad78d0a0..43497f36 100644
--- a/apparmor.d/profiles-a-f/anki
+++ b/apparmor.d/profiles-a-f/anki
@@ -55,9 +55,9 @@ profile anki @{exec_path} {
 owner @{user_cache_dirs}/ rw,
 owner @{user_cache_dirs}/qtshadercache/ rw,
 owner @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9] rw,
- owner @{user_cache_dirs}/qtshadercache/[0-9a-f]* rwl -> @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9],
+ owner @{user_cache_dirs}/qtshadercache/@{hex} rwl -> @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9],
 owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9] rw,
- owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/[0-9a-f]* rwl -> @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9],
+ owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/@{hex} rwl -> @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9],
 /usr/share/anki/{,**} r,
diff --git a/apparmor.d/profiles-a-f/claws-mail b/apparmor.d/profiles-a-f/claws-mail
index df4b007b..ab8f5d95 100644
--- a/apparmor.d/profiles-a-f/claws-mail
+++ b/apparmor.d/profiles-a-f/claws-mail
@@ -43,8 +43,8 @@ profile claws-mail @{exec_path} flags=(complain) {
 owner @{HOME}/.claws-mail/** rwl -> @{HOME}/.claws-mail/**,
 owner /tmp/claws-mail-[0-9]*/ rw,
- owner /tmp/claws-mail-[0-9]*/[0-9a-f]* rw,
- owner /tmp/claws-mail-[0-9]*/[0-9a-f]*.lock rwk,
+ owner /tmp/claws-mail-[0-9]*/@{hex} rw,
+ owner /tmp/claws-mail-[0-9]*/@{hex}.lock rwk,
 owner /var/mail/* rwk,
diff --git a/apparmor.d/profiles-a-f/deltachat-desktop b/apparmor.d/profiles-a-f/deltachat-desktop
index e63a799a..a0771b1e 100644
--- a/apparmor.d/profiles-a-f/deltachat-desktop
+++ b/apparmor.d/profiles-a-f/deltachat-desktop
@@ -49,10 +49,10 @@ profile deltachat-desktop @{exec_path} {
 /usr/share/glib-2.0/schemas/gschemas.compiled r,
- owner /tmp/[0-9a-f]*/ rw,
- owner /tmp/[0-9a-f]*/db.sqlite-blobs/ rw,
- owner /tmp/[0-9a-f]*/db.sqlite rwk,
- owner /tmp/[0-9a-f]*/db.sqlite-journal rw,
+ owner /tmp/@{hex}/ rw,
+ owner /tmp/@{hex}/db.sqlite-blobs/ rw,
+ owner /tmp/@{hex}/db.sqlite rwk,
+ owner /tmp/@{hex}/db.sqlite-journal rw,
 @{PROC}/ r,
 owner @{PROC}/@{pid}/fd/ r,
diff --git a/apparmor.d/profiles-g-l/gpo b/apparmor.d/profiles-g-l/gpo
index a8008aff..aad4a3c0 100644
--- a/apparmor.d/profiles-g-l/gpo
+++ b/apparmor.d/profiles-g-l/gpo
@@ -40,7 +40,7 @@ profile gpo @{exec_path} {
 /etc/inputrc r,
- owner /var/tmp/etilqs_[0-9a-f]* rw,
+ owner /var/tmp/etilqs_@{hex} rw,
 include if exists
 }
diff --git a/apparmor.d/profiles-g-l/gpodder b/apparmor.d/profiles-g-l/gpodder
index ccfad166..6a8a65ee 100644
--- a/apparmor.d/profiles-g-l/gpodder
+++ b/apparmor.d/profiles-g-l/gpodder
@@ -46,7 +46,7 @@ profile gpodder @{exec_path} {
 /usr/share/glib-2.0/schemas/gschemas.compiled r,
- owner /var/tmp/etilqs_[0-9a-f]* rw,
+ owner /var/tmp/etilqs_@{hex} rw,
 /etc/mime.types r,
diff --git a/apparmor.d/profiles-g-l/gsmartcontrol b/apparmor.d/profiles-g-l/gsmartcontrol
index 8adee824..cdb3c20c 100644
--- a/apparmor.d/profiles-g-l/gsmartcontrol
+++ b/apparmor.d/profiles-g-l/gsmartcontrol
@@ -76,7 +76,7 @@ profile gsmartcontrol @{exec_path} {
 /{usr/,}bin/dbus-daemon rPUx, # for dbus-launch
- owner @{HOME}/.dbus/session-bus/[0-9a-f]*-[0-9] w,
+ owner @{HOME}/.dbus/session-bus/@{hex}-[0-9] w,
 @{HOME}/.Xauthority r,
 }
diff --git a/apparmor.d/profiles-g-l/hw-probe b/apparmor.d/profiles-g-l/hw-probe
index d4f74177..71dc7ece 100644
--- a/apparmor.d/profiles-g-l/hw-probe
+++ b/apparmor.d/profiles-g-l/hw-probe
@@ -132,10 +132,10 @@ profile hw-probe @{exec_path} {
 @{run}/log/ rw,
 /{run,var}/log/journal/ rw,
- /{run,var}/log/journal/[0-9a-f]*/ rw,
- /{run,var}/log/journal/[0-9a-f]*/user-[0-9a-f]*.journal* rw,
- /{run,var}/log/journal/[0-9a-f]*/system.journal* rw,
- /{run,var}/log/journal/[0-9a-f]*/system@[0-9a-f]*.journal* rw,
+ /{run,var}/log/journal/@{hex}/ rw,
+ /{run,var}/log/journal/@{hex}/user-@{hex}.journal* rw,
+ /{run,var}/log/journal/@{hex}/system.journal* rw,
+ /{run,var}/log/journal/@{hex}/system@@{hex}.journal* rw,
 owner @{PROC}/@{pid}/stat r,
diff --git a/apparmor.d/profiles-g-l/jdownloader b/apparmor.d/profiles-g-l/jdownloader
index 06eb5fee..cafeb2da 100644
--- a/apparmor.d/profiles-g-l/jdownloader
+++ b/apparmor.d/profiles-g-l/jdownloader
@@ -51,7 +51,7 @@ profile jdownloader @{exec_path} {
 owner @{JD_INSTALLDIR}/tmp/jna/jna[0-9]*.tmp mrw,
 owner @{JD_INSTALLDIR}/tmp/7zip/SevenZipJBinding-*/lib7-Zip-JBinding.so mrw,
- owner @{HOME}/.oracle_jre_usage/[0-9a-f]*.timestamp rw,
+ owner @{HOME}/.oracle_jre_usage/@{hex}.timestamp rw,
 owner @{HOME}/.java/.userPrefs/.user.lock.* rwk,
 owner @{HOME}/.java/.userPrefs/com/install4j/installations/prefs.xml rw,
 owner @{HOME}/.java/fonts/[0-9]*/ rw,
diff --git a/apparmor.d/profiles-g-l/jdownloader-install b/apparmor.d/profiles-g-l/jdownloader-install
index 9bf9a3b2..f714676d 100644
--- a/apparmor.d/profiles-g-l/jdownloader-install
+++ b/apparmor.d/profiles-g-l/jdownloader-install
@@ -48,7 +48,7 @@ profile jdownloader-install @{exec_path} {
 owner @{JD_SH_PATH}/JD2Setup_{x86,x64}.sh.[0-9]*.dir/jre/lib/*/*.so mrw,
 owner @{JD_SH_PATH}/install4jError[0-9]*.log rw,
- owner @{HOME}/.oracle_jre_usage/[0-9a-f]*.timestamp rw,
+ owner @{HOME}/.oracle_jre_usage/@{hex}.timestamp rw,
 owner @{HOME}/.java/.userPrefs/.user.lock.* rwk,
 owner @{HOME}/.java/fonts/[0-9]*/fcinfo*.tmp rw,
 owner @{HOME}/.java/fonts/[0-9]*/fcinfo-*.properties rw,
diff --git a/apparmor.d/profiles-g-l/kscreenlocker-greet b/apparmor.d/profiles-g-l/kscreenlocker-greet
index f3195cdf..39d5df21 100644
--- a/apparmor.d/profiles-g-l/kscreenlocker-greet
+++ b/apparmor.d/profiles-g-l/kscreenlocker-greet
@@ -43,9 +43,9 @@ profile kscreenlocker-greet @{exec_path} {
 owner @{user_cache_dirs}/ rw,
 owner @{user_cache_dirs}/qtshadercache/ rw,
 owner @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9] rw,
- owner @{user_cache_dirs}/qtshadercache/[0-9a-f]* rwl -> @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9],
+ owner @{user_cache_dirs}/qtshadercache/@{hex} rwl -> @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9],
 owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9] rw,
- owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/[0-9a-f]* rwl -> @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9],
+ owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/@{hex} rwl -> @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9],
 owner @{user_cache_dirs}/plasma-svgelements-default_v* r,
diff --git a/apparmor.d/profiles-g-l/linssid b/apparmor.d/profiles-g-l/linssid
index e9ba32da..507e9c9f 100644
--- a/apparmor.d/profiles-g-l/linssid
+++ b/apparmor.d/profiles-g-l/linssid
@@ -103,7 +103,7 @@ profile linssid @{exec_path} {
 /{usr/,}bin/dbus-daemon rPUx, # for dbus-launch
- owner @{HOME}/.dbus/session-bus/[0-9a-f]*-[0-9] w,
+ owner @{HOME}/.dbus/session-bus/@{hex}-[0-9] w,
 @{HOME}/.Xauthority r,
 }
diff --git a/apparmor.d/profiles-g-l/lxappearance b/apparmor.d/profiles-g-l/lxappearance
index 3c03b63f..1f8dd52e 100644
--- a/apparmor.d/profiles-g-l/lxappearance
+++ b/apparmor.d/profiles-g-l/lxappearance
@@ -59,7 +59,7 @@ profile lxappearance @{exec_path} {
 /{usr/,}bin/dbus-daemon rPUx, # for dbus-launch
- owner @{HOME}/.dbus/session-bus/[0-9a-f]*-[0-9] w,
+ owner @{HOME}/.dbus/session-bus/@{hex}-[0-9] w,
 @{HOME}/.Xauthority r,
 }
diff --git a/apparmor.d/profiles-m-r/minitube b/apparmor.d/profiles-m-r/minitube
index 5701e0c9..22bee6fb 100644
--- a/apparmor.d/profiles-m-r/minitube
+++ b/apparmor.d/profiles-m-r/minitube
@@ -60,9 +60,9 @@ profile minitube @{exec_path} {
 owner @{user_cache_dirs}/qtshadercache/ rw,
 owner @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9] rw,
- owner @{user_cache_dirs}/qtshadercache/[0-9a-f]* rwl -> @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9],
+ owner @{user_cache_dirs}/qtshadercache/@{hex} rwl -> @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9],
 owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9] rw,
- owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/[0-9a-f]* rwl -> @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9],
+ owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/@{hex} rwl -> @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9],
 # To configure Qt5 settings (theme, font, icons, etc.) under DE/WM without Qt integration
 owner @{user_config_dirs}/qt5ct/{,**} r,
diff --git a/apparmor.d/profiles-m-r/mkvtoolnix-gui b/apparmor.d/profiles-m-r/mkvtoolnix-gui
index 48d55c09..b5ef4cf2 100644
--- a/apparmor.d/profiles-m-r/mkvtoolnix-gui
+++ b/apparmor.d/profiles-m-r/mkvtoolnix-gui
@@ -80,7 +80,7 @@ profile mkvtoolnix-gui @{exec_path} {
 owner @{user_cache_dirs}/bunkus.org/ rw,
 owner @{user_cache_dirs}/bunkus.org/mkvtoolnix-gui/ rw,
 owner @{user_cache_dirs}/bunkus.org/mkvtoolnix-gui/**/ rw,
- owner @{user_cache_dirs}/bunkus.org/mkvtoolnix-gui/**/[0-9a-f]* rw,
+ owner @{user_cache_dirs}/bunkus.org/mkvtoolnix-gui/**/@{hex} rw,
 owner @{user_config_dirs}/qt5ct/{,**} r,
 /usr/share/qt5ct/** r,
diff --git a/apparmor.d/profiles-m-r/openbox b/apparmor.d/profiles-m-r/openbox
index 05a758b9..f20a8e3d 100644
--- a/apparmor.d/profiles-m-r/openbox
+++ b/apparmor.d/profiles-m-r/openbox
@@ -35,7 +35,7 @@ profile openbox @{exec_path} {
 owner @{user_config_dirs}/openbox/ r,
 owner @{user_config_dirs}/openbox/* r,
- owner @{user_config_dirs}/obmenu-generator/icons/[0-9a-f]*.png r,
+ owner @{user_config_dirs}/obmenu-generator/icons/@{hex}.png r,
 owner @{user_cache_dirs}/ rw,
 owner @{user_cache_dirs}/openbox/ rw,
diff --git a/apparmor.d/profiles-m-r/psi b/apparmor.d/profiles-m-r/psi
index 372c5f83..f074e1b1 100644
--- a/apparmor.d/profiles-m-r/psi
+++ b/apparmor.d/profiles-m-r/psi
@@ -82,7 +82,7 @@ profile psi @{exec_path} {
 /etc/fstab r,
- owner /var/tmp/etilqs_[0-9a-f]* rw,
+ owner /var/tmp/etilqs_@{hex} rw,
 owner /tmp/#[0-9]*[0-9] rw,
 owner /tmp/Psi.* rwl -> /tmp/#[0-9]*[0-9],
diff --git a/apparmor.d/profiles-m-r/psi-plus b/apparmor.d/profiles-m-r/psi-plus
index 6834f197..1d6bb1e6 100644
--- a/apparmor.d/profiles-m-r/psi-plus
+++ b/apparmor.d/profiles-m-r/psi-plus
@@ -82,7 +82,7 @@ profile psi-plus @{exec_path} {
 /etc/fstab r,
- owner /var/tmp/etilqs_[0-9a-f]* rw,
+ owner /var/tmp/etilqs_@{hex} rw,
 owner /tmp/#[0-9]*[0-9] rw,
 owner /tmp/Psi+.* rwl -> /tmp/#[0-9]*[0-9],
diff --git a/apparmor.d/profiles-m-r/qbittorrent b/apparmor.d/profiles-m-r/qbittorrent
index 8c51e9c9..52fe391b 100644
--- a/apparmor.d/profiles-m-r/qbittorrent
+++ b/apparmor.d/profiles-m-r/qbittorrent
@@ -225,7 +225,7 @@ profile qbittorrent @{exec_path} {
 # file_inherit
 owner @{MOUNTS}/torrent/** r,
- owner @{MOUNTS}/torrent/**.[0-9a-f]*.parts rw,
+ owner @{MOUNTS}/torrent/**.@{hex}.parts rw,
 owner "@{MOUNTS}/torrent/**.!qB" rw,
 owner @{HOME}/.xsession-errors w,
diff --git a/apparmor.d/profiles-m-r/qnapi b/apparmor.d/profiles-m-r/qnapi
index 4bb66130..cf2b3acf 100644
--- a/apparmor.d/profiles-m-r/qnapi
+++ b/apparmor.d/profiles-m-r/qnapi
@@ -109,7 +109,7 @@ profile qnapi @{exec_path} {
 owner /tmp/#[0-9]*[0-9] rw,
 owner /tmp/QNapi.[0-9]*.tmp.@{qnapi_txt_ext} rw,
 owner /tmp/QNapi.[0-9]*.tmp.@{qnapi_txt_ext} rwl -> /tmp/#[0-9]*[0-9],
- owner /tmp/[0-9a-f]*.@{qnapi_txt_ext} rw,
+ owner /tmp/@{hex}.@{qnapi_txt_ext} rw,
 owner /tmp/*.@{qnapi_txt_ext} rw,
 /var/lib/dbus/machine-id r,
diff --git a/apparmor.d/profiles-m-r/qpdfview b/apparmor.d/profiles-m-r/qpdfview
index 451ae197..951a3db5 100644
--- a/apparmor.d/profiles-m-r/qpdfview
+++ b/apparmor.d/profiles-m-r/qpdfview
@@ -75,7 +75,7 @@ profile qpdfview @{exec_path} {
 /usr/share/hwdata/pnp.ids r,
 # Print
- owner /tmp/[0-9a-f]* rw,
+ owner /tmp/@{hex} rw,
 # Save as
 owner /tmp/#[0-9]*[0-9] rw,
diff --git a/apparmor.d/profiles-m-r/qtox b/apparmor.d/profiles-m-r/qtox
index 34323ba8..5d654863 100644
--- a/apparmor.d/profiles-m-r/qtox
+++ b/apparmor.d/profiles-m-r/qtox
@@ -60,7 +60,7 @@ profile qtox @{exec_path} {
 /var/lib/dbus/machine-id r,
 /etc/machine-id r,
- owner /tmp/qipc_{systemsem,sharedmemory}_*[0-9a-f]* rw,
+ owner /tmp/qipc_{systemsem,sharedmemory}_*@{hex} rw,
 @{sys}/devices/system/node/ r, # for ld-linux-x86-64.so -> libnuma1.so
 @{sys}/devices/system/node/node[0-9]*/meminfo r, # for ld-linux-x86-64.so -> libnuma1.so
diff --git a/apparmor.d/profiles-m-r/rpi-imager b/apparmor.d/profiles-m-r/rpi-imager
index fe08acab..417d6ecc 100644
--- a/apparmor.d/profiles-m-r/rpi-imager
+++ b/apparmor.d/profiles-m-r/rpi-imager
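Review bot: `owner /tmp/@{hex}.@{qnapi_txt_ext} rw,` in the qnapi hunk is fully subsumed by the `owner /tmp/*.@{qnapi_txt_ext} rw,` context line directly below it, since `*` already matches every non-slash name, including everything `@{hex}` matches; keeping both invites a reader to assume the hex form grants something extra. Either drop the `@{hex}` line, or if the wildcard form was only a stop-gap, drop that one and keep the narrower rule. The qnapi profile block starts and ends outside this hunk.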
@@ -58,9 +58,9 @@ profile rpi-imager @{exec_path} {
 owner @{user_cache_dirs}/ rw,
 owner @{user_cache_dirs}/qtshadercache/ rw,
 owner @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9] rw,
- owner @{user_cache_dirs}/qtshadercache/[0-9a-f]* rwl -> @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9],
+ owner @{user_cache_dirs}/qtshadercache/@{hex} rwl -> @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9],
 owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9] rw,
- owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/[0-9a-f]* rwl -> @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9],
+ owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/@{hex} rwl -> @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9],
 # To configure Qt5 settings (theme, font, icons, etc.) under DE/WM without Qt integration
 owner @{user_config_dirs}/qt5ct/{,**} r,
diff --git a/apparmor.d/profiles-s-z/scrcpy b/apparmor.d/profiles-s-z/scrcpy
index 78f2424e..6b055f71 100644
--- a/apparmor.d/profiles-s-z/scrcpy
+++ b/apparmor.d/profiles-s-z/scrcpy
@@ -29,7 +29,7 @@ profile scrcpy @{exec_path} {
 /var/lib/dbus/machine-id r,
- owner @{user_config_dirs}/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]} r,
+ owner @{user_config_dirs}/ibus/bus/{,@{hex}-unix-wayland-[0-9]} r,
 include if exists
 }
\ No newline at end of file
diff --git a/apparmor.d/profiles-s-z/sddm b/apparmor.d/profiles-s-z/sddm
index 6a600567..1f205589 100644
--- a/apparmor.d/profiles-s-z/sddm
+++ b/apparmor.d/profiles-s-z/sddm
@@ -193,10 +193,10 @@ profile sddm @{exec_path} {
 owner @{HOME}/.Xauthority-n rw,
 owner @{HOME}/.Xauthority rwl -> @{HOME}/.Xauthority-n,
- owner @{run}/sddm/\{[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*\}-c w,
- owner @{run}/sddm/\{[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*\}-l wl -> @{run}/sddm/\{[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*\}-c,
- owner @{run}/sddm/\{[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*\}-n rw,
- owner @{run}/sddm/\{[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*\} rwl -> @{run}/sddm/\{[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*\}-n,
+ owner @{run}/sddm/\{@{uuid}\}-c w,
+ owner @{run}/sddm/\{@{uuid}\}-l wl -> @{run}/sddm/\{@{uuid}\}-c,
+ owner @{run}/sddm/\{@{uuid}\}-n rw,
+ owner @{run}/sddm/\{@{uuid}\} rwl -> @{run}/sddm/\{@{uuid}\}-n,
 }
diff --git a/apparmor.d/profiles-s-z/steam b/apparmor.d/profiles-s-z/steam
index e644260e..42bb3079 100644
--- a/apparmor.d/profiles-s-z/steam
+++ b/apparmor.d/profiles-s-z/steam
@@ -131,7 +131,7 @@ profile steam @{exec_path} {
 owner /dev/shm/#[0-9]* rw,
 owner /dev/shm/fossilize-*-[0-9]*-[0-9]* rw,
- owner /dev/shm/u@{uid}-Shm_[0-9a-f]* rw,
+ owner /dev/shm/u@{uid}-Shm_@{hex} rw,
 owner /dev/shm/u@{uid}-ValveIPCSharedObj-Steam rwk,
 owner /dev/shm/ValveIPCSHM_@{uid} rw,
diff --git a/apparmor.d/profiles-s-z/steam-game b/apparmor.d/profiles-s-z/steam-game
index 65b78b49..e5885ce2 100644
--- a/apparmor.d/profiles-s-z/steam-game
+++ b/apparmor.d/profiles-s-z/steam-game
@@ -162,7 +162,7 @@ profile steam-game @{exec_path} flags=(attach_disconnected) {
 owner /dev/shm/#[0-9]* rw,
 owner /dev/shm/mono.* rw,
- owner /dev/shm/u@{uid}-Shm_[0-9a-f]* rw,
+ owner /dev/shm/u@{uid}-Shm_@{hex} rw,
 owner /dev/shm/u@{uid}-ValveIPCSharedObj-Steam rwk,
 owner /dev/shm/ValveIPCSHM_@{uid} rw,
 owner /dev/shm/wine-*-fsync rw,
diff --git a/apparmor.d/profiles-s-z/steam-gameoverlayui b/apparmor.d/profiles-s-z/steam-gameoverlayui
index c5984528..affe238d 100644
--- a/apparmor.d/profiles-s-z/steam-gameoverlayui
+++ b/apparmor.d/profiles-s-z/steam-gameoverlayui
@@ -41,7 +41,7 @@ profile steam-gameoverlayui @{exec_path} {
 owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* rw,
- owner /dev/shm/u@{uid}-Shm_[0-9a-f]* rw,
+ owner /dev/shm/u@{uid}-Shm_@{hex} rw,
 owner /dev/shm/u@{uid}-ValveIPCSharedObj-* rwk,
 owner /dev/shm/ValveIPCSHM_@{uid} rw,
diff --git a/apparmor.d/profiles-s-z/steam-reaper b/apparmor.d/profiles-s-z/steam-reaper
index ec873fa6..30953a57 100644
--- a/apparmor.d/profiles-s-z/steam-reaper
+++ b/apparmor.d/profiles-s-z/steam-reaper
@@ -26,7 +26,7 @@ profile steam-reaper @{exec_path} {
 owner @{user_share_dirs}/gvfs-metadata/{,*} r,
 owner @{user_share_dirs}/Steam/userdata/**/remotecache.vdf rw,
- owner /dev/shm/u@{uid}-Shm_[0-9a-f]* rw,
+ owner /dev/shm/u@{uid}-Shm_@{hex} rw,
 owner /dev/shm/u@{uid}-ValveIPCSharedObj-Steam rwk,
 include if exists
diff --git a/apparmor.d/profiles-s-z/strawberry b/apparmor.d/profiles-s-z/strawberry
index 9d04457b..a00d4bfc 100644
--- a/apparmor.d/profiles-s-z/strawberry
+++ b/apparmor.d/profiles-s-z/strawberry
@@ -89,7 +89,7 @@ profile strawberry @{exec_path} {
 owner /tmp/#[0-9]*[0-9] rw,
 owner /tmp/*= w,
- owner /var/tmp/etilqs_[0-9a-f]* rw,
+ owner /var/tmp/etilqs_@{hex} rw,
 /var/lib/dbus/machine-id r,
 /etc/machine-id r,
diff --git a/apparmor.d/profiles-s-z/tint2 b/apparmor.d/profiles-s-z/tint2
index eff48ef0..b2c3960f 100644
--- a/apparmor.d/profiles-s-z/tint2
+++ b/apparmor.d/profiles-s-z/tint2
@@ -28,7 +28,7 @@ profile tint2 @{exec_path} {
 # Tint2 cache files
 owner @{user_cache_dirs}/ rw,
 owner @{user_cache_dirs}/tint2/ rw,
- owner @{user_cache_dirs}/tint2/[0-9a-f]*.png w,
+ owner @{user_cache_dirs}/tint2/@{hex}.png w,
 owner @{user_cache_dirs}/tint2/icon.cache rwk,
 # Launcher config files
diff --git a/apparmor.d/profiles-s-z/tint2conf b/apparmor.d/profiles-s-z/tint2conf
index ada94a64..e5716a99 100644
--- a/apparmor.d/profiles-s-z/tint2conf
+++ b/apparmor.d/profiles-s-z/tint2conf
@@ -28,7 +28,7 @@ profile tint2conf @{exec_path} {
 owner @{user_config_dirs}/tint2/ r,
 owner @{user_config_dirs}/tint2/* rw,
- owner @{user_cache_dirs}/tint2/[0-9a-f]*.png r,
+ owner @{user_cache_dirs}/tint2/@{hex}.png r,
 owner @{PROC}/@{pid}/mountinfo r,
 owner @{PROC}/@{pid}/mounts r,
diff --git a/apparmor.d/profiles-s-z/update-ca-certificates b/apparmor.d/profiles-s-z/update-ca-certificates
index 65764fb0..161876a4 100644
--- a/apparmor.d/profiles-s-z/update-ca-certificates
+++ b/apparmor.d/profiles-s-z/update-ca-certificates
@@ -40,7 +40,7 @@ profile update-ca-certificates @{exec_path} {
 /etc/ca-certificates.conf r,
 /etc/ssl/certs/ca-certificates.crt{,.new} rw,
 /etc/ssl/certs/*.pem rw,
- /etc/ssl/certs/[0-9a-f]*.[0-9] rw,
+ /etc/ssl/certs/@{hex}.[0-9] rw,
 /{usr/,}lib/locale/locale-archive r,
diff --git a/apparmor.d/profiles-s-z/vidcutter b/apparmor.d/profiles-s-z/vidcutter
index 377581d2..659a5833 100644
--- a/apparmor.d/profiles-s-z/vidcutter
+++ b/apparmor.d/profiles-s-z/vidcutter
@@ -88,9 +88,9 @@ profile vidcutter @{exec_path} {
 owner @{user_cache_dirs}/ rw,
 owner @{user_cache_dirs}/qtshadercache/ rw,
 owner @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9] rw,
- owner @{user_cache_dirs}/qtshadercache/[0-9a-f]* rwl -> @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9],
+ owner @{user_cache_dirs}/qtshadercache/@{hex} rwl -> @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9],
 owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9] rw,
- owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/[0-9a-f]* rwl -> @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9],
+ owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/@{hex} rwl -> @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9],
 owner @{user_config_dirs}/qt5ct/{,**} r,
 /usr/share/qt5ct/** r,
@@ -107,7 +107,7 @@ profile vidcutter @{exec_path} {
 @{sys}/devices/system/node/ r,
 @{sys}/devices/system/node/node[0-9]*/meminfo r,
- owner /tmp/vidcutter-[0-9A-F]*-[0-9A-F]*-[0-9A-F]*-[0-9A-F]*-[0-9A-F]* w,
+ owner /tmp/vidcutter-@{uuid} w,
 owner /tmp/#[0-9]*[0-9] rw,
 owner /tmp/*.jpg rwl -> /tmp/#[0-9]*[0-9],
 owner /tmp/vidcutter/{,*} rw,
diff --git a/apparmor.d/tunables/extend b/apparmor.d/tunables/extend
index 5f4c09cf..dcb7759d 100644
--- a/apparmor.d/tunables/extend
+++ b/apparmor.d/tunables/extend
@@ -7,10 +7,10 @@
 # All apparmor profiles should always use the variables defined here.
 # Universally unique identifier
-@{uuid}=[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*
+@{uuid}=[0-9a-fA-F]*-[0-9a-fA-F]*-[0-9a-fA-F]*-[0-9a-fA-F]*-[0-9a-fA-F]*
 # Hexadecimal
-@{hex}=[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f]
+@{hex}=[0-9a-fA-F]*
 # @{MOUNTDIRS} is a space-separated list of where user mount directories
 # are stored, for programs that must enumerate all mount directories on a
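Review bot: `@{hex}=[0-9a-fA-F]*` in the tunables/extend hunk does not mean "a hexadecimal string": in AppArmor globbing `*` matches any run of non-`/` characters rather than repeating the preceding class, so the new `@{hex}` matches one hex digit followed by anything (`deadbeef`, but also `1-foo.bak`), whereas the eight-class form it replaces matched exactly eight hex digits. That keeps the profiles rewritten in this commit exactly as broad as the `[0-9a-f]*` they had, but any profile that already relied on the eight-digit `@{hex}` before this commit is silently widened, and the new `@{uuid}` has the same property per segment. The `# Hexadecimal` comment should say so, e.g. `# Hexadecimal string (note: * is a glob, so this matches one hex digit followed by any non-slash characters)`.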