diff --git a/apparmor.d/abstractions/chromium b/apparmor.d/abstractions/chromium index cb258cc9..fb06fabe 100644 --- a/apparmor.d/abstractions/chromium +++ b/apparmor.d/abstractions/chromium @@ -29,6 +29,7 @@ include include include + include capability setgid, capability setuid, @@ -132,8 +133,6 @@ # owner @{HOME}/.mozilla/firefox/*/{cert9,key4}.db rwk, # owner @{HOME}/.mozilla/firefox/*/logins.json r, - owner @{run}/user/@{uid}/wayland-cursor-shared-* rw, - /tmp/ r, /var/tmp/ r, owner /tmp/.@{chromium_domain}.* rw, diff --git a/apparmor.d/groups/bus/ibus-extension-gtk3 b/apparmor.d/groups/bus/ibus-extension-gtk3 index 3300187b..8000f6c4 100644 --- a/apparmor.d/groups/bus/ibus-extension-gtk3 +++ b/apparmor.d/groups/bus/ibus-extension-gtk3 @@ -10,14 +10,15 @@ include @{exec_path} += @{libexec}/ibus-extension-gtk3 profile ibus-extension-gtk3 @{exec_path} flags=(attach_disconnected) { include - include include + include include include include include include include + include signal (receive) set=term peer=ibus-daemon, @@ -74,7 +75,6 @@ profile ibus-extension-gtk3 @{exec_path} flags=(attach_disconnected) { owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* r, owner @{run}/user/@{uid}/gdm/Xauthority r, - owner @{run}/user/@{uid}/wayland-[0-9] rw, /var/lib/gdm{3,}/.config/ibus/bus/*-unix{,-wayland}-[0-9]* r, /var/lib/gdm{3,}/.config/dconf/user r, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome index 36db492f..0e1618b5 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome @@ -22,6 +22,7 @@ profile xdg-desktop-portal-gnome @{exec_path} { include include include + include dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus 
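Review bot: Several profiles may end up with more access than the rule they lose, assuming the newly included abstraction carries both Wayland rules that other profiles in this commit drop. The chromium abstraction (and later blueman and virt-manager) only had `wayland-cursor-shared-* rw`, while ibus-extension-gtk3 (and later gsd-color, gsd-keyboard, gsd-power, gsd-wacom, apport-gtk and check-new-release-gtk) were limited to `wayland-[0-9] rw` without the trailing wildcard. The include target is not readable on this page, so confirm the abstraction grants nothing beyond `owner @{run}/user/@{uid}/wayland-[0-9]* rw,` and `owner @{run}/user/@{uid}/wayland-cursor-shared-* rw,`, that it keeps the `owner` qualifier, and record the widening in the commit message. Because chromium is itself an abstraction, the include added there reaches every profile that pulls it in.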
@@ -124,8 +125,6 @@ profile xdg-desktop-portal-gnome @{exec_path} { owner @{user_share_dirs}/ r, - owner @{run}/user/@{uid}/wayland-[0-9]* rw, - owner @{run}/user/@{uid}/wayland-cursor-shared-* rw, owner @{run}/user/@{uid}/gdm/Xauthority r, @{run}/mount/utab r, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk index 30abb79e..e50493ae 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk @@ -24,6 +24,7 @@ profile xdg-desktop-portal-gtk @{exec_path} { include include include + include unix (send, receive, connect) type=stream peer=(addr="@/tmp/.X11-unix/*", label=gnome-shell), @@ -169,8 +170,6 @@ profile xdg-desktop-portal-gtk @{exec_path} { @{run}/user/@{uid}/xauth_* rl, owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* rw, owner @{run}/user/@{uid}/gdm/Xauthority r, - owner @{run}/user/@{uid}/wayland-[0-9]* rw, - owner @{run}/user/@{uid}/wayland-cursor-shared-* rw, owner @{PROC}/@{pid}/mountinfo r, diff --git a/apparmor.d/groups/gnome/gjs-console b/apparmor.d/groups/gnome/gjs-console index a09e2f40..e3d63ac5 100644 --- a/apparmor.d/groups/gnome/gjs-console +++ b/apparmor.d/groups/gnome/gjs-console @@ -21,6 +21,7 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) { include include include + include network netlink raw, @@ -99,9 +100,7 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) { owner @{user_cache_dirs}/gstreamer-1.0/ rw, owner @{user_cache_dirs}/gstreamer-1.0/registry.*.bin{,.tmp*} rw, - owner @{run}/user/@{uid}/wayland-cursor-shared-* rw, owner @{run}/user/@{uid}/gdm/Xauthority r, - owner @{run}/user/@{uid}/wayland-[0-9]* rw, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/groups/gnome/gnome-calculator-search-provider b/apparmor.d/groups/gnome/gnome-calculator-search-provider index 2a2f65fe..59223da9 100644 
--- a/apparmor.d/groups/gnome/gnome-calculator-search-provider +++ b/apparmor.d/groups/gnome/gnome-calculator-search-provider @@ -17,6 +17,7 @@ profile gnome-calculator-search-provider @{exec_path} { include include include + include signal (send) set=kill peer=unconfined, @@ -28,7 +29,6 @@ profile gnome-calculator-search-provider @{exec_path} { /usr/share/icons/{,**} r, owner @{run}/user/@{uid}/gdm/Xauthority r, - owner @{run}/user/@{uid}/wayland-[0-9]* rw, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pids}/cmdline r, diff --git a/apparmor.d/groups/gnome/gnome-characters-backgroudservice b/apparmor.d/groups/gnome/gnome-characters-backgroudservice index 648e83f5..488c8954 100644 --- a/apparmor.d/groups/gnome/gnome-characters-backgroudservice +++ b/apparmor.d/groups/gnome/gnome-characters-backgroudservice @@ -9,8 +9,9 @@ include @{exec_path} = /usr/share/org.gnome.Characters/org.gnome.Characters.BackgroundService profile gnome-characters-backgroudservice @{exec_path} { include - include include + include + include @{exec_path} mr, @@ -24,8 +25,6 @@ profile gnome-characters-backgroudservice @{exec_path} { /etc/gtk-3.0/settings.ini r, - owner @{run}/user/@{uid}/wayland-[0-9]* rw, - owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/task/@{tid}/stat r, diff --git a/apparmor.d/groups/gnome/gnome-control-center-print-renderer b/apparmor.d/groups/gnome/gnome-control-center-print-renderer index 4b07ee94..4bf642f5 100644 --- a/apparmor.d/groups/gnome/gnome-control-center-print-renderer +++ b/apparmor.d/groups/gnome/gnome-control-center-print-renderer @@ -9,8 +9,8 @@ include @{exec_path} = @{libexec}/gnome-control-center-print-renderer profile gnome-control-center-print-renderer @{exec_path} { include - include include + include include include include @@ -20,6 +20,7 @@ profile gnome-control-center-print-renderer @{exec_path} { include include include + include dbus send bus=session path=/org/a11y/bus interface=org.a11y.Bus 
@@ -44,7 +45,6 @@ profile gnome-control-center-print-renderer @{exec_path} { owner @{user_share_dirs}/icons/{,**} r, owner @{run}/user/@{uid}/gdm/Xauthority r, - owner @{run}/user/@{uid}/wayland-[0-9]* rw, owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/comm r, diff --git a/apparmor.d/groups/gnome/gnome-control-center-search-provider b/apparmor.d/groups/gnome/gnome-control-center-search-provider index 5b515a08..1de8082b 100644 --- a/apparmor.d/groups/gnome/gnome-control-center-search-provider +++ b/apparmor.d/groups/gnome/gnome-control-center-search-provider @@ -18,6 +18,7 @@ profile gnome-control-center-search-provider @{exec_path} { include include include + include @{exec_path} mr, @@ -26,7 +27,6 @@ profile gnome-control-center-search-provider @{exec_path} { /var/cache/gio-[0-9]*.[0-9]*/gnome-mimeapps.list r, owner @{run}/user/@{uid}/gdm/Xauthority r, - owner @{run}/user/@{uid}/wayland-[0-9]* rw, include if exists } diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary index f20249b6..6a1f6465 100644 --- a/apparmor.d/groups/gnome/gnome-session-binary +++ b/apparmor.d/groups/gnome/gnome-session-binary @@ -9,17 +9,18 @@ include @{exec_path} = @{libexec}/gnome-session-binary profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { include + include include include - include include include include include include include - include include + include + include include network inet stream, @@ -230,7 +231,6 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { owner @{run}/user/@{uid}/gnome-session-leader-fifo rw, owner @{run}/user/@{uid}/ICEauthority{,-[a-z]} rwl, owner @{run}/user/@{uid}/systemd/notify w, - owner @{run}/user/@{uid}/wayland-[0-9]* rw, @{sys}/devices/**/{vendor,device} r, diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 297b429f..731dbc03 100644 --- a/apparmor.d/groups/gnome/gnome-shell 
+++ b/apparmor.d/groups/gnome/gnome-shell @@ -32,6 +32,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { include include include + include include capability sys_nice, @@ -589,7 +590,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { owner @{run}/user/@{uid}/gvfsd/socket-[0-9A-Za-z]* rw, owner @{run}/user/@{uid}/snap.snap*/wayland-cursor-shared-* rw, owner @{run}/user/@{uid}/systemd/notify rw, - owner @{run}/user/@{uid}/wayland-[0-9].lock rwk, owner /dev/shm/.org.chromium.Chromium.* rw, owner /dev/shm/wayland.mozilla.ipc.[0-9]* rw, diff --git a/apparmor.d/groups/gnome/gnome-terminal-server b/apparmor.d/groups/gnome/gnome-terminal-server index d4b6b7d5..5141bbd4 100644 --- a/apparmor.d/groups/gnome/gnome-terminal-server +++ b/apparmor.d/groups/gnome/gnome-terminal-server @@ -15,6 +15,7 @@ profile gnome-terminal-server @{exec_path} { include include include + include signal (send) set=(term hup kill) peer=unconfined, ptrace (read) peer=unconfined, @@ -47,8 +48,6 @@ profile gnome-terminal-server @{exec_path} { owner @{user_config_dirs}/*xdg-terminals.list* rw, owner @{run}/user/@{uid}/gdm/Xauthority r, - owner @{run}/user/@{uid}/wayland-[0-9]* rw, - owner @{run}/user/@{uid}/wayland-cursor-shared-* rw, owner /tmp/#[0-9]* rw, diff --git a/apparmor.d/groups/gnome/gsd-color b/apparmor.d/groups/gnome/gsd-color index f7bc3a01..670566c9 100644 --- a/apparmor.d/groups/gnome/gsd-color +++ b/apparmor.d/groups/gnome/gsd-color @@ -17,6 +17,7 @@ profile gsd-color @{exec_path} flags=(attach_disconnected) { include include include + include signal (receive) set=(term, hup) peer=gdm*, @@ -134,8 +135,6 @@ profile gsd-color @{exec_path} flags=(attach_disconnected) { owner @{user_share_dirs}/icc/edid-*.icc rw, owner @{run}/user/@{uid}/gdm/Xauthority r, - owner @{run}/user/@{uid}/wayland-[0-9] rw, - owner @{run}/user/@{uid}/wayland-cursor-shared-* rw, owner /dev/tty[0-9]* rw, 
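Review bot: The line removed in the gnome-shell hunk at `@@ -589,7 +590,6 @@`, `owner @{run}/user/@{uid}/wayland-[0-9].lock rwk,`, is a rule on the display lock file with file-lock permission `k`, which none of the other profiles in this commit had. If the shared abstraction now supplies it, every profile that includes the abstraction gains the ability to lock that file; if it does not, gnome-shell loses the permission. I would keep the line in the gnome-shell profile, next to the remaining `snap.snap*/wayland-cursor-shared-*` rule, and leave the lock rule out of the shared abstraction. The profile body extends beyond this hunk, so other Wayland rules elsewhere in it may need the same check.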
diff --git a/apparmor.d/groups/gnome/gsd-keyboard b/apparmor.d/groups/gnome/gsd-keyboard index a3519116..860cb278 100644 --- a/apparmor.d/groups/gnome/gsd-keyboard +++ b/apparmor.d/groups/gnome/gsd-keyboard @@ -17,6 +17,7 @@ profile gsd-keyboard @{exec_path} flags=(attach_disconnected) { include include include + include signal (receive) set=(term, hup) peer=gdm*, @@ -108,8 +109,6 @@ profile gsd-keyboard @{exec_path} flags=(attach_disconnected) { owner @{user_share_dirs}/gnome-settings-daemon/{,input-sources*} rw, owner @{run}/user/@{uid}/gdm/Xauthority r, - owner @{run}/user/@{uid}/wayland-[0-9] rw, - owner @{run}/user/@{uid}/wayland-cursor-shared-* rw, owner /dev/tty[0-9]* rw, diff --git a/apparmor.d/groups/gnome/gsd-media-keys b/apparmor.d/groups/gnome/gsd-media-keys index 3906e6dc..032c2625 100644 --- a/apparmor.d/groups/gnome/gsd-media-keys +++ b/apparmor.d/groups/gnome/gsd-media-keys @@ -19,6 +19,7 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { include include include + include signal (receive) set=(term, hup) peer=gdm*, @@ -183,8 +184,6 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { @{run}/systemd/inhibit/[0-9]*.ref rw, owner @{run}/user/@{uid}/gdm/Xauthority r, - owner @{run}/user/@{uid}/wayland-[0-9]* rw, - owner @{run}/user/@{uid}/wayland-cursor-shared-* rw, owner /dev/tty[0-9]* rw, diff --git a/apparmor.d/groups/gnome/gsd-power b/apparmor.d/groups/gnome/gsd-power index 299de5cd..3a5c8175 100644 --- a/apparmor.d/groups/gnome/gsd-power +++ b/apparmor.d/groups/gnome/gsd-power @@ -18,6 +18,7 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) { include include include + include network netlink raw, 
@@ -183,8 +184,6 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) { /var/lib/gdm{3,}/greeter-dconf-defaults r, owner @{run}/user/@{uid}/gdm/Xauthority r, - owner @{run}/user/@{uid}/wayland-[0-9] rw, - owner @{run}/user/@{uid}/wayland-cursor-shared-* rw, @{run}/udev/data/+backlight:* r, @{run}/udev/data/+leds:*backlight* r, diff --git a/apparmor.d/groups/gnome/gsd-wacom b/apparmor.d/groups/gnome/gsd-wacom index b8508e47..3ccb5aad 100644 --- a/apparmor.d/groups/gnome/gsd-wacom +++ b/apparmor.d/groups/gnome/gsd-wacom @@ -9,13 +9,14 @@ include @{exec_path} = @{libexec}/gsd-wacom profile gsd-wacom @{exec_path} flags=(attach_disconnected) { include - include - include include + include include include include include + include + include signal (receive) set=(term, hup) peer=gdm*, @@ -107,8 +108,6 @@ profile gsd-wacom @{exec_path} flags=(attach_disconnected) { /usr/share/mime/mime.cache r, owner @{run}/user/@{uid}/gdm/Xauthority r, - owner @{run}/user/@{uid}/wayland-[0-9] rw, - owner @{run}/user/@{uid}/wayland-cursor-shared-* rw, /var/lib/gdm{3,}/.config/dconf/user r, /var/lib/gdm{3,}/greeter-dconf-defaults r, diff --git a/apparmor.d/groups/gnome/gsd-xsettings b/apparmor.d/groups/gnome/gsd-xsettings index c0a29be6..14581715 100644 --- a/apparmor.d/groups/gnome/gsd-xsettings +++ b/apparmor.d/groups/gnome/gsd-xsettings @@ -20,6 +20,7 @@ profile gsd-xsettings @{exec_path} { include include include + include network inet stream, network inet6 stream, @@ -143,8 +144,6 @@ profile gsd-xsettings @{exec_path} { owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[a-zA-z0-9]* r, owner @{run}/user/@{uid}/gdm/Xauthority r, - owner @{run}/user/@{uid}/wayland-[0-9]* rw, - owner @{run}/user/@{uid}/wayland-cursor-shared-* rw, @{run}/systemd/sessions/* r, @{run}/systemd/users/@{uid} r, diff --git a/apparmor.d/groups/ubuntu/apport-gtk b/apparmor.d/groups/ubuntu/apport-gtk index 5c517599..52849f6c 100644 --- a/apparmor.d/groups/ubuntu/apport-gtk 
+++ b/apparmor.d/groups/ubuntu/apport-gtk @@ -18,6 +18,7 @@ profile apport-gtk @{exec_path} { include include include + include capability fowner, capability sys_ptrace, @@ -76,7 +77,6 @@ profile apport-gtk @{exec_path} { /var/log/installer/media-info r, @{run}/snapd.socket rw, - owner @{run}/user/@{uid}/wayland-[0-9] rw, owner @{run}/user/.mutter-Xwaylandauth.* rw, /tmp/[a-z0-9]* rw, diff --git a/apparmor.d/groups/ubuntu/check-new-release-gtk b/apparmor.d/groups/ubuntu/check-new-release-gtk index 0b95a73d..3d804216 100644 --- a/apparmor.d/groups/ubuntu/check-new-release-gtk +++ b/apparmor.d/groups/ubuntu/check-new-release-gtk @@ -18,6 +18,7 @@ profile check-new-release-gtk @{exec_path} { include include include + include network inet dgram, network inet6 dgram, @@ -53,8 +54,6 @@ profile check-new-release-gtk @{exec_path} { owner @{user_cache_dirs}/update-manager-core/{,**} rw, - owner @{run}/user/@{uid}/wayland-[0-9] rw, - @{PROC}/@{pids}/mountinfo r, @{PROC}/@{pids}/mounts r, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/groups/ubuntu/livepatch-notification b/apparmor.d/groups/ubuntu/livepatch-notification index cdbd7e90..3529ad13 100644 --- a/apparmor.d/groups/ubuntu/livepatch-notification +++ b/apparmor.d/groups/ubuntu/livepatch-notification @@ -12,6 +12,7 @@ profile livepatch-notification @{exec_path} { include include include + include @{exec_path} mr, @@ -21,7 +22,6 @@ profile livepatch-notification @{exec_path} { owner @{run}/user/@{uid}/at-spi/bus rw, owner @{run}/user/@{uid}/bus rw, - owner @{run}/user/@{uid}/wayland-[0-9]* rw, @{run}/user/@{uid}/gdm/Xauthority r, diff --git a/apparmor.d/groups/ubuntu/software-properties-gtk b/apparmor.d/groups/ubuntu/software-properties-gtk index 842e50a3..4815a1ba 100644 --- a/apparmor.d/groups/ubuntu/software-properties-gtk +++ b/apparmor.d/groups/ubuntu/software-properties-gtk 
@@ -17,6 +17,7 @@ profile software-properties-gtk @{exec_path} { include include include + include dbus (send,receive) bus=system path=/com/canonical/UbuntuAdvantage/{,**} interface=org.freedesktop.DBus.Introspectable diff --git a/apparmor.d/groups/ubuntu/ubuntu-advantage-notification b/apparmor.d/groups/ubuntu/ubuntu-advantage-notification index 5096582a..f125c704 100644 --- a/apparmor.d/groups/ubuntu/ubuntu-advantage-notification +++ b/apparmor.d/groups/ubuntu/ubuntu-advantage-notification @@ -12,6 +12,7 @@ profile ubuntu-advantage-notification @{exec_path} { include include include + include @{exec_path} mr, @@ -19,7 +20,5 @@ profile ubuntu-advantage-notification @{exec_path} { /usr/share/icons/{,**} r, /usr/share/X11/xkb/{,**} r, - owner @{run}/user/@{uid}/wayland-[0-9]* rw, - include if exists } \ No newline at end of file diff --git a/apparmor.d/groups/ubuntu/update-manager b/apparmor.d/groups/ubuntu/update-manager index d820d7ca..9af0533b 100644 --- a/apparmor.d/groups/ubuntu/update-manager +++ b/apparmor.d/groups/ubuntu/update-manager @@ -21,6 +21,7 @@ profile update-manager @{exec_path} flags=(attach_disconnected) { include include include + include network inet dgram, network inet6 dgram, @@ -85,8 +86,6 @@ profile update-manager @{exec_path} flags=(attach_disconnected) { owner @{user_cache_dirs}/update-manager-core/{,**} rw, - owner @{run}/user/@{uid}/wayland-[0-9]* rw, - @{run}/systemd/inhibit/*.ref w, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/groups/ubuntu/update-notifier b/apparmor.d/groups/ubuntu/update-notifier index 1d6fdc79..89e68cb4 100644 --- a/apparmor.d/groups/ubuntu/update-notifier +++ b/apparmor.d/groups/ubuntu/update-notifier @@ -19,6 +19,7 @@ profile update-notifier @{exec_path} { include include include + include dbus receive bus=session path=/org/ayatana/NotificationItem{,/**} interface={com.canonical.dbusmenu,org.freedesktop.DBus.Properties} 
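Review bot: The software-properties-gtk hunk at `@@ -17,6 +17,7 @@` adds the include without removing any Wayland rule, so unlike the other files in this commit it is a net-new grant rather than a refactor. If a denial on the Wayland socket was observed for this profile, say so in the commit message; otherwise leave the profile out until the access is shown to be needed. Only this one hunk of the file is visible, so a pre-existing rule further down the profile that makes the include redundant cannot be ruled out.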
@@ -69,7 +70,6 @@ profile update-notifier @{exec_path} { owner @{run}/user/@{uid}/at-spi/bus rw, owner @{run}/user/@{uid}/bus rw, owner @{run}/user/@{uid}/update-notifier.pid rwk, - owner @{run}/user/@{uid}/wayland-[0-9]* rw, owner /tmp/#[0-9]* rw, diff --git a/apparmor.d/profiles-a-f/blueman b/apparmor.d/profiles-a-f/blueman index 620cae5e..11c8d32e 100644 --- a/apparmor.d/profiles-a-f/blueman +++ b/apparmor.d/profiles-a-f/blueman @@ -20,6 +20,7 @@ profile blueman @{exec_path} flags=(attach_disconnected) { include include include + include network inet stream, network inet6 stream, @@ -58,7 +59,6 @@ profile blueman @{exec_path} flags=(attach_disconnected) { owner @{user_cache_dirs}/obexd/* rw, owner @{run}/user/@{uid}/gdm/Xauthority r, - owner @{run}/user/@{uid}/wayland-cursor-shared-* rw, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/profiles-a-f/file-roller b/apparmor.d/profiles-a-f/file-roller index 14301316..b86446f0 100644 --- a/apparmor.d/profiles-a-f/file-roller +++ b/apparmor.d/profiles-a-f/file-roller @@ -14,6 +14,7 @@ profile file-roller @{exec_path} { include include include + include @{exec_path} mr, @@ -35,7 +36,5 @@ profile file-roller @{exec_path} { /etc/gtk-3.0/settings.ini r, - owner @{run}/user/@{uid}/wayland-[0-9]* rw, - include if exists } \ No newline at end of file diff --git a/apparmor.d/profiles-s-z/system-config-printer b/apparmor.d/profiles-s-z/system-config-printer index 1b198bee..20b2cb7f 100644 --- a/apparmor.d/profiles-s-z/system-config-printer +++ b/apparmor.d/profiles-s-z/system-config-printer @@ -21,6 +21,7 @@ profile system-config-printer @{exec_path} flags=(complain) { include include include + include network inet stream, network inet6 stream, 
@@ -59,7 +60,6 @@ profile system-config-printer @{exec_path} flags=(complain) { owner @{HOME}/.cups/ rw, owner @{HOME}/.cups/lpoptions rw, - owner @{run}/user/@{uid}/wayland-[0-9]* rw, owner @{run}/user/@{uid}/gvfsd/socket-* rw, @{run}/cups/cups.sock rw, diff --git a/apparmor.d/profiles-s-z/virt-manager b/apparmor.d/profiles-s-z/virt-manager index 85ba9578..fc45ac35 100644 --- a/apparmor.d/profiles-s-z/virt-manager +++ b/apparmor.d/profiles-s-z/virt-manager @@ -28,6 +28,7 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) { include include include + include network inet stream, network inet6 stream, @@ -86,7 +87,6 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) { owner @{run}/user/@{uid}/libvirt/libvirtd.lock rwk, owner @{run}/user/@{uid}/libvirt/virtqemud.lock rwk, - owner @{run}/user/@{uid}/wayland-cursor-shared-* rw, @{run}/mount/utab r, @{run}/udev/data/c3[0-9]*:[0-9]* r, # For dynamic assignment range 384 to 511