From 3f69b9fec417f4d2b945f9d88ef772d44885d441 Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol Date: Thu, 2 May 2024 22:12:02 +0100 Subject: [PATCH] feat(profile): use the new @{tmp} variable. It is only used with the owner statement. --- apparmor.d/abstractions/X-strict | 2 +- apparmor.d/abstractions/app/chromium | 18 +++---- apparmor.d/abstractions/bus-session | 4 +- apparmor.d/abstractions/common/app | 2 +- apparmor.d/abstractions/common/apt | 5 +- apparmor.d/abstractions/common/bwrap | 4 +- apparmor.d/abstractions/common/chromium | 12 ++--- apparmor.d/abstractions/common/electron | 16 +++---- apparmor.d/groups/_full/default | 2 +- .../groups/akonadi/akonadi_mailfilter_agent | 4 +- apparmor.d/groups/apps/calibre | 10 ++-- apparmor.d/groups/apps/discord | 6 +-- apparmor.d/groups/apps/dropbox | 16 +++---- apparmor.d/groups/apps/filezilla | 6 +-- apparmor.d/groups/apps/flameshot | 6 +-- apparmor.d/groups/apps/telegram-desktop | 2 +- apparmor.d/groups/apps/zathura | 2 +- apparmor.d/groups/apt/apt | 14 +++--- apparmor.d/groups/apt/apt-config | 2 +- apparmor.d/groups/apt/apt-extracttemplates | 2 +- apparmor.d/groups/apt/apt-key | 8 ++-- .../groups/apt/apt-listbugs-migratepins | 6 +-- apparmor.d/groups/apt/apt-listchanges | 22 ++++----- apparmor.d/groups/apt/apt-methods-gpgv | 6 +-- apparmor.d/groups/apt/apt-methods-http | 4 +- apparmor.d/groups/apt/apt-methods-store | 2 +- apparmor.d/groups/apt/aptitude | 20 ++++---- .../groups/apt/aptitude-run-state-bundle | 2 +- apparmor.d/groups/apt/debsign | 8 ++-- apparmor.d/groups/apt/dpkg | 2 +- apparmor.d/groups/apt/dpkg-architecture | 2 +- apparmor.d/groups/apt/dpkg-deb | 8 ++-- apparmor.d/groups/apt/dpkg-preconfigure | 4 +- apparmor.d/groups/apt/reportbug | 6 +-- apparmor.d/groups/apt/synaptic | 4 +- apparmor.d/groups/apt/unattended-upgrade | 2 +- apparmor.d/groups/browsers/brave | 6 +-- apparmor.d/groups/browsers/chromium-wrapper | 6 +-- apparmor.d/groups/browsers/firefox | 47 +++++++++---------- .../groups/browsers/firefox-crashreporter | 4 +- apparmor.d/groups/browsers/firefox-glxtest | 2 +- 
.../groups/browsers/firefox-minidump-analyzer | 4 +- apparmor.d/groups/browsers/firefox-vaapitest | 2 +- apparmor.d/groups/browsers/msedge | 4 +- apparmor.d/groups/cron/cron | 4 +- apparmor.d/groups/cron/cron-apt | 16 +++---- .../groups/cron/cron-popularity-contest | 16 +++---- apparmor.d/groups/cron/crontab | 4 +- .../groups/display-manager/x11-xsession | 9 ++-- .../groups/display-manager/xdm-xsession | 4 +- apparmor.d/groups/freedesktop/accounts-daemon | 2 +- apparmor.d/groups/freedesktop/pipewire | 2 +- apparmor.d/groups/freedesktop/pipewire-pulse | 2 +- .../polkit-kde-authentication-agent | 4 +- .../groups/freedesktop/xdg-desktop-portal | 2 +- .../freedesktop/xdg-desktop-portal-gnome | 4 +- .../groups/freedesktop/xdg-desktop-portal-gtk | 2 +- .../groups/freedesktop/xdg-icon-resource | 2 +- apparmor.d/groups/freedesktop/xdg-screensaver | 2 +- apparmor.d/groups/freedesktop/xkbcomp | 2 +- apparmor.d/groups/freedesktop/xorg | 8 ++-- apparmor.d/groups/freedesktop/xrdb | 12 ++--- apparmor.d/groups/freedesktop/xsetroot | 2 +- apparmor.d/groups/freedesktop/xwayland | 2 +- .../groups/gnome/epiphany-search-provider | 4 +- apparmor.d/groups/gnome/gdm-xsession | 2 +- apparmor.d/groups/gnome/gio-launch-desktop | 2 +- apparmor.d/groups/gnome/gnome-control-center | 2 +- .../groups/gnome/gnome-desktop-thumbnailers | 8 ++-- .../groups/gnome/gnome-disk-image-mounter | 2 +- apparmor.d/groups/gnome/gnome-music | 2 +- apparmor.d/groups/gnome/gnome-shell | 4 +- apparmor.d/groups/gnome/gnome-software | 10 ++-- apparmor.d/groups/gnome/gnome-terminal-server | 2 +- apparmor.d/groups/gnome/kgx | 2 +- apparmor.d/groups/gnome/nautilus | 2 +- apparmor.d/groups/gnome/tracker-extract | 4 +- apparmor.d/groups/gnome/tracker-miner | 2 +- apparmor.d/groups/gpg/gpg | 6 +-- apparmor.d/groups/gpg/gpg-agent | 10 ++-- apparmor.d/groups/gpg/gpg-connect-agent | 6 +-- apparmor.d/groups/grub/grub-check-signatures | 2 +- apparmor.d/groups/kde/baloo | 2 +- apparmor.d/groups/kde/dolphin | 2 +- 
apparmor.d/groups/kde/kcminit | 8 ++-- apparmor.d/groups/kde/kconf_update | 6 +-- apparmor.d/groups/kde/kded | 6 +-- apparmor.d/groups/kde/kioworker | 4 +- apparmor.d/groups/kde/konsole | 4 +- apparmor.d/groups/kde/kscreenlocker_greet | 2 +- apparmor.d/groups/kde/ksmserver | 2 +- apparmor.d/groups/kde/kwalletd | 2 +- apparmor.d/groups/kde/kwin_x11 | 4 +- apparmor.d/groups/kde/okular | 4 +- apparmor.d/groups/kde/plasma-discover | 14 +++--- apparmor.d/groups/kde/plasmashell | 2 +- apparmor.d/groups/kde/sddm | 6 +-- apparmor.d/groups/kde/sddm-greeter | 4 +- apparmor.d/groups/kde/sddm-xsession | 4 +- apparmor.d/groups/kde/startplasma | 4 +- apparmor.d/groups/kde/xembedsniproxy | 2 +- apparmor.d/groups/kde/xsettingsd | 2 +- apparmor.d/groups/network/mullvad-daemon | 4 +- apparmor.d/groups/network/mullvad-gui | 2 +- apparmor.d/groups/pacman/aurpublish | 2 +- apparmor.d/groups/pacman/mkinitcpio | 4 +- apparmor.d/groups/pacman/pacman | 6 +-- apparmor.d/groups/ssh/ssh | 2 +- apparmor.d/groups/ssh/ssh-agent | 4 +- apparmor.d/groups/systemd/coredumpctl | 4 +- apparmor.d/groups/systemd/systemd-analyze | 2 +- apparmor.d/groups/systemd/systemd-dissect | 2 +- .../groups/ubuntu/software-properties-dbus | 6 +-- .../groups/ubuntu/software-properties-gtk | 6 +-- apparmor.d/groups/ubuntu/ubuntu-advantage | 6 +-- apparmor.d/groups/ubuntu/update-notifier | 2 +- apparmor.d/groups/virt/containerd | 2 +- apparmor.d/groups/virt/k3s | 2 +- apparmor.d/groups/whonix/sdwdate-start | 2 +- apparmor.d/groups/whonix/torbrowser | 24 +++++----- apparmor.d/groups/whonix/torbrowser-glxtest | 2 +- .../whonix/torbrowser-updater-permission-fix | 2 +- apparmor.d/groups/whonix/torbrowser-vaapitest | 2 +- apparmor.d/groups/whonix/torbrowser-wrapper | 3 +- apparmor.d/groups/xfce/thunar | 2 +- apparmor.d/groups/xfce/xfce-session | 3 +- apparmor.d/groups/xfce/xfce-terminal | 2 +- apparmor.d/profiles-a-f/aa-notify | 4 +- apparmor.d/profiles-a-f/adb | 2 +- apparmor.d/profiles-a-f/anacron | 4 +- 
apparmor.d/profiles-a-f/anyremote | 10 ++-- apparmor.d/profiles-a-f/apparmor_parser | 2 +- apparmor.d/profiles-a-f/appstreamcli | 6 +-- apparmor.d/profiles-a-f/arduino | 24 +++++----- apparmor.d/profiles-a-f/arduino-builder | 8 ++-- apparmor.d/profiles-a-f/arduino-ctags | 4 +- apparmor.d/profiles-a-f/atril | 8 ++-- apparmor.d/profiles-a-f/augenrules | 2 +- apparmor.d/profiles-a-f/birdtray | 2 +- apparmor.d/profiles-a-f/borg | 12 ++--- apparmor.d/profiles-a-f/browserpass | 2 +- apparmor.d/profiles-a-f/btrfs | 2 +- apparmor.d/profiles-a-f/check-support-status | 4 +- .../profiles-a-f/check-support-status-hook | 8 ++-- apparmor.d/profiles-a-f/claws-mail | 6 +-- apparmor.d/profiles-a-f/code | 6 +-- .../profiles-a-f/code-extension-git-askpass | 2 +- apparmor.d/profiles-a-f/conky | 2 +- apparmor.d/profiles-a-f/cpuid | 2 +- apparmor.d/profiles-a-f/cups-notifier-dbus | 2 +- .../profiles-a-f/cups-pk-helper-mechanism | 2 +- apparmor.d/profiles-a-f/cupsd | 2 +- apparmor.d/profiles-a-f/deltachat-desktop | 8 ++-- apparmor.d/profiles-a-f/dhclient-script | 4 +- apparmor.d/profiles-a-f/dkms | 12 ++--- apparmor.d/profiles-a-f/dlocate | 2 +- apparmor.d/profiles-a-f/dmidecode | 2 +- apparmor.d/profiles-a-f/downloadhelper | 2 +- apparmor.d/profiles-a-f/dumpcap | 4 +- apparmor.d/profiles-a-f/engrampa | 2 +- apparmor.d/profiles-a-f/etckeeper | 2 +- apparmor.d/profiles-a-f/evince | 6 +-- apparmor.d/profiles-a-f/evince-thumbnailer | 4 +- apparmor.d/profiles-a-f/ffmpeg | 4 +- apparmor.d/profiles-a-f/flatpak | 6 +-- apparmor.d/profiles-a-f/flatpak-system-helper | 6 +-- apparmor.d/profiles-a-f/frontend | 4 +- apparmor.d/profiles-g-l/gajim | 6 +-- apparmor.d/profiles-g-l/git | 26 +++++----- apparmor.d/profiles-g-l/gpa | 2 +- apparmor.d/profiles-g-l/gpartedbin | 2 +- apparmor.d/profiles-g-l/hardinfo | 6 +-- apparmor.d/profiles-g-l/hugo | 4 +- apparmor.d/profiles-g-l/hw-probe | 4 +- apparmor.d/profiles-g-l/hwinfo | 6 +-- apparmor.d/profiles-g-l/i3lock | 2 +- apparmor.d/profiles-g-l/i3lock-fancy 
| 8 ++-- apparmor.d/profiles-g-l/jdownloader | 16 +++---- apparmor.d/profiles-g-l/jmtpfs | 4 +- apparmor.d/profiles-g-l/keepassxc | 16 +++---- apparmor.d/profiles-g-l/kernel-install | 2 +- apparmor.d/profiles-g-l/kmod | 6 +-- apparmor.d/profiles-g-l/linssid | 6 +-- apparmor.d/profiles-g-l/linux-check-removal | 2 +- apparmor.d/profiles-g-l/lynx | 4 +- apparmor.d/profiles-m-r/man | 2 +- apparmor.d/profiles-m-r/merkaartor | 4 +- apparmor.d/profiles-m-r/minitube | 8 ++-- apparmor.d/profiles-m-r/mkvmerge | 4 +- apparmor.d/profiles-m-r/mkvtoolnix-gui | 10 ++-- apparmor.d/profiles-m-r/modprobed-db | 4 +- apparmor.d/profiles-m-r/mono-sgen | 4 +- apparmor.d/profiles-m-r/mpsyt | 6 +-- apparmor.d/profiles-m-r/mpv | 10 ++-- apparmor.d/profiles-m-r/nmap | 4 +- apparmor.d/profiles-m-r/ntfsdecrypt | 2 +- apparmor.d/profiles-m-r/ntfsundelete | 4 +- apparmor.d/profiles-m-r/ntfsusermap | 2 +- apparmor.d/profiles-m-r/os-prober | 2 +- apparmor.d/profiles-m-r/packagekitd | 6 +-- apparmor.d/profiles-m-r/pam-tmpdir-helper | 4 +- apparmor.d/profiles-m-r/pass | 4 +- apparmor.d/profiles-m-r/pass-import | 2 +- apparmor.d/profiles-m-r/pinentry-qt | 2 +- apparmor.d/profiles-m-r/popularity-contest | 2 +- apparmor.d/profiles-m-r/psi | 4 +- apparmor.d/profiles-m-r/psi-plus | 4 +- apparmor.d/profiles-m-r/qbittorrent | 22 ++++----- apparmor.d/profiles-m-r/qbittorrent-nox | 14 +++--- apparmor.d/profiles-m-r/qnapi | 18 +++---- apparmor.d/profiles-m-r/qpdfview | 6 +-- apparmor.d/profiles-m-r/qtox | 2 +- apparmor.d/profiles-m-r/quiterss | 4 +- apparmor.d/profiles-m-r/repo | 6 +-- apparmor.d/profiles-m-r/run-parts | 6 +-- apparmor.d/profiles-m-r/runuser | 2 +- apparmor.d/profiles-s-z/YACReaderLibrary | 2 +- apparmor.d/profiles-s-z/s3fs | 4 +- apparmor.d/profiles-s-z/sanoid | 2 +- apparmor.d/profiles-s-z/smplayer | 10 ++-- apparmor.d/profiles-s-z/snap | 2 +- apparmor.d/profiles-s-z/snap-update-ns | 2 +- .../profiles-s-z/spectre-meltdown-checker | 18 +++---- apparmor.d/profiles-s-z/ss | 2 +- 
apparmor.d/profiles-s-z/startx | 2 +- apparmor.d/profiles-s-z/steam | 14 +++--- apparmor.d/profiles-s-z/steam-game | 8 ++-- apparmor.d/profiles-s-z/steam-gameoverlayui | 6 +-- apparmor.d/profiles-s-z/strawberry | 14 +++--- apparmor.d/profiles-s-z/swtpm_setup | 6 +-- apparmor.d/profiles-s-z/syncoid | 2 +- apparmor.d/profiles-s-z/system-config-printer | 2 +- apparmor.d/profiles-s-z/tasksel | 4 +- apparmor.d/profiles-s-z/terminator | 2 +- apparmor.d/profiles-s-z/thunderbird | 16 +++---- apparmor.d/profiles-s-z/thunderbird-glxtest | 2 +- apparmor.d/profiles-s-z/thunderbird-vaapitest | 2 +- apparmor.d/profiles-s-z/tint2 | 2 +- apparmor.d/profiles-s-z/transmission-qt | 2 +- apparmor.d/profiles-s-z/ucf | 2 +- apparmor.d/profiles-s-z/unmkinitramfs | 4 +- .../profiles-s-z/update-ca-certificates | 2 +- apparmor.d/profiles-s-z/update-cracklib | 2 +- apparmor.d/profiles-s-z/vcsi | 2 +- apparmor.d/profiles-s-z/vidcutter | 8 ++-- apparmor.d/profiles-s-z/whiptail | 2 +- apparmor.d/profiles-s-z/wireshark | 2 +- apparmor.d/profiles-s-z/wl-copy | 2 +- apparmor.d/profiles-s-z/wpa-cli | 2 +- apparmor.d/profiles-s-z/wpa-gui | 2 +- apparmor.d/profiles-s-z/xarchiver | 2 +- apparmor.d/profiles-s-z/xauth | 16 +++---- apparmor.d/profiles-s-z/xclip | 4 +- apparmor.d/profiles-s-z/xinit | 4 +- apparmor.d/profiles-s-z/xsel | 2 +- apparmor.d/profiles-s-z/zed | 2 +- apparmor.d/profiles-s-z/zenmap | 4 +- 257 files changed, 668 insertions(+), 685 deletions(-) diff --git a/apparmor.d/abstractions/X-strict b/apparmor.d/abstractions/X-strict index 4ab629d7..b33ba0b4 100644 --- a/apparmor.d/abstractions/X-strict +++ b/apparmor.d/abstractions/X-strict @@ -19,7 +19,7 @@ /tmp/.ICE-unix/* rw, /tmp/.X@{int}-lock rw, /tmp/.X11-unix/* rw, - owner /tmp/xauth_@{rand6} rl -> /tmp/#@{int}, + owner @{tmp}/xauth_@{rand6} rl -> /tmp/#@{int}, owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} rw, # Xwayland owner @{run}/user/@{uid}/gdm{[1-9],}/Xauthority r, 
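Review bot: The added rule `owner @{tmp}/xauth_@{rand6} rl -> /tmp/#@{int},` switches only the source side to the variable while the link target stays hard-coded to `/tmp/#@{int}`. If `@{tmp}` expands to more than `/tmp` (the libpam-tmpdir lines removed from abstractions/app/chromium and abstractions/common/apt in this patch suggest it also covers `/tmp/user/@{uid}`), a link made inside a per-user tmp directory would still be denied because the target is pinned to `/tmp`. Both sides should use the same variable, `owner @{tmp}/xauth_@{rand6} rl -> @{tmp}/#@{int},`. The same source/target mismatch appears in the groups/apt/apt-key and groups/apt/apt-methods-gpgv hunks (`rwkl -> /tmp/apt-key-gpghome.*/**`).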
diff --git a/apparmor.d/abstractions/app/chromium b/apparmor.d/abstractions/app/chromium index fc5ef673..3b106c6e 100644 --- a/apparmor.d/abstractions/app/chromium +++ b/apparmor.d/abstractions/app/chromium @@ -151,17 +151,13 @@ /tmp/ r, /var/tmp/ r, - owner /tmp/.@{domain}.* rw, - owner /tmp/.@{domain}*/{,**} rw, - owner /tmp/@{name}-crashlog-@{int}-@{int}.txt rw, - owner /tmp/scoped_dir*/{,**} rw, - owner /tmp/tmp.* rw, - owner /tmp/tmp.*/ rw, - owner /tmp/tmp.*/** rwk, - - # libpam-tmpdir support - owner /tmp/user/@{uid}/ rw, - owner /tmp/user/@{uid}/** rwk, + owner @{tmp}/.@{domain}.* rw, + owner @{tmp}/.@{domain}*/{,**} rw, + owner @{tmp}/@{name}-crashlog-@{int}-@{int}.txt rw, + owner @{tmp}/scoped_dir*/{,**} rw, + owner @{tmp}/tmp.* rw, + owner @{tmp}/tmp.*/ rw, + owner @{tmp}/tmp.*/** rwk, /dev/shm/ r, owner /dev/shm/.@{domain}* rw, diff --git a/apparmor.d/abstractions/bus-session b/apparmor.d/abstractions/bus-session index 7507dee5..f8d6ba37 100644 --- a/apparmor.d/abstractions/bus-session +++ b/apparmor.d/abstractions/bus-session @@ -19,8 +19,8 @@ /etc/machine-id r, /var/lib/dbus/machine-id r, - owner /tmp/dbus-@{rand8} rw, - owner /tmp/dbus-@{rand10} rw, + owner @{tmp}/dbus-@{rand8} rw, + owner @{tmp}/dbus-@{rand10} rw, owner @{run}/user/@{uid}/bus rw, diff --git a/apparmor.d/abstractions/common/app b/apparmor.d/abstractions/common/app index a1180f97..965f7146 100644 --- a/apparmor.d/abstractions/common/app +++ b/apparmor.d/abstractions/common/app @@ -53,7 +53,7 @@ owner @{user_share_dirs}/** rwkl, owner @{user_games_dirs}/{,**} rm, - owner /tmp/** rmwk, + owner @{tmp}/** rmwk, owner /dev/shm/** rwlk -> /dev/shm/**, @{run}/cups/cups.sock rw, # Allow access to cups printing socket. diff --git a/apparmor.d/abstractions/common/apt b/apparmor.d/abstractions/common/apt index bfded36b..baa14757 100644 --- a/apparmor.d/abstractions/common/apt +++ b/apparmor.d/abstractions/common/apt 
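Review bot: The removed libpam-tmpdir block granted `owner /tmp/user/@{uid}/ rw,` on the per-user tmp directory itself, but none of the added `@{tmp}/...` rules covers the bare directory; the only directory rule left in the hunk is the non-owner `/tmp/ r,`. If `@{tmp}` expands to `/tmp/user/@{uid}`, listing or creating entries directly in that directory is presumably lost here, which the patch description (a pure variable substitution) does not mention. If that directory access is still needed, `owner @{tmp}/ rw,` restores it; if the drop is deliberate, a one-line comment saying so would save the next reader a bisect.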
@@ -25,8 +25,7 @@ /var/lib/dpkg/status r, /var/lib/ubuntu-advantage/apt-esm/{,**} r, - owner /tmp/#@{int} rw, - owner /tmp/clearsigned.message.* rw, - owner /tmp/user/@{uid}/#@{int} rw, + owner @{tmp}/#@{int} rw, + owner @{tmp}/clearsigned.message.* rw, include if exists \ No newline at end of file diff --git a/apparmor.d/abstractions/common/bwrap b/apparmor.d/abstractions/common/bwrap index f2e76bcd..858acb47 100644 --- a/apparmor.d/abstractions/common/bwrap +++ b/apparmor.d/abstractions/common/bwrap @@ -37,8 +37,8 @@ owner / r, owner /newroot/{,**} w, - owner /tmp/newroot/ w, - owner /tmp/oldroot/ w, + owner @{tmp}/newroot/ w, + owner @{tmp}/oldroot/ w, @{PROC}/sys/kernel/overflowgid r, @{PROC}/sys/kernel/overflowuid r, diff --git a/apparmor.d/abstractions/common/chromium b/apparmor.d/abstractions/common/chromium index 27edc85f..1fc1d155 100644 --- a/apparmor.d/abstractions/common/chromium +++ b/apparmor.d/abstractions/common/chromium @@ -24,12 +24,12 @@ /tmp/ r, /var/tmp/ r, - owner /tmp/.org.chromium.Chromium.* rw, - owner /tmp/.org.chromium.Chromium.*/{,**} rw, - owner /tmp/scoped_dir*/ rw, - owner /tmp/scoped_dir*/SingletonCookie w, - owner /tmp/scoped_dir*/SingletonSocket w, - owner /tmp/scoped_dir*/SS w, + owner @{tmp}/.org.chromium.Chromium.* rw, + owner @{tmp}/.org.chromium.Chromium.*/{,**} rw, + owner @{tmp}/scoped_dir*/ rw, + owner @{tmp}/scoped_dir*/SingletonCookie w, + owner @{tmp}/scoped_dir*/SingletonSocket w, + owner @{tmp}/scoped_dir*/SS w, /dev/shm/ r, owner /dev/shm/.org.chromium.Chromium.* rw, diff --git a/apparmor.d/abstractions/common/electron b/apparmor.d/abstractions/common/electron index 3862765b..c8541282 100644 --- a/apparmor.d/abstractions/common/electron +++ b/apparmor.d/abstractions/common/electron 
@@ -50,14 +50,14 @@ owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk, owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw, - owner /tmp/.org.chromium.Chromium.@{rand6} rw, - owner /tmp/.org.chromium.Chromium.@{rand6}/ rw, - owner /tmp/.org.chromium.Chromium.@{rand6}/SingletonCookie w, - owner /tmp/.org.chromium.Chromium.@{rand6}/SingletonSocket w, - owner /tmp/scoped_dir@{rand6}/ rw, - owner /tmp/scoped_dir@{rand6}/SingletonCookie w, - owner /tmp/scoped_dir@{rand6}/SingletonSocket w, - owner /tmp/scoped_dir@{rand6}/SS w, + owner @{tmp}/.org.chromium.Chromium.@{rand6} rw, + owner @{tmp}/.org.chromium.Chromium.@{rand6}/ rw, + owner @{tmp}/.org.chromium.Chromium.@{rand6}/SingletonCookie w, + owner @{tmp}/.org.chromium.Chromium.@{rand6}/SingletonSocket w, + owner @{tmp}/scoped_dir@{rand6}/ rw, + owner @{tmp}/scoped_dir@{rand6}/SingletonCookie w, + owner @{tmp}/scoped_dir@{rand6}/SingletonSocket w, + owner @{tmp}/scoped_dir@{rand6}/SS w, owner /dev/shm/.org.chromium.Chromium.@{rand6} rw, diff --git a/apparmor.d/groups/_full/default b/apparmor.d/groups/_full/default index a92304d1..0b6b72f1 100644 --- a/apparmor.d/groups/_full/default +++ b/apparmor.d/groups/_full/default @@ -72,7 +72,7 @@ profile default @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{run}/user/@{uid}/{,**} rw, owner @{user_config_dirs}/** rwkl, owner @{user_share_dirs}/** rwkl, - owner /tmp/{,**} rwk, + owner @{tmp}/{,**} rwk, owner @{run}/user/@{uid}/{,**} rw, diff --git a/apparmor.d/groups/akonadi/akonadi_mailfilter_agent b/apparmor.d/groups/akonadi/akonadi_mailfilter_agent index 53a6fc02..80594c6b 100644 --- a/apparmor.d/groups/akonadi/akonadi_mailfilter_agent +++ b/apparmor.d/groups/akonadi/akonadi_mailfilter_agent 
@@ -49,8 +49,8 @@ profile akonadi_mailfilter_agent @{exec_path} { owner @{user_config_dirs}/kmail2rc r, owner @{user_config_dirs}/kwinrc r, - owner /tmp/#@{int} rw, - owner /tmp/akonadi_mailfilter_agent.* rwl, + owner @{tmp}/#@{int} rw, + owner @{tmp}/akonadi_mailfilter_agent.* rwl, owner @{user_config_dirs}/specialmailcollectionsrc r, diff --git a/apparmor.d/groups/apps/calibre b/apparmor.d/groups/apps/calibre index bcc0cf92..fe3867af 100644 --- a/apparmor.d/groups/apps/calibre +++ b/apparmor.d/groups/apps/calibre @@ -95,12 +95,10 @@ profile calibre @{exec_path} { owner @{user_cache_dirs}/gstreamer-@{int}/ rw, owner @{user_cache_dirs}/gstreamer-@{int}/registry.*.bin{,.tmp@{rand6}} rw, - owner /tmp/calibre_*_tmp_*/{,**} rw, - owner /tmp/calibre-*/{,**} rw, - owner /tmp/@{int}-*/ rw, - owner /tmp/@{int}-*/** rwl, -# owner /tmp/@{int}-*/** rwl -> /tmp/@{int}-*/**, # newer AA version - owner /tmp/* rw, + owner @{tmp}/calibre_*_tmp_*/{,**} rw, + owner @{tmp}/calibre-*/{,**} rw, + owner @{tmp}/@{int}-*/ rw, + owner @{tmp}/@{int}-*/** rwl, owner /dev/shm/#@{int} rw, diff --git a/apparmor.d/groups/apps/discord b/apparmor.d/groups/apps/discord index e7eda5c3..c703ff35 100644 --- a/apparmor.d/groups/apps/discord +++ b/apparmor.d/groups/apps/discord @@ -34,9 +34,9 @@ profile discord @{exec_path} { /var/lib/dbus/machine-id r, /etc/machine-id r, - owner /tmp/net-export/ rw, - owner /tmp/discord.sock rw, - owner "/tmp/Discord Crashes/" rw, + owner @{tmp}/net-export/ rw, + owner @{tmp}/discord.sock rw, + owner "@{tmp}/Discord Crashes/" rw, owner @{run}/user/@{uid}/discord-ipc-@{int} rw, diff --git a/apparmor.d/groups/apps/dropbox b/apparmor.d/groups/apps/dropbox index 9853bd50..c960e62f 100644 --- a/apparmor.d/groups/apps/dropbox +++ b/apparmor.d/groups/apps/dropbox 
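Review bot: The calibre hunk drops `owner /tmp/* rw,` (and its commented-out variant) without adding a `@{tmp}/*` counterpart, so this is a behavioural tightening rather than the plain rename the subject line describes. That may well be intended, since the remaining `@{tmp}/calibre*` and `@{tmp}/@{int}-*` patterns are more specific, but a silent narrowing inside a 257-file substitution is easy to miss when triaging later denials. Either restore it as `owner @{tmp}/* rw,` or mention the intentional removal in the commit message.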
@@ -60,11 +60,11 @@ profile dropbox @{exec_path} { @{bin}/{,@{multiarch}-}objdump rix, # Needed for updating Dropbox - owner /tmp/.dropbox-dist-new-*/{,**} rw, - owner /tmp/.dropbox-dist-new-*/.dropbox-dist/dropboxd rix, - owner /tmp/.dropbox-dist-new-*/.dropbox-dist/dropbox-lnx.*/dropbox rwix, - owner /tmp/.dropbox-dist-new-*/.dropbox-dist/dropbox-lnx.*/dropboxd rwix, - owner /tmp/.dropbox-dist-new-*/.dropbox-dist/dropbox-lnx.*/*.so mrw, + owner @{tmp}/.dropbox-dist-new-*/{,**} rw, + owner @{tmp}/.dropbox-dist-new-*/.dropbox-dist/dropboxd rix, + owner @{tmp}/.dropbox-dist-new-*/.dropbox-dist/dropbox-lnx.*/dropbox rwix, + owner @{tmp}/.dropbox-dist-new-*/.dropbox-dist/dropbox-lnx.*/dropboxd rwix, + owner @{tmp}/.dropbox-dist-new-*/.dropbox-dist/dropbox-lnx.*/*.so mrw, owner @{HOME}/.dropbox-dist-old*/{,**} rw, owner @{HOME}/.dropbox-dist-tmp-*/{,**} rw, @@ -105,9 +105,9 @@ profile dropbox @{exec_path} { @{PROC}/vmstat r, # Dropbox first tries the /tmp/ dir, and if it's denied it uses the /var/tmp/ dir instead - owner /tmp/dropbox-antifreeze-* rw, - owner /tmp/[a-zA-z0-9]* rw, - owner /tmp/#@{int} rw, + owner @{tmp}/dropbox-antifreeze-* rw, + owner @{tmp}/[a-zA-z0-9]* rw, + owner @{tmp}/#@{int} rw, owner /var/tmp/etilqs_@{hex} rw, @{run}/systemd/users/@{uid} r, diff --git a/apparmor.d/groups/apps/filezilla b/apparmor.d/groups/apps/filezilla index 20f90561..cc099ce4 100644 --- a/apparmor.d/groups/apps/filezilla +++ b/apparmor.d/groups/apps/filezilla @@ -49,9 +49,9 @@ profile filezilla @{exec_path} { # Creating new files on FTP /tmp/ r, - owner /tmp/fz[0-9]temp-@{int}/ rw, - owner /tmp/fz[0-9]temp-@{int}/fz*-lockfile rwk, - owner /tmp/fz[0-9]temp-@{int}/empty_file_* rw, + owner @{tmp}/fz[0-9]temp-@{int}/ rw, + owner @{tmp}/fz[0-9]temp-@{int}/fz*-lockfile rwk, + owner @{tmp}/fz[0-9]temp-@{int}/empty_file_* rw, # External apps @{lib}/firefox/firefox rPUx, diff --git a/apparmor.d/groups/apps/flameshot b/apparmor.d/groups/apps/flameshot index d55481cf..d4d16144 100644 
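Review bot: In the second dropbox hunk, `owner @{tmp}/[a-zA-z0-9]* rw,` carries over a range typo: under ordinary character-class semantics `A-z` spans from `A` to `z`, so it also matches `[`, `\`, `]`, `^`, `_` and the backtick, which is almost certainly not what the author meant. Since the line is being rewritten anyway, it should read `owner @{tmp}/[a-zA-Z0-9]* rw,`. The comment above it still refers to `/tmp/` literally; if `@{tmp}` can expand elsewhere, the comment is now slightly misleading and could say "the tmp dir" instead.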
--- a/apparmor.d/groups/apps/flameshot +++ b/apparmor.d/groups/apps/flameshot @@ -50,9 +50,9 @@ profile flameshot @{exec_path} { /usr/share/hwdata/pnp.ids r, - owner /tmp/.*/{,s} rw, - owner /tmp/*= rw, - owner /tmp/qipc_{systemsem,sharedmemory}_*@{hex} rw, + owner @{tmp}/.*/{,s} rw, + owner @{tmp}/*= rw, + owner @{tmp}/qipc_{systemsem,sharedmemory}_*@{hex} rw, deny owner @{PROC}/@{pid}/cmdline r, deny @{PROC}/sys/kernel/random/boot_id r, diff --git a/apparmor.d/groups/apps/telegram-desktop b/apparmor.d/groups/apps/telegram-desktop index d2969426..6b9fbdf7 100644 --- a/apparmor.d/groups/apps/telegram-desktop +++ b/apparmor.d/groups/apps/telegram-desktop @@ -60,7 +60,7 @@ profile telegram-desktop @{exec_path} { # Autostart owner @{user_config_dirs}/autostart/telegramdesktop.desktop rw, - owner /tmp/@{hex}-* rwk, + owner @{tmp}/@{hex}-* rwk, owner @{run}/user/@{uid}/@{hex}-* rwk, /dev/shm/#@{int} rw, diff --git a/apparmor.d/groups/apps/zathura b/apparmor.d/groups/apps/zathura index aaa939e5..0c86abde 100644 --- a/apparmor.d/groups/apps/zathura +++ b/apparmor.d/groups/apps/zathura @@ -25,7 +25,7 @@ profile zathura @{exec_path} { owner @{user_config_dirs}/zathura/** r, owner @{user_share_dirs}/zathura/** rwk, - owner /tmp/gtkprint* rw, + owner @{tmp}/gtkprint* rw, include if exists } diff --git a/apparmor.d/groups/apt/apt b/apparmor.d/groups/apt/apt index 52afd575..f241df38 100644 --- a/apparmor.d/groups/apt/apt +++ b/apparmor.d/groups/apt/apt 
@@ -136,11 +136,11 @@ profile apt @{exec_path} flags=(attach_disconnected) { /tmp/ r, /tmp/apt-changelog-*/ w, /tmp/apt-changelog-*/*.changelog w, - owner /tmp/apt-changelog-*/.apt-acquire-privs-test.* rw, - owner /tmp/apt-dpkg-install-*/ rw, - owner /tmp/apt-dpkg-install-*/@{int}-*.deb w, - owner /tmp/apt.conf.* rw, - owner /tmp/apt.data.* rw, + owner @{tmp}/apt-changelog-*/.apt-acquire-privs-test.* rw, + owner @{tmp}/apt-dpkg-install-*/ rw, + owner @{tmp}/apt-dpkg-install-*/@{int}-*.deb w, + owner @{tmp}/apt.conf.* rw, + owner @{tmp}/apt.data.* rw, @{PROC}/@{pids}/cmdline r, @{PROC}/@{pids}/mountinfo r, @@ -187,8 +187,8 @@ profile apt @{exec_path} flags=(attach_disconnected) { owner @{HOME}/.less* rw, - owner /tmp/apt-changelog-*/ r, - owner /tmp/apt-changelog-*/*.changelog r, + owner @{tmp}/apt-changelog-*/ r, + owner @{tmp}/apt-changelog-*/*.changelog r, include if exists } diff --git a/apparmor.d/groups/apt/apt-config b/apparmor.d/groups/apt/apt-config index 0053232f..52227b9b 100644 --- a/apparmor.d/groups/apt/apt-config +++ b/apparmor.d/groups/apt/apt-config @@ -17,7 +17,7 @@ profile apt-config @{exec_path} { @{bin}/dpkg rPx -> child-dpkg, - owner /tmp/tmp*/apt.conf r, + owner @{tmp}/tmp*/apt.conf r, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/groups/apt/apt-extracttemplates b/apparmor.d/groups/apt/apt-extracttemplates index c93f890d..ad1f85de 100644 --- a/apparmor.d/groups/apt/apt-extracttemplates +++ b/apparmor.d/groups/apt/apt-extracttemplates @@ -27,7 +27,7 @@ profile apt-extracttemplates @{exec_path} { owner /var/log/unattended-upgrades/unattended-upgrades-dpkg.log rw, - owner /tmp/*.{config,template}.@{rand6} rw, + owner @{tmp}/*.{config,template}.@{rand6} rw, owner /var/cache/debconf/tmp.ci/*.{config,template}.@{rand6} rw, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/groups/apt/apt-key b/apparmor.d/groups/apt/apt-key index 2334e30d..39ca7d4e 100644 --- a/apparmor.d/groups/apt/apt-key +++ b/apparmor.d/groups/apt/apt-key 
@@ -56,7 +56,7 @@ profile apt-key @{exec_path} { /etc/apt/trusted.gpg.d/{,*.gpg,*.asc} r, /tmp/ r, - owner /tmp/apt-key-gpghome.*/{,**} rw, + owner @{tmp}/apt-key-gpghome.*/{,**} rw, profile gpg { @@ -93,9 +93,9 @@ profile apt-key @{exec_path} { /etc/apt/trusted.gpg.d/*.gpg r, /etc/apt/trusted.gpg.d/*.gpg.lock rwl -> /etc/apt/trusted.gpg.d/.#lk0x[a-f0-9]*.@{pid}, - owner /tmp/apt-key-gpghome.*/ rw, - owner /tmp/apt-key-gpghome.*/** rwkl -> /tmp/apt-key-gpghome.*/**, - owner /tmp/apt-key-gpghome.*/gpgoutput.{log,err} w, + owner @{tmp}/apt-key-gpghome.*/ rw, + owner @{tmp}/apt-key-gpghome.*/** rwkl -> /tmp/apt-key-gpghome.*/**, + owner @{tmp}/apt-key-gpghome.*/gpgoutput.{log,err} w, owner @{run}/user/@{uid}/gnupg/d.*/ rw, diff --git a/apparmor.d/groups/apt/apt-listbugs-migratepins b/apparmor.d/groups/apt/apt-listbugs-migratepins index ffb2d4c8..92c97cc1 100644 --- a/apparmor.d/groups/apt/apt-listbugs-migratepins +++ b/apparmor.d/groups/apt/apt-listbugs-migratepins @@ -25,9 +25,9 @@ profile apt-listbugs-migratepins @{exec_path} { /etc/apt/preferences r, - owner /tmp/pin_migration_*-@{pid}-*/ w, - owner /tmp/pin_migration_*-@{pid}-*/preferences w, - owner /tmp/pin_migration_*-@{pid}-*/apt-listbugs w, + owner @{tmp}/pin_migration_*-@{pid}-*/ w, + owner @{tmp}/pin_migration_*-@{pid}-*/preferences w, + owner @{tmp}/pin_migration_*-@{pid}-*/apt-listbugs w, include if exists } diff --git a/apparmor.d/groups/apt/apt-listchanges b/apparmor.d/groups/apt/apt-listchanges index ba7038db..3f4890b3 100644 --- a/apparmor.d/groups/apt/apt-listchanges +++ b/apparmor.d/groups/apt/apt-listchanges 
@@ -53,16 +53,16 @@ profile apt-listchanges @{exec_path} { owner @{PROC}/@{pid}/fd/ r, /tmp/ r, - owner /tmp/* rw, - owner /tmp/apt-listchanges*/ rw, - owner /tmp/apt-listchanges*/**/ rw, - owner /tmp/apt-listchanges*/*/*/*/*/changelog.gz rw, - owner /tmp/apt-listchanges*/*/*/*/*/changelog.Debian*.gz rw, - owner /tmp/apt-listchanges*/*/*/*/*/NEWS.Debian.gz rw, - owner /tmp/apt-listchanges*/*/*/*/*/*/changelog.gz rw, - owner /tmp/apt-listchanges*/*/*/*/*/*/changelog/changelog_to_file rw, - owner /tmp/apt-listchanges*/*/*/*/*/*/changelog/simple_changelog rw, - owner /tmp/apt-listchanges*/*/*/*/*/*/*-local/debian/changelog rw, + owner @{tmp}/* rw, + owner @{tmp}/apt-listchanges*/ rw, + owner @{tmp}/apt-listchanges*/**/ rw, + owner @{tmp}/apt-listchanges*/*/*/*/*/changelog.gz rw, + owner @{tmp}/apt-listchanges*/*/*/*/*/changelog.Debian*.gz rw, + owner @{tmp}/apt-listchanges*/*/*/*/*/NEWS.Debian.gz rw, + owner @{tmp}/apt-listchanges*/*/*/*/*/*/changelog.gz rw, + owner @{tmp}/apt-listchanges*/*/*/*/*/*/changelog/changelog_to_file rw, + owner @{tmp}/apt-listchanges*/*/*/*/*/*/changelog/simple_changelog rw, + owner @{tmp}/apt-listchanges*/*/*/*/*/*/*-local/debian/changelog rw, # The following is needed when apt-listchanges uses debcconf GUI frontends. include @@ -96,7 +96,7 @@ profile apt-listchanges @{exec_path} { /root/ r, /tmp/ r, - owner /tmp/apt-listchanges-tmp*.txt r, + owner @{tmp}/apt-listchanges-tmp*.txt r, } diff --git a/apparmor.d/groups/apt/apt-methods-gpgv b/apparmor.d/groups/apt/apt-methods-gpgv index e85ab0ae..94f51aa9 100644 --- a/apparmor.d/groups/apt/apt-methods-gpgv +++ b/apparmor.d/groups/apt/apt-methods-gpgv 
@@ -81,9 +81,9 @@ profile apt-methods-gpgv @{exec_path} { @{user_build_dirs}/** rwkl -> @{user_build_dirs}/**, /tmp/ r, - owner /tmp/apt-key-gpghome.*/ rw, - owner /tmp/apt-key-gpghome.*/** rwkl -> /tmp/apt-key-gpghome.*/**, - owner /tmp/apt.{conf,sig,data}.* rw, + owner @{tmp}/apt-key-gpghome.*/ rw, + owner @{tmp}/apt-key-gpghome.*/** rwkl -> /tmp/apt-key-gpghome.*/**, + owner @{tmp}/apt.{conf,sig,data}.* rw, @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/groups/apt/apt-methods-http b/apparmor.d/groups/apt/apt-methods-http index 7b27647a..1705e9dc 100644 --- a/apparmor.d/groups/apt/apt-methods-http +++ b/apparmor.d/groups/apt/apt-methods-http @@ -66,8 +66,8 @@ profile apt-methods-http @{exec_path} { @{user_build_dirs}/** rwkl -> @{user_build_dirs}/**, /tmp/ r, - owner /tmp/aptitude-root.*/aptitude-download-* rw, - owner /tmp/apt-changelog-*/*.changelog rw, + owner @{tmp}/aptitude-root.*/aptitude-download-* rw, + owner @{tmp}/apt-changelog-*/*.changelog rw, @{run}/ubuntu-advantage/aptnews.json rw, diff --git a/apparmor.d/groups/apt/apt-methods-store b/apparmor.d/groups/apt/apt-methods-store index fe41d8ec..06f1bb10 100644 --- a/apparmor.d/groups/apt/apt-methods-store +++ b/apparmor.d/groups/apt/apt-methods-store @@ -53,7 +53,7 @@ profile apt-methods-store @{exec_path} { @{user_build_dirs}/** rwkl -> @{user_build_dirs}/**, /tmp/ r, - owner /tmp/apt-changelog-*/*.changelog{,.*} rw, + owner @{tmp}/apt-changelog-*/*.changelog{,.*} rw, # file_inherit owner /dev/tty@{int} rw, diff --git a/apparmor.d/groups/apt/aptitude b/apparmor.d/groups/apt/aptitude index 09d3362f..6c204e63 100644 --- a/apparmor.d/groups/apt/aptitude +++ b/apparmor.d/groups/apt/aptitude 
@@ -98,9 +98,9 @@ profile aptitude @{exec_path} flags=(complain) { @{bin}/apt rPx, # For changelogs - owner /tmp/aptitude-*.@{pid}:*/cache{ContentCompressed,Extracted}* rw, - owner /tmp/aptitude-*.@{pid}:*/aptitude-download-* rw, - owner /tmp/aptitude-*.@{pid}:*/parsedchangelog* w, + owner @{tmp}/aptitude-*.@{pid}:*/cache{ContentCompressed,Extracted}* rw, + owner @{tmp}/aptitude-*.@{pid}:*/aptitude-download-* rw, + owner @{tmp}/aptitude-*.@{pid}:*/parsedchangelog* w, owner @{user_cache_dirs}/ rw, owner @{user_cache_dirs}/aptitude/ rw, owner @{user_cache_dirs}/aptitude/metadata-download{,-journal} rw, @@ -108,8 +108,8 @@ profile aptitude @{exec_path} flags=(complain) { @{bin}/sensible-pager rCx -> pager, # For aptitude-run-state-bundle - owner /tmp/aptitudebug.*/ r, - owner /tmp/aptitudebug.*/** rwk, + owner @{tmp}/aptitudebug.*/ r, + owner @{tmp}/aptitudebug.*/** rwk, /var/lib/apt-xapian-index/index r, /var/cache/apt-xapian-index/index.[0-9]/*.glass r, @@ -121,11 +121,11 @@ profile aptitude @{exec_path} flags=(complain) { owner @{PROC}/@{pid}/fd/ r, /tmp/ r, - owner /tmp/aptitude-*.@{pid}:*/ rw, - owner /tmp/aptitude-*.@{pid}:*/{pkgstates,control}* rw, /tmp/aptitude-*.@{pid}:*/pkgstates* r, - owner /tmp/apt-dpkg-install-*/ rw, - owner /tmp/apt-dpkg-install-*/@{int}-*.deb w, + owner @{tmp}/aptitude-*.@{pid}:*/ rw, + owner @{tmp}/aptitude-*.@{pid}:*/{pkgstates,control}* rw, + owner @{tmp}/apt-dpkg-install-*/ rw, + owner @{tmp}/apt-dpkg-install-*/@{int}-*.deb w, /var/cache/apt/ r, /var/cache/apt/** rwk, @@ -180,7 +180,7 @@ profile aptitude @{exec_path} flags=(complain) { owner @{HOME}/.less* rw, - owner /tmp/aptitude-*.@{pid}:*/aptitude-download-* rw, + owner @{tmp}/aptitude-*.@{pid}:*/aptitude-download-* rw, # For shell pwd /root/ r, diff --git a/apparmor.d/groups/apt/aptitude-run-state-bundle b/apparmor.d/groups/apt/aptitude-run-state-bundle index 7e9ac716..330af646 100644 --- a/apparmor.d/groups/apt/aptitude-run-state-bundle 
+++ b/apparmor.d/groups/apt/aptitude-run-state-bundle @@ -24,7 +24,7 @@ profile aptitude-run-state-bundle @{exec_path} { @{bin}/aptitude-curses rPx, - owner /tmp/aptitudebug.*/{,**} rw, + owner @{tmp}/aptitudebug.*/{,**} rw, include if exists } diff --git a/apparmor.d/groups/apt/debsign b/apparmor.d/groups/apt/debsign index d5dbe9bb..c15be86e 100644 --- a/apparmor.d/groups/apt/debsign +++ b/apparmor.d/groups/apt/debsign @@ -41,8 +41,8 @@ profile debsign @{exec_path} { owner @{user_build_dirs}/** rwkl -> @{user_build_dirs}/**, - owner /tmp/debsign.*/ rw, - owner /tmp/debsign.*/*.{dsc,changes,buildinfo}{,.asc} rw, + owner @{tmp}/debsign.*/ rw, + owner @{tmp}/debsign.*/*.{dsc,changes,buildinfo}{,.asc} rw, profile gpg { include @@ -52,8 +52,8 @@ profile debsign @{exec_path} { owner @{HOME}/@{XDG_GPG_DIR}/ r, owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**, - owner /tmp/debsign.*/*.{dsc,changes,buildinfo} r, - owner /tmp/debsign.*/*.{dsc,changes,buildinfo}.asc rw, + owner @{tmp}/debsign.*/*.{dsc,changes,buildinfo} r, + owner @{tmp}/debsign.*/*.{dsc,changes,buildinfo}.asc rw, } diff --git a/apparmor.d/groups/apt/dpkg b/apparmor.d/groups/apt/dpkg index 0f60c730..0402418d 100644 --- a/apparmor.d/groups/apt/dpkg +++ b/apparmor.d/groups/apt/dpkg @@ -67,7 +67,7 @@ profile dpkg @{exec_path} { /usr/** rwlk -> /usr/**, /var/** rwlk -> /var/**, - owner /tmp/apt-dpkg-install-*/ r, + owner @{tmp}/apt-dpkg-install-*/ r, @{run}/systemd/userdb/ r, diff --git a/apparmor.d/groups/apt/dpkg-architecture b/apparmor.d/groups/apt/dpkg-architecture index 2ffaadc4..62351f92 100644 --- a/apparmor.d/groups/apt/dpkg-architecture +++ b/apparmor.d/groups/apt/dpkg-architecture @@ -29,7 +29,7 @@ profile dpkg-architecture @{exec_path} { /etc/debian_version r, # file_inherit - owner /tmp/* rw, + owner @{tmp}/* rw, profile ccache { diff --git a/apparmor.d/groups/apt/dpkg-deb b/apparmor.d/groups/apt/dpkg-deb index b0ba38bf..a463d54e 100644 --- a/apparmor.d/groups/apt/dpkg-deb 
+++ b/apparmor.d/groups/apt/dpkg-deb @@ -25,13 +25,13 @@ profile dpkg-deb @{exec_path} { owner /var/lib/dpkg/tmp.ci/* w, # For creating deb packages - owner /tmp/dpkg-deb.* rw, + owner @{tmp}/dpkg-deb.* rw, - owner /tmp/dpkg-deb.*/ rw, - owner /tmp/dpkg-deb.*/* rw, + owner @{tmp}/dpkg-deb.*/ rw, + owner @{tmp}/dpkg-deb.*/* rw, # For extracting deb packages to /tmp/ - owner /tmp/** rw, + owner @{tmp}/** rw, /var/cache/apt/archives/*.deb r, diff --git a/apparmor.d/groups/apt/dpkg-preconfigure b/apparmor.d/groups/apt/dpkg-preconfigure index 14ec46d7..9d8d3330 100644 --- a/apparmor.d/groups/apt/dpkg-preconfigure +++ b/apparmor.d/groups/apt/dpkg-preconfigure @@ -39,8 +39,8 @@ profile dpkg-preconfigure @{exec_path} { /etc/inputrc r, /etc/shadow r, - owner /tmp/*.template.* rw, - owner /tmp/*.config.* rwPUx, + owner @{tmp}/*.template.* rw, + owner @{tmp}/*.config.* rwPUx, /var/lib/dbus/machine-id r, owner /var/cache/debconf/ rw, diff --git a/apparmor.d/groups/apt/reportbug b/apparmor.d/groups/apt/reportbug index eb91add8..cc2a5e84 100644 --- a/apparmor.d/groups/apt/reportbug +++ b/apparmor.d/groups/apt/reportbug @@ -77,8 +77,8 @@ profile reportbug @{exec_path} { owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mounts r, - owner /tmp/* rw, - owner /tmp/reportbug-*-@{int}-@{pid}-* rw, + owner @{tmp}/* rw, + owner @{tmp}/reportbug-*-@{int}-@{pid}-* rw, owner /var/tmp/*.bug{,~} rw, @{sys}/module/apparmor/parameters/enabled r, @@ -101,7 +101,7 @@ profile reportbug @{exec_path} { owner @{HOME}/@{XDG_GPG_DIR}/ rw, owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**, - owner /tmp/reportbug-*-{signed,unsigned}-* rw, + owner @{tmp}/reportbug-*-{signed,unsigned}-* rw, owner @{HOME}/draftbugreports/reportbug-*-{signed,unsigned}-* rw, include if exists diff --git a/apparmor.d/groups/apt/synaptic b/apparmor.d/groups/apt/synaptic index fca72cb7..2423ff3d 100644 --- a/apparmor.d/groups/apt/synaptic +++ b/apparmor.d/groups/apt/synaptic 
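Review bot: The dpkg-preconfigure hunk keeps `owner @{tmp}/*.config.* rwPUx,`, which grants write and exec-unconfined-fallback on the same temp paths the profile writes; the commit only renames the prefix, but since the line is touched it is worth documenting why this write-then-execute combination is required. A short comment such as `# debconf .config scripts are extracted here and then executed` would make the intent explicit for the next reviewer, and makes it clear that the `U` fallback is expected rather than accidental. I cannot tell from the hunk whether a dedicated child profile is feasible for those scripts, so this is a documentation request, not a rule change.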
@@ -132,8 +132,8 @@ profile synaptic @{exec_path} { /etc/machine-id r, /tmp/ r, - owner /tmp/apt-dpkg-install-*/ rw, - owner /tmp/apt-dpkg-install-*/@{int}-*.deb w, + owner @{tmp}/apt-dpkg-install-*/ rw, + owner @{tmp}/apt-dpkg-install-*/@{int}-*.deb w, /var/cache/apt/ r, /var/cache/apt/** rwk, diff --git a/apparmor.d/groups/apt/unattended-upgrade b/apparmor.d/groups/apt/unattended-upgrade index aa0b7bde..9ab8fc69 100644 --- a/apparmor.d/groups/apt/unattended-upgrade +++ b/apparmor.d/groups/apt/unattended-upgrade @@ -103,7 +103,7 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { owner @{run}/unattended-upgrades.pid rw, owner @{run}/unattended-upgrades.progress rw, - owner /tmp/apt-dpkg-install-*/{,*} rw, + owner @{tmp}/apt-dpkg-install-*/{,*} rw, @{PROC}/@{pids}/mountinfo r, owner @{PROC}/@{pids}/fd/ r, diff --git a/apparmor.d/groups/browsers/brave b/apparmor.d/groups/browsers/brave index af3ea866..b88df258 100644 --- a/apparmor.d/groups/browsers/brave +++ b/apparmor.d/groups/browsers/brave @@ -37,10 +37,10 @@ profile brave @{exec_path} { owner @{config_dirs}/WidevineCdm/libwidevinecdm.so mrw, owner @{cache_dirs}/BraveSoftware/ rw, - owner /tmp/net-export/ rw, # For brave://net-export/ + owner @{tmp}/net-export/ rw, # For brave://net-export/ - owner /tmp/.org.chromium.Chromium.* rwk, - owner /tmp/.org.chromium.Chromium*/{,**} rw, + owner @{tmp}/.org.chromium.Chromium.* rwk, + owner @{tmp}/.org.chromium.Chromium*/{,**} rw, owner /dev/shm/.org.chromium.Chromium.* rw, diff --git a/apparmor.d/groups/browsers/chromium-wrapper b/apparmor.d/groups/browsers/chromium-wrapper index f3037f5b..818c9dce 100644 --- a/apparmor.d/groups/browsers/chromium-wrapper +++ b/apparmor.d/groups/browsers/chromium-wrapper 
@@ -38,9 +38,9 @@ profile chromium-wrapper @{exec_path} { owner @{HOME}/.xsession-errors w, - owner /tmp/chromiumargs.@{rand6} rw, - owner /tmp/tmp.*/ rw, - owner /tmp/tmp.*/** rwk, + owner @{tmp}/chromiumargs.@{rand6} rw, + owner @{tmp}/tmp.*/ rw, + owner @{tmp}/tmp.*/** rwk, owner /dev/tty@{int} rw, /dev/dri/card[0-9] rw, diff --git a/apparmor.d/groups/browsers/firefox b/apparmor.d/groups/browsers/firefox index d3521ac0..db6c2676 100644 --- a/apparmor.d/groups/browsers/firefox +++ b/apparmor.d/groups/browsers/firefox 
@@ -155,32 +155,27 @@ profile firefox @{exec_path} flags=(attach_disconnected) { /tmp/ r, /var/tmp/ r, - owner /tmp/.xfsm-ICE-@{rand6} rw, - owner /tmp/@{name}/ rw, - owner /tmp/@{name}/* rwk, - owner /tmp/@{rand6}.tmp r, - owner /tmp/@{rand8}.txt w, - owner /tmp/* w, # file downloads (to anywhere) - owner /tmp/firefox_*/ rw, - owner /tmp/firefox_*/* rwk, - owner /tmp/mozilla_*/ rw, - owner /tmp/mozilla_*/* rw, - owner /tmp/mozilla-temp-@{int} rw, - owner /tmp/Mozilla@{uuid}-cachePurge-??????????????? rwk, - owner /tmp/Mozilla\{@{uuid}\}-cachePurge-??????????????? rwk, - owner /tmp/MozillaBackgroundTask-???????????????-removeDirectory/.parentlock k, - owner /tmp/MozillaBackgroundTask-???????????????-removeDirectory/{**,} rw, - owner /tmp/Mozillato-be-removed-cachePurge-??????????????? rwk, - owner /tmp/Temp-@{uuid}/{**,} rw, - owner /tmp/tmp-???.xpi rw, - owner /tmp/tmpaddon r, - owner /tmp/tmpaddon-@{int} r, - owner /tmp/user/@{uid}/ rw, - owner /tmp/user/@{uid}/@{name}/ rw, - owner /tmp/user/@{uid}/@{name}/* rwk, - owner /tmp/user/@{uid}/* rwk, - owner /tmp/user/@{uid}/Temp-@{uuid}/ rw, - owner /tmp/user/@{uid}/Temp-@{uuid}/* rwk, + owner @{tmp}/.xfsm-ICE-@{rand6} rw, + owner @{tmp}/@{name}/ rw, + owner @{tmp}/@{name}/* rwk, + owner @{tmp}/@{rand6}.tmp r, + owner @{tmp}/@{rand8}.txt w, + owner @{tmp}/* w, # file downloads (to anywhere) + owner @{tmp}/firefox_*/ rw, + owner @{tmp}/firefox_*/* rwk, + owner @{tmp}/mozilla_*/ rw, + owner @{tmp}/mozilla_*/* rw, + owner @{tmp}/mozilla-temp-@{int} rw, + owner @{tmp}/Mozilla@{uuid}-cachePurge-??????????????? rwk, + owner @{tmp}/Mozilla\{@{uuid}\}-cachePurge-??????????????? rwk, + owner @{tmp}/MozillaBackgroundTask-???????????????-removeDirectory/.parentlock k, + owner @{tmp}/MozillaBackgroundTask-???????????????-removeDirectory/{**,} rw, + owner @{tmp}/Mozillato-be-removed-cachePurge-??????????????? 
rwk, + owner @{tmp}/Temp-@{uuid}/ rw, + owner @{tmp}/Temp-@{uuid}/** rwk, + owner @{tmp}/tmp-???.xpi rw, + owner @{tmp}/tmpaddon r, + owner @{tmp}/tmpaddon-@{int} r, @{run}/mount/utab r, diff --git a/apparmor.d/groups/browsers/firefox-crashreporter b/apparmor.d/groups/browsers/firefox-crashreporter index 2ba1f1f9..e6f8f6b6 100644 --- a/apparmor.d/groups/browsers/firefox-crashreporter +++ b/apparmor.d/groups/browsers/firefox-crashreporter @@ -46,8 +46,8 @@ profile firefox-crashreporter @{exec_path} flags=(attach_disconnected) { /tmp/ r, /var/tmp/ r, - owner /tmp/@{hex}.{dmp,extra} rw, - owner /tmp/firefox/.parentlock w, + owner @{tmp}/@{hex}.{dmp,extra} rw, + owner @{tmp}/firefox/.parentlock w, owner /dev/shm/org.mozilla.ipc.@{int}.@{int} r, diff --git a/apparmor.d/groups/browsers/firefox-glxtest b/apparmor.d/groups/browsers/firefox-glxtest index b86b72a1..62338ee2 100644 --- a/apparmor.d/groups/browsers/firefox-glxtest +++ b/apparmor.d/groups/browsers/firefox-glxtest @@ -21,7 +21,7 @@ profile firefox-glxtest @{exec_path} flags=(attach_disconnected) { owner @{config_dirs}/firefox/*/.parentlock rw, - owner /tmp/@{name}/.parentlock rw, + owner @{tmp}/@{name}/.parentlock rw, owner @{PROC}/@{pid}/cmdline r, diff --git a/apparmor.d/groups/browsers/firefox-minidump-analyzer b/apparmor.d/groups/browsers/firefox-minidump-analyzer index e0634430..7c436755 100644 --- a/apparmor.d/groups/browsers/firefox-minidump-analyzer +++ b/apparmor.d/groups/browsers/firefox-minidump-analyzer @@ -34,8 +34,8 @@ profile firefox-minidump-analyzer @{exec_path} { owner @{cache_dirs}/firefox/*.*/startupCache/*Cache* r, - owner /tmp/@{hex}.{dmp,extra} rw, - owner /tmp/firefox/.parentlock w, + owner @{tmp}/@{hex}.{dmp,extra} rw, + owner @{tmp}/firefox/.parentlock w, owner /dev/shm/org.mozilla.ipc.@{int}.@{int} r, diff --git a/apparmor.d/groups/browsers/firefox-vaapitest b/apparmor.d/groups/browsers/firefox-vaapitest index ea61658a..deb2735c 100644 --- a/apparmor.d/groups/browsers/firefox-vaapitest 
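Review bot: The firefox hunk removes `owner /tmp/user/@{uid}/ rw,` and `owner /tmp/user/@{uid}/* rwk,` without a replacement of the same permissions: the closest new rule is `+ owner @{tmp}/* w,` and the only directory rule left is the literal `/tmp/ r,` context line. If `@{tmp}` expands to `/tmp/user/@{uid}/` as well (the x11-xsession hunk dropping `owner /tmp/user/@{uid}/tmp.@{rand10} rw,` suggests it does), read and lock access to files directly in that directory, and write access to the directory itself, are narrowed to write-only on its entries, unless an abstraction outside this hunk grants them. If the narrowing is intended, a short comment on the `@{tmp}/* w` line would make that explicit; otherwise the removed permissions should be restored as a separate rule rather than widened onto `@{tmp}/*`. The `# file downloads (to anywhere)` comment now also applies to every directory in `@{tmp}`, e.g. `# file downloads (any directory in @{tmp})`.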
+++ b/apparmor.d/groups/browsers/firefox-vaapitest @@ -20,7 +20,7 @@ profile firefox-vaapitest @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - owner /tmp/@{name}/.parentlock rw, + owner @{tmp}/@{name}/.parentlock rw, deny @{config_dirs}/firefox/*/.parentlock rw, deny @{config_dirs}/firefox/*/startupCache/** r, diff --git a/apparmor.d/groups/browsers/msedge b/apparmor.d/groups/browsers/msedge index bab7a965..d129fc19 100644 --- a/apparmor.d/groups/browsers/msedge +++ b/apparmor.d/groups/browsers/msedge @@ -34,8 +34,8 @@ profile msedge @{exec_path} { owner @{user_cache_dirs}/Microsoft/ rw, owner @{user_cache_dirs}/Microsoft/** rwk, - owner /tmp/.ses rw, - owner /tmp/cv_debug.log rw, + owner @{tmp}/.ses rw, + owner @{tmp}/cv_debug.log rw, include if exists } diff --git a/apparmor.d/groups/cron/cron b/apparmor.d/groups/cron/cron index 118e951e..5e8733b9 100644 --- a/apparmor.d/groups/cron/cron +++ b/apparmor.d/groups/cron/cron @@ -55,7 +55,7 @@ profile cron @{exec_path} flags=(attach_disconnected) { @{run}/systemd/sessions/*.ref rw, - owner /tmp/#@{int} rw, + owner @{tmp}/#@{int} rw, owner @{PROC}/@{pid}/uid_map r, owner @{PROC}/@{pid}/loginuid rw, @@ -71,7 +71,7 @@ profile cron @{exec_path} flags=(attach_disconnected) { /etc/cron.*/ r, /etc/cron.*/* rPUx, - owner /tmp/#@{int} rw, + owner @{tmp}/#@{int} rw, include if exists } diff --git a/apparmor.d/groups/cron/cron-apt b/apparmor.d/groups/cron/cron-apt index c2d80609..4b0e1c57 100644 --- a/apparmor.d/groups/cron/cron-apt +++ b/apparmor.d/groups/cron/cron-apt 
@@ -75,16 +75,16 @@ profile cron-apt @{exec_path} { # TMP /tmp/ r, - owner /tmp/cron-apt.*/ rw, - owner /tmp/cron-apt.*/difftemp rw, - owner /tmp/cron-apt.*/lockfile rw, - owner /tmp/cron-apt.*/initlog rw, - owner /tmp/cron-apt.*/status rw, - owner /tmp/cron-apt.*/run{log,error,mail,syslog} rw, - owner /tmp/cron-apt.*/action{log,error,mail,syslog} rw, + owner @{tmp}/cron-apt.*/ rw, + owner @{tmp}/cron-apt.*/difftemp rw, + owner @{tmp}/cron-apt.*/lockfile rw, + owner @{tmp}/cron-apt.*/initlog rw, + owner @{tmp}/cron-apt.*/status rw, + owner @{tmp}/cron-apt.*/run{log,error,mail,syslog} rw, + owner @{tmp}/cron-apt.*/action{log,error,mail,syslog} rw, # file_inherit - owner /tmp/#@{int} rw, + owner @{tmp}/#@{int} rw, include if exists } diff --git a/apparmor.d/groups/cron/cron-popularity-contest b/apparmor.d/groups/cron/cron-popularity-contest index 0a0d2840..aadae9bf 100644 --- a/apparmor.d/groups/cron/cron-popularity-contest +++ b/apparmor.d/groups/cron/cron-popularity-contest @@ -54,11 +54,11 @@ profile cron-popularity-contest @{exec_path} { /var/lib/popularity-contest/ rw, /var/lib/popularity-contest/lastsub rw, - owner /tmp/tmp.*/ rw, - owner /tmp/tmp.*/random_seed w, + owner @{tmp}/tmp.*/ rw, + owner @{tmp}/tmp.*/random_seed w, # file_inherit - owner /tmp/#@{int} rw, + owner @{tmp}/#@{int} rw, profile savelog { @@ -83,7 +83,7 @@ profile cron-popularity-contest @{exec_path} { /var/log/popularity-contest rw, # file_inherit - owner /tmp/#@{int} rw, + owner @{tmp}/#@{int} rw, } @@ -107,7 +107,7 @@ profile cron-popularity-contest @{exec_path} { /var/log/popularity-contest.new w, # file_inherit - owner /tmp/#@{int} rw, + owner @{tmp}/#@{int} rw, } @@ -124,10 +124,10 @@ profile cron-popularity-contest @{exec_path} { /var/log/popularity-contest.@{int} r, /var/log/popularity-contest.@{int}.gpg rw, - owner /tmp/tmp.*/** rwkl -> /tmp/tmp.*/**, + owner @{tmp}/tmp.*/** rwkl -> /tmp/tmp.*/**, # file_inherit - owner /tmp/#@{int} rw, + owner @{tmp}/#@{int} rw, } 
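Review bot: The link target in `+ owner @{tmp}/tmp.*/** rwkl -> /tmp/tmp.*/**,` (cron-popularity-contest, hunk at -124) still hard-codes `/tmp` while the source path uses `@{tmp}`, so once `@{tmp}` expands to a directory other than `/tmp` (the firefox and x11-xsession hunks dropping their `/tmp/user/@{uid}/` rules suggest it does) a link created inside that directory is denied even though plain rw access to the same files is granted. The target should use the same variable: `owner @{tmp}/tmp.*/** rwkl -> @{tmp}/tmp.*/**,`. The same source/target mismatch appears in polkit-kde-authentication-agent (`-> /tmp/#@{int}`), xorg (`-> /tmp/.tX@{int}-lock`), both gnome-software hunks and gpg (`-> /tmp/ostree-gpg-*/**`), gpg-connect-agent (`-> /tmp/*/.#lk0x@{hex}.*.@{pid}`), kconf_update and kded (`-> /tmp/#@{int}`). If leaving link targets on `/tmp` is deliberate, a one-line comment at the first such rule saying so would stop the next maintainer from "fixing" it.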
@@ -152,7 +152,7 @@ profile cron-popularity-contest @{exec_path} { /var/log/popularity-contest.@{int}.gpg r, # file_inherit - owner /tmp/#@{int} rw, + owner @{tmp}/#@{int} rw, } diff --git a/apparmor.d/groups/cron/crontab b/apparmor.d/groups/cron/crontab index 28f90614..86e19b93 100644 --- a/apparmor.d/groups/cron/crontab +++ b/apparmor.d/groups/cron/crontab @@ -30,7 +30,7 @@ profile crontab @{exec_path} { /var/spool/cron/crontabs/ rw, owner /var/spool/cron/crontabs/* rw, - owner /tmp/crontab.*/{,crontab} rw, + owner @{tmp}/crontab.*/{,crontab} rw, profile editor { @@ -51,7 +51,7 @@ profile crontab @{exec_path} { owner @{HOME}/.viminfo{,.tmp} rw, /tmp/ r, - owner /tmp/crontab.*/crontab rw, + owner @{tmp}/crontab.*/crontab rw, # file_inherit /etc/cron.{allow,deny} r, diff --git a/apparmor.d/groups/display-manager/x11-xsession b/apparmor.d/groups/display-manager/x11-xsession index 37d2d980..ad98cdef 100644 --- a/apparmor.d/groups/display-manager/x11-xsession +++ b/apparmor.d/groups/display-manager/x11-xsession @@ -65,9 +65,8 @@ profile x11-xsession @{exec_path} { owner @{HOME}/.xsession-errors w, - owner /tmp/file* rw, - owner /tmp/tmp.@{rand10} rw, - owner /tmp/user/@{uid}/tmp.@{rand10} rw, + owner @{tmp}/file* rw, + owner @{tmp}/tmp.@{rand10} rw, profile ssh-agent { include @@ -88,8 +87,8 @@ profile x11-xsession @{exec_path} { owner @{HOME}/.xsession-errors w, - owner /tmp/ssh-*/ rw, - owner /tmp/ssh-*/agent.* rw, + owner @{tmp}/ssh-*/ rw, + owner @{tmp}/ssh-*/agent.* rw, include if exists } diff --git a/apparmor.d/groups/display-manager/xdm-xsession b/apparmor.d/groups/display-manager/xdm-xsession index 53cab22f..11f829df 100644 --- a/apparmor.d/groups/display-manager/xdm-xsession +++ b/apparmor.d/groups/display-manager/xdm-xsession 
@@ -75,8 +75,8 @@ profile xdm-xsession @{exec_path} { @{run}/user/@{uid}/xauth_@{rand6} rl, - owner /tmp/ssh-*/ rw, - owner /tmp/ssh-*/agent.* rw, + owner @{tmp}/ssh-*/ rw, + owner @{tmp}/ssh-*/agent.* rw, @{PROC}/@{pids}/stat r, @{PROC}/@{pids}/statm r, diff --git a/apparmor.d/groups/freedesktop/accounts-daemon b/apparmor.d/groups/freedesktop/accounts-daemon index e36b4b21..616d7a1f 100644 --- a/apparmor.d/groups/freedesktop/accounts-daemon +++ b/apparmor.d/groups/freedesktop/accounts-daemon @@ -75,7 +75,7 @@ profile accounts-daemon @{exec_path} flags=(attach_disconnected) { # wtmp.d ? /var/log/wtmp r, - owner /tmp/gnome-control-center-user-icon-@{rand6} rw, + owner @{tmp}/gnome-control-center-user-icon-@{rand6} rw, include if exists } diff --git a/apparmor.d/groups/freedesktop/pipewire b/apparmor.d/groups/freedesktop/pipewire index 25785b33..29a8f790 100644 --- a/apparmor.d/groups/freedesktop/pipewire +++ b/apparmor.d/groups/freedesktop/pipewire @@ -49,7 +49,7 @@ profile pipewire @{exec_path} flags=(attach_disconnected) { owner @{user_config_dirs}/pipewire/{,**} r, - owner /tmp/librnnoise-@{int}.so rm, + owner @{tmp}/librnnoise-@{int}.so rm, owner @{run}/user/@{uid}/pipewire-@{int} rw, owner @{run}/user/@{uid}/pipewire-@{int}-manager.lock rwk, diff --git a/apparmor.d/groups/freedesktop/pipewire-pulse b/apparmor.d/groups/freedesktop/pipewire-pulse index 13331e33..dc4d6822 100644 --- a/apparmor.d/groups/freedesktop/pipewire-pulse +++ b/apparmor.d/groups/freedesktop/pipewire-pulse @@ -32,7 +32,7 @@ profile pipewire-pulse @{exec_path} flags=(attach_disconnected) { /.flatpak-info r, owner @{run}/user/@{uid}/pulse/pid w, - owner /tmp/librnnoise-@{int}.so rm, + owner @{tmp}/librnnoise-@{int}.so rm, @{sys}/devices/virtual/dmi/id/product_name r, @{sys}/devices/virtual/dmi/id/sys_vendor r, diff --git a/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent b/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent index 3e8f651c..82bc555d 100644 
--- a/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent +++ b/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent @@ -37,8 +37,8 @@ profile polkit-kde-authentication-agent @{exec_path} flags=(attach_disconnected) owner @{user_cache_dirs}/icon-cache.kcache rw, - owner /tmp/#@{int} rw, - owner /tmp/polkit-kde-authentication-agent-[0-9].* rwl -> /tmp/#@{int}, + owner @{tmp}/#@{int} rw, + owner @{tmp}/polkit-kde-authentication-agent-[0-9].* rwl -> /tmp/#@{int}, # owner /tmp/xauth_@{rand6} r, /dev/shm/#@{int} rw, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal index ceea47f3..ade5d9f9 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal @@ -83,7 +83,7 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { @{user_config_dirs}/kioslaverc r, - owner /tmp/icon* rw, + owner @{tmp}/icon* rw, owner @{run}/user/@{uid}/.flatpak/{,*/*} r, owner @{run}/user/@{uid}/pipewire-@{int} rw, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome index 1084a534..a8ff71d1 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome @@ -72,8 +72,8 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) { owner @{HOME}/*/{,**} rw, - owner /tmp/.goutputstream-@{rand6} rw, - owner /tmp/@{rand6} rw, + owner @{tmp}/.goutputstream-@{rand6} rw, + owner @{tmp}/@{rand6} rw, @{run}/mount/utab r, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk index 03d3bb35..2a2e07ca 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk 
@@ -62,7 +62,7 @@ profile xdg-desktop-portal-gtk @{exec_path} { owner @{HOME}/.icons/{,**} r, owner @{HOME}/@{XDG_DATA_DIR}/ r, - owner /tmp/runtime-*/xauth_@{rand6} r, + owner @{tmp}/runtime-*/xauth_@{rand6} r, @{run}/mount/utab r, @{run}/user/@{uid}/xauth_@{rand6} rl, diff --git a/apparmor.d/groups/freedesktop/xdg-icon-resource b/apparmor.d/groups/freedesktop/xdg-icon-resource index 912c1835..7959a4ea 100644 --- a/apparmor.d/groups/freedesktop/xdg-icon-resource +++ b/apparmor.d/groups/freedesktop/xdg-icon-resource @@ -33,7 +33,7 @@ profile xdg-icon-resource @{exec_path} flags=(attach_disconnected) { /usr/share/icons/*/.xdg-icon-resource-dummy rw, /usr/share/terminfo/** r, - owner /tmp/.com.google.Chrome.*/chrome-*.png r, + owner @{tmp}/.com.google.Chrome.*/chrome-*.png r, owner @{user_share_dirs}/icons/**/apps/chrome-*.png rw, owner @{user_share_dirs}/icons/**/.xdg-icon-resource-dummy rw, diff --git a/apparmor.d/groups/freedesktop/xdg-screensaver b/apparmor.d/groups/freedesktop/xdg-screensaver index af03c344..9b655a40 100644 --- a/apparmor.d/groups/freedesktop/xdg-screensaver +++ b/apparmor.d/groups/freedesktop/xdg-screensaver @@ -36,7 +36,7 @@ profile xdg-screensaver @{exec_path} { owner @{HOME}/ r, owner @{HOME}/.Xauthority r, - owner /tmp/xauth-@{int}-_[0-9] r, + owner @{tmp}/xauth-@{int}-_[0-9] r, owner @{run}/user/@{uid}/ r, diff --git a/apparmor.d/groups/freedesktop/xkbcomp b/apparmor.d/groups/freedesktop/xkbcomp index 2296787d..d55a3ac9 100644 --- a/apparmor.d/groups/freedesktop/xkbcomp +++ b/apparmor.d/groups/freedesktop/xkbcomp @@ -31,7 +31,7 @@ profile xkbcomp @{exec_path} flags=(attach_disconnected) { owner @{run}/user/@{uid}/server-@{int}.xkm rwk, - owner /tmp/server-@{int}.xkm rwk, + owner @{tmp}/server-@{int}.xkm rwk, /dev/dri/card@{int} rw, /dev/fb@{int} rw, diff --git a/apparmor.d/groups/freedesktop/xorg b/apparmor.d/groups/freedesktop/xorg index 7d9536f9..6de7b493 100644 --- a/apparmor.d/groups/freedesktop/xorg 
+++ b/apparmor.d/groups/freedesktop/xorg @@ -83,10 +83,10 @@ profile xorg @{exec_path} flags=(attach_disconnected) { /tmp/ r, /tmp/server-@{int}.xkm rw, - owner /tmp/.tX@{int}-lock rwk, - owner /tmp/.X@{int}-lock rwkl -> /tmp/.tX@{int}-lock, - owner /tmp/server-* rwk, - owner /tmp/serverauth.* r, + owner @{tmp}/.tX@{int}-lock rwk, + owner @{tmp}/.X@{int}-lock rwkl -> /tmp/.tX@{int}-lock, + owner @{tmp}/server-* rwk, + owner @{tmp}/serverauth.* r, @{sys}/bus/ r, @{sys}/bus/pci/devices/ r, diff --git a/apparmor.d/groups/freedesktop/xrdb b/apparmor.d/groups/freedesktop/xrdb index 50b79e33..0947721d 100644 --- a/apparmor.d/groups/freedesktop/xrdb +++ b/apparmor.d/groups/freedesktop/xrdb @@ -37,12 +37,12 @@ profile xrdb @{exec_path} { owner @{user_share_dirs}/sddm/wayland-session.log w, - owner /tmp/kcminit.* r, - owner /tmp/kded{5,6}.@{rand6} r, - owner /tmp/plasma-apply-lookandfeel.* r, - owner /tmp/runtime-*/xauth_@{rand6} r, - owner /tmp/startplasma-x11.@{rand6} r, - owner /tmp/xauth-@{int}-_[0-9] r, + owner @{tmp}/kcminit.* r, + owner @{tmp}/kded{5,6}.@{rand6} r, + owner @{tmp}/plasma-apply-lookandfeel.* r, + owner @{tmp}/runtime-*/xauth_@{rand6} r, + owner @{tmp}/startplasma-x11.@{rand6} r, + owner @{tmp}/xauth-@{int}-_[0-9] r, @{run}/sddm/\{@{uuid}\} r, @{run}/sddm/xauth_@{rand6} r, diff --git a/apparmor.d/groups/freedesktop/xsetroot b/apparmor.d/groups/freedesktop/xsetroot index 31851f76..4564617e 100644 --- a/apparmor.d/groups/freedesktop/xsetroot +++ b/apparmor.d/groups/freedesktop/xsetroot @@ -29,7 +29,7 @@ profile xsetroot @{exec_path} { owner @{user_share_dirs}/sddm/xorg-session.log w, owner @{user_share_dirs}/sddm/wayland-session.log w, - owner /tmp/xauth_@{rand6} r, + owner @{tmp}/xauth_@{rand6} r, @{run}/sddm/\{@{uuid}\} r, @{run}/user/@{uid}/xauth_@{rand6} rl, diff --git a/apparmor.d/groups/freedesktop/xwayland b/apparmor.d/groups/freedesktop/xwayland index fd25c221..9d457e88 100644 --- a/apparmor.d/groups/freedesktop/xwayland 
+++ b/apparmor.d/groups/freedesktop/xwayland @@ -26,7 +26,7 @@ profile xwayland @{exec_path} flags=(attach_disconnected) { /usr/share/fonts/{,**} r, /usr/share/ghostscript/fonts/{,**} r, - owner /tmp/server-@{int}.xkm rwk, + owner @{tmp}/server-@{int}.xkm rwk, owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} rw, owner @{run}/user/@{uid}/server-@{int}.xkm rw, owner @{run}/user/@{uid}/xwayland-shared-@{rand6} rw, diff --git a/apparmor.d/groups/gnome/epiphany-search-provider b/apparmor.d/groups/gnome/epiphany-search-provider index a67dc3c5..7b840bd7 100644 --- a/apparmor.d/groups/gnome/epiphany-search-provider +++ b/apparmor.d/groups/gnome/epiphany-search-provider @@ -31,8 +31,8 @@ profile epiphany-search-provider @{exec_path} { owner @{user_cache_dirs}/epiphany/{,**} rwk, owner @{user_share_dirs}/epiphany/{,**} rwk, - owner /tmp/ContentRuleList@{rand6} rw, - owner /tmp/Serialized* rw, + owner @{tmp}/ContentRuleList@{rand6} rw, + owner @{tmp}/Serialized* rw, @{sys}/devices/virtual/dmi/id/chassis_type r, @{sys}/firmware/acpi/pm_profile r, diff --git a/apparmor.d/groups/gnome/gdm-xsession b/apparmor.d/groups/gnome/gdm-xsession index 174fda70..5c26437a 100644 --- a/apparmor.d/groups/gnome/gdm-xsession +++ b/apparmor.d/groups/gnome/gdm-xsession @@ -59,7 +59,7 @@ profile gdm-xsession @{exec_path} { /etc/default/im-config r, /etc/X11/{,**} r, - owner /tmp/gdm{3,}-config-err-@{rand6} rw, + owner @{tmp}/gdm{3,}-config-err-@{rand6} rw, /dev/tty@{int} rw, diff --git a/apparmor.d/groups/gnome/gio-launch-desktop b/apparmor.d/groups/gnome/gio-launch-desktop index 41a84cbc..ee5adbae 100644 --- a/apparmor.d/groups/gnome/gio-launch-desktop +++ b/apparmor.d/groups/gnome/gio-launch-desktop @@ -26,7 +26,7 @@ profile gio-launch-desktop @{exec_path} flags=(attach_disconnected) { owner @{HOME}/{,**} rw, - owner /tmp/wl-copy-buffer-@{rand6}/stdin r, + owner @{tmp}/wl-copy-buffer-@{rand6}/stdin r, @{run}/mount/utab r, 
diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index 6897a11d..531a3273 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center @@ -127,7 +127,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { owner @{user_share_dirs}/gnome-remote-desktop/rdp-tls.{crt,key}{,.@{rand6}} rw, owner @{user_share_dirs}/icc/{,edid-*} r, - owner /tmp/gdkpixbuf-xpm-tmp.@{rand6} rw, + owner @{tmp}/gdkpixbuf-xpm-tmp.@{rand6} rw, @{run}/cups/cups.sock rw, @{run}/samba/ rw, diff --git a/apparmor.d/groups/gnome/gnome-desktop-thumbnailers b/apparmor.d/groups/gnome/gnome-desktop-thumbnailers index 6c3b0b15..dbb14921 100644 --- a/apparmor.d/groups/gnome/gnome-desktop-thumbnailers +++ b/apparmor.d/groups/gnome/gnome-desktop-thumbnailers @@ -22,10 +22,10 @@ profile gnome-desktop-thumbnailers flags=(attach_disconnected) { owner @{user_cache_dirs}/gnome-desktop-thumbnailer/{,**} rw, - owner /tmp/flatpak-seccomp-@{rand6} rw, - owner /tmp/gnome-desktop-file-to-thumbnail.* r, - owner /tmp/gnome-desktop-thumbnailer.png w, - owner /tmp/gsf-thumbnailer-@{rand6} rw, + owner @{tmp}/flatpak-seccomp-@{rand6} rw, + owner @{tmp}/gnome-desktop-file-to-thumbnail.* r, + owner @{tmp}/gnome-desktop-thumbnailer.png w, + owner @{tmp}/gsf-thumbnailer-@{rand6} rw, include if exists } \ No newline at end of file diff --git a/apparmor.d/groups/gnome/gnome-disk-image-mounter b/apparmor.d/groups/gnome/gnome-disk-image-mounter index c30712f9..94be9636 100644 --- a/apparmor.d/groups/gnome/gnome-disk-image-mounter +++ b/apparmor.d/groups/gnome/gnome-disk-image-mounter @@ -18,7 +18,7 @@ profile gnome-disk-image-mounter @{exec_path} { # Allow to mount user files owner @{HOME}/{,**} r, owner @{MOUNTS}/{,**} r, - owner /tmp/*/{,**} r, + owner @{tmp}/*/{,**} r, @{run}/mount/utab r, diff --git a/apparmor.d/groups/gnome/gnome-music b/apparmor.d/groups/gnome/gnome-music index bdf96a84..f22cde87 100644 
--- a/apparmor.d/groups/gnome/gnome-music +++ b/apparmor.d/groups/gnome/gnome-music @@ -47,7 +47,7 @@ profile gnome-music @{exec_path} flags=(attach_disconnected) { @{run}/systemd/inhibit/[0-9]*.ref rw, - owner /tmp/grilo-plugin-cache-[0-9A-Z]*/ rw, + owner @{tmp}/grilo-plugin-cache-[0-9A-Z]*/ rw, owner /var/tmp/etilqs_@{hex} rw, @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r, diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 8c69b6ac..cf93ebae 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -285,8 +285,8 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { /tmp/.X@{int}-lock rw, /tmp/dbus-@{rand8} rw, - owner /tmp/@{rand6}.shell-extension.zip rw, - owner /tmp/gdkpixbuf-xpm-tmp.@{rand6} rw, + owner @{tmp}/@{rand6}.shell-extension.zip rw, + owner @{tmp}/gdkpixbuf-xpm-tmp.@{rand6} rw, @{run}/systemd/users/@{uid} r, @{run}/systemd/seats/seat@{int} r, diff --git a/apparmor.d/groups/gnome/gnome-software b/apparmor.d/groups/gnome/gnome-software index 362d1171..7029d834 100644 --- a/apparmor.d/groups/gnome/gnome-software +++ b/apparmor.d/groups/gnome/gnome-software @@ -86,9 +86,9 @@ profile gnome-software @{exec_path} { owner @{user_share_dirs}/flatpak/repo/** rwl -> @{user_share_dirs}/flatpak/repo/**, owner @{user_share_dirs}/gnome-software/{,**} rw, - owner /tmp/ostree-gpg-*/ rw, - owner /tmp/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**, - owner /tmp/#@{int} rw, + owner @{tmp}/ostree-gpg-*/ rw, + owner @{tmp}/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**, + owner @{tmp}/#@{int} rw, owner @{run}/user/@{uid}/.dbus-proxy/ rw, owner @{run}/user/@{uid}/.dbus-proxy/a11y-bus-proxy-@{rand6} rw, 
@@ -121,8 +121,8 @@ profile gnome-software @{exec_path} { @{HOME}/@{XDG_GPG_DIR}/*.conf r, - owner /tmp/ostree-gpg-*/ r, - owner /tmp/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**, + owner @{tmp}/ostree-gpg-*/ r, + owner @{tmp}/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**, owner @{run}/user/@{uid}/gnupg/ w, diff --git a/apparmor.d/groups/gnome/gnome-terminal-server b/apparmor.d/groups/gnome/gnome-terminal-server index 67d9d7c8..4ef3dcfd 100644 --- a/apparmor.d/groups/gnome/gnome-terminal-server +++ b/apparmor.d/groups/gnome/gnome-terminal-server @@ -56,7 +56,7 @@ profile gnome-terminal-server @{exec_path} { owner @{user_config_dirs}/ibus/bus/ r, owner @{user_config_dirs}/ibus/bus/@{hex32}-unix-{,wayland-}@{int} r, - owner /tmp/#@{int} rw, + owner @{tmp}/#@{int} rw, @{PROC}/@{pids}/cmdline r, @{PROC}/@{pids}/cgroup r, diff --git a/apparmor.d/groups/gnome/kgx b/apparmor.d/groups/gnome/kgx index 82dfac0d..e8c7b0f8 100644 --- a/apparmor.d/groups/gnome/kgx +++ b/apparmor.d/groups/gnome/kgx @@ -32,7 +32,7 @@ profile kgx @{exec_path} { @{open_path} rPx -> child-open-help, - owner /tmp/#@{int} rw, + owner @{tmp}/#@{int} rw, @{PROC}/ r, @{PROC}/@{pids}/cmdline r, diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus index 0e9ace3b..8d9c643e 100644 --- a/apparmor.d/groups/gnome/nautilus +++ b/apparmor.d/groups/gnome/nautilus @@ -92,7 +92,7 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { @{MOUNTS}/** rw, owner @{HOME}/{,**} rw, owner @{run}/user/@{uid}/{,**} rw, - owner /tmp/{,**} rw, + owner @{tmp}/{,**} rw, # Silence non user's data deny /boot/{,**} r, diff --git a/apparmor.d/groups/gnome/tracker-extract b/apparmor.d/groups/gnome/tracker-extract index 92a22c60..d9bd673b 100644 --- a/apparmor.d/groups/gnome/tracker-extract +++ b/apparmor.d/groups/gnome/tracker-extract 
@@ -63,13 +63,13 @@ profile tracker-extract @{exec_path} flags=(attach_disconnected) { # Allow to search user files owner @{HOME}/{,**} r, owner @{MOUNTS}/{,**} r, - owner /tmp/*/{,**} r, + owner @{tmp}/*/{,**} r, owner @{user_cache_dirs}/tracker3/ w, owner @{user_cache_dirs}/tracker3/files/{,**} rwk, owner @{user_share_dirs}/gvfs-metadata/** r, - owner /tmp/tracker-extract-3-files.*/{,*} rw, + owner @{tmp}/tracker-extract-3-files.*/{,*} rw, @{run}/blkid/blkid.tab r, diff --git a/apparmor.d/groups/gnome/tracker-miner b/apparmor.d/groups/gnome/tracker-miner index d78217b3..c6fd38ed 100644 --- a/apparmor.d/groups/gnome/tracker-miner +++ b/apparmor.d/groups/gnome/tracker-miner @@ -70,7 +70,7 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) { # Allow to search user files owner @{HOME}/{,**} r, owner @{MOUNTS}/{,**} r, - owner /tmp/*/{,**} r, + owner @{tmp}/*/{,**} r, owner @{user_cache_dirs}/tracker3/ rw, owner @{user_cache_dirs}/tracker3/files/{,**} rwk, diff --git a/apparmor.d/groups/gpg/gpg b/apparmor.d/groups/gpg/gpg index 2be51ff5..35fce836 100644 --- a/apparmor.d/groups/gpg/gpg +++ b/apparmor.d/groups/gpg/gpg @@ -55,10 +55,10 @@ profile gpg @{exec_path} { owner /var/tmp/zypp.@{rand6}/** rwkl -> /var/tmp/zypp.@{rand6}/**, #aa:exclude ubuntu - owner /tmp/ostree-gpg-*/ r, - owner /tmp/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**, + owner @{tmp}/ostree-gpg-*/ r, + owner @{tmp}/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**, - owner /tmp/tmp.[a-zA-Z0-9]* rw, + owner @{tmp}/tmp.[a-zA-Z0-9]* rw, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, diff --git a/apparmor.d/groups/gpg/gpg-agent b/apparmor.d/groups/gpg/gpg-agent index d600d3c1..109395ee 100644 --- a/apparmor.d/groups/gpg/gpg-agent +++ b/apparmor.d/groups/gpg/gpg-agent 
@@ -75,11 +75,11 @@ profile gpg-agent @{exec_path} { owner /var/tmp/zypp.*/{,*/}private-keys-v1.d/@{hex}.key rw, owner /var/tmp/zypp.*/{,*/}S.gpg-agent{,.ssh,.browser,.extra} rw, - owner /tmp/tmp.*/gnupg/ rw, - owner /tmp/tmp.*/gnupg/private-keys-v1.d/ rw, - owner /tmp/tmp.*/gnupg/private-keys-v1.d/@{hex}.key rw, - owner /tmp/tmp.*/gnupg/{,d.*/}S.gpg-agent rw, - owner /tmp/tmp.*/gnupg/sshcontrol r, + owner @{tmp}/tmp.*/gnupg/ rw, + owner @{tmp}/tmp.*/gnupg/private-keys-v1.d/ rw, + owner @{tmp}/tmp.*/gnupg/private-keys-v1.d/@{hex}.key rw, + owner @{tmp}/tmp.*/gnupg/{,d.*/}S.gpg-agent rw, + owner @{tmp}/tmp.*/gnupg/sshcontrol r, @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/groups/gpg/gpg-connect-agent b/apparmor.d/groups/gpg/gpg-connect-agent index 4582af93..ed938177 100644 --- a/apparmor.d/groups/gpg/gpg-connect-agent +++ b/apparmor.d/groups/gpg/gpg-connect-agent @@ -22,9 +22,9 @@ profile gpg-connect-agent @{exec_path} { owner @{run}/user/@{uid}/gnupg/d.*/ rw, - owner /tmp/tmp.*/.#lk0x@{hex}.*.@{pid} rw, - owner /tmp/tmp.*/.#lk0x@{hex}.*.@{pid}x rwl -> /tmp/*/.#lk0x@{hex}.*.@{pid}, - owner /tmp/tmp.*/gnupg_spawn_agent_sentinel.lock rwl -> /tmp/*/.#lk0x@{hex}.*.@{pid}, + owner @{tmp}/tmp.*/.#lk0x@{hex}.*.@{pid} rw, + owner @{tmp}/tmp.*/.#lk0x@{hex}.*.@{pid}x rwl -> /tmp/*/.#lk0x@{hex}.*.@{pid}, + owner @{tmp}/tmp.*/gnupg_spawn_agent_sentinel.lock rwl -> /tmp/*/.#lk0x@{hex}.*.@{pid}, include if exists } diff --git a/apparmor.d/groups/grub/grub-check-signatures b/apparmor.d/groups/grub/grub-check-signatures index f34135c8..a88c075e 100644 --- a/apparmor.d/groups/grub/grub-check-signatures +++ b/apparmor.d/groups/grub/grub-check-signatures @@ -22,7 +22,7 @@ profile grub-check-signatures @{exec_path} { /usr/share/debconf/confmodule r, - owner /tmp/tmp.*/ rw, + owner @{tmp}/tmp.*/ rw, include if exists } \ No newline at end of file diff --git a/apparmor.d/groups/kde/baloo b/apparmor.d/groups/kde/baloo index 2f3d0ea8..81cb07fb 100644 --- a/apparmor.d/groups/kde/baloo 
+++ b/apparmor.d/groups/kde/baloo @@ -33,7 +33,7 @@ profile baloo @{exec_path} { # Allow to search user files owner @{HOME}/{,**} r, owner @{MOUNTS}/{,**} r, - owner /tmp/*/{,**} r, + owner @{tmp}/*/{,**} r, owner @{user_config_dirs}/#@{int} rw, owner @{user_config_dirs}/baloofilerc rwl, diff --git a/apparmor.d/groups/kde/dolphin b/apparmor.d/groups/kde/dolphin index 7883ee7c..b22386b5 100644 --- a/apparmor.d/groups/kde/dolphin +++ b/apparmor.d/groups/kde/dolphin @@ -54,7 +54,7 @@ profile dolphin @{exec_path} { @{MOUNTS}/** rw, owner @{HOME}/{,**} rw, owner @{run}/user/@{uid}/{,**} rw, - owner /tmp/{,**} rw, + owner @{tmp}/{,**} rw, # Silence non user's data deny /boot/{,**} r, diff --git a/apparmor.d/groups/kde/kcminit b/apparmor.d/groups/kde/kcminit index 0977dbe4..bec3e445 100644 --- a/apparmor.d/groups/kde/kcminit +++ b/apparmor.d/groups/kde/kcminit @@ -32,11 +32,11 @@ profile kcminit @{exec_path} { owner @{user_config_dirs}/Trolltech.conf.lock rwk, owner @{user_config_dirs}/Trolltech.conf{,.@{rand6}} rwl, - owner /tmp/#@{int} rw, - owner /tmp/kcminit.@{rand6} rwl, + owner @{tmp}/#@{int} rw, + owner @{tmp}/kcminit.@{rand6} rwl, - owner /tmp/.touchpaddefaults wl, - owner /tmp/.touchpaddefaults.lock rwk, + owner @{tmp}/.touchpaddefaults wl, + owner @{tmp}/.touchpaddefaults.lock rwk, @{run}/user/@{uid}/xauth_@{rand6} rl, diff --git a/apparmor.d/groups/kde/kconf_update b/apparmor.d/groups/kde/kconf_update index 0d12ba6c..3294b1c5 100644 --- a/apparmor.d/groups/kde/kconf_update +++ b/apparmor.d/groups/kde/kconf_update 
@@ -91,9 +91,9 @@ profile kconf_update @{exec_path} {
 owner @{user_share_dirs}/krunnerstaterc.lock rwk,
 owner @{user_share_dirs}/krunnerstaterc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
- owner /tmp/#@{int} rw,
- owner /tmp/kconf_update.@{rand6}.lock rwk,
- owner /tmp/kconf_update.@{rand6}{,.@{rand6}} rwl -> /tmp/#@{int},
+ owner @{tmp}/#@{int} rw,
+ owner @{tmp}/kconf_update.@{rand6}.lock rwk,
+ owner @{tmp}/kconf_update.@{rand6}{,.@{rand6}} rwl -> /tmp/#@{int},
 @{sys}/devices/system/node/ r,
 @{sys}/devices/system/node/node@{int}/meminfo r,
diff --git a/apparmor.d/groups/kde/kded b/apparmor.d/groups/kde/kded
index 76330e00..9da20954 100644
--- a/apparmor.d/groups/kde/kded
+++ b/apparmor.d/groups/kde/kded
@@ -156,9 +156,9 @@ profile kded @{exec_path} {
 owner @{run}/user/@{uid}/#@{int} rw,
 owner @{run}/user/@{uid}/kded{5,6}*kioworker.socket rwl,
- owner /tmp/#@{int} rw,
- owner /tmp/kded6.@{rand6} rwl -> /tmp/#@{int},
- owner /tmp/plasma-csd-generator.@{rand6}/{,**} rw,
+ owner @{tmp}/#@{int} rw,
+ owner @{tmp}/kded6.@{rand6} rwl -> /tmp/#@{int},
+ owner @{tmp}/plasma-csd-generator.@{rand6}/{,**} rw,
 @{PROC}/ r,
 @{PROC}/@{pids}/cmdline/ r,
diff --git a/apparmor.d/groups/kde/kioworker b/apparmor.d/groups/kde/kioworker
index 4df7beae..3e8d2a59 100644
--- a/apparmor.d/groups/kde/kioworker
+++ b/apparmor.d/groups/kde/kioworker
@@ -60,7 +60,7 @@ profile kioworker @{exec_path} {
 @{MOUNTS}/** rw,
 owner @{HOME}/{,**} rw,
 owner @{run}/user/@{uid}/{,**} rw,
- owner /tmp/{,**} rw,
+ owner @{tmp}/{,**} rw,
 # Silence non user's data
 deny /boot/{,**} r,
@@ -86,7 +86,7 @@ profile kioworker @{exec_path} {
 owner @{user_share_dirs}/kactivitymanagerd/resources/database-wal rw,
 owner @{user_share_dirs}/kservices{5,6}/{,**} r,
- owner /tmp/#@{int} rw,
+ owner @{tmp}/#@{int} rw,
 @{run}/mount/utab r,
 owner @{run}/user/@{uid}/#@{int} rw,
diff --git a/apparmor.d/groups/kde/konsole b/apparmor.d/groups/kde/konsole
index 1e1043cf..45cb52cf 100644
--- a/apparmor.d/groups/kde/konsole
+++ b/apparmor.d/groups/kde/konsole
@@ -59,8 +59,8 @@ profile konsole @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 owner @{user_share_dirs}/konsole/** rwlk,
 owner @{user_share_dirs}/kxmlgui5/konsole/{,**} r,
- owner /tmp/#@{int} rw,
- owner /tmp/konsole.@{rand6} rw,
+ owner @{tmp}/#@{int} rw,
+ owner @{tmp}/konsole.@{rand6} rw,
 @{PROC}/sys/kernel/core_pattern r,
 @{PROC}/@{pid}/cmdline r,
diff --git a/apparmor.d/groups/kde/kscreenlocker_greet b/apparmor.d/groups/kde/kscreenlocker_greet
index b2fe6006..17eaa8e8 100644
--- a/apparmor.d/groups/kde/kscreenlocker_greet
+++ b/apparmor.d/groups/kde/kscreenlocker_greet
@@ -91,7 +91,7 @@ profile kscreenlocker_greet @{exec_path} {
 deny owner @{HOME}/#@{int} mrw,
 owner @{HOME}/.glvnd* mrw,
- owner /tmp/*-cover-*.{jpg,png} r,
+ owner @{tmp}/*-cover-*.{jpg,png} r,
 @{run}/faillock/[a-zA-z0-9]* rwk,
diff --git a/apparmor.d/groups/kde/ksmserver b/apparmor.d/groups/kde/ksmserver
index 4ae409ec..cdceeb39 100644
--- a/apparmor.d/groups/kde/ksmserver
+++ b/apparmor.d/groups/kde/ksmserver
@@ -62,7 +62,7 @@ profile ksmserver @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 owner @{user_share_dirs}/kservices{5,6}/ r,
 owner @{user_share_dirs}/kservices{5,6}/ServiceMenus/ r,
- owner /tmp/@{rand6} rw,
+ owner @{tmp}/@{rand6} rw,
 @{run}/systemd/inhibit/[0-9]*.ref rw,
 owner @{run}/user/@{uid}/KSMserver__[0-9] rw,
diff --git a/apparmor.d/groups/kde/kwalletd b/apparmor.d/groups/kde/kwalletd
index eb36bd8a..5aa42fb3 100644
--- a/apparmor.d/groups/kde/kwalletd
+++ b/apparmor.d/groups/kde/kwalletd
@@ -41,7 +41,7 @@ profile kwalletd @{exec_path} {
 owner @{user_share_dirs}/kwalletd/ rw,
 owner @{user_share_dirs}/kwalletd/** rwkl -> @{user_share_dirs}/kwalletd/#@{int},
- owner /tmp/kwalletd5.* rw,
+ owner @{tmp}/kwalletd5.* rw,
 @{PROC}/sys/kernel/core_pattern r,
 owner @{PROC}/@{pid}/cmdline r,
diff --git a/apparmor.d/groups/kde/kwin_x11 b/apparmor.d/groups/kde/kwin_x11
index d7db0a64..cd43b074 100644
--- a/apparmor.d/groups/kde/kwin_x11
+++ b/apparmor.d/groups/kde/kwin_x11
@@ -56,8 +56,8 @@ profile kwin_x11 @{exec_path} {
 owner @{user_config_dirs}/session/kwin_* rwk,
 owner @{user_config_dirs}/plasmarc r,
 owner @{user_config_dirs}/session/#@{int} rw,
- owner /tmp/#@{int} rw,
- owner /tmp/kwin.@{rand6} rwl,
+ owner @{tmp}/#@{int} rw,
+ owner @{tmp}/kwin.@{rand6} rwl,
 owner @{run}/user/@{uid}/kcrash_@{int} rw,
diff --git a/apparmor.d/groups/kde/okular b/apparmor.d/groups/kde/okular
index fa00bcc1..71a982ca 100644
--- a/apparmor.d/groups/kde/okular
+++ b/apparmor.d/groups/kde/okular
@@ -45,8 +45,8 @@ profile okular @{exec_path} {
 owner @{user_cache_dirs}/okular/{,**} rw,
- owner /tmp/#@{int} rw,
- owner /tmp/okular_@{rand6}.ps rwl -> /tmp/#@{int},
+ owner @{tmp}/#@{int} rw,
+ owner @{tmp}/okular_@{rand6}.ps rwl -> /tmp/#@{int},
 @{PROC}/sys/kernel/core_pattern r,
diff --git a/apparmor.d/groups/kde/plasma-discover b/apparmor.d/groups/kde/plasma-discover
index c06c3c18..6b8269b4 100644
--- a/apparmor.d/groups/kde/plasma-discover
+++ b/apparmor.d/groups/kde/plasma-discover
@@ -83,11 +83,11 @@ profile plasma-discover @{exec_path} {
 owner @{user_share_dirs}/kwin/ rw,
 owner @{user_share_dirs}/kwin/** rwlk -> @{user_share_dirs}/kwin/**,
- owner /tmp/*.kwinscript rwl -> /tmp/#@{int},
- owner /tmp/#@{int} rw,
- owner /tmp/discover-@{rand6}/{,**} rw,
- owner /tmp/ostree-gpg-*/ rw,
- owner /tmp/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**,
+ owner @{tmp}/*.kwinscript rwl -> /tmp/#@{int},
+ owner @{tmp}/#@{int} rw,
+ owner @{tmp}/discover-@{rand6}/{,**} rw,
+ owner @{tmp}/ostree-gpg-*/ rw,
+ owner @{tmp}/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**,
 owner @{run}/user/@{uid}/.flatpak-cache rw,
 owner @{run}/user/@{uid}/.flatpak/{,**} rw,
@@ -109,8 +109,8 @@ profile plasma-discover @{exec_path} {
 @{HOME}/@{XDG_GPG_DIR}/*.conf r,
- owner /tmp/ostree-gpg-*/ r,
- owner /tmp/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**,
+ owner @{tmp}/ostree-gpg-*/ r,
+ owner @{tmp}/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**,
 include if exists
 }
diff --git a/apparmor.d/groups/kde/plasmashell b/apparmor.d/groups/kde/plasmashell
index b4847565..b67f69f6 100644
--- a/apparmor.d/groups/kde/plasmashell
+++ b/apparmor.d/groups/kde/plasmashell
@@ -166,7 +166,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
 owner @{user_share_dirs}/user-places.xbel{,*} rwl,
 /tmp/.mount_nextcl@{rand6}/{,*} r,
- owner /tmp/#@{int} rw,
+ owner @{tmp}/#@{int} rw,
 @{run}/mount/utab r,
 @{run}/user/@{uid}/gvfs/ r,
diff --git a/apparmor.d/groups/kde/sddm b/apparmor.d/groups/kde/sddm
index 3a297730..3939eeb9 100644
--- a/apparmor.d/groups/kde/sddm
+++ b/apparmor.d/groups/kde/sddm
@@ -168,9 +168,9 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 /tmp/sddm-* rw,
 /tmp/xauth_@{rand6} rwl -> /tmp/#@{int},
- owner /tmp/*/{,s} rw,
- owner /tmp/#@{int} rw,
- owner /tmp/sddm-auth* rw,
+ owner @{tmp}/*/{,s} rw,
+ owner @{tmp}/#@{int} rw,
+ owner @{tmp}/sddm-auth* rw,
 @{run}/faillock/[a-zA-z0-9]* rwk,
 @{run}/sddm.pid rw,
diff --git a/apparmor.d/groups/kde/sddm-greeter b/apparmor.d/groups/kde/sddm-greeter
index 1944a52f..eb894313 100644
--- a/apparmor.d/groups/kde/sddm-greeter
+++ b/apparmor.d/groups/kde/sddm-greeter
@@ -63,8 +63,8 @@ profile sddm-greeter @{exec_path} {
 deny owner @{HOME}/#@{int} mrw,
 owner @{HOME}/.glvnd* mrw,
- owner /tmp/runtime-sddm/ rw,
- owner /tmp/sddm-:@{int}-@{rand6} rw,
+ owner @{tmp}/runtime-sddm/ rw,
+ owner @{tmp}/sddm-:@{int}-@{rand6} rw,
 owner @{run}/sddm/{,*} rw,
diff --git a/apparmor.d/groups/kde/sddm-xsession b/apparmor.d/groups/kde/sddm-xsession
index b02f3f5b..000799fa 100644
--- a/apparmor.d/groups/kde/sddm-xsession
+++ b/apparmor.d/groups/kde/sddm-xsession
@@ -61,8 +61,8 @@ profile sddm-xsession @{exec_path} {
 owner @{user_share_dirs}/sddm/xorg-session.log w,
- owner /tmp/xsess-env-* rw,
- owner /tmp/file* rw,
+ owner @{tmp}/xsess-env-* rw,
+ owner @{tmp}/file* rw,
 owner @{PROC}/@{pid}/loginuid r,
diff --git a/apparmor.d/groups/kde/startplasma b/apparmor.d/groups/kde/startplasma
index 6a95d46c..8dfc1a22 100644
--- a/apparmor.d/groups/kde/startplasma
+++ b/apparmor.d/groups/kde/startplasma
@@ -64,8 +64,8 @@ profile startplasma @{exec_path} {
 owner @{user_share_dirs}/sddm/wayland-session.log rw,
 owner @{user_share_dirs}/sddm/xorg-session.log rw,
- owner /tmp/#@{int} rw,
- owner /tmp/startplasma-{x11,wayland}.@{rand6} rwl -> /tmp/#@{int},
+ owner @{tmp}/#@{int} rw,
+ owner @{tmp}/startplasma-{x11,wayland}.@{rand6} rwl -> /tmp/#@{int},
 owner @{run}/user/@{uid}/ r,
diff --git a/apparmor.d/groups/kde/xembedsniproxy b/apparmor.d/groups/kde/xembedsniproxy
index cc96b067..b7db4114 100644
--- a/apparmor.d/groups/kde/xembedsniproxy
+++ b/apparmor.d/groups/kde/xembedsniproxy
@@ -18,7 +18,7 @@ profile xembedsniproxy @{exec_path} {
 /usr/share/hwdata/*.ids r,
 /usr/share/icu/@{int}.@{int}/*.dat r,
- owner /tmp/xauth_@{rand6} r,
+ owner @{tmp}/xauth_@{rand6} r,
 @{run}/user/@{uid}/xauth_@{rand6} rl,
diff --git a/apparmor.d/groups/kde/xsettingsd b/apparmor.d/groups/kde/xsettingsd
index c8cf1d5d..9c84c2bc 100644
--- a/apparmor.d/groups/kde/xsettingsd
+++ b/apparmor.d/groups/kde/xsettingsd
@@ -16,7 +16,7 @@ profile xsettingsd @{exec_path} {
 owner @{user_config_dirs}/xsettingsd/{,**} rw,
- owner /tmp/xauth_@{rand6} r,
+ owner @{tmp}/xauth_@{rand6} r,
 owner @{run}/user/@{uid}/xauth_@{rand6} rl,
diff --git a/apparmor.d/groups/network/mullvad-daemon b/apparmor.d/groups/network/mullvad-daemon
index 83721600..7ba42ab0 100644
--- a/apparmor.d/groups/network/mullvad-daemon
+++ b/apparmor.d/groups/network/mullvad-daemon
@@ -57,8 +57,8 @@ profile mullvad-daemon @{exec_path} flags=(attach_disconnected) {
 @{sys}/fs/cgroup/net_cls/mullvad-exclusions/net_cls.classid rw,
 @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
- owner /tmp/@{uuid} rw,
- owner /tmp/talpid-openvpn-@{uuid} rw,
+ owner @{tmp}/@{uuid} rw,
+ owner @{tmp}/talpid-openvpn-@{uuid} rw,
 owner @{PROC}/@{pid}/mounts r,
 owner @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r,
diff --git a/apparmor.d/groups/network/mullvad-gui b/apparmor.d/groups/network/mullvad-gui
index 86f11b55..2ba5ee9a 100644
--- a/apparmor.d/groups/network/mullvad-gui
+++ b/apparmor.d/groups/network/mullvad-gui
@@ -30,7 +30,7 @@ profile mullvad-gui @{exec_path} flags=(attach_disconnected) {
 owner @{user_cache_dirs}/dconf/user rw,
- owner /tmp/.org.chromium.Chromium.@{rand6}/@{name}*.png rw,
+ owner @{tmp}/.org.chromium.Chromium.@{rand6}/@{name}*.png rw,
 @{run}/systemd/inhibit/*.ref rw,
diff --git a/apparmor.d/groups/pacman/aurpublish b/apparmor.d/groups/pacman/aurpublish
index 511d7604..1a3a6ec4 100644
--- a/apparmor.d/groups/pacman/aurpublish
+++ b/apparmor.d/groups/pacman/aurpublish
@@ -55,7 +55,7 @@ profile aurpublish @{exec_path} {
 owner @{user_cache_dirs}/makepkg/src/* rw,
 owner @{user_config_dirs}/pacman/makepkg.conf r,
- owner /tmp/tmp.* rw,
+ owner @{tmp}/tmp.* rw,
 owner @{PROC}/@{pid}/maps r,
diff --git a/apparmor.d/groups/pacman/mkinitcpio b/apparmor.d/groups/pacman/mkinitcpio
index 960b8779..ba8f69d4 100644
--- a/apparmor.d/groups/pacman/mkinitcpio
+++ b/apparmor.d/groups/pacman/mkinitcpio
@@ -107,8 +107,8 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) {
 # Temp files
 owner @{run}/initramfs/{,**} rw,
 owner @{run}/mkinitcpio.@{rand6}/{,**} rw,
- owner /tmp/mkinitcpio.@{rand6} rw,
- owner /tmp/mkinitcpio.@{rand6}/{,**} rw,
+ owner @{tmp}/mkinitcpio.@{rand6} rw,
+ owner @{tmp}/mkinitcpio.@{rand6}/{,**} rw,
 @{sys}/class/block/ r,
 @{sys}/devices/{,**} r,
diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman
index 04e2dacc..79387790 100644
--- a/apparmor.d/groups/pacman/pacman
+++ b/apparmor.d/groups/pacman/pacman
@@ -126,9 +126,9 @@ profile pacman @{exec_path} {
 @{user_pkg_dirs}/**.pkg.tar.zst{,.sig} r,
 owner /var/lib/pacman/{,**} rwl,
- owner /tmp/alpm_*/{,**} rw,
- owner /tmp/checkup-db-@{int}/sync/{,*.db*} rw,
- owner /tmp/checkup-db-@{int}/db.lck rw,
+ owner @{tmp}/alpm_*/{,**} rw,
+ owner @{tmp}/checkup-db-@{int}/sync/{,*.db*} rw,
+ owner @{tmp}/checkup-db-@{int}/db.lck rw,
 @{run}/utmp rk,
diff --git a/apparmor.d/groups/ssh/ssh b/apparmor.d/groups/ssh/ssh
index 0ea99782..bc60b577 100644
--- a/apparmor.d/groups/ssh/ssh
+++ b/apparmor.d/groups/ssh/ssh
@@ -42,7 +42,7 @@ profile ssh @{exec_path} {
 owner @{user_projects_dirs}/**/ssh/{,*} r,
 owner @{user_projects_dirs}/**/config r,
- owner /tmp/ssh-*/{,agent.@{int}} rwkl,
+ owner @{tmp}/ssh-*/{,agent.@{int}} rwkl,
 owner @{run}/user/@{uid}/keyring/ssh rw,
diff --git a/apparmor.d/groups/ssh/ssh-agent b/apparmor.d/groups/ssh/ssh-agent
index 84da0a5f..a3e29d9d 100644
--- a/apparmor.d/groups/ssh/ssh-agent
+++ b/apparmor.d/groups/ssh/ssh-agent
@@ -25,8 +25,8 @@ profile ssh-agent @{exec_path} {
 owner @{HOME}/.xsession-errors w,
 owner @{user_projects_dirs}/**/ssh/{,*} r,
- owner /tmp/ssh-*/ rw,
- owner /tmp/ssh-*/agent.* rw,
+ owner @{tmp}/ssh-*/ rw,
+ owner @{tmp}/ssh-*/agent.* rw,
 owner @{run}/user/@{uid}/keyring/.ssh rw,
 owner @{run}/user/@{uid}/openssh_agent rw,
diff --git a/apparmor.d/groups/systemd/coredumpctl b/apparmor.d/groups/systemd/coredumpctl
index 39315e7c..ac9c4771 100644
--- a/apparmor.d/groups/systemd/coredumpctl
+++ b/apparmor.d/groups/systemd/coredumpctl
@@ -37,8 +37,8 @@ profile coredumpctl @{exec_path} flags=(complain) {
 /{run,var}/log/journal/@{hex32}/system.journal* r,
 /{run,var}/log/journal/@{hex32}/system@@{hex}.journal* r,
- owner /tmp/*.coredump w,
- owner /tmp/core.* w,
+ owner @{tmp}/*.coredump w,
+ owner @{tmp}/core.* w,
 owner /var/tmp/coredump-* rw,
 @{PROC}/1/cgroup r,
diff --git a/apparmor.d/groups/systemd/systemd-analyze b/apparmor.d/groups/systemd/systemd-analyze
index 9c06aa64..95ce9f2e 100644
--- a/apparmor.d/groups/systemd/systemd-analyze
+++ b/apparmor.d/groups/systemd/systemd-analyze
@@ -40,7 +40,7 @@ profile systemd-analyze @{exec_path} {
 /etc/locale.conf r,
 /etc/systemd/** r,
- owner /tmp/systemd-temporary-*/ rw,
+ owner @{tmp}/systemd-temporary-*/ rw,
 @{run}/systemd/generator/ r,
 @{run}/systemd/private rw,
diff --git a/apparmor.d/groups/systemd/systemd-dissect b/apparmor.d/groups/systemd/systemd-dissect
index 5490b0da..6ba2ee8e 100644
--- a/apparmor.d/groups/systemd/systemd-dissect
+++ b/apparmor.d/groups/systemd/systemd-dissect
@@ -35,7 +35,7 @@ profile systemd-dissect @{exec_path} flags=(attach_disconnected) {
 @{user_projects_dirs}/{,**} r,
 @{user_vm_dirs}/{,**} r,
- owner /tmp/dissect-@{rand6}/{,**} rw,
+ owner @{tmp}/dissect-@{rand6}/{,**} rw,
 @{sys}/devices/virtual/block/loop@{int}/{,**} r,
 @{sys}/kernel/uevent_seqnum r,
diff --git a/apparmor.d/groups/ubuntu/software-properties-dbus b/apparmor.d/groups/ubuntu/software-properties-dbus
index ad3a2d56..662645f1 100644
--- a/apparmor.d/groups/ubuntu/software-properties-dbus
+++ b/apparmor.d/groups/ubuntu/software-properties-dbus
@@ -39,9 +39,9 @@ profile software-properties-dbus @{exec_path} {
 /usr/share/distro-info/*.csv r,
 /usr/share/xml/iso-codes/{,**} r,
- owner /tmp/???????? rw, # unconventional '_' tail
- owner /tmp/tmp????????/ w, # change to 'c'
- owner /tmp/tmp????????/apt.conf w,
+ owner @{tmp}/???????? rw, # unconventional '_' tail
+ owner @{tmp}/tmp????????/ w, # change to 'c'
+ owner @{tmp}/tmp????????/apt.conf w,
 owner @{PROC}/@{pid}/fd/ r,
 owner @{PROC}/@{pid}/mounts r,
diff --git a/apparmor.d/groups/ubuntu/software-properties-gtk b/apparmor.d/groups/ubuntu/software-properties-gtk
index d1c8bcdd..7d965795 100644
--- a/apparmor.d/groups/ubuntu/software-properties-gtk
+++ b/apparmor.d/groups/ubuntu/software-properties-gtk
@@ -73,9 +73,9 @@ profile software-properties-gtk @{exec_path} {
 /var/crash/*software-properties-gtk.@{uid}.crash rw,
 /var/lib/ubuntu-advantage/status.json r,
- owner /tmp/???????? rw,
- owner /tmp/tmp????????/ rw, # change to 'c'
- owner /tmp/tmp????????/apt.conf rw,
+ owner @{tmp}/???????? rw,
+ owner @{tmp}/tmp????????/ rw, # change to 'c'
+ owner @{tmp}/tmp????????/apt.conf rw,
 owner @{run}/user/@{uid}/gnome-shell-disable-extensions w,
diff --git a/apparmor.d/groups/ubuntu/ubuntu-advantage b/apparmor.d/groups/ubuntu/ubuntu-advantage
index be70afcb..6307745c 100644
--- a/apparmor.d/groups/ubuntu/ubuntu-advantage
+++ b/apparmor.d/groups/ubuntu/ubuntu-advantage
@@ -53,9 +53,9 @@ profile ubuntu-advantage @{exec_path} {
 /etc/machine-id r,
- owner /tmp/tmp[0-9a-z]*/apt.conf r,
- owner /tmp/[0-9a-z]*{,/} rw,
- owner /tmp/[0-9a-z]*/apt-helper-output rw,
+ owner @{tmp}/tmp[0-9a-z]*/apt.conf r,
+ owner @{tmp}/[0-9a-z]*{,/} rw,
+ owner @{tmp}/[0-9a-z]*/apt-helper-output rw,
 @{run}/ubuntu-advantage/{,**} rw,
diff --git a/apparmor.d/groups/ubuntu/update-notifier b/apparmor.d/groups/ubuntu/update-notifier
index 54b347b3..0e1568e8 100644
--- a/apparmor.d/groups/ubuntu/update-notifier
+++ b/apparmor.d/groups/ubuntu/update-notifier
@@ -80,7 +80,7 @@ profile update-notifier @{exec_path} {
 owner @{run}/user/@{uid}/update-notifier.pid rwk,
- owner /tmp/#@{int} rw,
+ owner @{tmp}/#@{int} rw,
 @{PROC}/@{pids}/mountinfo r,
 owner @{PROC}/@{pid}/fd/ r,
diff --git a/apparmor.d/groups/virt/containerd b/apparmor.d/groups/virt/containerd
index f52e19d4..c9898374 100644
--- a/apparmor.d/groups/virt/containerd
+++ b/apparmor.d/groups/virt/containerd
@@ -88,7 +88,7 @@ profile containerd @{exec_path} flags=(attach_disconnected) {
 /tmp/cri-containerd.apparmor.d@{int} rwl,
 /tmp/ctd-volume@{int}/{,**} rw,
- owner /tmp/** rwkl,
+ owner @{tmp}/** rwkl,
 owner /var/tmp/** rwkl,
 @{sys}/fs/cgroup/kubepods/** r,
diff --git a/apparmor.d/groups/virt/k3s b/apparmor.d/groups/virt/k3s
index f8cc5b7f..145a095f 100644
--- a/apparmor.d/groups/virt/k3s
+++ b/apparmor.d/groups/virt/k3s
@@ -98,7 +98,7 @@ profile k3s @{exec_path} flags=(attach_disconnected) {
 @{run}/xtables.lock rwk,
 owner /var/tmp/** rwkl,
- owner /tmp/** rwkl,
+ owner @{tmp}/** rwkl,
 owner @{PROC}/@{pids}/cgroup r,
 owner @{PROC}/@{pids}/cpuset r,
diff --git a/apparmor.d/groups/whonix/sdwdate-start b/apparmor.d/groups/whonix/sdwdate-start
index 6f93ee27..bcca090f 100644
--- a/apparmor.d/groups/whonix/sdwdate-start
+++ b/apparmor.d/groups/whonix/sdwdate-start
@@ -20,7 +20,7 @@ profile sdwdate-start @{exec_path} {
 @{bin}/mkfifo rix,
 @{bin}/inotifywait rix,
- owner /tmp/tmp.@{rand10} rw,
+ owner @{tmp}/tmp.@{rand10} rw,
 owner @{run}/sdwdate/ rw,
 owner @{run}/sdwdate/status rw,
diff --git a/apparmor.d/groups/whonix/torbrowser b/apparmor.d/groups/whonix/torbrowser
index b7672e06..760b3eda 100644
--- a/apparmor.d/groups/whonix/torbrowser
+++ b/apparmor.d/groups/whonix/torbrowser
@@ -82,18 +82,18 @@ profile torbrowser @{exec_path} flags=(attach_disconnected) {
 /tmp/ r,
 /var/tmp/ r,
- owner /tmp/user/@{uid}/ rw,
- owner /tmp/user/@{uid}/* rwk,
- owner /tmp/user/@{uid}/Temp-@{uuid}/ rw,
- owner /tmp/user/@{uid}/Temp-@{uuid}/* rwk,
- owner /tmp/user/@{uid}/firefox/ rw,
- owner /tmp/user/@{uid}/firefox/* rwk,
- owner /tmp/@{name}/ rw,
- owner /tmp/@{name}/* rwk,
- owner /tmp/Temp-@{uuid}/ rw,
- owner "/tmp/Tor Project*/" rw,
- owner "/tmp/Tor Project*/**" rwk,
- owner "/tmp/Tor Project*" rwk,
+ owner @{tmp}/ rw,
+ owner @{tmp}/* w,
+ owner @{tmp}/Temp-@{uuid}/ rw,
+ owner @{tmp}/Temp-@{uuid}/* rwk,
+ owner @{tmp}/firefox/ rw,
+ owner @{tmp}/firefox/* rwk,
+ owner @{tmp}/@{name}/ rw,
+ owner @{tmp}/@{name}/* rwk,
+ owner @{tmp}/Temp-@{uuid}/ rw,
+ owner "@{tmp}/Tor Project*/" rw,
+ owner "@{tmp}/Tor Project*/**" rwk,
+ owner "@{tmp}/Tor Project*" rwk,
 @{run}/mount/utab r,
diff --git a/apparmor.d/groups/whonix/torbrowser-glxtest b/apparmor.d/groups/whonix/torbrowser-glxtest
index eb0b24a7..7a7295bf 100644
--- a/apparmor.d/groups/whonix/torbrowser-glxtest
+++ b/apparmor.d/groups/whonix/torbrowser-glxtest
@@ -23,7 +23,7 @@ profile torbrowser-glxtest @{exec_path} {
 owner @{config_dirs}/.parentlock rw,
- owner /tmp/@{name}/.parentlock rw,
+ owner @{tmp}/@{name}/.parentlock rw,
 owner @{PROC}/@{pid}/cmdline r,
diff --git a/apparmor.d/groups/whonix/torbrowser-updater-permission-fix b/apparmor.d/groups/whonix/torbrowser-updater-permission-fix
index d9348805..4dc8e792 100644
--- a/apparmor.d/groups/whonix/torbrowser-updater-permission-fix
+++ b/apparmor.d/groups/whonix/torbrowser-updater-permission-fix
@@ -30,7 +30,7 @@ profile torbrowser-updater-permission-fix @{exec_path} {
 /var/cache/tb-binary/{,**} rw,
- owner /tmp/user/@{uid}/tmp.@{rand10} rw,
+ owner @{tmp}/tmp.@{rand10} rw,
 owner @{PROC}/@{pid}/fd/ r,
diff --git a/apparmor.d/groups/whonix/torbrowser-vaapitest b/apparmor.d/groups/whonix/torbrowser-vaapitest
index 9217c5f6..5d284a93 100644
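Review bot: The torbrowser hunk is not a pure path substitution: `owner /tmp/user/@{uid}/* rwk` becomes `owner @{tmp}/* w`, silently dropping the read and lock permissions, and the old per-user `/tmp/user/@{uid}/` directory rule becomes `owner @{tmp}/ rw` on the variable's root, which is wider if `@{tmp}` also expands to plain `/tmp`. If the narrowing to `w` is deliberate it deserves a comment, otherwise the line should read `owner @{tmp}/* rwk,`. The new side also lists `owner @{tmp}/Temp-@{uuid}/ rw,` twice (the `/tmp/user/@{uid}/Temp-…` and `/tmp/Temp-…` rules collapse onto the same path), so one copy can go.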
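Review bot: Replacing `/tmp/user/@{uid}/tmp.@{rand10}` with `@{tmp}/tmp.@{rand10}` in torbrowser-updater-permission-fix only preserves the existing access if `@{tmp}` is defined to include the `/tmp/user/@{uid}` alternative; that definition is outside this diff, so it should be confirmed before merging. The torbrowser-wrapper, xfce-session and xfce-terminal hunks later in the patch make the same assumption, and the first two fold a `/tmp/…` and a `/tmp/user/@{uid}/…` pair into one `@{tmp}` rule, which is a regression for whichever alternative the variable does not cover.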
--- a/apparmor.d/groups/whonix/torbrowser-vaapitest
+++ b/apparmor.d/groups/whonix/torbrowser-vaapitest
@@ -21,7 +21,7 @@ profile torbrowser-vaapitest @{exec_path} {
 @{exec_path} mr,
- owner /tmp/@{name}/.parentlock rw,
+ owner @{tmp}/@{name}/.parentlock rw,
 deny @{config_dirs}/.parentlock rw,
 deny @{config_dirs}/startupCache/** r,
diff --git a/apparmor.d/groups/whonix/torbrowser-wrapper b/apparmor.d/groups/whonix/torbrowser-wrapper
index b3d9f446..8847bba3 100644
--- a/apparmor.d/groups/whonix/torbrowser-wrapper
+++ b/apparmor.d/groups/whonix/torbrowser-wrapper
@@ -43,8 +43,7 @@ profile torbrowser-wrapper @{exec_path} {
 owner @{HOME}/.tb/{,**} rw,
 owner /var/cache/tb-binary/{,**} rw,
- owner /tmp/tmp.@{rand10} rw,
- owner /tmp/user/@{uid}/tmp.@{rand10} rw,
+ owner @{tmp}/tmp.@{rand10} rw,
 owner @{run}/mount/utab r,
diff --git a/apparmor.d/groups/xfce/thunar b/apparmor.d/groups/xfce/thunar
index b668553b..3a53fc06 100644
--- a/apparmor.d/groups/xfce/thunar
+++ b/apparmor.d/groups/xfce/thunar
@@ -38,7 +38,7 @@ profile thunar @{exec_path} {
 @{MOUNTS}/** rw,
 owner @{HOME}/{,**} rw,
 owner @{run}/user/@{uid}/{,**} rw,
- owner /tmp/{,**} rw,
+ owner @{tmp}/{,**} rw,
 # Silence non user's data
 deny /boot/{,**} r,
diff --git a/apparmor.d/groups/xfce/xfce-session b/apparmor.d/groups/xfce/xfce-session
index eff39f18..705fb9aa 100644
--- a/apparmor.d/groups/xfce/xfce-session
+++ b/apparmor.d/groups/xfce/xfce-session
@@ -45,8 +45,7 @@ profile xfce-session @{exec_path} {
 /etc/xdg/autostart/ r,
 /etc/xdg/autostart/*.desktop r,
- owner /tmp/.xfsm-ICE-@{rand6} rw,
- owner /tmp/user/@{uid}/.xfsm-ICE-@{rand6} rw,
+ owner @{tmp}/.xfsm-ICE-@{rand6} rw,
 owner @{PROC}/@{pid}/stat r,
diff --git a/apparmor.d/groups/xfce/xfce-terminal b/apparmor.d/groups/xfce/xfce-terminal
index 2adeb97c..92d8d083 100644
--- a/apparmor.d/groups/xfce/xfce-terminal
+++ b/apparmor.d/groups/xfce/xfce-terminal
@@ -36,7 +36,7 @@ profile xfce-terminal @{exec_path} {
 owner @{user_config_dirs}/xfce4/terminal/{,**} r,
- owner /tmp/user/@{uid}/#@{int} rw,
+ owner @{tmp}/#@{int} rw,
 @{PROC}/@{pid}/cgroup r,
 owner @{PROC}/@{pid}/mountinfo r,
diff --git a/apparmor.d/profiles-a-f/aa-notify b/apparmor.d/profiles-a-f/aa-notify
index 51835f9d..f2e63b8c 100644
--- a/apparmor.d/profiles-a-f/aa-notify
+++ b/apparmor.d/profiles-a-f/aa-notify
@@ -33,8 +33,8 @@ profile aa-notify @{exec_path} {
 owner @{HOME}/.inputrc r,
 owner @{HOME}/.terminfo/@{int}/dumb r,
- owner /tmp/@{rand8} rw,
- owner /tmp/apparmor-bugreport-*.txt rw,
+ owner @{tmp}/@{rand8} rw,
+ owner @{tmp}/apparmor-bugreport-*.txt rw,
 @{PROC}/ r,
 @{PROC}/@{pid}/stat r,
diff --git a/apparmor.d/profiles-a-f/adb b/apparmor.d/profiles-a-f/adb
index be97ad46..bbdc782a 100644
--- a/apparmor.d/profiles-a-f/adb
+++ b/apparmor.d/profiles-a-f/adb
@@ -24,7 +24,7 @@ profile adb @{exec_path} {
 /usr/share/scrcpy/scrcpy-server r,
- owner /tmp/adb.@{int}.log rw,
+ owner @{tmp}/adb.@{int}.log rw,
 owner @{HOME}/.android/ rw,
 owner @{HOME}/.android/adb.@{int} rw,
diff --git a/apparmor.d/profiles-a-f/anacron b/apparmor.d/profiles-a-f/anacron
index 22854ae2..d813c2d6 100644
--- a/apparmor.d/profiles-a-f/anacron
+++ b/apparmor.d/profiles-a-f/anacron
@@ -35,8 +35,8 @@ profile anacron @{exec_path} {
 /etc/cron.*/ r,
 /etc/cron.*/* rPUx,
- owner /tmp/#@{int} rw,
- owner /tmp/file@{rand6} rw,
+ owner @{tmp}/#@{int} rw,
+ owner @{tmp}/file@{rand6} rw,
 include if exists
 }
diff --git a/apparmor.d/profiles-a-f/anyremote b/apparmor.d/profiles-a-f/anyremote
index b24b6c13..44a86240 100644
--- a/apparmor.d/profiles-a-f/anyremote
+++ b/apparmor.d/profiles-a-f/anyremote
@@ -61,8 +61,8 @@ profile anyremote @{exec_path} {
 @{bin}/mpv rPx,
 @{bin}/strawberry rPx,
- owner /tmp/amarok_covers/ rw,
- owner /tmp/*.png rw,
+ owner @{tmp}/amarok_covers/ rw,
+ owner @{tmp}/*.png rw,
 # For shell pwd
 owner @{HOME}/ r,
@@ -92,9 +92,9 @@ profile anyremote @{exec_path} {
 owner @{HOME}/.kde/share/apps/amarok/albumcovers/cache/* r,
 /tmp/ r,
- owner /tmp/*.png rw,
- owner /tmp/amarok_covers/* rw,
- owner /tmp/magick-* rw,
+ owner @{tmp}/*.png rw,
+ owner @{tmp}/amarok_covers/* rw,
+ owner @{tmp}/magick-* rw,
 }
diff --git a/apparmor.d/profiles-a-f/apparmor_parser b/apparmor.d/profiles-a-f/apparmor_parser
index a38d04e7..ee442861 100644
--- a/apparmor.d/profiles-a-f/apparmor_parser
+++ b/apparmor.d/profiles-a-f/apparmor_parser
@@ -36,7 +36,7 @@ profile apparmor_parser @{exec_path} flags=(attach_disconnected) {
 owner /var/lib/snapd/apparmor/{,**} r,
 owner /var/snap/lxd/common/lxd/security/apparmor/{,**} rw,
- owner /tmp/cri-containerd.apparmor.d@{int} r,
+ owner @{tmp}/cri-containerd.apparmor.d@{int} r,
 @{sys}/kernel/security/apparmor/{,**} r,
 owner @{sys}/kernel/security/apparmor/.{remove,replace,load,access} rw,
diff --git a/apparmor.d/profiles-a-f/appstreamcli b/apparmor.d/profiles-a-f/appstreamcli
index 03c56699..e280c705 100644
--- a/apparmor.d/profiles-a-f/appstreamcli
+++ b/apparmor.d/profiles-a-f/appstreamcli
@@ -52,9 +52,9 @@ profile appstreamcli @{exec_path} flags=(complain) {
 owner @{user_cache_dirs}/appstream/ rw,
 owner @{user_cache_dirs}/appstream/appcache-*.mdb rw,
- owner /tmp/appstream-cache-*.mdb rw,
- owner /tmp/appstream/ rw,
- owner /tmp/appstream/appcache-*.mdb rw,
+ owner @{tmp}/appstream-cache-*.mdb rw,
+ owner @{tmp}/appstream/ rw,
+ owner @{tmp}/appstream/appcache-*.mdb rw,
 owner @{PROC}/@{pid}/fd/ r,
diff --git a/apparmor.d/profiles-a-f/arduino b/apparmor.d/profiles-a-f/arduino
index 9317d403..16d4fcad 100644
--- a/apparmor.d/profiles-a-f/arduino
+++ b/apparmor.d/profiles-a-f/arduino
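Review bot: apparmor_parser now reads `owner @{tmp}/cri-containerd.apparmor.d@{int} r` while the containerd hunk earlier in this patch keeps the producer rule literal, `/tmp/cri-containerd.apparmor.d@{int} rwl`; the two profiles describe the same file, so they only agree if `@{tmp}` (defined outside this diff) still matches plain `/tmp`. Unless that is guaranteed, keeping this cross-profile path literal on both sides is the safer choice, or a comment such as `# Written by containerd under /tmp/, see groups/virt/containerd` should tie them together. check-support-status later in the patch has the same mixed form inside a single profile: the `output` file is written via a literal `/tmp/…/output w` rule and read back via `@{tmp}/…/output r`.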
@@ -67,18 +67,18 @@ profile arduino @{exec_path} {
 owner @{HOME}/.Xauthority r,
 /tmp/ r,
- owner /tmp/cc*.{s,res,c,o,ld,le} rw,
- owner /tmp/hsperfdata_*/ rw,
- owner /tmp/hsperfdata_*/@{pid} rw,
- owner /tmp/untitled[0-9]*.tmp rw,
- owner /tmp/untitled[0-9]*.tmp/{,**} rw,
- owner /tmp/console[0-9]*.tmp rw,
- owner /tmp/console[0-9]*.tmp/{,**} rw,
- owner /tmp/build[0-9]*.tmp rw,
- owner /tmp/build[0-9]*.tmp/{,**} rw,
- owner /tmp/arduino_{build,cache}_[0-9]*/{,**} rw,
- owner /tmp/{library,package}_index.json*.tmp* rw,
- owner /tmp/arduino_modified_sketch_[0-9]*/{,**} rw,
+ owner @{tmp}/cc*.{s,res,c,o,ld,le} rw,
+ owner @{tmp}/hsperfdata_*/ rw,
+ owner @{tmp}/hsperfdata_*/@{pid} rw,
+ owner @{tmp}/untitled[0-9]*.tmp rw,
+ owner @{tmp}/untitled[0-9]*.tmp/{,**} rw,
+ owner @{tmp}/console[0-9]*.tmp rw,
+ owner @{tmp}/console[0-9]*.tmp/{,**} rw,
+ owner @{tmp}/build[0-9]*.tmp rw,
+ owner @{tmp}/build[0-9]*.tmp/{,**} rw,
+ owner @{tmp}/arduino_{build,cache}_[0-9]*/{,**} rw,
+ owner @{tmp}/{library,package}_index.json*.tmp* rw,
+ owner @{tmp}/arduino_modified_sketch_[0-9]*/{,**} rw,
 owner @{run}/lock/tmp* rw,
 owner @{run}/lock/LCK..ttyS[0-9]* rw,
diff --git a/apparmor.d/profiles-a-f/arduino-builder b/apparmor.d/profiles-a-f/arduino-builder
index 129737f7..0eb54afe 100644
--- a/apparmor.d/profiles-a-f/arduino-builder
+++ b/apparmor.d/profiles-a-f/arduino-builder
@@ -42,10 +42,10 @@ profile arduino-builder @{exec_path} {
 @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
 /tmp/ r,
- owner /tmp/cc* rw,
- owner /tmp/untitled[0-9]*.tmp/{,**} rw,
- owner /tmp/arduino_{build,cache}_[0-9]*/{,**} rw,
- owner /tmp/arduino_modified_sketch_[0-9]*/{,**} rw,
+ owner @{tmp}/cc* rw,
+ owner @{tmp}/untitled[0-9]*.tmp/{,**} rw,
+ owner @{tmp}/arduino_{build,cache}_[0-9]*/{,**} rw,
+ owner @{tmp}/arduino_modified_sketch_[0-9]*/{,**} rw,
 include if exists
 }
diff --git a/apparmor.d/profiles-a-f/arduino-ctags b/apparmor.d/profiles-a-f/arduino-ctags
index 144783ca..c97b0096 100644
--- a/apparmor.d/profiles-a-f/arduino-ctags
+++ b/apparmor.d/profiles-a-f/arduino-ctags
@@ -13,9 +13,9 @@ profile arduino-ctags @{exec_path} {
 @{exec_path} mr,
- owner /tmp/tags.* rw,
+ owner @{tmp}/tags.* rw,
- owner /tmp/arduino_build_@{int}/** r,
+ owner @{tmp}/arduino_build_@{int}/** r,
 include if exists
 }
diff --git a/apparmor.d/profiles-a-f/atril b/apparmor.d/profiles-a-f/atril
index 97903a49..a1caf6bc 100644
--- a/apparmor.d/profiles-a-f/atril
+++ b/apparmor.d/profiles-a-f/atril
@@ -60,10 +60,10 @@ profile atril @{exec_path} {
 owner @{user_share_dirs}/ r,
- owner /tmp/gtkprint_* rw,
- owner /tmp/settings*.ini rw,
- owner /tmp/settings*.ini.* rw,
- owner /tmp/atril-@{pid}/{,**} rw,
+ owner @{tmp}/gtkprint_* rw,
+ owner @{tmp}/settings*.ini rw,
+ owner @{tmp}/settings*.ini.* rw,
+ owner @{tmp}/atril-@{pid}/{,**} rw,
 @{sys}/firmware/acpi/pm_profile r,
 @{sys}/devices/virtual/dmi/id/chassis_type r,
diff --git a/apparmor.d/profiles-a-f/augenrules b/apparmor.d/profiles-a-f/augenrules
index 3c20ab27..f5a83b69 100644
--- a/apparmor.d/profiles-a-f/augenrules
+++ b/apparmor.d/profiles-a-f/augenrules
@@ -28,7 +28,7 @@ profile augenrules @{exec_path} flags=(attach_disconnected) {
 /etc/audit/audit.rules rw,
 /etc/audit/rules.d/{,*} r,
- owner /tmp/aurules.@{rand8} rw,
+ owner @{tmp}/aurules.@{rand8} rw,
 /dev/tty rw,
diff --git a/apparmor.d/profiles-a-f/birdtray b/apparmor.d/profiles-a-f/birdtray
index 929a98ef..9104e400 100644
--- a/apparmor.d/profiles-a-f/birdtray
+++ b/apparmor.d/profiles-a-f/birdtray
@@ -41,7 +41,7 @@ profile birdtray @{exec_path} {
 owner @{user_config_dirs}/birdtray-config.json rwl -> @{user_config_dirs}/#@{int},
 owner @{user_config_dirs}/birdtray-config.json.* rwl -> @{user_config_dirs}/#@{int},
- owner /tmp/birdtray.ulduzsoft.single.instance.server.socket w,
+ owner @{tmp}/birdtray.ulduzsoft.single.instance.server.socket w,
 # Thunderbird mail dirs
 owner @{HOME}/ r,
diff --git a/apparmor.d/profiles-a-f/borg b/apparmor.d/profiles-a-f/borg
index 5d6e4301..9703dcb6 100644
--- a/apparmor.d/profiles-a-f/borg
+++ b/apparmor.d/profiles-a-f/borg
@@ -64,12 +64,12 @@ profile borg @{exec_path} {
 owner @{user_config_dirs}/borg/** rw,
 # If /tmp/ isn't accessible, then /var/tmp/ is used.
- owner /tmp/* rw,
- owner /tmp/borg-cache-*/ rw,
- owner /tmp/borg-cache-*/* rw,
- owner /tmp/tmp*/ rw,
- owner /tmp/tmp*/file rw,
- owner /tmp/tmp*/idx rw,
+ owner @{tmp}/* rw,
+ owner @{tmp}/borg-cache-*/ rw,
+ owner @{tmp}/borg-cache-*/* rw,
+ owner @{tmp}/tmp*/ rw,
+ owner @{tmp}/tmp*/file rw,
+ owner @{tmp}/tmp*/idx rw,
 owner /var/lib/libuuid/clock.txt w,
 owner /var/tmp/* rw,
 owner /var/tmp/tmp*/ rw,
diff --git a/apparmor.d/profiles-a-f/browserpass b/apparmor.d/profiles-a-f/browserpass
index 33f07a98..e616a941 100644
--- a/apparmor.d/profiles-a-f/browserpass
+++ b/apparmor.d/profiles-a-f/browserpass
@@ -23,7 +23,7 @@ profile browserpass @{exec_path} flags=(attach_disconnected) {
 owner @{user_cache_dirs}/mozilla/firefox/@{rand8}.*/startupCache/scriptCache-*.bin r,
 owner @{user_cache_dirs}/mozilla/firefox/@{rand8}.*/startupCache/startupCache.*.little r,
 owner @{user_cache_dirs}/mozilla/firefox/@{rand8}.*/safebrowsing-updating/google[0-9]/goog-phish-proto-@{int}.vlpset rw,
- owner /tmp/mozilla-temp-@{int} r,
+ owner @{tmp}/mozilla-temp-@{int} r,
 @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
diff --git a/apparmor.d/profiles-a-f/btrfs b/apparmor.d/profiles-a-f/btrfs
index f67c3738..cb651e1c 100644
--- a/apparmor.d/profiles-a-f/btrfs
+++ b/apparmor.d/profiles-a-f/btrfs
@@ -37,7 +37,7 @@ profile btrfs @{exec_path} flags=(attach_disconnected) {
 owner @{user_img_dirs}/{,**} rwk,
 # For fsck of the btrfs filesystem directly from gparted
- owner /tmp/gparted-*/ rw,
+ owner @{tmp}/gparted-*/ rw,
 @{run}/blkid/blkid.tab{,-@{rand6}} rw,
 @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab,
diff --git a/apparmor.d/profiles-a-f/check-support-status b/apparmor.d/profiles-a-f/check-support-status
index 89a2ca71..e6c6a2e0 100644
--- a/apparmor.d/profiles-a-f/check-support-status
+++ b/apparmor.d/profiles-a-f/check-support-status
@@ -55,7 +55,7 @@ profile check-support-status @{exec_path} {
 owner @{HOME}/ r,
 /tmp/ r,
- owner /tmp/debian-security-support.*/{,**} rw,
+ owner @{tmp}/debian-security-support.*/{,**} rw,
 /tmp/debian-security-support.postinst.*/output w,
 /var/lib/debian-security-support/ r,
@@ -73,7 +73,7 @@ profile check-support-status @{exec_path} {
 @{bin}/debconf-escape r,
 @{bin}/perl r,
- owner /tmp/debian-security-support.postinst.*/output r,
+ owner @{tmp}/debian-security-support.postinst.*/output r,
 }
diff --git a/apparmor.d/profiles-a-f/check-support-status-hook b/apparmor.d/profiles-a-f/check-support-status-hook
index d2fb1f4c..d10245d4 100644
--- a/apparmor.d/profiles-a-f/check-support-status-hook
+++ b/apparmor.d/profiles-a-f/check-support-status-hook
@@ -40,8 +40,8 @@ profile check-support-status-hook @{exec_path} {
 /root/ r,
 /tmp/ r,
- owner /tmp/debian-security-support.postinst.*/ rw,
- owner /tmp/debian-security-support.postinst.*/output rw,
+ owner @{tmp}/debian-security-support.postinst.*/ rw,
+ owner @{tmp}/debian-security-support.postinst.*/output rw,
 /var/lib/ r,
 /var/lib/debian-security-support/ r,
@@ -56,7 +56,7 @@ profile check-support-status-hook @{exec_path} {
 @{bin}/perl r,
 /tmp/ r,
- owner /tmp/debian-security-support.postinst.*/output r,
+ owner @{tmp}/debian-security-support.postinst.*/output r,
 }
@@ -123,7 +123,7 @@ profile check-support-status-hook @{exec_path} {
 @{etc_ro}/security/limits.d/ r,
 /tmp/ r,
- owner /tmp/debian-security-support.postinst.*/output w,
+ owner @{tmp}/debian-security-support.postinst.*/output w,
 }
 include if exists
diff --git a/apparmor.d/profiles-a-f/claws-mail b/apparmor.d/profiles-a-f/claws-mail
index ad8da5cc..885d1602 100644
--- a/apparmor.d/profiles-a-f/claws-mail
+++ b/apparmor.d/profiles-a-f/claws-mail
@@ -48,9 +48,9 @@ profile claws-mail @{exec_path} flags=(complain) {
 owner @{user_mail_dirs}/ rw,
 owner @{user_mail_dirs}/** rwl -> @{user_mail_dirs}/**,
- owner /tmp/claws-mail-@{int}/ rw,
- owner /tmp/claws-mail-@{int}/@{hex} rw,
- owner /tmp/claws-mail-@{int}/@{hex}.lock rwk,
+ owner @{tmp}/claws-mail-@{int}/ rw,
+ owner @{tmp}/claws-mail-@{int}/@{hex} rw,
+ owner @{tmp}/claws-mail-@{int}/@{hex}.lock rwk,
 owner @{PROC}/@{pid}/fd/ r,
 owner @{PROC}/@{pid}/mountinfo r,
diff --git a/apparmor.d/profiles-a-f/code b/apparmor.d/profiles-a-f/code
index 793bb8ea..8dcd847d 100644
--- a/apparmor.d/profiles-a-f/code
+++ b/apparmor.d/profiles-a-f/code
@@ -65,9 +65,9 @@ profile code flags=(attach_disconnected) {
 owner @{user_projects_dirs}/ r,
 owner @{user_projects_dirs}/** rwkl -> @{user_projects_dirs}/**,
- owner /tmp/@{uuid} rw,
- owner /tmp/vscode-*/{,**} rw,
- owner /tmp/vscode-ipc-@{uuid}.sock rw,
+ owner @{tmp}/@{uuid} rw,
+ owner @{tmp}/vscode-*/{,**} rw,
+ owner @{tmp}/vscode-ipc-@{uuid}.sock rw,
 owner @{run}/user/@{uid}/vscode-@{hex}-*-{shared,main}.sock rw,
 owner @{run}/user/@{uid}/vscode-git-@{hex}.sock rw,
diff --git a/apparmor.d/profiles-a-f/code-extension-git-askpass b/apparmor.d/profiles-a-f/code-extension-git-askpass
index a55b03a5..8b419658 100644
--- a/apparmor.d/profiles-a-f/code-extension-git-askpass
+++ b/apparmor.d/profiles-a-f/code-extension-git-askpass
@@ -23,7 +23,7 @@ profile code-extension-git-askpass @{exec_path} {
 /usr/share/terminfo/** r,
- owner /tmp/tmp.* rw,
+ owner @{tmp}/tmp.* rw,
 /dev/tty rw,
diff --git a/apparmor.d/profiles-a-f/conky b/apparmor.d/profiles-a-f/conky
index 2437212b..fa71598f 100644
--- a/apparmor.d/profiles-a-f/conky
+++ b/apparmor.d/profiles-a-f/conky
@@ -141,7 +141,7 @@ profile conky @{exec_path} {
 @{PROC}/@{pid}/net/route r,
- owner /tmp/xauth-@{int}-_[0-9] r,
+ owner @{tmp}/xauth-@{int}-_[0-9] r,
 /usr/share/X11/XErrorDB r,
diff --git a/apparmor.d/profiles-a-f/cpuid b/apparmor.d/profiles-a-f/cpuid
index 3ca866a6..3c4f797e 100644
--- a/apparmor.d/profiles-a-f/cpuid
+++ b/apparmor.d/profiles-a-f/cpuid
@@ -17,7 +17,7 @@ profile cpuid @{exec_path} {
 /dev/cpu/@{int}/cpuid r,
- owner /tmp/cpuid* rw,
+ owner @{tmp}/cpuid* rw,
 include if exists
 }
diff --git a/apparmor.d/profiles-a-f/cups-notifier-dbus b/apparmor.d/profiles-a-f/cups-notifier-dbus
index 0c21ef9e..04ede210 100644
--- a/apparmor.d/profiles-a-f/cups-notifier-dbus
+++ b/apparmor.d/profiles-a-f/cups-notifier-dbus
@@ -19,7 +19,7 @@ profile cups-notifier-dbus @{exec_path} {
 /etc/cups/client.conf r,
- owner /tmp/cups-dbus-notifier-lockfile rwk,
+ owner @{tmp}/cups-dbus-notifier-lockfile rwk,
 include if exists
 }
\ No newline at end of file
diff --git a/apparmor.d/profiles-a-f/cups-pk-helper-mechanism b/apparmor.d/profiles-a-f/cups-pk-helper-mechanism
index 8bbc4e5d..e71c37fe 100644
--- a/apparmor.d/profiles-a-f/cups-pk-helper-mechanism
+++ b/apparmor.d/profiles-a-f/cups-pk-helper-mechanism
@@ -26,7 +26,7 @@ profile cups-pk-helper-mechanism @{exec_path} {
 /etc/cups/ppd/*.ppd r,
- owner /tmp/[a-z0-9]* rw,
+ owner @{tmp}/[a-z0-9]* rw,
 @{run}/cups/cups.sock rw,
diff --git a/apparmor.d/profiles-a-f/cupsd b/apparmor.d/profiles-a-f/cupsd
index 785428b6..13bcc3b8 100644
--- a/apparmor.d/profiles-a-f/cupsd
+++ b/apparmor.d/profiles-a-f/cupsd
@@ -94,7 +94,7 @@ profile cupsd @{exec_path} flags=(attach_disconnected) {
 @{PROC}/@{pids}/fd/ r,
 owner @{PROC}/@{pid}/mounts r,
- owner /tmp/*_latest_print_info w,
+ owner @{tmp}/*_latest_print_info w,
 /dev/tty rw,
diff --git a/apparmor.d/profiles-a-f/deltachat-desktop b/apparmor.d/profiles-a-f/deltachat-desktop
index 5d6aa5ce..1f554c4c 100644
--- a/apparmor.d/profiles-a-f/deltachat-desktop
+++ b/apparmor.d/profiles-a-f/deltachat-desktop
@@ -48,10 +48,10 @@ profile deltachat-desktop @{exec_path} {
 owner @{user_config_dirs}/DeltaChat/ rw,
 owner @{user_config_dirs}/DeltaChat/** rwk,
- owner /tmp/@{hex}/ rw,
- owner /tmp/@{hex}/db.sqlite-blobs/ rw,
- owner /tmp/@{hex}/db.sqlite rwk,
- owner /tmp/@{hex}/db.sqlite-journal rw,
+ owner @{tmp}/@{hex}/ rw,
+ owner @{tmp}/@{hex}/db.sqlite-blobs/ rw,
+ owner @{tmp}/@{hex}/db.sqlite rwk,
+ owner @{tmp}/@{hex}/db.sqlite-journal rw,
 @{PROC}/ r,
 owner @{PROC}/@{pid}/fd/ r,
diff --git a/apparmor.d/profiles-a-f/dhclient-script b/apparmor.d/profiles-a-f/dhclient-script
index 418caf38..45faf18a 100644
--- a/apparmor.d/profiles-a-f/dhclient-script
+++ b/apparmor.d/profiles-a-f/dhclient-script
@@ -56,8 +56,8 @@ profile dhclient-script @{exec_path} {
 /var/lib/dhcp/dhclient.leases r,
 /var/lib/samba/dhcp.conf{,.new} rw,
- owner /tmp/dhclient-script.debug rw,
- owner /tmp/variables.txt w,
+ owner @{tmp}/dhclient-script.debug rw,
+ owner @{tmp}/variables.txt w,
 @{run}/chrony-dhcp/ rw,
 @{run}/systemd/netif/leases/ r,
diff --git a/apparmor.d/profiles-a-f/dkms b/apparmor.d/profiles-a-f/dkms
index 0e9d3aec..8ca83930 100644
--- a/apparmor.d/profiles-a-f/dkms
+++ b/apparmor.d/profiles-a-f/dkms
@@ -85,11 +85,11 @@ profile dkms @{exec_path} flags=(attach_disconnected) {
 owner @{HOME}/ r,
- owner /tmp/* rw,
- owner /tmp/cc* rw,
- owner /tmp/dkms.*/ rw,
- owner /tmp/sh-thd.* rw,
- owner /tmp/tmp.* rw,
+ owner @{tmp}/* rw,
+ owner @{tmp}/cc* rw,
+ owner @{tmp}/dkms.*/ rw,
+ owner @{tmp}/sh-thd.* rw,
+ owner @{tmp}/tmp.* rw,
 @{PROC}/sys/kernel/osrelease r,
 owner @{PROC}/@{pid}/fd/ r,
@@ -109,7 +109,7 @@ profile dkms @{exec_path} flags=(attach_disconnected) {
 owner /boot/System.map-* r,
- owner /tmp/tmp.* r,
+ owner @{tmp}/tmp.* r,
 @{sys}/module/compression r,
diff --git a/apparmor.d/profiles-a-f/dlocate b/apparmor.d/profiles-a-f/dlocate
index 5fc06387..95ed3f08 100644
--- a/apparmor.d/profiles-a-f/dlocate
+++ b/apparmor.d/profiles-a-f/dlocate
@@ -42,7 +42,7 @@ profile dlocate @{exec_path} {
 /var/lib/dpkg/info/*.conffiles r,
 /var/lib/dpkg/info/*.md5sums r,
- owner /tmp/sh-thd.* rw,
+ owner @{tmp}/sh-thd.* rw,
 owner @{PROC}/@{pid}/fd/ r,
 owner @{PROC}/@{pid}/fd/2 w,
diff --git a/apparmor.d/profiles-a-f/dmidecode b/apparmor.d/profiles-a-f/dmidecode
index fd0fc8e5..d2200c25 100644
--- a/apparmor.d/profiles-a-f/dmidecode
+++ b/apparmor.d/profiles-a-f/dmidecode
@@ -14,7 +14,7 @@ profile dmidecode @{exec_path} {
 @{exec_path} mr,
- owner /tmp/dump.bin rw,
+ owner @{tmp}/dump.bin rw,
 @{sys}/firmware/dmi/tables/DMI r,
 @{sys}/firmware/dmi/tables/smbios_entry_point r,
diff --git a/apparmor.d/profiles-a-f/downloadhelper b/apparmor.d/profiles-a-f/downloadhelper
index 1be45ad5..af3bc6f9 100644
--- a/apparmor.d/profiles-a-f/downloadhelper
+++ b/apparmor.d/profiles-a-f/downloadhelper
@@ -33,7 +33,7 @@ profile downloadhelper @{exec_path} {
 owner @{user_cache_dirs}/mozilla/firefox/[0-9a-z]*.*/startupCache/startupCache.*.little r,
 owner @{user_cache_dirs}/mozilla/firefox/[0-9a-z]*.*/safebrowsing-updating/google@{int}/goog-phish-proto-@{int}.vlpset rw,
- owner /tmp/vdh-*.tmp rw,
+ owner @{tmp}/vdh-*.tmp rw,
 @{sys}/devices/system/node/ r,
 @{sys}/devices/system/node/node@{int}/meminfo r,
diff --git a/apparmor.d/profiles-a-f/dumpcap b/apparmor.d/profiles-a-f/dumpcap
index f88ff780..7013ff53 100644
--- a/apparmor.d/profiles-a-f/dumpcap
+++ b/apparmor.d/profiles-a-f/dumpcap
@@ -44,8 +44,8 @@ profile dumpcap @{exec_path} {
 /dev/ r,
 # Traffic log files
- owner /tmp/wireshark_*.pcapng rw,
- owner /tmp/*.pcap rw,
+ owner @{tmp}/wireshark_*.pcapng rw,
+ owner @{tmp}/*.pcap rw,
 # file_inherit
 owner @{HOME}/.xsession-errors w,
diff --git a/apparmor.d/profiles-a-f/engrampa b/apparmor.d/profiles-a-f/engrampa
index 5c73da5b..d76f5c1d 100644
--- a/apparmor.d/profiles-a-f/engrampa
+++ b/apparmor.d/profiles-a-f/engrampa
@@ -76,7 +76,7 @@ profile engrampa @{exec_path} {
 owner @{user_share_dirs}/ r,
 /tmp/ r,
- owner /tmp/** rw,
+ owner @{tmp}/** rw,
 @{run}/mount/utab r,
diff --git a/apparmor.d/profiles-a-f/etckeeper b/apparmor.d/profiles-a-f/etckeeper
index e4b25735..f96fe8f3 100644
--- a/apparmor.d/profiles-a-f/etckeeper
+++ b/apparmor.d/profiles-a-f/etckeeper
@@ -57,7 +57,7 @@ profile etckeeper @{exec_path} {
 owner @{HOME}/.netrc r,
 owner @{user_config_dirs}/git/{,*} rw,
- owner /tmp/etckeeper-git* rw,
+ owner @{tmp}/etckeeper-git* rw,
 owner @{PROC}/@{pid}/fd/ r,
diff --git a/apparmor.d/profiles-a-f/evince b/apparmor.d/profiles-a-f/evince
index fdaf80dc..266a7566 100644
--- a/apparmor.d/profiles-a-f/evince
+++ b/apparmor.d/profiles-a-f/evince
@@ -52,9 +52,9 @@ profile evince @{exec_path} {
 owner @{user_share_dirs}/gvfs-metadata/{,*} r,
 owner @{user_config_dirs}/evince/{,*} rw,
- owner /tmp/*.pdf r,
- owner /tmp/evince-*/{,**} rw,
- owner /tmp/gtkprint* rw,
+ owner @{tmp}/*.pdf r,
+ owner @{tmp}/evince-*/{,**} rw,
+ owner @{tmp}/gtkprint* rw,
 owner @{PROC}/@{pid}/fd/ r,
 owner @{PROC}/@{pid}/mountinfo r,
diff --git a/apparmor.d/profiles-a-f/evince-thumbnailer b/apparmor.d/profiles-a-f/evince-thumbnailer
index ce85624f..6faf3009 100644
--- a/apparmor.d/profiles-a-f/evince-thumbnailer
+++ b/apparmor.d/profiles-a-f/evince-thumbnailer
@@ -15,8 +15,8 @@ profile evince-thumbnailer @{exec_path} flags=(attach_disconnected) {
 /usr/share/mime/mime.cache r,
 /usr/share/poppler/{,**} r,
- owner /tmp/gnome-desktop-file-to-thumbnail.pdf r,
- owner /tmp/gnome-desktop-thumbnailer.png w,
+ owner @{tmp}/gnome-desktop-file-to-thumbnail.pdf r,
+ owner @{tmp}/gnome-desktop-thumbnailer.png w,
 include if exists
 }
\ No newline at end of file
diff --git a/apparmor.d/profiles-a-f/ffmpeg b/apparmor.d/profiles-a-f/ffmpeg
index 6f331f2a..3bc1fecf 100644
--- a/apparmor.d/profiles-a-f/ffmpeg
+++ b/apparmor.d/profiles-a-f/ffmpeg
@@ -32,8 +32,8 @@ profile ffmpeg @{exec_path} {
 owner @{user_music_dirs}/** rw,
 owner @{user_videos_dirs}/** rw,
- owner /tmp/*.{png,jpg} rw, # To generate thumbnails in some apps
- owner /tmp/vidcutter/** rw, # TMP files for apps using ffmpeg
+ owner @{tmp}/*.{png,jpg} rw, # To generate thumbnails in some apps
+ owner @{tmp}/vidcutter/** rw, # TMP files for apps using ffmpeg
 @{sys}/devices/system/node/ r,
 @{sys}/devices/system/node/node[0-9]/meminfo r,
diff --git a/apparmor.d/profiles-a-f/flatpak b/apparmor.d/profiles-a-f/flatpak
index 29d56b63..81b60a20 100644
--- a/apparmor.d/profiles-a-f/flatpak
+++ b/apparmor.d/profiles-a-f/flatpak
@@ -70,7 +70,7 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain
 /tmp/#@{int} rw,
 owner /dev/shm/flatpak*/{,**} rw,
- owner /tmp/ostree-gpg-*/{,**} rw,
+ owner @{tmp}/ostree-gpg-*/{,**} rw,
 @{run}/.userns r,
 @{run}/user/@{uid}/.dbus-proxy/ w,
@@ -107,8 +107,8 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain
 @{HOME}/@{XDG_GPG_DIR}/*.conf r,
- owner /tmp/ostree-gpg-*/ rw,
- owner /tmp/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**,
+ owner @{tmp}/ostree-gpg-*/ rw,
+ owner @{tmp}/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**,
 include if exists
 }
diff --git a/apparmor.d/profiles-a-f/flatpak-system-helper b/apparmor.d/profiles-a-f/flatpak-system-helper
index 5bf664b8..cb49cd9d 100644
--- a/apparmor.d/profiles-a-f/flatpak-system-helper
+++ b/apparmor.d/profiles-a-f/flatpak-system-helper
@@ -45,7 +45,7 @@ profile flatpak-system-helper @{exec_path} {
 owner /{var/,}tmp/#@{int} rw,
 owner /{var/,}tmp/ostree-gpg-*/ rw,
- owner /tmp/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**,
+ owner @{tmp}/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**,
 @{PROC}/@{pid}/stat r,
 owner @{PROC}/@{pid}/fd/ r,
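Review bot: In the second flatpak hunk the link rule's source moves to `@{tmp}` while its target stays literal, `owner @{tmp}/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**,`; if `@{tmp}` can expand to anything other than `/tmp` (the pam-tmpdir-helper and qbittorrent hunks suggest it also covers `/tmp/user/@{uid}`), a link created inside that alternate directory is denied because the `->` target no longer matches. The target should track the source the way the git profile already does for `@{user_cache_dirs}`: `owner @{tmp}/ostree-gpg-*/** rwkl -> @{tmp}/ostree-gpg-*/**,`. The same source/target split appears in both flatpak-system-helper hunks, the git hunks (`rwkl -> /tmp/**`, `rwkl -> /tmp/tmp*/**`, `rwl -> /tmp/git@*:@{int}.*`), keepassxc, mkvtoolnix-gui, psi, psi-plus and qbittorrent (`rwl -> /tmp/#@{int}` and `rwl -> /tmp/.qBittorrent/*`). If `@{tmp}` is deliberately single-valued for now, a one-line comment next to the variable's definition stating that these link targets rely on it would keep the next expansion of the variable from silently breaking them.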
@@ -62,8 +62,8 @@ profile flatpak-system-helper @{exec_path} {
 @{lib}/{,gnupg/}scdaemon rix,
 @{bin}/gpg-agent rix,
- owner /tmp/ostree-gpg-*/ r,
- owner /tmp/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**,
+ owner @{tmp}/ostree-gpg-*/ r,
+ owner @{tmp}/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**,
 owner @{PROC}/@{pid}/fd/ r,
 owner @{PROC}/@{pid}/task/@{tid}/comm rw,
diff --git a/apparmor.d/profiles-a-f/frontend b/apparmor.d/profiles-a-f/frontend
index fa376f98..664b43b4 100644
--- a/apparmor.d/profiles-a-f/frontend
+++ b/apparmor.d/profiles-a-f/frontend
@@ -74,7 +74,7 @@ profile frontend @{exec_path} flags=(complain) {
 /etc/inputrc r,
 /etc/shadow r,
- owner /tmp/file* w,
+ owner @{tmp}/file* w,
 owner /var/cache/debconf/* rwk,
 @{HOME}/.Xauthority r,
@@ -119,7 +119,7 @@ profile frontend @{exec_path} flags=(complain) {
 @{run}/ r,
 @{run}/** rw,
 /tmp/ r,
- owner /tmp/** rw,
+ owner @{tmp}/** rw,
 }
diff --git a/apparmor.d/profiles-g-l/gajim b/apparmor.d/profiles-g-l/gajim
index 048fcbcf..361f6c7c 100644
--- a/apparmor.d/profiles-g-l/gajim
+++ b/apparmor.d/profiles-g-l/gajim
@@ -82,7 +82,7 @@ profile gajim @{exec_path} {
 # TMP files locations (first in /tmp/ , /var/tmp/ and @{HOME}/)
 /var/tmp/ r,
 /tmp/ r,
- owner /tmp/* rw,
+ owner @{tmp}/* rw,
 # Silencer
 deny /usr/share/gajim/** w,
@@ -100,8 +100,8 @@ profile gajim @{exec_path} {
 @{bin}/{,@{multiarch}-}ld.bfd rix,
 @{lib}/gcc/@{multiarch}/@{int}/collect2 rix,
- owner /tmp/cc* rw,
- owner /tmp/tmp* rw,
+ owner @{tmp}/cc* rw,
+ owner @{tmp}/tmp* rw,
 /media/ccache/*/** rw,
diff --git a/apparmor.d/profiles-g-l/git b/apparmor.d/profiles-g-l/git
index a0641dbc..58459416 100644
--- a/apparmor.d/profiles-g-l/git
+++ b/apparmor.d/profiles-g-l/git
@@ -89,21 +89,21 @@ profile git @{exec_path} {
 owner @{user_cache_dirs}/*/ rw,
 owner @{user_cache_dirs}/*/** rwkl -> @{user_cache_dirs}/*/**,
- owner /tmp/** rwkl -> /tmp/**,
- owner /tmp/**/bin/* rCx -> exec,
+ owner @{tmp}/** rwkl -> /tmp/**,
+ owner @{tmp}/**/bin/* rCx -> exec,
 owner @{HOME}/.gitconfig* rw,
 owner @{HOME}/.netrc r,
 owner @{user_config_dirs}/git/{,*} rw,
- owner /tmp/git-difftool.*/ rw, # For diffs
- owner /tmp/git-difftool.*/right/{,**} rw,
- owner /tmp/git-difftool.*/left/{,**} rw,
- owner /tmp/* rw,
- owner /tmp/tmp*/ rw, # For TWRP-device-tree-generator
- owner /tmp/tmp*/** rwkl -> /tmp/tmp*/**,
- owner /tmp/.git_vtag_tmp@{rand6} rw, # For git log --show-signature
- owner /tmp/git-commit-msg-.txt rw, # For android studio
+ owner @{tmp}/git-difftool.*/ rw, # For diffs
+ owner @{tmp}/git-difftool.*/right/{,**} rw,
+ owner @{tmp}/git-difftool.*/left/{,**} rw,
+ owner @{tmp}/* rw,
+ owner @{tmp}/tmp*/ rw, # For TWRP-device-tree-generator
+ owner @{tmp}/tmp*/** rwkl -> /tmp/tmp*/**,
+ owner @{tmp}/.git_vtag_tmp@{rand6} rw, # For git log --show-signature
+ owner @{tmp}/git-commit-msg-.txt rw, # For android studio
 deny @{user_share_dirs}/gvfs-metadata/* r,
 deny /dev/shm/.org.chromium.Chromium* rw,
@@ -119,7 +119,7 @@ profile git @{exec_path} {
 owner @{HOME}/@{XDG_GPG_DIR}/ rw,
 owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**,
- owner /tmp/.git_vtag_tmp@{rand6} r,
+ owner @{tmp}/.git_vtag_tmp@{rand6} r,
 deny @{user_share_dirs}/gvfs-metadata/* r,
@@ -145,8 +145,8 @@ profile git @{exec_path} {
 owner @{HOME}/@{XDG_SSH_DIR}/known_hosts{,.*} rw,
 owner @{HOME}/@{XDG_SSH_DIR}/known_hosts.old rwl,
- owner /tmp/git@*:@{int} rwl -> /tmp/git@*:@{int}.*,
- owner /tmp/ssh-*/agent.@{int} rw,
+ owner @{tmp}/git@*:@{int} rwl -> /tmp/git@*:@{int}.*,
+ owner @{tmp}/ssh-*/agent.@{int} rw,
 owner @{PROC}/@{pid}/fd/ r,
diff --git a/apparmor.d/profiles-g-l/gpa b/apparmor.d/profiles-g-l/gpa
index 5f3fbdb0..566bd781 100644
--- a/apparmor.d/profiles-g-l/gpa
+++ b/apparmor.d/profiles-g-l/gpa
@@ -43,7 +43,7 @@ profile gpa @{exec_path} {
 # Files to verify
 owner /**.tar.gz r,
- owner /tmp/xauth-@{int}-_[0-9] r,
+ owner @{tmp}/xauth-@{int}-_[0-9] r,
 # External apps
 @{lib}/firefox/firefox rPUx,
diff --git a/apparmor.d/profiles-g-l/gpartedbin b/apparmor.d/profiles-g-l/gpartedbin
index 04cb2849..ede60499 100644
--- a/apparmor.d/profiles-g-l/gpartedbin
+++ b/apparmor.d/profiles-g-l/gpartedbin
@@ -72,7 +72,7 @@ profile gpartedbin @{exec_path} {
 @{HOME}/.Xauthority r,
 owner @{HOME}/*.htm w,
- owner /tmp/gparted-*/ rw,
+ owner @{tmp}/gparted-*/ rw,
 @{run}/mount/utab r,
diff --git a/apparmor.d/profiles-g-l/hardinfo b/apparmor.d/profiles-g-l/hardinfo
index 807c703d..8e727c75 100644
--- a/apparmor.d/profiles-g-l/hardinfo
+++ b/apparmor.d/profiles-g-l/hardinfo
@@ -109,7 +109,7 @@ profile hardinfo @{exec_path} {
 owner @{HOME}/.hardinfo/ rw,
- owner /tmp/#@{int} rw,
+ owner @{tmp}/#@{int} rw,
 # Allowed apps to open
 @{lib}/firefox/firefox rPUx,
@@ -154,8 +154,8 @@ profile hardinfo @{exec_path} {
 @{sys}/fs/cgroup/{,**} r,
- owner /tmp/hsperfdata_*/ rw,
- owner /tmp/hsperfdata_*/@{pid} rw,
+ owner @{tmp}/hsperfdata_*/ rw,
+ owner @{tmp}/hsperfdata_*/@{pid} rw,
 }
diff --git a/apparmor.d/profiles-g-l/hugo b/apparmor.d/profiles-g-l/hugo
index 78fc78f9..b3222265 100644
--- a/apparmor.d/profiles-g-l/hugo
+++ b/apparmor.d/profiles-g-l/hugo
@@ -37,8 +37,8 @@ profile hugo @{exec_path} {
 owner @{user_cache_dirs}/hugo_cache/{,**} rwkl,
- owner /tmp/hugo_cache/{,**} rwkl,
- owner /tmp/go-codehost-@{int} rw,
+ owner @{tmp}/hugo_cache/{,**} rwkl,
+ owner @{tmp}/go-codehost-@{int} rw,
 @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
diff --git a/apparmor.d/profiles-g-l/hw-probe b/apparmor.d/profiles-g-l/hw-probe
index 2aa80f90..8c179e0d 100644
--- a/apparmor.d/profiles-g-l/hw-probe
+++ b/apparmor.d/profiles-g-l/hw-probe
@@ -91,8 +91,8 @@ profile hw-probe @{exec_path} {
 owner /root/HW_PROBE/{,**} rw,
- owner /tmp/*/ rw,
- owner /tmp/*/cpu_perf rw,
+ owner @{tmp}/*/ rw,
+ owner @{tmp}/*/cpu_perf rw,
 @{sys}/class/drm/ r,
 @{sys}/class/power_supply/ r,
diff --git a/apparmor.d/profiles-g-l/hwinfo b/apparmor.d/profiles-g-l/hwinfo
index 599f8939..277ce6e7 100644
--- a/apparmor.d/profiles-g-l/hwinfo
+++ b/apparmor.d/profiles-g-l/hwinfo
@@ -71,7 +71,7 @@ profile hwinfo @{exec_path} {
 /var/lib/hardware/udi/ r,
 # For a log file
- owner /tmp/hwinfo*.txt rw,
+ owner @{tmp}/hwinfo*.txt rw,
 profile kmod {
@@ -85,7 +85,7 @@ profile hwinfo @{exec_path} {
 # file_inherit
 /dev/ttyS@{int} r,
- owner /tmp/hwinfo*.txt rw,
+ owner @{tmp}/hwinfo*.txt rw,
 @{sys}/devices/@{pci}/drm/card@{int}/ r,
 }
@@ -107,7 +107,7 @@ profile hwinfo @{exec_path} {
 @{run}/udev/data/* r,
 # file_inherit
- owner /tmp/hwinfo*.txt rw,
+ owner @{tmp}/hwinfo*.txt rw,
 }
diff --git a/apparmor.d/profiles-g-l/i3lock b/apparmor.d/profiles-g-l/i3lock
index a594c62c..4d3600a7 100644
--- a/apparmor.d/profiles-g-l/i3lock
+++ b/apparmor.d/profiles-g-l/i3lock
@@ -29,7 +29,7 @@ profile i3lock @{exec_path} {
 owner @{HOME}/*/*.png r,
 # When using also i3lock-fancy.
- owner /tmp/tmp.*.png r,
+ owner @{tmp}/tmp.*.png r,
 # file_inherit
 owner /dev/tty@{int} rw,
diff --git a/apparmor.d/profiles-g-l/i3lock-fancy b/apparmor.d/profiles-g-l/i3lock-fancy
index 1fdb6433..f0e0f35f 100644
--- a/apparmor.d/profiles-g-l/i3lock-fancy
+++ b/apparmor.d/profiles-g-l/i3lock-fancy
@@ -36,9 +36,9 @@ profile i3lock-fancy @{exec_path} {
 /usr/share/i3lock-fancy/{,*} r,
- owner /tmp/tmp.*.png rw,
- owner /tmp/tmp.* rw,
- owner /tmp/sh-thd.* rw,
+ owner @{tmp}/tmp.*.png rw,
+ owner @{tmp}/tmp.* rw,
+ owner @{tmp}/sh-thd.* rw,
 # file_inherit
 owner /dev/tty@{int} rw,
@@ -62,7 +62,7 @@ profile i3lock-fancy @{exec_path} {
 # For gray scale (doesn't seem to be required). It produces files like /home/*/PIHFhJ .
 deny owner @{HOME}/* rw,
- owner /tmp/tmp.*.png rw,
+ owner @{tmp}/tmp.*.png rw,
 # file_inherit
 owner /dev/tty@{int} rw,
diff --git a/apparmor.d/profiles-g-l/jdownloader b/apparmor.d/profiles-g-l/jdownloader
index fa98950e..e65add8e 100644
--- a/apparmor.d/profiles-g-l/jdownloader
+++ b/apparmor.d/profiles-g-l/jdownloader
@@ -61,16 +61,16 @@ profile jdownloader @{exec_path} {
 owner @{HOME}/.install4j rw,
- owner /tmp/hsperfdata_*/ rw,
- owner /tmp/hsperfdata_*/@{pid} rw,
+ owner @{tmp}/hsperfdata_*/ rw,
+ owner @{tmp}/hsperfdata_*/@{pid} rw,
 # If the @{JD_INSTALLDIR}/tmp/ dir can't be accessed, the /tmp/ dir will be used instead
- owner /tmp/SevenZipJBinding-*/ rw,
- owner /tmp/SevenZipJBinding-*/lib7-Zip-JBinding.so mrw,
+ owner @{tmp}/SevenZipJBinding-*/ rw,
+ owner @{tmp}/SevenZipJBinding-*/lib7-Zip-JBinding.so mrw,
 # For auto updates
- owner /tmp/lastChanceSrc@{int}lch rw,
- owner /tmp/lastChanceDst@{int}.jar rw,
- owner /tmp/i4j_log_jd2_@{int}.log rw,
- owner /tmp/install4jError@{int}.log rw,
+ owner @{tmp}/lastChanceSrc@{int}lch rw,
+ owner @{tmp}/lastChanceDst@{int}.jar rw,
+ owner @{tmp}/i4j_log_jd2_@{int}.log rw,
+ owner @{tmp}/install4jError@{int}.log rw,
 owner @{HOME}/.Xauthority r,
diff --git a/apparmor.d/profiles-g-l/jmtpfs b/apparmor.d/profiles-g-l/jmtpfs
index 68330c96..a90c7de8 100644
--- a/apparmor.d/profiles-g-l/jmtpfs
+++ b/apparmor.d/profiles-g-l/jmtpfs
@@ -18,8 +18,8 @@ profile jmtpfs @{exec_path} {
 @{bin}/fusermount{,3} rCx -> fusermount,
- owner /tmp/tmp* rw,
- owner /tmp/#@{int} rw,
+ owner @{tmp}/tmp* rw,
+ owner @{tmp}/#@{int} rw,
 # Mount points
 owner @{HOME}/*/ r,
diff --git a/apparmor.d/profiles-g-l/keepassxc b/apparmor.d/profiles-g-l/keepassxc
index f07cc0ad..ad6fe04a 100644
--- a/apparmor.d/profiles-g-l/keepassxc
+++ b/apparmor.d/profiles-g-l/keepassxc
@@ -68,14 +68,14 @@ profile keepassxc @{exec_path} {
 owner @{user_share_dirs}/keepassxc/ rw,
 owner @{user_share_dirs}/keepassxc/* rwkl -> @{user_share_dirs}/keepassxc/#@{int},
- owner /tmp/.[a-zA-Z]*/{,s} rw,
- owner /tmp/*.*.gpgkey rwl -> /tmp/#@{int},
- owner /tmp/*.*.settings rwl -> /tmp/#@{int},
- owner /tmp/#@{int} rw,
- owner /tmp/keepassxc-*.lock{,.rmlock} rwk,
- owner /tmp/keepassxc-*.socket rw,
- owner /tmp/keepassxc.lock rw,
- owner /tmp/keepassxc.socket rw,
+ owner @{tmp}/.[a-zA-Z]*/{,s} rw,
+ owner @{tmp}/*.*.gpgkey rwl -> /tmp/#@{int},
+ owner @{tmp}/*.*.settings rwl -> /tmp/#@{int},
+ owner @{tmp}/#@{int} rw,
+ owner @{tmp}/keepassxc-*.lock{,.rmlock} rwk,
+ owner @{tmp}/keepassxc-*.socket rw,
+ owner @{tmp}/keepassxc.lock rw,
+ owner @{tmp}/keepassxc.socket rw,
 owner @{run}/user/@{pid}/app/ w,
 owner @{run}/user/@{pid}/app/org.keepassxc.KeePassXC/{,**} rw,
diff --git a/apparmor.d/profiles-g-l/kernel-install b/apparmor.d/profiles-g-l/kernel-install
index ca70784b..e7e8cc8f 100644
--- a/apparmor.d/profiles-g-l/kernel-install
+++ b/apparmor.d/profiles-g-l/kernel-install
@@ -33,7 +33,7 @@ profile kernel-install @{exec_path} {
 /etc/kernel/install.d/ r,
 /etc/kernel/install.d/*.install rix,
- owner /tmp/sh-thd.* rw,
+ owner @{tmp}/sh-thd.* rw,
 owner /boot/{vmlinuz,initrd.img}-* r,
 owner /boot/[a-f0-9]*/*/ rw,
diff --git a/apparmor.d/profiles-g-l/kmod b/apparmor.d/profiles-g-l/kmod
index 5872ac5d..0ae2ba62 100644
--- a/apparmor.d/profiles-g-l/kmod
+++ b/apparmor.d/profiles-g-l/kmod
@@ -47,11 +47,11 @@ profile kmod @{exec_path} flags=(attach_disconnected) {
 owner /var/tmp/dracut.*/{,**} rw,
 owner /boot/System.map-* r,
- owner /tmp/mkinitcpio.*/{,**} rw,
+ owner @{tmp}/mkinitcpio.*/{,**} rw,
 # For local kernel build
- owner /tmp/depmod.*/lib/modules/*/ r,
- owner /tmp/depmod.*/lib/modules/*/modules.* rw,
+ owner @{tmp}/depmod.*/lib/modules/*/ r,
+ owner @{tmp}/depmod.*/lib/modules/*/modules.* rw,
 owner @{user_build_dirs}/**/System.map r,
 owner @{user_build_dirs}/**/lib/modules/*/ r,
 owner @{user_build_dirs}/**/lib/modules/*/modules.* rw,
diff --git a/apparmor.d/profiles-g-l/linssid b/apparmor.d/profiles-g-l/linssid
index 047faa5a..384fda9e 100644
--- a/apparmor.d/profiles-g-l/linssid
+++ b/apparmor.d/profiles-g-l/linssid
@@ -62,8 +62,8 @@ profile linssid @{exec_path} {
 owner @{PROC}/@{pid}/net/wireless r,
 owner @{PROC}/@{pid}/cmdline r,
- owner /tmp/runtime-root/ rw,
- owner /tmp/linssid_* rw,
+ owner @{tmp}/runtime-root/ rw,
+ owner @{tmp}/linssid_* rw,
 /var/lib/dbus/machine-id r,
 /etc/machine-id r,
@@ -88,7 +88,7 @@ profile linssid @{exec_path} {
 # file_inherit
 owner @{HOME}/.linssid.prefs rw,
 owner @{HOME}/LinSSID.datalog rw,
- owner /tmp/linssid_* rw,
+ owner @{tmp}/linssid_* rw,
 owner /dev/dri/card@{int} rw,
 }
diff --git a/apparmor.d/profiles-g-l/linux-check-removal b/apparmor.d/profiles-g-l/linux-check-removal
index 5640cb43..a6fd4d8e 100644
--- a/apparmor.d/profiles-g-l/linux-check-removal
+++ b/apparmor.d/profiles-g-l/linux-check-removal
@@ -38,7 +38,7 @@ profile linux-check-removal @{exec_path} flags=(complain) {
 # The following is needed when debconf uses dialog/whiptail frontend.
 @{bin}/whiptail rPx,
- owner /tmp/file* w,
+ owner @{tmp}/file* w,
 /usr/share/debconf/confmodule r,
diff --git a/apparmor.d/profiles-g-l/lynx b/apparmor.d/profiles-g-l/lynx
index 6026b822..a9b3691d 100644
--- a/apparmor.d/profiles-g-l/lynx
+++ b/apparmor.d/profiles-g-l/lynx
@@ -30,8 +30,8 @@ profile lynx @{exec_path} {
 @{sh_path} rix,
 /etc/mailcap r,
- owner /tmp/lynxXXXX*/ rw,
- owner /tmp/lynxXXXX*/*TMP.html{,.gz} rw,
+ owner @{tmp}/lynxXXXX*/ rw,
+ owner @{tmp}/lynxXXXX*/*TMP.html{,.gz} rw,
 owner @{HOME}/ r,
diff --git a/apparmor.d/profiles-m-r/man b/apparmor.d/profiles-m-r/man
index e2f048bd..c85b5e1d 100644
--- a/apparmor.d/profiles-m-r/man
+++ b/apparmor.d/profiles-m-r/man
@@ -80,7 +80,7 @@ profile man_groff {
 /etc/papersize r,
 /tmp/groff* rw,
- owner /tmp/* rw,
+ owner @{tmp}/* rw,
 include if exists
 }
diff --git a/apparmor.d/profiles-m-r/merkaartor b/apparmor.d/profiles-m-r/merkaartor
index 52bceb44..6cd06a01 100644
--- a/apparmor.d/profiles-m-r/merkaartor
+++ b/apparmor.d/profiles-m-r/merkaartor
@@ -49,8 +49,8 @@ profile merkaartor @{exec_path} {
 deny owner @{PROC}/@{pid}/cmdline r,
- owner /tmp/qtsingleapp-merkaa-* rw,
- owner /tmp/qtsingleapp-merkaa-*-lockfile rwk,
+ owner @{tmp}/qtsingleapp-merkaa-* rw,
+ owner @{tmp}/qtsingleapp-merkaa-*-lockfile rwk,
 @{sys}/devices/system/node/ r,
 @{sys}/devices/system/node/node@{int}/meminfo r,
diff --git a/apparmor.d/profiles-m-r/minitube b/apparmor.d/profiles-m-r/minitube
index 1c6bc72a..62fd0ab9 100644
--- a/apparmor.d/profiles-m-r/minitube
+++ b/apparmor.d/profiles-m-r/minitube
@@ -50,8 +50,8 @@ profile minitube @{exec_path} {
 # If one is blocked, the others are probed.
 deny owner @{HOME}/#@{int} mrw,
 owner @{HOME}/.glvnd* mrw,
- # owner /tmp/#@{int} mrw,
- # owner /tmp/.glvnd* mrw,
+ # owner @{tmp}/#@{int} mrw,
+ # owner @{tmp}/.glvnd* mrw,
 # Cache
 owner @{user_cache_dirs}/ rw,
@@ -74,8 +74,8 @@ profile minitube @{exec_path} {
 /usr/share/hwdata/pnp.ids r,
 # TMP
- owner /tmp/qtsingleapp-minitu-* rw,
- owner /tmp/qtsingleapp-minitu-*-lockfile rwk,
+ owner @{tmp}/qtsingleapp-minitu-* rw,
+ owner @{tmp}/qtsingleapp-minitu-*-lockfile rwk,
 @{bin}/xdg-open rCx -> open,
diff --git a/apparmor.d/profiles-m-r/mkvmerge b/apparmor.d/profiles-m-r/mkvmerge
index 61538790..7350d7b7 100644
--- a/apparmor.d/profiles-m-r/mkvmerge
+++ b/apparmor.d/profiles-m-r/mkvmerge
@@ -19,8 +19,8 @@ profile mkvmerge @{exec_path} {
 owner @{user_music_dirs}/** rw,
 owner @{user_videos_dirs}/** rw,
- owner /tmp/MKVToolNix-process-*.json r,
- owner /tmp/MKVToolNix-GUI-MuxJob-*.json r,
+ owner @{tmp}/MKVToolNix-process-*.json r,
+ owner @{tmp}/MKVToolNix-GUI-MuxJob-*.json r,
 # file_inherit
 /dev/dri/card@{int} rw,
diff --git a/apparmor.d/profiles-m-r/mkvtoolnix-gui b/apparmor.d/profiles-m-r/mkvtoolnix-gui
index ee2c4155..63a978ba 100644
--- a/apparmor.d/profiles-m-r/mkvtoolnix-gui
+++ b/apparmor.d/profiles-m-r/mkvtoolnix-gui
@@ -50,11 +50,11 @@ profile mkvtoolnix-gui @{exec_path} {
 owner @{user_cache_dirs}/bunkus.org/mkvtoolnix-gui/**/ rw,
 owner @{user_cache_dirs}/bunkus.org/mkvtoolnix-gui/**/@{hex} rw,
- owner /tmp/#@{int} rw,
- owner /tmp/MKVToolNix-GUI-MuxConfig-* rwl -> /tmp/#@{int},
- owner /tmp/MKVToolNix-process-*.json rwl -> /tmp/#@{int},
- owner /tmp/MKVToolNix-GUI-MuxJob-*.json rwl -> /tmp/#@{int},
- owner /tmp/MKVToolNix-GUI-Instance-Communicator-* rw,
+ owner @{tmp}/#@{int} rw,
+ owner @{tmp}/MKVToolNix-GUI-MuxConfig-* rwl -> /tmp/#@{int},
+ owner @{tmp}/MKVToolNix-process-*.json rwl -> /tmp/#@{int},
+ owner @{tmp}/MKVToolNix-GUI-MuxJob-*.json rwl -> /tmp/#@{int},
+ owner @{tmp}/MKVToolNix-GUI-Instance-Communicator-* rw,
 owner /dev/shm/#@{int} rw,
 deny owner @{PROC}/@{pid}/cmdline r,
diff --git a/apparmor.d/profiles-m-r/modprobed-db b/apparmor.d/profiles-m-r/modprobed-db
index c7057aa4..9e84ee50 100644
--- a/apparmor.d/profiles-m-r/modprobed-db
+++ b/apparmor.d/profiles-m-r/modprobed-db
@@ -33,8 +33,8 @@ profile modprobed-db @{exec_path} {
 owner @{user_config_dirs}/modprobed-db.conf r,
 owner @{user_config_dirs}/modprobed.db rw,
- owner /tmp/.inmem rw,
- owner /tmp/.potential_new_db rw,
+ owner @{tmp}/.inmem rw,
+ owner @{tmp}/.potential_new_db rw,
 @{PROC}/modules r,
 owner @{PROC}/@{pid}/loginuid r,
diff --git a/apparmor.d/profiles-m-r/mono-sgen b/apparmor.d/profiles-m-r/mono-sgen
index 09ae2bcf..72891c7b 100644
--- a/apparmor.d/profiles-m-r/mono-sgen
+++ b/apparmor.d/profiles-m-r/mono-sgen
@@ -36,8 +36,8 @@ profile mono-sgen @{exec_path} {
 owner @{user_config_dirs}/openra/{,**} rw,
 owner @{user_config_dirs}/.mono/{,**} r,
- owner /tmp/*.* rw,
- owner /tmp/CASESENSITIVETEST* rw,
+ owner @{tmp}/*.* rw,
+ owner @{tmp}/CASESENSITIVETEST* rw,
 owner /dev/shm/mono.* rw,
 owner @{PROC}/@{pid}/fd/ r,
diff --git a/apparmor.d/profiles-m-r/mpsyt b/apparmor.d/profiles-m-r/mpsyt
index a4aaf531..71f1e4cf 100644
--- a/apparmor.d/profiles-m-r/mpsyt
+++ b/apparmor.d/profiles-m-r/mpsyt
@@ -52,9 +52,9 @@ profile mpsyt @{exec_path} {
 owner @{PROC}/@{pid}/mounts r,
 /tmp/ r,
- owner /tmp/[a-z0-9]* rw,
- owner /t
mp/mpsyt-input* rw,
- owner /tmp/mpsyt-mpv*.sock rw,
+ owner @{tmp}/[a-z0-9]* rw,
+ owner @{tmp}/mpsyt-input* rw,
+ owner @{tmp}/mpsyt-mpv*.sock rw,
 include if exists
 }
diff --git a/apparmor.d/profiles-m-r/mpv b/apparmor.d/profiles-m-r/mpv
index 8f667bb2..058135e8 100644
--- a/apparmor.d/profiles-m-r/mpv
+++ b/apparmor.d/profiles-m-r/mpv
@@ -53,11 +53,11 @@ profile mpv @{exec_path} {
 owner @{user_config_dirs}/mpv/{,**} rw,
 /tmp/ r,
- owner /tmp/mpsyt-input* rw,
- owner /tmp/mpsyt-mpv*.sock rw,
- owner /tmp/smplayer-mpv-* rw,
- owner /tmp/smplayer_preview/@{int}.{jpg,png} w,
- owner /tmp/smplayer_screenshots/cap_*.{jpg,png} w,
+ owner @{tmp}/mpsyt-input* rw,
+ owner @{tmp}/mpsyt-mpv*.sock rw,
+ owner @{tmp}/smplayer-mpv-* rw,
+ owner @{tmp}/smplayer_preview/@{int}.{jpg,png} w,
+ owner @{tmp}/smplayer_screenshots/cap_*.{jpg,png} w,
 owner @{run}/user/@{uid}/gvfs/smb-share:server=*,share=**/ r,
 owner @{run}/user/@{uid}/gvfs/smb-share:server=*,share=** r,
diff --git a/apparmor.d/profiles-m-r/nmap b/apparmor.d/profiles-m-r/nmap
index 8366426b..4a40f418 100644
--- a/apparmor.d/profiles-m-r/nmap
+++ b/apparmor.d/profiles-m-r/nmap
@@ -31,8 +31,8 @@ profile nmap @{exec_path} {
 /usr/share/nmap/** r,
- owner /tmp/zenmap-stdout-* rw,
- owner /tmp/zenmap-*.xml rw,
+ owner @{tmp}/zenmap-stdout-* rw,
+ owner @{tmp}/zenmap-*.xml rw,
 owner @{PROC}/@{pid}/net/dev r,
 owner @{PROC}/@{pid}/net/if_inet6 r,
diff --git a/apparmor.d/profiles-m-r/ntfsdecrypt b/apparmor.d/profiles-m-r/ntfsdecrypt
index 7402c6e4..4a9e437b 100644
--- a/apparmor.d/profiles-m-r/ntfsdecrypt
+++ b/apparmor.d/profiles-m-r/ntfsdecrypt
@@ -17,7 +17,7 @@ profile ntfsdecrypt @{exec_path} {
 @{exec_path} mr,
 # Common locations of the key
- owner /tmp/*.key r,
+ owner @{tmp}/*.key r,
 owner @{HOME}/*.key r,
 include if exists
diff --git a/apparmor.d/profiles-m-r/ntfsundelete b/apparmor.d/profiles-m-r/ntfsundelete
index c1db1526..5b066d3f 100644
--- a/apparmor.d/profiles-m-r/ntfsundelete
+++ b/apparmor.d/profiles-m-r/ntfsundelete
@@ -19,8 +19,8 @@ profile ntfsundelete @{exec_path} {
 owner @{PROC}/@{pid}/mounts r,
 # The recovery dir
- owner /tmp/ntfs-recovery/ r,
- owner /tmp/ntfs-recovery/* rw,
+ owner @{tmp}/ntfs-recovery/ r,
+ owner @{tmp}/ntfs-recovery/* rw,
 include if exists
 }
diff --git a/apparmor.d/profiles-m-r/ntfsusermap b/apparmor.d/profiles-m-r/ntfsusermap
index b5ff0b05..056207cc 100644
--- a/apparmor.d/profiles-m-r/ntfsusermap
+++ b/apparmor.d/profiles-m-r/ntfsusermap
@@ -21,7 +21,7 @@ profile ntfsusermap @{exec_path} {
 # Where to save the UserMapping file
 owner /root/UserMapping w,
- owner /tmp/UserMapping w,
+ owner @{tmp}/UserMapping w,
 include if exists
 }
diff --git a/apparmor.d/profiles-m-r/os-prober b/apparmor.d/profiles-m-r/os-prober
index c0bb8b6a..5333bc94 100644
--- a/apparmor.d/profiles-m-r/os-prober
+++ b/apparmor.d/profiles-m-r/os-prober
@@ -61,7 +61,7 @@ profile os-prober @{exec_path} flags=(attach_disconnected) {
 /boot/{efi/,}EFI/ r,
 /boot/{efi/,}EFI/*/ r,
- owner /tmp/os-prober.*/{,**} rw,
+ owner @{tmp}/os-prober.*/{,**} rw,
 @{sys}/block/ r,
 @{sys}/devices/@{pci}/block/*/ r,
diff --git a/apparmor.d/profiles-m-r/packagekitd b/apparmor.d/profiles-m-r/packagekitd
index b769ecbb..972d4526 100644
--- a/apparmor.d/profiles-m-r/packagekitd
+++ b/apparmor.d/profiles-m-r/packagekitd
@@ -89,9 +89,9 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) {
 /tmp/apt-changelog-@{rand6}/ w,
 /tmp/apt-changelog-@{rand6}/*.changelog rw,
- owner /tmp/alpm_*/{,**} rw,
- owner /tmp/apt-changelog-@{rand6}/.apt-acquire-privs-test.@{rand6} rw,
- owner /tmp/packagekit* rw,
+ owner @{tmp}/alpm_*/{,**} rw,
+ owner @{tmp}/apt-changelog-@{rand6}/.apt-acquire-privs-test.@{rand6} rw,
+ owner @{tmp}/packagekit* rw,
 @{run}/systemd/inhibit/*.ref rw,
 owner @{run}/systemd/users/@{uid} r,
diff --git a/apparmor.d/profiles-m-r/pam-tmpdir-helper b/apparmor.d/profiles-m-r/pam-tmpdir-helper
index 436cdc71..5ca95200 100644
--- a/apparmor.d/profiles-m-r/pam-tmpdir-helper
+++ b/apparmor.d/profiles-m-r/pam-tmpdir-helper
@@ -15,8 +15,8 @@ profile pam-tmpdir-helper @{exec_path} {
 @{exec_path} mr,
- owner /tmp/user/ rw,
- owner /tmp/user/@{uid}/ rw,
+ owner @{tmp}/user/ rw,
+ owner @{tmp}/ rw,
 /dev/ptmx rw,
diff --git a/apparmor.d/profiles-m-r/pass b/apparmor.d/profiles-m-r/pass
index 4e19b6ad..342fe1b5 100644
--- a/apparmor.d/profiles-m-r/pass
+++ b/apparmor.d/profiles-m-r/pass
@@ -124,7 +124,7 @@ profile pass @{exec_path} {
 owner @{user_password_store_dirs}/ rw,
 owner @{user_password_store_dirs}/** rwkl -> @{HOME}/.password-store/**,
- owner /tmp/.git_vtag_tmp@{rand6} rw, # For git log --show-signature
+ owner @{tmp}/.git_vtag_tmp@{rand6} rw, # For git log --show-signature
 owner /dev/shm/pass.*/.git_vtag_tmp@{rand6} rw,
 include if exists
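Review bot: In the pam-tmpdir-helper hunk `owner /tmp/user/@{uid}/ rw,` becomes `owner @{tmp}/ rw,`, which is wider than the rule it replaces whenever `@{tmp}` also expands to plain `/tmp` (this hunk substitutes it for `/tmp/user/@{uid}/` while every other hunk substitutes it for `/tmp/`, so it presumably covers both): the helper then gains write access on the top-level temporary directory itself, and `owner` does not narrow that if the helper runs as root. The companion line `owner @{tmp}/user/ rw,` also reads oddly, since for the per-user value it would expand to `/tmp/user/@{uid}/user/`. Because this profile is the one that creates the per-user directory the variable describes, keeping the literal paths here is clearer: `owner /tmp/user/ rw,` and `owner /tmp/user/@{uid}/ rw,`. If the variable is intentional, a comment such as `# @{tmp} on purpose: the helper must be able to create every directory it can expand to` would record the choice for the next reader.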
@@ -146,7 +146,7 @@ profile pass @{exec_path} {
 owner @{user_password_store_dirs}/ rw,
 owner @{user_password_store_dirs}/** rwkl -> @{HOME}/.password-store/**,
 owner /dev/shm/pass.*/{,*} rw,
- owner /tmp/.git_vtag_tmp@{rand6} rw, # For git log --show-signature
+ owner @{tmp}/.git_vtag_tmp@{rand6} rw, # For git log --show-signature
 owner /dev/pts/@{int} rw,
diff --git a/apparmor.d/profiles-m-r/pass-import b/apparmor.d/profiles-m-r/pass-import
index f14cf3a1..d2ad4fd9 100644
--- a/apparmor.d/profiles-m-r/pass-import
+++ b/apparmor.d/profiles-m-r/pass-import
@@ -33,7 +33,7 @@ profile pass-import @{exec_path} {
 owner @{user_password_store_dirs}/{,**} rw,
- owner /tmp/[a-zA-Z0-9]* rw,
+ owner @{tmp}/[a-zA-Z0-9]* rw,
 @{PROC}/@{pids}/fd/ r,
diff --git a/apparmor.d/profiles-m-r/pinentry-qt b/apparmor.d/profiles-m-r/pinentry-qt
index eecb1364..ae157744 100644
--- a/apparmor.d/profiles-m-r/pinentry-qt
+++ b/apparmor.d/profiles-m-r/pinentry-qt
@@ -38,7 +38,7 @@ profile pinentry-qt @{exec_path} {
 owner @{user_config_dirs}/kdeglobals r,
 owner @{user_config_dirs}/kwinrc r,
- owner /tmp/xauth_@{rand6} r,
+ owner @{tmp}/xauth_@{rand6} r,
 owner /dev/shm/#@{int} rw,
 @{sys}/devices/system/node/ r,
diff --git a/apparmor.d/profiles-m-r/popularity-contest b/apparmor.d/profiles-m-r/popularity-contest
index 5035c872..702ccbcd 100644
--- a/apparmor.d/profiles-m-r/popularity-contest
+++ b/apparmor.d/profiles-m-r/popularity-contest
@@ -45,7 +45,7 @@ profile popularity-contest @{exec_path} {
 /var/log/popularity-contest.[0-9]* w,
 /var/log/popularity-contest.new w,
- owner /tmp/#@{int} rw,
+ owner @{tmp}/#@{int} rw,
 @{PROC}/ r,
diff --git a/apparmor.d/profiles-m-r/psi b/apparmor.d/profiles-m-r/psi
index 7e21a206..745f1f39 100644
--- a/apparmor.d/profiles-m-r/psi
+++ b/apparmor.d/profiles-m-r/psi
@@ -63,8 +63,8 @@ profile psi @{exec_path} {
 owner @{user_share_dirs}/psi/ rw,
 owner @{user_share_dirs}/psi/** rwk,
- owner /tmp/#@{int} rw,
- owner /tmp/Psi.* rwl -> /tmp/#@{int},
+ owner @{tmp}/#@{int} rw,
+ owner @{tmp}/Psi.* rwl -> /tmp/#@{int},
 @{run}/systemd/inhibit/[0-9]*.ref rw,
diff --git a/apparmor.d/profiles-m-r/psi-plus b/apparmor.d/profiles-m-r/psi-plus
index d28dc19c..2b619815 100644
--- a/apparmor.d/profiles-m-r/psi-plus
+++ b/apparmor.d/profiles-m-r/psi-plus
@@ -61,8 +61,8 @@ profile psi-plus @{exec_path} {
 owner @{user_share_dirs}/psi+/ rw,
 owner @{user_share_dirs}/psi+/** rwk,
- owner /tmp/#@{int} rw,
- owner /tmp/Psi+.* rwl -> /tmp/#@{int},
+ owner @{tmp}/#@{int} rw,
+ owner @{tmp}/Psi+.* rwl -> /tmp/#@{int},
 owner /var/tmp/etilqs_@{hex} rw,
 @{run}/systemd/inhibit/[0-9]*.ref rw,
diff --git a/apparmor.d/profiles-m-r/qbittorrent b/apparmor.d/profiles-m-r/qbittorrent
index f8160340..e1eb03dd 100644
--- a/apparmor.d/profiles-m-r/qbittorrent
+++ b/apparmor.d/profiles-m-r/qbittorrent
@@ -100,16 +100,14 @@ profile qbittorrent @{exec_path} {
 owner @{user_torrents_dirs}/** rw,
 owner /dev/shm/#@{int} rw,
- owner /tmp/.*/{,s} rw,
- owner /tmp/.qBittorrent/ rw,
- owner /tmp/.qBittorrent/* rwl -> /tmp/.qBittorrent/*,
- owner /tmp/*.torrent rw,
- owner /tmp/mozilla_*/*.torrent rw,
- owner /tmp/qtsingleapp-qBitto-* rw,
- owner /tmp/qtsingleapp-qBitto-*-lockfile rwk,
- owner /tmp/tmp* rw,
- owner /tmp/user/@{uid}/.qBittorrent/ rw,
- owner /tmp/user/@{uid}/.qBittorrent/** rw,
+ owner @{tmp}/.*/{,s} rw,
+ owner @{tmp}/.qBittorrent/ rw,
+ owner @{tmp}/.qBittorrent/* rwl -> /tmp/.qBittorrent/*,
+ owner @{tmp}/*.torrent rw,
+ owner @{tmp}/mozilla_*/*.torrent rw,
+ owner @{tmp}/qtsingleapp-qBitto-* rw,
+ owner @{tmp}/qtsingleapp-qBitto-*-lockfile rwk,
+ owner @{tmp}/tmp* rw,
 owner @{PROC}/@{pids}/cmdline r,
 owner @{PROC}/@{pids}/comm r,
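Review bot: In the psi hunk the link source moved to `@{tmp}` but the link target is still the literal `/tmp/#@{int}`, so `owner @{tmp}/Psi.* rwl -> /tmp/#@{int},` only permits the link when @{tmp} happens to expand to /tmp; with any other definition of the variable the rule silently stops matching and the link is denied, which is exactly the case the new variable is meant to support. The target should use the same variable as the source, `owner @{tmp}/Psi.* rwl -> @{tmp}/#@{int},`. The same source/target mismatch is present in the psi-plus, qbittorrent, qbittorrent-nox, qnapi, qpdfview, strawberry, unmkinitramfs, vidcutter and xauth hunks, where every `rwl ->`/`wl ->` target still names /tmp directly.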
@@ -142,8 +140,8 @@ profile qbittorrent @{exec_path} {
 owner /dev/shm/sem.mp-???????? rwl -> /dev/shm/@{int}, # unconventional '_' tail
 owner /dev/shm/* rw,
- owner /tmp/@{int} rw,
- owner /tmp/tmp* rw,
+ owner @{tmp}/@{int} rw,
+ owner @{tmp}/tmp* rw,
 deny /dev/dri/card@{int} rw,
diff --git a/apparmor.d/profiles-m-r/qbittorrent-nox b/apparmor.d/profiles-m-r/qbittorrent-nox
index 7d820645..463715e1 100644
--- a/apparmor.d/profiles-m-r/qbittorrent-nox
+++ b/apparmor.d/profiles-m-r/qbittorrent-nox
@@ -57,13 +57,13 @@ profile qbittorrent-nox @{exec_path} {
 owner @{user_share_dirs}/mime/types r,
 # TMP
- owner /tmp/qtsingleapp-qBitto-* rw,
- owner /tmp/qtsingleapp-qBitto-*-lockfile rwk,
- owner /tmp/.qBittorrent/ rw,
- owner /tmp/.qBittorrent/* rwl -> /tmp/.qBittorrent/*,
- owner /tmp/mozilla_*/*.torrent rw,
- owner /tmp/*.torrent rw,
- owner /tmp/.*/{,s} rw,
+ owner @{tmp}/qtsingleapp-qBitto-* rw,
+ owner @{tmp}/qtsingleapp-qBitto-*-lockfile rwk,
+ owner @{tmp}/.qBittorrent/ rw,
+ owner @{tmp}/.qBittorrent/* rwl -> /tmp/.qBittorrent/*,
+ owner @{tmp}/mozilla_*/*.torrent rw,
+ owner @{tmp}/*.torrent rw,
+ owner @{tmp}/.*/{,s} rw,
 include if exists
 }
diff --git a/apparmor.d/profiles-m-r/qnapi b/apparmor.d/profiles-m-r/qnapi
index 8905cd5d..61d6276b 100644
--- a/apparmor.d/profiles-m-r/qnapi
+++ b/apparmor.d/profiles-m-r/qnapi
@@ -63,15 +63,15 @@ profile qnapi @{exec_path} {
 owner @{user_cache_dirs}/ rw,
 /tmp/ r,
- owner /tmp/@{hex}.* rw,
- owner /tmp/** rw,
- owner /tmp/#@{int} rw,
- owner /tmp/QNapi-*-rc wl -> /tmp/#@{int},
- owner /tmp/QNapi-*-rc.lock rwk,
- owner /tmp/QNapi.@{int}.tmp rw,
- owner /tmp/QNapi.@{int}.tmp.* rw,
- owner /tmp/QNapi.@{int}.tmp.* rwl -> /tmp/#@{int},
- owner /tmp/QNapi.@{int} rw,
+ owner @{tmp}/@{hex}.* rw,
+ owner @{tmp}/** rw,
+ owner @{tmp}/#@{int} rw,
+ owner @{tmp}/QNapi-*-rc wl -> /tmp/#@{int},
+ owner @{tmp}/QNapi-*-rc.lock rwk,
+ owner @{tmp}/QNapi.@{int}.tmp rw,
+ owner @{tmp}/QNapi.@{int}.tmp.* rw,
+ owner @{tmp}/QNapi.@{int}.tmp.* rwl -> /tmp/#@{int},
+ owner @{tmp}/QNapi.@{int} rw,
 owner /dev/shm/#@{int} rw,
diff --git a/apparmor.d/profiles-m-r/qpdfview b/apparmor.d/profiles-m-r/qpdfview
index 28ec6f84..fca31ff6 100644
--- a/apparmor.d/profiles-m-r/qpdfview
+++ b/apparmor.d/profiles-m-r/qpdfview
@@ -56,9 +56,9 @@ profile qpdfview @{exec_path} {
 owner @{user_share_dirs}/qpdfview/** rwk,
 owner /dev/shm/#@{int} rw,
- owner /tmp/@{hex} rw,
- owner /tmp/#@{int} rw,
- owner /tmp/qpdfview.*.pdf rwl -> /tmp/#@{int},
+ owner @{tmp}/@{hex} rw,
+ owner @{tmp}/#@{int} rw,
+ owner @{tmp}/qpdfview.*.pdf rwl -> /tmp/#@{int},
 owner @{PROC}/@{pid}/mountinfo r,
 owner @{PROC}/@{pid}/mounts r,
diff --git a/apparmor.d/profiles-m-r/qtox b/apparmor.d/profiles-m-r/qtox
index 8b243e8f..a6013640 100644
--- a/apparmor.d/profiles-m-r/qtox
+++ b/apparmor.d/profiles-m-r/qtox
@@ -52,7 +52,7 @@ profile qtox @{exec_path} {
 owner @{PROC}/@{pid}/cmdline r,
 @{PROC}/sys/kernel/core_pattern r, # for KCrash::initialize()
- owner /tmp/qipc_{systemsem,sharedmemory}_*@{hex} rw,
+ owner @{tmp}/qipc_{systemsem,sharedmemory}_*@{hex} rw,
 /dev/ r,
 /dev/video@{int} rw,
diff --git a/apparmor.d/profiles-m-r/quiterss b/apparmor.d/profiles-m-r/quiterss
index c1d7944c..a0463bb9 100644
--- a/apparmor.d/profiles-m-r/quiterss
+++ b/apparmor.d/profiles-m-r/quiterss
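Review bot: In the qnapi hunk the directory-read rule `/tmp/ r,` stays on the literal path while every file rule beneath it moves to `@{tmp}`, so if @{tmp} is ever defined as something other than /tmp the profile can open files in the new directory but cannot list it. The commit message says the variable is only applied to owner rules, so this looks deliberate, but the reason is not visible in the profile; a one-line comment next to the rule, e.g. `# directory listing intentionally stays on /tmp; @{tmp} is only used in owner rules`, would keep a later edit from "fixing" it inconsistently. The same split between a literal `/tmp/ r,` and `@{tmp}` file rules appears in the spectre-meltdown-checker, startx, thunderbird, unmkinitramfs, update-ca-certificates and xarchiver hunks.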
@@ -61,8 +61,8 @@ profile quiterss @{exec_path} {
 /dev/shm/#@{int} rw,
- owner /tmp/qtsingleapp-quiter-@{int}-@{int} rw,
- owner /tmp/qtsingleapp-quiter-@{int}-@{int}-lockfile rwk,
+ owner @{tmp}/qtsingleapp-quiter-@{int}-@{int} rw,
+ owner @{tmp}/qtsingleapp-quiter-@{int}-@{int}-lockfile rwk,
 owner /var/tmp/etilqs_@{hex} rw,
 # Allowed apps to open
diff --git a/apparmor.d/profiles-m-r/repo b/apparmor.d/profiles-m-r/repo
index 38a3c0f6..56f1152e 100644
--- a/apparmor.d/profiles-m-r/repo
+++ b/apparmor.d/profiles-m-r/repo
@@ -50,8 +50,8 @@ profile repo @{exec_path} {
 /usr/share/git-core/{,**} r,
- owner /tmp/.git_vtag_tmp@{rand6} rw,
- owner /tmp/ssh-*/ rw,
+ owner @{tmp}/.git_vtag_tmp@{rand6} rw,
+ owner @{tmp}/ssh-*/ rw,
 owner @{PROC}/@{pid}/fd/ r,
 owner @{PROC}/@{pid}/mounts r,
@@ -80,7 +80,7 @@ profile repo @{exec_path} {
 owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**,
 owner @{HOME}/.repoconfig/gnupg/** rwkl -> @{HOME}/.repoconfig/gnupg/**,
- owner /tmp/.git_vtag_tmp@{rand6} r,
+ owner @{tmp}/.git_vtag_tmp@{rand6} r,
 }
diff --git a/apparmor.d/profiles-m-r/run-parts b/apparmor.d/profiles-m-r/run-parts
index 4cd81889..726f6f64 100644
--- a/apparmor.d/profiles-m-r/run-parts
+++ b/apparmor.d/profiles-m-r/run-parts
@@ -135,9 +135,9 @@ profile run-parts @{exec_path} {
 /usr/share/landscape/landscape-sysinfo.wrapper rPUx,
- owner /tmp/#@{int} rw,
- owner /tmp/$anacron* rw,
- owner /tmp/file@{rand6} ra,
+ owner @{tmp}/#@{int} rw,
+ owner @{tmp}/$anacron* rw,
+ owner @{tmp}/file@{rand6} ra,
 owner @{sys}/class/power_supply/ r,
diff --git a/apparmor.d/profiles-m-r/runuser b/apparmor.d/profiles-m-r/runuser
index 7d3b1ae4..590ed971 100644
--- a/apparmor.d/profiles-m-r/runuser
+++ b/apparmor.d/profiles-m-r/runuser
@@ -45,7 +45,7 @@ profile runuser @{exec_path} {
 /etc/default/runuser r,
 # file_inherit
- owner /tmp/debian-security-support.postinst.*/output w,
+ owner @{tmp}/debian-security-support.postinst.*/output w,
 include if exists
 }
diff --git a/apparmor.d/profiles-s-z/YACReaderLibrary b/apparmor.d/profiles-s-z/YACReaderLibrary
index b82576a1..50e5ae8c 100644
--- a/apparmor.d/profiles-s-z/YACReaderLibrary
+++ b/apparmor.d/profiles-s-z/YACReaderLibrary
@@ -41,7 +41,7 @@ profile YACReaderLibrary @{exec_path} flags=(attach_disconnected,mediate_deleted
 owner @{user_share_dirs}/YACReader/YACReaderLibrary/ rw,
 owner @{user_share_dirs}/YACReader/YACReaderLibrary/** rwlk,
- owner /tmp/@{uuid} w,
+ owner @{tmp}/@{uuid} w,
 owner @{PROC}/@{pid}/cmdline r,
diff --git a/apparmor.d/profiles-s-z/s3fs b/apparmor.d/profiles-s-z/s3fs
index 721a1b46..1bc9288d 100644
--- a/apparmor.d/profiles-s-z/s3fs
+++ b/apparmor.d/profiles-s-z/s3fs
@@ -32,7 +32,7 @@ profile s3fs @{exec_path} {
 owner @{MOUNTS}/ r,
 owner @{MOUNTS}/*/ r,
- owner /tmp/* rw,
+ owner @{tmp}/* rw,
 /dev/fuse rw,
@@ -59,7 +59,7 @@ profile s3fs @{exec_path} {
 @{MOUNTS}/ r,
 @{MOUNTS}/*/ r,
- owner /tmp/s3fstmp.* rw,
+ owner @{tmp}/s3fstmp.* rw,
 @{PROC}/@{pids}/mounts r,
diff --git a/apparmor.d/profiles-s-z/sanoid b/apparmor.d/profiles-s-z/sanoid
index 0be658dd..f0b8426c 100644
--- a/apparmor.d/profiles-s-z/sanoid
+++ b/apparmor.d/profiles-s-z/sanoid
@@ -27,7 +27,7 @@ profile sanoid @{exec_path} flags=(complain) {
 @{run}/sanoid/sanoid_cacheupdate.lock rwk,
 @{run}/sanoid/sanoid_pruning.lock rwk,
- owner /tmp/** rw,
+ owner @{tmp}/** rw,
 include if exists
 }
diff --git a/apparmor.d/profiles-s-z/smplayer b/apparmor.d/profiles-s-z/smplayer
index 6b785ebe..3751c4ab 100644
--- a/apparmor.d/profiles-s-z/smplayer
+++ b/apparmor.d/profiles-s-z/smplayer
@@ -64,11 +64,11 @@ profile smplayer @{exec_path} {
 owner @{user_cache_dirs}/#@{int} rw,
- owner /tmp/qtsingleapp-smplay-* rw,
- owner /tmp/qtsingleapp-smplay-*-lockfile rwk,
- owner /tmp/smplayer_preview/ rw,
- owner /tmp/smplayer_preview/@{int}.{jpg,png} rw,
- owner /tmp/smplayer-mpv-* w,
+ owner @{tmp}/qtsingleapp-smplay-* rw,
+ owner @{tmp}/qtsingleapp-smplay-*-lockfile rwk,
+ owner @{tmp}/smplayer_preview/ rw,
+ owner @{tmp}/smplayer_preview/@{int}.{jpg,png} rw,
+ owner @{tmp}/smplayer-mpv-* w,
 owner @{run}/user/@{uid}/gvfs/smb-share:server=*,share=**/ r,
 owner @{run}/user/@{uid}/gvfs/smb-share:server=*,share=** r,
diff --git a/apparmor.d/profiles-s-z/snap b/apparmor.d/profiles-s-z/snap
index 6eb60c47..26859829 100644
--- a/apparmor.d/profiles-s-z/snap
+++ b/apparmor.d/profiles-s-z/snap
@@ -71,7 +71,7 @@ profile snap @{exec_path} {
 @{HOME}/snap/{,**} rw,
 /snap/{,**} rw,
- owner /tmp/snapd-auto-import-mount-@{int}/ rw,
+ owner @{tmp}/snapd-auto-import-mount-@{int}/ rw,
 @{run}/user/@{uid}/bus rw,
 owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} r,
diff --git a/apparmor.d/profiles-s-z/snap-update-ns b/apparmor.d/profiles-s-z/snap-update-ns
index 8d6a4a49..328eab74 100644
--- a/apparmor.d/profiles-s-z/snap-update-ns
+++ b/apparmor.d/profiles-s-z/snap-update-ns
@@ -39,7 +39,7 @@ profile snap-update-ns @{exec_path} {
 owner /var/snap/ rw,
 owner /var/snap/**/ rw,
- owner /tmp/.snap/{,**} rwk,
+ owner @{tmp}/.snap/{,**} rwk,
 @{run}/snapd/lock/*.lock rwk,
 @{run}/snapd/ns/{,**} rw,
diff --git a/apparmor.d/profiles-s-z/spectre-meltdown-checker b/apparmor.d/profiles-s-z/spectre-meltdown-checker
index dc1f4d95..94fa14f0 100644
--- a/apparmor.d/profiles-s-z/spectre-meltdown-checker
+++ b/apparmor.d/profiles-s-z/spectre-meltdown-checker
@@ -73,17 +73,17 @@ profile spectre-meltdown-checker @{exec_path} {
 # To fetch MCE.db from the MCExtractor project
 @{bin}/wget rCx -> mcedb,
 @{bin}/sqlite3 rCx -> mcedb,
- owner /tmp/mcedb-* rw,
- owner /tmp/smc-* rw,
- owner /tmp/{,smc-}intelfw-*/ rw,
- owner /tmp/{,smc-}intelfw-*/fw.zip rw,
- owner /tmp/{,smc-}intelfw-*/Intel-Linux-Processor-Microcode-Data-Files-{master,main}/ rw,
- owner /tmp/{,smc-}intelfw-*/Intel-Linux-Processor-Microcode-Data-Files-{master,main}/** rw,
+ owner @{tmp}/mcedb-* rw,
+ owner @{tmp}/smc-* rw,
+ owner @{tmp}/{,smc-}intelfw-*/ rw,
+ owner @{tmp}/{,smc-}intelfw-*/fw.zip rw,
+ owner @{tmp}/{,smc-}intelfw-*/Intel-Linux-Processor-Microcode-Data-Files-{master,main}/ rw,
+ owner @{tmp}/{,smc-}intelfw-*/Intel-Linux-Processor-Microcode-Data-Files-{master,main}/** rw,
 owner @{HOME}/.mcedb rw,
 /tmp/ r,
- owner /tmp/{config,kernel}-* rw,
+ owner @{tmp}/{config,kernel}-* rw,
 owner /dev/cpu/@{int}/cpuid r,
 owner /dev/cpu/@{int}/msr rw,
@@ -166,8 +166,8 @@ profile spectre-meltdown-checker @{exec_path} {
 owner @{HOME}/.mcedb rw,
 /tmp/ r,
- owner /tmp/{,smc-}mcedb-* rwk,
- owner /tmp/{,smc-}intelfw-*/fw.zip rw,
+ owner @{tmp}/{,smc-}mcedb-* rwk,
+ owner @{tmp}/{,smc-}intelfw-*/fw.zip rw,
 /usr/share/publicsuffix/public_suffix_list.* r,
diff --git a/apparmor.d/profiles-s-z/ss b/apparmor.d/profiles-s-z/ss
index 99d7ae84..99d05d28 100644
--- a/apparmor.d/profiles-s-z/ss
+++ b/apparmor.d/profiles-s-z/ss
@@ -24,7 +24,7 @@ profile ss @{exec_path} {
 /etc/iproute2/{,**} r,
- owner /tmp/*.ss rw,
+ owner @{tmp}/*.ss rw,
 owner @{HOME}/*.ss rw,
 @{PROC} r,
diff --git a/apparmor.d/profiles-s-z/startx b/apparmor.d/profiles-s-z/startx
index 8bb4cd73..9a51396c 100644
--- a/apparmor.d/profiles-s-z/startx
+++ b/apparmor.d/profiles-s-z/startx
@@ -40,7 +40,7 @@ profile startx @{exec_path} flags=(attach_disconnected) {
 owner @{HOME}/.xserverrc r,
 /tmp/ r,
- owner /tmp/serverauth.* rw,
+ owner @{tmp}/serverauth.* rw,
 /dev/ r,
 owner /dev/tty@{int} rw,
diff --git a/apparmor.d/profiles-s-z/steam b/apparmor.d/profiles-s-z/steam
index 429aca59..d370dbb2 100644
--- a/apparmor.d/profiles-s-z/steam
+++ b/apparmor.d/profiles-s-z/steam
@@ -139,13 +139,13 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted,complain)
 owner /dev/shm/u@{uid}-ValveIPCSharedObj-Steam rwk,
 owner /dev/shm/ValveIPCSHM_@{uid} rw,
- owner /tmp/dumps/ rw,
- owner /tmp/dumps/{assert,crash}_@{int}_@{int}.dmp rw,
- owner /tmp/gdkpixbuf-xpm-tmp.@{rand6} rw,
- owner /tmp/miles_image_* mrw,
- owner /tmp/runtime-info.txt.* rwk,
- owner /tmp/sh-thd.* rw,
- owner /tmp/steam_chrome_shmem_uid@{uid}_spid@{int} rw,
+ owner @{tmp}/dumps/ rw,
+ owner @{tmp}/dumps/{assert,crash}_@{int}_@{int}.dmp rw,
+ owner @{tmp}/gdkpixbuf-xpm-tmp.@{rand6} rw,
+ owner @{tmp}/miles_image_* mrw,
+ owner @{tmp}/runtime-info.txt.* rwk,
+ owner @{tmp}/sh-thd.* rw,
+ owner @{tmp}/steam_chrome_shmem_uid@{uid}_spid@{int} rw,
 @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad
 @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.)
diff --git a/apparmor.d/profiles-s-z/steam-game b/apparmor.d/profiles-s-z/steam-game
index d011c16c..e476bc26 100644
--- a/apparmor.d/profiles-s-z/steam-game
+++ b/apparmor.d/profiles-s-z/steam-game
@@ -161,10 +161,10 @@ profile steam-game @{exec_path} flags=(attach_disconnected) {
 owner /dev/shm/ValveIPCSHM_@{uid} rw,
 owner /dev/shm/wine-*-fsync rw,
- owner /tmp/.wine-@{uid}/server-*/* rwk,
- owner /tmp/** rw,
- owner /tmp/miles_image_* mr,
- owner /tmp/pressure-vessel-*/{,**} rwl,
+ owner @{tmp}/.wine-@{uid}/server-*/* rwk,
+ owner @{tmp}/** rw,
+ owner @{tmp}/miles_image_* mr,
+ owner @{tmp}/pressure-vessel-*/{,**} rwl,
 @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad
diff --git a/apparmor.d/profiles-s-z/steam-gameoverlayui b/apparmor.d/profiles-s-z/steam-gameoverlayui
index fac7818f..44100175 100644
--- a/apparmor.d/profiles-s-z/steam-gameoverlayui
+++ b/apparmor.d/profiles-s-z/steam-gameoverlayui
@@ -45,9 +45,9 @@ profile steam-gameoverlayui @{exec_path} {
 owner /dev/shm/u@{uid}-ValveIPCSharedObj-* rwk,
 owner /dev/shm/ValveIPCSHM_@{uid} rw,
- owner /tmp/gameoverlayui.log* rw,
- owner /tmp/steam_chrome_overlay_uid@{uid}_spid@{pids} rw,
- owner /tmp/miles_image_* mrw,
+ owner @{tmp}/gameoverlayui.log* rw,
+ owner @{tmp}/steam_chrome_overlay_uid@{uid}_spid@{pids} rw,
+ owner @{tmp}/miles_image_* mrw,
 deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
diff --git a/apparmor.d/profiles-s-z/strawberry b/apparmor.d/profiles-s-z/strawberry
index a36d59d2..9852d56b 100644
--- a/apparmor.d/profiles-s-z/strawberry
+++ b/apparmor.d/profiles-s-z/strawberry
@@ -79,13 +79,13 @@ profile strawberry @{exec_path} {
 /dev/shm/#@{int} rw,
 /dev/sr[0-9]* r,
- owner /tmp/qipc_{systemsem,sharedmemory}_*[a-f0-9]* rw,
- owner /tmp/.*/ rw,
- owner /tmp/.*/s rw,
- owner /tmp/strawberry*[0-9] w,
- owner /tmp/strawberry-cover-*.jpg rwl -> /tmp/#@{int},
- owner /tmp/#@{int} rw,
- owner /tmp/*= w,
+ owner @{tmp}/qipc_{systemsem,sharedmemory}_*[a-f0-9]* rw,
+ owner @{tmp}/.*/ rw,
+ owner @{tmp}/.*/s rw,
+ owner @{tmp}/strawberry*[0-9] w,
+ owner @{tmp}/strawberry-cover-*.jpg rwl -> /tmp/#@{int},
+ owner @{tmp}/#@{int} rw,
+ owner @{tmp}/*= w,
 owner /var/tmp/etilqs_@{hex} rw,
diff --git a/apparmor.d/profiles-s-z/swtpm_setup b/apparmor.d/profiles-s-z/swtpm_setup
index bb516789..18aafae6 100644
--- a/apparmor.d/profiles-s-z/swtpm_setup
+++ b/apparmor.d/profiles-s-z/swtpm_setup
@@ -21,9 +21,9 @@ profile swtpm_setup @{exec_path} {
 /var/log/swtpm/{,**} w,
 /var/lib/libvirt/swtpm/@{uuid}/tpm2/ r,
- owner /tmp/swtpm_setup.certs.*/ w,
- owner /tmp/swtpm_setup.certs.*/*.cert rw,
- owner /tmp/.swtpm_setup.pidfile* rw,
+ owner @{tmp}/swtpm_setup.certs.*/ w,
+ owner @{tmp}/swtpm_setup.certs.*/*.cert rw,
+ owner @{tmp}/.swtpm_setup.pidfile* rw,
 include if exists
 }
\ No newline at end of file
diff --git a/apparmor.d/profiles-s-z/syncoid b/apparmor.d/profiles-s-z/syncoid
index c04232d8..36a5c985 100644
--- a/apparmor.d/profiles-s-z/syncoid
+++ b/apparmor.d/profiles-s-z/syncoid
@@ -25,7 +25,7 @@ profile syncoid @{exec_path} flags=(complain) {
 /etc/mbuffer.rc r,
- owner /tmp/** rw,
+ owner @{tmp}/** rw,
 @{PROC}/@{pids}/maps r,
diff --git a/apparmor.d/profiles-s-z/system-config-printer b/apparmor.d/profiles-s-z/system-config-printer
index f6f5025a..fb3c6077 100644
--- a/apparmor.d/profiles-s-z/system-config-printer
+++ b/apparmor.d/profiles-s-z/system-config-printer
@@ -46,7 +46,7 @@ profile system-config-printer @{exec_path} flags=(complain) {
 @{run}/cups/cups.sock rw,
 owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw,
- owner /tmp/* rw,
+ owner @{tmp}/* rw,
 owner @{PROC}/@{pid}/fd/ r,
 owner @{PROC}/@{pid}/fdinfo/@{int} r,
diff --git a/apparmor.d/profiles-s-z/tasksel b/apparmor.d/profiles-s-z/tasksel
index 24cc65c1..94bba6ce 100644
--- a/apparmor.d/profiles-s-z/tasksel
+++ b/apparmor.d/profiles-s-z/tasksel
@@ -38,7 +38,7 @@ profile tasksel @{exec_path} flags=(complain) {
 /usr/share/debconf/confmodule r,
- owner /tmp/file* w,
+ owner @{tmp}/file* w,
 profile tasksel-tests flags=(complain) {
@@ -66,7 +66,7 @@ profile tasksel @{exec_path} flags=(complain) {
 # The following is needed when debconf uses dialog/whiptail frontend.
 @{bin}/whiptail rPx,
- owner /tmp/file* w,
+ owner @{tmp}/file* w,
 /usr/share/debconf/confmodule r,
diff --git a/apparmor.d/profiles-s-z/terminator b/apparmor.d/profiles-s-z/terminator
index 86b064de..c63a5657 100644
--- a/apparmor.d/profiles-s-z/terminator
+++ b/apparmor.d/profiles-s-z/terminator
@@ -36,7 +36,7 @@ profile terminator @{exec_path} flags=(attach_disconnected) {
 owner @{user_config_dirs}/terminator/{,**} rw,
- owner /tmp/#@{int} rw,
+ owner @{tmp}/#@{int} rw,
 @{PROC}/ r,
 @{PROC}/@{pid}/net/tcp{,6} r,
diff --git a/apparmor.d/profiles-s-z/thunderbird b/apparmor.d/profiles-s-z/thunderbird
index 04e67287..d27f84aa 100644
--- a/apparmor.d/profiles-s-z/thunderbird
+++ b/apparmor.d/profiles-s-z/thunderbird
@@ -126,14 +126,14 @@ profile thunderbird @{exec_path} {
 /tmp/ r,
 /var/tmp/ r,
- owner /tmp/@{name}{,_*}/ rw,
- owner /tmp/@{name}{,_*}/* rwk,
- owner /tmp/* rw,
- owner /tmp/mozilla_*/ rw,
- owner /tmp/mozilla_*/* rw,
- owner /tmp/MozillaMailnews/ rw,
- owner /tmp/MozillaMailnews/*.msf rw,
- owner /tmp/Temp-@{uuid}/ rw,
+ owner @{tmp}/@{name}{,_*}/ rw,
+ owner @{tmp}/@{name}{,_*}/* rwk,
+ owner @{tmp}/* rw,
+ owner @{tmp}/mozilla_*/ rw,
+ owner @{tmp}/mozilla_*/* rw,
+ owner @{tmp}/MozillaMailnews/ rw,
+ owner @{tmp}/MozillaMailnews/*.msf rw,
+ owner @{tmp}/Temp-@{uuid}/ rw,
 @{run}/mount/utab r,
diff --git a/apparmor.d/profiles-s-z/thunderbird-glxtest b/apparmor.d/profiles-s-z/thunderbird-glxtest
index c36601b9..b69db491 100644
--- a/apparmor.d/profiles-s-z/thunderbird-glxtest
+++ b/apparmor.d/profiles-s-z/thunderbird-glxtest
@@ -21,7 +21,7 @@ profile thunderbird-glxtest @{exec_path} {
 owner @{config_dirs}/*/.parentlock rw,
- owner /tmp/thunderbird/.parentlock rw,
+ owner @{tmp}/thunderbird/.parentlock rw,
 owner @{PROC}/@{pid}/cmdline r,
diff --git a/apparmor.d/profiles-s-z/thunderbird-vaapitest b/apparmor.d/profiles-s-z/thunderbird-vaapitest
index d5050b01..345b7a6f 100644
--- a/apparmor.d/profiles-s-z/thunderbird-vaapitest
+++ b/apparmor.d/profiles-s-z/thunderbird-vaapitest
@@ -20,7 +20,7 @@ profile thunderbird-vaapitest @{exec_path} {
 @{exec_path} mr,
- owner /tmp/thunderbird/.parentlock rw,
+ owner @{tmp}/thunderbird/.parentlock rw,
 deny @{cache_dirs}/*/startupCache/** r,
 deny @{config_dirs}/*/.parentlock rw,
diff --git a/apparmor.d/profiles-s-z/tint2 b/apparmor.d/profiles-s-z/tint2
index 889014b1..e098f55e 100644
--- a/apparmor.d/profiles-s-z/tint2
+++ b/apparmor.d/profiles-s-z/tint2
@@ -43,7 +43,7 @@ profile tint2 @{exec_path} {
 owner @{HOME}/.Xauthority r,
- owner /tmp/tint2-@{pid}-@{int}.png rw,
+ owner @{tmp}/tint2-@{pid}-@{int}.png rw,
 # Battery applet
 @{sys}/class/power_supply/ r,
diff --git a/apparmor.d/profiles-s-z/transmission-qt b/apparmor.d/profiles-s-z/transmission-qt
index 179fdd89..5b232a00 100644
--- a/apparmor.d/profiles-s-z/transmission-qt
+++ b/apparmor.d/profiles-s-z/transmission-qt
@@ -40,7 +40,7 @@ profile transmission-qt @{exec_path} {
 owner @{user_cache_dirs}/transmission/ rw,
 owner @{user_cache_dirs}/transmission/** rwk,
- owner /tmp/tr_session_id_* rwk,
+ owner @{tmp}/tr_session_id_* rwk,
 deny owner @{PROC}/@{pid}/cmdline r,
 owner @{PROC}/@{pid}/mountinfo r,
diff --git a/apparmor.d/profiles-s-z/ucf b/apparmor.d/profiles-s-z/ucf
index 1795bc6c..65ddef5e 100644
--- a/apparmor.d/profiles-s-z/ucf
+++ b/apparmor.d/profiles-s-z/ucf
@@ -51,7 +51,7 @@ profile ucf @{exec_path} flags=(complain) {
 /etc/ucf.conf r,
 /var/lib/ucf/** rw,
- owner /tmp/* rw,
+ owner @{tmp}/* rw,
 /etc/default/* rw, # For md5sum
diff --git a/apparmor.d/profiles-s-z/unmkinitramfs b/apparmor.d/profiles-s-z/unmkinitramfs
index 59bdb710..23f4e249 100644
--- a/apparmor.d/profiles-s-z/unmkinitramfs
+++ b/apparmor.d/profiles-s-z/unmkinitramfs
@@ -38,14 +38,14 @@ profile unmkinitramfs @{exec_path} {
 /boot/ r,
 owner /boot/initrd.img-* r,
 /tmp/ r,
- owner /tmp/initrd.img-* r,
+ owner @{tmp}/initrd.img-* r,
 /mnt/ r,
 owner /mnt/initrd.img-* r,
 /mnt/boot/ r,
 owner /mnt/boot/initrd.img-* r,
 # To extract the content of the initrd image
- owner /tmp/** rwl -> /tmp/**,
+ owner @{tmp}/** rwl -> /tmp/**,
 /var/tmp/ r,
 owner /var/tmp/unmkinitramfs_* rw,
diff --git a/apparmor.d/profiles-s-z/update-ca-certificates b/apparmor.d/profiles-s-z/update-ca-certificates
index 8d0f61b4..d1dba09e 100644
--- a/apparmor.d/profiles-s-z/update-ca-certificates
+++ b/apparmor.d/profiles-s-z/update-ca-certificates
@@ -53,7 +53,7 @@ profile update-ca-certificates @{exec_path} {
 / r,
 /tmp/ r,
- owner /tmp/ca-certificates{,.crt}.tmp.* rw,
+ owner @{tmp}/ca-certificates{,.crt}.tmp.* rw,
 /dev/tty rw,
diff --git a/apparmor.d/profiles-s-z/update-cracklib b/apparmor.d/profiles-s-z/update-cracklib
index df2b9734..7c2d4c1b 100644
--- a/apparmor.d/profiles-s-z/update-cracklib
+++ b/apparmor.d/profiles-s-z/update-cracklib
@@ -36,7 +36,7 @@ profile update-cracklib @{exec_path} {
 owner /var/cache/cracklib/{,**} rw,
- owner /tmp/sort@{rand6} rw,
+ owner @{tmp}/sort@{rand6} rw,
 include if exists
 }
\ No newline at end of file
diff --git a/apparmor.d/profiles-s-z/vcsi b/apparmor.d/profiles-s-z/vcsi
index b491f4a1..9ceb9ec4 100644
--- a/apparmor.d/profiles-s-z/vcsi
+++ b/apparmor.d/profiles-s-z/vcsi
@@ -28,7 +28,7 @@ profile vcsi @{exec_path} {
 /etc/fstab r,
- owner /tmp/* rw,
+ owner @{tmp}/* rw,
 include if exists
 }
diff --git a/apparmor.d/profiles-s-z/vidcutter b/apparmor.d/profiles-s-z/vidcutter
index 9ceb3fd4..b9c12955 100644
--- a/apparmor.d/profiles-s-z/vidcutter
+++ b/apparmor.d/profiles-s-z/vidcutter
@@ -51,10 +51,10 @@ profile vidcutter @{exec_path} {
 owner @{user_config_dirs}/vidcutter/ rw,
 owner @{user_config_dirs}/vidcutter/* rwkl -> @{user_config_dirs}/vidcutter/#@{int},
- owner /tmp/vidcutter-@{uuid} w,
- owner /tmp/#@{int} rw,
- owner /tmp/*.jpg rwl -> /tmp/#@{int},
- owner /tmp/vidcutter/{,*} rw,
+ owner @{tmp}/vidcutter-@{uuid} w,
+ owner @{tmp}/#@{int} rw,
+ owner @{tmp}/*.jpg rwl -> /tmp/#@{int},
+ owner @{tmp}/vidcutter/{,*} rw,
 deny owner @{PROC}/@{pid}/cmdline r,
 owner @{PROC}/@{pid}/fd/ r,
diff --git a/apparmor.d/profiles-s-z/whiptail b/apparmor.d/profiles-s-z/whiptail
index 21a369ad..464d5862 100644
--- a/apparmor.d/profiles-s-z/whiptail
+++ b/apparmor.d/profiles-s-z/whiptail
@@ -18,7 +18,7 @@ profile whiptail @{exec_path} flags=(complain) {
 /etc/newt/palette.* r,
- owner /tmp/gpm* w,
+ owner @{tmp}/gpm* w,
 include if exists
 }
diff --git a/apparmor.d/profiles-s-z/wireshark b/apparmor.d/profiles-s-z/wireshark
index 19f38bc9..3c10760d 100644
--- a/apparmor.d/profiles-s-z/wireshark
+++ b/apparmor.d/profiles-s-z/wireshark
@@ -48,7 +48,7 @@ profile wireshark @{exec_path} {
 owner @{HOME}/.wireshark/{,**} rw,
 owner @{user_config_dirs}/wireshark/{,**} rw,
- owner /tmp/wireshark_extcap_ciscodump_@{int}_* rw,
+ owner @{tmp}/wireshark_extcap_ciscodump_@{int}_* rw,
 deny @{PROC}/sys/kernel/random/boot_id r,
 deny owner @{PROC}/@{pid}/cmdline r,
diff --git a/apparmor.d/profiles-s-z/wl-copy b/apparmor.d/profiles-s-z/wl-copy
index 6e621d57..b961da10 100644
--- a/apparmor.d/profiles-s-z/wl-copy
+++ b/apparmor.d/profiles-s-z/wl-copy
@@ -17,7 +17,7 @@ profile wl-copy @{exec_path} {
 @{bin}/xdg-mime rPx,
- owner /tmp/wl-copy-buffer-*/{,**} rw,
+ owner @{tmp}/wl-copy-buffer-*/{,**} rw,
 /dev/tty rw,
diff --git a/apparmor.d/profiles-s-z/wpa-cli b/apparmor.d/profiles-s-z/wpa-cli
index c324f3b9..03c3db36 100644
--- a/apparmor.d/profiles-s-z/wpa-cli
+++ b/apparmor.d/profiles-s-z/wpa-cli
@@ -21,7 +21,7 @@ profile wpa-cli @{exec_path} {
 owner @{HOME}/.wpa_cli_history-@{int}.tmp rw,
 owner @{run}/wpa_supplicant/ r,
- owner /tmp/wpa_ctrl_@{pid}-[0-9] rw,
+ owner @{tmp}/wpa_ctrl_@{pid}-[0-9] rw,
 include if exists
 }
diff --git a/apparmor.d/profiles-s-z/wpa-gui b/apparmor.d/profiles-s-z/wpa-gui
index f9396ba9..6718f20c 100644
--- a/apparmor.d/profiles-s-z/wpa-gui
+++ b/apparmor.d/profiles-s-z/wpa-gui
@@ -24,7 +24,7 @@ profile wpa-gui @{exec_path} {
 /usr/share/hwdata/pnp.ids r,
- owner /tmp/wpa_ctrl_@{pid}-[0-9] w,
+ owner @{tmp}/wpa_ctrl_@{pid}-[0-9] w,
 owner /dev/shm/#@{int} rw,
 @{run}/wpa_supplicant/ r,
diff --git a/apparmor.d/profiles-s-z/xarchiver b/apparmor.d/profiles-s-z/xarchiver
index eb6f8f95..dccccc2b 100644
--- a/apparmor.d/profiles-s-z/xarchiver
+++ b/apparmor.d/profiles-s-z/xarchiver
@@ -56,7 +56,7 @@ profile xarchiver @{exec_path} {
 @{MOUNTS}/ r,
 @{MOUNTS}/** rw,
 /tmp/ r,
- owner /tmp/** rw,
+ owner @{tmp}/** rw,
 owner @{PROC}/@{pid}/fd/ r,
 @{PROC}/@{pid}/mountinfo r,
diff --git a/apparmor.d/profiles-s-z/xauth b/apparmor.d/profiles-s-z/xauth
index 44710efd..02ab3042 100644
--- a/apparmor.d/profiles-s-z/xauth
+++ b/apparmor.d/profiles-s-z/xauth
@@ -26,15 +26,15 @@ profile xauth @{exec_path} {
 owner @{HOME}/.Xauthority-n rw,
 owner @{HOME}/.Xauthority rwl -> @{HOME}/.Xauthority-n,
- owner /tmp/serverauth.*-c w,
- owner /tmp/serverauth.*-l wl -> /tmp/serverauth.*-c,
- owner /tmp/serverauth.*-n rw,
- owner /tmp/serverauth.* rwl -> /tmp/serverauth.*-n,
+ owner @{tmp}/serverauth.*-c w,
+ owner @{tmp}/serverauth.*-l wl -> /tmp/serverauth.*-c,
+ owner @{tmp}/serverauth.*-n rw,
+ owner @{tmp}/serverauth.* rwl -> /tmp/serverauth.*-n,
- owner /tmp/runtime-*/xauth_@{rand6} r,
- owner /tmp/xauth_@{rand6} r,
- owner /tmp/xauth_@{rand6}-c w,
- owner /tmp/xauth_@{rand6}-l wl,
+ owner @{tmp}/runtime-*/xauth_@{rand6} r,
+ owner @{tmp}/xauth_@{rand6} r,
+ owner @{tmp}/xauth_@{rand6}-c w,
+ owner @{tmp}/xauth_@{rand6}-l wl,
 owner @{run}/user/@{uid}/xauth_@{rand6} rw,
 owner @{run}/user/@{uid}/xauth_@{rand6}-c w,
diff --git a/apparmor.d/profiles-s-z/xclip b/apparmor.d/profiles-s-z/xclip
index 0aadf7a6..68258cae 100644
--- a/apparmor.d/profiles-s-z/xclip
+++ b/apparmor.d/profiles-s-z/xclip
@@ -16,8 +16,8 @@ profile xclip @{exec_path} {
 @{exec_path} mr,
- owner /tmp/mutt-* rw,
- owner /tmp/xauth_@{rand6} r,
+ owner @{tmp}/mutt-* rw,
+ owner @{tmp}/xauth_@{rand6} r,
 owner @{HOME}/.Xauthority r,
diff --git a/apparmor.d/profiles-s-z/xinit b/apparmor.d/profiles-s-z/xinit
index 8c8428d1..03ec3ff9 100644
--- a/apparmor.d/profiles-s-z/xinit
+++ b/apparmor.d/profiles-s-z/xinit
@@ -70,8 +70,8 @@ profile xinit @{exec_path} {
 owner @{HOME}/.xserverrc r,
 owner @{HOME}/.xsession-errors w,
- owner /tmp/file* rw,
- owner /tmp/tmp.* rw,
+ owner @{tmp}/file* rw,
+ owner @{tmp}/tmp.* rw,
 /dev/tty rw,
diff --git a/apparmor.d/profiles-s-z/xsel b/apparmor.d/profiles-s-z/xsel
index 6b065bcd..9fb9593d 100644
--- a/apparmor.d/profiles-s-z/xsel
+++ b/apparmor.d/profiles-s-z/xsel
@@ -19,7 +19,7 @@ profile xsel @{exec_path} {
 owner @{user_cache_dirs}/xsel.log rw,
 owner @{HOME}/.Xauthority r,
- owner /tmp/xauth-@{int}-_[0-9] r,
+ owner @{tmp}/xauth-@{int}-_[0-9] r,
 # file_inherit
 owner /dev/tty@{int} rw,
diff --git a/apparmor.d/profiles-s-z/zed b/apparmor.d/profiles-s-z/zed
index c2fa6162..1ce39288 100644
--- a/apparmor.d/profiles-s-z/zed
+++ b/apparmor.d/profiles-s-z/zed
@@ -43,7 +43,7 @@ profile zed @{exec_path} {
 @{run}/zed.state rwkl,
 @{run}/zfs-list.cache@* rw,
- owner /tmp/tmp.* rw,
+ owner @{tmp}/tmp.* rw,
 @{sys}/bus/pci/slots/ r,
 @{sys}/bus/pci/slots/@{int}/address r,
diff --git a/apparmor.d/profiles-s-z/zenmap b/apparmor.d/profiles-s-z/zenmap
index 8d4a0934..2136952a 100644
--- a/apparmor.d/profiles-s-z/zenmap
+++ b/apparmor.d/profiles-s-z/zenmap
@@ -37,8 +37,8 @@ profile zenmap @{exec_path} {
 /usr/share/zenmap/** r,
- owner /tmp/* rw,
- owner /tmp/zenmap-stdout-* rw,
+ owner @{tmp}/* rw,
+ owner @{tmp}/zenmap-stdout-* rw,
 include if exists
 }