diff --git a/apparmor.d/profiles-a-f/aa-enabled b/apparmor.d/profiles-a-f/aa-enabled index d377a30a..561c762f 100644 --- a/apparmor.d/profiles-a-f/aa-enabled +++ b/apparmor.d/profiles-a-f/aa-enabled @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/aa-enabled +@{exec_path} = @{bin}/aa-enabled profile aa-enabled @{exec_path} { include include diff --git a/apparmor.d/profiles-a-f/aa-log b/apparmor.d/profiles-a-f/aa-log index 1e91e8e0..33ee9823 100644 --- a/apparmor.d/profiles-a-f/aa-log +++ b/apparmor.d/profiles-a-f/aa-log @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/aa-log +@{exec_path} = @{bin}/aa-log profile aa-log @{exec_path} { include include @@ -15,7 +15,7 @@ profile aa-log @{exec_path} { @{exec_path} mr, - /{usr/,}bin/journalctl rix, + @{bin}/journalctl rix, /etc/machine-id r, /etc/nsswitch.conf r, diff --git a/apparmor.d/profiles-a-f/aa-notify b/apparmor.d/profiles-a-f/aa-notify index be8b6cb5..81cb167e 100644 --- a/apparmor.d/profiles-a-f/aa-notify +++ b/apparmor.d/profiles-a-f/aa-notify @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/aa-notify +@{exec_path} = @{bin}/aa-notify profile aa-notify @{exec_path} { include include @@ -19,7 +19,7 @@ profile aa-notify @{exec_path} { @{exec_path} mr, - /{usr/,}bin/ r, + @{bin}/ r, /etc/apparmor/*.conf r, /etc/inputrc r, diff --git a/apparmor.d/profiles-a-f/aa-status b/apparmor.d/profiles-a-f/aa-status index cb85f595..3972c971 100644 --- a/apparmor.d/profiles-a-f/aa-status +++ b/apparmor.d/profiles-a-f/aa-status @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}{s,}bin/aa-status /{usr/,}{s,}bin/apparmor_status +@{exec_path} = @{bin}/aa-status @{bin}/apparmor_status profile aa-status @{exec_path} { include include diff --git a/apparmor.d/profiles-a-f/acpi b/apparmor.d/profiles-a-f/acpi index bc1dfda5..8208566a 100644 --- a/apparmor.d/profiles-a-f/acpi +++ b/apparmor.d/profiles-a-f/acpi 
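Review bot: The aa-status exec path drops the `{s,}` alternation (`/{usr/,}{s,}bin/aa-status /{usr/,}{s,}bin/apparmor_status` becomes `@{bin}/aa-status @{bin}/apparmor_status`), so attachment on systems that install these under sbin now rests entirely on `@{bin}` expanding to both bin and sbin, and that tunable definition is not part of this diff. If `@{bin}` only covers `/{usr/,}bin`, every sbin-located profile touched here silently stops attaching and the program runs unconfined rather than failing loudly; the same `{s,}` drop appears in acpid, adduser, agetty, anacron, apparmor_parser, aspell-autobuildhash (which was `/{usr/,}sbin/`), atd, atftpd, auditd, badblocks, biosdecode, blkdeactivate, blkid and blockdev, and in exec rules such as `@{bin}/shutdown rix` in acpi-powerbtn. Worth confirming the variable's value in tunables and, if it is not already there, adding a one-line comment at its definition stating that it must cover sbin, since many profiles now rely on it.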
@@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/acpi +@{exec_path} = @{bin}/acpi profile acpi @{exec_path} flags=(complain) { include diff --git a/apparmor.d/profiles-a-f/acpi-powerbtn b/apparmor.d/profiles-a-f/acpi-powerbtn index 843b6eec..dae4595f 100644 --- a/apparmor.d/profiles-a-f/acpi-powerbtn +++ b/apparmor.d/profiles-a-f/acpi-powerbtn @@ -11,20 +11,20 @@ profile acpi-powerbtn flags=(attach_disconnected) { /etc/acpi/powerbtn-acpi-support.sh r, - /{usr/,}{s,}bin/killall5 rix, - /{usr/,}{s,}bin/shutdown rix, - /{usr/,}bin/{ba,da,}sh rix, - /{usr/,}bin/{e,}grep rix, - /{usr/,}bin/dbus-send rix, - /{usr/,}bin/pgrep rix, - /{usr/,}bin/pinky rix, - /{usr/,}bin/sed rix, + @{bin}/{ba,da,}sh rix, + @{bin}/{e,}grep rix, + @{bin}/dbus-send rix, + @{bin}/killall5 rix, + @{bin}/pgrep rix, + @{bin}/pinky rix, + @{bin}/sed rix, + @{bin}/shutdown rix, /etc/acpi/powerbtn.sh rix, - /{usr/,}bin/systemctl rPx -> child-systemctl, - /{usr/,}bin/ps rPx, + @{bin}/systemctl rPx -> child-systemctl, + @{bin}/ps rPx, - /{usr/,}bin/fgconsole rCx, + @{bin}/fgconsole rCx, /usr/share/acpi-support/** r, @@ -40,7 +40,7 @@ profile acpi-powerbtn flags=(attach_disconnected) { capability sys_tty_config, - /{usr/,}bin/fgconsole r, + @{bin}/fgconsole r, /dev/tty rw, owner /dev/tty[0-9]* rw, diff --git a/apparmor.d/profiles-a-f/acpid b/apparmor.d/profiles-a-f/acpid index 8074ef09..3ac41590 100644 --- a/apparmor.d/profiles-a-f/acpid +++ b/apparmor.d/profiles-a-f/acpid @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}{s,}bin/acpid +@{exec_path} = @{bin}/acpid profile acpid @{exec_path} flags=(attach_disconnected) { include include @@ -18,8 +18,8 @@ profile acpid @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - /{usr/,}bin/{ba,da,}sh rix, - /{usr/,}bin/logger rix, + @{bin}/{ba,da,}sh rix, + @{bin}/logger rix, /etc/acpi/powerbtn-acpi-support.sh rPx -> acpi-powerbtn, diff --git a/apparmor.d/profiles-a-f/adb b/apparmor.d/profiles-a-f/adb index bbc41e1d..08b5b5ef 100644 
--- a/apparmor.d/profiles-a-f/adb +++ b/apparmor.d/profiles-a-f/adb @@ -7,8 +7,8 @@ abi , include -@{exec_path} = /{usr/,}bin/adb -@{exec_path} += /{usr/,}lib/android-sdk/platform-tools/adb +@{exec_path} = @{bin}/adb +@{exec_path} += @{lib}/android-sdk/platform-tools/adb profile adb @{exec_path} { include include diff --git a/apparmor.d/profiles-a-f/adduser b/apparmor.d/profiles-a-f/adduser index 1ea91478..7813a892 100644 --- a/apparmor.d/profiles-a-f/adduser +++ b/apparmor.d/profiles-a-f/adduser @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}{s,}bin/add{user,group} +@{exec_path} = @{bin}/add{user,group} profile adduser @{exec_path} { include include @@ -20,21 +20,21 @@ profile adduser @{exec_path} { capability fsetid, @{exec_path} r, - /{usr/,}bin/perl r, + @{bin}/perl r, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/find rix, - /{usr/,}bin/rm rix, + @{bin}/{,ba,da}sh rix, + @{bin}/find rix, + @{bin}/rm rix, - /{usr/,}{s,}bin/groupadd rPx, - /{usr/,}{s,}bin/groupdel rPx, - /{usr/,}{s,}bin/useradd rPx, - /{usr/,}{s,}bin/userdel rPx, - /{usr/,}{s,}bin/usermod rPx, - /{usr/,}bin/chage rPx, - /{usr/,}bin/chfn rPx, - /{usr/,}bin/gpasswd rPx, - /{usr/,}bin/passwd rPx, + @{bin}/chage rPx, + @{bin}/chfn rPx, + @{bin}/gpasswd rPx, + @{bin}/groupadd rPx, + @{bin}/groupdel rPx, + @{bin}/passwd rPx, + @{bin}/useradd rPx, + @{bin}/userdel rPx, + @{bin}/usermod rPx, /etc/{group,passwd,shadow} r, /etc/adduser.conf r, diff --git a/apparmor.d/profiles-a-f/adequate b/apparmor.d/profiles-a-f/adequate index a76e9673..7c6aca1d 100644 --- a/apparmor.d/profiles-a-f/adequate +++ b/apparmor.d/profiles-a-f/adequate @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/adequate +@{exec_path} = @{bin}/adequate profile adequate @{exec_path} flags=(complain) { include include 
@@ -16,25 +16,25 @@ profile adequate @{exec_path} flags=(complain) { #capability sys_tty_config, @{exec_path} r, - /{usr/,}bin/perl r, + @{bin}/perl r, - /{usr/,}{s,}bin/ldconfig rix, + @{bin}/ldconfig rix, # It wants to ldd all binaries/libs in packages. - /{usr/,}bin/ldd rCx -> ldd, + @{bin}/ldd rCx -> ldd, # Think what to do about this (#FIXME#) /usr/share/debconf/frontend rPx, #/usr/share/debconf/frontend rCx -> frontend, - /{usr/,}bin/pkg-config rCx -> pkg-config, - /{usr/,}bin/dpkg rPx -> child-dpkg, + @{bin}/pkg-config rCx -> pkg-config, + @{bin}/dpkg rPx -> child-dpkg, # Do not strip env to avoid errors like the following: # ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open # shared object file): ignored. - /{usr/,}bin/dpkg-query rpx, + @{bin}/dpkg-query rpx, # - /{usr/,}bin/update-alternatives rPx, + @{bin}/update-alternatives rPx, /var/lib/adequate/pending rwk, @@ -50,19 +50,18 @@ profile adequate @{exec_path} flags=(complain) { include include - /{usr/,}bin/ldd mr, + @{bin}/ldd mr, - /{usr/,}bin/* mr, - /{usr/,}{s,}bin/* mr, - /usr/games/* mr, - /{usr/,}lib{,x}{,32,64}/** mr, - /{usr/,}lib/@{multiarch}/** mr, + @{bin}/* mr, + /usr/games/* mr, + @{lib}{,x}/** mr, + @{lib}/@{multiarch}/** mr, /usr/share/** r, /opt/google/chrome{,-beta,-unstable}/google-chrome{,-beta,-unstable} mr, - /{usr/,}lib/@{multiarch}/ld-*.so rix, - /{usr/,}lib{,x}32/ld-*.so rix, + @{lib}/@{multiarch}/ld-*.so rix, + @{lib}{,x}32/ld-*.so rix, } @@ -73,13 +72,13 @@ profile adequate @{exec_path} flags=(complain) { include /usr/share/debconf/frontend r, - /{usr/,}bin/perl r, + @{bin}/perl r, - /{usr/,}bin/adequate rPx, + @{bin}/adequate rPx, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/stty rix, - /{usr/,}bin/locale rix, + @{bin}/{,ba,da}sh rix, + @{bin}/stty rix, + @{bin}/locale rix, /etc/debconf.conf r, owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk, 
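Review bot: In the ldd child profile the mapping rule `/{usr/,}lib{,x}{,32,64}/** mr,` is replaced by `@{lib}{,x}/** mr,`, which loses the `32`/`64` suffix alternatives, while two lines later `@{lib}{,x}32/ld-*.so rix,` still spells out `32` explicitly — so the hunk itself suggests `@{lib}` does not expand to lib32/lib64, and the `**` rule no longer covers those trees. Unless the tunable definition (not in this diff) already includes them, the rule should read `@{lib}{,x}{,32,64}/** mr,` to preserve the previous coverage; if it does include them, the explicit `32` on the `ld-*.so` line is redundant and the two lines should be made consistent either way. The ldd profile is marked `flags=(complain)`, so the narrowing would show up as log noise rather than a denial, which makes it easy to miss.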
@@ -91,8 +90,8 @@ profile adequate @{exec_path} flags=(complain) { include include capability dac_read_search, - /{usr/,}bin/lsb_release rPx -> lsb_release, - /{usr/,}bin/hostname rix, + @{bin}/lsb_release rPx -> lsb_release, + @{bin}/hostname rix, owner @{PROC}/@{pid}/mounts r, @{HOME}/.Xauthority r, @@ -103,7 +102,7 @@ profile adequate @{exec_path} flags=(complain) { profile pkg-config flags=(complain) { include - /{usr/,}bin/pkg-config mr, + @{bin}/pkg-config mr, } diff --git a/apparmor.d/profiles-a-f/agetty b/apparmor.d/profiles-a-f/agetty index 06447d88..4396afc3 100644 --- a/apparmor.d/profiles-a-f/agetty +++ b/apparmor.d/profiles-a-f/agetty @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}{s,}bin/agetty +@{exec_path} = @{bin}/agetty profile agetty @{exec_path} { include include @@ -21,7 +21,7 @@ profile agetty @{exec_path} { @{exec_path} mr, - /{usr/,}bin/login rPx, + @{bin}/login rPx, /usr/share/subiquity/console-conf-wrapper rPx, # only:core22 diff --git a/apparmor.d/profiles-a-f/amixer b/apparmor.d/profiles-a-f/amixer index a8e37584..c840fd78 100644 --- a/apparmor.d/profiles-a-f/amixer +++ b/apparmor.d/profiles-a-f/amixer @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/amixer +@{exec_path} = @{bin}/amixer profile amixer @{exec_path} { include include diff --git a/apparmor.d/profiles-a-f/anacron b/apparmor.d/profiles-a-f/anacron index 707267d4..e3e843fa 100644 --- a/apparmor.d/profiles-a-f/anacron +++ b/apparmor.d/profiles-a-f/anacron @@ -6,15 +6,15 @@ abi , include -@{exec_path} = /{usr/,}{s,}bin/anacron +@{exec_path} = @{bin}/anacron profile anacron @{exec_path} { include include @{exec_path} mr, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/run-parts rPx, + @{bin}/{,ba,da}sh rix, + @{bin}/run-parts rPx, / r, /etc/anacrontab r, diff --git a/apparmor.d/profiles-a-f/anki b/apparmor.d/profiles-a-f/anki index cbdba787..66a821bd 100644 --- a/apparmor.d/profiles-a-f/anki +++ b/apparmor.d/profiles-a-f/anki 
@@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/anki +@{exec_path} = @{bin}/anki profile anki @{exec_path} { include include @@ -35,18 +35,18 @@ profile anki @{exec_path} { network netlink raw, @{exec_path} r, - /{usr/,}bin/python3.[0-9]* r, + @{bin}/python3.[0-9]* r, - /{usr/,}{s,}bin/ldconfig rix, + @{bin}/ldconfig rix, - /{usr/,}bin/ r, - /{usr/,}bin/lsb_release rPx -> lsb_release, - /{usr/,}bin/xdg-open rCx -> open, - /{usr/,}bin/mpv rCx -> mpv, + @{bin}/ r, + @{bin}/lsb_release rPx -> lsb_release, + @{bin}/xdg-open rCx -> open, + @{bin}/mpv rCx -> mpv, # For recording sounds while creating decks - /{usr/,}bin/lame rCx -> lame, + @{bin}/lame rCx -> lame, - /{usr/,}lib/@{multiarch}/qt5/libexec/QtWebEngineProcess rix, + @{lib}/@{multiarch}/qt5/libexec/QtWebEngineProcess rix, /usr/share/qt5/**/*.pak r, owner @{user_config_dirs}/qt5ct/{,**} r, /usr/share/qt5ct/** r, @@ -128,8 +128,8 @@ profile anki @{exec_path} { /etc/mime.types r, # SyncThread - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/uname rix, + @{bin}/{,ba,da}sh rix, + @{bin}/uname rix, /etc/ r, /etc/debian_version r, @@ -141,7 +141,7 @@ profile anki @{exec_path} { owner @{HOME}/.xsession-errors w, # Allowed apps to open - /{usr/,}lib/firefox/firefox rPUx, + @{lib}/firefox/firefox rPUx, profile mpv { @@ -152,7 +152,7 @@ profile anki @{exec_path} { signal (receive) set=(term, kill) peer=anki, - /{usr/,}bin/mpv mr, + @{bin}/mpv mr, /etc/mpv/encoding-profiles.conf r, @@ -181,7 +181,7 @@ profile anki @{exec_path} { profile lame { include - /{usr/,}bin/lame mr, + @{bin}/lame mr, owner @{user_share_dirs}/Anki{,2}/*/collection.media/rec.{mp3,wav} rw, 
@@ -191,19 +191,19 @@ profile anki @{exec_path} { include include - /{usr/,}bin/xdg-open mr, + @{bin}/xdg-open mr, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/{m,g,}awk rix, - /{usr/,}bin/readlink rix, - /{usr/,}bin/basename rix, + @{bin}/{,ba,da}sh rix, + @{bin}/{m,g,}awk rix, + @{bin}/readlink rix, + @{bin}/basename rix, owner @{HOME}/ r, owner @{run}/user/@{uid}/ r, # Allowed apps to open - /{usr/,}lib/firefox/firefox rPUx, + @{lib}/firefox/firefox rPUx, # file_inherit owner @{HOME}/.xsession-errors w, diff --git a/apparmor.d/profiles-a-f/anyremote b/apparmor.d/profiles-a-f/anyremote index d84ebc37..090df64d 100644 --- a/apparmor.d/profiles-a-f/anyremote +++ b/apparmor.d/profiles-a-f/anyremote @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/anyremote +@{exec_path} = @{bin}/anyremote profile anyremote @{exec_path} { include include 
@@ -20,45 +20,45 @@ profile anyremote @{exec_path} { @{exec_path} mr, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/cat rix, - /{usr/,}bin/rm rix, - /{usr/,}bin/{,e}grep rix, - /{usr/,}bin/cut rix, - /{usr/,}bin/id rix, - /{usr/,}bin/mv rix, - /{usr/,}bin/expr rix, - /{usr/,}bin/which{,.debianutils} rix, - /{usr/,}bin/head rix, - /{usr/,}bin/wc rix, - /{usr/,}bin/tr rix, - /{usr/,}bin/mkdir rix, - /{usr/,}bin/tail rix, - /{usr/,}bin/{m,g,}awk rix, - /{usr/,}bin/sed rix, - /{usr/,}bin/md5sum rix, - /{usr/,}bin/basename rix, - /{usr/,}bin/sleep rix, - /{usr/,}bin/find rix, + @{bin}/{,ba,da}sh rix, + @{bin}/cat rix, + @{bin}/rm rix, + @{bin}/{,e}grep rix, + @{bin}/cut rix, + @{bin}/id rix, + @{bin}/mv rix, + @{bin}/expr rix, + @{bin}/which{,.debianutils} rix, + @{bin}/head rix, + @{bin}/wc rix, + @{bin}/tr rix, + @{bin}/mkdir rix, + @{bin}/tail rix, + @{bin}/{m,g,}awk rix, + @{bin}/sed rix, + @{bin}/md5sum rix, + @{bin}/basename rix, + @{bin}/sleep rix, + @{bin}/find rix, - /{usr/,}bin/convert-im6.q16 rCx -> imagemagic, - /{usr/,}bin/killall rCx -> killall, - /{usr/,}bin/pgrep rCx -> pgrep, - /{usr/,}lib/qt5/bin/qdbus rCx -> qdbus, - /{usr/,}bin/curl rCx -> curl, + @{bin}/convert-im6.q16 rCx -> imagemagic, + @{bin}/killall rCx -> killall, + @{bin}/pgrep rCx -> pgrep, + @{lib}/qt5/bin/qdbus rCx -> qdbus, + @{bin}/curl rCx -> curl, - /{usr/,}bin/pacmd rPx, - /{usr/,}bin/pactl rPx, - /{usr/,}bin/wmctrl rPx, - /{usr/,}bin/qtchooser rPx, - /{usr/,}bin/ps rPx, + @{bin}/pacmd rPx, + @{bin}/pactl rPx, + @{bin}/wmctrl rPx, + @{bin}/qtchooser rPx, + @{bin}/ps rPx, # Players - /{usr/,}bin/smplayer rPx, - /{usr/,}bin/amarok rPx, - /{usr/,}bin/vlc rPx, - /{usr/,}bin/mpv rPx, - /{usr/,}bin/strawberry rPx, + @{bin}/smplayer rPx, + @{bin}/amarok rPx, + @{bin}/vlc rPx, + @{bin}/mpv rPx, + @{bin}/strawberry rPx, owner /tmp/amarok_covers/ rw, owner /tmp/*.png rw, 
@@ -80,7 +80,7 @@ profile anyremote @{exec_path} { profile imagemagic { include - /{usr/,}bin/convert-im6.q16 mr, + @{bin}/convert-im6.q16 mr, /usr/share/ImageMagick-[0-9]/*.xml rw, /etc/ImageMagick-[0-9]/*.xml r, @@ -107,7 +107,7 @@ profile anyremote @{exec_path} { ptrace (read), - /{usr/,}bin/killall mr, + @{bin}/killall mr, # The /proc/ dir is needed to avoid the following error: # /proc: Permission denied @@ -125,7 +125,7 @@ profile anyremote @{exec_path} { signal (send) set=(term, kill), - /{usr/,}bin/pgrep mr, + @{bin}/pgrep mr, # The /proc/ dir and the cmdline have to be radable to avoid pgrep segfault. @{PROC}/ r, @@ -143,14 +143,14 @@ profile anyremote @{exec_path} { include include - /{usr/,}bin/curl mr, + @{bin}/curl mr, } profile qdbus { include - /{usr/,}lib/qt5/bin/qdbus mr, + @{lib}/qt5/bin/qdbus mr, } diff --git a/apparmor.d/profiles-a-f/aplay b/apparmor.d/profiles-a-f/aplay index 0516410b..ae5fb5ae 100644 --- a/apparmor.d/profiles-a-f/aplay +++ b/apparmor.d/profiles-a-f/aplay @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/aplay +@{exec_path} = @{bin}/aplay profile aplay @{exec_path} flags=(complain) { include include diff --git a/apparmor.d/profiles-a-f/apparmor.systemd b/apparmor.d/profiles-a-f/apparmor.systemd index f88f1e4f..470d7011 100644 --- a/apparmor.d/profiles-a-f/apparmor.systemd +++ b/apparmor.d/profiles-a-f/apparmor.systemd @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}lib/apparmor/apparmor.systemd +@{exec_path} = @{lib}/apparmor/apparmor.systemd profile apparmor.systemd @{exec_path} flags=(complain) { include include 
@@ -15,18 +15,18 @@ profile apparmor.systemd @{exec_path} flags=(complain) { @{exec_path} mr, - /{usr/,}{s,}bin/aa-status rPx, - /{usr/,}{s,}bin/apparmor_parser rPx, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/{,e}grep rix, - /{usr/,}bin/getconf rix, - /{usr/,}bin/ls rix, - /{usr/,}bin/sed rix, - /{usr/,}bin/sort rix, - /{usr/,}bin/systemd-detect-virt rPx, - /{usr/,}bin/xargs rix, + @{bin}/{,ba,da}sh rix, + @{bin}/{,e}grep rix, + @{bin}/aa-status rPx, + @{bin}/apparmor_parser rPx, + @{bin}/getconf rix, + @{bin}/ls rix, + @{bin}/sed rix, + @{bin}/sort rix, + @{bin}/systemd-detect-virt rPx, + @{bin}/xargs rix, - /{usr/,}lib/apparmor/rc.apparmor.functions r, + @{lib}/apparmor/rc.apparmor.functions r, /etc/apparmor.d/ r, diff --git a/apparmor.d/profiles-a-f/apparmor_parser b/apparmor.d/profiles-a-f/apparmor_parser index 56b1c6f3..d751a4f6 100644 --- a/apparmor.d/profiles-a-f/apparmor_parser +++ b/apparmor.d/profiles-a-f/apparmor_parser @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}{s,}bin/apparmor_parser +@{exec_path} = @{bin}/apparmor_parser profile apparmor_parser @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/profiles-a-f/appstreamcli b/apparmor.d/profiles-a-f/appstreamcli index f19456eb..9661f8fa 100644 --- a/apparmor.d/profiles-a-f/appstreamcli +++ b/apparmor.d/profiles-a-f/appstreamcli @@ -7,7 +7,7 @@ abi , include -@{exec_path} = /{usr/,}bin/appstreamcli +@{exec_path} = @{bin}/appstreamcli profile appstreamcli @{exec_path} flags=(complain) { include include @@ -18,9 +18,9 @@ profile appstreamcli @{exec_path} flags=(complain) { @{exec_path} mr, - /{usr/,}bin/curl rCx -> curl, - /{usr/,}bin/gzip rix, - /{usr/,}bin/tar rix, + @{bin}/curl rCx -> curl, + @{bin}/gzip rix, + @{bin}/tar rix, /usr/share/app-info/{,**} r, /usr/share/appdata/ r, @@ -68,7 +68,7 @@ profile appstreamcli @{exec_path} flags=(complain) { include include - /{usr/,}bin/curl mr, + @{bin}/curl mr, include if exists } 
diff --git a/apparmor.d/profiles-a-f/arandr b/apparmor.d/profiles-a-f/arandr index 495f45c2..2c7df462 100644 --- a/apparmor.d/profiles-a-f/arandr +++ b/apparmor.d/profiles-a-f/arandr @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/arandr +@{exec_path} = @{bin}/arandr profile arandr @{exec_path} { include include @@ -18,10 +18,10 @@ profile arandr @{exec_path} { include @{exec_path} r, - /{usr/,}bin/python3.[0-9]* r, + @{bin}/python3.[0-9]* r, - /{usr/,}bin/ r, - /{usr/,}bin/xrandr rPx, + @{bin}/ r, + @{bin}/xrandr rPx, owner @{HOME}/.screenlayout/ rw, diff --git a/apparmor.d/profiles-a-f/archivemount b/apparmor.d/profiles-a-f/archivemount index 072c36b3..ac4b4402 100644 --- a/apparmor.d/profiles-a-f/archivemount +++ b/apparmor.d/profiles-a-f/archivemount @@ -6,13 +6,13 @@ abi , include -@{exec_path} = /{usr/,}bin/archivemount +@{exec_path} = @{bin}/archivemount profile archivemount @{exec_path} { include @{exec_path} mr, - /{usr/,}bin/fusermount{,3} rCx -> fusermount, + @{bin}/fusermount{,3} rCx -> fusermount, /**.{tar,tar.gz,zip} r, /**.{TAR,TAR.GZ,ZIP} r, @@ -36,7 +36,7 @@ profile archivemount @{exec_path} { # To mount anything: capability sys_admin, - /{usr/,}bin/fusermount{,3} mr, + @{bin}/fusermount{,3} mr, mount fstype={fuse,fuse.archivemount} -> @{HOME}/*/, mount fstype={fuse,fuse.archivemount} -> @{HOME}/*/*/, diff --git a/apparmor.d/profiles-a-f/arduino b/apparmor.d/profiles-a-f/arduino index a82604b5..a4a14920 100644 --- a/apparmor.d/profiles-a-f/arduino +++ b/apparmor.d/profiles-a-f/arduino @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/arduino +@{exec_path} = @{bin}/arduino profile arduino @{exec_path} { include include 
@@ -29,22 +29,22 @@ profile arduino @{exec_path} { @{exec_path} mr, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/id rix, - /{usr/,}bin/{,e}grep rix, - /{usr/,}bin/groups rix, - /{usr/,}bin/sed rix, - /{usr/,}bin/cat rix, - /{usr/,}bin/chmod rix, - /{usr/,}bin/avrdude rix, + @{bin}/{,ba,da}sh rix, + @{bin}/id rix, + @{bin}/{,e}grep rix, + @{bin}/groups rix, + @{bin}/sed rix, + @{bin}/cat rix, + @{bin}/chmod rix, + @{bin}/avrdude rix, - /{usr/,}bin/xdg-open rCx -> open, + @{bin}/xdg-open rCx -> open, - /{usr/,}bin/dpkg-architecture rPx, - /{usr/,}bin/arduino-builder rPx, + @{bin}/dpkg-architecture rPx, + @{bin}/arduino-builder rPx, - /{usr/,}lib/jvm/java-[0-9]*-openjdk-*/bin/java rix, - /{usr/,}lib/jvm/java-[0-9]*-openjdk-*/lib/server/classes.jsa mr, + @{lib}/jvm/java-[0-9]*-openjdk-*/bin/java rix, + @{lib}/jvm/java-[0-9]*-openjdk-*/lib/server/classes.jsa mr, /usr/share/java/*.jar r, /etc/java-[0-9]*-openjdk/** r, /etc/ssl/certs/java/cacerts r, @@ -113,20 +113,20 @@ profile arduino @{exec_path} { include include - /{usr/,}bin/xdg-open mr, + @{bin}/xdg-open mr, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/{m,g,}awk rix, - /{usr/,}bin/readlink rix, - /{usr/,}bin/basename rix, + @{bin}/{,ba,da}sh rix, + @{bin}/{m,g,}awk rix, + @{bin}/readlink rix, + @{bin}/basename rix, owner @{HOME}/ r, owner @{run}/user/@{uid}/ r, # Allowed apps to open - /{usr/,}lib/firefox/firefox rPUx, - /{usr/,}bin/spacefm rPUx, + @{lib}/firefox/firefox rPUx, + @{bin}/spacefm rPUx, # file_inherit owner @{HOME}/.xsession-errors w, diff --git a/apparmor.d/profiles-a-f/arduino-builder b/apparmor.d/profiles-a-f/arduino-builder index c4c0e3a7..27988615 100644 --- a/apparmor.d/profiles-a-f/arduino-builder +++ b/apparmor.d/profiles-a-f/arduino-builder 
@@ -6,30 +6,30 @@ abi , include -@{exec_path} = /{usr/,}bin/arduino-builder +@{exec_path} = @{bin}/arduino-builder profile arduino-builder @{exec_path} { include @{exec_path} mr, - /{usr/,}bin/ r, - /{usr/,}bin/avr-g++ rix, - /{usr/,}bin/avr-gcc rix, - /{usr/,}bin/avr-gcc-ar rix, - /{usr/,}bin/avr-size rix, - /{usr/,}bin/avrdude rix, - /{usr/,}lib/gcc/avr/[0-9]*/cc1plus rix, - /{usr/,}lib/gcc/avr/[0-9]*/cc1 rix, - /{usr/,}lib/gcc/avr/[0-9]*/collect2 rix, - /{usr/,}lib/gcc/avr/[0-9]*/lto-wrapper rix, - /{usr/,}lib/gcc/avr/[0-9]*/lto1 rix, - /{usr/,}lib/llvm-[0-9]*/bin/clang rix, - /{usr/,}lib/avr/bin/as rix, - /{usr/,}lib/avr/bin/ar rix, - /{usr/,}lib/avr/bin/ld rix, - /{usr/,}lib/avr/bin/objcopy rix, + @{bin}/ r, + @{bin}/avr-g++ rix, + @{bin}/avr-gcc rix, + @{bin}/avr-gcc-ar rix, + @{bin}/avr-size rix, + @{bin}/avrdude rix, + @{lib}/gcc/avr/[0-9]*/cc1plus rix, + @{lib}/gcc/avr/[0-9]*/cc1 rix, + @{lib}/gcc/avr/[0-9]*/collect2 rix, + @{lib}/gcc/avr/[0-9]*/lto-wrapper rix, + @{lib}/gcc/avr/[0-9]*/lto1 rix, + @{lib}/llvm-[0-9]*/bin/clang rix, + @{lib}/avr/bin/as rix, + @{lib}/avr/bin/ar rix, + @{lib}/avr/bin/ld rix, + @{lib}/avr/bin/objcopy rix, - /{usr/,}bin/arduino-ctags rPx, + @{bin}/arduino-ctags rPx, /usr/share/arduino/{,**} r, /usr/share/arduino-builder/{,**} r, diff --git a/apparmor.d/profiles-a-f/arduino-ctags b/apparmor.d/profiles-a-f/arduino-ctags index 32146884..b83b36ef 100644 --- a/apparmor.d/profiles-a-f/arduino-ctags +++ b/apparmor.d/profiles-a-f/arduino-ctags @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/arduino-ctags +@{exec_path} = @{bin}/arduino-ctags profile arduino-ctags @{exec_path} { include diff --git a/apparmor.d/profiles-a-f/aspell b/apparmor.d/profiles-a-f/aspell index 77f085d2..390d9544 100644 --- a/apparmor.d/profiles-a-f/aspell +++ b/apparmor.d/profiles-a-f/aspell @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/aspell +@{exec_path} = @{bin}/aspell profile aspell @{exec_path} flags=(complain) { include include 
diff --git a/apparmor.d/profiles-a-f/aspell-autobuildhash b/apparmor.d/profiles-a-f/aspell-autobuildhash index 34603739..20d2400a 100644 --- a/apparmor.d/profiles-a-f/aspell-autobuildhash +++ b/apparmor.d/profiles-a-f/aspell-autobuildhash @@ -6,25 +6,25 @@ abi , include -@{exec_path} = /{usr/,}sbin/aspell-autobuildhash +@{exec_path} = @{bin}/aspell-autobuildhash profile aspell-autobuildhash @{exec_path} flags=(complain) { include include include @{exec_path} r, - /{usr/,}bin/perl r, + @{bin}/perl r, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/which{,.debianutils} rix, - /{usr/,}bin/precat rix, - /{usr/,}bin/zcat rix, - /{usr/,}bin/gzip rix, - /{usr/,}bin/basename rix, - /{usr/,}bin/prezip-bin rix, + @{bin}/{,ba,da}sh rix, + @{bin}/basename rix, + @{bin}/gzip rix, + @{bin}/precat rix, + @{bin}/prezip-bin rix, + @{bin}/which{,.debianutils} rix, + @{bin}/zcat rix, - /{usr/,}bin/dpkg-trigger rPx, - /{usr/,}bin/aspell rPx, + @{bin}/dpkg-trigger rPx, + @{bin}/aspell rPx, # Think what to do about this (#FIXME#) /usr/share/debconf/frontend rPx, @@ -46,13 +46,13 @@ profile aspell-autobuildhash @{exec_path} flags=(complain) { include /usr/share/debconf/frontend r, - /{usr/,}bin/perl r, + @{bin}/perl r, - /{usr/,}sbin/aspell-autobuildhash rPx, + @{bin}/aspell-autobuildhash rPx, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/stty rix, - /{usr/,}bin/locale rix, + @{bin}/{,ba,da}sh rix, + @{bin}/stty rix, + @{bin}/locale rix, /etc/debconf.conf r, owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk, @@ -63,8 +63,8 @@ profile aspell-autobuildhash @{exec_path} flags=(complain) { include include capability dac_read_search, - /{usr/,}bin/lsb_release rPx -> lsb_release, - /{usr/,}bin/hostname rix, + @{bin}/lsb_release rPx -> lsb_release, + @{bin}/hostname rix, owner @{PROC}/@{pid}/mounts r, @{HOME}/.Xauthority r, diff --git a/apparmor.d/profiles-a-f/atd b/apparmor.d/profiles-a-f/atd index 1344a57a..fc4e505d 100644 --- a/apparmor.d/profiles-a-f/atd 
+++ b/apparmor.d/profiles-a-f/atd @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}{s,}bin/atd +@{exec_path} = @{bin}/atd profile atd @{exec_path} { include include @@ -26,8 +26,8 @@ profile atd @{exec_path} { @{exec_path} mr, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}{s,}bin/sendmail rPUx, + @{bin}/{,ba,da}sh rix, + @{bin}/sendmail rPUx, @{etc_ro}/environment r, @{etc_ro}/security/limits.d/ r, diff --git a/apparmor.d/profiles-a-f/atftpd b/apparmor.d/profiles-a-f/atftpd index d6e5ca5e..7d141556 100644 --- a/apparmor.d/profiles-a-f/atftpd +++ b/apparmor.d/profiles-a-f/atftpd @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}{s,}bin/atftpd +@{exec_path} = @{bin}/atftpd profile atftpd @{exec_path} { include include diff --git a/apparmor.d/profiles-a-f/atril b/apparmor.d/profiles-a-f/atril index 3ea5a707..ea018648 100644 --- a/apparmor.d/profiles-a-f/atril +++ b/apparmor.d/profiles-a-f/atril @@ -7,7 +7,7 @@ abi , include -@{exec_path} = /{usr/,}bin/atril{,-*} +@{exec_path} = @{bin}/atril{,-*} profile atril @{exec_path} { include include @@ -64,12 +64,12 @@ profile atril @{exec_path} { @{exec_path} mr, - /{usr/,}bin/{,ba,da}sh rix, + @{bin}/{,ba,da}sh rix, - /{usr/,}bin/atril-previewer rPx, + @{bin}/atril-previewer rPx, - /{usr/,}lib/@{multiarch}/webkit2gtk-4.0/WebKitNetworkProcess rix, - /{usr/,}lib/@{multiarch}/webkit2gtk-4.0/WebKitWebProcess rix, + @{lib}/@{multiarch}/webkit2gtk-4.0/WebKitNetworkProcess rix, + @{lib}/@{multiarch}/webkit2gtk-4.0/WebKitWebProcess rix, /usr/share/atril/{,**} r, /usr/share/poppler/{,**} r, @@ -110,7 +110,7 @@ profile atril @{exec_path} { include if exists } -profile /{usr/,}bin/atril-previewer { +profile @{bin}/atril-previewer { include include if exists diff --git a/apparmor.d/profiles-a-f/atrild b/apparmor.d/profiles-a-f/atrild index c2bd244a..d6bbc0ea 100644 --- a/apparmor.d/profiles-a-f/atrild +++ b/apparmor.d/profiles-a-f/atrild 
@@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}lib/atril/atrild +@{exec_path} = @{lib}/atril/atrild profile atrild @{exec_path} { include include diff --git a/apparmor.d/profiles-a-f/auditctl b/apparmor.d/profiles-a-f/auditctl index aea50ce5..be160547 100644 --- a/apparmor.d/profiles-a-f/auditctl +++ b/apparmor.d/profiles-a-f/auditctl @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/auditctl +@{exec_path} = @{bin}/auditctl profile auditctl @{exec_path} { include diff --git a/apparmor.d/profiles-a-f/auditd b/apparmor.d/profiles-a-f/auditd index a9158b76..8f76fc1b 100644 --- a/apparmor.d/profiles-a-f/auditd +++ b/apparmor.d/profiles-a-f/auditd @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}{s,}bin/auditd +@{exec_path} = @{bin}/auditd profile auditd @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/profiles-a-f/augenrules b/apparmor.d/profiles-a-f/augenrules index 7de0a43e..fad941a0 100644 --- a/apparmor.d/profiles-a-f/augenrules +++ b/apparmor.d/profiles-a-f/augenrules @@ -6,22 +6,22 @@ abi , include -@{exec_path} = /{usr/,}bin/augenrules +@{exec_path} = @{bin}/augenrules profile augenrules @{exec_path} { include include @{exec_path} mr, - /{usr/,}bin/auditctl rPx, - /{usr/,}bin/chmod rix, - /{usr/,}bin/cmp rix, - /{usr/,}bin/cp rix, - /{usr/,}bin/gawk rix, - /{usr/,}bin/grep rix, - /{usr/,}bin/ls rix, - /{usr/,}bin/mktemp rix, - /{usr/,}bin/rm rix, + @{bin}/auditctl rPx, + @{bin}/chmod rix, + @{bin}/cmp rix, + @{bin}/cp rix, + @{bin}/gawk rix, + @{bin}/grep rix, + @{bin}/ls rix, + @{bin}/mktemp rix, + @{bin}/rm rix, /etc/audit/audit.rules rw, /etc/audit/rules.d/ r, diff --git a/apparmor.d/profiles-a-f/badblocks b/apparmor.d/profiles-a-f/badblocks index d8f9b79b..3e1e35bc 100644 --- a/apparmor.d/profiles-a-f/badblocks +++ b/apparmor.d/profiles-a-f/badblocks @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}{s,}bin/badblocks +@{exec_path} = @{bin}/badblocks profile badblocks @{exec_path} { include include 
diff --git a/apparmor.d/profiles-a-f/biosdecode b/apparmor.d/profiles-a-f/biosdecode index 8d247a0d..1e5d1b6d 100644 --- a/apparmor.d/profiles-a-f/biosdecode +++ b/apparmor.d/profiles-a-f/biosdecode @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}{s,}bin/biosdecode +@{exec_path} = @{bin}/biosdecode profile biosdecode @{exec_path} { include diff --git a/apparmor.d/profiles-a-f/birdtray b/apparmor.d/profiles-a-f/birdtray index 113d364a..03d62c22 100644 --- a/apparmor.d/profiles-a-f/birdtray +++ b/apparmor.d/profiles-a-f/birdtray @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/birdtray +@{exec_path} = @{bin}/birdtray profile birdtray @{exec_path} { include include @@ -28,9 +28,9 @@ profile birdtray @{exec_path} { @{exec_path} mr, # To be able to start Thunderbird - /{usr/,}bin/thunderbird rPx, + @{bin}/thunderbird rPx, - /{usr/,}bin/xdg-open rCx -> open, + @{bin}/xdg-open rCx -> open, /usr/share/ulduzsoft/birdtray/{,**} r, @@ -76,19 +76,19 @@ profile birdtray @{exec_path} { include include - /{usr/,}bin/xdg-open mr, + @{bin}/xdg-open mr, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/{m,g,}awk rix, - /{usr/,}bin/readlink rix, - /{usr/,}bin/basename rix, + @{bin}/{,ba,da}sh rix, + @{bin}/{m,g,}awk rix, + @{bin}/readlink rix, + @{bin}/basename rix, owner @{HOME}/ r, owner @{run}/user/@{uid}/ r, # Allowed apps to open - /{usr/,}lib/firefox/firefox rPUx, + @{lib}/firefox/firefox rPUx, # file_inherit owner @{HOME}/.xsession-errors w, diff --git a/apparmor.d/profiles-a-f/blkdeactivate b/apparmor.d/profiles-a-f/blkdeactivate index 149bbbd2..3f60c79c 100644 --- a/apparmor.d/profiles-a-f/blkdeactivate +++ b/apparmor.d/profiles-a-f/blkdeactivate 
@@ -7,20 +7,20 @@ abi , include -@{exec_path} = /{usr/,}{s,}bin/blkdeactivate +@{exec_path} = @{bin}/blkdeactivate profile blkdeactivate @{exec_path} flags=(complain) { include include @{exec_path} rm, - /{usr/,}{s,}bin/multipathd rPx, - /{usr/,}{s,}bin/dmsetup rPUx, - /{usr/,}{s,}bin/lvm rPx, - /{usr/,}bin/grep rix, - /{usr/,}bin/lsblk rPx, - /{usr/,}bin/sort rix, - /{usr/,}bin/umount rPx, + @{bin}/dmsetup rPUx, + @{bin}/grep rix, + @{bin}/lsblk rPx, + @{bin}/lvm rPx, + @{bin}/multipathd rPx, + @{bin}/sort rix, + @{bin}/umount rPx, @{sys}/devices/virtual/block/*/holders/ r, diff --git a/apparmor.d/profiles-a-f/blkid b/apparmor.d/profiles-a-f/blkid index bf940e95..d593c4c5 100644 --- a/apparmor.d/profiles-a-f/blkid +++ b/apparmor.d/profiles-a-f/blkid @@ -7,7 +7,7 @@ abi , include -@{exec_path} = /{usr/,}{s,}bin/blkid +@{exec_path} = @{bin}/blkid profile blkid @{exec_path} { include include diff --git a/apparmor.d/profiles-a-f/blockdev b/apparmor.d/profiles-a-f/blockdev index 9e89d111..4ec1d3b6 100644 --- a/apparmor.d/profiles-a-f/blockdev +++ b/apparmor.d/profiles-a-f/blockdev @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}{s,}bin/blockdev +@{exec_path} = @{bin}/blockdev profile blockdev @{exec_path} { include include diff --git a/apparmor.d/profiles-a-f/blueman b/apparmor.d/profiles-a-f/blueman index 11c8d32e..4b15033d 100644 --- a/apparmor.d/profiles-a-f/blueman +++ b/apparmor.d/profiles-a-f/blueman @@ -7,7 +7,7 @@ abi , include -@{exec_path} = /{usr/,}bin/blueman-* +@{exec_path} = @{bin}/blueman-* profile blueman @{exec_path} flags=(attach_disconnected) { include include 
@@ -31,11 +31,11 @@ profile blueman @{exec_path} flags=(attach_disconnected) { @{exec_path} mrix, - /{usr/,}bin/{b,d}ash rix, - /{usr/,}lib/gio-launch-desktop rix, + @{bin}/{b,d}ash rix, + @{lib}/gio-launch-desktop rix, - /{usr/,}bin/blueman-tray rPx, - /{usr/,}bin/xdg-open rCx -> open, + @{bin}/blueman-tray rPx, + @{bin}/xdg-open rCx -> open, /usr/share/blueman/{,**} r, /usr/share/X11/xkb/{,**} r, @@ -75,21 +75,21 @@ profile blueman @{exec_path} flags=(attach_disconnected) { include include - /{usr/,}bin/xdg-open mr, + @{bin}/xdg-open mr, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/basename rix, - /{usr/,}bin/dbus-send rix, - /{usr/,}bin/file rix, - /{usr/,}bin/{m,g,}awk rix, - /{usr/,}bin/mimetype rix, - /{usr/,}bin/readlink rix, - /{usr/,}bin/uname rix, - /{usr/,}bin/xprop rix, + @{bin}/{,ba,da}sh rix, + @{bin}/basename rix, + @{bin}/dbus-send rix, + @{bin}/file rix, + @{bin}/{m,g,}awk rix, + @{bin}/mimetype rix, + @{bin}/readlink rix, + @{bin}/uname rix, + @{bin}/xprop rix, # Allowed apps to open - /{usr/,}lib/firefox/firefox rPx, - /{usr/,}bin/spacefm rPx, + @{lib}/firefox/firefox rPx, + @{bin}/spacefm rPx, /usr/share/perl5/** r, diff --git a/apparmor.d/profiles-a-f/blueman-mechanism b/apparmor.d/profiles-a-f/blueman-mechanism index b3dd451d..548c5242 100644 --- a/apparmor.d/profiles-a-f/blueman-mechanism +++ b/apparmor.d/profiles-a-f/blueman-mechanism @@ -6,8 +6,8 @@ abi , include -@{exec_path} = @{libexec}/blueman-mechanism -@{exec_path} += /{usr/,}lib/blueman/blueman-mechanism +@{exec_path} = @{lib}/blueman-mechanism +@{exec_path} += @{lib}/blueman/blueman-mechanism profile blueman-mechanism @{exec_path} flags=(attach_disconnected) { include include @@ -23,7 +23,7 @@ profile blueman-mechanism @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{libexec}/ r, + @{lib}/ r, /var/lib/blueman/network.state rw, 
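Review bot: Swapping `@{libexec}` for `@{lib}` in the blueman-mechanism attachment path and in the `@{lib}/ r` directory rule is not a pure spelling change if the two tunables expand differently; @{lib} also stands in for `/{usr/,}lib/` elsewhere in this series, so it is presumably the broader of the two. The attachment path then matches more locations and the directory read now covers every @{lib} root instead of only the libexec one; the same substitution appears in blueman-rfcomm-watcher, bluetoothd, boltd and cc-remote-login-helper. If this is intended, a comment such as `# @{lib} also covers the former @{libexec} location` beside the rule would document it; otherwise keep the `@{libexec}` form for the attachment path.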
@@ -33,10 +33,10 @@ profile blueman-mechanism @{exec_path} flags=(attach_disconnected) { /dev/rfkill rw, # For network AP - #/{usr/,}bin/ip rix, - #/{usr/,}{s,}bin/xtables-nft-multi rix, - #/{usr/,}{s,}bin/dnsmasq rPx, - #/{usr/,}{s,}bin/dhclient rPx, + #@{bin}/ip rix, + #@{bin}/xtables-nft-multi rix, + #@{bin}/dnsmasq rPx, + #@{bin}/dhclient rPx, # @{PROC}/sys/net/ipv4/ip_forward w, # @{PROC}/sys/net/ipv4/conf/ r, # @{PROC}/sys/net/ipv4/conf/*/forwarding w, diff --git a/apparmor.d/profiles-a-f/blueman-rfcomm-watcher b/apparmor.d/profiles-a-f/blueman-rfcomm-watcher index 3f00bf98..e039d780 100644 --- a/apparmor.d/profiles-a-f/blueman-rfcomm-watcher +++ b/apparmor.d/profiles-a-f/blueman-rfcomm-watcher @@ -6,14 +6,14 @@ abi , include -@{exec_path} = @{libexec}/blueman-rfcomm-watcher +@{exec_path} = @{lib}/blueman-rfcomm-watcher profile blueman-rfcomm-watcher @{exec_path} { include include @{exec_path} r, - @{libexec}/ r, + @{lib}/ r, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/profiles-a-f/bluemoon b/apparmor.d/profiles-a-f/bluemoon index 0e3b696f..12818fa6 100644 --- a/apparmor.d/profiles-a-f/bluemoon +++ b/apparmor.d/profiles-a-f/bluemoon @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/bluemoon +@{exec_path} = @{bin}/bluemoon profile bluemoon @{exec_path} { include diff --git a/apparmor.d/profiles-a-f/bluetoothctl b/apparmor.d/profiles-a-f/bluetoothctl index 253bff9c..6a1d42ba 100644 --- a/apparmor.d/profiles-a-f/bluetoothctl +++ b/apparmor.d/profiles-a-f/bluetoothctl @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/bluetoothctl +@{exec_path} = @{bin}/bluetoothctl profile bluetoothctl @{exec_path} { include diff --git a/apparmor.d/profiles-a-f/bluetoothd b/apparmor.d/profiles-a-f/bluetoothd index e88f8365..0ec3deaa 100644 --- a/apparmor.d/profiles-a-f/bluetoothd +++ b/apparmor.d/profiles-a-f/bluetoothd 
@@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{libexec}/bluetooth/bluetoothd +@{exec_path} = @{lib}/bluetooth/bluetoothd profile bluetoothd @{exec_path} { include @@ -23,7 +23,7 @@ profile bluetoothd @{exec_path} { @{exec_path} mr, - /{usr/,}lib/@{multiarch}/bluetooth/plugins/*.so mr, + @{lib}/@{multiarch}/bluetooth/plugins/*.so mr, /etc/bluetooth/{,*.conf} r, diff --git a/apparmor.d/profiles-a-f/bmon b/apparmor.d/profiles-a-f/bmon index 5474466f..ba9ef9e9 100644 --- a/apparmor.d/profiles-a-f/bmon +++ b/apparmor.d/profiles-a-f/bmon @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/bmon +@{exec_path} = @{bin}/bmon profile bmon @{exec_path} { include diff --git a/apparmor.d/profiles-a-f/boltd b/apparmor.d/profiles-a-f/boltd index 5a0123ff..c31abbca 100644 --- a/apparmor.d/profiles-a-f/boltd +++ b/apparmor.d/profiles-a-f/boltd @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{libexec}/boltd +@{exec_path} = @{lib}/boltd profile boltd @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/profiles-a-f/borg b/apparmor.d/profiles-a-f/borg index 1bd177a7..b667f348 100644 --- a/apparmor.d/profiles-a-f/borg +++ b/apparmor.d/profiles-a-f/borg @@ -7,7 +7,7 @@ abi , include -@{exec_path} = /{usr/,}bin/borg +@{exec_path} = @{bin}/borg profile borg @{exec_path} { include include 
@@ -22,18 +22,18 @@ profile borg @{exec_path} { @{exec_path} r, - /{usr/,}bin/ r, - /{usr/,}bin/python3.[0-9]* r, + @{bin}/ r, + @{bin}/python3.[0-9]* r, - /{usr/,}bin/uname rix, - /{usr/,}bin/cat rix, - /{usr/,}{s,}bin/ldconfig rix, - /{usr/,}bin/{,@{multiarch}-}ld.bfd rix, + @{bin}/{,@{multiarch}-}ld.bfd rix, + @{bin}/cat rix, + @{bin}/ldconfig rix, + @{bin}/uname rix, - /{usr/,}bin/pass rPUx, - /{usr/,}bin/ssh rPx, - /{usr/,}bin/ccache rCx -> ccache, - /{usr/,}bin/fusermount{,3} rCx -> fusermount, + @{bin}/pass rPUx, + @{bin}/ssh rPx, + @{bin}/ccache rCx -> ccache, + @{bin}/fusermount{,3} rCx -> fusermount, mount fstype=fuse -> @{MOUNTS}/, mount fstype=fuse -> @{MOUNTS}/*/, @@ -91,11 +91,11 @@ profile borg @{exec_path} { profile ccache { include - /{usr/,}bin/ccache mr, + @{bin}/ccache mr, - /{usr/,}lib/llvm-[0-9]*/bin/clang rix, - /{usr/,}bin/{,@{multiarch}-}gcc-[0-9]* rix, - /{usr/,}bin/{,@{multiarch}-}g++-[0-9]* rix, + @{lib}/llvm-[0-9]*/bin/clang rix, + @{bin}/{,@{multiarch}-}gcc-[0-9]* rix, + @{bin}/{,@{multiarch}-}g++-[0-9]* rix, /media/ccache/*/** rw, @@ -110,7 +110,7 @@ profile borg @{exec_path} { # To mount anything: capability sys_admin, - /{usr/,}bin/fusermount{,3} mr, + @{bin}/fusermount{,3} mr, /etc/fuse.conf r, diff --git a/apparmor.d/profiles-a-f/browserpass b/apparmor.d/profiles-a-f/browserpass index 4357c5ae..f1fab826 100644 --- a/apparmor.d/profiles-a-f/browserpass +++ b/apparmor.d/profiles-a-f/browserpass @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/browserpass +@{exec_path} = @{bin}/browserpass profile browserpass @{exec_path} flags=(attach_disconnected) { include include @@ -15,7 +15,7 @@ profile browserpass @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - /{usr/,}bin/gpg{2,} rCx -> gpg, + @{bin}/gpg{2,} rCx -> gpg, owner @{HOME}/.password-store/{,**} r, owner @{HOME}/.mozilla/firefox/[0-9a-z]*.*/.parentlock rw, 
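Review bot: The browserpass exec rule in this hunk is written `@{bin}/gpg{2,} rCx -> gpg,` while the child profile's hunk in the same file (next physical line) uses `@{bin}/gpg{,2} mr,`; the two alternations match the same names but read as if they were different sets. Since both lines are rewritten anyway, align on the `gpg{,2}` form that changestool and claws-mail already use in this series, i.e. `@{bin}/gpg{,2} rCx -> gpg,`.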
@@ -45,7 +45,7 @@ profile browserpass @{exec_path} flags=(attach_disconnected) { capability dac_read_search, - /{usr/,}bin/gpg{,2} mr, + @{bin}/gpg{,2} mr, owner @{HOME}/@{XDG_GPG_DIR}/ rw, owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**, diff --git a/apparmor.d/profiles-a-f/btrfs b/apparmor.d/profiles-a-f/btrfs index f2f445df..8ba14f01 100644 --- a/apparmor.d/profiles-a-f/btrfs +++ b/apparmor.d/profiles-a-f/btrfs @@ -7,7 +7,7 @@ abi , include -@{exec_path} = /{usr/,}bin/{btrfs,btrfsck} +@{exec_path} = @{bin}/{btrfs,btrfsck} profile btrfs @{exec_path} { include include diff --git a/apparmor.d/profiles-a-f/btrfs-convert b/apparmor.d/profiles-a-f/btrfs-convert index f9adb651..97ce7a2d 100644 --- a/apparmor.d/profiles-a-f/btrfs-convert +++ b/apparmor.d/profiles-a-f/btrfs-convert @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/btrfs-convert +@{exec_path} = @{bin}/btrfs-convert profile btrfs-convert @{exec_path} { include include diff --git a/apparmor.d/profiles-a-f/btrfs-find-root b/apparmor.d/profiles-a-f/btrfs-find-root index 8819f908..8f5f04a5 100644 --- a/apparmor.d/profiles-a-f/btrfs-find-root +++ b/apparmor.d/profiles-a-f/btrfs-find-root @@ -7,7 +7,7 @@ abi , include -@{exec_path} = /{usr/,}bin/btrfs-find-root +@{exec_path} = @{bin}/btrfs-find-root profile btrfs-find-root @{exec_path} { include include diff --git a/apparmor.d/profiles-a-f/btrfs-image b/apparmor.d/profiles-a-f/btrfs-image index 8dfa0db9..6364346e 100644 --- a/apparmor.d/profiles-a-f/btrfs-image +++ b/apparmor.d/profiles-a-f/btrfs-image @@ -7,7 +7,7 @@ abi , include -@{exec_path} = /{usr/,}bin/btrfs-image +@{exec_path} = @{bin}/btrfs-image profile btrfs-image @{exec_path} { include include diff --git a/apparmor.d/profiles-a-f/btrfs-map-logical b/apparmor.d/profiles-a-f/btrfs-map-logical index e1948f11..1f57e93f 100644 --- a/apparmor.d/profiles-a-f/btrfs-map-logical +++ b/apparmor.d/profiles-a-f/btrfs-map-logical 
@@ -7,7 +7,7 @@ abi , include -@{exec_path} = /{usr/,}bin/btrfs-map-logical +@{exec_path} = @{bin}/btrfs-map-logical profile btrfs-map-logical @{exec_path} { include include diff --git a/apparmor.d/profiles-a-f/btrfs-select-super b/apparmor.d/profiles-a-f/btrfs-select-super index 2bdca765..f01b9070 100644 --- a/apparmor.d/profiles-a-f/btrfs-select-super +++ b/apparmor.d/profiles-a-f/btrfs-select-super @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/btrfs-select-super +@{exec_path} = @{bin}/btrfs-select-super profile btrfs-select-super @{exec_path} { include include diff --git a/apparmor.d/profiles-a-f/btrfstune b/apparmor.d/profiles-a-f/btrfstune index e779b4d7..bc76fc51 100644 --- a/apparmor.d/profiles-a-f/btrfstune +++ b/apparmor.d/profiles-a-f/btrfstune @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/btrfstune +@{exec_path} = @{bin}/btrfstune profile btrfstune @{exec_path} { include include diff --git a/apparmor.d/profiles-a-f/cawbird b/apparmor.d/profiles-a-f/cawbird index cc69661b..2414a422 100644 --- a/apparmor.d/profiles-a-f/cawbird +++ b/apparmor.d/profiles-a-f/cawbird @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/cawbird +@{exec_path} = @{bin}/cawbird profile cawbird @{exec_path} { include include @@ -28,10 +28,10 @@ profile cawbird @{exec_path} { @{exec_path} mr, - /{usr/,}bin/{,ba,da}sh rix, + @{bin}/{,ba,da}sh rix, - /{usr/,}bin/xdg-open rCx -> open, - /{usr/,}bin/exo-open rCx -> open, + @{bin}/xdg-open rCx -> open, + @{bin}/exo-open rCx -> open, owner @{user_config_dirs}/cawbird/ rw, owner @{user_config_dirs}/cawbird/** rwk, 
@@ -51,19 +51,19 @@ profile cawbird @{exec_path} { include include - /{usr/,}bin/xdg-open mr, + @{bin}/xdg-open mr, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/{m,g,}awk rix, - /{usr/,}bin/readlink rix, - /{usr/,}bin/basename rix, + @{bin}/{,ba,da}sh rix, + @{bin}/{m,g,}awk rix, + @{bin}/readlink rix, + @{bin}/basename rix, owner @{HOME}/ r, owner @{run}/user/@{uid}/ r, # Allowed apps to open - /{usr/,}lib/firefox/firefox rPUx, + @{lib}/firefox/firefox rPUx, # file_inherit owner @{HOME}/.xsession-errors w, diff --git a/apparmor.d/profiles-a-f/cc-remote-login-helper b/apparmor.d/profiles-a-f/cc-remote-login-helper index 1c70969f..5bb52d71 100644 --- a/apparmor.d/profiles-a-f/cc-remote-login-helper +++ b/apparmor.d/profiles-a-f/cc-remote-login-helper @@ -5,7 +5,7 @@ abi , include -@{exec_path} = @{libexec}/cc-remote-login-helper +@{exec_path} = @{lib}/cc-remote-login-helper profile cc-remote-login-helper @{exec_path} { include diff --git a/apparmor.d/profiles-a-f/ccze b/apparmor.d/profiles-a-f/ccze index 75f8b085..6be60b98 100644 --- a/apparmor.d/profiles-a-f/ccze +++ b/apparmor.d/profiles-a-f/ccze @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/ccze +@{exec_path} = @{bin}/ccze profile ccze @{exec_path} { include include @@ -14,7 +14,7 @@ profile ccze @{exec_path} { @{exec_path} mr, - /{usr/,}lib/@{multiarch}/ccze/*.so mr, + @{lib}/@{multiarch}/ccze/*.so mr, /etc/cczerc r, diff --git a/apparmor.d/profiles-a-f/cert-sync b/apparmor.d/profiles-a-f/cert-sync index cc049296..4a29dbdb 100644 --- a/apparmor.d/profiles-a-f/cert-sync +++ b/apparmor.d/profiles-a-f/cert-sync @@ -6,13 +6,13 @@ abi , include -@{exec_path} = /{usr/,}bin/cert-sync +@{exec_path} = @{bin}/cert-sync profile cert-sync @{exec_path} { include @{exec_path} mr, - /{usr/,}bin/mono-sgen rPx, + @{bin}/mono-sgen rPx, include if exists } \ No newline at end of file diff --git a/apparmor.d/profiles-a-f/cfdisk b/apparmor.d/profiles-a-f/cfdisk index eb577f02..f88a9fba 100644 
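Review bot: The `\ No newline at end of file` marker shows cert-sync still ends without a trailing newline after this rewrite, unlike the other profiles touched here; since the hunk already reaches the closing `}`, adding the newline would have cost nothing. Cosmetic only, but it keeps diff and concatenation tooling quiet on this file.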
--- a/apparmor.d/profiles-a-f/cfdisk +++ b/apparmor.d/profiles-a-f/cfdisk @@ -7,7 +7,7 @@ abi , include -@{exec_path} = /{usr/,}{s,}bin/cfdisk +@{exec_path} = @{bin}/cfdisk profile cfdisk @{exec_path} { include include diff --git a/apparmor.d/profiles-a-f/cgdisk b/apparmor.d/profiles-a-f/cgdisk index f2357d35..e05da04b 100644 --- a/apparmor.d/profiles-a-f/cgdisk +++ b/apparmor.d/profiles-a-f/cgdisk @@ -7,7 +7,7 @@ abi , include -@{exec_path} = /{usr/,}{s,}bin/cgdisk +@{exec_path} = @{bin}/cgdisk profile cgdisk @{exec_path} { include include diff --git a/apparmor.d/profiles-a-f/cgrulesengd b/apparmor.d/profiles-a-f/cgrulesengd index dc720c6b..0069a281 100644 --- a/apparmor.d/profiles-a-f/cgrulesengd +++ b/apparmor.d/profiles-a-f/cgrulesengd @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}{s,}bin/cgrulesengd +@{exec_path} = @{bin}/cgrulesengd profile cgrulesengd @{exec_path} { include include diff --git a/apparmor.d/profiles-a-f/chage b/apparmor.d/profiles-a-f/chage index 9654eb1d..8372b5d0 100644 --- a/apparmor.d/profiles-a-f/chage +++ b/apparmor.d/profiles-a-f/chage @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/chage +@{exec_path} = @{bin}/chage profile chage @{exec_path} { include include diff --git a/apparmor.d/profiles-a-f/changestool b/apparmor.d/profiles-a-f/changestool index ab1cc85b..835126cc 100644 --- a/apparmor.d/profiles-a-f/changestool +++ b/apparmor.d/profiles-a-f/changestool @@ -6,15 +6,15 @@ abi , include -@{exec_path} = /{usr/,}bin/changestool +@{exec_path} = @{bin}/changestool profile changestool @{exec_path} { include @{exec_path} mr, - /{usr/,}bin/gpg{,2} rCx -> gpg, - /{usr/,}bin/gpgconf rCx -> gpg, - /{usr/,}bin/gpgsm rCx -> gpg, + @{bin}/gpg{,2} rCx -> gpg, + @{bin}/gpgconf rCx -> gpg, + @{bin}/gpgsm rCx -> gpg, owner @{PROC}/@{pid}/fd/ r, 
@@ -25,9 +25,9 @@ profile changestool @{exec_path} { profile gpg { include - /{usr/,}bin/gpg{,2} mr, - /{usr/,}bin/gpgconf mr, - /{usr/,}bin/gpgsm mr, + @{bin}/gpg{,2} mr, + @{bin}/gpgconf mr, + @{bin}/gpgsm mr, owner @{HOME}/@{XDG_GPG_DIR}/ r, owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**, diff --git a/apparmor.d/profiles-a-f/check-bios-nx b/apparmor.d/profiles-a-f/check-bios-nx index a17264d6..68e7d65b 100644 --- a/apparmor.d/profiles-a-f/check-bios-nx +++ b/apparmor.d/profiles-a-f/check-bios-nx @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}{s,}bin/check-bios-nx +@{exec_path} = @{bin}/check-bios-nx profile check-bios-nx @{exec_path} { include include @@ -16,15 +16,15 @@ profile check-bios-nx @{exec_path} { capability dac_override, @{exec_path} r, - /{usr/,}bin/{,ba,da}sh rix, + @{bin}/{,ba,da}sh rix, - /{usr/,}bin/uname rix, - /{usr/,}bin/{,e}grep rix, - /{usr/,}bin/getopt rix, + @{bin}/uname rix, + @{bin}/{,e}grep rix, + @{bin}/getopt rix, - /{usr/,}bin/kmod rCx -> kmod, + @{bin}/kmod rCx -> kmod, - /{usr/,}{s,}bin/rdmsr rPx, + @{bin}/rdmsr rPx, owner @{PROC}/@{pid}/fd/2 w, @@ -32,13 +32,13 @@ profile check-bios-nx @{exec_path} { profile kmod { include - /{usr/,}bin/kmod mr, + @{bin}/kmod mr, /etc/modprobe.d/ r, /etc/modprobe.d/*.conf r, - /{usr/,}lib/modprobe.d/ r, - /{usr/,}lib/modprobe.d/*.conf r, - /{usr/,}lib/modules/*/modules.* r, + @{lib}/modprobe.d/ r, + @{lib}/modprobe.d/*.conf r, + @{lib}/modules/*/modules.* r, @{PROC}/cmdline r, diff --git a/apparmor.d/profiles-a-f/check-support-status b/apparmor.d/profiles-a-f/check-support-status index 3cc421ff..0fcac4d6 100644 --- a/apparmor.d/profiles-a-f/check-support-status +++ b/apparmor.d/profiles-a-f/check-support-status 
@@ -6,46 +6,46 @@ abi , include -@{exec_path} = /{usr/,}bin/check-support-status +@{exec_path} = @{bin}/check-support-status profile check-support-status @{exec_path} { include include @{exec_path} rix, - /{usr/,}bin/{,ba,da}sh rix, + @{bin}/{,ba,da}sh rix, - /{usr/,}bin/ r, - /{usr/,}bin/gettext.sh r, - /{usr/,}bin/cat rix, - /{usr/,}bin/{,e}grep rix, - /{usr/,}bin/cut rix, - /{usr/,}bin/date rix, - /{usr/,}bin/getopt rix, - /{usr/,}bin/fold rix, - /{usr/,}bin/mktemp rix, - /{usr/,}bin/rm rix, - /{usr/,}bin/comm rix, - /{usr/,}bin/mkdir rix, - /{usr/,}bin/mv rix, - /{usr/,}bin/find rix, - /{usr/,}bin/wc rix, - /{usr/,}bin/basename rix, - /{usr/,}bin/{m,g,}awk rix, - /{usr/,}bin/sort rix, - /{usr/,}bin/head rix, - /{usr/,}bin/gettext rix, - /{usr/,}bin/sed rix, - /{usr/,}bin/envsubst rix, - /{usr/,}bin/dirname rix, + @{bin}/ r, + @{bin}/gettext.sh r, + @{bin}/cat rix, + @{bin}/{,e}grep rix, + @{bin}/cut rix, + @{bin}/date rix, + @{bin}/getopt rix, + @{bin}/fold rix, + @{bin}/mktemp rix, + @{bin}/rm rix, + @{bin}/comm rix, + @{bin}/mkdir rix, + @{bin}/mv rix, + @{bin}/find rix, + @{bin}/wc rix, + @{bin}/basename rix, + @{bin}/{m,g,}awk rix, + @{bin}/sort rix, + @{bin}/head rix, + @{bin}/gettext rix, + @{bin}/sed rix, + @{bin}/envsubst rix, + @{bin}/dirname rix, # Do not strip env to avoid errors like the following: # ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open # shared object file): ignored. - /{usr/,}bin/dpkg-query rpx, + @{bin}/dpkg-query rpx, - /{usr/,}bin/dpkg rPx -> child-dpkg, + @{bin}/dpkg rPx -> child-dpkg, - /{usr/,}bin/debconf-escape rCx -> debconf-escape, + @{bin}/debconf-escape rCx -> debconf-escape, /etc/debian_version r, @@ -69,8 +69,8 @@ profile check-support-status @{exec_path} { include include - /{usr/,}bin/debconf-escape r, - /{usr/,}bin/perl r, + @{bin}/debconf-escape r, + @{bin}/perl r, owner /tmp/debian-security-support.postinst.*/output r, 
diff --git a/apparmor.d/profiles-a-f/check-support-status-hook b/apparmor.d/profiles-a-f/check-support-status-hook index 9414b670..f6d0ecb6 100644 --- a/apparmor.d/profiles-a-f/check-support-status-hook +++ b/apparmor.d/profiles-a-f/check-support-status-hook @@ -13,20 +13,20 @@ profile check-support-status-hook @{exec_path} { include @{exec_path} r, - /{usr/,}bin/{,ba,da}sh rix, + @{bin}/{,ba,da}sh rix, - /{usr/,}bin/ r, - /{usr/,}bin/getent rix, - /{usr/,}bin/mkdir rix, - /{usr/,}bin/chown rix, - /{usr/,}bin/stat rix, - /{usr/,}bin/mktemp rix, - /{usr/,}bin/rm rix, + @{bin}/ r, + @{bin}/getent rix, + @{bin}/mkdir rix, + @{bin}/chown rix, + @{bin}/stat rix, + @{bin}/mktemp rix, + @{bin}/rm rix, - /{usr/,}sbin/adduser rPx, - /{usr/,}bin/check-support-status rPx, - /{usr/,}bin/debconf-escape rCx -> debconf-escape, - /{usr/,}sbin/runuser rCx -> runuser, + @{bin}/adduser rPx, + @{bin}/check-support-status rPx, + @{bin}/debconf-escape rCx -> debconf-escape, + @{bin}/runuser rCx -> runuser, # Think what to do about this (#FIXME#) /usr/share/debconf/frontend rPx, @@ -51,8 +51,8 @@ profile check-support-status-hook @{exec_path} { include include - /{usr/,}bin/debconf-escape r, - /{usr/,}bin/perl r, + @{bin}/debconf-escape r, + @{bin}/perl r, /tmp/ r, owner /tmp/debian-security-support.postinst.*/output r, @@ -66,14 +66,14 @@ profile check-support-status-hook @{exec_path} { include /usr/share/debconf/frontend r, - /{usr/,}bin/perl r, + @{bin}/perl r, /usr/share/debian-security-support/ r, /usr/share/debian-security-support/check-support-status.hook rPx, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/stty rix, - /{usr/,}bin/locale rix, + @{bin}/{,ba,da}sh rix, + @{bin}/stty rix, + @{bin}/locale rix, /etc/debconf.conf r, owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk, 
@@ -84,8 +84,8 @@ profile check-support-status-hook @{exec_path} { include include capability dac_read_search, - /{usr/,}bin/lsb_release rPx -> lsb_release, - /{usr/,}bin/hostname rix, + @{bin}/lsb_release rPx -> lsb_release, + @{bin}/hostname rix, owner @{PROC}/@{pid}/mounts r, @{HOME}/.Xauthority r, @@ -110,11 +110,11 @@ profile check-support-status-hook @{exec_path} { # To write records to the kernel auditing log. capability audit_write, - /{usr/,}sbin/runuser mr, + @{bin}/runuser mr, - /{usr/,}bin/{,ba,da}sh rix, + @{bin}/{,ba,da}sh rix, - /{usr/,}bin/check-support-status rPx, + @{bin}/check-support-status rPx, owner @{PROC}/@{pids}/loginuid r, @{PROC}/1/limits r, diff --git a/apparmor.d/profiles-a-f/chfn b/apparmor.d/profiles-a-f/chfn index 0ad1563a..515f2efd 100644 --- a/apparmor.d/profiles-a-f/chfn +++ b/apparmor.d/profiles-a-f/chfn @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/chfn +@{exec_path} = @{bin}/chfn profile chfn @{exec_path} { include include diff --git a/apparmor.d/profiles-a-f/chronyd b/apparmor.d/profiles-a-f/chronyd index a7344d9d..dc2cc393 100644 --- a/apparmor.d/profiles-a-f/chronyd +++ b/apparmor.d/profiles-a-f/chronyd @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}{s,}bin/chronyd +@{exec_path} = @{bin}/chronyd profile chronyd @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/profiles-a-f/chsh b/apparmor.d/profiles-a-f/chsh index d154524b..8a9a8aa9 100644 --- a/apparmor.d/profiles-a-f/chsh +++ b/apparmor.d/profiles-a-f/chsh @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/chsh +@{exec_path} = @{bin}/chsh profile chsh @{exec_path} { include include diff --git a/apparmor.d/profiles-a-f/claws-mail b/apparmor.d/profiles-a-f/claws-mail index e3796f3f..5c51af7c 100644 --- a/apparmor.d/profiles-a-f/claws-mail +++ b/apparmor.d/profiles-a-f/claws-mail 
@@ -7,7 +7,7 @@ abi , include -@{exec_path} = /{usr/,}bin/claws-mail +@{exec_path} = @{bin}/claws-mail profile claws-mail @{exec_path} flags=(complain) { include include @@ -23,16 +23,16 @@ profile claws-mail @{exec_path} flags=(complain) { @{exec_path} mr, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/which{,.debianutils} rix, + @{bin}/{,ba,da}sh rix, + @{bin}/which{,.debianutils} rix, - /{usr/,}bin/gpg{,2} rCx -> gpg, - /{usr/,}bin/gpgsm rCx -> gpg, - /{usr/,}bin/gpgconf rCx -> gpg, + @{bin}/gpg{,2} rCx -> gpg, + @{bin}/gpgsm rCx -> gpg, + @{bin}/gpgconf rCx -> gpg, - /{usr/,}bin/orage rPUx, - /{usr/,}{s,}bin/exim4 rPUx, - /{usr/,}bin/geany rPUx, + @{bin}/orage rPUx, + @{bin}/exim4 rPUx, + @{bin}/geany rPUx, /usr/share/publicsuffix/*.dafsa r, /usr/share/sounds/freedesktop/stereo/*.oga r, @@ -60,9 +60,9 @@ profile claws-mail @{exec_path} flags=(complain) { profile gpg { include - /{usr/,}bin/gpg{,2} mr, - /{usr/,}bin/gpgsm mr, - /{usr/,}bin/gpgconf mr, + @{bin}/gpg{,2} mr, + @{bin}/gpgsm mr, + @{bin}/gpgconf mr, owner @{HOME}/@{XDG_GPG_DIR}/ rw, owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**, diff --git a/apparmor.d/profiles-a-f/code-askpass b/apparmor.d/profiles-a-f/code-askpass index cbcfd7b6..2b56494d 100644 --- a/apparmor.d/profiles-a-f/code-askpass +++ b/apparmor.d/profiles-a-f/code-askpass @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}lib/code/extensions/git/dist/askpass.sh +@{exec_path} = @{lib}/code/extensions/git/dist/askpass.sh profile code-askpass @{exec_path} { include @@ -15,11 +15,11 @@ profile code-askpass @{exec_path} { @{exec_path} mr, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/cat rix, - /{usr/,}bin/mktemp rix, - /{usr/,}bin/rm rix, - /{usr/,}lib/electron[0-9]*/electron rUx, + @{bin}/{,ba,da}sh rix, + @{bin}/cat rix, + @{bin}/mktemp rix, + @{bin}/rm rix, + @{lib}/electron[0-9]*/electron rUx, /usr/share/terminfo/x/xterm-256color r, 
diff --git a/apparmor.d/profiles-a-f/code-git-editor b/apparmor.d/profiles-a-f/code-git-editor index 9d1a7637..2ea62ad9 100644 --- a/apparmor.d/profiles-a-f/code-git-editor +++ b/apparmor.d/profiles-a-f/code-git-editor @@ -6,14 +6,14 @@ abi , include -@{exec_path} = /{usr/,}lib/code/extensions/git/dist/git-editor.sh +@{exec_path} = @{lib}/code/extensions/git/dist/git-editor.sh profile code-git-editor @{exec_path} { include @{exec_path} mr, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}lib/electron[0-9]*/electron rUx, + @{bin}/{,ba,da}sh rix, + @{lib}/electron[0-9]*/electron rUx, /dev/tty rw, diff --git a/apparmor.d/profiles-a-f/compton b/apparmor.d/profiles-a-f/compton index f24d2710..baf8a38b 100644 --- a/apparmor.d/profiles-a-f/compton +++ b/apparmor.d/profiles-a-f/compton @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/compton +@{exec_path} = @{bin}/compton profile compton @{exec_path} { include diff --git a/apparmor.d/profiles-a-f/conky b/apparmor.d/profiles-a-f/conky index d8d0ddf6..4fbaba97 100644 --- a/apparmor.d/profiles-a-f/conky +++ b/apparmor.d/profiles-a-f/conky @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/conky +@{exec_path} = @{bin}/conky profile conky @{exec_path} { include include 
@@ -32,36 +32,36 @@ profile conky @{exec_path} { @{exec_path} mr, # Needed tools to render conky output - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/cp rix, - /{usr/,}bin/rm rix, - /{usr/,}bin/sed rix, - /{usr/,}bin/{,e}grep rix, - /{usr/,}bin/{m,g,}awk rix, - /{usr/,}bin/tr rix, - /{usr/,}bin/uniq rix, - /{usr/,}bin/head rix, - /{usr/,}bin/cut rix, - /{usr/,}bin/date rix, - /{usr/,}bin/cat rix, - /{usr/,}bin/wc rix, - /{usr/,}bin/sed rix, - /{usr/,}bin/sleep rix, + @{bin}/{,ba,da}sh rix, + @{bin}/cp rix, + @{bin}/rm rix, + @{bin}/sed rix, + @{bin}/{,e}grep rix, + @{bin}/{m,g,}awk rix, + @{bin}/tr rix, + @{bin}/uniq rix, + @{bin}/head rix, + @{bin}/cut rix, + @{bin}/date rix, + @{bin}/cat rix, + @{bin}/wc rix, + @{bin}/sed rix, + @{bin}/sleep rix, # For external IP address - #/{usr/,}bin/dig rix, + #@{bin}/dig rix, #owner @{PROC}/@{pid}/task/@{tid}/comm rw, # To remove the following error: # .conky/Accuweather_conky_script/accuweather: line 917: /usr/bin/pkill: Permission denied - /{usr/,}bin/pgrep rix, + @{bin}/pgrep rix, @{PROC}/sys/kernel/osrelease r, # Browsers to fetch remote content - /{usr/,}bin/wget rCx -> browse, - /{usr/,}bin/curl rCx -> browse, - /{usr/,}bin/lynx rCx -> browse, - /{usr/,}bin/w3m rCx -> browse, + @{bin}/wget rCx -> browse, + @{bin}/curl rCx -> browse, + @{bin}/lynx rCx -> browse, + @{bin}/w3m rCx -> browse, # Conky home files owner @{HOME}/ r, @@ -69,13 +69,13 @@ profile conky @{exec_path} { owner @{HOME}/.conky/** rw, # Display images (graphic) inside of the conky window - /{usr/,}lib/@{multiarch}/imlib2/loaders/*.so mr, + @{lib}/@{multiarch}/imlib2/loaders/*.so mr, # Get the PRETTY_NAME name from /etc/os-release link /etc/ r, # Get the kernel version and its architecture via "uname -r" - /{usr/,}bin/uname rix, + @{bin}/uname rix, # Display machine's hostname /etc/hostname r, 
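Review bot: `@{bin}/sed rix,` appears twice in the rewritten tool list of this hunk (fourth and fourteenth entries), carried over from the old side; a duplicate rule is harmless to the parser but suggests the list was never deduplicated. Since every line of the list is touched here, drop the second occurrence. The rest of the conky profile body lies outside the hunk.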
@@ -127,17 +127,17 @@ profile conky @{exec_path} { /dev/shm/#[0-9]*[0-9] rw, # Temperatures and Fans - /{usr/,}bin/sensors rPUx, + @{bin}/sensors rPUx, @{sys}/devices/**/hwmon[0-9]*/temp[0-9]*_input r, @{sys}/devices/**/hwmon/hwmon[0-9]*/temp[0-9]*_input r, @{sys}/class/hwmon/ r, @{PROC}/acpi/ibm/fan r, # Display network data transfer status - /{usr/,}bin/vnstat rPUx, + @{bin}/vnstat rPUx, # Display Secure Boot status - /{usr/,}bin/mokutil rPUx, + @{bin}/mokutil rPUx, @{PROC}/@{pid}/net/route r, @@ -163,12 +163,12 @@ profile conky @{exec_path} { network inet6 stream, network netlink raw, - /{usr/,}bin/wget mr, - /{usr/,}bin/curl mr, - /{usr/,}bin/lynx mr, - /{usr/,}bin/w3m mr, + @{bin}/wget mr, + @{bin}/curl mr, + @{bin}/lynx mr, + @{bin}/w3m mr, - /{usr/,}bin/{,ba,da}sh rix, + @{bin}/{,ba,da}sh rix, /etc/mime.types r, /etc/mailcap r, diff --git a/apparmor.d/profiles-a-f/convertall b/apparmor.d/profiles-a-f/convertall index 47933cc8..cbdfab62 100644 --- a/apparmor.d/profiles-a-f/convertall +++ b/apparmor.d/profiles-a-f/convertall @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/convertall /usr/share/convertall/convertall.py +@{exec_path} = @{bin}/convertall /usr/share/convertall/convertall.py profile convertall @{exec_path} { include include @@ -21,9 +21,9 @@ profile convertall @{exec_path} { include @{exec_path} r, - /{usr/,}bin/{,ba,da}sh rix, + @{bin}/{,ba,da}sh rix, - /{usr/,}bin/python3.[0-9]* rix, + @{bin}/python3.[0-9]* rix, owner @{HOME}/.convertall rw, diff --git a/apparmor.d/profiles-a-f/cppw-cpgr b/apparmor.d/profiles-a-f/cppw-cpgr index fc2ba446..1154877a 100644 --- a/apparmor.d/profiles-a-f/cppw-cpgr +++ b/apparmor.d/profiles-a-f/cppw-cpgr @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}{s,}bin/cp{pw,gr} +@{exec_path} = @{bin}/cp{pw,gr} profile cppw-cpgr @{exec_path} { include diff --git a/apparmor.d/profiles-a-f/cpuid b/apparmor.d/profiles-a-f/cpuid index d8c69371..98c184f6 100644 --- a/apparmor.d/profiles-a-f/cpuid 
+++ b/apparmor.d/profiles-a-f/cpuid @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/cpuid +@{exec_path} = @{bin}/cpuid profile cpuid @{exec_path} { include diff --git a/apparmor.d/profiles-a-f/cracklib-packer b/apparmor.d/profiles-a-f/cracklib-packer index 8ef3e295..9b347c66 100644 --- a/apparmor.d/profiles-a-f/cracklib-packer +++ b/apparmor.d/profiles-a-f/cracklib-packer @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}{s,}bin/cracklib-packer +@{exec_path} = @{bin}/cracklib-packer profile cracklib-packer @{exec_path} { include diff --git a/apparmor.d/profiles-a-f/crda b/apparmor.d/profiles-a-f/crda index aa7aad6b..e4f67aff 100644 --- a/apparmor.d/profiles-a-f/crda +++ b/apparmor.d/profiles-a-f/crda @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}{s,}bin/crda +@{exec_path} = @{bin}/crda profile crda @{exec_path} { include diff --git a/apparmor.d/profiles-a-f/cups-backend-beh b/apparmor.d/profiles-a-f/cups-backend-beh index 676bbcb1..716e376e 100644 --- a/apparmor.d/profiles-a-f/cups-backend-beh +++ b/apparmor.d/profiles-a-f/cups-backend-beh @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}lib/cups/backend/beh +@{exec_path} = @{lib}/cups/backend/beh profile cups-backend-beh @{exec_path} { include diff --git a/apparmor.d/profiles-a-f/cups-backend-brf b/apparmor.d/profiles-a-f/cups-backend-brf index 24211196..4157bbba 100644 --- a/apparmor.d/profiles-a-f/cups-backend-brf +++ b/apparmor.d/profiles-a-f/cups-backend-brf @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}lib/cups/backend/cups-brf +@{exec_path} = @{lib}/cups/backend/cups-brf profile cups-backend-brf @{exec_path} { include diff --git a/apparmor.d/profiles-a-f/cups-backend-dnssd b/apparmor.d/profiles-a-f/cups-backend-dnssd index cfc987c5..dea4763f 100644 --- a/apparmor.d/profiles-a-f/cups-backend-dnssd +++ b/apparmor.d/profiles-a-f/cups-backend-dnssd 
@@ -6,7 +6,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}lib/cups/backend/dnssd
+@{exec_path} = @{lib}/cups/backend/dnssd
 profile cups-backend-dnssd @{exec_path} {
 include
diff --git a/apparmor.d/profiles-a-f/cups-backend-implicitclass b/apparmor.d/profiles-a-f/cups-backend-implicitclass
index 4311b10b..91ca44d1 100644
--- a/apparmor.d/profiles-a-f/cups-backend-implicitclass
+++ b/apparmor.d/profiles-a-f/cups-backend-implicitclass
@@ -6,7 +6,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}lib/cups/backend/implicitclass
+@{exec_path} = @{lib}/cups/backend/implicitclass
 profile cups-backend-implicitclass @{exec_path} {
 include
diff --git a/apparmor.d/profiles-a-f/cups-backend-ipp b/apparmor.d/profiles-a-f/cups-backend-ipp
index ddf6834b..70fffc4c 100644
--- a/apparmor.d/profiles-a-f/cups-backend-ipp
+++ b/apparmor.d/profiles-a-f/cups-backend-ipp
@@ -6,7 +6,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}lib/cups/backend/ipp
+@{exec_path} = @{lib}/cups/backend/ipp
 profile cups-backend-ipp @{exec_path} {
 include
diff --git a/apparmor.d/profiles-a-f/cups-backend-lpd b/apparmor.d/profiles-a-f/cups-backend-lpd
index eec56070..b0c2cc72 100644
--- a/apparmor.d/profiles-a-f/cups-backend-lpd
+++ b/apparmor.d/profiles-a-f/cups-backend-lpd
@@ -6,7 +6,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}lib/cups/backend/lpd
+@{exec_path} = @{lib}/cups/backend/lpd
 profile cups-backend-lpd @{exec_path} {
 include
diff --git a/apparmor.d/profiles-a-f/cups-backend-parallel b/apparmor.d/profiles-a-f/cups-backend-parallel
index b0318f02..427754e5 100644
--- a/apparmor.d/profiles-a-f/cups-backend-parallel
+++ b/apparmor.d/profiles-a-f/cups-backend-parallel
@@ -6,7 +6,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}lib/cups/backend/parallel
+@{exec_path} = @{lib}/cups/backend/parallel
 profile cups-backend-parallel @{exec_path} {
 include
diff --git a/apparmor.d/profiles-a-f/cups-backend-pdf b/apparmor.d/profiles-a-f/cups-backend-pdf
index fa586345..da37447d 100644
--- a/apparmor.d/profiles-a-f/cups-backend-pdf
+++ b/apparmor.d/profiles-a-f/cups-backend-pdf
@@ -6,7 +6,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}lib/cups/backend/cups-pdf
+@{exec_path} = @{lib}/cups/backend/cups-pdf
 profile cups-backend-pdf @{exec_path} {
 include
 include
@@ -22,11 +22,11 @@ profile cups-backend-pdf @{exec_path} {
 @{exec_path} mr,
- /{usr/,}bin/{,ba,da}sh rix,
- /{usr/,}bin/cp rix,
- /{usr/,}bin/gs rix,
- /{usr/,}bin/gsc rix,
- /{usr/,}lib/ghostscript/** mr,
+ @{bin}/{,ba,da}sh rix,
+ @{bin}/cp rix,
+ @{bin}/gs rix,
+ @{bin}/gsc rix,
+ @{lib}/ghostscript/** mr,
 /usr/share/ghostscript/{,**} r,
diff --git a/apparmor.d/profiles-a-f/cups-backend-serial b/apparmor.d/profiles-a-f/cups-backend-serial
index 33264531..f5084e08 100644
--- a/apparmor.d/profiles-a-f/cups-backend-serial
+++ b/apparmor.d/profiles-a-f/cups-backend-serial
@@ -6,7 +6,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}lib/cups/backend/serial
+@{exec_path} = @{lib}/cups/backend/serial
 profile cups-backend-serial @{exec_path} {
 include
diff --git a/apparmor.d/profiles-a-f/cups-backend-snmp b/apparmor.d/profiles-a-f/cups-backend-snmp
index 40f2e03e..510c9fe8 100644
--- a/apparmor.d/profiles-a-f/cups-backend-snmp
+++ b/apparmor.d/profiles-a-f/cups-backend-snmp
@@ -6,7 +6,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}lib/cups/backend/snmp
+@{exec_path} = @{lib}/cups/backend/snmp
 profile cups-backend-snmp @{exec_path} {
 include
diff --git a/apparmor.d/profiles-a-f/cups-backend-socket b/apparmor.d/profiles-a-f/cups-backend-socket
index 8c66d634..7b471690 100644
--- a/apparmor.d/profiles-a-f/cups-backend-socket
+++ b/apparmor.d/profiles-a-f/cups-backend-socket
@@ -6,7 +6,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}lib/cups/backend/socket
+@{exec_path} = @{lib}/cups/backend/socket
 profile cups-backend-socket @{exec_path} {
 include
diff --git a/apparmor.d/profiles-a-f/cups-backend-usb b/apparmor.d/profiles-a-f/cups-backend-usb
index e6c56800..648a1738 100644
--- a/apparmor.d/profiles-a-f/cups-backend-usb
+++ b/apparmor.d/profiles-a-f/cups-backend-usb
@@ -6,7 +6,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}lib/cups/backend/usb
+@{exec_path} = @{lib}/cups/backend/usb
 profile cups-backend-usb @{exec_path} {
 include
 include
diff --git a/apparmor.d/profiles-a-f/cups-browsed b/apparmor.d/profiles-a-f/cups-browsed
index 2dbef344..ed117a5a 100644
--- a/apparmor.d/profiles-a-f/cups-browsed
+++ b/apparmor.d/profiles-a-f/cups-browsed
@@ -6,7 +6,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}{s,}bin/cups-browsed
+@{exec_path} = @{bin}/cups-browsed
 profile cups-browsed @{exec_path} {
 include
 include
diff --git a/apparmor.d/profiles-a-f/cups-pk-helper-mechanism b/apparmor.d/profiles-a-f/cups-pk-helper-mechanism
index f54b06b6..03d4040d 100644
--- a/apparmor.d/profiles-a-f/cups-pk-helper-mechanism
+++ b/apparmor.d/profiles-a-f/cups-pk-helper-mechanism
@@ -6,8 +6,8 @@ abi ,
 include
-@{exec_path} = @{libexec}/{,cups-pk-helper/}cups-pk-helper-mechanism
-@{exec_path} += /{usr/,}lib/@{multiarch}/cups-pk-helper-mechanism
+@{exec_path} = @{lib}/{,cups-pk-helper/}cups-pk-helper-mechanism
+@{exec_path} += @{lib}/@{multiarch}/cups-pk-helper-mechanism
 profile cups-pk-helper-mechanism @{exec_path} {
 include
 include
diff --git a/apparmor.d/profiles-a-f/cupsd b/apparmor.d/profiles-a-f/cupsd
index 83395ee3..7ca3d5fd 100644
--- a/apparmor.d/profiles-a-f/cupsd
+++ b/apparmor.d/profiles-a-f/cupsd
@@ -4,7 +4,7 @@
 include
-@{exec_path} = /{usr/,}{s,}bin/cupsd
+@{exec_path} = @{bin}/cupsd
 profile cupsd @{exec_path} flags=(attach_disconnected) {
 include
 include
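Review bot: In the cups-pk-helper-mechanism hunk the first `@{exec_path}` line swaps `@{libexec}` for `@{lib}`, which is a different kind of edit from the `/{usr/,}bin` → `@{bin}` rewrites elsewhere in this commit: it replaces one variable with another, so the profile's attachment path now follows whatever `@{lib}` expands to instead of the libexec-specific variable. If `@{lib}` is the broader of the two (it stands in for `/{usr/,}lib/...` throughout this diff), the profile will also attach to a `cups-pk-helper-mechanism` binary placed directly under the lib directories; that may well be intended, but it is a semantic change and is not mentioned anywhere. The same `@{libexec}` → `@{lib}` substitution appears in the evince hunk (`@{exec_path} = @{bin}/evince @{lib}/evinced`). If the two variables are meant to stay distinct, keep `@{libexec}` here; otherwise a one-line comment such as `# @{lib} also covers the libexec location of this helper` would record the intent.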
@@ -46,29 +46,29 @@ profile cupsd @{exec_path} flags=(attach_disconnected) {
 @{exec_path} mr,
- /{usr/,}bin/{,ba,da}sh rix,
- /{usr/,}bin/cat rix,
- /{usr/,}bin/chmod rix,
- /{usr/,}bin/cp rix,
- /{usr/,}bin/grep rix,
- /{usr/,}bin/gsc rix,
- /{usr/,}bin/hostname rix,
- /{usr/,}bin/ippfind rix,
- /{usr/,}bin/mktemp rix,
- /{usr/,}bin/printenv rix,
- /{usr/,}bin/python3.[0-9]* rix,
- /{usr/,}bin/rm rix,
- /{usr/,}bin/sed rix,
- /{usr/,}bin/smbspool rPx,
- /{usr/,}bin/touch rix,
- /{usr/,}bin/xz rix,
- /{usr/,}lib/cups/backend/* rPx,
- /{usr/,}lib/cups/cgi-bin/*.cgi rix,
- /{usr/,}lib/cups/daemon/* rix,
- /{usr/,}lib/cups/driver/* rix,
- /{usr/,}lib/cups/filter/* rix,
- /{usr/,}lib/cups/monitor/* rix,
- /{usr/,}lib/cups/notifier/* rix,
+ @{bin}/{,ba,da}sh rix,
+ @{bin}/cat rix,
+ @{bin}/chmod rix,
+ @{bin}/cp rix,
+ @{bin}/grep rix,
+ @{bin}/gsc rix,
+ @{bin}/hostname rix,
+ @{bin}/ippfind rix,
+ @{bin}/mktemp rix,
+ @{bin}/printenv rix,
+ @{bin}/python3.[0-9]* rix,
+ @{bin}/rm rix,
+ @{bin}/sed rix,
+ @{bin}/smbspool rPx,
+ @{bin}/touch rix,
+ @{bin}/xz rix,
+ @{lib}/cups/backend/* rPx,
+ @{lib}/cups/cgi-bin/*.cgi rix,
+ @{lib}/cups/daemon/* rix,
+ @{lib}/cups/driver/* rix,
+ @{lib}/cups/filter/* rix,
+ @{lib}/cups/monitor/* rix,
+ @{lib}/cups/notifier/* rix,
 /usr/share/cups/{,**} r,
 /usr/share/ppd/{,**} r,
diff --git a/apparmor.d/profiles-a-f/curl b/apparmor.d/profiles-a-f/curl
index fb93af56..1ff09bec 100644
--- a/apparmor.d/profiles-a-f/curl
+++ b/apparmor.d/profiles-a-f/curl
@@ -6,7 +6,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}bin/curl
+@{exec_path} = @{bin}/curl
 profile curl @{exec_path} {
 include
 include
diff --git a/apparmor.d/profiles-a-f/czkawka-cli b/apparmor.d/profiles-a-f/czkawka-cli
index 6a880ab6..13c12230 100644
--- a/apparmor.d/profiles-a-f/czkawka-cli
+++ b/apparmor.d/profiles-a-f/czkawka-cli
@@ -6,7 +6,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}bin/czkawka_cli
+@{exec_path} = @{bin}/czkawka_cli
 profile czkawka-cli @{exec_path} {
 include
diff --git a/apparmor.d/profiles-a-f/czkawka-gui b/apparmor.d/profiles-a-f/czkawka-gui
index 62ee47c9..e590e4c3 100644
--- a/apparmor.d/profiles-a-f/czkawka-gui
+++ b/apparmor.d/profiles-a-f/czkawka-gui
@@ -6,7 +6,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}bin/czkawka_gui
+@{exec_path} = @{bin}/czkawka_gui
 profile czkawka-gui @{exec_path} {
 include
 include
@@ -17,7 +17,7 @@ profile czkawka-gui @{exec_path} {
 @{exec_path} mr,
- /{usr/,}bin/xdg-open rCx -> open,
+ @{bin}/xdg-open rCx -> open,
 # Dirs to scan for duplicates
 #owner @{HOME}/** rw,
@@ -41,22 +41,22 @@ profile czkawka-gui @{exec_path} {
 include
 include
- /{usr/,}bin/xdg-open mr,
+ @{bin}/xdg-open mr,
- /{usr/,}bin/{,ba,da}sh rix,
- /{usr/,}bin/{m,g,}awk rix,
- /{usr/,}bin/readlink rix,
- /{usr/,}bin/basename rix,
+ @{bin}/{,ba,da}sh rix,
+ @{bin}/{m,g,}awk rix,
+ @{bin}/readlink rix,
+ @{bin}/basename rix,
 owner @{HOME}/ r,
 owner @{run}/user/@{uid}/ r,
 # Allowed apps to open
- #/{usr/,}lib/firefox/firefox rPx,
- /{usr/,}bin/smplayer rPx,
- /{usr/,}bin/geany rPx,
- /{usr/,}bin/viewnior rPUx,
+ #@{lib}/firefox/firefox rPx,
+ @{bin}/smplayer rPx,
+ @{bin}/geany rPx,
+ @{bin}/viewnior rPUx,
 # file_inherit
 owner @{HOME}/.xsession-errors w,
diff --git a/apparmor.d/profiles-a-f/ddclient b/apparmor.d/profiles-a-f/ddclient
index 1e8344c3..59a6a7da 100644
--- a/apparmor.d/profiles-a-f/ddclient
+++ b/apparmor.d/profiles-a-f/ddclient
@@ -6,7 +6,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}{s,}bin/ddclient
+@{exec_path} = @{bin}/ddclient
 profile ddclient @{exec_path} {
 include
 include
@@ -15,10 +15,10 @@ profile ddclient @{exec_path} {
 include
 @{exec_path} r,
- /{usr/,}bin/perl r,
+ @{bin}/perl r,
- /{usr/,}bin/{,ba,da}sh rix,
- /{usr/,}bin/logger rix,
+ @{bin}/{,ba,da}sh rix,
+ @{bin}/logger rix,
 /etc/ddclient.conf r,
diff --git a/apparmor.d/profiles-a-f/deltachat-desktop b/apparmor.d/profiles-a-f/deltachat-desktop
index eeae7bce..126173d8 100644
--- a/apparmor.d/profiles-a-f/deltachat-desktop
+++ b/apparmor.d/profiles-a-f/deltachat-desktop
@@ -6,8 +6,8 @@ abi ,
 include
-@{DCD_LIBDIR} = /{usr/,}lib/deltachat-desktop
-@{DCD_LIBDIR} += /{usr/,}lib/deltachat
+@{DCD_LIBDIR} = @{lib}/deltachat-desktop
+@{DCD_LIBDIR} += @{lib}/deltachat
 @{DCD_LIBDIR} += /opt/DeltaChat/
 @{exec_path} = /usr/bin/deltachat-desktop
@@ -73,31 +73,31 @@ profile deltachat-desktop @{exec_path} {
 deny @{sys}/devices/virtual/tty/tty0/active r,
 # no new privs
- /{usr/,}bin/xdg-settings rPx,
+ @{bin}/xdg-settings rPx,
- /{usr/,}bin/xdg-open rCx -> open,
+ @{bin}/xdg-open rCx -> open,
 # Allowed apps to open
- /{usr/,}lib/firefox/firefox rPx,
+ @{lib}/firefox/firefox rPx,
 profile open {
 include
 include
- /{usr/,}bin/xdg-open mr,
+ @{bin}/xdg-open mr,
- /{usr/,}bin/{,ba,da}sh rix,
- /{usr/,}bin/{m,g,}awk rix,
- /{usr/,}bin/readlink rix,
- /{usr/,}bin/basename rix,
+ @{bin}/{,ba,da}sh rix,
+ @{bin}/{m,g,}awk rix,
+ @{bin}/readlink rix,
+ @{bin}/basename rix,
 owner @{HOME}/ r,
 owner @{run}/user/@{uid}/ r,
 # Allowed apps to open
- /{usr/,}lib/firefox/firefox rPx,
+ @{lib}/firefox/firefox rPx,
 # file_inherit
 owner @{HOME}/.xsession-errors w,
diff --git a/apparmor.d/profiles-a-f/deluser b/apparmor.d/profiles-a-f/deluser
index 3e826e8a..6d08fa36 100644
--- a/apparmor.d/profiles-a-f/deluser
+++ b/apparmor.d/profiles-a-f/deluser
@@ -6,7 +6,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}{s,}bin/del{user,group}
+@{exec_path} = @{bin}/del{user,group}
 profile deluser @{exec_path} {
 include
 include
@@ -20,17 +20,17 @@ profile deluser @{exec_path} {
 capability dac_override,
 @{exec_path} r,
- /{usr/,}bin/perl r,
+ @{bin}/perl r,
- /{usr/,}bin/{,ba,da}sh rix,
+ @{bin}/{,ba,da}sh rix,
- /{usr/,}{s,}bin/userdel rPx,
- /{usr/,}{s,}bin/groupdel rPx,
- /{usr/,}bin/gpasswd rPx,
+ @{bin}/userdel rPx,
+ @{bin}/groupdel rPx,
+ @{bin}/gpasswd rPx,
- /{usr/,}bin/crontab rPx,
+ @{bin}/crontab rPx,
- /{usr/,}bin/mount rCx -> mount,
+ @{bin}/mount rCx -> mount,
 /etc/adduser.conf r,
 /etc/deluser.conf r,
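Review bot: In the first deltachat-desktop hunk the two `@{DCD_LIBDIR}` lines are converted to `@{lib}`, but the context line `@{exec_path} = /usr/bin/deltachat-desktop` two lines below is left hard-coded, so this is the one profile in the series whose attachment path does not go through `@{bin}`. If the binary is only ever shipped under /usr/bin that is harmless, but for consistency with the rest of the commit the line would read `@{exec_path} = @{bin}/deltachat-desktop`. If the literal path is deliberate (for example because the /opt install uses a different launcher), a short comment on that line saying so would stop the next sweep from converting it.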
@@ -48,7 +48,7 @@ profile deluser @{exec_path} {
 profile mount {
 include
- /{usr/,}bin/mount mr,
+ @{bin}/mount mr,
 @{PROC}/@{pid}/mountinfo r,
diff --git a/apparmor.d/profiles-a-f/df b/apparmor.d/profiles-a-f/df
index a1b94b08..33c0a1b6 100644
--- a/apparmor.d/profiles-a-f/df
+++ b/apparmor.d/profiles-a-f/df
@@ -6,7 +6,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}bin/df
+@{exec_path} = @{bin}/df
 profile df @{exec_path} {
 include
 include
diff --git a/apparmor.d/profiles-a-f/dfc b/apparmor.d/profiles-a-f/dfc
index 95e54e09..ff7585bd 100644
--- a/apparmor.d/profiles-a-f/dfc
+++ b/apparmor.d/profiles-a-f/dfc
@@ -6,7 +6,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}bin/dfc
+@{exec_path} = @{bin}/dfc
 profile dfc @{exec_path} {
 include
 include
diff --git a/apparmor.d/profiles-a-f/dhclient b/apparmor.d/profiles-a-f/dhclient
index a5c09ef3..9208ecc6 100644
--- a/apparmor.d/profiles-a-f/dhclient
+++ b/apparmor.d/profiles-a-f/dhclient
@@ -7,7 +7,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}{s,}bin/dhclient
+@{exec_path} = @{bin}/dhclient
 profile dhclient @{exec_path} {
 include
 include
@@ -27,7 +27,7 @@ profile dhclient @{exec_path} {
 @{exec_path} mr,
 # To run dhclient scripts
- /{usr/,}{s,}bin/dhclient-script rPx,
+ @{bin}/dhclient-script rPx,
 /etc/dhclient.conf r,
 /etc/dhcp/{,**} r,
diff --git a/apparmor.d/profiles-a-f/dhclient-script b/apparmor.d/profiles-a-f/dhclient-script
index cac62f6c..e8a99efd 100644
--- a/apparmor.d/profiles-a-f/dhclient-script
+++ b/apparmor.d/profiles-a-f/dhclient-script
@@ -7,7 +7,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}{s,}bin/dhclient-script
+@{exec_path} = @{bin}/dhclient-script
 profile dhclient-script @{exec_path} {
 include
 include
@@ -20,30 +20,30 @@ profile dhclient-script @{exec_path} {
 @{exec_path} mr,
- /{usr/,}{s,}bin/ddclient rPx,
- /{usr/,}{s,}bin/sysctl rix,
- /{usr/,}bin/{,ba,da}sh mrix,
- /{usr/,}bin/chmod rix,
- /{usr/,}bin/chown rix,
- /{usr/,}bin/chronyc rPUx,
- /{usr/,}bin/date rix,
- /{usr/,}bin/fold rix,
- /{usr/,}bin/head rix,
- /{usr/,}bin/hostname rix,
- /{usr/,}bin/ip rix,
- /{usr/,}bin/logger rix,
- /{usr/,}bin/mkdir rix,
- /{usr/,}bin/mv rix,
- /{usr/,}bin/paste rix,
- /{usr/,}bin/ping rPx,
- /{usr/,}bin/printenv rix,
- /{usr/,}bin/readlink rix,
- /{usr/,}bin/rm rix,
- /{usr/,}bin/run-parts rCx -> run-parts,
- /{usr/,}bin/sed rix,
- /{usr/,}bin/tr rix,
- /{usr/,}bin/xxd rix,
- /{usr/,}sbin/resolvconf rPx,
+ @{bin}/{,ba,da}sh mrix,
+ @{bin}/chmod rix,
+ @{bin}/chown rix,
+ @{bin}/chronyc rPUx,
+ @{bin}/date rix,
+ @{bin}/ddclient rPx,
+ @{bin}/fold rix,
+ @{bin}/head rix,
+ @{bin}/hostname rix,
+ @{bin}/ip rix,
+ @{bin}/logger rix,
+ @{bin}/mkdir rix,
+ @{bin}/mv rix,
+ @{bin}/paste rix,
+ @{bin}/ping rPx,
+ @{bin}/printenv rix,
+ @{bin}/readlink rix,
+ @{bin}/resolvconf rPx,
+ @{bin}/rm rix,
+ @{bin}/run-parts rCx -> run-parts,
+ @{bin}/sed rix,
+ @{bin}/sysctl rix,
+ @{bin}/tr rix,
+ @{bin}/xxd rix,
 /etc/default/ddclient r,
 /etc/dhcp/{,**} r,
@@ -71,7 +71,7 @@ profile dhclient-script @{exec_path} {
 profile run-parts {
 include
- /{usr/,}bin/run-parts mr,
+ @{bin}/run-parts mr,
 /etc/dhcp/dhclient-{enter,exit}-hooks.d/ r,
diff --git a/apparmor.d/profiles-a-f/dig b/apparmor.d/profiles-a-f/dig
index e4cf9cfd..5e17059c 100644
--- a/apparmor.d/profiles-a-f/dig
+++ b/apparmor.d/profiles-a-f/dig
@@ -7,7 +7,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}bin/dig
+@{exec_path} = @{bin}/dig
 profile dig @{exec_path} {
 include
 include
diff --git a/apparmor.d/profiles-a-f/dino-im b/apparmor.d/profiles-a-f/dino-im
index c29d92e0..e2933a61 100644
--- a/apparmor.d/profiles-a-f/dino-im
+++ b/apparmor.d/profiles-a-f/dino-im
@@ -7,7 +7,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}bin/dino-im
+@{exec_path} = @{bin}/dino-im
 profile dino-im @{exec_path} {
 include
 include
@@ -27,9 +27,9 @@ profile dino-im @{exec_path} {
 @{exec_path} mr,
 # Needed for GPG/PGP support
- /{usr/,}bin/gpg{,2} rCx -> gpg,
- /{usr/,}bin/gpgconf rCx -> gpg,
- /{usr/,}bin/gpgsm rCx -> gpg,
+ @{bin}/gpg{,2} rCx -> gpg,
+ @{bin}/gpgconf rCx -> gpg,
+ @{bin}/gpgsm rCx -> gpg,
 owner @{user_share_dirs}/dino/ rw,
 owner @{user_share_dirs}/dino/** rwk,
@@ -39,9 +39,9 @@ profile dino-im @{exec_path} {
 profile gpg {
 include
- /{usr/,}bin/gpg{,2} mr,
- /{usr/,}bin/gpgconf mr,
- /{usr/,}bin/gpgsm mr,
+ @{bin}/gpg{,2} mr,
+ @{bin}/gpgconf mr,
+ @{bin}/gpgsm mr,
 owner @{HOME}/.gnupg/ rw,
 owner @{HOME}/.gnupg/** rwkl -> @{HOME}/.gnupg/**,
diff --git a/apparmor.d/profiles-a-f/dkms b/apparmor.d/profiles-a-f/dkms
index 5a48337c..0de4bb50 100644
--- a/apparmor.d/profiles-a-f/dkms
+++ b/apparmor.d/profiles-a-f/dkms
@@ -8,7 +8,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}{s,}bin/dkms
+@{exec_path} = @{bin}/dkms
 profile dkms @{exec_path} flags=(attach_disconnected) {
 include
 include
@@ -23,44 +23,44 @@ profile dkms @{exec_path} flags=(attach_disconnected) {
 unix (receive) type=stream,
 @{exec_path} r,
- /{usr/,}bin/cat rix,
- /{usr/,}bin/cp rix,
- /{usr/,}bin/cut rix,
- /{usr/,}bin/date rix,
- /{usr/,}bin/diff rix,
- /{usr/,}bin/echo rix,
- /{usr/,}bin/find rix,
- /{usr/,}bin/getconf rix,
- /{usr/,}bin/head rix,
- /{usr/,}bin/kmod rCx -> kmod,
- /{usr/,}bin/ln rix,
- /{usr/,}bin/ls rix,
- /{usr/,}bin/lsb_release rPx -> lsb_release,
- /{usr/,}bin/make rix,
- /{usr/,}bin/mkdir rix,
- /{usr/,}bin/mktemp rix,
- /{usr/,}bin/mv rix,
- /{usr/,}bin/nproc rix,
- /{usr/,}bin/pwd rix,
- /{usr/,}bin/readlink rix,
- /{usr/,}bin/rm rix,
- /{usr/,}bin/rmdir rix,
- /{usr/,}bin/sed rix,
- /{usr/,}bin/uname rix,
- /{usr/,}bin/wc rix,
- /{usr/,}bin/xargs rix,
- /{usr/,}bin/{,@{multiarch}-}* rix,
- /{usr/,}bin/{,ba,da}sh rix,
- /{usr/,}bin/{,e,f}grep rix,
- /{usr/,}bin/{,g,m}awk rix,
- /{usr/,}{,s}bin/update-secureboot-policy rPUx,
+ @{bin}/cat rix,
+ @{bin}/cp rix,
+ @{bin}/cut rix,
+ @{bin}/date rix,
+ @{bin}/diff rix,
+ @{bin}/echo rix,
+ @{bin}/find rix,
+ @{bin}/getconf rix,
+ @{bin}/head rix,
+ @{bin}/kmod rCx -> kmod,
+ @{bin}/ln rix,
+ @{bin}/ls rix,
+ @{bin}/lsb_release rPx -> lsb_release,
+ @{bin}/make rix,
+ @{bin}/mkdir rix,
+ @{bin}/mktemp rix,
+ @{bin}/mv rix,
+ @{bin}/nproc rix,
+ @{bin}/pwd rix,
+ @{bin}/readlink rix,
+ @{bin}/rm rix,
+ @{bin}/rmdir rix,
+ @{bin}/sed rix,
+ @{bin}/uname rix,
+ @{bin}/wc rix,
+ @{bin}/xargs rix,
+ @{bin}/{,@{multiarch}-}* rix,
+ @{bin}/{,ba,da}sh rix,
+ @{bin}/{,e,f}grep rix,
+ @{bin}/{,g,m}awk rix,
+ @{bin}/update-secureboot-policy rPUx,
- /{usr/,}lib/gcc/@{multiarch}/[0-9]*/* rix,
- /{usr/,}lib/linux-kbuild-*/scripts/** rix,
- /{usr/,}lib/linux-kbuild-*/tools/objtool/objtool rix,
- /{usr/,}lib/llvm-[0-9]*/bin/clang rix,
- /{usr/,}lib/modules/*/build/scripts/** rix,
- /{usr/,}lib/modules/*/build/tools/objtool/objtool rix,
+ @{lib}/gcc/@{multiarch}/[0-9]*/* rix,
+ @{lib}/linux-kbuild-*/scripts/** rix,
+ @{lib}/linux-kbuild-*/tools/objtool/objtool rix,
+ @{lib}/llvm-[0-9]*/bin/clang rix,
+ @{lib}/modules/*/build/scripts/** rix,
+ @{lib}/modules/*/build/tools/objtool/objtool rix,
 /var/lib/dkms/**/configure rix,
 /var/lib/dkms/**/dkms.postbuild rix,
@@ -68,9 +68,9 @@ profile dkms @{exec_path} flags=(attach_disconnected) {
 /var/lib/shim-signed/mok/** r,
 / r,
- /{usr/,}lib/modules/*/updates/ rw,
- /{usr/,}lib/modules/*/updates/dkms/{,*,*/,**.ko.xz,**.ko.zst} rw,
- /{usr/,}lib/modules/*/kernel/drivers/{,*,*/,**.ko.xz,**.ko.zst} rw,
+ @{lib}/modules/*/updates/ rw,
+ @{lib}/modules/*/updates/dkms/{,*,*/,**.ko.xz,**.ko.zst} rw,
+ @{lib}/modules/*/kernel/drivers/{,*,*/,**.ko.xz,**.ko.zst} rw,
 /var/lib/dkms/ r,
 /var/lib/dkms/** rw,
@@ -110,13 +110,13 @@ profile dkms @{exec_path} flags=(attach_disconnected) {
 include
 include
- /{usr/,}bin/kmod mr,
+ @{bin}/kmod mr,
 @{PROC}/cmdline r,
 /etc/depmod.d/{,*} r,
- /{usr/,}lib/modules/*/modules.* rw,
+ @{lib}/modules/*/modules.* rw,
 /var/lib/dkms/**/module/*.ko* r,
 owner /boot/System.map-* r,
diff --git a/apparmor.d/profiles-a-f/dkms-autoinstaller b/apparmor.d/profiles-a-f/dkms-autoinstaller
index 511ed2ad..ac421cbc 100644
--- a/apparmor.d/profiles-a-f/dkms-autoinstaller
+++ b/apparmor.d/profiles-a-f/dkms-autoinstaller
@@ -7,20 +7,20 @@ abi ,
 include
-@{exec_path} = /{usr/,}lib/dkms/dkms_autoinstaller
+@{exec_path} = @{lib}/dkms/dkms_autoinstaller
 profile dkms-autoinstaller @{exec_path} {
 include
 include
 @{exec_path} r,
- /{usr/,}bin/{,ba,da}sh rix,
- /{usr/,}{s,}bin/dkms rPx,
- /{usr/,}bin/echo rix,
- /{usr/,}bin/plymouth rix,
- /{usr/,}bin/readlink rix,
- /{usr/,}bin/run-parts rCx -> run-parts,
- /{usr/,}bin/systemctl rPx -> child-systemctl,
- /{usr/,}bin/tput rix,
+ @{bin}/{,ba,da}sh rix,
+ @{bin}/dkms rPx,
+ @{bin}/echo rix,
+ @{bin}/plymouth rix,
+ @{bin}/readlink rix,
+ @{bin}/run-parts rCx -> run-parts,
+ @{bin}/systemctl rPx -> child-systemctl,
+ @{bin}/tput rix,
 # For shell pwd
 / r,
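Review bot: The wildcard rule `@{bin}/{,@{multiarch}-}* rix,` in the dkms hunk is carried over mechanically, but its scope changes with the substitution: the old pattern matched `/{usr/,}bin/*` only, whereas `@{bin}` is used in this same diff to replace `/{usr/,}{s,}bin/dkms` and `/{usr/,}{,s}bin/update-secureboot-policy`, so it presumably also expands to the sbin directories and the wildcard now grants `rix` on every sbin binary as well. That also makes the explicit `@{bin}/cat`, `@{bin}/cp`, … entries above it redundant, which hides what dkms actually needs. If the broad rule exists for the `@{multiarch}-` prefixed toolchain wrappers, it would be safer to keep it at the old scope (`/{usr/,}bin/{,@{multiarch}-}* rix,`) or narrow it to the prefixed form, and a comment such as `# @{multiarch}-prefixed toolchain wrappers used by the kernel build` should say what it is for. The profile body continues outside the hunk.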
@@ -31,7 +31,7 @@ profile dkms-autoinstaller @{exec_path} {
 include
 include
- /{usr/,}bin/run-parts mr,
+ @{bin}/run-parts mr,
 }
diff --git a/apparmor.d/profiles-a-f/dlocate b/apparmor.d/profiles-a-f/dlocate
index 79f66b58..46a2d36b 100644
--- a/apparmor.d/profiles-a-f/dlocate
+++ b/apparmor.d/profiles-a-f/dlocate
@@ -6,30 +6,30 @@ abi ,
 include
-@{exec_path} = /{usr/,}bin/dlocate
+@{exec_path} = @{bin}/dlocate
 profile dlocate @{exec_path} {
 include
 include
 include
 @{exec_path} rix,
- /{usr/,}bin/{,ba,da}sh rix,
+ @{bin}/{,ba,da}sh rix,
- /{usr/,}bin/getopt rix,
- /{usr/,}bin/{,e}grep rix,
- /{usr/,}bin/{m,g,}awk rix,
- /{usr/,}bin/cat rix,
- /{usr/,}bin/sort rix,
- /{usr/,}bin/sed rix,
- /{usr/,}bin/stty rix,
- /{usr/,}bin/grep-dctrl rix,
- /{usr/,}bin/cut rix,
- /{usr/,}bin/xargs rix,
- /{usr/,}bin/ls rix,
- /{usr/,}bin/du rix,
- /{usr/,}bin/stat rix,
+ @{bin}/getopt rix,
+ @{bin}/{,e}grep rix,
+ @{bin}/{m,g,}awk rix,
+ @{bin}/cat rix,
+ @{bin}/sort rix,
+ @{bin}/sed rix,
+ @{bin}/stty rix,
+ @{bin}/grep-dctrl rix,
+ @{bin}/cut rix,
+ @{bin}/xargs rix,
+ @{bin}/ls rix,
+ @{bin}/du rix,
+ @{bin}/stat rix,
- /{usr/,}bin/md5sum rCx -> md5sum,
+ @{bin}/md5sum rCx -> md5sum,
 /etc/default/dlocate r,
@@ -52,7 +52,7 @@ profile dlocate @{exec_path} {
 profile md5sum {
 include
- /{usr/,}bin/md5sum mr,
+ @{bin}/md5sum mr,
 # For the md5 check
 /boot/** r,
diff --git a/apparmor.d/profiles-a-f/dmcrypt-get-device b/apparmor.d/profiles-a-f/dmcrypt-get-device
index 15e625d4..22d44bdf 100644
--- a/apparmor.d/profiles-a-f/dmcrypt-get-device
+++ b/apparmor.d/profiles-a-f/dmcrypt-get-device
@@ -6,7 +6,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}lib/eject/dmcrypt-get-device
+@{exec_path} = @{lib}/eject/dmcrypt-get-device
 profile dmcrypt-get-device @{exec_path} flags=(complain) {
 include
diff --git a/apparmor.d/profiles-a-f/dmesg b/apparmor.d/profiles-a-f/dmesg
index cd7fee04..e454571b 100644
--- a/apparmor.d/profiles-a-f/dmesg
+++ b/apparmor.d/profiles-a-f/dmesg
@@ -7,7 +7,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}bin/dmesg
+@{exec_path} = @{bin}/dmesg
 profile dmesg @{exec_path} {
 include
 include
@@ -17,14 +17,14 @@ profile dmesg @{exec_path} {
 @{exec_path} mr,
- /{usr/,}bin/{,ba,da}sh rix,
- /{usr/,}bin/less rPx -> child-pager,
+ @{bin}/{,ba,da}sh rix,
+ @{bin}/less rPx -> child-pager,
 /dev/kmsg r,
 /usr/share/terminfo/{,**} r,
 deny /{usr/,}local/bin/ r,
- deny /{usr/,}bin/{,*/} r,
+ deny @{bin}/{,*/} r,
 include if exists
 }
diff --git a/apparmor.d/profiles-a-f/dmeventd b/apparmor.d/profiles-a-f/dmeventd
index d0b2b7ed..952379e6 100644
--- a/apparmor.d/profiles-a-f/dmeventd
+++ b/apparmor.d/profiles-a-f/dmeventd
@@ -6,7 +6,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}{s,}bin/dmeventd
+@{exec_path} = @{bin}/dmeventd
 profile dmeventd @{exec_path} flags=(complain) {
 include
diff --git a/apparmor.d/profiles-a-f/dmidecode b/apparmor.d/profiles-a-f/dmidecode
index e605ee5f..adc5c443 100644
--- a/apparmor.d/profiles-a-f/dmidecode
+++ b/apparmor.d/profiles-a-f/dmidecode
@@ -6,7 +6,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}{s,}bin/dmidecode
+@{exec_path} = @{bin}/dmidecode
 profile dmidecode @{exec_path} {
 include
 include
diff --git a/apparmor.d/profiles-a-f/dnscrypt-proxy b/apparmor.d/profiles-a-f/dnscrypt-proxy
index 13717b13..bb0889a5 100644
--- a/apparmor.d/profiles-a-f/dnscrypt-proxy
+++ b/apparmor.d/profiles-a-f/dnscrypt-proxy
@@ -7,7 +7,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}{s,}bin/dnscrypt-proxy
+@{exec_path} = @{bin}/dnscrypt-proxy
 profile dnscrypt-proxy @{exec_path} {
 include
 include
diff --git a/apparmor.d/profiles-a-f/downloadhelper b/apparmor.d/profiles-a-f/downloadhelper
index 4bceb1b2..11785c16 100644
--- a/apparmor.d/profiles-a-f/downloadhelper
+++ b/apparmor.d/profiles-a-f/downloadhelper
@@ -21,7 +21,7 @@ profile downloadhelper @{exec_path} {
 @{exec_path} mr,
- /{usr/,}bin/ffmpeg rix,
+ @{bin}/ffmpeg rix,
 /opt/ r,
 /opt/net.downloadhelper.coapp/ r,
diff --git a/apparmor.d/profiles-a-f/dring b/apparmor.d/profiles-a-f/dring
index 09ba01ff..c2c68ca5 100644
--- a/apparmor.d/profiles-a-f/dring
+++ b/apparmor.d/profiles-a-f/dring
@@ -6,7 +6,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}lib/ring/dring
+@{exec_path} = @{lib}/ring/dring
 profile dring @{exec_path} {
 include
 include
diff --git a/apparmor.d/profiles-a-f/dumpcap b/apparmor.d/profiles-a-f/dumpcap
index d40b9380..91544885 100644
--- a/apparmor.d/profiles-a-f/dumpcap
+++ b/apparmor.d/profiles-a-f/dumpcap
@@ -6,7 +6,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}bin/dumpcap
+@{exec_path} = @{bin}/dumpcap
 profile dumpcap @{exec_path} {
 include
 include
diff --git a/apparmor.d/profiles-a-f/dumpe2fs b/apparmor.d/profiles-a-f/dumpe2fs
index e6a4c247..eac046ed 100644
--- a/apparmor.d/profiles-a-f/dumpe2fs
+++ b/apparmor.d/profiles-a-f/dumpe2fs
@@ -7,7 +7,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}{s,}bin/{dumpe2fs,e2mmpstatus}
+@{exec_path} = @{bin}/{dumpe2fs,e2mmpstatus}
 profile dumpe2fs @{exec_path} {
 include
 include
diff --git a/apparmor.d/profiles-a-f/dunst b/apparmor.d/profiles-a-f/dunst
index 692aef0c..5110c092 100644
--- a/apparmor.d/profiles-a-f/dunst
+++ b/apparmor.d/profiles-a-f/dunst
@@ -6,7 +6,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}bin/dunst
+@{exec_path} = @{bin}/dunst
 profile dunst @{exec_path} {
 include
 include
diff --git a/apparmor.d/profiles-a-f/dunstctl b/apparmor.d/profiles-a-f/dunstctl
index 92db1794..5a1c55d0 100644
--- a/apparmor.d/profiles-a-f/dunstctl
+++ b/apparmor.d/profiles-a-f/dunstctl
@@ -6,18 +6,18 @@ abi ,
 include
-@{exec_path} = /{usr/,}bin/dunstctl
+@{exec_path} = @{bin}/dunstctl
 profile dunstctl @{exec_path} {
 include
 @{exec_path} mr,
- /{usr/,}bin/dbus-send rCx -> dbus,
+ @{bin}/dbus-send rCx -> dbus,
 profile dbus {
 include
- /{usr/,}bin/dbus-send mr,
+ @{bin}/dbus-send mr,
 }
 include if exists
diff --git a/apparmor.d/profiles-a-f/dunstify b/apparmor.d/profiles-a-f/dunstify
index b0663dbc..612facd9 100644
--- a/apparmor.d/profiles-a-f/dunstify
+++ b/apparmor.d/profiles-a-f/dunstify
@@ -6,7 +6,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}bin/dunstify
+@{exec_path} = @{bin}/dunstify
 profile dunstify @{exec_path} {
 include
diff --git a/apparmor.d/profiles-a-f/e2fsck b/apparmor.d/profiles-a-f/e2fsck
index 18b99af8..9fa61cf7 100644
--- a/apparmor.d/profiles-a-f/e2fsck
+++ b/apparmor.d/profiles-a-f/e2fsck
@@ -7,7 +7,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}{s,}bin/{e2fsck,fsck.ext2,fsck.ext3,fsck.ext4}
+@{exec_path} = @{bin}/{e2fsck,fsck.ext2,fsck.ext3,fsck.ext4}
 profile e2fsck @{exec_path} {
 include
 include
@@ -19,8 +19,8 @@ profile e2fsck @{exec_path} {
 @{exec_path} mr,
 # To check for badblocks
- /{usr/,}bin/{,ba,da}sh rix,
- /{usr/,}{s,}bin/badblocks rPx,
+ @{bin}/{,ba,da}sh rix,
+ @{bin}/badblocks rPx,
 /usr/share/file/misc/magic.mgc r,
diff --git a/apparmor.d/profiles-a-f/e2image b/apparmor.d/profiles-a-f/e2image
index 3216a4db..1690dc3a 100644
--- a/apparmor.d/profiles-a-f/e2image
+++ b/apparmor.d/profiles-a-f/e2image
@@ -7,7 +7,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}{s,}bin/e2image
+@{exec_path} = @{bin}/e2image
 profile e2image @{exec_path} {
 include
 include
diff --git a/apparmor.d/profiles-a-f/edid-decode b/apparmor.d/profiles-a-f/edid-decode
index 13143309..89b3f99f 100644
--- a/apparmor.d/profiles-a-f/edid-decode
+++ b/apparmor.d/profiles-a-f/edid-decode
@@ -6,7 +6,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}bin/edid-decode
+@{exec_path} = @{bin}/edid-decode
 profile edid-decode @{exec_path} {
 include
diff --git a/apparmor.d/profiles-a-f/eject b/apparmor.d/profiles-a-f/eject
index c0fa5e36..47d9cdcf 100644
--- a/apparmor.d/profiles-a-f/eject
+++ b/apparmor.d/profiles-a-f/eject
@@ -6,7 +6,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}bin/eject
+@{exec_path} = @{bin}/eject
 profile eject @{exec_path} {
 include
 include
@@ -16,9 +16,9 @@ profile eject @{exec_path} {
 @{exec_path} mr,
- /{usr/,}bin/{,ba,da}sh rix,
+ @{bin}/{,ba,da}sh rix,
- /{usr/,}lib/eject/dmcrypt-get-device rPx,
+ @{lib}/eject/dmcrypt-get-device rPx,
 owner @{PROC}/@{pid}/mounts r,
 owner @{PROC}/@{pid}/mountinfo r,
diff --git a/apparmor.d/profiles-a-f/engrampa b/apparmor.d/profiles-a-f/engrampa
index f02ddcca..cc0c5b80 100644
--- a/apparmor.d/profiles-a-f/engrampa
+++ b/apparmor.d/profiles-a-f/engrampa
@@ -6,7 +6,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}bin/engrampa
+@{exec_path} = @{bin}/engrampa
 profile engrampa @{exec_path} {
 include
 include
@@ -75,29 +75,29 @@ profile engrampa @{exec_path} {
 @{exec_path} mr,
- /{usr/,}bin/{,ba,da}sh rix,
- /{usr/,}bin/ls rix,
- /{usr/,}bin/rm rix,
- /{usr/,}bin/mv rix,
- /{usr/,}bin/cp rix,
+ @{bin}/{,ba,da}sh rix,
+ @{bin}/ls rix,
+ @{bin}/rm rix,
+ @{bin}/mv rix,
+ @{bin}/cp rix,
 # Archivers
- /{usr/,}bin/7z rix,
- /{usr/,}lib/p7zip/7z rix,
- /{usr/,}bin/unrar-nonfree rix,
- /{usr/,}bin/zip rix,
- /{usr/,}bin/unzip rix,
- /{usr/,}bin/tar rix,
- /{usr/,}bin/xz rix,
- /{usr/,}bin/bzip2 rix,
- /{usr/,}bin/cpio rix,
- /{usr/,}bin/gzip rix,
- /{usr/,}bin/zstd rix,
+ @{bin}/7z rix,
+ @{lib}/p7zip/7z rix,
+ @{bin}/unrar-nonfree rix,
+ @{bin}/zip rix,
+ @{bin}/unzip rix,
+ @{bin}/tar rix,
+ @{bin}/xz rix,
+ @{bin}/bzip2 rix,
+ @{bin}/cpio rix,
+ @{bin}/gzip rix,
+ @{bin}/zstd rix,
 # For deb packages
- /{usr/,}bin/dpkg-deb rix,
+ @{bin}/dpkg-deb rix,
- /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop rCx -> open,
- /{usr/,}bin/xdg-open rCx -> open,
+ @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rCx -> open,
+ @{bin}/xdg-open rCx -> open,
 owner @{user_config_dirs}/engrampa/ rw,
@@ -135,11 +135,11 @@ profile engrampa @{exec_path} {
 /etc/fstab r,
 # Allowed apps to open
- /{usr/,}bin/engrampa rPx,
- /{usr/,}bin/geany rPx,
- /{usr/,}bin/viewnior rPUx,
- /{usr/,}bin/spacefm rPx,
- /{usr/,}bin/ristretto rPUx,
+ @{bin}/engrampa rPx,
+ @{bin}/geany rPx,
+ @{bin}/viewnior rPUx,
+ @{bin}/spacefm rPx,
+ @{bin}/ristretto rPUx,
 # file_inherit
 owner /dev/tty[0-9]* rw,
@@ -150,23 +150,23 @@ profile engrampa @{exec_path} {
 include
 include
- /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr,
- /{usr/,}bin/xdg-open mr,
+ @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr,
+ @{bin}/xdg-open mr,
- /{usr/,}bin/{,ba,da}sh rix,
- /{usr/,}bin/{m,g,}awk rix,
- /{usr/,}bin/readlink rix,
- /{usr/,}bin/basename rix,
+ @{bin}/{,ba,da}sh rix,
+ @{bin}/{m,g,}awk rix,
+ @{bin}/readlink rix,
+ @{bin}/basename rix,
 owner @{HOME}/ r,
 owner @{run}/user/@{uid}/ r,
 # Allowed apps to open
- /{usr/,}bin/engrampa rPx,
- /{usr/,}bin/geany rPx,
- /{usr/,}bin/viewnior rPUx,
- /{usr/,}bin/spacefm rPx,
+ @{bin}/engrampa rPx,
+ @{bin}/geany rPx,
+ @{bin}/viewnior rPUx,
+ @{bin}/spacefm rPx,
 # file_inherit
 owner @{HOME}/.xsession-errors w,
diff --git a/apparmor.d/profiles-a-f/etckeeper b/apparmor.d/profiles-a-f/etckeeper
index f1946c24..a9ae7591 100644
--- a/apparmor.d/profiles-a-f/etckeeper
+++ b/apparmor.d/profiles-a-f/etckeeper
@@ -6,7 +6,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}bin/etckeeper
+@{exec_path} = @{bin}/etckeeper
 profile etckeeper @{exec_path} {
 include
 include
@@ -17,32 +17,32 @@ profile etckeeper @{exec_path} {
 @{exec_path} mrix,
- /{usr/,}bin/{,ba,da}sh rix,
- /{usr/,}bin/{,e}grep rix,
- /{usr/,}bin/cat rix,
- /{usr/,}bin/chmod rix,
- /{usr/,}bin/cut rix,
- /{usr/,}bin/diff rix,
- /{usr/,}bin/dpkg rPx -> child-dpkg,
- /{usr/,}bin/dpkg-query rpx,
- /{usr/,}bin/find rix,
- /{usr/,}bin/getent rix,
- /{usr/,}bin/git* rix,
- /{usr/,}bin/gpg{,2} rCx -> gpg,
- /{usr/,}bin/hostname rix,
- /{usr/,}bin/mkdir rix,
- /{usr/,}bin/mktemp rix,
- /{usr/,}bin/perl rix,
- /{usr/,}bin/ps rPx,
- /{usr/,}bin/rm rix,
- /{usr/,}bin/sed rix,
- /{usr/,}bin/sort rix,
- /{usr/,}bin/tail rix,
- /{usr/,}bin/tty rix,
- /{usr/,}bin/uniq rix,
- /{usr/,}bin/whoami rix,
- /{usr/,}bin/xargs rix,
- /{usr/,}lib/git-core/git* rix,
+ @{bin}/{,ba,da}sh rix,
+ @{bin}/{,e}grep rix,
+ @{bin}/cat rix,
+ @{bin}/chmod rix,
+ @{bin}/cut rix,
+ @{bin}/diff rix,
+ @{bin}/dpkg rPx -> child-dpkg,
+ @{bin}/dpkg-query rpx,
+ @{bin}/find rix,
+ @{bin}/getent rix,
+ @{bin}/git* rix,
+ @{bin}/gpg{,2} rCx -> gpg,
+ @{bin}/hostname rix,
+ @{bin}/mkdir rix,
+ @{bin}/mktemp rix,
+ @{bin}/perl rix,
+ @{bin}/ps rPx,
+ @{bin}/rm rix,
+ @{bin}/sed rix,
+ @{bin}/sort rix,
+ @{bin}/tail rix,
+ @{bin}/tty rix,
+ @{bin}/uniq rix,
+ @{bin}/whoami rix,
+ @{bin}/xargs rix,
+ @{lib}/git-core/git* rix,
 /etc/.git/hooks/* rix,
 /etc/etckeeper/*.d/* rix,
@@ -67,8 +67,8 @@ profile etckeeper @{exec_path} {
 include
 include
- /{usr/,}bin/gpg{,2} mr,
- /{usr/,}bin/gpg-agent rPx,
+ @{bin}/gpg{,2} mr,
+ @{bin}/gpg-agent rPx,
 owner @{HOME}/@{XDG_GPG_DIR}/ rw,
 owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**,
diff --git a/apparmor.d/profiles-a-f/evince b/apparmor.d/profiles-a-f/evince
index e11aaabe..8d1687bc 100644
--- a/apparmor.d/profiles-a-f/evince
+++ b/apparmor.d/profiles-a-f/evince
@@ -6,7 +6,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}bin/evince @{libexec}/evinced
+@{exec_path} = @{bin}/evince @{lib}/evinced
 profile evince @{exec_path} {
 include
 include
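Review bot: `@{bin}/dpkg-query rpx,` in the etckeeper hunk keeps a lowercase `p` while the neighbouring `@{bin}/dpkg rPx -> child-dpkg,` and `@{bin}/ps rPx,` use `Px`; in AppArmor the lowercase form transitions to the target profile without the secure-exec environment scrubbing, so dpkg-query runs with etckeeper's environment passed through unfiltered. The inconsistency predates this commit, but since the line is being rewritten anyway it is the natural moment to either make it `@{bin}/dpkg-query rPx,` or add a comment explaining why an unscrubbed transition is required here. The hunk ends inside the profile body.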
@@ -81,10 +81,10 @@ profile evince @{exec_path} { @{exec_path} rix, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/gio-launch-desktop rPx, - /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx -> child-open, - /{usr/,}lib/gio-launch-desktop rPx -> child-open, + @{bin}/{,ba,da}sh rix, + @{bin}/gio-launch-desktop rPx, + @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx -> child-open, + @{lib}/gio-launch-desktop rPx -> child-open, /usr/share/djvu/{,**} r, /usr/share/evince/{,**} r, @@ -107,7 +107,7 @@ profile evince @{exec_path} { /dev/tty rw, - deny /{usr/,}lib/ r, # asks when viewing PostScript files + deny @{lib}/ r, # asks when viewing PostScript files include if exists } diff --git a/apparmor.d/profiles-a-f/execute-dcut b/apparmor.d/profiles-a-f/execute-dcut index 9086451a..bf705a3e 100644 --- a/apparmor.d/profiles-a-f/execute-dcut +++ b/apparmor.d/profiles-a-f/execute-dcut @@ -6,13 +6,13 @@ abi , include -@{exec_path} = /{usr/,}bin/dcut /usr/share/dput/execute-dcut +@{exec_path} = @{bin}/dcut /usr/share/dput/execute-dcut profile execute-dcut @{exec_path} flags=(complain) { include include @{exec_path} r, - /{usr/,}bin/python3.[0-9]* r, + @{bin}/python3.[0-9]* r, include if exists } diff --git a/apparmor.d/profiles-a-f/execute-dput b/apparmor.d/profiles-a-f/execute-dput index 07ad5cb9..26f843e5 100644 --- a/apparmor.d/profiles-a-f/execute-dput +++ b/apparmor.d/profiles-a-f/execute-dput @@ -7,7 +7,7 @@ abi , include -@{exec_path} = /{usr/,}bin/dput /usr/share/dput/execute-dput +@{exec_path} = @{bin}/dput /usr/share/dput/execute-dput profile execute-dput @{exec_path} flags=(complain) { include include 
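Review bot: `@{bin}/gio-launch-desktop rPx,` keeps a bare `Px` transition while the two `@{lib}/...gio-launch-desktop` lines directly below it transition to `child-open`; presumably all three name the same helper under different install paths, so the `@{bin}` variant only works if a standalone `gio-launch-desktop` profile exists, and is otherwise a denied exec. If that is not intended, `@{bin}/gio-launch-desktop rPx -> child-open,` would make the three rules consistent. The evince profile body continues outside the hunk.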
@@ -15,13 +15,13 @@ profile execute-dput @{exec_path} flags=(complain) { @{exec_path} r, - /{usr/,}bin/python3.[0-9]* r, + @{bin}/python3.[0-9]* r, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/dpkg rPx -> child-dpkg, - /{usr/,}bin/gpg{,2} rCx -> gpg, - /{usr/,}bin/gpgconf rCx -> gpg, - /{usr/,}bin/gpgsm rCx -> gpg, + @{bin}/{,ba,da}sh rix, + @{bin}/dpkg rPx -> child-dpkg, + @{bin}/gpg{,2} rCx -> gpg, + @{bin}/gpgconf rCx -> gpg, + @{bin}/gpgsm rCx -> gpg, /usr/share/dput/{,**} r, @@ -39,9 +39,9 @@ profile execute-dput @{exec_path} flags=(complain) { profile gpg { include - /{usr/,}bin/gpgconf mr, - /{usr/,}bin/gpg{,2} mr, - /{usr/,}bin/gpgsm mr, + @{bin}/gpgconf mr, + @{bin}/gpg{,2} mr, + @{bin}/gpgsm mr, owner @{HOME}/@{XDG_GPG_DIR}/ rw, owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**, diff --git a/apparmor.d/profiles-a-f/exim4 b/apparmor.d/profiles-a-f/exim4 index c1fa80ed..b85920b0 100644 --- a/apparmor.d/profiles-a-f/exim4 +++ b/apparmor.d/profiles-a-f/exim4 @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}{s,}bin/exim4 +@{exec_path} = @{bin}/exim4 profile exim4 @{exec_path} { include include diff --git a/apparmor.d/profiles-a-f/exo-compose-mail b/apparmor.d/profiles-a-f/exo-compose-mail index a4df3021..94d71dbf 100644 --- a/apparmor.d/profiles-a-f/exo-compose-mail +++ b/apparmor.d/profiles-a-f/exo-compose-mail @@ -12,12 +12,12 @@ profile exo-compose-mail @{exec_path} { include @{exec_path} r, - /{usr/,}bin/perl r, + @{bin}/perl r, # Mail clients - /{usr/,}bin/thunderbird rPx, - /{usr/,}lib/thunderbird/thunderbird rPx, - /{usr/,}lib/thunderbird/thunderbird-bin rPx, + @{bin}/thunderbird rPx, + @{lib}/thunderbird/thunderbird rPx, + @{lib}/thunderbird/thunderbird-bin rPx, include if exists } diff --git a/apparmor.d/profiles-a-f/exo-helper b/apparmor.d/profiles-a-f/exo-helper index 9c24b544..5953d17f 100644 --- a/apparmor.d/profiles-a-f/exo-helper +++ b/apparmor.d/profiles-a-f/exo-helper 
@@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}lib/@{multiarch}/xfce[0-9]/exo-[0-9]/exo-helper-[0-9] +@{exec_path} = @{lib}/@{multiarch}/xfce[0-9]/exo-[0-9]/exo-helper-[0-9] profile exo-helper @{exec_path} { include include diff --git a/apparmor.d/profiles-a-f/exo-open b/apparmor.d/profiles-a-f/exo-open index 19192c2c..a4556d14 100644 --- a/apparmor.d/profiles-a-f/exo-open +++ b/apparmor.d/profiles-a-f/exo-open @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/exo-open +@{exec_path} = @{bin}/exo-open profile exo-open @{exec_path} { include include @@ -18,10 +18,10 @@ profile exo-open @{exec_path} { @{exec_path} mr, - /{usr/,}lib/@{multiarch}/xfce4/exo-[0-9]/exo-helper-[0-9] rPx, + @{lib}/@{multiarch}/xfce4/exo-[0-9]/exo-helper-[0-9] rPx, # It looks like gio-launch-desktop decides what app should be opened - /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx, + @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/profiles-a-f/f3brew b/apparmor.d/profiles-a-f/f3brew index 84b2bc4e..6edf8354 100644 --- a/apparmor.d/profiles-a-f/f3brew +++ b/apparmor.d/profiles-a-f/f3brew @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/f3brew +@{exec_path} = @{bin}/f3brew profile f3brew @{exec_path} { include include diff --git a/apparmor.d/profiles-a-f/f3fix b/apparmor.d/profiles-a-f/f3fix index 40749712..aded289b 100644 --- a/apparmor.d/profiles-a-f/f3fix +++ b/apparmor.d/profiles-a-f/f3fix @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/f3fix +@{exec_path} = @{bin}/f3fix profile f3fix @{exec_path} { include include @@ -25,11 +25,11 @@ profile f3fix @{exec_path} { @{exec_path} mr, - /{usr/,}bin/{,ba,da}sh rix, + @{bin}/{,ba,da}sh rix, - /{usr/,}{s,}bin/dmidecode rPx, + @{bin}/dmidecode rPx, - /{usr/,}bin/udevadm rCx -> udevadm, + @{bin}/udevadm rCx -> udevadm, owner @{PROC}/@{pid}/mounts r, @{PROC}/swaps r, 
@@ -39,7 +39,7 @@ profile f3fix @{exec_path} { ptrace (read), - /{usr/,}bin/udevadm mr, + @{bin}/udevadm mr, /etc/udev/udev.conf r, diff --git a/apparmor.d/profiles-a-f/f3probe b/apparmor.d/profiles-a-f/f3probe index 9346e100..ad36f09e 100644 --- a/apparmor.d/profiles-a-f/f3probe +++ b/apparmor.d/profiles-a-f/f3probe @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/f3probe +@{exec_path} = @{bin}/f3probe profile f3probe @{exec_path} { include include diff --git a/apparmor.d/profiles-a-f/f3read b/apparmor.d/profiles-a-f/f3read index 9ff0d7ad..be331ee1 100644 --- a/apparmor.d/profiles-a-f/f3read +++ b/apparmor.d/profiles-a-f/f3read @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/f3read +@{exec_path} = @{bin}/f3read profile f3read @{exec_path} { include diff --git a/apparmor.d/profiles-a-f/f3write b/apparmor.d/profiles-a-f/f3write index 14145347..aed9ce34 100644 --- a/apparmor.d/profiles-a-f/f3write +++ b/apparmor.d/profiles-a-f/f3write @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/f3write +@{exec_path} = @{bin}/f3write profile f3write @{exec_path} { include diff --git a/apparmor.d/profiles-a-f/fail2ban-client b/apparmor.d/profiles-a-f/fail2ban-client index 83c3e694..6c1e7337 100644 --- a/apparmor.d/profiles-a-f/fail2ban-client +++ b/apparmor.d/profiles-a-f/fail2ban-client @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/fail2ban-client +@{exec_path} = @{bin}/fail2ban-client profile fail2ban-client @{exec_path} flags=(attach_disconnected) { include include @@ -14,8 +14,8 @@ profile fail2ban-client @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - /{usr/,}bin/ r, - /{usr/,}bin/python3.[0-9]* r, + @{bin}/ r, + @{bin}/python3.[0-9]* r, /etc/fail2ban/{,**} r, diff --git a/apparmor.d/profiles-a-f/fail2ban-server b/apparmor.d/profiles-a-f/fail2ban-server index 11369a9a..2695bd44 100644 --- a/apparmor.d/profiles-a-f/fail2ban-server +++ b/apparmor.d/profiles-a-f/fail2ban-server 
@@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/fail2ban-server +@{exec_path} = @{bin}/fail2ban-server profile fail2ban-server @{exec_path} flags=(attach_disconnected) { include include @@ -20,12 +20,12 @@ profile fail2ban-server @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}{s,}bin/xtables-nft-multi rix, - /{usr/,}{s,}bin/iptables rix, + @{bin}/{,ba,da}sh rix, + @{bin}/xtables-nft-multi rix, + @{bin}/iptables rix, - /{usr/,}bin/ r, - /{usr/,}bin/python3.[0-9]* r, + @{bin}/ r, + @{bin}/python3.[0-9]* r, /etc/fail2ban/{,**} r, diff --git a/apparmor.d/profiles-a-f/fatlabel b/apparmor.d/profiles-a-f/fatlabel index 10b1be89..3d40c3f0 100644 --- a/apparmor.d/profiles-a-f/fatlabel +++ b/apparmor.d/profiles-a-f/fatlabel @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}{s,}bin/fatlabel +@{exec_path} = @{bin}/fatlabel profile fatlabel @{exec_path} { include include diff --git a/apparmor.d/profiles-a-f/fatresize b/apparmor.d/profiles-a-f/fatresize index d9bbbf0d..d4015c77 100644 --- a/apparmor.d/profiles-a-f/fatresize +++ b/apparmor.d/profiles-a-f/fatresize @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}{s,}bin/fatresize +@{exec_path} = @{bin}/fatresize profile fatresize @{exec_path} { include include @@ -23,11 +23,11 @@ profile fatresize @{exec_path} { @{exec_path} mr, - /{usr/,}bin/{,ba,da}sh rix, + @{bin}/{,ba,da}sh rix, - /{usr/,}{s,}bin/dmidecode rPx, + @{bin}/dmidecode rPx, - /{usr/,}bin/udevadm rCx -> udevadm, + @{bin}/udevadm rCx -> udevadm, owner @{PROC}/@{pid}/mounts r, @{PROC}/swaps r, @@ -38,7 +38,7 @@ profile fatresize @{exec_path} { ptrace (read), - /{usr/,}bin/udevadm mr, + @{bin}/udevadm mr, /etc/udev/udev.conf r, diff --git a/apparmor.d/profiles-a-f/fdisk b/apparmor.d/profiles-a-f/fdisk index a7b993c5..e9e2eb6c 100644 --- a/apparmor.d/profiles-a-f/fdisk +++ b/apparmor.d/profiles-a-f/fdisk 
@@ -7,7 +7,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}{s,}bin/fdisk
+@{exec_path} = @{bin}/fdisk
 profile fdisk @{exec_path} {
 include
 include
diff --git a/apparmor.d/profiles-a-f/ffmpeg b/apparmor.d/profiles-a-f/ffmpeg
index b1d1efdb..d8ce55be 100644
--- a/apparmor.d/profiles-a-f/ffmpeg
+++ b/apparmor.d/profiles-a-f/ffmpeg
@@ -7,7 +7,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}bin/ffmpeg
+@{exec_path} = @{bin}/ffmpeg
 profile ffmpeg @{exec_path} {
 include
 include
diff --git a/apparmor.d/profiles-a-f/ffplay b/apparmor.d/profiles-a-f/ffplay
index ab67a8e5..106ef686 100644
--- a/apparmor.d/profiles-a-f/ffplay
+++ b/apparmor.d/profiles-a-f/ffplay
@@ -7,7 +7,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}bin/ffplay
+@{exec_path} = @{bin}/ffplay
 profile ffplay @{exec_path} {
 include
 include
diff --git a/apparmor.d/profiles-a-f/ffprobe b/apparmor.d/profiles-a-f/ffprobe
index c80a56b2..fcb30189 100644
--- a/apparmor.d/profiles-a-f/ffprobe
+++ b/apparmor.d/profiles-a-f/ffprobe
@@ -7,7 +7,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}bin/ffprobe
+@{exec_path} = @{bin}/ffprobe
 profile ffprobe @{exec_path} {
 include
 include
diff --git a/apparmor.d/profiles-a-f/file-roller b/apparmor.d/profiles-a-f/file-roller
index b86446f0..7fb5801b 100644
--- a/apparmor.d/profiles-a-f/file-roller
+++ b/apparmor.d/profiles-a-f/file-roller
@@ -6,7 +6,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}bin/file-roller
+@{exec_path} = @{bin}/file-roller
 profile file-roller @{exec_path} {
 include
 include
@@ -19,17 +19,17 @@ profile file-roller @{exec_path} { @{exec_path} mr, # Archivers - /{usr/,}bin/7z rix, - /{usr/,}lib/p7zip/7z rix, - /{usr/,}bin/unrar-nonfree rix, - /{usr/,}bin/zip rix, - /{usr/,}bin/unzip rix, - /{usr/,}bin/tar rix, - /{usr/,}bin/xz rix, - /{usr/,}bin/bzip2 rix, - /{usr/,}bin/cpio rix, - /{usr/,}bin/gzip rix, - /{usr/,}bin/zstd rix, + @{bin}/7z rix, + @{lib}/p7zip/7z rix, + @{bin}/unrar-nonfree rix, + @{bin}/zip rix, + @{bin}/unzip rix, + @{bin}/tar rix, + @{bin}/xz rix, + @{bin}/bzip2 rix, + @{bin}/cpio rix, + @{bin}/gzip rix, + @{bin}/zstd rix, /usr/share/themes/{,**} r, /usr/share/X11/xkb/{,**} r, diff --git a/apparmor.d/profiles-a-f/filecap b/apparmor.d/profiles-a-f/filecap index a575cf2d..8a5115cc 100644 --- a/apparmor.d/profiles-a-f/filecap +++ b/apparmor.d/profiles-a-f/filecap @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/filecap +@{exec_path} = @{bin}/filecap profile filecap @{exec_path} { include include @@ -14,10 +14,8 @@ profile filecap @{exec_path} { @{exec_path} mr, # The default behavior is to check only the directories in the PATH environmental variable. - /{usr/,}{s,}bin/ r, - /{usr/,}{s,}bin/* r, - /{usr/,}bin/ r, - /{usr/,}bin/* r, + @{bin}/ r, + @{bin}/* r, /usr/local/sbin/ r, /usr/local/sbin/* r, /usr/local/bin/ r, diff --git a/apparmor.d/profiles-a-f/findmnt b/apparmor.d/profiles-a-f/findmnt index bd0e934c..5e2cdf72 100644 --- a/apparmor.d/profiles-a-f/findmnt +++ b/apparmor.d/profiles-a-f/findmnt @@ -7,7 +7,7 @@ abi , include -@{exec_path} = /{usr/,}bin/findmnt +@{exec_path} = @{bin}/findmnt profile findmnt @{exec_path} flags=(attach_disconnected,complain) { include include diff --git a/apparmor.d/profiles-a-f/firecfg b/apparmor.d/profiles-a-f/firecfg index ffce0bf2..1d5edb02 100644 --- a/apparmor.d/profiles-a-f/firecfg +++ b/apparmor.d/profiles-a-f/firecfg 
@@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/firecfg +@{exec_path} = @{bin}/firecfg profile firecfg @{exec_path} flags=(attach_disconnected) { include include @@ -18,8 +18,8 @@ profile firecfg @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/apparmor_parser rPx, + @{bin}/{,ba,da}sh rix, + @{bin}/apparmor_parser rPx, /etc/login.defs r, /etc/firejail/firejail.users r, diff --git a/apparmor.d/profiles-a-f/firewalld b/apparmor.d/profiles-a-f/firewalld index dcd778ff..1cab6588 100644 --- a/apparmor.d/profiles-a-f/firewalld +++ b/apparmor.d/profiles-a-f/firewalld @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}{s,}bin/firewalld +@{exec_path} = @{bin}/firewalld profile firewalld @{exec_path} { include include @@ -23,15 +23,15 @@ profile firewalld @{exec_path} { @{exec_path} mr, - /{usr/,}{s,}bin/ r, - /{usr/,}{s,}bin/ebtables-legacy rix, - /{usr/,}{s,}bin/ebtables-legacy-restore rix, - /{usr/,}{s,}bin/ipset rix, - /{usr/,}{s,}bin/kmod rPx, - /{usr/,}{s,}bin/xtables-legacy-multi rix, - /{usr/,}{s,}bin/xtables-nft-multi rix, - /{usr/,}bin/alts rix, - /{usr/,}bin/false rix, + @{bin}/ r, + @{bin}/alts rix, + @{bin}/ebtables-legacy rix, + @{bin}/ebtables-legacy-restore rix, + @{bin}/false rix, + @{bin}/ipset rix, + @{bin}/kmod rPx, + @{bin}/xtables-legacy-multi rix, + @{bin}/xtables-nft-multi rix, /usr/share/libalternatives/ r, /usr/share/libalternatives/ebtables*/{,*} r, diff --git a/apparmor.d/profiles-a-f/flatpak-portal b/apparmor.d/profiles-a-f/flatpak-portal index 0892cfc6..c2b07033 100644 --- a/apparmor.d/profiles-a-f/flatpak-portal +++ b/apparmor.d/profiles-a-f/flatpak-portal @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}lib/flatpak-portal +@{exec_path} = @{lib}/flatpak-portal profile flatpak-portal @{exec_path} flags=(attach_disconnected) { include include 
@@ -21,7 +21,7 @@ profile flatpak-portal @{exec_path} flags=(attach_disconnected) {
 @{exec_path} mr,
- /{usr/,}bin/flatpak rUx,
+ @{bin}/flatpak rUx,
 /usr/share/mime/mime.cache r,
 /usr/share/xdg-desktop-portal/portals/{,*.portal} r,
diff --git a/apparmor.d/profiles-a-f/flatpak-session-helper b/apparmor.d/profiles-a-f/flatpak-session-helper
index 4f216a55..3c2c35de 100644
--- a/apparmor.d/profiles-a-f/flatpak-session-helper
+++ b/apparmor.d/profiles-a-f/flatpak-session-helper
@@ -6,7 +6,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}lib/flatpak-session-helper
+@{exec_path} = @{lib}/flatpak-session-helper
 profile flatpak-session-helper @{exec_path} {
 include
 include
@@ -15,11 +15,11 @@ profile flatpak-session-helper @{exec_path} {
 @{exec_path} mr,
- /{usr/,}bin/dbus-monitor rPUx,
- /{usr/,}bin/p11-kit rix,
- /{usr/,}bin/pkexec rPx,
- /{usr/,}lib/p11-kit/p11-kit-remote rix,
- /{usr/,}lib/p11-kit/p11-kit-server rix,
+ @{bin}/dbus-monitor rPUx,
+ @{bin}/p11-kit rix,
+ @{bin}/pkexec rPx,
+ @{lib}/p11-kit/p11-kit-remote rix,
+ @{lib}/p11-kit/p11-kit-server rix,
 owner @{run}/user/@{uid}/.flatpak-helper/{,**} rw,
 owner @{run}/user/@{uid}/.flatpak-helper/pkcs11-flatpak-[0-9]* rw,
diff --git a/apparmor.d/profiles-a-f/flatpak-system-helper b/apparmor.d/profiles-a-f/flatpak-system-helper
index d9effdf5..3d342ce9 100644
--- a/apparmor.d/profiles-a-f/flatpak-system-helper
+++ b/apparmor.d/profiles-a-f/flatpak-system-helper
@@ -6,7 +6,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}lib/flatpak-system-helper
+@{exec_path} = @{lib}/flatpak-system-helper
 profile flatpak-system-helper @{exec_path} {
 include
 include
@@ -27,11 +27,11 @@ profile flatpak-system-helper @{exec_path} { @{exec_path} mr, - /{usr/,}bin/bwrap rPUx, - /{usr/,}bin/gpg{,2} rCx -> gpg, - /{usr/,}bin/gpgconf rCx -> gpg, - /{usr/,}bin/gpgsm rCx -> gpg, - /{usr/,}lib/revokefs-fuse rix, + @{bin}/bwrap rPUx, + @{bin}/gpg{,2} rCx -> gpg, + @{bin}/gpgconf rCx -> gpg, + @{bin}/gpgsm rCx -> gpg, + @{lib}/revokefs-fuse rix, /etc/flatpak/{,**} r, @@ -52,11 +52,11 @@ profile flatpak-system-helper @{exec_path} { include include - /{usr/,}bin/gpg{,2} mr, - /{usr/,}bin/gpgconf mr, - /{usr/,}bin/gpgsm mr, + @{bin}/gpg{,2} mr, + @{bin}/gpgconf mr, + @{bin}/gpgsm mr, - /{usr/,}bin/gpg-agent rix, + @{bin}/gpg-agent rix, owner /tmp/ostree-gpg-*/ r, owner /tmp/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**, diff --git a/apparmor.d/profiles-a-f/font-manager b/apparmor.d/profiles-a-f/font-manager index 2375871f..e6a60fd1 100644 --- a/apparmor.d/profiles-a-f/font-manager +++ b/apparmor.d/profiles-a-f/font-manager @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/font-manager +@{exec_path} = @{bin}/font-manager profile font-manager @{exec_path} { include include @@ -26,8 +26,8 @@ profile font-manager @{exec_path} { @{exec_path} r, - /{usr/,}lib/@{multiarch}/webkit*gtk-*/WebKitWebProcess rix, - /{usr/,}lib/@{multiarch}/webkit*gtk-*/WebKitNetworkProcess rix, + @{lib}/@{multiarch}/webkit*gtk-*/WebKitWebProcess rix, + @{lib}/@{multiarch}/webkit*gtk-*/WebKitNetworkProcess rix, owner @{user_cache_dirs}/ rw, owner @{user_cache_dirs}/font-manager/ rw, diff --git a/apparmor.d/profiles-a-f/fping b/apparmor.d/profiles-a-f/fping index 5d6906bf..524c97a7 100644 --- a/apparmor.d/profiles-a-f/fping +++ b/apparmor.d/profiles-a-f/fping @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/fping{,6} +@{exec_path} = @{bin}/fping{,6} profile fping @{exec_path} { include include diff --git a/apparmor.d/profiles-a-f/fprintd b/apparmor.d/profiles-a-f/fprintd index 44be96b3..dd34d5be 100644 --- a/apparmor.d/profiles-a-f/fprintd 
+++ b/apparmor.d/profiles-a-f/fprintd
@@ -6,7 +6,7 @@ abi ,
 include
-@{exec_path} = @{libexec}/fprintd
+@{exec_path} = @{lib}/fprintd
 profile fprintd @{exec_path} flags=(attach_disconnected) {
 include
 include
diff --git a/apparmor.d/profiles-a-f/freefall b/apparmor.d/profiles-a-f/freefall
index 61a9c60b..638baa82 100644
--- a/apparmor.d/profiles-a-f/freefall
+++ b/apparmor.d/profiles-a-f/freefall
@@ -6,7 +6,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}bin/freefall
+@{exec_path} = @{bin}/freefall
 profile freefall @{exec_path} {
 include
diff --git a/apparmor.d/profiles-a-f/fritzing b/apparmor.d/profiles-a-f/fritzing
index c9325713..9fe267c2 100644
--- a/apparmor.d/profiles-a-f/fritzing
+++ b/apparmor.d/profiles-a-f/fritzing
@@ -6,7 +6,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}bin/fritzing{,.real}
+@{exec_path} = @{bin}/fritzing{,.real}
 profile fritzing @{exec_path} {
 include
 include
diff --git a/apparmor.d/profiles-a-f/frontend b/apparmor.d/profiles-a-f/frontend
index 2312b789..25808c5f 100644
--- a/apparmor.d/profiles-a-f/frontend
+++ b/apparmor.d/profiles-a-f/frontend
@@ -21,27 +21,27 @@ profile frontend @{exec_path} flags=(complain) { capability dac_read_search, @{exec_path} r, - /{usr/,}bin/perl r, + @{bin}/perl r, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/hostname rix, - /{usr/,}bin/locale rix, - /{usr/,}bin/lsb_release rPx -> lsb_release, - /{usr/,}bin/stty rix, + @{bin}/{,ba,da}sh rix, + @{bin}/hostname rix, + @{bin}/locale rix, + @{bin}/lsb_release rPx -> lsb_release, + @{bin}/stty rix, # debconf apps - /{usr/,}{s,}bin/aspell-autobuildhash rPx, - /{usr/,}{s,}bin/pam-auth-update rPx, - /{usr/,}bin/adequate rPx, - /{usr/,}bin/debconf-apt-progress rPx, - /{usr/,}bin/linux-check-removal rPx, - /{usr/,}bin/ucf rPx, - /{usr/,}bin/whiptail rPx, - /{usr/,}lib/tasksel/tasksel-debconf rPx -> tasksel, + @{bin}/adequate rPx, + @{bin}/aspell-autobuildhash rPx, + @{bin}/debconf-apt-progress rPx, + @{bin}/linux-check-removal rPx, + @{bin}/pam-auth-update rPx, + @{bin}/ucf rPx, + @{bin}/whiptail rPx, + @{lib}/tasksel/tasksel-debconf rPx -> tasksel, /usr/share/debian-security-support/check-support-status.hook rPx, # Grub - /{usr/,}lib/grub/grub-multi-install rPx, + @{lib}/grub/grub-multi-install rPx, /usr/share/grub/grub-check-signatures rPx, # Run the package maintainer's scripts @@ -63,9 +63,9 @@ profile frontend @{exec_path} flags=(complain) { # DKMS scipts # What to do with it? (#FIXME#) - /{usr/,}lib/dkms/common.postinst rPUx, - /{usr/,}lib/dkms/dkms-* rPUx, - /{usr/,}lib/dkms/dkms_* rPUx, + @{lib}/dkms/common.postinst rPUx, + @{lib}/dkms/dkms-* rPUx, + @{lib}/dkms/dkms_* rPUx, /usr/share/debconf/{,**} r, @@ -97,14 +97,11 @@ profile frontend @{exec_path} flags=(complain) { / r, - /{usr/,}bin/ r, - /{usr/,}bin/* rPUx, + @{bin}/ r, + @{bin}/* rPUx, - /{usr/,}sbin/ r, - /{usr/,}sbin/* rPUx, - - /{usr/,}lib/ r, - /{usr/,}lib/** rPUx, + @{lib}/ r, + @{lib}/** rPUx, /usr/share/ r, /usr/share/** rPUx, diff --git a/apparmor.d/profiles-a-f/fsck b/apparmor.d/profiles-a-f/fsck index 89a64ffa..534a1abc 100644 --- a/apparmor.d/profiles-a-f/fsck 
+++ b/apparmor.d/profiles-a-f/fsck @@ -7,7 +7,7 @@ abi , include -@{exec_path} = /{usr/,}{s,}bin/fsck +@{exec_path} = @{bin}/fsck profile fsck @{exec_path} { include include @@ -18,9 +18,8 @@ profile fsck @{exec_path} { @{exec_path} mr, - /{usr/,}{s,}bin/e2fsck rPx, - /{usr/,}sbin/fsck.* rPx, - /{usr/,}bin/fsck.* rPx, + @{bin}/e2fsck rPx, + @{bin}/fsck.* rPx, /etc/fstab r, diff --git a/apparmor.d/profiles-a-f/fsck-btrfs b/apparmor.d/profiles-a-f/fsck-btrfs index 9d6b1edf..bed6737d 100644 --- a/apparmor.d/profiles-a-f/fsck-btrfs +++ b/apparmor.d/profiles-a-f/fsck-btrfs @@ -6,13 +6,13 @@ abi , include -@{exec_path} = /{usr/,}{s,}bin/fsck.btrfs +@{exec_path} = @{bin}/fsck.btrfs profile fsck-btrfs @{exec_path} { include @{exec_path} r, - /{usr/,}bin/{,ba,da}sh rix, + @{bin}/{,ba,da}sh rix, /etc/fstab r, diff --git a/apparmor.d/profiles-a-f/fsck-ext4 b/apparmor.d/profiles-a-f/fsck-ext4 index 8d552e0e..15f2efe0 100644 --- a/apparmor.d/profiles-a-f/fsck-ext4 +++ b/apparmor.d/profiles-a-f/fsck-ext4 @@ -6,13 +6,13 @@ abi , include -@{exec_path} = /{usr/,}{s,}bin/fsck.ext4 +@{exec_path} = @{bin}/fsck.ext4 profile fsck-ext4 @{exec_path} { include @{exec_path} rm, - /{usr/,}bin/{,ba,da}sh rix, + @{bin}/{,ba,da}sh rix, /etc/fstab r, diff --git a/apparmor.d/profiles-a-f/fsck-fat b/apparmor.d/profiles-a-f/fsck-fat index c35f0004..99826340 100644 --- a/apparmor.d/profiles-a-f/fsck-fat +++ b/apparmor.d/profiles-a-f/fsck-fat @@ -7,7 +7,7 @@ abi , include -@{exec_path} = /{usr/,}{s,}bin/{fsck.fat,fsck.msdos,fsck.vfat,dosfsck} +@{exec_path} = @{bin}/{fsck.fat,fsck.msdos,fsck.vfat,dosfsck} profile fsck-fat @{exec_path} { include include diff --git a/apparmor.d/profiles-a-f/fuse-overlayfs b/apparmor.d/profiles-a-f/fuse-overlayfs index 85cf0b25..767d0e79 100644 --- a/apparmor.d/profiles-a-f/fuse-overlayfs +++ b/apparmor.d/profiles-a-f/fuse-overlayfs 
@@ -6,7 +6,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}bin/fuse-overlayfs
+@{exec_path} = @{bin}/fuse-overlayfs
 profile fuse-overlayfs @{exec_path} {
 include
diff --git a/apparmor.d/profiles-a-f/fuseiso b/apparmor.d/profiles-a-f/fuseiso
index c7372c32..fa121ff7 100644
--- a/apparmor.d/profiles-a-f/fuseiso
+++ b/apparmor.d/profiles-a-f/fuseiso
@@ -7,7 +7,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}bin/fuseiso
+@{exec_path} = @{bin}/fuseiso
 profile fuseiso @{exec_path} {
 include
 include
@@ -19,7 +19,7 @@ profile fuseiso @{exec_path} {
 @{exec_path} mr,
- /{usr/,}bin/fusermount{,3} rCx -> fusermount,
+ @{bin}/fusermount{,3} rCx -> fusermount,
 # Where to mount ISO files
 owner @{HOME}/*/ rw,
@@ -47,7 +47,7 @@ profile fuseiso @{exec_path} {
 mount fstype={fuse,fuse.fuseiso} -> @{HOME}/*/*/,
 mount fstype={fuse,fuse.fuseiso} -> @{HOME}/.cache/**/,
- /{usr/,}bin/fusermount{,3} mr,
+ @{bin}/fusermount{,3} mr,
 /etc/fuse.conf r,
diff --git a/apparmor.d/profiles-a-f/fusermount b/apparmor.d/profiles-a-f/fusermount
index beaafa9c..55cfa6f5 100644
--- a/apparmor.d/profiles-a-f/fusermount
+++ b/apparmor.d/profiles-a-f/fusermount
@@ -7,7 +7,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}bin/fusermount{,3}
+@{exec_path} = @{bin}/fusermount{,3}
 profile fusermount @{exec_path} {
 include
 include
diff --git a/apparmor.d/profiles-a-f/fwupd b/apparmor.d/profiles-a-f/fwupd
index 1d0a24e6..ad10044b 100644
--- a/apparmor.d/profiles-a-f/fwupd
+++ b/apparmor.d/profiles-a-f/fwupd
@@ -7,7 +7,7 @@ abi ,
 include
-@{exec_path} = @{libexec}/{,fwupd/}fwupd
+@{exec_path} = @{lib}/{,fwupd/}fwupd
 profile fwupd @{exec_path} flags=(complain,attach_disconnected) {
 include
 include
@@ -82,11 +82,11 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) { @{exec_path} mr, - /{usr/,}lib/fwupd/fwupd-detect-cet rix, + @{lib}/fwupd/fwupd-detect-cet rix, - /{usr/,}bin/gpg{,2} rCx -> gpg, - /{usr/,}bin/gpgconf rCx -> gpg, - /{usr/,}bin/gpgsm rCx -> gpg, + @{bin}/gpg{,2} rCx -> gpg, + @{bin}/gpgconf rCx -> gpg, + @{bin}/gpgsm rCx -> gpg, /usr/share/fwupd/{,**} r, /usr/share/mime/mime.cache r, @@ -105,7 +105,7 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) { /boot/EFI/*/.goutputstream-* rw, /boot/EFI/*/fw/fwupd-*.cap{,.*} rw, /boot/EFI/*/fwupdx[0-9]*.efi rw, - @{libexec}/fwupd/efi/fwupdx[0-9]*.efi r, + @{lib}/fwupd/efi/fwupdx[0-9]*.efi r, /etc/machine-id r, /var/lib/dbus/machine-id r, @@ -164,10 +164,10 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) { capability dac_read_search, - /{usr/,}bin/gpg{,2} mr, - /{usr/,}bin/gpgconf mr, - /{usr/,}bin/gpgsm mr, - /{usr/,}bin/gpg-agent mrix, + @{bin}/gpg{,2} mr, + @{bin}/gpgconf mr, + @{bin}/gpgsm mr, + @{bin}/gpg-agent mrix, owner /var/lib/fwupd/gnupg/ rw, owner /var/lib/fwupd/gnupg/** rwkl -> /var/lib/fwupd/gnupg/**, diff --git a/apparmor.d/profiles-a-f/fwupdmgr b/apparmor.d/profiles-a-f/fwupdmgr index 4a4e6ce4..32c0dc2e 100644 --- a/apparmor.d/profiles-a-f/fwupdmgr +++ b/apparmor.d/profiles-a-f/fwupdmgr @@ -7,7 +7,7 @@ abi , include -@{exec_path} = /{usr/,}bin/fwupdmgr +@{exec_path} = @{bin}/fwupdmgr profile fwupdmgr @{exec_path} flags=(attach_disconnected,complain) { include include @@ -48,8 +48,8 @@ profile fwupdmgr @{exec_path} flags=(attach_disconnected,complain) { @{exec_path} mr, - /{usr/,}bin/dbus-launch rCx -> dbus, - /{usr/,}bin/pkttyagent rPx, + @{bin}/dbus-launch rCx -> dbus, + @{bin}/pkttyagent rPx, /usr/share/glib-2.0/schemas/gschemas.compiled r, @@ -73,7 +73,7 @@ profile fwupdmgr @{exec_path} flags=(attach_disconnected,complain) { include include - /{usr/,}bin/dbus-launch mr, + @{bin}/dbus-launch mr, owner @{HOME}/.Xauthority r, 
diff --git a/apparmor.d/profiles-a-f/fzsftp b/apparmor.d/profiles-a-f/fzsftp
index de15e941..8d66f6c8 100644
--- a/apparmor.d/profiles-a-f/fzsftp
+++ b/apparmor.d/profiles-a-f/fzsftp
@@ -6,7 +6,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}bin/fzsftp
+@{exec_path} = @{bin}/fzsftp
 profile fzsftp @{exec_path} {
 include
 include
@@ -19,9 +19,9 @@ profile fzsftp @{exec_path} {
 @{exec_path} mr,
- /{usr/,}bin/{,ba,da}sh mrix,
- /{usr/,}bin/ps rix,
- /{usr/,}bin/ls rix,
+ @{bin}/{,ba,da}sh mrix,
+ @{bin}/ps rix,
+ @{bin}/ls rix,
 @{PROC}/ r,
 @{PROC}/uptime r,