From 557d905543e89a458fa6caab0fdd5c288095c923 Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol Date: Thu, 17 Aug 2023 20:01:53 +0100 Subject: [PATCH] Merge branch 'tunables' of https://github.com/nobody43/apparmor.d into nobody43-tunables * 'tunables' of https://github.com/nobody43/apparmor.d: dbus temp tails Update apparmor.d Update gdm-runtime-config more unrelated changes adjust date-time random tails rename to int, convert more profiles fixes tunables --- apparmor.d/abstractions/X-strict | 2 +- apparmor.d/abstractions/apt-common | 2 +- .../dbus-session-strict.d/complete | 8 +++--- apparmor.d/abstractions/gstreamer | 4 +-- apparmor.d/abstractions/ibus.d/complete | 8 +++--- apparmor.d/abstractions/kde5-plasma5 | 16 +++++------ apparmor.d/abstractions/qt5-shader-cache | 8 +++--- .../abstractions/thumbnails-cache-write | 8 +++--- apparmor.d/abstractions/trash.d/complete | 8 +++--- .../groups/akonadi/akonadi_archivemail_agent | 2 +- .../groups/akonadi/akonadi_indexing_agent | 4 +-- .../akonadi/akonadi_maildispatcher_agent | 2 +- .../groups/akonadi/akonadi_mailfilter_agent | 4 +-- .../akonadi/akonadi_newmailnotifier_agent | 2 +- apparmor.d/groups/apps/calibre | 12 ++++---- apparmor.d/groups/apps/dropbox | 2 +- apparmor.d/groups/apps/flameshot | 6 ++-- apparmor.d/groups/apps/okular | 12 ++++---- apparmor.d/groups/apps/telegram-desktop | 4 +-- apparmor.d/groups/apps/vlc | 6 ++-- apparmor.d/groups/apt/apt | 2 +- apparmor.d/groups/apt/apt-extracttemplates | 2 +- apparmor.d/groups/apt/debsecan | 2 +- apparmor.d/groups/apt/dpkg-query | 2 +- apparmor.d/groups/browsers/chromium-wrapper | 2 +- apparmor.d/groups/browsers/firefox | 7 +++-- apparmor.d/groups/browsers/firefox-glxtest | 4 +-- .../groups/browsers/firefox-kmozillahelper | 4 +-- apparmor.d/groups/bus/dbus-daemon | 2 -- apparmor.d/groups/bus/ibus-daemon | 6 ++-- apparmor.d/groups/bus/ibus-dconf | 12 ++++---- apparmor.d/groups/bus/ibus-engine-simple | 6 ++-- apparmor.d/groups/bus/ibus-extension-gtk3 | 4 +-- apparmor.d/groups/bus/ibus-memconf | 4 +-- apparmor.d/groups/bus/ibus-portal | 2 +- 
apparmor.d/groups/bus/ibus-x11 | 6 ++-- apparmor.d/groups/children/child-dpkg | 2 +- apparmor.d/groups/children/child-dpkg-divert | 2 +- apparmor.d/groups/children/child-systemctl | 8 +++--- apparmor.d/groups/cron/cron | 2 +- apparmor.d/groups/cron/cron-apt | 2 +- .../groups/cron/cron-popularity-contest | 10 +++---- apparmor.d/groups/freedesktop/accounts-daemon | 11 +++++--- .../groups/freedesktop/at-spi-bus-launcher | 4 +-- .../groups/freedesktop/at-spi2-registryd | 6 ++-- apparmor.d/groups/freedesktop/dconf | 3 +- apparmor.d/groups/freedesktop/dconf-editor | 2 +- .../polkit-kde-authentication-agent | 6 ++-- apparmor.d/groups/freedesktop/pulseaudio | 2 +- .../groups/freedesktop/xdg-desktop-portal-gtk | 8 +++--- .../groups/freedesktop/xdg-desktop-portal-kde | 4 +-- .../groups/freedesktop/xdg-permission-store | 2 +- .../groups/freedesktop/xdg-user-dirs-update | 2 +- apparmor.d/groups/freedesktop/xorg | 2 +- apparmor.d/groups/freedesktop/xprop | 6 ++-- apparmor.d/groups/freedesktop/xrdb | 4 +-- apparmor.d/groups/freedesktop/xsetroot | 4 +-- apparmor.d/groups/freedesktop/xwayland | 4 +-- apparmor.d/groups/gnome/gdm-runtime-config | 2 +- apparmor.d/groups/gnome/gdm-session-worker | 2 ++ apparmor.d/groups/gnome/gdm-xsession | 2 +- apparmor.d/groups/gnome/gjs-console | 4 +-- apparmor.d/groups/gnome/gnome-control-center | 20 +++++++++---- .../groups/gnome/gnome-remote-desktop-daemon | 6 ++++ apparmor.d/groups/gnome/gnome-session-binary | 2 +- apparmor.d/groups/gnome/gnome-session-ctl | 2 +- apparmor.d/groups/gnome/gnome-shell | 20 ++++++------- .../groups/gnome/gnome-shell-hotplug-sniffer | 1 + apparmor.d/groups/gnome/gnome-software | 4 +-- apparmor.d/groups/gnome/gnome-terminal-server | 2 +- apparmor.d/groups/gnome/gsd-housekeeping | 1 + apparmor.d/groups/gnome/gsd-xsettings | 2 +- apparmor.d/groups/gnome/kgx | 2 +- apparmor.d/groups/gnome/mutter-x11-frames | 4 +-- apparmor.d/groups/gnome/tracker-extract | 4 +-- apparmor.d/groups/gnome/tracker-miner | 2 +- 
apparmor.d/groups/grub/grub-install | 1 + apparmor.d/groups/grub/grub-multi-install | 5 +++- apparmor.d/groups/gvfs/gvfsd-dav | 2 +- apparmor.d/groups/gvfs/gvfsd-dnssd | 2 +- apparmor.d/groups/gvfs/gvfsd-http | 2 +- apparmor.d/groups/gvfs/gvfsd-mtp | 2 +- apparmor.d/groups/gvfs/gvfsd-network | 2 +- apparmor.d/groups/gvfs/gvfsd-recent | 2 +- apparmor.d/groups/gvfs/gvfsd-smb | 2 +- apparmor.d/groups/gvfs/gvfsd-smb-browse | 2 +- apparmor.d/groups/gvfs/gvfsd-trash | 2 +- apparmor.d/groups/kde/baloo | 2 +- apparmor.d/groups/kde/drkonqi | 4 +-- apparmor.d/groups/kde/gmenudbusmenuproxy | 4 +-- apparmor.d/groups/kde/kaccess | 4 +-- apparmor.d/groups/kde/kalendarac | 8 +++--- apparmor.d/groups/kde/kcminit | 16 +++++------ apparmor.d/groups/kde/kconf_update | 8 +++--- apparmor.d/groups/kde/kde-powerdevil | 2 +- apparmor.d/groups/kde/kded5 | 6 ++-- apparmor.d/groups/kde/kglobalaccel5 | 4 +-- apparmor.d/groups/kde/kioslave5 | 6 ++-- apparmor.d/groups/kde/kscreenlocker-greet | 12 ++++---- apparmor.d/groups/kde/ksmserver | 12 ++++---- apparmor.d/groups/kde/kwalletd5 | 10 +++---- apparmor.d/groups/kde/kwalletmanager5 | 12 ++++---- apparmor.d/groups/kde/kwin_x11 | 16 +++++------ apparmor.d/groups/kde/plasma-discover | 4 +-- apparmor.d/groups/kde/plasmashell | 16 +++++------ apparmor.d/groups/kde/sddm | 10 +++---- apparmor.d/groups/kde/sddm-greeter | 6 ++-- apparmor.d/groups/kde/startplasma | 10 +++---- apparmor.d/groups/kde/xdm-xsession | 4 +-- apparmor.d/groups/kde/xembedsniproxy | 6 ++-- apparmor.d/groups/kde/xsettingsd | 6 ++-- apparmor.d/groups/network/mullvad-gui | 6 ++-- apparmor.d/groups/systemd/coredumpctl | 10 +++---- apparmor.d/groups/systemd/journalctl | 14 +++++----- apparmor.d/groups/systemd/networkctl | 8 +++--- apparmor.d/groups/systemd/systemd-hostnamed | 2 +- apparmor.d/groups/systemd/systemd-journald | 2 +- apparmor.d/groups/systemd/systemd-remount-fs | 2 +- .../systemd/systemd-user-generators-autostart | 8 ++++-- apparmor.d/groups/ubuntu/apport-gtk | 2 +- 
.../groups/ubuntu/subiquity-console-conf | 10 +++---- apparmor.d/groups/ubuntu/update-notifier | 2 +- apparmor.d/profiles-a-f/aa-log | 4 +-- apparmor.d/profiles-a-f/anki | 14 +++++----- apparmor.d/profiles-a-f/birdtray | 6 ++-- apparmor.d/profiles-a-f/blkid | 4 +-- apparmor.d/profiles-a-f/btrfs | 2 +- apparmor.d/profiles-a-f/btrfstune | 2 +- apparmor.d/profiles-a-f/cfdisk | 2 +- apparmor.d/profiles-a-f/conky | 2 +- apparmor.d/profiles-a-f/cupsd | 2 +- apparmor.d/profiles-a-f/dumpe2fs | 2 +- apparmor.d/profiles-a-f/e2fsck | 2 +- apparmor.d/profiles-a-f/engrampa | 2 +- apparmor.d/profiles-a-f/exim4 | 2 +- apparmor.d/profiles-a-f/exo-helper | 2 +- apparmor.d/profiles-a-f/flatpak-system-helper | 4 +-- apparmor.d/profiles-a-f/fsck | 2 +- apparmor.d/profiles-a-f/fwupd | 2 +- apparmor.d/profiles-g-l/gajim | 2 +- apparmor.d/profiles-g-l/glib-pacrunner | 2 ++ apparmor.d/profiles-g-l/gsettings | 4 +-- apparmor.d/profiles-g-l/hardinfo | 2 +- apparmor.d/profiles-g-l/hw-probe | 8 +++--- apparmor.d/profiles-g-l/ioping | 4 +-- apparmor.d/profiles-g-l/jmtpfs | 2 +- apparmor.d/profiles-g-l/kanyremote | 2 +- apparmor.d/profiles-g-l/keepassxc | 16 +++++------ apparmor.d/profiles-g-l/labwc | 2 +- apparmor.d/profiles-m-r/megasync | 8 +++--- apparmor.d/profiles-m-r/minitube | 16 +++++------ apparmor.d/profiles-m-r/mke2fs | 2 +- apparmor.d/profiles-m-r/mkvtoolnix-gui | 12 ++++---- apparmor.d/profiles-m-r/mono-sgen | 4 +-- apparmor.d/profiles-m-r/mumble | 6 ++-- apparmor.d/profiles-m-r/obexd | 2 ++ apparmor.d/profiles-m-r/packagekitd | 2 +- apparmor.d/profiles-m-r/pam/mappings | 6 ++-- apparmor.d/profiles-m-r/pinentry-gtk-2 | 2 +- apparmor.d/profiles-m-r/pinentry-qt | 4 +-- apparmor.d/profiles-m-r/plocate-build | 4 +-- apparmor.d/profiles-m-r/popularity-contest | 2 +- apparmor.d/profiles-m-r/psi | 10 +++---- apparmor.d/profiles-m-r/psi-plus | 10 +++---- apparmor.d/profiles-m-r/pwck | 3 +- apparmor.d/profiles-m-r/qbittorrent | 14 ++++------ apparmor.d/profiles-m-r/qbittorrent-nox | 8 
+++--- apparmor.d/profiles-m-r/qnapi | 14 +++++----- apparmor.d/profiles-m-r/qpdfview | 8 +++--- apparmor.d/profiles-m-r/qt5ct | 6 ++-- apparmor.d/profiles-m-r/quiterss | 2 +- apparmor.d/profiles-m-r/redshift | 2 +- apparmor.d/profiles-m-r/rpi-imager | 8 +++--- apparmor.d/profiles-m-r/run-parts | 4 ++- apparmor.d/profiles-m-r/rustdesk | 4 +-- apparmor.d/profiles-s-z/scrcpy | 3 +- apparmor.d/profiles-s-z/scrot | 2 +- apparmor.d/profiles-s-z/smplayer | 6 ++-- apparmor.d/profiles-s-z/smtube | 8 +++--- apparmor.d/profiles-s-z/steam | 2 +- apparmor.d/profiles-s-z/steam-game | 2 +- apparmor.d/profiles-s-z/strawberry | 10 +++---- apparmor.d/profiles-s-z/strawberry-tagreader | 2 +- apparmor.d/profiles-s-z/su | 2 +- apparmor.d/profiles-s-z/system-config-printer | 2 +- apparmor.d/profiles-s-z/tint2 | 2 +- apparmor.d/profiles-s-z/tune2fs | 2 +- apparmor.d/profiles-s-z/udisksd | 2 +- apparmor.d/profiles-s-z/updatedb.plocate | 4 +-- apparmor.d/profiles-s-z/usbguard-applet-qt | 4 +-- apparmor.d/profiles-s-z/vidcutter | 16 +++++------ apparmor.d/profiles-s-z/wireshark | 2 +- apparmor.d/profiles-s-z/wpa-gui | 2 +- apparmor.d/profiles-s-z/xauth | 22 +++++++-------- apparmor.d/profiles-s-z/yadifad | 10 +++---- apparmor.d/profiles-s-z/zpool | 2 +- apparmor.d/tunables/multiarch.d/apparmor.d | 26 ++++++++++++++--- dists/ubuntu/abstractions/trash | 28 +++++++++---------- 198 files changed, 560 insertions(+), 507 deletions(-) diff --git a/apparmor.d/abstractions/X-strict b/apparmor.d/abstractions/X-strict index c63a6b09..b18d939d 100644 --- a/apparmor.d/abstractions/X-strict +++ b/apparmor.d/abstractions/X-strict @@ -28,7 +28,7 @@ @{run}/user/@{uid}/xauth_* rl, # Xwayland - owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* rw, + owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} rw, /etc/X11/cursors/{,**} r, /usr/share/X11/{,**} r, diff --git a/apparmor.d/abstractions/apt-common b/apparmor.d/abstractions/apt-common index 3207391d..089b3901 100644 
--- a/apparmor.d/abstractions/apt-common +++ b/apparmor.d/abstractions/apt-common @@ -27,6 +27,6 @@ /var/lib/ubuntu-advantage/apt-esm/{,**} r, owner /tmp/clearsigned.message.* rw, - owner /tmp/#[0-9]*[0-9] rw, + owner /tmp/#@{int} rw, include if exists \ No newline at end of file diff --git a/apparmor.d/abstractions/dbus-session-strict.d/complete b/apparmor.d/abstractions/dbus-session-strict.d/complete index ab2da5ee..c6f5f0f6 100644 --- a/apparmor.d/abstractions/dbus-session-strict.d/complete +++ b/apparmor.d/abstractions/dbus-session-strict.d/complete @@ -2,12 +2,12 @@ # Copyright (C) 2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only - unix (connect, send, receive, accept) type=stream addr="@/tmp/dbus-*", - unix (bind, listen) type=stream addr="@/tmp/dbus-*", + unix (connect, send, receive, accept) type=stream addr="@/tmp/dbus-????????", + unix (bind, listen) type=stream addr="@/tmp/dbus-????????", - unix (connect, receive, send, accept) type=stream peer=(addr="@/tmp/dbus-*"), + unix (connect, send, receive, accept) type=stream peer=(addr="@/tmp/dbus-????????"), owner @{run}/user/@{uid}/at-spi/ rw, owner @{run}/user/@{uid}/at-spi/bus{,_[0-9]*} rw, - owner /tmp/dbus-[0-9a-zA-Z]* rw, + owner /tmp/dbus-@{rand8} rw, diff --git a/apparmor.d/abstractions/gstreamer b/apparmor.d/abstractions/gstreamer index f39bcab0..2b3afac8 100644 --- a/apparmor.d/abstractions/gstreamer +++ b/apparmor.d/abstractions/gstreamer @@ -13,7 +13,7 @@ /etc/openni2/OpenNI.ini r, owner @{HOME}/{.cache/,.}gstreamer-[0-9]*/ rw, - owner @{HOME}/{.cache/,.}gstreamer-[0-9]*/registry.*.bin{,.tmp*} rw, + owner @{HOME}/{.cache/,.}gstreamer-[0-9]*/registry.*.bin{,.tmp@{rand6}} rw, /tmp/ r, /var/tmp/ r, @@ -46,4 +46,4 @@ /dev/bus/usb/ r, /dev/dri/ r, - include if exists \ No newline at end of file + include if exists diff --git a/apparmor.d/abstractions/ibus.d/complete b/apparmor.d/abstractions/ibus.d/complete index 103ac89a..7a22a6b0 100644 --- a/apparmor.d/abstractions/ibus.d/complete 
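Review bot: Whether `owner /tmp/#@{int} rw,` is tighter or looser than the `#[0-9]*[0-9]` it replaces depends entirely on how `@{int}` is defined in apparmor.d/tunables/multiarch.d/apparmor.d, which the diffstat lists but this chunk does not show; in AppArmor globbing `*` matches any run of non-`/` characters, so the old pattern already accepted `#1anything2`. Please confirm that `@{int}` expands to digits only and allows enough digits for the values these `#<n>` names carry (as far as I know they are the kernel's rendering of unlinked/O_TMPFILE files, i.e. 64-bit inode numbers). A one-line comment next to the rule would spare the next reader the lookup: `# unlinked/O_TMPFILE files are reported as /tmp/#<inode>`.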
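Review bot: `?` in an AppArmor pattern matches any single non-`/` character, so `addr="@/tmp/dbus-????????"` only pins the name length to eight and does not restrict the character set the way the path rule's `@{rand8}` presumably does. If the reason for not writing `@{rand8}` inside `addr=` is that variables are not expanded there (the ibus.d/complete file in this same patch cites LP: #1856738 for a comparable case), record it so nobody later "fixes" it: `# variables are not expanded in unix addr= (LP: #1856738), so the length is pinned with ? instead of @{rand8}`. It is also worth confirming that every dbus-daemon build you target really produces an 8-character suffix, since any other length now fails silently where `dbus-*` used to match.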
+++ b/apparmor.d/abstractions/ibus.d/complete @@ -6,17 +6,17 @@ # abstract path in ibus < 1.5.22 uses /tmp unix (connect, receive, send) type=stream - peer=(addr="@/tmp/ibus/dbus-*"), + peer=(addr="@/tmp/ibus/dbus-????????"), # abstract path in ibus >= 1.5.22 uses $XDG_CACHE_HOME (ie, @{user_cache_dirs}) # This should use this, but due to LP: #1856738 we cannot #unix (connect, receive, send) # type=stream - # peer=(addr="@@{user_cache_dirs}/ibus/dbus-*"), + # peer=(addr="@@{user_cache_dirs}/ibus/dbus-????????"), unix (connect, receive, send) type=stream - peer=(addr="@/home/*/.cache/ibus/dbus-*"), + peer=(addr="@/home/*/.cache/ibus/dbus-????????"), unix (connect, send, receive, accept, bind, listen) type=stream - addr="@/home/*/.cache/ibus/dbus-*", + addr="@/home/*/.cache/ibus/dbus-????????", diff --git a/apparmor.d/abstractions/kde5-plasma5 b/apparmor.d/abstractions/kde5-plasma5 index e45c72e4..5c592178 100644 --- a/apparmor.d/abstractions/kde5-plasma5 +++ b/apparmor.d/abstractions/kde5-plasma5 
@@ -19,14 +19,14 @@ # For app config (in order to work the KDE_APP_NAME variable has to be set in profile which # includes this abstraction) - #owner @{user_config_dirs}/#[0-9]*[0-9] rwk, - #owner @{user_config_dirs}/@{KDE_APP_NAME}rc* rwlk -> @{user_config_dirs}/#[0-9]*[0-9], - #owner @{run}/user/@{uid}/#[0-9]*[0-9] rw, - #owner @{run}/user/@{uid}/@{KDE_APP_NAME}*.slave-socket rwl -> @{run}/user/@{uid}/#[0-9]*[0-9], + #owner @{user_config_dirs}/#@{int} rwk, + #owner @{user_config_dirs}/@{KDE_APP_NAME}rc* rwlk -> @{user_config_dirs}/#@{int}, + #owner @{run}/user/@{uid}/#@{int} rw, + #owner @{run}/user/@{uid}/@{KDE_APP_NAME}*.slave-socket rwl -> @{run}/user/@{uid}/#@{int}, # Common KDE config files - #owner @{user_config_dirs}/#[0-9]*[0-9] rw, - #owner @{user_config_dirs}/kdeglobals* rwkl -> @{user_config_dirs}/#[0-9]*[0-9], + #owner @{user_config_dirs}/#@{int} rw, + #owner @{user_config_dirs}/kdeglobals* rwkl -> @{user_config_dirs}/#@{int}, #owner @{user_config_dirs}/baloofilerc r, #owner @{user_config_dirs}/dolphinrc r, #owner @{user_config_dirs}/trashrc r, @@ -36,8 +36,8 @@ # For bookmarks #@{bin}/keditbookmarks rPUx, #owner @{user_share_dirs}/kfile/ rw, - #owner @{user_share_dirs}/kfile/#[0-9]*[0-9] rw, - #owner @{user_share_dirs}/kfile/bookmarks.xml* rwl -> @{user_share_dirs}/kfile/#[0-9]*[0-9], + #owner @{user_share_dirs}/kfile/#@{int} rw, + #owner @{user_share_dirs}/kfile/bookmarks.xml* rwl -> @{user_share_dirs}/kfile/#@{int}, # Common cache files #owner @{user_cache_dirs}/icon-cache.kcache rw, diff --git a/apparmor.d/abstractions/qt5-shader-cache b/apparmor.d/abstractions/qt5-shader-cache index b3641edf..d89b89b8 100644 --- a/apparmor.d/abstractions/qt5-shader-cache +++ b/apparmor.d/abstractions/qt5-shader-cache 
@@ -6,10 +6,10 @@ abi , owner @{user_cache_dirs}/qtshadercache/ rw, - owner @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9] rw, - owner @{user_cache_dirs}/qtshadercache/@{hex} rwl -> @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9], + owner @{user_cache_dirs}/qtshadercache/#@{int} rw, + owner @{user_cache_dirs}/qtshadercache/@{hex} rwl -> @{user_cache_dirs}/qtshadercache/#@{int}, owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/ rw, - owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9] rw, - owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/@{hex}* rwl -> @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9], + owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/#@{int} rw, + owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/@{hex}* rwl -> @{user_cache_dirs}/qtshadercache-*-little_endian-*/#@{int}, include if exists diff --git a/apparmor.d/abstractions/thumbnails-cache-write b/apparmor.d/abstractions/thumbnails-cache-write index e136d08d..19944649 100644 --- a/apparmor.d/abstractions/thumbnails-cache-write +++ b/apparmor.d/abstractions/thumbnails-cache-write 
@@ -6,12 +6,12 @@ owner @{HOME}/thumbnails/ rw, owner @{HOME}/thumbnails/{large,normal}/ rw, - owner @{HOME}/thumbnails/{large,normal}/#[0-9]*[0-9] rw, - owner @{HOME}/thumbnails/{large,normal}/[a-f0-9]*.png rwl -> @{user_cache_dirs}/thumbnails/{large,normal}/#[0-9]*[0-9], + owner @{HOME}/thumbnails/{large,normal}/#@{int} rw, + owner @{HOME}/thumbnails/{large,normal}/[a-f0-9]*.png rwl -> @{user_cache_dirs}/thumbnails/{large,normal}/#@{int}, owner @{user_cache_dirs}/thumbnails/ rw, owner @{user_cache_dirs}/thumbnails/{large,normal}/ rw, - owner @{user_cache_dirs}/thumbnails/{large,normal}/#[0-9]*[0-9] rw, - owner @{user_cache_dirs}/thumbnails/{large,normal}/[a-f0-9]*.png rwl -> @{user_cache_dirs}/thumbnails/{large,normal}/#[0-9]*[0-9], + owner @{user_cache_dirs}/thumbnails/{large,normal}/#@{int} rw, + owner @{user_cache_dirs}/thumbnails/{large,normal}/[a-f0-9]*.png rwl -> @{user_cache_dirs}/thumbnails/{large,normal}/#@{int}, include if exists \ No newline at end of file diff --git a/apparmor.d/abstractions/trash.d/complete b/apparmor.d/abstractions/trash.d/complete index db23f93a..c15fc1ae 100644 --- a/apparmor.d/abstractions/trash.d/complete +++ b/apparmor.d/abstractions/trash.d/complete @@ -5,11 +5,11 @@ owner @{user_config_dirs}/trashrc rw, owner @{user_config_dirs}/trashrc.lock rwk, - owner @{user_config_dirs}/#[0-9]*[0-9] rwk, - owner @{user_config_dirs}/trashrc.* rwl -> @{user_config_dirs}/#[0-9]*[0-9], + owner @{user_config_dirs}/#@{int} rwk, + owner @{user_config_dirs}/trashrc.* rwl -> @{user_config_dirs}/#@{int}, - owner @{run}/user/@{uid}/#[0-9]*[0-9] rw, - owner @{run}/user/@{uid}/trash.so*.[0-9].slave-socket rwl -> @{run}/user/@{uid}/#[0-9]*[0-9], + owner @{run}/user/@{uid}/#@{int} rw, + owner @{run}/user/@{uid}/trash.so*.[0-9].slave-socket rwl -> @{run}/user/@{uid}/#@{int}, # Home trash location owner @{user_share_dirs}/Trash/{,**} rwl, 
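Review bot: The link target on the first `rwl ->` line does not match its source: `owner @{HOME}/thumbnails/{large,normal}/[a-f0-9]*.png rwl -> @{user_cache_dirs}/thumbnails/{large,normal}/#@{int}` lets a file under `@{HOME}/thumbnails/` be linked to an anonymous inode under `@{user_cache_dirs}/thumbnails/`, while the `#@{int}` rule two lines above it is granted on the `@{HOME}/thumbnails/` path. This looks like a copy-paste carried over from the old lines that the commit preserves; unless a cross-directory link is intended, the target should read `@{HOME}/thumbnails/{large,normal}/#@{int}`. The second pair of rules, on `@{user_cache_dirs}`, is internally consistent and needs no change.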
diff --git a/apparmor.d/groups/akonadi/akonadi_archivemail_agent b/apparmor.d/groups/akonadi/akonadi_archivemail_agent index 29f7b0ca..bbc76ba8 100644 --- a/apparmor.d/groups/akonadi/akonadi_archivemail_agent +++ b/apparmor.d/groups/akonadi/akonadi_archivemail_agent @@ -31,7 +31,7 @@ profile akonadi_archivemail_agent @{exec_path} { owner @{user_cache_dirs}/icon-cache.kcache rw, - owner @{user_config_dirs}/#[0-9]* rw, + owner @{user_config_dirs}/#@{int} rw, owner @{user_config_dirs}/akonadi_archivemail_agentrc r, owner @{user_config_dirs}/akonadi/agent_config_akonadi_archivemail_agent r, owner @{user_config_dirs}/akonadi/agent_config_akonadi_archivemail_agent_changes{,.dat} rw, diff --git a/apparmor.d/groups/akonadi/akonadi_indexing_agent b/apparmor.d/groups/akonadi/akonadi_indexing_agent index 98b33eca..72feebf2 100644 --- a/apparmor.d/groups/akonadi/akonadi_indexing_agent +++ b/apparmor.d/groups/akonadi/akonadi_indexing_agent @@ -34,8 +34,8 @@ profile akonadi_indexing_agent @{exec_path} { owner @{user_cache_dirs}/icon-cache.kcache rw, owner @{user_config_dirs}/akonadi_indexing_agentrc r, - owner @{user_config_dirs}/akonadi/#[0-9]* rw, - owner @{user_config_dirs}/akonadi/agent_config_akonadi_indexing_agent* rwlk, + owner @{user_config_dirs}/akonadi/#@{int} rw, + owner @{user_config_dirs}/akonadi/agent_config_akonadi_indexing_agent{,.*} rwlk, owner @{user_config_dirs}/akonadi/akonadiconnectionrc r, owner @{user_config_dirs}/kdedefaults/kdeglobals r, owner @{user_config_dirs}/kdedefaults/kwinrc r, diff --git a/apparmor.d/groups/akonadi/akonadi_maildispatcher_agent b/apparmor.d/groups/akonadi/akonadi_maildispatcher_agent index 4e0965f3..0c830f29 100644 --- a/apparmor.d/groups/akonadi/akonadi_maildispatcher_agent +++ b/apparmor.d/groups/akonadi/akonadi_maildispatcher_agent 
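Review bot: Narrowing `agent_config_akonadi_indexing_agent*` to `agent_config_akonadi_indexing_agent{,.*}` drops the `_changes` and `_changes.dat` variants that the archivemail and newmailnotifier profiles in this same patch list explicitly (`agent_config_..._changes{,.dat}`), so if the indexing agent writes those files too this hunk will start denying them. If excluding them is intended, fine; if the goal is only to stop matching arbitrary suffixes, `agent_config_akonadi_indexing_agent{,.*,_changes{,.dat}}` keeps both, and an audit-log check before merging would settle which it is. The enclosing profile block starts and ends outside the hunk.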
@@ -37,7 +37,7 @@ profile akonadi_maildispatcher_agent @{exec_path} { owner @{user_cache_dirs}/icon-cache.kcache rw, - owner @{user_config_dirs}/akonadi/#[0-9]* rw, + owner @{user_config_dirs}/akonadi/#@{int} rw, owner @{user_config_dirs}/akonadi/agent_config_akonadi_maildispatcher_agent* rwkl, owner @{user_config_dirs}/akonadi/akonadiconnectionrc r, owner @{user_config_dirs}/kdedefaults/kdeglobals r, diff --git a/apparmor.d/groups/akonadi/akonadi_mailfilter_agent b/apparmor.d/groups/akonadi/akonadi_mailfilter_agent index 0e374696..d7061798 100644 --- a/apparmor.d/groups/akonadi/akonadi_mailfilter_agent +++ b/apparmor.d/groups/akonadi/akonadi_mailfilter_agent @@ -36,7 +36,7 @@ profile akonadi_mailfilter_agent @{exec_path} { owner @{user_cache_dirs}/icon-cache.kcache rw, - owner @{user_config_dirs}/#[0-9]* rw, + owner @{user_config_dirs}/#@{int} rw, owner @{user_config_dirs}/agent_config_akonadi_mailfilter_agent r, owner @{user_config_dirs}/akonadi_*_resource_*rc r, owner @{user_config_dirs}/akonadi_mailfilter_agentrc r, @@ -54,7 +54,7 @@ profile akonadi_mailfilter_agent @{exec_path} { owner @{user_config_dirs}/kmail2rc r, owner @{user_config_dirs}/kwinrc r, - owner /tmp/#[0-9]* rw, + owner /tmp/#@{int} rw, owner /tmp/akonadi_mailfilter_agent.* rwl, owner @{user_config_dirs}/specialmailcollectionsrc r, diff --git a/apparmor.d/groups/akonadi/akonadi_newmailnotifier_agent b/apparmor.d/groups/akonadi/akonadi_newmailnotifier_agent index b5766023..c6039478 100644 --- a/apparmor.d/groups/akonadi/akonadi_newmailnotifier_agent +++ b/apparmor.d/groups/akonadi/akonadi_newmailnotifier_agent 
@@ -33,7 +33,7 @@ profile akonadi_newmailnotifier_agent @{exec_path} { owner @{user_cache_dirs}/icon-cache.kcache rw, - owner @{user_config_dirs}/#[0-9]* rw, + owner @{user_config_dirs}/#@{int} rw, owner @{user_config_dirs}/akonadi_newmailnotifier_agentrc r, owner @{user_config_dirs}/akonadi/agent_config_akonadi_newmailnotifier_agent_changes{,_changes.dat,.dat} rw, owner @{user_config_dirs}/akonadi/akonadiconnectionrc r, diff --git a/apparmor.d/groups/apps/calibre b/apparmor.d/groups/apps/calibre index 6696f90a..aee55121 100644 --- a/apparmor.d/groups/apps/calibre +++ b/apparmor.d/groups/apps/calibre @@ -128,14 +128,14 @@ profile calibre @{exec_path} { owner @{user_cache_dirs}/calibre/ rw, owner @{user_cache_dirs}/calibre/** rwkl -> @{user_cache_dirs}/calibre/**, - owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/@{hex} rwl -> @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9], - owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9] rw, + owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/@{hex} rwl -> @{user_cache_dirs}/qtshadercache-*-little_endian-*/#@{int}, + owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/#@{int} rw, owner @{user_cache_dirs}/qtshadercache/ rw, - owner @{user_cache_dirs}/qtshadercache/@{hex} rwl -> @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9], - owner @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9] rw, + owner @{user_cache_dirs}/qtshadercache/@{hex} rwl -> @{user_cache_dirs}/qtshadercache/#@{int}, + owner @{user_cache_dirs}/qtshadercache/#@{int} rw, owner @{user_cache_dirs}/gstreamer-[0-9]*/ rw, - owner @{user_cache_dirs}/gstreamer-[0-9]*/registry.*.bin{,.tmp*} rw, + owner @{user_cache_dirs}/gstreamer-[0-9]*/registry.*.bin{,.tmp@{rand6}} rw, owner @{user_config_dirs}/qt5ct/{,**} r, 
@@ -146,7 +146,7 @@ profile calibre @{exec_path} { # owner /tmp/[0-9]*-*/** rwl -> /tmp/[0-9]*-*/**, # newer AA version owner /tmp/* rw, - owner /dev/shm/#[0-9]*[0-9] rw, + owner /dev/shm/#@{int} rw, @{sys}/devices/pci[0-9]*/**/irq r, diff --git a/apparmor.d/groups/apps/dropbox b/apparmor.d/groups/apps/dropbox index 47bb83ec..9c7321f6 100644 --- a/apparmor.d/groups/apps/dropbox +++ b/apparmor.d/groups/apps/dropbox @@ -107,7 +107,7 @@ profile dropbox @{exec_path} { # Dropbox first tries the /tmp/ dir, and if it's denied it uses the /var/tmp/ dir instead owner /tmp/dropbox-antifreeze-* rw, owner /tmp/[a-zA-z0-9]* rw, - owner /tmp/#[0-9]*[0-9] rw, + owner /tmp/#@{int} rw, owner /var/tmp/etilqs_* rw, @{run}/systemd/users/@{uid} r, diff --git a/apparmor.d/groups/apps/flameshot b/apparmor.d/groups/apps/flameshot index 3c0054bc..645934f4 100644 --- a/apparmor.d/groups/apps/flameshot +++ b/apparmor.d/groups/apps/flameshot @@ -40,8 +40,8 @@ profile flameshot @{exec_path} { # Flameshot home files owner @{user_config_dirs}/flameshot/ rw, owner @{user_config_dirs}/flameshot/flameshot.ini rw, - owner @{user_config_dirs}/flameshot/#[0-9]*[0-9] rw, - owner @{user_config_dirs}/flameshot/flameshot.ini* rwl -> @{user_config_dirs}/flameshot/#[0-9]*[0-9], + owner @{user_config_dirs}/flameshot/#@{int} rw, + owner @{user_config_dirs}/flameshot/flameshot.ini* rwl -> @{user_config_dirs}/flameshot/#@{int}, owner @{user_config_dirs}/flameshot/flameshot.ini.lock rwk, owner @{user_config_dirs}/qt5ct/{,**} r, @@ -63,7 +63,7 @@ profile flameshot @{exec_path} { /etc/fstab r, - /dev/shm/#[0-9]*[0-9] rw, + /dev/shm/#@{int} rw, # file_inherit owner /dev/tty[0-9]* rw, diff --git a/apparmor.d/groups/apps/okular b/apparmor.d/groups/apps/okular index c4aba3b7..ffc8473e 100644 --- a/apparmor.d/groups/apps/okular +++ b/apparmor.d/groups/apps/okular 
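Review bot: The context line directly above the changed one, `owner /tmp/[a-zA-z0-9]* rw,`, has `A-z` where `A-Z` was almost certainly meant; in a character class that range also covers `[`, `\`, `]`, `^`, `_` and the backtick, which is wider than the comment about Dropbox's temp files suggests. Since this block is being touched anyway, correct it to `owner /tmp/[a-zA-Z0-9]* rw,`. The enclosing profile block starts and ends outside the hunk.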
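Review bot: `/dev/shm/#@{int} rw,` is granted without `owner`, unlike the `/tmp/#@{int}` and `@{user_config_dirs}/#@{int}` rules this patch writes, and the same unowned form recurs in the okular, telegram-desktop and vlc hunks further down. Unless these anonymous shm files are expected to belong to a different uid, `owner /dev/shm/#@{int} rw,` is the consistent and slightly more conservative form. The enclosing profile block starts and ends outside the hunk.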
@@ -39,15 +39,15 @@ profile okular @{exec_path} { /tmp/mozilla_*/ r, owner /{home,media,tmp/mozilla_*}/**.@{okular_ext} rw, - owner @{user_config_dirs}/#[0-9]*[0-9] rw, + owner @{user_config_dirs}/#@{int} rw, owner @{user_config_dirs}/okularrc rw, owner @{user_config_dirs}/okularrc.lock rwk, - owner @{user_config_dirs}/okularrc.* rwl -> @{user_config_dirs}/#[0-9]*[0-9], + owner @{user_config_dirs}/okularrc.* rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/okularpartrc rw, owner @{user_config_dirs}/okularpartrc.lock rwk, - owner @{user_config_dirs}/okularpartrc.* rwl -> @{user_config_dirs}/#[0-9]*[0-9], + owner @{user_config_dirs}/okularpartrc.* rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/kdeglobals r, owner @{user_config_dirs}/kwalletrc r, @@ -72,7 +72,7 @@ profile okular @{exec_path} { deny @{PROC}/sys/kernel/random/boot_id r, deny owner @{PROC}/@{pid}/cmdline r, - /dev/shm/#[0-9]*[0-9] rw, + /dev/shm/#@{int} rw, /var/lib/dbus/machine-id r, /etc/machine-id r, @@ -86,8 +86,8 @@ profile okular @{exec_path} { # Print to pdf @{bin}/ps2pdf rPUx, owner /tmp/@{hex} rw, - owner /tmp/#[0-9]*[0-9] rw, - owner /tmp/okular_*.ps rwl -> /tmp/#[0-9]*[0-9], + owner /tmp/#@{int} rw, + owner /tmp/okular_*.ps rwl -> /tmp/#@{int}, # About /usr/share/kf5/licenses/GPL_V2 r, diff --git a/apparmor.d/groups/apps/telegram-desktop b/apparmor.d/groups/apps/telegram-desktop index 69292d57..96260592 100644 --- a/apparmor.d/groups/apps/telegram-desktop +++ b/apparmor.d/groups/apps/telegram-desktop @@ -51,7 +51,7 @@ profile telegram-desktop @{exec_path} { # Download dir owner @{TELEGRAM_WORK_DIR}/ rw, - owner @{TELEGRAM_WORK_DIR}/** rwkl -> @{TELEGRAM_WORK_DIR}/#[0-9]*[0-9], + owner @{TELEGRAM_WORK_DIR}/** rwkl -> @{TELEGRAM_WORK_DIR}/#@{int}, # Telegram's profile (via telegram -many -workdir ~/some/dir/) #owner @{TELEGRAM_WORK_DIR}/{,**} rw, 
@@ -62,7 +62,7 @@ profile telegram-desktop @{exec_path} { owner /tmp/@{hex}-* rwk, owner @{run}/user/@{uid}/@{hex}-* rwk, - /dev/shm/#[0-9]*[0-9] rw, + /dev/shm/#@{int} rw, owner @{PROC}/@{pid}/fd/ r, deny owner @{PROC}/@{pid}/cmdline r, diff --git a/apparmor.d/groups/apps/vlc b/apparmor.d/groups/apps/vlc index c80f106f..44e0b4c9 100644 --- a/apparmor.d/groups/apps/vlc +++ b/apparmor.d/groups/apps/vlc @@ -161,13 +161,13 @@ profile vlc @{exec_path} { owner @{user_cache_dirs}/ rw, owner @{user_cache_dirs}/ rw, - owner @{user_cache_dirs}/#[0-9]*[0-9] rw, + owner @{user_cache_dirs}/#@{int} rw, owner @{user_cache_dirs}/vlc/ rw, owner @{user_cache_dirs}/vlc/{,**} rw, owner @{user_config_dirs}/qt5ct/{,**} r, owner @{user_config_dirs}/vlc/ rw, - owner @{user_config_dirs}/vlc/* rwkl -> @{user_config_dirs}/vlc/#[0-9]*[0-9], + owner @{user_config_dirs}/vlc/* rwkl -> @{user_config_dirs}/vlc/#@{int}, owner @{user_share_dirs}/vlc/{,**} rw, @@ -193,7 +193,7 @@ profile vlc @{exec_path} { audit @{PROC}/sys/kernel/random/boot_id r, audit owner @{PROC}/@{pid}/cmdline r, - /dev/shm/#[0-9]*[0-9] rw, + /dev/shm/#@{int} rw, owner /dev/tty[0-9]* rw, # Silencer diff --git a/apparmor.d/groups/apt/apt b/apparmor.d/groups/apt/apt index eac75559..de7705bd 100644 --- a/apparmor.d/groups/apt/apt +++ b/apparmor.d/groups/apt/apt @@ -239,7 +239,7 @@ profile apt @{exec_path} flags=(attach_disconnected) { @{bin}/systemd-tty-ask-password-agent rix, - owner @{run}/systemd/ask-password-block/* rw, + owner @{run}/systemd/ask-password-block/{,*} rw, owner @{run}/systemd/ask-password/ rw, owner @{run}/systemd/private rw, diff --git a/apparmor.d/groups/apt/apt-extracttemplates b/apparmor.d/groups/apt/apt-extracttemplates index 3d718d03..0e0b99dd 100644 --- a/apparmor.d/groups/apt/apt-extracttemplates +++ b/apparmor.d/groups/apt/apt-extracttemplates 
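Review bot: The two consecutive context lines `owner @{user_cache_dirs}/ rw,` at the top of the first vlc hunk are identical, so one of them is dead; drop the duplicate while this block is being edited. The narrowing of the link target to `@{user_config_dirs}/vlc/#@{int}` is fine, but `l` on `@{user_config_dirs}/vlc/*` still allows any file in that directory to be hard-linked, not only the ones VLC itself writes, so a short comment naming which files need the link would help the next reviewer judge it. The enclosing profile block starts and ends outside the hunk.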
@@ -25,7 +25,7 @@ profile apt-extracttemplates @{exec_path} { owner /var/log/unattended-upgrades/unattended-upgrades-dpkg.log rw, - owner /tmp/*.{config,template}.?????? rw, + owner /tmp/*.{config,template}.@{rand6} rw, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/groups/apt/debsecan b/apparmor.d/groups/apt/debsecan index f09a49f8..96e84736 100644 --- a/apparmor.d/groups/apt/debsecan +++ b/apparmor.d/groups/apt/debsecan @@ -44,7 +44,7 @@ profile debsecan @{exec_path} { owner @{PROC}/@{pid}/fd/ r, # file_inherit - /tmp/#[0-9]*[0-9] rw, + /tmp/#@{int} rw, include if exists } diff --git a/apparmor.d/groups/apt/dpkg-query b/apparmor.d/groups/apt/dpkg-query index d18cde27..ec5fcaf1 100644 --- a/apparmor.d/groups/apt/dpkg-query +++ b/apparmor.d/groups/apt/dpkg-query @@ -22,7 +22,7 @@ profile dpkg-query @{exec_path} { /var/lib/dpkg/** r, # file_inherit - /tmp/#[0-9]*[0-9] rw, + /tmp/#@{int} rw, /dev/tty[0-9]* rw, include if exists diff --git a/apparmor.d/groups/browsers/chromium-wrapper b/apparmor.d/groups/browsers/chromium-wrapper index 77fcd3cd..5660b450 100644 --- a/apparmor.d/groups/browsers/chromium-wrapper +++ b/apparmor.d/groups/browsers/chromium-wrapper @@ -38,7 +38,7 @@ profile chromium-wrapper @{exec_path} { owner @{HOME}/.xsession-errors w, - owner /tmp/chromiumargs.?????? rw, + owner /tmp/chromiumargs.@{rand6} rw, owner /tmp/tmp.*/ rw, owner /tmp/tmp.*/** rwk, diff --git a/apparmor.d/groups/browsers/firefox b/apparmor.d/groups/browsers/firefox index c154d3ad..454390d5 100644 --- a/apparmor.d/groups/browsers/firefox +++ b/apparmor.d/groups/browsers/firefox 
@@ -190,11 +190,12 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
 owner @{user_config_dirs}/ r,
 owner @{user_config_dirs}/gtk-{3,4}.0/assets/*.svg r,
- owner @{user_config_dirs}/ibus/bus/{,@{hex}-unix{,-wayland}-[0-9]*} r,
- owner @{user_config_dirs}/mimeapps.list{,.*} rw,
+ owner @{user_config_dirs}/ibus/bus/ r,
+ owner @{user_config_dirs}/ibus/bus/@{md5}-unix-{,wayland-}@{int} r,
+ owner @{user_config_dirs}/mimeapps.list{,.@{rand6}} rw,
 owner @{user_share_dirs}/ r,
- owner @{user_share_dirs}/applications/userapp-Firefox-??????.desktop{,.??????} rw,
+ owner @{user_share_dirs}/applications/userapp-Firefox-@{rand6}.desktop{,.@{rand6}} rw,
 owner @{user_share_dirs}/mime/packages/user-extension-{htm,html,xht,xhtml,shtml}.xml rw,
 owner @{user_share_dirs}/mime/packages/user-extension-{htm,html,xht,xhtml,shtml}.xml.* rw,
diff --git a/apparmor.d/groups/browsers/firefox-glxtest b/apparmor.d/groups/browsers/firefox-glxtest
index ae2a0431..6a0f44ef 100644
--- a/apparmor.d/groups/browsers/firefox-glxtest
+++ b/apparmor.d/groups/browsers/firefox-glxtest
@@ -26,9 +26,9 @@ profile firefox-glxtest @{exec_path} {
 owner /tmp/firefox/.parentlock rw,
- owner /tmp/xauth_?????? r,
+ owner /tmp/xauth_@{rand6} r,
- owner @{run}/user/@{uid}/xauth_?????? r,
+ owner @{run}/user/@{uid}/xauth_@{rand6} r,
 @{sys}/bus/pci/devices/ r,
 @{sys}/devices/pci[0-9]*/**/class r,
diff --git a/apparmor.d/groups/browsers/firefox-kmozillahelper b/apparmor.d/groups/browsers/firefox-kmozillahelper
index 9447cc2e..c1e25695 100644
--- a/apparmor.d/groups/browsers/firefox-kmozillahelper
+++ b/apparmor.d/groups/browsers/firefox-kmozillahelper
@@ -40,11 +40,11 @@ profile firefox-kmozillahelper @{exec_path} {
 owner @{user_config_dirs}/kmozillahelperrc r,
 owner @{user_config_dirs}/kwinrc r,
- owner @{run}/user/@{uid}/xauth_* rl,
+ owner @{run}/user/@{uid}/xauth_@{rand6} rl,
 @{PROC}/sys/kernel/core_pattern r,
 /dev/tty r,
 include if exists
-}
\ No newline at end of file
+}
diff --git a/apparmor.d/groups/bus/dbus-daemon b/apparmor.d/groups/bus/dbus-daemon
index af6ab9a3..0c217a2a 100644
--- a/apparmor.d/groups/bus/dbus-daemon
+++ b/apparmor.d/groups/bus/dbus-daemon
@@ -77,8 +77,6 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) {
 owner @{user_share_dirs}/dbus-1/{,**} r,
 @{user_share_dirs}/icc/{,edid-*} r,
- owner /tmp/dbus-[0-9a-zA-Z]* rw,
- owner @{run}/user/@{uid}/dbus-1/ rw,
 owner @{run}/user/@{uid}/dbus-1/services/ rw,
 @{run}/systemd/inhibit/[0-9]*.ref rw,
diff --git a/apparmor.d/groups/bus/ibus-daemon b/apparmor.d/groups/bus/ibus-daemon
index 41c53d22..6d4ca9fb 100644
--- a/apparmor.d/groups/bus/ibus-daemon
+++ b/apparmor.d/groups/bus/ibus-daemon
@@ -16,9 +16,9 @@ profile ibus-daemon @{exec_path} flags=(attach_disconnected) {
 signal (receive) set=(usr1) peer=gnome-shell,
 signal (send) set=(term) peer=ibus*,
- unix (bind, listen) type=stream addr=@/var/lib/gdm{3,}/.cache/ibus/dbus-*,
- unix (send, receive, accept) type=stream addr=@/var/lib/gdm{3,}/.cache/ibus/dbus-* peer=(label=ibus-*),
- unix (send, receive, accept) type=stream addr=@/var/lib/gdm{3,}/.cache/ibus/dbus-* peer=(label=gnome-shell),
+ unix (bind, listen) type=stream addr="@/var/lib/gdm{3,}/.cache/ibus/dbus-????????",
+ unix (send, receive, accept) type=stream addr="@/var/lib/gdm{3,}/.cache/ibus/dbus-????????" peer=(label=ibus-*),
+ unix (send, receive, accept) type=stream addr="@/var/lib/gdm{3,}/.cache/ibus/dbus-????????" peer=(label=gnome-shell),
 dbus send bus=session path=/org/freedesktop/DBus
 interface=org.freedesktop.DBus
diff --git a/apparmor.d/groups/bus/ibus-dconf b/apparmor.d/groups/bus/ibus-dconf
index 211553c3..cdce8cd6 100644
--- a/apparmor.d/groups/bus/ibus-dconf
+++ b/apparmor.d/groups/bus/ibus-dconf
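Review bot: The rewritten ibus-daemon unix rules spell the socket tail as a literal `dbus-????????` while this same commit introduces `@{rand8}` for the `gvfsd/socket-` names in the gnome-control-center, gnome-shell and gsd-housekeeping hunks; if the tunable expands correctly inside a quoted `addr=` value, `addr="@/var/lib/gdm{3,}/.cache/ibus/dbus-@{rand8}"` would keep a single definition of the random-suffix width. The eight-`?` form is a real tightening over the old `dbus-*` and matches fine, so this is maintainability rather than a defect. The same literal is repeated in the ibus-dconf, ibus-engine-simple, gnome-control-center, gnome-session-ctl and gnome-shell unix rules further down. If `@{rand8}` cannot be used in socket addresses, a one-line comment above the first rule saying so would stop the next reader from trying.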
@@ -16,8 +16,8 @@ profile ibus-dconf @{exec_path} flags=(attach_disconnected) {
 signal (receive) set=term peer=ibus-daemon,
- unix (send, receive, connect) type=stream peer=(addr="@/home/*/.cache/ibus/dbus-*", label=ibus-daemon),
- unix (send, receive, connect) type=stream peer=(addr="@/var/lib/gdm{3,}/.cache/ibus/dbus-*", label=ibus-daemon),
+ unix (send, receive, connect) type=stream peer=(addr="@/home/*/.cache/ibus/dbus-????????", label=ibus-daemon),
+ unix (send, receive, connect) type=stream peer=(addr="@/var/lib/gdm{3,}/.cache/ibus/dbus-????????", label=ibus-daemon),
 dbus receive bus=session path=/
 interface=org.freedesktop.DBus.Introspectable
@@ -32,16 +32,16 @@ profile ibus-dconf @{exec_path} flags=(attach_disconnected) {
 /etc/dconf/db/ibus r,
 /etc/dconf/profile/ibus r,
- /var/lib/gdm{3,}/.config/ibus/bus/{,@{hex}-unix-wayland-[0-9]*} r,
- /var/lib/gdm{3,}/.config/ibus/bus/@{hex}-unix-[0-9]* r,
+ /var/lib/gdm{3,}/.config/ibus/bus/ r,
+ /var/lib/gdm{3,}/.config/ibus/bus/@{md5}-unix-{,wayland-}@{int} r,
 /var/lib/gdm{3,}/.cache/dconf/ w,
 /var/lib/gdm{3,}/.cache/dconf/user rw,
 /var/lib/gdm{3,}/.config/dconf/ w,
 /var/lib/gdm{3,}/.config/dconf/user rw,
 /var/lib/gdm{3,}/greeter-dconf-defaults r,
- owner @{user_config_dirs}/ibus/bus/{,@{hex}-unix-wayland-[0-9]*} r,
- owner @{user_config_dirs}/ibus/bus/@{hex}-unix-[0-9]* r,
+ owner @{user_config_dirs}/ibus/bus/ r,
+ owner @{user_config_dirs}/ibus/bus/@{md5}-unix-{,wayland-}@{int} r,
 owner /dev/tty[0-9]* rw,
diff --git a/apparmor.d/groups/bus/ibus-engine-simple b/apparmor.d/groups/bus/ibus-engine-simple
index 8931cb1e..37fbad06 100644
--- a/apparmor.d/groups/bus/ibus-engine-simple
+++ b/apparmor.d/groups/bus/ibus-engine-simple
@@ -13,15 +13,15 @@ profile ibus-engine-simple @{exec_path} flags=(attach_disconnected) {
 signal (receive) set=term peer=ibus-daemon,
- unix (send, receive, connect) type=stream peer=(addr="@/var/lib/gdm{3,}/.cache/ibus/dbus-*", label=ibus-daemon),
+ unix (send, receive, connect) type=stream peer=(addr="@/var/lib/gdm{3,}/.cache/ibus/dbus-????????", label=ibus-daemon),
 @{exec_path} mr,
 /etc/machine-id r,
 /var/lib/dbus/machine-id r,
- /var/lib/gdm{3,}/.config/ibus/bus/{,@{hex}-unix-wayland-[0-9]} r,
- /var/lib/gdm{3,}/.config/ibus/bus/@{hex}-unix-[0-9] r,
+ /var/lib/gdm{3,}/.config/ibus/bus/ r,
+ /var/lib/gdm{3,}/.config/ibus/bus/@{md5}-unix-{,wayland-}@{int} r,
 owner /dev/tty[0-9]* rw,
diff --git a/apparmor.d/groups/bus/ibus-extension-gtk3 b/apparmor.d/groups/bus/ibus-extension-gtk3
index 22dfd4f2..385b765f 100644
--- a/apparmor.d/groups/bus/ibus-extension-gtk3
+++ b/apparmor.d/groups/bus/ibus-extension-gtk3
@@ -72,10 +72,10 @@ profile ibus-extension-gtk3 @{exec_path} flags=(attach_disconnected) {
 /usr/share/icons/{,**} r,
 /usr/share/X11/xkb/** r,
- owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* r,
+ owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} r,
 owner @{run}/user/@{uid}/gdm/Xauthority r,
- /var/lib/gdm{3,}/.config/ibus/bus/*-unix{,-wayland}-[0-9]* r,
+ /var/lib/gdm{3,}/.config/ibus/bus/@{md5}-unix-{,wayland-}@{int} r,
 /var/lib/gdm{3,}/.config/dconf/user r,
 /var/lib/gdm{3,}/greeter-dconf-defaults r,
diff --git a/apparmor.d/groups/bus/ibus-memconf b/apparmor.d/groups/bus/ibus-memconf
index 4ea7f8af..ae8852ef 100644
--- a/apparmor.d/groups/bus/ibus-memconf
+++ b/apparmor.d/groups/bus/ibus-memconf
@@ -17,7 +17,7 @@ profile ibus-memconf @{exec_path} {
 /etc/machine-id r,
 /var/lib/gdm{3,}/.config/ibus/bus/ r,
- /var/lib/gdm{3,}/.config/ibus/bus/@{hex}-unix-[0-9]* r,
+ /var/lib/gdm{3,}/.config/ibus/bus/@{md5}-unix-{,wayland-}@{int} r,
 include if exists
-}
\ No newline at end of file
+}
diff --git a/apparmor.d/groups/bus/ibus-portal b/apparmor.d/groups/bus/ibus-portal
index b4a537a8..1fc82387 100644
--- a/apparmor.d/groups/bus/ibus-portal
+++ b/apparmor.d/groups/bus/ibus-portal
@@ -37,7 +37,7 @@ profile ibus-portal @{exec_path} flags=(attach_disconnected) {
 /var/lib/dbus/machine-id r,
 /var/lib/gdm{3,}/.config/ibus/bus/ r,
- /var/lib/gdm{3,}/.config/ibus/bus/@{hex}-unix-{,wayland-}[0-9] r,
+ /var/lib/gdm{3,}/.config/ibus/bus/@{md5}-unix-{,wayland-}@{int} r,
 owner /dev/tty[0-9]* rw,
diff --git a/apparmor.d/groups/bus/ibus-x11 b/apparmor.d/groups/bus/ibus-x11
index 6b1c1f0b..b913490b 100644
--- a/apparmor.d/groups/bus/ibus-x11
+++ b/apparmor.d/groups/bus/ibus-x11
@@ -44,13 +44,13 @@ profile ibus-x11 @{exec_path} flags=(attach_disconnected) {
 @{exec_path} mr,
 /var/lib/gdm{3,}/.config/ibus/bus/ r,
- /var/lib/gdm{3,}/.config/ibus/bus/@{hex}-unix{,-wayland}-[0-9] r,
+ /var/lib/gdm{3,}/.config/ibus/bus/@{md5}-unix-{,wayland-}@{int} r,
 /var/lib/gdm{3,}/.cache/mesa_shader_cache/index rw,
 owner @{user_config_dirs}/ibus/bus/ r,
- owner @{user_config_dirs}/ibus/bus/@{hex}-unix{,-wayland}-[0-9] r,
+ owner @{user_config_dirs}/ibus/bus/@{md5}-unix-{,wayland-}@{int} r,
- owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* r,
+ owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} r,
 owner @{run}/user/@{uid}/gdm/Xauthority r,
 owner /dev/tty[0-9]* rw,
diff --git a/apparmor.d/groups/children/child-dpkg b/apparmor.d/groups/children/child-dpkg
index cd3b138a..e3a25162 100644
--- a/apparmor.d/groups/children/child-dpkg
+++ b/apparmor.d/groups/children/child-dpkg
@@ -45,7 +45,7 @@ profile child-dpkg {
 /var/log/dpkg.log ra,
 # file_inherit
- /tmp/#[0-9]*[0-9] rw,
+ /tmp/#@{int} rw,
 include if exists
 }
diff --git a/apparmor.d/groups/children/child-dpkg-divert b/apparmor.d/groups/children/child-dpkg-divert
index 03199d3c..ebcc6ae3 100644
--- a/apparmor.d/groups/children/child-dpkg-divert
+++ b/apparmor.d/groups/children/child-dpkg-divert
@@ -26,7 +26,7 @@ profile child-dpkg-divert {
 /var/lib/dpkg/diversions r,
 # file_inherit
- /tmp/#[0-9]*[0-9] rw,
+ /tmp/#@{int} rw,
 include if exists
 }
diff --git a/apparmor.d/groups/children/child-systemctl b/apparmor.d/groups/children/child-systemctl
index 70fe2bf3..77a1f17f 100644
--- a/apparmor.d/groups/children/child-systemctl
+++ b/apparmor.d/groups/children/child-systemctl
@@ -39,10 +39,10 @@ profile child-systemctl flags=(attach_disconnected) {
 /etc/systemd/user/{,**} rwl,
 /{run,var}/log/journal/ r,
- /{run,var}/log/journal/@{hex}/ r,
- /{run,var}/log/journal/@{hex}/user-@{hex}.journal* r,
- /{run,var}/log/journal/@{hex}/system.journal* r,
- /{run,var}/log/journal/@{hex}/system@@{hex}.journal* r,
+ /{run,var}/log/journal/@{md5}/ r,
+ /{run,var}/log/journal/@{md5}/user-@{hex}.journal* r,
+ /{run,var}/log/journal/@{md5}/system.journal* r,
+ /{run,var}/log/journal/@{md5}/system@@{hex}.journal* r,
 @{run}/systemd/private rw,
diff --git a/apparmor.d/groups/cron/cron b/apparmor.d/groups/cron/cron
index 807e6227..b751d910 100644
--- a/apparmor.d/groups/cron/cron
+++ b/apparmor.d/groups/cron/cron
@@ -53,7 +53,7 @@ profile cron @{exec_path} flags=(attach_disconnected) {
 @{run}/systemd/sessions/*.ref rw,
- owner /tmp/#[0-9]*[0-9] rw,
+ owner /tmp/#@{int} rw,
 owner @{PROC}/@{pid}/uid_map r,
 owner @{PROC}/@{pid}/loginuid rw,
diff --git a/apparmor.d/groups/cron/cron-apt b/apparmor.d/groups/cron/cron-apt
index 41f5f931..e874f15a 100644
--- a/apparmor.d/groups/cron/cron-apt
+++ b/apparmor.d/groups/cron/cron-apt
@@ -83,7 +83,7 @@ profile cron-apt @{exec_path} {
 owner /tmp/cron-apt.*/action{log,error,mail,syslog} rw,
 # file_inherit
- owner /tmp/#[0-9]*[0-9] rw,
+ owner /tmp/#@{int} rw,
 include if exists
 }
diff --git a/apparmor.d/groups/cron/cron-popularity-contest b/apparmor.d/groups/cron/cron-popularity-contest
index ee488945..ab56a7cb 100644
--- a/apparmor.d/groups/cron/cron-popularity-contest
+++ b/apparmor.d/groups/cron/cron-popularity-contest
@@ -56,7 +56,7 @@ profile cron-popularity-contest @{exec_path} {
 owner /tmp/tmp.*/random_seed w,
 # file_inherit
- owner /tmp/#[0-9]*[0-9] rw,
+ owner /tmp/#@{int} rw,
 profile savelog {
@@ -81,7 +81,7 @@ profile cron-popularity-contest @{exec_path} {
 /var/log/popularity-contest rw,
 # file_inherit
- owner /tmp/#[0-9]*[0-9] rw,
+ owner /tmp/#@{int} rw,
 }
@@ -105,7 +105,7 @@ profile cron-popularity-contest @{exec_path} {
 /var/log/popularity-contest.new w,
 # file_inherit
- owner /tmp/#[0-9]*[0-9] rw,
+ owner /tmp/#@{int} rw,
 }
@@ -125,7 +125,7 @@ profile cron-popularity-contest @{exec_path} {
 owner /tmp/tmp.*/** rwkl -> /tmp/tmp.*/**,
 # file_inherit
- owner /tmp/#[0-9]*[0-9] rw,
+ owner /tmp/#@{int} rw,
 }
@@ -150,7 +150,7 @@ profile cron-popularity-contest @{exec_path} {
 /var/log/popularity-contest.[0-9]*.gpg r,
 # file_inherit
- owner /tmp/#[0-9]*[0-9] rw,
+ owner /tmp/#@{int} rw,
 }
diff --git a/apparmor.d/groups/freedesktop/accounts-daemon b/apparmor.d/groups/freedesktop/accounts-daemon
index a3074669..b9719066 100644
--- a/apparmor.d/groups/freedesktop/accounts-daemon
+++ b/apparmor.d/groups/freedesktop/accounts-daemon
@@ -49,17 +49,19 @@ profile accounts-daemon @{exec_path} flags=(attach_disconnected) {
 @{bin}/passwd rPx,
 @{bin}/userdel rPx,
 @{bin}/usermod rPx,
+ @{bin}/locale rPUx,
 /usr/share/language-tools/language-validate rPx,
 /usr/share/language-tools/set-language-helper rPUx,
+ /usr/share/language-tools/save-to-pam-env rPUx,
 /usr/share/accountsservice/{,**} r,
 /usr/share/dbus-1/interfaces/*.xml r,
 /etc/default/locale r,
 /etc/gdm{3,}/ r,
- /etc/gdm{3,}/custom.conf{,.??????} rw,
- /etc/gdm{3,}/daemon.conf{,.??????} rw,
+ /etc/gdm{3,}/custom.conf{,.@{rand6}} rw,
+ /etc/gdm{3,}/daemon.conf{,.@{rand6}} rw,
 /etc/machine-id r,
 /etc/shadow r,
 /etc/shells r,
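Review bot: `@{bin}/locale rPUx,` and `/usr/share/language-tools/save-to-pam-env rPUx,` in the accounts-daemon hunk add two more unconfined-fallback transitions to a root daemon that already holds `/etc/shadow r`; whenever no profile for the target is loaded, a helper that by its name rewrites a user's `.pam_environment` runs with no confinement at all. The adjacent `/usr/share/language-tools/language-validate rPx,` shows the stricter form, so `save-to-pam-env` would be better served by `rPx` plus a dedicated profile, or at minimum a comment stating why the unconfined fallback is acceptable for it. `/usr/share/language-tools/language-options rPUx,` in the gnome-control-center hunk carries the same trade-off, though that process is not root.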
@@ -68,7 +70,8 @@ profile accounts-daemon @{exec_path} flags=(attach_disconnected) {
 owner /var/lib/AccountsService/ r,
 owner /var/lib/AccountsService/** rw,
- @{HOME}/ r,
+ @{HOME}/ r,
+ owner @{HOME}/.pam_environment r,
 owner @{PROC}/@{pid}/fd/ r,
 owner @{PROC}/@{pid}/loginuid rw,
@@ -81,7 +84,7 @@ profile accounts-daemon @{exec_path} flags=(attach_disconnected) {
 # wtmp.d ?
 /var/log/wtmp r,
- owner /tmp/gnome-control-center-user-icon-?????? rw,
+ owner /tmp/gnome-control-center-user-icon-@{rand6} rw,
 include if exists
 }
diff --git a/apparmor.d/groups/freedesktop/at-spi-bus-launcher b/apparmor.d/groups/freedesktop/at-spi-bus-launcher
index a1a82e4b..3513a421 100644
--- a/apparmor.d/groups/freedesktop/at-spi-bus-launcher
+++ b/apparmor.d/groups/freedesktop/at-spi-bus-launcher
@@ -39,10 +39,10 @@ profile at-spi-bus-launcher @{exec_path} flags=(attach_disconnected) {
 owner @{HOME}/.Xauthority r,
 owner @{HOME}/.xsession-errors w,
- owner /tmp/runtime-*/xauth_?????? r,
+ owner /tmp/runtime-*/xauth_@{rand6} r,
 owner @{run}/user/@{uid}/gdm/Xauthority r,
- owner @{run}/user/@{uid}/xauth_?????? r,
+ owner @{run}/user/@{uid}/xauth_@{rand6} r,
 /var/lib/lightdm/.Xauthority r,
 /var/lib/gdm{3,}/.config/dconf/user r,
diff --git a/apparmor.d/groups/freedesktop/at-spi2-registryd b/apparmor.d/groups/freedesktop/at-spi2-registryd
index db02e74c..9df76101 100644
--- a/apparmor.d/groups/freedesktop/at-spi2-registryd
+++ b/apparmor.d/groups/freedesktop/at-spi2-registryd
@@ -89,11 +89,11 @@ profile at-spi2-registryd @{exec_path} flags=(attach_disconnected) {
 owner @{HOME}/.Xauthority r,
 owner @{HOME}/.xsession-errors w,
- owner /tmp/runtime-*/xauth_?????? r,
- owner /tmp/xauth_?????? r,
+ owner /tmp/runtime-*/xauth_@{rand6} r,
+ owner /tmp/xauth_@{rand6} r,
 owner @{run}/user/@{uid}/gdm/Xauthority r,
- owner @{run}/user/@{uid}/xauth_?????? r,
+ owner @{run}/user/@{uid}/xauth_@{rand6} r,
 owner /dev/tty[0-9]* rw,
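Review bot: `owner @{HOME}/.pam_environment r,` in the accounts-daemon hunk only matches when the reading process's fsuid equals the file's owner; the surrounding rules (`/etc/shadow r`, `rPx` to passwd/usermod) indicate the daemon runs as root, so unless it switches fsuid before the read, a user-owned `.pam_environment` will still be denied and the rule effectively covers only root's own file. Worth checking against the audit entry that motivated the rule; if the read happens as root, drop `owner` (the path is already user-scoped through `@{HOME}`), or add a comment recording that the daemon does change identity first. The gdm-session-worker hunk adds the identical `owner @{HOME}/.pam_environment r,` and the same question applies there. The enclosing profile continues outside this hunk.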
diff --git a/apparmor.d/groups/freedesktop/dconf b/apparmor.d/groups/freedesktop/dconf
index f904a756..32d70511 100644
--- a/apparmor.d/groups/freedesktop/dconf
+++ b/apparmor.d/groups/freedesktop/dconf
@@ -17,11 +17,12 @@ profile dconf @{exec_path} flags=(attach_disconnected) {
 @{exec_path} mr,
 /etc/dconf/db/** rw,
+ /etc/gdm{3,}/greeter.dconf-defaults r,
 /usr/share/gdm/dconf/{,**} r,
 /var/lib/gdm{3,}/ r,
- /var/lib/gdm{3,}/greeter-dconf-defaults{,.??????} rw,
+ /var/lib/gdm{3,}/greeter-dconf-defaults{,.@{rand6}} rw,
 owner @{user_config_dirs}/dconf/ rw,
 owner @{user_config_dirs}/dconf/user{,.*} rw,
diff --git a/apparmor.d/groups/freedesktop/dconf-editor b/apparmor.d/groups/freedesktop/dconf-editor
index b68999c4..cf4bd887 100644
--- a/apparmor.d/groups/freedesktop/dconf-editor
+++ b/apparmor.d/groups/freedesktop/dconf-editor
@@ -24,7 +24,7 @@ profile dconf-editor @{exec_path} {
 owner @{user_config_dirs}/glib-2.0/ rw,
 owner @{user_config_dirs}/glib-2.0/settings/ rw,
 owner @{user_config_dirs}/glib-2.0/settings/keyfile rw,
- owner @{user_config_dirs}/glib-2.0/settings/.goutputstream-* rw,
+ owner @{user_config_dirs}/glib-2.0/settings/.goutputstream-@{rand6} rw,
 owner @{HOME}/.Xauthority r,
 owner /dev/tty[0-9]* rw,
diff --git a/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent b/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent
index 41fb4a40..fa533cea 100644
--- a/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent
+++ b/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent
@@ -48,8 +48,8 @@ profile polkit-kde-authentication-agent @{exec_path} {
 owner @{user_config_dirs}/kwinrc r,
 owner @{user_config_dirs}/qt5ct/{,**} r,
- owner /tmp/#[0-9]*[0-9] rw,
- owner /tmp/polkit-kde-authentication-agent-[0-9].* rwl -> /tmp/#[0-9]*[0-9],
+ owner /tmp/#@{int} rw,
+ owner /tmp/polkit-kde-authentication-agent-[0-9].* rwl -> /tmp/#@{int},
 @{run}/systemd/users/@{uid} r,
@@ -58,7 +58,7 @@ profile polkit-kde-authentication-agent @{exec_path} {
 @{PROC}/@{pid}/fd/ r,
 @{PROC}/sys/kernel/core_pattern r,
- /dev/shm/#[0-9]*[0-9] rw,
+ /dev/shm/#@{int} rw,
 include if exists
 }
diff --git a/apparmor.d/groups/freedesktop/pulseaudio b/apparmor.d/groups/freedesktop/pulseaudio
index 41551698..a2638222 100644
--- a/apparmor.d/groups/freedesktop/pulseaudio
+++ b/apparmor.d/groups/freedesktop/pulseaudio
@@ -159,7 +159,7 @@ profile pulseaudio @{exec_path} {
 owner /var/lib/lightdm/.config/pulse/cookie k,
 /var/lib/gdm{3,}/.cache/gstreamer-1.0/ rw,
- /var/lib/gdm{3,}/.cache/gstreamer-1.0/registry.*.bin{,.tmp*} rw,
+ /var/lib/gdm{3,}/.cache/gstreamer-1.0/registry.*.bin{,.tmp@{rand6}} rw,
 owner @{user_config_dirs}/ w,
 owner @{user_config_dirs}/pulse/{,**} rw,
diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk
index a844681a..b4678479 100644
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk
@@ -164,12 +164,12 @@ profile xdg-desktop-portal-gtk @{exec_path} {
 owner @{HOME}/.icons/{,**} r,
 owner @{HOME}/@{XDG_DATA_DIR}/ r,
- owner /tmp/runtime-*/xauth_?????? r,
- owner /tmp/xauth_?????? r,
+ owner /tmp/runtime-*/xauth_@{rand6} r,
+ owner /tmp/xauth_@{rand6} r,
 @{run}/mount/utab r,
- @{run}/user/@{uid}/xauth_* rl,
- owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* rw,
+ @{run}/user/@{uid}/xauth_@{rand6} rl,
+ owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} rw,
 owner @{run}/user/@{uid}/gdm/Xauthority r,
 owner @{PROC}/@{pid}/mountinfo r,
diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde b/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde
index 14e9f4ea..d61f95d7 100644
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde
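Review bot: In the xdg-desktop-portal-gtk hunk, `@{run}/user/@{uid}/xauth_@{rand6} rl,` is the one xauth rule rewritten without the `owner` qualifier, and it also keeps `l` (link) where the neighbouring xauth rules are read-only; if both were simply carried over from the old `xauth_*` line rather than observed, `owner @{run}/user/@{uid}/xauth_@{rand6} r,` would match the rules around it. The per-user runtime directory keeps the practical exposure small, so this is about consistency and least privilege rather than a hole. The xdg-desktop-portal-kde hunk has the same unqualified `rl` form next to an `owner /tmp/xauth_@{rand6} r,` line.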
@@ -45,9 +45,9 @@ profile xdg-desktop-portal-kde @{exec_path} {
 owner @{user_config_dirs}/kwinrc r,
 owner @{user_config_dirs}/xdg-desktop-portal-kderc r,
- owner /tmp/xauth_?????? r,
+ owner /tmp/xauth_@{rand6} r,
- @{run}/user/@{uid}/xauth_* rl,
+ @{run}/user/@{uid}/xauth_@{rand6} rl,
 @{PROC}/sys/kernel/core_pattern r,
diff --git a/apparmor.d/groups/freedesktop/xdg-permission-store b/apparmor.d/groups/freedesktop/xdg-permission-store
index af1c8b15..f04f1bab 100644
--- a/apparmor.d/groups/freedesktop/xdg-permission-store
+++ b/apparmor.d/groups/freedesktop/xdg-permission-store
@@ -50,7 +50,7 @@ profile xdg-permission-store @{exec_path} flags=(attach_disconnected) {
 owner @{user_share_dirs}/flatpak/ w,
 owner @{user_share_dirs}/flatpak/db/ rw,
- owner @{user_share_dirs}/flatpak/db/.goutputstream-* rw,
+ owner @{user_share_dirs}/flatpak/db/.goutputstream-@{rand6} rw,
 owner @{user_share_dirs}/flatpak/db/background rw,
 owner @{user_share_dirs}/flatpak/db/notifications rw,
diff --git a/apparmor.d/groups/freedesktop/xdg-user-dirs-update b/apparmor.d/groups/freedesktop/xdg-user-dirs-update
index b3749ca7..0dd4238f 100644
--- a/apparmor.d/groups/freedesktop/xdg-user-dirs-update
+++ b/apparmor.d/groups/freedesktop/xdg-user-dirs-update
@@ -50,7 +50,7 @@ profile xdg-user-dirs-update @{exec_path} {
 owner @{HOME}/@{XDG_VIDEOS_DIR}/ w,
 owner @{user_config_dirs}/user-dirs.dirs rw,
- owner @{user_config_dirs}/user-dirs.dirs?????? rw,
+ owner @{user_config_dirs}/user-dirs.dirs@{rand6} rw,
 owner @{user_config_dirs}/user-dirs.locale rw,
 include if exists
diff --git a/apparmor.d/groups/freedesktop/xorg b/apparmor.d/groups/freedesktop/xorg
index 9d1732ff..6cbcd653 100644
--- a/apparmor.d/groups/freedesktop/xorg
+++ b/apparmor.d/groups/freedesktop/xorg
@@ -141,7 +141,7 @@ profile xorg @{exec_path} flags=(attach_disconnected) {
 /dev/fb[0-9] rw,
 /dev/input/event[0-9]* rw,
- /dev/shm/#[0-9]*[0-9] rw,
+ /dev/shm/#@{int} rw,
 /dev/shm/shmfd-* rw,
 /dev/tty rw,
 /dev/tty[0-9]* rw,
diff --git a/apparmor.d/groups/freedesktop/xprop b/apparmor.d/groups/freedesktop/xprop
index b4358c90..dd172f45 100644
--- a/apparmor.d/groups/freedesktop/xprop
+++ b/apparmor.d/groups/freedesktop/xprop
@@ -19,10 +19,10 @@ profile xprop @{exec_path} {
 owner @{HOME}/.Xauthority r,
 owner @{HOME}/.icons/default/index.theme r,
- owner /tmp/runtime-*/xauth_?????? r,
- owner /tmp/xauth_?????? r,
+ owner /tmp/runtime-*/xauth_@{rand6} r,
+ owner /tmp/xauth_@{rand6} r,
- owner @{run}/user/@{uid}/xauth_* rl,
+ owner @{run}/user/@{uid}/xauth_@{rand6} rl,
 # file_inherit
 owner /dev/tty[0-9]* rw,
diff --git a/apparmor.d/groups/freedesktop/xrdb b/apparmor.d/groups/freedesktop/xrdb
index 73c87be0..1182d3c7 100644
--- a/apparmor.d/groups/freedesktop/xrdb
+++ b/apparmor.d/groups/freedesktop/xrdb
@@ -35,8 +35,8 @@ profile xrdb @{exec_path} {
 owner /tmp/kcminit.* r,
 owner /tmp/plasma-apply-lookandfeel.* r,
- owner /tmp/runtime-*/xauth_?????? r,
- owner /tmp/startplasma-x11.?????? r,
+ owner /tmp/runtime-*/xauth_@{rand6} r,
+ owner /tmp/startplasma-x11.@{rand6} r,
 owner /tmp/xauth-[0-9]*-_[0-9] r,
 @{run}/sddm/\{@{uuid}\} r,
diff --git a/apparmor.d/groups/freedesktop/xsetroot b/apparmor.d/groups/freedesktop/xsetroot
index 6915528a..85c168bb 100644
--- a/apparmor.d/groups/freedesktop/xsetroot
+++ b/apparmor.d/groups/freedesktop/xsetroot
@@ -24,8 +24,8 @@ profile xsetroot @{exec_path} {
 owner @{user_share_dirs}/sddm/xorg-session.log w,
 @{run}/sddm/\{@{uuid}\} r,
- @{run}/sddm/xauth_?????? r,
- @{run}/user/@{uid}/xauth_* rl,
+ @{run}/user/@{uid}/xauth_@{rand6} rl,
+ @{run}/sddm/xauth_@{rand6} r,
 include if exists
 }
diff --git a/apparmor.d/groups/freedesktop/xwayland b/apparmor.d/groups/freedesktop/xwayland
index 2fffcf11..6d359871 100644
--- a/apparmor.d/groups/freedesktop/xwayland
+++ b/apparmor.d/groups/freedesktop/xwayland
@@ -37,8 +37,8 @@ profile xwayland @{exec_path} flags=(attach_disconnected) {
 owner /var/lib/gdm{3,}/.cache/mesa_shader_cache/index rw,
 owner /tmp/server-[0-9]*.xkm rwk,
- owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[a-zA-z0-9]* rw,
- owner @{run}/user/@{uid}/xwayland-shared-?????? rw,
+ owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} rw,
+ owner @{run}/user/@{uid}/xwayland-shared-@{rand6} rw,
 @{sys}/bus/pci/devices/ r,
diff --git a/apparmor.d/groups/gnome/gdm-runtime-config b/apparmor.d/groups/gnome/gdm-runtime-config
index 58628f7e..b3fc99d0 100644
--- a/apparmor.d/groups/gnome/gdm-runtime-config
+++ b/apparmor.d/groups/gnome/gdm-runtime-config
@@ -13,7 +13,7 @@ profile gdm-runtime-config @{exec_path} {
 @{exec_path} mr,
 @{run}/gdm{3,}/ rw,
- @{run}/gdm{3,}/custom.conf* rw,
+ @{run}/gdm{3,}/custom.conf{,.@{rand6}} rw,
 include if exists
 }
diff --git a/apparmor.d/groups/gnome/gdm-session-worker b/apparmor.d/groups/gnome/gdm-session-worker
index d5e92f6b..c447fdd8 100644
--- a/apparmor.d/groups/gnome/gdm-session-worker
+++ b/apparmor.d/groups/gnome/gdm-session-worker
@@ -82,6 +82,8 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) {
 /etc/sysconfig/displaymanager r,
 /etc/sysconfig/windowmanager r,
+ owner @{HOME}/.pam_environment r,
+ owner @{run}/user/@{uid}/keyring/control rw,
 @{run}/cockpit/active.motd r,
diff --git a/apparmor.d/groups/gnome/gdm-xsession b/apparmor.d/groups/gnome/gdm-xsession
index ba51cf06..412df890 100644
--- a/apparmor.d/groups/gnome/gdm-xsession
+++ b/apparmor.d/groups/gnome/gdm-xsession
@@ -54,7 +54,7 @@ profile gdm-xsession @{exec_path} {
 /etc/default/im-config r,
 /etc/X11/{,**} r,
- owner /tmp/gdm{3,}-config-err-?????? rw,
+ owner /tmp/gdm{3,}-config-err-@{rand6} rw,
 # file_inherit
 /dev/tty[0-9]* rw,
diff --git a/apparmor.d/groups/gnome/gjs-console b/apparmor.d/groups/gnome/gjs-console
index 60595f1c..2958a064 100644
--- a/apparmor.d/groups/gnome/gjs-console
+++ b/apparmor.d/groups/gnome/gjs-console
@@ -89,7 +89,7 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) {
 /var/lib/gdm{3,}/.cache/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} r,
 /var/lib/gdm{3,}/.cache/gstreamer-1.0/ rw,
- /var/lib/gdm{3,}/.cache/gstreamer-1.0/registry.*.bin{,.tmp*} rw,
+ /var/lib/gdm{3,}/.cache/gstreamer-1.0/registry.*.bin{,.tmp@{rand6}} rw,
 /var/lib/gdm{3,}/.config/dconf/user r,
 /var/lib/gdm{3,}/greeter-dconf-defaults r,
@@ -98,7 +98,7 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) {
 owner @{user_share_dirs}/gnome-shell/extensions/{,**} r,
 owner @{user_cache_dirs}/gstreamer-1.0/ rw,
- owner @{user_cache_dirs}/gstreamer-1.0/registry.*.bin{,.tmp*} rw,
+ owner @{user_cache_dirs}/gstreamer-1.0/registry.*.bin{,.tmp@{rand6}} rw,
 owner @{run}/user/@{uid}/gdm/Xauthority r,
diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center
index 67159e3e..a9480a49 100644
--- a/apparmor.d/groups/gnome/gnome-control-center
+++ b/apparmor.d/groups/gnome/gnome-control-center
@@ -35,7 +35,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
 signal (send) set=(kill) peer=unconfined,
 signal (send) set=(kill) peer=passwd,
- unix (send, receive, connect) type=stream peer=(addr="@/home/*/.cache/ibus/dbus-*", label=ibus-daemon),
+ unix (send, receive, connect) type=stream peer=(addr="@/home/*/.cache/ibus/dbus-????????", label=ibus-daemon),
 dbus send bus=accessibility path=/org/a11y/atspi/accessible/root
 interface=org.a11y.atspi.Socket
@@ -86,6 +86,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
 @{lib}/gnome-control-center-print-renderer rPx,
 @{lib}/webkit2gtk-{3,4}.0/WebKitNetworkProcess rix,
 /usr/share/language-tools/language2locale rix,
+ /usr/share/language-tools/language-options rPUx,
 /snap/*/[0-9]*/**.png r,
 /usr/share/backgrounds/{,**} r,
@@ -100,13 +101,14 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
 /usr/share/gnome-shell/search-providers/{,**} r,
 /usr/share/gnome/gnome-version.xml r,
 /usr/share/libdrm/*.ids r,
+ /usr/share/language-tools/main-countries r,
 /usr/share/mime/{,**} r,
 /usr/share/pipewire/client.conf r,
 /usr/share/thumbnailers/{,*} r,
 /usr/share/wallpapers/{,**} r,
 /usr/share/xml/iso-codes/iso_[0-9]*-[0-9]*.xml r,
 /usr/share/zoneinfo/{,**} r,
-
+ # freedesktop.org-strict
 /usr/share/*ubuntu/applications/{,**} r,
 /usr/share/glib-2.0/schemas/gschemas.compiled r,
@@ -134,22 +136,27 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
 owner @{user_cache_dirs}/gnome-control-center/{,**} rw,
 owner @{user_cache_dirs}/thumbnails/{,**} rw,
 owner @{user_config_dirs}/gnome-control-center/{,**} rw,
- owner @{user_config_dirs}/ibus/bus/{,@{hex}-unix{,-wayland}-[0-9]} r,
- owner @{user_config_dirs}/mimeapps.list* rw,
- owner @{user_config_dirs}/rygel.conf{,.??????} rw,
+ owner @{user_config_dirs}/ibus/bus/ r,
+ owner @{user_config_dirs}/ibus/bus/@{md5}-unix-{,wayland-}@{int} r,
+ owner @{user_config_dirs}/mimeapps.list{,.@{rand6}} rw,
+ owner @{user_config_dirs}/rygel.conf{,.@{rand6}} rw,
 owner @{user_share_dirs}/backgrounds/{,**} rw,
 owner @{user_share_dirs}/icc/{,edid-*} r,
 owner @{user_share_dirs}/sounds/__custom/{,*} rw,
 owner @{user_share_dirs}/webkitgtk/{,**} r,
 owner @{user_share_dirs}/webkitgtk/databases/indexeddb/* rw,
 owner @{user_share_dirs}/webkitgtk/localstorage/{,**} rwk,
+ owner @{user_share_dirs}/gnome-remote-desktop/ w,
+ owner @{user_share_dirs}/gnome-remote-desktop/rdp-tls.{crt,key}{,.@{rand6}} rw,
 owner @{run}/user/@{uid}/gnome-shell-disable-extensions w,
+ owner @{run}/user/@{uid}/gnome-control-center-region-needs-restart w,
 owner @{run}/user/@{uid}/pipewire-[0-9]* rw,
 owner @{run}/user/@{uid}/webkitgtk-wayland-compositor-@{uuid} rwk,
 owner @{run}/user/@{uid}/webkitgtk-wayland-compositor-@{uuid}.lock rwk,
 owner @{run}/user/@{uid}/webkitgtk/{,**} rw,
- owner @{run}/user/@{uid}/gvfsd/socket-[0-9A-Za-z]* rw,
+ owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw,
+ owner @{run}/user/@{uid}/wayland-@{int} rw,
 @{run}/cups/cups.sock rw,
 @{run}/samba/ rw,
 @{run}/systemd/sessions/ r,
@@ -190,6 +197,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
 owner @{PROC}/@{pid}/stat r,
 owner @{PROC}/@{pid}/statm r,
 owner @{PROC}/@{pid}/task/*/comm rw,
+ owner @{PROC}/@{pid}/loginuid r,
 @{PROC}/cmdline r,
 @{PROC}/zoneinfo r,
diff --git a/apparmor.d/groups/gnome/gnome-remote-desktop-daemon b/apparmor.d/groups/gnome/gnome-remote-desktop-daemon
index d70bbf72..46cff0c0 100644
--- a/apparmor.d/groups/gnome/gnome-remote-desktop-daemon
+++ b/apparmor.d/groups/gnome/gnome-remote-desktop-daemon
@@ -13,12 +13,18 @@ profile gnome-remote-desktop-daemon @{exec_path} {
 include
 include
 include
+ include
 include
+ network inet stream,
+ network inet6 stream,
+
 @{exec_path} mr,
 /usr/share/glib-2.0/schemas/gschemas.compiled r,
+ owner @{run}/user/@{uid}/wayland-@{int} rw,
+
 @{sys}/devices/system/node/ r,
 @{sys}/devices/system/node/node[0-9]*/meminfo r,
diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary
index cdb40652..aa14e53e 100644
--- a/apparmor.d/groups/gnome/gnome-session-binary
+++ b/apparmor.d/groups/gnome/gnome-session-binary
@@ -214,7 +214,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
 /var/lib/flatpak/exports/share/mime/mime.cache r,
 /var/lib/snapd/desktop/applications/{,mimeinfo.cache} r,
- owner /tmp/dirs-?????? rw,
+ owner /tmp/dirs-@{rand6} rw,
 owner @{user_config_dirs}/autostart/{,*.desktop} r,
 owner @{user_config_dirs}/gnome-session/ rw,
diff --git a/apparmor.d/groups/gnome/gnome-session-ctl b/apparmor.d/groups/gnome/gnome-session-ctl
index e6457817..b5ffa063 100644
--- a/apparmor.d/groups/gnome/gnome-session-ctl
+++ b/apparmor.d/groups/gnome/gnome-session-ctl
@@ -21,7 +21,7 @@ profile gnome-session-ctl @{exec_path} {
 member=Initialized
 peer=(name=org.gnome.SessionManager, label=gnome-session-binary),
- unix (send, receive, connect) type=stream peer=(addr=@/tmp/dbus-*, label=dbus-daemon),
+ unix (send, receive, connect) type=stream peer=(addr=@/tmp/dbus-????????, label=dbus-daemon),
 @{exec_path} mr,
diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell
index bf768733..ee432e94 100644
--- a/apparmor.d/groups/gnome/gnome-shell
+++ b/apparmor.d/groups/gnome/gnome-shell
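Review bot: `network inet stream,` and `network inet6 stream,` in the gnome-remote-desktop-daemon hunk grant unqualified TCP in both directions to a service whose purpose is to expose the session over the network (the gnome-control-center hunk in this commit manages its `rdp-tls.{crt,key}`), so the intent should be recorded next to the rules: `# RDP listener and client sockets; this rule form cannot be narrowed by address or port`. The `include` lines in this hunk lost their `<...>` targets in the page rendering, so which abstraction was added cannot be reviewed from here. The profile continues past the end of the hunk.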
@@ -52,7 +52,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
 unix (send,receive) type=stream addr=none peer=(label=gnome-extension-ding),
 unix (send,receive) type=stream addr=none peer=(label=xkbcomp),
 unix (send,receive) type=stream addr=none peer=(label=xwayland),
- unix (send, receive, connect) type=stream peer=(addr="@/var/lib/gdm{3,}/.cache/ibus/dbus-*", label=ibus-daemon),
+ unix (send, receive, connect) type=stream peer=(addr="@/var/lib/gdm{3,}/.cache/ibus/dbus-????????", label=ibus-daemon),
 dbus send bus=session path=/org/freedesktop/DBus
 interface=org.freedesktop.DBus
@@ -514,20 +514,20 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
 /etc/xdg/menus/gnome-applications.menu r,
 /var/lib/gdm{3,}/.cache/ w,
- /var/lib/gdm{3,}/.cache/event-sound-cache.tdb.*.x86_64-pc-linux-gnu rwk,
+ /var/lib/gdm{3,}/.cache/event-sound-cache.tdb.@{md5}.x86_64-pc-linux-gnu rwk,
 /var/lib/gdm{3,}/.cache/fontconfig/{,*} rwl,
 /var/lib/gdm{3,}/.cache/gstreamer-[0-9]*/ rw,
- /var/lib/gdm{3,}/.cache/gstreamer-[0-9]*/registry.*.bin{,.tmp*} rw,
+ /var/lib/gdm{3,}/.cache/gstreamer-[0-9]*/registry.*.bin{,.tmp@{rand6}} rw,
 /var/lib/gdm{3,}/.cache/libgweather/ r,
 /var/lib/gdm{3,}/.cache/mesa_shader_cache/ rw,
- /var/lib/gdm{3,}/.cache/mesa_shader_cache/[a-f0-9][a-f0-9]/ rw,
- /var/lib/gdm{3,}/.cache/mesa_shader_cache/[a-f0-9][a-f0-9]/@{hex} rw,
- /var/lib/gdm{3,}/.cache/mesa_shader_cache/[a-f0-9][a-f0-9]/@{hex}.tmp rwk,
+ /var/lib/gdm{3,}/.cache/mesa_shader_cache/@{h}@{h}/ rw,
+ /var/lib/gdm{3,}/.cache/mesa_shader_cache/@{h}@{h}/@{hex} rw,
+ /var/lib/gdm{3,}/.cache/mesa_shader_cache/@{h}@{h}/@{hex}.tmp rwk,
 /var/lib/gdm{3,}/.cache/mesa_shader_cache/index rw,
 /var/lib/gdm{3,}/.config/dconf/user r,
 /var/lib/gdm{3,}/.config/ibus/ rw,
 /var/lib/gdm{3,}/.config/ibus/bus/ rw,
- /var/lib/gdm{3,}/.config/ibus/bus/@{hex}-unix-{,wayland-}[0-9] r,
+ /var/lib/gdm{3,}/.config/ibus/bus/@{md5}-unix-{,wayland-}@{int} r,
 /var/lib/gdm{3,}/.config/pulse/ r,
 /var/lib/gdm{3,}/.config/pulse/client.conf r,
 /var/lib/gdm{3,}/.config/pulse/cookie rwk,
@@ -554,7 +554,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
 owner @{user_games_dirs}/**/*.{png,jpg} r,
 owner @{user_music_dirs}/**/*.{png,jpg} r,
- owner @{user_config_dirs}/.goutputstream{,*} rw,
+ owner @{user_config_dirs}/.goutputstream{,-@{rand6}} rw,
 owner @{user_config_dirs}/ibus/ w,
 owner @{user_config_dirs}/monitors.xml{,~} rwl,
 owner @{user_config_dirs}/pulse/ r,
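Review bot: The new `event-sound-cache.tdb.@{md5}.x86_64-pc-linux-gnu rwk,` in the gnome-shell hunk keeps the architecture triplet hard-coded, so the rule silently stops matching on any non-x86_64 build of the greeter session even though the rest of the path was just made generic. If the project's tunables expose `@{multiarch}` (the name upstream AppArmor defines in tunables/multiarch), `event-sound-cache.tdb.@{md5}.@{multiarch} rwk,` would cover every target; otherwise a brace set of the supported triplets, or a short comment stating that x86_64 is the only supported target, would do. The remaining rewrites in the hunk (`@{h}@{h}` for the two-hex-character shader-cache directory, `@{md5}-unix-{,wayland-}@{int}` for the ibus bus file) are straightforward tightenings. The profile continues on both sides of the hunk.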
@@ -578,10 +578,10 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
  owner @{run}/user/@{uid}/gnome-shell-disable-extensions rw,
  owner @{run}/user/@{uid}/gnome-shell/{,**} rw,
- owner @{run}/user/@{uid}/gvfsd/socket-[0-9A-Za-z]* rw,
+ owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw,
  owner @{run}/user/@{uid}/snap.snap*/wayland-cursor-shared-* rw,
  owner @{run}/user/@{uid}/systemd/notify rw,
- owner @{run}/user/@{uid}/wayland-[0-9]* rwk,
+ owner @{run}/user/@{uid}/wayland-@{int} rwk,
  owner /dev/shm/.org.chromium.Chromium.* rw,
  owner /dev/shm/wayland.mozilla.ipc.[0-9]* rw,
diff --git a/apparmor.d/groups/gnome/gnome-shell-hotplug-sniffer b/apparmor.d/groups/gnome/gnome-shell-hotplug-sniffer
index 0a54af2b..6ae8704f 100644
--- a/apparmor.d/groups/gnome/gnome-shell-hotplug-sniffer
+++ b/apparmor.d/groups/gnome/gnome-shell-hotplug-sniffer
@@ -9,6 +9,7 @@ include
 @{exec_path} = @{lib}/gnome-shell-hotplug-sniffer
 profile gnome-shell-hotplug-sniffer @{exec_path} {
  include
+ include
  @{exec_path} mr,
diff --git a/apparmor.d/groups/gnome/gnome-software b/apparmor.d/groups/gnome/gnome-software
index 254d8c7d..b15d1bd6 100644
--- a/apparmor.d/groups/gnome/gnome-software
+++ b/apparmor.d/groups/gnome/gnome-software
@@ -71,7 +71,7 @@ profile gnome-software @{exec_path} {
  /var/tmp/flatpak-cache-*/ rw,
  /var/tmp/flatpak-cache-*/** rwkl,
- /var/tmp/#[0-9]* rw,
+ /var/tmp/#@{int} rw,
  owner @{HOME}/.var/app/{,**} rw,
@@ -86,7 +86,7 @@ profile gnome-software @{exec_path} {
  owner /tmp/ostree-gpg-*/ rw,
  owner /tmp/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**,
- owner /tmp/#[0-9]* rw,
+ owner /tmp/#@{int} rw,
  owner @{run}/user/@{uid}/.dbus-proxy/ rw,
  owner @{run}/user/@{uid}/.dbus-proxy/a11y-bus-proxy-[0-9A-Z]* rw,
diff --git a/apparmor.d/groups/gnome/gnome-terminal-server b/apparmor.d/groups/gnome/gnome-terminal-server
index 257b3fdf..c4141bd6 100644
--- a/apparmor.d/groups/gnome/gnome-terminal-server
+++ b/apparmor.d/groups/gnome/gnome-terminal-server
@@ -49,7 +49,7 @@ profile gnome-terminal-server @{exec_path} {
  owner @{run}/user/@{uid}/gdm/Xauthority r,
- owner /tmp/#[0-9]* rw,
+ owner /tmp/#@{int} rw,
  @{PROC}/@{pids}/cmdline r,
  @{PROC}/@{pids}/cgroup r,
diff --git a/apparmor.d/groups/gnome/gsd-housekeeping b/apparmor.d/groups/gnome/gsd-housekeeping
index 052722e5..14c2e873 100644
--- a/apparmor.d/groups/gnome/gsd-housekeeping
+++ b/apparmor.d/groups/gnome/gsd-housekeeping
@@ -79,6 +79,7 @@ profile gsd-housekeeping @{exec_path} flags=(attach_disconnected) {
  owner @{PROC}/@{pids}/mountinfo r,
  @{run}/mount/utab r,
+ owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw,
  owner /dev/tty[0-9]* rw,
diff --git a/apparmor.d/groups/gnome/gsd-xsettings b/apparmor.d/groups/gnome/gsd-xsettings
index c52efb06..64288cf3 100644
--- a/apparmor.d/groups/gnome/gsd-xsettings
+++ b/apparmor.d/groups/gnome/gsd-xsettings
@@ -141,7 +141,7 @@ profile gsd-xsettings @{exec_path} {
  owner @{user_cache_dirs}/mesa_shader_cache/index rw,
- owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[a-zA-z0-9]* r,
+ owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} r,
  owner @{run}/user/@{uid}/gdm/Xauthority r,
  @{run}/systemd/sessions/* r,
  @{run}/systemd/users/@{uid} r,
diff --git a/apparmor.d/groups/gnome/kgx b/apparmor.d/groups/gnome/kgx
index 193e7eee..fae7c222 100644
--- a/apparmor.d/groups/gnome/kgx
+++ b/apparmor.d/groups/gnome/kgx
@@ -40,7 +40,7 @@ profile kgx @{exec_path} {
  /usr/share/themes/{,**} r,
  /usr/share/X11/xkb/{,**} r,
- owner /tmp/#[0-9]* rw,
+ owner /tmp/#@{int} rw,
  @{PROC}/ r,
  @{PROC}/@{pids}/cmdline r,
diff --git a/apparmor.d/groups/gnome/mutter-x11-frames b/apparmor.d/groups/gnome/mutter-x11-frames
index 463d8066..690fa6c6 100644
--- a/apparmor.d/groups/gnome/mutter-x11-frames
+++ b/apparmor.d/groups/gnome/mutter-x11-frames
@@ -23,7 +23,7 @@ profile mutter-x11-frames @{exec_path} {
  @{exec_path} mr,
- owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* rw,
+ owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} rw,
  include if exists
-}
\ No newline at end of file
+}
diff --git a/apparmor.d/groups/gnome/tracker-extract b/apparmor.d/groups/gnome/tracker-extract
index a130cf57..d79baf9f 100644
--- a/apparmor.d/groups/gnome/tracker-extract
+++ b/apparmor.d/groups/gnome/tracker-extract
@@ -83,10 +83,10 @@ profile tracker-extract @{exec_path} flags=(attach_disconnected) {
  /var/lib/gdm{3,}/.cache/ rw,
  /var/lib/gdm{3,}/.cache/tracker3/{,**} rw,
  /var/lib/gdm{3,}/.cache/gstreamer-1.0/ rw,
- /var/lib/gdm{3,}/.cache/gstreamer-1.0/registry.*.bin{,.tmp*} rw,
+ /var/lib/gdm{3,}/.cache/gstreamer-1.0/registry.*.bin{,.tmp@{rand6}} rw,
  /var/lib/gdm{3,}/greeter-dconf-defaults r,
- /var/lib/lightdm/.cache/gstreamer-1.0/registry.*.bin{,.tmp??????} r,
+ /var/lib/lightdm/.cache/gstreamer-1.0/registry.*.bin{,.tmp@{rand6}} r,
  /var/lib/flatpak/exports/share/applications/mimeinfo.cache r,
  /var/lib/flatpak/exports/share/mime/mime.cache r,
diff --git a/apparmor.d/groups/gnome/tracker-miner b/apparmor.d/groups/gnome/tracker-miner
index ea6e8e79..ece36469 100644
--- a/apparmor.d/groups/gnome/tracker-miner
+++ b/apparmor.d/groups/gnome/tracker-miner
@@ -88,7 +88,7 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) {
  /var/lib/lightdm/.config/dconf/user r,
  /var/lib/lightdm/.cache/tracker3/files/meta.db{,-wal} rwk,
- /var/lib/lightdm/.cache/tracker3/files/no-need-mtime-check.txt{,.??????} rw,
+ /var/lib/lightdm/.cache/tracker3/files/no-need-mtime-check.txt{,.@{rand6}} rw,
  owner /var/tmp/etilqs_@{hex} rw,
diff --git a/apparmor.d/groups/grub/grub-install b/apparmor.d/groups/grub/grub-install
index 06238987..ed1962bf 100644
--- a/apparmor.d/groups/grub/grub-install
+++ b/apparmor.d/groups/grub/grub-install
@@ -29,6 +29,7 @@ profile grub-install @{exec_path} flags=(complain) {
  /etc/default/grub.d/{,**} r,
  /etc/default/grub r,
+ /boot/efi/EFI/ubuntu/* w,
  /boot/efi/EFI/BOOT/{,**} rw,
  /boot/EFI/*/grubx*.efi rw,
  /boot/grub/{,**} rw,
diff --git a/apparmor.d/groups/grub/grub-multi-install b/apparmor.d/groups/grub/grub-multi-install
index 88e8a037..60d9a38a 100644
--- a/apparmor.d/groups/grub/grub-multi-install
+++ b/apparmor.d/groups/grub/grub-multi-install
@@ -17,6 +17,7 @@ profile grub-multi-install @{exec_path} {
  @{bin}/{,ba,da}sh rix,
  @{bin}/{,e}grep rix,
  @{bin}/cat rix,
+ @{bin}/cut rix,
  @{bin}/dpkg-query rpx,
  @{bin}/readlink rix,
  @{bin}/sed rix,
@@ -33,5 +34,7 @@ profile grub-multi-install @{exec_path} {
  owner @{PROC}/@{pid}/maps r,
  owner @{PROC}/@{pid}/mounts r,
+ /dev/disk/by-id/ r,
+ include if exists
-}
\ No newline at end of file
+}
diff --git a/apparmor.d/groups/gvfs/gvfsd-dav b/apparmor.d/groups/gvfs/gvfsd-dav
index 68d5f54b..de9cf025 100644
--- a/apparmor.d/groups/gvfs/gvfsd-dav
+++ b/apparmor.d/groups/gvfs/gvfsd-dav
@@ -28,7 +28,7 @@ profile gvfsd-dav @{exec_path} {
  /usr/share/mime/mime.cache r,
  owner @{run}/user/@{uid}/gvfsd/ rw,
- owner @{run}/user/@{uid}/gvfsd/socket-[a-zA-z0-9]* rw,
+ owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw,
  @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r,
diff --git a/apparmor.d/groups/gvfs/gvfsd-dnssd b/apparmor.d/groups/gvfs/gvfsd-dnssd
index 183d102d..79f9888e 100644
--- a/apparmor.d/groups/gvfs/gvfsd-dnssd
+++ b/apparmor.d/groups/gvfs/gvfsd-dnssd
@@ -57,7 +57,7 @@ profile gvfsd-dnssd @{exec_path} {
  @{exec_path} mr,
  owner @{run}/user/@{uid}/gvfsd/ rw,
- owner @{run}/user/@{uid}/gvfsd/socket-[a-zA-Z0-9]* rw,
+ owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw,
  include if exists
 }
diff --git a/apparmor.d/groups/gvfs/gvfsd-http b/apparmor.d/groups/gvfs/gvfsd-http
index 55941c2e..abb98c80 100644
--- a/apparmor.d/groups/gvfs/gvfsd-http
+++ b/apparmor.d/groups/gvfs/gvfsd-http
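Review bot: The added `/boot/efi/EFI/ubuntu/* w,` in the grub-install hunk is the only distribution-specific path in this rule group and is write-only, while its siblings (`/boot/efi/EFI/BOOT/{,**} rw,`, `/boot/EFI/*/grubx*.efi rw,`) are `rw` and vendor-neutral. Because it is write access to the EFI system partition, a comment stating which grub-install step produces it, e.g. `# grub-install writes the distro loader into EFI/<vendor>/`, lets a later reviewer judge whether the vendor name should become a glob like the existing `/boot/EFI/*/` rule. The profile is in complain mode, so a too-narrow rule will only log; that is a good moment to confirm whether `r` is needed as well.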
@@ -24,7 +24,7 @@ profile gvfsd-http @{exec_path} {
  @{exec_path} mr,
- owner @{run}/user/@{uid}/gvfsd/socket-* rw,
+ owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw,
  @{PROC}/sys/net/ipv{4,6}/conf/all/disable_ipv{4,6} r,
diff --git a/apparmor.d/groups/gvfs/gvfsd-mtp b/apparmor.d/groups/gvfs/gvfsd-mtp
index 086ba5fa..e605b36b 100644
--- a/apparmor.d/groups/gvfs/gvfsd-mtp
+++ b/apparmor.d/groups/gvfs/gvfsd-mtp
@@ -23,7 +23,7 @@ profile gvfsd-mtp @{exec_path} {
  owner @{HOME}/{,**} rw,
  owner @{MOUNTS}/{,**} rw,
- owner @{run}/user/@{uid}/gvfsd/socket-* rw,
+ owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw,
  include if exists
 }
diff --git a/apparmor.d/groups/gvfs/gvfsd-network b/apparmor.d/groups/gvfs/gvfsd-network
index dd95aed1..c4db24fe 100644
--- a/apparmor.d/groups/gvfs/gvfsd-network
+++ b/apparmor.d/groups/gvfs/gvfsd-network
@@ -51,7 +51,7 @@ profile gvfsd-network @{exec_path} {
  /usr/share/glib-2.0/schemas/gschemas.compiled r,
  owner @{run}/user/@{uid}/gvfsd/ rw,
- owner @{run}/user/@{uid}/gvfsd/socket-[a-zA-z0-9]* rw,
+ owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw,
  include if exists
 }
diff --git a/apparmor.d/groups/gvfs/gvfsd-recent b/apparmor.d/groups/gvfs/gvfsd-recent
index 035150d5..347573ce 100644
--- a/apparmor.d/groups/gvfs/gvfsd-recent
+++ b/apparmor.d/groups/gvfs/gvfsd-recent
@@ -26,7 +26,7 @@ profile gvfsd-recent @{exec_path} {
  owner @{user_share_dirs}/recently-used.xbel r,
  owner @{run}/user/@{uid}/gvfsd/ rw,
- owner @{run}/user/@{uid}/gvfsd/socket-[a-zA-z0-9]* rw,
+ owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw,
  owner @{PROC}/@{pid}/mountinfo r,
diff --git a/apparmor.d/groups/gvfs/gvfsd-smb b/apparmor.d/groups/gvfs/gvfsd-smb
index 2259ac77..29ee1627 100644
--- a/apparmor.d/groups/gvfs/gvfsd-smb
+++ b/apparmor.d/groups/gvfs/gvfsd-smb
@@ -23,7 +23,7 @@ profile gvfsd-smb @{exec_path} {
  /etc/samba/smb.conf r,
- owner @{run}/user/@{uid}/gvfsd/socket-[a-zA-z0-9]* rw,
+ owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw,
  include if exists
 }
diff --git a/apparmor.d/groups/gvfs/gvfsd-smb-browse b/apparmor.d/groups/gvfs/gvfsd-smb-browse
index c37b2dee..72b40cf9 100644
--- a/apparmor.d/groups/gvfs/gvfsd-smb-browse
+++ b/apparmor.d/groups/gvfs/gvfsd-smb-browse
@@ -58,7 +58,7 @@ profile gvfsd-smb-browse @{exec_path} {
  owner @{run}/samba/ rw,
  owner @{run}/samba/gencache.tdb rwk,
- owner @{run}/user/@{uid}/gvfsd/socket-[a-zA-z0-9]* rw,
+ owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw,
  owner @{user_cache_dirs}/samba/ w,
  owner @{user_cache_dirs}/samba/gencache.tdb rwk,
diff --git a/apparmor.d/groups/gvfs/gvfsd-trash b/apparmor.d/groups/gvfs/gvfsd-trash
index 7574fd48..f3ed674c 100644
--- a/apparmor.d/groups/gvfs/gvfsd-trash
+++ b/apparmor.d/groups/gvfs/gvfsd-trash
@@ -50,7 +50,7 @@ profile gvfsd-trash @{exec_path} {
  owner @{MOUNTS}/{,**} rw,
  owner @{run}/user/@{uid}/gvfsd/ rw,
- owner @{run}/user/@{uid}/gvfsd/socket-* rw,
+ owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw,
  @{run}/mount/utab r,
diff --git a/apparmor.d/groups/kde/baloo b/apparmor.d/groups/kde/baloo
index 50de39ef..284a26bf 100644
--- a/apparmor.d/groups/kde/baloo
+++ b/apparmor.d/groups/kde/baloo
@@ -38,7 +38,7 @@ profile baloo @{exec_path} {
  owner @{MOUNTS}/{,**} r,
  owner /tmp/*/{,**} r,
- owner @{user_config_dirs}/#[0-9]* rw,
+ owner @{user_config_dirs}/#@{int} rw,
  owner @{user_config_dirs}/baloofilerc rwl,
  owner @{user_config_dirs}/baloofilerc.lock rwkl,
diff --git a/apparmor.d/groups/kde/drkonqi b/apparmor.d/groups/kde/drkonqi
index 87adf94a..6cb02196 100644
--- a/apparmor.d/groups/kde/drkonqi
+++ b/apparmor.d/groups/kde/drkonqi
@@ -22,9 +22,9 @@ profile drkonqi @{exec_path} {
  /usr/share/drkonqi/{,**} r,
  /usr/share/icu/[0-9]*.[0-9]*/*.dat r,
- @{run}/user/@{uid}/xauth_* rl,
+ @{run}/user/@{uid}/xauth_@{rand6} rl,
  /dev/tty r,
  include if exists
-}
\ No newline at end of file
+}
diff --git a/apparmor.d/groups/kde/gmenudbusmenuproxy b/apparmor.d/groups/kde/gmenudbusmenuproxy
index e99cb5ec..659642fb 100644
--- a/apparmor.d/groups/kde/gmenudbusmenuproxy
+++ b/apparmor.d/groups/kde/gmenudbusmenuproxy
@@ -23,8 +23,8 @@ profile gmenudbusmenuproxy @{exec_path} {
  /etc/machine-id r,
  owner @{HOME}/.gtkrc-2.0 rw,
- owner @{user_config_dirs}/gtk-{2,3}.0/#[0-9]* rw,
- owner @{user_config_dirs}/gtk-{2,3}.0/settings.ini{,.??????} rwl,
+ owner @{user_config_dirs}/gtk-{2,3}.0/#@{int} rw,
+ owner @{user_config_dirs}/gtk-{2,3}.0/settings.ini{,.@{rand6}} rwl,
  owner @{user_config_dirs}/gtk-{2,3}.0/settings.ini.lock rwk,
  @{PROC}/sys/kernel/random/boot_id r,
diff --git a/apparmor.d/groups/kde/kaccess b/apparmor.d/groups/kde/kaccess
index 3f0106b3..2a48abec 100644
--- a/apparmor.d/groups/kde/kaccess
+++ b/apparmor.d/groups/kde/kaccess
@@ -38,9 +38,9 @@ profile kaccess @{exec_path} {
  owner @{user_share_dirs}/mime/generic-icons r,
- owner /tmp/xauth_?????? r,
+ owner /tmp/xauth_@{rand6} r,
- owner @{run}/user/@{uid}/xauth_?????? r,
+ owner @{run}/user/@{uid}/xauth_@{rand6} r,
  @{sys}/devices/pci[0-9]*/**/{device,subsystem_device,subsystem_vendor,uevent,vendor} r,
diff --git a/apparmor.d/groups/kde/kalendarac b/apparmor.d/groups/kde/kalendarac
index e403a1ad..4801e75b 100644
--- a/apparmor.d/groups/kde/kalendarac
+++ b/apparmor.d/groups/kde/kalendarac
@@ -32,23 +32,23 @@ profile kalendarac @{exec_path} {
  owner @{user_cache_dirs}/icon-cache.kcache rw,
- owner @{user_config_dirs}/#[0-9]* rw,
+ owner @{user_config_dirs}/#@{int} rw,
  owner @{user_config_dirs}/akonadi-firstrunrc r,
  owner @{user_config_dirs}/akonadi/akonadiconnectionrc r,
  owner @{user_config_dirs}/emaildefaults r,
  owner @{user_config_dirs}/emailidentities r,
  owner @{user_config_dirs}/kalendaracrc rw,
- owner @{user_config_dirs}/kalendaracrc.?????? rwl,
+ owner @{user_config_dirs}/kalendaracrc.@{rand6} rwl,
  owner @{user_config_dirs}/kalendaracrc.lock rwk,
  owner @{user_config_dirs}/kdedefaults/kdeglobals r,
  owner @{user_config_dirs}/kdeglobals r,
  owner @{user_config_dirs}/kmail2rc r,
- @{run}/user/@{uid}/xauth_* rl,
+ @{run}/user/@{uid}/xauth_@{rand6} rl,
  @{PROC}/sys/kernel/core_pattern r,
  /dev/tty r,
  include if exists
-}
\ No newline at end of file
+}
diff --git a/apparmor.d/groups/kde/kcminit b/apparmor.d/groups/kde/kcminit
index eb37c005..0a49483e 100644
--- a/apparmor.d/groups/kde/kcminit
+++ b/apparmor.d/groups/kde/kcminit
@@ -28,9 +28,9 @@ profile kcminit @{exec_path} {
  owner @{HOME}/.Xdefaults r,
- owner @{user_config_dirs}/#[0-9]* rw,
- owner @{user_config_dirs}/gtkrc-2.0{,.??????} rwl,
- owner @{user_config_dirs}/gtkrc{,.??????} rwl,
+ owner @{user_config_dirs}/#@{int} rw,
+ owner @{user_config_dirs}/gtkrc-2.0{,.@{rand6}} rwl,
+ owner @{user_config_dirs}/gtkrc{,.@{rand6}} rwl,
  owner @{user_config_dirs}/kcminputrc r,
  owner @{user_config_dirs}/kdedefaults/kcminputrc r,
  owner @{user_config_dirs}/kdedefaults/kdeglobals r,
@@ -40,16 +40,16 @@ profile kcminit @{exec_path} {
  owner @{user_config_dirs}/kwinrc r,
  owner @{user_config_dirs}/touchpadrc r,
  owner @{user_config_dirs}/Trolltech.conf.lock rwk,
- owner @{user_config_dirs}/Trolltech.conf{,.??????} rwl,
+ owner @{user_config_dirs}/Trolltech.conf{,.@{rand6}} rwl,
- owner /tmp/kcminit.?????? rwl,
- owner /tmp/#[0-9]* rw,
+ owner /tmp/kcminit.@{rand6} rwl,
+ owner /tmp/#@{int} rw,
- @{run}/user/@{uid}/xauth_* rl,
+ @{run}/user/@{uid}/xauth_@{rand6} rl,
  @{PROC}/sys/kernel/random/boot_id r,
  /dev/tty r,
  include if exists
-}
\ No newline at end of file
+}
diff --git a/apparmor.d/groups/kde/kconf_update b/apparmor.d/groups/kde/kconf_update
index 377d58a2..70d8a94f 100644
--- a/apparmor.d/groups/kde/kconf_update
+++ b/apparmor.d/groups/kde/kconf_update
@@ -34,7 +34,7 @@ profile kconf_update @{exec_path} {
  /etc/machine-id r,
  /etc/xdg/kdeglobals r,
- owner @{user_config_dirs}/#[0-9]* rw,
+ owner @{user_config_dirs}/#@{int} rw,
  owner @{user_config_dirs}/akregatorrc r,
  owner @{user_config_dirs}/kateschemarc r,
  owner @{user_config_dirs}/kcminputrc r,
@@ -59,10 +59,10 @@ profile kconf_update @{exec_path} {
  owner @{user_config_dirs}/kxkbrc.lock rwk,
  owner @{user_config_dirs}/plasmashellrc r,
- owner /tmp/#[0-9]* rw,
- owner /tmp/kconf_update.* rwl,
+ owner /tmp/#@{int} rw,
+ owner /tmp/kconf_update.@{rand6} rwl,
  @{PROC}/@{sys}/kernel/random/boot_id r,
  include if exists
-}
\ No newline at end of file
+}
diff --git a/apparmor.d/groups/kde/kde-powerdevil b/apparmor.d/groups/kde/kde-powerdevil
index 1f572576..d3533f5d 100644
--- a/apparmor.d/groups/kde/kde-powerdevil
+++ b/apparmor.d/groups/kde/kde-powerdevil
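Review bot: The context line `@{PROC}/@{sys}/kernel/random/boot_id r,` in the second kconf_update hunk looks like a typo that this sweep leaves in place: `@{sys}` presumably expands to `/sys`, so the rule would describe `/proc//sys/...` rather than the real `/proc/sys/kernel/random/boot_id`, and the kcminit hunk above already spells the same rule `@{PROC}/sys/kernel/random/boot_id r,`. Since the commit edits the neighbouring lines anyway, changing it to `@{PROC}/sys/kernel/random/boot_id r,` here avoids a denial that would otherwise surface as an unrelated regression.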
@@ -29,7 +29,7 @@ profile kde-powerdevil @{exec_path} flags=(attach_disconnected mediate_deleted)
  owner @{user_cache_dirs}/kcrash-metadata/{,*} rw,
- owner @{user_config_dirs}/#[0-9]* rw,
+ owner @{user_config_dirs}/#@{int} rw,
  owner @{user_config_dirs}/kdedefaults/kdeglobals r,
  owner @{user_config_dirs}/kdeglobals r,
  owner @{user_config_dirs}/powerdevilrc rwl -> @{user_config_dirs}/#[0-9]*,
diff --git a/apparmor.d/groups/kde/kded5 b/apparmor.d/groups/kde/kded5
index 83f5b98f..10f43628 100644
--- a/apparmor.d/groups/kde/kded5
+++ b/apparmor.d/groups/kde/kded5
@@ -71,7 +71,7 @@ profile kded5 @{exec_path} {
  owner @{user_cache_dirs}/icon-cache.kcache rw,
  owner @{user_cache_dirs}/ksycoca5_* r,
- owner @{user_config_dirs}/#[0-9]* rw,
+ owner @{user_config_dirs}/#@{int} rw,
  owner @{user_config_dirs}/bluedevilglobalrc rk,
  owner @{user_config_dirs}/bluedevilglobalrc* rwkl,
  owner @{user_config_dirs}/gtk-{3,4}.0/{,**} rwl,
@@ -108,11 +108,11 @@ profile kded5 @{exec_path} {
  owner @{user_share_dirs}/remoteview/ r,
  owner @{user_share_dirs}/services5/{,**} r,
- owner @{run}/user/@{uid}/#[0-9]* rw,
+ owner @{run}/user/@{uid}/#@{int} rw,
  owner @{run}/user/@{uid}/gvfs/ r,
  owner @{run}/user/@{uid}/kded5*kioworker.socket rwl,
- owner /tmp/plasma-csd-generator.??????/{,**} rw,
+ owner /tmp/plasma-csd-generator.@{rand6}/{,**} rw,
  @{PROC}/@{pids}/cmdline/ r,
  @{PROC}/@{pids}/fd/ r,
diff --git a/apparmor.d/groups/kde/kglobalaccel5 b/apparmor.d/groups/kde/kglobalaccel5
index 9f8d495c..323d252d 100644
--- a/apparmor.d/groups/kde/kglobalaccel5
+++ b/apparmor.d/groups/kde/kglobalaccel5
@@ -22,9 +22,9 @@ profile kglobalaccel5 @{exec_path} {
  /etc/machine-id r,
+ owner @{user_config_dirs}/#@{int} rw,
  owner @{user_config_dirs}/kglobalshortcutsrc* rwl,
  owner @{user_config_dirs}/kglobalshortcutsrc.lock rwk,
- owner @{user_config_dirs}/#[0-9]* rw,
  @{PROC}/sys/kernel/random/boot_id r,
  @{PROC}/sys/kernel/core_pattern r,
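Review bot: The kde-powerdevil hunk converts `owner @{user_config_dirs}/#[0-9]* rw,` to `#@{int}`, but the link target on the context line two rules below, `owner @{user_config_dirs}/powerdevilrc rwl -> @{user_config_dirs}/#[0-9]*,`, keeps the old glob. If `@{int}` is narrower than `[0-9]*`, the create rule and the link-target rule no longer describe the same file set; the other `rwl ->` rules in this commit (kscreenlocker-greet, kwalletmanager5) were updated together with their targets. Change it to `-> @{user_config_dirs}/#@{int},` so the two stay in step.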
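Review bot: In the second kded5 hunk the context line `@{PROC}/@{pids}/cmdline/ r,` carries a trailing slash, which in AppArmor path syntax matches a directory; `cmdline` is a regular file, so this rule presumably never matches and the read of `/proc/<pid>/cmdline` is not actually granted. The gnome-terminal-server and kgx hunks above use `@{PROC}/@{pids}/cmdline r,`, which is the form this line should take.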
@@ -32,4 +32,4 @@ profile kglobalaccel5 @{exec_path} {
  /dev/tty r,
  include if exists
-}
\ No newline at end of file
+}
diff --git a/apparmor.d/groups/kde/kioslave5 b/apparmor.d/groups/kde/kioslave5
index c8e7afb8..557b4c2d 100644
--- a/apparmor.d/groups/kde/kioslave5
+++ b/apparmor.d/groups/kde/kioslave5
@@ -61,9 +61,9 @@ profile kioslave5 @{exec_path} {
  owner @{user_share_dirs}/baloo/index-lock rwk,
  owner @{user_share_dirs}/baloo/index rw,
- owner @{run}/user/@{uid}/#[0-9]* rw,
+ owner @{run}/user/@{uid}/#@{int} rw,
  owner @{run}/user/@{uid}/kio_desktop*kioworker.socket rwl,
- owner @{run}/user/@{uid}/xauth_* rl,
+ owner @{run}/user/@{uid}/xauth_@{rand6} rl,
  @{PROC}/sys/kernel/core_pattern r,
  owner @{PROC}/@{pid}/mountinfo r,
@@ -72,4 +72,4 @@ profile kioslave5 @{exec_path} {
  /dev/tty r,
  include if exists
-}
\ No newline at end of file
+}
diff --git a/apparmor.d/groups/kde/kscreenlocker-greet b/apparmor.d/groups/kde/kscreenlocker-greet
index 163c1bda..21907394 100644
--- a/apparmor.d/groups/kde/kscreenlocker-greet
+++ b/apparmor.d/groups/kde/kscreenlocker-greet
@@ -71,12 +71,12 @@ profile kscreenlocker-greet @{exec_path} {
  owner @{user_cache_dirs}/plasma_theme_*.kcache rw,
  owner @{user_cache_dirs}/plasma-svgelements-default_v* r,
  owner @{user_cache_dirs}/plasma-svgelements.lock rwk,
- owner @{user_cache_dirs}/plasma-svgelements{,.??????} rwl,
- owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/@{hex} rwl -> @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9],
- owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9] rw,
+ owner @{user_cache_dirs}/plasma-svgelements{,.@{rand6}} rwl,
+ owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/@{hex} rwl -> @{user_cache_dirs}/qtshadercache-*-little_endian-*/#@{int},
+ owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/#@{int} rw,
  owner @{user_cache_dirs}/qtshadercache/ rw,
- owner @{user_cache_dirs}/qtshadercache/@{hex} rwl -> @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9],
- owner @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9] rw,
+ owner @{user_cache_dirs}/qtshadercache/@{hex} rwl -> @{user_cache_dirs}/qtshadercache/#@{int},
+ owner @{user_cache_dirs}/qtshadercache/#@{int} rw,
  owner @{user_config_dirs}/kdedefaults/* r,
  owner @{user_config_dirs}/kdeglobals r,
@@ -85,7 +85,7 @@ profile kscreenlocker-greet @{exec_path} {
  owner @{user_config_dirs}/plasmarc r,
  # If one is blocked, the others are probed.
- deny owner @{HOME}/#[0-9]*[0-9] mrw,
+ deny owner @{HOME}/#@{int} mrw,
  owner @{HOME}/.glvnd* mrw,
  owner /tmp/*-cover-*.{jpg,png} r,
diff --git a/apparmor.d/groups/kde/ksmserver b/apparmor.d/groups/kde/ksmserver
index 23c10136..dc3e4517 100644
--- a/apparmor.d/groups/kde/ksmserver
+++ b/apparmor.d/groups/kde/ksmserver
@@ -44,10 +44,10 @@ profile ksmserver @{exec_path} flags=(attach_disconnected,mediate_deleted) {
  /etc/xdg/kwinrc r,
  /etc/xdg/menus/ r,
- owner @{HOME}/?????? rw,
+ owner @{HOME}/@{rand6} rw,
  owner @{HOME}/.Xauthority rw,
- owner @{user_cache_dirs}/#[0-9]* rw,
+ owner @{user_cache_dirs}/#@{int} rw,
  owner @{user_cache_dirs}/icon-cache.kcache rw,
  owner @{user_cache_dirs}/fontconfig/*-le64.cache-* r,
  owner @{user_cache_dirs}/ksycoca5_* rl,
@@ -56,18 +56,18 @@ profile ksmserver @{exec_path} flags=(attach_disconnected,mediate_deleted) {
  owner @{user_config_dirs}/kdedefaults/* r,
  owner @{user_config_dirs}/kdeglobals r,
  owner @{user_config_dirs}/kscreenlockerrc r,
- owner @{user_config_dirs}/ksmserverrc.?????? rwl,
+ owner @{user_config_dirs}/ksmserverrc.@{rand6} rwl,
  owner @{user_config_dirs}/ksmserverrc r,
- owner @{user_config_dirs}/#[0-9]* rw,
+ owner @{user_config_dirs}/#@{int} rw,
  owner @{user_config_dirs}/ksmserverrc.lock rwk,
  owner @{user_config_dirs}/kwinrc r,
  owner @{user_config_dirs}/session/*_[0-9]*_[0-9]*_[0-9]* rw,
- owner /tmp/?????? rw,
+ owner /tmp/@{rand6} rw,
  @{run}/systemd/inhibit/[0-9]*.ref rw,
  owner @{run}/user/@{uid}/KSMserver__[0-9] rw,
- owner @{run}/user/@{uid}/xauth_* rl,
+ owner @{run}/user/@{uid}/xauth_@{rand6} rl,
  @{sys}/devices/pci[0-9]*/**/{device,subsystem_device,subsystem_vendor,uevent,vendor} r,
diff --git a/apparmor.d/groups/kde/kwalletd5 b/apparmor.d/groups/kde/kwalletd5
index 359db5a1..f91fec79 100644
--- a/apparmor.d/groups/kde/kwalletd5
+++ b/apparmor.d/groups/kde/kwalletd5
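Review bot: `owner @{HOME}/@{rand6} rw,` in the first ksmserver hunk and `owner /tmp/@{rand6} rw,` in the second still grant write access to any six-character name directly under the home directory and under /tmp; the tunable narrows the character class but the pattern has no fixed prefix, so ordinary user files such as `notes1` still match. Every other temporary in this profile keeps its target as a prefix (`ksmserverrc.@{rand6}`), so if these two are the same kind of temp file they are probably missing that prefix; otherwise a comment naming the component that creates a bare random file in `@{HOME}` is needed to justify a rule this broad.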
@@ -55,19 +55,19 @@ profile kwalletd5 @{exec_path} {
  owner @{user_share_dirs}/kwalletd/ rw,
  owner @{user_share_dirs}/kwalletd/kdewallet_attributes.json r,
  owner @{user_share_dirs}/kwalletd/*.kwl rw,
- owner @{user_share_dirs}/kwalletd/*.kwl.* rwl -> @{user_share_dirs}/kwalletd/#[0-9]*[0-9],
+ owner @{user_share_dirs}/kwalletd/*.kwl.* rwl -> @{user_share_dirs}/kwalletd/#@{int},
  owner @{user_share_dirs}/kwalletd/*.salt rw,
- owner @{user_share_dirs}/kwalletd/#[0-9]*[0-9] rw,
+ owner @{user_share_dirs}/kwalletd/#@{int} rw,
  owner /tmp/kwalletd5.* rw,
- owner /tmp/runtime-*/xauth_?????? r,
- owner /tmp/xauth_?????? r,
+ owner /tmp/runtime-*/xauth_@{rand6} r,
+ owner /tmp/xauth_@{rand6} r,
  @{PROC}/sys/kernel/core_pattern r,
  owner @{PROC}/@{pid}/cmdline r,
  owner @{PROC}/@{pid}/fd/ r,
- /dev/shm/#[0-9]*[0-9] rw,
+ /dev/shm/#@{int} rw,
  profile gpg {
  include
diff --git a/apparmor.d/groups/kde/kwalletmanager5 b/apparmor.d/groups/kde/kwalletmanager5
index 76cce525..1a723f18 100644
--- a/apparmor.d/groups/kde/kwalletmanager5
+++ b/apparmor.d/groups/kde/kwalletmanager5
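Review bot: `/dev/shm/#@{int} rw,` is the only file rule in this kwalletd5 hunk without the `owner` qualifier, and the same unqualified form is kept in the second kwalletmanager5 hunk below. `/dev/shm` is shared across all users, so anonymous `#@{int}` objects created by other users' processes fall inside the rule; `owner /dev/shm/#@{int} rw,` matches the form used for the other anonymous files in this change (`owner @{run}/user/@{uid}/#@{int} rw,`) and is the least-privilege choice for a daemon that holds wallet secrets. The nested `profile gpg {` that starts at the end of the hunk continues outside it.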
@@ -37,16 +37,16 @@ profile kwalletmanager5 @{exec_path} {
  /var/lib/dbus/machine-id r,
  owner @{user_cache_dirs}/icon-cache.kcache rw,
+ owner @{user_config_dirs}/#@{int} rw,
  owner @{user_config_dirs}/qt5ct/{,**} r,
- owner @{user_config_dirs}/#[0-9]*[0-9] rw,
  owner @{user_config_dirs}/kwalletmanager5rc rw,
- owner @{user_config_dirs}/kwalletmanager5rc.* rwl -> @{user_config_dirs}/#[0-9]*[0-9],
+ owner @{user_config_dirs}/kwalletmanager5rc.* rwl -> @{user_config_dirs}/#@{int},
  owner @{user_config_dirs}/kwalletmanager5rc.lock rwk,
  owner @{user_config_dirs}/kwalletrc rw,
- owner @{user_config_dirs}/kwalletrc.* rwl -> @{user_config_dirs}/#[0-9]*[0-9],
+ owner @{user_config_dirs}/kwalletrc.* rwl -> @{user_config_dirs}/#@{int},
  owner @{user_config_dirs}/kwalletrc.lock rwk,
- owner @{user_config_dirs}/session/#[0-9]*[0-9] rw,
- owner @{user_config_dirs}/session/kwalletmanager5_* rwl -> @{user_config_dirs}/session/#[0-9]*[0-9],
+ owner @{user_config_dirs}/session/#@{int} rw,
+ owner @{user_config_dirs}/session/kwalletmanager5_* rwl -> @{user_config_dirs}/session/#@{int},
  owner @{user_config_dirs}/session/kwalletmanager5_*.lock rwk,
  owner @{user_config_dirs}/kdeglobals r,
@@ -60,7 +60,7 @@ profile kwalletmanager5 @{exec_path} {
  @{PROC}/@{pid}/mounts r,
  /dev/shm/ r,
- /dev/shm/#[0-9]*[0-9] rw,
+ /dev/shm/#@{int} rw,
  include if exists
 }
diff --git a/apparmor.d/groups/kde/kwin_x11 b/apparmor.d/groups/kde/kwin_x11
index 7c57a622..f5664c40 100644
--- a/apparmor.d/groups/kde/kwin_x11
+++ b/apparmor.d/groups/kde/kwin_x11
@@ -46,33 +46,33 @@ profile kwin_x11 @{exec_path} {
  owner @{HOME}/.Xauthority r,
  owner @{user_cache_dirs}/ r,
- owner @{user_cache_dirs}/#[0-9]* rw,
+ owner @{user_cache_dirs}/#@{int} rw,
  owner @{user_cache_dirs}/icon-cache.kcache rw,
  owner @{user_cache_dirs}/kcrash-metadata/*.ini rw,
  owner @{user_cache_dirs}/kwin/{,**} rwl,
  owner @{user_cache_dirs}/plasmarc r,
  owner @{user_cache_dirs}/plasma_theme_*.kcache rw,
  owner @{user_cache_dirs}/plasma-svgelements.lock rwk,
- owner @{user_cache_dirs}/plasma-svgelements{,.??????} rwl,
+ owner @{user_cache_dirs}/plasma-svgelements{,.@{rand6}} rwl,
  owner @{user_cache_dirs}/qtshadercache-*/@{hex} r,
- owner @{user_cache_dirs}/session/#[0-9]* rw,
+ owner @{user_cache_dirs}/session/#@{int} rw,
- owner @{user_config_dirs}/#[0-9]* rw,
+ owner @{user_config_dirs}/#@{int} rw,
  owner @{user_config_dirs}/kcminputrc r,
  owner @{user_config_dirs}/kdedefaults/* r,
  owner @{user_config_dirs}/kdeglobals r,
  owner @{user_config_dirs}/kwinrc.lock rwk,
- owner @{user_config_dirs}/kwinrc{,.??????} rwl,
+ owner @{user_config_dirs}/kwinrc{,.@{rand6}} rwl,
  owner @{user_config_dirs}/kwinrulesrc r,
  owner @{user_config_dirs}/kxkbrc r,
  owner @{user_config_dirs}/session/kwin_* rwk,
  owner @{user_config_dirs}/plasmarc r,
- owner /tmp/#[0-9]* rw,
- owner /tmp/kwin.?????? rwl,
+ owner /tmp/#@{int} rw,
+ owner /tmp/kwin.@{rand6} rwl,
  owner @{run}/user/@{uid}/kcrash_[0-9]* rw,
- owner @{run}/user/@{uid}/xauth_* rl,
+ owner @{run}/user/@{uid}/xauth_@{rand6} rl,
  @{sys}/devices/system/node/ r,
  @{sys}/devices/system/node/node[0-9]*/meminfo r,
diff --git a/apparmor.d/groups/kde/plasma-discover b/apparmor.d/groups/kde/plasma-discover
index 515ede00..725ca177 100644
--- a/apparmor.d/groups/kde/plasma-discover
+++ b/apparmor.d/groups/kde/plasma-discover
@@ -49,7 +49,7 @@ profile plasma-discover @{exec_path} {
  /var/tmp/flatpak-cache-*/ rw,
  /var/tmp/flatpak-cache-*/** rwkl,
- /var/tmp/#[0-9]* rw,
+ /var/tmp/#@{int} rw,
  /var/cache/swcatalog/ rw,
@@ -63,7 +63,7 @@ profile plasma-discover @{exec_path} {
  owner @{user_cache_dirs}/kio_http/ w,
  owner @{user_config_dirs}/ r,
- owner @{user_config_dirs}/#[0-9]* rwl,
+ owner @{user_config_dirs}/#@{int} rwl,
  owner @{user_config_dirs}/discoverrc rwl,
  owner @{user_config_dirs}/discoverrc.lock rwk,
  owner @{user_config_dirs}/kde.org/{,**} rwlk,
diff --git a/apparmor.d/groups/kde/plasmashell b/apparmor.d/groups/kde/plasmashell
index 3a392061..09ba4eb4 100644
--- a/apparmor.d/groups/kde/plasmashell
+++ b/apparmor.d/groups/kde/plasmashell
@@ -91,19 +91,19 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
  owner @{user_templates_dirs}/ r,
  owner @{user_cache_dirs}/ r,
- owner @{user_cache_dirs}/#[0-9]* rwk,
- owner @{user_cache_dirs}/event-sound-cache.tdb.*.x86_64-pc-linux-gnu rwk,
+ owner @{user_cache_dirs}/#@{int} rwk,
+ owner @{user_cache_dirs}/event-sound-cache.tdb.@{md5}.x86_64-pc-linux-gnu rwk,
  owner @{user_cache_dirs}/icon-cache.kcache rw,
  owner @{user_cache_dirs}/ksycoca5_* rl,
  owner @{user_cache_dirs}/org.kde.dirmodel-qml.kcache rw,
  owner @{user_cache_dirs}/plasma_theme_*.kcache rw,
- owner @{user_cache_dirs}/plasma-svgelements.?????? rwlk,
+ owner @{user_cache_dirs}/plasma-svgelements.@{rand6} rwlk,
  owner @{user_cache_dirs}/plasma-svgelements.lock rwk,
  owner @{user_cache_dirs}/plasma-svgelements* rwl,
  owner @{user_cache_dirs}/plasmashell/qmlcache/{,**} rwl,
+ owner @{user_config_dirs}/#@{int} rwk,
  owner @{user_config_dirs}/*kde*.desktop* r,
- owner @{user_config_dirs}/#[0-9]* rwk,
  owner @{user_config_dirs}/akonadi-firstrunrc r,
  owner @{user_config_dirs}/akonadi/akonadiconnectionrc r,
  owner @{user_config_dirs}/baloofilerc r,
@@ -128,7 +128,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
  owner @{user_config_dirs}/pulse/cookie rwk,
  owner @{user_config_dirs}/trashrc r,
- owner @{user_share_dirs}/#[0-9]* rw,
+ owner @{user_share_dirs}/#@{int} rw,
  owner @{user_share_dirs}/akonadi/search_db/{,**} r,
  owner @{user_share_dirs}/kactivitymanagerd/resources/database rk,
  owner @{user_share_dirs}/kactivitymanagerd/resources/database-shm rwk,
@@ -138,7 +138,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
  owner @{user_share_dirs}/kpeople/persondb rwk,
  owner @{user_share_dirs}/kpeoplevcard/ r,
  owner @{user_share_dirs}/krunnerstaterc rwl,
- owner @{user_share_dirs}/krunnerstaterc.?????? rwl,
+ owner @{user_share_dirs}/krunnerstaterc.@{rand6} rwl,
  owner @{user_share_dirs}/krunnerstaterc.lock rwk,
  owner @{user_share_dirs}/ktp/cache.db rwk,
  owner @{user_share_dirs}/plasma_icons/*.desktop r,
@@ -146,9 +146,9 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
  owner @{user_share_dirs}/user-places.xbel r,
  @{run}/user/@{uid}/gvfs/ r,
- owner @{run}/user/@{uid}/#[0-9]* rw,
+ owner @{run}/user/@{uid}/#@{int} rw,
  owner @{run}/user/@{uid}/kdesud_:1 w,
- owner @{run}/user/@{uid}/plasmashell??????.[0-9].kioworker.socket rwl,
+ owner @{run}/user/@{uid}/plasmashell@{rand6}.[0-9].kioworker.socket rwl,
  owner @{run}/user/@{uid}/pulse/ rw,
  @{sys}/bus/ r,
diff --git a/apparmor.d/groups/kde/sddm b/apparmor.d/groups/kde/sddm
index f366aed1..7429b2fb 100644
--- a/apparmor.d/groups/kde/sddm
+++ b/apparmor.d/groups/kde/sddm
@@ -123,18 +123,18 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) {
  /tmp/sddm-* rw,
  owner /tmp/*/{,s} rw,
- owner /tmp/#[0-9]* rw,
+ owner /tmp/#@{int} rw,
  owner /tmp/sddm-auth* rw,
- owner /tmp/xauth_?????? rwl -> /tmp/#[0-9]*,
+ owner /tmp/xauth_@{rand6} rwl -> /tmp/#@{int},
  @{run}/faillock/[a-zA-z0-9]* rwk,
  @{run}/sddm.pid rw,
  @{run}/sddm/\{@{uuid}\} rw,
- @{run}/sddm/xauth_?????? rwl -> @{run}/sddm/#[0-9]*,
+ @{run}/sddm/xauth_@{rand6} rwl -> @{run}/sddm/#@{int},
  @{run}/systemd/sessions/*.ref rw,
- @{run}/user/@{uid}/xauth_?????? rwl,
+ @{run}/user/@{uid}/xauth_@{rand6} rwl,
  owner @{run}/sddm/ rw,
- owner @{run}/user/@{uid}/#[0-9]* rw,
+ owner @{run}/user/@{uid}/#@{int} rw,
  owner @{run}/user/@{uid}/kwallet5.socket rw,
  @{PROC}/ r,
diff --git a/apparmor.d/groups/kde/sddm-greeter b/apparmor.d/groups/kde/sddm-greeter
index 80cb20b7..f0422f50 100644
--- a/apparmor.d/groups/kde/sddm-greeter
+++ b/apparmor.d/groups/kde/sddm-greeter
@@ -48,7 +48,7 @@ profile sddm-greeter @{exec_path} {
  /var/lib/dbus/machine-id r,
  owner /var/lib/sddm/** rw,
- owner /var/lib/sddm/#[0-9]*[0-9] mrw,
+ owner /var/lib/sddm/#@{int} mrw,
  owner /var/lib/sddm/.cache/** mrwkl -> /var/lib/sddm/.cache/**,
  /var/lib/sddm/state.conf r,
@@ -64,11 +64,11 @@ profile sddm-greeter @{exec_path} {
  owner @{user_config_dirs}/qt5ct/{,**} r,
  # If one is blocked, the others are probed.
- deny owner @{HOME}/#[0-9]*[0-9] mrw,
+ deny owner @{HOME}/#@{int} mrw,
  owner @{HOME}/.glvnd* mrw,
  owner /tmp/runtime-sddm/ rw,
- owner /tmp/xauth_?????? rw,
+ owner /tmp/xauth_@{rand6} rw,
  owner @{run}/sddm/{,*} rw,
diff --git a/apparmor.d/groups/kde/startplasma b/apparmor.d/groups/kde/startplasma
index b8d51c5d..cbdf2d68 100644
--- a/apparmor.d/groups/kde/startplasma
+++ b/apparmor.d/groups/kde/startplasma
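Review bot: The context line `@{run}/faillock/[a-zA-z0-9]* rwk,` in the sddm hunk keeps the `A-z` range that this sweep removes from the gvfsd and mutter rules; inside a bracket expression `A-z` also spans `[`, `\`, `]`, `^`, `_` and the backtick, so the class is both a typo and wider than intended on a file the login manager writes with `k` (lock) permission. Since the surrounding lines are being edited, `[a-zA-Z0-9]*` (or a dedicated tunable if user names need more than alphanumerics) is a one-character fix worth carrying in the same commit.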
@@ -37,12 +37,12 @@ profile startplasma @{exec_path} {
  owner @{HOME}/.Xauthority r,
  owner @{user_cache_dirs}/ rw,
- owner @{user_cache_dirs}/#[0-9]* rw,
+ owner @{user_cache_dirs}/#@{int} rw,
  owner @{user_cache_dirs}/kcrash-metadata/ rw,
  owner @{user_cache_dirs}/ksycoca5_* rwkl,
  owner @{user_cache_dirs}/plasma-svgelements rw,
- owner @{user_config_dirs}/#[0-9]* rw,
+ owner @{user_config_dirs}/#@{int} rw,
  owner @{user_config_dirs}/gtkrc rl,
  owner @{user_config_dirs}/gtkrc-2.0 rl,
  owner @{user_config_dirs}/kcminputrc r,
@@ -63,10 +63,10 @@ profile startplasma @{exec_path} {
  owner @{user_share_dirs}/sddm/xorg-session.log rw,
  owner @{user_share_dirs}/sddm/wayland-session.log rw,
- owner /tmp/#[0-9][0-9] rw,
- owner /tmp/startplasma-x11.?????? rwl,
+ owner /tmp/#@{int} rw,
+ owner /tmp/startplasma-x11.@{rand6} rwl,
- @{run}/user/@{uid}/xauth_* rl,
+ @{run}/user/@{uid}/xauth_@{rand6} rl,
  @{PROC}/sys/kernel/core_pattern r,
  @{PROC}/sys/kernel/random/boot_id r,
diff --git a/apparmor.d/groups/kde/xdm-xsession b/apparmor.d/groups/kde/xdm-xsession
index 47e86148..37d04784 100644
--- a/apparmor.d/groups/kde/xdm-xsession
+++ b/apparmor.d/groups/kde/xdm-xsession
@@ -82,7 +82,7 @@ profile xdm-xsession @{exec_path} {
  owner @{run}/user/@{uid}/gnupg/private-keys-v1.d/@{hex}.key rw,
  owner @{run}/user/@{uid}/gnupg/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw,
  owner @{run}/user/@{uid}/gnupg/sshcontrol r,
- @{run}/user/@{uid}/xauth_* rl,
+ @{run}/user/@{uid}/xauth_@{rand6} rl,
  owner /tmp/ssh-*/ rw,
  owner /tmp/ssh-*/agent.* rw,
@@ -106,4 +106,4 @@ profile xdm-xsession @{exec_path} {
  }
  include if exists
-}
\ No newline at end of file
+}
diff --git a/apparmor.d/groups/kde/xembedsniproxy b/apparmor.d/groups/kde/xembedsniproxy
index ac67c5fd..3254991b 100644
--- a/apparmor.d/groups/kde/xembedsniproxy
+++ b/apparmor.d/groups/kde/xembedsniproxy
@@ -18,9 +18,9 @@ profile xembedsniproxy @{exec_path} { /usr/share/hwdata/*.ids r, /usr/share/icu/[0-9]*.[0-9]*/*.dat r, - owner /tmp/xauth_?????? r, + owner /tmp/xauth_@{rand6} r, - @{run}/user/@{uid}/xauth_* rl, + @{run}/user/@{uid}/xauth_@{rand6} rl, include if exists -} \ No newline at end of file +} diff --git a/apparmor.d/groups/kde/xsettingsd b/apparmor.d/groups/kde/xsettingsd index 2e7488a2..00495e47 100644 --- a/apparmor.d/groups/kde/xsettingsd +++ b/apparmor.d/groups/kde/xsettingsd @@ -16,9 +16,9 @@ profile xsettingsd @{exec_path} { owner @{user_config_dirs}/xsettingsd/{,**} rw, - owner /tmp/xauth_?????? r, + owner /tmp/xauth_@{rand6} r, - owner @{run}/user/@{uid}/xauth_* rl, + owner @{run}/user/@{uid}/xauth_@{rand6} rl, include if exists -} \ No newline at end of file +} diff --git a/apparmor.d/groups/network/mullvad-gui b/apparmor.d/groups/network/mullvad-gui index 1105e296..afcf3c38 100644 --- a/apparmor.d/groups/network/mullvad-gui +++ b/apparmor.d/groups/network/mullvad-gui @@ -7,7 +7,7 @@ abi , include @{exec_path} = /opt/Mullvad*/mullvad-gui -profile mullvad-gui @{exec_path} flags=(attach_disconnected) { +profile mullvad-gui @{exec_path} flags=(attach_disconnected) { include include include @@ -51,7 +51,7 @@ profile mullvad-gui @{exec_path} flags=(attach_disconnected) { owner @{user_cache_dirs}/dconf/user rw, owner "/tmp/.org.chromium.Chromium.*/Mullvad VPN*.png" rw, - owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[a-zA-z0-9]* r, + owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} r, @{run}/systemd/inhibit/*.ref rw, @@ -80,4 +80,4 @@ profile mullvad-gui @{exec_path} flags=(attach_disconnected) { deny owner @{user_share_dirs}/gvfs-metadata/* r, include if exists -} \ No newline at end of file +} diff --git a/apparmor.d/groups/systemd/coredumpctl b/apparmor.d/groups/systemd/coredumpctl index c282c115..0b3f3763 100644 --- a/apparmor.d/groups/systemd/coredumpctl +++ b/apparmor.d/groups/systemd/coredumpctl 
@@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/coredumpctl +@{exec_path} = @{bin}/coredumpctl profile coredumpctl @{exec_path} flags=(complain) { include include @@ -30,10 +30,10 @@ profile coredumpctl @{exec_path} flags=(complain) { /var/lib/systemd/coredump/core.*.[0-9]*.@{hex}.[0-9]*.[0-9]*.zst r, /{run,var}/log/journal/ r, - /{run,var}/log/journal/@{hex}/ r, - /{run,var}/log/journal/@{hex}/user-@{hex}.journal* r, - /{run,var}/log/journal/@{hex}/system.journal* r, - /{run,var}/log/journal/@{hex}/system@@{hex}.journal* r, + /{run,var}/log/journal/@{md5}/ r, + /{run,var}/log/journal/@{md5}/user-@{hex}.journal* r, + /{run,var}/log/journal/@{md5}/system.journal* r, + /{run,var}/log/journal/@{md5}/system@@{hex}.journal* r, owner /tmp/*.coredump w, owner /tmp/core.* w, diff --git a/apparmor.d/groups/systemd/journalctl b/apparmor.d/groups/systemd/journalctl index 249d0a6c..a655d650 100644 --- a/apparmor.d/groups/systemd/journalctl +++ b/apparmor.d/groups/systemd/journalctl @@ -34,13 +34,13 @@ profile journalctl @{exec_path} flags=(attach_disconnected) { /var/lib/systemd/catalog/.#database* rw, /{run,var}/log/journal/ r, - /{run,var}/log/journal/@{hex}/ r, - /{run,var}/log/journal/@{hex}/system.journal* r, - /{run,var}/log/journal/@{hex}/system@@{hex}.journal* rw, - /{run,var}/log/journal/@{hex}/user-@{hex}.journal* rw, - owner /{run,var}/log/journal/@{hex}/fss wl -> /var/log/journal/@{hex}/fss.tmp.*, - owner /{run,var}/log/journal/@{hex}/fss.tmp.* rw, - owner /var/tmp/#[0-9]* rw, + /{run,var}/log/journal/@{md5}/ r, + /{run,var}/log/journal/@{md5}/system.journal* r, + /{run,var}/log/journal/@{md5}/system@@{hex}.journal* rw, + /{run,var}/log/journal/@{md5}/user-@{hex}.journal* rw, + owner /{run,var}/log/journal/@{md5}/fss wl -> /var/log/journal/@{md5}/fss.tmp.*, + owner /{run,var}/log/journal/@{md5}/fss.tmp.* rw, + owner /var/tmp/#@{int} rw, @{run}/host/container-manager r, @{run}/systemd/journal/io.systemd.journal rw, 
diff --git a/apparmor.d/groups/systemd/networkctl b/apparmor.d/groups/systemd/networkctl index 3200f41a..0e5e3629 100644 --- a/apparmor.d/groups/systemd/networkctl +++ b/apparmor.d/groups/systemd/networkctl @@ -42,10 +42,10 @@ profile networkctl @{exec_path} flags=(attach_disconnected) { # To be able to read logs @{run}/log/ r, /{run,var}/log/journal/ r, - /{run,var}/log/journal/@{hex}/ r, - /{run,var}/log/journal/@{hex}/user-@{hex}.journal* r, - /{run,var}/log/journal/@{hex}/system.journal* r, - /{run,var}/log/journal/@{hex}/system@@{hex}.journal* r, + /{run,var}/log/journal/@{md5}/ r, + /{run,var}/log/journal/@{md5}/user-@{hex}.journal* r, + /{run,var}/log/journal/@{md5}/system.journal* r, + /{run,var}/log/journal/@{md5}/system@@{hex}.journal* r, @{run}/systemd/netif/links/[0-9]* r, @{run}/systemd/netif/state r, diff --git a/apparmor.d/groups/systemd/systemd-hostnamed b/apparmor.d/groups/systemd/systemd-hostnamed index 9288266f..a3ea5768 100644 --- a/apparmor.d/groups/systemd/systemd-hostnamed +++ b/apparmor.d/groups/systemd/systemd-hostnamed @@ -42,7 +42,7 @@ profile systemd-hostnamed @{exec_path} flags=(attach_disconnected) { @{etc_rw}/.#hostname* rw, @{etc_rw}/hostname rw, - /etc/.#machine-info?????? rw, + /etc/.#machine-info@{rand6} rw, /etc/machine-info rw, @{run}/systemd/default-hostname rw, diff --git a/apparmor.d/groups/systemd/systemd-journald b/apparmor.d/groups/systemd/systemd-journald index cd6afae5..b6182579 100644 --- a/apparmor.d/groups/systemd/systemd-journald +++ b/apparmor.d/groups/systemd/systemd-journald @@ -30,7 +30,7 @@ profile systemd-journald @{exec_path} { @{run}/log/ rw, /{run,var}/log/journal/ rw, - /{run,var}/log/journal/@{hex}/{,*} rwl -> /{run,var}/log/journal/@{hex}/**, + /{run,var}/log/journal/@{md5}/{,*} rw -> /{run,var}/log/journal/@{md5}/**, owner @{run}/systemd/journal/{,**} rw, owner @{run}/systemd/notify rw, 
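Review bot: The rewritten systemd-journald rule `/{run,var}/log/journal/@{md5}/{,*} rw -> /{run,var}/log/journal/@{md5}/**,` drops the `l` permission but keeps the `->` link target, which only carries meaning for link rules; either the link permission was meant to survive the tunable swap or the target is now dead text. If journald does not hard-link journal files, `/{run,var}/log/journal/@{md5}/{,*} rw,` states what is meant; if it does, restore `rwl`. Worth running apparmor_parser over the result to confirm it accepts the mixed form rather than assuming it does. The systemd-journald profile body continues outside the hunk.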
diff --git a/apparmor.d/groups/systemd/systemd-remount-fs b/apparmor.d/groups/systemd/systemd-remount-fs index 0067eff3..b11fa2d8 100644 --- a/apparmor.d/groups/systemd/systemd-remount-fs +++ b/apparmor.d/groups/systemd/systemd-remount-fs @@ -27,7 +27,7 @@ profile systemd-remount-fs @{exec_path} { @{run}/host/container-manager r, @{run}/mount/utab rw, - @{run}/mount/utab.?????? rw, + @{run}/mount/utab.@{rand6} rw, @{run}/mount/utab.lock rwk, @{PROC}/ r, diff --git a/apparmor.d/groups/systemd/systemd-user-generators-autostart b/apparmor.d/groups/systemd/systemd-user-generators-autostart index c16806a4..b5372ec3 100644 --- a/apparmor.d/groups/systemd/systemd-user-generators-autostart +++ b/apparmor.d/groups/systemd/systemd-user-generators-autostart @@ -10,14 +10,18 @@ include profile systemd-user-generators-autostart @{exec_path} { include + ptrace (read) peer=unconfined, + @{exec_path} mr, - /etc/xdg/autostart/*.desktop r, + /etc/xdg/autostart/{,*.desktop} r, owner @{run}/user/@{uid}/systemd/generator.late/{,**} rw, @{PROC}/cmdline r, @{PROC}/sys/kernel/osrelease r, + @{PROC}/1/environ r, + @{PROC}/@{pids}/cgroup r, include if exists -} \ No newline at end of file +} diff --git a/apparmor.d/groups/ubuntu/apport-gtk b/apparmor.d/groups/ubuntu/apport-gtk index 31059064..dd7fbd83 100644 --- a/apparmor.d/groups/ubuntu/apport-gtk +++ b/apparmor.d/groups/ubuntu/apport-gtk @@ -77,7 +77,7 @@ profile apport-gtk @{exec_path} { /var/log/installer/media-info r, @{run}/snapd.socket rw, - owner @{run}/user/.mutter-Xwaylandauth.* rw, + owner @{run}/user/.mutter-Xwaylandauth.@{rand6} rw, /tmp/[a-z0-9]* rw, /tmp/apport_core_* rw, diff --git a/apparmor.d/groups/ubuntu/subiquity-console-conf b/apparmor.d/groups/ubuntu/subiquity-console-conf index c16a4171..54a056db 100644 --- a/apparmor.d/groups/ubuntu/subiquity-console-conf +++ b/apparmor.d/groups/ubuntu/subiquity-console-conf 
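Review bot: The added `ptrace (read) peer=unconfined,`, `@{PROC}/1/environ r,` and `@{PROC}/@{pids}/cgroup r,` in systemd-user-generators-autostart let a user generator read PID 1's environment and every process's cgroup placement, and nothing in the hunk or the commit message says why; the ptrace grant applies to every unconfined peer, not only PID 1. A rationale comment above the ptrace rule, e.g. `# Reading @{PROC}/1/environ requires ptrace read on PID 1, which is unconfined`, lets a later reviewer judge whether the grant can be narrowed. If the generator only needs its own cgroup, `owner @{PROC}/@{pid}/cgroup r,` is the tighter form for the last rule.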
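Review bot: The new apport-gtk rule `owner @{run}/user/.mutter-Xwaylandauth.@{rand6} rw,` lacks the `@{uid}/` path component that every other `.mutter-Xwaylandauth` rule in this patch uses (mullvad-gui, mono-sgen, pinentry-gtk-2), so it matches a file directly under `@{run}/user/` while the real cookie under the user's runtime directory stays unmatched. The path pre-dates this commit, but the tunable swap is the natural place to fix it: `owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} rw,`. The sibling profiles grant only `r` on that file, so it is also worth checking whether apport-gtk really needs `w`.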
@@ -102,10 +102,10 @@ profile subiquity-console-conf @{exec_path} { @{run}/log/ rw, /{run,var}/log/journal/ rw, - /{run,var}/log/journal/@{hex}/ rw, - /{run,var}/log/journal/@{hex}/system.journal* rw, - /{run,var}/log/journal/@{hex}/system@@{hex}.journal* rw, - /{run,var}/log/journal/@{hex}/user-@{hex}.journal* rw, + /{run,var}/log/journal/@{md5}/ rw, + /{run,var}/log/journal/@{md5}/system.journal* rw, + /{run,var}/log/journal/@{md5}/system@@{hex}.journal* rw, + /{run,var}/log/journal/@{md5}/user-@{hex}.journal* rw, owner @{PROC}/@{pid}/stat r, @@ -115,4 +115,4 @@ profile subiquity-console-conf @{exec_path} { } include if exists -} \ No newline at end of file +} diff --git a/apparmor.d/groups/ubuntu/update-notifier b/apparmor.d/groups/ubuntu/update-notifier index 8827c23e..39d97c16 100644 --- a/apparmor.d/groups/ubuntu/update-notifier +++ b/apparmor.d/groups/ubuntu/update-notifier @@ -72,7 +72,7 @@ profile update-notifier @{exec_path} { owner @{run}/user/@{uid}/bus rw, owner @{run}/user/@{uid}/update-notifier.pid rwk, - owner /tmp/#[0-9]* rw, + owner /tmp/#@{int} rw, owner @{PROC}/@{pid}/fd/ r, @{PROC}/@{pids}/mountinfo r, diff --git a/apparmor.d/profiles-a-f/aa-log b/apparmor.d/profiles-a-f/aa-log index 33ee9823..9a2323ac 100644 --- a/apparmor.d/profiles-a-f/aa-log +++ b/apparmor.d/profiles-a-f/aa-log @@ -26,7 +26,7 @@ profile aa-log @{exec_path} { /var/log/syslog* r, /{run,var}/log/journal/ r, - /{run,var}/log/journal/@{hex}/{,*} r, + /{run,var}/log/journal/@{md5}/{,*} r, @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, @@ -36,4 +36,4 @@ profile aa-log @{exec_path} { /dev/tty[0-9]* rw, include if exists -} \ No newline at end of file +} diff --git a/apparmor.d/profiles-a-f/anki b/apparmor.d/profiles-a-f/anki index 32b08503..ebb3c954 100644 --- a/apparmor.d/profiles-a-f/anki +++ b/apparmor.d/profiles-a-f/anki 
@@ -54,10 +54,10 @@ profile anki @{exec_path} { owner @{HOME}/ r, owner @{user_cache_dirs}/ rw, owner @{user_cache_dirs}/qtshadercache/ rw, - owner @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9] rw, - owner @{user_cache_dirs}/qtshadercache/@{hex} rwl -> @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9], - owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9] rw, - owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/@{hex} rwl -> @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9], + owner @{user_cache_dirs}/qtshadercache/#@{int} rw, + owner @{user_cache_dirs}/qtshadercache/@{hex} rwl -> @{user_cache_dirs}/qtshadercache/#@{int}, + owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/#@{int} rw, + owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/@{hex} rwl -> @{user_cache_dirs}/qtshadercache-*-little_endian-*/#@{int}, /usr/share/anki/{,**} r, @@ -81,9 +81,9 @@ profile anki @{exec_path} { owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw, # If one is blocked, the others are probed. - deny owner @{HOME}/#[0-9]*[0-9] mrw, + deny owner @{HOME}/#@{int} mrw, owner @{HOME}/.glvnd* mrw, - # owner /tmp/#[0-9]*[0-9] mrw, + # owner /tmp/#@{int} mrw, # owner /tmp/.glvnd* mrw, # The /proc/ dir is needed to avoid the following error: @@ -118,7 +118,7 @@ profile anki @{exec_path} { owner /tmp/mozilla_*/*.apkg r, owner /dev/shm/.org.chromium.Chromium.* rw, - /dev/shm/#[0-9]*[0-9] rw, + /dev/shm/#@{int} rw, @{sys}/devices/pci[0-9]*/**/irq r, @{sys}/devices/pci[0-9]*/**/{vendor,device} r, diff --git a/apparmor.d/profiles-a-f/birdtray b/apparmor.d/profiles-a-f/birdtray index 03d62c22..d2494028 100644 --- a/apparmor.d/profiles-a-f/birdtray +++ b/apparmor.d/profiles-a-f/birdtray 
@@ -37,8 +37,8 @@ profile birdtray @{exec_path} { owner @{user_config_dirs}/ulduzsoft/ rw, owner @{user_config_dirs}/ulduzsoft/* rwkl -> /home/morfik/.config/ulduzsoft/*, - owner @{user_config_dirs}/birdtray-config.json rwl -> @{user_config_dirs}/#[0-9]*[0-9], - owner @{user_config_dirs}/birdtray-config.json.* rwl -> @{user_config_dirs}/#[0-9]*[0-9], + owner @{user_config_dirs}/birdtray-config.json rwl -> @{user_config_dirs}/#@{int}, + owner @{user_config_dirs}/birdtray-config.json.* rwl -> @{user_config_dirs}/#@{int}, owner /tmp/birdtray.ulduzsoft.single.instance.server.socket w, @@ -56,7 +56,7 @@ profile birdtray @{exec_path} { /usr/share/hwdata/pnp.ids r, - /dev/shm/#[0-9]*[0-9] rw, + /dev/shm/#@{int} rw, deny @{PROC}/sys/kernel/random/boot_id r, deny owner @{PROC}/@{pid}/cmdline r, diff --git a/apparmor.d/profiles-a-f/blkid b/apparmor.d/profiles-a-f/blkid index d593c4c5..fe57ea88 100644 --- a/apparmor.d/profiles-a-f/blkid +++ b/apparmor.d/profiles-a-f/blkid @@ -20,7 +20,7 @@ profile blkid @{exec_path} { /etc/blkid.conf r, # When the system doesn't have the /run/ dir, the cache file is placed under /etc/ - @{etc_rw}/blkid.tab{,-*} rw, + @{etc_rw}/blkid.tab{,-@{rand6}} rw, @{etc_rw}/blkid.tab.old rwl -> /etc/blkid.tab, # Image files @@ -29,7 +29,7 @@ profile blkid @{exec_path} { # The standard location of the cache file # Without owner here if this tool should be used as a regular user @{run}/blkid/ rw, - @{run}/blkid/blkid.tab{,-*} rw, + @{run}/blkid/blkid.tab{,-@{rand6}} rw, @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab, # For the EVALUATE=scan method diff --git a/apparmor.d/profiles-a-f/btrfs b/apparmor.d/profiles-a-f/btrfs index a4d04389..bb7c5382 100644 --- a/apparmor.d/profiles-a-f/btrfs +++ b/apparmor.d/profiles-a-f/btrfs 
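Review bot: The context line `owner @{user_config_dirs}/ulduzsoft/* rwkl -> /home/morfik/.config/ulduzsoft/*,` carries a hard-coded link target for one developer's home directory, so on any other account the link permission never matches while the source side still uses the tunable. The target should mirror the source, `owner @{user_config_dirs}/ulduzsoft/* rwkl -> @{user_config_dirs}/ulduzsoft/*,`, which is the shape the two rewritten `birdtray-config.json` lines below it already have. The rule is unchanged by this commit, but it is the same class of cleanup the commit performs.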
@@ -39,7 +39,7 @@ profile btrfs @{exec_path} { # For fsck of the btrfs filesystem directly from gparted owner /tmp/gparted-*/ rw, - @{run}/blkid/blkid.tab{,-*} rw, + @{run}/blkid/blkid.tab{,-@{rand6}} rw, @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab, @{sys}/fs/btrfs/@{uuid}/devinfo/[0-9]*/fsid r, diff --git a/apparmor.d/profiles-a-f/btrfstune b/apparmor.d/profiles-a-f/btrfstune index bc76fc51..82faba87 100644 --- a/apparmor.d/profiles-a-f/btrfstune +++ b/apparmor.d/profiles-a-f/btrfstune @@ -16,7 +16,7 @@ profile btrfstune @{exec_path} { @{PROC}/partitions r, owner @{PROC}/@{pid}/mounts r, - owner @{run}/blkid/blkid.tab{,-*} rw, + owner @{run}/blkid/blkid.tab{,-@{rand6}} rw, owner @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab, include if exists diff --git a/apparmor.d/profiles-a-f/cfdisk b/apparmor.d/profiles-a-f/cfdisk index f88a9fba..706e5eda 100644 --- a/apparmor.d/profiles-a-f/cfdisk +++ b/apparmor.d/profiles-a-f/cfdisk @@ -25,7 +25,7 @@ profile cfdisk @{exec_path} { # A place for file images owner @{user_img_dirs}/{,**} rwk, - owner @{run}/blkid/blkid.tab{,-*} rw, + owner @{run}/blkid/blkid.tab{,-@{rand6}} rw, owner @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab, @{PROC}/partitions r, diff --git a/apparmor.d/profiles-a-f/conky b/apparmor.d/profiles-a-f/conky index 4fbaba97..9ea58f41 100644 --- a/apparmor.d/profiles-a-f/conky +++ b/apparmor.d/profiles-a-f/conky @@ -124,7 +124,7 @@ profile conky @{exec_path} { # Xserver auth cookie for clients owner @{HOME}/.Xauthority r, - /dev/shm/#[0-9]*[0-9] rw, + /dev/shm/#@{int} rw, # Temperatures and Fans @{bin}/sensors rPUx, diff --git a/apparmor.d/profiles-a-f/cupsd b/apparmor.d/profiles-a-f/cupsd index 35525396..4c8021d5 100644 --- a/apparmor.d/profiles-a-f/cupsd +++ b/apparmor.d/profiles-a-f/cupsd 
@@ -93,7 +93,7 @@ profile cupsd @{exec_path} flags=(attach_disconnected) { @{sys}/module/apparmor/parameters/enabled r, - @{PROC}/@{pids}/fd r, + @{PROC}/@{pids}/fd/ r, owner @{PROC}/@{pid}/mounts r, owner /tmp/*_latest_print_info w, diff --git a/apparmor.d/profiles-a-f/dumpe2fs b/apparmor.d/profiles-a-f/dumpe2fs index eac046ed..ab4b42d1 100644 --- a/apparmor.d/profiles-a-f/dumpe2fs +++ b/apparmor.d/profiles-a-f/dumpe2fs @@ -18,7 +18,7 @@ profile dumpe2fs @{exec_path} { # Image files owner @{user_img_dirs}/{,**} r, - owner @{run}/blkid/blkid.tab{,-*} rw, + owner @{run}/blkid/blkid.tab{,-@{rand6}} rw, owner @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab, /dev/tty[0-9]* rw, diff --git a/apparmor.d/profiles-a-f/e2fsck b/apparmor.d/profiles-a-f/e2fsck index 9fa61cf7..8d3e4b23 100644 --- a/apparmor.d/profiles-a-f/e2fsck +++ b/apparmor.d/profiles-a-f/e2fsck @@ -30,7 +30,7 @@ profile e2fsck @{exec_path} { @{run}/blkid/ rw, @{run}/systemd/fsck.progress rw, owner @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab, - owner @{run}/blkid/blkid.tab{,-*} rw, + owner @{run}/blkid/blkid.tab{,-@{rand6}} rw, @{sys}/devices/**/power_supply/AC/online r, diff --git a/apparmor.d/profiles-a-f/engrampa b/apparmor.d/profiles-a-f/engrampa index 9662ff32..43d3c185 100644 --- a/apparmor.d/profiles-a-f/engrampa +++ b/apparmor.d/profiles-a-f/engrampa @@ -118,7 +118,7 @@ profile engrampa @{exec_path} { owner @{user_config_dirs}/ r, owner @{user_config_dirs}/engrampa/ rw, - owner @{user_config_dirs}/mimeapps.list{,.*} rw, + owner @{user_config_dirs}/mimeapps.list{,.@{rand6}} rw, owner @{user_share_dirs}/ r, diff --git a/apparmor.d/profiles-a-f/exim4 b/apparmor.d/profiles-a-f/exim4 index b85920b0..764c871c 100644 --- a/apparmor.d/profiles-a-f/exim4 +++ b/apparmor.d/profiles-a-f/exim4 
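Review bot: The corrected cupsd rule `@{PROC}/@{pids}/fd/ r,` lists the open file descriptors of every process on the system, not just cupsd's own, and the hunk gives no reason for that breadth. If the daemon only enumerates its own descriptors, `owner @{PROC}/@{pid}/fd/ r,`, the same shape as the `owner @{PROC}/@{pid}/mounts r,` rule right below it, is the narrower grant; if it genuinely needs other processes' fd tables, a comment such as `# <reason cupsd needs other processes' fd listings>` keeps the wide rule from being tightened by mistake later. The cupsd profile body continues outside the hunk.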
@@ -71,7 +71,7 @@ profile exim4 @{exec_path} { owner @{run}/dbus/system_bus_socket rw, # file_inherit - /tmp/#[0-9]*[0-9] rw, + /tmp/#@{int} rw, /var/lib/dpkg/status r, /var/log/cron-apt/lastfullmessage r, diff --git a/apparmor.d/profiles-a-f/exo-helper b/apparmor.d/profiles-a-f/exo-helper index 5953d17f..fcf7d795 100644 --- a/apparmor.d/profiles-a-f/exo-helper +++ b/apparmor.d/profiles-a-f/exo-helper @@ -36,7 +36,7 @@ profile exo-helper @{exec_path} { owner @{user_share_dirs}/xfce4/helpers/*.desktop rw, owner @{user_share_dirs}/xfce4/helpers/*.desktop.@{pid}.tmp rw, - owner @{user_config_dirs}/mimeapps.list{,.*} rw, + owner @{user_config_dirs}/mimeapps.list{,.@{rand6}} rw, # Some missing icons /usr/share/**.png r, diff --git a/apparmor.d/profiles-a-f/flatpak-system-helper b/apparmor.d/profiles-a-f/flatpak-system-helper index 3d342ce9..87cd64a0 100644 --- a/apparmor.d/profiles-a-f/flatpak-system-helper +++ b/apparmor.d/profiles-a-f/flatpak-system-helper @@ -41,7 +41,7 @@ profile flatpak-system-helper @{exec_path} { /var/lib/flatpak/{,**} rwkl, /var/tmp/flatpak-cache-*/{,**} rw, - owner /{var/,}tmp/#[0-9]* rw, + owner /{var/,}tmp/#@{int} rw, owner /{var/,}tmp/ostree-gpg-*/ rw, owner /tmp/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**, @@ -66,4 +66,4 @@ profile flatpak-system-helper @{exec_path} { } include if exists -} \ No newline at end of file +} diff --git a/apparmor.d/profiles-a-f/fsck b/apparmor.d/profiles-a-f/fsck index 534a1abc..4d5f07a5 100644 --- a/apparmor.d/profiles-a-f/fsck +++ b/apparmor.d/profiles-a-f/fsck @@ -30,7 +30,7 @@ profile fsck @{exec_path} { owner @{run}/fsck/ rw, owner @{run}/fsck/*.lock rwk, - owner @{run}/blkid/blkid.tab{,-*} rw, + owner @{run}/blkid/blkid.tab{,-@{rand6}} rw, owner @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab, @{run}/mount/utab r, @{run}/systemd/fsck.progress rw, diff --git a/apparmor.d/profiles-a-f/fwupd b/apparmor.d/profiles-a-f/fwupd index ad10044b..302e13a3 100644 --- a/apparmor.d/profiles-a-f/fwupd 
+++ b/apparmor.d/profiles-a-f/fwupd @@ -102,7 +102,7 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) { /var/tmp/etilqs_@{hex} rw, /boot/{,**} r, - /boot/EFI/*/.goutputstream-* rw, + /boot/EFI/*/.goutputstream-@{rand6} rw, /boot/EFI/*/fw/fwupd-*.cap{,.*} rw, /boot/EFI/*/fwupdx[0-9]*.efi rw, @{lib}/fwupd/efi/fwupdx[0-9]*.efi r, diff --git a/apparmor.d/profiles-g-l/gajim b/apparmor.d/profiles-g-l/gajim index 971c6ca6..77741338 100644 --- a/apparmor.d/profiles-g-l/gajim +++ b/apparmor.d/profiles-g-l/gajim @@ -73,7 +73,7 @@ profile gajim @{exec_path} { owner @{user_cache_dirs}/gajim/** rwk, owner @{user_cache_dirs}/farstream/ rw, - owner @{user_cache_dirs}/farstream/codecs.audio.x86_64.cache{,.tmp*} rw, + owner @{user_cache_dirs}/farstream/codecs.audio.x86_64.cache{,.tmp@{rand6}} rw, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/profiles-g-l/glib-pacrunner b/apparmor.d/profiles-g-l/glib-pacrunner index 9dcd5d97..097e756d 100644 --- a/apparmor.d/profiles-g-l/glib-pacrunner +++ b/apparmor.d/profiles-g-l/glib-pacrunner @@ -9,6 +9,8 @@ include @{exec_path} = @{lib}/glib-pacrunner profile glib-pacrunner @{exec_path} { include + include + include include network inet dgram, diff --git a/apparmor.d/profiles-g-l/gsettings b/apparmor.d/profiles-g-l/gsettings index 78174cc2..fba7f30c 100644 --- a/apparmor.d/profiles-g-l/gsettings +++ b/apparmor.d/profiles-g-l/gsettings @@ -11,7 +11,7 @@ profile gsettings @{exec_path} { include include - unix (connect, receive, send) type=stream peer=(addr="@/tmp/dbus-*"), + unix (connect, receive, send) type=stream peer=(addr="@/tmp/dbus-????????"), @{exec_path} mr, @@ -27,4 +27,4 @@ profile gsettings @{exec_path} { owner @{run}/user/@{uid}/bus rw, include if exists -} \ No newline at end of file +} diff --git a/apparmor.d/profiles-g-l/hardinfo b/apparmor.d/profiles-g-l/hardinfo index 360eb1ad..adc91951 100644 --- a/apparmor.d/profiles-g-l/hardinfo +++ b/apparmor.d/profiles-g-l/hardinfo 
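Review bot: The rewritten gsettings peer address `addr="@/tmp/dbus-????????"` pins the abstract session-bus socket name to exactly 8 random characters in place of the open-ended `@/tmp/dbus-*`; if dbus-daemon generates a suffix of a different length (as far as I recall its abstract session address uses 10 random ASCII characters), the `unix` rule silently stops matching and gsettings loses its bus connection. Before merging, compare against a live session (`DBUS_SESSION_BUS_ADDRESS` shows the real name) and either use the correct count or keep `*`. The commit otherwise introduces `@{rand6}`, so a fixed-width literal here is a deliberate exception that deserves a one-line comment.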
@@ -109,7 +109,7 @@ profile hardinfo @{exec_path} { owner @{HOME}/.hardinfo/ rw, - owner /tmp/#[0-9]*[0-9] rw, + owner /tmp/#@{int} rw, # Allowed apps to open @{lib}/firefox/firefox rPUx, diff --git a/apparmor.d/profiles-g-l/hw-probe b/apparmor.d/profiles-g-l/hw-probe index b908e8a5..b5230110 100644 --- a/apparmor.d/profiles-g-l/hw-probe +++ b/apparmor.d/profiles-g-l/hw-probe @@ -132,10 +132,10 @@ profile hw-probe @{exec_path} { @{run}/log/ rw, /{run,var}/log/journal/ rw, - /{run,var}/log/journal/@{hex}/ rw, - /{run,var}/log/journal/@{hex}/user-@{hex}.journal* rw, - /{run,var}/log/journal/@{hex}/system.journal* rw, - /{run,var}/log/journal/@{hex}/system@@{hex}.journal* rw, + /{run,var}/log/journal/@{md5}/ rw, + /{run,var}/log/journal/@{md5}/user-@{hex}.journal* rw, + /{run,var}/log/journal/@{md5}/system.journal* rw, + /{run,var}/log/journal/@{md5}/system@@{hex}.journal* rw, owner @{PROC}/@{pid}/stat r, diff --git a/apparmor.d/profiles-g-l/ioping b/apparmor.d/profiles-g-l/ioping index 112046b4..4c6367f9 100644 --- a/apparmor.d/profiles-g-l/ioping +++ b/apparmor.d/profiles-g-l/ioping @@ -23,9 +23,9 @@ profile ioping @{exec_path} { # case of files, this write operation can damage files, so we allow only to read the files. When # pinging dirs, a file similar to "#1573619" is created in that dir, so it's allowed as well. / rw, - /#[0-9]*[0-9] rw, + /#@{int} rw, /**/ rw, - /**/#[0-9]*[0-9] rw, + /**/#@{int} rw, # Allow pinging files, but without write operation. Like in the case of dirs, when pinging dirs # there's also created the file similar to "#1573619" . diff --git a/apparmor.d/profiles-g-l/jmtpfs b/apparmor.d/profiles-g-l/jmtpfs index 3de4f8ea..2b52492f 100644 --- a/apparmor.d/profiles-g-l/jmtpfs +++ b/apparmor.d/profiles-g-l/jmtpfs @@ -18,7 +18,7 @@ profile jmtpfs @{exec_path} { @{bin}/fusermount{,3} rCx -> fusermount, owner /tmp/tmp* rw, - owner /tmp/#[0-9]* rw, + owner /tmp/#@{int} rw, # Mount points owner @{HOME}/*/ r, 
diff --git a/apparmor.d/profiles-g-l/kanyremote b/apparmor.d/profiles-g-l/kanyremote index 1e73b4a4..9a083c81 100644 --- a/apparmor.d/profiles-g-l/kanyremote +++ b/apparmor.d/profiles-g-l/kanyremote @@ -67,7 +67,7 @@ profile kanyremote @{exec_path} { deny owner @{PROC}/@{pid}/cmdline r, deny @{PROC}/sys/kernel/random/boot_id r, - /dev/shm/#[0-9]*[0-9] rw, + /dev/shm/#@{int} rw, /usr/share/hwdata/pnp.ids r, diff --git a/apparmor.d/profiles-g-l/keepassxc b/apparmor.d/profiles-g-l/keepassxc index 09667bf1..3d237cd9 100644 --- a/apparmor.d/profiles-g-l/keepassxc +++ b/apparmor.d/profiles-g-l/keepassxc @@ -65,18 +65,18 @@ profile keepassxc @{exec_path} { # Database locations owner @{user_cache_dirs}/keepassxc/ rw, - owner @{user_cache_dirs}/keepassxc/* rwkl -> @{user_cache_dirs}/keepassxc/#[0-9]*[0-9], + owner @{user_cache_dirs}/keepassxc/* rwkl -> @{user_cache_dirs}/keepassxc/#@{int}, owner @{user_config_dirs}/keepassxc/ rw, - owner @{user_config_dirs}/keepassxc/* rwkl -> @{user_config_dirs}/keepassxc/#[0-9]*[0-9], + owner @{user_config_dirs}/keepassxc/* rwkl -> @{user_config_dirs}/keepassxc/#@{int}, owner @{user_password_store_dirs}/ r, owner @{user_password_store_dirs}/*.csv rw, - owner @{user_password_store_dirs}/*.kdbx* rwl -> @{KP_DB}/#[0-9]*[0-9], - owner @{user_password_store_dirs}/#[0-9]*[0-9] rw, + owner @{user_password_store_dirs}/*.kdbx* rwl -> @{KP_DB}/#@{int}, + owner @{user_password_store_dirs}/#@{int} rw, owner /tmp/.[a-zA-Z]*/{,s} rw, - owner /tmp/*.*.gpgkey rwl -> /tmp/#[0-9]*[0-9], - owner /tmp/*.*.settings rwl -> /tmp/#[0-9]*[0-9], - owner /tmp/#[0-9]*[0-9] rw, + owner /tmp/*.*.gpgkey rwl -> /tmp/#@{int}, + owner /tmp/*.*.settings rwl -> /tmp/#@{int}, + owner /tmp/#@{int} rw, owner /tmp/keepassxc-*.lock{,.rmlock} rwk, owner /tmp/keepassxc-*.socket rw, owner /tmp/keepassxc.lock rw, 
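Review bot: The rewritten keepassxc link rule `owner @{user_password_store_dirs}/*.kdbx* rwl -> @{KP_DB}/#@{int},` uses `@{KP_DB}` for the target while the source path and the rule after it use `@{user_password_store_dirs}`; unless `@{KP_DB}` is defined to the same value elsewhere in the profile, the link target never matches and the rule degrades to plain `rw`. `owner @{user_password_store_dirs}/*.kdbx* rwl -> @{user_password_store_dirs}/#@{int},` removes the dependency on a second variable, which is the pattern the adjacent cache and config link rules already follow. The profile header is outside this hunk, so I cannot see whether `@{KP_DB}` is still declared.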
@@ -97,7 +97,7 @@ profile keepassxc @{exec_path} { owner @{run}/user/@{uid}/org.keepassxc.KeePassXC.BrowserServer w, owner @{run}/user/@{uid}/org.keepassxc.KeePassXC/ w, - /dev/shm/#[0-9]*[0-9] rw, + /dev/shm/#@{int} rw, /dev/tty rw, /dev/urandom rw, owner /dev/tty[0-9]* rw, diff --git a/apparmor.d/profiles-g-l/labwc b/apparmor.d/profiles-g-l/labwc index 8c62faac..3e399fdf 100644 --- a/apparmor.d/profiles-g-l/labwc +++ b/apparmor.d/profiles-g-l/labwc @@ -58,7 +58,7 @@ profile labwc @{exec_path} flags=(attach_disconnected) { @{run}/systemd/sessions/* r, @{run}/systemd/seats/seat[0-9]* r, - @{run}/user/@{uid}/wayland-[0-9].lock k, + @{run}/user/@{uid}/wayland-@{int}.lock k, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/profiles-m-r/megasync b/apparmor.d/profiles-m-r/megasync index f946bddc..e00f278b 100644 --- a/apparmor.d/profiles-m-r/megasync +++ b/apparmor.d/profiles-m-r/megasync @@ -44,7 +44,7 @@ profile megasync @{exec_path} { # Megasync home files owner @{HOME}/ r, owner "@{user_share_dirs}/data/Mega Limited/" rw, - owner "@{user_share_dirs}/data/Mega Limited/**" rwkl -> "@{user_share_dirs}/data/Mega Limited/MEGAsync/#[0-9]*[0-9]", + owner "@{user_share_dirs}/data/Mega Limited/**" rwkl -> "@{user_share_dirs}/data/Mega Limited/MEGAsync/#@{int}", # To configure Qt5 settings (theme, font, icons, etc.) under DE/WM without Qt integration owner @{user_config_dirs}/qt5ct/{,**} r, @@ -65,10 +65,10 @@ profile megasync @{exec_path} { /etc/fstab r, # Autostart - owner @{user_config_dirs}/autostart/#[0-9]*[0-9] rw, - owner @{user_config_dirs}/autostart/megasync.desktop rwl -> @{user_config_dirs}/autostart/#[0-9]*[0-9], + owner @{user_config_dirs}/autostart/#@{int} rw, + owner @{user_config_dirs}/autostart/megasync.desktop rwl -> @{user_config_dirs}/autostart/#@{int}, - /dev/shm/#[0-9]*[0-9] rw, + /dev/shm/#@{int} rw, /etc/machine-id r, /var/lib/dbus/machine-id r, 
diff --git a/apparmor.d/profiles-m-r/minitube b/apparmor.d/profiles-m-r/minitube index e1eba50a..0e290fd3 100644 --- a/apparmor.d/profiles-m-r/minitube +++ b/apparmor.d/profiles-m-r/minitube @@ -35,7 +35,7 @@ profile minitube @{exec_path} { # Minitube home files owner "@{user_config_dirs}/Flavio Tordini/" rw, - owner "@{user_config_dirs}/Flavio Tordini/*" rwkl -> "@{user_config_dirs}/Flavio Tordini/#[0-9]*[0-9]", + owner "@{user_config_dirs}/Flavio Tordini/*" rwkl -> "@{user_config_dirs}/Flavio Tordini/#@{int}", owner "@{user_share_dirs}/Flavio Tordini/" rw, owner "@{user_share_dirs}/Flavio Tordini/Minitube/" rw, owner "@{user_share_dirs}/Flavio Tordini/Minitube/*" rwk, @@ -47,9 +47,9 @@ profile minitube @{exec_path} { /usr/share/minitube/{,**} r, # If one is blocked, the others are probed. - deny owner @{HOME}/#[0-9]*[0-9] mrw, + deny owner @{HOME}/#@{int} mrw, owner @{HOME}/.glvnd* mrw, - # owner /tmp/#[0-9]*[0-9] mrw, + # owner /tmp/#@{int} mrw, # owner /tmp/.glvnd* mrw, # Cache 
@@ -59,17 +59,17 @@ profile minitube @{exec_path} { owner "@{user_cache_dirs}/Flavio Tordini/Minitube/**" rwl -> "@{user_cache_dirs}/Flavio Tordini/Minitube/**", owner @{user_cache_dirs}/qtshadercache/ rw, - owner @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9] rw, - owner @{user_cache_dirs}/qtshadercache/@{hex} rwl -> @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9], - owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9] rw, - owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/@{hex} rwl -> @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9], + owner @{user_cache_dirs}/qtshadercache/#@{int} rw, + owner @{user_cache_dirs}/qtshadercache/@{hex} rwl -> @{user_cache_dirs}/qtshadercache/#@{int}, + owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/#@{int} rw, + owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/@{hex} rwl -> @{user_cache_dirs}/qtshadercache-*-little_endian-*/#@{int}, # To configure Qt5 settings (theme, font, icons, etc.) under DE/WM without Qt integration owner @{user_config_dirs}/qt5ct/{,**} r, /usr/share/qt5ct/** r, deny /dev/ r, - /dev/shm/#[0-9]*[0-9] rw, + /dev/shm/#@{int} rw, /etc/vdpau_wrapper.cfg r, diff --git a/apparmor.d/profiles-m-r/mke2fs b/apparmor.d/profiles-m-r/mke2fs index a309e839..4205ee3e 100644 --- a/apparmor.d/profiles-m-r/mke2fs +++ b/apparmor.d/profiles-m-r/mke2fs @@ -31,7 +31,7 @@ profile mke2fs @{exec_path} { # For virt-resize owner /var/tmp/.guestfs-[0-9]*/** rwk, - owner @{run}/blkid/blkid.tab{,-*} rw, + owner @{run}/blkid/blkid.tab{,-@{rand6}} rw, owner @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab, @{PROC}/swaps r, diff --git a/apparmor.d/profiles-m-r/mkvtoolnix-gui b/apparmor.d/profiles-m-r/mkvtoolnix-gui index 9d4abdbf..51d71c50 100644 --- a/apparmor.d/profiles-m-r/mkvtoolnix-gui +++ b/apparmor.d/profiles-m-r/mkvtoolnix-gui 
@@ -43,7 +43,7 @@ profile mkvtoolnix-gui @{exec_path} { owner @{user_config_dirs}/bunkus.org/ rw, owner @{user_config_dirs}/bunkus.org/mkvtoolnix-gui/ rw, - owner @{user_config_dirs}/bunkus.org/mkvtoolnix-gui/** rwkl -> @{user_config_dirs}/bunkus.org/mkvtoolnix-gui/#[0-9]*[0-9], + owner @{user_config_dirs}/bunkus.org/mkvtoolnix-gui/** rwkl -> @{user_config_dirs}/bunkus.org/mkvtoolnix-gui/#@{int}, owner @{user_cache_dirs}/ rw, owner @{user_cache_dirs}/bunkus.org/ rw, @@ -53,12 +53,12 @@ profile mkvtoolnix-gui @{exec_path} { owner @{user_config_dirs}/qt5ct/{,**} r, - owner /tmp/#[0-9]*[0-9] rw, - owner /tmp/MKVToolNix-GUI-MuxConfig-* rwl -> /tmp/#[0-9]*[0-9], - owner /tmp/MKVToolNix-process-*.json rwl -> /tmp/#[0-9]*[0-9], - owner /tmp/MKVToolNix-GUI-MuxJob-*.json rwl -> /tmp/#[0-9]*[0-9], + owner /tmp/#@{int} rw, + owner /tmp/MKVToolNix-GUI-MuxConfig-* rwl -> /tmp/#@{int}, + owner /tmp/MKVToolNix-process-*.json rwl -> /tmp/#@{int}, + owner /tmp/MKVToolNix-GUI-MuxJob-*.json rwl -> /tmp/#@{int}, owner /tmp/MKVToolNix-GUI-Instance-Communicator-* rw, - owner /dev/shm/#[0-9]*[0-9] rw, + owner /dev/shm/#@{int} rw, deny owner @{PROC}/@{pid}/cmdline r, deny @{PROC}/sys/kernel/random/boot_id r, diff --git a/apparmor.d/profiles-m-r/mono-sgen b/apparmor.d/profiles-m-r/mono-sgen index 3001cd54..a48b7259 100644 --- a/apparmor.d/profiles-m-r/mono-sgen +++ b/apparmor.d/profiles-m-r/mono-sgen @@ -37,7 +37,7 @@ profile mono-sgen @{exec_path} { owner @{user_config_dirs}/openra/{,**} rw, owner @{user_config_dirs}/.mono/{,**} r, - owner @{run}/user/@{uid}/.mutter-Xwaylandauth.* rw, + owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} rw, owner /tmp/*.* rw, owner /tmp/CASESENSITIVETEST* rw, @@ -52,4 +52,4 @@ profile mono-sgen @{exec_path} { owner @{PROC}/@{pid}/fd/ r, include if exists -} \ No newline at end of file +} diff --git a/apparmor.d/profiles-m-r/mumble b/apparmor.d/profiles-m-r/mumble index d27821f6..b417b073 100644 --- a/apparmor.d/profiles-m-r/mumble 
+++ b/apparmor.d/profiles-m-r/mumble @@ -40,7 +40,7 @@ profile mumble @{exec_path} { # Mumble home files owner @{HOME}/ r, owner @{user_config_dirs}/Mumble/ rw, - owner @{user_config_dirs}/Mumble/** rwkl -> @{user_config_dirs}/Mumble/#[0-9]*[0-9], + owner @{user_config_dirs}/Mumble/** rwkl -> @{user_config_dirs}/Mumble/#@{int}, owner @{user_share_dirs}/Mumble/ rw, owner @{user_share_dirs}/Mumble/** rwk, owner @{HOME}/.MumbleOverlayPipe rw, @@ -51,8 +51,8 @@ profile mumble @{exec_path} { /etc/machine-id r, /var/lib/dbus/machine-id r, - /dev/shm/MumbleLink.[0-9]*[0-9] rw, - /dev/shm/#[0-9]*[0-9] rw, + /dev/shm/MumbleLink.@{int} rw, + /dev/shm/#@{int} rw, owner @{run}/user/@{uid}/MumbleSocket rw, owner @{run}/user/@{uid}/MumbleOverlayPipe rw, diff --git a/apparmor.d/profiles-m-r/obexd b/apparmor.d/profiles-m-r/obexd index fdbd0e7e..242115a2 100644 --- a/apparmor.d/profiles-m-r/obexd +++ b/apparmor.d/profiles-m-r/obexd @@ -9,6 +9,8 @@ include @{exec_path} = @{lib}/bluetooth/obexd profile obexd @{exec_path} { include + include + include include network bluetooth stream, diff --git a/apparmor.d/profiles-m-r/packagekitd b/apparmor.d/profiles-m-r/packagekitd index 66c8fd0b..7e4ddb1c 100644 --- a/apparmor.d/profiles-m-r/packagekitd +++ b/apparmor.d/profiles-m-r/packagekitd @@ -175,4 +175,4 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) { } include if exists -} \ No newline at end of file +} diff --git a/apparmor.d/profiles-m-r/pam/mappings b/apparmor.d/profiles-m-r/pam/mappings index ee9eb17c..8f81c72a 100644 --- a/apparmor.d/profiles-m-r/pam/mappings +++ b/apparmor.d/profiles-m-r/pam/mappings @@ -20,7 +20,7 @@ capability setuid, /etc/default/su r, @{etc_ro}/environment r, - @{HOMEDIRS}/.xauth* w, + @{HOMEDIRS}/.xauth@{rand6} w, @{bin}/{,b,d,rb}ash Px -> default_user, @{bin}/{c,k,tc,z}sh Px -> default_user, } @@ -42,7 +42,7 @@ /etc/default/su r, @{etc_ro}/environment r, - @{HOMEDIRS}/.xauth* w, + @{HOMEDIRS}/.xauth@{rand6} w, } 
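Review bot: The new pam/mappings rule `@{HOMEDIRS}/.xauth@{rand6} w,` (repeated in the second hunk here and the third on the following line) places the temporary xauth file directly under `@{HOMEDIRS}`; in stock AppArmor tunables `@{HOMEDIRS}` is the parent of the home directories (`/home/`), so this would match `/home/.xauthXXXXXX` rather than the per-user `/home/<user>/.xauthXXXXXX` that pam_xauth creates with mkstemp. If this project keeps the stock definition, the rule wants `@{HOME}/.xauth@{rand6} w,` (or `@{HOMEDIRS}*/.xauth@{rand6} w,`); if `@{HOMEDIRS}` is redefined to the user's home here, a comment saying so would stop the next reader from "fixing" it. The profile these hunks belong to starts outside SOURCE.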
@@ -64,6 +64,6 @@ /etc/default/su r, @{etc_ro}/environment r, - @{HOMEDIRS}/.xauth* w, + @{HOMEDIRS}/.xauth@{rand6} w, } diff --git a/apparmor.d/profiles-m-r/pinentry-gtk-2 b/apparmor.d/profiles-m-r/pinentry-gtk-2 index 6218e9aa..89d189c0 100644 --- a/apparmor.d/profiles-m-r/pinentry-gtk-2 +++ b/apparmor.d/profiles-m-r/pinentry-gtk-2 @@ -18,7 +18,7 @@ profile pinentry-gtk-2 @{exec_path} { /usr/share/gtk-2.0/gtkrc r, - owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* r, + owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} r, include if exists } diff --git a/apparmor.d/profiles-m-r/pinentry-qt b/apparmor.d/profiles-m-r/pinentry-qt index 79e12aaa..2ee465d6 100644 --- a/apparmor.d/profiles-m-r/pinentry-qt +++ b/apparmor.d/profiles-m-r/pinentry-qt @@ -27,12 +27,12 @@ profile pinentry-qt @{exec_path} { owner @{user_config_dirs}/qt5ct/{,**} r, /usr/share/qt5ct/** r, - owner @{user_cache_dirs}/#[0-9]*[0-9] rw, + owner @{user_cache_dirs}/#@{int} rw, /var/lib/dbus/machine-id r, /etc/machine-id r, - /dev/shm/#[0-9]*[0-9] rw, + /dev/shm/#@{int} rw, /usr/share/hwdata/pnp.ids r, diff --git a/apparmor.d/profiles-m-r/plocate-build b/apparmor.d/profiles-m-r/plocate-build index b13c7704..6a6fbda6 100644 --- a/apparmor.d/profiles-m-r/plocate-build +++ b/apparmor.d/profiles-m-r/plocate-build @@ -14,8 +14,8 @@ profile plocate-build @{exec_path} { /var/lib/mlocate/mlocate.db r, - /var/lib/mlocate/#[0-9]* rw, - /var/lib/mlocate/plocate.db rwl -> /var/lib/mlocate/#[0-9]*, + /var/lib/mlocate/#@{int} rw, + /var/lib/mlocate/plocate.db rwl -> /var/lib/mlocate/#@{int}, include if exists } diff --git a/apparmor.d/profiles-m-r/popularity-contest b/apparmor.d/profiles-m-r/popularity-contest index e1671f2b..b47ae3b3 100644 --- a/apparmor.d/profiles-m-r/popularity-contest +++ b/apparmor.d/profiles-m-r/popularity-contest 
@@ -54,7 +54,7 @@ profile popularity-contest @{exec_path} { /var/lib/ r, # file_inherit - /tmp/#[0-9]*[0-9] rw, + /tmp/#@{int} rw, /var/log/popularity-contest.[0-9]* w, include if exists diff --git a/apparmor.d/profiles-m-r/psi b/apparmor.d/profiles-m-r/psi index c385bbb9..266d10d6 100644 --- a/apparmor.d/profiles-m-r/psi +++ b/apparmor.d/profiles-m-r/psi @@ -56,17 +56,17 @@ profile psi @{exec_path} { owner @{HOME}/ r, owner @{user_cache_dirs}/ rw, - owner @{user_cache_dirs}/#[0-9]*[0-9] rw, + owner @{user_cache_dirs}/#@{int} rw, owner @{user_cache_dirs}/psi/{,**} rw, owner @{user_config_dirs}/autostart/psi.desktop rw, owner @{user_config_dirs}/psi/ rw, - owner @{user_config_dirs}/psi/** rwkl -> @{user_config_dirs}/psi/#[0-9]*[0-9], + owner @{user_config_dirs}/psi/** rwkl -> @{user_config_dirs}/psi/#@{int}, owner @{user_config_dirs}/qt5ct/{,**} r, owner @{user_share_dirs}/psi/ rw, owner @{user_share_dirs}/psi/** rwk, - owner /tmp/#[0-9]*[0-9] rw, - owner /tmp/Psi.* rwl -> /tmp/#[0-9]*[0-9], + owner /tmp/#@{int} rw, + owner /tmp/Psi.* rwl -> /tmp/#@{int}, @{run}/systemd/inhibit/[0-9]*.ref rw, @@ -75,7 +75,7 @@ profile psi @{exec_path} { deny @{PROC}/sys/kernel/random/boot_id r, deny owner @{PROC}/@{pid}/cmdline r, - /dev/shm/#[0-9]*[0-9] rw, + /dev/shm/#@{int} rw, # file_inherit owner /dev/tty[0-9]* rw, diff --git a/apparmor.d/profiles-m-r/psi-plus b/apparmor.d/profiles-m-r/psi-plus index 6eac1722..57761905 100644 --- a/apparmor.d/profiles-m-r/psi-plus +++ b/apparmor.d/profiles-m-r/psi-plus 
@@ -54,17 +54,17 @@ profile psi-plus @{exec_path} { owner @{HOME}/ r, owner @{user_cache_dirs}/ rw, - owner @{user_cache_dirs}/#[0-9]*[0-9] rw, + owner @{user_cache_dirs}/#@{int} rw, owner @{user_cache_dirs}/psi+/{,**} rw, owner @{user_config_dirs}/autostart/psi-plus.desktop rw, owner @{user_config_dirs}/psi+/ rw, - owner @{user_config_dirs}/psi+/** rwkl -> @{user_config_dirs}/psi+/#[0-9]*[0-9], + owner @{user_config_dirs}/psi+/** rwkl -> @{user_config_dirs}/psi+/#@{int}, owner @{user_config_dirs}/qt5ct/{,**} r, owner @{user_share_dirs}/psi+/ rw, owner @{user_share_dirs}/psi+/** rwk, - owner /tmp/#[0-9]*[0-9] rw, - owner /tmp/Psi+.* rwl -> /tmp/#[0-9]*[0-9], + owner /tmp/#@{int} rw, + owner /tmp/Psi+.* rwl -> /tmp/#@{int}, owner /var/tmp/etilqs_@{hex} rw, @{run}/systemd/inhibit/[0-9]*.ref rw, @@ -74,7 +74,7 @@ profile psi-plus @{exec_path} { deny @{PROC}/sys/kernel/random/boot_id r, deny owner @{PROC}/@{pid}/cmdline r, - /dev/shm/#[0-9]*[0-9] rw, + /dev/shm/#@{int} rw, # file_inherit owner /dev/tty[0-9]* rw, diff --git a/apparmor.d/profiles-m-r/pwck b/apparmor.d/profiles-m-r/pwck index e5ca2f09..308d8689 100644 --- a/apparmor.d/profiles-m-r/pwck +++ b/apparmor.d/profiles-m-r/pwck @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/pwck profile pwck @{exec_path} { include + include include @{exec_path} mr, @@ -27,4 +28,4 @@ profile pwck @{exec_path} { /etc/machine-id r, include if exists -} \ No newline at end of file +} diff --git a/apparmor.d/profiles-m-r/qbittorrent b/apparmor.d/profiles-m-r/qbittorrent index 6a2829d0..0f4717aa 100644 --- a/apparmor.d/profiles-m-r/qbittorrent +++ b/apparmor.d/profiles-m-r/qbittorrent @@ -106,8 +106,6 @@ profile qbittorrent @{exec_path} { dbus bind bus=session name=org.kde.StatusNotifierItem-*, - owner /tmp/dbus-[0-9a-zA-Z]* rw, - @{exec_path} mr, # For "search engine" 
@@ -115,16 +113,16 @@ profile qbittorrent @{exec_path} { # Qbittorrent home dirs owner @{user_config_dirs}/qBittorrent/ rw, - owner @{user_config_dirs}/qBittorrent/** rwkl -> @{user_config_dirs}/qBittorrent/#[0-9]*[0-9], + owner @{user_config_dirs}/qBittorrent/** rwkl -> @{user_config_dirs}/qBittorrent/#@{int}, owner @{user_share_dirs}/data/ rw, owner @{user_share_dirs}/{,data/}qBittorrent/ rw, - owner @{user_share_dirs}/{,data/}qBittorrent/** rwl -> @{user_share_dirs}/{,data/}qBittorrent/**/#[0-9]*[0-9], + owner @{user_share_dirs}/{,data/}qBittorrent/** rwl -> @{user_share_dirs}/{,data/}qBittorrent/**/#@{int}, # Old dir, not recommended to use: # deny owner @{user_share_dirs}/data/qBittorrent/ rw, # Cache dir owner @{user_cache_dirs}/ rw, - owner @{user_cache_dirs}/#[0-9]*[0-9] rw, + owner @{user_cache_dirs}/#@{int} rw, owner @{user_cache_dirs}/qBittorrent/{,**} rw, # To configure Qt5 settings (theme, font, icons, etc.) under DE/WM without Qt integration @@ -140,7 +138,7 @@ profile qbittorrent @{exec_path} { /dev/disk/by-label/ r, - /dev/shm/#[0-9]*[0-9] rw, + /dev/shm/#@{int} rw, owner @{PROC}/@{pids}/fd/ r, deny owner @{PROC}/@{pids}/cmdline r, @@ -260,11 +258,11 @@ profile qbittorrent @{exec_path} { owner @{user_share_dirs}/{,data/}qBittorrent/nova[0-9]/{,**} rw, # Used while searching for torrents - owner /dev/shm/sem.mp-* rwl -> /dev/shm/[0-9]*[0-9], + owner /dev/shm/sem.mp-* rwl -> /dev/shm/@{int}, owner /dev/shm/* rw, # To load/add torrents from the search engine - owner /tmp/[0-9]*[0-9] rw, + owner /tmp/@{int} rw, owner /tmp/tmp* rw, # file_inherit diff --git a/apparmor.d/profiles-m-r/qbittorrent-nox b/apparmor.d/profiles-m-r/qbittorrent-nox index ed803bf9..9fb2cc60 100644 --- a/apparmor.d/profiles-m-r/qbittorrent-nox +++ b/apparmor.d/profiles-m-r/qbittorrent-nox 
@@ -24,15 +24,15 @@ profile qbittorrent-nox @{exec_path} { # Qbittorrent home dirs owner @{user_config_dirs}/qBittorrent/ rw, - owner @{user_config_dirs}/qBittorrent/** rwkl -> @{user_config_dirs}/qBittorrent/#[0-9]*[0-9], + owner @{user_config_dirs}/qBittorrent/** rwkl -> @{user_config_dirs}/qBittorrent/#@{int}, owner @{user_share_dirs}/qBittorrent/ rw, - owner @{user_share_dirs}/qBittorrent/** rwl -> @{user_share_dirs}/data/qBittorrent/**/#[0-9]*[0-9], + owner @{user_share_dirs}/qBittorrent/** rwl -> @{user_share_dirs}/data/qBittorrent/**/#@{int}, # Old dir, not recommended to use: deny owner @{user_share_dirs}/data/qBittorrent/ rw, # Cache dir owner @{user_cache_dirs}/ rw, - owner @{user_cache_dirs}/#[0-9]*[0-9] rw, + owner @{user_cache_dirs}/#@{int} rw, owner @{user_cache_dirs}/qBittorrent/{,**} rw, # Torrent files @@ -41,7 +41,7 @@ profile qbittorrent-nox @{exec_path} { /dev/disk/by-label/ r, - /dev/shm/#[0-9]*[0-9] rw, + /dev/shm/#@{int} rw, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/profiles-m-r/qnapi b/apparmor.d/profiles-m-r/qnapi index 8c6298b8..d42a38dd 100644 --- a/apparmor.d/profiles-m-r/qnapi +++ b/apparmor.d/profiles-m-r/qnapi @@ -57,8 +57,8 @@ profile qnapi @{exec_path} { owner @{user_config_dirs}/qnapi.ini rw, owner @{user_config_dirs}/qnapi.ini.lock rwk, - owner @{user_config_dirs}/qnapi.ini.* rwl -> @{user_config_dirs}/#[0-9]*[0-9], - owner @{user_config_dirs}/qnapi.ini.mlXXXY rwl -> @{user_config_dirs}/#[0-9]*[0-9], + owner @{user_config_dirs}/qnapi.ini.* rwl -> @{user_config_dirs}/#@{int}, + owner @{user_config_dirs}/qnapi.ini.mlXXXY rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/qt5ct/{,**} r, owner @{user_cache_dirs}/ rw, 
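Review bot: The rewritten link rule `owner @{user_share_dirs}/qBittorrent/** rwl -> @{user_share_dirs}/data/qBittorrent/**/#@{int},` names `data/qBittorrent` as the link target while the source side is `qBittorrent/**`, whereas the qbittorrent profile in this commit uses `{,data/}qBittorrent` on both sides and the rule two lines above links into `qBittorrent/#@{int}`. The mismatch looks pre-existing, but it now sits on a line this commit rewrites, and the profile denies `@{user_share_dirs}/data/qBittorrent/` a few lines further down, so the target presumably should be `@{user_share_dirs}/qBittorrent/**/#@{int}` unless the nox build really links across the two directories. The qbittorrent-nox profile body continues outside the hunk.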
@@ -66,15 +66,15 @@ profile qnapi @{exec_path} { /tmp/ r, owner /tmp/@{hex}.* rw, owner /tmp/** rw, - owner /tmp/#[0-9]*[0-9] rw, - owner /tmp/QNapi-*-rc wl -> /tmp/#[0-9]*[0-9], + owner /tmp/#@{int} rw, + owner /tmp/QNapi-*-rc wl -> /tmp/#@{int}, owner /tmp/QNapi-*-rc.lock rwk, owner /tmp/QNapi.[0-9]*.tmp rw, owner /tmp/QNapi.[0-9]*.tmp.* rw, - owner /tmp/QNapi.[0-9]*.tmp.* rwl -> /tmp/#[0-9]*[0-9], - owner /tmp/QNapi.[0-9]*[0-9] rw, + owner /tmp/QNapi.[0-9]*.tmp.* rwl -> /tmp/#@{int}, + owner /tmp/QNapi.@{int} rw, - owner /dev/shm/#[0-9]*[0-9] rw, + owner /dev/shm/#@{int} rw, deny owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/mountinfo r, diff --git a/apparmor.d/profiles-m-r/qpdfview b/apparmor.d/profiles-m-r/qpdfview index 3a27e4a8..ebef6c9b 100644 --- a/apparmor.d/profiles-m-r/qpdfview +++ b/apparmor.d/profiles-m-r/qpdfview @@ -50,17 +50,17 @@ profile qpdfview @{exec_path} { owner @{user_work_dirs}/{,**} rw, owner @{user_config_dirs}/qpdfview/ rw, - owner @{user_config_dirs}/qpdfview/* rwkl -> @{user_config_dirs}/qpdfview/#[0-9]*[0-9], + owner @{user_config_dirs}/qpdfview/* rwkl -> @{user_config_dirs}/qpdfview/#@{int}, owner @{user_share_dirs}/qpdfview/ rw, owner @{user_share_dirs}/qpdfview/** rwk, owner @{user_config_dirs}/qt5ct/{,**} r, - owner /dev/shm/#[0-9]*[0-9] rw, + owner /dev/shm/#@{int} rw, owner /tmp/@{hex} rw, - owner /tmp/#[0-9]*[0-9] rw, - owner /tmp/qpdfview.*.pdf rwl -> /tmp/#[0-9]*[0-9], + owner /tmp/#@{int} rw, + owner /tmp/qpdfview.*.pdf rwl -> /tmp/#@{int}, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/profiles-m-r/qt5ct b/apparmor.d/profiles-m-r/qt5ct index 40393bf4..89c0a90d 100644 --- a/apparmor.d/profiles-m-r/qt5ct +++ b/apparmor.d/profiles-m-r/qt5ct 
@@ -23,11 +23,11 @@ profile qt5ct @{exec_path} { @{exec_path} mr, owner @{user_config_dirs}/qt5ct/ rw, - owner @{user_config_dirs}/qt5ct/** rwkl -> @{user_config_dirs}/qt5ct/#[0-9]*[0-9], + owner @{user_config_dirs}/qt5ct/** rwkl -> @{user_config_dirs}/qt5ct/#@{int}, owner @{user_config_dirs}/fontconfig/ rw, owner @{user_config_dirs}/fontconfig/** rw, - owner @{user_config_dirs}/fontconfig/fonts.conf.back rwl -> @{user_config_dirs}/fontconfig/#[0-9]*[0-9], + owner @{user_config_dirs}/fontconfig/fonts.conf.back rwl -> @{user_config_dirs}/fontconfig/#@{int}, owner @{user_config_dirs}/kdeglobals r, @@ -48,7 +48,7 @@ profile qt5ct @{exec_path} { /usr/share/hwdata/pnp.ids r, - /dev/shm/#[0-9]*[0-9] rw, + /dev/shm/#@{int} rw, include if exists } diff --git a/apparmor.d/profiles-m-r/quiterss b/apparmor.d/profiles-m-r/quiterss index deb69e3a..382adeec 100644 --- a/apparmor.d/profiles-m-r/quiterss +++ b/apparmor.d/profiles-m-r/quiterss @@ -63,7 +63,7 @@ profile quiterss @{exec_path} { /usr/share/hwdata/pnp.ids r, - /dev/shm/#[0-9]*[0-9] rw, + /dev/shm/#@{int} rw, owner /tmp/qtsingleapp-quiter-[0-9]*-[0-9]* rw, owner /tmp/qtsingleapp-quiter-[0-9]*-[0-9]*-lockfile rwk, diff --git a/apparmor.d/profiles-m-r/redshift b/apparmor.d/profiles-m-r/redshift index 6272c8fe..47d36acc 100644 --- a/apparmor.d/profiles-m-r/redshift +++ b/apparmor.d/profiles-m-r/redshift @@ -17,7 +17,7 @@ profile redshift @{exec_path} { dbus send bus=system - path=/org/freedesktop/GeoClue2/Client/[0-9]*[0-9], + path=/org/freedesktop/GeoClue2/Client/@{int}, dbus receive bus=system diff --git a/apparmor.d/profiles-m-r/rpi-imager b/apparmor.d/profiles-m-r/rpi-imager index 3690f885..91e513c5 100644 --- a/apparmor.d/profiles-m-r/rpi-imager +++ b/apparmor.d/profiles-m-r/rpi-imager 
@@ -54,11 +54,11 @@ profile rpi-imager @{exec_path} { owner "@{user_cache_dirs}/Raspberry Pi/**" rwl -> "@{user_cache_dirs}/Raspberry Pi/**", owner "@{user_config_dirs}/Raspberry Pi/{,**}" rw, owner @{user_cache_dirs}/ rw, - owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/@{hex} rwl -> @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9], - owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9] rw, + owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/@{hex} rwl -> @{user_cache_dirs}/qtshadercache-*-little_endian-*/#@{int}, + owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/#@{int} rw, owner @{user_cache_dirs}/qtshadercache/ rw, - owner @{user_cache_dirs}/qtshadercache/@{hex} rwl -> @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9], - owner @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9] rw, + owner @{user_cache_dirs}/qtshadercache/@{hex} rwl -> @{user_cache_dirs}/qtshadercache/#@{int}, + owner @{user_cache_dirs}/qtshadercache/#@{int} rw, owner @{user_config_dirs}/qt5ct/{,**} r, owner @{user_config_dirs}/QtProject.conf r, diff --git a/apparmor.d/profiles-m-r/run-parts b/apparmor.d/profiles-m-r/run-parts index 0a1f95ee..0e4f7189 100644 --- a/apparmor.d/profiles-m-r/run-parts +++ b/apparmor.d/profiles-m-r/run-parts @@ -116,6 +116,7 @@ profile run-parts @{exec_path} { /etc/kernel/postinst.d/initramfs-tools rCx -> kernel, /etc/kernel/postinst.d/unattended-upgrades rCx -> kernel, /etc/kernel/postinst.d/zz-update-grub rCx -> kernel, + /etc/kernel/postinst.d/zz-shim rCx -> kernel, /etc/kernel/postinst.d/xx-update-initrd-links rCx -> kernel, /etc/kernel/postrm.d/ r, @@ -128,8 +129,9 @@ profile run-parts @{exec_path} { /etc/kernel/prerm.d/ r, /etc/kernel/prerm.d/dkms rCx -> kernel, - owner /tmp/#[0-9]*[0-9] rw, + owner /tmp/#@{int} rw, owner /tmp/$anacron* rw, + owner /tmp/file@{rand6} ra, owner @{sys}/class/power_supply/ r, 
diff --git a/apparmor.d/profiles-m-r/rustdesk b/apparmor.d/profiles-m-r/rustdesk index f65f0953..6f53f680 100644 --- a/apparmor.d/profiles-m-r/rustdesk +++ b/apparmor.d/profiles-m-r/rustdesk @@ -89,7 +89,7 @@ profile rustdesk @{exec_path} { # service and GUI intercommunication @{HOME}/.Xauthority r, - @{run}/user/@{uid}/.mutter-Xwaylandauth.?????? r, + @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} r, @{run}/user/@{uid}/gdm{,3}/Xauthority r, /tmp/[rR]ust[dD]esk/{,**} rw, /tmp/.X11-unix/ r, @@ -103,7 +103,7 @@ profile rustdesk @{exec_path} { owner @{run}/user/@{uid}/pulse/native rw, owner @{user_config_dirs}/pulse/ rw, owner @{user_config_dirs}/pulse/cookie rwk, - owner @{user_config_dirs}/pulse/*-runtime{,.tmp} rw, + owner @{user_config_dirs}/pulse/@{md5}-runtime{,.tmp} rw, owner /tmp/pulse-*/ rw, # gtk-tiny diff --git a/apparmor.d/profiles-s-z/scrcpy b/apparmor.d/profiles-s-z/scrcpy index 4c651624..c66ae449 100644 --- a/apparmor.d/profiles-s-z/scrcpy +++ b/apparmor.d/profiles-s-z/scrcpy @@ -31,7 +31,8 @@ profile scrcpy @{exec_path} { /var/lib/dbus/machine-id r, - owner @{user_config_dirs}/ibus/bus/{,@{hex}-unix{,-wayland}-[0-9]} r, + owner @{user_config_dirs}/ibus/bus/ r, + owner @{user_config_dirs}/ibus/bus/@{md5}-unix-{,wayland-}@{int} r, owner @{user_config_dirs}/pulse/client.conf r, owner @{user_config_dirs}/pulse/cookie r, owner @{user_config_dirs}/pulse/cookie rk, diff --git a/apparmor.d/profiles-s-z/scrot b/apparmor.d/profiles-s-z/scrot index 397360ea..12b7f326 100644 --- a/apparmor.d/profiles-s-z/scrot +++ b/apparmor.d/profiles-s-z/scrot @@ -22,7 +22,7 @@ profile scrot @{exec_path} { owner @{HOME}/.Xauthority r, - /dev/shm/#[0-9]*[0-9] rw, + /dev/shm/#@{int} rw, owner @{HOME}/.icons/default/index.theme r, /usr/share/icons/*/index.theme r, diff --git a/apparmor.d/profiles-s-z/smplayer b/apparmor.d/profiles-s-z/smplayer index 91f6b0ba..f8130927 100644 --- a/apparmor.d/profiles-s-z/smplayer +++ b/apparmor.d/profiles-s-z/smplayer 
@@ -61,10 +61,10 @@ profile smplayer @{exec_path} { owner @{user_videos_dirs}/{,**} rw, owner @{user_config_dirs}/smplayer/ rw, - owner @{user_config_dirs}/smplayer/* rwkl -> @{user_config_dirs}/smplayer/#[0-9]*[0-9], + owner @{user_config_dirs}/smplayer/* rwkl -> @{user_config_dirs}/smplayer/#@{int}, owner @{user_config_dirs}/qt5ct/{,**} r, - owner @{user_cache_dirs}/#[0-9]*[0-9] rw, + owner @{user_cache_dirs}/#@{int} rw, owner /tmp/qtsingleapp-smplay-* rw, owner /tmp/qtsingleapp-smplay-*-lockfile rwk, @@ -75,7 +75,7 @@ profile smplayer @{exec_path} { owner @{run}/user/@{uid}/gvfs/smb-share:server=*,share=**/ r, owner @{run}/user/@{uid}/gvfs/smb-share:server=*,share=** r, - owner /dev/shm/#[0-9]*[0-9] rw, + owner /dev/shm/#@{int} rw, deny owner @{PROC}/@{pid}/stat r, deny owner @{PROC}/@{pid}/cmdline r, diff --git a/apparmor.d/profiles-s-z/smtube b/apparmor.d/profiles-s-z/smtube index 4a8f1803..f958a0e0 100644 --- a/apparmor.d/profiles-s-z/smtube +++ b/apparmor.d/profiles-s-z/smtube @@ -33,15 +33,15 @@ profile smtube @{exec_path} { # SMTube config files owner @{user_config_dirs}/smtube/ rw, - owner @{user_config_dirs}/smtube/* rwkl -> @{user_config_dirs}/smtube/#[0-9]*[0-9], + owner @{user_config_dirs}/smtube/* rwkl -> @{user_config_dirs}/smtube/#@{int}, # Needed for updating YT code owner @{user_config_dirs}/smplayer/yt.js rw, - owner @{user_config_dirs}/smplayer/#[0-9]*[0-9] rw, + owner @{user_config_dirs}/smplayer/#@{int} rw, owner @{user_config_dirs}/smplayer/hdpi.ini rw, owner @{user_config_dirs}/smplayer/hdpi.ini.lock rwk, - owner @{user_config_dirs}/smplayer/hdpi.ini.* rwl -> @{user_config_dirs}/smplayer/#[0-9]*[0-9], + owner @{user_config_dirs}/smplayer/hdpi.ini.* rwl -> @{user_config_dirs}/smplayer/#@{int}, # To configure Qt5 settings (theme, font, icons, etc.) under DE/WM without Qt integration owner @{user_config_dirs}/qt5ct/{,**} r, 
@@ -57,7 +57,7 @@ profile smtube @{exec_path} { /usr/share/hwdata/pnp.ids r, - /dev/shm/#[0-9]*[0-9] rw, + /dev/shm/#@{int} rw, deny owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/profiles-s-z/steam b/apparmor.d/profiles-s-z/steam index 76f6077a..b265ea2c 100644 --- a/apparmor.d/profiles-s-z/steam +++ b/apparmor.d/profiles-s-z/steam @@ -148,7 +148,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted,complain) owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* rw, owner @{run}/user/@{uid}/gdm/Xauthority r, - owner /dev/shm/#[0-9]* rw, + owner /dev/shm/#@{int} rw, owner /dev/shm/fossilize-*-[0-9]*-[0-9]* rw, owner /dev/shm/u@{uid}-Shm_@{hex} rw, owner /dev/shm/u@{uid}-ValveIPCSharedObj-Steam rwk, diff --git a/apparmor.d/profiles-s-z/steam-game b/apparmor.d/profiles-s-z/steam-game index 75c9308b..b31521e1 100644 --- a/apparmor.d/profiles-s-z/steam-game +++ b/apparmor.d/profiles-s-z/steam-game @@ -177,7 +177,7 @@ profile steam-game @{exec_path} flags=(attach_disconnected) { owner @{run}/user/@{uid}/gdm/Xauthority r, owner @{run}/user/@{uid}/orcexec.* mrw, # gstreamer - owner /dev/shm/#[0-9]* rw, + owner /dev/shm/#@{int} rw, owner /dev/shm/mono.* rw, owner /dev/shm/u@{uid}-Shm_@{hex} rw, owner /dev/shm/u@{uid}-ValveIPCSharedObj-Steam rwk, diff --git a/apparmor.d/profiles-s-z/strawberry b/apparmor.d/profiles-s-z/strawberry index 20667d12..b9971fc2 100644 --- a/apparmor.d/profiles-s-z/strawberry +++ b/apparmor.d/profiles-s-z/strawberry 
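Review bot: In the steam hunk the context line `owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* rw,` keeps a trailing `*`, which matches any non-`/` suffix rather than the six-character temp suffix, while this same commit tightens the identical path to `.mutter-Xwaylandauth.@{rand6}` in mono-sgen, pinentry-gtk-2 and rustdesk. Changing it to `owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} rw,` would keep the profiles consistent with the new tunable. The steam profile body extends outside the hunk.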
@@ -53,14 +53,14 @@ profile strawberry @{exec_path} { owner @{HOME}/ r, owner @{user_config_dirs}/strawberry/ rw, - owner @{user_config_dirs}/strawberry/* rwkl -> @{user_config_dirs}/strawberry/#[0-9]*[0-9], + owner @{user_config_dirs}/strawberry/* rwkl -> @{user_config_dirs}/strawberry/#@{int}, owner @{user_share_dirs}/strawberry/ rw, owner @{user_share_dirs}/strawberry/** rwk, owner @{user_cache_dirs}/ rw, owner @{user_cache_dirs}/strawberry/ rw, - owner @{user_cache_dirs}/strawberry/** rwl -> @{user_cache_dirs}/strawberry/networkcache/prepared/#[0-9]*[0-9], + owner @{user_cache_dirs}/strawberry/** rwl -> @{user_cache_dirs}/strawberry/networkcache/prepared/#@{int}, owner @{user_cache_dirs}/xine-lib/ rw, owner @{user_cache_dirs}/xine-lib/plugins.cache{,.new} rw, @@ -78,15 +78,15 @@ profile strawberry @{exec_path} { /etc/fstab r, - /dev/shm/#[0-9]*[0-9] rw, + /dev/shm/#@{int} rw, /dev/sr[0-9]* r, owner /tmp/qipc_{systemsem,sharedmemory}_*[a-f0-9]* rw, owner /tmp/.*/ rw, owner /tmp/.*/s rw, owner /tmp/strawberry*[0-9] w, - owner /tmp/strawberry-cover-*.jpg rwl -> /tmp/#[0-9]*[0-9], - owner /tmp/#[0-9]*[0-9] rw, + owner /tmp/strawberry-cover-*.jpg rwl -> /tmp/#@{int}, + owner /tmp/#@{int} rw, owner /tmp/*= w, owner /var/tmp/etilqs_@{hex} rw, diff --git a/apparmor.d/profiles-s-z/strawberry-tagreader b/apparmor.d/profiles-s-z/strawberry-tagreader index 2b23d8ed..229dad80 100644 --- a/apparmor.d/profiles-s-z/strawberry-tagreader +++ b/apparmor.d/profiles-s-z/strawberry-tagreader @@ -25,7 +25,7 @@ profile strawberry-tagreader @{exec_path} { # file_inherit owner @{HOME}/.xsession-errors w, owner @{HOME}/.anyRemote/anyremote.stdout w, - owner @{user_cache_dirs}/gstreamer-[0-9]*/registry.*.bin{,.tmp*} rw, + owner @{user_cache_dirs}/gstreamer-[0-9]*/registry.*.bin{,.tmp@{rand6}} rw, include if exists } diff --git a/apparmor.d/profiles-s-z/su b/apparmor.d/profiles-s-z/su index 0985699f..d3bbbc3a 100644 --- a/apparmor.d/profiles-s-z/su +++ b/apparmor.d/profiles-s-z/su 
@@ -53,7 +53,7 @@ profile su @{exec_path} { /etc/default/locale r, /etc/shells r, - owner @{HOME}/.xauth?????? rw, + owner @{HOME}/.xauth@{rand6} rw, owner @{PROC}/@{pids}/loginuid r, owner @{PROC}/@{pids}/cgroup r, diff --git a/apparmor.d/profiles-s-z/system-config-printer b/apparmor.d/profiles-s-z/system-config-printer index ef8c338e..ed268af4 100644 --- a/apparmor.d/profiles-s-z/system-config-printer +++ b/apparmor.d/profiles-s-z/system-config-printer @@ -60,7 +60,7 @@ profile system-config-printer @{exec_path} flags=(complain) { owner @{HOME}/.cups/ rw, owner @{HOME}/.cups/lpoptions rw, - owner @{run}/user/@{uid}/gvfsd/socket-* rw, + owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, @{run}/cups/cups.sock rw, owner /tmp/* rw, diff --git a/apparmor.d/profiles-s-z/tint2 b/apparmor.d/profiles-s-z/tint2 index 92c44b09..b657f8f8 100644 --- a/apparmor.d/profiles-s-z/tint2 +++ b/apparmor.d/profiles-s-z/tint2 @@ -50,7 +50,7 @@ profile tint2 @{exec_path} { @{sys}/fs/cgroup/{,**} r, - /dev/shm/#[0-9]*[0-9] rw, + /dev/shm/#@{int} rw, owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/mountinfo r, diff --git a/apparmor.d/profiles-s-z/tune2fs b/apparmor.d/profiles-s-z/tune2fs index c5e2dc9e..a336d8eb 100644 --- a/apparmor.d/profiles-s-z/tune2fs +++ b/apparmor.d/profiles-s-z/tune2fs @@ -25,7 +25,7 @@ profile tune2fs @{exec_path} { # Image files owner @{user_img_dirs}/{,**} rw, - owner @{run}/blkid/blkid.tab{,-*} rw, + owner @{run}/blkid/blkid.tab{,-@{rand6}} rw, owner @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab, @{PROC}/swaps r, diff --git a/apparmor.d/profiles-s-z/udisksd b/apparmor.d/profiles-s-z/udisksd index b479f466..c854a4f0 100644 --- a/apparmor.d/profiles-s-z/udisksd +++ b/apparmor.d/profiles-s-z/udisksd 
@@ -139,7 +139,7 @@ profile udisksd @{exec_path} flags=(attach_disconnected) { @{sys}/bus/ r, @{sys}/class/ r, @{sys}/devices/pci[0-9]*/**/{ata,usb,mmc}[0-9]/{,**/}remove rw, - @{sys}/devices/pci[0-9]*/**/{ata,usb,mmc}[0-9]/{,**/}uevent w, + @{sys}/devices/pci[0-9]*/**/{ata,usb,mmc,virtio}[0-9]/{,**/}uevent w, @{sys}/devices/virtual/bdi/**/read_ahead_kb r, @{sys}/devices/virtual/block/*/{,**} rw, @{sys}/devices/virtual/block/loop[0-9]*/uevent rw, diff --git a/apparmor.d/profiles-s-z/updatedb.plocate b/apparmor.d/profiles-s-z/updatedb.plocate index 31d9af29..10e5836f 100644 --- a/apparmor.d/profiles-s-z/updatedb.plocate +++ b/apparmor.d/profiles-s-z/updatedb.plocate @@ -26,8 +26,8 @@ profile updatedb.plocate @{exec_path} { owner @{PROC}/@{pid}/mounts r, /var/lib/plocate/plocate.db rw, - /var/lib/plocate/#[0-9]* rw, - /var/lib/plocate/plocate.db rwl -> /var/lib/plocate/#[0-9]*, + /var/lib/plocate/#@{int} rw, + /var/lib/plocate/plocate.db rwl -> /var/lib/plocate/#@{int}, / r, /**/ r, diff --git a/apparmor.d/profiles-s-z/usbguard-applet-qt b/apparmor.d/profiles-s-z/usbguard-applet-qt index 8189e705..6f8e3640 100644 --- a/apparmor.d/profiles-s-z/usbguard-applet-qt +++ b/apparmor.d/profiles-s-z/usbguard-applet-qt @@ -25,9 +25,9 @@ profile usbguard-applet-qt @{exec_path} { @{exec_path} mr, owner @{user_config_dirs}/USBGuard/ rw, - owner @{user_config_dirs}/USBGuard/* rwkl -> @{user_config_dirs}/USBGuard/#[0-9]*[0-9], + owner @{user_config_dirs}/USBGuard/* rwkl -> @{user_config_dirs}/USBGuard/#@{int}, - /dev/shm/#[0-9]*[0-9] rw, + /dev/shm/#@{int} rw, /dev/shm/qb-usbguard-{request,response,event}-[0-9]*-[0-9]*-[0-9]*-{header,data} rw, /dev/shm/qb-[0-9]*-[0-9]*-[0-9]*-*/qb-{request,response,event}-usbguard-{header,data} rw, diff --git a/apparmor.d/profiles-s-z/vidcutter b/apparmor.d/profiles-s-z/vidcutter index 0d61e62b..281414fd 100644 --- a/apparmor.d/profiles-s-z/vidcutter +++ b/apparmor.d/profiles-s-z/vidcutter 
@@ -57,14 +57,14 @@ profile vidcutter @{exec_path} { owner @{user_videos_dirs}/{,**} rw, owner @{user_config_dirs}/vidcutter/ rw, - owner @{user_config_dirs}/vidcutter/* rwkl -> @{user_config_dirs}/vidcutter/#[0-9]*[0-9], + owner @{user_config_dirs}/vidcutter/* rwkl -> @{user_config_dirs}/vidcutter/#@{int}, owner @{user_cache_dirs}/ rw, - owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/@{hex} rwl -> @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9], - owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9] rw, + owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/@{hex} rwl -> @{user_cache_dirs}/qtshadercache-*-little_endian-*/#@{int}, + owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/#@{int} rw, owner @{user_cache_dirs}/qtshadercache/ rw, - owner @{user_cache_dirs}/qtshadercache/@{hex} rwl -> @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9], - owner @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9] rw, + owner @{user_cache_dirs}/qtshadercache/@{hex} rwl -> @{user_cache_dirs}/qtshadercache/#@{int}, + owner @{user_cache_dirs}/qtshadercache/#@{int} rw, owner @{user_config_dirs}/qt5ct/{,**} r, @@ -72,8 +72,8 @@ profile vidcutter @{exec_path} { @{sys}/devices/system/node/node[0-9]*/meminfo r, owner /tmp/vidcutter-@{uuid} w, - owner /tmp/#[0-9]*[0-9] rw, - owner /tmp/*.jpg rwl -> /tmp/#[0-9]*[0-9], + owner /tmp/#@{int} rw, + owner /tmp/*.jpg rwl -> /tmp/#@{int}, owner /tmp/vidcutter/{,*} rw, deny owner @{PROC}/@{pid}/cmdline r, @@ -83,7 +83,7 @@ profile vidcutter @{exec_path} { deny @{PROC}/sys/kernel/random/boot_id r, /dev/ r, - /dev/shm/#[0-9]*[0-9] rw, + /dev/shm/#@{int} rw, /dev/disk/*/ r, owner /dev/tty[0-9]* rw, diff --git a/apparmor.d/profiles-s-z/wireshark b/apparmor.d/profiles-s-z/wireshark index 0113a597..13732d3b 100644 --- a/apparmor.d/profiles-s-z/wireshark +++ b/apparmor.d/profiles-s-z/wireshark 
@@ -76,7 +76,7 @@ profile wireshark @{exec_path} { /usr/share/GeoIP/{,**} r, - /dev/shm/#[0-9]*[0-9] rw, + /dev/shm/#@{int} rw, owner /tmp/wireshark_extcap_ciscodump_[0-9]*_* rw, diff --git a/apparmor.d/profiles-s-z/wpa-gui b/apparmor.d/profiles-s-z/wpa-gui index d0fc1874..b356eb29 100644 --- a/apparmor.d/profiles-s-z/wpa-gui +++ b/apparmor.d/profiles-s-z/wpa-gui @@ -26,7 +26,7 @@ profile wpa-gui @{exec_path} { owner @{user_config_dirs}/qt5ct/{,**} r, owner /tmp/wpa_ctrl_@{pid}-[0-9] w, - owner /dev/shm/#[0-9]*[0-9] rw, + owner /dev/shm/#@{int} rw, @{run}/wpa_supplicant/ r, diff --git a/apparmor.d/profiles-s-z/xauth b/apparmor.d/profiles-s-z/xauth index a3791831..84b361b7 100644 --- a/apparmor.d/profiles-s-z/xauth +++ b/apparmor.d/profiles-s-z/xauth @@ -16,10 +16,10 @@ profile xauth @{exec_path} { /Xauthority-c w, - owner @{HOME}/.xauth?????? rw, - owner @{HOME}/.xauth??????-c w, - owner @{HOME}/.xauth??????-l wl, - owner @{HOME}/.xauth??????-n rw, + owner @{HOME}/.xauth@{rand6} rw, + owner @{HOME}/.xauth@{rand6}-c w, + owner @{HOME}/.xauth@{rand6}-l wl, + owner @{HOME}/.xauth@{rand6}-n rw, owner @{HOME}/.Xauthority-c w, owner @{HOME}/.Xauthority-l wl -> @{HOME}/.Xauthority-c, @@ -31,14 +31,14 @@ profile xauth @{exec_path} { owner /tmp/serverauth.*-n rw, owner /tmp/serverauth.* rwl -> /tmp/serverauth.*-n, - owner /tmp/runtime-*/xauth_?????? r, - owner /tmp/xauth_?????? r, - owner /tmp/xauth_??????-c w, - owner /tmp/xauth_??????-l wl, + owner /tmp/runtime-*/xauth_@{rand6} r, + owner /tmp/xauth_@{rand6} r, + owner /tmp/xauth_@{rand6}-c w, + owner /tmp/xauth_@{rand6}-l wl, - owner @{run}/user/@{uid}/xauth_?????? rw, - owner @{run}/user/@{uid}/xauth_??????-c w, - owner @{run}/user/@{uid}/xauth_??????-l wl, + owner @{run}/user/@{uid}/xauth_@{rand6} rw, + owner @{run}/user/@{uid}/xauth_@{rand6}-c w, + owner @{run}/user/@{uid}/xauth_@{rand6}-l wl, include if exists } 
diff --git a/apparmor.d/profiles-s-z/yadifad b/apparmor.d/profiles-s-z/yadifad index a80a44f3..7b0f8870 100644 --- a/apparmor.d/profiles-s-z/yadifad +++ b/apparmor.d/profiles-s-z/yadifad @@ -24,15 +24,15 @@ profile yadifad @{exec_path} { /etc/yadifa/yadifad.conf r, /var/lib/yadifa/** r, - owner /var/lib/yadifa/ydf.?????? rw, - owner /var/lib/yadifa/keys/ydf.?????? rw, - owner /var/lib/yadifa/xfr/ydf.?????? rw, + owner /var/lib/yadifa/ydf.@{rand6} rw, + owner /var/lib/yadifa/keys/ydf.@{rand6} rw, + owner /var/lib/yadifa/xfr/ydf.@{rand6} rw, /var/log/yadifa/*.log rw, - /var/log/yadifa/ydf.?????? rw, + /var/log/yadifa/ydf.@{rand6} rw, owner @{run}/yadifa/yadifad.pid rwk, - owner @{run}/yadifa/ydf.?????? rw, + owner @{run}/yadifa/ydf.@{rand6} rw, include if exists } diff --git a/apparmor.d/profiles-s-z/zpool b/apparmor.d/profiles-s-z/zpool index bd2cd296..3ad0e837 100644 --- a/apparmor.d/profiles-s-z/zpool +++ b/apparmor.d/profiles-s-z/zpool @@ -23,7 +23,7 @@ profile zpool @{exec_path} { @{run}/blkid/blkid.tab rw, @{run}/blkid/blkid.tab.old rwl, - @{run}/blkid/blkid.tab-* rwl, + @{run}/blkid/blkid.tab-@{rand6} rwl, /tmp/tmp.* rw, diff --git a/apparmor.d/tunables/multiarch.d/apparmor.d b/apparmor.d/tunables/multiarch.d/apparmor.d index 13f38637..d1fe3dff 100644 --- a/apparmor.d/tunables/multiarch.d/apparmor.d +++ b/apparmor.d/tunables/multiarch.d/apparmor.d 
@@ -6,15 +6,33 @@
 # To allow extended personalisation without breaking everything.
 # All apparmor profiles should always use the variables defined here.
 
+# Single hexadecimal character
+@{h}=[0-9a-fA-F]
+
+# Single alphanumeric character
+@{c}=[0-9a-zA-Z]
+
+# Up to 10 digits (0-9999999999)
+@{int}=[0-9]{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}
+
+# Any six characters
+@{rand6}=@{c}@{c}@{c}@{c}@{c}@{c}
+
+# Any eight characters
+@{rand8}=@{c}@{c}@{c}@{c}@{c}@{c}@{c}@{c}
+
+# MD5 hash
+@{md5}=@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}
+
 # Universally unique identifier
-@{uuid}=[0-9a-fA-F]*-[0-9a-fA-F]*-[0-9a-fA-F]*-[0-9a-fA-F]*-[0-9a-fA-F]*
+@{uuid}=@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}[-_]@{h}@{h}@{h}@{h}[-_]@{h}@{h}@{h}@{h}[-_]@{h}@{h}@{h}@{h}[-_]@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}
 
 # Hexadecimal
-@{hex}=[0-9a-fA-F]*
+@{hex}=@{h}*@{h}
 
 # Date and time
-@{date}=[0-9][0-9][0-9][0-9]-[1-12]-[1-31]
-@{time}=[1-24]-[0-60]-[0-60]
+@{date}=[0-2][0-9][0-9][0-9]-[01][0-9]-[0-3][0-9]
+@{time}={[0-2],}[0-9]-[0-5][0-9]-[0-6][0-9]
 
 # @{MOUNTDIRS} is a space-separated list of where user mount directories
 # are stored, for programs that must enumerate all mount directories on a
diff --git a/dists/ubuntu/abstractions/trash b/dists/ubuntu/abstractions/trash
index 4c1473d8..aab16b92 100644
--- a/dists/ubuntu/abstractions/trash
+++ b/dists/ubuntu/abstractions/trash
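Review bot: `@{hex}=@{h}*@{h}` still embeds an AppArmor `*`, which matches any run of characters other than `/`, so despite the `# Hexadecimal` comment the variable accepts names like `a-anything-f`, and a rule such as `owner /tmp/@{hex} rw,` (qpdfview and qnapi hunks in this commit) stays nearly as broad as `/tmp/*`. The new form also requires at least two characters, so a single-digit name that the old `[0-9a-fA-F]*` matched no longer does. Where the width is known the bounded `@{md5}`/`@{uuid}` definitions are the safer choice; otherwise the comment should say so, e.g. `# Hexadecimal of unknown length ('*' matches any non-'/' characters; prefer @{md5}/@{uuid} when the width is known)`.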
@@ -4,16 +4,16 @@ abi , owner @{user_config_dirs}/trashrc rw, owner @{user_config_dirs}/trashrc.lock rwk, - owner @{user_config_dirs}/#[0-9]*[0-9] rwk, - owner @{user_config_dirs}/trashrc.* rwl -> @{user_config_dirs}/#[0-9]*[0-9], + owner @{user_config_dirs}/#@{int} rwk, + owner @{user_config_dirs}/trashrc.* rwl -> @{user_config_dirs}/#@{int}, - owner @{run}/user/@{uid}/#[0-9]*[0-9] rw, - owner @{run}/user/@{uid}/trash.so*.[0-9].slave-socket rwl -> @{run}/user/@{uid}/#[0-9]*[0-9], + owner @{run}/user/@{uid}/#@{int} rw, + owner @{run}/user/@{uid}/trash.so*.[0-9].slave-socket rwl -> @{run}/user/@{uid}/#@{int}, # Home trash location owner @{user_share_dirs}/Trash/ rw, - owner @{user_share_dirs}/Trash/#[0-9]*[0-9] rw, - owner @{user_share_dirs}/Trash/directorysizes{,.*} rwl -> @{user_share_dirs}/Trash/#[0-9]*[0-9], + owner @{user_share_dirs}/Trash/#@{int} rw, + owner @{user_share_dirs}/Trash/directorysizes{,.*} rwl -> @{user_share_dirs}/Trash/#@{int}, owner @{user_share_dirs}/Trash/files/{,**} rw, owner @{user_share_dirs}/Trash/info/ rw, owner @{user_share_dirs}/Trash/info/*.trashinfo{,.*} rw, @@ -25,8 +25,8 @@ abi , # Partitions' trash location when the admin creates the .Trash/ folder in the top lvl dir owner /media/*/.Trash/ rw, owner /media/*/.Trash/@{uid}/ rw, - owner /media/*/.Trash/@{uid}/#[0-9]*[0-9] rw, - owner /media/*/.Trash/@{uid}/directorysizes{,.*} rwl -> /media/*/.Trash/@{uid}/#[0-9]*[0-9], + owner /media/*/.Trash/@{uid}/#@{int} rw, + owner /media/*/.Trash/@{uid}/directorysizes{,.*} rwl -> /media/*/.Trash/@{uid}/#@{int}, owner /media/*/.Trash/@{uid}/files/{,**} rw, owner /media/*/.Trash/@{uid}/info/ rw, owner /media/*/.Trash/@{uid}/info/*.trashinfo{,.*} rw, 
@@ -37,8 +37,8 @@ abi , # Partitions' trash location when the admin doesn't create the .Trash/ folder in the top lvl dir owner /media/*/.Trash-@{uid}/ rw, - owner /media/*/.Trash-@{uid}/#[0-9]*[0-9] rw, - owner /media/*/.Trash-@{uid}/directorysizes{,.*} rwl -> /media/*/.Trash-@{uid}/#[0-9]*[0-9], + owner /media/*/.Trash-@{uid}/#@{int} rw, + owner /media/*/.Trash-@{uid}/directorysizes{,.*} rwl -> /media/*/.Trash-@{uid}/#@{int}, owner /media/*/.Trash-@{uid}/files/{,**} rw, owner /media/*/.Trash-@{uid}/info/ rw, owner /media/*/.Trash-@{uid}/info/*.trashinfo{,.*} rw, @@ -50,8 +50,8 @@ abi , # Removable media's trash location when the admin creates the .Trash/ folder in the top lvl dir owner /media/*/*/.Trash/ rw, owner /media/*/*/.Trash/@{uid}/ rw, - owner /media/*/*/.Trash/@{uid}/#[0-9]*[0-9] rw, - owner /media/*/*/.Trash/@{uid}/directorysizes{,.*} rwl -> /media/*/*/.Trash/@{uid}/#[0-9]*[0-9], + owner /media/*/*/.Trash/@{uid}/#@{int} rw, + owner /media/*/*/.Trash/@{uid}/directorysizes{,.*} rwl -> /media/*/*/.Trash/@{uid}/#@{int}, owner /media/*/*/.Trash/@{uid}/files/{,**} rw, owner /media/*/*/.Trash/@{uid}/info/ rw, owner /media/*/*/.Trash/@{uid}/info/*.trashinfo{,.*} rw, @@ -62,8 +62,8 @@ abi , # Removable media's trash location when the admin doesn't create the .Trash/ folder in the top lvl dir owner /media/*/*/.Trash-@{uid}/ rw, - owner /media/*/*/.Trash-@{uid}/#[0-9]*[0-9] rw, - owner /media/*/*/.Trash-@{uid}/directorysizes{,.*} rwl -> /media/*/*/.Trash-@{uid}/#[0-9]*[0-9], + owner /media/*/*/.Trash-@{uid}/#@{int} rw, + owner /media/*/*/.Trash-@{uid}/directorysizes{,.*} rwl -> /media/*/*/.Trash-@{uid}/#@{int}, owner /media/*/*/.Trash-@{uid}/files/{,**} rw, owner /media/*/*/.Trash-@{uid}/info/ rw, owner /media/*/*/.Trash-@{uid}/info/*.trashinfo{,.*} rw,