Merge branch 'tunables' of https://github.com/nobody43/apparmor.d into nobody43-tunables

* 'tunables' of https://github.com/nobody43/apparmor.d: dbus temp tails Update apparmor.d Update gdm-runtime-config more unrelated changes adjust date-time random tails rename to int, convert more profiles fixes tunables
2025-01-31 07:17:22 +01:00 · 2023-08-17 20:01:53 +01:00 · 2023-08-17 20:01:53 +01:00 · 557d905543
commit 557d905543
parent 7b018a60bd
198 changed files with 560 additions and 507 deletions
--- a/apparmor.d/abstractions/X-strict
+++ b/apparmor.d/abstractions/X-strict
@ -28,7 +28,7 @@
        @{run}/user/@{uid}/xauth_* rl,
  # Xwayland
-  owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* rw,
+  owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} rw,
  /etc/X11/cursors/{,**} r,
  /usr/share/X11/{,**} r,
--- a/apparmor.d/abstractions/apt-common
+++ b/apparmor.d/abstractions/apt-common
@ -27,6 +27,6 @@
  /var/lib/ubuntu-advantage/apt-esm/{,**} r,
  owner /tmp/clearsigned.message.* rw,
-  owner /tmp/#[0-9]*[0-9] rw,
+  owner /tmp/#@{int} rw,
  include if exists <abstractions/apt-common.d>
--- a/apparmor.d/abstractions/dbus-session-strict.d/complete
+++ b/apparmor.d/abstractions/dbus-session-strict.d/complete
@ -2,12 +2,12 @@
 # Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
-  unix (connect, send, receive, accept) type=stream addr="@/tmp/dbus-*",
+  unix (connect, send, receive, accept) type=stream addr="@/tmp/dbus-????????",
-  unix (bind, listen) type=stream addr="@/tmp/dbus-*",
+  unix (bind, listen) type=stream addr="@/tmp/dbus-????????",
-  unix (connect, receive, send, accept) type=stream peer=(addr="@/tmp/dbus-*"),
+  unix (connect, send, receive, accept) type=stream peer=(addr="@/tmp/dbus-????????"),
  owner @{run}/user/@{uid}/at-spi/ rw,
  owner @{run}/user/@{uid}/at-spi/bus{,_[0-9]*} rw,
-  owner /tmp/dbus-[0-9a-zA-Z]* rw,
+  owner /tmp/dbus-@{rand8} rw,
--- a/apparmor.d/abstractions/gstreamer
+++ b/apparmor.d/abstractions/gstreamer
@ -13,7 +13,7 @@
  /etc/openni2/OpenNI.ini r,
  owner @{HOME}/{.cache/,.}gstreamer-[0-9]*/ rw,
-  owner @{HOME}/{.cache/,.}gstreamer-[0-9]*/registry.*.bin{,.tmp*} rw,
+  owner @{HOME}/{.cache/,.}gstreamer-[0-9]*/registry.*.bin{,.tmp@{rand6}} rw,
  /tmp/ r,
  /var/tmp/ r,
--- a/apparmor.d/abstractions/ibus.d/complete
+++ b/apparmor.d/abstractions/ibus.d/complete
@ -6,17 +6,17 @@
  # abstract path in ibus < 1.5.22 uses /tmp
  unix (connect, receive, send)
      type=stream
-      peer=(addr="@/tmp/ibus/dbus-*"),
+      peer=(addr="@/tmp/ibus/dbus-????????"),
  # abstract path in ibus >= 1.5.22 uses $XDG_CACHE_HOME (ie, @{user_cache_dirs})
  # This should use this, but due to LP: #1856738 we cannot
  #unix (connect, receive, send)
  #    type=stream
-  #    peer=(addr="@@{user_cache_dirs}/ibus/dbus-*"),
+  #    peer=(addr="@@{user_cache_dirs}/ibus/dbus-????????"),
  unix (connect, receive, send)
      type=stream
-      peer=(addr="@/home/*/.cache/ibus/dbus-*"),
+      peer=(addr="@/home/*/.cache/ibus/dbus-????????"),
  unix (connect, send, receive, accept, bind, listen)
       type=stream
-       addr="@/home/*/.cache/ibus/dbus-*",
+       addr="@/home/*/.cache/ibus/dbus-????????",
--- a/apparmor.d/abstractions/kde5-plasma5
+++ b/apparmor.d/abstractions/kde5-plasma5
@ -19,14 +19,14 @@
  # For app config (in order to work the KDE_APP_NAME variable has to be set in profile which
  # includes this abstraction)
-  #owner @{user_config_dirs}/#[0-9]*[0-9] rwk,
+  #owner @{user_config_dirs}/#@{int} rwk,
-  #owner @{user_config_dirs}/@{KDE_APP_NAME}rc* rwlk -> @{user_config_dirs}/#[0-9]*[0-9],
+  #owner @{user_config_dirs}/@{KDE_APP_NAME}rc* rwlk -> @{user_config_dirs}/#@{int},
-  #owner @{run}/user/@{uid}/#[0-9]*[0-9] rw,
+  #owner @{run}/user/@{uid}/#@{int} rw,
-  #owner @{run}/user/@{uid}/@{KDE_APP_NAME}*.slave-socket rwl -> @{run}/user/@{uid}/#[0-9]*[0-9],
+  #owner @{run}/user/@{uid}/@{KDE_APP_NAME}*.slave-socket rwl -> @{run}/user/@{uid}/#@{int},
  # Common KDE config files
-  #owner @{user_config_dirs}/#[0-9]*[0-9] rw,
+  #owner @{user_config_dirs}/#@{int} rw,
-  #owner @{user_config_dirs}/kdeglobals* rwkl -> @{user_config_dirs}/#[0-9]*[0-9],
+  #owner @{user_config_dirs}/kdeglobals* rwkl -> @{user_config_dirs}/#@{int},
  #owner @{user_config_dirs}/baloofilerc r,
  #owner @{user_config_dirs}/dolphinrc r,
  #owner @{user_config_dirs}/trashrc r,
@ -36,8 +36,8 @@
  # For bookmarks
  #@{bin}/keditbookmarks rPUx,
  #owner @{user_share_dirs}/kfile/ rw,
-  #owner @{user_share_dirs}/kfile/#[0-9]*[0-9] rw,
+  #owner @{user_share_dirs}/kfile/#@{int} rw,
-  #owner @{user_share_dirs}/kfile/bookmarks.xml* rwl -> @{user_share_dirs}/kfile/#[0-9]*[0-9],
+  #owner @{user_share_dirs}/kfile/bookmarks.xml* rwl -> @{user_share_dirs}/kfile/#@{int},
  # Common cache files
  #owner @{user_cache_dirs}/icon-cache.kcache rw,
--- a/apparmor.d/abstractions/qt5-shader-cache
+++ b/apparmor.d/abstractions/qt5-shader-cache
@ -6,10 +6,10 @@
  abi <abi/3.0>,
  owner @{user_cache_dirs}/qtshadercache/ rw,
-  owner @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9] rw,
+  owner @{user_cache_dirs}/qtshadercache/#@{int} rw,
-  owner @{user_cache_dirs}/qtshadercache/@{hex} rwl -> @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9],
+  owner @{user_cache_dirs}/qtshadercache/@{hex} rwl -> @{user_cache_dirs}/qtshadercache/#@{int},
  owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/ rw,
-  owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9] rw,
+  owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/#@{int} rw,
-  owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/@{hex}* rwl -> @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9],
+  owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/@{hex}* rwl -> @{user_cache_dirs}/qtshadercache-*-little_endian-*/#@{int},
  include if exists <abstractions/qt5-shader-cache.d>
--- a/apparmor.d/abstractions/thumbnails-cache-write
+++ b/apparmor.d/abstractions/thumbnails-cache-write
@ -6,12 +6,12 @@
  owner @{HOME}/thumbnails/ rw,
  owner @{HOME}/thumbnails/{large,normal}/ rw,
-  owner @{HOME}/thumbnails/{large,normal}/#[0-9]*[0-9] rw,
+  owner @{HOME}/thumbnails/{large,normal}/#@{int} rw,
-  owner @{HOME}/thumbnails/{large,normal}/[a-f0-9]*.png rwl -> @{user_cache_dirs}/thumbnails/{large,normal}/#[0-9]*[0-9],
+  owner @{HOME}/thumbnails/{large,normal}/[a-f0-9]*.png rwl -> @{user_cache_dirs}/thumbnails/{large,normal}/#@{int},
  owner @{user_cache_dirs}/thumbnails/ rw,
  owner @{user_cache_dirs}/thumbnails/{large,normal}/ rw,
-  owner @{user_cache_dirs}/thumbnails/{large,normal}/#[0-9]*[0-9] rw,
+  owner @{user_cache_dirs}/thumbnails/{large,normal}/#@{int} rw,
-  owner @{user_cache_dirs}/thumbnails/{large,normal}/[a-f0-9]*.png rwl -> @{user_cache_dirs}/thumbnails/{large,normal}/#[0-9]*[0-9],
+  owner @{user_cache_dirs}/thumbnails/{large,normal}/[a-f0-9]*.png rwl -> @{user_cache_dirs}/thumbnails/{large,normal}/#@{int},
  include if exists <abstractions/thumbnails-cache-write.d>
--- a/apparmor.d/abstractions/trash.d/complete
+++ b/apparmor.d/abstractions/trash.d/complete
@ -5,11 +5,11 @@
  owner @{user_config_dirs}/trashrc rw,
  owner @{user_config_dirs}/trashrc.lock rwk,
-  owner @{user_config_dirs}/#[0-9]*[0-9] rwk,
+  owner @{user_config_dirs}/#@{int} rwk,
-  owner @{user_config_dirs}/trashrc.* rwl -> @{user_config_dirs}/#[0-9]*[0-9],
+  owner @{user_config_dirs}/trashrc.* rwl -> @{user_config_dirs}/#@{int},
-  owner @{run}/user/@{uid}/#[0-9]*[0-9] rw,
+  owner @{run}/user/@{uid}/#@{int} rw,
-  owner @{run}/user/@{uid}/trash.so*.[0-9].slave-socket rwl -> @{run}/user/@{uid}/#[0-9]*[0-9],
+  owner @{run}/user/@{uid}/trash.so*.[0-9].slave-socket rwl -> @{run}/user/@{uid}/#@{int},
  # Home trash location
  owner @{user_share_dirs}/Trash/{,**} rwl,
--- a/apparmor.d/groups/akonadi/akonadi_archivemail_agent
+++ b/apparmor.d/groups/akonadi/akonadi_archivemail_agent
@ -31,7 +31,7 @@ profile akonadi_archivemail_agent @{exec_path} {
  owner @{user_cache_dirs}/icon-cache.kcache rw,
-  owner @{user_config_dirs}/#[0-9]* rw,
+  owner @{user_config_dirs}/#@{int} rw,
  owner @{user_config_dirs}/akonadi_archivemail_agentrc r,
  owner @{user_config_dirs}/akonadi/agent_config_akonadi_archivemail_agent r,
  owner @{user_config_dirs}/akonadi/agent_config_akonadi_archivemail_agent_changes{,.dat} rw,
--- a/apparmor.d/groups/akonadi/akonadi_indexing_agent
+++ b/apparmor.d/groups/akonadi/akonadi_indexing_agent
@ -34,8 +34,8 @@ profile akonadi_indexing_agent @{exec_path} {
  owner @{user_cache_dirs}/icon-cache.kcache rw,
  owner @{user_config_dirs}/akonadi_indexing_agentrc r,
-  owner @{user_config_dirs}/akonadi/#[0-9]* rw,
+  owner @{user_config_dirs}/akonadi/#@{int} rw,
-  owner @{user_config_dirs}/akonadi/agent_config_akonadi_indexing_agent* rwlk,
+  owner @{user_config_dirs}/akonadi/agent_config_akonadi_indexing_agent{,.*} rwlk,
  owner @{user_config_dirs}/akonadi/akonadiconnectionrc r,
  owner @{user_config_dirs}/kdedefaults/kdeglobals r,
  owner @{user_config_dirs}/kdedefaults/kwinrc r,
--- a/apparmor.d/groups/akonadi/akonadi_maildispatcher_agent
+++ b/apparmor.d/groups/akonadi/akonadi_maildispatcher_agent
@ -37,7 +37,7 @@ profile akonadi_maildispatcher_agent @{exec_path} {
  owner @{user_cache_dirs}/icon-cache.kcache rw,
-  owner @{user_config_dirs}/akonadi/#[0-9]* rw,
+  owner @{user_config_dirs}/akonadi/#@{int} rw,
  owner @{user_config_dirs}/akonadi/agent_config_akonadi_maildispatcher_agent* rwkl,
  owner @{user_config_dirs}/akonadi/akonadiconnectionrc r,
  owner @{user_config_dirs}/kdedefaults/kdeglobals r,
--- a/apparmor.d/groups/akonadi/akonadi_mailfilter_agent
+++ b/apparmor.d/groups/akonadi/akonadi_mailfilter_agent
@ -36,7 +36,7 @@ profile akonadi_mailfilter_agent @{exec_path} {
  owner @{user_cache_dirs}/icon-cache.kcache rw,
-  owner @{user_config_dirs}/#[0-9]* rw,
+  owner @{user_config_dirs}/#@{int} rw,
  owner @{user_config_dirs}/agent_config_akonadi_mailfilter_agent r,
  owner @{user_config_dirs}/akonadi_*_resource_*rc r,
  owner @{user_config_dirs}/akonadi_mailfilter_agentrc r,
@ -54,7 +54,7 @@ profile akonadi_mailfilter_agent @{exec_path} {
  owner @{user_config_dirs}/kmail2rc r,
  owner @{user_config_dirs}/kwinrc r,
-  owner /tmp/#[0-9]* rw,
+  owner /tmp/#@{int} rw,
  owner /tmp/akonadi_mailfilter_agent.* rwl,
  owner @{user_config_dirs}/specialmailcollectionsrc r,
--- a/apparmor.d/groups/akonadi/akonadi_newmailnotifier_agent
+++ b/apparmor.d/groups/akonadi/akonadi_newmailnotifier_agent
@ -33,7 +33,7 @@ profile akonadi_newmailnotifier_agent @{exec_path} {
  owner @{user_cache_dirs}/icon-cache.kcache rw,
-  owner @{user_config_dirs}/#[0-9]* rw,
+  owner @{user_config_dirs}/#@{int} rw,
  owner @{user_config_dirs}/akonadi_newmailnotifier_agentrc r,
  owner @{user_config_dirs}/akonadi/agent_config_akonadi_newmailnotifier_agent_changes{,_changes.dat,.dat} rw,
  owner @{user_config_dirs}/akonadi/akonadiconnectionrc r,
--- a/apparmor.d/groups/apps/calibre
+++ b/apparmor.d/groups/apps/calibre
@ -128,14 +128,14 @@ profile calibre @{exec_path} {
  owner @{user_cache_dirs}/calibre/ rw,
  owner @{user_cache_dirs}/calibre/** rwkl -> @{user_cache_dirs}/calibre/**,
-  owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/@{hex} rwl -> @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9],
+  owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/@{hex} rwl -> @{user_cache_dirs}/qtshadercache-*-little_endian-*/#@{int},
-  owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9] rw,
+  owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/#@{int} rw,
  owner @{user_cache_dirs}/qtshadercache/ rw,
-  owner @{user_cache_dirs}/qtshadercache/@{hex} rwl -> @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9],
+  owner @{user_cache_dirs}/qtshadercache/@{hex} rwl -> @{user_cache_dirs}/qtshadercache/#@{int},
-  owner @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9] rw,
+  owner @{user_cache_dirs}/qtshadercache/#@{int} rw,
  owner @{user_cache_dirs}/gstreamer-[0-9]*/ rw,
-  owner @{user_cache_dirs}/gstreamer-[0-9]*/registry.*.bin{,.tmp*} rw,
+  owner @{user_cache_dirs}/gstreamer-[0-9]*/registry.*.bin{,.tmp@{rand6}} rw,
  owner @{user_config_dirs}/qt5ct/{,**} r,
@ -146,7 +146,7 @@ profile calibre @{exec_path} {
 #  owner /tmp/[0-9]*-*/** rwl -> /tmp/[0-9]*-*/**,  # newer AA version
  owner /tmp/* rw,
-  owner /dev/shm/#[0-9]*[0-9] rw,
+  owner /dev/shm/#@{int} rw,
  @{sys}/devices/pci[0-9]*/**/irq r,
--- a/apparmor.d/groups/apps/dropbox
+++ b/apparmor.d/groups/apps/dropbox
@ -107,7 +107,7 @@ profile dropbox @{exec_path} {
  # Dropbox first tries the /tmp/ dir, and if it's denied it uses the /var/tmp/ dir instead
  owner /tmp/dropbox-antifreeze-* rw,
  owner /tmp/[a-zA-z0-9]* rw,
-  owner /tmp/#[0-9]*[0-9] rw,
+  owner /tmp/#@{int} rw,
  owner /var/tmp/etilqs_* rw,
  @{run}/systemd/users/@{uid} r,
--- a/apparmor.d/groups/apps/flameshot
+++ b/apparmor.d/groups/apps/flameshot
@ -40,8 +40,8 @@ profile flameshot @{exec_path} {
  # Flameshot home files
  owner @{user_config_dirs}/flameshot/ rw,
  owner @{user_config_dirs}/flameshot/flameshot.ini rw,
-  owner @{user_config_dirs}/flameshot/#[0-9]*[0-9] rw,
+  owner @{user_config_dirs}/flameshot/#@{int} rw,
-  owner @{user_config_dirs}/flameshot/flameshot.ini* rwl -> @{user_config_dirs}/flameshot/#[0-9]*[0-9],
+  owner @{user_config_dirs}/flameshot/flameshot.ini* rwl -> @{user_config_dirs}/flameshot/#@{int},
  owner @{user_config_dirs}/flameshot/flameshot.ini.lock rwk,
  owner @{user_config_dirs}/qt5ct/{,**} r,
@ -63,7 +63,7 @@ profile flameshot @{exec_path} {
  /etc/fstab r,
-  /dev/shm/#[0-9]*[0-9] rw,
+  /dev/shm/#@{int} rw,
  # file_inherit
  owner /dev/tty[0-9]* rw,
--- a/apparmor.d/groups/apps/okular
+++ b/apparmor.d/groups/apps/okular
@ -39,15 +39,15 @@ profile okular @{exec_path} {
        /tmp/mozilla_*/ r,
  owner /{home,media,tmp/mozilla_*}/**.@{okular_ext} rw,
-  owner @{user_config_dirs}/#[0-9]*[0-9] rw,
+  owner @{user_config_dirs}/#@{int} rw,
  owner @{user_config_dirs}/okularrc rw,
  owner @{user_config_dirs}/okularrc.lock rwk,
-  owner @{user_config_dirs}/okularrc.* rwl -> @{user_config_dirs}/#[0-9]*[0-9],
+  owner @{user_config_dirs}/okularrc.* rwl -> @{user_config_dirs}/#@{int},
  owner @{user_config_dirs}/okularpartrc rw,
  owner @{user_config_dirs}/okularpartrc.lock rwk,
-  owner @{user_config_dirs}/okularpartrc.* rwl -> @{user_config_dirs}/#[0-9]*[0-9],
+  owner @{user_config_dirs}/okularpartrc.* rwl -> @{user_config_dirs}/#@{int},
  owner @{user_config_dirs}/kdeglobals r,
  owner @{user_config_dirs}/kwalletrc r,
@ -72,7 +72,7 @@ profile okular @{exec_path} {
  deny       @{PROC}/sys/kernel/random/boot_id r,
  deny owner @{PROC}/@{pid}/cmdline r,
-  /dev/shm/#[0-9]*[0-9] rw,
+  /dev/shm/#@{int} rw,
  /var/lib/dbus/machine-id r,
  /etc/machine-id r,
@ -86,8 +86,8 @@ profile okular @{exec_path} {
  # Print to pdf
  @{bin}/ps2pdf rPUx,
  owner /tmp/@{hex} rw,
-  owner /tmp/#[0-9]*[0-9] rw,
+  owner /tmp/#@{int} rw,
-  owner /tmp/okular_*.ps rwl -> /tmp/#[0-9]*[0-9],
+  owner /tmp/okular_*.ps rwl -> /tmp/#@{int},
  # About
  /usr/share/kf5/licenses/GPL_V2 r,
--- a/apparmor.d/groups/apps/telegram-desktop
+++ b/apparmor.d/groups/apps/telegram-desktop
@ -51,7 +51,7 @@ profile telegram-desktop @{exec_path} {
  # Download dir
  owner @{TELEGRAM_WORK_DIR}/ rw,
-  owner @{TELEGRAM_WORK_DIR}/** rwkl -> @{TELEGRAM_WORK_DIR}/#[0-9]*[0-9],
+  owner @{TELEGRAM_WORK_DIR}/** rwkl -> @{TELEGRAM_WORK_DIR}/#@{int},
  # Telegram's profile (via telegram -many -workdir ~/some/dir/)
  #owner @{TELEGRAM_WORK_DIR}/{,**} rw,
@ -62,7 +62,7 @@ profile telegram-desktop @{exec_path} {
  owner /tmp/@{hex}-* rwk,
  owner @{run}/user/@{uid}/@{hex}-* rwk,
-  /dev/shm/#[0-9]*[0-9] rw,
+  /dev/shm/#@{int} rw,
       owner @{PROC}/@{pid}/fd/ r,
  deny owner @{PROC}/@{pid}/cmdline r,
--- a/apparmor.d/groups/apps/vlc
+++ b/apparmor.d/groups/apps/vlc
@ -161,13 +161,13 @@ profile vlc @{exec_path} {
  owner @{user_cache_dirs}/ rw,
  owner @{user_cache_dirs}/ rw,
-  owner @{user_cache_dirs}/#[0-9]*[0-9] rw,
+  owner @{user_cache_dirs}/#@{int} rw,
  owner @{user_cache_dirs}/vlc/ rw,
  owner @{user_cache_dirs}/vlc/{,**} rw,
  owner @{user_config_dirs}/qt5ct/{,**} r,
  owner @{user_config_dirs}/vlc/ rw,
-  owner @{user_config_dirs}/vlc/* rwkl -> @{user_config_dirs}/vlc/#[0-9]*[0-9],
+  owner @{user_config_dirs}/vlc/* rwkl -> @{user_config_dirs}/vlc/#@{int},
  owner @{user_share_dirs}/vlc/{,**} rw,
@ -193,7 +193,7 @@ profile vlc @{exec_path} {
  audit       @{PROC}/sys/kernel/random/boot_id r,
  audit owner @{PROC}/@{pid}/cmdline r,
-        /dev/shm/#[0-9]*[0-9] rw,
+        /dev/shm/#@{int} rw,
  owner /dev/tty[0-9]* rw,
  # Silencer
--- a/apparmor.d/groups/apt/apt
+++ b/apparmor.d/groups/apt/apt
@ -239,7 +239,7 @@ profile apt @{exec_path} flags=(attach_disconnected) {
    @{bin}/systemd-tty-ask-password-agent rix,
-    owner @{run}/systemd/ask-password-block/* rw,
+    owner @{run}/systemd/ask-password-block/{,*} rw,
    owner @{run}/systemd/ask-password/ rw,
    owner @{run}/systemd/private rw,
--- a/apparmor.d/groups/apt/apt-extracttemplates
+++ b/apparmor.d/groups/apt/apt-extracttemplates
@ -25,7 +25,7 @@ profile apt-extracttemplates @{exec_path} {
  owner /var/log/unattended-upgrades/unattended-upgrades-dpkg.log rw,
-  owner /tmp/*.{config,template}.?????? rw,
+  owner /tmp/*.{config,template}.@{rand6} rw,
  owner @{PROC}/@{pid}/fd/ r,
--- a/apparmor.d/groups/apt/debsecan
+++ b/apparmor.d/groups/apt/debsecan
@ -44,7 +44,7 @@ profile debsecan @{exec_path} {
  owner @{PROC}/@{pid}/fd/ r,
  # file_inherit
-  /tmp/#[0-9]*[0-9] rw,
+  /tmp/#@{int} rw,
  include if exists <local/debsecan>
 }
--- a/apparmor.d/groups/apt/dpkg-query
+++ b/apparmor.d/groups/apt/dpkg-query
@ -22,7 +22,7 @@ profile dpkg-query @{exec_path} {
  /var/lib/dpkg/** r,
  # file_inherit
-  /tmp/#[0-9]*[0-9] rw,
+  /tmp/#@{int} rw,
  /dev/tty[0-9]* rw,
  include if exists <local/dpkg-query>
--- a/apparmor.d/groups/browsers/chromium-wrapper
+++ b/apparmor.d/groups/browsers/chromium-wrapper
@ -38,7 +38,7 @@ profile chromium-wrapper @{exec_path} {
  owner @{HOME}/.xsession-errors w,
-  owner /tmp/chromiumargs.?????? rw,
+  owner /tmp/chromiumargs.@{rand6} rw,
  owner /tmp/tmp.*/ rw,
  owner /tmp/tmp.*/** rwk,
--- a/apparmor.d/groups/browsers/firefox
+++ b/apparmor.d/groups/browsers/firefox
@ -190,11 +190,12 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
  owner @{user_config_dirs}/ r,
  owner @{user_config_dirs}/gtk-{3,4}.0/assets/*.svg r,
-  owner @{user_config_dirs}/ibus/bus/{,@{hex}-unix{,-wayland}-[0-9]*} r,
+  owner @{user_config_dirs}/ibus/bus/ r,
-  owner @{user_config_dirs}/mimeapps.list{,.*} rw,
+  owner @{user_config_dirs}/ibus/bus/@{md5}-unix-{,wayland-}@{int} r,
  owner @{user_config_dirs}/mimeapps.list{,.@{rand6}} rw,
  owner @{user_share_dirs}/ r,
-  owner @{user_share_dirs}/applications/userapp-Firefox-??????.desktop{,.??????} rw,
+  owner @{user_share_dirs}/applications/userapp-Firefox-@{rand6}.desktop{,.@{rand6}} rw,
  owner @{user_share_dirs}/mime/packages/user-extension-{htm,html,xht,xhtml,shtml}.xml rw,
  owner @{user_share_dirs}/mime/packages/user-extension-{htm,html,xht,xhtml,shtml}.xml.* rw,
--- a/apparmor.d/groups/browsers/firefox-glxtest
+++ b/apparmor.d/groups/browsers/firefox-glxtest
@ -26,9 +26,9 @@ profile firefox-glxtest @{exec_path} {
  owner /tmp/firefox/.parentlock rw,
-  owner /tmp/xauth_?????? r,
+  owner /tmp/xauth_@{rand6} r,
-  owner @{run}/user/@{uid}/xauth_?????? r,
+  owner @{run}/user/@{uid}/xauth_@{rand6} r,
  @{sys}/bus/pci/devices/ r,
  @{sys}/devices/pci[0-9]*/**/class r,
--- a/apparmor.d/groups/browsers/firefox-kmozillahelper
+++ b/apparmor.d/groups/browsers/firefox-kmozillahelper
@ -40,7 +40,7 @@ profile firefox-kmozillahelper @{exec_path} {
  owner @{user_config_dirs}/kmozillahelperrc r,
  owner @{user_config_dirs}/kwinrc r,
-  owner @{run}/user/@{uid}/xauth_* rl,
+  owner @{run}/user/@{uid}/xauth_@{rand6} rl,
  @{PROC}/sys/kernel/core_pattern r,
--- a/apparmor.d/groups/bus/dbus-daemon
+++ b/apparmor.d/groups/bus/dbus-daemon
@ -77,8 +77,6 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) {
  owner @{user_share_dirs}/dbus-1/{,**} r,
        @{user_share_dirs}/icc/{,edid-*} r,
  owner /tmp/dbus-[0-9a-zA-Z]* rw,
  owner @{run}/user/@{uid}/dbus-1/ rw,
  owner @{run}/user/@{uid}/dbus-1/services/ rw,
        @{run}/systemd/inhibit/[0-9]*.ref rw,
--- a/apparmor.d/groups/bus/ibus-daemon
+++ b/apparmor.d/groups/bus/ibus-daemon
@ -16,9 +16,9 @@ profile ibus-daemon @{exec_path} flags=(attach_disconnected) {
  signal (receive) set=(usr1) peer=gnome-shell,
  signal (send) set=(term) peer=ibus*,
-  unix (bind, listen)          type=stream addr=@/var/lib/gdm{3,}/.cache/ibus/dbus-*,
+  unix (bind, listen)          type=stream addr="@/var/lib/gdm{3,}/.cache/ibus/dbus-????????",
-  unix (send, receive, accept) type=stream addr=@/var/lib/gdm{3,}/.cache/ibus/dbus-* peer=(label=ibus-*),
+  unix (send, receive, accept) type=stream addr="@/var/lib/gdm{3,}/.cache/ibus/dbus-????????" peer=(label=ibus-*),
-  unix (send, receive, accept) type=stream addr=@/var/lib/gdm{3,}/.cache/ibus/dbus-* peer=(label=gnome-shell),
+  unix (send, receive, accept) type=stream addr="@/var/lib/gdm{3,}/.cache/ibus/dbus-????????" peer=(label=gnome-shell),
  dbus send bus=session path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus
--- a/apparmor.d/groups/bus/ibus-dconf
+++ b/apparmor.d/groups/bus/ibus-dconf
@ -16,8 +16,8 @@ profile ibus-dconf @{exec_path} flags=(attach_disconnected) {
  signal (receive) set=term peer=ibus-daemon,
-  unix (send, receive, connect) type=stream peer=(addr="@/home/*/.cache/ibus/dbus-*",          label=ibus-daemon),
+  unix (send, receive, connect) type=stream peer=(addr="@/home/*/.cache/ibus/dbus-????????",          label=ibus-daemon),
-  unix (send, receive, connect) type=stream peer=(addr="@/var/lib/gdm{3,}/.cache/ibus/dbus-*", label=ibus-daemon),
+  unix (send, receive, connect) type=stream peer=(addr="@/var/lib/gdm{3,}/.cache/ibus/dbus-????????", label=ibus-daemon),
  dbus receive bus=session path=/
       interface=org.freedesktop.DBus.Introspectable
@ -32,16 +32,16 @@ profile ibus-dconf @{exec_path} flags=(attach_disconnected) {
  /etc/dconf/db/ibus r,
  /etc/dconf/profile/ibus r,
-  /var/lib/gdm{3,}/.config/ibus/bus/{,@{hex}-unix-wayland-[0-9]*} r,
+  /var/lib/gdm{3,}/.config/ibus/bus/ r,
-  /var/lib/gdm{3,}/.config/ibus/bus/@{hex}-unix-[0-9]* r,
+  /var/lib/gdm{3,}/.config/ibus/bus/@{md5}-unix-{,wayland-}@{int} r,
  /var/lib/gdm{3,}/.cache/dconf/ w,
  /var/lib/gdm{3,}/.cache/dconf/user rw,
  /var/lib/gdm{3,}/.config/dconf/ w,
  /var/lib/gdm{3,}/.config/dconf/user rw,
  /var/lib/gdm{3,}/greeter-dconf-defaults r,
-  owner @{user_config_dirs}/ibus/bus/{,@{hex}-unix-wayland-[0-9]*} r,
+  owner @{user_config_dirs}/ibus/bus/ r,
-  owner @{user_config_dirs}/ibus/bus/@{hex}-unix-[0-9]* r,
+  owner @{user_config_dirs}/ibus/bus/@{md5}-unix-{,wayland-}@{int} r,
  owner /dev/tty[0-9]* rw,
--- a/apparmor.d/groups/bus/ibus-engine-simple
+++ b/apparmor.d/groups/bus/ibus-engine-simple
@ -13,15 +13,15 @@ profile ibus-engine-simple @{exec_path} flags=(attach_disconnected) {
  signal (receive) set=term peer=ibus-daemon,
-  unix (send, receive, connect) type=stream peer=(addr="@/var/lib/gdm{3,}/.cache/ibus/dbus-*", label=ibus-daemon),
+  unix (send, receive, connect) type=stream peer=(addr="@/var/lib/gdm{3,}/.cache/ibus/dbus-????????", label=ibus-daemon),
  @{exec_path} mr,
  /etc/machine-id r,
  /var/lib/dbus/machine-id r,
-  /var/lib/gdm{3,}/.config/ibus/bus/{,@{hex}-unix-wayland-[0-9]} r,
+  /var/lib/gdm{3,}/.config/ibus/bus/ r,
-  /var/lib/gdm{3,}/.config/ibus/bus/@{hex}-unix-[0-9] r,
+  /var/lib/gdm{3,}/.config/ibus/bus/@{md5}-unix-{,wayland-}@{int} r,
  owner /dev/tty[0-9]* rw,
--- a/apparmor.d/groups/bus/ibus-extension-gtk3
+++ b/apparmor.d/groups/bus/ibus-extension-gtk3
@ -72,10 +72,10 @@ profile ibus-extension-gtk3 @{exec_path} flags=(attach_disconnected) {
  /usr/share/icons/{,**} r,
  /usr/share/X11/xkb/** r,
-  owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* r,
+  owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} r,
  owner @{run}/user/@{uid}/gdm/Xauthority r,
-  /var/lib/gdm{3,}/.config/ibus/bus/*-unix{,-wayland}-[0-9]* r,
+  /var/lib/gdm{3,}/.config/ibus/bus/@{md5}-unix-{,wayland-}@{int} r,
  /var/lib/gdm{3,}/.config/dconf/user r,
  /var/lib/gdm{3,}/greeter-dconf-defaults r,
--- a/apparmor.d/groups/bus/ibus-memconf
+++ b/apparmor.d/groups/bus/ibus-memconf
@ -17,7 +17,7 @@ profile ibus-memconf @{exec_path} {
  /etc/machine-id r,
  /var/lib/gdm{3,}/.config/ibus/bus/ r,
-  /var/lib/gdm{3,}/.config/ibus/bus/@{hex}-unix-[0-9]* r,
+  /var/lib/gdm{3,}/.config/ibus/bus/@{md5}-unix-{,wayland-}@{int} r,
  include if exists <local/ibus-memconf>
 }
--- a/apparmor.d/groups/bus/ibus-portal
+++ b/apparmor.d/groups/bus/ibus-portal
@ -37,7 +37,7 @@ profile ibus-portal @{exec_path} flags=(attach_disconnected) {
  /var/lib/dbus/machine-id r,
  /var/lib/gdm{3,}/.config/ibus/bus/ r,
-  /var/lib/gdm{3,}/.config/ibus/bus/@{hex}-unix-{,wayland-}[0-9] r,
+  /var/lib/gdm{3,}/.config/ibus/bus/@{md5}-unix-{,wayland-}@{int} r,
  owner /dev/tty[0-9]* rw,
--- a/apparmor.d/groups/bus/ibus-x11
+++ b/apparmor.d/groups/bus/ibus-x11
@ -44,13 +44,13 @@ profile ibus-x11 @{exec_path} flags=(attach_disconnected) {
  @{exec_path} mr,
  /var/lib/gdm{3,}/.config/ibus/bus/ r,
-  /var/lib/gdm{3,}/.config/ibus/bus/@{hex}-unix{,-wayland}-[0-9] r,
+  /var/lib/gdm{3,}/.config/ibus/bus/@{md5}-unix-{,wayland-}@{int} r,
  /var/lib/gdm{3,}/.cache/mesa_shader_cache/index rw,
  owner @{user_config_dirs}/ibus/bus/ r,
-  owner @{user_config_dirs}/ibus/bus/@{hex}-unix{,-wayland}-[0-9] r,
+  owner @{user_config_dirs}/ibus/bus/@{md5}-unix-{,wayland-}@{int} r,
-  owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* r,
+  owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} r,
  owner @{run}/user/@{uid}/gdm/Xauthority r,
  owner /dev/tty[0-9]* rw,
--- a/apparmor.d/groups/children/child-dpkg
+++ b/apparmor.d/groups/children/child-dpkg
@ -45,7 +45,7 @@ profile child-dpkg {
  /var/log/dpkg.log ra,
  # file_inherit
-  /tmp/#[0-9]*[0-9] rw,
+  /tmp/#@{int} rw,
  include if exists <local/child-dpkg>
 }
--- a/apparmor.d/groups/children/child-dpkg-divert
+++ b/apparmor.d/groups/children/child-dpkg-divert
@ -26,7 +26,7 @@ profile child-dpkg-divert {
  /var/lib/dpkg/diversions r,
  # file_inherit
-  /tmp/#[0-9]*[0-9] rw,
+  /tmp/#@{int} rw,
  include if exists <local/child-dpkg-divert>
 }
--- a/apparmor.d/groups/children/child-systemctl
+++ b/apparmor.d/groups/children/child-systemctl
@ -39,10 +39,10 @@ profile child-systemctl flags=(attach_disconnected) {
  /etc/systemd/user/{,**} rwl,
  /{run,var}/log/journal/ r,
-  /{run,var}/log/journal/@{hex}/ r,
+  /{run,var}/log/journal/@{md5}/ r,
-  /{run,var}/log/journal/@{hex}/user-@{hex}.journal* r,
+  /{run,var}/log/journal/@{md5}/user-@{hex}.journal* r,
-  /{run,var}/log/journal/@{hex}/system.journal* r,
+  /{run,var}/log/journal/@{md5}/system.journal* r,
-  /{run,var}/log/journal/@{hex}/system@@{hex}.journal* r,
+  /{run,var}/log/journal/@{md5}/system@@{hex}.journal* r,
  @{run}/systemd/private rw,
--- a/apparmor.d/groups/cron/cron
+++ b/apparmor.d/groups/cron/cron
@ -53,7 +53,7 @@ profile cron @{exec_path} flags=(attach_disconnected) {
  @{run}/systemd/sessions/*.ref rw,
-  owner /tmp/#[0-9]*[0-9] rw,
+  owner /tmp/#@{int} rw,
  owner @{PROC}/@{pid}/uid_map r,
  owner @{PROC}/@{pid}/loginuid rw,
--- a/apparmor.d/groups/cron/cron-apt
+++ b/apparmor.d/groups/cron/cron-apt
@ -83,7 +83,7 @@ profile cron-apt @{exec_path} {
  owner /tmp/cron-apt.*/action{log,error,mail,syslog} rw,
  # file_inherit
-  owner /tmp/#[0-9]*[0-9] rw,
+  owner /tmp/#@{int} rw,
  include if exists <local/cron-apt>
 }
--- a/apparmor.d/groups/cron/cron-popularity-contest
+++ b/apparmor.d/groups/cron/cron-popularity-contest
@ -56,7 +56,7 @@ profile cron-popularity-contest @{exec_path} {
  owner /tmp/tmp.*/random_seed w,
  # file_inherit
-  owner /tmp/#[0-9]*[0-9] rw,
+  owner /tmp/#@{int} rw,
  profile savelog {
@ -81,7 +81,7 @@ profile cron-popularity-contest @{exec_path} {
    /var/log/popularity-contest rw,
    # file_inherit
-    owner /tmp/#[0-9]*[0-9] rw,
+    owner /tmp/#@{int} rw,
  }
@ -105,7 +105,7 @@ profile cron-popularity-contest @{exec_path} {
    /var/log/popularity-contest.new w,
    # file_inherit
-    owner /tmp/#[0-9]*[0-9] rw,
+    owner /tmp/#@{int} rw,
  }
@ -125,7 +125,7 @@ profile cron-popularity-contest @{exec_path} {
    owner /tmp/tmp.*/** rwkl -> /tmp/tmp.*/**,
    # file_inherit
-    owner /tmp/#[0-9]*[0-9] rw,
+    owner /tmp/#@{int} rw,
  }
@ -150,7 +150,7 @@ profile cron-popularity-contest @{exec_path} {
    /var/log/popularity-contest.[0-9]*.gpg r,
    # file_inherit
-    owner /tmp/#[0-9]*[0-9] rw,
+    owner /tmp/#@{int} rw,
  }
--- a/apparmor.d/groups/freedesktop/accounts-daemon
+++ b/apparmor.d/groups/freedesktop/accounts-daemon
@ -49,17 +49,19 @@ profile accounts-daemon @{exec_path} flags=(attach_disconnected) {
  @{bin}/passwd      rPx,
  @{bin}/userdel     rPx,
  @{bin}/usermod     rPx,
  @{bin}/locale     rPUx,
  /usr/share/language-tools/language-validate   rPx,
  /usr/share/language-tools/set-language-helper rPUx,
  /usr/share/language-tools/save-to-pam-env rPUx,
  /usr/share/accountsservice/{,**} r,
  /usr/share/dbus-1/interfaces/*.xml r,
  /etc/default/locale r,
  /etc/gdm{3,}/ r,
-  /etc/gdm{3,}/custom.conf{,.??????} rw,
+  /etc/gdm{3,}/custom.conf{,.@{rand6}} rw,
-  /etc/gdm{3,}/daemon.conf{,.??????} rw,
+  /etc/gdm{3,}/daemon.conf{,.@{rand6}} rw,
  /etc/machine-id r,
  /etc/shadow r,
  /etc/shells r,
@ -69,6 +71,7 @@ profile accounts-daemon @{exec_path} flags=(attach_disconnected) {
  owner /var/lib/AccountsService/** rw,
        @{HOME}/ r,
  owner @{HOME}/.pam_environment r,
  owner @{PROC}/@{pid}/fd/ r,
  owner @{PROC}/@{pid}/loginuid rw,
@ -81,7 +84,7 @@ profile accounts-daemon @{exec_path} flags=(attach_disconnected) {
  # wtmp.d ?
  /var/log/wtmp r,
-  owner /tmp/gnome-control-center-user-icon-?????? rw,
+  owner /tmp/gnome-control-center-user-icon-@{rand6} rw,
  include if exists <local/accounts-daemon>
 }
--- a/apparmor.d/groups/freedesktop/at-spi-bus-launcher
+++ b/apparmor.d/groups/freedesktop/at-spi-bus-launcher
@ -39,10 +39,10 @@ profile at-spi-bus-launcher @{exec_path} flags=(attach_disconnected) {
  owner @{HOME}/.Xauthority r,
  owner @{HOME}/.xsession-errors w,
-  owner /tmp/runtime-*/xauth_?????? r,
+  owner /tmp/runtime-*/xauth_@{rand6} r,
  owner @{run}/user/@{uid}/gdm/Xauthority r,
-  owner @{run}/user/@{uid}/xauth_?????? r,
+  owner @{run}/user/@{uid}/xauth_@{rand6} r,
  /var/lib/lightdm/.Xauthority r,
  /var/lib/gdm{3,}/.config/dconf/user r,
--- a/apparmor.d/groups/freedesktop/at-spi2-registryd
+++ b/apparmor.d/groups/freedesktop/at-spi2-registryd
@ -89,11 +89,11 @@ profile at-spi2-registryd @{exec_path} flags=(attach_disconnected) {
  owner @{HOME}/.Xauthority r,
  owner @{HOME}/.xsession-errors w,
-  owner /tmp/runtime-*/xauth_?????? r,
+  owner /tmp/runtime-*/xauth_@{rand6} r,
-  owner /tmp/xauth_?????? r,
+  owner /tmp/xauth_@{rand6} r,
  owner @{run}/user/@{uid}/gdm/Xauthority r,
-  owner @{run}/user/@{uid}/xauth_?????? r,
+  owner @{run}/user/@{uid}/xauth_@{rand6} r,
  owner /dev/tty[0-9]* rw,
--- a/apparmor.d/groups/freedesktop/dconf
+++ b/apparmor.d/groups/freedesktop/dconf
@ -17,11 +17,12 @@ profile dconf @{exec_path} flags=(attach_disconnected) {
  @{exec_path} mr,
  /etc/dconf/db/** rw,
  /etc/gdm{3,}/greeter.dconf-defaults r,
  /usr/share/gdm/dconf/{,**} r,
  /var/lib/gdm{3,}/ r,
-  /var/lib/gdm{3,}/greeter-dconf-defaults{,.??????} rw,
+  /var/lib/gdm{3,}/greeter-dconf-defaults{,.@{rand6}} rw,
  owner @{user_config_dirs}/dconf/ rw,
  owner @{user_config_dirs}/dconf/user{,.*} rw,
--- a/apparmor.d/groups/freedesktop/dconf-editor
+++ b/apparmor.d/groups/freedesktop/dconf-editor
@ -24,7 +24,7 @@ profile dconf-editor @{exec_path} {
  owner @{user_config_dirs}/glib-2.0/ rw,
  owner @{user_config_dirs}/glib-2.0/settings/ rw,
  owner @{user_config_dirs}/glib-2.0/settings/keyfile rw,
-  owner @{user_config_dirs}/glib-2.0/settings/.goutputstream-* rw,
+  owner @{user_config_dirs}/glib-2.0/settings/.goutputstream-@{rand6} rw,
  owner @{HOME}/.Xauthority r,
  owner /dev/tty[0-9]* rw,
--- a/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent
+++ b/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent
@ -48,8 +48,8 @@ profile polkit-kde-authentication-agent @{exec_path} {
  owner @{user_config_dirs}/kwinrc r,
  owner @{user_config_dirs}/qt5ct/{,**} r,
-  owner /tmp/#[0-9]*[0-9] rw,
+  owner /tmp/#@{int} rw,
-  owner /tmp/polkit-kde-authentication-agent-[0-9].* rwl -> /tmp/#[0-9]*[0-9],
+  owner /tmp/polkit-kde-authentication-agent-[0-9].* rwl -> /tmp/#@{int},
  @{run}/systemd/users/@{uid} r,
@ -58,7 +58,7 @@ profile polkit-kde-authentication-agent @{exec_path} {
  @{PROC}/@{pid}/fd/ r,
  @{PROC}/sys/kernel/core_pattern r,
-  /dev/shm/#[0-9]*[0-9] rw,
+  /dev/shm/#@{int} rw,
  include if exists <local/polkit-kde-authentication-agent>
 }
--- a/apparmor.d/groups/freedesktop/pulseaudio
+++ b/apparmor.d/groups/freedesktop/pulseaudio
@ -159,7 +159,7 @@ profile pulseaudio @{exec_path} {
  owner /var/lib/lightdm/.config/pulse/cookie   k,
  /var/lib/gdm{3,}/.cache/gstreamer-1.0/ rw,
-  /var/lib/gdm{3,}/.cache/gstreamer-1.0/registry.*.bin{,.tmp*} rw,
+  /var/lib/gdm{3,}/.cache/gstreamer-1.0/registry.*.bin{,.tmp@{rand6}} rw,
  owner @{user_config_dirs}/ w,
  owner @{user_config_dirs}/pulse/{,**} rw,
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk
@ -164,12 +164,12 @@ profile xdg-desktop-portal-gtk @{exec_path} {
  owner @{HOME}/.icons/{,**} r,
  owner @{HOME}/@{XDG_DATA_DIR}/ r,
-  owner /tmp/runtime-*/xauth_?????? r,
+  owner /tmp/runtime-*/xauth_@{rand6} r,
-  owner /tmp/xauth_?????? r,
+  owner /tmp/xauth_@{rand6} r,
        @{run}/mount/utab r,
-        @{run}/user/@{uid}/xauth_* rl,
+        @{run}/user/@{uid}/xauth_@{rand6} rl,
-  owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* rw,
+  owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} rw,
  owner @{run}/user/@{uid}/gdm/Xauthority r,
  owner @{PROC}/@{pid}/mountinfo r,
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde
@ -45,9 +45,9 @@ profile xdg-desktop-portal-kde @{exec_path} {
  owner @{user_config_dirs}/kwinrc r,
  owner @{user_config_dirs}/xdg-desktop-portal-kderc r,
-  owner /tmp/xauth_?????? r,
+  owner /tmp/xauth_@{rand6} r,
-  @{run}/user/@{uid}/xauth_* rl,
+  @{run}/user/@{uid}/xauth_@{rand6} rl,
  @{PROC}/sys/kernel/core_pattern r,
--- a/apparmor.d/groups/freedesktop/xdg-permission-store
+++ b/apparmor.d/groups/freedesktop/xdg-permission-store
@ -50,7 +50,7 @@ profile xdg-permission-store @{exec_path} flags=(attach_disconnected) {
  owner @{user_share_dirs}/flatpak/ w,
  owner @{user_share_dirs}/flatpak/db/ rw,
-  owner @{user_share_dirs}/flatpak/db/.goutputstream-* rw,
+  owner @{user_share_dirs}/flatpak/db/.goutputstream-@{rand6} rw,
  owner @{user_share_dirs}/flatpak/db/background rw,
  owner @{user_share_dirs}/flatpak/db/notifications rw,
--- a/apparmor.d/groups/freedesktop/xdg-user-dirs-update
+++ b/apparmor.d/groups/freedesktop/xdg-user-dirs-update
@ -50,7 +50,7 @@ profile xdg-user-dirs-update @{exec_path} {
  owner @{HOME}/@{XDG_VIDEOS_DIR}/ w,
  owner @{user_config_dirs}/user-dirs.dirs rw,
-  owner @{user_config_dirs}/user-dirs.dirs?????? rw,
+  owner @{user_config_dirs}/user-dirs.dirs@{rand6} rw,
  owner @{user_config_dirs}/user-dirs.locale rw,
  include if exists <local/xdg-user-dirs-update>
--- a/apparmor.d/groups/freedesktop/xorg
+++ b/apparmor.d/groups/freedesktop/xorg
@ -141,7 +141,7 @@ profile xorg @{exec_path} flags=(attach_disconnected) {
  /dev/fb[0-9] rw,
  /dev/input/event[0-9]* rw,
-  /dev/shm/#[0-9]*[0-9] rw,
+  /dev/shm/#@{int} rw,
  /dev/shm/shmfd-* rw,
  /dev/tty rw,
  /dev/tty[0-9]* rw,
--- a/apparmor.d/groups/freedesktop/xprop
+++ b/apparmor.d/groups/freedesktop/xprop
@ -19,10 +19,10 @@ profile xprop @{exec_path} {
  owner @{HOME}/.Xauthority r,
  owner @{HOME}/.icons/default/index.theme r,
-  owner /tmp/runtime-*/xauth_?????? r,
+  owner /tmp/runtime-*/xauth_@{rand6} r,
-  owner /tmp/xauth_?????? r,
+  owner /tmp/xauth_@{rand6} r,
-  owner @{run}/user/@{uid}/xauth_* rl,
+  owner @{run}/user/@{uid}/xauth_@{rand6} rl,
  # file_inherit
  owner /dev/tty[0-9]* rw,
--- a/apparmor.d/groups/freedesktop/xrdb
+++ b/apparmor.d/groups/freedesktop/xrdb
@ -35,8 +35,8 @@ profile xrdb @{exec_path} {
  owner /tmp/kcminit.* r,
  owner /tmp/plasma-apply-lookandfeel.* r,
-  owner /tmp/runtime-*/xauth_?????? r,
+  owner /tmp/runtime-*/xauth_@{rand6} r,
-  owner /tmp/startplasma-x11.?????? r,
+  owner /tmp/startplasma-x11.@{rand6} r,
  owner /tmp/xauth-[0-9]*-_[0-9] r,
  @{run}/sddm/\{@{uuid}\} r,
--- a/apparmor.d/groups/freedesktop/xsetroot
+++ b/apparmor.d/groups/freedesktop/xsetroot
@ -24,8 +24,8 @@ profile xsetroot @{exec_path} {
  owner @{user_share_dirs}/sddm/xorg-session.log w,
  @{run}/sddm/\{@{uuid}\} r,
-  @{run}/sddm/xauth_?????? r,
+  @{run}/user/@{uid}/xauth_@{rand6} rl,
-  @{run}/user/@{uid}/xauth_* rl,
+  @{run}/sddm/xauth_@{rand6} r,
  include if exists <local/xsetroot>
 }
--- a/apparmor.d/groups/freedesktop/xwayland
+++ b/apparmor.d/groups/freedesktop/xwayland
@ -37,8 +37,8 @@ profile xwayland @{exec_path} flags=(attach_disconnected) {
  owner /var/lib/gdm{3,}/.cache/mesa_shader_cache/index rw,
  owner /tmp/server-[0-9]*.xkm rwk,
-  owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[a-zA-z0-9]* rw,
+  owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} rw,
-  owner @{run}/user/@{uid}/xwayland-shared-?????? rw,
+  owner @{run}/user/@{uid}/xwayland-shared-@{rand6} rw,
  @{sys}/bus/pci/devices/ r,
--- a/apparmor.d/groups/gnome/gdm-runtime-config
+++ b/apparmor.d/groups/gnome/gdm-runtime-config
@ -13,7 +13,7 @@ profile gdm-runtime-config @{exec_path} {
  @{exec_path} mr,
  @{run}/gdm{3,}/ rw,
-  @{run}/gdm{3,}/custom.conf* rw,
+  @{run}/gdm{3,}/custom.conf{,.@{rand6}} rw,
  include if exists <local/gdm-runtime-config>
 }
--- a/apparmor.d/groups/gnome/gdm-session-worker
+++ b/apparmor.d/groups/gnome/gdm-session-worker
@ -82,6 +82,8 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) {
  /etc/sysconfig/displaymanager r,
  /etc/sysconfig/windowmanager r,
  owner @{HOME}/.pam_environment r,
  owner @{run}/user/@{uid}/keyring/control rw,
  @{run}/cockpit/active.motd r,
--- a/apparmor.d/groups/gnome/gdm-xsession
+++ b/apparmor.d/groups/gnome/gdm-xsession
@ -54,7 +54,7 @@ profile gdm-xsession @{exec_path} {
  /etc/default/im-config r,
  /etc/X11/{,**} r,
-  owner /tmp/gdm{3,}-config-err-?????? rw,
+  owner /tmp/gdm{3,}-config-err-@{rand6} rw,
  # file_inherit
  /dev/tty[0-9]* rw,
--- a/apparmor.d/groups/gnome/gjs-console
+++ b/apparmor.d/groups/gnome/gjs-console
@ -89,7 +89,7 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) {
  /var/lib/gdm{3,}/.cache/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} r,
  /var/lib/gdm{3,}/.cache/gstreamer-1.0/ rw,
-  /var/lib/gdm{3,}/.cache/gstreamer-1.0/registry.*.bin{,.tmp*} rw,
+  /var/lib/gdm{3,}/.cache/gstreamer-1.0/registry.*.bin{,.tmp@{rand6}} rw,
  /var/lib/gdm{3,}/.config/dconf/user r,
  /var/lib/gdm{3,}/greeter-dconf-defaults r,
@ -98,7 +98,7 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) {
  owner @{user_share_dirs}/gnome-shell/extensions/{,**} r,
  owner @{user_cache_dirs}/gstreamer-1.0/ rw,
-  owner @{user_cache_dirs}/gstreamer-1.0/registry.*.bin{,.tmp*} rw,
+  owner @{user_cache_dirs}/gstreamer-1.0/registry.*.bin{,.tmp@{rand6}} rw,
  owner @{run}/user/@{uid}/gdm/Xauthority r,
--- a/apparmor.d/groups/gnome/gnome-control-center
+++ b/apparmor.d/groups/gnome/gnome-control-center
@ -35,7 +35,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
  signal (send) set=(kill) peer=unconfined,
  signal (send) set=(kill) peer=passwd,
-  unix (send, receive, connect) type=stream peer=(addr="@/home/*/.cache/ibus/dbus-*", label=ibus-daemon),
+  unix (send, receive, connect) type=stream peer=(addr="@/home/*/.cache/ibus/dbus-????????", label=ibus-daemon),
  dbus send bus=accessibility path=/org/a11y/atspi/accessible/root
       interface=org.a11y.atspi.Socket
@ -86,6 +86,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
  @{lib}/gnome-control-center-print-renderer     rPx,
  @{lib}/webkit2gtk-{3,4}.0/WebKitNetworkProcess rix,
  /usr/share/language-tools/language2locale      rix,
  /usr/share/language-tools/language-options    rPUx,
  /snap/*/[0-9]*/**.png r,
  /usr/share/backgrounds/{,**} r,
@ -100,6 +101,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
  /usr/share/gnome-shell/search-providers/{,**} r,
  /usr/share/gnome/gnome-version.xml r,
  /usr/share/libdrm/*.ids r,
  /usr/share/language-tools/main-countries r,
  /usr/share/mime/{,**} r,
  /usr/share/pipewire/client.conf r,
  /usr/share/thumbnailers/{,*} r,
@ -134,22 +136,27 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
  owner @{user_cache_dirs}/gnome-control-center/{,**} rw,
  owner @{user_cache_dirs}/thumbnails/{,**} rw,
  owner @{user_config_dirs}/gnome-control-center/{,**} rw,
-  owner @{user_config_dirs}/ibus/bus/{,@{hex}-unix{,-wayland}-[0-9]} r,
+  owner @{user_config_dirs}/ibus/bus/ r,
-  owner @{user_config_dirs}/mimeapps.list* rw,
+  owner @{user_config_dirs}/ibus/bus/@{md5}-unix-{,wayland-}@{int} r,
-  owner @{user_config_dirs}/rygel.conf{,.??????} rw,
+  owner @{user_config_dirs}/mimeapps.list{,.@{rand6}} rw,
  owner @{user_config_dirs}/rygel.conf{,.@{rand6}} rw,
  owner @{user_share_dirs}/backgrounds/{,**} rw,
  owner @{user_share_dirs}/icc/{,edid-*} r,
  owner @{user_share_dirs}/sounds/__custom/{,*} rw,
  owner @{user_share_dirs}/webkitgtk/{,**} r,
  owner @{user_share_dirs}/webkitgtk/databases/indexeddb/* rw,
  owner @{user_share_dirs}/webkitgtk/localstorage/{,**} rwk,
  owner @{user_share_dirs}/gnome-remote-desktop/ w,
  owner @{user_share_dirs}/gnome-remote-desktop/rdp-tls.{crt,key}{,.@{rand6}} rw,
  owner @{run}/user/@{uid}/gnome-shell-disable-extensions w,
  owner @{run}/user/@{uid}/gnome-control-center-region-needs-restart w,
  owner @{run}/user/@{uid}/pipewire-[0-9]* rw,
  owner @{run}/user/@{uid}/webkitgtk-wayland-compositor-@{uuid} rwk,
  owner @{run}/user/@{uid}/webkitgtk-wayland-compositor-@{uuid}.lock rwk,
  owner @{run}/user/@{uid}/webkitgtk/{,**} rw,
-  owner @{run}/user/@{uid}/gvfsd/socket-[0-9A-Za-z]* rw,
+  owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw,
  owner @{run}/user/@{uid}/wayland-@{int} rw,
        @{run}/cups/cups.sock rw,
        @{run}/samba/ rw,
        @{run}/systemd/sessions/  r,
@ -190,6 +197,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
  owner @{PROC}/@{pid}/stat r,
  owner @{PROC}/@{pid}/statm r,
  owner @{PROC}/@{pid}/task/*/comm rw,
  owner @{PROC}/@{pid}/loginuid r,
        @{PROC}/cmdline r,
        @{PROC}/zoneinfo r,
--- a/apparmor.d/groups/gnome/gnome-remote-desktop-daemon
+++ b/apparmor.d/groups/gnome/gnome-remote-desktop-daemon
@ -13,12 +13,18 @@ profile gnome-remote-desktop-daemon @{exec_path} {
  include <abstractions/dconf-write>
  include <abstractions/dri-common>
  include <abstractions/dri-enumerate>
  include <abstractions/openssl>
  include <abstractions/vulkan>
  network inet stream,
  network inet6 stream,
  @{exec_path} mr,
  /usr/share/glib-2.0/schemas/gschemas.compiled r,
  owner @{run}/user/@{uid}/wayland-@{int} rw,
  @{sys}/devices/system/node/ r,
  @{sys}/devices/system/node/node[0-9]*/meminfo r,
--- a/apparmor.d/groups/gnome/gnome-session-binary
+++ b/apparmor.d/groups/gnome/gnome-session-binary
@ -214,7 +214,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
  /var/lib/flatpak/exports/share/mime/mime.cache r,
  /var/lib/snapd/desktop/applications/{,mimeinfo.cache} r,
-  owner /tmp/dirs-?????? rw,
+  owner /tmp/dirs-@{rand6} rw,
  owner @{user_config_dirs}/autostart/{,*.desktop} r,
  owner @{user_config_dirs}/gnome-session/ rw,
--- a/apparmor.d/groups/gnome/gnome-session-ctl
+++ b/apparmor.d/groups/gnome/gnome-session-ctl
@ -21,7 +21,7 @@ profile gnome-session-ctl @{exec_path} {
       member=Initialized
       peer=(name=org.gnome.SessionManager, label=gnome-session-binary),
-  unix (send, receive, connect) type=stream peer=(addr=@/tmp/dbus-*, label=dbus-daemon),
+  unix (send, receive, connect) type=stream peer=(addr=@/tmp/dbus-????????, label=dbus-daemon),
  @{exec_path} mr,
--- a/apparmor.d/groups/gnome/gnome-shell
+++ b/apparmor.d/groups/gnome/gnome-shell
@ -52,7 +52,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
  unix (send,receive) type=stream addr=none peer=(label=gnome-extension-ding),
  unix (send,receive) type=stream addr=none peer=(label=xkbcomp),
  unix (send,receive) type=stream addr=none peer=(label=xwayland),
-  unix (send, receive, connect) type=stream peer=(addr="@/var/lib/gdm{3,}/.cache/ibus/dbus-*", label=ibus-daemon),
+  unix (send, receive, connect) type=stream peer=(addr="@/var/lib/gdm{3,}/.cache/ibus/dbus-????????", label=ibus-daemon),
  dbus send bus=session path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus
@ -514,20 +514,20 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
  /etc/xdg/menus/gnome-applications.menu r,
  /var/lib/gdm{3,}/.cache/ w,
-  /var/lib/gdm{3,}/.cache/event-sound-cache.tdb.*.x86_64-pc-linux-gnu rwk,
+  /var/lib/gdm{3,}/.cache/event-sound-cache.tdb.@{md5}.x86_64-pc-linux-gnu rwk,
  /var/lib/gdm{3,}/.cache/fontconfig/{,*} rwl, 
  /var/lib/gdm{3,}/.cache/gstreamer-[0-9]*/ rw,
-  /var/lib/gdm{3,}/.cache/gstreamer-[0-9]*/registry.*.bin{,.tmp*} rw,
+  /var/lib/gdm{3,}/.cache/gstreamer-[0-9]*/registry.*.bin{,.tmp@{rand6}} rw,
  /var/lib/gdm{3,}/.cache/libgweather/ r,
  /var/lib/gdm{3,}/.cache/mesa_shader_cache/ rw,
-  /var/lib/gdm{3,}/.cache/mesa_shader_cache/[a-f0-9][a-f0-9]/ rw,
+  /var/lib/gdm{3,}/.cache/mesa_shader_cache/@{h}@{h}/ rw,
-  /var/lib/gdm{3,}/.cache/mesa_shader_cache/[a-f0-9][a-f0-9]/@{hex} rw,
+  /var/lib/gdm{3,}/.cache/mesa_shader_cache/@{h}@{h}/@{hex} rw,
-  /var/lib/gdm{3,}/.cache/mesa_shader_cache/[a-f0-9][a-f0-9]/@{hex}.tmp rwk,
+  /var/lib/gdm{3,}/.cache/mesa_shader_cache/@{h}@{h}/@{hex}.tmp rwk,
  /var/lib/gdm{3,}/.cache/mesa_shader_cache/index rw,
  /var/lib/gdm{3,}/.config/dconf/user r,
  /var/lib/gdm{3,}/.config/ibus/ rw,
  /var/lib/gdm{3,}/.config/ibus/bus/ rw,
-  /var/lib/gdm{3,}/.config/ibus/bus/@{hex}-unix-{,wayland-}[0-9] r,
+  /var/lib/gdm{3,}/.config/ibus/bus/@{md5}-unix-{,wayland-}@{int} r,
  /var/lib/gdm{3,}/.config/pulse/ r,
  /var/lib/gdm{3,}/.config/pulse/client.conf r,
  /var/lib/gdm{3,}/.config/pulse/cookie rwk,
@ -554,7 +554,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
  owner @{user_games_dirs}/**/*.{png,jpg} r,
  owner @{user_music_dirs}/**/*.{png,jpg} r,
-  owner @{user_config_dirs}/.goutputstream{,*} rw,
+  owner @{user_config_dirs}/.goutputstream{,-@{rand6}} rw,
  owner @{user_config_dirs}/ibus/ w,
  owner @{user_config_dirs}/monitors.xml{,~} rwl,
  owner @{user_config_dirs}/pulse/ r,
@ -578,10 +578,10 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
  owner @{run}/user/@{uid}/gnome-shell-disable-extensions rw,
  owner @{run}/user/@{uid}/gnome-shell/{,**} rw,
-  owner @{run}/user/@{uid}/gvfsd/socket-[0-9A-Za-z]* rw,
+  owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw,
  owner @{run}/user/@{uid}/snap.snap*/wayland-cursor-shared-* rw,
  owner @{run}/user/@{uid}/systemd/notify rw,
-  owner @{run}/user/@{uid}/wayland-[0-9]* rwk,
+  owner @{run}/user/@{uid}/wayland-@{int} rwk,
  owner /dev/shm/.org.chromium.Chromium.* rw,
  owner /dev/shm/wayland.mozilla.ipc.[0-9]* rw,
--- a/apparmor.d/groups/gnome/gnome-shell-hotplug-sniffer
+++ b/apparmor.d/groups/gnome/gnome-shell-hotplug-sniffer
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{lib}/gnome-shell-hotplug-sniffer
 profile gnome-shell-hotplug-sniffer @{exec_path} {
  include <abstractions/base>
  include <abstractions/dbus-session-strict>
  @{exec_path} mr,
--- a/apparmor.d/groups/gnome/gnome-software
+++ b/apparmor.d/groups/gnome/gnome-software
@ -71,7 +71,7 @@ profile gnome-software @{exec_path} {
  /var/tmp/flatpak-cache-*/ rw,
  /var/tmp/flatpak-cache-*/** rwkl,
-  /var/tmp/#[0-9]* rw,
+  /var/tmp/#@{int} rw,
  owner @{HOME}/.var/app/{,**} rw,
@ -86,7 +86,7 @@ profile gnome-software @{exec_path} {
  owner /tmp/ostree-gpg-*/ rw,
  owner /tmp/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**,
-  owner /tmp/#[0-9]* rw,
+  owner /tmp/#@{int} rw,
  owner @{run}/user/@{uid}/.dbus-proxy/ rw,
  owner @{run}/user/@{uid}/.dbus-proxy/a11y-bus-proxy-[0-9A-Z]* rw,
--- a/apparmor.d/groups/gnome/gnome-terminal-server
+++ b/apparmor.d/groups/gnome/gnome-terminal-server
@ -49,7 +49,7 @@ profile gnome-terminal-server @{exec_path} {
  owner @{run}/user/@{uid}/gdm/Xauthority r,
-  owner /tmp/#[0-9]* rw,
+  owner /tmp/#@{int} rw,
  @{PROC}/@{pids}/cmdline r,
  @{PROC}/@{pids}/cgroup r,
--- a/apparmor.d/groups/gnome/gsd-housekeeping
+++ b/apparmor.d/groups/gnome/gsd-housekeeping
@ -79,6 +79,7 @@ profile gsd-housekeeping @{exec_path} flags=(attach_disconnected) {
  owner @{PROC}/@{pids}/mountinfo r,
  @{run}/mount/utab r,
  owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw,
  owner /dev/tty[0-9]* rw,
--- a/apparmor.d/groups/gnome/gsd-xsettings
+++ b/apparmor.d/groups/gnome/gsd-xsettings
@ -141,7 +141,7 @@ profile gsd-xsettings @{exec_path} {
  owner @{user_cache_dirs}/mesa_shader_cache/index rw,
-  owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[a-zA-z0-9]* r,
+  owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} r,
  owner @{run}/user/@{uid}/gdm/Xauthority r,
        @{run}/systemd/sessions/* r,
        @{run}/systemd/users/@{uid} r,
--- a/apparmor.d/groups/gnome/kgx
+++ b/apparmor.d/groups/gnome/kgx
@ -40,7 +40,7 @@ profile kgx @{exec_path} {
  /usr/share/themes/{,**} r,
  /usr/share/X11/xkb/{,**} r,
-  owner /tmp/#[0-9]* rw,
+  owner /tmp/#@{int} rw,
        @{PROC}/ r,
        @{PROC}/@{pids}/cmdline r,
--- a/apparmor.d/groups/gnome/mutter-x11-frames
+++ b/apparmor.d/groups/gnome/mutter-x11-frames
@ -23,7 +23,7 @@ profile mutter-x11-frames @{exec_path} {
  @{exec_path} mr,
-  owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* rw,
+  owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} rw,
  include if exists <local/mutter-x11-frames>
 }
--- a/apparmor.d/groups/gnome/tracker-extract
+++ b/apparmor.d/groups/gnome/tracker-extract
@ -83,10 +83,10 @@ profile tracker-extract @{exec_path} flags=(attach_disconnected) {
  /var/lib/gdm{3,}/.cache/ rw,
  /var/lib/gdm{3,}/.cache/tracker3/{,**} rw,
  /var/lib/gdm{3,}/.cache/gstreamer-1.0/ rw,
-  /var/lib/gdm{3,}/.cache/gstreamer-1.0/registry.*.bin{,.tmp*} rw,
+  /var/lib/gdm{3,}/.cache/gstreamer-1.0/registry.*.bin{,.tmp@{rand6}} rw,
  /var/lib/gdm{3,}/greeter-dconf-defaults r,
-  /var/lib/lightdm/.cache/gstreamer-1.0/registry.*.bin{,.tmp??????} r,
+  /var/lib/lightdm/.cache/gstreamer-1.0/registry.*.bin{,.tmp@{rand6}} r,
  /var/lib/flatpak/exports/share/applications/mimeinfo.cache r,
  /var/lib/flatpak/exports/share/mime/mime.cache r,
--- a/apparmor.d/groups/gnome/tracker-miner
+++ b/apparmor.d/groups/gnome/tracker-miner
@ -88,7 +88,7 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) {
  /var/lib/lightdm/.config/dconf/user r,
  /var/lib/lightdm/.cache/tracker3/files/meta.db{,-wal} rwk,
-  /var/lib/lightdm/.cache/tracker3/files/no-need-mtime-check.txt{,.??????} rw,
+  /var/lib/lightdm/.cache/tracker3/files/no-need-mtime-check.txt{,.@{rand6}} rw,
  owner /var/tmp/etilqs_@{hex} rw,
--- a/apparmor.d/groups/grub/grub-install
+++ b/apparmor.d/groups/grub/grub-install
@ -29,6 +29,7 @@ profile grub-install @{exec_path} flags=(complain) {
  /etc/default/grub.d/{,**} r,
  /etc/default/grub r,
  /boot/efi/EFI/ubuntu/* w,
  /boot/efi/EFI/BOOT/{,**} rw,
  /boot/EFI/*/grubx*.efi rw,
  /boot/grub/{,**} rw,
--- a/apparmor.d/groups/grub/grub-multi-install
+++ b/apparmor.d/groups/grub/grub-multi-install
@ -17,6 +17,7 @@ profile grub-multi-install @{exec_path} {
  @{bin}/{,ba,da}sh         rix,
  @{bin}/{,e}grep           rix,
  @{bin}/cat                rix,
  @{bin}/cut                rix,
  @{bin}/dpkg-query         rpx,
  @{bin}/readlink           rix,
  @{bin}/sed                rix,
@ -33,5 +34,7 @@ profile grub-multi-install @{exec_path} {
  owner @{PROC}/@{pid}/maps r,
  owner @{PROC}/@{pid}/mounts r,
  /dev/disk/by-id/ r,
  include if exists <local/grub-multi-install>
 }
--- a/apparmor.d/groups/gvfs/gvfsd-dav
+++ b/apparmor.d/groups/gvfs/gvfsd-dav
@ -28,7 +28,7 @@ profile gvfsd-dav @{exec_path} {
  /usr/share/mime/mime.cache r,
  owner @{run}/user/@{uid}/gvfsd/ rw,
-  owner @{run}/user/@{uid}/gvfsd/socket-[a-zA-z0-9]* rw,
+  owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw,
  @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r,
--- a/apparmor.d/groups/gvfs/gvfsd-dnssd
+++ b/apparmor.d/groups/gvfs/gvfsd-dnssd
@ -57,7 +57,7 @@ profile gvfsd-dnssd @{exec_path} {
  @{exec_path} mr,
  owner @{run}/user/@{uid}/gvfsd/ rw,
-  owner @{run}/user/@{uid}/gvfsd/socket-[a-zA-Z0-9]* rw,
+  owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw,
  include if exists <local/gvfsd-dnssd>
 }
--- a/apparmor.d/groups/gvfs/gvfsd-http
+++ b/apparmor.d/groups/gvfs/gvfsd-http
@ -24,7 +24,7 @@ profile gvfsd-http @{exec_path} {
  @{exec_path} mr,
-  owner @{run}/user/@{uid}/gvfsd/socket-* rw,
+  owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw,
  @{PROC}/sys/net/ipv{4,6}/conf/all/disable_ipv{4,6} r,
--- a/apparmor.d/groups/gvfs/gvfsd-mtp
+++ b/apparmor.d/groups/gvfs/gvfsd-mtp
@ -23,7 +23,7 @@ profile gvfsd-mtp @{exec_path} {
  owner @{HOME}/{,**} rw,
  owner @{MOUNTS}/{,**} rw,
-  owner @{run}/user/@{uid}/gvfsd/socket-* rw,
+  owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw,
  include if exists <local/gvfsd-mtp>
 }
--- a/apparmor.d/groups/gvfs/gvfsd-network
+++ b/apparmor.d/groups/gvfs/gvfsd-network
@ -51,7 +51,7 @@ profile gvfsd-network @{exec_path} {
  /usr/share/glib-2.0/schemas/gschemas.compiled r,
  owner @{run}/user/@{uid}/gvfsd/ rw,
-  owner @{run}/user/@{uid}/gvfsd/socket-[a-zA-z0-9]* rw,
+  owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw,
  include if exists <local/gvfsd-network>
 }
--- a/apparmor.d/groups/gvfs/gvfsd-recent
+++ b/apparmor.d/groups/gvfs/gvfsd-recent
@ -26,7 +26,7 @@ profile gvfsd-recent @{exec_path} {
  owner @{user_share_dirs}/recently-used.xbel r,
  owner @{run}/user/@{uid}/gvfsd/ rw,
-  owner @{run}/user/@{uid}/gvfsd/socket-[a-zA-z0-9]* rw,
+  owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw,
  owner @{PROC}/@{pid}/mountinfo r,
--- a/apparmor.d/groups/gvfs/gvfsd-smb
+++ b/apparmor.d/groups/gvfs/gvfsd-smb
@ -23,7 +23,7 @@ profile gvfsd-smb @{exec_path} {
  /etc/samba/smb.conf r,
-  owner @{run}/user/@{uid}/gvfsd/socket-[a-zA-z0-9]* rw,
+  owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw,
  include if exists <local/gvfsd-smb>
 }
--- a/apparmor.d/groups/gvfs/gvfsd-smb-browse
+++ b/apparmor.d/groups/gvfs/gvfsd-smb-browse
@ -58,7 +58,7 @@ profile gvfsd-smb-browse @{exec_path} {
  owner @{run}/samba/ rw,
  owner @{run}/samba/gencache.tdb rwk,
-  owner @{run}/user/@{uid}/gvfsd/socket-[a-zA-z0-9]* rw,
+  owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw,
  owner @{user_cache_dirs}/samba/ w,
  owner @{user_cache_dirs}/samba/gencache.tdb rwk,
--- a/apparmor.d/groups/gvfs/gvfsd-trash
+++ b/apparmor.d/groups/gvfs/gvfsd-trash
@ -50,7 +50,7 @@ profile gvfsd-trash @{exec_path} {
  owner @{MOUNTS}/{,**} rw,
  owner @{run}/user/@{uid}/gvfsd/ rw,
-  owner @{run}/user/@{uid}/gvfsd/socket-* rw,
+  owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw,
  @{run}/mount/utab r,
--- a/apparmor.d/groups/kde/baloo
+++ b/apparmor.d/groups/kde/baloo
@ -38,7 +38,7 @@ profile baloo @{exec_path} {
  owner @{MOUNTS}/{,**} r,
  owner /tmp/*/{,**} r,
-  owner @{user_config_dirs}/#[0-9]* rw,
+  owner @{user_config_dirs}/#@{int} rw,
  owner @{user_config_dirs}/baloofilerc rwl,
  owner @{user_config_dirs}/baloofilerc.lock rwkl,
--- a/apparmor.d/groups/kde/drkonqi
+++ b/apparmor.d/groups/kde/drkonqi
@ -22,7 +22,7 @@ profile drkonqi @{exec_path} {
  /usr/share/drkonqi/{,**} r,
  /usr/share/icu/[0-9]*.[0-9]*/*.dat r,
-  @{run}/user/@{uid}/xauth_* rl,
+  @{run}/user/@{uid}/xauth_@{rand6} rl,
  /dev/tty r,
--- a/apparmor.d/groups/kde/gmenudbusmenuproxy
+++ b/apparmor.d/groups/kde/gmenudbusmenuproxy
@ -23,8 +23,8 @@ profile gmenudbusmenuproxy @{exec_path} {
  /etc/machine-id r,
  owner @{HOME}/.gtkrc-2.0 rw,
-  owner @{user_config_dirs}/gtk-{2,3}.0/#[0-9]* rw,
+  owner @{user_config_dirs}/gtk-{2,3}.0/#@{int} rw,
-  owner @{user_config_dirs}/gtk-{2,3}.0/settings.ini{,.??????} rwl,
+  owner @{user_config_dirs}/gtk-{2,3}.0/settings.ini{,.@{rand6}} rwl,
  owner @{user_config_dirs}/gtk-{2,3}.0/settings.ini.lock rwk,
  @{PROC}/sys/kernel/random/boot_id r,
--- a/apparmor.d/groups/kde/kaccess
+++ b/apparmor.d/groups/kde/kaccess
@ -38,9 +38,9 @@ profile kaccess @{exec_path} {
  owner @{user_share_dirs}/mime/generic-icons r,
-  owner /tmp/xauth_?????? r,
+  owner /tmp/xauth_@{rand6} r,
-  owner @{run}/user/@{uid}/xauth_?????? r,
+  owner @{run}/user/@{uid}/xauth_@{rand6} r,
  @{sys}/devices/pci[0-9]*/**/{device,subsystem_device,subsystem_vendor,uevent,vendor} r,
--- a/apparmor.d/groups/kde/kalendarac
+++ b/apparmor.d/groups/kde/kalendarac
@ -32,19 +32,19 @@ profile kalendarac @{exec_path} {
  owner @{user_cache_dirs}/icon-cache.kcache rw,
-  owner @{user_config_dirs}/#[0-9]* rw,
+  owner @{user_config_dirs}/#@{int} rw,
  owner @{user_config_dirs}/akonadi-firstrunrc r,
  owner @{user_config_dirs}/akonadi/akonadiconnectionrc r,
  owner @{user_config_dirs}/emaildefaults r,
  owner @{user_config_dirs}/emailidentities r,
  owner @{user_config_dirs}/kalendaracrc rw,
-  owner @{user_config_dirs}/kalendaracrc.?????? rwl,
+  owner @{user_config_dirs}/kalendaracrc.@{rand6} rwl,
  owner @{user_config_dirs}/kalendaracrc.lock rwk,
  owner @{user_config_dirs}/kdedefaults/kdeglobals r,
  owner @{user_config_dirs}/kdeglobals r,
  owner @{user_config_dirs}/kmail2rc r,
-  @{run}/user/@{uid}/xauth_* rl,
+  @{run}/user/@{uid}/xauth_@{rand6} rl,
  @{PROC}/sys/kernel/core_pattern r,
--- a/apparmor.d/groups/kde/kcminit
+++ b/apparmor.d/groups/kde/kcminit
@ -28,9 +28,9 @@ profile kcminit @{exec_path} {
  owner @{HOME}/.Xdefaults r,
-  owner @{user_config_dirs}/#[0-9]* rw,
+  owner @{user_config_dirs}/#@{int} rw,
-  owner @{user_config_dirs}/gtkrc-2.0{,.??????} rwl,
+  owner @{user_config_dirs}/gtkrc-2.0{,.@{rand6}} rwl,
-  owner @{user_config_dirs}/gtkrc{,.??????} rwl,
+  owner @{user_config_dirs}/gtkrc{,.@{rand6}} rwl,
  owner @{user_config_dirs}/kcminputrc r,
  owner @{user_config_dirs}/kdedefaults/kcminputrc r,
  owner @{user_config_dirs}/kdedefaults/kdeglobals r,
@ -40,12 +40,12 @@ profile kcminit @{exec_path} {
  owner @{user_config_dirs}/kwinrc r,
  owner @{user_config_dirs}/touchpadrc r,
  owner @{user_config_dirs}/Trolltech.conf.lock rwk,
-  owner @{user_config_dirs}/Trolltech.conf{,.??????} rwl,
+  owner @{user_config_dirs}/Trolltech.conf{,.@{rand6}} rwl,
-  owner /tmp/kcminit.?????? rwl,
+  owner /tmp/kcminit.@{rand6} rwl,
-  owner /tmp/#[0-9]* rw,
+  owner /tmp/#@{int} rw,
-  @{run}/user/@{uid}/xauth_* rl,
+  @{run}/user/@{uid}/xauth_@{rand6} rl,
  @{PROC}/sys/kernel/random/boot_id r,
--- a/apparmor.d/groups/kde/kconf_update
+++ b/apparmor.d/groups/kde/kconf_update
@ -34,7 +34,7 @@ profile kconf_update @{exec_path} {
  /etc/machine-id r,
  /etc/xdg/kdeglobals r,
-  owner @{user_config_dirs}/#[0-9]* rw,
+  owner @{user_config_dirs}/#@{int} rw,
  owner @{user_config_dirs}/akregatorrc r,
  owner @{user_config_dirs}/kateschemarc r,
  owner @{user_config_dirs}/kcminputrc r,
@ -59,8 +59,8 @@ profile kconf_update @{exec_path} {
  owner @{user_config_dirs}/kxkbrc.lock rwk,
  owner @{user_config_dirs}/plasmashellrc r,
-  owner /tmp/#[0-9]* rw,
+  owner /tmp/#@{int} rw,
-  owner /tmp/kconf_update.* rwl,
+  owner /tmp/kconf_update.@{rand6} rwl,
  @{PROC}/@{sys}/kernel/random/boot_id r,
--- a/apparmor.d/groups/kde/kde-powerdevil
+++ b/apparmor.d/groups/kde/kde-powerdevil
@ -29,7 +29,7 @@ profile kde-powerdevil @{exec_path} flags=(attach_disconnected mediate_deleted)
  owner @{user_cache_dirs}/kcrash-metadata/{,*} rw,
-  owner @{user_config_dirs}/#[0-9]* rw,
+  owner @{user_config_dirs}/#@{int} rw,
  owner @{user_config_dirs}/kdedefaults/kdeglobals r,
  owner @{user_config_dirs}/kdeglobals r,
  owner @{user_config_dirs}/powerdevilrc rwl -> @{user_config_dirs}/#[0-9]*,
--- a/apparmor.d/groups/kde/kded5
+++ b/apparmor.d/groups/kde/kded5
@ -71,7 +71,7 @@ profile kded5 @{exec_path} {
  owner @{user_cache_dirs}/icon-cache.kcache rw,
  owner @{user_cache_dirs}/ksycoca5_* r,
-  owner @{user_config_dirs}/#[0-9]* rw,
+  owner @{user_config_dirs}/#@{int} rw,
  owner @{user_config_dirs}/bluedevilglobalrc rk,
  owner @{user_config_dirs}/bluedevilglobalrc* rwkl,
  owner @{user_config_dirs}/gtk-{3,4}.0/{,**} rwl,
@ -108,11 +108,11 @@ profile kded5 @{exec_path} {
  owner @{user_share_dirs}/remoteview/ r,
  owner @{user_share_dirs}/services5/{,**} r,
-  owner @{run}/user/@{uid}/#[0-9]* rw,
+  owner @{run}/user/@{uid}/#@{int} rw,
  owner @{run}/user/@{uid}/gvfs/ r,
  owner @{run}/user/@{uid}/kded5*kioworker.socket rwl,
-  owner /tmp/plasma-csd-generator.??????/{,**} rw,
+  owner /tmp/plasma-csd-generator.@{rand6}/{,**} rw,
        @{PROC}/@{pids}/cmdline/ r,
        @{PROC}/@{pids}/fd/ r,
--- a/apparmor.d/groups/kde/kglobalaccel5
+++ b/apparmor.d/groups/kde/kglobalaccel5
@ -22,9 +22,9 @@ profile kglobalaccel5 @{exec_path} {
  /etc/machine-id r,
  owner @{user_config_dirs}/#@{int} rw,
  owner @{user_config_dirs}/kglobalshortcutsrc* rwl,
  owner @{user_config_dirs}/kglobalshortcutsrc.lock rwk,
  owner @{user_config_dirs}/#[0-9]* rw,
  @{PROC}/sys/kernel/random/boot_id r,
  @{PROC}/sys/kernel/core_pattern r,
--- a/apparmor.d/groups/kde/kioslave5
+++ b/apparmor.d/groups/kde/kioslave5
@ -61,9 +61,9 @@ profile kioslave5 @{exec_path} {
  owner @{user_share_dirs}/baloo/index-lock rwk,
  owner @{user_share_dirs}/baloo/index rw,
-  owner @{run}/user/@{uid}/#[0-9]* rw,
+  owner @{run}/user/@{uid}/#@{int} rw,
  owner @{run}/user/@{uid}/kio_desktop*kioworker.socket rwl,
-  owner @{run}/user/@{uid}/xauth_* rl,
+  owner @{run}/user/@{uid}/xauth_@{rand6} rl,
        @{PROC}/sys/kernel/core_pattern r,
  owner @{PROC}/@{pid}/mountinfo r,
--- a/apparmor.d/groups/kde/kscreenlocker-greet
+++ b/apparmor.d/groups/kde/kscreenlocker-greet
@ -71,12 +71,12 @@ profile kscreenlocker-greet @{exec_path} {
  owner @{user_cache_dirs}/plasma_theme_*.kcache rw,
  owner @{user_cache_dirs}/plasma-svgelements-default_v* r,
  owner @{user_cache_dirs}/plasma-svgelements.lock rwk,
-  owner @{user_cache_dirs}/plasma-svgelements{,.??????} rwl,
+  owner @{user_cache_dirs}/plasma-svgelements{,.@{rand6}} rwl,
-  owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/@{hex} rwl -> @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9],
+  owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/@{hex} rwl -> @{user_cache_dirs}/qtshadercache-*-little_endian-*/#@{int},
-  owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9] rw,
+  owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/#@{int} rw,
  owner @{user_cache_dirs}/qtshadercache/ rw,
-  owner @{user_cache_dirs}/qtshadercache/@{hex} rwl -> @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9],
+  owner @{user_cache_dirs}/qtshadercache/@{hex} rwl -> @{user_cache_dirs}/qtshadercache/#@{int},
-  owner @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9] rw,
+  owner @{user_cache_dirs}/qtshadercache/#@{int} rw,
  owner @{user_config_dirs}/kdedefaults/* r,
  owner @{user_config_dirs}/kdeglobals r,
@ -85,7 +85,7 @@ profile kscreenlocker-greet @{exec_path} {
  owner @{user_config_dirs}/plasmarc r,
  # If one is blocked, the others are probed.
-  deny owner @{HOME}/#[0-9]*[0-9] mrw,
+  deny owner @{HOME}/#@{int} mrw,
       owner @{HOME}/.glvnd* mrw,
  owner /tmp/*-cover-*.{jpg,png} r,
--- a/apparmor.d/groups/kde/ksmserver
+++ b/apparmor.d/groups/kde/ksmserver
@ -44,10 +44,10 @@ profile ksmserver @{exec_path} flags=(attach_disconnected,mediate_deleted) {
  /etc/xdg/kwinrc r,
  /etc/xdg/menus/ r,
-  owner @{HOME}/?????? rw,
+  owner @{HOME}/@{rand6} rw,
  owner @{HOME}/.Xauthority rw,
-  owner @{user_cache_dirs}/#[0-9]* rw,
+  owner @{user_cache_dirs}/#@{int} rw,
  owner @{user_cache_dirs}/icon-cache.kcache rw,
  owner @{user_cache_dirs}/fontconfig/*-le64.cache-* r,
  owner @{user_cache_dirs}/ksycoca5_* rl,
@ -56,18 +56,18 @@ profile ksmserver @{exec_path} flags=(attach_disconnected,mediate_deleted) {
  owner @{user_config_dirs}/kdedefaults/* r,
  owner @{user_config_dirs}/kdeglobals r,
  owner @{user_config_dirs}/kscreenlockerrc r,
-  owner @{user_config_dirs}/ksmserverrc.?????? rwl,
+  owner @{user_config_dirs}/ksmserverrc.@{rand6} rwl,
  owner @{user_config_dirs}/ksmserverrc r,
-  owner @{user_config_dirs}/#[0-9]* rw,
+  owner @{user_config_dirs}/#@{int} rw,
  owner @{user_config_dirs}/ksmserverrc.lock rwk,
  owner @{user_config_dirs}/kwinrc r,
  owner @{user_config_dirs}/session/*_[0-9]*_[0-9]*_[0-9]* rw,
-  owner /tmp/?????? rw,
+  owner /tmp/@{rand6} rw,
        @{run}/systemd/inhibit/[0-9]*.ref rw,
  owner @{run}/user/@{uid}/KSMserver__[0-9] rw,
-  owner @{run}/user/@{uid}/xauth_* rl,
+  owner @{run}/user/@{uid}/xauth_@{rand6} rl,
  @{sys}/devices/pci[0-9]*/**/{device,subsystem_device,subsystem_vendor,uevent,vendor} r,
--- a/Show more
+++ b/Show more