From 61a27bc336c79ad171da6a5dc6b0414a326e6fe6 Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol Date: Fri, 11 Oct 2024 14:13:17 +0100 Subject: [PATCH] feat(profile): initial integration with attached path. The feature is not yet enabled. See https://apparmor.pujol.io/development/internal/#re-attached-path --- apparmor.d/abstractions/attached/base | 14 ++++++++++++++ apparmor.d/abstractions/attached/consoles | 13 +++++++++++++ apparmor.d/abstractions/common/app | 3 ++- apparmor.d/abstractions/common/bwrap | 13 +++++++------ apparmor.d/groups/apt/apt | 4 ++-- apparmor.d/groups/apt/unattended-upgrade | 2 +- .../groups/apt/unattended-upgrade-shutdown | 2 +- apparmor.d/groups/browsers/epiphany | 2 +- apparmor.d/groups/bus/at-spi2-registryd | 3 +-- apparmor.d/groups/bus/dbus-accessibility | 3 +-- apparmor.d/groups/bus/dbus-system | 16 ++++++++-------- apparmor.d/groups/children/child-modprobe-nvidia | 2 -- apparmor.d/groups/freedesktop/colord | 4 ++-- apparmor.d/groups/freedesktop/pipewire | 5 +++-- apparmor.d/groups/freedesktop/pipewire-pulse | 4 ++-- apparmor.d/groups/freedesktop/upowerd | 2 +- apparmor.d/groups/freedesktop/xdg-dbus-proxy | 4 ++-- apparmor.d/groups/freedesktop/xdg-desktop-portal | 5 +++-- .../groups/freedesktop/xdg-desktop-portal-gnome | 3 +-- .../groups/freedesktop/xdg-document-portal | 8 ++++---- .../groups/freedesktop/xdg-permission-store | 3 +-- apparmor.d/groups/freedesktop/xkbcomp | 2 +- apparmor.d/groups/freedesktop/xwayland | 2 +- apparmor.d/groups/gnome/gdm-session-worker | 2 +- apparmor.d/groups/gnome/gjs-console | 2 +- apparmor.d/groups/gnome/gnome-keyring-daemon | 1 + apparmor.d/groups/gnome/gnome-music | 2 +- apparmor.d/groups/gnome/gnome-session-binary | 7 ++++--- apparmor.d/groups/gnome/gnome-shell | 15 +++++++++------ apparmor.d/groups/gnome/gnome-software | 2 +- apparmor.d/groups/gnome/gsd-a11y-settings | 3 +-- apparmor.d/groups/gnome/gsd-color | 3 +-- apparmor.d/groups/gnome/gsd-datetime | 3 +-- apparmor.d/groups/gnome/gsd-housekeeping | 3 +-- apparmor.d/groups/gnome/gsd-keyboard | 3 +-- 
apparmor.d/groups/gnome/gsd-media-keys | 5 ++--- apparmor.d/groups/gnome/gsd-power | 5 ++--- apparmor.d/groups/gnome/gsd-print-notifications | 3 +-- apparmor.d/groups/gnome/gsd-printer | 3 +-- apparmor.d/groups/gnome/gsd-rfkill | 3 +-- apparmor.d/groups/gnome/gsd-screensaver-proxy | 3 +-- apparmor.d/groups/gnome/gsd-sharing | 3 +-- apparmor.d/groups/gnome/gsd-smartcard | 3 +-- apparmor.d/groups/gnome/gsd-sound | 3 +-- apparmor.d/groups/gnome/gsd-wacom | 3 +-- apparmor.d/groups/gnome/mutter-x11-frames | 3 +-- apparmor.d/groups/kde/kde-powerdevil | 2 +- apparmor.d/groups/kde/ksmserver | 2 +- apparmor.d/groups/kde/kwin_wayland | 2 +- apparmor.d/groups/network/ModemManager | 2 +- apparmor.d/groups/network/NetworkManager | 6 ++++-- apparmor.d/groups/network/mullvad-gui | 2 +- apparmor.d/groups/ssh/sshd | 3 ++- apparmor.d/groups/systemd/systemd-inhibit | 2 +- apparmor.d/groups/systemd/systemd-networkd | 4 ++-- apparmor.d/groups/ubuntu/update-manager | 2 +- apparmor.d/groups/virt/dockerd | 4 ++-- apparmor.d/groups/virt/libvirtd | 3 ++- apparmor.d/groups/virt/virtinterfaced | 2 +- apparmor.d/groups/virt/virtlogd | 3 ++- apparmor.d/groups/virt/virtnetworkd | 3 ++- apparmor.d/groups/virt/virtnodedevd | 3 ++- apparmor.d/groups/virt/virtsecretd | 3 ++- apparmor.d/groups/virt/virtstoraged | 3 ++- apparmor.d/groups/xfce/xfce-power-manager | 2 +- apparmor.d/groups/xfce/xfce-screensaver | 2 +- apparmor.d/profiles-a-f/flatpak-portal | 4 ++-- apparmor.d/profiles-a-f/foliate | 2 +- apparmor.d/profiles-a-f/fprintd | 3 ++- apparmor.d/profiles-a-f/fwupd | 3 ++- apparmor.d/profiles-g-l/linuxqq | 2 +- apparmor.d/profiles-m-r/mission-control | 2 +- apparmor.d/profiles-m-r/nvtop | 3 ++- apparmor.d/profiles-m-r/packagekitd | 3 ++- apparmor.d/profiles-m-r/psi | 2 +- apparmor.d/profiles-m-r/psi-plus | 2 +- apparmor.d/profiles-s-z/signal-desktop | 2 +- apparmor.d/profiles-s-z/spice-vdagent | 3 +-- apparmor.d/profiles-s-z/steam | 2 +- apparmor.d/profiles-s-z/superproductivity | 2 +- 
apparmor.d/profiles-s-z/udisksd | 3 ++- apparmor.d/profiles-s-z/uname | 2 +- apparmor.d/profiles-s-z/wechat-universal | 2 +- apparmor.d/profiles-s-z/xbrlapi | 3 +-- apparmor.d/tunables/multiarch.d/system | 1 - 85 files changed, 164 insertions(+), 139 deletions(-) create mode 100644 apparmor.d/abstractions/attached/base create mode 100644 apparmor.d/abstractions/attached/consoles
diff --git a/apparmor.d/abstractions/attached/base b/apparmor.d/abstractions/attached/base
new file mode 100644
index 00000000..65c16331
--- /dev/null
+++ b/apparmor.d/abstractions/attached/base
@@ -0,0 +1,14 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+# LOGPROF-SUGGEST: no
+
+ # Do not use it manually, it is automatically included in profiles when it is required.
+
+ abi ,
+
+ @{att}/apparmor/.null rw,
+
+ include if exists
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/attached/consoles b/apparmor.d/abstractions/attached/consoles
new file mode 100644
index 00000000..6959bc40
--- /dev/null
+++ b/apparmor.d/abstractions/attached/consoles
@@ -0,0 +1,13 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+# LOGPROF-SUGGEST: no
+
+ abi ,
+
+ owner @{att}/dev/pts/@{int} rw,
+ owner @{att}/dev/tty@{int} rw,
+
+ include if exists
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/common/app b/apparmor.d/abstractions/common/app
index 392ea2c5..4cb47c9d 100644
--- a/apparmor.d/abstractions/common/app
+++ b/apparmor.d/abstractions/common/app
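Review bot: The single rule in the new attached/base abstraction, `@{att}/apparmor/.null rw,`, has no comment saying what is granted or why every profile that gets this abstraction auto-included needs it; the header only says not to include it manually. A one-line comment above the rule, e.g. `# The apparmorfs null file that inherited fds are redirected to, seen under the attached path - confirm`, would let a maintainer judge the grant without reading the kernel source, with the wording checked against the documentation linked in the commit message. The `@{att}` variable this abstraction relies on is not defined anywhere in the visible part of the patch (the diffstat shows only a one-line deletion in tunables/multiarch.d/system), so its definition and its value while the feature is "not yet enabled" are worth confirming before the abstraction is wired into profiles.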
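Review bot: The new attached/consoles abstraction grants `owner @{att}/dev/pts/@{int} rw,` as well as the tty rule, but in the profiles that switch to it later in this patch (at-spi2-registryd, dbus-accessibility, xdg-desktop-portal-gnome, xdg-permission-store, xkbcomp, gjs-console, gnome-session-binary's open child, the gsd-* profiles, mutter-x11-frames) the rule being removed is only `owner /dev/tty@{int} rw,` or `/dev/tty@{int} rw,`, so each of them gains pseudo-terminal access it did not have before. If the pts rule is needed for the disconnected-path case, a header comment such as `# Console fds (tty and pts) inherited from the session, seen under the attached path` would make the widening deliberate; otherwise dropping the pts line keeps the abstraction a strict replacement for the removed rules. The include targets are not legible in this rendering, so this assumes the added `include` lines in those profiles point at this abstraction.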
@@ -67,10 +67,11 @@ owner @{tmp}/** rmwk, owner /dev/shm/** rwlk -> /dev/shm/**, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + @{run}/havahi-daemon/socket rw, # Allow access to avahi-daemon socket. @{run}/host/{,**} r, @{run}/pcscd/pcscd.comm rw, # Allow access to pcscd socket. - @{run}/systemd/inhibit/@{int}.ref rw, @{run}/utmp rk, @{run}/udev/data/c13:@{int} r, # for /dev/input/* diff --git a/apparmor.d/abstractions/common/bwrap b/apparmor.d/abstractions/common/bwrap index 7f337aff..3a2b0c59 100644 --- a/apparmor.d/abstractions/common/bwrap +++ b/apparmor.d/abstractions/common/bwrap @@ -44,15 +44,16 @@ owner /tmp/newroot/ w, owner /tmp/oldroot/ w, + @{att}/@{PROC}/sys/user/max_user_namespaces rw, + owner @{att}/@{PROC}/@{pid}/cgroup r, + owner @{att}/@{PROC}/@{pid}/gid_map rw, + owner @{att}/@{PROC}/@{pid}/mountinfo r, + owner @{att}/@{PROC}/@{pid}/setgroups rw, + owner @{att}/@{PROC}/@{pid}/uid_map rw, + @{PROC}/sys/kernel/overflowgid r, @{PROC}/sys/kernel/overflowuid r, - @{PROC}/sys/user/max_user_namespaces rw, - owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/fd/ r, - owner @{PROC}/@{pid}/gid_map rw, - owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/setgroups rw, - owner @{PROC}/@{pid}/uid_map rw, include if exists diff --git a/apparmor.d/groups/apt/apt b/apparmor.d/groups/apt/apt index 5b362f12..19f187cc 100644 --- a/apparmor.d/groups/apt/apt +++ b/apparmor.d/groups/apt/apt @@ -141,6 +141,8 @@ profile apt @{exec_path} flags=(attach_disconnected) { owner @{tmp}/apt.conf.* rw, owner @{tmp}/apt.data.* rw, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + @{PROC}/@{pids}/cmdline r, @{PROC}/@{pids}/mountinfo r, owner @{PROC}/@{pid}/fd/ r, @@ -148,8 +150,6 @@ profile apt @{exec_path} flags=(attach_disconnected) { /dev/ptmx rw, - @{run}/systemd/inhibit/@{int}.ref rw, - profile editor flags=(complain) { include include diff --git a/apparmor.d/groups/apt/unattended-upgrade b/apparmor.d/groups/apt/unattended-upgrade index c528fb98..e4f6b61e 100644 
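Review bot: `@{att}/@{PROC}/sys/user/max_user_namespaces rw,` in the bwrap abstraction keeps write access to a system-wide sysctl in a block that otherwise only needs per-process files; the `w` predates this commit, but since the rule is being rewritten it is the moment to check whether bwrap is ever observed writing it. If not, `@{att}/@{PROC}/sys/user/max_user_namespaces r,` is enough and avoids handing every bwrap-using profile write access to the namespace limit. The per-pid `uid_map`, `gid_map` and `setgroups` rules in the same hunk do need `rw` for the unprivileged user-namespace setup, so those are fine as written.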
--- a/apparmor.d/groups/apt/unattended-upgrade +++ b/apparmor.d/groups/apt/unattended-upgrade @@ -100,7 +100,7 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { /var/log/apt/{term,history}.log w, /var/log/apt/eipp.log.xz w, - @{run}/systemd/inhibit/@{int}.ref rw, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, owner @{run}/unattended-upgrades.lock rwk, owner @{run}/unattended-upgrades.pid rw, owner @{run}/unattended-upgrades.progress rw, diff --git a/apparmor.d/groups/apt/unattended-upgrade-shutdown b/apparmor.d/groups/apt/unattended-upgrade-shutdown index 67377500..cd35bb5a 100644 --- a/apparmor.d/groups/apt/unattended-upgrade-shutdown +++ b/apparmor.d/groups/apt/unattended-upgrade-shutdown @@ -24,8 +24,8 @@ profile unattended-upgrade-shutdown @{exec_path} flags=(attach_disconnected) { owner /var/log/unattended-upgrades/*.log* rw, + owner @{att}/@{run}/systemd/inhibit/@{int}.ref rw, owner @{run}/unattended-upgrades.lock rwk, - owner @{run}/systemd/inhibit/@{int}.ref rw, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/groups/browsers/epiphany b/apparmor.d/groups/browsers/epiphany index a64850f1..dd01a36a 100644 --- a/apparmor.d/groups/browsers/epiphany +++ b/apparmor.d/groups/browsers/epiphany @@ -39,7 +39,7 @@ profile epiphany @{exec_path} flags=(attach_disconnected) { @{lib}/{,@{multiarch}/}webkit{,2}gtk-*/WebKit{Web,Network}Process rix, owner /bindfile@{rand6} rw, - owner /.flatpak-info r, + owner @{att}/.flatpak-info r, owner @{user_config_dirs}/glib-2.0/ w, owner @{user_config_dirs}/glib-2.0/settings/ w, diff --git a/apparmor.d/groups/bus/at-spi2-registryd b/apparmor.d/groups/bus/at-spi2-registryd index 6c4bf4c6..8ead7a4e 100644 --- a/apparmor.d/groups/bus/at-spi2-registryd +++ b/apparmor.d/groups/bus/at-spi2-registryd @@ -10,6 +10,7 @@ include @{exec_path} = @{lib}/{,at-spi2{,-core}/}at-spi2-registryd profile at-spi2-registryd @{exec_path} flags=(attach_disconnected) { include + include include include include 
@@ -27,8 +28,6 @@ profile at-spi2-registryd @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - owner /dev/tty@{int} rw, - include if exists } diff --git a/apparmor.d/groups/bus/dbus-accessibility b/apparmor.d/groups/bus/dbus-accessibility index 054af720..1a4b83e2 100644 --- a/apparmor.d/groups/bus/dbus-accessibility +++ b/apparmor.d/groups/bus/dbus-accessibility @@ -9,6 +9,7 @@ include @{exec_path} = @{lib}/{,at-spi2{,-core}/}at-spi-bus-launcher profile dbus-accessibility @{exec_path} flags=(attach_disconnected) { include + include include include include @@ -72,8 +73,6 @@ profile dbus-accessibility @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/oom_score_adj r, - owner /dev/tty@{int} rw, - include if exists } diff --git a/apparmor.d/groups/bus/dbus-system b/apparmor.d/groups/bus/dbus-system index ed2f931c..3b8a1e14 100644 --- a/apparmor.d/groups/bus/dbus-system +++ b/apparmor.d/groups/bus/dbus-system @@ -49,17 +49,17 @@ profile dbus-system flags=(attach_disconnected) { /etc/machine-id r, /var/lib/dbus/machine-id r, - @{desktop_share_dirs}/icc/ r, - @{desktop_share_dirs}/icc/edid-@{hex32}.icc r, - @{user_share_dirs}/icc/ r, - @{user_share_dirs}/icc/edid-@{hex32}.icc r, + @{att}/@{desktop_share_dirs}/icc/ r, + @{att}/@{desktop_share_dirs}/icc/edid-@{hex32}.icc r, + @{att}/@{user_share_dirs}/icc/ r, + @{att}/@{user_share_dirs}/icc/edid-@{hex32}.icc r, # Dbus can receive any user files @{HOME}/** r, - @{run}/systemd/inhibit/@{int}.ref rw, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + @{att}/@{run}/systemd/sessions/{,@{l}}@{int}.ref rw, @{run}/systemd/notify w, - @{run}/systemd/sessions/*.ref rw, @{run}/systemd/users/@{int} r, @{sys}/kernel/security/apparmor/.access rw, 
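Review bot: The new `@{att}/@{run}/systemd/sessions/{,@{l}}@{int}.ref rw,` narrows the previous `*.ref` glob, but the `{,@{l}}` alternative is unexplained here and in the two other places it is introduced (gdm-session-worker and gnome-session-binary). A comment on this first occurrence, e.g. `# logind session ids are numeric, or letter-prefixed when no audit session id is available - confirm`, would record the intent, and confirming that `@{l}` is defined as a single-letter class keeps the rule from widening more than the comment suggests. Since a session id that does not match the narrowed pattern now produces a denial on the `.ref` file, checking for such denials on a system without audit session ids is worth doing before the feature is enabled.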
@@ -77,8 +77,8 @@ profile dbus-system flags=(attach_disconnected) { owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/oom_score_adj rw, - /dev/dri/card@{int} rw, - /dev/input/event@{int} rw, + @{att}/dev/dri/card@{int} rw, + @{att}/dev/input/event@{int} rw, include if exists } diff --git a/apparmor.d/groups/children/child-modprobe-nvidia b/apparmor.d/groups/children/child-modprobe-nvidia index b3b0db7f..15b9c2d9 100644 --- a/apparmor.d/groups/children/child-modprobe-nvidia +++ b/apparmor.d/groups/children/child-modprobe-nvidia @@ -53,8 +53,6 @@ profile child-modprobe-nvidia flags=(attach_disconnected) { owner /dev/nvidia-caps/ w, owner /dev/nvidia-caps/nvidia-cap@{int} w, - /dev/tty@{int} rw, - deny @{HOME}/.steam/** r, profile kmod { diff --git a/apparmor.d/groups/freedesktop/colord b/apparmor.d/groups/freedesktop/colord index f3ab4fed..ffdfe08a 100644 --- a/apparmor.d/groups/freedesktop/colord +++ b/apparmor.d/groups/freedesktop/colord @@ -49,8 +49,8 @@ profile colord @{exec_path} flags=(attach_disconnected) { owner /var/lib/snmp/mibs/{iana,ietf}/ r, owner /var/lib/snmp/mibs/{iana,ietf}/[A-Z]* r, - @{desktop_share_dirs}/icc/edid-*.icc r, - @{user_share_dirs}/icc/edid-*.icc r, + @{att}/@{desktop_share_dirs}/icc/edid-*.icc r, + @{att}/@{user_share_dirs}/icc/edid-*.icc r, @{run}/systemd/sessions/* r, diff --git a/apparmor.d/groups/freedesktop/pipewire b/apparmor.d/groups/freedesktop/pipewire index cf98a133..f6f4c12a 100644 --- a/apparmor.d/groups/freedesktop/pipewire +++ b/apparmor.d/groups/freedesktop/pipewire @@ -44,8 +44,9 @@ profile pipewire @{exec_path} flags=(attach_disconnected) { /etc/pipewire/{,**} r, - / r, - /.flatpak-info r, + / r, + @{att}/ r, + owner @{att}/.flatpak-info r, owner @{user_config_dirs}/pipewire/{,**} r, diff --git a/apparmor.d/groups/freedesktop/pipewire-pulse b/apparmor.d/groups/freedesktop/pipewire-pulse index b5644440..530fa97d 100644 --- a/apparmor.d/groups/freedesktop/pipewire-pulse 
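Review bot: `@{att}/dev/input/event@{int} rw,` and `@{att}/dev/dri/card@{int} rw,` give the system bus daemon read-write access to input and DRM devices with no comment on why a message bus needs them; the permission predates this commit but is being rewritten here. If these are fds passed over the bus by clients, a comment on the first rule in the style of the existing `# Dbus can receive any user files` in this profile, e.g. `# Device fds received from bus clients (e.g. the compositor) - confirm`, would make the grant auditable. If the daemon never opens these devices itself, it is also worth testing whether the rules work without `w`.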
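Review bot: The root-directory and `.flatpak-info` rules are rewritten differently from profile to profile in this patch: pipewire keeps `/ r,` and adds `@{att}/ r,` and `owner @{att}/.flatpak-info r,`, pipewire-pulse replaces `/ r,` with `@{att}/ r,`, xdg-desktop-portal keeps `/ r,` and adds `@{att}/.flatpak-info r,` without `owner`, while xdg-document-portal and gnome-shell use `owner @{att}/ r,` and `owner @{att}/.flatpak-info r,`. If `@{att}` can expand to something other than `/` once the feature is enabled, pipewire-pulse loses its plain `/ r,` and xdg-desktop-portal is the only one reading `.flatpak-info` regardless of owner, so the intended shape should be settled once (the `owner @{att}/...` form appears to be the majority) and applied to all five. A short comment on the pipewire rule, e.g. `# / and .flatpak-info are also read through the attached path when sandboxed`, would explain why both forms are kept here.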
+++ b/apparmor.d/groups/freedesktop/pipewire-pulse @@ -28,8 +28,8 @@ profile pipewire-pulse @{exec_path} flags=(attach_disconnected) { /var/lib/dbus/machine-id r, /etc/machine-id r, - / r, - /.flatpak-info r, + @{att}/ r, + owner @{att}/.flatpak-info r, owner @{run}/user/@{uid}/pulse/pid w, owner @{tmp}/librnnoise-@{int}.so rm, diff --git a/apparmor.d/groups/freedesktop/upowerd b/apparmor.d/groups/freedesktop/upowerd index e9b6f5c0..f832d285 100644 --- a/apparmor.d/groups/freedesktop/upowerd +++ b/apparmor.d/groups/freedesktop/upowerd @@ -41,7 +41,7 @@ profile upowerd @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/c13:@{int} r, # for /dev/input/* @{run}/udev/data/c116:@{int} r, # for ALSA - @{run}/systemd/inhibit/@{int}.ref rw, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, @{sys}/bus/hid/devices/ r, @{sys}/class/input/ r, diff --git a/apparmor.d/groups/freedesktop/xdg-dbus-proxy b/apparmor.d/groups/freedesktop/xdg-dbus-proxy index 6ebc2892..e51f21e1 100644 --- a/apparmor.d/groups/freedesktop/xdg-dbus-proxy +++ b/apparmor.d/groups/freedesktop/xdg-dbus-proxy @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/xdg-dbus-proxy profile xdg-dbus-proxy @{exec_path} flags=(attach_disconnected) { include + include include include include @@ -16,7 +17,6 @@ profile xdg-dbus-proxy @{exec_path} flags=(attach_disconnected) { include include include - include include network unix stream, @@ -31,7 +31,7 @@ profile xdg-dbus-proxy @{exec_path} flags=(attach_disconnected) { owner @{HOME}/.var/app/*/.local/share/*/logs/* rw, owner @{HOME}/.var/app/*/.local/share/*/**/usr/.ref rw, - @{run}/systemd/inhibit/@{int}.ref rw, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, owner @{run}/firejail/dbus/@{int}/@{int}-{system,user} rw, owner @{run}/flatpak/doc/** r, owner @{run}/user/@{uid}/.dbus-proxy/{system,session,a11y}-bus-proxy-@{rand6} rw, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal index 00cb35b6..eb450ee4 100644 
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal @@ -10,6 +10,7 @@ include profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { include include + include include include include @@ -61,8 +62,8 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { @{lib}/xdg-desktop-portal-validate-icon rPx, @{open_path} rPx -> child-open, - / r, - /.flatpak-info r, + / r, + @{att}/.flatpak-info r, /usr/share/dconf/profile/gdm r, /usr/share/xdg-desktop-portal/** r, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome index 9cbf81bc..944bbc20 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome @@ -9,6 +9,7 @@ include @{exec_path} = @{lib}/xdg-desktop-portal-gnome profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) { include + include include include include @@ -65,8 +66,6 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/task/@{tid}/ r, owner @{PROC}/@{pid}/task/@{tid}/status r, - owner /dev/tty@{int} rw, - include if exists } diff --git a/apparmor.d/groups/freedesktop/xdg-document-portal b/apparmor.d/groups/freedesktop/xdg-document-portal index f93a4f2b..e9f63dc5 100644 --- a/apparmor.d/groups/freedesktop/xdg-document-portal +++ b/apparmor.d/groups/freedesktop/xdg-document-portal @@ -9,6 +9,7 @@ include @{exec_path} = @{lib}/xdg-document-portal profile xdg-document-portal @{exec_path} flags=(attach_disconnected) { include + include include include include @@ -39,8 +40,8 @@ profile xdg-document-portal @{exec_path} flags=(attach_disconnected) { @{bin}/flatpak rPUx, @{bin}/fusermount{,3} rCx -> fusermount, - / r, - owner /.flatpak-info r, + owner @{att}/ r, + owner @{att}/.flatpak-info r, owner @{HOME}/ r, owner @{HOME}/*/{,**} rw, 
@@ -57,7 +58,6 @@ profile xdg-document-portal @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/fd/ r, /dev/fuse rw, - owner /dev/tty@{int} rw, profile fusermount flags=(attach_disconnected) { include @@ -83,7 +83,7 @@ profile xdg-document-portal @{exec_path} flags=(attach_disconnected) { @{PROC}/@{pids}/mounts r, /dev/fuse rw, - owner /dev/tty@{int} rw, + @{att}/dev/tty@{int} rw, include if exists } diff --git a/apparmor.d/groups/freedesktop/xdg-permission-store b/apparmor.d/groups/freedesktop/xdg-permission-store index 057c6420..298bc059 100644 --- a/apparmor.d/groups/freedesktop/xdg-permission-store +++ b/apparmor.d/groups/freedesktop/xdg-permission-store @@ -9,6 +9,7 @@ include @{exec_path} = @{lib}/xdg-permission-store profile xdg-permission-store @{exec_path} flags=(attach_disconnected) { include + include include include @@ -45,8 +46,6 @@ profile xdg-permission-store @{exec_path} flags=(attach_disconnected) { owner @{user_share_dirs}/flatpak/db/documents rw, owner @{user_share_dirs}/flatpak/db/notifications rw, - /dev/tty@{int} rw, - include if exists } diff --git a/apparmor.d/groups/freedesktop/xkbcomp b/apparmor.d/groups/freedesktop/xkbcomp index 941cc8f9..9ebecf6f 100644 --- a/apparmor.d/groups/freedesktop/xkbcomp +++ b/apparmor.d/groups/freedesktop/xkbcomp @@ -10,6 +10,7 @@ include @{exec_path} = @{bin}/xkbcomp profile xkbcomp @{exec_path} flags=(attach_disconnected) { include + include include include @@ -37,7 +38,6 @@ profile xkbcomp @{exec_path} flags=(attach_disconnected) { /dev/dri/card@{int} rw, /dev/fb@{int} rw, /dev/tty rw, - /dev/tty@{int} rw, deny /dev/input/event@{int} rw, deny /var/log/Xorg.@{int}.log w, diff --git a/apparmor.d/groups/freedesktop/xwayland b/apparmor.d/groups/freedesktop/xwayland index c2710eb8..05fb5a6f 100644 --- a/apparmor.d/groups/freedesktop/xwayland +++ b/apparmor.d/groups/freedesktop/xwayland 
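Review bot: In the fusermount child profile the replacement `@{att}/dev/tty@{int} rw,` drops the `owner` qualifier that the removed `owner /dev/tty@{int} rw,` had, so the helper may now open any user's virtual console instead of only its own. Restoring it as `owner @{att}/dev/tty@{int} rw,` keeps the previous restriction, or the child can include the same consoles abstraction the parent profile gains at the top of this file (its tty rule is owner-restricted), which child profiles do not inherit from the parent. The parent's own removal of `owner /dev/tty@{int} rw,` in the preceding hunk is fine on the assumption that the added include at line 9 covers it; the include target is not legible in this rendering.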
@@ -36,7 +36,7 @@ profile xwayland @{exec_path} flags=(attach_disconnected) { @{PROC}/@{pids}/cmdline r, - /dev/tty@{int} rw, + @{att}/dev/tty@{int} rw, /dev/tty rw, include if exists diff --git a/apparmor.d/groups/gnome/gdm-session-worker b/apparmor.d/groups/gnome/gdm-session-worker index 8f6770ec..731d1576 100644 --- a/apparmor.d/groups/gnome/gdm-session-worker +++ b/apparmor.d/groups/gnome/gdm-session-worker @@ -114,13 +114,13 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) { owner @{run}/gdm{3,}/dbus/ w, owner @{run}/gdm{3,}/dbus/dbus-@{rand8} w, + @{att}/@{run}/systemd/sessions/{,@{l}}@{int}.ref rw, @{run}/cockpit/active.motd r, @{run}/faillock/@{user} rwk, @{run}/fscrypt/ rw, @{run}/fscrypt/@{uid}.count rwk, @{run}/motd.d/{,*} r, @{run}/systemd/sessions/* r, - @{run}/systemd/sessions/*.ref rw, @{run}/systemd/users/@{uid} r, @{run}/utmp rwk, diff --git a/apparmor.d/groups/gnome/gjs-console b/apparmor.d/groups/gnome/gjs-console index 613be32d..20d5e48d 100644 --- a/apparmor.d/groups/gnome/gjs-console +++ b/apparmor.d/groups/gnome/gjs-console @@ -14,6 +14,7 @@ include @{exec_path} = @{bin}/gjs-console profile gjs-console @{exec_path} flags=(attach_disconnected) { include + include include include include @@ -85,7 +86,6 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) { /dev/ r, /dev/tty rw, - /dev/tty@{int} rw, include if exists } diff --git a/apparmor.d/groups/gnome/gnome-keyring-daemon b/apparmor.d/groups/gnome/gnome-keyring-daemon index 905c16b8..d0b84c1b 100644 --- a/apparmor.d/groups/gnome/gnome-keyring-daemon +++ b/apparmor.d/groups/gnome/gnome-keyring-daemon @@ -10,6 +10,7 @@ include @{exec_path} = @{bin}/gnome-keyring-daemon profile gnome-keyring-daemon @{exec_path} flags=(attach_disconnected) { include + include include include include diff --git a/apparmor.d/groups/gnome/gnome-music b/apparmor.d/groups/gnome/gnome-music index 834e6703..82be211f 100644 --- a/apparmor.d/groups/gnome/gnome-music 
+++ b/apparmor.d/groups/gnome/gnome-music @@ -48,7 +48,7 @@ profile gnome-music @{exec_path} flags=(attach_disconnected) { owner @{user_share_dirs}/grilo-plugins/ rwk, owner @{user_share_dirs}/grilo-plugins/*.db{,-shm,-journal,-wal} rwk, - @{run}/systemd/inhibit/@{int}.ref rw, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, owner @{tmp}/grilo-plugin-cache-[0-9A-Z]*/ rw, owner /var/tmp/etilqs_@{hex15} rw, diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary index 0825d418..995dbab6 100644 --- a/apparmor.d/groups/gnome/gnome-session-binary +++ b/apparmor.d/groups/gnome/gnome-session-binary @@ -79,9 +79,10 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { owner @{user_config_dirs}/gnome-session/ rw, owner @{user_config_dirs}/gnome-session/saved-session/ rw, - @{run}/systemd/inhibit/@{int}.ref rw, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + @{att}/@{run}/systemd/sessions/{,@{l}}@{int}.ref rw, + @{run}/systemd/sessions/* r, - @{run}/systemd/sessions/*.ref rw, @{run}/systemd/users/@{uid} r, owner @{run}/user/@{uid}/gnome-session-leader-fifo rw, owner @{run}/user/@{uid}/ICEauthority rw, @@ -104,6 +105,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { profile open flags=(attach_disconnected) { include + include include @{bin}/env rix, @@ -119,7 +121,6 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { /usr/games/** PUx, /dev/tty rw, - /dev/tty@{int} rw, include if exists include if exists diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index b83de9bf..227edc40 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -207,8 +207,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { /usr/share/xml/iso-codes/{,**} r, @{system_share_dirs}/gnome-shell/{,**} r, - / r, - /.flatpak-info r, /etc/fstab r, /etc/timezone r, /etc/tpm2-tss/*.json r, 
@@ -220,6 +218,9 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { /var/lib/flatpak/app/**/gnome-shell/{,**} r, /var/lib/flatpak/appstream/**/icons/** r, + owner @{att}/ r, + owner @{att}/.flatpak-info r, + owner @{GDM_HOME}/greeter-dconf-defaults r, owner @{gdm_cache_dirs}/ w, owner @{gdm_cache_dirs}/event-sound-cache.tdb.@{hex32}.@{multiarch} rwk, @@ -293,11 +294,12 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{tmp}/@{rand6}.shell-extension.zip rw, owner @{tmp}/gdkpixbuf-xpm-tmp.@{rand6} rw, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + @{run}/systemd/users/@{uid} r, @{run}/systemd/seats/seat@{int} r, @{run}/systemd/sessions/ r, @{run}/systemd/sessions/* r, - @{run}/systemd/inhibit/@{int}.ref rw, @{run}/udev/tags/seat/ r, @@ -365,9 +367,10 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{PROC}/@{pid}/task/@{tid}/comm rw, owner @{PROC}/@{pid}/task/@{tid}/stat r, - /dev/input/event@{int} rw, - /dev/media@{int} rw, - /dev/tty@{int} rw, + /dev/media@{int} rw, + /dev/tty@{int} rw, + @{att}/dev/dri/card@{int} rw, + @{att}/dev/input/event@{int} rw, profile shell flags=(attach_disconnected,mediate_deleted) { include diff --git a/apparmor.d/groups/gnome/gnome-software b/apparmor.d/groups/gnome/gnome-software index 4726881e..cddcb730 100644 --- a/apparmor.d/groups/gnome/gnome-software +++ b/apparmor.d/groups/gnome/gnome-software @@ -111,7 +111,7 @@ profile gnome-software @{exec_path} { owner /dev/shm/flatpak-com.*/ rw, owner /dev/shm/flatpak-com.*/.flatpak-tmpdir rw, - @{run}/systemd/inhibit/@{int}.ref rw, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, @{run}/systemd/sessions/@{int} r, @{run}/systemd/users/@{uid} r, diff --git a/apparmor.d/groups/gnome/gsd-a11y-settings b/apparmor.d/groups/gnome/gsd-a11y-settings index 86ca1bbf..cfbaa626 100644 --- a/apparmor.d/groups/gnome/gsd-a11y-settings +++ b/apparmor.d/groups/gnome/gsd-a11y-settings 
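Review bot: gnome-shell keeps a plain `/dev/tty@{int} rw,` (removed and re-added in this hunk) while adding `@{att}/dev/input/event@{int} rw,` and a new `@{att}/dev/dri/card@{int} rw,`, which is inconsistent with the rest of the patch where tty access moves to the owner-restricted attached consoles abstraction. Either the tty line should follow the same route (as `owner @{att}/dev/tty@{int} rw,` or the include) or a comment should say why the compositor needs non-owner access to every console. The `@{att}/dev/dri/card@{int}` rule has no removed counterpart in this hunk; if an unprefixed `/dev/dri/card@{int}` rule exists elsewhere in the profile (outside this hunk) a reader would expect the two side by side, so a comment or a move would help. The `/dev/media@{int} rw,` and `/dev/tty@{int} rw,` lines look identical before and after in this rendering, which reads as whitespace churn.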
@@ -9,6 +9,7 @@ include @{exec_path} = @{lib}/gsd-a11y-settings profile gsd-a11y-settings @{exec_path} flags=(attach_disconnected) { include + include include include include @@ -31,8 +32,6 @@ profile gsd-a11y-settings @{exec_path} flags=(attach_disconnected) { @{gdm_config_dirs}/dconf/user r, @{GDM_HOME}/greeter-dconf-defaults r, - owner /dev/tty@{int} rw, - include if exists } diff --git a/apparmor.d/groups/gnome/gsd-color b/apparmor.d/groups/gnome/gsd-color index 3f4895db..6ff47dcd 100644 --- a/apparmor.d/groups/gnome/gsd-color +++ b/apparmor.d/groups/gnome/gsd-color @@ -9,6 +9,7 @@ include @{exec_path} = @{lib}/gsd-color profile gsd-color @{exec_path} flags=(attach_disconnected) { include + include include include include @@ -49,8 +50,6 @@ profile gsd-color @{exec_path} flags=(attach_disconnected) { owner @{user_share_dirs}/icc/ rw, owner @{user_share_dirs}/icc/edid-*.icc rw, - owner /dev/tty@{int} rw, - include if exists } diff --git a/apparmor.d/groups/gnome/gsd-datetime b/apparmor.d/groups/gnome/gsd-datetime index b7a3e4bc..984f7c18 100644 --- a/apparmor.d/groups/gnome/gsd-datetime +++ b/apparmor.d/groups/gnome/gsd-datetime @@ -9,6 +9,7 @@ include @{exec_path} = @{lib}/gsd-datetime profile gsd-datetime @{exec_path} flags=(attach_disconnected) { include + include include include include @@ -49,8 +50,6 @@ profile gsd-datetime @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/fdinfo/@{int} r, owner @{PROC}/@{pid}/stat r, - owner /dev/tty@{int} rw, - include if exists } diff --git a/apparmor.d/groups/gnome/gsd-housekeeping b/apparmor.d/groups/gnome/gsd-housekeeping index f7d0f51a..288c29af 100644 --- a/apparmor.d/groups/gnome/gsd-housekeeping +++ b/apparmor.d/groups/gnome/gsd-housekeeping @@ -10,6 +10,7 @@ include profile gsd-housekeeping @{exec_path} flags=(attach_disconnected) { include include + include include include include 
@@ -46,8 +47,6 @@ profile gsd-housekeeping @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pids}/cgroup r, owner @{PROC}/@{pids}/mountinfo r, - owner /dev/tty@{int} rw, - include if exists } diff --git a/apparmor.d/groups/gnome/gsd-keyboard b/apparmor.d/groups/gnome/gsd-keyboard index baac36f8..87560b6f 100644 --- a/apparmor.d/groups/gnome/gsd-keyboard +++ b/apparmor.d/groups/gnome/gsd-keyboard @@ -9,6 +9,7 @@ include @{exec_path} = @{lib}/gsd-keyboard profile gsd-keyboard @{exec_path} flags=(attach_disconnected) { include + include include include include @@ -39,8 +40,6 @@ profile gsd-keyboard @{exec_path} flags=(attach_disconnected) { owner @{user_config_dirs}/.gsd-keyboard.settings-ported* rw, owner @{user_share_dirs}/gnome-settings-daemon/{,input-sources*} rw, - owner /dev/tty@{int} rw, - include if exists } diff --git a/apparmor.d/groups/gnome/gsd-media-keys b/apparmor.d/groups/gnome/gsd-media-keys index 6fee16f5..3c2ef3da 100644 --- a/apparmor.d/groups/gnome/gsd-media-keys +++ b/apparmor.d/groups/gnome/gsd-media-keys @@ -9,6 +9,7 @@ include @{exec_path} = @{lib}/gsd-media-keys profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { include + include include include include @@ -72,7 +73,7 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { owner @{user_share_dirs}/recently-used.xbel{,.*} rw, - @{run}/systemd/inhibit/@{int}.ref rw, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, @{run}/udev/data/+sound:card@{int} r, # For sound card @{run}/udev/data/c13:@{int} r, # for /dev/input/* @@ -86,8 +87,6 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { @{PROC}/1/cgroup r, owner @{PROC}/@{pid}/cgroup r, - owner /dev/tty@{int} rw, - include if exists } diff --git a/apparmor.d/groups/gnome/gsd-power b/apparmor.d/groups/gnome/gsd-power index 452d18af..97b31d6c 100644 --- a/apparmor.d/groups/gnome/gsd-power +++ b/apparmor.d/groups/gnome/gsd-power 
@@ -9,6 +9,7 @@ include @{exec_path} = @{lib}/gsd-power profile gsd-power @{exec_path} flags=(attach_disconnected) { include + include include include include @@ -60,7 +61,7 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/+drm:card@{int}-* r, # For screen outputs @{run}/udev/data/+leds:* r, - @{run}/systemd/inhibit/@{int}.ref rw, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, @{sys}/bus/ r, @{sys}/class/ r, @@ -83,8 +84,6 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) { @{PROC}/sys/kernel/osrelease r, owner @{PROC}/@{pid}/cgroup r, - owner /dev/tty@{int} rw, - include if exists } diff --git a/apparmor.d/groups/gnome/gsd-print-notifications b/apparmor.d/groups/gnome/gsd-print-notifications index bb047e91..2c8319bd 100644 --- a/apparmor.d/groups/gnome/gsd-print-notifications +++ b/apparmor.d/groups/gnome/gsd-print-notifications @@ -9,6 +9,7 @@ include @{exec_path} = @{lib}/gsd-print-notifications profile gsd-print-notifications @{exec_path} flags=(attach_disconnected) { include + include include include include @@ -38,8 +39,6 @@ profile gsd-print-notifications @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/fd/ r, - owner /dev/tty@{int} rw, - include if exists } diff --git a/apparmor.d/groups/gnome/gsd-printer b/apparmor.d/groups/gnome/gsd-printer index 4c485e17..9e67c8c7 100644 --- a/apparmor.d/groups/gnome/gsd-printer +++ b/apparmor.d/groups/gnome/gsd-printer @@ -9,6 +9,7 @@ include @{exec_path} = @{lib}/gsd-printer profile gsd-printer @{exec_path} flags=(attach_disconnected) { include + include include include include @@ -29,8 +30,6 @@ profile gsd-printer @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/cgroup r, - owner /dev/tty@{int} rw, - include if exists } diff --git a/apparmor.d/groups/gnome/gsd-rfkill b/apparmor.d/groups/gnome/gsd-rfkill index c7eb53e6..1fd4157e 100644 --- a/apparmor.d/groups/gnome/gsd-rfkill +++ b/apparmor.d/groups/gnome/gsd-rfkill 
@@ -9,6 +9,7 @@ include @{exec_path} = @{lib}/gsd-rfkill profile gsd-rfkill @{exec_path} flags=(attach_disconnected) { include + include include include include @@ -33,8 +34,6 @@ profile gsd-rfkill @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/c10:@{int} r, # for non-serial mice, misc features - owner /dev/tty@{int} rw, - /dev/rfkill rw, include if exists diff --git a/apparmor.d/groups/gnome/gsd-screensaver-proxy b/apparmor.d/groups/gnome/gsd-screensaver-proxy index 8115ca01..1ac54d0f 100644 --- a/apparmor.d/groups/gnome/gsd-screensaver-proxy +++ b/apparmor.d/groups/gnome/gsd-screensaver-proxy @@ -9,6 +9,7 @@ include @{exec_path} = @{lib}/gsd-screensaver-proxy profile gsd-screensaver-proxy @{exec_path} flags=(attach_disconnected) { include + include include include @@ -24,8 +25,6 @@ profile gsd-screensaver-proxy @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - owner /dev/tty@{int} rw, - include if exists } diff --git a/apparmor.d/groups/gnome/gsd-sharing b/apparmor.d/groups/gnome/gsd-sharing index a2fdf107..871e10ab 100644 --- a/apparmor.d/groups/gnome/gsd-sharing +++ b/apparmor.d/groups/gnome/gsd-sharing @@ -9,6 +9,7 @@ include @{exec_path} = @{lib}/gsd-sharing profile gsd-sharing @{exec_path} flags=(attach_disconnected) { include + include include include include @@ -44,8 +45,6 @@ profile gsd-sharing @{exec_path} flags=(attach_disconnected) { @{PROC}/1/cgroup r, owner @{PROC}/@{pid}/cgroup r, - owner /dev/tty@{int} rw, - include if exists } diff --git a/apparmor.d/groups/gnome/gsd-smartcard b/apparmor.d/groups/gnome/gsd-smartcard index 9cda7f5d..f93f0313 100644 --- a/apparmor.d/groups/gnome/gsd-smartcard +++ b/apparmor.d/groups/gnome/gsd-smartcard @@ -9,6 +9,7 @@ include @{exec_path} = @{lib}/gsd-smartcard profile gsd-smartcard @{exec_path} flags=(attach_disconnected) { include + include include include include 
@@ -42,8 +43,6 @@ profile gsd-smartcard @{exec_path} flags=(attach_disconnected) { owner @{HOME}/.tpm2_pkcs11/tpm2_pkcs11.sqlite3{,.lock} rwk, - owner /dev/tty@{int} rw, - include if exists } diff --git a/apparmor.d/groups/gnome/gsd-sound b/apparmor.d/groups/gnome/gsd-sound index ae484495..8c5e7891 100644 --- a/apparmor.d/groups/gnome/gsd-sound +++ b/apparmor.d/groups/gnome/gsd-sound @@ -9,6 +9,7 @@ include @{exec_path} = @{lib}/gsd-sound profile gsd-sound @{exec_path} flags=(attach_disconnected) { include + include include include include @@ -36,8 +37,6 @@ profile gsd-sound @{exec_path} flags=(attach_disconnected) { owner @{user_share_dirs}/sounds/ rw, - owner /dev/tty@{int} rw, - include if exists } diff --git a/apparmor.d/groups/gnome/gsd-wacom b/apparmor.d/groups/gnome/gsd-wacom index ff0dc419..f9c4ffb3 100644 --- a/apparmor.d/groups/gnome/gsd-wacom +++ b/apparmor.d/groups/gnome/gsd-wacom @@ -9,6 +9,7 @@ include @{exec_path} = @{lib}/gsd-wacom profile gsd-wacom @{exec_path} flags=(attach_disconnected) { include + include include include include @@ -32,8 +33,6 @@ profile gsd-wacom @{exec_path} flags=(attach_disconnected) { owner @{gdm_config_dirs}/dconf/user r, owner @{GDM_HOME}/greeter-dconf-defaults r, - owner /dev/tty@{int} rw, - include if exists } diff --git a/apparmor.d/groups/gnome/mutter-x11-frames b/apparmor.d/groups/gnome/mutter-x11-frames index 183e6cf4..4fe3bc06 100644 --- a/apparmor.d/groups/gnome/mutter-x11-frames +++ b/apparmor.d/groups/gnome/mutter-x11-frames @@ -9,6 +9,7 @@ include @{exec_path} = @{lib}/mutter-x11-frames profile mutter-x11-frames @{exec_path} flags=(attach_disconnected) { include + include include include include @@ -33,8 +34,6 @@ profile mutter-x11-frames @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/cmdline r, - owner /dev/tty@{int} rw, - include if exists } diff --git a/apparmor.d/groups/kde/kde-powerdevil b/apparmor.d/groups/kde/kde-powerdevil index 5af21ae7..d37b53dd 100644 
--- a/apparmor.d/groups/kde/kde-powerdevil +++ b/apparmor.d/groups/kde/kde-powerdevil @@ -45,7 +45,7 @@ profile kde-powerdevil @{exec_path} flags=(attach_disconnected mediate_deleted) owner @{user_config_dirs}/powermanagementprofilesrc.lock rwk, owner @{user_config_dirs}/powermanagementprofilesrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, - @{run}/systemd/inhibit/@{int}.ref rw, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, @{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/** owner @{run}/user/@{uid}kcrash_@{int} rw, diff --git a/apparmor.d/groups/kde/ksmserver b/apparmor.d/groups/kde/ksmserver index 3f95292f..61cd6724 100644 --- a/apparmor.d/groups/kde/ksmserver +++ b/apparmor.d/groups/kde/ksmserver @@ -66,7 +66,7 @@ profile ksmserver @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{tmp}/@{rand6} rw, - @{run}/systemd/inhibit/@{int}.ref rw, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, owner @{run}/user/@{uid}/KSMserver__[0-9] rw, /dev/tty r, diff --git a/apparmor.d/groups/kde/kwin_wayland b/apparmor.d/groups/kde/kwin_wayland index 0bd53e3a..9922eff9 100644 --- a/apparmor.d/groups/kde/kwin_wayland +++ b/apparmor.d/groups/kde/kwin_wayland @@ -99,7 +99,7 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) { owner /dev/shm/.org.chromium.Chromium.@{rand6} rw, - @{run}/systemd/inhibit/@{int}.ref rw, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, @{sys}/bus/ r, @{sys}/class/ r, diff --git a/apparmor.d/groups/network/ModemManager b/apparmor.d/groups/network/ModemManager index 9a780107..8ac535f1 100644 --- a/apparmor.d/groups/network/ModemManager +++ b/apparmor.d/groups/network/ModemManager @@ -34,7 +34,7 @@ profile ModemManager @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/c5:@{int} r, # for /dev/tty, /dev/console, /dev/ptmx @{run}/udev/data/n@{int} r, - @{run}/systemd/inhibit/@{int}.ref rw, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, @{sys}/bus/ r, @{sys}/bus/usb/devices/ r, 
diff --git a/apparmor.d/groups/network/NetworkManager b/apparmor.d/groups/network/NetworkManager index ff317ec9..e20ea48b 100644 --- a/apparmor.d/groups/network/NetworkManager +++ b/apparmor.d/groups/network/NetworkManager @@ -95,7 +95,8 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { /usr/share/gvfs/remote-volume-monitors/{,*.monitor} r, /usr/share/iproute2/{,**} r, - / r, + @{att}/ r, + /etc/ r, /etc/iproute2/* r, /etc/machine-id r, @@ -115,11 +116,12 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { @{sys}/class/net/rfkill/ r, @{sys}/class/rfkill/ r, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + @{run}/network/ifstate r, @{run}/NetworkManager/{,**} rw, @{run}/nm-*.pid rw, @{run}/nscd/db* rwl, - @{run}/systemd/inhibit/@{int}.ref rw, @{run}/systemd/users/@{uid} r, @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) @{run}/udev/data/+platform:* r, diff --git a/apparmor.d/groups/network/mullvad-gui b/apparmor.d/groups/network/mullvad-gui index b5346964..e1c55c7e 100644 --- a/apparmor.d/groups/network/mullvad-gui +++ b/apparmor.d/groups/network/mullvad-gui @@ -32,7 +32,7 @@ profile mullvad-gui @{exec_path} flags=(attach_disconnected) { owner @{tmp}/.org.chromium.Chromium.@{rand6}/@{name}*.png rw, - @{run}/systemd/inhibit/@{int}.ref rw, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, /dev/tty rw, diff --git a/apparmor.d/groups/ssh/sshd b/apparmor.d/groups/ssh/sshd index 29cc3843..2f704fb3 100644 --- a/apparmor.d/groups/ssh/sshd +++ b/apparmor.d/groups/ssh/sshd 
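Review bot: `+ /etc/ r,` in the NetworkManager hunk at -95 is a new permission unrelated to the `@{att}` prefix migration, and the dockerd hunk at -85 likewise turns `owner @{lib}/containerd/** w,` into `owner @{att}/@{lib}/containerd/** rw,`, adding read access under cover of the path change. Neither addition is mentioned in the commit message; either move them to their own commit or list them in the description so a later audit of the previously write-only containerd rule does not mis-attribute the widening. If the read was observed as a denial, a trailing comment on the dockerd line, `# read needed for <observed reason>`, would document it.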
@@ -97,12 +97,13 @@ profile sshd @{exec_path} flags=(attach_disconnected) { owner @{HOME}/@{XDG_SSH_DIR}/authorized_keys{,.*} r, owner @{user_cache_dirs}/{,motd*} rw, + @{att}/@{run}/systemd/sessions/@{int}.ref rw, + @{run}/faillock/@{user} rwk, @{run}/motd.d/{,*} r, @{run}/motd.dynamic rw, @{run}/motd.dynamic.new rw, @{run}/systemd/notify w, - @{run}/systemd/sessions/*.ref rw, owner @{run}/sshd{,.init}.pid wl, @{sys}/fs/cgroup/*/user/*/@{int}/ rw, diff --git a/apparmor.d/groups/systemd/systemd-inhibit b/apparmor.d/groups/systemd/systemd-inhibit index 9938015d..2be38e6b 100644 --- a/apparmor.d/groups/systemd/systemd-inhibit +++ b/apparmor.d/groups/systemd/systemd-inhibit @@ -20,7 +20,7 @@ profile systemd-inhibit @{exec_path} flags=(attach_disconnected) { @{bin}/cat rix, - @{run}/systemd/inhibit/@{int}.ref rw, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, include if exists } diff --git a/apparmor.d/groups/systemd/systemd-networkd b/apparmor.d/groups/systemd/systemd-networkd index b4d13794..f38564ae 100644 --- a/apparmor.d/groups/systemd/systemd-networkd +++ b/apparmor.d/groups/systemd/systemd-networkd @@ -50,9 +50,9 @@ profile systemd-networkd @{exec_path} flags=(attach_disconnected) { /etc/networkd-dispatcher/carrier.d/{,*} r, - / r, + @{att}/ r, - owner /var/lib/systemd/network/ r, + owner @{att}/var/lib/systemd/network/ r, @{run}/systemd/network/ r, @{run}/systemd/network/*.network r, diff --git a/apparmor.d/groups/ubuntu/update-manager b/apparmor.d/groups/ubuntu/update-manager index 8fb71732..119ac517 100644 --- a/apparmor.d/groups/ubuntu/update-manager +++ b/apparmor.d/groups/ubuntu/update-manager @@ -71,7 +71,7 @@ profile update-manager @{exec_path} flags=(attach_disconnected) { owner @{user_cache_dirs}/update-manager-core/{,**} rw, - @{run}/systemd/inhibit/@{int}.ref rw, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, @{PROC}/@{pids}/mountinfo r, owner @{PROC}/@{pid}/fd/ r, 
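Review bot: The rewritten rule `@{att}/@{run}/systemd/sessions/@{int}.ref rw,` narrows the old `*.ref` glob to integer session ids. logind falls back to `c<N>`-style ids when no audit session id is available (kernels without audit, some containers), so sshd logins on such hosts may start hitting denials on the session ref fd; consider keeping `*.ref` or allowing both forms, `@{att}/@{run}/systemd/sessions/{,c}@{int}.ref rw,`. The sshd profile body continues outside the hunk.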
diff --git a/apparmor.d/groups/virt/dockerd b/apparmor.d/groups/virt/dockerd index 6b1616e9..cfbd2d7b 100644 --- a/apparmor.d/groups/virt/dockerd +++ b/apparmor.d/groups/virt/dockerd @@ -85,9 +85,9 @@ profile dockerd @{exec_path} flags=(attach_disconnected) { /etc/docker/{,**} r, - / r, + @{att}/ r, - owner @{lib}/containerd/** w, + owner @{att}/@{lib}/containerd/** rw, owner @{lib}/docker/overlay2/*/work/{,**} rw, owner /var/lib/containerd/** rw, owner /var/lib/docker/{,**} rwk, diff --git a/apparmor.d/groups/virt/libvirtd b/apparmor.d/groups/virt/libvirtd index e1aa55d5..db6d5d37 100644 --- a/apparmor.d/groups/virt/libvirtd +++ b/apparmor.d/groups/virt/libvirtd @@ -153,11 +153,12 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { @{user_vm_dirs}/{,**} rwk, @{user_publicshare_dirs}/{,**} rwk, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + @{run}/libvirt/ rw, @{run}/libvirt/** rwk, @{run}/libvirtd.pid wk, @{run}/lock/LCK.._pts_@{int} rw, - @{run}/systemd/inhibit/@{int}.ref rw, @{run}/systemd/notify w, @{run}/utmp rk, diff --git a/apparmor.d/groups/virt/virtinterfaced b/apparmor.d/groups/virt/virtinterfaced index 8ef827a1..4737dd80 100644 --- a/apparmor.d/groups/virt/virtinterfaced +++ b/apparmor.d/groups/virt/virtinterfaced @@ -20,7 +20,7 @@ profile virtinterfaced @{exec_path} flags=(attach_disconnected) { @{lib}/gconv/gconv-modules rm, @{lib}/gconv/gconv-modules.d/{,*} r, - @{run}/systemd/inhibit/@{int}.ref rw, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, owner @{run}/user/@{uid}/libvirt/common/system.token rwk, owner @{run}/user/@{uid}/libvirt/interface/ rw, owner @{run}/user/@{uid}/libvirt/interface/run/{,*} rwk, diff --git a/apparmor.d/groups/virt/virtlogd b/apparmor.d/groups/virt/virtlogd index 095084ef..44bf06ba 100644 --- a/apparmor.d/groups/virt/virtlogd +++ b/apparmor.d/groups/virt/virtlogd 
@@ -28,9 +28,10 @@ profile virtlogd @{exec_path} flags=(attach_disconnected) { owner @{run}/user/@{uid}/libvirt/virtlogd.pid rwk, owner @{run}/user/@{uid}/libvirt/virtlogd* w, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + @{run}/libvirt/common/system.token rwk, @{run}/libvirt/virtlogd-sock rw, - @{run}/systemd/inhibit/@{int}.ref rw, @{run}/virtlogd.pid rwk, @{sys}/devices/system/node/ r, diff --git a/apparmor.d/groups/virt/virtnetworkd b/apparmor.d/groups/virt/virtnetworkd index 2ed2a73f..42e13ef6 100644 --- a/apparmor.d/groups/virt/virtnetworkd +++ b/apparmor.d/groups/virt/virtnetworkd @@ -24,8 +24,9 @@ profile virtnetworkd @{exec_path} flags=(attach_disconnected) { owner /var/lib/libvirt/dnsmasq/*.macs* rw, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + @{run}/libvirt/network/default.pid r, - @{run}/systemd/inhibit/@{int}.ref rw, @{run}/utmp rk, owner @{run}/libvirt/common/system.token rwk, owner @{run}/libvirt/network/{,**} rwk, diff --git a/apparmor.d/groups/virt/virtnodedevd b/apparmor.d/groups/virt/virtnodedevd index c0498c6c..0b48d63f 100644 --- a/apparmor.d/groups/virt/virtnodedevd +++ b/apparmor.d/groups/virt/virtnodedevd @@ -32,7 +32,8 @@ profile virtnodedevd @{exec_path} flags=(attach_disconnected) { /etc/libvirt/*.conf r, /etc/mdevctl.d/{,**} r, - @{run}/systemd/inhibit/@{int}.ref rw, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + owner @{run}/libvirt/common/system.token rwk, owner @{run}/libvirt/nodedev/ rw, owner @{run}/libvirt/nodedev/driver.pid wk, diff --git a/apparmor.d/groups/virt/virtsecretd b/apparmor.d/groups/virt/virtsecretd index 58e228d5..9b3e7dda 100644 --- a/apparmor.d/groups/virt/virtsecretd +++ b/apparmor.d/groups/virt/virtsecretd 
@@ -20,7 +20,8 @@ profile virtsecretd @{exec_path} flags=(attach_disconnected) { owner @{user_config_dirs}/libvirt/secrets/ rw, owner @{user_config_dirs}/libvirt/secrets/run/{,*} rwk, - @{run}/systemd/inhibit/@{int}.ref rw, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + owner @{run}/user/@{uid}/libvirt/common/system.token rwk, owner @{run}/user/@{uid}/libvirt/secrets/ rw, owner @{run}/user/@{uid}/libvirt/secrets/run/{,*} rwk, diff --git a/apparmor.d/groups/virt/virtstoraged b/apparmor.d/groups/virt/virtstoraged index 847140a5..00565fcf 100644 --- a/apparmor.d/groups/virt/virtstoraged +++ b/apparmor.d/groups/virt/virtstoraged @@ -54,7 +54,8 @@ profile virtstoraged @{exec_path} flags=(attach_disconnected) { owner @{run}/libvirt/storage/{,**} rwk, owner @{run}/virtstoraged.pid rwk, - @{run}/systemd/inhibit/@{int}.ref rw, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + @{run}/utmp rwk, @{sys}/devices/system/node/ r, diff --git a/apparmor.d/groups/xfce/xfce-power-manager b/apparmor.d/groups/xfce/xfce-power-manager index ff78b6f1..1c2a0263 100644 --- a/apparmor.d/groups/xfce/xfce-power-manager +++ b/apparmor.d/groups/xfce/xfce-power-manager @@ -21,7 +21,7 @@ profile xfce-power-manager @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/stat r, - @{run}/systemd/inhibit/@{int}.ref rw, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, include if exists } diff --git a/apparmor.d/groups/xfce/xfce-screensaver b/apparmor.d/groups/xfce/xfce-screensaver index ce0a7661..e486ac6d 100644 --- a/apparmor.d/groups/xfce/xfce-screensaver +++ b/apparmor.d/groups/xfce/xfce-screensaver @@ -25,7 +25,7 @@ profile xfce-screensaver @{exec_path} flags=(attach_disconnected) { /etc/xdg/menus/xfce4-screensavers.menu r, - @{run}/systemd/inhibit/@{int}.ref rw, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, include if exists } diff --git a/apparmor.d/profiles-a-f/flatpak-portal b/apparmor.d/profiles-a-f/flatpak-portal index 3f3d1e28..8a8d2b90 100644 
--- a/apparmor.d/profiles-a-f/flatpak-portal +++ b/apparmor.d/profiles-a-f/flatpak-portal @@ -31,8 +31,8 @@ profile flatpak-portal @{exec_path} flags=(attach_disconnected) { /var/lib/flatpak/exports/share/mime/mime.cache r, - / r, - /.flatpak-info r, + owner @{att}/ r, + owner @{att}/.flatpak-info r, owner @{HOME}/.var/app/*/**/.ref rw, owner @{HOME}/.var/app/*/**/logs/* rw, diff --git a/apparmor.d/profiles-a-f/foliate b/apparmor.d/profiles-a-f/foliate index b1c48540..42265208 100644 --- a/apparmor.d/profiles-a-f/foliate +++ b/apparmor.d/profiles-a-f/foliate @@ -40,7 +40,7 @@ profile foliate @{exec_path} flags=(attach_disconnected) { /usr/share/com.github.johnfactotum.Foliate/{,**} r, owner /bindfile@{rand6} rw, - owner /.flatpak-info r, + owner @{att}/.flatpak-info r, owner @{user_books_dirs}/{,**} r, owner @{user_torrents_dirs}/{,**} r, diff --git a/apparmor.d/profiles-a-f/fprintd b/apparmor.d/profiles-a-f/fprintd index 9a0d4058..b3034dfe 100644 --- a/apparmor.d/profiles-a-f/fprintd +++ b/apparmor.d/profiles-a-f/fprintd @@ -27,8 +27,9 @@ profile fprintd @{exec_path} flags=(attach_disconnected) { /var/lib/fprint/{,**} rw, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + @{run}/systemd/journal/socket rw, - @{run}/systemd/inhibit/@{int}.ref rw, @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 @{sys}/class/hidraw/ r, diff --git a/apparmor.d/profiles-a-f/fwupd b/apparmor.d/profiles-a-f/fwupd index 7c1f2024..9ac0e21e 100644 --- a/apparmor.d/profiles-a-f/fwupd +++ b/apparmor.d/profiles-a-f/fwupd @@ -94,11 +94,12 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) { @{sys}/kernel/security/tpm[0-9]/binary_bios_measurements r, @{sys}/power/mem_sleep r, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + @{run}/motd.d/ r, @{run}/motd.d/@{int}-fwupd* rw, @{run}/motd.d/fwupd/{,**} rw, @{run}/mount/utab r, - @{run}/systemd/inhibit/@{int}.ref rw, @{run}/udev/data/* r, @{PROC}/@{pids}/fd/ r, 
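Review bot: Adding `owner` to `@{att}/ r,` and `@{att}/.flatpak-info r,` in the flatpak-portal hunk at -31 changes more than the prefix: while `@{att}` is still `/`, `owner / r,` no longer matches the real root (root-owned, whereas flatpak-portal runs as the user), so only a user-owned disconnected root such as a bwrap tmpfs would match. If that is the intent, a one-line comment would stop the next reader from "fixing" it: `# only the sandbox's attached root and its .flatpak-info are read; both are user-owned`. Otherwise a denial on `/` is likely to reappear once the profile is enforced.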
diff --git a/apparmor.d/profiles-g-l/linuxqq b/apparmor.d/profiles-g-l/linuxqq index 497595e3..c4bf64d7 100644 --- a/apparmor.d/profiles-g-l/linuxqq +++ b/apparmor.d/profiles-g-l/linuxqq @@ -35,7 +35,7 @@ profile linuxqq @{exec_path} flags=(attach_disconnected) { /etc/machine-id r, - @{run}/systemd/inhibit/@{int}.ref rw, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, @{run}/utmp r, owner @{PROC}/@{pid}/loginuid r, diff --git a/apparmor.d/profiles-m-r/mission-control b/apparmor.d/profiles-m-r/mission-control index efe44ebc..b8e79c0d 100644 --- a/apparmor.d/profiles-m-r/mission-control +++ b/apparmor.d/profiles-m-r/mission-control @@ -25,7 +25,7 @@ profile mission-control @{exec_path} flags=(attach_disconnected) { owner @{user_config_dirs}/libaccounts-glib/accounts.db{,-shm,-wal} rwk, owner @{user_cache_dirs}/.mc_connections rw, - @{run}/systemd/inhibit/@{int}.ref rw, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, include if exists } diff --git a/apparmor.d/profiles-m-r/nvtop b/apparmor.d/profiles-m-r/nvtop index aed19fa5..88a164c0 100644 --- a/apparmor.d/profiles-m-r/nvtop +++ b/apparmor.d/profiles-m-r/nvtop @@ -23,7 +23,8 @@ profile nvtop @{exec_path} flags=(attach_disconnected) { owner @{user_config_dirs}/nvtop/{,**} rw, - @{run}/systemd/inhibit/@{int}.ref rw, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + @{run}/udev/data/+drm:card@{int}-* r, # for screen outputs @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) @{run}/udev/data/c226:@{int} r, # For /dev/dri/card* diff --git a/apparmor.d/profiles-m-r/packagekitd b/apparmor.d/profiles-m-r/packagekitd index 3eb16caa..b97c5e9a 100644 --- a/apparmor.d/profiles-m-r/packagekitd +++ b/apparmor.d/profiles-m-r/packagekitd 
@@ -94,7 +94,8 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) { owner @{tmp}/apt-changelog-@{rand6}/.apt-acquire-privs-test.@{rand6} rw, owner @{tmp}/packagekit* rw, - @{run}/systemd/inhibit/@{int}.ref rw, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + owner @{run}/systemd/users/@{uid} r, #aa:only opensuse diff --git a/apparmor.d/profiles-m-r/psi b/apparmor.d/profiles-m-r/psi index ed6544c3..33435fa8 100644 --- a/apparmor.d/profiles-m-r/psi +++ b/apparmor.d/profiles-m-r/psi @@ -57,7 +57,7 @@ profile psi @{exec_path} { owner @{tmp}/etilqs_@{hex16} rw, owner @{tmp}/Psi.* rwl -> /tmp/#@{int}, - @{run}/systemd/inhibit/@{int}.ref rw, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/mountinfo r, diff --git a/apparmor.d/profiles-m-r/psi-plus b/apparmor.d/profiles-m-r/psi-plus index c7f310ac..32c05e55 100644 --- a/apparmor.d/profiles-m-r/psi-plus +++ b/apparmor.d/profiles-m-r/psi-plus @@ -57,7 +57,7 @@ profile psi-plus @{exec_path} { owner @{tmp}/etilqs_@{hex16} rw, owner @{tmp}/Psi+.* rwl -> /tmp/#@{int}, - @{run}/systemd/inhibit/@{int}.ref rw, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/mountinfo r, diff --git a/apparmor.d/profiles-s-z/signal-desktop b/apparmor.d/profiles-s-z/signal-desktop index 972f111f..b905e8f3 100644 --- a/apparmor.d/profiles-s-z/signal-desktop +++ b/apparmor.d/profiles-s-z/signal-desktop @@ -40,7 +40,7 @@ profile signal-desktop @{exec_path} { audit @{lib_dirs}/chrome-sandbox rPx, @{lib_dirs}/chrome_crashpad_handler rix, - @{run}/systemd/inhibit/@{int}.ref rw, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, @{sys}/fs/cgroup/user.slice/cpu.max r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, diff --git a/apparmor.d/profiles-s-z/spice-vdagent b/apparmor.d/profiles-s-z/spice-vdagent index f0731fd6..79204827 100644 --- a/apparmor.d/profiles-s-z/spice-vdagent +++ b/apparmor.d/profiles-s-z/spice-vdagent 
@@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/spice-vdagent profile spice-vdagent @{exec_path} flags=(attach_disconnected) { include + include include include include @@ -46,8 +47,6 @@ profile spice-vdagent @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pids}/task/@{tid}/comm rw, - owner /dev/tty@{int} rw, - include if exists } diff --git a/apparmor.d/profiles-s-z/steam b/apparmor.d/profiles-s-z/steam index 3ad53cf0..e864663b 100644 --- a/apparmor.d/profiles-s-z/steam +++ b/apparmor.d/profiles-s-z/steam @@ -174,12 +174,12 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{tmp}/steam@{rand6}/{,**} rw, owner @{tmp}/vdpau-drivers-@{rand6}/{,**} rw, + owner @{att}/dev/shm/ValveIPCSHM_@{uid} rw, owner /dev/shm/fossilize-*-@{int}-@{int} rw, owner /dev/shm/u@{uid}-Shm_@{hex6} rw, owner /dev/shm/u@{uid}-Shm_@{hex6}@{h} rw, owner /dev/shm/u@{uid}-Shm_@{hex8} rw, owner /dev/shm/u@{uid}-ValveIPCSharedObj-Steam rwk, - owner /dev/shm/ValveIPCSHM_@{uid} rw, owner @{run}/user/@{uid}/ r, diff --git a/apparmor.d/profiles-s-z/superproductivity b/apparmor.d/profiles-s-z/superproductivity index 91ceef33..c0b94047 100644 --- a/apparmor.d/profiles-s-z/superproductivity +++ b/apparmor.d/profiles-s-z/superproductivity @@ -29,7 +29,7 @@ profile superproductivity @{exec_path} flags=(attach_disconnected) { @{bin}/speech-dispatcher rPx, @{open_path} rPx -> child-open-strict, - @{run}/systemd/inhibit/@{int}.ref rw, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, include if exists } diff --git a/apparmor.d/profiles-s-z/udisksd b/apparmor.d/profiles-s-z/udisksd index af2eec34..b89d9c72 100644 --- a/apparmor.d/profiles-s-z/udisksd +++ b/apparmor.d/profiles-s-z/udisksd 
@@ -104,11 +104,12 @@ profile udisksd @{exec_path} flags=(attach_disconnected) { @{MOUNTS}/ rw, @{MOUNTS}/*/ rw, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + @{run}/ r, @{run}/mount/utab{,.*} rwk, @{run}/udisks2/{,**} rw, @{run}/systemd/seats/seat@{int} r, - @{run}/systemd/inhibit/@{int}.ref rw, @{run}/cryptsetup/ r, @{run}/cryptsetup/L* rwk, diff --git a/apparmor.d/profiles-s-z/uname b/apparmor.d/profiles-s-z/uname index 7c5cb0cb..45a864c2 100644 --- a/apparmor.d/profiles-s-z/uname +++ b/apparmor.d/profiles-s-z/uname @@ -14,7 +14,7 @@ profile uname @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - /dev/tty@{int} rw, + @{att}/dev/tty@{int} rw, deny network, deny owner @{user_share_dirs}/gvfs-metadata/* r, diff --git a/apparmor.d/profiles-s-z/wechat-universal b/apparmor.d/profiles-s-z/wechat-universal index 55d4a555..f29df13d 100644 --- a/apparmor.d/profiles-s-z/wechat-universal +++ b/apparmor.d/profiles-s-z/wechat-universal @@ -46,7 +46,7 @@ profile wechat-universal @{exec_path} flags=(attach_disconnected) { owner @{HOME}/.xwechat/{,**} rwk, owner @{HOME}/.sys1og.conf rw, - @{run}/systemd/inhibit/@{int}.ref rw, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, @{run}/utmp r, @{PROC}/@{pid}/net/route r, diff --git a/apparmor.d/profiles-s-z/xbrlapi b/apparmor.d/profiles-s-z/xbrlapi index 35006d46..f40b4fa6 100644 --- a/apparmor.d/profiles-s-z/xbrlapi +++ b/apparmor.d/profiles-s-z/xbrlapi @@ -9,14 +9,13 @@ include @{exec_path} = @{bin}/xbrlapi profile xbrlapi @{exec_path} flags=(attach_disconnected) { include + include network inet stream, network inet6 stream, @{exec_path} mr, - /dev/tty@{int} rw, - include if exists } diff --git a/apparmor.d/tunables/multiarch.d/system b/apparmor.d/tunables/multiarch.d/system index 2218a3dd..be37123f 100644 --- a/apparmor.d/tunables/multiarch.d/system +++ b/apparmor.d/tunables/multiarch.d/system 
@@ -151,7 +151,6 @@ @{dynamic}=23[4-9] 24[0-9] 25[0-4] # range 234 to 254 @{dynamic}+=38[4-9] 39[0-9] 4[0-9][0-9] 50[0-9] 51[0-1] # range 384 to 511 -#aa:only abi3 # Attachment path for attach_disconnected.path flag. # Automatically generated and set in profile preamble on ABI4. Disabled on ABI3. @{att}=/
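Review bot: Dropping `#aa:only abi3` makes the `@{att}=/` default unconditional, which is needed now that dozens of profiles reference `@{att}`, but the comment then contradicts itself: "set in profile preamble on ABI4" alongside a global definition means two assignments of the same variable on ABI4, and apparmor_parser rejects re-assigning a variable with `=`. Presumably the ABI4 build removes or rewrites this line before compiling; that should be stated so nobody re-adds the directive. Suggested wording: `# Attachment path for the attach_disconnected.path flag. Defaults to / so that @{att}/... rules equal the plain path; on ABI4 the build sets it per profile in the preamble, on ABI3 the feature stays disabled.`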