From 66c8f42d94b27974842a555e40df302d8b214561 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Tue, 7 May 2024 17:41:34 +0100
Subject: [PATCH] feat(tunable): add the new @{user} variable

---
 apparmor.d/profiles-a-f/arduino | 4 ++--
 apparmor.d/profiles-g-l/hardinfo | 4 ++--
 apparmor.d/profiles-g-l/jdownloader | 4 ++--
 apparmor.d/tunables/multiarch.d/system | 7 ++++++-
 4 files changed, 12 insertions(+), 7 deletions(-)

diff --git a/apparmor.d/profiles-a-f/arduino b/apparmor.d/profiles-a-f/arduino
index 16d4fcad..d92b5dce 100644
--- a/apparmor.d/profiles-a-f/arduino
+++ b/apparmor.d/profiles-a-f/arduino
@@ -68,8 +68,8 @@ profile arduino @{exec_path} {
 /tmp/ r,
 owner @{tmp}/cc*.{s,res,c,o,ld,le} rw,
- owner @{tmp}/hsperfdata_*/ rw,
- owner @{tmp}/hsperfdata_*/@{pid} rw,
+ owner @{tmp}/hsperfdata_@{user}/ rw,
+ owner @{tmp}/hsperfdata_@{user}/@{pid} rw,
 owner @{tmp}/untitled[0-9]*.tmp rw,
 owner @{tmp}/untitled[0-9]*.tmp/{,**} rw,
 owner @{tmp}/console[0-9]*.tmp rw,
diff --git a/apparmor.d/profiles-g-l/hardinfo b/apparmor.d/profiles-g-l/hardinfo
index 8e727c75..02dd62dc 100644
--- a/apparmor.d/profiles-g-l/hardinfo
+++ b/apparmor.d/profiles-g-l/hardinfo
@@ -154,8 +154,8 @@ profile hardinfo @{exec_path} {
 @{sys}/fs/cgroup/{,**} r,
- owner @{tmp}/hsperfdata_*/ rw,
- owner @{tmp}/hsperfdata_*/@{pid} rw,
+ owner @{tmp}/hsperfdata_@{user}/ rw,
+ owner @{tmp}/hsperfdata_@{user}/@{pid} rw,
 }
diff --git a/apparmor.d/profiles-g-l/jdownloader b/apparmor.d/profiles-g-l/jdownloader
index e65add8e..27981fe7 100644
--- a/apparmor.d/profiles-g-l/jdownloader
+++ b/apparmor.d/profiles-g-l/jdownloader
@@ -61,8 +61,8 @@ profile jdownloader @{exec_path} {
 owner @{HOME}/.install4j rw,
- owner @{tmp}/hsperfdata_*/ rw,
- owner @{tmp}/hsperfdata_*/@{pid} rw,
+ owner @{tmp}/hsperfdata_@{user}/ rw,
+ owner @{tmp}/hsperfdata_@{user}/@{pid} rw,
 # If the @{JD_INSTALLDIR}/tmp/ dir can't be accessed, the /tmp/ dir will be used instead
 owner @{tmp}/SevenZipJBinding-*/ rw,
 owner @{tmp}/SevenZipJBinding-*/lib7-Zip-JBinding.so mrw,
diff --git a/apparmor.d/tunables/multiarch.d/system b/apparmor.d/tunables/multiarch.d/system
index ef842a44..4a08a431 100644
--- a/apparmor.d/tunables/multiarch.d/system
+++ b/apparmor.d/tunables/multiarch.d/system
@@ -33,6 +33,11 @@
 # Universally unique identifier
 @{uuid}=@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}[-_]@{h}@{h}@{h}@{h}[-_]@{h}@{h}@{h}@{h}[-_]@{h}@{h}@{h}@{h}[-_]@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}
+# Username & group valid characters
+@{u}=[a-z0-9_]
+@{user}=[a-z_]{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}
+@{group}=@{user}
+
 # Shortcut for PCI device
 @{pci_id}=@{h}@{h}@{h}@{h}:@{h}@{h}:@{h}@{h}.@{h}
 @{pci_bus}=pci@{h}@{h}@{h}@{h}:@{h}@{h}
@@ -48,7 +53,7 @@
 # @{MOUNTDIRS} is a space-separated list of where user mount directories
 # are stored, for programs that must enumerate all mount directories on a
 # system.
-@{MOUNTDIRS}=/media/ @{run}/media/*/ /mnt/
+@{MOUNTDIRS}=/media/ @{run}/media/@{user}/ /mnt/
 # @{MOUNTS} is a space-separated list of all user mounted directories.
 @{MOUNTS}=@{MOUNTDIRS}/*/ @{run}/user/@{uid}/gvfs/
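Review bot: Narrowing `hsperfdata_*` to `hsperfdata_@{user}` on the two `+` lines ties these rules to the tunable's character class, so an account whose login name contains a character outside `[a-z0-9_]` (a hyphen, which common distribution defaults accept, or an uppercase letter) would have the JVM's perf-data directory denied where `*` previously matched; the same change is made in the hardinfo and jdownloader hunks. Because the rules already carry `owner`, the tighter glob is defence in depth against a badly named sibling directory rather than a fix for cross-user access, so the regression cost for such accounts is worth weighing against that gain. If the restriction is kept, a comment above the first `+` line such as `# hsperfdata_<login name>: names outside @{user} are denied on purpose` would let the resulting audit DENIED event be traced back to this decision. The arduino profile's body continues outside the hunk.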
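Review bot: The comment on the first `+` line of the `@@ -33,6 +33,11 @@` hunk does not state the two constraints `@{user}` actually encodes — a first character from `[a-z_]` followed by what appears to be 31 optional `@{u}` characters, i.e. a 32-character maximum — so a maintainer replacing `*` with it in a profile cannot see at a glance which login names fall outside the pattern. Hyphens are absent from `@{u}`, and some distributions accept them in user and group names by default, so such accounts stop matching wherever `@{user}` is substituted, including `@{run}/media/@{user}/` in the `@{MOUNTDIRS}` hunk below. Suggest expanding the comment to `# Username & group valid characters: [a-z_] then up to 31 of @{u} (32 chars, the usual useradd limit); hyphens are not accepted` and recording explicitly whether `-` was left out of `@{u}` on purpose. `@{group}=@{user}` inherits the same limits, so the comment should say it applies to both.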