feat(profiles): make profile entrypoint more universal.

2025-01-18 00:48:10 +01:00 · 2023-02-04 23:28:17 +00:00 · 2023-02-04 23:28:17 +00:00 · 6e56cfccc9
commit 6e56cfccc9
parent e031c129ed
70 changed files with 122 additions and 147 deletions
--- a/apparmor.d/groups/browsers/firefox
+++ b/apparmor.d/groups/browsers/firefox
@ -8,7 +8,7 @@ abi <abi/3.0>,
 include <tunables/global>
@{firefox_name} = firefox{,-esr}
-@{firefox_lib_dirs} = /{usr/,}lib{,32,64}/@{firefox_name}/ /opt/@{firefox_name}/
+@{firefox_lib_dirs} = /{usr/,}lib{,32,64}/@{firefox_name} /opt/@{firefox_name}
@{firefox_config_dirs} = @{HOME}/.mozilla/
@{firefox_cache_dirs} = @{user_cache_dirs}/mozilla/
--- a/apparmor.d/groups/bus/dbus-daemon
+++ b/apparmor.d/groups/bus/dbus-daemon
@ -38,8 +38,10 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) {
  @{exec_path} mr,
-  /{usr/,}bin/ r,
+  @{libexec}/{,at-spi2{,-core}/}at-spi2-registryd                         rPx,
  @{libexec}/*                                                           rPUx,
  @{libexec}/gnome-shell/gnome-shell-calendar-server                      rPx,
  /{usr/,}bin/                                                              r,
  /{usr/,}bin/[a-z0-9]*                                                  rPUx,
  /{usr/,}lib/@{multiarch}/tumbler-1/tumblerd                            rPUx,
  /{usr/,}lib/@{multiarch}/xfce4/xfconf/xfconfd                          rPUx,
--- a/apparmor.d/groups/bus/dbus-daemon-launch-helper
+++ b/apparmor.d/groups/bus/dbus-daemon-launch-helper
@ -18,11 +18,10 @@ profile dbus-daemon-launch-helper @{exec_path} {
  @{exec_path} mr,
-  /{usr/,}lib/@{multiarch}/cups-pk-helper-mechanism         rPx,
+  @{libexec}/{,cups-pk-helper/}cups-pk-helper-mechanism     rPx,
  /{usr/,}lib/cups-pk-helper-mechanism                      rPx,
  /{usr/,}lib/cups-pk-helper/cups-pk-helper-mechanism       rPx,
  /{usr/,}lib/software-properties/software-properties-dbus  rPx,
  @{libexec}/language-selector/ls-dbus-backend              rPx,
  /{usr/,}lib/@{multiarch}/cups-pk-helper-mechanism         rPx,
  /{usr/,}lib/software-properties/software-properties-dbus  rPx,
  /usr/share/org.gnome.Characters/org.gnome.Characters.BackgroundService rPx,
  /usr/share/usb-creator/usb-creator-helper rPx,
--- a/apparmor.d/groups/children/child-open
+++ b/apparmor.d/groups/children/child-open
@ -42,11 +42,12 @@ profile child-open {
  # Browsers
  /{usr/,}bin/chromium                                                        rPx,
-  /{usr/,}bin/firefox                                                         rPx,
+  /{usr/,}bin/firefox{,-esr}                                                  rPx,
  /{usr/,}lib{,32,64}/firefox{,-esr}/firefox{,-esr}                           rPx,
  /{usr/,}lib/@{multiarch}/opera{,-beta,-developer}/opera{,-beta,-developer}  rPx,
  /{usr/,}lib/chromium/chromium                                               rPx,
  /{usr/,}lib/firefox/firefox                                                 rPx,
  /opt/brave.com/brave{,-beta,-dev}/brave{,-beta,-dev}                        rPx,
  /opt/firefox{,-esr}/firefox{,-esr}                                          rPx,
  /opt/google/chrome{,-beta,-unstable}/chrome{,-beta,-unstable}               rPx,
  # Text editors
--- a/apparmor.d/groups/freedesktop/accounts-daemon
+++ b/apparmor.d/groups/freedesktop/accounts-daemon
@ -7,8 +7,7 @@ abi <abi/3.0>,
 include <tunables/global>
-@{exec_path} =  /{usr/,}lib/accountsservice/accounts-daemon
+@{exec_path} = @{libexec}/{,accountsservice/}accounts-daemon
@{exec_path} += @{libexec}/accounts-daemon
 profile accounts-daemon @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/dbus-strict>
--- a/apparmor.d/groups/freedesktop/at-spi-bus-launcher
+++ b/apparmor.d/groups/freedesktop/at-spi-bus-launcher
@ -7,8 +7,7 @@ abi <abi/3.0>,
 include <tunables/global>
-@{exec_path}  = /{usr/,}lib/at-spi2-core/at-spi-bus-launcher
+@{exec_path} = @{libexec}/{,at-spi2{,-core}/}at-spi-bus-launcher
@{exec_path} += @{libexec}/at-spi-bus-launcher
 profile at-spi-bus-launcher @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/dbus-session>
--- a/apparmor.d/groups/freedesktop/at-spi2-registryd
+++ b/apparmor.d/groups/freedesktop/at-spi2-registryd
@ -7,8 +7,7 @@ abi <abi/3.0>,
 include <tunables/global>
-@{exec_path}  = /{usr/,}lib/at-spi2-core/at-spi2-registryd
+@{exec_path} = @{libexec}/{,at-spi2{,-core}/}at-spi2-registryd
@{exec_path} += @{libexec}/at-spi2-registryd
 profile at-spi2-registryd @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/dbus-session-strict>
--- a/apparmor.d/groups/freedesktop/colord-sane
+++ b/apparmor.d/groups/freedesktop/colord-sane
@ -7,8 +7,7 @@ abi <abi/3.0>,
 include <tunables/global>
-@{exec_path}  = /{usr/,}lib/colord/colord-sane
+@{exec_path} = @{libexec}/{,colord/}colord-sane
@{exec_path} += @{libexec}/colord-sane
 profile colord-sane @{exec_path} flags=(attach_disconnected,complain) {
  include <abstractions/base>
  include <abstractions/dbus-strict>
--- a/apparmor.d/groups/freedesktop/dconf-service
+++ b/apparmor.d/groups/freedesktop/dconf-service
@ -6,7 +6,7 @@ abi <abi/3.0>,
 include <tunables/global>
-@{exec_path} = /{usr/,}lib/dconf/dconf-service @{libexec}/dconf-service
+@{exec_path} =  @{libexec}/{,dconf/}dconf-service
 profile dconf-service @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/dbus-session-strict>
--- a/apparmor.d/groups/freedesktop/polkitd
+++ b/apparmor.d/groups/freedesktop/polkitd
@ -7,8 +7,7 @@ abi <abi/3.0>,
 include <tunables/global>
-@{exec_path} = /{usr/,}lib/polkit-1/polkitd
+@{exec_path} = @{libexec}/{,polkit-1/}polkitd
@{exec_path} += @{libexec}/polkitd
 profile polkitd @{exec_path} {
  include <abstractions/base>
  include <abstractions/dbus-strict>
--- a/apparmor.d/groups/freedesktop/upowerd
+++ b/apparmor.d/groups/freedesktop/upowerd
@ -7,8 +7,7 @@ abi <abi/3.0>,
 include <tunables/global>
-@{exec_path}  = /{usr/,}lib/upower/upowerd
+@{exec_path} = @{libexec}/{,upower/}upowerd
@{exec_path} += @{libexec}/upowerd
 profile upowerd @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/dbus-strict>
--- a/apparmor.d/groups/freedesktop/xorg
+++ b/apparmor.d/groups/freedesktop/xorg
@ -8,7 +8,7 @@ abi <abi/3.0>,
 include <tunables/global>
@{exec_path}  = /{usr/,}bin/X
-@{exec_path} += /{usr/,}bin/Xorg
+@{exec_path} += /{usr/,}bin/Xorg{,.bin}
@{exec_path} += /{usr/,}lib/Xorg{,.wrap}
@{exec_path} += /{usr/,}lib/xorg/Xorg{,.wrap}
 profile xorg @{exec_path} flags=(attach_disconnected) {
--- a/apparmor.d/groups/gnome/evolution-addressbook-factory
+++ b/apparmor.d/groups/gnome/evolution-addressbook-factory
@ -6,7 +6,7 @@ abi <abi/3.0>,
 include <tunables/global>
-@{exec_path} = @{libexec}/evolution-addressbook-factory
+@{exec_path} = @{libexec}/{,evolution-data-server/}evolution-addressbook-factory
 profile evolution-addressbook-factory @{exec_path} {
  include <abstractions/base>
  include <abstractions/dbus-network-manager-strict>
--- a/apparmor.d/groups/gnome/evolution-alarm-notify
+++ b/apparmor.d/groups/gnome/evolution-alarm-notify
@ -6,7 +6,7 @@ abi <abi/3.0>,
 include <tunables/global>
-@{exec_path} = @{libexec}/evolution-data-server/evolution-alarm-notify
+@{exec_path} = @{libexec}/evolution-data-server/{,evolution-data-server/}evolution-alarm-notify
 profile evolution-alarm-notify @{exec_path} {
  include <abstractions/base>
  include <abstractions/dbus-session>
--- a/apparmor.d/groups/gnome/evolution-calendar-factory
+++ b/apparmor.d/groups/gnome/evolution-calendar-factory
@ -6,7 +6,7 @@ abi <abi/3.0>,
 include <tunables/global>
-@{exec_path} = @{libexec}/evolution-calendar-factory
+@{exec_path} = @{libexec}/{,evolution-data-server/}evolution-calendar-factory
 profile evolution-calendar-factory @{exec_path} {
  include <abstractions/base>
  include <abstractions/dbus-network-manager-strict>
--- a/apparmor.d/groups/gnome/evolution-source-registry
+++ b/apparmor.d/groups/gnome/evolution-source-registry
@ -6,7 +6,7 @@ abi <abi/3.0>,
 include <tunables/global>
-@{exec_path} = @{libexec}/evolution-source-registry
+@{exec_path} = @{libexec}/{,evolution-data-server/}evolution-source-registry
 profile evolution-source-registry @{exec_path} {
  include <abstractions/base>
  include <abstractions/dbus-session-strict>
--- a/apparmor.d/groups/gnome/gdm-session-worker
+++ b/apparmor.d/groups/gnome/gdm-session-worker
@ -6,7 +6,7 @@ abi <abi/3.0>,
 include <tunables/global>
-@{exec_path} = @{libexec}/gdm-session-worker
+@{exec_path} = @{libexec}/{,gdm/}gdm-session-worker
 profile gdm-session-worker @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/authentication>
@ -58,9 +58,9 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) {
  @{exec_path} mrix,
  @{libexec}/{,gdm/}gdm-wayland-session   rPx,
  @{libexec}/{,gdm/}gdm-x-session         rPx,
  /{usr/,}bin/gnome-keyring-daemon        rPx,
  @{libexec}/gdm-wayland-session          rPx,
  @{libexec}/gdm-x-session                rPx,
  /etc/gdm{3,}/{Pre,Post}Session/Default  rix,
  /etc/gdm{3,}/PrimeOff/Default           rix,
--- a/apparmor.d/groups/gnome/gdm-wayland-session
+++ b/apparmor.d/groups/gnome/gdm-wayland-session
@ -6,7 +6,7 @@ abi <abi/3.0>,
 include <tunables/global>
-@{exec_path} = @{libexec}/gdm-wayland-session
+@{exec_path} = @{libexec}/{,gdm/}gdm-wayland-session
 profile gdm-wayland-session @{exec_path} {
  include <abstractions/base>
  include <abstractions/bash>
--- a/apparmor.d/groups/gnome/gnome-contacts-search-provider
+++ b/apparmor.d/groups/gnome/gnome-contacts-search-provider
@ -6,7 +6,7 @@ abi <abi/3.0>,
 include <tunables/global>
-@{exec_path} = /{usr/,}lib/gnome-contacts-search-provider
+@{exec_path} = @{libexec}/gnome-contacts-search-provider
 profile gnome-contacts-search-provider @{exec_path} {
  include <abstractions/base>
  include <abstractions/dconf-write>
--- a/apparmor.d/groups/gnome/gnome-session-binary
+++ b/apparmor.d/groups/gnome/gnome-session-binary
@ -147,12 +147,12 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
  @{libexec}/gnome-session-check-accelerated-gl-helper     rix,
  @{libexec}/gnome-session-check-accelerated-gles-helper   rix,
  @{libexec}/gnome-session-failed                          rix,
-  @{libexec}/gnome-shell-overrides-migration.sh            rix,
+  @{libexec}/{,gnome-shell/}gnome-shell-overrides-migration.sh  rix,
  @{libexec}/gsd-*                                         rPx,
  # TODO: rCx gio-launch-desktop and put all the following program in this
  #       subprofile. Not done yet as it breaks compatibility with Ubuntu/Debian
-  /{usr/,}lib/gio-launch-desktop                           rix,
+  @{libexec}/gio-launch-desktop                            rix,
  /{usr/,}bin/aa-notify                                    rPx,
  /{usr/,}bin/baloo_file                                  rPUx,
@ -180,8 +180,8 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
  /{usr/,}lib/xapps/sn-watcher/*                           rPUx,
  /{usr/,}share/libpam-kwallet-common/pam_kwallet_init    rPUx,
  @{libexec}/deja-dup/deja-dup-monitor                     rPUx,
  @{libexec}/evolution-data-server/evolution-alarm-notify  rPx,
  @{libexec}/gsd-disk-utility-notify                       rPx,
  @{libexec}/evolution-data-server/{,evolution-data-server/}evolution-alarm-notify rPx,
  /usr/share/applications/{,**} r,
  /usr/share/dconf/profile/gdm r,
--- a/apparmor.d/groups/gnome/gnome-shell-calendar-server
+++ b/apparmor.d/groups/gnome/gnome-shell-calendar-server
@ -6,7 +6,7 @@ abi <abi/3.0>,
 include <tunables/global>
-@{exec_path} = @{libexec}/gnome-shell-calendar-server
+@{exec_path} = @{libexec}/{,gnome-shell/}gnome-shell-calendar-server
 profile gnome-shell-calendar-server @{exec_path} {
  include <abstractions/base>
  include <abstractions/dbus-session-strict>
--- a/apparmor.d/groups/gvfs/gvfs-afc-volume-monitor
+++ b/apparmor.d/groups/gvfs/gvfs-afc-volume-monitor
@ -1,13 +1,13 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2021 Mikhail Morfikov
 # Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 abi <abi/3.0>,
 include <tunables/global>
-@{exec_path}  = /{usr/,}lib/gvfs/gvfs-afc-volume-monitor
+@{exec_path} = @{libexec}/{,gvfs}/gvfs-afc-volume-monitor
@{exec_path} += @{libexec}/gvfs-afc-volume-monitor
 profile gvfs-afc-volume-monitor @{exec_path} {
  include <abstractions/base>
  include <abstractions/dbus-session-strict>
--- a/apparmor.d/groups/gvfs/gvfs-goa-volume-monitor
+++ b/apparmor.d/groups/gvfs/gvfs-goa-volume-monitor
@ -1,13 +1,13 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2021 Mikhail Morfikov
 # Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 abi <abi/3.0>,
 include <tunables/global>
-@{exec_path}  = /{usr/,}lib/gvfs/gvfs-goa-volume-monitor
+@{exec_path} = @{libexec}/{,gvfs/}gvfs-goa-volume-monitor
@{exec_path} += @{libexec}/gvfs-goa-volume-monitor
 profile gvfs-goa-volume-monitor @{exec_path} {
  include <abstractions/base>
  include <abstractions/dbus-session-strict>
--- a/apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor
+++ b/apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor
@ -1,13 +1,13 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2021 Mikhail Morfikov
 # Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 abi <abi/3.0>,
 include <tunables/global>
-@{exec_path}  = /{usr/,}lib/gvfs/gvfs-gphoto2-volume-monitor
+@{exec_path} = @{libexec}/{,gvfs/}gvfs-gphoto2-volume-monitor
@{exec_path} += @{libexec}/gvfs-gphoto2-volume-monitor
 profile gvfs-gphoto2-volume-monitor @{exec_path} {
  include <abstractions/base>
  include <abstractions/dbus-session-strict>
--- a/apparmor.d/groups/gvfs/gvfs-mtp-volume-monitor
+++ b/apparmor.d/groups/gvfs/gvfs-mtp-volume-monitor
@ -1,13 +1,13 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2021 Mikhail Morfikov
 # Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 abi <abi/3.0>,
 include <tunables/global>
-@{exec_path}  = /{usr/,}lib/gvfs/gvfs-mtp-volume-monitor
+@{exec_path} = @{libexec}/{,gvfs/}gvfs-mtp-volume-monitor
@{exec_path} += @{libexec}/gvfs-mtp-volume-monitor
 profile gvfs-mtp-volume-monitor @{exec_path} {
  include <abstractions/base>
  include <abstractions/dbus-session-strict>
--- a/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor
+++ b/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor
@ -7,8 +7,7 @@ abi <abi/3.0>,
 include <tunables/global>
-@{exec_path}  = /{usr/,}lib/gvfs/gvfs-udisks2-volume-monitor
+@{exec_path} = @{libexec}/{,gvfs/}gvfs-udisks2-volume-monitor
@{exec_path} += @{libexec}/gvfs-udisks2-volume-monitor
 profile gvfs-udisks2-volume-monitor @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/dbus-session-strict>
--- a/apparmor.d/groups/gvfs/gvfsd
+++ b/apparmor.d/groups/gvfs/gvfsd
@ -7,8 +7,7 @@ abi <abi/3.0>,
 include <tunables/global>
-@{exec_path}  = /{usr/,}lib/gvfs/gvfsd
+@{exec_path} = @{libexec}/{,gvfs/}gvfsd
@{exec_path} += @{libexec}/gvfsd
 profile gvfsd @{exec_path} {
  include <abstractions/base>
  include <abstractions/dbus-gtk>
@ -54,8 +53,7 @@ profile gvfsd @{exec_path} {
  @{exec_path} mr,
  /{usr/,}bin/{,ba,da}sh      rix,
-  /{usr/,}lib/gvfs/gvfsd-*  rpx,
+  @{libexec}/{,gvfs/}gvfsd-*  rpx,
  @{libexec}/gvfsd-*        rpx,
  /usr/share/gvfs/{,**} r,
--- a/apparmor.d/groups/gvfs/gvfsd-admin
+++ b/apparmor.d/groups/gvfs/gvfsd-admin
@ -1,13 +1,13 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2021 Mikhail Morfikov
 # Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 abi <abi/3.0>,
 include <tunables/global>
-@{exec_path}  = /{usr/,}lib/gvfs/gvfsd-admin
+@{exec_path} = @{libexec}/{,gvfs/}gvfsd-admin
@{exec_path} += @{libexec}/gvfsd-admin
 profile gvfsd-admin @{exec_path} {
  include <abstractions/base>
--- a/apparmor.d/groups/gvfs/gvfsd-afc
+++ b/apparmor.d/groups/gvfs/gvfsd-afc
@ -1,13 +1,13 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2021 Mikhail Morfikov
 # Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 abi <abi/3.0>,
 include <tunables/global>
-@{exec_path}  = /{usr/,}lib/gvfs/gvfsd-afc
+@{exec_path} = @{libexec}/{,gvfs/}gvfsd-afc
@{exec_path} += @{libexec}/gvfsd-afc
 profile gvfsd-afc @{exec_path} {
  include <abstractions/base>
--- a/apparmor.d/groups/gvfs/gvfsd-afp
+++ b/apparmor.d/groups/gvfs/gvfsd-afp
@ -1,13 +1,13 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2021 Mikhail Morfikov
 # Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 abi <abi/3.0>,
 include <tunables/global>
-@{exec_path}  = /{usr/,}lib/gvfs/gvfsd-afp
+@{exec_path} = @{libexec}/{,gvfs/}gvfsd-afp
@{exec_path} += @{libexec}/gvfsd-afp
 profile gvfsd-afp @{exec_path} {
  include <abstractions/base>
--- a/apparmor.d/groups/gvfs/gvfsd-afp-browse
+++ b/apparmor.d/groups/gvfs/gvfsd-afp-browse
@ -1,13 +1,13 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2021 Mikhail Morfikov
 # Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 abi <abi/3.0>,
 include <tunables/global>
-@{exec_path}  = /{usr/,}lib/gvfs/gvfsd-afp-browse
+@{exec_path} = @{libexec}/{,gvfs/}gvfsd-afp-browse
@{exec_path} += @{libexec}/gvfsd-afp-browse
 profile gvfsd-afp-browse @{exec_path} {
  include <abstractions/base>
--- a/apparmor.d/groups/gvfs/gvfsd-archive
+++ b/apparmor.d/groups/gvfs/gvfsd-archive
@ -1,13 +1,13 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2021 Mikhail Morfikov
 # Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 abi <abi/3.0>,
 include <tunables/global>
-@{exec_path}  = /{usr/,}lib/gvfs/gvfsd-archive
+@{exec_path} = @{libexec}/{,gvfs/}gvfsd-archive
@{exec_path} += @{libexec}/gvfsd-archive
 profile gvfsd-archive @{exec_path} {
  include <abstractions/base>
  include <abstractions/freedesktop.org>
--- a/apparmor.d/groups/gvfs/gvfsd-burn
+++ b/apparmor.d/groups/gvfs/gvfsd-burn
@ -1,13 +1,13 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2021 Mikhail Morfikov
 # Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 abi <abi/3.0>,
 include <tunables/global>
-@{exec_path}  = /{usr/,}lib/gvfs/gvfsd-burn
+@{exec_path} = @{libexec}/{,gvfs/}gvfsd-burn
@{exec_path} += @{libexec}/gvfsd-burn
 profile gvfsd-burn @{exec_path} {
  include <abstractions/base>
--- a/apparmor.d/groups/gvfs/gvfsd-cdda
+++ b/apparmor.d/groups/gvfs/gvfsd-cdda
@ -1,13 +1,13 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2021 Mikhail Morfikov
 # Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 abi <abi/3.0>,
 include <tunables/global>
-@{exec_path}  = /{usr/,}lib/gvfs/gvfsd-cdda
+@{exec_path} = @{libexec}/{,gvfs/}gvfsd-cdda
@{exec_path} += @{libexec}/gvfsd-cdda
 profile gvfsd-cdda @{exec_path} {
  include <abstractions/base>
--- a/apparmor.d/groups/gvfs/gvfsd-computer
+++ b/apparmor.d/groups/gvfs/gvfsd-computer
@ -1,13 +1,13 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2021 Mikhail Morfikov
 # Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 abi <abi/3.0>,
 include <tunables/global>
-@{exec_path}  = /{usr/,}lib/gvfs/gvfsd-computer
+@{exec_path} = @{libexec}/{,gvfs/}gvfsd-computer
@{exec_path} += @{libexec}/gvfsd-computer
 profile gvfsd-computer @{exec_path} {
  include <abstractions/base>
--- a/apparmor.d/groups/gvfs/gvfsd-dav
+++ b/apparmor.d/groups/gvfs/gvfsd-dav
@ -7,8 +7,7 @@ abi <abi/3.0>,
 include <tunables/global>
-@{exec_path}  = /{usr/,}lib/gvfs/gvfsd-dav
+@{exec_path} = @{libexec}/{,gvfs/}gvfsd-dav
@{exec_path} += @{libexec}/gvfsd-dav
 profile gvfsd-dav @{exec_path} {
  include <abstractions/base>
  include <abstractions/dconf-write>
--- a/apparmor.d/groups/gvfs/gvfsd-dnssd
+++ b/apparmor.d/groups/gvfs/gvfsd-dnssd
@ -7,8 +7,7 @@ abi <abi/3.0>,
 include <tunables/global>
-@{exec_path}  = /{usr/,}lib/gvfs/gvfsd-dnssd
+@{exec_path} = @{libexec}/{,gvfs/}gvfsd-dnssd
@{exec_path} += @{libexec}/gvfsd-dnssd
 profile gvfsd-dnssd @{exec_path} {
  include <abstractions/base>
  include <abstractions/dbus-session-strict>
--- a/apparmor.d/groups/gvfs/gvfsd-ftp
+++ b/apparmor.d/groups/gvfs/gvfsd-ftp
@ -7,8 +7,7 @@ abi <abi/3.0>,
 include <tunables/global>
-@{exec_path}  = /{usr/,}lib/gvfs/gvfsd-ftp
+@{exec_path} = @{libexec}/{,gvfs/}gvfsd-ftp
@{exec_path} += @{libexec}/gvfsd-ftp
 profile gvfsd-ftp @{exec_path} {
  include <abstractions/base>
  include <abstractions/dconf-write>
--- a/apparmor.d/groups/gvfs/gvfsd-fuse
+++ b/apparmor.d/groups/gvfs/gvfsd-fuse
@ -7,8 +7,7 @@ abi <abi/3.0>,
 include <tunables/global>
-@{exec_path}  = /{usr/,}lib/gvfs/gvfsd-fuse
+@{exec_path} = @{libexec}/{,gvfs/}gvfsd-fuse
@{exec_path} += @{libexec}/gvfsd-fuse
 profile gvfsd-fuse @{exec_path} {
  include <abstractions/base>
  include <abstractions/dbus-gtk>
--- a/apparmor.d/groups/gvfs/gvfsd-google
+++ b/apparmor.d/groups/gvfs/gvfsd-google
@ -1,13 +1,13 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2021 Mikhail Morfikov
 # Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 abi <abi/3.0>,
 include <tunables/global>
-@{exec_path}  = /{usr/,}lib/gvfs/gvfsd-google
+@{exec_path} = @{libexec}/{,gvfs/}gvfsd-google
@{exec_path} += @{libexec}/gvfsd-google
 profile gvfsd-google @{exec_path} {
  include <abstractions/base>
--- a/apparmor.d/groups/gvfs/gvfsd-gphoto2
+++ b/apparmor.d/groups/gvfs/gvfsd-gphoto2
@ -1,13 +1,13 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2021 Mikhail Morfikov
 # Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 abi <abi/3.0>,
 include <tunables/global>
-@{exec_path}  = /{usr/,}lib/gvfs/gvfsd-gphoto2
+@{exec_path} = @{libexec}/{,gvfs/}gvfsd-gphoto2
@{exec_path} += @{libexec}/gvfsd-gphoto2
 profile gvfsd-gphoto2 @{exec_path} {
  include <abstractions/base>
--- a/apparmor.d/groups/gvfs/gvfsd-http
+++ b/apparmor.d/groups/gvfs/gvfsd-http
@ -7,8 +7,7 @@ abi <abi/3.0>,
 include <tunables/global>
-@{exec_path}  = /{usr/,}lib/gvfs/gvfsd-http
+@{exec_path} = @{libexec}/{,gvfs/}gvfsd-http
@{exec_path} += @{libexec}/gvfsd-http
 profile gvfsd-http @{exec_path} {
  include <abstractions/base>
  include <abstractions/dconf-write>
--- a/apparmor.d/groups/gvfs/gvfsd-localtest
+++ b/apparmor.d/groups/gvfs/gvfsd-localtest
@ -1,13 +1,13 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2021 Mikhail Morfikov
 # Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 abi <abi/3.0>,
 include <tunables/global>
-@{exec_path}  = /{usr/,}lib/gvfs/gvfsd-localtest
+@{exec_path} = @{libexec}/{,gvfs/}gvfsd-localtest
@{exec_path} += @{libexec}/gvfsd-localtest
 profile gvfsd-localtest @{exec_path} {
  include <abstractions/base>
--- a/apparmor.d/groups/gvfs/gvfsd-metadata
+++ b/apparmor.d/groups/gvfs/gvfsd-metadata
@ -7,8 +7,7 @@ abi <abi/3.0>,
 include <tunables/global>
-@{exec_path}  = /{usr/,}lib/gvfs/gvfsd-metadata
+@{exec_path} = @{libexec}/{,gvfs/}gvfsd-metadata
@{exec_path} += @{libexec}/gvfsd-metadata
 profile gvfsd-metadata @{exec_path} {
  include <abstractions/base>
  include <abstractions/dbus-gtk>
--- a/apparmor.d/groups/gvfs/gvfsd-mtp
+++ b/apparmor.d/groups/gvfs/gvfsd-mtp
@ -7,8 +7,7 @@ abi <abi/3.0>,
 include <tunables/global>
-@{exec_path}  = /{usr/,}lib/gvfs/gvfsd-mtp
+@{exec_path} = @{libexec}/{,gvfs/}gvfsd-mtp
@{exec_path} += @{libexec}/gvfsd-mtp
 profile gvfsd-mtp @{exec_path} {
  include <abstractions/base>
  include <abstractions/dconf-write>
--- a/apparmor.d/groups/gvfs/gvfsd-network
+++ b/apparmor.d/groups/gvfs/gvfsd-network
@ -7,8 +7,7 @@ abi <abi/3.0>,
 include <tunables/global>
-@{exec_path}  = /{usr/,}lib/gvfs/gvfsd-network
+@{exec_path} = @{libexec}/{,gvfs/}gvfsd-network
@{exec_path} += @{libexec}/gvfsd-network
 profile gvfsd-network @{exec_path} {
  include <abstractions/base>
  include <abstractions/dbus-session-strict>
--- a/apparmor.d/groups/gvfs/gvfsd-nfs
+++ b/apparmor.d/groups/gvfs/gvfsd-nfs
@ -1,13 +1,13 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2021 Mikhail Morfikov
 # Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 abi <abi/3.0>,
 include <tunables/global>
-@{exec_path}  = /{usr/,}lib/gvfs/gvfsd-nfs
+@{exec_path} = @{libexec}/{,gvfs/}gvfsd-nfs
@{exec_path} += @{libexec}/gvfsd-nfs
 profile gvfsd-nfs @{exec_path} {
  include <abstractions/base>
  include <abstractions/nameservice-strict>
--- a/apparmor.d/groups/gvfs/gvfsd-recent
+++ b/apparmor.d/groups/gvfs/gvfsd-recent
@ -1,14 +1,13 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2021 Mikhail Morfikov
-#               2021 Alexandre Pujol <alexandre@pujol.io>
+# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 abi <abi/3.0>,
 include <tunables/global>
-@{exec_path}  = /{usr/,}lib/gvfs/gvfsd-recent
+@{exec_path} = @{libexec}/{,gvfs/}gvfsd-recent
@{exec_path} += @{libexec}/gvfsd-recent
 profile gvfsd-recent @{exec_path} {
  include <abstractions/base>
  include <abstractions/nameservice-strict>
--- a/apparmor.d/groups/gvfs/gvfsd-sftp
+++ b/apparmor.d/groups/gvfs/gvfsd-sftp
@ -7,8 +7,7 @@ abi <abi/3.0>,
 include <tunables/global>
-@{exec_path}  = /{usr/,}lib/gvfs/gvfsd-sftp
+@{exec_path} = @{libexec}/{,gvfs/}gvfsd-sftp
@{exec_path} += @{libexec}/gvfsd-sftp
 profile gvfsd-sftp @{exec_path} {
  include <abstractions/base>
  include <abstractions/consoles>
--- a/apparmor.d/groups/gvfs/gvfsd-smb
+++ b/apparmor.d/groups/gvfs/gvfsd-smb
@ -7,8 +7,7 @@ abi <abi/3.0>,
 include <tunables/global>
-@{exec_path}  = /{usr/,}lib/gvfs/gvfsd-smb
+@{exec_path} = @{libexec}/{,gvfs/}gvfsd-smb
@{exec_path} += @{libexec}/gvfsd-smb
 profile gvfsd-smb @{exec_path} {
  include <abstractions/base>
  include <abstractions/dconf-write>
--- a/apparmor.d/groups/gvfs/gvfsd-smb-browse
+++ b/apparmor.d/groups/gvfs/gvfsd-smb-browse
@ -7,8 +7,7 @@ abi <abi/3.0>,
 include <tunables/global>
-@{exec_path}  = /{usr/,}lib/gvfs/gvfsd-smb-browse
+@{exec_path} = @{libexec}/{,gvfs/}gvfsd-smb-browse
@{exec_path} += @{libexec}/gvfsd-smb-browse
 profile gvfsd-smb-browse @{exec_path} {
  include <abstractions/base>
  include <abstractions/dbus-session-strict>
--- a/apparmor.d/groups/gvfs/gvfsd-trash
+++ b/apparmor.d/groups/gvfs/gvfsd-trash
@ -7,8 +7,7 @@ abi <abi/3.0>,
 include <tunables/global>
-@{exec_path}  = /{usr/,}lib/gvfs/gvfsd-trash
+@{exec_path} = @{libexec}/{,gvfs/}gvfsd-trash
@{exec_path} += @{libexec}/gvfsd-trash
 profile gvfsd-trash @{exec_path} {
  include <abstractions/base>
  include <abstractions/dbus-gtk>
--- a/apparmor.d/groups/network/NetworkManager
+++ b/apparmor.d/groups/network/NetworkManager
@ -92,13 +92,14 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) {
  /{usr/,}bin/dnsmasq                            rPx,
  /{usr/,}bin/resolvconf                         rPx,
  /{usr/,}bin/systemctl                          rPx -> child-systemctl,
-  /{usr/,}lib/nm-dhcp-helper                     rPx,
+  @{libexec}/nm-dhcp-helper                      rPx,
-  /{usr/,}lib/nm-dispatcher                      rPx,
+  @{libexec}/nm-dispatcher                       rPx,
-  /{usr/,}lib/nm-iface-helper                    rPx,
+  @{libexec}/nm-iface-helper                     rPx,
-  /{usr/,}lib/nm-initrd-generator                rPx,
+  @{libexec}/nm-initrd-generator                 rPx,
-  /{usr/,}lib/nm-openvpn-auth-dialog             rPx,
+  @{libexec}/nm-openvpn-auth-dialog              rPx,
-  /{usr/,}lib/nm-openvpn-service                 rPx,
+  @{libexec}/nm-openvpn-service                  rPx,
-  /{usr/,}lib/nm-openvpn-service-openvpn-helper  rPx,
+  @{libexec}/nm-openvpn-service-openvpn-helper   rPx,
  @{libexec}/nm-daemon-helper                    rPx,
  /usr/share/gvfs/remote-volume-monitors/{,*.monitor} r,
--- a/apparmor.d/groups/network/nm-dhcp-helper
+++ b/apparmor.d/groups/network/nm-dhcp-helper
@ -6,7 +6,7 @@ abi <abi/3.0>,
 include <tunables/global>
-@{exec_path} = /{usr/,}lib/nm-dhcp-helper
+@{exec_path} = @{libexec}/nm-dhcp-helper
 profile nm-dhcp-helper @{exec_path} {
  include <abstractions/base>
  include <abstractions/dbus>
--- a/apparmor.d/groups/network/nm-dispatcher
+++ b/apparmor.d/groups/network/nm-dispatcher
@ -6,8 +6,7 @@ abi <abi/3.0>,
 include <tunables/global>
-@{exec_path} = /{usr/,}lib/nm-dispatcher
+@{exec_path} = @{libexec}/{,NetworkManager/}nm-dispatcher
@{exec_path} += /{usr/,}lib/NetworkManager/nm-dispatcher
 profile nm-dispatcher @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/dbus-strict>
--- a/apparmor.d/groups/network/nm-iface-helper
+++ b/apparmor.d/groups/network/nm-iface-helper
@ -6,7 +6,7 @@ abi <abi/3.0>,
 include <tunables/global>
-@{exec_path} = /{usr/,}lib/nm-iface-helper
+@{exec_path} = @{libexec}/nm-iface-helper
 profile nm-iface-helper @{exec_path} {
  include <abstractions/base>
--- a/apparmor.d/groups/network/nm-initrd-generator
+++ b/apparmor.d/groups/network/nm-initrd-generator
@ -6,7 +6,7 @@ abi <abi/3.0>,
 include <tunables/global>
-@{exec_path} = /{usr/,}lib/nm-initrd-generator
+@{exec_path} = @{libexec}/nm-initrd-generator
 profile nm-initrd-generator @{exec_path} {
  include <abstractions/base>
--- a/apparmor.d/groups/network/nm-openvpn-auth-dialog
+++ b/apparmor.d/groups/network/nm-openvpn-auth-dialog
@ -6,7 +6,7 @@ abi <abi/3.0>,
 include <tunables/global>
-@{exec_path} = /{usr/,}lib/nm-openvpn-auth-dialog
+@{exec_path} = @{libexec}/nm-openvpn-auth-dialog
 profile nm-openvpn-auth-dialog @{exec_path} {
  include <abstractions/base>
--- a/apparmor.d/groups/network/nm-openvpn-service
+++ b/apparmor.d/groups/network/nm-openvpn-service
@ -6,7 +6,7 @@ abi <abi/3.0>,
 include <tunables/global>
-@{exec_path} = /{usr/,}lib/nm-openvpn-service
+@{exec_path} = @{libexec}/nm-openvpn-service
 profile nm-openvpn-service @{exec_path} {
  include <abstractions/base>
  include <abstractions/nameservice-strict>
@ -18,10 +18,10 @@ profile nm-openvpn-service @{exec_path} {
  @{exec_path} mr,
-  /{usr/,}bin/{,ba,da}sh rix,
+  @{libexec}/nm-openvpn-auth-dialog rPx,
  @{libexec}/nm-openvpn-service-openvpn-helper rPx,
  /{usr/,}{s,}bin/openvpn rPx,
-  /{usr/,}lib/nm-openvpn-auth-dialog rPx,
+  /{usr/,}bin/{,ba,da}sh rix,
  /{usr/,}lib/nm-openvpn-service-openvpn-helper rPx,
  /{usr/,}bin/kmod rPx,
  @{run}/NetworkManager/nm-openvpn-@{uuid} rw,
--- a/apparmor.d/groups/network/nm-openvpn-service-openvpn-helper
+++ b/apparmor.d/groups/network/nm-openvpn-service-openvpn-helper
@ -6,7 +6,7 @@ abi <abi/3.0>,
 include <tunables/global>
-@{exec_path} = /{usr/,}lib/nm-openvpn-service-openvpn-helper
+@{exec_path} = @{libexec}/nm-openvpn-service-openvpn-helper
 profile nm-openvpn-service-openvpn-helper @{exec_path} {
  include <abstractions/base>
--- a/apparmor.d/profiles-a-f/bluetoothd
+++ b/apparmor.d/profiles-a-f/bluetoothd
@ -7,8 +7,7 @@ abi <abi/3.0>,
 include <tunables/global>
-@{exec_path}  = /{usr/,}lib/bluetooth/bluetoothd
+@{exec_path} = @{libexec}/bluetooth/bluetoothd
@{exec_path} += @{libexec}/bluetooth/bluetoothd
 profile bluetoothd @{exec_path} {
  include <abstractions/base>
--- a/apparmor.d/profiles-a-f/cups-pk-helper-mechanism
+++ b/apparmor.d/profiles-a-f/cups-pk-helper-mechanism
@ -6,8 +6,7 @@ abi <abi/3.0>,
 include <tunables/global>
-@{exec_path} = /{usr/,}lib/cups-pk-helper-mechanism
+@{exec_path} = @{libexec}/{,cups-pk-helper/}cups-pk-helper-mechanism
@{exec_path} += /{usr/,}lib/cups-pk-helper/cups-pk-helper-mechanism
@{exec_path} += /{usr/,}lib/@{multiarch}/cups-pk-helper-mechanism
 profile cups-pk-helper-mechanism @{exec_path} {
  include <abstractions/base>
--- a/apparmor.d/profiles-a-f/evince
+++ b/apparmor.d/profiles-a-f/evince
@ -6,7 +6,7 @@ abi <abi/3.0>,
 include <tunables/global>
-@{exec_path} = /{usr/,}bin/evince /{usr/,}lib/evinced
+@{exec_path} = /{usr/,}bin/evince @{libexec}/evinced
 profile evince @{exec_path} {
  include <abstractions/base>
  include <abstractions/dconf-write>
--- a/apparmor.d/profiles-a-f/fwupd
+++ b/apparmor.d/profiles-a-f/fwupd
@ -7,7 +7,7 @@ abi <abi/3.0>,
 include <tunables/global>
-@{exec_path} = /{usr/,}bin/fwupd @{libexec}/fwupd/fwupd
+@{exec_path} = @{libexec}/{,fwupd/}fwupd
 profile fwupd @{exec_path} flags=(complain,attach_disconnected) {
  include <abstractions/base>
  include <abstractions/consoles>
--- a/apparmor.d/profiles-g-l/gparted
+++ b/apparmor.d/profiles-g-l/gparted
@ -30,8 +30,7 @@ profile gparted @{exec_path} {
  @{libexec}/gparted/gpartedbin  rPx,
  @{libexec}/gpartedbin          rPx,
-  /{usr/,}lib/udisks2/udisks2-inhibit  rix,
+  @{libexec}/{,udisks2/}udisks2-inhibit  rix,
  @{libexec}/udisks2/udisks2-inhibit rix,
  @{run}/udev/rules.d/ rw,
  @{run}/udev/rules.d/90-udisks-inhibit.rules rw,
--- a/apparmor.d/profiles-g-l/lightdm
+++ b/apparmor.d/profiles-g-l/lightdm
@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2017-2021 Mikhail Morfikov
 # Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 abi <abi/3.0>,
@ -115,8 +116,7 @@ profile lightdm @{exec_path} {
  owner @{HOME}/.dmrc* rw,
  /var/cache/lightdm/dmrc/*.dmrc* rw,
-  /{usr/,}lib/at-spi2-core/at-spi-bus-launcher rPUx,
+  @{libexec}/{,at-spi2{,-core}/}at-spi-bus-launcher rPx,
  @{libexec}/at-spi-bus-launcher             rPUx,
  include if exists <local/lightdm>
 }
--- a/apparmor.d/profiles-g-l/lightdm-gtk-greeter
+++ b/apparmor.d/profiles-g-l/lightdm-gtk-greeter
@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2017-2021 Mikhail Morfikov
 # Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 abi <abi/3.0>,
@ -50,9 +51,7 @@ profile lightdm-gtk-greeter @{exec_path} {
  @{HOME}/.dmrc r,
  @{HOME}/.face r,
-  /{usr/,}lib/at-spi2-core/at-spi-bus-launcher rPUx,
+  @{libexec}/{,at-spi2{,-core}/}at-spi-bus-launcher rPx,
  @{libexec}/at-spi-bus-launcher       rPUx,
  profile systemd {
    include <abstractions/base>
--- a/apparmor.d/profiles-m-r/mission-control
+++ b/apparmor.d/profiles-m-r/mission-control
@ -6,8 +6,8 @@ abi <abi/3.0>,
 include <tunables/global>
-@{exec_path} = /{usr/,}lib/telepathy/mission-control-5
+@{exec_path} = @{libexec}/{,telepathy/}mission-control-5
-profile mission-control @{exec_path} {
+profile mission-control @{exec_path} flags=(attach_disconnected)  {
  include <abstractions/base>
  include <abstractions/dconf-write>
--- a/apparmor.d/profiles-m-r/rtkit-daemon
+++ b/apparmor.d/profiles-m-r/rtkit-daemon
@ -8,7 +8,7 @@ abi <abi/3.0>,
 include <tunables/global>
-@{exec_path} = @{libexec}/rtkit-daemon
+@{exec_path} = @{libexec}/{,rtkit/}rtkit-daemon
 profile rtkit-daemon @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/dbus-strict>
--- a/apparmor.d/profiles-s-z/udisksd
+++ b/apparmor.d/profiles-s-z/udisksd
@ -7,8 +7,7 @@ abi <abi/3.0>,
 include <tunables/global>
-@{exec_path}  = /{usr/,}lib/udisks2/udisksd
+@{exec_path} = @{libexec}/{,udisks2/}udisksd
@{exec_path} += @{libexec}/udisks2/udisksd
 profile udisksd @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/dbus-strict>