From 7c2c806ffaece99b4777b110becc8f9627ef9655 Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol Date: Sun, 9 Jul 2023 14:46:56 +0100 Subject: [PATCH] refactor(profiles): use @{bin} and @{lib} in profiles (6) --- apparmor.d/profiles-m-r/macchanger | 2 +- apparmor.d/profiles-m-r/man | 76 ++++++------- apparmor.d/profiles-m-r/mandb | 2 +- apparmor.d/profiles-m-r/mdevctl | 2 +- apparmor.d/profiles-m-r/mediainfo | 2 +- apparmor.d/profiles-m-r/mediainfo-gui | 16 +-- apparmor.d/profiles-m-r/megasync | 32 +++--- apparmor.d/profiles-m-r/memtester | 2 +- apparmor.d/profiles-m-r/merkaartor | 2 +- apparmor.d/profiles-m-r/mimetype | 2 +- apparmor.d/profiles-m-r/minitube | 38 +++---- apparmor.d/profiles-m-r/mission-control | 2 +- apparmor.d/profiles-m-r/mke2fs | 6 +- apparmor.d/profiles-m-r/mkfs-btrfs | 2 +- apparmor.d/profiles-m-r/mkfs-fat | 2 +- apparmor.d/profiles-m-r/mkinitramfs | 102 +++++++++--------- apparmor.d/profiles-m-r/mkntfs | 2 +- apparmor.d/profiles-m-r/mkswap | 2 +- apparmor.d/profiles-m-r/mkvmerge | 2 +- apparmor.d/profiles-m-r/mkvtoolnix-gui | 6 +- apparmor.d/profiles-m-r/mlocate | 2 +- apparmor.d/profiles-m-r/modprobed-db | 30 +++--- apparmor.d/profiles-m-r/molly-guard | 16 +-- apparmor.d/profiles-m-r/monitorix | 30 +++--- apparmor.d/profiles-m-r/mono-sgen | 6 +- apparmor.d/profiles-m-r/mount | 10 +- apparmor.d/profiles-m-r/mount-cifs | 4 +- apparmor.d/profiles-m-r/mount-nfs | 8 +- apparmor.d/profiles-m-r/mount-zfs | 2 +- apparmor.d/profiles-m-r/mpsyt | 18 ++-- apparmor.d/profiles-m-r/mpv | 28 ++--- apparmor.d/profiles-m-r/mtools | 2 +- apparmor.d/profiles-m-r/mtr | 4 +- apparmor.d/profiles-m-r/mtr-packet | 2 +- apparmor.d/profiles-m-r/mumble | 20 ++-- apparmor.d/profiles-m-r/mumble-overlay | 10 +- apparmor.d/profiles-m-r/needrestart | 34 +++--- .../profiles-m-r/needrestart-apt-pinvoke | 10 +- .../profiles-m-r/needrestart-dpkg-status | 8 +- .../needrestart-iucode-scan-versions | 12 +-- apparmor.d/profiles-m-r/nemo | 6 +- apparmor.d/profiles-m-r/netcap | 2 +- apparmor.d/profiles-m-r/nethogs | 2 +- apparmor.d/profiles-m-r/netstat | 2 
+- apparmor.d/profiles-m-r/newgidmap | 2 +- apparmor.d/profiles-m-r/newgrp | 6 +- apparmor.d/profiles-m-r/newuidmap | 2 +- apparmor.d/profiles-m-r/nfsdcld | 16 +++ apparmor.d/profiles-m-r/nft | 2 +- apparmor.d/profiles-m-r/nmap | 2 +- apparmor.d/profiles-m-r/nologin | 2 +- apparmor.d/profiles-m-r/ntfs-3g | 6 +- apparmor.d/profiles-m-r/ntfs-3g-probe | 2 +- apparmor.d/profiles-m-r/ntfscat | 2 +- apparmor.d/profiles-m-r/ntfsclone | 2 +- apparmor.d/profiles-m-r/ntfscluster | 2 +- apparmor.d/profiles-m-r/ntfscmp | 2 +- apparmor.d/profiles-m-r/ntfscp | 2 +- apparmor.d/profiles-m-r/ntfsdecrypt | 2 +- apparmor.d/profiles-m-r/ntfsfallocate | 2 +- apparmor.d/profiles-m-r/ntfsfix | 2 +- apparmor.d/profiles-m-r/ntfsinfo | 2 +- apparmor.d/profiles-m-r/ntfslabel | 2 +- apparmor.d/profiles-m-r/ntfsls | 2 +- apparmor.d/profiles-m-r/ntfsmove | 2 +- apparmor.d/profiles-m-r/ntfsrecover | 2 +- apparmor.d/profiles-m-r/ntfsresize | 2 +- apparmor.d/profiles-m-r/ntfssecaudit | 2 +- apparmor.d/profiles-m-r/ntfstruncate | 2 +- apparmor.d/profiles-m-r/ntfsundelete | 2 +- apparmor.d/profiles-m-r/ntfsusermap | 2 +- apparmor.d/profiles-m-r/ntfswipe | 2 +- apparmor.d/profiles-m-r/nullmailer-send | 4 +- apparmor.d/profiles-m-r/numlockx | 2 +- apparmor.d/profiles-m-r/nvidia-settings | 25 +++++ apparmor.d/profiles-m-r/nvtop | 2 +- apparmor.d/profiles-m-r/obamenu | 6 +- apparmor.d/profiles-m-r/obconf | 2 +- apparmor.d/profiles-m-r/obex-folder-listing | 2 +- apparmor.d/profiles-m-r/obexautofs | 6 +- apparmor.d/profiles-m-r/obexctl | 2 +- apparmor.d/profiles-m-r/obexd | 2 +- apparmor.d/profiles-m-r/obexfs | 6 +- apparmor.d/profiles-m-r/obexpush-atd | 2 +- apparmor.d/profiles-m-r/obexpushd | 2 +- apparmor.d/profiles-m-r/obxprop | 2 +- apparmor.d/profiles-m-r/on-ac-power | 8 +- apparmor.d/profiles-m-r/onefetch | 4 +- apparmor.d/profiles-m-r/openbox | 32 +++--- apparmor.d/profiles-m-r/openbox-session | 8 +- apparmor.d/profiles-m-r/orage | 24 ++--- apparmor.d/profiles-m-r/os-prober | 54 +++++----- 
apparmor.d/profiles-m-r/packagekitd | 60 +++++------ apparmor.d/profiles-m-r/pacmd | 2 +- apparmor.d/profiles-m-r/pactl | 2 +- apparmor.d/profiles-m-r/pagesize | 2 +- apparmor.d/profiles-m-r/pam-auth-update | 22 ++-- apparmor.d/profiles-m-r/pam/mappings | 12 +-- apparmor.d/profiles-m-r/pam_roles | 4 +- apparmor.d/profiles-m-r/parted | 10 +- apparmor.d/profiles-m-r/partprobe | 10 +- apparmor.d/profiles-m-r/pass | 94 ++++++++-------- apparmor.d/profiles-m-r/pass-import | 18 ++-- apparmor.d/profiles-m-r/passwd | 2 +- apparmor.d/profiles-m-r/pavucontrol | 2 +- apparmor.d/profiles-m-r/pcb-gtk | 8 +- apparmor.d/profiles-m-r/pcscd | 2 +- apparmor.d/profiles-m-r/picom | 10 +- apparmor.d/profiles-m-r/pidof | 2 +- apparmor.d/profiles-m-r/pinentry | 6 +- apparmor.d/profiles-m-r/pinentry-curses | 4 +- apparmor.d/profiles-m-r/pinentry-gnome3 | 2 +- apparmor.d/profiles-m-r/pinentry-gtk-2 | 2 +- apparmor.d/profiles-m-r/pinentry-kwallet | 20 ++-- apparmor.d/profiles-m-r/pinentry-qt | 2 +- apparmor.d/profiles-m-r/pkcs11-register | 2 +- apparmor.d/profiles-m-r/pkexec | 15 ++- apparmor.d/profiles-m-r/pkttyagent | 6 +- apparmor.d/profiles-m-r/plocate | 2 +- apparmor.d/profiles-m-r/plocate-build | 2 +- apparmor.d/profiles-m-r/polipo | 2 +- apparmor.d/profiles-m-r/popcon-largest-unused | 16 +-- apparmor.d/profiles-m-r/popularity-contest | 14 +-- apparmor.d/profiles-m-r/power-profiles-daemon | 2 +- apparmor.d/profiles-m-r/ps | 2 +- apparmor.d/profiles-m-r/ps-mem | 6 +- apparmor.d/profiles-m-r/pscap | 2 +- apparmor.d/profiles-m-r/psi | 30 +++--- apparmor.d/profiles-m-r/psi-plus | 30 +++--- apparmor.d/profiles-m-r/pulseeffects | 2 +- apparmor.d/profiles-m-r/pwck | 4 +- apparmor.d/profiles-m-r/qbittorrent | 60 +++++------ apparmor.d/profiles-m-r/qbittorrent-nox | 2 +- apparmor.d/profiles-m-r/qemu-ga | 4 +- apparmor.d/profiles-m-r/qnapi | 24 ++--- apparmor.d/profiles-m-r/qpdfview | 12 +-- apparmor.d/profiles-m-r/qt5ct | 2 +- apparmor.d/profiles-m-r/qtchooser | 6 +- 
apparmor.d/profiles-m-r/qtox | 18 ++-- apparmor.d/profiles-m-r/quiterss | 18 ++-- apparmor.d/profiles-m-r/rdmsr | 2 +- apparmor.d/profiles-m-r/redshift | 2 +- apparmor.d/profiles-m-r/repo | 28 ++--- apparmor.d/profiles-m-r/reprepro | 14 +-- apparmor.d/profiles-m-r/resize2fs | 2 +- apparmor.d/profiles-m-r/resolvconf | 22 ++-- apparmor.d/profiles-m-r/rfkill | 2 +- apparmor.d/profiles-m-r/rngd | 2 +- apparmor.d/profiles-m-r/rpi-imager | 4 +- apparmor.d/profiles-m-r/rredtool | 2 +- apparmor.d/profiles-m-r/rsyslogd | 4 +- apparmor.d/profiles-m-r/rtkit-daemon | 2 +- apparmor.d/profiles-m-r/rtkitctl | 2 +- apparmor.d/profiles-m-r/run-parts | 97 +++++++++-------- apparmor.d/profiles-m-r/runuser | 6 +- apparmor.d/profiles-m-r/rustdesk | 4 +- 156 files changed, 828 insertions(+), 791 deletions(-) create mode 100644 apparmor.d/profiles-m-r/nfsdcld create mode 100644 apparmor.d/profiles-m-r/nvidia-settings diff --git a/apparmor.d/profiles-m-r/macchanger b/apparmor.d/profiles-m-r/macchanger index f4e6b133..b6feb9a1 100644 --- a/apparmor.d/profiles-m-r/macchanger +++ b/apparmor.d/profiles-m-r/macchanger @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/macchanger +@{exec_path} = @{bin}/macchanger profile macchanger @{exec_path} { include diff --git a/apparmor.d/profiles-m-r/man b/apparmor.d/profiles-m-r/man index 7cfce7c5..9777fdde 100644 --- a/apparmor.d/profiles-m-r/man +++ b/apparmor.d/profiles-m-r/man @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/man +@{exec_path} = @{bin}/man profile man @{exec_path} { include include 
@@ -19,30 +19,30 @@ profile man @{exec_path} { # Use a special profile when man calls anything groff-related. We only include # the programs that actually parse input data in a non-trivial way, not # wrappers such as groff and nroff, since they would need a broader profile. - /{usr/,}bin/eqn rCx -> man_groff, - /{usr/,}bin/grap rCx -> man_groff, - /{usr/,}bin/pic rCx -> man_groff, - /{usr/,}bin/preconv rCx -> man_groff, - /{usr/,}bin/refer rCx -> man_groff, - /{usr/,}bin/tbl rCx -> man_groff, - /{usr/,}bin/troff rCx -> man_groff, - /{usr/,}bin/vgrind rCx -> man_groff, + @{bin}/eqn rCx -> man_groff, + @{bin}/grap rCx -> man_groff, + @{bin}/pic rCx -> man_groff, + @{bin}/preconv rCx -> man_groff, + @{bin}/refer rCx -> man_groff, + @{bin}/tbl rCx -> man_groff, + @{bin}/troff rCx -> man_groff, + @{bin}/vgrind rCx -> man_groff, # Use a special profile when man calls decompressors and other simple filters. - /{usr/,}bin/bzip2 rCx -> man_filter, - /{usr/,}bin/gzip rCx -> man_filter, - /{usr/,}bin/col rCx -> man_filter, - /{usr/,}bin/compress rCx -> man_filter, - /{usr/,}bin/iconv rCx -> man_filter, - /{usr/,}bin/lzip.lzip rCx -> man_filter, - /{usr/,}bin/tr rCx -> man_filter, - /{usr/,}bin/xz rCx -> man_filter, + @{bin}/bzip2 rCx -> man_filter, + @{bin}/gzip rCx -> man_filter, + @{bin}/col rCx -> man_filter, + @{bin}/compress rCx -> man_filter, + @{bin}/iconv rCx -> man_filter, + @{bin}/lzip.lzip rCx -> man_filter, + @{bin}/tr rCx -> man_filter, + @{bin}/xz rCx -> man_filter, - /{usr/,}bin/pager rPx -> child-pager, - /{usr/,}bin/less rPx -> child-pager, - /{usr/,}bin/more rPx -> child-pager, + @{bin}/pager rPx -> child-pager, + @{bin}/less rPx -> child-pager, + @{bin}/more rPx -> child-pager, - /{usr/,}bin/locale rix, + @{bin}/locale rix, /usr/share/groff/{,**} r, 
@@ -64,16 +64,16 @@ profile man_groff { signal peer=man, - /{usr/,}bin/eqn mr, - /{usr/,}bin/grap mr, - /{usr/,}bin/pic mr, - /{usr/,}bin/preconv mr, - /{usr/,}bin/refer mr, - /{usr/,}bin/tbl mr, - /{usr/,}bin/troff mr, - /{usr/,}bin/vgrind mr, + @{bin}/eqn mr, + @{bin}/grap mr, + @{bin}/pic mr, + @{bin}/preconv mr, + @{bin}/refer mr, + @{bin}/tbl mr, + @{bin}/troff mr, + @{bin}/vgrind mr, - /{usr/,}lib/groff/site-tmac/** r, + @{lib}/groff/site-tmac/** r, /usr/share/groff/** r, /etc/groff/** r, @@ -91,14 +91,14 @@ profile man_filter { signal peer=man, - /{usr/,}bin/bzip2 mr, - /{usr/,}bin/gzip mr, - /{usr/,}bin/col mr, - /{usr/,}bin/compress mr, - /{usr/,}bin/iconv mr, - /{usr/,}bin/lzip.lzip mr, - /{usr/,}bin/tr mr, - /{usr/,}bin/xz mr, + @{bin}/bzip2 mr, + @{bin}/gzip mr, + @{bin}/col mr, + @{bin}/compress mr, + @{bin}/iconv mr, + @{bin}/lzip.lzip mr, + @{bin}/tr mr, + @{bin}/xz mr, # Manual pages can be more or less anywhere, especially with "man -l", and # there's no harm in allowing wide read access here since the worst it can diff --git a/apparmor.d/profiles-m-r/mandb b/apparmor.d/profiles-m-r/mandb index 25a26502..81fa7816 100644 --- a/apparmor.d/profiles-m-r/mandb +++ b/apparmor.d/profiles-m-r/mandb @@ -7,7 +7,7 @@ abi , include -@{exec_path} = /{usr/,}bin/mandb +@{exec_path} = @{bin}/mandb profile mandb @{exec_path} flags=(complain) { include include diff --git a/apparmor.d/profiles-m-r/mdevctl b/apparmor.d/profiles-m-r/mdevctl index e0e87a50..4f8bac9a 100644 --- a/apparmor.d/profiles-m-r/mdevctl +++ b/apparmor.d/profiles-m-r/mdevctl @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/mdevctl +@{exec_path} = @{bin}/mdevctl profile mdevctl @{exec_path} { include diff --git a/apparmor.d/profiles-m-r/mediainfo b/apparmor.d/profiles-m-r/mediainfo index 1411739f..ce83ed63 100644 --- a/apparmor.d/profiles-m-r/mediainfo +++ b/apparmor.d/profiles-m-r/mediainfo 
@@ -7,7 +7,7 @@ abi , include -@{exec_path} = /{usr/,}bin/mediainfo +@{exec_path} = @{bin}/mediainfo profile mediainfo @{exec_path} { include include diff --git a/apparmor.d/profiles-m-r/mediainfo-gui b/apparmor.d/profiles-m-r/mediainfo-gui index 57985eb8..e3699e5d 100644 --- a/apparmor.d/profiles-m-r/mediainfo-gui +++ b/apparmor.d/profiles-m-r/mediainfo-gui @@ -7,7 +7,7 @@ abi , include -@{exec_path} = /{usr/,}bin/mediainfo-gui +@{exec_path} = @{bin}/mediainfo-gui profile mediainfo-gui @{exec_path} { include include @@ -19,7 +19,7 @@ profile mediainfo-gui @{exec_path} { @{exec_path} mr, - /{usr/,}bin/xdg-open rCx -> open, + @{bin}/xdg-open rCx -> open, owner @{user_music_dirs}/** r, owner @{user_videos_dirs}/** r, @@ -28,14 +28,14 @@ profile mediainfo-gui @{exec_path} { include include - /{usr/,}bin/xdg-open mr, + @{bin}/xdg-open mr, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/{m,g,}awk rix, - /{usr/,}bin/readlink rix, - /{usr/,}bin/basename rix, + @{bin}/{,ba,da}sh rix, + @{bin}/{m,g,}awk rix, + @{bin}/readlink rix, + @{bin}/basename rix, - /{usr/,}lib/firefox/firefox rPx, + @{lib}/firefox/firefox rPx, owner @{HOME}/ r, owner @{run}/user/@{uid}/ r, diff --git a/apparmor.d/profiles-m-r/megasync b/apparmor.d/profiles-m-r/megasync index 2e4eef9d..f946bddc 100644 --- a/apparmor.d/profiles-m-r/megasync +++ b/apparmor.d/profiles-m-r/megasync @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/megasync +@{exec_path} = @{bin}/megasync profile megasync @{exec_path} { include include @@ -32,14 +32,14 @@ profile megasync @{exec_path} { @{exec_path} mrix, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/{,e}grep rix, - /{usr/,}bin/{m,g,}awk rix, + @{bin}/{,ba,da}sh rix, + @{bin}/{,e}grep rix, + @{bin}/{m,g,}awk rix, - /{usr/,}bin/xrdb rPx, - /{usr/,}bin/xdg-mime rPx, + @{bin}/xrdb rPx, + @{bin}/xdg-mime rPx, - /{usr/,}bin/xdg-open rCx -> open, + @{bin}/xdg-open rCx -> open, # Megasync home files owner @{HOME}/ r, 
@@ -76,8 +76,8 @@ profile megasync @{exec_path} { /usr/share/hwdata/pnp.ids r, # Allowed apps to open - /{usr/,}lib/firefox/firefox rPx, - /{usr/,}bin/spacefm rPx, + @{lib}/firefox/firefox rPx, + @{bin}/spacefm rPx, # file_inherit owner /dev/tty[0-9]* rw, @@ -87,12 +87,12 @@ profile megasync @{exec_path} { include include - /{usr/,}bin/xdg-open mr, + @{bin}/xdg-open mr, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/{m,g,}awk rix, - /{usr/,}bin/readlink rix, - /{usr/,}bin/basename rix, + @{bin}/{,ba,da}sh rix, + @{bin}/{m,g,}awk rix, + @{bin}/readlink rix, + @{bin}/basename rix, owner @{HOME}/ r, owner "@{user_share_dirs}/data/Mega Limited/MEGAsync/" r, @@ -100,8 +100,8 @@ profile megasync @{exec_path} { owner @{run}/user/@{uid}/ r, # Allowed apps to open - /{usr/,}lib/firefox/firefox rPx, - /{usr/,}bin/spacefm rPx, + @{lib}/firefox/firefox rPx, + @{bin}/spacefm rPx, # file_inherit owner "@{user_share_dirs}/data/Mega Limited/MEGAsync/logs/MEGAsync.log" rw, diff --git a/apparmor.d/profiles-m-r/memtester b/apparmor.d/profiles-m-r/memtester index 032115fd..6f3d1e05 100644 --- a/apparmor.d/profiles-m-r/memtester +++ b/apparmor.d/profiles-m-r/memtester @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}{s,}bin/memtester +@{exec_path} = @{bin}/memtester profile memtester @{exec_path} { include diff --git a/apparmor.d/profiles-m-r/merkaartor b/apparmor.d/profiles-m-r/merkaartor index debbaf24..d9556b67 100644 --- a/apparmor.d/profiles-m-r/merkaartor +++ b/apparmor.d/profiles-m-r/merkaartor @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/merkaartor +@{exec_path} = @{bin}/merkaartor profile merkaartor @{exec_path} { include include diff --git a/apparmor.d/profiles-m-r/mimetype b/apparmor.d/profiles-m-r/mimetype index 5d37c4a2..b611e677 100644 --- a/apparmor.d/profiles-m-r/mimetype +++ b/apparmor.d/profiles-m-r/mimetype @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/mimetype +@{exec_path} = @{bin}/mimetype profile mimetype @{exec_path} { include include 
diff --git a/apparmor.d/profiles-m-r/minitube b/apparmor.d/profiles-m-r/minitube index a13d4edb..e1eba50a 100644 --- a/apparmor.d/profiles-m-r/minitube +++ b/apparmor.d/profiles-m-r/minitube @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/minitube +@{exec_path} = @{bin}/minitube profile minitube @{exec_path} { include include @@ -86,13 +86,13 @@ profile minitube @{exec_path} { owner /tmp/qtsingleapp-minitu-* rw, owner /tmp/qtsingleapp-minitu-*-lockfile rwk, - /{usr/,}bin/xdg-open rCx -> open, + @{bin}/xdg-open rCx -> open, # Be able to turn off the screensaver while playing movies - /{usr/,}bin/xdg-screensaver rCx -> xdg-screensaver, + @{bin}/xdg-screensaver rCx -> xdg-screensaver, # Allowed apps to open - /{usr/,}lib/firefox/firefox rPx, + @{lib}/firefox/firefox rPx, # file_inherit owner /dev/tty[0-9]* rw, @@ -102,19 +102,19 @@ profile minitube @{exec_path} { include include - /{usr/,}bin/xdg-open mr, + @{bin}/xdg-open mr, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/{m,g,}awk rix, - /{usr/,}bin/readlink rix, - /{usr/,}bin/basename rix, + @{bin}/{,ba,da}sh rix, + @{bin}/{m,g,}awk rix, + @{bin}/readlink rix, + @{bin}/basename rix, owner @{HOME}/ r, owner @{run}/user/@{uid}/ r, # Allowed apps to open - /{usr/,}lib/firefox/firefox rPUx, + @{lib}/firefox/firefox rPUx, # file_inherit owner @{HOME}/.xsession-errors w, @@ -125,16 +125,16 @@ profile minitube @{exec_path} { include include - /{usr/,}bin/xdg-screensaver mr, + @{bin}/xdg-screensaver mr, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/mv rix, - /{usr/,}bin/{,e}grep rix, - /{usr/,}bin/sed rix, - /{usr/,}bin/which{,.debianutils} rix, - /{usr/,}bin/xset rix, - /{usr/,}bin/xautolock rix, - /{usr/,}bin/dbus-send rix, + @{bin}/{,ba,da}sh rix, + @{bin}/mv rix, + @{bin}/{,e}grep rix, + @{bin}/sed rix, + @{bin}/which{,.debianutils} rix, + @{bin}/xset rix, + @{bin}/xautolock rix, + @{bin}/dbus-send rix, owner @{HOME}/.Xauthority r, 
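Review bot: The `open` subprofile keeps `@{lib}/firefox/firefox rPUx,` while the main minitube profile a few lines above (hunk `@@ -86,13`) uses `rPx` for the same binary, so the two paths to launch firefox get different fallback behaviour: via xdg-open it runs unconfined when no firefox profile is loaded, via the main profile it is denied. Pick one mode for both; if the firefox profile is expected to be present, `@{lib}/firefox/firefox rPx,` in the subprofile matches the main profile and the sibling mediainfo-gui/megasync subprofiles in this same patch. If the unconfined fallback is deliberate, a one-line comment stating why (`# no firefox profile may be loaded; fall back to unconfined`) would stop the next refactor from "fixing" it.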
diff --git a/apparmor.d/profiles-m-r/mission-control b/apparmor.d/profiles-m-r/mission-control index 9620b113..512c9ead 100644 --- a/apparmor.d/profiles-m-r/mission-control +++ b/apparmor.d/profiles-m-r/mission-control @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{libexec}/{,telepathy/}mission-control-5 +@{exec_path} = @{lib}/{,telepathy/}mission-control-5 profile mission-control @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/profiles-m-r/mke2fs b/apparmor.d/profiles-m-r/mke2fs index a42c2dc7..a309e839 100644 --- a/apparmor.d/profiles-m-r/mke2fs +++ b/apparmor.d/profiles-m-r/mke2fs @@ -7,7 +7,7 @@ abi , include -@{exec_path} = /{usr/,}{s,}bin/{mke2fs,mkfs.ext2,mkfs.ext3,mkfs.ext4} +@{exec_path} = @{bin}/{mke2fs,mkfs.ext2,mkfs.ext3,mkfs.ext4} profile mke2fs @{exec_path} { include include @@ -18,8 +18,8 @@ profile mke2fs @{exec_path} { @{exec_path} mr, # To check for badblocks - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}{s,}bin/badblocks rPx, + @{bin}/{,ba,da}sh rix, + @{bin}/badblocks rPx, /usr/share/file/misc/magic.mgc r, diff --git a/apparmor.d/profiles-m-r/mkfs-btrfs b/apparmor.d/profiles-m-r/mkfs-btrfs index bdf210bb..16624fcf 100644 --- a/apparmor.d/profiles-m-r/mkfs-btrfs +++ b/apparmor.d/profiles-m-r/mkfs-btrfs @@ -7,7 +7,7 @@ abi , include -@{exec_path} = /{usr/,}{s,}bin/mkfs.btrfs +@{exec_path} = @{bin}/mkfs.btrfs profile mkfs-btrfs @{exec_path} { include include diff --git a/apparmor.d/profiles-m-r/mkfs-fat b/apparmor.d/profiles-m-r/mkfs-fat index e89971d6..9bf55200 100644 --- a/apparmor.d/profiles-m-r/mkfs-fat +++ b/apparmor.d/profiles-m-r/mkfs-fat @@ -7,7 +7,7 @@ abi , include -@{exec_path} = /{usr/,}{s,}bin/{mkfs.fat,mkfs.msdos,mkfs.vfat,mkdosfs} +@{exec_path} = @{bin}/{mkfs.fat,mkfs.msdos,mkfs.vfat,mkdosfs} profile mkfs-fat @{exec_path} { include include diff --git a/apparmor.d/profiles-m-r/mkinitramfs b/apparmor.d/profiles-m-r/mkinitramfs index c2e4c5b7..6e961ec6 100644 --- a/apparmor.d/profiles-m-r/mkinitramfs 
+++ b/apparmor.d/profiles-m-r/mkinitramfs @@ -8,7 +8,7 @@ abi , include -@{exec_path} = /{usr/,}sbin/mkinitramfs +@{exec_path} = @{bin}/mkinitramfs profile mkinitramfs @{exec_path} { include include 
@@ -19,49 +19,49 @@ profile mkinitramfs @{exec_path} { capability fsetid, @{exec_path} r, - /{usr/,}bin/{,ba,da}sh rix, + @{bin}/{,ba,da}sh rix, - /{usr/,}{s,}bin/ r, - /{usr/,}lib/ r, - /{usr/,}lib64/ r, + @{bin}/ r, + @{lib}/ r, + @{lib}64/ r, - /{usr/,}bin/{,e}grep rix, - /{usr/,}bin/basename rix, - /{usr/,}bin/bzip2 rix, - /{usr/,}bin/cat rix, - /{usr/,}bin/chmod rix, - /{usr/,}bin/cp rix, - /{usr/,}bin/cpio rix, - /{usr/,}bin/dirname rix, - /{usr/,}bin/env rix, - /{usr/,}bin/getopt rix, - /{usr/,}bin/gzip rix, - /{usr/,}bin/id rix, - /{usr/,}bin/ln rix, - /{usr/,}bin/lzma rix, - /{usr/,}bin/lzop rix, - /{usr/,}bin/mkdir rix, - /{usr/,}bin/mktemp rix, - /{usr/,}bin/readlink rix, - /{usr/,}bin/rm rix, - /{usr/,}bin/rmdir rix, - /{usr/,}bin/sed rix, - /{usr/,}bin/sort rix, - /{usr/,}bin/touch rix, - /{usr/,}bin/tr rix, - /{usr/,}bin/tsort rix, - /{usr/,}bin/xargs rix, - /{usr/,}bin/xz rix, - /{usr/,}bin/zstd rix, + @{bin}/{,e}grep rix, + @{bin}/basename rix, + @{bin}/bzip2 rix, + @{bin}/cat rix, + @{bin}/chmod rix, + @{bin}/cp rix, + @{bin}/cpio rix, + @{bin}/dirname rix, + @{bin}/env rix, + @{bin}/getopt rix, + @{bin}/gzip rix, + @{bin}/id rix, + @{bin}/ln rix, + @{bin}/lzma rix, + @{bin}/lzop rix, + @{bin}/mkdir rix, + @{bin}/mktemp rix, + @{bin}/readlink rix, + @{bin}/rm rix, + @{bin}/rmdir rix, + @{bin}/sed rix, + @{bin}/sort rix, + @{bin}/touch rix, + @{bin}/tr rix, + @{bin}/tsort rix, + @{bin}/xargs rix, + @{bin}/xz rix, + @{bin}/zstd rix, - /{usr/,}bin/ldd rCx -> ldd, - /{usr/,}lib{32,64}/ld-linux.so.2 rCx -> ldd, - /{usr/,}sbin/ldconfig rCx -> ldconfig, - /{usr/,}bin/find rCx -> find, - /{usr/,}bin/kmod rCx -> kmod, + @{bin}/find rCx -> find, + @{bin}/kmod rCx -> kmod, + @{bin}/ldconfig rCx -> ldconfig, + @{bin}/ldd rCx -> ldd, + @{lib}/ld-linux.so.2 rCx -> ldd, - /{usr/,}bin/dpkg rPx -> child-dpkg, - /{usr/,}bin/linux-version rPx, + @{bin}/dpkg rPx -> child-dpkg, + @{bin}/linux-version rPx, # What to do with it? 
(#FIXME#) /usr/share/initramfs-tools/hooks/* rPUx, @@ -98,14 +98,14 @@ profile mkinitramfs @{exec_path} { include include - /{usr/,}bin/ldd mr, + @{bin}/ldd mr, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/kmod mr, - /{usr/,}lib/initramfs-tools/bin/* mr, + @{bin}/{,ba,da}sh rix, + @{bin}/kmod mr, + @{lib}/initramfs-tools/bin/* mr, - /{usr/,}lib/@{multiarch}/ld-*.so* rix, - /{usr/,}lib{,x}32/ld-*.so{,.2} rix, + @{lib}/@{multiarch}/ld-*.so* rix, + @{lib}{,x}32/ld-*.so{,.2} rix, } @@ -115,10 +115,10 @@ profile mkinitramfs @{exec_path} { capability sys_chroot, - /{usr/,}{s,}bin/ldconfig mr, + @{bin}/ldconfig mr, - /{usr/,}{s,}bin/ldconfig.real rix, - /{usr/,}bin/{,ba,da}sh rix, + @{bin}/{,ba,da}sh rix, + @{bin}/ldconfig.real rix, owner /var/tmp/mkinitramfs_*/etc/ld.so.conf r, owner /var/tmp/mkinitramfs_*/etc/ld.so.conf.d/{,*.conf} r, @@ -139,7 +139,7 @@ profile mkinitramfs @{exec_path} { include include - /{usr/,}bin/find mr, + @{bin}/find mr, # pwd dir / r, @@ -158,7 +158,7 @@ profile mkinitramfs @{exec_path} { include include - /{usr/,}bin/kmod mr, + @{bin}/kmod mr, @{PROC}/cmdline r, diff --git a/apparmor.d/profiles-m-r/mkntfs b/apparmor.d/profiles-m-r/mkntfs index 907a6054..b946452e 100644 --- a/apparmor.d/profiles-m-r/mkntfs +++ b/apparmor.d/profiles-m-r/mkntfs @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}{s,}bin/{mkntfs,mkfs.ntfs} +@{exec_path} = @{bin}/{mkntfs,mkfs.ntfs} profile mkntfs @{exec_path} { include include diff --git a/apparmor.d/profiles-m-r/mkswap b/apparmor.d/profiles-m-r/mkswap index a4f3917b..da57d46d 100644 --- a/apparmor.d/profiles-m-r/mkswap +++ b/apparmor.d/profiles-m-r/mkswap @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}{s,}bin/mkswap +@{exec_path} = @{bin}/mkswap profile mkswap @{exec_path} { include include diff --git a/apparmor.d/profiles-m-r/mkvmerge b/apparmor.d/profiles-m-r/mkvmerge index b0868935..11c50571 100644 --- a/apparmor.d/profiles-m-r/mkvmerge +++ b/apparmor.d/profiles-m-r/mkvmerge 
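Review bot: `@{lib}64/ r,` looks like a conversion slip: the same hunk folds `/{usr/,}lib{32,64}/ld-linux.so.2` into `@{lib}/ld-linux.so.2`, which only works if `@{lib}` already expands to the lib32/lib64 variants, and in that case `@{lib}64/` expands to paths such as `/lib6464/` rather than `/lib64/`. Presumably `@{lib}/ r,` on the line above already grants what the old `/{usr/,}lib64/ r,` did, so the extra line can be dropped; if `@{lib}` does not cover lib64, then `@{lib}/ld-linux.so.2 rCx -> ldd` has lost the lib64 loader instead. Worth confirming against the tunable definition, which is not in this patch.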
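Review bot: The `ldd` subprofile has the same pattern issue as the main profile: `@{lib}{,x}32/ld-*.so{,.2} rix,` appends `32`/`x32` to whatever `@{lib}` expands to, so if `@{lib}` already enumerates lib32/lib64 (as the `@{lib}/ld-linux.so.2` rewrite in the previous hunk assumes) this yields `/lib3232`-style paths and the old `/{usr/,}lib{,x}32/ld-*.so{,.2}` grant silently disappears. Either keep the literal `/{usr/,}lib{,x}32/ld-*.so{,.2} rix,` or extend the tunable to include `libx32`. A note on this line (`# libx32 is not covered by @{lib}`) would make the exception self-explaining.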
@@ -7,7 +7,7 @@ abi , include -@{exec_path} = /{usr/,}bin/mkvmerge +@{exec_path} = @{bin}/mkvmerge profile mkvmerge @{exec_path} { include include diff --git a/apparmor.d/profiles-m-r/mkvtoolnix-gui b/apparmor.d/profiles-m-r/mkvtoolnix-gui index b980f99d..9d4abdbf 100644 --- a/apparmor.d/profiles-m-r/mkvtoolnix-gui +++ b/apparmor.d/profiles-m-r/mkvtoolnix-gui @@ -7,7 +7,7 @@ abi , include -@{exec_path} = /{usr/,}bin/mkvtoolnix-gui +@{exec_path} = @{bin}/mkvtoolnix-gui profile mkvtoolnix-gui @{exec_path} { include include @@ -28,8 +28,8 @@ profile mkvtoolnix-gui @{exec_path} { @{exec_path} mr, - /{usr/,}bin/mkvmerge rPx, - /{usr/,}bin/mediainfo-gui rPx, + @{bin}/mkvmerge rPx, + @{bin}/mediainfo-gui rPx, /usr/share/qt5ct/** r, /usr/share/hwdata/pnp.ids r, diff --git a/apparmor.d/profiles-m-r/mlocate b/apparmor.d/profiles-m-r/mlocate index d0a799b5..09ae9270 100644 --- a/apparmor.d/profiles-m-r/mlocate +++ b/apparmor.d/profiles-m-r/mlocate @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/mlocate +@{exec_path} = @{bin}/mlocate profile mlocate @{exec_path} { include include diff --git a/apparmor.d/profiles-m-r/modprobed-db b/apparmor.d/profiles-m-r/modprobed-db index e609bacd..7f3310a8 100644 --- a/apparmor.d/profiles-m-r/modprobed-db +++ b/apparmor.d/profiles-m-r/modprobed-db 
@@ -6,27 +6,27 @@ abi , include -@{exec_path} = /{usr/,}bin/modprobed-db +@{exec_path} = @{bin}/modprobed-db profile modprobed-db @{exec_path} { include include @{exec_path} mr, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/cat rix, - /{usr/,}bin/cp rix, - /{usr/,}bin/cut rix, - /{usr/,}bin/gawk rix, - /{usr/,}bin/getent rix, - /{usr/,}bin/grep rix, - /{usr/,}bin/logname rix, - /{usr/,}bin/md5sum rix, - /{usr/,}bin/rm rix, - /{usr/,}bin/sed rix, - /{usr/,}bin/sort rix, - /{usr/,}bin/uniq rix, - /{usr/,}bin/wc rix, + @{bin}/{,ba,da}sh rix, + @{bin}/cat rix, + @{bin}/cp rix, + @{bin}/cut rix, + @{bin}/gawk rix, + @{bin}/getent rix, + @{bin}/grep rix, + @{bin}/logname rix, + @{bin}/md5sum rix, + @{bin}/rm rix, + @{bin}/sed rix, + @{bin}/sort rix, + @{bin}/uniq rix, + @{bin}/wc rix, /usr/share/terminfo/x/xterm-256color r, diff --git a/apparmor.d/profiles-m-r/molly-guard b/apparmor.d/profiles-m-r/molly-guard index ec60f8d0..35a11274 100644 --- a/apparmor.d/profiles-m-r/molly-guard +++ b/apparmor.d/profiles-m-r/molly-guard @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}lib/molly-guard/molly-guard +@{exec_path} = @{lib}/molly-guard/molly-guard profile molly-guard @{exec_path} { include include @@ -17,13 +17,13 @@ profile molly-guard @{exec_path} { @{exec_path} mr, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/hostname rix, - /{usr/,}bin/{,e,p}grep rix, - /{usr/,}bin/run-parts rix, - /{usr/,}bin/systemctl rPx -> child-systemctl, - /{usr/,}bin/tr rix, - /{usr/,}bin/tty rix, + @{bin}/{,ba,da}sh rix, + @{bin}/hostname rix, + @{bin}/{,e,p}grep rix, + @{bin}/run-parts rix, + @{bin}/systemctl rPx -> child-systemctl, + @{bin}/tr rix, + @{bin}/tty rix, /etc/molly-guard/{,**} r, /etc/molly-guard/run.d/* rix, diff --git a/apparmor.d/profiles-m-r/monitorix b/apparmor.d/profiles-m-r/monitorix index 0ffaf702..34e1494c 100644 --- a/apparmor.d/profiles-m-r/monitorix +++ b/apparmor.d/profiles-m-r/monitorix 
@@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/monitorix +@{exec_path} = @{bin}/monitorix profile monitorix @{exec_path} { include include @@ -33,20 +33,20 @@ profile monitorix @{exec_path} { @{exec_path} mr, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/{,e}grep rix, - /{usr/,}bin/df rix, - /{usr/,}bin/cat rix, - /{usr/,}bin/tail rix, - /{usr/,}bin/{m,g,}awk rix, - /{usr/,}bin/free rix, - /{usr/,}bin/ss rix, - /{usr/,}bin/who rix, - /{usr/,}sbin/lvm rix, - /{usr/,}sbin/xtables-nft-multi rix, - /{usr/,}bin/sensors rix, - /{usr/,}bin/getconf rix, - /{usr/,}bin/ps rix, + @{bin}/{,ba,da}sh rix, + @{bin}/{,e}grep rix, + @{bin}/df rix, + @{bin}/cat rix, + @{bin}/tail rix, + @{bin}/{m,g,}awk rix, + @{bin}/free rix, + @{bin}/ss rix, + @{bin}/who rix, + @{bin}/lvm rix, + @{bin}/xtables-nft-multi rix, + @{bin}/sensors rix, + @{bin}/getconf rix, + @{bin}/ps rix, /etc/monitorix/monitorix.conf r, /etc/monitorix/conf.d/ r, diff --git a/apparmor.d/profiles-m-r/mono-sgen b/apparmor.d/profiles-m-r/mono-sgen index 035286b2..3001cd54 100644 --- a/apparmor.d/profiles-m-r/mono-sgen +++ b/apparmor.d/profiles-m-r/mono-sgen @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/mono-sgen +@{exec_path} = @{bin}/mono-sgen profile mono-sgen @{exec_path} { include include @@ -26,9 +26,9 @@ profile mono-sgen @{exec_path} { @{exec_path} mr, - /{usr/,}bin/ r, + @{bin}/ r, /{usr/,}local/bin/ r, - /{usr/,}bin/* rPUx, + @{bin}/* rPUx, /usr/share/.mono/{,**} rw, diff --git a/apparmor.d/profiles-m-r/mount b/apparmor.d/profiles-m-r/mount index 3307c4d5..93abdc2b 100644 --- a/apparmor.d/profiles-m-r/mount +++ b/apparmor.d/profiles-m-r/mount @@ -8,7 +8,7 @@ abi , include -@{exec_path} = /{usr/,}{s,}bin/mount +@{exec_path} = @{bin}/mount profile mount @{exec_path} flags=(attach_disconnected) { include include 
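Review bot: In the mono-sgen hunk, `@{bin}/* rPUx,` is a blanket exec-to-unconfined fallback for every binary under `@{bin}`, and since this patch elsewhere replaces `/{usr/,}{s,}bin/` with `@{bin}` (memtester, mount, mkswap) the rewrite presumably now also covers `/{usr/,}sbin/*`, which the old `/{usr/,}bin/*` rule did not. The broadness is pre-existing, but the widening to sbin is new and not mentioned in the commit message. If it is intended, a comment like `# mono can launch arbitrary helpers; unconfined fallback is deliberate` would record that; otherwise keep the narrower literal `/{usr/,}bin/* rPUx,` for this one rule.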
@@ -33,10 +33,10 @@ profile mount @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - /{usr/,}{s,}bin/lowntfs-3g rPx, - /{usr/,}{s,}bin/mount.* rPx, - /{usr/,}bin/ntfs-3g rPx, - /{usr/,}bin/sshfs rPx, + @{bin}/lowntfs-3g rPx, + @{bin}/mount.* rPx, + @{bin}/ntfs-3g rPx, + @{bin}/sshfs rPx, /etc/fstab r, diff --git a/apparmor.d/profiles-m-r/mount-cifs b/apparmor.d/profiles-m-r/mount-cifs index 1ee7662b..106882fd 100644 --- a/apparmor.d/profiles-m-r/mount-cifs +++ b/apparmor.d/profiles-m-r/mount-cifs @@ -7,7 +7,7 @@ abi , include -@{exec_path} = /{usr/,}{s,}bin/mount.cifs +@{exec_path} = @{bin}/mount.cifs profile mount-cifs @{exec_path} flags=(complain) { include include @@ -24,7 +24,7 @@ profile mount-cifs @{exec_path} flags=(complain) { @{exec_path} mr, - /{usr/,}bin/systemd-ask-password rPUx, + @{bin}/systemd-ask-password rPUx, /etc/fstab r, diff --git a/apparmor.d/profiles-m-r/mount-nfs b/apparmor.d/profiles-m-r/mount-nfs index 1e9a6fbf..c8f31769 100644 --- a/apparmor.d/profiles-m-r/mount-nfs +++ b/apparmor.d/profiles-m-r/mount-nfs @@ -7,7 +7,7 @@ abi , include -@{exec_path} = /{usr/,}{s,}bin/mount.nfs +@{exec_path} = @{bin}/mount.nfs profile mount-nfs @{exec_path} flags=(complain) { include include @@ -27,9 +27,9 @@ profile mount-nfs @{exec_path} flags=(complain) { @{exec_path} mr, - /{usr/,}{s,}bin/start-statd rix, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/flock rix, + @{bin}/{,ba,da}sh rix, + @{bin}/flock rix, + @{bin}/start-statd rix, /usr/bin/systemctl rPx -> child-systemctl, diff --git a/apparmor.d/profiles-m-r/mount-zfs b/apparmor.d/profiles-m-r/mount-zfs index b1332233..1c035b0a 100644 --- a/apparmor.d/profiles-m-r/mount-zfs +++ b/apparmor.d/profiles-m-r/mount-zfs @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}{s,}bin/mount.zfs +@{exec_path} = @{bin}/mount.zfs profile mount-zfs @{exec_path} flags=(complain) { include include diff --git a/apparmor.d/profiles-m-r/mpsyt b/apparmor.d/profiles-m-r/mpsyt index 3e72a474..ea40cb8e 100644 
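Review bot: In the mount-nfs hunk the line `/usr/bin/systemctl rPx -> child-systemctl,` is left hard-coded while the three adjacent rules were converted to `@{bin}`; on a system without merged /usr the rule will not match `/bin/systemctl`, and it is inconsistent with the molly-guard hunk in this same patch, which uses `@{bin}/systemctl rPx -> child-systemctl,`. Change it to `@{bin}/systemctl rPx -> child-systemctl,`. The enclosing profile body continues outside the hunk.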
--- a/apparmor.d/profiles-m-r/mpsyt +++ b/apparmor.d/profiles-m-r/mpsyt @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/mpsyt +@{exec_path} = @{bin}/mpsyt profile mpsyt @{exec_path} { include include @@ -24,16 +24,16 @@ profile mpsyt @{exec_path} { network netlink raw, @{exec_path} r, - /{usr/,}bin/python3.[0-9]* r, + @{bin}/python3.[0-9]* r, - /{usr/,}bin/ r, - /{usr/,}bin/tset rix, - /{usr/,}{s,}bin/ldconfig rix, - /{usr/,}bin/uname rix, + @{bin}/ r, + @{bin}/ldconfig rix, + @{bin}/tset rix, + @{bin}/uname rix, - /{usr/,}bin/mpv rPUx, - /{usr/,}bin/ffmpeg rPUx, - /{usr/,}bin/ffprobe rPUx, + @{bin}/mpv rPUx, + @{bin}/ffmpeg rPUx, + @{bin}/ffprobe rPUx, # MPV config files /etc/mpv/* r, diff --git a/apparmor.d/profiles-m-r/mpv b/apparmor.d/profiles-m-r/mpv index d0915c40..cf14169e 100644 --- a/apparmor.d/profiles-m-r/mpv +++ b/apparmor.d/profiles-m-r/mpv @@ -7,7 +7,7 @@ abi , include -@{exec_path} = /{usr/,}bin/mpv +@{exec_path} = @{bin}/mpv profile mpv @{exec_path} { include include @@ -36,10 +36,10 @@ profile mpv @{exec_path} { @{exec_path} mr, - /{usr/,}bin/xdg-screensaver rCx -> xdg-screensaver, + @{bin}/xdg-screensaver rCx -> xdg-screensaver, - /{usr/,}bin/youtube-dl rPx, - /{usr/,}bin/yt-dlp rPx, + @{bin}/youtube-dl rPx, + @{bin}/yt-dlp rPx, /etc/mpv/* r, /etc/samba/smb.conf r, @@ -90,17 +90,17 @@ profile mpv @{exec_path} { include include - /{usr/,}bin/xdg-screensaver mr, + @{bin}/xdg-screensaver mr, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/mv rix, - /{usr/,}bin/{,e}grep rix, - /{usr/,}bin/sed rix, - /{usr/,}bin/which{,.debianutils} rix, - /{usr/,}bin/xset rix, - /{usr/,}bin/xautolock rix, - /{usr/,}bin/dbus-send rix, - /{usr/,}bin/xscreensaver-command rix, + @{bin}/{,ba,da}sh rix, + @{bin}/mv rix, + @{bin}/{,e}grep rix, + @{bin}/sed rix, + @{bin}/which{,.debianutils} rix, + @{bin}/xset rix, + @{bin}/xautolock rix, + @{bin}/dbus-send rix, + @{bin}/xscreensaver-command rix, owner @{HOME}/.Xauthority r, 
diff --git a/apparmor.d/profiles-m-r/mtools b/apparmor.d/profiles-m-r/mtools index 5f717544..072a9e0c 100644 --- a/apparmor.d/profiles-m-r/mtools +++ b/apparmor.d/profiles-m-r/mtools @@ -7,7 +7,7 @@ abi , include -@{exec_path} = /{usr/,}bin/{mtools,mattrib,mbadblocks,mcat,mcd,mclasserase,mcopy,mdel,mdeltree,mdir,mdu,mformat,minfo,mlabel,mmd,mmount,mmove,mpartition,mrd,mren,mshortname,mshowfat,mtoolstest,mtype,mzip} +@{exec_path} = @{bin}/{mtools,mattrib,mbadblocks,mcat,mcd,mclasserase,mcopy,mdel,mdeltree,mdir,mdu,mformat,minfo,mlabel,mmd,mmount,mmove,mpartition,mrd,mren,mshortname,mshowfat,mtoolstest,mtype,mzip} profile mtools @{exec_path} { include include diff --git a/apparmor.d/profiles-m-r/mtr b/apparmor.d/profiles-m-r/mtr index 1cfbfa6e..7b2421f3 100644 --- a/apparmor.d/profiles-m-r/mtr +++ b/apparmor.d/profiles-m-r/mtr @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/mtr +@{exec_path} = @{bin}/mtr profile mtr @{exec_path} { include include @@ -23,7 +23,7 @@ profile mtr @{exec_path} { @{exec_path} mr, - /{usr/,}bin/mtr-packet rPx, + @{bin}/mtr-packet rPx, include if exists } diff --git a/apparmor.d/profiles-m-r/mtr-packet b/apparmor.d/profiles-m-r/mtr-packet index 9c1ccb38..b76dc8d1 100644 --- a/apparmor.d/profiles-m-r/mtr-packet +++ b/apparmor.d/profiles-m-r/mtr-packet @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/mtr-packet +@{exec_path} = @{bin}/mtr-packet profile mtr-packet @{exec_path} { include diff --git a/apparmor.d/profiles-m-r/mumble b/apparmor.d/profiles-m-r/mumble index dcbcc2a0..d27821f6 100644 --- a/apparmor.d/profiles-m-r/mumble +++ b/apparmor.d/profiles-m-r/mumble @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/mumble +@{exec_path} = @{bin}/mumble profile mumble @{exec_path} { include include 
@@ -34,8 +34,8 @@ profile mumble @{exec_path} { @{exec_path} mrix, - /{usr/,}bin/lsb_release rPx -> lsb_release, - /{usr/,}bin/xdg-open rCx -> open, + @{bin}/lsb_release rPx -> lsb_release, + @{bin}/xdg-open rCx -> open, # Mumble home files owner @{HOME}/ r, @@ -71,7 +71,7 @@ profile mumble @{exec_path} { /usr/share/hwdata/pnp.ids r, # Allowed apps to open - /{usr/,}lib/firefox/firefox rPUx, + @{lib}/firefox/firefox rPUx, # file_inherit owner /dev/tty[0-9]* rw, @@ -81,19 +81,19 @@ profile mumble @{exec_path} { include include - /{usr/,}bin/xdg-open mr, + @{bin}/xdg-open mr, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/{m,g,}awk rix, - /{usr/,}bin/readlink rix, - /{usr/,}bin/basename rix, + @{bin}/{,ba,da}sh rix, + @{bin}/{m,g,}awk rix, + @{bin}/readlink rix, + @{bin}/basename rix, owner @{HOME}/ r, owner @{run}/user/@{uid}/ r, # Allowed apps to open - /{usr/,}lib/firefox/firefox rPUx, + @{lib}/firefox/firefox rPUx, # file_inherit owner @{HOME}/.xsession-errors w, diff --git a/apparmor.d/profiles-m-r/mumble-overlay b/apparmor.d/profiles-m-r/mumble-overlay index bfc23918..647e64e9 100644 --- a/apparmor.d/profiles-m-r/mumble-overlay +++ b/apparmor.d/profiles-m-r/mumble-overlay @@ -6,18 +6,18 @@ abi , include -@{exec_path} = /{usr/,}bin/mumble-overlay +@{exec_path} = @{bin}/mumble-overlay profile mumble-overlay @{exec_path} { include include @{exec_path} r, - /{usr/,}bin/{,ba,da}sh rix, + @{bin}/{,ba,da}sh rix, - /{usr/,}bin/file rix, - /{usr/,}bin/which{,.debianutils} rix, + @{bin}/file rix, + @{bin}/which{,.debianutils} rix, - /{usr/,}bin/glxgears rPx, + @{bin}/glxgears rPx, /etc/magic r, diff --git a/apparmor.d/profiles-m-r/needrestart b/apparmor.d/profiles-m-r/needrestart index 0fe5da82..52728d29 100644 --- a/apparmor.d/profiles-m-r/needrestart +++ b/apparmor.d/profiles-m-r/needrestart 
@@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}{s,}bin/needrestart +@{exec_path} = @{bin}/needrestart profile needrestart @{exec_path} flags=(attach_disconnected) { include include @@ -23,23 +23,23 @@ profile needrestart @{exec_path} flags=(attach_disconnected) { @{exec_path} mrix, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/dpkg-query rpx, - /{usr/,}bin/fail2ban-server rPx, - /{usr/,}bin/locale rix, - /{usr/,}bin/python3.[0-9]* rix, - /{usr/,}bin/sed rix, - /{usr/,}bin/stty rix, - /{usr/,}bin/systemctl rPx, - /{usr/,}bin/systemd-detect-virt rPx, - /{usr/,}bin/udevadm rPx, - /{usr/,}bin/whiptail rPx, - /{usr/,}bin/who rix, - /{usr/,}lib/needrestart/iucode-scan-versions rPx, - /usr/share/debconf/frontend rix, + @{bin}/{,ba,da}sh rix, + @{bin}/dpkg-query rpx, + @{bin}/fail2ban-server rPx, + @{bin}/locale rix, + @{bin}/python3.[0-9]* rix, + @{bin}/sed rix, + @{bin}/stty rix, + @{bin}/systemctl rPx, + @{bin}/systemd-detect-virt rPx, + @{bin}/udevadm rPx, + @{bin}/whiptail rPx, + @{bin}/who rix, + @{lib}/needrestart/iucode-scan-versions rPx, + /usr/share/debconf/frontend rix, - /{usr/,}bin/networkd-dispatcher r, - /{usr/,}bin/gettext.sh r, + @{bin}/networkd-dispatcher r, + @{bin}/gettext.sh r, /usr/share/needrestart/{,**} r, /usr/share/unattended-upgrades/unattended-upgrade-shutdown r, diff --git a/apparmor.d/profiles-m-r/needrestart-apt-pinvoke b/apparmor.d/profiles-m-r/needrestart-apt-pinvoke index 976e6b7e..54755420 100644 --- a/apparmor.d/profiles-m-r/needrestart-apt-pinvoke +++ b/apparmor.d/profiles-m-r/needrestart-apt-pinvoke @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}lib/needrestart/apt-pinvoke +@{exec_path} = @{lib}/needrestart/apt-pinvoke profile needrestart-apt-pinvoke @{exec_path} { include include 
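Review bot: `@{bin}/dpkg-query rpx,` is the only transition in the needrestart hunk that uses lowercase `p`, which unlike `Px` does not scrub the child's environment; the surrounding rules (`systemctl`, `udevadm`, `whiptail`, …) all use `rPx`. The commit only rewrites the path prefix, so this is pre-existing, but since needrestart presumably runs with root privileges the difference is worth making explicit: either align it with `@{bin}/dpkg-query rPx,` or keep `rpx` and add a comment such as `# px (no env scrub): dpkg-query must see the caller's environment`.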
@@ -14,10 +14,10 @@ profile needrestart-apt-pinvoke @{exec_path} { @{exec_path} mr, - /{usr/,}{s,}bin/needrestart rPx, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/dbus-send rix, - /{usr/,}bin/rm rix, + @{bin}/{,ba,da}sh rix, + @{bin}/dbus-send rix, + @{bin}/needrestart rPx, + @{bin}/rm rix, @{run}/needrestart/{,**} rw, diff --git a/apparmor.d/profiles-m-r/needrestart-dpkg-status b/apparmor.d/profiles-m-r/needrestart-dpkg-status index 1054ae25..c6f09fef 100644 --- a/apparmor.d/profiles-m-r/needrestart-dpkg-status +++ b/apparmor.d/profiles-m-r/needrestart-dpkg-status @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}lib/needrestart/dpkg-status +@{exec_path} = @{lib}/needrestart/dpkg-status profile needrestart-dpkg-status @{exec_path} { include include @@ -15,9 +15,9 @@ profile needrestart-dpkg-status @{exec_path} { @{exec_path} mr, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/mkdir rix, - /{usr/,}bin/touch rix, + @{bin}/{,ba,da}sh rix, + @{bin}/mkdir rix, + @{bin}/touch rix, @{run}/needrestart/{,**} rw, diff --git a/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions b/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions index 17a723e0..92b94ed3 100644 --- a/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions +++ b/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions @@ -6,17 +6,17 @@ abi , include -@{exec_path} = /{usr/,}lib/needrestart/iucode-scan-versions +@{exec_path} = @{lib}/needrestart/iucode-scan-versions profile needrestart-iucode-scan-versions @{exec_path} { include @{exec_path} mr, - /{usr/,}{s,}bin/iucode_tool rix, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/{,e}grep rix, - /{usr/,}bin/bsdtar rix, - /{usr/,}bin/cat rix, + @{bin}/iucode_tool rix, + @{bin}/{,ba,da}sh rix, + @{bin}/{,e}grep rix, + @{bin}/bsdtar rix, + @{bin}/cat rix, /usr/share/misc/ r, /usr/share/misc/intel-microcode* r, diff --git a/apparmor.d/profiles-m-r/nemo b/apparmor.d/profiles-m-r/nemo index dd3cf979..513fae32 100644 --- a/apparmor.d/profiles-m-r/nemo 
+++ b/apparmor.d/profiles-m-r/nemo @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/nemo +@{exec_path} = @{bin}/nemo profile nemo @{exec_path} { include include @@ -32,9 +32,9 @@ profile nemo @{exec_path} { @{exec_path} mr, - /{usr/,}lib/@{multiarch}/nemo/** mrix, + @{lib}/@{multiarch}/nemo/** mrix, - /usr/libexec/gvfsd-* rPx, + @{lib}/gvfsd-* rPx, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/profiles-m-r/netcap b/apparmor.d/profiles-m-r/netcap index 473f2dc8..b739732d 100644 --- a/apparmor.d/profiles-m-r/netcap +++ b/apparmor.d/profiles-m-r/netcap @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/netcap +@{exec_path} = @{bin}/netcap profile netcap @{exec_path} { include include diff --git a/apparmor.d/profiles-m-r/nethogs b/apparmor.d/profiles-m-r/nethogs index 012a0a16..b7609ba9 100644 --- a/apparmor.d/profiles-m-r/nethogs +++ b/apparmor.d/profiles-m-r/nethogs @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}{s,}bin/nethogs +@{exec_path} = @{bin}/nethogs profile nethogs @{exec_path} { include include diff --git a/apparmor.d/profiles-m-r/netstat b/apparmor.d/profiles-m-r/netstat index 9610a421..32ec937e 100644 --- a/apparmor.d/profiles-m-r/netstat +++ b/apparmor.d/profiles-m-r/netstat @@ -9,7 +9,7 @@ abi , include -@{exec_path} = /{usr/,}bin/netstat +@{exec_path} = @{bin}/netstat profile netstat @{exec_path} { include include diff --git a/apparmor.d/profiles-m-r/newgidmap b/apparmor.d/profiles-m-r/newgidmap index d769bfcc..30faf7d8 100644 --- a/apparmor.d/profiles-m-r/newgidmap +++ b/apparmor.d/profiles-m-r/newgidmap @@ -7,7 +7,7 @@ abi , include -@{exec_path} = /{usr/,}bin/newgidmap +@{exec_path} = @{bin}/newgidmap profile newgidmap @{exec_path} { include include diff --git a/apparmor.d/profiles-m-r/newgrp b/apparmor.d/profiles-m-r/newgrp index b139326f..3dd9411b 100644 --- a/apparmor.d/profiles-m-r/newgrp +++ b/apparmor.d/profiles-m-r/newgrp 
@@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/newgrp +@{exec_path} = @{bin}/newgrp profile newgrp @{exec_path} { include include @@ -27,8 +27,8 @@ profile newgrp @{exec_path} { @{exec_path} mr, # Shells to use - /{usr/,}bin/{,b,d,rb}ash rPUx, - /{usr/,}bin/{c,k,tc,z}sh rPUx, + @{bin}/{,b,d,rb}ash rPUx, + @{bin}/{c,k,tc,z}sh rPUx, /etc/{passwd,group,shadow,gshadow} r, diff --git a/apparmor.d/profiles-m-r/newuidmap b/apparmor.d/profiles-m-r/newuidmap index 3ec9d09e..7337500e 100644 --- a/apparmor.d/profiles-m-r/newuidmap +++ b/apparmor.d/profiles-m-r/newuidmap @@ -7,7 +7,7 @@ abi , include -@{exec_path} = /{usr/,}bin/newuidmap +@{exec_path} = @{bin}/newuidmap profile newuidmap @{exec_path} { include include diff --git a/apparmor.d/profiles-m-r/nfsdcld b/apparmor.d/profiles-m-r/nfsdcld new file mode 100644 index 00000000..a2bca95c --- /dev/null +++ b/apparmor.d/profiles-m-r/nfsdcld @@ -0,0 +1,16 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2021 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/nfsdcld +profile nfsdcld @{exec_path} { + include + + @{exec_path} mr, + + include if exists +} \ No newline at end of file diff --git a/apparmor.d/profiles-m-r/nft b/apparmor.d/profiles-m-r/nft index eccf630c..b93d119b 100644 --- a/apparmor.d/profiles-m-r/nft +++ b/apparmor.d/profiles-m-r/nft @@ -7,7 +7,7 @@ abi , include -@{exec_path} = /{usr/,}{s,}bin/nft +@{exec_path} = @{bin}/nft profile nft @{exec_path} { include include diff --git a/apparmor.d/profiles-m-r/nmap b/apparmor.d/profiles-m-r/nmap index 1d0325f5..2257b7ed 100644 --- a/apparmor.d/profiles-m-r/nmap +++ b/apparmor.d/profiles-m-r/nmap @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/nmap +@{exec_path} = @{bin}/nmap profile nmap @{exec_path} { include include diff --git a/apparmor.d/profiles-m-r/nologin b/apparmor.d/profiles-m-r/nologin index 572122a8..e578bc12 100644 --- a/apparmor.d/profiles-m-r/nologin 
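Review bot: The new nfsdcld profile ends with `\ No newline at end of file`, as does the new nvidia-settings profile further down; adding the trailing newline keeps both consistent with the existing profiles and avoids spurious whole-line diffs on the next edit. Beyond the base include, nfsdcld is granted only `@{exec_path} mr,`; if the daemon keeps client-tracking state on disk, as its name suggests, it would be worth confirming in complain mode that no file rules are missing before the profile is enforced. The header year `2021` in a file added in 2023 also looks like a copy-paste carry-over.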
+++ b/apparmor.d/profiles-m-r/nologin @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}{s,}bin/nologin +@{exec_path} = @{bin}/nologin profile nologin @{exec_path} { include include diff --git a/apparmor.d/profiles-m-r/ntfs-3g b/apparmor.d/profiles-m-r/ntfs-3g index 94014b46..9a5f2b96 100644 --- a/apparmor.d/profiles-m-r/ntfs-3g +++ b/apparmor.d/profiles-m-r/ntfs-3g @@ -7,8 +7,8 @@ abi , include -@{exec_path} = /{usr/,}bin/{low,}ntfs{,-3g} -@{exec_path} += /{usr/,}{s,}bin/mount.{low,}ntfs{,-3g} +@{exec_path} = @{bin}/{low,}ntfs{,-3g} +@{exec_path} += @{bin}/mount.{low,}ntfs{,-3g} profile ntfs-3g @{exec_path} { include include @@ -23,7 +23,7 @@ profile ntfs-3g @{exec_path} { @{exec_path} mr, - /{usr/,}bin/kmod rPx, # To load the fuse kernel module + @{bin}/kmod rPx, # To load the fuse kernel module # Mount points @{MOUNTDIRS}/ r, diff --git a/apparmor.d/profiles-m-r/ntfs-3g-probe b/apparmor.d/profiles-m-r/ntfs-3g-probe index c3c9af6b..610a464a 100644 --- a/apparmor.d/profiles-m-r/ntfs-3g-probe +++ b/apparmor.d/profiles-m-r/ntfs-3g-probe @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/ntfs-3g.probe +@{exec_path} = @{bin}/ntfs-3g.probe profile ntfs-3g-probe @{exec_path} { include include diff --git a/apparmor.d/profiles-m-r/ntfscat b/apparmor.d/profiles-m-r/ntfscat index c0801942..eb31b61d 100644 --- a/apparmor.d/profiles-m-r/ntfscat +++ b/apparmor.d/profiles-m-r/ntfscat @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/ntfscat +@{exec_path} = @{bin}/ntfscat profile ntfscat @{exec_path} { include include diff --git a/apparmor.d/profiles-m-r/ntfsclone b/apparmor.d/profiles-m-r/ntfsclone index 713cbbe0..4ae95acd 100644 --- a/apparmor.d/profiles-m-r/ntfsclone +++ b/apparmor.d/profiles-m-r/ntfsclone @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}{s,}bin/ntfsclone +@{exec_path} = @{bin}/ntfsclone profile ntfsclone @{exec_path} { include include 
diff --git a/apparmor.d/profiles-m-r/ntfscluster b/apparmor.d/profiles-m-r/ntfscluster index 7472bcb9..3720c924 100644 --- a/apparmor.d/profiles-m-r/ntfscluster +++ b/apparmor.d/profiles-m-r/ntfscluster @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/ntfscluster +@{exec_path} = @{bin}/ntfscluster profile ntfscluster @{exec_path} { include include diff --git a/apparmor.d/profiles-m-r/ntfscmp b/apparmor.d/profiles-m-r/ntfscmp index 823ff8b0..00f5271f 100644 --- a/apparmor.d/profiles-m-r/ntfscmp +++ b/apparmor.d/profiles-m-r/ntfscmp @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/ntfscmp +@{exec_path} = @{bin}/ntfscmp profile ntfscmp @{exec_path} { include include diff --git a/apparmor.d/profiles-m-r/ntfscp b/apparmor.d/profiles-m-r/ntfscp index a10e17f2..a0fdc4e8 100644 --- a/apparmor.d/profiles-m-r/ntfscp +++ b/apparmor.d/profiles-m-r/ntfscp @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}{s,}bin/ntfscp +@{exec_path} = @{bin}/ntfscp profile ntfscp @{exec_path} { include include diff --git a/apparmor.d/profiles-m-r/ntfsdecrypt b/apparmor.d/profiles-m-r/ntfsdecrypt index 4fef21f2..65cfe5ca 100644 --- a/apparmor.d/profiles-m-r/ntfsdecrypt +++ b/apparmor.d/profiles-m-r/ntfsdecrypt @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/ntfsdecrypt +@{exec_path} = @{bin}/ntfsdecrypt profile ntfsdecrypt @{exec_path} { include include diff --git a/apparmor.d/profiles-m-r/ntfsfallocate b/apparmor.d/profiles-m-r/ntfsfallocate index 7c5845e4..73f4e2c6 100644 --- a/apparmor.d/profiles-m-r/ntfsfallocate +++ b/apparmor.d/profiles-m-r/ntfsfallocate @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/ntfsfallocate +@{exec_path} = @{bin}/ntfsfallocate profile ntfsfallocate @{exec_path} { include include diff --git a/apparmor.d/profiles-m-r/ntfsfix b/apparmor.d/profiles-m-r/ntfsfix index 435e8642..969eac5b 100644 --- a/apparmor.d/profiles-m-r/ntfsfix +++ b/apparmor.d/profiles-m-r/ntfsfix 
@@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/ntfsfix +@{exec_path} = @{bin}/ntfsfix profile ntfsfix @{exec_path} { include include diff --git a/apparmor.d/profiles-m-r/ntfsinfo b/apparmor.d/profiles-m-r/ntfsinfo index 3909b59d..4f21bcfe 100644 --- a/apparmor.d/profiles-m-r/ntfsinfo +++ b/apparmor.d/profiles-m-r/ntfsinfo @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/ntfsinfo +@{exec_path} = @{bin}/ntfsinfo profile ntfsinfo @{exec_path} { include include diff --git a/apparmor.d/profiles-m-r/ntfslabel b/apparmor.d/profiles-m-r/ntfslabel index 46195989..3fa554c0 100644 --- a/apparmor.d/profiles-m-r/ntfslabel +++ b/apparmor.d/profiles-m-r/ntfslabel @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}{s,}bin/ntfslabel +@{exec_path} = @{bin}/ntfslabel profile ntfslabel @{exec_path} { include include diff --git a/apparmor.d/profiles-m-r/ntfsls b/apparmor.d/profiles-m-r/ntfsls index 04b68853..6cf3c4fb 100644 --- a/apparmor.d/profiles-m-r/ntfsls +++ b/apparmor.d/profiles-m-r/ntfsls @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/ntfsls +@{exec_path} = @{bin}/ntfsls profile ntfsls @{exec_path} { include include diff --git a/apparmor.d/profiles-m-r/ntfsmove b/apparmor.d/profiles-m-r/ntfsmove index 398f3d0d..1dcb3279 100644 --- a/apparmor.d/profiles-m-r/ntfsmove +++ b/apparmor.d/profiles-m-r/ntfsmove @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/ntfsmove +@{exec_path} = @{bin}/ntfsmove profile ntfsmove @{exec_path} { include include diff --git a/apparmor.d/profiles-m-r/ntfsrecover b/apparmor.d/profiles-m-r/ntfsrecover index 89114078..f727ad11 100644 --- a/apparmor.d/profiles-m-r/ntfsrecover +++ b/apparmor.d/profiles-m-r/ntfsrecover @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/ntfsrecover +@{exec_path} = @{bin}/ntfsrecover profile ntfsrecover @{exec_path} { include include diff --git a/apparmor.d/profiles-m-r/ntfsresize b/apparmor.d/profiles-m-r/ntfsresize index b0eb66b1..f6077681 100644 
--- a/apparmor.d/profiles-m-r/ntfsresize +++ b/apparmor.d/profiles-m-r/ntfsresize @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}{s,}bin/ntfsresize +@{exec_path} = @{bin}/ntfsresize profile ntfsresize @{exec_path} { include include diff --git a/apparmor.d/profiles-m-r/ntfssecaudit b/apparmor.d/profiles-m-r/ntfssecaudit index 99f0aef4..db06ec62 100644 --- a/apparmor.d/profiles-m-r/ntfssecaudit +++ b/apparmor.d/profiles-m-r/ntfssecaudit @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/ntfssecaudit +@{exec_path} = @{bin}/ntfssecaudit profile ntfssecaudit @{exec_path} { include include diff --git a/apparmor.d/profiles-m-r/ntfstruncate b/apparmor.d/profiles-m-r/ntfstruncate index ed4d7460..dcf1a578 100644 --- a/apparmor.d/profiles-m-r/ntfstruncate +++ b/apparmor.d/profiles-m-r/ntfstruncate @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/ntfstruncate +@{exec_path} = @{bin}/ntfstruncate profile ntfstruncate @{exec_path} { include include diff --git a/apparmor.d/profiles-m-r/ntfsundelete b/apparmor.d/profiles-m-r/ntfsundelete index dee5bd54..ee45bac8 100644 --- a/apparmor.d/profiles-m-r/ntfsundelete +++ b/apparmor.d/profiles-m-r/ntfsundelete @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}{s,}bin/ntfsundelete +@{exec_path} = @{bin}/ntfsundelete profile ntfsundelete @{exec_path} { include include diff --git a/apparmor.d/profiles-m-r/ntfsusermap b/apparmor.d/profiles-m-r/ntfsusermap index 706035d7..902330fb 100644 --- a/apparmor.d/profiles-m-r/ntfsusermap +++ b/apparmor.d/profiles-m-r/ntfsusermap @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/ntfsusermap +@{exec_path} = @{bin}/ntfsusermap profile ntfsusermap @{exec_path} { include include diff --git a/apparmor.d/profiles-m-r/ntfswipe b/apparmor.d/profiles-m-r/ntfswipe index c70bf9d5..c5a697a6 100644 --- a/apparmor.d/profiles-m-r/ntfswipe +++ b/apparmor.d/profiles-m-r/ntfswipe 
@@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/ntfswipe +@{exec_path} = @{bin}/ntfswipe profile ntfswipe @{exec_path} { include include diff --git a/apparmor.d/profiles-m-r/nullmailer-send b/apparmor.d/profiles-m-r/nullmailer-send index 01d2465c..0287fb7d 100644 --- a/apparmor.d/profiles-m-r/nullmailer-send +++ b/apparmor.d/profiles-m-r/nullmailer-send @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}{s,}bin/nullmailer-send +@{exec_path} = @{bin}/nullmailer-send profile nullmailer-send @{exec_path} { include include @@ -14,7 +14,7 @@ profile nullmailer-send @{exec_path} { @{exec_path} mr, - /{usr/,}lib/nullmailer/smtp rix, + @{lib}/nullmailer/smtp rix, /etc/mailname r, /etc/nullmailer/{,*} r, diff --git a/apparmor.d/profiles-m-r/numlockx b/apparmor.d/profiles-m-r/numlockx index 7e9438c5..4f59005b 100644 --- a/apparmor.d/profiles-m-r/numlockx +++ b/apparmor.d/profiles-m-r/numlockx @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/numlockx +@{exec_path} = @{bin}/numlockx profile numlockx @{exec_path} { include diff --git a/apparmor.d/profiles-m-r/nvidia-settings b/apparmor.d/profiles-m-r/nvidia-settings new file mode 100644 index 00000000..63475611 --- /dev/null +++ b/apparmor.d/profiles-m-r/nvidia-settings @@ -0,0 +1,25 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/nvidia-settings +profile nvidia-settings @{exec_path} { + include + include + include + include + + @{exec_path} mr, + + /usr/share/glib-2.0/schemas/gschemas.compiled r, + /usr/share/icons/{,**} r, + /usr/share/mime/mime.cache r, + /usr/share/pixmaps/{,**} r, + /usr/share/X11/xkb/{,**} r, + + include if exists +} \ No newline at end of file diff --git a/apparmor.d/profiles-m-r/nvtop b/apparmor.d/profiles-m-r/nvtop index 43887f26..8a89c8ba 100644 --- a/apparmor.d/profiles-m-r/nvtop +++ b/apparmor.d/profiles-m-r/nvtop 
@@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/nvtop +@{exec_path} = @{bin}/nvtop profile nvtop @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/profiles-m-r/obamenu b/apparmor.d/profiles-m-r/obamenu index e2bcc172..ca2493fc 100644 --- a/apparmor.d/profiles-m-r/obamenu +++ b/apparmor.d/profiles-m-r/obamenu @@ -6,15 +6,15 @@ abi , include -@{exec_path} = /{usr/,}bin/obamenu +@{exec_path} = @{bin}/obamenu profile obamenu @{exec_path} { include include @{exec_path} r, - /{usr/,}bin/python3.[0-9]* rix, + @{bin}/python3.[0-9]* rix, - /{usr/,}bin/ r, + @{bin}/ r, /usr/share/*/*.desktop r, diff --git a/apparmor.d/profiles-m-r/obconf b/apparmor.d/profiles-m-r/obconf index db56ea93..dfa88355 100644 --- a/apparmor.d/profiles-m-r/obconf +++ b/apparmor.d/profiles-m-r/obconf @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/obconf +@{exec_path} = @{bin}/obconf profile obconf @{exec_path} { include include diff --git a/apparmor.d/profiles-m-r/obex-folder-listing b/apparmor.d/profiles-m-r/obex-folder-listing index 8e134416..0e9463f9 100644 --- a/apparmor.d/profiles-m-r/obex-folder-listing +++ b/apparmor.d/profiles-m-r/obex-folder-listing @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/obex-folder-listing +@{exec_path} = @{bin}/obex-folder-listing profile obex-folder-listing @{exec_path} { include include diff --git a/apparmor.d/profiles-m-r/obexautofs b/apparmor.d/profiles-m-r/obexautofs index 216b973f..acdc741d 100644 --- a/apparmor.d/profiles-m-r/obexautofs +++ b/apparmor.d/profiles-m-r/obexautofs @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/obexautofs +@{exec_path} = @{bin}/obexautofs profile obexautofs @{exec_path} { include @@ -17,7 +17,7 @@ profile obexautofs @{exec_path} { @{exec_path} mr, - /{usr/,}bin/fusermount{,3} rCx -> fusermount, + @{bin}/fusermount{,3} rCx -> fusermount, owner @{HOME}/*/ r, owner @{HOME}/*/*/ r, 
@@ -47,7 +47,7 @@ profile obexautofs @{exec_path} { # To mount anything: capability sys_admin, - /{usr/,}bin/fusermount{,3} mr, + @{bin}/fusermount{,3} mr, /etc/fuse.conf r, diff --git a/apparmor.d/profiles-m-r/obexctl b/apparmor.d/profiles-m-r/obexctl index 79e2175f..d1bb34f2 100644 --- a/apparmor.d/profiles-m-r/obexctl +++ b/apparmor.d/profiles-m-r/obexctl @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/obexctl +@{exec_path} = @{bin}/obexctl profile obexctl @{exec_path} { include diff --git a/apparmor.d/profiles-m-r/obexd b/apparmor.d/profiles-m-r/obexd index 60764ea2..fdbd0e7e 100644 --- a/apparmor.d/profiles-m-r/obexd +++ b/apparmor.d/profiles-m-r/obexd @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{libexec}/bluetooth/obexd +@{exec_path} = @{lib}/bluetooth/obexd profile obexd @{exec_path} { include include diff --git a/apparmor.d/profiles-m-r/obexfs b/apparmor.d/profiles-m-r/obexfs index 043c36eb..0b3fc2a3 100644 --- a/apparmor.d/profiles-m-r/obexfs +++ b/apparmor.d/profiles-m-r/obexfs @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/obexfs +@{exec_path} = @{bin}/obexfs profile obexfs @{exec_path} { include @@ -16,7 +16,7 @@ profile obexfs @{exec_path} { @{exec_path} mr, - /{usr/,}bin/fusermount{,3} rCx -> fusermount, + @{bin}/fusermount{,3} rCx -> fusermount, owner @{HOME}/*/ r, owner @{HOME}/*/*/ r, @@ -36,7 +36,7 @@ profile obexfs @{exec_path} { network bluetooth stream, - /{usr/,}bin/fusermount{,3} mr, + @{bin}/fusermount{,3} mr, /etc/fuse.conf r, diff --git a/apparmor.d/profiles-m-r/obexpush-atd b/apparmor.d/profiles-m-r/obexpush-atd index 92a778fa..61ab49a4 100644 --- a/apparmor.d/profiles-m-r/obexpush-atd +++ b/apparmor.d/profiles-m-r/obexpush-atd @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/obexpush_atd +@{exec_path} = @{bin}/obexpush_atd profile obexpush-atd @{exec_path} { include diff --git a/apparmor.d/profiles-m-r/obexpushd b/apparmor.d/profiles-m-r/obexpushd index 19ac7a10..84492d20 100644 
--- a/apparmor.d/profiles-m-r/obexpushd +++ b/apparmor.d/profiles-m-r/obexpushd @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/obexpushd +@{exec_path} = @{bin}/obexpushd profile obexpushd @{exec_path} { include diff --git a/apparmor.d/profiles-m-r/obxprop b/apparmor.d/profiles-m-r/obxprop index efe0e8ab..6fe179fe 100644 --- a/apparmor.d/profiles-m-r/obxprop +++ b/apparmor.d/profiles-m-r/obxprop @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/obxprop +@{exec_path} = @{bin}/obxprop profile obxprop @{exec_path} { include diff --git a/apparmor.d/profiles-m-r/on-ac-power b/apparmor.d/profiles-m-r/on-ac-power index 634af9fb..1e6d0b82 100644 --- a/apparmor.d/profiles-m-r/on-ac-power +++ b/apparmor.d/profiles-m-r/on-ac-power @@ -6,15 +6,15 @@ abi , include -@{exec_path} = /{usr/,}{s,}bin/on_ac_power +@{exec_path} = @{bin}/on_ac_power profile on-ac-power @{exec_path} { include @{exec_path} r, - /{usr/,}bin/{,ba,da}sh rix, + @{bin}/{,ba,da}sh rix, - /{usr/,}bin/{m,g,}awk rix, - /{usr/,}bin/cat rix, + @{bin}/{m,g,}awk rix, + @{bin}/cat rix, @{sys}/class/power_supply/ r, @{sys}/devices/**/power_supply/**/{online,type} r, diff --git a/apparmor.d/profiles-m-r/onefetch b/apparmor.d/profiles-m-r/onefetch index 5629b090..8ee2b1cc 100644 --- a/apparmor.d/profiles-m-r/onefetch +++ b/apparmor.d/profiles-m-r/onefetch @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/onefetch +@{exec_path} = @{bin}/onefetch profile onefetch @{exec_path} { include include @@ -14,7 +14,7 @@ profile onefetch @{exec_path} { @{exec_path} mr, - /{usr/,}bin/git rPx, + @{bin}/git rPx, owner @{user_config_dirs}/git/{,**} r, owner @{user_projects_dirs}/{,**} r, diff --git a/apparmor.d/profiles-m-r/openbox b/apparmor.d/profiles-m-r/openbox index f20a8e3d..103fe7fa 100644 --- a/apparmor.d/profiles-m-r/openbox +++ b/apparmor.d/profiles-m-r/openbox 
@@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/openbox +@{exec_path} = @{bin}/openbox profile openbox @{exec_path} { include include @@ -18,14 +18,13 @@ profile openbox @{exec_path} { @{exec_path} mr, - /{usr/,}lib/@{multiarch}/openbox-autostart rCx -> autostart, + @{lib}/@{multiarch}/openbox-autostart rCx -> autostart, # Apps allowed to run - /{usr/,}sbin/* rPUx, - /{usr/,}bin/* rPUx, - /usr/local/bin/* rPUx, - @{libexec}/* rPUx, - /{usr/,}lib/@{multiarch}/*/** rPUx, + @{bin}/* rPUx, + @{lib}/@{multiarch}/*/** rPUx, + @{lib}/* rPUx, + /usr/local/bin/* rPUx, /usr/share/themes/*/openbox-3/themerc r, @@ -54,18 +53,17 @@ profile openbox @{exec_path} { profile autostart { include - /{usr/,}lib/@{multiarch}/openbox-autostart mr, - /{usr/,}lib/@{multiarch}/openbox-xdg-autostart rix, + @{lib}/@{multiarch}/openbox-autostart mr, + @{lib}/@{multiarch}/openbox-xdg-autostart rix, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/which{,.debianutils} rix, + @{bin}/{,ba,da}sh rix, + @{bin}/which{,.debianutils} rix, # Apps allowed to run - /{usr/,}sbin/* rPUx, - /{usr/,}bin/* rPUx, - /usr/local/bin/* rPUx, - @{libexec}/* rPUx, - /{usr/,}lib/@{multiarch}/*/** rPUx, + @{bin}/* rPUx, + /usr/local/bin/* rPUx, + @{lib}/* rPUx, + @{lib}/@{multiarch}/*/** rPUx, /usr/local/lib/python*/dist-packages/ r, @@ -76,7 +74,7 @@ profile openbox @{exec_path} { /etc/xdg/autostart/{,*} r, # Silencer - deny /{usr/,}lib/python3/** w, + deny @{lib}/python3/** w, deny owner @{HOME}/.local/lib/python*/site-packages/ r, # file_inherit diff --git a/apparmor.d/profiles-m-r/openbox-session b/apparmor.d/profiles-m-r/openbox-session index 3c2de698..e7d302ed 100644 --- a/apparmor.d/profiles-m-r/openbox-session +++ b/apparmor.d/profiles-m-r/openbox-session 
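Review bot: `@{lib}/* rPUx,` replaces `@{libexec}/* rPUx,` in both the main openbox profile and its `autostart` subprofile; if `@{lib}` expands to the whole lib hierarchy rather than only the libexec directory, this widens the set of binaries openbox may launch unconfined, which matters more here than elsewhere in the commit because the rule is a wildcard with a `U` fallback. If the wider match is intended, a comment like `# @{lib}/*: libexec helpers on distros that merge libexec into lib` would record why. The two "Apps allowed to run" lists are also ordered differently (`@{lib}/* rPUx,` precedes `/usr/local/bin/* rPUx,` in the main profile but follows it in `autostart`); a single order would make the blocks easier to compare. The same libexec-to-`@{lib}` substitution appears in nemo (`gvfsd-*`), obexd and packagekitd, where the effect is bounded because those targets are `rPx` rules or the profile's own attachment path.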
@@ -6,15 +6,15 @@ abi , include -@{exec_path} = /{usr/,}bin/openbox-session +@{exec_path} = @{bin}/openbox-session profile openbox-session @{exec_path} { include @{exec_path} r, - /{usr/,}bin/{,ba,da}sh rix, + @{bin}/{,ba,da}sh rix, - /{usr/,}bin/xprop rPx, - /{usr/,}bin/openbox rPx, + @{bin}/xprop rPx, + @{bin}/openbox rPx, /etc/xdg/openbox/environment r, owner @{user_config_dirs}/openbox/environment r, diff --git a/apparmor.d/profiles-m-r/orage b/apparmor.d/profiles-m-r/orage index e4c1caec..19576ce6 100644 --- a/apparmor.d/profiles-m-r/orage +++ b/apparmor.d/profiles-m-r/orage @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/orage +@{exec_path} = @{bin}/orage profile orage @{exec_path} { include include @@ -18,11 +18,11 @@ profile orage @{exec_path} { @{exec_path} mr, - /{usr/,}bin/globaltime rPx, + @{bin}/globaltime rPx, - /{usr/,}bin/xdg-open rCx -> open, - /{usr/,}bin/exo-open rCx -> open, - /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop rCx -> open, + @{bin}/xdg-open rCx -> open, + @{bin}/exo-open rCx -> open, + @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rCx -> open, owner @{user_config_dirs}/orage/ rw, owner @{user_config_dirs}/orage/* rw, @@ -37,7 +37,7 @@ profile orage @{exec_path} { /etc/fstab r, # Allowed apps to open - /{usr/,}lib/firefox/firefox rPUx, + @{lib}/firefox/firefox rPUx, # file_inherit owner /dev/tty[0-9]* rw, @@ -47,19 +47,19 @@ profile orage @{exec_path} { include include - /{usr/,}bin/xdg-open mr, + @{bin}/xdg-open mr, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/{m,g,}awk rix, - /{usr/,}bin/readlink rix, - /{usr/,}bin/basename rix, + @{bin}/{,ba,da}sh rix, + @{bin}/{m,g,}awk rix, + @{bin}/readlink rix, + @{bin}/basename rix, owner @{HOME}/ r, owner @{run}/user/@{uid}/ r, # Allowed apps to open - /{usr/,}lib/firefox/firefox rPUx, + @{lib}/firefox/firefox rPUx, # file_inherit owner @{HOME}/.xsession-errors w, 
diff --git a/apparmor.d/profiles-m-r/os-prober b/apparmor.d/profiles-m-r/os-prober index 47cedbe0..a8627231 100644 --- a/apparmor.d/profiles-m-r/os-prober +++ b/apparmor.d/profiles-m-r/os-prober @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/os-prober +@{exec_path} = @{bin}/os-prober profile os-prober @{exec_path} flags=(attach_disconnected) { include include @@ -18,32 +18,32 @@ profile os-prober @{exec_path} flags=(attach_disconnected) { @{exec_path} mrix, - /{usr/,}{s,}bin/blkid rPx, - /{usr/,}{s,}bin/dmraid rPUx, - /{usr/,}{s,}bin/lvm rPx, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/{e,f,}grep rix, - /{usr/,}bin/cut rix, - /{usr/,}bin/find rix, - /{usr/,}bin/grub-mount rPx, - /{usr/,}bin/grub-probe rPx, - /{usr/,}bin/head rix, - /{usr/,}bin/kmod rPx, - /{usr/,}bin/logger rix, - /{usr/,}bin/ls rix, - /{usr/,}bin/lsblk rPx, - /{usr/,}bin/mkdir rix, - /{usr/,}bin/mktemp rix, - /{usr/,}bin/readlink rix, - /{usr/,}bin/rm rix, - /{usr/,}bin/rmdir rix, - /{usr/,}bin/sed rix, - /{usr/,}bin/udevadm rPx, - /{usr/,}bin/umount rix, - /{usr/,}bin/uname rix, - /{usr/,}lib/newns rix, - /{usr/,}lib/os-prober/* rix, - /{usr/,}lib/os-probes/{,**} rix, + @{bin}/{,ba,da}sh rix, + @{bin}/{e,f,}grep rix, + @{bin}/blkid rPx, + @{bin}/cut rix, + @{bin}/dmraid rPUx, + @{bin}/find rix, + @{bin}/grub-mount rPx, + @{bin}/grub-probe rPx, + @{bin}/head rix, + @{bin}/kmod rPx, + @{bin}/logger rix, + @{bin}/ls rix, + @{bin}/lsblk rPx, + @{bin}/lvm rPx, + @{bin}/mkdir rix, + @{bin}/mktemp rix, + @{bin}/readlink rix, + @{bin}/rm rix, + @{bin}/rmdir rix, + @{bin}/sed rix, + @{bin}/udevadm rPx, + @{bin}/umount rix, + @{bin}/uname rix, + @{lib}/newns rix, + @{lib}/os-prober/* rix, + @{lib}/os-probes/{,**} rix, /usr/share/os-prober/common.sh r, /usr/share/terminfo/x/xterm-256color r, diff --git a/apparmor.d/profiles-m-r/packagekitd b/apparmor.d/profiles-m-r/packagekitd index 5469efe8..e72e96fa 100644 --- a/apparmor.d/profiles-m-r/packagekitd +++ b/apparmor.d/profiles-m-r/packagekitd 
@@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{libexec}/packagekitd +@{exec_path} = @{lib}/packagekitd profile packagekitd @{exec_path} flags=(attach_disconnected) { include include @@ -82,32 +82,32 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - /{usr/,}bin/gpg{,2} rCx -> gpg, - /{usr/,}bin/gpgconf rCx -> gpg, - /{usr/,}bin/gpgsm rCx -> gpg, + @{bin}/gpg{,2} rCx -> gpg, + @{bin}/gpgconf rCx -> gpg, + @{bin}/gpgsm rCx -> gpg, - /{usr/,}{s,}bin/ldconfig rix, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/cp rix, - /{usr/,}bin/echo rix, - /{usr/,}bin/gdbus rix, - /{usr/,}bin/gzip rix, - /{usr/,}bin/ischroot rix, - /{usr/,}bin/repo2solv rix, - /{usr/,}bin/tar rix, - /{usr/,}bin/test rix, - /{usr/,}bin/touch rix, + @{bin}/{,ba,da}sh rix, + @{bin}/cp rix, + @{bin}/echo rix, + @{bin}/gdbus rix, + @{bin}/gzip rix, + @{bin}/ischroot rix, + @{bin}/ldconfig rix, + @{bin}/repo2solv rix, + @{bin}/tar rix, + @{bin}/test rix, + @{bin}/touch rix, - /{usr/,}bin/appstreamcli rPx, - /{usr/,}bin/arch-audit rPx, - /{usr/,}bin/dpkg rPx -> child-dpkg, - /{usr/,}bin/glib-compile-schemas rPx, - /{usr/,}bin/systemd-inhibit rPx, - /{usr/,}bin/update-desktop-database rPx, - /{usr/,}lib/apt/methods/* rPx, - /{usr/,}lib/cnf-update-db rPx, - /{usr/,}lib/update-notifier/update-motd-updates-available rPx, - /{usr/,}lib/zypp/plugins/appdata/InstallAppdata rPUx, # TODO: write the profile + @{bin}/appstreamcli rPx, + @{bin}/arch-audit rPx, + @{bin}/dpkg rPx -> child-dpkg, + @{bin}/glib-compile-schemas rPx, + @{bin}/systemd-inhibit rPx, + @{bin}/update-desktop-database rPx, + @{lib}/apt/methods/* rPx, + @{lib}/cnf-update-db rPx, + @{lib}/update-notifier/update-motd-updates-available rPx, + @{lib}/zypp/plugins/appdata/InstallAppdata rPUx, # TODO: write the profile /usr/share/libalpm/scripts/* rPx, # Install/update packages 
@@ -146,12 +146,12 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) { capability dac_read_search, - /{usr/,}bin/gpg{,2} mr, - /{usr/,}bin/gpgconf mr, - /{usr/,}bin/gpgsm mr, + @{bin}/gpg{,2} mr, + @{bin}/gpgconf mr, + @{bin}/gpgsm mr, - /{usr/,}bin/gpg-agent rix, - /{usr/,}bin/scdaemon rix, + @{bin}/gpg-agent rix, + @{bin}/scdaemon rix, /etc/gcrypt/hwf.deny r, diff --git a/apparmor.d/profiles-m-r/pacmd b/apparmor.d/profiles-m-r/pacmd index ca421551..2ad16ae8 100644 --- a/apparmor.d/profiles-m-r/pacmd +++ b/apparmor.d/profiles-m-r/pacmd @@ -7,7 +7,7 @@ abi , include -@{exec_path} = /{usr/,}bin/pacmd +@{exec_path} = @{bin}/pacmd profile pacmd @{exec_path} { include include diff --git a/apparmor.d/profiles-m-r/pactl b/apparmor.d/profiles-m-r/pactl index 4a50de12..a3861a8f 100644 --- a/apparmor.d/profiles-m-r/pactl +++ b/apparmor.d/profiles-m-r/pactl @@ -7,7 +7,7 @@ abi , include -@{exec_path} = /{usr/,}bin/pactl +@{exec_path} = @{bin}/pactl profile pactl @{exec_path} { include include diff --git a/apparmor.d/profiles-m-r/pagesize b/apparmor.d/profiles-m-r/pagesize index e0afa358..f21f565b 100644 --- a/apparmor.d/profiles-m-r/pagesize +++ b/apparmor.d/profiles-m-r/pagesize @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/pagesize +@{exec_path} = @{bin}/pagesize profile pagesize @{exec_path} { include diff --git a/apparmor.d/profiles-m-r/pam-auth-update b/apparmor.d/profiles-m-r/pam-auth-update index 345341b5..5c7fb4b0 100644 --- a/apparmor.d/profiles-m-r/pam-auth-update +++ b/apparmor.d/profiles-m-r/pam-auth-update @@ -6,17 +6,17 @@ abi , include -@{exec_path} = /{usr/,}{s,}bin/pam-auth-update +@{exec_path} = @{bin}/pam-auth-update profile pam-auth-update @{exec_path} flags=(complain) { include include include @{exec_path} mr, - /{usr/,}bin/perl r, + @{bin}/perl r, - /{usr/,}bin/md5sum rix, - /{usr/,}bin/cp rix, + @{bin}/md5sum rix, + @{bin}/cp rix, # Think what to do about this (#FIXME#) /usr/share/debconf/frontend rPx, 
@@ -34,13 +34,13 @@ profile pam-auth-update @{exec_path} flags=(complain) { include /usr/share/debconf/frontend r, - /{usr/,}bin/perl r, + @{bin}/perl r, - /{usr/,}{s,}bin/pam-auth-update rPx, + @{bin}/pam-auth-update rPx, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/stty rix, - /{usr/,}bin/locale rix, + @{bin}/{,ba,da}sh rix, + @{bin}/stty rix, + @{bin}/locale rix, /etc/debconf.conf r, owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk, @@ -52,8 +52,8 @@ profile pam-auth-update @{exec_path} flags=(complain) { include include capability dac_read_search, - /{usr/,}bin/lsb_release rPx -> lsb_release, - /{usr/,}bin/hostname rix, + @{bin}/lsb_release rPx -> lsb_release, + @{bin}/hostname rix, owner @{PROC}/@{pid}/mounts r, @{HOME}/.Xauthority r, diff --git a/apparmor.d/profiles-m-r/pam/mappings b/apparmor.d/profiles-m-r/pam/mappings index 2ee5617d..ee9eb17c 100644 --- a/apparmor.d/profiles-m-r/pam/mappings +++ b/apparmor.d/profiles-m-r/pam/mappings @@ -21,8 +21,8 @@ /etc/default/su r, @{etc_ro}/environment r, @{HOMEDIRS}/.xauth* w, - /{usr/,}bin/{,b,d,rb}ash Px -> default_user, - /{usr/,}bin/{c,k,tc,z}sh Px -> default_user, + @{bin}/{,b,d,rb}ash Px -> default_user, + @{bin}/{c,k,tc,z}sh Px -> default_user, } # USER is a confined user. The hat contains only the permissions necessary @@ -37,8 +37,8 @@ capability setgid, capability setuid, - /{usr/,}bin/{,b,d,rb}ash Px -> confined_user, - /{usr/,}bin/{c,k,tc,z}sh Px -> confined_user, + @{bin}/{,b,d,rb}ash Px -> confined_user, + @{bin}/{c,k,tc,z}sh Px -> confined_user, /etc/default/su r, @{etc_ro}/environment r, @@ -59,8 +59,8 @@ capability setgid, capability setuid, - /{usr/,}bin/{,b,d,rb}ash Ux, - /{usr/,}bin/{c,k,tc,z}sh Ux, + @{bin}/{,b,d,rb}ash Ux, + @{bin}/{c,k,tc,z}sh Ux, /etc/default/su r, @{etc_ro}/environment r, diff --git a/apparmor.d/profiles-m-r/pam_roles b/apparmor.d/profiles-m-r/pam_roles index e3956eb4..de1e3c86 100644 --- a/apparmor.d/profiles-m-r/pam_roles 
+++ b/apparmor.d/profiles-m-r/pam_roles @@ -23,7 +23,7 @@ profile default_user flags=(complain) { deny capability sys_ptrace, - /{usr/,}bin/** Pixmr, + @{bin}/** Pixmr, owner /** rkl, @{PROC}/** r, @@ -43,7 +43,7 @@ profile confined_user flags=(complain) { deny capability sys_ptrace, - /{usr/,}bin/** Pixmr, + @{bin}/** Pixmr, owner @{HOMEDIRS}/bin/** ixmr, owner @{user_bin_dirs}/** ixmr, diff --git a/apparmor.d/profiles-m-r/parted b/apparmor.d/profiles-m-r/parted index 5ee1a859..3ac9ee4c 100644 --- a/apparmor.d/profiles-m-r/parted +++ b/apparmor.d/profiles-m-r/parted @@ -7,7 +7,7 @@ abi , include -@{exec_path} = /{usr/,}{s,}bin/parted +@{exec_path} = @{bin}/parted profile parted @{exec_path} { include include @@ -28,11 +28,11 @@ profile parted @{exec_path} { @{exec_path} mr, - /{usr/,}bin/{,ba,da}sh rix, + @{bin}/{,ba,da}sh rix, - /{usr/,}bin/udevadm rCx -> udevadm, + @{bin}/udevadm rCx -> udevadm, - /{usr/,}{s,}bin/dmidecode rPx, + @{bin}/dmidecode rPx, /etc/inputrc r, @@ -51,7 +51,7 @@ profile parted @{exec_path} { ptrace (read), - /{usr/,}bin/udevadm mr, + @{bin}/udevadm mr, /etc/udev/udev.conf r, diff --git a/apparmor.d/profiles-m-r/partprobe b/apparmor.d/profiles-m-r/partprobe index 5f101741..5eb1553f 100644 --- a/apparmor.d/profiles-m-r/partprobe +++ b/apparmor.d/profiles-m-r/partprobe @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}{s,}bin/partprobe +@{exec_path} = @{bin}/partprobe profile partprobe @{exec_path} { include include @@ -26,11 +26,11 @@ profile partprobe @{exec_path} { @{exec_path} mr, - /{usr/,}bin/{,ba,da}sh rix, + @{bin}/{,ba,da}sh rix, - /{usr/,}bin/udevadm rCx -> udevadm, + @{bin}/udevadm rCx -> udevadm, - /{usr/,}{s,}bin/dmidecode rPx, + @{bin}/dmidecode rPx, owner @{PROC}/@{pid}/mounts r, @{PROC}/swaps r, @@ -45,7 +45,7 @@ profile partprobe @{exec_path} { ptrace (read), - /{usr/,}bin/udevadm mr, + @{bin}/udevadm mr, /etc/udev/udev.conf r, 
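Review bot: `@{bin}/** Pixmr` in the default_user and confined_user profiles is the one place in this series where swapping `/{usr/,}bin/` for `@{bin}` is more than a rename: if `@{bin}` also expands to the sbin directories (the replacement of `/{usr/,}{s,}bin/...` by `@{bin}/...` elsewhere in this commit suggests so, but the tunable's definition is not in the diff), these role profiles now permit execution of anything under sbin, and the `ix` fallback of `Pix` runs any such tool that has no profile of its own inside the role. If that widening is intended, record it with a comment above the rule such as `# @{bin} covers sbin too; administrative tools without their own profile inherit this role`; if it is not, keep `/{usr/,}bin/** Pixmr,` in this file.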
diff --git a/apparmor.d/profiles-m-r/pass b/apparmor.d/profiles-m-r/pass
index 73619e9c..c55151b1 100644
--- a/apparmor.d/profiles-m-r/pass
+++ b/apparmor.d/profiles-m-r/pass
@@ -6,53 +6,53 @@ abi , include -@{exec_path} = /{usr/,}bin/pass +@{exec_path} = @{bin}/pass profile pass @{exec_path} { include include @{exec_path} mr, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/base64 rix, - /{usr/,}bin/cat rix, - /{usr/,}bin/cp rix, - /{usr/,}bin/diff rix, - /{usr/,}bin/dirname rix, - /{usr/,}bin/env rix, - /{usr/,}bin/find rix, - /{usr/,}bin/getopt rix, - /{usr/,}bin/grep rix, - /{usr/,}bin/head rix, - /{usr/,}bin/mkdir rix, - /{usr/,}bin/mktemp rix, - /{usr/,}bin/mv rix, - /{usr/,}bin/pkill rix, - /{usr/,}bin/rm rix, - /{usr/,}bin/rmdir rix, - /{usr/,}bin/sed rix, - /{usr/,}bin/shred rix, - /{usr/,}bin/sleep rix, - /{usr/,}bin/sort rix, - /{usr/,}bin/tail rix, - /{usr/,}bin/touch rix, - /{usr/,}bin/tr rix, - /{usr/,}bin/tree rix, - /{usr/,}bin/tty rix, - /{usr/,}bin/which rix, + @{bin}/{,ba,da}sh rix, + @{bin}/base64 rix, + @{bin}/cat rix, + @{bin}/cp rix, + @{bin}/diff rix, + @{bin}/dirname rix, + @{bin}/env rix, + @{bin}/find rix, + @{bin}/getopt rix, + @{bin}/grep rix, + @{bin}/head rix, + @{bin}/mkdir rix, + @{bin}/mktemp rix, + @{bin}/mv rix, + @{bin}/pkill rix, + @{bin}/rm rix, + @{bin}/rmdir rix, + @{bin}/sed rix, + @{bin}/shred rix, + @{bin}/sleep rix, + @{bin}/sort rix, + @{bin}/tail rix, + @{bin}/touch rix, + @{bin}/tr rix, + @{bin}/tree rix, + @{bin}/tty rix, + @{bin}/which rix, - /{usr/,}bin/git rCx -> git, - /{usr/,}bin/gpg{2,} rCx -> gpg, - /{usr/,}bin/qdbus rCx -> qdbus, - /{usr/,}bin/vim{,.*} rCx -> editor, - /{usr/,}bin/wl-{copy,paste} rPx, - /{usr/,}bin/xclip rPx, + @{bin}/git rCx -> git, + @{bin}/gpg{2,} rCx -> gpg, + @{bin}/qdbus rCx -> qdbus, + @{bin}/vim{,.*} rCx -> editor, + @{bin}/wl-{copy,paste} rPx, + @{bin}/xclip rPx, # Pass extensions - /{usr/,}bin/oathtool rix, # pass-otp - /{usr/,}bin/python3.[0-9]* rPx -> pass-import, # pass-import - /{usr/,}bin/qrencode rPUx, # pass-otp - /{usr/,}bin/tomb rPUx, # pass-tomb + @{bin}/oathtool rix, # pass-otp + @{bin}/python3.[0-9]* rPx -> pass-import, # pass-import + 
@{bin}/qrencode rPUx, # pass-otp + @{bin}/tomb rPUx, # pass-tomb /usr/share/terminfo/x/xterm-256color r, @@ -70,7 +70,7 @@ profile pass @{exec_path} { include include - /{usr/,}bin/vim{,.*} mrix, + @{bin}/vim{,.*} mrix, /etc/vim/{,**} r, /etc/vimrc r, @@ -105,14 +105,14 @@ profile pass @{exec_path} { network inet6 stream, network netlink raw, - /{usr/,}bin/git* mrix, - @{libexec}/git-core/git* mrix, + @{bin}/git* mrix, + @{lib}/git-core/git* mrix, - /{usr/,}bin/pager rPx -> child-pager, - /{usr/,}bin/less rPx -> child-pager, - /{usr/,}bin/more rPx -> child-pager, + @{bin}/pager rPx -> child-pager, + @{bin}/less rPx -> child-pager, + @{bin}/more rPx -> child-pager, - /{usr/,}bin/gpg{2,} rPx -> pass//gpg, + @{bin}/gpg{2,} rPx -> pass//gpg, /usr/share/git-core/{,**} r, @@ -133,7 +133,7 @@ profile pass @{exec_path} { capability dac_read_search, - /{usr/,}bin/gpg{,2} mr, + @{bin}/gpg{,2} mr, owner @{HOME}/@{XDG_GPG_DIR}/ rw, owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**, @@ -147,7 +147,7 @@ profile pass @{exec_path} { profile qdbus { include - /{usr/,}bin/qdbus mr, + @{bin}/qdbus mr, include if exists } diff --git a/apparmor.d/profiles-m-r/pass-import b/apparmor.d/profiles-m-r/pass-import index b7cd5722..d8274428 100644 --- a/apparmor.d/profiles-m-r/pass-import +++ b/apparmor.d/profiles-m-r/pass-import @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/pimport +@{exec_path} = @{bin}/pimport profile pass-import @{exec_path} { include include 
@@ -20,15 +20,15 @@ profile pass-import @{exec_path} { @{exec_path} mr, - /{usr/,}bin/ r, - /{usr/,}bin/pass rPx, - /{usr/,}{s,}bin/ldconfig rix, - /{usr/,}bin/gcc rix, # TODO: Test deny - /{usr/,}bin/ld rix, - /{usr/,}bin/python3.[0-9]* rix, - /{usr/,}lib/gcc/**/collect2 rix, + @{bin}/ r, + @{bin}/gcc rix, # TODO: Test deny + @{bin}/ld rix, + @{bin}/ldconfig rix, + @{bin}/pass rPx, + @{bin}/python3.[0-9]* rix, + @{lib}/gcc/**/collect2 rix, - /{usr/,}lib/python{2.[4-7],3,3.[0-9]*}/** w, # TODO: Test deny + @{lib}/python{2.[4-7],3,3.[0-9]*}/** w, # TODO: Test deny /usr/share/file/misc/magic.mgc r, diff --git a/apparmor.d/profiles-m-r/passwd b/apparmor.d/profiles-m-r/passwd index ddf0118e..497cecf6 100644 --- a/apparmor.d/profiles-m-r/passwd +++ b/apparmor.d/profiles-m-r/passwd @@ -7,7 +7,7 @@ abi , include -@{exec_path} = /{usr/,}bin/passwd +@{exec_path} = @{bin}/passwd profile passwd @{exec_path} { include include diff --git a/apparmor.d/profiles-m-r/pavucontrol b/apparmor.d/profiles-m-r/pavucontrol index 1b2c8954..2f86ca01 100644 --- a/apparmor.d/profiles-m-r/pavucontrol +++ b/apparmor.d/profiles-m-r/pavucontrol @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/pavucontrol +@{exec_path} = @{bin}/pavucontrol profile pavucontrol @{exec_path} { include include diff --git a/apparmor.d/profiles-m-r/pcb-gtk b/apparmor.d/profiles-m-r/pcb-gtk index 133bb776..92745795 100644 --- a/apparmor.d/profiles-m-r/pcb-gtk +++ b/apparmor.d/profiles-m-r/pcb-gtk @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/pcb-gtk +@{exec_path} = @{bin}/pcb-gtk profile pcb-gtk @{exec_path} { include include @@ -23,9 +23,9 @@ profile pcb-gtk @{exec_path} { /usr/share/pcb/ListLibraryContents.sh rix, - /{usr/,}bin/dash rix, - /{usr/,}bin/cat rix, - /{usr/,}bin/tr rix, + @{bin}/dash rix, + @{bin}/cat rix, + @{bin}/tr rix, /usr/share/pcb/ r, /usr/share/pcb/** r, diff --git a/apparmor.d/profiles-m-r/pcscd b/apparmor.d/profiles-m-r/pcscd index 8a2a7dc4..7cb27aa3 100644 
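Review bot: `@{lib}/python{2.[4-7],3,3.[0-9]*}/** w, # TODO: Test deny` carries a write rule over the whole system Python module tree through the refactor, and if `@{lib}` expands to more than `/{usr/,}lib` (the commit's rewrite of `@{libexec}/packagekitd` to `@{lib}/packagekitd` suggests it covers at least libexec) the rule now spans more directories than it did. Write access to the interpreter's module tree lets a confined pimport run alter code that every other profile allowing `@{bin}/python3.[0-9]*` will later execute, so this is the rule to resolve rather than rewrite; `@{bin}/gcc rix, # TODO: Test deny` carries the same open TODO. Suggest trying the deny the TODO asks for, `deny @{lib}/python{2.[4-7],3,3.[0-9]*}/** w,`, or narrowing the rule to the `__pycache__` directories if byte-code caching turns out to be the only write pimport needs — that is a guess from the `w` mode and should be confirmed against audit logs.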
--- a/apparmor.d/profiles-m-r/pcscd +++ b/apparmor.d/profiles-m-r/pcscd @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}{s,}bin/pcscd +@{exec_path} = @{bin}/pcscd profile pcscd @{exec_path} { include include diff --git a/apparmor.d/profiles-m-r/picom b/apparmor.d/profiles-m-r/picom index de3be988..a1d8da4f 100644 --- a/apparmor.d/profiles-m-r/picom +++ b/apparmor.d/profiles-m-r/picom @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/picom{,-trans} +@{exec_path} = @{bin}/picom{,-trans} profile picom @{exec_path} { include include @@ -15,10 +15,10 @@ profile picom @{exec_path} { @{exec_path} mr, - /{usr/,}bin/sed rix, - /{usr/,}bin/xargs rix, - /{usr/,}bin/{,e}grep rix, - /{usr/,}bin/echo rix, + @{bin}/sed rix, + @{bin}/xargs rix, + @{bin}/{,e}grep rix, + @{bin}/echo rix, # For migrating from compton. owner @{user_config_dirs}/compton.conf r, diff --git a/apparmor.d/profiles-m-r/pidof b/apparmor.d/profiles-m-r/pidof index 8c47f645..f0e7ca4a 100644 --- a/apparmor.d/profiles-m-r/pidof +++ b/apparmor.d/profiles-m-r/pidof @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/pidof +@{exec_path} = @{bin}/pidof profile pidof @{exec_path} { include diff --git a/apparmor.d/profiles-m-r/pinentry b/apparmor.d/profiles-m-r/pinentry index 4c904ce0..0daa2c35 100644 --- a/apparmor.d/profiles-m-r/pinentry +++ b/apparmor.d/profiles-m-r/pinentry @@ -6,15 +6,15 @@ abi , include -@{exec_path} = /{usr/,}bin/pinentry +@{exec_path} = @{bin}/pinentry profile pinentry @{exec_path} { include include @{exec_path} mr, - /{usr/,}bin/pinentry-* rPx, - /{usr/,}bin/{,ba,da}sh rix, + @{bin}/pinentry-* rPx, + @{bin}/{,ba,da}sh rix, /etc/pinentry/preexec r, diff --git a/apparmor.d/profiles-m-r/pinentry-curses b/apparmor.d/profiles-m-r/pinentry-curses index ba6390b1..491b097f 100644 --- a/apparmor.d/profiles-m-r/pinentry-curses +++ b/apparmor.d/profiles-m-r/pinentry-curses 
@@ -6,14 +6,14 @@ abi , include -@{exec_path} = /{usr/,}bin/pinentry-curses +@{exec_path} = @{bin}/pinentry-curses profile pinentry-curses @{exec_path} { include include @{exec_path} mr, - /{usr/,}bin/{,ba,da}sh rix, + @{bin}/{,ba,da}sh rix, /usr/share/terminfo/x/xterm-256color r, diff --git a/apparmor.d/profiles-m-r/pinentry-gnome3 b/apparmor.d/profiles-m-r/pinentry-gnome3 index 73e5fc5f..04c77139 100644 --- a/apparmor.d/profiles-m-r/pinentry-gnome3 +++ b/apparmor.d/profiles-m-r/pinentry-gnome3 @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/pinentry-gnome3 +@{exec_path} = @{bin}/pinentry-gnome3 profile pinentry-gnome3 @{exec_path} { include diff --git a/apparmor.d/profiles-m-r/pinentry-gtk-2 b/apparmor.d/profiles-m-r/pinentry-gtk-2 index b186e20f..6218e9aa 100644 --- a/apparmor.d/profiles-m-r/pinentry-gtk-2 +++ b/apparmor.d/profiles-m-r/pinentry-gtk-2 @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/pinentry-gtk-2 +@{exec_path} = @{bin}/pinentry-gtk-2 profile pinentry-gtk-2 @{exec_path} { include include diff --git a/apparmor.d/profiles-m-r/pinentry-kwallet b/apparmor.d/profiles-m-r/pinentry-kwallet index 90a6762d..6bac4dc7 100644 --- a/apparmor.d/profiles-m-r/pinentry-kwallet +++ b/apparmor.d/profiles-m-r/pinentry-kwallet @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/pinentry-kwallet +@{exec_path} = @{bin}/pinentry-kwallet profile pinentry-kwallet @{exec_path} { include include @@ -16,16 +16,16 @@ profile pinentry-kwallet @{exec_path} { @{exec_path} mr, - /{usr/,}bin/pinentry-* rPx, + @{bin}/pinentry-* rPx, - /{usr/,}bin/kwalletcli_getpin rix, - /{usr/,}bin/kwalletcli rCx -> kwalletcli, + @{bin}/kwalletcli_getpin rix, + @{bin}/kwalletcli rCx -> kwalletcli, # when wrong PIN is provided - /{usr/,}bin/date rix, + @{bin}/date rix, - /{usr/,}bin/mksh rix, - /{usr/,}bin/env rix, + @{bin}/mksh rix, + @{bin}/env rix, owner @{HOME}/.Xauthority r, 
@@ -35,12 +35,12 @@ profile pinentry-kwallet @{exec_path} { profile kwalletcli { include - /{usr/,}bin/kwalletcli mr, + @{bin}/kwalletcli mr, owner @{user_config_dirs}/kdeglobals r, owner @{user_config_dirs}/kwalletrc r, - /{usr/,}lib/@{multiarch}/qt5/plugins/kf5/org.kde.kwindowsystem.platforms/KF5WindowSystemKWaylandPlugin.so mr, - /{usr/,}lib/@{multiarch}/qt5/plugins/kf5/org.kde.kwindowsystem.platforms/KF5WindowSystemX11Plugin.so mr, + @{lib}/@{multiarch}/qt5/plugins/kf5/org.kde.kwindowsystem.platforms/KF5WindowSystemKWaylandPlugin.so mr, + @{lib}/@{multiarch}/qt5/plugins/kf5/org.kde.kwindowsystem.platforms/KF5WindowSystemX11Plugin.so mr, owner @{HOME}/.Xauthority r, diff --git a/apparmor.d/profiles-m-r/pinentry-qt b/apparmor.d/profiles-m-r/pinentry-qt index bcd7de01..79e12aaa 100644 --- a/apparmor.d/profiles-m-r/pinentry-qt +++ b/apparmor.d/profiles-m-r/pinentry-qt @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/pinentry-qt +@{exec_path} = @{bin}/pinentry-qt profile pinentry-qt @{exec_path} { include include diff --git a/apparmor.d/profiles-m-r/pkcs11-register b/apparmor.d/profiles-m-r/pkcs11-register index c72e1b6b..670aa869 100644 --- a/apparmor.d/profiles-m-r/pkcs11-register +++ b/apparmor.d/profiles-m-r/pkcs11-register @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/pkcs11-register +@{exec_path} = @{bin}/pkcs11-register profile pkcs11-register @{exec_path} { include diff --git a/apparmor.d/profiles-m-r/pkexec b/apparmor.d/profiles-m-r/pkexec index b9a15905..8930e937 100644 --- a/apparmor.d/profiles-m-r/pkexec +++ b/apparmor.d/profiles-m-r/pkexec @@ -7,7 +7,7 @@ abi , include -@{exec_path} = /{usr/,}bin/pkexec +@{exec_path} = @{bin}/pkexec profile pkexec @{exec_path} { include include 
@@ -53,14 +53,13 @@ profile pkexec @{exec_path} { @{exec_path} mr, # Apps to be run via pkexec - /{usr/,}{s,}bin/* rPUx, - /{usr/,}lib/gvfs/gvfsd-admin rPUx, #(#FIXME#) - @{libexec}/polkit-agent-helper-[0-9] rPx, - /{usr/,}lib/polkit-agent-helper-[0-9] rPx, - /{usr/,}lib/polkit-[0-9]/polkit-agent-helper-[0-9] rPx, - /{usr/,}lib/update-notifier/package-system-locked rPx, + @{bin}/* rPUx, + @{lib}/cc-remote-login-helper rPx, + @{lib}/gvfs/gvfsd-admin rPUx, #(#FIXME#) + @{lib}/polkit-[0-9]/polkit-agent-helper-[0-9] rPx, + @{lib}/polkit-agent-helper-[0-9] rPx, + @{lib}/update-notifier/package-system-locked rPx, /usr/share/apport/apport-gtk rPx, - @{libexec}/cc-remote-login-helper rPx, /etc/shells r, @{etc_ro}/environment r, diff --git a/apparmor.d/profiles-m-r/pkttyagent b/apparmor.d/profiles-m-r/pkttyagent index 7c3260da..d8e59f1f 100644 --- a/apparmor.d/profiles-m-r/pkttyagent +++ b/apparmor.d/profiles-m-r/pkttyagent @@ -7,7 +7,7 @@ abi , include -@{exec_path} = /{usr/,}bin/pkttyagent +@{exec_path} = @{bin}/pkttyagent profile pkttyagent @{exec_path} { include include @@ -39,8 +39,8 @@ profile pkttyagent @{exec_path} { @{exec_path} mr, - @{libexec}/polkit-agent-helper-[0-9] rPx, - /{usr/,}lib/polkit-[0-9]/polkit-agent-helper-[0-9] rPx, + @{lib}/polkit-[0-9]/polkit-agent-helper-[0-9] rPx, + @{lib}/polkit-agent-helper-[0-9] rPx, owner @{PROC}/@{pids}/stat r, diff --git a/apparmor.d/profiles-m-r/plocate b/apparmor.d/profiles-m-r/plocate index 832deaa3..9f44eb62 100644 --- a/apparmor.d/profiles-m-r/plocate +++ b/apparmor.d/profiles-m-r/plocate @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/plocate +@{exec_path} = @{bin}/plocate profile plocate @{exec_path} { include diff --git a/apparmor.d/profiles-m-r/plocate-build b/apparmor.d/profiles-m-r/plocate-build index da0fd3a3..b13c7704 100644 --- a/apparmor.d/profiles-m-r/plocate-build +++ b/apparmor.d/profiles-m-r/plocate-build 
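Review bot: `@{lib}/polkit-agent-helper-[0-9] rPx,` replaces two rules, `@{libexec}/polkit-agent-helper-[0-9] rPx,` and `/{usr/,}lib/polkit-agent-helper-[0-9] rPx,`, and is only equivalent to them if `@{lib}` expands to both the lib and the libexec locations, which this diff does not show; the pkttyagent hunk on the same line makes the identical collapse. Because that helper is the target pkexec and pkttyagent transition to for authentication, a missing libexec expansion would not widen anything but would break the authentication prompt on distributions that install the helper under libexec, so the tunable is worth a quick check before merge. `@{bin}/* rPUx,` keeps the pre-existing unconfined fallback for every binary launched through pkexec; it replaces `/{usr/,}{s,}bin/*`, so its scope is unchanged by this commit.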
@@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}{s,}bin/plocate-build +@{exec_path} = @{bin}/plocate-build profile plocate-build @{exec_path} { include diff --git a/apparmor.d/profiles-m-r/polipo b/apparmor.d/profiles-m-r/polipo index a4ab05b3..22927498 100644 --- a/apparmor.d/profiles-m-r/polipo +++ b/apparmor.d/profiles-m-r/polipo @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/polipo +@{exec_path} = @{bin}/polipo profile polipo @{exec_path} { include diff --git a/apparmor.d/profiles-m-r/popcon-largest-unused b/apparmor.d/profiles-m-r/popcon-largest-unused index 53151495..44316876 100644 --- a/apparmor.d/profiles-m-r/popcon-largest-unused +++ b/apparmor.d/profiles-m-r/popcon-largest-unused @@ -6,21 +6,21 @@ abi , include -@{exec_path} = /{usr/,}{s,}bin/popcon-largest-unused +@{exec_path} = @{bin}/popcon-largest-unused profile popcon-largest-unused @{exec_path} { include include @{exec_path} r, - /{usr/,}bin/perl r, + @{bin}/perl r, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/{,e}grep rix, - /{usr/,}bin/sort rix, - /{usr/,}bin/cut rix, - /{usr/,}bin/xargs rix, + @{bin}/{,ba,da}sh rix, + @{bin}/{,e}grep rix, + @{bin}/sort rix, + @{bin}/cut rix, + @{bin}/xargs rix, - /{usr/,}bin/apt-cache rPx, + @{bin}/apt-cache rPx, /var/log/popularity-contest r, diff --git a/apparmor.d/profiles-m-r/popularity-contest b/apparmor.d/profiles-m-r/popularity-contest index 8a690ef8..e1671f2b 100644 --- a/apparmor.d/profiles-m-r/popularity-contest +++ b/apparmor.d/profiles-m-r/popularity-contest @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}sbin/popularity-contest +@{exec_path} = @{bin}/popularity-contest profile popularity-contest @{exec_path} { include include 
@@ -22,18 +22,18 @@ profile popularity-contest @{exec_path} { capability dac_read_search, @{exec_path} r, - /{usr/,}bin/perl r, + @{bin}/perl r, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/env rix, + @{bin}/{,ba,da}sh rix, + @{bin}/env rix, # Do not strip env to avoid errors like the following: # ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open # shared object file): ignored. - /{usr/,}bin/dpkg-query rpx, + @{bin}/dpkg-query rpx, # - /{usr/,}bin/dpkg rPx -> child-dpkg, - /{usr/,}bin/dpkg-divert rPx -> child-dpkg-divert, + @{bin}/dpkg rPx -> child-dpkg, + @{bin}/dpkg-divert rPx -> child-dpkg-divert, # For shell pwd /root/ r, diff --git a/apparmor.d/profiles-m-r/power-profiles-daemon b/apparmor.d/profiles-m-r/power-profiles-daemon index 86ad70fc..df946a72 100644 --- a/apparmor.d/profiles-m-r/power-profiles-daemon +++ b/apparmor.d/profiles-m-r/power-profiles-daemon @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{libexec}/power-profiles-daemon +@{exec_path} = @{lib}/power-profiles-daemon profile power-profiles-daemon @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/profiles-m-r/ps b/apparmor.d/profiles-m-r/ps index 9233c5f5..4e1418b5 100644 --- a/apparmor.d/profiles-m-r/ps +++ b/apparmor.d/profiles-m-r/ps @@ -7,7 +7,7 @@ abi , include -@{exec_path} = /{usr/,}bin/ps +@{exec_path} = @{bin}/ps profile ps @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/profiles-m-r/ps-mem b/apparmor.d/profiles-m-r/ps-mem index 99c5f703..b90bf724 100644 --- a/apparmor.d/profiles-m-r/ps-mem +++ b/apparmor.d/profiles-m-r/ps-mem @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/ps_mem +@{exec_path} = @{bin}/ps_mem profile ps-mem @{exec_path} { include include @@ -16,9 +16,9 @@ profile ps-mem @{exec_path} { ptrace (read), @{exec_path} r, - /{usr/,}bin/python3.[0-9]* r, + @{bin}/python3.[0-9]* r, - /{usr/,}bin/ r, + @{bin}/ r, @{PROC}/ r, @{PROC}/sys/kernel/osrelease r, 
diff --git a/apparmor.d/profiles-m-r/pscap b/apparmor.d/profiles-m-r/pscap index 667edeed..f0d14a91 100644 --- a/apparmor.d/profiles-m-r/pscap +++ b/apparmor.d/profiles-m-r/pscap @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/pscap +@{exec_path} = @{bin}/pscap profile pscap @{exec_path} { include include diff --git a/apparmor.d/profiles-m-r/psi b/apparmor.d/profiles-m-r/psi index 8eff494a..c385bbb9 100644 --- a/apparmor.d/profiles-m-r/psi +++ b/apparmor.d/profiles-m-r/psi @@ -7,7 +7,7 @@ abi , include -@{exec_path} = /{usr/,}bin/psi +@{exec_path} = @{bin}/psi profile psi @{exec_path} { include include @@ -37,11 +37,11 @@ profile psi @{exec_path} { @{exec_path} mr, - /{usr/,}bin/aplay rCx -> aplay, - /{usr/,}bin/gpg{,2} rCx -> gpg, - /{usr/,}bin/lsb_release rPx -> lsb_release, - /{usr/,}bin/xdg-open rCx -> open, - /{usr/,}lib/firefox/firefox rPUx, + @{bin}/aplay rCx -> aplay, + @{bin}/gpg{,2} rCx -> gpg, + @{bin}/lsb_release rPx -> lsb_release, + @{bin}/xdg-open rCx -> open, + @{lib}/firefox/firefox rPUx, /usr/share/hwdata/pnp.ids r, /usr/share/psi/{,**} r, @@ -84,8 +84,8 @@ profile psi @{exec_path} { include include - /{usr/,}bin/aplay mr, - #/{usr/,}bin/pulseaudio rPUx, + @{bin}/aplay mr, + #@{bin}/pulseaudio rPUx, /var/lib/dbus/machine-id r, /etc/machine-id r, @@ -102,7 +102,7 @@ profile psi @{exec_path} { profile gpg { include - /{usr/,}bin/gpg{,2} mr, + @{bin}/gpg{,2} mr, owner @{HOME}/.gnupg/ rw, owner @{HOME}/.gnupg/** rwkl -> @{HOME}/.gnupg/**, @@ -116,19 +116,19 @@ profile psi @{exec_path} { include include - /{usr/,}bin/xdg-open mr, + @{bin}/xdg-open mr, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/{m,g,}awk rix, - /{usr/,}bin/readlink rix, - /{usr/,}bin/basename rix, + @{bin}/{,ba,da}sh rix, + @{bin}/{m,g,}awk rix, + @{bin}/readlink rix, + @{bin}/basename rix, owner @{HOME}/ r, owner @{run}/user/@{uid}/ r, # Allowed apps to open - /{usr/,}lib/firefox/firefox rPUx, + @{lib}/firefox/firefox rPUx, # file_inherit owner @{HOME}/.xsession-errors w, 
diff --git a/apparmor.d/profiles-m-r/psi-plus b/apparmor.d/profiles-m-r/psi-plus index d3b3bb04..6eac1722 100644 --- a/apparmor.d/profiles-m-r/psi-plus +++ b/apparmor.d/profiles-m-r/psi-plus @@ -7,7 +7,7 @@ abi , include -@{exec_path} = /{usr/,}bin/psi-plus +@{exec_path} = @{bin}/psi-plus profile psi-plus @{exec_path} { include include @@ -37,11 +37,11 @@ profile psi-plus @{exec_path} { @{exec_path} mr, - /{usr/,}bin/aplay rCx -> aplay, - /{usr/,}bin/gpg{,2} rCx -> gpg, - /{usr/,}bin/lsb_release rPx -> lsb_release, - /{usr/,}bin/xdg-open rCx -> open, - /{usr/,}lib/firefox/firefox rPUx, + @{bin}/aplay rCx -> aplay, + @{bin}/gpg{,2} rCx -> gpg, + @{bin}/lsb_release rPx -> lsb_release, + @{bin}/xdg-open rCx -> open, + @{lib}/firefox/firefox rPUx, /usr/share/hwdata/pnp.ids r, /usr/share/psi-plus/{,**} r, @@ -83,8 +83,8 @@ profile psi-plus @{exec_path} { include include - /{usr/,}bin/aplay mr, - #/{usr/,}bin/pulseaudio rPUx, + @{bin}/aplay mr, + #@{bin}/pulseaudio rPUx, /var/lib/dbus/machine-id r, /etc/machine-id r, @@ -101,7 +101,7 @@ profile psi-plus @{exec_path} { profile gpg { include - /{usr/,}bin/gpg{,2} mr, + @{bin}/gpg{,2} mr, owner @{HOME}/@{XDG_GPG_DIR}/ rw, owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**, @@ -115,19 +115,19 @@ profile psi-plus @{exec_path} { include include - /{usr/,}bin/xdg-open mr, + @{bin}/xdg-open mr, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/{m,g,}awk rix, - /{usr/,}bin/readlink rix, - /{usr/,}bin/basename rix, + @{bin}/{,ba,da}sh rix, + @{bin}/{m,g,}awk rix, + @{bin}/readlink rix, + @{bin}/basename rix, owner @{HOME}/ r, owner @{run}/user/@{uid}/ r, # Allowed apps to open - /{usr/,}lib/firefox/firefox rPUx, + @{lib}/firefox/firefox rPUx, # file_inherit owner @{HOME}/.xsession-errors w, diff --git a/apparmor.d/profiles-m-r/pulseeffects b/apparmor.d/profiles-m-r/pulseeffects index 8c4beab4..1ee24af2 100644 --- a/apparmor.d/profiles-m-r/pulseeffects +++ b/apparmor.d/profiles-m-r/pulseeffects 
@@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/pulseeffects +@{exec_path} = @{bin}/pulseeffects profile pulseeffects @{exec_path} { include include diff --git a/apparmor.d/profiles-m-r/pwck b/apparmor.d/profiles-m-r/pwck index 205df15a..e5ca2f09 100644 --- a/apparmor.d/profiles-m-r/pwck +++ b/apparmor.d/profiles-m-r/pwck @@ -6,14 +6,14 @@ abi , include -@{exec_path} = /{usr/,}bin/pwck +@{exec_path} = @{bin}/pwck profile pwck @{exec_path} { include include @{exec_path} mr, - /{usr/,}{s,}bin/nscd rix, + @{bin}/nscd rix, /etc/login.defs r, /etc/.pwd.lock wk, diff --git a/apparmor.d/profiles-m-r/qbittorrent b/apparmor.d/profiles-m-r/qbittorrent index 630c6947..6a2829d0 100644 --- a/apparmor.d/profiles-m-r/qbittorrent +++ b/apparmor.d/profiles-m-r/qbittorrent @@ -6,10 +6,10 @@ abi , include -@{FIREFOX_BIN} = /{usr/,}lib/firefox{,-esr}/firefox +@{FIREFOX_BIN} = @{lib}/firefox{,-esr}/firefox @{FIREFOX_BIN} += /opt/firefox{,-esr}/firefox -@{exec_path} = /{usr/,}bin/qbittorrent +@{exec_path} = @{bin}/qbittorrent profile qbittorrent @{exec_path} { include include @@ -111,7 +111,7 @@ profile qbittorrent @{exec_path} { @{exec_path} mr, # For "search engine" - /{usr/,}bin/python3.[0-9]* rCx -> python3, + @{bin}/python3.[0-9]* rCx -> python3, # Qbittorrent home dirs owner @{user_config_dirs}/qBittorrent/ rw, 
@@ -171,18 +171,18 @@ profile qbittorrent @{exec_path} { /usr/share/gvfs/remote-volume-monitors/{,*} r, # Launch external apps - /{usr/,}bin/xdg-{open,mime} rCx -> open, + @{bin}/xdg-{open,mime} rCx -> open, # Allowed apps to open - /{usr/,}bin/spacefm rPx, - /{usr/,}bin/smplayer rPx, - /{usr/,}bin/vlc rPx, - /{usr/,}bin/mpv rPx, - /{usr/,}bin/geany rPx, - /{usr/,}bin/viewnior rPUx, - /{usr/,}bin/qpdfview rPx, - /{usr/,}bin/ebook-viewer rPx, - /{usr/,}bin/nautilus rPx, + @{bin}/spacefm rPx, + @{bin}/smplayer rPx, + @{bin}/vlc rPx, + @{bin}/mpv rPx, + @{bin}/geany rPx, + @{bin}/viewnior rPUx, + @{bin}/qpdfview rPx, + @{bin}/ebook-viewer rPx, + @{bin}/nautilus rPx, @{FIREFOX_BIN} rPx, profile open { @@ -205,26 +205,26 @@ profile qbittorrent @{exec_path} { member=Set peer=(name=:*), - /{usr/,}bin/xdg-open mr, + @{bin}/xdg-open mr, # Allowed apps to open - /{usr/,}bin/spacefm rPx, - /{usr/,}bin/smplayer rPx, - /{usr/,}bin/vlc rPx, - /{usr/,}bin/mpv rPx, - /{usr/,}bin/geany rPx, - /{usr/,}bin/viewnior rPUx, - /{usr/,}bin/qpdfview rPx, - /{usr/,}bin/ebook-viewer rPx, - /{usr/,}bin/engrampa rPx, + @{bin}/spacefm rPx, + @{bin}/smplayer rPx, + @{bin}/vlc rPx, + @{bin}/mpv rPx, + @{bin}/geany rPx, + @{bin}/viewnior rPUx, + @{bin}/qpdfview rPx, + @{bin}/ebook-viewer rPx, + @{bin}/engrampa rPx, @{FIREFOX_BIN} rPx, - /{usr/,}bin/{ba,da,}sh rix, - /{usr/,}bin/{g,m,}awk rix, - /{usr/,}bin/readlink rix, - /{usr/,}bin/basename rix, - /{usr/,}bin/which{,.debianutils} rix, - /{usr/,}bin/xfce4-mime-helper rix, + @{bin}/{ba,da,}sh rix, + @{bin}/{g,m,}awk rix, + @{bin}/readlink rix, + @{bin}/basename rix, + @{bin}/which{,.debianutils} rix, + @{bin}/xfce4-mime-helper rix, owner @{HOME}/ r, @@ -255,7 +255,7 @@ profile qbittorrent @{exec_path} { network inet6 stream, network netlink raw, - /{usr/,}bin/python3.[0-9]* r, + @{bin}/python3.[0-9]* r, owner @{user_share_dirs}/{,data/}qBittorrent/nova[0-9]/{,**} rw, 
diff --git a/apparmor.d/profiles-m-r/qbittorrent-nox b/apparmor.d/profiles-m-r/qbittorrent-nox index 38fd8120..ed803bf9 100644 --- a/apparmor.d/profiles-m-r/qbittorrent-nox +++ b/apparmor.d/profiles-m-r/qbittorrent-nox @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/qbittorrent-nox +@{exec_path} = @{bin}/qbittorrent-nox profile qbittorrent-nox @{exec_path} { include include diff --git a/apparmor.d/profiles-m-r/qemu-ga b/apparmor.d/profiles-m-r/qemu-ga index 966e2a05..7ea7649c 100644 --- a/apparmor.d/profiles-m-r/qemu-ga +++ b/apparmor.d/profiles-m-r/qemu-ga @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}{s,}bin/qemu-ga +@{exec_path} = @{bin}/qemu-ga profile qemu-ga @{exec_path} { include @@ -20,7 +20,7 @@ profile qemu-ga @{exec_path} { @{exec_path} mr, - /{usr/,}bin/systemctl rix, + @{bin}/systemctl rix, /etc/qemu/qemu-ga.conf r, diff --git a/apparmor.d/profiles-m-r/qnapi b/apparmor.d/profiles-m-r/qnapi index 96d639b0..8c6298b8 100644 --- a/apparmor.d/profiles-m-r/qnapi +++ b/apparmor.d/profiles-m-r/qnapi @@ -7,7 +7,7 @@ abi , include -@{exec_path} = /{usr/,}bin/qnapi +@{exec_path} = @{bin}/qnapi profile qnapi @{exec_path} { include include @@ -35,12 +35,12 @@ profile qnapi @{exec_path} { @{exec_path} mr, - /{usr/,}bin/7z rix, - /{usr/,}lib/p7zip/7z rix, + @{bin}/7z rix, + @{lib}/p7zip/7z rix, - /{usr/,}bin/ffprobe rPx, - /{usr/,}bin/xdg-open rCx -> open, - /{usr/,}lib/firefox/firefox rPx, + @{bin}/ffprobe rPx, + @{bin}/xdg-open rCx -> open, + @{lib}/firefox/firefox rPx, /usr/share/qt5ct/** r, /usr/share/hwdata/pnp.ids r, 
@@ -87,19 +87,19 @@ profile qnapi @{exec_path} { include include - /{usr/,}bin/xdg-open mr, + @{bin}/xdg-open mr, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/{m,g,}awk rix, - /{usr/,}bin/readlink rix, - /{usr/,}bin/basename rix, + @{bin}/{,ba,da}sh rix, + @{bin}/{m,g,}awk rix, + @{bin}/readlink rix, + @{bin}/basename rix, owner @{HOME}/ r, owner @{run}/user/@{uid}/ r, # Allowed apps to open - /{usr/,}lib/firefox/firefox rPUx, + @{lib}/firefox/firefox rPUx, # file_inherit owner @{HOME}/.xsession-errors w, diff --git a/apparmor.d/profiles-m-r/qpdfview b/apparmor.d/profiles-m-r/qpdfview index 1a90d973..3a27e4a8 100644 --- a/apparmor.d/profiles-m-r/qpdfview +++ b/apparmor.d/profiles-m-r/qpdfview @@ -7,7 +7,7 @@ abi , include -@{exec_path} = /{usr/,}bin/qpdfview +@{exec_path} = @{bin}/qpdfview profile qpdfview @{exec_path} { include include @@ -26,12 +26,12 @@ profile qpdfview @{exec_path} { @{exec_path} mr, # For PDF's internal compression - /{usr/,}bin/gzip rix, - /{usr/,}bin/bzip2 rix, - /{usr/,}bin/xz rix, + @{bin}/gzip rix, + @{bin}/bzip2 rix, + @{bin}/xz rix, - /{usr/,}bin/xdg-open rPx -> child-open, - /{usr/,}lib/firefox/firefox rPUx, + @{bin}/xdg-open rPx -> child-open, + @{lib}/firefox/firefox rPUx, /usr/share/hwdata/pnp.ids r, /usr/share/poppler/** r, diff --git a/apparmor.d/profiles-m-r/qt5ct b/apparmor.d/profiles-m-r/qt5ct index bc1319e0..40393bf4 100644 --- a/apparmor.d/profiles-m-r/qt5ct +++ b/apparmor.d/profiles-m-r/qt5ct @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/qt5ct +@{exec_path} = @{bin}/qt5ct profile qt5ct @{exec_path} { include include diff --git a/apparmor.d/profiles-m-r/qtchooser b/apparmor.d/profiles-m-r/qtchooser index 02ace9d8..0e1f7f20 100644 --- a/apparmor.d/profiles-m-r/qtchooser +++ b/apparmor.d/profiles-m-r/qtchooser 
@@ -6,14 +6,14 @@ abi , include -@{exec_path} = /{usr/,}bin/qtchooser +@{exec_path} = @{bin}/qtchooser profile qtchooser @{exec_path} flags=(complain) { include @{exec_path} mr, - /{usr/,}lib/qt5/bin/qdbus rPUx, - /{usr/,}lib/qt5/bin/qmake rPUx, + @{lib}/qt5/bin/qdbus rPUx, + @{lib}/qt5/bin/qmake rPUx, /usr/share/qtchooser/{,*.conf} r, diff --git a/apparmor.d/profiles-m-r/qtox b/apparmor.d/profiles-m-r/qtox index 9df04520..9365233c 100644 --- a/apparmor.d/profiles-m-r/qtox +++ b/apparmor.d/profiles-m-r/qtox @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/qtox +@{exec_path} = @{bin}/qtox profile qtox @{exec_path} { include include @@ -30,7 +30,7 @@ profile qtox @{exec_path} { @{exec_path} mr, - /{usr/,}bin/xdg-open rCx -> open, + @{bin}/xdg-open rCx -> open, # For importing old profile owner @{HOME}/**.tox r, @@ -73,20 +73,20 @@ profile qtox @{exec_path} { include include - /{usr/,}bin/xdg-open mr, + @{bin}/xdg-open mr, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/{m,g,}awk rix, - /{usr/,}bin/readlink rix, - /{usr/,}bin/basename rix, + @{bin}/{,ba,da}sh rix, + @{bin}/{m,g,}awk rix, + @{bin}/readlink rix, + @{bin}/basename rix, owner @{HOME}/ r, owner @{run}/user/@{uid}/ r, # Allowed apps to open - /{usr/,}lib/firefox/firefox rPUx, - /{usr/,}bin/viewnior rPUx, + @{lib}/firefox/firefox rPUx, + @{bin}/viewnior rPUx, # file_inherit owner @{HOME}/.xsession-errors w, diff --git a/apparmor.d/profiles-m-r/quiterss b/apparmor.d/profiles-m-r/quiterss index 9e6f8038..deb69e3a 100644 --- a/apparmor.d/profiles-m-r/quiterss +++ b/apparmor.d/profiles-m-r/quiterss @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/quiterss +@{exec_path} = @{bin}/quiterss profile quiterss @{exec_path} { include include @@ -36,7 +36,7 @@ profile quiterss @{exec_path} { @{exec_path} mr, - /{usr/,}bin/xdg-open rCx -> open, + @{bin}/xdg-open rCx -> open, # To configure Qt5 settings (theme, font, icons, etc.) under DE/WM without Qt integration owner @{user_config_dirs}/qt5ct/{,**} r, 
@@ -70,7 +70,7 @@ profile quiterss @{exec_path} { owner /var/tmp/etilqs_* rw, # Allowed apps to open - /{usr/,}lib/firefox/firefox rPUx, + @{lib}/firefox/firefox rPUx, # file_inherit owner /dev/tty[0-9]* rw, @@ -80,19 +80,19 @@ profile quiterss @{exec_path} { include include - /{usr/,}bin/xdg-open mr, + @{bin}/xdg-open mr, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/{m,g,}awk rix, - /{usr/,}bin/readlink rix, - /{usr/,}bin/basename rix, + @{bin}/{,ba,da}sh rix, + @{bin}/{m,g,}awk rix, + @{bin}/readlink rix, + @{bin}/basename rix, owner @{HOME}/ r, owner @{run}/user/@{uid}/ r, # Allowed apps to open - /{usr/,}lib/firefox/firefox rPUx, + @{lib}/firefox/firefox rPUx, # file_inherit owner @{HOME}/.xsession-errors w, diff --git a/apparmor.d/profiles-m-r/rdmsr b/apparmor.d/profiles-m-r/rdmsr index 714adfe5..5ef9e0ad 100644 --- a/apparmor.d/profiles-m-r/rdmsr +++ b/apparmor.d/profiles-m-r/rdmsr @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}{s,}bin/rdmsr +@{exec_path} = @{bin}/rdmsr profile rdmsr @{exec_path} { include diff --git a/apparmor.d/profiles-m-r/redshift b/apparmor.d/profiles-m-r/redshift index 3e890b3e..6272c8fe 100644 --- a/apparmor.d/profiles-m-r/redshift +++ b/apparmor.d/profiles-m-r/redshift @@ -7,7 +7,7 @@ abi , include -@{exec_path} = /{usr/,}bin/redshift +@{exec_path} = @{bin}/redshift profile redshift @{exec_path} { include include diff --git a/apparmor.d/profiles-m-r/repo b/apparmor.d/profiles-m-r/repo index b2bc0204..ec76dd79 100644 --- a/apparmor.d/profiles-m-r/repo +++ b/apparmor.d/profiles-m-r/repo @@ -8,7 +8,7 @@ include @{ANDROID_SOURCE_DIR} = @{MOUNTS}/Android/ -@{exec_path} = /{usr/,}bin/repo +@{exec_path} = @{bin}/repo profile repo @{exec_path} { include include 
@@ -23,20 +23,20 @@ profile repo @{exec_path} { network netlink raw, @{exec_path} r, - /{usr/,}bin/python3.[0-9]* rix, + @{bin}/python3.[0-9]* rix, - /{usr/,}bin/ r, - /{usr/,}bin/env rix, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/uname rix, + @{bin}/ r, + @{bin}/env rix, + @{bin}/{,ba,da}sh rix, + @{bin}/uname rix, - /{usr/,}bin/git rix, - /{usr/,}lib/git-core/git rix, - /{usr/,}lib/git-core/git-* rix, + @{bin}/git rix, + @{lib}/git-core/git rix, + @{lib}/git-core/git-* rix, - /{usr/,}bin/curl rCx -> curl, - /{usr/,}bin/gpg{,2} rCx -> gpg, - /{usr/,}bin/ssh rPx, + @{bin}/curl rCx -> curl, + @{bin}/gpg{,2} rCx -> gpg, + @{bin}/ssh rPx, # Android source dir owner @{ANDROID_SOURCE_DIR}/** rwkl -> @{ANDROID_SOURCE_DIR}/**, @@ -70,14 +70,14 @@ profile repo @{exec_path} { include include - /{usr/,}bin/curl mr, + @{bin}/curl mr, } profile gpg { include - /{usr/,}bin/gpg{,2} mr, + @{bin}/gpg{,2} mr, owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**, owner @{HOME}/.repoconfig/gnupg/** rwkl -> @{HOME}/.repoconfig/gnupg/**, diff --git a/apparmor.d/profiles-m-r/reprepro b/apparmor.d/profiles-m-r/reprepro index d7664027..d7a08cff 100644 --- a/apparmor.d/profiles-m-r/reprepro +++ b/apparmor.d/profiles-m-r/reprepro @@ -8,15 +8,15 @@ include @{REPO_DIR} = @{MOUNTS}/debuilder/repo -@{exec_path} = /{usr/,}bin/reprepro +@{exec_path} = @{bin}/reprepro profile reprepro @{exec_path} { include @{exec_path} mr, - /{usr/,}bin/gpgconf rCx -> gpg, - /{usr/,}bin/gpg{,2} rCx -> gpg, - /{usr/,}bin/gpgsm rCx -> gpg, + @{bin}/gpgconf rCx -> gpg, + @{bin}/gpg{,2} rCx -> gpg, + @{bin}/gpgsm rCx -> gpg, owner @{PROC}/@{pid}/fd/ r, @@ -58,9 +58,9 @@ profile reprepro @{exec_path} { profile gpg { include - /{usr/,}bin/gpgconf mr, - /{usr/,}bin/gpg{,2} mr, - /{usr/,}bin/gpgsm mr, + @{bin}/gpgconf mr, + @{bin}/gpg{,2} mr, + @{bin}/gpgsm mr, owner @{HOME}/@{XDG_GPG_DIR}/ rw, owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**, 
diff --git a/apparmor.d/profiles-m-r/resize2fs b/apparmor.d/profiles-m-r/resize2fs index 82b7fab2..22d6102e 100644 --- a/apparmor.d/profiles-m-r/resize2fs +++ b/apparmor.d/profiles-m-r/resize2fs @@ -7,7 +7,7 @@ abi , include -@{exec_path} = /{usr/,}{s,}bin/resize2fs +@{exec_path} = @{bin}/resize2fs profile resize2fs @{exec_path} { include include diff --git a/apparmor.d/profiles-m-r/resolvconf b/apparmor.d/profiles-m-r/resolvconf index c2014727..f8caa8ad 100644 --- a/apparmor.d/profiles-m-r/resolvconf +++ b/apparmor.d/profiles-m-r/resolvconf @@ -6,23 +6,23 @@ abi , include -@{exec_path} = /{usr/,}sbin/resolvconf +@{exec_path} = @{bin}/resolvconf profile resolvconf @{exec_path} { include include @{exec_path} mr, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/cat rix, - /{usr/,}bin/flock rix, - /{usr/,}bin/mkdir rix, - /{usr/,}bin/mv rix, - /{usr/,}bin/readlink rix, - /{usr/,}bin/rm rix, - /{usr/,}bin/run-parts rix, - /{usr/,}bin/sed rix, - /{usr/,}lib/resolvconf/list-records rix, + @{bin}/{,ba,da}sh rix, + @{bin}/cat rix, + @{bin}/flock rix, + @{bin}/mkdir rix, + @{bin}/mv rix, + @{bin}/readlink rix, + @{bin}/rm rix, + @{bin}/run-parts rix, + @{bin}/sed rix, + @{lib}/resolvconf/list-records rix, /usr/lib/resolvconf/{,**} r, diff --git a/apparmor.d/profiles-m-r/rfkill b/apparmor.d/profiles-m-r/rfkill index b87cdb02..6ed83bc0 100644 --- a/apparmor.d/profiles-m-r/rfkill +++ b/apparmor.d/profiles-m-r/rfkill @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}{s,}bin/rfkill +@{exec_path} = @{bin}/rfkill profile rfkill @{exec_path} { include diff --git a/apparmor.d/profiles-m-r/rngd b/apparmor.d/profiles-m-r/rngd index 8df9067b..5eb88292 100644 --- a/apparmor.d/profiles-m-r/rngd +++ b/apparmor.d/profiles-m-r/rngd @@ -7,7 +7,7 @@ abi , include -@{exec_path} = /{usr/,}{s,}bin/rngd +@{exec_path} = @{bin}/rngd profile rngd @{exec_path} { include include diff --git a/apparmor.d/profiles-m-r/rpi-imager b/apparmor.d/profiles-m-r/rpi-imager index 66c0cccf..3690f885 100644 
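Review bot: In the resolvconf hunk the exec rule becomes `@{lib}/resolvconf/list-records rix,` while the read rule directly below it stays hardcoded as `/usr/lib/resolvconf/{,**} r,`. If `@{lib}` also expands to `/lib` (as the `{usr/,}` prefix it replaces did), then on a non-merged-/usr install the script may be executed from `/lib/resolvconf/` yet denied reading its sibling files there; `@{lib}/resolvconf/{,**} r,` keeps the two rules in step. Separately, `@{bin}/run-parts rix,` runs the update.d hooks inside this profile even though run-parts receives its own profile in this same patch — a short comment saying the inherited form is intended would make that choice explicit. The rest of the resolvconf profile is outside this hunk.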
--- a/apparmor.d/profiles-m-r/rpi-imager +++ b/apparmor.d/profiles-m-r/rpi-imager @@ -7,7 +7,7 @@ abi , include -@{exec_path} = /{usr/,}bin/rpi-imager +@{exec_path} = @{bin}/rpi-imager profile rpi-imager @{exec_path} { include include @@ -39,7 +39,7 @@ profile rpi-imager @{exec_path} { @{exec_path} mr, - /{usr/,}bin/lsblk rPx, + @{bin}/lsblk rPx, /etc/fstab r, /etc/X11/cursors/*.theme r, diff --git a/apparmor.d/profiles-m-r/rredtool b/apparmor.d/profiles-m-r/rredtool index 7ea483ac..1489c967 100644 --- a/apparmor.d/profiles-m-r/rredtool +++ b/apparmor.d/profiles-m-r/rredtool @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/rredtool +@{exec_path} = @{bin}/rredtool profile rredtool @{exec_path} flags=(complain) { include diff --git a/apparmor.d/profiles-m-r/rsyslogd b/apparmor.d/profiles-m-r/rsyslogd index d586dbac..548580f8 100644 --- a/apparmor.d/profiles-m-r/rsyslogd +++ b/apparmor.d/profiles-m-r/rsyslogd @@ -12,7 +12,7 @@ include # following: # watch -n 1 'dmesg | tail -5' -@{exec_path} = /{usr/,}{s,}bin/rsyslogd +@{exec_path} = @{bin}/rsyslogd profile rsyslogd @{exec_path} { include include @@ -26,7 +26,7 @@ profile rsyslogd @{exec_path} { @{exec_path} mr, - /{usr/,}lib/@{multiarch}/rsyslog/*.so mr, + @{lib}/@{multiarch}/rsyslog/*.so mr, /etc/rsyslog.conf r, /etc/rsyslog.d/{,**} r, diff --git a/apparmor.d/profiles-m-r/rtkit-daemon b/apparmor.d/profiles-m-r/rtkit-daemon index e3bf99f8..fe2b9bc0 100644 --- a/apparmor.d/profiles-m-r/rtkit-daemon +++ b/apparmor.d/profiles-m-r/rtkit-daemon @@ -8,7 +8,7 @@ abi , include -@{exec_path} = @{libexec}/{,rtkit/}rtkit-daemon +@{exec_path} = @{lib}/{,rtkit/}rtkit-daemon profile rtkit-daemon @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/profiles-m-r/rtkitctl b/apparmor.d/profiles-m-r/rtkitctl index 7224cf34..03e3d438 100644 --- a/apparmor.d/profiles-m-r/rtkitctl +++ b/apparmor.d/profiles-m-r/rtkitctl 
@@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}{s,}bin/rtkitctl +@{exec_path} = @{bin}/rtkitctl profile rtkitctl @{exec_path} { include diff --git a/apparmor.d/profiles-m-r/run-parts b/apparmor.d/profiles-m-r/run-parts index 157119c0..0a1f95ee 100644 --- a/apparmor.d/profiles-m-r/run-parts +++ b/apparmor.d/profiles-m-r/run-parts @@ -8,22 +8,21 @@ abi , include -@{exec_path} = /{usr/,}bin/run-parts +@{exec_path} = @{bin}/run-parts profile run-parts @{exec_path} { include include include @{exec_path} mr, - - /{usr/,}bin/anacron rix, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/cat rix, - /{usr/,}bin/date rix, - /{usr/,}bin/nice rix, - /{usr/,}bin/snapper rix, - + @{bin}/{,ba,da}sh rix, + @{bin}/anacron rix, + @{bin}/cat rix, + @{bin}/date rix, + @{bin}/nice rix, + @{bin}/snapper rix, + /usr/share/update-notifier/notify-reboot-required rPx, /usr/share/update-notifier/notify-updates-outdated rPx, @@ -139,21 +138,21 @@ profile run-parts @{exec_path} { profile motd { include - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/{e,}grep rix, - /{usr/,}bin/cat rix, - /{usr/,}bin/cut rix, - /{usr/,}bin/find rix, - /{usr/,}bin/head rix, - /{usr/,}bin/id rix, - /{usr/,}bin/sort rix, - /{usr/,}bin/tr rix, - /{usr/,}bin/uname rix, + @{bin}/{,ba,da}sh rix, + @{bin}/{e,}grep rix, + @{bin}/cat rix, + @{bin}/cut rix, + @{bin}/find rix, + @{bin}/head rix, + @{bin}/id rix, + @{bin}/sort rix, + @{bin}/tr rix, + @{bin}/uname rix, - /{usr/,}bin/snap rPx, - /{usr/,}lib/ubuntu-release-upgrader/release-upgrade-motd rPx, - /{usr/,}lib/update-notifier/update-motd-fsck-at-reboot rPx, - /{usr/,}lib/update-notifier/update-motd-reboot-required rix, + @{bin}/snap rPx, + @{lib}/ubuntu-release-upgrader/release-upgrade-motd rPx, + @{lib}/update-notifier/update-motd-fsck-at-reboot rPx, + @{lib}/update-notifier/update-motd-reboot-required rix, /usr/share/unattended-upgrades/update-motd-unattended-upgrades rix, /usr/share/update-notifier/notify-updates-outdated rPx, 
@@ -180,34 +179,34 @@ profile run-parts @{exec_path} { capability sys_module, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/{,e}grep rix, - /{usr/,}bin/cat rix, - /{usr/,}bin/chmod rix, - /{usr/,}bin/cut rix, - /{usr/,}bin/dirname rix, - /{usr/,}bin/{,m,g}awk rix, - /{usr/,}bin/kmod rix, - /{usr/,}bin/mv rix, - /{usr/,}bin/rm rix, - /{usr/,}bin/rmdir rix, - /{usr/,}bin/sed rix, - /{usr/,}bin/sort rix, - /{usr/,}bin/touch rix, - /{usr/,}bin/tr rix, - /{usr/,}bin/uname rix, - /{usr/,}bin/which{,.debianutils} rix, + @{bin}/{,ba,da}sh rix, + @{bin}/{,e}grep rix, + @{bin}/{,m,g}awk rix, + @{bin}/cat rix, + @{bin}/chmod rix, + @{bin}/cut rix, + @{bin}/dirname rix, + @{bin}/kmod rix, + @{bin}/mv rix, + @{bin}/rm rix, + @{bin}/rmdir rix, + @{bin}/sed rix, + @{bin}/sort rix, + @{bin}/touch rix, + @{bin}/tr rix, + @{bin}/uname rix, + @{bin}/which{,.debianutils} rix, - /{usr/,}{s,}bin/dkms rPx, - /{usr/,}{s,}bin/update-grub rPUx, - /{usr/,}{s,}bin/update-initramfs rPx, - /{usr/,}bin/apt-config rPx, - /{usr/,}bin/dpkg rPx -> child-dpkg, - /{usr/,}bin/systemd-detect-virt rPx, - /{usr/,}lib/dkms/dkms_autoinstaller rPx, + @{bin}/apt-config rPx, + @{bin}/dkms rPx, + @{bin}/dpkg rPx -> child-dpkg, + @{bin}/systemd-detect-virt rPx, + @{bin}/update-grub rPUx, + @{bin}/update-initramfs rPx, + @{lib}/dkms/dkms_autoinstaller rPx, - /{usr/,}lib/modules/*/updates/ w, - /{usr/,}lib/modules/*/updates/dkms/ w, + @{lib}/modules/*/updates/ w, + @{lib}/modules/*/updates/dkms/ w, /etc/kernel/header_postinst.d/* r, /etc/kernel/{postinst,postrm,preinst,prerm}.d/* r, diff --git a/apparmor.d/profiles-m-r/runuser b/apparmor.d/profiles-m-r/runuser index 4068e0ce..8217a147 100644 --- a/apparmor.d/profiles-m-r/runuser +++ b/apparmor.d/profiles-m-r/runuser @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}{s,}bin/runuser +@{exec_path} = @{bin}/runuser profile runuser @{exec_path} { include include 
@@ -33,8 +33,8 @@ profile runuser @{exec_path} { @{exec_path} mr, # Shells to use - /{usr/,}bin/{,b,d,rb}ash rpux, - /{usr/,}bin/{c,k,tc,z}sh rpux, + @{bin}/{,b,d,rb}ash rpux, + @{bin}/{c,k,tc,z}sh rpux, owner @{PROC}/@{pid}/loginuid r, @{PROC}/1/limits r, diff --git a/apparmor.d/profiles-m-r/rustdesk b/apparmor.d/profiles-m-r/rustdesk index 80a2a35b..f65f0953 100644 --- a/apparmor.d/profiles-m-r/rustdesk +++ b/apparmor.d/profiles-m-r/rustdesk @@ -153,8 +153,8 @@ profile rustdesk @{exec_path} { /etc/environment r, /etc/default/locale r, - /usr/libexec/sudo/libsudo_util.so* mr, - /usr/libexec/sudo/sudoers.so mr, + @{lib}/sudo/libsudo_util.so* mr, + @{lib}/sudo/sudoers.so mr, @{PROC}/1/limits r, owner @{PROC}/@{pid}/stat r,
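Review bot: The two shell rules in the runuser hunk use `rpux`: lowercase `p` passes the environment through unscrubbed, and `u` runs the shell unconfined whenever no profile is attached to it — presumably the usual case, since no shell profile appears in this series, so in practice the rule means "launch the target user's shell unconfined". That is a reasonable choice for a privilege-switching tool, but the bare `# Shells to use` comment does not say so; something like `# Shells to use: run unconfined when no shell profile exists; env is kept because runuser builds it for the target user` would document the intent. The runuser profile body continues outside this hunk.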