refactor(profiles): use @{bin} and @{lib} in profiles (6)

apparmor.d/profiles-m-r/macchanger

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/macchanger
+@{exec_path} = @{bin}/macchanger
 profile macchanger @{exec_path} {
   include <abstractions/base>
 

apparmor.d/profiles-m-r/man

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/man
+@{exec_path} = @{bin}/man
 profile man @{exec_path} {
   include <abstractions/base>
   include <abstractions/consoles>
@@ -19,30 +19,30 @@ profile man @{exec_path} {
   # Use a special profile when man calls anything groff-related. We only include
   # the programs that actually parse input data in a non-trivial way, not
   # wrappers such as groff and nroff, since they would need a broader profile.
-  /{usr/,}bin/eqn      rCx -> man_groff,
+  @{bin}/eqn      rCx -> man_groff,
-  /{usr/,}bin/grap     rCx -> man_groff,
+  @{bin}/grap     rCx -> man_groff,
-  /{usr/,}bin/pic      rCx -> man_groff,
+  @{bin}/pic      rCx -> man_groff,
-  /{usr/,}bin/preconv  rCx -> man_groff,
+  @{bin}/preconv  rCx -> man_groff,
-  /{usr/,}bin/refer    rCx -> man_groff,
+  @{bin}/refer    rCx -> man_groff,
-  /{usr/,}bin/tbl      rCx -> man_groff,
+  @{bin}/tbl      rCx -> man_groff,
-  /{usr/,}bin/troff    rCx -> man_groff,
+  @{bin}/troff    rCx -> man_groff,
-  /{usr/,}bin/vgrind   rCx -> man_groff,
+  @{bin}/vgrind   rCx -> man_groff,
 
   # Use a special profile when man calls decompressors and other simple filters.
-  /{usr/,}bin/bzip2      rCx -> man_filter,
+  @{bin}/bzip2      rCx -> man_filter,
-  /{usr/,}bin/gzip       rCx -> man_filter,
+  @{bin}/gzip       rCx -> man_filter,
-  /{usr/,}bin/col        rCx -> man_filter,
+  @{bin}/col        rCx -> man_filter,
-  /{usr/,}bin/compress   rCx -> man_filter,
+  @{bin}/compress   rCx -> man_filter,
-  /{usr/,}bin/iconv      rCx -> man_filter,
+  @{bin}/iconv      rCx -> man_filter,
-  /{usr/,}bin/lzip.lzip  rCx -> man_filter,
+  @{bin}/lzip.lzip  rCx -> man_filter,
-  /{usr/,}bin/tr         rCx -> man_filter,
+  @{bin}/tr         rCx -> man_filter,
-  /{usr/,}bin/xz         rCx -> man_filter,
+  @{bin}/xz         rCx -> man_filter,
 
-  /{usr/,}bin/pager      rPx -> child-pager,
+  @{bin}/pager      rPx -> child-pager,
-  /{usr/,}bin/less       rPx -> child-pager,
+  @{bin}/less       rPx -> child-pager,
-  /{usr/,}bin/more       rPx -> child-pager,
+  @{bin}/more       rPx -> child-pager,
 
-  /{usr/,}bin/locale rix,
+  @{bin}/locale rix,
 
   /usr/share/groff/{,**} r,
 
@@ -64,16 +64,16 @@ profile man_groff {
 
   signal peer=man,
 
-  /{usr/,}bin/eqn      mr,
+  @{bin}/eqn      mr,
-  /{usr/,}bin/grap     mr,
+  @{bin}/grap     mr,
-  /{usr/,}bin/pic      mr,
+  @{bin}/pic      mr,
-  /{usr/,}bin/preconv  mr,
+  @{bin}/preconv  mr,
-  /{usr/,}bin/refer    mr,
+  @{bin}/refer    mr,
-  /{usr/,}bin/tbl      mr,
+  @{bin}/tbl      mr,
-  /{usr/,}bin/troff    mr,
+  @{bin}/troff    mr,
-  /{usr/,}bin/vgrind   mr,
+  @{bin}/vgrind   mr,
 
-  /{usr/,}lib/groff/site-tmac/** r,
+  @{lib}/groff/site-tmac/** r,
   /usr/share/groff/** r,
 
   /etc/groff/** r,
@@ -91,14 +91,14 @@ profile man_filter {
 
   signal peer=man,
 
-  /{usr/,}bin/bzip2      mr,
+  @{bin}/bzip2      mr,
-  /{usr/,}bin/gzip       mr,
+  @{bin}/gzip       mr,
-  /{usr/,}bin/col        mr,
+  @{bin}/col        mr,
-  /{usr/,}bin/compress   mr,
+  @{bin}/compress   mr,
-  /{usr/,}bin/iconv      mr,
+  @{bin}/iconv      mr,
-  /{usr/,}bin/lzip.lzip  mr,
+  @{bin}/lzip.lzip  mr,
-  /{usr/,}bin/tr         mr,
+  @{bin}/tr         mr,
-  /{usr/,}bin/xz         mr,
+  @{bin}/xz         mr,
 
   # Manual pages can be more or less anywhere, especially with "man -l", and
   # there's no harm in allowing wide read access here since the worst it can

apparmor.d/profiles-m-r/mandb

@@ -7,7 +7,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/mandb
+@{exec_path} = @{bin}/mandb
 profile mandb @{exec_path} flags=(complain) {
   include <abstractions/base>
   include <abstractions/consoles>

apparmor.d/profiles-m-r/mdevctl

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/mdevctl
+@{exec_path} = @{bin}/mdevctl
 profile mdevctl @{exec_path} {
   include <abstractions/base>
 

apparmor.d/profiles-m-r/mediainfo

@@ -7,7 +7,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/mediainfo
+@{exec_path} = @{bin}/mediainfo
 profile mediainfo @{exec_path} {
   include <abstractions/base>
   include <abstractions/user-download-strict>

apparmor.d/profiles-m-r/mediainfo-gui

@@ -7,7 +7,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/mediainfo-gui
+@{exec_path} = @{bin}/mediainfo-gui
 profile mediainfo-gui @{exec_path} {
   include <abstractions/base>
   include <abstractions/dconf-write>
@@ -19,7 +19,7 @@ profile mediainfo-gui @{exec_path} {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/xdg-open    rCx -> open,
+  @{bin}/xdg-open    rCx -> open,
 
   owner @{user_music_dirs}/** r,
   owner @{user_videos_dirs}/** r,
@@ -28,14 +28,14 @@ profile mediainfo-gui @{exec_path} {
     include <abstractions/base>
     include <abstractions/xdg-open>
 
-    /{usr/,}bin/xdg-open mr,
+    @{bin}/xdg-open mr,
 
-    /{usr/,}bin/{,ba,da}sh      rix,
+    @{bin}/{,ba,da}sh      rix,
-    /{usr/,}bin/{m,g,}awk       rix,
+    @{bin}/{m,g,}awk       rix,
-    /{usr/,}bin/readlink        rix,
+    @{bin}/readlink        rix,
-    /{usr/,}bin/basename        rix,
+    @{bin}/basename        rix,
 
-    /{usr/,}lib/firefox/firefox rPx,
+    @{lib}/firefox/firefox rPx,
 
     owner @{HOME}/ r,
     owner @{run}/user/@{uid}/ r,

apparmor.d/profiles-m-r/megasync

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/megasync
+@{exec_path} = @{bin}/megasync
 profile megasync @{exec_path} {
   include <abstractions/base>
   include <abstractions/consoles>
@@ -32,14 +32,14 @@ profile megasync @{exec_path} {
 
   @{exec_path} mrix,
 
-  /{usr/,}bin/{,ba,da}sh rix,
+  @{bin}/{,ba,da}sh rix,
-  /{usr/,}bin/{,e}grep   rix,
+  @{bin}/{,e}grep   rix,
-  /{usr/,}bin/{m,g,}awk  rix,
+  @{bin}/{m,g,}awk  rix,
 
-  /{usr/,}bin/xrdb       rPx,
+  @{bin}/xrdb       rPx,
-  /{usr/,}bin/xdg-mime   rPx,
+  @{bin}/xdg-mime   rPx,
 
-  /{usr/,}bin/xdg-open   rCx -> open,
+  @{bin}/xdg-open   rCx -> open,
 
   # Megasync home files
   owner @{HOME}/ r,
@@ -76,8 +76,8 @@ profile megasync @{exec_path} {
   /usr/share/hwdata/pnp.ids r,
 
   # Allowed apps to open
-  /{usr/,}lib/firefox/firefox rPx,
+  @{lib}/firefox/firefox rPx,
-  /{usr/,}bin/spacefm         rPx,
+  @{bin}/spacefm         rPx,
 
   # file_inherit
   owner /dev/tty[0-9]* rw,
@@ -87,12 +87,12 @@ profile megasync @{exec_path} {
     include <abstractions/base>
     include <abstractions/xdg-open>
 
-    /{usr/,}bin/xdg-open mr,
+    @{bin}/xdg-open mr,
 
-    /{usr/,}bin/{,ba,da}sh      rix,
+    @{bin}/{,ba,da}sh      rix,
-    /{usr/,}bin/{m,g,}awk       rix,
+    @{bin}/{m,g,}awk       rix,
-    /{usr/,}bin/readlink        rix,
+    @{bin}/readlink        rix,
-    /{usr/,}bin/basename        rix,
+    @{bin}/basename        rix,
 
     owner @{HOME}/ r,
     owner "@{user_share_dirs}/data/Mega Limited/MEGAsync/" r,
@@ -100,8 +100,8 @@ profile megasync @{exec_path} {
     owner @{run}/user/@{uid}/ r,
 
     # Allowed apps to open
-    /{usr/,}lib/firefox/firefox rPx,
+    @{lib}/firefox/firefox rPx,
-    /{usr/,}bin/spacefm         rPx,
+    @{bin}/spacefm         rPx,
 
     # file_inherit
     owner "@{user_share_dirs}/data/Mega Limited/MEGAsync/logs/MEGAsync.log" rw,

apparmor.d/profiles-m-r/memtester

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}{s,}bin/memtester
+@{exec_path} = @{bin}/memtester
 profile memtester @{exec_path} {
   include <abstractions/base>
 

apparmor.d/profiles-m-r/merkaartor

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/merkaartor
+@{exec_path} = @{bin}/merkaartor
 profile merkaartor @{exec_path} {
   include <abstractions/base>
   include <abstractions/gtk>

apparmor.d/profiles-m-r/mimetype

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/mimetype
+@{exec_path} = @{bin}/mimetype
 profile mimetype @{exec_path} {
   include <abstractions/base>
   include <abstractions/perl>

apparmor.d/profiles-m-r/minitube

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/minitube
+@{exec_path} = @{bin}/minitube
 profile minitube @{exec_path} {
   include <abstractions/base>
   include <abstractions/consoles>
@@ -86,13 +86,13 @@ profile minitube @{exec_path} {
   owner /tmp/qtsingleapp-minitu-* rw,
   owner /tmp/qtsingleapp-minitu-*-lockfile rwk,
 
-  /{usr/,}bin/xdg-open         rCx -> open,
+  @{bin}/xdg-open         rCx -> open,
 
   # Be able to turn off the screensaver while playing movies
-  /{usr/,}bin/xdg-screensaver  rCx -> xdg-screensaver,
+  @{bin}/xdg-screensaver  rCx -> xdg-screensaver,
 
   # Allowed apps to open
-  /{usr/,}lib/firefox/firefox  rPx,
+  @{lib}/firefox/firefox  rPx,
 
   # file_inherit
   owner /dev/tty[0-9]* rw,
@@ -102,19 +102,19 @@ profile minitube @{exec_path} {
     include <abstractions/base>
     include <abstractions/xdg-open>
 
-    /{usr/,}bin/xdg-open mr,
+    @{bin}/xdg-open mr,
 
-    /{usr/,}bin/{,ba,da}sh      rix,
+    @{bin}/{,ba,da}sh      rix,
-    /{usr/,}bin/{m,g,}awk       rix,
+    @{bin}/{m,g,}awk       rix,
-    /{usr/,}bin/readlink        rix,
+    @{bin}/readlink        rix,
-    /{usr/,}bin/basename        rix,
+    @{bin}/basename        rix,
 
     owner @{HOME}/ r,
 
     owner @{run}/user/@{uid}/ r,
 
     # Allowed apps to open
-    /{usr/,}lib/firefox/firefox rPUx,
+    @{lib}/firefox/firefox rPUx,
 
     # file_inherit
     owner @{HOME}/.xsession-errors w,
@@ -125,16 +125,16 @@ profile minitube @{exec_path} {
     include <abstractions/base>
     include <abstractions/consoles>
 
-    /{usr/,}bin/xdg-screensaver mr,
+    @{bin}/xdg-screensaver mr,
 
-    /{usr/,}bin/{,ba,da}sh   rix,
+    @{bin}/{,ba,da}sh   rix,
-    /{usr/,}bin/mv           rix,
+    @{bin}/mv           rix,
-    /{usr/,}bin/{,e}grep     rix,
+    @{bin}/{,e}grep     rix,
-    /{usr/,}bin/sed          rix,
+    @{bin}/sed          rix,
-    /{usr/,}bin/which{,.debianutils}        rix,
+    @{bin}/which{,.debianutils}        rix,
-    /{usr/,}bin/xset         rix,
+    @{bin}/xset         rix,
-    /{usr/,}bin/xautolock    rix,
+    @{bin}/xautolock    rix,
-    /{usr/,}bin/dbus-send    rix,
+    @{bin}/dbus-send    rix,
 
     owner @{HOME}/.Xauthority r,
 

apparmor.d/profiles-m-r/mission-control

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{libexec}/{,telepathy/}mission-control-5
+@{exec_path} = @{lib}/{,telepathy/}mission-control-5
 profile mission-control @{exec_path} flags=(attach_disconnected)  {
   include <abstractions/base>
   include <abstractions/dconf-write>

apparmor.d/profiles-m-r/mke2fs

@@ -7,7 +7,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}{s,}bin/{mke2fs,mkfs.ext2,mkfs.ext3,mkfs.ext4}
+@{exec_path} = @{bin}/{mke2fs,mkfs.ext2,mkfs.ext3,mkfs.ext4}
 profile mke2fs @{exec_path} {
   include <abstractions/base>
   include <abstractions/disks-write>
@@ -18,8 +18,8 @@ profile mke2fs @{exec_path} {
   @{exec_path} mr,
 
   # To check for badblocks
-  /{usr/,}bin/{,ba,da}sh rix,
+  @{bin}/{,ba,da}sh rix,
-  /{usr/,}{s,}bin/badblocks rPx,
+  @{bin}/badblocks  rPx,
 
   /usr/share/file/misc/magic.mgc r,
 

apparmor.d/profiles-m-r/mkfs-btrfs

@@ -7,7 +7,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}{s,}bin/mkfs.btrfs
+@{exec_path} = @{bin}/mkfs.btrfs
 profile mkfs-btrfs @{exec_path} {
   include <abstractions/base>
   include <abstractions/disks-write>

apparmor.d/profiles-m-r/mkfs-fat

@@ -7,7 +7,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}{s,}bin/{mkfs.fat,mkfs.msdos,mkfs.vfat,mkdosfs}
+@{exec_path} = @{bin}/{mkfs.fat,mkfs.msdos,mkfs.vfat,mkdosfs}
 profile mkfs-fat @{exec_path} {
   include <abstractions/base>
   include <abstractions/disks-write>

apparmor.d/profiles-m-r/mkinitramfs

@@ -8,7 +8,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}sbin/mkinitramfs
+@{exec_path} = @{bin}/mkinitramfs
 profile mkinitramfs @{exec_path} {
   include <abstractions/base>
   include <abstractions/consoles>
@@ -19,49 +19,49 @@ profile mkinitramfs @{exec_path} {
   capability fsetid,
 
   @{exec_path} r,
-  /{usr/,}bin/{,ba,da}sh rix,
+  @{bin}/{,ba,da}sh rix,
 
-  /{usr/,}{s,}bin/       r,
+  @{bin}/       r,
-  /{usr/,}lib/           r,
+  @{lib}/           r,
-  /{usr/,}lib64/         r,
+  @{lib}64/         r,
 
-  /{usr/,}bin/{,e}grep   rix,
+  @{bin}/{,e}grep   rix,
-  /{usr/,}bin/basename   rix,
+  @{bin}/basename   rix,
-  /{usr/,}bin/bzip2      rix,
+  @{bin}/bzip2      rix,
-  /{usr/,}bin/cat        rix,
+  @{bin}/cat        rix,
-  /{usr/,}bin/chmod      rix,
+  @{bin}/chmod      rix,
-  /{usr/,}bin/cp         rix,
+  @{bin}/cp         rix,
-  /{usr/,}bin/cpio       rix,
+  @{bin}/cpio       rix,
-  /{usr/,}bin/dirname    rix,
+  @{bin}/dirname    rix,
-  /{usr/,}bin/env        rix,
+  @{bin}/env        rix,
-  /{usr/,}bin/getopt     rix,
+  @{bin}/getopt     rix,
-  /{usr/,}bin/gzip       rix,
+  @{bin}/gzip       rix,
-  /{usr/,}bin/id         rix,
+  @{bin}/id         rix,
-  /{usr/,}bin/ln         rix,
+  @{bin}/ln         rix,
-  /{usr/,}bin/lzma       rix,
+  @{bin}/lzma       rix,
-  /{usr/,}bin/lzop       rix,
+  @{bin}/lzop       rix,
-  /{usr/,}bin/mkdir      rix,
+  @{bin}/mkdir      rix,
-  /{usr/,}bin/mktemp     rix,
+  @{bin}/mktemp     rix,
-  /{usr/,}bin/readlink   rix,
+  @{bin}/readlink   rix,
-  /{usr/,}bin/rm         rix,
+  @{bin}/rm         rix,
-  /{usr/,}bin/rmdir      rix,
+  @{bin}/rmdir      rix,
-  /{usr/,}bin/sed        rix,
+  @{bin}/sed        rix,
-  /{usr/,}bin/sort       rix,
+  @{bin}/sort       rix,
-  /{usr/,}bin/touch      rix,
+  @{bin}/touch      rix,
-  /{usr/,}bin/tr         rix,
+  @{bin}/tr         rix,
-  /{usr/,}bin/tsort      rix,
+  @{bin}/tsort      rix,
-  /{usr/,}bin/xargs      rix,
+  @{bin}/xargs      rix,
-  /{usr/,}bin/xz         rix,
+  @{bin}/xz         rix,
-  /{usr/,}bin/zstd       rix,
+  @{bin}/zstd       rix,
 
-  /{usr/,}bin/ldd                  rCx -> ldd,
+  @{bin}/find                 rCx -> find,
-  /{usr/,}lib{32,64}/ld-linux.so.2 rCx -> ldd,
+  @{bin}/kmod                 rCx -> kmod,
-  /{usr/,}sbin/ldconfig            rCx -> ldconfig,
+  @{bin}/ldconfig             rCx -> ldconfig,
-  /{usr/,}bin/find                 rCx -> find,
+  @{bin}/ldd                  rCx -> ldd,
-  /{usr/,}bin/kmod                 rCx -> kmod,
+  @{lib}/ld-linux.so.2        rCx -> ldd,
 
-  /{usr/,}bin/dpkg          rPx -> child-dpkg,
+  @{bin}/dpkg          rPx -> child-dpkg,
-  /{usr/,}bin/linux-version rPx,
+  @{bin}/linux-version rPx,
 
   # What to do with it? (#FIXME#)
   /usr/share/initramfs-tools/hooks/*     rPUx,
@@ -98,14 +98,14 @@ profile mkinitramfs @{exec_path} {
     include <abstractions/consoles>
     include <abstractions/nameservice-strict>
 
-    /{usr/,}bin/ldd mr,
+    @{bin}/ldd mr,
 
-    /{usr/,}bin/{,ba,da}sh rix,
+    @{bin}/{,ba,da}sh rix,
-    /{usr/,}bin/kmod mr,
+    @{bin}/kmod mr,
-    /{usr/,}lib/initramfs-tools/bin/* mr,
+    @{lib}/initramfs-tools/bin/* mr,
 
-    /{usr/,}lib/@{multiarch}/ld-*.so*  rix,
+    @{lib}/@{multiarch}/ld-*.so*  rix,
-    /{usr/,}lib{,x}32/ld-*.so{,.2}     rix,
+    @{lib}{,x}32/ld-*.so{,.2}     rix,
 
   }
 
@@ -115,10 +115,10 @@ profile mkinitramfs @{exec_path} {
 
     capability sys_chroot,
 
-    /{usr/,}{s,}bin/ldconfig  mr,
+    @{bin}/ldconfig  mr,
 
-    /{usr/,}{s,}bin/ldconfig.real rix,
+    @{bin}/{,ba,da}sh        rix,
-    /{usr/,}bin/{,ba,da}sh        rix,
+    @{bin}/ldconfig.real     rix,
 
     owner /var/tmp/mkinitramfs_*/etc/ld.so.conf r,
     owner /var/tmp/mkinitramfs_*/etc/ld.so.conf.d/{,*.conf} r,
@@ -139,7 +139,7 @@ profile mkinitramfs @{exec_path} {
     include <abstractions/base>
     include <abstractions/consoles>
 
-    /{usr/,}bin/find mr,
+    @{bin}/find mr,
 
     # pwd dir
     / r,
@@ -158,7 +158,7 @@ profile mkinitramfs @{exec_path} {
     include <abstractions/consoles>
     include <abstractions/openssl>
 
-    /{usr/,}bin/kmod mr,
+    @{bin}/kmod mr,
 
     @{PROC}/cmdline r,
 

apparmor.d/profiles-m-r/mkntfs

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}{s,}bin/{mkntfs,mkfs.ntfs}
+@{exec_path} = @{bin}/{mkntfs,mkfs.ntfs}
 profile mkntfs @{exec_path} {
   include <abstractions/base>
   include <abstractions/disks-write>

apparmor.d/profiles-m-r/mkswap

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}{s,}bin/mkswap
+@{exec_path} = @{bin}/mkswap
 profile mkswap @{exec_path} {
   include <abstractions/base>
   include <abstractions/disks-write>

apparmor.d/profiles-m-r/mkvmerge

@@ -7,7 +7,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/mkvmerge
+@{exec_path} = @{bin}/mkvmerge
 profile mkvmerge @{exec_path} {
   include <abstractions/base>
   include <abstractions/user-download-strict>

apparmor.d/profiles-m-r/mkvtoolnix-gui

@@ -7,7 +7,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/mkvtoolnix-gui
+@{exec_path} = @{bin}/mkvtoolnix-gui
 profile mkvtoolnix-gui @{exec_path} {
   include <abstractions/base>
   include <abstractions/dri-enumerate>
@@ -28,8 +28,8 @@ profile mkvtoolnix-gui @{exec_path} {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/mkvmerge      rPx,
+  @{bin}/mkvmerge      rPx,
-  /{usr/,}bin/mediainfo-gui rPx,
+  @{bin}/mediainfo-gui rPx,
 
   /usr/share/qt5ct/** r,
   /usr/share/hwdata/pnp.ids r,

apparmor.d/profiles-m-r/mlocate

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/mlocate
+@{exec_path} = @{bin}/mlocate
 profile mlocate @{exec_path} {
   include <abstractions/base>
   include <abstractions/nameservice-strict>

apparmor.d/profiles-m-r/modprobed-db

@@ -6,27 +6,27 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/modprobed-db
+@{exec_path} = @{bin}/modprobed-db
 profile modprobed-db @{exec_path} {
   include <abstractions/base>
   include <abstractions/nameservice-strict>
 
   @{exec_path} mr,
 
-  /{usr/,}bin/{,ba,da}sh    rix,
+  @{bin}/{,ba,da}sh    rix,
-  /{usr/,}bin/cat           rix,
+  @{bin}/cat           rix,
-  /{usr/,}bin/cp            rix,
+  @{bin}/cp            rix,
-  /{usr/,}bin/cut           rix,
+  @{bin}/cut           rix,
-  /{usr/,}bin/gawk          rix,
+  @{bin}/gawk          rix,
-  /{usr/,}bin/getent        rix,
+  @{bin}/getent        rix,
-  /{usr/,}bin/grep          rix,
+  @{bin}/grep          rix,
-  /{usr/,}bin/logname       rix,
+  @{bin}/logname       rix,
-  /{usr/,}bin/md5sum        rix,
+  @{bin}/md5sum        rix,
-  /{usr/,}bin/rm            rix,
+  @{bin}/rm            rix,
-  /{usr/,}bin/sed           rix,
+  @{bin}/sed           rix,
-  /{usr/,}bin/sort          rix,
+  @{bin}/sort          rix,
-  /{usr/,}bin/uniq          rix,
+  @{bin}/uniq          rix,
-  /{usr/,}bin/wc            rix,
+  @{bin}/wc            rix,
 
   /usr/share/terminfo/x/xterm-256color r,
 

apparmor.d/profiles-m-r/molly-guard

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}lib/molly-guard/molly-guard
+@{exec_path} = @{lib}/molly-guard/molly-guard
 profile molly-guard @{exec_path} {
   include <abstractions/base>
   include <abstractions/consoles>
@@ -17,13 +17,13 @@ profile molly-guard @{exec_path} {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/{,ba,da}sh  rix,
+  @{bin}/{,ba,da}sh  rix,
-  /{usr/,}bin/hostname    rix,
+  @{bin}/hostname    rix,
-  /{usr/,}bin/{,e,p}grep  rix,
+  @{bin}/{,e,p}grep  rix,
-  /{usr/,}bin/run-parts   rix,
+  @{bin}/run-parts   rix,
-  /{usr/,}bin/systemctl   rPx -> child-systemctl,
+  @{bin}/systemctl   rPx -> child-systemctl,
-  /{usr/,}bin/tr          rix,
+  @{bin}/tr          rix,
-  /{usr/,}bin/tty         rix,
+  @{bin}/tty         rix,
 
   /etc/molly-guard/{,**} r,
   /etc/molly-guard/run.d/* rix,

apparmor.d/profiles-m-r/monitorix

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/monitorix
+@{exec_path} = @{bin}/monitorix
 profile monitorix @{exec_path} {
   include <abstractions/base>
   include <abstractions/perl>
@@ -33,20 +33,20 @@ profile monitorix @{exec_path} {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/{,ba,da}sh         rix,
+  @{bin}/{,ba,da}sh         rix,
-  /{usr/,}bin/{,e}grep           rix,
+  @{bin}/{,e}grep           rix,
-  /{usr/,}bin/df                 rix,
+  @{bin}/df                 rix,
-  /{usr/,}bin/cat                rix,
+  @{bin}/cat                rix,
-  /{usr/,}bin/tail               rix,
+  @{bin}/tail               rix,
-  /{usr/,}bin/{m,g,}awk          rix,
+  @{bin}/{m,g,}awk          rix,
-  /{usr/,}bin/free               rix,
+  @{bin}/free               rix,
-  /{usr/,}bin/ss                 rix,
+  @{bin}/ss                 rix,
-  /{usr/,}bin/who                rix,
+  @{bin}/who                rix,
-  /{usr/,}sbin/lvm               rix,
+  @{bin}/lvm               rix,
-  /{usr/,}sbin/xtables-nft-multi rix,
+  @{bin}/xtables-nft-multi rix,
-  /{usr/,}bin/sensors            rix,
+  @{bin}/sensors            rix,
-  /{usr/,}bin/getconf            rix,
+  @{bin}/getconf            rix,
-  /{usr/,}bin/ps                 rix,
+  @{bin}/ps                 rix,
 
   /etc/monitorix/monitorix.conf r,
   /etc/monitorix/conf.d/ r,

apparmor.d/profiles-m-r/mono-sgen

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/mono-sgen
+@{exec_path} = @{bin}/mono-sgen
 profile mono-sgen @{exec_path} {
   include <abstractions/base>
   include <abstractions/audio>
@@ -26,9 +26,9 @@ profile mono-sgen @{exec_path} {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/ r,
+  @{bin}/ r,
   /{usr/,}local/bin/ r,
-  /{usr/,}bin/* rPUx,
+  @{bin}/* rPUx,
 
   /usr/share/.mono/{,**} rw,
 

apparmor.d/profiles-m-r/mount

@@ -8,7 +8,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}{s,}bin/mount
+@{exec_path} = @{bin}/mount
 profile mount @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/consoles>
@@ -33,10 +33,10 @@ profile mount @{exec_path} flags=(attach_disconnected) {
 
   @{exec_path} mr,
 
-  /{usr/,}{s,}bin/lowntfs-3g rPx,
+  @{bin}/lowntfs-3g     rPx,
-  /{usr/,}{s,}bin/mount.*    rPx,
+  @{bin}/mount.*        rPx,
-  /{usr/,}bin/ntfs-3g        rPx,
+  @{bin}/ntfs-3g        rPx,
-  /{usr/,}bin/sshfs          rPx,
+  @{bin}/sshfs          rPx,
 
   /etc/fstab r,
 

apparmor.d/profiles-m-r/mount-cifs

@@ -7,7 +7,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}{s,}bin/mount.cifs
+@{exec_path} = @{bin}/mount.cifs
 profile mount-cifs @{exec_path} flags=(complain) {
   include <abstractions/base>
   include <abstractions/nameservice-strict>
@@ -24,7 +24,7 @@ profile mount-cifs @{exec_path} flags=(complain) {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/systemd-ask-password rPUx,
+  @{bin}/systemd-ask-password rPUx,
 
   /etc/fstab r,
 

apparmor.d/profiles-m-r/mount-nfs

@@ -7,7 +7,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}{s,}bin/mount.nfs
+@{exec_path} = @{bin}/mount.nfs
 profile mount-nfs @{exec_path} flags=(complain) {
   include <abstractions/base>
   include <abstractions/nameservice-strict>
@@ -27,9 +27,9 @@ profile mount-nfs @{exec_path} flags=(complain) {
 
   @{exec_path} mr,
 
-  /{usr/,}{s,}bin/start-statd  rix,
+  @{bin}/{,ba,da}sh       rix,
-  /{usr/,}bin/{,ba,da}sh       rix,
+  @{bin}/flock            rix,
-  /{usr/,}bin/flock            rix,
+  @{bin}/start-statd      rix,
 
   /usr/bin/systemctl           rPx -> child-systemctl,
 

apparmor.d/profiles-m-r/mount-zfs

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}{s,}bin/mount.zfs
+@{exec_path} = @{bin}/mount.zfs
 profile mount-zfs @{exec_path} flags=(complain) {
   include <abstractions/base>
   include <abstractions/nameservice-strict>

apparmor.d/profiles-m-r/mpsyt

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/mpsyt
+@{exec_path} = @{bin}/mpsyt
 profile mpsyt @{exec_path} {
   include <abstractions/base>
   include <abstractions/python>
@@ -24,16 +24,16 @@ profile mpsyt @{exec_path} {
   network netlink raw,
 
   @{exec_path} r,
-  /{usr/,}bin/python3.[0-9]* r,
+  @{bin}/python3.[0-9]* r,
 
-  /{usr/,}bin/ r,
+  @{bin}/ r,
-  /{usr/,}bin/tset      rix,
+  @{bin}/ldconfig  rix,
-  /{usr/,}{s,}bin/ldconfig rix,
+  @{bin}/tset      rix,
-  /{usr/,}bin/uname     rix,
+  @{bin}/uname     rix,
 
-  /{usr/,}bin/mpv      rPUx,
+  @{bin}/mpv      rPUx,
-  /{usr/,}bin/ffmpeg   rPUx,
+  @{bin}/ffmpeg   rPUx,
-  /{usr/,}bin/ffprobe  rPUx,
+  @{bin}/ffprobe  rPUx,
 
   # MPV config files
   /etc/mpv/* r,

apparmor.d/profiles-m-r/mpv

@@ -7,7 +7,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/mpv
+@{exec_path} = @{bin}/mpv
 profile mpv @{exec_path} {
   include <abstractions/base>
   include <abstractions/audio>
@@ -36,10 +36,10 @@ profile mpv @{exec_path} {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/xdg-screensaver rCx -> xdg-screensaver,
+  @{bin}/xdg-screensaver rCx -> xdg-screensaver,
 
-  /{usr/,}bin/youtube-dl rPx,
+  @{bin}/youtube-dl rPx,
-  /{usr/,}bin/yt-dlp     rPx,
+  @{bin}/yt-dlp     rPx,
 
   /etc/mpv/* r,
   /etc/samba/smb.conf r,
@@ -90,17 +90,17 @@ profile mpv @{exec_path} {
     include <abstractions/base>
     include <abstractions/consoles>
 
-    /{usr/,}bin/xdg-screensaver mr,
+    @{bin}/xdg-screensaver mr,
 
-    /{usr/,}bin/{,ba,da}sh   rix,
+    @{bin}/{,ba,da}sh   rix,
-    /{usr/,}bin/mv           rix,
+    @{bin}/mv           rix,
-    /{usr/,}bin/{,e}grep     rix,
+    @{bin}/{,e}grep     rix,
-    /{usr/,}bin/sed          rix,
+    @{bin}/sed          rix,
-    /{usr/,}bin/which{,.debianutils}        rix,
+    @{bin}/which{,.debianutils}        rix,
-    /{usr/,}bin/xset         rix,
+    @{bin}/xset         rix,
-    /{usr/,}bin/xautolock    rix,
+    @{bin}/xautolock    rix,
-    /{usr/,}bin/dbus-send    rix,
+    @{bin}/dbus-send    rix,
-    /{usr/,}bin/xscreensaver-command rix,
+    @{bin}/xscreensaver-command rix,
 
     owner @{HOME}/.Xauthority r,
 

apparmor.d/profiles-m-r/mtools

@@ -7,7 +7,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/{mtools,mattrib,mbadblocks,mcat,mcd,mclasserase,mcopy,mdel,mdeltree,mdir,mdu,mformat,minfo,mlabel,mmd,mmount,mmove,mpartition,mrd,mren,mshortname,mshowfat,mtoolstest,mtype,mzip}
+@{exec_path} = @{bin}/{mtools,mattrib,mbadblocks,mcat,mcd,mclasserase,mcopy,mdel,mdeltree,mdir,mdu,mformat,minfo,mlabel,mmd,mmount,mmove,mpartition,mrd,mren,mshortname,mshowfat,mtoolstest,mtype,mzip}
 profile mtools @{exec_path} {
   include <abstractions/base>
   include <abstractions/consoles>

apparmor.d/profiles-m-r/mtr

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/mtr
+@{exec_path} = @{bin}/mtr
 profile mtr @{exec_path} {
   include <abstractions/base>
   include <abstractions/gtk>
@@ -23,7 +23,7 @@ profile mtr @{exec_path} {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/mtr-packet rPx,
+  @{bin}/mtr-packet rPx,
 
   include if exists <local/mtr>
 }

apparmor.d/profiles-m-r/mtr-packet

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/mtr-packet
+@{exec_path} = @{bin}/mtr-packet
 profile mtr-packet @{exec_path} {
   include <abstractions/base>
 

apparmor.d/profiles-m-r/mumble

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/mumble
+@{exec_path} = @{bin}/mumble
 profile mumble @{exec_path} {
   include <abstractions/base>
   include <abstractions/X>
@@ -34,8 +34,8 @@ profile mumble @{exec_path} {
 
   @{exec_path} mrix,
 
-  /{usr/,}bin/lsb_release rPx -> lsb_release,
+  @{bin}/lsb_release rPx -> lsb_release,
-  /{usr/,}bin/xdg-open    rCx -> open,
+  @{bin}/xdg-open    rCx -> open,
 
   # Mumble home files
   owner @{HOME}/ r,
@@ -71,7 +71,7 @@ profile mumble @{exec_path} {
   /usr/share/hwdata/pnp.ids r,
 
   # Allowed apps to open
-  /{usr/,}lib/firefox/firefox rPUx,
+  @{lib}/firefox/firefox rPUx,
 
   # file_inherit
   owner /dev/tty[0-9]* rw,
@@ -81,19 +81,19 @@ profile mumble @{exec_path} {
     include <abstractions/base>
     include <abstractions/xdg-open>
 
-    /{usr/,}bin/xdg-open mr,
+    @{bin}/xdg-open mr,
 
-    /{usr/,}bin/{,ba,da}sh      rix,
+    @{bin}/{,ba,da}sh      rix,
-    /{usr/,}bin/{m,g,}awk       rix,
+    @{bin}/{m,g,}awk       rix,
-    /{usr/,}bin/readlink        rix,
+    @{bin}/readlink        rix,
-    /{usr/,}bin/basename        rix,
+    @{bin}/basename        rix,
 
     owner @{HOME}/ r,
 
     owner @{run}/user/@{uid}/ r,
 
     # Allowed apps to open
-    /{usr/,}lib/firefox/firefox rPUx,
+    @{lib}/firefox/firefox rPUx,
 
     # file_inherit
     owner @{HOME}/.xsession-errors w,

apparmor.d/profiles-m-r/mumble-overlay

@@ -6,18 +6,18 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/mumble-overlay
+@{exec_path} = @{bin}/mumble-overlay
 profile mumble-overlay @{exec_path} {
   include <abstractions/base>
   include <abstractions/consoles>
 
   @{exec_path} r,
-  /{usr/,}bin/{,ba,da}sh rix,
+  @{bin}/{,ba,da}sh rix,
 
-  /{usr/,}bin/file       rix,
+  @{bin}/file       rix,
-  /{usr/,}bin/which{,.debianutils}      rix,
+  @{bin}/which{,.debianutils}      rix,
 
-  /{usr/,}bin/glxgears   rPx,
+  @{bin}/glxgears   rPx,
 
   /etc/magic r,
 

apparmor.d/profiles-m-r/needrestart

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}{s,}bin/needrestart
+@{exec_path} = @{bin}/needrestart
 profile needrestart @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/consoles>
@@ -23,23 +23,23 @@ profile needrestart @{exec_path} flags=(attach_disconnected) {
 
   @{exec_path} mrix,
 
-  /{usr/,}bin/{,ba,da}sh                        rix,
+  @{bin}/{,ba,da}sh                        rix,
-  /{usr/,}bin/dpkg-query                        rpx,
+  @{bin}/dpkg-query                        rpx,
-  /{usr/,}bin/fail2ban-server                   rPx,
+  @{bin}/fail2ban-server                   rPx,
-  /{usr/,}bin/locale                            rix,
+  @{bin}/locale                            rix,
-  /{usr/,}bin/python3.[0-9]*                    rix,
+  @{bin}/python3.[0-9]*                    rix,
-  /{usr/,}bin/sed                               rix,
+  @{bin}/sed                               rix,
-  /{usr/,}bin/stty                              rix,
+  @{bin}/stty                              rix,
-  /{usr/,}bin/systemctl                         rPx,
+  @{bin}/systemctl                         rPx,
-  /{usr/,}bin/systemd-detect-virt               rPx,
+  @{bin}/systemd-detect-virt               rPx,
-  /{usr/,}bin/udevadm                           rPx,
+  @{bin}/udevadm                           rPx,
-  /{usr/,}bin/whiptail                          rPx,
+  @{bin}/whiptail                          rPx,
-  /{usr/,}bin/who                               rix,
+  @{bin}/who                               rix,
-  /{usr/,}lib/needrestart/iucode-scan-versions  rPx,
+  @{lib}/needrestart/iucode-scan-versions  rPx,
   /usr/share/debconf/frontend              rix,
 
-  /{usr/,}bin/networkd-dispatcher r,
+  @{bin}/networkd-dispatcher r,
-  /{usr/,}bin/gettext.sh r,
+  @{bin}/gettext.sh r,
   /usr/share/needrestart/{,**} r,
   /usr/share/unattended-upgrades/unattended-upgrade-shutdown r,
 

apparmor.d/profiles-m-r/needrestart-apt-pinvoke

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}lib/needrestart/apt-pinvoke
+@{exec_path} = @{lib}/needrestart/apt-pinvoke
 profile needrestart-apt-pinvoke @{exec_path} {
   include <abstractions/base>
   include <abstractions/consoles>
@@ -14,10 +14,10 @@ profile needrestart-apt-pinvoke @{exec_path} {
 
   @{exec_path} mr,
 
-  /{usr/,}{s,}bin/needrestart  rPx,
+  @{bin}/{,ba,da}sh       rix,
-  /{usr/,}bin/{,ba,da}sh       rix,
+  @{bin}/dbus-send        rix,
-  /{usr/,}bin/dbus-send        rix,
+  @{bin}/needrestart      rPx,
-  /{usr/,}bin/rm               rix,
+  @{bin}/rm               rix,
 
   @{run}/needrestart/{,**} rw,
 

apparmor.d/profiles-m-r/needrestart-dpkg-status

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}lib/needrestart/dpkg-status
+@{exec_path} = @{lib}/needrestart/dpkg-status
 profile needrestart-dpkg-status @{exec_path} {
   include <abstractions/base>
   include <abstractions/consoles>
@@ -15,9 +15,9 @@ profile needrestart-dpkg-status @{exec_path} {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/{,ba,da}sh  rix,
+  @{bin}/{,ba,da}sh  rix,
-  /{usr/,}bin/mkdir       rix,
+  @{bin}/mkdir       rix,
-  /{usr/,}bin/touch       rix,
+  @{bin}/touch       rix,
 
   @{run}/needrestart/{,**} rw,
 

apparmor.d/profiles-m-r/needrestart-iucode-scan-versions

@@ -6,17 +6,17 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}lib/needrestart/iucode-scan-versions
+@{exec_path} = @{lib}/needrestart/iucode-scan-versions
 profile needrestart-iucode-scan-versions @{exec_path} {
   include <abstractions/base>
 
   @{exec_path} mr,
 
-  /{usr/,}{s,}bin/iucode_tool  rix,
+  @{bin}/iucode_tool  rix,
-  /{usr/,}bin/{,ba,da}sh       rix,
+  @{bin}/{,ba,da}sh       rix,
-  /{usr/,}bin/{,e}grep         rix,
+  @{bin}/{,e}grep         rix,
-  /{usr/,}bin/bsdtar           rix,
+  @{bin}/bsdtar           rix,
-  /{usr/,}bin/cat              rix,
+  @{bin}/cat              rix,
 
   /usr/share/misc/ r,
   /usr/share/misc/intel-microcode* r,

apparmor.d/profiles-m-r/nemo

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/nemo
+@{exec_path} = @{bin}/nemo
 profile nemo @{exec_path} {
   include <abstractions/base>
   include <abstractions/gtk>
@@ -32,9 +32,9 @@ profile nemo @{exec_path} {
 
   @{exec_path} mr,
 
-  /{usr/,}lib/@{multiarch}/nemo/** mrix,
+  @{lib}/@{multiarch}/nemo/** mrix,
 
-  /usr/libexec/gvfsd-*              rPx,
+  @{lib}/gvfsd-*              rPx,
 
   owner @{PROC}/@{pid}/mountinfo r,
   owner @{PROC}/@{pid}/mounts r,

apparmor.d/profiles-m-r/netcap

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/netcap
+@{exec_path} = @{bin}/netcap
 profile netcap @{exec_path} {
   include <abstractions/base>
   include <abstractions/consoles>

apparmor.d/profiles-m-r/nethogs

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}{s,}bin/nethogs
+@{exec_path} = @{bin}/nethogs
 profile nethogs @{exec_path} {
   include <abstractions/base>
   include <abstractions/nameservice-strict>

apparmor.d/profiles-m-r/netstat

@@ -9,7 +9,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/netstat
+@{exec_path} = @{bin}/netstat
 profile netstat @{exec_path} {
   include <abstractions/base>
   include <abstractions/consoles>

apparmor.d/profiles-m-r/newgidmap

@@ -7,7 +7,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/newgidmap
+@{exec_path} = @{bin}/newgidmap
 profile newgidmap @{exec_path} {
   include <abstractions/base>
   include <abstractions/nameservice-strict>

apparmor.d/profiles-m-r/newgrp

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/newgrp
+@{exec_path} = @{bin}/newgrp
 profile newgrp @{exec_path} {
   include <abstractions/base>
   include <abstractions/nameservice-strict>
@@ -27,8 +27,8 @@ profile newgrp @{exec_path} {
   @{exec_path} mr,
 
   # Shells to use
-  /{usr/,}bin/{,b,d,rb}ash rPUx,
+  @{bin}/{,b,d,rb}ash rPUx,
-  /{usr/,}bin/{c,k,tc,z}sh rPUx,
+  @{bin}/{c,k,tc,z}sh rPUx,
 
   /etc/{passwd,group,shadow,gshadow} r,
 

apparmor.d/profiles-m-r/newuidmap

@@ -7,7 +7,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/newuidmap
+@{exec_path} = @{bin}/newuidmap
 profile newuidmap @{exec_path} {
   include <abstractions/base>
   include <abstractions/nameservice-strict>

apparmor.d/profiles-m-r/nfsdcld

@@ -0,0 +1,16 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{bin}/nfsdcld
+profile nfsdcld @{exec_path} {
+  include <abstractions/base>
+
+  @{exec_path} mr,
+
+  include if exists <local/nfsdcld>
+}

apparmor.d/profiles-m-r/nft

@@ -7,7 +7,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}{s,}bin/nft
+@{exec_path} = @{bin}/nft
 profile nft @{exec_path} {
   include <abstractions/base>
   include <abstractions/nameservice-strict>

apparmor.d/profiles-m-r/nmap

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/nmap
+@{exec_path} = @{bin}/nmap
 profile nmap @{exec_path} {
   include <abstractions/base>
   include <abstractions/consoles>

apparmor.d/profiles-m-r/nologin

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}{s,}bin/nologin
+@{exec_path} = @{bin}/nologin
 profile nologin @{exec_path} {
   include <abstractions/base>
   include <abstractions/consoles>

apparmor.d/profiles-m-r/ntfs-3g

@@ -7,8 +7,8 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path}  = /{usr/,}bin/{low,}ntfs{,-3g}
+@{exec_path}  = @{bin}/{low,}ntfs{,-3g}
-@{exec_path} += /{usr/,}{s,}bin/mount.{low,}ntfs{,-3g}
+@{exec_path} += @{bin}/mount.{low,}ntfs{,-3g}
 profile ntfs-3g @{exec_path} {
   include <abstractions/base>
   include <abstractions/disks-write>
@@ -23,7 +23,7 @@ profile ntfs-3g @{exec_path} {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/kmod rPx,  # To load the fuse kernel module
+  @{bin}/kmod rPx,  # To load the fuse kernel module
 
   # Mount points
   @{MOUNTDIRS}/ r,

apparmor.d/profiles-m-r/ntfs-3g-probe

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/ntfs-3g.probe
+@{exec_path} = @{bin}/ntfs-3g.probe
 profile ntfs-3g-probe @{exec_path} {
   include <abstractions/base>
   include <abstractions/disks-write>

apparmor.d/profiles-m-r/ntfscat

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/ntfscat
+@{exec_path} = @{bin}/ntfscat
 profile ntfscat @{exec_path} {
   include <abstractions/base>
   include <abstractions/disks-read>

apparmor.d/profiles-m-r/ntfsclone

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}{s,}bin/ntfsclone
+@{exec_path} = @{bin}/ntfsclone
 profile ntfsclone @{exec_path} {
   include <abstractions/base>
   include <abstractions/disks-write>

apparmor.d/profiles-m-r/ntfscluster

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/ntfscluster
+@{exec_path} = @{bin}/ntfscluster
 profile ntfscluster @{exec_path} {
   include <abstractions/base>
   include <abstractions/disks-read>

apparmor.d/profiles-m-r/ntfscmp

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/ntfscmp
+@{exec_path} = @{bin}/ntfscmp
 profile ntfscmp @{exec_path} {
   include <abstractions/base>
   include <abstractions/disks-read>

apparmor.d/profiles-m-r/ntfscp

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}{s,}bin/ntfscp
+@{exec_path} = @{bin}/ntfscp
 profile ntfscp @{exec_path} {
   include <abstractions/base>
   include <abstractions/disks-write>

apparmor.d/profiles-m-r/ntfsdecrypt

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/ntfsdecrypt
+@{exec_path} = @{bin}/ntfsdecrypt
 profile ntfsdecrypt @{exec_path} {
   include <abstractions/base>
   include <abstractions/disks-read>

apparmor.d/profiles-m-r/ntfsfallocate

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/ntfsfallocate
+@{exec_path} = @{bin}/ntfsfallocate
 profile ntfsfallocate @{exec_path} {
   include <abstractions/base>
   include <abstractions/disks-write>

apparmor.d/profiles-m-r/ntfsfix

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/ntfsfix
+@{exec_path} = @{bin}/ntfsfix
 profile ntfsfix @{exec_path} {
   include <abstractions/base>
   include <abstractions/disks-write>

apparmor.d/profiles-m-r/ntfsinfo

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/ntfsinfo
+@{exec_path} = @{bin}/ntfsinfo
 profile ntfsinfo @{exec_path} {
   include <abstractions/base>
   include <abstractions/disks-read>

apparmor.d/profiles-m-r/ntfslabel

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}{s,}bin/ntfslabel
+@{exec_path} = @{bin}/ntfslabel
 profile ntfslabel @{exec_path} {
   include <abstractions/base>
   include <abstractions/disks-write>

apparmor.d/profiles-m-r/ntfsls

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/ntfsls
+@{exec_path} = @{bin}/ntfsls
 profile ntfsls @{exec_path} {
   include <abstractions/base>
   include <abstractions/disks-read>

apparmor.d/profiles-m-r/ntfsmove

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/ntfsmove
+@{exec_path} = @{bin}/ntfsmove
 profile ntfsmove @{exec_path} {
   include <abstractions/base>
   include <abstractions/disks-write>

apparmor.d/profiles-m-r/ntfsrecover

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/ntfsrecover
+@{exec_path} = @{bin}/ntfsrecover
 profile ntfsrecover @{exec_path} {
   include <abstractions/base>
   include <abstractions/disks-write>

apparmor.d/profiles-m-r/ntfsresize

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}{s,}bin/ntfsresize
+@{exec_path} = @{bin}/ntfsresize
 profile ntfsresize @{exec_path} {
   include <abstractions/base>
   include <abstractions/disks-write>

apparmor.d/profiles-m-r/ntfssecaudit

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/ntfssecaudit
+@{exec_path} = @{bin}/ntfssecaudit
 profile ntfssecaudit @{exec_path} {
   include <abstractions/base>
   include <abstractions/disks-write>

apparmor.d/profiles-m-r/ntfstruncate

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/ntfstruncate
+@{exec_path} = @{bin}/ntfstruncate
 profile ntfstruncate @{exec_path} {
   include <abstractions/base>
   include <abstractions/disks-write>

apparmor.d/profiles-m-r/ntfsundelete

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}{s,}bin/ntfsundelete
+@{exec_path} = @{bin}/ntfsundelete
 profile ntfsundelete @{exec_path} {
   include <abstractions/base>
   include <abstractions/disks-read>

apparmor.d/profiles-m-r/ntfsusermap

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/ntfsusermap
+@{exec_path} = @{bin}/ntfsusermap
 profile ntfsusermap @{exec_path} {
   include <abstractions/base>
   include <abstractions/disks-read>

apparmor.d/profiles-m-r/ntfswipe

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/ntfswipe
+@{exec_path} = @{bin}/ntfswipe
 profile ntfswipe @{exec_path} {
   include <abstractions/base>
   include <abstractions/disks-write>

apparmor.d/profiles-m-r/nullmailer-send

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}{s,}bin/nullmailer-send
+@{exec_path} = @{bin}/nullmailer-send
 profile nullmailer-send @{exec_path} {
   include <abstractions/base>
   include <abstractions/nameservice-strict>
@@ -14,7 +14,7 @@ profile nullmailer-send @{exec_path} {
 
   @{exec_path} mr,
 
-  /{usr/,}lib/nullmailer/smtp  rix,
+  @{lib}/nullmailer/smtp  rix,
 
   /etc/mailname r,
   /etc/nullmailer/{,*} r,

apparmor.d/profiles-m-r/numlockx

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/numlockx
+@{exec_path} = @{bin}/numlockx
 profile numlockx @{exec_path} {
   include <abstractions/base>
 

apparmor.d/profiles-m-r/nvidia-settings

@@ -0,0 +1,25 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{bin}/nvidia-settings
+profile nvidia-settings @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/dconf-write>
+  include <abstractions/fonts>
+  include <abstractions/opencl-nvidia>
+
+  @{exec_path} mr,
+
+  /usr/share/glib-2.0/schemas/gschemas.compiled r,
+  /usr/share/icons/{,**} r,
+  /usr/share/mime/mime.cache r,
+  /usr/share/pixmaps/{,**} r,
+  /usr/share/X11/xkb/{,**} r,
+
+  include if exists <local/nvidia-settings>
+}

apparmor.d/profiles-m-r/nvtop

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/nvtop
+@{exec_path} = @{bin}/nvtop
 profile nvtop @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/consoles>

apparmor.d/profiles-m-r/obamenu

@@ -6,15 +6,15 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/obamenu
+@{exec_path} = @{bin}/obamenu
 profile obamenu @{exec_path} {
   include <abstractions/base>
   include <abstractions/python>
 
   @{exec_path} r,
-  /{usr/,}bin/python3.[0-9]* rix,
+  @{bin}/python3.[0-9]* rix,
 
-  /{usr/,}bin/ r,
+  @{bin}/ r,
 
   /usr/share/*/*.desktop r,
 

apparmor.d/profiles-m-r/obconf

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/obconf
+@{exec_path} = @{bin}/obconf
 profile obconf @{exec_path} {
   include <abstractions/base>
   include <abstractions/dconf-write>

apparmor.d/profiles-m-r/obex-folder-listing

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/obex-folder-listing
+@{exec_path} = @{bin}/obex-folder-listing
 profile obex-folder-listing @{exec_path} {
   include <abstractions/base>
   include <abstractions/private-files-strict>

apparmor.d/profiles-m-r/obexautofs

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/obexautofs
+@{exec_path} = @{bin}/obexautofs
 profile obexautofs @{exec_path} {
   include <abstractions/base>
 
@@ -17,7 +17,7 @@ profile obexautofs @{exec_path} {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/fusermount{,3} rCx -> fusermount,
+  @{bin}/fusermount{,3} rCx -> fusermount,
 
   owner @{HOME}/*/ r,
   owner @{HOME}/*/*/ r,
@@ -47,7 +47,7 @@ profile obexautofs @{exec_path} {
     # To mount anything:
     capability sys_admin,
 
-    /{usr/,}bin/fusermount{,3} mr,
+    @{bin}/fusermount{,3} mr,
 
     /etc/fuse.conf r,
 

apparmor.d/profiles-m-r/obexctl

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/obexctl
+@{exec_path} = @{bin}/obexctl
 profile obexctl @{exec_path} {
   include <abstractions/base>
 

apparmor.d/profiles-m-r/obexd

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{libexec}/bluetooth/obexd
+@{exec_path} = @{lib}/bluetooth/obexd
 profile obexd @{exec_path} {
   include <abstractions/base>
   include <abstractions/user-download-strict>

apparmor.d/profiles-m-r/obexfs

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/obexfs
+@{exec_path} = @{bin}/obexfs
 profile obexfs @{exec_path} {
   include <abstractions/base>
 
@@ -16,7 +16,7 @@ profile obexfs @{exec_path} {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/fusermount{,3} rCx -> fusermount,
+  @{bin}/fusermount{,3} rCx -> fusermount,
 
   owner @{HOME}/*/ r,
   owner @{HOME}/*/*/ r,
@@ -36,7 +36,7 @@ profile obexfs @{exec_path} {
 
     network bluetooth stream,
 
-    /{usr/,}bin/fusermount{,3} mr,
+    @{bin}/fusermount{,3} mr,
 
     /etc/fuse.conf r,
 

apparmor.d/profiles-m-r/obexpush-atd

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/obexpush_atd
+@{exec_path} = @{bin}/obexpush_atd
 profile obexpush-atd @{exec_path} {
   include <abstractions/base>
 

apparmor.d/profiles-m-r/obexpushd

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/obexpushd
+@{exec_path} = @{bin}/obexpushd
 profile obexpushd @{exec_path} {
   include <abstractions/base>
 

apparmor.d/profiles-m-r/obxprop

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/obxprop
+@{exec_path} = @{bin}/obxprop
 profile obxprop @{exec_path} {
   include <abstractions/base>
 

apparmor.d/profiles-m-r/on-ac-power

@@ -6,15 +6,15 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}{s,}bin/on_ac_power
+@{exec_path} = @{bin}/on_ac_power
 profile on-ac-power @{exec_path} {
   include <abstractions/base>
 
   @{exec_path} r,
-  /{usr/,}bin/{,ba,da}sh rix,
+  @{bin}/{,ba,da}sh rix,
 
-  /{usr/,}bin/{m,g,}awk  rix,
+  @{bin}/{m,g,}awk  rix,
-  /{usr/,}bin/cat        rix,
+  @{bin}/cat        rix,
 
   @{sys}/class/power_supply/ r,
   @{sys}/devices/**/power_supply/**/{online,type} r,

apparmor.d/profiles-m-r/onefetch

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/onefetch
+@{exec_path} = @{bin}/onefetch
 profile onefetch @{exec_path} {
   include <abstractions/base>
   include <abstractions/openssl>
@@ -14,7 +14,7 @@ profile onefetch @{exec_path} {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/git  rPx,
+  @{bin}/git  rPx,
 
   owner @{user_config_dirs}/git/{,**} r,
   owner @{user_projects_dirs}/{,**} r,

apparmor.d/profiles-m-r/openbox

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/openbox
+@{exec_path} = @{bin}/openbox
 profile openbox @{exec_path} {
   include <abstractions/base>
   include <abstractions/fonts>
@@ -18,14 +18,13 @@ profile openbox @{exec_path} {
 
   @{exec_path} mr,
 
-  /{usr/,}lib/@{multiarch}/openbox-autostart rCx -> autostart,
+  @{lib}/@{multiarch}/openbox-autostart rCx -> autostart,
 
   # Apps allowed to run
-  /{usr/,}sbin/*                     rPUx,
+  @{bin}/*                     rPUx,
-  /{usr/,}bin/*                      rPUx,
+  @{lib}/@{multiarch}/*/**     rPUx,
+  @{lib}/*                     rPUx,
   /usr/local/bin/*             rPUx,
-  @{libexec}/*               rPUx,
-  /{usr/,}lib/@{multiarch}/*/**      rPUx,
 
   /usr/share/themes/*/openbox-3/themerc r,
 
@@ -54,18 +53,17 @@ profile openbox @{exec_path} {
   profile autostart {
     include <abstractions/base>
 
-    /{usr/,}lib/@{multiarch}/openbox-autostart mr,
+    @{lib}/@{multiarch}/openbox-autostart mr,
-    /{usr/,}lib/@{multiarch}/openbox-xdg-autostart rix,
+    @{lib}/@{multiarch}/openbox-xdg-autostart rix,
 
-    /{usr/,}bin/{,ba,da}sh rix,
+    @{bin}/{,ba,da}sh rix,
-    /{usr/,}bin/which{,.debianutils}      rix,
+    @{bin}/which{,.debianutils}      rix,
 
     # Apps allowed to run
-    /{usr/,}sbin/*                     rPUx,
+    @{bin}/*                      rPUx,
-    /{usr/,}bin/*                      rPUx,
     /usr/local/bin/*              rPUx,
-    @{libexec}/*               rPUx,
+    @{lib}/*                      rPUx,
-    /{usr/,}lib/@{multiarch}/*/**      rPUx,
+    @{lib}/@{multiarch}/*/**      rPUx,
 
     /usr/local/lib/python*/dist-packages/ r,
 
@@ -76,7 +74,7 @@ profile openbox @{exec_path} {
     /etc/xdg/autostart/{,*} r,
 
     # Silencer
-    deny /{usr/,}lib/python3/** w,
+    deny @{lib}/python3/** w,
     deny owner @{HOME}/.local/lib/python*/site-packages/ r,
 
     # file_inherit

apparmor.d/profiles-m-r/openbox-session

@@ -6,15 +6,15 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/openbox-session
+@{exec_path} = @{bin}/openbox-session
 profile openbox-session @{exec_path} {
   include <abstractions/base>
 
   @{exec_path} r,
-  /{usr/,}bin/{,ba,da}sh rix,
+  @{bin}/{,ba,da}sh rix,
 
-  /{usr/,}bin/xprop      rPx,
+  @{bin}/xprop      rPx,
-  /{usr/,}bin/openbox    rPx,
+  @{bin}/openbox    rPx,
 
   /etc/xdg/openbox/environment r,
   owner @{user_config_dirs}/openbox/environment r,

apparmor.d/profiles-m-r/orage

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/orage
+@{exec_path} = @{bin}/orage
 profile orage @{exec_path} {
   include <abstractions/base>
   include <abstractions/gtk>
@@ -18,11 +18,11 @@ profile orage @{exec_path} {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/globaltime rPx,
+  @{bin}/globaltime rPx,
 
-  /{usr/,}bin/xdg-open   rCx -> open,
+  @{bin}/xdg-open   rCx -> open,
-  /{usr/,}bin/exo-open   rCx -> open,
+  @{bin}/exo-open   rCx -> open,
-  /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop rCx -> open,
+  @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rCx -> open,
 
   owner @{user_config_dirs}/orage/ rw,
   owner @{user_config_dirs}/orage/* rw,
@@ -37,7 +37,7 @@ profile orage @{exec_path} {
   /etc/fstab r,
 
   # Allowed apps to open
-  /{usr/,}lib/firefox/firefox rPUx,
+  @{lib}/firefox/firefox rPUx,
 
   # file_inherit
   owner /dev/tty[0-9]* rw,
@@ -47,19 +47,19 @@ profile orage @{exec_path} {
     include <abstractions/base>
     include <abstractions/xdg-open>
 
-    /{usr/,}bin/xdg-open mr,
+    @{bin}/xdg-open mr,
 
-    /{usr/,}bin/{,ba,da}sh      rix,
+    @{bin}/{,ba,da}sh      rix,
-    /{usr/,}bin/{m,g,}awk       rix,
+    @{bin}/{m,g,}awk       rix,
-    /{usr/,}bin/readlink        rix,
+    @{bin}/readlink        rix,
-    /{usr/,}bin/basename        rix,
+    @{bin}/basename        rix,
 
     owner @{HOME}/ r,
 
     owner @{run}/user/@{uid}/ r,
 
     # Allowed apps to open
-    /{usr/,}lib/firefox/firefox rPUx,
+    @{lib}/firefox/firefox rPUx,
 
     # file_inherit
     owner @{HOME}/.xsession-errors w,

apparmor.d/profiles-m-r/os-prober

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/os-prober
+@{exec_path} = @{bin}/os-prober
 profile os-prober @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/consoles>
@@ -18,32 +18,32 @@ profile os-prober @{exec_path} flags=(attach_disconnected) {
 
   @{exec_path} mrix,
 
-  /{usr/,}{s,}bin/blkid         rPx,
+  @{bin}/{,ba,da}sh        rix,
-  /{usr/,}{s,}bin/dmraid       rPUx,
+  @{bin}/{e,f,}grep        rix,
-  /{usr/,}{s,}bin/lvm           rPx,
+  @{bin}/blkid             rPx,
-  /{usr/,}bin/{,ba,da}sh        rix,
+  @{bin}/cut               rix,
-  /{usr/,}bin/{e,f,}grep        rix,
+  @{bin}/dmraid           rPUx,
-  /{usr/,}bin/cut               rix,
+  @{bin}/find              rix,
-  /{usr/,}bin/find              rix,
+  @{bin}/grub-mount        rPx,
-  /{usr/,}bin/grub-mount        rPx,
+  @{bin}/grub-probe        rPx,
-  /{usr/,}bin/grub-probe        rPx,
+  @{bin}/head              rix,
-  /{usr/,}bin/head              rix,
+  @{bin}/kmod              rPx,
-  /{usr/,}bin/kmod              rPx,
+  @{bin}/logger            rix,
-  /{usr/,}bin/logger            rix,
+  @{bin}/ls                rix,
-  /{usr/,}bin/ls                rix,
+  @{bin}/lsblk             rPx,
-  /{usr/,}bin/lsblk             rPx,
+  @{bin}/lvm               rPx,
-  /{usr/,}bin/mkdir             rix,
+  @{bin}/mkdir             rix,
-  /{usr/,}bin/mktemp            rix,
+  @{bin}/mktemp            rix,
-  /{usr/,}bin/readlink          rix,
+  @{bin}/readlink          rix,
-  /{usr/,}bin/rm                rix,
+  @{bin}/rm                rix,
-  /{usr/,}bin/rmdir             rix,
+  @{bin}/rmdir             rix,
-  /{usr/,}bin/sed               rix,
+  @{bin}/sed               rix,
-  /{usr/,}bin/udevadm           rPx,
+  @{bin}/udevadm           rPx,
-  /{usr/,}bin/umount            rix,
+  @{bin}/umount            rix,
-  /{usr/,}bin/uname             rix,
+  @{bin}/uname             rix,
-  /{usr/,}lib/newns             rix,
+  @{lib}/newns             rix,
-  /{usr/,}lib/os-prober/*       rix,
+  @{lib}/os-prober/*       rix,
-  /{usr/,}lib/os-probes/{,**}   rix,
+  @{lib}/os-probes/{,**}   rix,
 
   /usr/share/os-prober/common.sh r,
   /usr/share/terminfo/x/xterm-256color r,

apparmor.d/profiles-m-r/packagekitd

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{libexec}/packagekitd
+@{exec_path} = @{lib}/packagekitd
 profile packagekitd @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/dbus-strict>
@@ -82,32 +82,32 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) {
   
   @{exec_path} mr,
 
-  /{usr/,}bin/gpg{,2}  rCx -> gpg,
+  @{bin}/gpg{,2}  rCx -> gpg,
-  /{usr/,}bin/gpgconf  rCx -> gpg,
+  @{bin}/gpgconf  rCx -> gpg,
-  /{usr/,}bin/gpgsm    rCx -> gpg,
+  @{bin}/gpgsm    rCx -> gpg,
 
-  /{usr/,}{s,}bin/ldconfig   rix,
+  @{bin}/{,ba,da}sh     rix,
-  /{usr/,}bin/{,ba,da}sh     rix,
+  @{bin}/cp             rix,
-  /{usr/,}bin/cp             rix,
+  @{bin}/echo           rix,
-  /{usr/,}bin/echo           rix,
+  @{bin}/gdbus          rix,
-  /{usr/,}bin/gdbus          rix,
+  @{bin}/gzip           rix,
-  /{usr/,}bin/gzip           rix,
+  @{bin}/ischroot       rix,
-  /{usr/,}bin/ischroot       rix,
+  @{bin}/ldconfig       rix,
-  /{usr/,}bin/repo2solv      rix,
+  @{bin}/repo2solv      rix,
-  /{usr/,}bin/tar            rix,
+  @{bin}/tar            rix,
-  /{usr/,}bin/test           rix,
+  @{bin}/test           rix,
-  /{usr/,}bin/touch          rix,
+  @{bin}/touch          rix,
 
-  /{usr/,}bin/appstreamcli                rPx,
+  @{bin}/appstreamcli                rPx,
-  /{usr/,}bin/arch-audit                  rPx,
+  @{bin}/arch-audit                  rPx,
-  /{usr/,}bin/dpkg                        rPx -> child-dpkg,
+  @{bin}/dpkg                        rPx -> child-dpkg,
-  /{usr/,}bin/glib-compile-schemas        rPx,
+  @{bin}/glib-compile-schemas        rPx,
-  /{usr/,}bin/systemd-inhibit             rPx,
+  @{bin}/systemd-inhibit             rPx,
-  /{usr/,}bin/update-desktop-database     rPx,
+  @{bin}/update-desktop-database     rPx,
-  /{usr/,}lib/apt/methods/*               rPx,
+  @{lib}/apt/methods/*               rPx,
-  /{usr/,}lib/cnf-update-db               rPx,
+  @{lib}/cnf-update-db               rPx,
-  /{usr/,}lib/update-notifier/update-motd-updates-available  rPx,
+  @{lib}/update-notifier/update-motd-updates-available  rPx,
-  /{usr/,}lib/zypp/plugins/appdata/InstallAppdata rPUx, # TODO: write the profile
+  @{lib}/zypp/plugins/appdata/InstallAppdata rPUx, # TODO: write the profile
   /usr/share/libalpm/scripts/*            rPx,
 
   # Install/update packages
@@ -146,12 +146,12 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) {
 
     capability dac_read_search,
 
-    /{usr/,}bin/gpg{,2}  mr,
+    @{bin}/gpg{,2}  mr,
-    /{usr/,}bin/gpgconf  mr,
+    @{bin}/gpgconf  mr,
-    /{usr/,}bin/gpgsm    mr,
+    @{bin}/gpgsm    mr,
 
-    /{usr/,}bin/gpg-agent rix,
+    @{bin}/gpg-agent rix,
-    /{usr/,}bin/scdaemon  rix,
+    @{bin}/scdaemon  rix,
 
     /etc/gcrypt/hwf.deny r,
 

apparmor.d/profiles-m-r/pacmd

@@ -7,7 +7,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/pacmd
+@{exec_path} = @{bin}/pacmd
 profile pacmd @{exec_path} {
   include <abstractions/base>
   include <abstractions/consoles>

apparmor.d/profiles-m-r/pactl

@@ -7,7 +7,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/pactl
+@{exec_path} = @{bin}/pactl
 profile pactl @{exec_path} {
   include <abstractions/base>
   include <abstractions/audio>

apparmor.d/profiles-m-r/pagesize

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/pagesize
+@{exec_path} = @{bin}/pagesize
 profile pagesize @{exec_path} {
   include <abstractions/base>
 

apparmor.d/profiles-m-r/pam-auth-update

@@ -6,17 +6,17 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}{s,}bin/pam-auth-update
+@{exec_path} = @{bin}/pam-auth-update
 profile pam-auth-update @{exec_path} flags=(complain) {
   include <abstractions/base>
   include <abstractions/consoles>
   include <abstractions/perl>
 
   @{exec_path} mr,
-  /{usr/,}bin/perl r,
+  @{bin}/perl r,
 
-  /{usr/,}bin/md5sum rix,
+  @{bin}/md5sum rix,
-  /{usr/,}bin/cp     rix,
+  @{bin}/cp     rix,
 
   # Think what to do about this (#FIXME#)
   /usr/share/debconf/frontend     rPx,
@@ -34,13 +34,13 @@ profile pam-auth-update @{exec_path} flags=(complain) {
     include <abstractions/nameservice-strict>
 
     /usr/share/debconf/frontend r,
-    /{usr/,}bin/perl r,
+    @{bin}/perl r,
 
-    /{usr/,}{s,}bin/pam-auth-update rPx,
+    @{bin}/pam-auth-update rPx,
 
-    /{usr/,}bin/{,ba,da}sh       rix,
+    @{bin}/{,ba,da}sh       rix,
-    /{usr/,}bin/stty             rix,
+    @{bin}/stty             rix,
-    /{usr/,}bin/locale           rix,
+    @{bin}/locale           rix,
 
     /etc/debconf.conf r,
     owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk,
@@ -52,8 +52,8 @@ profile pam-auth-update @{exec_path} flags=(complain) {
     include <abstractions/fontconfig-cache-read>
     include <abstractions/freedesktop.org>
     capability dac_read_search,
-    /{usr/,}bin/lsb_release rPx -> lsb_release,
+    @{bin}/lsb_release rPx -> lsb_release,
-    /{usr/,}bin/hostname    rix,
+    @{bin}/hostname    rix,
     owner @{PROC}/@{pid}/mounts r,
     @{HOME}/.Xauthority r,
 

apparmor.d/profiles-m-r/pam/mappings

@@ -21,8 +21,8 @@
   /etc/default/su r,
   @{etc_ro}/environment r,
   @{HOMEDIRS}/.xauth* w,
-  /{usr/,}bin/{,b,d,rb}ash Px -> default_user,
+  @{bin}/{,b,d,rb}ash Px -> default_user,
-  /{usr/,}bin/{c,k,tc,z}sh Px -> default_user,
+  @{bin}/{c,k,tc,z}sh Px -> default_user,
 }
 
 # USER is a confined user. The hat contains only the permissions necessary
@@ -37,8 +37,8 @@
   capability setgid,
   capability setuid,
 
-  /{usr/,}bin/{,b,d,rb}ash Px -> confined_user,
+  @{bin}/{,b,d,rb}ash Px -> confined_user,
-  /{usr/,}bin/{c,k,tc,z}sh Px -> confined_user,
+  @{bin}/{c,k,tc,z}sh Px -> confined_user,
 
   /etc/default/su r,
   @{etc_ro}/environment r,
@@ -59,8 +59,8 @@
   capability setgid,
   capability setuid,
 
-  /{usr/,}bin/{,b,d,rb}ash Ux,
+  @{bin}/{,b,d,rb}ash Ux,
-  /{usr/,}bin/{c,k,tc,z}sh Ux,
+  @{bin}/{c,k,tc,z}sh Ux,
 
   /etc/default/su r,
   @{etc_ro}/environment r,

apparmor.d/profiles-m-r/pam_roles

@@ -23,7 +23,7 @@ profile default_user flags=(complain) {
 
   deny capability sys_ptrace,
 
-  /{usr/,}bin/**  Pixmr,
+  @{bin}/**  Pixmr,
 
   owner /** rkl,
   @{PROC}/** r,
@@ -43,7 +43,7 @@ profile confined_user flags=(complain) {
 
   deny capability sys_ptrace,
 
-  /{usr/,}bin/**  Pixmr,
+  @{bin}/**  Pixmr,
   owner @{HOMEDIRS}/bin/** ixmr,
   owner @{user_bin_dirs}/** ixmr,
 

apparmor.d/profiles-m-r/parted

@@ -7,7 +7,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}{s,}bin/parted
+@{exec_path} = @{bin}/parted
 profile parted @{exec_path} {
   include <abstractions/base>
   include <abstractions/disks-write>
@@ -28,11 +28,11 @@ profile parted @{exec_path} {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/{,ba,da}sh rix,
+  @{bin}/{,ba,da}sh rix,
 
-  /{usr/,}bin/udevadm    rCx -> udevadm,
+  @{bin}/udevadm    rCx -> udevadm,
 
-  /{usr/,}{s,}bin/dmidecode rPx,
+  @{bin}/dmidecode rPx,
 
   /etc/inputrc r,
 
@@ -51,7 +51,7 @@ profile parted @{exec_path} {
 
     ptrace (read),
 
-    /{usr/,}bin/udevadm mr,
+    @{bin}/udevadm mr,
 
     /etc/udev/udev.conf r,