From 7f38dd255e89851cd657b028268dc4c6fcbf4e7f Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 1 Dec 2023 13:22:45 +0000 Subject: [PATCH] feat(profile): general update. --- apparmor.d/groups/freedesktop/pipewire | 8 +- .../groups/gnome/epiphany-search-provider | 5 + .../gnome/evolution-addressbook-factory | 2 - .../groups/gnome/evolution-alarm-notify | 2 +- apparmor.d/groups/gnome/gdm-xsession | 3 - apparmor.d/groups/gnome/gnome-extension-ding | 4 +- apparmor.d/groups/gnome/gnome-terminal-server | 9 +- apparmor.d/groups/gnome/gsd-printer | 14 +- apparmor.d/groups/systemd/coredumpctl | 5 +- .../groups/systemd/systemd-generator-fstab | 1 + apparmor.d/groups/ubuntu/apport-checkreports | 1 + apparmor.d/profiles-a-f/font-manager | 16 +- apparmor.d/profiles-g-l/glxinfo | 10 +- apparmor.d/profiles-m-r/qbittorrent | 192 +++++------------- apparmor.d/profiles-s-z/snapd-apparmor | 3 +- apparmor.d/profiles-s-z/spice-vdagent | 2 +- apparmor.d/profiles-s-z/wireplumber | 2 + 17 files changed, 93 insertions(+), 186 deletions(-) diff --git a/apparmor.d/groups/freedesktop/pipewire b/apparmor.d/groups/freedesktop/pipewire index 97b85bf6..772301a4 100644 --- a/apparmor.d/groups/freedesktop/pipewire +++ b/apparmor.d/groups/freedesktop/pipewire @@ -49,13 +49,9 @@ profile pipewire @{exec_path} flags=(attach_disconnected) { @{bin}/pactl rix, @{bin}/pipewire-media-session rPx, - /usr/share/pipewire/pipewire*.conf r, + /usr/share/pipewire/{,**} r, - /etc/gnutls/config r, - /etc/pipewire/client.conf r, - /etc/pipewire/pipewire-pulse.conf.d/{,*} r, - /etc/pipewire/pipewire.conf r, - /etc/pipewire/pipewire.conf.d/{,*} r, + /etc/pipewire/{,**} r, /var/lib/gdm{3,}/.config/pulse/cookie rk, diff --git a/apparmor.d/groups/gnome/epiphany-search-provider b/apparmor.d/groups/gnome/epiphany-search-provider index 6a316a27..ca4c2ee3 100644 --- a/apparmor.d/groups/gnome/epiphany-search-provider +++ b/apparmor.d/groups/gnome/epiphany-search-provider 
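Review bot: `/etc/gnutls/config r` is dropped from pipewire here, and the same line is removed from evolution-addressbook-factory and gsd-printer later in the patch, while nothing in the diff adds it anywhere else; if it has moved into an abstraction the include names are not legible in this rendering, so the commit message should say which one, otherwise these three profiles start logging denials on that read. The replacement globs `/usr/share/pipewire/{,**} r` and `/etc/pipewire/{,**} r` are read-only and reasonable for configuration trees, but they now cover every file and subdirectory under those paths rather than the named `.conf` files and `.conf.d/{,*}` entries they replace, so a one-line comment recording that the whole tree is intended would help the next reader.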
@@ -12,6 +12,7 @@ profile epiphany-search-provider @{exec_path} { include include include + include include include include @@ -35,15 +36,19 @@ profile epiphany-search-provider @{exec_path} { owner @{user_cache_dirs}/epiphany/{,**} rwk, owner @{user_share_dirs}/epiphany/{,**} rwk, + @{sys}/devices/virtual/dmi/id/chassis_type r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/dbus.service/memory.* r, @{PROC}/driver/nvidia/params r, @{PROC}/modules r, @{PROC}/sys/dev/i915/perf_stream_paranoid r, + @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r, @{PROC}/zoneinfo r, owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/comm r, + deny @{user_share_dirs}/gvfs-metadata/* r, + include if exists } \ No newline at end of file diff --git a/apparmor.d/groups/gnome/evolution-addressbook-factory b/apparmor.d/groups/gnome/evolution-addressbook-factory index da7e5239..b77fd63f 100644 --- a/apparmor.d/groups/gnome/evolution-addressbook-factory +++ b/apparmor.d/groups/gnome/evolution-addressbook-factory @@ -63,8 +63,6 @@ profile evolution-addressbook-factory @{exec_path} { /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/icu/@{int}.@{int}/*.dat r, - /etc/gnutls/config r, - owner @{user_share_dirs}/evolution/{,**} rwk, owner @{user_cache_dirs}/evolution/addressbook/{,**} rwk, diff --git a/apparmor.d/groups/gnome/evolution-alarm-notify b/apparmor.d/groups/gnome/evolution-alarm-notify index 1d412316..2eaf5366 100644 --- a/apparmor.d/groups/gnome/evolution-alarm-notify +++ b/apparmor.d/groups/gnome/evolution-alarm-notify @@ -1,5 +1,5 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2021 Alexandre Pujol +# Copyright (C) 2021-2023 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , diff --git a/apparmor.d/groups/gnome/gdm-xsession b/apparmor.d/groups/gnome/gdm-xsession index 0ff4b066..339e9bdf 100644 --- a/apparmor.d/groups/gnome/gdm-xsession +++ b/apparmor.d/groups/gnome/gdm-xsession 
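Review bot: the new silencer `deny @{user_share_dirs}/gvfs-metadata/* r` uses a different glob than the equivalent line this patch writes in font-manager, `deny @{user_share_dirs}/gvfs-metadata/{,*} r`, so here a read of the directory itself is not silenced; `deny @{user_share_dirs}/gvfs-metadata/{,*} r,` keeps the two profiles consistent. The `\ No newline at end of file` marker shows the closing `}` still lacks a trailing newline, which is easy to fix while the file is being touched. The added `@{sys}/devices/virtual/dmi/id/chassis_type r` and `@{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r` are harmless world-readable reads, but a short comment on why a search provider consults the chassis type would document the grant.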
@@ -61,7 +61,6 @@ profile gdm-xsession @{exec_path} { owner /tmp/gdm{3,}-config-err-@{rand6} rw, - # file_inherit /dev/tty@{int} rw, profile dbus { @@ -81,10 +80,8 @@ profile gdm-xsession @{exec_path} { member=SetEnvironment peer=(name=org.freedesktop.systemd[0-9]*), - # file_inherit /dev/tty rw, /dev/tty@{int} rw, - owner @{HOME}/.xsession-errors w, include if exists } diff --git a/apparmor.d/groups/gnome/gnome-extension-ding b/apparmor.d/groups/gnome/gnome-extension-ding index 16ab52de..63104097 100644 --- a/apparmor.d/groups/gnome/gnome-extension-ding +++ b/apparmor.d/groups/gnome/gnome-extension-ding @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /usr/share/gnome-shell/extensions/ding@rastersoft.com/ding.js +@{exec_path} = /usr/share/gnome-shell/extensions/ding@rastersoft.com/{,app/}ding.js profile gnome-extension-ding @{exec_path} { include include @@ -150,7 +150,7 @@ profile gnome-extension-ding @{exec_path} { @{bin}/gnome-control-center rPx, @{bin}/nautilus rPx, - /usr/share/gnome-shell/extensions/ding@rastersoft.com/* r, + /usr/share/gnome-shell/extensions/ding@rastersoft.com/{,app/}* r, /usr/share/thumbnailers/{,*.thumbnailer} r, /usr/share/X11/{,**} r, diff --git a/apparmor.d/groups/gnome/gnome-terminal-server b/apparmor.d/groups/gnome/gnome-terminal-server index ecaeca02..abcc7450 100644 --- a/apparmor.d/groups/gnome/gnome-terminal-server +++ b/apparmor.d/groups/gnome/gnome-terminal-server @@ -17,6 +17,7 @@ profile gnome-terminal-server @{exec_path} { include include include + include signal (send) set=(term hup kill) peer=unconfined, ptrace (read) peer=unconfined, 
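Review bot: `owner @{HOME}/.xsession-errors w` is removed from the `dbus` subprofile while `/dev/tty@{int} rw`, which the deleted `# file_inherit` comment grouped with it, is kept, so the reason the two inherited descriptors are now treated differently is not visible; the same `.xsession-errors w` removal appears in glxinfo and in the qbittorrent `open` subprofile in this patch. If the session's stderr is still redirected to `~/.xsession-errors` when the dbus child is started, the inherited descriptor is denied on the transition and that child's error output is lost; if the rule has moved to an abstraction, naming it in the commit message would settle this. The `profile dbus` block continues outside the hunk.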
@@ -43,13 +44,15 @@ profile gnome-terminal-server @{exec_path} { /var/lib/flatpak/exports/share/icons/{,**} r, /var/lib/snapd/desktop/icons/{,**} r, + /etc/pulse/client.conf r, + /etc/pulse/client.conf.d/{,**} r, /etc/shells r, owner @{user_config_dirs}/*xdg-terminals.list* rw, + owner @{user_config_dirs}/pulse/cookie r, - owner @{run}/user/@{uid}/gdm/Xauthority r, - - owner /tmp/#@{int} rw, + owner @{run}/user/@{uid}/pulse/ r, + owner @{run}/user/@{uid}/pulse/native rw, @{PROC}/@{pids}/cmdline r, @{PROC}/@{pids}/cgroup r, diff --git a/apparmor.d/groups/gnome/gsd-printer b/apparmor.d/groups/gnome/gsd-printer index 59780e66..def8a6eb 100644 --- a/apparmor.d/groups/gnome/gsd-printer +++ b/apparmor.d/groups/gnome/gsd-printer @@ -16,15 +16,9 @@ profile gsd-printer @{exec_path} flags=(attach_disconnected) { signal (receive) set=(term, hup) peer=gdm*, signal (receive) set=(hup) peer=gsd-print-notifications, - dbus send bus=system path=/org/freedesktop/DBus - interface=org.freedesktop.DBus - member={ReleaseName,RequestName}, + dbus bind bus=system name=com.redhat.NewPrinterNotification, - dbus bind bus=system - name=com.redhat.NewPrinterNotification, - - dbus bind bus=system - name=com.redhat.PrinterDriversInstaller, + dbus bind bus=system name=com.redhat.PrinterDriversInstaller, dbus (send,receive) bus=session path=/org/gnome/SessionManager interface=org.gnome.SessionManager @@ -52,10 +46,6 @@ profile gsd-printer @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - /etc/gnutls/config r, - - owner /tmp/[a-z0-9]* rw, - owner @{PROC}/@{pid}/cgroup r, owner /dev/tty@{int} rw, diff --git a/apparmor.d/groups/systemd/coredumpctl b/apparmor.d/groups/systemd/coredumpctl index 409e170e..f21a12e6 100644 --- a/apparmor.d/groups/systemd/coredumpctl +++ b/apparmor.d/groups/systemd/coredumpctl 
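Review bot: the added PulseAudio rules (`/etc/pulse/client.conf r`, `/etc/pulse/client.conf.d/{,**} r`, `owner @{user_config_dirs}/pulse/cookie r`, `owner @{run}/user/@{uid}/pulse/native rw`) duplicate what the stock `abstractions/audio` abstraction already grants; unless the include added in the previous hunk is that abstraction, `include <abstractions/audio>` would replace them and track upstream changes to the socket paths. The `client.conf.d/{,**}` glob is wider than needed for a flat drop-in directory; `client.conf.d/{,*}` would be the tighter form. Silently dropping `owner /tmp/#@{int} rw` and the gdm `Xauthority` read is fine only if denials were re-checked against a current session; the profile body continues outside the hunk.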
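Review bot: the `dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={ReleaseName,RequestName}` rule is deleted and only the two `dbus bind` rules remain; the same send rule is removed from qbittorrent's session-bus section later in the patch. A bind rule covers owning the name, but the `RequestName`/`ReleaseName` method calls to the bus driver are still mediated as send operations, so unless an abstraction now supplies that send rule (the include names are not legible here) name registration will be denied; the commit message should state where it moved. Collapsing each `dbus bind` onto one line is a pure style change and reads fine.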
@@ -12,7 +12,9 @@ profile coredumpctl @{exec_path} flags=(complain) { include include + capability dac_read_search, capability net_admin, + capability sys_resource, signal (send) peer=child-pager, @@ -40,6 +42,7 @@ profile coredumpctl @{exec_path} flags=(complain) { owner /var/tmp/coredump-* rw, @{PROC}/1/cgroup r, + @{PROC}/sys/fs/nr_open r, owner @{PROC}/@{pid}/cgroup r, profile gdb { @@ -67,7 +70,7 @@ profile coredumpctl @{exec_path} flags=(complain) { @{PROC}/@{pids}/fd/ r, - + include if exists } include if exists diff --git a/apparmor.d/groups/systemd/systemd-generator-fstab b/apparmor.d/groups/systemd/systemd-generator-fstab index 2ce7c16a..398d5efd 100644 --- a/apparmor.d/groups/systemd/systemd-generator-fstab +++ b/apparmor.d/groups/systemd/systemd-generator-fstab @@ -12,6 +12,7 @@ profile systemd-generator-fstab @{exec_path} { include capability dac_override, + capability dac_read_search, @{exec_path} mr, diff --git a/apparmor.d/groups/ubuntu/apport-checkreports b/apparmor.d/groups/ubuntu/apport-checkreports index 18bd53aa..d1c9a8c2 100644 --- a/apparmor.d/groups/ubuntu/apport-checkreports +++ b/apparmor.d/groups/ubuntu/apport-checkreports @@ -23,6 +23,7 @@ profile apport-checkreports @{exec_path} { /etc/apt/apt.conf.d/{,**} r, /etc/default/apport r, + /etc/login.defs r, /var/crash/ r, diff --git a/apparmor.d/profiles-a-f/font-manager b/apparmor.d/profiles-a-f/font-manager index e6a60fd1..8239fdb0 100644 --- a/apparmor.d/profiles-a-f/font-manager +++ b/apparmor.d/profiles-a-f/font-manager @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2021 Mikhail Morfikov +# Copyright (C) 2021-2023 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , 
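Review bot: `capability dac_read_search` and `capability sys_resource` are added without a comment saying which access needs them, and `dac_read_search` is also added to systemd-generator-fstab in this patch next to its existing `dac_override`. `dac_read_search` bypasses file-read and directory-search checks on the whole filesystem (and unlocks open_by_handle_at), so in a profile that is still in `complain` mode it is worth recording the denial that prompted it, for example `capability dac_read_search, # read core files owned by other users` if that is the case; the `sys_resource` grant likely pairs with the new `@{PROC}/sys/fs/nr_open r` for raising the fd limit, which a comment could confirm. For systemd-generator-fstab, `dac_override` already overrides read checks, so a note on which path still audits `dac_read_search` would explain why both are kept.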
@@ -50,17 +51,14 @@ profile font-manager @{exec_path} { @{sys}/firmware/acpi/pm_profile r, @{sys}/fs/cgroup/{,**} r, - owner @{PROC}/@{pid}/cgroup r, - owner @{PROC}/@{pid}/fd/ r, - owner @{PROC}/@{pid}/statm r, - owner @{PROC}/@{pid}/cmdline r, - owner @{PROC}/@{pid}/smaps r, @{PROC}/zoneinfo r, + owner @{PROC}/@{pid}/cgroup r, + owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/smaps r, + owner @{PROC}/@{pid}/statm r, - # Silencer - owner /var/cache/fontconfig/ w, - deny /var/cache/fontconfig/ w, - deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, + deny @{user_share_dirs}/gvfs-metadata/{,*} r, include if exists } diff --git a/apparmor.d/profiles-g-l/glxinfo b/apparmor.d/profiles-g-l/glxinfo index 86dcffdd..a0032366 100644 --- a/apparmor.d/profiles-g-l/glxinfo +++ b/apparmor.d/profiles-g-l/glxinfo @@ -1,6 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2019-2021 Mikhail Morfikov -# Copyright (C) 2021-2022 Alexandre Pujol +# Copyright (C) 2021-2023 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -16,18 +16,12 @@ profile glxinfo @{exec_path} { include include include + include capability sys_admin, audit capability sys_nice, @{exec_path} mr, - /usr/share/X11/XErrorDB r, - - owner @{HOME}/.Xauthority r, - - # file_inherit - owner @{HOME}/.xsession-errors w, - include if exists } diff --git a/apparmor.d/profiles-m-r/qbittorrent b/apparmor.d/profiles-m-r/qbittorrent index d8edda56..1d3c1fc6 100644 --- a/apparmor.d/profiles-m-r/qbittorrent +++ b/apparmor.d/profiles-m-r/qbittorrent @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2015-2022 Mikhail Morfikov +# Copyright (C) 2023 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , 
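Review bot: dropping `owner` from `deny @{user_share_dirs}/gvfs-metadata/{,*} r` widens the silencer to files the user does not own, which is harmless for a deny and matches the epiphany-search-provider line in this patch, but the deleted `# Silencer` pair `owner /var/cache/fontconfig/ w` / `deny /var/cache/fontconfig/ w` has no replacement here; if font-manager still attempts that write the denial returns to the audit log. If fontconfig cache writes are now covered by an abstraction the commit should say so, otherwise keep `deny /var/cache/fontconfig/ w,`. Reordering the `@{PROC}` rules alphabetically is a pure style change.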
@@ -47,22 +48,17 @@ profile qbittorrent @{exec_path} { network netlink dgram, network netlink raw, - dbus send bus=session path=/org/freedesktop/DBus - interface=org.freedesktop.DBus - member={RequestName,ReleaseName} - peer=(name=org.freedesktop.DBus, label=dbus-daemon), - - dbus send bus=session path=/StatusNotifierWatcher + dbus send bus=session path=/StatusNotifierWatcher interface=org.freedesktop.DBus.Introspectable member=Introspect peer=(name=org.kde.StatusNotifierWatcher), - dbus send bus=session path=/StatusNotifierWatcher + dbus send bus=session path=/StatusNotifierWatcher interface=org.kde.StatusNotifierWatcher member=RegisterStatusNotifierItem peer=(name=org.kde.StatusNotifierWatcher), - dbus send bus=session path=/StatusNotifierItem + dbus send bus=session path=/StatusNotifierItem interface=org.kde.StatusNotifierItem member={NewToolTip,NewIcon} peer=(name=org.freedesktop.DBus), @@ -72,7 +68,7 @@ profile qbittorrent @{exec_path} { member=Activate peer=(name=:*), - dbus send bus=session path=/StatusNotifierWatcher + dbus send bus=session path=/StatusNotifierWatcher interface=org.freedesktop.DBus.Properties member=Get peer=(name=org.kde.StatusNotifierWatcher), @@ -82,7 +78,7 @@ profile qbittorrent @{exec_path} { member=GetAll peer=(name=:*), - dbus send bus=session path=/MenuBar + dbus send bus=session path=/MenuBar interface=com.canonical.dbusmenu member=ItemsPropertiesUpdated peer=(name=org.freedesktop.DBus), 
@@ -96,68 +92,8 @@ profile qbittorrent @{exec_path} { @{exec_path} mr, - # For "search engine" - @{bin}/python3.[0-9]* rCx -> python3, - - # Qbittorrent home dirs - owner @{user_config_dirs}/qBittorrent/ rw, - owner @{user_config_dirs}/qBittorrent/** rwkl -> @{user_config_dirs}/qBittorrent/#@{int}, - owner @{user_share_dirs}/data/ rw, - owner @{user_share_dirs}/{,data/}qBittorrent/ rw, - owner @{user_share_dirs}/{,data/}qBittorrent/** rwl -> @{user_share_dirs}/{,data/}qBittorrent/**/#@{int}, - # Old dir, not recommended to use: -# deny owner @{user_share_dirs}/data/qBittorrent/ rw, - - # Cache dir - owner @{user_cache_dirs}/ rw, - owner @{user_cache_dirs}/#@{int} rw, - owner @{user_cache_dirs}/qBittorrent/{,**} rw, - - # To configure Qt5 settings (theme, font, icons, etc.) under DE/WM without Qt integration - owner @{user_config_dirs}/qt5ct/{,**} r, - /usr/share/qt5ct/** r, - - # Torrent files - owner @{user_torrents_dirs}/ r, - owner @{user_torrents_dirs}/** rw, - - # GeoIP settings - /usr/share/GeoIP/GeoIP.dat r, - - /dev/disk/by-label/ r, - - /dev/shm/#@{int} rw, - - owner @{PROC}/@{pids}/fd/ r, - deny owner @{PROC}/@{pids}/cmdline r, - owner @{PROC}/@{pids}/mountinfo r, - owner @{PROC}/@{pids}/mounts r, - owner @{PROC}/@{pids}/comm r, - deny @{PROC}/sys/kernel/random/boot_id r, - - /usr/share/hwdata/pnp.ids r, - - # TMP - owner /tmp/qtsingleapp-qBitto-* rw, - owner /tmp/qtsingleapp-qBitto-*-lockfile rwk, - owner /tmp/.qBittorrent/ rw, - owner /tmp/.qBittorrent/* rwl -> /tmp/.qBittorrent/*, - owner /tmp/mozilla_*/*.torrent rw, - owner /tmp/*.torrent rw, - # To load/add torrents from the search engine - owner /tmp/tmp* rw, - owner /tmp/.*/{,s} rw, - - owner /tmp/xauth-[0-9]*-_[0-9] rw, - - # file_inherit - owner /dev/tty@{int} rw, - - # gnome-tiny - /usr/share/gvfs/remote-volume-monitors/{,*} r, - - # Launch external apps - @{bin}/xdg-{open,mime} rCx -> open, + @{bin}/xdg-{open,mime} rPx -> child-open, + @{bin}/python3.[0-9]* rCx -> python, # For "search engine" 
# Allowed apps to open @{bin}/spacefm rPx, 
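Review bot: `@{bin}/xdg-{open,mime} rPx -> child-open` replaces the local `open` subprofile, which carried an explicit allow-list of viewers (spacefm, smplayer, vlc, mpv, geany, viewnior, qpdfview, ebook-viewer, engrampa, firefox); what qbittorrent may now launch through xdg-open is whatever the shared `child-open` profile permits, and that profile is not part of this patch, so its scope should be checked before merging. A comment such as `# Launch external apps (delegated to the shared child-open profile)` above the new line would preserve the intent the deleted comment expressed. The `rCx -> python` target matches the `profile python {` defined in the next hunk, and the profile body continues beyond this hunk.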
@@ -169,69 +105,53 @@ profile qbittorrent @{exec_path} { @{bin}/qpdfview rPx, @{bin}/ebook-viewer rPx, @{bin}/nautilus rPx, - @{FIREFOX_BIN} rPx, + @{FIREFOX_BIN} rPx, - profile open { + /usr/share/GeoIP/GeoIP.dat r, + /usr/share/gvfs/remote-volume-monitors/{,*} r, + /usr/share/hwdata/*.ids r, + /usr/share/qt5ct/** r, + + owner @{user_cache_dirs}/ rw, + owner @{user_cache_dirs}/#@{int} rw, + owner @{user_cache_dirs}/qBittorrent/{,**} rw, + + owner @{user_config_dirs}/qBittorrent/ rw, + owner @{user_config_dirs}/qBittorrent/** rwkl -> @{user_config_dirs}/qBittorrent/#@{int}, + owner @{user_config_dirs}/qt5ct/{,**} r, + + owner @{user_share_dirs}/{,data/}qBittorrent/ rw, + owner @{user_share_dirs}/{,data/}qBittorrent/** rwl -> @{user_share_dirs}/{,data/}qBittorrent/**/#@{int}, + owner @{user_share_dirs}/data/ rw, + + owner @{user_torrents_dirs}/ r, + owner @{user_torrents_dirs}/** rw, + + owner /dev/shm/#@{int} rw, + owner /tmp/.*/{,s} rw, + owner /tmp/.qBittorrent/ rw, + owner /tmp/.qBittorrent/* rwl -> /tmp/.qBittorrent/*, + owner /tmp/*.torrent rw, + owner /tmp/mozilla_*/*.torrent rw, + owner /tmp/qtsingleapp-qBitto-* rw, + owner /tmp/qtsingleapp-qBitto-*-lockfile rwk, + owner /tmp/tmp* rw, + + @{PROC}/sys/kernel/random/boot_id r, + owner @{PROC}/@{pids}/cmdline r, + owner @{PROC}/@{pids}/comm r, + owner @{PROC}/@{pids}/fd/ r, + owner @{PROC}/@{pids}/mountinfo r, + owner @{PROC}/@{pids}/mounts r, + + owner /dev/tty@{int} rw, + + profile python { include - include - include - - dbus send bus=session path=/org/gnome/{Nautilus,Totem,gedit} - interface=org.freedesktop.Application - member=Open - peer=(name="org.gnome.{Nautilus,Totem,gedit}"), - - dbus send bus=accessibility path=/org/a11y/atspi/accessible/root - interface=org.a11y.atspi.Socket - member=Embed - peer=(name=org.a11y.atspi.Registry), - - dbus receive bus=accessibility path=/org/a11y/atspi/accessible/root - interface=org.freedesktop.DBus.Properties - member=Set - peer=(name=:*), - - @{bin}/xdg-open mr, - - 
# Allowed apps to open - @{bin}/spacefm rPx, - @{bin}/smplayer rPx, - @{bin}/vlc rPx, - @{bin}/mpv rPx, - @{bin}/geany rPx, - @{bin}/viewnior rPUx, - @{bin}/qpdfview rPx, - @{bin}/ebook-viewer rPx, - @{bin}/engrampa rPx, - @{FIREFOX_BIN} rPx, - - @{bin}/{ba,da,}sh rix, - @{bin}/{g,m,}awk rix, - @{bin}/readlink rix, - @{bin}/basename rix, - @{bin}/which{,.debianutils} rix, - @{bin}/xfce4-mime-helper rix, - - owner @{HOME}/ r, - - owner @{run}/user/@{uid}/ r, - - # file_inherit - owner @{MOUNTS}/torrent/** r, - owner @{MOUNTS}/torrent/**.@{hex}.parts rw, - owner "@{MOUNTS}/torrent/**.!qB" rw, - - owner @{HOME}/.xsession-errors w, - - include if exists - } - - profile python3 { - include - include - include - include include + include + include + include signal (receive) set=(term, kill) peer=qbittorrent, @@ -245,19 +165,17 @@ profile qbittorrent @{exec_path} { owner @{user_share_dirs}/{,data/}qBittorrent/nova[0-9]/{,**} rw, - # Used while searching for torrents + owner @{user_torrents_dirs}/** r, + owner /dev/shm/sem.mp-* rwl -> /dev/shm/@{int}, owner /dev/shm/* rw, - # To load/add torrents from the search engine owner /tmp/@{int} rw, owner /tmp/tmp* rw, - # file_inherit - owner @{MOUNTS}/torrent/** r, deny /dev/dri/card@{int} rw, - include if exists + include if exists } include if exists diff --git a/apparmor.d/profiles-s-z/snapd-apparmor b/apparmor.d/profiles-s-z/snapd-apparmor index 2f4556cf..a66335bb 100644 --- a/apparmor.d/profiles-s-z/snapd-apparmor +++ b/apparmor.d/profiles-s-z/snapd-apparmor @@ -22,8 +22,9 @@ profile snapd-apparmor @{exec_path} { /var/lib/snapd/apparmor/profiles/ r, - @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, + @{PROC}/cmdline r, + include if exists } \ No newline at end of file diff --git a/apparmor.d/profiles-s-z/spice-vdagent b/apparmor.d/profiles-s-z/spice-vdagent index 779b5468..32e092bd 100644 --- a/apparmor.d/profiles-s-z/spice-vdagent +++ b/apparmor.d/profiles-s-z/spice-vdagent 
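Review bot: two explicit denies are flipped to allows inside the reorganised block without mention in the commit: `deny owner @{PROC}/@{pids}/cmdline r` becomes `owner @{PROC}/@{pids}/cmdline r` and `deny @{PROC}/sys/kernel/random/boot_id r` becomes `@{PROC}/sys/kernel/random/boot_id r`. Both were silencers, and `boot_id` is a stable per-boot machine identifier that a torrent client has no evident need for; if it is only probed by toolkit startup code, the original `deny` keeps the log quiet without granting it, and if the grant is needed the commit message should say why. `/usr/share/hwdata/pnp.ids r` also widens to `/usr/share/hwdata/*.ids r`, which is read-only and fine.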
@@ -42,7 +42,7 @@ profile spice-vdagent @{exec_path} { @{run}/spice-vdagentd/spice-vdagent-sock rw, - @{sys}/devices/pci[0-9]*/**/{device,vendor} r, + @{sys}/devices/@{pci}/{device,vendor} r, owner @{PROC}/@{pids}/task/@{tid}/comm rw, diff --git a/apparmor.d/profiles-s-z/wireplumber b/apparmor.d/profiles-s-z/wireplumber index a92aa2ed..fb124696 100644 --- a/apparmor.d/profiles-s-z/wireplumber +++ b/apparmor.d/profiles-s-z/wireplumber @@ -44,6 +44,8 @@ profile wireplumber @{exec_path} { owner @{user_state_dirs}/ w, owner @{user_state_dirs}/wireplumber/{,**} rw, + @{run}/user/@{uid}/pipewire-@{int} rw, + @{run}/systemd/users/@{uid} r, @{run}/udev/data/c14:@{int} r, # Open Sound System (OSS)
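Review bot: `@{run}/user/@{uid}/pipewire-@{int} rw` grants write access to the user's PipeWire socket without the `owner` qualifier that the other `@{run}/user/@{uid}/` rules in this patch use (for example `owner @{run}/user/@{uid}/pulse/native rw` in gnome-terminal-server); `owner @{run}/user/@{uid}/pipewire-@{int} rw,` is the tighter form and still works for the session user. `@{run}/systemd/users/@{uid} r` is a non-owner read of a systemd-managed file and is fine as written. The profile body continues outside the hunk.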