diff --git a/apparmor.d/groups/gnome/evolution-addressbook-factory b/apparmor.d/groups/gnome/evolution-addressbook-factory
index 987dd621..a3ca557c 100644
--- a/apparmor.d/groups/gnome/evolution-addressbook-factory
+++ b/apparmor.d/groups/gnome/evolution-addressbook-factory
@@ -43,6 +43,7 @@ profile evolution-addressbook-factory @{exec_path} {
 @{exec_path}-subprocess rix,
 /usr/share/glib-2.0/schemas/gschemas.compiled r,
+ /usr/share/icu/{,**} r,
 owner @{user_share_dirs}/evolution/{,**} rwk,
 owner @{user_cache_dirs}/evolution/addressbook/{,**} rwk,
diff --git a/apparmor.d/groups/gnome/evolution-alarm-notify b/apparmor.d/groups/gnome/evolution-alarm-notify
index 1a9eb6f9..3e69147a 100644
--- a/apparmor.d/groups/gnome/evolution-alarm-notify
+++ b/apparmor.d/groups/gnome/evolution-alarm-notify
@@ -22,7 +22,7 @@ profile evolution-alarm-notify @{exec_path} {
 /usr/share/evolution-data-server/{,**} r,
 /usr/share/glib-2.0/schemas/gschemas.compiled r,
 /usr/share/ubuntu/applications/ r,
- /usr/share/zoneinfo-icu/{,**} r,
+ /usr/share/{,zoneinfo-}icu/{,**} r,
 include if exists
 }
diff --git a/apparmor.d/groups/gnome/gdm b/apparmor.d/groups/gnome/gdm
index 721afb84..73190c9e 100644
--- a/apparmor.d/groups/gnome/gdm
+++ b/apparmor.d/groups/gnome/gdm
@@ -15,6 +15,7 @@ profile gdm @{exec_path} flags=(attach_disconnected) {
 include
 capability chown,
+ capability dac_read_search,
 capability fsetid,
 capability kill,
 capability net_admin,
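Review bot: The same `/usr/share/icu/{,**} r,` rule is added here and in five other profiles in this commit, while evolution-alarm-notify, gnome-shell and gnome-shell-calendar-server get the wider `/usr/share/{,zoneinfo-}icu/{,**} r,` spelling; the two forms should be reconciled, and a rule repeated this often belongs in a shared abstraction if the project has one for ICU data. A short comment such as `# libicu locale/collation data` next to the rule would record why the read is granted, since nothing in the hunk says so. The profile body continues outside the hunk.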
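Review bot: `capability dac_read_search,` lets gdm bypass read and search permission checks on every path its file rules already allow, and the hunk does not record which access needed it. Please add a one-line comment naming the trigger, e.g. `capability dac_read_search, # needed to read <path from the audit log>`, so a later reviewer can judge whether an explicit path rule or an `owner`-qualified rule could replace the capability. The profile body continues outside the hunk.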
@@ -65,12 +66,14 @@ profile gdm @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - /{usr/,}{s,}bin/prime-switch rPUx, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/plymouth rPx, - /etc/gdm{3,}/PrimeOff/Default rix, - @{libexec}/gdm-session-worker rPx, - + @{libexec}/{,gdm/}gdm-session-worker rPx, + /{usr/,}{s,}bin/prime-switch rPUx, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/pidof rPx, + /{usr/,}bin/plymouth rPx, + /{usr/,}bin/sleep rix, + /etc/gdm{3,}/PrimeOff/Default rix, + /usr/share/gdm/gdm.schemas r, /usr/share/wayland-sessions/*.desktop r, /usr/share/xsessions/*.desktop r, @@ -79,6 +82,8 @@ profile gdm @{exec_path} flags=(attach_disconnected) { /etc/gdm{3,}/custom.conf r, /etc/gdm{3,}/daemon.conf r, /etc/locale.conf r, + /etc/sysconfig/displaymanager r, + /etc/sysconfig/windowmanager r, /var/{lib,log}/gdm{3,}/ rw, @@ -97,12 +102,14 @@ profile gdm @{exec_path} flags=(attach_disconnected) { @{sys}/devices/pci[0-9]*/**/boot_vga r, @{sys}/devices/virtual/tty/tty[0-9]*/active r, - owner @{PROC}/@{pid}/cmdline r, - owner @{PROC}/@{pid}/fd/ r, @{PROC}/@{pid}/cgroup r, @{PROC}/1/environ r, @{PROC}/cmdline r, @{PROC}/sys/kernel/osrelease r, + owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/fd/ r, + + /dev/tty rw, include if exists } diff --git a/apparmor.d/groups/gnome/gdm-session-worker b/apparmor.d/groups/gnome/gdm-session-worker index e36e550d..da788324 100644 --- a/apparmor.d/groups/gnome/gdm-session-worker +++ b/apparmor.d/groups/gnome/gdm-session-worker @@ -62,7 +62,9 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) { @{libexec}/{,gdm/}gdm-x-session rPx, /{usr/,}bin/gnome-keyring-daemon rPx, /etc/gdm{3,}/{Pre,Post}Session/Default rix, + /etc/gdm{3,}/PostLogin/Default rix, /etc/gdm{3,}/PrimeOff/Default rix, + @{etc_ro}/X11/xdm/Xstartup rPUx, /usr/share/gdm/gdm.schemas r, /usr/share/wayland-sessions/*.desktop r, 
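Review bot: `@{etc_ro}/X11/xdm/Xstartup rPUx,` runs the xdm start script unconfined whenever no profile is attached to it, from a worker that runs as root with `attach_disconnected`; gdm-xsession in this same commit gives `@{etc_ro}/X11/xdm/Xsession` a plain `rPx`, so the two xdm scripts are treated differently without an explanation. Prefer `rPx` with a dedicated profile, or `rix` so the script inherits this profile the way `/etc/gdm{3,}/PostLogin/Default rix,` just above it does (that presumably already relies on a shell being allowed under this profile), and record the choice with a comment. The profile body continues outside the hunk.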
@@ -77,6 +79,8 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) {
 /etc/motd r,
 /etc/motd.d/ r,
 /etc/shells r,
+ /etc/sysconfig/displaymanager r,
+ /etc/sysconfig/windowmanager r,
 owner @{run}/user/@{uid}/keyring/control rw,
diff --git a/apparmor.d/groups/gnome/gdm-wayland-session b/apparmor.d/groups/gnome/gdm-wayland-session
index f6b6e8ad..01ff3025 100644
--- a/apparmor.d/groups/gnome/gdm-wayland-session
+++ b/apparmor.d/groups/gnome/gdm-wayland-session
@@ -42,6 +42,7 @@ profile gdm-wayland-session @{exec_path} {
 /{usr/,}bin/cat rix,
 /{usr/,}bin/env rix,
 /{usr/,}bin/gettext rix,
+ /{usr/,}bin/gettext.sh r,
 /{usr/,}bin/gnome-session rix,
 /{usr/,}bin/grep rix,
 /{usr/,}bin/gsettings rix,
@@ -49,36 +50,51 @@ profile gdm-wayland-session @{exec_path} {
 /{usr/,}bin/id rix,
 /{usr/,}bin/locale rix,
 /{usr/,}bin/locale-check rix,
+ /{usr/,}bin/manpath rix,
 /{usr/,}bin/qmake rix,
+ /{usr/,}bin/readlink rix,
 /{usr/,}bin/sed rix,
 /{usr/,}bin/sort rix,
 /{usr/,}bin/tr rix,
 /{usr/,}bin/tty rix,
+ /{usr/,}bin/uname rix,
 /{usr/,}bin/zsh rix,
+ @{libexec}/gnome-session-binary rPx,
 /{usr/,}bin/dbus-daemon rPx,
 /{usr/,}bin/dbus-run-session rPx,
 /{usr/,}bin/dpkg-query rpx,
 /{usr/,}bin/flatpak rPUx,
- @{libexec}/gnome-session-binary rPx,
- /{usr/,}bin/gettext.sh r,
+ /usr/share/bash-completion/{,**} r,
+ /usr/share/gdm/gdm.schemas r,
+ /usr/share/glib-2.0/schemas/gschemas.compiled r,
 /usr/share/im-config/{,**} r,
+ /usr/share/xsessions/gnome.desktop r,
 @{etc_ro}/profile.d/{,*} r,
 /etc/debuginfod/{,*} r,
 /etc/default/im-config r,
 /etc/gdm{3,}/custom.conf r,
 /etc/gdm{3,}/daemon.conf r,
+ /etc/locale.conf r,
+ /etc/manpath.config r,
 /etc/shells r,
+ /etc/sysconfig/console r,
+ /etc/sysconfig/displaymanager r,
+ /etc/sysconfig/language r,
+ /etc/sysconfig/mail r,
+ /etc/sysconfig/proxy r,
+ /etc/sysconfig/windowmanager r,
 /etc/X11/xinit/xinputrc r,
 /etc/X11/Xsession.d/*im-config_launch r,
- /usr/share/gdm/gdm.schemas r,
- /usr/share/glib-2.0/schemas/gschemas.compiled r,
+ owner @{HOME}/.alias r,
+ owner @{HOME}/.i18n r,
 @{run}/gdm{3,}/custom.conf r,
+ owner @{PROC}/@{pid}/cmdline r,
 owner @{PROC}/@{pid}/fd/ r,
 owner @{PROC}/@{pid}/loginuid r,
diff --git a/apparmor.d/groups/gnome/gdm-x-session b/apparmor.d/groups/gnome/gdm-x-session
index b48e1d79..e05bbdca 100644
--- a/apparmor.d/groups/gnome/gdm-x-session
+++ b/apparmor.d/groups/gnome/gdm-x-session
@@ -6,7 +6,7 @@ abi ,
 include
-@{exec_path} = @{libexec}/gdm-x-session
+@{exec_path} = @{libexec}/{,gdm/}gdm-x-session
 profile gdm-x-session @{exec_path} flags=(attach_disconnected) {
 include
 include
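Review bot: `owner @{HOME}/.alias r,` and `owner @{HOME}/.i18n r,` grant reads of user-editable files with no note of what consumes them; they look like shell fragments sourced by the `/etc/profile.d` scripts this profile already reads, which stays safe only because the shells run `rix` and inherit this profile. A comment such as `# sourced by /etc/profile.d/*.sh (openSUSE)` next to them, and one above the new `/etc/sysconfig/*` block, would make that dependency explicit for the next person who tightens the profile. The profile body continues outside the hunk.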
@@ -40,9 +40,11 @@ profile gdm-x-session @{exec_path} flags=(attach_disconnected) { /etc/gdm{3,}/Xsession rPx, /etc/gdm{3,}/Prime/Default rix, + /usr/share/gdm/gdm.schemas r, + /etc/gdm{3,}/custom.conf r, /etc/gdm{3,}/daemon.conf r, - /usr/share/gdm/gdm.schemas r, + /etc/sysconfig/displaymanager r, /var/lib/gdm{3,}/.cache/gdm/Xauthority rw, /var/lib/gdm{3,}/.cache/gdm/ rw, diff --git a/apparmor.d/groups/gnome/gdm-xsession b/apparmor.d/groups/gnome/gdm-xsession index f512ba1c..e2448f6e 100644 --- a/apparmor.d/groups/gnome/gdm-xsession +++ b/apparmor.d/groups/gnome/gdm-xsession @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /etc/gdm{3,}/Xsession +@{exec_path} = @{etc_ro}/gdm{3,}/Xsession profile gdm-xsession @{exec_path} { include include @@ -35,6 +35,7 @@ profile gdm-xsession @{exec_path} { /{usr/,}bin/tty rix, /{usr/,}bin/zsh rix, + @{etc_ro}/X11/xdm/Xsession rPx, /{usr/,}bin/dbus-update-activation-environment rCx -> dbus, /{usr/,}bin/flatpak rPUx, /{usr/,}bin/systemctl rPx -> child-systemctl, diff --git a/apparmor.d/groups/gnome/gjs-console b/apparmor.d/groups/gnome/gjs-console index c494aded..cb789bc8 100644 --- a/apparmor.d/groups/gnome/gjs-console +++ b/apparmor.d/groups/gnome/gjs-console @@ -84,6 +84,7 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) { /usr/share/gdm/greeter-dconf-defaults r, /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/gnome-shell/{,**} r, + /usr/share/icu/{,**} r, /usr/share/X11/xkb/** r, /var/lib/gdm{3,}/greeter-dconf-defaults r, diff --git a/apparmor.d/groups/gnome/gnome-characters b/apparmor.d/groups/gnome/gnome-characters index b64f205f..99763c7e 100644 --- a/apparmor.d/groups/gnome/gnome-characters +++ b/apparmor.d/groups/gnome/gnome-characters 
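Review bot: `@{etc_ro}/X11/xdm/Xsession rPx,` needs a profile attached to exactly that path and none is visible in this diff; if it is missing, the transition is denied rather than falling back, unlike the `rPUx` given to the sibling `Xstartup` script in gdm-session-worker in this same commit. If the xdm script is simply where this same Xsession lives on another distribution, extending the attachment, e.g. `@{exec_path} = @{etc_ro}/{gdm{3,},X11/xdm}/Xsession`, is simpler than a transition between two profiles; otherwise please state in a comment which profile is expected to own it. The profile body continues outside the hunk.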
@@ -23,10 +23,11 @@ profile gnome-characters @{exec_path} {
 /{usr/,}bin/gjs-console rix,
 /usr/share/glib-2.0/schemas/gschemas.compiled r,
+ /usr/share/icu/{,**} r,
+ /usr/share/libdrm/*.ids r,
 /usr/share/org.gnome.Characters/org.gnome.Characters.*.gresource r,
 /usr/share/themes/{,**} r,
 /usr/share/X11/xkb/{,**} r,
- /usr/share/libdrm/*.ids r,
 owner @{PROC}/@{pid}/mounts r,
 owner @{PROC}/@{pid}/stat r,
diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center
index 465bc107..adcf3654 100644
--- a/apparmor.d/groups/gnome/gnome-control-center
+++ b/apparmor.d/groups/gnome/gnome-control-center
@@ -104,14 +104,16 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
 /usr/share/mime/{,**} r,
 /usr/share/pipewire/client.conf r,
 /usr/share/thumbnailers/{,*} r,
+ /usr/share/wallpapers/{,**} r,
 /usr/share/xml/iso-codes/iso_[0-9]*-[0-9]*.xml r,
 /usr/share/zoneinfo/{,**} r,
+ /etc/cups/client.conf r,
 /etc/machine-info r,
 /etc/pipewire/client.conf.d/ r,
+ /etc/rygel.conf r,
 /etc/security/pwquality.conf r,
 /etc/security/pwquality.conf.d/{,**} r,
- /etc/rygel.conf r,
 /etc/fstab r,
 /etc/machine-id r,
@@ -119,9 +121,9 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
 /var/lib/snapd/desktop/icons/ r,
+ /var/cache/cracklib/cracklib_dict.* r,
 /var/cache/samba/ rw,
 /var/lib/AccountsService/icons/* r,
- /var/cache/cracklib/cracklib_dict.* r,
 owner @{HOME}/.cat_installer/ca.pem r,
 owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r,
diff --git a/apparmor.d/groups/gnome/gnome-control-center-search-provider b/apparmor.d/groups/gnome/gnome-control-center-search-provider
index 3b77eb93..1517e26f 100644
--- a/apparmor.d/groups/gnome/gnome-control-center-search-provider
+++ b/apparmor.d/groups/gnome/gnome-control-center-search-provider
@@ -27,6 +27,8 @@ profile gnome-control-center-search-provider @{exec_path} { /etc/gnome/defaults.list r, + /var/cache/gio-[0-9]*.[0-9]*/gnome-mimeapps.list r, + owner @{run}/user/@{uid}/gdm/Xauthority r, owner @{run}/user/@{uid}/wayland-[0-9]* rw, diff --git a/apparmor.d/groups/gnome/gnome-extensions-app b/apparmor.d/groups/gnome/gnome-extensions-app index 5de712c5..c7598ebf 100644 --- a/apparmor.d/groups/gnome/gnome-extensions-app +++ b/apparmor.d/groups/gnome/gnome-extensions-app @@ -14,6 +14,7 @@ profile gnome-extensions-app @{exec_path} { include include include + include include include include @@ -24,9 +25,10 @@ profile gnome-extensions-app @{exec_path} { /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/gjs-console rix, - /usr/share/terminfo/x/xterm-256color r, /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/gnome-shell/org.gnome.Extensions* r, + /usr/share/icu/{,**} r, + /usr/share/terminfo/x/xterm-256color r, /usr/share/X11/xkb/{,**} r, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/groups/gnome/gnome-keyring-daemon b/apparmor.d/groups/gnome/gnome-keyring-daemon index 7534a6d6..7a863833 100644 --- a/apparmor.d/groups/gnome/gnome-keyring-daemon +++ b/apparmor.d/groups/gnome/gnome-keyring-daemon @@ -75,6 +75,8 @@ profile gnome-keyring-daemon @{exec_path} flags=(attach_disconnected) { /{usr/,}bin/ssh-add rix, /{usr/,}bin/ssh-agent rPx, + /etc/gcrypt/hwf.deny r, + /var/lib/gdm{3,}/.local/share/keyrings/ rw, # Keyrings location diff --git a/apparmor.d/groups/gnome/gnome-music b/apparmor.d/groups/gnome/gnome-music index 304741db..1a9e1fb4 100644 --- a/apparmor.d/groups/gnome/gnome-music +++ b/apparmor.d/groups/gnome/gnome-music @@ -33,6 +33,7 @@ profile gnome-music @{exec_path} { @{exec_path} mr, /{usr/,}bin/ r, /{usr/,}bin/python3.[0-9]* rix, + /{usr/,}lib/python3.[0-9]*/site-packages//gnomemusic/__pycache__/{,**} rw, /usr/share/egl/{,**} r, /usr/share/glib-2.0/schemas/gschemas.compiled r, 
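Review bot: `/{usr/,}lib/python3.[0-9]*/site-packages//gnomemusic/__pycache__/{,**} rw,` grants write access under the system `site-packages` tree, which is exactly where a planted `.pyc` would be loaded from on every later start; DAC normally stops an unprivileged gnome-music from writing there, but the profile should not be the thing that permits it. Unless gnome-music is genuinely expected to compile its own bytecode into that directory, silence the audit noise with a deny instead, e.g. `deny /{usr/,}lib/python3.[0-9]*/site-packages/gnomemusic/__pycache__/{,**} w,` (the project's python abstraction may already carry such a rule, in which case this line can go). The doubled slash in `site-packages//gnomemusic` also looks like a typo; the parser collapses consecutive slashes as far as I know, but the rule should be written with one.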
diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary
index 6fb8633a..83d49cfd 100644
--- a/apparmor.d/groups/gnome/gnome-session-binary
+++ b/apparmor.d/groups/gnome/gnome-session-binary
@@ -211,6 +211,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
 /var/lib/gdm{3,}/.local/share/session_migration-* r,
 /var/lib/gdm{3,}/greeter-dconf-defaults r,
+ /var/cache/gio-[0-9]*.[0-9]*/gnome-mimeapps.list r,
 /var/lib/flatpak/exports/share/applications/{,**} r,
 /var/lib/flatpak/exports/share/mime/mime.cache r,
 /var/lib/snapd/desktop/applications/{,mimeinfo.cache} r,
diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell
index bca241e3..a8a49ae7 100644
--- a/apparmor.d/groups/gnome/gnome-shell
+++ b/apparmor.d/groups/gnome/gnome-shell
@@ -486,31 +486,36 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
 /opt/*/**/*.png r,
 /snap/*/@{uid}/**.png r,
+ /usr/share/{,zoneinfo-}icu/{,**} r,
+ /usr/share/*ubuntu/applications/{,*.desktop} r,
 /usr/share/app-info/icons/{,**} r,
 /usr/share/backgrounds/{,**} r,
 /usr/share/dconf/profile/gdm r,
+ /usr/share/desktop-base/** r,
 /usr/share/desktop-directories/{,*.directory} r,
 /usr/share/egl/{,**} r,
 /usr/share/evolution-data-server/icons/{,**} r,
 /usr/share/firefox{,-esr}/browser/chrome/icons/{,**} r,
+ /usr/share/gdm/BuiltInSessions/{,*.desktop} r,
 /usr/share/gdm/greeter-dconf-defaults r,
 /usr/share/gdm/greeter/applications/{,**} r,
- /usr/share/gdm/BuiltInSessions/{,*.desktop} r,
 /usr/share/glib-2.0/schemas/gschemas.compiled r,
 /usr/share/gnome-shell/{,**} r,
+ /usr/share/libdrm/*.ids r,
 /usr/share/libgweather/Locations.xml r,
- /usr/share/libinput/ r,
- /usr/share/libinput/[0-9][0-9]-*.quirks r,
+ /usr/share/libinput*/ r,
+ /usr/share/libinput*/{,**/}[0-9][0-9]-*.quirks r,
+ /usr/share/libinput*/libinput/ r,
 /usr/share/libwacom/{,*.stylus,*.tablet} r,
 /usr/share/plymouth/*.png r,
- /usr/share/*ubuntu/applications/{,*.desktop} r,
+ /usr/share/wallpapers/** r,
 /usr/share/wayland-sessions/{,*.desktop} r,
 /usr/share/xml/iso-codes/iso_[0-9]*-[0-9]*.xml r,
- /usr/share/desktop-base/** r,
- /usr/share/libdrm/*.ids r,
+ /usr/share/gnome-packagekit/icons/hicolor/{,**} r,
 /.flatpak-info r,
 /etc/fstab r,
+ /etc/udev/hwdb.bin r,
 /etc/xdg/menus/gnome-applications.menu r,
 /var/lib/gdm{3,}/.cache/ w,
diff --git a/apparmor.d/groups/gnome/gnome-shell-calendar-server b/apparmor.d/groups/gnome/gnome-shell-calendar-server
index 23de998a..7b7f0114 100644
--- a/apparmor.d/groups/gnome/gnome-shell-calendar-server
+++ b/apparmor.d/groups/gnome/gnome-shell-calendar-server
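Review bot: `/usr/share/wallpapers/** r,` does not allow reading the `wallpapers/` directory itself, while gnome-control-center in this same commit gets `/usr/share/wallpapers/{,**} r,`; use the `{,**}` form here too so the two profiles agree and the directory can be listed. The `/usr/share/libinput*/` glob now matches any directory whose name merely starts with `libinput`, which is harmless under root-owned `/usr/share` but wider than the name suggests; if a versioned directory is the intent, `libinput{,-[0-9]*}` says so precisely. The profile body continues outside the hunk.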
@@ -19,8 +19,9 @@ profile gnome-shell-calendar-server @{exec_path} { @{exec_path} mr, /usr/share/glib-2.0/schemas/gschemas.compiled r, - /usr/share/zoneinfo-icu/{,**} r, + /usr/share/{,zoneinfo-}icu/{,**} r, + /etc/sysconfig/clock r, /etc/timezone r, include if exists diff --git a/apparmor.d/groups/gnome/gnome-software b/apparmor.d/groups/gnome/gnome-software index 93340d69..3ebeddca 100644 --- a/apparmor.d/groups/gnome/gnome-software +++ b/apparmor.d/groups/gnome/gnome-software @@ -58,6 +58,10 @@ profile gnome-software @{exec_path} { /var/lib/dbus/machine-id r, /etc/machine-id r, + /var/cache/app-info/icons/**.png r, + /var/cache/app-info/xmls/{,**} r, + /var/cache/gio-[0-9]*.[0-9]*/gnome-mimeapps.list r, + /var/lib/flatpak/app/{,**} r, /var/lib/flatpak/appstream/{,**} r, /var/lib/flatpak/repo/{,**} r, diff --git a/apparmor.d/groups/gnome/gnome-terminal-server b/apparmor.d/groups/gnome/gnome-terminal-server index f891e9fc..514480b5 100644 --- a/apparmor.d/groups/gnome/gnome-terminal-server +++ b/apparmor.d/groups/gnome/gnome-terminal-server @@ -34,6 +34,7 @@ profile gnome-terminal-server @{exec_path} { /{usr/,}bin/nvtop rPx, /usr/share/glib-2.0/schemas/gschemas.compiled r, + /usr/share/icu/{,**} r, /usr/share/X11/xkb/{,**} r, /var/lib/flatpak/exports/share/icons/{,**} r, diff --git a/apparmor.d/groups/gnome/gsd-xsettings b/apparmor.d/groups/gnome/gsd-xsettings index 6f17f4b4..c0a29be6 100644 --- a/apparmor.d/groups/gnome/gsd-xsettings +++ b/apparmor.d/groups/gnome/gsd-xsettings @@ -9,9 +9,9 @@ include @{exec_path} = @{libexec}/gsd-xsettings profile gsd-xsettings @{exec_path} { include - include - include include + include + include include include include 
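Review bot: `/var/lib/flatpak/app/{,**} r,` on the new side of the gnome-software hunk reads every file of every system-installed flatpak, payloads included, when the client most likely only needs per-app metadata such as `/var/lib/flatpak/app/*/current/active/metadata`; if that is the case, narrow the rule, otherwise a comment saying why the whole tree is read would help. The `/var/cache/app-info/icons/**.png` and `/var/cache/app-info/xmls/{,**}` reads are the standard AppStream cache locations and look right. The profile body continues outside the hunk.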
@@ -120,12 +120,13 @@ profile gsd-xsettings @{exec_path} { /{usr/,}bin/cat rix, /{usr/,}bin/which{,.debianutils} rix, - /{usr/,}bin/run-parts rCx -> run-parts, + @{libexec}/ibus-x11 rPx, /{usr/,}bin/busctl rPx, /{usr/,}bin/pactl rPx, + /{usr/,}bin/run-parts rCx -> run-parts, + /{usr/,}bin/xprop rPx, /{usr/,}bin/xrdb rPx, /{usr/,}lib/ibus/ibus-x11 rPx, - @{libexec}/ibus-x11 rPx, /usr/share/dconf/profile/gdm r, /usr/share/gdm/greeter-dconf-defaults r, diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus index 21263d15..0d59c21f 100644 --- a/apparmor.d/groups/gnome/nautilus +++ b/apparmor.d/groups/gnome/nautilus @@ -47,15 +47,16 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { /{usr/,}lib/gio-launch-desktop rPx -> child-open, /usr/share/*ubuntu/applications/{,**} r, + /usr/share/icu/{,**} r, /usr/share/libdrm/*.ids r, /usr/share/nautilus/{,**} r, /usr/share/poppler/{,**} r, /usr/share/sounds/freedesktop/stereo/*.oga r, /usr/share/terminfo/ r, /usr/share/thumbnailers/{,**} r, - /usr/share/tracker/domain-ontologies/*.rule r, - /usr/share/tracker3/{,**} r, + /usr/share/tracker*/{,**} r, + /var/cache/fontconfig/ r, /var/lib/snapd/desktop/icons/{,**} r, # Full access to user's data diff --git a/apparmor.d/groups/gnome/seahorse b/apparmor.d/groups/gnome/seahorse index 42df215a..fa95bf56 100644 --- a/apparmor.d/groups/gnome/seahorse +++ b/apparmor.d/groups/gnome/seahorse @@ -13,6 +13,7 @@ profile seahorse @{exec_path} { include include include + include include include @@ -44,6 +45,9 @@ profile seahorse @{exec_path} { /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/ubuntu/applications/ r, + /etc/pki/trust/blocklist/ r, + /etc/gcrypt/hwf.deny r, + /var/lib/snapd/desktop/icons/ r, owner @{HOME}/@{XDG_SSH_DIR}/{,**} r, diff --git a/apparmor.d/groups/gnome/tracker-miner b/apparmor.d/groups/gnome/tracker-miner index 5e071756..5e9bf967 100644 --- a/apparmor.d/groups/gnome/tracker-miner 
+++ b/apparmor.d/groups/gnome/tracker-miner
@@ -104,13 +104,13 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) {
 owner @{user_config_dirs}/tracker3/{,**} rwk,
 owner @{user_cache_dirs}/tracker3/files/{,**} rwk,
+ @{run}/blkid/blkid.tab r,
+ @{run}/mount/utab r,
+
+ @{PROC}/sys/fs/fanotify/max_user_marks r,
+ @{PROC}/sys/fs/inotify/max_user_watches r,
 owner @{PROC}/@{pid}/mountinfo r,
 owner @{PROC}/@{pid}/mounts r,
- @{PROC}/sys/fs/inotify/max_user_watches r,
-
- @{run}/blkid/blkid.tab r,
-
- @{run}/mount/utab r,
 # file_inherit
 owner /dev/tty[0-9]* rw,