From b2d093e125de93bde7a46cafd31d3a20df5b49d6 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Thu, 17 Aug 2023 21:24:02 +0100
Subject: [PATCH] feat(abs): restric abstraction by using new @{int} and @{rand} variables.
---
 apparmor.d/abstractions/chromium | 8 +-
 apparmor.d/abstractions/devices-usb | 12 +-
 apparmor.d/abstractions/disks-read | 118 +++++++++--------
 apparmor.d/abstractions/disks-write | 78 ++++++------
 .../abstractions/fontconfig-cache-write | 4 +-
 apparmor.d/abstractions/gnome.d/complete | 2 +-
 apparmor.d/abstractions/gstreamer | 16 +--
 apparmor.d/abstractions/kde-open5.d/complete | 10 +-
 apparmor.d/abstractions/thumbnails-cache-read | 4 +-
 .../abstractions/thumbnails-cache-write | 4 +-
 apparmor.d/abstractions/trash.d/complete | 6 +-
 apparmor.d/abstractions/wayland.d/complete | 2 +-
 apparmor.d/abstractions/zsh | 2 +-
 13 files changed, 135 insertions(+), 131 deletions(-)
diff --git a/apparmor.d/abstractions/chromium b/apparmor.d/abstractions/chromium
index 5ff6a06d..4d2e273e 100644
--- a/apparmor.d/abstractions/chromium
+++ b/apparmor.d/abstractions/chromium
@@ -137,7 +137,7 @@
 /var/tmp/ r,
 owner /tmp/.@{chromium_domain}.* rw,
 owner /tmp/.@{chromium_domain}*/{,**} rw,
- owner /tmp/@{chromium_name}-crashlog-[0-9]*-[0-9]*.txt rw,
+ owner /tmp/@{chromium_name}-crashlog-@{int}-@{int}.txt rw,
 owner /tmp/scoped_dir*/{,**} rw,
 owner /tmp/tmp.* rw,
 owner /tmp/tmp.*/ rw,
@@ -190,12 +190,12 @@
 @{sys}/devices/virtual/tty/tty[0-9]/active r,
 /dev/ r,
- /dev/hidraw[0-9]* rw,
+ /dev/hidraw@{int} rw,
 /dev/tty rw,
- /dev/video[0-9]* rw,
+ /dev/video@{int} rw,
 # File Inherit
- owner /dev/tty[0-9]* rw,
+ owner /dev/tty@{int} rw,
 # Silencer
 deny @{chromium_lib_dirs}/** w,
diff --git a/apparmor.d/abstractions/devices-usb b/apparmor.d/abstractions/devices-usb
index 69a8afb0..cf2a39d3 100644
--- a/apparmor.d/abstractions/devices-usb
+++ b/apparmor.d/abstractions/devices-usb
@@ -6,8 +6,8 @@
 /dev/ r,
 /dev/bus/usb/ r,
- /dev/bus/usb/[0-9]*/ r,
- /dev/bus/usb/[0-9]*/[0-9]* rwk,
+ /dev/bus/usb/@{int}/ r,
+ /dev/bus/usb/@{int}/@{int} rwk,
 @{sys}/class/ r,
 @{sys}/class/usbmisc/ r,
@@ -16,12 +16,12 @@
 @{sys}/bus/usb/ r,
 @{sys}/bus/usb/devices/{,**} r,
- @{sys}/devices/**/usb[0-9]/{,**} rw,
+ @{sys}/devices/**/usb@{int}/{,**} rw,
 # Udev data about usb devices (~equal to content of lsusb -v)
 @{run}/udev/data/+usb:* r,
- @{run}/udev/data/c16[6,7]:[0-9]* r, # USB modems
- @{run}/udev/data/c18[0,8,9]:[0-9]* r, # USB devices & USB serial converters
- @{run}/udev/data/c8[0-9]:[0-9]* r,
+ @{run}/udev/data/c16[6,7]:@{int} r, # USB modems
+ @{run}/udev/data/c18[0,8,9]:@{int} r, # USB devices & USB serial converters
+ @{run}/udev/data/c8[0-9]:@{int} r,
 include if exists
\ No newline at end of file
diff --git a/apparmor.d/abstractions/disks-read b/apparmor.d/abstractions/disks-read
index 96852672..9aef7ff3 100644
--- a/apparmor.d/abstractions/disks-read
+++ b/apparmor.d/abstractions/disks-read
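Review bot: The bracket expressions in the re-touched udev lines `c16[6,7]:@{int}` and `c18[0,8,9]:@{int}` list single characters, so each also admits a literal comma as an alternative; `c16[67]:@{int}` and `c18[089]:@{int}` express the intended major numbers exactly without the stray character. The third line of the group, `@{run}/udev/data/c8[0-9]:@{int} r,`, is the only one without a trailing comment naming the device class it covers, unlike its two neighbours; adding one in the same `# ...` form would keep the group self-explanatory.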
@@ -13,86 +13,86 @@
 # Regular disk/partition devices
 /dev/{s,v}d[a-z]* rk,
- /dev/{s,v}d[a-z]*[0-9]* rk,
+ /dev/{s,v}d[a-z]*@{int} rk,
 @{sys}/devices/pci[0-9]*/**/block/{s,v}d[a-z]/ r,
 @{sys}/devices/pci[0-9]*/**/block/{s,v}d[a-z]/** r,
 @{sys}/devices/pci[0-9]*/**/{usb,ata}[0-9]/** r,
 # SSD Nvme devices
 /dev/nvme* rk,
- @{sys}/devices/pci[0-9]*/**/nvme/nvme[0-9]*/{,**} r,
+ @{sys}/devices/pci[0-9]*/**/nvme/nvme@{int}/{,**} r,
 # SD card devices
- /dev/mmcblk[0-9]* rk,
- /dev/mmcblk[0-9]*p[0-9]* rk,
- @{sys}/devices/pci[0-9]*/**/block/mmcblk[0-9]*/ r,
- @{sys}/devices/pci[0-9]*/**/block/mmcblk[0-9]*/** r,
- @{sys}/devices/pci[0-9]*/**/mmc[0-9]*/mmc*/ r,
- @{sys}/devices/pci[0-9]*/**/mmc[0-9]*/mmc*/** r,
+ /dev/mmcblk@{int} rk,
+ /dev/mmcblk@{int}p@{int} rk,
+ @{sys}/devices/pci[0-9]*/**/block/mmcblk@{int}/ r,
+ @{sys}/devices/pci[0-9]*/**/block/mmcblk@{int}/** r,
+ @{sys}/devices/pci[0-9]*/**/mmc@{int}/mmc*/ r,
+ @{sys}/devices/pci[0-9]*/**/mmc@{int}/mmc*/** r,
 # Loop devices
- /dev/loop[0-9]* rk,
- /dev/loop[0-9]*p[0-9]* rk,
- @{sys}/devices/virtual/block/loop[0-9]*/ r,
- @{sys}/devices/virtual/block/loop[0-9]*/** r,
+ /dev/loop@{int} rk,
+ /dev/loop@{int}p@{int} rk,
+ @{sys}/devices/virtual/block/loop@{int}/ r,
+ @{sys}/devices/virtual/block/loop@{int}/** r,
 # LUKS/LVM (device-mapper) devices
- /dev/dm-[0-9]* rk,
+ /dev/dm-@{int} rk,
 /dev/mapper/{,*} r,
- @{sys}/devices/virtual/block/dm-[0-9]*/ r,
- @{sys}/devices/virtual/block/dm-[0-9]*/** r,
+ @{sys}/devices/virtual/block/dm-@{int}/ r,
+ @{sys}/devices/virtual/block/dm-@{int}/** r,
 # ZFS devices
- /dev/zd[0-9]* rk,
+ /dev/zd@{int} rk,
 /dev/zvol/{,*/} r,
 /dev/*pool/ r,
- @{sys}/devices/virtual/block/zd[0-9]*/ r,
- @{sys}/devices/virtual/block/zd[0-9]*/** r,
+ @{sys}/devices/virtual/block/zd@{int}/ r,
+ @{sys}/devices/virtual/block/zd@{int}/** r,
 # ZRAM devices
- /dev/zram[0-9]* rk,
- @{sys}/devices/virtual/block/zram[0-9]*/ r,
- @{sys}/devices/virtual/block/zram[0-9]*/** r,
+ /dev/zram@{int} rk,
+ @{sys}/devices/virtual/block/zram@{int}/ r,
+ @{sys}/devices/virtual/block/zram@{int}/** r,
 # NBD devices
 /dev/nbd* rk,
- @{sys}/devices/virtual/block/nbd[0-9]*/ r,
- @{sys}/devices/virtual/block/nbd[0-9]*/** r,
+ @{sys}/devices/virtual/block/nbd@{int}/ r,
+ @{sys}/devices/virtual/block/nbd@{int}/** r,
 # Floppy disks
- /dev/fd[0-9]* rk,
- @{sys}/devices/platform/floppy.[0-9]*/block/fd[0-9]/ r,
- @{sys}/devices/platform/floppy.[0-9]*/block/fd[0-9]/** r,
+ /dev/fd@{int} rk,
+ @{sys}/devices/platform/floppy.@{int}/block/fd[0-9]/ r,
+ @{sys}/devices/platform/floppy.@{int}/block/fd[0-9]/** r,
 # Armbian / DietPi
- @{sys}/devices/platform/{soc,*.mmc}/**/block/mmcblk[0-9]*/{,mmcblk*/} r,
- @{sys}/devices/platform/{soc,*.mmc}/**/block/mmcblk[0-9]*/{,mmcblk*/}hidden r,
- @{sys}/devices/platform/{soc,*.mmc}/**/block/mmcblk[0-9]*/{,mmcblk*/}dev r,
- @{sys}/devices/platform/{soc,*.mmc}/**/block/mmcblk[0-9]*/{,mmcblk*/}size r,
- @{sys}/devices/platform/{soc,*.mmc}/**/block/mmcblk[0-9]*/{,mmcblk*/}ro r,
- @{sys}/devices/platform/{soc,*.mmc}/**/block/mmcblk[0-9]*/{,mmcblk*/}removable r,
- @{sys}/devices/platform/{soc,*.mmc}/**/block/mmcblk[0-9]*/{,mmcblk*/}start r,
- @{sys}/devices/platform/{soc,*.mmc}/**/block/mmcblk[0-9]*/{,mmcblk*/}uevent r,
- @{sys}/devices/platform/{soc,*.mmc}/**/block/mmcblk[0-9]*/{,mmcblk*/}holders/ r,
- @{sys}/devices/platform/{soc,*.mmc}/**/block/mmcblk[0-9]*/{,mmcblk*/}slaves/ r,
- @{sys}/devices/platform/{soc,*.mmc}/**/mmc[0-9]*/mmc*/ r,
- @{sys}/devices/platform/{soc,*.mmc}/**/mmc[0-9]*/mmc*/type r,
- @{sys}/devices/virtual/block/ram[0-9]*/ r,
- @{sys}/devices/virtual/block/ram[0-9]*/hidden r,
- @{sys}/devices/virtual/block/ram[0-9]*/dev r,
- @{sys}/devices/virtual/block/ram[0-9]*/size r,
- @{sys}/devices/virtual/block/ram[0-9]*/ro r,
- @{sys}/devices/virtual/block/ram[0-9]*/removable r,
- @{sys}/devices/virtual/block/ram[0-9]*/holders/ r,
- @{sys}/devices/virtual/block/ram[0-9]*/slaves/ r,
+ @{sys}/devices/platform/{soc,*.mmc}/**/block/mmcblk@{int}/{,mmcblk*/} r,
+ @{sys}/devices/platform/{soc,*.mmc}/**/block/mmcblk@{int}/{,mmcblk*/}hidden r,
+ @{sys}/devices/platform/{soc,*.mmc}/**/block/mmcblk@{int}/{,mmcblk*/}dev r,
+ @{sys}/devices/platform/{soc,*.mmc}/**/block/mmcblk@{int}/{,mmcblk*/}size r,
+ @{sys}/devices/platform/{soc,*.mmc}/**/block/mmcblk@{int}/{,mmcblk*/}ro r,
+ @{sys}/devices/platform/{soc,*.mmc}/**/block/mmcblk@{int}/{,mmcblk*/}removable r,
+ @{sys}/devices/platform/{soc,*.mmc}/**/block/mmcblk@{int}/{,mmcblk*/}start r,
+ @{sys}/devices/platform/{soc,*.mmc}/**/block/mmcblk@{int}/{,mmcblk*/}uevent r,
+ @{sys}/devices/platform/{soc,*.mmc}/**/block/mmcblk@{int}/{,mmcblk*/}holders/ r,
+ @{sys}/devices/platform/{soc,*.mmc}/**/block/mmcblk@{int}/{,mmcblk*/}slaves/ r,
+ @{sys}/devices/platform/{soc,*.mmc}/**/mmc@{int}/mmc*/ r,
+ @{sys}/devices/platform/{soc,*.mmc}/**/mmc@{int}/mmc*/type r,
+ @{sys}/devices/virtual/block/ram@{int}/ r,
+ @{sys}/devices/virtual/block/ram@{int}/hidden r,
+ @{sys}/devices/virtual/block/ram@{int}/dev r,
+ @{sys}/devices/virtual/block/ram@{int}/size r,
+ @{sys}/devices/virtual/block/ram@{int}/ro r,
+ @{sys}/devices/virtual/block/ram@{int}/removable r,
+ @{sys}/devices/virtual/block/ram@{int}/holders/ r,
+ @{sys}/devices/virtual/block/ram@{int}/slaves/ r,
 # investigate
-# /dev/ram[0-9]* r,
+# /dev/ram@{int} r,
 # ??
- @{sys}/devices/pci[0-9]*/*/virtio[0-9]*/host[0-9]*/target*/*/type r,
+ @{sys}/devices/pci[0-9]*/*/virtio@{int}/host@{int}/target*/*/type r,
 # CD-ROM
- /dev/sr[0-9]* rk,
+ /dev/sr@{int} rk,
 @{sys}/class/block/ r,
 @{sys}/block/ r,
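Review bot: `/dev/nvme* rk,` stays an open glob in this hunk while every other device node here is narrowed to `@{int}`, and it diverges from disks-write, which this same patch changes to `/dev/nvme@{int} rwk,`; the bare `nvme*` also matches unrelated nodes such as `/dev/nvme-fabrics`. Two rules cover the controller, namespace and partition nodes without the open glob: `/dev/nvme@{int} rk,` and `/dev/nvme@{int}n@{int}{,p@{int}} rk,`. The same observation applies to `/dev/nbd* rk,` further down, which `/dev/nbd@{int}{,p@{int}} rk,` would express in the patch's new vocabulary.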
@@ -105,18 +105,18 @@
 # changes, it's better to allow the whole range (240-254) instead of the single major numbers
 # visible in the /proc/devices file.
 # [1]: https://raw.githubusercontent.com/torvalds/linux/master/Documentation/admin-guide/devices.txt
- @{run}/udev/data/b24[0-9]:[0-9]* r,
- @{run}/udev/data/b25[0-4]:[0-9]* r,
- @{run}/udev/data/b259:[0-9]* r,
+ @{run}/udev/data/b24[0-9]:@{int} r,
+ @{run}/udev/data/b25[0-4]:@{int} r,
+ @{run}/udev/data/b259:@{int} r,
- @{run}/udev/data/b11:[0-9]* r, # for /dev/sr*
- @{run}/udev/data/b179:[0-9]* r, # for /dev/mmcblk*
- @{run}/udev/data/b230:[0-9]* r, # for /dev/zvol*
- @{run}/udev/data/b43:[0-9]* r, # for /dev/nbd*
- @{run}/udev/data/b7:[0-9]* r, # for /dev/loop*
- @{run}/udev/data/b8:[0-9]* r, # for /dev/sd*
+ @{run}/udev/data/b11:@{int} r, # for /dev/sr*
+ @{run}/udev/data/b179:@{int} r, # for /dev/mmcblk*
+ @{run}/udev/data/b230:@{int} r, # for /dev/zvol*
+ @{run}/udev/data/b43:@{int} r, # for /dev/nbd*
+ @{run}/udev/data/b7:@{int} r, # for /dev/loop*
+ @{run}/udev/data/b8:@{int} r, # for /dev/sd*
- @{run}/udev/data/c189:[0-9]* r, # for /dev/bus/usb/**
+ @{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/**
 @{run}/udev/data/+usb:* r, # for ?
diff --git a/apparmor.d/abstractions/disks-write b/apparmor.d/abstractions/disks-write
index 3d2124e9..be9d5dba 100644
--- a/apparmor.d/abstractions/disks-write
+++ b/apparmor.d/abstractions/disks-write
@@ -13,57 +13,57 @@
 # Regular disk/partition devices
 /dev/{s,v}d[a-z]* rwk,
- /dev/{s,v}d[a-z]*[0-9]* rwk,
+ /dev/{s,v}d[a-z]*@{int} rwk,
 @{sys}/devices/pci[0-9]*/**/block/{s,v}d[a-z]/ r,
 @{sys}/devices/pci[0-9]*/**/block/{s,v}d[a-z]/** r,
 @{sys}/devices/pci[0-9]*/**/{usb,ata}[0-9]/** r,
 # SSD Nvme devices
- /dev/nvme[0-9]* rwk,
- @{sys}/devices/pci[0-9]*/**/nvme/nvme[0-9]*/{,**} r,
+ /dev/nvme@{int} rwk,
+ @{sys}/devices/pci[0-9]*/**/nvme/nvme@{int}/{,**} r,
 # SD card devices
- /dev/mmcblk[0-9]* rwk,
- /dev/mmcblk[0-9]*p[0-9]* rwk,
- @{sys}/devices/pci[0-9]*/**/block/mmcblk[0-9]*/ r,
- @{sys}/devices/pci[0-9]*/**/block/mmcblk[0-9]*/** r,
- @{sys}/devices/pci[0-9]*/**/mmc[0-9]*/mmc*/ r,
- @{sys}/devices/pci[0-9]*/**/mmc[0-9]*/mmc*/** r,
+ /dev/mmcblk@{int} rwk,
+ /dev/mmcblk@{int}p@{int} rwk,
+ @{sys}/devices/pci[0-9]*/**/block/mmcblk@{int}/ r,
+ @{sys}/devices/pci[0-9]*/**/block/mmcblk@{int}/** r,
+ @{sys}/devices/pci[0-9]*/**/mmc@{int}/mmc*/ r,
+ @{sys}/devices/pci[0-9]*/**/mmc@{int}/mmc*/** r,
 # Loop devices
- /dev/loop[0-9]* rwk,
- /dev/loop[0-9]*p[0-9]* rwk,
- @{sys}/devices/virtual/block/loop[0-9]*/ r,
- @{sys}/devices/virtual/block/loop[0-9]*/** r,
+ /dev/loop@{int} rwk,
+ /dev/loop@{int}p@{int} rwk,
+ @{sys}/devices/virtual/block/loop@{int}/ r,
+ @{sys}/devices/virtual/block/loop@{int}/** r,
 # LUKS/LVM (device-mapper) devices
- /dev/dm-[0-9]* rwk,
+ /dev/dm-@{int} rwk,
 /dev/mapper/{,*} rw,
- @{sys}/devices/virtual/block/dm-[0-9]*/ r,
- @{sys}/devices/virtual/block/dm-[0-9]*/** r,
+ @{sys}/devices/virtual/block/dm-@{int}/ r,
+ @{sys}/devices/virtual/block/dm-@{int}/** r,
 # ZFS devices
- /dev/zd[0-9]* rwk,
- @{sys}/devices/virtual/block/zd[0-9]*/ r,
- @{sys}/devices/virtual/block/zd[0-9]*/** r,
+ /dev/zd@{int} rwk,
+ @{sys}/devices/virtual/block/zd@{int}/ r,
+ @{sys}/devices/virtual/block/zd@{int}/** r,
 # ZRAM devices
- /dev/zram[0-9]* rwk,
- @{sys}/devices/virtual/block/zram[0-9]*/ r,
- @{sys}/devices/virtual/block/zram[0-9]*/** r,
+ /dev/zram@{int} rwk,
+ @{sys}/devices/virtual/block/zram@{int}/ r,
+ @{sys}/devices/virtual/block/zram@{int}/** r,
 # NBD devices
 /dev/nbd* rwk,
- @{sys}/devices/virtual/block/nbd[0-9]*/ r,
- @{sys}/devices/virtual/block/nbd[0-9]*/** r,
+ @{sys}/devices/virtual/block/nbd@{int}/ r,
+ @{sys}/devices/virtual/block/nbd@{int}/** r,
 # Floppy disks
- /dev/fd[0-9]* rwk,
- @{sys}/devices/platform/floppy.[0-9]*/block/fd[0-9]/ r,
- @{sys}/devices/platform/floppy.[0-9]*/block/fd[0-9]/** r,
+ /dev/fd@{int} rwk,
+ @{sys}/devices/platform/floppy.@{int}/block/fd[0-9]/ r,
+ @{sys}/devices/platform/floppy.@{int}/block/fd[0-9]/** r,
 # CD-ROM
- /dev/sr[0-9]* rwk,
+ /dev/sr@{int} rwk,
 @{sys}/class/block/ r,
 @{sys}/block/ r,
@@ -76,19 +76,19 @@
 # changes, it's better to allow the whole range (240-254) instead of the single major numbers
 # visible in the /proc/devices file.
 # [1]: https://raw.githubusercontent.com/torvalds/linux/master/Documentation/admin-guide/devices.txt
- @{run}/udev/data/b24[0-9]:[0-9]* r,
- @{run}/udev/data/b25[0-4]:[0-9]* r,
- @{run}/udev/data/b259:[0-9]* r,
+ @{run}/udev/data/b24[0-9]:@{int} r,
+ @{run}/udev/data/b25[0-4]:@{int} r,
+ @{run}/udev/data/b259:@{int} r,
- @{run}/udev/data/b11:[0-9]* r, # for /dev/sr*
- @{run}/udev/data/b179:[0-9]* r, # for /dev/mmcblk*
- @{run}/udev/data/b2:[0-9]* r, # for /dev/fd*
- @{run}/udev/data/b230:[0-9]* r, # for /dev/zvol*
- @{run}/udev/data/b43:[0-9]* r, # for /dev/nbd*
- @{run}/udev/data/b7:[0-9]* r, # for /dev/loop*
- @{run}/udev/data/b8:[0-9]* r, # for /dev/sd*
+ @{run}/udev/data/b11:@{int} r, # for /dev/sr*
+ @{run}/udev/data/b179:@{int} r, # for /dev/mmcblk*
+ @{run}/udev/data/b2:@{int} r, # for /dev/fd*
+ @{run}/udev/data/b230:@{int} r, # for /dev/zvol*
+ @{run}/udev/data/b43:@{int} r, # for /dev/nbd*
+ @{run}/udev/data/b7:@{int} r, # for /dev/loop*
+ @{run}/udev/data/b8:@{int} r, # for /dev/sd*
- @{run}/udev/data/c189:[0-9]* r, # for /dev/bus/usb/**
+ @{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/**
 @{run}/udev/data/+usb:* r, # for ?
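Review bot: `/dev/nvme@{int} rwk,` in the first hunk only reaches the NVMe controller character device: if `@{int}` expands to digits alone, as its use for dotted versions as `@{int}.@{int}` elsewhere in this patch suggests, the namespace and partition block nodes (constructed examples: `/dev/nvme0n1`, `/dev/nvme0n1p2`) no longer match, whereas the removed `nvme[0-9]*` covered them. Those block nodes are presumably what callers of a disks-write abstraction need, so keep a second rule next to it: `/dev/nvme@{int}n@{int}{,p@{int}} rwk,`. Note also that disks-read in this same patch leaves `/dev/nvme* rk,` untouched, so the two abstractions now disagree on the shape of NVMe paths; aligning both on the same pair of rules would keep them reviewable side by side.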
diff --git a/apparmor.d/abstractions/fontconfig-cache-write b/apparmor.d/abstractions/fontconfig-cache-write
index db2be5ac..171a5305 100644
--- a/apparmor.d/abstractions/fontconfig-cache-write
+++ b/apparmor.d/abstractions/fontconfig-cache-write
@@ -29,8 +29,8 @@
 /var/cache/fontconfig/ rw,
 owner /var/cache/fontconfig/** rw,
- owner /var/cache/fontconfig/*.cache-[0-9]* rwk,
- owner /var/cache/fontconfig/*.cache-[0-9]*.LCK rwl,
+ owner /var/cache/fontconfig/*.cache-@{int} rwk,
+ owner /var/cache/fontconfig/*.cache-@{int}.LCK rwl,
 owner /var/cache/fontconfig/CACHEDIR.TAG.LCK rwl,
 # For fonts downloaded via font-manager (###FIXME### when they fix resolving of vars)
diff --git a/apparmor.d/abstractions/gnome.d/complete b/apparmor.d/abstractions/gnome.d/complete
index db93e52b..c2fcfab5 100644
--- a/apparmor.d/abstractions/gnome.d/complete
+++ b/apparmor.d/abstractions/gnome.d/complete
@@ -4,4 +4,4 @@
 include
- /var/cache/gio-[0-9]*.[0-9]*/gnome-mimeapps.list r,
+ /var/cache/gio-@{int}.@{int}/gnome-mimeapps.list r,
diff --git a/apparmor.d/abstractions/gstreamer b/apparmor.d/abstractions/gstreamer
index 2b3afac8..46e2a69c 100644
--- a/apparmor.d/abstractions/gstreamer
+++ b/apparmor.d/abstractions/gstreamer
@@ -4,16 +4,16 @@
 # SPDX-License-Identifier: GPL-2.0-only
 @{lib}/frei0r-[0-9]/*.so mr,
- @{lib}/gstreamer-[0-9]*.[0-9]*/gst-plugin-scanner{,x86_64} mrix,
- @{lib}/@{multiarch}/gstreamer[0-9]*.[0-9]*/gstreamer-[0-9]*.[0-9]*/gst-plugin-scanner{,x86_64} mrix,
+ @{lib}/gstreamer-@{int}.@{int}/gst-plugin-scanner{,x86_64} mrix,
+ @{lib}/@{multiarch}/gstreamer@{int}.@{int}/gstreamer-@{int}.@{int}/gst-plugin-scanner{,x86_64} mrix,
 @{lib}/@{multiarch}/libproxy/*/modules/*.so mr,
 @{lib}/@{multiarch}/libproxy/*/pxgsettings ixr,
 @{lib}/@{multiarch}/libvisual-[0-9].[0-9]/*/*.so mr,
 /etc/openni2/OpenNI.ini r,
- owner @{HOME}/{.cache/,.}gstreamer-[0-9]*/ rw,
- owner @{HOME}/{.cache/,.}gstreamer-[0-9]*/registry.*.bin{,.tmp@{rand6}} rw,
+ owner @{HOME}/{.cache/,.}gstreamer-@{int}/ rw,
+ owner @{HOME}/{.cache/,.}gstreamer-@{int}/registry.*.bin{,.tmp@{rand6}} rw,
 /tmp/ r,
 /var/tmp/ r,
@@ -28,9 +28,9 @@
 @{run}/udev/data/+drm:* r, # For screen outputs
 @{run}/udev/data/+usb:* r, # For /dev/bus/usb/**
- @{run}/udev/data/c81:[0-9]* r, # For video4linux
- @{run}/udev/data/c189:[0-9]* r, # For USB serial converters
- @{run}/udev/data/c226:[0-9]* r, # For /dev/dri/card[0-9]*
+ @{run}/udev/data/c81:@{int} r, # For video4linux
+ @{run}/udev/data/c189:@{int} r, # For USB serial converters
+ @{run}/udev/data/c226:@{int} r, # For /dev/dri/card[0-9]*
 @{sys}/bus/ r,
 @{sys}/bus/media/devices/ r,
@@ -40,7 +40,7 @@
 @{sys}/class/video4linux/ r,
 @{sys}/devices/pci[0-9]*/**/{busnum,config,devnum,descriptors,speed,uevent} r,
 @{sys}/devices/system/node/ r,
- @{sys}/devices/system/node/node[0-9]*/meminfo r,
+ @{sys}/devices/system/node/node@{int}/meminfo r,
 /dev/ r,
 /dev/bus/usb/ r,
diff --git a/apparmor.d/abstractions/kde-open5.d/complete b/apparmor.d/abstractions/kde-open5.d/complete
index 73faa281..8497bce9 100644
--- a/apparmor.d/abstractions/kde-open5.d/complete
+++ b/apparmor.d/abstractions/kde-open5.d/complete
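Review bot: The re-touched line `@{run}/udev/data/c226:@{int} r, # For /dev/dri/card[0-9]*` in the second hunk still documents the device with the `[0-9]*` glob this patch is retiring, so the comment and the rule now speak two dialects; `# For /dev/dri/card@{int}` keeps them in step. In the first hunk `@{lib}/frei0r-[0-9]/*.so` and `libvisual-[0-9].[0-9]` remain as single-digit classes beside the converted gstreamer paths; if those are deliberate single-digit matches a short comment saying so would stop the next sweep from converting them, and if not they are candidates for the same `@{int}` treatment.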
@@ -1,5 +1,9 @@
-@{bin}/kde-open rix,
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
-owner @{user_config_dirs}/menus/{,**} r,
+ @{bin}/kde-open rix,
-owner @{run}/user/@{uid}/kioclient*.[0-9]*.kioworker.socket rwl -> @{run}/user/@{uid}/#[0-9]*[0-9],
+ owner @{user_config_dirs}/menus/{,**} r,
+
+ owner @{run}/user/@{uid}/kioclient*.[0-9]*.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int},
diff --git a/apparmor.d/abstractions/thumbnails-cache-read b/apparmor.d/abstractions/thumbnails-cache-read
index 0127ef4c..c8a65d3b 100644
--- a/apparmor.d/abstractions/thumbnails-cache-read
+++ b/apparmor.d/abstractions/thumbnails-cache-read
@@ -7,10 +7,10 @@
 owner @{HOME}/thumbnails/ r,
 owner @{HOME}/thumbnails/{large,normal}/ r,
- owner @{HOME}/thumbnails/{large,normal}/[a-f0-9]*.png r,
+ owner @{HOME}/thumbnails/{large,normal}/@{hex}.png r,
 owner @{user_cache_dirs}/thumbnails/ r,
 owner @{user_cache_dirs}/thumbnails/{*large,normal}/ r,
- owner @{user_cache_dirs}/thumbnails/{*large,normal}/[a-f0-9]*.png r,
+ owner @{user_cache_dirs}/thumbnails/{*large,normal}/@{hex}.png r,
 include if exists
\ No newline at end of file
diff --git a/apparmor.d/abstractions/thumbnails-cache-write b/apparmor.d/abstractions/thumbnails-cache-write
index 19944649..59307d37 100644
--- a/apparmor.d/abstractions/thumbnails-cache-write
+++ b/apparmor.d/abstractions/thumbnails-cache-write
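Review bot: The last added line of the kde-open5 hunk keeps `[0-9]*` in `kioclient*.[0-9]*.kioworker.socket` although this patch retires that glob everywhere else, and because `*` matches any run of characters other than `/`, the middle component of the socket name is effectively unconstrained. If that component is numeric, as the leading digit class implies, `owner @{run}/user/@{uid}/kioclient*.[0-9]*.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int},` can become `owner @{run}/user/@{uid}/kioclient*.@{int}.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int},` in the same spirit as the `#@{int}` link target on the right-hand side. If the component is not purely numeric, a short comment on the line saying what it holds would justify keeping the wider match.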
@@ -7,11 +7,11 @@
 owner @{HOME}/thumbnails/ rw,
 owner @{HOME}/thumbnails/{large,normal}/ rw,
 owner @{HOME}/thumbnails/{large,normal}/#@{int} rw,
- owner @{HOME}/thumbnails/{large,normal}/[a-f0-9]*.png rwl -> @{user_cache_dirs}/thumbnails/{large,normal}/#@{int},
+ owner @{HOME}/thumbnails/{large,normal}/@{hex}.png rwl -> @{user_cache_dirs}/thumbnails/{large,normal}/#@{int},
 owner @{user_cache_dirs}/thumbnails/ rw,
 owner @{user_cache_dirs}/thumbnails/{large,normal}/ rw,
 owner @{user_cache_dirs}/thumbnails/{large,normal}/#@{int} rw,
- owner @{user_cache_dirs}/thumbnails/{large,normal}/[a-f0-9]*.png rwl -> @{user_cache_dirs}/thumbnails/{large,normal}/#@{int},
+ owner @{user_cache_dirs}/thumbnails/{large,normal}/@{hex}.png rwl -> @{user_cache_dirs}/thumbnails/{large,normal}/#@{int},
 include if exists
\ No newline at end of file
diff --git a/apparmor.d/abstractions/trash.d/complete b/apparmor.d/abstractions/trash.d/complete
index c15fc1ae..80243f4d 100644
--- a/apparmor.d/abstractions/trash.d/complete
+++ b/apparmor.d/abstractions/trash.d/complete
@@ -9,7 +9,7 @@
 owner @{user_config_dirs}/trashrc.* rwl -> @{user_config_dirs}/#@{int},
 owner @{run}/user/@{uid}/#@{int} rw,
- owner @{run}/user/@{uid}/trash.so*.[0-9].slave-socket rwl -> @{run}/user/@{uid}/#@{int},
+ owner @{run}/user/@{uid}/trash.so*.@{int}.slave-socket rwl -> @{run}/user/@{uid}/#@{int},
 # Home trash location
 owner @{user_share_dirs}/Trash/{,**} rwl,
@@ -18,10 +18,10 @@
 owner /{media,mnt}/*/.Trash/{,**} rwl,
 # Partitions' trash location when the admin doesn't create the .Trash/ folder in the top lvl dir
- owner /{media,mnt}/*/.Trash-[0-9]*/{,**} rwl,
+ owner /{media,mnt}/*/.Trash-@{int}/{,**} rwl,
 # Removable media's trash location when the admin creates the .Trash/ folder in the top lvl dir
 owner /{media,mnt}/*/*/.Trash/{,**} rwl,
 # Removable media's trash location when the admin doesn't create the .Trash/ folder in the top lvl dir
- owner /{media,mnt}/*/*/.Trash-[0-9]*/{,**} rwl,
+ owner /{media,mnt}/*/*/.Trash-@{int}/{,**} rwl,
diff --git a/apparmor.d/abstractions/wayland.d/complete b/apparmor.d/abstractions/wayland.d/complete
index 0be182d2..982530f5 100644
--- a/apparmor.d/abstractions/wayland.d/complete
+++ b/apparmor.d/abstractions/wayland.d/complete
@@ -3,4 +3,4 @@
 # SPDX-License-Identifier: GPL-2.0-only
 owner /dev/shm/sway* rw,
- owner /dev/shm/dunst-?????? rw,
+ owner /dev/shm/dunst-@{rand6} rw,
diff --git a/apparmor.d/abstractions/zsh b/apparmor.d/abstractions/zsh
index b3508749..b314e739 100644
--- a/apparmor.d/abstractions/zsh
+++ b/apparmor.d/abstractions/zsh
@@ -8,7 +8,7 @@
 /usr/share/zsh/{,**} r,
 /usr/local/share/zsh/{,**} r,
- @{lib}/@{multiarch}/zsh/[0-9]*/zsh/*.so mr,
+ @{lib}/@{multiarch}/zsh/@{int}/zsh/*.so mr,
 /etc/zsh/zshenv r,
 /etc/zsh/zshrc r,
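Review bot: In the zsh hunk, `@{lib}/@{multiarch}/zsh/@{int}/zsh/*.so mr,` assumes the module directory is a bare integer, but zsh installs its modules under a dotted version directory (constructed example: `zsh/5.9/zsh/`), which the removed `[0-9]*` matched and a digits-only `@{int}` would not, so confined shells would lose the ability to map their own modules. The dotted form this patch already uses for gstreamer and gio fits here: `@{lib}/@{multiarch}/zsh/@{int}.@{int}{,.@{int}}/zsh/*.so mr,`. If `@{int}` is in fact defined to admit dots, a comment on the line saying so would settle the question for the next reader.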