From bb71f495983484834200da7207bc1542854eea8b Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol Date: Sun, 9 Jul 2023 13:20:25 +0100 Subject: [PATCH] refactor(profiles): use @{bin} and @{lib} in profiles (1) --- apparmor.d/abstractions/app-launcher-root | 4 +- apparmor.d/abstractions/app-launcher-user | 12 +- apparmor.d/abstractions/chromium | 42 +++--- apparmor.d/abstractions/gstreamer | 12 +- apparmor.d/abstractions/kde4 | 6 +- apparmor.d/abstractions/kde5-plasma5 | 6 +- apparmor.d/abstractions/python.d/complete | 4 +- apparmor.d/abstractions/zsh | 2 +- apparmor.d/groups/_full/systemd | 80 ++++++------ .../groups/akonadi/akonadi_akonotes_resource | 2 +- .../groups/akonadi/akonadi_archivemail_agent | 2 +- .../groups/akonadi/akonadi_birthdays_resource | 2 +- .../groups/akonadi/akonadi_contacts_resource | 2 +- apparmor.d/groups/akonadi/akonadi_control | 6 +- .../akonadi/akonadi_followupreminder_agent | 2 +- .../groups/akonadi/akonadi_ical_resource | 2 +- .../groups/akonadi/akonadi_indexing_agent | 2 +- .../groups/akonadi/akonadi_maildir_resource | 2 +- .../akonadi/akonadi_maildispatcher_agent | 2 +- .../groups/akonadi/akonadi_mailfilter_agent | 2 +- .../groups/akonadi/akonadi_mailmerge_agent | 2 +- .../groups/akonadi/akonadi_migration_agent | 2 +- .../akonadi/akonadi_newmailnotifier_agent | 2 +- apparmor.d/groups/akonadi/akonadi_notes_agent | 2 +- .../groups/akonadi/akonadi_sendlater_agent | 2 +- .../akonadi/akonadi_unifiedmailbox_agent | 2 +- apparmor.d/groups/apps/android-studio | 109 ++++++++-------- apparmor.d/groups/apps/atom | 70 +++++----- apparmor.d/groups/apps/calibre | 34 ++--- apparmor.d/groups/apps/code | 16 +-- apparmor.d/groups/apps/discord | 50 +++---- apparmor.d/groups/apps/dropbox | 42 +++--- apparmor.d/groups/apps/filezilla | 12 +- apparmor.d/groups/apps/flameshot | 16 +-- apparmor.d/groups/apps/freetube | 30 ++--- .../groups/apps/freetube-chrome-sandbox | 4 +- apparmor.d/groups/apps/geany | 20 +-- apparmor.d/groups/apps/okular | 20 +-- apparmor.d/groups/apps/signal-desktop | 4 +- apparmor.d/groups/apps/spotify | 2 +- 
apparmor.d/groups/apps/telegram-desktop | 38 +++--- apparmor.d/groups/apps/thunderbird | 84 ++++++------ apparmor.d/groups/apps/vlc | 24 ++-- apparmor.d/groups/apt/apt | 122 +++++++++--------- apparmor.d/groups/apt/apt-cache | 4 +- apparmor.d/groups/apt/apt-cdrom | 12 +- apparmor.d/groups/apt/apt-config | 4 +- apparmor.d/groups/apt/apt-extracttemplates | 4 +- apparmor.d/groups/apt/apt-file | 16 +-- apparmor.d/groups/apt/apt-forktracer | 8 +- apparmor.d/groups/apt/apt-ftparchive | 2 +- apparmor.d/groups/apt/apt-key | 58 ++++----- apparmor.d/groups/apt/apt-listbugs | 22 ++-- apparmor.d/groups/apt/apt-listbugs-aptcleanup | 4 +- .../groups/apt/apt-listbugs-migratepins | 10 +- apparmor.d/groups/apt/apt-listbugs-prefclean | 14 +- apparmor.d/groups/apt/apt-listchanges | 30 ++--- apparmor.d/groups/apt/apt-mark | 4 +- apparmor.d/groups/apt/apt-methods-cdrom | 2 +- apparmor.d/groups/apt/apt-methods-copy | 4 +- apparmor.d/groups/apt/apt-methods-file | 4 +- apparmor.d/groups/apt/apt-methods-ftp | 2 +- apparmor.d/groups/apt/apt-methods-gpgv | 42 +++--- apparmor.d/groups/apt/apt-methods-http | 4 +- apparmor.d/groups/apt/apt-methods-mirror | 2 +- apparmor.d/groups/apt/apt-methods-rred | 4 +- apparmor.d/groups/apt/apt-methods-rsh | 2 +- apparmor.d/groups/apt/apt-methods-store | 4 +- apparmor.d/groups/apt/apt-overlay | 14 +- apparmor.d/groups/apt/apt-show-versions | 12 +- apparmor.d/groups/apt/apt-sortpkgs | 2 +- apparmor.d/groups/apt/apt-systemd-daily | 58 ++++----- apparmor.d/groups/apt/aptitude | 48 +++---- .../groups/apt/aptitude-changelog-parser | 4 +- .../groups/apt/aptitude-create-state-bundle | 12 +- .../groups/apt/aptitude-run-state-bundle | 14 +- apparmor.d/groups/apt/command-not-found | 10 +- apparmor.d/groups/apt/debconf-apt-progress | 18 +-- apparmor.d/groups/apt/debconf-show | 6 +- apparmor.d/groups/apt/deborphan | 2 +- apparmor.d/groups/apt/debsecan | 10 +- apparmor.d/groups/apt/debsign | 44 +++---- apparmor.d/groups/apt/debsums | 15 +-- apparmor.d/groups/apt/debtags 
| 8 +- apparmor.d/groups/apt/dpkg | 38 +++--- apparmor.d/groups/apt/dpkg-architecture | 18 +-- apparmor.d/groups/apt/dpkg-buildflags | 4 +- apparmor.d/groups/apt/dpkg-checkbuilddeps | 4 +- apparmor.d/groups/apt/dpkg-deb | 6 +- apparmor.d/groups/apt/dpkg-divert | 2 +- apparmor.d/groups/apt/dpkg-genbuildinfo | 4 +- apparmor.d/groups/apt/dpkg-genchanges | 4 +- apparmor.d/groups/apt/dpkg-preconfigure | 20 +-- apparmor.d/groups/apt/dpkg-query | 10 +- apparmor.d/groups/apt/dpkg-split | 4 +- apparmor.d/groups/apt/dpkg-trigger | 2 +- apparmor.d/groups/apt/dpkg-vendor | 2 +- apparmor.d/groups/apt/querybts | 30 ++--- apparmor.d/groups/apt/reportbug | 74 +++++------ apparmor.d/groups/apt/synaptic | 60 ++++----- apparmor.d/groups/apt/unattended-upgrade | 42 +++--- .../groups/apt/unattended-upgrade-shutdown | 2 +- apparmor.d/groups/apt/update-apt-xapian-index | 8 +- apparmor.d/groups/avahi/avahi-autoipd | 2 +- apparmor.d/groups/avahi/avahi-browse | 4 +- apparmor.d/groups/avahi/avahi-publish | 2 +- apparmor.d/groups/avahi/avahi-resolve | 2 +- apparmor.d/groups/avahi/avahi-set-host-name | 2 +- apparmor.d/groups/browsers/brave | 2 +- apparmor.d/groups/browsers/brave-wrapper | 14 +- apparmor.d/groups/browsers/chrome | 2 +- apparmor.d/groups/browsers/chrome-wrapper | 14 +- apparmor.d/groups/browsers/chromium | 2 +- .../groups/browsers/chromium-crashpad-handler | 2 +- apparmor.d/groups/browsers/chromium-sandbox | 4 +- apparmor.d/groups/browsers/chromium-wrapper | 30 ++--- apparmor.d/groups/browsers/firefox | 38 +++--- .../groups/browsers/firefox-crashreporter | 4 +- .../groups/browsers/firefox-kmozillahelper | 2 +- .../groups/browsers/firefox-minidump-analyzer | 2 +- apparmor.d/groups/browsers/firefox-pingsender | 2 +- .../groups/browsers/firefox-plugin-container | 2 +- apparmor.d/groups/browsers/opera | 2 +- .../groups/browsers/opera-crashreporter | 2 +- apparmor.d/groups/browsers/opera-sandbox | 2 +- 125 files changed, 955 insertions(+), 959 deletions(-) 
diff --git a/apparmor.d/abstractions/app-launcher-root b/apparmor.d/abstractions/app-launcher-root index 0d3c8e5f..3f4c96bb 100644 --- a/apparmor.d/abstractions/app-launcher-root +++ b/apparmor.d/abstractions/app-launcher-root @@ -8,8 +8,8 @@ # Root app location / r, /usr/ r, - /{usr/,}{s,}bin/ r, - /{usr/,}{s,}bin/[a-z0-9]* rPUx, + @{bin}/ r, + @{bin}/[a-z0-9]* rPUx, /usr/local/{s,}bin/ r, /usr/local/{s,}bin/[a-zA-Z0-9]* rPUx, diff --git a/apparmor.d/abstractions/app-launcher-user b/apparmor.d/abstractions/app-launcher-user index 4ea2be84..4f137bd4 100644 --- a/apparmor.d/abstractions/app-launcher-user +++ b/apparmor.d/abstractions/app-launcher-user @@ -21,26 +21,26 @@ /usr/share/codium/codium rPUx, # Firefox - /{usr/,}bin/firefox{,.sh,-esr,-bin} rPx, - /{usr/,}lib{,32,64}/firefox{,.sh,-esr,-bin}/firefox{,.sh,-esr,-bin} rPx, + @{bin}/firefox{,.sh,-esr,-bin} rPx, + @{lib}/firefox{,.sh,-esr,-bin}/firefox{,.sh,-esr,-bin} rPx, /opt/firefox{,.sh,-esr,-bin}/firefox{,.sh,-esr,-bin} rPx, # Thunderbird - /{usr/,}bin/thunderbird{,.sh,-esr,-bin} rPx, - /{usr/,}lib{,32,64}/thunderbird{,.sh,-esr,-bin}/thunderbird{,.sh,-esr,-bin} rPx, + @{bin}/thunderbird{,.sh,-esr,-bin} rPx, + @{lib}/thunderbird{,.sh,-esr,-bin}/thunderbird{,.sh,-esr,-bin} rPx, /opt/thunderbird{,.sh,-esr,-bin}/thunderbird{,.sh,-esr,-bin} rPx, # Brave /opt/brave{-bin,.com}/brave{,-beta,-dev,-bin}/brave{,-beta,-dev,-bin,-browser} rPx, # Chromium - /{usr/,}lib/chromium/chromium rPx, + @{lib}/chromium/chromium rPx, # Chrome /opt/google/chrome{,-beta,-stable,-unstable}/chrome{,-beta,-stable,-unstable} rPx, # Opera - /{usr/,}lib/@{multiarch}/opera{,-beta,-developer}/opera{,-beta,-developer} rPx, + @{lib}/@{multiarch}/opera{,-beta,-developer}/opera{,-beta,-developer} rPx, # Discord /usr/share/ r, diff --git a/apparmor.d/abstractions/chromium b/apparmor.d/abstractions/chromium index fb06fabe..5ff6a06d 100644 --- a/apparmor.d/abstractions/chromium +++ b/apparmor.d/abstractions/chromium 
@@ -8,7 +8,7 @@ # This abstraction requires the following variables definied in the profile header: # @{chromium_name} = chromium # @{chromium_domain} = org.chromium.Chromium -# @{chromium_lib_dirs} = /{usr/,}lib/chromium +# @{chromium_lib_dirs} = @{lib}/chromium # @{chromium_config_dirs} = @{user_config_dirs}/chromium # @{chromium_cache_dirs} = @{user_cache_dirs}/chromium @@ -60,32 +60,32 @@ @{chromium_lib_dirs}/chrome-sandbox rPx, # Desktop integration - /{usr/,}bin/lsb_release rPx -> lsb_release, - /{usr/,}bin/xdg-desktop-menu rPx, - /{usr/,}bin/xdg-email rPx, - /{usr/,}bin/xdg-icon-resource rPx, - /{usr/,}bin/xdg-mime rPx, - /{usr/,}bin/xdg-open rPx -> child-open, - /{usr/,}bin/xdg-settings rPx, + @{bin}/lsb_release rPx -> lsb_release, + @{bin}/xdg-desktop-menu rPx, + @{bin}/xdg-email rPx, + @{bin}/xdg-icon-resource rPx, + @{bin}/xdg-mime rPx, + @{bin}/xdg-open rPx -> child-open, + @{bin}/xdg-settings rPx, # Installing/removing extensions & applications - /{usr/,}bin/{,e}grep rix, - /{usr/,}bin/basename rix, - /{usr/,}bin/cat rix, - /{usr/,}bin/cut rix, - /{usr/,}bin/mkdir rix, - /{usr/,}bin/mktemp rix, - /{usr/,}bin/rm rix, - /{usr/,}bin/sed rix, - /{usr/,}bin/touch rix, + @{bin}/{,e}grep rix, + @{bin}/basename rix, + @{bin}/cat rix, + @{bin}/cut rix, + @{bin}/mkdir rix, + @{bin}/mktemp rix, + @{bin}/rm rix, + @{bin}/sed rix, + @{bin}/touch rix, # For storing passwords externally - /{usr/,}bin/keepassxc-proxy rix, # as a temporary solution - see issue #128 - /{usr/,}bin/browserpass rPx, + @{bin}/keepassxc-proxy rix, # as a temporary solution - see issue #128 + @{bin}/browserpass rPx, # Gnome shell integration - /{usr/,}bin/chrome-gnome-shell rPx, - /{usr/,}bin/gnome-browser-connector-host rPx, + @{bin}/chrome-gnome-shell rPx, + @{bin}/gnome-browser-connector-host rPx, /usr/share/@{chromium_name}/{,**} r, /usr/share/chromium/extensions/{,**} r, diff --git a/apparmor.d/abstractions/gstreamer b/apparmor.d/abstractions/gstreamer index dbfca0ee..0298d054 100644 
--- a/apparmor.d/abstractions/gstreamer +++ b/apparmor.d/abstractions/gstreamer @@ -42,12 +42,12 @@ #owner /tmp/orcexec.* mrw, #owner @{HOME}/orcexec.* mrw, - /{usr/,}lib/frei0r-[0-9]/*.so mr, - /{usr/,}lib{,exec}/gstreamer-[0-9]*.[0-9]*/gst-plugin-scanner mrix, - /{usr/,}lib{,exec}/@{multiarch}/gstreamer[0-9]*.[0-9]*/gstreamer-[0-9]*.[0-9]*/gst-plugin-scanner mrix, - /{usr/,}lib/@{multiarch}/libproxy/*/modules/*.so mr, - /{usr/,}lib/@{multiarch}/libproxy/*/pxgsettings ixr, - /{usr/,}lib/@{multiarch}/libvisual-[0-9].[0-9]/*/*.so mr, + @{lib}/frei0r-[0-9]/*.so mr, + @{lib}/gstreamer-[0-9]*.[0-9]*/gst-plugin-scanner mrix, + @{lib}/@{multiarch}/gstreamer[0-9]*.[0-9]*/gstreamer-[0-9]*.[0-9]*/gst-plugin-scanner mrix, + @{lib}/@{multiarch}/libproxy/*/modules/*.so mr, + @{lib}/@{multiarch}/libproxy/*/pxgsettings ixr, + @{lib}/@{multiarch}/libvisual-[0-9].[0-9]/*/*.so mr, owner @{HOME}/{.cache/,.}gstreamer-[0-9]*/ rw, owner @{HOME}/{.cache/,.}gstreamer-[0-9]*/registry.*.bin{,.tmp*} rw, diff --git a/apparmor.d/abstractions/kde4 b/apparmor.d/abstractions/kde4 index 548e7034..17c9466f 100644 --- a/apparmor.d/abstractions/kde4 +++ b/apparmor.d/abstractions/kde4 @@ -6,9 +6,9 @@ /usr/share/kde4/** r, - /{usr/,}lib/kde4/*.so mr, - /{usr/,}lib/kde4/plugins/*/ r, - /{usr/,}lib/kde4/plugins/*/*.so mr, + @{lib}/kde4/*.so mr, + @{lib}/kde4/plugins/*/ r, + @{lib}/kde4/plugins/*/*.so mr, # Create home KDE directory structure owner @{HOME}/.kde{,4}/ rw, diff --git a/apparmor.d/abstractions/kde5-plasma5 b/apparmor.d/abstractions/kde5-plasma5 index db4af302..e45c72e4 100644 --- a/apparmor.d/abstractions/kde5-plasma5 +++ b/apparmor.d/abstractions/kde5-plasma5 
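Review bot: `@{lib}/gstreamer-[0-9]*.[0-9]*/gst-plugin-scanner mrix,` and the multiarch line below it replace `lib{,exec}` patterns, so the scanner under `/usr/libexec` is only still matched if the `@{lib}` tunable expands to libexec as well; that definition is not in this patch, so it should be confirmed before merging. The same assumption is made by the systemd hunk, where the `@{libexec}/…` rules become `@{lib}/…`, and by the android-studio hunk, where `/{usr/,}lib{x32,32,64}/ r,` is folded into `@{lib}/ r,`. If the tunable is narrower than the literals it replaces, the result is a quiet denial in the audit log rather than a load error, so checking for gst-plugin-scanner denials after deploying is a cheap way to validate the rewrite.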
@@ -7,8 +7,8 @@ include # KDE/Plasma5 themes - #/{usr/,}lib/@{multiarch}/qt5/plugins/platformthemes/KDEPlasmaPlatformTheme.so mr, - #/{usr/,}lib/@{multiarch}/qt5/plugins/styles/breeze.so mr, + #@{lib}/@{multiarch}/qt5/plugins/platformthemes/KDEPlasmaPlatformTheme.so mr, + #@{lib}/@{multiarch}/qt5/plugins/styles/breeze.so mr, #/usr/share/plasma/look-and-feel/** r, #/usr/share/color-schemes/*.colors r, @@ -34,7 +34,7 @@ #owner /**/.directory r, # For bookmarks - #/{usr/,}bin/keditbookmarks rPUx, + #@{bin}/keditbookmarks rPUx, #owner @{user_share_dirs}/kfile/ rw, #owner @{user_share_dirs}/kfile/#[0-9]*[0-9] rw, #owner @{user_share_dirs}/kfile/bookmarks.xml* rwl -> @{user_share_dirs}/kfile/#[0-9]*[0-9], diff --git a/apparmor.d/abstractions/python.d/complete b/apparmor.d/abstractions/python.d/complete index 0a333525..f04510ed 100644 --- a/apparmor.d/abstractions/python.d/complete +++ b/apparmor.d/abstractions/python.d/complete @@ -3,8 +3,8 @@ # Copyright (C) 2021-2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only - /{usr/,}bin/ r, - /{usr/,}bin/python{2.[4-7],3,3.[0-9],3.1[0-9]} r, + @{bin}/ r, + @{bin}/python{2.[4-7],3,3.[0-9],3.1[0-9]} r, owner @{user_lib_dirs}/python{2.[4-7],3,3.[0-9],3.1[0-9]}/**.{pyc,so} mr, owner @{user_lib_dirs}/python{2.[4-7],3,3.[0-9],3.1[0-9]}/**.{egg,py,pth} r, diff --git a/apparmor.d/abstractions/zsh b/apparmor.d/abstractions/zsh index c9d582fe..b3508749 100644 --- a/apparmor.d/abstractions/zsh +++ b/apparmor.d/abstractions/zsh @@ -8,7 +8,7 @@ /usr/share/zsh/{,**} r, /usr/local/share/zsh/{,**} r, - /{usr/,}lib/@{multiarch}/zsh/[0-9]*/zsh/*.so mr, + @{lib}/@{multiarch}/zsh/[0-9]*/zsh/*.so mr, /etc/zsh/zshenv r, /etc/zsh/zshrc r, diff --git a/apparmor.d/groups/_full/systemd b/apparmor.d/groups/_full/systemd index 18e5d68b..eeb1181f 100644 --- a/apparmor.d/groups/_full/systemd +++ b/apparmor.d/groups/_full/systemd 
@@ -15,8 +15,8 @@ abi , include -@{exec_path} = /{usr/,}lib/systemd/systemd -profile systemd /{usr/,}lib/systemd/systemd flags=(complain) { +@{exec_path} = @{lib}/systemd/systemd +profile systemd @{lib}/systemd/systemd flags=(complain) { include include include 
@@ -30,56 +30,56 @@ profile systemd /{usr/,}lib/systemd/systemd flags=(complain) { @{exec_path} mr, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/systemctl rCx -> systemctl, + @{bin}/{,ba,da}sh rix, + @{bin}/systemctl rCx -> systemctl, - /{usr/,}lib/systemd/user-environment-generators/* rPx, - /{usr/,}lib/systemd/user-environment-generators/* rPx, - /{usr/,}lib/systemd/user-generators/* rPx, + @{lib}/systemd/user-environment-generators/* rPx, + @{lib}/systemd/user-environment-generators/* rPx, + @{lib}/systemd/user-generators/* rPx, # Server - /{usr/,}lib/openssh/agent-launch rPx, + @{lib}/openssh/agent-launch rPx, # Dbus - @{libexec}/{,at-spi2{,-core}/}at-spi-bus-launcher rPx, - /{usr/,}bin/dbus-daemon rPx, + @{bin}/dbus-daemon rPx, + @{lib}/{,at-spi2{,-core}/}at-spi-bus-launcher rPx, # Desktop - @{libexec}/xdg-desktop-portal* rPx, - @{libexec}/xdg-document-portal rPx, - @{libexec}/xdg-permission-store rPx, - /{usr/,}bin/xdg-user-dirs-update rPx, + @{bin}/xdg-user-dirs-update rPx, + @{lib}/xdg-desktop-portal* rPx, + @{lib}/xdg-document-portal rPx, + @{lib}/xdg-permission-store rPx, # Audio - /{usr/,}bin/pipewire rux, # FIXME: no new privs - /{usr/,}bin/pipewire-pulse rux, # FIXME: no new privs - /{usr/,}bin/pulseaudio rux, # FIXME: no new privs - /{usr/,}bin/wireplumber rux, # FIXME: no new privs + @{bin}/pipewire rux, # FIXME: no new privs + @{bin}/pipewire-pulse rux, # FIXME: no new privs + @{bin}/pulseaudio rux, # FIXME: no new privs + @{bin}/wireplumber rux, # FIXME: no new privs # Gnome - @{libexec}/{,dconf/}dconf-service rPx, - @{libexec}/evolution-addressbook-factory rPx, - @{libexec}/evolution-calendar-factory rPx, - @{libexec}/evolution-source-registry rPx, - @{libexec}/gnome-session-binary rPx, - @{libexec}/gnome-session-ctl rPx, - @{libexec}/gnome-terminal-server rPx, - @{libexec}/goa-* rPx, - @{libexec}/gsd-* rPx, - @{libexec}/gvfs-* rPx, - @{libexec}/gvfsd* rPx, - @{libexec}/tracker-extract-* rPx, - @{libexec}/tracker-miner-* rPx, - /{usr/,}bin/gjs rPx, 
- /{usr/,}bin/gnome-keyring-daemon rPx, - /{usr/,}bin/gnome-shell rPx, - /{usr/,}bin/gsettings rPx, - /{usr/,}lib/dconf/dconf-service rPx, - /{usr/,}lib/gvfs/gvfs-* rPx, - /{usr/,}lib/gvfs/gvfsd* rPx, + @{bin}/gjs rPx, + @{bin}/gnome-keyring-daemon rPx, + @{bin}/gnome-shell rPx, + @{bin}/gsettings rPx, + @{lib}/{,dconf/}dconf-service rPx, + @{lib}/dconf/dconf-service rPx, + @{lib}/evolution-addressbook-factory rPx, + @{lib}/evolution-calendar-factory rPx, + @{lib}/evolution-source-registry rPx, + @{lib}/gnome-session-binary rPx, + @{lib}/gnome-session-ctl rPx, + @{lib}/gnome-terminal-server rPx, + @{lib}/goa-* rPx, + @{lib}/gsd-* rPx, + @{lib}/gvfs-* rPx, + @{lib}/gvfs/gvfs-* rPx, + @{lib}/gvfs/gvfsd* rPx, + @{lib}/gvfsd* rPx, + @{lib}/tracker-extract-* rPx, + @{lib}/tracker-miner-* rPx, # Ubuntu - /{usr/,}bin/snap rPx, + @{bin}/snap rPx, /etc/systemd/user.conf r, /etc/systemd/user.conf.d/{,**} r, @@ -123,7 +123,7 @@ profile systemd /{usr/,}lib/systemd/systemd flags=(complain) { profile systemctl { include - /{usr/,}bin/systemctl mr, + @{bin}/systemctl mr, @{PROC}/cmdline r, @{PROC}/sys/kernel/osrelease r, diff --git a/apparmor.d/groups/akonadi/akonadi_akonotes_resource b/apparmor.d/groups/akonadi/akonadi_akonotes_resource index ab45b9ae..f25c3e1b 100644 --- a/apparmor.d/groups/akonadi/akonadi_akonotes_resource +++ b/apparmor.d/groups/akonadi/akonadi_akonotes_resource @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/akonadi_akonotes_resource +@{exec_path} = @{bin}/akonadi_akonotes_resource profile akonadi_akonotes_resource @{exec_path} { include include diff --git a/apparmor.d/groups/akonadi/akonadi_archivemail_agent b/apparmor.d/groups/akonadi/akonadi_archivemail_agent index 90ecb0ba..588ee2e1 100644 --- a/apparmor.d/groups/akonadi/akonadi_archivemail_agent +++ b/apparmor.d/groups/akonadi/akonadi_archivemail_agent 
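Review bot: The new side keeps `@{lib}/systemd/user-environment-generators/* rPx,` twice and places `@{lib}/dconf/dconf-service rPx,` directly after `@{lib}/{,dconf/}dconf-service rPx,`, which already matches that path; the duplicate and the subsumed rule can be dropped while the list is being re-sorted. The gvfs rules likewise now appear as both `@{lib}/gvfs-*` / `@{lib}/gvfsd*` and `@{lib}/gvfs/gvfs-*` / `@{lib}/gvfs/gvfsd*`, carried over from the former `@{libexec}` and `/{usr/,}lib/gvfs/` pairs; a one-line comment naming which layout each pair serves would make it clear the redundancy is intentional. The profile body continues outside the hunk.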
@@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/akonadi_archivemail_agent +@{exec_path} = @{bin}/akonadi_archivemail_agent profile akonadi_archivemail_agent @{exec_path} { include include diff --git a/apparmor.d/groups/akonadi/akonadi_birthdays_resource b/apparmor.d/groups/akonadi/akonadi_birthdays_resource index cc8e6918..2aa2007f 100644 --- a/apparmor.d/groups/akonadi/akonadi_birthdays_resource +++ b/apparmor.d/groups/akonadi/akonadi_birthdays_resource @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/akonadi_birthdays_resource +@{exec_path} = @{bin}/akonadi_birthdays_resource profile akonadi_birthdays_resource @{exec_path} { include include diff --git a/apparmor.d/groups/akonadi/akonadi_contacts_resource b/apparmor.d/groups/akonadi/akonadi_contacts_resource index 6333715e..b73f6f85 100644 --- a/apparmor.d/groups/akonadi/akonadi_contacts_resource +++ b/apparmor.d/groups/akonadi/akonadi_contacts_resource @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/akonadi_contacts_resource +@{exec_path} = @{bin}/akonadi_contacts_resource profile akonadi_contacts_resource @{exec_path} { include include diff --git a/apparmor.d/groups/akonadi/akonadi_control b/apparmor.d/groups/akonadi/akonadi_control index 90e121eb..8f7b6207 100644 --- a/apparmor.d/groups/akonadi/akonadi_control +++ b/apparmor.d/groups/akonadi/akonadi_control @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/akonadi_control +@{exec_path} = @{bin}/akonadi_control profile akonadi_control @{exec_path} { include include @@ -21,8 +21,8 @@ profile akonadi_control @{exec_path} { @{exec_path} mr, - /{usr/,}bin/akonadi_* rPUx, - /{usr/,}bin/akonadiserver rPx, + @{bin}/akonadi_* rPUx, + @{bin}/akonadiserver rPx, /usr/share/akonadi/{,**} r, /usr/share/hwdata/*.ids r, diff --git a/apparmor.d/groups/akonadi/akonadi_followupreminder_agent b/apparmor.d/groups/akonadi/akonadi_followupreminder_agent index 749f1586..8f949e17 100644 --- a/apparmor.d/groups/akonadi/akonadi_followupreminder_agent 
+++ b/apparmor.d/groups/akonadi/akonadi_followupreminder_agent @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/akonadi_followupreminder_agent +@{exec_path} = @{bin}/akonadi_followupreminder_agent profile akonadi_followupreminder_agent @{exec_path} { include include diff --git a/apparmor.d/groups/akonadi/akonadi_ical_resource b/apparmor.d/groups/akonadi/akonadi_ical_resource index 6092c23e..b29c2edf 100644 --- a/apparmor.d/groups/akonadi/akonadi_ical_resource +++ b/apparmor.d/groups/akonadi/akonadi_ical_resource @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/akonadi_ical_resource +@{exec_path} = @{bin}/akonadi_ical_resource profile akonadi_ical_resource @{exec_path} { include include diff --git a/apparmor.d/groups/akonadi/akonadi_indexing_agent b/apparmor.d/groups/akonadi/akonadi_indexing_agent index 290d29cf..968e255e 100644 --- a/apparmor.d/groups/akonadi/akonadi_indexing_agent +++ b/apparmor.d/groups/akonadi/akonadi_indexing_agent @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/akonadi_indexing_agent +@{exec_path} = @{bin}/akonadi_indexing_agent profile akonadi_indexing_agent @{exec_path} { include include diff --git a/apparmor.d/groups/akonadi/akonadi_maildir_resource b/apparmor.d/groups/akonadi/akonadi_maildir_resource index 4fe49c0c..4d3584e4 100644 --- a/apparmor.d/groups/akonadi/akonadi_maildir_resource +++ b/apparmor.d/groups/akonadi/akonadi_maildir_resource @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/akonadi_maildir_resource +@{exec_path} = @{bin}/akonadi_maildir_resource profile akonadi_maildir_resource @{exec_path} { include include diff --git a/apparmor.d/groups/akonadi/akonadi_maildispatcher_agent b/apparmor.d/groups/akonadi/akonadi_maildispatcher_agent index f3b3e199..4e0965f3 100644 --- a/apparmor.d/groups/akonadi/akonadi_maildispatcher_agent +++ b/apparmor.d/groups/akonadi/akonadi_maildispatcher_agent 
@@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/akonadi_maildispatcher_agent +@{exec_path} = @{bin}/akonadi_maildispatcher_agent profile akonadi_maildispatcher_agent @{exec_path} { include include diff --git a/apparmor.d/groups/akonadi/akonadi_mailfilter_agent b/apparmor.d/groups/akonadi/akonadi_mailfilter_agent index ea168fde..0e374696 100644 --- a/apparmor.d/groups/akonadi/akonadi_mailfilter_agent +++ b/apparmor.d/groups/akonadi/akonadi_mailfilter_agent @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/akonadi_mailfilter_agent +@{exec_path} = @{bin}/akonadi_mailfilter_agent profile akonadi_mailfilter_agent @{exec_path} { include include diff --git a/apparmor.d/groups/akonadi/akonadi_mailmerge_agent b/apparmor.d/groups/akonadi/akonadi_mailmerge_agent index 0ef64967..01f2f42c 100644 --- a/apparmor.d/groups/akonadi/akonadi_mailmerge_agent +++ b/apparmor.d/groups/akonadi/akonadi_mailmerge_agent @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/akonadi_mailmerge_agent +@{exec_path} = @{bin}/akonadi_mailmerge_agent profile akonadi_mailmerge_agent @{exec_path} { include include diff --git a/apparmor.d/groups/akonadi/akonadi_migration_agent b/apparmor.d/groups/akonadi/akonadi_migration_agent index ce936f96..cf454f5d 100644 --- a/apparmor.d/groups/akonadi/akonadi_migration_agent +++ b/apparmor.d/groups/akonadi/akonadi_migration_agent @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/akonadi_migration_agent +@{exec_path} = @{bin}/akonadi_migration_agent profile akonadi_migration_agent @{exec_path} { include include diff --git a/apparmor.d/groups/akonadi/akonadi_newmailnotifier_agent b/apparmor.d/groups/akonadi/akonadi_newmailnotifier_agent index 3fa0a208..bdce6058 100644 --- a/apparmor.d/groups/akonadi/akonadi_newmailnotifier_agent +++ b/apparmor.d/groups/akonadi/akonadi_newmailnotifier_agent 
@@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/akonadi_newmailnotifier_agent +@{exec_path} = @{bin}/akonadi_newmailnotifier_agent profile akonadi_newmailnotifier_agent @{exec_path} { include include diff --git a/apparmor.d/groups/akonadi/akonadi_notes_agent b/apparmor.d/groups/akonadi/akonadi_notes_agent index 93766beb..35db0818 100644 --- a/apparmor.d/groups/akonadi/akonadi_notes_agent +++ b/apparmor.d/groups/akonadi/akonadi_notes_agent @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/akonadi_notes_agent +@{exec_path} = @{bin}/akonadi_notes_agent profile akonadi_notes_agent @{exec_path} { include include diff --git a/apparmor.d/groups/akonadi/akonadi_sendlater_agent b/apparmor.d/groups/akonadi/akonadi_sendlater_agent index 5bef31fc..d16cbffa 100644 --- a/apparmor.d/groups/akonadi/akonadi_sendlater_agent +++ b/apparmor.d/groups/akonadi/akonadi_sendlater_agent @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/akonadi_sendlater_agent +@{exec_path} = @{bin}/akonadi_sendlater_agent profile akonadi_sendlater_agent @{exec_path} { include include diff --git a/apparmor.d/groups/akonadi/akonadi_unifiedmailbox_agent b/apparmor.d/groups/akonadi/akonadi_unifiedmailbox_agent index b8ef74a5..298cec03 100644 --- a/apparmor.d/groups/akonadi/akonadi_unifiedmailbox_agent +++ b/apparmor.d/groups/akonadi/akonadi_unifiedmailbox_agent @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/akonadi_unifiedmailbox_agent +@{exec_path} = @{bin}/akonadi_unifiedmailbox_agent profile akonadi_unifiedmailbox_agent @{exec_path} { include include diff --git a/apparmor.d/groups/apps/android-studio b/apparmor.d/groups/apps/android-studio index 14a7700d..593884ea 100644 --- a/apparmor.d/groups/apps/android-studio +++ b/apparmor.d/groups/apps/android-studio 
@@ -44,40 +44,38 @@ profile android-studio @{exec_path} { network netlink raw, @{exec_path} r, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/python3.[0-9]* rix, + @{bin}/{,ba,da}sh rix, + @{bin}/{,e}grep rix, + @{bin}/cat rix, + @{bin}/chattr rix, + @{bin}/chmod rix, + @{bin}/cut rix, + @{bin}/dirname rix, + @{bin}/kill rix, + @{bin}/ldconfig rix, + @{bin}/mktemp rix, + @{bin}/nice rix, + @{bin}/python3.[0-9]* rix, + @{bin}/readlink rix, + @{bin}/rm rix, + @{bin}/sed rix, + @{bin}/setsid rix, + @{bin}/uname rix, + @{bin}/which{,.debianutils} rix, + @{bin}/xargs rix, - /{usr/,}bin/which{,.debianutils} rix, - /{usr/,}bin/uname rix, - /{usr/,}bin/{,e}grep rix, - /{usr/,}bin/cut rix, - /{usr/,}bin/readlink rix, - /{usr/,}bin/xargs rix, - /{usr/,}bin/dirname rix, - /{usr/,}bin/mktemp rix, - /{usr/,}bin/rm rix, - /{usr/,}bin/cat rix, - /{usr/,}bin/sed rix, + @{bin}/git rPx, + @{bin}/lsusb rPx, + @{bin}/ps rPx, + @{bin}/xdg-mime rPx, + @{bin}/xprop rPx, - /{usr/,}{s,}bin/ldconfig rix, - /{usr/,}bin/chmod rix, - /{usr/,}bin/chattr rix, - /{usr/,}bin/setsid rix, - /{usr/,}bin/nice rix, - /{usr/,}bin/kill rix, + @{bin}/gpg{,2} rCx -> gpg, + @{bin}/lsb_release rCx -> lsb-release, + @{bin}/xdg-open rCx -> open, - /{usr/,}bin/lsusb rPx, - /{usr/,}bin/xprop rPx, - /{usr/,}bin/xdg-mime rPx, - /{usr/,}bin/ps rPx, - /{usr/,}bin/git rPx, - - /{usr/,}bin/lsb_release rCx -> lsb-release, - /{usr/,}bin/gpg{,2} rCx -> gpg, - /{usr/,}bin/xdg-open rCx -> open, - - /{usr/,}lib/jvm/java-[0-9]*-openjdk-*/jre/bin/* rix, + @{lib}/jvm/java-[0-9]*-openjdk-*/jre/bin/* rix, /etc/java-[0-9]*-openjdk/** r, /usr/share/java/java-atk-wrapper.jar r, @@ -89,8 +87,7 @@ profile android-studio @{exec_path} { @{MOUNTS}/ r, @{MOUNTS}/*/ r, /usr/ r, - /{usr/,}lib/ r, - /{usr/,}lib{x32,32,64}/ r, + @{lib}/ r, @{AS_LIBDIR}/ rw, @{AS_LIBDIR}/** mrwkix, 
@@ -99,12 +96,12 @@ profile android-studio @{exec_path} { # Currently there is only the target platform of API Level 23 packaged, so only apps targeted at # android-23 can be built with only Debian packages. Only Build-Tools 24.0.0 is available, so in # order to use the SDK, build scripts need to be modified. - /{usr/,}lib/android-sdk/ r, - /{usr/,}lib/android-sdk/** mrkix, + @{lib}/android-sdk/ r, + @{lib}/android-sdk/** mrkix, /usr/share/android-sdk-platform-*/{,**} r, - deny /{usr/,}lib/android-sdk/build-tools/*/package.xml w, - deny /{usr/,}lib/android-sdk/platforms/android-*/package.xml w, - deny /{usr/,}lib/android-sdk/.knownPackages w, + deny @{lib}/android-sdk/build-tools/*/package.xml w, + deny @{lib}/android-sdk/platforms/android-*/package.xml w, + deny @{lib}/android-sdk/.knownPackages w, # This one is used if the standard android SDK location is missing @{AS_SDKDIR}/ rw, @@ -220,7 +217,7 @@ profile android-studio @{exec_path} { profile gpg { include - /{usr/,}bin/gpg{,2} mr, + @{bin}/gpg{,2} mr, owner @{HOME}/@{XDG_GPG_DIR}/ rw, owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**, @@ -234,11 +231,11 @@ profile android-studio @{exec_path} { signal (receive) set=(term, kill) peer=android-studio, - /{usr/,}bin/lsb_release r, - /{usr/,}bin/python3.[0-9]* r, + @{bin}/lsb_release r, + @{bin}/python3.[0-9]* r, - /{usr/,}bin/ r, - /{usr/,}bin/apt-cache rPx, + @{bin}/ r, + @{bin}/apt-cache rPx, owner @{PROC}/@{pid}/fd/ r, 
@@ -259,27 +256,27 @@ profile android-studio @{exec_path} { include include - /{usr/,}bin/xdg-open mr, + @{bin}/xdg-open mr, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/{m,g,}awk rix, - /{usr/,}bin/readlink rix, - /{usr/,}bin/basename rix, + @{bin}/{,ba,da}sh rix, + @{bin}/{m,g,}awk rix, + @{bin}/readlink rix, + @{bin}/basename rix, owner @{HOME}/ r, owner @{run}/user/@{uid}/ r, # Allowed apps to open - /{usr/,}bin/spacefm rPx, - /{usr/,}bin/smplayer rPx, - /{usr/,}bin/vlc rPx, - /{usr/,}bin/mpv rPx, - /{usr/,}bin/geany rPx, - /{usr/,}bin/viewnior rPUx, - /{usr/,}bin/qpdfview rPx, - /{usr/,}bin/ebook-viewer rPx, - /{usr/,}lib/firefox/firefox rPx, + @{bin}/spacefm rPx, + @{bin}/smplayer rPx, + @{bin}/vlc rPx, + @{bin}/mpv rPx, + @{bin}/geany rPx, + @{bin}/viewnior rPUx, + @{bin}/qpdfview rPx, + @{bin}/ebook-viewer rPx, + @{lib}/firefox/firefox rPx, # file_inherit owner @{HOME}/.xsession-errors w, diff --git a/apparmor.d/groups/apps/atom b/apparmor.d/groups/apps/atom index 5a0cfabf..52929603 100644 --- a/apparmor.d/groups/apps/atom +++ b/apparmor.d/groups/apps/atom @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /usr/share/atom{,-beta,-nightly,-dev}/atom /{usr/,}bin/atom +@{exec_path} = /usr/share/atom{,-beta,-nightly,-dev}/atom @{bin}/atom profile atom @{exec_path} { include include 
@@ -40,40 +40,40 @@ profile atom @{exec_path} { /usr/share/atom/resources/**/libexec/** rix, deny /{usr/,}local/bin/ r, - deny /{usr/,}bin/ r, - #/{usr/,}bin/{,ba,da}sh rix, - #/{usr/,}bin/zsh rix, - #/{usr/,}bin/env rix, - #/{usr/,}bin/rmdir rix, - #/{usr/,}bin/{,e}grep rix, - #/{usr/,}bin/ls rix, - #/{usr/,}bin/{m,g,}awk rix, - #/{usr/,}bin/tty rix, - #/{usr/,}bin/dircolors rix, - #/{usr/,}bin/cut rix, - #/{usr/,}bin/xwininfo rix, - #/{usr/,}bin/date rix, + deny @{bin}/ r, + #@{bin}/{,ba,da}sh rix, + #@{bin}/zsh rix, + #@{bin}/env rix, + #@{bin}/rmdir rix, + #@{bin}/{,e}grep rix, + #@{bin}/ls rix, + #@{bin}/{m,g,}awk rix, + #@{bin}/tty rix, + #@{bin}/dircolors rix, + #@{bin}/cut rix, + #@{bin}/xwininfo rix, + #@{bin}/date rix, # The expr and uname tools are needed or Atom won't start with the following error: # Your platform () is not supported. - /{usr/,}bin/expr rix, - /{usr/,}bin/uname rix, + @{bin}/expr rix, + @{bin}/uname rix, # The following also are needed to start Atom - /{usr/,}bin/basename rix, - /{usr/,}bin/readlink rix, - /{usr/,}bin/dirname rix, - /{usr/,}bin/mkdir rix, - /{usr/,}bin/nohup rix, - /{usr/,}bin/cat rix, + @{bin}/basename rix, + @{bin}/readlink rix, + @{bin}/dirname rix, + @{bin}/mkdir rix, + @{bin}/nohup rix, + @{bin}/cat rix, - /{usr/,}bin/lsb_release rPx -> lsb_release, - /{usr/,}bin/xdg-open rCx -> open, + @{bin}/lsb_release rPx -> lsb_release, + @{bin}/xdg-open rCx -> open, - /{usr/,}bin/xdg-settings rPx, + @{bin}/xdg-settings rPx, - /{usr/,}bin/git rPx, + @{bin}/git rPx, # Needed to sign commits - /{usr/,}bin/gpg{,2} rCx -> gpg, + @{bin}/gpg{,2} rCx -> gpg, # /home/ r, # Reading of the user home dir is required or the following error will be printed: @@ -139,7 +139,7 @@ profile atom @{exec_path} { owner /tmp/net-export/ rw, # Allowed apps to open - /{usr/,}lib/firefox/firefox rPUx, + @{lib}/firefox/firefox rPUx, profile gpg { 
@@ -148,7 +148,7 @@ profile atom @{exec_path} { include include - /{usr/,}bin/gpg{,2} mr, + @{bin}/gpg{,2} mr, owner @{HOME}/@{XDG_GPG_DIR}/ rw, owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**, @@ -163,19 +163,19 @@ profile atom @{exec_path} { include include - /{usr/,}bin/xdg-open mr, + @{bin}/xdg-open mr, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/{m,g,}awk rix, - /{usr/,}bin/readlink rix, - /{usr/,}bin/basename rix, + @{bin}/{,ba,da}sh rix, + @{bin}/{m,g,}awk rix, + @{bin}/readlink rix, + @{bin}/basename rix, owner @{HOME}/ r, owner @{run}/user/@{uid}/ r, # Allowed apps to open - /{usr/,}lib/firefox/firefox rPUx, + @{lib}/firefox/firefox rPUx, # file_inherit owner @{HOME}/.xsession-errors w, diff --git a/apparmor.d/groups/apps/calibre b/apparmor.d/groups/apps/calibre index adff3f66..6696f90a 100644 --- a/apparmor.d/groups/apps/calibre +++ b/apparmor.d/groups/apps/calibre @@ -7,12 +7,12 @@ abi , include -@{exec_path} = /{usr/,}bin/calibre{,-parallel,-debug,-server,-smtp,-complete,-customize} -@{exec_path} += /{usr/,}bin/calibredb -@{exec_path} += /{usr/,}bin/ebook{-viewer,-edit,-device,-meta,-polish,-convert} -@{exec_path} += /{usr/,}bin/fetch-ebook-metadata -@{exec_path} += /{usr/,}bin/lrs2lrf /{usr/,}bin/lrf2lrs /{usr/,}bin/lrfviewer -@{exec_path} += /{usr/,}bin/web2disk +@{exec_path} = @{bin}/calibre{,-parallel,-debug,-server,-smtp,-complete,-customize} +@{exec_path} += @{bin}/calibredb +@{exec_path} += @{bin}/ebook{-viewer,-edit,-device,-meta,-polish,-convert} +@{exec_path} += @{bin}/fetch-ebook-metadata +@{exec_path} += @{bin}/lrs2lrf @{bin}/lrf2lrs @{bin}/lrfviewer +@{exec_path} += @{bin}/web2disk profile calibre @{exec_path} { include include 
@@ -83,20 +83,20 @@ profile calibre @{exec_path} { peer=(name=:*), @{exec_path} mrix, - /{usr/,}bin/python3.[0-9]* r, + @{bin}/python3.[0-9]* r, - /{usr/,}{s,}bin/ldconfig{,.real} rix, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/file rix, - /{usr/,}bin/uname rix, - /{usr/,}lib/@{multiarch}/qt5/libexec/QtWebEngineProcess rix, + @{bin}/ldconfig{,.real} rix, + @{bin}/{,ba,da}sh rix, + @{bin}/file rix, + @{bin}/uname rix, + @{lib}/@{multiarch}/qt5/libexec/QtWebEngineProcess rix, - /{usr/,}bin/pdftoppm rPUx, # (#FIXME#) - /{usr/,}bin/pdfinfo rPUx, - /{usr/,}bin/pdftohtml rPUx, + @{bin}/pdftoppm rPUx, # (#FIXME#) + @{bin}/pdfinfo rPUx, + @{bin}/pdftohtml rPUx, - /{usr/,}bin/xdg-open rPx -> child-open, - /{usr/,}bin/xdg-mime rPx, + @{bin}/xdg-open rPx -> child-open, + @{bin}/xdg-mime rPx, /usr/share/calibre/{,**} r, /usr/share/hwdata/pnp.ids r, diff --git a/apparmor.d/groups/apps/code b/apparmor.d/groups/apps/code index b0283e92..52177aa3 100644 --- a/apparmor.d/groups/apps/code +++ b/apparmor.d/groups/apps/code @@ -7,7 +7,7 @@ abi , include -@{exec_path} = /{usr/,}bin/code /usr/share/code/{bin/,}code +@{exec_path} = @{bin}/code /usr/share/code/{bin/,}code profile code @{exec_path} { include include @@ -24,16 +24,16 @@ profile code @{exec_path} { @{exec_path} mrix, - /{usr/,}lib/code/extensions/git/dist/askpass.sh rPx, - /{usr/,}lib/code/extensions/git/dist/git-editor.sh rPx, + @{lib}/code/extensions/git/dist/askpass.sh rPx, + @{lib}/code/extensions/git/dist/git-editor.sh rPx, # The shell is not confined on purpose. - /{usr/,}bin/{,b,d,rb}ash rUx, - /{usr/,}bin/{c,k,tc,z}sh rUx, + @{bin}/{,b,d,rb}ash rUx, + @{bin}/{c,k,tc,z}sh rUx, - /{usr/,}bin/git rPx, - /{usr/,}bin/gpg{,2} rPUx, - /{usr/,}bin/lsb_release rPx -> lsb_release, + @{bin}/git rPx, + @{bin}/gpg{,2} rPUx, + @{bin}/lsb_release rPx -> lsb_release, # /usr/share/code/** r, # /usr/share/code/libffmpeg.so mr, diff --git a/apparmor.d/groups/apps/discord b/apparmor.d/groups/apps/discord index 23a04ed8..af2251b4 100644 
--- a/apparmor.d/groups/apps/discord +++ b/apparmor.d/groups/apps/discord @@ -12,7 +12,7 @@ include @{DISCORD_HOMEDIR} += @{HOME}/.config/discordptb @{DISCORD_CACHEDIR} = @{HOME}/.cache/discord -@{exec_path} = @{DISCORD_LIBDIR}/Discord{,PTB} /{usr/,}bin/discord{,-ptb} +@{exec_path} = @{DISCORD_LIBDIR}/Discord{,PTB} @{bin}/discord{,-ptb} profile discord @{exec_path} { include include @@ -42,13 +42,13 @@ profile discord @{exec_path} { @{exec_path} mrix, - /{usr/,}bin/{,ba,da}sh rix, + @{bin}/{,ba,da}sh rix, - /{usr/,}bin/xdg-open rCx -> open, - #/{usr/,}bin/lsb_release rCx -> lsb_release, - #/{usr/,}bin/xdg-mime rCx -> xdg-mime, - deny /{usr/,}bin/lsb_release mrx, - deny /{usr/,}bin/xdg-mime mrx, + @{bin}/xdg-open rCx -> open, + #@{bin}/lsb_release rCx -> lsb_release, + #@{bin}/xdg-mime rCx -> xdg-mime, + deny @{bin}/lsb_release mrx, + deny @{bin}/xdg-mime mrx, @{DISCORD_LIBDIR}/ r, @{DISCORD_LIBDIR}/** r, @@ -107,7 +107,7 @@ profile discord @{exec_path} { /etc/machine-id r, # Allowed apps to open - /{usr/,}lib/firefox/firefox rPx, + @{lib}/firefox/firefox rPx, # file_inherit owner /dev/tty[0-9]* rw, @@ -117,14 +117,14 @@ profile discord @{exec_path} { include include - /{usr/,}bin/xdg-mime mr, + @{bin}/xdg-mime mr, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/{m,g,}awk rix, - /{usr/,}bin/cut rix, - /{usr/,}bin/{,e}grep rix, - /{usr/,}bin/head rix, - /{usr/,}bin/sed rix, + @{bin}/{,ba,da}sh rix, + @{bin}/{m,g,}awk rix, + @{bin}/cut rix, + @{bin}/{,e}grep rix, + @{bin}/head rix, + @{bin}/sed rix, # file_inherit /usr/share/discord/** r, @@ -142,11 +142,11 @@ profile discord @{exec_path} { signal (receive) set=(kill, term) peer=discord, - /{usr/,}bin/lsb_release r, - /{usr/,}bin/python3.[0-9]* r, + @{bin}/lsb_release r, + @{bin}/python3.[0-9]* r, - /{usr/,}bin/ r, - /{usr/,}bin/apt-cache rPx, + @{bin}/ r, + @{bin}/apt-cache rPx, owner @{PROC}/@{pid}/fd/ r, 
@@ -167,19 +167,19 @@ profile discord @{exec_path} { include include - /{usr/,}bin/xdg-open mr, + @{bin}/xdg-open mr, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/{m,g,}awk rix, - /{usr/,}bin/readlink rix, - /{usr/,}bin/basename rix, + @{bin}/{,ba,da}sh rix, + @{bin}/{m,g,}awk rix, + @{bin}/readlink rix, + @{bin}/basename rix, owner @{HOME}/ r, owner @{run}/user/@{uid}/ r, # Allowed apps to open - /{usr/,}lib/firefox/firefox rPx, + @{lib}/firefox/firefox rPx, # file_inherit owner @{HOME}/.xsession-errors w, diff --git a/apparmor.d/groups/apps/dropbox b/apparmor.d/groups/apps/dropbox index 893470b4..47bb83ec 100644 --- a/apparmor.d/groups/apps/dropbox +++ b/apparmor.d/groups/apps/dropbox @@ -10,7 +10,7 @@ include @{DROPBOX_HOME_DIR}=@{HOME}/.dropbox/ @{DROPBOX_SHARE_DIR}=@{HOME}/Dropbox*/ -@{exec_path} = /{usr/,}bin/dropbox +@{exec_path} = @{bin}/dropbox profile dropbox @{exec_path} { include include @@ -28,8 +28,8 @@ profile dropbox @{exec_path} { @{exec_path} r, - /{usr/,}bin/ r, - /{usr/,}bin/python3.[0-9]* r, + @{bin}/ r, + @{bin}/python3.[0-9]* r, # Dropbox home files owner @{HOME}/ r, @@ -50,14 +50,14 @@ profile dropbox @{exec_path} { owner @{DROPBOX_DEMON_DIR}/dropbox-lnx.*/*.so* mrw, owner @{DROPBOX_DEMON_DIR}/dropbox-lnx.*/plugins/platforms/*.so mrw, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/readlink rix, - /{usr/,}bin/dirname rix, - /{usr/,}bin/uname rix, - /{usr/,}{s,}bin/ldconfig rix, - /{usr/,}lib/llvm-[0-9]*/bin/clang rix, - /{usr/,}bin/{,@{multiarch}-}gcc-[0-9]* rix, - /{usr/,}bin/{,@{multiarch}-}objdump rix, + @{bin}/{,ba,da}sh rix, + @{bin}/readlink rix, + @{bin}/dirname rix, + @{bin}/uname rix, + @{bin}/ldconfig rix, + @{lib}/llvm-[0-9]*/bin/clang rix, + @{bin}/{,@{multiarch}-}gcc-[0-9]* rix, + @{bin}/{,@{multiarch}-}objdump rix, # Needed for updating Dropbox owner /tmp/.dropbox-dist-new-*/{,**} rw, 
@@ -72,7 +72,7 @@ profile dropbox @{exec_path} { deny owner @{user_config_dirs}/autostart/dropbox.desktop rw, # What's this for? - /{usr/,}bin/mount mrix, + @{bin}/mount mrix, @{sys}/devices/virtual/block/dm-[0-9]*/dm/name r, @{sys}/devices/virtual/block/loop[0-9]/ r, @{sys}/devices/virtual/block/loop[0-9]/loop/{autoclear,backing_file} r, @@ -115,30 +115,30 @@ profile dropbox @{exec_path} { deny @{sys}/module/apparmor/parameters/enabled r, # External apps - /{usr/,}bin/xdg-open rCx -> open, - /{usr/,}bin/lsb_release rPx -> lsb_release, + @{bin}/xdg-open rCx -> open, + @{bin}/lsb_release rPx -> lsb_release, # Allowed apps to open - /{usr/,}lib/firefox/firefox rPUx, + @{lib}/firefox/firefox rPUx, profile open { include include - /{usr/,}bin/xdg-open mr, + @{bin}/xdg-open mr, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/{m,g,}awk rix, - /{usr/,}bin/readlink rix, - /{usr/,}bin/basename rix, + @{bin}/{,ba,da}sh rix, + @{bin}/{m,g,}awk rix, + @{bin}/readlink rix, + @{bin}/basename rix, owner @{HOME}/ r, owner @{run}/user/@{uid}/ r, # Allowed apps to open - /{usr/,}lib/firefox/firefox rPUx, + @{lib}/firefox/firefox rPUx, # file_inherit owner @{HOME}/.xsession-errors w, diff --git a/apparmor.d/groups/apps/filezilla b/apparmor.d/groups/apps/filezilla index ac97ac6e..630a1cef 100644 --- a/apparmor.d/groups/apps/filezilla +++ b/apparmor.d/groups/apps/filezilla @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/filezilla +@{exec_path} = @{bin}/filezilla profile filezilla @{exec_path} { include include @@ -20,13 +20,13 @@ profile filezilla @{exec_path} { @{exec_path} mr, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/uname rix, + @{bin}/{,ba,da}sh rix, + @{bin}/uname rix, # When using SFTP protocol - /{usr/,}bin/fzsftp rPx, + @{bin}/fzsftp rPx, - /{usr/,}bin/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx -> lsb_release, owner @{HOME}/ r, owner @{user_config_dirs}/filezilla/ rw, 
@@ -53,7 +53,7 @@ profile filezilla @{exec_path} { owner /tmp/fz[0-9]temp-[0-9]*/empty_file_* rw, # External apps - /{usr/,}lib/firefox/firefox rPUx, + @{lib}/firefox/firefox rPUx, # FTP share folder owner @{MOUNTS}/ftp/ r, diff --git a/apparmor.d/groups/apps/flameshot b/apparmor.d/groups/apps/flameshot index d3186924..3c0054bc 100644 --- a/apparmor.d/groups/apps/flameshot +++ b/apparmor.d/groups/apps/flameshot @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/flameshot +@{exec_path} = @{bin}/flameshot profile flameshot @{exec_path} { include include @@ -33,9 +33,9 @@ profile flameshot @{exec_path} { @{exec_path} mr, - /{usr/,}bin/whoami rix, + @{bin}/whoami rix, - /{usr/,}bin/xdg-open rCx -> open, + @{bin}/xdg-open rCx -> open, # Flameshot home files owner @{user_config_dirs}/flameshot/ rw, @@ -73,12 +73,12 @@ profile flameshot @{exec_path} { include include - /{usr/,}bin/xdg-open mr, + @{bin}/xdg-open mr, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/{m,g,}awk rix, - /{usr/,}bin/readlink rix, - /{usr/,}bin/basename rix, + @{bin}/{,ba,da}sh rix, + @{bin}/{m,g,}awk rix, + @{bin}/readlink rix, + @{bin}/basename rix, owner @{HOME}/ r, diff --git a/apparmor.d/groups/apps/freetube b/apparmor.d/groups/apps/freetube index 2290a8a5..be20c66a 100644 --- a/apparmor.d/groups/apps/freetube +++ b/apparmor.d/groups/apps/freetube @@ -6,8 +6,8 @@ abi , include -@{FT_LIBDIR} = /{usr/,}lib/freetube -@{FT_LIBDIR} += /{usr/,}lib/freetube-vue +@{FT_LIBDIR} = @{lib}/freetube +@{FT_LIBDIR} += @{lib}/freetube-vue @{FT_LIBDIR} += /opt/FreeTube @{FT_LIBDIR} += /opt/FreeTube-Vue 
@@ -83,14 +83,14 @@ profile freetube @{exec_path} { owner @{run}/user/@{uid}/ r, # no new privs - /{usr/,}bin/xdg-settings rPx, + @{bin}/xdg-settings rPx, - /{usr/,}bin/xdg-open rCx -> open, + @{bin}/xdg-open rCx -> open, # Allowed apps to open - /{usr/,}lib/firefox/firefox rPx, - /{usr/,}bin/mpv rPx, - /{usr/,}bin/vlc rPx, + @{lib}/firefox/firefox rPx, + @{bin}/mpv rPx, + @{bin}/vlc rPx, # file_inherit owner /dev/tty[0-9]* rw, @@ -100,21 +100,21 @@ profile freetube @{exec_path} { include include - /{usr/,}bin/xdg-open mr, + @{bin}/xdg-open mr, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/{m,g,}awk rix, - /{usr/,}bin/readlink rix, - /{usr/,}bin/basename rix, + @{bin}/{,ba,da}sh rix, + @{bin}/{m,g,}awk rix, + @{bin}/readlink rix, + @{bin}/basename rix, owner @{HOME}/ r, owner @{run}/user/@{uid}/ r, # Allowed apps to open - /{usr/,}lib/firefox/firefox rPx, - /{usr/,}bin/mpv rPx, - /{usr/,}bin/vlc rPx, + @{lib}/firefox/firefox rPx, + @{bin}/mpv rPx, + @{bin}/vlc rPx, # file_inherit owner @{HOME}/.xsession-errors w, diff --git a/apparmor.d/groups/apps/freetube-chrome-sandbox b/apparmor.d/groups/apps/freetube-chrome-sandbox index 1aff2ad8..9e37bdc3 100644 --- a/apparmor.d/groups/apps/freetube-chrome-sandbox +++ b/apparmor.d/groups/apps/freetube-chrome-sandbox @@ -6,8 +6,8 @@ abi , include -@{FT_LIBDIR} = /{usr/,}lib/freetube -@{FT_LIBDIR} += /{usr/,}lib/freetube-vue +@{FT_LIBDIR} = @{lib}/freetube +@{FT_LIBDIR} += @{lib}/freetube-vue @{FT_LIBDIR} += /opt/FreeTube @{FT_LIBDIR} += /opt/FreeTube-Vue diff --git a/apparmor.d/groups/apps/geany b/apparmor.d/groups/apps/geany index 4fec00d4..c9789165 100644 --- a/apparmor.d/groups/apps/geany +++ b/apparmor.d/groups/apps/geany @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/geany +@{exec_path} = @{bin}/geany profile geany @{exec_path} { include include 
@@ -27,10 +27,10 @@ profile geany @{exec_path} { @{exec_path} mr, - /{usr/,}bin/{,ba,da}sh rix, + @{bin}/{,ba,da}sh rix, # For the sorting feature - /{usr/,}bin/sort rix, + @{bin}/sort rix, # When geany is run as root, it wants to exec dbus-launch, and hence it creates the two following # root processes: @@ -38,10 +38,10 @@ profile geany @{exec_path} { # /usr/bin/dbus-daemon --syslog-only --fork --print-pid 5 --print-address 7 --session # # Should this be allowed? Geany works fine without this. - #/{usr/,}bin/dbus-launch rCx -> dbus, - #/{usr/,}bin/dbus-send rCx -> dbus, - deny /{usr/,}bin/dbus-launch rx, - deny /{usr/,}bin/dbus-send rx, + #@{bin}/dbus-launch rCx -> dbus, + #@{bin}/dbus-send rCx -> dbus, + deny @{bin}/dbus-launch rx, + deny @{bin}/dbus-send rx, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mountinfo r, @@ -105,9 +105,9 @@ profile geany @{exec_path} { include include - /{usr/,}bin/dbus-launch mr, - /{usr/,}bin/dbus-send mr, - /{usr/,}bin/dbus-daemon rPUx, + @{bin}/dbus-launch mr, + @{bin}/dbus-send mr, + @{bin}/dbus-daemon rPUx, # for dbus-launch owner @{HOME}/.dbus/session-bus/@{hex}-[0-9] w, diff --git a/apparmor.d/groups/apps/okular b/apparmor.d/groups/apps/okular index bb902532..c4aba3b7 100644 --- a/apparmor.d/groups/apps/okular +++ b/apparmor.d/groups/apps/okular @@ -8,7 +8,7 @@ include @{okular_ext} = [pP][dD][fF] -@{exec_path} = /{usr/,}bin/okular +@{exec_path} = @{bin}/okular profile okular @{exec_path} { include include @@ -78,13 +78,13 @@ profile okular @{exec_path} { /etc/machine-id r, # Search phrase in google - /{usr/,}bin/xdg-open rCx -> open, + @{bin}/xdg-open rCx -> open, /usr/share/kservices5/searchproviders/{,*.desktop} r, /usr/share/kservices5/{,*.protocol} r, /etc/xdg/kshorturifilterrc r, # Print to pdf - /{usr/,}bin/ps2pdf rPUx, + @{bin}/ps2pdf rPUx, owner /tmp/@{hex} rw, owner /tmp/#[0-9]*[0-9] rw, owner /tmp/okular_*.ps rwl -> /tmp/#[0-9]*[0-9], 
@@ -93,26 +93,26 @@ profile okular @{exec_path} { /usr/share/kf5/licenses/GPL_V2 r, # Allowed apps to open - /{usr/,}lib/firefox/firefox rPUx, + @{lib}/firefox/firefox rPUx, profile open { include include - /{usr/,}bin/xdg-open mr, + @{bin}/xdg-open mr, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/{m,g,}awk rix, - /{usr/,}bin/readlink rix, - /{usr/,}bin/basename rix, + @{bin}/{,ba,da}sh rix, + @{bin}/{m,g,}awk rix, + @{bin}/readlink rix, + @{bin}/basename rix, owner @{HOME}/ r, owner @{run}/user/@{uid}/ r, # Allowed apps to open - /{usr/,}lib/firefox/firefox rPUx, + @{lib}/firefox/firefox rPUx, # file_inherit owner @{HOME}/.xsession-errors w, diff --git a/apparmor.d/groups/apps/signal-desktop b/apparmor.d/groups/apps/signal-desktop index 5f8d5e79..7de74718 100644 --- a/apparmor.d/groups/apps/signal-desktop +++ b/apparmor.d/groups/apps/signal-desktop @@ -76,9 +76,9 @@ profile signal-desktop @{exec_path} { /etc/machine-id r, # No new privs - /{usr/,}bin/xdg-settings rPx, + @{bin}/xdg-settings rPx, - /{usr/,}bin/getconf rix, + @{bin}/getconf rix, include if exists } diff --git a/apparmor.d/groups/apps/spotify b/apparmor.d/groups/apps/spotify index 1259e0f5..0f85a29e 100644 --- a/apparmor.d/groups/apps/spotify +++ b/apparmor.d/groups/apps/spotify @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/spotify /usr/share/spotify/spotify +@{exec_path} = @{bin}/spotify /usr/share/spotify/spotify profile spotify @{exec_path} { include include diff --git a/apparmor.d/groups/apps/telegram-desktop b/apparmor.d/groups/apps/telegram-desktop index 738f39b7..c2234b09 100644 --- a/apparmor.d/groups/apps/telegram-desktop +++ b/apparmor.d/groups/apps/telegram-desktop @@ -8,7 +8,7 @@ include @{TELEGRAM_WORK_DIR} = @{MOUNTS}/Kabi/telegram -@{exec_path} = /{usr/,}bin/telegram-desktop +@{exec_path} = @{bin}/telegram-desktop profile telegram-desktop @{exec_path} { include include 
@@ -38,13 +38,13 @@ profile telegram-desktop @{exec_path} { @{exec_path} mrix, - /{usr/,}bin/{,ba,da}sh rix, + @{bin}/{,ba,da}sh rix, # Launch external apps - /{usr/,}bin/xdg-open rCx -> open, + @{bin}/xdg-open rCx -> open, # What's this for? - deny /{usr/,}bin/fc-list rx, + deny @{bin}/fc-list rx, # Telegram files /usr/share/TelegramDesktop/{,**} r, @@ -81,11 +81,11 @@ profile telegram-desktop @{exec_path} { /usr/share/qt5ct/** r, # Allowed apps to open - /{usr/,}lib/firefox/firefox rPx, - /{usr/,}bin/smplayer rPx, - /{usr/,}bin/viewnior rPUx, - /{usr/,}bin/qpdfview rPx, - /{usr/,}bin/geany rPx, + @{lib}/firefox/firefox rPx, + @{bin}/smplayer rPx, + @{bin}/viewnior rPUx, + @{bin}/qpdfview rPx, + @{bin}/geany rPx, # file_inherit owner /dev/tty[0-9]* rw, @@ -95,23 +95,23 @@ profile telegram-desktop @{exec_path} { include include - /{usr/,}bin/xdg-open mr, + @{bin}/xdg-open mr, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/{m,g,}awk rix, - /{usr/,}bin/readlink rix, - /{usr/,}bin/basename rix, + @{bin}/{,ba,da}sh rix, + @{bin}/{m,g,}awk rix, + @{bin}/readlink rix, + @{bin}/basename rix, owner @{TELEGRAM_WORK_DIR}/ r, owner @{run}/user/@{uid}/ r, # Allowed apps to open - /{usr/,}lib/firefox/firefox rPx, - /{usr/,}bin/smplayer rPx, - /{usr/,}bin/qpdfview rPx, - /{usr/,}bin/viewnior rPUx, - /{usr/,}bin/geany rPx, + @{lib}/firefox/firefox rPx, + @{bin}/smplayer rPx, + @{bin}/qpdfview rPx, + @{bin}/viewnior rPUx, + @{bin}/geany rPx, # file_inherit owner @{HOME}/.xsession-errors w, diff --git a/apparmor.d/groups/apps/thunderbird b/apparmor.d/groups/apps/thunderbird index cafc7a93..023a0796 100644 --- a/apparmor.d/groups/apps/thunderbird +++ b/apparmor.d/groups/apps/thunderbird 
@@ -8,15 +8,15 @@ abi , include -@{FIREFOX_BIN} = /{usr/,}lib/firefox{,-esr}/firefox +@{FIREFOX_BIN} = @{lib}/firefox{,-esr}/firefox @{FIREFOX_BIN} += /opt/firefox{,-esr}/firefox -@{MOZ_LIBDIR} = /{usr/,}lib/thunderbird +@{MOZ_LIBDIR} = @{lib}/thunderbird @{MOZ_HOMEDIR} = @{HOME}/.thunderbird @{MOZ_CACHEDIR} = @{user_cache_dirs}/thunderbird @{exec_path} = @{MOZ_LIBDIR}/thunderbird{,-bin} -@{exec_path} += /{usr/,}bin/thunderbird +@{exec_path} += @{bin}/thunderbird profile thunderbird @{exec_path} { include include @@ -103,14 +103,14 @@ profile thunderbird @{exec_path} { @{exec_path} mrix, @{MOZ_LIBDIR}/thunderbird-wrapper-helper.sh rix, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/sed rix, - /{usr/,}bin/date rix, - /{usr/,}bin/tr rix, - /{usr/,}bin/which{,.debianutils} rix, + @{bin}/{,ba,da}sh rix, + @{bin}/sed rix, + @{bin}/date rix, + @{bin}/tr rix, + @{bin}/which{,.debianutils} rix, - /{usr/,}bin/ps rPx, - /{usr/,}bin/dig rix, + @{bin}/ps rPx, + @{bin}/dig rix, # Thunderbird files /usr/share/thunderbird/{,**} r, @@ -146,14 +146,14 @@ profile thunderbird @{exec_path} { owner @{user_share_dirs}/ r, # Spellcheck - /{usr/,}bin/locale rix, + @{bin}/locale rix, # System integration /etc/mime.types r, owner @{user_config_dirs}/mimeapps.list.* rw, # KDE system keyring - /{usr/,}lib/@{multiarch}/qt5/plugins/kf5/org.kde.kwindowsystem.platforms/KF5WindowSystemX11Plugin.so mr, + @{lib}/@{multiarch}/qt5/plugins/kf5/org.kde.kwindowsystem.platforms/KF5WindowSystemX11Plugin.so mr, /usr/share/xul-ext/kwallet5/* r, /etc/xul-ext/kwallet5.js r, owner @{user_config_dirs}/kwalletrc r, 
@@ -216,25 +216,25 @@ profile thunderbird @{exec_path} { /usr/share/sounds/freedesktop/stereo/*.oga r, # Silencer - deny /{usr/,}lib/thunderbird/** w, + deny @{lib}/thunderbird/** w, - /{usr/,}bin/lsb_release rPx -> lsb_release, - /{usr/,}bin/xdg-{open,mime} rCx -> open, - /{usr/,}bin/exo-open rCx -> open, - /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop rCx -> open, + @{bin}/lsb_release rPx -> lsb_release, + @{bin}/xdg-{open,mime} rCx -> open, + @{bin}/exo-open rCx -> open, + @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rCx -> open, # Needed for enigmail /usr/share/xul-ext/enigmail/{,**} r, - /{usr/,}bin/gpgconf rCx -> gpg, - /{usr/,}bin/gpg-connect-agent rCx -> gpg, - /{usr/,}bin/gpg{,2} rCx -> gpg, - /{usr/,}bin/gpgsm rCx -> gpg, + @{bin}/gpgconf rCx -> gpg, + @{bin}/gpg-connect-agent rCx -> gpg, + @{bin}/gpg{,2} rCx -> gpg, + @{bin}/gpgsm rCx -> gpg, # Allowed apps to open - /{usr/,}bin/qpdfview rPx, - /{usr/,}bin/viewnior rPUx, - /{usr/,}bin/engrampa rPx, - /{usr/,}bin/geany rPx, + @{bin}/qpdfview rPx, + @{bin}/viewnior rPUx, + @{bin}/engrampa rPx, + @{bin}/geany rPx, @{FIREFOX_BIN} rPx, # file_inherit @@ -252,11 +252,11 @@ profile thunderbird @{exec_path} { network inet6 stream, network netlink raw, - /{usr/,}bin/gpgconf mr, - /{usr/,}bin/gpg{,2} mr, - /{usr/,}bin/gpg-connect-agent mr, - /{usr/,}bin/gpgsm mr, - /{usr/,}bin/gpg-agent rix, + @{bin}/gpgconf mr, + @{bin}/gpg{,2} mr, + @{bin}/gpg-connect-agent mr, + @{bin}/gpgsm mr, + @{bin}/gpg-agent rix, owner @{HOME}/@{XDG_GPG_DIR}/ rw, owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**, 
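Review bot: The silencer `deny @{lib}/thunderbird/** w,` spells out a path that the earlier hunk of this file already binds to a variable (`@{MOZ_LIBDIR} = @{lib}/thunderbird`), so the two can drift apart the next time the lib directory changes. Writing it as `deny @{MOZ_LIBDIR}/** w,` keeps the deny rule tied to the same definition as `@{exec_path}`. The thunderbird profile body starts before and ends after this hunk.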
@@ -298,25 +298,25 @@ profile thunderbird @{exec_path} { include include - /{usr/,}bin/xdg-open mr, - /{usr/,}bin/exo-open mr, - /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr, + @{bin}/xdg-open mr, + @{bin}/exo-open mr, + @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/{,m,g}awk rix, - /{usr/,}bin/readlink rix, - /{usr/,}bin/basename rix, - /{usr/,}bin/xfce4-mime-helper rix, + @{bin}/{,ba,da}sh rix, + @{bin}/{,m,g}awk rix, + @{bin}/readlink rix, + @{bin}/basename rix, + @{bin}/xfce4-mime-helper rix, owner @{HOME}/ r, owner @{run}/user/@{uid}/ r, # Allowed apps to open - /{usr/,}bin/qpdfview rPx, - /{usr/,}bin/viewnior rPUx, - /{usr/,}bin/engrampa rPx, - /{usr/,}bin/geany rPx, + @{bin}/qpdfview rPx, + @{bin}/viewnior rPUx, + @{bin}/engrampa rPx, + @{bin}/geany rPx, @{FIREFOX_BIN} rPx, # file_inherit diff --git a/apparmor.d/groups/apps/vlc b/apparmor.d/groups/apps/vlc index b321a4a7..c80f106f 100644 --- a/apparmor.d/groups/apps/vlc +++ b/apparmor.d/groups/apps/vlc @@ -7,7 +7,7 @@ abi , include -@{exec_path} = /{usr/,}bin/{c,}vlc +@{exec_path} = @{bin}/{c,}vlc profile vlc @{exec_path} { include include @@ -145,7 +145,7 @@ profile vlc @{exec_path} { @{exec_path} mrix, - /{usr/,}bin/xdg-screensaver rCx -> xdg-screensaver, + @{bin}/xdg-screensaver rCx -> xdg-screensaver, /usr/share/hwdata/pnp.ids r, /usr/share/qt5ct/** r, 
@@ -197,22 +197,22 @@ profile vlc @{exec_path} {
 owner /dev/tty[0-9]* rw,
 # Silencer
- deny /{usr/,}lib/@{multiarch}/vlc/{,**} w,
+ deny @{lib}/@{multiarch}/vlc/{,**} w,
 profile xdg-screensaver {
 include
 include
- /{usr/,}bin/xdg-screensaver mr,
+ @{bin}/xdg-screensaver mr,
- /{usr/,}bin/{,ba,da}sh rix,
- /{usr/,}bin/mv rix,
- /{usr/,}bin/{,e}grep rix,
- /{usr/,}bin/sed rix,
- /{usr/,}bin/which{,.debianutils} rix,
- /{usr/,}bin/xset rix,
- /{usr/,}bin/xautolock rix,
- /{usr/,}bin/dbus-send rix,
+ @{bin}/{,ba,da}sh rix,
+ @{bin}/mv rix,
+ @{bin}/{,e}grep rix,
+ @{bin}/sed rix,
+ @{bin}/which{,.debianutils} rix,
+ @{bin}/xset rix,
+ @{bin}/xautolock rix,
+ @{bin}/dbus-send rix,
 owner @{HOME}/.Xauthority r,
diff --git a/apparmor.d/groups/apt/apt b/apparmor.d/groups/apt/apt
index 80908a54..eac75559 100644
--- a/apparmor.d/groups/apt/apt
+++ b/apparmor.d/groups/apt/apt
@@ -7,7 +7,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}bin/apt /{usr/,}bin/apt-get /{usr/,}{s,}bin/aptd
+@{exec_path} = @{bin}/apt @{bin}/apt-get @{bin}/aptd
 profile apt @{exec_path} flags=(attach_disconnected) {
 include
 include
@@ -62,57 +62,57 @@ profile apt @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - /{usr/,}{s,}bin/ r, + @{bin}/ r, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/{,e}grep rix, - /{usr/,}bin/echo rix, - /{usr/,}bin/gdbus rix, - /{usr/,}bin/id rix, - /{usr/,}bin/ischroot rix, - /{usr/,}bin/test rix, - /{usr/,}bin/touch rix, + @{bin}/{,ba,da}sh rix, + @{bin}/{,e}grep rix, + @{bin}/echo rix, + @{bin}/gdbus rix, + @{bin}/id rix, + @{bin}/ischroot rix, + @{bin}/test rix, + @{bin}/touch rix, - /{usr/,}{s,}bin/dpkg-preconfigure rPx, - /{usr/,}{s,}bin/localepurge rPx, - /{usr/,}{s,}bin/update-command-not-found rPx, - /{usr/,}bin/adequate rPx, - /{usr/,}bin/appstreamcli rPx, - /{usr/,}bin/apt-listbugs rPx, - /{usr/,}bin/apt-listchanges rPx, - /{usr/,}bin/apt-show-versions rPx, - /{usr/,}bin/debtags rPx, - /{usr/,}bin/df rPx, - /{usr/,}bin/dmesg rPx, - /{usr/,}bin/dpkg rPx, - /{usr/,}bin/dpkg-source rcx -> dpkg-source, - /{usr/,}bin/etckeeper rPx, - /{usr/,}bin/ps rPx, - /{usr/,}bin/snap rPUx, - /{usr/,}bin/systemctl rCx -> systemctl, - /{usr/,}lib/cnf-update-db rPx, - /{usr/,}lib/needrestart/apt-pinvoke rPx, - @{libexec}/zsys-system-autosnapshot rPx, + @{bin}/adequate rPx, + @{bin}/appstreamcli rPx, + @{bin}/apt-listbugs rPx, + @{bin}/apt-listchanges rPx, + @{bin}/apt-show-versions rPx, + @{bin}/debtags rPx, + @{bin}/df rPx, + @{bin}/dmesg rPx, + @{bin}/dpkg rPx, + @{bin}/dpkg-preconfigure rPx, + @{bin}/dpkg-source rcx -> dpkg-source, + @{bin}/etckeeper rPx, + @{bin}/localepurge rPx, + @{bin}/ps rPx, + @{bin}/snap rPUx, + @{bin}/systemctl rCx -> systemctl, + @{bin}/update-command-not-found rPx, + @{lib}/cnf-update-db rPx, + @{lib}/needrestart/apt-pinvoke rPx, + @{lib}/zsys-system-autosnapshot rPx, # For building the source after the download process is finished (apt-get source --compile) - /{usr/,}bin/dpkg-buildpackage rPUx, + @{bin}/dpkg-buildpackage rPUx, # Methods to use to download packages from the net - /{usr/,}lib/apt/methods/* rPx, + @{lib}/apt/methods/* 
rPx, # Ubuntu specificities - /{usr/,}lib/ubuntu-advantage/apt-esm-hook rPx, - /{usr/,}lib/ubuntu-advantage/apt-esm-json-hook rPx, - /{usr/,}lib/update-notifier/update-motd-updates-available rPx, - /usr/share/command-not-found/cnf-update-db rPx, - /usr/share/language-tools/language-options rPx, + @{lib}/ubuntu-advantage/apt-esm-hook rPx, + @{lib}/ubuntu-advantage/apt-esm-json-hook rPx, + @{lib}/update-notifier/update-motd-updates-available rPx, + /usr/share/command-not-found/cnf-update-db rPx, + /usr/share/language-tools/language-options rPx, # For editing the sources.list file - /{usr/,}bin/sensible-editor rCx -> editor, - /{usr/,}bin/vim.* rCx -> editor, + @{bin}/sensible-editor rCx -> editor, + @{bin}/vim.* rCx -> editor, # For changelogs - /{usr/,}bin/sensible-pager rCx -> pager, + @{bin}/sensible-pager rCx -> pager, /usr/share/xml/iso-codes/{,**} r, /usr/share/language-selector/data/pkg_depends r, @@ -161,10 +161,10 @@ profile apt @{exec_path} flags=(attach_disconnected) { include include - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/sensible-editor mr, - /{usr/,}bin/vim.* mrix, - /{usr/,}bin/which{,.debianutils} rix, + @{bin}/{,ba,da}sh rix, + @{bin}/sensible-editor mr, + @{bin}/vim.* mrix, + @{bin}/which{,.debianutils} rix, /usr/share/vim/{,**} r, @@ -184,11 +184,11 @@ profile apt @{exec_path} flags=(attach_disconnected) { capability dac_read_search, - /{usr/,}bin/ r, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/less rix, - /{usr/,}bin/sensible-pager mr, - /{usr/,}bin/which{,.debianutils} rix, + @{bin}/ r, + @{bin}/{,ba,da}sh rix, + @{bin}/less rix, + @{bin}/sensible-pager mr, + @{bin}/which{,.debianutils} rix, /root/ r, # For shell pwd 
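Review bot: One line in the `@@ -62,57` hunk of the apt profile is not the mechanical `/{usr/,}bin` → `@{bin}` substitution the commit title describes: `@{libexec}/zsys-system-autosnapshot rPx,` becomes `@{lib}/zsys-system-autosnapshot rPx,`, i.e. the rule moves from the `@{libexec}` tunable to `@{lib}`. If the two variables do not expand to the same directories, the `rPx` transition to the zsys profile silently stops matching on systems that install the hook under libexec, and because the surrounding list was re-sorted alphabetically in the same hunk the change is easy to miss in review. Unless `@{lib}` is known to cover the libexec path, keep `@{libexec}/zsys-system-autosnapshot rPx,` and make the variable switch in its own commit. The apt profile body begins before this hunk and continues after it.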
@@ -204,17 +204,17 @@ profile apt @{exec_path} flags=(attach_disconnected) { include include - /{usr/,}bin/dpkg-source mr, - /{usr/,}bin/perl r, + @{bin}/dpkg-source mr, + @{bin}/perl r, - /{usr/,}bin/bunzip2 rix, - /{usr/,}bin/chmod rix, - /{usr/,}bin/gunzip rix, - /{usr/,}bin/gzip rix, - /{usr/,}bin/patch rix, - /{usr/,}bin/rm rix, - /{usr/,}bin/tar rix, - /{usr/,}bin/xz rix, + @{bin}/bunzip2 rix, + @{bin}/chmod rix, + @{bin}/gunzip rix, + @{bin}/gzip rix, + @{bin}/patch rix, + @{bin}/rm rix, + @{bin}/tar rix, + @{bin}/xz rix, /etc/dpkg/origins/debian r, @@ -235,9 +235,9 @@ profile apt @{exec_path} flags=(attach_disconnected) { ptrace (read), - /{usr/,}bin/systemctl mr, + @{bin}/systemctl mr, - /{usr/,}bin/systemd-tty-ask-password-agent rix, + @{bin}/systemd-tty-ask-password-agent rix, owner @{run}/systemd/ask-password-block/* rw, owner @{run}/systemd/ask-password/ rw, diff --git a/apparmor.d/groups/apt/apt-cache b/apparmor.d/groups/apt/apt-cache index d1205544..e0a3ace9 100644 --- a/apparmor.d/groups/apt/apt-cache +++ b/apparmor.d/groups/apt/apt-cache @@ -7,7 +7,7 @@ abi , include -@{exec_path} = /{usr/,}bin/apt-cache +@{exec_path} = @{bin}/apt-cache profile apt-cache @{exec_path} { include include @@ -15,7 +15,7 @@ profile apt-cache @{exec_path} { @{exec_path} mr, - /{usr/,}bin/dpkg rPx -> child-dpkg, + @{bin}/dpkg rPx -> child-dpkg, /var/lib/dbus/machine-id r, /etc/machine-id r, diff --git a/apparmor.d/groups/apt/apt-cdrom b/apparmor.d/groups/apt/apt-cdrom index 48c0f8af..55d1629d 100644 --- a/apparmor.d/groups/apt/apt-cdrom +++ b/apparmor.d/groups/apt/apt-cdrom @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/apt-cdrom +@{exec_path} = @{bin}/apt-cdrom profile apt-cdrom @{exec_path} flags=(complain) { include include 
@@ -16,10 +16,10 @@ profile apt-cdrom @{exec_path} flags=(complain) {
 @{exec_path} mr,
- /{usr/,}bin/dpkg rPx -> child-dpkg,
+ @{bin}/dpkg rPx -> child-dpkg,
- /{usr/,}bin/mount rCx -> mount,
- /{usr/,}bin/umount rCx -> umount,
+ @{bin}/mount rCx -> mount,
+ @{bin}/umount rCx -> umount,
 /etc/fstab r,
@@ -58,7 +58,7 @@ profile apt-cdrom @{exec_path} flags=(complain) {
 profile mount flags=(complain) {
 include
- /{usr/,}bin/mount mr,
+ @{bin}/mount mr,
 /etc/fstab r,
@@ -71,7 +71,7 @@ profile apt-cdrom @{exec_path} flags=(complain) {
 capability sys_admin,
- /{usr/,}bin/umount mr,
+ @{bin}/umount mr,
 @{run}/mount/utab{,.*} rw,
 @{run}/mount/utab.lock rwk,
diff --git a/apparmor.d/groups/apt/apt-config b/apparmor.d/groups/apt/apt-config
index 256d0883..98cbc8ea 100644
--- a/apparmor.d/groups/apt/apt-config
+++ b/apparmor.d/groups/apt/apt-config
@@ -7,7 +7,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}bin/apt-config
+@{exec_path} = @{bin}/apt-config
 profile apt-config @{exec_path} {
 include
 include
@@ -15,7 +15,7 @@ profile apt-config @{exec_path} {
 @{exec_path} mr,
- /{usr/,}bin/dpkg rPx -> child-dpkg,
+ @{bin}/dpkg rPx -> child-dpkg,
 owner /tmp/tmp*/apt.conf r,
diff --git a/apparmor.d/groups/apt/apt-extracttemplates b/apparmor.d/groups/apt/apt-extracttemplates
index d12e7816..3d718d03 100644
--- a/apparmor.d/groups/apt/apt-extracttemplates
+++ b/apparmor.d/groups/apt/apt-extracttemplates
@@ -7,7 +7,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}bin/apt-extracttemplates
+@{exec_path} = @{bin}/apt-extracttemplates
 profile apt-extracttemplates @{exec_path} {
 include
 include
@@ -15,7 +15,7 @@ profile apt-extracttemplates @{exec_path} {
 @{exec_path} mr,
- /{usr/,}bin/dpkg rPx -> child-dpkg,
+ @{bin}/dpkg rPx -> child-dpkg,
 /var/cache/apt/ r,
 /var/cache/apt/** rwk,
diff --git a/apparmor.d/groups/apt/apt-file b/apparmor.d/groups/apt/apt-file
index 727e3f3c..f636fb58 100644
--- a/apparmor.d/groups/apt/apt-file
+++ b/apparmor.d/groups/apt/apt-file
@@ -7,22 +7,22 @@ abi ,
 include
-@{exec_path} = /{usr/,}bin/apt-file
+@{exec_path} = @{bin}/apt-file
 profile apt-file @{exec_path} {
 include
 include
 include
 @{exec_path} r,
- /{usr/,}bin/perl r,
+ @{bin}/perl r,
- /{usr/,}bin/fgrep rix,
- /{usr/,}bin/{,e}grep rix,
- /{usr/,}bin/xargs rix,
- /{usr/,}lib/apt/apt-helper rix,
+ @{bin}/fgrep rix,
+ @{bin}/{,e}grep rix,
+ @{bin}/xargs rix,
+ @{lib}/apt/apt-helper rix,
- /{usr/,}bin/apt-get rPx,
- /{usr/,}bin/apt rPx,
+ @{bin}/apt-get rPx,
+ @{bin}/apt rPx,
 /etc/apt/apt-file.conf r,
diff --git a/apparmor.d/groups/apt/apt-forktracer b/apparmor.d/groups/apt/apt-forktracer
index c9061155..2eb25087 100644
--- a/apparmor.d/groups/apt/apt-forktracer
+++ b/apparmor.d/groups/apt/apt-forktracer
@@ -7,7 +7,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}bin/apt-forktracer
+@{exec_path} = @{bin}/apt-forktracer
 profile apt-forktracer @{exec_path} {
 include
 include
@@ -15,9 +15,9 @@ profile apt-forktracer @{exec_path} {
 @{exec_path} mr,
- /{usr/,}bin/ r,
- /{usr/,}bin/dpkg rPx -> child-dpkg,
- /{usr/,}bin/apt-cache rPx,
+ @{bin}/ r,
+ @{bin}/dpkg rPx -> child-dpkg,
+ @{bin}/apt-cache rPx,
 /usr/share/apt-forktracer/{,**} r,
 /usr/share/distro-info/debian.csv r,
diff --git a/apparmor.d/groups/apt/apt-ftparchive b/apparmor.d/groups/apt/apt-ftparchive
index 22c62f6c..ea4db977 100644
--- a/apparmor.d/groups/apt/apt-ftparchive
+++ b/apparmor.d/groups/apt/apt-ftparchive
@@ -6,7 +6,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}bin/apt-ftparchive
+@{exec_path} = @{bin}/apt-ftparchive
 profile apt-ftparchive @{exec_path} {
 include
diff --git a/apparmor.d/groups/apt/apt-key b/apparmor.d/groups/apt/apt-key
index e05ee394..8cacc89b 100644
--- a/apparmor.d/groups/apt/apt-key
+++ b/apparmor.d/groups/apt/apt-key
@@ -7,42 +7,42 @@ abi , include -@{exec_path} = /{usr/,}bin/apt-key +@{exec_path} = @{bin}/apt-key profile apt-key @{exec_path} { include include @{exec_path} mr, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/{,e}grep rix, - /{usr/,}bin/cat rix, - /{usr/,}bin/chmod rix, - /{usr/,}bin/cmp rix, - /{usr/,}bin/comm rix, - /{usr/,}bin/cp rix, - /{usr/,}bin/cut rix, - /{usr/,}bin/find rix, - /{usr/,}bin/id rix, - /{usr/,}bin/mktemp rix, - /{usr/,}bin/readlink rix, - /{usr/,}bin/rm rix, - /{usr/,}bin/sed rix, - /{usr/,}bin/sort rix, - /{usr/,}bin/touch rix, - /{usr/,}bin/tr rix, - /{usr/,}bin/uniq rix, - /{usr/,}bin/wc rix, + @{bin}/{,ba,da}sh rix, + @{bin}/{,e}grep rix, + @{bin}/cat rix, + @{bin}/chmod rix, + @{bin}/cmp rix, + @{bin}/comm rix, + @{bin}/cp rix, + @{bin}/cut rix, + @{bin}/find rix, + @{bin}/id rix, + @{bin}/mktemp rix, + @{bin}/readlink rix, + @{bin}/rm rix, + @{bin}/sed rix, + @{bin}/sort rix, + @{bin}/touch rix, + @{bin}/tr rix, + @{bin}/uniq rix, + @{bin}/wc rix, - /{usr/,}bin/gpgconf rCx -> gpg, - /{usr/,}bin/gpg{,2} rCx -> gpg, + @{bin}/gpgconf rCx -> gpg, + @{bin}/gpg{,2} rCx -> gpg, # Do not strip env to avoid errors like the following: # ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open # shared object file): ignored. - /{usr/,}bin/dpkg-query rpx, + @{bin}/dpkg-query rpx, # - /{usr/,}bin/apt-config rPx, + @{bin}/apt-config rPx, # For shell pwd / r, @@ -67,12 +67,12 @@ profile apt-key @{exec_path} { network inet stream, network inet6 stream, - /{usr/,}bin/gpg{,2} mr, - /{usr/,}bin/gpgconf mr, + @{bin}/gpg{,2} mr, + @{bin}/gpgconf mr, - /{usr/,}bin/dirmngr rix, - /{usr/,}bin/gpg-agent rix, - /{usr/,}bin/gpg-connect-agent rix, + @{bin}/dirmngr rix, + @{bin}/gpg-agent rix, + @{bin}/gpg-connect-agent rix, /usr/share/gnupg/sks-keyservers.netCA.pem r, diff --git a/apparmor.d/groups/apt/apt-listbugs b/apparmor.d/groups/apt/apt-listbugs index ae1c3750..ebec43fc 100644 --- a/apparmor.d/groups/apt/apt-listbugs 
+++ b/apparmor.d/groups/apt/apt-listbugs @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/apt-listbugs +@{exec_path} = @{bin}/apt-listbugs profile apt-listbugs @{exec_path} { include include @@ -23,25 +23,25 @@ profile apt-listbugs @{exec_path} { network netlink raw, @{exec_path} r, - /{usr/,}bin/ruby[0-9].[0-9]* rix, + @{bin}/ruby[0-9].[0-9]* rix, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/logname rix, + @{bin}/{,ba,da}sh rix, + @{bin}/logname rix, - /{usr/,}bin/apt-config rPx, + @{bin}/apt-config rPx, # Do not strip env to avoid errors like the following: # ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open # shared object file): ignored. - /{usr/,}bin/dpkg-query rpx, + @{bin}/dpkg-query rpx, /usr/local/lib/site_ruby/[0-9].[0-9].[0-9]/**.rb r, /usr/share/rubygems-integration/*/specifications/ r, /usr/share/rubygems-integration/*/specifications/*.gemspec rwk, - /{usr/,}lib/ruby/gems/*/specifications/ r, - /{usr/,}lib/ruby/gems/*/specifications/** r, - /{usr/,}lib/ruby/gems/*/specifications/**.gemspec rwk, + @{lib}/ruby/gems/*/specifications/ r, + @{lib}/ruby/gems/*/specifications/** r, + @{lib}/ruby/gems/*/specifications/**.gemspec rwk, /etc/apt/listbugs/{,*} r, @@ -53,8 +53,8 @@ profile apt-listbugs @{exec_path} { include include capability dac_read_search, - /{usr/,}bin/lsb_release rPx -> lsb_release, - /{usr/,}bin/hostname rix, + @{bin}/lsb_release rPx -> lsb_release, + @{bin}/hostname rix, owner @{PROC}/@{pid}/mounts r, @{HOME}/.Xauthority r, diff --git a/apparmor.d/groups/apt/apt-listbugs-aptcleanup b/apparmor.d/groups/apt/apt-listbugs-aptcleanup index a192732b..64dd14fd 100644 --- a/apparmor.d/groups/apt/apt-listbugs-aptcleanup +++ b/apparmor.d/groups/apt/apt-listbugs-aptcleanup 
@@ -6,14 +6,14 @@ abi , include -@{exec_path} = @{libexec}/apt-listbugs/aptcleanup +@{exec_path} = @{lib}/apt-listbugs/aptcleanup profile apt-listbugs-aptcleanup @{exec_path} { include include include @{exec_path} r, - /{usr/,}bin/ruby2.[0-9]* rix, + @{bin}/ruby2.[0-9]* rix, include if exists } diff --git a/apparmor.d/groups/apt/apt-listbugs-migratepins b/apparmor.d/groups/apt/apt-listbugs-migratepins index cc5beefe..37bb6253 100644 --- a/apparmor.d/groups/apt/apt-listbugs-migratepins +++ b/apparmor.d/groups/apt/apt-listbugs-migratepins @@ -6,21 +6,21 @@ abi , include -@{exec_path} = @{libexec}/apt-listbugs/migratepins +@{exec_path} = @{lib}/apt-listbugs/migratepins profile apt-listbugs-migratepins @{exec_path} { include include include @{exec_path} r, - /{usr/,}bin/ruby[0-9].[0-9]* rix, + @{bin}/ruby[0-9].[0-9]* rix, /usr/share/rubygems-integration/*/specifications/ r, /usr/share/rubygems-integration/*/specifications/*.gemspec rwk, - /{usr/,}lib/ruby/gems/*/specifications/ r, - /{usr/,}lib/ruby/gems/*/specifications/** r, - /{usr/,}lib/ruby/gems/*/specifications/**.gemspec rwk, + @{lib}/ruby/gems/*/specifications/ r, + @{lib}/ruby/gems/*/specifications/** r, + @{lib}/ruby/gems/*/specifications/**.gemspec rwk, /etc/apt/preferences r, diff --git a/apparmor.d/groups/apt/apt-listbugs-prefclean b/apparmor.d/groups/apt/apt-listbugs-prefclean index b4afe3d1..d0e12914 100644 --- a/apparmor.d/groups/apt/apt-listbugs-prefclean +++ b/apparmor.d/groups/apt/apt-listbugs-prefclean @@ -6,20 +6,20 @@ abi , include -@{exec_path} = /usr/libexec/apt-listbugs/prefclean +@{exec_path} = @{lib}/apt-listbugs/prefclean profile apt-listbugs-prefclean @{exec_path} { include include include @{exec_path} r, - /{usr/,}bin/ruby[0-9].[0-9]* rix, + @{bin}/ruby[0-9].[0-9]* rix, - /{usr/,}bin/date rix, - /{usr/,}bin/cat rix, - /{usr/,}bin/mktemp rix, - /{usr/,}bin/rm rix, - /{usr/,}bin/cp rix, + @{bin}/date rix, + @{bin}/cat rix, + @{bin}/mktemp rix, + @{bin}/rm rix, + @{bin}/cp rix, / r, 
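Review bot: The attachment path `@{exec_path} = @{lib}/apt-listbugs/aptcleanup` now relies on `@{lib}` matching the helper's real location under `/usr/libexec`, and the apt-listbugs-migratepins and apt-listbugs-prefclean hunks on this line make the same switch away from `@{libexec}` and the literal `/usr/libexec/apt-listbugs/prefclean`. The tunable's expansion is not part of this diff; if `@{lib}` only expands to `/{usr/,}lib`, none of these three profiles attaches, so the helper is left either running unconfined or denied on an `rPx` transition from a confined parent. Confirming that the definition of `@{lib}` covers libexec before dropping `@{libexec}` would settle this; otherwise a comment next to the assignment such as `# @{lib} is expected to cover /usr/libexec; see tunables` records the dependency for the next reader.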
diff --git a/apparmor.d/groups/apt/apt-listchanges b/apparmor.d/groups/apt/apt-listchanges index 6647ca09..2f44cb10 100644 --- a/apparmor.d/groups/apt/apt-listchanges +++ b/apparmor.d/groups/apt/apt-listchanges @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/apt-listchanges +@{exec_path} = @{bin}/apt-listchanges profile apt-listchanges @{exec_path} { include include @@ -16,20 +16,20 @@ profile apt-listchanges @{exec_path} { #capability sys_tty_config, @{exec_path} r, - /{usr/,}bin/python3.[0-9]* r, + @{bin}/python3.[0-9]* r, - /{usr/,}bin/ r, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/tar rix, + @{bin}/ r, + @{bin}/{,ba,da}sh rix, + @{bin}/tar rix, # Do not strip env to avoid errors like the following: # ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open # shared object file): ignored. - /{usr/,}bin/dpkg-deb rpx, + @{bin}/dpkg-deb rpx, # - /{usr/,}bin/sensible-pager rCx -> pager, + @{bin}/sensible-pager rCx -> pager, # Send results using email - /{usr/,}sbin/exim4 rPx, + @{bin}/exim4 rPx, /usr/share/apt-listchanges/{,**} r, @@ -69,8 +69,8 @@ profile apt-listchanges @{exec_path} { include include capability dac_read_search, - /{usr/,}bin/lsb_release rPx -> lsb_release, - /{usr/,}bin/hostname rix, + @{bin}/lsb_release rPx -> lsb_release, + @{bin}/hostname rix, owner @{PROC}/@{pid}/mounts r, @{HOME}/.Xauthority r, @@ -82,12 +82,12 @@ profile apt-listchanges @{exec_path} { capability dac_read_search, #capability sys_tty_config, - /{usr/,}bin/sensible-pager mr, + @{bin}/sensible-pager mr, - /{usr/,}bin/ r, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/which{,.debianutils} rix, - /{usr/,}bin/less rix, + @{bin}/ r, + @{bin}/{,ba,da}sh rix, + @{bin}/which{,.debianutils} rix, + @{bin}/less rix, owner @{HOME}/.less* rw, diff --git a/apparmor.d/groups/apt/apt-mark b/apparmor.d/groups/apt/apt-mark index 5fd24129..db2c672a 100644 --- a/apparmor.d/groups/apt/apt-mark +++ b/apparmor.d/groups/apt/apt-mark 
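Review bot: `@{bin}/exim4 rPx` replaces `/{usr/,}sbin/exim4`, so the mail-sending rule in apt-listchanges now only works if `@{bin}` expands to sbin as well as bin, and the tunable's definition is not visible in this diff. The same assumption is made in debsecan (`/{usr/,}{s,}bin/exim4`), apt-overlay (`/{usr/,}sbin/apt-overlay`), aptitude (`dpkg-preconfigure`, `localepurge`, `update-command-not-found`), debsums (where the separate `/{usr/,}sbin/{,*} r` rule is dropped outright) and the dpkg `scripts` subprofile (`/{usr/,}{s,}bin/* rPUx`). If the tunable is bin-only these execs are denied; if it covers sbin, every formerly bin-only rule in the series also matches under sbin, a small but silent widening that the commit message does not mention. A one-line comment on this rule, e.g. `# exim4 lives in sbin; @{bin} must cover /{usr/,}sbin`, would make the dependency explicit at the first place it matters.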
@@ -7,14 +7,14 @@ abi , include -@{exec_path} = /{usr/,}bin/apt-mark +@{exec_path} = @{bin}/apt-mark profile apt-mark @{exec_path} { include include @{exec_path} mr, - /{usr/,}bin/dpkg rPx, + @{bin}/dpkg rPx, /etc/machine-id r, diff --git a/apparmor.d/groups/apt/apt-methods-cdrom b/apparmor.d/groups/apt/apt-methods-cdrom index 09a5cb16..ac1036e8 100644 --- a/apparmor.d/groups/apt/apt-methods-cdrom +++ b/apparmor.d/groups/apt/apt-methods-cdrom @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}lib/apt/methods/cdrom +@{exec_path} = @{lib}/apt/methods/cdrom profile apt-methods-cdrom @{exec_path} { include include diff --git a/apparmor.d/groups/apt/apt-methods-copy b/apparmor.d/groups/apt/apt-methods-copy index d831b772..304f1db0 100644 --- a/apparmor.d/groups/apt/apt-methods-copy +++ b/apparmor.d/groups/apt/apt-methods-copy @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}lib/apt/methods/copy +@{exec_path} = @{lib}/apt/methods/copy profile apt-methods-copy @{exec_path} { include include @@ -27,7 +27,7 @@ profile apt-methods-copy @{exec_path} { @{exec_path} mr, # apt-helper gets "no new privs" so "rix" it - /{usr/,}lib/apt/apt-helper rix, + @{lib}/apt/apt-helper rix, # For shell pwd / r, diff --git a/apparmor.d/groups/apt/apt-methods-file b/apparmor.d/groups/apt/apt-methods-file index 21e6ab06..48a782bd 100644 --- a/apparmor.d/groups/apt/apt-methods-file +++ b/apparmor.d/groups/apt/apt-methods-file @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}lib/apt/methods/file +@{exec_path} = @{lib}/apt/methods/file profile apt-methods-file @{exec_path} { include include @@ -27,7 +27,7 @@ profile apt-methods-file @{exec_path} { @{exec_path} mr, # apt-helper gets "no new privs" so "rix" it - /{usr/,}lib/apt/apt-helper rix, + @{lib}/apt/apt-helper rix, # For shell pwd / r, diff --git a/apparmor.d/groups/apt/apt-methods-ftp b/apparmor.d/groups/apt/apt-methods-ftp index 54b53194..94bb0149 100644 --- a/apparmor.d/groups/apt/apt-methods-ftp 
+++ b/apparmor.d/groups/apt/apt-methods-ftp @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}lib/apt/methods/ftp +@{exec_path} = @{lib}/apt/methods/ftp profile apt-methods-ftp @{exec_path} { include include diff --git a/apparmor.d/groups/apt/apt-methods-gpgv b/apparmor.d/groups/apt/apt-methods-gpgv index 0031eba3..c77f7e6d 100644 --- a/apparmor.d/groups/apt/apt-methods-gpgv +++ b/apparmor.d/groups/apt/apt-methods-gpgv @@ -7,7 +7,7 @@ abi , include -@{exec_path} = /{usr/,}lib/apt/methods/gpgv +@{exec_path} = @{lib}/apt/methods/gpgv profile apt-methods-gpgv @{exec_path} { include include @@ -28,27 +28,27 @@ profile apt-methods-gpgv @{exec_path} { @{exec_path} mr, # The following get "no new privs" so "rix" them - /{usr/,}bin/apt-config rix, - /{usr/,}bin/apt-key rix, - /{usr/,}bin/dpkg rix, - /{usr/,}bin/find rix, - /{usr/,}bin/gpg-connect-agent rix, - /{usr/,}bin/gpgconf rix, - /{usr/,}bin/gpgv rix, + @{bin}/apt-config rix, + @{bin}/apt-key rix, + @{bin}/dpkg rix, + @{bin}/find rix, + @{bin}/gpg-connect-agent rix, + @{bin}/gpgconf rix, + @{bin}/gpgv rix, - /{usr/,}bin/{m,g,}awk rix, - /{usr/,}bin/base64 rix, - /{usr/,}bin/cat rix, - /{usr/,}bin/chmod rix, - /{usr/,}bin/cmp rix, - /{usr/,}bin/cp rix, - /{usr/,}bin/head rix, - /{usr/,}bin/mktemp rix, - /{usr/,}bin/readlink rix, - /{usr/,}bin/rm rix, - /{usr/,}bin/sed rix, - /{usr/,}bin/sort rix, - /{usr/,}bin/touch rix, + @{bin}/{m,g,}awk rix, + @{bin}/base64 rix, + @{bin}/cat rix, + @{bin}/chmod rix, + @{bin}/cmp rix, + @{bin}/cp rix, + @{bin}/head rix, + @{bin}/mktemp rix, + @{bin}/readlink rix, + @{bin}/rm rix, + @{bin}/sed rix, + @{bin}/sort rix, + @{bin}/touch rix, /usr/share/dpkg/cputable r, /usr/share/dpkg/tupletable r, diff --git a/apparmor.d/groups/apt/apt-methods-http b/apparmor.d/groups/apt/apt-methods-http index b83077e9..62035fc8 100644 --- a/apparmor.d/groups/apt/apt-methods-http +++ b/apparmor.d/groups/apt/apt-methods-http 
@@ -7,7 +7,7 @@ abi , include -@{exec_path} = /{usr/,}lib/apt/methods/http{,s} +@{exec_path} = @{lib}/apt/methods/http{,s} profile apt-methods-http @{exec_path} { include include @@ -36,7 +36,7 @@ profile apt-methods-http @{exec_path} { @{exec_path} mr, # apt-helper gets "no new privs" so "rix" it - /{usr/,}lib/apt/apt-helper rix, + @{lib}/apt/apt-helper rix, # For shell pwd / r, diff --git a/apparmor.d/groups/apt/apt-methods-mirror b/apparmor.d/groups/apt/apt-methods-mirror index 8b94a8e2..66d9af94 100644 --- a/apparmor.d/groups/apt/apt-methods-mirror +++ b/apparmor.d/groups/apt/apt-methods-mirror @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}lib/apt/methods/mirror{,+*} +@{exec_path} = @{lib}/apt/methods/mirror{,+*} profile apt-methods-mirror @{exec_path} { include include diff --git a/apparmor.d/groups/apt/apt-methods-rred b/apparmor.d/groups/apt/apt-methods-rred index d6e2850e..88871d63 100644 --- a/apparmor.d/groups/apt/apt-methods-rred +++ b/apparmor.d/groups/apt/apt-methods-rred @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}lib/apt/methods/rred +@{exec_path} = @{lib}/apt/methods/rred profile apt-methods-rred @{exec_path} { include include @@ -27,7 +27,7 @@ profile apt-methods-rred @{exec_path} { @{exec_path} mr, # apt-helper gets "no new privs" so "rix" it - /{usr/,}lib/apt/apt-helper rix, + @{lib}/apt/apt-helper rix, # For shell pwd / r, diff --git a/apparmor.d/groups/apt/apt-methods-rsh b/apparmor.d/groups/apt/apt-methods-rsh index 256742c4..bb405268 100644 --- a/apparmor.d/groups/apt/apt-methods-rsh +++ b/apparmor.d/groups/apt/apt-methods-rsh @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}lib/apt/methods/{r,s}sh +@{exec_path} = @{lib}/apt/methods/{r,s}sh profile apt-methods-rsh @{exec_path} { include include diff --git a/apparmor.d/groups/apt/apt-methods-store b/apparmor.d/groups/apt/apt-methods-store index d425e5cb..e7260fec 100644 --- a/apparmor.d/groups/apt/apt-methods-store +++ b/apparmor.d/groups/apt/apt-methods-store 
@@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}lib/apt/methods/store +@{exec_path} = @{lib}/apt/methods/store profile apt-methods-store @{exec_path} { include include @@ -27,7 +27,7 @@ profile apt-methods-store @{exec_path} { @{exec_path} mr, # apt-helper gets "no new privs" so "rix" it - /{usr/,}lib/apt/apt-helper rix, + @{lib}/apt/apt-helper rix, # For shell pwd / r, diff --git a/apparmor.d/groups/apt/apt-overlay b/apparmor.d/groups/apt/apt-overlay index da13d899..3f0c1c1a 100644 --- a/apparmor.d/groups/apt/apt-overlay +++ b/apparmor.d/groups/apt/apt-overlay @@ -6,20 +6,20 @@ abi , include -@{exec_path} = /{usr/,}bin/apt-overlay +@{exec_path} = @{bin}/apt-overlay profile apt-overlay @{exec_path} { include include @{exec_path} mr, - /{usr/,}bin/apt-get rPx, - /{usr/,}bin/ruby* mrix, + @{bin}/apt-get rPx, + @{bin}/ruby* mrix, - /{usr/,}sbin/apt-overlay r, + @{bin}/apt-overlay r, - /{usr/,}lib/ruby/{,**} r, - /{usr/,}lib/locale/locale-archive r, - /{usr/,}lib/ruby/gems/3.0.0/specifications/default/*.gemspec rwk, + @{lib}/ruby/{,**} r, + @{lib}/locale/locale-archive r, + @{lib}/ruby/gems/3.0.0/specifications/default/*.gemspec rwk, /usr/share/rubygems-integration/{,**} r, diff --git a/apparmor.d/groups/apt/apt-show-versions b/apparmor.d/groups/apt/apt-show-versions index 43ba3f3e..4bbd917d 100644 --- a/apparmor.d/groups/apt/apt-show-versions +++ b/apparmor.d/groups/apt/apt-show-versions @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/apt-show-versions +@{exec_path} = @{bin}/apt-show-versions profile apt-show-versions @{exec_path} { include include 
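Review bot: `@{lib}/ruby/gems/3.0.0/specifications/default/*.gemspec rwk` in apt-overlay keeps a Ruby version pinned in the path, while the apt-listbugs and apt-listbugs-migratepins hunks in this series use `@{lib}/ruby/gems/*/specifications/`, so this write rule silently stops matching on the next Ruby upgrade. Since the line is being rewritten anyway, `@{lib}/ruby/gems/*/specifications/default/*.gemspec rwk,` would match the sibling profiles. The write-and-lock access to gemspecs under `@{lib}` is carried over from the old rule rather than introduced here.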
@@ -14,14 +14,14 @@ profile apt-show-versions @{exec_path} { include @{exec_path} r, - /{usr/,}bin/perl r, - /{usr/,}bin/{,ba,da}sh rix, + @{bin}/perl r, + @{bin}/{,ba,da}sh rix, - /{usr/,}bin/dpkg rPx -> child-dpkg, - /{usr/,}bin/apt-get rPx, + @{bin}/dpkg rPx -> child-dpkg, + @{bin}/apt-get rPx, # apt-helper gets "no new privs" so "rix" it - /{usr/,}lib/apt/apt-helper rix, + @{lib}/apt/apt-helper rix, owner /var/cache/apt-show-versions/{a,i}packages-multiarch rw, owner /var/cache/apt-show-versions/files rw, diff --git a/apparmor.d/groups/apt/apt-sortpkgs b/apparmor.d/groups/apt/apt-sortpkgs index d6d6afcf..3414a84b 100644 --- a/apparmor.d/groups/apt/apt-sortpkgs +++ b/apparmor.d/groups/apt/apt-sortpkgs @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/apt-sortpkgs +@{exec_path} = @{bin}/apt-sortpkgs profile apt-sortpkgs @{exec_path} { include diff --git a/apparmor.d/groups/apt/apt-systemd-daily b/apparmor.d/groups/apt/apt-systemd-daily index 0d7c99b5..2269d047 100644 --- a/apparmor.d/groups/apt/apt-systemd-daily +++ b/apparmor.d/groups/apt/apt-systemd-daily 
@@ -7,43 +7,43 @@ abi , include -@{exec_path} = /{usr/,}lib/apt/apt.systemd.daily +@{exec_path} = @{lib}/apt/apt.systemd.daily profile apt-systemd-daily @{exec_path} { include capability dac_read_search, @{exec_path} mrix, - /{usr/,}bin/{,ba,da}sh rix, + @{bin}/{,ba,da}sh rix, - /{usr/,}bin/basename rix, - /{usr/,}bin/cmp rix, - /{usr/,}bin/cp rix, - /{usr/,}bin/date rix, - /{usr/,}bin/dirname rix, - /{usr/,}bin/du rix, - /{usr/,}bin/env rix, - /{usr/,}bin/find rix, - /{usr/,}bin/flock rix, - /{usr/,}bin/grep rix, - /{usr/,}bin/gzip rix, - /{usr/,}bin/ls rix, - /{usr/,}bin/mv rix, - /{usr/,}bin/rm rix, - /{usr/,}bin/savelog rix, - /{usr/,}bin/seq rix, - /{usr/,}bin/sort rix, - /{usr/,}bin/stat rix, - /{usr/,}bin/touch rix, - /{usr/,}bin/uniq rix, - /{usr/,}bin/wc rix, - /{usr/,}bin/which{,.debianutils} rix, - /{usr/,}bin/xargs rix, + @{bin}/basename rix, + @{bin}/cmp rix, + @{bin}/cp rix, + @{bin}/date rix, + @{bin}/dirname rix, + @{bin}/du rix, + @{bin}/env rix, + @{bin}/find rix, + @{bin}/flock rix, + @{bin}/grep rix, + @{bin}/gzip rix, + @{bin}/ls rix, + @{bin}/mv rix, + @{bin}/rm rix, + @{bin}/savelog rix, + @{bin}/seq rix, + @{bin}/sort rix, + @{bin}/stat rix, + @{bin}/touch rix, + @{bin}/uniq rix, + @{bin}/wc rix, + @{bin}/which{,.debianutils} rix, + @{bin}/xargs rix, - /{usr/,}bin/apt-config rPx, - /{usr/,}bin/apt-get rPx, - /{usr/,}bin/apt-overlay rPx, - /{usr/,}bin/unattended-upgrade rPx, + @{bin}/apt-config rPx, + @{bin}/apt-get rPx, + @{bin}/apt-overlay rPx, + @{bin}/unattended-upgrade rPx, /etc/default/locale r, diff --git a/apparmor.d/groups/apt/aptitude b/apparmor.d/groups/apt/aptitude index 0e37509e..13586224 100644 --- a/apparmor.d/groups/apt/aptitude +++ b/apparmor.d/groups/apt/aptitude @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/aptitude{,-curses} +@{exec_path} = @{bin}/aptitude{,-curses} profile aptitude @{exec_path} flags=(complain) { include include 
@@ -65,25 +65,25 @@ profile aptitude @{exec_path} flags=(complain) { @{exec_path} mr, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/test rix, - /{usr/,}bin/{,e}grep rix, + @{bin}/{,ba,da}sh rix, + @{bin}/test rix, + @{bin}/{,e}grep rix, - /{usr/,}bin/ps rPx, - /{usr/,}bin/dpkg rPx, - /{usr/,}bin/apt-listbugs rPx, - /{usr/,}bin/apt-listchanges rPx, - /{usr/,}bin/apt-show-versions rPx, - /{usr/,}sbin/dpkg-preconfigure rPx, - /{usr/,}bin/debtags rPx, - /{usr/,}sbin/localepurge rPx, - /{usr/,}bin/appstreamcli rPx, - /{usr/,}bin/adequate rPx, - /{usr/,}sbin/update-command-not-found rPx, + @{bin}/ps rPx, + @{bin}/dpkg rPx, + @{bin}/apt-listbugs rPx, + @{bin}/apt-listchanges rPx, + @{bin}/apt-show-versions rPx, + @{bin}/dpkg-preconfigure rPx, + @{bin}/debtags rPx, + @{bin}/localepurge rPx, + @{bin}/appstreamcli rPx, + @{bin}/adequate rPx, + @{bin}/update-command-not-found rPx, /usr/share/command-not-found/cnf-update-db rPx, # Methods to use to download packages from the net - /{usr/,}lib/apt/methods/* rPx, + @{lib}/apt/methods/* rPx, /var/lib/apt/lists/** rw, /var/lib/apt/lists/lock rwk, @@ -94,7 +94,7 @@ profile aptitude @{exec_path} flags=(complain) { /var/log/aptitude w, # For downloading the source of packages (showsrc/source options) - /{usr/,}bin/apt rPx, + @{bin}/apt rPx, # For changelogs owner /tmp/aptitude-*.@{pid}:*/cache{ContentCompressed,Extracted}* rw, @@ -104,7 +104,7 @@ profile aptitude @{exec_path} flags=(complain) { owner @{user_cache_dirs}/aptitude/ rw, owner @{user_cache_dirs}/aptitude/metadata-download{,-journal} rw, owner @{user_cache_dirs}/aptitude/metadata-download rwk, - /{usr/,}bin/sensible-pager rCx -> pager, + @{bin}/sensible-pager rCx -> pager, # For aptitude-run-state-bundle owner /tmp/aptitudebug.*/ r, 
@@ -137,7 +137,7 @@ profile aptitude @{exec_path} flags=(complain) { owner @{HOME}/.aptitude/config@{pid} rw, /tmp/apt-changelog-*/ rw, /var/lib/debtags/vocabulary r, - /{usr/,}bin/su rPx, + @{bin}/su rPx, @{run}/lock/aptitude rwk, /usr/share/aptitude/ r, @@ -170,12 +170,12 @@ profile aptitude @{exec_path} flags=(complain) { include include - /{usr/,}bin/ r, - /{usr/,}bin/sensible-pager mr, - /{usr/,}bin/{,ba,da}sh rix, + @{bin}/ r, + @{bin}/sensible-pager mr, + @{bin}/{,ba,da}sh rix, - /{usr/,}bin/which{,.debianutils} rix, - /{usr/,}bin/less rix, + @{bin}/which{,.debianutils} rix, + @{bin}/less rix, owner @{HOME}/.less* rw, diff --git a/apparmor.d/groups/apt/aptitude-changelog-parser b/apparmor.d/groups/apt/aptitude-changelog-parser index 8c4e558f..ca76e410 100644 --- a/apparmor.d/groups/apt/aptitude-changelog-parser +++ b/apparmor.d/groups/apt/aptitude-changelog-parser @@ -6,13 +6,13 @@ abi , include -@{exec_path} = /{usr/,}bin/aptitude-changelog-parser +@{exec_path} = @{bin}/aptitude-changelog-parser profile aptitude-changelog-parser @{exec_path} { include include @{exec_path} r, - /{usr/,}bin/perl r, + @{bin}/perl r, /etc/dpkg/origins/debian r, diff --git a/apparmor.d/groups/apt/aptitude-create-state-bundle b/apparmor.d/groups/apt/aptitude-create-state-bundle index 23fbdf43..d270de15 100644 --- a/apparmor.d/groups/apt/aptitude-create-state-bundle +++ b/apparmor.d/groups/apt/aptitude-create-state-bundle @@ -6,19 +6,19 @@ abi , include -@{exec_path} = /{usr/,}bin/aptitude-create-state-bundle +@{exec_path} = @{bin}/aptitude-create-state-bundle profile aptitude-create-state-bundle @{exec_path} { include include include @{exec_path} r, - /{usr/,}bin/{,ba,da}sh rix, + @{bin}/{,ba,da}sh rix, - /{usr/,}bin/which{,.debianutils} rix, - /{usr/,}bin/tar rix, - /{usr/,}bin/bzip2 rix, - /{usr/,}bin/gzip rix, + @{bin}/which{,.debianutils} rix, + @{bin}/tar rix, + @{bin}/bzip2 rix, + @{bin}/gzip rix, # Files included in the bundle owner @{HOME}/.aptitude/{,*} r, 
diff --git a/apparmor.d/groups/apt/aptitude-run-state-bundle b/apparmor.d/groups/apt/aptitude-run-state-bundle index c1efa6c9..6f572a01 100644 --- a/apparmor.d/groups/apt/aptitude-run-state-bundle +++ b/apparmor.d/groups/apt/aptitude-run-state-bundle @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/aptitude-run-state-bundle +@{exec_path} = @{bin}/aptitude-run-state-bundle profile aptitude-run-state-bundle @{exec_path} { include include @@ -14,14 +14,14 @@ profile aptitude-run-state-bundle @{exec_path} { include @{exec_path} r, - /{usr/,}bin/{,ba,da}sh rix, + @{bin}/{,ba,da}sh rix, - /{usr/,}bin/tar rix, - /{usr/,}bin/bzip2 rix, - /{usr/,}bin/mktemp rix, - /{usr/,}bin/rm rix, + @{bin}/tar rix, + @{bin}/bzip2 rix, + @{bin}/mktemp rix, + @{bin}/rm rix, - /{usr/,}bin/aptitude-curses rPx, + @{bin}/aptitude-curses rPx, owner /tmp/aptitudebug.*/{,**} rw, diff --git a/apparmor.d/groups/apt/command-not-found b/apparmor.d/groups/apt/command-not-found index 8994edbc..619a550e 100644 --- a/apparmor.d/groups/apt/command-not-found +++ b/apparmor.d/groups/apt/command-not-found @@ -8,8 +8,8 @@ abi , include @{exec_path} = /usr/share/command-not-found/command-not-found -@{exec_path} += /{usr/,}bin/command-not-found -@{exec_path} += /{usr/,}lib/command-not-found +@{exec_path} += @{bin}/command-not-found +@{exec_path} += @{lib}/command-not-found profile command-not-found @{exec_path} { include include @@ -18,10 +18,10 @@ profile command-not-found @{exec_path} { include @{exec_path} r, - /{usr/,}bin/python3.[0-9]* r, + @{bin}/python3.[0-9]* r, - /{usr/,}bin/lsb_release rPx -> lsb_release, - /{usr/,}bin/snap rPx, + @{bin}/lsb_release rPx -> lsb_release, + @{bin}/snap rPx, /var/lib/command-not-found/commands.db rwk, diff --git a/apparmor.d/groups/apt/debconf-apt-progress b/apparmor.d/groups/apt/debconf-apt-progress index 40355574..f7d451b2 100644 --- a/apparmor.d/groups/apt/debconf-apt-progress +++ b/apparmor.d/groups/apt/debconf-apt-progress 
@@ -6,15 +6,15 @@ abi , include -@{exec_path} = /{usr/,}bin/debconf-apt-progress +@{exec_path} = @{bin}/debconf-apt-progress profile debconf-apt-progress @{exec_path} flags=(complain) { include include @{exec_path} r, - /{usr/,}bin/perl r, + @{bin}/perl r, - /{usr/,}bin/apt-get rPx, + @{bin}/apt-get rPx, # Think what to do about this (#FIXME#) /usr/share/debconf/frontend rPx, @@ -28,16 +28,16 @@ profile debconf-apt-progress @{exec_path} flags=(complain) { include /usr/share/debconf/frontend r, - /{usr/,}bin/perl r, + @{bin}/perl r, - /{usr/,}bin/debconf-apt-progress rPx, + @{bin}/debconf-apt-progress rPx, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/stty rix, - /{usr/,}bin/locale rix, + @{bin}/{,ba,da}sh rix, + @{bin}/stty rix, + @{bin}/locale rix, # The following is needed when debconf uses dialog/whiptail frontend. - /{usr/,}bin/whiptail rPx, + @{bin}/whiptail rPx, /etc/debconf.conf r, owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk, diff --git a/apparmor.d/groups/apt/debconf-show b/apparmor.d/groups/apt/debconf-show index b3365eba..05a63c42 100644 --- a/apparmor.d/groups/apt/debconf-show +++ b/apparmor.d/groups/apt/debconf-show @@ -6,16 +6,16 @@ abi , include -@{exec_path} = /{usr/,}bin/debconf-show +@{exec_path} = @{bin}/debconf-show profile debconf-show @{exec_path} { include include include @{exec_path} r, - /{usr/,}bin/perl r, + @{bin}/perl r, - /{usr/,}bin/locale rix, + @{bin}/locale rix, /etc/debconf.conf r, diff --git a/apparmor.d/groups/apt/deborphan b/apparmor.d/groups/apt/deborphan index acf5bac7..bdd1f760 100644 --- a/apparmor.d/groups/apt/deborphan +++ b/apparmor.d/groups/apt/deborphan @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/deborphan +@{exec_path} = @{bin}/deborphan profile deborphan @{exec_path} { include diff --git a/apparmor.d/groups/apt/debsecan b/apparmor.d/groups/apt/debsecan index fa35482c..f09a49f8 100644 --- a/apparmor.d/groups/apt/debsecan +++ b/apparmor.d/groups/apt/debsecan 
@@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/debsecan +@{exec_path} = @{bin}/debsecan profile debsecan @{exec_path} { include include @@ -21,13 +21,13 @@ profile debsecan @{exec_path} { network inet6 stream, @{exec_path} r, - /{usr/,}bin/python3.[0-9]* r, + @{bin}/python3.[0-9]* r, - /{usr/,}bin/ r, - /{usr/,}bin/{,ba,da}sh rix, + @{bin}/ r, + @{bin}/{,ba,da}sh rix, # Send results using email - /{usr/,}{s,}bin/exim4 rPx, + @{bin}/exim4 rPx, /etc/apt/apt.conf.d/{,*} r, /etc/apt/apt.conf r, diff --git a/apparmor.d/groups/apt/debsign b/apparmor.d/groups/apt/debsign index 922406c2..adf296b4 100644 --- a/apparmor.d/groups/apt/debsign +++ b/apparmor.d/groups/apt/debsign @@ -7,33 +7,33 @@ abi , include -@{exec_path} = /{usr/,}bin/debsign +@{exec_path} = @{bin}/debsign profile debsign @{exec_path} { include @{exec_path} r, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/{,e}grep rix, - /{usr/,}bin/basename rix, - /{usr/,}bin/cat rix, - /{usr/,}bin/cmp rix, - /{usr/,}bin/cp rix, - /{usr/,}bin/cu rix, - /{usr/,}bin/cut rix, - /{usr/,}bin/dirname rix, - /{usr/,}bin/getopt rix, - /{usr/,}bin/head rix, - /{usr/,}bin/md5sum rix, - /{usr/,}bin/mktemp rix, - /{usr/,}bin/mv rix, - /{usr/,}bin/perl rix, - /{usr/,}bin/rm rix, - /{usr/,}bin/sed rix, - /{usr/,}bin/sha{1,256,512}sum rix, - /{usr/,}bin/stty rix, + @{bin}/{,ba,da}sh rix, + @{bin}/{,e}grep rix, + @{bin}/basename rix, + @{bin}/cat rix, + @{bin}/cmp rix, + @{bin}/cp rix, + @{bin}/cu rix, + @{bin}/cut rix, + @{bin}/dirname rix, + @{bin}/getopt rix, + @{bin}/head rix, + @{bin}/md5sum rix, + @{bin}/mktemp rix, + @{bin}/mv rix, + @{bin}/perl rix, + @{bin}/rm rix, + @{bin}/sed rix, + @{bin}/sha{1,256,512}sum rix, + @{bin}/stty rix, - /{usr/,}bin/gpg{,2} rCx -> gpg, + @{bin}/gpg{,2} rCx -> gpg, /etc/devscripts.conf r, 
@@ -47,7 +47,7 @@ profile debsign @{exec_path} { profile gpg { include - /{usr/,}bin/gpg{,2} mr, + @{bin}/gpg{,2} mr, owner @{HOME}/@{XDG_GPG_DIR}/ r, owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**, diff --git a/apparmor.d/groups/apt/debsums b/apparmor.d/groups/apt/debsums index 872738ff..9121ba7b 100644 --- a/apparmor.d/groups/apt/debsums +++ b/apparmor.d/groups/apt/debsums @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/debsums +@{exec_path} = @{bin}/debsums profile debsums @{exec_path} { include include @@ -16,8 +16,8 @@ profile debsums @{exec_path} { @{exec_path} r, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/{m,g,}awk rix, + @{bin}/{,ba,da}sh rix, + @{bin}/{m,g,}awk rix, /etc/dpkg/dpkg.cfg.d/{,*} r, /etc/dpkg/dpkg.cfg r, @@ -29,18 +29,17 @@ profile debsums @{exec_path} { # Do not strip env to avoid errors like the following: # ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open # shared object file): ignored. - /{usr/,}bin/dpkg-query rpx, + @{bin}/dpkg-query rpx, # - /{usr/,}bin/dpkg rPx -> child-dpkg, - /{usr/,}bin/dpkg-divert rPx -> child-dpkg-divert, + @{bin}/dpkg rPx -> child-dpkg, + @{bin}/dpkg-divert rPx -> child-dpkg-divert, # For shell pwd / r, /root/ r, # Scanning files - /{usr/,}bin/{,*} r, - /{usr/,}sbin/{,*} r, + @{bin}/{,*} r, /usr/{,**} r, /etc/{,**} r, /var/lib/{,**} r, diff --git a/apparmor.d/groups/apt/debtags b/apparmor.d/groups/apt/debtags index e6fbc963..e9d2a4a3 100644 --- a/apparmor.d/groups/apt/debtags +++ b/apparmor.d/groups/apt/debtags @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/debtags +@{exec_path} = @{bin}/debtags profile debtags @{exec_path} { include include @@ -16,10 +16,10 @@ profile debtags @{exec_path} { #capability sys_tty_config, @{exec_path} r, - /{usr/,}bin/python3.[0-9]* r, + @{bin}/python3.[0-9]* r, - /{usr/,}bin/ r, - /{usr/,}bin/dpkg rPx -> child-dpkg, + @{bin}/ r, + @{bin}/dpkg rPx -> child-dpkg, owner @{PROC}/@{pid}/fd/ r, 
diff --git a/apparmor.d/groups/apt/dpkg b/apparmor.d/groups/apt/dpkg index 282cbe04..3735ab72 100644 --- a/apparmor.d/groups/apt/dpkg +++ b/apparmor.d/groups/apt/dpkg @@ -7,7 +7,7 @@ abi , include -@{exec_path} = /{usr/,}bin/dpkg +@{exec_path} = @{bin}/dpkg profile dpkg @{exec_path} { include include @@ -28,20 +28,20 @@ profile dpkg @{exec_path} { @{exec_path} mr, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/cat rix, - /{usr/,}bin/rm rix, + @{bin}/{,ba,da}sh rix, + @{bin}/cat rix, + @{bin}/rm rix, - /{usr/,}bin/dpkg-deb rpx, - /{usr/,}bin/dpkg-query rpx, - /{usr/,}bin/dpkg-split rPx, - /{usr/,}lib/needrestart/dpkg-status rPx, + @{bin}/dpkg-deb rpx, + @{bin}/dpkg-query rpx, + @{bin}/dpkg-split rPx, + @{lib}/needrestart/dpkg-status rPx, /usr/share/debian-security-support/check-support-status.hook rPx, - /{usr/,}bin/pager rCx -> diff, - /{usr/,}bin/less rCx -> diff, - /{usr/,}bin/more rCx -> diff, - /{usr/,}bin/diff rCx -> diff, + @{bin}/pager rCx -> diff, + @{bin}/less rCx -> diff, + @{bin}/more rCx -> diff, + @{bin}/diff rCx -> diff, /etc/dpkg/dpkg.cfg.d/{,*} r, /etc/dpkg/dpkg.cfg r, @@ -122,11 +122,11 @@ profile dpkg @{exec_path} { include include - /{usr/,}bin/ r, - /{usr/,}bin/pager mr, - /{usr/,}bin/less mr, - /{usr/,}bin/more mr, - /{usr/,}bin/diff mr, + @{bin}/ r, + @{bin}/pager mr, + @{bin}/less mr, + @{bin}/more mr, + @{bin}/diff mr, /etc/** r, # Diff changed config files /root/ r, # For shell pwd @@ -138,8 +138,8 @@ profile dpkg @{exec_path} { profile scripts { include - /{usr/,}{s,}bin/ r, - /{usr/,}{s,}bin/* rPUx, + @{bin}/ r, + @{bin}/* rPUx, /var/lib/dpkg/info/*.config r, /var/lib/dpkg/info/*.{preinst,postinst} r, diff --git a/apparmor.d/groups/apt/dpkg-architecture b/apparmor.d/groups/apt/dpkg-architecture index 22c414b7..6cc76ee5 100644 --- a/apparmor.d/groups/apt/dpkg-architecture +++ b/apparmor.d/groups/apt/dpkg-architecture 
@@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/dpkg-architecture +@{exec_path} = @{bin}/dpkg-architecture profile dpkg-architecture @{exec_path} { include include @@ -17,11 +17,11 @@ profile dpkg-architecture @{exec_path} { @{exec_path} r, /usr/bin/perl r, - /{usr/,}bin/{,@{multiarch}-}gcc-[0-9]* rix, - /{usr/,}lib/llvm-[0-9]*/bin/clang rix, + @{bin}/{,@{multiarch}-}gcc-[0-9]* rix, + @{lib}/llvm-[0-9]*/bin/clang rix, - /{usr/,}bin/ccache rCx -> ccache, - /{usr/,}bin/dpkg rPx -> child-dpkg, + @{bin}/ccache rCx -> ccache, + @{bin}/dpkg rPx -> child-dpkg, /usr/share/dpkg/** r, @@ -34,11 +34,11 @@ profile dpkg-architecture @{exec_path} { profile ccache { include - /{usr/,}bin/ccache mr, + @{bin}/ccache mr, - /{usr/,}lib/llvm-[0-9]*/bin/clang rix, - /{usr/,}bin/{,@{multiarch}-}gcc-[0-9]* rix, - /{usr/,}bin/{,@{multiarch}-}g++-[0-9]* rix, + @{lib}/llvm-[0-9]*/bin/clang rix, + @{bin}/{,@{multiarch}-}gcc-[0-9]* rix, + @{bin}/{,@{multiarch}-}g++-[0-9]* rix, /media/ccache/*/** rw, diff --git a/apparmor.d/groups/apt/dpkg-buildflags b/apparmor.d/groups/apt/dpkg-buildflags index b6c0ba3a..a519e0a5 100644 --- a/apparmor.d/groups/apt/dpkg-buildflags +++ b/apparmor.d/groups/apt/dpkg-buildflags @@ -6,13 +6,13 @@ abi , include -@{exec_path} = /{usr/,}bin/dpkg-buildflags +@{exec_path} = @{bin}/dpkg-buildflags profile dpkg-buildflags @{exec_path} flags=(complain) { include include @{exec_path} r, - /{usr/,}bin/perl r, + @{bin}/perl r, /etc/dpkg/origins/debian r, diff --git a/apparmor.d/groups/apt/dpkg-checkbuilddeps b/apparmor.d/groups/apt/dpkg-checkbuilddeps index ce110c04..97ac47d7 100644 --- a/apparmor.d/groups/apt/dpkg-checkbuilddeps +++ b/apparmor.d/groups/apt/dpkg-checkbuilddeps @@ -6,13 +6,13 @@ abi , include -@{exec_path} = /{usr/,}bin/dpkg-checkbuilddeps +@{exec_path} = @{bin}/dpkg-checkbuilddeps profile dpkg-checkbuilddeps @{exec_path} flags=(complain) { include include @{exec_path} r, - /{usr/,}bin/perl r, + @{bin}/perl r, /etc/dpkg/origins/debian r, 
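Review bot: The context line `/usr/bin/perl r,` in the dpkg-architecture hunk is left as a hard-coded path while every other interpreter and tool rule in the same hunk is converted to `@{bin}/...`, and the sibling profiles dpkg-buildflags and dpkg-checkbuilddeps in this same patch use `@{bin}/perl r,`. Changing it to `@{bin}/perl r,` keeps the profile consistent with the rest of the refactor and means a later change to the `@{bin}` tunable applies to this rule too.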
diff --git a/apparmor.d/groups/apt/dpkg-deb b/apparmor.d/groups/apt/dpkg-deb index 4345c2d1..948e6dff 100644 --- a/apparmor.d/groups/apt/dpkg-deb +++ b/apparmor.d/groups/apt/dpkg-deb @@ -7,7 +7,7 @@ abi , include -@{exec_path} = /{usr/,}bin/dpkg-deb +@{exec_path} = @{bin}/dpkg-deb profile dpkg-deb @{exec_path} { include include @@ -18,8 +18,8 @@ profile dpkg-deb @{exec_path} { @{exec_path} mr, - /{usr/,}bin/tar rix, - /{usr/,}bin/rm rix, + @{bin}/tar rix, + @{bin}/rm rix, owner /var/lib/dpkg/tmp.ci/ w, owner /var/lib/dpkg/tmp.ci/* w, diff --git a/apparmor.d/groups/apt/dpkg-divert b/apparmor.d/groups/apt/dpkg-divert index 37bc7421..ee4ebd6c 100644 --- a/apparmor.d/groups/apt/dpkg-divert +++ b/apparmor.d/groups/apt/dpkg-divert @@ -7,7 +7,7 @@ abi , include -@{exec_path} = /{usr/,}bin/dpkg-divert +@{exec_path} = @{bin}/dpkg-divert profile dpkg-divert @{exec_path} { include include diff --git a/apparmor.d/groups/apt/dpkg-genbuildinfo b/apparmor.d/groups/apt/dpkg-genbuildinfo index 09027e8d..caae59bb 100644 --- a/apparmor.d/groups/apt/dpkg-genbuildinfo +++ b/apparmor.d/groups/apt/dpkg-genbuildinfo @@ -7,7 +7,7 @@ abi , include -@{exec_path} = /{usr/,}bin/dpkg-genbuildinfo +@{exec_path} = @{bin}/dpkg-genbuildinfo profile dpkg-genbuildinfo @{exec_path} flags=(complain) { include include @@ -17,7 +17,7 @@ profile dpkg-genbuildinfo @{exec_path} flags=(complain) { capability dac_override, @{exec_path} r, - /{usr/,}bin/perl r, + @{bin}/perl r, /usr/share/lto-disabled-list/lto-disabled-list r, /usr/share/dpkg/cputable r, diff --git a/apparmor.d/groups/apt/dpkg-genchanges b/apparmor.d/groups/apt/dpkg-genchanges index bd9495ff..a49e4b50 100644 --- a/apparmor.d/groups/apt/dpkg-genchanges +++ b/apparmor.d/groups/apt/dpkg-genchanges 
@@ -7,14 +7,14 @@ abi , include -@{exec_path} = /{usr/,}bin/dpkg-genchanges +@{exec_path} = @{bin}/dpkg-genchanges profile dpkg-genchanges @{exec_path} flags=(complain) { include include include @{exec_path} r, - /{usr/,}bin/perl r, + @{bin}/perl r, /etc/dpkg/origins/debian r, diff --git a/apparmor.d/groups/apt/dpkg-preconfigure b/apparmor.d/groups/apt/dpkg-preconfigure index 79c4f042..48f61d92 100644 --- a/apparmor.d/groups/apt/dpkg-preconfigure +++ b/apparmor.d/groups/apt/dpkg-preconfigure @@ -7,7 +7,7 @@ abi , include -@{exec_path} = /{usr/,}sbin/dpkg-preconfigure +@{exec_path} = @{bin}/dpkg-preconfigure profile dpkg-preconfigure @{exec_path} { include include @@ -17,15 +17,15 @@ profile dpkg-preconfigure @{exec_path} { #capability sys_tty_config, @{exec_path} r, - /{usr/,}bin/perl r, + @{bin}/perl r, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/locale rix, - /{usr/,}bin/stty rix, + @{bin}/{,ba,da}sh rix, + @{bin}/locale rix, + @{bin}/stty rix, - /{usr/,}bin/dpkg rPx -> child-dpkg, - /{usr/,}bin/apt-extracttemplates rPx, - /{usr/,}bin/whiptail rPx, + @{bin}/dpkg rPx -> child-dpkg, + @{bin}/apt-extracttemplates rPx, + @{bin}/whiptail rPx, /etc/shadow r, @@ -46,8 +46,8 @@ profile dpkg-preconfigure @{exec_path} { include include capability dac_read_search, - /{usr/,}bin/lsb_release rPx -> lsb_release, - /{usr/,}bin/hostname rix, + @{bin}/lsb_release rPx -> lsb_release, + @{bin}/hostname rix, @{HOME}/.Xauthority r, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/groups/apt/dpkg-query b/apparmor.d/groups/apt/dpkg-query index 8a52dd1e..d18cde27 100644 --- a/apparmor.d/groups/apt/dpkg-query +++ b/apparmor.d/groups/apt/dpkg-query 
@@ -6,18 +6,18 @@ abi , include -@{exec_path} = /{usr/,}bin/dpkg-query +@{exec_path} = @{bin}/dpkg-query profile dpkg-query @{exec_path} { include include @{exec_path} mr, - /{usr/,}bin/{,ba,da}sh rix, + @{bin}/{,ba,da}sh rix, - /{usr/,}bin/pager rPx -> child-pager, - /{usr/,}bin/less rPx -> child-pager, - /{usr/,}bin/more rPx -> child-pager, + @{bin}/pager rPx -> child-pager, + @{bin}/less rPx -> child-pager, + @{bin}/more rPx -> child-pager, /var/lib/dpkg/** r, diff --git a/apparmor.d/groups/apt/dpkg-split b/apparmor.d/groups/apt/dpkg-split index 9efa43c5..8b9bb822 100644 --- a/apparmor.d/groups/apt/dpkg-split +++ b/apparmor.d/groups/apt/dpkg-split @@ -7,7 +7,7 @@ abi , include -@{exec_path} = /{usr/,}bin/dpkg-split +@{exec_path} = @{bin}/dpkg-split profile dpkg-split @{exec_path} { include include @@ -19,7 +19,7 @@ profile dpkg-split @{exec_path} { # Do not strip env to avoid errors like the following: # ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open # shared object file): ignored. - /{usr/,}bin/dpkg-deb rpx, + @{bin}/dpkg-deb rpx, /var/lib/dpkg/parts/ r, /var/lib/dpkg/parts/* r, diff --git a/apparmor.d/groups/apt/dpkg-trigger b/apparmor.d/groups/apt/dpkg-trigger index da636f74..e1e8c752 100644 --- a/apparmor.d/groups/apt/dpkg-trigger +++ b/apparmor.d/groups/apt/dpkg-trigger @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/dpkg-trigger +@{exec_path} = @{bin}/dpkg-trigger profile dpkg-trigger @{exec_path} { include include diff --git a/apparmor.d/groups/apt/dpkg-vendor b/apparmor.d/groups/apt/dpkg-vendor index cff609ca..63083a8e 100644 --- a/apparmor.d/groups/apt/dpkg-vendor +++ b/apparmor.d/groups/apt/dpkg-vendor @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/dpkg-vendor +@{exec_path} = @{bin}/dpkg-vendor profile dpkg-vendor @{exec_path} { include include diff --git a/apparmor.d/groups/apt/querybts b/apparmor.d/groups/apt/querybts index f423a5c4..a8062c1c 100644 --- a/apparmor.d/groups/apt/querybts 
+++ b/apparmor.d/groups/apt/querybts @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/querybts +@{exec_path} = @{bin}/querybts profile querybts @{exec_path} { include include @@ -26,16 +26,16 @@ profile querybts @{exec_path} { network netlink raw, @{exec_path} r, - /{usr/,}bin/python3.[0-9]* r, + @{bin}/python3.[0-9]* r, - /{usr/,}bin/ r, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/stty rix, - /{usr/,}{s,}bin/ldconfig rix, + @{bin}/ r, + @{bin}/{,ba,da}sh rix, + @{bin}/stty rix, + @{bin}/ldconfig rix, - /{usr/,}bin/xdg-open rCx -> open, + @{bin}/xdg-open rCx -> open, - /{usr/,}bin/dpkg rPx -> child-dpkg, + @{bin}/dpkg rPx -> child-dpkg, /etc/reportbug.conf r, owner @{HOME}/.reportbugrc r, @@ -56,26 +56,26 @@ profile querybts @{exec_path} { /etc/machine-id r, # Allowed apps to open - /{usr/,}lib/firefox/firefox rPUx, + @{lib}/firefox/firefox rPUx, profile open { include include - /{usr/,}bin/xdg-open mr, + @{bin}/xdg-open mr, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/{m,g,}awk rix, - /{usr/,}bin/readlink rix, - /{usr/,}bin/basename rix, + @{bin}/{,ba,da}sh rix, + @{bin}/{m,g,}awk rix, + @{bin}/readlink rix, + @{bin}/basename rix, owner @{HOME}/ r, owner @{run}/user/@{uid}/ r, # Allowed apps to open - /{usr/,}lib/firefox/firefox rPUx, + @{lib}/firefox/firefox rPUx, # file_inherit owner @{HOME}/.xsession-errors w, diff --git a/apparmor.d/groups/apt/reportbug b/apparmor.d/groups/apt/reportbug index 32133ae6..a6cc7afd 100644 --- a/apparmor.d/groups/apt/reportbug +++ b/apparmor.d/groups/apt/reportbug @@ -7,7 +7,7 @@ abi , include -@{exec_path} = /{usr/,}bin/reportbug +@{exec_path} = @{bin}/reportbug profile reportbug @{exec_path} { include include 
@@ -30,39 +30,39 @@ profile reportbug @{exec_path} { @{exec_path} r, - /{usr/,}bin/ r, - /{usr/,}bin/python3.[0-9]* r, + @{bin}/ r, + @{bin}/python3.[0-9]* r, - /{usr/,}{s,}bin/ldconfig rix, - /{usr/,}{s,}bin/selinuxenabled rix, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/aa-enabled rix, - /{usr/,}bin/locale rix, - /{usr/,}bin/md5sum rix, - /{usr/,}bin/readlink rix, - /{usr/,}bin/stty rix, + @{bin}/ldconfig rix, + @{bin}/selinuxenabled rix, + @{bin}/{,ba,da}sh rix, + @{bin}/aa-enabled rix, + @{bin}/locale rix, + @{bin}/md5sum rix, + @{bin}/readlink rix, + @{bin}/stty rix, /usr/share/reportbug/handle_bugscript rix, - /{usr/,}{s,}bin/exim4 rPx, - /{usr/,}bin/apt-cache rPx, - /{usr/,}bin/debconf-show rPx, - /{usr/,}bin/debsums rPx, - /{usr/,}bin/dlocate rPx, - /{usr/,}bin/dpkg rPx -> child-dpkg, - /{usr/,}bin/dpkg-query rpx, - /{usr/,}bin/less rPx -> child-pager, - /{usr/,}bin/lsb_release rPx -> lsb_release, - /{usr/,}bin/more rPx -> child-pager, - /{usr/,}bin/pager rPx -> child-pager, - /{usr/,}bin/systemctl rPx -> child-systemctl, - /{usr/,}lib/firefox/firefox rPUx, # App allowed to open - /usr/share/bug/* rPUx, + @{bin}/exim4 rPx, + @{bin}/apt-cache rPx, + @{bin}/debconf-show rPx, + @{bin}/debsums rPx, + @{bin}/dlocate rPx, + @{bin}/dpkg rPx -> child-dpkg, + @{bin}/dpkg-query rpx, + @{bin}/less rPx -> child-pager, + @{bin}/lsb_release rPx -> lsb_release, + @{bin}/more rPx -> child-pager, + @{bin}/pager rPx -> child-pager, + @{bin}/systemctl rPx -> child-systemctl, + @{lib}/firefox/firefox rPUx, # App allowed to open + /usr/share/bug/* rPUx, - /{usr/,}bin/gpg{,2} rCx -> gpg, - /{usr/,}bin/run-parts rCx -> run-parts, - /{usr/,}bin/xdg-open rCx -> open, + @{bin}/gpg{,2} rCx -> gpg, + @{bin}/run-parts rCx -> run-parts, + @{bin}/xdg-open rCx -> open, - /{usr/,}lib/python3/dist-packages/pylocales/locales.db rk, + @{lib}/python3/dist-packages/pylocales/locales.db rk, /usr/share/bug/*/{control,presubj} r, /usr/share/X11/xkb/** r, 
@@ -92,14 +92,14 @@ profile reportbug @{exec_path} { profile run-parts { include - /{usr/,}bin/run-parts mr, + @{bin}/run-parts mr, } profile gpg { include - /{usr/,}bin/gpg{,2} mr, + @{bin}/gpg{,2} mr, owner @{HOME}/@{XDG_GPG_DIR}/ rw, owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**, @@ -113,19 +113,19 @@ profile reportbug @{exec_path} { include include - /{usr/,}bin/xdg-open mr, + @{bin}/xdg-open mr, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/{m,g,}awk rix, - /{usr/,}bin/readlink rix, - /{usr/,}bin/basename rix, + @{bin}/{,ba,da}sh rix, + @{bin}/{m,g,}awk rix, + @{bin}/readlink rix, + @{bin}/basename rix, owner @{HOME}/ r, owner @{run}/user/@{uid}/ r, # Allowed apps to open - /{usr/,}lib/firefox/firefox rPUx, + @{lib}/firefox/firefox rPUx, # file_inherit owner @{HOME}/.xsession-errors w, diff --git a/apparmor.d/groups/apt/synaptic b/apparmor.d/groups/apt/synaptic index b9acd1ea..e0439c64 100644 --- a/apparmor.d/groups/apt/synaptic +++ b/apparmor.d/groups/apt/synaptic @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}sbin/synaptic /{usr/,}bin/synaptic-pkexec +@{exec_path} = @{bin}/synaptic @{bin}/synaptic-pkexec profile synaptic @{exec_path} { include include @@ -63,13 +63,13 @@ profile synaptic @{exec_path} { @{exec_path} mr, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/test rix, - /{usr/,}bin/{,e}grep rix, + @{bin}/{,ba,da}sh rix, + @{bin}/test rix, + @{bin}/{,e}grep rix, # For update-apt-xapian-index - /{usr/,}bin/nice rix, - /{usr/,}bin/ionice rix, + @{bin}/nice rix, + @{bin}/ionice rix, # When synaptic is run as root, it wants to exec dbus-launch, and hence it creates the two # following root processes: 
@@ -77,31 +77,31 @@ profile synaptic @{exec_path} { # /usr/bin/dbus-daemon --syslog-only --fork --print-pid 5 --print-address 7 --session # # Should this be allowed? Synaptic works fine without this. - #/{usr/,}bin/dbus-launch rCx -> dbus, - #/{usr/,}bin/dbus-send rCx -> dbus, - deny /{usr/,}bin/dbus-launch rx, - deny /{usr/,}bin/dbus-send rx, + #@{bin}/dbus-launch rCx -> dbus, + #@{bin}/dbus-send rCx -> dbus, + deny @{bin}/dbus-launch rx, + deny @{bin}/dbus-send rx, - /{usr/,}bin/ps rPx, - /{usr/,}bin/dpkg rPx, - /{usr/,}bin/apt-listbugs rPx, - /{usr/,}bin/apt-listchanges rPx, - /{usr/,}bin/apt-show-versions rPx, - /{usr/,}sbin/dpkg-preconfigure rPx, - /{usr/,}bin/debtags rPx, - /{usr/,}sbin/localepurge rPx, - /{usr/,}bin/appstreamcli rPx, - /{usr/,}bin/adequate rPx, - /{usr/,}sbin/update-command-not-found rPx, + @{bin}/ps rPx, + @{bin}/dpkg rPx, + @{bin}/apt-listbugs rPx, + @{bin}/apt-listchanges rPx, + @{bin}/apt-show-versions rPx, + @{bin}/dpkg-preconfigure rPx, + @{bin}/debtags rPx, + @{bin}/localepurge rPx, + @{bin}/appstreamcli rPx, + @{bin}/adequate rPx, + @{bin}/update-command-not-found rPx, /usr/share/command-not-found/cnf-update-db rPx, - /{usr/,}sbin/update-apt-xapian-index rPx, - /{usr/,}bin/lsb_release rPx -> lsb_release, - /{usr/,}bin/deborphan rPx, - /{usr/,}bin/tasksel rPx, - /{usr/,}bin/pkexec rPx, + @{bin}/update-apt-xapian-index rPx, + @{bin}/lsb_release rPx -> lsb_release, + @{bin}/deborphan rPx, + @{bin}/tasksel rPx, + @{bin}/pkexec rPx, # Methods to use to download packages from the net - /{usr/,}lib/apt/methods/* rPx, + @{lib}/apt/methods/* rPx, /var/lib/apt/lists/** rw, /var/lib/apt/lists/lock rwk, @@ -163,9 +163,9 @@ profile synaptic @{exec_path} { include include - /{usr/,}bin/dbus-launch mr, - /{usr/,}bin/dbus-send mr, - /{usr/,}bin/dbus-daemon rPUx, + @{bin}/dbus-launch mr, + @{bin}/dbus-send mr, + @{bin}/dbus-daemon rPUx, # for dbus-launch owner @{HOME}/.dbus/session-bus/@{hex}-[0-9] w, 
diff --git a/apparmor.d/groups/apt/unattended-upgrade b/apparmor.d/groups/apt/unattended-upgrade index fad95e44..972a146c 100644 --- a/apparmor.d/groups/apt/unattended-upgrade +++ b/apparmor.d/groups/apt/unattended-upgrade @@ -7,7 +7,7 @@ abi , include -@{exec_path} = /{usr/,}bin/unattended-upgrade +@{exec_path} = @{bin}/unattended-upgrade profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { include include @@ -53,28 +53,28 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - /{usr/,}bin/ r, + @{bin}/ r, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/echo rix, - /{usr/,}bin/gdbus rix, - /{usr/,}bin/ischroot rix, - /{usr/,}bin/python3.[0-9]* rix, - /{usr/,}bin/test rix, - /{usr/,}bin/touch rix, - /{usr/,}bin/uname rix, + @{bin}/{,ba,da}sh rix, + @{bin}/echo rix, + @{bin}/gdbus rix, + @{bin}/ischroot rix, + @{bin}/python3.[0-9]* rix, + @{bin}/test rix, + @{bin}/touch rix, + @{bin}/uname rix, - /{usr/,}{s,}bin/dpkg-preconfigure rPx, - /{usr/,}{s,}bin/on_ac_power rPx, - /{usr/,}{s,}bin/sendmail rPUx, - /{usr/,}bin/apt-listchanges rPx, - /{usr/,}bin/dpkg rPx, - /{usr/,}bin/etckeeper rPx, - /{usr/,}bin/lsb_release rPx -> lsb_release, - /{usr/,}lib/apt/methods/http{,s} rPx, - /{usr/,}lib/needrestart/apt-pinvoke rPx, - /{usr/,}lib/update-notifier/update-motd-updates-available rPx, - @{libexec}/zsys-system-autosnapshot rPx, + @{bin}/dpkg-preconfigure rPx, + @{bin}/on_ac_power rPx, + @{bin}/sendmail rPUx, + @{bin}/apt-listchanges rPx, + @{bin}/dpkg rPx, + @{bin}/etckeeper rPx, + @{bin}/lsb_release rPx -> lsb_release, + @{lib}/apt/methods/http{,s} rPx, + @{lib}/needrestart/apt-pinvoke rPx, + @{lib}/update-notifier/update-motd-updates-available rPx, + @{lib}/zsys-system-autosnapshot rPx, /usr/share/distro-info/* r, diff --git a/apparmor.d/groups/apt/unattended-upgrade-shutdown b/apparmor.d/groups/apt/unattended-upgrade-shutdown index 0e9f43b9..07a45a83 100644 --- a/apparmor.d/groups/apt/unattended-upgrade-shutdown 
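Review bot: The unattended-upgrade hunk rewrites `@{libexec}/zsys-system-autosnapshot rPx,` to `@{lib}/zsys-system-autosnapshot rPx,`, which is not a plain `/{usr/,}lib` substitution like the rest of the patch: it replaces one tunable with another, and whether the rule still matches depends on whether `@{lib}` also expands to the libexec directory, which this patch does not show. If it does not, the rule silently stops matching and the `rPx` transition for that helper turns into an exec denial instead of a confined child. The firefox hunk makes the same swap for `@{libexec}/gvfsd-metadata rPx,`. Either keep the `@{libexec}` form for these two rules or state in the commit message that `@{lib}` now covers libexec, so the change is reviewable on its own.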
+++ b/apparmor.d/groups/apt/unattended-upgrade-shutdown @@ -32,7 +32,7 @@ profile unattended-upgrade-shutdown @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - /{usr/,}bin/ischroot rix, + @{bin}/ischroot rix, /usr/share/unattended-upgrades/{,*} r, /etc/apt/apt.conf.d/{,*} r, diff --git a/apparmor.d/groups/apt/update-apt-xapian-index b/apparmor.d/groups/apt/update-apt-xapian-index index 2947f78a..8e2e01fa 100644 --- a/apparmor.d/groups/apt/update-apt-xapian-index +++ b/apparmor.d/groups/apt/update-apt-xapian-index @@ -6,17 +6,17 @@ abi , include -@{exec_path} = /{usr/,}sbin/update-apt-xapian-index +@{exec_path} = @{bin}/update-apt-xapian-index profile update-apt-xapian-index @{exec_path} { include include include @{exec_path} r, - /{usr/,}bin/python3.[0-9]* r, + @{bin}/python3.[0-9]* r, - /{usr/,}sbin/ r, - /{usr/,}bin/dpkg rPx -> child-dpkg, + @{bin}/ r, + @{bin}/dpkg rPx -> child-dpkg, /usr/share/apt-xapian-index/{,**} r, diff --git a/apparmor.d/groups/avahi/avahi-autoipd b/apparmor.d/groups/avahi/avahi-autoipd index c44d9ada..f6ee2118 100644 --- a/apparmor.d/groups/avahi/avahi-autoipd +++ b/apparmor.d/groups/avahi/avahi-autoipd @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}{s,}bin/avahi-autoipd +@{exec_path} = @{bin}/avahi-autoipd profile avahi-autoipd @{exec_path} { include include diff --git a/apparmor.d/groups/avahi/avahi-browse b/apparmor.d/groups/avahi/avahi-browse index abdb5ba6..4738aa33 100644 --- a/apparmor.d/groups/avahi/avahi-browse +++ b/apparmor.d/groups/avahi/avahi-browse @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/avahi-browse /{usr/,}bin/avahi-browse-domains +@{exec_path} = @{bin}/avahi-browse @{bin}/avahi-browse-domains profile avahi-browse @{exec_path} { include include @@ -26,7 +26,7 @@ profile avahi-browse @{exec_path} { @{exec_path} mr, - /{usr/,}lib/@{multiarch}/avahi/service-types.db rwk, + @{lib}/@{multiarch}/avahi/service-types.db rwk, include if exists } 
diff --git a/apparmor.d/groups/avahi/avahi-publish b/apparmor.d/groups/avahi/avahi-publish index f66e28ec..9ac64398 100644 --- a/apparmor.d/groups/avahi/avahi-publish +++ b/apparmor.d/groups/avahi/avahi-publish @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/avahi-publish /{usr/,}bin/avahi-publish-address /{usr/,}bin/avahi-publish-service +@{exec_path} = @{bin}/avahi-publish @{bin}/avahi-publish-address @{bin}/avahi-publish-service profile avahi-publish @{exec_path} { include include diff --git a/apparmor.d/groups/avahi/avahi-resolve b/apparmor.d/groups/avahi/avahi-resolve index f9a55dcc..07a8b977 100644 --- a/apparmor.d/groups/avahi/avahi-resolve +++ b/apparmor.d/groups/avahi/avahi-resolve @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/avahi-resolve /{usr/,}bin/avahi-resolve-address /{usr/,}bin/avahi-resolve-host-name +@{exec_path} = @{bin}/avahi-resolve @{bin}/avahi-resolve-address @{bin}/avahi-resolve-host-name profile avahi-resolve @{exec_path} { include include diff --git a/apparmor.d/groups/avahi/avahi-set-host-name b/apparmor.d/groups/avahi/avahi-set-host-name index c9b47f76..9b00fa57 100644 --- a/apparmor.d/groups/avahi/avahi-set-host-name +++ b/apparmor.d/groups/avahi/avahi-set-host-name @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/avahi-set-host-name +@{exec_path} = @{bin}/avahi-set-host-name profile avahi-set-host-name @{exec_path} { include include diff --git a/apparmor.d/groups/browsers/brave b/apparmor.d/groups/browsers/brave index 7c2be653..2574c7d5 100644 --- a/apparmor.d/groups/browsers/brave +++ b/apparmor.d/groups/browsers/brave @@ -20,7 +20,7 @@ profile brave @{exec_path} { @{exec_path} mrix, - /{usr/,}bin/man rPUx, # For "brave --help" + @{bin}/man rPUx, # For "brave --help" @{chromium_lib_dirs}/swiftshader/libGLESv2.so mr, @{chromium_lib_dirs}/swiftshader/libEGL.so mr, diff --git a/apparmor.d/groups/browsers/brave-wrapper b/apparmor.d/groups/browsers/brave-wrapper index 22c51a50..a5adcfb8 100644 
--- a/apparmor.d/groups/browsers/brave-wrapper +++ b/apparmor.d/groups/browsers/brave-wrapper @@ -16,13 +16,13 @@ profile brave-wrapper @{exec_path} { @{exec_path} r, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/cat rix, - /{usr/,}bin/dirname rix, - /{usr/,}bin/mkdir rix, - /{usr/,}bin/readlink rix, - /{usr/,}bin/touch rix, - /{usr/,}bin/which{,.debianutils} rix, + @{bin}/{,ba,da}sh rix, + @{bin}/cat rix, + @{bin}/dirname rix, + @{bin}/mkdir rix, + @{bin}/readlink rix, + @{bin}/touch rix, + @{bin}/which{,.debianutils} rix, @{chromium_lib_dirs}/brave rPx, diff --git a/apparmor.d/groups/browsers/chrome b/apparmor.d/groups/browsers/chrome index b82e4ba2..e1b2a778 100644 --- a/apparmor.d/groups/browsers/chrome +++ b/apparmor.d/groups/browsers/chrome @@ -20,7 +20,7 @@ profile chrome @{exec_path} { @{exec_path} mrix, - /{usr/,}bin/man rPUx, # For "chrome --help" + @{bin}/man rPUx, # For "chrome --help" @{chromium_lib_dirs}/google-@{chromium_name} rPx, diff --git a/apparmor.d/groups/browsers/chrome-wrapper b/apparmor.d/groups/browsers/chrome-wrapper index e64bdbc1..b21cd1c5 100644 --- a/apparmor.d/groups/browsers/chrome-wrapper +++ b/apparmor.d/groups/browsers/chrome-wrapper @@ -16,13 +16,13 @@ profile chrome-wrapper @{exec_path} { @{exec_path} r, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/cat rix, - /{usr/,}bin/dirname rix, - /{usr/,}bin/mkdir rix, - /{usr/,}bin/readlink rix, - /{usr/,}bin/touch rix, - /{usr/,}bin/which{,.debianutils} rix, + @{bin}/{,ba,da}sh rix, + @{bin}/cat rix, + @{bin}/dirname rix, + @{bin}/mkdir rix, + @{bin}/readlink rix, + @{bin}/touch rix, + @{bin}/which{,.debianutils} rix, @{chromium_lib_dirs}/chrome rPx, diff --git a/apparmor.d/groups/browsers/chromium b/apparmor.d/groups/browsers/chromium index dd62e861..6c567552 100644 --- a/apparmor.d/groups/browsers/chromium +++ b/apparmor.d/groups/browsers/chromium 
@@ -9,7 +9,7 @@ include @{chromium_name} = chromium @{chromium_domain} = org.chromium.Chromium -@{chromium_lib_dirs} = /{usr/,}lib/@{chromium_name} +@{chromium_lib_dirs} = @{lib}/@{chromium_name} @{chromium_config_dirs} = @{user_config_dirs}/@{chromium_name} @{chromium_cache_dirs} = @{user_cache_dirs}/@{chromium_name} diff --git a/apparmor.d/groups/browsers/chromium-crashpad-handler b/apparmor.d/groups/browsers/chromium-crashpad-handler index 6808587e..90ad1aa3 100644 --- a/apparmor.d/groups/browsers/chromium-crashpad-handler +++ b/apparmor.d/groups/browsers/chromium-crashpad-handler @@ -9,7 +9,7 @@ include @{chromium_config_dirs} = @{user_config_dirs}/chromium -@{exec_path} = /{usr/,}lib/chromium/chrome_crashpad_handler +@{exec_path} = @{lib}/chromium/chrome_crashpad_handler profile chromium-crashpad-handler @{exec_path} { include diff --git a/apparmor.d/groups/browsers/chromium-sandbox b/apparmor.d/groups/browsers/chromium-sandbox index e2828acc..04260b53 100644 --- a/apparmor.d/groups/browsers/chromium-sandbox +++ b/apparmor.d/groups/browsers/chromium-sandbox @@ -7,7 +7,7 @@ abi , include -@{exec_path} = /{usr/,}lib/chromium/chrome-sandbox +@{exec_path} = @{lib}/chromium/chrome-sandbox profile chromium-sandbox @{exec_path} { include @@ -20,7 +20,7 @@ profile chromium-sandbox @{exec_path} { @{exec_path} mr, - /{usr/,}lib/chromium/chromium rPx, + @{lib}/chromium/chromium rPx, @{PROC}/@{pids}/ r, owner @{PROC}/@{pid}/oom_{,score_}adj rw, diff --git a/apparmor.d/groups/browsers/chromium-wrapper b/apparmor.d/groups/browsers/chromium-wrapper index cc71f68f..77fcd3cd 100644 --- a/apparmor.d/groups/browsers/chromium-wrapper +++ b/apparmor.d/groups/browsers/chromium-wrapper 
@@ -7,29 +7,29 @@ abi , include -@{exec_path} = /{usr/,}bin/chromium +@{exec_path} = @{bin}/chromium profile chromium-wrapper @{exec_path} { include include @{exec_path} r, - /{usr/,}lib/chromium/chromium rPx, + @{lib}/chromium/chromium rPx, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/{,e}grep rix, - /{usr/,}bin/cat rix, - /{usr/,}bin/cut rix, - /{usr/,}bin/expr rix, - /{usr/,}bin/ls rix, - /{usr/,}bin/mktemp rix, - /{usr/,}bin/rm rix, - /{usr/,}bin/sed rix, - /{usr/,}bin/tr rix, - /{usr/,}bin/uname rix, + @{bin}/{,ba,da}sh rix, + @{bin}/{,e}grep rix, + @{bin}/cat rix, + @{bin}/cut rix, + @{bin}/expr rix, + @{bin}/ls rix, + @{bin}/mktemp rix, + @{bin}/rm rix, + @{bin}/sed rix, + @{bin}/tr rix, + @{bin}/uname rix, - /{usr/,}bin/man rPUx, # For "chromium --help" - # /{usr/,}bin/gdb rPUx, + @{bin}/man rPUx, # For "chromium --help" + # @{bin}/gdb rPUx, /usr/share/chromium/extensions/ r, diff --git a/apparmor.d/groups/browsers/firefox b/apparmor.d/groups/browsers/firefox index 76c19ade..2435cb09 100644 --- a/apparmor.d/groups/browsers/firefox +++ b/apparmor.d/groups/browsers/firefox @@ -8,11 +8,11 @@ abi , include @{firefox_name} = firefox{,.sh,-esr,-bin} -@{firefox_lib_dirs} = /{usr/,}lib{,32,64}/@{firefox_name} /opt/@{firefox_name} +@{firefox_lib_dirs} = @{lib}/@{firefox_name} /opt/@{firefox_name} @{firefox_config_dirs} = @{HOME}/.mozilla/ @{firefox_cache_dirs} = @{user_cache_dirs}/mozilla/ -@{exec_path} = /{usr/,}bin/@{firefox_name} @{firefox_lib_dirs}/@{firefox_name} +@{exec_path} = @{bin}/@{firefox_name} @{firefox_lib_dirs}/@{firefox_name} profile firefox @{exec_path} flags=(attach_disconnected) { include include @@ -128,8 +128,8 @@ profile firefox @{exec_path} flags=(attach_disconnected) { @{exec_path} mrix, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/basename rix, + @{bin}/{,ba,da}sh rix, + @{bin}/basename rix, @{firefox_lib_dirs}/{,**} r, @{firefox_lib_dirs}/*.so mr, 
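Review bot: The firefox hunk narrows `@{firefox_lib_dirs}` from `/{usr/,}lib{,32,64}/@{firefox_name}` to `@{lib}/@{firefox_name}`, dropping the `lib32`/`lib64` alternatives unless the `@{lib}` tunable itself carries them, which the patch does not show. On a system that installs Firefox under `/usr/lib64` (typical of multilib and RPM-based layouts), `@{exec_path}` and every `@{firefox_lib_dirs}/...` rule would then stop matching and the profile would no longer attach to the browser at all. The same narrowing is repeated in firefox-crashreporter, firefox-minidump-analyzer, firefox-pingsender and firefox-plugin-container. If `@{lib}` does not include `lib64`, a form such as `@{lib}{,32,64}/@{firefox_name}` (constructed example) keeps the previous coverage.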
@@ -139,28 +139,28 @@ profile firefox @{exec_path} flags=(attach_disconnected) { @{firefox_lib_dirs}/pingsender rPx, @{firefox_lib_dirs}/plugin-container rPx, @{firefox_lib_dirs}/vaapitest rPUx, - /{usr/,}lib/mozilla/kmozillahelper rPUx, + @{lib}/mozilla/kmozillahelper rPUx, - /{usr/,}lib/@{multiarch}/qt5/plugins/kf5/org.kde.kwindowsystem.platforms/KF5WindowSystemX11Plugin.so mr, - /{usr/,}lib/mozilla/plugins/ r, - /{usr/,}lib/mozilla/plugins/libvlcplugin.so mr, + @{lib}/@{multiarch}/qt5/plugins/kf5/org.kde.kwindowsystem.platforms/KF5WindowSystemX11Plugin.so mr, + @{lib}/mozilla/plugins/ r, + @{lib}/mozilla/plugins/libvlcplugin.so mr, # Desktop integration - @{libexec}/gvfsd-metadata rPx, - /{usr/,}bin/exo-open rPx -> child-open, - /{usr/,}bin/gnome-software rPx, - /{usr/,}bin/kreadconfig5 rix, - /{usr/,}bin/lsb_release rPx -> lsb_release, - /{usr/,}bin/update-mime-database rPx, - /{usr/,}bin/xdg-open rPx -> child-open, - /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx -> child-open, - /{usr/,}lib/gio-launch-desktop rPx -> child-open, + @{bin}/exo-open rPx -> child-open, + @{bin}/gnome-software rPx, + @{bin}/kreadconfig5 rix, + @{bin}/lsb_release rPx -> lsb_release, + @{bin}/update-mime-database rPx, + @{bin}/xdg-open rPx -> child-open, + @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx -> child-open, + @{lib}/gio-launch-desktop rPx -> child-open, + @{lib}/gvfsd-metadata rPx, # Common extensions /opt/net.downloadhelper.coapp/bin/net.downloadhelper.coapp* rPx, - /{usr/,}bin/browserpass rPx, + @{bin}/browserpass rPx, # As a temporary solution - see issue #128 - /{usr/,}bin/keepassxc-proxy rix, + @{bin}/keepassxc-proxy rix, /usr/share/doc/{,**} r, /usr/share/egl/{,**} r, diff --git a/apparmor.d/groups/browsers/firefox-crashreporter b/apparmor.d/groups/browsers/firefox-crashreporter index 88a59fb0..076c235c 100644 --- a/apparmor.d/groups/browsers/firefox-crashreporter +++ b/apparmor.d/groups/browsers/firefox-crashreporter 
@@ -8,7 +8,7 @@ abi , include @{firefox_name} = firefox{,.sh,-esr,-bin} -@{firefox_lib_dirs} = /{usr/,}lib{,32,64}/@{firefox_name} /opt/@{firefox_name} +@{firefox_lib_dirs} = @{lib}/@{firefox_name} /opt/@{firefox_name} @{firefox_config_dirs} = @{HOME}/.mozilla/ @{firefox_cache_dirs} = @{user_cache_dirs}/mozilla/ @@ -35,7 +35,7 @@ profile firefox-crashreporter @{exec_path} flags=(attach_disconnected) { @{firefox_lib_dirs}/minidump-analyzer rPx, - /{usr/,}bin/mv rix, + @{bin}/mv rix, /usr/share/X11/xkb/** r, diff --git a/apparmor.d/groups/browsers/firefox-kmozillahelper b/apparmor.d/groups/browsers/firefox-kmozillahelper index 25684512..78385797 100644 --- a/apparmor.d/groups/browsers/firefox-kmozillahelper +++ b/apparmor.d/groups/browsers/firefox-kmozillahelper @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}lib/mozilla/kmozillahelper +@{exec_path} = @{lib}/mozilla/kmozillahelper profile firefox-kmozillahelper @{exec_path} { include include diff --git a/apparmor.d/groups/browsers/firefox-minidump-analyzer b/apparmor.d/groups/browsers/firefox-minidump-analyzer index 89edc408..7b81a0f4 100644 --- a/apparmor.d/groups/browsers/firefox-minidump-analyzer +++ b/apparmor.d/groups/browsers/firefox-minidump-analyzer @@ -10,7 +10,7 @@ include @{MOZ_HOMEDIR} = @{HOME}/.mozilla @{firefox_name} = firefox{,.sh,-esr,-bin} -@{firefox_lib_dirs} = /{usr/,}lib{,32,64}/@{firefox_name} /opt/@{firefox_name} +@{firefox_lib_dirs} = @{lib}/@{firefox_name} /opt/@{firefox_name} @{firefox_config_dirs} = @{HOME}/.mozilla/ @{firefox_cache_dirs} = @{user_cache_dirs}/mozilla/ diff --git a/apparmor.d/groups/browsers/firefox-pingsender b/apparmor.d/groups/browsers/firefox-pingsender index 284e4dda..9f0ba599 100644 --- a/apparmor.d/groups/browsers/firefox-pingsender +++ b/apparmor.d/groups/browsers/firefox-pingsender 
@@ -8,7 +8,7 @@ abi , include @{firefox_name} = firefox{,-esr} -@{firefox_lib_dirs} = /{usr/,}lib{,32,64}/@{firefox_name}/ /opt/@{firefox_name}/ +@{firefox_lib_dirs} = @{lib}/@{firefox_name}/ /opt/@{firefox_name}/ @{firefox_config_dirs} = @{HOME}/.mozilla/ @{exec_path} = @{firefox_lib_dirs}/pingsender diff --git a/apparmor.d/groups/browsers/firefox-plugin-container b/apparmor.d/groups/browsers/firefox-plugin-container index 806e3b95..dd4590b9 100644 --- a/apparmor.d/groups/browsers/firefox-plugin-container +++ b/apparmor.d/groups/browsers/firefox-plugin-container @@ -8,7 +8,7 @@ abi , include @{firefox_name} = firefox{,.sh,-esr,-bin} -@{firefox_lib_dirs} = /{usr/,}lib{,32,64}/@{firefox_name} /opt/@{firefox_name} +@{firefox_lib_dirs} = @{lib}/@{firefox_name} /opt/@{firefox_name} @{exec_path} = @{firefox_lib_dirs}/plugin-container profile firefox-plugin-container @{exec_path} { diff --git a/apparmor.d/groups/browsers/opera b/apparmor.d/groups/browsers/opera index 29da08d9..f597aa02 100644 --- a/apparmor.d/groups/browsers/opera +++ b/apparmor.d/groups/browsers/opera @@ -9,7 +9,7 @@ include @{chromium_name} = opera{,-beta,-developer} @{chromium_domain} = com.opera.Opera -@{chromium_lib_dirs} = /{usr/,}lib/@{multiarch}/@{chromium_name} +@{chromium_lib_dirs} = @{lib}/@{multiarch}/@{chromium_name} @{chromium_config_dirs} = @{user_config_dirs}/@{chromium_name} @{chromium_cache_dirs} = @{user_cache_dirs}/@{chromium_name} diff --git a/apparmor.d/groups/browsers/opera-crashreporter b/apparmor.d/groups/browsers/opera-crashreporter index adfee634..9751deba 100644 --- a/apparmor.d/groups/browsers/opera-crashreporter +++ b/apparmor.d/groups/browsers/opera-crashreporter 
@@ -8,7 +8,7 @@ abi , include @{chromium_name} = opera{,-beta,-developer} -@{chromium_lib_dirs} = /{usr/,}lib/@{multiarch}/@{chromium_name} +@{chromium_lib_dirs} = @{lib}/@{multiarch}/@{chromium_name} @{chromium_config_dirs} = @{user_config_dirs}/@{chromium_name} @{exec_path} = @{chromium_lib_dirs}/opera_crashreporter diff --git a/apparmor.d/groups/browsers/opera-sandbox b/apparmor.d/groups/browsers/opera-sandbox index 02ab6e01..7535b3f8 100644 --- a/apparmor.d/groups/browsers/opera-sandbox +++ b/apparmor.d/groups/browsers/opera-sandbox @@ -7,7 +7,7 @@ abi , include @{chromium_name} = opera{,-beta,-developer} -@{chromium_lib_dirs} = /{usr/,}lib/@{multiarch}/@{chromium_name} +@{chromium_lib_dirs} = @{lib}/@{multiarch}/@{chromium_name} @{exec_path} = @{chromium_lib_dirs}/opera_sandbox profile opera-sandbox @{exec_path} {