diff --git a/apparmor.d/abstractions/user-download-strict b/apparmor.d/abstractions/user-download-strict
index 935bbbb0..0f4d183e 100644
--- a/apparmor.d/abstractions/user-download-strict
+++ b/apparmor.d/abstractions/user-download-strict
@@ -4,14 +4,11 @@
 abi ,
- owner @{HOME}/@{XDG_DOWNLOAD_DIR}/ r,
- owner @{HOME}/@{XDG_DOWNLOAD_DIR}/** rwkl,
-
- owner @{MOUNTS}/@{XDG_DOWNLOAD_DIR}/ r,
- owner @{MOUNTS}/@{XDG_DOWNLOAD_DIR}/** rwkl,
- owner @{HOME}/@{XDG_DESKTOP_DIR}/ r,
- owner @{HOME}/@{XDG_DESKTOP_DIR}/** rwkl,
+ owner @{HOME}/@{XDG_DESKTOP_DIR}/** rwkl -> @{HOME}/@{XDG_DESKTOP_DIR}/**,
+
+ owner @{user_download_dirs}/ r,
+ owner @{user_download_dirs}/** rwkl -> @{user_download_dirs}/**,
 # For SSHFS mounts (without owner as files in such mounts can be owned by different users)
 @{HOME}/mount-sshfs/ r,
diff --git a/apparmor.d/abstractions/user-read b/apparmor.d/abstractions/user-read
index cc648448..911cc288 100644
--- a/apparmor.d/abstractions/user-read
+++ b/apparmor.d/abstractions/user-read
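Review bot: The Desktop rules in this hunk keep the hand-written `@{HOME}/@{XDG_DESKTOP_DIR}` form while the Downloads rules move to `@{user_download_dirs}`, so after this change a Downloads folder on `@{MOUNTS}` is covered but a Desktop folder next to it is not. If that asymmetry is intended, a comment such as `# Desktop is only expected under @{HOME}` above the Desktop rules would document it; otherwise a `@{user_desktop_dirs}` tunable mirroring `@{user_download_dirs}` would keep the abstraction uniform. The new `-> @{HOME}/@{XDG_DESKTOP_DIR}/**` and `-> @{user_download_dirs}/**` targets replace untargeted `l` permissions, which pins where files may be hard-linked instead of relying on AppArmor's default link-subset check; that is a tightening every profile including this abstraction inherits and is worth a sentence in the commit message.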
@@ -2,20 +2,23 @@
 # Copyright (C) 2021 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
- owner @{HOME}/@{XDG_DOCUMENTS_DIR}/{,**} r,
- owner @{HOME}/@{XDG_MUSIC_DIR}/{,**} r,
- owner @{HOME}/@{XDG_PICTURES_DIR}/{,**} r,
- owner @{HOME}/@{XDG_VIDEOS_DIR}/{,**} r,
- owner @{HOME}/@{XDG_PROJECTS_DIR}/{,**} r,
- owner @{HOME}/@{XDG_BOOKS_DIR}/{,**} r,
- owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r,
+# Give read access on all defined user directories. It should only be used if
+# access to ALL folders is required.
- owner @{MOUNTS}/**/@{XDG_DOCUMENTS_DIR}/{,**} r,
- owner @{MOUNTS}/**/@{XDG_MUSIC_DIR}/{,**} r,
- owner @{MOUNTS}/**/@{XDG_PICTURES_DIR}/{,**} r,
- owner @{MOUNTS}/**/@{XDG_VIDEOS_DIR}/{,**} r,
- owner @{MOUNTS}/**/@{XDG_PROJECTS_DIR}/{,**} r,
- owner @{MOUNTS}/**/@{XDG_BOOKS_DIR}/{,**} r,
- owner @{MOUNTS}/**/@{XDG_WALLPAPERS_DIR}/{,**} r,
+ owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r,
+ owner @{HOME}/@{XDG_SCREENSHOTS_DIR}/{,**} r,
+ owner @{MOUNTS}/@{XDG_SCREENSHOTS_DIR}/{,**} r,
+ owner @{MOUNTS}/@{XDG_WALLPAPERS_DIR}/{,**} r,
+
+ owner @{user_books_dirs}/{,**} r,
+ owner @{user_documents_dirs}/{,**} r,
+ owner @{user_music_dirs}/{,**} r,
+ owner @{user_pictures_dirs}/{,**} r,
+ owner @{user_projects_dirs}/{,**} r,
+ owner @{user_publicshare_dirs}/{,**} r,
+ owner @{user_sync_dirs}/{,**} r,
+ owner @{user_templates_dirs}/{,**} r,
+ owner @{user_torrents_dirs}/{,**} r,
+ owner @{user_videos_dirs}/{,**} r,
 include if exists
\ No newline at end of file
diff --git a/apparmor.d/abstractions/user-write.d/complete b/apparmor.d/abstractions/user-write.d/complete
index 6775f9dc..21c2fdc8 100644
--- a/apparmor.d/abstractions/user-write.d/complete
+++ b/apparmor.d/abstractions/user-write.d/complete
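Review bot: The new header comment says the abstraction gives read access on "all defined user directories", but the list below it omits `@{XDG_DOWNLOAD_DIR}`, `@{XDG_DESKTOP_DIR}` and `@{XDG_VM_DIR}`, so a profile author reading only the comment will over-estimate what is granted. Suggest `# Give read access on all user content directories (Downloads, Desktop and VM images excluded). It should only be used if access to ALL of them is required.`. Two behaviour changes also hide in the mechanical rewrite: the removed `@{MOUNTS}/**/@{XDG_*_DIR}` rules matched at any depth under a mount whereas `@{user_*_dirs}` expands to `@{MOUNTS}/@{XDG_*_DIR}` only, and the list now additionally reads publicshare, sync, templates and torrents; both apply to every profile including `user-read` and should be named in the commit message.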
@@ -2,17 +2,12 @@
 # Copyright (C) 2021 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
- owner @{HOME}/@{XDG_MUSIC_DIR}/{,**} rwl,
- owner @{HOME}/@{XDG_PICTURES_DIR}/{,**} rwl,
- owner @{HOME}/@{XDG_VIDEOS_DIR}/{,**} rwl,
- owner @{HOME}/@{XDG_PROJECTS_DIR}/{,**} rwl,
- owner @{HOME}/@{XDG_BOOKS_DIR}/{,**} rwl,
 owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} rwl,
-
- owner @{MOUNTS}/@{XDG_DOCUMENTS_DIR}/{,**} rwl,
- owner @{MOUNTS}/@{XDG_MUSIC_DIR}/{,**} rwl,
- owner @{MOUNTS}/@{XDG_PICTURES_DIR}/{,**} rwl,
- owner @{MOUNTS}/@{XDG_VIDEOS_DIR}/{,**} rwl,
- owner @{MOUNTS}/@{XDG_PROJECTS_DIR}/{,**} rwl,
- owner @{MOUNTS}/@{XDG_BOOKS_DIR}/{,**} rwl,
 owner @{MOUNTS}/@{XDG_WALLPAPERS_DIR}/{,**} rwl,
+
+ owner @{user_books_dirs}/{,**} rwl,
+ owner @{user_documents_dirs}/{,**} rwl,
+ owner @{user_music_dirs}/{,**} rwl,
+ owner @{user_pictures_dirs}/{,**} rwl,
+ owner @{user_projects_dirs}/{,**} rwl,
+ owner @{user_videos_dirs}/{,**} rwl,
diff --git a/apparmor.d/groups/apps/atom b/apparmor.d/groups/apps/atom
index a8933715..cea565a1 100644
--- a/apparmor.d/groups/apps/atom
+++ b/apparmor.d/groups/apps/atom
@@ -88,8 +88,8 @@ profile atom @{exec_path} {
 / r,
 @{MOUNTS}/ r,
 owner @{MOUNTS}/ r,
- owner @{MOUNTS}/@{XDG_PROJECTS_DIR}/ r,
- owner @{MOUNTS}/@{XDG_PROJECTS_DIR}/** rwkl -> @{MOUNTS}/@{XDG_PROJECTS_DIR}/**,
+ owner @{user_projects_dirs}/ r,
+ owner @{user_projects_dirs}/** rwkl -> @{user_projects_dirs}/**,
 owner @{user_config_dirs}/git/config r,
diff --git a/apparmor.d/groups/apps/calibre b/apparmor.d/groups/apps/calibre
index f4082f1e..08767209 100644
--- a/apparmor.d/groups/apps/calibre
+++ b/apparmor.d/groups/apps/calibre
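Review bot: `owner @{user_documents_dirs}/{,**} rwl,` also grants write on `@{HOME}/@{XDG_DOCUMENTS_DIR}`, which the removed `@{HOME}` list in this hunk never contained (only the `@{MOUNTS}` list had Documents). If the base `user-write` abstraction already grants that path the line is merely redundant, but if it does not, every profile including `user-write.d/complete` silently gains write access to the user's Documents folder; the commit should say which it is. A one-line comment above the list, e.g. `# Write access on the remaining @{user_*_dirs}; Documents on @{HOME} is covered here as well`, would make the intent explicit for the next reader. The abstraction's other lines are outside this hunk.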
@@ -75,12 +75,8 @@ profile calibre @{exec_path} {
 /usr/share/calibre/{,**} r,
- owner @{HOME}/@{XDG_BOOKS_DIR} rw,
- owner @{HOME}/@{XDG_BOOKS_DIR}/** rwkl,
-
- owner @{MOUNTS}/@{XDG_BOOKS_DIR}/ r,
- owner @{MOUNTS}/@{XDG_BOOKS_DIR}*/ rw,
- owner @{MOUNTS}/@{XDG_BOOKS_DIR}*/** rwkl -> @{MOUNTS}/@{XDG_BOOKS_DIR}*/**,
+ owner @{user_books_dirs} rw,
+ owner @{user_books_dirs}/** rwkl -> @{user_books_dirs}/**,
 owner @{user_config_dirs}/calibre/ rw,
 owner @{user_config_dirs}/calibre/** rwk,
diff --git a/apparmor.d/groups/apps/code b/apparmor.d/groups/apps/code
index f941d070..af1b4d05 100644
--- a/apparmor.d/groups/apps/code
+++ b/apparmor.d/groups/apps/code
@@ -64,10 +64,8 @@ profile code @{exec_path} {
 owner @{HOME}/.vscode/** rwlk -> @{HOME}/.vscode/**,
 # Git dirs
- / r,
- @{MOUNTS}/ r,
- owner @{MOUNTS}/@{XDG_PROJECTS_DIR}/ r,
- owner @{MOUNTS}/@{XDG_PROJECTS_DIR}/** rwkl -> @{MOUNTS}/@{XDG_PROJECTS_DIR}/**,
+ owner @{user_projects_dirs}/ r,
+ owner @{user_projects_dirs}/** rwkl -> @{user_projects_dirs}/**,
 /etc/fstab r,
diff --git a/apparmor.d/groups/gnome/gnome-music b/apparmor.d/groups/gnome/gnome-music
index 3fbaa6b4..46e8c9c6 100644
--- a/apparmor.d/groups/gnome/gnome-music
+++ b/apparmor.d/groups/gnome/gnome-music
@@ -38,8 +38,7 @@ profile gnome-music @{exec_path} {
 /etc/machine-id r,
- owner @{HOME}/@{XDG_MUSIC_DIR}/{,**} r,
- owner @{MOUNTS}/@{XDG_MUSIC_DIR}/{,**} r,
+ owner @{user_music_dirs}/{,**} r,
 owner @{user_cache_dirs}/gnome-music/{,**} rwk,
 owner @{user_cache_dirs}/media-art/album-*.jpeg rw,
diff --git a/apparmor.d/groups/gnome/gnome-photos-thumbnailer b/apparmor.d/groups/gnome/gnome-photos-thumbnailer
index b2e371b9..5a4f9796 100644
--- a/apparmor.d/groups/gnome/gnome-photos-thumbnailer
+++ b/apparmor.d/groups/gnome/gnome-photos-thumbnailer
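Review bot: `owner @{user_books_dirs} rw,` has no trailing `/`; AppArmor matches directories with a trailing slash, so as written the rule matches a regular file named `Books`, not the library directory, and the explicit `owner @{MOUNTS}/@{XDG_BOOKS_DIR}/ r,` directory rule that this hunk removes gets no replacement. Suggest `owner @{user_books_dirs}/ rw,`. The removed `@{XDG_BOOKS_DIR}*/` pattern also accepted sibling libraries such as `Books-old/` on mounts; dropping that suffix is a reasonable narrowing but a silent one, so name it in the commit message. The calibre profile continues outside this hunk.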
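Review bot: The code hunk drops `/ r,` and `@{MOUNTS}/ r,` from the git-dirs block while the atom hunk in this same commit keeps `/ r,`, `@{MOUNTS}/ r,` and `owner @{MOUNTS}/ r,` next to the identical `@{user_projects_dirs}` rules. If the Open Folder dialog has to list `/` and the mount root to reach a project on a mount, code will now log a denial that atom does not; either keep the two listing rules or leave a comment stating where that directory listing is now granted, e.g. `# / and @{MOUNTS}/ listing comes from the included abstractions`. The profile body continues outside this hunk.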
@@ -15,8 +15,7 @@ profile gnome-photos-thumbnailer @{exec_path} {
 /usr/share/mime/mime.cache r,
- owner @{HOME}/@{XDG_PICTURES_DIR}/{,**} r,
- owner @{MOUNTS}/@{XDG_PICTURES_DIR}/{,**} r,
+ owner @{user_pictures_dirs}/{,**} r,
 owner @{user_cache_dirs}/babl/{,**} r,
 owner @{user_cache_dirs}/gegl-*/{,**} r,
diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell
index efbccf0f..cb04fd5d 100644
--- a/apparmor.d/groups/gnome/gnome-shell
+++ b/apparmor.d/groups/gnome/gnome-shell
@@ -170,10 +170,11 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
 /var/lib/snapd/desktop/icons/{,**} r,
 owner @{HOME}/.mozilla/firefox/firefox-mpris/{,*} r,
- owner @{HOME}/@{XDG_MUSIC_DIR}/**/*.jpg r,
 owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r,
 owner @{HOME}/@{XDG_SCREENSHOTS_DIR}/{,**} rw,
+ owner @{user_music_dirs}/**/*.jpg r,
+ owner @{user_config_dirs}/.goutputstream{,*} rw,
 owner @{user_config_dirs}/monitors.xml{,~} rwl,
diff --git a/apparmor.d/groups/gpg/gpg b/apparmor.d/groups/gpg/gpg
index 9955daf5..e7b4d13f 100644
--- a/apparmor.d/groups/gpg/gpg
+++ b/apparmor.d/groups/gpg/gpg
@@ -30,8 +30,8 @@ profile gpg @{exec_path} {
 owner @{HOME}/@{XDG_GPG_DIR}/ rw,
 owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**,
- owner @{HOME}/@{XDG_PROJECTS_DIR}/**/gnupg/ rw,
- owner @{HOME}/@{XDG_PROJECTS_DIR}/**/gnupg/** rwkl -> @{HOME}/@{XDG_PROJECTS_DIR}/**/gnupg/**,
+ owner @{user_projects_dirs}/**/gnupg/ rw,
+ owner @{user_projects_dirs}/**/gnupg/** rwkl -> @{user_projects_dirs}/**/gnupg/**,
 owner /var/lib/*/gnupg/ rw,
 owner /var/lib/*/gnupg/** rwkl -> /var/lib/*/gnupg/**,
diff --git a/apparmor.d/groups/gpg/gpg-agent b/apparmor.d/groups/gpg/gpg-agent
index 00c33346..4bf35cbd 100644
--- a/apparmor.d/groups/gpg/gpg-agent
+++ b/apparmor.d/groups/gpg/gpg-agent
@@ -36,12 +36,12 @@ profile gpg-agent @{exec_path} {
 owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw,
 owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/sshcontrol r,
- owner @{HOME}/@{XDG_PROJECTS_DIR}/**/{.,}gnupg/ rw,
- owner @{HOME}/@{XDG_PROJECTS_DIR}/**/{.,}gnupg/gpg-agent.conf r,
- owner @{HOME}/@{XDG_PROJECTS_DIR}/**/{.,}gnupg/private-keys-v1.d/ rw,
- owner @{HOME}/@{XDG_PROJECTS_DIR}/**/{.,}gnupg/private-keys-v1.d/[0-9A-F]*.key rw,
- owner @{HOME}/@{XDG_PROJECTS_DIR}/**/{.,}gnupg/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw,
- owner @{HOME}/@{XDG_PROJECTS_DIR}/**/{.,}gnupg/sshcontrol r,
+ owner @{user_projects_dirs}/**/{.,}gnupg/ rw,
+ owner @{user_projects_dirs}/**/{.,}gnupg/gpg-agent.conf r,
+ owner @{user_projects_dirs}/**/{.,}gnupg/private-keys-v1.d/ rw,
+ owner @{user_projects_dirs}/**/{.,}gnupg/private-keys-v1.d/[0-9A-F]*.key rw,
+ owner @{user_projects_dirs}/**/{.,}gnupg/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw,
+ owner @{user_projects_dirs}/**/{.,}gnupg/sshcontrol r,
 owner @{run}/user/@{uid}/gnupg/ rw,
 owner @{run}/user/@{uid}/gnupg/gpg-agent.conf r,
diff --git a/apparmor.d/groups/gpg/gpgconf b/apparmor.d/groups/gpg/gpgconf
index d943273b..e5ba0a3b 100644
--- a/apparmor.d/groups/gpg/gpgconf
+++ b/apparmor.d/groups/gpg/gpgconf
@@ -24,7 +24,7 @@ profile gpgconf @{exec_path} {
 /{usr/,}bin/pinentry-* rPx,
 owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**,
- owner @{HOME}/@{XDG_PROJECTS_DIR}/**/gnupg/** rwkl -> @{HOME}/@{XDG_PROJECTS_DIR}/**/gnupg/**,
+ owner @{user_projects_dirs}/**/gnupg/** rwkl -> @{user_projects_dirs}/**/gnupg/**,
 owner @{PROC}/@{pid}/task/@{tid}/stat rw,
 owner @{PROC}/@{pid}/task/@{tid}/comm rw,
diff --git a/apparmor.d/groups/gpg/gpgsm b/apparmor.d/groups/gpg/gpgsm
index 78a371d4..9792071b 100644
--- a/apparmor.d/groups/gpg/gpgsm
+++ b/apparmor.d/groups/gpg/gpgsm
@@ -16,7 +16,7 @@ profile gpgsm @{exec_path} {
 deny /usr/bin/.gnupg/ w,
 owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**,
- owner @{HOME}/@{XDG_PROJECTS_DIR}/**/gnupg/** rwkl -> @{HOME}/@{XDG_PROJECTS_DIR}/**,
+ owner @{user_projects_dirs}/**/gnupg/** rwkl -> @{user_projects_dirs}/**,
 owner /var/lib/*/.gnupg/** rwkl -> /var/lib/*/.gnupg/**,
diff --git a/apparmor.d/groups/ssh/ssh b/apparmor.d/groups/ssh/ssh
index 76eeedf8..4788e190 100644
--- a/apparmor.d/groups/ssh/ssh
+++ b/apparmor.d/groups/ssh/ssh
@@ -30,8 +30,8 @@ profile ssh @{exec_path} {
 owner @{HOME}/@{XDG_SSH_DIR}/config r,
 owner @{HOME}/@{XDG_SSH_DIR}/known_hosts{,.*} rwl,
 owner @{HOME}/@{XDG_SSH_DIR}/*_*{,.pub} r,
- owner @{HOME}/@{XDG_PROJECTS_DIR}/**/ssh/{,*} r,
- owner @{HOME}/@{XDG_PROJECTS_DIR}/**/config r,
+ owner @{user_projects_dirs}/**/ssh/{,*} r,
+ owner @{user_projects_dirs}/**/config r,
 /etc/ssh/ssh_config r,
 /etc/ssh/ssh_config.d/{,*} r,
diff --git a/apparmor.d/groups/ssh/ssh-agent b/apparmor.d/groups/ssh/ssh-agent
index 0b9db0ff..e5e75be7 100644
--- a/apparmor.d/groups/ssh/ssh-agent
+++ b/apparmor.d/groups/ssh/ssh-agent
@@ -29,7 +29,7 @@ profile ssh-agent @{exec_path} {
 # SSH keys
 owner @{HOME}/@{XDG_SSH_DIR}/ rw,
 owner @{HOME}/@{XDG_SSH_DIR}/* r,
- owner @{HOME}/@{XDG_PROJECTS_DIR}/**/ssh/{,*} r,
+ owner @{user_projects_dirs}/**/ssh/{,*} r,
 # When started via systemd
 @{run}/user/@{uid}/openssh_agent rw,
diff --git a/apparmor.d/groups/ssh/sshd b/apparmor.d/groups/ssh/sshd
index ab522ceb..ff37f0ca 100644
--- a/apparmor.d/groups/ssh/sshd
+++ b/apparmor.d/groups/ssh/sshd
@@ -77,7 +77,7 @@ profile sshd @{exec_path} flags=(attach_disconnected) {
 /etc/ssh/sshd_config.d/{,*} r,
 # For scp
- owner @{HOME}/@{XDG_DOWNLOAD_DIR}/{,**} rwl,
+ owner @{user_download_dirs}/{,**} rwl,
 owner @{user_sync_dirs}/{,**} rwl,
 owner @{HOME}/@{XDG_SSH_DIR}/authorized_keys{,.*} r,
diff --git a/apparmor.d/groups/virt/libvirtd b/apparmor.d/groups/virt/libvirtd
index d6770ee0..bda5c0c2 100644
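Review bot: The rewritten gpgsm rule keeps the link target `-> @{user_projects_dirs}/**`, which lets gpgsm hard-link anything under a project-local `gnupg/` (keyrings, `private-keys-v1.d/*.key`) to any path under a Projects tree, whereas the gpg and gpgconf hunks of this same commit restrict the target to `.../gnupg/**`. Since the line is being touched anyway, tighten it to match its siblings: `owner @{user_projects_dirs}/**/gnupg/** rwkl -> @{user_projects_dirs}/**/gnupg/**,`. The gpgsm profile continues outside this hunk.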
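Review bot: `owner @{user_projects_dirs}/**/config r,` in the ssh hunk gives the ssh client read access to every file named `config` under any project, now on `@{MOUNTS}` as well as `@{HOME}`; that includes each repository's `.git/config`, which can carry remote URLs with embedded tokens or credential-helper settings. If the intent is project-local client configs passed with `ssh -F`, the line above it (`owner @{user_projects_dirs}/**/ssh/{,*} r,`) already covers `<project>/ssh/config`; otherwise a comment such as `# Project-local ssh client configs (ssh -F <project>/config)` would record why the unqualified name is needed. The ssh profile continues outside this hunk.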
--- a/apparmor.d/groups/virt/libvirtd
+++ b/apparmor.d/groups/virt/libvirtd
@@ -141,10 +141,8 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) {
 # User VM images and share
 @{user_share_dirs}/ r,
 @{user_share_dirs}/libvirt/{,**} rwk,
- @{HOME}/@{XDG_VM_DIR}/{,**} rwk,
- @{MOUNTS}/@{XDG_VM_DIR}/{,**} rwk,
- @{HOME}/@{XDG_PUBLICSHARE_DIR}/{,**} rw,
- @{MOUNTS}/@{XDG_PUBLICSHARE_DIR}/{,**} rw,
+ @{user_vm_dirs}/{,**} rwk,
+ @{user_publicshare_dirs}/{,**} rw,
 @{run}/libvirt/ rw,
 @{run}/libvirt/** rwk,
diff --git a/apparmor.d/profiles-a-f/aurpublish b/apparmor.d/profiles-a-f/aurpublish
index fd643e75..879199f5 100644
--- a/apparmor.d/profiles-a-f/aurpublish
+++ b/apparmor.d/profiles-a-f/aurpublish
@@ -21,9 +21,9 @@ profile aurpublish @{exec_path} {
 /{usr/,}bin/rm rix,
 /{usr/,}bin/wc rix,
- owner @{HOME}/@{XDG_PROJECTS_DIR}/**/.git/COMMIT_EDITMSG rw,
- owner @{HOME}/@{XDG_PROJECTS_DIR}/**/.SRCINFO rw,
- owner @{HOME}/@{XDG_PROJECTS_DIR}/**/PKGBUILD r,
+ owner @{user_projects_dirs}/**/.git/COMMIT_EDITMSG rw,
+ owner @{user_projects_dirs}/**/.SRCINFO rw,
+ owner @{user_projects_dirs}/**/PKGBUILD r,
 /dev/tty rw,
diff --git a/apparmor.d/profiles-a-f/browserpass b/apparmor.d/profiles-a-f/browserpass
index 1bf18858..bbab7719 100644
--- a/apparmor.d/profiles-a-f/browserpass
+++ b/apparmor.d/profiles-a-f/browserpass
@@ -34,7 +34,7 @@ profile browserpass @{exec_path} flags=(attach_disconnected) {
 deny network inet,
 deny owner @{HOME}/.mozilla/firefox/[0-9a-z]*.*/features/*/*.xpi r,
 deny owner @{HOME}/.mozilla/firefox/[0-9a-z]*.*/storage/default/{,**} rw,
- deny owner @{HOME}/@{XDG_DOWNLOAD_DIR}/{,**} rw,
+ deny owner @{user_download_dirs}/{,**} rw,
 deny owner @{run}/user/@{uid}/gnome-shell-disable-extensions w,
 deny owner @{user_share_dirs}/gvfs-metadata/{,**} r,
 deny /dev/dri/* rw,
diff --git a/apparmor.d/profiles-g-l/git b/apparmor.d/profiles-g-l/git
index 053d00dd..ac9ffba1 100644
--- a/apparmor.d/profiles-g-l/git
+++ b/apparmor.d/profiles-g-l/git
@@ -80,8 +80,8 @@ profile git @{exec_path} {
 /etc/mailname r,
- owner @{HOME}/@{XDG_PROJECTS_DIR}/ rw,
- owner @{HOME}/@{XDG_PROJECTS_DIR}/** rwkl -> @{HOME}/@{XDG_PROJECTS_DIR}/**,
+ owner @{user_projects_dirs}/ rw,
+ owner @{user_projects_dirs}/** rwkl -> @{user_projects_dirs}/**,
 owner @{user_cache_dirs}/*/ rw,
 owner @{user_cache_dirs}/*/** rwkl -> @{user_cache_dirs}/*/**,
 owner /tmp/** rwkl -> /tmp/**,
@@ -167,8 +167,8 @@ profile git @{exec_path} {
 /etc/vimrc r,
 /etc/vim/{,**} r,
- owner @{HOME}/@{XDG_PROJECTS_DIR}/**/.git/COMMIT_EDITMSG rw,
- owner @{HOME}/@{XDG_PROJECTS_DIR}/**/.git/[0-9]* rw,
+ owner @{user_projects_dirs}/**/.git/COMMIT_EDITMSG rw,
+ owner @{user_projects_dirs}/**/.git/[0-9]* rw,
 owner @{HOME}/.fzf/plugin/ r,
 owner @{HOME}/.fzf/plugin/fzf.vim r,
diff --git a/apparmor.d/profiles-g-l/gitstatusd b/apparmor.d/profiles-g-l/gitstatusd
index beb5c439..dad61dd6 100644
--- a/apparmor.d/profiles-g-l/gitstatusd
+++ b/apparmor.d/profiles-g-l/gitstatusd
@@ -12,8 +12,8 @@ profile gitstatusd @{exec_path} {
 @{exec_path} mr,
- owner @{HOME}/@{XDG_PROJECTS_DIR}/{,**} r,
- owner @{HOME}/@{XDG_PROJECTS_DIR}/**/.git/.gitstatus.[0-9a-zA-Z]*/{,**} rw,
+ owner @{user_projects_dirs}/{,**} r,
+ owner @{user_projects_dirs}/**/.git/.gitstatus.[0-9a-zA-Z]*/{,**} rw,
 owner @{HOME}/.gitconfig r,
 owner @{user_config_dirs}/git/{,*} r,
diff --git a/apparmor.d/profiles-g-l/hugo b/apparmor.d/profiles-g-l/hugo
index ba25cd0c..7482a9f0 100644
--- a/apparmor.d/profiles-g-l/hugo
+++ b/apparmor.d/profiles-g-l/hugo
@@ -22,8 +22,8 @@ profile hugo @{exec_path} {
 /etc/mime.types r,
- owner @{HOME}/@{XDG_PROJECTS_DIR}/{,**} rw,
- owner @{HOME}/@{XDG_PROJECTS_DIR}/**/.hugo_build.lock rwk,
+ owner @{user_projects_dirs}/{,**} rw,
+ owner @{user_projects_dirs}/**/.hugo_build.lock rwk,
 owner /tmp/hugo_cache/ rw,
 owner /tmp/hugo_cache/**/ rw,
diff --git a/apparmor.d/profiles-g-l/jdownloader-install b/apparmor.d/profiles-g-l/jdownloader-install
index 79b1478d..9bf9a3b2 100644
--- a/apparmor.d/profiles-g-l/jdownloader-install
+++ b/apparmor.d/profiles-g-l/jdownloader-install
@@ -6,9 +6,8 @@ abi ,
 include
-@{JD_INSTALLDIR} = /home/*/jd2
-@{JD_SH_PATH} = /home/*/@{XDG_DOWNLOAD_DIR}
-@{JD_SH_PATH} += /home/*/@{XDG_DESKTOP_DIR}
+@{JD_INSTALLDIR} = @{HOME}/jd2
+@{JD_SH_PATH} = @{user_download_dirs} @{HOME}/@{XDG_DESKTOP_DIR}
 @{exec_path} = @{JD_SH_PATH}/JD2Setup_{x86,x64}.sh
 profile jdownloader-install @{exec_path} {
diff --git a/apparmor.d/profiles-m-r/man b/apparmor.d/profiles-m-r/man
index 1b14475a..e32ab8c7 100644
--- a/apparmor.d/profiles-m-r/man
+++ b/apparmor.d/profiles-m-r/man
@@ -97,10 +97,9 @@ profile man_filter {
 # do is feed data to the invoking man process.
 /usr/** r,
 owner @{HOME}/@{XDG_DATA_HOME}/** r,
- owner @{HOME}/@{XDG_PROJECTS_DIR}/** r,
+ owner @{user_projects_dirs}/** r,
 owner @{user_cache_dirs}/** r,
 owner @{MOUNTS}/*/@{XDG_DATA_HOME}/** r,
- owner @{MOUNTS}/*/@{XDG_PROJECTS_DIR}/** r,
 /var/cache/man/** w,
 }
diff --git a/apparmor.d/profiles-m-r/minitube b/apparmor.d/profiles-m-r/minitube
index 2f19be1e..5701e0c9 100644
--- a/apparmor.d/profiles-m-r/minitube
+++ b/apparmor.d/profiles-m-r/minitube
@@ -41,7 +41,7 @@ profile minitube @{exec_path} {
 owner "@{user_share_dirs}/Flavio Tordini/Minitube/*" rwk,
 # Snapshot
- owner @{HOME}/@{XDG_PICTURES_DIR}/*.png rw,
+ owner @{user_pictures_dirs}/*.png rw,
 owner @{HOME}/vlcsnap-.png rw,
 /usr/share/minitube/{,**} r,
diff --git a/apparmor.d/profiles-m-r/ntfscp b/apparmor.d/profiles-m-r/ntfscp
index ac6197c3..a10e17f2 100644
--- a/apparmor.d/profiles-m-r/ntfscp
+++ b/apparmor.d/profiles-m-r/ntfscp
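Review bot: In `man_filter` the removed rule was `owner @{MOUNTS}/*/@{XDG_PROJECTS_DIR}/** r,`, one directory level below the mount root, but `@{user_projects_dirs}` expands to `@{MOUNTS}/@{XDG_PROJECTS_DIR}`, so a Projects tree at `<mount>/<subdir>/Projects` that was readable before no longer matches (how much this matters depends on how `@{MOUNTS}` is defined, which is not in this diff). The sibling `owner @{MOUNTS}/*/@{XDG_DATA_HOME}/** r,` two lines above keeps the deeper form, so the subprofile now mixes both layouts. Either give the tunable the `*/` level as `@{user_sync_dirs}` already has, or keep the old rule here; in both cases the two lines should agree. The `man_filter` subprofile continues outside this hunk.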
@@ -17,10 +17,10 @@ profile ntfscp @{exec_path} {
 # For writing files owned by users other than root, since ntfscp has to be started as root.
 capability dac_read_search,
- @{HOME}/@{XDG_DOWNLOAD_DIR}/ r,
- @{HOME}/@{XDG_DOWNLOAD_DIR}/** rwl -> @{HOME}/@{XDG_DOWNLOAD_DIR}/**,
 @{HOME}/@{XDG_DESKTOP_DIR}/ r,
- @{HOME}/@{XDG_DESKTOP_DIR}/** rwl -> @{HOME}/@{XDG_DESKTOP_DIR}/**,
+ @{HOME}/@{XDG_DESKTOP_DIR}/** rwkl -> @{HOME}/@{XDG_DESKTOP_DIR}/**,
+ @{user_download_dirs}/ r,
+ @{user_download_dirs}/** rwkl -> @{user_download_dirs}/**,
 owner @{PROC}/@{pid}/mounts r,
diff --git a/apparmor.d/profiles-m-r/pass b/apparmor.d/profiles-m-r/pass
index 8455fa74..b701b02b 100644
--- a/apparmor.d/profiles-m-r/pass
+++ b/apparmor.d/profiles-m-r/pass
@@ -56,7 +56,7 @@ profile pass @{exec_path} {
 /usr/share/terminfo/x/xterm-256color r,
 owner @{HOME}/.password-store/{,**} rw,
- owner @{HOME}/@{XDG_PROJECTS_DIR}/**/*-store/{,**} rw,
+ owner @{user_projects_dirs}/**/*-store/{,**} rw,
 owner @{user_config_dirs}/password-store/{,**} rw,
 owner /dev/shm/pass.*/{,*} rw,
@@ -84,7 +84,7 @@ profile pass @{exec_path} {
 owner @{HOME}/.viminfo{,.tmp} rw,
 owner @{HOME}/.password-store/ r,
- owner @{HOME}/@{XDG_PROJECTS_DIR}/**/*-store/ r,
+ owner @{user_projects_dirs}/**/*-store/ r,
 owner @{user_config_dirs}/password-store/ r,
 owner @{user_cache_dirs}/vim/{,**} rw,
@@ -118,8 +118,8 @@ profile pass @{exec_path} {
 owner @{HOME}/.password-store/ rw,
 owner @{HOME}/.password-store/** rwkl -> @{HOME}/.password-store/**,
- owner @{HOME}/@{XDG_PROJECTS_DIR}/**/*-store/ rw,
- owner @{HOME}/@{XDG_PROJECTS_DIR}/**/*-store/** rwkl -> @{HOME}/@{XDG_PROJECTS_DIR}/**/*-store/**,
+ owner @{user_projects_dirs}/**/*-store/ rw,
+ owner @{user_projects_dirs}/**/*-store/** rwkl -> @{user_projects_dirs}/**/*-store/**,
 owner @{user_config_dirs}/password-store/ rw,
 owner @{user_config_dirs}/password-store/** rwkl -> @{user_config_dirs}/password-store/**,
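Review bot: Besides the variable substitution, the ntfscp hunk silently changes `rwl` to `rwkl` on both the Desktop and the Downloads rules, adding file-lock permission, and because these rules carry no `owner` (ntfscp runs as root, per the comment above `capability dac_read_search`) the Downloads rule now also covers `@{MOUNTS}/@{XDG_DOWNLOAD_DIR}` for any user. Neither widening is necessarily wrong, but neither follows from introducing `@{user_*_dirs}`, so they should be stated in the commit message or split into their own change. A short comment above the block, e.g. `# Directories ntfscp may copy from/to on behalf of any user (no owner: runs as root)`, would also make the missing `owner` look deliberate rather than forgotten. The ntfscp profile continues outside this hunk.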
diff --git a/apparmor.d/profiles-m-r/pass-import b/apparmor.d/profiles-m-r/pass-import
index 55418bae..c02d9d37 100644
--- a/apparmor.d/profiles-m-r/pass-import
+++ b/apparmor.d/profiles-m-r/pass-import
@@ -27,7 +27,7 @@ profile pass-import @{exec_path} {
 /usr/share/file/misc/magic.mgc r,
 owner @{HOME}/.password-store/{,**} rw,
- owner @{HOME}/@{XDG_PROJECTS_DIR}/**/*-store/{,**} rw,
+ owner @{user_projects_dirs}/**/*-store/{,**} rw,
 owner @{user_config_dirs}/password-store/{,**} rw,
 owner /tmp/[a-zA-Z0-9]* rw,
diff --git a/apparmor.d/profiles-m-r/qbittorrent b/apparmor.d/profiles-m-r/qbittorrent
index 2eab25a4..051776b5 100644
--- a/apparmor.d/profiles-m-r/qbittorrent
+++ b/apparmor.d/profiles-m-r/qbittorrent
@@ -7,8 +7,6 @@ abi ,
 include
-@{TORRENT_DIR} = @{MOUNTS}/torrent
-
 @{exec_path} = /{usr/,}bin/qbittorrent
 profile qbittorrent @{exec_path} {
 include
@@ -71,10 +69,8 @@ profile qbittorrent @{exec_path} {
 /usr/share/qt5ct/** r,
 # Torrent files
- @{MOUNTS}/ r,
- owner @{MOUNTS}/*/ r,
- owner @{TORRENT_DIR}/ r,
- owner @{TORRENT_DIR}/** rw,
+ owner @{user_torrents_dirs}/ r,
+ owner @{user_torrents_dirs}/** rw,
 # GeoIP settings
 /usr/share/GeoIP/GeoIP.dat r,
diff --git a/apparmor.d/profiles-m-r/qbittorrent-nox b/apparmor.d/profiles-m-r/qbittorrent-nox
index defec22b..38fd8120 100644
--- a/apparmor.d/profiles-m-r/qbittorrent-nox
+++ b/apparmor.d/profiles-m-r/qbittorrent-nox
@@ -6,8 +6,6 @@ abi ,
 include
-@{TORRENT_DIR} = @{MOUNTS}/*/torrent
-
 @{exec_path} = /{usr/,}bin/qbittorrent-nox
 profile qbittorrent-nox @{exec_path} {
 include
@@ -38,10 +36,8 @@ profile qbittorrent-nox @{exec_path} {
 owner @{user_cache_dirs}/qBittorrent/{,**} rw,
 # Torrent files
- @{MOUNTS}/ r,
- owner @{MOUNTS}/*/ r,
- owner @{TORRENT_DIR}/ r,
- owner @{TORRENT_DIR}/** rw,
+ owner @{user_torrents_dirs}/ r,
+ owner @{user_torrents_dirs}/** rw,
 /dev/disk/by-label/ r,
diff --git a/apparmor.d/profiles-s-z/strawberry b/apparmor.d/profiles-s-z/strawberry
index 7c223bed..9d04457b 100644
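Review bot: Replacing the profile-local `@{TORRENT_DIR} = @{MOUNTS}/torrent` with `@{user_torrents_dirs}` changes the directory qbittorrent may use from `torrent` to `Torrents` (the new `@{XDG_TORRENTS_DIR}` value in this commit) and also drops the `@{MOUNTS}/ r,` and `owner @{MOUNTS}/*/ r,` listing rules, so existing installs will start logging denials without any profile load error. Worth a note in the commit message pointing users at `tunables/xdg-user-dirs.d` to override `@{XDG_TORRENTS_DIR}`, and a check that the save-path chooser does not need the mount-root listing that was removed. The qbittorrent profile continues outside this hunk.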
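Review bot: qbittorrent-nox's removed `@{TORRENT_DIR} = @{MOUNTS}/*/torrent` sat one level below the mount root, unlike qbittorrent's `@{MOUNTS}/torrent`, and both now collapse to `@{MOUNTS}/@{XDG_TORRENTS_DIR}`, so the nox layout silently loses its extra level. If that nesting reflects a real setup, add the deeper form to the tunable (`@{MOUNTS}/*/@{XDG_TORRENTS_DIR}`, the way `@{user_sync_dirs}` already lists `@{MOUNTS}/*/@{XDG_SYNC_DIR}`) rather than letting the two profiles diverge again locally. The qbittorrent-nox profile continues outside this hunk.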
--- a/apparmor.d/profiles-s-z/strawberry
+++ b/apparmor.d/profiles-s-z/strawberry
@@ -6,8 +6,6 @@ abi ,
 include
-@{MEDIA_LIB} = @{MOUNTS}/mp3/
-
 @{exec_path} = /{usr/,}bin/strawberry
 profile strawberry @{exec_path} {
 include
@@ -46,11 +44,8 @@ profile strawberry @{exec_path} {
 /{usr/,}bin/xdg-open rCx -> open,
 # Media library
- / r,
- @{MOUNTS}/ r,
- owner @{MOUNTS}/*/ r,
- owner @{MEDIA_LIB}/ r,
- owner @{MEDIA_LIB}/** rw,
+ owner @{user_music_dirs}/ r,
+ owner @{user_music_dirs}/** rw,
 # Playlists
 owner @{HOME}/**.{m3u,xspf,pls,asx,cue,wpl} rw,
diff --git a/apparmor.d/profiles-s-z/strawberry-tagreader b/apparmor.d/profiles-s-z/strawberry-tagreader
index 45a13c29..6b88c2bd 100644
--- a/apparmor.d/profiles-s-z/strawberry-tagreader
+++ b/apparmor.d/profiles-s-z/strawberry-tagreader
@@ -6,8 +6,6 @@ abi ,
 include
-@{MEDIA_LIB} = @{MOUNTS}/mp3/
-
 @{exec_path} = /{usr/,}bin/strawberry-tagreader
 profile strawberry-tagreader @{exec_path} {
 include
@@ -21,8 +19,8 @@ profile strawberry-tagreader @{exec_path} {
 @{exec_path} mr,
 # Media library
- owner @{MEDIA_LIB}/ r,
- owner @{MEDIA_LIB}/** rw,
+ owner @{user_music_dirs}/ r,
+ owner @{user_music_dirs}/** rw,
 # file_inherit
 owner @{HOME}/.xsession-errors w,
diff --git a/apparmor.d/profiles-s-z/transmission-qt b/apparmor.d/profiles-s-z/transmission-qt
index c2d4834c..37637812 100644
--- a/apparmor.d/profiles-s-z/transmission-qt
+++ b/apparmor.d/profiles-s-z/transmission-qt
@@ -6,8 +6,6 @@ abi ,
 include
-@{TORRENT_DIR} = /media/*/torrent
-
 @{exec_path} = /{usr/,}bin/transmission-qt
 profile transmission-qt @{exec_path} {
 include
@@ -36,10 +34,8 @@ profile transmission-qt @{exec_path} {
 @{exec_path} mr,
 # Torrent files
- /media/ r,
- owner /media/*/ r,
- owner @{TORRENT_DIR}/ r,
- owner @{TORRENT_DIR}/** rw,
+ owner @{user_torrents_dirs}/ r,
+ owner @{user_torrents_dirs}/** rw,
 owner @{HOME}/.config/transmission/ rw,
 owner @{HOME}/.config/transmission/** rwk,
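Review bot: The strawberry media-library block loses `/ r,`, `@{MOUNTS}/ r,` and `owner @{MOUNTS}/*/ r,` along with the switch from `@{MEDIA_LIB}` (`@{MOUNTS}/mp3/`) to `@{user_music_dirs}`; those listing rules are what let a library-folder chooser browse from `/` down to a mount, and the fact that strawberry-tagreader never had them does not show they were dead here, since the tagreader has no UI. Suggest keeping `@{MOUNTS}/ r,` and `owner @{MOUNTS}/*/ r,` or noting in the commit why they are no longer needed. The `mp3` to `@{XDG_MUSIC_DIR}` rename (presumably `Music`, the value is not in this diff) also deserves a mention so users know to override it in `tunables/xdg-user-dirs.d`. The strawberry profile continues outside this hunk.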
diff --git a/apparmor.d/profiles-s-z/virt-manager b/apparmor.d/profiles-s-z/virt-manager
index 416a527c..10475656 100644
--- a/apparmor.d/profiles-s-z/virt-manager
+++ b/apparmor.d/profiles-s-z/virt-manager
@@ -84,8 +84,7 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) {
 # User VM images
 owner @{user_share_dirs}/ r,
 owner @{user_share_dirs}/libvirt/{,**} rw,
- owner @{HOME}/@{XDG_VM_DIR}/{,**} rw,
- owner @{MOUNTS}/@{XDG_VM_DIR}/{,**} rw,
+ owner @{user_vm_dirs}/{,**} rw,
 owner @{run}/user/@{uid}/libvirt/libvirtd.lock rwk,
 @{run}/mount/utab r,
diff --git a/apparmor.d/tunables/xdg-user-dirs b/apparmor.d/tunables/xdg-user-dirs
index f7ef793a..98a55a7c 100644
--- a/apparmor.d/tunables/xdg-user-dirs
+++ b/apparmor.d/tunables/xdg-user-dirs
@@ -21,13 +21,13 @@
 @{XDG_VIDEOS_DIR}="Videos"
 # Extra user personal directories
-@{XDG_PROJECTS_DIR}="Projects"
 @{XDG_BOOKS_DIR}="Books"
-@{XDG_WALLPAPERS_DIR}="@{XDG_PICTURES_DIR}/Wallpapers"
+@{XDG_PROJECTS_DIR}="Projects"
 @{XDG_SCREENSHOTS_DIR}="@{XDG_PICTURES_DIR}/Screenshots"
-
 @{XDG_SYNC_DIR}="Sync"
+@{XDG_TORRENTS_DIR}="Torrents"
 @{XDG_VM_DIR}=".vm"
+@{XDG_WALLPAPERS_DIR}="@{XDG_PICTURES_DIR}/Wallpapers"
 # User personal keyrings
 @{XDG_SSH_DIR}=".ssh"
@@ -52,7 +52,18 @@
 @{user_tmp_dirs}=@{run}/user/@{uid} /tmp/
 # Other user directories
+@{user_books_dirs}=@{HOME}/@{XDG_BOOKS_DIR} @{MOUNTS}/@{XDG_BOOKS_DIR}
+@{user_documents_dirs}=@{HOME}/@{XDG_DOCUMENTS_DIR} @{MOUNTS}/@{XDG_DOCUMENTS_DIR}
+@{user_download_dirs}=@{HOME}/@{XDG_DOWNLOAD_DIR} @{MOUNTS}/@{XDG_DOWNLOAD_DIR}
+@{user_music_dirs}=@{HOME}/@{XDG_MUSIC_DIR} @{MOUNTS}/@{XDG_MUSIC_DIR}
+@{user_pictures_dirs}=@{HOME}/@{XDG_PICTURES_DIR} @{MOUNTS}/@{XDG_PICTURES_DIR}
+@{user_projects_dirs}=@{HOME}/@{XDG_PROJECTS_DIR} @{MOUNTS}/@{XDG_PROJECTS_DIR}
+@{user_publicshare_dirs}=@{HOME}/@{XDG_PUBLICSHARE_DIR} @{MOUNTS}/@{XDG_PUBLICSHARE_DIR}
 @{user_sync_dirs}=@{HOME}/@{XDG_SYNC_DIR} @{MOUNTS}/*/@{XDG_SYNC_DIR}
+@{user_templates_dirs}=@{HOME}/@{XDG_TEMPLATES_DIR} @{MOUNTS}/@{XDG_TEMPLATES_DIR}
+@{user_torrents_dirs}=@{HOME}/@{XDG_TORRENTS_DIR} @{MOUNTS}/@{XDG_TORRENTS_DIR}
+@{user_videos_dirs}=@{HOME}/@{XDG_VIDEOS_DIR} @{MOUNTS}/@{XDG_VIDEOS_DIR}
+@{user_vm_dirs}=@{HOME}/@{XDG_VM_DIR} @{MOUNTS}/@{XDG_VM_DIR}
 # Also, include files in tunables/xdg-user-dirs.d for site-specific adjustments
 # to the various XDG directories
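Review bot: Every new `@{user_*_dirs}` entry expands to `@{MOUNTS}/@{XDG_*_DIR}`, while the pre-existing `@{user_sync_dirs}` in the middle of the same list expands to `@{MOUNTS}/*/@{XDG_SYNC_DIR}`, so two rules that look parallel in a profile (`owner @{user_projects_dirs}/** r,` and `owner @{user_sync_dirs}/** r,`) reach different depths on a mount, and several rules replaced in this commit (man's `@{MOUNTS}/*/@{XDG_PROJECTS_DIR}`, qbittorrent-nox's `@{MOUNTS}/*/torrent`) used the deeper form. Pick one layout and document it above the block, e.g. `# @{user_*_dirs}: a user directory in @{HOME} and at the top level of a mount point; rules using them are expected to carry 'owner'`. A `@{user_desktop_dirs}=@{HOME}/@{XDG_DESKTOP_DIR} @{MOUNTS}/@{XDG_DESKTOP_DIR}` entry is also missing even though Desktop is handled alongside Downloads in user-download-strict, jdownloader-install and ntfscp, which is why those profiles still hand-write the `@{HOME}` form.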