update apparmor profiles

apparmor.d/abstractions/X

@@ -22,11 +22,12 @@
   # .Xauthority files required for X connections, per user
   owner @{HOME}/.Xauthority r,
   owner @{HOME}/.local/share/sddm/.Xauthority r,
-  owner /{,var/}run/gdm{,3}/*/database r,
-  owner /{,var/}run/lightdm/authority/[0-9]* r,
-  owner /{,var/}run/lightdm/*/xauthority r,
-  owner /{,var/}run/user/*/gdm/Xauthority r,
-  owner /{,var/}run/user/*/X11/Xauthority r,
+  owner @{run}/gdm{,3}/*/database r,
+  owner @{run}/lightdm/authority/[0-9]* r,
+  owner @{run}/lightdm/*/xauthority r,
+  owner @{run}/user/*/gdm/Xauthority r,
+  owner @{run}/user/*/X11/Xauthority r,
+  owner @{run}/user/*/xauth_* r,
 
   # the unix socket to use to connect to the display
   /tmp/.X11-unix/* rw,

apparmor.d/abstractions/dbus-network-manager-strict

@@ -0,0 +1,45 @@
+# vim:syntax=apparmor
+
+  dbus send
+       bus=system
+       path=/org/freedesktop/NetworkManager
+       interface=org.freedesktop.DBus.Properties
+       member=GetAll
+       peer=(name=org.freedesktop.NetworkManager),
+
+  dbus send
+       bus=system
+       path=/org/freedesktop/NetworkManager
+       interface=org.freedesktop.NetworkManager
+       member=GetDevices
+       peer=(name=org.freedesktop.NetworkManager),
+
+  dbus send
+       bus=system
+       path=/org/freedesktop/NetworkManager/ActiveConnection/[0-9]*
+       interface=org.freedesktop.DBus.Properties
+       member=GetAll
+       peer=(name=org.freedesktop.NetworkManager),
+
+  dbus send
+       bus=system
+       path=/org/freedesktop/NetworkManager/Devices/[0-9]*
+       interface=org.freedesktop.DBus.Properties
+       member=GetAll
+       peer=(name=org.freedesktop.NetworkManager),
+
+  dbus send
+       bus=system
+       path=/org/freedesktop/NetworkManager/Settings
+       interface=org.freedesktop.NetworkManager.Settings
+       member={GetDevices,ListConnections}
+       peer=(name=org.freedesktop.NetworkManager),
+
+  dbus send
+       bus=system
+       path=/org/freedesktop/NetworkManager/Settings/[0-9]*
+       interface=org.freedesktop.NetworkManager.Settings.Connection
+       member=GetSettings
+       peer=(name=org.freedesktop.NetworkManager),
+
+  #include if exists <abstractions/dbus-network-manager-strict.d>

apparmor.d/abstractions/deny-dconf

@@ -16,7 +16,7 @@
   # When this is blocked, expect lots of the following errors:
   #  dconf-CRITICAL **: unable to create file '/run/user/1000/dconf/user': Permission denied.
   #  dconf will not work properly.
-  deny owner /{var/,}run/user/[0-9]*/dconf/{,**} rw,
+  deny owner @{run}/user/[0-9]*/dconf/{,**} rw,
 
   deny owner @{HOME}/.config/dconf/{,**} rw,
   deny owner @{HOME}/.cache/dconf/{,**} rw,

apparmor.d/abstractions/disks-read

@@ -60,27 +60,27 @@
   # changes, it's better to allow the whole range (240-254) instead of the single major numbers
   # visible in the /proc/devices file.
   # [1]: https://raw.githubusercontent.com/torvalds/linux/master/Documentation/admin-guide/devices.txt
-  /{var/,}run/udev/data/b254:[0-9]* r, # for dynamic kernel assignment of block devices
-  /{var/,}run/udev/data/b253:[0-9]* r, # for dynamic kernel assignment of block devices
-  /{var/,}run/udev/data/b252:[0-9]* r, # for dynamic kernel assignment of block devices
-  /{var/,}run/udev/data/b251:[0-9]* r, # for dynamic kernel assignment of block devices
-  /{var/,}run/udev/data/b250:[0-9]* r, # for dynamic kernel assignment of block devices
-  /{var/,}run/udev/data/b249:[0-9]* r, # for dynamic kernel assignment of block devices
-  /{var/,}run/udev/data/b248:[0-9]* r, # for dynamic kernel assignment of block devices
-  /{var/,}run/udev/data/b247:[0-9]* r, # for dynamic kernel assignment of block devices
-  /{var/,}run/udev/data/b246:[0-9]* r, # for dynamic kernel assignment of block devices
-  /{var/,}run/udev/data/b245:[0-9]* r, # for dynamic kernel assignment of block devices
-  /{var/,}run/udev/data/b244:[0-9]* r, # for dynamic kernel assignment of block devices
-  /{var/,}run/udev/data/b243:[0-9]* r, # for dynamic kernel assignment of block devices
-  /{var/,}run/udev/data/b242:[0-9]* r, # for dynamic kernel assignment of block devices
-  /{var/,}run/udev/data/b241:[0-9]* r, # for dynamic kernel assignment of block devices
-  /{var/,}run/udev/data/b240:[0-9]* r, # for dynamic kernel assignment of block devices
+  @{run}/udev/data/b254:[0-9]* r, # for dynamic kernel assignment of block devices
+  @{run}/udev/data/b253:[0-9]* r, # for dynamic kernel assignment of block devices
+  @{run}/udev/data/b252:[0-9]* r, # for dynamic kernel assignment of block devices
+  @{run}/udev/data/b251:[0-9]* r, # for dynamic kernel assignment of block devices
+  @{run}/udev/data/b250:[0-9]* r, # for dynamic kernel assignment of block devices
+  @{run}/udev/data/b249:[0-9]* r, # for dynamic kernel assignment of block devices
+  @{run}/udev/data/b248:[0-9]* r, # for dynamic kernel assignment of block devices
+  @{run}/udev/data/b247:[0-9]* r, # for dynamic kernel assignment of block devices
+  @{run}/udev/data/b246:[0-9]* r, # for dynamic kernel assignment of block devices
+  @{run}/udev/data/b245:[0-9]* r, # for dynamic kernel assignment of block devices
+  @{run}/udev/data/b244:[0-9]* r, # for dynamic kernel assignment of block devices
+  @{run}/udev/data/b243:[0-9]* r, # for dynamic kernel assignment of block devices
+  @{run}/udev/data/b242:[0-9]* r, # for dynamic kernel assignment of block devices
+  @{run}/udev/data/b241:[0-9]* r, # for dynamic kernel assignment of block devices
+  @{run}/udev/data/b240:[0-9]* r, # for dynamic kernel assignment of block devices
 
-  /{var/,}run/udev/data/b179:[0-9]* r, # for /dev/mmcblk*
-  /{var/,}run/udev/data/b11:[0-9]*  r, # for /dev/sr*
-  /{var/,}run/udev/data/b8:[0-9]*   r, # for /dev/sd*
-  /{var/,}run/udev/data/b7:[0-9]*   r, # for /dev/loop*
+  @{run}/udev/data/b179:[0-9]* r, # for /dev/mmcblk*
+  @{run}/udev/data/b11:[0-9]*  r, # for /dev/sr*
+  @{run}/udev/data/b8:[0-9]*   r, # for /dev/sd*
+  @{run}/udev/data/b7:[0-9]*   r, # for /dev/loop*
 
-  /{var/,}run/udev/data/c189:[0-9]* r, # for /dev/bus/usb/**
+  @{run}/udev/data/c189:[0-9]* r, # for /dev/bus/usb/**
 
-  /{var/,}run/udev/data/+usb:*      r, # for ?
+  @{run}/udev/data/+usb:*      r, # for ?

apparmor.d/abstractions/disks-write

@@ -60,27 +60,27 @@
   # changes, it's better to allow the whole range (240-254) instead of the single major numbers
   # visible in the /proc/devices file.
   # [1]: https://raw.githubusercontent.com/torvalds/linux/master/Documentation/admin-guide/devices.txt
-  /{var/,}run/udev/data/b254:[0-9]* r, # for dynamic kernel assignment of block devices
-  /{var/,}run/udev/data/b253:[0-9]* r, # for dynamic kernel assignment of block devices
-  /{var/,}run/udev/data/b252:[0-9]* r, # for dynamic kernel assignment of block devices
-  /{var/,}run/udev/data/b251:[0-9]* r, # for dynamic kernel assignment of block devices
-  /{var/,}run/udev/data/b250:[0-9]* r, # for dynamic kernel assignment of block devices
-  /{var/,}run/udev/data/b249:[0-9]* r, # for dynamic kernel assignment of block devices
-  /{var/,}run/udev/data/b248:[0-9]* r, # for dynamic kernel assignment of block devices
-  /{var/,}run/udev/data/b247:[0-9]* r, # for dynamic kernel assignment of block devices
-  /{var/,}run/udev/data/b246:[0-9]* r, # for dynamic kernel assignment of block devices
-  /{var/,}run/udev/data/b245:[0-9]* r, # for dynamic kernel assignment of block devices
-  /{var/,}run/udev/data/b244:[0-9]* r, # for dynamic kernel assignment of block devices
-  /{var/,}run/udev/data/b243:[0-9]* r, # for dynamic kernel assignment of block devices
-  /{var/,}run/udev/data/b242:[0-9]* r, # for dynamic kernel assignment of block devices
-  /{var/,}run/udev/data/b241:[0-9]* r, # for dynamic kernel assignment of block devices
-  /{var/,}run/udev/data/b240:[0-9]* r, # for dynamic kernel assignment of block devices
+  @{run}/udev/data/b254:[0-9]* r, # for dynamic kernel assignment of block devices
+  @{run}/udev/data/b253:[0-9]* r, # for dynamic kernel assignment of block devices
+  @{run}/udev/data/b252:[0-9]* r, # for dynamic kernel assignment of block devices
+  @{run}/udev/data/b251:[0-9]* r, # for dynamic kernel assignment of block devices
+  @{run}/udev/data/b250:[0-9]* r, # for dynamic kernel assignment of block devices
+  @{run}/udev/data/b249:[0-9]* r, # for dynamic kernel assignment of block devices
+  @{run}/udev/data/b248:[0-9]* r, # for dynamic kernel assignment of block devices
+  @{run}/udev/data/b247:[0-9]* r, # for dynamic kernel assignment of block devices
+  @{run}/udev/data/b246:[0-9]* r, # for dynamic kernel assignment of block devices
+  @{run}/udev/data/b245:[0-9]* r, # for dynamic kernel assignment of block devices
+  @{run}/udev/data/b244:[0-9]* r, # for dynamic kernel assignment of block devices
+  @{run}/udev/data/b243:[0-9]* r, # for dynamic kernel assignment of block devices
+  @{run}/udev/data/b242:[0-9]* r, # for dynamic kernel assignment of block devices
+  @{run}/udev/data/b241:[0-9]* r, # for dynamic kernel assignment of block devices
+  @{run}/udev/data/b240:[0-9]* r, # for dynamic kernel assignment of block devices
 
-  /{var/,}run/udev/data/b179:[0-9]* r, # for /dev/mmcblk*
-  /{var/,}run/udev/data/b11:[0-9]*  r, # for /dev/sr*
-  /{var/,}run/udev/data/b8:[0-9]*   r, # for /dev/sd*
-  /{var/,}run/udev/data/b7:[0-9]*   r, # for /dev/loop*
+  @{run}/udev/data/b179:[0-9]* r, # for /dev/mmcblk*
+  @{run}/udev/data/b11:[0-9]*  r, # for /dev/sr*
+  @{run}/udev/data/b8:[0-9]*   r, # for /dev/sd*
+  @{run}/udev/data/b7:[0-9]*   r, # for /dev/loop*
 
-  /{var/,}run/udev/data/c189:[0-9]* r, # for /dev/bus/usb/**
+  @{run}/udev/data/c189:[0-9]* r, # for /dev/bus/usb/**
 
-  /{var/,}run/udev/data/+usb:*      r, # for ?
+  @{run}/udev/data/+usb:*      r, # for ?

apparmor.d/abstractions/exo-open

@@ -65,7 +65,10 @@
   /usr/share/{xfce{,4},xubuntu}/applications/{,*.list} r,
 
   # User files
-  owner @{HOME}/.local/share/xfce4/helpers/*.desktop r,
 
   owner @{PROC}/@{pid}/fd/ r,
   owner @{HOME}/.config/xfce4/helpers.rc r,
+  owner @{HOME}/.local/share/xfce4/helpers/*.desktop r,
+
+  # Include additions to the abstraction
+  #include if exists <abstractions/exo-open.d>

apparmor.d/abstractions/fonts

@@ -14,8 +14,7 @@
 
   /usr/lib/xorg/modules/fonts/**.so*    mr,
 
-  /usr/share/fonts/                     r,
-  /usr/share/fonts/**                   r,
+  /usr/share/fonts/{,**}                r,
   /usr/share/fonts-*/{,**}              r,
 
   /etc/fonts/**                         r,

apparmor.d/abstractions/gio-open

@@ -52,3 +52,6 @@
   owner @{HOME}/.config/mimeapps.list r,
   owner @{HOME}/.local/share/applications/{,*.desktop} r,
   owner @{PROC}/@{pid}/fd/ r,
+
+  # Include additions to the abstraction
+  #include if exists <abstractions/gio-open.d>

apparmor.d/abstractions/gnome

@@ -26,6 +26,7 @@
   /usr/lib/@{multiarch}/gtk-[0-9]*/** mr,
   /usr/share/themes/              r,
   /usr/share/themes/**            r,
+  /usr/share/gtk-3.0/settings.ini r,
 
   # for gnome 1 applications
   /etc/orbitrc                    r,
@@ -87,6 +88,7 @@
   /usr/share/gvfs/remote-volume-monitors/  r,
   /usr/share/gvfs/remote-volume-monitors/* r,
   @{PROC}/@{pid}/mounts                    r,
+  /run/mount/utab                          r,
 
   # printing
   /etc/papersize                   r,

apparmor.d/abstractions/gvfs-open

@@ -40,3 +40,6 @@
 
   /usr/bin/gvfs-open r,
   /{,usr/}bin/dash mr,
+
+  # Include additions to the abstraction
+  #include if exists <abstractions/gvfs-open.d>

apparmor.d/abstractions/hosts_access

@@ -0,0 +1,13 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2020 Canonical Ltd.
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+  /etc/hosts.deny r,
+  /etc/hosts.allow r,

apparmor.d/abstractions/kde-open5

@@ -33,7 +33,7 @@
 #
 #   # Add if audio support for message box is
 #   # considered as required.
-#   include if exists <abstractions/gstreamer>
+#   #include if exists <abstractions/gstreamer>
 #
 #   # < add additional allowed applications here >
 # }
@@ -100,3 +100,5 @@
   owner /{,var/}run/user/[0-9]*/kioclient*slave-socket lrw -> /{,var/}/run/user/[0-9]/#[0-9]*, # for KIO::Slave::holdSlave(QString const&, QUrl const&) () from libKF5KIOCore.so (not 100% sure)
   owner @{HOME}/.cache/kio_http/ rw,
 
+  # Include additions to the abstraction
+  #include if exists <abstractions/kde-open5.d>

apparmor.d/abstractions/kde5-plasma5

@@ -28,8 +28,8 @@
   # includes this abstraction)
   #owner @{HOME}/.config/#[0-9]*[0-9] rwk,
   #owner @{HOME}/.config/@{KDE_APP_NAME}rc* rwlk -> @{HOME}/.config/#[0-9]*[0-9],
-  #owner /{var/,}run/user/[0-9]*/#[0-9]*[0-9] rw,
-  #owner /{var/,}run/user/[0-9]*/@{KDE_APP_NAME}*.slave-socket rwl -> /{var/,}run/user/[0-9]*/#[0-9]*[0-9],
+  #owner @{run}/user/[0-9]*/#[0-9]*[0-9] rw,
+  #owner @{run}/user/[0-9]*/@{KDE_APP_NAME}*.slave-socket rwl -> @{run}/user/[0-9]*/#[0-9]*[0-9],
 
   # Common KDE config files
   #owner @{HOME}/.config/#[0-9]*[0-9] rw,
@@ -57,9 +57,9 @@
   #deny @{sys}/bus/ r,
   #deny @{sys}/bus/usb/devices/ r,
   #deny @{sys}/class/ r,
-  #deny /{var/,}run/udev/data/b8:[0-9]* r,   # for /dev/sda1 , etc.
-  #deny /{var/,}run/udev/data/c189:[0-9]* r, # for /dev/bus/usb/001/001 , etc.
-  #deny /{var/,}run/udev/data/+usb:* r,      #
+  #deny @{run}/udev/data/b8:[0-9]* r,   # for /dev/sda1 , etc.
+  #deny @{run}/udev/data/c189:[0-9]* r, # for /dev/bus/usb/001/001 , etc.
+  #deny @{run}/udev/data/+usb:* r,      #
   #/etc/exports r,
   #/etc/xdg/menus/ r,
   #/usr/share/mime/ r,

apparmor.d/abstractions/mdns

@@ -9,5 +9,6 @@
 # ------------------------------------------------------------------
 
   # mdnsd
+  /etc/mdns.allow r,
   /etc/nss_mdns.conf r,
   /{,var/}run/mdnsd w,

apparmor.d/abstractions/nameservice

@@ -30,8 +30,8 @@
   /var/lib/extrausers/passwd r,
 
   # NSS records from systemd-userdbd.service
-  /{,var/}run/systemd/userdb/ r,
-  /{,var/}run/systemd/userdb/io.systemd.{NameServiceSwitch,Multiplexer,DynamicUser,Home} r,
+  @{run}/systemd/userdb/ r,
+  @{run}/systemd/userdb/io.systemd.{NameServiceSwitch,Multiplexer,DynamicUser,Home} r,
   @{PROC}/sys/kernel/random/boot_id r,
 
   # When using sssd, the passwd and group files are stored in an alternate path

apparmor.d/abstractions/postfix-common

@@ -1,7 +1,8 @@
 # ------------------------------------------------------------------
 #
 #    Copyright (C) 2002-2005 Novell/SUSE
-#    Copyright (C) 2015 Canonical, Ltd.
+#    Copyright (C) 2015-2018 Canonical, Ltd.
+#    Copyright (C) 2020 Christian Boltz
 #
 #    This program is free software; you can redistribute it and/or
 #    modify it under the terms of version 2 of the GNU General Public
@@ -31,6 +32,7 @@
   /usr/lib{,32,64}/sasl2/     r,
   /usr/lib/@{multiarch}/sasl2/*      mr,
   /usr/lib/@{multiarch}/sasl2/       r,
+  /usr/share/icu/[0-9]*.[0-9]*/*.dat r,
 
   /var/spool/postfix/etc/*        r,
   /var/spool/postfix/lib/lib*.so* mr,

apparmor.d/abstractions/trash

@@ -16,8 +16,8 @@
   owner @{HOME}/.config/#[0-9]*[0-9] rwk,
   owner @{HOME}/.config/trashrc.* rwl -> @{HOME}/.config/#[0-9]*[0-9],
 
-  owner /{var/,}run/user/[0-9]*/#[0-9]*[0-9] rw,
-  owner /{var/,}run/user/[0-9]*/trash.so*.[0-9].slave-socket rwl -> /{var/,}run/user/[0-9]*/#[0-9]*[0-9],
+  owner @{run}/user/[0-9]*/#[0-9]*[0-9] rw,
+  owner @{run}/user/[0-9]*/trash.so*.[0-9].slave-socket rwl -> @{run}/user/[0-9]*/#[0-9]*[0-9],
 
   # Home trash location
   owner @{HOME}/.local/share/Trash/ rw,

apparmor.d/abstractions/vulkan

@@ -3,10 +3,15 @@
 
   # System files
   /dev/dri/ r, # libvulkan_radeon.so, libvulkan_intel.so (Mesa)
+  /etc/glvnd/egl_vendor.d/{*,.json} r,
   /etc/vulkan/icd.d/{,*.json} r,
   /etc/vulkan/{explicit,implicit}_layer.d/{,*.json} r,
   # for drmGetMinorNameForFD() from libvulkan_intel.so (Mesa)
   @{sys}/devices/pci[0-9]*/*/drm/ r,
+  @{sys}/devices/pci[0-9]*/*/drm/card[0-9]/gt_{max,min}_freq_mhz r, # anv_enumerate_physical_devices() from libvulkan_intel.so
+  @{sys}/devices/pci[0-9]*/*/drm/card[0-9]/metrics/ r, # anv_enumerate_physical_devices() from libvulkan_intel.so
+  @{sys}/devices/pci[0-9]*/*/drm/card[0-9]/metrics/????????-????-????-????-????????????/id r, # anv_enumerate_physical_devices() from libvulkan_intel.so
+  /usr/share/glvnd/egl_vendor.d/{,*.json} r,
   /usr/share/vulkan/icd.d/{,*.json} r,
   /usr/share/vulkan/{explicit,implicit}_layer.d/{,*.json} r,
 

apparmor.d/abstractions/wayland

@@ -12,6 +12,6 @@
 
   #abi <abi/3.0>,
 
-  owner /{,var/}run/user/[0-9]*/weston-shared-* rw,
-  owner /{,var/}run/user/[0-9]*/wayland-[0-9]* rw,
-  owner /{,var/}run/user/[0-9]*/{mesa,mutter,sdl,wayland-cursor,weston,xwayland}-shared-* rw,
+  owner @{run}/user/[0-9]*/weston-shared-* rw,
+  owner @{run}/user/[0-9]*/wayland-[0-9]* rw,
+  owner @{run}/user/[0-9]*/{mesa,mutter,sdl,wayland-cursor,weston,xwayland}-shared-* rw,

apparmor.d/abstractions/xdg-open

@@ -24,7 +24,7 @@
 #
 #   # Enable gstreamer support if considered required by
 #   # profile author for (rare) error message boxes.
-#   include if exists <abstractions/gstreamer>
+#   #include if exists <abstractions/gstreamer>
 #
 #   # needed for ubuntu-* abstractions
 #   #include <abstractions/ubuntu-helpers>
@@ -79,3 +79,6 @@
   # Usr files
 
   owner @{HOME}/.local/share/applications/{,*.desktop} r,
+
+  # Include additions to the abstraction
+  #include if exists <abstractions/xdg-open.d>

apparmor.d/amarok

@@ -142,7 +142,7 @@ profile amarok @{exec_path} {
 
   /usr/share/icons/*/index.theme rk,
 
-  /{var/,}run/user/[0-9]*/ksocket-*/amarok*.slave-socket rw,
+  @{run}/user/[0-9]*/ksocket-*/amarok*.slave-socket rw,
 
   # What's this for?
   deny /etc/mysql/** r,
@@ -162,7 +162,7 @@ profile amarok @{exec_path} {
   deny @{sys}/devices/virtual/sound/seq/uevent r,
   deny @{sys}/devices/pci[0-9]*/**/usb[0-9]/**/{manufacturer,product,uevent,type} r,
   deny @{sys}/devices/system/node/ r,
-  deny /{,var/}run/udev/data/* r,
+  deny @{run}/udev/data/* r,
 
   # To generate the crash log info in Amarok
   /{usr/,}bin/gdb rCx -> gdb,

apparmor.d/apt-cdrom

@@ -34,7 +34,7 @@ profile apt-cdrom @{exec_path} flags=(complain) {
   @{sys}/class/ r,
   @{sys}/class/*/ r,
   @{sys}/devices/**/uevent r,
-  /{var/,}run/udev/data/* r,
+  @{run}/udev/data/* r,
 
   /etc/fstab r,
 
@@ -80,8 +80,8 @@ profile apt-cdrom @{exec_path} flags=(complain) {
 
     /{usr/,}bin/umount mr,
 
-    /{var/,}run/mount/utab{,.*} rw,
-    /{var/,}run/mount/utab.lock rwk,
+    @{run}/mount/utab{,.*} rw,
+    @{run}/mount/utab.lock rwk,
 
     owner @{PROC}/@{pid}/mountinfo r,
 

apparmor.d/aptitude

@@ -146,7 +146,7 @@ profile aptitude @{exec_path} flags=(complain) {
   /var/lib/debtags/vocabulary r,
   /{usr/,}bin/su rPx,
 
-  /{var/,}run/lock/aptitude rwk,
+  @{run}/lock/aptitude rwk,
   /usr/share/aptitude/ r,
   /usr/share/aptitude/* r,
   /var/lib/aptitude/pkgstates{,.old,.new} rw,

apparmor.d/blkid

@@ -25,8 +25,8 @@ profile blkid @{exec_path} {
 
   # The standard location of the cache file
   # Without owner here if this tool should be used as a regular user
-  /{,var/}run/blkid/blkid.tab{,-*} rw,
-  /{,var/}run/blkid/blkid.tab.old rwl -> /{,var/}run/blkid/blkid.tab,
+  @{run}/blkid/blkid.tab{,-*} rw,
+  @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab,
   # When the system doesn't have the /run/ dir, the cache file is placed under /etc/
   /etc/blkid.tab{,-*} rw,
   /etc/blkid.tab.old rwl -> /etc/blkid.tab,

apparmor.d/bluetoothd

@@ -32,7 +32,7 @@ profile bluetoothd @{exec_path} {
   /dev/rfkill rw,
   /dev/hidraw[0-9]* rw,
 
-  /{,var/}run/sdp rw,
+  @{run}/sdp rw,
 
   @{sys}/devices/virtual/dmi/id/chassis_type r,
   @{sys}/devices/platform/**/rfkill/**/name r,

apparmor.d/brave

@@ -172,7 +172,7 @@ profile brave @{exec_path} {
   @{sys}/devices/**/uevent r,
   @{sys}/class/ r,
   @{sys}/class/**/ r,
-  /{,var/}run/udev/data/* r,
+  @{run}/udev/data/* r,
   @{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{descriptors,manufacturer,product,serial,bConfigurationValue} r,
   @{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{busnum,devnum} r,
 

apparmor.d/btrfs

@@ -25,8 +25,8 @@ profile btrfs @{exec_path} {
 
   @{exec_path} mr,
 
-  /{var/,}run/blkid/blkid.tab{,-*} rw,
-  /{var/,}run/blkid/blkid.tab.old rwl -> /run/blkid/blkid.tab,
+  @{run}/blkid/blkid.tab{,-*} rw,
+  @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab,
 
   owner @{PROC}/@{pid}/mounts r,
         @{PROC}/partitions r,

apparmor.d/btrfstune

@@ -23,8 +23,8 @@ profile btrfstune @{exec_path} {
         @{PROC}/partitions r,
   owner @{PROC}/@{pid}/mounts r,
 
-  owner /{,var/}run/blkid/blkid.tab{,-*} rw,
-  owner /{,var/}run/blkid/blkid.tab.old rwl -> /{,var/}run/blkid/blkid.tab,
+  owner @{run}/blkid/blkid.tab{,-*} rw,
+  owner @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab,
 
   #include if exists <local/btrfstune>
 }

apparmor.d/calibre

@@ -156,8 +156,8 @@ profile calibre @{exec_path} {
 
   @{sys}/devices/pci[0-9]*/**/irq r,
 
-  /{,var/}run/udev/data/+usb* r,            #
-  /{,var/}run/udev/data/c189:[0-9]* r,      # for /dev/bus/usb/**
+  @{run}/udev/data/+usb* r,            #
+  @{run}/udev/data/c189:[0-9]* r,      # for /dev/bus/usb/**
 
         /dev/shm/ r,
         /dev/shm/#[0-9]*[0-9] rw,

apparmor.d/cawbird

@@ -50,7 +50,7 @@ profile cawbird @{exec_path} {
 
   # This is needed as cawbird stores its settings in the dconf database.
   #include <abstractions/dconf>
-  /{var/,}run/user/[0-9]*/dconf/user rw,
+  @{run}/user/[0-9]*/dconf/user rw,
 
   /var/lib/dbus/machine-id r,
   /etc/machine-id r,
@@ -60,7 +60,7 @@ profile cawbird @{exec_path} {
 
   # The orcexec.* file is JIT compiled code for various GStreamer elements.
   # If one is blocked the next is used instead.
-  owner /{var/,}run/user/[0-9]*/orcexec.* mrw,
+  owner @{run}/user/[0-9]*/orcexec.* mrw,
   #owner @{HOME}/orcexec.* mrw,
   #owner /tmp/orcexec.* mrw,
 

apparmor.d/cfdisk

@@ -27,8 +27,8 @@ profile cfdisk @{exec_path} {
 
   /etc/fstab r,
 
-  owner /{,var/}run/blkid/blkid.tab{,-*} rw,
-  owner /{,var/}run/blkid/blkid.tab.old rwl -> /{,var/}run/blkid/blkid.tab,
+  owner @{run}/blkid/blkid.tab{,-*} rw,
+  owner @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab,
 
   # A place for file images
   owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk,

apparmor.d/cgrulesengd

@@ -43,7 +43,7 @@ profile cgrulesengd @{exec_path} {
   owner @{PROC}/@{pid}/mounts r,
         @{PROC}/cgroups r,
 
-  owner /{var/,}run/cgred.socket w,
+  owner @{run}/cgred.socket w,
 
   /etc/cgconfig.conf r,
   /etc/cgrules.conf r,

apparmor.d/chromium-chromium

@@ -149,7 +149,7 @@ profile chromium-chromium @{exec_path} {
   @{sys}/devices/**/uevent r,
   @{sys}/class/ r,
   @{sys}/class/**/ r,
-  /{,var/}run/udev/data/* r,
+  @{run}/udev/data/* r,
   @{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{descriptors,manufacturer,product,serial,bConfigurationValue} r,
   @{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{busnum,devnum} r,
 

apparmor.d/code

@@ -133,8 +133,8 @@ profile code @{exec_path} {
   owner "/tmp/VSCode Crashes/" rw,
   owner /tmp/vscode-typescript[0-9]*/ rw,
 
-  owner /{var/,}run/user/[0-9]*/vscode-[0-9a-f]*-*-{shared,main}.sock rw,
-  owner /{var/,}run/user/[0-9]*/vscode-git-askpass-[0-9a-f]*.sock rw,
+  owner @{run}/user/[0-9]*/vscode-[0-9a-f]*-*-{shared,main}.sock rw,
+  owner @{run}/user/[0-9]*/vscode-git-askpass-[0-9a-f]*.sock rw,
 
   owner /tmp/vscode-ipc-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*.sock rw,
   # For installing extensions

apparmor.d/colord

@@ -39,8 +39,8 @@ profile colord @{exec_path} {
   @{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{uevent,bDeviceClass,removable} r,
   @{sys}/devices/virtual/dmi/id/{sys_vendor,product_version,product_name} r,
 
-  /{var/,}run/udev/data/c189:[0-9]* r, # for /dev/bus/usb/**
-  /{var/,}run/udev/data/+usb:* r,      #
+  @{run}/udev/data/c189:[0-9]* r, # for /dev/bus/usb/**
+  @{run}/udev/data/+usb:* r,      #
 
   owner @{PROC}/@{pid}/fd/ r,
         @{PROC}/@{pids}/cgroup r,

apparmor.d/colord-sane

@@ -38,8 +38,8 @@ profile colord-sane @{exec_path} flags=(complain) {
   @{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{uevent,busnum,devnum,speed,descriptors} r,
   @{sys}/devices/pci[0-9]*/**/{vendor,model,type} r,
 
-  /{var/,}run/udev/data/c189:[0-9]* r, # for /dev/bus/usb/**
-  /{var/,}run/udev/data/+usb:* r,      #
+  @{run}/udev/data/c189:[0-9]* r, # for /dev/bus/usb/**
+  @{run}/udev/data/+usb:* r,      #
 
   @{PROC}/sys/dev/parport/ r,
 

apparmor.d/cron

@@ -61,8 +61,8 @@ profile cron @{exec_path} {
 
   /var/spool/cron/crontabs/{,*} r,
 
-  owner /{,var/}run/crond.pid rwk,
-  owner /{,var/}run/crond.reboot rw,
+  owner @{run}/crond.pid rwk,
+  owner @{run}/crond.reboot rw,
 
   owner /tmp/#[0-9]*[0-9] rw,
 

apparmor.d/cron-apt-listbugs

@@ -22,7 +22,7 @@ profile cron-apt-listbugs @{exec_path} {
 
   /{usr/,}lib/ruby/vendor_ruby/aptlistbugs/prefclean rCx -> prefclean,
 
-  /{var/,}run/systemd/system r,
+  @{run}/systemd/system r,
 
 
   profile prefclean {

apparmor.d/cron-mlocate

@@ -31,7 +31,7 @@ profile cron-mlocate @{exec_path} {
   /{usr/,}bin/updatedb.mlocate rPx,
   /{usr/,}sbin/on_ac_power     rPx,
 
-  /{var/,}run/mlocate.daily.lock rwk,
+  @{run}/mlocate.daily.lock rwk,
 
   #include if exists <local/cron-mlocate>
 }

apparmor.d/dbus-daemon

@@ -40,9 +40,9 @@ profile dbus-daemon @{exec_path} {
 
   /usr/share/defaults/**.conf r,
 
-        /{var/,}run/systemd/users/[0-9]* r,
-  owner /{var/,}run/user/[0-9]*/dbus-1/ rw,
-  owner /{var/,}run/user/[0-9]*/dbus-1/services/ rw,
+        @{run}/systemd/users/[0-9]* r,
+  owner @{run}/user/[0-9]*/dbus-1/ rw,
+  owner @{run}/user/[0-9]*/dbus-1/services/ rw,
 
   # file_inherit
   owner /dev/tty[0-9]* rw,

apparmor.d/dconf-editor

@@ -25,8 +25,8 @@ profile dconf-editor @{exec_path} {
 
   @{exec_path} mr,
 
-  owner /{var/,}run/user/[0-9]*/dconf/ rw,
-  owner /{var/,}run/user/[0-9]*/dconf/user rw,
+  owner @{run}/user/[0-9]*/dconf/ rw,
+  owner @{run}/user/[0-9]*/dconf/user rw,
 
   # When GSETTINGS_BACKEND=keyfile
   owner @{HOME}/.config/glib-2.0/ rw,

apparmor.d/dconf-service

@@ -22,8 +22,8 @@ profile dconf-service @{exec_path} {
 
   @{exec_path} mr,
 
-  owner /{,var/}run/user/[0-9]*/dconf/ rw,
-  owner /{,var/}run/user/[0-9]*/dconf/user rw,
+  owner @{run}/user/[0-9]*/dconf/ rw,
+  owner @{run}/user/[0-9]*/dconf/user rw,
 
   owner @{HOME}/.config/dconf/ rw,
   owner @{HOME}/.config/dconf/user{,.*} rw,

apparmor.d/ddclient

@@ -29,7 +29,7 @@ profile ddclient @{exec_path} {
 
   /etc/ddclient.conf r,
 
-  /{,var/}run/ddclient.pid rw,
+  @{run}/ddclient.pid rw,
 
   /var/cache/ddclient/ddclient.cache rw,
 

apparmor.d/dhclient

@@ -40,8 +40,8 @@ profile dhclient @{exec_path} {
   /etc/dhcp/{,**} r,
 
   /var/lib/dhcp{,3}/dhclient* rw,
-  owner /{,var/}run/dhclient*.pid rw,
-  owner /{,var/}run/dhclient*.lease* rw,
+  owner @{run}/dhclient*.pid rw,
+  owner @{run}/dhclient*.lease* rw,
 
   owner @{PROC}/@{pid}/task/@{tid}/comm rw,
 

apparmor.d/dhclient-script

@@ -86,7 +86,7 @@ profile dhclient-script @{exec_path} {
   owner /tmp/variables.txt w,
 
   # For ntpd/ntpsec
-  /{var/,}run/systemd/netif/leases/ r,
+  @{run}/systemd/netif/leases/ r,
 
   # file_inherit
   /var/lib/dhcp/dhclient.leases r,

apparmor.d/dirmngr

@@ -29,8 +29,8 @@ profile dirmngr @{exec_path} {
 
   /usr/share/gnupg/sks-keyservers.netCA.pem r,
 
-  owner /{var/,}run/user/[0-9]*/gnupg/ rw,
-  owner /{var/,}run/user/[0-9]*/gnupg/S.dirmngr rw,
+  owner @{run}/user/[0-9]*/gnupg/ rw,
+  owner @{run}/user/[0-9]*/gnupg/S.dirmngr rw,
 
   owner @{PROC}/@{pid}/task/@{tid}/comm rw,
 

apparmor.d/discord

@@ -125,7 +125,7 @@ profile discord @{exec_path} {
   owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk,
   owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw,
 
-  owner /{var/,}run/user/[0-9]*/discord-ipc-[0-9] rw,
+  owner @{run}/user/[0-9]*/discord-ipc-[0-9] rw,
 
   /var/lib/dbus/machine-id r,
   /etc/machine-id r,

apparmor.d/dpkg-buildpackage

@@ -66,10 +66,16 @@ profile dpkg-buildpackage @{exec_path} flags=(complain) {
     /{usr/,}bin/patch   rix,
     /{usr/,}bin/diff    rix,
 
+    /{usr/,}bin/gpg       rix,
+    /{usr/,}bin/gpgv      rix,
+    /{usr/,}bin/gpg-agent rix,
+
     /etc/dpkg/origins/debian r,
 
-    owner /tmp/*.diff.* rw,
-    owner /tmp/* rw,
+    owner /tmp/** rwkl -> /tmp/**,
+    owner @{run}/user/[0-9]*/gnupg/** w,
+
+    @{PROC}/@{pid}/fd/ r,
 
     /usr/share/dpkg/tupletable r,
     /usr/share/dpkg/cputable r,

apparmor.d/dropbox

@@ -83,7 +83,7 @@ profile dropbox @{exec_path} {
   @{sys}/devices/virtual/block/dm-[0-9]*/dm/name r,
   @{sys}/devices/virtual/block/loop[0-9]/ r,
   @{sys}/devices/virtual/block/loop[0-9]/loop/{autoclear,backing_file} r,
-  /{,var/}run/mount/utab r,
+  @{run}/mount/utab r,
 
   deny       @{PROC}/ r,
   # Dropbox doesn't sync without the 'stat' file
@@ -117,7 +117,7 @@ profile dropbox @{exec_path} {
   owner /tmp/#[0-9]*[0-9] rw,
   owner /var/tmp/etilqs_* rw,
 
-  /{,var/}run/systemd/users/[0-9]* r,
+  @{run}/systemd/users/[0-9]* r,
 
   deny @{sys}/module/apparmor/parameters/enabled r,
 

apparmor.d/dumpe2fs

@@ -21,8 +21,8 @@ profile dumpe2fs @{exec_path} {
 
   @{exec_path} mr,
 
-  owner /{,var/}run/blkid/blkid.tab{,-*} rw,
-  owner /{,var/}run/blkid/blkid.tab.old rwl -> /{,var/}run/blkid/blkid.tab,
+  owner @{run}/blkid/blkid.tab{,-*} rw,
+  owner @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab,
 
   # Image files
   @{HOME}/** r,

apparmor.d/e2fsck

@@ -25,8 +25,8 @@ profile e2fsck @{exec_path} {
   /{usr/,}bin/dash       rix,
   /{usr/,}sbin/badblocks rPx,
 
-  owner /{,var/}run/blkid/blkid.tab{,-*} rw,
-  owner /{,var/}run/blkid/blkid.tab.old rwl -> /{,var/}run/blkid/blkid.tab,
+  owner @{run}/blkid/blkid.tab{,-*} rw,
+  owner @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab,
 
         @{PROC}/swaps r,
   owner @{PROC}/@{pid}/mounts r,

apparmor.d/exim4

@@ -51,9 +51,9 @@ profile exim4 @{exec_path} {
   owner /var/mail/*.lock.*.[0-9a-f]*.[0-9a-f]* w,
   owner /var/mail/*.lock wl -> /var/mail/*.lock.*.[0-9a-f]*.[0-9a-f]*,
 
-  owner /{,var/}run/exim4/exim.pid rw,
+  owner @{run}/exim4/exim.pid rw,
 
-  owner /{,var/}run/dbus/system_bus_socket rw,
+  owner @{run}/dbus/system_bus_socket rw,
 
   # file_inherit
   /tmp/#[0-9]*[0-9] rw,

apparmor.d/exo-compose-mail

@@ -22,7 +22,7 @@ profile exo-compose-mail @{exec_path} {
   /{usr/,}bin/perl r,
 
   # Mail clients
-  /usr/bin/thunderbird                    rPx,
+  /{usr/,}bin/thunderbird                 rPx,
   /{usr/,}lib/thunderbird/thunderbird     rPx,
   /{usr/,}lib/thunderbird/thunderbird-bin rPx,
 

apparmor.d/firefox

@@ -204,7 +204,7 @@ profile firefox @{exec_path} {
     /{usr/,}bin/telegram-desktop rPx,
     /{usr/,}bin/spacefm          rPx,
     /{usr/,}bin/qpdfview         rPx,
-    /{usr/,}share/xfce4/exo/exo-compose-mail rPx,
+    /usr/share/xfce4/exo/exo-compose-mail rPx,
 
     # file_inherit
     owner @{HOME}/.xsession-errors w,

apparmor.d/firejail-default

@@ -2,6 +2,10 @@
 # Generic Firejail AppArmor profile
 #########################################
 
+# AppArmor 3.0 uses the @{run} variable in <abstractions/dbus-strict>
+# and <abstractions/dbus-session-strict>.
+#include <tunables/global>
+
 ##########
 # A simple PID declaration based on Ubuntu's @{pid}
 # Ubuntu keeps it under tunables/kernelvars and include it via tunables/global.
@@ -19,6 +23,8 @@ profile firejail-default flags=(attach_disconnected,mediate_deleted) {
 #include <abstractions/dbus-strict>
 #include <abstractions/dbus-session-strict>
 dbus,
+# Add rule in order to avoid dbus-*=filter breakage (#3432)
+owner /{,var/}run/firejail/dbus/[0-9]*/[0-9]*-user w,
 
 ##########
 # With ptrace it is possible to inspect and hijack running programs.
@@ -47,6 +53,10 @@ owner /{,run/firejail/mnt/oroot/}{,var/}run/firejail/mnt/trace w,
 owner /{,run/firejail/mnt/oroot/}{,var/}run/user/[0-9]*/** w,
 owner /{,run/firejail/mnt/oroot/}{run,dev}/shm/** w,
 
+# Allow writing to /var/mail and /var/spool/mail (for mail clients)
+# Uncomment to enable
+#owner /var/{mail,spool/mail}/** w,
+
 # Allow writing to removable media
 owner /{,var/}run/media/** w,
 
@@ -60,18 +70,17 @@ owner /{,var/}run/media/** w,
 # Allow access to pcscd socket (smartcards)
 /{,var/}run/pcscd/pcscd.comm w,
 
-# Needed for firefox sandbox
-/proc/@{PID}/{uid_map,gid_map,setgroups} w,
+# Needed for browser self-sandboxing
+owner /proc/@{PID}/{uid_map,gid_map,setgroups} w,
 
 # Needed for electron apps
 /proc/@{PID}/comm w,
+# Needed for nslookup, dig, host
+/proc/@{PID}/task/@{PID}/comm w,
 
-# Silence noise
-deny /proc/@{PID}/oom_adj w,
-deny /proc/@{PID}/oom_score_adj w,
-
-# Uncomment to silence all denied write warnings
-#deny /sys/** w,
+# Used by chromium
+owner /proc/@{PID}/oom_score_adj w,
+owner /proc/@{PID}/clear_refs w,
 
 ##########
 # Allow running programs only from well-known system directories. If you need
@@ -80,7 +89,7 @@ deny /proc/@{PID}/oom_score_adj w,
 /{,run/firejail/mnt/oroot/}{,usr/,usr/local/}bin/** ix,
 /{,run/firejail/mnt/oroot/}{,usr/,usr/local/}sbin/** ix,
 /{,run/firejail/mnt/oroot/}{,usr/,usr/local/}games/** ix,
-/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}lib{,32,64}/** ix,
+/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}lib{,32,64,exec}/** ix,
 /{,run/firejail/mnt/oroot/}{,usr/,usr/local/}opt/** ix,
 #/{,run/firejail/mnt/oroot/}home/** ix,
 

apparmor.d/fsck

@@ -28,16 +28,16 @@ profile fsck @{exec_path} {
         @{PROC}/partitions r,
   owner @{PROC}/@{pid}/mountinfo r,
 
-  owner /{,var/}run/fsck/ rw,
-  owner /{,var/}run/fsck/*.lock rwk,
+  owner @{run}/fsck/ rw,
+  owner @{run}/fsck/*.lock rwk,
 
   # When a mount dir is passed to fsck as an argument.
   /media/*/ r,
   /boot/ r,
   /home/ r,
 
-  owner /{,var/}run/blkid/blkid.tab{,-*} rw,
-  owner /{,var/}run/blkid/blkid.tab.old rwl -> /{,var/}run/blkid/blkid.tab,
+  owner @{run}/blkid/blkid.tab{,-*} rw,
+  owner @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab,
 
   #include if exists <local/fsck>
 }

apparmor.d/gnome-keyring-daemon

@@ -32,8 +32,8 @@ profile gnome-keyring-daemon @{exec_path} {
   owner @{HOME}/.ssh/ r,
   owner @{HOME}/.ssh/** r,
 
-  owner /{,var/}run/user/[0-9]*/keyring/ rw,
-  owner /{,var/}run/user/[0-9]*/keyring/* rw,
+  owner @{run}/user/[0-9]*/keyring/ rw,
+  owner @{run}/user/[0-9]*/keyring/* rw,
 
   #include if exists <local/gnome-keyring-daemon>
 }

apparmor.d/google-chrome-chrome

@@ -157,7 +157,7 @@ profile google-chrome-chrome @{exec_path} {
   @{sys}/devices/**/uevent r,
   @{sys}/class/ r,
   @{sys}/class/**/ r,
-  /{,var/}run/udev/data/* r,
+  @{run}/udev/data/* r,
   @{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{descriptors,manufacturer,product,serial,bConfigurationValue} r,
   @{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{busnum,devnum} r,
 

apparmor.d/gparted

@@ -29,8 +29,8 @@ profile gparted @{exec_path} {
 
   /{usr/,}lib/udisks2/udisks2-inhibit  rix,
   /usr/libexec/udisks2/udisks2-inhibit rix,
-  /{var/,}run/udev/rules.d/ rw,
-  /{var/,}run/udev/rules.d/90-udisks-inhibit.rules rw,
+  @{run}/udev/rules.d/ rw,
+  @{run}/udev/rules.d/90-udisks-inhibit.rules rw,
 
   /{usr/,}bin/udevadm     rCx -> udevadm,
 
@@ -63,7 +63,7 @@ profile gparted @{exec_path} {
     @{sys}/** r,
     @{sys}/devices/virtual/block/**/uevent rw,
     @{sys}/devices/pci[0-9]*/**/block/**/uevent rw,
-    /{var/,}run/udev/data/* r,
+    @{run}/udev/data/* r,
 
   }
 

apparmor.d/gpartedbin

@@ -134,7 +134,7 @@ profile gpartedbin @{exec_path} {
   /var/lib/dbus/machine-id r,
   /etc/machine-id r,
 
-  /{var/,}run/mount/utab r,
+  @{run}/mount/utab r,
 
   # For fsck of the btrfs filesystem
   owner /tmp/gparted-*/ rw,
@@ -181,9 +181,9 @@ profile gpartedbin @{exec_path} {
 
     owner @{PROC}/@{pid}/mountinfo r,
 
-    owner /{,var/}run/mount/ rw,
-    owner /{,var/}run/mount/utab{,.*} rw,
-    owner /{,var/}run/mount/utab.lock wk,
+    owner @{run}/mount/ rw,
+    owner @{run}/mount/utab{,.*} rw,
+    owner @{run}/mount/utab.lock wk,
 
   }
 

apparmor.d/gpg

@@ -51,6 +51,24 @@ profile gpg @{exec_path} {
   # For spamassassin
   owner /var/lib/spamassassin/sa-update-keys/** rwkl -> /var/lib/spamassassin/sa-update-keys/**,
 
+  # For lintian
+  owner /tmp/temp-lintian-lab-*/**/debian/upstream/signing-key.asc r,
+  owner /tmp/lintian-pool-*/**/debian/upstream/signing-key.asc r,
+  owner /tmp/*/.#lk0x[0-9a-f]*.*.@{pid} rw,
+  owner /tmp/*/.#lk0x[0-9a-f]*.*.@{pid}x rwl -> /tmp/*/.#lk0x[0-9a-f]*.*.@{pid},
+  owner /tmp/*/trustdb.gpg rw,
+  owner /tmp/*/trustdb.gpg.lock rwl -> /tmp/*/.#lk0x[0-9a-f]*.*.@{pid},
+  owner /tmp/*/pubring.kbx rw,
+  owner /tmp/*/pubring.kbx.lock rwl -> /tmp/*/.#lk0x[0-9a-f]*.*.@{pid},
+  owner /tmp/*/gnupg_spawn_agent_sentinel.lock rwl -> /tmp/*/.#lk0x[0-9a-f]*.*.@{pid},
+  owner /tmp/*.gpg rw,
+  owner /tmp/*.gpg~ w,
+  owner /tmp/*.gpg.tmp rw,
+  owner /tmp/*.gpg.lock rwl -> /tmp/.#lk0x[0-9a-f]*.*.@{pid},
+  owner /tmp/.#lk0x[0-9a-f]*.*.@{pid} rw,
+  owner /tmp/.#lk0x[0-9a-f]*.*.@{pid}x rwl -> /tmp/.#lk0x[0-9a-f]*.*.@{pid},
+  owner @{run}/user/[0-9]*/gnupg/d.*/ rw,
+
   # Verify files
   owner @{HOME}/** r,
   owner /media/*/** r,

apparmor.d/gpg-agent

@@ -43,7 +43,7 @@ profile gpg-agent @{exec_path} {
 
   # For debuild
   owner /tmp/dpkg-import-key.*/private-keys-v1.d/ w,
-  owner /{var/,}run/user/[0-9]*/gnupg/d.*/S.gpg-agent{,.extra,.browser,.ssh} w,
+  owner @{run}/user/[0-9]*/gnupg/d.*/S.gpg-agent{,.extra,.browser,.ssh} w,
 
   @{PROC}/@{pid}/fd/ r,
 

apparmor.d/hw-probe

@@ -130,7 +130,7 @@ profile hw-probe @{exec_path} {
 
     /{usr/,}bin/journalctl mr,
 
-    /{var/,}run/log/ rw,
+    @{run}/log/ rw,
     /{run,var}/log/journal/ rw,
     /{run,var}/log/journal/[0-9a-f]*/ rw,
     /{run,var}/log/journal/[0-9a-f]*/user-[0-9a-f]*.journal* rw,
@@ -189,7 +189,7 @@ profile hw-probe @{exec_path} {
     @{sys}/class/ r,
     @{sys}/class/*/ r,
     @{sys}/devices/**/uevent r,
-    /{var/,}run/udev/data/* r,
+    @{run}/udev/data/* r,
 
   }
 

apparmor.d/hwinfo

@@ -108,7 +108,7 @@ profile hwinfo @{exec_path} {
           @{PROC}/sys/kernel/osrelease r,
 
     @{sys}/** r,
-    /{var/,}run/udev/data/* r,
+    @{run}/udev/data/* r,
 
     # file_inherit
     owner /tmp/hwinfo*.txt rw,

apparmor.d/ifup

@@ -37,9 +37,9 @@ profile ifup @{exec_path} {
   /etc/network/interfaces r,
   /etc/network/interfaces.d/{,*} r,
 
-  /{var/,}run/network/ rw,
-  /{var/,}run/network/{.,}ifstate* rwk,
-  /{var/,}run/network/{ifup,ifdown}-*.pid rw,
+  @{run}/network/ rw,
+  @{run}/network/{.,}ifstate* rwk,
+  @{run}/network/{ifup,ifdown}-*.pid rw,
 
   # For setting a USB modem
   owner /dev/ttyUSB[0-9]* rw,

apparmor.d/initd-kexec

@@ -63,8 +63,8 @@ profile initd-kexec @{exec_path} {
 
     /dev/kmsg w,
 
-    owner /{var/,}run/systemd/ask-password/ rw,
-    owner /{var/,}run/systemd/ask-password-block/* rw,
+    owner @{run}/systemd/ask-password/ rw,
+    owner @{run}/systemd/ask-password-block/* rw,
 
   }
 

apparmor.d/initd-kexec-load

@@ -78,8 +78,8 @@ profile initd-kexec-load @{exec_path} {
 
     /dev/kmsg w,
 
-    owner /{var/,}run/systemd/ask-password/ rw,
-    owner /{var/,}run/systemd/ask-password-block/* rw,
+    owner @{run}/systemd/ask-password/ rw,
+    owner @{run}/systemd/ask-password-block/* rw,
 
   }
 

apparmor.d/initd-kmod

@@ -58,8 +58,8 @@ profile initd-kmod @{exec_path} {
     owner @{PROC}/@{pid}/stat r,
     owner @{PROC}/@{pid}/fd/ r,
 
-    owner /{var/,}run/systemd/ask-password/ rw,
-    owner /{var/,}run/systemd/ask-password-block/* rw,
+    owner @{run}/systemd/ask-password/ rw,
+    owner @{run}/systemd/ask-password-block/* rw,
 
   }
 

apparmor.d/inxi

@@ -77,7 +77,7 @@ profile inxi @{exec_path} {
   @{HOME}/.local/share/xorg/ r,
   @{HOME}/.local/share/xorg/Xorg.[0-9]*.log r,
 
-  /{var/,}run/ r,
+  @{run}/ r,
 
   @{PROC}/asound/ r,
   @{PROC}/asound/version r,
@@ -144,7 +144,7 @@ profile inxi @{exec_path} {
           @{PROC}/sys/kernel/osrelease r,
 
     @{sys}/devices/pci[0-9]*/**/block/**/uevent r,
-    /{var/,}run/udev/data/b* r,
+    @{run}/udev/data/b* r,
 
   }
 

apparmor.d/ip

@@ -35,14 +35,14 @@ profile ip @{exec_path} flags=(attach_disconnected) {
   mount options=(rw, bind)    /etc/netns/firefox/resolv.conf -> /etc/resolv.conf,
   mount fstype=sysfs            -> /sys/,
 
-  umount /{var/,}run/netns/*,
+  umount @{run}/netns/*,
   umount /sys/,
 
   /etc/iproute2/{,**} r,
 
   / r,
-  owner /{var/,}run/netns/ rw,
-        /{var/,}run/netns/* rw,
+  owner @{run}/netns/ rw,
+        @{run}/netns/* rw,
   /etc/netns/*/ r,
 
   owner @{PROC}/@{pid}/cgroup r,

apparmor.d/kconfig-hardened-check

@@ -23,8 +23,13 @@ profile kconfig-hardened-check @{exec_path} {
 
   /{usr/,}bin/ r,
 
+
+  # The usual kernel config locations
   /boot/config-* r,
   @{PROC}/config.gz r,
 
+  # This is for kernels, which are built manually
+  owner /**/.config r,
+
   #include if exists <local/kconfig-hardened-check>
 }

apparmor.d/keepassxc

@@ -89,8 +89,8 @@ profile keepassxc @{exec_path} {
   @{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{uevent,speed,descriptors} r,
   @{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{busnum,devnum} r,
 
-  /{var/,}run/udev/data/c189:[0-9]* r, # for /dev/bus/usb/**
-  /{var/,}run/udev/data/+usb:* r,      #
+  @{run}/udev/data/c189:[0-9]* r, # for /dev/bus/usb/**
+  @{run}/udev/data/+usb:* r,      #
 
   /dev/bus/usb/ r,
   /dev/shm/#[0-9]*[0-9] rw,
@@ -100,10 +100,10 @@ profile keepassxc @{exec_path} {
   owner @{HOME}/.config/chromium/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json rw,
   owner @{HOME}/.config/BraveSoftware/Brave-Browser{,-Beta,-Dev}/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json rw,
   owner @{HOME}/.mozilla/native-messaging-hosts/org.keepassxc.keepassxc_browser.json rw,
-  owner /{var/,}run/user/[0-9]*/.[a-zA-Z]*/{,s} rw,
-  owner /{var/,}run/user/[0-9]*/kpxc_server rw,
+  owner @{run}/user/[0-9]*/.[a-zA-Z]*/{,s} rw,
+  owner @{run}/user/[0-9]*/kpxc_server rw,
 
-  owner /{var/,}run/user/[0-9]*/org.keepassxc.KeePassXC.BrowserServer w,
+  owner @{run}/user/[0-9]*/org.keepassxc.KeePassXC.BrowserServer w,
 
   /var/lib/dbus/machine-id r,
   /etc/machine-id r,

apparmor.d/keepassxc-proxy

@@ -24,8 +24,8 @@ profile keepassxc-proxy @{exec_path} {
   @{exec_path} mr,
 
   # file_inherit
-  deny owner /{var/,}run/user/[0-9]*/.[a-zA-Z]*/{,s} rw,
-  deny owner /{var/,}run/user/[0-9]*/kpxc_server rw,
+  deny owner @{run}/user/[0-9]*/.[a-zA-Z]*/{,s} rw,
+  deny owner @{run}/user/[0-9]*/kpxc_server rw,
   deny       /dev/shm/org.chromium.* rw,
   deny owner /dev/shm/org.mozilla.ipc.[0-9]*.[0-9]* rw,
   #

apparmor.d/kodi

@@ -87,7 +87,7 @@ profile kodi @{exec_path} {
   @{sys}/devices/system/cpu/cpufreq/policy[0-9]*/scaling_cur_freq r,
   @{sys}/devices/virtual/thermal/thermal_zone[0-9]*/temp r,
 
-  /{var/,}run/udev/data/* r,
+  @{run}/udev/data/* r,
 
   /var/lib/dbus/machine-id r,
   /etc/machine-id r,

apparmor.d/light-locker

@@ -33,14 +33,14 @@ profile light-locker @{exec_path} {
   owner @{PROC}/@{pid}/cgroup r,
 
   # when locking the screen and switching/closing sessions
-  /{,var/}run/systemd/sessions/[0-9]* r,
+  @{run}/systemd/sessions/[0-9]* r,
 
   # To silecne the following error:
   #  dconf-CRITICAL **: unable to create file '/run/user/1000/dconf/user': Permission denied.
   #  dconf will not work properly.
   ##include <abstractions/dconf>
-  #owner /{var/,}run/user/[0-9]*/dconf/ w,
-  #owner /{var/,}run/user/[0-9]*/dconf/user rw,
+  #owner @{run}/user/[0-9]*/dconf/ w,
+  #owner @{run}/user/[0-9]*/dconf/user rw,
   #include <abstractions/deny-dconf>
 
   @{sys}/devices/pci[0-9]*/**/uevent r,

apparmor.d/lightdm

@@ -99,8 +99,8 @@ profile lightdm @{exec_path} {
   /var/log/lightdm/{,**} rw,
   /var/log/btmp wk,
 
-  /{,var/}run/lightdm/{,**} rw,
-  /{,var/}run/lightdm.pid rw,
+  @{run}/lightdm/{,**} rw,
+  @{run}/lightdm.pid rw,
 
   @{PROC}/1/limits r,
   /etc/security/limits.d/ r,

apparmor.d/lintian

@@ -53,6 +53,7 @@ profile lintian @{exec_path} flags=(complain) {
   /{usr/,}bin/filterdiff         rix,
   /{usr/,}bin/lexgrog            rix,
   /{usr/,}bin/mv                 rix,
+  /usr/bin/cp rix,
 
   /{usr/,}bin/{,@{multiarch}-}ar      rix,
   /{usr/,}bin/{,@{multiarch}-}readelf rix,
@@ -65,6 +66,8 @@ profile lintian @{exec_path} flags=(complain) {
   /{usr/,}bin/man                rPx,
   /{usr/,}bin/dpkg-architecture  rPx,
 
+  /usr/share/intltool-debian/* rCx -> intltool,
+
   /usr/share/lintian/{,**} rk,
 
   /etc/lintianrc r,
@@ -85,6 +88,8 @@ profile lintian @{exec_path} flags=(complain) {
   owner /tmp/*/random_seed w,
 
   owner /tmp/* rw,
+  owner /tmp/lintian-po-debconf-*/ rw,
+  owner /tmp/lintian-po-debconf-*/** rw,
 
   # For pbuilder
   owner @{BUILD_DIR}/**.{changes,dsc,buildinfo,tar.*,deb} rk,
@@ -158,7 +163,27 @@ profile lintian @{exec_path} flags=(complain) {
     owner /tmp/*.gpg.lock rwl -> /tmp/.#lk0x[0-9a-f]*.*.@{pid},
     owner /tmp/.#lk0x[0-9a-f]*.*.@{pid} rw,
     owner /tmp/.#lk0x[0-9a-f]*.*.@{pid}x rwl -> /tmp/.#lk0x[0-9a-f]*.*.@{pid},
-    owner /{var/,}run/user/[0-9]*/gnupg/d.*/ rw,
+    owner @{run}/user/[0-9]*/gnupg/d.*/ rw,
+
+    # file_inherit
+    owner /tmp/* rw,
+
+  }
+
+
+  profile intltool flags=(complain) {
+    #include <abstractions/base>
+    #include <abstractions/perl>
+
+    /usr/share/intltool-debian/* mrix,
+
+    /usr/bin/dash rix,
+    /usr/bin/xgettext rix,
+
+    /usr/share/gettext/** r,
+    /usr/share/gettext-*/** r,
+
+    owner /tmp/lintian-po-debconf-*/** rw,
 
     # file_inherit
     owner /tmp/* rw,

apparmor.d/lsblk

@@ -24,7 +24,7 @@ profile lsblk @{exec_path} {
         @{PROC}/swaps r,
   owner @{PROC}/@{pid}/mountinfo r,
 
-  /{var/,}run/mount/utab r,
+  @{run}/mount/utab r,
 
   #include if exists <local/lsblk>
 }

apparmor.d/lsusb

@@ -28,8 +28,8 @@ profile lsusb @{exec_path} {
 
   @{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**} r,
 
-  /{var/,}run/udev/data/c189:[0-9]* r, # for /dev/bus/usb/**
-  /{var/,}run/udev/data/+usb:* r,      #
+  @{run}/udev/data/c189:[0-9]* r, # for /dev/bus/usb/**
+  @{run}/udev/data/+usb:* r,      #
 
   /etc/udev/hwdb.bin r,
 

apparmor.d/mke2fs

@@ -30,8 +30,8 @@ profile mke2fs @{exec_path} {
   owner @{PROC}/@{pid}/mounts r,
         @{PROC}/swaps r,
 
-  owner /{,var/}run/blkid/blkid.tab{,-*} rw,
-  owner /{,var/}run/blkid/blkid.tab.old rwl -> /{,var/}run/blkid/blkid.tab,
+  owner @{run}/blkid/blkid.tab{,-*} rw,
+  owner @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab,
 
   # A place for file images
   owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk,

apparmor.d/mount

@@ -56,9 +56,9 @@ profile mount @{exec_path} flags=(complain) {
 
   owner @{PROC}/@{pid}/mountinfo r,
 
-  owner /{,var/}run/mount/ rw,
-  owner /{,var/}run/mount/utab{,.*} rw,
-  owner /{,var/}run/mount/utab.lock wk,
+  owner @{run}/mount/ rw,
+  owner @{run}/mount/utab{,.*} rw,
+  owner @{run}/mount/utab.lock wk,
 
   #include if exists <local/mount>
 }

apparmor.d/mpv

@@ -132,14 +132,14 @@ profile mpv @{exec_path} {
   @{sys}/devices/**/input/**/uevent r,
   @{sys}/devices/**/input/**/capabilities/* r,
   /dev/input/event[0-9]* r,
-  /{var/,}run/udev/data/+input:input[0-9]* r,
-  /{var/,}run/udev/data/c13:[0-9]* r,  # for /dev/input/*
+  @{run}/udev/data/+input:input[0-9]* r,
+  @{run}/udev/data/c13:[0-9]* r,  # for /dev/input/*
   #
   @{sys}/class/sound/ r,
   @{sys}/devices/**/sound/**/uevent r,
   @{sys}/devices/**/sound/**/capabilities/* r,
-  /{var/,}run/udev/data/+sound:* r,
-  /{var/,}run/udev/data/c116:[0-9]* r, # for ALSA
+  @{run}/udev/data/+sound:* r,
+  @{run}/udev/data/c116:[0-9]* r, # for ALSA
 
   # Be able to turn off the screensaver while playing movies
   /{usr/,}bin/xdg-screensaver rPUx,

apparmor.d/mumble

@@ -55,8 +55,8 @@ profile mumble @{exec_path} {
   /dev/shm/MumbleLink.[0-9]*[0-9] rw,
   /dev/shm/#[0-9]*[0-9] rw,
 
-  owner /{var/,}run/user/[0-9]*/MumbleSocket rw,
-  owner /{var/,}run/user/[0-9]*/MumbleOverlayPipe rw,
+  owner @{run}/user/[0-9]*/MumbleSocket rw,
+  owner @{run}/user/[0-9]*/MumbleOverlayPipe rw,
 
   deny owner @{PROC}/@{pid}/cmdline r,
        owner @{PROC}/@{pid}/fd/ r,

apparmor.d/networkctl

@@ -34,8 +34,8 @@ profile networkctl @{exec_path} flags=(complain) {
 
   @{sys}/devices/**/net/**/uevent r,
 
-  /{var/,}run/systemd/netif/links/[0-9]* r,
-  /{var/,}run/systemd/netif/state r,
+  @{run}/systemd/netif/links/[0-9]* r,
+  @{run}/systemd/netif/state r,
 
   owner @{PROC}/@{pid}/stat r,
         @{PROC}/sys/kernel/random/boot_id r,
@@ -43,7 +43,7 @@ profile networkctl @{exec_path} flags=(complain) {
   /etc/udev/hwdb.bin r,
 
   # To be able to read logs
-  /{var/,}run/log/ r,
+  @{run}/log/ r,
   /{run,var}/log/journal/ r,
   /{run,var}/log/journal/[0-9a-f]*/ r,
   /{run,var}/log/journal/[0-9a-f]*/user-[0-9a-f]*.journal* r,

apparmor.d/nvidia_modprobe

@@ -22,11 +22,13 @@ profile nvidia_modprobe {
 
   # System files
 
+  /dev/nvidia-modeset w,
   /dev/nvidia-uvm w,
   /dev/nvidia-uvm-tools w,
   @{sys}/bus/pci/devices/ r,
   @{sys}/devices/pci[0-9]*/**/config r,
   @{PROC}/devices r,
+  @{PROC}/driver/nvidia/params r,
   @{PROC}/modules r,
   @{PROC}/sys/kernel/modprobe r,
 

apparmor.d/openvpn

@@ -43,7 +43,7 @@ profile openvpn @{exec_path} {
 
   /var/log/openvpn/*.log w,
 
-  /{,var/}run/openvpn/*.{pid,status} rw,
+  @{run}/openvpn/*.{pid,status} rw,
 
   /{usr/,}bin/ip                        rix,
   /{usr/,}bin/systemd-ask-password      rCx -> systemd-ask-password,

apparmor.d/opera

@@ -149,7 +149,7 @@ profile opera @{exec_path} {
   @{sys}/devices/**/uevent r,
   @{sys}/class/ r,
   @{sys}/class/**/ r,
-  /{,var/}run/udev/data/* r,
+  @{run}/udev/data/* r,
   @{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{descriptors,manufacturer,product,serial,bConfigurationValue} r,
   @{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{busnum,devnum} r,
 

apparmor.d/polkitd

@@ -43,8 +43,8 @@ profile polkitd @{exec_path} {
 
   owner /var/lib/polkit-1/.cache/ rw,
 
-  /{,var/}run/systemd/sessions/* r,
-  /{,var/}run/systemd/users/[0-9]* r,
+  @{run}/systemd/sessions/* r,
+  @{run}/systemd/users/[0-9]* r,
 
   #include if exists <local/polkitd>
 }

apparmor.d/ps

@@ -57,7 +57,7 @@ profile ps @{exec_path} flags=(attach_disconnected) {
        @{PROC}/tty/drivers r,
        @{PROC}/uptime r,
 
-  /{var/,}run/systemd/sessions/[0-9]* r,
+  @{run}/systemd/sessions/[0-9]* r,
 
   @{sys}/devices/system/node/ r,
   @{sys}/devices/system/node/node[0-9]*/meminfo r,

apparmor.d/psi-plus

@@ -89,7 +89,7 @@ profile psi-plus @{exec_path} {
   owner /tmp/#[0-9]*[0-9] rw,
   owner /tmp/Psi+.* rwl -> /tmp/#[0-9]*[0-9],
 
-  /{var/,}run/systemd/inhibit/[0-9]*.ref rw,
+  @{run}/systemd/inhibit/[0-9]*.ref rw,
 
   /usr/share/hwdata/pnp.ids r,
 

apparmor.d/pulseaudio

@@ -42,8 +42,8 @@ profile pulseaudio @{exec_path} {
   # TCP wrap
   /etc/hosts.{allow,deny} r,
 
-  owner /{,var/}run/user/[0-9]*/ rw,
-  owner /{,var/}run/user/[0-9]*/pulse/{,*} rw,
+  owner @{run}/user/[0-9]*/ rw,
+  owner @{run}/user/[0-9]*/pulse/{,*} rw,
 
   /usr/share/applications/{,**} r,
 
@@ -51,14 +51,14 @@ profile pulseaudio @{exec_path} {
   @{sys}/class/ r,
   @{sys}/class/sound/ r,
   @{sys}/devices/**/sound/**/{uevent,pcm_class} r,
-  /{,var/}run/udev/data/+sound* r,
-  /{,var/}run/udev/data/c116:[0-9]* r, # For ALSA
+  @{run}/udev/data/+sound* r,
+  @{run}/udev/data/c116:[0-9]* r, # For ALSA
 
   @{sys}/devices/virtual/dmi/id/{bios_vendor,board_vendor,sys_vendor} r,
   @{sys}/devices/system/node/ r,
   @{sys}/devices/system/node/node[0-9]/meminfo r,
 
-  /{,var/}run/systemd/users/[0-9]* r,
+  @{run}/systemd/users/[0-9]* r,
 
   owner @{PROC}/@{pid}/fd/ r,
   owner @{PROC}/@{pid}/stat r,
@@ -68,7 +68,7 @@ profile pulseaudio @{exec_path} {
 
   # The orcexec.* file is JIT compiled code for various GStreamer elements.
   # If one is blocked the next is used instead.
-  owner /{var/,}run/user/[0-9]*/orcexec.* mrw,
+  owner @{run}/user/[0-9]*/orcexec.* mrw,
   #owner @{HOME}/orcexec.* mrw,
   #owner /tmp/orcexec.* mrw,
 

apparmor.d/quiterss

@@ -71,7 +71,7 @@ profile quiterss @{exec_path} {
 
   # The orcexec.* file is JIT compiled code for various GStreamer elements.
   # If one is blocked the next is used instead.
-  owner /{var/,}run/user/[0-9]*/orcexec.* mrw,
+  owner @{run}/user/[0-9]*/orcexec.* mrw,
   #owner @{HOME}/orcexec.* mrw,
   #owner /tmp/orcexec.* mrw,
 

apparmor.d/rsyslogd

@@ -44,8 +44,8 @@ profile rsyslogd @{exec_path} {
   /var/spool/rsyslog/ r,
   /var/spool/rsyslog/** rw,
 
-  owner /{,var/}run/rsyslogd.pid{,.tmp} rwk,
-  owner /{,var/}run/systemd/journal/syslog w,
+  owner @{run}/rsyslogd.pid{,.tmp} rwk,
+  owner @{run}/systemd/journal/syslog w,
 
   # log files and devices
   /var/log/** rw,

apparmor.d/scdaemon

@@ -21,12 +21,12 @@ profile scdaemon @{exec_path} {
 
   owner @{HOME}/.gnupg/scdaemon.conf r,
 
-  owner /{,var/}run/user/[0-9]*/gnupg/S.scdaemon rw,
+  owner @{run}/user/[0-9]*/gnupg/S.scdaemon rw,
 
   @{PROC}/@{pid}/task/@{tid}/comm rw,
 
-  /{var/,}run/udev/data/c189:[0-9]* r, # for /dev/bus/usb/**
-  /{var/,}run/udev/data/+usb:* r,      #
+  @{run}/udev/data/c189:[0-9]* r, # for /dev/bus/usb/**
+  @{run}/udev/data/+usb:* r,      #
 
   /dev/bus/usb/ r,
   @{sys}/bus/ r,

apparmor.d/sddm

@@ -100,7 +100,7 @@ profile sddm @{exec_path} {
   owner @{HOME}/.local/share/kwalletd/ rw,
   owner @{HOME}/.local/share/kwalletd/kdewallet.salt rw,
         @{HOME}/.local/share/kwalletd/kdewallet.salt r,
-  owner /{,var/}run/user/[0-9]*/kwallet5.socket rw,
+  owner @{run}/user/[0-9]*/kwallet5.socket rw,
   /var/log/btmp wk,
 
   # Themes
@@ -135,8 +135,8 @@ profile sddm @{exec_path} {
         /tmp/sddm-* rw,
   owner /tmp/*/{,s} rw,
 
-  owner /{,var/}run/sddm/ rw,
-        /{,var/}run/sddm/* w,
+  owner @{run}/sddm/ rw,
+        @{run}/sddm/* w,
 
   # Session error logs
   # Creating the dir structure is needed when a new user is logging in for the very first time
@@ -165,7 +165,7 @@ profile sddm @{exec_path} {
   # Run SDDM on a specific TTY
   /dev/tty[0-9]* rw,
 
-  /{,var/}run/systemd/sessions/[0-9]*.ref rw,
+  @{run}/systemd/sessions/[0-9]*.ref rw,
 
 
   profile sddm-scripts {
@@ -201,10 +201,10 @@ profile sddm @{exec_path} {
     owner @{HOME}/.Xauthority-n rw,
     owner @{HOME}/.Xauthority   rwl -> @{HOME}/.Xauthority-n,
 
-    owner /{var/,}run/sddm/\{[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*\}-c  w,
-    owner /{var/,}run/sddm/\{[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*\}-l  wl -> /{var/,}run/sddm/\{[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*\}-c,
-    owner /{var/,}run/sddm/\{[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*\}-n rw,
-    owner /{var/,}run/sddm/\{[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*\}   rwl -> /{var/,}run/sddm/\{[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*\}-n,
+    owner @{run}/sddm/\{[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*\}-c  w,
+    owner @{run}/sddm/\{[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*\}-l  wl -> @{run}/sddm/\{[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*\}-c,
+    owner @{run}/sddm/\{[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*\}-n rw,
+    owner @{run}/sddm/\{[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*\}   rwl -> @{run}/sddm/\{[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*\}-n,
 
   }
 

apparmor.d/sddm-greeter

@@ -92,7 +92,7 @@ profile sddm-greeter @{exec_path} {
 
   /usr/share/hwdata/pnp.ids r,
 
-  owner /{,var/}run/sddm/{,*} rw,
+  owner @{run}/sddm/{,*} rw,
 
   /{usr/,}lib/@{multiarch}/ld-*.so mr,
 

apparmor.d/sddm-xsession

@@ -136,7 +136,7 @@ profile sddm-xsession @{exec_path} {
     @{sys}/class/ r,
     @{sys}/class/*/ r,
     @{sys}/devices/**/uevent r,
-    /{var/,}run/udev/data/* r,
+    @{run}/udev/data/* r,
 
   }
 

apparmor.d/ssh-agent

@@ -30,7 +30,7 @@ profile ssh-agent @{exec_path} {
   /{usr/,}bin/enlightenment_start  rPUx,
 
   # When started via systemd
-  /{var/,}run/user/[0-9]*/openssh_agent rw,
+  @{run}/user/[0-9]*/openssh_agent rw,
 
   # askpass apps
   #/{usr/,}lib/ssh/x11-ssh-askpass rPUx,

apparmor.d/strawberry

@@ -76,7 +76,7 @@ profile strawberry @{exec_path} {
        owner @{PROC}/@{pid}/fd/ r,
   deny       @{PROC}/sys/kernel/random/boot_id r,
 
-  /{var/,}run/mount/utab r,
+  @{run}/mount/utab r,
 
   /etc/fstab r,
 
@@ -89,7 +89,7 @@ profile strawberry @{exec_path} {
 
   # The orcexec.* file is JIT compiled code for various GStreamer elements.
   # If one is blocked the next is used instead.
-  owner /{var/,}run/user/[0-9]*/orcexec.* mrw,
+  owner @{run}/user/[0-9]*/orcexec.* mrw,
   #owner @{HOME}/orcexec.* mrw,
   #owner /tmp/orcexec.* mrw,
 

apparmor.d/sudo

@@ -52,9 +52,9 @@ profile sudo @{exec_path} {
   /dev/ r,
 
   # For timestampdir
-  owner /{var/,}run/sudo/ rw,
-  owner /{var/,}run/sudo/ts/ rw,
-  owner /{var/,}run/sudo/ts/* rwk,
+  owner @{run}/sudo/ rw,
+  owner @{run}/sudo/ts/ rw,
+  owner @{run}/sudo/ts/* rwk,
 
   @{PROC}/@{pid}/fd/ r,
   @{PROC}/@{pids}/stat r,