diff --git a/apparmor.d/profiles-g-l/gajim b/apparmor.d/profiles-g-l/gajim index 63701b8e..1c36d11b 100644 --- a/apparmor.d/profiles-g-l/gajim +++ b/apparmor.d/profiles-g-l/gajim @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/gajim +@{exec_path} = @{bin}/gajim profile gajim @{exec_path} { include include @@ -35,27 +35,27 @@ profile gajim @{exec_path} { @{exec_path} r, - /{usr/,}bin/ r, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/uname rix, - /{usr/,}{s,}bin/ldconfig rix, + @{bin}/ r, + @{bin}/{,ba,da}sh rix, + @{bin}/ldconfig rix, + @{bin}/uname rix, # To play sounds - /{usr/,}bin/aplay rix, - /{usr/,}bin/pacat rix, + @{bin}/aplay rix, + @{bin}/pacat rix, # Needed for GPG/PGP support - /{usr/,}bin/gpg{,2} rCx -> gpg, - /{usr/,}bin/gpgconf rCx -> gpg, - /{usr/,}bin/gpgsm rCx -> gpg, + @{bin}/gpg{,2} rCx -> gpg, + @{bin}/gpgconf rCx -> gpg, + @{bin}/gpgsm rCx -> gpg, - /{usr/,}bin/ccache rCx -> ccache, - /{usr/,}bin/{,@{multiarch}-}ld.bfd rCx -> ccache, + @{bin}/ccache rCx -> ccache, + @{bin}/{,@{multiarch}-}ld.bfd rCx -> ccache, # External apps - /{usr/,}bin/xdg-settings rPx, - /{usr/,}lib/firefox/firefox rPx, - /{usr/,}bin/spacefm rPx, + @{bin}/xdg-settings rPx, + @{lib}/firefox/firefox rPx, + @{bin}/spacefm rPx, # Gajim plugins /usr/share/gajim/plugins/{,**} r, @@ -99,13 +99,13 @@ profile gajim @{exec_path} { include include - /{usr/,}bin/ccache mr, + @{bin}/ccache mr, - /{usr/,}lib/llvm-[0-9]*/bin/clang rix, - /{usr/,}bin/{,@{multiarch}-}gcc-[0-9]* rix, - /{usr/,}bin/{,@{multiarch}-}g++-[0-9]* rix, - /{usr/,}bin/{,@{multiarch}-}ld.bfd rix, - /{usr/,}lib/gcc/@{multiarch}/[0-9]*/collect2 rix, + @{lib}/llvm-[0-9]*/bin/clang rix, + @{bin}/{,@{multiarch}-}gcc-[0-9]* rix, + @{bin}/{,@{multiarch}-}g++-[0-9]* rix, + @{bin}/{,@{multiarch}-}ld.bfd rix, + @{lib}/gcc/@{multiarch}/[0-9]*/collect2 rix, owner /tmp/cc* rw, owner /tmp/tmp* rw, 
@@ -121,12 +121,12 @@ profile gajim @{exec_path} { profile gpg { include - /{usr/,}bin/gpg{,2} mr, - /{usr/,}bin/gpgconf mr, - /{usr/,}bin/gpgsm mr, + @{bin}/gpg{,2} mr, + @{bin}/gpgconf mr, + @{bin}/gpgsm mr, - /{usr/,}bin/gpg-agent rix, - /{usr/,}lib/gnupg/scdaemon rix, + @{bin}/gpg-agent rix, + @{lib}/gnupg/scdaemon rix, owner @{run}/user/@{uid}/gnupg/d.*/ rw, owner @{run}/user/@{uid}/gnupg/d.*/S.gpg-agent{,.extra,.browser,.ssh} w, diff --git a/apparmor.d/profiles-g-l/games-wesnoth-sh b/apparmor.d/profiles-g-l/games-wesnoth-sh index 167009b1..6c5a4b69 100644 --- a/apparmor.d/profiles-g-l/games-wesnoth-sh +++ b/apparmor.d/profiles-g-l/games-wesnoth-sh @@ -11,13 +11,13 @@ profile games-wesnoth-sh @{exec_path} { include @{exec_path} r, - /{usr/,}bin/{,ba,da}sh rix, + @{bin}/{,ba,da}sh rix, /usr/games/wesnoth{,-[0-9]*} rPx, # For the editor - /{usr/,}bin/basename rix, - /{usr/,}bin/sed rix, + @{bin}/basename rix, + @{bin}/sed rix, # file_inherit owner @{HOME}/.xsession-errors w, diff --git a/apparmor.d/profiles-g-l/ganyremote b/apparmor.d/profiles-g-l/ganyremote index 4d7890d3..ba657908 100644 --- a/apparmor.d/profiles-g-l/ganyremote +++ b/apparmor.d/profiles-g-l/ganyremote @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/ganyremote +@{exec_path} = @{bin}/ganyremote profile ganyremote @{exec_path} { include include 
@@ -23,33 +23,33 @@ profile ganyremote @{exec_path} { network inet6 stream, @{exec_path} r, - /{usr/,}bin/python3.[0-9]* r, + @{bin}/python3.[0-9]* r, - /{usr/,}bin/ r, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/rm rix, - /{usr/,}bin/{,e}grep rix, - /{usr/,}bin/cut rix, - /{usr/,}bin/id rix, - /{usr/,}bin/which{,.debianutils} rix, - /{usr/,}bin/tr rix, - /{usr/,}bin/{m,g,}awk rix, + @{bin}/ r, + @{bin}/{,ba,da}sh rix, + @{bin}/rm rix, + @{bin}/{,e}grep rix, + @{bin}/cut rix, + @{bin}/id rix, + @{bin}/which{,.debianutils} rix, + @{bin}/tr rix, + @{bin}/{m,g,}awk rix, - /{usr/,}bin/anyremote rPx, - /{usr/,}bin/ps rPx, + @{bin}/anyremote rPx, + @{bin}/ps rPx, - /{usr/,}bin/killall rCx -> killall, - /{usr/,}bin/pgrep rCx -> pgrep, + @{bin}/killall rCx -> killall, + @{bin}/pgrep rCx -> pgrep, - /{usr/,}bin/pacmd rPUx, - /{usr/,}bin/pactl rPUx, + @{bin}/pacmd rPUx, + @{bin}/pactl rPUx, # Players - /{usr/,}bin/smplayer rPUx, - /{usr/,}bin/amarok rPUx, - /{usr/,}bin/vlc rPUx, - /{usr/,}bin/mpv rPUx, - /{usr/,}bin/strawberry rPUx, + @{bin}/smplayer rPUx, + @{bin}/amarok rPUx, + @{bin}/vlc rPUx, + @{bin}/mpv rPUx, + @{bin}/strawberry rPUx, owner @{HOME}/ r, owner @{HOME}/.anyRemote/{,*} rw, @@ -79,7 +79,7 @@ profile ganyremote @{exec_path} { ptrace (read), - /{usr/,}bin/killall mr, + @{bin}/killall mr, # The /proc/ dir is needed to avoid the following error: # /proc: Permission denied @@ -92,7 +92,7 @@ profile ganyremote @{exec_path} { include include - /{usr/,}bin/pgrep mr, + @{bin}/pgrep mr, # The /proc/ dir and the cmdline file have to be radable to avoid pgrep segfault. @{PROC}/ r, diff --git a/apparmor.d/profiles-g-l/gconfd b/apparmor.d/profiles-g-l/gconfd index 6a7f2c06..0c5698ad 100644 --- a/apparmor.d/profiles-g-l/gconfd +++ b/apparmor.d/profiles-g-l/gconfd @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}lib/@{multiarch}/gconf/gconfd-[0-9] +@{exec_path} = @{lib}/@{multiarch}/gconf/gconfd-[0-9] profile gconfd @{exec_path} { include include 
diff --git a/apparmor.d/profiles-g-l/gdisk b/apparmor.d/profiles-g-l/gdisk index 5fdb1da0..c52f3c70 100644 --- a/apparmor.d/profiles-g-l/gdisk +++ b/apparmor.d/profiles-g-l/gdisk @@ -7,7 +7,7 @@ abi , include -@{exec_path} = /{usr/,}{s,}bin/gdisk +@{exec_path} = @{bin}/gdisk profile gdisk @{exec_path} { include include diff --git a/apparmor.d/profiles-g-l/gdk-pixbuf-query-loaders b/apparmor.d/profiles-g-l/gdk-pixbuf-query-loaders index 8793377a..2a665a5c 100644 --- a/apparmor.d/profiles-g-l/gdk-pixbuf-query-loaders +++ b/apparmor.d/profiles-g-l/gdk-pixbuf-query-loaders @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/gdk-pixbuf-query-loaders +@{exec_path} = @{bin}/gdk-pixbuf-query-loaders profile gdk-pixbuf-query-loaders @{exec_path} { include @@ -15,8 +15,8 @@ profile gdk-pixbuf-query-loaders @{exec_path} { @{exec_path} mr, - /{usr/,}lib/gdk-pixbuf-[0-9].[0-9]*/{,*}/loaders.cache.* rw, - /{usr/,}lib/gdk-pixbuf-[0-9].[0-9]*/*/loaders.cache rw, + @{lib}/gdk-pixbuf-[0-9].[0-9]*/{,*}/loaders.cache.* rw, + @{lib}/gdk-pixbuf-[0-9].[0-9]*/*/loaders.cache rw, include if exists } \ No newline at end of file diff --git a/apparmor.d/profiles-g-l/gio-querymodules b/apparmor.d/profiles-g-l/gio-querymodules index 826d7de6..03de3446 100644 --- a/apparmor.d/profiles-g-l/gio-querymodules +++ b/apparmor.d/profiles-g-l/gio-querymodules @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/gio-querymodules +@{exec_path} = @{bin}/gio-querymodules profile gio-querymodules @{exec_path} flags=(attach_disconnected) { include include @@ -16,8 +16,8 @@ profile gio-querymodules @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - /{usr/,}lib/gtk-{3,4}.0/**/giomodule.cache{,.[0-9A-Z]*} w, - /{usr/,}lib/gio/modules/giomodule.cache{,.[0-9A-Z]*} w, + @{lib}/gtk-{3,4}.0/**/giomodule.cache{,.[0-9A-Z]*} w, + @{lib}/gio/modules/giomodule.cache{,.[0-9A-Z]*} w, deny /apparmor/.null rw, 
diff --git a/apparmor.d/profiles-g-l/git b/apparmor.d/profiles-g-l/git index 55603460..0939a251 100644 --- a/apparmor.d/profiles-g-l/git +++ b/apparmor.d/profiles-g-l/git @@ -7,13 +7,11 @@ abi , include -@{exec_path} = /{usr/,}bin/git -@{exec_path} += /{usr/,}bin/git-* -@{exec_path} += /{usr/,}lib/git-core/git -@{exec_path} += /{usr/,}lib/git-core/git-* -@{exec_path} += @{libexec}/git-core/git -@{exec_path} += @{libexec}/git-core/git-* -@{exec_path} += @{libexec}/git-core/mergetools/* +@{exec_path} = @{bin}/git +@{exec_path} += @{bin}/git-* +@{exec_path} += @{lib}/git-core/git +@{exec_path} += @{lib}/git-core/git-* +@{exec_path} += @{lib}/git-core/mergetools/* profile git @{exec_path} { include include 
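Review bot: The three `@{exec_path} += @{libexec}/git-core/...` attachment paths are dropped rather than rewritten, so a git binary installed under a libexec directory stays confined only if `@{lib}` expands to cover those locations as well as `lib`; nothing in the hunk shows that definition. If `@{lib}` does not match `libexec`, git started from there would run unconfined, which is worse than the literal `/{usr/,}lib` form it replaces, because an attachment path that matches nothing fails silently. The same assumption underlies the `@{libexec}` → `@{lib}` rewrites in glib-pacrunner, gparted and gpartedbin in this commit. Worth confirming against the tunable's definition, or keeping the `@{libexec}` lines next to the new `@{lib}` ones until that is settled.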
@@ -34,47 +32,47 @@ profile git @{exec_path} { # When you mistype a command, git checks the $PATH variable and search its exec dirs to give you # the most similar commands, which it thinks can be used instead. Git binaries are all under # /usr/bin/ , so allow only this location. - /{usr/,}bin/ r, + @{bin}/ r, deny /{usr/,}sbin/ r, deny /usr/local/{s,}bin/ r, deny /usr/games/ r, deny /usr/local/games/ r, # These are needed for "git submodule update" - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/{,e}grep rix, - /{usr/,}bin/basename rix, - /{usr/,}bin/cat rix, - /{usr/,}bin/cat rix, - /{usr/,}bin/date rix, - /{usr/,}bin/dirname rix, - /{usr/,}bin/envsubst rix, - /{usr/,}bin/gettext rix, - /{usr/,}bin/gettext.sh rix, - /{usr/,}bin/hostname rix, - /{usr/,}bin/mkdir rix, - /{usr/,}bin/mv rix, - /{usr/,}bin/rm rix, - /{usr/,}bin/sed rix, - /{usr/,}bin/uname rix, - /{usr/,}bin/wc rix, - /{usr/,}bin/whoami rix, + @{bin}/{,ba,da}sh rix, + @{bin}/{,e}grep rix, + @{bin}/basename rix, + @{bin}/cat rix, + @{bin}/cat rix, + @{bin}/date rix, + @{bin}/dirname rix, + @{bin}/envsubst rix, + @{bin}/gettext rix, + @{bin}/gettext.sh rix, + @{bin}/hostname rix, + @{bin}/mkdir rix, + @{bin}/mv rix, + @{bin}/rm rix, + @{bin}/sed rix, + @{bin}/uname rix, + @{bin}/wc rix, + @{bin}/whoami rix, - /{usr/,}bin/pager rPx -> child-pager, - /{usr/,}bin/less rPx -> child-pager, - /{usr/,}bin/more rPx -> child-pager, + @{bin}/pager rPx -> child-pager, + @{bin}/less rPx -> child-pager, + @{bin}/more rPx -> child-pager, - /{usr/,}bin/man rPx, - /{usr/,}bin/meld rPUx, - /{usr/,}lib/code/extensions/git/dist/askpass.sh rPx, - /{usr/,}lib/code/extensions/git/dist/git-editor.sh rPx, + @{bin}/man rPx, + @{bin}/meld rPUx, + @{lib}/code/extensions/git/dist/askpass.sh rPx, + @{lib}/code/extensions/git/dist/git-editor.sh rPx, /usr/share/aurpublish/*.hook rPx, - /{usr/,}bin/gpg{,2} rCx -> gpg, - /{usr/,}bin/ssh rCx -> ssh, - /{usr/,}bin/sensible-editor rCx -> editor, - /{usr/,}bin/vim rCx -> editor, - 
/{usr/,}bin/vim.* rCx -> editor, + @{bin}/gpg{,2} rCx -> gpg, + @{bin}/ssh rCx -> ssh, + @{bin}/sensible-editor rCx -> editor, + @{bin}/vim rCx -> editor, + @{bin}/vim.* rCx -> editor, /usr/share/git-core/{,**} r, /usr/share/terminfo/x/xterm-256color r, @@ -108,8 +106,8 @@ profile git @{exec_path} { include include - /{usr/,}bin/gpg{,2} mr, - /{usr/,}bin/gpg-agent rPx, + @{bin}/gpg{,2} mr, + @{bin}/gpg-agent rPx, owner @{HOME}/@{XDG_GPG_DIR}/ rw, owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**, @@ -132,7 +130,7 @@ profile git @{exec_path} { network inet6 stream, network netlink raw, - /{usr/,}bin/ssh mr, + @{bin}/ssh mr, /etc/ssh/ssh_config.d/{,*} r, /etc/ssh/ssh_config r, @@ -162,11 +160,11 @@ profile git @{exec_path} { include include - /{usr/,}bin/sensible-editor mr, - /{usr/,}bin/vim mrix, - /{usr/,}bin/vim.* mrix, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/which{,.debianutils} rix, + @{bin}/sensible-editor mr, + @{bin}/vim mrix, + @{bin}/vim.* mrix, + @{bin}/{,ba,da}sh rix, + @{bin}/which{,.debianutils} rix, /usr/share/vim/{,**} r, /usr/share/terminfo/x/xterm-256color r, diff --git a/apparmor.d/profiles-g-l/glib-compile-resources b/apparmor.d/profiles-g-l/glib-compile-resources index e1dde8d6..bbcc62d7 100644 --- a/apparmor.d/profiles-g-l/glib-compile-resources +++ b/apparmor.d/profiles-g-l/glib-compile-resources @@ -6,13 +6,13 @@ abi , include -@{exec_path} = /{usr/,}bin/glib-compile-resources +@{exec_path} = @{bin}/glib-compile-resources profile glib-compile-resources @{exec_path} { include @{exec_path} mr, - /{usr/,}bin/xmllint rix, + @{bin}/xmllint rix, /tmp/resource-* rw, diff --git a/apparmor.d/profiles-g-l/glib-compile-schemas b/apparmor.d/profiles-g-l/glib-compile-schemas index c812c59c..90fabfb3 100644 --- a/apparmor.d/profiles-g-l/glib-compile-schemas +++ b/apparmor.d/profiles-g-l/glib-compile-schemas 
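Review bot: `@{bin}/ r,` now sits directly above the unchanged `deny /{usr/,}sbin/ r,` and the comment stating that git binaries are all under `/usr/bin/`, "so allow only this location"; elsewhere in this commit `/{usr/,}{s,}bin/...` is rewritten to `@{bin}/...`, which suggests `@{bin}` also matches the sbin directories, so the allow and the deny now overlap. AppArmor gives deny precedence, so the sbin listing is presumably still blocked, but the comment is stale and the deny keeps the literal path form the rest of the file has just abandoned — replace the "allow only this location" sentence with `# @{bin} also matches the sbin dirs; the explicit deny below keeps their listing blocked.` The rewritten block also keeps `@{bin}/cat rix,` twice; one copy can go. The enclosing `profile git` block starts and ends outside this hunk.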
@@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/glib-compile-schemas +@{exec_path} = @{bin}/glib-compile-schemas profile glib-compile-schemas @{exec_path} { include diff --git a/apparmor.d/profiles-g-l/glib-pacrunner b/apparmor.d/profiles-g-l/glib-pacrunner index 9e9b127f..9dcd5d97 100644 --- a/apparmor.d/profiles-g-l/glib-pacrunner +++ b/apparmor.d/profiles-g-l/glib-pacrunner @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{libexec}/glib-pacrunner +@{exec_path} = @{lib}/glib-pacrunner profile glib-pacrunner @{exec_path} { include include diff --git a/apparmor.d/profiles-g-l/globaltime b/apparmor.d/profiles-g-l/globaltime index 6a43f7d0..c2bfd687 100644 --- a/apparmor.d/profiles-g-l/globaltime +++ b/apparmor.d/profiles-g-l/globaltime @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/globaltime +@{exec_path} = @{bin}/globaltime profile globaltime @{exec_path} { include include diff --git a/apparmor.d/profiles-g-l/glxgears b/apparmor.d/profiles-g-l/glxgears index 106d7ad3..1fd21857 100644 --- a/apparmor.d/profiles-g-l/glxgears +++ b/apparmor.d/profiles-g-l/glxgears @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/glxgears +@{exec_path} = @{bin}/glxgears profile glxgears @{exec_path} { include include diff --git a/apparmor.d/profiles-g-l/glxinfo b/apparmor.d/profiles-g-l/glxinfo index 82139919..86dcffdd 100644 --- a/apparmor.d/profiles-g-l/glxinfo +++ b/apparmor.d/profiles-g-l/glxinfo @@ -7,7 +7,7 @@ abi , include -@{exec_path} = /{usr/,}bin/glxinfo +@{exec_path} = @{bin}/glxinfo profile glxinfo @{exec_path} { include include diff --git a/apparmor.d/profiles-g-l/gpa b/apparmor.d/profiles-g-l/gpa index 1e854c3f..2ef5bb0d 100644 --- a/apparmor.d/profiles-g-l/gpa +++ b/apparmor.d/profiles-g-l/gpa @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/gpa +@{exec_path} = @{bin}/gpa profile gpa @{exec_path} { include include 
@@ -18,10 +18,10 @@ profile gpa @{exec_path} { @{exec_path} mr, - /{usr/,}bin/gpgconf rPx, - /{usr/,}bin/gpg-connect-agent rPx, - /{usr/,}bin/gpg{,2} rPx, - /{usr/,}bin/gpgsm rPx, + @{bin}/gpgconf rPx, + @{bin}/gpg-connect-agent rPx, + @{bin}/gpg{,2} rPx, + @{bin}/gpgsm rPx, /usr/share/gpa/{,*} r, @@ -45,7 +45,7 @@ profile gpa @{exec_path} { owner /tmp/xauth-[0-9]*-_[0-9] r, # External apps - /{usr/,}lib/firefox/firefox rPUx, + @{lib}/firefox/firefox rPUx, # file_inherit owner /dev/tty[0-9]* rw, diff --git a/apparmor.d/profiles-g-l/gparted b/apparmor.d/profiles-g-l/gparted index 06c32689..e7e7106e 100644 --- a/apparmor.d/profiles-g-l/gparted +++ b/apparmor.d/profiles-g-l/gparted @@ -7,7 +7,7 @@ abi , include -@{exec_path} = /{usr/,}{s,}bin/gparted +@{exec_path} = @{bin}/gparted profile gparted @{exec_path} { include 
@@ -15,34 +15,34 @@ profile gparted @{exec_path} { @{exec_path} r, - /{usr/,}{s,}bin/ r, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/{,e}grep rix, - /{usr/,}bin/{m,g,}awk rix, - /{usr/,}bin/cut rix, - /{usr/,}bin/id rix, - /{usr/,}bin/ls rix, - /{usr/,}bin/mkdir rix, - /{usr/,}bin/pidof rix, - /{usr/,}bin/rm rix, - /{usr/,}bin/sed rix, - /{usr/,}bin/touch rix, + @{bin}/ r, + @{bin}/{,ba,da}sh rix, + @{bin}/{,e}grep rix, + @{bin}/{m,g,}awk rix, + @{bin}/cut rix, + @{bin}/id rix, + @{bin}/ls rix, + @{bin}/mkdir rix, + @{bin}/pidof rix, + @{bin}/rm rix, + @{bin}/sed rix, + @{bin}/touch rix, - /{usr/,}{s,}bin/gpartedbin rPx, - @{libexec}/gparted/gpartedbin rPx, - @{libexec}/gpartedbin rPx, + @{bin}/gpartedbin rPx, + @{lib}/gparted/gpartedbin rPx, + @{lib}/gpartedbin rPx, - @{libexec}/{,udisks2/}udisks2-inhibit rix, + @{lib}/{,udisks2/}udisks2-inhibit rix, @{run}/udev/rules.d/ rw, @{run}/udev/rules.d/90-udisks-inhibit.rules rw, - /{usr/,}bin/udevadm rCx -> udevadm, - /{usr/,}{s,}bin/killall5 rCx -> killall, + @{bin}/udevadm rCx -> udevadm, + @{bin}/killall5 rCx -> killall, - /{usr/,}bin/ps rPx, - /{usr/,}bin/xhost rPx, - /{usr/,}bin/pkexec rPx, - /{usr/,}bin/systemctl rPx -> child-systemctl, + @{bin}/ps rPx, + @{bin}/xhost rPx, + @{bin}/pkexec rPx, + @{bin}/systemctl rPx -> child-systemctl, # For shell pwd / r, @@ -63,7 +63,7 @@ profile gparted @{exec_path} { ptrace (read), - /{usr/,}bin/udevadm mr, + @{bin}/udevadm mr, /etc/udev/udev.conf r, @@ -91,7 +91,7 @@ profile gparted @{exec_path} { ptrace (read), - /{usr/,}{s,}bin/killall5 mr, + @{bin}/killall5 mr, # The /proc/ dir is needed to avoid the following error: # /proc: Permission denied diff --git a/apparmor.d/profiles-g-l/gpartedbin b/apparmor.d/profiles-g-l/gpartedbin index 98a138cf..8c685673 100644 --- a/apparmor.d/profiles-g-l/gpartedbin +++ b/apparmor.d/profiles-g-l/gpartedbin 
@@ -7,9 +7,9 @@ abi , include -@{exec_path} = /{usr/,}{s,}bin/gpartedbin -@{exec_path} += @{libexec}/gpartedbin -@{exec_path} += @{libexec}/gparted/gpartedbin +@{exec_path} = @{bin}/gpartedbin +@{exec_path} += @{lib}/gpartedbin +@{exec_path} += @{lib}/gparted/gpartedbin profile gpartedbin @{exec_path} { include include 
@@ -30,45 +30,45 @@ profile gpartedbin @{exec_path} { @{exec_path} mr, - /{usr/,}bin/{,ba,da}sh rix, + @{bin}/{,ba,da}sh rix, - /{usr/,}{s,}bin/blkid rPx, - /{usr/,}{s,}bin/dmidecode rPx, - /{usr/,}{s,}bin/hdparm rPx, - /{usr/,}bin/kmod rPx, + @{bin}/blkid rPx, + @{bin}/dmidecode rPx, + @{bin}/hdparm rPx, + @{bin}/kmod rPx, - /{usr/,}bin/mount rCx -> mount, - /{usr/,}bin/udevadm rCx -> udevadm, - /{usr/,}bin/umount rCx -> umount, + @{bin}/mount rCx -> mount, + @{bin}/udevadm rCx -> udevadm, + @{bin}/umount rCx -> umount, - /{usr/,}{s,}bin/dmraid rPUx, - /{usr/,}{s,}bin/dmsetup rPUx, - /{usr/,}{s,}bin/dumpe2fs rPx, - /{usr/,}{s,}bin/e2fsck rPx, - /{usr/,}{s,}bin/e2image rPx, - /{usr/,}{s,}bin/fsck.btrfs rPx, - /{usr/,}{s,}bin/fsck.fat rPx, - /{usr/,}{s,}bin/lvm rPUx, - /{usr/,}{s,}bin/mke2fs rPx, - /{usr/,}{s,}bin/mkntfs rPx, - /{usr/,}{s,}bin/mkswap rPx, - /{usr/,}{s,}bin/ntfslabel rPx, - /{usr/,}{s,}bin/ntfsresize rPx, - /{usr/,}{s,}bin/resize2fs rPx, - /{usr/,}{s,}bin/swaplabel rPx, - /{usr/,}{s,}bin/swapoff rPx, - /{usr/,}{s,}bin/swapon rPx, - /{usr/,}{s,}bin/tune2fs rPx, - /{usr/,}bin/btrfs rPx, - /{usr/,}bin/btrfstune rPx, - /{usr/,}bin/mdadm rPUx, - /{usr/,}bin/mkfs.* rPx, - /{usr/,}bin/mtools rPx, - /{usr/,}bin/ntfsinfo rPx, - /{usr/,}bin/xfs_io rPUx, + @{bin}/btrfs rPx, + @{bin}/btrfstune rPx, + @{bin}/dmraid rPUx, + @{bin}/dmsetup rPUx, + @{bin}/dumpe2fs rPx, + @{bin}/e2fsck rPx, + @{bin}/e2image rPx, + @{bin}/fsck.btrfs rPx, + @{bin}/fsck.fat rPx, + @{bin}/lvm rPUx, + @{bin}/mdadm rPUx, + @{bin}/mke2fs rPx, + @{bin}/mkfs.* rPx, + @{bin}/mkntfs rPx, + @{bin}/mkswap rPx, + @{bin}/mtools rPx, + @{bin}/ntfsinfo rPx, + @{bin}/ntfslabel rPx, + @{bin}/ntfsresize rPx, + @{bin}/resize2fs rPx, + @{bin}/swaplabel rPx, + @{bin}/swapoff rPx, + @{bin}/swapon rPx, + @{bin}/tune2fs rPx, + @{bin}/xfs_io rPUx, - /{usr/,}bin/xdg-open rCx -> child-open, - /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop rCx -> child-open, + @{bin}/xdg-open rCx -> child-open, + 
@{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rCx -> child-open, @{HOME}/.Xauthority r, owner @{HOME}/*.htm w, @@ -98,7 +98,7 @@ profile gpartedbin @{exec_path} { mount /dev/{s,v}d[a-z]*[0-9]* -> @{MOUNTS}/, mount /dev/{s,v}d[a-z]*[0-9]* -> @{MOUNTS}/*/, - /{usr/,}bin/mount mr, + @{bin}/mount mr, @{sys}/devices/pci[0-9]*/**/block/{s,v}d[a-z]/ r, @{sys}/devices/pci[0-9]*/**/block/{s,v}d[a-z]/dev r, @@ -121,7 +121,7 @@ profile gpartedbin @{exec_path} { umount @{MOUNTS}/, umount @{MOUNTS}/*/, - /{usr/,}bin/umount mr, + @{bin}/umount mr, owner @{run}/mount/ rw, owner @{run}/mount/utab{,.*} rw, @@ -137,7 +137,7 @@ profile gpartedbin @{exec_path} { ptrace (read), - /{usr/,}bin/udevadm mr, + @{bin}/udevadm mr, /etc/udev/udev.conf r, diff --git a/apparmor.d/profiles-g-l/gpasswd b/apparmor.d/profiles-g-l/gpasswd index d676b8cf..f6a89b95 100644 --- a/apparmor.d/profiles-g-l/gpasswd +++ b/apparmor.d/profiles-g-l/gpasswd @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/gpasswd +@{exec_path} = @{bin}/gpasswd profile gpasswd @{exec_path} { include include diff --git a/apparmor.d/profiles-g-l/gping b/apparmor.d/profiles-g-l/gping index 2d7acc2a..33f925c4 100644 --- a/apparmor.d/profiles-g-l/gping +++ b/apparmor.d/profiles-g-l/gping @@ -6,14 +6,14 @@ abi , include -@{exec_path} = /{usr/,}bin/gping +@{exec_path} = @{bin}/gping profile gping @{exec_path} { include include @{exec_path} mr, - /{usr/,}bin/ping rPx, + @{bin}/ping rPx, include if exists } \ No newline at end of file diff --git a/apparmor.d/profiles-g-l/gpo b/apparmor.d/profiles-g-l/gpo index aad4a3c0..5401b194 100644 --- a/apparmor.d/profiles-g-l/gpo +++ b/apparmor.d/profiles-g-l/gpo @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/gpo +@{exec_path} = @{bin}/gpo profile gpo @{exec_path} { include include 
@@ -22,14 +22,14 @@ profile gpo @{exec_path} { network inet6 stream, @{exec_path} r, - /{usr/,}bin/python3.[0-9]* r, + @{bin}/python3.[0-9]* r, - /{usr/,}bin/ r, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/uname rix, - /{usr/,}bin/pager rPx -> child-pager, - /{usr/,}bin/less rPx -> child-pager, - /{usr/,}bin/more rPx -> child-pager, + @{bin}/ r, + @{bin}/{,ba,da}sh rix, + @{bin}/uname rix, + @{bin}/pager rPx -> child-pager, + @{bin}/less rPx -> child-pager, + @{bin}/more rPx -> child-pager, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/profiles-g-l/gpodder b/apparmor.d/profiles-g-l/gpodder index a276ab3a..fa4c2e5a 100644 --- a/apparmor.d/profiles-g-l/gpodder +++ b/apparmor.d/profiles-g-l/gpodder @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/gpodder +@{exec_path} = @{bin}/gpodder profile gpodder @{exec_path} { include include @@ -26,11 +26,11 @@ profile gpodder @{exec_path} { network netlink raw, @{exec_path} r, - /{usr/,}bin/python3.[0-9]* r, + @{bin}/python3.[0-9]* r, - /{usr/,}bin/ r, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/uname rix, + @{bin}/ r, + @{bin}/{,ba,da}sh rix, + @{bin}/uname rix, owner @{HOME}/ r, owner @{HOME}/gPodder/ rw, @@ -50,18 +50,18 @@ profile gpodder @{exec_path} { /usr/share/*/*.desktop r, - /{usr/,}bin/xdg-settings rPUx, + @{bin}/xdg-settings rPUx, - /{usr/,}bin/xdg-open rCx -> open, - /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop rCx -> open, + @{bin}/xdg-open rCx -> open, + @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rCx -> open, # A/V players - /{usr/,}bin/smplayer rPUx, - /{usr/,}bin/vlc rPUx, - /{usr/,}bin/mpv rPUx, + @{bin}/smplayer rPUx, + @{bin}/vlc rPUx, + @{bin}/mpv rPUx, # Open in a web browser - /{usr/,}lib/firefox/firefox rPUx, + @{lib}/firefox/firefox rPUx, # file_inherit owner /dev/tty[0-9]* rw, 
@@ -71,20 +71,20 @@ profile gpodder @{exec_path} { include include - /{usr/,}bin/xdg-open mr, - /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr, + @{bin}/xdg-open mr, + @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/{m,g,}awk rix, - /{usr/,}bin/readlink rix, - /{usr/,}bin/basename rix, + @{bin}/{,ba,da}sh rix, + @{bin}/{m,g,}awk rix, + @{bin}/readlink rix, + @{bin}/basename rix, owner @{HOME}/ r, owner @{run}/user/@{uid}/ r, # Allowed apps to open - /{usr/,}lib/firefox/firefox rPUx, + @{lib}/firefox/firefox rPUx, # file_inherit owner @{HOME}/.xsession-errors w, diff --git a/apparmor.d/profiles-g-l/gpodder-migrate2tres b/apparmor.d/profiles-g-l/gpodder-migrate2tres index 27c43a4b..4bf4cc49 100644 --- a/apparmor.d/profiles-g-l/gpodder-migrate2tres +++ b/apparmor.d/profiles-g-l/gpodder-migrate2tres @@ -6,17 +6,17 @@ abi , include -@{exec_path} = /{usr/,}bin/gpodder-migrate2tres +@{exec_path} = @{bin}/gpodder-migrate2tres profile gpodder-migrate2tres @{exec_path} { include include @{exec_path} r, - /{usr/,}bin/python3.[0-9]* r, + @{bin}/python3.[0-9]* r, - /{usr/,}bin/ r, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/uname rix, + @{bin}/ r, + @{bin}/{,ba,da}sh rix, + @{bin}/uname rix, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/profiles-g-l/groupadd b/apparmor.d/profiles-g-l/groupadd index ab926783..4b10879a 100644 --- a/apparmor.d/profiles-g-l/groupadd +++ b/apparmor.d/profiles-g-l/groupadd @@ -7,7 +7,7 @@ abi , include -@{exec_path} = /{usr/,}{s,}bin/groupadd +@{exec_path} = @{bin}/groupadd profile groupadd @{exec_path} { include include @@ -20,7 +20,7 @@ profile groupadd @{exec_path} { network netlink raw, @{exec_path} mr, - /{usr/,}{s,}bin/nscd rix, + @{bin}/nscd rix, /etc/login.defs r, diff --git a/apparmor.d/profiles-g-l/groupdel b/apparmor.d/profiles-g-l/groupdel index df0f7018..51be777a 100644 --- a/apparmor.d/profiles-g-l/groupdel +++ b/apparmor.d/profiles-g-l/groupdel 
@@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}{s,}bin/groupdel +@{exec_path} = @{bin}/groupdel profile groupdel @{exec_path} { include include @@ -22,7 +22,7 @@ profile groupdel @{exec_path} { network netlink raw, @{exec_path} mr, - /{usr/,}{s,}bin/nscd rix, + @{bin}/nscd rix, /etc/login.defs r, diff --git a/apparmor.d/profiles-g-l/groupmod b/apparmor.d/profiles-g-l/groupmod index 7a5d595d..90ff11ec 100644 --- a/apparmor.d/profiles-g-l/groupmod +++ b/apparmor.d/profiles-g-l/groupmod @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}{s,}bin/groupmod +@{exec_path} = @{bin}/groupmod profile groupmod @{exec_path} { include include diff --git a/apparmor.d/profiles-g-l/groups b/apparmor.d/profiles-g-l/groups index ce910068..6de8a0a2 100644 --- a/apparmor.d/profiles-g-l/groups +++ b/apparmor.d/profiles-g-l/groups @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/groups +@{exec_path} = @{bin}/groups profile groups @{exec_path} { include include diff --git a/apparmor.d/profiles-g-l/grpck b/apparmor.d/profiles-g-l/grpck index bfa4734f..a0a73701 100644 --- a/apparmor.d/profiles-g-l/grpck +++ b/apparmor.d/profiles-g-l/grpck @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}{s,}bin/grpck +@{exec_path} = @{bin}/grpck profile grpck @{exec_path} { include include diff --git a/apparmor.d/profiles-g-l/gsettings b/apparmor.d/profiles-g-l/gsettings index 6b5fc2fa..41bc4c5c 100644 --- a/apparmor.d/profiles-g-l/gsettings +++ b/apparmor.d/profiles-g-l/gsettings @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/gsettings +@{exec_path} = @{bin}/gsettings profile gsettings @{exec_path} { include include diff --git a/apparmor.d/profiles-g-l/gsimplecal b/apparmor.d/profiles-g-l/gsimplecal index e4ed7f32..b623cbdc 100644 --- a/apparmor.d/profiles-g-l/gsimplecal +++ b/apparmor.d/profiles-g-l/gsimplecal @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/gsimplecal +@{exec_path} = @{bin}/gsimplecal profile gsimplecal @{exec_path} { include include 
diff --git a/apparmor.d/profiles-g-l/gsmartcontrol b/apparmor.d/profiles-g-l/gsmartcontrol index dd10f2be..c136c4f8 100644 --- a/apparmor.d/profiles-g-l/gsmartcontrol +++ b/apparmor.d/profiles-g-l/gsmartcontrol @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}{s,}bin/gsmartcontrol +@{exec_path} = @{bin}/gsmartcontrol profile gsmartcontrol @{exec_path} { include include @@ -22,8 +22,8 @@ profile gsmartcontrol @{exec_path} { @{exec_path} mr, - /{usr/,}{s,}bin/smartctl rPx, - /{usr/,}bin/xterm rCx -> terminal, + @{bin}/smartctl rPx, + @{bin}/xterm rCx -> terminal, # When gsmartcontrol is run as root, it wants to exec dbus-launch, and hence it creates the two # following root processes: @@ -31,10 +31,10 @@ profile gsmartcontrol @{exec_path} { # /usr/bin/dbus-daemon --syslog-only --fork --print-pid 5 --print-address 7 --session # # Should this be allowed? Gsmartcontrol works fine without this. - #/{usr/,}bin/dbus-launch rCx -> dbus, - #/{usr/,}bin/dbus-send rCx -> dbus, - deny /{usr/,}bin/dbus-launch rx, - deny /{usr/,}bin/dbus-send rx, + #@{bin}/dbus-launch rCx -> dbus, + #@{bin}/dbus-send rCx -> dbus, + deny @{bin}/dbus-launch rx, + deny @{bin}/dbus-send rx, owner @{user_config_dirs}/gsmartcontrol/ rw, owner @{user_config_dirs}/gsmartcontrol/gsmartcontrol.conf rw, @@ -62,16 +62,16 @@ profile gsmartcontrol @{exec_path} { # The Help menu (and links in it) requires access to a web browser. Since gsmartcontrol is run as # root (even when used sudo or gsmartcontrol-root), the web browser will also be run as root and # hence this behavior should be blocked. - deny /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop rx, + deny @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rx, profile dbus { include include - /{usr/,}bin/dbus-launch mr, - /{usr/,}bin/dbus-send mr, - /{usr/,}bin/dbus-daemon rPUx, + @{bin}/dbus-launch mr, + @{bin}/dbus-send mr, + @{bin}/dbus-daemon rPUx, # for dbus-launch owner @{HOME}/.dbus/session-bus/@{hex}-[0-9] w, 
@@ -89,7 +89,7 @@ profile gsmartcontrol @{exec_path} { capability setgid, capability fsetid, - /{usr/,}bin/xterm mr, + @{bin}/xterm mr, /usr/sbin/update-smart-drivedb rPx, diff --git a/apparmor.d/profiles-g-l/gsmartcontrol-root b/apparmor.d/profiles-g-l/gsmartcontrol-root index 7ac4a46c..d86b902d 100644 --- a/apparmor.d/profiles-g-l/gsmartcontrol-root +++ b/apparmor.d/profiles-g-l/gsmartcontrol-root @@ -6,17 +6,17 @@ abi , include -@{exec_path} = /{usr/,}bin/gsmartcontrol-root +@{exec_path} = @{bin}/gsmartcontrol-root profile gsmartcontrol-root @{exec_path} { include include @{exec_path} r, - /{usr/,}bin/{,ba,da}sh rix, + @{bin}/{,ba,da}sh rix, - /{usr/,}bin/which{,.debianutils} rix, + @{bin}/which{,.debianutils} rix, - /{usr/,}bin/pkexec rPx, + @{bin}/pkexec rPx, include if exists } diff --git a/apparmor.d/profiles-g-l/gssproxy b/apparmor.d/profiles-g-l/gssproxy index af96cbd9..69d4b6f3 100644 --- a/apparmor.d/profiles-g-l/gssproxy +++ b/apparmor.d/profiles-g-l/gssproxy @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/gssproxy +@{exec_path} = @{bin}/gssproxy profile gssproxy @{exec_path} { include include diff --git a/apparmor.d/profiles-g-l/gtk-query-immodules b/apparmor.d/profiles-g-l/gtk-query-immodules index 3783e53a..fda5e712 100644 --- a/apparmor.d/profiles-g-l/gtk-query-immodules +++ b/apparmor.d/profiles-g-l/gtk-query-immodules @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/gtk-query-immodules-{2,3}.0 +@{exec_path} = @{bin}/gtk-query-immodules-{2,3}.0 profile gtk-query-immodules @{exec_path} { include @@ -15,8 +15,8 @@ profile gtk-query-immodules @{exec_path} { @{exec_path} mr, - /{usr/,}lib/gtk-{2,3,4}.0/**/immodules.cache w, - /{usr/,}lib/gtk-{2,3,4}.0/**/immodules.cache.[0-9A-Z]* w, + @{lib}/gtk-{2,3,4}.0/**/immodules.cache w, + @{lib}/gtk-{2,3,4}.0/**/immodules.cache.[0-9A-Z]* w, # Inherit silencer deny network inet6 stream, 
diff --git a/apparmor.d/profiles-g-l/gtk-update-icon-cache b/apparmor.d/profiles-g-l/gtk-update-icon-cache index db7feb06..0f822a73 100644 --- a/apparmor.d/profiles-g-l/gtk-update-icon-cache +++ b/apparmor.d/profiles-g-l/gtk-update-icon-cache @@ -7,7 +7,7 @@ abi , include -@{exec_path} = /{usr/,}bin/gtk-update-icon-cache /{usr/,}bin/gtk4-update-icon-cache +@{exec_path} = @{bin}/gtk-update-icon-cache @{bin}/gtk4-update-icon-cache profile gtk-update-icon-cache @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/profiles-g-l/gtk-youtube-viewer b/apparmor.d/profiles-g-l/gtk-youtube-viewer index 2eea836f..7fc7d35e 100644 --- a/apparmor.d/profiles-g-l/gtk-youtube-viewer +++ b/apparmor.d/profiles-g-l/gtk-youtube-viewer @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/gtk{,2,3}-youtube-viewer +@{exec_path} = @{bin}/gtk{,2,3}-youtube-viewer profile gtk-youtube-viewer @{exec_path} { include include @@ -25,23 +25,23 @@ profile gtk-youtube-viewer @{exec_path} { network netlink raw, @{exec_path} r, - /{usr/,}bin/perl r, + @{bin}/perl r, - /{usr/,}bin/{,ba,da}sh rix, + @{bin}/{,ba,da}sh rix, - /{usr/,}bin/xterm rCx -> xterm, - /{usr/,}bin/rxvt rCx -> xterm, - /{usr/,}bin/urxvt rCx -> xterm, + @{bin}/xterm rCx -> xterm, + @{bin}/rxvt rCx -> xterm, + @{bin}/urxvt rCx -> xterm, # Players - /{usr/,}bin/mpv rPx, - /{usr/,}bin/vlc rPx, - /{usr/,}bin/smplayer rPx, + @{bin}/mpv rPx, + @{bin}/vlc rPx, + @{bin}/smplayer rPx, - /{usr/,}lib/firefox/firefox rPx, + @{lib}/firefox/firefox rPx, - /{usr/,}bin/xdg-open rCx -> open, - /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop rCx -> open, + @{bin}/xdg-open rCx -> open, + @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rCx -> open, owner @{user_config_dirs}/youtube-viewer/{,*} rw, 
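Review bot: `@{exec_path} = @{bin}/gtk-update-icon-cache @{bin}/gtk4-update-icon-cache` puts two attachment paths on one line, while the other multi-path profiles touched by this commit (git, gpartedbin) add each extra path with its own `+=` line. For consistency, and so that adding a third path later is a one-line diff, split it: `@{exec_path} = @{bin}/gtk-update-icon-cache` followed by `@{exec_path} += @{bin}/gtk4-update-icon-cache`.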
@@ -65,14 +65,14 @@ profile gtk-youtube-viewer @{exec_path} { signal (send) set=(hup, winch) peer=youtube-viewer, signal (send) set=(hup, winch) peer=youtube-viewer//wget, - /{usr/,}bin/xterm mr, - /{usr/,}bin/rxvt mr, - /{usr/,}bin/urxvt mr, + @{bin}/xterm mr, + @{bin}/rxvt mr, + @{bin}/urxvt mr, - /{usr/,}bin/zsh rix, - /{usr/,}bin/{,ba,da}sh rix, + @{bin}/zsh rix, + @{bin}/{,ba,da}sh rix, - /{usr/,}bin/youtube-viewer rPx, + @{bin}/youtube-viewer rPx, owner @{PROC}/@{pid}/loginuid r, @@ -97,20 +97,20 @@ profile gtk-youtube-viewer @{exec_path} { include include - /{usr/,}bin/xdg-open mr, - /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr, + @{bin}/xdg-open mr, + @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/{m,g,}awk rix, - /{usr/,}bin/readlink rix, - /{usr/,}bin/basename rix, + @{bin}/{,ba,da}sh rix, + @{bin}/{m,g,}awk rix, + @{bin}/readlink rix, + @{bin}/basename rix, owner @{HOME}/ r, owner @{run}/user/@{uid}/ r, # Allowed apps to open - /{usr/,}lib/firefox/firefox rPUx, + @{lib}/firefox/firefox rPUx, # file_inherit owner @{HOME}/.xsession-errors w, diff --git a/apparmor.d/profiles-g-l/gzdoom b/apparmor.d/profiles-g-l/gzdoom index 246a84b8..7512852f 100644 --- a/apparmor.d/profiles-g-l/gzdoom +++ b/apparmor.d/profiles-g-l/gzdoom @@ -27,13 +27,13 @@ profile gzdoom @{exec_path} { @{exec_path} mrix, - /{usr/,}bin/{,ba,da}sh rix, + @{bin}/{,ba,da}sh rix, - /{usr/,}bin/zsh rix, - /{usr/,}bin/uname rix, - /{usr/,}bin/xmessage rix, - /{usr/,}bin/gdb rix, - /{usr/,}bin/iconv rix, + @{bin}/zsh rix, + @{bin}/uname rix, + @{bin}/xmessage rix, + @{bin}/gdb rix, + @{bin}/iconv rix, /opt/gzdoom/ r, /opt/gzdoom/** mr, diff --git a/apparmor.d/profiles-g-l/hardinfo b/apparmor.d/profiles-g-l/hardinfo index f25228be..360eb1ad 100644 --- a/apparmor.d/profiles-g-l/hardinfo +++ b/apparmor.d/profiles-g-l/hardinfo 
@@ -6,17 +6,17 @@ abi ,
 include
-@{exec_path} = /{usr/,}bin/hardinfo
+@{exec_path} = @{bin}/hardinfo
 profile hardinfo @{exec_path} {
 include
 include
- include
- include
 include
+ include
 include
+ include
 include
- include
 include
+ include
 # This is needed to display some content of devices -> resources
 capability sys_admin,
@@ -31,36 +31,36 @@ profile hardinfo @{exec_path} {
 @{exec_path} mrix,
- /{usr/,}bin/{,ba,da}sh rix,
- /{usr/,}bin/locale rix,
- /{usr/,}bin/ldd rix,
- /{usr/,}bin/tr rix,
- /{usr/,}bin/python2.[0-9]* rix,
- /{usr/,}bin/python3.[0-9]* rix,
- /{usr/,}bin/perl rix,
- /{usr/,}bin/ruby[0-9].[0-9]* rix,
- /{usr/,}bin/make rix,
- /{usr/,}bin/strace rix,
- /{usr/,}bin/gdb rix,
- /{usr/,}bin/last rix,
- /{usr/,}bin/iconv rix,
- /{usr/,}{s,}bin/route rix,
- /{usr/,}bin/valgrind{,.bin} rix,
- /{usr/,}lib/@{multiarch}/valgrind/memcheck-*-linux rix,
+ @{bin}/{,ba,da}sh rix,
+ @{bin}/gdb rix,
+ @{bin}/iconv rix,
+ @{bin}/last rix,
+ @{bin}/ldd rix,
+ @{bin}/locale rix,
+ @{bin}/make rix,
+ @{bin}/perl rix,
+ @{bin}/python2.[0-9]* rix,
+ @{bin}/python3.[0-9]* rix,
+ @{bin}/route rix,
+ @{bin}/ruby[0-9].[0-9]* rix,
+ @{bin}/strace rix,
+ @{bin}/tr rix,
+ @{bin}/valgrind{,.bin} rix,
+ @{lib}/@{multiarch}/valgrind/memcheck-*-linux rix,
- /{usr/,}bin/lsb_release rPx -> lsb_release,
- /{usr/,}bin/xdg-open rCx -> open,
- /{usr/,}bin/ccache rCx -> ccache,
- /{usr/,}bin/kmod rCx -> kmod,
+ @{bin}/lsb_release rPx -> lsb_release,
+ @{bin}/xdg-open rCx -> open,
+ @{bin}/ccache rCx -> ccache,
+ @{bin}/kmod rCx -> kmod,
- /{usr/,}bin/glxinfo rPx,
- /{usr/,}bin/xdpyinfo rPx,
- /{usr/,}bin/lspci rPx,
- /{usr/,}bin/lsusb rPx,
- /{usr/,}bin/netstat rPx,
- /{usr/,}bin/qtchooser rPx,
+ @{bin}/glxinfo rPx,
+ @{bin}/xdpyinfo rPx,
+ @{bin}/lspci rPx,
+ @{bin}/lsusb rPx,
+ @{bin}/netstat rPx,
+ @{bin}/qtchooser rPx,
- /{usr/,}lib/jvm/java-[0-9]*-openjdk-amd64/bin/javac rCx -> javac,
+ @{lib}/jvm/java-[0-9]*-openjdk-amd64/bin/javac rCx -> javac,
 /usr/share/hardinfo/{,**} r,
@@ -112,7 +112,7 @@ profile hardinfo @{exec_path} {
 owner /tmp/#[0-9]*[0-9] rw,
 # Allowed apps to open
- /{usr/,}lib/firefox/firefox rPUx,
+ @{lib}/firefox/firefox rPUx,
 # Silencer
 deny /usr/share/gdb/python/** w,
@@ -124,11 +124,11 @@ profile hardinfo @{exec_path} {
 profile ccache {
 include
- /{usr/,}bin/ccache mr,
+ @{bin}/ccache mr,
- /{usr/,}lib/llvm-[0-9]*/bin/clang rix,
- /{usr/,}bin/{,@{multiarch}-}gcc-[0-9]* rix,
- /{usr/,}bin/{,@{multiarch}-}g++-[0-9]* rix,
+ @{lib}/llvm-[0-9]*/bin/clang rix,
+ @{bin}/{,@{multiarch}-}gcc-[0-9]* rix,
+ @{bin}/{,@{multiarch}-}g++-[0-9]* rix,
 /media/ccache/*/** rw,
@@ -140,9 +140,9 @@ profile hardinfo @{exec_path} {
 include
 include
- /{usr/,}lib/jvm/java-[0-9]*-openjdk-amd64/bin/* mr,
+ @{lib}/jvm/java-[0-9]*-openjdk-amd64/bin/* mr,
- /{usr/,}lib/jvm/java-[0-9]*-openjdk-amd64/lib/** mr,
+ @{lib}/jvm/java-[0-9]*-openjdk-amd64/lib/** mr,
 /etc/java-[0-9]*-openjdk/** r,
@@ -163,19 +163,19 @@ profile hardinfo @{exec_path} {
 include
 include
- /{usr/,}bin/xdg-open mr,
+ @{bin}/xdg-open mr,
- /{usr/,}bin/{,ba,da}sh rix,
- /{usr/,}bin/{m,g,}awk rix,
- /{usr/,}bin/readlink rix,
- /{usr/,}bin/basename rix,
+ @{bin}/{,ba,da}sh rix,
+ @{bin}/{m,g,}awk rix,
+ @{bin}/readlink rix,
+ @{bin}/basename rix,
 owner @{HOME}/ r,
 owner @{run}/user/@{uid}/ r,
 # Allowed apps to open
- /{usr/,}lib/firefox/firefox rPUx,
+ @{lib}/firefox/firefox rPUx,
 # file_inherit
 owner @{HOME}/.xsession-errors w,
@@ -185,7 +185,7 @@ profile hardinfo @{exec_path} {
 profile kmod {
 include
- /{usr/,}bin/kmod mr,
+ @{bin}/kmod mr,
 @{sys}/module/** r,
diff --git a/apparmor.d/profiles-g-l/haveged b/apparmor.d/profiles-g-l/haveged
index 873fcac1..da4bc0a7 100644
--- a/apparmor.d/profiles-g-l/haveged
+++ b/apparmor.d/profiles-g-l/haveged
@@ -9,7 +9,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}bin/haveged
+@{exec_path} = @{bin}/haveged
 profile haveged @{exec_path} {
 include
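Review bot: The javac child hunk (`@@ -140,9 +140,9 @@`) keeps the dpkg architecture hard-coded on the rewritten lines, `@{lib}/jvm/java-[0-9]*-openjdk-amd64/bin/* mr,` and `@{lib}/jvm/java-[0-9]*-openjdk-amd64/lib/** mr,`, while the rest of the file now uses `@{lib}` and `@{multiarch}` precisely to avoid host-specific paths; on a non-amd64 host the `rCx -> javac` transition would presumably find no matching `mr` rule and the exec is denied. The OpenJDK directory is named after the dpkg arch rather than the multiarch triplet, so `@{multiarch}` does not fit here; if the tunables offer no arch variable, a comment such as `# openjdk dirs use the dpkg arch name, not @{multiarch}` on the first of the two lines would keep the next cleanup from "fixing" it blindly. The enclosing javac child profile starts and ends outside the hunk.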
diff --git a/apparmor.d/profiles-g-l/hciconfig b/apparmor.d/profiles-g-l/hciconfig
index a4798680..b7da746e 100644
--- a/apparmor.d/profiles-g-l/hciconfig
+++ b/apparmor.d/profiles-g-l/hciconfig
@@ -6,7 +6,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}bin/hciconfig
+@{exec_path} = @{bin}/hciconfig
 profile hciconfig @{exec_path} {
 include
diff --git a/apparmor.d/profiles-g-l/hddtemp b/apparmor.d/profiles-g-l/hddtemp
index 9e8933e7..f4d3ce25 100644
--- a/apparmor.d/profiles-g-l/hddtemp
+++ b/apparmor.d/profiles-g-l/hddtemp
@@ -6,7 +6,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}{s,}bin/hddtemp
+@{exec_path} = @{bin}/hddtemp
 profile hddtemp @{exec_path} {
 include
diff --git a/apparmor.d/profiles-g-l/hdparm b/apparmor.d/profiles-g-l/hdparm
index 2c8878e6..0d3e4615 100644
--- a/apparmor.d/profiles-g-l/hdparm
+++ b/apparmor.d/profiles-g-l/hdparm
@@ -7,7 +7,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}{s,}bin/hdparm
+@{exec_path} = @{bin}/hdparm
 profile hdparm @{exec_path} flags=(complain) {
 include
 include
diff --git a/apparmor.d/profiles-g-l/hexchat b/apparmor.d/profiles-g-l/hexchat
index 4cc7555e..539bf83a 100644
--- a/apparmor.d/profiles-g-l/hexchat
+++ b/apparmor.d/profiles-g-l/hexchat
@@ -6,7 +6,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}bin/hexchat
+@{exec_path} = @{bin}/hexchat
 profile hexchat @{exec_path} {
 include
 include
@@ -31,8 +31,8 @@ profile hexchat @{exec_path} {
 @{exec_path} mr,
 # Hexchat plugins
- /{usr/,}lib/@{multiarch}/hexchat/** r,
- /{usr/,}lib/@{multiarch}/hexchat/plugins/*.so mr,
+ @{lib}/@{multiarch}/hexchat/** r,
+ @{lib}/@{multiarch}/hexchat/plugins/*.so mr,
 # Hexchat home files
 owner @{HOME}/ r,
@@ -45,7 +45,7 @@ profile hexchat @{exec_path} {
 /etc/fstab r,
 # External apps
- /{usr/,}lib/firefox/firefox rPUx,
+ @{lib}/firefox/firefox rPUx,
 # file_inherit
 owner /dev/tty[0-9]* rw,
diff --git a/apparmor.d/profiles-g-l/hostname b/apparmor.d/profiles-g-l/hostname
index 15075dc3..814bd0b5 100644
--- a/apparmor.d/profiles-g-l/hostname
+++ b/apparmor.d/profiles-g-l/hostname
@@ -6,7 +6,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}bin/{hostname,domainname,ypdomainname,nisdomainname,nisdomainname}
+@{exec_path} = @{bin}/{hostname,domainname,ypdomainname,nisdomainname,nisdomainname}
 profile hostname @{exec_path} {
 include
 include
diff --git a/apparmor.d/profiles-g-l/htop b/apparmor.d/profiles-g-l/htop
index 7489aec1..b624b7c6 100644
--- a/apparmor.d/profiles-g-l/htop
+++ b/apparmor.d/profiles-g-l/htop
@@ -7,7 +7,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}bin/htop
+@{exec_path} = @{bin}/htop
 profile htop @{exec_path} {
 include
 include
@@ -25,7 +25,7 @@ profile htop @{exec_path} {
 @{exec_path} mr,
- /{usr/,}bin/lsof rix,
+ @{bin}/lsof rix,
 /usr/share/terminfo/x/xterm-256color r,
diff --git a/apparmor.d/profiles-g-l/hugeadm b/apparmor.d/profiles-g-l/hugeadm
index 60d0fb7f..221ec704 100644
--- a/apparmor.d/profiles-g-l/hugeadm
+++ b/apparmor.d/profiles-g-l/hugeadm
@@ -6,7 +6,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}bin/hugeadm
+@{exec_path} = @{bin}/hugeadm
 profile hugeadm @{exec_path} {
 include
 include
diff --git a/apparmor.d/profiles-g-l/hugo b/apparmor.d/profiles-g-l/hugo
index 611d164e..9ccd2f26 100644
--- a/apparmor.d/profiles-g-l/hugo
+++ b/apparmor.d/profiles-g-l/hugo
@@ -7,7 +7,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}bin/hugo
+@{exec_path} = @{bin}/hugo
 profile hugo @{exec_path} {
 include
 include
@@ -21,9 +21,9 @@ profile hugo @{exec_path} {
 @{exec_path} mr,
- /{usr/,}bin/git rix,
- /{usr/,}lib/go/bin/go rix,
- /{usr/,}lib/git-core/git-remote-http rix,
+ @{bin}/git rix,
+ @{lib}/go/bin/go rix,
+ @{lib}/git-core/git-remote-http rix,
 /usr/share/git-core/{,**} r,
 /usr/share/mime/{,**} r,
diff --git a/apparmor.d/profiles-g-l/hw-probe b/apparmor.d/profiles-g-l/hw-probe
index 962ec0dd..b908e8a5 100644
--- a/apparmor.d/profiles-g-l/hw-probe
+++ b/apparmor.d/profiles-g-l/hw-probe
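Review bot: The rewritten `@{exec_path}` line in the hostname hunk lists `nisdomainname` twice, `@{exec_path} = @{bin}/{hostname,domainname,ypdomainname,nisdomainname,nisdomainname}`; the duplicate is harmless to the matcher but reads like a typo for another member of the hostname link family (presumably `dnsdomainname`, to be confirmed against what the package installs), and whichever binary was meant is currently not attached to this profile. Since the commit touches this line anyway, it is a cheap moment to fix it, e.g. `@{exec_path} = @{bin}/{hostname,domainname,ypdomainname,nisdomainname,dnsdomainname}` once the link set has been checked. The hunk's `---` header is on the previous physical line; the hunk itself is complete here.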
@@ -6,7 +6,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}bin/hw-probe
+@{exec_path} = @{bin}/hw-probe
 profile hw-probe @{exec_path} {
 include
 include
@@ -17,72 +17,72 @@ profile hw-probe @{exec_path} {
 network inet6 dgram,
 @{exec_path} r,
- /{usr/,}bin/perl r,
+ @{bin}/perl r,
- /{usr/,}bin/pwd rix,
- /{usr/,}bin/{,e}grep rix,
- /{usr/,}bin/{,ba,da}sh rix,
- /{usr/,}bin/{m,g,}awk rix,
- /{usr/,}bin/sleep rix,
- /{usr/,}bin/md5sum rix,
- /{usr/,}bin/uname rix,
+ @{bin}/pwd rix,
+ @{bin}/{,e}grep rix,
+ @{bin}/{,ba,da}sh rix,
+ @{bin}/{m,g,}awk rix,
+ @{bin}/sleep rix,
+ @{bin}/md5sum rix,
+ @{bin}/uname rix,
- /{usr/,}bin/dd rix,
- /{usr/,}bin/tar rix,
+ @{bin}/dd rix,
+ @{bin}/tar rix,
- /{usr/,}bin/efivar rix,
- /{usr/,}bin/efibootmgr rix,
+ @{bin}/efivar rix,
+ @{bin}/efibootmgr rix,
- /{usr/,}bin/lsb_release rPx -> lsb_release,
- /{usr/,}bin/dpkg rPx -> child-dpkg,
+ @{bin}/lsb_release rPx -> lsb_release,
+ @{bin}/dpkg rPx -> child-dpkg,
- /{usr/,}{s,}bin/dkms rPx,
- /{usr/,}{s,}bin/fdisk rPx,
- /{usr/,}bin/upower rPx,
- /{usr/,}{s,}bin/hdparm rPx,
- /{usr/,}{s,}bin/smartctl rPx,
- /{usr/,}bin/sensors rPx,
- /{usr/,}bin/lsblk rPx,
- /{usr/,}bin/dmesg rPx,
- /{usr/,}bin/hciconfig rPx,
- /{usr/,}bin/uptime rPx,
- /{usr/,}{s,}bin/rfkill rPx,
- /{usr/,}{s,}bin/biosdecode rPx,
- /{usr/,}{s,}bin/dmidecode rPx,
- /{usr/,}bin/edid-decode rPx,
- /{usr/,}bin/cpupower rPx,
- /{usr/,}bin/acpi rPx,
- /{usr/,}bin/lspci rPx,
- /{usr/,}bin/lscpu rPx,
- /{usr/,}bin/lsusb rPx,
- /{usr/,}bin/usb-devices rPx,
- /{usr/,}{s,}bin/hwinfo rPx,
- /{usr/,}bin/glxinfo rPx,
- /{usr/,}{s,}bin/i2cdetect rPx,
- /{usr/,}bin/glxgears rPx,
- /{usr/,}{s,}bin/memtester rPx,
- /{usr/,}bin/xrandr rPx,
- /{usr/,}bin/inxi rPx,
- /{usr/,}bin/aplay rPx,
- /{usr/,}bin/amixer rPx,
- /{usr/,}bin/xdpyinfo rPx,
- /{usr/,}bin/df rPx,
- /{usr/,}bin/cpuid rPx,
- /{usr/,}bin/xinput rPx,
+ @{bin}/acpi rPx,
+ @{bin}/amixer rPx,
+ @{bin}/aplay rPx,
+ @{bin}/biosdecode rPx,
+ @{bin}/cpuid rPx,
+ @{bin}/cpupower rPx,
+ @{bin}/df rPx,
+ @{bin}/dkms rPx,
+ @{bin}/dmesg rPx,
+ @{bin}/dmidecode rPx,
+ @{bin}/edid-decode rPx,
+ @{bin}/fdisk rPx,
+ @{bin}/glxgears rPx,
+ @{bin}/glxinfo rPx,
+ @{bin}/hciconfig rPx,
+ @{bin}/hdparm rPx,
+ @{bin}/hwinfo rPx,
+ @{bin}/i2cdetect rPx,
+ @{bin}/inxi rPx,
+ @{bin}/lsblk rPx,
+ @{bin}/lscpu rPx,
+ @{bin}/lspci rPx,
+ @{bin}/lsusb rPx,
+ @{bin}/memtester rPx,
+ @{bin}/rfkill rPx,
+ @{bin}/sensors rPx,
+ @{bin}/smartctl rPx,
+ @{bin}/upower rPx,
+ @{bin}/uptime rPx,
+ @{bin}/usb-devices rPx,
+ @{bin}/xdpyinfo rPx,
+ @{bin}/xinput rPx,
+ @{bin}/xrandr rPx,
- /{usr/,}bin/systemctl rPx -> child-systemctl,
+ @{bin}/systemctl rPx -> child-systemctl,
- /{usr/,}bin/find rCx -> find,
- /{usr/,}bin/journalctl rCx -> journalctl,
- /{usr/,}bin/systemd-analyze rCx -> systemd-analyze,
- /{usr/,}bin/killall rCx -> killall,
- /{usr/,}bin/udevadm rCx -> udevadm,
- /{usr/,}bin/kmod rCx -> kmod,
- /{usr/,}{s,}bin/iw rCx -> netconfig,
- /{usr/,}{s,}bin/ifconfig rCx -> netconfig,
- /{usr/,}{s,}bin/iwconfig rCx -> netconfig,
- /{usr/,}{s,}bin/ethtool rCx -> netconfig,
- /{usr/,}bin/curl rCx -> curl,
+ @{bin}/curl rCx -> curl,
+ @{bin}/ethtool rCx -> netconfig,
+ @{bin}/find rCx -> find,
+ @{bin}/ifconfig rCx -> netconfig,
+ @{bin}/iw rCx -> netconfig,
+ @{bin}/iwconfig rCx -> netconfig,
+ @{bin}/journalctl rCx -> journalctl,
+ @{bin}/killall rCx -> killall,
+ @{bin}/kmod rCx -> kmod,
+ @{bin}/systemd-analyze rCx -> systemd-analyze,
+ @{bin}/udevadm rCx -> udevadm,
 owner /root/HW_PROBE/{,**} rw,
@@ -117,7 +117,7 @@ profile hw-probe @{exec_path} {
 capability dac_read_search,
- /{usr/,}bin/find mr,
+ @{bin}/find mr,
 /dev/{,**} r,
@@ -128,7 +128,7 @@ profile hw-probe @{exec_path} {
 profile journalctl {
 include
- /{usr/,}bin/journalctl mr,
+ @{bin}/journalctl mr,
 @{run}/log/ rw,
 /{run,var}/log/journal/ rw,
@@ -147,7 +147,7 @@ profile hw-probe @{exec_path} {
 profile systemd-analyze {
 include
- /{usr/,}bin/systemd-analyze mr,
+ @{bin}/systemd-analyze mr,
 owner @{PROC}/@{pid}/stat r,
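Review bot: The big hw-probe hunk (`@@ -17,72 +17,72 @@`) folds two different old patterns into one spelling: rules that were `/{usr/,}{s,}bin/...` (dkms, fdisk, hdparm, smartctl, rfkill, biosdecode, dmidecode, hwinfo, i2cdetect, memtester, iw, ifconfig, iwconfig, ethtool) and rules that were `/{usr/,}bin/...` now all read `@{bin}/...`. Assuming `@{bin}` is defined in the tunables as `/{,usr/}{,s}bin` (the definition is not in this diff), the former are unchanged but every former `bin`-only rule now also matches the `sbin` spelling; for the `rPx` lines this is harmless because a transition still requires a loaded target profile, but the inherited `rix` lines such as `@{bin}/dd rix,` and `@{bin}/tar rix,` gain `/sbin` and `/usr/sbin` variants that did not exist before. A sentence in the commit message stating that the `{,s}bin` widening is deliberate would keep later readers from treating it as accidental. The alphabetical reorder looks lossless: 33 `rPx` and 11 `rCx` targets appear on both sides.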
@@ -162,7 +162,7 @@ profile hw-probe @{exec_path} {
 ptrace (read),
- /{usr/,}bin/killall mr,
+ @{bin}/killall mr,
 # The /proc/ dir is needed to avoid the following error:
 # /proc: Permission denied
@@ -174,7 +174,7 @@ profile hw-probe @{exec_path} {
 profile udevadm {
 include
- /{usr/,}bin/udevadm mr,
+ @{bin}/udevadm mr,
 /etc/udev/udev.conf r,
@@ -196,7 +196,7 @@ profile hw-probe @{exec_path} {
 profile kmod {
 include
- /{usr/,}bin/kmod mr,
+ @{bin}/kmod mr,
 @{PROC}/cmdline r,
 @{PROC}/modules r,
@@ -221,10 +221,10 @@ profile hw-probe @{exec_path} {
 network appletalk dgram,
 network netlink raw,
- /{usr/,}{s,}bin/iw mr,
- /{usr/,}{s,}bin/ifconfig mr,
- /{usr/,}{s,}bin/iwconfig mr,
- /{usr/,}{s,}bin/ethtool mr,
+ @{bin}/iw mr,
+ @{bin}/ifconfig mr,
+ @{bin}/iwconfig mr,
+ @{bin}/ethtool mr,
 owner @{PROC}/@{pid}/net/if_inet6 r,
 owner @{PROC}/@{pid}/net/dev r,
@@ -237,7 +237,7 @@ profile hw-probe @{exec_path} {
 include
 include
- /{usr/,}bin/curl mr,
+ @{bin}/curl mr,
 }
diff --git a/apparmor.d/profiles-g-l/hwinfo b/apparmor.d/profiles-g-l/hwinfo
index 1994ae75..92f8a891 100644
--- a/apparmor.d/profiles-g-l/hwinfo
+++ b/apparmor.d/profiles-g-l/hwinfo
@@ -6,7 +6,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}{s,}bin/hwinfo
+@{exec_path} = @{bin}/hwinfo
 profile hwinfo @{exec_path} {
 include
 include
@@ -31,12 +31,12 @@ profile hwinfo @{exec_path} {
 @{exec_path} mr,
- /{usr/,}bin/{,ba,da}sh rix,
+ @{bin}/{,ba,da}sh rix,
- /{usr/,}bin/kmod rCx -> kmod,
- /{usr/,}bin/udevadm rCx -> udevadm,
+ @{bin}/kmod rCx -> kmod,
+ @{bin}/udevadm rCx -> udevadm,
- /{usr/,}{s,}bin/dmraid rPUx,
+ @{bin}/dmraid rPUx,
 @{PROC}/version r,
 @{PROC}/cmdline r,
@@ -77,7 +77,7 @@ profile hwinfo @{exec_path} {
 profile kmod {
 include
- /{usr/,}bin/kmod mr,
+ @{bin}/kmod mr,
 /etc/modprobe.d/{,*.conf} r,
@@ -94,7 +94,7 @@ profile hwinfo @{exec_path} {
 profile udevadm {
 include
- /{usr/,}bin/udevadm mr,
+ @{bin}/udevadm mr,
 /etc/udev/udev.conf r,
diff --git a/apparmor.d/profiles-g-l/hypnotix b/apparmor.d/profiles-g-l/hypnotix
index f857e080..e22905fd 100644
--- a/apparmor.d/profiles-g-l/hypnotix
+++ b/apparmor.d/profiles-g-l/hypnotix
@@ -7,8 +7,8 @@ abi ,
 include
-@{exec_path} = /{usr/,}bin/hypnotix
-@{exec_path} += /{usr/,}lib/hypnotix/hypnotix.py
+@{exec_path} = @{bin}/hypnotix
+@{exec_path} += @{lib}/hypnotix/hypnotix.py
 profile hypnotix @{exec_path} {
 include
 include
@@ -36,17 +36,17 @@ profile hypnotix @{exec_path} {
 network netlink raw,
 @{exec_path} rix,
- /{usr/,}bin/python3.[0-9]* r,
+ @{bin}/python3.[0-9]* r,
- /{usr/,}{s,}bin/ldconfig rix,
- /{usr/,}bin/{,ba,da}sh rix,
- /{usr/,}bin/mkdir rix,
+ @{bin}/{,ba,da}sh rix,
+ @{bin}/ldconfig rix,
+ @{bin}/mkdir rix,
- /{usr/,}bin/xdg-screensaver rCx -> xdg-screensaver,
+ @{bin}/xdg-screensaver rCx -> xdg-screensaver,
- /{usr/,}bin/youtube-dl rPUx,
- /{usr/,}bin/yt-dlp rPUx,
- /{usr/,}lib/firefox/firefox rPx,
+ @{bin}/youtube-dl rPUx,
+ @{bin}/yt-dlp rPUx,
+ @{lib}/firefox/firefox rPx,
 /usr/share/hypnotix/{,**} r,
 /usr/share/glib-2.0/schemas/gschemas.compiled r,
@@ -69,22 +69,22 @@ profile hypnotix @{exec_path} {
 /dev/ r,
 # Silencer
- deny /{usr/,}lib/hypnotix/** w,
+ deny @{lib}/hypnotix/** w,
 profile xdg-screensaver {
 include
 include
- /{usr/,}bin/xdg-screensaver mr,
+ @{bin}/xdg-screensaver mr,
- /{usr/,}bin/{,ba,da}sh rix,
- /{usr/,}bin/mv rix,
- /{usr/,}bin/{,e}grep rix,
- /{usr/,}bin/sed rix,
- /{usr/,}bin/which{,.debianutils} rix,
- /{usr/,}bin/xset rix,
- /{usr/,}bin/xautolock rix,
- /{usr/,}bin/dbus-send rix,
+ @{bin}/{,ba,da}sh rix,
+ @{bin}/mv rix,
+ @{bin}/{,e}grep rix,
+ @{bin}/sed rix,
+ @{bin}/which{,.debianutils} rix,
+ @{bin}/xset rix,
+ @{bin}/xautolock rix,
+ @{bin}/dbus-send rix,
 owner @{HOME}/.Xauthority r,
diff --git a/apparmor.d/profiles-g-l/i2cdetect b/apparmor.d/profiles-g-l/i2cdetect
index 65886e1f..ce7b8f5a 100644
--- a/apparmor.d/profiles-g-l/i2cdetect
+++ b/apparmor.d/profiles-g-l/i2cdetect
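Review bot: `@{bin}/youtube-dl rPUx,` and `@{bin}/yt-dlp rPUx,` in the second hypnotix hunk (`@@ -36,17 +36,17 @@`) fall back to running unconfined whenever no profile for the target is loaded, so a downloader that is fed attacker-chosen stream URLs and remote metadata can end up with no confinement at all, launched from inside an otherwise confined GUI app. The same hunk already uses the fail-closed form for the browser, `@{lib}/firefox/firefox rPx,`; if this repository ships youtube-dl/yt-dlp profiles (not visible here), `rPx` on those two lines gives the same guarantee, and if it does not, a comment above them stating that the unconfined fallback is accepted and why would make the choice reviewable. The enclosing profile body continues past the hunk.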
@@ -6,7 +6,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}{s,}bin/i2cdetect
+@{exec_path} = @{bin}/i2cdetect
 profile i2cdetect @{exec_path} {
 include
diff --git a/apparmor.d/profiles-g-l/i3lock b/apparmor.d/profiles-g-l/i3lock
index be43f574..1932029d 100644
--- a/apparmor.d/profiles-g-l/i3lock
+++ b/apparmor.d/profiles-g-l/i3lock
@@ -6,7 +6,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}bin/i3lock
+@{exec_path} = @{bin}/i3lock
 profile i3lock @{exec_path} {
 include
 include
@@ -19,7 +19,7 @@ profile i3lock @{exec_path} {
 @{exec_path} mr,
- /{usr/,}sbin/unix_chkpwd rPx,
+ @{bin}/unix_chkpwd rPx,
 owner @{HOME}/.Xauthority r,
diff --git a/apparmor.d/profiles-g-l/i3lock-fancy b/apparmor.d/profiles-g-l/i3lock-fancy
index 7d692d61..81f544d6 100644
--- a/apparmor.d/profiles-g-l/i3lock-fancy
+++ b/apparmor.d/profiles-g-l/i3lock-fancy
@@ -6,7 +6,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}bin/i3lock-fancy
+@{exec_path} = @{bin}/i3lock-fancy
 profile i3lock-fancy @{exec_path} {
 include
 include
@@ -14,22 +14,22 @@ profile i3lock-fancy @{exec_path} {
 include
 @{exec_path} r,
- /{usr/,}bin/{,ba,da}sh rix,
+ @{bin}/{,ba,da}sh rix,
- /{usr/,}bin/rm rix,
- /{usr/,}bin/fc-match rix,
- /{usr/,}bin/getopt rix,
- /{usr/,}bin/mktemp rix,
- /{usr/,}bin/{m,g,}awk rix,
- /{usr/,}bin/basename rix,
- /{usr/,}bin/env rix,
+ @{bin}/rm rix,
+ @{bin}/fc-match rix,
+ @{bin}/getopt rix,
+ @{bin}/mktemp rix,
+ @{bin}/{m,g,}awk rix,
+ @{bin}/basename rix,
+ @{bin}/env rix,
- /{usr/,}bin/i3lock rPx,
- /{usr/,}bin/xrandr rPx,
+ @{bin}/i3lock rPx,
+ @{bin}/xrandr rPx,
- /{usr/,}bin/convert-im6.q16 rCx -> imagemagic,
- /{usr/,}bin/import-im6.q16 rCx -> imagemagic,
- /{usr/,}bin/scrot rCx -> imagemagic,
+ @{bin}/convert-im6.q16 rCx -> imagemagic,
+ @{bin}/import-im6.q16 rCx -> imagemagic,
+ @{bin}/scrot rCx -> imagemagic,
 owner /tmp/tmp.*.png rw,
 owner /tmp/tmp.* rw,
@@ -46,9 +46,9 @@ profile i3lock-fancy @{exec_path} {
 include
 include
- /{usr/,}bin/convert-im6.q16 mr,
- /{usr/,}bin/import-im6.q16 mr,
- /{usr/,}bin/scrot mr,
+ @{bin}/convert-im6.q16 mr,
+ @{bin}/import-im6.q16 mr,
+ @{bin}/scrot mr,
 /usr/share/ImageMagick-[0-9]/*.xml r,
 /etc/ImageMagick-[0-9]/*.xml r,
diff --git a/apparmor.d/profiles-g-l/id b/apparmor.d/profiles-g-l/id
index f8839e02..e8e7c140 100644
--- a/apparmor.d/profiles-g-l/id
+++ b/apparmor.d/profiles-g-l/id
@@ -6,7 +6,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}bin/id
+@{exec_path} = @{bin}/id
 profile id @{exec_path} {
 include
 include
diff --git a/apparmor.d/profiles-g-l/ifconfig b/apparmor.d/profiles-g-l/ifconfig
index 8f5d0cf0..df9d8c9e 100644
--- a/apparmor.d/profiles-g-l/ifconfig
+++ b/apparmor.d/profiles-g-l/ifconfig
@@ -6,7 +6,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}{s,}bin/ifconfig
+@{exec_path} = @{bin}/ifconfig
 profile ifconfig @{exec_path} {
 include
 include
diff --git a/apparmor.d/profiles-g-l/ifup b/apparmor.d/profiles-g-l/ifup
index 7e4f6850..e7c17b40 100644
--- a/apparmor.d/profiles-g-l/ifup
+++ b/apparmor.d/profiles-g-l/ifup
@@ -7,7 +7,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}{s,}bin/{ifup,ifdown,ifquery}
+@{exec_path} = @{bin}/{ifup,ifdown,ifquery}
 profile ifup @{exec_path} {
 include
@@ -18,21 +18,21 @@ profile ifup @{exec_path} {
 @{exec_path} mr,
- /{usr/,}{s,}bin/route rix,
- /{usr/,}bin/{,ba,da}sh rix,
- /{usr/,}bin/ip rix,
- /{usr/,}bin/seq rix,
- /{usr/,}bin/sleep rix,
- /{usr/,}bin/wc rix,
+ @{bin}/{,ba,da}sh rix,
+ @{bin}/ip rix,
+ @{bin}/route rix,
+ @{bin}/seq rix,
+ @{bin}/sleep rix,
+ @{bin}/wc rix,
- /{usr/,}{s,}bin/dhclient rPx,
- /{usr/,}bin/macchanger rPx,
+ @{bin}/dhclient rPx,
+ @{bin}/macchanger rPx,
- /{usr/,}lib/ifupdown/*.sh rix,
+ @{lib}/ifupdown/*.sh rix,
- /{usr/,}bin/run-parts rCx -> run-parts,
- /{usr/,}bin/kmod rCx -> kmod,
- /{usr/,}{s,}bin/sysctl rCx -> sysctl,
+ @{bin}/run-parts rCx -> run-parts,
+ @{bin}/kmod rCx -> kmod,
+ @{bin}/sysctl rCx -> sysctl,
 /etc/network/interfaces r,
 /etc/network/interfaces.d/{,*} r,
@@ -50,9 +50,9 @@ profile ifup @{exec_path} {
 profile run-parts {
 include
- /{usr/,}bin/run-parts mr,
+ @{bin}/run-parts mr,
- /{usr/,}lib/bridge-utils/ifupdown.sh rPUx,
+ @{lib}/bridge-utils/ifupdown.sh rPUx,
 /etc/network/if-down.d/ r,
 /etc/network/if-down.d/resolvconf rPUx,
@@ -95,7 +95,7 @@ profile ifup @{exec_path} {
 profile kmod {
 include
- /{usr/,}bin/kmod mr,
+ @{bin}/kmod mr,
 @{sys}/module/** r,
@@ -115,7 +115,7 @@ profile ifup @{exec_path} {
 capability sys_admin,
 # capability sys_resource,
- /{usr/,}{s,}bin/sysctl mr,
+ @{bin}/sysctl mr,
 @{PROC}/sys/ r,
 @{PROC}/sys/** r,
diff --git a/apparmor.d/profiles-g-l/im-launch b/apparmor.d/profiles-g-l/im-launch
index adb5713a..755ac411 100644
--- a/apparmor.d/profiles-g-l/im-launch
+++ b/apparmor.d/profiles-g-l/im-launch
@@ -6,20 +6,20 @@ abi ,
 include
-@{exec_path} = /{usr/,}bin/im-launch
+@{exec_path} = @{bin}/im-launch
 profile im-launch @{exec_path} {
 include
 @{exec_path} mr,
- /{usr/,}bin/{,ba,da}sh rix,
- /{usr/,}bin/gnome-session rix,
- /{usr/,}bin/env rix,
- /{usr/,}bin/locale rix,
- /{usr/,}bin/gettext{,.sh} rix,
- /{usr/,}bin/true rix,
- /{usr/,}bin/sed rix,
- /{usr/,}bin/dpkg-query rpx,
+ @{bin}/{,ba,da}sh rix,
+ @{bin}/gnome-session rix,
+ @{bin}/env rix,
+ @{bin}/locale rix,
+ @{bin}/gettext{,.sh} rix,
+ @{bin}/true rix,
+ @{bin}/sed rix,
+ @{bin}/dpkg-query rpx,
 /usr/share/im-config/{,**} r,
diff --git a/apparmor.d/profiles-g-l/initd-kexec b/apparmor.d/profiles-g-l/initd-kexec
index 3724f75c..fa4d9e41 100644
--- a/apparmor.d/profiles-g-l/initd-kexec
+++ b/apparmor.d/profiles-g-l/initd-kexec
@@ -11,17 +11,17 @@ profile initd-kexec @{exec_path} {
 include
 @{exec_path} r,
- /{usr/,}bin/{,ba,da}sh rix,
+ @{bin}/{,ba,da}sh rix,
- /{usr/,}bin/cat rix,
- /{usr/,}bin/readlink rix,
- /{usr/,}bin/tput rix,
- /{usr/,}bin/echo rix,
+ @{bin}/cat rix,
+ @{bin}/readlink rix,
+ @{bin}/tput rix,
+ @{bin}/echo rix,
- /{usr/,}{s,}bin/kexec rPx,
+ @{bin}/kexec rPx,
- /{usr/,}bin/run-parts rCx -> run-parts,
- /{usr/,}bin/systemctl rCx -> systemctl,
+ @{bin}/run-parts rCx -> run-parts,
+ @{bin}/systemctl rCx -> systemctl,
 /etc/default/kexec r,
@@ -30,7 +30,7 @@ profile initd-kexec @{exec_path} {
 profile run-parts {
 include
- /{usr/,}bin/run-parts mr,
+ @{bin}/run-parts mr,
 /etc/default/kexec.d/ r,
@@ -43,9 +43,9 @@ profile initd-kexec @{exec_path} {
 ptrace (read),
- /{usr/,}bin/systemctl mr,
+ @{bin}/systemctl mr,
- /{usr/,}bin/systemd-tty-ask-password-agent rix,
+ @{bin}/systemd-tty-ask-password-agent rix,
 owner @{PROC}/@{pid}/stat r,
 owner @{PROC}/@{pid}/fd/ r,
diff --git a/apparmor.d/profiles-g-l/initd-kexec-load b/apparmor.d/profiles-g-l/initd-kexec-load
index 7ed9bc2f..cedad282 100644
--- a/apparmor.d/profiles-g-l/initd-kexec-load
+++ b/apparmor.d/profiles-g-l/initd-kexec-load
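Review bot: `@{bin}/dpkg-query rpx,` in the im-launch hunk uses lowercase `p`, an exec transition into the dpkg-query profile without scrubbing the environment, and unlike the identical rule in inxi it carries no comment saying why; im-launch is run on session startup, so leaking `LD_PRELOAD`/`LD_LIBRARY_PATH` and friends into the package-database reader buys nothing obvious. Unless im-launch depends on a preloaded library staying visible to dpkg-query (the reason inxi documents for its own `rpx`), the safe form is `@{bin}/dpkg-query rPx,`; if such a reason exists, add it above the line as inxi does, e.g. `# Do not strip env: im-config helpers rely on LD_PRELOAD being inherited`, phrased to match the real cause. The initd-kexec hunks that share this physical line look like pure path substitutions.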
@@ -11,23 +11,23 @@ profile initd-kexec-load @{exec_path} {
 include
 @{exec_path} r,
- /{usr/,}bin/{,ba,da}sh rix,
+ @{bin}/{,ba,da}sh rix,
- /{usr/,}bin/{,e}grep rix,
- /{usr/,}bin/cat rix,
- /{usr/,}bin/{m,g,}awk rix,
- /{usr/,}bin/cut rix,
- /{usr/,}bin/tail rix,
- /{usr/,}bin/sed rix,
-
 /{usr/,}bin/head rix,
- /{usr/,}bin/rm rix,
- /{usr/,}bin/readlink rix,
- /{usr/,}bin/tput rix,
+ @{bin}/{,e}grep rix,
+ @{bin}/cat rix,
+ @{bin}/{m,g,}awk rix,
+ @{bin}/cut rix,
+ @{bin}/tail rix,
+ @{bin}/sed rix,
+ @{bin}/head rix,
+ @{bin}/rm rix,
+ @{bin}/readlink rix,
+ @{bin}/tput rix,
- /{usr/,}{s,}bin/kexec rPx,
+ @{bin}/kexec rPx,
- /{usr/,}bin/run-parts rCx -> run-parts,
- /{usr/,}bin/systemctl rCx -> systemctl,
+ @{bin}/run-parts rCx -> run-parts,
+ @{bin}/systemctl rCx -> systemctl,
 /no-kexec-reboot rw,
@@ -43,7 +43,7 @@ profile initd-kexec-load @{exec_path} {
 profile run-parts {
 include
- /{usr/,}bin/run-parts mr,
+ @{bin}/run-parts mr,
 /etc/default/kexec.d/ r,
@@ -57,9 +57,9 @@ profile initd-kexec-load @{exec_path} {
 ptrace (read),
- /{usr/,}bin/systemctl mr,
+ @{bin}/systemctl mr,
- /{usr/,}bin/systemd-tty-ask-password-agent rix,
+ @{bin}/systemd-tty-ask-password-agent rix,
 owner @{PROC}/@{pid}/stat r,
 owner @{PROC}/@{pid}/fd/ r,
diff --git a/apparmor.d/profiles-g-l/initd-kmod b/apparmor.d/profiles-g-l/initd-kmod
index 7ef35736..2f81edd1 100644
--- a/apparmor.d/profiles-g-l/initd-kmod
+++ b/apparmor.d/profiles-g-l/initd-kmod
@@ -11,18 +11,18 @@ profile initd-kmod @{exec_path} {
 include
 @{exec_path} r,
- /{usr/,}bin/{,ba,da}sh rix,
+ @{bin}/{,ba,da}sh rix,
- /{usr/,}bin/readlink rix,
- /{usr/,}bin/tput rix,
- /{usr/,}bin/id rix,
- /{usr/,}bin/echo rix,
- /{usr/,}bin/{,e}grep rix,
+ @{bin}/readlink rix,
+ @{bin}/tput rix,
+ @{bin}/id rix,
+ @{bin}/echo rix,
+ @{bin}/{,e}grep rix,
- /{usr/,}bin/kmod rPx,
+ @{bin}/kmod rPx,
- /{usr/,}bin/run-parts rCx -> run-parts,
- /{usr/,}bin/systemctl rCx -> systemctl,
+ @{bin}/run-parts rCx -> run-parts,
+ @{bin}/systemctl rCx -> systemctl,
 /etc/modules-load.d/*.conf r,
 /etc/modules r,
@@ -31,7 +31,7 @@ profile initd-kmod @{exec_path} {
 profile run-parts {
 include
- /{usr/,}bin/run-parts mr,
+ @{bin}/run-parts mr,
 /etc/modules-load.d/ r,
@@ -44,9 +44,9 @@ profile initd-kmod @{exec_path} {
 ptrace (read),
- /{usr/,}bin/systemctl mr,
+ @{bin}/systemctl mr,
- /{usr/,}bin/systemd-tty-ask-password-agent rix,
+ @{bin}/systemd-tty-ask-password-agent rix,
 owner @{PROC}/@{pid}/stat r,
 owner @{PROC}/@{pid}/fd/ r,
diff --git a/apparmor.d/profiles-g-l/install-catalog b/apparmor.d/profiles-g-l/install-catalog
index 6c508b3c..6a0aba58 100644
--- a/apparmor.d/profiles-g-l/install-catalog
+++ b/apparmor.d/profiles-g-l/install-catalog
@@ -6,7 +6,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}bin/install-catalog
+@{exec_path} = @{bin}/install-catalog
 profile install-catalog @{exec_path} {
 include
@@ -14,12 +14,12 @@ profile install-catalog @{exec_path} {
 @{exec_path} mr,
- /{usr/,}bin/{,ba}sh rix,
- /{usr/,}bin/basename rix,
- /{usr/,}bin/grep rix,
- /{usr/,}bin/mv rix,
- /{usr/,}bin/rm rix,
- /{usr/,}bin/sed rix,
+ @{bin}/{,ba}sh rix,
+ @{bin}/basename rix,
+ @{bin}/grep rix,
+ @{bin}/mv rix,
+ @{bin}/rm rix,
+ @{bin}/sed rix,
 /etc/sgml/catalog{,.new} rw,
 /etc/sgml/sgml-docbook.cat{,.new} rw,
diff --git a/apparmor.d/profiles-g-l/install-info b/apparmor.d/profiles-g-l/install-info
index 997a523e..b1ba9646 100644
--- a/apparmor.d/profiles-g-l/install-info
+++ b/apparmor.d/profiles-g-l/install-info
@@ -6,7 +6,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}bin/install-info
+@{exec_path} = @{bin}/install-info
 profile install-info @{exec_path} {
 include
 include
@@ -15,8 +15,8 @@ profile install-info @{exec_path} {
 @{exec_path} mr,
- /{usr/,}bin/{,ba,da}sh rix,
- /{usr/,}bin/gzip rix,
+ @{bin}/{,ba,da}sh rix,
+ @{bin}/gzip rix,
 /usr/share/info/{,**} r,
 /usr/share/info/dir rw,
diff --git a/apparmor.d/profiles-g-l/install-printerdriver b/apparmor.d/profiles-g-l/install-printerdriver
index f2b2f512..a6e13cf7 100644
--- a/apparmor.d/profiles-g-l/install-printerdriver
+++ b/apparmor.d/profiles-g-l/install-printerdriver
@@ -6,7 +6,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}bin/install-printerdriver
+@{exec_path} = @{bin}/install-printerdriver
 @{exec_path} += /usr/share/system-config-printer/install-printerdriver.py
 profile install-printerdriver @{exec_path} flags=(complain) {
 include
@@ -14,8 +14,8 @@ profile install-printerdriver @{exec_path} flags=(complain) {
 @{exec_path} mrix,
- /{usr/,}bin/{,ba,da}sh rix,
- /{usr/,}bin/python3.[0-9]* r,
+ @{bin}/{,ba,da}sh rix,
+ @{bin}/python3.[0-9]* r,
 /usr/share/system-config-printer/{,**} r,
diff --git a/apparmor.d/profiles-g-l/inxi b/apparmor.d/profiles-g-l/inxi
index e155345d..e1cfaef8 100644
--- a/apparmor.d/profiles-g-l/inxi
+++ b/apparmor.d/profiles-g-l/inxi
@@ -6,7 +6,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}bin/inxi
+@{exec_path} = @{bin}/inxi
 profile inxi @{exec_path} {
 include
 include
@@ -20,52 +20,52 @@ profile inxi @{exec_path} {
 network netlink raw,
 @{exec_path} r,
- /{usr/,}bin/perl r,
+ @{bin}/perl r,
- /{usr/,}bin/ r,
- /{usr/,}bin/{,ba,da}sh rix,
- /{usr/,}bin/zsh rix,
- /{usr/,}bin/tty rix,
- /{usr/,}bin/tput rix,
- /{usr/,}bin/getconf rix,
- /{usr/,}bin/file rix,
+ @{bin}/ r,
+ @{bin}/{,ba,da}sh rix,
+ @{bin}/zsh rix,
+ @{bin}/tty rix,
+ @{bin}/tput rix,
+ @{bin}/getconf rix,
+ @{bin}/file rix,
- /{usr/,}lib/llvm-[0-9]*/bin/clang rix,
- /{usr/,}bin/{,@{multiarch}-}gcc-[0-9]* rix,
+ @{lib}/llvm-[0-9]*/bin/clang rix,
+ @{bin}/{,@{multiarch}-}gcc-[0-9]* rix,
- /{usr/,}bin/ip rCx -> ip,
- /{usr/,}lib/systemd/systemd rCx -> systemd,
- /{usr/,}bin/kmod rCx -> kmod,
- /{usr/,}bin/udevadm rCx -> udevadm,
+ @{bin}/ip rCx -> ip,
+ @{lib}/systemd/systemd rCx -> systemd,
+ @{bin}/kmod rCx -> kmod,
+ @{bin}/udevadm rCx -> udevadm,
- /{usr/,}bin/systemctl rPx -> child-systemctl,
+ @{bin}/systemctl rPx -> child-systemctl,
 # Do not strip env to avoid errors like the following:
 # ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open
 # shared object file): ignored.
- /{usr/,}bin/dpkg-query rpx,
+ @{bin}/dpkg-query rpx,
- /{usr/,}bin/compton rPx,
- /{usr/,}bin/xrandr rPx,
- /{usr/,}bin/glxinfo rPx,
- /{usr/,}bin/lspci rPx,
- /{usr/,}bin/lsusb rPx,
- /{usr/,}bin/lsblk rPx,
- /{usr/,}bin/sensors rPx,
- /{usr/,}bin/uptime rPx,
- /{usr/,}{s,}bin/dmidecode rPx,
- /{usr/,}bin/xdpyinfo rPx,
- /{usr/,}bin/who rPx,
- /{usr/,}bin/xprop rPx,
- /{usr/,}bin/df rPx,
- /{usr/,}{s,}bin/blockdev rPx,
- /{usr/,}bin/dig rPx,
- /{usr/,}bin/ps rPx,
- /{usr/,}bin/sudo rPx,
- /{usr/,}bin/openbox rPx,
- /{usr/,}bin/xset rPx,
- /{usr/,}{s,}bin/smartctl rPx,
- /{usr/,}{s,}bin/hddtemp rPx,
+ @{bin}/blockdev rPx,
+ @{bin}/compton rPx,
+ @{bin}/df rPx,
+ @{bin}/dig rPx,
+ @{bin}/dmidecode rPx,
+ @{bin}/glxinfo rPx,
+ @{bin}/hddtemp rPx,
+ @{bin}/lsblk rPx,
+ @{bin}/lspci rPx,
+ @{bin}/lsusb rPx,
+ @{bin}/openbox rPx,
+ @{bin}/ps rPx,
+ @{bin}/sensors rPx,
+ @{bin}/smartctl rPx,
+ @{bin}/sudo rPx,
+ @{bin}/uptime rPx,
+ @{bin}/who rPx,
+ @{bin}/xdpyinfo rPx,
+ @{bin}/xprop rPx,
+ @{bin}/xrandr rPx,
+ @{bin}/xset rPx,
 /etc/ r,
 /etc/inxi.conf r,
@@ -118,7 +118,7 @@ profile inxi @{exec_path} {
 network netlink raw,
- /{usr/,}bin/ip mr,
+ @{bin}/ip mr,
 @{sys}/devices/pci[0-9]*/**/net/*/{duplex,address,speed,operstate} r,
@@ -129,7 +129,7 @@ profile inxi @{exec_path} {
 profile systemd {
 include
- /{usr/,}lib/systemd/systemd mr,
+ @{lib}/systemd/systemd mr,
 /etc/systemd/user.conf r,
@@ -143,7 +143,7 @@ profile inxi @{exec_path} {
 profile udevadm {
 include
- /{usr/,}bin/udevadm mr,
+ @{bin}/udevadm mr,
 /etc/udev/udev.conf r,
@@ -161,7 +161,7 @@ profile inxi @{exec_path} {
 profile kmod {
 include
- /{usr/,}bin/kmod mr,
+ @{bin}/kmod mr,
 @{PROC}/cmdline r,
 @{PROC}/modules r,
diff --git a/apparmor.d/profiles-g-l/ioping b/apparmor.d/profiles-g-l/ioping
index 69fac18a..112046b4 100644
--- a/apparmor.d/profiles-g-l/ioping
+++ b/apparmor.d/profiles-g-l/ioping
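Review bot: The reordered rPx list in the inxi hunk (`@@ -20,52 +20,52 @@`, which began on the previous physical line) keeps `@{bin}/sudo rPx,` among twenty hardware-query tools without any comment; letting an inventory tool transition into the sudo profile is the one privilege-escalation edge in this profile and deserves a stated reason, since a reader sorting the list will not know whether it is load-bearing. inxi does appear to call sudo for a few root-only probes (hddtemp/smartctl, to be confirmed against the inxi source), so if that is the case a line such as `# inxi invokes sudo for smartctl/hddtemp when run unprivileged` above the entry documents it; if that use is not wanted, dropping the rule makes the exec fail closed. The 21 `rPx` targets are the same on both sides of the reorder. The enclosing profile body continues past the hunk.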
@@ -6,7 +6,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}bin/ioping
+@{exec_path} = @{bin}/ioping
 profile ioping @{exec_path} {
 include
 include
diff --git a/apparmor.d/profiles-g-l/iotop b/apparmor.d/profiles-g-l/iotop
index a40de22a..32a28bc5 100644
--- a/apparmor.d/profiles-g-l/iotop
+++ b/apparmor.d/profiles-g-l/iotop
@@ -6,7 +6,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}{s,}bin/iotop
+@{exec_path} = @{bin}/iotop
 profile iotop @{exec_path} {
 include
 include
@@ -19,11 +19,11 @@ profile iotop @{exec_path} {
 capability sys_nice,
 @{exec_path} r,
- /{usr/,}bin/python3.[0-9]* r,
+ @{bin}/python3.[0-9]* r,
- /{usr/,}bin/file rix,
+ @{bin}/file rix,
- /{usr/,}{s,}bin/ r,
+ @{bin}/ r,
 @{PROC}/ r,
 @{PROC}/vmstat r,
diff --git a/apparmor.d/profiles-g-l/ip b/apparmor.d/profiles-g-l/ip
index bf0cc3ff..e6faeaff 100644
--- a/apparmor.d/profiles-g-l/ip
+++ b/apparmor.d/profiles-g-l/ip
@@ -7,7 +7,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}{s,}bin/ip
+@{exec_path} = @{bin}/ip
 profile ip @{exec_path} flags=(attach_disconnected) {
 include
 include
diff --git a/apparmor.d/profiles-g-l/ipcalc b/apparmor.d/profiles-g-l/ipcalc
index 11e14948..0c485112 100644
--- a/apparmor.d/profiles-g-l/ipcalc
+++ b/apparmor.d/profiles-g-l/ipcalc
@@ -6,13 +6,13 @@ abi ,
 include
-@{exec_path} = /{usr/,}bin/ipcalc
+@{exec_path} = @{bin}/ipcalc
 profile ipcalc @{exec_path} {
 include
 include
 @{exec_path} r,
- /{usr/,}bin/perl r,
+ @{bin}/perl r,
 include if exists
 }
diff --git a/apparmor.d/profiles-g-l/irqbalance b/apparmor.d/profiles-g-l/irqbalance
index a64f35fd..1c8d6cfb 100644
--- a/apparmor.d/profiles-g-l/irqbalance
+++ b/apparmor.d/profiles-g-l/irqbalance
@@ -6,7 +6,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}{s,}bin/irqbalance
+@{exec_path} = @{bin}/irqbalance
 profile irqbalance @{exec_path} {
 include
diff --git a/apparmor.d/profiles-g-l/iw b/apparmor.d/profiles-g-l/iw
index 6a1c85a5..ec0cac8c 100644
--- a/apparmor.d/profiles-g-l/iw
+++ b/apparmor.d/profiles-g-l/iw
@@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}{s,}bin/iw +@{exec_path} = @{bin}/iw profile iw @{exec_path} { include diff --git a/apparmor.d/profiles-g-l/iwconfig b/apparmor.d/profiles-g-l/iwconfig index aa636c58..85ade244 100644 --- a/apparmor.d/profiles-g-l/iwconfig +++ b/apparmor.d/profiles-g-l/iwconfig @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}{s,}bin/iwconfig +@{exec_path} = @{bin}/iwconfig profile iwconfig @{exec_path} { include diff --git a/apparmor.d/profiles-g-l/iwlist b/apparmor.d/profiles-g-l/iwlist index 44d677df..8082811b 100644 --- a/apparmor.d/profiles-g-l/iwlist +++ b/apparmor.d/profiles-g-l/iwlist @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}{s,}bin/iwlist +@{exec_path} = @{bin}/iwlist profile iwlist @{exec_path} { include diff --git a/apparmor.d/profiles-g-l/jami-gnome b/apparmor.d/profiles-g-l/jami-gnome index e47d18b9..80a0e919 100644 --- a/apparmor.d/profiles-g-l/jami-gnome +++ b/apparmor.d/profiles-g-l/jami-gnome @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/jami-gnome +@{exec_path} = @{bin}/jami-gnome profile jami-gnome @{exec_path} { include include @@ -38,8 +38,8 @@ profile jami-gnome @{exec_path} { owner @{HOME}/.local/share/webkitgtk/databases/indexeddb/v0 w, owner @{HOME}/.local/share/webkitgtk/databases/indexeddb/v1/ w, - /{usr/,}lib/@{multiarch}/webkit2gtk-4.0/WebKitNetworkProcess rix, - /{usr/,}lib/@{multiarch}/webkit2gtk-4.0/WebKitWebProcess rix, + @{lib}/@{multiarch}/webkit2gtk-4.0/WebKitNetworkProcess rix, + @{lib}/@{multiarch}/webkit2gtk-4.0/WebKitWebProcess rix, /usr/share/ring/{,**} r, /usr/share/sounds/jami-gnome/{,**} r, diff --git a/apparmor.d/profiles-g-l/jdownloader b/apparmor.d/profiles-g-l/jdownloader index 6d1b017a..e8154382 100644 --- a/apparmor.d/profiles-g-l/jdownloader +++ b/apparmor.d/profiles-g-l/jdownloader 
@@ -20,24 +20,24 @@ profile jdownloader @{exec_path} { @{exec_path} rix, - /{usr/,}bin/basename rix, - /{usr/,}bin/dirname rix, - /{usr/,}bin/expr rix, - /{usr/,}bin/cut rix, - /{usr/,}bin/ls rix, - /{usr/,}bin/{,e}grep rix, - /{usr/,}bin/find rix, - /{usr/,}bin/sed rix, - /{usr/,}bin/chmod rix, + @{bin}/basename rix, + @{bin}/dirname rix, + @{bin}/expr rix, + @{bin}/cut rix, + @{bin}/ls rix, + @{bin}/{,e}grep rix, + @{bin}/find rix, + @{bin}/sed rix, + @{bin}/chmod rix, - /{usr/,}bin/ffmpeg rPx, + @{bin}/ffmpeg rPx, # These are needed when the above tools are in some nonstandard locations - #/{usr/,}bin/which{,.debianutils} rix, + #@{bin}/which{,.debianutils} rix, #/usr/ r, #/usr/local/ r, - #/{usr/,}bin/ r, - #/{usr/,}lib/ r, + #@{bin}/ r, + #@{lib}/ r, deny /opt/ r, @@ -86,35 +86,35 @@ profile jdownloader @{exec_path} { deny @{PROC}/asound/version r, # For Reconnect -> Share Settings/Get Route - #/{usr/,}bin/netstat rix, - #/{usr/,}{s,}bin/route rix, - #/{usr/,}bin/ping rix, - #/{usr/,}bin/ip rix, + #@{bin}/netstat rix, + #@{bin}/route rix, + #@{bin}/ping rix, + #@{bin}/ip rix, #@{PROC}/@{pid}/net/route r, # To open a web browser for CAPTCHA - /{usr/,}bin/xdg-open rCx -> open, - /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop rCx -> open, + @{bin}/xdg-open rCx -> open, + @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rCx -> open, profile open { include include - /{usr/,}bin/xdg-open mr, - /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr, + @{bin}/xdg-open mr, + @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/{m,g,}awk rix, - /{usr/,}bin/readlink rix, - /{usr/,}bin/basename rix, + @{bin}/{,ba,da}sh rix, + @{bin}/{m,g,}awk rix, + @{bin}/readlink rix, + @{bin}/basename rix, owner @{HOME}/ r, owner @{run}/user/@{uid}/ r, # Allowed apps to open - /{usr/,}lib/firefox/firefox rPUx, + @{lib}/firefox/firefox rPUx, # file_inherit owner @{HOME}/.xsession-errors w, 
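Review bot: The rewritten exec list in this hunk keeps its original, unsorted order (`basename`, `dirname`, `expr`, `cut`, `ls`, …) while the same commit alphabetises the equivalent lists in the inxi, kodi, logrotate and lightdm profiles; since every line here is being rewritten anyway, sorting it now would keep the profiles consistent and make later diffs of this list smaller. The same applies to the kanyremote, kernel-install, jgmenu, lightworks and localepurge hunks further down. The commented-out rules (`#@{bin}/which{,.debianutils} rix`, `#@{bin}/ r`, `#@{lib}/ r`) were updated along with the live ones, which keeps them usable if they are ever re-enabled. The jdownloader profile body continues outside this hunk.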
diff --git a/apparmor.d/profiles-g-l/jekyll b/apparmor.d/profiles-g-l/jekyll index 1eb551d2..9daf41e3 100644 --- a/apparmor.d/profiles-g-l/jekyll +++ b/apparmor.d/profiles-g-l/jekyll @@ -7,18 +7,18 @@ abi , include -@{exec_path} = /{usr/,}bin/jekyll +@{exec_path} = @{bin}/jekyll profile jekyll @{exec_path} { include include include @{exec_path} r, - /{usr/,}bin/ruby[0-9].[0-9]* rix, + @{bin}/ruby[0-9].[0-9]* rix, - /{usr/,}lib/ruby/gems/*/specifications/ r, - /{usr/,}lib/ruby/gems/*/specifications/** r, - /{usr/,}lib/ruby/gems/*/specifications/**.gemspec rwk, + @{lib}/ruby/gems/*/specifications/ r, + @{lib}/ruby/gems/*/specifications/** r, + @{lib}/ruby/gems/*/specifications/**.gemspec rwk, /usr/share/rubygems-integration/*/specifications/ r, /usr/share/rubygems-integration/*/specifications/*.gemspec rwk, diff --git a/apparmor.d/profiles-g-l/jgmenu b/apparmor.d/profiles-g-l/jgmenu index d639e482..e236e673 100644 --- a/apparmor.d/profiles-g-l/jgmenu +++ b/apparmor.d/profiles-g-l/jgmenu @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/jgmenu{,_run} +@{exec_path} = @{bin}/jgmenu{,_run} profile jgmenu @{exec_path} { include include @@ -19,14 +19,14 @@ profile jgmenu @{exec_path} { @{exec_path} mrix, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/zsh rix, - /{usr/,}bin/mkdir rix, - /{usr/,}bin/find rix, - /{usr/,}bin/wc rix, - /{usr/,}bin/cat rix, + @{bin}/{,ba,da}sh rix, + @{bin}/zsh rix, + @{bin}/mkdir rix, + @{bin}/find rix, + @{bin}/wc rix, + @{bin}/cat rix, - /{usr/,}lib/jgmenu/jgmenu-* rix, + @{lib}/jgmenu/jgmenu-* rix, owner @{HOME}/ r, owner @{HOME}/.jgmenu-lockfile rwk, diff --git a/apparmor.d/profiles-g-l/jmtpfs b/apparmor.d/profiles-g-l/jmtpfs index e16b29c6..bb3b0e29 100644 --- a/apparmor.d/profiles-g-l/jmtpfs +++ b/apparmor.d/profiles-g-l/jmtpfs @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/jmtpfs +@{exec_path} = @{bin}/jmtpfs profile jmtpfs @{exec_path} { include include 
@@ -15,7 +15,7 @@ profile jmtpfs @{exec_path} { @{exec_path} mr, - /{usr/,}bin/fusermount{,3} rCx -> fusermount, + @{bin}/fusermount{,3} rCx -> fusermount, owner /tmp/tmp* rw, owner /tmp/#[0-9]* rw, @@ -45,7 +45,7 @@ profile jmtpfs @{exec_path} { # capability dac_read_search, - /{usr/,}bin/fusermount{,3} mr, + @{bin}/fusermount{,3} mr, mount fstype={fuse,fuse.jmtpfs} -> @{HOME}/*/, mount fstype={fuse,fuse.jmtpfs} -> @{HOME}/*/*/, diff --git a/apparmor.d/profiles-g-l/kanyremote b/apparmor.d/profiles-g-l/kanyremote index ea027dab..1e73b4a4 100644 --- a/apparmor.d/profiles-g-l/kanyremote +++ b/apparmor.d/profiles-g-l/kanyremote @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/kanyremote +@{exec_path} = @{bin}/kanyremote profile kanyremote @{exec_path} { include include 
@@ -27,34 +27,34 @@ profile kanyremote @{exec_path} { network inet6 stream, @{exec_path} r, - /{usr/,}bin/{,ba,da}sh rix, + @{bin}/{,ba,da}sh rix, - /{usr/,}bin/ r, - /{usr/,}bin/rm rix, - /{usr/,}bin/{,e}grep rix, - /{usr/,}bin/cut rix, - /{usr/,}bin/id rix, - /{usr/,}bin/which{,.debianutils} rix, - /{usr/,}bin/tr rix, - /{usr/,}bin/{m,g,}awk rix, - /{usr/,}bin/head rix, - /{usr/,}bin/find rix, + @{bin}/ r, + @{bin}/rm rix, + @{bin}/{,e}grep rix, + @{bin}/cut rix, + @{bin}/id rix, + @{bin}/which{,.debianutils} rix, + @{bin}/tr rix, + @{bin}/{m,g,}awk rix, + @{bin}/head rix, + @{bin}/find rix, - /{usr/,}bin/anyremote rPx, - /{usr/,}bin/ps rPx, + @{bin}/anyremote rPx, + @{bin}/ps rPx, - /{usr/,}bin/killall rCx -> killall, - /{usr/,}bin/pgrep rCx -> pgrep, + @{bin}/killall rCx -> killall, + @{bin}/pgrep rCx -> pgrep, - /{usr/,}bin/pacmd rPUx, - /{usr/,}bin/pactl rPUx, + @{bin}/pacmd rPUx, + @{bin}/pactl rPUx, # Players - /{usr/,}bin/smplayer rPUx, - /{usr/,}bin/amarok rPUx, - /{usr/,}bin/vlc rPUx, - /{usr/,}bin/mpv rPUx, - /{usr/,}bin/strawberry rPUx, + @{bin}/smplayer rPUx, + @{bin}/amarok rPUx, + @{bin}/vlc rPUx, + @{bin}/mpv rPUx, + @{bin}/strawberry rPUx, owner @{HOME}/ r, owner @{HOME}/.anyRemote/{,*} rw, @@ -91,7 +91,7 @@ profile kanyremote @{exec_path} { ptrace (read), - /{usr/,}bin/killall mr, + @{bin}/killall mr, # The /proc/ dir is needed to avoid the following error: # /proc: Permission denied @@ -104,7 +104,7 @@ profile kanyremote @{exec_path} { include include - /{usr/,}bin/pgrep mr, + @{bin}/pgrep mr, # The /proc/ dir and the cmdline file have to be radable to avoid pgrep segfault. @{PROC}/ r, diff --git a/apparmor.d/profiles-g-l/kcheckpass b/apparmor.d/profiles-g-l/kcheckpass index 1e858737..2cf744fd 100644 --- a/apparmor.d/profiles-g-l/kcheckpass +++ b/apparmor.d/profiles-g-l/kcheckpass 
@@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}lib/@{multiarch}/libexec/kcheckpass +@{exec_path} = @{lib}/@{multiarch}/libexec/kcheckpass profile kcheckpass @{exec_path} { include include @@ -17,7 +17,7 @@ profile kcheckpass @{exec_path} { @{exec_path} mr, - /{usr/,}{s,}bin/unix_chkpwd rPx, + @{bin}/unix_chkpwd rPx, # file_inherit owner @{HOME}/.xsession-errors w, diff --git a/apparmor.d/profiles-g-l/kconfig-hardened-check b/apparmor.d/profiles-g-l/kconfig-hardened-check index e6ba3661..356cf319 100644 --- a/apparmor.d/profiles-g-l/kconfig-hardened-check +++ b/apparmor.d/profiles-g-l/kconfig-hardened-check @@ -6,15 +6,15 @@ abi , include -@{exec_path} = /{usr/,}bin/kconfig-hardened-check +@{exec_path} = @{bin}/kconfig-hardened-check profile kconfig-hardened-check @{exec_path} { include include @{exec_path} r, - /{usr/,}bin/python3.[0-9]* r, + @{bin}/python3.[0-9]* r, - /{usr/,}bin/ r, + @{bin}/ r, # The usual kernel config locations diff --git a/apparmor.d/profiles-g-l/keepassxc b/apparmor.d/profiles-g-l/keepassxc index 34950835..a6c872ce 100644 --- a/apparmor.d/profiles-g-l/keepassxc +++ b/apparmor.d/profiles-g-l/keepassxc @@ -7,7 +7,7 @@ abi , include -@{exec_path} = /{usr/,}bin/keepassxc +@{exec_path} = @{bin}/keepassxc profile keepassxc @{exec_path} { include include @@ -39,9 +39,9 @@ profile keepassxc @{exec_path} { @{exec_path} mrix, # Allowed apps to open - /{usr/,}bin/geany rPUx, - /{usr/,}bin/xdg-open rCx -> child-open, - /{usr/,}lib/firefox/firefox rPx, + @{bin}/geany rPUx, + @{bin}/xdg-open rCx -> child-open, + @{lib}/firefox/firefox rPx, /usr/share/hwdata/pnp.ids r, /usr/share/keepassxc/{,**} r, diff --git a/apparmor.d/profiles-g-l/keepassxc-cli b/apparmor.d/profiles-g-l/keepassxc-cli index 555c6723..ccb58bce 100644 --- a/apparmor.d/profiles-g-l/keepassxc-cli +++ b/apparmor.d/profiles-g-l/keepassxc-cli 
@@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/keepassxc-cli +@{exec_path} = @{bin}/keepassxc-cli profile keepassxc-cli @{exec_path} { include diff --git a/apparmor.d/profiles-g-l/keepassxc-proxy b/apparmor.d/profiles-g-l/keepassxc-proxy index 5af7c132..721e658c 100644 --- a/apparmor.d/profiles-g-l/keepassxc-proxy +++ b/apparmor.d/profiles-g-l/keepassxc-proxy @@ -7,7 +7,7 @@ abi , include -@{exec_path} = /{usr/,}bin/keepassxc-proxy +@{exec_path} = @{bin}/keepassxc-proxy profile keepassxc-proxy @{exec_path} { include include diff --git a/apparmor.d/profiles-g-l/kernel-install b/apparmor.d/profiles-g-l/kernel-install index b1b61585..4520ca2d 100644 --- a/apparmor.d/profiles-g-l/kernel-install +++ b/apparmor.d/profiles-g-l/kernel-install @@ -6,28 +6,28 @@ abi , include -@{exec_path} = /{usr/,}bin/kernel-install +@{exec_path} = @{bin}/kernel-install profile kernel-install @{exec_path} { include include include @{exec_path} r, - /{usr/,}bin/{,ba,da}sh rix, + @{bin}/{,ba,da}sh rix, - /{usr/,}bin/mountpoint rix, - /{usr/,}bin/sort rix, - /{usr/,}bin/rm rix, - /{usr/,}bin/mkdir rix, - /{usr/,}bin/cp rix, - /{usr/,}bin/chown rix, - /{usr/,}bin/chmod rix, - /{usr/,}bin/basename rix, + @{bin}/mountpoint rix, + @{bin}/sort rix, + @{bin}/rm rix, + @{bin}/mkdir rix, + @{bin}/cp rix, + @{bin}/chown rix, + @{bin}/chmod rix, + @{bin}/basename rix, - /{usr/,}bin/kmod rCx -> kmod, + @{bin}/kmod rCx -> kmod, - /{usr/,}lib/kernel/install.d/ r, - /{usr/,}lib/kernel/install.d/[0-9][0-9]-*.install rix, + @{lib}/kernel/install.d/ r, + @{lib}/kernel/install.d/[0-9][0-9]-*.install rix, /etc/kernel/install.d/ r, /etc/kernel/install.d/*.install rix, @@ -41,10 +41,10 @@ profile kernel-install @{exec_path} { owner /boot/loader/entries/ rw, owner /boot/loader/entries/*.conf w, - /{usr/,}lib/modules/*/modules.* w, + @{lib}/modules/*/modules.* w, /etc/os-release r, - /{usr/,}lib/os-release r, + @{lib}/os-release r, /etc/kernel/tries r, 
@@ -58,7 +58,7 @@ profile kernel-install @{exec_path} { profile kmod flags=(complain) { include - /{usr/,}bin/kmod mr, + @{bin}/kmod mr, } diff --git a/apparmor.d/profiles-g-l/kerneloops b/apparmor.d/profiles-g-l/kerneloops index ddf480c8..b8dc7dd1 100644 --- a/apparmor.d/profiles-g-l/kerneloops +++ b/apparmor.d/profiles-g-l/kerneloops @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}{s,}bin/kerneloops +@{exec_path} = @{bin}/kerneloops profile kerneloops @{exec_path} { include include diff --git a/apparmor.d/profiles-g-l/kerneloops-applet b/apparmor.d/profiles-g-l/kerneloops-applet index 800e9732..52278e8e 100644 --- a/apparmor.d/profiles-g-l/kerneloops-applet +++ b/apparmor.d/profiles-g-l/kerneloops-applet @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/kerneloops-applet +@{exec_path} = @{bin}/kerneloops-applet profile kerneloops-applet @{exec_path} { include include diff --git a/apparmor.d/profiles-g-l/kexec b/apparmor.d/profiles-g-l/kexec index 5c3cb113..fbdec078 100644 --- a/apparmor.d/profiles-g-l/kexec +++ b/apparmor.d/profiles-g-l/kexec @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}{s,}bin/kexec +@{exec_path} = @{bin}/kexec profile kexec @{exec_path} flags=(complain) { include diff --git a/apparmor.d/profiles-g-l/kmod b/apparmor.d/profiles-g-l/kmod index d1974498..90be8c59 100644 --- a/apparmor.d/profiles-g-l/kmod +++ b/apparmor.d/profiles-g-l/kmod @@ -7,8 +7,8 @@ abi , include -@{exec_path} = /{usr/,}bin/{kmod,lsmod} -@{exec_path} += /{usr/,}{s,}bin/{depmod,insmod,lsmod,rmmod,modinfo,modprobe} +@{exec_path} = @{bin}/{kmod,lsmod} +@{exec_path} += @{bin}/{depmod,insmod,lsmod,rmmod,modinfo,modprobe} profile kmod @{exec_path} flags=(attach_disconnected) { include include 
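Review bot: In the kmod hunk the two `@{exec_path}` lines now both start with `@{bin}`, so the `+=` line only contributes the depmod/insmod/rmmod/modinfo/modprobe names and `lsmod` ends up listed twice. The split made sense while the first line was `bin`-only and the second covered `{s,}bin`, but after this change a single definition reads more clearly: `@{exec_path} = @{bin}/{kmod,lsmod,depmod,insmod,rmmod,modinfo,modprobe}`. The duplicate is harmless to the parser but suggests the two lines were not reconciled when the variable was introduced. The rule body of the kmod profile is in the following hunk.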
@@ -25,15 +25,15 @@ profile kmod @{exec_path} flags=(attach_disconnected) { @{exec_path} mrix, - /{usr/,}{s,}bin/sysctl rPx, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/basename rix, - /{usr/,}bin/false rix, - /{usr/,}bin/id rix, - /{usr/,}bin/true rix, + @{bin}/{,ba,da}sh rix, + @{bin}/basename rix, + @{bin}/false rix, + @{bin}/id rix, + @{bin}/sysctl rPx, + @{bin}/true rix, - /{usr/,}lib/modprobe.d/{,*.conf} r, - /{usr/,}lib/modules/*/modules.* rw, + @{lib}/modprobe.d/{,*.conf} r, + @{lib}/modules/*/modules.* rw, /etc/depmod.d/{,**} r, /etc/modprobe.d/{,*.conf} r, diff --git a/apparmor.d/profiles-g-l/kodi b/apparmor.d/profiles-g-l/kodi index e0f54cd5..00c63206 100644 --- a/apparmor.d/profiles-g-l/kodi +++ b/apparmor.d/profiles-g-l/kodi @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/kodi /{usr/,}lib/@{multiarch}/kodi/kodi.bin +@{exec_path} = @{bin}/kodi @{lib}/@{multiarch}/kodi/kodi.bin profile kodi @{exec_path} { include include @@ -20,22 +20,22 @@ profile kodi @{exec_path} { @{exec_path} mr, - /{usr/,}lib/@{multiarch}/kodi/kodi.bin mrix, - /{usr/,}lib/@{multiarch}/kodi/kodi-xrandr rPx, + @{lib}/@{multiarch}/kodi/kodi.bin mrix, + @{lib}/@{multiarch}/kodi/kodi-xrandr rPx, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/mv rix, - /{usr/,}bin/find rix, - /{usr/,}bin/date rix, - /{usr/,}bin/uname rix, - /{usr/,}bin/basename rix, - /{usr/,}bin/cat rix, - /{usr/,}bin/cut rix, - /{usr/,}bin/dirname rix, - /{usr/,}{s,}bin/ldconfig rix, + @{bin}/{,ba,da}sh rix, + @{bin}/basename rix, + @{bin}/cat rix, + @{bin}/cut rix, + @{bin}/date rix, + @{bin}/dirname rix, + @{bin}/find rix, + @{bin}/ldconfig rix, + @{bin}/mv rix, + @{bin}/uname rix, - /{usr/,}bin/lsb_release rPx -> lsb_release, - /{usr/,}bin/df rCx -> df, + @{bin}/lsb_release rPx -> lsb_release, + @{bin}/df rCx -> df, /usr/share/kodi/{,**} r, @@ -77,7 +77,7 @@ profile kodi @{exec_path} { profile df { include - /{usr/,}bin/df mr, + @{bin}/df mr, owner @{PROC}/@{pid}/mountinfo r, 
diff --git a/apparmor.d/profiles-g-l/kodi-xrandr b/apparmor.d/profiles-g-l/kodi-xrandr index 3ad826a6..f092418d 100644 --- a/apparmor.d/profiles-g-l/kodi-xrandr +++ b/apparmor.d/profiles-g-l/kodi-xrandr @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}lib/@{multiarch}/kodi/kodi-xrandr +@{exec_path} = @{lib}/@{multiarch}/kodi/kodi-xrandr profile kodi-xrandr @{exec_path} { include diff --git a/apparmor.d/profiles-g-l/kvm-ok b/apparmor.d/profiles-g-l/kvm-ok index 2ebb8b08..a4490bb3 100644 --- a/apparmor.d/profiles-g-l/kvm-ok +++ b/apparmor.d/profiles-g-l/kvm-ok @@ -6,20 +6,20 @@ abi , include -@{exec_path} = /{usr/,}{s,}bin/kvm-ok +@{exec_path} = @{bin}/kvm-ok profile kvm-ok @{exec_path} { include @{exec_path} r, - /{usr/,}bin/{,ba,da}sh rix, + @{bin}/{,ba,da}sh rix, - /{usr/,}bin/uname rix, - /{usr/,}bin/{,e}grep rix, - /{usr/,}bin/id rix, + @{bin}/uname rix, + @{bin}/{,e}grep rix, + @{bin}/id rix, - /{usr/,}bin/kmod rCx -> kmod, + @{bin}/kmod rCx -> kmod, - /{usr/,}{s,}bin/rdmsr rPx, + @{bin}/rdmsr rPx, #/proc/cpuinfo r, #/dev/kvm r, @@ -32,12 +32,12 @@ profile kvm-ok @{exec_path} { profile kmod { include - /{usr/,}bin/kmod mr, + @{bin}/kmod mr, /etc/modprobe.d/ r, /etc/modprobe.d/*.conf r, - /{usr/,}lib/modprobe.d/ r, - /{usr/,}lib/modprobe.d/*.conf r, + @{lib}/modprobe.d/ r, + @{lib}/modprobe.d/*.conf r, @{PROC}/cmdline r, diff --git a/apparmor.d/profiles-g-l/labwc b/apparmor.d/profiles-g-l/labwc index 5bf184a4..8c62faac 100644 --- a/apparmor.d/profiles-g-l/labwc +++ b/apparmor.d/profiles-g-l/labwc @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/labwc +@{exec_path} = @{bin}/labwc profile labwc @{exec_path} flags=(attach_disconnected) { include include @@ -26,9 +26,8 @@ profile labwc @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, # Apps allowed to run - /{usr/,}{s,}bin/* rPUx, - /{usr/,}bin/* rPUx, - @{libexec}/* rPUx, + @{bin}/* rPUx, + @{lib}/* rPUx, /usr/share/libinput/ r, /usr/share/libinput/*.quirks r, 
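Review bot: `@{lib}/* rPUx` in the labwc hunk is a wider grant than the `@{libexec}/* rPUx` it replaces, assuming `@{lib}` expands to the top-level `lib`/`lib64` directories rather than only `libexec` (the variable's definition is not in this diff). Under that expansion anything directly under `/usr/lib` and its siblings becomes executable from the compositor, falling back to unconfined when no profile matches, whereas the old rule was limited to the `libexec` helper directory. If the intent is still just to reach `libexec` helpers, keeping `@{libexec}/* rPUx` preserves the narrower scope; the same `@{libexec}` → `@{lib}` substitution appears in the lightdm and lightdm-gtk-greeter hunks, but there it is bound to the single `at-spi-bus-launcher` path and does not widen in the same way. The merged `@{bin}/* rPUx` line is equivalent to the two `bin`/`sbin` wildcards it replaces only if `@{bin}` covers both, which is likewise not visible here.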
diff --git a/apparmor.d/profiles-g-l/landscape-sysinfo b/apparmor.d/profiles-g-l/landscape-sysinfo index 1d3da425..30d944c3 100644 --- a/apparmor.d/profiles-g-l/landscape-sysinfo +++ b/apparmor.d/profiles-g-l/landscape-sysinfo @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/landscape-sysinfo +@{exec_path} = @{bin}/landscape-sysinfo profile landscape-sysinfo @{exec_path} { include include @@ -25,7 +25,7 @@ profile landscape-sysinfo @{exec_path} { @{exec_path} mr, - /{usr/,}bin/who rix, + @{bin}/who rix, /var/log/landscape/{,**} rw, diff --git a/apparmor.d/profiles-g-l/landscape-sysinfo.wrapper b/apparmor.d/profiles-g-l/landscape-sysinfo.wrapper index 4d185c37..34615593 100644 --- a/apparmor.d/profiles-g-l/landscape-sysinfo.wrapper +++ b/apparmor.d/profiles-g-l/landscape-sysinfo.wrapper @@ -12,14 +12,14 @@ profile landscape-sysinfo.wrapper @{exec_path} { @{exec_path} mr, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/bc rix, - /{usr/,}bin/cat rix, - /{usr/,}bin/cut rix, - /{usr/,}bin/date rix, - /{usr/,}bin/find rix, - /{usr/,}bin/grep rix, - /{usr/,}bin/landscape-sysinfo rPx, + @{bin}/{,ba,da}sh rix, + @{bin}/bc rix, + @{bin}/cat rix, + @{bin}/cut rix, + @{bin}/date rix, + @{bin}/find rix, + @{bin}/grep rix, + @{bin}/landscape-sysinfo rPx, / r, /etc/default/locale r, diff --git a/apparmor.d/profiles-g-l/language-validate b/apparmor.d/profiles-g-l/language-validate index 1737430b..27d0ebb1 100644 --- a/apparmor.d/profiles-g-l/language-validate +++ b/apparmor.d/profiles-g-l/language-validate @@ -14,9 +14,9 @@ profile language-validate @{exec_path} { @{exec_path} mrix, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/grep rix, - /{usr/,}bin/locale rix, + @{bin}/{,ba,da}sh rix, + @{bin}/grep rix, + @{bin}/locale rix, /usr/share/locale-langpack/{,*} r, /usr/share/language-tools/{,*} r, diff --git a/apparmor.d/profiles-g-l/last b/apparmor.d/profiles-g-l/last index 3ddb573b..496d2819 100644 --- a/apparmor.d/profiles-g-l/last +++ b/apparmor.d/profiles-g-l/last 
@@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/last{,b} +@{exec_path} = @{bin}/last{,b} profile last @{exec_path} { include include diff --git a/apparmor.d/profiles-g-l/lastlog b/apparmor.d/profiles-g-l/lastlog index 3bfc4a63..7bd3ba06 100644 --- a/apparmor.d/profiles-g-l/lastlog +++ b/apparmor.d/profiles-g-l/lastlog @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/lastlog +@{exec_path} = @{bin}/lastlog profile lastlog @{exec_path} { include include diff --git a/apparmor.d/profiles-g-l/light b/apparmor.d/profiles-g-l/light index 479e817b..e4a462f7 100644 --- a/apparmor.d/profiles-g-l/light +++ b/apparmor.d/profiles-g-l/light @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/light +@{exec_path} = @{bin}/light profile light @{exec_path} { include diff --git a/apparmor.d/profiles-g-l/light-locker b/apparmor.d/profiles-g-l/light-locker index 10659736..16eac48d 100644 --- a/apparmor.d/profiles-g-l/light-locker +++ b/apparmor.d/profiles-g-l/light-locker @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/light-locker +@{exec_path} = @{bin}/light-locker profile light-locker @{exec_path} { include include diff --git a/apparmor.d/profiles-g-l/light-locker-command b/apparmor.d/profiles-g-l/light-locker-command index a0fcba19..e44a79f4 100644 --- a/apparmor.d/profiles-g-l/light-locker-command +++ b/apparmor.d/profiles-g-l/light-locker-command @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/light-locker-command +@{exec_path} = @{bin}/light-locker-command profile light-locker-command @{exec_path} { include diff --git a/apparmor.d/profiles-g-l/lightdm b/apparmor.d/profiles-g-l/lightdm index 104e87fc..12b0778a 100644 --- a/apparmor.d/profiles-g-l/lightdm +++ b/apparmor.d/profiles-g-l/lightdm @@ -7,7 +7,7 @@ abi , include -@{exec_path} = /{usr/,}{s,}bin/lightdm +@{exec_path} = @{bin}/lightdm profile lightdm @{exec_path} { include include 
@@ -64,16 +64,16 @@ profile lightdm @{exec_path} { @{exec_path} mrix, - /{usr/,}bin/plymouth mrix, + @{bin}/plymouth mrix, - /{usr/,}bin/Xorg rPx, - /{usr/,}{s,}bin/lightdm-gtk-greeter rPx, - /{usr/,}bin/startx rPx, + @{bin}/lightdm-gtk-greeter rPx, + @{bin}/startx rPx, + @{bin}/Xorg rPx, /etc/X11/Xsession rPUx, - /{usr/,}bin/gnome-keyring-daemon rPUx, + @{bin}/gnome-keyring-daemon rPUx, - /{usr/,}bin/rm rix, + @{bin}/rm rix, # LightDM files /usr/share/lightdm/{,**} r, @@ -116,7 +116,7 @@ profile lightdm @{exec_path} { owner @{HOME}/.dmrc* rw, /var/cache/lightdm/dmrc/*.dmrc* rw, - @{libexec}/{,at-spi2{,-core}/}at-spi-bus-launcher rPx, + @{lib}/{,at-spi2{,-core}/}at-spi-bus-launcher rPx, include if exists } diff --git a/apparmor.d/profiles-g-l/lightdm-gtk-greeter b/apparmor.d/profiles-g-l/lightdm-gtk-greeter index 7625a558..0ec35e27 100644 --- a/apparmor.d/profiles-g-l/lightdm-gtk-greeter +++ b/apparmor.d/profiles-g-l/lightdm-gtk-greeter @@ -7,7 +7,7 @@ abi , include -@{exec_path} = /{usr/,}{s,}bin/lightdm-gtk-greeter +@{exec_path} = @{bin}/lightdm-gtk-greeter profile lightdm-gtk-greeter @{exec_path} { include include @@ -21,9 +21,9 @@ profile lightdm-gtk-greeter @{exec_path} { @{exec_path} mr, - /{usr/,}bin/locale rix, + @{bin}/locale rix, - /{usr/,}lib/systemd/systemd rCx -> systemd, + @{lib}/systemd/systemd rCx -> systemd, # LightDM files /usr/share/lightdm/{,**} r, @@ -51,12 +51,12 @@ profile lightdm-gtk-greeter @{exec_path} { @{HOME}/.dmrc r, @{HOME}/.face r, - @{libexec}/{,at-spi2{,-core}/}at-spi-bus-launcher rPx, + @{lib}/{,at-spi2{,-core}/}at-spi-bus-launcher rPx, profile systemd { include - /{usr/,}lib/systemd/systemd mr, + @{lib}/systemd/systemd mr, /etc/systemd/user.conf r, diff --git a/apparmor.d/profiles-g-l/lightworks b/apparmor.d/profiles-g-l/lightworks index d27a3287..4d26751d 100644 --- a/apparmor.d/profiles-g-l/lightworks +++ b/apparmor.d/profiles-g-l/lightworks 
@@ -6,18 +6,18 @@ abi , include -@{exec_path} = /{usr/,}bin/lightworks +@{exec_path} = @{bin}/lightworks profile lightworks @{exec_path} { include @{exec_path} r, - /{usr/,}bin/{,ba,da}sh rix, + @{bin}/{,ba,da}sh rix, - /{usr/,}lib/lightworks/ntcardvt rPx, + @{lib}/lightworks/ntcardvt rPx, - /{usr/,}bin/mkdir rix, - /{usr/,}bin/cat rix, - /{usr/,}bin/od rix, + @{bin}/mkdir rix, + @{bin}/cat rix, + @{bin}/od rix, owner @{HOME}/Lightworks/{,**/} w, owner @{HOME}/Lightworks/Projects/DefNetDrive.txt w, diff --git a/apparmor.d/profiles-g-l/lightworks-ntcardvt b/apparmor.d/profiles-g-l/lightworks-ntcardvt index b5077ef4..59857e23 100644 --- a/apparmor.d/profiles-g-l/lightworks-ntcardvt +++ b/apparmor.d/profiles-g-l/lightworks-ntcardvt @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}lib/lightworks/ntcardvt +@{exec_path} = @{lib}/lightworks/ntcardvt profile lightworks-ntcardvt @{exec_path} { include diff --git a/apparmor.d/profiles-g-l/linssid b/apparmor.d/profiles-g-l/linssid index 507e9c9f..3291d6c6 100644 --- a/apparmor.d/profiles-g-l/linssid +++ b/apparmor.d/profiles-g-l/linssid @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}{s,}bin/linssid /{usr/,}bin/linssid-pkexec +@{exec_path} = @{bin}/linssid @{bin}/linssid-pkexec profile linssid @{exec_path} { include include @@ -28,8 +28,8 @@ profile linssid @{exec_path} { @{exec_path} mr, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/cat rix, + @{bin}/{,ba,da}sh rix, + @{bin}/cat rix, # When linssid is run as root, it wants to exec dbus-launch, and hence it creates the two # following root processes: 
@@ -37,13 +37,13 @@ profile linssid @{exec_path} { # /usr/bin/dbus-daemon --syslog-only --fork --print-pid 5 --print-address 7 --session # # Should this be allowed? Linssid works fine without this. - #/{usr/,}bin/dbus-launch rCx -> dbus, - #/{usr/,}bin/dbus-send rCx -> dbus, - deny /{usr/,}bin/dbus-launch rx, - deny /{usr/,}bin/dbus-send rx, + #@{bin}/dbus-launch rCx -> dbus, + #@{bin}/dbus-send rCx -> dbus, + deny @{bin}/dbus-launch rx, + deny @{bin}/dbus-send rx, - /{usr/,}{s,}bin/iw rCx -> iw, - /{usr/,}bin/pkexec rPx, + @{bin}/iw rCx -> iw, + @{bin}/pkexec rPx, # For regular run as root user owner @{HOME}/.linssid.prefs rw, @@ -84,7 +84,7 @@ profile linssid @{exec_path} { network netlink raw, - /{usr/,}{s,}bin/iw mr, + @{bin}/iw mr, # file_inherit owner @{HOME}/.linssid.prefs rw, @@ -98,9 +98,9 @@ profile linssid @{exec_path} { include include - /{usr/,}bin/dbus-launch mr, - /{usr/,}bin/dbus-send mr, - /{usr/,}bin/dbus-daemon rPUx, + @{bin}/dbus-launch mr, + @{bin}/dbus-send mr, + @{bin}/dbus-daemon rPUx, # for dbus-launch owner @{HOME}/.dbus/session-bus/@{hex}-[0-9] w, diff --git a/apparmor.d/profiles-g-l/linux-check-removal b/apparmor.d/profiles-g-l/linux-check-removal index ddbcd694..1f93f427 100644 --- a/apparmor.d/profiles-g-l/linux-check-removal +++ b/apparmor.d/profiles-g-l/linux-check-removal @@ -6,14 +6,14 @@ abi , include -@{exec_path} = /{usr/,}bin/linux-check-removal +@{exec_path} = @{bin}/linux-check-removal profile linux-check-removal @{exec_path} flags=(complain) { include include include @{exec_path} r, - /{usr/,}bin/perl r, + @{bin}/perl r, # Think what to do about this (#FIXME#) /usr/share/debconf/frontend rPx, 
@@ -27,16 +27,16 @@ profile linux-check-removal @{exec_path} flags=(complain) { include /usr/share/debconf/frontend r, - /{usr/,}bin/perl r, + @{bin}/perl r, - /{usr/,}bin/linux-check-removal rPx, + @{bin}/linux-check-removal rPx, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/stty rix, - /{usr/,}bin/locale rix, + @{bin}/{,ba,da}sh rix, + @{bin}/stty rix, + @{bin}/locale rix, # The following is needed when debconf uses dialog/whiptail frontend. - /{usr/,}bin/whiptail rPx, + @{bin}/whiptail rPx, owner /tmp/file* w, /usr/share/debconf/confmodule r, diff --git a/apparmor.d/profiles-g-l/linux-version b/apparmor.d/profiles-g-l/linux-version index 93b354d9..fbe2dea7 100644 --- a/apparmor.d/profiles-g-l/linux-version +++ b/apparmor.d/profiles-g-l/linux-version @@ -6,14 +6,14 @@ abi , include -@{exec_path} = /{usr/,}bin/linux-version +@{exec_path} = @{bin}/linux-version profile linux-version @{exec_path} { include include include @{exec_path} r, - /{usr/,}bin/perl r, + @{bin}/perl r, /boot/ r, diff --git a/apparmor.d/profiles-g-l/locale-gen b/apparmor.d/profiles-g-l/locale-gen index bcd0cade..7d816e54 100644 --- a/apparmor.d/profiles-g-l/locale-gen +++ b/apparmor.d/profiles-g-l/locale-gen @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/locale-gen +@{exec_path} = @{bin}/locale-gen profile locale-gen @{exec_path} { include include @@ -15,14 +15,14 @@ profile locale-gen @{exec_path} { @{exec_path} mr, - /{usr/,}bin/{,ba}sh rix, - /{usr/,}bin/gzip rix, - /{usr/,}bin/localedef rix, - /{usr/,}bin/rm rix, - /{usr/,}bin/sed rix, + @{bin}/{,ba}sh rix, + @{bin}/gzip rix, + @{bin}/localedef rix, + @{bin}/rm rix, + @{bin}/sed rix, - /{usr/,}lib/locale/locale-archive rwl, - /{usr/,}lib/locale/locale-archive* rw, + @{lib}/locale/locale-archive rwl, + @{lib}/locale/locale-archive* rw, /usr/share/i18n/{,**} r, diff --git a/apparmor.d/profiles-g-l/localepurge b/apparmor.d/profiles-g-l/localepurge index 8e3b54c4..c4eee28c 100644 --- a/apparmor.d/profiles-g-l/localepurge 
+++ b/apparmor.d/profiles-g-l/localepurge @@ -6,30 +6,30 @@ abi , include -@{exec_path} = /{usr/,}{s,}bin/localepurge +@{exec_path} = @{bin}/localepurge profile localepurge @{exec_path} { include include @{exec_path} r, - /{usr/,}bin/{,ba,da}sh rix, + @{bin}/{,ba,da}sh rix, - /{usr/,}bin/fgrep rix, - /{usr/,}bin/chmod rix, - /{usr/,}bin/mkdir rix, - /{usr/,}bin/touch rix, - /{usr/,}bin/ls rix, - /{usr/,}bin/{,e}grep rix, - /{usr/,}bin/sort rix, - /{usr/,}bin/mv rix, - /{usr/,}bin/rm rix, - /{usr/,}bin/tr rix, - /{usr/,}bin/du rix, - /{usr/,}bin/xargs rix, - /{usr/,}bin/basename rix, - /{usr/,}bin/find rix, + @{bin}/fgrep rix, + @{bin}/chmod rix, + @{bin}/mkdir rix, + @{bin}/touch rix, + @{bin}/ls rix, + @{bin}/{,e}grep rix, + @{bin}/sort rix, + @{bin}/mv rix, + @{bin}/rm rix, + @{bin}/tr rix, + @{bin}/du rix, + @{bin}/xargs rix, + @{bin}/basename rix, + @{bin}/find rix, - /{usr/,}bin/df rPx, + @{bin}/df rPx, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/profiles-g-l/login b/apparmor.d/profiles-g-l/login index 692b610f..bec1cf74 100644 --- a/apparmor.d/profiles-g-l/login +++ b/apparmor.d/profiles-g-l/login @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/login +@{exec_path} = @{bin}/login profile login @{exec_path} flags=(attach_disconnected) { include include @@ -40,7 +40,7 @@ profile login @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - /{usr/,}bin/{,z,ba,da}sh rUx, + @{bin}/{,z,ba,da}sh rUx, @{etc_ro}/environment r, @{etc_ro}/security/limits.d/{,*} r, diff --git a/apparmor.d/profiles-g-l/logrotate b/apparmor.d/profiles-g-l/logrotate index 8af7cc18..cb5542cb 100644 --- a/apparmor.d/profiles-g-l/logrotate +++ b/apparmor.d/profiles-g-l/logrotate @@ -7,7 +7,7 @@ abi , include -@{exec_path} = /{usr/,}{s,}bin/logrotate +@{exec_path} = @{bin}/logrotate profile logrotate @{exec_path} flags=(attach_disconnected) { include include 
@@ -28,34 +28,34 @@ profile logrotate @{exec_path} flags=(attach_disconnected) {
 @{exec_path} mr,
- /{usr/,}{s,}bin/ r,
+ @{bin}/ r,
- /{usr/,}{s,}bin/invoke-rc.d rix,
- /{usr/,}bin/{,ba,da}sh rix,
- /{usr/,}bin/cat rix,
- /{usr/,}bin/grep rix,
- /{usr/,}bin/gzip rix,
- /{usr/,}bin/kill rix,
- /{usr/,}bin/ls rix,
- /{usr/,}bin/shred rix,
- /{usr/,}bin/xz rix,
- /{usr/,}bin/zstd rix,
- /{usr/,}lib/rsyslog/rsyslog-rotate rix,
+ @{bin}/{,ba,da}sh rix,
+ @{bin}/cat rix,
+ @{bin}/grep rix,
+ @{bin}/gzip rix,
+ @{bin}/invoke-rc.d rix,
+ @{bin}/kill rix,
+ @{bin}/ls rix,
+ @{bin}/shred rix,
+ @{bin}/xz rix,
+ @{bin}/zstd rix,
+ @{lib}/rsyslog/rsyslog-rotate rix,
- /{usr/,}bin/fail2ban-client rPx,
- /{usr/,}bin/my_print_defaults rPUx,
- /{usr/,}bin/mysqladmin rPUx,
- /{usr/,}bin/systemd-tty-ask-password-agent rPx,
- /{usr/,}lib/php/php[7-8].[3-4]-fpm-reopenlogs rPUx,
+ @{bin}/fail2ban-client rPx,
+ @{bin}/my_print_defaults rPUx,
+ @{bin}/mysqladmin rPUx,
+ @{bin}/systemd-tty-ask-password-agent rPx,
+ @{lib}/php/php[7-8].[3-4]-fpm-reopenlogs rPUx,
 /etc/init.d/nginx rPUx,
- /{usr/,}{s,}bin/squid rPUx,
+ @{bin}/squid rPUx,
- /{usr/,}bin/pgrep rCx -> pgrep,
+ @{bin}/pgrep rCx -> pgrep,
 # no new privs
- #/{usr/,}bin/systemctl rCx -> systemctl,
- /{usr/,}bin/systemctl rix,
- /{usr/,}{s,}bin/runlevel rix,
+ #@{bin}/systemctl rCx -> systemctl,
+ @{bin}/systemctl rix,
+ @{bin}/runlevel rix,
 include
 ptrace (read),
 capability sys_ptrace,
@@ -90,7 +90,7 @@ profile logrotate @{exec_path} flags=(attach_disconnected) {
 capability sys_ptrace,
 ptrace (read),
- /{usr/,}bin/systemctl mr,
+ @{bin}/systemctl mr,
 owner @{PROC}/@{pid}/stat r,
 @{PROC}/1/environ r,
@@ -106,7 +106,7 @@ profile logrotate @{exec_path} flags=(attach_disconnected) {
 profile pgrep {
 include
- /{usr/,}bin/pgrep mr,
+ @{bin}/pgrep mr,
 # The /proc/ dir and the cmdline file have to be radable to avoid pgrep segfault.
 @{PROC}/ r,
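Review bot: Collapsing both `/{usr/,}{s,}bin/` and `/{usr/,}bin/` into the single `@{bin}/` in this hunk means every rule that was `bin`-only before (`@{bin}/{,ba,da}sh rix,`, `@{bin}/systemctl rix,`, `@{bin}/pgrep rCx -> pgrep,`) now also matches the `sbin` variant, since `@{bin}/invoke-rc.d rix,`, `@{bin}/squid rPUx,` and `@{bin}/runlevel rix,` only keep their old coverage if `@{bin}` expands to both directories. That widening is presumably harmless for these tools, but it is silent, it applies equally to the other profiles in this diff (linux-check-removal, localepurge, login, lsinitramfs, lvmpolld, lxappearance, lynx), and the same question applies to `@{lib}/php/php[7-8].[3-4]-fpm-reopenlogs rPUx,` if `@{lib}` is defined with a similarly broad expansion. Since the inline `rix` transitions inherit logrotate's `capability sys_ptrace` and `attach_disconnected`, a one-line comment above the list such as `# @{bin} also covers sbin; the rix transitions below run with logrotate's full privileges` would make the new scope explicit for the next reader. The reordering that moves `invoke-rc.d` into alphabetical position is fine.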
diff --git a/apparmor.d/profiles-g-l/losetup b/apparmor.d/profiles-g-l/losetup
index b15d2f0e..422e0156 100644
--- a/apparmor.d/profiles-g-l/losetup
+++ b/apparmor.d/profiles-g-l/losetup
@@ -6,7 +6,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}bin/losetup
+@{exec_path} = @{bin}/losetup
 profile losetup @{exec_path} {
 include
diff --git a/apparmor.d/profiles-g-l/lsblk b/apparmor.d/profiles-g-l/lsblk
index 675b2994..c7d6701b 100644
--- a/apparmor.d/profiles-g-l/lsblk
+++ b/apparmor.d/profiles-g-l/lsblk
@@ -7,7 +7,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}bin/lsblk
+@{exec_path} = @{bin}/lsblk
 profile lsblk @{exec_path} {
 include
 include
diff --git a/apparmor.d/profiles-g-l/lscpu b/apparmor.d/profiles-g-l/lscpu
index 16dee098..36e6dfd4 100644
--- a/apparmor.d/profiles-g-l/lscpu
+++ b/apparmor.d/profiles-g-l/lscpu
@@ -6,7 +6,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}bin/lscpu
+@{exec_path} = @{bin}/lscpu
 profile lscpu @{exec_path} {
 include
 include
diff --git a/apparmor.d/profiles-g-l/lsinitramfs b/apparmor.d/profiles-g-l/lsinitramfs
index cdee7671..124fc0ee 100644
--- a/apparmor.d/profiles-g-l/lsinitramfs
+++ b/apparmor.d/profiles-g-l/lsinitramfs
@@ -6,17 +6,17 @@ abi ,
 include
-@{exec_path} = /{usr/,}bin/lsinitramfs
+@{exec_path} = @{bin}/lsinitramfs
 profile lsinitramfs @{exec_path} {
 include
 @{exec_path} r,
- /{usr/,}bin/{,ba,da}sh rix,
+ @{bin}/{,ba,da}sh rix,
- /{usr/,}bin/cat rix,
- /{usr/,}bin/getopt rix,
+ @{bin}/cat rix,
+ @{bin}/getopt rix,
- /{usr/,}bin/unmkinitramfs rPx,
+ @{bin}/unmkinitramfs rPx,
 include if exists
 }
diff --git a/apparmor.d/profiles-g-l/lspci b/apparmor.d/profiles-g-l/lspci
index 3b7d235d..2f28c61d 100644
--- a/apparmor.d/profiles-g-l/lspci
+++ b/apparmor.d/profiles-g-l/lspci
@@ -7,7 +7,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}bin/lspci
+@{exec_path} = @{bin}/lspci
 profile lspci @{exec_path} flags=(attach_disconnected) {
 include
 include
diff --git a/apparmor.d/profiles-g-l/lsusb b/apparmor.d/profiles-g-l/lsusb
index ec7c052d..382d060d 100644
--- a/apparmor.d/profiles-g-l/lsusb
+++ b/apparmor.d/profiles-g-l/lsusb
@@ -6,7 +6,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}bin/lsusb
+@{exec_path} = @{bin}/lsusb
 profile lsusb @{exec_path} {
 include
 include
diff --git a/apparmor.d/profiles-g-l/lvm b/apparmor.d/profiles-g-l/lvm
index 0efafd25..58b4d5ba 100644
--- a/apparmor.d/profiles-g-l/lvm
+++ b/apparmor.d/profiles-g-l/lvm
@@ -6,7 +6,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}{s,}bin/lvm
+@{exec_path} = @{bin}/lvm
 profile lvm @{exec_path} {
 include
 include
diff --git a/apparmor.d/profiles-g-l/lvmconfig b/apparmor.d/profiles-g-l/lvmconfig
index 6511c3de..2423886e 100644
--- a/apparmor.d/profiles-g-l/lvmconfig
+++ b/apparmor.d/profiles-g-l/lvmconfig
@@ -6,7 +6,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}{s,}bin/lvmconfig
+@{exec_path} = @{bin}/lvmconfig
 profile lvmconfig @{exec_path} {
 include
 include
diff --git a/apparmor.d/profiles-g-l/lvmdump b/apparmor.d/profiles-g-l/lvmdump
index 4b975b06..1d97ecf7 100644
--- a/apparmor.d/profiles-g-l/lvmdump
+++ b/apparmor.d/profiles-g-l/lvmdump
@@ -6,7 +6,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}{s,}bin/lvmdump
+@{exec_path} = @{bin}/lvmdump
 profile lvmdump @{exec_path} {
 include
 include
diff --git a/apparmor.d/profiles-g-l/lvmpolld b/apparmor.d/profiles-g-l/lvmpolld
index ea2c8d08..7c5852d6 100644
--- a/apparmor.d/profiles-g-l/lvmpolld
+++ b/apparmor.d/profiles-g-l/lvmpolld
@@ -6,15 +6,15 @@ abi ,
 include
-@{exec_path} = /{usr/,}{s,}bin/lvmpolld
+@{exec_path} = @{bin}/lvmpolld
 profile lvmpolld @{exec_path} {
 include
 include
 include
 @{exec_path} rm,
- /{usr/,}bin/grep rix,
- /{usr/,}bin/umount rPx,
+ @{bin}/grep rix,
+ @{bin}/umount rPx,
 @{run}/lvmpolld.pid rwk,
diff --git a/apparmor.d/profiles-g-l/lxappearance b/apparmor.d/profiles-g-l/lxappearance
index 1f8dd52e..fc083377 100644
--- a/apparmor.d/profiles-g-l/lxappearance
+++ b/apparmor.d/profiles-g-l/lxappearance
@@ -6,7 +6,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}bin/lxappearance
+@{exec_path} = @{bin}/lxappearance
 profile lxappearance @{exec_path} {
 include
 include
@@ -22,10 +22,10 @@ profile lxappearance @{exec_path} {
 # /usr/bin/dbus-daemon --syslog-only --fork --print-pid 5 --print-address 7 --session
 #
 # Should this be allowed? Lxappearance works fine without this.
- #/{usr/,}bin/dbus-launch rCx -> dbus,
- #/{usr/,}bin/dbus-send rCx -> dbus,
- deny /{usr/,}bin/dbus-launch rx,
- deny /{usr/,}bin/dbus-send rx,
+ #@{bin}/dbus-launch rCx -> dbus,
+ #@{bin}/dbus-send rCx -> dbus,
+ deny @{bin}/dbus-launch rx,
+ deny @{bin}/dbus-send rx,
 /usr/share/lxappearance/{,**} r,
@@ -54,9 +54,9 @@ profile lxappearance @{exec_path} {
 include
 include
- /{usr/,}bin/dbus-launch mr,
- /{usr/,}bin/dbus-send mr,
- /{usr/,}bin/dbus-daemon rPUx,
+ @{bin}/dbus-launch mr,
+ @{bin}/dbus-send mr,
+ @{bin}/dbus-daemon rPUx,
 # for dbus-launch
 owner @{HOME}/.dbus/session-bus/@{hex}-[0-9] w,
diff --git a/apparmor.d/profiles-g-l/lynx b/apparmor.d/profiles-g-l/lynx
index 1a8ef8e8..1100a8e2 100644
--- a/apparmor.d/profiles-g-l/lynx
+++ b/apparmor.d/profiles-g-l/lynx
@@ -6,7 +6,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}bin/lynx
+@{exec_path} = @{bin}/lynx
 profile lynx @{exec_path} {
 include
 include
@@ -27,7 +27,7 @@ profile lynx @{exec_path} {
 /etc/mime.types r,
- /{usr/,}bin/{,ba,da}sh rix,
+ @{bin}/{,ba,da}sh rix,
 /etc/mailcap r,
 owner /tmp/lynxXXXX*/ rw,