diff --git a/apparmor.d/groups/apt/debsign b/apparmor.d/groups/apt/debsign index 9471d738..922406c2 100644 --- a/apparmor.d/groups/apt/debsign +++ b/apparmor.d/groups/apt/debsign @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2019-2021 Mikhail Morfikov +# Copyright (C) 2023 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -11,40 +12,38 @@ profile debsign @{exec_path} { include @{exec_path} r, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/mktemp rix, - /{usr/,}bin/basename rix, + /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/{,e}grep rix, - /{usr/,}bin/mv rix, + /{usr/,}bin/basename rix, /{usr/,}bin/cat rix, + /{usr/,}bin/cmp rix, /{usr/,}bin/cp rix, - /{usr/,}bin/rm rix, - /{usr/,}bin/head rix, /{usr/,}bin/cu rix, /{usr/,}bin/cut rix, - /{usr/,}bin/stty rix, - /{usr/,}bin/sed rix, - /{usr/,}bin/getopt rix, /{usr/,}bin/dirname rix, - /{usr/,}bin/cmp rix, - + /{usr/,}bin/getopt rix, + /{usr/,}bin/head rix, /{usr/,}bin/md5sum rix, - /{usr/,}bin/sha{1,256,512}sum rix, - + /{usr/,}bin/mktemp rix, + /{usr/,}bin/mv rix, /{usr/,}bin/perl rix, + /{usr/,}bin/rm rix, + /{usr/,}bin/sed rix, + /{usr/,}bin/sha{1,256,512}sum rix, + /{usr/,}bin/stty rix, + /{usr/,}bin/gpg{,2} rCx -> gpg, + /etc/devscripts.conf r, + owner @{HOME}/.devscripts r, - # For package building owner @{user_build_dirs}/** rwkl -> @{user_build_dirs}/**, owner /tmp/debsign.*/ rw, owner /tmp/debsign.*/*.{dsc,changes,buildinfo}{,.asc} rw, - - /{usr/,}bin/gpg rCx -> gpg, profile gpg { include diff --git a/apparmor.d/groups/apt/reportbug b/apparmor.d/groups/apt/reportbug index c7e70ce7..8c594c7c 100644 --- a/apparmor.d/groups/apt/reportbug +++ b/apparmor.d/groups/apt/reportbug @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2019-2021 Mikhail Morfikov +# Copyright (C) 2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , 
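Review bot: The reorder drops the `# For package building` comment that sat above `owner @{user_build_dirs}/** rwkl -> @{user_build_dirs}/**,` without replacing it, so the sorted list no longer says why debsign needs write access to the whole build tree. The same rationale comments disappear in claws-mail (`# For Orage integration`, `# For sending local mails`, `# For editing in an external editor`, all on `rPUx` rules that fall back to unconfined), in kwalletd5 (`# For GPG encrypted wallets` on the three `rCx -> gpg` rules and the qt5ct comment) and in psi and psi-plus (`# Needed for GPG/PGP support`, `# Needed for playing sound events`, `# Allowed apps to open`). Sorting by path puts rules with different purposes next to each other, so the intent is best kept as a trailing comment in the style this commit already uses for `/{usr/,}lib/firefox/firefox rPUx, # App allowed to open` in reportbug, e.g. `owner @{user_build_dirs}/** rwkl -> @{user_build_dirs}/**, # package building` and `/{usr/,}bin/geany rPUx, # external editor`.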
@@ -9,17 +10,17 @@ include @{exec_path} = /{usr/,}bin/reportbug profile reportbug @{exec_path} { include - include - include + include include - include + include + include include + include include include include - include include - include + include network inet dgram, network inet6 dgram, 
@@ -28,81 +29,67 @@ profile reportbug @{exec_path} { network netlink raw, @{exec_path} r, - /{usr/,}bin/python3.[0-9]* r, - - /usr/share/reportbug/handle_bugscript rix, /{usr/,}bin/ r, - /{usr/,}{s,}bin/ldconfig rix, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/stty rix, - /{usr/,}bin/readlink rix, - /{usr/,}bin/locale rix, - /{usr/,}bin/aa-enabled rix, - /{usr/,}{s,}bin/selinuxenabled rix, - /{usr/,}bin/md5sum rix, + /{usr/,}bin/python3.[0-9]* r, + /{usr/,}{s,}bin/ldconfig rix, + /{usr/,}{s,}bin/selinuxenabled rix, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/aa-enabled rix, + /{usr/,}bin/locale rix, + /{usr/,}bin/md5sum rix, + /{usr/,}bin/readlink rix, + /{usr/,}bin/stty rix, + /usr/share/reportbug/handle_bugscript rix, + + /{usr/,}{s,}bin/exim4 rPx, + /{usr/,}bin/apt-cache rPx, /{usr/,}bin/debconf-show rPx, /{usr/,}bin/debsums rPx, /{usr/,}bin/dlocate rPx, - /{usr/,}bin/apt-cache rPx, - # Do not strip env to avoid errors like the following: - # ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open - # shared object file): ignored. 
- /{usr/,}bin/dpkg-query rpx, - # - /{usr/,}{s,}bin/exim4 rPx, - - /{usr/,}bin/lsb_release rPx -> lsb_release, /{usr/,}bin/dpkg rPx -> child-dpkg, - /{usr/,}bin/systemctl rPx -> child-systemctl, - /{usr/,}bin/pager rPx -> child-pager, + /{usr/,}bin/dpkg-query rpx, /{usr/,}bin/less rPx -> child-pager, + /{usr/,}bin/lsb_release rPx -> lsb_release, /{usr/,}bin/more rPx -> child-pager, + /{usr/,}bin/pager rPx -> child-pager, + /{usr/,}bin/systemctl rPx -> child-systemctl, + /{usr/,}lib/firefox/firefox rPUx, # App allowed to open + /usr/share/bug/* rPUx, - /{usr/,}bin/xdg-open rCx -> open, - /{usr/,}bin/run-parts rCx -> run-parts, /{usr/,}bin/gpg{,2} rCx -> gpg, - - # For sending additional information - /etc/** r, - - /etc/reportbug.conf r, - owner @{HOME}/.reportbugrc{,~} rw, - - # For shell pwd - owner @{HOME}/ r, - - # Think what to do with it (#FIXME#) - /usr/share/bug/*/{control,presubj} r, - /usr/share/bug/* rPUx, - - /usr/share/glib-2.0/schemas/gschemas.compiled r, - /usr/share/X11/xkb/** r, + /{usr/,}bin/run-parts rCx -> run-parts, + /{usr/,}bin/xdg-open rCx -> open, /{usr/,}lib/python3/dist-packages/pylocales/locales.db rk, + /usr/share/bug/*/{control,presubj} r, + /usr/share/glib-2.0/schemas/gschemas.compiled r, + /usr/share/X11/xkb/** r, + + /etc/** r, + /etc/reportbug.conf r, + + owner @{HOME}/ r, # For shell pwd + owner @{HOME}/.reportbugrc{,~} rw, + owner @{HOME}/draftbugreports/ r, + owner @{HOME}/draftbugreports/reportbug-* rw, + @{PROC}/1/cgroup r, - owner @{PROC}/@{pid}/cgroup r, - owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/fd/ r, @{PROC}/sys/kernel/tainted r, + owner @{PROC}/@{pid}/cgroup r, + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/mounts r, + + owner /tmp/* rw, + owner /tmp/reportbug-*-[0-9]*-@{pid}-* rw, + owner /var/tmp/*.bug{,~} rw, @{sys}/module/apparmor/parameters/enabled r, /dev/ptmx rw, - owner /tmp/reportbug-*-[0-9]*-@{pid}-* rw, - owner /tmp/* rw, - owner /var/tmp/*.bug{,~} rw, - - owner @{HOME}/draftbugreports/ r, - 
owner @{HOME}/draftbugreports/reportbug-* rw, - - # Allowed apps to open - /{usr/,}lib/firefox/firefox rPUx, - - profile run-parts { include diff --git a/apparmor.d/profiles-a-f/claws-mail b/apparmor.d/profiles-a-f/claws-mail index 1b9567d0..b56b53de 100644 --- a/apparmor.d/profiles-a-f/claws-mail +++ b/apparmor.d/profiles-a-f/claws-mail @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2019-2021 Mikhail Morfikov +# Copyright (C) 2023 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -9,16 +10,16 @@ include @{exec_path} = /{usr/,}bin/claws-mail profile claws-mail @{exec_path} flags=(complain) { include - include - include - include - include - include - include - include include - include + include + include + include + include + include + include include + include + include @{exec_path} mr, 
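Review bot: `/{usr/,}bin/dpkg-query rpx,` keeps the lowercase `p` (transition without environment scrubbing) but the commit removes the comment that justified it, namely that scrubbing breaks `libfakeroot-sysv.so` in LD_PRELOAD with an `ld.so ... cannot be preloaded` error; without that note the next cleanup is likely to "correct" it to `rPx`, and a reader cannot tell it is deliberate. The `# Think what to do with it (#FIXME#)` marker on `/usr/share/bug/* rPUx,` is also dropped while the rule itself, an unconfined fallback for every package's bug script, is unchanged, so the open question should stay visible. Suggested trailing comments: `/{usr/,}bin/dpkg-query rpx, # env not scrubbed on purpose: keeps libfakeroot-sysv.so in LD_PRELOAD loadable` and `/usr/share/bug/* rPUx, # FIXME: unconfined fallback for package bug scripts`. This hunk starts on the preceding lines and the enclosing `profile reportbug` block continues past it into the `run-parts` subprofile.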
@@ -29,43 +30,34 @@ profile claws-mail @{exec_path} flags=(complain) { /{usr/,}bin/gpgsm rCx -> gpg, /{usr/,}bin/gpgconf rCx -> gpg, - # For Orage integration - /{usr/,}bin/orage rPUx, + /{usr/,}bin/orage rPUx, + /{usr/,}{s,}bin/exim4 rPUx, + /{usr/,}bin/geany rPUx, - # For sending local mails - /{usr/,}{s,}bin/exim4 rPUx, + /usr/share/glib-2.0/schemas/gschemas.compiled r, + /usr/share/publicsuffix/*.dafsa r, + /usr/share/sounds/freedesktop/stereo/*.oga r, - # For editing in an external editor - /{usr/,}bin/geany rPUx, + /etc/fstab r, + /etc/machine-id r, + /var/lib/dbus/machine-id r, + + owner /var/mail/* rwk, owner @{HOME}/ r, owner @{HOME}/.claws-mail/ rw, owner @{HOME}/.claws-mail/** rwl -> @{HOME}/.claws-mail/**, + owner @{HOME}/Mail/ rw, + owner @{HOME}/Mail/** rwl -> @{HOME}/Mail/**, owner /tmp/claws-mail-[0-9]*/ rw, owner /tmp/claws-mail-[0-9]*/@{hex} rw, owner /tmp/claws-mail-[0-9]*/@{hex}.lock rwk, - owner /var/mail/* rwk, - - owner @{HOME}/Mail/ rw, - owner @{HOME}/Mail/** rwl -> @{HOME}/Mail/**, - owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, - /etc/fstab r, - - /usr/share/glib-2.0/schemas/gschemas.compiled r, - - /var/lib/dbus/machine-id r, - /etc/machine-id r, - - /usr/share/sounds/freedesktop/stereo/*.oga r, - /usr/share/publicsuffix/*.dafsa r, - - profile gpg { include diff --git a/apparmor.d/profiles-a-f/dino-im b/apparmor.d/profiles-a-f/dino-im index 0aa615aa..9fee021c 100644 --- a/apparmor.d/profiles-a-f/dino-im +++ b/apparmor.d/profiles-a-f/dino-im @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2021 Mikhail Morfikov +# Copyright (C) 2023 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -10,10 +11,10 @@ include profile dino-im @{exec_path} { include include - include - include include + include include + include include include 
@@ -30,14 +31,13 @@ profile dino-im @{exec_path} { /{usr/,}bin/gpgconf rCx -> gpg, /{usr/,}bin/gpgsm rCx -> gpg, + /usr/share/glib-2.0/schemas/gschemas.compiled r, + owner @{user_share_dirs}/dino/ rw, owner @{user_share_dirs}/dino/** rwk, - /usr/share/glib-2.0/schemas/gschemas.compiled r, - owner @{PROC}/@{pid}/fd/ r, - profile gpg { include diff --git a/apparmor.d/profiles-a-f/execute-dput b/apparmor.d/profiles-a-f/execute-dput index a953620f..07ad5cb9 100644 --- a/apparmor.d/profiles-a-f/execute-dput +++ b/apparmor.d/profiles-a-f/execute-dput @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2019-2021 Mikhail Morfikov +# Copyright (C) 2023 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -13,29 +14,27 @@ profile execute-dput @{exec_path} flags=(complain) { include @{exec_path} r, + /{usr/,}bin/python3.[0-9]* r, /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/dpkg rPx -> child-dpkg, - - /{usr/,}bin/gpgconf rCx -> gpg, /{usr/,}bin/gpg{,2} rCx -> gpg, + /{usr/,}bin/gpgconf rCx -> gpg, /{usr/,}bin/gpgsm rCx -> gpg, /usr/share/dput/{,**} r, /etc/dput.cf r, + owner @{HOME}/.dput.cf r, - owner @{PROC}/@{pid}/fd/ r, - - # sources dir owner @{user_build_dirs}/**.changes r, owner @{user_build_dirs}/**.dsc r, owner @{user_build_dirs}/**.buildinfo r, owner @{user_build_dirs}/**.tar.xz r, + owner @{PROC}/@{pid}/fd/ r, profile gpg { include diff --git a/apparmor.d/profiles-g-l/gajim b/apparmor.d/profiles-g-l/gajim index e235f06b..3634a8f5 100644 --- a/apparmor.d/profiles-g-l/gajim +++ b/apparmor.d/profiles-g-l/gajim 
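Review bot: In the execute-dput hunk the rule `/{usr/,}bin/dpkg rPx -> child-dpkg,` is removed and nothing on the new side replaces it, while the rest of the hunk is a reorder plus the new `/{usr/,}bin/python3.[0-9]* r,` and `owner @{HOME}/.dput.cf r,` entries. Dropping a transition is a functional change hidden in a sort commit; if dput no longer needs dpkg this is a welcome tightening, but it deserves a mention in the commit message, and since the profile is `flags=(complain)` a wrong guess only shows up as log noise rather than a denial. Either keep the line or state the removal explicitly; the enclosing `profile execute-dput` block starts before this hunk and continues into the `gpg` subprofile.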
@@ -130,18 +130,18 @@ profile gajim @{exec_path} { /{usr/,}bin/gpg-agent rix, /{usr/,}lib/gnupg/scdaemon rix, - # without owner - @{PROC}/@{pid}/fd/ r, - @{PROC}/@{pid}/task/@{tid}/comm rw, - owner @{run}/user/@{uid}/gnupg/d.*/ rw, owner @{run}/user/@{uid}/gnupg/d.*/S.gpg-agent{,.extra,.browser,.ssh} w, owner @{HOME}/@{XDG_GPG_DIR}/ rw, owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**, - owner @{HOME}/.local/share/gajim/openpgp/ rw, - owner @{HOME}/.local/share/gajim/openpgp/** rwkl -> @{HOME}/.local/share/gajim/openpgp/**, + owner @{user_share_dirs}/gajim/openpgp/ rw, + owner @{user_share_dirs}/gajim/openpgp/** rwkl -> @{HOME}/.local/share/gajim/openpgp/**, + + # "Without owner + @{PROC}/@{pid}/fd/ r, + @{PROC}/@{pid}/task/@{tid}/comm rw, } diff --git a/apparmor.d/profiles-g-l/kwalletd5 b/apparmor.d/profiles-g-l/kwalletd5 index 069ba54a..9cd52cf5 100644 --- a/apparmor.d/profiles-g-l/kwalletd5 +++ b/apparmor.d/profiles-g-l/kwalletd5 @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2018-2021 Mikhail Morfikov +# Copyright (C) 2023 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , 
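Review bot: The rewritten link rule `owner @{user_share_dirs}/gajim/openpgp/** rwkl -> @{HOME}/.local/share/gajim/openpgp/**,` switches the source path to `@{user_share_dirs}` but leaves the link target on the literal `@{HOME}/.local/share/...`; presumably `@{user_share_dirs}` is defined elsewhere in the project, and if it ever expands to more than `@{HOME}/.local/share`, link creation inside the directory is denied while plain writes succeed. The target should use the same variable: `owner @{user_share_dirs}/gajim/openpgp/** rwkl -> @{user_share_dirs}/gajim/openpgp/**,`. The re-added comment also carries a stray quote, `# "Without owner`, and should read `# Without owner`. The enclosing `profile gajim` block starts before this hunk.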
@@ -9,56 +10,52 @@ include @{exec_path} = /{usr/,}bin/kwalletd5 profile kwalletd5 @{exec_path} { include + include include - include - include - include + include include + include include + include include + include include include - include - include - include + include @{exec_path} mr, + /{usr/,}bin/gpgconf rCx -> gpg, + /{usr/,}bin/gpg{,2} rCx -> gpg, + /{usr/,}bin/gpgsm rCx -> gpg, + /{usr/,}lib/@{multiarch}/qt5/plugins/kf5/org.kde.kwindowsystem.platforms/KF5WindowSystemX11Plugin.so mr, - owner @{user_config_dirs}/kwalletrc r, - - owner @{user_config_dirs}/kdeglobals r, - owner @{user_cache_dirs}/icon-cache.kcache rw, - - owner @{user_share_dirs}/kwalletd/ rw, - owner @{user_share_dirs}/kwalletd/#[0-9]*[0-9] rw, - owner @{user_share_dirs}/kwalletd/*.salt rw, - owner @{user_share_dirs}/kwalletd/*.kwl rw, - owner @{user_share_dirs}/kwalletd/*.kwl.* rwl -> @{user_share_dirs}/kwalletd/#[0-9]*[0-9], - - # To configure Qt5 settings (theme, font, icons, etc.) under DE/WM without Qt integration - owner @{user_config_dirs}/qt5ct/{,**} r, + /usr/share/hwdata/pnp.ids r, /usr/share/qt5ct/** r, /var/lib/dbus/machine-id r, /etc/machine-id r, - /dev/shm/#[0-9]*[0-9] rw, + owner @{user_cache_dirs}/icon-cache.kcache rw, - owner @{PROC}/@{pid}/cmdline r, - owner @{PROC}/@{pid}/fd/ r, - @{PROC}/sys/kernel/core_pattern r, + owner @{user_config_dirs}/kdeglobals r, + owner @{user_config_dirs}/kwalletrc r, + owner @{user_config_dirs}/qt5ct/{,**} r, + + owner @{user_share_dirs}/kwalletd/ rw, + owner @{user_share_dirs}/kwalletd/*.kwl rw, + owner @{user_share_dirs}/kwalletd/*.kwl.* rwl -> @{user_share_dirs}/kwalletd/#[0-9]*[0-9], + owner @{user_share_dirs}/kwalletd/*.salt rw, + owner @{user_share_dirs}/kwalletd/#[0-9]*[0-9] rw, owner /tmp/kwalletd5.* rw, - /usr/share/hwdata/pnp.ids r, - - # For GPG encrypted wallets - /{usr/,}bin/gpgconf rCx -> gpg, - /{usr/,}bin/gpg{,2} rCx -> gpg, - /{usr/,}bin/gpgsm rCx -> gpg, + @{PROC}/sys/kernel/core_pattern r, + owner @{PROC}/@{pid}/cmdline r, + 
owner @{PROC}/@{pid}/fd/ r, + /dev/shm/#[0-9]*[0-9] rw, profile gpg { include diff --git a/apparmor.d/profiles-m-r/psi b/apparmor.d/profiles-m-r/psi index 3779183b..8eff494a 100644 --- a/apparmor.d/profiles-m-r/psi +++ b/apparmor.d/profiles-m-r/psi @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2021 Mikhail Morfikov +# Copyright (C) 2023 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -10,23 +11,21 @@ include profile psi @{exec_path} { include include - include - include - include - include - include - include - include - include - include - include include + include + include + include + include + include + include include include + include + include include include - - signal (send) set=(term, kill) peer=lsb_release, + include + include network inet dgram, network inet6 dgram, 
@@ -34,70 +33,53 @@ profile psi @{exec_path} { network inet6 stream, network netlink dgram, + signal (send) set=(term, kill) peer=lsb_release, + @{exec_path} mr, + /{usr/,}bin/aplay rCx -> aplay, + /{usr/,}bin/gpg{,2} rCx -> gpg, /{usr/,}bin/lsb_release rPx -> lsb_release, /{usr/,}bin/xdg-open rCx -> open, + /{usr/,}lib/firefox/firefox rPUx, - # Needed for GPG/PGP support - /{usr/,}bin/gpg{,2} rCx -> gpg, - - # Needed for playing sound events - /{usr/,}bin/aplay rCx -> aplay, - - # PSI files + /usr/share/hwdata/pnp.ids r, /usr/share/psi/{,**} r, - - # PSI config files - owner @{HOME}/ r, - owner @{user_config_dirs}/psi/ rw, - owner @{user_config_dirs}/psi/** rwkl -> @{user_config_dirs}/psi/#[0-9]*[0-9], - - owner @{user_share_dirs}/psi/ rw, - owner @{user_share_dirs}/psi/** rwk, - - # To configure Qt5 settings (theme, font, icons, etc.) under DE/WM without Qt integration - owner @{user_config_dirs}/qt5ct/{,**} r, /usr/share/qt5ct/** r, - # Cache files - owner @{user_cache_dirs}/ rw, - owner @{user_cache_dirs}/psi/{,**} rw, - owner @{user_cache_dirs}/#[0-9]*[0-9] rw, - - /var/lib/dbus/machine-id r, - /etc/machine-id r, - - # Autostart - owner @{user_config_dirs}/autostart/psi.desktop rw, - /etc/debian_version r, - - /dev/shm/#[0-9]*[0-9] rw, - - deny owner @{PROC}/@{pid}/cmdline r, - deny @{PROC}/sys/kernel/random/boot_id r, - owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/mounts r, - /etc/fstab r, + /etc/machine-id r, + /var/lib/dbus/machine-id r, owner /var/tmp/etilqs_@{hex} rw, + owner @{HOME}/ r, + owner @{user_cache_dirs}/ rw, + owner @{user_cache_dirs}/#[0-9]*[0-9] rw, + owner @{user_cache_dirs}/psi/{,**} rw, + owner @{user_config_dirs}/autostart/psi.desktop rw, + owner @{user_config_dirs}/psi/ rw, + owner @{user_config_dirs}/psi/** rwkl -> @{user_config_dirs}/psi/#[0-9]*[0-9], + owner @{user_config_dirs}/qt5ct/{,**} r, + owner @{user_share_dirs}/psi/ rw, + owner @{user_share_dirs}/psi/** rwk, + owner /tmp/#[0-9]*[0-9] rw, owner /tmp/Psi.* rwl -> 
/tmp/#[0-9]*[0-9], @{run}/systemd/inhibit/[0-9]*.ref rw, - /usr/share/hwdata/pnp.ids r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, + deny @{PROC}/sys/kernel/random/boot_id r, + deny owner @{PROC}/@{pid}/cmdline r, - # Allowed apps to open - /{usr/,}lib/firefox/firefox rPUx, + /dev/shm/#[0-9]*[0-9] rw, # file_inherit owner /dev/tty[0-9]* rw, - profile aplay { include include diff --git a/apparmor.d/profiles-m-r/psi-plus b/apparmor.d/profiles-m-r/psi-plus index e719213e..d3b3bb04 100644 --- a/apparmor.d/profiles-m-r/psi-plus +++ b/apparmor.d/profiles-m-r/psi-plus @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2017-2021 Mikhail Morfikov +# Copyright (C) 2023 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -10,23 +11,21 @@ include profile psi-plus @{exec_path} { include include - include - include - include - include - include - include - include - include - include - include include + include + include + include + include + include + include include include + include + include include include - - signal (send) set=(term, kill) peer=lsb_release, + include + include network inet dgram, network inet6 dgram, 
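Review bot: The psi hunk removes `/etc/debian_version r,` and does not add it back on the new side, whereas the parallel psi-plus hunk in this same commit re-adds `/etc/debian_version r,` next to `/etc/fstab r,`; given that the two profiles are otherwise reordered identically, this looks like an accidental loss during sorting rather than an intended tightening. Restore it in the `/etc` group: `/etc/debian_version r,`. The hunk begins on the preceding line and the enclosing `profile psi` block continues past it into the `aplay` subprofile.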
@@ -34,70 +33,52 @@ profile psi-plus @{exec_path} { network inet6 stream, network netlink dgram, + signal (send) set=(term, kill) peer=lsb_release, + @{exec_path} mr, + /{usr/,}bin/aplay rCx -> aplay, + /{usr/,}bin/gpg{,2} rCx -> gpg, /{usr/,}bin/lsb_release rPx -> lsb_release, /{usr/,}bin/xdg-open rCx -> open, + /{usr/,}lib/firefox/firefox rPUx, - # Needed for GPG/PGP support - /{usr/,}bin/gpg{,2} rCx -> gpg, - - # Needed for playing sound events - /{usr/,}bin/aplay rCx -> aplay, - - # PSI files + /usr/share/hwdata/pnp.ids r, /usr/share/psi-plus/{,**} r, + /usr/share/qt5ct/** r, + + /etc/debian_version r, + /etc/fstab r, + /etc/machine-id r, + /var/lib/dbus/machine-id r, - # PSI config files owner @{HOME}/ r, + owner @{user_cache_dirs}/ rw, + owner @{user_cache_dirs}/#[0-9]*[0-9] rw, + owner @{user_cache_dirs}/psi+/{,**} rw, + owner @{user_config_dirs}/autostart/psi-plus.desktop rw, owner @{user_config_dirs}/psi+/ rw, owner @{user_config_dirs}/psi+/** rwkl -> @{user_config_dirs}/psi+/#[0-9]*[0-9], - + owner @{user_config_dirs}/qt5ct/{,**} r, owner @{user_share_dirs}/psi+/ rw, owner @{user_share_dirs}/psi+/** rwk, - # To configure Qt5 settings (theme, font, icons, etc.) 
under DE/WM without Qt integration - owner @{user_config_dirs}/qt5ct/{,**} r, - /usr/share/qt5ct/** r, - - # Cache files - owner @{user_cache_dirs}/ rw, - owner @{user_cache_dirs}/psi+/{,**} rw, - owner @{user_cache_dirs}/#[0-9]*[0-9] rw, - - /var/lib/dbus/machine-id r, - /etc/machine-id r, - - # Autostart - owner @{user_config_dirs}/autostart/psi-plus.desktop rw, - - /etc/debian_version r, - - /dev/shm/#[0-9]*[0-9] rw, - - deny owner @{PROC}/@{pid}/cmdline r, - deny @{PROC}/sys/kernel/random/boot_id r, - owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/mounts r, - - /etc/fstab r, - - owner /var/tmp/etilqs_@{hex} rw, - owner /tmp/#[0-9]*[0-9] rw, owner /tmp/Psi+.* rwl -> /tmp/#[0-9]*[0-9], + owner /var/tmp/etilqs_@{hex} rw, @{run}/systemd/inhibit/[0-9]*.ref rw, - /usr/share/hwdata/pnp.ids r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, + deny @{PROC}/sys/kernel/random/boot_id r, + deny owner @{PROC}/@{pid}/cmdline r, - # Allowed apps to open - /{usr/,}lib/firefox/firefox rPUx, + /dev/shm/#[0-9]*[0-9] rw, # file_inherit owner /dev/tty[0-9]* rw, - profile aplay { include include