Add @{MOUNTS} for all common mountpoints.

2021-04-19 15:20:32 +01:00 · 2021-04-19 15:20:32 +01:00 · 1f11e6398b
commit 1f11e6398b
parent a5ec3e559c
127 changed files with 286 additions and 306 deletions
--- a/apparmor.d/groups/apps/android-studio
+++ b/apparmor.d/groups/apps/android-studio
@ -6,8 +6,8 @@ abi <abi/3.0>,

 include <tunables/global>

-@{AS_LIBDIR}     = /media/*/android-studio
-@{AS_SDKDIR}     = /media/*/SDK
+@{AS_LIBDIR}     = @{MOUNTS}/*/android-studio
+@{AS_SDKDIR}     = @{MOUNTS}/*/SDK
@{AS_HOMEDIR}    = @{HOME}/.AndroidStudio*
@{AS_PROJECTDIR} = @{HOME}/AndroidStudioProjects

@ -90,8 +90,8 @@ profile android-studio @{exec_path} {

  / r,
  /home/ r,
-  /media/ r,
-  /media/*/ r,
+  @{MOUNTS}/ r,
+  @{MOUNTS}/*/ r,
  /usr/ r,
  /{usr/,}lib/ r,
  /{usr/,}lib{x32,32,64}/ r,
--- a/apparmor.d/groups/apps/atom
+++ b/apparmor.d/groups/apps/atom
@ -86,10 +86,10 @@ profile atom @{exec_path} {

  # Git dirs
        / r,
-        /media/ r,
-  owner /media/*/ r,
-  owner /media/*/atom/ r,
-  owner /media/*/atom/** rwkl -> /media/*/atom/**,
+        @{MOUNTS}/ r,
+  owner @{MOUNTS}/*/ r,
+  owner @{MOUNTS}/*/atom/ r,
+  owner @{MOUNTS}/*/atom/** rwkl -> @{MOUNTS}/*/atom/**,

  owner @{user_config_dirs}/git/config r,

--- a/apparmor.d/groups/apps/calibre
+++ b/apparmor.d/groups/apps/calibre
@ -76,8 +76,8 @@ profile calibre @{exec_path} {
        /home/ r,
  owner @{HOME}/ r,
  owner @{HOME}/**/ r,
-        /media/ r,
-  owner /media/**/ r,
+        @{MOUNTS}/ r,
+  owner @{MOUNTS}/**/ r,
  owner /{home,media}/**.@{calibre_ext} rw,

  /usr/share/calibre/{,**} r,
@ -85,9 +85,9 @@ profile calibre @{exec_path} {
  owner @{HOME}/@{XDG_BOOKS_DIR} rw,
  owner @{HOME}/@{XDG_BOOKS_DIR}/** rwkl,

-  owner /media/*/@{XDG_BOOKS_DIR}/ r,
-  owner /media/*/@{XDG_BOOKS_DIR}*/ rw,
-  owner /media/*/@{XDG_BOOKS_DIR}*/** rwkl -> /media/*/@{XDG_BOOKS_DIR}*/**,
+  owner @{MOUNTS}/*/@{XDG_BOOKS_DIR}/ r,
+  owner @{MOUNTS}/*/@{XDG_BOOKS_DIR}*/ rw,
+  owner @{MOUNTS}/*/@{XDG_BOOKS_DIR}*/** rwkl -> @{MOUNTS}/*/@{XDG_BOOKS_DIR}*/**,

  owner @{user_config_dirs}/calibre/ rw,
  owner @{user_config_dirs}/calibre/** rwk,
--- a/apparmor.d/groups/apps/code
+++ b/apparmor.d/groups/apps/code
@ -65,10 +65,10 @@ profile code @{exec_path} {

  # Git dirs
        / r,
-        /media/ r,
-  owner /media/*/ r,
-  owner /media/*/code/ r,
-  owner /media/*/code/** rwkl -> /media/*/code/**,
+        @{MOUNTS}/ r,
+  owner @{MOUNTS}/*/ r,
+  owner @{MOUNTS}/*/code/ r,
+  owner @{MOUNTS}/*/code/** rwkl -> @{MOUNTS}/*/code/**,

  # To remove the following error:
  #  Error initializing NSS with a persistent database
--- a/apparmor.d/groups/apps/filezilla
+++ b/apparmor.d/groups/apps/filezilla
@ -57,8 +57,8 @@ profile filezilla @{exec_path} {
  /{usr/,}lib/firefox/firefox rPUx,

  # FTP share folder
-  owner /media/*/ftp/ r,
-  owner /media/*/ftp/** rw,
+  owner @{MOUNTS}/*/ftp/ r,
+  owner @{MOUNTS}/*/ftp/** rw,

  # Silencer
  / r,
--- a/apparmor.d/groups/apps/geany
+++ b/apparmor.d/groups/apps/geany
@ -72,9 +72,9 @@ profile geany @{exec_path} {
        /lost+found/ r,
        /lost+found/** r,
  owner /lost+found/** rw,
-        /media/   r,
-        /media/** r,
-  owner /media/** rw,
+        @{MOUNTS}/   r,
+        @{MOUNTS}/** r,
+  owner @{MOUNTS}/** rw,
        /mnt/     r,
        /mnt/**   r,
  owner /mnt/**   rw,
--- a/apparmor.d/groups/apps/okular
+++ b/apparmor.d/groups/apps/okular
@ -33,8 +33,8 @@ profile okular @{exec_path} {
        /home/ r,
  owner @{HOME}/ r,
  owner @{HOME}/**/ r,
-        /media/ r,
-  owner /media/**/ r,
+        @{MOUNTS}/ r,
+  owner @{MOUNTS}/**/ r,
        /tmp/ r,
        /tmp/mozilla_*/ r,
  owner /{home,media,tmp/mozilla_*}/**.@{okular_ext} rw,
--- a/apparmor.d/groups/apps/telegram-desktop
+++ b/apparmor.d/groups/apps/telegram-desktop
@ -6,7 +6,7 @@ abi <abi/3.0>,

 include <tunables/global>

-@{TELEGRAM_WORK_DIR} = /media/Kabi/telegram
+@{TELEGRAM_WORK_DIR} = @{MOUNTS}/Kabi/telegram

@{exec_path} = /{usr/,}bin/telegram-desktop
 profile telegram-desktop @{exec_path} {
--- a/apparmor.d/groups/apps/vlc
+++ b/apparmor.d/groups/apps/vlc
@ -86,8 +86,8 @@ profile vlc @{exec_path} {
        /home/ r,
  owner @{HOME}/ r,
  owner @{HOME}/**/ r,
-        /media/ r,
-  owner /media/**/ r,
+        @{MOUNTS}/ r,
+  owner @{MOUNTS}/**/ r,
  owner /{home,media}/**.@{vlc_ext} rw,

  /var/lib/dbus/machine-id r,
--- a/apparmor.d/groups/apt/apt
+++ b/apparmor.d/groups/apt/apt
@ -6,7 +6,7 @@ abi <abi/3.0>,

 include <tunables/global>

-@{BUILD_DIR} = /media/debuilder/
+@{BUILD_DIR} = @{MOUNTS}/debuilder/

@{exec_path} = /{usr/,}bin/apt
 profile apt @{exec_path} flags=(complain) {
--- a/apparmor.d/groups/apt/apt-cdrom
+++ b/apparmor.d/groups/apt/apt-cdrom
@ -39,11 +39,11 @@ profile apt-cdrom @{exec_path} flags=(complain) {
  /media/cdrom[0-9]/dists/**/i18n/Translation-en{,.gz} r,

  # For pendrives
-  /media/*/*/ r,
-  /media/*/*/**/ r,
-  /media/*/*/.disk/info r,
-  /media/*/*/dists/**/binary-*/Packages{,.gz} r,
-  /media/*/*/dists/**/i18n/Translation-en{,.gz} r,
+  @{MOUNTS}/*/*/ r,
+  @{MOUNTS}/*/*/**/ r,
+  @{MOUNTS}/*/*/.disk/info r,
+  @{MOUNTS}/*/*/dists/**/binary-*/Packages{,.gz} r,
+  @{MOUNTS}/*/*/dists/**/i18n/Translation-en{,.gz} r,

  /var/lib/apt/lists/** rw,

--- a/apparmor.d/groups/apt/apt-extracttemplates
+++ b/apparmor.d/groups/apt/apt-extracttemplates
@ -6,7 +6,7 @@ abi <abi/3.0>,

 include <tunables/global>

-@{BUILD_DIR} = /media/debuilder/
+@{BUILD_DIR} = @{MOUNTS}/debuilder/

@{exec_path} = /{usr/,}bin/apt-extracttemplates
 profile apt-extracttemplates @{exec_path} {
--- a/apparmor.d/groups/apt/apt-ftparchive
+++ b/apparmor.d/groups/apt/apt-ftparchive
@ -6,7 +6,7 @@ abi <abi/3.0>,

 include <tunables/global>

-@{BUILD_DIR} = /media/debuilder/
+@{BUILD_DIR} = @{MOUNTS}/debuilder/

@{exec_path} = /{usr/,}bin/apt-ftparchive
 profile apt-ftparchive @{exec_path} {
--- a/apparmor.d/groups/apt/apt-get
+++ b/apparmor.d/groups/apt/apt-get
@ -6,7 +6,7 @@ abi <abi/3.0>,

 include <tunables/global>

-@{BUILD_DIR} = /media/debuilder/
+@{BUILD_DIR} = @{MOUNTS}/debuilder/

@{exec_path} = /{usr/,}bin/apt-get
 profile apt-get @{exec_path} flags=(complain) {
--- a/apparmor.d/groups/apt/apt-methods-cdrom
+++ b/apparmor.d/groups/apt/apt-methods-cdrom
@ -6,7 +6,7 @@ abi <abi/3.0>,

 include <tunables/global>

-@{BUILD_DIR} = /media/debuilder/
+@{BUILD_DIR} = @{MOUNTS}/debuilder/

@{exec_path} = /{usr/,}lib/apt/methods/cdrom
 profile apt-methods-cdrom @{exec_path} {
--- a/apparmor.d/groups/apt/apt-methods-copy
+++ b/apparmor.d/groups/apt/apt-methods-copy
@ -6,7 +6,7 @@ abi <abi/3.0>,

 include <tunables/global>

-@{BUILD_DIR} = /media/debuilder/
+@{BUILD_DIR} = @{MOUNTS}/debuilder/

@{exec_path} = /{usr/,}lib/apt/methods/copy
 profile apt-methods-copy @{exec_path} {
--- a/apparmor.d/groups/apt/apt-methods-file
+++ b/apparmor.d/groups/apt/apt-methods-file
@ -6,7 +6,7 @@ abi <abi/3.0>,

 include <tunables/global>

-@{BUILD_DIR} = /media/debuilder/
+@{BUILD_DIR} = @{MOUNTS}/debuilder/

@{exec_path} = /{usr/,}lib/apt/methods/file
 profile apt-methods-file @{exec_path} {
--- a/apparmor.d/groups/apt/apt-methods-ftp
+++ b/apparmor.d/groups/apt/apt-methods-ftp
@ -6,7 +6,7 @@ abi <abi/3.0>,

 include <tunables/global>

-@{BUILD_DIR} = /media/debuilder/
+@{BUILD_DIR} = @{MOUNTS}/debuilder/

@{exec_path} = /{usr/,}lib/apt/methods/ftp
 profile apt-methods-ftp @{exec_path} {
--- a/apparmor.d/groups/apt/apt-methods-gpgv
+++ b/apparmor.d/groups/apt/apt-methods-gpgv
@ -6,7 +6,7 @@ abi <abi/3.0>,

 include <tunables/global>

-@{BUILD_DIR} = /media/debuilder/
+@{BUILD_DIR} = @{MOUNTS}/debuilder/

@{exec_path} = /{usr/,}lib/apt/methods/gpgv
 profile apt-methods-gpgv @{exec_path} {
--- a/apparmor.d/groups/apt/apt-methods-http
+++ b/apparmor.d/groups/apt/apt-methods-http
@ -6,7 +6,7 @@ abi <abi/3.0>,

 include <tunables/global>

-@{BUILD_DIR} = /media/debuilder/
+@{BUILD_DIR} = @{MOUNTS}/debuilder/

@{exec_path} = /{usr/,}lib/apt/methods/http{,s}
 profile apt-methods-http @{exec_path} {
--- a/apparmor.d/groups/apt/apt-methods-mirror
+++ b/apparmor.d/groups/apt/apt-methods-mirror
@ -6,7 +6,7 @@ abi <abi/3.0>,

 include <tunables/global>

-@{BUILD_DIR} = /media/debuilder/
+@{BUILD_DIR} = @{MOUNTS}/debuilder/

@{exec_path} = /{usr/,}lib/apt/methods/mirror{,+*}
 profile apt-methods-mirror @{exec_path} {
--- a/apparmor.d/groups/apt/apt-methods-rred
+++ b/apparmor.d/groups/apt/apt-methods-rred
@ -6,7 +6,7 @@ abi <abi/3.0>,

 include <tunables/global>

-@{BUILD_DIR} = /media/debuilder/
+@{BUILD_DIR} = @{MOUNTS}/debuilder/

@{exec_path} = /{usr/,}lib/apt/methods/rred
 profile apt-methods-rred @{exec_path} {
--- a/apparmor.d/groups/apt/apt-methods-rsh
+++ b/apparmor.d/groups/apt/apt-methods-rsh
@ -6,7 +6,7 @@ abi <abi/3.0>,

 include <tunables/global>

-@{BUILD_DIR} = /media/debuilder/
+@{BUILD_DIR} = @{MOUNTS}/debuilder/

@{exec_path} = /{usr/,}lib/apt/methods/{r,s}sh
 profile apt-methods-rsh @{exec_path} {
--- a/apparmor.d/groups/apt/apt-methods-store
+++ b/apparmor.d/groups/apt/apt-methods-store
@ -6,7 +6,7 @@ abi <abi/3.0>,

 include <tunables/global>

-@{BUILD_DIR} = /media/debuilder/
+@{BUILD_DIR} = @{MOUNTS}/debuilder/

@{exec_path} = /{usr/,}lib/apt/methods/store
 profile apt-methods-store @{exec_path} {
--- a/apparmor.d/groups/apt/apt-show-versions
+++ b/apparmor.d/groups/apt/apt-show-versions
@ -6,7 +6,7 @@ abi <abi/3.0>,

 include <tunables/global>

-@{BUILD_DIR} = /media/debuilder/
+@{BUILD_DIR} = @{MOUNTS}/debuilder/

@{exec_path} = /{usr/,}bin/apt-show-versions
 profile apt-show-versions @{exec_path} {
--- a/apparmor.d/groups/apt/aptitude
+++ b/apparmor.d/groups/apt/aptitude
@ -6,7 +6,7 @@ abi <abi/3.0>,

 include <tunables/global>

-@{BUILD_DIR} = /media/debuilder/
+@{BUILD_DIR} = @{MOUNTS}/debuilder/

@{exec_path} = /{usr/,}bin/aptitude{,-curses}
 profile aptitude @{exec_path} flags=(complain) {
--- a/apparmor.d/groups/apt/dpkg-checkbuilddeps
+++ b/apparmor.d/groups/apt/dpkg-checkbuilddeps
@ -6,7 +6,7 @@ abi <abi/3.0>,

 include <tunables/global>

-@{BUILD_DIR} = /media/debuilder/
+@{BUILD_DIR} = @{MOUNTS}/debuilder/

@{exec_path} = /{usr/,}bin/dpkg-checkbuilddeps
 profile dpkg-checkbuilddeps @{exec_path} flags=(complain) {
--- a/apparmor.d/groups/apt/dpkg-deb
+++ b/apparmor.d/groups/apt/dpkg-deb
@ -6,7 +6,7 @@ abi <abi/3.0>,

 include <tunables/global>

-@{BUILD_DIR} = /media/debuilder/
+@{BUILD_DIR} = @{MOUNTS}/debuilder/

@{exec_path} = /{usr/,}bin/dpkg-deb
 profile dpkg-deb @{exec_path} {
--- a/apparmor.d/groups/apt/dpkg-genbuildinfo
+++ b/apparmor.d/groups/apt/dpkg-genbuildinfo
@ -6,7 +6,7 @@ abi <abi/3.0>,

 include <tunables/global>

-@{BUILD_DIR} = /media/debuilder/
+@{BUILD_DIR} = @{MOUNTS}/debuilder/

@{exec_path} = /{usr/,}bin/dpkg-genbuildinfo
 profile dpkg-genbuildinfo @{exec_path} flags=(complain) {
--- a/apparmor.d/groups/apt/dpkg-genchanges
+++ b/apparmor.d/groups/apt/dpkg-genchanges
@ -6,7 +6,7 @@ abi <abi/3.0>,

 include <tunables/global>

-@{BUILD_DIR} = /media/debuilder/
+@{BUILD_DIR} = @{MOUNTS}/debuilder/

@{exec_path} = /{usr/,}bin/dpkg-genchanges
 profile dpkg-genchanges @{exec_path} flags=(complain) {
--- a/apparmor.d/groups/apt/dpkg-split
+++ b/apparmor.d/groups/apt/dpkg-split
@ -6,7 +6,7 @@ abi <abi/3.0>,

 include <tunables/global>

-@{BUILD_DIR} = /media/debuilder/
+@{BUILD_DIR} = @{MOUNTS}/debuilder/

@{exec_path} = /{usr/,}bin/dpkg-split
 profile dpkg-split @{exec_path} {
--- a/apparmor.d/groups/apt/synaptic
+++ b/apparmor.d/groups/apt/synaptic
@ -4,7 +4,7 @@

 abi <abi/3.0>,

-@{BUILD_DIR} = /media/debuilder/
+@{BUILD_DIR} = @{MOUNTS}/debuilder/

 include <tunables/global>

--- a/apparmor.d/groups/desktop/obex-folder-listing
+++ b/apparmor.d/groups/desktop/obex-folder-listing
@ -14,8 +14,8 @@ profile obex-folder-listing @{exec_path} {

  owner @{HOME}/ r,
  owner @{HOME}/**/ r,
-  owner /media/*/ r,
-  owner /media/*/**/ r,
+  owner @{MOUNTS}/*/ r,
+  owner @{MOUNTS}/*/**/ r,

  include if exists <local/obex-folder-listing>
 }
--- a/apparmor.d/groups/gnome/nautilus
+++ b/apparmor.d/groups/gnome/nautilus
@ -25,9 +25,8 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
  # Full access to user's data
  / r,
  owner @{HOME}/{,**} rw,
+  owner @{MOUNTS}/*/{,**} rw,
  owner @{run}/user/@{uid}/{,**} rw,
-  owner /media/*/{,**} rw,
-  owner /mnt/*/{,**} rw,
  owner /tmp/{,**} rw,

  # Silencer for non user's data
--- a/apparmor.d/groups/gnome/tracker-miner
+++ b/apparmor.d/groups/gnome/tracker-miner
@ -24,7 +24,7 @@ profile tracker-miner @{exec_path} {

  # Allow to search user files
  owner @{HOME}/{,**} r,
-  owner /media/*/{,**} r,
+  owner @{MOUNTS}/*/{,**} r,
  owner /tmp/*/{,**} r,

  owner @{user_share_dirs}/{applications/,mime/mime.cache} r,
--- a/apparmor.d/groups/gpg/gpg
+++ b/apparmor.d/groups/gpg/gpg
@ -64,8 +64,7 @@ profile gpg @{exec_path} {

  # Verify files
  owner @{HOME}/** r,
-  owner /mnt/*/** r,
-  owner /media/*/** r,
+  owner @{MOUNTS}/*/** r,

  owner @{PROC}/@{pid}/task/@{tid}/stat rw,
  owner @{PROC}/@{pid}/task/@{tid}/comm rw,
--- a/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor
+++ b/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor
@ -35,8 +35,8 @@ profile gvfs-udisks2-volume-monitor @{exec_path} {
  /etc/fstab r,

  # Mount points
-  /media/*/ r,
-  /media/*/*/ r,
+  @{MOUNTS}/*/ r,
+  @{MOUNTS}/*/*/ r,
  @{HOME}/*/*/ r,
  @{HOME}/*/*/**/ r,
  @{HOME}/bluetooth/ r,
--- a/apparmor.d/groups/gvfs/gvfsd-archive
+++ b/apparmor.d/groups/gvfs/gvfsd-archive
@ -16,14 +16,12 @@ profile gvfsd-archive @{exec_path} {
  @{exec_path} mr,

  owner @{HOME}/**.{tar,tar.gz,zip} r,
-  owner /media/**.{TAR,TAR.GZ,ZIP} r,
+  owner @{MOUNTS}/**.{TAR,TAR.GZ,ZIP} r,
  owner @{HOME}/**.{tar,tar.gz,zip} r,
-  owner /mnt/**.{TAR,TAR.GZ,ZIP} r,

  owner @{HOME}/**.{iso,img,bin,mdf,nrg} r,
-  owner /media/*/**.{iso,img,bin,mdf,nrg} r,
+  owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} r,
  owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} r,
-  owner /mnt/*/**.{ISO,IMG,BIN,MDF,NRG} r,

  include if exists <local/gvfsd-archive>
 }
--- a/apparmor.d/groups/gvfs/gvfsd-recent
+++ b/apparmor.d/groups/gvfs/gvfsd-recent
@ -19,8 +19,7 @@ profile gvfsd-recent @{exec_path} {

  # Full access to user's data
  owner @{HOME}/{,**} rw,
-  owner /media/*/{,**} rw,
-  owner /mnt/*/{,**} rw,
+  owner @{MOUNTS}/*/{,**} rw,

  owner @{HOME}/.zshenv r,
  owner @{user_config_dirs}/user-dirs.dirs r,
--- a/apparmor.d/groups/gvfs/gvfsd-trash
+++ b/apparmor.d/groups/gvfs/gvfsd-trash
@ -31,8 +31,7 @@ profile gvfsd-trash @{exec_path} {

  # Can restore all user files
  owner @{HOME}/{,**} rw,
-  owner /media/*/{,**} rw,
-  owner /mnt/*/{,**} rw,
+  owner @{MOUNTS}/*/{,**} rw,

  include if exists <local/gvfsd-trash>
 }