/run -> @{run}, [0-9]* -> @{uid}.

2021-10-07 14:52:41 +01:00 · 2021-10-07 14:52:41 +01:00 · 2fc138a4d7
commit 2fc138a4d7
parent 9c8c2144b8
15 changed files with 35 additions and 35 deletions
--- a/apparmor.d/groups/apps/android-studio
+++ b/apparmor.d/groups/apps/android-studio
@ -211,9 +211,9 @@ profile android-studio @{exec_path} {
  owner /tmp/** rwk,
  owner /tmp/native-platform[0-9]*dir/*.so rwm,

-  owner /{var,}run/user/[0-9]*/avd/ rw,
-  owner /{var,}run/user/[0-9]*/avd/running/ rw,
-  owner /{var,}run/user/[0-9]*/avd/running/pid_@{pid}.ini rw,
+  owner /{var,}run/user/@{uid}/avd/ rw,
+  owner /{var,}run/user/@{uid}/avd/running/ rw,
+  owner /{var,}run/user/@{uid}/avd/running/pid_@{pid}.ini rw,

  /usr/share/hwdata/pnp.ids r,

--- a/apparmor.d/groups/apps/geany
+++ b/apparmor.d/groups/apps/geany
@ -51,7 +51,7 @@ profile geany @{exec_path} {

  owner @{user_config_dirs}/geany/{,**} rw,

-  owner /{run/,}user/[0-9]*/geany/geany_socket.[0-9a-f]* rw,
+  owner /{run/,}user/@{uid}/geany/geany_socket.[0-9a-f]* rw,

  # To read/write files in the system. The read permission is granted for all files, the write
  # permission only for the owner. Also, dirs like /dev/, /proc/, /sys/  are not included in
@ -84,9 +84,9 @@ profile geany @{exec_path} {
        /root/    r,
        /root/**  r,
  owner /root/**  rw,
-        /run/     r,
-        /run/**   r,
-  owner /run/**   rw,
+        @{run}/   r,
+        @{run}/** r,
+  owner @{run}/** rw,
        /srv/     r,
        /srv/**   r,
  owner /srv/**   rw,
--- a/apparmor.d/groups/apps/usr.lib.libreoffice.program.oosplash
+++ b/apparmor.d/groups/apps/usr.lib.libreoffice.program.oosplash
@ -22,7 +22,7 @@ profile libreoffice-oosplash /usr/lib/libreoffice/program/oosplash flags=(compla
  /etc/libreoffice/**                   r,
  /etc/passwd                           r,
  /etc/nsswitch.conf                    r,
-  /run/nscd/passwd                      r,
+  @{run}/nscd/passwd                      r,
  /sys/devices/{virtual,pci[0-9]*}/**/queue/rotational  r, # for isRotational() in desktop/unx/source/pagein.c
  /usr/lib{,32,64}/ure/bin/javaldx      rmpux,
  /usr/share/libreoffice/program/*      r,
--- a/apparmor.d/groups/apps/usr.lib.libreoffice.program.soffice.bin
+++ b/apparmor.d/groups/apps/usr.lib.libreoffice.program.soffice.bin
@ -126,7 +126,7 @@ profile libreoffice-soffice /usr/lib/libreoffice/program/soffice.bin flags=(comp
  owner @{user_cache_dirs}/fontconfig/**    rw,
  owner @{user_config_dirs}/gtk-???/bookmarks r,  #Make bookmarks work

-  owner /{,var/}run/user/*/dconf/user   rw,
+  owner /{,var/}run/user/@{uid}/dconf/user   rw,
  owner @{user_config_dirs}/dconf/user      r,

  # allow schema to be read
@ -201,9 +201,9 @@ profile libreoffice-soffice /usr/lib/libreoffice/program/soffice.bin flags=(comp
  @{PROC}/sys/kernel/random/boot_id r, # KRecentDocument::add() -> QSysInfo::bootUniqueId()

  #To avoid "Unable to create io-slave." for file dialog
-  owner /{,var/}run/user/[0-9]*/#[0-9]* rw,
+  owner /{,var/}run/user/@{uid}/#[0-9]* rw,
  #For KIO IO::Slave::createSlave()
-  owner /{,var/}run/user/[0-9]*/soffice.bin*.slave-socket wl ->  /{,var/}run/user/[0-9]*/#[0-9]*,
+  owner /{,var/}run/user/@{uid}/soffice.bin*.slave-socket wl ->  /{,var/}run/user/@{uid}/#[0-9]*,

  owner @{HOME}/.mozilla/firefox/profiles.ini r,
  owner @{HOME}/.mozilla/firefox/*/secmod.db r,
--- a/apparmor.d/groups/browsers/torbrowser.Browser.firefox
+++ b/apparmor.d/groups/browsers/torbrowser.Browser.firefox
@ -108,7 +108,7 @@ profile torbrowser_firefox @{torbrowser_firefox_executable} {

  # Should use abstractions/gstreamer instead once merged upstream
  /etc/udev/udev.conf r,
-  /run/udev/data/+pci:* r,
+  @{run}/udev/data/+pci:* r,
  /sys/devices/pci[0-9]*/**/uevent r,
  owner /{dev,run}/shm/shmfd-* rw,

@ -132,7 +132,7 @@ profile torbrowser_firefox @{torbrowser_firefox_executable} {
  deny @{PROC}/@{pid}/net/route r,
  deny /sys/devices/system/cpu/cpufreq/policy[0-9]*/cpuinfo_max_freq r,
  deny /sys/devices/system/cpu/*/cache/index[0-9]*/size r,
-  deny /run/user/[0-9]*/dconf/user rw,
+  deny @{run}/user/@{uid}/dconf/user rw,
  deny /usr/bin/lsb_release x,

  # Silence denial logs about PulseAudio
@ -150,7 +150,7 @@ profile torbrowser_firefox @{torbrowser_firefox_executable} {
  /sys/class/ r,
  /sys/bus/ r,
  /sys/class/hidraw/ r,
-  /run/udev/data/c24{5,7,9}:* r,
+  @{run}/udev/data/c24{5,7,9}:* r,
  /dev/hidraw* rw,
  # Yubikey NEO also needs this:
  /sys/devices/**/hidraw/hidraw*/uevent r,
--- a/apparmor.d/groups/browsers/torbrowser.Browser.plugin-container
+++ b/apparmor.d/groups/browsers/torbrowser.Browser.plugin-container
@ -79,7 +79,7 @@ profile torbrowser_plugin_container {

  # Should use abstractions/gstreamer instead once merged upstream
  /etc/udev/udev.conf r,
-  /run/udev/data/+pci:* r,
+  @{run}/udev/data/+pci:* r,
  /sys/devices/pci[0-9]*/**/uevent r,
  owner /{dev,run}/shm/shmfd-* rw,

--- a/apparmor.d/groups/systemd/systemd-sysusers
+++ b/apparmor.d/groups/systemd/systemd-sysusers
@ -20,7 +20,7 @@ profile systemd-sysusers @{exec_path} flags=(attach_disconnected) {
  # Where the users can be created,
  /home/{,*} rw,
  /var/{,**} rw,
-  /run/{,**} rw,
+  @{run}/{,**} rw,

  /etc/ r,
  /etc/nsswitch.conf r,