feat(profile): use the new @{tmp} variable.

It is only used with the owner statement.
2024-05-02 22:12:02 +01:00 · 2024-05-02 22:12:02 +01:00 · 3f69b9fec4
commit 3f69b9fec4
parent 0bbbe71422
257 changed files with 668 additions and 685 deletions
--- a/apparmor.d/groups/kde/baloo
+++ b/apparmor.d/groups/kde/baloo
@ -33,7 +33,7 @@ profile baloo @{exec_path} {
  # Allow to search user files
  owner @{HOME}/{,**} r,
  owner @{MOUNTS}/{,**} r,
-  owner /tmp/*/{,**} r,
+  owner @{tmp}/*/{,**} r,

  owner @{user_config_dirs}/#@{int} rw,
  owner @{user_config_dirs}/baloofilerc rwl,
--- a/apparmor.d/groups/kde/dolphin
+++ b/apparmor.d/groups/kde/dolphin
@ -54,7 +54,7 @@ profile dolphin @{exec_path} {
  @{MOUNTS}/** rw,
  owner @{HOME}/{,**} rw,
  owner @{run}/user/@{uid}/{,**} rw,
-  owner /tmp/{,**} rw,
+  owner @{tmp}/{,**} rw,

  # Silence non user's data
  deny /boot/{,**} r,
--- a/apparmor.d/groups/kde/kcminit
+++ b/apparmor.d/groups/kde/kcminit
@ -32,11 +32,11 @@ profile kcminit @{exec_path} {
  owner @{user_config_dirs}/Trolltech.conf.lock rwk,
  owner @{user_config_dirs}/Trolltech.conf{,.@{rand6}} rwl,

-  owner /tmp/#@{int} rw,
-  owner /tmp/kcminit.@{rand6} rwl,
+  owner @{tmp}/#@{int} rw,
+  owner @{tmp}/kcminit.@{rand6} rwl,

-  owner /tmp/.touchpaddefaults wl,
-  owner /tmp/.touchpaddefaults.lock rwk,
+  owner @{tmp}/.touchpaddefaults wl,
+  owner @{tmp}/.touchpaddefaults.lock rwk,

  @{run}/user/@{uid}/xauth_@{rand6} rl,

--- a/apparmor.d/groups/kde/kconf_update
+++ b/apparmor.d/groups/kde/kconf_update
@ -91,9 +91,9 @@ profile kconf_update @{exec_path} {
  owner @{user_share_dirs}/krunnerstaterc.lock rwk,
  owner @{user_share_dirs}/krunnerstaterc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},

-  owner /tmp/#@{int} rw,
-  owner /tmp/kconf_update.@{rand6}.lock rwk,
-  owner /tmp/kconf_update.@{rand6}{,.@{rand6}} rwl -> /tmp/#@{int},
+  owner @{tmp}/#@{int} rw,
+  owner @{tmp}/kconf_update.@{rand6}.lock rwk,
+  owner @{tmp}/kconf_update.@{rand6}{,.@{rand6}} rwl -> /tmp/#@{int},

  @{sys}/devices/system/node/ r,
  @{sys}/devices/system/node/node@{int}/meminfo r,
--- a/apparmor.d/groups/kde/kded
+++ b/apparmor.d/groups/kde/kded
@ -156,9 +156,9 @@ profile kded @{exec_path} {
  owner @{run}/user/@{uid}/#@{int} rw,
  owner @{run}/user/@{uid}/kded{5,6}*kioworker.socket rwl,

-  owner /tmp/#@{int} rw,
-  owner /tmp/kded6.@{rand6} rwl -> /tmp/#@{int},
-  owner /tmp/plasma-csd-generator.@{rand6}/{,**} rw,
+  owner @{tmp}/#@{int} rw,
+  owner @{tmp}/kded6.@{rand6} rwl -> /tmp/#@{int},
+  owner @{tmp}/plasma-csd-generator.@{rand6}/{,**} rw,

        @{PROC}/ r,
        @{PROC}/@{pids}/cmdline/ r,
--- a/apparmor.d/groups/kde/kioworker
+++ b/apparmor.d/groups/kde/kioworker
@ -60,7 +60,7 @@ profile kioworker @{exec_path} {
  @{MOUNTS}/** rw,
  owner @{HOME}/{,**} rw,
  owner @{run}/user/@{uid}/{,**} rw,
-  owner /tmp/{,**} rw,
+  owner @{tmp}/{,**} rw,

  # Silence non user's data
  deny /boot/{,**} r,
@ -86,7 +86,7 @@ profile kioworker @{exec_path} {
  owner @{user_share_dirs}/kactivitymanagerd/resources/database-wal rw,
  owner @{user_share_dirs}/kservices{5,6}/{,**} r,

-  owner /tmp/#@{int} rw,
+  owner @{tmp}/#@{int} rw,

        @{run}/mount/utab r,
  owner @{run}/user/@{uid}/#@{int} rw,
--- a/apparmor.d/groups/kde/konsole
+++ b/apparmor.d/groups/kde/konsole
@ -59,8 +59,8 @@ profile konsole @{exec_path} flags=(attach_disconnected,mediate_deleted) {
  owner @{user_share_dirs}/konsole/** rwlk,
  owner @{user_share_dirs}/kxmlgui5/konsole/{,**} r,

-  owner /tmp/#@{int} rw,
-  owner /tmp/konsole.@{rand6} rw,
+  owner @{tmp}/#@{int} rw,
+  owner @{tmp}/konsole.@{rand6} rw,

  @{PROC}/sys/kernel/core_pattern r,
  @{PROC}/@{pid}/cmdline r,
--- a/apparmor.d/groups/kde/kscreenlocker_greet
+++ b/apparmor.d/groups/kde/kscreenlocker_greet
@ -91,7 +91,7 @@ profile kscreenlocker_greet @{exec_path} {
  deny owner @{HOME}/#@{int} mrw,
       owner @{HOME}/.glvnd* mrw,

-  owner /tmp/*-cover-*.{jpg,png} r,
+  owner @{tmp}/*-cover-*.{jpg,png} r,

  @{run}/faillock/[a-zA-z0-9]* rwk,

--- a/apparmor.d/groups/kde/ksmserver
+++ b/apparmor.d/groups/kde/ksmserver
@ -62,7 +62,7 @@ profile ksmserver @{exec_path} flags=(attach_disconnected,mediate_deleted) {
  owner @{user_share_dirs}/kservices{5,6}/ r,
  owner @{user_share_dirs}/kservices{5,6}/ServiceMenus/ r,

-  owner /tmp/@{rand6} rw,
+  owner @{tmp}/@{rand6} rw,

        @{run}/systemd/inhibit/[0-9]*.ref rw,
  owner @{run}/user/@{uid}/KSMserver__[0-9] rw,
--- a/apparmor.d/groups/kde/kwalletd
+++ b/apparmor.d/groups/kde/kwalletd
@ -41,7 +41,7 @@ profile kwalletd @{exec_path} {
  owner @{user_share_dirs}/kwalletd/ rw,
  owner @{user_share_dirs}/kwalletd/** rwkl -> @{user_share_dirs}/kwalletd/#@{int},

-  owner /tmp/kwalletd5.* rw,
+  owner @{tmp}/kwalletd5.* rw,

        @{PROC}/sys/kernel/core_pattern r,
  owner @{PROC}/@{pid}/cmdline r,
--- a/apparmor.d/groups/kde/kwin_x11
+++ b/apparmor.d/groups/kde/kwin_x11
@ -56,8 +56,8 @@ profile kwin_x11 @{exec_path} {
  owner @{user_config_dirs}/session/kwin_* rwk,
  owner @{user_config_dirs}/plasmarc r,
  owner @{user_config_dirs}/session/#@{int} rw,
-  owner /tmp/#@{int} rw,
-  owner /tmp/kwin.@{rand6} rwl,
+  owner @{tmp}/#@{int} rw,
+  owner @{tmp}/kwin.@{rand6} rwl,

  owner @{run}/user/@{uid}/kcrash_@{int} rw,

--- a/apparmor.d/groups/kde/okular
+++ b/apparmor.d/groups/kde/okular
@ -45,8 +45,8 @@ profile okular @{exec_path} {

  owner @{user_cache_dirs}/okular/{,**} rw,

-  owner /tmp/#@{int} rw,
-  owner /tmp/okular_@{rand6}.ps rwl -> /tmp/#@{int},
+  owner @{tmp}/#@{int} rw,
+  owner @{tmp}/okular_@{rand6}.ps rwl -> /tmp/#@{int},

  @{PROC}/sys/kernel/core_pattern r,

--- a/apparmor.d/groups/kde/plasma-discover
+++ b/apparmor.d/groups/kde/plasma-discover
@ -83,11 +83,11 @@ profile plasma-discover @{exec_path} {
  owner @{user_share_dirs}/kwin/ rw,
  owner @{user_share_dirs}/kwin/** rwlk -> @{user_share_dirs}/kwin/**,

-  owner /tmp/*.kwinscript rwl -> /tmp/#@{int},
-  owner /tmp/#@{int} rw,
-  owner /tmp/discover-@{rand6}/{,**} rw,
-  owner /tmp/ostree-gpg-*/ rw,
-  owner /tmp/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**,
+  owner @{tmp}/*.kwinscript rwl -> /tmp/#@{int},
+  owner @{tmp}/#@{int} rw,
+  owner @{tmp}/discover-@{rand6}/{,**} rw,
+  owner @{tmp}/ostree-gpg-*/ rw,
+  owner @{tmp}/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**,

  owner @{run}/user/@{uid}/.flatpak-cache rw,
  owner @{run}/user/@{uid}/.flatpak/{,**} rw,
@ -109,8 +109,8 @@ profile plasma-discover @{exec_path} {

    @{HOME}/@{XDG_GPG_DIR}/*.conf r,

-    owner /tmp/ostree-gpg-*/ r,
-    owner /tmp/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**,
+    owner @{tmp}/ostree-gpg-*/ r,
+    owner @{tmp}/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**,

    include if exists <local/plasma-discover_gpg>
  }
--- a/apparmor.d/groups/kde/plasmashell
+++ b/apparmor.d/groups/kde/plasmashell
@ -166,7 +166,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
  owner @{user_share_dirs}/user-places.xbel{,*} rwl,

        /tmp/.mount_nextcl@{rand6}/{,*} r,
-  owner /tmp/#@{int} rw,
+  owner @{tmp}/#@{int} rw,

        @{run}/mount/utab r,
        @{run}/user/@{uid}/gvfs/ r,
--- a/apparmor.d/groups/kde/sddm
+++ b/apparmor.d/groups/kde/sddm
@ -168,9 +168,9 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) {

        /tmp/sddm-* rw,
        /tmp/xauth_@{rand6} rwl -> /tmp/#@{int},
-  owner /tmp/*/{,s} rw,
-  owner /tmp/#@{int} rw,
-  owner /tmp/sddm-auth* rw,
+  owner @{tmp}/*/{,s} rw,
+  owner @{tmp}/#@{int} rw,
+  owner @{tmp}/sddm-auth* rw,

        @{run}/faillock/[a-zA-z0-9]* rwk,
        @{run}/sddm.pid rw,
--- a/apparmor.d/groups/kde/sddm-greeter
+++ b/apparmor.d/groups/kde/sddm-greeter
@ -63,8 +63,8 @@ profile sddm-greeter @{exec_path} {
  deny owner @{HOME}/#@{int} mrw,
       owner @{HOME}/.glvnd* mrw,

-  owner /tmp/runtime-sddm/ rw,
-  owner /tmp/sddm-:@{int}-@{rand6} rw,
+  owner @{tmp}/runtime-sddm/ rw,
+  owner @{tmp}/sddm-:@{int}-@{rand6} rw,

  owner @{run}/sddm/{,*} rw,

--- a/apparmor.d/groups/kde/sddm-xsession
+++ b/apparmor.d/groups/kde/sddm-xsession
@ -61,8 +61,8 @@ profile sddm-xsession @{exec_path} {

  owner @{user_share_dirs}/sddm/xorg-session.log w,

-  owner /tmp/xsess-env-* rw,
-  owner /tmp/file* rw,
+  owner @{tmp}/xsess-env-* rw,
+  owner @{tmp}/file* rw,

  owner @{PROC}/@{pid}/loginuid r,

--- a/apparmor.d/groups/kde/startplasma
+++ b/apparmor.d/groups/kde/startplasma
@ -64,8 +64,8 @@ profile startplasma @{exec_path} {
  owner @{user_share_dirs}/sddm/wayland-session.log rw,
  owner @{user_share_dirs}/sddm/xorg-session.log rw,

-  owner /tmp/#@{int} rw,
-  owner /tmp/startplasma-{x11,wayland}.@{rand6} rwl -> /tmp/#@{int},
+  owner @{tmp}/#@{int} rw,
+  owner @{tmp}/startplasma-{x11,wayland}.@{rand6} rwl -> /tmp/#@{int},

  owner @{run}/user/@{uid}/ r,

--- a/apparmor.d/groups/kde/xembedsniproxy
+++ b/apparmor.d/groups/kde/xembedsniproxy
@ -18,7 +18,7 @@ profile xembedsniproxy @{exec_path} {
  /usr/share/hwdata/*.ids r,
  /usr/share/icu/@{int}.@{int}/*.dat r,

-  owner /tmp/xauth_@{rand6} r,
+  owner @{tmp}/xauth_@{rand6} r,

  @{run}/user/@{uid}/xauth_@{rand6} rl,

--- a/apparmor.d/groups/kde/xsettingsd
+++ b/apparmor.d/groups/kde/xsettingsd
@ -16,7 +16,7 @@ profile xsettingsd @{exec_path} {

  owner @{user_config_dirs}/xsettingsd/{,**} rw,

-  owner /tmp/xauth_@{rand6} r,
+  owner @{tmp}/xauth_@{rand6} r,

  owner @{run}/user/@{uid}/xauth_@{rand6} rl,