feat(profile): use the new @{tmp} variable.

It is only used with the owner statement.
2024-05-02 22:12:02 +01:00 · 2024-05-02 22:12:02 +01:00 · 3f69b9fec4
commit 3f69b9fec4
parent 0bbbe71422
257 changed files with 668 additions and 685 deletions
--- a/apparmor.d/profiles-m-r/man
+++ b/apparmor.d/profiles-m-r/man
@ -80,7 +80,7 @@ profile man_groff {
  /etc/papersize r,

  /tmp/groff* rw,
-  owner /tmp/* rw,
+  owner @{tmp}/* rw,

  include if exists <local/man_groff>
 }
--- a/apparmor.d/profiles-m-r/merkaartor
+++ b/apparmor.d/profiles-m-r/merkaartor
@ -49,8 +49,8 @@ profile merkaartor @{exec_path} {

  deny owner @{PROC}/@{pid}/cmdline r,

-  owner /tmp/qtsingleapp-merkaa-* rw,
-  owner /tmp/qtsingleapp-merkaa-*-lockfile rwk,
+  owner @{tmp}/qtsingleapp-merkaa-* rw,
+  owner @{tmp}/qtsingleapp-merkaa-*-lockfile rwk,

  @{sys}/devices/system/node/ r,
  @{sys}/devices/system/node/node@{int}/meminfo r,
--- a/apparmor.d/profiles-m-r/minitube
+++ b/apparmor.d/profiles-m-r/minitube
@ -50,8 +50,8 @@ profile minitube @{exec_path} {
  # If one is blocked, the others are probed.
  deny owner @{HOME}/#@{int} mrw,
       owner @{HOME}/.glvnd* mrw,
-  #    owner /tmp/#@{int} mrw,
-  #    owner /tmp/.glvnd* mrw,
+  #    owner @{tmp}/#@{int} mrw,
+  #    owner @{tmp}/.glvnd* mrw,

  # Cache
  owner @{user_cache_dirs}/ rw,
@ -74,8 +74,8 @@ profile minitube @{exec_path} {
  /usr/share/hwdata/pnp.ids r,

  # TMP
-  owner /tmp/qtsingleapp-minitu-* rw,
-  owner /tmp/qtsingleapp-minitu-*-lockfile rwk,
+  owner @{tmp}/qtsingleapp-minitu-* rw,
+  owner @{tmp}/qtsingleapp-minitu-*-lockfile rwk,

  @{bin}/xdg-open         rCx -> open,

--- a/apparmor.d/profiles-m-r/mkvmerge
+++ b/apparmor.d/profiles-m-r/mkvmerge
@ -19,8 +19,8 @@ profile mkvmerge @{exec_path} {
  owner @{user_music_dirs}/** rw,
  owner @{user_videos_dirs}/** rw,

-  owner /tmp/MKVToolNix-process-*.json r,
-  owner /tmp/MKVToolNix-GUI-MuxJob-*.json r,
+  owner @{tmp}/MKVToolNix-process-*.json r,
+  owner @{tmp}/MKVToolNix-GUI-MuxJob-*.json r,

  # file_inherit
  /dev/dri/card@{int} rw,
--- a/apparmor.d/profiles-m-r/mkvtoolnix-gui
+++ b/apparmor.d/profiles-m-r/mkvtoolnix-gui
@ -50,11 +50,11 @@ profile mkvtoolnix-gui @{exec_path} {
  owner @{user_cache_dirs}/bunkus.org/mkvtoolnix-gui/**/ rw,
  owner @{user_cache_dirs}/bunkus.org/mkvtoolnix-gui/**/@{hex} rw,

-  owner /tmp/#@{int} rw,
-  owner /tmp/MKVToolNix-GUI-MuxConfig-* rwl -> /tmp/#@{int},
-  owner /tmp/MKVToolNix-process-*.json rwl -> /tmp/#@{int},
-  owner /tmp/MKVToolNix-GUI-MuxJob-*.json rwl -> /tmp/#@{int},
-  owner /tmp/MKVToolNix-GUI-Instance-Communicator-* rw,
+  owner @{tmp}/#@{int} rw,
+  owner @{tmp}/MKVToolNix-GUI-MuxConfig-* rwl -> /tmp/#@{int},
+  owner @{tmp}/MKVToolNix-process-*.json rwl -> /tmp/#@{int},
+  owner @{tmp}/MKVToolNix-GUI-MuxJob-*.json rwl -> /tmp/#@{int},
+  owner @{tmp}/MKVToolNix-GUI-Instance-Communicator-* rw,
  owner /dev/shm/#@{int} rw,

  deny owner @{PROC}/@{pid}/cmdline r,
--- a/apparmor.d/profiles-m-r/modprobed-db
+++ b/apparmor.d/profiles-m-r/modprobed-db
@ -33,8 +33,8 @@ profile modprobed-db @{exec_path} {
  owner @{user_config_dirs}/modprobed-db.conf r,
  owner @{user_config_dirs}/modprobed.db rw,

-  owner /tmp/.inmem rw,
-  owner /tmp/.potential_new_db rw,
+  owner @{tmp}/.inmem rw,
+  owner @{tmp}/.potential_new_db rw,

        @{PROC}/modules r,
  owner @{PROC}/@{pid}/loginuid r,
--- a/apparmor.d/profiles-m-r/mono-sgen
+++ b/apparmor.d/profiles-m-r/mono-sgen
@ -36,8 +36,8 @@ profile mono-sgen @{exec_path} {
  owner @{user_config_dirs}/openra/{,**} rw,
  owner @{user_config_dirs}/.mono/{,**} r,

-  owner /tmp/*.* rw,
-  owner /tmp/CASESENSITIVETEST* rw,
+  owner @{tmp}/*.* rw,
+  owner @{tmp}/CASESENSITIVETEST* rw,
  owner /dev/shm/mono.* rw,

  owner @{PROC}/@{pid}/fd/ r,
--- a/apparmor.d/profiles-m-r/mpsyt
+++ b/apparmor.d/profiles-m-r/mpsyt
@ -52,9 +52,9 @@ profile mpsyt @{exec_path} {
  owner @{PROC}/@{pid}/mounts r,

        /tmp/ r,
-  owner /tmp/[a-z0-9]* rw,
-  owner /tmp/mpsyt-input* rw,
-  owner /tmp/mpsyt-mpv*.sock rw,
+  owner @{tmp}/[a-z0-9]* rw,
+  owner @{tmp}/mpsyt-input* rw,
+  owner @{tmp}/mpsyt-mpv*.sock rw,

  include if exists <local/mpsyt>
 }
--- a/apparmor.d/profiles-m-r/mpv
+++ b/apparmor.d/profiles-m-r/mpv
@ -53,11 +53,11 @@ profile mpv @{exec_path} {
  owner @{user_config_dirs}/mpv/{,**} rw,

        /tmp/ r,
-  owner /tmp/mpsyt-input* rw,
-  owner /tmp/mpsyt-mpv*.sock rw,
-  owner /tmp/smplayer-mpv-* rw,
-  owner /tmp/smplayer_preview/@{int}.{jpg,png} w,
-  owner /tmp/smplayer_screenshots/cap_*.{jpg,png} w,
+  owner @{tmp}/mpsyt-input* rw,
+  owner @{tmp}/mpsyt-mpv*.sock rw,
+  owner @{tmp}/smplayer-mpv-* rw,
+  owner @{tmp}/smplayer_preview/@{int}.{jpg,png} w,
+  owner @{tmp}/smplayer_screenshots/cap_*.{jpg,png} w,

  owner @{run}/user/@{uid}/gvfs/smb-share:server=*,share=**/ r,
  owner @{run}/user/@{uid}/gvfs/smb-share:server=*,share=** r,
--- a/apparmor.d/profiles-m-r/nmap
+++ b/apparmor.d/profiles-m-r/nmap
@ -31,8 +31,8 @@ profile nmap @{exec_path} {

  /usr/share/nmap/** r,

-  owner /tmp/zenmap-stdout-* rw,
-  owner /tmp/zenmap-*.xml rw,
+  owner @{tmp}/zenmap-stdout-* rw,
+  owner @{tmp}/zenmap-*.xml rw,

  owner @{PROC}/@{pid}/net/dev r,
  owner @{PROC}/@{pid}/net/if_inet6 r,
--- a/apparmor.d/profiles-m-r/ntfsdecrypt
+++ b/apparmor.d/profiles-m-r/ntfsdecrypt
@ -17,7 +17,7 @@ profile ntfsdecrypt @{exec_path} {
  @{exec_path} mr,

  # Common locations of the key
-  owner /tmp/*.key r,
+  owner @{tmp}/*.key r,
  owner @{HOME}/*.key r,

  include if exists <local/ntfsdecrypt>
--- a/apparmor.d/profiles-m-r/ntfsundelete
+++ b/apparmor.d/profiles-m-r/ntfsundelete
@ -19,8 +19,8 @@ profile ntfsundelete @{exec_path} {
  owner @{PROC}/@{pid}/mounts r,

  # The recovery dir
-  owner /tmp/ntfs-recovery/ r,
-  owner /tmp/ntfs-recovery/* rw,
+  owner @{tmp}/ntfs-recovery/ r,
+  owner @{tmp}/ntfs-recovery/* rw,

  include if exists <local/ntfsundelete>
 }
--- a/apparmor.d/profiles-m-r/ntfsusermap
+++ b/apparmor.d/profiles-m-r/ntfsusermap
@ -21,7 +21,7 @@ profile ntfsusermap @{exec_path} {

  # Where to save the UserMapping file
  owner /root/UserMapping w,
-  owner /tmp/UserMapping w,
+  owner @{tmp}/UserMapping w,

  include if exists <local/ntfsusermap>
 }
--- a/apparmor.d/profiles-m-r/os-prober
+++ b/apparmor.d/profiles-m-r/os-prober
@ -61,7 +61,7 @@ profile os-prober @{exec_path} flags=(attach_disconnected) {
  /boot/{efi/,}EFI/ r,
  /boot/{efi/,}EFI/*/ r,

-  owner /tmp/os-prober.*/{,**} rw,
+  owner @{tmp}/os-prober.*/{,**} rw,

  @{sys}/block/ r,
  @{sys}/devices/@{pci}/block/*/ r,
--- a/apparmor.d/profiles-m-r/packagekitd
+++ b/apparmor.d/profiles-m-r/packagekitd
@ -89,9 +89,9 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) {

        /tmp/apt-changelog-@{rand6}/ w,
        /tmp/apt-changelog-@{rand6}/*.changelog rw,
-  owner /tmp/alpm_*/{,**} rw,
-  owner /tmp/apt-changelog-@{rand6}/.apt-acquire-privs-test.@{rand6} rw,
-  owner /tmp/packagekit* rw,
+  owner @{tmp}/alpm_*/{,**} rw,
+  owner @{tmp}/apt-changelog-@{rand6}/.apt-acquire-privs-test.@{rand6} rw,
+  owner @{tmp}/packagekit* rw,

        @{run}/systemd/inhibit/*.ref rw,
  owner @{run}/systemd/users/@{uid} r,
--- a/apparmor.d/profiles-m-r/pam-tmpdir-helper
+++ b/apparmor.d/profiles-m-r/pam-tmpdir-helper
@ -15,8 +15,8 @@ profile pam-tmpdir-helper @{exec_path} {

  @{exec_path} mr,

-  owner /tmp/user/ rw,
-  owner /tmp/user/@{uid}/ rw,
+  owner @{tmp}/user/ rw,
+  owner @{tmp}/ rw,

  /dev/ptmx rw,

--- a/apparmor.d/profiles-m-r/pass
+++ b/apparmor.d/profiles-m-r/pass
@ -124,7 +124,7 @@ profile pass @{exec_path} {
    owner @{user_password_store_dirs}/   rw,
    owner @{user_password_store_dirs}/** rwkl -> @{HOME}/.password-store/**,

-    owner /tmp/.git_vtag_tmp@{rand6} rw,  # For git log --show-signature
+    owner @{tmp}/.git_vtag_tmp@{rand6} rw,  # For git log --show-signature
    owner /dev/shm/pass.*/.git_vtag_tmp@{rand6} rw,

    include if exists <local/pass_git>
@ -146,7 +146,7 @@ profile pass @{exec_path} {
    owner @{user_password_store_dirs}/   rw,
    owner @{user_password_store_dirs}/** rwkl -> @{HOME}/.password-store/**,
    owner /dev/shm/pass.*/{,*} rw,
-    owner /tmp/.git_vtag_tmp@{rand6} rw,  # For git log --show-signature
+    owner @{tmp}/.git_vtag_tmp@{rand6} rw,  # For git log --show-signature

    owner /dev/pts/@{int} rw,

--- a/apparmor.d/profiles-m-r/pass-import
+++ b/apparmor.d/profiles-m-r/pass-import
@ -33,7 +33,7 @@ profile pass-import @{exec_path} {

  owner @{user_password_store_dirs}/{,**} rw,

-  owner /tmp/[a-zA-Z0-9]* rw,
+  owner @{tmp}/[a-zA-Z0-9]* rw,

  @{PROC}/@{pids}/fd/ r,

--- a/apparmor.d/profiles-m-r/pinentry-qt
+++ b/apparmor.d/profiles-m-r/pinentry-qt
@ -38,7 +38,7 @@ profile pinentry-qt @{exec_path} {
  owner @{user_config_dirs}/kdeglobals r,
  owner @{user_config_dirs}/kwinrc r,

-  owner /tmp/xauth_@{rand6} r,
+  owner @{tmp}/xauth_@{rand6} r,
  owner /dev/shm/#@{int} rw,

  @{sys}/devices/system/node/ r,
--- a/apparmor.d/profiles-m-r/popularity-contest
+++ b/apparmor.d/profiles-m-r/popularity-contest
@ -45,7 +45,7 @@ profile popularity-contest @{exec_path} {
  /var/log/popularity-contest.[0-9]* w,
  /var/log/popularity-contest.new w,

-  owner /tmp/#@{int} rw,
+  owner @{tmp}/#@{int} rw,
  
  @{PROC}/ r,

--- a/apparmor.d/profiles-m-r/psi
+++ b/apparmor.d/profiles-m-r/psi
@ -63,8 +63,8 @@ profile psi @{exec_path} {
  owner @{user_share_dirs}/psi/ rw,
  owner @{user_share_dirs}/psi/** rwk,

-  owner /tmp/#@{int} rw,
-  owner /tmp/Psi.* rwl -> /tmp/#@{int},
+  owner @{tmp}/#@{int} rw,
+  owner @{tmp}/Psi.* rwl -> /tmp/#@{int},

  @{run}/systemd/inhibit/[0-9]*.ref rw,

--- a/apparmor.d/profiles-m-r/psi-plus
+++ b/apparmor.d/profiles-m-r/psi-plus
@ -61,8 +61,8 @@ profile psi-plus @{exec_path} {
  owner @{user_share_dirs}/psi+/ rw,
  owner @{user_share_dirs}/psi+/** rwk,

-  owner /tmp/#@{int} rw,
-  owner /tmp/Psi+.* rwl -> /tmp/#@{int},
+  owner @{tmp}/#@{int} rw,
+  owner @{tmp}/Psi+.* rwl -> /tmp/#@{int},
  owner /var/tmp/etilqs_@{hex} rw,

  @{run}/systemd/inhibit/[0-9]*.ref rw,
--- a/apparmor.d/profiles-m-r/qbittorrent
+++ b/apparmor.d/profiles-m-r/qbittorrent
@ -100,16 +100,14 @@ profile qbittorrent @{exec_path} {
  owner @{user_torrents_dirs}/** rw,

  owner /dev/shm/#@{int} rw,
-  owner /tmp/.*/{,s} rw,
-  owner /tmp/.qBittorrent/ rw,
-  owner /tmp/.qBittorrent/* rwl -> /tmp/.qBittorrent/*,
-  owner /tmp/*.torrent rw,
-  owner /tmp/mozilla_*/*.torrent rw,
-  owner /tmp/qtsingleapp-qBitto-* rw,
-  owner /tmp/qtsingleapp-qBitto-*-lockfile rwk,
-  owner /tmp/tmp* rw,
-  owner /tmp/user/@{uid}/.qBittorrent/ rw,
-  owner /tmp/user/@{uid}/.qBittorrent/** rw,
+  owner @{tmp}/.*/{,s} rw,
+  owner @{tmp}/.qBittorrent/ rw,
+  owner @{tmp}/.qBittorrent/* rwl -> /tmp/.qBittorrent/*,
+  owner @{tmp}/*.torrent rw,
+  owner @{tmp}/mozilla_*/*.torrent rw,
+  owner @{tmp}/qtsingleapp-qBitto-* rw,
+  owner @{tmp}/qtsingleapp-qBitto-*-lockfile rwk,
+  owner @{tmp}/tmp* rw,

  owner @{PROC}/@{pids}/cmdline r,
  owner @{PROC}/@{pids}/comm r,
@ -142,8 +140,8 @@ profile qbittorrent @{exec_path} {
    owner /dev/shm/sem.mp-???????? rwl -> /dev/shm/@{int},  # unconventional '_' tail
    owner /dev/shm/* rw,

-    owner /tmp/@{int} rw,
-    owner /tmp/tmp* rw,
+    owner @{tmp}/@{int} rw,
+    owner @{tmp}/tmp* rw,

    deny /dev/dri/card@{int} rw,

--- a/apparmor.d/profiles-m-r/qbittorrent-nox
+++ b/apparmor.d/profiles-m-r/qbittorrent-nox
@ -57,13 +57,13 @@ profile qbittorrent-nox @{exec_path} {
  owner @{user_share_dirs}/mime/types r,

  # TMP
-  owner /tmp/qtsingleapp-qBitto-* rw,
-  owner /tmp/qtsingleapp-qBitto-*-lockfile rwk,
-  owner /tmp/.qBittorrent/ rw,
-  owner /tmp/.qBittorrent/* rwl -> /tmp/.qBittorrent/*,
-  owner /tmp/mozilla_*/*.torrent rw,
-  owner /tmp/*.torrent rw,
-  owner /tmp/.*/{,s} rw,
+  owner @{tmp}/qtsingleapp-qBitto-* rw,
+  owner @{tmp}/qtsingleapp-qBitto-*-lockfile rwk,
+  owner @{tmp}/.qBittorrent/ rw,
+  owner @{tmp}/.qBittorrent/* rwl -> /tmp/.qBittorrent/*,
+  owner @{tmp}/mozilla_*/*.torrent rw,
+  owner @{tmp}/*.torrent rw,
+  owner @{tmp}/.*/{,s} rw,

  include if exists <local/qbittorrent-nox>
 }
--- a/apparmor.d/profiles-m-r/qnapi
+++ b/apparmor.d/profiles-m-r/qnapi
@ -63,15 +63,15 @@ profile qnapi @{exec_path} {
  owner @{user_cache_dirs}/ rw,

        /tmp/ r,
-  owner /tmp/@{hex}.* rw,
-  owner /tmp/** rw,
-  owner /tmp/#@{int} rw,
-  owner /tmp/QNapi-*-rc wl -> /tmp/#@{int},
-  owner /tmp/QNapi-*-rc.lock rwk,
-  owner /tmp/QNapi.@{int}.tmp rw,
-  owner /tmp/QNapi.@{int}.tmp.* rw,
-  owner /tmp/QNapi.@{int}.tmp.* rwl -> /tmp/#@{int},
-  owner /tmp/QNapi.@{int} rw,
+  owner @{tmp}/@{hex}.* rw,
+  owner @{tmp}/** rw,
+  owner @{tmp}/#@{int} rw,
+  owner @{tmp}/QNapi-*-rc wl -> /tmp/#@{int},
+  owner @{tmp}/QNapi-*-rc.lock rwk,
+  owner @{tmp}/QNapi.@{int}.tmp rw,
+  owner @{tmp}/QNapi.@{int}.tmp.* rw,
+  owner @{tmp}/QNapi.@{int}.tmp.* rwl -> /tmp/#@{int},
+  owner @{tmp}/QNapi.@{int} rw,

  owner /dev/shm/#@{int} rw,

--- a/apparmor.d/profiles-m-r/qpdfview
+++ b/apparmor.d/profiles-m-r/qpdfview
@ -56,9 +56,9 @@ profile qpdfview @{exec_path} {
  owner @{user_share_dirs}/qpdfview/** rwk,

  owner /dev/shm/#@{int} rw,
-  owner /tmp/@{hex} rw,
-  owner /tmp/#@{int} rw,
-  owner /tmp/qpdfview.*.pdf rwl -> /tmp/#@{int},
+  owner @{tmp}/@{hex} rw,
+  owner @{tmp}/#@{int} rw,
+  owner @{tmp}/qpdfview.*.pdf rwl -> /tmp/#@{int},

       owner @{PROC}/@{pid}/mountinfo r,
       owner @{PROC}/@{pid}/mounts r,
--- a/apparmor.d/profiles-m-r/qtox
+++ b/apparmor.d/profiles-m-r/qtox
@ -52,7 +52,7 @@ profile qtox @{exec_path} {
  owner @{PROC}/@{pid}/cmdline r,
        @{PROC}/sys/kernel/core_pattern r,  # for KCrash::initialize()

-  owner /tmp/qipc_{systemsem,sharedmemory}_*@{hex} rw,
+  owner @{tmp}/qipc_{systemsem,sharedmemory}_*@{hex} rw,

  /dev/ r,
  /dev/video@{int} rw,
--- a/apparmor.d/profiles-m-r/quiterss
+++ b/apparmor.d/profiles-m-r/quiterss
@ -61,8 +61,8 @@ profile quiterss @{exec_path} {

  /dev/shm/#@{int} rw,

-  owner /tmp/qtsingleapp-quiter-@{int}-@{int} rw,
-  owner /tmp/qtsingleapp-quiter-@{int}-@{int}-lockfile rwk,
+  owner @{tmp}/qtsingleapp-quiter-@{int}-@{int} rw,
+  owner @{tmp}/qtsingleapp-quiter-@{int}-@{int}-lockfile rwk,
  owner /var/tmp/etilqs_@{hex} rw,

  # Allowed apps to open
--- a/apparmor.d/profiles-m-r/repo
+++ b/apparmor.d/profiles-m-r/repo
@ -50,8 +50,8 @@ profile repo @{exec_path} {

  /usr/share/git-core/{,**} r,

-  owner /tmp/.git_vtag_tmp@{rand6} rw,
-  owner /tmp/ssh-*/ rw,
+  owner @{tmp}/.git_vtag_tmp@{rand6} rw,
+  owner @{tmp}/ssh-*/ rw,

  owner @{PROC}/@{pid}/fd/ r,
  owner @{PROC}/@{pid}/mounts r,
@ -80,7 +80,7 @@ profile repo @{exec_path} {
    owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**,
    owner @{HOME}/.repoconfig/gnupg/** rwkl -> @{HOME}/.repoconfig/gnupg/**,

-    owner /tmp/.git_vtag_tmp@{rand6} r,
+    owner @{tmp}/.git_vtag_tmp@{rand6} r,

  }

--- a/apparmor.d/profiles-m-r/run-parts
+++ b/apparmor.d/profiles-m-r/run-parts
@ -135,9 +135,9 @@ profile run-parts @{exec_path} {

  /usr/share/landscape/landscape-sysinfo.wrapper rPUx,

-  owner /tmp/#@{int} rw,
-  owner /tmp/$anacron* rw,
-  owner /tmp/file@{rand6} ra,
+  owner @{tmp}/#@{int} rw,
+  owner @{tmp}/$anacron* rw,
+  owner @{tmp}/file@{rand6} ra,
  
  owner @{sys}/class/power_supply/            r,

--- a/apparmor.d/profiles-m-r/runuser
+++ b/apparmor.d/profiles-m-r/runuser
@ -45,7 +45,7 @@ profile runuser @{exec_path} {
  /etc/default/runuser r,

  # file_inherit
-  owner /tmp/debian-security-support.postinst.*/output w,
+  owner @{tmp}/debian-security-support.postinst.*/output w,

  include if exists <local/runuser>
 }