Merge branch 'tunables' of https://github.com/nobody43/apparmor.d into nobody43-tunables

* 'tunables' of https://github.com/nobody43/apparmor.d:
  dbus temp tails
  Update apparmor.d
  Update gdm-runtime-config
  more unrelated changes
  adjust date-time
  random tails
  rename to int, convert more profiles
  fixes
  tunables

apparmor.d/profiles-a-f/aa-log

@@ -26,7 +26,7 @@ profile aa-log @{exec_path} {
   /var/log/syslog* r,
 
   /{run,var}/log/journal/ r,
-  /{run,var}/log/journal/@{hex}/{,*} r,
+  /{run,var}/log/journal/@{md5}/{,*} r,
 
   @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
 
@@ -36,4 +36,4 @@ profile aa-log @{exec_path} {
   /dev/tty[0-9]* rw,
 
   include if exists <local/aa-log>
-}
+}

apparmor.d/profiles-a-f/anki

@@ -54,10 +54,10 @@ profile anki @{exec_path} {
   owner @{HOME}/ r,
   owner @{user_cache_dirs}/ rw,
   owner @{user_cache_dirs}/qtshadercache/ rw,
-  owner @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9] rw,
-  owner @{user_cache_dirs}/qtshadercache/@{hex} rwl -> @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9],
-  owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9] rw,
-  owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/@{hex} rwl -> @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9],
+  owner @{user_cache_dirs}/qtshadercache/#@{int} rw,
+  owner @{user_cache_dirs}/qtshadercache/@{hex} rwl -> @{user_cache_dirs}/qtshadercache/#@{int},
+  owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/#@{int} rw,
+  owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/@{hex} rwl -> @{user_cache_dirs}/qtshadercache-*-little_endian-*/#@{int},
 
   /usr/share/anki/{,**} r,
 
@@ -81,9 +81,9 @@ profile anki @{exec_path} {
   owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw,
 
   # If one is blocked, the others are probed.
-  deny owner @{HOME}/#[0-9]*[0-9] mrw,
+  deny owner @{HOME}/#@{int} mrw,
        owner @{HOME}/.glvnd* mrw,
-  #    owner /tmp/#[0-9]*[0-9] mrw,
+  #    owner /tmp/#@{int} mrw,
   #    owner /tmp/.glvnd* mrw,
 
   # The /proc/ dir is needed to avoid the following error:
@@ -118,7 +118,7 @@ profile anki @{exec_path} {
   owner /tmp/mozilla_*/*.apkg r,
 
   owner /dev/shm/.org.chromium.Chromium.* rw,
-        /dev/shm/#[0-9]*[0-9] rw,
+        /dev/shm/#@{int} rw,
 
   @{sys}/devices/pci[0-9]*/**/irq r,
   @{sys}/devices/pci[0-9]*/**/{vendor,device} r,

apparmor.d/profiles-a-f/birdtray

@@ -37,8 +37,8 @@ profile birdtray @{exec_path} {
   owner @{user_config_dirs}/ulduzsoft/ rw,
   owner @{user_config_dirs}/ulduzsoft/* rwkl -> /home/morfik/.config/ulduzsoft/*,
 
-  owner @{user_config_dirs}/birdtray-config.json rwl -> @{user_config_dirs}/#[0-9]*[0-9],
-  owner @{user_config_dirs}/birdtray-config.json.* rwl -> @{user_config_dirs}/#[0-9]*[0-9],
+  owner @{user_config_dirs}/birdtray-config.json rwl -> @{user_config_dirs}/#@{int},
+  owner @{user_config_dirs}/birdtray-config.json.* rwl -> @{user_config_dirs}/#@{int},
 
   owner /tmp/birdtray.ulduzsoft.single.instance.server.socket w,
 
@@ -56,7 +56,7 @@ profile birdtray @{exec_path} {
 
   /usr/share/hwdata/pnp.ids r,
 
-  /dev/shm/#[0-9]*[0-9] rw,
+  /dev/shm/#@{int} rw,
 
   deny       @{PROC}/sys/kernel/random/boot_id r,
   deny owner @{PROC}/@{pid}/cmdline r,

apparmor.d/profiles-a-f/blkid

@@ -20,7 +20,7 @@ profile blkid @{exec_path} {
   /etc/blkid.conf r,
 
   # When the system doesn't have the /run/ dir, the cache file is placed under /etc/
-  @{etc_rw}/blkid.tab{,-*} rw,
+  @{etc_rw}/blkid.tab{,-@{rand6}} rw,
   @{etc_rw}/blkid.tab.old rwl -> /etc/blkid.tab,
 
   # Image files
@@ -29,7 +29,7 @@ profile blkid @{exec_path} {
   # The standard location of the cache file
   # Without owner here if this tool should be used as a regular user
   @{run}/blkid/ rw,
-  @{run}/blkid/blkid.tab{,-*} rw,
+  @{run}/blkid/blkid.tab{,-@{rand6}} rw,
   @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab,
 
   # For the EVALUATE=scan method

apparmor.d/profiles-a-f/btrfs

@@ -39,7 +39,7 @@ profile btrfs @{exec_path} {
   # For fsck of the btrfs filesystem directly from gparted
   owner /tmp/gparted-*/ rw,
 
-  @{run}/blkid/blkid.tab{,-*} rw,
+  @{run}/blkid/blkid.tab{,-@{rand6}} rw,
   @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab,
 
   @{sys}/fs/btrfs/@{uuid}/devinfo/[0-9]*/fsid r,

apparmor.d/profiles-a-f/btrfstune

@@ -16,7 +16,7 @@ profile btrfstune @{exec_path} {
         @{PROC}/partitions r,
   owner @{PROC}/@{pid}/mounts r,
 
-  owner @{run}/blkid/blkid.tab{,-*} rw,
+  owner @{run}/blkid/blkid.tab{,-@{rand6}} rw,
   owner @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab,
 
   include if exists <local/btrfstune>

apparmor.d/profiles-a-f/cfdisk

@@ -25,7 +25,7 @@ profile cfdisk @{exec_path} {
   # A place for file images
   owner @{user_img_dirs}/{,**} rwk,
 
-  owner @{run}/blkid/blkid.tab{,-*} rw,
+  owner @{run}/blkid/blkid.tab{,-@{rand6}} rw,
   owner @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab,
 
         @{PROC}/partitions r,

apparmor.d/profiles-a-f/conky

@@ -124,7 +124,7 @@ profile conky @{exec_path} {
   # Xserver auth cookie for clients
   owner @{HOME}/.Xauthority r,
 
-  /dev/shm/#[0-9]*[0-9] rw,
+  /dev/shm/#@{int} rw,
 
   # Temperatures and Fans
   @{bin}/sensors rPUx,

apparmor.d/profiles-a-f/cupsd

@@ -93,7 +93,7 @@ profile cupsd @{exec_path} flags=(attach_disconnected) {
 
   @{sys}/module/apparmor/parameters/enabled r,
 
-        @{PROC}/@{pids}/fd r,
+        @{PROC}/@{pids}/fd/ r,
   owner @{PROC}/@{pid}/mounts r,
   
   owner /tmp/*_latest_print_info w,

apparmor.d/profiles-a-f/dumpe2fs

@@ -18,7 +18,7 @@ profile dumpe2fs @{exec_path} {
   # Image files
   owner @{user_img_dirs}/{,**} r,
 
-  owner @{run}/blkid/blkid.tab{,-*} rw,
+  owner @{run}/blkid/blkid.tab{,-@{rand6}} rw,
   owner @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab,
 
   /dev/tty[0-9]* rw,

apparmor.d/profiles-a-f/e2fsck

@@ -30,7 +30,7 @@ profile e2fsck @{exec_path} {
         @{run}/blkid/ rw,
         @{run}/systemd/fsck.progress rw,
   owner @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab,
-  owner @{run}/blkid/blkid.tab{,-*} rw,
+  owner @{run}/blkid/blkid.tab{,-@{rand6}} rw,
 
   @{sys}/devices/**/power_supply/AC/online r,
 

apparmor.d/profiles-a-f/engrampa

@@ -118,7 +118,7 @@ profile engrampa @{exec_path} {
 
   owner @{user_config_dirs}/ r,
   owner @{user_config_dirs}/engrampa/ rw,
-  owner @{user_config_dirs}/mimeapps.list{,.*} rw,
+  owner @{user_config_dirs}/mimeapps.list{,.@{rand6}} rw,
 
   owner @{user_share_dirs}/ r,
 

apparmor.d/profiles-a-f/exim4

@@ -71,7 +71,7 @@ profile exim4 @{exec_path} {
   owner @{run}/dbus/system_bus_socket rw,
 
   # file_inherit
-  /tmp/#[0-9]*[0-9] rw,
+  /tmp/#@{int} rw,
   /var/lib/dpkg/status r,
   /var/log/cron-apt/lastfullmessage r,
 

apparmor.d/profiles-a-f/exo-helper

@@ -36,7 +36,7 @@ profile exo-helper @{exec_path} {
   owner @{user_share_dirs}/xfce4/helpers/*.desktop rw,
   owner @{user_share_dirs}/xfce4/helpers/*.desktop.@{pid}.tmp rw,
 
-  owner @{user_config_dirs}/mimeapps.list{,.*} rw,
+  owner @{user_config_dirs}/mimeapps.list{,.@{rand6}} rw,
 
   # Some missing icons
   /usr/share/**.png r,

apparmor.d/profiles-a-f/flatpak-system-helper

@@ -41,7 +41,7 @@ profile flatpak-system-helper @{exec_path} {
   /var/lib/flatpak/{,**} rwkl,
   /var/tmp/flatpak-cache-*/{,**} rw,
 
-  owner /{var/,}tmp/#[0-9]* rw, 
+  owner /{var/,}tmp/#@{int} rw,
   owner /{var/,}tmp/ostree-gpg-*/ rw,
   owner /tmp/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**,
 
@@ -66,4 +66,4 @@ profile flatpak-system-helper @{exec_path} {
   }
 
   include if exists <local/flatpak-system-helper>
-}
+}

apparmor.d/profiles-a-f/fsck

@@ -30,7 +30,7 @@ profile fsck @{exec_path} {
 
   owner @{run}/fsck/ rw,
   owner @{run}/fsck/*.lock rwk,
-  owner @{run}/blkid/blkid.tab{,-*} rw,
+  owner @{run}/blkid/blkid.tab{,-@{rand6}} rw,
   owner @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab,
         @{run}/mount/utab r,
         @{run}/systemd/fsck.progress rw,

apparmor.d/profiles-a-f/fwupd

@@ -102,7 +102,7 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) {
   /var/tmp/etilqs_@{hex} rw,
 
   /boot/{,**} r,
-  /boot/EFI/*/.goutputstream-* rw,
+  /boot/EFI/*/.goutputstream-@{rand6} rw,
   /boot/EFI/*/fw/fwupd-*.cap{,.*} rw,
   /boot/EFI/*/fwupdx[0-9]*.efi rw,
   @{lib}/fwupd/efi/fwupdx[0-9]*.efi r,