Merge branch 'tunables' of https://github.com/nobody43/apparmor.d into nobody43-tunables

* 'tunables' of https://github.com/nobody43/apparmor.d:
  dbus temp tails
  Update apparmor.d
  Update gdm-runtime-config
  more unrelated changes
  adjust date-time
  random tails
  rename to int, convert more profiles
  fixes
  tunables

apparmor.d/profiles-g-l/gajim

@@ -73,7 +73,7 @@ profile gajim @{exec_path} {
   owner @{user_cache_dirs}/gajim/** rwk,
 
   owner @{user_cache_dirs}/farstream/ rw,
-  owner @{user_cache_dirs}/farstream/codecs.audio.x86_64.cache{,.tmp*} rw,
+  owner @{user_cache_dirs}/farstream/codecs.audio.x86_64.cache{,.tmp@{rand6}} rw,
 
   owner @{PROC}/@{pid}/fd/ r,
   owner @{PROC}/@{pid}/mounts r,

apparmor.d/profiles-g-l/glib-pacrunner

@@ -9,6 +9,8 @@ include <tunables/global>
 @{exec_path} = @{lib}/glib-pacrunner
 profile glib-pacrunner @{exec_path} {
   include <abstractions/base>
+  include <abstractions/dbus-strict>
+  include <abstractions/dbus-session-strict>
   include <abstractions/nameservice-strict>
 
   network inet dgram,

apparmor.d/profiles-g-l/gsettings

@@ -11,7 +11,7 @@ profile gsettings @{exec_path} {
   include <abstractions/base>
   include <abstractions/dconf-write>
 
-  unix (connect, receive, send) type=stream peer=(addr="@/tmp/dbus-*"),
+  unix (connect, receive, send) type=stream peer=(addr="@/tmp/dbus-????????"),
 
   @{exec_path} mr,
 
@@ -27,4 +27,4 @@ profile gsettings @{exec_path} {
   owner @{run}/user/@{uid}/bus rw,
 
   include if exists <local/gsettings>
-}
+}

apparmor.d/profiles-g-l/hardinfo

@@ -109,7 +109,7 @@ profile hardinfo @{exec_path} {
 
   owner @{HOME}/.hardinfo/ rw,
 
-  owner /tmp/#[0-9]*[0-9] rw,
+  owner /tmp/#@{int} rw,
 
   # Allowed apps to open
   @{lib}/firefox/firefox rPUx,

apparmor.d/profiles-g-l/hw-probe

@@ -132,10 +132,10 @@ profile hw-probe @{exec_path} {
 
     @{run}/log/ rw,
     /{run,var}/log/journal/ rw,
-    /{run,var}/log/journal/@{hex}/ rw,
-    /{run,var}/log/journal/@{hex}/user-@{hex}.journal* rw,
-    /{run,var}/log/journal/@{hex}/system.journal* rw,
-    /{run,var}/log/journal/@{hex}/system@@{hex}.journal* rw,
+    /{run,var}/log/journal/@{md5}/ rw,
+    /{run,var}/log/journal/@{md5}/user-@{hex}.journal* rw,
+    /{run,var}/log/journal/@{md5}/system.journal* rw,
+    /{run,var}/log/journal/@{md5}/system@@{hex}.journal* rw,
 
     owner @{PROC}/@{pid}/stat r,
 

apparmor.d/profiles-g-l/ioping

@@ -23,9 +23,9 @@ profile ioping @{exec_path} {
   # case of files, this write operation can damage files, so we allow only to read the files. When
   # pinging dirs, a file similar to "#1573619" is created in that dir, so it's allowed as well.
   / rw,
-  /#[0-9]*[0-9] rw,
+  /#@{int} rw,
   /**/ rw,
-  /**/#[0-9]*[0-9] rw,
+  /**/#@{int} rw,
 
   # Allow pinging files, but without write operation. Like in the case of dirs, when pinging dirs
   # there's also created the file similar to "#1573619" .

apparmor.d/profiles-g-l/jmtpfs

@@ -18,7 +18,7 @@ profile jmtpfs @{exec_path} {
   @{bin}/fusermount{,3} rCx -> fusermount,
 
   owner /tmp/tmp* rw,
-  owner /tmp/#[0-9]* rw,
+  owner /tmp/#@{int} rw,
 
   # Mount points
   owner @{HOME}/*/ r,

apparmor.d/profiles-g-l/kanyremote

@@ -67,7 +67,7 @@ profile kanyremote @{exec_path} {
   deny owner @{PROC}/@{pid}/cmdline r,
   deny       @{PROC}/sys/kernel/random/boot_id r,
 
-  /dev/shm/#[0-9]*[0-9] rw,
+  /dev/shm/#@{int} rw,
 
   /usr/share/hwdata/pnp.ids r,
 

apparmor.d/profiles-g-l/keepassxc

@@ -65,18 +65,18 @@ profile keepassxc @{exec_path} {
 
   # Database locations
   owner @{user_cache_dirs}/keepassxc/ rw,
-  owner @{user_cache_dirs}/keepassxc/* rwkl -> @{user_cache_dirs}/keepassxc/#[0-9]*[0-9],
+  owner @{user_cache_dirs}/keepassxc/* rwkl -> @{user_cache_dirs}/keepassxc/#@{int},
   owner @{user_config_dirs}/keepassxc/ rw,
-  owner @{user_config_dirs}/keepassxc/* rwkl -> @{user_config_dirs}/keepassxc/#[0-9]*[0-9],
+  owner @{user_config_dirs}/keepassxc/* rwkl -> @{user_config_dirs}/keepassxc/#@{int},
   owner @{user_password_store_dirs}/ r,
   owner @{user_password_store_dirs}/*.csv rw,
-  owner @{user_password_store_dirs}/*.kdbx* rwl -> @{KP_DB}/#[0-9]*[0-9],
-  owner @{user_password_store_dirs}/#[0-9]*[0-9] rw,
+  owner @{user_password_store_dirs}/*.kdbx* rwl -> @{KP_DB}/#@{int},
+  owner @{user_password_store_dirs}/#@{int} rw,
 
   owner /tmp/.[a-zA-Z]*/{,s} rw,
-  owner /tmp/*.*.gpgkey rwl -> /tmp/#[0-9]*[0-9],
-  owner /tmp/*.*.settings rwl -> /tmp/#[0-9]*[0-9],
-  owner /tmp/#[0-9]*[0-9] rw,
+  owner /tmp/*.*.gpgkey rwl -> /tmp/#@{int},
+  owner /tmp/*.*.settings rwl -> /tmp/#@{int},
+  owner /tmp/#@{int} rw,
   owner /tmp/keepassxc-*.lock{,.rmlock} rwk,
   owner /tmp/keepassxc-*.socket rw,
   owner /tmp/keepassxc.lock rw,
@@ -97,7 +97,7 @@ profile keepassxc @{exec_path} {
   owner @{run}/user/@{uid}/org.keepassxc.KeePassXC.BrowserServer w,
   owner @{run}/user/@{uid}/org.keepassxc.KeePassXC/ w,
 
-        /dev/shm/#[0-9]*[0-9] rw,
+        /dev/shm/#@{int} rw,
         /dev/tty rw,
         /dev/urandom rw,
   owner /dev/tty[0-9]* rw,

apparmor.d/profiles-g-l/labwc

@@ -58,7 +58,7 @@ profile labwc @{exec_path} flags=(attach_disconnected) {
   @{run}/systemd/sessions/* r,
   @{run}/systemd/seats/seat[0-9]* r,
 
-  @{run}/user/@{uid}/wayland-[0-9].lock k,
+  @{run}/user/@{uid}/wayland-@{int}.lock k,
 
   owner @{PROC}/@{pid}/fd/ r,