Merge branch 'master' into ubuntu2204_3

2022-09-03 22:30:52 +00:00 · 2022-09-03 22:30:52 +00:00 · 5a7d5beda1
commit 5a7d5beda1
parent 00d3eb5efd 746a36bfb4
118 changed files with 914 additions and 777 deletions
--- a/2
+++ b/2
@ -9,7 +9,7 @@ arch=("x86_64")
 url="https://github.com/roddhjav/$pkgname"
 license=('GPL2')
 depends=('apparmor')
-makedepends=('go' 'git')
+makedepends=('go' 'git' 'rsync' 'lsb-release')
 pkgver() {
  cd "$srcdir/$pkgname"
--- a/apparmor.d/abstractions/file-browsing-strict
+++ b/apparmor.d/abstractions/file-browsing-strict
@ -1,15 +0,0 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2019-2021 Mikhail Morfikov
 # SPDX-License-Identifier: GPL-2.0-only
  abi <abi/3.0>,
  deny @{PROC}/@{pid}/mountinfo r,
  deny @{PROC}/@{pid}/mounts r,
  # Usually, apps shouldn't view this file
  deny /etc/fstab r,
  deny /dev/disk/*/ r,
  include if exists <abstractions/file-browsing-strict.d>
--- a/apparmor.d/abstractions/libvirt-lxc
+++ b/apparmor.d/abstractions/libvirt-lxc
@ -1,124 +0,0 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) Libvirt Team
 # Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
  include <abstractions/base>
  # Allow receiving signals from libvirtd
  signal (receive) peer=libvirtd,
  umount,
  # ignore DENIED message on / remount
  deny mount options=(ro, remount) -> /,
  # allow tmpfs mounts everywhere
  mount fstype=tmpfs,
  # allow mqueue mounts everywhere
  mount fstype=mqueue,
  # allow fuse mounts everywhere
  mount fstype=fuse.*,
  # deny writes in /proc/sys/fs but allow binfmt_misc to be mounted
  mount fstype=binfmt_misc -> /proc/sys/fs/binfmt_misc/,
  deny @{PROC}/sys/fs/** wklx,
  # allow efivars to be mounted, writing to it will be blocked though
  mount fstype=efivarfs -> /sys/firmware/efi/efivars/,
  # block some other dangerous paths
  deny @{PROC}/sysrq-trigger rwklx,
  deny @{PROC}/mem rwklx,
  deny @{PROC}/kmem rwklx,
  # deny writes in /sys except for /sys/fs/cgroup, also allow
  # fusectl, securityfs and debugfs to be mounted there (read-only)
  mount fstype=fusectl -> /sys/fs/fuse/connections/,
  mount fstype=securityfs -> /sys/kernel/security/,
  mount fstype=debugfs -> /sys/kernel/debug/,
  mount fstype=proc -> /proc/,
  mount fstype=sysfs -> /sys/,
  deny /sys/firmware/efi/efivars/** rwklx,
  deny /sys/kernel/security/** rwklx,
  # generated by: lxc-generate-aa-rules.py container-rules.base
  deny /proc/sys/[^kn]*{,/**} wklx,
  deny /proc/sys/k[^e]*{,/**} wklx,
  deny /proc/sys/ke[^r]*{,/**} wklx,
  deny /proc/sys/ker[^n]*{,/**} wklx,
  deny /proc/sys/kern[^e]*{,/**} wklx,
  deny /proc/sys/kerne[^l]*{,/**} wklx,
  deny /proc/sys/kernel/[^smhd]*{,/**} wklx,
  deny /proc/sys/kernel/d[^o]*{,/**} wklx,
  deny /proc/sys/kernel/do[^m]*{,/**} wklx,
  deny /proc/sys/kernel/dom[^a]*{,/**} wklx,
  deny /proc/sys/kernel/doma[^i]*{,/**} wklx,
  deny /proc/sys/kernel/domai[^n]*{,/**} wklx,
  deny /proc/sys/kernel/domain[^n]*{,/**} wklx,
  deny /proc/sys/kernel/domainn[^a]*{,/**} wklx,
  deny /proc/sys/kernel/domainna[^m]*{,/**} wklx,
  deny /proc/sys/kernel/domainnam[^e]*{,/**} wklx,
  deny /proc/sys/kernel/domainname?*{,/**} wklx,
  deny /proc/sys/kernel/h[^o]*{,/**} wklx,
  deny /proc/sys/kernel/ho[^s]*{,/**} wklx,
  deny /proc/sys/kernel/hos[^t]*{,/**} wklx,
  deny /proc/sys/kernel/host[^n]*{,/**} wklx,
  deny /proc/sys/kernel/hostn[^a]*{,/**} wklx,
  deny /proc/sys/kernel/hostna[^m]*{,/**} wklx,
  deny /proc/sys/kernel/hostnam[^e]*{,/**} wklx,
  deny /proc/sys/kernel/hostname?*{,/**} wklx,
  deny /proc/sys/kernel/m[^s]*{,/**} wklx,
  deny /proc/sys/kernel/ms[^g]*{,/**} wklx,
  deny /proc/sys/kernel/msg*/** wklx,
  deny /proc/sys/kernel/s[^he]*{,/**} wklx,
  deny /proc/sys/kernel/se[^m]*{,/**} wklx,
  deny /proc/sys/kernel/sem*/** wklx,
  deny /proc/sys/kernel/sh[^m]*{,/**} wklx,
  deny /proc/sys/kernel/shm*/** wklx,
  deny /proc/sys/kernel?*{,/**} wklx,
  deny /proc/sys/n[^e]*{,/**} wklx,
  deny /proc/sys/ne[^t]*{,/**} wklx,
  deny /proc/sys/net?*{,/**} wklx,
  deny /sys/[^fdc]*{,/**} wklx,
  deny /sys/c[^l]*{,/**} wklx,
  deny /sys/cl[^a]*{,/**} wklx,
  deny /sys/cla[^s]*{,/**} wklx,
  deny /sys/clas[^s]*{,/**} wklx,
  deny /sys/class/[^n]*{,/**} wklx,
  deny /sys/class/n[^e]*{,/**} wklx,
  deny /sys/class/ne[^t]*{,/**} wklx,
  deny /sys/class/net?*{,/**} wklx,
  deny /sys/class?*{,/**} wklx,
  deny /sys/d[^e]*{,/**} wklx,
  deny /sys/de[^v]*{,/**} wklx,
  deny /sys/dev[^i]*{,/**} wklx,
  deny /sys/devi[^c]*{,/**} wklx,
  deny /sys/devic[^e]*{,/**} wklx,
  deny /sys/device[^s]*{,/**} wklx,
  deny /sys/devices/[^v]*{,/**} wklx,
  deny /sys/devices/v[^i]*{,/**} wklx,
  deny /sys/devices/vi[^r]*{,/**} wklx,
  deny /sys/devices/vir[^t]*{,/**} wklx,
  deny /sys/devices/virt[^u]*{,/**} wklx,
  deny /sys/devices/virtu[^a]*{,/**} wklx,
  deny /sys/devices/virtua[^l]*{,/**} wklx,
  deny /sys/devices/virtual/[^n]*{,/**} wklx,
  deny /sys/devices/virtual/n[^e]*{,/**} wklx,
  deny /sys/devices/virtual/ne[^t]*{,/**} wklx,
  deny /sys/devices/virtual/net?*{,/**} wklx,
  deny /sys/devices/virtual?*{,/**} wklx,
  deny /sys/devices?*{,/**} wklx,
  deny /sys/f[^s]*{,/**} wklx,
  deny /sys/fs/[^c]*{,/**} wklx,
  deny /sys/fs/c[^g]*{,/**} wklx,
  deny /sys/fs/cg[^r]*{,/**} wklx,
  deny /sys/fs/cgr[^o]*{,/**} wklx,
  deny /sys/fs/cgro[^u]*{,/**} wklx,
  deny /sys/fs/cgrou[^p]*{,/**} wklx,
  deny /sys/fs/cgroup?*{,/**} wklx,
  deny /sys/fs?*{,/**} wklx,
  include if exists <abstractions/libvirt-lxc.d>
--- a/apparmor.d/abstractions/libvirt-qemu
+++ b/apparmor.d/abstractions/libvirt-qemu
@ -1,258 +0,0 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) Libvirt Team
 # Copyright (C) 2021-2022 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
  include <abstractions/base>
  include <abstractions/consoles>
  include <abstractions/nameservice-strict>
  # required for reading disk images
  capability dac_override,
  capability dac_read_search,
  capability chown,
  # needed to drop privileges
  capability setgid,
  capability setuid,
  network inet stream,
  network inet6 stream,
  ptrace (readby, tracedby) peer=libvirtd,
  ptrace (readby, tracedby) peer=virtqemud,
  signal (receive) peer=libvirtd,
  signal (receive) peer=virtqemud,
  /dev/kvm rw,
  /dev/net/tun rw,
  /dev/ptmx rw,
  @{PROC}/*/status r,
  # When qemu is signaled to terminate, it will read cmdline of signaling
  # process for reporting purposes. Allowing read access to a process
  # cmdline may leak sensitive information embedded in the cmdline.
  @{PROC}/@{pid}/cmdline r,
  # Per man(5) proc, the kernel enforces that a thread may
  # only modify its comm value or those in its thread group.
  owner @{PROC}/@{pid}/task/@{tid}/comm rw,
  @{PROC}/sys/kernel/cap_last_cap r,
  @{PROC}/sys/vm/overcommit_memory r,
  # detect hardware capabilities via qemu_getauxval
  owner @{PROC}/*/auxv r,
  # allow reading libnl's classid file
  /etc/libnl{,-3}/classid r,
  # For hostdev access. The actual devices will be added dynamically
  /sys/bus/usb/devices/ r,
  /sys/devices/**/usb[0-9]*/** r,
  # libusb needs udev data about usb devices (~equal to content of lsusb -v)
  @{run}/udev/data/+usb* r,
  @{run}/udev/data/c16[6,7]* r,
  @{run}/udev/data/c18[0,8,9]* r,
  # WARNING: this gives the guest direct access to host hardware and specific
  # portions of shared memory. This is required for sound using ALSA with kvm,
  # but may constitute a security risk. If your environment does not require
  # the use of sound in your VMs, feel free to comment out or prepend 'deny' to
  # the rules for files in /dev.
  /dev/snd/* rw,
  /{dev,run}/shm r,
  /{dev,run}/shmpulse-shm* r,
  /{dev,run}/shmpulse-shm* rwk,
  capability ipc_lock,
  # spice
  owner /{dev,run}/shm/spice.* rw,
  # 'kill' is not required for sound and is a security risk. Do not enable
  # unless you absolutely need it.
  deny capability kill,
  # Uncomment the following if you need access to /dev/fb*
  #/dev/fb* rw,
  /etc/pulse/client.conf r,
  @{HOME}/.pulse-cookie rwk,
  owner /root/.pulse-cookie rwk,
  owner /root/.pulse/ rw,
  owner /root/.pulse/* rw,
  /usr/share/alsa/** r,
  owner /tmp/pulse-*/ rw,
  owner /tmp/pulse-*/* rw,
  /var/lib/dbus/machine-id r,
  # access to firmware's etc
  /usr/share/AAVMF/** r,
  /usr/share/bochs/** r,
  /usr/share/edk2-ovmf/** rk,
  /usr/share/kvm/** r,
  /usr/share/misc/sgabios.bin r,
  /usr/share/openbios/** r,
  /usr/share/openhackware/** r,
  /usr/share/OVMF/** rk,
  /usr/share/ovmf/** rk,
  /usr/share/proll/** r,
  /usr/share/qemu-efi/** r,
  /usr/share/qemu-kvm/** r,
  /usr/share/qemu/** r,
  /usr/share/seabios/** r,
  /usr/share/sgabios/** r,
  /usr/share/slof/** r,
  /usr/share/vgabios/** r,
  # pki for libvirt-vnc and libvirt-spice (LP: #901272, #1690140)
  /etc/pki/CA/ r,
  /etc/pki/CA/* r,
  /etc/pki/libvirt{,-spice,-vnc}/ r,
  /etc/pki/libvirt{,-spice,-vnc}/** r,
  /etc/pki/qemu/ r,
  /etc/pki/qemu/** r,
  # the various binaries
  /usr/bin/kvm rmix,
  /usr/bin/kvm-spice rmix,
  /usr/bin/qemu rmix,
  /usr/bin/qemu-aarch64 rmix,
  /usr/bin/qemu-alpha rmix,
  /usr/bin/qemu-arm rmix,
  /usr/bin/qemu-armeb rmix,
  /usr/bin/qemu-cris rmix,
  /usr/bin/qemu-i386 rmix,
  /usr/bin/qemu-kvm rmix,
  /usr/bin/qemu-m68k rmix,
  /usr/bin/qemu-microblaze rmix,
  /usr/bin/qemu-microblazeel rmix,
  /usr/bin/qemu-mips rmix,
  /usr/bin/qemu-mips64 rmix,
  /usr/bin/qemu-mips64el rmix,
  /usr/bin/qemu-mipsel rmix,
  /usr/bin/qemu-mipsn32 rmix,
  /usr/bin/qemu-mipsn32el rmix,
  /usr/bin/qemu-or32 rmix,
  /usr/bin/qemu-ppc rmix,
  /usr/bin/qemu-ppc64 rmix,
  /usr/bin/qemu-ppc64abi32 rmix,
  /usr/bin/qemu-ppc64le rmix,
  /usr/bin/qemu-s390x rmix,
  /usr/bin/qemu-sh4 rmix,
  /usr/bin/qemu-sh4eb rmix,
  /usr/bin/qemu-sparc rmix,
  /usr/bin/qemu-sparc32plus rmix,
  /usr/bin/qemu-sparc64 rmix,
  /usr/bin/qemu-system-aarch64 rmix,
  /usr/bin/qemu-system-alpha rmix,
  /usr/bin/qemu-system-arm rmix,
  /usr/bin/qemu-system-cris rmix,
  /usr/bin/qemu-system-hppa rmix,
  /usr/bin/qemu-system-i386 rmix,
  /usr/bin/qemu-system-lm32 rmix,
  /usr/bin/qemu-system-m68k rmix,
  /usr/bin/qemu-system-microblaze rmix,
  /usr/bin/qemu-system-microblazeel rmix,
  /usr/bin/qemu-system-mips rmix,
  /usr/bin/qemu-system-mips64 rmix,
  /usr/bin/qemu-system-mips64el rmix,
  /usr/bin/qemu-system-mipsel rmix,
  /usr/bin/qemu-system-moxie rmix,
  /usr/bin/qemu-system-nios2 rmix,
  /usr/bin/qemu-system-or1k rmix,
  /usr/bin/qemu-system-or32 rmix,
  /usr/bin/qemu-system-ppc rmix,
  /usr/bin/qemu-system-ppc64 rmix,
  /usr/bin/qemu-system-ppcemb rmix,
  /usr/bin/qemu-system-riscv32 rmix,
  /usr/bin/qemu-system-riscv64 rmix,
  /usr/bin/qemu-system-s390x rmix,
  /usr/bin/qemu-system-sh4 rmix,
  /usr/bin/qemu-system-sh4eb rmix,
  /usr/bin/qemu-system-sparc rmix,
  /usr/bin/qemu-system-sparc64 rmix,
  /usr/bin/qemu-system-tricore rmix,
  /usr/bin/qemu-system-unicore32 rmix,
  /usr/bin/qemu-system-x86_64 rmix,
  /usr/bin/qemu-system-xtensa rmix,
  /usr/bin/qemu-system-xtensaeb rmix,
  /usr/bin/qemu-unicore32 rmix,
  /usr/bin/qemu-x86_64 rmix,
  # for Debian/Ubuntu qemu-block-extra / RPMs qemu-block-* (LP: #1554761)
  /usr/{lib,lib64}/qemu/*.so mr,
  /usr/lib/@{multiarch}/qemu/*.so mr,
  # let qemu load old shared objects after upgrades (LP: #1847361)
  /{var/,}run/qemu/*/*.so mr,
  # but explicitly deny writing to these files
  audit deny /{var/,}run/qemu/*/*.so w,
  # swtpm
  /{usr/,}bin/swtpm rmix,
  /usr/{lib,lib64}/libswtpm_libtpms.so mr,
  /usr/lib/@{multiarch}/libswtpm_libtpms.so mr,
  # for save and resume
  /{usr/,}bin/dash rmix,
  /{usr/,}bin/dd rmix,
  /{usr/,}bin/cat rmix,
  # for restore
  /{usr/,}bin/bash rmix,
  # for usb access
  /dev/bus/usb/ r,
  /etc/udev/udev.conf r,
  /sys/bus/ r,
  /sys/class/ r,
  # for rbd
  /etc/ceph/*.conf r,
  # Various functions will need to enumerate /tmp (e.g. ceph), allow the base
  # dir and a few known functions like samba support.
  # We want to avoid to give blanket rw permission to everything under /tmp,
  # users are expected to add site specific addons for more uncommon cases.
  # Qemu processes usually all run as the same users, so the "owner"
  # restriction prevents access to other services files, but not across
  # different instances.
  # This is a tradeoff between usability and security - if paths would be more
  # predictable that would be preferred - at least for write rules we would
  # want more unique paths per rule.
  /{,var/}tmp/ r,
  owner /{,var/}tmp/**/ r,
  # for file-posix getting limits since 9103f1ce
  /sys/devices/**/block/*/queue/max_segments r,
  # for ppc device-tree access
  @{PROC}/device-tree/ r,
  @{PROC}/device-tree/** r,
  /sys/firmware/devicetree/** r,
  # allow connect with openGraphicsFD to work
  unix (send, receive) type=stream addr=none peer=(label=libvirtd),
  unix (send, receive) type=stream addr=none peer=(label=virtqemud),
  # for gathering information about available host resources
  /sys/devices/system/cpu/ r,
  /sys/devices/system/node/ r,
  /sys/devices/system/node/node[0-9]*/meminfo r,
  /sys/module/vhost/parameters/max_mem_regions r,
  # silence refusals to open lttng files (see LP: #1432644)
  deny /dev/shm/lttng-ust-wait-* r,
  deny @{run}/shm/lttng-ust-wait-* r,
  # for vfio hotplug on systems without static vfio (LP: #1775777)
  /dev/vfio/vfio rw,
  # required for sasl GSSAPI plugin
  /etc/gss/mech.d/ r,
  /etc/gss/mech.d/* r,
  # required by libpmem init to fts_open()/fts_read() the symlinks in
  # /sys/bus/nd/devices
  / r, # harmless on any lsb compliant system
  /sys/bus/nd/devices/{,**/} r,
  # required for QEMU accessing UEFI nvram variables
  owner /var/lib/libvirt/qemu/nvram/*_VARS.fd rwk,
  owner /var/lib/libvirt/qemu/nvram/*_VARS.ms.fd rwk,
  include if exists <abstractions/libvirt-qemu.d>
--- a/apparmor.d/abstractions/mesa.d/complete
+++ b/apparmor.d/abstractions/mesa.d/complete
@ -7,8 +7,8 @@
  /var/lib/gdm/.cache/mesa_shader_cache/ rw,
  /var/lib/gdm/.cache/mesa_shader_cache/index rw,
  /var/lib/gdm/.cache/mesa_shader_cache/[a-f0-9][a-f0-9]/ rw,
-  /var/lib/gdm/.cache/mesa_shader_cache/[a-f0-9][a-f0-9]/[0-9a-f]* rw,
+  /var/lib/gdm/.cache/mesa_shader_cache/[a-f0-9][a-f0-9]/@{hex} rw,
-  /var/lib/gdm/.cache/mesa_shader_cache/[a-f0-9][a-f0-9]/[0-9a-f]*.tmp rwk,
+  /var/lib/gdm/.cache/mesa_shader_cache/[a-f0-9][a-f0-9]/@{hex}.tmp rwk,
  @{sys}/devices/pci[0-9]*/**/revision r,
  @{sys}/devices/pci[0-9]*/**/config r,
--- a/apparmor.d/abstractions/qt5-shader-cache
+++ b/apparmor.d/abstractions/qt5-shader-cache
@ -6,7 +6,7 @@
  owner @{HOME}/.cache/qtshadercache/ rw,
  owner @{HOME}/.cache/qtshadercache/#[0-9]*[0-9] rw,
-  owner @{HOME}/.cache/qtshadercache/[0-9a-f]* rwl -> @{HOME}/.cache/qtshadercache/#[0-9]*[0-9],
+  owner @{HOME}/.cache/qtshadercache/@{hex} rwl -> @{HOME}/.cache/qtshadercache/#[0-9]*[0-9],
  owner @{HOME}/.cache/qtshadercache-*-little_endian-*/ rw,
  owner @{HOME}/.cache/qtshadercache-*-little_endian-*/#[0-9]*[0-9] rw,
-  owner @{HOME}/.cache/qtshadercache-*-little_endian-*/[0-9a-f]* rwl -> @{HOME}/.cache/qtshadercache-*-little_endian-*/#[0-9]*[0-9],
+  owner @{HOME}/.cache/qtshadercache-*-little_endian-*/@{hex}* rwl -> @{HOME}/.cache/qtshadercache-*-little_endian-*/#[0-9]*[0-9],
--- a/apparmor.d/abstractions/trash.d/complete
+++ b/apparmor.d/abstractions/trash.d/complete
--- a/apparmor.d/groups/apps/atom
+++ b/apparmor.d/groups/apps/atom
@ -129,7 +129,7 @@ profile atom @{exec_path} {
  # The irq file is needed to render pages.
  deny @{sys}/devices/pci[0-9]*/**/irq r,
-  owner /tmp/atom-[0-9a-f]*.sock rw,
+  owner /tmp/atom-@{hex}.sock rw,
  owner "/tmp/Atom Crashes/" rw,
  owner /tmp/github-[0-9]*-[0-9]*-*.*/ rw,
  owner /tmp/github-[0-9]*-[0-9]*-*.*/** rw,
--- a/apparmor.d/groups/apps/calibre
+++ b/apparmor.d/groups/apps/calibre
@ -91,9 +91,9 @@ profile calibre @{exec_path} {
  owner @{user_cache_dirs}/qtshadercache/ rw,
  owner @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9] rw,
-  owner @{user_cache_dirs}/qtshadercache/[0-9a-f]* rwl -> @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9],
+  owner @{user_cache_dirs}/qtshadercache/@{hex} rwl -> @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9],
  owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9] rw,
-  owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/[0-9a-f]* rwl -> @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9],
+  owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/@{hex} rwl -> @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9],
  owner @{user_cache_dirs}/gstreamer-[0-9]*/ rw,
  owner @{user_cache_dirs}/gstreamer-[0-9]*/registry.*.bin{,.tmp*} rw,
--- a/apparmor.d/groups/apps/code
+++ b/apparmor.d/groups/apps/code
@ -109,8 +109,8 @@ profile code @{exec_path} {
  owner "/tmp/VSCode Crashes/" rw,
  owner /tmp/vscode-typescript[0-9]*/ rw,
-  owner @{run}/user/@{uid}/vscode-[0-9a-f]*-*-{shared,main}.sock rw,
+  owner @{run}/user/@{uid}/vscode-@{hex}-*-{shared,main}.sock rw,
-  owner @{run}/user/@{uid}/vscode-git-askpass-[0-9a-f]*.sock rw,
+  owner @{run}/user/@{uid}/vscode-git-askpass-@{hex}.sock rw,
  owner /tmp/vscode-ipc-@{uuid}.sock rw,
  # For installing extensions
--- a/apparmor.d/groups/apps/flameshot
+++ b/apparmor.d/groups/apps/flameshot
@ -54,7 +54,7 @@ profile flameshot @{exec_path} {
  owner /tmp/.*/{,s} rw,
  owner /tmp/*= rw,
-  owner /tmp/qipc_{systemsem,sharedmemory}_*[0-9a-f]* rw,
+  owner /tmp/qipc_{systemsem,sharedmemory}_*@{hex} rw,
  deny owner @{PROC}/@{pid}/cmdline r,
  deny       @{PROC}/sys/kernel/random/boot_id r,
--- a/apparmor.d/groups/apps/geany
+++ b/apparmor.d/groups/apps/geany
@ -51,7 +51,7 @@ profile geany @{exec_path} {
  owner @{user_config_dirs}/geany/{,**} rw,
-  owner /{run/,}user/@{uid}/geany/geany_socket.[0-9a-f]* rw,
+  owner /{run/,}user/@{uid}/geany/geany_socket.@{hex} rw,
  # To read/write files in the system. The read permission is granted for all files, the write
  # permission only for the owner. Also, dirs like /dev/, /proc/, /sys/  are not included in
@ -110,7 +110,7 @@ profile geany @{exec_path} {
    /{usr/,}bin/dbus-daemon rPUx,
    # for dbus-launch
-    owner @{HOME}/.dbus/session-bus/[0-9a-f]*-[0-9] w,
+    owner @{HOME}/.dbus/session-bus/@{hex}-[0-9] w,
    @{HOME}/.Xauthority r,
  }
--- a/apparmor.d/groups/apps/okular
+++ b/apparmor.d/groups/apps/okular
@ -85,7 +85,7 @@ profile okular @{exec_path} {
  # Print to pdf
  /{usr/,}bin/ps2pdf rPUx,
-  owner /tmp/[0-9a-f]* rw,
+  owner /tmp/@{hex} rw,
  owner /tmp/#[0-9]*[0-9] rw,
  owner /tmp/okular_*.ps rwl -> /tmp/#[0-9]*[0-9],
--- a/apparmor.d/groups/apps/spotify
+++ b/apparmor.d/groups/apps/spotify
@ -67,7 +67,7 @@ profile spotify @{exec_path} {
  /usr/share/X11/XErrorDB r,
-  owner /tmp/[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* rw,
+  owner /tmp/@{hex}-@{hex}-@{hex}-@{hex} rw,
  # What's this for?
  #owner /tmp/[0-9]*.[0-9]*.[0-9]*.[0-9]*-linux-*.zip rw,
--- a/apparmor.d/groups/apps/telegram-desktop
+++ b/apparmor.d/groups/apps/telegram-desktop
@ -59,8 +59,8 @@ profile telegram-desktop @{exec_path} {
  # Autostart
  owner @{user_config_dirs}/autostart/telegramdesktop.desktop rw,
-  owner /tmp/[0-9a-f]*-* rwk,
+  owner /tmp/@{hex}-* rwk,
-  owner @{run}/user/@{uid}/[0-9a-f]*-* rwk,
+  owner @{run}/user/@{uid}/@{hex}-* rwk,
  /dev/shm/#[0-9]*[0-9] rw,
--- a/apparmor.d/groups/apt/apt
+++ b/apparmor.d/groups/apt/apt
@ -34,7 +34,7 @@ profile apt @{exec_path} flags=(attach_disconnected) {
  unix (receive, send) type=stream peer=(label=apt-esm-json-hook),
-  dbus (send, receive) bus=system path=/org/debian/apt{,/transaction/[0-9a-f]*}
+  dbus (send, receive) bus=system path=/org/debian/apt{,/transaction/@{hex}}
       interface=org.{debian.apt*,freedesktop.DBus.{Properties,Introspectable}},
  dbus send bus=system path=/org/freedesktop/PackageKit
--- a/apparmor.d/groups/apt/synaptic
+++ b/apparmor.d/groups/apt/synaptic
@ -170,7 +170,7 @@ profile synaptic @{exec_path} {
    /{usr/,}bin/dbus-daemon rPUx,
    # for dbus-launch
-    owner @{HOME}/.dbus/session-bus/[0-9a-f]*-[0-9] w,
+    owner @{HOME}/.dbus/session-bus/@{hex}-[0-9] w,
    @{HOME}/.Xauthority r,
  }
--- a/apparmor.d/groups/browsers/firefox
+++ b/apparmor.d/groups/browsers/firefox
@ -200,7 +200,7 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
  owner @{MOZ_HOMEDIR}/native-messaging-hosts/org.keepassxc.keepassxc_browser.json r,
  owner @{user_config_dirs}/ r,
-  owner @{user_config_dirs}/ibus/bus/{,[0-9a-f]*-unix{,-wayland}-[0-9]*} r,
+  owner @{user_config_dirs}/ibus/bus/{,@{hex}-unix{,-wayland}-[0-9]*} r,
  owner @{user_config_dirs}/mimeapps.list{,.*} rw,
  owner @{user_cache_dirs}/ rw,
--- a/apparmor.d/groups/browsers/firefox-crashreporter
+++ b/apparmor.d/groups/browsers/firefox-crashreporter
@ -39,8 +39,8 @@ profile firefox-crashreporter @{exec_path} flags=(attach_disconnected) {
  owner "@{MOZ_HOMEDIR}/firefox/Crash Reports/{,**}" rw,
  owner "@{MOZ_HOMEDIR}/firefox/Crash Reports/crashreporter.ini" rw,
-  owner "@{MOZ_HOMEDIR}/firefox/Crash Reports/events/[0-9a-f]*" rw,
+  owner "@{MOZ_HOMEDIR}/firefox/Crash Reports/events/@{hex}" rw,
-  owner "@{MOZ_HOMEDIR}/firefox/Crash Reports/pending/[0-9a-f]*.{dmp,extra}" rw,
+  owner "@{MOZ_HOMEDIR}/firefox/Crash Reports/pending/@{hex}.{dmp,extra}" rw,
  owner "@{MOZ_HOMEDIR}/firefox/Crash Reports/submit.log" rw,
  owner @{MOZ_HOMEDIR}/firefox/*.*/crashes/{,**} rw,
@ -53,7 +53,7 @@ profile firefox-crashreporter @{exec_path} flags=(attach_disconnected) {
        /tmp/ r,
    /var/tmp/ r,
-  owner /tmp/[0-9a-f]*.{dmp,extra} rw,
+  owner /tmp/@{hex}.{dmp,extra} rw,
  owner /tmp/firefox/.parentlock w,
  owner /dev/shm/org.mozilla.ipc.[0-9]*.[0-9]* r,
--- a/apparmor.d/groups/browsers/firefox-minidump-analyzer
+++ b/apparmor.d/groups/browsers/firefox-minidump-analyzer
@ -22,14 +22,14 @@ profile firefox-minidump-analyzer @{exec_path} {
  owner "@{MOZ_HOMEDIR}/firefox/Crash Reports/" rw,
  owner "@{MOZ_HOMEDIR}/firefox/Crash Reports/pending/" rw,
-  owner "@{MOZ_HOMEDIR}/firefox/Crash Reports/pending/[0-9a-f]*.{dmp,extra}" rw,
+  owner "@{MOZ_HOMEDIR}/firefox/Crash Reports/pending/@{hex}.{dmp,extra}" rw,
  owner @{MOZ_HOMEDIR}/firefox/*.*/minidumps/ rw,
  owner @{MOZ_HOMEDIR}/firefox/*.*/minidumps/@{uuid}.{dmp,extra} rw,
  owner @{user_cache_dirs}/mozilla/firefox/*.*/startupCache/*Cache* r,
-  owner /tmp/[0-9a-f]*.{dmp,extra} rw,
+  owner /tmp/@{hex}.{dmp,extra} rw,
  owner /tmp/firefox/.parentlock w,
  owner /dev/shm/org.mozilla.ipc.[0-9]*.[0-9]* r,
--- a/apparmor.d/groups/bus/dbus-daemon-launch-helper
+++ b/apparmor.d/groups/bus/dbus-daemon-launch-helper
@ -19,6 +19,7 @@ profile dbus-daemon-launch-helper @{exec_path} {
  @{exec_path} mr,
  /{usr/,}lib/@{multiarch}/cups-pk-helper-mechanism         rPx,
  /{usr/,}lib/cups-pk-helper-mechanism                      rPx,
  /{usr/,}lib/cups-pk-helper/cups-pk-helper-mechanism       rPx,
  /{usr/,}lib/software-properties/software-properties-dbus  rPx,
--- a/apparmor.d/groups/bus/ibus-dconf
+++ b/apparmor.d/groups/bus/ibus-dconf
@ -24,10 +24,10 @@ profile ibus-dconf @{exec_path} flags=(attach_disconnected) {
  /etc/dconf/db/ibus r,
  /var/lib/dbus/machine-id r,
-  owner @{user_config_dirs}/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]*} r,
+  owner @{user_config_dirs}/ibus/bus/{,@{hex}-unix-wayland-[0-9]*} r,
-  owner @{user_config_dirs}/ibus/bus/[0-9a-f]*-unix-[0-9]* r,
+  owner @{user_config_dirs}/ibus/bus/@{hex}-unix-[0-9]* r,
-  /var/lib/gdm/.config/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]*} r,
+  /var/lib/gdm/.config/ibus/bus/{,@{hex}-unix-wayland-[0-9]*} r,
-  /var/lib/gdm/.config/ibus/bus/[0-9a-f]*-unix-[0-9]* r,
+  /var/lib/gdm/.config/ibus/bus/@{hex}-unix-[0-9]* r,
  /var/lib/gdm/.cache/dconf/ w,
  /var/lib/gdm/.cache/dconf/user rw,
--- a/apparmor.d/groups/bus/ibus-engine-simple
+++ b/apparmor.d/groups/bus/ibus-engine-simple
@ -19,8 +19,8 @@ profile ibus-engine-simple @{exec_path} flags=(attach_disconnected) {
  /etc/machine-id r,
  /var/lib/dbus/machine-id r,
-  /var/lib/gdm/.config/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]} r,
+  /var/lib/gdm/.config/ibus/bus/{,@{hex}-unix-wayland-[0-9]} r,
-  /var/lib/gdm/.config/ibus/bus/[0-9a-f]*-unix-[0-9] r,
+  /var/lib/gdm/.config/ibus/bus/@{hex}-unix-[0-9] r,
  owner /dev/tty[0-9]* rw,
--- a/apparmor.d/groups/bus/ibus-memconf
+++ b/apparmor.d/groups/bus/ibus-memconf
@ -17,7 +17,7 @@ profile ibus-memconf @{exec_path} {
  /etc/machine-id r,
  /var/lib/gdm{3,}/.config/ibus/bus/ r,
-  /var/lib/gdm{3,}/.config/ibus/bus/[0-9a-f]*-unix-[0-9]* r,
+  /var/lib/gdm{3,}/.config/ibus/bus/@{hex}-unix-[0-9]* r,
  include if exists <local/ibus-memconf>
 }
--- a/apparmor.d/groups/bus/ibus-portal
+++ b/apparmor.d/groups/bus/ibus-portal
@ -26,7 +26,7 @@ profile ibus-portal @{exec_path} flags=(attach_disconnected) {
  /var/lib/dbus/machine-id r,
  /var/lib/gdm/.config/ibus/bus/ r,
-  /var/lib/gdm/.config/ibus/bus/[0-9a-f]*-unix-{,wayland-}[0-9] r,
+  /var/lib/gdm/.config/ibus/bus/@{hex}-unix-{,wayland-}[0-9] r,
  owner /dev/tty[0-9]* rw,
  /dev/null rw,
--- a/apparmor.d/groups/bus/ibus-x11
+++ b/apparmor.d/groups/bus/ibus-x11
@ -23,10 +23,10 @@ profile ibus-x11 @{exec_path} flags=(attach_disconnected) {
  @{exec_path} mr,
-  /var/lib/gdm/.config/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]} r,
+  /var/lib/gdm/.config/ibus/bus/{,@{hex}-unix-wayland-[0-9]} r,
-  owner @{user_config_dirs}/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]} r,
+  owner @{user_config_dirs}/ibus/bus/{,@{hex}-unix-wayland-[0-9]} r,
-  owner @{user_config_dirs}/ibus/bus/[0-9a-f]*-unix-[0-9] r,
+  owner @{user_config_dirs}/ibus/bus/@{hex}-unix-[0-9] r,
  owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* r,
  owner @{run}/user/@{uid}/gdm/Xauthority r,
--- a/apparmor.d/groups/freedesktop/plymouth
+++ b/apparmor.d/groups/freedesktop/plymouth
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/plymouth
 profile plymouth @{exec_path} {
  include <abstractions/base>
  include <abstractions/consoles>
  unix (send, receive, connect) type=stream peer=(addr="@/org/freedesktop/plymouthd"),
--- a/apparmor.d/groups/freedesktop/pulseaudio
+++ b/apparmor.d/groups/freedesktop/pulseaudio
@ -34,102 +34,75 @@ profile pulseaudio @{exec_path} {
  network bluetooth stream,
  network bluetooth seqpacket,
-  dbus (send)
+  dbus send bus=session path=/Client0/EntryGroup[0-9]*
     bus=session
     path=/Client0/EntryGroup[0-9]*
       interface=org.freedesktop.Avahi.EntryGroup
       member={GetState,AddService,AddServiceSubtype,Commit}
       peer=(name=org.freedesktop.Avahi),
-  dbus (receive)
+  dbus receive bus=session path=/Client0/EntryGroup[0-9]*
     bus=session
     path=/Client0/EntryGroup[0-9]*
       interface=org.freedesktop.Avahi.EntryGroup
       member=StateChanged
       peer=(name=org.freedesktop.Avahi),
-  dbus (send)
+  dbus send bus=session path=/org/freedesktop/DBus
     bus=session
     path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus
       member={RequestName,ReleaseName}
       peer=(name=org.freedesktop.DBus),
-  dbus (receive)
+  dbus receive bus=session path=/org/freedesktop/DBus
     bus=session
     path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus
       member={Hello,RequestName,ReleaseName}
       peer=(name=:*),
-  dbus (receive)
+  dbus receive bus=session
     bus=session
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect,
-  dbus (bind)
+  dbus bind bus=session
     bus=session
       name=org.freedesktop.ReserveDevice[0-9].Audio[0-9],
-  dbus (bind)
+  dbus bind bus=session
     bus=session
       name=org.PulseAudio[0-9],
-  dbus (bind)
+  dbus bind bus=session
     bus=session
       name=org.pulseaudio*,
-  dbus (send)
+  dbus send bus=system
     bus=system
       path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus
       member={Hello,AddMatch,RemoveMatch}
       peer=(name=org.freedesktop.DBus),
-  dbus (send)
+  dbus send bus=system path=/org/freedesktop/RealtimeKit[0-9]
     bus=system
     path=/org/freedesktop/RealtimeKit[0-9]
       member={Get,MakeThreadHighPriority,MakeThreadRealtime}
       peer=(name=org.freedesktop.RealtimeKit[0-9]),
-  dbus (send)
+  dbus send bus=system path=/
     bus=system
     path=/
       interface=org.freedesktop.DBus.ObjectManager
       member=GetManagedObjects
       peer=(name=org.bluez),
-  dbus (send)
+  dbus send bus=system path=/
     bus=system
     path=/
       interface=org.freedesktop.DBus.Peer
       member=Ping
       peer=(name=org.freedesktop.Avahi),
-  dbus (send)
+  dbus send bus=system path=/
     bus=system
     path=/
       interface=org.freedesktop.Avahi.Server
       member={GetAPIVersion,GetState,EntryGroupNew}
       peer=(name=org.freedesktop.Avahi),
-  dbus (receive)
+  dbus receive bus=system path=/
     bus=system
     path=/
       interface=org.freedesktop.Avahi.Server
       member=StateChanged
       peer=(name=org.freedesktop.Avahi),
-  dbus (send)
+  dbus send bus=system path=/
     bus=system
     path=/
       interface=org.freedesktop.hostname[0-9]
       member=Get
       peer=(name=/org/freedesktop/hostname[0-9]),
-  dbus (send)
+  dbus send bus=system path=/org.freedesktop.hostname[0-9]
     bus=system
     path=/org.freedesktop.hostname[0-9]
       interface=org.freedesktop.DBus.Prope
       member=Get
       peer=(name=/org/freedesktop/hostname[0-9]),
--- a/apparmor.d/groups/freedesktop/update-mime-database
+++ b/apparmor.d/groups/freedesktop/update-mime-database
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/update-mime-database
 profile update-mime-database @{exec_path} {
  include <abstractions/base>
  include <abstractions/nameservice-strict>
  capability dac_override,
  capability dac_read_search,
--- a/apparmor.d/groups/freedesktop/xdg-mime
+++ b/apparmor.d/groups/freedesktop/xdg-mime
@ -69,7 +69,7 @@ profile xdg-mime @{exec_path} flags=(attach_disconnected) {
    /{usr/,}bin/dbus-daemon  rPx,
          @{HOME}/.Xauthority r,
-    owner @{HOME}/.dbus/session-bus/[0-9a-f]*-[0-9] w,
+    owner @{HOME}/.dbus/session-bus/@{hex}-[0-9] w,
  }
--- a/apparmor.d/groups/freedesktop/xdg-open
+++ b/apparmor.d/groups/freedesktop/xdg-open
@ -61,7 +61,7 @@ profile xdg-open @{exec_path} flags=(attach_disconnected) {
    /{usr/,}bin/dbus-daemon  rPx,
    # for dbus-launch
-    owner @{HOME}/.dbus/session-bus/[0-9a-f]*-[0-9] w,
+    owner @{HOME}/.dbus/session-bus/@{hex}-[0-9] w,
    @{HOME}/.Xauthority r,
  }
--- a/apparmor.d/groups/freedesktop/xdg-settings
+++ b/apparmor.d/groups/freedesktop/xdg-settings
@ -64,7 +64,7 @@ profile xdg-settings @{exec_path} {
    /{usr/,}bin/dbus-daemon  rPx,
    # for dbus-launch
-    owner @{HOME}/.dbus/session-bus/[0-9a-f]*-[0-9] w,
+    owner @{HOME}/.dbus/session-bus/@{hex}-[0-9] w,
    @{HOME}/.Xauthority r,
  }
--- a/apparmor.d/groups/gnome/evolution-calendar-factory
+++ b/apparmor.d/groups/gnome/evolution-calendar-factory
@ -31,6 +31,12 @@ profile evolution-calendar-factory @{exec_path} {
       interface=org.freedesktop.NetworkManager
       member={CheckPermissions,StateChanged},
  dbus (send,receive) bus=session path=/org/gnome/evolution/dataserver{,/**}
       interface={org.freedesktop.DBus.{Introspectable,ObjectManager,Properties},org.gnome.evolution.dataserver.*},
  dbus bind bus=session
       name=org.gnome.evolution.dataserver.Calendar[0-9],
  @{exec_path} mr,
  @{exec_path}-subprocess rix,
--- a/apparmor.d/groups/gnome/gnome-session-binary
+++ b/apparmor.d/groups/gnome/gnome-session-binary
@ -49,6 +49,23 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
       interface=org.freedesktop.login[0-9].Manager
       member={SessionNew,PrepareForShutdown,SessionRemoved},
  dbus (send,receive) bus=session path=/org/gnome/SessionManager{,/**}
       interface={org.freedesktop.DBus.{Properties,Introspectable},org.gnome.SessionManager},
  dbus send bus=session path=/org/freedesktop/systemd1
       interface=org.freedesktop.systemd1.Manager
       peer=(name=:org.freedesktop.systemd1),
  dbus send bus=session path=/org/gnome/Mutter/IdleMonitor/Core
       interface=org.gnome.Mutter.IdleMonitor
       member=AddIdleWatch
       peer=(name=:*),
  dbus send bus=session path=/org/gnome/ScreenSaver
       interface=org.gnome.ScreenSaver
       member=GetActive 
       peer=(name=:*),
  @{exec_path} mr,
  /{usr/,}bin/{,z,ba,da}sh                                 rix,
@ -57,6 +74,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
  /{usr/,}bin/mkdir                                        rix,
  /{usr/,}bin/touch                                        rix,
  /{usr/,}bin/gsettings                                    rix,
  /{usr/,}bin/gsettings-data-convert                       rix,
  /{usr/,}bin/session-migration                            rix,
  /{usr/,}bin/xdg-user-dirs-gtk-update                     rix,
  @{libexec}/gnome-session-check-accelerated               rix,
@ -124,22 +142,23 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
  owner @{user_share_dirs}/applications/mimeinfo.cache r,
  owner @{user_share_dirs}/session_migration-ubuntu r,
  owner @{run}/user/@{uid}/gnome-session-leader-fifo rw,
  owner @{run}/user/@{uid}/ICEauthority{,-[a-z]} rwl,
  owner @{run}/user/@{uid}/systemd/notify w,
  owner @{run}/user/@{uid}/wayland-[0-9]* rw,
        @{run}/systemd/inhibit/[0-9]*.ref rw,
        @{run}/systemd/sessions/* r,
        @{run}/systemd/sessions/*.ref rw,
        @{run}/systemd/users/@{uid} r,
  owner @{run}/user/@{uid}/gnome-session-leader-fifo rw,
  owner @{run}/user/@{uid}/ICEauthority{,-[a-z]} rwl,
  owner @{run}/user/@{uid}/systemd/notify w,
  owner @{run}/user/@{uid}/wayland-[0-9]* rw,
  @{sys}/devices/**/{vendor,device} r,
  owner @{PROC}/@{pid}/loginuid r,
  owner @{PROC}/@{pid}/cmdline r,
  owner @{PROC}/@{pid}/fd/ r,
        @{PROC}/@{pid}/cgroup r,
        @{PROC}/cmdline r,
        @{PROC}/sys/net/ipv{4,6}/conf/all/disable_ipv{4,6} r,
  owner @{PROC}/@{pid}/cmdline r,
  owner @{PROC}/@{pid}/fd/ r,
  owner @{PROC}/@{pid}/loginuid r,
  /dev/tty rw,
  /dev/tty[0-9]* rw,
--- a/apparmor.d/groups/gnome/gnome-shell
+++ b/apparmor.d/groups/gnome/gnome-shell
@ -150,13 +150,13 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
  /var/lib/gdm{3,}/.cache/ w,
  /var/lib/gdm{3,}/.cache/mesa_shader_cache/ rw,
  /var/lib/gdm{3,}/.cache/mesa_shader_cache/[a-f0-9][a-f0-9]/ rw,
-  /var/lib/gdm{3,}/.cache/mesa_shader_cache/[a-f0-9][a-f0-9]/[0-9a-f]* rw,
+  /var/lib/gdm{3,}/.cache/mesa_shader_cache/[a-f0-9][a-f0-9]/@{hex} rw,
-  /var/lib/gdm{3,}/.cache/mesa_shader_cache/[a-f0-9][a-f0-9]/[0-9a-f]*.tmp rwk,
+  /var/lib/gdm{3,}/.cache/mesa_shader_cache/[a-f0-9][a-f0-9]/@{hex}.tmp rwk,
  /var/lib/gdm{3,}/.cache/mesa_shader_cache/index rw,
  /var/lib/gdm{3,}/.config/dconf/user r,
  /var/lib/gdm{3,}/.config/ibus/ rw,
  /var/lib/gdm{3,}/.config/ibus/bus/ rw,
-  /var/lib/gdm{3,}/.config/ibus/bus/[0-9a-f]*-unix-{,wayland-}[0-9] r,
+  /var/lib/gdm{3,}/.config/ibus/bus/@{hex}-unix-{,wayland-}[0-9] r,
  /var/lib/gdm{3,}/.config/pulse/ r,
  /var/lib/gdm{3,}/.config/pulse/client.conf r,
  /var/lib/gdm{3,}/.config/pulse/cookie rwk,
--- a/apparmor.d/groups/gnome/gsd-printer
+++ b/apparmor.d/groups/gnome/gsd-printer
@ -11,6 +11,7 @@ profile gsd-printer @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/dbus-session-strict>
  include <abstractions/dbus-strict>
  include <abstractions/nameservice-strict>
  signal (receive) set=(term, hup) peer=gdm*,
  signal (receive) set=(hup) peer=gsd-print-notifications,
@ -25,8 +26,26 @@ profile gsd-printer @{exec_path} flags=(attach_disconnected) {
  dbus bind bus=system
       name=com.redhat.PrinterDriversInstaller,
  dbus (send,receive) bus=session path=/org/gnome/SessionManager
       interface=org.gnome.SessionManager
       peer=(name=:*),
  dbus send bus=session path=/org/gnome/SessionManager
       interface=org.freedesktop.DBus.Properties
       member=GetAll
       peer=(name=:*),
  dbus receive bus=session path=/
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect 
       peer=(name=:*),
  @{exec_path} mr,
  owner /tmp/[a-z0-9]* rw,
  owner @{PROC}/@{pid}/cgroup r,
  owner /dev/tty[0-9]* rw,
  include if exists <local/gsd-printer>
--- a/apparmor.d/groups/gnome/tracker-miner
+++ b/apparmor.d/groups/gnome/tracker-miner
@ -41,7 +41,7 @@ profile tracker-miner @{exec_path} {
  /var/lib/gdm{3,}/.cache/tracker3/tracker3/files/{,**} rwk,
  /var/lib/gdm{3,}/greeter-dconf-defaults r,
-  owner /var/tmp/etilqs_[0-9a-f]* rw,
+  owner /var/tmp/etilqs_@{hex} rw,
  # Allow to search user files
  owner @{HOME}/{,**} r,
--- a/apparmor.d/groups/gpg/gpg-agent
+++ b/apparmor.d/groups/gpg/gpg-agent
@ -25,53 +25,53 @@ profile gpg-agent @{exec_path} {
  owner @{HOME}/@{XDG_GPG_DIR}/ rw,
  owner @{HOME}/@{XDG_GPG_DIR}/gpg-agent.conf r,
  owner @{HOME}/@{XDG_GPG_DIR}/private-keys-v1.d/ rw,
-  owner @{HOME}/@{XDG_GPG_DIR}/private-keys-v1.d/[0-9A-F]*.key rw,
+  owner @{HOME}/@{XDG_GPG_DIR}/private-keys-v1.d/@{hex}.key rw,
  owner @{HOME}/@{XDG_GPG_DIR}/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw,
  owner @{HOME}/@{XDG_GPG_DIR}/sshcontrol r,
  owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/ rw,
  owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/gpg-agent.conf r,
  owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/private-keys-v1.d/ rw,
-  owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/private-keys-v1.d/[0-9A-F]*.key rw,
+  owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/private-keys-v1.d/@{hex}.key rw,
  owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw,
  owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/sshcontrol r,
  owner @{user_projects_dirs}/**/{.,}gnupg/ rw,
  owner @{user_projects_dirs}/**/{.,}gnupg/gpg-agent.conf r,
  owner @{user_projects_dirs}/**/{.,}gnupg/private-keys-v1.d/ rw,
-  owner @{user_projects_dirs}/**/{.,}gnupg/private-keys-v1.d/[0-9A-F]*.key rw,
+  owner @{user_projects_dirs}/**/{.,}gnupg/private-keys-v1.d/@{hex}.key rw,
  owner @{user_projects_dirs}/**/{.,}gnupg/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw,
  owner @{user_projects_dirs}/**/{.,}gnupg/sshcontrol r,
  owner @{run}/user/@{uid}/gnupg/ rw,
  owner @{run}/user/@{uid}/gnupg/gpg-agent.conf r,
  owner @{run}/user/@{uid}/gnupg/private-keys-v1.d/ rw,
-  owner @{run}/user/@{uid}/gnupg/private-keys-v1.d/[0-9A-F]*.key rw,
+  owner @{run}/user/@{uid}/gnupg/private-keys-v1.d/@{hex}.key rw,
  owner @{run}/user/@{uid}/gnupg/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw,
  owner @{run}/user/@{uid}/gnupg/sshcontrol r,
  owner @{user_tmp_dirs}/**/{.,}gnupg/ rw,
  owner @{user_tmp_dirs}/**/{.,}gnupg/gpg-agent.conf r,
  owner @{user_tmp_dirs}/**/{.,}gnupg/private-keys-v1.d/ rw,
-  owner @{user_tmp_dirs}/**/{.,}gnupg/private-keys-v1.d/[0-9A-F]*.key rw,
+  owner @{user_tmp_dirs}/**/{.,}gnupg/private-keys-v1.d/@{hex}.key rw,
  owner @{user_tmp_dirs}/**/{.,}gnupg/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw,
  owner @{user_tmp_dirs}/**/{.,}gnupg/sshcontrol r,
  owner /var/lib/*/.gnupg/ rw,
  owner /var/lib/*/.gnupg/private-keys-v1.d/ rw,
-  owner /var/lib/*/.gnupg/private-keys-v1.d/[0-9A-F]*.key rw,
+  owner /var/lib/*/.gnupg/private-keys-v1.d/@{hex}.key rw,
  owner /var/lib/*/.gnupg/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw,
  owner /var/lib/*/.gnupg/sshcontrol r,
  owner /var/lib/*/gnupg/ rw,
  owner /var/lib/*/gnupg/private-keys-v1.d/ rw,
-  owner /var/lib/*/gnupg/private-keys-v1.d/[0-9A-F]*.key rw,
+  owner /var/lib/*/gnupg/private-keys-v1.d/@{hex}.key rw,
  owner /var/lib/*/gnupg/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw,
  owner /var/lib/*/gnupg/sshcontrol r,
  owner /tmp/tmp.*/gnupg/ rw,
  owner /tmp/tmp.*/gnupg/private-keys-v1.d/ rw,
-  owner /tmp/tmp.*/gnupg/private-keys-v1.d/[0-9A-F]*.key rw,
+  owner /tmp/tmp.*/gnupg/private-keys-v1.d/@{hex}.key rw,
  owner /tmp/tmp.*/gnupg/{,d.*/}S.gpg-agent rw,
  owner /tmp/tmp.*/gnupg/sshcontrol r,
--- a/apparmor.d/groups/gpg/gpg-connect-agent
+++ b/apparmor.d/groups/gpg/gpg-connect-agent
@ -21,9 +21,9 @@ profile gpg-connect-agent @{exec_path} {
  owner @{run}/user/@{uid}/gnupg/d.*/ rw,
-  owner /tmp/tmp.*/.#lk0x[0-9a-f]*.*.@{pid} rw,
+  owner /tmp/tmp.*/.#lk0x@{hex}.*.@{pid} rw,
-  owner /tmp/tmp.*/.#lk0x[0-9a-f]*.*.@{pid}x rwl -> /tmp/*/.#lk0x[0-9a-f]*.*.@{pid},
+  owner /tmp/tmp.*/.#lk0x@{hex}.*.@{pid}x rwl -> /tmp/*/.#lk0x@{hex}.*.@{pid},
-  owner /tmp/tmp.*/gnupg_spawn_agent_sentinel.lock rwl -> /tmp/*/.#lk0x[0-9a-f]*.*.@{pid},
+  owner /tmp/tmp.*/gnupg_spawn_agent_sentinel.lock rwl -> /tmp/*/.#lk0x@{hex}.*.@{pid},
  include if exists <local/gpg-connect-agent>
 }
--- a/apparmor.d/groups/network/mullvad-gui
+++ b/apparmor.d/groups/network/mullvad-gui
@ -46,6 +46,7 @@ profile mullvad-gui @{exec_path} {
  /var/lib/dbus/machine-id r,
  owner "@{user_config_dirs}/Mullvad VPN/{,**}" rwk,
  owner @{user_share_dirs}/gvfs-metadata/* r,
  owner "/tmp/.org.chromium.Chromium.*/Mullvad VPN*.png" rw,
  owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[a-zA-z0-9]* r,
--- a/apparmor.d/groups/network/networkd-dispatcher
+++ b/apparmor.d/groups/network/networkd-dispatcher
@ -18,6 +18,8 @@ profile networkd-dispatcher @{exec_path} {
  /{usr/,}bin/ r,
  /{usr/,}bin/networkctl  rPx,
  /etc/networkd-dispatcher/{,**} r,
  @{run}/systemd/notify rw,
  owner @{PROC}/@{pid}/fd/ r,
--- a/apparmor.d/groups/pacman/aurpublish
+++ b/apparmor.d/groups/pacman/aurpublish
--- a/apparmor.d/groups/systemd/bootctl
+++ b/apparmor.d/groups/systemd/bootctl
@ -24,11 +24,11 @@ profile bootctl @{exec_path} {
  /{boot,efi}/ r,
  /{boot,efi}/EFI/{,**} r,
-  /{boot,efi}/EFI/BOOT/.#BOOT*.EFI[0-9a-f]* rw,
+  /{boot,efi}/EFI/BOOT/.#BOOT*.EFI@{hex} rw,
  /{boot,efi}/EFI/BOOT/BOOTX64.EFI w,
-  /{boot,efi}/EFI/systemd/.#systemd-boot*.efi[0-9a-f]* rw,
+  /{boot,efi}/EFI/systemd/.#systemd-boot*.efi@{hex} rw,
  /{boot,efi}/EFI/systemd/systemd-boot*.efi w,
-  /{boot,efi}/loader/.#bootctlrandom-seed[0-9a-f]* rw,
+  /{boot,efi}/loader/.#bootctlrandom-seed@{hex} rw,
  /{boot,efi}/loader/.#entries.srel* w,
  /{boot,efi}/loader/{,**} r,
  /{boot,efi}/loader/entries.srel w,
@ -47,7 +47,7 @@ profile bootctl @{exec_path} {
  @{sys}/firmware/dmi/entries/*/raw r,
  @{sys}/firmware/efi/efivars/ r,
  @{sys}/firmware/efi/efivars/AuditMode-@{uuid} r,
-  @{sys}/firmware/efi/efivars/Boot[0-9A-F]*-@{uuid} r,
+  @{sys}/firmware/efi/efivars/Boot@{hex}-@{uuid} r,
  @{sys}/firmware/efi/efivars/BootOrder-@{uuid} r,
  @{sys}/firmware/efi/efivars/DeployedMode-@{uuid} r,
  @{sys}/firmware/efi/efivars/LoaderDevicePartUUID-@{uuid} r,
--- a/apparmor.d/groups/systemd/coredumpctl
+++ b/apparmor.d/groups/systemd/coredumpctl
@ -26,13 +26,13 @@ profile coredumpctl @{exec_path} flags=(complain) {
  owner /var/tmp/coredump-* rw,
-  /var/lib/systemd/coredump/core.*.[0-9]*.[0-9a-f]*.[0-9]*.[0-9]*.zst r,
+  /var/lib/systemd/coredump/core.*.[0-9]*.@{hex}.[0-9]*.[0-9]*.zst r,
  /{run,var}/log/journal/ r,
-  /{run,var}/log/journal/[0-9a-f]*/ r,
+  /{run,var}/log/journal/@{hex}/ r,
-  /{run,var}/log/journal/[0-9a-f]*/user-[0-9a-f]*.journal* r,
+  /{run,var}/log/journal/@{hex}/user-@{hex}.journal* r,
-  /{run,var}/log/journal/[0-9a-f]*/system.journal* r,
+  /{run,var}/log/journal/@{hex}/system.journal* r,
-  /{run,var}/log/journal/[0-9a-f]*/system@[0-9a-f]*.journal* r,
+  /{run,var}/log/journal/@{hex}/system@@{hex}.journal* r,
  owner @{PROC}/@{pid}/cgroup r,
        @{PROC}/1/cgroup r,
--- a/apparmor.d/groups/systemd/journalctl
+++ b/apparmor.d/groups/systemd/journalctl
@ -34,12 +34,12 @@ profile journalctl @{exec_path} {
  /var/lib/systemd/catalog/.#database* rw,
        /{run,var}/log/journal/ r,
-        /{run,var}/log/journal/[0-9a-f]*/ r,
+        /{run,var}/log/journal/@{hex}/ r,
-        /{run,var}/log/journal/[0-9a-f]*/system.journal* r,
+        /{run,var}/log/journal/@{hex}/system.journal* r,
-        /{run,var}/log/journal/[0-9a-f]*/system@[0-9a-f]*.journal* rw,
+        /{run,var}/log/journal/@{hex}/system@@{hex}.journal* rw,
-        /{run,var}/log/journal/[0-9a-f]*/user-[0-9a-f]*.journal* rw,
+        /{run,var}/log/journal/@{hex}/user-@{hex}.journal* rw,
-  owner /{run,var}/log/journal/[0-9a-f]*/fss wl -> /var/log/journal/[0-9a-f]*/fss.tmp.*,
+  owner /{run,var}/log/journal/@{hex}/fss wl -> /var/log/journal/@{hex}/fss.tmp.*,
-  owner /{run,var}/log/journal/[0-9a-f]*/fss.tmp.* rw,
+  owner /{run,var}/log/journal/@{hex}/fss.tmp.* rw,
  owner /var/tmp/#[0-9]* rw,
  @{run}/host/container-manager r,
--- a/apparmor.d/groups/systemd/networkctl
+++ b/apparmor.d/groups/systemd/networkctl
@ -42,10 +42,10 @@ profile networkctl @{exec_path} flags=(attach_disconnected,complain) {
  # To be able to read logs
  @{run}/log/ r,
  /{run,var}/log/journal/ r,
-  /{run,var}/log/journal/[0-9a-f]*/ r,
+  /{run,var}/log/journal/@{hex}/ r,
-  /{run,var}/log/journal/[0-9a-f]*/user-[0-9a-f]*.journal* r,
+  /{run,var}/log/journal/@{hex}/user-@{hex}.journal* r,
-  /{run,var}/log/journal/[0-9a-f]*/system.journal* r,
+  /{run,var}/log/journal/@{hex}/system.journal* r,
-  /{run,var}/log/journal/[0-9a-f]*/system@[0-9a-f]*.journal* r,
+  /{run,var}/log/journal/@{hex}/system@@{hex}.journal* r,
  @{run}/systemd/netif/links/[0-9]* r,
  @{run}/systemd/netif/state r,
--- a/apparmor.d/groups/systemd/systemd-coredump
+++ b/apparmor.d/groups/systemd/systemd-coredump
@ -26,11 +26,10 @@ profile systemd-coredump @{exec_path} flags=(attach_disconnected) {
  @{exec_path} mr,
  /{usr/,}bin/* r,
  /{usr/,}sbin/* r,
  @{libexec}/** r,
  /opt/** r,
  / r,
  /{usr/,}{s,}bin/* r,
  /opt/** r,
  /etc/systemd/coredump.conf r,
@ -38,15 +37,15 @@ profile systemd-coredump @{exec_path} flags=(attach_disconnected) {
  owner /var/lib/systemd/coredump/#[0-9]* rwl,
  owner /var/lib/systemd/coredump/core.*.zst rwl -> /var/lib/systemd/coredump/#[0-9]*,
  owner @{PROC}/@{pid}/setgroups r,
        @{PROC}/@{pids}/comm r,
        @{PROC}/@{pids}/cgroup r,
        @{PROC}/@{pids}/cmdline r,
-        @{PROC}/@{pids}/limits r,
+        @{PROC}/@{pids}/comm r,
        @{PROC}/@{pids}/mountinfo r,
        @{PROC}/@{pids}/environ r,
        @{PROC}/@{pids}/fd/ r,
        @{PROC}/@{pids}/fdinfo/[0-9]* r,
        @{PROC}/@{pids}/limits r,
        @{PROC}/@{pids}/mountinfo r,
  owner @{PROC}/@{pid}/setgroups r,
  include if exists <local/systemd-coredump>
 }
--- a/apparmor.d/groups/systemd/systemd-hostnamed
+++ b/apparmor.d/groups/systemd/systemd-hostnamed
@ -26,8 +26,9 @@ profile systemd-hostnamed @{exec_path} flags=(attach_disconnected) {
       peer=(name=org.freedesktop.PolicyKit1),
  dbus receive bus=system path=/org/freedesktop/hostname[0-9]
-       interface=org.freedesktop.DBus.Properties
+       interface=org.freedesktop.{DBus.Properties,hostname1}
-       member={Get,GetAll,SetHostname},
+       member={Get,GetAll,SetHostname}
       peer=(name=:*),
  dbus bind bus=system 
       name=org.freedesktop.hostname[0-9],
--- a/apparmor.d/groups/systemd/systemd-journald
+++ b/apparmor.d/groups/systemd/systemd-journald
@ -30,11 +30,11 @@ profile systemd-journald @{exec_path} {
  @{run}/log/ rw,
  /{run,var}/log/journal/ rw,
-  /{run,var}/log/journal/[0-9a-f]*/ rw,
+  /{run,var}/log/journal/@{hex}/ rw,
-  /{run,var}/log/journal/[0-9a-f]*/user-[0-9a-f]*.journal* rw,
+  /{run,var}/log/journal/@{hex}/user-@{hex}.journal* rw,
-  /{run,var}/log/journal/[0-9a-f]*/system.journal* rw,
+  /{run,var}/log/journal/@{hex}/system.journal* rw,
-  /{run,var}/log/journal/[0-9a-f]*/system@[0-9a-f]*.journal* rw,
+  /{run,var}/log/journal/@{hex}/system@@{hex}.journal* rw,
-  /{run,var}/log/journal/[0-9a-f]*/fss rw,
+  /{run,var}/log/journal/@{hex}/fss rw,
  owner @{run}/systemd/journal/{,**} rw,
  owner @{run}/systemd/notify rw,
--- a/apparmor.d/groups/systemd/systemd-networkd
+++ b/apparmor.d/groups/systemd/systemd-networkd
@ -39,6 +39,11 @@ profile systemd-networkd @{exec_path} flags=(attach_disconnected,complain) {
       interface=org.freedesktop.DBus.Properties
       member=Get,
  dbus send bus=system path=/org/freedesktop/network[0-9]/link/*
       interface=org.freedesktop.DBus.Properties
       member=PropertiesChanged 
       peer=(name=org.freedesktop.DBus),
  dbus bind bus=system
       name=org.freedesktop.network1,
@ -55,6 +60,7 @@ profile systemd-networkd @{exec_path} flags=(attach_disconnected,complain) {
        @{run}/systemd/network/ r,
        @{run}/systemd/network/*.network r,
        @{run}/systemd/notify rw,
  owner @{run}/systemd/netif/.#state rw,
  owner @{run}/systemd/netif/.#state* rw,
  owner @{run}/systemd/netif/leases/.#* rw,
--- a/apparmor.d/groups/systemd/systemd-timesyncd
+++ b/apparmor.d/groups/systemd/systemd-timesyncd
@ -10,6 +10,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}lib/systemd/systemd-timesyncd
 profile systemd-timesyncd @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/dbus-strict>
  include <abstractions/nameservice-strict>
  include <abstractions/systemd-common>
@ -20,6 +21,9 @@ profile systemd-timesyncd @{exec_path} flags=(attach_disconnected) {
  network inet stream,
  network inet6 stream,
  dbus bind bus=system
       name=org.freedesktop.timesync1,
  @{exec_path} mr,
  /etc/adjtime r,
@ -34,19 +38,5 @@ profile systemd-timesyncd @{exec_path} flags=(attach_disconnected) {
        @{run}/systemd/netif/state r,
        @{run}/systemd/notify rw,
  # dbus-stricter
  @{run}/dbus/system_bus_socket rw,
  dbus send
       bus=system
       path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus
       member={Hello,RequestName}
       peer=(name=org.freedesktop.DBus),
  dbus bind
       bus=system
       name=org.freedesktop.timesync1,
  include if exists <local/systemd-timesyncd>
 }
--- a/apparmor.d/groups/ubuntu/update-motd-fsck-at-reboot
+++ b/apparmor.d/groups/ubuntu/update-motd-fsck-at-reboot
@ -14,7 +14,7 @@ profile update-motd-fsck-at-reboot @{exec_path} {
  /{usr/,}{s,}bin/dumpe2fs  rPx,
  /{usr/,}bin/{,ba,da}sh    rix,
-  /{usr/,}bin/{m,}awk       rix,
+  /{usr/,}bin/{m,g,}awk     rix,
  /{usr/,}bin/cat           rix,
  /{usr/,}bin/cut           rix,
  /{usr/,}bin/date          rix,
@ -37,6 +37,7 @@ profile update-motd-fsck-at-reboot @{exec_path} {
    @{sys}/devices/virtual/block/**/ r,
    @{sys}/devices/virtual/block/**/autoclear r,
    @{sys}/devices/virtual/block/**/backing_file r,
    @{sys}/devices/virtual/block/dm-[0-9]*/dm/name r,
    @{PROC}/@{pid}/mountinfo r,
--- a/apparmor.d/groups/virt/containerd
+++ b/apparmor.d/groups/virt/containerd
@ -31,12 +31,12 @@ profile containerd @{exec_path} flags=(attach_disconnected) {
  network inet6 stream,
  network netlink raw,
-  mount fstype=tmpfs options in (rw, nosuid, nodev, noexec) -> @{run}/containerd/io.containerd.grpc.v1.cri/sandboxes/[0-9a-f]*/shm/,
+  mount fstype=tmpfs options in (rw, nosuid, nodev, noexec) -> @{run}/containerd/io.containerd.grpc.v1.cri/sandboxes/@{hex}/shm/,
  mount -> /var/lib/containerd/tmpmounts/containerd-mount[0-9]*/,
  mount -> /tmp/ctd-volume[0-9]*/,
  mount options in (rw, bind, nosuid, nodev, noexec) -> @{run}/netns/cni-@{uuid},
-  umount @{run}/containerd/io.containerd.grpc.v1.cri/sandboxes/[0-9a-f]*/shm/,
+  umount @{run}/containerd/io.containerd.grpc.v1.cri/sandboxes/@{hex}/shm/,
  umount /var/lib/containerd/tmpmounts/containerd-mount[0-9]*/,
  umount /tmp/ctd-volume[0-9]*/,
  umount @{run}/netns/cni-@{uuid},
--- a/apparmor.d/groups/virt/containerd-shim-runc-v2
+++ b/apparmor.d/groups/virt/containerd-shim-runc-v2
@ -22,8 +22,8 @@ profile containerd-shim-runc-v2 @{exec_path} flags=(attach_disconnected) {
  ptrace (read) peer=containerd,
  ptrace (read) peer=unconfined,
-  mount -> /run/containerd/io.containerd.runtime.v2.task/k8s.io/[0-9a-f]*/rootfs/,
+  mount -> /run/containerd/io.containerd.runtime.v2.task/k8s.io/@{hex}/rootfs/,
-  umount /run/containerd/io.containerd.runtime.v2.task/k8s.io/[0-9a-f]*/rootfs/,
+  umount /run/containerd/io.containerd.runtime.v2.task/k8s.io/@{hex}/rootfs/,
  @{exec_path} mrix,
@ -34,12 +34,12 @@ profile containerd-shim-runc-v2 @{exec_path} flags=(attach_disconnected) {
  /tmp/pty[0-9]*/pty.sock rw,
  @{run}/containerd/{,containerd.sock.ttrpc} rw,
-  @{run}/containerd/io.containerd.grpc.v1.cri/containers/[0-9a-f]*/io/[0-9]*/[0-9a-f]*-{stdin,stdout,stderr} rw,
+  @{run}/containerd/io.containerd.grpc.v1.cri/containers/@{hex}/io/[0-9]*/@{hex}-{stdin,stdout,stderr} rw,
-  @{run}/containerd/io.containerd.runtime.v2.task/{moby,k8s.io}/[0-9a-f]*/{,*} rw,
+  @{run}/containerd/io.containerd.runtime.v2.task/{moby,k8s.io}/@{hex}/{,*} rw,
-  @{run}/containerd/s/{,[0-9a-f]*} rw,
+  @{run}/containerd/s/{,@{hex}} rw,
-  @{run}/docker/containerd/[0-9a-f]*/[0-9a-f]*-{stdin,stdout,stderr} rw,
+  @{run}/docker/containerd/@{hex}/@{hex}-{stdin,stdout,stderr} rw,
-  @{run}/docker/containerd/[0-9a-f]*/init-{stdin,stdout,stderr} rw,
+  @{run}/docker/containerd/@{hex}/init-{stdin,stdout,stderr} rw,
  @{run}/docker/containerd/daemon/io.containerd.*/{,**} rw,
  @{run}/secrets/kubernetes.io/serviceaccount/*/token w,
--- a/apparmor.d/groups/virt/k3s
+++ b/apparmor.d/groups/virt/k3s
@ -61,7 +61,7 @@ profile k3s @{exec_path} {
  /{usr/,}{s,}bin/xtables-nft-multi rPx -> cni-xtables-nft,
  @{libexec}/kubernetes/kubelet-plugins/volume/exec/nodeagent~uds/uds rix,
-  /var/lib/rancher/k3s/data/[0-9a-f]*/bin/* rix,
+  /var/lib/rancher/k3s/data/@{hex}/bin/* rix,
  @{libexec}/kubernetes/kubelet-plugins/volume/exec/{,**} r,
  /usr/share/mime/globs2 r,
@ -145,7 +145,7 @@ profile k3s @{exec_path} {
  @{sys}/devices/virtual/block/*/** r,
  @{sys}/devices/virtual/dmi/id/* r,
-  @{sys}/devices/virtual/net/cali[0-9a-f]*/{address,mtu,speed} r,
+  @{sys}/devices/virtual/net/cali@{hex}/{address,mtu,speed} r,
  @{sys}/devices/virtual/net/vxlan.calico/{address,mtu,speed} r,
  @{sys}/fs/cgroup/{,*,*/} r,
--- a/apparmor.d/groups/virt/libvirt/TEMPLATE.lxc
+++ b/apparmor.d/groups/virt/libvirt/TEMPLATE.lxc
@ -1,21 +0,0 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) Libvirt Team
 # Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 # This profile is for the container whose UUID matches this file.
 abi <abi/3.0>,
 include <tunables/global>
 profile LIBVIRT_TEMPLATE flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/libvirt-lxc>
  # Globally allows everything to run under this profile
  # These can be narrowed depending on the container's use.
  file,
  capability,
  network,
 }
--- a/apparmor.d/groups/virt/libvirt/TEMPLATE.qemu
+++ b/apparmor.d/groups/virt/libvirt/TEMPLATE.qemu
@ -1,17 +0,0 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) Libvirt Team
 # Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 # This profile is for the VM whose UUID matches this file.
 abi <abi/3.0>,
 include <tunables/global>
 profile LIBVIRT_TEMPLATE flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/consoles>
  include <abstractions/nameservice-strict>
  include <abstractions/libvirt-qemu>
 }
--- a/apparmor.d/groups/virt/virt-aa-helper
+++ b/apparmor.d/groups/virt/virt-aa-helper
@ -0,0 +1,68 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) Libvirt Team
 # Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 abi <abi/3.0>,
 include <tunables/global>
@{exec_path} = /{usr/,}lib/libvirt/virt-aa-helper
 profile virt-aa-helper @{exec_path} {
  include <abstractions/base>
  include <abstractions/openssl>
  capability dac_override,
  capability dac_read_search,
  network inet,
  network inet6,
  @{exec_path} mr,
  /{usr/,}{s,}bin/apparmor_parser rPx,
  /etc/apparmor.d/libvirt/* r,
  /etc/apparmor.d/libvirt/libvirt-@{uuid} rw,
  /etc/libnl{,-3}/classid r,   # Allow reading libnl's classid file
  # System VM images
  /var/lib/libvirt/images/{,**} r,
  /var/lib/nova/instances/_base/* r,
  # User VM images
  @{user_share_dirs}/ r,
  @{user_share_dirs}/libvirt/{,**} r,
  @{user_vm_dirs}/{,**} r,
  # For virt-sandbox
  @{run}/libvirt/**/[sv]d[a-z] r,
  @{sys}/bus/usb/devices/ r,
  @{sys}/devices/ r,
  @{sys}/devices/** r,
        @{PROC}/@{pid}/fd/ r,
        @{PROC}/@{pid}/net/psched r,
        @{PROC}/filesystems r,
  deny  @{PROC}/@{pid}/mounts r,
  owner @{PROC}/@{pid}/status r,
  # For gl enabled graphics
  /dev/dri/{,*} r,
  # For hostdev
  deny /dev/dasd* r,
  deny /dev/dm-* r,
  deny /dev/drbd[0-9]* r,
  deny /dev/mapper/ r,
  deny /dev/mapper/* r,
  deny /dev/nvme* r,
  deny /dev/sd* r,
  deny /dev/vd* r,
  deny /dev/zd[0-9]* r,
  include if exists <usr/virt-aa-helper.d>
  include if exists <local/virt-aa-helper>
 }
--- a/apparmor.d/profiles-a-f/aa-log
+++ b/apparmor.d/profiles-a-f/aa-log
@ -29,9 +29,9 @@ profile aa-log @{exec_path} {
    /etc/machine-id r,
    /{run,var}/log/journal/ r,
-    /{run,var}/log/journal/[0-9a-f]*/ r,
+    /{run,var}/log/journal/@{hex}/ r,
-    /{run,var}/log/journal/[0-9a-f]*/user-@{uid}*.journal* r,
+    /{run,var}/log/journal/@{hex}/user-@{uid}*.journal* r,
-    /{run,var}/log/journal/[0-9a-f]*/user-@{uid}.journal r,
+    /{run,var}/log/journal/@{hex}/user-@{uid}.journal r,
    @{PROC}/sys/kernel/random/boot_id r,
    @{PROC}/sys/kernel/cap_last_cap r,
--- a/apparmor.d/profiles-a-f/anki
+++ b/apparmor.d/profiles-a-f/anki
@ -55,9 +55,9 @@ profile anki @{exec_path} {
  owner @{user_cache_dirs}/ rw,
  owner @{user_cache_dirs}/qtshadercache/ rw,
  owner @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9] rw,
-  owner @{user_cache_dirs}/qtshadercache/[0-9a-f]* rwl -> @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9],
+  owner @{user_cache_dirs}/qtshadercache/@{hex} rwl -> @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9],
  owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9] rw,
-  owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/[0-9a-f]* rwl -> @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9],
+  owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/@{hex} rwl -> @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9],
  /usr/share/anki/{,**} r,
--- a/apparmor.d/profiles-a-f/claws-mail
+++ b/apparmor.d/profiles-a-f/claws-mail
@ -43,8 +43,8 @@ profile claws-mail @{exec_path} flags=(complain) {
  owner @{HOME}/.claws-mail/** rwl -> @{HOME}/.claws-mail/**,
  owner /tmp/claws-mail-[0-9]*/ rw,
-  owner /tmp/claws-mail-[0-9]*/[0-9a-f]* rw,
+  owner /tmp/claws-mail-[0-9]*/@{hex} rw,
-  owner /tmp/claws-mail-[0-9]*/[0-9a-f]*.lock rwk,
+  owner /tmp/claws-mail-[0-9]*/@{hex}.lock rwk,
  owner /var/mail/* rwk,
--- a/apparmor.d/profiles-a-f/cups-backend-beh
+++ b/apparmor.d/profiles-a-f/cups-backend-beh
@ -0,0 +1,18 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 abi <abi/3.0>,
 include <tunables/global>
@{exec_path} = /{usr/,}lib/cups/backend/beh
 profile cups-backend-beh @{exec_path} {
  include <abstractions/base>
  @{exec_path} mr,
  /etc/papersize r,
  include if exists <local/cups-backend-beh>
 }
--- a/apparmor.d/profiles-a-f/cups-backend-brf
+++ b/apparmor.d/profiles-a-f/cups-backend-brf
@ -0,0 +1,20 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 abi <abi/3.0>,
 include <tunables/global>
@{exec_path} = /{usr/,}lib/cups/backend/cups-brf
 profile cups-backend-brf @{exec_path} {
  include <abstractions/base>
  capability setuid,
  @{exec_path} mr,
  /etc/papersize r,
  include if exists <local/cups-backend-brf>
 }
--- a/apparmor.d/profiles-a-f/cups-backend-dnssd
+++ b/apparmor.d/profiles-a-f/cups-backend-dnssd
@ -0,0 +1,18 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 abi <abi/3.0>,
 include <tunables/global>
@{exec_path} = /{usr/,}lib/cups/backend/dnssd
 profile cups-backend-dnssd @{exec_path} {
  include <abstractions/base>
  @{exec_path} mr,
  /etc/papersize r,
  include if exists <local/cups-backend-dnssd>
 }
--- a/apparmor.d/profiles-a-f/cups-backend-implicitclass
+++ b/apparmor.d/profiles-a-f/cups-backend-implicitclass
@ -0,0 +1,18 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 abi <abi/3.0>,
 include <tunables/global>
@{exec_path} = /{usr/,}lib/cups/backend/implicitclass
 profile cups-backend-implicitclass @{exec_path} {
  include <abstractions/base>
  @{exec_path} mr,
  /etc/papersize r,
  include if exists <local/cups-backend-implicitclass>
 }
--- a/apparmor.d/profiles-a-f/cups-backend-ipp
+++ b/apparmor.d/profiles-a-f/cups-backend-ipp
@ -0,0 +1,18 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 abi <abi/3.0>,
 include <tunables/global>
@{exec_path} = /{usr/,}lib/cups/backend/ipp
 profile cups-backend-ipp @{exec_path} {
  include <abstractions/base>
  @{exec_path} mr,
  /etc/papersize r,
  include if exists <local/cups-backend-ipp>
 }
--- a/apparmor.d/profiles-a-f/cups-backend-lpd
+++ b/apparmor.d/profiles-a-f/cups-backend-lpd
@ -0,0 +1,18 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 abi <abi/3.0>,
 include <tunables/global>
@{exec_path} = /{usr/,}lib/cups/backend/lpd
 profile cups-backend-lpd @{exec_path} {
  include <abstractions/base>
  @{exec_path} mr,
  /etc/papersize r,
  include if exists <local/cups-backend-lpd>
 }
--- a/apparmor.d/profiles-a-f/cups-backend-parallel
+++ b/apparmor.d/profiles-a-f/cups-backend-parallel
@ -0,0 +1,18 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 abi <abi/3.0>,
 include <tunables/global>
@{exec_path} = /{usr/,}lib/cups/backend/parallel
 profile cups-backend-parallel @{exec_path} {
  include <abstractions/base>
  @{exec_path} mr,
  /etc/papersize r,
  include if exists <local/cups-backend-parallel>
 }
--- a/apparmor.d/profiles-a-f/cups-backend-pdf
+++ b/apparmor.d/profiles-a-f/cups-backend-pdf
@ -0,0 +1,46 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 abi <abi/3.0>,
 include <tunables/global>
@{exec_path} = /{usr/,}lib/cups/backend/cups-pdf
 profile cups-backend-pdf @{exec_path} {
  include <abstractions/base>
  include <abstractions/fonts>
  include <abstractions/nameservice-strict>
  include <abstractions/user-download-strict>
  capability chown,
  capability setgid,
  capability setuid,
  capability dac_override,
  unix peer=(label=cupsd),
  @{exec_path} mr,
  /{usr/,}bin/{,ba,da}sh      rix,
  /{usr/,}bin/cp              rix,
  /{usr/,}bin/gs              rix,
  /{usr/,}bin/gsc             rix,
  /{usr/,}lib/ghostscript/**  mr,
  /usr/share/ghostscript/{,**} r,
  /etc/papersize r,
  /etc/cups/ r,
  /etc/cups/cups-pdf.conf r,
  /etc/cups/ppd/*.ppd r,
  /var/log/cups/cups-pdf*_log w,
  /var/spool/cups-pdf/{,**} rw,
  /var/spool/cups/** r,
  /var/tmp/gs_* rw,
  /dev/tty rw,
  include if exists <local/cups-backend-pdf>
 }
--- a/apparmor.d/profiles-a-f/cups-backend-serial
+++ b/apparmor.d/profiles-a-f/cups-backend-serial
@ -0,0 +1,18 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 abi <abi/3.0>,
 include <tunables/global>
@{exec_path} = /{usr/,}lib/cups/backend/serial
 profile cups-backend-serial @{exec_path} {
  include <abstractions/base>
  @{exec_path} mr,
  /etc/papersize r,
  include if exists <local/cups-backend-serial>
 }
--- a/apparmor.d/profiles-a-f/cups-backend-snmp
+++ b/apparmor.d/profiles-a-f/cups-backend-snmp
@ -0,0 +1,23 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 abi <abi/3.0>,
 include <tunables/global>
@{exec_path} = /{usr/,}lib/cups/backend/snmp
 profile cups-backend-snmp @{exec_path} {
  include <abstractions/base>
  network inet dgram,
  network inet6 dgram,
  network netlink raw,
  @{exec_path} mr,
  /etc/cups/snmp.conf r,
  /etc/papersize r,
  include if exists <local/cups-backend-snmp>
 }
--- a/apparmor.d/profiles-a-f/cups-backend-socket
+++ b/apparmor.d/profiles-a-f/cups-backend-socket
@ -0,0 +1,18 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 abi <abi/3.0>,
 include <tunables/global>
@{exec_path} = /{usr/,}lib/cups/backend/socket
 profile cups-backend-socket @{exec_path} {
  include <abstractions/base>
  @{exec_path} mr,
  /etc/papersize r,
  include if exists <local/cups-backend-socket>
 }
--- a/apparmor.d/profiles-a-f/cups-backend-usb
+++ b/apparmor.d/profiles-a-f/cups-backend-usb
@ -0,0 +1,24 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 abi <abi/3.0>,
 include <tunables/global>
@{exec_path} = /{usr/,}lib/cups/backend/usb
 profile cups-backend-usb @{exec_path} {
  include <abstractions/base>
  include <abstractions/devices-usb>
  network netlink raw,
  @{exec_path} mr,
  /usr/share/cups/usb/{,**} r,
  /etc/cups/ppd/*.ppd r,
  /etc/papersize r,
  include if exists <local/cups-backend-usb>
 }
--- a/apparmor.d/profiles-a-f/cups-browsed
+++ b/apparmor.d/profiles-a-f/cups-browsed
@ -0,0 +1,69 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 abi <abi/3.0>,
 include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/cups-browsed
 profile cups-browsed @{exec_path} {
  include <abstractions/base>
  include <abstractions/cups-client>
  include <abstractions/dbus-strict>
  include <abstractions/nameservice-strict>
  include <abstractions/p11-kit>
  capability net_bind_service,
  capability sys_nice,
  network inet dgram,
  network inet6 dgram,
  network inet stream,
  network inet6 stream,
  network netlink raw,
  dbus send bus=system path=/
       interface=org.freedesktop.Avahi.Server
       member={GetAPIVersion,GetState,ServiceBrowserNew},
  dbus send bus=system path=/
       interface=org.freedesktop.DBus.Peer
       member=Ping
       peer=(name=org.freedesktop.Avahi),
  dbus send bus=system path=/org/freedesktop/NetworkManager
       interface=org.freedesktop.DBus.Properties
       member=GetAll,
  dbus send bus=system path=/Client[0-9]*/ServiceBrowser[0-9]*
       interface=org.freedesktop.Avahi.ServiceBrowser
       member=Free
       peer=(name=org.freedesktop.Avahi),
  dbus receive bus=system path=/Client[0-9]*/ServiceBrowser[0-9]*
       interface=org.freedesktop.Avahi.ServiceBrowser
       member={AllForNow,CacheExhausted},
  dbus receive bus=system path=/org/freedesktop/NetworkManager
       interface=org.freedesktop.{DBus.Properties,NetworkManager}
       member={CheckPermissions,PropertiesChanged,StateChanged,DeviceAdded},
  dbus receive bus=system path=/
       interface=org.freedesktop.Avahi.Server
       member=StateChanged,
  @{exec_path} mr,
  /usr/share/cups/locale/{,**} r,
  /usr/share/locale/{,**} r,
  /etc/cups/{,**} r,
  /var/cache/cups/{,**} rw,
  /var/log/cups/{,**} rw,
  @{run}/cups/certs/* r,
  include if exists <local/cups-browsed>
 }
--- a/apparmor.d/profiles-a-f/cups-pk-helper-mechanism
+++ b/apparmor.d/profiles-a-f/cups-pk-helper-mechanism
@ -0,0 +1,35 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 abi <abi/3.0>,
 include <tunables/global>
@{exec_path} = /{usr/,}lib/cups-pk-helper-mechanism
@{exec_path} += /{usr/,}lib/cups-pk-helper/cups-pk-helper-mechanism
@{exec_path} += /{usr/,}lib/@{multiarch}/cups-pk-helper-mechanism
 profile cups-pk-helper-mechanism @{exec_path} {
  include <abstractions/base>
  include <abstractions/dbus-strict>
  include <abstractions/nameservice-strict>
  capability dac_read_search,
  capability sys_nice,
  dbus receive bus=system path=/
       interface=org.opensuse.CupsPkHelper.Mechanism,
  dbus bind bus=system 
      name=org.opensuse.CupsPkHelper.Mechanism,
  @{exec_path} mr,
  /etc/cups/ppd/*.ppd r,
  owner /tmp/[a-z0-9]* rw,
  @{run}/cups/cups.sock rw,
  include if exists <local/cups-pk-helper-mechanism>
 }
--- a/apparmor.d/profiles-a-f/cupsd
+++ b/apparmor.d/profiles-a-f/cupsd
@ -0,0 +1,90 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/cupsd
 profile cupsd @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/authentication>
  include <abstractions/dbus-strict>
  include <abstractions/nameservice-strict>
  include <abstractions/openssl>
  include <abstractions/python>
  capability audit_write,
  capability chown,
  capability dac_override,
  capability dac_read_search,
  capability fowner,
  capability fsetid,
  capability kill,
  capability net_admin,
  capability net_bind_service,
  capability setgid,
  capability setuid,
  capability wake_alarm,
  network inet stream,
  network inet6 stream,
  network appletalk dgram,
  network ash dgram,
  network ax25 dgram,
  network bluetooth,
  network econet dgram,
  network ipx dgram,
  network netrom seqpacket,
  network rose dgram,
  network x25 seqpacket,
  dbus send bus=system path=/org/freedesktop/ColorManager{,/devices/cups_*}
    interface=org.freedesktop.ColorManager{,.*}
    member={CreateProfile,CreateDevice,FindDeviceById,AddProfile}
    peer=(name=org.freedesktop.ColorManager),
  @{exec_path} mr,
  /{usr/,}bin/{,ba,da}sh          rix,
  /{usr/,}bin/gsc                 rix,
  /{usr/,}bin/hostname            rix,
  /{usr/,}bin/ippfind             rix,
  /{usr/,}bin/python3.[0-9]*      rix,
  /{usr/,}bin/smbspool            rPx,
  /{usr/,}bin/xz                  rix,
  /{usr/,}lib/cups/backend/*      rPx,
  /{usr/,}lib/cups/cgi-bin/*.cgi  rix,
  /{usr/,}lib/cups/daemon/*       rix,
  /{usr/,}lib/cups/driver/*       rix,
  /{usr/,}lib/cups/filter/*       rix,
  /{usr/,}lib/cups/monitor/*      rix,
  /{usr/,}lib/cups/notifier/*     rix,
  /usr/share/cups/{,**} r,
  /usr/share/ppd/{,**} r,
  /usr/share/ghostscript/{,**} r,
  /etc/cups/{,**} rw,
  /etc/foomatic/* r,
  /etc/papersize r,
  /etc/pnm2ppa.conf r,
  /etc/printcap rwl,
  /var/cache/cups/ rw,
  /var/cache/cups/** rwk,
  /var/log/cups/{,*} rw,
  /var/spool/cups/{,**} rw,
  @{run}/cups/{,**} rw,
  @{run}/systemd/notify w,
  @{sys}/module/apparmor/parameters/enabled r,
        @{PROC}/@{pids}/fd r,
  owner @{PROC}/@{pid}/mounts r,
  /dev/tty rw,
  include if exists <local/cupsd>
 }
--- a/apparmor.d/profiles-a-f/deltachat-desktop
+++ b/apparmor.d/profiles-a-f/deltachat-desktop
@ -49,10 +49,10 @@ profile deltachat-desktop @{exec_path} {
  /usr/share/glib-2.0/schemas/gschemas.compiled r,
-  owner /tmp/[0-9a-f]*/ rw,
+  owner /tmp/@{hex}/ rw,
-  owner /tmp/[0-9a-f]*/db.sqlite-blobs/ rw,
+  owner /tmp/@{hex}/db.sqlite-blobs/ rw,
-  owner /tmp/[0-9a-f]*/db.sqlite rwk,
+  owner /tmp/@{hex}/db.sqlite rwk,
-  owner /tmp/[0-9a-f]*/db.sqlite-journal rw,
+  owner /tmp/@{hex}/db.sqlite-journal rw,
             @{PROC}/ r,
       owner @{PROC}/@{pid}/fd/ r,
--- a/apparmor.d/profiles-a-f/dhclient-script
+++ b/apparmor.d/profiles-a-f/dhclient-script
@ -14,88 +14,60 @@ profile dhclient-script @{exec_path} {
  include <abstractions/openssl>
  include <abstractions/ssl_certs>
  capability net_admin,
  capability sys_admin,
-
+  audit capability sys_module,
  # Needed?
  audit deny capability sys_module,
  @{exec_path} mr,
  /{usr/,}bin/{,ba,da}sh mrix,
  /{usr/,}bin/mkdir       rix,
  /{usr/,}bin/ping        rPx,
  /{usr/,}bin/chronyc     rPUx,
  /{usr/,}bin/run-parts   rCx -> run-parts,
  /{usr/,}sbin/resolvconf rPx,
  # To remove the following error:
  #  /sbin/dhclient-script: 133: hostname: Permission denied
  /{usr/,}bin/hostname    rix,
  # To read scripts
  /etc/dhcp/ r,
  /etc/dhcp/dhclient-{enter,exit}-hooks.d/{,*} r,
  # For debug script
  /{usr/,}bin/date rix,
  /etc/dhcp/debug r,
  owner /tmp/dhclient-script.debug rw,
  # For ddclient script
  /{usr/,}{s,}bin/ddclient  rPx,
-  /etc/default/ddclient   r,
+  /{usr/,}{s,}bin/sysctl    rix,
-  /{usr/,}bin/logger      rix,
+  /{usr/,}bin/{,ba,da}sh   mrix,
-
+  /{usr/,}bin/chmod         rix,
-  # For samba script
+  /{usr/,}bin/chown         rix,
-  /{usr/,}bin/mv rix,
+  /{usr/,}bin/chronyc       rPUx,
-  /etc/samba/dhcp.conf{,.new} rw,
+  /{usr/,}bin/date          rix,
-  # For netbios name servers settings from a DHCP server
+  /{usr/,}bin/fold          rix,
-  /var/lib/samba/dhcp.conf{,.new} rw,
+  /{usr/,}bin/head          rix,
-
+  /{usr/,}bin/hostname      rix,
  # Many scripts may use the ip tool
  capability net_admin,
  /{usr/,}bin/ip            rix,
-
+  /{usr/,}bin/logger        rix,
-  # For loadbalance
+  /{usr/,}bin/mkdir         rix,
-  /etc/iproute2/rt_tables r,
+  /{usr/,}bin/mv            rix,
-  /etc/iproute2/rt_tables.d/{,*} r,
+  /{usr/,}bin/paste         rix,
-  owner @{PROC}/@{pid}/loginuid r,
+  /{usr/,}bin/ping          rPx,
-
+  /{usr/,}bin/printenv      rix,
  # For updating the /etc/resolv.conf file
  /{usr/,}bin/readlink      rix,
  /{usr/,}bin/rm            rix,
-  /{usr/,}bin/chown     rix,
+  /{usr/,}bin/run-parts     rCx -> run-parts,
  /{usr/,}bin/chmod     rix,
  /{usr/,}bin/sed           rix,
  /etc/fstab r,
  /etc/resolv.conf.dhclient-new.@{pid} rw,
  /etc/resolv.conf rw,
  # For stable-privacy addresses
  /{usr/,}{s,}bin/sysctl   rix,
  /{usr/,}bin/head      rix,
  /{usr/,}bin/xxd       rix,
  /{usr/,}bin/paste     rix,
  /{usr/,}bin/fold      rix,
  /{usr/,}bin/tr            rix,
-  @{PROC}/sys/net/ipv6/conf/*/stable_secret w,
+  /{usr/,}bin/xxd           rix,
  /{usr/,}sbin/resolvconf   rPx,
-  # For printing env
+  /etc/default/ddclient r,
-  /{usr/,}bin/printenv  rix,
+  /etc/dhcp/{,**} r,
  /etc/fstab r,
  /etc/iproute2/rt_tables r,
  /etc/iproute2/rt_tables.d/{,*} r,
  /etc/resolv.conf rw,
  /etc/resolv.conf.dhclient-new.@{pid} rw,
  /etc/samba/dhcp.conf{,.new} rw,
  /var/lib/dhcp/dhclient.leases r,
  /var/lib/samba/dhcp.conf{,.new} rw,
  owner /tmp/dhclient-script.debug rw,
  owner /tmp/variables.txt w,
-  # For ntpd/ntpsec
+  @{run}/chrony-dhcp/ rw,
  @{run}/systemd/netif/leases/ r,
  # For chrony
  @{run}/chrony-dhcp/ rw,
  # file_inherit
  /var/lib/dhcp/dhclient.leases r,
  @{sys}/devices/virtual/dmi/id/board_vendor r,
  owner @{PROC}/@{pid}/loginuid r,
        @{PROC}/sys/net/ipv6/conf/*/stable_secret w,
  profile run-parts {
    include <abstractions/base>
--- a/apparmor.d/profiles-a-f/losetup
+++ b/apparmor.d/profiles-a-f/losetup
@ -0,0 +1,26 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 abi <abi/3.0>,
 include <tunables/global>
@{exec_path} = /{usr/,}bin/losetup
 profile losetup @{exec_path} {
  include <abstractions/base>
  capability dac_override,
  capability dac_read_search,
  unix (receive) type=stream,
  @{exec_path} mr,
  @{sys}/devices/system/cpu/possible r,
  /dev/loop-control rw,
  /dev/loop[0-9]* rw,
  include if exists <local/losetup>
 }
--- a/apparmor.d/profiles-g-l/git
+++ b/apparmor.d/profiles-g-l/git
@ -11,9 +11,9 @@ include <tunables/global>
@{exec_path} += /{usr/,}bin/git-*
@{exec_path} += /{usr/,}lib/git-core/git
@{exec_path} += /{usr/,}lib/git-core/git-*
-@{exec_path} += /usr/libexec/git-core/git
+@{exec_path} += @{libexec}/git-core/git
-@{exec_path} += /usr/libexec/git-core/git-*
+@{exec_path} += @{libexec}/git-core/git-*
-@{exec_path} += /usr/libexec/git-core/mergetools/*
+@{exec_path} += @{libexec}/git-core/mergetools/*
 profile git @{exec_path} {
  include <abstractions/base>
  include <abstractions/consoles>
@ -167,8 +167,9 @@ profile git @{exec_path} {
    /etc/vimrc r,
    /etc/vim/{,**} r,
-    owner @{user_projects_dirs}/**/.git/COMMIT_EDITMSG rw,
+    owner @{user_projects_dirs}/**/ r,
    owner @{user_projects_dirs}/**/.git/[0-9]* rw,
    owner @{user_projects_dirs}/**/.git/*MSG rw,
    owner @{HOME}/.fzf/plugin/ r,
    owner @{HOME}/.fzf/plugin/fzf.vim r,
--- a/apparmor.d/profiles-g-l/gpo
+++ b/apparmor.d/profiles-g-l/gpo
@ -40,7 +40,7 @@ profile gpo @{exec_path} {
  /etc/inputrc r,
-  owner /var/tmp/etilqs_[0-9a-f]* rw,
+  owner /var/tmp/etilqs_@{hex} rw,
  include if exists <local/gpo>
 }
--- a/apparmor.d/profiles-g-l/gpodder
+++ b/apparmor.d/profiles-g-l/gpodder
@ -46,7 +46,7 @@ profile gpodder @{exec_path} {
  /usr/share/glib-2.0/schemas/gschemas.compiled r,
-  owner /var/tmp/etilqs_[0-9a-f]* rw,
+  owner /var/tmp/etilqs_@{hex} rw,
  /etc/mime.types r,
--- a/apparmor.d/profiles-g-l/gsmartcontrol
+++ b/apparmor.d/profiles-g-l/gsmartcontrol
@ -76,7 +76,7 @@ profile gsmartcontrol @{exec_path} {
    /{usr/,}bin/dbus-daemon rPUx,
    # for dbus-launch
-    owner @{HOME}/.dbus/session-bus/[0-9a-f]*-[0-9] w,
+    owner @{HOME}/.dbus/session-bus/@{hex}-[0-9] w,
    @{HOME}/.Xauthority r,
  }
--- a/apparmor.d/profiles-g-l/hw-probe
+++ b/apparmor.d/profiles-g-l/hw-probe
@ -132,10 +132,10 @@ profile hw-probe @{exec_path} {
    @{run}/log/ rw,
    /{run,var}/log/journal/ rw,
-    /{run,var}/log/journal/[0-9a-f]*/ rw,
+    /{run,var}/log/journal/@{hex}/ rw,
-    /{run,var}/log/journal/[0-9a-f]*/user-[0-9a-f]*.journal* rw,
+    /{run,var}/log/journal/@{hex}/user-@{hex}.journal* rw,
-    /{run,var}/log/journal/[0-9a-f]*/system.journal* rw,
+    /{run,var}/log/journal/@{hex}/system.journal* rw,
-    /{run,var}/log/journal/[0-9a-f]*/system@[0-9a-f]*.journal* rw,
+    /{run,var}/log/journal/@{hex}/system@@{hex}.journal* rw,
    owner @{PROC}/@{pid}/stat r,
--- a/apparmor.d/profiles-g-l/jdownloader
+++ b/apparmor.d/profiles-g-l/jdownloader
@ -51,7 +51,7 @@ profile jdownloader @{exec_path} {
  owner @{JD_INSTALLDIR}/tmp/jna/jna[0-9]*.tmp mrw,
  owner @{JD_INSTALLDIR}/tmp/7zip/SevenZipJBinding-*/lib7-Zip-JBinding.so mrw,
-  owner @{HOME}/.oracle_jre_usage/[0-9a-f]*.timestamp rw,
+  owner @{HOME}/.oracle_jre_usage/@{hex}.timestamp rw,
  owner @{HOME}/.java/.userPrefs/.user.lock.* rwk,
  owner @{HOME}/.java/.userPrefs/com/install4j/installations/prefs.xml rw,
  owner @{HOME}/.java/fonts/[0-9]*/ rw,
--- a/apparmor.d/profiles-g-l/jdownloader-install
+++ b/apparmor.d/profiles-g-l/jdownloader-install
@ -48,7 +48,7 @@ profile jdownloader-install @{exec_path} {
  owner @{JD_SH_PATH}/JD2Setup_{x86,x64}.sh.[0-9]*.dir/jre/lib/*/*.so mrw,
  owner @{JD_SH_PATH}/install4jError[0-9]*.log rw,
-  owner @{HOME}/.oracle_jre_usage/[0-9a-f]*.timestamp rw,
+  owner @{HOME}/.oracle_jre_usage/@{hex}.timestamp rw,
  owner @{HOME}/.java/.userPrefs/.user.lock.* rwk,
  owner @{HOME}/.java/fonts/[0-9]*/fcinfo*.tmp rw,
  owner @{HOME}/.java/fonts/[0-9]*/fcinfo-*.properties rw,
--- a/apparmor.d/profiles-g-l/kscreenlocker-greet
+++ b/apparmor.d/profiles-g-l/kscreenlocker-greet
@ -43,9 +43,9 @@ profile kscreenlocker-greet @{exec_path} {
  owner @{user_cache_dirs}/ rw,
  owner @{user_cache_dirs}/qtshadercache/ rw,
  owner @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9] rw,
-  owner @{user_cache_dirs}/qtshadercache/[0-9a-f]* rwl -> @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9],
+  owner @{user_cache_dirs}/qtshadercache/@{hex} rwl -> @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9],
  owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9] rw,
-  owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/[0-9a-f]* rwl -> @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9],
+  owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/@{hex} rwl -> @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9],
  owner @{user_cache_dirs}/plasma-svgelements-default_v* r,
--- a/apparmor.d/profiles-g-l/linssid
+++ b/apparmor.d/profiles-g-l/linssid
@ -103,7 +103,7 @@ profile linssid @{exec_path} {
    /{usr/,}bin/dbus-daemon rPUx,
    # for dbus-launch
-    owner @{HOME}/.dbus/session-bus/[0-9a-f]*-[0-9] w,
+    owner @{HOME}/.dbus/session-bus/@{hex}-[0-9] w,
    @{HOME}/.Xauthority r,
  }
--- a/apparmor.d/profiles-g-l/lxappearance
+++ b/apparmor.d/profiles-g-l/lxappearance
@ -59,7 +59,7 @@ profile lxappearance @{exec_path} {
    /{usr/,}bin/dbus-daemon rPUx,
    # for dbus-launch
-    owner @{HOME}/.dbus/session-bus/[0-9a-f]*-[0-9] w,
+    owner @{HOME}/.dbus/session-bus/@{hex}-[0-9] w,
    @{HOME}/.Xauthority r,
  }
--- a/apparmor.d/profiles-m-r/minitube
+++ b/apparmor.d/profiles-m-r/minitube
@ -60,9 +60,9 @@ profile minitube @{exec_path} {
  owner @{user_cache_dirs}/qtshadercache/ rw,
  owner @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9] rw,
-  owner @{user_cache_dirs}/qtshadercache/[0-9a-f]* rwl -> @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9],
+  owner @{user_cache_dirs}/qtshadercache/@{hex} rwl -> @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9],
  owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9] rw,
-  owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/[0-9a-f]* rwl -> @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9],
+  owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/@{hex} rwl -> @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9],
  # To configure Qt5 settings (theme, font, icons, etc.) under DE/WM without Qt integration
  owner @{user_config_dirs}/qt5ct/{,**} r,
--- a/apparmor.d/profiles-m-r/mkvtoolnix-gui
+++ b/apparmor.d/profiles-m-r/mkvtoolnix-gui
@ -80,7 +80,7 @@ profile mkvtoolnix-gui @{exec_path} {
  owner @{user_cache_dirs}/bunkus.org/ rw,
  owner @{user_cache_dirs}/bunkus.org/mkvtoolnix-gui/ rw,
  owner @{user_cache_dirs}/bunkus.org/mkvtoolnix-gui/**/ rw,
-  owner @{user_cache_dirs}/bunkus.org/mkvtoolnix-gui/**/[0-9a-f]* rw,
+  owner @{user_cache_dirs}/bunkus.org/mkvtoolnix-gui/**/@{hex} rw,
  owner @{user_config_dirs}/qt5ct/{,**} r,
  /usr/share/qt5ct/** r,
--- a/apparmor.d/profiles-m-r/needrestart
+++ b/apparmor.d/profiles-m-r/needrestart
@ -38,6 +38,7 @@ profile needrestart @{exec_path} flags=(attach_disconnected) {
  /{usr/,}lib/needrestart/iucode-scan-versions  rPx,
  /usr/share/debconf/frontend                   rix,
  /{usr/,}bin/networkd-dispatcher r,
  /{usr/,}bin/gettext.sh r,
  /usr/share/needrestart/{,**} r,
  /usr/share/unattended-upgrades/unattended-upgrade-shutdown r,
@ -47,15 +48,18 @@ profile needrestart @{exec_path} flags=(attach_disconnected) {
  /etc/needrestart/*.d/* rix,
  /etc/shadow r,
  /boot/ r,
  /boot/vmlinuz* r,
  owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk,
  owner @{PROC}/@{pid}/fd/ r,
        @{PROC}/ r,
        @{PROC}/@{pids}/cgroup r,
        @{PROC}/@{pids}/cmdline r,
        @{PROC}/@{pids}/environ r,
        @{PROC}/@{pids}/maps r,
        @{PROC}/@{pids}/stat r,
  owner @{PROC}/@{pid}/fd/ r,
  /dev/ r,
  /dev/**/ r,
--- a/apparmor.d/profiles-m-r/needrestart-apt-pinvoke
+++ b/apparmor.d/profiles-m-r/needrestart-apt-pinvoke
@ -10,6 +10,7 @@ include <tunables/global>
 profile needrestart-apt-pinvoke @{exec_path} {
  include <abstractions/base>
  include <abstractions/consoles>
  include <abstractions/dbus-strict>
  @{exec_path} mr,
--- a/apparmor.d/profiles-m-r/openbox
+++ b/apparmor.d/profiles-m-r/openbox
@ -35,7 +35,7 @@ profile openbox @{exec_path} {
  owner @{user_config_dirs}/openbox/ r,
  owner @{user_config_dirs}/openbox/* r,
-  owner @{user_config_dirs}/obmenu-generator/icons/[0-9a-f]*.png r,
+  owner @{user_config_dirs}/obmenu-generator/icons/@{hex}.png r,
  owner @{user_cache_dirs}/ rw,
  owner @{user_cache_dirs}/openbox/ rw,
--- a/apparmor.d/profiles-m-r/psi
+++ b/apparmor.d/profiles-m-r/psi
@ -82,7 +82,7 @@ profile psi @{exec_path} {
  /etc/fstab r,
-  owner /var/tmp/etilqs_[0-9a-f]* rw,
+  owner /var/tmp/etilqs_@{hex} rw,
  owner /tmp/#[0-9]*[0-9] rw,
  owner /tmp/Psi.* rwl -> /tmp/#[0-9]*[0-9],
--- a/apparmor.d/profiles-m-r/psi-plus
+++ b/apparmor.d/profiles-m-r/psi-plus
@ -82,7 +82,7 @@ profile psi-plus @{exec_path} {
  /etc/fstab r,
-  owner /var/tmp/etilqs_[0-9a-f]* rw,
+  owner /var/tmp/etilqs_@{hex} rw,
  owner /tmp/#[0-9]*[0-9] rw,
  owner /tmp/Psi+.* rwl -> /tmp/#[0-9]*[0-9],
--- a/apparmor.d/profiles-m-r/qbittorrent
+++ b/apparmor.d/profiles-m-r/qbittorrent
@ -235,7 +235,7 @@ profile qbittorrent @{exec_path} {
    # file_inherit
    owner @{MOUNTS}/torrent/** r,
-    owner @{MOUNTS}/torrent/**.[0-9a-f]*.parts rw,
+    owner @{MOUNTS}/torrent/**.@{hex}.parts rw,
    owner "@{MOUNTS}/torrent/**.!qB" rw,
    owner @{HOME}/.xsession-errors w,
--- a/apparmor.d/profiles-m-r/qnapi
+++ b/apparmor.d/profiles-m-r/qnapi
@ -109,7 +109,7 @@ profile qnapi @{exec_path} {
  owner /tmp/#[0-9]*[0-9] rw,
  owner /tmp/QNapi.[0-9]*.tmp.@{qnapi_txt_ext} rw,
  owner /tmp/QNapi.[0-9]*.tmp.@{qnapi_txt_ext} rwl -> /tmp/#[0-9]*[0-9],
-  owner /tmp/[0-9a-f]*.@{qnapi_txt_ext} rw,
+  owner /tmp/@{hex}.@{qnapi_txt_ext} rw,
  owner /tmp/*.@{qnapi_txt_ext} rw,
  /var/lib/dbus/machine-id r,
--- a/apparmor.d/profiles-m-r/qpdfview
+++ b/apparmor.d/profiles-m-r/qpdfview
@ -75,7 +75,7 @@ profile qpdfview @{exec_path} {
  /usr/share/hwdata/pnp.ids r,
  # Print
-  owner /tmp/[0-9a-f]* rw,
+  owner /tmp/@{hex} rw,
  # Save as
  owner /tmp/#[0-9]*[0-9] rw,
--- a/apparmor.d/profiles-m-r/qtox
+++ b/apparmor.d/profiles-m-r/qtox
@ -60,7 +60,7 @@ profile qtox @{exec_path} {
  /var/lib/dbus/machine-id r,
  /etc/machine-id r,
-  owner /tmp/qipc_{systemsem,sharedmemory}_*[0-9a-f]* rw,
+  owner /tmp/qipc_{systemsem,sharedmemory}_*@{hex} rw,
  @{sys}/devices/system/node/ r,                   # for ld-linux-x86-64.so -> libnuma1.so
  @{sys}/devices/system/node/node[0-9]*/meminfo r, # for ld-linux-x86-64.so -> libnuma1.so
--- a/Show more
+++ b/Show more