feat(profile): initial integration with attached path.

The feature is not yet enabled.

See https://apparmor.pujol.io/development/internal/#re-attached-path

apparmor.d/profiles-s-z/signal-desktop

@@ -40,7 +40,7 @@ profile signal-desktop @{exec_path} {
   audit @{lib_dirs}/chrome-sandbox rPx,
   @{lib_dirs}/chrome_crashpad_handler rix,
 
-  @{run}/systemd/inhibit/@{int}.ref rw,
+  @{att}/@{run}/systemd/inhibit/@{int}.ref rw,
 
         @{sys}/fs/cgroup/user.slice/cpu.max r,
         @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r,

apparmor.d/profiles-s-z/spice-vdagent

@@ -9,6 +9,7 @@ include <tunables/global>
 @{exec_path} = @{bin}/spice-vdagent
 profile spice-vdagent @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
+  include <abstractions/attached/consoles>
   include <abstractions/audio-client>
   include <abstractions/audio-server>
   include <abstractions/bus-accessibility>
@@ -46,8 +47,6 @@ profile spice-vdagent @{exec_path} flags=(attach_disconnected) {
 
   owner @{PROC}/@{pids}/task/@{tid}/comm rw,
 
-  owner /dev/tty@{int} rw,
-
   include if exists <local/spice-vdagent>
 }
 

apparmor.d/profiles-s-z/steam

@@ -174,12 +174,12 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) {
   owner @{tmp}/steam@{rand6}/{,**} rw,
   owner @{tmp}/vdpau-drivers-@{rand6}/{,**} rw,
 
+  owner @{att}/dev/shm/ValveIPCSHM_@{uid} rw,
   owner /dev/shm/fossilize-*-@{int}-@{int} rw,
   owner /dev/shm/u@{uid}-Shm_@{hex6} rw,
   owner /dev/shm/u@{uid}-Shm_@{hex6}@{h} rw,
   owner /dev/shm/u@{uid}-Shm_@{hex8} rw,
   owner /dev/shm/u@{uid}-ValveIPCSharedObj-Steam rwk,
-  owner /dev/shm/ValveIPCSHM_@{uid} rw,
 
   owner @{run}/user/@{uid}/ r,
 

apparmor.d/profiles-s-z/superproductivity

@@ -29,7 +29,7 @@ profile superproductivity @{exec_path} flags=(attach_disconnected) {
   @{bin}/speech-dispatcher rPx,
   @{open_path}             rPx -> child-open-strict,
 
-  @{run}/systemd/inhibit/@{int}.ref rw,
+  @{att}/@{run}/systemd/inhibit/@{int}.ref rw,
 
   include if exists <local/superproductivity>
 }

apparmor.d/profiles-s-z/udisksd

@@ -104,11 +104,12 @@ profile udisksd @{exec_path} flags=(attach_disconnected) {
   @{MOUNTS}/ rw,
   @{MOUNTS}/*/ rw,
 
+  @{att}/@{run}/systemd/inhibit/@{int}.ref rw,
+
   @{run}/ r,
   @{run}/mount/utab{,.*} rwk,
   @{run}/udisks2/{,**} rw,
   @{run}/systemd/seats/seat@{int} r,
-  @{run}/systemd/inhibit/@{int}.ref rw,
   @{run}/cryptsetup/ r,
   @{run}/cryptsetup/L* rwk,
 

apparmor.d/profiles-s-z/uname

@@ -14,7 +14,7 @@ profile uname @{exec_path} flags=(attach_disconnected) {
 
   @{exec_path} mr,
 
-  /dev/tty@{int} rw,
+  @{att}/dev/tty@{int} rw,
 
   deny network,
   deny owner @{user_share_dirs}/gvfs-metadata/* r,

apparmor.d/profiles-s-z/wechat-universal

@@ -46,7 +46,7 @@ profile wechat-universal @{exec_path} flags=(attach_disconnected) {
     owner @{HOME}/.xwechat/{,**} rwk,
     owner @{HOME}/.sys1og.conf rw,
 
-    @{run}/systemd/inhibit/@{int}.ref rw,
+    @{att}/@{run}/systemd/inhibit/@{int}.ref rw,
     @{run}/utmp r,
 
     @{PROC}/@{pid}/net/route r,

apparmor.d/profiles-s-z/xbrlapi

@@ -9,14 +9,13 @@ include <tunables/global>
 @{exec_path} = @{bin}/xbrlapi
 profile xbrlapi @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
+  include <abstractions/attached/consoles>
 
   network inet stream,
   network inet6 stream,
 
   @{exec_path} mr,
 
-  /dev/tty@{int} rw,
-
   include if exists <local/xbrlapi>
 }