diff --git a/apparmor.d/abstractions/X-strict b/apparmor.d/abstractions/X-strict index c63a6b094..b18d939d3 100644 --- a/apparmor.d/abstractions/X-strict +++ b/apparmor.d/abstractions/X-strict @@ -28,7 +28,7 @@ @{run}/user/@{uid}/xauth_* rl, # Xwayland - owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* rw, + owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} rw, /etc/X11/cursors/{,**} r, /usr/share/X11/{,**} r, diff --git a/apparmor.d/abstractions/qt5-shader-cache b/apparmor.d/abstractions/qt5-shader-cache index b3641edf4..81b9d5d0e 100644 --- a/apparmor.d/abstractions/qt5-shader-cache +++ b/apparmor.d/abstractions/qt5-shader-cache @@ -6,10 +6,10 @@ abi , owner @{user_cache_dirs}/qtshadercache/ rw, - owner @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9] rw, - owner @{user_cache_dirs}/qtshadercache/@{hex} rwl -> @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9], + owner @{user_cache_dirs}/qtshadercache/#@{number} rw, + owner @{user_cache_dirs}/qtshadercache/@{hex} rwl -> @{user_cache_dirs}/qtshadercache/#@{number}, owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/ rw, - owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9] rw, - owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/@{hex}* rwl -> @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9], + owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/#@{number} rw, + owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/@{hex}* rwl -> @{user_cache_dirs}/qtshadercache-*-little_endian-*/#@{number}, include if exists diff --git a/apparmor.d/groups/akonadi/akonadi_archivemail_agent b/apparmor.d/groups/akonadi/akonadi_archivemail_agent index 29f7b0ca0..482430550 100644 --- a/apparmor.d/groups/akonadi/akonadi_archivemail_agent +++ b/apparmor.d/groups/akonadi/akonadi_archivemail_agent 
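Review bot: The X-strict abstraction keeps write access on the Xwayland auth cookie (`owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} rw,`), and every profile that includes the abstraction inherits that, whereas the per-profile rules touched by this same commit (ibus-x11, ibus-extension-gtk3, gsd-xsettings) grant only `r`. An X client needs to read the cookie to authenticate; `w` additionally lets any confined client truncate or replace the session's cookie. Unless a consumer of this abstraction is known to write the file, I would change the abstraction line to `owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} r,` and leave `rw` in the profiles that create or rotate it (xwayland, mutter-x11-frames). The sibling `@{run}/user/@{uid}/xauth_* rl,` line in the same hunk already follows the read-only pattern.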
@@ -31,7 +31,7 @@ profile akonadi_archivemail_agent @{exec_path} { owner @{user_cache_dirs}/icon-cache.kcache rw, - owner @{user_config_dirs}/#[0-9]* rw, + owner @{user_config_dirs}/#@{number} rw, owner @{user_config_dirs}/akonadi_archivemail_agentrc r, owner @{user_config_dirs}/akonadi/agent_config_akonadi_archivemail_agent r, owner @{user_config_dirs}/akonadi/agent_config_akonadi_archivemail_agent_changes{,.dat} rw, diff --git a/apparmor.d/groups/akonadi/akonadi_mailfilter_agent b/apparmor.d/groups/akonadi/akonadi_mailfilter_agent index 0e374696c..8a91f5943 100644 --- a/apparmor.d/groups/akonadi/akonadi_mailfilter_agent +++ b/apparmor.d/groups/akonadi/akonadi_mailfilter_agent @@ -36,7 +36,7 @@ profile akonadi_mailfilter_agent @{exec_path} { owner @{user_cache_dirs}/icon-cache.kcache rw, - owner @{user_config_dirs}/#[0-9]* rw, + owner @{user_config_dirs}/#@{number} rw, owner @{user_config_dirs}/agent_config_akonadi_mailfilter_agent r, owner @{user_config_dirs}/akonadi_*_resource_*rc r, owner @{user_config_dirs}/akonadi_mailfilter_agentrc r, diff --git a/apparmor.d/groups/akonadi/akonadi_newmailnotifier_agent b/apparmor.d/groups/akonadi/akonadi_newmailnotifier_agent index b57660233..c4f16840d 100644 --- a/apparmor.d/groups/akonadi/akonadi_newmailnotifier_agent +++ b/apparmor.d/groups/akonadi/akonadi_newmailnotifier_agent @@ -33,7 +33,7 @@ profile akonadi_newmailnotifier_agent @{exec_path} { owner @{user_cache_dirs}/icon-cache.kcache rw, - owner @{user_config_dirs}/#[0-9]* rw, + owner @{user_config_dirs}/#@{number} rw, owner @{user_config_dirs}/akonadi_newmailnotifier_agentrc r, owner @{user_config_dirs}/akonadi/agent_config_akonadi_newmailnotifier_agent_changes{,_changes.dat,.dat} rw, owner @{user_config_dirs}/akonadi/akonadiconnectionrc r, diff --git a/apparmor.d/groups/apt/apt b/apparmor.d/groups/apt/apt index eac75559f..de7705bda 100644 --- a/apparmor.d/groups/apt/apt +++ b/apparmor.d/groups/apt/apt 
@@ -239,7 +239,7 @@ profile apt @{exec_path} flags=(attach_disconnected) { @{bin}/systemd-tty-ask-password-agent rix, - owner @{run}/systemd/ask-password-block/* rw, + owner @{run}/systemd/ask-password-block/{,*} rw, owner @{run}/systemd/ask-password/ rw, owner @{run}/systemd/private rw, diff --git a/apparmor.d/groups/apt/dpkg-query b/apparmor.d/groups/apt/dpkg-query index d18cde27e..165114126 100644 --- a/apparmor.d/groups/apt/dpkg-query +++ b/apparmor.d/groups/apt/dpkg-query @@ -22,7 +22,7 @@ profile dpkg-query @{exec_path} { /var/lib/dpkg/** r, # file_inherit - /tmp/#[0-9]*[0-9] rw, + /tmp/#@{number} rw, /dev/tty[0-9]* rw, include if exists diff --git a/apparmor.d/groups/browsers/firefox b/apparmor.d/groups/browsers/firefox index 15274eabd..6a0f0156d 100644 --- a/apparmor.d/groups/browsers/firefox +++ b/apparmor.d/groups/browsers/firefox @@ -189,7 +189,8 @@ profile firefox @{exec_path} flags=(attach_disconnected) { owner @{user_config_dirs}/ r, owner @{user_config_dirs}/gtk-{3,4}.0/assets/*.svg r, - owner @{user_config_dirs}/ibus/bus/{,@{hex}-unix{,-wayland}-[0-9]*} r, + owner @{user_config_dirs}/ibus/bus/ r, + owner @{user_config_dirs}/ibus/bus/@{md5}-unix-{,wayland-}@{number} r, owner @{user_config_dirs}/mimeapps.list{,.*} rw, owner @{user_share_dirs}/ r, diff --git a/apparmor.d/groups/bus/ibus-dconf b/apparmor.d/groups/bus/ibus-dconf index 1cbdceeac..0d7706ca2 100644 --- a/apparmor.d/groups/bus/ibus-dconf +++ b/apparmor.d/groups/bus/ibus-dconf 
@@ -33,16 +33,16 @@ profile ibus-dconf @{exec_path} flags=(attach_disconnected) { /etc/dconf/db/ibus r, /etc/dconf/profile/ibus r, - /var/lib/gdm{3,}/.config/ibus/bus/{,@{hex}-unix-wayland-[0-9]*} r, - /var/lib/gdm{3,}/.config/ibus/bus/@{hex}-unix-[0-9]* r, + /var/lib/gdm{3,}/.config/ibus/bus/ r, + /var/lib/gdm{3,}/.config/ibus/bus/@{md5}-unix-{,wayland-}@{number} r, /var/lib/gdm{3,}/.cache/dconf/ w, /var/lib/gdm{3,}/.cache/dconf/user rw, /var/lib/gdm{3,}/.config/dconf/ w, /var/lib/gdm{3,}/.config/dconf/user rw, /var/lib/gdm{3,}/greeter-dconf-defaults r, - owner @{user_config_dirs}/ibus/bus/{,@{hex}-unix-wayland-[0-9]*} r, - owner @{user_config_dirs}/ibus/bus/@{hex}-unix-[0-9]* r, + owner @{user_config_dirs}/ibus/bus/ r, + owner @{user_config_dirs}/ibus/bus/@{md5}-unix-{,wayland-}@{number} r, owner /dev/tty[0-9]* rw, diff --git a/apparmor.d/groups/bus/ibus-engine-simple b/apparmor.d/groups/bus/ibus-engine-simple index 1a038d1b0..719b77c16 100644 --- a/apparmor.d/groups/bus/ibus-engine-simple +++ b/apparmor.d/groups/bus/ibus-engine-simple @@ -21,8 +21,8 @@ profile ibus-engine-simple @{exec_path} flags=(attach_disconnected) { /etc/machine-id r, /var/lib/dbus/machine-id r, - /var/lib/gdm{3,}/.config/ibus/bus/{,@{hex}-unix-wayland-[0-9]} r, - /var/lib/gdm{3,}/.config/ibus/bus/@{hex}-unix-[0-9] r, + /var/lib/gdm{3,}/.config/ibus/bus/ r, + /var/lib/gdm{3,}/.config/ibus/bus/@{md5}-unix-{,wayland-}@{number} r, owner /dev/tty[0-9]* rw, diff --git a/apparmor.d/groups/bus/ibus-extension-gtk3 b/apparmor.d/groups/bus/ibus-extension-gtk3 index 079b33640..10b4bb401 100644 --- a/apparmor.d/groups/bus/ibus-extension-gtk3 +++ b/apparmor.d/groups/bus/ibus-extension-gtk3 
@@ -73,10 +73,10 @@ profile ibus-extension-gtk3 @{exec_path} flags=(attach_disconnected) { /usr/share/icons/{,**} r, /usr/share/X11/xkb/** r, - owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* r, + owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} r, owner @{run}/user/@{uid}/gdm/Xauthority r, - /var/lib/gdm{3,}/.config/ibus/bus/*-unix{,-wayland}-[0-9]* r, + /var/lib/gdm{3,}/.config/ibus/bus/@{md5}-unix-{,wayland-}@{number} r, /var/lib/gdm{3,}/.config/dconf/user r, /var/lib/gdm{3,}/greeter-dconf-defaults r, diff --git a/apparmor.d/groups/bus/ibus-memconf b/apparmor.d/groups/bus/ibus-memconf index 794e9ad27..8285b6300 100644 --- a/apparmor.d/groups/bus/ibus-memconf +++ b/apparmor.d/groups/bus/ibus-memconf @@ -17,7 +17,7 @@ profile ibus-memconf @{exec_path} { /etc/machine-id r, /var/lib/gdm{3,}/.config/ibus/bus/ r, - /var/lib/gdm{3,}/.config/ibus/bus/@{hex}-unix-[0-9]* r, + /var/lib/gdm{3,}/.config/ibus/bus/@{md5}-unix-{,wayland-}@{number} r, include if exists -} \ No newline at end of file +} diff --git a/apparmor.d/groups/bus/ibus-portal b/apparmor.d/groups/bus/ibus-portal index 6f3ef69f5..065b6952a 100644 --- a/apparmor.d/groups/bus/ibus-portal +++ b/apparmor.d/groups/bus/ibus-portal @@ -38,7 +38,7 @@ profile ibus-portal @{exec_path} flags=(attach_disconnected) { /var/lib/dbus/machine-id r, /var/lib/gdm{3,}/.config/ibus/bus/ r, - /var/lib/gdm{3,}/.config/ibus/bus/@{hex}-unix-{,wayland-}[0-9] r, + /var/lib/gdm{3,}/.config/ibus/bus/@{md5}-unix-{,wayland-}@{number} r, owner /dev/tty[0-9]* rw, diff --git a/apparmor.d/groups/bus/ibus-x11 b/apparmor.d/groups/bus/ibus-x11 index 0b17454e7..a8fc59baf 100644 --- a/apparmor.d/groups/bus/ibus-x11 +++ b/apparmor.d/groups/bus/ibus-x11 
@@ -45,13 +45,13 @@ profile ibus-x11 @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, /var/lib/gdm{3,}/.config/ibus/bus/ r, - /var/lib/gdm{3,}/.config/ibus/bus/@{hex}-unix{,-wayland}-[0-9] r, + /var/lib/gdm{3,}/.config/ibus/bus/@{md5}-unix-{,wayland-}@{number} r, /var/lib/gdm{3,}/.cache/mesa_shader_cache/index rw, owner @{user_config_dirs}/ibus/bus/ r, - owner @{user_config_dirs}/ibus/bus/@{hex}-unix{,-wayland}-[0-9] r, + owner @{user_config_dirs}/ibus/bus/@{md5}-unix-{,wayland-}@{number} r, - owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* r, + owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} r, owner @{run}/user/@{uid}/gdm/Xauthority r, owner /dev/tty[0-9]* rw, diff --git a/apparmor.d/groups/children/child-dpkg b/apparmor.d/groups/children/child-dpkg index cd3b138ad..ae86121b5 100644 --- a/apparmor.d/groups/children/child-dpkg +++ b/apparmor.d/groups/children/child-dpkg @@ -45,7 +45,7 @@ profile child-dpkg { /var/log/dpkg.log ra, # file_inherit - /tmp/#[0-9]*[0-9] rw, + /tmp/#@{number} rw, include if exists } diff --git a/apparmor.d/groups/children/child-dpkg-divert b/apparmor.d/groups/children/child-dpkg-divert index 03199d3ce..12948535a 100644 --- a/apparmor.d/groups/children/child-dpkg-divert +++ b/apparmor.d/groups/children/child-dpkg-divert @@ -26,7 +26,7 @@ profile child-dpkg-divert { /var/lib/dpkg/diversions r, # file_inherit - /tmp/#[0-9]*[0-9] rw, + /tmp/#@{number} rw, include if exists } diff --git a/apparmor.d/groups/children/child-systemctl b/apparmor.d/groups/children/child-systemctl index 70fe2bf3a..77a1f17f0 100644 --- a/apparmor.d/groups/children/child-systemctl +++ b/apparmor.d/groups/children/child-systemctl 
@@ -39,10 +39,10 @@ profile child-systemctl flags=(attach_disconnected) { /etc/systemd/user/{,**} rwl, /{run,var}/log/journal/ r, - /{run,var}/log/journal/@{hex}/ r, - /{run,var}/log/journal/@{hex}/user-@{hex}.journal* r, - /{run,var}/log/journal/@{hex}/system.journal* r, - /{run,var}/log/journal/@{hex}/system@@{hex}.journal* r, + /{run,var}/log/journal/@{md5}/ r, + /{run,var}/log/journal/@{md5}/user-@{hex}.journal* r, + /{run,var}/log/journal/@{md5}/system.journal* r, + /{run,var}/log/journal/@{md5}/system@@{hex}.journal* r, @{run}/systemd/private rw, diff --git a/apparmor.d/groups/cron/cron b/apparmor.d/groups/cron/cron index 807e6227f..04fb6606f 100644 --- a/apparmor.d/groups/cron/cron +++ b/apparmor.d/groups/cron/cron @@ -53,7 +53,7 @@ profile cron @{exec_path} flags=(attach_disconnected) { @{run}/systemd/sessions/*.ref rw, - owner /tmp/#[0-9]*[0-9] rw, + owner /tmp/#@{number} rw, owner @{PROC}/@{pid}/uid_map r, owner @{PROC}/@{pid}/loginuid rw, diff --git a/apparmor.d/groups/freedesktop/accounts-daemon b/apparmor.d/groups/freedesktop/accounts-daemon index a30746692..7958a4860 100644 --- a/apparmor.d/groups/freedesktop/accounts-daemon +++ b/apparmor.d/groups/freedesktop/accounts-daemon @@ -49,9 +49,11 @@ profile accounts-daemon @{exec_path} flags=(attach_disconnected) { @{bin}/passwd rPx, @{bin}/userdel rPx, @{bin}/usermod rPx, + @{bin}/locale rPUx, /usr/share/language-tools/language-validate rPx, /usr/share/language-tools/set-language-helper rPUx, + /usr/share/language-tools/save-to-pam-env rPUx, /usr/share/accountsservice/{,**} r, /usr/share/dbus-1/interfaces/*.xml r, @@ -68,7 +70,8 @@ profile accounts-daemon @{exec_path} flags=(attach_disconnected) { owner /var/lib/AccountsService/ r, owner /var/lib/AccountsService/** rw, - @{HOME}/ r, + @{HOME}/ r, + owner @{HOME}/.pam_environment r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/loginuid rw, 
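Review bot: The new `@{bin}/locale rPUx` and `/usr/share/language-tools/save-to-pam-env rPUx` fall back to running unconfined whenever no matching profile is loaded, in a daemon that runs as root, while `language-validate` a line below stays pinned with `rPx`. `locale` is a read-only query tool; if the daemon profile already covers the locale data it reads, `@{bin}/locale rix,` keeps it under the same confinement with no unconfined fallback. `save-to-pam-env`, which by its name rewrites a file inside the user's home as root, is exactly the kind of helper that should get its own profile and `rPx` like `language-validate`. Separately, `owner @{HOME}/.pam_environment r` only matches a file whose owner equals the daemon's fsuid (root here unless it drops privileges before the read), so confirm from the audit log that this rule actually fires rather than silently denying.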
diff --git a/apparmor.d/groups/freedesktop/dconf b/apparmor.d/groups/freedesktop/dconf index f904a756e..0577fc231 100644 --- a/apparmor.d/groups/freedesktop/dconf +++ b/apparmor.d/groups/freedesktop/dconf @@ -17,6 +17,7 @@ profile dconf @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, /etc/dconf/db/** rw, + /etc/gdm{3,}/greeter.dconf-defaults r, /usr/share/gdm/dconf/{,**} r, diff --git a/apparmor.d/groups/freedesktop/dconf-editor b/apparmor.d/groups/freedesktop/dconf-editor index b68999c46..cf4bd8871 100644 --- a/apparmor.d/groups/freedesktop/dconf-editor +++ b/apparmor.d/groups/freedesktop/dconf-editor @@ -24,7 +24,7 @@ profile dconf-editor @{exec_path} { owner @{user_config_dirs}/glib-2.0/ rw, owner @{user_config_dirs}/glib-2.0/settings/ rw, owner @{user_config_dirs}/glib-2.0/settings/keyfile rw, - owner @{user_config_dirs}/glib-2.0/settings/.goutputstream-* rw, + owner @{user_config_dirs}/glib-2.0/settings/.goutputstream-@{rand6} rw, owner @{HOME}/.Xauthority r, owner /dev/tty[0-9]* rw, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk index 13b3bdbec..90d637913 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk @@ -168,7 +168,7 @@ profile xdg-desktop-portal-gtk @{exec_path} { @{run}/mount/utab r, @{run}/user/@{uid}/xauth_* rl, - owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* rw, + owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} rw, owner @{run}/user/@{uid}/gdm/Xauthority r, owner @{PROC}/@{pid}/mountinfo r, diff --git a/apparmor.d/groups/freedesktop/xdg-permission-store b/apparmor.d/groups/freedesktop/xdg-permission-store index 9caf2829b..ca8b66377 100644 --- a/apparmor.d/groups/freedesktop/xdg-permission-store +++ b/apparmor.d/groups/freedesktop/xdg-permission-store 
@@ -50,7 +50,7 @@ profile xdg-permission-store @{exec_path} flags=(attach_disconnected) { owner @{user_share_dirs}/flatpak/ w, owner @{user_share_dirs}/flatpak/db/ rw, - owner @{user_share_dirs}/flatpak/db/.goutputstream-* rw, + owner @{user_share_dirs}/flatpak/db/.goutputstream-@{rand6} rw, owner @{user_share_dirs}/flatpak/db/background rw, owner @{user_share_dirs}/flatpak/db/notifications rw, diff --git a/apparmor.d/groups/freedesktop/xorg b/apparmor.d/groups/freedesktop/xorg index 9d1732ffc..16f5efae5 100644 --- a/apparmor.d/groups/freedesktop/xorg +++ b/apparmor.d/groups/freedesktop/xorg @@ -141,7 +141,7 @@ profile xorg @{exec_path} flags=(attach_disconnected) { /dev/fb[0-9] rw, /dev/input/event[0-9]* rw, - /dev/shm/#[0-9]*[0-9] rw, + /dev/shm/#@{number} rw, /dev/shm/shmfd-* rw, /dev/tty rw, /dev/tty[0-9]* rw, diff --git a/apparmor.d/groups/freedesktop/xwayland b/apparmor.d/groups/freedesktop/xwayland index 2fffcf112..eb50fb7aa 100644 --- a/apparmor.d/groups/freedesktop/xwayland +++ b/apparmor.d/groups/freedesktop/xwayland @@ -37,7 +37,7 @@ profile xwayland @{exec_path} flags=(attach_disconnected) { owner /var/lib/gdm{3,}/.cache/mesa_shader_cache/index rw, owner /tmp/server-[0-9]*.xkm rwk, - owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[a-zA-z0-9]* rw, + owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} rw, owner @{run}/user/@{uid}/xwayland-shared-?????? rw, @{sys}/bus/pci/devices/ r, diff --git a/apparmor.d/groups/gnome/gdm-session-worker b/apparmor.d/groups/gnome/gdm-session-worker index d5e92f6bf..c447fdd86 100644 --- a/apparmor.d/groups/gnome/gdm-session-worker +++ b/apparmor.d/groups/gnome/gdm-session-worker @@ -82,6 +82,8 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) { /etc/sysconfig/displaymanager r, /etc/sysconfig/windowmanager r, + owner @{HOME}/.pam_environment r, + owner @{run}/user/@{uid}/keyring/control rw, @{run}/cockpit/active.motd r, 
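Review bot: `owner @{HOME}/.pam_environment r` and `owner @{run}/user/@{uid}/keyring/control rw` are `owner`-scoped, but gdm-session-worker runs the PAM conversation as root and only becomes the user later, so these rules match only in phases where the worker's fsuid already equals the file owner; recent Linux-PAM drops privileges around the user-file read in pam_env as far as I recall, but that should be verified against the audit log rather than assumed. A short comment would also explain why the rule exists at all, since upstream Linux-PAM no longer reads `~/.pam_environment` by default (`user_readenv=0`) and this path is only exercised on distributions that re-enable it: `# pam_env: ~/.pam_environment (only read with user_readenv=1)`. The enclosing profile extends well beyond this hunk on both sides.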
diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index 2623aedc8..52b9822c9 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center @@ -85,6 +85,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { @{lib}/gnome-control-center-print-renderer rPx, @{lib}/webkit2gtk-{3,4}.0/WebKitNetworkProcess rix, /usr/share/language-tools/language2locale rix, + /usr/share/language-tools/language-options rPUx, /snap/*/[0-9]*/**.png r, /usr/share/backgrounds/{,**} r, @@ -99,13 +100,14 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { /usr/share/gnome-shell/search-providers/{,**} r, /usr/share/gnome/gnome-version.xml r, /usr/share/libdrm/*.ids r, + /usr/share/language-tools/main-countries r, /usr/share/mime/{,**} r, /usr/share/pipewire/client.conf r, /usr/share/thumbnailers/{,*} r, /usr/share/wallpapers/{,**} r, /usr/share/xml/iso-codes/iso_[0-9]*-[0-9]*.xml r, /usr/share/zoneinfo/{,**} r, - + # freedesktop.org-strict /usr/share/*ubuntu/applications/{,**} r, /usr/share/glib-2.0/schemas/gschemas.compiled r, @@ -133,7 +135,8 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { owner @{user_cache_dirs}/gnome-control-center/{,**} rw, owner @{user_cache_dirs}/thumbnails/{,**} rw, owner @{user_config_dirs}/gnome-control-center/{,**} rw, - owner @{user_config_dirs}/ibus/bus/{,@{hex}-unix{,-wayland}-[0-9]} r, + owner @{user_config_dirs}/ibus/bus/ r, + owner @{user_config_dirs}/ibus/bus/@{md5}-unix-{,wayland-}@{number} r, owner @{user_config_dirs}/mimeapps.list* rw, owner @{user_config_dirs}/rygel.conf{,.??????} rw, owner @{user_share_dirs}/backgrounds/{,**} rw, 
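Review bot: `/usr/share/language-tools/language-options rPUx` is added directly under `/usr/share/language-tools/language2locale rix`, so two helper scripts from the same package get different confinement: one inherits gnome-control-center's profile, the other runs unconfined whenever no dedicated profile is loaded. Unless language-options needs access the parent profile lacks, `/usr/share/language-tools/language-options rix,` keeps it under the same policy without an unconfined fallback; if it does need more, a small dedicated profile with `rPx` is the tighter choice. A one-line comment stating which case applies would spare the next reviewer the same question. The profile body continues on both sides of this hunk.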
@@ -142,13 +145,17 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { owner @{user_share_dirs}/webkitgtk/{,**} r, owner @{user_share_dirs}/webkitgtk/databases/indexeddb/* rw, owner @{user_share_dirs}/webkitgtk/localstorage/{,**} rwk, + owner @{user_share_dirs}/gnome-remote-desktop/ w, + owner @{user_share_dirs}/gnome-remote-desktop/rdp-tls.{crt,key}{.??????,} rw, owner @{run}/user/@{uid}/gnome-shell-disable-extensions w, + owner @{run}/user/@{uid}/gnome-control-center-region-needs-restart w, owner @{run}/user/@{uid}/pipewire-[0-9]* rw, owner @{run}/user/@{uid}/webkitgtk-wayland-compositor-@{uuid} rwk, owner @{run}/user/@{uid}/webkitgtk-wayland-compositor-@{uuid}.lock rwk, owner @{run}/user/@{uid}/webkitgtk/{,**} rw, - owner @{run}/user/@{uid}/gvfsd/socket-[0-9A-Za-z]* rw, + owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, + owner @{run}/user/@{uid}/wayland-@{number} rw, @{run}/cups/cups.sock rw, @{run}/samba/ rw, @{run}/systemd/sessions/ r, @@ -189,6 +196,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/statm r, owner @{PROC}/@{pid}/task/*/comm rw, + owner @{PROC}/@{pid}/loginuid r, @{PROC}/cmdline r, @{PROC}/zoneinfo r, diff --git a/apparmor.d/groups/gnome/gnome-remote-desktop-daemon b/apparmor.d/groups/gnome/gnome-remote-desktop-daemon index d70bbf72d..a28f8a3a1 100644 --- a/apparmor.d/groups/gnome/gnome-remote-desktop-daemon +++ b/apparmor.d/groups/gnome/gnome-remote-desktop-daemon @@ -13,12 +13,18 @@ profile gnome-remote-desktop-daemon @{exec_path} { include include include + include include + network inet stream, + network inet6 stream, + @{exec_path} mr, /usr/share/glib-2.0/schemas/gschemas.compiled r, + owner @{run}/user/@{uid}/wayland-@{number} rw, + @{sys}/devices/system/node/ r, @{sys}/devices/system/node/node[0-9]*/meminfo r, diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index bf768733b..2bf249d38 100644 
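Review bot: `network inet stream,` and `network inet6 stream,` give gnome-remote-desktop-daemon unrestricted TCP in both directions (listen and connect, any port); without the newer port-level network rules AppArmor cannot narrow this, so the intent should at least be recorded, e.g. `# RDP/VNC server; AppArmor cannot limit this to the listening ports`. The gnome-control-center hunk in this same commit writes `gnome-remote-desktop/rdp-tls.{crt,key}`, yet no read rule for that key appears in this daemon profile; if the newly added include (whose target is not visible here) does not cover it, `owner @{user_share_dirs}/gnome-remote-desktop/rdp-tls.{crt,key} r,` will be needed for the TLS listener to start. The profile header and footer lie outside the hunk.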
--- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -514,20 +514,20 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { /etc/xdg/menus/gnome-applications.menu r, /var/lib/gdm{3,}/.cache/ w, - /var/lib/gdm{3,}/.cache/event-sound-cache.tdb.*.x86_64-pc-linux-gnu rwk, + /var/lib/gdm{3,}/.cache/event-sound-cache.tdb.@{md5}.x86_64-pc-linux-gnu rwk, /var/lib/gdm{3,}/.cache/fontconfig/{,*} rwl, /var/lib/gdm{3,}/.cache/gstreamer-[0-9]*/ rw, /var/lib/gdm{3,}/.cache/gstreamer-[0-9]*/registry.*.bin{,.tmp*} rw, /var/lib/gdm{3,}/.cache/libgweather/ r, /var/lib/gdm{3,}/.cache/mesa_shader_cache/ rw, - /var/lib/gdm{3,}/.cache/mesa_shader_cache/[a-f0-9][a-f0-9]/ rw, - /var/lib/gdm{3,}/.cache/mesa_shader_cache/[a-f0-9][a-f0-9]/@{hex} rw, - /var/lib/gdm{3,}/.cache/mesa_shader_cache/[a-f0-9][a-f0-9]/@{hex}.tmp rwk, + /var/lib/gdm{3,}/.cache/mesa_shader_cache/@{h}@{h}/ rw, + /var/lib/gdm{3,}/.cache/mesa_shader_cache/@{h}@{h}/@{hex} rw, + /var/lib/gdm{3,}/.cache/mesa_shader_cache/@{h}@{h}/@{hex}.tmp rwk, /var/lib/gdm{3,}/.cache/mesa_shader_cache/index rw, /var/lib/gdm{3,}/.config/dconf/user r, /var/lib/gdm{3,}/.config/ibus/ rw, /var/lib/gdm{3,}/.config/ibus/bus/ rw, - /var/lib/gdm{3,}/.config/ibus/bus/@{hex}-unix-{,wayland-}[0-9] r, + /var/lib/gdm{3,}/.config/ibus/bus/@{md5}-unix-{,wayland-}@{number} r, /var/lib/gdm{3,}/.config/pulse/ r, /var/lib/gdm{3,}/.config/pulse/client.conf r, /var/lib/gdm{3,}/.config/pulse/cookie rwk, @@ -554,7 +554,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { owner @{user_games_dirs}/**/*.{png,jpg} r, owner @{user_music_dirs}/**/*.{png,jpg} r, - owner @{user_config_dirs}/.goutputstream{,*} rw, + owner @{user_config_dirs}/.goutputstream{,-@{rand6}} rw, owner @{user_config_dirs}/ibus/ w, owner @{user_config_dirs}/monitors.xml{,~} rwl, owner @{user_config_dirs}/pulse/ r, 
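Review bot: The event-sound-cache rule is tightened to `@{md5}` but still hard-codes the host triplet: `/var/lib/gdm{3,}/.cache/event-sound-cache.tdb.@{md5}.x86_64-pc-linux-gnu rwk,` will never match on arm64 or any other architecture, where libcanberra names the file with that host's own triplet. If the tunables provide a multiarch variable (I believe apparmor.d defines `@{multiarch}` for this), `event-sound-cache.tdb.@{md5}.@{multiarch}` keeps the rule portable; otherwise a `*-linux-gnu` glob in place of the triplet would. The same hard-coded triplet appears in the plasmashell hunk of this commit. The profile body extends beyond the hunk on both sides.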
@@ -578,10 +578,10 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { owner @{run}/user/@{uid}/gnome-shell-disable-extensions rw, owner @{run}/user/@{uid}/gnome-shell/{,**} rw, - owner @{run}/user/@{uid}/gvfsd/socket-[0-9A-Za-z]* rw, + owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, owner @{run}/user/@{uid}/snap.snap*/wayland-cursor-shared-* rw, owner @{run}/user/@{uid}/systemd/notify rw, - owner @{run}/user/@{uid}/wayland-[0-9]* rwk, + owner @{run}/user/@{uid}/wayland-@{number} rwk, owner /dev/shm/.org.chromium.Chromium.* rw, owner /dev/shm/wayland.mozilla.ipc.[0-9]* rw, diff --git a/apparmor.d/groups/gnome/gnome-shell-hotplug-sniffer b/apparmor.d/groups/gnome/gnome-shell-hotplug-sniffer index 0a54af2b3..6ae8704f4 100644 --- a/apparmor.d/groups/gnome/gnome-shell-hotplug-sniffer +++ b/apparmor.d/groups/gnome/gnome-shell-hotplug-sniffer @@ -9,6 +9,7 @@ include @{exec_path} = @{lib}/gnome-shell-hotplug-sniffer profile gnome-shell-hotplug-sniffer @{exec_path} { include + include @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gsd-housekeeping b/apparmor.d/groups/gnome/gsd-housekeeping index 052722e59..14c2e8731 100644 --- a/apparmor.d/groups/gnome/gsd-housekeeping +++ b/apparmor.d/groups/gnome/gsd-housekeeping @@ -79,6 +79,7 @@ profile gsd-housekeeping @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pids}/mountinfo r, @{run}/mount/utab r, + owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, owner /dev/tty[0-9]* rw, diff --git a/apparmor.d/groups/gnome/gsd-xsettings b/apparmor.d/groups/gnome/gsd-xsettings index 3caf82c75..98d9536ac 100644 --- a/apparmor.d/groups/gnome/gsd-xsettings +++ b/apparmor.d/groups/gnome/gsd-xsettings 
@@ -142,7 +142,7 @@ profile gsd-xsettings @{exec_path} { owner @{user_cache_dirs}/mesa_shader_cache/index rw, - owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[a-zA-z0-9]* r, + owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} r, owner @{run}/user/@{uid}/gdm/Xauthority r, @{run}/systemd/sessions/* r, @{run}/systemd/users/@{uid} r, diff --git a/apparmor.d/groups/gnome/mutter-x11-frames b/apparmor.d/groups/gnome/mutter-x11-frames index 463d8066f..690fa6c64 100644 --- a/apparmor.d/groups/gnome/mutter-x11-frames +++ b/apparmor.d/groups/gnome/mutter-x11-frames @@ -23,7 +23,7 @@ profile mutter-x11-frames @{exec_path} { @{exec_path} mr, - owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* rw, + owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} rw, include if exists -} \ No newline at end of file +} diff --git a/apparmor.d/groups/grub/grub-install b/apparmor.d/groups/grub/grub-install index 062389876..ed1962bf1 100644 --- a/apparmor.d/groups/grub/grub-install +++ b/apparmor.d/groups/grub/grub-install @@ -29,6 +29,7 @@ profile grub-install @{exec_path} flags=(complain) { /etc/default/grub.d/{,**} r, /etc/default/grub r, + /boot/efi/EFI/ubuntu/* w, /boot/efi/EFI/BOOT/{,**} rw, /boot/EFI/*/grubx*.efi rw, /boot/grub/{,**} rw, diff --git a/apparmor.d/groups/grub/grub-multi-install b/apparmor.d/groups/grub/grub-multi-install index 88e8a037d..60d9a38a4 100644 --- a/apparmor.d/groups/grub/grub-multi-install +++ b/apparmor.d/groups/grub/grub-multi-install @@ -17,6 +17,7 @@ profile grub-multi-install @{exec_path} { @{bin}/{,ba,da}sh rix, @{bin}/{,e}grep rix, @{bin}/cat rix, + @{bin}/cut rix, @{bin}/dpkg-query rpx, @{bin}/readlink rix, @{bin}/sed rix, @@ -33,5 +34,7 @@ profile grub-multi-install @{exec_path} { owner @{PROC}/@{pid}/maps r, owner @{PROC}/@{pid}/mounts r, + /dev/disk/by-id/ r, + include if exists -} \ No newline at end of file +} diff --git a/apparmor.d/groups/gvfs/gvfsd-dav b/apparmor.d/groups/gvfs/gvfsd-dav index 68d5f54bc..de9cf0259 100644 
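Review bot: `/boot/efi/EFI/ubuntu/* w` hard-codes the vendor directory, while the existing `/boot/EFI/*/grubx*.efi rw` two lines below already uses a wildcard for it; on Debian, Fedora or openSUSE hosts the new rule will not match and the ESP write is denied (only logged, since the profile is `flags=(complain)`). A vendor-agnostic `/boot/efi/EFI/*/* rw,` is consistent with the neighbouring lines, and `w` alone may be too little if grub-install reads back or compares what it installs, which is worth confirming from the audit log before the profile leaves complain mode. Because this grants writes to the signed boot binaries on the ESP, a short comment stating that this is the intended install path would help reviewers tell it apart from an accidental widening.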
--- a/apparmor.d/groups/gvfs/gvfsd-dav +++ b/apparmor.d/groups/gvfs/gvfsd-dav @@ -28,7 +28,7 @@ profile gvfsd-dav @{exec_path} { /usr/share/mime/mime.cache r, owner @{run}/user/@{uid}/gvfsd/ rw, - owner @{run}/user/@{uid}/gvfsd/socket-[a-zA-z0-9]* rw, + owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r, diff --git a/apparmor.d/groups/gvfs/gvfsd-dnssd b/apparmor.d/groups/gvfs/gvfsd-dnssd index 183d102dd..79f9888ea 100644 --- a/apparmor.d/groups/gvfs/gvfsd-dnssd +++ b/apparmor.d/groups/gvfs/gvfsd-dnssd @@ -57,7 +57,7 @@ profile gvfsd-dnssd @{exec_path} { @{exec_path} mr, owner @{run}/user/@{uid}/gvfsd/ rw, - owner @{run}/user/@{uid}/gvfsd/socket-[a-zA-Z0-9]* rw, + owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, include if exists } diff --git a/apparmor.d/groups/gvfs/gvfsd-http b/apparmor.d/groups/gvfs/gvfsd-http index 55941c2e5..abb98c80e 100644 --- a/apparmor.d/groups/gvfs/gvfsd-http +++ b/apparmor.d/groups/gvfs/gvfsd-http @@ -24,7 +24,7 @@ profile gvfsd-http @{exec_path} { @{exec_path} mr, - owner @{run}/user/@{uid}/gvfsd/socket-* rw, + owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, @{PROC}/sys/net/ipv{4,6}/conf/all/disable_ipv{4,6} r, diff --git a/apparmor.d/groups/gvfs/gvfsd-mtp b/apparmor.d/groups/gvfs/gvfsd-mtp index 086ba5fa7..e605b36b7 100644 --- a/apparmor.d/groups/gvfs/gvfsd-mtp +++ b/apparmor.d/groups/gvfs/gvfsd-mtp @@ -23,7 +23,7 @@ profile gvfsd-mtp @{exec_path} { owner @{HOME}/{,**} rw, owner @{MOUNTS}/{,**} rw, - owner @{run}/user/@{uid}/gvfsd/socket-* rw, + owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, include if exists } diff --git a/apparmor.d/groups/gvfs/gvfsd-network b/apparmor.d/groups/gvfs/gvfsd-network index dd95aed1e..c4db24fef 100644 --- a/apparmor.d/groups/gvfs/gvfsd-network +++ b/apparmor.d/groups/gvfs/gvfsd-network 
@@ -51,7 +51,7 @@ profile gvfsd-network @{exec_path} { /usr/share/glib-2.0/schemas/gschemas.compiled r, owner @{run}/user/@{uid}/gvfsd/ rw, - owner @{run}/user/@{uid}/gvfsd/socket-[a-zA-z0-9]* rw, + owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, include if exists } diff --git a/apparmor.d/groups/gvfs/gvfsd-recent b/apparmor.d/groups/gvfs/gvfsd-recent index 035150d5a..347573ce5 100644 --- a/apparmor.d/groups/gvfs/gvfsd-recent +++ b/apparmor.d/groups/gvfs/gvfsd-recent @@ -26,7 +26,7 @@ profile gvfsd-recent @{exec_path} { owner @{user_share_dirs}/recently-used.xbel r, owner @{run}/user/@{uid}/gvfsd/ rw, - owner @{run}/user/@{uid}/gvfsd/socket-[a-zA-z0-9]* rw, + owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, owner @{PROC}/@{pid}/mountinfo r, diff --git a/apparmor.d/groups/gvfs/gvfsd-smb b/apparmor.d/groups/gvfs/gvfsd-smb index 2259ac779..29ee1627c 100644 --- a/apparmor.d/groups/gvfs/gvfsd-smb +++ b/apparmor.d/groups/gvfs/gvfsd-smb @@ -23,7 +23,7 @@ profile gvfsd-smb @{exec_path} { /etc/samba/smb.conf r, - owner @{run}/user/@{uid}/gvfsd/socket-[a-zA-z0-9]* rw, + owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, include if exists } diff --git a/apparmor.d/groups/gvfs/gvfsd-smb-browse b/apparmor.d/groups/gvfs/gvfsd-smb-browse index c37b2deea..72b40cf97 100644 --- a/apparmor.d/groups/gvfs/gvfsd-smb-browse +++ b/apparmor.d/groups/gvfs/gvfsd-smb-browse @@ -58,7 +58,7 @@ profile gvfsd-smb-browse @{exec_path} { owner @{run}/samba/ rw, owner @{run}/samba/gencache.tdb rwk, - owner @{run}/user/@{uid}/gvfsd/socket-[a-zA-z0-9]* rw, + owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, owner @{user_cache_dirs}/samba/ w, owner @{user_cache_dirs}/samba/gencache.tdb rwk, diff --git a/apparmor.d/groups/gvfs/gvfsd-trash b/apparmor.d/groups/gvfs/gvfsd-trash index 7574fd480..f3ed674cb 100644 --- a/apparmor.d/groups/gvfs/gvfsd-trash +++ b/apparmor.d/groups/gvfs/gvfsd-trash 
@@ -50,7 +50,7 @@ profile gvfsd-trash @{exec_path} { owner @{MOUNTS}/{,**} rw, owner @{run}/user/@{uid}/gvfsd/ rw, - owner @{run}/user/@{uid}/gvfsd/socket-* rw, + owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, @{run}/mount/utab r, diff --git a/apparmor.d/groups/kde/baloo b/apparmor.d/groups/kde/baloo index 50de39ef1..0a7962989 100644 --- a/apparmor.d/groups/kde/baloo +++ b/apparmor.d/groups/kde/baloo @@ -38,7 +38,7 @@ profile baloo @{exec_path} { owner @{MOUNTS}/{,**} r, owner /tmp/*/{,**} r, - owner @{user_config_dirs}/#[0-9]* rw, + owner @{user_config_dirs}/#@{number} rw, owner @{user_config_dirs}/baloofilerc rwl, owner @{user_config_dirs}/baloofilerc.lock rwkl, diff --git a/apparmor.d/groups/kde/kalendarac b/apparmor.d/groups/kde/kalendarac index 10b2e29cf..46ef5ccc5 100644 --- a/apparmor.d/groups/kde/kalendarac +++ b/apparmor.d/groups/kde/kalendarac @@ -31,7 +31,7 @@ profile kalendarac @{exec_path} { owner @{user_cache_dirs}/icon-cache.kcache rw, - owner @{user_config_dirs}/#[0-9]* rw, + owner @{user_config_dirs}/#@{number} rw, owner @{user_config_dirs}/akonadi-firstrunrc r, owner @{user_config_dirs}/akonadi/akonadiconnectionrc r, owner @{user_config_dirs}/emaildefaults r, @@ -50,4 +50,4 @@ profile kalendarac @{exec_path} { /dev/tty r, include if exists -} \ No newline at end of file +} diff --git a/apparmor.d/groups/kde/kcminit b/apparmor.d/groups/kde/kcminit index 4064a7b3a..61375cd1c 100644 --- a/apparmor.d/groups/kde/kcminit +++ b/apparmor.d/groups/kde/kcminit @@ -27,7 +27,7 @@ profile kcminit @{exec_path} { owner @{HOME}/.Xdefaults r, - owner @{user_config_dirs}/#[0-9]* rw, + owner @{user_config_dirs}/#@{number} rw, owner @{user_config_dirs}/gtkrc-2.0{,.??????} rwl, owner @{user_config_dirs}/gtkrc{,.??????} rwl, owner @{user_config_dirs}/kcminputrc r, @@ -51,4 +51,4 @@ profile kcminit @{exec_path} { /dev/tty r, include if exists -} \ No newline at end of file +} 
diff --git a/apparmor.d/groups/kde/kconf_update b/apparmor.d/groups/kde/kconf_update index 532f4073e..5e0345f32 100644 --- a/apparmor.d/groups/kde/kconf_update +++ b/apparmor.d/groups/kde/kconf_update @@ -32,7 +32,7 @@ profile kconf_update @{exec_path} { /etc/xdg/kdeglobals r, - owner @{user_config_dirs}/#[0-9]* rw, + owner @{user_config_dirs}/#@{number} rw, owner @{user_config_dirs}/kconf_updaterc r, owner @{user_config_dirs}/kconf_updaterc* rwl, owner @{user_config_dirs}/kdedefaults/kdeglobals r, @@ -42,4 +42,4 @@ profile kconf_update @{exec_path} { owner /tmp/kconf_update.?????? rw, include if exists -} \ No newline at end of file +} diff --git a/apparmor.d/groups/kde/kde-powerdevil b/apparmor.d/groups/kde/kde-powerdevil index d5e73bbdd..723720455 100644 --- a/apparmor.d/groups/kde/kde-powerdevil +++ b/apparmor.d/groups/kde/kde-powerdevil @@ -29,7 +29,7 @@ profile kde-powerdevil @{exec_path} flags=(attach_disconnected) { owner @{user_cache_dirs}/kcrash-metadata/{,*} rw, - owner @{user_config_dirs}/#[0-9]* rw, + owner @{user_config_dirs}/#@{number} rw, owner @{user_config_dirs}/kdedefaults/kdeglobals r, owner @{user_config_dirs}/kdeglobals r, owner @{user_config_dirs}/powerdevilrc rwl, diff --git a/apparmor.d/groups/kde/kded5 b/apparmor.d/groups/kde/kded5 index a687db53e..ad4d3bfa4 100644 --- a/apparmor.d/groups/kde/kded5 +++ b/apparmor.d/groups/kde/kded5 @@ -68,7 +68,7 @@ profile kded5 @{exec_path} { owner @{user_cache_dirs}/icon-cache.kcache rw, owner @{user_cache_dirs}/ksycoca5_* r, - owner @{user_config_dirs}/#[0-9]* rw, + owner @{user_config_dirs}/#@{number} rw, owner @{user_config_dirs}/bluedevilglobalrc rk, owner @{user_config_dirs}/bluedevilglobalrc* rwkl, owner @{user_config_dirs}/gtk-{3,4}.0/{,**} rwl, diff --git a/apparmor.d/groups/kde/kglobalaccel5 b/apparmor.d/groups/kde/kglobalaccel5 index 9f8d495c8..d9d0c6c05 100644 --- a/apparmor.d/groups/kde/kglobalaccel5 +++ b/apparmor.d/groups/kde/kglobalaccel5 
@@ -22,9 +22,9 @@ profile kglobalaccel5 @{exec_path} { /etc/machine-id r, + owner @{user_config_dirs}/#@{number} rw, owner @{user_config_dirs}/kglobalshortcutsrc* rwl, owner @{user_config_dirs}/kglobalshortcutsrc.lock rwk, - owner @{user_config_dirs}/#[0-9]* rw, @{PROC}/sys/kernel/random/boot_id r, @{PROC}/sys/kernel/core_pattern r, @@ -32,4 +32,4 @@ profile kglobalaccel5 @{exec_path} { /dev/tty r, include if exists -} \ No newline at end of file +} diff --git a/apparmor.d/groups/kde/kwalletmanager5 b/apparmor.d/groups/kde/kwalletmanager5 index 76cce525e..b177e3988 100644 --- a/apparmor.d/groups/kde/kwalletmanager5 +++ b/apparmor.d/groups/kde/kwalletmanager5 @@ -38,12 +38,12 @@ profile kwalletmanager5 @{exec_path} { owner @{user_cache_dirs}/icon-cache.kcache rw, owner @{user_config_dirs}/qt5ct/{,**} r, - owner @{user_config_dirs}/#[0-9]*[0-9] rw, + owner @{user_config_dirs}/#@{number} rw, owner @{user_config_dirs}/kwalletmanager5rc rw, - owner @{user_config_dirs}/kwalletmanager5rc.* rwl -> @{user_config_dirs}/#[0-9]*[0-9], + owner @{user_config_dirs}/kwalletmanager5rc.* rwl -> @{user_config_dirs}/#@{number}, owner @{user_config_dirs}/kwalletmanager5rc.lock rwk, owner @{user_config_dirs}/kwalletrc rw, - owner @{user_config_dirs}/kwalletrc.* rwl -> @{user_config_dirs}/#[0-9]*[0-9], + owner @{user_config_dirs}/kwalletrc.* rwl -> @{user_config_dirs}/#@{number}, owner @{user_config_dirs}/kwalletrc.lock rwk, owner @{user_config_dirs}/session/#[0-9]*[0-9] rw, owner @{user_config_dirs}/session/kwalletmanager5_* rwl -> @{user_config_dirs}/session/#[0-9]*[0-9], diff --git a/apparmor.d/groups/kde/kwin_x11 b/apparmor.d/groups/kde/kwin_x11 index 7c57a6221..7358b6404 100644 --- a/apparmor.d/groups/kde/kwin_x11 +++ b/apparmor.d/groups/kde/kwin_x11 
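Review bot: The conversion to `#@{number}` is incomplete in this hunk: the context lines `owner @{user_config_dirs}/session/#[0-9]*[0-9] rw,` and the link target in `session/kwalletmanager5_* rwl -> @{user_config_dirs}/session/#[0-9]*[0-9]` keep the old glob, which (because `*` is a wildcard rather than a repetition of the class) matches any `/`-free name that starts with `#` plus a digit and ends with a digit. The same leftover appears in kwin_x11 (`owner @{user_cache_dirs}/session/#[0-9]* rw,`), plasmashell (`owner @{user_cache_dirs}/#[0-9]* rwk,`) and journalctl (`owner /var/tmp/#[0-9]* rw,`). Rewriting those to `#@{number}` in the same change keeps the profiles consistent with the new tunable and with the lines this hunk already converts.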
@@ -57,7 +57,7 @@ profile kwin_x11 @{exec_path} { owner @{user_cache_dirs}/qtshadercache-*/@{hex} r, owner @{user_cache_dirs}/session/#[0-9]* rw, - owner @{user_config_dirs}/#[0-9]* rw, + owner @{user_config_dirs}/#@{number} rw, owner @{user_config_dirs}/kcminputrc r, owner @{user_config_dirs}/kdedefaults/* r, owner @{user_config_dirs}/kdeglobals r, diff --git a/apparmor.d/groups/kde/plasmashell b/apparmor.d/groups/kde/plasmashell index 0cb5edddb..87e7754c0 100644 --- a/apparmor.d/groups/kde/plasmashell +++ b/apparmor.d/groups/kde/plasmashell @@ -92,7 +92,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { owner @{user_cache_dirs}/ r, owner @{user_cache_dirs}/#[0-9]* rwk, - owner @{user_cache_dirs}/event-sound-cache.tdb.*.x86_64-pc-linux-gnu rwk, + owner @{user_cache_dirs}/event-sound-cache.tdb.@{md5}.x86_64-pc-linux-gnu rwk, owner @{user_cache_dirs}/icon-cache.kcache rw, owner @{user_cache_dirs}/ksycoca5_* rl, owner @{user_cache_dirs}/org.kde.dirmodel-qml.kcache rw, @@ -103,7 +103,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { owner @{user_cache_dirs}/plasmashell/qmlcache/{,**} rwl, owner @{user_config_dirs}/*kde*.desktop* r, - owner @{user_config_dirs}/#[0-9]* rwk, + owner @{user_config_dirs}/#@{number} rwk, owner @{user_config_dirs}/akonadi-firstrunrc r, owner @{user_config_dirs}/akonadi/akonadiconnectionrc r, owner @{user_config_dirs}/baloofilerc r, diff --git a/apparmor.d/groups/kde/startplasma-x11 b/apparmor.d/groups/kde/startplasma-x11 index 18b5fc3d4..3cf933336 100644 --- a/apparmor.d/groups/kde/startplasma-x11 +++ b/apparmor.d/groups/kde/startplasma-x11 @@ -42,7 +42,7 @@ profile startplasma-x11 @{exec_path} { owner @{user_cache_dirs}/ksycoca5_* rwkl, owner @{user_cache_dirs}/plasma-svgelements rw, - owner @{user_config_dirs}/#[0-9]* rw, + owner @{user_config_dirs}/#@{number} rw, owner @{user_config_dirs}/gtkrc rl, owner @{user_config_dirs}/gtkrc-2.0 rl, owner @{user_config_dirs}/kcminputrc r, 
diff --git a/apparmor.d/groups/network/mullvad-gui b/apparmor.d/groups/network/mullvad-gui index 1105e2969..afcf3c38c 100644 --- a/apparmor.d/groups/network/mullvad-gui +++ b/apparmor.d/groups/network/mullvad-gui @@ -7,7 +7,7 @@ abi , include @{exec_path} = /opt/Mullvad*/mullvad-gui -profile mullvad-gui @{exec_path} flags=(attach_disconnected) { +profile mullvad-gui @{exec_path} flags=(attach_disconnected) { include include include @@ -51,7 +51,7 @@ profile mullvad-gui @{exec_path} flags=(attach_disconnected) { owner @{user_cache_dirs}/dconf/user rw, owner "/tmp/.org.chromium.Chromium.*/Mullvad VPN*.png" rw, - owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[a-zA-z0-9]* r, + owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} r, @{run}/systemd/inhibit/*.ref rw, @@ -80,4 +80,4 @@ profile mullvad-gui @{exec_path} flags=(attach_disconnected) { deny owner @{user_share_dirs}/gvfs-metadata/* r, include if exists -} \ No newline at end of file +} diff --git a/apparmor.d/groups/systemd/coredumpctl b/apparmor.d/groups/systemd/coredumpctl index c282c1154..0b3f37637 100644 --- a/apparmor.d/groups/systemd/coredumpctl +++ b/apparmor.d/groups/systemd/coredumpctl @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/coredumpctl +@{exec_path} = @{bin}/coredumpctl profile coredumpctl @{exec_path} flags=(complain) { include include @@ -30,10 +30,10 @@ profile coredumpctl @{exec_path} flags=(complain) { /var/lib/systemd/coredump/core.*.[0-9]*.@{hex}.[0-9]*.[0-9]*.zst r, /{run,var}/log/journal/ r, - /{run,var}/log/journal/@{hex}/ r, - /{run,var}/log/journal/@{hex}/user-@{hex}.journal* r, - /{run,var}/log/journal/@{hex}/system.journal* r, - /{run,var}/log/journal/@{hex}/system@@{hex}.journal* r, + /{run,var}/log/journal/@{md5}/ r, + /{run,var}/log/journal/@{md5}/user-@{hex}.journal* r, + /{run,var}/log/journal/@{md5}/system.journal* r, + /{run,var}/log/journal/@{md5}/system@@{hex}.journal* r, owner /tmp/*.coredump w, owner /tmp/core.* w, 
diff --git a/apparmor.d/groups/systemd/journalctl b/apparmor.d/groups/systemd/journalctl index 249d0a6c2..df637757c 100644 --- a/apparmor.d/groups/systemd/journalctl +++ b/apparmor.d/groups/systemd/journalctl @@ -34,12 +34,12 @@ profile journalctl @{exec_path} flags=(attach_disconnected) { /var/lib/systemd/catalog/.#database* rw, /{run,var}/log/journal/ r, - /{run,var}/log/journal/@{hex}/ r, - /{run,var}/log/journal/@{hex}/system.journal* r, - /{run,var}/log/journal/@{hex}/system@@{hex}.journal* rw, - /{run,var}/log/journal/@{hex}/user-@{hex}.journal* rw, - owner /{run,var}/log/journal/@{hex}/fss wl -> /var/log/journal/@{hex}/fss.tmp.*, - owner /{run,var}/log/journal/@{hex}/fss.tmp.* rw, + /{run,var}/log/journal/@{md5}/ rw, + /{run,var}/log/journal/@{md5}/system.journal* r, + /{run,var}/log/journal/@{md5}/system@@{hex}.journal* rw, + /{run,var}/log/journal/@{md5}/user-@{hex}.journal* rw, + owner /{run,var}/log/journal/@{md5}/fss wl -> /var/log/journal/@{md5}/fss.tmp.*, + owner /{run,var}/log/journal/@{md5}/fss.tmp.* rw, owner /var/tmp/#[0-9]* rw, @{run}/host/container-manager r, diff --git a/apparmor.d/groups/systemd/networkctl b/apparmor.d/groups/systemd/networkctl index 3200f41a1..0e5e3629b 100644 --- a/apparmor.d/groups/systemd/networkctl +++ b/apparmor.d/groups/systemd/networkctl @@ -42,10 +42,10 @@ profile networkctl @{exec_path} flags=(attach_disconnected) { # To be able to read logs @{run}/log/ r, /{run,var}/log/journal/ r, - /{run,var}/log/journal/@{hex}/ r, - /{run,var}/log/journal/@{hex}/user-@{hex}.journal* r, - /{run,var}/log/journal/@{hex}/system.journal* r, - /{run,var}/log/journal/@{hex}/system@@{hex}.journal* r, + /{run,var}/log/journal/@{md5}/ r, + /{run,var}/log/journal/@{md5}/user-@{hex}.journal* r, + /{run,var}/log/journal/@{md5}/system.journal* r, + /{run,var}/log/journal/@{md5}/system@@{hex}.journal* r, @{run}/systemd/netif/links/[0-9]* r, @{run}/systemd/netif/state r, 
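Review bot: The directory rule `/{run,var}/log/journal/@{md5}/ rw,` widens journalctl from read to read-write on the per-machine journal directory, which is unrelated to the `@{hex}` → `@{md5}` substitution the rest of the hunk performs and is not explained anywhere in the change. Write on the directory path itself governs creating, removing or renaming that directory rather than the journal files inside it (those keep their own `r`/`rw` rules), so if the permission is genuinely needed it presumably serves a rotate/vacuum path and should be recorded, e.g. `# rw on the directory: needed for --rotate/--vacuum-* (confirm from denial log)`. If no denial motivated it, keep the previous `r` so the refactor stays permission-neutral.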
diff --git a/apparmor.d/groups/systemd/systemd-journald b/apparmor.d/groups/systemd/systemd-journald index 9753d5185..5c5d44fce 100644 --- a/apparmor.d/groups/systemd/systemd-journald +++ b/apparmor.d/groups/systemd/systemd-journald @@ -30,7 +30,7 @@ profile systemd-journald @{exec_path} { @{run}/log/ rw, /{run,var}/log/journal/ rw, - /{run,var}/log/journal/@{hex}/{,*} rw, + /{run,var}/log/journal/@{md5}/{,*} rw, owner @{run}/systemd/journal/{,**} rw, owner @{run}/systemd/notify rw, diff --git a/apparmor.d/groups/systemd/systemd-user-generators-autostart b/apparmor.d/groups/systemd/systemd-user-generators-autostart index c16806a45..b5372ec32 100644 --- a/apparmor.d/groups/systemd/systemd-user-generators-autostart +++ b/apparmor.d/groups/systemd/systemd-user-generators-autostart @@ -10,14 +10,18 @@ include profile systemd-user-generators-autostart @{exec_path} { include + ptrace (read) peer=unconfined, + @{exec_path} mr, - /etc/xdg/autostart/*.desktop r, + /etc/xdg/autostart/{,*.desktop} r, owner @{run}/user/@{uid}/systemd/generator.late/{,**} rw, @{PROC}/cmdline r, @{PROC}/sys/kernel/osrelease r, + @{PROC}/1/environ r, + @{PROC}/@{pids}/cgroup r, include if exists -} \ No newline at end of file +} diff --git a/apparmor.d/groups/ubuntu/apport-gtk b/apparmor.d/groups/ubuntu/apport-gtk index 310590644..dd7fbd834 100644 --- a/apparmor.d/groups/ubuntu/apport-gtk +++ b/apparmor.d/groups/ubuntu/apport-gtk @@ -77,7 +77,7 @@ profile apport-gtk @{exec_path} { /var/log/installer/media-info r, @{run}/snapd.socket rw, - owner @{run}/user/.mutter-Xwaylandauth.* rw, + owner @{run}/user/.mutter-Xwaylandauth.@{rand6} rw, /tmp/[a-z0-9]* rw, /tmp/apport_core_* rw, diff --git a/apparmor.d/groups/ubuntu/subiquity-console-conf b/apparmor.d/groups/ubuntu/subiquity-console-conf index c16a4171b..54a056db0 100644 --- a/apparmor.d/groups/ubuntu/subiquity-console-conf +++ b/apparmor.d/groups/ubuntu/subiquity-console-conf 
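Review bot: `ptrace (read) peer=unconfined,` grants read-mode ptrace access to every unconfined process, which is a broad capability for a user-session generator; if it exists only to satisfy the `@{PROC}/1/environ r,` rule added further down (reading another process's environ is gated by the ptrace-read check), a comment should tie the two together so they are reviewed as a pair, e.g. `# Reading @{PROC}/1/environ requires ptrace read on PID 1, which is unconfined`. The `@{PROC}/@{pids}/cgroup r,` rule likewise covers every process; if the generator only inspects its own cgroup and that of PID 1, `owner @{PROC}/@{pid}/cgroup r,` plus `@{PROC}/1/cgroup r,` would express the same need more narrowly — confirm against the denials that motivated the rule, as I am inferring the narrower form from the other additions. The whole profile body is within this hunk.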
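Review bot: The new path `owner @{run}/user/.mutter-Xwaylandauth.@{rand6} rw,` in apport-gtk lacks the `@{uid}` component that every other `.mutter-Xwaylandauth` rule in this change uses (`@{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6}` in mullvad-gui, mono-sgen, pinentry-gtk-2 and rustdesk); as written it only matches a file directly under `@{run}/user/`, which looks like a pre-existing typo carried into the rewrite rather than a real location. Unless apport-gtk really writes there, the line should be `owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} rw,`.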
@@ -102,10 +102,10 @@ profile subiquity-console-conf @{exec_path} { @{run}/log/ rw, /{run,var}/log/journal/ rw, - /{run,var}/log/journal/@{hex}/ rw, - /{run,var}/log/journal/@{hex}/system.journal* rw, - /{run,var}/log/journal/@{hex}/system@@{hex}.journal* rw, - /{run,var}/log/journal/@{hex}/user-@{hex}.journal* rw, + /{run,var}/log/journal/@{md5}/ rw, + /{run,var}/log/journal/@{md5}/system.journal* rw, + /{run,var}/log/journal/@{md5}/system@@{hex}.journal* rw, + /{run,var}/log/journal/@{md5}/user-@{hex}.journal* rw, owner @{PROC}/@{pid}/stat r, @@ -115,4 +115,4 @@ profile subiquity-console-conf @{exec_path} { } include if exists -} \ No newline at end of file +} diff --git a/apparmor.d/profiles-a-f/aa-log b/apparmor.d/profiles-a-f/aa-log index 33ee9823e..9a2323acb 100644 --- a/apparmor.d/profiles-a-f/aa-log +++ b/apparmor.d/profiles-a-f/aa-log @@ -26,7 +26,7 @@ profile aa-log @{exec_path} { /var/log/syslog* r, /{run,var}/log/journal/ r, - /{run,var}/log/journal/@{hex}/{,*} r, + /{run,var}/log/journal/@{md5}/{,*} r, @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, @@ -36,4 +36,4 @@ profile aa-log @{exec_path} { /dev/tty[0-9]* rw, include if exists -} \ No newline at end of file +} diff --git a/apparmor.d/profiles-a-f/birdtray b/apparmor.d/profiles-a-f/birdtray index 03d62c221..e877660ae 100644 --- a/apparmor.d/profiles-a-f/birdtray +++ b/apparmor.d/profiles-a-f/birdtray @@ -37,8 +37,8 @@ profile birdtray @{exec_path} { owner @{user_config_dirs}/ulduzsoft/ rw, owner @{user_config_dirs}/ulduzsoft/* rwkl -> /home/morfik/.config/ulduzsoft/*, - owner @{user_config_dirs}/birdtray-config.json rwl -> @{user_config_dirs}/#[0-9]*[0-9], - owner @{user_config_dirs}/birdtray-config.json.* rwl -> @{user_config_dirs}/#[0-9]*[0-9], + owner @{user_config_dirs}/birdtray-config.json rwl -> @{user_config_dirs}/#@{number}, + owner @{user_config_dirs}/birdtray-config.json.* rwl -> @{user_config_dirs}/#@{number}, owner /tmp/birdtray.ulduzsoft.single.instance.server.socket w, 
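Review bot: The rewritten link rules in birdtray target `@{user_config_dirs}/#@{number}`, but the context line directly above them, `owner @{user_config_dirs}/ulduzsoft/* rwkl -> /home/morfik/.config/ulduzsoft/*,`, hard-codes one user's home directory as the link target, so the rule only works for that account and looks like a leftover from the machine the profile was generated on. Since this hunk already touches the neighbouring lines, it is the natural moment to change the target to `@{user_config_dirs}/ulduzsoft/*`, matching the variable used on the left-hand side.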
diff --git a/apparmor.d/profiles-a-f/blkid b/apparmor.d/profiles-a-f/blkid index d593c4c5d..fe57ea883 100644 --- a/apparmor.d/profiles-a-f/blkid +++ b/apparmor.d/profiles-a-f/blkid @@ -20,7 +20,7 @@ profile blkid @{exec_path} { /etc/blkid.conf r, # When the system doesn't have the /run/ dir, the cache file is placed under /etc/ - @{etc_rw}/blkid.tab{,-*} rw, + @{etc_rw}/blkid.tab{,-@{rand6}} rw, @{etc_rw}/blkid.tab.old rwl -> /etc/blkid.tab, # Image files @@ -29,7 +29,7 @@ profile blkid @{exec_path} { # The standard location of the cache file # Without owner here if this tool should be used as a regular user @{run}/blkid/ rw, - @{run}/blkid/blkid.tab{,-*} rw, + @{run}/blkid/blkid.tab{,-@{rand6}} rw, @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab, # For the EVALUATE=scan method diff --git a/apparmor.d/profiles-a-f/btrfs b/apparmor.d/profiles-a-f/btrfs index d2ff098f0..af03e97fc 100644 --- a/apparmor.d/profiles-a-f/btrfs +++ b/apparmor.d/profiles-a-f/btrfs @@ -38,7 +38,7 @@ profile btrfs @{exec_path} { # For fsck of the btrfs filesystem directly from gparted owner /tmp/gparted-*/ rw, - @{run}/blkid/blkid.tab{,-*} rw, + @{run}/blkid/blkid.tab{,-@{rand6}} rw, @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab, @{PROC}/partitions r, diff --git a/apparmor.d/profiles-a-f/btrfstune b/apparmor.d/profiles-a-f/btrfstune index bc76fc51f..82faba872 100644 --- a/apparmor.d/profiles-a-f/btrfstune +++ b/apparmor.d/profiles-a-f/btrfstune @@ -16,7 +16,7 @@ profile btrfstune @{exec_path} { @{PROC}/partitions r, owner @{PROC}/@{pid}/mounts r, - owner @{run}/blkid/blkid.tab{,-*} rw, + owner @{run}/blkid/blkid.tab{,-@{rand6}} rw, owner @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab, include if exists diff --git a/apparmor.d/profiles-a-f/cfdisk b/apparmor.d/profiles-a-f/cfdisk index f88a9fbad..706e5edaa 100644 --- a/apparmor.d/profiles-a-f/cfdisk +++ b/apparmor.d/profiles-a-f/cfdisk 
@@ -25,7 +25,7 @@ profile cfdisk @{exec_path} { # A place for file images owner @{user_img_dirs}/{,**} rwk, - owner @{run}/blkid/blkid.tab{,-*} rw, + owner @{run}/blkid/blkid.tab{,-@{rand6}} rw, owner @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab, @{PROC}/partitions r, diff --git a/apparmor.d/profiles-a-f/cupsd b/apparmor.d/profiles-a-f/cupsd index dbfa15801..784f763f1 100644 --- a/apparmor.d/profiles-a-f/cupsd +++ b/apparmor.d/profiles-a-f/cupsd @@ -92,7 +92,7 @@ profile cupsd @{exec_path} flags=(attach_disconnected) { @{sys}/module/apparmor/parameters/enabled r, - @{PROC}/@{pids}/fd r, + @{PROC}/@{pids}/fd/ r, owner @{PROC}/@{pid}/mounts r, owner /tmp/*_latest_print_info w, diff --git a/apparmor.d/profiles-a-f/dumpe2fs b/apparmor.d/profiles-a-f/dumpe2fs index eac046edd..ab4b42d1f 100644 --- a/apparmor.d/profiles-a-f/dumpe2fs +++ b/apparmor.d/profiles-a-f/dumpe2fs @@ -18,7 +18,7 @@ profile dumpe2fs @{exec_path} { # Image files owner @{user_img_dirs}/{,**} r, - owner @{run}/blkid/blkid.tab{,-*} rw, + owner @{run}/blkid/blkid.tab{,-@{rand6}} rw, owner @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab, /dev/tty[0-9]* rw, diff --git a/apparmor.d/profiles-a-f/e2fsck b/apparmor.d/profiles-a-f/e2fsck index 9fa61cf74..8d3e4b239 100644 --- a/apparmor.d/profiles-a-f/e2fsck +++ b/apparmor.d/profiles-a-f/e2fsck @@ -30,7 +30,7 @@ profile e2fsck @{exec_path} { @{run}/blkid/ rw, @{run}/systemd/fsck.progress rw, owner @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab, - owner @{run}/blkid/blkid.tab{,-*} rw, + owner @{run}/blkid/blkid.tab{,-@{rand6}} rw, @{sys}/devices/**/power_supply/AC/online r, diff --git a/apparmor.d/profiles-a-f/fsck b/apparmor.d/profiles-a-f/fsck index 534a1abc0..4d5f07a50 100644 --- a/apparmor.d/profiles-a-f/fsck +++ b/apparmor.d/profiles-a-f/fsck 
@@ -30,7 +30,7 @@ profile fsck @{exec_path} { owner @{run}/fsck/ rw, owner @{run}/fsck/*.lock rwk, - owner @{run}/blkid/blkid.tab{,-*} rw, + owner @{run}/blkid/blkid.tab{,-@{rand6}} rw, owner @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab, @{run}/mount/utab r, @{run}/systemd/fsck.progress rw, diff --git a/apparmor.d/profiles-a-f/fwupd b/apparmor.d/profiles-a-f/fwupd index ad10044bd..302e13a34 100644 --- a/apparmor.d/profiles-a-f/fwupd +++ b/apparmor.d/profiles-a-f/fwupd @@ -102,7 +102,7 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) { /var/tmp/etilqs_@{hex} rw, /boot/{,**} r, - /boot/EFI/*/.goutputstream-* rw, + /boot/EFI/*/.goutputstream-@{rand6} rw, /boot/EFI/*/fw/fwupd-*.cap{,.*} rw, /boot/EFI/*/fwupdx[0-9]*.efi rw, @{lib}/fwupd/efi/fwupdx[0-9]*.efi r, diff --git a/apparmor.d/profiles-g-l/glib-pacrunner b/apparmor.d/profiles-g-l/glib-pacrunner index 9dcd5d972..097e756da 100644 --- a/apparmor.d/profiles-g-l/glib-pacrunner +++ b/apparmor.d/profiles-g-l/glib-pacrunner @@ -9,6 +9,8 @@ include @{exec_path} = @{lib}/glib-pacrunner profile glib-pacrunner @{exec_path} { include + include + include include network inet dgram, diff --git a/apparmor.d/profiles-g-l/hw-probe b/apparmor.d/profiles-g-l/hw-probe index b908e8a52..b52301108 100644 --- a/apparmor.d/profiles-g-l/hw-probe +++ b/apparmor.d/profiles-g-l/hw-probe @@ -132,10 +132,10 @@ profile hw-probe @{exec_path} { @{run}/log/ rw, /{run,var}/log/journal/ rw, - /{run,var}/log/journal/@{hex}/ rw, - /{run,var}/log/journal/@{hex}/user-@{hex}.journal* rw, - /{run,var}/log/journal/@{hex}/system.journal* rw, - /{run,var}/log/journal/@{hex}/system@@{hex}.journal* rw, + /{run,var}/log/journal/@{md5}/ rw, + /{run,var}/log/journal/@{md5}/user-@{hex}.journal* rw, + /{run,var}/log/journal/@{md5}/system.journal* rw, + /{run,var}/log/journal/@{md5}/system@@{hex}.journal* rw, owner @{PROC}/@{pid}/stat r, 
diff --git a/apparmor.d/profiles-m-r/mke2fs b/apparmor.d/profiles-m-r/mke2fs index a309e8392..4205ee3eb 100644 --- a/apparmor.d/profiles-m-r/mke2fs +++ b/apparmor.d/profiles-m-r/mke2fs @@ -31,7 +31,7 @@ profile mke2fs @{exec_path} { # For virt-resize owner /var/tmp/.guestfs-[0-9]*/** rwk, - owner @{run}/blkid/blkid.tab{,-*} rw, + owner @{run}/blkid/blkid.tab{,-@{rand6}} rw, owner @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab, @{PROC}/swaps r, diff --git a/apparmor.d/profiles-m-r/mono-sgen b/apparmor.d/profiles-m-r/mono-sgen index 3001cd549..a48b7259c 100644 --- a/apparmor.d/profiles-m-r/mono-sgen +++ b/apparmor.d/profiles-m-r/mono-sgen @@ -37,7 +37,7 @@ profile mono-sgen @{exec_path} { owner @{user_config_dirs}/openra/{,**} rw, owner @{user_config_dirs}/.mono/{,**} r, - owner @{run}/user/@{uid}/.mutter-Xwaylandauth.* rw, + owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} rw, owner /tmp/*.* rw, owner /tmp/CASESENSITIVETEST* rw, @@ -52,4 +52,4 @@ profile mono-sgen @{exec_path} { owner @{PROC}/@{pid}/fd/ r, include if exists -} \ No newline at end of file +} diff --git a/apparmor.d/profiles-m-r/obexd b/apparmor.d/profiles-m-r/obexd index fdbd0e7ed..242115a28 100644 --- a/apparmor.d/profiles-m-r/obexd +++ b/apparmor.d/profiles-m-r/obexd @@ -9,6 +9,8 @@ include @{exec_path} = @{lib}/bluetooth/obexd profile obexd @{exec_path} { include + include + include include network bluetooth stream, diff --git a/apparmor.d/profiles-m-r/pinentry-gtk-2 b/apparmor.d/profiles-m-r/pinentry-gtk-2 index 6218e9aaa..89d189c00 100644 --- a/apparmor.d/profiles-m-r/pinentry-gtk-2 +++ b/apparmor.d/profiles-m-r/pinentry-gtk-2 @@ -18,7 +18,7 @@ profile pinentry-gtk-2 @{exec_path} { /usr/share/gtk-2.0/gtkrc r, - owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* r, + owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} r, include if exists } diff --git a/apparmor.d/profiles-m-r/qnapi b/apparmor.d/profiles-m-r/qnapi index 8c6298b81..a2920fd5e 100644 
--- a/apparmor.d/profiles-m-r/qnapi +++ b/apparmor.d/profiles-m-r/qnapi @@ -57,8 +57,8 @@ profile qnapi @{exec_path} { owner @{user_config_dirs}/qnapi.ini rw, owner @{user_config_dirs}/qnapi.ini.lock rwk, - owner @{user_config_dirs}/qnapi.ini.* rwl -> @{user_config_dirs}/#[0-9]*[0-9], - owner @{user_config_dirs}/qnapi.ini.mlXXXY rwl -> @{user_config_dirs}/#[0-9]*[0-9], + owner @{user_config_dirs}/qnapi.ini.* rwl -> @{user_config_dirs}/#@{number}, + owner @{user_config_dirs}/qnapi.ini.mlXXXY rwl -> @{user_config_dirs}/#@{number}, owner @{user_config_dirs}/qt5ct/{,**} r, owner @{user_cache_dirs}/ rw, diff --git a/apparmor.d/profiles-m-r/run-parts b/apparmor.d/profiles-m-r/run-parts index 0a1f95ee3..eb8d9f68b 100644 --- a/apparmor.d/profiles-m-r/run-parts +++ b/apparmor.d/profiles-m-r/run-parts @@ -116,6 +116,7 @@ profile run-parts @{exec_path} { /etc/kernel/postinst.d/initramfs-tools rCx -> kernel, /etc/kernel/postinst.d/unattended-upgrades rCx -> kernel, /etc/kernel/postinst.d/zz-update-grub rCx -> kernel, + /etc/kernel/postinst.d/zz-shim rCx -> kernel, /etc/kernel/postinst.d/xx-update-initrd-links rCx -> kernel, /etc/kernel/postrm.d/ r, @@ -128,7 +129,7 @@ profile run-parts @{exec_path} { /etc/kernel/prerm.d/ r, /etc/kernel/prerm.d/dkms rCx -> kernel, - owner /tmp/#[0-9]*[0-9] rw, + owner /tmp/#@{number} rw, owner /tmp/$anacron* rw, owner @{sys}/class/power_supply/ r, diff --git a/apparmor.d/profiles-m-r/rustdesk b/apparmor.d/profiles-m-r/rustdesk index f65f09534..6f53f6800 100644 --- a/apparmor.d/profiles-m-r/rustdesk +++ b/apparmor.d/profiles-m-r/rustdesk @@ -89,7 +89,7 @@ profile rustdesk @{exec_path} { # service and GUI intercommunication @{HOME}/.Xauthority r, - @{run}/user/@{uid}/.mutter-Xwaylandauth.?????? r, + @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} r, @{run}/user/@{uid}/gdm{,3}/Xauthority r, /tmp/[rR]ust[dD]esk/{,**} rw, /tmp/.X11-unix/ r, 
@@ -103,7 +103,7 @@ profile rustdesk @{exec_path} { owner @{run}/user/@{uid}/pulse/native rw, owner @{user_config_dirs}/pulse/ rw, owner @{user_config_dirs}/pulse/cookie rwk, - owner @{user_config_dirs}/pulse/*-runtime{,.tmp} rw, + owner @{user_config_dirs}/pulse/@{md5}-runtime{,.tmp} rw, owner /tmp/pulse-*/ rw, # gtk-tiny diff --git a/apparmor.d/profiles-s-z/scrcpy b/apparmor.d/profiles-s-z/scrcpy index 2b5fe8def..5ca4fe450 100644 --- a/apparmor.d/profiles-s-z/scrcpy +++ b/apparmor.d/profiles-s-z/scrcpy @@ -31,7 +31,8 @@ profile scrcpy @{exec_path} { /var/lib/dbus/machine-id r, - owner @{user_config_dirs}/ibus/bus/{,@{hex}-unix{,-wayland}-[0-9]} r, + owner @{user_config_dirs}/ibus/bus/ r, + owner @{user_config_dirs}/ibus/bus/@{md5}-unix-{,wayland-}@{number} r, include if exists } diff --git a/apparmor.d/profiles-s-z/system-config-printer b/apparmor.d/profiles-s-z/system-config-printer index ef8c338e4..ed268af4c 100644 --- a/apparmor.d/profiles-s-z/system-config-printer +++ b/apparmor.d/profiles-s-z/system-config-printer @@ -60,7 +60,7 @@ profile system-config-printer @{exec_path} flags=(complain) { owner @{HOME}/.cups/ rw, owner @{HOME}/.cups/lpoptions rw, - owner @{run}/user/@{uid}/gvfsd/socket-* rw, + owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, @{run}/cups/cups.sock rw, owner /tmp/* rw, diff --git a/apparmor.d/profiles-s-z/tune2fs b/apparmor.d/profiles-s-z/tune2fs index c5e2dc9ed..a336d8eba 100644 --- a/apparmor.d/profiles-s-z/tune2fs +++ b/apparmor.d/profiles-s-z/tune2fs @@ -25,7 +25,7 @@ profile tune2fs @{exec_path} { # Image files owner @{user_img_dirs}/{,**} rw, - owner @{run}/blkid/blkid.tab{,-*} rw, + owner @{run}/blkid/blkid.tab{,-@{rand6}} rw, owner @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab, @{PROC}/swaps r, diff --git a/apparmor.d/profiles-s-z/udisksd b/apparmor.d/profiles-s-z/udisksd index b479f466e..c854a4f08 100644 --- a/apparmor.d/profiles-s-z/udisksd +++ b/apparmor.d/profiles-s-z/udisksd 
@@ -139,7 +139,7 @@ profile udisksd @{exec_path} flags=(attach_disconnected) { @{sys}/bus/ r, @{sys}/class/ r, @{sys}/devices/pci[0-9]*/**/{ata,usb,mmc}[0-9]/{,**/}remove rw, - @{sys}/devices/pci[0-9]*/**/{ata,usb,mmc}[0-9]/{,**/}uevent w, + @{sys}/devices/pci[0-9]*/**/{ata,usb,mmc,virtio}[0-9]/{,**/}uevent w, @{sys}/devices/virtual/bdi/**/read_ahead_kb r, @{sys}/devices/virtual/block/*/{,**} rw, @{sys}/devices/virtual/block/loop[0-9]*/uevent rw, diff --git a/apparmor.d/profiles-s-z/zpool b/apparmor.d/profiles-s-z/zpool index bd2cd296c..3ad0e8379 100644 --- a/apparmor.d/profiles-s-z/zpool +++ b/apparmor.d/profiles-s-z/zpool @@ -23,7 +23,7 @@ profile zpool @{exec_path} { @{run}/blkid/blkid.tab rw, @{run}/blkid/blkid.tab.old rwl, - @{run}/blkid/blkid.tab-* rwl, + @{run}/blkid/blkid.tab-@{rand6} rwl, /tmp/tmp.* rw, diff --git a/apparmor.d/tunables/multiarch.d/apparmor.d b/apparmor.d/tunables/multiarch.d/apparmor.d index 13f386372..2ae56bec1 100644 --- a/apparmor.d/tunables/multiarch.d/apparmor.d +++ b/apparmor.d/tunables/multiarch.d/apparmor.d 
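Review bot: `virtio` is added only to the `uevent w` rule; the `remove rw` rule on the line above still enumerates `{ata,usb,mmc}`, so a virtio block device could have its uevent re-triggered but not be removed through sysfs. If that asymmetry is intentional it deserves a comment; otherwise the preceding line should read `@{sys}/devices/pci[0-9]*/**/{ata,usb,mmc,virtio}[0-9]/{,**/}remove rw,` — verify against what udisksd actually does for virtio disks, since I am inferring the need from symmetry with the other bus types only.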
@@ -6,11 +6,29 @@ # To allow extended personalisation without breaking everything. # All apparmor profiles should always use the variables defined here. +# Single hex character +@{h}=[0-9a-fA-F] + +# Single alphanumeric character +@{c}=[0-9a-zA-Z] + +# Only number (0-9999999999) +@{number}={[0-9],[0-9][0-9],[0-9][0-9][0-9],[0-9][0-9][0-9][0-9],[0-9][0-9][0-9][0-9][0-9],[0-9][0-9][0-9][0-9][0-9][0-9],[0-9][0-9][0-9][0-9][0-9][0-9][0-9],[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9],[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9],[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]} + +# Any six characters +@{rand6}=@{c}@{c}@{c}@{c}@{c}@{c} + +# Any eight characters +@{rand8}=@{c}@{c}@{c}@{c}@{c}@{c}@{c}@{c} + +# MD5 hash +@{md5}=@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h} + # Universally unique identifier -@{uuid}=[0-9a-fA-F]*-[0-9a-fA-F]*-[0-9a-fA-F]*-[0-9a-fA-F]*-[0-9a-fA-F]* +@{uuid}=@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}[-_]@{h}@{h}@{h}@{h}[-_]@{h}@{h}@{h}@{h}[-_]@{h}@{h}@{h}@{h}[-_]@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h} # Hexadecimal -@{hex}=[0-9a-fA-F]* +@{hex}=@{h}*@{h} # Date and time @{date}=[0-9][0-9][0-9][0-9]-[1-12]-[1-31]
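Review bot: `@{hex}=@{h}*@{h}` does not constrain the value to hexadecimal, because in AppArmor path globbing `*` matches any run of characters other than `/` rather than repeating the preceding class, so only the first and last characters are checked (the old `[0-9a-fA-F]*` had the same weakness). Rules that still use `@{hex}`, such as `system@@{hex}.journal*` and `user-@{hex}.journal*` in the journal hunks, therefore stay nearly as broad as a bare `*`; where the length is known a fixed-length variable like `@{md5}` is the precise form, and the comment should make the limitation visible: `# Hexadecimal (loose: '*' is a glob, only the first and last characters are checked)`. `@{uuid}` now accepts `[-_]` as separator, which is wider than the RFC 4122 dashed form the name implies, so either restrict it to `-` if no profile needs underscores or document it (`# Universally unique identifier ('_' also accepted as separator)`). The `@{rand6}`/`@{rand8}` comments say "Any six/eight characters" while `@{c}` is alphanumeric only; `# Six alphanumeric characters` describes the value accurately.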