felipe/apparmor.d
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

rename to int, convert more profiles

Browse source
This commit is contained in:
nobody43 2023-08-06 17:53:35 +00:00
parent 706af2063f
commit a77a288cab
102 changed files with 268 additions and 268 deletions
Download patch file Download diff file Expand all files Collapse all files

2
apparmor.d/abstractions/apt-common
View file

@ -27,6 +27,6 @@
/var/lib/ubuntu-advantage/apt-esm/{,**} r,
owner /tmp/clearsigned.message.* rw,
owner /tmp/#[0-9]*[0-9] rw,
owner /tmp/#@{int} rw,
include if exists <abstractions/apt-common.d>

16
apparmor.d/abstractions/kde5-plasma5
View file

@ -19,14 +19,14 @@
# For app config (in order to work the KDE_APP_NAME variable has to be set in profile which
# includes this abstraction)
#owner @{user_config_dirs}/#[0-9]*[0-9] rwk,
#owner @{user_config_dirs}/@{KDE_APP_NAME}rc* rwlk -> @{user_config_dirs}/#[0-9]*[0-9],
#owner @{run}/user/@{uid}/#[0-9]*[0-9] rw,
#owner @{run}/user/@{uid}/@{KDE_APP_NAME}*.slave-socket rwl -> @{run}/user/@{uid}/#[0-9]*[0-9],
#owner @{user_config_dirs}/#@{int} rwk,
#owner @{user_config_dirs}/@{KDE_APP_NAME}rc* rwlk -> @{user_config_dirs}/#@{int},
#owner @{run}/user/@{uid}/#@{int} rw,
#owner @{run}/user/@{uid}/@{KDE_APP_NAME}*.slave-socket rwl -> @{run}/user/@{uid}/#@{int},
# Common KDE config files
#owner @{user_config_dirs}/#[0-9]*[0-9] rw,
#owner @{user_config_dirs}/kdeglobals* rwkl -> @{user_config_dirs}/#[0-9]*[0-9],
#owner @{user_config_dirs}/#@{int} rw,
#owner @{user_config_dirs}/kdeglobals* rwkl -> @{user_config_dirs}/#@{int},
#owner @{user_config_dirs}/baloofilerc r,
#owner @{user_config_dirs}/dolphinrc r,
#owner @{user_config_dirs}/trashrc r,
@ -36,8 +36,8 @@
# For bookmarks
#@{bin}/keditbookmarks rPUx,
#owner @{user_share_dirs}/kfile/ rw,
#owner @{user_share_dirs}/kfile/#[0-9]*[0-9] rw,
#owner @{user_share_dirs}/kfile/bookmarks.xml* rwl -> @{user_share_dirs}/kfile/#[0-9]*[0-9],
#owner @{user_share_dirs}/kfile/#@{int} rw,
#owner @{user_share_dirs}/kfile/bookmarks.xml* rwl -> @{user_share_dirs}/kfile/#@{int},
# Common cache files
#owner @{user_cache_dirs}/icon-cache.kcache rw,

8
apparmor.d/abstractions/qt5-shader-cache
View file

@ -6,10 +6,10 @@
abi <abi/3.0>,
owner @{user_cache_dirs}/qtshadercache/ rw,
owner @{user_cache_dirs}/qtshadercache/#@{number} rw,
owner @{user_cache_dirs}/qtshadercache/@{hex} rwl -> @{user_cache_dirs}/qtshadercache/#@{number},
owner @{user_cache_dirs}/qtshadercache/#@{int} rw,
owner @{user_cache_dirs}/qtshadercache/@{hex} rwl -> @{user_cache_dirs}/qtshadercache/#@{int},
owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/ rw,
owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/#@{number} rw,
owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/@{hex}* rwl -> @{user_cache_dirs}/qtshadercache-*-little_endian-*/#@{number},
owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/#@{int} rw,
owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/@{hex}* rwl -> @{user_cache_dirs}/qtshadercache-*-little_endian-*/#@{int},
include if exists <abstractions/qt5-shader-cache.d>

8
apparmor.d/abstractions/thumbnails-cache-write
View file

@ -6,12 +6,12 @@
owner @{HOME}/thumbnails/ rw,
owner @{HOME}/thumbnails/{large,normal}/ rw,
owner @{HOME}/thumbnails/{large,normal}/#[0-9]*[0-9] rw,
owner @{HOME}/thumbnails/{large,normal}/[a-f0-9]*.png rwl -> @{user_cache_dirs}/thumbnails/{large,normal}/#[0-9]*[0-9],
owner @{HOME}/thumbnails/{large,normal}/#@{int} rw,
owner @{HOME}/thumbnails/{large,normal}/[a-f0-9]*.png rwl -> @{user_cache_dirs}/thumbnails/{large,normal}/#@{int},
owner @{user_cache_dirs}/thumbnails/ rw,
owner @{user_cache_dirs}/thumbnails/{large,normal}/ rw,
owner @{user_cache_dirs}/thumbnails/{large,normal}/#[0-9]*[0-9] rw,
owner @{user_cache_dirs}/thumbnails/{large,normal}/[a-f0-9]*.png rwl -> @{user_cache_dirs}/thumbnails/{large,normal}/#[0-9]*[0-9],
owner @{user_cache_dirs}/thumbnails/{large,normal}/#@{int} rw,
owner @{user_cache_dirs}/thumbnails/{large,normal}/[a-f0-9]*.png rwl -> @{user_cache_dirs}/thumbnails/{large,normal}/#@{int},
include if exists <abstractions/thumbnails-cache-write.d>

8
apparmor.d/abstractions/trash.d/complete
View file

@ -5,11 +5,11 @@
owner @{user_config_dirs}/trashrc rw,
owner @{user_config_dirs}/trashrc.lock rwk,
owner @{user_config_dirs}/#[0-9]*[0-9] rwk,
owner @{user_config_dirs}/trashrc.* rwl -> @{user_config_dirs}/#[0-9]*[0-9],
owner @{user_config_dirs}/#@{int} rwk,
owner @{user_config_dirs}/trashrc.* rwl -> @{user_config_dirs}/#@{int},
owner @{run}/user/@{uid}/#[0-9]*[0-9] rw,
owner @{run}/user/@{uid}/trash.so*.[0-9].slave-socket rwl -> @{run}/user/@{uid}/#[0-9]*[0-9],
owner @{run}/user/@{uid}/#@{int} rw,
owner @{run}/user/@{uid}/trash.so*.[0-9].slave-socket rwl -> @{run}/user/@{uid}/#@{int},
# Home trash location
owner @{user_share_dirs}/Trash/{,**} rwl,

2
apparmor.d/groups/akonadi/akonadi_archivemail_agent
View file

@ -31,7 +31,7 @@ profile akonadi_archivemail_agent @{exec_path} {
owner @{user_cache_dirs}/icon-cache.kcache rw,
owner @{user_config_dirs}/#@{number} rw,
owner @{user_config_dirs}/#@{int} rw,
owner @{user_config_dirs}/akonadi_archivemail_agentrc r,
owner @{user_config_dirs}/akonadi/agent_config_akonadi_archivemail_agent r,
owner @{user_config_dirs}/akonadi/agent_config_akonadi_archivemail_agent_changes{,.dat} rw,

2
apparmor.d/groups/akonadi/akonadi_indexing_agent
View file

@ -34,7 +34,7 @@ profile akonadi_indexing_agent @{exec_path} {
owner @{user_cache_dirs}/icon-cache.kcache rw,
owner @{user_config_dirs}/akonadi_indexing_agentrc r,
owner @{user_config_dirs}/akonadi/#[0-9]* rw,
owner @{user_config_dirs}/akonadi/#@{int} rw,
owner @{user_config_dirs}/akonadi/agent_config_akonadi_indexing_agent{,.*} rwlk,
owner @{user_config_dirs}/akonadi/akonadiconnectionrc r,
owner @{user_config_dirs}/kdedefaults/kdeglobals r,

2
apparmor.d/groups/akonadi/akonadi_maildispatcher_agent
View file

@ -37,7 +37,7 @@ profile akonadi_maildispatcher_agent @{exec_path} {
owner @{user_cache_dirs}/icon-cache.kcache rw,
owner @{user_config_dirs}/akonadi/#[0-9]* rw,
owner @{user_config_dirs}/akonadi/#@{int} rw,
owner @{user_config_dirs}/akonadi/agent_config_akonadi_maildispatcher_agent* rwkl,
owner @{user_config_dirs}/akonadi/akonadiconnectionrc r,
owner @{user_config_dirs}/kdedefaults/kdeglobals r,

4
apparmor.d/groups/akonadi/akonadi_mailfilter_agent
View file

@ -36,7 +36,7 @@ profile akonadi_mailfilter_agent @{exec_path} {
owner @{user_cache_dirs}/icon-cache.kcache rw,
owner @{user_config_dirs}/#@{number} rw,
owner @{user_config_dirs}/#@{int} rw,
owner @{user_config_dirs}/agent_config_akonadi_mailfilter_agent r,
owner @{user_config_dirs}/akonadi_*_resource_*rc r,
owner @{user_config_dirs}/akonadi_mailfilter_agentrc r,
@ -54,7 +54,7 @@ profile akonadi_mailfilter_agent @{exec_path} {
owner @{user_config_dirs}/kmail2rc r,
owner @{user_config_dirs}/kwinrc r,
owner /tmp/#[0-9]* rw,
owner /tmp/#@{int} rw,
owner /tmp/akonadi_mailfilter_agent.* rwl,
owner @{user_config_dirs}/specialmailcollectionsrc r,

2
apparmor.d/groups/akonadi/akonadi_newmailnotifier_agent
View file

@ -33,7 +33,7 @@ profile akonadi_newmailnotifier_agent @{exec_path} {
owner @{user_cache_dirs}/icon-cache.kcache rw,
owner @{user_config_dirs}/#@{number} rw,
owner @{user_config_dirs}/#@{int} rw,
owner @{user_config_dirs}/akonadi_newmailnotifier_agentrc r,
owner @{user_config_dirs}/akonadi/agent_config_akonadi_newmailnotifier_agent_changes{,_changes.dat,.dat} rw,
owner @{user_config_dirs}/akonadi/akonadiconnectionrc r,

10
apparmor.d/groups/apps/calibre
View file

@ -128,11 +128,11 @@ profile calibre @{exec_path} {
owner @{user_cache_dirs}/calibre/ rw,
owner @{user_cache_dirs}/calibre/** rwkl -> @{user_cache_dirs}/calibre/**,
owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/@{hex} rwl -> @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9],
owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9] rw,
owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/@{hex} rwl -> @{user_cache_dirs}/qtshadercache-*-little_endian-*/#@{int},
owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/#@{int} rw,
owner @{user_cache_dirs}/qtshadercache/ rw,
owner @{user_cache_dirs}/qtshadercache/@{hex} rwl -> @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9],
owner @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9] rw,
owner @{user_cache_dirs}/qtshadercache/@{hex} rwl -> @{user_cache_dirs}/qtshadercache/#@{int},
owner @{user_cache_dirs}/qtshadercache/#@{int} rw,
owner @{user_cache_dirs}/gstreamer-[0-9]*/ rw,
owner @{user_cache_dirs}/gstreamer-[0-9]*/registry.*.bin{,.tmp*} rw,
@ -146,7 +146,7 @@ profile calibre @{exec_path} {
# owner /tmp/[0-9]*-*/** rwl -> /tmp/[0-9]*-*/**, # newer AA version
owner /tmp/* rw,
owner /dev/shm/#[0-9]*[0-9] rw,
owner /dev/shm/#@{int} rw,
@{sys}/devices/pci[0-9]*/**/irq r,

2
apparmor.d/groups/apps/dropbox
View file

@ -107,7 +107,7 @@ profile dropbox @{exec_path} {
# Dropbox first tries the /tmp/ dir, and if it's denied it uses the /var/tmp/ dir instead
owner /tmp/dropbox-antifreeze-* rw,
owner /tmp/[a-zA-z0-9]* rw,
owner /tmp/#[0-9]*[0-9] rw,
owner /tmp/#@{int} rw,
owner /var/tmp/etilqs_* rw,
@{run}/systemd/users/@{uid} r,

6
apparmor.d/groups/apps/flameshot
View file

@ -40,8 +40,8 @@ profile flameshot @{exec_path} {
# Flameshot home files
owner @{user_config_dirs}/flameshot/ rw,
owner @{user_config_dirs}/flameshot/flameshot.ini rw,
owner @{user_config_dirs}/flameshot/#[0-9]*[0-9] rw,
owner @{user_config_dirs}/flameshot/flameshot.ini* rwl -> @{user_config_dirs}/flameshot/#[0-9]*[0-9],
owner @{user_config_dirs}/flameshot/#@{int} rw,
owner @{user_config_dirs}/flameshot/flameshot.ini* rwl -> @{user_config_dirs}/flameshot/#@{int},
owner @{user_config_dirs}/flameshot/flameshot.ini.lock rwk,
owner @{user_config_dirs}/qt5ct/{,**} r,
@ -63,7 +63,7 @@ profile flameshot @{exec_path} {
/etc/fstab r,
/dev/shm/#[0-9]*[0-9] rw,
/dev/shm/#@{int} rw,
# file_inherit
owner /dev/tty[0-9]* rw,

12
apparmor.d/groups/apps/okular
View file

@ -39,15 +39,15 @@ profile okular @{exec_path} {
/tmp/mozilla_*/ r,
owner /{home,media,tmp/mozilla_*}/**.@{okular_ext} rw,
owner @{user_config_dirs}/#[0-9]*[0-9] rw,
owner @{user_config_dirs}/#@{int} rw,
owner @{user_config_dirs}/okularrc rw,
owner @{user_config_dirs}/okularrc.lock rwk,
owner @{user_config_dirs}/okularrc.* rwl -> @{user_config_dirs}/#[0-9]*[0-9],
owner @{user_config_dirs}/okularrc.* rwl -> @{user_config_dirs}/#@{int},
owner @{user_config_dirs}/okularpartrc rw,
owner @{user_config_dirs}/okularpartrc.lock rwk,
owner @{user_config_dirs}/okularpartrc.* rwl -> @{user_config_dirs}/#[0-9]*[0-9],
owner @{user_config_dirs}/okularpartrc.* rwl -> @{user_config_dirs}/#@{int},
owner @{user_config_dirs}/kdeglobals r,
owner @{user_config_dirs}/kwalletrc r,
@ -72,7 +72,7 @@ profile okular @{exec_path} {
deny @{PROC}/sys/kernel/random/boot_id r,
deny owner @{PROC}/@{pid}/cmdline r,
/dev/shm/#[0-9]*[0-9] rw,
/dev/shm/#@{int} rw,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
@ -86,8 +86,8 @@ profile okular @{exec_path} {
# Print to pdf
@{bin}/ps2pdf rPUx,
owner /tmp/@{hex} rw,
owner /tmp/#[0-9]*[0-9] rw,
owner /tmp/okular_*.ps rwl -> /tmp/#[0-9]*[0-9],
owner /tmp/#@{int} rw,
owner /tmp/okular_*.ps rwl -> /tmp/#@{int},
# About
/usr/share/kf5/licenses/GPL_V2 r,

4
apparmor.d/groups/apps/telegram-desktop
View file

@ -51,7 +51,7 @@ profile telegram-desktop @{exec_path} {
# Download dir
owner @{TELEGRAM_WORK_DIR}/ rw,
owner @{TELEGRAM_WORK_DIR}/** rwkl -> @{TELEGRAM_WORK_DIR}/#[0-9]*[0-9],
owner @{TELEGRAM_WORK_DIR}/** rwkl -> @{TELEGRAM_WORK_DIR}/#@{int},
# Telegram's profile (via telegram -many -workdir ~/some/dir/)
#owner @{TELEGRAM_WORK_DIR}/{,**} rw,
@ -62,7 +62,7 @@ profile telegram-desktop @{exec_path} {
owner /tmp/@{hex}-* rwk,
owner @{run}/user/@{uid}/@{hex}-* rwk,
/dev/shm/#[0-9]*[0-9] rw,
/dev/shm/#@{int} rw,
owner @{PROC}/@{pid}/fd/ r,
deny owner @{PROC}/@{pid}/cmdline r,

6
apparmor.d/groups/apps/vlc
View file

@ -161,13 +161,13 @@ profile vlc @{exec_path} {
owner @{user_cache_dirs}/ rw,
owner @{user_cache_dirs}/ rw,
owner @{user_cache_dirs}/#[0-9]*[0-9] rw,
owner @{user_cache_dirs}/#@{int} rw,
owner @{user_cache_dirs}/vlc/ rw,
owner @{user_cache_dirs}/vlc/{,**} rw,
owner @{user_config_dirs}/qt5ct/{,**} r,
owner @{user_config_dirs}/vlc/ rw,
owner @{user_config_dirs}/vlc/* rwkl -> @{user_config_dirs}/vlc/#[0-9]*[0-9],
owner @{user_config_dirs}/vlc/* rwkl -> @{user_config_dirs}/vlc/#@{int},
owner @{user_share_dirs}/vlc/{,**} rw,
@ -193,7 +193,7 @@ profile vlc @{exec_path} {
audit @{PROC}/sys/kernel/random/boot_id r,
audit owner @{PROC}/@{pid}/cmdline r,
/dev/shm/#[0-9]*[0-9] rw,
/dev/shm/#@{int} rw,
owner /dev/tty[0-9]* rw,
# Silencer

2
apparmor.d/groups/apt/debsecan
View file

@ -44,7 +44,7 @@ profile debsecan @{exec_path} {
owner @{PROC}/@{pid}/fd/ r,
# file_inherit
/tmp/#[0-9]*[0-9] rw,
/tmp/#@{int} rw,
include if exists <local/debsecan>
}

2
apparmor.d/groups/apt/dpkg-query
View file

@ -22,7 +22,7 @@ profile dpkg-query @{exec_path} {
/var/lib/dpkg/** r,
# file_inherit
/tmp/#@{number} rw,
/tmp/#@{int} rw,
/dev/tty[0-9]* rw,
include if exists <local/dpkg-query>

2
apparmor.d/groups/browsers/firefox
View file

@ -190,7 +190,7 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
owner @{user_config_dirs}/ r,
owner @{user_config_dirs}/gtk-{3,4}.0/assets/*.svg r,
owner @{user_config_dirs}/ibus/bus/ r,
owner @{user_config_dirs}/ibus/bus/@{md5}-unix-{,wayland-}@{number} r,
owner @{user_config_dirs}/ibus/bus/@{md5}-unix-{,wayland-}@{int} r,
owner @{user_config_dirs}/mimeapps.list{,.*} rw,
owner @{user_share_dirs}/ r,

4
apparmor.d/groups/bus/ibus-dconf
View file

@ -34,7 +34,7 @@ profile ibus-dconf @{exec_path} flags=(attach_disconnected) {
/etc/dconf/profile/ibus r,
/var/lib/gdm{3,}/.config/ibus/bus/ r,
/var/lib/gdm{3,}/.config/ibus/bus/@{md5}-unix-{,wayland-}@{number} r,
/var/lib/gdm{3,}/.config/ibus/bus/@{md5}-unix-{,wayland-}@{int} r,
/var/lib/gdm{3,}/.cache/dconf/ w,
/var/lib/gdm{3,}/.cache/dconf/user rw,
/var/lib/gdm{3,}/.config/dconf/ w,
@ -42,7 +42,7 @@ profile ibus-dconf @{exec_path} flags=(attach_disconnected) {
/var/lib/gdm{3,}/greeter-dconf-defaults r,
owner @{user_config_dirs}/ibus/bus/ r,
owner @{user_config_dirs}/ibus/bus/@{md5}-unix-{,wayland-}@{number} r,
owner @{user_config_dirs}/ibus/bus/@{md5}-unix-{,wayland-}@{int} r,
owner /dev/tty[0-9]* rw,

2
apparmor.d/groups/bus/ibus-engine-simple
View file

@ -22,7 +22,7 @@ profile ibus-engine-simple @{exec_path} flags=(attach_disconnected) {
/var/lib/dbus/machine-id r,
/var/lib/gdm{3,}/.config/ibus/bus/ r,
/var/lib/gdm{3,}/.config/ibus/bus/@{md5}-unix-{,wayland-}@{number} r,
/var/lib/gdm{3,}/.config/ibus/bus/@{md5}-unix-{,wayland-}@{int} r,
owner /dev/tty[0-9]* rw,

2
apparmor.d/groups/bus/ibus-extension-gtk3
View file

@ -76,7 +76,7 @@ profile ibus-extension-gtk3 @{exec_path} flags=(attach_disconnected) {
owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} r,
owner @{run}/user/@{uid}/gdm/Xauthority r,
/var/lib/gdm{3,}/.config/ibus/bus/@{md5}-unix-{,wayland-}@{number} r,
/var/lib/gdm{3,}/.config/ibus/bus/@{md5}-unix-{,wayland-}@{int} r,
/var/lib/gdm{3,}/.config/dconf/user r,
/var/lib/gdm{3,}/greeter-dconf-defaults r,

2
apparmor.d/groups/bus/ibus-memconf
View file

@ -17,7 +17,7 @@ profile ibus-memconf @{exec_path} {
/etc/machine-id r,
/var/lib/gdm{3,}/.config/ibus/bus/ r,
/var/lib/gdm{3,}/.config/ibus/bus/@{md5}-unix-{,wayland-}@{number} r,
/var/lib/gdm{3,}/.config/ibus/bus/@{md5}-unix-{,wayland-}@{int} r,
include if exists <local/ibus-memconf>
}

2
apparmor.d/groups/bus/ibus-portal
View file

@ -38,7 +38,7 @@ profile ibus-portal @{exec_path} flags=(attach_disconnected) {
/var/lib/dbus/machine-id r,
/var/lib/gdm{3,}/.config/ibus/bus/ r,
/var/lib/gdm{3,}/.config/ibus/bus/@{md5}-unix-{,wayland-}@{number} r,
/var/lib/gdm{3,}/.config/ibus/bus/@{md5}-unix-{,wayland-}@{int} r,
owner /dev/tty[0-9]* rw,

4
apparmor.d/groups/bus/ibus-x11
View file

@ -45,11 +45,11 @@ profile ibus-x11 @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr,
/var/lib/gdm{3,}/.config/ibus/bus/ r,
/var/lib/gdm{3,}/.config/ibus/bus/@{md5}-unix-{,wayland-}@{number} r,
/var/lib/gdm{3,}/.config/ibus/bus/@{md5}-unix-{,wayland-}@{int} r,
/var/lib/gdm{3,}/.cache/mesa_shader_cache/index rw,
owner @{user_config_dirs}/ibus/bus/ r,
owner @{user_config_dirs}/ibus/bus/@{md5}-unix-{,wayland-}@{number} r,
owner @{user_config_dirs}/ibus/bus/@{md5}-unix-{,wayland-}@{int} r,
owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} r,
owner @{run}/user/@{uid}/gdm/Xauthority r,

2
apparmor.d/groups/children/child-dpkg
View file

@ -45,7 +45,7 @@ profile child-dpkg {
/var/log/dpkg.log ra,
# file_inherit
/tmp/#@{number} rw,
/tmp/#@{int} rw,
include if exists <local/child-dpkg>
}

2
apparmor.d/groups/children/child-dpkg-divert
View file

@ -26,7 +26,7 @@ profile child-dpkg-divert {
/var/lib/dpkg/diversions r,
# file_inherit
/tmp/#@{number} rw,
/tmp/#@{int} rw,
include if exists <local/child-dpkg-divert>
}

2
apparmor.d/groups/cron/cron
View file

@ -53,7 +53,7 @@ profile cron @{exec_path} flags=(attach_disconnected) {
@{run}/systemd/sessions/*.ref rw,
owner /tmp/#@{number} rw,
owner /tmp/#@{int} rw,
owner @{PROC}/@{pid}/uid_map r,
owner @{PROC}/@{pid}/loginuid rw,

2
apparmor.d/groups/cron/cron-apt
View file

@ -83,7 +83,7 @@ profile cron-apt @{exec_path} {
owner /tmp/cron-apt.*/action{log,error,mail,syslog} rw,
# file_inherit
owner /tmp/#[0-9]*[0-9] rw,
owner /tmp/#@{int} rw,
include if exists <local/cron-apt>
}

10
apparmor.d/groups/cron/cron-popularity-contest
View file

@ -56,7 +56,7 @@ profile cron-popularity-contest @{exec_path} {
owner /tmp/tmp.*/random_seed w,
# file_inherit
owner /tmp/#[0-9]*[0-9] rw,
owner /tmp/#@{int} rw,
profile savelog {
@ -81,7 +81,7 @@ profile cron-popularity-contest @{exec_path} {
/var/log/popularity-contest rw,
# file_inherit
owner /tmp/#[0-9]*[0-9] rw,
owner /tmp/#@{int} rw,
}
@ -105,7 +105,7 @@ profile cron-popularity-contest @{exec_path} {
/var/log/popularity-contest.new w,
# file_inherit
owner /tmp/#[0-9]*[0-9] rw,
owner /tmp/#@{int} rw,
}
@ -125,7 +125,7 @@ profile cron-popularity-contest @{exec_path} {
owner /tmp/tmp.*/** rwkl -> /tmp/tmp.*/**,
# file_inherit
owner /tmp/#[0-9]*[0-9] rw,
owner /tmp/#@{int} rw,
}
@ -150,7 +150,7 @@ profile cron-popularity-contest @{exec_path} {
/var/log/popularity-contest.[0-9]*.gpg r,
# file_inherit
owner /tmp/#[0-9]*[0-9] rw,
owner /tmp/#@{int} rw,
}

6
apparmor.d/groups/freedesktop/polkit-kde-authentication-agent
View file

@ -48,8 +48,8 @@ profile polkit-kde-authentication-agent @{exec_path} {
owner @{user_config_dirs}/kwinrc r,
owner @{user_config_dirs}/qt5ct/{,**} r,
owner /tmp/#[0-9]*[0-9] rw,
owner /tmp/polkit-kde-authentication-agent-[0-9].* rwl -> /tmp/#[0-9]*[0-9],
owner /tmp/#@{int} rw,
owner /tmp/polkit-kde-authentication-agent-[0-9].* rwl -> /tmp/#@{int},
@{run}/systemd/users/@{uid} r,
@ -58,7 +58,7 @@ profile polkit-kde-authentication-agent @{exec_path} {
@{PROC}/@{pid}/fd/ r,
@{PROC}/sys/kernel/core_pattern r,
/dev/shm/#[0-9]*[0-9] rw,
/dev/shm/#@{int} rw,
include if exists <local/polkit-kde-authentication-agent>
}

2
apparmor.d/groups/freedesktop/xorg
View file

@ -141,7 +141,7 @@ profile xorg @{exec_path} flags=(attach_disconnected) {
/dev/fb[0-9] rw,
/dev/input/event[0-9]* rw,
/dev/shm/#@{number} rw,
/dev/shm/#@{int} rw,
/dev/shm/shmfd-* rw,
/dev/tty rw,
/dev/tty[0-9]* rw,

4
apparmor.d/groups/gnome/gnome-control-center
View file

@ -136,7 +136,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
owner @{user_cache_dirs}/thumbnails/{,**} rw,
owner @{user_config_dirs}/gnome-control-center/{,**} rw,
owner @{user_config_dirs}/ibus/bus/ r,
owner @{user_config_dirs}/ibus/bus/@{md5}-unix-{,wayland-}@{number} r,
owner @{user_config_dirs}/ibus/bus/@{md5}-unix-{,wayland-}@{int} r,
owner @{user_config_dirs}/mimeapps.list* rw,
owner @{user_config_dirs}/rygel.conf{,.??????} rw,
owner @{user_share_dirs}/backgrounds/{,**} rw,
@ -155,7 +155,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
owner @{run}/user/@{uid}/webkitgtk-wayland-compositor-@{uuid}.lock rwk,
owner @{run}/user/@{uid}/webkitgtk/{,**} rw,
owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw,
owner @{run}/user/@{uid}/wayland-@{number} rw,
owner @{run}/user/@{uid}/wayland-@{int} rw,
@{run}/cups/cups.sock rw,
@{run}/samba/ rw,
@{run}/systemd/sessions/ r,

2
apparmor.d/groups/gnome/gnome-remote-desktop-daemon
View file

@ -23,7 +23,7 @@ profile gnome-remote-desktop-daemon @{exec_path} {
/usr/share/glib-2.0/schemas/gschemas.compiled r,
owner @{run}/user/@{uid}/wayland-@{number} rw,
owner @{run}/user/@{uid}/wayland-@{int} rw,
@{sys}/devices/system/node/ r,
@{sys}/devices/system/node/node[0-9]*/meminfo r,

4
apparmor.d/groups/gnome/gnome-shell
View file

@ -527,7 +527,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
/var/lib/gdm{3,}/.config/dconf/user r,
/var/lib/gdm{3,}/.config/ibus/ rw,
/var/lib/gdm{3,}/.config/ibus/bus/ rw,
/var/lib/gdm{3,}/.config/ibus/bus/@{md5}-unix-{,wayland-}@{number} r,
/var/lib/gdm{3,}/.config/ibus/bus/@{md5}-unix-{,wayland-}@{int} r,
/var/lib/gdm{3,}/.config/pulse/ r,
/var/lib/gdm{3,}/.config/pulse/client.conf r,
/var/lib/gdm{3,}/.config/pulse/cookie rwk,
@ -581,7 +581,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw,
owner @{run}/user/@{uid}/snap.snap*/wayland-cursor-shared-* rw,
owner @{run}/user/@{uid}/systemd/notify rw,
owner @{run}/user/@{uid}/wayland-@{number} rwk,
owner @{run}/user/@{uid}/wayland-@{int} rwk,
owner /dev/shm/.org.chromium.Chromium.* rw,
owner /dev/shm/wayland.mozilla.ipc.[0-9]* rw,

4
apparmor.d/groups/gnome/gnome-software
View file

@ -71,7 +71,7 @@ profile gnome-software @{exec_path} {
/var/tmp/flatpak-cache-*/ rw,
/var/tmp/flatpak-cache-*/** rwkl,
/var/tmp/#[0-9]* rw,
/var/tmp/#@{int} rw,
owner @{HOME}/.var/app/{,**} rw,
@ -86,7 +86,7 @@ profile gnome-software @{exec_path} {
owner /tmp/ostree-gpg-*/ rw,
owner /tmp/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**,
owner /tmp/#[0-9]* rw,
owner /tmp/#@{int} rw,
owner @{run}/user/@{uid}/.dbus-proxy/ rw,
owner @{run}/user/@{uid}/.dbus-proxy/a11y-bus-proxy-[0-9A-Z]* rw,

2
apparmor.d/groups/gnome/gnome-terminal-server
View file

@ -49,7 +49,7 @@ profile gnome-terminal-server @{exec_path} {
owner @{run}/user/@{uid}/gdm/Xauthority r,
owner /tmp/#[0-9]* rw,
owner /tmp/#@{int} rw,
@{PROC}/@{pids}/cmdline r,
@{PROC}/@{pids}/cgroup r,

2
apparmor.d/groups/gnome/kgx
View file

@ -40,7 +40,7 @@ profile kgx @{exec_path} {
/usr/share/themes/{,**} r,
/usr/share/X11/xkb/{,**} r,
owner /tmp/#[0-9]* rw,
owner /tmp/#@{int} rw,
@{PROC}/ r,
@{PROC}/@{pids}/cmdline r,

2
apparmor.d/groups/kde/baloo
View file

@ -38,7 +38,7 @@ profile baloo @{exec_path} {
owner @{MOUNTS}/{,**} r,
owner /tmp/*/{,**} r,
owner @{user_config_dirs}/#@{number} rw,
owner @{user_config_dirs}/#@{int} rw,
owner @{user_config_dirs}/baloofilerc rwl,
owner @{user_config_dirs}/baloofilerc.lock rwkl,

2
apparmor.d/groups/kde/gmenudbusmenuproxy
View file

@ -23,7 +23,7 @@ profile gmenudbusmenuproxy @{exec_path} {
/etc/machine-id r,
owner @{HOME}/.gtkrc-2.0 rw,
owner @{user_config_dirs}/gtk-{2,3}.0/#[0-9]* rw,
owner @{user_config_dirs}/gtk-{2,3}.0/#@{int} rw,
owner @{user_config_dirs}/gtk-{2,3}.0/settings.ini{,.??????} rwl,
owner @{user_config_dirs}/gtk-{2,3}.0/settings.ini.lock rwk,

2
apparmor.d/groups/kde/kalendarac
View file

@ -31,7 +31,7 @@ profile kalendarac @{exec_path} {
owner @{user_cache_dirs}/icon-cache.kcache rw,
owner @{user_config_dirs}/#@{number} rw,
owner @{user_config_dirs}/#@{int} rw,
owner @{user_config_dirs}/akonadi-firstrunrc r,
owner @{user_config_dirs}/akonadi/akonadiconnectionrc r,
owner @{user_config_dirs}/emaildefaults r,

4
apparmor.d/groups/kde/kcminit
View file

@ -27,7 +27,7 @@ profile kcminit @{exec_path} {
owner @{HOME}/.Xdefaults r,
owner @{user_config_dirs}/#@{number} rw,
owner @{user_config_dirs}/#@{int} rw,
owner @{user_config_dirs}/gtkrc-2.0{,.??????} rwl,
owner @{user_config_dirs}/gtkrc{,.??????} rwl,
owner @{user_config_dirs}/kcminputrc r,
@ -42,7 +42,7 @@ profile kcminit @{exec_path} {
owner @{user_config_dirs}/Trolltech.conf{,.??????} rwl,
owner /tmp/kcminit.?????? rwl,
owner /tmp/#[0-9]* rw,
owner /tmp/#@{int} rw,
@{run}/user/@{uid}/xauth_* rl,

4
apparmor.d/groups/kde/kconf_update
View file

@ -32,13 +32,13 @@ profile kconf_update @{exec_path} {
/etc/xdg/kdeglobals r,
owner @{user_config_dirs}/#@{number} rw,
owner @{user_config_dirs}/#@{int} rw,
owner @{user_config_dirs}/kconf_updaterc r,
owner @{user_config_dirs}/kconf_updaterc* rwl,
owner @{user_config_dirs}/kdedefaults/kdeglobals r,
owner @{user_config_dirs}/kdeglobals* rwl,
owner /tmp/#[0-9]* rw,
owner /tmp/#@{int} rw,
owner /tmp/kconf_update.?????? rw,
include if exists <local/kconf_update>

2
apparmor.d/groups/kde/kde-powerdevil
View file

@ -29,7 +29,7 @@ profile kde-powerdevil @{exec_path} flags=(attach_disconnected) {
owner @{user_cache_dirs}/kcrash-metadata/{,*} rw,
owner @{user_config_dirs}/#@{number} rw,
owner @{user_config_dirs}/#@{int} rw,
owner @{user_config_dirs}/kdedefaults/kdeglobals r,
owner @{user_config_dirs}/kdeglobals r,
owner @{user_config_dirs}/powerdevilrc rwl,

4
apparmor.d/groups/kde/kded5
View file

@ -68,7 +68,7 @@ profile kded5 @{exec_path} {
owner @{user_cache_dirs}/icon-cache.kcache rw,
owner @{user_cache_dirs}/ksycoca5_* r,
owner @{user_config_dirs}/#@{number} rw,
owner @{user_config_dirs}/#@{int} rw,
owner @{user_config_dirs}/bluedevilglobalrc rk,
owner @{user_config_dirs}/bluedevilglobalrc* rwkl,
owner @{user_config_dirs}/gtk-{3,4}.0/{,**} rwl,
@ -95,7 +95,7 @@ profile kded5 @{exec_path} {
owner @{user_share_dirs}/kcookiejar/#@{hex}* rw,
owner @{user_share_dirs}/kcookiejar/cookies.* rwkl,
owner @{run}/user/@{uid}/#[0-9]* rw,
owner @{run}/user/@{uid}/#@{int} rw,
owner @{run}/user/@{uid}/kded5*kioworker.socket rwl,
owner /tmp/plasma-csd-generator.??????/{,**} rw,

2
apparmor.d/groups/kde/kglobalaccel5
View file

@ -22,7 +22,7 @@ profile kglobalaccel5 @{exec_path} {
/etc/machine-id r,
owner @{user_config_dirs}/#@{number} rw,
owner @{user_config_dirs}/#@{int} rw,
owner @{user_config_dirs}/kglobalshortcutsrc* rwl,
owner @{user_config_dirs}/kglobalshortcutsrc.lock rwk,

2
apparmor.d/groups/kde/kioslave5
View file

@ -57,7 +57,7 @@ profile kioslave5 @{exec_path} {
owner @{user_share_dirs}/baloo/index-lock rwk,
owner @{user_share_dirs}/baloo/index rw,
owner @{run}/user/@{uid}/#[0-9]* rw,
owner @{run}/user/@{uid}/#@{int} rw,
owner @{run}/user/@{uid}/kio_desktop*kioworker.socket rwl,
owner @{run}/user/@{uid}/xauth_* rl,

10
apparmor.d/groups/kde/kscreenlocker-greet
View file

@ -72,11 +72,11 @@ profile kscreenlocker-greet @{exec_path} {
owner @{user_cache_dirs}/plasma-svgelements-default_v* r,
owner @{user_cache_dirs}/plasma-svgelements.lock rwk,
owner @{user_cache_dirs}/plasma-svgelements{,.??????} rwl,
owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/@{hex} rwl -> @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9],
owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9] rw,
owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/@{hex} rwl -> @{user_cache_dirs}/qtshadercache-*-little_endian-*/#@{int},
owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/#@{int} rw,
owner @{user_cache_dirs}/qtshadercache/ rw,
owner @{user_cache_dirs}/qtshadercache/@{hex} rwl -> @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9],
owner @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9] rw,
owner @{user_cache_dirs}/qtshadercache/@{hex} rwl -> @{user_cache_dirs}/qtshadercache/#@{int},
owner @{user_cache_dirs}/qtshadercache/#@{int} rw,
owner @{user_config_dirs}/kdedefaults/* r,
owner @{user_config_dirs}/kdeglobals r,
@ -85,7 +85,7 @@ profile kscreenlocker-greet @{exec_path} {
owner @{user_config_dirs}/plasmarc r,
# If one is blocked, the others are probed.
deny owner @{HOME}/#[0-9]*[0-9] mrw,
deny owner @{HOME}/#@{int} mrw,
owner @{HOME}/.glvnd* mrw,
owner /tmp/*-cover-*.{jpg,png} r,

4
apparmor.d/groups/kde/ksmserver
View file

@ -47,7 +47,7 @@ profile ksmserver @{exec_path} flags=(attach_disconnected,mediate_deleted) {
owner @{HOME}/?????? rw,
owner @{HOME}/.Xauthority rw,
owner @{user_cache_dirs}/#[0-9]* rw,
owner @{user_cache_dirs}/#@{int} rw,
owner @{user_cache_dirs}/icon-cache.kcache rw,
owner @{user_cache_dirs}/fontconfig/*-le64.cache-* r,
owner @{user_cache_dirs}/ksycoca5_* rl,
@ -58,7 +58,7 @@ profile ksmserver @{exec_path} flags=(attach_disconnected,mediate_deleted) {
owner @{user_config_dirs}/kscreenlockerrc r,
owner @{user_config_dirs}/ksmserverrc.?????? rwl,
owner @{user_config_dirs}/ksmserverrc r,
owner @{user_config_dirs}/#[0-9]* rw,
owner @{user_config_dirs}/#@{int} rw,
owner @{user_config_dirs}/ksmserverrc.lock rwk,
owner @{user_config_dirs}/kwinrc r,
owner @{user_config_dirs}/session/*_[0-9]*_[0-9]*_[0-9]* rw,

6
apparmor.d/groups/kde/kwalletd5
View file

@ -55,9 +55,9 @@ profile kwalletd5 @{exec_path} {
owner @{user_share_dirs}/kwalletd/ rw,
owner @{user_share_dirs}/kwalletd/kdewallet_attributes.json r,
owner @{user_share_dirs}/kwalletd/*.kwl rw,
owner @{user_share_dirs}/kwalletd/*.kwl.* rwl -> @{user_share_dirs}/kwalletd/#[0-9]*[0-9],
owner @{user_share_dirs}/kwalletd/*.kwl.* rwl -> @{user_share_dirs}/kwalletd/#@{int},
owner @{user_share_dirs}/kwalletd/*.salt rw,
owner @{user_share_dirs}/kwalletd/#[0-9]*[0-9] rw,
owner @{user_share_dirs}/kwalletd/#@{int} rw,
owner /tmp/kwalletd5.* rw,
owner /tmp/runtime-*/xauth_?????? r,
@ -66,7 +66,7 @@ profile kwalletd5 @{exec_path} {
owner @{PROC}/@{pid}/cmdline r,
owner @{PROC}/@{pid}/fd/ r,
/dev/shm/#[0-9]*[0-9] rw,
/dev/shm/#@{int} rw,
profile gpg {
include <abstractions/base>

12
apparmor.d/groups/kde/kwalletmanager5
View file

@ -37,16 +37,16 @@ profile kwalletmanager5 @{exec_path} {
/var/lib/dbus/machine-id r,
owner @{user_cache_dirs}/icon-cache.kcache rw,
owner @{user_config_dirs}/#@{int} rw,
owner @{user_config_dirs}/qt5ct/{,**} r,
owner @{user_config_dirs}/#@{number} rw,
owner @{user_config_dirs}/kwalletmanager5rc rw,
owner @{user_config_dirs}/kwalletmanager5rc.* rwl -> @{user_config_dirs}/#@{number},
owner @{user_config_dirs}/kwalletmanager5rc.* rwl -> @{user_config_dirs}/#@{int},
owner @{user_config_dirs}/kwalletmanager5rc.lock rwk,
owner @{user_config_dirs}/kwalletrc rw,
owner @{user_config_dirs}/kwalletrc.* rwl -> @{user_config_dirs}/#@{number},
owner @{user_config_dirs}/kwalletrc.* rwl -> @{user_config_dirs}/#@{int},
owner @{user_config_dirs}/kwalletrc.lock rwk,
owner @{user_config_dirs}/session/#[0-9]*[0-9] rw,
owner @{user_config_dirs}/session/kwalletmanager5_* rwl -> @{user_config_dirs}/session/#[0-9]*[0-9],
owner @{user_config_dirs}/session/#@{int} rw,
owner @{user_config_dirs}/session/kwalletmanager5_* rwl -> @{user_config_dirs}/session/#@{int},
owner @{user_config_dirs}/session/kwalletmanager5_*.lock rwk,
owner @{user_config_dirs}/kdeglobals r,
@ -60,7 +60,7 @@ profile kwalletmanager5 @{exec_path} {
@{PROC}/@{pid}/mounts r,
/dev/shm/ r,
/dev/shm/#[0-9]*[0-9] rw,
/dev/shm/#@{int} rw,
include if exists <local/kwalletmanager5>
}

8
apparmor.d/groups/kde/kwin_x11
View file

@ -46,7 +46,7 @@ profile kwin_x11 @{exec_path} {
owner @{HOME}/.Xauthority r,
owner @{user_cache_dirs}/ r,
owner @{user_cache_dirs}/#[0-9]* rw,
owner @{user_cache_dirs}/#@{int} rw,
owner @{user_cache_dirs}/icon-cache.kcache rw,
owner @{user_cache_dirs}/kcrash-metadata/*.ini rw,
owner @{user_cache_dirs}/kwin/{,**} rwl,
@ -55,9 +55,9 @@ profile kwin_x11 @{exec_path} {
owner @{user_cache_dirs}/plasma-svgelements.lock rwk,
owner @{user_cache_dirs}/plasma-svgelements{,.??????} rwl,
owner @{user_cache_dirs}/qtshadercache-*/@{hex} r,
owner @{user_cache_dirs}/session/#[0-9]* rw,
owner @{user_cache_dirs}/session/#@{int} rw,
owner @{user_config_dirs}/#@{number} rw,
owner @{user_config_dirs}/#@{int} rw,
owner @{user_config_dirs}/kcminputrc r,
owner @{user_config_dirs}/kdedefaults/* r,
owner @{user_config_dirs}/kdeglobals r,
@ -68,7 +68,7 @@ profile kwin_x11 @{exec_path} {
owner @{user_config_dirs}/session/kwin_* rwk,
owner @{user_config_dirs}/plasmarc r,
owner /tmp/#[0-9]* rw,
owner /tmp/#@{int} rw,
owner /tmp/kwin.?????? rwl,
owner @{run}/user/@{uid}/kcrash_[0-9]* rw,

4
apparmor.d/groups/kde/plasma-discover
View file

@ -44,7 +44,7 @@ profile plasma-discover @{exec_path} {
/var/tmp/flatpak-cache-*/ rw,
/var/tmp/flatpak-cache-*/** rwkl,
/var/tmp/#[0-9]* rw,
/var/tmp/#@{int} rw,
/var/cache/swcatalog/ rw,
@ -56,7 +56,7 @@ profile plasma-discover @{exec_path} {
owner @{user_cache_dirs}/appstream/ r,
owner @{user_config_dirs}/ r,
owner @{user_config_dirs}/#[0-9]* rwl,
owner @{user_config_dirs}/#@{int} rwl,
owner @{user_config_dirs}/discoverrc rwl,
owner @{user_config_dirs}/discoverrc.lock rwk,
owner @{user_config_dirs}/kde.org/{,**} rwlk,

8
apparmor.d/groups/kde/plasmashell
View file

@ -91,7 +91,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
owner @{user_templates_dirs}/ r,
owner @{user_cache_dirs}/ r,
owner @{user_cache_dirs}/#[0-9]* rwk,
owner @{user_cache_dirs}/#@{int} rwk,
owner @{user_cache_dirs}/event-sound-cache.tdb.@{md5}.x86_64-pc-linux-gnu rwk,
owner @{user_cache_dirs}/icon-cache.kcache rw,
owner @{user_cache_dirs}/ksycoca5_* rl,
@ -102,8 +102,8 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
owner @{user_cache_dirs}/plasma-svgelements* rwl,
owner @{user_cache_dirs}/plasmashell/qmlcache/{,**} rwl,
owner @{user_config_dirs}/#@{int} rwk,
owner @{user_config_dirs}/*kde*.desktop* r,
owner @{user_config_dirs}/#@{number} rwk,
owner @{user_config_dirs}/akonadi-firstrunrc r,
owner @{user_config_dirs}/akonadi/akonadiconnectionrc r,
owner @{user_config_dirs}/baloofilerc r,
@ -128,7 +128,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
owner @{user_config_dirs}/pulse/cookie rwk,
owner @{user_config_dirs}/trashrc r,
owner @{user_share_dirs}/#[0-9]* rw,
owner @{user_share_dirs}/#@{int} rw,
owner @{user_share_dirs}/akonadi/search_db/{,**} r,
owner @{user_share_dirs}/kactivitymanagerd/resources/database rk,
owner @{user_share_dirs}/kactivitymanagerd/resources/database-shm rwk,
@ -145,7 +145,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
owner @{user_share_dirs}/plasma/plasmoids/{,**} r,
owner @{user_share_dirs}/user-places.xbel r,
owner @{run}/user/@{uid}/#[0-9]* rw,
owner @{run}/user/@{uid}/#@{int} rw,
owner @{run}/user/@{uid}/kdesud_:1 w,
owner @{run}/user/@{uid}/plasmashell??????.[0-9].kioworker.socket rwl,
owner @{run}/user/@{uid}/gvfs/ r,

4
apparmor.d/groups/kde/sddm
View file

@ -123,7 +123,7 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) {
/tmp/sddm-* rw,
owner /tmp/*/{,s} rw,
owner /tmp/#[0-9]* rw,
owner /tmp/#@{int} rw,
owner /tmp/sddm-auth* rw,
owner /tmp/xauth_?????? rw,
@ -134,7 +134,7 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) {
@{run}/systemd/sessions/*.ref rw,
@{run}/user/@{uid}/xauth_?????? rwl,
owner @{run}/sddm/ rw,
owner @{run}/user/@{uid}/#[0-9]* rw,
owner @{run}/user/@{uid}/#@{int} rw,
owner @{run}/user/@{uid}/kwallet5.socket rw,
@{PROC}/ r,

4
apparmor.d/groups/kde/sddm-greeter
View file

@ -48,7 +48,7 @@ profile sddm-greeter @{exec_path} {
/var/lib/dbus/machine-id r,
owner /var/lib/sddm/** rw,
owner /var/lib/sddm/#[0-9]*[0-9] mrw,
owner /var/lib/sddm/#@{int} mrw,
owner /var/lib/sddm/.cache/** mrwkl -> /var/lib/sddm/.cache/**,
/var/lib/sddm/state.conf r,
@ -64,7 +64,7 @@ profile sddm-greeter @{exec_path} {
owner @{user_config_dirs}/qt5ct/{,**} r,
# If one is blocked, the others are probed.
deny owner @{HOME}/#[0-9]*[0-9] mrw,
deny owner @{HOME}/#@{int} mrw,
owner @{HOME}/.glvnd* mrw,
owner /tmp/runtime-sddm/ rw,

6
apparmor.d/groups/kde/startplasma-x11
View file

@ -37,12 +37,12 @@ profile startplasma-x11 @{exec_path} {
owner @{HOME}/.Xauthority r,
owner @{user_cache_dirs}/ rw,
owner @{user_cache_dirs}/#[0-9]* rw,
owner @{user_cache_dirs}/#@{int} rw,
owner @{user_cache_dirs}/kcrash-metadata/ rw,
owner @{user_cache_dirs}/ksycoca5_* rwkl,
owner @{user_cache_dirs}/plasma-svgelements rw,
owner @{user_config_dirs}/#@{number} rw,
owner @{user_config_dirs}/#@{int} rw,
owner @{user_config_dirs}/gtkrc rl,
owner @{user_config_dirs}/gtkrc-2.0 rl,
owner @{user_config_dirs}/kcminputrc r,
@ -62,7 +62,7 @@ profile startplasma-x11 @{exec_path} {
owner @{user_share_dirs}/sddm/xorg-session.log rw,
owner /tmp/#[0-9][0-9] rw,
owner /tmp/#@{int} rw,
owner /tmp/startplasma-x11.?????? rwl,
@{run}/user/@{uid}/xauth_* rl,

2
apparmor.d/groups/systemd/journalctl
View file

@ -40,7 +40,7 @@ profile journalctl @{exec_path} flags=(attach_disconnected) {
/{run,var}/log/journal/@{md5}/user-@{hex}.journal* rw,
owner /{run,var}/log/journal/@{md5}/fss wl -> /var/log/journal/@{md5}/fss.tmp.*,
owner /{run,var}/log/journal/@{md5}/fss.tmp.* rw,
owner /var/tmp/#[0-9]* rw,
owner /var/tmp/#@{int} rw,
@{run}/host/container-manager r,
@{run}/systemd/journal/io.systemd.journal rw,

2
apparmor.d/groups/ubuntu/update-notifier
View file

@ -72,7 +72,7 @@ profile update-notifier @{exec_path} {
owner @{run}/user/@{uid}/bus rw,
owner @{run}/user/@{uid}/update-notifier.pid rwk,
owner /tmp/#[0-9]* rw,
owner /tmp/#@{int} rw,
owner @{PROC}/@{pid}/fd/ r,
@{PROC}/@{pids}/mountinfo r,

14
apparmor.d/profiles-a-f/anki
View file

@ -54,10 +54,10 @@ profile anki @{exec_path} {
owner @{HOME}/ r,
owner @{user_cache_dirs}/ rw,
owner @{user_cache_dirs}/qtshadercache/ rw,
owner @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9] rw,
owner @{user_cache_dirs}/qtshadercache/@{hex} rwl -> @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9],
owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9] rw,
owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/@{hex} rwl -> @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9],
owner @{user_cache_dirs}/qtshadercache/#@{int} rw,
owner @{user_cache_dirs}/qtshadercache/@{hex} rwl -> @{user_cache_dirs}/qtshadercache/#@{int},
owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/#@{int} rw,
owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/@{hex} rwl -> @{user_cache_dirs}/qtshadercache-*-little_endian-*/#@{int},
/usr/share/anki/{,**} r,
@ -81,9 +81,9 @@ profile anki @{exec_path} {
owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw,
# If one is blocked, the others are probed.
deny owner @{HOME}/#[0-9]*[0-9] mrw,
deny owner @{HOME}/#@{int} mrw,
owner @{HOME}/.glvnd* mrw,
# owner /tmp/#[0-9]*[0-9] mrw,
# owner /tmp/#@{int} mrw,
# owner /tmp/.glvnd* mrw,
# The /proc/ dir is needed to avoid the following error:
@ -118,7 +118,7 @@ profile anki @{exec_path} {
owner /tmp/mozilla_*/*.apkg r,
owner /dev/shm/.org.chromium.Chromium.* rw,
/dev/shm/#[0-9]*[0-9] rw,
/dev/shm/#@{int} rw,
@{sys}/devices/pci[0-9]*/**/irq r,
@{sys}/devices/pci[0-9]*/**/{vendor,device} r,

6
apparmor.d/profiles-a-f/birdtray
View file

@ -37,8 +37,8 @@ profile birdtray @{exec_path} {
owner @{user_config_dirs}/ulduzsoft/ rw,
owner @{user_config_dirs}/ulduzsoft/* rwkl -> /home/morfik/.config/ulduzsoft/*,
owner @{user_config_dirs}/birdtray-config.json rwl -> @{user_config_dirs}/#@{number},
owner @{user_config_dirs}/birdtray-config.json.* rwl -> @{user_config_dirs}/#@{number},
owner @{user_config_dirs}/birdtray-config.json rwl -> @{user_config_dirs}/#@{int},
owner @{user_config_dirs}/birdtray-config.json.* rwl -> @{user_config_dirs}/#@{int},
owner /tmp/birdtray.ulduzsoft.single.instance.server.socket w,
@ -56,7 +56,7 @@ profile birdtray @{exec_path} {
/usr/share/hwdata/pnp.ids r,
/dev/shm/#[0-9]*[0-9] rw,
/dev/shm/#@{int} rw,
deny @{PROC}/sys/kernel/random/boot_id r,
deny owner @{PROC}/@{pid}/cmdline r,

2
apparmor.d/profiles-a-f/conky
View file

@ -124,7 +124,7 @@ profile conky @{exec_path} {
# Xserver auth cookie for clients
owner @{HOME}/.Xauthority r,
/dev/shm/#[0-9]*[0-9] rw,
/dev/shm/#@{int} rw,
# Temperatures and Fans
@{bin}/sensors rPUx,

2
apparmor.d/profiles-a-f/exim4
View file

@ -71,7 +71,7 @@ profile exim4 @{exec_path} {
owner @{run}/dbus/system_bus_socket rw,
# file_inherit
/tmp/#[0-9]*[0-9] rw,
/tmp/#@{int} rw,
/var/lib/dpkg/status r,
/var/log/cron-apt/lastfullmessage r,

4
apparmor.d/profiles-a-f/flatpak-system-helper
View file

@ -41,7 +41,7 @@ profile flatpak-system-helper @{exec_path} {
/var/lib/flatpak/{,**} rwkl,
/var/tmp/flatpak-cache-*/{,**} rw,
owner /{var/,}tmp/#[0-9]* rw,
owner /{var/,}tmp/#@{int} rw,
owner /{var/,}tmp/ostree-gpg-*/ rw,
owner /tmp/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**,
@ -66,4 +66,4 @@ profile flatpak-system-helper @{exec_path} {
}
include if exists <local/flatpak-system-helper>
}
}

2
apparmor.d/profiles-g-l/hardinfo
View file

@ -109,7 +109,7 @@ profile hardinfo @{exec_path} {
owner @{HOME}/.hardinfo/ rw,
owner /tmp/#[0-9]*[0-9] rw,
owner /tmp/#@{int} rw,
# Allowed apps to open
@{lib}/firefox/firefox rPUx,

4
apparmor.d/profiles-g-l/ioping
View file

@ -23,9 +23,9 @@ profile ioping @{exec_path} {
# case of files, this write operation can damage files, so we allow only to read the files. When
# pinging dirs, a file similar to "#1573619" is created in that dir, so it's allowed as well.
/ rw,
/#[0-9]*[0-9] rw,
/#@{int} rw,
/**/ rw,
/**/#[0-9]*[0-9] rw,
/**/#@{int} rw,
# Allow pinging files, but without write operation. Like in the case of dirs, when pinging dirs
# there's also created the file similar to "#1573619" .

2
apparmor.d/profiles-g-l/jmtpfs
View file

@ -18,7 +18,7 @@ profile jmtpfs @{exec_path} {
@{bin}/fusermount{,3} rCx -> fusermount,
owner /tmp/tmp* rw,
owner /tmp/#[0-9]* rw,
owner /tmp/#@{int} rw,
# Mount points
owner @{HOME}/*/ r,

2
apparmor.d/profiles-g-l/kanyremote
View file

@ -67,7 +67,7 @@ profile kanyremote @{exec_path} {
deny owner @{PROC}/@{pid}/cmdline r,
deny @{PROC}/sys/kernel/random/boot_id r,
/dev/shm/#[0-9]*[0-9] rw,
/dev/shm/#@{int} rw,
/usr/share/hwdata/pnp.ids r,

16
apparmor.d/profiles-g-l/keepassxc
View file

@ -65,18 +65,18 @@ profile keepassxc @{exec_path} {
# Database locations
owner @{user_cache_dirs}/keepassxc/ rw,
owner @{user_cache_dirs}/keepassxc/* rwkl -> @{user_cache_dirs}/keepassxc/#[0-9]*[0-9],
owner @{user_cache_dirs}/keepassxc/* rwkl -> @{user_cache_dirs}/keepassxc/#@{int},
owner @{user_config_dirs}/keepassxc/ rw,
owner @{user_config_dirs}/keepassxc/* rwkl -> @{user_config_dirs}/keepassxc/#[0-9]*[0-9],
owner @{user_config_dirs}/keepassxc/* rwkl -> @{user_config_dirs}/keepassxc/#@{int},
owner @{user_password_store_dirs}/ r,
owner @{user_password_store_dirs}/*.csv rw,
owner @{user_password_store_dirs}/*.kdbx* rwl -> @{KP_DB}/#[0-9]*[0-9],
owner @{user_password_store_dirs}/#[0-9]*[0-9] rw,
owner @{user_password_store_dirs}/*.kdbx* rwl -> @{KP_DB}/#@{int},
owner @{user_password_store_dirs}/#@{int} rw,
owner /tmp/.[a-zA-Z]*/{,s} rw,
owner /tmp/*.*.gpgkey rwl -> /tmp/#[0-9]*[0-9],
owner /tmp/*.*.settings rwl -> /tmp/#[0-9]*[0-9],
owner /tmp/#[0-9]*[0-9] rw,
owner /tmp/*.*.gpgkey rwl -> /tmp/#@{int},
owner /tmp/*.*.settings rwl -> /tmp/#@{int},
owner /tmp/#@{int} rw,
owner /tmp/keepassxc-*.lock{,.rmlock} rwk,
owner /tmp/keepassxc-*.socket rw,
owner /tmp/keepassxc.lock rw,
@ -97,7 +97,7 @@ profile keepassxc @{exec_path} {
owner @{run}/user/@{uid}/org.keepassxc.KeePassXC.BrowserServer w,
owner @{run}/user/@{uid}/org.keepassxc.KeePassXC/ w,
/dev/shm/#[0-9]*[0-9] rw,
/dev/shm/#@{int} rw,
/dev/tty rw,
/dev/urandom rw,
owner /dev/tty[0-9]* rw,

8
apparmor.d/profiles-m-r/megasync
View file

@ -44,7 +44,7 @@ profile megasync @{exec_path} {
# Megasync home files
owner @{HOME}/ r,
owner "@{user_share_dirs}/data/Mega Limited/" rw,
owner "@{user_share_dirs}/data/Mega Limited/**" rwkl -> "@{user_share_dirs}/data/Mega Limited/MEGAsync/#[0-9]*[0-9]",
owner "@{user_share_dirs}/data/Mega Limited/**" rwkl -> "@{user_share_dirs}/data/Mega Limited/MEGAsync/#@{int}",
# To configure Qt5 settings (theme, font, icons, etc.) under DE/WM without Qt integration
owner @{user_config_dirs}/qt5ct/{,**} r,
@ -65,10 +65,10 @@ profile megasync @{exec_path} {
/etc/fstab r,
# Autostart
owner @{user_config_dirs}/autostart/#[0-9]*[0-9] rw,
owner @{user_config_dirs}/autostart/megasync.desktop rwl -> @{user_config_dirs}/autostart/#[0-9]*[0-9],
owner @{user_config_dirs}/autostart/#@{int} rw,
owner @{user_config_dirs}/autostart/megasync.desktop rwl -> @{user_config_dirs}/autostart/#@{int},
/dev/shm/#[0-9]*[0-9] rw,
/dev/shm/#@{int} rw,
/etc/machine-id r,
/var/lib/dbus/machine-id r,

16
apparmor.d/profiles-m-r/minitube
View file

@ -35,7 +35,7 @@ profile minitube @{exec_path} {
# Minitube home files
owner "@{user_config_dirs}/Flavio Tordini/" rw,
owner "@{user_config_dirs}/Flavio Tordini/*" rwkl -> "@{user_config_dirs}/Flavio Tordini/#[0-9]*[0-9]",
owner "@{user_config_dirs}/Flavio Tordini/*" rwkl -> "@{user_config_dirs}/Flavio Tordini/#@{int}",
owner "@{user_share_dirs}/Flavio Tordini/" rw,
owner "@{user_share_dirs}/Flavio Tordini/Minitube/" rw,
owner "@{user_share_dirs}/Flavio Tordini/Minitube/*" rwk,
@ -47,9 +47,9 @@ profile minitube @{exec_path} {
/usr/share/minitube/{,**} r,
# If one is blocked, the others are probed.
deny owner @{HOME}/#[0-9]*[0-9] mrw,
deny owner @{HOME}/#@{int} mrw,
owner @{HOME}/.glvnd* mrw,
# owner /tmp/#[0-9]*[0-9] mrw,
# owner /tmp/#@{int} mrw,
# owner /tmp/.glvnd* mrw,
# Cache
@ -59,17 +59,17 @@ profile minitube @{exec_path} {
owner "@{user_cache_dirs}/Flavio Tordini/Minitube/**" rwl -> "@{user_cache_dirs}/Flavio Tordini/Minitube/**",
owner @{user_cache_dirs}/qtshadercache/ rw,
owner @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9] rw,
owner @{user_cache_dirs}/qtshadercache/@{hex} rwl -> @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9],
owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9] rw,
owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/@{hex} rwl -> @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9],
owner @{user_cache_dirs}/qtshadercache/#@{int} rw,
owner @{user_cache_dirs}/qtshadercache/@{hex} rwl -> @{user_cache_dirs}/qtshadercache/#@{int},
owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/#@{int} rw,
owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/@{hex} rwl -> @{user_cache_dirs}/qtshadercache-*-little_endian-*/#@{int},
# To configure Qt5 settings (theme, font, icons, etc.) under DE/WM without Qt integration
owner @{user_config_dirs}/qt5ct/{,**} r,
/usr/share/qt5ct/** r,
deny /dev/ r,
/dev/shm/#[0-9]*[0-9] rw,
/dev/shm/#@{int} rw,
/etc/vdpau_wrapper.cfg r,

12
apparmor.d/profiles-m-r/mkvtoolnix-gui
View file

@ -43,7 +43,7 @@ profile mkvtoolnix-gui @{exec_path} {
owner @{user_config_dirs}/bunkus.org/ rw,
owner @{user_config_dirs}/bunkus.org/mkvtoolnix-gui/ rw,
owner @{user_config_dirs}/bunkus.org/mkvtoolnix-gui/** rwkl -> @{user_config_dirs}/bunkus.org/mkvtoolnix-gui/#[0-9]*[0-9],
owner @{user_config_dirs}/bunkus.org/mkvtoolnix-gui/** rwkl -> @{user_config_dirs}/bunkus.org/mkvtoolnix-gui/#@{int},
owner @{user_cache_dirs}/ rw,
owner @{user_cache_dirs}/bunkus.org/ rw,
@ -53,12 +53,12 @@ profile mkvtoolnix-gui @{exec_path} {
owner @{user_config_dirs}/qt5ct/{,**} r,
owner /tmp/#[0-9]*[0-9] rw,
owner /tmp/MKVToolNix-GUI-MuxConfig-* rwl -> /tmp/#[0-9]*[0-9],
owner /tmp/MKVToolNix-process-*.json rwl -> /tmp/#[0-9]*[0-9],
owner /tmp/MKVToolNix-GUI-MuxJob-*.json rwl -> /tmp/#[0-9]*[0-9],
owner /tmp/#@{int} rw,
owner /tmp/MKVToolNix-GUI-MuxConfig-* rwl -> /tmp/#@{int},
owner /tmp/MKVToolNix-process-*.json rwl -> /tmp/#@{int},
owner /tmp/MKVToolNix-GUI-MuxJob-*.json rwl -> /tmp/#@{int},
owner /tmp/MKVToolNix-GUI-Instance-Communicator-* rw,
owner /dev/shm/#[0-9]*[0-9] rw,
owner /dev/shm/#@{int} rw,
deny owner @{PROC}/@{pid}/cmdline r,
deny @{PROC}/sys/kernel/random/boot_id r,

6
apparmor.d/profiles-m-r/mumble
View file

@ -40,7 +40,7 @@ profile mumble @{exec_path} {
# Mumble home files
owner @{HOME}/ r,
owner @{user_config_dirs}/Mumble/ rw,
owner @{user_config_dirs}/Mumble/** rwkl -> @{user_config_dirs}/Mumble/#[0-9]*[0-9],
owner @{user_config_dirs}/Mumble/** rwkl -> @{user_config_dirs}/Mumble/#@{int},
owner @{user_share_dirs}/Mumble/ rw,
owner @{user_share_dirs}/Mumble/** rwk,
owner @{HOME}/.MumbleOverlayPipe rw,
@ -51,8 +51,8 @@ profile mumble @{exec_path} {
/etc/machine-id r,
/var/lib/dbus/machine-id r,
/dev/shm/MumbleLink.[0-9]*[0-9] rw,
/dev/shm/#[0-9]*[0-9] rw,
/dev/shm/MumbleLink.@{int} rw,
/dev/shm/#@{int} rw,
owner @{run}/user/@{uid}/MumbleSocket rw,
owner @{run}/user/@{uid}/MumbleOverlayPipe rw,

4
apparmor.d/profiles-m-r/pinentry-qt
View file

@ -27,12 +27,12 @@ profile pinentry-qt @{exec_path} {
owner @{user_config_dirs}/qt5ct/{,**} r,
/usr/share/qt5ct/** r,
owner @{user_cache_dirs}/#[0-9]*[0-9] rw,
owner @{user_cache_dirs}/#@{int} rw,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
/dev/shm/#[0-9]*[0-9] rw,
/dev/shm/#@{int} rw,
/usr/share/hwdata/pnp.ids r,

4
apparmor.d/profiles-m-r/plocate-build
View file

@ -14,8 +14,8 @@ profile plocate-build @{exec_path} {
/var/lib/mlocate/mlocate.db r,
/var/lib/mlocate/#[0-9]* rw,
/var/lib/mlocate/plocate.db rwl -> /var/lib/mlocate/#[0-9]*,
/var/lib/mlocate/#@{int} rw,
/var/lib/mlocate/plocate.db rwl -> /var/lib/mlocate/#@{int},
include if exists <local/plocate-build>
}

2
apparmor.d/profiles-m-r/popularity-contest
View file

@ -54,7 +54,7 @@ profile popularity-contest @{exec_path} {
/var/lib/ r,
# file_inherit
/tmp/#[0-9]*[0-9] rw,
/tmp/#@{int} rw,
/var/log/popularity-contest.[0-9]* w,
include if exists <local/popularity-contest>

10
apparmor.d/profiles-m-r/psi
View file

@ -56,17 +56,17 @@ profile psi @{exec_path} {
owner @{HOME}/ r,
owner @{user_cache_dirs}/ rw,
owner @{user_cache_dirs}/#[0-9]*[0-9] rw,
owner @{user_cache_dirs}/#@{int} rw,
owner @{user_cache_dirs}/psi/{,**} rw,
owner @{user_config_dirs}/autostart/psi.desktop rw,
owner @{user_config_dirs}/psi/ rw,
owner @{user_config_dirs}/psi/** rwkl -> @{user_config_dirs}/psi/#[0-9]*[0-9],
owner @{user_config_dirs}/psi/** rwkl -> @{user_config_dirs}/psi/#@{int},
owner @{user_config_dirs}/qt5ct/{,**} r,
owner @{user_share_dirs}/psi/ rw,
owner @{user_share_dirs}/psi/** rwk,
owner /tmp/#[0-9]*[0-9] rw,
owner /tmp/Psi.* rwl -> /tmp/#[0-9]*[0-9],
owner /tmp/#@{int} rw,
owner /tmp/Psi.* rwl -> /tmp/#@{int},
@{run}/systemd/inhibit/[0-9]*.ref rw,
@ -75,7 +75,7 @@ profile psi @{exec_path} {
deny @{PROC}/sys/kernel/random/boot_id r,
deny owner @{PROC}/@{pid}/cmdline r,
/dev/shm/#[0-9]*[0-9] rw,
/dev/shm/#@{int} rw,
# file_inherit
owner /dev/tty[0-9]* rw,

10
apparmor.d/profiles-m-r/psi-plus
View file

@ -54,17 +54,17 @@ profile psi-plus @{exec_path} {
owner @{HOME}/ r,
owner @{user_cache_dirs}/ rw,
owner @{user_cache_dirs}/#[0-9]*[0-9] rw,
owner @{user_cache_dirs}/#@{int} rw,
owner @{user_cache_dirs}/psi+/{,**} rw,
owner @{user_config_dirs}/autostart/psi-plus.desktop rw,
owner @{user_config_dirs}/psi+/ rw,
owner @{user_config_dirs}/psi+/** rwkl -> @{user_config_dirs}/psi+/#[0-9]*[0-9],
owner @{user_config_dirs}/psi+/** rwkl -> @{user_config_dirs}/psi+/#@{int},
owner @{user_config_dirs}/qt5ct/{,**} r,
owner @{user_share_dirs}/psi+/ rw,
owner @{user_share_dirs}/psi+/** rwk,
owner /tmp/#[0-9]*[0-9] rw,
owner /tmp/Psi+.* rwl -> /tmp/#[0-9]*[0-9],
owner /tmp/#@{int} rw,
owner /tmp/Psi+.* rwl -> /tmp/#@{int},
owner /var/tmp/etilqs_@{hex} rw,
@{run}/systemd/inhibit/[0-9]*.ref rw,
@ -74,7 +74,7 @@ profile psi-plus @{exec_path} {
deny @{PROC}/sys/kernel/random/boot_id r,
deny owner @{PROC}/@{pid}/cmdline r,
/dev/shm/#[0-9]*[0-9] rw,
/dev/shm/#@{int} rw,
# file_inherit
owner /dev/tty[0-9]* rw,

12
apparmor.d/profiles-m-r/qbittorrent
View file

@ -115,16 +115,16 @@ profile qbittorrent @{exec_path} {
# Qbittorrent home dirs
owner @{user_config_dirs}/qBittorrent/ rw,
owner @{user_config_dirs}/qBittorrent/** rwkl -> @{user_config_dirs}/qBittorrent/#[0-9]*[0-9],
owner @{user_config_dirs}/qBittorrent/** rwkl -> @{user_config_dirs}/qBittorrent/#@{int},
owner @{user_share_dirs}/data/ rw,
owner @{user_share_dirs}/{,data/}qBittorrent/ rw,
owner @{user_share_dirs}/{,data/}qBittorrent/** rwl -> @{user_share_dirs}/{,data/}qBittorrent/**/#[0-9]*[0-9],
owner @{user_share_dirs}/{,data/}qBittorrent/** rwl -> @{user_share_dirs}/{,data/}qBittorrent/**/#@{int},
# Old dir, not recommended to use:
# deny owner @{user_share_dirs}/data/qBittorrent/ rw,
# Cache dir
owner @{user_cache_dirs}/ rw,
owner @{user_cache_dirs}/#[0-9]*[0-9] rw,
owner @{user_cache_dirs}/#@{int} rw,
owner @{user_cache_dirs}/qBittorrent/{,**} rw,
# To configure Qt5 settings (theme, font, icons, etc.) under DE/WM without Qt integration
@ -140,7 +140,7 @@ profile qbittorrent @{exec_path} {
/dev/disk/by-label/ r,
/dev/shm/#[0-9]*[0-9] rw,
/dev/shm/#@{int} rw,
owner @{PROC}/@{pids}/fd/ r,
deny owner @{PROC}/@{pids}/cmdline r,
@ -260,11 +260,11 @@ profile qbittorrent @{exec_path} {
owner @{user_share_dirs}/{,data/}qBittorrent/nova[0-9]/{,**} rw,
# Used while searching for torrents
owner /dev/shm/sem.mp-* rwl -> /dev/shm/[0-9]*[0-9],
owner /dev/shm/sem.mp-* rwl -> /dev/shm/@{int},
owner /dev/shm/* rw,
# To load/add torrents from the search engine
owner /tmp/[0-9]*[0-9] rw,
owner /tmp/@{int} rw,
owner /tmp/tmp* rw,
# file_inherit

8
apparmor.d/profiles-m-r/qbittorrent-nox
View file

@ -24,15 +24,15 @@ profile qbittorrent-nox @{exec_path} {
# Qbittorrent home dirs
owner @{user_config_dirs}/qBittorrent/ rw,
owner @{user_config_dirs}/qBittorrent/** rwkl -> @{user_config_dirs}/qBittorrent/#[0-9]*[0-9],
owner @{user_config_dirs}/qBittorrent/** rwkl -> @{user_config_dirs}/qBittorrent/#@{int},
owner @{user_share_dirs}/qBittorrent/ rw,
owner @{user_share_dirs}/qBittorrent/** rwl -> @{user_share_dirs}/data/qBittorrent/**/#[0-9]*[0-9],
owner @{user_share_dirs}/qBittorrent/** rwl -> @{user_share_dirs}/data/qBittorrent/**/#@{int},
# Old dir, not recommended to use:
deny owner @{user_share_dirs}/data/qBittorrent/ rw,
# Cache dir
owner @{user_cache_dirs}/ rw,
owner @{user_cache_dirs}/#[0-9]*[0-9] rw,
owner @{user_cache_dirs}/#@{int} rw,
owner @{user_cache_dirs}/qBittorrent/{,**} rw,
# Torrent files
@ -41,7 +41,7 @@ profile qbittorrent-nox @{exec_path} {
/dev/disk/by-label/ r,
/dev/shm/#[0-9]*[0-9] rw,
/dev/shm/#@{int} rw,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/mounts r,

14
apparmor.d/profiles-m-r/qnapi
View file

@ -57,8 +57,8 @@ profile qnapi @{exec_path} {
owner @{user_config_dirs}/qnapi.ini rw,
owner @{user_config_dirs}/qnapi.ini.lock rwk,
owner @{user_config_dirs}/qnapi.ini.* rwl -> @{user_config_dirs}/#@{number},
owner @{user_config_dirs}/qnapi.ini.mlXXXY rwl -> @{user_config_dirs}/#@{number},
owner @{user_config_dirs}/qnapi.ini.* rwl -> @{user_config_dirs}/#@{int},
owner @{user_config_dirs}/qnapi.ini.mlXXXY rwl -> @{user_config_dirs}/#@{int},
owner @{user_config_dirs}/qt5ct/{,**} r,
owner @{user_cache_dirs}/ rw,
@ -66,15 +66,15 @@ profile qnapi @{exec_path} {
/tmp/ r,
owner /tmp/@{hex}.* rw,
owner /tmp/** rw,
owner /tmp/#[0-9]*[0-9] rw,
owner /tmp/QNapi-*-rc wl -> /tmp/#[0-9]*[0-9],
owner /tmp/#@{int} rw,
owner /tmp/QNapi-*-rc wl -> /tmp/#@{int},
owner /tmp/QNapi-*-rc.lock rwk,
owner /tmp/QNapi.[0-9]*.tmp rw,
owner /tmp/QNapi.[0-9]*.tmp.* rw,
owner /tmp/QNapi.[0-9]*.tmp.* rwl -> /tmp/#[0-9]*[0-9],
owner /tmp/QNapi.[0-9]*[0-9] rw,
owner /tmp/QNapi.[0-9]*.tmp.* rwl -> /tmp/#@{int},
owner /tmp/QNapi.@{int} rw,
owner /dev/shm/#[0-9]*[0-9] rw,
owner /dev/shm/#@{int} rw,
deny owner @{PROC}/@{pid}/cmdline r,
owner @{PROC}/@{pid}/mountinfo r,

8
apparmor.d/profiles-m-r/qpdfview
View file

@ -50,17 +50,17 @@ profile qpdfview @{exec_path} {
owner @{user_work_dirs}/{,**} rw,
owner @{user_config_dirs}/qpdfview/ rw,
owner @{user_config_dirs}/qpdfview/* rwkl -> @{user_config_dirs}/qpdfview/#[0-9]*[0-9],
owner @{user_config_dirs}/qpdfview/* rwkl -> @{user_config_dirs}/qpdfview/#@{int},
owner @{user_share_dirs}/qpdfview/ rw,
owner @{user_share_dirs}/qpdfview/** rwk,
owner @{user_config_dirs}/qt5ct/{,**} r,
owner /dev/shm/#[0-9]*[0-9] rw,
owner /dev/shm/#@{int} rw,
owner /tmp/@{hex} rw,
owner /tmp/#[0-9]*[0-9] rw,
owner /tmp/qpdfview.*.pdf rwl -> /tmp/#[0-9]*[0-9],
owner /tmp/#@{int} rw,
owner /tmp/qpdfview.*.pdf rwl -> /tmp/#@{int},
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/mounts r,

6
apparmor.d/profiles-m-r/qt5ct
View file

@ -23,11 +23,11 @@ profile qt5ct @{exec_path} {
@{exec_path} mr,
owner @{user_config_dirs}/qt5ct/ rw,
owner @{user_config_dirs}/qt5ct/** rwkl -> @{user_config_dirs}/qt5ct/#[0-9]*[0-9],
owner @{user_config_dirs}/qt5ct/** rwkl -> @{user_config_dirs}/qt5ct/#@{int},
owner @{user_config_dirs}/fontconfig/ rw,
owner @{user_config_dirs}/fontconfig/** rw,
owner @{user_config_dirs}/fontconfig/fonts.conf.back rwl -> @{user_config_dirs}/fontconfig/#[0-9]*[0-9],
owner @{user_config_dirs}/fontconfig/fonts.conf.back rwl -> @{user_config_dirs}/fontconfig/#@{int},
owner @{user_config_dirs}/kdeglobals r,
@ -48,7 +48,7 @@ profile qt5ct @{exec_path} {
/usr/share/hwdata/pnp.ids r,
/dev/shm/#[0-9]*[0-9] rw,
/dev/shm/#@{int} rw,
include if exists <local/qt5ct>
}

2
apparmor.d/profiles-m-r/quiterss
View file

@ -63,7 +63,7 @@ profile quiterss @{exec_path} {
/usr/share/hwdata/pnp.ids r,
/dev/shm/#[0-9]*[0-9] rw,
/dev/shm/#@{int} rw,
owner /tmp/qtsingleapp-quiter-[0-9]*-[0-9]* rw,
owner /tmp/qtsingleapp-quiter-[0-9]*-[0-9]*-lockfile rwk,

2
apparmor.d/profiles-m-r/redshift
View file

@ -17,7 +17,7 @@ profile redshift @{exec_path} {
dbus send
bus=system
path=/org/freedesktop/GeoClue2/Client/[0-9]*[0-9],
path=/org/freedesktop/GeoClue2/Client/@{int},
dbus receive
bus=system

8
apparmor.d/profiles-m-r/rpi-imager
View file

@ -54,11 +54,11 @@ profile rpi-imager @{exec_path} {
owner "@{user_cache_dirs}/Raspberry Pi/**" rwl -> "@{user_cache_dirs}/Raspberry Pi/**",
owner "@{user_config_dirs}/Raspberry Pi/{,**}" rw,
owner @{user_cache_dirs}/ rw,
owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/@{hex} rwl -> @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9],
owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9] rw,
owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/@{hex} rwl -> @{user_cache_dirs}/qtshadercache-*-little_endian-*/#@{int},
owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/#@{int} rw,
owner @{user_cache_dirs}/qtshadercache/ rw,
owner @{user_cache_dirs}/qtshadercache/@{hex} rwl -> @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9],
owner @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9] rw,
owner @{user_cache_dirs}/qtshadercache/@{hex} rwl -> @{user_cache_dirs}/qtshadercache/#@{int},
owner @{user_cache_dirs}/qtshadercache/#@{int} rw,
owner @{user_config_dirs}/qt5ct/{,**} r,
owner @{user_config_dirs}/QtProject.conf r,

2
apparmor.d/profiles-m-r/run-parts
View file

@ -129,7 +129,7 @@ profile run-parts @{exec_path} {
/etc/kernel/prerm.d/ r,
/etc/kernel/prerm.d/dkms rCx -> kernel,
owner /tmp/#@{number} rw,
owner /tmp/#@{int} rw,
owner /tmp/$anacron* rw,
owner @{sys}/class/power_supply/ r,

2
apparmor.d/profiles-s-z/scrcpy
View file

@ -32,7 +32,7 @@ profile scrcpy @{exec_path} {
/var/lib/dbus/machine-id r,
owner @{user_config_dirs}/ibus/bus/ r,
owner @{user_config_dirs}/ibus/bus/@{md5}-unix-{,wayland-}@{number} r,
owner @{user_config_dirs}/ibus/bus/@{md5}-unix-{,wayland-}@{int} r,
include if exists <local/scrcpy>
}

2
apparmor.d/profiles-s-z/scrot
View file

@ -22,7 +22,7 @@ profile scrot @{exec_path} {
owner @{HOME}/.Xauthority r,
/dev/shm/#[0-9]*[0-9] rw,
/dev/shm/#@{int} rw,
owner @{HOME}/.icons/default/index.theme r,
/usr/share/icons/*/index.theme r,

6
apparmor.d/profiles-s-z/smplayer
View file

@ -61,10 +61,10 @@ profile smplayer @{exec_path} {
owner @{user_videos_dirs}/{,**} rw,
owner @{user_config_dirs}/smplayer/ rw,
owner @{user_config_dirs}/smplayer/* rwkl -> @{user_config_dirs}/smplayer/#[0-9]*[0-9],
owner @{user_config_dirs}/smplayer/* rwkl -> @{user_config_dirs}/smplayer/#@{int},
owner @{user_config_dirs}/qt5ct/{,**} r,
owner @{user_cache_dirs}/#[0-9]*[0-9] rw,
owner @{user_cache_dirs}/#@{int} rw,
owner /tmp/qtsingleapp-smplay-* rw,
owner /tmp/qtsingleapp-smplay-*-lockfile rwk,
@ -75,7 +75,7 @@ profile smplayer @{exec_path} {
owner @{run}/user/@{uid}/gvfs/smb-share:server=*,share=**/ r,
owner @{run}/user/@{uid}/gvfs/smb-share:server=*,share=** r,
owner /dev/shm/#[0-9]*[0-9] rw,
owner /dev/shm/#@{int} rw,
deny owner @{PROC}/@{pid}/stat r,
deny owner @{PROC}/@{pid}/cmdline r,

8
apparmor.d/profiles-s-z/smtube
View file

@ -33,15 +33,15 @@ profile smtube @{exec_path} {
# SMTube config files
owner @{user_config_dirs}/smtube/ rw,
owner @{user_config_dirs}/smtube/* rwkl -> @{user_config_dirs}/smtube/#[0-9]*[0-9],
owner @{user_config_dirs}/smtube/* rwkl -> @{user_config_dirs}/smtube/#@{int},
# Needed for updating YT code
owner @{user_config_dirs}/smplayer/yt.js rw,
owner @{user_config_dirs}/smplayer/#[0-9]*[0-9] rw,
owner @{user_config_dirs}/smplayer/#@{int} rw,
owner @{user_config_dirs}/smplayer/hdpi.ini rw,
owner @{user_config_dirs}/smplayer/hdpi.ini.lock rwk,
owner @{user_config_dirs}/smplayer/hdpi.ini.* rwl -> @{user_config_dirs}/smplayer/#[0-9]*[0-9],
owner @{user_config_dirs}/smplayer/hdpi.ini.* rwl -> @{user_config_dirs}/smplayer/#@{int},
# To configure Qt5 settings (theme, font, icons, etc.) under DE/WM without Qt integration
owner @{user_config_dirs}/qt5ct/{,**} r,
@ -57,7 +57,7 @@ profile smtube @{exec_path} {
/usr/share/hwdata/pnp.ids r,
/dev/shm/#[0-9]*[0-9] rw,
/dev/shm/#@{int} rw,
deny owner @{PROC}/@{pid}/cmdline r,
owner @{PROC}/@{pid}/fd/ r,

2
apparmor.d/profiles-s-z/steam
View file

@ -148,7 +148,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted,complain)
owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* rw,
owner @{run}/user/@{uid}/gdm/Xauthority r,
owner /dev/shm/#[0-9]* rw,
owner /dev/shm/#@{int} rw,
owner /dev/shm/fossilize-*-[0-9]*-[0-9]* rw,
owner /dev/shm/u@{uid}-Shm_@{hex} rw,
owner /dev/shm/u@{uid}-ValveIPCSharedObj-Steam rwk,

2
apparmor.d/profiles-s-z/steam-game
View file

@ -177,7 +177,7 @@ profile steam-game @{exec_path} flags=(attach_disconnected) {
owner @{run}/user/@{uid}/gdm/Xauthority r,
owner @{run}/user/@{uid}/orcexec.* mrw, # gstreamer
owner /dev/shm/#[0-9]* rw,
owner /dev/shm/#@{int} rw,
owner /dev/shm/mono.* rw,
owner /dev/shm/u@{uid}-Shm_@{hex} rw,
owner /dev/shm/u@{uid}-ValveIPCSharedObj-Steam rwk,

10
apparmor.d/profiles-s-z/strawberry
View file

@ -53,14 +53,14 @@ profile strawberry @{exec_path} {
owner @{HOME}/ r,
owner @{user_config_dirs}/strawberry/ rw,
owner @{user_config_dirs}/strawberry/* rwkl -> @{user_config_dirs}/strawberry/#[0-9]*[0-9],
owner @{user_config_dirs}/strawberry/* rwkl -> @{user_config_dirs}/strawberry/#@{int},
owner @{user_share_dirs}/strawberry/ rw,
owner @{user_share_dirs}/strawberry/** rwk,
owner @{user_cache_dirs}/ rw,
owner @{user_cache_dirs}/strawberry/ rw,
owner @{user_cache_dirs}/strawberry/** rwl -> @{user_cache_dirs}/strawberry/networkcache/prepared/#[0-9]*[0-9],
owner @{user_cache_dirs}/strawberry/** rwl -> @{user_cache_dirs}/strawberry/networkcache/prepared/#@{int},
owner @{user_cache_dirs}/xine-lib/ rw,
owner @{user_cache_dirs}/xine-lib/plugins.cache{,.new} rw,
@ -78,15 +78,15 @@ profile strawberry @{exec_path} {
/etc/fstab r,
/dev/shm/#[0-9]*[0-9] rw,
/dev/shm/#@{int} rw,
/dev/sr[0-9]* r,
owner /tmp/qipc_{systemsem,sharedmemory}_*[a-f0-9]* rw,
owner /tmp/.*/ rw,
owner /tmp/.*/s rw,
owner /tmp/strawberry*[0-9] w,
owner /tmp/strawberry-cover-*.jpg rwl -> /tmp/#[0-9]*[0-9],
owner /tmp/#[0-9]*[0-9] rw,
owner /tmp/strawberry-cover-*.jpg rwl -> /tmp/#@{int},
owner /tmp/#@{int} rw,
owner /tmp/*= w,
owner /var/tmp/etilqs_@{hex} rw,

2
apparmor.d/profiles-s-z/tint2
View file

@ -50,7 +50,7 @@ profile tint2 @{exec_path} {
@{sys}/fs/cgroup/{,**} r,
/dev/shm/#[0-9]*[0-9] rw,
/dev/shm/#@{int} rw,
owner @{PROC}/@{pid}/cgroup r,
owner @{PROC}/@{pid}/mountinfo r,

4
apparmor.d/profiles-s-z/updatedb.plocate
View file

@ -26,8 +26,8 @@ profile updatedb.plocate @{exec_path} {
owner @{PROC}/@{pid}/mounts r,
/var/lib/plocate/plocate.db rw,
/var/lib/plocate/#[0-9]* rw,
/var/lib/plocate/plocate.db rwl -> /var/lib/plocate/#[0-9]*,
/var/lib/plocate/#@{int} rw,
/var/lib/plocate/plocate.db rwl -> /var/lib/plocate/#@{int},
/ r,
/**/ r,

4
apparmor.d/profiles-s-z/usbguard-applet-qt
View file

@ -25,9 +25,9 @@ profile usbguard-applet-qt @{exec_path} {
@{exec_path} mr,
owner @{user_config_dirs}/USBGuard/ rw,
owner @{user_config_dirs}/USBGuard/* rwkl -> @{user_config_dirs}/USBGuard/#[0-9]*[0-9],
owner @{user_config_dirs}/USBGuard/* rwkl -> @{user_config_dirs}/USBGuard/#@{int},
/dev/shm/#[0-9]*[0-9] rw,
/dev/shm/#@{int} rw,
/dev/shm/qb-usbguard-{request,response,event}-[0-9]*-[0-9]*-[0-9]*-{header,data} rw,
/dev/shm/qb-[0-9]*-[0-9]*-[0-9]*-*/qb-{request,response,event}-usbguard-{header,data} rw,

16
apparmor.d/profiles-s-z/vidcutter
View file

@ -57,14 +57,14 @@ profile vidcutter @{exec_path} {
owner @{user_videos_dirs}/{,**} rw,
owner @{user_config_dirs}/vidcutter/ rw,
owner @{user_config_dirs}/vidcutter/* rwkl -> @{user_config_dirs}/vidcutter/#[0-9]*[0-9],
owner @{user_config_dirs}/vidcutter/* rwkl -> @{user_config_dirs}/vidcutter/#@{int},
owner @{user_cache_dirs}/ rw,
owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/@{hex} rwl -> @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9],
owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9] rw,
owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/@{hex} rwl -> @{user_cache_dirs}/qtshadercache-*-little_endian-*/#@{int},
owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/#@{int} rw,
owner @{user_cache_dirs}/qtshadercache/ rw,
owner @{user_cache_dirs}/qtshadercache/@{hex} rwl -> @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9],
owner @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9] rw,
owner @{user_cache_dirs}/qtshadercache/@{hex} rwl -> @{user_cache_dirs}/qtshadercache/#@{int},
owner @{user_cache_dirs}/qtshadercache/#@{int} rw,
owner @{user_config_dirs}/qt5ct/{,**} r,
@ -72,8 +72,8 @@ profile vidcutter @{exec_path} {
@{sys}/devices/system/node/node[0-9]*/meminfo r,
owner /tmp/vidcutter-@{uuid} w,
owner /tmp/#[0-9]*[0-9] rw,
owner /tmp/*.jpg rwl -> /tmp/#[0-9]*[0-9],
owner /tmp/#@{int} rw,
owner /tmp/*.jpg rwl -> /tmp/#@{int},
owner /tmp/vidcutter/{,*} rw,
deny owner @{PROC}/@{pid}/cmdline r,
@ -83,7 +83,7 @@ profile vidcutter @{exec_path} {
deny @{PROC}/sys/kernel/random/boot_id r,
/dev/ r,
/dev/shm/#[0-9]*[0-9] rw,
/dev/shm/#@{int} rw,
/dev/disk/*/ r,
owner /dev/tty[0-9]* rw,

2
apparmor.d/profiles-s-z/wireshark
View file

@ -76,7 +76,7 @@ profile wireshark @{exec_path} {
/usr/share/GeoIP/{,**} r,
/dev/shm/#[0-9]*[0-9] rw,
/dev/shm/#@{int} rw,
owner /tmp/wireshark_extcap_ciscodump_[0-9]*_* rw,

2
apparmor.d/profiles-s-z/wpa-gui
View file

@ -26,7 +26,7 @@ profile wpa-gui @{exec_path} {
owner @{user_config_dirs}/qt5ct/{,**} r,
owner /tmp/wpa_ctrl_@{pid}-[0-9] w,
owner /dev/shm/#[0-9]*[0-9] rw,
owner /dev/shm/#@{int} rw,
@{run}/wpa_supplicant/ r,

Some files were not shown because too many files have changed in this diff Show more