refactor(profiles): use @{bin} and @{lib} in profiles (1)

2023-07-09 13:20:25 +01:00 · 2023-07-09 13:20:25 +01:00 · bb71f49598
commit bb71f49598
parent 59469b57b4
125 changed files with 955 additions and 959 deletions
--- a/apparmor.d/groups/_full/systemd
+++ b/apparmor.d/groups/_full/systemd
@ -15,8 +15,8 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}lib/systemd/systemd
-profile systemd /{usr/,}lib/systemd/systemd flags=(complain) {
+@{exec_path} = @{lib}/systemd/systemd
+profile systemd @{lib}/systemd/systemd flags=(complain) {
  include <abstractions/base>
  include <abstractions/dbus-session-strict>
  include <abstractions/dbus-strict>
@ -30,56 +30,56 @@ profile systemd /{usr/,}lib/systemd/systemd flags=(complain) {

  @{exec_path} mr,

-  /{usr/,}bin/{,ba,da}sh  rix,
-  /{usr/,}bin/systemctl   rCx -> systemctl,
+  @{bin}/{,ba,da}sh  rix,
+  @{bin}/systemctl   rCx -> systemctl,

-  /{usr/,}lib/systemd/user-environment-generators/*  rPx,
-  /{usr/,}lib/systemd/user-environment-generators/*  rPx,
-  /{usr/,}lib/systemd/user-generators/*              rPx,
+  @{lib}/systemd/user-environment-generators/*  rPx,
+  @{lib}/systemd/user-environment-generators/*  rPx,
+  @{lib}/systemd/user-generators/*              rPx,

  # Server
-  /{usr/,}lib/openssh/agent-launch rPx,
+  @{lib}/openssh/agent-launch rPx,

  # Dbus
-  @{libexec}/{,at-spi2{,-core}/}at-spi-bus-launcher rPx,
-  /{usr/,}bin/dbus-daemon                           rPx,
+  @{bin}/dbus-daemon                           rPx,
+  @{lib}/{,at-spi2{,-core}/}at-spi-bus-launcher rPx,

  # Desktop
-  @{libexec}/xdg-desktop-portal*   rPx,
-  @{libexec}/xdg-document-portal   rPx,
-  @{libexec}/xdg-permission-store  rPx,
-  /{usr/,}bin/xdg-user-dirs-update rPx,
+  @{bin}/xdg-user-dirs-update rPx,
+  @{lib}/xdg-desktop-portal*   rPx,
+  @{lib}/xdg-document-portal   rPx,
+  @{lib}/xdg-permission-store  rPx,

  # Audio
-  /{usr/,}bin/pipewire        rux, # FIXME: no new privs
-  /{usr/,}bin/pipewire-pulse  rux, # FIXME: no new privs
-  /{usr/,}bin/pulseaudio      rux, # FIXME: no new privs
-  /{usr/,}bin/wireplumber     rux, # FIXME: no new privs
+  @{bin}/pipewire        rux, # FIXME: no new privs
+  @{bin}/pipewire-pulse  rux, # FIXME: no new privs
+  @{bin}/pulseaudio      rux, # FIXME: no new privs
+  @{bin}/wireplumber     rux, # FIXME: no new privs

  # Gnome
-  @{libexec}/{,dconf/}dconf-service         rPx,
-  @{libexec}/evolution-addressbook-factory  rPx,
-  @{libexec}/evolution-calendar-factory     rPx,
-  @{libexec}/evolution-source-registry      rPx,
-  @{libexec}/gnome-session-binary           rPx,
-  @{libexec}/gnome-session-ctl              rPx,
-  @{libexec}/gnome-terminal-server          rPx,
-  @{libexec}/goa-*                          rPx,
-  @{libexec}/gsd-*                          rPx,
-  @{libexec}/gvfs-*                         rPx,
-  @{libexec}/gvfsd*                         rPx,
-  @{libexec}/tracker-extract-*              rPx,
-  @{libexec}/tracker-miner-*                rPx,
-  /{usr/,}bin/gjs                           rPx,
-  /{usr/,}bin/gnome-keyring-daemon          rPx,
-  /{usr/,}bin/gnome-shell                   rPx,
-  /{usr/,}bin/gsettings                     rPx,
-  /{usr/,}lib/dconf/dconf-service           rPx,
-  /{usr/,}lib/gvfs/gvfs-*                   rPx,
-  /{usr/,}lib/gvfs/gvfsd*                   rPx,
+  @{bin}/gjs                            rPx,
+  @{bin}/gnome-keyring-daemon           rPx,
+  @{bin}/gnome-shell                    rPx,
+  @{bin}/gsettings                      rPx,
+  @{lib}/{,dconf/}dconf-service         rPx,
+  @{lib}/dconf/dconf-service            rPx,
+  @{lib}/evolution-addressbook-factory  rPx,
+  @{lib}/evolution-calendar-factory     rPx,
+  @{lib}/evolution-source-registry      rPx,
+  @{lib}/gnome-session-binary           rPx,
+  @{lib}/gnome-session-ctl              rPx,
+  @{lib}/gnome-terminal-server          rPx,
+  @{lib}/goa-*                          rPx,
+  @{lib}/gsd-*                          rPx,
+  @{lib}/gvfs-*                         rPx,
+  @{lib}/gvfs/gvfs-*                    rPx,
+  @{lib}/gvfs/gvfsd*                    rPx,
+  @{lib}/gvfsd*                         rPx,
+  @{lib}/tracker-extract-*              rPx,
+  @{lib}/tracker-miner-*                rPx,

  # Ubuntu
-  /{usr/,}bin/snap                          rPx,
+  @{bin}/snap                          rPx,

  /etc/systemd/user.conf r,
  /etc/systemd/user.conf.d/{,**} r,
@ -123,7 +123,7 @@ profile systemd /{usr/,}lib/systemd/systemd flags=(complain) {
  profile systemctl {
    include <abstractions/base>

-    /{usr/,}bin/systemctl mr,
+    @{bin}/systemctl mr,

          @{PROC}/cmdline r,
          @{PROC}/sys/kernel/osrelease r,