Merge branch 'main' into feat/update

apparmor.d/profiles-g-l/gajim

@@ -82,7 +82,7 @@ profile gajim @{exec_path} {
   # TMP files locations (first in /tmp/ , /var/tmp/ and @{HOME}/)
     /var/tmp/ r,
         /tmp/ r,
-  owner /tmp/* rw,
+  owner @{tmp}/* rw,
 
   # Silencer
   deny /usr/share/gajim/** w,
@@ -100,8 +100,8 @@ profile gajim @{exec_path} {
     @{bin}/{,@{multiarch}-}ld.bfd     rix,
     @{lib}/gcc/@{multiarch}/@{int}/collect2 rix,
 
-    owner /tmp/cc* rw,
-    owner /tmp/tmp* rw,
+    owner @{tmp}/cc* rw,
+    owner @{tmp}/tmp* rw,
 
     /media/ccache/*/** rw,
 

apparmor.d/profiles-g-l/git

@@ -89,21 +89,21 @@ profile git @{exec_path} {
   owner @{user_cache_dirs}/*/ rw,
   owner @{user_cache_dirs}/*/** rwkl -> @{user_cache_dirs}/*/**,
 
-  owner /tmp/**        rwkl -> /tmp/**,
-  owner /tmp/**/bin/*  rCx -> exec,
+  owner @{tmp}/**        rwkl -> /tmp/**,
+  owner @{tmp}/**/bin/*  rCx -> exec,
 
   owner @{HOME}/.gitconfig* rw,
   owner @{HOME}/.netrc r,
   owner @{user_config_dirs}/git/{,*} rw,
 
-  owner /tmp/git-difftool.*/ rw,             # For diffs
-  owner /tmp/git-difftool.*/right/{,**} rw,
-  owner /tmp/git-difftool.*/left/{,**} rw,
-  owner /tmp/* rw,
-  owner /tmp/tmp*/ rw,                       # For TWRP-device-tree-generator
-  owner /tmp/tmp*/** rwkl -> /tmp/tmp*/**,
-  owner /tmp/.git_vtag_tmp@{rand6} rw,       # For git log --show-signature
-  owner /tmp/git-commit-msg-.txt rw,         # For android studio
+  owner @{tmp}/git-difftool.*/ rw,             # For diffs
+  owner @{tmp}/git-difftool.*/right/{,**} rw,
+  owner @{tmp}/git-difftool.*/left/{,**} rw,
+  owner @{tmp}/* rw,
+  owner @{tmp}/tmp*/ rw,                       # For TWRP-device-tree-generator
+  owner @{tmp}/tmp*/** rwkl -> /tmp/tmp*/**,
+  owner @{tmp}/.git_vtag_tmp@{rand6} rw,       # For git log --show-signature
+  owner @{tmp}/git-commit-msg-.txt rw,         # For android studio
 
   deny @{user_share_dirs}/gvfs-metadata/* r,
   deny /dev/shm/.org.chromium.Chromium* rw,
@@ -119,7 +119,7 @@ profile git @{exec_path} {
     owner @{HOME}/@{XDG_GPG_DIR}/ rw,
     owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**,
 
-    owner /tmp/.git_vtag_tmp@{rand6} r,
+    owner @{tmp}/.git_vtag_tmp@{rand6} r,
 
     deny @{user_share_dirs}/gvfs-metadata/* r,
 
@@ -145,8 +145,8 @@ profile git @{exec_path} {
     owner @{HOME}/@{XDG_SSH_DIR}/known_hosts{,.*} rw,
     owner @{HOME}/@{XDG_SSH_DIR}/known_hosts.old rwl,
 
-    owner /tmp/git@*:@{int} rwl -> /tmp/git@*:@{int}.*,
-    owner /tmp/ssh-*/agent.@{int} rw,
+    owner @{tmp}/git@*:@{int} rwl -> /tmp/git@*:@{int}.*,
+    owner @{tmp}/ssh-*/agent.@{int} rw,
 
     owner @{PROC}/@{pid}/fd/ r,
 

apparmor.d/profiles-g-l/gpa

@@ -43,7 +43,7 @@ profile gpa @{exec_path} {
   # Files to verify
   owner /**.tar.gz r,
 
-  owner /tmp/xauth-@{int}-_[0-9] r,
+  owner @{tmp}/xauth-@{int}-_[0-9] r,
 
   # External apps
   @{lib}/firefox/firefox rPUx,

apparmor.d/profiles-g-l/gpartedbin

@@ -72,7 +72,7 @@ profile gpartedbin @{exec_path} {
         @{HOME}/.Xauthority r,
   owner @{HOME}/*.htm w,
 
-  owner /tmp/gparted-*/ rw,
+  owner @{tmp}/gparted-*/ rw,
 
   @{run}/mount/utab r,
   

apparmor.d/profiles-g-l/groups

@@ -11,14 +11,10 @@ include <tunables/global>
 profile groups @{exec_path} {
   include <abstractions/base>
   include <abstractions/consoles>
+  include <abstractions/nameservice-strict>
 
   @{exec_path} mr,
 
-  /etc/group r,
-  /etc/nsswitch.conf r,
-
-  @{run}/systemd/userdb r,
-
   @{PROC}/sys/kernel/random/boot_id r,
 
   /dev/tty@{int} rw,

apparmor.d/profiles-g-l/gtk-update-icon-cache

@@ -14,13 +14,9 @@ profile gtk-update-icon-cache @{exec_path} flags=(attach_disconnected) {
 
   @{exec_path} mr,
 
-  /usr/share/icons/** r,
-  /usr/share/icons/**/.icon-theme.cache rw,
-  /usr/share/icons/**/icon-theme.cache rw,
-
-  /var/lib/flatpak/exports/share/icons/{,**/} r,
-  /var/lib/flatpak/exports/share/icons/hicolor/.icon-theme.cache rw,
-  /var/lib/flatpak/exports/share/icons/hicolor/icon-theme.cache w,
+  @{system_share_dirs}/icons/{,**/} r,
+  @{system_share_dirs}/icons/**/.icon-theme.cache rw,
+  @{system_share_dirs}/icons/**/icon-theme.cache w,
 
   owner @{user_share_dirs}/** r,
   owner @{user_share_dirs}/**/.icon-theme.cache rw,

apparmor.d/profiles-g-l/hardinfo

@@ -109,7 +109,7 @@ profile hardinfo @{exec_path} {
 
   owner @{HOME}/.hardinfo/ rw,
 
-  owner /tmp/#@{int} rw,
+  owner @{tmp}/#@{int} rw,
 
   # Allowed apps to open
   @{lib}/firefox/firefox rPUx,
@@ -154,8 +154,8 @@ profile hardinfo @{exec_path} {
 
     @{sys}/fs/cgroup/{,**} r,
 
-    owner /tmp/hsperfdata_*/ rw,
-    owner /tmp/hsperfdata_*/@{pid} rw,
+    owner @{tmp}/hsperfdata_*/ rw,
+    owner @{tmp}/hsperfdata_*/@{pid} rw,
 
   }
 

apparmor.d/profiles-g-l/hugo

@@ -37,8 +37,8 @@ profile hugo @{exec_path} {
 
   owner @{user_cache_dirs}/hugo_cache/{,**} rwkl,
 
-  owner /tmp/hugo_cache/{,**} rwkl,
-  owner /tmp/go-codehost-@{int} rw,
+  owner @{tmp}/hugo_cache/{,**} rwkl,
+  owner @{tmp}/go-codehost-@{int} rw,
 
   @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
 

apparmor.d/profiles-g-l/hw-probe

@@ -91,8 +91,8 @@ profile hw-probe @{exec_path} {
 
   owner /root/HW_PROBE/{,**} rw,
 
-  owner /tmp/*/ rw,
-  owner /tmp/*/cpu_perf rw,
+  owner @{tmp}/*/ rw,
+  owner @{tmp}/*/cpu_perf rw,
 
   @{sys}/class/drm/ r,
   @{sys}/class/power_supply/ r,

apparmor.d/profiles-g-l/hwinfo

@@ -71,7 +71,7 @@ profile hwinfo @{exec_path} {
   /var/lib/hardware/udi/ r,
 
   # For a log file
-  owner /tmp/hwinfo*.txt rw,
+  owner @{tmp}/hwinfo*.txt rw,
 
 
   profile kmod {
@@ -85,7 +85,7 @@ profile hwinfo @{exec_path} {
 
     # file_inherit
     /dev/ttyS@{int} r,
-    owner /tmp/hwinfo*.txt rw,
+    owner @{tmp}/hwinfo*.txt rw,
     @{sys}/devices/@{pci}/drm/card@{int}/ r,
 
   }
@@ -107,7 +107,7 @@ profile hwinfo @{exec_path} {
     @{run}/udev/data/* r,
 
     # file_inherit
-    owner /tmp/hwinfo*.txt rw,
+    owner @{tmp}/hwinfo*.txt rw,
 
   }
 

apparmor.d/profiles-g-l/i3lock

@@ -29,7 +29,7 @@ profile i3lock @{exec_path} {
   owner @{HOME}/*/*.png r,
 
   # When using also i3lock-fancy.
-  owner /tmp/tmp.*.png r,
+  owner @{tmp}/tmp.*.png r,
 
   # file_inherit
   owner /dev/tty@{int} rw,

apparmor.d/profiles-g-l/i3lock-fancy

@@ -36,9 +36,9 @@ profile i3lock-fancy @{exec_path} {
 
   /usr/share/i3lock-fancy/{,*} r,
 
-  owner /tmp/tmp.*.png rw,
-  owner /tmp/tmp.* rw,
-  owner /tmp/sh-thd.* rw,
+  owner @{tmp}/tmp.*.png rw,
+  owner @{tmp}/tmp.* rw,
+  owner @{tmp}/sh-thd.* rw,
 
   # file_inherit
   owner /dev/tty@{int} rw,
@@ -62,7 +62,7 @@ profile i3lock-fancy @{exec_path} {
     # For gray scale (doesn't seem to be required). It produces files like /home/*/PIHFhJ .
     deny owner @{HOME}/* rw,
 
-    owner /tmp/tmp.*.png rw,
+    owner @{tmp}/tmp.*.png rw,
 
     # file_inherit
     owner /dev/tty@{int} rw,

apparmor.d/profiles-g-l/jdownloader

@@ -61,16 +61,16 @@ profile jdownloader @{exec_path} {
 
   owner @{HOME}/.install4j rw,
 
-  owner /tmp/hsperfdata_*/ rw,
-  owner /tmp/hsperfdata_*/@{pid} rw,
+  owner @{tmp}/hsperfdata_*/ rw,
+  owner @{tmp}/hsperfdata_*/@{pid} rw,
   # If the @{JD_INSTALLDIR}/tmp/ dir can't be accessed, the /tmp/ dir will be used instead
-  owner /tmp/SevenZipJBinding-*/ rw,
-  owner /tmp/SevenZipJBinding-*/lib7-Zip-JBinding.so mrw,
+  owner @{tmp}/SevenZipJBinding-*/ rw,
+  owner @{tmp}/SevenZipJBinding-*/lib7-Zip-JBinding.so mrw,
   # For auto updates
-  owner /tmp/lastChanceSrc@{int}lch rw,
-  owner /tmp/lastChanceDst@{int}.jar rw,
-  owner /tmp/i4j_log_jd2_@{int}.log rw,
-  owner /tmp/install4jError@{int}.log rw,
+  owner @{tmp}/lastChanceSrc@{int}lch rw,
+  owner @{tmp}/lastChanceDst@{int}.jar rw,
+  owner @{tmp}/i4j_log_jd2_@{int}.log rw,
+  owner @{tmp}/install4jError@{int}.log rw,
 
   owner @{HOME}/.Xauthority r,
 

apparmor.d/profiles-g-l/jmtpfs

@@ -18,8 +18,8 @@ profile jmtpfs @{exec_path} {
 
   @{bin}/fusermount{,3} rCx -> fusermount,
 
-  owner /tmp/tmp* rw,
-  owner /tmp/#@{int} rw,
+  owner @{tmp}/tmp* rw,
+  owner @{tmp}/#@{int} rw,
 
   # Mount points
   owner @{HOME}/*/ r,

apparmor.d/profiles-g-l/kanyremote

@@ -101,6 +101,7 @@ profile kanyremote @{exec_path} {
 
     /usr/share/anyremote/{,**} r,
 
+    include if exists <local/kanyremote_pgrep>
   }
 
   include if exists <local/kanyremote>

apparmor.d/profiles-g-l/keepassxc

@@ -42,8 +42,6 @@ profile keepassxc @{exec_path} {
   /usr/share/keepassxc/{,**} r,
 
   /etc/fstab r,
-  /etc/machine-id r,
-  /var/lib/dbus/machine-id r,
 
   owner @{HOME}/ r,
   owner @{HOME}/.mozilla/native-messaging-hosts/org.keepassxc.keepassxc_browser.json rw,
@@ -68,14 +66,14 @@ profile keepassxc @{exec_path} {
   owner @{user_share_dirs}/keepassxc/ rw,
   owner @{user_share_dirs}/keepassxc/* rwkl -> @{user_share_dirs}/keepassxc/#@{int},
 
-  owner /tmp/.[a-zA-Z]*/{,s} rw,
-  owner /tmp/*.*.gpgkey rwl -> /tmp/#@{int},
-  owner /tmp/*.*.settings rwl -> /tmp/#@{int},
-  owner /tmp/#@{int} rw,
-  owner /tmp/keepassxc-*.lock{,.rmlock} rwk,
-  owner /tmp/keepassxc-*.socket rw,
-  owner /tmp/keepassxc.lock rw,
-  owner /tmp/keepassxc.socket rw,
+  owner @{tmp}/.[a-zA-Z]*/{,s} rw,
+  owner @{tmp}/*.*.gpgkey rwl -> /tmp/#@{int},
+  owner @{tmp}/*.*.settings rwl -> /tmp/#@{int},
+  owner @{tmp}/#@{int} rw,
+  owner @{tmp}/keepassxc-*.lock{,.rmlock} rwk,
+  owner @{tmp}/keepassxc-*.socket rw,
+  owner @{tmp}/keepassxc.lock rw,
+  owner @{tmp}/keepassxc.socket rw,
 
   owner @{run}/user/@{pid}/app/ w,
   owner @{run}/user/@{pid}/app/org.keepassxc.KeePassXC/{,**} rw,

apparmor.d/profiles-g-l/kernel-install

@@ -33,7 +33,7 @@ profile kernel-install @{exec_path} {
   /etc/kernel/install.d/ r,
   /etc/kernel/install.d/*.install rix,
 
-  owner /tmp/sh-thd.* rw,
+  owner @{tmp}/sh-thd.* rw,
 
   owner /boot/{vmlinuz,initrd.img}-* r,
   owner /boot/[a-f0-9]*/*/ rw,

apparmor.d/profiles-g-l/kmod

@@ -47,11 +47,11 @@ profile kmod @{exec_path} flags=(attach_disconnected) {
   owner /var/tmp/dracut.*/{,**} rw,
 
   owner /boot/System.map-* r,
-  owner /tmp/mkinitcpio.*/{,**} rw,
+  owner @{tmp}/mkinitcpio.*/{,**} rw,
 
   # For local kernel build
-  owner /tmp/depmod.*/lib/modules/*/ r,
-  owner /tmp/depmod.*/lib/modules/*/modules.* rw,
+  owner @{tmp}/depmod.*/lib/modules/*/ r,
+  owner @{tmp}/depmod.*/lib/modules/*/modules.* rw,
   owner @{user_build_dirs}/**/System.map r,
   owner @{user_build_dirs}/**/lib/modules/*/ r,
   owner @{user_build_dirs}/**/lib/modules/*/modules.* rw,

apparmor.d/profiles-g-l/linssid

@@ -62,8 +62,8 @@ profile linssid @{exec_path} {
   owner @{PROC}/@{pid}/net/wireless r,
   owner @{PROC}/@{pid}/cmdline r,
 
-  owner /tmp/runtime-root/ rw,
-  owner /tmp/linssid_* rw,
+  owner @{tmp}/runtime-root/ rw,
+  owner @{tmp}/linssid_* rw,
 
   /var/lib/dbus/machine-id r,
   /etc/machine-id r,
@@ -88,7 +88,7 @@ profile linssid @{exec_path} {
     # file_inherit
     owner @{HOME}/.linssid.prefs rw,
     owner @{HOME}/LinSSID.datalog rw,
-    owner /tmp/linssid_* rw,
+    owner @{tmp}/linssid_* rw,
     owner /dev/dri/card@{int} rw,
 
   }

apparmor.d/profiles-g-l/linux-check-removal

@@ -38,7 +38,7 @@ profile linux-check-removal @{exec_path} flags=(complain) {
 
     # The following is needed when debconf uses dialog/whiptail frontend.
     @{bin}/whiptail   rPx,
-    owner /tmp/file* w,
+    owner @{tmp}/file* w,
 
     /usr/share/debconf/confmodule r,
 

apparmor.d/profiles-g-l/lynx

@@ -30,8 +30,8 @@ profile lynx @{exec_path} {
   @{sh_path}        rix,
   /etc/mailcap r,
 
-  owner /tmp/lynxXXXX*/ rw,
-  owner /tmp/lynxXXXX*/*TMP.html{,.gz} rw,
+  owner @{tmp}/lynxXXXX*/ rw,
+  owner @{tmp}/lynxXXXX*/*TMP.html{,.gz} rw,
 
   owner @{HOME}/ r,