Merge branch 'main' into feat/update

2024-05-06 19:56:11 +01:00 · 2024-05-06 19:56:11 +01:00 · f75e5047df
commit f75e5047df
parent e8eadcc7ec 8224ac2b3f
340 changed files with 1603 additions and 1539 deletions
--- a/apparmor.d/profiles-s-z/YACReaderLibrary
+++ b/apparmor.d/profiles-s-z/YACReaderLibrary
@ -41,7 +41,7 @@ profile YACReaderLibrary @{exec_path} flags=(attach_disconnected,mediate_deleted
  owner @{user_share_dirs}/YACReader/YACReaderLibrary/ rw,
  owner @{user_share_dirs}/YACReader/YACReaderLibrary/** rwlk,

-  owner /tmp/@{uuid} w,
+  owner @{tmp}/@{uuid} w,

  owner @{PROC}/@{pid}/cmdline r,

--- a/apparmor.d/profiles-s-z/s3fs
+++ b/apparmor.d/profiles-s-z/s3fs
@ -32,7 +32,7 @@ profile s3fs @{exec_path} {

  owner @{MOUNTS}/ r,
  owner @{MOUNTS}/*/ r,
-  owner /tmp/* rw,
+  owner @{tmp}/* rw,

  /dev/fuse rw,

@ -59,7 +59,7 @@ profile s3fs @{exec_path} {
    @{MOUNTS}/ r,
    @{MOUNTS}/*/ r,

-    owner /tmp/s3fstmp.* rw,
+    owner @{tmp}/s3fstmp.* rw,

    @{PROC}/@{pids}/mounts r,

--- a/apparmor.d/profiles-s-z/sanoid
+++ b/apparmor.d/profiles-s-z/sanoid
@ -27,7 +27,7 @@ profile sanoid @{exec_path} flags=(complain) {
  @{run}/sanoid/sanoid_cacheupdate.lock rwk,
  @{run}/sanoid/sanoid_pruning.lock rwk,

-  owner /tmp/** rw,
+  owner @{tmp}/** rw,

  include if exists <local/sanoid>
 }
--- a/apparmor.d/profiles-s-z/scrot
+++ b/apparmor.d/profiles-s-z/scrot
@ -10,6 +10,7 @@ include <tunables/global>
@{exec_path} = @{bin}/scrot
 profile scrot @{exec_path} {
  include <abstractions/base>
+  include <abstractions/freedesktop.org>
  include <abstractions/user-download-strict>

  @{exec_path} mr,
@ -21,16 +22,10 @@ profile scrot @{exec_path} {
  # The image dir
  owner @{HOME}/*.png rw,

-  owner @{HOME}/.Xauthority r,
-
-  /dev/shm/#@{int} rw,
-
-  owner @{HOME}/.icons/default/index.theme r,
-  /usr/share/icons/*/index.theme r,
-  /usr/share/icons/*/cursors/* r,
-
  # file_inherit
  owner @{HOME}/.xsession-errors w,

+  /dev/shm/#@{int} rw,
+
  include if exists <local/scrot>
 }
--- a/apparmor.d/profiles-s-z/smbspool
+++ b/apparmor.d/profiles-s-z/smbspool
@ -0,0 +1,18 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{bin}/smbspool
+profile smbspool @{exec_path} {
+  include <abstractions/base>
+
+  @{exec_path} mr,
+
+  /etc/papersize r,
+
+  include if exists <local/smbspool>
+}
--- a/apparmor.d/profiles-s-z/smplayer
+++ b/apparmor.d/profiles-s-z/smplayer
@ -64,11 +64,11 @@ profile smplayer @{exec_path} {

  owner @{user_cache_dirs}/#@{int} rw,

-  owner /tmp/qtsingleapp-smplay-* rw,
-  owner /tmp/qtsingleapp-smplay-*-lockfile rwk,
-  owner /tmp/smplayer_preview/ rw,
-  owner /tmp/smplayer_preview/@{int}.{jpg,png} rw,
-  owner /tmp/smplayer-mpv-* w,
+  owner @{tmp}/qtsingleapp-smplay-* rw,
+  owner @{tmp}/qtsingleapp-smplay-*-lockfile rwk,
+  owner @{tmp}/smplayer_preview/ rw,
+  owner @{tmp}/smplayer_preview/@{int}.{jpg,png} rw,
+  owner @{tmp}/smplayer-mpv-* w,

  owner @{run}/user/@{uid}/gvfs/smb-share:server=*,share=**/ r,
  owner @{run}/user/@{uid}/gvfs/smb-share:server=*,share=** r,
--- a/apparmor.d/profiles-s-z/snap
+++ b/apparmor.d/profiles-s-z/snap
@ -31,19 +31,7 @@ profile snap @{exec_path} {
  #aa:dbus own bus=session name=io.snapcraft.Launcher
  #aa:dbus own bus=session name=io.snapcraft.Settings

-  dbus send bus=session path=/org/freedesktop/systemd1
-       interface=org.freedesktop.systemd1.Manager
-       member=StartTransientUnit
-       peer=(name=org.freedesktop.systemd1, label="@{p_systemd_user}"),
-
-  dbus receive bus=system path=/org/freedesktop/systemd1
-       interface=org.freedesktop.systemd1.Manager
-       member=JobRemoved
-       peer=(name=:*, label="@{p_systemd}"),
-  dbus receive bus=session path=/org/freedesktop/systemd1
-       interface=org.freedesktop.systemd1.Manager
-       member=JobRemoved
-       peer=(name=:*, label="@{p_systemd_user}"),
+  #aa:dbus talk bus=session name=org.freedesktop.systemd1 label="@{p_systemd_user}"

  dbus send bus=session path=/org/freedesktop/portal/documents
       interface=org.freedesktop.portal.Documents
@ -71,7 +59,7 @@ profile snap @{exec_path} {
  @{HOME}/snap/{,**} rw,
  /snap/{,**} rw,

-  owner /tmp/snapd-auto-import-mount-@{int}/ rw,
+  owner @{tmp}/snapd-auto-import-mount-@{int}/ rw,

        @{run}/user/@{uid}/bus rw,
  owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} r,
--- a/apparmor.d/profiles-s-z/snap-update-ns
+++ b/apparmor.d/profiles-s-z/snap-update-ns
@ -39,7 +39,7 @@ profile snap-update-ns @{exec_path} {
  owner /var/snap/ rw,
  owner /var/snap/**/ rw,

-  owner /tmp/.snap/{,**} rwk,
+  owner @{tmp}/.snap/{,**} rwk,

  @{run}/snapd/lock/*.lock rwk,
  @{run}/snapd/ns/{,**} rw,
--- a/apparmor.d/profiles-s-z/spectre-meltdown-checker
+++ b/apparmor.d/profiles-s-z/spectre-meltdown-checker
@ -73,17 +73,17 @@ profile spectre-meltdown-checker @{exec_path} {
  # To fetch MCE.db from the MCExtractor project
  @{bin}/wget       rCx -> mcedb,
  @{bin}/sqlite3    rCx -> mcedb,
-  owner /tmp/mcedb-* rw,
-  owner /tmp/smc-* rw,
-  owner /tmp/{,smc-}intelfw-*/ rw,
-  owner /tmp/{,smc-}intelfw-*/fw.zip rw,
-  owner /tmp/{,smc-}intelfw-*/Intel-Linux-Processor-Microcode-Data-Files-{master,main}/ rw,
-  owner /tmp/{,smc-}intelfw-*/Intel-Linux-Processor-Microcode-Data-Files-{master,main}/** rw,
+  owner @{tmp}/mcedb-* rw,
+  owner @{tmp}/smc-* rw,
+  owner @{tmp}/{,smc-}intelfw-*/ rw,
+  owner @{tmp}/{,smc-}intelfw-*/fw.zip rw,
+  owner @{tmp}/{,smc-}intelfw-*/Intel-Linux-Processor-Microcode-Data-Files-{master,main}/ rw,
+  owner @{tmp}/{,smc-}intelfw-*/Intel-Linux-Processor-Microcode-Data-Files-{master,main}/** rw,

  owner @{HOME}/.mcedb rw,

        /tmp/ r,
-  owner /tmp/{config,kernel}-* rw,
+  owner @{tmp}/{config,kernel}-* rw,

  owner /dev/cpu/@{int}/cpuid r,
  owner /dev/cpu/@{int}/msr rw,
@ -166,8 +166,8 @@ profile spectre-meltdown-checker @{exec_path} {
    owner @{HOME}/.mcedb rw,

          /tmp/ r,
-    owner /tmp/{,smc-}mcedb-* rwk,
-    owner /tmp/{,smc-}intelfw-*/fw.zip rw,
+    owner @{tmp}/{,smc-}mcedb-* rwk,
+    owner @{tmp}/{,smc-}intelfw-*/fw.zip rw,

    /usr/share/publicsuffix/public_suffix_list.* r,

--- a/apparmor.d/profiles-s-z/spice-vdagent
+++ b/apparmor.d/profiles-s-z/spice-vdagent
@ -19,12 +19,10 @@ profile spice-vdagent @{exec_path} flags=(attach_disconnected) {
  include <abstractions/bus/org.freedesktop.RealtimeKit1>
  include <abstractions/bus/org.gnome.Mutter.DisplayConfig>
  include <abstractions/bus/org.gtk.vfs.MountTracker>
-  include <abstractions/dri>
+  include <abstractions/graphics>
  include <abstractions/fontconfig-cache-write>
-  include <abstractions/fonts>
-  include <abstractions/gtk>
+  include <abstractions/desktop>
  include <abstractions/nameservice-strict>
-  include <abstractions/X-strict>

  dbus send bus=session path=/org/freedesktop/portal/desktop
       interface=org.freedesktop.portal.Realtime
--- a/apparmor.d/profiles-s-z/ss
+++ b/apparmor.d/profiles-s-z/ss
@ -24,7 +24,7 @@ profile ss @{exec_path} {

  /etc/iproute2/{,**} r,

-  owner /tmp/*.ss     rw,
+  owner @{tmp}/*.ss     rw,
  owner @{HOME}/*.ss  rw,

        @{PROC} r,
--- a/apparmor.d/profiles-s-z/ssurl
+++ b/apparmor.d/profiles-s-z/ssurl
@ -13,8 +13,8 @@ profile ssurl @{exec_path} {
  include <abstractions/base>
  include <abstractions/consoles>

-       capability dac_read_search,
-  deny capability dac_override,
+  capability dac_read_search,
+  capability dac_override,

  @{exec_path} mr,

--- a/apparmor.d/profiles-s-z/startx
+++ b/apparmor.d/profiles-s-z/startx
@ -40,7 +40,7 @@ profile startx @{exec_path} flags=(attach_disconnected) {
  owner @{HOME}/.xserverrc r,

        /tmp/ r,
-  owner /tmp/serverauth.* rw,
+  owner @{tmp}/serverauth.* rw,

        /dev/ r,
  owner /dev/tty@{int} rw,
--- a/apparmor.d/profiles-s-z/steam
+++ b/apparmor.d/profiles-s-z/steam
@ -139,13 +139,13 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted,complain)
  owner /dev/shm/u@{uid}-ValveIPCSharedObj-Steam rwk,
  owner /dev/shm/ValveIPCSHM_@{uid} rw,

-  owner /tmp/dumps/ rw,
-  owner /tmp/dumps/{assert,crash}_@{int}_@{int}.dmp rw,
-  owner /tmp/gdkpixbuf-xpm-tmp.@{rand6} rw,
-  owner /tmp/miles_image_* mrw,
-  owner /tmp/runtime-info.txt.* rwk,
-  owner /tmp/sh-thd.* rw,
-  owner /tmp/steam_chrome_shmem_uid@{uid}_spid@{int} rw,
+  owner @{tmp}/dumps/ rw,
+  owner @{tmp}/dumps/{assert,crash}_@{int}_@{int}.dmp rw,
+  owner @{tmp}/gdkpixbuf-xpm-tmp.@{rand6} rw,
+  owner @{tmp}/miles_image_* mrw,
+  owner @{tmp}/runtime-info.txt.* rwk,
+  owner @{tmp}/sh-thd.* rw,
+  owner @{tmp}/steam_chrome_shmem_uid@{uid}_spid@{int} rw,

  @{run}/udev/data/+input:input@{int} r,  # for mouse, keyboard, touchpad
  @{run}/udev/data/+pci:* r,              # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.)
--- a/apparmor.d/profiles-s-z/steam-game
+++ b/apparmor.d/profiles-s-z/steam-game
@ -161,10 +161,10 @@ profile steam-game @{exec_path} flags=(attach_disconnected) {
  owner /dev/shm/ValveIPCSHM_@{uid} rw,
  owner /dev/shm/wine-*-fsync rw,

-  owner /tmp/.wine-@{uid}/server-*/* rwk,
-  owner /tmp/** rw,
-  owner /tmp/miles_image_* mr,
-  owner /tmp/pressure-vessel-*/{,**} rwl,
+  owner @{tmp}/.wine-@{uid}/server-*/* rwk,
+  owner @{tmp}/** rw,
+  owner @{tmp}/miles_image_* mr,
+  owner @{tmp}/pressure-vessel-*/{,**} rwl,

  @{run}/udev/data/+input:input@{int} r,  # for mouse, keyboard, touchpad

--- a/apparmor.d/profiles-s-z/steam-gameoverlayui
+++ b/apparmor.d/profiles-s-z/steam-gameoverlayui
@ -45,9 +45,9 @@ profile steam-gameoverlayui @{exec_path} {
  owner /dev/shm/u@{uid}-ValveIPCSharedObj-* rwk,
  owner /dev/shm/ValveIPCSHM_@{uid} rw,

-  owner /tmp/gameoverlayui.log* rw,
-  owner /tmp/steam_chrome_overlay_uid@{uid}_spid@{pids} rw,
-  owner /tmp/miles_image_* mrw,
+  owner @{tmp}/gameoverlayui.log* rw,
+  owner @{tmp}/steam_chrome_overlay_uid@{uid}_spid@{pids} rw,
+  owner @{tmp}/miles_image_* mrw,

  deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,

--- a/apparmor.d/profiles-s-z/strawberry
+++ b/apparmor.d/profiles-s-z/strawberry
@ -10,22 +10,18 @@ include <tunables/global>
@{exec_path} = @{bin}/strawberry
 profile strawberry @{exec_path} {
  include <abstractions/base>
-  include <abstractions/consoles>
-  include <abstractions/X>
-  include <abstractions/gtk>
-  include <abstractions/freedesktop.org>
-  include <abstractions/fonts>
-  include <abstractions/fontconfig-cache-read>
-  include <abstractions/dri-enumerate>
-  include <abstractions/mesa>
  include <abstractions/audio-client>
-  include <abstractions/qt5>
+  include <abstractions/consoles>
+  include <abstractions/desktop>
+  include <abstractions/devices-usb>
+  include <abstractions/fontconfig-cache-read>
+  include <abstractions/graphics>
+  include <abstractions/gstreamer>
+  include <abstractions/nameservice-strict>
  include <abstractions/qt5-compose-cache-write>
  include <abstractions/qt5-settings-write>
-  include <abstractions/nameservice-strict>
  include <abstractions/ssl_certs>
-  include <abstractions/devices-usb>
-  include <abstractions/gstreamer>
+  include <abstractions/user-download-strict>

  signal (send) set=(term, kill) peer=strawberry-tagreader,

@ -42,88 +38,45 @@ profile strawberry @{exec_path} {

  @{bin}/strawberry-tagreader rPx,

-  @{bin}/xdg-open             rCx -> open,
+  @{open_path} rPx -> child-open-help,
+
+  /var/lib/dbus/machine-id r,
+  /etc/machine-id r,
+
+  owner @{HOME}/ r,

-  # Media library
  owner @{user_music_dirs}/ r,
  owner @{user_music_dirs}/** rw,

-  # Playlists
-  owner @{HOME}/**.{m3u,xspf,pls,asx,cue,wpl} rw,
-  owner @{HOME}/**.{M3U,XSPF,PLS,ASX,CUE,WPL} rw,
-
-  owner @{HOME}/ r,
  owner @{user_config_dirs}/strawberry/ rw,
  owner @{user_config_dirs}/strawberry/* rwkl -> @{user_config_dirs}/strawberry/#@{int},

  owner @{user_share_dirs}/strawberry/ rw,
  owner @{user_share_dirs}/strawberry/** rwk,

-  owner @{user_cache_dirs}/ rw,
  owner @{user_cache_dirs}/strawberry/ rw,
  owner @{user_cache_dirs}/strawberry/** rwl -> @{user_cache_dirs}/strawberry/networkcache/prepared/#@{int},

  owner @{user_cache_dirs}/xine-lib/ rw,
  owner @{user_cache_dirs}/xine-lib/plugins.cache{,.new} rw,

-       owner @{PROC}/@{pid}/mountinfo r,
-       owner @{PROC}/@{pid}/mounts r,
-  deny owner @{PROC}/@{pid}/cmdline r,
-       owner @{PROC}/@{pid}/fd/ r,
-  deny       @{PROC}/sys/kernel/random/boot_id r,
+  owner @{tmp}/.*/ rw,
+  owner @{tmp}/.*/s rw,
+  owner @{tmp}/*= w,
+  owner @{tmp}/#@{int} rw,
+  owner @{tmp}/etilqs_@{hex} rw,
+  owner @{tmp}/qipc_{systemsem,sharedmemory}_*[a-f0-9]* rw,
+  owner @{tmp}/strawberry-cover-@{rand6}.jpg rwl -> @{tmp}/#@{int},
+  owner @{tmp}/strawberry*[0-9] w,
+  owner /dev/shm/#@{int} rw,

  @{run}/mount/utab r,

-  /etc/fstab r,
-
-  /dev/shm/#@{int} rw,
-  /dev/sr[0-9]* r,
-
-  owner /tmp/qipc_{systemsem,sharedmemory}_*[a-f0-9]* rw,
-  owner /tmp/.*/ rw,
-  owner /tmp/.*/s rw,
-  owner /tmp/strawberry*[0-9] w,
-  owner /tmp/strawberry-cover-*.jpg rwl -> /tmp/#@{int},
-  owner /tmp/#@{int} rw,
-  owner /tmp/*= w,
-
-  owner /var/tmp/etilqs_@{hex} rw,
-
-  /var/lib/dbus/machine-id r,
-  /etc/machine-id r,
-
-  /usr/share/hwdata/pnp.ids r,
-
-  # Allowed apps to open
-  @{lib}/firefox/firefox rPUx,
-
-  # file_inherit
-  owner /dev/tty@{int} rw,
-  owner @{HOME}/.anyRemote/anyremote.stdout w,
-
-
-  profile open {
-    include <abstractions/base>
-    include <abstractions/xdg-open>
-
-    @{bin}/xdg-open mr,
-
-    @{sh_path}             rix,
-    @{bin}/{m,g,}awk       rix,
-    @{bin}/readlink        rix,
-    @{bin}/basename        rix,
-
-    owner @{HOME}/ r,
-
-    owner @{run}/user/@{uid}/ r,
-
-    # Allowed apps to open
-    @{lib}/firefox/firefox rPUx,
-
-    # file_inherit
-    owner @{HOME}/.xsession-errors w,
-
-  }
+        @{PROC}/sys/kernel/random/boot_id r,
+  owner @{PROC}/@{pid}/cmdline r,
+  owner @{PROC}/@{pid}/fd/ r,
+  owner @{PROC}/@{pid}/mountinfo r,
+  owner @{PROC}/@{pid}/mounts r,

  include if exists <local/strawberry>
 }
--- a/apparmor.d/profiles-s-z/sudo
+++ b/apparmor.d/profiles-s-z/sudo
@ -14,6 +14,7 @@ profile sudo @{exec_path} flags=(attach_disconnected) {
  include <abstractions/app/sudo>

  capability chown,
+  capability fowner,
  capability mknod,
  capability sys_ptrace,

--- a/apparmor.d/profiles-s-z/swtpm_setup
+++ b/apparmor.d/profiles-s-z/swtpm_setup
@ -21,9 +21,9 @@ profile swtpm_setup @{exec_path} {
  /var/log/swtpm/{,**} w,
  /var/lib/libvirt/swtpm/@{uuid}/tpm2/ r,

-  owner /tmp/swtpm_setup.certs.*/ w,
-  owner /tmp/swtpm_setup.certs.*/*.cert rw,
-  owner /tmp/.swtpm_setup.pidfile* rw,
+  owner @{tmp}/swtpm_setup.certs.*/ w,
+  owner @{tmp}/swtpm_setup.certs.*/*.cert rw,
+  owner @{tmp}/.swtpm_setup.pidfile* rw,

  include if exists <local/swtpm_setup>
 }
--- a/apparmor.d/profiles-s-z/sync
+++ b/apparmor.d/profiles-s-z/sync
@ -0,0 +1,17 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{bin}/sync
+profile sync @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/consoles>
+
+  @{exec_path} mr,
+
+  include if exists <local/sync>
+}
--- a/apparmor.d/profiles-s-z/syncoid
+++ b/apparmor.d/profiles-s-z/syncoid
@ -25,7 +25,7 @@ profile syncoid @{exec_path} flags=(complain) {

  /etc/mbuffer.rc r,

-  owner /tmp/** rw,
+  owner @{tmp}/** rw,

  @{PROC}/@{pids}/maps r,

--- a/apparmor.d/profiles-s-z/system-config-printer
+++ b/apparmor.d/profiles-s-z/system-config-printer
@ -46,7 +46,7 @@ profile system-config-printer @{exec_path} flags=(complain) {
        @{run}/cups/cups.sock rw,
  owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw,

-  owner /tmp/* rw,
+  owner @{tmp}/* rw,

  owner @{PROC}/@{pid}/fd/ r,
  owner @{PROC}/@{pid}/fdinfo/@{int} r,
--- a/apparmor.d/profiles-s-z/tasksel
+++ b/apparmor.d/profiles-s-z/tasksel
@ -38,7 +38,7 @@ profile tasksel @{exec_path} flags=(complain) {

  /usr/share/debconf/confmodule r,

-  owner /tmp/file* w,
+  owner @{tmp}/file* w,


  profile tasksel-tests flags=(complain) {
@ -66,7 +66,7 @@ profile tasksel @{exec_path} flags=(complain) {

    # The following is needed when debconf uses dialog/whiptail frontend.
    @{bin}/whiptail rPx,
-    owner /tmp/file* w,
+    owner @{tmp}/file* w,

    /usr/share/debconf/confmodule r,

--- a/apparmor.d/profiles-s-z/terminator
+++ b/apparmor.d/profiles-s-z/terminator
@ -36,7 +36,7 @@ profile terminator @{exec_path} flags=(attach_disconnected) {

  owner @{user_config_dirs}/terminator/{,**} rw,

-  owner /tmp/#@{int} rw,
+  owner @{tmp}/#@{int} rw,

        @{PROC}/ r,
        @{PROC}/@{pid}/net/tcp{,6} r,
--- a/apparmor.d/profiles-s-z/thunderbird
+++ b/apparmor.d/profiles-s-z/thunderbird
@ -126,14 +126,14 @@ profile thunderbird @{exec_path} {

        /tmp/ r,
    /var/tmp/ r,
-  owner /tmp/@{name}{,_*}/ rw,
-  owner /tmp/@{name}{,_*}/* rwk,
-  owner /tmp/* rw,
-  owner /tmp/mozilla_*/ rw,
-  owner /tmp/mozilla_*/* rw,
-  owner /tmp/MozillaMailnews/ rw,
-  owner /tmp/MozillaMailnews/*.msf rw,
-  owner /tmp/Temp-@{uuid}/ rw,
+  owner @{tmp}/@{name}{,_*}/ rw,
+  owner @{tmp}/@{name}{,_*}/* rwk,
+  owner @{tmp}/* rw,
+  owner @{tmp}/mozilla_*/ rw,
+  owner @{tmp}/mozilla_*/* rw,
+  owner @{tmp}/MozillaMailnews/ rw,
+  owner @{tmp}/MozillaMailnews/*.msf rw,
+  owner @{tmp}/Temp-@{uuid}/ rw,

  @{run}/mount/utab r,

--- a/apparmor.d/profiles-s-z/thunderbird-glxtest
+++ b/apparmor.d/profiles-s-z/thunderbird-glxtest
@ -21,7 +21,7 @@ profile thunderbird-glxtest @{exec_path} {

  owner @{config_dirs}/*/.parentlock rw,

-  owner /tmp/thunderbird/.parentlock rw,
+  owner @{tmp}/thunderbird/.parentlock rw,

  owner @{PROC}/@{pid}/cmdline r,

--- a/apparmor.d/profiles-s-z/thunderbird-vaapitest
+++ b/apparmor.d/profiles-s-z/thunderbird-vaapitest
@ -20,7 +20,7 @@ profile thunderbird-vaapitest @{exec_path} {

  @{exec_path} mr,

-  owner /tmp/thunderbird/.parentlock rw,
+  owner @{tmp}/thunderbird/.parentlock rw,

  deny @{cache_dirs}/*/startupCache/** r,
  deny @{config_dirs}/*/.parentlock rw,
--- a/apparmor.d/profiles-s-z/tint2
+++ b/apparmor.d/profiles-s-z/tint2
@ -43,7 +43,7 @@ profile tint2 @{exec_path} {

  owner @{HOME}/.Xauthority r,

-  owner /tmp/tint2-@{pid}-@{int}.png rw,
+  owner @{tmp}/tint2-@{pid}-@{int}.png rw,

  # Battery applet
  @{sys}/class/power_supply/ r,
--- a/apparmor.d/profiles-s-z/transmission-qt
+++ b/apparmor.d/profiles-s-z/transmission-qt
@ -40,7 +40,7 @@ profile transmission-qt @{exec_path} {
  owner @{user_cache_dirs}/transmission/ rw,
  owner @{user_cache_dirs}/transmission/** rwk,

-  owner /tmp/tr_session_id_* rwk,
+  owner @{tmp}/tr_session_id_* rwk,

  deny owner @{PROC}/@{pid}/cmdline r,
       owner @{PROC}/@{pid}/mountinfo r,
--- a/apparmor.d/profiles-s-z/ucf
+++ b/apparmor.d/profiles-s-z/ucf
@ -1,116 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2019-2022 Mikhail Morfikov
-# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
-# SPDX-License-Identifier: GPL-2.0-only
-
-abi <abi/3.0>,
-
-include <tunables/global>
-
-@{exec_path} = @{bin}/ucf
-profile ucf @{exec_path} flags=(complain) {
-  include <abstractions/base>
-  include <abstractions/consoles>
-
-  @{exec_path} r,
-  @{sh_path}            rix,
-
-  @{bin}/{,e}grep       rix,
-  @{bin}/basename       rix,
-  @{bin}/cat            rix,
-  @{bin}/cp             rix,
-  @{bin}/dirname        rix,
-  @{bin}/{m,g,}awk      rix,
-  @{bin}/getopt         rix,
-  @{bin}/id             rix,
-  @{bin}/md5sum         rix,
-  @{bin}/mkdir          rix,
-  @{bin}/mv             rix,
-  @{bin}/perl           rix,
-  @{bin}/readlink       rix,
-  @{bin}/rm             rix,
-  @{bin}/sed            rix,
-  @{bin}/seq            rix,
-  @{bin}/stat           rix,
-  @{bin}/tr             rix,
-  @{bin}/which{,.debianutils}          rix,
-
-  # Do not strip env to avoid errors like the following:
-  #  ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open
-  #  shared object file): ignored.
-  @{bin}/dpkg-query     rpx,
-  #
-  @{bin}/dpkg-divert    rPx,
-
-  @{bin}/sensible-pager rCx -> pager,
-
-  # Think what to do about this (#FIXME#)
-  /usr/share/debconf/frontend     rPx,
-  #/usr/share/debconf/frontend    rCx -> frontend,
-
-  /etc/ucf.conf r,
-  /var/lib/ucf/** rw,
-
-  owner /tmp/* rw,
-  /etc/default/* rw,
-
-  # For md5sum
-  /etc/** r,
-  /usr/share/** r,
-  @{run}/** r,
-
-  # For writing new config files
-  /etc/** rw,
-
-  /usr/share/debconf/confmodule r,
-
-  # For shell pwd
-  / r,
-  /root/ r,
-
-
-  profile pager flags=(complain) {
-    include <abstractions/base>
-    include <abstractions/consoles>
-
-    @{bin}/                r,
-    @{bin}/sensible-pager mr,
-
-    # For shell pwd
-    /root/ r,
-
-  }
-
-  profile frontend flags=(complain) {
-    include <abstractions/base>
-    include <abstractions/consoles>
-    include <abstractions/perl>
-    include <abstractions/nameservice-strict>
-
-    /usr/share/debconf/frontend r,
-    @{bin}/perl r,
-
-    @{bin}/ucf rPx,
-
-    @{sh_path}        rix,
-    @{bin}/stty       rix,
-    @{bin}/locale     rix,
-
-    /etc/debconf.conf r,
-    owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk,
-
-    # The following is needed when debconf uses GUI frontends.
-    include <abstractions/gtk>
-    include <abstractions/fonts>
-    include <abstractions/fontconfig-cache-read>
-    include <abstractions/freedesktop.org>
-    capability dac_read_search,
-    @{bin}/lsb_release rPx -> lsb_release,
-    @{bin}/hostname    rix,
-    owner @{PROC}/@{pid}/mounts r,
-    @{HOME}/.Xauthority r,
-
-  }
-
-  include if exists <local/ucf>
-}
--- a/apparmor.d/profiles-s-z/udisksd
+++ b/apparmor.d/profiles-s-z/udisksd
@ -47,6 +47,9 @@ profile udisksd @{exec_path} flags=(attach_disconnected) {
  mount fstype={btrfs,ext*,vfat,exfat,iso9660,udf,ntfs3} /dev/mmcblk[0-9]         -> @{MOUNTS}/*/,
  mount fstype={btrfs,ext*,vfat,exfat,iso9660,udf,ntfs3} /dev/mmcblk[0-9]*p[0-9]* -> @{MOUNTS}/*/,

+  mount options=(rw move) -> @{MOUNTS}/,
+  mount options=(rw move) -> @{MOUNTS}/*/,
+
  # Allow mounting on temporary mount point
  mount -> @{run}/udisks2/temp-mount-*/,
  mount / -> @{MOUNTS}/*/,
--- a/apparmor.d/profiles-s-z/unix-chkpwd
+++ b/apparmor.d/profiles-s-z/unix-chkpwd
@ -19,6 +19,7 @@ profile unix-chkpwd @{exec_path} {

  @{exec_path} mr,

+  /etc/machine-id r,
  /etc/shadow r,

  # systemd userdb, used in nspawn
--- a/apparmor.d/profiles-s-z/unmkinitramfs
+++ b/apparmor.d/profiles-s-z/unmkinitramfs
@ -38,14 +38,14 @@ profile unmkinitramfs @{exec_path} {
        /boot/ r,
  owner /boot/initrd.img-* r,
        /tmp/ r,
-  owner /tmp/initrd.img-* r,
+  owner @{tmp}/initrd.img-* r,
        /mnt/ r,
  owner /mnt/initrd.img-* r,
        /mnt/boot/ r,
  owner /mnt/boot/initrd.img-* r,

  # To extract the content of the initrd image
-  owner /tmp/** rwl -> /tmp/**,
+  owner @{tmp}/** rwl -> /tmp/**,

        /var/tmp/ r,
  owner /var/tmp/unmkinitramfs_* rw,
--- a/apparmor.d/profiles-s-z/update-ca-certificates
+++ b/apparmor.d/profiles-s-z/update-ca-certificates
@ -53,7 +53,7 @@ profile update-ca-certificates @{exec_path} {
  / r,

        /tmp/ r,
-  owner /tmp/ca-certificates{,.crt}.tmp.* rw,
+  owner @{tmp}/ca-certificates{,.crt}.tmp.* rw,

  /dev/tty rw,

--- a/apparmor.d/profiles-s-z/update-cracklib
+++ b/apparmor.d/profiles-s-z/update-cracklib
@ -36,7 +36,7 @@ profile update-cracklib @{exec_path} {

  owner /var/cache/cracklib/{,**} rw,

-  owner /tmp/sort@{rand6} rw,
+  owner @{tmp}/sort@{rand6} rw,

  include if exists <local/update-cracklib>
 }
--- a/apparmor.d/profiles-s-z/uuidgen
+++ b/apparmor.d/profiles-s-z/uuidgen
@ -0,0 +1,17 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{bin}/uuidgen
+profile uuidgen @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/consoles>
+
+  @{exec_path} mr,
+
+  include if exists <local/uuidgen>
+}
--- a/apparmor.d/profiles-s-z/vcsi
+++ b/apparmor.d/profiles-s-z/vcsi
@ -28,7 +28,7 @@ profile vcsi @{exec_path} {

  /etc/fstab r,

-  owner /tmp/* rw,
+  owner @{tmp}/* rw,

  include if exists <local/vcsi>
 }
--- a/apparmor.d/profiles-s-z/vidcutter
+++ b/apparmor.d/profiles-s-z/vidcutter
@ -51,10 +51,10 @@ profile vidcutter @{exec_path} {
  owner @{user_config_dirs}/vidcutter/ rw,
  owner @{user_config_dirs}/vidcutter/* rwkl -> @{user_config_dirs}/vidcutter/#@{int},

-  owner /tmp/vidcutter-@{uuid} w,
-  owner /tmp/#@{int} rw,
-  owner /tmp/*.jpg rwl -> /tmp/#@{int},
-  owner /tmp/vidcutter/{,*} rw,
+  owner @{tmp}/vidcutter-@{uuid} w,
+  owner @{tmp}/#@{int} rw,
+  owner @{tmp}/*.jpg rwl -> /tmp/#@{int},
+  owner @{tmp}/vidcutter/{,*} rw,

  deny owner @{PROC}/@{pid}/cmdline r,
       owner @{PROC}/@{pid}/fd/ r,
--- a/apparmor.d/profiles-s-z/virt-manager
+++ b/apparmor.d/profiles-s-z/virt-manager
@ -85,10 +85,11 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) {
  @{sys}/devices/**/hwmon/**/{,name,temp*,fan*} r,
  @{sys}/devices/virtual/drm/ttm/uevent r,

+        @{PROC}/@{pids}/net/route r,
+  owner @{PROC}/@{pid}/fd/ r,
  owner @{PROC}/@{pid}/mountinfo r,
  owner @{PROC}/@{pid}/mounts r,
-  owner @{PROC}/@{pid}/fd/ r,
-        @{PROC}/@{pids}/net/route r,
+  owner @{PROC}/@{pid}/stat r,

  /dev/media@{int} r,
  /dev/video@{int} rw,
--- a/apparmor.d/profiles-s-z/vsftpd
+++ b/apparmor.d/profiles-s-z/vsftpd
@ -10,13 +10,10 @@ include <tunables/global>
@{exec_path} = @{bin}/vsftpd
 profile vsftpd @{exec_path} {
  include <abstractions/base>
-  include <abstractions/nameservice>
-
-  # Only for local users authentication
  include <abstractions/authentication>
-
-  # For libwrap (TCP Wrapper) support (tcp_wrappers=YES)
  include <abstractions/hosts_access>
+  include <abstractions/nameservice>
+  include <abstractions/wutmp>

  # To be able to listen on ports < 1024
  capability net_bind_service,
@ -43,7 +40,8 @@ profile vsftpd @{exec_path} {
  capability net_admin,
  capability dac_read_search,
  # If session_support=YES, vsftpd will also try and update utmp and wtmp
-  include <abstractions/wutmp>
+
+  @{exec_path} mr,

  # To validate allowed users shells
  /etc/shells r,
--- a/apparmor.d/profiles-s-z/whatis
+++ b/apparmor.d/profiles-s-z/whatis
@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2024 Zane Zakraisek <zz@eng.utah.edu>
+# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

 abi <abi/3.0>,
@ -24,5 +25,8 @@ profile whatis @{exec_path} {

  owner @{HOME}/.manpath r,

+  owner @{user_share_dirs}/man/{,**/}{,whatis} r,
+  owner @{user_share_dirs}/man/{,**/}index.{bt,db,dir,pag} rk,
+
  include if exists <local/whatis>
 }
--- a/apparmor.d/profiles-s-z/whiptail
+++ b/apparmor.d/profiles-s-z/whiptail
@ -18,7 +18,7 @@ profile whiptail @{exec_path} flags=(complain) {

  /etc/newt/palette.* r,

-  owner /tmp/gpm* w,
+  owner @{tmp}/gpm* w,

  include if exists <local/whiptail>
 }
--- a/apparmor.d/profiles-s-z/wireshark
+++ b/apparmor.d/profiles-s-z/wireshark
@ -48,7 +48,7 @@ profile wireshark @{exec_path} {
  owner @{HOME}/.wireshark/{,**} rw,
  owner @{user_config_dirs}/wireshark/{,**} rw,

-  owner /tmp/wireshark_extcap_ciscodump_@{int}_* rw,
+  owner @{tmp}/wireshark_extcap_ciscodump_@{int}_* rw,

  deny       @{PROC}/sys/kernel/random/boot_id r,
  deny owner @{PROC}/@{pid}/cmdline r,
--- a/apparmor.d/profiles-s-z/wl-copy
+++ b/apparmor.d/profiles-s-z/wl-copy
@ -17,7 +17,7 @@ profile wl-copy @{exec_path} {

  @{bin}/xdg-mime rPx,

-  owner /tmp/wl-copy-buffer-*/{,**} rw,
+  owner @{tmp}/wl-copy-buffer-*/{,**} rw,

  /dev/tty rw,

--- a/apparmor.d/profiles-s-z/wpa-cli
+++ b/apparmor.d/profiles-s-z/wpa-cli
@ -21,7 +21,7 @@ profile wpa-cli @{exec_path} {
  owner @{HOME}/.wpa_cli_history-@{int}.tmp rw,

  owner @{run}/wpa_supplicant/ r,
-  owner /tmp/wpa_ctrl_@{pid}-[0-9] rw,
+  owner @{tmp}/wpa_ctrl_@{pid}-[0-9] rw,

  include if exists <local/wpa-cli>
 }
--- a/apparmor.d/profiles-s-z/wpa-gui
+++ b/apparmor.d/profiles-s-z/wpa-gui
@ -24,7 +24,7 @@ profile wpa-gui @{exec_path} {

  /usr/share/hwdata/pnp.ids r,

-  owner /tmp/wpa_ctrl_@{pid}-[0-9] w,
+  owner @{tmp}/wpa_ctrl_@{pid}-[0-9] w,
  owner /dev/shm/#@{int} rw,

  @{run}/wpa_supplicant/ r,
--- a/apparmor.d/profiles-s-z/xarchiver
+++ b/apparmor.d/profiles-s-z/xarchiver
@ -56,7 +56,7 @@ profile xarchiver @{exec_path} {
        @{MOUNTS}/ r,
        @{MOUNTS}/** rw,
        /tmp/ r,
-  owner /tmp/** rw,
+  owner @{tmp}/** rw,

  owner @{PROC}/@{pid}/fd/ r,
        @{PROC}/@{pid}/mountinfo r,
--- a/apparmor.d/profiles-s-z/xauth
+++ b/apparmor.d/profiles-s-z/xauth
@ -26,15 +26,15 @@ profile xauth @{exec_path} {
  owner @{HOME}/.Xauthority-n rw,
  owner @{HOME}/.Xauthority   rwl -> @{HOME}/.Xauthority-n,

-  owner /tmp/serverauth.*-c  w,
-  owner /tmp/serverauth.*-l  wl -> /tmp/serverauth.*-c,
-  owner /tmp/serverauth.*-n rw,
-  owner /tmp/serverauth.*   rwl -> /tmp/serverauth.*-n,
+  owner @{tmp}/serverauth.*-c  w,
+  owner @{tmp}/serverauth.*-l  wl -> /tmp/serverauth.*-c,
+  owner @{tmp}/serverauth.*-n rw,
+  owner @{tmp}/serverauth.*   rwl -> /tmp/serverauth.*-n,

-  owner /tmp/runtime-*/xauth_@{rand6} r,
-  owner /tmp/xauth_@{rand6} r,
-  owner /tmp/xauth_@{rand6}-c w,
-  owner /tmp/xauth_@{rand6}-l wl,
+  owner @{tmp}/runtime-*/xauth_@{rand6} r,
+  owner @{tmp}/xauth_@{rand6} r,
+  owner @{tmp}/xauth_@{rand6}-c w,
+  owner @{tmp}/xauth_@{rand6}-l wl,

  owner @{run}/user/@{uid}/xauth_@{rand6} rw,
  owner @{run}/user/@{uid}/xauth_@{rand6}-c w,
--- a/apparmor.d/profiles-s-z/xclip
+++ b/apparmor.d/profiles-s-z/xclip
@ -16,8 +16,8 @@ profile xclip @{exec_path} {

  @{exec_path} mr,

-  owner /tmp/mutt-* rw,
-  owner /tmp/xauth_@{rand6} r,
+  owner @{tmp}/mutt-* rw,
+  owner @{tmp}/xauth_@{rand6} r,

  owner @{HOME}/.Xauthority r,

--- a/apparmor.d/profiles-s-z/xinit
+++ b/apparmor.d/profiles-s-z/xinit
@ -70,8 +70,8 @@ profile xinit @{exec_path} {
  owner @{HOME}/.xserverrc r,
  owner @{HOME}/.xsession-errors w,

-  owner /tmp/file* rw,
-  owner /tmp/tmp.* rw,
+  owner @{tmp}/file* rw,
+  owner @{tmp}/tmp.* rw,

  /dev/tty rw,

--- a/apparmor.d/profiles-s-z/xsel
+++ b/apparmor.d/profiles-s-z/xsel
@ -19,7 +19,7 @@ profile xsel @{exec_path} {
  owner @{user_cache_dirs}/xsel.log rw,

  owner @{HOME}/.Xauthority r,
-  owner /tmp/xauth-@{int}-_[0-9] r,
+  owner @{tmp}/xauth-@{int}-_[0-9] r,

  # file_inherit
  owner /dev/tty@{int} rw,
--- a/apparmor.d/profiles-s-z/zed
+++ b/apparmor.d/profiles-s-z/zed
@ -43,7 +43,7 @@ profile zed @{exec_path} {
  @{run}/zed.state rwkl,
  @{run}/zfs-list.cache@* rw,

-  owner /tmp/tmp.* rw,
+  owner @{tmp}/tmp.* rw,

  @{sys}/bus/pci/slots/ r,
  @{sys}/bus/pci/slots/@{int}/address r,
--- a/apparmor.d/profiles-s-z/zenmap
+++ b/apparmor.d/profiles-s-z/zenmap
@ -37,8 +37,8 @@ profile zenmap @{exec_path} {

  /usr/share/zenmap/** r,

-  owner /tmp/* rw,
-  owner /tmp/zenmap-stdout-* rw,
+  owner @{tmp}/* rw,
+  owner @{tmp}/zenmap-stdout-* rw,

  include if exists <local/zenmap>
 }
--- a/apparmor.d/profiles-s-z/zpool
+++ b/apparmor.d/profiles-s-z/zpool
@ -18,15 +18,18 @@ profile zpool @{exec_path} {
  @{sh_path}        rix,
  /{usr/,}{local/,}lib/zfs-linux/zpool.d/* rix,

+  /usr/share/zfs/{,**} r,
+
  /etc/hostid r,
  /etc/zfs/*.cache rwk,

+  /tmp/tmp.* rw,
+
  @{run}/blkid/blkid.tab rw,
  @{run}/blkid/blkid.tab.old rwl,
  @{run}/blkid/blkid.tab-@{rand6} rwl,

-  /tmp/tmp.* rw,
-
+  @{sys}/module/zfs/** r,
  @{sys}/bus/pci/slots/ r,
  @{sys}/bus/pci/slots/@{int}/address r,