profiles: update the rest of the profiles to use @{exec_path}

Signed-off-by: John Johansen <john.johansen@canonical.com>
2025-08-31 14:25:52 +00:00 · 2025-04-28 13:17:49 -07:00
parent 6d0834da8e
commit 6e9ff1fa61
253 changed files with 281 additions and 180 deletions
--- a/profiles/apparmor.d/1password
+++ b/profiles/apparmor.d/1password
@@ -6,6 +6,7 @@ include <tunables/global>

 profile 1password /opt/1Password/1password flags=(unconfined) {
  userns,
+  @{exec_path} mr,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/1password>
--- a/profiles/apparmor.d/Discord
+++ b/profiles/apparmor.d/Discord
@@ -6,6 +6,7 @@ include <tunables/global>

 profile Discord /usr/share/discord/Discord flags=(unconfined) {
  userns,
+  @{exec_path} mr,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/Discord>
--- a/profiles/apparmor.d/MongoDB_Compass
+++ b/profiles/apparmor.d/MongoDB_Compass
@@ -6,6 +6,7 @@ include <tunables/global>

 profile "MongoDB Compass" "/usr/lib/mongodb-compass/MongoDB Compass" flags=(unconfined) {
  userns,
+  @{exec_path} mr,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/MongoDB_Compass>
--- a/profiles/apparmor.d/QtWebEngineProcess
+++ b/profiles/apparmor.d/QtWebEngineProcess
@@ -6,6 +6,7 @@ include <tunables/global>

 profile QtWebEngineProcess /usr/lib/@{multiarch}/qt{5,6}/libexec/QtWebEngineProcess flags=(unconfined) {
  userns,
+  @{exec_path} mr,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/QtWebEngineProcess>
--- a/profiles/apparmor.d/Xorg
+++ b/profiles/apparmor.d/Xorg
@@ -58,7 +58,7 @@ profile Xorg /usr/lib/xorg/Xorg flags=(attach_disconnected, complain) {
  /{,usr/}bin/{bash,dash,sh} ix,
  /usr/bin/xkbcomp           ix,

-  @{exec_path)            mr,
+  @{exec_path}            mr,

  @{PROC}/cmdline         r,
  @{PROC}/@{pid}/cmdline  r,
--- a/profiles/apparmor.d/balena-etcher
+++ b/profiles/apparmor.d/balena-etcher
@@ -6,6 +6,7 @@ include <tunables/global>

 profile balena-etcher /usr/lib/balena-etcher/balena-etcher flags=(unconfined) {
  userns,
+  @{exec_path} mr,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/balena-etcher>
--- a/profiles/apparmor.d/brave
+++ b/profiles/apparmor.d/brave
@@ -6,6 +6,7 @@ include <tunables/global>

 profile brave /opt/brave.com/brave/brave flags=(unconfined) {
  userns,
+  @{exec_path} mr,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/brave>
--- a/profiles/apparmor.d/buildah
+++ b/profiles/apparmor.d/buildah
@@ -6,6 +6,7 @@ include <tunables/global>

 profile buildah /usr/bin/buildah flags=(unconfined) {
  userns,
+  @{exec_path} mr,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/buildah>
--- a/profiles/apparmor.d/busybox
+++ b/profiles/apparmor.d/busybox
@@ -6,6 +6,7 @@ include <tunables/global>

 profile busybox /usr/bin/busybox flags=(unconfined) {
  userns,
+  @{exec_path} mr,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/busybox>
--- a/profiles/apparmor.d/cam
+++ b/profiles/apparmor.d/cam
@@ -6,6 +6,7 @@ include <tunables/global>

 profile cam /usr/bin/cam flags=(unconfined) {
  userns,
+  @{exec_path} mr,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/cam>
--- a/profiles/apparmor.d/ch-checkns
+++ b/profiles/apparmor.d/ch-checkns
@@ -6,6 +6,7 @@ include <tunables/global>

 profile ch-checkns /usr/bin/ch-checkns flags=(unconfined) {
  userns,
+  @{exec_path} mr,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/ch-checkns>
--- a/profiles/apparmor.d/ch-run
+++ b/profiles/apparmor.d/ch-run
@@ -6,6 +6,7 @@ include <tunables/global>

 profile ch-run /usr/bin/ch-run flags=(unconfined) {
  userns,
+  @{exec_path} mr,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/ch-run>
--- a/profiles/apparmor.d/chrome
+++ b/profiles/apparmor.d/chrome
@@ -6,6 +6,7 @@ include <tunables/global>

 profile chrome /opt/google/chrome/chrome flags=(unconfined) {
  userns,
+  @{exec_path} mr,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/chrome>
--- a/profiles/apparmor.d/chromium
+++ b/profiles/apparmor.d/chromium
@@ -8,6 +8,7 @@ include <tunables/global>

 profile chromium /usr/lib/@{chromium}/@{chromium} flags=(unconfined) {
  userns,
+  @{exec_path} mr,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/chromium>
--- a/profiles/apparmor.d/code
+++ b/profiles/apparmor.d/code
@@ -6,6 +6,7 @@ include <tunables/global>

 profile vscode /usr/share/code{/bin,}/code flags=(unconfined) {
  userns,
+  @{exec_path} mr,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/code>
--- a/profiles/apparmor.d/crun
+++ b/profiles/apparmor.d/crun
@@ -6,6 +6,7 @@ include <tunables/global>

 profile crun /usr/bin/crun flags=(unconfined) {
  userns,
+  @{exec_path} mr,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/crun>
--- a/profiles/apparmor.d/devhelp
+++ b/profiles/apparmor.d/devhelp
@@ -6,6 +6,7 @@ include <tunables/global>

 profile devhelp /usr/bin/devhelp flags=(unconfined) {
  userns,
+  @{exec_path} mr,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/devhelp>
--- a/profiles/apparmor.d/element-desktop
+++ b/profiles/apparmor.d/element-desktop
@@ -6,6 +6,7 @@ include <tunables/global>

 profile element-desktop /opt/Element/element-desktop flags=(unconfined) {
  userns,
+  @{exec_path} mr,

 # Site-specific additions and overrides. See local/README for details.
  include if exists <local/element-desktop>
--- a/profiles/apparmor.d/epiphany
+++ b/profiles/apparmor.d/epiphany
@@ -6,6 +6,7 @@ include <tunables/global>

 profile epiphany /usr/bin/epiphany{,-browser} flags=(unconfined) {
  userns,
+  @{exec_path} mr,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/epiphany>
--- a/profiles/apparmor.d/evolution
+++ b/profiles/apparmor.d/evolution
@@ -6,6 +6,7 @@ include <tunables/global>

 profile evolution /usr/bin/evolution flags=(unconfined) {
  userns,
+  @{exec_path} mr,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/evolution>
--- a/profiles/apparmor.d/firefox
+++ b/profiles/apparmor.d/firefox
@@ -7,6 +7,8 @@ include <tunables/global>
 profile firefox /{usr/lib/firefox{,-esr,-beta,-devedition,-nightly},opt/firefox}/firefox{,-esr,-bin} flags=(unconfined) {
  userns,

+  @{exec_path} mr,
+
  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/firefox>
 }
--- a/profiles/apparmor.d/flatpak
+++ b/profiles/apparmor.d/flatpak
@@ -6,6 +6,7 @@ include <tunables/global>

 profile flatpak /usr/bin/flatpak flags=(unconfined) {
  userns,
+  @{exec_path} mr,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/flatpak>
--- a/profiles/apparmor.d/foliate
+++ b/profiles/apparmor.d/foliate
@@ -6,6 +6,7 @@ include <tunables/global>

 profile foliate /usr/bin/foliate flags=(unconfined) {
  userns,
+  @{exec_path} mr,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/foliate>
--- a/profiles/apparmor.d/fusermount3
+++ b/profiles/apparmor.d/fusermount3
@@ -36,7 +36,7 @@ profile fusermount3 /usr/bin/fusermount3 {
  @{etc_ro}/fuse.conf r,
  @{PROC}/@{pid}/mounts r,

-  /usr/bin/fusermount3 mr,
+  @{exec_path} mr,

  include if exists <local/fusermount3>
 }
--- a/profiles/apparmor.d/geary
+++ b/profiles/apparmor.d/geary
@@ -6,6 +6,7 @@ include <tunables/global>

 profile geary /usr/bin/geary flags=(unconfined) {
  userns,
+  @{exec_path} mr,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/geary>
--- a/profiles/apparmor.d/github-desktop
+++ b/profiles/apparmor.d/github-desktop
@@ -6,6 +6,7 @@ include <tunables/global>

 profile github-desktop /usr/lib/github-desktop/github-desktop flags=(unconfined) {
  userns,
+  @{exec_path} mr,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/github-desktop>
--- a/profiles/apparmor.d/goldendict
+++ b/profiles/apparmor.d/goldendict
@@ -6,6 +6,7 @@ include <tunables/global>

 profile goldendict /usr/bin/goldendict flags=(unconfined) {
  userns,
+  @{exec_path} mr,
  
  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/goldendict>
--- a/profiles/apparmor.d/iotop-c
+++ b/profiles/apparmor.d/iotop-c
@@ -15,7 +15,7 @@ profile iotop-c /usr/sbin/iotop-c {

  /proc/*/cmdline r,
  /proc/*/task/ r,
-  /usr/sbin/iotop-c mr,
+  @{exec_path} mr,
  /proc/ r,
  /proc/sys/kernel/task_delayacct rw,
  /proc/vmstat r,
--- a/profiles/apparmor.d/ipa_verify
+++ b/profiles/apparmor.d/ipa_verify
@@ -3,6 +3,9 @@ abi <abi/4.0>,
 include <tunables/global>

@{arg1}=/**/*.so
+profile ipa_verify /usr/bin/ipa_verify flags=(unconfined) {
+  userns,
+  @{exec_path} mr,

 profile ipa_verify /usr/bin/ipa_verify {
    include <abstractions/base>
--- a/profiles/apparmor.d/kchmviewer
+++ b/profiles/apparmor.d/kchmviewer
@@ -6,6 +6,7 @@ include <tunables/global>

 profile kchmviewer /usr/bin/kchmviewer flags=(unconfined) {
  userns,
+  @{exec_path} mr,
  
  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/kchmviewer>
--- a/profiles/apparmor.d/keybase
+++ b/profiles/apparmor.d/keybase
@@ -6,6 +6,7 @@ include <tunables/global>

 profile keybase /opt/keybase/Keybase flags=(unconfined) {
  userns,
+  @{exec_path} mr,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/keybase>
--- a/profiles/apparmor.d/lc-compliance
+++ b/profiles/apparmor.d/lc-compliance
@@ -6,6 +6,7 @@ include <tunables/global>

 profile lc-compliance /usr/bin/lc-compliance flags=(unconfined) {
  userns,
+  @{exec_path} mr,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/lc-compliance>
--- a/profiles/apparmor.d/ldpd
+++ b/profiles/apparmor.d/ldpd
@@ -18,7 +18,7 @@ profile ldpd /usr/lib/frr/ldpd flags=(attach_disconnected) {
  include <abstractions/frr>
  include <abstractions/frr-snmp>

-  /usr/lib/frr/ldpd ix,
+  @{exec_path} mrix,
  @{run}/frr/ldpd.sock rw,

  # Site-specific additions and overrides. See local/README for details.
--- a/profiles/apparmor.d/libcamerify
+++ b/profiles/apparmor.d/libcamerify
@@ -6,6 +6,7 @@ include <tunables/global>

 profile libcamerify /usr/bin/libcamerify flags=(unconfined) {
  userns,
+  @{exec_path} mr,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/libcamerify>
--- a/profiles/apparmor.d/linux-sandbox
+++ b/profiles/apparmor.d/linux-sandbox
@@ -6,6 +6,7 @@ include <tunables/global>

 profile linux-sandbox /usr/libexec/@{multiarch}/bazel/linux-sandbox flags=(unconfined) {
  userns,
+  @{exec_path} mr,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/linux-sandbox>
--- a/profiles/apparmor.d/loupe
+++ b/profiles/apparmor.d/loupe
@@ -6,6 +6,7 @@ include <tunables/global>

 profile loupe /usr/bin/loupe flags=(unconfined) {
  userns,
+  @{exec_path} mr,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/loupe>
--- a/profiles/apparmor.d/lsb_release
+++ b/profiles/apparmor.d/lsb_release
@@ -18,7 +18,6 @@ profile lsb_release {

  /dev/tty rw,

-  /usr/bin/lsb_release r,
  /usr/bin/python3.{1,}[0-9] mr,

  /etc/debian_version r,
--- a/profiles/apparmor.d/lsblk
+++ b/profiles/apparmor.d/lsblk
@@ -17,7 +17,7 @@ profile lsblk /usr/bin/lsblk {
  include <abstractions/consoles>
  include <abstractions/nameservice-strict>

-  /usr/bin/lsblk mr,
+  @{exec_path} mr,

  @{sys}/block/ r,
  @{sys}/class/block/ r,
--- a/profiles/apparmor.d/lxc-attach
+++ b/profiles/apparmor.d/lxc-attach
@@ -6,6 +6,7 @@ include <tunables/global>

 profile lxc-attach /usr/bin/lxc-attach flags=(unconfined) {
  userns,
+  @{exec_path} mr,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/lxc-attach>
--- a/profiles/apparmor.d/lxc-create
+++ b/profiles/apparmor.d/lxc-create
@@ -6,6 +6,7 @@ include <tunables/global>

 profile lxc-create /usr/bin/lxc-create flags=(unconfined) {
  userns,
+  @{exec_path} mr,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/lxc-create>
--- a/profiles/apparmor.d/lxc-destroy
+++ b/profiles/apparmor.d/lxc-destroy
@@ -6,6 +6,7 @@ include <tunables/global>

 profile lxc-destroy /usr/bin/lxc-destroy flags=(unconfined) {
  userns,
+  @{exec_path} mr,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/lxc-destroy>
--- a/profiles/apparmor.d/lxc-execute
+++ b/profiles/apparmor.d/lxc-execute
@@ -6,6 +6,7 @@ include <tunables/global>

 profile lxc-execute /usr/bin/lxc-execute flags=(unconfined) {
  userns,
+  @{exec_path} mr,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/lxc-execute>
--- a/profiles/apparmor.d/lxc-stop
+++ b/profiles/apparmor.d/lxc-stop
@@ -6,6 +6,7 @@ include <tunables/global>

 profile lxc-stop /usr/bin/lxc-stop flags=(unconfined) {
  userns,
+  @{exec_path} mr,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/lxc-stop>
--- a/profiles/apparmor.d/lxc-unshare
+++ b/profiles/apparmor.d/lxc-unshare
@@ -6,6 +6,7 @@ include <tunables/global>

 profile lxc-unshare /usr/bin/lxc-unshare flags=(unconfined) {
  userns,
+  @{exec_path} mr,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/lxc-unshare>
--- a/profiles/apparmor.d/lxc-usernsexec
+++ b/profiles/apparmor.d/lxc-usernsexec
@@ -6,6 +6,7 @@ include <tunables/global>

 profile lxc-usernsexec /usr/bin/lxc-usernsexec flags=(unconfined) {
  userns,
+  @{exec_path} mr,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/lxc-usernsexec>
--- a/profiles/apparmor.d/mmdebstrap
+++ b/profiles/apparmor.d/mmdebstrap
@@ -6,6 +6,7 @@ include <tunables/global>

 profile mmdebstrap /usr/bin/mmdebstrap flags=(unconfined) {
  userns,
+  @{exec_path} mr,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/mmdebstrap>
--- a/profiles/apparmor.d/msedge
+++ b/profiles/apparmor.d/msedge
@@ -6,6 +6,7 @@ include <tunables/global>

 profile msedge /opt/microsoft/msedge/msedge flags=(unconfined) {
  userns,
+  @{exec_path} mr,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/msedge>
--- a/profiles/apparmor.d/nautilus
+++ b/profiles/apparmor.d/nautilus
@@ -6,6 +6,7 @@ include <tunables/global>

 profile nautilus /usr/bin/nautilus flags=(unconfined) {
  userns,
+  @{exec_path} mr,

  # Site-specific additions and overrides.  See local/README for details.
  include if exists <local/nautilus>
--- a/profiles/apparmor.d/notepadqq
+++ b/profiles/apparmor.d/notepadqq
@@ -6,6 +6,7 @@ include <tunables/global>

 profile notepadqq /{{usr/bin,etc/alternatives}/notepadqq,usr/lib/notepadqq/notepadqq.sh} flags=(unconfined) {
  userns,
+  @{exec_path} mr,
  
  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/notepadqq>
--- a/profiles/apparmor.d/nvidia_modprobe
+++ b/profiles/apparmor.d/nvidia_modprobe
@@ -16,8 +16,6 @@ profile nvidia_modprobe {

  # Main executable

-  /usr/bin/nvidia-modprobe mr,
-
  # Other executables

  /usr/bin/kmod Cx -> kmod,
--- a/profiles/apparmor.d/obsidian
+++ b/profiles/apparmor.d/obsidian
@@ -6,6 +6,7 @@ include <tunables/global>

 profile obsidian /opt/Obsidian/obsidian flags=(unconfined) {
  userns,
+  @{exec_path} mr,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/obsidian>
--- a/profiles/apparmor.d/opam
+++ b/profiles/apparmor.d/opam
@@ -6,6 +6,7 @@ include <tunables/global>

 profile opam /usr/bin/opam flags=(unconfined) {
  userns,
+  @{exec_path} mr,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/opam>
--- a/profiles/apparmor.d/opera
+++ b/profiles/apparmor.d/opera
@@ -6,6 +6,7 @@ include <tunables/global>

 profile opera /usr/lib/@{multiarch}/opera/opera flags=(unconfined) {
  userns,
+  @{exec_path} mr,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/opera>
--- a/profiles/apparmor.d/pageedit
+++ b/profiles/apparmor.d/pageedit
@@ -6,6 +6,7 @@ include <tunables/global>

 profile pageedit /usr/bin/pageedit flags=(unconfined) {
  userns,
+  @{exec_path} mr,
  
  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/pageedit>
--- a/profiles/apparmor.d/php-fpm
+++ b/profiles/apparmor.d/php-fpm
@@ -40,7 +40,7 @@ profile php-fpm /usr/{bin,sbin}/php-fpm* flags=(attach_disconnected) {
  owner @{run}/systemd/notify w,

  # to reload
-  /usr/{bin,sbin}/php-fpm* rix,
+  @{exec_path} rix,

  # no idea why php tries to open / read/write
  deny / rw,
--- a/profiles/apparmor.d/plasmashell
+++ b/profiles/apparmor.d/plasmashell
@@ -26,6 +26,7 @@ profile plasmashell /usr/bin/plasmashell {
  /** pux,

  /{,**} mrwlk,
+  @{exec_path} mr,

  profile QtWebEngineProcess {
    capability,
--- a/profiles/apparmor.d/podman
+++ b/profiles/apparmor.d/podman
@@ -6,6 +6,7 @@ include <tunables/global>

 profile podman /usr/bin/podman flags=(unconfined) {
  userns,
+  @{exec_path} mr,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/podman>
--- a/profiles/apparmor.d/polypane
+++ b/profiles/apparmor.d/polypane
@@ -6,6 +6,7 @@ include <tunables/global>

 profile polypane /opt/Polypane/polypane flags=(unconfined) {
  userns,
+  @{exec_path} mr,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/polypane>
--- a/profiles/apparmor.d/privacybrowser
+++ b/profiles/apparmor.d/privacybrowser
@@ -6,6 +6,7 @@ include <tunables/global>

 profile privacybrowser /usr/bin/privacybrowser flags=(unconfined) {
  userns,
+  @{exec_path} mr,
  
  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/privacybrowser>
--- a/profiles/apparmor.d/qcam
+++ b/profiles/apparmor.d/qcam
@@ -6,6 +6,7 @@ include <tunables/global>

 profile qcam /usr/bin/qcam flags=(unconfined) {
  userns,
+  @{exec_path} mr,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/qcam>
--- a/profiles/apparmor.d/qmapshack
+++ b/profiles/apparmor.d/qmapshack
@@ -6,6 +6,7 @@ include <tunables/global>

 profile qmapshack /usr/bin/qmapshack flags=(unconfined) {
  userns,
+  @{exec_path} mr,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/qmapshack>
--- a/profiles/apparmor.d/qutebrowser
+++ b/profiles/apparmor.d/qutebrowser
@@ -6,6 +6,7 @@ include <tunables/global>

 profile qutebrowser /usr/bin/qutebrowser flags=(unconfined) {
  userns,
+  @{exec_path} mr,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/qutebrowser>
--- a/profiles/apparmor.d/remmina
+++ b/profiles/apparmor.d/remmina
@@ -49,7 +49,7 @@ profile remmina /usr/bin/remmina {
  dbus (send) bus=system path="/StatusNotifierWatcher" interface="org.kde.StatusNotifierWatcher" member=RegisterStatusNotifierItem peer=(label=@{StatusNotifierWatcher}),

  @{etc_ro}/fstab r,
-  /usr/bin/remmina mr,
+  @{exec_path} mr,
  /usr/share/remmina/{,**} r,
  /var/lib/snapd/desktop/icons/{,**} r,
  /etc/debian_version r,
--- a/profiles/apparmor.d/rootlesskit
+++ b/profiles/apparmor.d/rootlesskit
@@ -6,6 +6,7 @@ include <tunables/global>

 profile rootlesskit /usr/bin/rootlesskit flags=(unconfined) {
  userns,
+  @{exec_path} mr,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/rootlesskit>
--- a/profiles/apparmor.d/rpm
+++ b/profiles/apparmor.d/rpm
@@ -6,6 +6,7 @@ include <tunables/global>

 profile rpm /usr/bin/rpm flags=(unconfined) {
  userns,
+  @{exec_path} mr,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/rpm>
--- a/profiles/apparmor.d/rssguard
+++ b/profiles/apparmor.d/rssguard
@@ -6,6 +6,7 @@ include <tunables/global>

 profile rssguard /usr/bin/rssguard flags=(unconfined) {
  userns,
+  @{exec_path} mr,
  
  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/rssguard>
--- a/profiles/apparmor.d/runc
+++ b/profiles/apparmor.d/runc
@@ -6,6 +6,7 @@ include <tunables/global>

 profile runc /usr/{bin,sbin}/runc flags=(unconfined) {
  userns,
+  @{exec_path} mr,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/runc>
--- a/profiles/apparmor.d/rygel
+++ b/profiles/apparmor.d/rygel
@@ -32,7 +32,7 @@ profile rygel /usr/bin/rygel {

  file r @{etc_ro}/rygel.conf,

-  file mr /usr/bin/rygel,
+  file mr @{exec_path},

  file Cx /usr/libexec/rygel/mx-extract -> mx-extract,

--- a/profiles/apparmor.d/samba-bgqd
+++ b/profiles/apparmor.d/samba-bgqd
@@ -15,7 +15,7 @@ profile samba-bgqd /usr/lib*/samba/{,samba/}samba-bgqd {

  @{run}/{,samba/}samba-bgqd.pid rwk,

-  /usr/lib*/samba/{,samba/}samba-bgqd mr,
+  @{exec_path} mr,
  /var/cache/samba/printing/*.tdb rwk,

  # Site-specific additions and overrides. See local/README for details.
--- a/profiles/apparmor.d/samba-dcerpcd
+++ b/profiles/apparmor.d/samba-dcerpcd
@@ -20,7 +20,7 @@ profile samba-dcerpcd /usr/lib*/samba/{,samba/}samba-dcerpcd {

  @{run}/{,samba/}samba-dcerpcd.pid rwk,

-  /usr/lib*/samba/{,samba/}samba-dcerpcd mr,
+  @{exec_path} mr,

  /usr/lib*/samba/ r,
  /usr/lib*/samba/{,samba/}rpcd_{mdssvc,epmapper,rpcecho,fsrvp,lsad,winreg,witness} Px -> samba-rpcd,
--- a/profiles/apparmor.d/samba-rpcd
+++ b/profiles/apparmor.d/samba-rpcd
@@ -18,7 +18,7 @@ profile samba-rpcd /usr/lib*/samba/{,samba/}rpcd_{mdssvc,epmapper,rpcecho,fsrvp,

  capability sys_resource,

-  /usr/lib*/samba/{,samba/}rpcd_{mdssvc,epmapper,rpcecho,fsrvp,lsad,winreg,witness} mr,
+  @{exec_path} mr,

  @{run}/samba/ncalrpc/np/lsarpc wr,
  @{run}/samba/ncalrpc/np/mdssvc wr,
--- a/profiles/apparmor.d/samba-rpcd-classic
+++ b/profiles/apparmor.d/samba-rpcd-classic
@@ -19,7 +19,7 @@ profile samba-rpcd-classic /usr/lib*/samba/{,samba/}rpcd_classic {

  capability sys_resource,

-  /usr/lib*/samba/{,samba/}rpcd_classic mr,
+  @{exec_path} mr,

  @{run}/samba/ncalrpc/np/srvsvc wr,
  @{run}/samba/ncalrpc/np/winreg wr,
--- a/profiles/apparmor.d/samba-rpcd-spoolss
+++ b/profiles/apparmor.d/samba-rpcd-spoolss
@@ -16,7 +16,7 @@ include <tunables/global>
 profile samba-rpcd-spoolss /usr/lib*/samba/{,samba/}rpcd_spoolss {
  include <abstractions/samba-rpcd>

-  /usr/lib*/samba/{,samba/}rpcd_spoolss mr,
+  @{exec_path} mr,
  /usr/lib*/samba/{,samba/}samba-bgqd Px -> samba-bgqd,
  /var/cache/samba/printing/ w,
  /var/cache/samba/printing/*.tdb rwk,
--- a/profiles/apparmor.d/sbin.klogd
+++ b/profiles/apparmor.d/sbin.klogd
@@ -26,7 +26,7 @@ profile klogd /{usr/,}{bin,sbin}/klogd {
  @{PROC}/kallsyms	r,
  /dev/tty		rw,

-  /{usr/,}{bin,sbin}/klogd	rmix,
+  @{exec_path} mrix,
  /var/log/boot.msg     rwl,
  @{run}/klogd.pid    krwl,
  @{run}/klogd/klogd.pid krwl,
--- a/profiles/apparmor.d/sbin.syslog-ng
+++ b/profiles/apparmor.d/sbin.syslog-ng
@@ -47,7 +47,7 @@ profile syslog-ng /{usr/,}{bin,sbin}/syslog-ng {
  /etc/syslog-ng/conf.d/ r,
  /etc/syslog-ng/conf.d/* r,
  @{PROC}/kmsg r,
-  /{usr/,}{bin,sbin}/syslog-ng mr,
+  @{exec_path} mr,
  @{sys}/devices/system/cpu/online r,
  /usr/share/syslog-ng/** r,
  /var/lib/syslog-ng/syslog-ng-?????.qf rw,
--- a/profiles/apparmor.d/sbin.syslogd
+++ b/profiles/apparmor.d/sbin.syslogd
@@ -38,7 +38,7 @@ profile syslogd /{usr/,}{bin,sbin}/syslogd {
  /etc/syslog.conf              r,
  /etc/syslog.d/                r,
  /etc/syslog.d/*               r,
-  /{usr/,}{bin,sbin}/syslogd    rmix,
+  @{exec_path} mrix,
  /var/log/**                   rw,
  @{run}/syslog.pid           krwl,
  @{run}/syslogd.pid          krwl,
--- a/profiles/apparmor.d/sbuild
+++ b/profiles/apparmor.d/sbuild
@@ -8,8 +8,9 @@ profile sbuild /usr/bin/sbuild flags=(attach_disconnected mediate_deleted) {
  allow all,

  userns,
+  @{exec_path} mrix,

-  # override default pix
+  # override default pix, assumes allow all ix is at lower priority
  /usr/bin/unshare ix,

  # Site-specific additions and overrides. See local/README for details.
--- a/profiles/apparmor.d/sbuild-abort
+++ b/profiles/apparmor.d/sbuild-abort
@@ -6,8 +6,9 @@ include <tunables/global>

 profile sbuild-abort /usr/bin/sbuild-abort flags=(attach_disconnected mediate_deleted) {
  allow all,
+  @{exec_path} mrix,

-  # override default pix
+  # override default pix, assumes allow all is at lower priority
  /usr/bin/unshare ix,

  userns,
--- a/profiles/apparmor.d/sbuild-adduser
+++ b/profiles/apparmor.d/sbuild-adduser
@@ -6,8 +6,9 @@ include <tunables/global>

 profile sbuild-adduser /usr/sbin/sbuild-adduser flags=(attach_disconnected mediate_deleted) {
  allow all,
+  @{exec_path} mrix,

-  # override default pix
+  # override default pix, assumes allow all is at a lower priority
  /usr/bin/unshare ix,

  userns,
--- a/profiles/apparmor.d/sbuild-apt
+++ b/profiles/apparmor.d/sbuild-apt
@@ -6,8 +6,9 @@ include <tunables/global>

 profile sbuild-apt /usr/bin/sbuild-apt flags=(attach_disconnected mediate_deleted) {
  allow all,
+  @{exec_path} mrix,

-  # override default pix
+  # override default pix, assumes allow all ix is at a lower priority
  /usr/bin/unshare ix,

  userns,
--- a/profiles/apparmor.d/sbuild-checkpackages
+++ b/profiles/apparmor.d/sbuild-checkpackages
@@ -6,8 +6,9 @@ include <tunables/global>

 profile sbuild-checkpackages /usr/bin/sbuild-checkpackages flags=(attach_disconnected mediate_deleted) {
  allow all,
+  @{exec_path} mrix,

-  # override default pix
+  # override default pix, assumes allow ix is at lower priority
  /usr/bin/unshare ix,

  userns,
--- a/profiles/apparmor.d/sbuild-clean
+++ b/profiles/apparmor.d/sbuild-clean
@@ -6,8 +6,9 @@ include <tunables/global>

 profile sbuild-clean /usr/bin/sbuild-clean flags=(attach_disconnected mediate_deleted) {
  allow all,
+  @{exec_path} mrix,

-  # override default pix
+  # override default pix, assumes allow all ix is at a lower priority
  /usr/bin/unshare ix,

  userns,
--- a/profiles/apparmor.d/sbuild-createchroot
+++ b/profiles/apparmor.d/sbuild-createchroot
@@ -6,8 +6,9 @@ include <tunables/global>

 profile sbuild-createchroot /usr/bin/sbuild-createchroot flags=(attach_disconnected mediate_deleted) {
  allow all,
+  @{exec_path} mrix,

-  # override default pix
+  # override default pix, assumes allow all ix is at a lower priority
  /usr/bin/unshare ix,

  userns,
--- a/profiles/apparmor.d/sbuild-destroychroot
+++ b/profiles/apparmor.d/sbuild-destroychroot
@@ -6,8 +6,9 @@ include <tunables/global>

 profile sbuild-destroychroot /usr/sbin/sbuild-destroychroot flags=(attach_disconnected mediate_deleted) {
  allow all,
+  @{exec_path} mrix,

-  # override default pix
+  # override default pix, assumes allow all ix is at a lower priority
  /usr/bin/unshare ix,

  userns,
--- a/profiles/apparmor.d/sbuild-distupgrade
+++ b/profiles/apparmor.d/sbuild-distupgrade
@@ -6,8 +6,9 @@ include <tunables/global>

 profile sbuild-distupgrade /usr/bin/sbuild-distupgrade flags=(attach_disconnected mediate_deleted) {
  allow all,
+  @{exec_path} mrix,

-  # override default pix
+  # override default pix, assumes allow all ix is at a lower priority
  /usr/bin/unshare ix,

  userns,
--- a/profiles/apparmor.d/sbuild-hold
+++ b/profiles/apparmor.d/sbuild-hold
@@ -6,8 +6,9 @@ include <tunables/global>

 profile sbuild-hold /usr/bin/sbuild-hold flags=(attach_disconnected mediate_deleted) {
  allow all,
+  @{exec_path} mrix,

-  # override default pix
+  # override default pix, assumes allow all ix is at a lower priority
  /usr/bin/unshare ix,

  userns,
--- a/profiles/apparmor.d/sbuild-shell
+++ b/profiles/apparmor.d/sbuild-shell
@@ -6,8 +6,9 @@ include <tunables/global>

 profile sbuild-shell /usr/bin/sbuild-shell flags=(attach_disconnected mediate_deleted) {
  allow all,
+  @{exec_path} mrix,

-  # override default pix
+  # override default pix, assumes allow all ix is at a lower priority
  /usr/bin/unshare ix,

  userns,
--- a/profiles/apparmor.d/sbuild-unhold
+++ b/profiles/apparmor.d/sbuild-unhold
@@ -6,8 +6,9 @@ include <tunables/global>

 profile sbuild-unhold /usr/bin/sbuild-unhold flags=(attach_disconnected mediate_deleted) {
  allow all,
+  @{exec_path} mrix,

-  # override default pix
+  # override default pix, assumes allow all ix is at a lower priority
  /usr/bin/unshare ix,

  userns,
--- a/profiles/apparmor.d/sbuild-update
+++ b/profiles/apparmor.d/sbuild-update
@@ -6,8 +6,9 @@ include <tunables/global>

 profile sbuild-update /usr/bin/sbuild-update flags=(attach_disconnected mediate_deleted) {
  allow all,
+  @{exec_path} mrix,

-  # override default pix
+  # override default pix, assumes allow all ix is at a lower priority
  /usr/bin/unshare ix,

  userns,
--- a/profiles/apparmor.d/sbuild-upgrade
+++ b/profiles/apparmor.d/sbuild-upgrade
@@ -6,8 +6,9 @@ include <tunables/global>

 profile sbuild-upgrade /usr/bin/sbuild-upgrade flags=(attach_disconnected mediate_deleted) {
  allow all,
+  @{exec_path} mrix,

-  # override default pix
+  # override default pix, assumes allow all ix is at a lower priority
  /usr/bin/unshare ix,

  userns,
--- a/profiles/apparmor.d/scide
+++ b/profiles/apparmor.d/scide
@@ -7,6 +7,7 @@ include <tunables/global>
 #supercollider-ide
 profile scide /usr/bin/scide flags=(unconfined) {
  userns,
+  @{exec_path} mrix,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/scide>
--- a/profiles/apparmor.d/signal-desktop
+++ b/profiles/apparmor.d/signal-desktop
@@ -6,6 +6,7 @@ include <tunables/global>

 profile signal-desktop /opt/Signal/signal-desktop flags=(unconfined) {
  userns,
+  @{exec_path} mrix,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/signal-desktop>
--- a/profiles/apparmor.d/slack
+++ b/profiles/apparmor.d/slack
@@ -6,6 +6,7 @@ include <tunables/global>

 profile slack /usr/lib/slack/slack flags=(unconfined) {
  userns,
+  @{exec_path} mrix,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/slack>
--- a/profiles/apparmor.d/slirp4netns
+++ b/profiles/apparmor.d/slirp4netns
@@ -6,6 +6,7 @@ include <tunables/global>

 profile slirp4netns /usr/bin/slirp4netns flags=(unconfined) {
  userns,
+  @{exec_path} mrix,

  # pivot_root is required for running `slirp4netns --enable-sandbox` inside LXD.
  # https://github.com/rootless-containers/slirp4netns/issues/348
--- a/profiles/apparmor.d/steam
+++ b/profiles/apparmor.d/steam
@@ -6,6 +6,7 @@ include <tunables/global>

 profile steam /usr/{lib/steam/bin_steam.sh,games/steam} flags=(unconfined) {
  userns,
+  @{exec_path} mrix,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/steam>
--- a/profiles/apparmor.d/stress-ng
+++ b/profiles/apparmor.d/stress-ng
@@ -6,6 +6,7 @@ include <tunables/global>

 profile stress-ng /usr/bin/stress-ng flags=(unconfined) {
  userns,
+  @{exec_path} mrix,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/stress-ng>
--- a/profiles/apparmor.d/surfshark
+++ b/profiles/apparmor.d/surfshark
@@ -6,6 +6,7 @@ include <tunables/global>

 profile surfshark /opt/Surfshark/surfshark flags=(unconfined) {
  userns,
+  @{exec_path} mrix,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/surfshark>
--- a/profiles/apparmor.d/systemd-coredump
+++ b/profiles/apparmor.d/systemd-coredump
@@ -6,6 +6,7 @@ include <tunables/global>

 profile systemd-coredump /usr/lib/systemd/systemd-coredump flags=(unconfined) {
  userns,
+  @{exec_path} mrix,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/systemd-coredump>
--- a/profiles/apparmor.d/tar
+++ b/profiles/apparmor.d/tar
@@ -25,6 +25,7 @@ profile tar /usr/bin/tar {
  file rwl /**,

  # tar can be made to filter archives through an arbitrary program
+  @{exec_path} mr,
  /{usr{/local,},}/{bin,sbin}/* ix,
  /opt/** ix,

--- a/profiles/apparmor.d/thunderbird
+++ b/profiles/apparmor.d/thunderbird
@@ -6,6 +6,7 @@ include <tunables/global>

 profile thunderbird /usr/bin/thunderbird flags=(unconfined) {
  userns,
+  @{exec_path} mrix,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/thunderbird>
--- a/Show More
+++ b/Show More