Merge parser: Add support for automatic @{attach_path} variable

Have the parser extract the attachment path from the profile declaration and make it available as a local variable within the profile. This allows profile rules to use the executable attachment path in rules. eg. ``` profile ex /bin/** { @{attach_path} r, # ... } profile /path/to/bin { @{attach_path} r, # ... } ``` if a profile does not define an attachment like ``` profile noattach { @{attach_path} r, } ``` the apparmor_parser will fail the compile with the error. ``` Found reference to variable attach_path, but is never declared ``` While not recommended for rules directly in a profile the above the undeclared variable error can be avoided in in abstractions by wrapping the variable in a conditional. ``` if defined @{attach_path} { @{attach_path r, } ``` The attachment xattr/label conditionals are not made available at this time as regular file path rules can not use them. Similarly a @{exec_path} variable is made available. It is different than @{attach_path} in that it is intended to be a kernel variable that represents the specific executable that was matched at run time. However to support policy on kernels that don't define the kernel variable it has a fallback value that is the same as @{attach_path}. This patch is a follow on to MR:1637 (https://gitlab.com/apparmor/apparmor/-/me\ rge_requests/1637) and is similar to how the apparmor.d project uses the manually setup @{exec_path} variable. We can bike shed over the variable name. @{attach_path} was chosen here because this is the attachment conditional path for the executable, not the executable's actual path. While @{exec_path} is intended to be the applications actual executable path. support the @{exec_path} kernel variable (all of them atm). Notes: The minimize.sh tests are changed because this patch causes path based profile names to create an attachment. This could be done by doing the attach_variable expansion in the alternate location marked by the patch, but since the kernel is going to start doing this for all profiles that don't have an attachment it is better for the parser to do it, as it can optimize better. This patch series may cause breakage if policy declares either @{attach_path} or @{exec_path} by shadowing those previously declared variables in the profile block. The previously declared variable is available in the attachment specification so uses like the apparmor.d project won't break as it with transfer its variable value to the attachment which will the transfer that value into the automatic local var. Signed-off-by: John Johansen <john.johansen@canonical.com> MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1643 Approved-by: Maxime Bélair <maxime.belair@canonical.com> Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>
2025-08-22 01:57:43 +00:00 · 2025-05-12 09:08:44 +00:00 · 2025-05-12 09:08:44 +00:00 · 93c660e376
commit 93c660e376
parent d94ff137ef f3178d79b8
320 changed files with 953 additions and 282 deletions
--- a/parser/apparmor.d.pod
+++ b/parser/apparmor.d.pod
@ -1802,8 +1802,29 @@ site-specific customization of B<@{HOMEDIRS}>,
 F</etc/apparmor.d/tunables/multiarch.d> for B<@{multiarch}> and
 F</etc/apparmor.d/tunables/xdg-user-dirs.d> for B<@{XDG_*}>.
-The special B<@{profile_name}> variable is set to the profile name and may be
+=head3 Special builtin variables
-used in all policy.
+
 AppArmor has some builtin variables that are not declared in policy
 but are available to be used in policy.
  @{profile_name} - the profile name
  @{attach_path}  - the profile exec attachment path - if one has been defined
  @{exec_path}    - the executables path
 The B<@{profile_name}> variable is set to the profile name and may be
 used in all policy. It is only defined when used inside of a profile.
 The B<@{attach_path}> variable is only defined if the profile will attach
 to an executable. It will be the path attachment specification or
 if that is not defined it may be the profile's name if the profile name
 is a path.
 The B<@{exec_path}> variable like B<@{attach_path}> is only defined if
 the profile attaches to an executable. If the kernel supports it as a
 kernel variable, it will be set to the specific path that matches the
 executable at run time. If the kernel does not support kernel variables
 it will have the same value as B<@{attach_path}>.
 =head3 Notes on variable expansion and the / character
--- a/parser/parser.h
+++ b/parser/parser.h
@ -294,9 +294,10 @@ do {						\
 	version;					\
 })
-/* The parser fills this variable in automatically */
+/* The parser fills these variable in automatically */
 #define PROFILE_NAME_VARIABLE "profile_name"
-
+#define PROFILE_ATTACH_VAR "attach_path"
 #define PROFILE_EXEC_VAR "exec_path"
 /* from parser_common.c */
 extern uint32_t policy_version;
@ -395,6 +396,7 @@ extern const char *basedir;
 #define glob_default	0
 #define glob_null	1
 const char *local_name(const char *name);
 extern pattern_t convert_aaregex_to_pcre(const char *aare, int anchor, int glob,
 					 std::string& pcre, int *first_re_pos);
 extern bool build_list_val_expr(std::string& buffer, struct value_list *list);
@ -462,12 +464,27 @@ struct set_value {
 	char *val;
 	struct set_value *next;
 };
 enum var_type {
 	sd_boolean,
 	sd_set,
 };
 struct symtab {
 	char *var_name;
 	enum var_type type;
 	int boolean;
 	struct set_value *values;
 	struct set_value *expanded;
 };
 extern int add_boolean_var(const char *var, int boolean);
 extern int get_boolean_var(const char *var);
 extern int new_set_var(const char *var, const char *value);
 extern int add_set_value(const char *var, const char *value);
 extern struct set_value *get_set_var(const char *var);
 extern char *get_next_set_value(struct set_value **context);
 extern int insert_set_var(struct symtab *var);
 extern struct symtab *remove_set_var(const char *var_name);
 extern int delete_set_var(const char *var_name);
 extern void dump_symtab(void);
 extern void dump_expanded_symtab(void);
--- a/parser/parser_symtab.c
+++ b/parser/parser_symtab.c
@ -28,18 +28,6 @@
 typedef int (*comparison_fn_t)(const void *, const void *);
 typedef void (*__free_fn_t)(void *);
 enum var_type {
 	sd_boolean,
 	sd_set,
 };
 struct symtab {
 	char *var_name;
 	enum var_type type;
 	int boolean;
 	struct set_value *values;
 	struct set_value *expanded;
 };
 static void *my_symtab = NULL;
@ -209,12 +197,32 @@ out:
 	return rc;
 }
 int insert_set_var(struct symtab *var)
 {
 	struct symtab **result;
 	result = (struct symtab **) tsearch(var, &my_symtab, (comparison_fn_t) &compare_symtabs);
 	if (!result) {
 		PERROR("Failed to allocate memory: %s\n", strerror(errno));
 		return errno;
 	}
 	if (*result != var) {
 		/* already existing variable */
 		PERROR("'%s' is already defined\n", var->var_name);
 		return 1;
 	}
 	return 0;
 }
 /* new_set_var
 * creates copies of arguments, so caller can free them after use
 */
 int new_set_var(const char *var, const char *value)
 {
-	struct symtab *n, **result;
+	struct symtab *n;
 	int rc = 0;
 	n = new_symtab_entry(var);
@ -226,21 +234,9 @@ int new_set_var(const char *var, const char *value)
 	n->type = sd_set;
 	add_to_set(&(n->values), value);
-	result = (struct symtab **) tsearch(n, &my_symtab, (comparison_fn_t) &compare_symtabs);
+	rc = insert_set_var(n);
-	if (!result) {
+	if (! rc)
-		PERROR("Failed to allocate memory: %s\n", strerror(errno));
+		return 0;
 		rc = errno;
 		goto err;
 	}
 	if (*result != n) {
 		/* already existing variable */
 		PERROR("'%s' is already defined\n", var);
 		rc = 1;
 		goto err;
 	}
 	return 0;
 err:
 	free_symtab(n);
@ -331,25 +327,21 @@ char *get_next_set_value(struct set_value **list)
 	return ret;
 }
-/* delete_symbol
+
- * removes an individual variable from the symbol table. We don't
+struct symtab *remove_set_var(const char *var_name)
 * support this in the language, but for special variables that change
 * between profiles, we need this.
 */
 int delete_set_var(const char *var_name)
 {
-	int rc = 0;
+	struct symtab **result, *n, *var = NULL;
 	struct symtab **result, *n, *var;
 	n = new_symtab_entry(var_name);
 	if (!n) {
-		rc = ENOMEM;
+		//rc = ENOMEM;
 		goto out;
 	}
 	result = (struct symtab **) tfind(n, &my_symtab, (comparison_fn_t) &compare_symtabs);
 	if (!result) {
 		/* XXX Warning? */
 		//rc = ENOENT;
 		goto out;
 	}
@ -368,11 +360,27 @@ int delete_set_var(const char *var_name)
 		exit(1);
 	}
 	free_symtab(var);
 out:
 	free_symtab(n);
-	return rc;
+
 	return var;
 }
 /* delete_symbol
 * removes an individual variable from the symbol table. We don't
 * support this in the language, but for special variables that change
 * between profiles, we need this.
 */
 int delete_set_var(const char *var_name)
 {
 	struct symtab *var;
 	var = remove_set_var(var_name);
 	if (var) {
 		free_symtab(var);
 		return 0;
 	}
 	return ENOENT;
 }
 static void *seenlist = NULL;
--- a/parser/parser_variable.c
+++ b/parser/parser_variable.c
@ -295,8 +295,22 @@ static int process_variables_in_name(Profile &prof)
 	 * setup
 	 */
 	int error = expand_entry_variables(&prof.name);
-	if (!error && prof.attachment)
+	if (!error) {
-		error = expand_entry_variables(&prof.attachment);
+		if (prof.attachment)
 			error = expand_entry_variables(&prof.attachment);
 		else if (prof.name[0] == '/') {
 			/* had to wait to do this until after processing the
 			 * variables in the profile name
 			 */
 			prof.attachment = strdup(local_name(prof.name));
 			if (!prof.attachment) {
 				errno = ENOMEM;
 				return -1;
 			}
 			filter_slashes(prof.attachment);
 		}
 	}
 	if (!error && prof.flags.disconnected_path)
 		error = process_variable_in_attach_disconnected(&prof.flags.disconnected_path);
 	if (!error && prof.flags.disconnected_ipc)
@ -325,29 +339,73 @@ static std::string escape_re(std::string str)
 int process_profile_variables(Profile *prof)
 {
 	int error = 0, rc;
 	struct symtab *saved_exec_path = NULL;
 	struct symtab *saved_attach_path = NULL;
 	/* needs to be before PROFILE_NAME_VARIABLE so that variable will
 	 * have the correct name
 	 */
 	error = process_variables_in_name(*prof);
-	if (!error) {
+	if (error)
-		/* escape profile name elements that could be interpreted
+		goto out;
-		 * as regular expressions.
+
 	/* escape profile name elements that could be interpreted as
 	 * regular expressions.
 	 */
 	error = new_set_var(PROFILE_NAME_VARIABLE, escape_re(prof->get_name(false)).c_str());
 	if (error)
 		goto out;
 	if (prof->attachment) {
 		/* IF we didn't want a path based profile name to generate
 		 * an attachment. The code could be moved here. Add the
 		 * output fed into the vars directly instead of setting
 		 * the attachment.
 		 */
-		error = new_set_var(PROFILE_NAME_VARIABLE, escape_re(prof->get_name(false)).c_str());
+		/* need to take into account alias, but not yet */
 		saved_attach_path = remove_set_var(PROFILE_ATTACH_VAR);
 		error = new_set_var(PROFILE_ATTACH_VAR, prof->attachment);
 		if (error)
 			goto cleanup_name;
 		/* update to use kernel vars if available */
 		saved_exec_path = remove_set_var(PROFILE_EXEC_VAR);
 		error = new_set_var(PROFILE_EXEC_VAR, prof->attachment);
 		if (error)
 			goto cleanup_attach;
 	}
-	if (!error)
+	error = process_variables_in_entries(prof->entries);
-		error = process_variables_in_entries(prof->entries);
+	if (error)
-
+		goto cleanup;
-	if (!error)
+	error = process_variables_in_rules(*prof);
 		error = process_variables_in_rules(*prof);
 cleanup:
 	/* ideally these variables would be local scoped and we would not
 	 * have to clean them up here, but unfortunately variables
 	 * don't support that yet.
 	 */
 	if (prof->attachment) {
 		rc = delete_set_var(PROFILE_EXEC_VAR);
 		if (!error)
 			error = rc;
 		if (saved_exec_path)
 			insert_set_var(saved_exec_path);
 	}
 cleanup_attach:
 	if (prof->attachment) {
 		rc = delete_set_var(PROFILE_ATTACH_VAR);
 		if (!error)
 			error = rc;
 		if (saved_attach_path)
 			insert_set_var(saved_attach_path);
 	}
 cleanup_name:
 	rc = delete_set_var(PROFILE_NAME_VARIABLE);
 	if (!error)
 		error = rc;
 out:
 	return error;
 }
--- a/parser/tst/equality.sh
+++ b/parser/tst/equality.sh
@ -971,6 +971,144 @@ verify_binary_equality "'$p1'x'$p2' dbus slash filtering for paths" \
 #### end of wrapper fn
 }
 test_parser_variables()
 {
 	######## @{profile_name} #######
 	verify_binary_equality "@{profile_name} expands correctly" \
 				"/t { @{profile_name} r, }" \
 				"/t { /t r, }"
 	verify_binary_equality "@{profile_name} expands correcly - filter /" \
 				"/t { /r/@{profile_name} r, }" \
 				"/t { /r/t r, }"
 	verify_binary_equality "@{profile_name} expands correcly - add globbing" \
 				"/t { @{profile_name}/** r, }" \
 				"/t { /t/** r, }"
 	#re expression are escaped in profile names so /t/* becomes /t/\*
 	verify_binary_inequality "@{profile_name} w/pat expands correctly" \
 				"/t/* { @{profile_name} r, }" \
 				"/t/* { /t/* r, }"
 	verify_binary_equality "@{profile_name} w/pat expands correctly" \
 				"/t/* { @{profile_name} r, }" \
 				"/t/* { /t/\* r, }"
 	verify_binary_inequality "@{profile_name} w/pat expands correcly - filter /" \
 				"/t/* { @{profile_name} r, }" \
 				"/t/* { /t/* r, }"
 	verify_binary_equality "@{profile_name} w/pat expands correcly - filter /" \
 				"/t/* { @{profile_name}/a r, }" \
 				"/t/* { /t/\*/a r, }"
 	verify_binary_inequality "@{profile_name} w/pat expands correcly - add globbing" \
 				"/t/* { @{profile_name}/** r, }" \
 				"/t/* { /t/*/** r, }"
 	verify_binary_equality "@{profile_name} w/pat expands correcly - add globbing" \
 				"/t/** { @{profile_name}/** r, }" \
 				"/t/** { /t/\*\*/** r, }"
 	######## @{attach_path} #######
 	verify_binary_equality "@{attach_path} expands correctly" \
 				"/t { @{attach_path} r, }" \
 				"/t { /t r, }"
 	verify_binary_equality "@{attach_path} expands correcly - filter /" \
 				"/t { /r/@{attach_path} r, }" \
 				"/t { /r/t r, }"
 	verify_binary_equality "@{attach_path} expands correcly - add globbing" \
 				"/t { @{attach_path}/** r, }" \
 				"/t { /t/** r, }"
 	verify_binary_equality "@{attach_path} w/pat expands correctly" \
 				"/t/* { @{attach_path} r, }" \
 				"/t/* { /t/* r, }"
 	verify_binary_equality "@{attach_path} w/pat expands correcly - filter /" \
 				"/t/* { @{attach_path} r, }" \
 				"/t/* { /t/* r, }"
 	verify_binary_equality "@{attach_path} w/pat expands correcly - add globbing" \
 				"/t/* { @{attach_path}/** r, }" \
 				"/t/* { /t/*/** r, }"
 	verify_binary_equality "@{attach_path} w/attachment expands correctly" \
 				"profile a /t { @{attach_path} r, }" \
 				"profile a /t { /t r, }"
 	verify_binary_equality "@{attach_path} w/attachment expands correcly - filter /" \
 				"profile a /t { /r/@{attach_path} r, }" \
 				"profile a /t { /r/t r, }"
 	verify_binary_equality "@{attach_path} w/attachment expands correcly - add globbing" \
 				"profile a /t { @{attach_path}/** r, }" \
 				"profile a /t { /t/** r, }"
 	verify_binary_equality "@{attach_path} w/attachment w/pat expands correctly" \
 				"profile a /t/* { @{attach_path} r, }" \
 				"profile a /t/* { /t/* r, }"
 	verify_binary_equality "@{attach_path} w/attachment w/pat expands correcly - filter /" \
 				"profile a /t/* { @{attach_path} r, }" \
 				"profile a /t/* { /t/* r, }"
 	verify_binary_equality "@{attach_path} w/attachment w/pat expands correcly - add globbing" \
 				"profile a /t/* { @{attach_path}/** r, }" \
 				"profile a /t/* { /t/*/** r, }"
 	######## @{exec_path} #######
 	verify_binary_equality "@{exec_path} expands correctly" \
 				"/t { @{exec_path} r, }" \
 				"/t { /t r, }"
 	verify_binary_equality "@{exec_path} expands correcly - filter /" \
 				"/t { /r/@{exec_path} r, }" \
 				"/t { /r/t r, }"
 	verify_binary_equality "@{exec_path} expands correcly - add globbing" \
 				"/t { @{exec_path}/** r, }" \
 				"/t { /t/** r, }"
 	verify_binary_equality "@{exec_path} w/pat expands correctly" \
 				"/t/* { @{exec_path} r, }" \
 				"/t/* { /t/* r, }"
 	verify_binary_equality "@{exec_path} w/pat expands correcly - filter /" \
 				"/t/* { @{exec_path} r, }" \
 				"/t/* { /t/* r, }"
 	verify_binary_equality "@{exec_path} w/pat expands correcly - add globbing" \
 				"/t/* { @{exec_path}/** r, }" \
 				"/t/* { /t/*/** r, }"
 	verify_binary_equality "@{exec_path} w/attachment expands correctly" \
 				"profile a /t { @{exec_path} r, }" \
 				"profile a /t { /t r, }"
 	verify_binary_equality "@{exec_path} w/attachment expands correcly - filter /" \
 				"profile a /t { /r/@{exec_path} r, }" \
 				"profile a /t { /r/t r, }"
 	verify_binary_equality "@{exec_path} w/attachment expands correcly - add globbing" \
 				"profile a /t { @{exec_path}/** r, }" \
 				"profile a /t { /t/** r, }"
 	verify_binary_equality "@{exec_path} w/attachment w/pat expands correctly" \
 				"profile a /t/* { @{exec_path} r, }" \
 				"profile a /t/* { /t/* r, }"
 	verify_binary_equality "@{exec_path} w/attachment w/pat expands correcly - filter /" \
 				"profile a /t/* { @{exec_path} r, }" \
 				"profile a /t/* { /t/* r, }"
 	verify_binary_equality "@{exec_path} w/attachment w/pat expands correcly - add globbing" \
 				"profile a /t/* { @{exec_path}/** r, }" \
 				"profile a /t/* { /t/*/** r, }"
 }
 run_tests()
 {
@ -1082,6 +1220,8 @@ run_tests()
 				"@{BAR}=bin/   \#value
 					/t { /@{BAR} r, }"
 	test_parser_variables
 	# verify combinations of different priority levels
 	# for single rule comparisons, rules should keep same expected result
 	# even when the priorities are different.
--- a/parser/tst/minimize.sh
+++ b/parser/tst/minimize.sh
@ -78,7 +78,7 @@ APPARMOR_PARSER="${APPARMOR_PARSER:-../apparmor_parser}"
 # {a} (0x 40030/0/0/0)
 echo -n "Minimize profiles basic perms "
-if [ "$(echo "/t { /a r, /b w, /c a, /d l, /e k, /f m, /** w, }" | ${APPARMOR_PARSER} -M features_files/features.nopolicydb -QT -O minimize -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 6 ] ; then
+if [ "$(echo "profile t { /a r, /b w, /c a, /d l, /e k, /f m, /** w, }" | ${APPARMOR_PARSER} -M features_files/features.nopolicydb -QT -O minimize -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 6 ] ; then
    echo "failed"
    exit 1;
 fi
@ -93,7 +93,7 @@ echo "ok"
 # {9} (0x 12804a/0/2800a/0)
 # {c} (0x 40030/0/0/0)
 echo -n "Minimize profiles audit perms "
-if [ "$(echo "/t { /a r, /b w, /c a, /d l, /e k, /f m, audit /** w, }" | ${APPARMOR_PARSER} -M features_files/features.nopolicydb -QT -O minimize -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 6 ] ; then
+if [ "$(echo "profile t { /a r, /b w, /c a, /d l, /e k, /f m, audit /** w, }" | ${APPARMOR_PARSER} -M features_files/features.nopolicydb -QT -O minimize -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 6 ] ; then
    echo "failed"
    exit 1;
 fi
@ -112,7 +112,7 @@ echo "ok"
 # {c} (0x 40030/0/0/0)
 echo -n "Minimize profiles deny perms "
-if [ "$(echo "/t { /a r, /b w, /c a, /d l, /e k, /f m, deny /** w, }" | ${APPARMOR_PARSER} -M features_files/features.nopolicydb -QT -O minimize -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 6 ] ; then
+if [ "$(echo "profile t { /a r, /b w, /c a, /d l, /e k, /f m, deny /** w, }" | ${APPARMOR_PARSER} -M features_files/features.nopolicydb -QT -O minimize -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 6 ] ; then
    echo "failed"
    exit 1;
 fi
@ -130,7 +130,7 @@ echo "ok"
 # {c} (0x 40030/0/0/0)
 echo -n "Minimize profiles audit deny perms "
-if [ "$(echo "/t { /a r, /b w, /c a, /d l, /e k, /f m, audit deny /** w, }" | ${APPARMOR_PARSER} -M features_files/features.nopolicydb -QT -O minimize -O filter-deny -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 5 ] ; then
+if [ "$(echo "profile t { /a r, /b w, /c a, /d l, /e k, /f m, audit deny /** w, }" | ${APPARMOR_PARSER} -M features_files/features.nopolicydb -QT -O minimize -O filter-deny -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 5 ] ; then
    echo "failed"
    exit 1;
 fi
@ -155,7 +155,7 @@ echo "ok"
 ## NOTE: change count from 6 to 7 when extend perms is not dependent on
 ## prompt rules being present
 echo -n "Minimize profiles extended no-filter audit deny perms "
-if [ "$(echo "/t { /a r, /b w, /c a, /d l, /e k, /f m, audit deny /** w, }" | ${APPARMOR_PARSER} -M features_files/features.extended-perms-no-policydb -QT -O minimize -O no-filter-deny -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 7 ] ; then
+if [ "$(echo "profile t { /a r, /b w, /c a, /d l, /e k, /f m, audit deny /** w, }" | ${APPARMOR_PARSER} -M features_files/features.extended-perms-no-policydb -QT -O minimize -O no-filter-deny -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 7 ] ; then
    echo "failed"
    exit 1;
 fi
@ -173,7 +173,7 @@ echo "ok"
 # {2} (0x 4/0//0/0/0)   <- from policydb still showing up bug
 echo -n "Minimize profiles extended filter audit deny perms "
-if [ "$(echo "/t { /a r, /b w, /c a, /d l, /e k, /f m, audit deny /** w, }" | ${APPARMOR_PARSER} -M features_files/features.extended-perms-no-policydb -QT -O minimize -O filter-deny -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 6 ] ; then
+if [ "$(echo "profile t { /a r, /b w, /c a, /d l, /e k, /f m, audit deny /** w, }" | ${APPARMOR_PARSER} -M features_files/features.extended-perms-no-policydb -QT -O minimize -O filter-deny -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 6 ] ; then
    echo "failed"
    exit 1;
 fi
@ -208,7 +208,7 @@ echo "ok"
 #
 echo -n "Minimize profiles xtrans "
-if [ "$(echo "/t { /b px, /* Pixr, /a Cx -> foo, }" | ${APPARMOR_PARSER} -M features_files/features.nopolicydb -QT -O minimize -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 3 ] ; then
+if [ "$(echo "profile t { /b px, /* Pixr, /a Cx -> foo, }" | ${APPARMOR_PARSER} -M features_files/features.nopolicydb -QT -O minimize -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 3 ] ; then
    echo "failed"
    exit 1;
 fi
@ -216,7 +216,7 @@ echo "ok"
 # same test as above + audit
 echo -n "Minimize profiles audit xtrans "
-if [ "$(echo "/t { /b px, audit /* Pixr, /a Cx -> foo, }" | ${APPARMOR_PARSER} -M features_files/features.nopolicydb -QT -O minimize -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 3 ] ; then
+if [ "$(echo "profile t { /b px, audit /* Pixr, /a Cx -> foo, }" | ${APPARMOR_PARSER} -M features_files/features.nopolicydb -QT -O minimize -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 3 ] ; then
    echo "failed"
    exit 1;
 fi
@ -229,7 +229,7 @@ echo "ok"
 # {3} (0x 0/fe17f85/0/14005)
 echo -n "Minimize profiles deny xtrans "
-if [ "$(echo "/t { /b px, deny /* xr, /a Cx -> foo, }" | ${APPARMOR_PARSER} -M features_files/features.nopolicydb -QT -O minimize -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 1 ] ; then
+if [ "$(echo "profile t { /b px, deny /* xr, /a Cx -> foo, }" | ${APPARMOR_PARSER} -M features_files/features.nopolicydb -QT -O minimize -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 1 ] ; then
    echo "failed"
    exit 1;
 fi
@ -241,7 +241,7 @@ echo "ok"
 # {3} (0x 0/fe17f85/0/0)
 echo -n "Minimize profiles audit deny xtrans "
-if [ "$(echo "/t { /b px, audit deny /* xr, /a Cx -> foo, }" | ${APPARMOR_PARSER} -M features_files/features.nopolicydb -QT -O minimize -O no-filter-deny -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 0 ] ; then
+if [ "$(echo "profile t { /b px, audit deny /* xr, /a Cx -> foo, }" | ${APPARMOR_PARSER} -M features_files/features.nopolicydb -QT -O minimize -O no-filter-deny -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 0 ] ; then
    echo "failed"
    exit 1;
 fi
--- a/parser/tst/simple_tests/vars/vars_auto_attach_path_01.sd
+++ b/parser/tst/simple_tests/vars/vars_auto_attach_path_01.sd
@ -0,0 +1,9 @@
 #=DESCRIPTION reference auto attach_path variable in rules
 #=EXRESULT PASS
 profile /a/test/profile {
  /a/test/profile rix,
  @{attach_path} rwk,
 }
--- a/parser/tst/simple_tests/vars/vars_auto_attach_path_02.sd
+++ b/parser/tst/simple_tests/vars/vars_auto_attach_path_02.sd
@ -0,0 +1,9 @@
 #=DESCRIPTION reference auto atach_path variable in rules
 #=EXRESULT PASS
 profile this_is_a_test /a/test/profile {
  /a/test/profile rix,
  /run/@{attach_path}/tmp rwk,
 }
--- a/parser/tst/simple_tests/vars/vars_auto_attach_path_03.sd
+++ b/parser/tst/simple_tests/vars/vars_auto_attach_path_03.sd
@ -0,0 +1,9 @@
 #=DESCRIPTION reference auto attach_path from profile
 #=EXRESULT PASS
 /test/profile {
  /test/profile rix,
  /run/@{attach_path}/tmp rwk,
 }
--- a/parser/tst/simple_tests/vars/vars_auto_attach_path_05.sd
+++ b/parser/tst/simple_tests/vars/vars_auto_attach_path_05.sd
@ -0,0 +1,10 @@
 #=DESCRIPTION reference auto attach_path variable in child
 #=EXRESULT PASS
 # no attachment in parent
 profile top_profile {
  profile spork /a/*/c {
    @{attach_path}/** rw,
  }
 }
--- a/parser/tst/simple_tests/vars/vars_auto_attach_path_06.sd
+++ b/parser/tst/simple_tests/vars/vars_auto_attach_path_06.sd
@ -0,0 +1,10 @@
 #=DESCRIPTION reference auto attach_path variable in child
 #=EXRESULT PASS
 # no attachment in parent
 profile top_profile {
  profile /a/b/c {
    @{attach_path}/** rw,
  }
 }
--- a/parser/tst/simple_tests/vars/vars_auto_attach_path_07.sd
+++ b/parser/tst/simple_tests/vars/vars_auto_attach_path_07.sd
@ -0,0 +1,10 @@
 #=DESCRIPTION reference auto attach_path variable in child
 #=EXRESULT PASS
 # no attachment in parent
 profile top_profile {
  profile /a/*/c {
    @{attach_path}/** rw,
  }
 }
--- a/parser/tst/simple_tests/vars/vars_auto_attach_path_08.sd
+++ b/parser/tst/simple_tests/vars/vars_auto_attach_path_08.sd
@ -0,0 +1,20 @@
 #=DESCRIPTION ensure attach_path expansion after subprofiles works
 #=EXRESULT PASS
 profile top_profile /test/profile {
  /first/path/@{attach_path}/tmp rwk,
  profile spork {
    owner /tmp/* r,
    /run/@{profile_name}/** rw,
  }
  hat spelunkk {
    owner /tmp/* r,
    /run/@{profile_name}/** rw,
  }
  # Does this expand properly?
  /second/path/@{attach_path}/tmp rk,
 }
--- a/parser/tst/simple_tests/vars/vars_auto_attach_path_09.sd
+++ b/parser/tst/simple_tests/vars/vars_auto_attach_path_09.sd
@ -0,0 +1,10 @@
 #=DESCRIPTION reference auto attach_path variable overrides with user defined
 #=EXRESULT PASS
@{attach_path}=/path
 profile /a/test/profile {
  /a/test/profile rix,
  @{attach_path} rwk,
 }
--- a/parser/tst/simple_tests/vars/vars_auto_attach_path_10.sd
+++ b/parser/tst/simple_tests/vars/vars_auto_attach_path_10.sd
@ -0,0 +1,16 @@
 #=DESCRIPTION user @{attach_path} available after override
 #=EXRESULT PASS
@{attach_path}=/path
 profile /a/test/profile {
  /a/test/profile rix,
  @{attach_path} rwk,
 }
 profile extra {
  @{attach_path} rw,
 }
--- a/parser/tst/simple_tests/vars/vars_auto_attach_path_11.sd
+++ b/parser/tst/simple_tests/vars/vars_auto_attach_path_11.sd
@ -0,0 +1,10 @@
 #=DESCRIPTION user @{attach_path} can set attachment and then auto var used
 #=EXRESULT PASS
@{attach_path}=/path
 profile @{attach_path} {
  /a/test/profile rix,
  @{attach_path} rwk,
 }
--- a/parser/tst/simple_tests/vars/vars_auto_attach_path_bad_1.sd
+++ b/parser/tst/simple_tests/vars/vars_auto_attach_path_bad_1.sd
@ -0,0 +1,9 @@
 #=DESCRIPTION reference auto @{attach_path} variable in rules when not created
 #=EXRESULT FAIL
 test/profile {
  /a/test/profile rix,
  mr @{attach_path},
 }
--- a/parser/tst/simple_tests/vars/vars_auto_attach_path_bad_2.sd
+++ b/parser/tst/simple_tests/vars/vars_auto_attach_path_bad_2.sd
@ -0,0 +1,12 @@
 #=DESCRIPTION reference auto attach_path from profile
 #=EXRESULT FAIL
 /test/profile {
  /test/profile rix,
  # hat does not have an attachment and profile's attachment doesn't apply
  ^spork {
    owner /tmp/* r,
    /spork/@{attach_path}/** rw,
  }
 }
--- a/parser/tst/simple_tests/vars/vars_auto_attach_path_bad_3.sd
+++ b/parser/tst/simple_tests/vars/vars_auto_attach_path_bad_3.sd
@ -0,0 +1,16 @@
 #=DESCRIPTION ensure attach_path expansion after subprofiles works
 #=EXRESULT FAIL
 profile top_profile /test/profile {
  /first/path/@{attach_path}/tmp rwk,
  # subprofile doesn't have attach_pathes
  hat spelunkk {
    owner /tmp/* r,
    /run/@{attach_path}/** rw,
  }
  # Does this expand properly?
  /second/path/@{attach_path}/tmp rk,
 }
--- a/parser/tst/simple_tests/vars/vars_auto_attach_path_bad_5.sd
+++ b/parser/tst/simple_tests/vars/vars_auto_attach_path_bad_5.sd
@ -0,0 +1,11 @@
 #=DESCRIPTION reference auto attach_path variable in rules w/hats
 #=EXRESULT FAIL
 profile idf3s2A6GX8vrk /simple/profile {
  /test/profile rix,
  ^test {
     /run/@{attach_path}/tmp rwk,
  }
 }
--- a/parser/tst/simple_tests/vars/vars_auto_exec_path_01.sd
+++ b/parser/tst/simple_tests/vars/vars_auto_exec_path_01.sd
@ -0,0 +1,9 @@
 #=DESCRIPTION reference auto exec_path variable in rules
 #=EXRESULT PASS
 profile /a/test/profile {
  /a/test/profile rix,
  @{exec_path} rwk,
 }
--- a/parser/tst/simple_tests/vars/vars_auto_exec_path_02.sd
+++ b/parser/tst/simple_tests/vars/vars_auto_exec_path_02.sd
@ -0,0 +1,9 @@
 #=DESCRIPTION reference auto exec_path variable in rules
 #=EXRESULT PASS
 profile this_is_a_test /a/test/profile {
  /a/test/profile rix,
  /run/@{exec_path}/tmp rwk,
 }
--- a/parser/tst/simple_tests/vars/vars_auto_exec_path_03.sd
+++ b/parser/tst/simple_tests/vars/vars_auto_exec_path_03.sd
@ -0,0 +1,9 @@
 #=DESCRIPTION reference auto exec_path from profile
 #=EXRESULT PASS
 /test/profile {
  /test/profile rix,
  /run/@{exec_path}/tmp rwk,
 }
--- a/parser/tst/simple_tests/vars/vars_auto_exec_path_05.sd
+++ b/parser/tst/simple_tests/vars/vars_auto_exec_path_05.sd
@ -0,0 +1,10 @@
 #=DESCRIPTION reference auto exec_path variable in child
 #=EXRESULT PASS
 # no attachment in parent
 profile top_profile {
  profile spork /a/*/c {
    @{exec_path}/** rw,
  }
 }
--- a/parser/tst/simple_tests/vars/vars_auto_exec_path_06.sd
+++ b/parser/tst/simple_tests/vars/vars_auto_exec_path_06.sd
@ -0,0 +1,10 @@
 #=DESCRIPTION reference auto exec_path variable in child
 #=EXRESULT PASS
 # no attachment in parent
 profile top_profile {
  profile /a/b/c {
    @{exec_path}/** rw,
  }
 }
--- a/parser/tst/simple_tests/vars/vars_auto_exec_path_07.sd
+++ b/parser/tst/simple_tests/vars/vars_auto_exec_path_07.sd
@ -0,0 +1,10 @@
 #=DESCRIPTION reference auto exec_path variable in child
 #=EXRESULT PASS
 # no attachment in parent
 profile top_profile {
  profile /a/*/c {
    @{exec_path}/** rw,
  }
 }
--- a/parser/tst/simple_tests/vars/vars_auto_exec_path_08.sd
+++ b/parser/tst/simple_tests/vars/vars_auto_exec_path_08.sd
@ -0,0 +1,20 @@
 #=DESCRIPTION ensure exec_path expansion after subprofiles works
 #=EXRESULT PASS
 profile top_profile /test/profile {
  /first/path/@{exec_path}/tmp rwk,
  profile spork {
    owner /tmp/* r,
    /run/@{profile_name}/** rw,
  }
  hat spelunkk {
    owner /tmp/* r,
    /run/@{profile_name}/** rw,
  }
  # Does this expand properly?
  /second/path/@{exec_path}/tmp rk,
 }
--- a/parser/tst/simple_tests/vars/vars_auto_exec_path_09.sd
+++ b/parser/tst/simple_tests/vars/vars_auto_exec_path_09.sd
@ -0,0 +1,10 @@
 #=DESCRIPTION reference auto exec_path variable overrides with user defined
 #=EXRESULT PASS
@{exec_path}=/path
 profile /a/test/profile {
  /a/test/profile rix,
  @{exec_path} rwk,
 }
--- a/parser/tst/simple_tests/vars/vars_auto_exec_path_10.sd
+++ b/parser/tst/simple_tests/vars/vars_auto_exec_path_10.sd
@ -0,0 +1,16 @@
 #=DESCRIPTION user @{exec_path} available after override
 #=EXRESULT PASS
@{exec_path}=/path
 profile /a/test/profile {
  /a/test/profile rix,
  @{exec_path} rwk,
 }
 profile extra {
  @{exec_path} rw,
 }
--- a/parser/tst/simple_tests/vars/vars_auto_exec_path_11.sd
+++ b/parser/tst/simple_tests/vars/vars_auto_exec_path_11.sd
@ -0,0 +1,10 @@
 #=DESCRIPTION user @{exec_path} can set attachment and then auto var used
 #=EXRESULT PASS
@{exec_path}=/path
 profile @{exec_path} {
  /a/test/profile rix,
  @{exec_path} rwk,
 }
--- a/parser/tst/simple_tests/vars/vars_auto_exec_path_bad_1.sd
+++ b/parser/tst/simple_tests/vars/vars_auto_exec_path_bad_1.sd
@ -0,0 +1,9 @@
 #=DESCRIPTION reference auto @{exec_path} variable in rules when not created
 #=EXRESULT FAIL
 test/profile {
  /a/test/profile rix,
  mr @{exec_path},
 }
--- a/parser/tst/simple_tests/vars/vars_auto_exec_path_bad_2.sd
+++ b/parser/tst/simple_tests/vars/vars_auto_exec_path_bad_2.sd
@ -0,0 +1,12 @@
 #=DESCRIPTION reference auto exec_path from profile
 #=EXRESULT FAIL
 /test/profile {
  /test/profile rix,
  # hat does not have an attachment and profile's attachment doesn't apply
  ^spork {
    owner /tmp/* r,
    /spork/@{exec_path}/** rw,
  }
 }
--- a/parser/tst/simple_tests/vars/vars_auto_exec_path_bad_3.sd
+++ b/parser/tst/simple_tests/vars/vars_auto_exec_path_bad_3.sd
@ -0,0 +1,16 @@
 #=DESCRIPTION ensure exec_path expansion after subprofiles works
 #=EXRESULT FAIL
 profile top_profile /test/profile {
  /first/path/@{exec_path}/tmp rwk,
  # subprofile doesn't have exec_pathes
  hat spelunkk {
    owner /tmp/* r,
    /run/@{exec_path}/** rw,
  }
  # Does this expand properly?
  /second/path/@{exec_path}/tmp rk,
 }
--- a/parser/tst/simple_tests/vars/vars_auto_exec_path_bad_5.sd
+++ b/parser/tst/simple_tests/vars/vars_auto_exec_path_bad_5.sd
@ -0,0 +1,11 @@
 #=DESCRIPTION reference auto exec_path variable in rules w/hats
 #=EXRESULT FAIL
 profile idf3s2A6GX8vrk /simple/profile {
  /test/profile rix,
  ^test {
  	/run/@{exec_path}/tmp rwk,
  }
 }
--- a/profiles/apparmor.d/1password
+++ b/profiles/apparmor.d/1password
@ -6,6 +6,7 @@ include <tunables/global>
 profile 1password /opt/1Password/1password flags=(unconfined) {
  userns,
  @{exec_path} mr,
  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/1password>
--- a/profiles/apparmor.d/Discord
+++ b/profiles/apparmor.d/Discord
@ -6,6 +6,7 @@ include <tunables/global>
 profile Discord /usr/share/discord/Discord flags=(unconfined) {
  userns,
  @{exec_path} mr,
  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/Discord>
--- a/profiles/apparmor.d/MongoDB_Compass
+++ b/profiles/apparmor.d/MongoDB_Compass
@ -6,6 +6,7 @@ include <tunables/global>
 profile "MongoDB Compass" "/usr/lib/mongodb-compass/MongoDB Compass" flags=(unconfined) {
  userns,
  @{exec_path} mr,
  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/MongoDB_Compass>
--- a/profiles/apparmor.d/QtWebEngineProcess
+++ b/profiles/apparmor.d/QtWebEngineProcess
@ -6,6 +6,7 @@ include <tunables/global>
 profile QtWebEngineProcess /usr/lib/@{multiarch}/qt{5,6}/libexec/QtWebEngineProcess flags=(unconfined) {
  userns,
  @{exec_path} mr,
  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/QtWebEngineProcess>
--- a/profiles/apparmor.d/Xorg
+++ b/profiles/apparmor.d/Xorg
@ -58,7 +58,7 @@ profile Xorg /usr/lib/xorg/Xorg flags=(attach_disconnected, complain) {
  /{,usr/}bin/{bash,dash,sh} ix,
  /usr/bin/xkbcomp           ix,
-  /usr/lib/xorg/Xorg      mr,
+  @{exec_path}            mr,
  @{PROC}/cmdline         r,
  @{PROC}/@{pid}/cmdline  r,
--- a/profiles/apparmor.d/alsamixer
+++ b/profiles/apparmor.d/alsamixer
@ -10,7 +10,7 @@ profile alsamixer /{usr,}/bin/alsamixer {
    include <abstractions/dbus-session-strict>
-    /{usr,}/bin/alsamixer mr,
+    @{exec_path} mr,
    @{sys}/devices/virtual/dmi/id/sys_vendor r,
--- a/profiles/apparmor.d/babeld
+++ b/profiles/apparmor.d/babeld
@ -17,7 +17,7 @@ profile babeld /usr/lib/frr/babeld flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/frr>
-  /usr/lib/frr/babeld mr,
+  @{exec_path} mr,
  @{run}/frr/babel-state w,
  # Site-specific additions and overrides. See local/README for details.
--- a/profiles/apparmor.d/balena-etcher
+++ b/profiles/apparmor.d/balena-etcher
@ -6,6 +6,7 @@ include <tunables/global>
 profile balena-etcher /usr/lib/balena-etcher/balena-etcher flags=(unconfined) {
  userns,
  @{exec_path} mr,
  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/balena-etcher>
--- a/profiles/apparmor.d/bfdd
+++ b/profiles/apparmor.d/bfdd
@ -21,7 +21,7 @@ profile bfdd /usr/lib/frr/bfdd flags=(attach_disconnected) {
  capability sys_admin,
-  /usr/lib/frr/bfdd mr,
+  @{exec_path} mr,
  @{run}/netns/* r,
  @{run}/frr/bfdd.sock w,
--- a/profiles/apparmor.d/bgpd
+++ b/profiles/apparmor.d/bgpd
@ -21,7 +21,7 @@ profile bgpd /usr/lib/frr/bgpd flags=(attach_disconnected) {
  capability net_raw,
  capability sys_admin,
-  /usr/lib/frr/bgpd mr,
+  @{exec_path} mr,
  @{run}/netns/* r,
--- a/profiles/apparmor.d/bin.ping
+++ b/profiles/apparmor.d/bin.ping
@ -22,7 +22,7 @@ profile ping /{usr/,}bin/{,iputils-}ping {
  network inet raw,
  network inet6 raw,
-  /{usr/,}bin/{,iputils-}ping mixr,
+  @{exec_path} mixr,
  /etc/modules.conf r,
  @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r,
--- a/profiles/apparmor.d/brave
+++ b/profiles/apparmor.d/brave
@ -6,6 +6,7 @@ include <tunables/global>
 profile brave /opt/brave.com/brave/brave flags=(unconfined) {
  userns,
  @{exec_path} mr,
  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/brave>
--- a/profiles/apparmor.d/buildah
+++ b/profiles/apparmor.d/buildah
@ -6,6 +6,7 @@ include <tunables/global>
 profile buildah /usr/bin/buildah flags=(unconfined) {
  userns,
  @{exec_path} mr,
  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/buildah>
--- a/profiles/apparmor.d/busybox
+++ b/profiles/apparmor.d/busybox
@ -6,6 +6,7 @@ include <tunables/global>
 profile busybox /usr/bin/busybox flags=(unconfined) {
  userns,
  @{exec_path} mr,
  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/busybox>
--- a/profiles/apparmor.d/cam
+++ b/profiles/apparmor.d/cam
@ -6,6 +6,7 @@ include <tunables/global>
 profile cam /usr/bin/cam flags=(unconfined) {
  userns,
  @{exec_path} mr,
  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/cam>
--- a/profiles/apparmor.d/ch-checkns
+++ b/profiles/apparmor.d/ch-checkns
@ -6,6 +6,7 @@ include <tunables/global>
 profile ch-checkns /usr/bin/ch-checkns flags=(unconfined) {
  userns,
  @{exec_path} mr,
  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/ch-checkns>
--- a/profiles/apparmor.d/ch-run
+++ b/profiles/apparmor.d/ch-run
@ -6,6 +6,7 @@ include <tunables/global>
 profile ch-run /usr/bin/ch-run flags=(unconfined) {
  userns,
  @{exec_path} mr,
  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/ch-run>
--- a/profiles/apparmor.d/chrome
+++ b/profiles/apparmor.d/chrome
@ -6,6 +6,7 @@ include <tunables/global>
 profile chrome /opt/google/chrome/chrome flags=(unconfined) {
  userns,
  @{exec_path} mr,
  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/chrome>
--- a/profiles/apparmor.d/chromium
+++ b/profiles/apparmor.d/chromium
@ -8,6 +8,7 @@ include <tunables/global>
 profile chromium /usr/lib/@{chromium}/@{chromium} flags=(unconfined) {
  userns,
  @{exec_path} mr,
  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/chromium>
--- a/profiles/apparmor.d/code
+++ b/profiles/apparmor.d/code
@ -6,6 +6,7 @@ include <tunables/global>
 profile vscode /usr/share/code{/bin,}/code flags=(unconfined) {
  userns,
  @{exec_path} mr,
  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/code>
--- a/profiles/apparmor.d/crun
+++ b/profiles/apparmor.d/crun
@ -6,6 +6,7 @@ include <tunables/global>
 profile crun /usr/bin/crun flags=(unconfined) {
  userns,
  @{exec_path} mr,
  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/crun>
--- a/profiles/apparmor.d/devhelp
+++ b/profiles/apparmor.d/devhelp
@ -6,6 +6,7 @@ include <tunables/global>
 profile devhelp /usr/bin/devhelp flags=(unconfined) {
  userns,
  @{exec_path} mr,
  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/devhelp>
--- a/profiles/apparmor.d/eigrpd
+++ b/profiles/apparmor.d/eigrpd
@ -19,7 +19,7 @@ profile eigrpd /usr/lib/frr/eigrpd flags=(attach_disconnected) {
  capability net_raw,
-  /usr/lib/frr/eigrpd mr,
+  @{exec_path} mr,
  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/eigrpd>
--- a/profiles/apparmor.d/element-desktop
+++ b/profiles/apparmor.d/element-desktop
@ -6,6 +6,7 @@ include <tunables/global>
 profile element-desktop /opt/Element/element-desktop flags=(unconfined) {
  userns,
  @{exec_path} mr,
 # Site-specific additions and overrides. See local/README for details.
  include if exists <local/element-desktop>
--- a/profiles/apparmor.d/epiphany
+++ b/profiles/apparmor.d/epiphany
@ -6,6 +6,7 @@ include <tunables/global>
 profile epiphany /usr/bin/epiphany{,-browser} flags=(unconfined) {
  userns,
  @{exec_path} mr,
  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/epiphany>
--- a/profiles/apparmor.d/evolution
+++ b/profiles/apparmor.d/evolution
@ -6,6 +6,7 @@ include <tunables/global>
 profile evolution /usr/bin/evolution flags=(unconfined) {
  userns,
  @{exec_path} mr,
  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/evolution>
--- a/profiles/apparmor.d/fabricd
+++ b/profiles/apparmor.d/fabricd
@ -17,7 +17,7 @@ profile fabricd /usr/lib/frr/fabricd flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/frr>
-  /usr/lib/frr/fabricd mr,
+  @{exec_path} mr,
  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/fabricd>
--- a/profiles/apparmor.d/firefox
+++ b/profiles/apparmor.d/firefox
@ -7,6 +7,8 @@ include <tunables/global>
 profile firefox /{usr/lib/firefox{,-esr,-beta,-devedition,-nightly},opt/firefox}/firefox{,-esr,-bin} flags=(unconfined) {
  userns,
  @{exec_path} mr,
  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/firefox>
 }
--- a/profiles/apparmor.d/flatpak
+++ b/profiles/apparmor.d/flatpak
@ -6,6 +6,7 @@ include <tunables/global>
 profile flatpak /usr/bin/flatpak flags=(unconfined) {
  userns,
  @{exec_path} mr,
  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/flatpak>
--- a/profiles/apparmor.d/foliate
+++ b/profiles/apparmor.d/foliate
@ -6,6 +6,7 @@ include <tunables/global>
 profile foliate /usr/bin/foliate flags=(unconfined) {
  userns,
  @{exec_path} mr,
  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/foliate>
--- a/profiles/apparmor.d/fusermount3
+++ b/profiles/apparmor.d/fusermount3
@ -36,7 +36,7 @@ profile fusermount3 /usr/bin/fusermount3 {
  @{etc_ro}/fuse.conf r,
  @{PROC}/@{pid}/mounts r,
-  /usr/bin/fusermount3 mr,
+  @{exec_path} mr,
  include if exists <local/fusermount3>
 }
--- a/profiles/apparmor.d/geary
+++ b/profiles/apparmor.d/geary
@ -6,6 +6,7 @@ include <tunables/global>
 profile geary /usr/bin/geary flags=(unconfined) {
  userns,
  @{exec_path} mr,
  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/geary>
--- a/profiles/apparmor.d/github-desktop
+++ b/profiles/apparmor.d/github-desktop
@ -6,6 +6,7 @@ include <tunables/global>
 profile github-desktop /usr/lib/github-desktop/github-desktop flags=(unconfined) {
  userns,
  @{exec_path} mr,
  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/github-desktop>
--- a/profiles/apparmor.d/goldendict
+++ b/profiles/apparmor.d/goldendict
@ -6,6 +6,7 @@ include <tunables/global>
 profile goldendict /usr/bin/goldendict flags=(unconfined) {
  userns,
  @{exec_path} mr,
  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/goldendict>
--- a/profiles/apparmor.d/iotop-c
+++ b/profiles/apparmor.d/iotop-c
@ -15,7 +15,7 @@ profile iotop-c /usr/sbin/iotop-c {
  /proc/*/cmdline r,
  /proc/*/task/ r,
-  /usr/sbin/iotop-c mr,
+  @{exec_path} mr,
  /proc/ r,
  /proc/sys/kernel/task_delayacct rw,
  /proc/vmstat r,
--- a/profiles/apparmor.d/ipa_verify
+++ b/profiles/apparmor.d/ipa_verify
@ -3,13 +3,12 @@ abi <abi/4.0>,
 include <tunables/global>
@{arg1}=/**/*.so
 profile ipa_verify /usr/bin/ipa_verify {
    include <abstractions/base>
    # Until we can replace arg1 above with real arg parsing
    include <abstractions/private-files-strict>
-    /usr/bin/ipa_verify r,
+    @{exec_path} mr,
    # Probably enumerated by libcamera initialization but not needed for this tool's functionality
    deny /sys/devices/system/node/ r,
--- a/profiles/apparmor.d/isisd
+++ b/profiles/apparmor.d/isisd
@ -20,7 +20,7 @@ profile isisd /usr/lib/frr/isisd flags=(attach_disconnected) {
  capability net_raw,
-  /usr/lib/frr/isisd mr,
+  @{exec_path} mr,
  /var/lib/frr/ r, 
  /var/lib/frr/isisd.json{,.sav} rw,
--- a/profiles/apparmor.d/kchmviewer
+++ b/profiles/apparmor.d/kchmviewer
@ -6,6 +6,7 @@ include <tunables/global>
 profile kchmviewer /usr/bin/kchmviewer flags=(unconfined) {
  userns,
  @{exec_path} mr,
  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/kchmviewer>
--- a/profiles/apparmor.d/keybase
+++ b/profiles/apparmor.d/keybase
@ -6,6 +6,7 @@ include <tunables/global>
 profile keybase /opt/keybase/Keybase flags=(unconfined) {
  userns,
  @{exec_path} mr,
  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/keybase>
--- a/profiles/apparmor.d/lc-compliance
+++ b/profiles/apparmor.d/lc-compliance
@ -6,6 +6,7 @@ include <tunables/global>
 profile lc-compliance /usr/bin/lc-compliance flags=(unconfined) {
  userns,
  @{exec_path} mr,
  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/lc-compliance>
--- a/profiles/apparmor.d/ldpd
+++ b/profiles/apparmor.d/ldpd
@ -18,7 +18,7 @@ profile ldpd /usr/lib/frr/ldpd flags=(attach_disconnected) {
  include <abstractions/frr>
  include <abstractions/frr-snmp>
-  /usr/lib/frr/ldpd ix,
+  @{exec_path} mrix,
  @{run}/frr/ldpd.sock rw,
  # Site-specific additions and overrides. See local/README for details.
--- a/profiles/apparmor.d/libcamerify
+++ b/profiles/apparmor.d/libcamerify
@ -6,6 +6,7 @@ include <tunables/global>
 profile libcamerify /usr/bin/libcamerify flags=(unconfined) {
  userns,
  @{exec_path} mr,
  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/libcamerify>
--- a/profiles/apparmor.d/linux-sandbox
+++ b/profiles/apparmor.d/linux-sandbox
@ -6,6 +6,7 @@ include <tunables/global>
 profile linux-sandbox /usr/libexec/@{multiarch}/bazel/linux-sandbox flags=(unconfined) {
  userns,
  @{exec_path} mr,
  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/linux-sandbox>
--- a/profiles/apparmor.d/loupe
+++ b/profiles/apparmor.d/loupe
@ -6,6 +6,7 @@ include <tunables/global>
 profile loupe /usr/bin/loupe flags=(unconfined) {
  userns,
  @{exec_path} mr,
  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/loupe>
--- a/profiles/apparmor.d/lsb_release
+++ b/profiles/apparmor.d/lsb_release
@ -18,7 +18,6 @@ profile lsb_release {
  /dev/tty rw,
  /usr/bin/lsb_release r,
  /usr/bin/python3.{1,}[0-9] mr,
  /etc/debian_version r,
--- a/profiles/apparmor.d/lsblk
+++ b/profiles/apparmor.d/lsblk
@ -17,7 +17,7 @@ profile lsblk /usr/bin/lsblk {
  include <abstractions/consoles>
  include <abstractions/nameservice-strict>
-  /usr/bin/lsblk mr,
+  @{exec_path} mr,
  @{sys}/block/ r,
  @{sys}/class/block/ r,
--- a/profiles/apparmor.d/lxc-attach
+++ b/profiles/apparmor.d/lxc-attach
@ -6,6 +6,7 @@ include <tunables/global>
 profile lxc-attach /usr/bin/lxc-attach flags=(unconfined) {
  userns,
  @{exec_path} mr,
  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/lxc-attach>
--- a/profiles/apparmor.d/lxc-create
+++ b/profiles/apparmor.d/lxc-create
@ -6,6 +6,7 @@ include <tunables/global>
 profile lxc-create /usr/bin/lxc-create flags=(unconfined) {
  userns,
  @{exec_path} mr,
  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/lxc-create>
--- a/profiles/apparmor.d/lxc-destroy
+++ b/profiles/apparmor.d/lxc-destroy
@ -6,6 +6,7 @@ include <tunables/global>
 profile lxc-destroy /usr/bin/lxc-destroy flags=(unconfined) {
  userns,
  @{exec_path} mr,
  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/lxc-destroy>
--- a/profiles/apparmor.d/lxc-execute
+++ b/profiles/apparmor.d/lxc-execute
@ -6,6 +6,7 @@ include <tunables/global>
 profile lxc-execute /usr/bin/lxc-execute flags=(unconfined) {
  userns,
  @{exec_path} mr,
  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/lxc-execute>
--- a/profiles/apparmor.d/lxc-stop
+++ b/profiles/apparmor.d/lxc-stop
@ -6,6 +6,7 @@ include <tunables/global>
 profile lxc-stop /usr/bin/lxc-stop flags=(unconfined) {
  userns,
  @{exec_path} mr,
  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/lxc-stop>
--- a/profiles/apparmor.d/lxc-unshare
+++ b/profiles/apparmor.d/lxc-unshare
@ -6,6 +6,7 @@ include <tunables/global>
 profile lxc-unshare /usr/bin/lxc-unshare flags=(unconfined) {
  userns,
  @{exec_path} mr,
  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/lxc-unshare>
--- a/profiles/apparmor.d/lxc-usernsexec
+++ b/profiles/apparmor.d/lxc-usernsexec
@ -6,6 +6,7 @@ include <tunables/global>
 profile lxc-usernsexec /usr/bin/lxc-usernsexec flags=(unconfined) {
  userns,
  @{exec_path} mr,
  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/lxc-usernsexec>
--- a/profiles/apparmor.d/mmdebstrap
+++ b/profiles/apparmor.d/mmdebstrap
@ -6,6 +6,7 @@ include <tunables/global>
 profile mmdebstrap /usr/bin/mmdebstrap flags=(unconfined) {
  userns,
  @{exec_path} mr,
  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/mmdebstrap>
--- a/profiles/apparmor.d/msedge
+++ b/profiles/apparmor.d/msedge
@ -6,6 +6,7 @@ include <tunables/global>
 profile msedge /opt/microsoft/msedge/msedge flags=(unconfined) {
  userns,
  @{exec_path} mr,
  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/msedge>
--- a/profiles/apparmor.d/nautilus
+++ b/profiles/apparmor.d/nautilus
@ -6,6 +6,7 @@ include <tunables/global>
 profile nautilus /usr/bin/nautilus flags=(unconfined) {
  userns,
  @{exec_path} mr,
  # Site-specific additions and overrides.  See local/README for details.
  include if exists <local/nautilus>
--- a/profiles/apparmor.d/nhrpd
+++ b/profiles/apparmor.d/nhrpd
@ -20,7 +20,7 @@ profile nhrpd /usr/lib/frr/nhrpd flags=(attach_disconnected) {
  capability net_raw,
  capability net_admin,
-  /usr/lib/frr/nhrpd mr,
+  @{exec_path} mr,
  /usr/bin/dash ix,
  @{PROC}/sys/net/ipv4/conf/*/send_redirects w,
--- a/profiles/apparmor.d/notepadqq
+++ b/profiles/apparmor.d/notepadqq
@ -6,6 +6,7 @@ include <tunables/global>
 profile notepadqq /{{usr/bin,etc/alternatives}/notepadqq,usr/lib/notepadqq/notepadqq.sh} flags=(unconfined) {
  userns,
  @{exec_path} mr,
  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/notepadqq>
--- a/profiles/apparmor.d/nvidia_modprobe
+++ b/profiles/apparmor.d/nvidia_modprobe
@ -16,8 +16,6 @@ profile nvidia_modprobe {
  # Main executable
  /usr/bin/nvidia-modprobe mr,
  # Other executables
  /usr/bin/kmod Cx -> kmod,
--- a/profiles/apparmor.d/obsidian
+++ b/profiles/apparmor.d/obsidian
@ -6,6 +6,7 @@ include <tunables/global>
 profile obsidian /opt/Obsidian/obsidian flags=(unconfined) {
  userns,
  @{exec_path} mr,
  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/obsidian>
--- a/profiles/apparmor.d/opam
+++ b/profiles/apparmor.d/opam
@ -6,6 +6,7 @@ include <tunables/global>
 profile opam /usr/bin/opam flags=(unconfined) {
  userns,
  @{exec_path} mr,
  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/opam>
--- a/profiles/apparmor.d/opera
+++ b/profiles/apparmor.d/opera
@ -6,6 +6,7 @@ include <tunables/global>
 profile opera /usr/lib/@{multiarch}/opera/opera flags=(unconfined) {
  userns,
  @{exec_path} mr,
  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/opera>
--- a/profiles/apparmor.d/ospf6d
+++ b/profiles/apparmor.d/ospf6d
@ -21,7 +21,7 @@ profile ospf6d /usr/lib/frr/ospf6d flags=(attach_disconnected) {
  capability net_raw,
  capability sys_admin,
-  /usr/lib/frr/ospf6d mr,
+  @{exec_path} mr,
  @{run}/netns/* r,
--- a/profiles/apparmor.d/ospfd
+++ b/profiles/apparmor.d/ospfd
@ -21,7 +21,7 @@ profile ospfd /usr/lib/frr/ospfd flags=(attach_disconnected) {
  capability net_raw,
  capability sys_admin,
-  /usr/lib/frr/ospfd mr,
+  @{exec_path} mr,
  @{run}/netns/* r,
--- a/profiles/apparmor.d/pageedit
+++ b/profiles/apparmor.d/pageedit
@ -6,6 +6,7 @@ include <tunables/global>
 profile pageedit /usr/bin/pageedit flags=(unconfined) {
  userns,
  @{exec_path} mr,
  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/pageedit>
--- a/profiles/apparmor.d/pathd
+++ b/profiles/apparmor.d/pathd
@ -17,7 +17,7 @@ profile pathd /usr/lib/frr/pathd flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/frr>
-  /usr/lib/frr/pathd mr,
+  @{exec_path} mr,
  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/pathd>
--- a/Show More
+++ b/Show More