From 05ec9ee0f47d3b6ceb812475cce7c4f6972a04fc Mon Sep 17 00:00:00 2001
From: Nicolas Campuzano Jimenez
Date: Wed, 15 Jan 2025 18:32:19 -0500
Subject: [PATCH] Initial lsof profile (+ comments)
---
 profiles/apparmor.d/lsof | 38 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 38 insertions(+)
 create mode 100644 profiles/apparmor.d/lsof
diff --git a/profiles/apparmor.d/lsof b/profiles/apparmor.d/lsof
new file mode 100644
index 000000000..9034cd475
--- /dev/null
+++ b/profiles/apparmor.d/lsof
@@ -0,0 +1,38 @@
+#------------------------------------------------------------------
+# Copyright (C) 2024 Canonical Ltd.
+#
+# Author: Nicolas Campuzano Jimenez
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#------------------------------------------------------------------
+# vim: ft=apparmor
+#
+
+abi ,
+include
+
+profile lsof /usr/bin/lsof {
+ include
+
+ # Allow to read certain proc filesystem information
+ ptrace read,
+
+ # Networking-related rules for address resolution
+ @{sys}/etc/host.conf r,
+ @{sys}/etc/hosts r,
+ @{sys}/etc/nsswitch.conf r,
+ @{sys}/etc/passwd r,
+ @{sys}/etc/services r,
+ @{run}/systemd/resolve/stub-resolv.conf r,
+
+ # Access specific files (First wildcard matches PID
+ @{PROC}/*/stat r, # process-specific status info.
+ @{PROC}/*/task/ r, # info. about threads open by process
+ @{PROC}/*/fd/ r, # file descriptors in use by process
+ @{PROC}/*/fdinfo/* r, # further info. about file descriptors
+ @{PROC}/*/task/** r, # further info about threads open by process
+
+}
+
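Review bot: The five `@{sys}/etc/...` rules in the "Networking-related rules" block do not match the files they are meant to cover, because `@{sys}` is the tunable for `/sys/` (tunables/sys), so `@{sys}/etc/hosts` expands to `/sys/etc/hosts` and a name lookup by lsof would still be denied on `/etc/hosts`. The intent is the usual name-service set; either spell the paths literally (`/etc/host.conf r,`, `/etc/hosts r,`, and so on), collapse them to one rule `@{etc_ro}/{host.conf,hosts,nsswitch.conf,passwd,services} r,` if the tunables in use define `@{etc_ro}`, or replace the block with `include <abstractions/nameservice>`, which is the profile set's standard way to grant resolver access. Because the denial only surfaces when lsof resolves socket peers (i.e. a run without `-n`), it is worth confirming the fix against the audit log for such a run rather than a plain `lsof -n`. Separately, the comment `# Access specific files (First wildcard matches PID` has an unclosed parenthesis and should read `# Access specific files (first wildcard matches the PID)`.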