Initial lsof profile (+ comments)

2025-08-29 13:28:19 +00:00 · 2025-01-15 18:32:19 -05:00 · 2025-01-15 18:32:19 -05:00 · 05ec9ee0f4
commit 05ec9ee0f4
parent 9b43c479a8
1 changed files with 38 additions and 0 deletions
--- a/profiles/apparmor.d/lsof
+++ b/profiles/apparmor.d/lsof
@ -0,0 +1,38 @@
+#------------------------------------------------------------------
+# Copyright (C) 2024 Canonical Ltd.
+#
+# Author: Nicolas Campuzano Jimenez <nicolas.campuzano@canonical.com>
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#------------------------------------------------------------------
+# vim: ft=apparmor
+#
+
+abi <abi/4.0>,
+include <tunables/global>
+
+profile lsof /usr/bin/lsof {
+  include <abstractions/base>
+
+  # Allow to read certain proc filesystem information
+  ptrace read,
+
+  # Networking-related rules for address resolution
+  @{sys}/etc/host.conf r,
+  @{sys}/etc/hosts r,
+  @{sys}/etc/nsswitch.conf r,
+  @{sys}/etc/passwd r,
+  @{sys}/etc/services r,
+  @{run}/systemd/resolve/stub-resolv.conf r,
+
+  # Access specific files (First wildcard matches PID
+  @{PROC}/*/stat r, # process-specific status info.
+  @{PROC}/*/task/ r, # info. about threads open by process
+  @{PROC}/*/fd/ r, # file descriptors in use by process
+  @{PROC}/*/fdinfo/* r, # further info. about file descriptors
+  @{PROC}/*/task/** r, # further info about threads open by process
+
+}
+