From 35275230a8c174e7ebb374498452a1fb1c74a335 Mon Sep 17 00:00:00 2001
From: Ryan Lee
Date: Wed, 16 Apr 2025 16:47:18 -0700
Subject: [PATCH 1/2] profiles: add a who profile

Signed-off-by: Ryan Lee
---
 profiles/apparmor.d/who | 36 ++++++++++++++++++++++++++++++++++++
 1 file changed, 36 insertions(+)
 create mode 100644 profiles/apparmor.d/who

diff --git a/profiles/apparmor.d/who b/profiles/apparmor.d/who
new file mode 100644
index 000000000..ac7c7dee5
--- /dev/null
+++ b/profiles/apparmor.d/who
@@ -0,0 +1,36 @@
+abi ,
+include
+
+profile who /usr/bin/who {
+ include
+ # who can theoretically take an arbitrary file argument but there seems to be
+ # no common reason why one would want to pass a file not listed in the below
+ # abstraction, or their rotated equivalents
+ include
+ # rotated logs
+ /var/log/wtmp.@{d} r,
+ /var/log/btmp.@{d} r,
+
+ # Despite listing information about consoles, does not
+ # seem to be needed:
+ # - Current logged-in users and their terminals is grabbed from files listed
+ # in
+ # - Any additional information about the terminals is obtained via a
+ # combination of dirfd=openat(AT_FDCWD, "/dev", O_RDONLY|O_PATH|O_DIRECTORY)
+ # and newfstatat(dirfd, terminal_name, out_ptr)
+ # - O_PATH fds bypass mediation so /dev/ r, is not needed for the first step
+ # - fstatat does not require permissions on the file itself, as stated in its
+ # man page
+ # Overall result: the above calls are not mediated by LSMs
+
+ /usr/bin/who mr,
+
+ # who sends the "exists" signal via kill(pid, 0)
+ capability kill,
+
+ # Deny the writes allowed by abstractions/wutmp
+ audit deny /var/** w,
+ audit deny @{run}/utmp w,
+
+ include if exists
+}

From 4094bc1a05d38428ed5758a4286bd08dc3d1b2fb Mon Sep 17 00:00:00 2001
From: Ryan Lee
Date: Wed, 16 Apr 2025 16:49:52 -0700
Subject: [PATCH 2/2] profiles: add a smoke test for the who profile

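Review bot: The conclusion `# Overall result: the above calls are not mediated by LSMs` is only half supported: the `man page` argument it leans on describes DAC, whereas AppArmor does hook inode_getattr on mediated filesystems, so the `newfstatat(dirfd, terminal_name, out_ptr)` step on terminal files under `/dev` can still be refused unless some rule or included abstraction grants read/getattr on them, and since who tolerates that error the symptom would be missing terminal details plus audit noise rather than a visible failure. I would reword the comment to claim only what was verified, e.g. `# Overall result: the O_PATH open is not mediated; the fstatat may be — no denials seen on <tested release>`, and add a read rule for the terminal files if the audit log shows denials for `who -a`. Similarly, `capability kill` satisfies the CAP_KILL check for `kill(pid, 0)` against other users' processes, but the probe is also subject to AppArmor signal mediation (it maps to the `exists` signal), so a `signal (send) set=(exists),` rule may be needed next to it — again, if I recall coreutils correctly, who treats EPERM on that probe as "alive", so the only visible sign would be denial messages. Lastly, `/var/log/wtmp.@{d} r,` and the `btmp` twin match only a single-digit rotation suffix if `@{d}` is the one-digit tunable it appears to be; that is probably intended, but it deserves a word in the `# rotated logs` comment.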
Signed-off-by: Ryan Lee
---
 tests/profiles/who/task.yaml | 7 +++++++
 1 file changed, 7 insertions(+)
 create mode 100644 tests/profiles/who/task.yaml

diff --git a/tests/profiles/who/task.yaml b/tests/profiles/who/task.yaml
new file mode 100644
index 000000000..3bcd0fc1c
--- /dev/null
+++ b/tests/profiles/who/task.yaml
@@ -0,0 +1,7 @@
+summary: smoke test for the who profile
+execute: |
+ # who works when asked to grab everything
+ who -a
+
+ # The profile is attached based on the program path.
+ "$SPREAD_PATH"/tests/bin/actual-profile-of who | MATCH 'who \(enforce\)'
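Review bot: `who -a` on its own only proves a zero exit status, and who degrades silently when its `kill(pid, 0)` probe or the terminal `stat` is refused (it simply prints less), so this smoke test would still pass against a profile that is generating denials for exactly the paths the profile's comments argue are unmediated. Consider adding, after the `who -a` line, a check that no AppArmor denial was logged for the `who` profile during the run — using whatever audit-log helper the suite already provides, since none is visible from this hunk — and asserting on at least one line of the output rather than only the exit status. The `actual-profile-of` check with `MATCH 'who \(enforce\)'` is fine as written.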