Merge Add zgrep and xzgrep profile

This prevents exploiting https://www.openwall.com/lists/oss-security/2022/04/08/2
aka CVE-2022-1271 (file write and code execution via "funny" filenames)

I propose this addition for 3.0 and master.

(Tested on openSUSE Tumbleweed - tests on other distros welcome ;-)

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/870
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: John Johansen <john@jjmx.net>

profiles/apparmor.d/zgrep

@@ -0,0 +1,59 @@
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2022 Christian Boltz
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+profile zgrep /usr/bin/{x,}zgrep {
+  include <abstractions/base>
+  include <abstractions/bash>
+
+  /dev/tty rw,
+  /usr/bin/{ba,da,}sh ix,
+  /usr/bin/bzip2 Cx -> helper,
+  /usr/bin/cat ix,
+  /usr/bin/grep Cx -> helper,
+  /usr/bin/gzip Cx -> helper,
+  /usr/bin/mktemp ix,
+  /usr/bin/rm ix,
+  /usr/bin/sed Cx -> sed,
+  /usr/bin/xz Cx -> helper,
+  /usr/bin/xzgrep r,
+  /usr/bin/zgrep Cx -> helper,
+  owner /tmp/zgrep* rw,
+  /usr/bin/zgrep r,
+
+  include if exists <local/zgrep>
+
+  profile helper {
+    include <abstractions/base>
+
+    capability dac_override,
+    capability dac_read_search,
+
+    /usr/bin/{ba,da,}sh ix,
+    /usr/bin/bzip2 mr,
+    /usr/bin/grep mr,
+    /usr/bin/gzip mr,
+    /usr/bin/xz mr,
+    /{,**} r,
+
+  }
+
+  profile sed {
+    include <abstractions/base>
+
+    /dev/tty rw,
+    /usr/bin/{ba,da,}sh ix,
+    /usr/bin/sed mr,
+
+  }
+}