From 68d42c3e378c33b12ec5084ed1c90742f62f568c Mon Sep 17 00:00:00 2001 From: Christian Boltz Date: Sun, 6 Oct 2024 11:05:52 +0200 Subject: [PATCH] zgrep: allow reading /etc/nsswitch.conf and /etc/passwd Seen on various VMs, my guess is that bash wants to translate a uid to a username. Log events (slightly shortened) apparmor="DENIED" operation="open" class="file" profile="zgrep" name="/etc/nsswitch.conf" comm="zgrep" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 apparmor="DENIED" operation="open" class="file" profile="zgrep" name="/etc/passwd" comm="zgrep" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 --- profiles/apparmor.d/zgrep | 2 ++ 1 file changed, 2 insertions(+) diff --git a/profiles/apparmor.d/zgrep b/profiles/apparmor.d/zgrep index 533b3d4a7..75516be11 100644 --- a/profiles/apparmor.d/zgrep +++ b/profiles/apparmor.d/zgrep @@ -17,6 +17,8 @@ profile zgrep /usr/bin/{x,}zgrep { include /dev/tty rw, + @{etc_ro}/nsswitch.conf r, + /etc/passwd r, /usr/bin/{ba,da,}sh ix, /usr/bin/bzip2 Cx -> helper, /usr/bin/cat ix,
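Review bot: The two rules added after `/dev/tty rw,` have no comment and are spelled inconsistently: `nsswitch.conf` goes through the `@{etc_ro}` tunable while `/etc/passwd` is hard-coded. If the narrower path is deliberate, say so in a comment; otherwise write `@{etc_ro}/passwd r,` so both rules follow the same tunable. A line above them such as `# shell maps uid -> username via NSS; only these two files, not abstractions/nameservice` would record why the grant is this narrow and discourage a later swap to the much broader abstraction. The commit message calls the cause a guess, so it is worth confirming which process does the read, and whether the `helper` child profile (reached via `Cx -> helper`, outside this hunk) hits the same denials. The profile body continues past the end of the hunk.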