profiles: give lsof CAP_DAC_READ_SEARCH and CAP_DAC_OVERRIDE

This is necessary for lsof run as root to be able to return results from processes run by other users. Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
2025-08-31 14:25:52 +00:00 · 2025-05-02 15:00:23 -07:00
parent e278575799
commit d9028aea4e
1 changed files with 2 additions and 0 deletions
--- a/profiles/apparmor.d/lsof
+++ b/profiles/apparmor.d/lsof
@@ -22,6 +22,8 @@ profile lsof /usr/bin/lsof flags=(attach_disconnected.path=/aa_disconnected/) {
  /usr/bin/lsof mr,

  capability sys_ptrace,
+  capability dac_read_search,
+  capability dac_override,
  ptrace read,

  mqueue getattr type=posix,