From 1eead1e773eff0bae7bdae5e0e667cd45575b8a7 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol <alexandre@pujol.io>
Date: Wed, 15 Sep 2021 20:42:26 +0100
Subject: [PATCH] Add apparmor_parser.

---
 apparmor.d/profiles-a-f/apparmor_parser | 30 +++++++++++++++++++++++++
 profiles.flags                          |  1 +
 2 files changed, 31 insertions(+)
 create mode 100644 apparmor.d/profiles-a-f/apparmor_parser

diff --git a/apparmor.d/profiles-a-f/apparmor_parser b/apparmor.d/profiles-a-f/apparmor_parser
new file mode 100644
index 00000000..b02d2356
--- /dev/null
+++ b/apparmor.d/profiles-a-f/apparmor_parser
@@ -0,0 +1,30 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /{usr/,}bin/apparmor_parser
+profile apparmor_parser @{exec_path} {
+  include <abstractions/base>
+
+  capability mac_admin,
+
+  @{exec_path} mr,
+
+  /etc/apparmor/{,**} r,
+  /etc/apparmor.d/{,**} r,
+
+  owner /var/cache/apparmor/{,**} rw,
+  owner /var/lib/docker/tmp/docker-default[0-9]* r,
+
+  owner @{sys}/kernel/security/apparmor/{,**} r,
+  owner @{sys}/kernel/security/apparmor/.{remove,replace,load,access} rw,
+
+  owner @{PROC}/@{pid}/mounts r,
+  owner @{PROC}/sys/kernel/osrelease r,
+
+  include if exists <local/apparmor_parser>
+}
\ No newline at end of file
diff --git a/profiles.flags b/profiles.flags
index b2e98abb..a1544940 100644
--- a/profiles.flags
+++ b/profiles.flags
@@ -1,6 +1,7 @@
 acpid attach_disconnected,complain
 adb complain
 agetty complain
+apparmor_parser complain
 arch-audit complain
 at-spi-bus-launcher attach_disconnected
 auditd complain