From 45ae8f5d27af5d9d8d04738ab05fa32329b4c033 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol <alexandre@pujol.io>
Date: Thu, 30 May 2024 21:08:03 +0100
Subject: [PATCH] feat(abs): add pgrep.

---
 apparmor.d/abstractions/app/pgrep             | 25 +++++++++++++++++++
 apparmor.d/groups/gnome/gdm-generate-config   |  9 ++++++-
 apparmor.d/groups/kde/kded                    | 17 +------------
 apparmor.d/profiles-g-l/kanyremote            |  9 +------
 apparmor.d/profiles-g-l/logrotate             | 10 ++------
 .../profiles-s-z/spectre-meltdown-checker     | 10 +-------
 6 files changed, 38 insertions(+), 42 deletions(-)
 create mode 100644 apparmor.d/abstractions/app/pgrep

diff --git a/apparmor.d/abstractions/app/pgrep b/apparmor.d/abstractions/app/pgrep
new file mode 100644
index 00000000..a225ce11
--- /dev/null
+++ b/apparmor.d/abstractions/app/pgrep
@@ -0,0 +1,25 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Minimal set of rules for pgrep.
+
+  include <abstractions/consoles>
+
+  capability sys_ptrace,
+
+  ptrace read,
+
+  @{bin}/pgrep mr,
+
+  @{sys}/devices/system/node/ r,
+  @{sys}/devices/system/node/node@{int}/meminfo r,
+
+  @{PROC}/ r,
+  @{PROC}/@{pids}/cgroup r,
+  @{PROC}/@{pids}/cmdline r,
+  @{PROC}/@{pids}/stat r,
+  @{PROC}/sys/kernel/osrelease r,
+  @{PROC}/uptime r,
+
+  include if exists <abstractions/app/pgrep.d>
diff --git a/apparmor.d/groups/gnome/gdm-generate-config b/apparmor.d/groups/gnome/gdm-generate-config
index 00acd2c9..7d24d304 100644
--- a/apparmor.d/groups/gnome/gdm-generate-config
+++ b/apparmor.d/groups/gnome/gdm-generate-config
@@ -23,7 +23,7 @@ profile gdm-generate-config @{exec_path} {
   @{sh_path}         rix,
   @{bin}/dconf       rix,
   @{bin}/install     rix,
-  @{bin}/pgrep       rix,
+  @{bin}/pgrep       rCx -> pgrep,
   @{bin}/pkill       rix,
   @{bin}/setpriv     rix,
   @{bin}/setsid      rix,
@@ -46,5 +46,12 @@ profile gdm-generate-config @{exec_path} {
   @{PROC}/@{pid}/stat r,
   @{PROC}/uptime r,
 
+  profile pgrep {
+    include <abstractions/base>
+    include <abstractions/app/pgrep>
+
+    include if exists <local/gdm-generate-config_pgrep>
+  }
+
   include if exists <local/gdm-generate-config>
 }
\ No newline at end of file
diff --git a/apparmor.d/groups/kde/kded b/apparmor.d/groups/kde/kded
index 7c675c11..cb719c10 100644
--- a/apparmor.d/groups/kde/kded
+++ b/apparmor.d/groups/kde/kded
@@ -167,24 +167,9 @@ profile kded @{exec_path} {
 
   profile pgrep {
     include <abstractions/base>
-    include <abstractions/consoles>
+    include <abstractions/app/pgrep>
 
-    capability sys_ptrace,
-
-    ptrace (read),
-
-    @{bin}/pgrep mr,
-
-    @{sys}/devices/system/node/ r,
-    @{sys}/devices/system/node/node@{int}/meminfo r,
-
-    @{PROC}/ r,
-    @{PROC}/@{pids}/cgroup r,
-    @{PROC}/@{pids}/cmdline r,
-    @{PROC}/@{pids}/stat r,
-    @{PROC}/sys/kernel/osrelease r,
     @{PROC}/tty/drivers r,
-    @{PROC}/uptime r,
 
     include if exists <local/kded_pgrep>
   }
diff --git a/apparmor.d/profiles-g-l/kanyremote b/apparmor.d/profiles-g-l/kanyremote
index b9f22923..fb11c31c 100644
--- a/apparmor.d/profiles-g-l/kanyremote
+++ b/apparmor.d/profiles-g-l/kanyremote
@@ -90,14 +90,7 @@ profile kanyremote @{exec_path} {
 
   profile pgrep {
     include <abstractions/base>
-    include <abstractions/consoles>
-
-    @{bin}/pgrep mr,
-
-    # The /proc/ dir and the cmdline file have to be radable to avoid pgrep segfault.
-         @{PROC}/ r,
-         @{PROC}/@{pids}/cmdline r,
-    deny @{PROC}/sys/kernel/osrelease r,
+    include <abstractions/app/pgrep>
 
     /usr/share/anyremote/{,**} r,
 
diff --git a/apparmor.d/profiles-g-l/logrotate b/apparmor.d/profiles-g-l/logrotate
index 83f1ac55..ffc4099d 100644
--- a/apparmor.d/profiles-g-l/logrotate
+++ b/apparmor.d/profiles-g-l/logrotate
@@ -97,14 +97,8 @@ profile logrotate @{exec_path} flags=(attach_disconnected) {
 
   profile pgrep {
     include <abstractions/base>
-
-    @{bin}/pgrep mr,
-
-    # The /proc/ dir and the cmdline file have to be radable to avoid pgrep segfault.
-         @{PROC}/ r,
-         @{PROC}/@{pids}/cmdline r,
-         @{PROC}/sys/kernel/osrelease r,
-
+    include <abstractions/app/pgrep>
+  
     include if exists <local/logrotate_pgrep>
   }
 
diff --git a/apparmor.d/profiles-s-z/spectre-meltdown-checker b/apparmor.d/profiles-s-z/spectre-meltdown-checker
index 94fa14f0..2ff6defc 100644
--- a/apparmor.d/profiles-s-z/spectre-meltdown-checker
+++ b/apparmor.d/profiles-s-z/spectre-meltdown-checker
@@ -131,15 +131,7 @@ profile spectre-meltdown-checker @{exec_path} {
 
   profile pgrep {
     include <abstractions/base>
-    include <abstractions/consoles>
-
-    @{bin}/pgrep mr,
-
-    # The /proc/ dir and the cmdline file have to be radable to avoid pgrep segfault.
-         @{PROC}/ r,
-         @{PROC}/@{pids}/cmdline r,
-         @{PROC}/sys/kernel/osrelease r,
-         @{PROC}/uptime r,
+    include <abstractions/app/pgrep>
 
     include if exists <local/spectre-meltdown-checker_pgrep>
   }