feat(abs): add pgrep.

apparmor.d/abstractions/app/pgrep

@@ -0,0 +1,25 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Minimal set of rules for pgrep.
+
+  include <abstractions/consoles>
+
+  capability sys_ptrace,
+
+  ptrace read,
+
+  @{bin}/pgrep mr,
+
+  @{sys}/devices/system/node/ r,
+  @{sys}/devices/system/node/node@{int}/meminfo r,
+
+  @{PROC}/ r,
+  @{PROC}/@{pids}/cgroup r,
+  @{PROC}/@{pids}/cmdline r,
+  @{PROC}/@{pids}/stat r,
+  @{PROC}/sys/kernel/osrelease r,
+  @{PROC}/uptime r,
+
+  include if exists <abstractions/app/pgrep.d>

apparmor.d/groups/gnome/gdm-generate-config

@@ -23,7 +23,7 @@ profile gdm-generate-config @{exec_path} {
   @{sh_path}         rix,
   @{bin}/dconf       rix,
   @{bin}/install     rix,
-  @{bin}/pgrep       rix,
+  @{bin}/pgrep       rCx -> pgrep,
   @{bin}/pkill       rix,
   @{bin}/setpriv     rix,
   @{bin}/setsid      rix,
@@ -46,5 +46,12 @@ profile gdm-generate-config @{exec_path} {
   @{PROC}/@{pid}/stat r,
   @{PROC}/uptime r,
 
+  profile pgrep {
+    include <abstractions/base>
+    include <abstractions/app/pgrep>
+
+    include if exists <local/gdm-generate-config_pgrep>
+  }
+
   include if exists <local/gdm-generate-config>
 }

apparmor.d/groups/kde/kded

@@ -167,24 +167,9 @@ profile kded @{exec_path} {
 
   profile pgrep {
     include <abstractions/base>
-    include <abstractions/consoles>
+    include <abstractions/app/pgrep>
 
-    capability sys_ptrace,
-
-    ptrace (read),
-
-    @{bin}/pgrep mr,
-
-    @{sys}/devices/system/node/ r,
-    @{sys}/devices/system/node/node@{int}/meminfo r,
-
-    @{PROC}/ r,
-    @{PROC}/@{pids}/cgroup r,
-    @{PROC}/@{pids}/cmdline r,
-    @{PROC}/@{pids}/stat r,
-    @{PROC}/sys/kernel/osrelease r,
     @{PROC}/tty/drivers r,
-    @{PROC}/uptime r,
 
     include if exists <local/kded_pgrep>
   }

apparmor.d/profiles-g-l/kanyremote

@@ -90,14 +90,7 @@ profile kanyremote @{exec_path} {
 
   profile pgrep {
     include <abstractions/base>
-    include <abstractions/consoles>
-
-    @{bin}/pgrep mr,
-
-    # The /proc/ dir and the cmdline file have to be radable to avoid pgrep segfault.
-         @{PROC}/ r,
-         @{PROC}/@{pids}/cmdline r,
-    deny @{PROC}/sys/kernel/osrelease r,
+    include <abstractions/app/pgrep>
 
     /usr/share/anyremote/{,**} r,
 

apparmor.d/profiles-g-l/logrotate

@@ -97,13 +97,7 @@ profile logrotate @{exec_path} flags=(attach_disconnected) {
 
   profile pgrep {
     include <abstractions/base>
-
-    @{bin}/pgrep mr,
-
-    # The /proc/ dir and the cmdline file have to be radable to avoid pgrep segfault.
-         @{PROC}/ r,
-         @{PROC}/@{pids}/cmdline r,
-         @{PROC}/sys/kernel/osrelease r,
+    include <abstractions/app/pgrep>
   
     include if exists <local/logrotate_pgrep>
   }

apparmor.d/profiles-s-z/spectre-meltdown-checker

@@ -131,15 +131,7 @@ profile spectre-meltdown-checker @{exec_path} {
 
   profile pgrep {
     include <abstractions/base>
-    include <abstractions/consoles>
-
-    @{bin}/pgrep mr,
-
-    # The /proc/ dir and the cmdline file have to be radable to avoid pgrep segfault.
-         @{PROC}/ r,
-         @{PROC}/@{pids}/cmdline r,
-         @{PROC}/sys/kernel/osrelease r,
-         @{PROC}/uptime r,
+    include <abstractions/app/pgrep>
 
     include if exists <local/spectre-meltdown-checker_pgrep>
   }