From 667816fe43edbe932eaf15d9f74664eac8611e37 Mon Sep 17 00:00:00 2001
From: Octavio Galland
Date: Fri, 13 Dec 2024 12:44:48 -0300
Subject: [PATCH] explictly allow binaries from certain directories
---
 profiles/apparmor.d/tar | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/profiles/apparmor.d/tar b/profiles/apparmor.d/tar
index 3de266340..dd314a9ea 100644
--- a/profiles/apparmor.d/tar
+++ b/profiles/apparmor.d/tar
@@ -17,7 +17,9 @@ profile tar /usr/bin/tar {
 file rwl /**,
 # tar can be made to filter archives through an arbitrary program
- /** mrwlkix,
+ /{usr{/local,},}/{bin,sbin}/* Pix,
+ /opt/** Pix,
+ @{HOME}/bin/* Pix,
 # used to extract user files as root
 capability chown,
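Review bot: The three `Pix` rules fall back to inheriting the tar profile whenever the matched helper has no profile of its own, so such a helper keeps the `file rwl /**` and `capability chown` visible in this hunk. That matters most for `/opt/** Pix,` and `@{HOME}/bin/* Pix,`: `@{HOME}/bin` is writable by its owner and `/opt` trees are sometimes installed with non-root ownership, while the profile is also meant for tar running as root. Consider narrowing the `/opt` match to the directories that actually hold helpers, for example `/opt/*/bin/* Pix,`, or confirm that the any-depth match is intended. The comment above the rules still says "an arbitrary program" and would be more accurate as `# tar filters archives through helper programs; only helpers in these directories may be executed`. The profile body continues outside the hunk.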