From e448885b76328adb06f173df28c10cd0c5eb1b76 Mon Sep 17 00:00:00 2001
From: Hlib Korzhynskyy <hlib.korzhynskyy@canonical.com>
Date: Thu, 28 Nov 2024 15:37:48 -0330
Subject: [PATCH 1/5] Add lsblk profile

---
 profiles/apparmor.d/lsblk | 37 +++++++++++++++++++++++++++++++++++++
 1 file changed, 37 insertions(+)
 create mode 100644 profiles/apparmor.d/lsblk

diff --git a/profiles/apparmor.d/lsblk b/profiles/apparmor.d/lsblk
new file mode 100644
index 000000000..b6c12e0eb
--- /dev/null
+++ b/profiles/apparmor.d/lsblk
@@ -0,0 +1,37 @@
+#------------------------------------------------------------------
+#    Copyright (C) 2024 Canonical Ltd.
+#
+#    Author: Hlib Korzhynskyy <hlib.korzhynskyy@canonical.com>
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#------------------------------------------------------------------
+# vim: ft=apparmor
+#
+
+abi <abi/4.0>,
+include <tunables/global>
+
+profile lsblk /usr/bin/lsblk {
+  include <abstractions/base>
+
+  / r,
+
+  @{sys}/block/ r,
+  @{sys}/dev/block/ r,
+  @{sys}/devices/pci[0-9]*:[0-9]*/** r,
+  @{sys}/devices/virtual/** r,
+
+  @{run}/mount/** r,
+  @{run}/udev/data/** r,
+
+  @{PROC}/swaps r,
+  @{PROC}/*/mountinfo r,
+
+  /etc/nsswitch.conf r,
+  /etc/passwd r,
+  /etc/group r,
+
+  include if exists <local/lsblk>
+}

From 841cedb976025a47613a2db38fb45ebc674ff2ad Mon Sep 17 00:00:00 2001
From: Hlib Korzhynskyy <hlib.korzhynskyy@canonical.com>
Date: Fri, 29 Nov 2024 09:05:23 -0330
Subject: [PATCH 2/5] Remove root listing

---
 profiles/apparmor.d/lsblk | 2 --
 1 file changed, 2 deletions(-)

diff --git a/profiles/apparmor.d/lsblk b/profiles/apparmor.d/lsblk
index b6c12e0eb..3099fe949 100644
--- a/profiles/apparmor.d/lsblk
+++ b/profiles/apparmor.d/lsblk
@@ -16,8 +16,6 @@ include <tunables/global>
 profile lsblk /usr/bin/lsblk {
   include <abstractions/base>
 
-  / r,
-
   @{sys}/block/ r,
   @{sys}/dev/block/ r,
   @{sys}/devices/pci[0-9]*:[0-9]*/** r,

From aba2d18eb345ea58ff3e2b26a2a34e590c76a6b6 Mon Sep 17 00:00:00 2001
From: Hlib Korzhynskyy <hlib.korzhynskyy@canonical.com>
Date: Tue, 3 Dec 2024 10:49:29 -0330
Subject: [PATCH 3/5] Merge with other profile

---
 profiles/apparmor.d/lsblk | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)

diff --git a/profiles/apparmor.d/lsblk b/profiles/apparmor.d/lsblk
index 3099fe949..0e275eae3 100644
--- a/profiles/apparmor.d/lsblk
+++ b/profiles/apparmor.d/lsblk
@@ -15,21 +15,26 @@ include <tunables/global>
 
 profile lsblk /usr/bin/lsblk {
   include <abstractions/base>
+  include <abstractions/consoles>
+  include <abstractions/nameservice-strict>
+
+  capability dac_read_search,
 
   @{sys}/block/ r,
+  @{sys}/class/block/ r,
   @{sys}/dev/block/ r,
+
   @{sys}/devices/pci[0-9]*:[0-9]*/** r,
   @{sys}/devices/virtual/** r,
+  @{sys}/devices/platform/** r,
+
+  /dev/sr[0-9]* rk,
 
-  @{run}/mount/** r,
   @{run}/udev/data/** r,
 
+  @{run}/mount/** r,
   @{PROC}/swaps r,
-  @{PROC}/*/mountinfo r,
-
-  /etc/nsswitch.conf r,
-  /etc/passwd r,
-  /etc/group r,
+  owner @{PROC}/@{pid}/mountinfo r,
 
   include if exists <local/lsblk>
 }

From cd1dddc2226bcc3298dcbb895285d5c1ffab8083 Mon Sep 17 00:00:00 2001
From: Hlib Korzhynskyy <hlib.korzhynskyy@canonical.com>
Date: Tue, 3 Dec 2024 16:13:33 -0330
Subject: [PATCH 4/5] Remove read_search capability

---
 profiles/apparmor.d/lsblk | 2 --
 1 file changed, 2 deletions(-)

diff --git a/profiles/apparmor.d/lsblk b/profiles/apparmor.d/lsblk
index 0e275eae3..6d803c7fb 100644
--- a/profiles/apparmor.d/lsblk
+++ b/profiles/apparmor.d/lsblk
@@ -18,8 +18,6 @@ profile lsblk /usr/bin/lsblk {
   include <abstractions/consoles>
   include <abstractions/nameservice-strict>
 
-  capability dac_read_search,
-
   @{sys}/block/ r,
   @{sys}/class/block/ r,
   @{sys}/dev/block/ r,

From c6545b44bbe18ca86cd1a2a681fb14329df6cae8 Mon Sep 17 00:00:00 2001
From: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
Date: Thu, 23 Jan 2025 13:29:38 +0100
Subject: [PATCH 5/5] tests: add smoke test for lsblk

Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
Signed-off-by: Hlib Korzhynskyy <hlib.korzhynskyy@canonical.com>
---
 tests/profiles/lsblk/task.yaml | 7 +++++++
 1 file changed, 7 insertions(+)
 create mode 100644 tests/profiles/lsblk/task.yaml

diff --git a/tests/profiles/lsblk/task.yaml b/tests/profiles/lsblk/task.yaml
new file mode 100644
index 000000000..ca28b48e5
--- /dev/null
+++ b/tests/profiles/lsblk/task.yaml
@@ -0,0 +1,7 @@
+summary: smoke test for the lsblk profile
+execute: |
+    # The lsblk program seems to work.
+    lsblk | MATCH vda1
+
+    # The profile is attached based on the program path.
+    "$SPREAD_PATH"/tests/bin/actual-profile-of lsblk | MATCH 'lsblk \(enforce\)'