lsb_release (1379B)
- # Note: This profile does not specify an attachment path because it is
- # intended to be used only via "Px -> lsb_release" exec transitions from
- # other profiles. We want to confine the lsb_release(1) utility when it
- # is invoked from other confined applications, but not when it is used
- # in regular (unconfined) shell scripts or run directly by the user.
- abi <abi/3.0>,
- include <tunables/global>
- # Do not attach to /usr/bin/lsb_release by default
- profile lsb_release {
- include <abstractions/base>
- include <abstractions/python>
- owner @{PROC}/@{pid}/fd/ r,
- /dev/tty rw,
- /usr/bin/lsb_release r,
- /usr/bin/python3.{1,}[0-9] mr,
- /etc/debian_version r,
- /etc/default/apport r,
- /etc/dpkg/origins/** r,
- /etc/lsb-release r,
- /etc/lsb-release.d/ r,
- /{usr/,}bin/bash ixr,
- /{usr/,}bin/dash ixr,
- /usr/bin/basename ixr,
- /usr/bin/dpkg-query ixr,
- /usr/bin/cat ixr,
- /usr/bin/cut ixr,
- /usr/bin/getopt ixr,
- /usr/bin/sed ixr,
- /usr/bin/tr ixr,
- # TODO - many more permissions needed for this to work
- deny /usr/bin/apt-cache x,
- /usr/bin/ r,
- /usr/include/python*/pyconfig.h r,
- /usr/share/distro-info/** r,
- /usr/share/dpkg/** r,
- /usr/share/terminfo/** r,
- /var/lib/dpkg/** r,
- # file_inherit
- deny /tmp/gtalkplugin.log w,
- # Site-specific additions and overrides. See local/README for details.
- include if exists <local/lsb_release>
- }