[Extended to include the fix from https://gitlab.com/apparmor/apparmor/-/merge_requests/873] [Extended to include the fix from https://gitlab.com/apparmor/apparmor/-/merge_requests/892] From 3a3b49ccd93d00cbc373319b90c6acecdd6f45fa Mon Sep 17 00:00:00 2001 From: Christian Boltz Date: Sun, 10 Apr 2022 15:03:08 +0200 Subject: [PATCH] Add zgrep and xzgrep profile This prevents exploiting https://www.openwall.com/lists/oss-security/2022/04/08/2 (code execution via "funny" filenames) --- profiles/apparmor.d/zgrep | 59 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 profiles/apparmor.d/zgrep Index: apparmor-3.0.4/profiles/apparmor.d/zgrep =================================================================== --- /dev/null +++ apparmor-3.0.4/profiles/apparmor.d/zgrep 
@@ -0,0 +1,66 @@ +# ------------------------------------------------------------------ +# +# Copyright (C) 2022 Christian Boltz +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +abi , + +include + +profile zgrep /usr/bin/{x,}zgrep { + include + include + + /dev/tty rw, + /usr/bin/{ba,da,}sh ix, + /usr/bin/bzip2 Cx -> helper, + /usr/bin/cat ix, + /usr/bin/egrep Cx -> helper, + /usr/bin/expr ix, + /usr/bin/fgrep Cx -> helper, + /usr/bin/grep Cx -> helper, + /usr/bin/gzip Cx -> helper, + /usr/bin/mktemp ix, + /usr/bin/rm ix, + /usr/bin/sed Cx -> sed, + /usr/bin/xz Cx -> helper, + /usr/bin/xzgrep r, + /usr/bin/zgrep Cx -> helper, + /usr/bin/zstd Cx -> helper, + owner /tmp/zgrep* rw, + /usr/bin/zgrep r, + + include if exists + + profile helper { + include + + capability dac_override, + capability dac_read_search, + + /dev/tty w, + + /usr/bin/{ba,da,}sh ix, + /usr/bin/bzip2 mr, + /usr/bin/grep mrix, + /usr/bin/gzip mr, + /usr/bin/xz mr, + /usr/bin/zstd mr, + /{,**} r, + + } + + profile sed { + include + + /dev/tty rw, + /usr/bin/{ba,da,}sh ix, + /usr/bin/sed mr, + + } +}
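Review bot: `capability dac_override,` in the `helper` subprofile is broader than the job needs; `dac_read_search` already lets the confined grep/gzip/xz/zstd read and traverse files it does not own, and the only file permission the subprofile grants is `/{,**} r,`, so `dac_override` adds nothing legitimate here. Suggest dropping that line and keeping just `capability dac_read_search,`, which also keeps the attack surface of a shell spawned through a crafted filename to read-only access plus the small set of `ix`/`Cx` binaries the profile lists. Two smaller points: the hunk header `@@ -0,0 +1,66 @@` no longer matches the diffstat (`59 insertions(+)`) after folding in MR 873 and 892, so the diffstat should be regenerated; and the `abi ,`, `include` and `include if exists` lines appear here without their `<...>` targets, which is not valid profile syntax as shown, so confirm the committed file carries the full `abi <...>` and `include <abstractions/...>` targets before merging.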