[ Avaa Bypassed ]

# Note: This profile does not specify an attachment path because it is
# intended to be used only via "Px -> lsb_release" exec transitions from
# other profiles. We want to confine the lsb_release(1) utility when it
# is invoked from other confined applications, but not when it is used
# in regular (unconfined) shell scripts or run directly by the user.

#include <tunables/global>

# Do not attach to /usr/bin/lsb_release by default
profile lsb_release {
  #include <abstractions/base>
  #include <abstractions/python>

  owner @{PROC}/@{pid}/fd/ r,

  /dev/tty rw,

  /usr/bin/lsb_release r,
  /usr/bin/python3.[0-9] mr,

  /etc/debian_version r,
  /etc/default/apport r,
  /etc/dpkg/origins/** r,
  /etc/lsb-release r,
  /etc/lsb-release.d/ r,

  /{usr/,}bin/bash ixr,
  /{usr/,}bin/dash ixr,
  /usr/bin/basename ixr,
  /usr/bin/dpkg-query ixr,
  /usr/bin/getopt ixr,
  /usr/bin/sed ixr,
  /usr/bin/tr ixr,

  # TODO - many more permissions needed for this to work
  deny /usr/bin/apt-cache x,

  /usr/bin/ r,
  /usr/include/python*/pyconfig.h r,
  /usr/share/distro-info/** r,
  /usr/share/dpkg/** r,
  /usr/share/terminfo/** r,
  /var/lib/dpkg/** r,

  # file_inherit
  deny /tmp/gtalkplugin.log w,

  # Site-specific additions and overrides. See local/README for details.
  #include <local/lsb_release>
}