From 601e5ab35c523b8d32215e45d49d71f60791407f Mon Sep 17 00:00:00 2001
From: Alexandre Pujol <alexandre@pujol.io>
Date: Sun, 20 Jul 2025 14:46:22 +0200
Subject: [PATCH] feat(profile): add lsfd

---
 apparmor.d/groups/utils/lsfd      | 59 +++++++++++++++++++++++++++++++
 tests/integration/utils/lsfd.bats | 19 ++++++++++
 2 files changed, 78 insertions(+)
 create mode 100644 apparmor.d/groups/utils/lsfd
 create mode 100644 tests/integration/utils/lsfd.bats

diff --git a/apparmor.d/groups/utils/lsfd b/apparmor.d/groups/utils/lsfd
new file mode 100644
index 000000000..6b30f63a9
--- /dev/null
+++ b/apparmor.d/groups/utils/lsfd
@@ -0,0 +1,59 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/4.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{bin}/lsfd
+profile lsfd @{exec_path} flags=(attach_disconnected) {
+  include <abstractions/base>
+  include <abstractions/nameservice-strict>
+
+  capability checkpoint_restore,
+  capability dac_read_search,
+  capability sys_admin,
+  capability sys_ptrace,
+  capability sys_resource,
+  capability syslog,
+
+  network netlink dgram,
+  network netlink raw,
+
+  ptrace read,
+  ptrace trace,
+
+  mqueue (read create delete getattr) type=posix /.lsfd-mqueue-nodev-test:@{int},
+
+  @{exec_path} mr,
+
+  / r,
+  @{att}/ r,
+
+  owner @{att}/.lsfd-mqueue-nodev-test:@{int} rw,
+
+  @{run}/ r,
+  @{run}/netns/ r,
+
+  @{sys}/kernel/cpu_byteorder r,
+
+        @{PROC}/ r,
+        @{PROC}/@{pid}/ r,
+        @{PROC}/@{pid}/comm r,
+        @{PROC}/@{pid}/fd/ r,
+        @{PROC}/@{pid}/fdinfo/@{int} r,
+        @{PROC}/@{pid}/mountinfo r,
+        @{PROC}/@{pid}/net/* r,
+        @{PROC}/@{pid}/stat r,
+        @{PROC}/@{pid}/task/ r,
+        @{PROC}/devices r,
+        @{PROC}/misc r,
+        @{PROC}/partitions r,
+        @{PROC}/tty/drivers r,
+  owner @{PROC}/@{pid}/syscall r,
+
+  include if exists <local/lsfd>
+}
+
+# vim:syntax=apparmor
diff --git a/tests/integration/utils/lsfd.bats b/tests/integration/utils/lsfd.bats
new file mode 100644
index 000000000..bf0c4de0c
--- /dev/null
+++ b/tests/integration/utils/lsfd.bats
@@ -0,0 +1,19 @@
+#!/usr/bin/env bats
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+load ../common
+
+@test "lsfd: List all open file descriptors" {
+    lsfd
+}
+
+@test "lsfd: List all files kept open by a specific program" {
+    sudo lsfd --filter 'PID == 1'
+}
+
+@test "lsfd: List open IPv4 or IPv6 sockets" {
+    sudo lsfd -i4
+    sudo lsfd -i6
+}