This file is indexed.

/usr/sbin/aa-update-browser is in apparmor-utils 2.11.0-3+deb9u2.

This file is owned by root:root, with mode 0o755.

The actual contents of the file can be viewed below.

#!/bin/sh
#
# Copyright (C) 2010 Canonical, Ltd.
# Author: Jamie Strandboge <jamie@canonical.com>
# License: GPLv2
#
# Program for updating browser abstractions in Ubuntu. The program will
# search the specified profile for an include directive for a file in
# abstractions/ubuntu-browsers.d and update this file with the specified
# browsers abstractions.

# Stop at the first command that fails without being handled.
set -e

# Directory holding the browser abstraction snippets; $reldir is also the
# form in which '#include <...>' lines in profiles refer to it.
topdir="/etc/apparmor.d"
reldir="abstractions/ubuntu-browsers.d"
dir="${topdir}/${reldir}"

# Nothing can be listed or updated without the abstractions directory.
[ -d "$dir" ] || {
    echo "'$dir' is not a directory" >&2
    exit 1
}

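# Print the usage text on stdout.
# Arguments: none
# Outputs:   program name, option summary and two example invocations
help() {
    # ${0##*/} replaces the unquoted `basename $0`, which word-split and
    # glob-expanded the script path when it contained such characters.
    cat <<EOM
${0##*/}

Usage: ${0##*/} [OPTIONS] <profile>
  -u		comma separated list of abstractions for profile to use
  -d		dry-run. Only show what would be done.
  -l		list available abstractions
  -h		this message

Eg:
$ aa-update-browser -l
# aa-update-browser -u multimedia,productivity /etc/apparmor.d/usr.bin.firefox
EOM
}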

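# Print the file name of the ubuntu-browsers.d include used by a profile.
# Globals:   reldir (read); fn and r are assigned (no 'local' in plain sh)
# Arguments: $1 - path of the profile to search
# Outputs:   the include's base name on stdout; when no matching
#            '#include <$reldir/...>' line exists, a diagnostic on stderr
#            and nothing on stdout
# Returns:   0 in both cases; the caller detects failure by empty output
find_browser_include() {
    fn="$1"
    # 'grep -E' replaces the obsolescent 'egrep' alias, which newer GNU grep
    # warns about on stderr. '--' keeps a profile path that starts with '-'
    # from being parsed as an option.
    r=$(grep -E -- " *#include <$reldir/.*> *(|#.*)" "$fn" | cut -f 2 -d '<' | cut -f 1 -d '>')
    if [ -z "$r" ]; then
        echo "Could not find '#include <$reldir/...>' in" >&2
        echo "$fn" >&2
        return
    fi
    # The name is taken from the profile's own text and the caller uses it as
    # a file name under $dir; basename keeps only the last path component.
    # NOTE(review): '.' and '..' still pass through here.
    basename "$r"
}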

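# Collect the names of the abstractions available in $dir as a
# space-separated list. Files generated by this program are left out.
existing_abstractions=""
# "$dir" is quoted so only the trailing '*' is subject to globbing.
for i in "$dir"/* ; do
    # Skip empty files. This also covers the literal pattern that is left
    # behind when the glob matches nothing.
    if [ ! -s "$i" ]; then
        continue
    fi

    # A first line starting with this marker is the header this program
    # writes into per-profile include files; those are not abstractions.
    # 'head -n 1' replaces the obsolete 'head -1' spelling.
    if head -n 1 "$i" | grep -q '^# This file is updated' ; then
        continue
    fi

    # This has a leading space, which we use below.
    # ${i##*/} replaces the unquoted `basename $i`, which would split or
    # glob-expand unusual file names.
    existing_abstractions="$existing_abstractions ${i##*/}"
done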

# Option parsing:
#   -d        dry run (dryrun="yes")
#   -u LIST   comma separated abstractions to write (kept in $updated)
#   -l        print the available abstractions and exit 0
#   -h        print usage and exit 0
# Any other option prints usage and exits 1.
dryrun=
updated=
while getopts "dhlu:" opt; do
    case "$opt" in
        d)
            dryrun="yes"
            ;;
        u)
            updated="$OPTARG"
            ;;
        h)
            help
            exit 0
            ;;
        l)
            echo "$existing_abstractions"
            exit 0
            ;;
        ?)
            help
            exit 1
            ;;
    esac
done
# Drop the parsed options so that "$1" is the first profile path.
shift $((OPTIND - 1))

# At least one profile is required.
[ -n "$1" ] || {
    help
    exit 1
}

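# Regenerate the ubuntu-browsers.d include file of every profile named on
# the command line.
# Globals read: dir, reldir, existing_abstractions, updated, dryrun.
# Exits 1 at the first profile that is missing or empty, has no
# '#include <$reldir/...>' line, or whose include target is an existing
# abstraction or something other than a regular file.

# Remove a half-written temp file when 'set -e' or an explicit exit ends the
# script between mktemp and the final mv.
tmp=""
trap '[ -z "$tmp" ] || rm -f -- "$tmp"' EXIT

# "$@" keeps profile paths with whitespace or glob characters intact.
for p in "$@"; do
    if [ ! -s "$p" ]; then
        echo "Could not find '$p'" >&2
        exit 1
    fi

    include=$(find_browser_include "$p")
    if [ -z "$include" ]; then
        exit 1
    fi

    # $include is text read from the profile, so it is matched as a fixed
    # string (-F). As a regex, a name containing metacharacters could fail to
    # match itself and slip past this overwrite guard.
    if printf '%s\n' "$existing_abstractions" | grep -Fq -- " $include" ; then
        echo "'$reldir/$include' is an existing abstraction" >&2
        exit 1
    fi

    # The include name is only reduced with basename, so it can still be
    # '.', '..' or the name of a directory. Refuse anything that exists and
    # is not a regular file instead of moving the temp file into it.
    if [ -e "$dir/$include" ] && [ ! -f "$dir/$include" ]; then
        echo "'$dir/$include' is not a regular file" >&2
        exit 1
    fi

    tmp=$(mktemp)
    plugins_common_path="$dir/plugins-common"
    cat > "$tmp" <<EOM
# This file is updated by '${0##*/}' and may be overwritten on
# upgrades.
#
# For site-specific adjustments, please see /etc/apparmor.d/local/<binary>

EOM
    # Split the -u list on commas with globbing switched off, so a value
    # such as '*' stays a name and is not expanded against the current
    # directory. The tr set is quoted for the same reason.
    set -f
    for a in $(printf '%s\n' "$updated" | tr ',' ' '); do
        # Literal whole-name comparison: $a is user input and must not be
        # interpreted as a regular expression.
        case " $existing_abstractions " in
            *" $a "*) ;;
            *)
                echo "'$a' is not an existing abstraction. Skipping." >&2
                continue
                ;;
        esac
        if [ -f "$dir/$a" ]; then
            # TODO: add $plugins_common_path only for those browser abstractions
            # that actually need it.
            # plugins-common is emitted once, before the first abstraction.
            if [ -n "$plugins_common_path" ] && [ -e "$plugins_common_path" ]; then
                echo "#include <$reldir/${plugins_common_path##*/}>" >> "$tmp"
                plugins_common_path=""
            fi
            echo "#include <$reldir/$a>" >> "$tmp"
        else
            echo "Skipping '$a' (not found in '$dir')" >&2
            continue
        fi
    done
    set +f

    if [ "$dryrun" = "yes" ]; then
        echo "Skipping commit to '$dir/$include' (dry run)" >&2
        cat "$tmp"
        rm -f "$tmp"
        tmp=""
        continue
    fi
    # Set the final mode on the temp file before the move, so the file
    # appears under $dir already 0644 and chmod only ever touches a file
    # this script created.
    chmod 644 "$tmp"
    mv -f "$tmp" "$dir/$include" || {
        rm -f "$tmp"
        exit 1
    }
    tmp=""
done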