This file is indexed.

/usr/bin/aa-exec-click is in click-apparmor 0.3.13.

This file is owned by root:root, with mode 0o755.

The actual contents of the file can be viewed below.

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
#!/bin/bash
# ------------------------------------------------------------------
#
#    Copyright (C) 2013 Canonical Ltd.
#
#    This program is free software; you can redistribute it and/or
#    modify it under the terms of version 2 of the GNU General Public
#    License published by the Free Software Foundation.
#
# ------------------------------------------------------------------

set -e

# Wrapper around aa-exec to set various click variables:
# https://wiki.ubuntu.com/SecurityTeam/Specifications/ApplicationConfinement#Launching_applications

usage() {
    echo "`basename $0` -p <profile> <args to aa-exec> -- <command> <arg1> ..."
}

profile=""
use_insecure_x=""
xpos=""
while getopts hxp: f ; do
    case "$f" in
        p) profile="$OPTARG";;
        x) use_insecure_x="yes"
           xpos=$((OPTIND-1))
           ;;
        h) usage; exit 0;;
        *) usage; exit 1;;
    esac
done

# strip -x from the list since we pass arguments straight to aa-exec
if [ -z "$xpos" ]; then
    if [ "$1" = "-x" ]; then
        shift
    fi
else
    set -- "${@:1:$((xpos-1))}" "${@:$((xpos+1)):$#}"
fi

if [ -z "$profile" ]; then
    usage
    exit 1
fi

# Perhaps there is a better way to detect this, but for now, this works
if [ -d "/tmp/.X11-unix" ]; then
    num_sockets=`ls -1 /tmp/.X11-unix | wc -l`
    if [ "$num_sockets" != "0" ] && [ "$use_insecure_x" != "yes" ]; then
        echo "Detected click app running under X! Aborting"
        exit 1
    fi
fi

# gnutriplet should be updated during package build
gnutriplet='x86_64-linux-gnu'

pkgname=`echo "$profile" | cut -d '_' -f 1`

# Make sure we have sane defaults based on the XDG spec
if [ -z "$XDG_CACHE_HOME" ]; then
    export XDG_CACHE_HOME="$HOME/.cache"
fi
if [ -z "$XDG_CONFIG_HOME" ]; then
    export XDG_CONFIG_HOME="$HOME/.config"
fi
if [ -z "$XDG_DATA_HOME" ]; then
    export XDG_DATA_HOME="$HOME/.local/share"
fi
if [ -z "$XDG_RUNTIME_DIR" ]; then
    export XDG_RUNTIME_DIR="/run/user/$(id -ru)" # Ubuntu-specific
fi

# Set up various environment variables based on the click install directory
# (click is guaranteed to be installed since click-apparmor Depends on it).
# Also, while 'click pkgdir' should only return a path with the click package
# name, and click package names follow Debian source package rules (see
# (Debian policy 5.6.1), let's be extra careful and filter out any ':' in the
# pkgdir
pkgdir=`click pkgdir "$pkgname" | sed 's/://g'` && {
    if [ -n "$pkgdir" ]; then
        if [ -n "$XDG_DATA_DIRS" ]; then
            export XDG_DATA_DIRS="$pkgdir:$XDG_DATA_DIRS"
        else
            export XDG_DATA_DIRS="$pkgdir:/usr/share"
        fi

        if [ -n "$PATH" ]; then
            export PATH="$pkgdir:$PATH"
        else
            export PATH="$pkgdir:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
        fi

        if [ "$gnutriplet" != "###GNUTRIPLET###" ]; then
            libdir="$pkgdir/lib/$gnutriplet"

            # We set PATH above, but if have compiled code, also prepend
            # $libdir/bin
            export PATH="$libdir/bin:$PATH"

            # LD_LIBRARY_PATH is searched forwards, so prepend
            if [ -n "$LD_LIBRARY_PATH" ]; then
                export LD_LIBRARY_PATH="$libdir:$pkgdir/lib:$LD_LIBRARY_PATH"
            else
                export LD_LIBRARY_PATH="$libdir:$pkgdir/lib"
            fi

            # QML2_IMPORT_PATH is search backwards, so append
            if [ -n "$QML2_IMPORT_PATH" ]; then
                export QML2_IMPORT_PATH="$QML2_IMPORT_PATH:$libdir"
            else
                export QML2_IMPORT_PATH="$libdir"
            fi
        fi
    fi
}

# This may be useful to apps
export APP_ID="$profile"

# Set application isolation environment
export UBUNTU_APPLICATION_ISOLATION=1
export TMPDIR="$XDG_RUNTIME_DIR/confined/$pkgname"
mkdir -p "$TMPDIR" || true
export __GL_SHADER_DISK_CACHE_PATH="$XDG_CACHE_HOME/$pkgname"

aa_exec="aa-exec"
if ! which $aa_exec >/dev/null ; then
    aa_exec="/usr/sbin/aa-exec"
fi
exec $aa_exec "$@"