From 8a27caaef5e0bca1fe0c77b72c6bc42e28dd2ffb Mon Sep 17 00:00:00 2001
From: Maximilian Hils
Date: Wed, 13 Nov 2024 14:05:15 +0100
Subject: [PATCH] apparmor: add read permission for executables
---
 examples/apparmorprofile-sleep.yaml | 2 +-
 internal/pkg/daemon/apparmorprofile/crd2armor/crd2armor.go | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/examples/apparmorprofile-sleep.yaml b/examples/apparmorprofile-sleep.yaml
index d64b9d8b78..8cae12df8f 100644
--- a/examples/apparmorprofile-sleep.yaml
+++ b/examples/apparmorprofile-sleep.yaml
@@ -6,7 +6,7 @@ policy: |2
 # Executable rules
- /bin/busybox ix,
+ /bin/busybox ixr,
 /lib/ld-musl-x86_64.so.1 mr,
diff --git a/internal/pkg/daemon/apparmorprofile/crd2armor/crd2armor.go b/internal/pkg/daemon/apparmorprofile/crd2armor/crd2armor.go
index a5b3103321..3ad8d1c2cf 100644
--- a/internal/pkg/daemon/apparmorprofile/crd2armor/crd2armor.go
+++ b/internal/pkg/daemon/apparmorprofile/crd2armor/crd2armor.go
@@ -32,7 +32,7 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
 # Executable rules
 {{ if ne .Abstract.Executable nil }}{{ if ne .Abstract.Executable.AllowedExecutables nil }}
-{{range $allowed := .Abstract.Executable.AllowedExecutables}} {{$allowed}} ix,
+{{range $allowed := .Abstract.Executable.AllowedExecutables}} {{$allowed}} ixr,
 {{end}}{{end}}
 {{ if ne .Abstract.Executable.AllowedLibraries nil }}
 {{range $allowedlib := .Abstract.Executable.AllowedLibraries}} {{$allowedlib}} mr,
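Review bot: The `ixr` on the `{{range $allowed := .Abstract.Executable.AllowedExecutables}}` line grants read on every allowed executable unconditionally, and neither the template nor the commit message says why execute permission alone is not enough. If an AllowedExecutables entry can be a glob or directory pattern (not visible in this hunk), every matching file becomes readable by the confined workload, which is a wider grant than the field name suggests. I would record the reason in the generated profile by changing the `# Executable rules` line to something like `# Executable rules (read is granted together with ix: <reason>)`, and mention the read grant wherever AllowedExecutables is documented. The diffstat lists only the example manifest and this template, so any test that pins the rendered profile text would presumably still expect `ix,` and need the same update. The template string starts and ends outside the hunk.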