From ab1a455f0595a5f6a7b82fc955f3919093ee3fb6 Mon Sep 17 00:00:00 2001 From: pyllyukko Date: Sun, 2 Mar 2025 16:51:33 +0200 Subject: [PATCH] usr.bin.passwd profile fixes * passwd -e LOGIN was failing * Allow execution of /usr/sbin/nscd See: https://github.com/shadow-maint/shadow/blob/bee77ffc291dfed2a133496db465eaa55e2b0fec/lib/nscd.c#L23-L27 * Allow pam_passwdqc to read /etc/passwdqc.conf and passwdqc filter files (see https://www.openwall.com/passwdqc/) * Allow setuid & fsetid capabilities * Allow locking with /etc/shadow.PID & /etc/shadow.lock * Allow shadow backup /etc/shadow- and whatever /etc/shadow+ is used for --- profiles/apparmor/profiles/extras/usr.bin.passwd | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/profiles/apparmor/profiles/extras/usr.bin.passwd b/profiles/apparmor/profiles/extras/usr.bin.passwd index a137517c1..bdb2c6203 100644 --- a/profiles/apparmor/profiles/extras/usr.bin.passwd +++ b/profiles/apparmor/profiles/extras/usr.bin.passwd @@ -22,6 +22,8 @@ include capability chown, capability sys_resource, + capability setuid, + capability fsetid, /etc/.pwd.lock wk, /etc/pwdutils/logging r, @@ -29,6 +31,10 @@ include /etc/shadow rwl, /etc/shadow.old rwl, /etc/shadow.tmp?????? rwl, + /etc/shadow.[0-9]* rwl, + /etc/shadow.lock rwl, + /etc/shadow- rw, + /etc/shadow+ rw, @{PROC}/@{pid}/loginuid r, @@ -38,6 +44,9 @@ include /usr/share/cracklib/pw_dict.hwm r, /usr/share/cracklib/pw_dict.pwd r, /usr/share/cracklib/pw_dict.pwi r, + /etc/passwdqc.conf r, + /opt/passwdqc/*.pwq r, + /usr/sbin/nscd Px, # Site-specific additions and overrides. See local/README for details. include if exists
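Review bot: The new `capability setuid,` and `capability fsetid,` lines in the first hunk give a setuid-root binary two more root capabilities without saying which operation triggered them; the commit message only lists them, so a later reader cannot tell whether they come from passwd itself or from a PAM module it loads. For a least-privilege profile I would record the motivating denial next to each rule, along the lines of `# setuid/fsetid: seen when shadow rewrites /etc/shadow (aa-logprof) — re-check on profile updates`, and drop whichever one does not actually reappear in the audit log. That keeps the capability grants reviewable rather than cumulative.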
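Review bot: `/etc/shadow.[0-9]* rwl,` in the second hunk is wider than the PID-suffixed lock file it targets: in AppArmor `*` matches any run of non-`/` characters, so the rule also admits names like `/etc/shadow.1foo`. If this profile's tunables provide `@{int}` (the 4.0 abi does, if I recall correctly), `/etc/shadow.@{int} rwl,` limits it to digits; otherwise the present glob is acceptable but worth a comment. `/etc/shadow+ rw,` also needs a comment, since the commit message itself admits not knowing what the path is — as far as I recall shadow's commonio writes the new database to `<file>+` and renames it over `<file>`, with `<file>-` as the backup, so `# commonio staging copy, renamed over /etc/shadow; /etc/shadow- is the backup — confirm` would document why both get write access to shadow-sensitive data.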
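Review bot: `/usr/sbin/nscd Px,` in the last hunk fails closed when no profile for /usr/sbin/nscd is loaded — a `Px` transition with no target profile is denied — so on a host that loads only this profile the cache flush is refused instead of running unconfined. That is the safe direction, but it should be stated in the profile, e.g. `# Px: needs a loaded nscd profile (extras carry usr.sbin.nscd, I believe); exec is denied without one`. `/opt/passwdqc/*.pwq r,` is a site install location rather than a distribution path, and the profile already directs site additions to local/; I would either move it there or add a comment saying why it ships by default. The closing `include if exists` appears truncated in this rendering, presumably the `<local/...>` target was stripped, so I have not reviewed that line.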