mir/apparmor
2
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor synced 2025-08-31 22:35:35 +00:00
Code Issues Releases Wiki Activity

usr.bin.passwd profile fixes

Browse Source 
* passwd -e LOGIN was failing
* Allow execution of /usr/sbin/nscd
  See: bee77ffc29/lib/nscd.c (L23-L27)
* Allow pam_passwdqc to read /etc/passwdqc.conf and passwdqc filter
  files (see https://www.openwall.com/passwdqc/)
* Allow setuid & fsetid capabilities
* Allow locking with /etc/shadow.PID & /etc/shadow.lock
* Allow shadow backup /etc/shadow- and whatever /etc/shadow+ is used for
This commit is contained in:
pyllyukko
2025-03-02 16:51:33 +02:00
parent bf2054d963
commit ab1a455f05
1 changed files with 9 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
profiles/apparmor/profiles/extras/usr.bin.passwd
View File

@@ -22,6 +22,8 @@ include <tunables/global>
capability chown, capability chown,
capability sys_resource, capability sys_resource,
capability setuid,
capability fsetid,
/etc/.pwd.lock wk, /etc/.pwd.lock wk,
/etc/pwdutils/logging r, /etc/pwdutils/logging r,
@@ -29,6 +31,10 @@ include <tunables/global>
/etc/shadow rwl, /etc/shadow rwl,
/etc/shadow.old rwl, /etc/shadow.old rwl,
/etc/shadow.tmp?????? rwl, /etc/shadow.tmp?????? rwl,
/etc/shadow.[0-9]* rwl,
/etc/shadow.lock rwl,
/etc/shadow- rw,
/etc/shadow+ rw,
@{PROC}/@{pid}/loginuid r, @{PROC}/@{pid}/loginuid r,
@@ -38,6 +44,9 @@ include <tunables/global>
/usr/share/cracklib/pw_dict.hwm r, /usr/share/cracklib/pw_dict.hwm r,
/usr/share/cracklib/pw_dict.pwd r, /usr/share/cracklib/pw_dict.pwd r,
/usr/share/cracklib/pw_dict.pwi r, /usr/share/cracklib/pw_dict.pwi r,
/etc/passwdqc.conf r,
/opt/passwdqc/*.pwq r,
/usr/sbin/nscd Px,
# Site-specific additions and overrides. See local/README for details. # Site-specific additions and overrides. See local/README for details.
include if exists <local/usr.bin.passwd> include if exists <local/usr.bin.passwd>