From ad6833bb3497002833476ffbc5739e53849fcaed Mon Sep 17 00:00:00 2001 From: John Johansen Date: Fri, 9 Jun 2023 08:45:20 +0000 Subject: [PATCH] Merge abstractions/authentication: Add GSSAPI mechanism modules config Found in testing a slimmed-down `usr.sbin.sshd` profile: ``` Jun 8 21:09:37 testvm kernel: [ 54.770501] audit: type=1400 audit(1686272977.933:67): apparmor="DENIED" operation="open" profile="/usr/sbin/sshd" name="/etc/gss/mech.d/" pid=1036 comm="sshd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 ``` ([Reference](https://web.mit.edu/kerberos/krb5-1.21/doc/admin/host_config.html#gssapi-mechanism-modules) for GSSAPI mechanism modules) MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1049 Approved-by: John Johansen Merged-by: John Johansen (cherry picked from commit b41fcdce16b9db575f6173417e4027319fc0f810) Signed-off-by: John Johansen --- profiles/apparmor.d/abstractions/authentication | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/profiles/apparmor.d/abstractions/authentication b/profiles/apparmor.d/abstractions/authentication index d5dbd83ad..65cd0d72f 100644 --- a/profiles/apparmor.d/abstractions/authentication +++ b/profiles/apparmor.d/abstractions/authentication @@ -31,6 +31,11 @@ /{usr/,}lib/@{multiarch}/security/pam_*.so mr, /{usr/,}lib/@{multiarch}/security/ r, + # gssapi + @{etc_ro}/gss/mech r, + @{etc_ro}/gss/mech.d/ r, + @{etc_ro}/gss/mech.d/*.conf r, + # kerberos include # SuSE's pwdutils are different:
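Review bot: The three rules added under `# gssapi` grant read access to the mechanism configuration only, and the denial quoted in the commit message shows just the open of `/etc/gss/mech.d/`. Nothing visible in this hunk establishes that the shared objects named in those config files can be loaded under this abstraction, so a profile that includes it may clear this denial and then log a second one once a mechanism is actually configured. Please confirm with a non-empty `mech.d/` in the test VM, and if further denials appear, add the module rule here rather than in each consuming profile. Because this is a shared abstraction, every profile that includes `abstractions/authentication` gains these reads. Keeping them at `r` and limiting the glob to `*.conf` is suitably narrow. A minor style point: the comment could read `# GSSAPI mechanism modules config` so that it matches the commit subject.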