mirror of
https://gitlab.com/apparmor/apparmor
synced 2025-08-21 17:47:10 +00:00
41 lines
987 B
Plaintext
41 lines
987 B
Plaintext
# apparmor.d - Full set of apparmor profiles
|
|
# Copyright (C) 2019-2021 Mikhail Morfikov
|
|
# SPDX-License-Identifier: GPL-2.0-only
|
|
|
|
# The apparmor.d project comes with several variables and abstractions
|
|
# that are not part of upstream AppArmor yet. Therefore this profile was
|
|
# adopted to use abstractions and variables that are available.
|
|
# Copyright (C) Christian Boltz 2024
|
|
|
|
abi <abi/4.0>,
|
|
|
|
include <tunables/global>
|
|
|
|
profile unix-chkpwd /{,usr/}{,s}bin/unix_chkpwd {
|
|
include <abstractions/base>
|
|
include <abstractions/nameservice>
|
|
|
|
# To write records to the kernel auditing log.
|
|
capability audit_write,
|
|
# To read shadow with 000 permissions.
|
|
capability dac_read_search,
|
|
|
|
network netlink raw,
|
|
|
|
@{exec_path} mr,
|
|
|
|
/etc/shadow r,
|
|
|
|
# systemd userdb, used in nspawn
|
|
/run/host/userdb/*.user r,
|
|
/run/host/userdb/*.user-privileged r,
|
|
|
|
# authd socket for PAM
|
|
@{run}/authd.sock rw,
|
|
|
|
# file_inherit
|
|
owner /dev/tty[0-9]* rw,
|
|
|
|
include if exists <local/unix-chkpwd>
|
|
}
|