2021-04-01 17:17:47 +02:00
|
|
|
# apparmor.d - Full set of apparmor profiles
|
|
|
|
|
# Copyright (C) 2019-2021 Mikhail Morfikov
|
|
|
|
|
# SPDX-License-Identifier: GPL-2.0-only
|
2020-09-12 17:19:23 +02:00
|
|
|
|
2020-12-10 22:33:39 +01:00
|
|
|
abi <abi/3.0>,
|
2020-09-12 17:19:23 +02:00
|
|
|
|
2020-12-10 22:33:39 +01:00
|
|
|
include <tunables/global>
|
2020-09-12 17:19:23 +02:00
|
|
|
|
|
|
|
|
@{exec_path} = /{usr/,}bin/passwd
|
|
|
|
|
profile passwd @{exec_path} {
|
2020-12-10 22:33:39 +01:00
|
|
|
include <abstractions/base>
|
|
|
|
|
include <abstractions/wutmp>
|
|
|
|
|
include <abstractions/authentication>
|
|
|
|
|
include <abstractions/nameservice-strict>
|
2020-09-12 17:19:23 +02:00
|
|
|
|
|
|
|
|
# To write records to the kernel auditing log.
|
|
|
|
|
capability audit_write,
|
|
|
|
|
|
|
|
|
|
# To set the right permission to the files in the /etc/.
|
|
|
|
|
# Since passwd reads and writes from /etc/ directory, the write permissions are requried by it.
|
|
|
|
|
# Note that, /etc/shadow is never written by passwd. passwd actually writes to /etc/nshadow and
|
|
|
|
|
# renames /etc/nshadow to /etc/shadow.
|
|
|
|
|
capability chown,
|
|
|
|
|
capability fsetid,
|
|
|
|
|
|
|
|
|
|
# passwd is a SETUID binary, but it looks like it doesn't want this CAP.
|
|
|
|
|
#capability setuid,
|
|
|
|
|
|
2020-12-10 22:33:39 +01:00
|
|
|
network netlink raw,
|
|
|
|
|
|
2020-09-12 17:19:23 +02:00
|
|
|
@{exec_path} mr,
|
|
|
|
|
|
|
|
|
|
owner @{PROC}/@{pid}/loginuid r,
|
|
|
|
|
|
|
|
|
|
/etc/shadow rw,
|
|
|
|
|
/etc/nshadow rw,
|
|
|
|
|
|
|
|
|
|
# A process first uses lckpwdf() to lock the lock file, thereby gaining exclusive rights to
|
|
|
|
|
# modify the /etc/passwd or /etc/shadow password database.
|
|
|
|
|
/etc/.pwd.lock rwk,
|
|
|
|
|
|
2020-12-10 22:33:39 +01:00
|
|
|
include if exists <local/passwd>
|
2020-09-12 17:19:23 +02:00
|
|
|
}
|
