diff --git a/apparmor.d/profiles-m-r/newgidmap b/apparmor.d/profiles-m-r/newgidmap
new file mode 100644
index 00000000..2da77d9b
--- /dev/null
+++ b/apparmor.d/profiles-m-r/newgidmap
@@ -0,0 +1,27 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}bin/newgidmap
+profile newgidmap @{exec_path} {
+ include
+ include
+
+ capability setgid,
+ capability sys_admin,
+
+ @{exec_path} mr,
+
+ /etc/subgid r,
+
+ @{PROC}/@{pids}/ r,
+ @{PROC}/@{pids}/logingid r,
+ @{PROC}/@{pids}/loginuid r,
+ @{PROC}/@{pids}/gid_map w,
+
+ include if exists
+}
\ No newline at end of file
diff --git a/apparmor.d/profiles-m-r/newuidmap b/apparmor.d/profiles-m-r/newuidmap
new file mode 100644
index 00000000..88af9bb6
--- /dev/null
+++ b/apparmor.d/profiles-m-r/newuidmap
@@ -0,0 +1,27 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}bin/newuidmap
+profile newuidmap @{exec_path} {
+ include
+ include
+
+ capability setuid,
+ capability sys_admin,
+
+ @{exec_path} mr,
+
+ /etc/subuid r,
+
+ @{PROC}/@{pids}/ r,
+ @{PROC}/@{pids}/logingid r,
+ @{PROC}/@{pids}/loginuid r,
+ @{PROC}/@{pids}/uid_map w,
+
+ include if exists
+}
\ No newline at end of file
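Review bot: `capability sys_admin` in the newgidmap profile (and the identical line in the newuidmap hunk) is the broadest grant in either rule set and nothing in the visible rules explains it; as far as I know the kernel gates writes to `@{PROC}/@{pids}/gid_map` and `uid_map` on CAP_SETGID/CAP_SETUID in the parent user namespace, which the profiles already allow. If it was added to silence an observed denial, a comment such as `# sys_admin: needed for <OPERATION-FROM-AUDIT-LOG>` next to it would spare the next audit from re-deriving the reason; if not, dropping it and re-testing would tighten both profiles. The `abi` and `include` lines render without their targets in this view (`abi ,`, bare `include`), presumably an extraction artifact, so which abstractions are pulled in — e.g. whether the name-service lookups these tools presumably perform are covered — cannot be checked here. Both files also end with `\ No newline at end of file`; adding the trailing newline keeps them consistent with the rest of the tree.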