From 2b4aa5580fdaf9831d491781dac34e9606e1ea97 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol <alexandre@pujol.io>
Date: Sun, 26 Sep 2021 17:29:28 +0100
Subject: [PATCH] Add new{u,g}idmap

---
 apparmor.d/profiles-m-r/newgidmap | 27 +++++++++++++++++++++++++++
 apparmor.d/profiles-m-r/newuidmap | 27 +++++++++++++++++++++++++++
 2 files changed, 54 insertions(+)
 create mode 100644 apparmor.d/profiles-m-r/newgidmap
 create mode 100644 apparmor.d/profiles-m-r/newuidmap

diff --git a/apparmor.d/profiles-m-r/newgidmap b/apparmor.d/profiles-m-r/newgidmap
new file mode 100644
index 00000000..2da77d9b
--- /dev/null
+++ b/apparmor.d/profiles-m-r/newgidmap
@@ -0,0 +1,27 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /{usr/,}bin/newgidmap
+profile newgidmap @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/nameservice-strict>
+
+  capability setgid,
+  capability sys_admin,
+
+  @{exec_path} mr,
+
+  /etc/subgid r,
+
+  @{PROC}/@{pids}/ r,
+  @{PROC}/@{pids}/logingid r,
+  @{PROC}/@{pids}/loginuid r,
+  @{PROC}/@{pids}/gid_map w,
+
+  include if exists <local/newgidmap>
+}
\ No newline at end of file
diff --git a/apparmor.d/profiles-m-r/newuidmap b/apparmor.d/profiles-m-r/newuidmap
new file mode 100644
index 00000000..88af9bb6
--- /dev/null
+++ b/apparmor.d/profiles-m-r/newuidmap
@@ -0,0 +1,27 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /{usr/,}bin/newuidmap
+profile newuidmap @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/nameservice-strict>
+
+  capability setuid,
+  capability sys_admin,
+
+  @{exec_path} mr,
+
+  /etc/subuid r,
+
+  @{PROC}/@{pids}/ r,
+  @{PROC}/@{pids}/logingid r,
+  @{PROC}/@{pids}/loginuid r,
+  @{PROC}/@{pids}/uid_map w,
+
+  include if exists <local/newuidmap>
+}
\ No newline at end of file