From d544c386f7cfcefbd55657052a3f29645686b8c1 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol <alexandre@pujol.io>
Date: Sun, 5 May 2024 17:42:32 +0100
Subject: [PATCH] fix(profile): ensure PAM & systemd-homed  compatibility.

see #321
---
 apparmor.d/abstractions/app/sudo    | 1 +
 apparmor.d/profiles-g-l/groups      | 6 +-----
 apparmor.d/profiles-s-z/unix-chkpwd | 1 +
 3 files changed, 3 insertions(+), 5 deletions(-)

diff --git a/apparmor.d/abstractions/app/sudo b/apparmor.d/abstractions/app/sudo
index e791caea..49b742b0 100644
--- a/apparmor.d/abstractions/app/sudo
+++ b/apparmor.d/abstractions/app/sudo
@@ -39,6 +39,7 @@
   @{etc_ro}/sudoers.d/{,*} r,
 
   / r,
+  /etc/machine-id r,
 
   owner /var/lib/sudo/ts/ rw,   
   owner /var/lib/sudo/ts/@{uid} rwk,
diff --git a/apparmor.d/profiles-g-l/groups b/apparmor.d/profiles-g-l/groups
index 79ec2587..625632e7 100644
--- a/apparmor.d/profiles-g-l/groups
+++ b/apparmor.d/profiles-g-l/groups
@@ -11,14 +11,10 @@ include <tunables/global>
 profile groups @{exec_path} {
   include <abstractions/base>
   include <abstractions/consoles>
+  include <abstractions/nameservice-strict>
 
   @{exec_path} mr,
 
-  /etc/group r,
-  /etc/nsswitch.conf r,
-
-  @{run}/systemd/userdb r,
-
   @{PROC}/sys/kernel/random/boot_id r,
 
   /dev/tty@{int} rw,
diff --git a/apparmor.d/profiles-s-z/unix-chkpwd b/apparmor.d/profiles-s-z/unix-chkpwd
index 97ef4359..65fd4330 100644
--- a/apparmor.d/profiles-s-z/unix-chkpwd
+++ b/apparmor.d/profiles-s-z/unix-chkpwd
@@ -19,6 +19,7 @@ profile unix-chkpwd @{exec_path} {
 
   @{exec_path} mr,
 
+  /etc/machine-id r,
   /etc/shadow r,
 
   # systemd userdb, used in nspawn