# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only

abi <abi/3.0>,

include <tunables/global>

@{exec_path} = /{usr/,}bin/passwd
profile passwd @{exec_path} {
  include <abstractions/base>
  include <abstractions/wutmp>
  include <abstractions/authentication>
  include <abstractions/nameservice-strict>

  # To write records to the kernel auditing log.
  capability audit_write,

  # To set the right permission to the files in the /etc/.
  # Since passwd reads and writes from /etc/ directory, the write permissions are requried by it.
  # Note that, /etc/shadow is never written by passwd. passwd actually writes to /etc/nshadow and
  # renames /etc/nshadow to /etc/shadow.
  capability chown,
  capability fsetid,

  # passwd is a SETUID binary, but it looks like it doesn't want this CAP.
  #capability setuid,

  network netlink raw,

  @{exec_path} mr,

  owner @{PROC}/@{pid}/loginuid r,

  /etc/shadow rw,
  /etc/nshadow rw,

  # A process first uses lckpwdf() to lock the lock file, thereby gaining exclusive rights to
  # modify the /etc/passwd or /etc/shadow password database.
  /etc/.pwd.lock rwk,

  include if exists <local/passwd>
}