mirrors/apparmor.d
1
0
Fork 0
mirror of https://github.com/roddhjav/apparmor.d.git synced 2024-11-14 23:43:56 +01:00
Code Issues Actions Packages Projects Releases Wiki Activity
b57f29ee7b
apparmor.d/profiles/passwd
Alexandre Pujol b57f29ee7b
Rewrite Copyright header, use SPDX style.
2021-04-01 16:17:47 +01:00

44 lines
1.2 KiB
Plaintext
Raw Blame History

# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/passwd
profile passwd @{exec_path} {
include <abstractions/base>
include <abstractions/wutmp>
include <abstractions/authentication>
include <abstractions/nameservice-strict>
# To write records to the kernel auditing log.
capability audit_write,
# To set the right permission to the files in the /etc/.
# Since passwd reads and writes from /etc/ directory, the write permissions are requried by it.
# Note that, /etc/shadow is never written by passwd. passwd actually writes to /etc/nshadow and
# renames /etc/nshadow to /etc/shadow.
capability chown,
capability fsetid,
# passwd is a SETUID binary, but it looks like it doesn't want this CAP.
#capability setuid,
network netlink raw,
@{exec_path} mr,
owner @{PROC}/@{pid}/loginuid r,
/etc/shadow rw,
/etc/nshadow rw,
# A process first uses lckpwdf() to lock the lock file, thereby gaining exclusive rights to
# modify the /etc/passwd or /etc/shadow password database.
/etc/.pwd.lock rwk,
include if exists <local/passwd>
}
Reference in New Issue View Git Blame Copy Permalink