apparmor/profiles/apparmor.d/abstractions/authentication

# ------------------------------------------------------------------
#
#    Copyright (C) 2002-2009 Novell/SUSE
#    Copyright (C) 2009-2012 Canonical Ltd
#    Copyright (C) 2019-2021 Christian Boltz
#
#    This program is free software; you can redistribute it and/or
#    modify it under the terms of version 2 of the GNU General Public
#    License published by the Free Software Foundation.
#
# ------------------------------------------------------------------

  abi <abi/4.0>,


  # Some services need to perform authentication of users
  # Such authentication almost certainly needs access to the local users
  # databases containing passwords, PAM configuration files, PAM libraries
  @{etc_ro}/nologin                r,
  @{etc_ro}/pam.d/*                r,
  @{etc_ro}/securetty              r,
  @{etc_ro}/security/*             r,
  @{etc_ro}/shadow                 r,
  @{etc_ro}/gshadow                r,
  @{etc_ro}/pwdb.conf              r,

  /{usr/,}lib{,32,64}/security/pam_filter/*  mr,
  /{usr/,}lib{,32,64}/security/pam_*.so      mr,
  /{usr/,}lib{,32,64}/security/              r,
  /{usr/,}lib/@{multiarch}/security/pam_filter/*  mr,
  /{usr/,}lib/@{multiarch}/security/pam_*.so      mr,
  /{usr/,}lib/@{multiarch}/security/              r,

  # pam_unix
  owner /proc/@{pid}/loginuid r,
  /{,usr/}{,s}bin/unix_chkpwd Px,

  # pam_env
  @{etc_ro}/environment r,

  # pam_limit
  @{etc_ro}/security/limits.d/ r,
  @{etc_ro}/security/limits.d/*.conf  r,

  # gssapi
  @{etc_ro}/gss/mech               r,
  @{etc_ro}/gss/mech.d/            r,
  @{etc_ro}/gss/mech.d/*.conf      r,

  # kerberos
  include <abstractions/kerberosclient>
  # SuSE's pwdutils are different:
  @{etc_ro}/default/passwd         r,
  @{etc_ro}/login.defs             r,
  @{etc_ro}/login.defs.d/          r,
  @{etc_ro}/login.defs.d/*.defs    r,

  # nis
  include <abstractions/nis>

  # winbind
  include <abstractions/winbind>

  # likewise
  include <abstractions/likewise>

  # smbpass
  include <abstractions/smbpass>

  # p11-kit (PKCS#11 modules configuration)
  include <abstractions/p11-kit>

  # Include additions to the abstraction
  include if exists <abstractions/authentication.d>
Import the rest of the core functionality of the internal apparmor development tree (trunk branch). From svn repo version 6381. 2006-04-11 21:52:54 +00:00			`# ------------------------------------------------------------------`
			`#`
pull in Ubuntu updates to profiles/apparmor.d 2009-11-04 14:25:42 -06:00			`# Copyright (C) 2002-2009 Novell/SUSE`
add p11-kit to authentication abstraction Acked-by: Jamie Strandboge <jamie@canonical.com> 2012-01-06 11:46:52 -06:00			`# Copyright (C) 2009-2012 Canonical Ltd`
Allow reading /etc/login.defs.d/ in abstraction/authentication This directory can include login.defs config sniplets in openSUSE Tumbleweed. References: https://bugzilla.opensuse.org/show_bug.cgi?id=1188296 See also https://en.opensuse.org/openSUSE:Packaging_UsrEtc#pam.2Fpam-config 2021-07-15 13:04:44 +02:00			`# Copyright (C) 2019-2021 Christian Boltz`
Import the rest of the core functionality of the internal apparmor development tree (trunk branch). From svn repo version 6381. 2006-04-11 21:52:54 +00:00			`#`
			`# This program is free software; you can redistribute it and/or`
			`# modify it under the terms of version 2 of the GNU General Public`
			`# License published by the Free Software Foundation.`
			`#`
			`# ------------------------------------------------------------------`

policy: update to use 4.0 abi Begin preparing policy for the 4.0 release. This may result in new denials. This is expected and needed to make sure policy is ready for the 4.0 release. Signed-off-by: John Johansen <john.johansen@canonical.com> 2023-06-30 23:36:12 -07:00			`abi <abi/4.0>,`
Import the rest of the core functionality of the internal apparmor development tree (trunk branch). From svn repo version 6381. 2006-04-11 21:52:54 +00:00

			`# Some services need to perform authentication of users`
			`# Such authentication almost certainly needs access to the local users`
			`# databases containing passwords, PAM configuration files, PAM libraries`
Convert abstractions from /{usr/,}etc/ to @{etc_ro} The authentication, base and nameservice abstraction used /{usr/,}etc/ in several rules. Switch that to the more readable (and tunable) @{etc_ro} variable. 2020-07-23 20:42:42 +02:00			`@{etc_ro}/nologin r,`
			`@{etc_ro}/pam.d/* r,`
			`@{etc_ro}/securetty r,`
			`@{etc_ro}/security/* r,`
			`@{etc_ro}/shadow r,`
			`@{etc_ro}/gshadow r,`
			`@{etc_ro}/pwdb.conf r,`
Import the rest of the core functionality of the internal apparmor development tree (trunk branch). From svn repo version 6381. 2006-04-11 21:52:54 +00:00
Make policy compatible with merged-/usr. 2016-12-03 10:59:01 +01:00			`/{usr/,}lib{,32,64}/security/pam_filter/* mr,`
			`/{usr/,}lib{,32,64}/security/pam_*.so mr,`
			`/{usr/,}lib{,32,64}/security/ r,`
			`/{usr/,}lib/@{multiarch}/security/pam_filter/* mr,`
			`/{usr/,}lib/@{multiarch}/security/pam_*.so mr,`
			`/{usr/,}lib/@{multiarch}/security/ r,`
Import the rest of the core functionality of the internal apparmor development tree (trunk branch). From svn repo version 6381. 2006-04-11 21:52:54 +00:00
Allow pam_unix to execute unix_chkpwd Latest pam_unix always runs /usr/sbin/unix_chkpwd instead of reading /etc/shadow itsself. Add exec permissions to abstraction/authentication. It also needs to read /proc/@{pid}/loginuid Also cleanup the now-superfluous rules from the smbd profile. Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1219139 2024-03-12 22:01:40 +01:00			`# pam_unix`
			`owner /proc/@{pid}/loginuid r,`
			`/{,usr/}{,s}bin/unix_chkpwd Px,`

Move pam-related permissions to abstractions/authentication ... instead of keeping them in the smbd profile. For details, see c09f58a364594607cdf5703d6e11aec14ade3ea8 and https://bugzilla.opensuse.org/show_bug.cgi?id=1220032#c12 Also replace /usr/etc/ with @{etc_ro} to that also /etc/ is covered. 2024-03-24 14:10:33 +01:00			`# pam_env`
			`@{etc_ro}/environment r,`

			`# pam_limit`
			`@{etc_ro}/security/limits.d/ r,`
			`@{etc_ro}/security/limits.d/*.conf r,`

abstractions/authentication: Add GSSAPI mechanism modules config 2023-06-09 00:47:32 -04:00			`# gssapi`
			`@{etc_ro}/gss/mech r,`
			`@{etc_ro}/gss/mech.d/ r,`
			`@{etc_ro}/gss/mech.d/*.conf r,`

Import the rest of the core functionality of the internal apparmor development tree (trunk branch). From svn repo version 6381. 2006-04-11 21:52:54 +00:00			`# kerberos`
Change `#include` to `include` in abstractions and tunables 2020-06-09 23:28:41 +02:00			`include <abstractions/kerberosclient>`
Import the rest of the core functionality of the internal apparmor development tree (trunk branch). From svn repo version 6381. 2006-04-11 21:52:54 +00:00			`# SuSE's pwdutils are different:`
Convert abstractions from /{usr/,}etc/ to @{etc_ro} The authentication, base and nameservice abstraction used /{usr/,}etc/ in several rules. Switch that to the more readable (and tunable) @{etc_ro} variable. 2020-07-23 20:42:42 +02:00			`@{etc_ro}/default/passwd r,`
			`@{etc_ro}/login.defs r,`
Allow reading /etc/login.defs.d/ in abstraction/authentication This directory can include login.defs config sniplets in openSUSE Tumbleweed. References: https://bugzilla.opensuse.org/show_bug.cgi?id=1188296 See also https://en.opensuse.org/openSUSE:Packaging_UsrEtc#pam.2Fpam-config 2021-07-15 13:04:44 +02:00			`@{etc_ro}/login.defs.d/ r,`
			`@{etc_ro}/login.defs.d/*.defs r,`
Import the rest of the core functionality of the internal apparmor development tree (trunk branch). From svn repo version 6381. 2006-04-11 21:52:54 +00:00
Bug 167798 - misc profile modifications from darix -- mlmmj, lighttpd, oidentd profiles in extras/, new postfix helpers in complain mode (enabled), split apart nameservice a little (non destructively), add new abstractions for python, ruby, and php5, add web-data and svn-repositories data-centric abstractions 2006-05-02 00:25:47 +00:00			`# nis`
Change `#include` to `include` in abstractions and tunables 2020-06-09 23:28:41 +02:00			`include <abstractions/nis>`
Bug 167798 - misc profile modifications from darix -- mlmmj, lighttpd, oidentd profiles in extras/, new postfix helpers in complain mode (enabled), split apart nameservice a little (non destructively), add new abstractions for python, ruby, and php5, add web-data and svn-repositories data-centric abstractions 2006-05-02 00:25:47 +00:00
			`# winbind`
Change `#include` to `include` in abstractions and tunables 2020-06-09 23:28:41 +02:00			`include <abstractions/winbind>`
Import the rest of the core functionality of the internal apparmor development tree (trunk branch). From svn repo version 6381. 2006-04-11 21:52:54 +00:00
pull in Ubuntu updates to profiles/apparmor.d 2009-11-04 14:25:42 -06:00			`# likewise`
Change `#include` to `include` in abstractions and tunables 2020-06-09 23:28:41 +02:00			`include <abstractions/likewise>`
pull in Ubuntu updates to profiles/apparmor.d 2009-11-04 14:25:42 -06:00
			`# smbpass`
Change `#include` to `include` in abstractions and tunables 2020-06-09 23:28:41 +02:00			`include <abstractions/smbpass>`
pull in Ubuntu updates to profiles/apparmor.d 2009-11-04 14:25:42 -06:00
add p11-kit to authentication abstraction Acked-by: Jamie Strandboge <jamie@canonical.com> 2012-01-06 11:46:52 -06:00			`# p11-kit (PKCS#11 modules configuration)`
Change `#include` to `include` in abstractions and tunables 2020-06-09 23:28:41 +02:00			`include <abstractions/p11-kit>`
Add support for local additions to abstractions Local policy may want to extend or override abstractions, so add support for including local updates to them. Acked-by: Christian Boltz <apparmor@cboltz.de> Acked-by: intrigeri <intrigeri@boum.org> Signed-off-by: John Johansen <john.johansen@canonical.com> 2019-01-24 03:03:11 -08:00
			`# Include additions to the abstraction`
abstractions: remove '#' from 'include if exists' This matches what we use in the profiles for local abstractions. Also adjust the check in the Makefile to expect the variant without '#'. 2020-05-30 19:46:08 +02:00			`include if exists <abstractions/authentication.d>`