From 8ec76907c87f85f5321af41cee73bc2ff74ce86d Mon Sep 17 00:00:00 2001
From: John Johansen
Date: Thu, 14 Mar 2024 21:09:59 +0000
Subject: [PATCH] Merge Allow pam_unix to execute unix_chkpwd

Latest pam_unix always runs /usr/sbin/unix_chkpwd instead of reading /etc/shadow itsself. Add exec permissions to abstraction/authentication. It also needs to read /proc/@{pid}/loginuid
Also cleanup the now-superfluous rules from the smbd profile.
Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1219139
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1181
Approved-by: John Johansen
Merged-by: John Johansen
(cherry picked from commit 9a1838016c18aea24fde26858311b48b2fd8f3d6)
Signed-off-by: John Johansen
---
 .../apparmor.d/abstractions/authentication | 4 +++
 profiles/apparmor.d/unix-chkpwd | 35 +++++++++++++++++++
 2 files changed, 39 insertions(+)
 create mode 100644 profiles/apparmor.d/unix-chkpwd
diff --git a/profiles/apparmor.d/abstractions/authentication b/profiles/apparmor.d/abstractions/authentication
index 65cd0d72f..c3404f6be 100644
--- a/profiles/apparmor.d/abstractions/authentication
+++ b/profiles/apparmor.d/abstractions/authentication
@@ -31,6 +31,10 @@
 /{usr/,}lib/@{multiarch}/security/pam_*.so mr,
 /{usr/,}lib/@{multiarch}/security/ r,
 
+ # pam_unix
+ owner /proc/@{pid}/loginuid r,
+ /{,usr/}{,s}bin/unix_chkpwd Px,
+
 # gssapi
 @{etc_ro}/gss/mech r,
 @{etc_ro}/gss/mech.d/ r,
diff --git a/profiles/apparmor.d/unix-chkpwd b/profiles/apparmor.d/unix-chkpwd
new file mode 100644
index 000000000..a8ec8d43f
--- /dev/null
+++ b/profiles/apparmor.d/unix-chkpwd
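Review bot: The `Px` transition on the added `/{,usr/}{,s}bin/unix_chkpwd Px,` line makes every profile that includes this abstraction depend on the new `unix-chkpwd` profile being loaded: with `px`/`Px`, an exec whose target profile is not found is denied rather than falling back to unconfined, so a host that picks up the updated abstraction without the new profile file would have pam_unix authentication fail. A one-line comment next to the rule would save the next maintainer a debugging session, e.g. `# Px: needs the unix-chkpwd profile loaded; the exec is denied if it is missing`. The commit message also says the now-superfluous rules were cleaned up from the smbd profile, but the diffstat lists only the abstraction and the new profile, so that cleanup does not appear to be part of this cherry-pick.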
@@ -0,0 +1,35 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2019-2021 Mikhail Morfikov
+# SPDX-License-Identifier: GPL-2.0-only
+
+# The apparmor.d project comes with several variables and abstractions
+# that are not part of upstream AppArmor yet. Therefore this profile was
+# adopted to use abstractions and variables that are available.
+# Copyright (C) Christian Boltz 2024
+
+abi ,
+
+include
+
+profile unix-chkpwd /{,usr/}{,s}bin/unix_chkpwd {
+ include
+ include
+
+ # To write records to the kernel auditing log.
+ capability audit_write,
+
+ network netlink raw,
+
+ /{,usr/}{,s}bin/unix_chkpwd mr,
+
+ /etc/shadow r,
+
+ # systemd userdb, used in nspawn
+ /run/host/userdb/*.user r,
+ /run/host/userdb/*.user-privileged r,
+
+ # file_inherit
+ owner /dev/tty[0-9]* rw,
+
+ include if exists
+}
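Review bot: The `network netlink raw,` rule carries no rationale, while the comment above `capability audit_write,` covers only the capability; since libaudit delivers records over an AF_NETLINK socket, the two rules presumably serve the same purpose and the comment should say so, e.g. `# audit_write + netlink raw: libaudit sends audit records over an AF_NETLINK socket`. Likewise `/etc/shadow r,` is the sensitive grant in this profile and deserves a short comment stating that reading the shadow file on pam_unix's behalf is the helper's sole job (as the commit message describes), so the rule is not later widened or copied into other profiles. Separately, as shown on this page the `abi ,`, `include` and `include if exists` lines have no bracketed target, which looks like the `<…>` names being dropped by page extraction rather than by the commit; confirm against the file itself, since the profile would not parse as printed.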