apparmor/profiles/apparmor.d/abstractions/authentication

# ------------------------------------------------------------------
#
#    Copyright (C) 2002-2009 Novell/SUSE
#    Copyright (C) 2009-2012 Canonical Ltd
#    Copyright (C) 2019-2021 Christian Boltz
#
#    This program is free software; you can redistribute it and/or
#    modify it under the terms of version 2 of the GNU General Public
#    License published by the Free Software Foundation.
#
# ------------------------------------------------------------------

  abi <abi/4.0>,


  # Some services need to perform authentication of users
  # Such authentication almost certainly needs access to the local users
  # databases containing passwords, PAM configuration files, PAM libraries
  @{etc_ro}/nologin                r,
  @{etc_ro}/pam.d/*                r,
  @{etc_ro}/securetty              r,
  @{etc_ro}/security/*             r,
  @{etc_ro}/shadow                 r,
  @{etc_ro}/gshadow                r,
  @{etc_ro}/pwdb.conf              r,

  /{usr/,}lib{,32,64}/security/pam_filter/*  mr,
  /{usr/,}lib{,32,64}/security/pam_*.so      mr,
  /{usr/,}lib{,32,64}/security/              r,
  /{usr/,}lib/@{multiarch}/security/pam_filter/*  mr,
  /{usr/,}lib/@{multiarch}/security/pam_*.so      mr,
  /{usr/,}lib/@{multiarch}/security/              r,

  # pam_unix
  owner /proc/@{pid}/loginuid r,
  /{,usr/}{,s}bin/unix_chkpwd Px,

  # pam_env
  @{etc_ro}/environment r,

  # pam_limit
  @{etc_ro}/security/limits.d/ r,
  @{etc_ro}/security/limits.d/*.conf  r,

  # gssapi
  @{etc_ro}/gss/mech               r,
  @{etc_ro}/gss/mech.d/            r,
  @{etc_ro}/gss/mech.d/*.conf      r,

  # kerberos
  include <abstractions/kerberosclient>
  # SuSE's pwdutils are different:
  @{etc_ro}/default/passwd         r,
  @{etc_ro}/login.defs             r,
  @{etc_ro}/login.defs.d/          r,
  @{etc_ro}/login.defs.d/*.defs    r,

  # nis
  include <abstractions/nis>

  # winbind
  include <abstractions/winbind>

  # likewise
  include <abstractions/likewise>

  # smbpass
  include <abstractions/smbpass>

  # p11-kit (PKCS#11 modules configuration)
  include <abstractions/p11-kit>

  # Include additions to the abstraction
  include if exists <abstractions/authentication.d>