Index: apparmor-3.1.7/profiles/apparmor.d/unix-chkpwd
===================================================================
--- /dev/null
+++ apparmor-3.1.7/profiles/apparmor.d/unix-chkpwd
@@ -0,0 +1,35 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2019-2021 Mikhail Morfikov
+# SPDX-License-Identifier: GPL-2.0-only
+
+# The apparmor.d project comes with several variables and abstractions
+# that are not part of upstream AppArmor yet. Therefore this profile was
+# adopted to use abstractions and variables that are available.
+# Copyright (C) Christian Boltz 2024
+
+abi ,
+
+include
+
+profile unix-chkpwd /{,usr/}{,s}bin/unix_chkpwd {
+ include
+ include
+
+ # To write records to the kernel auditing log.
+ capability audit_write,
+
+ network netlink raw,
+
+ /{,usr/}{,s}bin/unix_chkpwd mr,
+
+ /etc/shadow r,
+
+ # systemd userdb, used in nspawn
+ /run/host/userdb/*.user r,
+ /run/host/userdb/*.user-privileged r,
+
+ # file_inherit
+ owner /dev/tty[0-9]* rw,
+
+ include if exists
+}
Index: apparmor-3.1.7/profiles/apparmor.d/usr.lib.dovecot.auth
===================================================================
--- apparmor-3.1.7.orig/profiles/apparmor.d/usr.lib.dovecot.auth
+++ apparmor-3.1.7/profiles/apparmor.d/usr.lib.dovecot.auth
@@ -52,8 +52,12 @@ profile dovecot-auth /usr/lib*/dovecot/a
 @{run}/dovecot/stats-user rw,
 @{run}/dovecot/anvil-auth-penalty rw,
+ owner /proc/@{pid}/loginuid r,
+ /var/spool/postfix/private/auth rw,
+ /usr/sbin/unix_chkpwd Px,
+
 # Site-specific additions and overrides. See local/README for details.
 include if exists
 }
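Review bot: As shown, `abi ,` and every `include` line of the new unix-chkpwd profile carry no target, so this copy of the profile cannot be parsed; the angle-bracket arguments were presumably stripped when the patch was rendered, and the original patch should be checked against the parser rather than this text. The remaining rule set is appropriately narrow for a setuid/setgid shadow helper, but the one sensitive grant deserves a why-comment so a later reviewer does not widen or drop it by mistake: above `/etc/shadow r,` add `# unix_chkpwd verifies the caller's password hash directly against the shadow database; read-only is all it needs`. The `owner /dev/tty[0-9]* rw,` rule is already annotated as file_inherit, which is the right register for the rest of the file.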
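Review bot: `/usr/sbin/unix_chkpwd Px,` covers only one of the paths that the new unix-chkpwd profile attaches to (`/{,usr/}{,s}bin/unix_chkpwd` in the first hunk), so on a system where the helper lives under `/sbin` the exec is presumably denied and dovecot's PAM password check fails; use the same glob on both sides, `/{,usr/}{,s}bin/unix_chkpwd Px,`. Keeping `Px` rather than `px` is the right choice, since the environment is scrubbed before transitioning into the setuid helper's profile. For consistency with the `@{run}` variable on the surrounding context lines, `owner /proc/@{pid}/loginuid r,` can likely be written `owner @{PROC}/@{pid}/loginuid r,`, provided the profile header (outside this hunk) includes the tunables that define `@{PROC}`. The enclosing profile block starts outside the hunk.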