9041844394
- Fix systemd userdb access in unix-chkpwd OBS-URL: https://build.opensuse.org/request/show/1151902 OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=396
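--- /dev/null
+++ apparmor-3.1.7/profiles/apparmor.d/unix-chkpwd
@@ -0,0 +1,35 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2019-2021 Mikhail Morfikov
+# SPDX-License-Identifier: GPL-2.0-only
+
+# The apparmor.d project comes with several variables and abstractions
+# that are not part of upstream AppArmor yet. Therefore this profile was
+# adopted to use abstractions and variables that are available.
+# Copyright (C) Christian Boltz 2024
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+profile unix-chkpwd /{,usr/}{,s}bin/unix_chkpwd {
+ include <abstractions/base>
+ include <abstractions/nameservice>
+
+ # To write records to the kernel auditing log.
+ capability audit_write,
+
+ network netlink raw,
+
+ /{,usr/}{,s}bin/unix_chkpwd mr,
+
+ /etc/shadow r,
+
+ # systemd userdb, used in nspawn
+ /run/host/userdb/*.user r,
+ /run/host/userdb/*.user-privileged r,
+
+ # file_inherit
+ owner /dev/tty[0-9]* rw,
+
+ include if exists <local/unix-chkpwd>
+}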
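Review bot: The userdb rules `/run/host/userdb/*.user r,` and `/run/host/userdb/*.user-privileged r,` spell `/run/` out literally, while the dovecot-auth hunk in the same change uses the `@{run}` tunable (`@{run}/dovecot/...`), which the `include <tunables/global>` line makes available in this profile too; writing them as `@{run}/host/userdb/*.user r,` and `@{run}/host/userdb/*.user-privileged r,` keeps the two profiles consistent and also covers the /var/run alias the tunable expands to. The comment scopes this to nspawn, but if the same lookup is expected on a regular host, the other userdb drop-in directories systemd documents (/etc/userdb, /run/userdb, /usr/lib/userdb) get no rule here, so it is worth confirming the intended scope and saying so in the comment. Since the privileged record is where systemd stores the hashed password, a short why-comment next to that rule would help the next reviewer see it as the counterpart of `/etc/shadow r,`, e.g. `# privileged records carry the password hash that unix_chkpwd verifies`.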
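--- apparmor-3.1.7.orig/profiles/apparmor.d/usr.lib.dovecot.auth
+++ apparmor-3.1.7/profiles/apparmor.d/usr.lib.dovecot.auth
@@ -52,8 +52,12 @@ profile dovecot-auth /usr/lib*/dovecot/a
 @{run}/dovecot/stats-user rw,
 @{run}/dovecot/anvil-auth-penalty rw,
 
+ owner /proc/@{pid}/loginuid r,
+
 /var/spool/postfix/private/auth rw,
 
+ /usr/sbin/unix_chkpwd Px,
+
 # Site-specific additions and overrides. See local/README for details.
 include if exists <local/usr.lib.dovecot.auth>
 }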
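Review bot: The exec rule `/usr/sbin/unix_chkpwd Px,` pins a single path, whereas the unix-chkpwd profile added in this change attaches to `/{,usr/}{,s}bin/unix_chkpwd`; using the same glob, `/{,usr/}{,s}bin/unix_chkpwd Px,`, keeps the rule and the attachment in step and still transitions correctly on non-usr-merged layouts where the helper lives under /sbin. Px is the right choice here because it scrubs the environment across the transition into the separate profile, but it is a hard dependency: if the unix-chkpwd profile is not loaded the exec is denied and password authentication in dovecot fails, which a one-line comment should record, e.g. `# Px: requires the unix-chkpwd profile to be loaded; env is scrubbed on exec`. The dovecot-auth profile begins before this hunk, so I cannot see whether an earlier rule already covers the helper.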