apparmor/dovecot-unix_chkpwd.diff
Christian Boltz 4d639e7be3 Accepting request 1142649 from home:cboltz
- Add dovecot-unix_chkpwd.diff to allow dovecot-auth to execute
  unix_chkpwd, and add a profile for unix_chkpwd. This is needed
  for PAM 1.6 (boo#1219139)
- Refresh apparmor.keyring - the key was renewed

OBS-URL: https://build.opensuse.org/request/show/1142649
OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=388
2024-01-29 21:22:57 +00:00


Index: apparmor-3.1.6/profiles/apparmor.d/unix-chkpwd
===================================================================
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ apparmor-3.1.6/profiles/apparmor.d/unix-chkpwd 2024-01-29 21:53:27.234254724 +0100
@@ -0,0 +1,31 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2019-2021 Mikhail Morfikov
+# SPDX-License-Identifier: GPL-2.0-only
+
+# The apparmor.d project comes with several variables and abstractions
+# that are not part of upstream AppArmor yet. Therefore this profile was
+# adopted to use abstractions and variables that are available.
+# Copyright (C) Christian Boltz 2024
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+profile unix-chkpwd /{,usr/}{,s}bin/unix_chkpwd {
+ include <abstractions/base>
+ include <abstractions/nameservice>
+
+ # To write records to the kernel auditing log.
+ capability audit_write,
+
+ network netlink raw,
+
+ /{,usr/}{,s}bin/unix_chkpwd mr,
+
+ /etc/shadow r,
+
+ # file_inherit
+ owner /dev/tty[0-9]* rw,
+
+ include if exists <local/unix-chkpwd>
+}
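Review bot: The `network netlink raw,` rule in the new unix-chkpwd profile has no comment, while the adjacent `capability audit_write,` does, and a reader auditing this profile should not have to guess why a password-check helper needs a network rule; the two presumably belong together, since libaudit sends its records over a raw AF_NETLINK socket. Suggest `# audit records go out over a raw AF_NETLINK socket (pairs with audit_write)` above that line. The `include if exists <local/unix-chkpwd>` line also lacks the `# Site-specific additions and overrides. See local/README for details.` comment that the dovecot-auth profile touched by this same change carries; adding it keeps the new profile consistent with the rest of apparmor.d. The `# file_inherit` comment on the tty rule is terse enough that a short expansion, e.g. `# file_inherit: tty fds inherited from the PAM client`, would save the next maintainer a lookup.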
Index: apparmor-3.1.6/profiles/apparmor.d/usr.lib.dovecot.auth
===================================================================
--- apparmor-3.1.6.orig/profiles/apparmor.d/usr.lib.dovecot.auth 2023-06-21 23:13:41.000000000 +0200
+++ apparmor-3.1.6/profiles/apparmor.d/usr.lib.dovecot.auth 2024-01-29 21:45:32.528140518 +0100
@@ -52,8 +52,12 @@ profile dovecot-auth /usr/lib/dovecot/au
@{run}/dovecot/stats-user rw,
@{run}/dovecot/anvil-auth-penalty rw,
+ owner /proc/@{pid}/loginuid r,
+
/var/spool/postfix/private/auth rw,
+ /usr/sbin/unix_chkpwd Px,
+
# Site-specific additions and overrides. See local/README for details.
include if exists <local/usr.lib.dovecot.auth>
}
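Review bot: The new exec rule `/usr/sbin/unix_chkpwd Px,` is narrower than the attachment of the profile it transitions into, `/{,usr/}{,s}bin/unix_chkpwd`, so on a system where PAM's helper path resolves via `/sbin/unix_chkpwd` the exec would be denied (fail-closed, but a silent authentication failure); using the same alternation here, `/{,usr/}{,s}bin/unix_chkpwd Px,`, keeps the two profiles in step. Since the transition is `Px`, authentication through the helper also fails closed if the unix-chkpwd profile from the first hunk is not loaded, which is the intended behaviour but worth stating in the changelog. The added `owner /proc/@{pid}/loginuid r,` has no comment explaining why dovecot-auth now needs it; something like `# read by pam_unix before invoking unix_chkpwd (PAM 1.6) — confirm` would ground it. The enclosing `profile dovecot-auth` block begins outside this hunk.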