File allow-pam_unix-to-execute-unix_chkpwd.patch of Package apparmor.38599

From 243162ca2938b391724f547596787c7f77d1fc5f Mon Sep 17 00:00:00 2001
From: Christian Boltz <apparmor@cboltz.de>
Date: Tue, 12 Mar 2024 22:01:40 +0100
Subject: [PATCH] Allow pam_unix to execute unix_chkpwd

Latest pam_unix always runs /usr/sbin/unix_chkpwd instead of reading
/etc/shadow itself. Add exec permissions to abstraction/authentication.

It also needs to read /proc/@{pid}/loginuid

Also cleanup the now-superfluous rules from the smbd profile.

Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1219139
---
 .../apparmor.d/abstractions/authentication    |  4 +++
 profiles/apparmor.d/unix-chkpwd               | 35 +++++++++++++++++++
 profiles/apparmor.d/usr.sbin.smbd             |  3 --
 3 files changed, 39 insertions(+), 3 deletions(-)
 create mode 100644 profiles/apparmor.d/unix-chkpwd

diff --git a/profiles/apparmor.d/abstractions/authentication b/profiles/apparmor.d/abstractions/authentication
index a063a574b..11ba42912 100644
--- a/profiles/apparmor.d/abstractions/authentication
+++ b/profiles/apparmor.d/abstractions/authentication
@@ -31,6 +31,10 @@
   /{usr/,}lib/@{multiarch}/security/pam_*.so      mr,
   /{usr/,}lib/@{multiarch}/security/              r,
 
+  # pam_unix
+  owner /proc/@{pid}/loginuid r,
+  /{,usr/}{,s}bin/unix_chkpwd Px,
+
   # kerberos
   #include <abstractions/kerberosclient>
   # SuSE's pwdutils are different:
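Review bot: The new `owner /proc/@{pid}/loginuid r,` rule spells the /proc path literally, whereas the tunables loaded by every consumer of this abstraction (tunables/global) define `@{PROC}` for that prefix; if the sibling abstractions in this tree write `@{PROC}/@{pid}/...`, this line should match them: `owner @{PROC}/@{pid}/loginuid r,`. The `Px` rule on the following line only succeeds when a profile attached to `/{,usr/}{,s}bin/unix_chkpwd` is loaded — with `Px`, an executable without a profile is denied exec — so every profile that includes this abstraction now depends on the unix-chkpwd profile shipping and loading alongside it, which the `# pam_unix` comment should state: `# pam_unix: unix_chkpwd runs under the unix-chkpwd profile (Px); that profile must be loaded`. The enclosing abstraction continues outside the hunk.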
diff --git a/profiles/apparmor.d/unix-chkpwd b/profiles/apparmor.d/unix-chkpwd
new file mode 100644
index 000000000..a8ec8d43f
--- /dev/null
+++ b/profiles/apparmor.d/unix-chkpwd
@@ -0,0 +1,32 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2019-2021 Mikhail Morfikov
+# SPDX-License-Identifier: GPL-2.0-only
+
+# The apparmor.d project comes with several variables and abstractions
+# that are not part of upstream AppArmor yet. Therefore this profile was
+# adopted to use abstractions and variables that are available.
+# Copyright (C) Christian Boltz 2024
+
+abi <abi/4.0>,
+
+include <tunables/global>
+
+profile unix-chkpwd /{,usr/}{,s}bin/unix_chkpwd {
+  include <abstractions/base>
+  include <abstractions/nameservice>
+
+  # To write records to the kernel auditing log.
+  capability audit_write,
+
+  network netlink raw,
+
+  /{,usr/}{,s}bin/unix_chkpwd mr,
+
+  /etc/shadow r,
+
+  # file_inherit
+  owner /dev/tty[0-9]* rw,
+
+  # Site-specific additions and overrides. See local/README for details.
+  #include <local/unix-chkpwd>
+}
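Review bot: `#include <local/unix-chkpwd>` on the last line of the new profile is a live include directive rather than a comment (`#include` is the legacy spelling of `include` in AppArmor policy), so the profile fails to parse unless a `local/unix-chkpwd` file is shipped with it; the rest of this profile already uses the bare `include` spelling under `abi <abi/4.0>`, so the consistent form that also tolerates a missing site file is `include if exists <local/unix-chkpwd>`. The header comment reads "this profile was adopted to use abstractions and variables that are available" where "adapted" is meant. The `# file_inherit` comment above the `owner /dev/tty[0-9]* rw,` rule would be clearer as a sentence explaining why a password-check helper touches a tty at all, e.g. `# file_inherit: tty descriptors inherited from the caller — confirm still needed`.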