feat: profile update.

apparmor.d/profiles-m-r/pass-import

@@ -22,7 +22,7 @@ profile pass-import @{exec_path} {
   /{usr/,}bin/python3.[0-9]*   rix,
   /{usr/,}lib/gcc/**/collect2  rix,
 
-  /{usr/,}lib/python{2.[4-7],3,3.[0-9]}/** w,
+  /{usr/,}lib/python{2.[4-7],3,3.[0-9]*}/** w,
 
   /usr/share/file/misc/magic.mgc r,
 

apparmor.d/profiles-m-r/passwd

@@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2019-2021 Mikhail Morfikov
+# Copyright (C) 2019-2022 Mikhail Morfikov
+# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 
 abi <abi/3.0>,
@@ -9,38 +10,31 @@ include <tunables/global>
 @{exec_path} = /{usr/,}bin/passwd
 profile passwd @{exec_path} {
   include <abstractions/base>
-  include <abstractions/wutmp>
   include <abstractions/authentication>
   include <abstractions/nameservice-strict>
+  include <abstractions/wutmp>
 
-  # To write records to the kernel auditing log.
   capability audit_write,
-
-  # To set the right permission to the files in the /etc/.
-  # Since passwd reads and writes from /etc/ directory, the write permissions are requried by it.
-  # Note that, /etc/shadow is never written by passwd. passwd actually writes to /etc/nshadow and
-  # renames /etc/nshadow to /etc/shadow.
   capability chown,
   capability fsetid,
-
   capability setuid,
 
   network netlink raw,
 
   @{exec_path} mr,
 
-  owner @{PROC}/@{pid}/loginuid r,
-
+  /etc/nshadow rw,
   /etc/shadow rw,
+  /etc/shadow- rw,
   /etc/shadow.[0-9]* rw,
   /etc/shadow.lock rwl,
-  /etc/shadow- rw,
   /etc/shadow+ rw,
-  /etc/nshadow rw,
 
   # A process first uses lckpwdf() to lock the lock file, thereby gaining exclusive rights to
   # modify the /etc/passwd or /etc/shadow password database.
   /etc/.pwd.lock rwk,
 
+  owner @{PROC}/@{pid}/loginuid r,
+
   include if exists <local/passwd>
 }