feat(fsp): setup RBAC mapping in auth enabled profiles.

apparmor.d/groups/ssh/sshd

@@ -25,6 +25,7 @@ profile sshd @{exec_path} flags=(attach_disconnected) {
   include <abstractions/nameservice-strict>
   include <abstractions/ssl_certs>
   include <abstractions/wutmp>
+  include <mappings/sshd> #aa:only RBAC
 
   capability audit_write,
   capability chown,
@@ -60,13 +61,13 @@ profile sshd @{exec_path} flags=(attach_disconnected) {
 
   @{exec_path} mrix,
 
-  @{bin}/@{shells}                  rUx,
+  @{bin}/@{shells}                   Ux, #aa:exclude RBAC
-  @{bin}/false                      rix,
+  @{bin}/false                       ix,
-  @{sbin}/nologin                   rPx,
+  @{sbin}/nologin                    Px,
-  @{bin}/passwd                     rPx,
+  @{bin}/passwd                      Px,
-  @{lib}/{openssh,ssh}/sftp-server  rPx,
+  @{lib}/{openssh,ssh}/sftp-server   Px,
-  @{lib}/{openssh,ssh}/sshd-auth    rPx,
+  @{lib}/{openssh,ssh}/sshd-auth     Px,
-  @{lib}/{openssh,ssh}/sshd-session rix,
+  @{lib}/{openssh,ssh}/sshd-session  ix,
 
   @{etc_ro}/environment r,
   @{etc_ro}/security/limits.d/{,*.conf} r,

apparmor.d/groups/utils/chfn

@@ -15,6 +15,7 @@ profile chfn @{exec_path} {
   include <abstractions/consoles>
   include <abstractions/nameservice-strict>
   include <abstractions/wutmp>
+  include <mappings/shadow>  #aa:only RBAC
 
   capability audit_write,
   capability chown,

apparmor.d/groups/utils/chsh

@@ -15,6 +15,7 @@ profile chsh @{exec_path} {
   include <abstractions/consoles>
   include <abstractions/nameservice-strict>
   include <abstractions/wutmp>
+  include <mappings/shadow> #aa:only RBAC
 
   capability audit_write,
   capability chown,

apparmor.d/groups/utils/login

@@ -14,6 +14,7 @@ profile login @{exec_path} flags=(attach_disconnected) {
   include <abstractions/consoles>
   include <abstractions/nameservice-strict>
   include <abstractions/wutmp>
+  include <mappings/login>  #aa:only RBAC
 
   capability audit_write,
   capability chown,
@@ -38,7 +39,7 @@ profile login @{exec_path} flags=(attach_disconnected) {
 
   @{exec_path} mr,
 
-  @{shells_path}     rUx,
+  @{shells_path}     Ux, #aa:exclude RBAC
 
   @{etc_ro}/environment r,
   @{etc_ro}/security/group.conf r,

apparmor.d/groups/utils/su

@@ -12,6 +12,7 @@ profile su @{exec_path} {
   include <abstractions/base>
   include <abstractions/app-launcher-root>
   include <abstractions/app/sudo>
+  include <mappings/su>  #aa:only RBAC
 
   capability chown,  # pseudo-terminal
 
@@ -21,8 +22,8 @@ profile su @{exec_path} {
 
   @{exec_path} mr,
 
-  @{bin}/@{shells}     rUx,
+  @{bin}/@{shells}     Ux, #aa:exclude RBAC
-  @{sbin}/nologin      rPx,
+  @{sbin}/nologin      Px,
 
   @{etc_ro}/default/su r,
   /etc/default/locale r,

apparmor.d/mappings/sudo/base

@@ -0,0 +1,30 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+# It is used by su/sudo to run pre login scripts (as root) such as the motd.
+# After the login, Apparmor libpam will transition to the roles defined in
+# other files under <mappings/sudo>
+
+  @{shells_path} rCx -> shell,
+
+  profile shell flags=(attach_disconnected) {
+    include <abstractions/base>
+    include <abstractions/consoles>
+    include <abstractions/shells>
+
+    @{shells_path}    rix,
+    @{bin}/env        rix,
+    @{bin}/run-parts  rix, #aa:only apt
+
+    #aa:only apt
+    /etc/update-motd.d/ r,
+    /etc/update-motd.d/*                            rPx,
+    /usr/share/landscape/landscape-sysinfo.wrapper  rPx,
+
+    @{run}/motd.dynamic.new rw,  #aa:only apt
+
+    include if exists <local/mappings/sudo/shell>
+  }
+
+# vim:syntax=apparmor