diff --git a/apparmor.d/profiles-a-f/chsh b/apparmor.d/profiles-a-f/chsh
index 61885ed4e..f73ae6709 100644
--- a/apparmor.d/profiles-a-f/chsh
+++ b/apparmor.d/profiles-a-f/chsh
@@ -10,26 +10,19 @@ include @{exec_path} = @{bin}/chsh profile chsh @{exec_path} { include - include include include + include - # To write records to the kernel auditing log. capability audit_write, - - # To set the right permission to the files in the /etc/ dir. capability chown, capability fsetid, - - # gpasswd is a SETUID binary capability setuid, network netlink raw, @{exec_path} mr, - owner @{PROC}/@{pid}/loginuid r, - /etc/shells r, /etc/passwd rw,
@@ -44,6 +37,8 @@ profile chsh @{exec_path} { # modify the /etc/passwd or /etc/shadow password database. /etc/.pwd.lock rwk, + owner @{PROC}/@{pid}/loginuid r, + include if exists }
diff --git a/apparmor.d/profiles-s-z/useradd b/apparmor.d/profiles-s-z/useradd
index 42ab87607..0fbb9aa6d 100644
--- a/apparmor.d/profiles-s-z/useradd
+++ b/apparmor.d/profiles-s-z/useradd
@@ -53,9 +53,9 @@ profile useradd @{exec_path} { # To create user dirs and copy files from /etc/skel/ to them @{HOME}/ rw, - @{HOME}/.* w, + @{HOME}/.** w, /var/lib/*/{,*} rw, - /etc/skel/{,.*} r, + /etc/skel/{,.**} r, profile pam_tally2 { include
diff --git a/tests/bats/chsh.bats b/tests/bats/chsh.bats
new file mode 100644
index 000000000..5365fea60
--- /dev/null
+++ b/tests/bats/chsh.bats
@@ -0,0 +1,28 @@
+#!/usr/bin/env bats
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+load common
+
+setup_file() {
+ aa_setup
+}
+
+# bats test_tags=chsh
+@test "chsh: [l]ist available shells" {
+ chsh --list-shells || true
+ aa_check
+}
+
+# bats test_tags=chsh
+@test "chsh: Set a specific login [s]hell for the current user" {
+ chsh --shell /usr/bin/bash
+ aa_check
+}
+
+# bats test_tags=chsh
+@test "chsh: Set a login [s]hell for a specific user" {
+ sudo chsh --shell /usr/bin/sh root
+ aa_check
+}
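Review bot: The rationale comments for `capability audit_write`, `capability chown`, `capability fsetid` and `capability setuid` are dropped in the first chsh hunk and nothing replaces them, so a later audit of the profile can no longer see why each capability is granted. The removed `# gpasswd is a SETUID binary` was wrong for this profile, which is presumably why it went, but a corrected one-liner such as `# chsh is installed setuid; these capabilities cover the audit record and the /etc/passwd update` above the capability block would keep that context. The swapped abstraction includes cannot be reviewed here because the rendering stripped their angle-bracketed names, and the profile body continues outside the hunk.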
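Review bot: `@{HOME}/.** w` widens the old `@{HOME}/.*` from top-level dotfiles to every path below a hidden directory in any home, and the hunk carries no comment saying why the deeper match is needed. If the motivation is nested skeleton directories copied from `/etc/skel/` (the paired `/etc/skel/{,.**} r` suggests so), a comment such as `# /etc/skel/ may contain nested dot-directories, copied recursively into the new home` above the rule would make the broader write grant auditable, and it is worth stating whether non-dot entries in /etc/skel/ are intentionally left uncovered. The `profile useradd` block continues outside the hunk.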
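Review bot: The two `chsh --shell` tests persistently change the login shell of the invoking user and of root on the test host, and the file has no `teardown_file` that restores the previous values, so the environment differs after the run and any later test that expects the original shell can be affected. Recording the current shells in `setup_file` with `getent passwd` and restoring them in `teardown_file` keeps the run self-contained; a sketch is below. `--list-shells` is a util-linux chsh option, so the `|| true` on the first test is doing real work on distributions whose chsh comes from shadow, and a short comment saying so would help the next reader.
```shell
setup_file() {
    aa_setup
    # Remember the shells the tests below overwrite so teardown_file can put them back.
    ORIG_USER_SHELL="$(getent passwd "$(id -un)" | cut -d: -f7)"
    ORIG_ROOT_SHELL="$(getent passwd root | cut -d: -f7)"
    export ORIG_USER_SHELL ORIG_ROOT_SHELL
}

teardown_file() {
    chsh --shell "$ORIG_USER_SHELL"
    sudo chsh --shell "$ORIG_ROOT_SHELL" root
}

# … unchanged: the three @test blocks …
```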
diff --git a/tests/bats/lsusb.bats b/tests/bats/lsusb.bats
new file mode 100644
index 000000000..8f646d89e
--- /dev/null
+++ b/tests/bats/lsusb.bats
@@ -0,0 +1,28 @@
+#!/usr/bin/env bats
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+load common
+
+setup_file() {
+ aa_setup
+}
+
+# bats test_tags=lsusb
+@test "lsusb: List all the USB devices available" {
+ lsusb || true
+ aa_check
+}
+
+# bats test_tags=lsusb
+@test "lsusb: List the USB hierarchy as a tree" {
+ lsusb -t || true
+ aa_check
+}
+
+# bats test_tags=lsusb
+@test "lsusb: List verbose information about USB devices" {
+ lsusb --verbose || true
+ aa_check
+}
diff --git a/tests/bats/useradd.bats b/tests/bats/useradd.bats
new file mode 100644
index 000000000..833e01606
--- /dev/null
+++ b/tests/bats/useradd.bats
@@ -0,0 +1,49 @@
+#!/usr/bin/env bats
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+load common
+
+setup_file() {
+ aa_setup
+}
+
+# bats test_tags=useradd
+@test "useradd: Create a new user with the specified shell" {
+ sudo useradd --shell /bin/bash --create-home user2
+ aa_check
+}
+
+# bats test_tags=useradd
+@test "useradd: Create a new user with the specified user ID" {
+ sudo useradd --uid 3000 user3
+ aa_check
+}
+
+# bats test_tags=useradd
+@test "useradd: Create a new user belonging to additional groups (mind the lack of whitespace)" {
+ sudo useradd --groups adm user4
+ aa_check
+}
+
+
+# bats test_tags=useradd
+@test "useradd: Create a new system user without the home directory" {
+ sudo useradd --system sys2
+ aa_check
+}
+
+# bats test_tags=userdel
+@test "userdel: Remove a user" {
+ sudo userdel user3
+ sudo userdel user4
+ sudo userdel sys2
+ aa_check
+}
+
+# bats test_tags=userdel
+@test "userdel: Remove a user along with the home directory and mail spool" {
+ sudo userdel --remove user2
+ aa_check
+}
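Review bot: useradd.bats leaves accounts behind whenever a test fails partway: the four creations are only undone by the two `userdel` tests at the end, and in `userdel: Remove a user` the three `sudo userdel` calls are sequential, so a failure on `user3` (for example if uid 3000 is already taken on the host) skips the remaining removals and `aa_check`, and the next run then fails at `useradd` with an already-existing account. A best-effort `teardown_file` that removes all four accounts makes the file idempotent; a sketch is below. The title `(mind the lack of whitespace)` refers to a comma-separated group list, but the command passes only `adm`, so either add a second group or drop that parenthetical; the stray double blank line before the system-user test is also worth tidying.
```shell
teardown_file() {
    # Best-effort cleanup so a failed run does not poison the next one.
    for user in user2 user3 user4 sys2; do
        sudo userdel --remove "$user" 2>/dev/null || true
    done
}

# … unchanged: setup_file and the @test blocks …
```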