felipe/apparmor.d
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat(profile): add base mappings definition.

Browse source 
Used by profiles before to confine pre login script bfore transitionning to user hat.

It should only be enabled when mapping is enabled as otherwise the shell is not confined.
This commit is contained in:
Alexandre Pujol 2025-04-12 22:47:33 +02:00
parent cc6fccdcb5
commit 7f904d030c
No known key found for this signature in database
GPG key ID: C5469996F0DF68EC
2 changed files with 60 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

30
apparmor.d/mappings/login/base Normal file
View file

@ -0,0 +1,30 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# It is used by login to run pre login scripts (as root) such as the motd.
# After the login, Apparmor libpam will transition to the roles defined in
# other files under <mappings/login>
@{shells_path} rCx -> shell,
profile shell flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/shells>
@{shells_path} rix,
@{bin}/env rix,
@{bin}/run-parts rix, #aa:only apt
#aa:only apt
/etc/update-motd.d/ r,
/etc/update-motd.d/* rPx,
/usr/share/landscape/landscape-sysinfo.wrapper rPx,
@{run}/motd.dynamic.new rw, #aa:only apt
include if exists <local/mappings/login/shell>
}
# vim:syntax=apparmor

30
apparmor.d/mappings/sshd/base Normal file
View file

@ -0,0 +1,30 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# It is used by login to run pre login scripts (as root) such as the motd.
# After the login, Apparmor libpam will transition to the roles defined in
# other files under <mappings/login>
@{shells_path} rCx -> shell,
profile shell flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/shells>
@{shells_path} rix,
@{bin}/env rix,
@{bin}/run-parts rix, #aa:only apt
#aa:only apt
/etc/update-motd.d/ r,
/etc/update-motd.d/* rPx,
/usr/share/landscape/landscape-sysinfo.wrapper rPx,
@{run}/motd.dynamic.new rw, #aa:only apt
include if exists <local/mappings/sshd/shell>
}
# vim:syntax=apparmor