From 877452519d3138bd4a98dc7ef3cd3dec78a5b9dc Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 14 May 2025 22:49:58 +0200 Subject: [PATCH] feat(profile): unix-chkpwd: Add read capability to profile Following the Security Technical Implementation Guide, it is better to set the permissions to 0000 for the shadow file. However, since PAM version 1.6.0, after this change [0], unix-chkpwd will unconditionally read the shadow file. And with the previous restriction, the binary is denied access to the shadow file, which blocks user authentication. Moreover, the PAM change is needed to fix CVE-2024-10041. Giving the read capability to the unix-chkpwd profile allows it to function properly. See bug report [1]. [0] - https://github.com/linux-pam/linux-pam/pull/686 [1] - https://bugzilla.suse.com/show_bug.cgi?id=1241678 Signed-off-by: vlefebvre --- apparmor.d/profiles-s-z/unix-chkpwd | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/profiles-s-z/unix-chkpwd b/apparmor.d/profiles-s-z/unix-chkpwd index 4b7d35c32..7407a9f99 100644 --- a/apparmor.d/profiles-s-z/unix-chkpwd +++ b/apparmor.d/profiles-s-z/unix-chkpwd @@ -14,6 +14,7 @@ profile unix-chkpwd @{exec_path} { include capability audit_write, + capability dac_read_search, # To read shadow with 000 permissions. network netlink raw,
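Review bot: the inline comment on the added `capability dac_read_search,` line should say why this capability is the right one and what still bounds it, because `dac_read_search` is not shadow-specific: it lets the confined process bypass the DAC read and search checks on every path the profile's file rules already permit. Two clarifications would help a future maintainer: first, that `dac_read_search` was chosen over `dac_override` because only read access is needed (the override capability would also bypass write checks), and second, that the existing file rule for the shadow file remains the effective boundary since capabilities do not bypass AppArmor's own file mediation. Something like `capability dac_read_search, # PAM >= 1.6.0 reads shadow unconditionally; shadow may be mode 0000 (STIG). File rules still apply.` would also record the trigger (PAM 1.6.0, the linked linux-pam PR) so the rule can be revisited if PAM changes. Minor: the comment says `000` while the commit message says `0000`; pick one spelling of the mode. Also, the `Signed-off-by: vlefebvre` trailer does not match the `From:` author, which is worth checking if the project expects a DCO sign-off from the author.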