feat(profile): add base mappings definition.

Used by profiles before to confine pre login script bfore transitionning to user hat. It should only be enabled when mapping is enabled as otherwise the shell is not confined.
2025-04-12 22:47:33 +02:00 · 2025-04-12 22:47:33 +02:00 · c32884ddeb
commit c32884ddeb
parent 6d2147582e
2 changed files with 60 additions and 0 deletions
--- a/apparmor.d/mappings/login/base
+++ b/apparmor.d/mappings/login/base
@ -0,0 +1,30 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+# It is used by login to run pre login scripts (as root) such as the motd.
+# After the login, Apparmor libpam will transition to the roles defined in
+# other files under <mappings/login>
+
+  @{shells_path} rCx -> shell,
+
+  profile shell flags=(attach_disconnected) {
+    include <abstractions/base>
+    include <abstractions/consoles>
+    include <abstractions/shells>
+
+    @{shells_path}    rix,
+    @{bin}/env        rix,
+    @{bin}/run-parts  rix, #aa:only apt
+
+    #aa:only apt
+    /etc/update-motd.d/ r,
+    /etc/update-motd.d/*                            rPx,
+    /usr/share/landscape/landscape-sysinfo.wrapper  rPx,
+
+    @{run}/motd.dynamic.new rw,  #aa:only apt
+
+    include if exists <local/mappings/login/shell>
+  }
+
+# vim:syntax=apparmor
--- a/apparmor.d/mappings/sshd/base
+++ b/apparmor.d/mappings/sshd/base
@ -0,0 +1,30 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+# It is used by login to run pre login scripts (as root) such as the motd.
+# After the login, Apparmor libpam will transition to the roles defined in
+# other files under <mappings/login>
+
+  @{shells_path} rCx -> shell,
+
+  profile shell flags=(attach_disconnected) {
+    include <abstractions/base>
+    include <abstractions/consoles>
+    include <abstractions/shells>
+
+    @{shells_path}    rix,
+    @{bin}/env        rix,
+    @{bin}/run-parts  rix, #aa:only apt
+
+    #aa:only apt
+    /etc/update-motd.d/ r,
+    /etc/update-motd.d/*                            rPx,
+    /usr/share/landscape/landscape-sysinfo.wrapper  rPx,
+
+    @{run}/motd.dynamic.new rw,  #aa:only apt
+
+    include if exists <local/mappings/sshd/shell>
+  }
+
+# vim:syntax=apparmor