felipe/apparmor.d
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
apparmor.d/apparmor.d/profiles-m-r/pam/mappings
Alexandre Pujol 2cd14aa6bb
chore: add missing and update copyright year.
2024-02-07 00:16:21 +01:00

71 lines
2 KiB
Text
Raw Blame History

# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# See more at: https://gitlab.com/apparmor/apparmor/wikis/Pam_apparmor_example
# This file contains the mappings from users to roles for the binaries
# confined with AppArmor and configured for use with libpam-apparmor. Users
# without a mapping will not be able to login.
#
# The default hat is a confined user. The hat contains only the permissions
# necessary to transition to the user's login shell. All other permissions have
# been moved into the default_user profile.
^DEFAULT {
include <abstractions/authentication>
include <abstractions/nameservice>
capability dac_override,
capability setgid,
capability setuid,
/etc/default/su r,
@{etc_ro}/environment r,
@{bin}/{,b,d,rb}ash rPx -> default_user,
@{bin}/{c,k,tc,z}sh rPx -> default_user,
include if exists <local/pam_default>
}
# USER is a confined user. The hat contains only the permissions necessary
# to transition to gray's login shell. All other permissions have been
# moved into the confined_user profile.
^USER {
include <abstractions/authentication>
include <abstractions/nameservice>
capability dac_override,
capability audit_write,
capability setgid,
capability setuid,
@{bin}/@{shells} rPx -> confined_user,
/etc/default/su r,
@{etc_ro}/environment r,
include if exists <local/pam_user>
}
# Don't confine members whose primary group is 'admin' who are not specifically
# confined. Systems without this special primary group may want to define an
# unconfined 'root' hat in this manner (depending on site policy).
^root {
include <abstractions/authentication>
include <abstractions/nameservice>
include <abstractions/wutmp>
capability dac_override,
capability audit_write,
capability setgid,
capability setuid,
@{bin}/@{shells} rUx,
/etc/default/su r,
@{etc_ro}/environment r,
include if exists <local/pam_root>
}
Reference in a new issue View git blame Copy permalink