# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only

# See more at: https://gitlab.com/apparmor/apparmor/wikis/Pam_apparmor_example

# This file contains the mappings from users to roles for the binaries
# confined with AppArmor and configured for use with libpam-apparmor. Users
# without a mapping will not be able to login.
#
# The default hat is a confined user. The hat contains only the permissions
# necessary to transition to the user's login shell. All other permissions have
# been moved into the default_user profile.
^DEFAULT flags=(complain) {
  include <abstractions/authentication>
  include <abstractions/nameservice>

  capability dac_override,
  capability setgid,
  capability setuid,

  /etc/default/su r,
  @{etc_ro}/environment r,

  @{bin}/{,b,d,rb}ash rPx -> default_user,
  @{bin}/{c,k,tc,z}sh rPx -> default_user,

  include if exists <local/pam_default>
}

# USER is a confined user. The hat contains only the permissions necessary
# to transition to gray's login shell. All other permissions have been
# moved into the confined_user profile.
^USER flags=(complain) {
  include <abstractions/authentication>
  include <abstractions/nameservice>

  capability dac_override,
  capability audit_write,
  capability setgid,
  capability setuid,

  @{bin}/@{shells}    rPx -> confined_user,

  /etc/default/su r,
  @{etc_ro}/environment r,

  include if exists <local/pam_user>
}

# Don't confine members whose primary group is 'admin' who are not specifically
# confined. Systems without this special primary group may want to define an
# unconfined 'root' hat in this manner (depending on site policy).
^root flags=(complain) {
  include <abstractions/authentication>
  include <abstractions/nameservice>
  include <abstractions/wutmp>

  capability dac_override,
  capability audit_write,
  capability setgid,
  capability setuid,

  @{bin}/@{shells}     rUx,

  /etc/default/su r,
  @{etc_ro}/environment r,

  include if exists <local/pam_root>
}
