# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only

abi <abi/4.0>,

include <tunables/global>

@{exec_path} = @{bin}/gpasswd
@{att} = /att/gpasswd/
profile gpasswd /{,usr/}bin/gpasswd  flags=(attach_disconnected,attach_disconnected.path=@{att},complain) {
  include <abstractions/attached/base>
  include <abstractions/attached/consoles>
  include <abstractions/nameservice-strict>

  # To write records to the kernel auditing log.
  capability audit_write,

  # To set the right permission to the files in the /etc/ dir.
  capability chown,
  capability fsetid,

  # gpasswd is a SETUID binary
  capability setuid,

  network netlink raw,

  @{exec_path} mr,

  owner @{PROC}/@{pid}/loginuid r,

  @{etc_ro}/login.defs r,

  /etc/{group,gshadow} rw,
  /etc/{group,gshadow}.@{pid} w,
  /etc/{group,gshadow}- w,
  /etc/{group,gshadow}+ rw,
  /etc/group.lock wl -> /etc/group.@{pid},
  /etc/gshadow.lock wl -> /etc/gshadow.@{pid},

  # A process first uses lckpwdf() to lock the lock file, thereby gaining exclusive rights to
  # modify the /etc/passwd or /etc/shadow password database.
  /etc/.pwd.lock rwk,

  include if exists <local/gpasswd>
}

# vim:syntax=apparmor
