# This file contains the mappings from users to roles for the binaries
# confined with AppArmor and configured for use with libpam-apparmor.
# Users without a mapping will not be able to log in.

# The DEFAULT hat is the fallback for users with no hat of their own.
# It contains only the permissions necessary to transition to the
# user's login shell.  All other permissions have been moved into the
# default_user profile.

^DEFAULT {
  # Fallback hat, used when no hat matches the user (or group) name.
  # NOTE(review): this hat is rule-for-rule identical to ^wgsupport below.
  # Keep the two in sync, or move the shared rules into a site abstraction
  # that both hats #include, so a future tightening is not applied to one
  # and forgotten in the other.
  #include <abstractions/authentication>
  #include <abstractions/base>
  #include <abstractions/bash>
  #include <abstractions/consoles>
  #include <abstractions/nameservice>
  #include <abstractions/user-tmp>
  #include <abstractions/wutmp>

  # Presumably what the login/su path needs before the exec: setuid/setgid
  # to change identity, chown/fowner/fsetid for tty and record ownership,
  # audit_write for the login audit record.  dac_override and fowner skip
  # ordinary file-permission checks, so everything allowed to execute in
  # this hat (below) runs with that bypass available.
  capability audit_write,
  capability chown,
  capability dac_override,
  capability fowner,
  capability fsetid,
  capability setgid,
  capability setuid,

  /dev/ptmx rw,
  /dev/tty* rw,
  /etc/default/su r,
  /etc/environment r,
  # NOTE(review): wider than the header comment suggests.  `ixmr` on
  # /lib/**, /usr/bin/*, /usr/lib/** and /usr/local/lib/** lets any binary
  # in those trees run while inheriting this hat and its capabilities;
  # narrowing to the binaries the login path actually executes is worth
  # considering.
  /lib/** ixmr,
  # `@{PROC}/** r` reads every process's /proc entries, and the `*` in the
  # oom_* rule matches every pid rather than only the session being set up.
  @{PROC}/** r,
  @{PROC}/*/oom_* rw,
  /usr/bin/ r,
  /usr/bin/* ixmr,
  /usr/lib/** ixmr,
  /usr/local/lib/** ixmr,

  # Px: on exec of the login shell, transition into the wg_support_user
  # profile with the environment scrubbed (LD_PRELOAD and friends dropped).
  # The shell is confined by that profile, not by this hat.
  # NOTE(review): the header above names "default_user" as the target
  # profile; the rules transition to wg_support_user.  One of the two is
  # stale -- confirm which profile is meant to be loaded.
  /bin/{,b,d,rb}ash Px -> wg_support_user,
  /bin/{c,k,tc}sh Px -> wg_support_user,
  /usr/bin/{,b,d,rb}ash Px -> wg_support_user,
  /usr/bin/{c,k,tc}sh Px -> wg_support_user,
}

# Don't confine root.

^root {
  # Hat selected for the 'root' user.  The rules up to the shell exec are
  # the same as in ^DEFAULT; only the final exec mode differs.
  # NOTE(review): identical to ^wgadmin below -- keep in sync or share an
  # abstraction.
  #include <abstractions/authentication>
  #include <abstractions/base>
  #include <abstractions/bash>
  #include <abstractions/consoles>
  #include <abstractions/nameservice>
  #include <abstractions/user-tmp>
  #include <abstractions/wutmp>

  # Presumably the login/su requirements: identity change (setuid/setgid),
  # tty and record ownership (chown/fowner/fsetid), audit record
  # (audit_write).  dac_override and fowner bypass file-permission checks.
  capability audit_write,
  capability chown,
  capability dac_override,
  capability fowner,
  capability fsetid,
  capability setgid,
  capability setuid,

  /dev/ptmx rw,
  /dev/tty* rw,
  /etc/default/su r,
  /etc/environment r,
  # ixmr on whole library/binary trees: anything there may run inheriting
  # this hat.  Less of a concern here than in ^DEFAULT, since the shell
  # leaves confinement anyway, but still wider than the login path needs.
  /lib/** ixmr,
  @{PROC}/** r,
  @{PROC}/*/oom_* rw,
  /usr/bin/ r,
  /usr/bin/* ixmr,
  /usr/lib/** ixmr,
  /usr/local/lib/** ixmr,

  # Ux: execute the shell unconfined, with the environment scrubbed.
  # After this exec nothing in the session is covered by AppArmor policy;
  # only the login process itself, up to the exec, is confined by this hat.
  # (Lowercase `ux` would skip the environment scrub -- keep the capital.)
  /bin/{,b,d,rb}ash Ux,
  /bin/{c,k,tc}sh Ux,
  /usr/bin/{,b,d,rb}ash Ux,
  /usr/bin/{c,k,tc}sh Ux,
}

# Don't confine users whose primary group is 'wgadmin' and who are not
# otherwise specifically confined.  Systems without this special primary
# group may instead want to define an unconfined 'root' hat in this
# manner (depending on site policy).

^wgadmin {
  # Hat selected by primary group name 'wgadmin' (see the comment above).
  # NOTE(review): identical to ^root -- any change there should be
  # mirrored here, or both should #include one shared abstraction.
  #include <abstractions/authentication>
  #include <abstractions/base>
  #include <abstractions/bash>
  #include <abstractions/consoles>
  #include <abstractions/nameservice>
  #include <abstractions/user-tmp>
  #include <abstractions/wutmp>

  # Presumably the login/su requirements: identity change (setuid/setgid),
  # tty and record ownership (chown/fowner/fsetid), audit record
  # (audit_write).  dac_override and fowner bypass file-permission checks.
  capability audit_write,
  capability chown,
  capability dac_override,
  capability fowner,
  capability fsetid,
  capability setgid,
  capability setuid,

  /dev/ptmx rw,
  /dev/tty* rw,
  /etc/default/su r,
  /etc/environment r,
  # ixmr on whole library/binary trees: anything there may run inheriting
  # this hat and its capabilities.  Wider than the login path needs.
  /lib/** ixmr,
  @{PROC}/** r,
  @{PROC}/*/oom_* rw,
  /usr/bin/ r,
  /usr/bin/* ixmr,
  /usr/lib/** ixmr,
  /usr/local/lib/** ixmr,

  # Ux: the login shell runs unconfined, environment scrubbed on exec.
  # Membership in the 'wgadmin' primary group therefore means "no AppArmor
  # confinement for the session"; treat changes to that group's membership
  # as a privilege change and audit them accordingly.
  /bin/{,b,d,rb}ash Ux,
  /bin/{c,k,tc}sh Ux,
  /usr/bin/{,b,d,rb}ash Ux,
  /usr/bin/{c,k,tc}sh Ux,
}

# This hat contains only the permissions necessary to transition to
# wgsupport's login shell.  All other permissions have been moved into
# the wg_support_user profile.

^wgsupport {
  # Hat selected for the 'wgsupport' user.
  # NOTE(review): rule-for-rule identical to ^DEFAULT.  Since DEFAULT would
  # already apply to wgsupport in its absence, this hat adds nothing unless
  # it is intended to diverge later; either document that intent or drop
  # the duplicate so there is one place to maintain.
  #include <abstractions/authentication>
  #include <abstractions/base>
  #include <abstractions/bash>
  #include <abstractions/consoles>
  #include <abstractions/nameservice>
  #include <abstractions/user-tmp>
  #include <abstractions/wutmp>

  # Presumably the login/su requirements: identity change (setuid/setgid),
  # tty and record ownership (chown/fowner/fsetid), audit record
  # (audit_write).  dac_override and fowner bypass file-permission checks,
  # so whatever may execute in this hat (below) runs with that available.
  capability audit_write,
  capability chown,
  capability dac_override,
  capability fowner,
  capability fsetid,
  capability setgid,
  capability setuid,

  /dev/ptmx rw,
  /dev/tty* rw,
  /etc/default/su r,
  /etc/environment r,
  # NOTE(review): ixmr on /lib/**, /usr/bin/*, /usr/lib/** and
  # /usr/local/lib/** allows any binary in those trees to run inheriting
  # this hat; consider narrowing to what the login path executes.
  /lib/** ixmr,
  # Whole-/proc read and an oom_* rule that matches every pid, not only
  # the session being set up.
  @{PROC}/** r,
  @{PROC}/*/oom_* rw,
  /usr/bin/ r,
  /usr/bin/* ixmr,
  /usr/lib/** ixmr,
  /usr/local/lib/** ixmr,

  # Px: transition into wg_support_user with the environment scrubbed.
  # The shell and everything it spawns are confined by that profile.
  /bin/{,b,d,rb}ash Px -> wg_support_user,
  /bin/{c,k,tc}sh Px -> wg_support_user,
  /usr/bin/{,b,d,rb}ash Px -> wg_support_user,
  /usr/bin/{c,k,tc}sh Px -> wg_support_user,
}
