# Last Modified: Wed Apr 21 08:28:59 2021
# This file contains the policy for the confined binaries that use
# libpam-apparmor.

# This file was initially generated using aa-genprof.

#include <tunables/global>
#include <tunables/wg_system>

# Profile attached to /bin/login, one of the binaries confined for use with
# libpam-apparmor (see the file header).
# Permission letters used below: r = read, w = write, k = file lock,
# m = map into memory as executable, ix = execute and stay in this profile.
# The "owner" prefix limits a rule to files owned by the calling process's
# fsuid.
/bin/login {
  #include <abstractions/authentication>
  #include <abstractions/base>
  #include <abstractions/bash>
  #include <abstractions/consoles>
  #include <abstractions/nameservice>
  #include <abstractions/user-tmp>
  #include <abstractions/wutmp>

  # Include the file with all of our username/group to role mappings

  # NOTE(review): pam/mappings is not shown here; presumably it defines the
  # role hats that pam_apparmor switches the session into. Confirm it provides
  # a restrictive default for users that match no mapping.
  #include <pam/mappings>

  # Kernel capabilities: audit_write emits audit records; chown, fowner and
  # fsetid override file ownership checks; setgid and setuid allow changing
  # process credentials.
  capability audit_write,
  capability chown,
  capability fowner,
  capability fsetid,
  capability setgid,
  capability setuid,

  # ix keeps the executed program in this profile, so anything under /bin runs
  # with the capabilities granted above.
  # NOTE(review): confirm the session is moved into a role hat before a user
  # shell starts, otherwise the shell inherits this access.
  /bin/* ixmr,
  /dev/tty* rw,
  /etc/apt/apt.conf.d/ r,
  /etc/apt/apt.conf.d/* r,
  /etc/default/* r,
  /etc/environment r,
  /etc/group r,
  /etc/ld.so.cache r,
  /etc/legal r,
  /etc/login.defs r,
  /etc/lsb-release r,
  # Read and write access to the password hash database and its staging file.
  # NOTE(review): presumably needed so PAM can update an expired password at
  # login; if password changes are not handled here, "r" would be sufficient.
  /etc/nshadow rw,
  /etc/nsswitch.conf r,
  /etc/pam.d/* r,
  /etc/passwd r,
  /etc/.pwd.lock rwk,
  /etc/security/limits.d/ r,
  /etc/shadow rw,
  /etc/update-motd.d/ r,
  # MOTD scripts execute inside this profile (ix); whoever can write to
  # /etc/update-motd.d/ controls code that runs with the rules listed here.
  /etc/update-motd.d/* ixmr,
  owner @{HOME}/.cache/ rw,
  owner @{HOME}/.cache/* rw,
  /lib/** ixmr,
  # Read access to the whole of /proc, other processes' entries included
  # (file permissions still apply).
  # NOTE(review): broad; narrow to the entries actually read if possible.
  @{PROC}/** r,
  # NOTE(review): the sshd profile in this file restricts the same loginuid
  # rule with "owner"; this one does not. Confirm the difference is intended.
  @{PROC}/*/loginuid rw,
  @{PROC}/*/oom_* rw,
  @{PROC}/self/ rw,
  @{PROC}/self/loginuid rw,
  /run/ rw,
  /run/motd* rw,
  /usr/bin/ r,
  /usr/bin/* ixmr,
  /usr/lib/** ixmr,
  /usr/local/lib/** ixmr,
  /var/lib/ubuntu-release-upgrader/ rw,
  /var/lib/ubuntu-release-upgrader/release-upgrade-available rw,
  # Write-only: failed login attempts can be recorded but not read back.
  /var/log/btmp w,
  # The WG_* variables are not defined in this file; presumably they come from
  # tunables/wg_system, included at the top.
  @{WG_BINDIR}/* ixmr,
  @{WG_LIBDIR}/** mr,
}

# Profile attached to /usr/sbin/sshd, one of the binaries confined for use
# with libpam-apparmor (see the file header).
# Permission letters used below: r = read, w = write, k = file lock,
# m = map into memory as executable, ix = execute and stay in this profile.
# The "owner" prefix limits a rule to files owned by the calling process's
# fsuid.
/usr/sbin/sshd {
  #include <abstractions/authentication>
  #include <abstractions/base>
  #include <abstractions/bash>
  #include <abstractions/consoles>
  #include <abstractions/nameservice>
  #include <abstractions/openssl>
  #include <abstractions/user-tmp>
  #include <abstractions/wutmp>

  # Include the file with all of our username/group to role mappings

  # NOTE(review): pam/mappings is not shown here; presumably it defines the
  # role hats that pam_apparmor switches the session into. Confirm it provides
  # a restrictive default for users that match no mapping.
  #include <pam/mappings>

  # Kernel capabilities: audit_write emits audit records; chown, fowner and
  # fsetid override file ownership checks; setgid and setuid allow changing
  # process credentials; sys_chroot permits chroot(); sys_resource permits
  # overriding resource limits.
  capability audit_write,
  capability chown,
  # dac_read_search bypasses file read and directory search permission checks,
  # which widens every "r" rule below to files the process could not normally
  # open.
  capability dac_read_search,
  capability fowner,
  capability fsetid,
  capability setgid,
  capability setuid,
  capability sys_chroot,
  # NOTE(review): sys_ptrace allows tracing other processes. It was probably
  # recorded by aa-genprof because of /proc accesses; confirm it is required
  # and drop it if sshd works without it.
  capability sys_ptrace,
  capability sys_resource,

  network unix dgram,

  # ix keeps the executed program in this profile, so anything under /bin runs
  # with the capabilities granted above.
  # NOTE(review): confirm the session is moved into a role hat before a user
  # shell or command starts, otherwise it inherits this access.
  /bin/* ixmr,
  /etc/default/* r,
  /etc/apt/apt.conf.d/ r,
  /etc/apt/apt.conf.d/* r,
  /etc/environment r,
  /etc/group r,
  /etc/hosts.allow r,
  /etc/hosts.deny r,
  /etc/ld.so.cache r,
  /etc/legal r,
  /etc/login.defs r,
  /etc/lsb-release r,
  # Read and write access to the password hash database and its staging file.
  # NOTE(review): presumably needed so PAM can update an expired password at
  # login; if password changes are not handled here, "r" would be sufficient.
  /etc/nshadow rw,
  /etc/nsswitch.conf r,
  /etc/pam.d/* r,
  /etc/passwd r,
  /etc/.pwd.lock rwk,
  /etc/security/limits.d/ r,
  /etc/shadow rw,
  # Host private keys are read-only here; the profile cannot replace them.
  /etc/ssh/ssh_host_*_key r,
  /etc/ssh/ssh_host_*_key.pub r,
  /etc/ssh/sshd_ca_keys r,
  /etc/ssh/sshd_config r,
  /etc/update-motd.d/ r,
  # MOTD scripts execute inside this profile (ix); whoever can write to
  # /etc/update-motd.d/ controls code that runs with the rules listed here.
  /etc/update-motd.d/* ixmr,
  owner @{HOME}/.cache/ rw,
  owner @{HOME}/.cache/* rw,
  # "*" does not cross "/", so only files directly inside ~/.ssh are readable,
  # and only when owned by the calling fsuid.
  owner @{HOME}/.ssh/* r,
  /lib/** ixmr,
  # Read access to the whole of /proc, other processes' entries included
  # (file permissions still apply).
  # NOTE(review): broad; narrow to the entries actually read if possible.
  @{PROC}/** r,
  owner @{PROC}/*/loginuid rw,
  @{PROC}/*/oom_* rw,
  @{PROC}/self/ rw,
  @{PROC}/self/loginuid rw,
  /run/ rw,
  /run/motd* rw,
  /run/sshd.pid rw,
  /usr/bin/ r,
  /usr/bin/* ixmr,
  /usr/bin/dash ix,
  /usr/lib/** ixmr,
  /usr/local/lib/** ixmr,
  /usr/sbin/sshd ixmr,
  # NOTE(review): the second rule for this path grants only "r", which the
  # first rule (mrix) already includes; it is redundant.
  /usr/share/unattended-upgrades/update-motd-unattended-upgrades mrix,
  /usr/share/unattended-upgrades/update-motd-unattended-upgrades r,
  /var/lib/ubuntu-release-upgrader/ rw,
  /var/lib/ubuntu-release-upgrader/release-upgrade-available rw,
  # Write-only: failed login attempts can be recorded but not read back.
  /var/log/btmp w,
  # The WG_* variables are not defined in this file; presumably they come from
  # tunables/wg_system, included at the top.
  @{WG_BINDIR}/* ixmr,
  @{WG_LIBDIR}/** mr,
  # NOTE(review): "m" on the ETC and VAR trees lets files there be mapped as
  # executable; confirm shared objects are really loaded from these locations,
  # otherwise "r" is enough.
  @{WG_ETCDIR}/** mr,
  @{WG_VARDIR}/** mr,
  @{WG_RUNDIR}/wgdevice_sshd/ rw,
  @{WG_RUNDIR}/wgdevice_sshd/* rw,
  owner /etc/gss/mech.d/ r,
  owner /run/systemd/notify w,
  owner /var/cache/motd-news r,
}
