GitLab

A software package that uses pam_exec was developed by me. Now, unrelated packages using sudo are denied from using the pam_exec that was implemented. That same is happening when slotting in wrappers in between.

Currently we are (ab)using /etc/apparmor.d/abstractions/base to add permissions to apparmor profiles which cannot know about our modifications. Profile local files aren't suitable either since it cannot be expected with which applications that would happen and local profiles files are for local administrators, not linux distributions.

I don't think there is currently a way to express add "/usr/lib/security-misc/permission-lockdown rix," to all profiles globally?

Therefore, could you please implement /etc/apparmor.d/abstractions/base.d or /etc/apparmor.d/turntables/base.d or so?