apparmor.d/apparmor.d/profiles-m-z/sudo

# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only

abi <abi/3.0>,

include <tunables/global>

@{exec_path} = /{usr/,}bin/sudo
profile sudo @{exec_path} {
  include <abstractions/base>
  include <abstractions/consoles>
  include <abstractions/authentication>
  include <abstractions/wutmp>
  include <abstractions/nameservice-strict>
# include <pam/mappings>

  # To remove the following errors:
  #  sudo: unable to change to root gid: Operation not permitted
  capability setgid,

  # To remove the following errors:
  #  sudo: PERM_SUDOERS: setresuid(-1, 1, -1): Operation not permitted
  #  sudo: no valid sudoers sources found, quitting
  #  sudo: setresuid() [0, 0, 0] -> [1000, -1, -1]: Operation not permitted
  capability setuid,

  # To write records to the kernel auditing log.
  capability audit_write,

  # Needed? (#FIXME#)
  capability sys_resource,

  # To remove the following error:
  #  sudo: PAM account management error: Permission denied
  #  sudo: unable to open audit system: Permission denied
  #  sudo: a password is required
  network netlink raw,

  signal,

  @{exec_path} mr,

  # Shells to use
  /{usr/,}bin/{,b,d,rb}ash rpux,
  /{usr/,}bin/{c,k,tc,z}sh rpux,

  /{usr/,}bin/[a-z0-9]* rPUx,
  /{usr/,}{s,}bin/[a-z0-9]* rPUx,

  /dev/ r,

  # For timestampdir
  owner @{run}/sudo/ rw,
  owner @{run}/sudo/ts/ rw,
  owner @{run}/sudo/ts/* rwk,

  @{PROC}/@{pid}/fd/ r,
  @{PROC}/@{pids}/stat r,

  /etc/sudo.conf r,

  /etc/sudoers r,
  /etc/sudoers.d/{,*} r,

  # file_inherit
  owner /dev/tty[0-9]* rw,
  owner @{HOME}/.xsession-errors w,

  include if exists <local/sudo>
}
Rewrite Copyright header, use SPDX style. 2021-04-01 17:17:47 +02:00			`# apparmor.d - Full set of apparmor profiles`
			`# Copyright (C) 2019-2021 Mikhail Morfikov`
			`# SPDX-License-Identifier: GPL-2.0-only`
move apparmor profiles to a seperate repo 2020-09-12 17:19:23 +02:00
update profiles for apparmor3 2020-12-10 22:33:39 +01:00			`abi <abi/3.0>,`
move apparmor profiles to a seperate repo 2020-09-12 17:19:23 +02:00
update profiles for apparmor3 2020-12-10 22:33:39 +01:00			`include <tunables/global>`
move apparmor profiles to a seperate repo 2020-09-12 17:19:23 +02:00
			`@{exec_path} = /{usr/,}bin/sudo`
			`profile sudo @{exec_path} {`
update profiles for apparmor3 2020-12-10 22:33:39 +01:00			`include <abstractions/base>`
			`include <abstractions/consoles>`
			`include <abstractions/authentication>`
			`include <abstractions/wutmp>`
			`include <abstractions/nameservice-strict>`
			`# include <pam/mappings>`
move apparmor profiles to a seperate repo 2020-09-12 17:19:23 +02:00
			`# To remove the following errors:`
			`# sudo: unable to change to root gid: Operation not permitted`
			`capability setgid,`

			`# To remove the following errors:`
			`# sudo: PERM_SUDOERS: setresuid(-1, 1, -1): Operation not permitted`
			`# sudo: no valid sudoers sources found, quitting`
			`# sudo: setresuid() [0, 0, 0] -> [1000, -1, -1]: Operation not permitted`
			`capability setuid,`

			`# To write records to the kernel auditing log.`
			`capability audit_write,`

			`# Needed? (#FIXME#)`
			`capability sys_resource,`

update apparmor profiles 2020-12-24 13:55:12 +01:00			`# To remove the following error:`
			`# sudo: PAM account management error: Permission denied`
			`# sudo: unable to open audit system: Permission denied`
			`# sudo: a password is required`
			`network netlink raw,`

move apparmor profiles to a seperate repo 2020-09-12 17:19:23 +02:00			`signal,`

			`@{exec_path} mr,`

			`# Shells to use`
			`/{usr/,}bin/{,b,d,rb}ash rpux,`
			`/{usr/,}bin/{c,k,tc,z}sh rpux,`

			`/{usr/,}bin/[a-z0-9]* rPUx,`
Archlinux has no sbin. sbin -> {s,}bin for Archlinux support. Purposelly not replaced on Debian only programs 2021-04-02 00:15:47 +02:00			`/{usr/,}{s,}bin/[a-z0-9]* rPUx,`
move apparmor profiles to a seperate repo 2020-09-12 17:19:23 +02:00
			`/dev/ r,`

			`# For timestampdir`
update apparmor profiles 2020-10-25 10:23:34 +01:00			`owner @{run}/sudo/ rw,`
			`owner @{run}/sudo/ts/ rw,`
			`owner @{run}/sudo/ts/* rwk,`
move apparmor profiles to a seperate repo 2020-09-12 17:19:23 +02:00
			`@{PROC}/@{pid}/fd/ r,`
			`@{PROC}/@{pids}/stat r,`

			`/etc/sudo.conf r,`

			`/etc/sudoers r,`
			`/etc/sudoers.d/{,*} r,`

			`# file_inherit`
			`owner /dev/tty[0-9]* rw,`
			`owner @{HOME}/.xsession-errors w,`

update profiles for apparmor3 2020-12-10 22:33:39 +01:00			`include if exists <local/sudo>`
move apparmor profiles to a seperate repo 2020-09-12 17:19:23 +02:00			`}`