Update su

2024-11-14 23:43:56 +01:00 · 2021-12-12 18:16:30 +00:00 · 2021-12-12 18:16:30 +00:00 · 09fdd074f8
commit 09fdd074f8
parent 3430e3df90
1 changed files with 7 additions and 0 deletions
--- a/apparmor.d/profiles-s-z/su
+++ b/apparmor.d/profiles-s-z/su
@ -19,6 +19,9 @@ profile su @{exec_path} {
  capability setgid,
  capability setuid,
  #audit deny capability net_bind_service,
+  capability sys_resource,
+  # No clear purpose, deny until needed
+  deny capability net_admin,

  signal (send)    set=(term,kill),
  signal (receive) set=(int,quit,term),
@ -45,6 +48,10 @@ profile su @{exec_path} {
  # For pam_securetty
  @{PROC}/cmdline r,
  @{sys}/devices/virtual/tty/console/active r,
+  
+  # pseudo-terminal
+  capability chown,
+  /dev/{,pts/}ptmx rw,

  include if exists <local/su>
 }