From 09fdd074f83931379dd1aa3344c6b3c6e46a6edd Mon Sep 17 00:00:00 2001
From: nobodysu
Date: Sun, 12 Dec 2021 18:16:30 +0000
Subject: [PATCH] Update su
---
 apparmor.d/profiles-s-z/su | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/apparmor.d/profiles-s-z/su b/apparmor.d/profiles-s-z/su
index e1e0572c..825e48f5 100644
--- a/apparmor.d/profiles-s-z/su
+++ b/apparmor.d/profiles-s-z/su
@@ -19,6 +19,9 @@ profile su @{exec_path} {
 capability setgid,
 capability setuid,
 #audit deny capability net_bind_service,
+ capability sys_resource,
+ # No clear purpose, deny until needed
+ deny capability net_admin,
 signal (send) set=(term,kill),
 signal (receive) set=(int,quit,term),
@@ -45,6 +48,10 @@ profile su @{exec_path} {
 # For pam_securetty
 @{PROC}/cmdline r,
 @{sys}/devices/virtual/tty/console/active r,
+
+ # pseudo-terminal
+ capability chown,
+ /dev/{,pts/}ptmx rw,
 include if exists
 }
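Review bot: The added `deny capability net_admin,` in the first hunk is a quiet deny, so AppArmor will not log the rejection and the "deny until needed" comment above it cannot be acted on, because nobody will see when su actually requests the capability. Following the commented-out rule just above it, `audit deny capability net_admin,` keeps the denial visible in the audit log. A deny also takes precedence over allow rules, so anything added later through the `include if exists` at the end of the profile could not re-grant it. The added `capability sys_resource,` carries no comment although it is a broad capability; a one-line reason such as `# presumably for pam_limits raising rlimits - confirm` would help the next reviewer. The profile body starts before this hunk and continues after it.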
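Review bot: In the second hunk `capability chown,` is placed among the file rules under `# pseudo-terminal`, while the first hunk shows the profile keeping its capability rules together near the top; moving it there keeps the granted capability set reviewable in one place. The capability is not limited to the pty device, so the comment should name the su mode that needs it, e.g. `# su --pty: allocate a pseudo-terminal for the session` if that is the intent (inferred from the comment, not shown in the hunk). The hunk allows the `ptmx` multiplexer but no slave device under `/dev/pts/`; such a rule may exist in the part of the profile before this hunk, which is not visible here.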