From 61038bdfa8cf71fcc15f28bf75f32d71e7dc9a87 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 3 Apr 2021 23:28:16 +0100 Subject: [PATCH] Sudo needs much more cap for normal usage. --- apparmor.d/profiles-m-z/sudo | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/apparmor.d/profiles-m-z/sudo b/apparmor.d/profiles-m-z/sudo index 4a73111d..92c712a8 100644 --- a/apparmor.d/profiles-m-z/sudo +++ b/apparmor.d/profiles-m-z/sudo @@ -30,6 +30,12 @@ profile sudo @{exec_path} { # Needed? (#FIXME#) capability sys_resource, + capability net_admin, + capability sys_ptrace, + capability dac_read_search, + capability dac_override, + capability mknod, + ptrace read, # To remove the following error: # sudo: PAM account management error: Permission denied @@ -54,6 +60,7 @@ profile sudo @{exec_path} { owner @{run}/sudo/ rw, owner @{run}/sudo/ts/ rw, owner @{run}/sudo/ts/* rwk, + @{run}/faillock/{,*} rwk, @{PROC}/@{pid}/fd/ r, @{PROC}/@{pids}/stat r, @@ -62,6 +69,8 @@ profile sudo @{exec_path} { /etc/sudoers r, /etc/sudoers.d/{,*} r, + /etc/environment r, + /etc/security/limits.d/{,*} r, # file_inherit owner /dev/tty[0-9]* rw,
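Review bot: The five new capabilities and `ptrace read,` sit under the existing `# Needed? (#FIXME#)` comment, with nothing recording which sudo or PAM operation was denied without each one, so a later reviewer cannot tell which are safe to drop. `dac_override` and `dac_read_search` lift file permission checks for a setuid-root program, and `sys_ptrace`, `mknod` and `net_admin` are similarly broad, so together they reduce what the profile still contains if sudo or a loaded PAM module is compromised. I would add a one-line comment per rule naming the audit-log denial that motivated it, and, if the peer is known, scope the ptrace rule as `ptrace read peer=<profile>,` (placeholder) instead of leaving it unrestricted. The collapsed layout of the page does not show whether `ptrace read,` is itself added or is context after an added blank line. The profile body starts and ends outside the hunk.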
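Review bot: `@{run}/faillock/{,*} rwk,` is the only rule in this group without the `owner` qualifier, and no comment says why it differs from `owner @{run}/sudo/ts/* rwk,` just above it. If the rule is for pam_faillock tally files, which are presumably owned by the authenticating user rather than by root, the missing `owner` is likely deliberate. A comment such as `# pam_faillock tally files, owned by the target user` would keep someone from tightening it by mistake. It is also worth confirming that write access is needed on the directory itself, which the `{,*}` alternation includes, or whether `@{run}/faillock/ r,` plus `@{run}/faillock/* rwk,` is enough. The profile body starts and ends outside the hunk.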