Sudo needs much more cap for normal usage.

apparmor.d/profiles-m-z/sudo

@@ -30,6 +30,12 @@ profile sudo @{exec_path} {
 
   # Needed? (#FIXME#)
   capability sys_resource,
+  capability net_admin,
+  capability sys_ptrace,
+  capability dac_read_search,
+  capability dac_override,
+  capability mknod,
+  ptrace read,
 
   # To remove the following error:
   #  sudo: PAM account management error: Permission denied
@@ -54,6 +60,7 @@ profile sudo @{exec_path} {
   owner @{run}/sudo/ rw,
   owner @{run}/sudo/ts/ rw,
   owner @{run}/sudo/ts/* rwk,
+        @{run}/faillock/{,*} rwk,
 
   @{PROC}/@{pid}/fd/ r,
   @{PROC}/@{pids}/stat r,
@@ -62,6 +69,8 @@ profile sudo @{exec_path} {
 
   /etc/sudoers r,
   /etc/sudoers.d/{,*} r,
+  /etc/environment r,
+  /etc/security/limits.d/{,*} r,
 
   # file_inherit
   owner /dev/tty[0-9]* rw,