diff --git a/apparmor.d/profiles-s-z/su b/apparmor.d/profiles-s-z/su
index 825e48f5..166a3553 100644
--- a/apparmor.d/profiles-s-z/su
+++ b/apparmor.d/profiles-s-z/su
@@ -18,14 +18,17 @@ profile su @{exec_path} {
 capability audit_write,
 capability setgid,
 capability setuid,
- #audit deny capability net_bind_service,
+ capability dac_read_search,
 capability sys_resource,
 # No clear purpose, deny until needed
 deny capability net_admin,
+ #audit deny capability net_bind_service,
 signal (send) set=(term,kill),
 signal (receive) set=(int,quit,term),
+ signal (receive) set=(cont,hup) peer=sudo,
+ # unknown, needs to be cleared up; TODO
 network netlink raw,
 @{exec_path} mr,
@@ -43,15 +46,41 @@ profile su @{exec_path} {
 /etc/shells r,
 @{PROC}/1/limits r,
- owner @{PROC}/@{pid}/loginuid r,
+ @{PROC}/sys/kernel/random/boot_id r,
+ owner @{PROC}/@{pids}/loginuid r,
+ owner @{PROC}/@{pids}/cgroup r,
+ owner @{PROC}/@{pids}/mountinfo r,
 # For pam_securetty
 @{PROC}/cmdline r,
 @{sys}/devices/virtual/tty/console/active r,
-
+ # pseudo-terminal
 capability chown,
+ /dev/{,pts/}ptmx rw,
+ @{run}/dbus/system_bus_socket rw,
+ @{run}/systemd/userdb/ r,
+ @{run}/systemd/userdb/io.systemd.Machine rw,
+ @{run}/systemd/userdb/io.systemd.DynamicUser rw,
+
+ dbus (send)
+ bus=system
+ path=/org/freedesktop/DBus
+ interface=org.freedesktop.DBus
+ member=Hello
+ peer=(name=org.freedesktop.DBus),
+
+ dbus (send)
+ bus=system
+ path=/org/freedesktop/login[0-9]
+ interface=org.freedesktop.login[0-9].Manager
+ member={CreateSession,ReleaseSession},
+
+ unix (bind) type=dgram,
+
+ /dev/tty[0-9]* rw,
+
 include if exists
 }
diff --git a/apparmor.d/profiles-s-z/sudo b/apparmor.d/profiles-s-z/sudo
index 2b0cea82..637047c8 100644
--- a/apparmor.d/profiles-s-z/sudo
+++ b/apparmor.d/profiles-s-z/sudo
@@ -7,6 +7,8 @@ abi ,
 include
+@{PATH} = /usr/local/sbin /usr/local/bin /usr/sbin /usr/bin /sbin /bin
+
 @{exec_path} = /{usr/,}bin/sudo
 profile sudo @{exec_path} {
 include
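Review bot: `capability dac_read_search,` is added to the su profile with no comment saying which access needed it, while the neighbouring `deny capability net_admin,` carries a "No clear purpose" note; since this capability bypasses file read and directory search permission checks for the whole process, a one-line note above it such as `# needed for <file or PAM module that triggered the denial>` would keep the justification in the profile. The new `# unknown, needs to be cleared up; TODO` placed above `network netlink raw,` also contradicts the sudo hunk in this same commit, which labels the identical rule `# PAM`; if the PAM explanation holds for sudo it presumably holds for su as well, so the two comments should agree rather than leave one rule documented and the other marked unknown. The profile body continues outside the hunk.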
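Review bot: `/dev/tty[0-9]* rw,` near the end of the su hunk is granted without the `owner` qualifier, whereas the sudo profile in this same commit keeps the same path as `owner /dev/tty[0-9]* rw,`; unless the denial behind this rule really involved a console owned by another user, `owner /dev/tty[0-9]* rw,` is the tighter and consistent form. Separately, the `# pseudo-terminal` heading is followed by `capability chown,` and `/dev/{,pts/}ptmx rw,`, which it describes, but the `@{run}/dbus/system_bus_socket rw,` and `@{run}/systemd/userdb/...` rules directly underneath are unrelated to the pty and read as if they were; a blank line and their own comment, e.g. `# user/session lookup via systemd-userdb and logind`, would keep the grouping honest. The D-Bus `login[0-9]` Manager rule is already scoped to `member={CreateSession,ReleaseSession}`, which is the right granularity.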
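Review bot: `@{PATH} = /usr/local/sbin /usr/local/bin /usr/sbin /usr/bin /sbin /bin` is defined with `=` at file scope directly after the file's top-level `include`; if a variable of the same name is also set by an included tunable, the parser rejects the redefinition, so either confirm no tunable defines `@{PATH}` or add a comment making the intent explicit, e.g. `# Profile-local search path for the generic rPUx rule below`. Note also that the list includes /usr/local/sbin and /usr/local/bin, which the two `/{usr/,}{s,}bin/[a-z0-9]* rPUx,` rules this variable replaces later in the diff did not cover, so the replacement widens what sudo may execute under rPUx; that extension deserves a sentence in the commit message or the comment. The hunk's last context line has its include target stripped in this rendering, so I cannot tell which abstraction it pulls in.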
@@ -27,10 +29,14 @@ profile sudo @{exec_path} {
 capability sys_ptrace,
 capability sys_resource,
- network netlink raw,
+ network netlink raw, # PAM
+ # DNS query?
+# network inet dgram,
+# network inet6 dgram,
 ptrace (read),
 signal,
+ signal (send) set=(cont,hup) peer=su,
 @{exec_path} mr,
 @{libexec}/sudo/** mr,
@@ -39,8 +45,7 @@ profile sudo @{exec_path} {
 /{usr/,}bin/{,b,d,rb}ash rpux,
 /{usr/,}bin/{c,k,tc,z}sh rpux,
- /{usr/,}bin/[a-z0-9]* rPUx,
- /{usr/,}{s,}bin/[a-z0-9]* rPUx,
+ @{PATH}/[a-z0-9]* rPUx,
 /{usr/,}lib/cockpit/cockpit-askpass rPUx,
 /etc/environment r,
@@ -49,6 +54,7 @@ profile sudo @{exec_path} {
 /etc/sudo.conf r,
 /etc/sudoers r,
 /etc/sudoers.d/{,*} r,
+ /etc/default/locale r,
 /var/log/sudo.log wk,
@@ -58,7 +64,7 @@ profile sudo @{exec_path} {
 owner @{run}/sudo/ts/* rwk,
 @{run}/faillock/{,*} rwk,
- @{PROC}/@{pid}/fd/ r,
+ @{PROC}/@{pids}/fd/ r,
 @{PROC}/@{pids}/stat r,
 @{PROC}/1/limits r,
@@ -66,7 +72,16 @@ profile sudo @{exec_path} {
 owner /dev/tty[0-9]* rw,
 owner @{HOME}/.xsession-errors w,
- /dev/ r,
+ owner /var/lib/sudo/lectured/* rw,
+
+ owner @{HOME}/.sudo_as_admin_successful rw,
+
+ @{run}/systemd/userdb/ r,
+ @{run}/systemd/userdb/io.systemd.DynamicUser rw,
+
+ @{PROC}/sys/kernel/random/boot_id r,
+
+ /dev/ r, # interactive login
 /dev/ptmx rw,
 include if exists
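Review bot: The two commented-out lines `# network inet dgram,` and `# network inet6 dgram,` are left in the sudo profile under a bare `# DNS query?` guess; disabled rules with a question mark tend to be uncommented later without anyone re-checking the denial, so either drop them or replace the guess with what was actually observed, e.g. `# Not granted: no inet access seen yet; re-check the audit log before enabling`. The `network netlink raw, # PAM` annotation on the first changed line is the explanation the su profile in this commit lacks for the same rule, as noted on the su hunk. The profile body continues outside the hunk.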
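Review bot: `@{PROC}/@{pids}/fd/ r,` in the `-58,7 +64,7` hunk has no `owner` qualifier, unlike `owner @{run}/sudo/ts/* rwk,` two lines above, and if `@{pids}` is broader than the replaced `@{pid}` in the project's tunables this now allows listing any process's open file descriptors; combined with the `capability sys_ptrace,` and `ptrace (read),` granted earlier in this profile, that is a real widening rather than a cosmetic rename. If the access behind the change is sudo inspecting its own descriptor table (presumably the case for fd cleanup at startup, but confirm against the denial), `owner @{PROC}/@{pids}/fd/ r,` is sufficient and keeps the rule scoped to sudo's own processes. The `-66,7 +72,16` hunk appears to end at the file's `include if exists` line with its closing brace outside this view, so I have not reviewed it as a whole.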