From 9df0bd07aa8897d8763dad28948fadcf3c17b256 Mon Sep 17 00:00:00 2001 From: nobodysu Date: Sun, 13 Feb 2022 04:32:51 +0300 Subject: [PATCH 1/5] su & sudo: Ubuntu compatibility, Debian polishing --- apparmor.d/profiles-s-z/su | 42 +++++++++++++++++++++++++++++++----- apparmor.d/profiles-s-z/sudo | 22 ++++++++++++------- 2 files changed, 51 insertions(+), 13 deletions(-) diff --git a/apparmor.d/profiles-s-z/su b/apparmor.d/profiles-s-z/su index 825e48f5..2167eccb 100644 --- a/apparmor.d/profiles-s-z/su +++ b/apparmor.d/profiles-s-z/su @@ -18,13 +18,12 @@ profile su @{exec_path} { capability audit_write, capability setgid, capability setuid, + capability dac_read_search, #audit deny capability net_bind_service, - capability sys_resource, - # No clear purpose, deny until needed - deny capability net_admin, signal (send) set=(term,kill), signal (receive) set=(int,quit,term), + signal (receive) set=(cont,hup) peer=sudo, network netlink raw, 
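Review bot: `capability dac_read_search` is granted without a comment naming the access that needed it, and it is one of the broadest things a root process can be given under AppArmor — it bypasses read and directory-search permission checks on every file, not only the one that produced the denial. Since su already runs as root, plain mode bits only refuse it on files it neither owns nor is granted by mode, so the usual alternative is a path rule for that one location rather than the capability; if the capability really is required on Ubuntu, record the reason next to it so it is not silently inherited by later edits: `capability dac_read_search, # <path denied on Ubuntu>`. `sys_resource` and the `net_admin` deny only move elsewhere in the file in this patch, so there is nothing to raise on those. The enclosing `profile su` block starts before this hunk.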
@@ -43,15 +42,48 @@ profile su @{exec_path} { /etc/shells r, @{PROC}/1/limits r, - owner @{PROC}/@{pid}/loginuid r, + @{PROC}/sys/kernel/random/boot_id r, + owner @{PROC}/@{pids}/loginuid r, + owner @{PROC}/@{pids}/cgroup r, + owner @{PROC}/@{pids}/mountinfo r, # For pam_securetty @{PROC}/cmdline r, @{sys}/devices/virtual/tty/console/active r, - + + # Upstreaming + capability sys_resource, + # No clear purpose, deny until needed + deny capability net_admin, + # pseudo-terminal capability chown, + /dev/{,pts/}ptmx rw, + /var/log/btmp wk, + + @{run}/dbus/system_bus_socket rw, + @{run}/systemd/userdb/ r, + @{run}/systemd/userdb/io.systemd.Machine rw, + @{run}/systemd/userdb/io.systemd.DynamicUser rw, + + dbus (send) + bus=system + path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member=Hello + peer=(name=org.freedesktop.DBus), + + dbus (send) + bus=system + path=/org/freedesktop/login[1-9] + interface=org.freedesktop.login[1-9].Manager + member={CreateSession,ReleaseSession}, + + unix (bind) type=dgram, + + owner /dev/tty[0-9]* rw, + include if exists } diff --git a/apparmor.d/profiles-s-z/sudo b/apparmor.d/profiles-s-z/sudo index 2b0cea82..06ca6460 100644 --- a/apparmor.d/profiles-s-z/sudo +++ b/apparmor.d/profiles-s-z/sudo @@ -1,6 +1,5 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2019-2021 Mikhail Morfikov -# Copyright (C) 2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -31,9 +30,9 @@ profile sudo @{exec_path} { ptrace (read), signal, + signal (send) set=(cont,hup) peer=su, @{exec_path} mr, - @{libexec}/sudo/** mr, # Shells to use /{usr/,}bin/{,b,d,rb}ash rpux, @@ -43,12 +42,13 @@ profile sudo @{exec_path} { /{usr/,}{s,}bin/[a-z0-9]* rPUx, /{usr/,}lib/cockpit/cockpit-askpass rPUx, - /etc/environment r, - /etc/machine-id r, - /etc/security/limits.d/{,*} r, /etc/sudo.conf r, + /etc/sudoers r, /etc/sudoers.d/{,*} r, + /etc/environment r, + /etc/security/limits.d/{,*} r, + /etc/default/locale r, /var/log/sudo.log wk, 
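Review bot: The new logind `dbus (send)` rule for `CreateSession`/`ReleaseSession` carries no `peer=(name=…)` constraint, unlike the `Hello` rule directly above it, and its `login[1-9]` glob on both the object path and the interface matches names that do not exist — logind's bus name, path and interface are all the literal `login1`. Pinning the rule to the bus name keeps su from being allowed to call that method on anything else that happens to export the same path: `path=/org/freedesktop/login1`, `interface=org.freedesktop.login1.Manager`, plus `peer=(name=org.freedesktop.login1)` on the rule. `unix (bind) type=dgram,` is likewise unconstrained (any address); if it corresponds to one known socket, a comment naming it would save the next auditor a guess. The `# Upstreaming` label says nothing about what the grouped rules have in common; a sentence on why they are set apart would be clearer. The enclosing `profile su` block starts before this hunk.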
@@ -58,15 +58,21 @@ profile sudo @{exec_path} { owner @{run}/sudo/ts/* rwk, @{run}/faillock/{,*} rwk, - @{PROC}/@{pid}/fd/ r, + @{PROC}/@{pids}/fd/ r, @{PROC}/@{pids}/stat r, - @{PROC}/1/limits r, # File Inherit owner /dev/tty[0-9]* rw, owner @{HOME}/.xsession-errors w, - /dev/ r, + owner @{HOME}/.sudo_as_admin_successful rw, + + @{run}/systemd/userdb/ r, + @{run}/systemd/userdb/io.systemd.DynamicUser rw, + + @{PROC}/sys/kernel/random/boot_id r, + +# /dev/ r, # noise /dev/ptmx rw, include if exists From b5cdd0af44017cae88338540fa9cb095f3b9d5b4 Mon Sep 17 00:00:00 2001 From: nobodysu Date: Sun, 20 Feb 2022 02:21:48 +0300 Subject: [PATCH 2/5] update --- apparmor.d/profiles-s-z/su | 6 +++--- apparmor.d/profiles-s-z/sudo | 23 ++++++++++++++++------- 2 files changed, 19 insertions(+), 10 deletions(-) diff --git a/apparmor.d/profiles-s-z/su b/apparmor.d/profiles-s-z/su index 2167eccb..fa58fac7 100644 --- a/apparmor.d/profiles-s-z/su +++ b/apparmor.d/profiles-s-z/su @@ -77,13 +77,13 @@ profile su @{exec_path} { dbus (send) bus=system - path=/org/freedesktop/login[1-9] - interface=org.freedesktop.login[1-9].Manager + path=/org/freedesktop/login[0-9] + interface=org.freedesktop.login[0-9].Manager member={CreateSession,ReleaseSession}, unix (bind) type=dgram, - owner /dev/tty[0-9]* rw, + /dev/tty[0-9]* rw, include if exists } diff --git a/apparmor.d/profiles-s-z/sudo b/apparmor.d/profiles-s-z/sudo index 06ca6460..f06b6076 100644 --- a/apparmor.d/profiles-s-z/sudo +++ b/apparmor.d/profiles-s-z/sudo @@ -1,11 +1,14 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2019-2021 Mikhail Morfikov +# Copyright (C) 2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , include +@{PATH} = /usr/local/sbin /usr/local/bin /usr/sbin /usr/bin /sbin /bin + @{exec_path} = /{usr/,}bin/sudo profile sudo @{exec_path} { include 
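Review bot: `@{PROC}/@{pid}/fd/ r` becomes `@{PROC}/@{pids}/fd/ r` with no `owner` qualifier, which spells the rule as "descriptor tables of other processes" while still letting sudo list the open fds of any process on the system — and the profile already holds `capability sys_ptrace` and `ptrace (read)`, so that is real cross-process visibility rather than a cosmetic glob change (with upstream AppArmor's kernelvars `@{pid}` and `@{pids}` expand to the same any-pid glob, so the old line was equally wide; `owner` is what narrows it). Presumably the denial behind this was sudo's own descriptor sweep over `/proc/self/fd/`, which the existing rule already covers; if a wider rule really is required, keep it to processes sudo owns: `owner @{PROC}/@{pids}/fd/ r,`. `/dev/ r` is commented out as noise, but the same profile opens `/dev/ptmx` and tty nodes; a one-line comment on what generated the directory read would settle whether it is noise or needed. The enclosing `profile sudo` block starts before this hunk.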
@@ -27,27 +30,30 @@ profile sudo @{exec_path} { capability sys_resource, network netlink raw, + # dns query? +# network inet dgram, +# network inet6 dgram, ptrace (read), signal, signal (send) set=(cont,hup) peer=su, @{exec_path} mr, + @{libexec}/sudo/** mr, # Shells to use /{usr/,}bin/{,b,d,rb}ash rpux, /{usr/,}bin/{c,k,tc,z}sh rpux, - /{usr/,}bin/[a-z0-9]* rPUx, - /{usr/,}{s,}bin/[a-z0-9]* rPUx, + @{PATH}/[a-z0-9]* rPUx, /{usr/,}lib/cockpit/cockpit-askpass rPUx, + /etc/environment r, + /etc/machine-id r, + /etc/security/limits.d/{,*} r, /etc/sudo.conf r, - /etc/sudoers r, /etc/sudoers.d/{,*} r, - /etc/environment r, - /etc/security/limits.d/{,*} r, /etc/default/locale r, /var/log/sudo.log wk, @@ -60,11 +66,14 @@ profile sudo @{exec_path} { @{PROC}/@{pids}/fd/ r, @{PROC}/@{pids}/stat r, + @{PROC}/1/limits r, # File Inherit - owner /dev/tty[0-9]* rw, + owner /dev/tty[0-9]* rw, owner @{HOME}/.xsession-errors w, + /var/lib/sudo/lectured/user rw, + owner @{HOME}/.sudo_as_admin_successful rw, @{run}/systemd/userdb/ r, @@ -72,7 +81,7 @@ profile sudo @{exec_path} { @{PROC}/sys/kernel/random/boot_id r, -# /dev/ r, # noise + /dev/ r, # interactive login /dev/ptmx rw, include if exists From ceb60bde82a9e7c45057b19cf3ef40af07bcfc42 Mon Sep 17 00:00:00 2001 From: nobodysu Date: Sun, 20 Feb 2022 02:29:31 +0300 Subject: [PATCH 3/5] update --- apparmor.d/profiles-s-z/su | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/apparmor.d/profiles-s-z/su b/apparmor.d/profiles-s-z/su index fa58fac7..3e9481e6 100644 --- a/apparmor.d/profiles-s-z/su +++ b/apparmor.d/profiles-s-z/su @@ -19,6 +19,9 @@ profile su @{exec_path} { capability setgid, capability setuid, capability dac_read_search, + capability sys_resource, + # No clear purpose, deny until needed + deny capability net_admin, #audit deny capability net_bind_service, signal (send) set=(term,kill), 
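Review bot: `/etc/sudoers r,` is dropped from this hunk while `/etc/sudoers.d/{,*} r,` stays, yet the sudoers policy plugin (loaded through the re-added `@{libexec}/sudo/** mr`) reads `/etc/sudoers` before it ever looks at the drop-in directory. Unless that path is already granted earlier in the profile outside this hunk, every sudo invocation now produces a denial on the main policy file, so the line should come back: `/etc/sudoers r,`. The two commented-out `network inet dgram` rules under `# dns query?` are a guess left in the profile; if they were prompted by a real denial (likely hostname resolution for sudoers host matching), say so in the comment, otherwise remove them rather than leave dead rules for the next reader. `@{PATH}/[a-z0-9]* rPUx` additionally covers `/usr/local/{s,}bin` via the `@{PATH}` value introduced in this patch's header hunk; the execution mode is unchanged, so it does not widen what runs unconfined. The enclosing `profile sudo` block starts before this hunk.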
@@ -51,11 +54,6 @@ profile su @{exec_path} { @{PROC}/cmdline r, @{sys}/devices/virtual/tty/console/active r, - # Upstreaming - capability sys_resource, - # No clear purpose, deny until needed - deny capability net_admin, - # pseudo-terminal capability chown, From a3a6a0fa1abea34283a9e24c959db419ed445551 Mon Sep 17 00:00:00 2001 From: nobodysu Date: Sun, 20 Feb 2022 02:33:32 +0300 Subject: [PATCH 4/5] update --- apparmor.d/profiles-s-z/sudo | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/profiles-s-z/sudo b/apparmor.d/profiles-s-z/sudo index f06b6076..6cd58bb3 100644 --- a/apparmor.d/profiles-s-z/sudo +++ b/apparmor.d/profiles-s-z/sudo @@ -69,7 +69,7 @@ profile sudo @{exec_path} { @{PROC}/1/limits r, # File Inherit - owner /dev/tty[0-9]* rw, + owner /dev/tty[0-9]* rw, owner @{HOME}/.xsession-errors w, /var/lib/sudo/lectured/user rw, From 53ee5d0c83ec73f57b2d170e89bf62a17bfedb1f Mon Sep 17 00:00:00 2001 From: nobodysu Date: Mon, 21 Feb 2022 21:46:55 +0300 Subject: [PATCH 5/5] update --- apparmor.d/profiles-s-z/su | 5 ++--- apparmor.d/profiles-s-z/sudo | 6 +++--- 2 files changed, 5 insertions(+), 6 deletions(-) diff --git a/apparmor.d/profiles-s-z/su b/apparmor.d/profiles-s-z/su index 3e9481e6..166a3553 100644 --- a/apparmor.d/profiles-s-z/su +++ b/apparmor.d/profiles-s-z/su @@ -26,8 +26,9 @@ profile su @{exec_path} { signal (send) set=(term,kill), signal (receive) set=(int,quit,term), - signal (receive) set=(cont,hup) peer=sudo, + signal (receive) set=(cont,hup) peer=sudo, + # unknown, needs to be cleared up; TODO network netlink raw, @{exec_path} mr, @@ -59,8 +60,6 @@ profile su @{exec_path} { /dev/{,pts/}ptmx rw, - /var/log/btmp wk, - @{run}/dbus/system_bus_socket rw, @{run}/systemd/userdb/ r, @{run}/systemd/userdb/io.systemd.Machine rw, diff --git a/apparmor.d/profiles-s-z/sudo b/apparmor.d/profiles-s-z/sudo index 6cd58bb3..637047c8 100644 --- a/apparmor.d/profiles-s-z/sudo +++ b/apparmor.d/profiles-s-z/sudo 
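Review bot: The new `# unknown, needs to be cleared up; TODO` above `network netlink raw,` documents a rule that the same patch labels `# PAM` in the sudo profile, so the two profiles now explain one rule two different ways. Given that su already holds `capability audit_write` (granted earlier in the profile, outside this hunk), the netlink socket is most plausibly the NETLINK_AUDIT socket libaudit opens when pam_loginuid or the audit helpers record the session — a hypothesis to verify against the audit log before the TODO is closed, not a finding. A comment that states the hypothesis and the check is more useful than `unknown`: `network netlink raw, # likely NETLINK_AUDIT (libaudit / pam_loginuid); confirm before narrowing`. The enclosing `profile su` block starts before and ends after this hunk.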
@@ -29,8 +29,8 @@ profile sudo @{exec_path} { capability sys_ptrace, capability sys_resource, - network netlink raw, - # dns query? + network netlink raw, # PAM + # DNS query? # network inet dgram, # network inet6 dgram, @@ -72,7 +72,7 @@ profile sudo @{exec_path} { owner /dev/tty[0-9]* rw, owner @{HOME}/.xsession-errors w, - /var/lib/sudo/lectured/user rw, + owner /var/lib/sudo/lectured/* rw, owner @{HOME}/.sudo_as_admin_successful rw,