diff --git a/apparmor.d/profiles-s-z/su b/apparmor.d/profiles-s-z/su
index b7ea89fc..114f2f13 100644
--- a/apparmor.d/profiles-s-z/su
+++ b/apparmor.d/profiles-s-z/su
@@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2019-2021 Mikhail Morfikov
+# Copyright (C) 2019-2022 Mikhail Morfikov
+# Copyright (C) 2022 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
 abi ,
@@ -9,6 +10,7 @@ include
 @{exec_path} = /{usr/,}bin/su
 profile su @{exec_path} {
 include
+ include
 include
 include
 include
@@ -17,42 +19,45 @@ profile su @{exec_path} {
 # include
 capability audit_write,
+ capability chown, # pseudo-terminal
+ capability dac_read_search,
 capability setgid,
 capability setuid,
- capability dac_read_search,
 capability sys_resource,
+
 # No clear purpose, deny until needed
- deny capability net_admin,
- #audit deny capability net_bind_service,
+ audit deny capability net_admin,
+ audit deny capability net_bind_service,
 signal (send) set=(term,kill),
 signal (receive) set=(int,quit,term),
 signal (receive) set=(cont,hup) peer=sudo,
- # unknown, needs to be cleared up; TODO
+ unix (bind) type=dgram,
+ network netlink raw,
+ dbus (send) bus=system path=/org/freedesktop/login[0-9]
+ interface=org.freedesktop.login[0-9].Manager
+ member={CreateSession,ReleaseSession},
+
 @{exec_path} mr,
- # Shells to use
- /{usr/,}bin/{,b,d,rb}ash rpux,
- /{usr/,}bin/{c,k,tc,z}sh rpux,
-
- # Fake shells to politely refuse a login
- #/{usr/,}{s,}bin/nologin rpux,
+ /{usr/,}bin/{,b,d,rb}ash rUx,
+ /{usr/,}bin/{c,k,tc,z}sh rUx,
+ /{usr/,}{s,}bin/nologin rPx,
 /etc/default/locale r,
 /etc/environment r,
 /etc/security/limits.d/ r,
 /etc/shells r,
- @{PROC}/1/limits r,
 owner @{PROC}/@{pids}/loginuid r,
 owner @{PROC}/@{pids}/cgroup r,
 owner @{PROC}/@{pids}/mountinfo r,
-
- # For pam_securetty
- @{PROC}/cmdline r,
+ @{PROC}/1/limits r,
+ @{PROC}/cmdline r,
+ @{sys}/devices/virtual/tty/console/active r,
 /dev/{,pts/}ptmx rw,
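Review bot: The new `dbus (send)` rule for CreateSession/ReleaseSession carries no peer restriction, so su may address those calls to any connection on the system bus rather than only logind; pin the destination with `peer=(name=org.freedesktop.login[0-9])` appended to the rule. The `unix (bind) type=dgram,` and `network netlink raw,` lines replace the old "unknown, needs to be cleared up" TODO with no explanation of what needs them; a short comment such as `# PAM (pam_systemd, audit) — confirm from the denials that motivated this` would keep that knowledge in the profile. Dropping `# For pam_securetty` loses the only note on why su reads `@{PROC}/cmdline`; keep it above the two new proc/sys lines, extended to `@{sys}/devices/virtual/tty/console/active` only if that really is the same use. `/{usr/,}{s,}bin/nologin rPx,` hard-fails the exec when no nologin profile is loaded, so confirm one ships alongside this change or keep the `U` fallback the removed rule had. The profile body continues past the end of the hunk.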
diff --git a/apparmor.d/profiles-s-z/sudo b/apparmor.d/profiles-s-z/sudo
index a72ee364..94697309 100644
--- a/apparmor.d/profiles-s-z/sudo
+++ b/apparmor.d/profiles-s-z/sudo
@@ -1,5 +1,5 @@
 # apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2019-2021 Mikhail Morfikov
+# Copyright (C) 2019-2022 Mikhail Morfikov
 # Copyright (C) 2022 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
@@ -7,11 +7,10 @@ abi ,
 include
-@{PATH} = /usr/local/sbin /usr/local/bin /usr/sbin /usr/bin /sbin /bin
-
 @{exec_path} = /{usr/,}bin/sudo
 profile sudo @{exec_path} {
 include
+ include
 include
 include
 include
@@ -30,57 +29,49 @@ profile sudo @{exec_path} {
 capability sys_resource,
 network netlink raw, # PAM
- # DNS query?
-# network inet dgram,
-# network inet6 dgram,
 ptrace (read),
- signal,
+
+ # signal,
 signal (send) set=(cont,hup) peer=su,
 @{exec_path} mr,
- @{libexec}/sudo/** mr,
- # Shells to use
- /{usr/,}bin/{,b,d,rb}ash rpux,
- /{usr/,}bin/{c,k,tc,z}sh rpux,
-
- @{PATH}/[a-z0-9]* rPUx,
- /{usr/,}lib/cockpit/cockpit-askpass rPUx,
- /{usr/,}lib/molly-guard/molly-guard rPx,
+ @{libexec}/sudo/** mr,
+ /{usr/,}bin/{,b,d,rb}ash rUx,
+ /{usr/,}bin/{c,k,tc,z}sh rUx,
+ /{usr/,}lib/cockpit/cockpit-askpass rPx,
+ /{usr/,}lib/molly-guard/molly-guard rPx,
+ /etc/default/locale r,
 /etc/environment r,
 /etc/machine-id r,
 /etc/security/limits.d/{,*} r,
 /etc/sudo.conf r,
 /etc/sudoers r,
 /etc/sudoers.d/{,*} r,
- /etc/default/locale r,
- /var/log/sudo.log wk,
+ /var/log/sudo.log wk,
+ owner /var/lib/sudo/lectured/* rw,
+
+ owner @{HOME}/.sudo_as_admin_successful rw,
+ owner @{HOME}/.xsession-errors w,
 # For timestampdir
 owner @{run}/sudo/ rw,
 owner @{run}/sudo/ts/ rw,
 owner @{run}/sudo/ts/* rwk,
 @{run}/faillock/{,*} rwk,
+ @{run}/resolvconf/resolv.conf r,
 @{PROC}/@{pids}/fd/ r,
 @{PROC}/@{pids}/stat r,
 @{PROC}/1/limits r,
+ @{PROC}/sys/kernel/seccomp/actions_avail r,
- # File Inherit
 owner /dev/tty[0-9]* rw,
- owner @{HOME}/.xsession-errors w,
-
- owner /var/lib/sudo/lectured/* rw,
-
- owner @{HOME}/.sudo_as_admin_successful rw,
-
- @{run}/resolvconf/resolv.conf r,
-
- /dev/ r, # interactive login
- /dev/ptmx rw,
+ /dev/ r, # interactive login
+ /dev/ptmx rw,
 deny @{user_share_dirs}/gvfs-metadata/* r,
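Review bot: Replacing the blanket `signal,` with only `signal (send) set=(cont,hup) peer=su,` leaves no rule for the signals sudo normally relays to the command it runs (SIGINT/SIGTERM/SIGWINCH, and the kill on timeout), and because the shells now exec with `rUx` that child is unconfined, so those sends will be denied unless the include added in the earlier hunk covers them; if it does not, add `signal (send) peer=unconfined,` beside the su rule. Removing `@{PATH}/[a-z0-9]* rPUx,` likewise makes the exec of every non-shell command depend on that stripped include, which is worth naming in a comment next to `@{libexec}/sudo/** mr,` so a reader of this file can see why exec still works. `cockpit-askpass` going from `rPUx` to `rPx` hard-fails when no cockpit-askpass profile is loaded; confirm one exists or keep the `U` fallback. The `# File Inherit` comment over `owner /dev/tty[0-9]* rw,` is dropped while the rule stays, so the reason for it is lost; keep the comment. The profile body continues past the end of the hunk.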