From 9493e783ce2d5b4b5cd75e56aaadab6d12a89330 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol <alexandre@pujol.io>
Date: Sun, 12 Jun 2022 22:19:13 +0100
Subject: [PATCH] feat(profiles): rethink the su & sudo profiles.

---
 apparmor.d/profiles-s-z/su   | 35 +++++++++++++++------------
 apparmor.d/profiles-s-z/sudo | 47 +++++++++++++++---------------------
 2 files changed, 39 insertions(+), 43 deletions(-)

diff --git a/apparmor.d/profiles-s-z/su b/apparmor.d/profiles-s-z/su
index b7ea89fc..114f2f13 100644
--- a/apparmor.d/profiles-s-z/su
+++ b/apparmor.d/profiles-s-z/su
@@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2019-2021 Mikhail Morfikov
+# Copyright (C) 2019-2022 Mikhail Morfikov
+# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 
 abi <abi/3.0>,
@@ -9,6 +10,7 @@ include <tunables/global>
 @{exec_path} = /{usr/,}bin/su
 profile su @{exec_path} {
   include <abstractions/base>
+  include <abstractions/app-launcher-root>
   include <abstractions/authentication>
   include <abstractions/consoles>
   include <abstractions/dbus-strict>
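Review bot: The new `include <abstractions/app-launcher-root>` extends what su may execute, but the abstraction's rules are not part of this diff and nothing in the profile records why su needs it; the same include is added to sudo in the hunk at `@@ -7,11 +7,10 @@`. A one-line rationale next to the include, for example `include <abstractions/app-launcher-root>  # programs su may launch as root; see the abstraction for the exact transitions`, lets a reader audit the profile's exec surface without opening the abstraction. Since the later su hunk also switches the shells to `rUx`, the effective set of unconfined transitions now comes from this include plus those rules, which is worth stating once near the top of the profile.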
@@ -17,42 +19,45 @@ profile su @{exec_path} {
 # include <pam/mappings>
 
   capability audit_write,
+  capability chown,  # pseudo-terminal
+  capability dac_read_search,
   capability setgid,
   capability setuid,
-  capability dac_read_search,
   capability sys_resource,
+
   # No clear purpose, deny until needed
-  deny capability net_admin,
-  #audit deny capability net_bind_service,
+  audit deny capability net_admin,
+  audit deny capability net_bind_service,
 
   signal (send)    set=(term,kill),
   signal (receive) set=(int,quit,term),
   signal (receive) set=(cont,hup)       peer=sudo,
 
-  # unknown, needs to be cleared up; TODO
+  unix (bind) type=dgram,
+
   network netlink raw,
 
+  dbus (send) bus=system path=/org/freedesktop/login[0-9]
+    interface=org.freedesktop.login[0-9].Manager
+    member={CreateSession,ReleaseSession},
+
   @{exec_path} mr,
 
-  # Shells to use
-  /{usr/,}bin/{,b,d,rb}ash rpux,
-  /{usr/,}bin/{c,k,tc,z}sh rpux,
-
-  # Fake shells to politely refuse a login
-  #/{usr/,}{s,}bin/nologin rpux,
+  /{usr/,}bin/{,b,d,rb}ash  rUx,
+  /{usr/,}bin/{c,k,tc,z}sh  rUx,
+  /{usr/,}{s,}bin/nologin   rPx,
 
   /etc/default/locale r,
   /etc/environment r,
   /etc/security/limits.d/ r,
   /etc/shells r,
 
-        @{PROC}/1/limits r,
   owner @{PROC}/@{pids}/loginuid r,
   owner @{PROC}/@{pids}/cgroup r,
   owner @{PROC}/@{pids}/mountinfo r,
-
-  # For pam_securetty
-  @{PROC}/cmdline r,
+        @{PROC}/1/limits r,
+        @{PROC}/cmdline r,
+  
   @{sys}/devices/virtual/tty/console/active r,
 
   /dev/{,pts/}ptmx rw,
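Review bot: The rationale comment `# For pam_securetty` is dropped while `@{PROC}/cmdline r` is kept and merely re-indented, so the profile no longer says why su reads the kernel command line; restoring it as `@{PROC}/cmdline r,  # pam_securetty` keeps the rule auditable. The `nologin` rule now uses `rPx`, which only succeeds when a profile for nologin is loaded — if this profile set does not ship one, the exec is denied instead of running nologin, so either confirm the profile exists or document that the denial is the intended refusal path. `unix (bind) type=dgram,` replaces the old TODO without saying which component needs the socket; a short comment naming it, once confirmed, would keep the next reviewer from reintroducing the TODO. The line `+  ` after the `/proc` rules carries only trailing whitespace. The `profile su` block closes outside the hunk.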
diff --git a/apparmor.d/profiles-s-z/sudo b/apparmor.d/profiles-s-z/sudo
index a72ee364..94697309 100644
--- a/apparmor.d/profiles-s-z/sudo
+++ b/apparmor.d/profiles-s-z/sudo
@@ -1,5 +1,5 @@
 # apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2019-2021 Mikhail Morfikov
+# Copyright (C) 2019-2022 Mikhail Morfikov
 # Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 
@@ -7,11 +7,10 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{PATH} = /usr/local/sbin /usr/local/bin /usr/sbin /usr/bin /sbin /bin
-
 @{exec_path} = /{usr/,}bin/sudo
 profile sudo @{exec_path} {
   include <abstractions/base>
+  include <abstractions/app-launcher-root>
   include <abstractions/authentication>
   include <abstractions/consoles>
   include <abstractions/nameservice-strict>
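Review bot: Removing the `@{PATH}` definition is only consistent because the later sudo hunk (`@@ -30,57 +29,49 @@`) also drops its single visible user, `@{PATH}/[a-z0-9]* rPUx`; any other reference to `@{PATH}` outside this diff would now fail to parse unless a tunable defines it, so the removal should be checked against the rest of the profile. With that catch-all gone, the commands sudo may run are presumably supplied by the new `include <abstractions/app-launcher-root>`, whose rules are not in the diff; a comment such as `include <abstractions/app-launcher-root>  # replaces the former @{PATH}/[a-z0-9]* rPUx catch-all` records that dependency for the next audit. The `profile sudo` block continues past this hunk.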
@@ -30,57 +29,49 @@ profile sudo @{exec_path} {
   capability sys_resource,
 
   network netlink raw,   # PAM
-  # DNS query?
-#  network inet dgram,
-#  network inet6 dgram,
 
   ptrace (read),
-  signal,
+
+  # signal,
   signal (send) set=(cont,hup) peer=su,
 
   @{exec_path} mr,
-  @{libexec}/sudo/** mr,
 
-  # Shells to use
-  /{usr/,}bin/{,b,d,rb}ash rpux,
-  /{usr/,}bin/{c,k,tc,z}sh rpux,
-
-  @{PATH}/[a-z0-9]*                   rPUx,
-  /{usr/,}lib/cockpit/cockpit-askpass rPUx,
-  /{usr/,}lib/molly-guard/molly-guard rPx,
+  @{libexec}/sudo/**                   mr,
+  /{usr/,}bin/{,b,d,rb}ash             rUx,
+  /{usr/,}bin/{c,k,tc,z}sh             rUx,
+  /{usr/,}lib/cockpit/cockpit-askpass  rPx,
+  /{usr/,}lib/molly-guard/molly-guard  rPx,
 
+  /etc/default/locale r,
   /etc/environment r,
   /etc/machine-id r,
   /etc/security/limits.d/{,*} r,
   /etc/sudo.conf r,
   /etc/sudoers r,
   /etc/sudoers.d/{,*} r,
-  /etc/default/locale r,
 
-  /var/log/sudo.log wk,
+        /var/log/sudo.log wk,
+  owner /var/lib/sudo/lectured/* rw,
+
+  owner @{HOME}/.sudo_as_admin_successful rw,
+  owner @{HOME}/.xsession-errors w,
 
   # For timestampdir
   owner @{run}/sudo/ rw,
   owner @{run}/sudo/ts/ rw,
   owner @{run}/sudo/ts/* rwk,
         @{run}/faillock/{,*} rwk,
+        @{run}/resolvconf/resolv.conf r,
 
   @{PROC}/@{pids}/fd/ r,
   @{PROC}/@{pids}/stat r,
   @{PROC}/1/limits r,
+  @{PROC}/sys/kernel/seccomp/actions_avail r,
 
-  # File Inherit
   owner /dev/tty[0-9]* rw,
-  owner @{HOME}/.xsession-errors w,
-
-  owner /var/lib/sudo/lectured/* rw,
-
-  owner @{HOME}/.sudo_as_admin_successful rw,
-
-  @{run}/resolvconf/resolv.conf r,
-
-  /dev/ r,    # interactive login
-  /dev/ptmx rw,
+        /dev/ r,    # interactive login
+        /dev/ptmx rw,
 
   deny @{user_share_dirs}/gvfs-metadata/* r,