feat(profiles): rethink the su & sudo profiles.

2025-02-06 18:25:05 +01:00 · 2022-06-12 22:19:13 +01:00 · 2022-06-12 22:19:13 +01:00 · 9493e783ce
commit 9493e783ce
parent 0896343bbc
2 changed files with 39 additions and 43 deletions
--- a/apparmor.d/profiles-s-z/su
+++ b/apparmor.d/profiles-s-z/su
@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2019-2021 Mikhail Morfikov
+# Copyright (C) 2019-2022 Mikhail Morfikov
 # Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 abi <abi/3.0>,
@ -9,6 +10,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/su
 profile su @{exec_path} {
  include <abstractions/base>
  include <abstractions/app-launcher-root>
  include <abstractions/authentication>
  include <abstractions/consoles>
  include <abstractions/dbus-strict>
@ -17,42 +19,45 @@ profile su @{exec_path} {
 # include <pam/mappings>
  capability audit_write,
  capability chown,  # pseudo-terminal
  capability dac_read_search,
  capability setgid,
  capability setuid,
  capability dac_read_search,
  capability sys_resource,
  # No clear purpose, deny until needed
-  deny capability net_admin,
+  audit deny capability net_admin,
-  #audit deny capability net_bind_service,
+  audit deny capability net_bind_service,
  signal (send)    set=(term,kill),
  signal (receive) set=(int,quit,term),
  signal (receive) set=(cont,hup)       peer=sudo,
-  # unknown, needs to be cleared up; TODO
+  unix (bind) type=dgram,
  network netlink raw,
  dbus (send) bus=system path=/org/freedesktop/login[0-9]
    interface=org.freedesktop.login[0-9].Manager
    member={CreateSession,ReleaseSession},
  @{exec_path} mr,
-  # Shells to use
+  /{usr/,}bin/{,b,d,rb}ash  rUx,
-  /{usr/,}bin/{,b,d,rb}ash rpux,
+  /{usr/,}bin/{c,k,tc,z}sh  rUx,
-  /{usr/,}bin/{c,k,tc,z}sh rpux,
+  /{usr/,}{s,}bin/nologin   rPx,
  # Fake shells to politely refuse a login
  #/{usr/,}{s,}bin/nologin rpux,
  /etc/default/locale r,
  /etc/environment r,
  /etc/security/limits.d/ r,
  /etc/shells r,
        @{PROC}/1/limits r,
  owner @{PROC}/@{pids}/loginuid r,
  owner @{PROC}/@{pids}/cgroup r,
  owner @{PROC}/@{pids}/mountinfo r,
-
+        @{PROC}/1/limits r,
  # For pam_securetty
        @{PROC}/cmdline r,
  @{sys}/devices/virtual/tty/console/active r,
  /dev/{,pts/}ptmx rw,
--- a/apparmor.d/profiles-s-z/sudo
+++ b/apparmor.d/profiles-s-z/sudo
@ -1,5 +1,5 @@
 # apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2019-2021 Mikhail Morfikov
+# Copyright (C) 2019-2022 Mikhail Morfikov
 # Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
@ -7,11 +7,10 @@ abi <abi/3.0>,
 include <tunables/global>
@{PATH} = /usr/local/sbin /usr/local/bin /usr/sbin /usr/bin /sbin /bin
@{exec_path} = /{usr/,}bin/sudo
 profile sudo @{exec_path} {
  include <abstractions/base>
  include <abstractions/app-launcher-root>
  include <abstractions/authentication>
  include <abstractions/consoles>
  include <abstractions/nameservice-strict>
@ -30,55 +29,47 @@ profile sudo @{exec_path} {
  capability sys_resource,
  network netlink raw,   # PAM
  # DNS query?
 #  network inet dgram,
 #  network inet6 dgram,
  ptrace (read),
-  signal,
+
  # signal,
  signal (send) set=(cont,hup) peer=su,
  @{exec_path} mr,
  @{libexec}/sudo/**                   mr,
-
+  /{usr/,}bin/{,b,d,rb}ash             rUx,
-  # Shells to use
+  /{usr/,}bin/{c,k,tc,z}sh             rUx,
-  /{usr/,}bin/{,b,d,rb}ash rpux,
+  /{usr/,}lib/cockpit/cockpit-askpass  rPx,
  /{usr/,}bin/{c,k,tc,z}sh rpux,
  @{PATH}/[a-z0-9]*                   rPUx,
  /{usr/,}lib/cockpit/cockpit-askpass rPUx,
  /{usr/,}lib/molly-guard/molly-guard  rPx,
  /etc/default/locale r,
  /etc/environment r,
  /etc/machine-id r,
  /etc/security/limits.d/{,*} r,
  /etc/sudo.conf r,
  /etc/sudoers r,
  /etc/sudoers.d/{,*} r,
  /etc/default/locale r,
        /var/log/sudo.log wk,
  owner /var/lib/sudo/lectured/* rw,
  owner @{HOME}/.sudo_as_admin_successful rw,
  owner @{HOME}/.xsession-errors w,
  # For timestampdir
  owner @{run}/sudo/ rw,
  owner @{run}/sudo/ts/ rw,
  owner @{run}/sudo/ts/* rwk,
        @{run}/faillock/{,*} rwk,
        @{run}/resolvconf/resolv.conf r,
  @{PROC}/@{pids}/fd/ r,
  @{PROC}/@{pids}/stat r,
  @{PROC}/1/limits r,
  @{PROC}/sys/kernel/seccomp/actions_avail r,
  # File Inherit
  owner /dev/tty[0-9]* rw,
  owner @{HOME}/.xsession-errors w,
  owner /var/lib/sudo/lectured/* rw,
  owner @{HOME}/.sudo_as_admin_successful rw,
  @{run}/resolvconf/resolv.conf r,
        /dev/ r,    # interactive login
        /dev/ptmx rw,