diff --git a/apparmor.d/profiles-s-z/su b/apparmor.d/profiles-s-z/su index 825e48f5..2167eccb 100644 --- a/apparmor.d/profiles-s-z/su +++ b/apparmor.d/profiles-s-z/su @@ -18,13 +18,12 @@ profile su @{exec_path} { capability audit_write, capability setgid, capability setuid, + capability dac_read_search, #audit deny capability net_bind_service, - capability sys_resource, - # No clear purpose, deny until needed - deny capability net_admin, signal (send) set=(term,kill), signal (receive) set=(int,quit,term), + signal (receive) set=(cont,hup) peer=sudo, network netlink raw, @@ -43,15 +42,48 @@ profile su @{exec_path} { /etc/shells r, @{PROC}/1/limits r, - owner @{PROC}/@{pid}/loginuid r, + @{PROC}/sys/kernel/random/boot_id r, + owner @{PROC}/@{pids}/loginuid r, + owner @{PROC}/@{pids}/cgroup r, + owner @{PROC}/@{pids}/mountinfo r, # For pam_securetty @{PROC}/cmdline r, @{sys}/devices/virtual/tty/console/active r, - + + # Upstreaming + capability sys_resource, + # No clear purpose, deny until needed + deny capability net_admin, + # pseudo-terminal capability chown, + /dev/{,pts/}ptmx rw, + /var/log/btmp wk, + + @{run}/dbus/system_bus_socket rw, + @{run}/systemd/userdb/ r, + @{run}/systemd/userdb/io.systemd.Machine rw, + @{run}/systemd/userdb/io.systemd.DynamicUser rw, + + dbus (send) + bus=system + path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member=Hello + peer=(name=org.freedesktop.DBus), + + dbus (send) + bus=system + path=/org/freedesktop/login[1-9] + interface=org.freedesktop.login[1-9].Manager + member={CreateSession,ReleaseSession}, + + unix (bind) type=dgram, + + owner /dev/tty[0-9]* rw, + include if exists } diff --git a/apparmor.d/profiles-s-z/sudo b/apparmor.d/profiles-s-z/sudo index 2b0cea82..06ca6460 100644 --- a/apparmor.d/profiles-s-z/sudo +++ b/apparmor.d/profiles-s-z/sudo 
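Review bot: The new `capability dac_read_search,` line arrives without any comment saying which access triggered it, while the neighbouring `deny capability net_admin` carries a rationale and the `#audit deny capability net_bind_service` line records its history. CAP_DAC_READ_SEARCH lets su bypass DAC read and directory-search checks on every path this profile otherwise permits, so a one-line justification is worth having before it is accepted into the base rule set. Something like `capability dac_read_search, # TODO(review): name the denial this fixes (e.g. a pam module reading a root-only file)` keeps the grant auditable. The `capability sys_resource` and `deny capability net_admin` lines removed here reappear under `# Upstreaming` in the next hunk, so that part is a move rather than a drop.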
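Review bot: The second `dbus (send)` rule, for `path=/org/freedesktop/login[1-9]` and `member={CreateSession,ReleaseSession}`, has no `peer=` constraint, unlike the `Hello` rule directly above it which pins `peer=(name=org.freedesktop.DBus)`; as written it lets su send those calls to any bus name exposing that path and interface, not only logind. Adding `peer=(name=org.freedesktop.login[1-9]),` (following the glob the hunk already uses for the path) closes that gap and keeps the two rules consistent. In the same block, `unix (bind) type=dgram,` is also unqualified (no `addr=`) and has no comment on which caller needs it, so the same "which denial is this for" note would help there too. The `profile su` block continues past the end of the hunk (the closing brace is outside it).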
@@ -1,6 +1,5 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2019-2021 Mikhail Morfikov -# Copyright (C) 2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -31,9 +30,9 @@ profile sudo @{exec_path} { ptrace (read), signal, + signal (send) set=(cont,hup) peer=su, @{exec_path} mr, - @{libexec}/sudo/** mr, # Shells to use /{usr/,}bin/{,b,d,rb}ash rpux, @@ -43,12 +42,13 @@ profile sudo @{exec_path} { /{usr/,}{s,}bin/[a-z0-9]* rPUx, /{usr/,}lib/cockpit/cockpit-askpass rPUx, - /etc/environment r, - /etc/machine-id r, - /etc/security/limits.d/{,*} r, /etc/sudo.conf r, + /etc/sudoers r, /etc/sudoers.d/{,*} r, + /etc/environment r, + /etc/security/limits.d/{,*} r, + /etc/default/locale r, /var/log/sudo.log wk, @@ -58,15 +58,21 @@ profile sudo @{exec_path} { owner @{run}/sudo/ts/* rwk, @{run}/faillock/{,*} rwk, - @{PROC}/@{pid}/fd/ r, + @{PROC}/@{pids}/fd/ r, @{PROC}/@{pids}/stat r, - @{PROC}/1/limits r, # File Inherit owner /dev/tty[0-9]* rw, owner @{HOME}/.xsession-errors w, - /dev/ r, + owner @{HOME}/.sudo_as_admin_successful rw, + + @{run}/systemd/userdb/ r, + @{run}/systemd/userdb/io.systemd.DynamicUser rw, + + @{PROC}/sys/kernel/random/boot_id r, + +# /dev/ r, # noise /dev/ptmx rw, include if exists
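Review bot: Removing `@{libexec}/sudo/** mr,` drops the rule covering sudo's plugin directory, which on most distributions holds `sudoers.so` (and `sudo_noexec.so`) that sudo dlopens on every run and therefore needs `mr` on. Unless a rule outside this hunk still covers that path, this becomes an mmap denial at startup rather than a tightening. If the aim is to narrow the glob, replace it with the explicit plugin names, e.g. `@{libexec}/sudo/{sudoers,sudo_noexec}.so mr,`, rather than deleting it. The enclosing `profile sudo` block starts before this hunk.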
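Review bot: `@{PROC}/@{pids}/fd/ r,` replaces the previous `@{pid}`-scoped rule with one that carries neither a pid restriction nor an `owner` qualifier, so it now permits listing the descriptor directory of other processes rather than just sudo's own. sudo reads its own `fd/` to close inherited descriptors before exec; if that is the only use, `owner @{PROC}/@{pids}/fd/ r,` at least limits the rule to entries owned by the same uid, matching how the `loginuid`/`cgroup`/`mountinfo` rules in the su profile are written. Separately, turning `/dev/ r,` into the comment `# /dev/ r, # noise` leaves the access denied but still logged on every invocation; an explicit `deny /dev/ r, # noise` is what actually silences it, which appears to be the intent. The profile's closing brace lies outside the hunk.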