From b8c052201b1bbbe3c27e4cfbb0dafba6e672fb74 Mon Sep 17 00:00:00 2001
From: Grimmauld
Date: Thu, 17 Oct 2024 22:33:54 +0200
Subject: [PATCH] YubiKey support for sudo

- the yubikey is a u2f usb device, so usb abstraction is required
- the authentication with yubikey against sudo happens as challenge response, which is why rw on the challenge file is required
- the elevator first checks whether a .yubico folder exists, which is why reading the folder (but not the files within) is required
---
 apparmor.d/abstractions/app/sudo | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/apparmor.d/abstractions/app/sudo b/apparmor.d/abstractions/app/sudo
index 53bb50f3..b83c2d16 100644
--- a/apparmor.d/abstractions/app/sudo
+++ b/apparmor.d/abstractions/app/sudo
@@ -12,6 +12,7 @@
   include
   include
   include
+  include
 
   capability audit_write,
   capability dac_override,
@@ -51,6 +52,10 @@
 
   owner @{HOME}/.sudo_as_admin_successful rw,
 
+  # yubikey support
+  owner @{HOME}/.yubico/challenge-* rw,
+  @{HOME}/.yubico/ r,
+
   @{run}/faillock/ rw,
   @{run}/faillock/@{user} rwk,
   owner @{run}/sudo/ rw,
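Review bot: In the second hunk `@{HOME}/.yubico/ r,` lacks the `owner` qualifier that the neighbouring `owner @{HOME}/.yubico/challenge-* rw,` rule carries, and nothing in the hunk records whether that difference is deliberate. If the directory existence check the commit message describes runs with root credentials before the PAM module drops to the invoking user, `owner` would not match and the wider rule is needed; if it runs as the user, `owner` would be the tighter, least-privilege choice. A one-line comment above the rule, such as `# directory check happens before privileges are dropped, so no owner qualifier`, would keep the next reader from tightening it blindly or from wondering why the challenge file is owner-scoped while the directory is not. The include added in the first hunk is missing its target text in this rendering, so I cannot confirm it is the usb abstraction the description refers to.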