YubiKey support for sudo

- the yubikey is a u2f usb device, so usb abstraction is required
- the authentication with yubikey against sudo happens as challenge response, which is why rw on the challenge file is required
- the elevator first checks whether a .yubico folder exists, which is why reading the folder (but not the files within) is required
Grimmauld 2024-10-17 22:33:54 +02:00 committed by Alex
parent d406596124
commit b8c052201b


@ -12,6 +12,7 @@
include <abstractions/consoles>
include <abstractions/nameservice-strict>
include <abstractions/wutmp>
include <abstractions/devices-usb>
capability audit_write,
capability dac_override,
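Review bot: the new `include <abstractions/devices-usb>` carries no comment explaining why a sudo profile now needs USB access, while the second hunk labels its additions with `# yubikey support`; add the same comment above the include so the reason survives outside the commit message. The abstraction also covers USB devices generally, not only the single U2F token the message describes, so it is worth confirming that a narrower rule for the token's device node would not satisfy the challenge-response path before granting the whole abstraction to a setuid-root program.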
@ -51,6 +52,10 @@
owner @{HOME}/.sudo_as_admin_successful rw,
# yubikey support
owner @{HOME}/.yubico/challenge-* rw,
@{HOME}/.yubico/ r,
@{run}/faillock/ rw,
@{run}/faillock/@{user} rwk,
owner @{run}/sudo/ rw,
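Review bot: the two new rules are inconsistent in their use of `owner`: `owner @{HOME}/.yubico/challenge-* rw,` is owner-qualified, but `@{HOME}/.yubico/ r,` is not, so the directory read applies to any user's `.yubico` folder under the resolved `@{HOME}`. Unless testing showed that the folder existence check runs under a different fsuid than the challenge file access, qualify the directory rule with `owner` as well, or add a comment stating why it must stay unqualified, matching the surrounding `owner @{HOME}/.sudo_as_admin_successful rw,` and `owner @{run}/sudo/ rw,` rules.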