From c33cd740c93d0364531971e97921a3be2e5885dd Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Wed, 13 Mar 2024 16:17:20 +0000
Subject: [PATCH] feat(profile): start using the sudo abstraction.
---
 apparmor.d/profiles-m-r/rustdesk | 29 ++--------------------
 apparmor.d/profiles-s-z/su | 42 +-------------------------------
 apparmor.d/profiles-s-z/sudo | 41 +++----------------------------
 3 files changed, 6 insertions(+), 106 deletions(-)
diff --git a/apparmor.d/profiles-m-r/rustdesk b/apparmor.d/profiles-m-r/rustdesk
index 12edc295..8be7412f 100644
--- a/apparmor.d/profiles-m-r/rustdesk
+++ b/apparmor.d/profiles-m-r/rustdesk
@@ -59,39 +59,14 @@ profile rustdesk @{exec_path} {
   profile sudo {
     include
-    include
-    include
     include
-    include
-
-    capability sys_resource,
-    capability setuid,
-    capability setgid,
-    capability audit_write,
-
-    network netlink raw,
+    include
     @{bin}/sudo rm,
+    @{bin}/rustdesk rPx,
     @{bin}/python3.@{int} rPx -> rustdesk_python,
-    /etc/sudo.conf r,
-    /etc/sudoers r,
-    /etc/pam.d/* r,
-    /etc/login.defs r,
-    /etc/shadow r,
-    /etc/security/capability.conf r,
-    /etc/security/limits.conf r,
-    /etc/security/limits.d/{,*} r,
-    /etc/security/pam_env.conf r,
-    /etc/sudoers.d/{,*} r,
-    /etc/environment r,
-    /etc/default/locale r,
-
-    @{PROC}/1/limits r,
-    owner @{PROC}/@{pid}/stat r,
-    owner @{PROC}/@{pid}/fd/ r,
-
     include if exists
   }
diff --git a/apparmor.d/profiles-s-z/su b/apparmor.d/profiles-s-z/su
index 6c5e34ff..ed8049f7 100644
--- a/apparmor.d/profiles-s-z/su
+++ b/apparmor.d/profiles-s-z/su
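Review bot: The added `@{bin}/rustdesk rPx,` inside the `sudo` child profile sends the privileged re-exec back into the top-level `rustdesk` profile, so that profile now has to be correct for a root-running instance as well as the user one, and nothing in the hunk records why rustdesk re-executes itself through sudo. A one-line comment above the rule, such as `# rustdesk re-execs itself as root through sudo; the same profile covers both instances`, would keep a later reviewer from tightening the rule away. The rules dropped here (`/etc/shadow r,`, `capability setuid,`/`setgid`, `owner @{PROC}/@{pid}/fd/ r,`) are only safe to drop if the added include, whose abstraction name is stripped in this extract, carries equivalents; the `@{pid}` rules use a different variable than the `@{pids}` forms removed from su and sudo, so check the abstraction spells them the way this child needs. The enclosing `profile rustdesk` block starts before this hunk.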
@@ -11,23 +11,10 @@ include
 profile su @{exec_path} {
   include
   include
-  include
-  include
-  include
-  include
-  include
-# include
+  include
-  capability audit_write,
   capability chown, # pseudo-terminal
   capability dac_read_search,
-  capability setgid,
-  capability setuid,
-  capability sys_resource,
-
-  # No clear purpose, deny until needed
-  audit deny capability net_admin,
-  audit deny capability net_bind_service,
   signal (send) set=(term,kill),
   signal (receive) set=(int,quit,term),
@@ -35,37 +22,10 @@ profile su @{exec_path} {
   unix (bind) type=dgram,
-  network netlink raw,
-
-  dbus send bus=system path=/org/freedesktop/login1
-       interface=org.freedesktop.logi1.Manager
-       member={CreateSession,ReleaseSession}
-       peer=(name=org.freedesktop.login1, label=systemd-logind),
-
   @{exec_path} mr,
   @{bin}/@{shells} rUx,
-  @{bin}/nologin rPx,
-  @{etc_ro}/default/su r,
-  @{etc_ro}/environment r,
-  @{etc_ro}/security/limits.d/{,*.conf} r,
-  /etc/default/locale r,
-  /etc/shells r,
-
-  owner @{HOME}/.xauth@{rand6} rw,
-
-  owner @{PROC}/@{pids}/loginuid r,
-  owner @{PROC}/@{pids}/cgroup r,
-  owner @{PROC}/@{pids}/mountinfo r,
-  @{PROC}/1/limits r,
-  @{PROC}/cmdline r,
-
-  @{sys}/devices/virtual/tty/console/active r,
-
-  /dev/{,pts/}ptmx rw,
-  /dev/tty@{int} rw,
-
   include if exists
 }
diff --git a/apparmor.d/profiles-s-z/sudo b/apparmor.d/profiles-s-z/sudo
index 6d712b7b..6c333ad7 100644
--- a/apparmor.d/profiles-s-z/sudo
+++ b/apparmor.d/profiles-s-z/sudo
@@ -8,27 +8,16 @@ abi ,
 include
 @{exec_path} = @{bin}/sudo
-#@{bin}/su
-profile sudo @{exec_path} {
+profile sudo @{exec_path} flags=(attach_disconnected) {
   include
   include
-  include
-  include
-  include
-  include
-  include
-# include
+  include
-  capability audit_write,
   capability chown,
   capability dac_override,
   capability dac_read_search,
   capability mknod,
-  capability net_admin,
-  capability setgid,
-  capability setuid,
   capability sys_ptrace,
-  capability sys_resource,
   network inet dgram,
   network inet6 dgram,
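Review bot: Removing the `audit deny capability net_admin,` / `audit deny capability net_bind_service,` pair together with its `# No clear purpose, deny until needed` comment changes two things at once: if the added include (its abstraction name is stripped in this extract) grants either capability, su silently gains it, and if it does not, the denial is no longer audited. Unless the abstraction is meant to grant them, keep the two `audit deny` lines and their comment in the su profile so the intent stays explicit and visible in the log. The same consideration applies to the `deny @{user_share_dirs}/gvfs-metadata/* r,` line dropped in the last sudo hunk. The `profile su` block continues past this hunk.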
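Review bot: Several rules removed in this hunk are su-specific rather than shared with sudo — `@{bin}/nologin rPx,`, `@{etc_ro}/default/su r,`, `/etc/shells r,` and the logind `CreateSession`/`ReleaseSession` dbus rule — and a shared sudo abstraction is an odd home for them. Unless the abstraction really carries them, a target user whose login shell is nologin is now denied at exec unless `@{shells}` happens to match it, because the only exec rule left is `@{bin}/@{shells} rUx,`. Suggest keeping `@{bin}/nologin rPx,`, `@{etc_ro}/default/su r,` and `/etc/shells r,` in this profile and letting the abstraction own only what both tools need. The `profile su` block starts before this hunk.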
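Review bot: `flags=(attach_disconnected)` on the new `profile sudo` line is a confinement relaxation (paths with no attachment to the namespace root are matched as if they were attached), and nothing else in this hunk says which access needs it. Record the reason next to the flag, e.g. `# attach_disconnected: <reason placeholder — the disconnected path sudo hits>`, so the flag can be removed when that need goes away; undocumented flags of this kind tend to become permanent. The dropped `capability audit_write,`, `setgid`, `setuid`, `sys_resource` and `net_admin` lines are presumably provided by the added include, whose name is not visible here; `net_admin` was granted explicitly before, so verify the abstraction intends it for every profile that includes it and not just sudo. The `profile sudo` block continues past this hunk.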
@@ -37,7 +26,7 @@ profile sudo @{exec_path} {
   ptrace (read),
   signal (send,receive) peer=cockpit-bridge,
-  signal (send) peer=unconfined,
+  signal (send) peer=@{systemd},
   signal (send) set=(cont,hup) peer=su,
   signal (send) set=(winch),
@@ -51,21 +40,12 @@ profile sudo @{exec_path} {
         member={JobRemoved,StartTransientUnit},
   @{exec_path} mr,
-  @{lib}/sudo/** mr,
   @{bin}/@{shells} rUx,
   @{lib}/** rPUx,
   /opt/*/** rPUx,
   /snap/snapd/@{int}@{bin}/snap rPUx,
-  @{etc_ro}/environment r,
-  @{etc_ro}/security/limits.d/{,*} r,
-  /etc/default/locale r,
-  /etc/machine-id r,
-  /etc/sudo.conf r,
-  /etc/sudoers r,
-  /etc/sudoers.d/{,*} r,
-  /var/db/sudo/lectured/ r,
   /var/lib/extrausers/shadow r,
   /var/lib/sudo/lectured/ r,
@@ -76,7 +56,6 @@ profile sudo @{exec_path} {
   owner /var/lib/sudo/lectured/* rw,
   owner @{HOME}/.sudo_as_admin_successful rw,
-  owner @{HOME}/.xsession-errors w,
   @{run}/ r,
   @{run}/faillock/{,*} rwk,
@@ -85,19 +64,5 @@ profile sudo @{exec_path} {
   owner @{run}/sudo/ts/ rw,
   owner @{run}/sudo/ts/* rwk,
-  @{PROC}/@{pids}/cgroup r,
-  @{PROC}/@{pids}/fd/ r,
-  @{PROC}/@{pids}/loginuid r,
-  @{PROC}/@{pids}/stat r,
-  @{PROC}/1/limits r,
-  @{PROC}/sys/kernel/seccomp/actions_avail r,
-
-  /dev/ r, # interactive login
-  /dev/ptmx rwk,
-  owner /dev/tty rwk,
-  owner /dev/tty@{int} rw,
-
-  deny @{user_share_dirs}/gvfs-metadata/* r,
-
   include if exists
 }
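Review bot: Replacing `signal (send) peer=unconfined,` with `signal (send) peer=@{systemd},` narrows the peer from any unconfined process to whatever `@{systemd}` expands to (defined outside this hunk, presumably in the tunables), which is the right direction but also drops signals to every other unconfined peer — for example a SIGCONT or SIGHUP to an unconfined parent shell or terminal, since the unqualified `signal (send) set=(winch),` two lines below covers only winch and the `peer=su` rule only su. Worth a comment, `# @{systemd}: sudo signals its transient-unit peer; other unconfined peers are intentionally dropped`, and a look at the audit log for `signal` denials from sudo after the change. The `profile sudo` block starts before and continues after this hunk.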
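Review bot: With `@{lib}/sudo/** mr,` removed, the remaining `@{lib}/** rPUx,` two lines below does not carry `m`, so mapping sudo's own plugin libraries under `@{lib}/sudo/` now relies entirely on the added include, whose contents are not in this diff; if it does not provide `mr` on that directory sudo fails at plugin load, which is a total outage rather than a noisy denial. Likewise `/var/db/sudo/lectured/ r,` is dropped while `/var/lib/sudo/lectured/ r,` just below it stays, which is consistent only if the abstraction covers the `/var/db` path. Suggest confirming both against the abstraction and, if they are specific to the sudo binary rather than shared, keeping `@{lib}/sudo/** mr,` in this profile. The `profile sudo` block starts before and continues after this hunk.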