# apparmor.d - Full set of apparmor profiles # Copyright (C) 2019-2021 Mikhail Morfikov # SPDX-License-Identifier: GPL-2.0-only abi , include @{exec_path} = /{usr/,}bin/sudo profile sudo @{exec_path} { include include include include include # include # To remove the following errors: # sudo: unable to change to root gid: Operation not permitted capability setgid, # To remove the following errors: # sudo: PERM_SUDOERS: setresuid(-1, 1, -1): Operation not permitted # sudo: no valid sudoers sources found, quitting # sudo: setresuid() [0, 0, 0] -> [1000, -1, -1]: Operation not permitted capability setuid, # To write records to the kernel auditing log. capability audit_write, # Needed? (#FIXME#) capability sys_resource, # To remove the following error: # sudo: PAM account management error: Permission denied # sudo: unable to open audit system: Permission denied # sudo: a password is required network netlink raw, signal, @{exec_path} mr, # Shells to use /{usr/,}bin/{,b,d,rb}ash rpux, /{usr/,}bin/{c,k,tc,z}sh rpux, /{usr/,}bin/[a-z0-9]* rPUx, /{usr/,}{s,}bin/[a-z0-9]* rPUx, /dev/ r, # For timestampdir owner @{run}/sudo/ rw, owner @{run}/sudo/ts/ rw, owner @{run}/sudo/ts/* rwk, @{PROC}/@{pid}/fd/ r, @{PROC}/@{pids}/stat r, /etc/sudo.conf r, /etc/sudoers r, /etc/sudoers.d/{,*} r, # file_inherit owner /dev/tty[0-9]* rw, owner @{HOME}/.xsession-errors w, include if exists }