From cbd0b614910667041dc0fab88ce7b372ec0a030b Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Tue, 19 Mar 2024 22:00:05 +0000
Subject: [PATCH] feat(profile): improve sudo abstraction.

---
 apparmor.d/abstractions/sudo | 10 ++++++
 apparmor.d/groups/_full/default-sudo | 47 +---------------------------
 apparmor.d/profiles-s-z/sudo | 14 ++-------
 3 files changed, 13 insertions(+), 58 deletions(-)

diff --git a/apparmor.d/abstractions/sudo b/apparmor.d/abstractions/sudo
index 65963bc7b..83e91cb94 100644
--- a/apparmor.d/abstractions/sudo
+++ b/apparmor.d/abstractions/sudo
@@ -5,6 +5,7 @@
 # Minimal set of rules for sudo. Interactive sudo need more rules.
 include
+ include
 include
 include
 include
@@ -17,6 +18,15 @@
 network netlink raw, # PAM
+ dbus send bus=system path=/org/freedesktop/login1
+ interface=org.freedesktop.logi1.Manager
+ member=CreateSession
+ peer=(name=org.freedesktop.login1, label=systemd-logind),
+
+ dbus (send receive) bus=session path=/org/freedesktop/systemd1
+ interface=org.freedesktop.systemd.Manager
+ member={JobRemoved,StartTransientUnit},
+
 @{lib}/sudo/** mr,
 @{etc_ro}/environment r,
diff --git a/apparmor.d/groups/_full/default-sudo b/apparmor.d/groups/_full/default-sudo
index f14774a04..629eb3062 100644
--- a/apparmor.d/groups/_full/default-sudo
+++ b/apparmor.d/groups/_full/default-sudo
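Review bot: The added rule's `interface=org.freedesktop.logi1.Manager` does not agree with the logind name the rule itself uses in `peer=(name=org.freedesktop.login1, label=systemd-logind)` on the next line; if the interface is meant to be `org.freedesktop.login1.Manager`, the rule as written never matches and the CreateSession call it is meant to allow is still denied. The same string appears in the rules this commit removes from the two profiles, so the typo is carried over rather than introduced, but the abstraction is now the single place to fix it. The new rule also grants only `member=CreateSession`, whereas the rule it replaces in apparmor.d/profiles-s-z/sudo allowed `member={CreateSession,ReleaseSession}`, so sudo loses ReleaseSession unless another rule outside this patch covers it. Since the header calls this the minimal abstraction, note that the session-bus `StartTransientUnit` rule is now granted to every profile that includes it, not just the two sudo profiles.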
@@ -8,56 +8,26 @@ include
 profile default-sudo @{exec_path} {
 include
- include
- include
- include
- include
- include
+ include
- capability audit_write,
 capability chown,
 capability dac_override,
 capability dac_read_search,
 capability mknod,
- capability net_admin,
- capability setgid,
- capability setuid,
 capability sys_ptrace,
- capability sys_resource,
 network inet dgram,
 network inet6 dgram,
- network netlink raw,
 ptrace (read),
- dbus send bus=system path=/org/freedesktop/login1
- interface=org.freedesktop.logi1.Manager
- member=CreateSession
- peer=(name=org.freedesktop.login1, label=systemd-logind),
-
- dbus (send receive) bus=session path=/org/freedesktop/systemd1
- interface=org.freedesktop.systemd.Manager
- member={JobRemoved,StartTransientUnit},
-
 @{bin}/sudo mr,
 @{bin}/su mr,
- @{lib}/sudo/** mr,
 @{bin}/** Px,
 @{lib}/** Px,
 /opt/*/** Px,
- @{etc_ro}/environment r,
- @{etc_ro}/security/limits.d/{,*} r,
- /etc/default/locale r,
- /etc/machine-id r,
- /etc/sudo.conf r,
- /etc/sudoers r,
- /etc/sudoers.d/{,*} r,
-
- / r,
- /var/db/sudo/lectured/ r,
 /var/lib/extrausers/shadow r,
 /var/lib/sudo/lectured/ r,
@@ -68,7 +38,6 @@ profile default-sudo @{exec_path} {
 owner /var/lib/sudo/lectured/* rw,
 owner @{HOME}/.sudo_as_admin_successful rw,
- owner @{HOME}/.xsession-errors w,
 @{run}/ r,
 @{run}/faillock/{,*} rwk,
@@ -77,19 +46,5 @@ profile default-sudo @{exec_path} {
 owner @{run}/sudo/ts/ rw,
 owner @{run}/sudo/ts/* rwk,
- @{PROC}/@{pids}/cgroup r,
- @{PROC}/@{pids}/fd/ r,
- @{PROC}/@{pids}/loginuid r,
- @{PROC}/@{pids}/stat r,
- @{PROC}/1/limits r,
- @{PROC}/sys/kernel/seccomp/actions_avail r,
-
- /dev/ r, # interactive login
- /dev/ptmx rwk,
- /dev/tty rwk,
- owner /dev/tty@{int} rw,
-
- deny @{user_share_dirs}/gvfs-metadata/* r,
-
 include if exists
 }
\ No newline at end of file
diff --git a/apparmor.d/profiles-s-z/sudo b/apparmor.d/profiles-s-z/sudo
index 6c333ad76..f513bce7e 100644
--- a/apparmor.d/profiles-s-z/sudo
+++ b/apparmor.d/profiles-s-z/sudo
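Review bot: Dropping `capability setuid,` and `capability setgid,` (along with audit_write, net_admin and sys_resource) from default-sudo is only safe if the single include that replaces the five removed ones provides them, and that cannot be confirmed from this patch: the abstraction's hunks start at its line 17, below where a capability block would sit, and the include targets are not legible in the diff as shown. If the abstraction lacks them, sudo confined by default-sudo can no longer change uid or gid, which fails every invocation rather than a corner case. Worth a comment on the surviving include line naming which rules it is expected to supply, e.g. `include <abstractions/sudo> # capabilities, PAM, logind/systemd dbus` (target name to be confirmed against the file).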
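Review bot: The third hunk removes the `/dev/ptmx rwk,`, `/dev/tty rwk,` and `owner /dev/tty@{int} rw,` rules that were marked `# interactive login`, yet the abstraction header in this same patch says "Interactive sudo need more rules", which reads as the abstraction deliberately not granting tty access. If that is the case, the password prompt under default-sudo is denied on the terminal after this change; either keep those three lines in the profile or move them into the abstraction and drop the caveat from its header. The explicit `deny @{user_share_dirs}/gvfs-metadata/* r,` is also removed; if any abstraction now pulled in allows that path, the former deny no longer takes precedence, so it is worth checking that the removal is intentional rather than part of the clean-up.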
@@ -21,7 +21,6 @@ profile sudo @{exec_path} flags=(attach_disconnected) {
 network inet dgram,
 network inet6 dgram,
- network netlink raw, # PAM
 ptrace (read),
@@ -30,20 +29,11 @@ profile sudo @{exec_path} flags=(attach_disconnected) {
 signal (send) set=(cont,hup) peer=su,
 signal (send) set=(winch),
- dbus send bus=system path=/org/freedesktop/login1
- interface=org.freedesktop.logi1.Manager
- member={CreateSession,ReleaseSession}
- peer=(name=org.freedesktop.login1, label=systemd-logind),
-
- dbus (send receive) bus=session path=/org/freedesktop/systemd1
- interface=org.freedesktop.systemd.Manager
- member={JobRemoved,StartTransientUnit},
-
 @{exec_path} mr,
 @{bin}/@{shells} rUx,
- @{lib}/** rPUx,
- /opt/*/** rPUx,
+ @{lib}/** PUx,
+ /opt/*/** PUx,
 /snap/snapd/@{int}@{bin}/snap rPUx,
 /var/db/sudo/lectured/ r,