# apparmor.d - Full set of apparmor profiles # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , include profile default-sudo @{exec_path} { include include include include include include capability audit_write, capability chown, capability dac_override, capability dac_read_search, capability mknod, capability net_admin, capability setgid, capability setuid, capability sys_ptrace, capability sys_resource, network inet dgram, network inet6 dgram, network netlink raw, ptrace (read), dbus send bus=system path=/org/freedesktop/login1 interface=org.freedesktop.logi1.Manager member=CreateSession peer=(name=org.freedesktop.login1, label=systemd-logind), dbus (send receive) bus=session path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd.Manager member={JobRemoved,StartTransientUnit}, @{bin}/sudo mr, @{bin}/su mr, @{lib}/sudo/** mr, @{bin}/** Px, @{lib}/** Px, /opt/*/** Px, @{etc_ro}/environment r, @{etc_ro}/security/limits.d/{,*} r, /etc/default/locale r, /etc/machine-id r, /etc/sudo.conf r, /etc/sudoers r, /etc/sudoers.d/{,*} r, / r, /var/db/sudo/lectured/ r, /var/lib/extrausers/shadow r, /var/lib/sudo/lectured/ r, /var/lib/sudo/ts/ rw, /var/lib/sudo/ts/* rwk, /var/log/sudo.log wk, owner /var/db/sudo/lectured/@{uid} rw, owner /var/lib/sudo/lectured/* rw, owner @{HOME}/.sudo_as_admin_successful rw, owner @{HOME}/.xsession-errors w, @{run}/ r, @{run}/faillock/{,*} rwk, @{run}/systemd/sessions/* r, owner @{run}/sudo/ rw, owner @{run}/sudo/ts/ rw, owner @{run}/sudo/ts/* rwk, @{PROC}/@{pids}/cgroup r, @{PROC}/@{pids}/fd/ r, @{PROC}/@{pids}/loginuid r, @{PROC}/@{pids}/stat r, @{PROC}/1/limits r, @{PROC}/sys/kernel/seccomp/actions_avail r, /dev/ r, # interactive login /dev/ptmx rwk, /dev/tty rwk, owner /dev/tty@{int} rw, deny @{user_share_dirs}/gvfs-metadata/* r, include if exists }