From 2e88bcf9f3cde1bf0e4dc337639e8bf532c4395b Mon Sep 17 00:00:00 2001
From: john-breton
Date: Tue, 22 Apr 2025 07:19:13 -0400
Subject: [PATCH] Deny CAP_SYS_ADMIN and cleanup profile
Signed-off-by: john-breton
---
 profiles/apparmor.d/nslookup | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/profiles/apparmor.d/nslookup b/profiles/apparmor.d/nslookup
index ff62b7192..9628f60b2 100644
--- a/profiles/apparmor.d/nslookup
+++ b/profiles/apparmor.d/nslookup
@@ -16,25 +16,26 @@ include
 profile nslookup /usr/bin/nslookup {
 include
- include
 include
+ include
- # requested on < plucky, no apparent impact if excluded but included as a sanity case
- capability sys_admin,
+ # Requested on < plucky by libuv (bind9 dependency), no functional impact from denial
+ deny capability sys_admin,
- # needed for network queries
+ # Needed for network queries
 network inet dgram,
 network inet6 dgram,
 network inet stream,
 network inet6 stream,
+ # Read access is requested to the following locations during bare `nslookup`
 /usr/bin/nslookup mr,
- # read access is requested to the following locations during bare `nslookup`
 /proc/version_signature r,
 /sys/kernel/mm/transparent_hugepage/enabled r,
 # `nslookup` performs reads to its own thread often, needed for expected functionality
 owner @{PROC}/@{pid}/task/@{tid}/comm rw,
+ # Site-specific additions and overrides. See local/README for details.
 include if exists
 }
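Review bot: The new `deny capability sys_admin,` is a quiet deny: AppArmor does not log rejections that match an explicit `deny` rule, so if a libuv code path on a pre-plucky release does end up needing the capability, the failure leaves no audit trail, whereas simply dropping the old `capability sys_admin,` line would still deny it but record each attempt. If the silence is deliberate (to suppress log noise from libuv's probe), say so in the comment, e.g. `# Requested on < plucky by libuv (bind9 dependency); quiet deny on purpose to avoid log noise`, or keep it auditable with `audit deny capability sys_admin,` until the "no functional impact" claim has been confirmed on the affected releases. The include lines in this hunk appear with their targets stripped in this rendering, so the swap of one include for another cannot be checked from here.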