Add some missing AppArmor bits.

o Display ApparmorProfile in "long list" format. o Propagate apparmor_profile setting to commands in a list. o Support apparmor_profile in an LDAP sudoOption.
2025-09-02 07:15:27 +00:00 · 2024-04-30 19:18:00 -06:00
parent ef52db46f9
commit 38b98b4174
4 changed files with 263 additions and 214 deletions
--- a/plugins/sudoers/ldap_util.c
+++ b/plugins/sudoers/ldap_util.c
@@ -443,6 +443,9 @@ sudo_ldap_role_to_priv(const char *cn, void *hosts, void *runasusers,
 	    cmndspec->role = prev_cmndspec->role;
 	    cmndspec->type = prev_cmndspec->type;
 #endif /* HAVE_SELINUX */
+#ifdef HAVE_APPARMOR
+	    cmndspec->apparmor_profile = prev_cmndspec->apparmor_profile;
+#endif /* HAVE_APPARMOR */
 #ifdef HAVE_PRIV_SET
 	    cmndspec->privs = prev_cmndspec->privs;
 	    cmndspec->limitprivs = prev_cmndspec->limitprivs;
@@ -534,6 +537,16 @@ sudo_ldap_role_to_priv(const char *cn, void *hosts, void *runasusers,
 			if ((cmndspec->type = strdup(val)) == NULL)
 			    break;
 #endif /* HAVE_SELINUX */
+#ifdef HAVE_APPARMOR
+		    } else if (strcmp(var, "apparmor_profile") == 0 && val != NULL) {
+			if (cmndspec->apparmor_profile != NULL) {
+			    free(cmndspec->apparmor_profile);
+			    sudo_warnx(U_("duplicate sudoOption: %s%s%s"), var,
+				op == '+' ? "+=" : op == '-' ? "-=" : "=", val);
+			}
+			if ((cmndspec->apparmor_profile = strdup(val)) == NULL)
+			    break;
+#endif /* HAVE_APPARMOR */
 #ifdef HAVE_PRIV_SET
 		    } else if (strcmp(var, "privs") == 0 && val != NULL) {
 			if (cmndspec->privs != NULL) {