From d8184fdb6f5299d5a27593bcf4953661dcb6b726 Mon Sep 17 00:00:00 2001
From: kernelmethod
Date: Mon, 23 May 2022 00:45:49 -0600
Subject: [PATCH] Add documentation for AppArmor support

- Document the AppArmor userspec option in the sudoers man pages.
- Add information about the --with-apparmor build configuration option to INSTALL.md.
---
 INSTALL.md | 4 +++
 docs/sudoers.man.in | 69 +++++++++++++++++++++++++++++++++++++++
 docs/sudoers.mdoc.in | 77 ++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 150 insertions(+)

diff --git a/INSTALL.md b/INSTALL.md
index 73d19368d..e6a123138 100644
--- a/INSTALL.md
+++ b/INSTALL.md
@@ -375,6 +375,10 @@ Defaults are listed in brackets after the description.
 ldap_sasl_interactive_bind_s() function is present in the LDAP libraries.
+ --with-apparmor Enable support for the AppArmor Linux Security Module (LSM) on supported systems.
+
 --with-logincap This adds support for login classes specified in `/etc/login.conf`. It is enabled by default on BSD/OS, Darwin, FreeBSD, OpenBSD, and
diff --git a/docs/sudoers.man.in b/docs/sudoers.man.in
index d1b5cb576..b2a2e573b 100644
--- a/docs/sudoers.man.in
+++ b/docs/sudoers.man.in
@@ -1290,6 +1290,8 @@ Runas_Spec ::= '(' Runas_List? (':' Runas_List)? ')'
 SELinux_Spec ::= ('ROLE=role' | 'TYPE=type')
 .\}
+AppArmor_Spec ::= 'APPARMOR_PROFILE=profile'
+
 .if \n(PS \{\
 Solaris_Priv_Spec ::= ('PRIVS=privset' | 'LIMITPRIVS=privset')
@@ -1503,6 +1505,7 @@ Options may consist of
 .if \n(SL \{\
 SELinux roles and/or types,
 .\}
+AppArmor profiles,
 .if \n(PS \{\
 Solaris privileges sets,
 .\}
@@ -1533,6 +1536,59 @@ A role or type specified on the command line,
 however, will supersede the values in
 \fIsudoers\fR.
 .\}
+.SS "AppArmor_Spec"
+On systems supporting AppArmor,
+\fIsudoers\fR
+file entries may optionally specify an AppArmor profile that should be
+used to confine a command.
+If an AppArmor profile is specified with the command, it will override
+any default values specified in
+\fIsudoers\fR.
+Appropriate profile transition rules must be defined to support the
+profile change specified for a user.
+.PP
+AppArmor profiles can be specified in any way that complies with the
+rules of
+aa_change_profile(2).
+For instance, in the following
+\fIsudoers\fR
+entry
+.nf
+.sp
+.RS 0n
+alice ALL = (root) APPARMOR_PROFILE=my-profile ALL
+.RE
+.fi
+.PP
+the user
+\fBalice\fR
+may run any command as root under confinement by the profile
+\(oqmy-profile\(cq.
+You can also stack profiles, or allow a user to run commands unconfined by
+any profile. E.g.,
+.nf
+.sp
+.RS 0n
+bob ALL = (root) APPARMOR_PROFILE=foo//&bar /usr/bin/vi
+cathy ALL = (root) APPARMOR_PROFILE=unconfined /bin/ls
+.RE
+.fi
+.PP
+These
+\fIsudoers\fR
+entries allow user
+\fBbob\fR
+to run
+\fI/usr/bin/vi\fR
+as root under the stacked profiles
+\(oqfoo\(cq
+and
+\(oqbar\(cq,
+and user
+\fBcathy\fR
+to run
+\fI/bin/ls\fR
+without any confinement at all.
 .if \n(PS \{\
 .SS "Solaris_Priv_Spec"
 On Solaris systems,
@@ -4159,6 +4215,19 @@ which does not create a new PAM session.
 .PP
 \fBStrings\fR:
 .TP 18n
+apparmor_profile
+The default AppArmor profile to transition into when executing the
+command.
+The default
+\fIapparmor_profile\fR
+can be overriden for individual
+\fIsudoers\fR
+entries by specifying the
+\fIAPPARMOR_PROFILE\fR
+option.
+This option is only available when sudo is built with AppArmor
+support.
+.TP 18n
 authfail_message
 Message that is displayed after a user fails to authenticate.
 The message may include the
diff --git a/docs/sudoers.mdoc.in b/docs/sudoers.mdoc.in
index 04661891c..233270076 100644
--- a/docs/sudoers.mdoc.in
+++ b/docs/sudoers.mdoc.in
@@ -21,6 +21,7 @@
 .\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
 .\"
 .nr SL @SEMAN@
+.nr AA @AAMAN@
 .nr BA @BAMAN@
 .nr LC @LCMAN@
 .nr PS @PSMAN@
@@ -1231,13 +1232,23 @@ Runas_Spec ::= '(' Runas_List? (':' Runas_List)? ')'
 .el Option_Spec ::= (SELinux_Spec | Date_Spec | Timeout_Spec | Chdir_Spec | Chroot_Spec)
 .\}
 .el \{\
+.ie \n(AA \{\
+.ie \n(PS Option_Spec ::= (AppArmor_Spec | Solaris_Priv_Spec | Date_Spec | Timeout_Spec | Chdir_Spec | Chroot_Spec)
+.el Option_Spec ::= (AppArmor_Spec | Date_Spec | Timeout_Spec | Chdir_Spec | Chroot_Spec)
+.\}
+.el \{\
 .ie \n(PS Option_Spec ::= (Solaris_Priv_Spec | Date_Spec | Timeout_Spec | Chdir_Spec | Chroot_Spec)
 .el Option_Spec ::= (Date_Spec | Timeout_Spec | Chdir_Spec | Chroot_Spec)
 .\}
+.\}
 .if \n(SL \{\
 SELinux_Spec ::= ('ROLE=role' | 'TYPE=type')
+.\}
+.if \n(AA \{\
+AppArmor_Spec ::= 'APPARMOR_PROFILE=profile'
+
 .\}
 .if \n(PS \{\
 Solaris_Priv_Spec ::= ('PRIVS=privset' | 'LIMITPRIVS=privset')
@@ -1427,6 +1438,9 @@ Options may consist of
 .if \n(SL \{\
 SELinux roles and/or types,
 .\}
+.if \n(AA \{\
+AppArmor profiles,
+.\}
 .if \n(PS \{\
 Solaris privileges sets,
 .\}
@@ -1457,6 +1471,55 @@ A role or type specified on the command line,
 however, will supersede the values in
 .Em sudoers .
 .\}
+.if \n(AA \{\
+.Ss AppArmor_Spec
+On systems supporting AppArmor,
+.Em sudoers
+file entries may optionally specify an AppArmor profile that should be
+used to confine a command.
+If an AppArmor profile is specified with the command, it will override
+any default values specified in
+.Em sudoers .
+Appropriate profile transition rules must be defined to support the
+profile change specified for a user.
+.Pp
+AppArmor profiles can be specified in any way that complies with the
+rules of
+.Xr aa_change_profile 2 .
+For instance, in the following
+.Em sudoers
+entry
+.Bd -literal
+alice ALL = (root) APPARMOR_PROFILE=my-profile ALL
+.Ed
+.Pp
+the user
+.Sy alice
+may run any command as root under confinement by the profile
+.Ql my-profile .
+You can also stack profiles, or allow a user to run commands unconfined by
+any profile. E.g.,
+.Bd -literal
+bob ALL = (root) APPARMOR_PROFILE=foo//&bar /usr/bin/vi
+cathy ALL = (root) APPARMOR_PROFILE=unconfined /bin/ls
+.Ed
+.Pp
+These
+.Em sudoers
+entries allow user
+.Sy bob
+to run
+.Pa /usr/bin/vi
+as root under the stacked profiles
+.Ql foo
+and
+.Ql bar ,
+and user
+.Sy cathy
+to run
+.Pa /bin/ls
+without any confinement at all.
+.\}
 .if \n(PS \{\
 .Ss Solaris_Priv_Spec
 On Solaris systems,
@@ -3929,6 +3992,20 @@ which does not create a new PAM session.
 .Pp
 .Sy Strings :
 .Bl -tag -width 16n
+.if \n(AA \{\
+.It apparmor_profile
+The default AppArmor profile to transition into when executing the
+command.
+The default
+.Em apparmor_profile
+can be overriden for individual
+.Em sudoers
+entries by specifying the
+.Em APPARMOR_PROFILE
+option.
+This option is only available when sudo is built with AppArmor
+support.
+.\}
 .It authfail_message
 Message that is displayed after a user fails to authenticate.
 The message may include the