mirror of https://github.com/sudo-project/sudo.git synced 2025-08-22 18:08:23 +00:00

Add documentation for AppArmor support

- Document the AppArmor userspec option in the sudoers man pages.
- Add information about the --with-apparmor build configuration option
  to INSTALL.md.
This commit is contained in:
kernelmethod 2022-05-23 00:45:49 -06:00
parent 58ce33abab
commit d8184fdb6f
3 changed files with 150 additions and 0 deletions


@ -375,6 +375,10 @@ Defaults are listed in brackets after the description.
ldap_sasl_interactive_bind_s() function is present in the ldap_sasl_interactive_bind_s() function is present in the
LDAP libraries. LDAP libraries.
--with-apparmor
Enable support for the AppArmor Linux Security Module (LSM) on
supported systems.
--with-logincap --with-logincap
This adds support for login classes specified in `/etc/login.conf`. This adds support for login classes specified in `/etc/login.conf`.
It is enabled by default on BSD/OS, Darwin, FreeBSD, OpenBSD, and It is enabled by default on BSD/OS, Darwin, FreeBSD, OpenBSD, and
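Review bot: the new `--with-apparmor` entry says only "on supported systems" and, unlike the neighbouring `--with-logincap` entry, does not state whether it is off by default or what the build needs. Suggest saying that it is not enabled unless requested and what configure looks for (the man page text added in this commit relies on aa_change_profile(2), so presumably the AppArmor library and headers), e.g. "Enable support for the AppArmor Linux Security Module (LSM). Requires the AppArmor library and headers; not enabled by default."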


@ -1290,6 +1290,8 @@ Runas_Spec ::= '(' Runas_List? (':' Runas_List)? ')'
SELinux_Spec ::= ('ROLE=role' | 'TYPE=type') SELinux_Spec ::= ('ROLE=role' | 'TYPE=type')
.\} .\}
AppArmor_Spec ::= 'APPARMOR_PROFILE=profile'
.if \n(PS \{\ .if \n(PS \{\
Solaris_Priv_Spec ::= ('PRIVS=privset' | 'LIMITPRIVS=privset') Solaris_Priv_Spec ::= ('PRIVS=privset' | 'LIMITPRIVS=privset')
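Review bot: the line `AppArmor_Spec ::= 'APPARMOR_PROFILE=profile'` is added unconditionally here, whereas the mdoc source in this same commit wraps it in `.if \n(AA \{\` ... `.\}`, and no `.nr AA @AAMAN@` register appears in any sudoers.man.in hunk. This hunk also shows no change to the `Option_Spec` production, while the mdoc source adds an `AppArmor_Spec` alternative to it. If sudoers.man.in is generated from sudoers.mdoc.in, regenerate it so the conditionals and grammar match rather than hand-editing.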
@ -1503,6 +1505,7 @@ Options may consist of
.if \n(SL \{\ .if \n(SL \{\
SELinux roles and/or types, SELinux roles and/or types,
.\} .\}
AppArmor profiles,
.if \n(PS \{\ .if \n(PS \{\
Solaris privileges sets, Solaris privileges sets,
.\} .\}
@ -1533,6 +1536,59 @@ A role or type specified on the command line,
however, will supersede the values in however, will supersede the values in
\fIsudoers\fR. \fIsudoers\fR.
.\} .\}
.SS "AppArmor_Spec"
On systems supporting AppArmor,
\fIsudoers\fR
file entries may optionally specify an AppArmor profile that should be
used to confine a command.
If an AppArmor profile is specified with the command, it will override
any default values specified in
\fIsudoers\fR.
Appropriate profile transition rules must be defined to support the
profile change specified for a user.
.PP
AppArmor profiles can be specified in any way that complies with the
rules of
aa_change_profile(2).
For instance, in the following
\fIsudoers\fR
entry
.nf
.sp
.RS 0n
alice ALL = (root) APPARMOR_PROFILE=my-profile ALL
.RE
.fi
.PP
the user
\fBalice\fR
may run any command as root under confinement by the profile
\(oqmy-profile\(cq.
You can also stack profiles, or allow a user to run commands unconfined by
any profile. E.g.,
.nf
.sp
.RS 0n
bob ALL = (root) APPARMOR_PROFILE=foo//&bar /usr/bin/vi
cathy ALL = (root) APPARMOR_PROFILE=unconfined /bin/ls
.RE
.fi
.PP
These
\fIsudoers\fR
entries allow user
\fBbob\fR
to run
\fI/usr/bin/vi\fR
as root under the stacked profiles
\(oqfoo\(cq
and
\(oqbar\(cq,
and user
\fBcathy\fR
to run
\fI/bin/ls\fR
without any confinement at all.
.if \n(PS \{\ .if \n(PS \{\
.SS "Solaris_Priv_Spec" .SS "Solaris_Priv_Spec"
On Solaris systems, On Solaris systems,
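Review bot: the whole `.SS "AppArmor_Spec"` subsection is added without an `.if \n(AA` guard, so it will appear in the rendered man page of every build, while the `apparmor_profile` entry added later in this same file says the option "is only available when sudo is built with AppArmor support." Either guard the subsection the way the `.if \n(PS \{\` / `.SS "Solaris_Priv_Spec"` block directly below it is guarded, or regenerate this file from the mdoc source, which already has the guard.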
@ -4159,6 +4215,19 @@ which does not create a new PAM session.
.PP .PP
\fBStrings\fR: \fBStrings\fR:
.TP 18n .TP 18n
apparmor_profile
The default AppArmor profile to transition into when executing the
command.
The default
\fIapparmor_profile\fR
can be overriden for individual
\fIsudoers\fR
entries by specifying the
\fIAPPARMOR_PROFILE\fR
option.
This option is only available when sudo is built with AppArmor
support.
.TP 18n
authfail_message authfail_message
Message that is displayed after a user fails to authenticate. Message that is displayed after a user fails to authenticate.
The message may include the The message may include the
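Review bot: typo in the `apparmor_profile` entry: "can be overriden for individual" should read "can be overridden for individual". The entry also does not say what sudo does when the transition into the configured profile fails (refuse to run the command, or run it unconfined); that is the behaviour an administrator setting a default profile most needs to know, so please document it here.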


@ -21,6 +21,7 @@
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512. .\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
.\" .\"
.nr SL @SEMAN@ .nr SL @SEMAN@
.nr AA @AAMAN@
.nr BA @BAMAN@ .nr BA @BAMAN@
.nr LC @LCMAN@ .nr LC @LCMAN@
.nr PS @PSMAN@ .nr PS @PSMAN@
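Review bot: `.nr AA @AAMAN@` depends on configure substituting `AAMAN`, but this commit touches only three files (INSTALL.md and the two man page sources). Please confirm the `AAMAN` substitution already exists in configure.ac and the Makefile rules for the generated man pages; if it does not, the register is set from the literal string `@AAMAN@` and every `.if \n(AA` block below evaluates in an unintended way.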
@ -1231,13 +1232,23 @@ Runas_Spec ::= '(' Runas_List? (':' Runas_List)? ')'
.el Option_Spec ::= (SELinux_Spec | Date_Spec | Timeout_Spec | Chdir_Spec | Chroot_Spec) .el Option_Spec ::= (SELinux_Spec | Date_Spec | Timeout_Spec | Chdir_Spec | Chroot_Spec)
.\} .\}
.el \{\ .el \{\
.ie \n(AA \{\
.ie \n(PS Option_Spec ::= (AppArmor_Spec | Solaris_Priv_Spec | Date_Spec | Timeout_Spec | Chdir_Spec | Chroot_Spec)
.el Option_Spec ::= (AppArmor_Spec | Date_Spec | Timeout_Spec | Chdir_Spec | Chroot_Spec)
.\}
.el \{\
.ie \n(PS Option_Spec ::= (Solaris_Priv_Spec | Date_Spec | Timeout_Spec | Chdir_Spec | Chroot_Spec) .ie \n(PS Option_Spec ::= (Solaris_Priv_Spec | Date_Spec | Timeout_Spec | Chdir_Spec | Chroot_Spec)
.el Option_Spec ::= (Date_Spec | Timeout_Spec | Chdir_Spec | Chroot_Spec) .el Option_Spec ::= (Date_Spec | Timeout_Spec | Chdir_Spec | Chroot_Spec)
.\} .\}
.\}
.if \n(SL \{\ .if \n(SL \{\
SELinux_Spec ::= ('ROLE=role' | 'TYPE=type') SELinux_Spec ::= ('ROLE=role' | 'TYPE=type')
.\}
.if \n(AA \{\
AppArmor_Spec ::= 'APPARMOR_PROFILE=profile'
.\} .\}
.if \n(PS \{\ .if \n(PS \{\
Solaris_Priv_Spec ::= ('PRIVS=privset' | 'LIMITPRIVS=privset') Solaris_Priv_Spec ::= ('PRIVS=privset' | 'LIMITPRIVS=privset')
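Review bot: the new `.ie \n(AA \{\` branch is nested only under the `.el \{\` (non-SELinux) arm, so when `SL` is set the `Option_Spec` production at `.el Option_Spec ::= (SELinux_Spec | Date_Spec | Timeout_Spec | Chdir_Spec | Chroot_Spec)` never lists `AppArmor_Spec`. If `--with-selinux` and `--with-apparmor` can be enabled together, the SELinux arm needs the same `AppArmor_Spec` alternative; if they are mutually exclusive, say so in the AppArmor_Spec section so readers know why the grammar omits it.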
@ -1427,6 +1438,9 @@ Options may consist of
.if \n(SL \{\ .if \n(SL \{\
SELinux roles and/or types, SELinux roles and/or types,
.\} .\}
.if \n(AA \{\
AppArmor profiles,
.\}
.if \n(PS \{\ .if \n(PS \{\
Solaris privileges sets, Solaris privileges sets,
.\} .\}
@ -1457,6 +1471,55 @@ A role or type specified on the command line,
however, will supersede the values in however, will supersede the values in
.Em sudoers . .Em sudoers .
.\} .\}
.if \n(AA \{\
.Ss AppArmor_Spec
On systems supporting AppArmor,
.Em sudoers
file entries may optionally specify an AppArmor profile that should be
used to confine a command.
If an AppArmor profile is specified with the command, it will override
any default values specified in
.Em sudoers .
Appropriate profile transition rules must be defined to support the
profile change specified for a user.
.Pp
AppArmor profiles can be specified in any way that complies with the
rules of
.Xr aa_change_profile 2 .
For instance, in the following
.Em sudoers
entry
.Bd -literal
alice ALL = (root) APPARMOR_PROFILE=my-profile ALL
.Ed
.Pp
the user
.Sy alice
may run any command as root under confinement by the profile
.Ql my-profile .
You can also stack profiles, or allow a user to run commands unconfined by
any profile. E.g.,
.Bd -literal
bob ALL = (root) APPARMOR_PROFILE=foo//&bar /usr/bin/vi
cathy ALL = (root) APPARMOR_PROFILE=unconfined /bin/ls
.Ed
.Pp
These
.Em sudoers
entries allow user
.Sy bob
to run
.Pa /usr/bin/vi
as root under the stacked profiles
.Ql foo
and
.Ql bar ,
and user
.Sy cathy
to run
.Pa /bin/ls
without any confinement at all.
.\}
.if \n(PS \{\ .if \n(PS \{\
.Ss Solaris_Priv_Spec .Ss Solaris_Priv_Spec
On Solaris systems, On Solaris systems,
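Review bot: the description of the `cathy ALL = (root) APPARMOR_PROFILE=unconfined /bin/ls` example, "without any confinement at all", overstates what the rule grants: by the section's own earlier sentence ("Appropriate profile transition rules must be defined to support the profile change"), the transition to `unconfined` only succeeds if the profile sudo currently runs under permits it, so the example should be qualified with "provided the AppArmor policy allows the transition". Style: "You can also stack profiles, or allow a user to run commands unconfined by any profile. E.g.," switches to second person; the rest of sudoers(5) uses the impersonal form, e.g. "It is also possible to stack profiles or to run a command unconfined, for example:".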
@ -3929,6 +3992,20 @@ which does not create a new PAM session.
.Pp .Pp
.Sy Strings : .Sy Strings :
.Bl -tag -width 16n .Bl -tag -width 16n
.if \n(AA \{\
.It apparmor_profile
The default AppArmor profile to transition into when executing the
command.
The default
.Em apparmor_profile
can be overriden for individual
.Em sudoers
entries by specifying the
.Em APPARMOR_PROFILE
option.
This option is only available when sudo is built with AppArmor
support.
.\}
.It authfail_message .It authfail_message
Message that is displayed after a user fails to authenticate. Message that is displayed after a user fails to authenticate.
The message may include the The message may include the
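Review bot: typo in the `.It apparmor_profile` entry: "can be overriden for individual" should be "can be overridden for individual". Since sudoers.man.in in this commit carries the same misspelling, fix it here and regenerate the man page rather than patching both by hand.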