isa/sudo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add an apparmor_profile sudo setting

Browse Source 
Define a new sudo setting, `apparmor_profile`, that can be used to pass
in an AppArmor profile that should be used to confine commands. If
apparmor_profile is specified, sudo will execute the command using the
new `apparmor_execve` function, which confines the command under the
provided profile before exec'ing it.
This commit is contained in:
kernelmethod
2022-05-23 13:41:42 -06:00
parent 0b541c2029
commit bd25b85a66
7 changed files with 150 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
src/sudo.c
View File

@@ -689,6 +689,9 @@ command_info_to_details(char * const info[], struct command_details *details)
for (i = 0; info[i] != NULL; i++) {
sudo_debug_printf(SUDO_DEBUG_INFO, " %d: %s", i, info[i]);
switch (info[i][0]) {
case 'a':
SET_STRING("apparmor_profile=", apparmor_profile);
break;
case 'c':
SET_STRING("chroot=", chroot)
SET_STRING("command=", command)
@@ -897,6 +900,15 @@ command_info_to_details(char * const info[], struct command_details *details)
exit(EXIT_FAILURE);
}
#endif
#ifdef HAVE_APPARMOR
if (details->apparmor_profile != NULL && apparmor_is_enabled()) {
i = apparmor_prepare(details->apparmor_profile);
if (i != 0)
exit(EXIT_FAILURE);
}
#endif
debug_return;
}