Define a new sudo setting, `apparmor_profile`, that can be used to pass
in an AppArmor profile that should be used to confine commands. If
apparmor_profile is specified, sudo will execute the command using the
new `apparmor_execve` function, which confines the command under the
provided profile before exec'ing it.
We can skip the policy check for the execve(2) of the initial command
since it has already been check. Otherwise, we would log the command
twice. When using fexecve(2) due to a digest check, there should
be no need to skip the initial command since it will be executed
via execveat(2) not execve(2). However, on older kernels without
execveat(2), glibc will emulate fexecve(2) using /proc which will
result in the extra log entry.
The special value "user" means preserve the invoking user's limit.
The value "default" means don't override the default limit for the
user as assigned by the system (PAM, loging.conf, userdb, etc).
This makes it possible to determine whether we really need to execute
the command via the sesh helper. What was left of selinux_setup()
is now selinux_relabel_tty() and selinux_audit_role_change().
The front-end uses this to decide whether or not to enable SELinux.
If selinux-rbac is true _or_ if it is not present and selinux_role or
selinux_type are set, SELinux support is enabled.
Previously, SELinux support was only enabled if a role was specified.
This makes sudo_settings, user_info, submit_argv, submit_envp and
submit_optind global. This will be required for calling the wrapper
from outside of sudo.c where we may not have access to those
variables.
On systems where getgroups() returns results based on more than
just the per-process group vector in the kernel it is possible for
the number of groups to change in between invocations.
Based on GitHub PR #106 from Pierre-Olivier Martel.
The ngroups parameter is an out parameter that is filled in with
the actual number of groups, which may be less than the static
number allocated when max_groups is set in sudo.conf.
Fixes a potential out of bounds read found by LLVM libFuzzer.
The program name is also used when matching Debug lines in sudo.conf.
We don't want the user to be able to influence sudo.conf Debug matching.
The string "sudoedit" is treated the same as "sudo" in sudo.conf.
Problem reported by Matthias Gerstner of SUSE.
With this change, the sudo front-end will send an "accept" audit
event to the audit plugins after all the I/O logging plugins have
been initialized. This can be used by an audit plugin that does
not care about the result of the individual policy and approval
plugins and only wants to receive a single "accept" event if all
policy and approval plugins have succeeded. The plugin_type argument
for events sent by the front-end is SUDO_FRONT_END (0).
Fixes a problem when there are multiple users with the same user-ID
where the PAM session modules could be called with the wrong user name.
Debian bug #734752
We can't use run_command() to run sesh, that will use the sudo event
loop (and might run it in a pty!).
There's no need to relabel the tty when copying files.
Get the path to sesh from sudo.conf.
Currently, for SELinux RBAC, the editor runs with the target user's
security context. This defeats the purpose of sudoedit. Fixing
that requires passing file descriptors between the main sudo process
(running with the invoking user's security context) and sesh (runnning
with the target user's security context).
We need a close function to be able to to free memory allocated for
errstr. Unlike the other plugins, the close function is called
immediately after the plugin's check or show_version function.
The plugin does not remain open until the command completes.
