Add AppArmor support to sudo #148
This PR doesn't include some of the larger autogenerated files since I figured you'd rather generate them yourself than go through and audit them. In particular, I've excluded the new versions of but you should be able to recreate them with I also haven't included any regression tests here since truthfully I'm not sure what the best way is to write tests for this feature that works with your CI/testing pipeline (although I've verified that it works locally). I wanted to confirm whether this was a feature you'd be interested in including into sudo before figuring out whether there's a good way to incorporate it into your regression testing.
(force-pushed from c282c22 to 5e12da6)
Add a new build flag, --with-apparmor, that builds sudo with AppArmor support. Modify the build script for Debian and Ubuntu to enable this flag by default.
Define a new sudo setting, `apparmor_profile`, that can be used to pass in an AppArmor profile that should be used to confine commands. If apparmor_profile is specified, sudo will execute the command using the new `apparmor_execve` function, which confines the command under the provided profile before exec'ing it.
sudoers now supports an APPARMOR_PROFILE option, which can be specified as e.g.

    alice ALL=(ALL:ALL) APPARMOR_PROFILE=foo ALL

The line above says "user alice can run any command as any user/group, under confinement by the AppArmor profile 'foo'." Profiles can be specified in any way that complies with the rules of aa_change_profile(2). For instance, the sudoers configuration

    alice ALL=(ALL:ALL) APPARMOR_PROFILE=unconfined ALL

allows alice to run any command unconfined (i.e., without an AppArmor profile), while

    alice ALL=(ALL:ALL) APPARMOR_PROFILE=foo//&bar ALL

tells sudoers that alice can run any command under the stacked AppArmor profiles 'foo' and 'bar'.

The intention of this option is to give sysadmins on Linux distros supporting AppArmor better options for fine-grained access control. Among other things, this option can enforce mandatory access control (MAC) over the operations that a privileged user is able to perform to ensure that they cannot privesc past the boundaries of a specified profile. It can also be used to limit which users are able to get unconfined system access, by enforcing a default AppArmor profile on all users and then specifying 'APPARMOR_PROFILE=unconfined' for a privileged subset of users.
Install libapparmor-dev on Debian- and Ubuntu-based Docker images so that they can build sudo with AppArmor support.
- Document the AppArmor userspec option in the sudoers man pages.
- Add information about the --with-apparmor build configuration option to INSTALL.md.
(force-pushed from 5e12da6 to d8184fd)
millert left a comment:
This looks really good, thanks. I appreciate how complete your changes are. I'm afraid that my recent commits have created some minor conflicts but those should be easy to address. Once that is done I will merge this PR.
This pull request adds AppArmor support to sudo by making it possible to specify an AppArmor profile that should be used to confine a command. In particular, it adds a new APPARMOR_PROFILE user specification option to sudoers, which can be specified as e.g.

This sudoers entry says "user alice can run any command as root under confinement by the AppArmor profile my-profile." System administrators still need to define appropriate profile transitions to support the transition into the specified profile.

This feature makes it possible to specify much finer-grained access controls for users with sudo permissions on systems supporting AppArmor, and makes privilege escalation much harder. It can also be used to limit which users are able to obtain unconfined system access, by enabling a default AppArmor profile for all users and specifying APPARMOR_PROFILE=unconfined for a privileged subset of users.

To build sudo with AppArmor support, you can pass in the --with-apparmor flag to the configure script. The scripts/mkpkg shell script has also been updated to build sudo with AppArmor support on Debian and Ubuntu systems by default.
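The APPARMOR_PROFILE syntax described in the commit message and in the description above, as an added example that is not code from the sudo project: a small Python parser for the sudoers subset shown on this page (user, host, optional runas spec, OPTION=value settings and tags, command). It splits stacked specs on "//&" and lists the users whose entries name the special "unconfined" profile, which is the check an administrator following the "default profile for everyone, unconfined for a privileged subset" pattern would want to run over a sudoers file. The sample sudoers fragment and every function and class name here are constructed for this example.

```python
"""Parse sudoers user specifications carrying the APPARMOR_PROFILE option and
audit which users may run commands unconfined.

Added example, not code from the sudo project. The grammar handled is the
subset shown on this page:

    user  host=(runas_user[:runas_group])  [TAG:|OPTION=value ...]  command

Profile specs follow aa_change_profile(2): a plain name confines under that
profile, 'unconfined' lifts confinement, and 'foo//&bar' stacks profiles.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample sudoers fragment (not taken from any real system).
SAMPLE_SUDOERS = """\
# Sample entries for the AppArmor audit example
alice   ALL=(ALL:ALL) APPARMOR_PROFILE=foo ALL
bob     ALL=(ALL:ALL) APPARMOR_PROFILE=unconfined ALL
carol   ALL=(root) APPARMOR_PROFILE=foo//&bar /usr/bin/apt
dave    ALL=(ALL:ALL) NOPASSWD: ALL
"""

# user, host=, optional (runas), zero or more "TAG:" / "OPTION=value" tokens,
# then the command. Host excludes '=' so it stops before the runas spec.
_SPEC_RE = re.compile(
    r"^(?P<user>\S+)\s+"
    r"(?P<host>[^=\s]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<options>(?:(?:[A-Z_]+=\S+|[A-Z]+:)\s+)*)"
    r"(?P<command>.+)$"
)


@dataclass
class UserSpec:
    user: str
    host: str
    runas_user: str
    runas_group: Optional[str]
    command: str
    apparmor_profile: Optional[str]  # raw spec as written; None if absent
    tags: List[str] = field(default_factory=list)

    @property
    def profile_stack(self) -> List[str]:
        """Component profiles of a stacked spec such as 'foo//&bar'."""
        if self.apparmor_profile is None:
            return []
        return self.apparmor_profile.split("//&")

    @property
    def grants_unconfined(self) -> bool:
        """True only for the bare 'unconfined' spelling the page describes;
        any other spec (including stacks) is left for manual review."""
        return self.apparmor_profile == "unconfined"


def parse_user_spec(line: str) -> Optional[UserSpec]:
    """Parse one sudoers line; return None for blanks and comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    m = _SPEC_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised sudoers line: {line!r}")
    # sudoers runs the command as root when no Runas_Spec is given.
    runas = m.group("runas") or "root"
    runas_user, _, runas_group = runas.partition(":")
    profile, tags = None, []
    for tok in m.group("options").split():
        key, _, value = tok.partition("=")
        if key == "APPARMOR_PROFILE":
            profile = value
        else:
            tags.append(tok)
    return UserSpec(user=m.group("user"), host=m.group("host"),
                    runas_user=runas_user, runas_group=runas_group or None,
                    command=m.group("command").strip(),
                    apparmor_profile=profile, tags=tags)


def parse_sudoers(text: str) -> List[UserSpec]:
    """Parse every user specification in a sudoers fragment."""
    return [s for s in (parse_user_spec(l) for l in text.splitlines()) if s]


def audit_unconfined(text: str) -> List[str]:
    """Users whose entries explicitly lift AppArmor confinement.

    Entries without APPARMOR_PROFILE keep whatever confinement sudo itself
    runs under, so they are not reported here."""
    return sorted({s.user for s in parse_sudoers(text) if s.grants_unconfined})


if __name__ == "__main__":
    for spec in parse_sudoers(SAMPLE_SUDOERS):
        print(f"{spec.user:8} runas={spec.runas_user:5} "
              f"profiles={spec.profile_stack or '(default)'} cmd={spec.command}")
    print("explicitly unconfined:", audit_unconfined(SAMPLE_SUDOERS))
```

Running the module prints one line per parsed entry and then the list of users granted unconfined access; on the constructed sample that list is just bob. Lines the regex does not recognise raise a ValueError rather than being silently skipped, so an unusual entry is surfaced for review instead of dropping out of the audit.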