[sudo-workers] sudo support for AppArmor

Will Shand wss2ec at virginia.edu
Mon Mar 21 16:56:57 MDT 2022


Hi there --

sudo has had excellent support for working with SELinux for some time
now. Linux distros using AppArmor have unfortunately been left behind a
bit, which is a shame, as AppArmor has a nice API for specifying access
controls and profile transitions that sudo could leverage.

As a starting point, I was thinking that a PROFILE (or similarly-named)
user specification option could be added to sudoers:

    alice       ALL=(ALL:ALL)   PROFILE=alices-profile  /bin/cat

This sudoers entry would let Alice run /bin/cat as any user under
confinement by the 'alices-profile' AppArmor profile, specified as
something like

    #include <tunables/global>

    profile alices-profile {
        #include <abstractions/base>

        # Allow Alice to cat any file in /etc
        /bin/cat    rix,
        /etc/**     r,
    }

The syntax 'PROFILE=^subprofile' could be used to let Alice change hat
into a subprofile (see aa_change_hat(2)), and 'PROFILE=unconfined' could
let a user shift into an unconfined process after proper authentication.

This feature could make it easier to grant users root privileges for
certain actions within the confines of an AppArmor profile, as well as
restrict which users get unconfined system access. A very rough
approximation to this can currently be achieved through libpam-apparmor
and sufficient hacking on AppArmor profiles, but it requires some absurd
workarounds (e.g., creating copies/hardlinks of the sudo binary and
defining custom profiles for them for each user). Adding this
functionality to sudo itself seems like a more appropriate way to
implement it.

Before I do any significant work towards implementing this feature, I
wanted to check whether it's something of sufficient interest to
possibly be accepted into sudo.

Thank you,
- Will

