Add support for a custom message when the command execution is denied.

docs/sudoers.man.in

@@ -4507,6 +4507,10 @@ option.
 This option is only available when sudo is built with AppArmor
 support.
 .TP 18n
+cmddenial_message
+Message that is displayed after a user's command execution is denied.
+It does not override the default message, instead, it adds additional information for the user when set.
+.TP 18n
 authfail_message
 Message that is displayed after a user fails to authenticate.
 The message may include the

docs/sudoers.mdoc.in

@@ -4271,6 +4271,9 @@ option.
 This option is only available when sudo is built with AppArmor
 support.
 .\}
+.It cmddenial_message
+Message that is displayed after a user's command execution is denied.
+It does not override the default message, instead, it adds additional information for the user when set.
 .It authfail_message
 Message that is displayed after a user fails to authenticate.
 The message may include the

plugins/sudoers/def_data.c

@@ -695,6 +695,11 @@ struct sudo_defs_types sudo_defs_table[] = {
 	"apparmor_profile", T_STR,
 	N_("AppArmor profile to use in the new security context: %s"),
 	NULL,
+    }, {
+	"cmddenial_message", T_STR,
+	N_("Command denial message: %s"),
+	NULL,
+
     }, {
 	NULL, 0, NULL
     }

plugins/sudoers/def_data.h

@@ -322,6 +322,9 @@
 #define def_intercept_verify    (sudo_defs_table[I_INTERCEPT_VERIFY].sd_un.flag)
 #define I_APPARMOR_PROFILE      160
 #define def_apparmor_profile    (sudo_defs_table[I_APPARMOR_PROFILE].sd_un.str)
+#define I_CMDDENIAL_MESSAGE     161
+#define def_cmddenial_message   (sudo_defs_table[I_CMDDENIAL_MESSAGE].sd_un.str)
+
 
 enum def_tuple {
     never,

plugins/sudoers/logging.c

@@ -349,6 +349,9 @@ log_denial(const struct sudoers_context *ctx, unsigned int status,
 		ctx->runas.gr ? ":" : "",
 		ctx->runas.gr ? ctx->runas.gr->gr_name : "",
 		ctx->user.host);
+	    if (def_cmddenial_message != NULL) {
+		sudo_printf(SUDO_CONV_ERROR_MSG, "%s\n", def_cmddenial_message);
+	    }
 	}
 	if (mailit) {
 	    sudo_printf(SUDO_CONV_ERROR_MSG, "%s",

plugins/sudoers/regress/sudoers/test26.in

@@ -107,6 +107,7 @@ Defaults user_command_timeouts
 Defaults iolog_flush
 Defaults syslog_pid
 Defaults timestamp_type=tty
+Defaults cmddenial_message="That's not allowed!"
 Defaults authfail_message="Learn to type!"
 Defaults case_insensitive_user
 Defaults case_insensitive_group

plugins/sudoers/regress/sudoers/test26.json.ok

@@ -527,6 +527,11 @@
                 { "timestamp_type": "tty" }
             ]
         },
+        {
+            "Options": [
+                { "cmddenial_message": "That's not allowed!" }
+            ]
+        },
         {
             "Options": [
                 { "authfail_message": "Learn to type!" }

plugins/sudoers/regress/sudoers/test26.ldif.ok

@@ -112,6 +112,7 @@ sudoOption: user_command_timeouts
 sudoOption: iolog_flush
 sudoOption: syslog_pid
 sudoOption: timestamp_type=tty
+sudoOption: cmddenial_message=That's not allowed!
 sudoOption: authfail_message=Learn to type!
 sudoOption: case_insensitive_user
 sudoOption: case_insensitive_group

plugins/sudoers/regress/sudoers/test26.ldif2sudo.ok

@@ -107,6 +107,7 @@ Defaults user_command_timeouts
 Defaults iolog_flush
 Defaults syslog_pid
 Defaults timestamp_type=tty
+Defaults cmddenial_message="That's not allowed!"
 Defaults authfail_message="Learn to type!"
 Defaults case_insensitive_user
 Defaults case_insensitive_group

plugins/sudoers/regress/sudoers/test26.out.ok

@@ -101,6 +101,7 @@ Defaults user_command_timeouts
 Defaults iolog_flush
 Defaults syslog_pid
 Defaults timestamp_type=tty
+Defaults cmddenial_message="That's not allowed!"
 Defaults authfail_message="Learn to type!"
 Defaults case_insensitive_user
 Defaults case_insensitive_group

plugins/sudoers/regress/sudoers/test26.toke.ok

@@ -108,6 +108,7 @@ DEFAULTS DEFVAR
 DEFAULTS DEFVAR 
 DEFAULTS DEFVAR = WORD(2) 
 DEFAULTS DEFVAR = BEGINSTR STRBODY ENDSTR WORD(4) 
+DEFAULTS DEFVAR = BEGINSTR STRBODY ENDSTR WORD(4) 
 DEFAULTS DEFVAR 
 DEFAULTS DEFVAR 
 DEFAULTS DEFVAR