-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hello,
I've been testing those 2 profiles for a bit and feel they are ready to be tested by a larger audience. If any of you is interested, feedback/comments/pull requests(*) are welcome! Regards, Simon *: https://github.com/simondeziel/aa-profiles/tree/master/14.04 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQJ8BAEBCgBmBQJT9/ugXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ1NjVDMzc0QUZCQUQyRkM2MjBDNkMxQkI3 MkZFMERBRTkwMEIyQzM0AAoJEHL+Da6QCyw0a40P/39APPGdrTbw/heH/mp/TD3p AZ/C3vDLeUz6gxvca5BUq2SPL2qvDL5y8H8Uii4hAQuklY+Au0Wy+Jx3rKoiFnb9 F0ZyczJvfPnF5H+jJ+ylHjzh+MlVyHKRXRqdohD4nL7jdgrCs63TNrfB6u7vBVVs 95Ook7r6oKW54F9ZudajHlgWFlgv5zGvfs6jvrLBkE8FiQepeVIoq+ugVQK2ztNU o3BjvkG1LJqrgnSL1udmTcdL/qIGjs+pDZmI47POM8cUseuFk33t65T+qQMsT8+A Rg3UZGAecbOgEXyrygdmBPM0gbsNOCZ33FNp/VlayeL+TxxRje2G4gnz9XbGz5Jl mGePCmCI7ZhdE0NocgCqAwvYl+P3eJG4TDMcf0a5YVBmmmiwOub2TkDcgaw2qe/p LqcNHBegWwsx8rR+N3X5Q8kop9TtZQibda7y7tfDd3RbkxjyX9ij4T8bvUs+FBSt qatjeSOBfKmKi33r39XPxwELw7r0N9qddU9oocoQejREDhXTbeSSgh2l7Ot17zph Ssw71ePMa00geXDUUZIIKeONhWPXPwLg/XceVYvsEglcmj61KXPl101rrzleLU7q YzKi2KWxlmfKN0lEVtbcLvVEbNM4jBy5KT+5+BtAU+flGw95TPHiQonN3VH99bcy 00KVUqdFZVbrHL9Aqlct =nci7 -----END PGP SIGNATURE-----
# Author: Simon Deziel <simon.dez...@gmail.com>
#include <tunables/global>
/usr/bin/scp {
#include <abstractions/base>
# scp is almost just a wrapper around ssh
/usr/bin/ssh Px,
# for file transfers
owner /** rw,
/** r,
#include <local/usr.bin.scp>
}
# Author: Simon Deziel <simon.dez...@gmail.com>
#include <tunables/global>
/usr/bin/ssh {
#include <abstractions/base>
#include <abstractions/nameservice>
#include <abstractions/openssl>
/etc/ssh/ssh_config r,
# to unlock private keys
/dev/tty rw,
/usr/lib/openssh/gnome-ssh-askpass mix,
owner @{HOME}/.ssh/ rw,
owner @{HOME}/.ssh/** rl,
owner @{HOME}/.ssh/known_hosts rwl,
# use with "ControlPath ~/.ssh/%r@%h:%p"
owner @{HOME}/.ssh/*@*:* rwl,
audit deny @{HOME}/.ssh/authorized_keys{,2} rw,
audit deny @{HOME}/.ssh/config w,
audit deny @{HOME}/.ssh/id_{dsa,rsa,ecdsa,ed25519}{,.pub} w,
owner /tmp/ssh-*/ rw,
owner /tmp/ssh-*/agent.@{pid} rw,
owner /run/user/[0-9]*/keyring-*/ssh rw,
owner @{PROC}/@{pid}/fd/ r,
# for ProxyCommand
/bin/bash Cx -> proxycommand,
/usr/bin/ssh rm,
/bin/nc.openbsd rm,
# Allow to HUP ProxyCommand from subprofile
signal (send) set=("hup") peer=/usr/bin/ssh//nc,
profile proxycommand {
#include <abstractions/base>
/bin/bash rm,
/usr/bin/ssh Px,
# XXX: Cx doesn't work. For details, see
# https://lists.ubuntu.com/archives/apparmor/2012-November/003114.html
#/bin/nc.openbsd Cx -> nc,
/bin/nc.openbsd Px -> /usr/bin/ssh//nc,
# unlocking the key is done by the parent so why is this needed?
/dev/tty rw,
}
profile nc {
#include <abstractions/base>
#include <abstractions/nameservice>
# Accept HUP from parent
signal (receive) set=("hup") peer=/usr/bin/ssh,
/bin/nc.openbsd rix,
}
#include <local/usr.bin.ssh>
}
usr.bin.scp.sig
Description: PGP signature
usr.bin.ssh.sig
Description: PGP signature
-- AppArmor mailing list AppArmor@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
