Simon Déziel has proposed merging lp:~sdeziel/apparmor/usr.sbin.sshd-refresh 
into lp:apparmor.

Requested reviews:
  AppArmor Developers (apparmor-dev)

For more details, see:
https://code.launchpad.net/~sdeziel/apparmor/usr.sbin.sshd-refresh/+merge/282088

The proposed profile has been extensively tested on 14.04 (OpenSSH 6.6p1) and 
very recently also on 16.04 (OpenSSH 7.1p1). The proposed profile includes 
everything that was in [0]. Also in that thread, Seth Arnold suggested [1] to 
put the libpam-systemd rules into an abstraction. I hope I got this right.

I tried to break the profile update into smaller chunks but finally gave up 
because none of the individual commits would have worked on their own.

For those testing the profile, there is (and always has been, AFAICT) a huge 
limitation with it: one cannot use other AA profiles from the resulting SSH 
shell. In short, the following wouldn't work:

  ssh root@localhost tcpdump -ni lo0 -c 10

As tcpdump (also confined by AA) would be unable to output to the console. For 
the curious, please refer to John Johansen's excellent explanation in [2].

Fortunately, I was able to find a (work|hack)around:

cat << "EOF" > /etc/profile.d/01-apparmor-pts-bug-workaround.sh
# kludge to change pts if PPID is contained by sshd's Apparmor profile
if echo "$-" | grep -qF i && [ -e "/proc/$PPID/attr/current" ] && \
     grep -qw '^/usr/sbin/sshd' "/proc/$PPID/attr/current"; then
  exec script --quiet --return --command "$SHELL -l" /dev/null
fi
EOF


Not pretty but it works.

Feedback/suggestions are welcome.


0: https://lists.ubuntu.com/archives/apparmor/2016-January/009059.html
1: https://lists.ubuntu.com/archives/apparmor/2016-January/009105.html
2: https://lists.ubuntu.com/archives/apparmor/2015-September/008624.html
-- 
Your team AppArmor Developers is requested to review the proposed merge of 
lp:~sdeziel/apparmor/usr.sbin.sshd-refresh into lp:apparmor.
=== added file 'profiles/apparmor.d/abstractions/libpam-systemd'
--- profiles/apparmor.d/abstractions/libpam-systemd	1970-01-01 00:00:00 +0000
+++ profiles/apparmor.d/abstractions/libpam-systemd	2016-01-09 02:16:36 +0000
@@ -0,0 +1,19 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2015-2016 Simon Deziel
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#include <abstractions/dbus-strict>
+
+  # libpam-systemd notifies systemd-logind about session logins/logouts
+  dbus send
+    bus=system
+    path=/org/freedesktop/login1
+    interface=org.freedesktop.login1.Manager
+    member={CreateSession,ReleaseSession},
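Review bot: the `dbus send` rule in this abstraction is not bound to the logind service, so any profile that includes it may send `CreateSession`/`ReleaseSession` to whatever name currently owns `/org/freedesktop/login1` on the system bus. Add a peer restriction, e.g. `peer=(name=org.freedesktop.login1),` on the `member=` line, so the rule only matches the real systemd-logind. Minor: the rule body is indented two spaces while the `#include <abstractions/dbus-strict>` above it is not; other abstractions keep both at column 0.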

=== modified file 'profiles/apparmor/profiles/extras/usr.sbin.sshd'
--- profiles/apparmor/profiles/extras/usr.sbin.sshd	2013-01-05 06:31:00 +0000
+++ profiles/apparmor/profiles/extras/usr.sbin.sshd	2016-01-09 02:16:36 +0000
@@ -2,6 +2,7 @@
 #
 #    Copyright (C) 2002-2005 Novell/SUSE
 #    Copyright (C) 2012 Canonical Ltd.
+#    Copyright (C) 2015-2016 Simon Deziel
 #
 #    This program is free software; you can redistribute it and/or
 #    modify it under the terms of version 2 of the GNU General Public
@@ -19,6 +20,7 @@
   #include <abstractions/authentication>
   #include <abstractions/base>
   #include <abstractions/consoles>
+  #include <abstractions/libpam-systemd>
   #include <abstractions/nameservice>
   #include <abstractions/wutmp>
 
@@ -26,16 +28,23 @@
   capability sys_resource,
   capability sys_tty_config,
   capability net_bind_service,
+  capability net_admin,
   capability chown,
   capability fowner,
   capability kill,
   capability setgid,
   capability setuid,
   capability audit_control,
+  capability audit_write,
   capability dac_override,
   capability dac_read_search,
+  capability sys_ptrace,
+
+  # needed when /proc is mounted with hidepid>=1
+  ptrace read peer="unconfined",
 
   /dev/ptmx rw,
+  /dev/pts/[0-9]* rw,
   /dev/urandom r,
   /etc/default/locale r,
   /etc/environment r,
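Review bot: `capability net_admin` is added without a comment, unlike the other new rules in this hunk (`ptrace read peer="unconfined"` carries `# needed when /proc is mounted with hidepid>=1`). net_admin covers interface, routing and firewall configuration plus most privileged socket options, so please record next to the rule which denial or setsockopt in sshd motivated it, or drop it if it only showed up as an audit entry without a functional failure. The hidepid comment should also sit above `capability sys_ptrace`, since that capability (together with the `ptrace read` rule) is presumably what lets the root sshd read `@{PROC}/@{pids}/fd/` of the user's shell later in this patch; as written the comment only explains the `ptrace read` line.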
@@ -43,142 +52,175 @@
   /etc/hosts.deny r,
   /etc/modules.conf r,
   /etc/security/** r,
-  /etc/ssh/* r,
+  /etc/ssh/** r,
   /etc/ssl/openssl.cnf r,
-  @{PROC}/@{pid}/oom_adj rw,
-  @{PROC}/@{pid}/oom_score_adj rw,
   /usr/sbin/sshd mrix,
-  /var/log/btmp r,
-  /{,var/}run w,
-  /{,var/}run/sshd{,.init}.pid wl,
-
-  @{PROC}/@{pid}/fd/ r,
-  @{PROC}/@{pid}/loginuid w,
-  @{PROC}/@{pid}/limits r,
-
-# should only be here for use in non-change-hat openssh
-# duplicated from EXEC hat
-  /bin/ash rUx,
-  /bin/bash rUx,
-  /bin/bash2 rUx,
-  /bin/bsh rUx,
-  /bin/csh rUx,
-  /bin/dash rUx,
-  /bin/ksh rUx,
-  /bin/sh rUx,
-  /bin/tcsh rUx,
-  /bin/zsh rUx,
-  /bin/zsh4 rUx,
-  /sbin/nologin rUx,
-
-# Call passwd for password change when expired
-#  /usr/bin/passwd Px,
-
-
-# stuff duplicated from PRIVSEP_MONITOR
-  @{HOME}/.ssh/authorized_keys{,2}         r,
-
-  /dev/pts/[0-9]* rw,
-  /etc/ssh/moduli r,
-  @{PROC}/@{pid}/mounts r,
-
-# duplicated from AUTHENTICATED
-  /etc/motd r,
-  /{,var/}run/motd{,.new} rw,
-  /tmp/ssh-*/agent.[0-9]* rwl,
-
-  /tmp/ssh-*[0-9]*/ w,
-
-#
-# default subprofile for when sshd has authenticated the user
-#
-  ^EXEC {
-    #include <abstractions/base>
-
-    /bin/ash Ux,
-    /bin/bash Ux,
-    /bin/bash2 Ux,
-    /bin/bsh Ux,
-    /bin/csh Ux,
-    /bin/dash Ux,
-    /bin/ksh Ux,
-    /bin/sh Ux,
-    /bin/tcsh Ux,
-    /bin/zsh Ux,
-    /bin/zsh4 Ux,
-    /sbin/nologin Ux,
-
-# for debugging
-#  /dev/pts/[0-9]*                                              rw,
-  }
-
-#
-# subprofile for handling network input (privilege seperated child)
-#
-  ^PRIVSEP {
-    #include <abstractions/base>
-    #include <abstractions/nameservice>
-
-    capability sys_chroot,
-    capability setuid,
-    capability setgid,
-
-# for debugging
-#  /dev/pts/[0-9]*                                              rw,
-  }
-
-#
-# subprofile that handles authentication requests from the privilege
-# seperated child
-#
-  ^PRIVSEP_MONITOR {
+  /var/log/btmp rw,
+  owner /{,var/}run/sshd{,.init}.pid wl,
+  @{HOME}/.ssh/authorized_keys{,2} r,
+
+
+  @{PROC}/cmdline r,
+  @{PROC}/1/environ r,
+  @{PROC}/@{pids}/fd/ r,  # pid of the just-logged in user's shell
+  owner @{PROC}/@{pid}/loginuid rw,
+  owner @{PROC}/@{pid}/limits r,
+  owner @{PROC}/@{pid}/uid_map r,
+  owner @{PROC}/@{pid}/mounts r,
+  owner @{PROC}/@{pid}/oom_adj rw,
+  owner @{PROC}/@{pid}/oom_score_adj rw,
+
+  # should only be here for use in non-change-hat openssh
+  # duplicated from EXEC hat (+r)
+  /bin/ash      Uxr,
+  /bin/bash     Uxr,
+  /bin/bash2    Uxr,
+  /bin/bsh      Uxr,
+  /bin/csh      Uxr,
+  /bin/dash     Uxr,
+  /bin/ksh      Uxr,
+  /bin/sh       Uxr,
+  /bin/tcsh     Uxr,
+  /bin/zsh      Uxr,
+  /bin/zsh4     Uxr,
+  /bin/zsh5     Uxr,
+  /{,usr/}sbin/nologin Uxr,
+  /bin/false    Uxr,
+
+  # XXX: this needs to be enabled otherwise we risk locking out a user
+  # Call passwd for password change when expired
+  /usr/bin/passwd Cx -> passwd,
+
+  # to set memory protection for passwd
+  @{PROC}/@{pid}/task/@{pid}/attr/exec w,
+  profile passwd {
     #include <abstractions/authentication>
     #include <abstractions/base>
     #include <abstractions/nameservice>
-    #include <abstractions/wutmp>
-
-
-    capability setuid,
-    capability setgid,
+
+    capability audit_write,
     capability chown,
+    capability fsetid,
+    capability setuid,
+    capability setgid,
 
-    @{HOME}/.ssh/authorized_keys{,2}         r,
-    /dev/ptmx rw,
+    /usr/bin/passwd r,
     /dev/pts/[0-9]* rw,
-    /dev/urandom r,
-    /etc/hosts.allow r,
-    /etc/hosts.deny r,
-    /etc/ssh/moduli r,
-    @{PROC}/@{pid}/mounts r,
-
-# for debugging
-#  /dev/pts/[0-9]*                                              rw,
-  }
-
-#
-# subprofile for post-authentication period until the user's shell is spawned
-#
-  ^AUTHENTICATED {
-    #include <abstractions/authentication>
-    #include <abstractions/consoles>
-    #include <abstractions/nameservice>
-    #include <abstractions/wutmp>
-
-    capability sys_tty_config,
-    capability setgid,
-    capability setuid,
-
-    /dev/log  w,
-    /dev/ptmx rw,
-    /etc/default/passwd r,
-    /etc/localtime r,
-    /etc/login.defs r,
-    /etc/motd r,
-    /{,var/}run/motd{,.new} rw,
-    /tmp/ssh-*/agent.[0-9]* rwl,
-    /tmp/ssh-*[0-9]*/ w,
-
-# for debugging
-#  /dev/pts/[0-9]*                                              rw,
-  }
+    /{,var/}run/utmp rwk,
+
+    owner /etc/.pwd.lock rwk,
+    owner /etc/nshadow rw,
+    owner /etc/shadow  rw,
+    owner @{PROC}/@{pid}/loginuid r,
+
+    # XXX: put into another subprofile?
+    /usr/bin/gnome-keyring-daemon ix,
+    capability ipc_lock,
+    owner @{PROC}/@{pid}/status r,
+    owner @{HOME}/.cache/keyring-*/        rw,
+    owner @{HOME}/.cache/keyring-*/control rw,
+  }
+
+  # duplicated from AUTHENTICATED
+  /etc.legal r,
+  /etc/motd r,
+  /{,var/}run/motd{,.dynamic}{,.new} rw,
+  /tmp/ssh-[a-zA-Z0-9]*/ w,
+  /tmp/ssh-[a-zA-Z0-9]*/agent.[0-9]* wl,
+
+  # for internal-sftp
+  /         r,
+  /**       r,
+  owner /** rwl,
+
+  /usr/lib/openssh/sftp-server PUx,
+
+  #
+  # default subprofile for when sshd has authenticated the user
+  #
+  #^EXEC {
+  #  #include <abstractions/base>
+
+  #  /bin/ash      Ux,
+  #  /bin/bash     Ux,
+  #  /bin/bash2    Ux,
+  #  /bin/bsh      Ux,
+  #  /bin/csh      Ux,
+  #  /bin/dash     Ux,
+  #  /bin/ksh      Ux,
+  #  /bin/sh       Ux,
+  #  /bin/tcsh     Ux,
+  #  /bin/zsh      Ux,
+  #  /bin/zsh4     Ux,
+  #  /bin/zsh5     Ux,
+  #  /bin/false    Ux,
+  #  /{,usr/}sbin/nologin Ux,
+  #}
+
+  #
+  # subprofile for handling network input (privilege seperated child)
+  #
+  #^PRIVSEP {
+  #  #include <abstractions/base>
+  #  #include <abstractions/nameservice>
+
+  #  capability sys_chroot,
+  #  capability setuid,
+  #  capability setgid,
+  #}
+
+  #
+  # subprofile that handles authentication requests from the privilege
+  # seperated child
+  #
+  #^PRIVSEP_MONITOR {
+  #  #include <abstractions/authentication>
+  #  #include <abstractions/base>
+  #  #include <abstractions/nameservice>
+  #  #include <abstractions/wutmp>
+
+  #  capability setuid,
+  #  capability setgid,
+  #  capability chown,
+
+  #  owner @{HOME}/.ssh/authorized_keys{,2} r,
+  #  /dev/ptmx rw,
+  #  /dev/pts/[0-9]* rw,
+  #  /dev/urandom r,
+  #  /etc/hosts.allow r,
+  #  /etc/hosts.deny r,
+  #  /etc/ssh/moduli r,
+  #  owner @{PROC}/@{pid}/mounts r,
+  #}
+
+
+  #
+  # subprofile for post-authentication period until the user's shell is spawned
+  #
+  #^AUTHENTICATED {
+  #  #include <abstractions/authentication>
+  #  #include <abstractions/consoles>
+  #  #include <abstractions/nameservice>
+  #  #include <abstractions/wutmp>
+
+  #  capability sys_tty_config,
+  #  capability setgid,
+  #  capability setuid,
+
+  #  /dev/log  w,
+  #  /dev/ptmx rw,
+  #  /etc/default/passwd r,
+  #  /etc/localtime r,
+  #  /etc/writable/localtime r,
+  #  /etc/login.defs r,
+  #  /etc.legal r,
+  #  /etc/motd r,
+  #  /{,var/}run/motd{,.dynamic}{,.new} rw,
+
+  #  owner /tmp/ssh-[a-zA-Z0-9]*/ w,
+  #  owner /tmp/ssh-[a-zA-Z0-9]*/agent.[0-9]* wl,
+  #}
+
+  # Site-specific additions and overrides. See local/README for details.
+  #include <local/usr.sbin.sshd>
 }
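Review bot: the three rules under `# for internal-sftp` (`/ r,`, `/** r,` and `owner /** rwl,`) are in the main profile, so they apply to every sshd process, not just the in-process sftp subsystem, and for the root monitor the `owner` qualifier matches every root-owned file; combined with the existing `capability dac_override` and `dac_read_search` this lets anything running under the profile read the whole filesystem and write or link every root-owned file, which removes most of what the profile confined. If internal-sftp really has to be served from this profile, say so in the comment (it cannot be moved to a subprofile without change_hat) and consider whether `/** r,` is needed at all given that the user child already runs with the user's DAC identity. Two smaller points: `/etc.legal r,` (also in the commented-out AUTHENTICATED hat) looks like a typo for `/etc/legal r,`; and `@{PROC}/@{pids}/fd/ r,` uses `@{pids}` while every other rule uses `@{pid}`, so confirm `@{pids}` is defined in tunables/kernelvars on the oldest release this extras profile targets, otherwise the profile will fail to parse there. The ~80 lines of commented-out hats (EXEC, PRIVSEP, PRIVSEP_MONITOR, AUTHENTICATED) are dead code in the shipped profile; either drop them or keep a one-line comment explaining why they are retained.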

-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/apparmor
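The profile.d snippet in the proposal decides whether to re-exec the login shell under script(1) by looking at `$-` and the parent's `/proc/$PPID/attr/current`. The following is an added example (not part of the merge proposal or the AppArmor project) that splits that decision into functions so the edge cases can be exercised against constructed labels rather than a live sshd: the interactivity test, a missing or unreadable attr file (hidepid, or a kernel without AppArmor), a subprofile label such as `/usr/sbin/sshd//passwd`, and a look-alike profile name that `grep -w '^/usr/sbin/sshd'` would also match. The label format shown in the comments and the `AA_PTS_WORKAROUND` marker variable are assumptions of this example.

```shell
#!/bin/sh
# Added example: decision logic of the /etc/profile.d pts workaround, as
# functions.  Not code from the merge proposal.
#
# Assumed contents of /proc/<pid>/attr/current:
#   unconfined
#   /usr/sbin/sshd (enforce)
#   /usr/sbin/sshd//passwd (enforce)     <- subprofile/hat of sshd

# label_is_sshd LABEL
# True when LABEL is the sshd profile or one of its subprofiles.  A case
# pattern is used instead of `grep -w` so a profile whose name merely starts
# with /usr/sbin/sshd (e.g. /usr/sbin/sshd-foo) does not match: "-" is a
# non-word character, so grep -w would accept it.
label_is_sshd() {
    case $1 in
        /usr/sbin/sshd|'/usr/sbin/sshd '*|/usr/sbin/sshd//*) return 0 ;;
    esac
    return 1
}

# needs_pts_workaround SHELL_FLAGS ATTR_FILE
# SHELL_FLAGS is the caller's "$-"; ATTR_FILE is the parent's attr/current.
# Returns 0 only for an interactive shell whose parent is confined by sshd.
needs_pts_workaround() {
    case $1 in
        *i*) ;;          # interactive login: profile.d is being sourced
        *) return 1 ;;   # non-interactive (ssh host cmd): nothing to do
    esac
    # hidepid or no AppArmor: file missing/unreadable means "not confined";
    # never fail the login over it.
    [ -r "$2" ] || return 1
    read -r label < "$2" || return 1
    # Re-entry guard (assumed variable name).  After the exec below the new
    # shell's parent is script(1), which is unconfined, so the label check
    # already stops recursion; the exported marker makes that explicit.
    [ -z "${AA_PTS_WORKAROUND:-}" ] || return 1
    label_is_sshd "$label"
}

# apply_pts_workaround
# What the profile.d snippet does once the check passes: replace the current
# shell with one running on a pty allocated by script(1) instead of the one
# inherited from sshd (see [2] in the proposal for why that one is unusable
# by confined programs).
apply_pts_workaround() {
    if needs_pts_workaround "$-" "/proc/$PPID/attr/current"; then
        AA_PTS_WORKAROUND=1
        export AA_PTS_WORKAROUND
        exec script --quiet --return --command "$SHELL -l" /dev/null
    fi
}

# Usage from /etc/profile.d/01-apparmor-pts-bug-workaround.sh:
#   . /path/to/this/file && apply_pts_workaround
```

Note that the `$-` test means the workaround only ever fires for interactive shells; a one-shot `ssh host command` never sources profile.d, so it is unaffected either way.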
