[apparmor] trouble confining sshd

Seth Arnold seth.arnold at gmail.com
Tue Mar 29 09:53:05 UTC 2011


I'm trying to build a profile for sshd 1:5.5p1-4ubuntu5, and I think
the upstream kernel AppArmor doesn't work quite right:

Linux haig 2.6.38-02063802-generic #201103281246 SMP Mon Mar 28
12:50:24 UTC 2011 x86_64 GNU/Linux

$ cat /etc/apparmor.d/usr.sbin.sshd
# Last Modified: Mon Mar 28 16:33:46 2011
#include <tunables/global>

/usr/sbin/sshd flags=(complain) {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  capability setgid,

  /etc/ssh/* r,
  /etc/ssl/openssl.cnf r,
  /proc/*/fd/ r,
  /proc/*/oom_adj w,
  /usr/sbin/sshd rix,
  /usr/share/ssh/blacklist.RSA-2048 r,

}
$ ssh localhost
Enter passphrase for key '/home/sarnold/.ssh/id_rsa':
Write failed: Broken pipe

I can log in if I remove the profile. Note that the profile has
flags=(complain); I would expect everything to work fine.

And dmesg only shows ALLOWED operations.

apparmor="ALLOWED" operation="open" parent=1 profile="/usr/sbin/sshd" name="/usr/share/ssh/blacklist.DSA-1024" pid=6835 comm="sshd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
apparmor="ALLOWED" operation="open" parent=1 profile="/usr/sbin/sshd" name="/proc/6835/oom_adj" pid=6835 comm="sshd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
apparmor="ALLOWED" operation="capable" parent=1 profile="/usr/sbin/sshd" pid=6835 comm="sshd" capability=24 capname="sys_resource"
apparmor="ALLOWED" operation="mknod" parent=1 profile="/usr/sbin/sshd" name="/var/run/sshd.pid" pid=6835 comm="sshd" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
apparmor="ALLOWED" operation="open" parent=1 profile="/usr/sbin/sshd" name="/var/run/sshd.pid" pid=6835 comm="sshd" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0
apparmor="ALLOWED" operation="open" parent=6835 profile="/usr/sbin/sshd" name="/usr/share/ssh/blacklist.DSA-1024" pid=6837 comm="sshd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
apparmor="ALLOWED" operation="open" parent=6835 profile="/usr/sbin/sshd" name="/etc/hosts.allow" pid=6837 comm="sshd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
apparmor="ALLOWED" operation="open" parent=6835 profile="/usr/sbin/sshd" name="/etc/hosts.deny" pid=6837 comm="sshd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
apparmor="ALLOWED" operation="capable" parent=6837 profile="/usr/sbin/sshd" pid=6838 comm="sshd" capability=18 capname="sys_chroot"
apparmor="ALLOWED" operation="capable" parent=6837 profile="/usr/sbin/sshd" pid=6838 comm="sshd" capability=7 capname="setuid"
apparmor="ALLOWED" operation="capable" parent=6835 profile="/usr/sbin/sshd" pid=6837 comm="sshd" capability=7 capname="setuid"
apparmor="ALLOWED" operation="open" parent=6835 profile="/usr/sbin/sshd" name="/home/sarnold/.ssh/authorized_keys" pid=6837 comm="sshd" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
apparmor="ALLOWED" operation="open" parent=6835 profile="/usr/sbin/sshd" name="/etc/shadow" pid=6837 comm="sshd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
apparmor="ALLOWED" operation="open" parent=6835 profile="/usr/sbin/sshd" name="/etc/security/pam_env.conf" pid=6837 comm="sshd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
apparmor="ALLOWED" operation="open" parent=6835 profile="/usr/sbin/sshd" name="/etc/environment" pid=6837 comm="sshd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
apparmor="ALLOWED" operation="open" parent=6835 profile="/usr/sbin/sshd" name="/etc/security/pam_env.conf" pid=6837 comm="sshd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
apparmor="ALLOWED" operation="open" parent=6835 profile="/usr/sbin/sshd" name="/etc/default/locale" pid=6837 comm="sshd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
apparmor="ALLOWED" operation="open" parent=6835 profile="/usr/sbin/sshd" name="/etc/security/capability.conf" pid=6837 comm="sshd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
apparmor="ALLOWED" operation="open" parent=6835 profile="/usr/sbin/sshd" name="/var/run/utmp" pid=6837 comm="sshd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
apparmor="ALLOWED" operation="file_lock" parent=6835 profile="/usr/sbin/sshd" name="/var/run/utmp" pid=6837 comm="sshd" requested_mask="k" denied_mask="k" fsuid=0 ouid=0

Is complain mode expected to work?
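As an added example (not part of Seth's post, and not AppArmor's own tooling), here is a small Python script that does in miniature what aa-logprof does: it parses AppArmor audit records like the ones above, checks each against the file and capability rules of the posted profile, and prints the rules the profile is still missing in profile syntax. The existing rules are transcribed from the profile in the post; the sample log is a constructed subset of the ALLOWED lines above, joined onto one line each. The glob matcher is a simplified assumption (`*` does not cross `/`, `**` does; no `{a,b}` alternation or character classes), and it assumes AppArmor's `w` permission also covers the create (`c`) mask.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the ALLOWED records from the post, one record per line.
SAMPLE_LOG = """\
apparmor="ALLOWED" operation="open" parent=1 profile="/usr/sbin/sshd" name="/usr/share/ssh/blacklist.DSA-1024" pid=6835 comm="sshd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
apparmor="ALLOWED" operation="open" parent=1 profile="/usr/sbin/sshd" name="/proc/6835/oom_adj" pid=6835 comm="sshd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
apparmor="ALLOWED" operation="capable" parent=1 profile="/usr/sbin/sshd" pid=6835 comm="sshd" capability=24 capname="sys_resource"
apparmor="ALLOWED" operation="mknod" parent=1 profile="/usr/sbin/sshd" name="/var/run/sshd.pid" pid=6835 comm="sshd" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
apparmor="ALLOWED" operation="open" parent=1 profile="/usr/sbin/sshd" name="/var/run/sshd.pid" pid=6835 comm="sshd" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0
apparmor="ALLOWED" operation="open" parent=6835 profile="/usr/sbin/sshd" name="/etc/shadow" pid=6837 comm="sshd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
apparmor="ALLOWED" operation="capable" parent=6837 profile="/usr/sbin/sshd" pid=6838 comm="sshd" capability=18 capname="sys_chroot"
apparmor="ALLOWED" operation="file_lock" parent=6835 profile="/usr/sbin/sshd" name="/var/run/utmp" pid=6837 comm="sshd" requested_mask="k" denied_mask="k" fsuid=0 ouid=0
"""

# File and capability rules transcribed from the usr.sbin.sshd profile in the post.
EXISTING_FILE_RULES = [
    ("/etc/ssh/*", "r"),
    ("/etc/ssl/openssl.cnf", "r"),
    ("/proc/*/fd/", "r"),
    ("/proc/*/oom_adj", "w"),
    ("/usr/sbin/sshd", "rix"),
    ("/usr/share/ssh/blacklist.RSA-2048", "r"),
]
EXISTING_CAPABILITIES = {"setgid"}

# key="quoted value" or key=bareword; quoted alternative is tried first.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')
PERM_ORDER = "rwmlkx"  # canonical order for emitted permission strings


def parse_line(line):
    """Split one AppArmor audit record into a dict of field -> value."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
            for m in FIELD_RE.finditer(line)}


def glob_to_regex(pattern):
    """Assumption: simplified AppArmor glob. '**' spans '/', '*' does not."""
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out, i = out + ".*", i + 2
        elif pattern[i] == "*":
            out, i = out + "[^/]*", i + 1
        else:
            out, i = out + re.escape(pattern[i]), i + 1
    return re.compile("^" + out + "$")


def perms_satisfied(rule_perms, needed_mask):
    """True if the rule's permission letters cover every letter of the logged mask.
    Exec modifiers (the letter before 'x') are not access letters, so only rwmlkx count;
    assumption: 'w' also grants the create mask 'c'."""
    granted = set(rule_perms) & set(PERM_ORDER)
    if "w" in granted:
        granted.add("c")
    return set(needed_mask) <= granted


def is_covered(entry, file_rules, capabilities):
    """Does an existing rule already allow this audit record?"""
    if entry.get("operation") == "capable":
        return entry.get("capname") in capabilities
    name = entry.get("name")
    if name is None:
        return True  # not a file or capability event; out of scope for this script
    mask = entry.get("denied_mask", "")
    return any(glob_to_regex(path).match(name) and perms_satisfied(perms, mask)
               for path, perms in file_rules)


def missing_rules(log_text, file_rules=EXISTING_FILE_RULES, capabilities=EXISTING_CAPABILITIES):
    """Return the profile rules, in AppArmor syntax, that the log shows the profile lacks.
    Masks for the same path are merged and PIDs under /proc are generalised to '*'."""
    files, caps = defaultdict(set), set()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry.get("apparmor") not in ("ALLOWED", "DENIED"):
            continue  # complain mode logs ALLOWED; enforce mode logs DENIED
        if is_covered(entry, file_rules, capabilities):
            continue
        if entry.get("operation") == "capable":
            caps.add(entry["capname"])
        else:
            path = re.sub(r"^/proc/\d+/", "/proc/*/", entry["name"])
            # 'c' (create) is expressed as 'w' in profile syntax (assumption above)
            files[path].update("w" if c == "c" else c
                               for c in entry.get("denied_mask", "") if c in PERM_ORDER + "c")
    rules = sorted(f"capability {c}," for c in caps)
    rules += sorted(f"{p} {''.join(c for c in PERM_ORDER if c in m)},"
                    for p, m in files.items() if m)
    return rules


if __name__ == "__main__":
    for rule in missing_rules(SAMPLE_LOG):
        print(rule)
```

Run against the full log in the post, this reports, among others, that `/proc/*/oom_adj` is requested with `r` while the profile only grants `w`, that `/etc/shadow` and the user's `authorized_keys` are read by the child with no matching rule, and that `sys_resource`, `sys_chroot` and `setuid` are needed alongside `setgid`. That is the expected use of complain mode: the ALLOWED records enumerate exactly what enforce mode would deny.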


