[apparmor] trouble confining sshd

John Johansen john.johansen at canonical.com
Tue Mar 29 10:38:40 UTC 2011


On 03/29/2011 02:53 AM, Seth Arnold wrote:
> I'm trying to build a profile for sshd 1:5.5p1-4ubuntu5, and I think
> the upstream kernel AppArmor doesn't work quite right:
> 
> Linux haig 2.6.38-02063802-generic #201103281246 SMP Mon Mar 28
> 12:50:24 UTC 2011 x86_64 GNU/Linux
> 
> $ cat /etc/apparmor.d/usr.sbin.sshd
> # Last Modified: Mon Mar 28 16:33:46 2011
> #include <tunables/global>
> 
> /usr/sbin/sshd flags=(complain) {
>   #include <abstractions/base>
>   #include <abstractions/nameservice>
> 
>   capability setgid,
> 
>   /etc/ssh/* r,
>   /etc/ssl/openssl.cnf r,
>   /proc/*/fd/ r,
>   /proc/*/oom_adj w,
>   /usr/sbin/sshd rix,
>   /usr/share/ssh/blacklist.RSA-2048 r,
> 
> }
> $ ssh localhost
> Enter passphrase for key '/home/sarnold/.ssh/id_rsa':
> Write failed: Broken pipe
> 
> I can log in if I remove the profile. Note that the profile has
> flags=(complain), I would expect everything to work fine.
> 
> And dmesg only shows ALLOWED operations.
> 
> apparmor="ALLOWED" operation="open" parent=1 profile="/usr/sbin/sshd"
> name="/usr/share/ssh/blacklist.DSA-1024" pid=6835 comm="sshd"
> requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> apparmor="ALLOWED" operation="open" parent=1 profile="/usr/sbin/sshd"
> name="/proc/6835/oom_adj" pid=6835 comm="sshd" requested_mask="r"
> denied_mask="r" fsuid=0 ouid=0
> apparmor="ALLOWED" operation="capable" parent=1
> profile="/usr/sbin/sshd" pid=6835 comm="sshd" capability=24
> capname="sys_resource"
> apparmor="ALLOWED" operation="mknod" parent=1 profile="/usr/sbin/sshd"
> name="/var/run/sshd.pid" pid=6835 comm="sshd" requested_mask="c"
> denied_mask="c" fsuid=0 ouid=0
> apparmor="ALLOWED" operation="open" parent=1 profile="/usr/sbin/sshd"
> name="/var/run/sshd.pid" pid=6835 comm="sshd" requested_mask="wc"
> denied_mask="wc" fsuid=0 ouid=0
> apparmor="ALLOWED" operation="open" parent=6835
> profile="/usr/sbin/sshd" name="/usr/share/ssh/blacklist.DSA-1024"
> pid=6837 comm="sshd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> apparmor="ALLOWED" operation="open" parent=6835
> profile="/usr/sbin/sshd" name="/etc/hosts.allow" pid=6837 comm="sshd"
> requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> apparmor="ALLOWED" operation="open" parent=6835
> profile="/usr/sbin/sshd" name="/etc/hosts.deny" pid=6837 comm="sshd"
> requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> apparmor="ALLOWED" operation="capable" parent=6837
> profile="/usr/sbin/sshd" pid=6838 comm="sshd" capability=18
> capname="sys_chroot"
> apparmor="ALLOWED" operation="capable" parent=6837
> profile="/usr/sbin/sshd" pid=6838 comm="sshd" capability=7
> capname="setuid"
> apparmor="ALLOWED" operation="capable" parent=6835
> profile="/usr/sbin/sshd" pid=6837 comm="sshd" capability=7
> capname="setuid"
> apparmor="ALLOWED" operation="open" parent=6835
> profile="/usr/sbin/sshd" name="/home/sarnold/.ssh/authorized_keys"
> pid=6837 comm="sshd" requested_mask="r" denied_mask="r" fsuid=1000
> ouid=1000
> apparmor="ALLOWED" operation="open" parent=6835
> profile="/usr/sbin/sshd" name="/etc/shadow" pid=6837 comm="sshd"
> requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> apparmor="ALLOWED" operation="open" parent=6835
> profile="/usr/sbin/sshd" name="/etc/security/pam_env.conf" pid=6837
> comm="sshd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> apparmor="ALLOWED" operation="open" parent=6835
> profile="/usr/sbin/sshd" name="/etc/environment" pid=6837 comm="sshd"
> requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> apparmor="ALLOWED" operation="open" parent=6835
> profile="/usr/sbin/sshd" name="/etc/security/pam_env.conf" pid=6837
> comm="sshd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> apparmor="ALLOWED" operation="open" parent=6835
> profile="/usr/sbin/sshd" name="/etc/default/locale" pid=6837
> comm="sshd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> apparmor="ALLOWED" operation="open" parent=6835
> profile="/usr/sbin/sshd" name="/etc/security/capability.conf" pid=6837
> comm="sshd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> apparmor="ALLOWED" operation="open" parent=6835
> profile="/usr/sbin/sshd" name="/var/run/utmp" pid=6837 comm="sshd"
> requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> apparmor="ALLOWED" operation="file_lock" parent=6835
> profile="/usr/sbin/sshd" name="/var/run/utmp" pid=6837 comm="sshd"
> requested_mask="k" denied_mask="k" fsuid=0 ouid=0
> 
> Is complain mode expected to work?
> 
Yes, it should.

Seth, can you enable debug

  echo 1 > /sys/module/apparmor/parameters/debug

and see if it supplies any more information?
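An added example, not part of the thread and not the apparmor-utils code: a small Python parser that collapses complain-mode ALLOWED records like the ones quoted above into candidate profile rules, which is the check one would run to see what a profile is still missing before switching it to enforce. The sample records are the thread's own audit lines re-joined onto single lines (the archive wrapped them); treating a logged "c" (create) as "w", rewriting /proc/<pid>/ to /proc/*/, and the display order of the permission letters are my assumptions, not AppArmor's own tooling behaviour.

```python
import re
from collections import defaultdict

# Constructed sample: ALLOWED records from the thread, one per line.
SAMPLE_LOG = """\
apparmor="ALLOWED" operation="open" parent=1 profile="/usr/sbin/sshd" name="/usr/share/ssh/blacklist.DSA-1024" pid=6835 comm="sshd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
apparmor="ALLOWED" operation="open" parent=1 profile="/usr/sbin/sshd" name="/proc/6835/oom_adj" pid=6835 comm="sshd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
apparmor="ALLOWED" operation="capable" parent=1 profile="/usr/sbin/sshd" pid=6835 comm="sshd" capability=24 capname="sys_resource"
apparmor="ALLOWED" operation="mknod" parent=1 profile="/usr/sbin/sshd" name="/var/run/sshd.pid" pid=6835 comm="sshd" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
apparmor="ALLOWED" operation="open" parent=1 profile="/usr/sbin/sshd" name="/var/run/sshd.pid" pid=6835 comm="sshd" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0
apparmor="ALLOWED" operation="capable" parent=6837 profile="/usr/sbin/sshd" pid=6838 comm="sshd" capability=7 capname="setuid"
apparmor="ALLOWED" operation="capable" parent=6835 profile="/usr/sbin/sshd" pid=6837 comm="sshd" capability=7 capname="setuid"
apparmor="ALLOWED" operation="open" parent=6835 profile="/usr/sbin/sshd" name="/home/sarnold/.ssh/authorized_keys" pid=6837 comm="sshd" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
apparmor="ALLOWED" operation="open" parent=6835 profile="/usr/sbin/sshd" name="/etc/shadow" pid=6837 comm="sshd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
apparmor="ALLOWED" operation="file_lock" parent=6835 profile="/usr/sbin/sshd" name="/var/run/utmp" pid=6837 comm="sshd" requested_mask="k" denied_mask="k" fsuid=0 ouid=0
"""

# key=value tokens; values are either double-quoted or bare.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Display order for merged permission letters (an assumption, for stable output).
MASK_ORDER = "rwalkmx"


def parse_record(line):
    """Turn one AppArmor audit line into a dict of field -> value."""
    return {key: (quoted if quoted else bare) for key, quoted, bare in FIELD_RE.findall(line)}


def generalize_path(path):
    """Rewrite /proc/<pid>/... to /proc/*/... so the rule outlives the process (assumption)."""
    return re.sub(r"^/proc/\d+/", "/proc/*/", path)


def candidate_rules(log_text):
    """Collapse ALLOWED (complain-mode) records into candidate profile rules.

    In complain mode denied_mask is what enforce mode would have blocked, so
    each record is an access the profile does not yet permit. Returns
    (file_rules, capability_rules) as sorted lists of rule strings.
    """
    masks = defaultdict(set)
    caps = set()
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("apparmor") != "ALLOWED":
            continue
        if rec.get("operation") == "capable":
            caps.add(rec["capname"])
        elif "name" in rec and "denied_mask" in rec:
            path = generalize_path(rec["name"])
            # Profile syntax has no "c"; write permission covers creation (assumption).
            masks[path].update(rec["denied_mask"].replace("c", "w"))
    file_rules = [
        f"{path} {''.join(c for c in MASK_ORDER if c in mask)},"
        for path, mask in sorted(masks.items())
    ]
    cap_rules = [f"capability {name}," for name in sorted(caps)]
    return file_rules, cap_rules


if __name__ == "__main__":
    files, capabilities = candidate_rules(SAMPLE_LOG)
    print("\n".join(capabilities + files))
```

Run against the thread's records this lists, among others, `/etc/shadow r,` and `capability setuid,`, neither of which the quoted profile grants. That is what complain mode is meant to surface; it does not by itself explain the broken pipe, which is why the debug parameter above is the next step.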
