[apparmor] usr.bin.ssh and usr.bin.scp profiles
Simon Deziel
simon.deziel at gmail.com
Sat Aug 23 13:50:00 UTC 2014
On 08/23/2014 07:01 AM, Christian Boltz wrote:
> Am Freitag, 22. August 2014 schrieb Simon Deziel:
>> I've been testing those 2 profiles for a bit and feel they are ready
>> to be tested by a larger audience. If any of you is interested,
>> feedback/comments/pull requests(*) are welcome!
>
> While the profile in general looks good at the first look, I somewhat
> wonder about
>
> /bin/bash Cx -> proxycommand,
>
> profile proxycommand {
> [...]
> /bin/bash rm,
>
> I slightly ;-) doubt this allows to do anything useful in the shell.
> I'm afraid you'll need to allow Ux for various shells to fix that.

I believe "Ux" is not desirable here because the shell is only used to
execute the ProxyCommand.

In my testing, the "Cx" transition plus the "rm" in the subprofile were
enough. I only tested with ssh and nc.openbsd as ProxyCommands as they
are the only 2 supported ATM.

Here is the ~/.ssh/config I used to test the ssh profile with bash:

Host aa-nc
  ProxyCommand nc bar 22
Host aa-ssh
  ProxyCommand ssh -qN foo nc bar 22
Host aa-ssh-full-path
  ProxyCommand /usr/bin/ssh -qN foo nc bar 22
Host aa-ssh-twice
  ProxyCommand ssh -qN foo ssh bar nc foo 22

All of them required the "Cx" for bash, even the "aa-ssh-full-path" one.

> Please have a look at the sshd profile we ship in the extras dir
> (profiles/apparmor/profiles/extras/usr.sbin.sshd in tarball and bzr)
> which does exactly that.

Very good point, I took the list of shells from there and added them in
the profile. I didn't test ProxyCommands with a different shell than
bash though.

Thanks for the feedback Christian!

Regards,
Simon
-------------- next part --------------
# Author: Simon Deziel <simon.deziel at gmail.com>
#include <tunables/global>

/usr/bin/ssh {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/openssl>

  /etc/ssh/ssh_config r,

  # to unlock private keys
  /dev/tty rw,
  /usr/lib/openssh/gnome-ssh-askpass mix,

  owner @{HOME}/.ssh/ rw,
  owner @{HOME}/.ssh/** rl,
  owner @{HOME}/.ssh/known_hosts rwl,
  # use with "ControlPath ~/.ssh/%r@%h:%p"
  owner @{HOME}/.ssh/*@*:* rwl,

  audit deny @{HOME}/.ssh/authorized_keys{,2} rw,
  audit deny @{HOME}/.ssh/config w,
  audit deny @{HOME}/.ssh/id_{dsa,rsa,ecdsa,ed25519}{,.pub} w,

  owner /tmp/ssh-*/ rw,
  owner /tmp/ssh-*/agent.@{pid} rw,
  owner /run/user/[0-9]*/keyring-*/ssh rw,
  owner @{PROC}/@{pid}/fd/ r,

  # for ProxyCommand
  /bin/ash Cx -> proxycommand,
  /bin/bash{,2} Cx -> proxycommand,
  /bin/bsh Cx -> proxycommand,
  /bin/csh Cx -> proxycommand,
  /bin/csh Cx -> proxycommand,
  /bin/dash Cx -> proxycommand,
  /bin/ksh Cx -> proxycommand,
  /bin/sh Cx -> proxycommand,
  /bin/tcsh Cx -> proxycommand,
  /bin/zsh{,4} Cx -> proxycommand,
  /usr/bin/ssh rm,
  /bin/nc.openbsd rm,

  # Allow to HUP ProxyCommand from subprofile
  signal (send) set=("hup") peer=/usr/bin/ssh//nc,

  profile proxycommand {
    #include <abstractions/base>

    /bin/ash rm,
    /bin/bash{,2} rm,
    /bin/bsh rm,
    /bin/csh rm,
    /bin/csh rm,
    /bin/dash rm,
    /bin/ksh rm,
    /bin/sh rm,
    /bin/tcsh rm,
    /bin/zsh{,4} rm,

    /usr/bin/ssh Px,
    # XXX: Cx doesn't work. For details, see
    # https://lists.ubuntu.com/archives/apparmor/2012-November/003114.html
    #/bin/nc.openbsd Cx -> nc,
    /bin/nc.openbsd Px -> /usr/bin/ssh//nc,

    # unlocking the key is done by the parent so why is this needed?
    /dev/tty rw,
  }

  profile nc {
    #include <abstractions/base>
    #include <abstractions/nameservice>

    # Accept HUP from parent
    signal (receive) set=("hup") peer=/usr/bin/ssh,

    /bin/nc.openbsd rix,
  }

  #include <local/usr.bin.ssh>
}
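
Added example (not part of the original message or of the AppArmor project): a small consistency check for the pairing discussed in the thread, where every shell given "Cx -> proxycommand" in the parent profile also needs an "rm" rule in the proxycommand subprofile. The names expand, child_rules, missing_in_child and SAMPLE are this example's own, the sample profile is constructed, and the check assumes literal paths and {a,b} alternations only (no * globs).

```python
import re

# Constructed excerpt modelled on the attached profile. The child is
# deliberately missing the zsh rule so the check has something to report.
SAMPLE = """\
/usr/bin/ssh {
  /bin/bash{,2} Cx -> proxycommand,
  /bin/dash Cx -> proxycommand,
  /bin/zsh{,4} Cx -> proxycommand,
  profile proxycommand {
    /bin/bash{,2} rm,
    /bin/dash rm,
    /usr/bin/ssh Px,
  }
}
"""

def expand(path):
    """Expand {a,b} alternations in a rule path into literal paths."""
    m = re.search(r"\{([^{}]*)\}", path)
    if not m:
        return {path}
    out = set()
    for alt in m.group(1).split(","):
        out |= expand(path[:m.start()] + alt + path[m.end():])
    return out

def child_rules(text, child):
    """Lines of 'profile <child> { ... }', ending at a '}' on its own line."""
    m = re.search(r"profile\s+" + re.escape(child) + r"\s*\{(.*?)^[ \t]*\}",
                  text, re.S | re.M)
    return m.group(1).splitlines() if m else []

def missing_in_child(text, child="proxycommand"):
    """Paths with 'Cx -> child' in the parent but without r+m in the child."""
    cx, granted = set(), set()
    pat = r"^[ \t]*(/\S+)\s+Cx\s*->\s*" + re.escape(child) + r"\s*,"
    for m in re.finditer(pat, text, re.M):
        cx |= expand(m.group(1))
    for line in child_rules(text, child):
        m = re.match(r"\s*(/\S+)\s+([a-zA-Z]+)\s*,", line)
        if m and {"r", "m"} <= set(m.group(2)):
            granted |= expand(m.group(1))
    return sorted(cx - granted)

if __name__ == "__main__":
    print(missing_in_child(SAMPLE))
```
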