[apparmor] usr.bin.ssh and usr.bin.scp profiles

Simon Deziel simon.deziel at gmail.com
Sat Aug 23 13:50:00 UTC 2014



On 08/23/2014 07:01 AM, Christian Boltz wrote:
> Am Freitag, 22. August 2014 schrieb Simon Deziel:
>> I've been testing those 2 profiles for a bit and feel they are ready
>> to be tested by a larger audience. If any of you is interested,
>> feedback/comments/pull requests(*) are welcome!
> 
> While the profile in general looks good at the first look, I somewhat 
> wonder about
> 
>   /bin/bash Cx -> proxycommand,
> 
>   profile proxycommand {
> [...]
>     /bin/bash rm,
> 
> I slightly ;-) doubt this allows to do anything useful in the shell. 
> I'm afraid you'll need to allow Ux for various shells to fix that.

I believe "Ux" is not desirable here because the shell is only used to
execute the ProxyCommand.

In my testing, the "Cx" transition plus the "rm" in the subprofile were
enough. I only tested with ssh and nc.openbsd as ProxyCommands as they
are the only 2 supported ATM.

Here is the ~/.ssh/config I used to test the ssh profile with bash:

Host aa-nc
  ProxyCommand nc bar 22
Host aa-ssh
  ProxyCommand ssh -qN foo nc bar 22
Host aa-ssh-full-path
  ProxyCommand /usr/bin/ssh -qN foo nc bar 22
Host aa-ssh-twice
  ProxyCommand ssh -qN foo ssh bar nc foo 22

All of them required the "Cx" for bash, even the "aa-ssh-full-path" one.

> Please have a look at the sshd profile we ship in the extras dir 
> (profiles/apparmor/profiles/extras/usr.sbin.sshd in tarball and bzr) 
> which does exactly that.

Very good point, I took the list of shells from there and added them in
the profile. I didn't test ProxyCommands with a different shell than
bash though.

Thanks for the feedback Christian!

Regards,
Simon
-------------- next part --------------
# Author: Simon Deziel <simon.deziel at gmail.com>

#include <tunables/global>

/usr/bin/ssh {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/openssl>

  /etc/ssh/ssh_config r,

  # to unlock private keys
  /dev/tty rw,
  /usr/lib/openssh/gnome-ssh-askpass mix,

  owner @{HOME}/.ssh/   rw,
  owner @{HOME}/.ssh/** rl,
  owner @{HOME}/.ssh/known_hosts rwl,
  # use with "ControlPath ~/.ssh/%r@%h:%p"
  owner @{HOME}/.ssh/*@*:* rwl,
  audit deny @{HOME}/.ssh/authorized_keys{,2} rw,
  audit deny @{HOME}/.ssh/config w,
  audit deny @{HOME}/.ssh/id_{dsa,rsa,ecdsa,ed25519}{,.pub} w,
  owner /tmp/ssh-*/ rw,
  owner /tmp/ssh-*/agent.@{pid} rw,
  owner /run/user/[0-9]*/keyring-*/ssh rw,
  owner @{PROC}/@{pid}/fd/ r,

  # for ProxyCommand
  /bin/ash      Cx -> proxycommand,
  /bin/bash{,2} Cx -> proxycommand,
  /bin/bsh      Cx -> proxycommand,
  /bin/csh      Cx -> proxycommand,
  /bin/dash     Cx -> proxycommand,
  /bin/ksh      Cx -> proxycommand,
  /bin/sh       Cx -> proxycommand,
  /bin/tcsh     Cx -> proxycommand,
  /bin/zsh{,4}  Cx -> proxycommand,
  /usr/bin/ssh rm,
  /bin/nc.openbsd rm,

  # Allow to HUP ProxyCommand from subprofile
  signal (send) set=("hup") peer=/usr/bin/ssh//nc,

  profile proxycommand {
    #include <abstractions/base>

    /bin/ash      rm,
    /bin/bash{,2} rm,
    /bin/bsh      rm,
    /bin/csh      rm,
    /bin/dash     rm,
    /bin/ksh      rm,
    /bin/sh       rm,
    /bin/tcsh     rm,
    /bin/zsh{,4}  rm,
    /usr/bin/ssh Px,
    # XXX: Cx doesn't work. For details, see
    # https://lists.ubuntu.com/archives/apparmor/2012-November/003114.html
    #/bin/nc.openbsd Cx -> nc,
    /bin/nc.openbsd Px -> /usr/bin/ssh//nc,

    # unlocking the key is done by the parent so why is this needed?
    /dev/tty rw,
  }
  profile nc {
    #include <abstractions/base>
    #include <abstractions/nameservice>

    # Accept HUP from parent
    signal (receive) set=("hup") peer=/usr/bin/ssh,

    /bin/nc.openbsd rix,
  }

  #include <local/usr.bin.ssh>
}
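The thread turns on two pairings inside the attached profile: each shell that gets a "Cx -> proxycommand" transition in the parent also needs its "rm" rule inside the proxycommand subprofile (Simon reports Cx plus rm was enough in testing), and the "signal (send) ... peer=/usr/bin/ssh//nc" rule in the parent only makes sense together with the matching "signal (receive) ... peer=/usr/bin/ssh" rule in the nc subprofile. The small Python checker below is an added example, not code from Simon or the AppArmor project; it parses a shortened, constructed excerpt of the posted profile (with /bin/sh deliberately left without an rm rule and the duplicated /bin/csh line kept) and reports both kinds of inconsistency plus duplicate rules. Its parser only understands the flat rule forms used in this profile (path/perms exec rules, signal rules, nested "profile name {" blocks); anything else is ignored.

```python
import re

# Constructed excerpt of the posted usr.bin.ssh profile (shell list shortened).
# /bin/sh is intentionally left without an "rm" rule in the subprofile, and the
# duplicated /bin/csh line is kept, so the checker has findings to report.
PROFILE = """\
/usr/bin/ssh {
  #include <abstractions/base>
  /bin/bash{,2} Cx -> proxycommand,
  /bin/csh      Cx -> proxycommand,
  /bin/csh      Cx -> proxycommand,
  /bin/dash     Cx -> proxycommand,
  /bin/sh       Cx -> proxycommand,
  /usr/bin/ssh rm,
  /bin/nc.openbsd rm,
  signal (send) set=("hup") peer=/usr/bin/ssh//nc,
  profile proxycommand {
    #include <abstractions/base>
    /bin/bash{,2} rm,
    /bin/csh      rm,
    /bin/dash     rm,
    /usr/bin/ssh Px,
    /bin/nc.openbsd Px -> /usr/bin/ssh//nc,
  }
  profile nc {
    signal (receive) set=("hup") peer=/usr/bin/ssh,
    /bin/nc.openbsd rix,
  }
}
"""

HEADER_RE = re.compile(r'^(?:profile\s+)?(\S+)\s*\{$')
EXEC_RE = re.compile(r'^(\S+)\s+([A-Za-z]+)(?:\s*->\s*(\S+))?,$')
SIGNAL_RE = re.compile(r'^signal\s+\((send|receive)\)\s+set=\("?(\w+)"?\)\s+peer=(\S+),$')


def parse_profile(text):
    """Parse a flat AppArmor profile into {full_name: {"rules", "exec", "signals"}}.
    Child profiles are named parent//child, the same form the posted profile
    uses in its peer= rules (/usr/bin/ssh//nc)."""
    profiles, stack = {}, []
    for raw in text.splitlines():
        line = " ".join(raw.split())  # collapse the column-aligned whitespace
        if not line or line.startswith("#"):
            continue
        m = HEADER_RE.match(line)
        if m:
            full = (stack[-1] + "//" + m.group(1)) if stack else m.group(1)
            stack.append(full)
            profiles[full] = {"rules": [], "exec": [], "signals": []}
            continue
        if line == "}":
            stack.pop()
            continue
        cur = profiles[stack[-1]]
        cur["rules"].append(line)
        m = EXEC_RE.match(line)
        if m:
            cur["exec"].append((m.group(1), m.group(2), m.group(3)))
        m = SIGNAL_RE.match(line)
        if m:
            cur["signals"].append((m.group(1), m.group(2), m.group(3)))
    return profiles


def find_duplicate_rules(profiles):
    """Report a rule that appears twice within the same profile block."""
    findings = []
    for name, prof in profiles.items():
        seen = set()
        for rule in prof["rules"]:
            if rule in seen:
                findings.append(f"{name}: duplicate rule '{rule}'")
            seen.add(rule)
    return findings


def check_cx_transitions(profiles):
    """Every 'Cx -> child' rule must point at an existing subprofile, and that
    subprofile must grant map ('m') permission on the same binary, mirroring
    the Cx/rm pairing the posted profile relies on."""
    findings = []
    for name, prof in profiles.items():
        for path, perms, target in prof["exec"]:
            if not perms.startswith("C") or target is None:
                continue
            child = name + "//" + target
            if child not in profiles:
                findings.append(f"{name}: {path} transitions to missing subprofile {target}")
            elif not any(p == path and "m" in q for p, q, _ in profiles[child]["exec"]):
                findings.append(f"{child}: no 'm' rule for {path} (Cx target from {name})")
    return findings


def check_signal_pairs(profiles):
    """AppArmor mediates both ends of a signal: a send rule in P towards X needs
    a receive rule in X naming P as the peer."""
    findings = []
    for name, prof in profiles.items():
        for direction, sig, peer in prof["signals"]:
            if direction != "send":
                continue
            receiver = profiles.get(peer)
            if receiver is None:
                findings.append(f"{name}: sends {sig} to unknown profile {peer}")
            elif ("receive", sig, name) not in receiver["signals"]:
                findings.append(f"{peer}: no rule to receive {sig} from {name}")
    return findings


def audit(text):
    """Run all checks over one profile text and return the list of findings."""
    profiles = parse_profile(text)
    return (find_duplicate_rules(profiles)
            + check_cx_transitions(profiles)
            + check_signal_pairs(profiles))


if __name__ == "__main__":
    for finding in audit(PROFILE):
        print(finding)
```

Run against the excerpt it reports the duplicated /bin/csh rule and the /bin/sh shell that can transition into proxycommand but has no rm rule there; the HUP send/receive pair between /usr/bin/ssh and /usr/bin/ssh//nc checks out clean. Pointing it at the full attached profile only requires pasting that text into PROFILE.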