[apparmor] sshd and profile transitions
Simon Deziel
simon.deziel at gmail.com
Tue Sep 29 21:25:36 UTC 2015
Hi everyone,
My sshd is contained by the attached profile (also available here [1]).
Once logged in via SSH, I have an unconfined shell, at least according
to "ps Zaux | grep $$". As such, I would expect to be able to run
everything as usual but if I run a binary contained by Apparmor (like
tcpdump) I get the following denials:
apparmor="DENIED" operation="file_inherit" profile="/usr/sbin/tcpdump"
name="/dev/pts/0" pid=1529 comm="tcpdump" requested_mask="wr"
denied_mask="wr" fsuid=0 ouid=0
[...]
apparmor="DENIED" operation="getattr" info="Failed name lookup -
disconnected path" error=-13 profile="/usr/sbin/tcpdump"
name="apparmor/.null" pid=1529 comm="tcpdump" requested_mask="r"
denied_mask="r" fsuid=0 ouid=0
Adding "/dev/pts/[0-9]* rw" to the tcpdump profile fixes the problem but
it seems like the wrong way. FYI, this also happens with other programs
confined by AA.
I tried putting the sshd profile in complain mode to see if I was
missing something, but that didn't help and didn't log anything additional.
My last attempt was to give sshd access to all the existing capabilities
but it didn't help. I tried that because I noticed that sys_ptrace could
be missing from a profile without any denial being logged.
Any hints on what's going on here would be greatly appreciated.
Thanks in advance,
Simon
1:
https://github.com/simondeziel/aa-profiles/blob/master/14.04/usr.sbin.sshd
-------------- next part --------------
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2005 Novell/SUSE
# Copyright (C) 2012 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
# will need to revalidate this profile once we finish re-architecting
# the change_hat patch.
#
# vim:syntax=apparmor
#include <tunables/global>
# Confinement for the OpenSSH server. The user's login shell is handed off
# with PUx (see the shell list below), so the interactive session itself
# runs either under the shell's own profile or, when none exists,
# unconfined; only sshd and its passwd subprofile stay under this policy.
/usr/sbin/sshd {
#include <abstractions/authentication>
#include <abstractions/base>
#include <abstractions/consoles>
#include <abstractions/dbus-strict>
#include <abstractions/nameservice>
#include <abstractions/wutmp>
capability sys_chroot,
capability sys_resource,
capability sys_tty_config,
capability net_bind_service,
capability chown,
capability fowner,
capability kill,
capability setgid,
capability setuid,
capability audit_control,
capability audit_write,
# dac_override/dac_read_search let sshd bypass file permission bits;
# together with the /** rules further down this is close to unrestricted
# filesystem access for the root part of sshd.
capability dac_override,
capability dac_read_search,
# needed when /proc is mounted with hidepid>=1
capability sys_ptrace,
# ptrace read permission only against unconfined peers (e.g. for reading
# /proc entries of unconfined processes); no ptrace access to other
# confined profiles is granted.
ptrace read peer="unconfined",
# Session registration with systemd-logind; only the two named methods
# on the Manager interface are allowed, and only to an unconfined peer.
dbus send
bus=system
path=/org/freedesktop/login1
interface=org.freedesktop.login1.Manager
member={CreateSession,ReleaseSession}
peer=(label=unconfined),
# Pseudo-terminal allocation. The pty descriptors opened here are passed
# on to the login session; when a program that runs under a different
# profile inherits them, AppArmor checks the inherited fd against that
# program's profile, not this one (the file_inherit denials quoted in the
# message name profile="/usr/sbin/tcpdump").
/dev/ptmx rw,
/dev/pts/[0-9]* rw,
/dev/urandom r,
/etc/default/locale r,
/etc/environment r,
/etc/hosts.allow r,
/etc/hosts.deny r,
/etc/modules.conf r,
/etc/security/** r,
# host keys and sshd_config live here; read-only is sufficient.
/etc/ssh/** r,
/etc/ssl/openssl.cnf r,
# ix: sshd re-executes itself and the child inherits this same profile.
/usr/sbin/sshd mrix,
/var/log/btmp r,
owner /{,var/}run/sshd{,.init}.pid wl,
# Not owner-restricted here, unlike the PRIVSEP_MONITOR hat below which
# uses "owner"; presumably because key lookup happens before sshd has
# switched to the user's uid — confirm against the sshd version in use.
@{HOME}/.ssh/authorized_keys{,2} r,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/limits r,
owner @{PROC}/@{pid}/loginuid rw,
owner @{PROC}/@{pid}/mounts r,
owner @{PROC}/@{pid}/oom_adj rw,
owner @{PROC}/@{pid}/oom_score_adj rw,
owner @{PROC}/@{pid}/uid_map r,
# should only be here for use in non-change-hat openssh
# duplicated from EXEC hat (+r)
# PUx: transition to the shell's own profile if one is loaded, otherwise
# run it unconfined; the capital P scrubs the environment across the
# exec. This is why the login shell shows up as unconfined in ps.
/bin/ash PUxr,
/bin/bash PUxr,
/bin/bash2 PUxr,
/bin/bsh PUxr,
/bin/csh PUxr,
/bin/dash PUxr,
/bin/ksh PUxr,
/bin/sh PUxr,
/bin/tcsh PUxr,
/bin/zsh PUxr,
/bin/zsh4 PUxr,
/bin/zsh5 PUxr,
/sbin/nologin PUxr,
/bin/false PUxr,
# XXX: this needs to be enabled otherwise we risk locking out a user
# Call passwd for password change when expired
# Cx -> passwd: exec into the local "passwd" subprofile defined below
# rather than into a system-wide passwd profile.
/usr/bin/passwd Cx -> passwd,
# to set memory protection for passwd
@{PROC}/@{pid}/task/@{pid}/attr/exec w,
# Subprofile for the expired-password change. It holds write access to
# /etc/shadow, so anything executed with ix inside it inherits that too.
profile passwd {
#include <abstractions/authentication>
#include <abstractions/base>
#include <abstractions/nameservice>
capability audit_write,
capability chown,
capability fsetid,
capability setuid,
capability setgid,
/usr/bin/passwd r,
/dev/pts/[0-9]* rw,
/{,var/}run/utmp rwk,
owner /etc/.pwd.lock rwk,
owner /etc/nshadow rw,
owner /etc/shadow rw,
owner @{PROC}/@{pid}/loginuid r,
# XXX: put into another subprofile?
# ix keeps gnome-keyring-daemon under this passwd subprofile, i.e. with
# the shadow/nshadow rules above; a separate subprofile would narrow it.
/usr/bin/gnome-keyring-daemon ix,
capability ipc_lock,
owner @{PROC}/@{pid}/status r,
owner @{HOME}/.cache/keyring-*/ rw,
owner @{HOME}/.cache/keyring-*/control rw,
}
# duplicated from AUTHENTICATED
# NOTE(review): "/etc.legal" looks like a typo for "/etc/legal" (same in
# the AUTHENTICATED hat below) — confirm which path exists on the host.
/etc.legal r,
/etc/motd r,
/{,var/}run/motd{,.dynamic}{,.new} rw,
/tmp/ssh-[a-zA-Z0-9]*/ w,
/tmp/ssh-[a-zA-Z0-9]*/agent.[0-9]* wl,
# for internal-sftp
# internal-sftp runs inside the sshd process, so the sftp session stays
# under this profile; these three rules grant read of the entire
# filesystem and write to every path whose owner matches the fsuid.
# This is the broadest grant in the profile.
/ r,
/** r,
owner /** rw,
#
# default subprofile for when sshd has authenticated the user
#
# The hats below are commented out (see the header note about the
# change_hat patch); their rules are folded into the main profile above.
#^EXEC {
# #include <abstractions/base>
# /bin/ash PUx,
# /bin/bash PUx,
# /bin/bash2 PUx,
# /bin/bsh PUx,
# /bin/csh PUx,
# /bin/dash PUx,
# /bin/ksh PUx,
# /bin/sh PUx,
# /bin/tcsh PUx,
# /bin/zsh PUx,
# /bin/zsh4 PUx,
# /bin/zsh5 PUx,
# /bin/false PUx,
# /sbin/nologin PUx,
#}
#
# subprofile for handling network input (privilege separated child)
#
#^PRIVSEP {
# #include <abstractions/base>
# #include <abstractions/nameservice>
# capability sys_chroot,
# capability setuid,
# capability setgid,
#}
#
# subprofile that handles authentication requests from the privilege
# separated child
#
#^PRIVSEP_MONITOR {
# #include <abstractions/authentication>
# #include <abstractions/base>
# #include <abstractions/nameservice>
# #include <abstractions/wutmp>
# capability setuid,
# capability setgid,
# capability chown,
# owner @{HOME}/.ssh/authorized_keys{,2} r,
# /dev/ptmx rw,
# /dev/pts/[0-9]* rw,
# /dev/urandom r,
# /etc/hosts.allow r,
# /etc/hosts.deny r,
# /etc/ssh/moduli r,
# owner @{PROC}/@{pid}/mounts r,
#}
#
# subprofile for post-authentication period until the user's shell is spawned
#
#^AUTHENTICATED {
# #include <abstractions/authentication>
# #include <abstractions/consoles>
# #include <abstractions/nameservice>
# #include <abstractions/wutmp>
# capability sys_tty_config,
# capability setgid,
# capability setuid,
# /dev/log w,
# /dev/ptmx rw,
# /etc/default/passwd r,
# /etc/localtime r,
# /etc/writable/localtime r,
# /etc/login.defs r,
# /etc.legal r,
# /etc/motd r,
# /{,var/}run/motd{,.dynamic}{,.new} rw,
# owner /tmp/ssh-[a-zA-Z0-9]*/ w,
# owner /tmp/ssh-[a-zA-Z0-9]*/agent.[0-9]* wl,
#}
}