[apparmor] [Merge] lp:~sdeziel/apparmor/usr.sbin.sshd-refresh into lp:apparmor

Simon Déziel simon.deziel at gmail.com
Thu Apr 21 22:01:00 UTC 2016

The proposal to merge lp:~sdeziel/apparmor/usr.sbin.sshd-refresh into lp:apparmor has been updated.

Description changed to:

The proposed profile has been extensively tested on 14.04 (OpenSSH 6.6p1) and very recently also on 16.04 (OpenSSH 7.2p2). The proposed profile includes everything that was in [0]. Also in that thread, Seth Arnold suggested [1] to put the libpam-systemd rules into an abstraction. I hope I got this right.

I tried to break the profile update into smaller chunks but finally gave up because none of the individual commits would have been working on their own.

For those testing the profile, there is (and always has been AFAICT) a huge limitation with it: one cannot use other AA profiles from the resulting SSH shell. In short, the following wouldn't work:

  ssh root@localhost tcpdump -ni lo0 -c 10

As tcpdump (also confined by AA) would be unable to output to the console. For the curious, please refer to John Johansen's excellent explanation in [2].

Fortunately, I was able to find a (work|hack)around:

cat << "EOF" > /etc/profile.d/01-apparmor-pts-bug-workaround.sh
# kludge to change pts if PPID is contained by sshd's Apparmor profile
# only for interactive shells ("i" in $-) whose parent carries the sshd label
if echo "$-" | grep -qF i && [ -e "/proc/$PPID/attr/current" ] && \
     grep -qw '^/usr/sbin/sshd' "/proc/$PPID/attr/current"; then
  # re-exec the login shell under script(1), which allocates a fresh pty
  exec script --quiet --return --command "$SHELL -l" /dev/null
fi
EOF

Not pretty but it works.

Feedback/suggestions are welcome.

0: https://lists.ubuntu.com/archives/apparmor/2016-January/009059.html
1: https://lists.ubuntu.com/archives/apparmor/2016-January/009105.html
2: https://lists.ubuntu.com/archives/apparmor/2015-September/008624.html

For more details, see:
Your team AppArmor Developers is requested to review the proposed merge of lp:~sdeziel/apparmor/usr.sbin.sshd-refresh into lp:apparmor.
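As an added example (not part of the merge proposal or of the profile under review), the decision logic of the profile.d workaround, factored into shell functions that take the shell flags and the AppArmor label as arguments instead of reading "$-" and /proc/$PPID/attr/current directly, so the behaviour can be checked against constructed labels without a live sshd session. The function names and the sample labels are mine.

```shell
#!/bin/sh
# Added example, not the proposal's own code: the checks performed by the
# /etc/profile.d workaround, separated so each can be exercised on its own.

# Return 0 when the shell flag string (the contents of "$-") marks an
# interactive shell, i.e. contains the letter "i".
is_interactive_flags() {
    printf '%s\n' "$1" | grep -qF i
}

# Return 0 when an AppArmor label, as read from /proc/<pid>/attr/current,
# belongs to the sshd profile. Labels look like "/usr/sbin/sshd (enforce)",
# "/usr/sbin/sshd (complain)" or "unconfined"; child labels such as
# "/usr/sbin/sshd//null-1 (complain)" still start with the sshd path.
# grep -w stops a longer name such as "/usr/sbin/sshdx" from matching.
is_sshd_label() {
    printf '%s\n' "$1" | grep -qw '^/usr/sbin/sshd'
}

# Combine both checks the way the profile.d snippet does, reading the
# parent's label from a caller-supplied file ($2) so a constructed file can
# stand in for /proc/$PPID/attr/current. $1 is the shell flag string.
needs_pts_workaround() {
    [ -e "$2" ] || return 1
    is_interactive_flags "$1" || return 1
    is_sshd_label "$(cat "$2")"
}

# Stand-alone demonstration with a constructed label file (hypothetical values).
if [ "${0##*/}" != "sh" ] && [ -z "$PTS_WORKAROUND_NO_DEMO" ]; then
    demo=$(mktemp)
    printf '/usr/sbin/sshd (enforce)\n' > "$demo"
    if needs_pts_workaround "himBH" "$demo"; then
        echo "interactive shell under sshd label: workaround would apply"
    else
        echo "workaround would not apply"
    fi
    rm -f "$demo"
fi
```

In the real snippet the second argument is /proc/$PPID/attr/current and the first is "$-"; the split only makes the two conditions (interactive shell, parent confined by the sshd profile) visible and testable, it does not change what the workaround decides.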
