[apparmor] [patch] Update the sshd profile

Christian Boltz apparmor at cboltz.de
Sat Jan 2 14:38:32 UTC 2016


Hello,

the sshd profile was bitrotting for a while and denies several
permissions that are needed for a successful ssh login (see the
patch for details).

While on it, I added owner restrictions to the @{PROC}/@{pid} rules,
except @{PROC}/@{pids}/fd/ which is used with the pid of the
just-logged in user's shell (therefore changed to @{pids}).

The patch makes the sshd profile work on Debian (which initially
caused this patch via a bug report) and openSUSE.


An interesting question is
+  @{PROC}/cmdline r,
+  @{PROC}/1/environ r,

These permissions don't seem to be really needed (sshd and ssh logins
still work when they are denied), and it's questionable why sshd needs to read
them. Therefore the question is whether we want to use 'deny' for those two.


References: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=809649



I propose this patch for trunk, 2.10 and 2.9.

In your review, please also state if you want allow or deny rules for
reading /proc/cmdline and /proc/1/environ.


[ update-sshd-profile.diff ]

=== modified file 'profiles/apparmor/profiles/extras/usr.sbin.sshd'
--- profiles/apparmor/profiles/extras/usr.sbin.sshd     2013-01-05 06:31:00 +0000
+++ profiles/apparmor/profiles/extras/usr.sbin.sshd     2016-01-02 13:44:20 +0000
@@ -2,6 +2,8 @@
 #
 #    Copyright (C) 2002-2005 Novell/SUSE
 #    Copyright (C) 2012 Canonical Ltd.
+#    Copyright (C) 2016 Christian Boltz
+#    Copyright (C) 2016 Evgeni Golov
 #
 #    This program is free software; you can redistribute it and/or
 #    modify it under the terms of version 2 of the GNU General Public
@@ -26,14 +28,17 @@
   capability sys_resource,
   capability sys_tty_config,
   capability net_bind_service,
+  capability net_admin,
   capability chown,
   capability fowner,
   capability kill,
   capability setgid,
   capability setuid,
   capability audit_control,
+  capability audit_write,
   capability dac_override,
   capability dac_read_search,
+  capability sys_ptrace,
 
   /dev/ptmx rw,
   /dev/urandom r,
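
Review bot: the three added capabilities (net_admin, audit_write, sys_ptrace) carry no comment naming the denial each one answers, and net_admin and sys_ptrace are broad grants for a daemon that also holds net_bind_service, setuid and dac_override. The cover note points to the patch for details, but this hunk does not record them. Please add a trailing comment per line, in the style of the "# pid of the just-logged in user's shell" comment used later in the patch, stating which login step or log entry required the capability, so a later reviewer can tell whether it can be dropped again.
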
@@ -48,13 +53,16 @@
   @{PROC}/@{pid}/oom_adj rw,
   @{PROC}/@{pid}/oom_score_adj rw,
   /usr/sbin/sshd mrix,
-  /var/log/btmp r,
+  /var/log/btmp rw,
   /{,var/}run w,
   /{,var/}run/sshd{,.init}.pid wl,
 
-  @{PROC}/@{pid}/fd/ r,
-  @{PROC}/@{pid}/loginuid w,
-  @{PROC}/@{pid}/limits r,
+  @{PROC}/cmdline r,
+  @{PROC}/1/environ r,
+  @{PROC}/@{pids}/fd/ r,  # pid of the just-logged in user's shell
+  owner @{PROC}/@{pid}/loginuid rw,
+  owner @{PROC}/@{pid}/limits r,
+  owner @{PROC}/@{pid}/uid_map r,
 
 # should only be here for use in non-change-hat openssh
 # duplicated from EXEC hat


Regards,

Christian Boltz
-- 
I'm still looking for a nice desk for my keyboard.
It is used exclusively to operate my Linux machine. I have
taped over the Windows keys.
[Markus Nohn in suse-linux on the question "what is OT?"]