[apparmor] [patch] Update the sshd profile
Simon Deziel
simon.deziel at gmail.com
Wed Jan 6 16:22:48 UTC 2016
On 2016-01-02 09:38 AM, Christian Boltz wrote:
> Hello,
>
> the sshd profile was bitrotting for a while and denies several
> permissions that are needed for a successful ssh login (see the
> patch for details).
>
> While on it, I added owner restrictions to the @{PROC}/@{pid} rules,
> except @{PROC}/@{pids}/fd/ which is used with the pid of the
> just-logged in user's shell (therefore changed to @{pids}).
>
> The patch makes the sshd profile work on Debian (which initially
> caused this patch via a bug report) and openSUSE.
>
>
> An interesting question is
> + @{PROC}/cmdline r,
> + @{PROC}/1/environ r,
>
> These permissions don't seem to be really needed (sshd and ssh logins
> still work if denying it), and it's questionable why sshd needs to read
> them. Therefore the question is if we want to use 'deny' for those two.
>
>
> References: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=809649
>
>
>
> I propose this patch for trunk, 2.10 and 2.9.
>
> In your review, please also state if you want allow or deny rules for
> reading /proc/cmdline and /proc/1/environ.
I don't know about /proc/cmdline but in the past, I've seen PID 1 being
examined to figure out the default rlimits for the sandbox. Maybe this is
for something similar?
> [ update-sshd-profile.diff ]
>
> === modified file 'profiles/apparmor/profiles/extras/usr.sbin.sshd'
> --- profiles/apparmor/profiles/extras/usr.sbin.sshd 2013-01-05 06:31:00 +0000
> +++ profiles/apparmor/profiles/extras/usr.sbin.sshd 2016-01-02 13:44:20 +0000
> @@ -2,6 +2,8 @@
> #
> # Copyright (C) 2002-2005 Novell/SUSE
> # Copyright (C) 2012 Canonical Ltd.
> +# Copyright (C) 2016 Christian Boltz
> +# Copyright (C) 2016 Evgeni Golov
> #
> # This program is free software; you can redistribute it and/or
> # modify it under the terms of version 2 of the GNU General Public
> @@ -26,14 +28,17 @@
> capability sys_resource,
> capability sys_tty_config,
> capability net_bind_service,
> + capability net_admin,
> capability chown,
> capability fowner,
> capability kill,
> capability setgid,
> capability setuid,
> capability audit_control,
> + capability audit_write,
> capability dac_override,
> capability dac_read_search,
> + capability sys_ptrace,
>
> /dev/ptmx rw,
> /dev/urandom r,
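Review bot: the three added capabilities (`+ capability net_admin,`, `+ capability audit_write,`, `+ capability sys_ptrace,`) carry no comment saying which sshd operation needs each, and sys_ptrace is a broad grant (it is what lets a task read other tasks' /proc entries, which the new @{PROC}/@{pids}/fd/ rule for the user's shell relies on); a one-line comment per capability naming the denial it fixes would let a later reviewer drop the capability again once the need goes away.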
> @@ -48,13 +53,16 @@
> @{PROC}/@{pid}/oom_adj rw,
> @{PROC}/@{pid}/oom_score_adj rw,
> /usr/sbin/sshd mrix,
> - /var/log/btmp r,
> + /var/log/btmp rw,
> /{,var/}run w,
> /{,var/}run/sshd{,.init}.pid wl,
>
> - @{PROC}/@{pid}/fd/ r,
> - @{PROC}/@{pid}/loginuid w,
> - @{PROC}/@{pid}/limits r,
> + @{PROC}/cmdline r,
> + @{PROC}/1/environ r,
> + @{PROC}/@{pids}/fd/ r, # pid of the just-logged in user's shell
> + owner @{PROC}/@{pid}/loginuid rw,
> + owner @{PROC}/@{pid}/limits r,
> + owner @{PROC}/@{pid}/uid_map r,
>
> # should only be here for use in non-change-hat openssh
> # duplicated from EXEC hat
>
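Review bot: `+ @{PROC}/cmdline r,` and `+ @{PROC}/1/environ r,` are, per the cover letter, not needed for logins to succeed, so an allow rule grants reads of PID 1's environment for nothing; either make them `deny` rules (a plain deny is not logged, so the audit noise goes away without granting the access) or add a comment naming the operation that requests them. Two smaller points: `+ @{PROC}/@{pids}/fd/ r,` is the first use of the @{pids} variable in this profile, so please confirm it is defined in the tunables shipped on all three target branches (trunk, 2.10 and 2.9), otherwise the profile will fail to parse there; and `+ /var/log/btmp rw,` widens a login-record file from read to write without a comment on which sshd operation needs the write.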
Those changes are good on their own but the resulting profile leaves
something to be desired: no DBUS support, no support for changing an expired
password, etc. I've put significant effort and testing into a forked profile
[1] for 14.04. I'm currently testing OpenSSH 7.1 on 16.04 and will publish
the results on GitHub as well. I would be glad to help merge those back if
there is interest.
Regards,
Simon
[1] https://github.com/simondeziel/aa-profiles/blob/master/14.04/usr.sbin.sshd
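The thread's two open questions (which of the new rules are actually exercised, and whether the `owner` restriction on the @{PROC}/@{pid} rules is safe) are the kind of thing a reviewer answers from the audit log. The script below is an added example, not code from this thread or from the AppArmor project: it parses AppArmor `DENIED` audit lines and checks each against the candidate rules from the hunk, reporting when an `owner` rule would still deny because the task's fsuid differs from the file's ouid. The sample log lines are constructed for the example, and the glob translator is a simplification that treats @{pid} and @{pids} as a run of digits and supports only `*`, `**` and `{a,b}` alternation.

```python
"""Check AppArmor audit DENIED events against candidate profile rules.

Added example with constructed log lines; the glob translator is a
simplified model of AppArmor path matching, not the real parser.
"""
import re

# Candidate rules from the proposed hunk: (owner-restricted?, path glob, perms).
CANDIDATE_RULES = [
    (False, "@{PROC}/cmdline", "r"),
    (False, "@{PROC}/1/environ", "r"),
    (False, "@{PROC}/@{pids}/fd/", "r"),       # pid of the user's shell
    (True,  "@{PROC}/@{pid}/loginuid", "rw"),
    (True,  "@{PROC}/@{pid}/limits", "r"),
    (True,  "@{PROC}/@{pid}/uid_map", "r"),
    (False, "/var/log/btmp", "rw"),
]

# Constructed audit lines in the format AppArmor writes to the audit log;
# pids, uids and timestamps are made up for the example.
SAMPLE_LOG = """\
type=AVC msg=audit(1451740000.001:101): apparmor="DENIED" operation="open" profile="/usr/sbin/sshd" name="/proc/1/environ" pid=2101 comm="sshd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1451740000.002:102): apparmor="DENIED" operation="open" profile="/usr/sbin/sshd" name="/proc/2105/fd/" pid=2101 comm="sshd" requested_mask="r" denied_mask="r" fsuid=0 ouid=1000
type=AVC msg=audit(1451740000.003:103): apparmor="DENIED" operation="open" profile="/usr/sbin/sshd" name="/proc/2101/loginuid" pid=2101 comm="sshd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
type=AVC msg=audit(1451740000.004:104): apparmor="DENIED" operation="open" profile="/usr/sbin/sshd" name="/proc/2105/limits" pid=2101 comm="sshd" requested_mask="r" denied_mask="r" fsuid=0 ouid=1000
type=AVC msg=audit(1451740000.005:105): apparmor="DENIED" operation="open" profile="/usr/sbin/sshd" name="/var/log/btmp" pid=2101 comm="sshd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
type=AVC msg=audit(1451740000.006:106): apparmor="DENIED" operation="open" profile="/usr/sbin/sshd" name="/proc/2101/environ" pid=2101 comm="sshd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def glob_to_regex(pattern):
    """Translate an AppArmor path glob into an anchored regex (simplified)."""
    out, depth, i = [], 0, 0
    while i < len(pattern):
        if pattern.startswith("@{", i):
            end = pattern.index("}", i)
            name = pattern[i:end + 1]
            if name == "@{PROC}":
                out.append(re.escape("/proc"))
            elif name in ("@{pid}", "@{pids}"):
                out.append("[0-9]+")           # assumption: a run of digits
            else:
                raise ValueError("unknown variable " + name)
            i = end + 1
        elif pattern.startswith("**", i):
            out.append(".*")                   # ** crosses directory boundaries
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")                # * stays within one path component
            i += 1
        elif pattern[i] == "{":
            out.append("(")
            depth += 1
            i += 1
        elif pattern[i] == "}" and depth:
            out.append(")")
            depth -= 1
            i += 1
        elif pattern[i] == "," and depth:
            out.append("|")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return "^" + "".join(out) + "$"


def path_matches(pattern, path):
    return re.match(glob_to_regex(pattern), path) is not None


def parse_event(line):
    """Return the key=value fields of a DENIED line as a dict, else None."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    if fields.get("apparmor") != "DENIED" or "name" not in fields:
        return None
    return fields


def check_event(event, rules):
    """Find a rule that would allow the event.

    Returns (rule path, verdict). An `owner` rule only applies when the
    task's fsuid equals the file's ouid, which is exactly what the audit
    line records; 'w' is taken to cover the 'c' (create) and 'a' (append)
    request bits.
    """
    needed = set(event["requested_mask"].replace("c", "w").replace("a", "w"))
    verdicts = []
    for owner, pattern, perms in rules:
        if not path_matches(pattern, event["name"]):
            continue
        if owner and event["fsuid"] != event["ouid"]:
            verdicts.append((pattern, "owner mismatch"))
        elif needed <= set(perms):
            return (pattern, "allowed")
        else:
            verdicts.append((pattern, "missing " + "".join(sorted(needed - set(perms)))))
    return verdicts[0] if verdicts else (None, "unmatched")


def audit_report(log_text, rules=CANDIDATE_RULES):
    """Return (path, requested mask, rule, verdict) per DENIED event."""
    report = []
    for line in log_text.splitlines():
        event = parse_event(line)
        if event is None:
            continue
        rule, verdict = check_event(event, rules)
        report.append((event["name"], event["requested_mask"], rule, verdict))
    return report


if __name__ == "__main__":
    for path, mask, rule, verdict in audit_report(SAMPLE_LOG):
        print(f"{path:28} {mask:3} {verdict:15} {rule or '-'}")
```

Run against a real log (`audit_report(open("/var/log/audit/audit.log").read())`), an "owner mismatch" line shows where an owner-restricted rule is too tight for what sshd actually does, and an "unmatched" line is a rule the profile still lacks; a rule that never appears in any verdict over a representative set of logins is a candidate for `deny`, which is the test the cover letter applies to /proc/cmdline and /proc/1/environ.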