[apparmor] [patch] Update the sshd profile
Seth Arnold
seth.arnold at canonical.com
Fri Jan 8 07:04:48 UTC 2016
On Thu, Jan 07, 2016 at 08:33:38PM -0500, Simon Deziel wrote:
> > BTW: DBUS support in SSH? I didn't even imagine it could be there ;-)
> > Any hints what it does?
>
> That's the first thing I tripped on when enabling the profile in 14.04.
>
> Upon connection, it sends a Hello to org.freedesktop.DBus then creates
> the session via org.freedesktop.login1.Manager. The ReleaseSession is
> when you log out.

Sounds a bit like a PAM module. It might make sense to figure out which
one and create an abstraction for it.

> Did I misunderstand how Ux works? Say I have a profile defined for
> /bin/bash would Ux allow a transition to it?

You _really_ don't want a /bin/bash profile. :) So many tools expect it to
work for so many different tasks that providing a generic profile for it
is going to be an exercise in futility -- it would need to be extremely wide
and permissive to avoid impacting the system's usability that it would
provide nearly no security value.

Having /bin/bash inherit the profile from its callers, or have a child
profile from its callers, or explicit application-controlled domain
transitions from its callers, are all going to be far better approaches.

If you want interactive users to have confined shells then the best
approach is probably to use pam_apparmor in the PAM stack. (Perhaps
in the common-session file if you want to ensure new services get
the configuration too. Granted, pam_apparmor currently requires the
authenticating service to also be confined because it uses aa_change_hat()
instead of aa_change_profile() or aa_change_onexec() -- though that
ought to be easily addressed...)

Thanks
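
The alternatives named in the message above (inherit, child profile, application-controlled transition), sketched as an AppArmor profile fragment. This is an added example, not part of the original message or of the patch under discussion; the sshd path, the child profile name `shell`, the target name `confined_user` and the rules inside the child profile are assumptions.

```apparmor
# Constructed fragment. Only one exec rule for /bin/bash may be active at a
# time, so the alternatives are commented out; pick exactly one.
#include <tunables/global>

/usr/sbin/sshd {                      # assumed attachment path
  #include <abstractions/base>

  # A: inherit. bash keeps running under the sshd profile itself.
  /bin/bash ix,

  # B: child profile. bash transitions to /usr/sbin/sshd//shell, which is
  #    only reachable from this profile and can be scoped to this caller.
  # /bin/bash Cx -> shell,

  # C: application-controlled transition. The confined program (or a PAM
  #    module running inside it) asks for the change with
  #    aa_change_profile() or aa_change_onexec(); the profile has to permit
  #    the target by name. "confined_user" is a hypothetical profile.
  # change_profile -> confined_user,

  # For contrast: Ux executes the target unconfined (the capital U scrubs
  # the environment first). Px is the mode that moves to a separately
  # defined profile attached to the target.
  # /bin/bash Ux,

  profile shell {                     # hypothetical child used by option B
    #include <abstractions/base>
    #include <abstractions/bash>
    /bin/bash mr,
    owner @{HOME}/** rw,              # illustrative rule only
  }
}
```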