[apparmor] [patch] Update the sshd profile
Simon Deziel
simon.deziel at gmail.com
Sat Jan 9 00:49:28 UTC 2016
On 2016-01-08 02:04 AM, Seth Arnold wrote:
> On Thu, Jan 07, 2016 at 08:33:38PM -0500, Simon Deziel wrote:
>>> BTW: DBUS support in SSH? I didn't even imagine it could be there ;-)
>>> Any hints what it does?
>>
>> That's the first thing I tripped on when enabling the profile in 14.04.
>>
>> Upon connection, it sends a Hello to org.freedesktop.DBus then creates
>> the session via org.freedesktop.login1.Manager. The ReleaseSession is
>> when you log out.
>
> Sounds a bit like a PAM module. It might make sense to figure out which
> one and create an abstraction for it.

Seems to be libpam-systemd, as pointed out by Simon McVittie (thanks).

>> Did I misunderstand how Ux works? Say I have a profile defined for
>> /bin/bash would Ux allow a transition to it?
>
> You _really_ don't want a /bin/bash profile. :) So many tools expect it to
> work for so many different tasks that providing a generic profile for it
> is going to be an exercise in futility -- it would need to be extremely wide
> and permissive to avoid impacting the system's usability that it would
> provide nearly no security value.
>
> Having /bin/bash inherit the profile from its callers, or have a child
> profile from its callers, or explicit application-controlled domain
> transitions from its callers, are all going to be far better approaches.

Granted, the rationale was to not prevent someone from confining a shell
if they wanted to. I never intended to use it myself as, like you
mentioned, pam_apparmor is better suited for the job. Let's drop that "P"
then :)

Regards,
Simon