[apparmor] [Merge] lp:~sdeziel/apparmor/usr.sbin.sshd-refresh into lp:apparmor

Simon Déziel simon.deziel at gmail.com
Sat Jan 9 02:17:23 UTC 2016


Simon Déziel has proposed merging lp:~sdeziel/apparmor/usr.sbin.sshd-refresh into lp:apparmor.

Requested reviews:
  AppArmor Developers (apparmor-dev)

For more details, see:
https://code.launchpad.net/~sdeziel/apparmor/usr.sbin.sshd-refresh/+merge/282088

The proposed profile has been extensively tested on 14.04 (OpenSSH 6.6p1) and very recently also on 16.04 (OpenSSH 7.1p1). The proposed profile includes everything that was in [0]. Also in that thread, Seth Arnold suggested [1] to put the libpam-systemd rules into an abstraction. I hope I got this right.

I tried to break the profile update into smaller chunks but finally gave up because none of the individual commits would have been working on their own.

For those testing the profile, there is (and always has been, AFAICT) a huge limitation with it: one cannot use other AA profiles from the resulting SSH shell. In short, the following wouldn't work:

  ssh root@localhost tcpdump -ni lo0 -c 10

As tcpdump (also confined by AA) would be unable to output to the console. For the curious, please refer to John Johansen's excellent explanation in [2].

Fortunately, I was able to find a (work|hack)around:

cat << "EOF" > /etc/profile.d/01-apparmor-pts-bug-workaround.sh
# kludge to change pts if PPID is contained by sshd's AppArmor profile
# Only act in interactive shells ("$-" contains "i") and only when the parent
# process carries a confinement label that starts with /usr/sbin/sshd.
if echo "$-" | grep -qF i && [ -e "/proc/$PPID/attr/current" ] && \
     grep -qw '^/usr/sbin/sshd' "/proc/$PPID/attr/current"; then
  # Re-exec the login shell under script(1) so it runs on a freshly allocated
  # pty; --return propagates the shell's exit status to the caller.
  exec script --quiet --return --command "$SHELL -l" /dev/null
fi
EOF


Not pretty but it works.

Feedback/suggestions are welcome.


0: https://lists.ubuntu.com/archives/apparmor/2016-January/009059.html
1: https://lists.ubuntu.com/archives/apparmor/2016-January/009105.html
2: https://lists.ubuntu.com/archives/apparmor/2015-September/008624.html
-- 
Your team AppArmor Developers is requested to review the proposed merge of lp:~sdeziel/apparmor/usr.sbin.sshd-refresh into lp:apparmor.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: review-diff.txt
Type: text/x-diff
Size: 9514 bytes
Desc: not available
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20160109/5f9c3cef/attachment.diff>