Merge lp:~sdeziel/apparmor/usr.sbin.sshd-refresh into lp:apparmor/2.12

Proposed by Simon Déziel
Status: Merged
Merged at revision: 3441
Proposed branch: lp:~sdeziel/apparmor/usr.sbin.sshd-refresh
Merge into: lp:apparmor/2.12
Diff against target: 285 lines (+109/-130)
2 files modified
profiles/apparmor.d/abstractions/libpam-systemd (+19/-0)
profiles/apparmor/profiles/extras/usr.sbin.sshd (+90/-130)
To merge this branch: bzr merge lp:~sdeziel/apparmor/usr.sbin.sshd-refresh
Reviewer: Seth Arnold
Status: Approve
Review via email: mp+282088@code.launchpad.net

Description of the change

The proposed profile has been extensively tested on 14.04 (OpenSSH 6.6p1) and very recently also on 16.04 (OpenSSH 7.2p2). The proposed profile includes everything that was in [0]. Also in that thread, Seth Arnold suggested [1] to put the libpam-systemd rules into an abstraction. I hope I got this right.

I tried to break the profile update into smaller chunks but finally gave up because none of the individual commits would have been working on their own.

For those testing the profile, there is (and always has been, AFAICT) a huge limitation with it: one cannot use other AA profiles from the resulting SSH shell. In short, the following wouldn't work:

  ssh root@localhost tcpdump -ni lo -c 10

As tcpdump (also confined by AA) would be unable to output to the console. For the curious, please refer to John Johansen's excellent explanation in [2].

Fortunately, I was able to find a (work|hack)around:

cat << "EOF" > /etc/profile.d/01-apparmor-pts-bug-workaround.sh
# kludge to change pts if PPID is contained by sshd's Apparmor profile
if echo "$-" | grep -qF i && [ -e "/proc/$PPID/attr/current" ] && \
     grep -qw '^/usr/sbin/sshd' "/proc/$PPID/attr/current"; then
  exec script --quiet --return --command "$SHELL -l" /dev/null
fi
EOF

Not pretty but it works.

Feedback/suggestions are welcome.

0: https://lists.ubuntu.com/archives/apparmor/2016-January/009059.html
1: https://lists.ubuntu.com/archives/apparmor/2016-January/009105.html
2: https://lists.ubuntu.com/archives/apparmor/2015-September/008624.html

3271. By Simon Déziel

usr.sbin.sshd: add cgroup-related rules

3272. By Simon Déziel

usr.sbin.sshd: allow ptrace tracing to cope with recent kernel/AA changes

3273. By Simon Déziel

usr.sbin.sshd: remove commented-out hat related rules

3274. By Simon Déziel

usr.sbin.sshd: deny net_admin that is not strictly required

Matthew Dawson explained why:

> sshd doesn't actually require the net_admin capability. libpam-systemd tries
> to use it if available to set the send/receive buffers size, but will fall
> back to a non-privileged version if it fails.

https://lists.ubuntu.com/archives/apparmor/2016-April/009586.html

3275. By Simon Déziel

usr.sbin.sshd: allow reading blacklisted host keys

Revision history for this message
Simon Déziel (sdeziel) wrote :

ping?

Revision history for this message
Seth Arnold (seth-arnold) wrote :

Looks good to me, but... all those Ux permissions. I miss the apparmor privsep version.

Thanks

review: Approve

Preview Diff

=== added file 'profiles/apparmor.d/abstractions/libpam-systemd'
--- profiles/apparmor.d/abstractions/libpam-systemd 1970-01-01 00:00:00 +0000
+++ profiles/apparmor.d/abstractions/libpam-systemd 2016-04-29 18:26:17 +0000
@@ -0,0 +1,19 @@
1# vim:syntax=apparmor
2# ------------------------------------------------------------------
3#
4# Copyright (C) 2015-2016 Simon Deziel
5#
6# This program is free software; you can redistribute it and/or
7# modify it under the terms of version 2 of the GNU General Public
8# License published by the Free Software Foundation.
9#
10# ------------------------------------------------------------------
11
12#include <abstractions/dbus-strict>
13
14 # libpam-systemd notifies systemd-logind about session logins/logouts
15 dbus send
16 bus=system
17 path=/org/freedesktop/login1
18 interface=org.freedesktop.login1.Manager
19 member={CreateSession,ReleaseSession},
020
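Review bot: the `dbus send` rule in the new abstraction carries no `peer=` constraint, so a confined sshd may deliver CreateSession/ReleaseSession to any connection on the system bus that exposes that path and interface, not only to systemd-logind. Pinning the destination with `peer=(name=org.freedesktop.login1)` keeps the session credentials that CreateSession carries from reaching an unrelated service and costs nothing for the intended case; the same form is already used elsewhere in the abstractions (for example `peer=(name=org.freedesktop.DBus)` in dbus-strict).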
=== modified file 'profiles/apparmor/profiles/extras/usr.sbin.sshd'
--- profiles/apparmor/profiles/extras/usr.sbin.sshd 2013-01-05 06:31:00 +0000
+++ profiles/apparmor/profiles/extras/usr.sbin.sshd 2016-04-29 18:26:17 +0000
@@ -2,6 +2,7 @@
2#2#
3# Copyright (C) 2002-2005 Novell/SUSE3# Copyright (C) 2002-2005 Novell/SUSE
4# Copyright (C) 2012 Canonical Ltd.4# Copyright (C) 2012 Canonical Ltd.
5# Copyright (C) 2015-2016 Simon Deziel
5#6#
6# This program is free software; you can redistribute it and/or7# This program is free software; you can redistribute it and/or
7# modify it under the terms of version 2 of the GNU General Public8# modify it under the terms of version 2 of the GNU General Public
@@ -19,6 +20,7 @@
19 #include <abstractions/authentication>20 #include <abstractions/authentication>
20 #include <abstractions/base>21 #include <abstractions/base>
21 #include <abstractions/consoles>22 #include <abstractions/consoles>
23 #include <abstractions/libpam-systemd>
22 #include <abstractions/nameservice>24 #include <abstractions/nameservice>
23 #include <abstractions/wutmp>25 #include <abstractions/wutmp>
2426
@@ -32,10 +34,21 @@
32 capability setgid,34 capability setgid,
33 capability setuid,35 capability setuid,
34 capability audit_control,36 capability audit_control,
37 capability audit_write,
35 capability dac_override,38 capability dac_override,
36 capability dac_read_search,39 capability dac_read_search,
40 capability sys_ptrace,
41
42 # sshd doesn't require net_admin. libpam-systemd tries to
43 # use it if available to set the send/receive buffers size,
44 # but will fall back to a non-privileged version if it fails.
45 deny capability net_admin,
46
47 # needed when /proc is mounted with hidepid>=1
48 ptrace (read,trace) peer="unconfined",
3749
38 /dev/ptmx rw,50 /dev/ptmx rw,
51 /dev/pts/[0-9]* rw,
39 /dev/urandom r,52 /dev/urandom r,
40 /etc/default/locale r,53 /etc/default/locale r,
41 /etc/environment r,54 /etc/environment r,
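Review bot: `ptrace (read,trace) peer="unconfined",` together with the newly added `capability sys_ptrace,` lets sshd attach to and control any unconfined process, which is much more than the comment ("needed when /proc is mounted with hidepid>=1") asks for. Reading another process's /proc entries under hidepid only needs the PTRACE_MODE_READ check, which AppArmor maps to the `read` permission; unless `trace` denials were actually observed, narrow this to `ptrace (read) peer="unconfined",` and, if `trace` really is required by the kernel/AppArmor change referred to in revision 3272, name that change in the comment so the grant can be revisited later. The explicit `deny capability net_admin,` with its rationale comment is the right way to silence the libpam-systemd probe without widening the profile.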
@@ -43,142 +56,89 @@
43 /etc/hosts.deny r,56 /etc/hosts.deny r,
44 /etc/modules.conf r,57 /etc/modules.conf r,
45 /etc/security/** r,58 /etc/security/** r,
46 /etc/ssh/* r,59 /etc/ssh/** r,
47 /etc/ssl/openssl.cnf r,60 /etc/ssl/openssl.cnf r,
48 @{PROC}/@{pid}/oom_adj rw,
49 @{PROC}/@{pid}/oom_score_adj rw,
50 /usr/sbin/sshd mrix,61 /usr/sbin/sshd mrix,
51 /var/log/btmp r,62 /usr/share/ssh/blacklist.* r,
52 /{,var/}run w,63 /var/log/btmp rw,
53 /{,var/}run/sshd{,.init}.pid wl,64 owner /{,var/}run/sshd{,.init}.pid wl,
5465 @{HOME}/.ssh/authorized_keys{,2} r,
55 @{PROC}/@{pid}/fd/ r,66
56 @{PROC}/@{pid}/loginuid w,67 @{PROC}/cmdline r,
57 @{PROC}/@{pid}/limits r,68 @{PROC}/1/environ r,
5869 @{PROC}/@{pids}/fd/ r, # pid of the just-logged in user's shell
59# should only be here for use in non-change-hat openssh70 owner @{PROC}/@{pid}/loginuid rw,
60# duplicated from EXEC hat71 owner @{PROC}/@{pid}/limits r,
61 /bin/ash rUx,72 owner @{PROC}/@{pid}/uid_map r,
62 /bin/bash rUx,73 owner @{PROC}/@{pid}/mounts r,
63 /bin/bash2 rUx,74 owner @{PROC}/@{pid}/oom_adj rw,
64 /bin/bsh rUx,75 owner @{PROC}/@{pid}/oom_score_adj rw,
65 /bin/csh rUx,76
66 /bin/dash rUx,77 /sys/fs/cgroup/*/user/*/[0-9]*/ rw,
67 /bin/ksh rUx,78 /sys/fs/cgroup/systemd/user.slice/user-[0-9]*.slice/session-c[0-9]*.scope/ rw,
68 /bin/sh rUx,79
69 /bin/tcsh rUx,80 /bin/ash Uxr,
70 /bin/zsh rUx,81 /bin/bash Uxr,
71 /bin/zsh4 rUx,82 /bin/bash2 Uxr,
72 /sbin/nologin rUx,83 /bin/bsh Uxr,
7384 /bin/csh Uxr,
74# Call passwd for password change when expired85 /bin/dash Uxr,
75# /usr/bin/passwd Px,86 /bin/ksh Uxr,
7687 /bin/sh Uxr,
7788 /bin/tcsh Uxr,
78# stuff duplicated from PRIVSEP_MONITOR89 /bin/zsh Uxr,
79 @{HOME}/.ssh/authorized_keys{,2} r,90 /bin/zsh4 Uxr,
8091 /bin/zsh5 Uxr,
81 /dev/pts/[0-9]* rw,92 /{,usr/}sbin/nologin Uxr,
82 /etc/ssh/moduli r,93 /bin/false Uxr,
83 @{PROC}/@{pid}/mounts r,94
8495 # XXX: this needs to be enabled otherwise we risk locking out a user
85# duplicated from AUTHENTICATED96 # Call passwd for password change when expired
86 /etc/motd r,97 /usr/bin/passwd Cx -> passwd,
87 /{,var/}run/motd{,.new} rw,98
88 /tmp/ssh-*/agent.[0-9]* rwl,99 # to set memory protection for passwd
89100 @{PROC}/@{pid}/task/@{pid}/attr/exec w,
90 /tmp/ssh-*[0-9]*/ w,101 profile passwd {
91
92#
93# default subprofile for when sshd has authenticated the user
94#
95 ^EXEC {
96 #include <abstractions/base>
97
98 /bin/ash Ux,
99 /bin/bash Ux,
100 /bin/bash2 Ux,
101 /bin/bsh Ux,
102 /bin/csh Ux,
103 /bin/dash Ux,
104 /bin/ksh Ux,
105 /bin/sh Ux,
106 /bin/tcsh Ux,
107 /bin/zsh Ux,
108 /bin/zsh4 Ux,
109 /sbin/nologin Ux,
110
111# for debugging
112# /dev/pts/[0-9]* rw,
113 }
114
115#
116# subprofile for handling network input (privilege seperated child)
117#
118 ^PRIVSEP {
119 #include <abstractions/base>
120 #include <abstractions/nameservice>
121
122 capability sys_chroot,
123 capability setuid,
124 capability setgid,
125
126# for debugging
127# /dev/pts/[0-9]* rw,
128 }
129
130#
131# subprofile that handles authentication requests from the privilege
132# seperated child
133#
134 ^PRIVSEP_MONITOR {
135 #include <abstractions/authentication>102 #include <abstractions/authentication>
136 #include <abstractions/base>103 #include <abstractions/base>
137 #include <abstractions/nameservice>104 #include <abstractions/nameservice>
138 #include <abstractions/wutmp>105
139106 capability audit_write,
140
141 capability setuid,
142 capability setgid,
143 capability chown,107 capability chown,
108 capability fsetid,
109 capability setuid,
110 capability setgid,
144111
145 @{HOME}/.ssh/authorized_keys{,2} r,112 /usr/bin/passwd r,
146 /dev/ptmx rw,
147 /dev/pts/[0-9]* rw,113 /dev/pts/[0-9]* rw,
148 /dev/urandom r,114 /{,var/}run/utmp rwk,
149 /etc/hosts.allow r,115
150 /etc/hosts.deny r,116 owner /etc/.pwd.lock rwk,
151 /etc/ssh/moduli r,117 owner /etc/nshadow rw,
152 @{PROC}/@{pid}/mounts r,118 owner /etc/shadow rw,
153119 owner @{PROC}/@{pid}/loginuid r,
154# for debugging120
155# /dev/pts/[0-9]* rw,121 # XXX: put into another subprofile?
156 }122 /usr/bin/gnome-keyring-daemon ix,
157123 capability ipc_lock,
158#124 owner @{PROC}/@{pid}/status r,
159# subprofile for post-authentication period until the user's shell is spawned125 owner @{HOME}/.cache/keyring-*/ rw,
160#126 owner @{HOME}/.cache/keyring-*/control rw,
161 ^AUTHENTICATED {127 }
162 #include <abstractions/authentication>128
163 #include <abstractions/consoles>129 /etc.legal r,
164 #include <abstractions/nameservice>130 /etc/motd r,
165 #include <abstractions/wutmp>131 /{,var/}run/motd{,.dynamic}{,.new} rw,
166132 /tmp/ssh-[a-zA-Z0-9]*/ w,
167 capability sys_tty_config,133 /tmp/ssh-[a-zA-Z0-9]*/agent.[0-9]* wl,
168 capability setgid,134
169 capability setuid,135 # for internal-sftp
170136 / r,
171 /dev/log w,137 /** r,
172 /dev/ptmx rw,138 owner /** rwl,
173 /etc/default/passwd r,139
174 /etc/localtime r,140 /usr/lib/openssh/sftp-server PUx,
175 /etc/login.defs r,141
176 /etc/motd r,142 # Site-specific additions and overrides. See local/README for details.
177 /{,var/}run/motd{,.new} rw,143 #include <local/usr.sbin.sshd>
178 /tmp/ssh-*/agent.[0-9]* rwl,
179 /tmp/ssh-*[0-9]*/ w,
180
181# for debugging
182# /dev/pts/[0-9]* rw,
183 }
184}144}
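Review bot: `/etc.legal r,` in the post-authentication block looks like a typo for `/etc/legal r,` (it sits directly above `/etc/motd r,`); as written the rule matches a file called `/etc.legal` in the root directory and the read of /etc/legal will still be denied. Separately, the `# for internal-sftp` rules `/ r,`, `/** r,` and `owner /** rwl,` apply unconditionally to every sshd deployment, not only those with `Subsystem sftp internal-sftp`; while sshd is still running as root, `owner /** rwl` covers every root-owned file on the system, which largely voids the confinement the rest of the profile builds up. Consider leaving only `/usr/lib/openssh/sftp-server PUx,` in the base profile and moving the three broad rules to the `local/usr.sbin.sshd` include that this hunk already wires up, or into a dedicated subprofile for the internal-sftp case. Finally, `/usr/bin/gnome-keyring-daemon ix,` inside `profile passwd` makes the keyring daemon inherit that subprofile's `owner /etc/shadow rw,` and `owner /etc/nshadow rw,`; the `# XXX: put into another subprofile?` comment already points at the cleaner fix, a separate child profile holding just the keyring rules (`capability ipc_lock`, the `@{HOME}/.cache/keyring-*` paths and `@{PROC}/@{pid}/status`).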
