Merge lp:~sdeziel/apparmor-profiles/ssh-scp-profiles into lp:apparmor-profiles

Proposed by Simon Déziel on 2014-09-11
Status: Needs review
Proposed branch: lp:~sdeziel/apparmor-profiles/ssh-scp-profiles
Merge into: lp:apparmor-profiles
Diff against target: 601 lines (+555/-0) (has conflicts)
9 files modified
ubuntu/14.04/usr.bin.scp (+26/-0)
ubuntu/14.04/usr.bin.sftp (+34/-0)
ubuntu/14.04/usr.bin.ssh (+121/-0)
ubuntu/14.10/usr.bin.scp (+26/-0)
ubuntu/14.10/usr.bin.sftp (+34/-0)
ubuntu/14.10/usr.bin.ssh (+121/-0)
ubuntu/16.04/usr.bin.scp (+26/-0)
ubuntu/16.04/usr.bin.sftp (+36/-0)
ubuntu/16.04/usr.bin.ssh (+131/-0)
Conflict adding file ubuntu/16.04.  Moved existing file to ubuntu/16.04.moved.
To merge this branch: bzr merge lp:~sdeziel/apparmor-profiles/ssh-scp-profiles
Reviewer: AppArmor Developers
Review type: (none)
Date requested: 2014-09-11
Status: Pending
Review via email: mp+234310@code.launchpad.net

Description of the change

Second attempt at proposing a merge into lp:apparmor-profiles, hopefully in the right direction this time. Sorry for the noise BTW.

This is a slightly modified version of the profiles posted on the Apparmor mailing list [1].

1: https://lists.ubuntu.com/archives/apparmor/2014-August/006178.html

Simon Déziel (sdeziel) wrote :

ping?

137. By Simon Déziel on 2014-11-10

Allow signals between scp and ssh.
Allow scp to fallback to cp

Christian Boltz (cboltz) wrote :

Oh nice, this was overlooked for more than a year :-/

The profiles mostly look good when reading (!= testing) them.

Some small notes:

In the scp profile, you have "/bin/cp PUx,". It's very unlikely that someone has a profile for it, so effectively we get Ux. I'd prefer ix or Cx and a small child profile (assuming cp isn't too hard to profile - I never tried ;-)

In the ssh profile, you have "/usr/lib/openssh/gnome-ssh-askpass mix,". Please also allow /usr/lib/ssh/ssh-askpass which seems to be openSUSE's binary name.

For the ControlPath, I'm afraid you'll need a more permissive wildcard to avoid breaking custom ControlPath settings. For example, I'm using ~/.ssh/ssh_control_HOSTNAME_PORT_USERNAME. Maybe something like ~/.ssh/*[0-9][0-9]* would work for everybody, while not opening up too many unrelated files because of the [0-9][0-9] (two digits) part which should be matched by the port.

Finally, please use "mr" instead of "rm". Technically it's the same, but a) we use "mr" everywhere and b) "rm" might confuse users not too familiar with the permission syntax ;-)

Simon Déziel (sdeziel) wrote :

On 12/30/2015 04:50 PM, Christian Boltz wrote:
> Oh nice, this was overlooked for more than a year :-/

Thanks for reviewing/commenting, that's a nice Christmas gift :)

> The profiles mostly look good when reading (!= testing) them.

I've been using and improving [*] them since the merge proposal. I'll
refresh the merge proposal shortly.

> Some small notes:
>
> In the scp profile, you have "/bin/cp PUx,". It's very unlikely that
> someone has a profile for it, so effectively we get Ux. I'd prefer ix
> or Cx and a small child profile (assuming cp isn't too hard to
> profile - I never tried ;-)

No problem, done.

> In the ssh profile, you have "/usr/lib/openssh/gnome-ssh-askpass
> mix,". Please also allow /usr/lib/ssh/ssh-askpass which seems to be
> openSUSE's binary name.

Thanks for the suggestion.

> For the ControlPath, I'm afraid you'll need a more permissive
> wildcard to avoid breaking custom ControlPath settings. For example,
> I'm using ~/.ssh/ssh_control_HOSTNAME_PORT_USERNAME. Maybe something
> like ~/.ssh/*[0-9][0-9]* would work for everybody, while not opening
> up too many unrelated files because of the [0-9][0-9] (two digits)
> part which should be matched by the port.

I would like to avoid giving such wide access. For example, a two-digit
rule would match the private key: id_ed25519. While this specific case
is covered by an audit deny rule, I fear the ramifications of such a change.

How about having rules allowing the following ControlPath:

~/.ssh/*control*[0-9][0-9]*
~/.ssh/control/**

The ~/.ssh/control subdirectory is because I get tired of tripping on
control sockets when using tab completions inside ~/.ssh :)

> Finally, please use "mr" instead of "rm". Technically it's the same,
> but a) we use "mr" everywhere and b) "rm" might confuse users not too
> familiar with the permission syntax ;-)

No problem Mr. ;)

Thank you very much for the review.

Regards,
Simon

*:
https://github.com/simondeziel/aa-profiles/tree/master/14.04/usr.bin.{ssh,scp}
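To make the glob discussion in this thread concrete (the proposed ~/.ssh/*[0-9][0-9]* versus the narrower *control*[0-9][0-9]* and control/** patterns), here is an added Python example that is not part of the merge proposal or of the AppArmor project: a small translation of AppArmor path globs into regular expressions, run over a constructed list of typical ~/.ssh entries with @{HOME} assumed to expand to /home/alice. It is a simplified model of the pattern rules (`*` never crosses `/`, `**` does, `{a,b}` alternation, `[..]` classes), not the apparmor_parser's own matcher, and it goes slightly beyond the thread by also checking the `id_{dsa,rsa,ecdsa,ed25519}{,.pub}` deny pattern from the ssh profile.

```python
import re

# Constructed tunable value for the demo. On a real system @{HOME} comes
# from tunables/home and may expand to several directories.
VARIABLES = {"@{HOME}": "/home/alice"}

# Constructed sample of what a ~/.ssh directory typically contains.
SAMPLE_PATHS = [
    "/home/alice/.ssh/id_rsa",
    "/home/alice/.ssh/id_ed25519",
    "/home/alice/.ssh/id_ed25519.pub",
    "/home/alice/.ssh/known_hosts",
    "/home/alice/.ssh/config",
    "/home/alice/.ssh/ssh_control_host_22_user",
    "/home/alice/.ssh/master-alice@host:22",
    "/home/alice/.ssh/control/host-22",
]


def glob_to_regex(rule_path, variables=VARIABLES):
    """Translate an AppArmor file-rule path glob into an anchored regex.

    Modelled: '*' (any run of chars except '/'), '**' (any run including
    '/'), '?' (one char except '/'), '[...]' character classes,
    '{a,b}' alternation and @{VAR} substitution. This is a teaching
    approximation of the policy language, not the parser's matcher.
    """
    for name, value in variables.items():
        rule_path = rule_path.replace(name, value)

    out = []
    i = 0
    depth = 0  # nesting level inside {...} so ',' is only special there
    while i < len(rule_path):
        c = rule_path[i]
        if c == "*":
            if rule_path.startswith("**", i):
                out.append(".*")          # '**' may cross directory boundaries
                i += 2
                continue
            out.append("[^/]*")           # '*' stops at the next '/'
        elif c == "?":
            out.append("[^/]")
        elif c == "[":
            j = rule_path.index("]", i)   # copy the class verbatim: [0-9], [^x]
            out.append(rule_path[i:j + 1])
            i = j + 1
            continue
        elif c == "{":
            depth += 1
            out.append("(?:")
        elif c == "}":
            depth -= 1
            out.append(")")
        elif c == "," and depth > 0:
            out.append("|")
        else:
            out.append(re.escape(c))      # '.', '@', '-' etc. are literal
        i += 1
    return re.compile("^" + "".join(out) + "$")


def matches(rule_path, path):
    """True if the AppArmor glob rule_path would match the concrete path."""
    return glob_to_regex(rule_path).fullmatch(path) is not None


def files_matched(rule_path, paths=SAMPLE_PATHS):
    """Return the sample paths a rule would cover, in input order."""
    return [p for p in paths if matches(rule_path, p)]


if __name__ == "__main__":
    for rule in (
        "@{HOME}/.ssh/*[0-9][0-9]*",              # broad proposal
        "@{HOME}/.ssh/*control*[0-9][0-9]*",      # narrower ControlPath rule
        "@{HOME}/.ssh/control/**",                # dedicated subdirectory
        "@{HOME}/.ssh/id_{dsa,rsa,ecdsa,ed25519}{,.pub}",  # the deny rule
    ):
        print(rule)
        for p in files_matched(rule):
            print("   ", p)
```

Running it shows why the thread converged on the narrower patterns: the broad two-digit glob picks up id_ed25519 and its .pub file along with the control sockets, while `*control*[0-9][0-9]*` only matches the socket name, and `control/**` is the only one that reaches into the subdirectory because a single `*` never crosses a `/`.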

138. By Simon Déziel on 2015-12-31

include feedback from Christian Boltz

Simon Déziel (sdeziel) wrote :

Rev 138 includes changes from Christian's feedback as well as other small improvements added since the initial merge proposal.

139. By Simon Deziel <email address hidden> on 2016-01-05

Add sftp profile and add profiles for 16.04

140. By Simon Déziel on 2016-01-05

Add missing unix mediation rules

This is required to allow communication between processes.

Unmerged revisions

140. By Simon Déziel on 2016-01-05

Add missing unix mediation rules

This is required to allow communication between processes.

139. By Simon Deziel <email address hidden> on 2016-01-05

Add sftp profile and add profiles for 16.04

138. By Simon Déziel on 2015-12-31

include feedback from Christian Boltz

137. By Simon Déziel on 2014-11-10

Allow signals between scp and ssh.
Allow scp to fallback to cp

136. By Simon Déziel on 2014-09-11

Add profiles for ssh and scp

Preview Diff

1=== added file 'ubuntu/14.04/usr.bin.scp'
2--- ubuntu/14.04/usr.bin.scp 1970-01-01 00:00:00 +0000
3+++ ubuntu/14.04/usr.bin.scp 2016-01-05 19:23:24 +0000
4@@ -0,0 +1,26 @@
5+# Author: Simon Deziel <simon.deziel@gmail.com>
6+
7+#include <tunables/global>
8+
9+/usr/bin/scp {
10+ #include <abstractions/base>
11+
12+ signal (send) set=(int,winch) peer=/usr/bin/ssh,
13+
14+ # scp is almost just a wrapper around ssh
15+ /usr/bin/ssh Px,
16+
17+ # for file transfers
18+ owner /** rw,
19+ /** r,
20+
21+ # can fallback to cp if only local paths are provided
22+ /bin/cp Cx -> cp_fallback,
23+ profile cp_fallback {
24+ #include <abstractions/base>
25+ owner /** rw,
26+ /** r,
27+ }
28+
29+ #include <local/usr.bin.scp>
30+}
31
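Review bot: the `cp_fallback` child profile gives `/bin/cp` nothing beyond what `/** r,` provides, whereas the `proxycommand` child in usr.bin.ssh lists every binary it runs with `mr`; add `/bin/cp mr,` inside `profile cp_fallback {` so the fallback does not depend on the catch-all read rule alone and the two profiles follow one convention. Also worth a comment above `/usr/bin/ssh Px,`: with `Px` and no loaded profile for the target the exec is denied rather than run unconfined, so installing usr.bin.scp without the usr.bin.ssh profile from this same branch breaks every remote copy.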
32=== added file 'ubuntu/14.04/usr.bin.sftp'
33--- ubuntu/14.04/usr.bin.sftp 1970-01-01 00:00:00 +0000
34+++ ubuntu/14.04/usr.bin.sftp 2016-01-05 19:23:24 +0000
35@@ -0,0 +1,34 @@
36+# Author: Simon Deziel <simon.deziel@gmail.com>
37+
38+#include <tunables/global>
39+
40+/usr/bin/sftp {
41+ #include <abstractions/base>
42+
43+ signal (send) set=(int,winch) peer=/usr/bin/ssh,
44+
45+ # sftp mostly uses ssh
46+ /usr/bin/ssh Px,
47+
48+ # except for local commands (lcd, lls, etc)
49+ # where it uses the user's shell
50+ /bin/ash Ux,
51+ /bin/bash Ux,
52+ /bin/bash2 Ux,
53+ /bin/bsh Ux,
54+ /bin/csh Ux,
55+ /bin/dash Ux,
56+ /bin/ksh Ux,
57+ /bin/sh Ux,
58+ /bin/tcsh Ux,
59+ /bin/zsh Ux,
60+ /bin/zsh4 Ux,
61+ /bin/zsh5 Ux,
62+
63+ # for file transfers
64+ owner /** rw,
65+ / r,
66+ /** r,
67+
68+ #include <local/usr.bin.sftp>
69+}
70
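Review bot: the block from `/bin/ash Ux,` to `/bin/zsh5 Ux,` means every local command sftp runs through the user's shell (`!`, `lcd`, `lls` and friends) leaves confinement entirely; that is a defensible choice, but the comment above it should say so explicitly ("local commands run unconfined") so a reader does not assume sftp is fully confined. Minor: `/ r,` is listed here but not in usr.bin.scp, which carries the same `owner /** rw,` and `/** r,` pair; either both profiles need the root-directory rule or neither does.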
71=== added file 'ubuntu/14.04/usr.bin.ssh'
72--- ubuntu/14.04/usr.bin.ssh 1970-01-01 00:00:00 +0000
73+++ ubuntu/14.04/usr.bin.ssh 2016-01-05 19:23:24 +0000
74@@ -0,0 +1,121 @@
75+# Author: Simon Deziel <simon.deziel@gmail.com>
76+
77+#include <tunables/global>
78+
79+/usr/bin/ssh {
80+ #include <abstractions/base>
81+ #include <abstractions/nameservice>
82+ #include <abstractions/openssl>
83+ #include <abstractions/X>
84+
85+ capability setuid,
86+ capability setgid,
87+
88+ signal (receive) set=(int,winch) peer=/usr/bin/scp,
89+ signal (receive) set=(int,winch) peer=/usr/bin/sftp,
90+
91+ /etc/ssh/ssh_config r,
92+ /etc/ssh/ssh_known_hosts{,2} r,
93+
94+ # for tun/tap tunneling
95+ /dev/net/tun rw,
96+
97+ # to unlock private keys
98+ /dev/tty rw,
99+ /usr/lib/openssh/gnome-ssh-askpass mix,
100+ /usr/lib/ssh/ssh-askpass mix,
101+
102+ owner /dev/pts/[0-9]* rw,
103+
104+ owner @{HOME}/.ssh/ rw,
105+ owner @{HOME}/.ssh/** rl,
106+ owner @{HOME}/.ssh/known_hosts rwl,
107+ owner @{HOME}/.ssh/*control*[0-9][0-9]* rwl,
108+ owner @{HOME}/.ssh/control/** rwl,
109+ audit deny @{HOME}/.ssh/authorized_keys{,2} rw,
110+ audit deny @{HOME}/.ssh/config w,
111+ audit deny @{HOME}/.ssh/id_{dsa,rsa,ecdsa,ed25519}{,.pub} w,
112+ owner /tmp/ssh-*/ rw,
113+ owner /tmp/ssh-*/agent.@{pid} rw,
114+ owner /run/user/[0-9]*/keyring*/ssh rw,
115+ owner @{PROC}/@{pid}/fd/ r,
116+
117+ # for ProxyCommand
118+ /bin/ash Cx -> proxycommand,
119+ /bin/bash Cx -> proxycommand,
120+ /bin/bash2 Cx -> proxycommand,
121+ /bin/bsh Cx -> proxycommand,
122+ /bin/csh Cx -> proxycommand,
123+ /bin/dash Cx -> proxycommand,
124+ /bin/ksh Cx -> proxycommand,
125+ /bin/sh Cx -> proxycommand,
126+ /bin/tcsh Cx -> proxycommand,
127+ /bin/zsh Cx -> proxycommand,
128+ /bin/zsh4 Cx -> proxycommand,
129+ /bin/zsh5 Cx -> proxycommand,
130+ /usr/bin/ssh mr,
131+
132+ profile proxycommand {
133+ #include <abstractions/base>
134+
135+ /bin/ash mr,
136+ /bin/bash mr,
137+ /bin/bash2 mr,
138+ /bin/bsh mr,
139+ /bin/csh mr,
140+ /bin/dash mr,
141+ /bin/ksh mr,
142+ /bin/sh mr,
143+ /bin/tcsh mr,
144+ /bin/zsh mr,
145+ /bin/zsh4 mr,
146+ /bin/zsh5 mr,
147+ /usr/bin/ssh Px,
148+
149+ # XXX: Cx doesn't work. For details, see
150+ # https://lists.ubuntu.com/archives/apparmor/2012-November/003114.html
151+ #/usr/bin/xauth Cx -> xauth,
152+ /usr/bin/xauth Px -> /usr/bin/ssh//xauth,
153+ #/bin/nc.openbsd Cx -> nc,
154+ /bin/nc.openbsd Px -> /usr/bin/ssh//nc,
155+
156+ # unlocking the key is done by the parent so why is this needed?
157+ /dev/tty rw,
158+ }
159+
160+ /tmp/.X11-unix/* r,
161+ owner /tmp/ssh-*/xauthfile w,
162+ profile xauth {
163+ #include <abstractions/base>
164+ #include <abstractions/X>
165+
166+ /usr/bin/xauth r,
167+ /tmp/.X11-unix/* rw,
168+
169+ owner link /tmp/ssh-*/xauthfile -> /tmp/ssh-*/xauthfile-n,
170+ owner link /tmp/ssh-*/xauthfile-l -> /tmp/ssh-*/xauthfile-c,
171+ owner /tmp/ssh-*/xauthfile r,
172+ owner /tmp/ssh-*/xauthfile-c w,
173+ owner /tmp/ssh-*/xauthfile-l w,
174+ owner /tmp/ssh-*/xauthfile-n w,
175+
176+ # for ssh -Y
177+ owner link @{HOME}/.Xauthority-l -> /**/.Xauthority-c,
178+ owner @{HOME}/.Xauthority-c w,
179+ }
180+
181+ # XXX: for configs using "/bin/nc" instead of "ssh -W"
182+ /bin/nc.openbsd mr,
183+ signal (send) set=("hup") peer=/usr/bin/ssh//nc,
184+ profile nc {
185+ #include <abstractions/base>
186+ #include <abstractions/nameservice>
187+
188+ # Accept HUP from parent
189+ signal (receive) set=("hup") peer=/usr/bin/ssh,
190+
191+ /bin/nc.openbsd rix,
192+ }
193+
194+ #include <local/usr.bin.ssh>
195+}
196
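Review bot: `/dev/net/tun rw,` under "for tun/tap tunneling" is not sufficient on its own, because configuring a tun interface (TUNSETIFF) normally requires CAP_NET_ADMIN, which AppArmor mediates; either add `capability net_admin,` next to the existing `capability setuid,` / `capability setgid,` lines or drop the rule and say tunneling is out of scope. The comment `# unlocking the key is done by the parent so why is this needed?` above `/dev/tty rw,` in `profile proxycommand {` is an open question shipped inside policy; replace it with what actually needed the tty during testing (for instance a ProxyCommand that prompts) or remove the rule. In `profile xauth {`, the link target in `owner link @{HOME}/.Xauthority-l -> /**/.Xauthority-c,` reaches the whole filesystem while the write rule right below is `owner @{HOME}/.Xauthority-c w,`; `@{HOME}/.Xauthority-c` as the target would match it. Two smaller points: `owner /tmp/ssh-*/agent.@{pid} rw,` uses `@{pid}` for the agent's pid, not ssh's own, so it only works because `@{pid}` is a digit glob and `[0-9]*` (as already used in `/run/user/[0-9]*/keyring*/ssh`) would read more honestly; and `set=("hup")` is quoted while `set=(int,winch)` is not, so pick one style.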
197=== added file 'ubuntu/14.10/usr.bin.scp'
198--- ubuntu/14.10/usr.bin.scp 1970-01-01 00:00:00 +0000
199+++ ubuntu/14.10/usr.bin.scp 2016-01-05 19:23:24 +0000
200@@ -0,0 +1,26 @@
201+# Author: Simon Deziel <simon.deziel@gmail.com>
202+
203+#include <tunables/global>
204+
205+/usr/bin/scp {
206+ #include <abstractions/base>
207+
208+ signal (send) set=(int,winch) peer=/usr/bin/ssh,
209+
210+ # scp is almost just a wrapper around ssh
211+ /usr/bin/ssh Px,
212+
213+ # for file transfers
214+ owner /** rw,
215+ /** r,
216+
217+ # can fallback to cp if only local paths are provided
218+ /bin/cp Cx -> cp_fallback,
219+ profile cp_fallback {
220+ #include <abstractions/base>
221+ owner /** rw,
222+ /** r,
223+ }
224+
225+ #include <local/usr.bin.scp>
226+}
227
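Review bot: this file is byte-for-byte identical to ubuntu/14.04/usr.bin.scp, so the same points apply: `profile cp_fallback {` should carry `/bin/cp mr,` rather than rely on `/** r,`, and `/usr/bin/ssh Px,` deserves a comment that the usr.bin.ssh profile must be loaded. If the project accepts symlinks between release directories, one shared copy would avoid applying every future fix three times.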
228=== added file 'ubuntu/14.10/usr.bin.sftp'
229--- ubuntu/14.10/usr.bin.sftp 1970-01-01 00:00:00 +0000
230+++ ubuntu/14.10/usr.bin.sftp 2016-01-05 19:23:24 +0000
231@@ -0,0 +1,34 @@
232+# Author: Simon Deziel <simon.deziel@gmail.com>
233+
234+#include <tunables/global>
235+
236+/usr/bin/sftp {
237+ #include <abstractions/base>
238+
239+ signal (send) set=(int,winch) peer=/usr/bin/ssh,
240+
241+ # sftp mostly uses ssh
242+ /usr/bin/ssh Px,
243+
244+ # except for local commands (lcd, lls, etc)
245+ # where it uses the user's shell
246+ /bin/ash Ux,
247+ /bin/bash Ux,
248+ /bin/bash2 Ux,
249+ /bin/bsh Ux,
250+ /bin/csh Ux,
251+ /bin/dash Ux,
252+ /bin/ksh Ux,
253+ /bin/sh Ux,
254+ /bin/tcsh Ux,
255+ /bin/zsh Ux,
256+ /bin/zsh4 Ux,
257+ /bin/zsh5 Ux,
258+
259+ # for file transfers
260+ owner /** rw,
261+ / r,
262+ /** r,
263+
264+ #include <local/usr.bin.sftp>
265+}
266
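Review bot: identical to ubuntu/14.04/usr.bin.sftp, so the same two points apply: the `Ux` shell rules from `/bin/ash Ux,` to `/bin/zsh5 Ux,` send local commands unconfined and the comment should say so, and `/ r,` is present here but absent from the scp profile that uses the same `owner /** rw,` / `/** r,` pair.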
267=== added file 'ubuntu/14.10/usr.bin.ssh'
268--- ubuntu/14.10/usr.bin.ssh 1970-01-01 00:00:00 +0000
269+++ ubuntu/14.10/usr.bin.ssh 2016-01-05 19:23:24 +0000
270@@ -0,0 +1,121 @@
271+# Author: Simon Deziel <simon.deziel@gmail.com>
272+
273+#include <tunables/global>
274+
275+/usr/bin/ssh {
276+ #include <abstractions/base>
277+ #include <abstractions/nameservice>
278+ #include <abstractions/openssl>
279+ #include <abstractions/X>
280+
281+ capability setuid,
282+ capability setgid,
283+
284+ signal (receive) set=(int,winch) peer=/usr/bin/scp,
285+ signal (receive) set=(int,winch) peer=/usr/bin/sftp,
286+
287+ /etc/ssh/ssh_config r,
288+ /etc/ssh/ssh_known_hosts{,2} r,
289+
290+ # for tun/tap tunneling
291+ /dev/net/tun rw,
292+
293+ # to unlock private keys
294+ /dev/tty rw,
295+ /usr/lib/openssh/gnome-ssh-askpass mix,
296+ /usr/lib/ssh/ssh-askpass mix,
297+
298+ owner /dev/pts/[0-9]* rw,
299+
300+ owner @{HOME}/.ssh/ rw,
301+ owner @{HOME}/.ssh/** rl,
302+ owner @{HOME}/.ssh/known_hosts rwl,
303+ owner @{HOME}/.ssh/*control*[0-9][0-9]* rwl,
304+ owner @{HOME}/.ssh/control/** rwl,
305+ audit deny @{HOME}/.ssh/authorized_keys{,2} rw,
306+ audit deny @{HOME}/.ssh/config w,
307+ audit deny @{HOME}/.ssh/id_{dsa,rsa,ecdsa,ed25519}{,.pub} w,
308+ owner /tmp/ssh-*/ rw,
309+ owner /tmp/ssh-*/agent.@{pid} rw,
310+ owner /run/user/[0-9]*/keyring*/ssh rw,
311+ owner @{PROC}/@{pid}/fd/ r,
312+
313+ # for ProxyCommand
314+ /bin/ash Cx -> proxycommand,
315+ /bin/bash Cx -> proxycommand,
316+ /bin/bash2 Cx -> proxycommand,
317+ /bin/bsh Cx -> proxycommand,
318+ /bin/csh Cx -> proxycommand,
319+ /bin/dash Cx -> proxycommand,
320+ /bin/ksh Cx -> proxycommand,
321+ /bin/sh Cx -> proxycommand,
322+ /bin/tcsh Cx -> proxycommand,
323+ /bin/zsh Cx -> proxycommand,
324+ /bin/zsh4 Cx -> proxycommand,
325+ /bin/zsh5 Cx -> proxycommand,
326+ /usr/bin/ssh mr,
327+
328+ profile proxycommand {
329+ #include <abstractions/base>
330+
331+ /bin/ash mr,
332+ /bin/bash mr,
333+ /bin/bash2 mr,
334+ /bin/bsh mr,
335+ /bin/csh mr,
336+ /bin/dash mr,
337+ /bin/ksh mr,
338+ /bin/sh mr,
339+ /bin/tcsh mr,
340+ /bin/zsh mr,
341+ /bin/zsh4 mr,
342+ /bin/zsh5 mr,
343+ /usr/bin/ssh Px,
344+
345+ # XXX: Cx doesn't work. For details, see
346+ # https://lists.ubuntu.com/archives/apparmor/2012-November/003114.html
347+ #/usr/bin/xauth Cx -> xauth,
348+ /usr/bin/xauth Px -> /usr/bin/ssh//xauth,
349+ #/bin/nc.openbsd Cx -> nc,
350+ /bin/nc.openbsd Px -> /usr/bin/ssh//nc,
351+
352+ # unlocking the key is done by the parent so why is this needed?
353+ /dev/tty rw,
354+ }
355+
356+ /tmp/.X11-unix/* r,
357+ owner /tmp/ssh-*/xauthfile w,
358+ profile xauth {
359+ #include <abstractions/base>
360+ #include <abstractions/X>
361+
362+ /usr/bin/xauth r,
363+ /tmp/.X11-unix/* rw,
364+
365+ owner link /tmp/ssh-*/xauthfile -> /tmp/ssh-*/xauthfile-n,
366+ owner link /tmp/ssh-*/xauthfile-l -> /tmp/ssh-*/xauthfile-c,
367+ owner /tmp/ssh-*/xauthfile r,
368+ owner /tmp/ssh-*/xauthfile-c w,
369+ owner /tmp/ssh-*/xauthfile-l w,
370+ owner /tmp/ssh-*/xauthfile-n w,
371+
372+ # for ssh -Y
373+ owner link @{HOME}/.Xauthority-l -> /**/.Xauthority-c,
374+ owner @{HOME}/.Xauthority-c w,
375+ }
376+
377+ # XXX: for configs using "/bin/nc" instead of "ssh -W"
378+ /bin/nc.openbsd mr,
379+ signal (send) set=("hup") peer=/usr/bin/ssh//nc,
380+ profile nc {
381+ #include <abstractions/base>
382+ #include <abstractions/nameservice>
383+
384+ # Accept HUP from parent
385+ signal (receive) set=("hup") peer=/usr/bin/ssh,
386+
387+ /bin/nc.openbsd rix,
388+ }
389+
390+ #include <local/usr.bin.ssh>
391+}
392
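Review bot: identical to ubuntu/14.04/usr.bin.ssh, so the notes there carry over unchanged: `/dev/net/tun rw,` without `capability net_admin,`, the unresolved `# unlocking the key is done by the parent so why is this needed?` comment in `profile proxycommand {`, the `/**/.Xauthority-c` link target in `profile xauth {`, and the `@{pid}` / quoting nits. Whatever is changed on the 14.04 copy must be mirrored here.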
393=== added directory 'ubuntu/16.04'
394=== renamed directory 'ubuntu/16.04' => 'ubuntu/16.04.moved'
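Review bot: the `=== renamed directory 'ubuntu/16.04' => 'ubuntu/16.04.moved'` line (and the "has conflicts" flag on the proposal) shows this branch adds ubuntu/16.04 on top of a target that already contains that directory; merged as-is it would move the target's existing 16.04 profiles aside. Rebase on current lp:apparmor-profiles so the three new files land inside the existing ubuntu/16.04 directory and the `.moved` rename disappears from the diff.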
395=== added file 'ubuntu/16.04/usr.bin.scp'
396--- ubuntu/16.04/usr.bin.scp 1970-01-01 00:00:00 +0000
397+++ ubuntu/16.04/usr.bin.scp 2016-01-05 19:23:24 +0000
398@@ -0,0 +1,26 @@
399+# Author: Simon Deziel <simon.deziel@gmail.com>
400+
401+#include <tunables/global>
402+
403+/usr/bin/scp {
404+ #include <abstractions/base>
405+
406+ signal (send) set=(int,winch) peer=/usr/bin/ssh,
407+
408+ # scp is almost just a wrapper around ssh
409+ /usr/bin/ssh Px,
410+
411+ # for file transfers
412+ owner /** rw,
413+ /** r,
414+
415+ # can fallback to cp if only local paths are provided
416+ /bin/cp Cx -> cp_fallback,
417+ profile cp_fallback {
418+ #include <abstractions/base>
419+ owner /** rw,
420+ /** r,
421+ }
422+
423+ #include <local/usr.bin.scp>
424+}
425
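Review bot: this copy is identical to the 14.04 and 14.10 scp profiles (same `cp_fallback` point: add `/bin/cp mr,`), but unlike ubuntu/16.04/usr.bin.sftp, which gains `unix (send,receive) type=stream peer=(label=/usr/bin/ssh),` in this revision, scp gets no unix rule and ubuntu/16.04/usr.bin.ssh has no `peer=(label=/usr/bin/scp)` rule either. If that is because scp talks to its ssh child over pipes rather than a socketpair, a one-line comment saying so next to `/usr/bin/ssh Px,` would stop the next reader from "fixing" the asymmetry.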
426=== added file 'ubuntu/16.04/usr.bin.sftp'
427--- ubuntu/16.04/usr.bin.sftp 1970-01-01 00:00:00 +0000
428+++ ubuntu/16.04/usr.bin.sftp 2016-01-05 19:23:24 +0000
429@@ -0,0 +1,36 @@
430+# Author: Simon Deziel <simon.deziel@gmail.com>
431+
432+#include <tunables/global>
433+
434+/usr/bin/sftp {
435+ #include <abstractions/base>
436+
437+ signal (send) set=(int,winch) peer=/usr/bin/ssh,
438+
439+ unix (send,receive) type=stream peer=(label=/usr/bin/ssh),
440+
441+ # sftp mostly uses ssh
442+ /usr/bin/ssh Px,
443+
444+ # except for local commands (lcd, lls, etc)
445+ # where it uses the user's shell
446+ /bin/ash Ux,
447+ /bin/bash Ux,
448+ /bin/bash2 Ux,
449+ /bin/bsh Ux,
450+ /bin/csh Ux,
451+ /bin/dash Ux,
452+ /bin/ksh Ux,
453+ /bin/sh Ux,
454+ /bin/tcsh Ux,
455+ /bin/zsh Ux,
456+ /bin/zsh4 Ux,
457+ /bin/zsh5 Ux,
458+
459+ # for file transfers
460+ owner /** rw,
461+ / r,
462+ /** r,
463+
464+ #include <local/usr.bin.sftp>
465+}
466
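Review bot: `unix (send,receive) type=stream peer=(label=/usr/bin/ssh),` is the only difference from the 14.04 and 14.10 copies, and the question is whether those copies need it too: they already rely on `signal (send) set=(int,winch) peer=/usr/bin/ssh,`, which implies the same extended mediation is in play there, so either add the unix rule to all three or comment here on why only 16.04 requires it. The `Ux` shell block and the `/ r,` versus scp inconsistency noted on the 14.04 file apply unchanged.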
467=== added file 'ubuntu/16.04/usr.bin.ssh'
468--- ubuntu/16.04/usr.bin.ssh 1970-01-01 00:00:00 +0000
469+++ ubuntu/16.04/usr.bin.ssh 2016-01-05 19:23:24 +0000
470@@ -0,0 +1,131 @@
471+# Author: Simon Deziel <simon.deziel@gmail.com>
472+
473+#include <tunables/global>
474+
475+/usr/bin/ssh {
476+ #include <abstractions/base>
477+ #include <abstractions/nameservice>
478+ #include <abstractions/openssl>
479+ #include <abstractions/X>
480+
481+ capability setuid,
482+ capability setgid,
483+
484+ signal (receive) set=(int,winch) peer=/usr/bin/scp,
485+ signal (receive) set=(int,winch) peer=/usr/bin/sftp,
486+
487+ unix (send,receive) type=stream peer=(label=/usr/bin/sftp),
488+ unix (send,receive) type=stream peer=(label=/usr/bin/ssh),
489+ unix (send,receive) type=stream peer=(label=/usr/bin/ssh//*),
490+
491+ /etc/ssh/ssh_config r,
492+ /etc/ssh/ssh_known_hosts{,2} r,
493+
494+ # for tun/tap tunneling
495+ /dev/net/tun rw,
496+
497+ # to unlock private keys
498+ /dev/tty rw,
499+ /usr/lib/openssh/gnome-ssh-askpass mix,
500+ /usr/lib/ssh/ssh-askpass mix,
501+
502+ owner /dev/pts/[0-9]* rw,
503+
504+ owner @{HOME}/.ssh/ rw,
505+ owner @{HOME}/.ssh/** rl,
506+ owner @{HOME}/.ssh/known_hosts rwl,
507+ owner @{HOME}/.ssh/*control*[0-9][0-9]* rwl,
508+ owner @{HOME}/.ssh/control/** rwl,
509+ audit deny @{HOME}/.ssh/authorized_keys{,2} rw,
510+ audit deny @{HOME}/.ssh/config w,
511+ audit deny @{HOME}/.ssh/id_{dsa,rsa,ecdsa,ed25519}{,.pub} w,
512+ owner /tmp/ssh-*/ rw,
513+ owner /tmp/ssh-*/agent.@{pid} rw,
514+ owner /run/user/[0-9]*/keyring*/ssh rw,
515+ owner @{PROC}/@{pid}/fd/ r,
516+
517+ # for ProxyCommand
518+ /bin/ash Cx -> proxycommand,
519+ /bin/bash Cx -> proxycommand,
520+ /bin/bash2 Cx -> proxycommand,
521+ /bin/bsh Cx -> proxycommand,
522+ /bin/csh Cx -> proxycommand,
523+ /bin/dash Cx -> proxycommand,
524+ /bin/ksh Cx -> proxycommand,
525+ /bin/sh Cx -> proxycommand,
526+ /bin/tcsh Cx -> proxycommand,
527+ /bin/zsh Cx -> proxycommand,
528+ /bin/zsh4 Cx -> proxycommand,
529+ /bin/zsh5 Cx -> proxycommand,
530+ /usr/bin/ssh mr,
531+
532+ profile proxycommand {
533+ #include <abstractions/base>
534+
535+ unix (send,receive) type=stream peer=(label=/usr/bin/ssh),
536+
537+ /bin/ash mr,
538+ /bin/bash mr,
539+ /bin/bash2 mr,
540+ /bin/bsh mr,
541+ /bin/csh mr,
542+ /bin/dash mr,
543+ /bin/ksh mr,
544+ /bin/sh mr,
545+ /bin/tcsh mr,
546+ /bin/zsh mr,
547+ /bin/zsh4 mr,
548+ /bin/zsh5 mr,
549+ /usr/bin/ssh Px,
550+
551+ # XXX: Cx doesn't work. For details, see
552+ # https://lists.ubuntu.com/archives/apparmor/2012-November/003114.html
553+ #/usr/bin/xauth Cx -> xauth,
554+ /usr/bin/xauth Px -> /usr/bin/ssh//xauth,
555+ #/bin/nc.openbsd Cx -> nc,
556+ /bin/nc.openbsd Px -> /usr/bin/ssh//nc,
557+
558+ # unlocking the key is done by the parent so why is this needed?
559+ /dev/tty rw,
560+ }
561+
562+ /tmp/.X11-unix/* r,
563+ owner /tmp/ssh-*/xauthfile w,
564+ profile xauth {
565+ #include <abstractions/base>
566+ #include <abstractions/X>
567+
568+ unix (send,receive) type=stream peer=(label=/usr/bin/ssh),
569+
570+ /usr/bin/xauth r,
571+ /tmp/.X11-unix/* rw,
572+
573+ owner link /tmp/ssh-*/xauthfile -> /tmp/ssh-*/xauthfile-n,
574+ owner link /tmp/ssh-*/xauthfile-l -> /tmp/ssh-*/xauthfile-c,
575+ owner /tmp/ssh-*/xauthfile r,
576+ owner /tmp/ssh-*/xauthfile-c w,
577+ owner /tmp/ssh-*/xauthfile-l w,
578+ owner /tmp/ssh-*/xauthfile-n w,
579+
580+ # for ssh -Y
581+ owner link @{HOME}/.Xauthority-l -> /**/.Xauthority-c,
582+ owner @{HOME}/.Xauthority-c w,
583+ }
584+
585+ # XXX: for configs using "/bin/nc" instead of "ssh -W"
586+ /bin/nc.openbsd mr,
587+ signal (send) set=("hup") peer=/usr/bin/ssh//nc,
588+ profile nc {
589+ #include <abstractions/base>
590+ #include <abstractions/nameservice>
591+
592+ unix (send,receive) type=stream peer=(label=/usr/bin/ssh),
593+
594+ # Accept HUP from parent
595+ signal (receive) set=("hup") peer=/usr/bin/ssh,
596+
597+ /bin/nc.openbsd rix,
598+ }
599+
600+ #include <local/usr.bin.ssh>
601+}
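Review bot: the points raised on ubuntu/14.04/usr.bin.ssh carry over unchanged (`/dev/net/tun rw,` without `capability net_admin,`, the open `# unlocking the key is done by the parent so why is this needed?` comment above `/dev/tty rw,` in `profile proxycommand {`, the `/**/.Xauthority-c` link target in `profile xauth {`, and the `@{pid}` and `set=("hup")` nits). The new unix rules themselves are consistent: the main profile's `peer=(label=/usr/bin/ssh//*)` and `peer=(label=/usr/bin/ssh)` lines cover the socketpair towards every child and towards a nested `ssh -W`, and each child's `peer=(label=/usr/bin/ssh)` covers the other direction, matching the `Px -> /usr/bin/ssh//xauth` and `//nc` naming. A short comment above `unix (send,receive) type=stream peer=(label=/usr/bin/sftp),` explaining that sftp connects to ssh over a socketpair would document why sftp, and not scp, appears here.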
