Merge lp:~sdeziel/apparmor/usr.sbin.sshd-refresh into lp:apparmor/2.12

Proposed by Simon Déziel on 2016-01-09
Status: Merged
Merged at revision: 3441
Proposed branch: lp:~sdeziel/apparmor/usr.sbin.sshd-refresh
Merge into: lp:apparmor/2.12
Diff against target: 285 lines (+109/-130)
2 files modified
profiles/apparmor.d/abstractions/libpam-systemd (+19/-0)
profiles/apparmor/profiles/extras/usr.sbin.sshd (+90/-130)
To merge this branch: bzr merge lp:~sdeziel/apparmor/usr.sbin.sshd-refresh
Reviewer: Seth Arnold (date requested: 2016-01-09; status: Approve on 2016-04-29)
Review via email: mp+282088@code.launchpad.net

Description of the change

The proposed profile has been extensively tested on 14.04 (OpenSSH 6.6p1) and very recently also on 16.04 (OpenSSH 7.2p2). The proposed profile includes everything that was in [0]. Also in that thread, Seth Arnold suggested [1] to put the libpam-systemd rules into an abstraction. I hope I got this right.

I tried to break the profile update into smaller chunks but finally gave up because none of the individual commits would have been working on their own.

For those testing the profile, there is (and always has been, AFAICT) a huge limitation with it: one cannot use other AA profiles from the resulting SSH shell. In short, the following wouldn't work:

  ssh root@localhost tcpdump -ni lo -c 10

As tcpdump (also confined by AA) would be unable to output to the console. For the curious, please refer to John Johansen's excellent explanation in [2].

Fortunately, I was able to find a (work|hack)around:

cat << "EOF" > /etc/profile.d/01-apparmor-pts-bug-workaround.sh
# kludge to change pts if PPID is contained by sshd's Apparmor profile
if echo "$-" | grep -qF i && [ -e "/proc/$PPID/attr/current" ] && \
     grep -qw '^/usr/sbin/sshd' "/proc/$PPID/attr/current"; then
  exec script --quiet --return --command "$SHELL -l" /dev/null
fi
EOF

Not pretty but it works.

Feedback/suggestions are welcome.

0: https://lists.ubuntu.com/archives/apparmor/2016-January/009059.html
1: https://lists.ubuntu.com/archives/apparmor/2016-January/009105.html
2: https://lists.ubuntu.com/archives/apparmor/2015-September/008624.html

3271. By Simon Déziel on 2016-04-05

usr.sbin.sshd: add cgroup-related rules

3272. By Simon Déziel on 2016-04-05

usr.sbin.sshd: allow ptrace tracing to cope with recent kernel/AA changes

3273. By Simon Déziel on 2016-04-05

usr.sbin.sshd: remove commented-out hat related rules

3274. By Simon Déziel on 2016-04-21

usr.sbin.sshd: deny net_admin that is not strictly required

Matthew Dawson explained why:

> sshd doesn't actually require the net_admin capability. libpam-systemd tries
> to use it if available to set the send/receive buffers size, but will fall
> back to a non-privileged version if it fails.

https://lists.ubuntu.com/archives/apparmor/2016-April/009586.html

3275. By Simon Déziel on 2016-04-29

usr.sbin.sshd: allow reading blacklisted host keys

Simon Déziel (sdeziel) wrote :

ping?

Seth Arnold (seth-arnold) wrote :

Looks good to me, but ... all those Ux permissions. I miss the apparmor privsep version.

Thanks

review: Approve

Preview Diff

1=== added file 'profiles/apparmor.d/abstractions/libpam-systemd'
2--- profiles/apparmor.d/abstractions/libpam-systemd 1970-01-01 00:00:00 +0000
3+++ profiles/apparmor.d/abstractions/libpam-systemd 2016-04-29 18:26:17 +0000
4@@ -0,0 +1,19 @@
5+# vim:syntax=apparmor
6+# ------------------------------------------------------------------
7+#
8+# Copyright (C) 2015-2016 Simon Deziel
9+#
10+# This program is free software; you can redistribute it and/or
11+# modify it under the terms of version 2 of the GNU General Public
12+# License published by the Free Software Foundation.
13+#
14+# ------------------------------------------------------------------
15+
16+#include <abstractions/dbus-strict>
17+
18+ # libpam-systemd notifies systemd-logind about session logins/logouts
19+ dbus send
20+ bus=system
21+ path=/org/freedesktop/login1
22+ interface=org.freedesktop.login1.Manager
23+ member={CreateSession,ReleaseSession},
24
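Review bot: the `dbus send` rule pins bus, path, interface and members but not the destination, so any system-bus peer that implements org.freedesktop.login1.Manager at that path could receive the call; consider adding `peer=(name=org.freedesktop.login1)` so the abstraction only talks to systemd-logind. The header comment could also name the consumer it serves (the pam_systemd module from libpam-systemd) so other profile authors know when to include it.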
25=== modified file 'profiles/apparmor/profiles/extras/usr.sbin.sshd'
26--- profiles/apparmor/profiles/extras/usr.sbin.sshd 2013-01-05 06:31:00 +0000
27+++ profiles/apparmor/profiles/extras/usr.sbin.sshd 2016-04-29 18:26:17 +0000
28@@ -2,6 +2,7 @@
29 #
30 # Copyright (C) 2002-2005 Novell/SUSE
31 # Copyright (C) 2012 Canonical Ltd.
32+# Copyright (C) 2015-2016 Simon Deziel
33 #
34 # This program is free software; you can redistribute it and/or
35 # modify it under the terms of version 2 of the GNU General Public
36@@ -19,6 +20,7 @@
37 #include <abstractions/authentication>
38 #include <abstractions/base>
39 #include <abstractions/consoles>
40+ #include <abstractions/libpam-systemd>
41 #include <abstractions/nameservice>
42 #include <abstractions/wutmp>
43
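Review bot: the include is unconditional, so every sshd gets the dbus send rule even on systems without libpam-systemd; that is acceptable because the rule is narrow, but a one-line comment above `#include <abstractions/libpam-systemd>` saying what it is for (logind session registration by pam_systemd) would help readers, in the same style as the comment on the net_admin deny.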
44@@ -32,10 +34,21 @@
45 capability setgid,
46 capability setuid,
47 capability audit_control,
48+ capability audit_write,
49 capability dac_override,
50 capability dac_read_search,
51+ capability sys_ptrace,
52+
53+ # sshd doesn't require net_admin. libpam-systemd tries to
54+ # use it if available to set the send/receive buffers size,
55+ # but will fall back to a non-privileged version if it fails.
56+ deny capability net_admin,
57+
58+ # needed when /proc is mounted with hidepid>=1
59+ ptrace (read,trace) peer="unconfined",
60
61 /dev/ptmx rw,
62+ /dev/pts/[0-9]* rw,
63 /dev/urandom r,
64 /etc/default/locale r,
65 /etc/environment r,
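Review bot: the comment above `ptrace (read,trace) peer="unconfined",` explains the hidepid case, which only needs `read`, but not why `trace` (attach-level access) and `capability sys_ptrace` are also granted; commit 3272 mentions kernel/AA changes, so please either narrow the rule to `ptrace (read) peer="unconfined",` if the denials seen only asked for read, or extend the comment with the specific denial that requires trace so the wider grant is documented.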
66@@ -43,142 +56,89 @@
67 /etc/hosts.deny r,
68 /etc/modules.conf r,
69 /etc/security/** r,
70- /etc/ssh/* r,
71+ /etc/ssh/** r,
72 /etc/ssl/openssl.cnf r,
73- @{PROC}/@{pid}/oom_adj rw,
74- @{PROC}/@{pid}/oom_score_adj rw,
75 /usr/sbin/sshd mrix,
76- /var/log/btmp r,
77- /{,var/}run w,
78- /{,var/}run/sshd{,.init}.pid wl,
79-
80- @{PROC}/@{pid}/fd/ r,
81- @{PROC}/@{pid}/loginuid w,
82- @{PROC}/@{pid}/limits r,
83-
84-# should only be here for use in non-change-hat openssh
85-# duplicated from EXEC hat
86- /bin/ash rUx,
87- /bin/bash rUx,
88- /bin/bash2 rUx,
89- /bin/bsh rUx,
90- /bin/csh rUx,
91- /bin/dash rUx,
92- /bin/ksh rUx,
93- /bin/sh rUx,
94- /bin/tcsh rUx,
95- /bin/zsh rUx,
96- /bin/zsh4 rUx,
97- /sbin/nologin rUx,
98-
99-# Call passwd for password change when expired
100-# /usr/bin/passwd Px,
101-
102-
103-# stuff duplicated from PRIVSEP_MONITOR
104- @{HOME}/.ssh/authorized_keys{,2} r,
105-
106- /dev/pts/[0-9]* rw,
107- /etc/ssh/moduli r,
108- @{PROC}/@{pid}/mounts r,
109-
110-# duplicated from AUTHENTICATED
111- /etc/motd r,
112- /{,var/}run/motd{,.new} rw,
113- /tmp/ssh-*/agent.[0-9]* rwl,
114-
115- /tmp/ssh-*[0-9]*/ w,
116-
117-#
118-# default subprofile for when sshd has authenticated the user
119-#
120- ^EXEC {
121- #include <abstractions/base>
122-
123- /bin/ash Ux,
124- /bin/bash Ux,
125- /bin/bash2 Ux,
126- /bin/bsh Ux,
127- /bin/csh Ux,
128- /bin/dash Ux,
129- /bin/ksh Ux,
130- /bin/sh Ux,
131- /bin/tcsh Ux,
132- /bin/zsh Ux,
133- /bin/zsh4 Ux,
134- /sbin/nologin Ux,
135-
136-# for debugging
137-# /dev/pts/[0-9]* rw,
138- }
139-
140-#
141-# subprofile for handling network input (privilege seperated child)
142-#
143- ^PRIVSEP {
144- #include <abstractions/base>
145- #include <abstractions/nameservice>
146-
147- capability sys_chroot,
148- capability setuid,
149- capability setgid,
150-
151-# for debugging
152-# /dev/pts/[0-9]* rw,
153- }
154-
155-#
156-# subprofile that handles authentication requests from the privilege
157-# seperated child
158-#
159- ^PRIVSEP_MONITOR {
160+ /usr/share/ssh/blacklist.* r,
161+ /var/log/btmp rw,
162+ owner /{,var/}run/sshd{,.init}.pid wl,
163+ @{HOME}/.ssh/authorized_keys{,2} r,
164+
165+ @{PROC}/cmdline r,
166+ @{PROC}/1/environ r,
167+ @{PROC}/@{pids}/fd/ r, # pid of the just-logged in user's shell
168+ owner @{PROC}/@{pid}/loginuid rw,
169+ owner @{PROC}/@{pid}/limits r,
170+ owner @{PROC}/@{pid}/uid_map r,
171+ owner @{PROC}/@{pid}/mounts r,
172+ owner @{PROC}/@{pid}/oom_adj rw,
173+ owner @{PROC}/@{pid}/oom_score_adj rw,
174+
175+ /sys/fs/cgroup/*/user/*/[0-9]*/ rw,
176+ /sys/fs/cgroup/systemd/user.slice/user-[0-9]*.slice/session-c[0-9]*.scope/ rw,
177+
178+ /bin/ash Uxr,
179+ /bin/bash Uxr,
180+ /bin/bash2 Uxr,
181+ /bin/bsh Uxr,
182+ /bin/csh Uxr,
183+ /bin/dash Uxr,
184+ /bin/ksh Uxr,
185+ /bin/sh Uxr,
186+ /bin/tcsh Uxr,
187+ /bin/zsh Uxr,
188+ /bin/zsh4 Uxr,
189+ /bin/zsh5 Uxr,
190+ /{,usr/}sbin/nologin Uxr,
191+ /bin/false Uxr,
192+
193+ # XXX: this needs to be enabled otherwise we risk locking out a user
194+ # Call passwd for password change when expired
195+ /usr/bin/passwd Cx -> passwd,
196+
197+ # to set memory protection for passwd
198+ @{PROC}/@{pid}/task/@{pid}/attr/exec w,
199+ profile passwd {
200 #include <abstractions/authentication>
201 #include <abstractions/base>
202 #include <abstractions/nameservice>
203- #include <abstractions/wutmp>
204-
205-
206- capability setuid,
207- capability setgid,
208+
209+ capability audit_write,
210 capability chown,
211+ capability fsetid,
212+ capability setuid,
213+ capability setgid,
214
215- @{HOME}/.ssh/authorized_keys{,2} r,
216- /dev/ptmx rw,
217+ /usr/bin/passwd r,
218 /dev/pts/[0-9]* rw,
219- /dev/urandom r,
220- /etc/hosts.allow r,
221- /etc/hosts.deny r,
222- /etc/ssh/moduli r,
223- @{PROC}/@{pid}/mounts r,
224-
225-# for debugging
226-# /dev/pts/[0-9]* rw,
227- }
228-
229-#
230-# subprofile for post-authentication period until the user's shell is spawned
231-#
232- ^AUTHENTICATED {
233- #include <abstractions/authentication>
234- #include <abstractions/consoles>
235- #include <abstractions/nameservice>
236- #include <abstractions/wutmp>
237-
238- capability sys_tty_config,
239- capability setgid,
240- capability setuid,
241-
242- /dev/log w,
243- /dev/ptmx rw,
244- /etc/default/passwd r,
245- /etc/localtime r,
246- /etc/login.defs r,
247- /etc/motd r,
248- /{,var/}run/motd{,.new} rw,
249- /tmp/ssh-*/agent.[0-9]* rwl,
250- /tmp/ssh-*[0-9]*/ w,
251-
252-# for debugging
253-# /dev/pts/[0-9]* rw,
254- }
255+ /{,var/}run/utmp rwk,
256+
257+ owner /etc/.pwd.lock rwk,
258+ owner /etc/nshadow rw,
259+ owner /etc/shadow rw,
260+ owner @{PROC}/@{pid}/loginuid r,
261+
262+ # XXX: put into another subprofile?
263+ /usr/bin/gnome-keyring-daemon ix,
264+ capability ipc_lock,
265+ owner @{PROC}/@{pid}/status r,
266+ owner @{HOME}/.cache/keyring-*/ rw,
267+ owner @{HOME}/.cache/keyring-*/control rw,
268+ }
269+
270+ /etc.legal r,
271+ /etc/motd r,
272+ /{,var/}run/motd{,.dynamic}{,.new} rw,
273+ /tmp/ssh-[a-zA-Z0-9]*/ w,
274+ /tmp/ssh-[a-zA-Z0-9]*/agent.[0-9]* wl,
275+
276+ # for internal-sftp
277+ / r,
278+ /** r,
279+ owner /** rwl,
280+
281+ /usr/lib/openssh/sftp-server PUx,
282+
283+ # Site-specific additions and overrides. See local/README for details.
284+ #include <local/usr.sbin.sshd>
285 }
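Review bot: `/etc.legal r,` near the end of the hunk looks like a typo for `/etc/legal r,` (the Ubuntu notice printed with the motd); as written the rule matches nothing and the read will be denied. Separately, the `# for internal-sftp` rules `/** r,` and `owner /** rwl,` are not scoped to the sftp subsystem: they apply to the whole profile, including the root-privileged monitor before setuid, where `owner` matches every root-owned file; a comment stating that trade-off, or moving them under `#include <local/usr.sbin.sshd>` as an opt-in, would make the breadth explicit.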
