[apparmor] usr.bin.ssh and usr.bin.scp profiles
Simon Deziel
simon.deziel at gmail.com
Sat Aug 23 02:25:37 UTC 2014
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Hello,
I've been testing these two profiles for a while and feel they are ready
to be tested by a larger audience. If any of you are interested,
feedback, comments and pull requests(*) are welcome!
Regards,
Simon
*: https://github.com/simondeziel/aa-profiles/tree/master/14.04
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQJ8BAEBCgBmBQJT9/ugXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ1NjVDMzc0QUZCQUQyRkM2MjBDNkMxQkI3
MkZFMERBRTkwMEIyQzM0AAoJEHL+Da6QCyw0a40P/39APPGdrTbw/heH/mp/TD3p
AZ/C3vDLeUz6gxvca5BUq2SPL2qvDL5y8H8Uii4hAQuklY+Au0Wy+Jx3rKoiFnb9
F0ZyczJvfPnF5H+jJ+ylHjzh+MlVyHKRXRqdohD4nL7jdgrCs63TNrfB6u7vBVVs
95Ook7r6oKW54F9ZudajHlgWFlgv5zGvfs6jvrLBkE8FiQepeVIoq+ugVQK2ztNU
o3BjvkG1LJqrgnSL1udmTcdL/qIGjs+pDZmI47POM8cUseuFk33t65T+qQMsT8+A
Rg3UZGAecbOgEXyrygdmBPM0gbsNOCZ33FNp/VlayeL+TxxRje2G4gnz9XbGz5Jl
mGePCmCI7ZhdE0NocgCqAwvYl+P3eJG4TDMcf0a5YVBmmmiwOub2TkDcgaw2qe/p
LqcNHBegWwsx8rR+N3X5Q8kop9TtZQibda7y7tfDd3RbkxjyX9ij4T8bvUs+FBSt
qatjeSOBfKmKi33r39XPxwELw7r0N9qddU9oocoQejREDhXTbeSSgh2l7Ot17zph
Ssw71ePMa00geXDUUZIIKeONhWPXPwLg/XceVYvsEglcmj61KXPl101rrzleLU7q
YzKi2KWxlmfKN0lEVtbcLvVEbNM4jBy5KT+5+BtAU+flGw95TPHiQonN3VH99bcy
00KVUqdFZVbrHL9Aqlct
=nci7
-----END PGP SIGNATURE-----
-------------- next part --------------
# Author: Simon Deziel <simon.deziel at gmail.com>
#include <tunables/global>
/usr/bin/scp {
#include <abstractions/base>
# scp is almost just a wrapper around ssh: the transport itself is done by
# /usr/bin/ssh, which is started under its own profile (P) with the
# environment scrubbed (uppercase x modifier), so none of the broad file
# grants below carry over into the ssh process.
/usr/bin/ssh Px,
# for file transfers: read any file DAC already permits, and read/write any
# file owned by the invoking user. This is deliberately broad (scp has to be
# able to copy arbitrary paths), so the confinement this profile provides is
# mostly about what scp may execute, not what it may read.
owner /** rw,
/** r,
# site-local additions/overrides live outside this file so package upgrades
# do not clobber them
#include <local/usr.bin.scp>
}
-------------- next part --------------
# Author: Simon Deziel <simon.deziel at gmail.com>
#include <tunables/global>
/usr/bin/ssh {
#include <abstractions/base>
#include <abstractions/nameservice>
#include <abstractions/openssl>
# NOTE(review): this profile contains no explicit `network` rule. If
# outbound connections work, the grant presumably comes from
# abstractions/nameservice — confirm, and consider spelling it out here
# (e.g. `network inet stream,` / `network inet6 stream,`) so the network
# permission is visible in the profile rather than implied by an abstraction.
# system-wide client configuration; the per-user config is covered below
/etc/ssh/ssh_config r,
# to unlock private keys: passphrase prompts on the controlling terminal or
# through the askpass helper. The helper is inherited (ix) into this very
# profile, so it gets exactly these rules and nothing more.
# NOTE(review): a graphical askpass needs whatever display access it uses;
# nothing here grants that — verify it actually works under this profile.
/dev/tty rw,
/usr/lib/openssh/gnome-ssh-askpass mix,
# ~/.ssh: the directory entry itself is writable, its contents are read-only
# except for the specific files listed further down. `l` permits link
# operations, presumably for ssh's rewriting of known_hosts — unverified.
owner @{HOME}/.ssh/ rw,
owner @{HOME}/.ssh/** rl,
owner @{HOME}/.ssh/known_hosts rwl,
# use with "ControlPath ~/.ssh/%r@%h:%p" (connection multiplexing sockets)
owner @{HOME}/.ssh/*@*:* rwl,
# Explicit, audited refusals. The `**` rule above grants no `w` on these
# files anyway, but deny rules take precedence over any allow rule (including
# one added later via local/usr.bin.ssh), and `audit` logs every attempt, so
# an ssh process trying to modify the user's keys, client config or
# authorized_keys is both blocked and visible in the log.
audit deny @{HOME}/.ssh/authorized_keys{,2} rw,
audit deny @{HOME}/.ssh/config w,
audit deny @{HOME}/.ssh/id_{dsa,rsa,ecdsa,ed25519}{,.pub} w,
# agent sockets: ssh-agent's directory under /tmp and gnome-keyring's socket.
# NOTE(review): @{pid} here has to match the *agent's* pid, not this
# process's; this relies on @{pid} expanding to a pid glob in the tunables
# shipped with the target release — confirm.
owner /tmp/ssh-*/ rw,
owner /tmp/ssh-*/agent.@{pid} rw,
owner /run/user/[0-9]*/keyring-*/ssh rw,
# listing of our own fd table; the reason is not evident from the profile
# (presumably needed at startup — check the denial log before dropping it)
owner @{PROC}/@{pid}/fd/ r,
# for ProxyCommand: ssh runs the command through a shell, which is confined
# by the `proxycommand` child profile below (C) with a scrubbed environment.
/bin/bash Cx -> proxycommand,
# read/mmap of our own binary
/usr/bin/ssh rm,
# NOTE(review): no exec permission is granted on nc in this (parent) profile;
# nc is only executed from the proxycommand child profile, so this rule may
# be superfluous — confirm before removing.
/bin/nc.openbsd rm,
# Allow sending HUP to the ProxyCommand's nc, which runs in the `nc` child
# profile (addressed by its full name, /usr/bin/ssh//nc)
signal (send) set=("hup") peer=/usr/bin/ssh//nc,
# child profile for the shell that runs ProxyCommand
profile proxycommand {
#include <abstractions/base>
/bin/bash rm,
# a nested ssh (e.g. a jump host via ProxyCommand) gets the full ssh profile
/usr/bin/ssh Px,
# XXX: Cx doesn't work. For details, see
# https://lists.ubuntu.com/archives/apparmor/2012-November/003114.html
#/bin/nc.openbsd Cx -> nc,
# hand nc over to the sibling child profile, named in full
/bin/nc.openbsd Px -> /usr/bin/ssh//nc,
# unlocking the key is done by the parent so why is this needed?
/dev/tty rw,
}
# child profile for nc when used as the ProxyCommand; nameservice is included
# here too, presumably because nc resolves the target host itself
profile nc {
#include <abstractions/base>
#include <abstractions/nameservice>
# Accept HUP from parent
signal (receive) set=("hup") peer=/usr/bin/ssh,
# a re-exec of nc stays within this same child profile (ix)
/bin/nc.openbsd rix,
}
#include <local/usr.bin.ssh>
}
-------------- next part --------------
A non-text attachment was scrubbed...
Name: usr.bin.scp.sig
Type: application/pgp-signature
Size: 639 bytes
Desc: not available
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20140822/e1edc461/attachment.pgp>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: usr.bin.ssh.sig
Type: application/pgp-signature
Size: 639 bytes
Desc: not available
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20140822/e1edc461/attachment-0001.pgp>