[apparmor] [Merge] lp:~sdeziel/apparmor-profiles/ssh-scp-profiles into lp:apparmor-profiles
Christian Boltz
apparmor at cboltz.de
Wed Dec 30 21:50:04 UTC 2015
Oh nice, this was overlooked for more than a year :-/
The profiles mostly look good when reading (!= testing) them.
Some small notes:
In the scp profile, you have "/bin/cp PUx,". It's very unlikely that someone has a profile for it, so effectively we get Ux. I'd prefer ix or Cx and a small child profile (assuming cp isn't too hard to profile - I never tried ;-)
In the ssh profile, you have "/usr/lib/openssh/gnome-ssh-askpass mix,". Please also allow /usr/lib/ssh/ssh-askpass which seems to be openSUSE's binary name.
For the ControlPath, I'm afraid you'll need a more permissive wildcard to avoid breaking custom ControlPath settings. For example, I'm using ~/.ssh/ssh_control_HOSTNAME_PORT_USERNAME. Maybe something like ~/.ssh/*[0-9][0-9]* would work for everybody, while not opening up too many unrelated files because of the [0-9][0-9] (two digits) part which should be matched by the port.
Finally, please use "mr" instead of "rm". Technically it's the same, but a) we use "mr" everywhere and b) "rm" might confuse users not too familiar with the permission syntax ;-)
--
https://code.launchpad.net/~sdeziel/apparmor-profiles/ssh-scp-profiles/+merge/234310
Your team AppArmor Developers is requested to review the proposed merge of lp:~sdeziel/apparmor-profiles/ssh-scp-profiles into lp:apparmor-profiles.
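
Added example (not part of the original message or of the proposed profiles): a quick way to see which files under ~/.ssh the suggested ~/.ssh/*[0-9][0-9]* wildcard would cover. The glob-to-regex translation is a simplified assumption of AppArmor's path matching, and the home directory and file names are constructed.

```python
import re

def aa_glob_to_regex(glob):
    """Translate a subset of AppArmor path globbing into an anchored regex.

    Handled: '**' (any characters, '/' included), '*' and '?' (never match
    '/'), and '[...]' classes. '{a,b}' alternation and @{variables} are not.
    """
    out, i = [], 0
    while i < len(glob):
        if glob.startswith("**", i):
            out.append(".*")
            i += 2
        elif glob[i] == "*":
            out.append("[^/]*")
            i += 1
        elif glob[i] == "?":
            out.append("[^/]")
            i += 1
        elif glob[i] == "[":
            end = glob.index("]", i + 1)
            out.append(glob[i:end + 1])
            i = end + 1
        else:
            out.append(re.escape(glob[i]))
            i += 1
    return re.compile("".join(out) + r"\Z")

def covered(rule, paths):
    """Return the paths that the rule's glob matches."""
    rx = aa_glob_to_regex(rule)
    return [p for p in paths if rx.match(p)]

HOME = "/home/alice"                      # constructed home directory
RULE = HOME + "/.ssh/*[0-9][0-9]*"        # wildcard suggested in the message

SAMPLES = [HOME + "/.ssh/" + name for name in (   # constructed file names
    "ssh_control_example.org_22_alice",   # HOSTNAME_PORT_USERNAME scheme
    "ssh_control_example.org_2222_alice",
    "ctl-example.org",                    # no port in the name
    "config",
    "known_hosts",
    "id_rsa",
    "id_ed25519",                         # key file name with digits
    "sockets/example.org_22",             # socket kept in a subdirectory
)]

if __name__ == "__main__":
    hits = covered(RULE, SAMPLES)
    for path in SAMPLES:
        print("match   " if path in hits else "no match", path)
```

With these samples the two control sockets and id_ed25519 match; the socket in a subdirectory does not, because a single * stops at "/".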