[pkg-apparmor] Bug#809649: Bug#809649: ssh login not possible when setting usr.sbin.sshd to enforced

Christian Boltz debian-bugs at cboltz.de
Sat Jan 2 13:52:47 UTC 2016


Hello,

Am Samstag, 2. Januar 2016 schrieb Evgeni Golov:
> using /usr/share/doc/apparmor-profiles/extras/usr.sbin.sshd with
> current sshd will make the system not accepting logins anymore.
> 
> The following patch fixes it:

I just tested on openSUSE and got similar results, but also some small 
differences:
- I additionally need capability sys_ptrace,
- I don't need w access to /var/log/btmp (but nevertheless it makes 
  sense to allow it)
- while on it, I changed most @{PROC}/@{pid} to use owner restrictions -
  and found out that @{PROC}/*/fd/ r, is using the pid of the shell
  started for the just-logged-in user, so I changed it to use @{pids}
  (and didn't add the owner restriction)


My version of the patch is:

=== modified file 'profiles/apparmor/profiles/extras/usr.sbin.sshd'
--- profiles/apparmor/profiles/extras/usr.sbin.sshd     2013-01-05 06:31:00 +0000
+++ profiles/apparmor/profiles/extras/usr.sbin.sshd     2016-01-02 13:44:20 +0000
@@ -2,6 +2,8 @@
 #
 #    Copyright (C) 2002-2005 Novell/SUSE
 #    Copyright (C) 2012 Canonical Ltd.
+#    Copyright (C) 2016 Christian Boltz
+#    Copyright (C) 2016 Evgeni Golov
 #
 #    This program is free software; you can redistribute it and/or
 #    modify it under the terms of version 2 of the GNU General Public
@@ -26,14 +28,17 @@
   capability sys_resource,
   capability sys_tty_config,
   capability net_bind_service,
+  capability net_admin,
   capability chown,
   capability fowner,
   capability kill,
   capability setgid,
   capability setuid,
   capability audit_control,
+  capability audit_write,
   capability dac_override,
   capability dac_read_search,
+  capability sys_ptrace,
 
   /dev/ptmx rw,
   /dev/urandom r,
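Review bot: the three capabilities added in this hunk (`+  capability net_admin,`, `+  capability audit_write,`, `+  capability sys_ptrace,`) carry no comment saying which sshd operation produced the denial that motivated each one; sys_ptrace in particular is a broad grant, and the cover mail only says it was needed on openSUSE. Please add a one-line comment next to each new capability naming the denied operation (as the profile already does elsewhere, e.g. "should only be here for use in non-change-hat openssh"), so a later maintainer can tell whether it can be dropped when sshd or the distribution changes.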
@@ -48,13 +53,16 @@
   @{PROC}/@{pid}/oom_adj rw,
   @{PROC}/@{pid}/oom_score_adj rw,
   /usr/sbin/sshd mrix,
-  /var/log/btmp r,
+  /var/log/btmp rw,
   /{,var/}run w,
   /{,var/}run/sshd{,.init}.pid wl,
 
-  @{PROC}/@{pid}/fd/ r,
-  @{PROC}/@{pid}/loginuid w,
-  @{PROC}/@{pid}/limits r,
+  @{PROC}/cmdline r,
+  @{PROC}/1/environ r,
+  @{PROC}/@{pids}/fd/ r,  # pid of the just-logged in user's shell
+  owner @{PROC}/@{pid}/loginuid rw,
+  owner @{PROC}/@{pid}/limits r,
+  owner @{PROC}/@{pid}/uid_map r,
 
 # should only be here for use in non-change-hat openssh
 # duplicated from EXEC hat
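Review bot: `+  @{PROC}/@{pids}/fd/ r,` is the only rule in this profile that uses `@{pids}` instead of `@{pid}`; confirm that the tunables shipped alongside the extras profiles define `@{pids}`, otherwise the profile will fail to load for anyone who installs it as-is. The same rule, by design, is not owner-restricted, so it allows listing the fd directory of every process, not only the login user's shell; the trailing comment explains the intent, but it would help to state that the wider grant is deliberate. Separately, `+  @{PROC}/1/environ r,` lets sshd read PID 1's environment, which can carry sensitive variables; a comment naming the code path that needs it would make that easier to revisit. The `owner` prefix added on the `loginuid`, `limits` and `uid_map` lines is where any new denials from this change would show up, which matches the request for testing in the cover mail.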


Can you please test with this patch? (In theory the added owner 
restrictions could cause denials.)

I'll submit the patch upstream as soon as you report back ;-)


Regards,

Christian Boltz
-- 
"What is the purpose of the systemd journal service?"
Answer: Forwarder for external or on-system real syslog service.
[Yamaban in opensuse-factory]