[pkg-apparmor] Bug#809649: ssh login not possible when setting usr.sbin.sshd to enforced

Christian Boltz debian-bugs at cboltz.de
Sat Jan 2 14:50:00 UTC 2016


Hello,

Am Samstag, 2. Januar 2016 schrieb Evgeni Golov:
> On Sat, Jan 02, 2016 at 02:52:47PM +0100, Christian Boltz wrote:
> > I just tested on openSUSE and got similar results, but also some
> > small differences:
> Thanks for verifying. Just out of interest, which OpenSSH version do
> you have?

openssh-6.6p1 (on openSUSE Tumbleweed, the rolling release)

> > - I additionally need capability sys_ptrace,
> > - I don't need w access to /var/log/btmp (but nevertheless it makes
> >   sense to allow it)
> 
> These might or might not be dependent on the OpenSSH version.

The configuration of OpenSSH and/or PAM might also be relevant.

> > +  @{PROC}/cmdline r,
> > +  @{PROC}/1/environ r,
> 
> While I also get denials for these two on my Stretch VM, I did not add
> them in my initial version, as ssh seemed to work fine without and I
> really see no reason why the kernel commandline or the environment of
> the init process should matter to the ssh daemon.

Interesting point, but then I'd at least add deny rules for them to 
silence the logging.

I'll mention this when sending the patch upstream.

> > Can you please test with this patch? (In theory the added owner
> > restrictions could cause denials.)
> 
> Yes, seems to work fine for me.

:-)

> > I'll submit the patch upstream as soon as you report back
> > ;-)
> 
> Cool. Thanks!

Patch sent for review upstream. The review might need a while thanks to 
some[tm] [1] pending patches ;-)


Regards,

Christian Boltz

[1] there are currently 23 of my patches waiting for review, with a 
    total of 1597 added and 374 deleted lines ;-) (mostly for the aa-*
    tools - the biggest part of the pending patches is about adding
    support for dbus rules/events to aa-logprof and other aa-* tools)
-- 
 ... you start off with a typical message,
let's say a 2.5MB Word document containing
three lines of text and a macro virus ...
[Peter Gutmann]
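For readers following the thread, here is an illustrative profile fragment showing the two rule kinds discussed above: allow rules for what sshd really needs, and explicit deny rules for the /proc reads that only generate log noise. It is an added example, not the patch Christian sent upstream and not the Debian usr.sbin.sshd profile; the abstraction names and the `/var/log/btmp` path are assumed to match the Debian and openSUSE layouts.

```apparmor
# Illustrative fragment for /etc/apparmor.d/usr.sbin.sshd
# (example only, not the patch from this bug report)
#include <tunables/global>

/usr/sbin/sshd {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  # Needed on the openSUSE test system; may depend on the
  # OpenSSH/PAM configuration as the thread notes.
  capability sys_ptrace,

  # The daemon works without these reads. An explicit deny
  # rule keeps the profile tight *and* stops the audit log
  # from filling up with DENIED entries for every login.
  deny @{PROC}/cmdline r,
  deny @{PROC}/1/environ r,

  # Failed-login record; harmless to allow even where not strictly needed.
  /var/log/btmp w,

  # "owner" restricts the match to files owned by the process uid;
  # this is the kind of rule that can cause denials if a file is owned
  # by a different user, so re-test after adding it.
  owner @{PROC}/@{pid}/fd/ r,
}
```

After editing, reload the profile with `apparmor_parser -r /etc/apparmor.d/usr.sbin.sshd` and check `dmesg` or the audit log for remaining `apparmor="DENIED"` lines; a `deny` rule is matched before allow rules, so anything it covers will no longer be logged.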