On 08/23/2014 07:01 AM, Christian Boltz wrote:
> Am Freitag, 22. August 2014 schrieb Simon Deziel:
>> I've been testing those 2 profiles for a bit and feel they are ready
>> to be tested by a larger audience. If any of you is interested,
>> feedback/comments/pull requests(*) are welcome!
>
> While the profile in general looks good at the first look, I somewhat
> wonder about
>
> /bin/bash Cx -> proxycommand,
>
> profile proxycommand {
> [...]
> /bin/bash rm,
>
> I slightly ;-) doubt this allows to do anything useful in the shell.
> I'm afraid you'll need to allow Ux for various shells to fix that.

I believe "Ux" is not desirable here because the shell is only used to
execute the ProxyCommand. In my testing, the "Cx" transition plus the
"rm" in the subprofile were enough. I only tested with ssh and
nc.openbsd as ProxyCommands as they are the only 2 supported ATM.

Here is the ~/.ssh/config I used to test the ssh profile with bash:

  Host aa-nc
    ProxyCommand nc bar 22

  Host aa-ssh
    ProxyCommand ssh -qN foo nc bar 22

  Host aa-ssh-full-path
    ProxyCommand /usr/bin/ssh -qN foo nc bar 22

  Host aa-ssh-twice
    ProxyCommand ssh -qN foo ssh bar nc foo 22

All of them required the "Cx" for bash, even the "aa-ssh-full-path" one.

> Please have a look at the sshd profile we ship in the extras dir
> (profiles/apparmor/profiles/extras/usr.sbin.sshd in tarball and bzr)
> which does exactly that.

Very good point, I took the list of shells from there and added them in
the profile. I didn't test ProxyCommands with a different shell than
bash though.

Thanks for the feedback Christian!

Regards,
Simon

# Author: Simon Deziel <[email protected]>

#include <tunables/global>

/usr/bin/ssh {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/openssl>

  /etc/ssh/ssh_config r,

  # to unlock private keys
  /dev/tty rw,
  /usr/lib/openssh/gnome-ssh-askpass mix,

  owner @{HOME}/.ssh/ rw,
  owner @{HOME}/.ssh/** rl,
  owner @{HOME}/.ssh/known_hosts rwl,

  # use with "ControlPath ~/.ssh/%r@%h:%p"
  owner @{HOME}/.ssh/*@*:* rwl,

  audit deny @{HOME}/.ssh/authorized_keys{,2} rw,
  audit deny @{HOME}/.ssh/config w,
  audit deny @{HOME}/.ssh/id_{dsa,rsa,ecdsa,ed25519}{,.pub} w,

  owner /tmp/ssh-*/ rw,
  owner /tmp/ssh-*/agent.@{pid} rw,
  owner /run/user/[0-9]*/keyring-*/ssh rw,
  owner @{PROC}/@{pid}/fd/ r,

  # for ProxyCommand
  /bin/ash Cx -> proxycommand,
  /bin/bash{,2} Cx -> proxycommand,
  /bin/bsh Cx -> proxycommand,
  /bin/csh Cx -> proxycommand,
  /bin/csh Cx -> proxycommand,
  /bin/dash Cx -> proxycommand,
  /bin/ksh Cx -> proxycommand,
  /bin/sh Cx -> proxycommand,
  /bin/tcsh Cx -> proxycommand,
  /bin/zsh{,4} Cx -> proxycommand,
  /usr/bin/ssh rm,
  /bin/nc.openbsd rm,

  # Allow to HUP ProxyCommand from subprofile
  signal (send) set=("hup") peer=/usr/bin/ssh//nc,

  profile proxycommand {
    #include <abstractions/base>

    /bin/ash rm,
    /bin/bash{,2} rm,
    /bin/bsh rm,
    /bin/csh rm,
    /bin/csh rm,
    /bin/dash rm,
    /bin/ksh rm,
    /bin/sh rm,
    /bin/tcsh rm,
    /bin/zsh{,4} rm,
    /usr/bin/ssh Px,

    # XXX: Cx doesn't work. For details, see
    # https://lists.ubuntu.com/archives/apparmor/2012-November/003114.html
    #/bin/nc.openbsd Cx -> nc,
    /bin/nc.openbsd Px -> /usr/bin/ssh//nc,

    # unlocking the key is done by the parent so why is this needed?
    /dev/tty rw,
  }

  profile nc {
    #include <abstractions/base>
    #include <abstractions/nameservice>

    # Accept HUP from parent
    signal (receive) set=("hup") peer=/usr/bin/ssh,

    /bin/nc.openbsd rix,
  }

  #include <local/usr.bin.ssh>
}

--
AppArmor mailing list
[email protected]
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
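
The thread turns on which exec transition each shell gets ("Cx" into a child profile versus "Ux"). The following is an added example, not part of the original message or of the AppArmor project: a small Python check that lists every exec rule in a profile with the profile it sits in and flags transitions that leave confinement. The names `audit`, `unconfined` and `SAMPLE` are hypothetical, the sample is constructed, and its `/bin/zsh Ux,` line is there only to show a flagged rule.

```python
import re

# Constructed sample in the style of the attached profile; the "Ux" rule is
# hypothetical and is not in the profile posted to the list.
SAMPLE = """
/usr/bin/ssh {
  /bin/bash{,2} Cx -> proxycommand,
  /bin/zsh Ux,
  /usr/bin/ssh rm,
  profile proxycommand {
    /bin/bash{,2} rm,
    /usr/bin/ssh Px,
    /bin/nc.openbsd Px -> /usr/bin/ssh//nc,
  }
}
"""

# "[owner] /path perms [-> target]," ; rules not starting with a path are skipped
RULE = re.compile(r"^(?:owner\s+)?(/\S*)\s+([A-Za-z]+)(?:\s*->\s*(\S+))?,$")

def audit(text):
    """Return (profile, path, mode, target, unconfined) for every exec rule."""
    stack, found = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                          # comments and #include lines
        if line.endswith("{"):                # "profile name {" or "/path {"
            stack.append(line[:-1].split()[-1])
            continue
        if line == "}":
            stack.pop()
            continue
        m = RULE.match(line)
        if not m:
            continue                          # signal, deny, variable paths
        path, perms, target = m.groups()
        mode = re.sub(r"[rwalkm]", "", perms)  # drop file perms, keep exec mode
        if "x" in mode:
            # any u/U in the mode (ux, Ux, pux, cux ...) can end up unconfined
            found.append(("//".join(stack), path, mode, target,
                          "u" in mode.lower()))
    return found

def unconfined(text):
    """Exec rules whose transition can run the target without a profile."""
    return [r for r in audit(text) if r[4]]

if __name__ == "__main__":
    for profile, path, mode, target, flag in audit(SAMPLE):
        print(profile, path, mode, target or "-", "UNCONFINED" if flag else "ok")
```
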
