Merge lp://staging/~sdeziel/apparmor/usr.sbin.sshd-refresh into lp://staging/apparmor/2.12
| Status: | Merged |
|---|---|
| Merged at revision: | 3441 |
| Proposed branch: | lp://staging/~sdeziel/apparmor/usr.sbin.sshd-refresh |
| Merge into: | lp://staging/apparmor/2.12 |
| Diff against target: |
285 lines (+109/-130) 2 files modified
profiles/apparmor.d/abstractions/libpam-systemd (+19/-0) profiles/apparmor/profiles/extras/usr.sbin.sshd (+90/-130) |
| To merge this branch: | bzr merge lp://staging/~sdeziel/apparmor/usr.sbin.sshd-refresh |
| Related bugs: |
| Reviewer | Review Type | Date Requested | Status |
|---|---|---|---|
| Seth Arnold | Approve | ||
|
Review via email:
|
|||
Description of the change
The proposed profile has been extensively tested on 14.04 (OpenSSH 6.6p1) and very recently also on 16.04 (OpenSSH 7.2p2). The proposed profile includes everything that was in [0]. Also in that thread, Seth Arnold suggested [1] to put the libpam-systemd rules into an abstraction. I hope I got this right.
I tried to break the profile update into smaller chunks but finally gave up because none of the individual commits would have been working on their own.
For those testing the profile, there is (and always have been AFAICT) a huge limitation with it: one cannot use other AA profiles from the resulting SSH shell. In short, the following wouldn't work:
ssh root@localhost tcpdump -ni lo -c 10
As tcpdump (also confined by AA) would be unable to output to the console. For the curious, please refer to John Johansen's excellent explanation in [2].
Fortunately, I was able to find a (work|hack)around:
cat << "EOF" > /etc/profile.
# kludge to change pts if PPID is contained by sshd's Apparmor profile
if echo "$-" | grep -qF i && [ -e "/proc/
grep -qw '^/usr/sbin/sshd' "/proc/
exec script --quiet --return --command "$SHELL -l" /dev/null
fi
EOF
Not pretty but it works.
Feedback/
0: https:/
1: https:/
2: https:/
| Simon Déziel (sdeziel) wrote | # |
ping?