# ------------------------------------------------------------------ # # Copyright (C) 2002-2005 Novell/SUSE # Copyright (C) 2012 Canonical Ltd. # Copyright (C) 2015-2016 Simon Deziel # # This program is free software; you can redistribute it and/or # modify it under the terms of version 2 of the GNU General Public # License published by the Free Software Foundation. # # ------------------------------------------------------------------ # will need to revalidate this profile once we finish re-architecting # the change_hat patch. # # vim:syntax=apparmor abi , include /usr/sbin/sshd { include include include include include include include capability sys_chroot, capability sys_resource, capability sys_tty_config, capability net_bind_service, capability chown, capability fowner, capability kill, capability setgid, capability setuid, capability audit_control, capability audit_write, capability dac_override, capability dac_read_search, capability sys_ptrace, # sshd doesn't require net_admin. libpam-systemd tries to # use it if available to set the send/receive buffers size, # but will fall back to a non-privileged version if it fails. deny capability net_admin, # needed when /proc is mounted with hidepid>=1 ptrace (read,trace) peer="unconfined", unix (bind) type=stream addr="@*/bus/sshd/system", dbus (send) bus=system path=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager member=CreateSessionWithPIDFD peer=(label=unconfined), /dev/ptmx rw, /dev/pts/[0-9]* rw, /dev/urandom r, /etc/default/locale r, /etc/environment r, /etc/modules.conf r, /etc/security/** r, /etc/ssh/** r, /etc/ssl/openssl.cnf r, /usr/sbin/sshd mrix, /usr/share/ssh/blacklist.* r, /var/log/btmp rw, owner @{run}/sshd{,.init}.pid wl, @{HOME}/.ssh/authorized_keys{,2} r, @{PROC}/cmdline r, @{PROC}/1/environ r, @{PROC}/@{pids}/fd/ r, # pid of the just-logged in user's shell owner @{PROC}/@{pid}/loginuid rw, owner @{PROC}/@{pid}/limits r, owner @{PROC}/@{pid}/uid_map r, owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/oom_adj rw, owner @{PROC}/@{pid}/oom_score_adj rw, @{run}/systemd/notify w, @{sys}/fs/cgroup/*/user/*/[0-9]*/ rw, @{sys}/fs/cgroup/systemd/user.slice/user-[0-9]*.slice/session-c[0-9]*.scope/ rw, /{usr/,}bin/ash Uxr, /{usr/,}bin/bash Uxr, /{usr/,}bin/bash2 Uxr, /{usr/,}bin/bsh Uxr, /{usr/,}bin/csh Uxr, /{usr/,}bin/dash Uxr, /{usr/,}bin/ksh Uxr, /{usr/,}bin/sh Uxr, /{usr/,}bin/tcsh Uxr, /{usr/,}bin/zsh Uxr, /{usr/,}bin/zsh4 Uxr, /{usr/,}bin/zsh5 Uxr, /{usr/,}sbin/nologin Uxr, /{usr/,}bin/false Uxr, # XXX: this needs to be enabled otherwise we risk locking out a user # Call passwd for password change when expired /usr/bin/passwd Cx -> passwd, # to set memory protection for passwd @{PROC}/@{pid}/task/@{pid}/attr/exec w, profile passwd { include include include capability audit_write, capability chown, capability fsetid, capability setuid, capability setgid, /usr/bin/passwd r, /dev/pts/[0-9]* rw, @{run}/utmp rwk, owner /etc/.pwd.lock rwk, owner /etc/nshadow rw, owner /etc/shadow rw, owner @{PROC}/@{pid}/loginuid r, # XXX: put into another subprofile? /usr/bin/gnome-keyring-daemon ix, capability ipc_lock, owner @{PROC}/@{pid}/status r, owner @{HOME}/.cache/keyring-*/ rw, owner @{HOME}/.cache/keyring-*/control rw, } /etc/legal r, /etc/motd r, @{run}/motd{,.dynamic}{,.new} rw, @{run}/motd.d/ r, @{run}/motd.d/* r, owner @{HOME}/.cache/ w, owner @{HOME}/.cache/motd.legal-displayed w, /tmp/krb5cc* wk, /tmp/ssh-[a-zA-Z0-9]*/ w, /tmp/ssh-[a-zA-Z0-9]*/agent.[0-9]* wl, # for internal-sftp / r, /** r, owner /** rwl, /usr/lib/openssh/sftp-server PUx, # Site-specific additions and overrides. See local/README for details. include if exists }