From c61181b5484ea5b591d83f46d4e4f8ee944ce605 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Mon, 2 May 2022 17:56:06 +0100
Subject: [PATCH] feat(profiles): add sshd profile.
---
 apparmor.d/groups/ssh/sftp-server | 16 +++++
 apparmor.d/groups/ssh/sshd | 97 +++++++++++++++++++++++++++++++
 dists/flags/main.flags | 2 +
 3 files changed, 115 insertions(+)
 create mode 100644 apparmor.d/groups/ssh/sftp-server
 create mode 100644 apparmor.d/groups/ssh/sshd
diff --git a/apparmor.d/groups/ssh/sftp-server b/apparmor.d/groups/ssh/sftp-server
new file mode 100644
index 00000000..3cd08f48
--- /dev/null
+++ b/apparmor.d/groups/ssh/sftp-server
@@ -0,0 +1,16 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}lib/openssh/sftp-server
+profile sftp-server @{exec_path} {
+ include
+
+ @{exec_path} mr,
+
+ include if exists
+}
\ No newline at end of file
diff --git a/apparmor.d/groups/ssh/sshd b/apparmor.d/groups/ssh/sshd
new file mode 100644
index 00000000..0ef2b816
--- /dev/null
+++ b/apparmor.d/groups/ssh/sshd
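Review bot: The sftp-server profile grants only `@{exec_path} mr` and has no file rules for the data an SFTP session actually serves, so once the `complain` flag added in dists/flags/main.flags is dropped every transfer would be denied; sshd hands over with `rPx`, so the sshd rules do not cover it either. If the intent is to start from an empty profile and fill it from complain-mode logs, say so in the profile, e.g. `# Placeholder: user data access rules still to be collected in complain mode`. Otherwise the `# For scp` rules in the sshd profile (`owner @{HOME}/@{XDG_DOWNLOAD_DIR}/{,**} rwl,` and `owner @{user_sync_dirs}/{,**} rwl,`) look like the natural starting point here as well. The file also ends without a trailing newline.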
@@ -0,0 +1,97 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2002-2005 Novell/SUSE
+# Copyright (C) 2012 Canonical Ltd.
+# Copyright (C) 2015-2016 Simon Deziel
+# Copyright (C) 2022 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Adapted from https://gitlab.com/apparmor/apparmor/-/blob/master/profiles/apparmor/profiles/extras/usr.sbin.sshd
+
+# As SSH is used to administrate a server this is limited.
+# If you want real protection disallow SSH access.
+
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}{s,}bin/sshd
+profile sshd @{exec_path} flags=(attach_disconnected) {
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+
+ capability audit_write,
+ capability chown,
+ capability dac_read_search,
+ capability kill,
+ capability net_bind_service,
+ capability setgid,
+ capability setuid,
+ capability sys_chroot,
+ capability sys_resource,
+
+ # sshd doesn't require net_admin. libpam-systemd tries to
+ # use it if available to set the send/receive buffers size,
+ # but will fall back to a non-privileged version if it fails.
+ deny capability net_admin,
+
+ ptrace (read,trace) peer=unconfined,
+
+ @{exec_path} mrix,
+
+ /{usr/,}bin/{,b,d,rb}ash rUx,
+ /{usr/,}bin/{c,k,tc,z}sh rUx,
+ /{usr/,}{s,}bin/nologin rPx,
+ /{usr/,}bin/false rix,
+ /{usr/,}bin/passwd rPx,
+ /{usr/,}lib/openssh/sftp-server rPx,
+
+ /etc/default/locale r,
+ /etc/environment r,
+ /etc/gss/mech.d/{,*} r,
+ /etc/security/limits.d/ r,
+ /etc/motd r,
+
+ /etc/ssh/ssh_host_* r,
+ /etc/ssh/sshd_config r,
+ /etc/ssh/sshd_config.d/{,*} r,
+
+ # For scp
+ owner @{HOME}/@{XDG_DOWNLOAD_DIR}/{,**} rwl,
+ owner @{user_sync_dirs}/{,**} rwl,
+
+ owner @{HOME}/@{XDG_SSH_DIR}/authorized_keys{,.*} r,
+
+ owner @{run}/sshd{,.init}.pid wl,
+ @{run}/motd.dynamic rw,
+ @{run}/motd.dynamic.new rw,
+ @{run}/resolvconf/resolv.conf r,
+ @{run}/systemd/sessions/[0-9]*.ref rw,
+ @{run}/systemd/userdb/ r,
+
+ @{sys}/fs/cgroup/*/user/*/[0-9]*/ rw,
+ @{sys}/fs/cgroup/systemd/user.slice/user-[0-9]*.slice/session-c[0-9]*.scope/ rw,
+
+ owner @{PROC}/@{pid}/limits r,
+ owner @{PROC}/@{pid}/loginuid rw,
+ owner @{PROC}/@{pid}/mounts r,
+ owner @{PROC}/@{pid}/oom_adj rw,
+ owner @{PROC}/@{pid}/oom_score_adj rw,
+ owner @{PROC}/@{pid}/uid_map r,
+ @{PROC}/@{pids}/fd/ r,
+ @{PROC}/1/environ r,
+ @{PROC}/cmdline r,
+ @{PROC}/cmdline r,
+ @{PROC}/filesystems r,
+ @{PROC}/sys/kernel/ngroups_max r,
+
+ /dev/ptmx rw,
+
+ include if exists
+}
\ No newline at end of file
diff --git a/dists/flags/main.flags b/dists/flags/main.flags
index 951c53f9..09589e1e 100644
--- a/dists/flags/main.flags
+++ b/dists/flags/main.flags
@@ -72,8 +72,10 @@ run-parts complain
 runuser complain
 s3fs complain
 scrcpy complain
+sftp-server complain
 slirp4netns attach_disconnected,complain
 ssh complain
+sshd attach_disconnected,complain
 su complain
 sudo complain
 sysctl complain
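Review bot: `@{PROC}/cmdline r,` appears twice in the /proc block near the end of the sshd profile; the second copy is redundant and should be dropped. `ptrace (read,trace) peer=unconfined,` is broader than the rest of the profile suggests: no `capability sys_ptrace` is granted, and if sshd only needs to read /proc entries of unconfined peers (as the `@{PROC}/1/environ` and `@{PROC}/@{pids}/fd/` rules suggest), `ptrace (read) peer=unconfined,` would be the tighter rule — worth confirming from complain-mode logs before enforcing. `capability sys_chroot` is granted but I do not see a rule for the directory the privilege-separated child chroots into (that path is distribution-specific, so this is inferred rather than visible here), which complain mode should surface. Like sftp-server, the file ends without a trailing newline.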