apparmor/profiles/extras/usr.sbin.sshd
Steve Beattie 7a1a415557 Update svn:keywords properties.
Fix makefile to find new common/ location.
2006-04-12 20:35:41 +00:00


# $Id$
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2005 Novell/SUSE
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
# NOTE: this profile will need to be revalidated once the change_hat patch
# has been re-architected.
#
# vim:syntax=apparmor
#include <tunables/global>
# Profile for the OpenSSH daemon binary. The rules directly inside this block
# confine sshd itself; the ^NAME blocks further down are hats (subprofiles),
# one per phase of a connection, intended for a change_hat-aware sshd.
/usr/sbin/sshd {
#include <abstractions/authentication>
#include <abstractions/base>
#include <abstractions/consoles>
#include <abstractions/nameservice>
#include <abstractions/wutmp>
# Capabilities of the parent profile. This is the union of what the hats
# below request (sys_chroot, sys_tty_config, chown, setgid, setuid) plus
# net_bind_service (bind to ports below 1024), fowner and kill, which are
# granted only here.
capability sys_chroot,
capability sys_tty_config,
capability net_bind_service,
capability chown,
capability fowner,
capability kill,
capability setgid,
capability setuid,
/dev/ptmx rw,
/dev/urandom r,
# TCP-wrappers access control files.
/etc/hosts.allow r,
/etc/hosts.deny r,
# NOTE(review): why sshd needs modules.conf is not evident from this file.
/etc/modules.conf r,
# A single '*' does not cross '/', so this grants read on every file
# directly under /etc/ssh, including whatever key material is stored
# there. It also already covers the /etc/ssh/moduli rule repeated below.
/etc/ssh/* r,
# px = execute with a transition to the profile attached to the target
# path. NOTE(review): this expects a profile for the dynamic loader to be
# loaded; confirm one exists, since px does not fall back to unconfined.
/lib64/ld-*.so px,
/lib/ld-*.so px,
# sshd may read and re-execute its own binary; px keeps the new process
# under this same profile.
/usr/sbin/sshd rpx,
# NOTE(review): no trailing slash, so this names /var/run itself rather than
# entries beneath it; confirm the intent.
/var/run w,
# Brace alternation: matches sshd.pid and sshd.init.pid (w = write, l = link).
/var/run/sshd{,.init}.pid wl,
/proc/[0-9]*/fd r,
# should only be here for use in non-change-hat openssh
# duplicated from EXEC hat
# ux = execute unconfined: the login shell, and everything the user starts
# from it, leaves AppArmor confinement at this point. Lowercase ux does not
# request environment scrubbing on exec (the Ux form does). The profile
# therefore constrains sshd's own code paths, not the user session.
/bin/ash ux,
/bin/bash ux,
/bin/bash2 ux,
/bin/bsh ux,
/bin/csh ux,
/bin/ksh ux,
/bin/sh ux,
/bin/tcsh ux,
/bin/zsh ux,
/sbin/nologin ux,
# stuff duplicated from PRIVSEP_MONITOR
# These copies widen the parent profile to what the hat allows, so a process
# that never changes hat holds all of these permissions at once.
@{HOME}/.ssh/authorized_keys{,2} r,
/dev/pts/[0-9]* rw,
/etc/ssh/moduli r,
/proc/sys/kernel/ngroups_max r,
/proc/[0-9]*/mounts r,
# duplicated from AUTHENTICATED
# Only these two AUTHENTICATED rules are repeated here; the hat's other paths
# (/dev/log, /etc/default/passwd, /etc/localtime, /etc/login.defs) are not.
# NOTE(review): presumably the abstractions cover them; verify.
/etc/motd r,
# Pattern looks like the per-session agent forwarding socket path.
/tmp/ssh-*/agent.[0-9]* rwl,
#
# default subprofile for when sshd has authenticated the user
#
# Grants no capabilities; beyond the base abstraction it only permits
# launching the listed shells unconfined (ux).
^EXEC {
#include <abstractions/base>
/bin/ash ux,
/bin/bash ux,
/bin/bash2 ux,
/bin/bsh ux,
/bin/csh ux,
/bin/ksh ux,
/bin/sh ux,
/bin/tcsh ux,
/bin/zsh ux,
/sbin/nologin ux,
# for debugging
# /dev/pts/[0-9]* rw,
}
#
# subprofile for handling network input (privilege separated child)
#
# The narrowest hat in the file: no file rules of its own beyond the two
# abstractions, and only the capabilities needed to chroot and change ids.
^PRIVSEP {
#include <abstractions/base>
#include <abstractions/nameservice>
capability sys_chroot,
capability setuid,
capability setgid,
# for debugging
# /dev/pts/[0-9]* rw,
}
#
# subprofile that handles authentication requests from the privilege
# separated child
#
^PRIVSEP_MONITOR {
#include <abstractions/authentication>
#include <abstractions/base>
#include <abstractions/nameservice>
#include <abstractions/wutmp>
capability setuid,
capability setgid,
capability chown,
# Matches authorized_keys and authorized_keys2 under each home directory;
# @{HOME} is a variable this file does not define (presumably supplied by
# the tunables include at the top of the file).
@{HOME}/.ssh/authorized_keys{,2} r,
/dev/ptmx rw,
# Active in this hat, unlike the other hats where the same rule appears only
# as a commented-out debugging line.
/dev/pts/[0-9]* rw,
/dev/urandom r,
/etc/hosts.allow r,
/etc/hosts.deny r,
/etc/ssh/moduli r,
/proc/sys/kernel/ngroups_max r,
/proc/[0-9]*/mounts r,
# for debugging
# /dev/pts/[0-9]* rw,
}
#
# subprofile for post-authentication period until the user's shell is spawned
#
# NOTE(review): unlike the other three hats this one does not include
# abstractions/base; confirm that is intentional.
^AUTHENTICATED {
#include <abstractions/authentication>
#include <abstractions/consoles>
#include <abstractions/nameservice>
#include <abstractions/wutmp>
capability sys_tty_config,
capability setgid,
capability setuid,
/dev/log w,
/dev/ptmx rw,
/etc/default/passwd r,
/etc/localtime r,
/etc/login.defs r,
/etc/motd r,
/proc/sys/kernel/ngroups_max r,
/tmp/ssh-*/agent.[0-9]* rwl,
# for debugging
# /dev/pts/[0-9]* rw,
}
}