Hello,

On Tuesday, 31 January 2023, 19:20:38 CET, Antoine Beaupré wrote:
> so something is happening with apparmor here. it looks like profiles
> are "piling up" in some way, with something like this:
>
> /usr/sbin/sshd//null-/usr/bin/bash//null-/usr/bin/sudo//null-/usr/bin/
> apt//null-/usr/bin/dash//null-/usr/bin/etckeeper//null-/etc/etckeeper/
> pre-install.d/50uncommitted-changes//null-/usr/bin/etckeeper//null-/us
> r/bin/perl

That means sshd executed /usr/bin/bash (without having an execute rule),
and bash executed /usr/bin/sudo, which executed /usr/bin/apt, and so on.

I'm somewhat surprised about that because the upstream profile for sshd
has the following rule since Dec 3 2016:

    /{usr/,}bin/bash Uxr,

This rule should allow executing /bin/bash and /usr/bin/bash in
unconfined mode (= without AppArmor restrictions) - and therefore should
also avoid the long chain you see.

However, your log looks like your profile does not allow executing
/usr/bin/bash.

Now I wonder - does your sshd profile lack this line/rule?
(If in doubt, please attach the complete profile.)

Regards,

Christian Boltz
-- 
But you are probably also complaining if local root exploits in the
kernel are fixed, because now you no longer can use that to become
root easily... [Stefan Seyfried in opensuse-factory]
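An added example, not part of the original message or of AppArmor's own tooling: it splits the stacked label quoted above into its exec chain and checks whether a profile's text has an exec rule covering the first hop, expanding the `{usr/,}` alternation. The two profile snippets are constructed samples, the function names are hypothetical, and only literal paths and brace alternations are handled (no globs).

```python
import re

# Stacked label from the quoted log, with the mail client's line wraps rejoined.
LABEL = ("/usr/sbin/sshd//null-/usr/bin/bash//null-/usr/bin/sudo//null-/usr/bin/apt"
         "//null-/usr/bin/dash//null-/usr/bin/etckeeper"
         "//null-/etc/etckeeper/pre-install.d/50uncommitted-changes"
         "//null-/usr/bin/etckeeper//null-/usr/bin/perl")

# Constructed sample profiles (not the real upstream sshd profile).
WITH_RULE = """/usr/sbin/sshd {
  include <abstractions/base>
  /etc/ssh/** r,
  /{usr/,}bin/bash Uxr,   # rule quoted in the reply
}"""
WITHOUT_RULE = WITH_RULE.replace("  /{usr/,}bin/bash Uxr,   # rule quoted in the reply\n", "")

def exec_chain(label):
    """Split a stacked label into [profile, 1st exec, 2nd exec, ...]."""
    return label.split("//null-")

def expand_braces(pattern):
    """Expand {a,b} alternations into the literal paths they cover."""
    m = re.search(r"\{([^{}]*)\}", pattern)
    if not m:
        return [pattern]
    return [p for alt in m.group(1).split(",")
            for p in expand_braces(pattern[:m.start()] + alt + pattern[m.end():])]

def exec_rule_for(profile_text, target):
    """Return the mode (e.g. 'Uxr') of the first exec rule covering target, else None."""
    for line in profile_text.splitlines():
        parts = line.split("#", 1)[0].strip().rstrip(",").split()
        if len(parts) == 2 and parts[0].startswith("/") and "x" in parts[1]:
            if target in expand_braces(parts[0]):
                return parts[1]
    return None

if __name__ == "__main__":
    chain = exec_chain(LABEL)
    print(" -> ".join(chain))
    for name, text in (("with rule", WITH_RULE), ("without rule", WITHOUT_RULE)):
        print(name, "| first hop", chain[1], "| exec rule:", exec_rule_for(text, chain[1]))
```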