On 2023-01-31 23:57:04, Christian Boltz wrote:
> Hello,
>
> Am Dienstag, 31. Januar 2023, 19:20:38 CET schrieb Antoine Beaupré:
>> so something is happening with apparmor here. it looks like profile
>> are "piling up" in some way, with something like this:
>>
>> /usr/sbin/sshd//null-/usr/bin/bash//null-/usr/bin/sudo//null-/usr/bin/
>> apt//null-/usr/bin/dash//null-/usr/bin/etckeeper//null-/etc/etckeeper/
>> pre-install.d/50uncommitted-changes//null-/usr/bin/etckeeper//null-/us
>> r/bin/perl
>
> That means sshd executed /usr/bin/bash (without having an execute rule),
> and bash executed /usr/bin/sudo, which executed /usr/bin/apt, and so on.
>
> I'm somewhat surprised about that because the upstream profile for sshd
> has the following rule since Dec 3 2016 :
>
> /{usr/,}bin/bash Uxr,
>
> This rule should allow to execute /bin/bash and /usr/bin/bash in
> unconfined mode (= without AppArmor restrictions) - and therefore should
> also avoid the long chain you see.
>
> However, your log looks like your profile does not allow executing
> /usr/bin/bash.
>
> Now I wonder - does your sshd profile lack this line/rule?
> (If in doubt, please attach the complete profile.)
Okay, this is interesting. In the current state, the server has no file
in /etc/apparmor.d/usr.sbin.sshd at all. The apparmor package doesn't
ship such a file.
When I purged `apparmor` package, I still had a bunch of files in
/etc/apparmor.d and I'm not sure where those were coming from. Here's
the commit where I purged them manually before reinstalling apparmor:
commit 6ee1bc96eca9b7b94c1d17bdc41108be0fca3dcb
Author: Antoine Beaupré <anar...@debian.org>
Date: Tue Jan 31 13:44:46 2023 -0500
saving uncommitted changes in /etc prior to apt run
.etckeeper | 1 -
apparmor.d/abstractions/libvirt-lxc | 121 ----------
apparmor.d/abstractions/libvirt-qemu | 259 ---------------------
apparmor.d/abstractions/tor | 33 ---
apparmor.d/bin.netstat | 41 ----
apparmor.d/disable/torbrowser.start-tor-browser | 1 -
apparmor.d/disable/usr.bin.tcpdump | 1 -
apparmor.d/etc.cron.daily.logrotate | 57 -----
apparmor.d/etc.cron.daily.slocate.cron | 26 ---
apparmor.d/etc.cron.daily.tmpwatch | 23 --
apparmor.d/libvirt/TEMPLATE.lxc | 15 --
apparmor.d/libvirt/TEMPLATE.qemu | 9 -
.../libvirt-123003cb-fe9c-4afa-beef-ca3a32510061 | 11 -
.../libvirt-55a7efd5-53cd-469a-bf33-b088e716a435 | 11 -
...virt-55a7efd5-53cd-469a-bf33-b088e716a435.files | 17 --
.../libvirt-8bfd965a-9bb2-4a9c-bf2e-4dae08c027cd | 11 -
.../libvirt-a419db66-07ad-4a7a-a8a5-898c003e841a | 11 -
.../libvirt-a7d08ac4-7a5e-4bb0-89c4-3eed13c476bc | 11 -
.../libvirt-efd1e136-2f85-4356-a7c1-60f6cb502306 | 11 -
apparmor.d/local/abstractions/libvirt-lxc | 0
apparmor.d/local/abstractions/libvirt-qemu | 0
apparmor.d/local/gst_plugin_scanner | 2 -
apparmor.d/local/sbin.dhclient | 0
apparmor.d/local/system_tor | 2 -
apparmor.d/local/torbrowser.start-tor-browser | 2 -
apparmor.d/local/usr.bin.chromium-browser | 2 -
apparmor.d/local/usr.bin.freshclam | 2 -
apparmor.d/local/usr.bin.man | 0
apparmor.d/local/usr.bin.tcpdump | 0
apparmor.d/local/usr.lib.dovecot.anvil | 2 -
apparmor.d/local/usr.lib.dovecot.auth | 2 -
apparmor.d/local/usr.lib.dovecot.config | 2 -
apparmor.d/local/usr.lib.dovecot.deliver | 2 -
apparmor.d/local/usr.lib.dovecot.dict | 2 -
apparmor.d/local/usr.lib.dovecot.dovecot-auth | 2 -
apparmor.d/local/usr.lib.dovecot.dovecot-lda | 2 -
apparmor.d/local/usr.lib.dovecot.imap | 2 -
apparmor.d/local/usr.lib.dovecot.imap-login | 2 -
apparmor.d/local/usr.lib.dovecot.lmtp | 2 -
apparmor.d/local/usr.lib.dovecot.log | 2 -
apparmor.d/local/usr.lib.dovecot.managesieve | 2 -
apparmor.d/local/usr.lib.dovecot.managesieve-login | 2 -
apparmor.d/local/usr.lib.dovecot.pop3 | 2 -
apparmor.d/local/usr.lib.dovecot.pop3-login | 2 -
apparmor.d/local/usr.lib.dovecot.ssl-params | 2 -
apparmor.d/local/usr.lib.libvirt.virt-aa-helper | 0
apparmor.d/local/usr.sbin.chronyd | 0
apparmor.d/local/usr.sbin.dovecot | 2 -
apparmor.d/local/usr.sbin.libvirtd | 0
apparmor.d/local/usr.sbin.mysqld | 2 -
apparmor.d/local/usr.sbin.tcpdump | 2 -
apparmor.d/local/usr.sbin.unbound | 0
apparmor.d/sbin.dhclient | 111 ---------
apparmor.d/sbin.dhcpcd | 45 ----
apparmor.d/sbin.portmap | 25 --
apparmor.d/sbin.resmgrd | 32 ---
apparmor.d/sbin.rpc.lockd | 16 --
apparmor.d/sbin.rpc.statd | 29 ---
apparmor.d/system_tor | 25 --
apparmor.d/usr.NX.bin.nxclient | 37 ---
apparmor.d/usr.bin.acroread | 60 -----
apparmor.d/usr.bin.apropos | 26 ---
apparmor.d/usr.bin.evolution-2.10 | 156 -------------
apparmor.d/usr.bin.fam | 22 --
apparmor.d/usr.bin.freshclam | 47 ----
apparmor.d/usr.bin.gaim | 67 ------
apparmor.d/usr.bin.man | 113 ---------
apparmor.d/usr.bin.mlmmj-bounce | 22 --
apparmor.d/usr.bin.mlmmj-maintd | 36 ---
apparmor.d/usr.bin.mlmmj-make-ml.sh | 44 ----
apparmor.d/usr.bin.mlmmj-process | 29 ---
apparmor.d/usr.bin.mlmmj-recieve | 20 --
apparmor.d/usr.bin.mlmmj-send | 25 --
apparmor.d/usr.bin.mlmmj-sub | 28 ---
apparmor.d/usr.bin.mlmmj-unsub | 27 ---
apparmor.d/usr.bin.opera | 75 ------
apparmor.d/usr.bin.passwd | 35 ---
apparmor.d/usr.bin.procmail | 41 ----
apparmor.d/usr.bin.skype | 80 -------
apparmor.d/usr.bin.spamc | 20 --
apparmor.d/usr.bin.svnserve | 33 ---
apparmor.d/usr.bin.tcpdump | 69 ------
apparmor.d/usr.bin.wireshark | 44 ----
apparmor.d/usr.bin.xfs | 24 --
apparmor.d/usr.lib.GConf.2.gconfd-2 | 34 ---
apparmor.d/usr.lib.RealPlayer10.realplay | 50 ----
apparmor.d/usr.lib.bonobo.bonobo-activation-server | 25 --
...volution-data-server.evolution-data-server-1.10 | 40 ----
apparmor.d/usr.lib.firefox.firefox | 128 ----------
apparmor.d/usr.lib.firefox.firefox.sh | 19 --
apparmor.d/usr.lib.firefox.mozilla-xremote-client | 21 --
apparmor.d/usr.lib.libvirt.virt-aa-helper | 76 ------
apparmor.d/usr.lib.postfix.anvil | 28 ---
apparmor.d/usr.lib.postfix.bounce | 36 ---
apparmor.d/usr.lib.postfix.cleanup | 33 ---
apparmor.d/usr.lib.postfix.discard | 18 --
apparmor.d/usr.lib.postfix.error | 20 --
apparmor.d/usr.lib.postfix.flush | 44 ----
apparmor.d/usr.lib.postfix.lmtp | 20 --
apparmor.d/usr.lib.postfix.local | 45 ----
apparmor.d/usr.lib.postfix.master | 47 ----
apparmor.d/usr.lib.postfix.nqmgr | 47 ----
apparmor.d/usr.lib.postfix.oqmgr | 20 --
apparmor.d/usr.lib.postfix.pickup | 25 --
apparmor.d/usr.lib.postfix.pipe | 17 --
apparmor.d/usr.lib.postfix.proxymap | 25 --
apparmor.d/usr.lib.postfix.qmgr | 46 ----
apparmor.d/usr.lib.postfix.qmqpd | 20 --
apparmor.d/usr.lib.postfix.scache | 23 --
apparmor.d/usr.lib.postfix.showq | 44 ----
apparmor.d/usr.lib.postfix.smtp | 48 ----
apparmor.d/usr.lib.postfix.smtpd | 63 -----
apparmor.d/usr.lib.postfix.spawn | 20 --
apparmor.d/usr.lib.postfix.tlsmgr | 25 --
apparmor.d/usr.lib.postfix.trivial-rewrite | 26 ---
apparmor.d/usr.lib.postfix.verify | 20 --
apparmor.d/usr.lib.postfix.virtual | 26 ---
apparmor.d/usr.lib64.GConf.2.gconfd-2 | 34 ---
apparmor.d/usr.sbin.chronyd | 85 -------
apparmor.d/usr.sbin.dhcpd | 37 ---
apparmor.d/usr.sbin.httpd2-prefork | 179 --------------
apparmor.d/usr.sbin.imapd | 24 --
apparmor.d/usr.sbin.in.fingerd | 23 --
apparmor.d/usr.sbin.in.ftpd | 38 ---
apparmor.d/usr.sbin.in.ntalkd | 20 --
apparmor.d/usr.sbin.ipop2d | 24 --
apparmor.d/usr.sbin.ipop3d | 24 --
apparmor.d/usr.sbin.libvirtd | 145 ------------
apparmor.d/usr.sbin.lighttpd | 64 -----
apparmor.d/usr.sbin.mariadbd | 15 --
apparmor.d/usr.sbin.oidentd | 30 ---
apparmor.d/usr.sbin.popper | 25 --
apparmor.d/usr.sbin.postalias | 35 ---
apparmor.d/usr.sbin.postdrop | 34 ---
apparmor.d/usr.sbin.postmap | 25 --
apparmor.d/usr.sbin.postqueue | 33 ---
apparmor.d/usr.sbin.sendmail | 93 --------
apparmor.d/usr.sbin.sendmail.postfix | 51 ----
apparmor.d/usr.sbin.sendmail.sendmail | 48 ----
apparmor.d/usr.sbin.spamd | 40 ----
apparmor.d/usr.sbin.squid | 63 -----
apparmor.d/usr.sbin.sshd | 180 --------------
apparmor.d/usr.sbin.unbound | 56 -----
apparmor.d/usr.sbin.useradd | 50 ----
apparmor.d/usr.sbin.userdel | 51 ----
apparmor.d/usr.sbin.vsftpd | 35 ---
apparmor.d/usr.sbin.xinetd | 71 ------
147 files changed, 4992 deletions(-)
I *think* those are some "extra" profiles I might have manually deployed
at some point.
Now that I dig in the apparmor-profiles, I found a
/usr/share/apparmor/extra-profiles/ directory and there *is* a
usr.sbin.sshd profile in there. So I'm not sure what happened here,
maybe I deployed those by hand but they never got updated?
I also am a little confused by apparmor-profiles shipping an
"extra-profiles" directory *and* having at the same time an
apparmor-profiles-extra that only ships a handful of profiles... It's
all very confusing...
Here's that old profile that was causing problems:
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2005 Novell/SUSE
# Copyright (C) 2012 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
# will need to revalidate this profile once we finish re-architecting
# the change_hat patch.
#
# vim:syntax=apparmor
#include <tunables/global>
/usr/sbin/sshd flags=(complain) {
#include <abstractions/authentication>
#include <abstractions/base>
#include <abstractions/consoles>
#include <abstractions/nameservice>
#include <abstractions/wutmp>
#include <abstractions/openssl>
capability sys_chroot,
capability sys_tty_config,
capability net_bind_service,
capability chown,
capability fowner,
capability kill,
capability setgid,
capability setuid,
capability audit_control,
capability audit_write,
/dev/ptmx rw,
/dev/urandom r,
/etc/default/locale r,
/etc/environment r,
/etc/hosts.allow r,
/etc/hosts.deny r,
/etc/modules.conf r,
/etc/ssh/* r,
/proc/*/oom_adj rw,
/proc/*/oom_score_adj rw,
/usr/sbin/sshd mrix,
/var/log/btmp rw,
/{,var/}run w,
/{,var/}run/sshd{,.init}.pid wl,
@{PROC}/[0-9]*/fd/ r,
@{PROC}/[0-9]*/loginuid w,
# should only be here for use in non-change-hat openssh
# duplicated from EXEC hat
/bin/ash rUx,
/bin/bash rUx,
/bin/bash2 rUx,
/bin/bsh rUx,
/bin/csh rUx,
/bin/dash rUx,
/bin/ksh rUx,
/bin/sh rUx,
/bin/tcsh rUx,
/bin/zsh rUx,
/bin/zsh4 rUx,
/sbin/nologin rUx,
# Call passwd for password change when expired
# /usr/bin/passwd Px,
# stuff duplicated from PRIVSEP_MONITOR
@{HOME}/.ssh/authorized_keys{,2} r,
/dev/pts/[0-9]* rw,
/etc/ssh/moduli r,
@{PROC}/[0-9]*/mounts r,
# duplicated from AUTHENTICATED
/etc/motd r,
/{,var/}run/motd r,
/tmp/ssh-*/agent.[0-9]* rwl,
/tmp/ssh-*[0-9]*/ w,
#
# default subprofile for when sshd has authenticated the user
#
^EXEC flags=(complain) {
#include <abstractions/base>
/bin/ash Ux,
/bin/bash Ux,
/bin/bash2 Ux,
/bin/bsh Ux,
/bin/csh Ux,
/bin/dash Ux,
/bin/ksh Ux,
/bin/sh Ux,
/bin/tcsh Ux,
/bin/zsh Ux,
/bin/zsh4 Ux,
/sbin/nologin Ux,
# for debugging
# /dev/pts/[0-9]* rw,
}
#
# subprofile for handling network input (privilege seperated child)
#
^PRIVSEP flags=(complain) {
#include <abstractions/base>
#include <abstractions/nameservice>
capability sys_chroot,
capability setuid,
capability setgid,
# for debugging
# /dev/pts/[0-9]* rw,
}
#
# subprofile that handles authentication requests from the privilege
# seperated child
#
^PRIVSEP_MONITOR flags=(complain) {
#include <abstractions/authentication>
#include <abstractions/base>
#include <abstractions/nameservice>
#include <abstractions/wutmp>
capability setuid,
capability setgid,
capability chown,
@{HOME}/.ssh/authorized_keys{,2} r,
/dev/ptmx rw,
/dev/pts/[0-9]* rw,
/dev/urandom r,
/etc/hosts.allow r,
/etc/hosts.deny r,
/etc/ssh/moduli r,
@{PROC}/[0-9]*/mounts r,
# for debugging
# /dev/pts/[0-9]* rw,
}
#
# subprofile for post-authentication period until the user's shell is spawned
#
^AUTHENTICATED flags=(complain) {
#include <abstractions/authentication>
#include <abstractions/consoles>
#include <abstractions/nameservice>
#include <abstractions/wutmp>
capability sys_tty_config,
capability setgid,
capability setuid,
/dev/log w,
/dev/ptmx rw,
/etc/default/passwd r,
/etc/localtime r,
/etc/login.defs r,
/etc/motd r,
/{,var/}run/motd r,
/tmp/ssh-*/agent.[0-9]* rwl,
/tmp/ssh-*[0-9]*/ w,
# for debugging
# /dev/pts/[0-9]* rw,
}
}
--
Il n'existe aucune limite sacrée ou non à l'action de l'homme dans
l'univers. Depuis nos origines nous avons le choix: être aveuglé par
la vérité ou coudre nos paupières.
- [no one is innocent]
