Hello,

On Wednesday, 1 February 2023, 16:00:06 CET, Antoine Beaupré wrote:
> On 2023-01-31 23:57:04, Christian Boltz wrote:
> > I'm somewhat surprised about that because the upstream profile for
> > sshd has the following rule since Dec 3 2016:
> >     /{usr/,}bin/bash Uxr,
[...]
> > Now I wonder - does your sshd profile lack this line/rule?
> > (If in doubt, please attach the complete profile.)
[...]
> I *think* those are some "extra" profiles I might have manually
> deployed at some point.

Possibly. That must have been years ago ;-)

> Now that I dig in the apparmor-profiles, I found a
> /usr/share/apparmor/extra-profiles/ directory and there *is* a
> usr.sbin.sshd profile in there. So I'm not sure what happened here,
> maybe I deployed those by hand but they never got updated?

Sounds like a valid explanation. The extra profiles never get copied to
/etc/apparmor.d/ automatically *), which also means they don't get
updated automatically.

*) only exception: aa-genprof offers to use them as starting point when
   creating a _new_ profile

> I also am a little confused by apparmor-profiles shipping an
> "extra-profiles" directory *and* having at the same time an
> apparmor-profiles-extra that only ships a handful of profiles... It's
> all very confusing...

That's something one of the Debian packagers needs to answer.
(I use another distribution, see my signature ;-)

> Here's that old profile that was causing problems:
[...]
> /usr/sbin/sshd flags=(complain) {
[...]
>   /bin/bash rUx,

That explains it - it doesn't allow /usr/bin/bash to be executed.

I'd recommend copying over the latest sshd profile from extra-profiles
to /etc/apparmor.d/.


Regards,

Christian Boltz
-- 
> Using the internet since 28.8kbit. Yes, I'm 'old'.
My first modem was 300 bits/sec, you young whipper snapper! ;-)
[> Yamaban and James Knott in opensuse-factory]
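The difference between the two bash rules quoted in the message above, as an added example that is not part of the original message and not AppArmor's own code: a small Python check that translates a subset of AppArmor path globs (`{a,b}`, `**`, `*`, `?`) into regexes and reports which rules in a profile cover a given binary path. The function names and the one-line sample profiles are assumptions constructed for illustration.

```python
import re

def aa_glob_to_regex(glob: str) -> re.Pattern:
    """Translate an AppArmor path glob into an anchored regex.

    Covers the subset needed for the rules quoted in the thread:
    {a,b} alternation (empty alternatives allowed, nestable), **, * and ?.
    """
    out, depth, i = [], 0, 0
    while i < len(glob):
        c = glob[i]
        if glob.startswith("**", i):
            out.append(".*")        # ** may cross directory separators
            i += 2
            continue
        if c == "*":
            out.append("[^/]*")     # * stays inside one path component
        elif c == "?":
            out.append("[^/]")
        elif c == "{":
            out.append("(?:")
            depth += 1
        elif c == "}" and depth:
            out.append(")")
            depth -= 1
        elif c == "," and depth:
            out.append("|")
        else:
            out.append(re.escape(c))
        i += 1
    if depth:
        raise ValueError(f"unbalanced '{{' in {glob!r}")
    return re.compile("".join(out) + r"\Z")

def rules_covering(profile_text: str, target: str) -> list[str]:
    """Return the 'path perms' rules in profile_text whose glob matches target."""
    hits = []
    for line in profile_text.splitlines():
        line = line.split("#", 1)[0].strip().rstrip(",")
        parts = line.split()
        # Two tokens, first an absolute path: a plain file rule.
        if len(parts) == 2 and parts[0].startswith("/"):
            if aa_glob_to_regex(parts[0]).match(target):
                hits.append(line)
    return hits

# Constructed one-line profiles holding only the two rules quoted in the thread.
OLD = "/bin/bash rUx,"
UPSTREAM = "/{usr/,}bin/bash Uxr,"
```

Running `rules_covering` over the deployed file in /etc/apparmor.d/ and the copy in /usr/share/apparmor/extra-profiles/ for the same target path shows whether the hand-deployed profile has fallen behind.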