/usr/sbin/sshd liviudm Mon Mar 30 15:51:16 +0200 2009 67 views
# $Id: usr.sbin.sshd 697 2007-05-25 03:09:30Z steve-beattie $
# ------------------------------------------------------------------
#
#    Copyright (C) 2002-2005 Novell/SUSE
#
#    This program is free software; you can redistribute it and/or
#    modify it under the terms of version 2 of the GNU General Public
#    License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
# will need to revalidate this profile once we finish re-architecting
# the change_hat patch.
#
# AppArmor profile for the OpenSSH daemon.  The ^AUTHENTICATED, ^EXEC,
# ^PRIVSEP and ^PRIVSEP_MONITOR sections are "hats" (sub-profiles) that
# an sshd built with change_hat support switches into as it moves
# through its phases.  Hats are separate profiles: rules of the parent
# are NOT inherited, which is why the #includes and capabilities are
# repeated inside each one.
#
# Every (sub)profile here carries flags=(complain): a rule violation is
# logged, not denied.  As written, the profile audits sshd rather than
# confining it; enforcement only starts once the complain flag is
# dropped from the profile and each hat.
#
# Execute-mode letters used below (AppArmor semantics):
#   Ux   run the target completely unconfined, environment scrubbed
#   ix   run the target under this same profile (inherit)
#   m    allow the file to be mapped executable (mmap PROT_EXEC)
#   l    allow creating links to the path
#

#include <tunables/global>

# @{HOME} and @{PROC} used below are variables from tunables/global.
/usr/sbin/sshd flags=(complain) {
  #include <abstractions/authentication>
  #include <abstractions/base>
  #include <abstractions/consoles>
  #include <abstractions/nameservice>
  #include <abstractions/wutmp>

  capability chown,
  capability fowner,
  capability kill,
  capability net_bind_service,
  capability setgid,
  capability setuid,
  capability sys_chroot,
  capability sys_tty_config,


  # Login shells are started unconfined (Ux): once a session shell is
  # exec'd, nothing the user runs afterwards is covered by this profile.
  /bin/ash Ux,
  /bin/bash Ux,
  /bin/bash2 Ux,
  /bin/bsh Ux,
  /bin/csh Ux,
  /bin/ksh Ux,
  /bin/sh Ux,
  /bin/tcsh Ux,
  /bin/zsh Ux,
  # pty allocation for interactive sessions
  /dev/ptmx rw,
  /dev/pts/[0-9]* rw,
  /dev/urandom r,
  /etc/environment r,
  # tcp_wrappers access lists
  /etc/hosts.allow r,
  /etc/hosts.deny r,
  /etc/modules.conf r,
  /etc/motd r,
  # Read of every entry directly under /etc/ssh/ ('*' does not cross
  # '/'): this is where sshd_config and the host keys live, and it
  # already covers moduli, so the explicit moduli rule is redundant.
  /etc/ssh/* r,
  /etc/ssh/moduli r,
  /sbin/nologin Ux,
  # NOTE(review): /tmp/ssh-*/ looks like the per-session agent-forwarding
  # socket directories -- confirm against the sshd version in use.
  /tmp/ssh-*/agent.[0-9]* rwl,
  /tmp/ssh-*[0-9]*/ w,
  # Re-exec of sshd itself stays under this profile (ix), not unconfined.
  /usr/sbin/sshd mrix,
  # pid file handling; 'l' additionally permits linking the pid file.
  /var/run w,
  /var/run/sshd{,.init}.pid wl,
  @{HOME}/.ssh/authorized_keys{,2} r,
  @{PROC}/[0-9]*/fd/ r,
  # NOTE(review): presumably the audit loginuid written at session
  # start (pam_loginuid) -- verify before enforcing.
  @{PROC}/[0-9]*/loginuid w,
  @{PROC}/[0-9]*/mounts r,


  # Hat entered after a user has authenticated.
  ^AUTHENTICATED flags=(complain) {
    #include <abstractions/authentication>
    #include <abstractions/consoles>
    #include <abstractions/nameservice>
    #include <abstractions/wutmp>

    capability setgid,
    capability setuid,
    capability sys_tty_config,


    /dev/log w,
    /dev/ptmx rw,
    /etc/default/passwd r,
    /etc/localtime r,
    /etc/login.defs r,
    /etc/motd r,
    /tmp/ssh-*/agent.[0-9]* rwl,
    /tmp/ssh-*[0-9]*/ w,

  }

  # Hat for launching the user's shell; only unconfined (Ux) targets,
  # so this hat's confinement ends at the exec.
  ^EXEC flags=(complain) {
    #include <abstractions/base>


    /bin/ash Ux,
    /bin/bash Ux,
    /bin/bash2 Ux,
    /bin/bsh Ux,
    /bin/csh Ux,
    /bin/ksh Ux,
    /bin/sh Ux,
    /bin/tcsh Ux,
    /bin/zsh Ux,
    /sbin/nologin Ux,

  }

  # Privilege-separation hat: capabilities only, no file rules beyond
  # what the included abstractions grant.
  ^PRIVSEP flags=(complain) {
    #include <abstractions/base>
    #include <abstractions/nameservice>

    capability setgid,
    capability setuid,
    capability sys_chroot,



  }

  # NOTE(review): by its name the privileged monitor side of privsep;
  # it keeps read access to authorized_keys and the tcp_wrappers lists.
  ^PRIVSEP_MONITOR flags=(complain) {
    #include <abstractions/authentication>
    #include <abstractions/base>
    #include <abstractions/nameservice>
    #include <abstractions/wutmp>

    capability chown,
    capability setgid,
    capability setuid,


    /dev/ptmx rw,
    /dev/pts/[0-9]* rw,
    /dev/urandom r,
    /etc/hosts.allow r,
    /etc/hosts.deny r,
    /etc/ssh/moduli r,
    @{HOME}/.ssh/authorized_keys{,2} r,
    @{PROC}/[0-9]*/mounts r,

  }
}
