[mirrors/AppArmor-Profiles.git] / usr.sbin.sshd

# Last Modified: Wed Jan 18 10:55:22 2012
# ------------------------------------------------------------------
#
#    Copyright (C) 2002-2005 Novell/SUSE
#
#    This program is free software; you can redistribute it and/or
#    modify it under the terms of version 2 of the GNU General Public
#    License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
# will need to revalidate this profile once we finish re-architecting
# the change_hat patch.
#

#include <tunables/global>

/usr/sbin/sshd {
  #include <abstractions/authentication>
  #include <abstractions/base>
  #include <abstractions/consoles>
  #include <abstractions/nameservice>
  #include <abstractions/wutmp>


  capability audit_control,
  capability chown,
  capability dac_override,
  capability fowner,
  capability fsetid,
  capability kill,
  capability net_bind_service,
  capability setgid,
  capability setuid,
  capability sys_chroot,
  capability sys_resource,
  capability sys_tty_config,


  /bin/ash rUx,
  /bin/bash rUx,
  /bin/bash2 rUx,
  /bin/bsh rUx,
  /bin/csh rUx,
  /bin/ksh rUx,
  /bin/sh rUx,
  /bin/tcsh rUx,
  /bin/zsh rUx,
  /dev/ptmx rw,
  /dev/pts/[0-9]* rw,
  /dev/urandom r,
  /etc/** r,
  /proc/*/oom_adj rw,
  /proc/*/oom_score_adj rw,
  /sbin/nologin rUx,
  /tmp/ssh-*/agent.[0-9]* rwl,
  /tmp/ssh-*[0-9]*/ w,
  /usr/sbin/sshd mrix,
  /var/log/* rw,
  /{,var/}run w,
  /{,var/}run/sshd{,.init}.pid wl,
  @{HOME}/.ssh/authorized_keys{,2} r,
  @{PROC}/[0-9]*/fd/ r,
  @{PROC}/[0-9]*/loginuid w,
  @{PROC}/[0-9]*/mounts r,


  ^AUTHENTICATED {
    #include <abstractions/authentication>
    #include <abstractions/consoles>
    #include <abstractions/nameservice>
    #include <abstractions/wutmp>

    capability setgid,
    capability setuid,
    capability sys_tty_config,


    /dev/log w,
    /dev/ptmx rw,
    /etc/default/passwd r,
    /etc/localtime r,
    /etc/login.defs r,
    /etc/motd r,
    /tmp/ssh-*/agent.[0-9]* rwl,
    /tmp/ssh-*[0-9]*/ w,

  }

  ^EXEC {
    #include <abstractions/base>


    /bin/ash Ux,
    /bin/bash Ux,
    /bin/bash2 Ux,
    /bin/bsh Ux,
    /bin/csh Ux,
    /bin/ksh Ux,
    /bin/sh Ux,
    /bin/tcsh Ux,
    /bin/zsh Ux,
    /sbin/nologin Ux,

  }

  ^PRIVSEP {
    #include <abstractions/base>
    #include <abstractions/nameservice>

    capability setgid,
    capability setuid,
    capability sys_chroot,


  }

  ^PRIVSEP_MONITOR {
    #include <abstractions/authentication>
    #include <abstractions/base>
    #include <abstractions/nameservice>
    #include <abstractions/wutmp>

    capability chown,
    capability setgid,
    capability setuid,


    /dev/ptmx rw,
    /dev/pts/[0-9]* rw,
    /dev/urandom r,
    /etc/hosts.allow r,
    /etc/hosts.deny r,
    /etc/ssh/moduli r,
    @{HOME}/.ssh/authorized_keys{,2} r,
    @{PROC}/[0-9]*/mounts r,

  }
}
Commit	Line	Data
92bc3717	1	# Last Modified: Wed Jan 18 10:55:22 2012
	2	# ------------------------------------------------------------------
	3	#
	4	# Copyright (C) 2002-2005 Novell/SUSE
	5	#
	6	# This program is free software; you can redistribute it and/or
	7	# modify it under the terms of version 2 of the GNU General Public
	8	# License published by the Free Software Foundation.
	9	#
	10	# ------------------------------------------------------------------
	11	# will need to revalidate this profile once we finish re-architecting
	12	# the change_hat patch.
	13	#
	14
	15	#include <tunables/global>
	16
	17	/usr/sbin/sshd {
	18	#include <abstractions/authentication>
	19	#include <abstractions/base>
	20	#include <abstractions/consoles>
	21	#include <abstractions/nameservice>
	22	#include <abstractions/wutmp>
	23
	24
	25	capability audit_control,
	26	capability chown,
	27	capability dac_override,
	28	capability fowner,
	29	capability fsetid,
	30	capability kill,
	31	capability net_bind_service,
	32	capability setgid,
	33	capability setuid,
	34	capability sys_chroot,
	35	capability sys_resource,
	36	capability sys_tty_config,
	37
	38
	39	/bin/ash rUx,
	40	/bin/bash rUx,
	41	/bin/bash2 rUx,
	42	/bin/bsh rUx,
	43	/bin/csh rUx,
	44	/bin/ksh rUx,
	45	/bin/sh rUx,
	46	/bin/tcsh rUx,
	47	/bin/zsh rUx,
	48	/dev/ptmx rw,
	49	/dev/pts/[0-9]* rw,
	50	/dev/urandom r,
	51	/etc/** r,
	52	/proc/*/oom_adj rw,
	53	/proc/*/oom_score_adj rw,
	54	/sbin/nologin rUx,
	55	/tmp/ssh-/agent.[0-9] rwl,
	56	/tmp/ssh-[0-9]/ w,
	57	/usr/sbin/sshd mrix,
	58	/var/log/* rw,
	59	/{,var/}run w,
	60	/{,var/}run/sshd{,.init}.pid wl,
	61	@{HOME}/.ssh/authorized_keys{,2} r,
	62	@{PROC}/[0-9]*/fd/ r,
	63	@{PROC}/[0-9]*/loginuid w,
	64	@{PROC}/[0-9]*/mounts r,
65
66
67	^AUTHENTICATED {
68	#include <abstractions/authentication>
69	#include <abstractions/consoles>
70	#include <abstractions/nameservice>
71	#include <abstractions/wutmp>
72
73	capability setgid,
74	capability setuid,
75	capability sys_tty_config,
76
77
78	/dev/log w,
79	/dev/ptmx rw,
80	/etc/default/passwd r,
81	/etc/localtime r,
82	/etc/login.defs r,
83	/etc/motd r,
84	/tmp/ssh-/agent.[0-9] rwl,
85	/tmp/ssh-[0-9]/ w,
86
87	}
88
89	^EXEC {
90	#include <abstractions/base>
91
92
93	/bin/ash Ux,
94	/bin/bash Ux,
95	/bin/bash2 Ux,
96	/bin/bsh Ux,
97	/bin/csh Ux,
98	/bin/ksh Ux,
99	/bin/sh Ux,
100	/bin/tcsh Ux,
101	/bin/zsh Ux,
102	/sbin/nologin Ux,
103
104	}
105
106	^PRIVSEP {
107	#include <abstractions/base>
108	#include <abstractions/nameservice>
109
110	capability setgid,
111	capability setuid,
112	capability sys_chroot,
113
114
115
116	}
117
118	^PRIVSEP_MONITOR {
119	#include <abstractions/authentication>
120	#include <abstractions/base>
121	#include <abstractions/nameservice>
122	#include <abstractions/wutmp>
123
124	capability chown,
125	capability setgid,
126	capability setuid,
127
128
129	/dev/ptmx rw,
130	/dev/pts/[0-9]* rw,
131	/dev/urandom r,
132	/etc/hosts.allow r,
133	/etc/hosts.deny r,
134	/etc/ssh/moduli r,
135	@{HOME}/.ssh/authorized_keys{,2} r,
136	@{PROC}/[0-9]*/mounts r,
137
138	}
139	}