Ubuntu 16.04: Enforce usr.sbin.sshd profile to AppArmor

This article describes how to confine the OpenSSH server (sshd) with an AppArmor profile on Ubuntu 16.04.

1 Install AppArmor

Install AppArmor as described in this article.

2 Modify and apply usr.sbin.sshd profile

Use /usr/share/doc/apparmor-profiles/extras/usr.sbin.sshd as a starting point and copy it into /etc/apparmor.d/.

$ sudo cp /usr/share/doc/apparmor-profiles/extras/usr.sbin.sshd \
       /etc/apparmor.d/

Modify /etc/apparmor.d/usr.sbin.sshd with the following patch. The patch was built from the DENIED messages that AppArmor logged for this profile.

$ cd /etc/apparmor.d/
$ cat <<EOF | sudo patch -p1
--- a/usr.sbin.sshd       2017-03-16 10:11:02.000000000 +0900
+++ b/usr.sbin.sshd       2017-06-14 13:38:47.862170542 +0900
@@ -21,6 +21,7 @@
   #include <abstractions/consoles>
   #include <abstractions/nameservice>
   #include <abstractions/wutmp>
+  #include <abstractions/dbus>

   capability sys_chroot,
   capability sys_resource,
@@ -32,6 +33,8 @@
   capability setgid,
   capability setuid,
   capability audit_control,
+  capability audit_write,
+  capability net_admin,
   capability dac_override,
   capability dac_read_search,

@@ -51,10 +54,16 @@
   /var/log/btmp r,
   /{,var/}run w,
   /{,var/}run/sshd{,.init}.pid wl,
+  /{,var/}run/systemd/notify w,
+
+  ptrace,

   @{PROC}/@{pid}/fd/ r,
-  @{PROC}/@{pid}/loginuid w,
+  @{PROC}/@{pid}/loginuid rw,
   @{PROC}/@{pid}/limits r,
+  @{PROC}/@{pid}/uid_map r,
+  @{PROC}/@{pid}/environ r,
+  @{PROC}/cmdline r,

 # should only be here for use in non-change-hat openssh
 # duplicated from EXEC hat
@@ -85,6 +94,7 @@
 # duplicated from AUTHENTICATED
   /etc/motd r,
   /{,var/}run/motd{,.new} rw,
+  /{,var/}run/motd.dynamic{,.new} rw,
   /tmp/ssh-*/agent.[0-9]* rwl,

   /tmp/ssh-*[0-9]*/ w,
EOF
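Review bot: the first hunk pulls in the whole dbus abstraction to clear a denial; record which denial motivated it (the article only says the patch came from DENIED messages) and check whether a single dbus rule for that peer and interface would do, because abstractions/dbus grants sshd far more bus access than any one denial requires.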
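Review bot: `capability net_admin,` in the second hunk is a broad grant (it covers interface, routing and firewall configuration, not just socket options); before keeping it, re-check the audit line that produced it and consider whether the operation that needs it can be avoided instead, and put a comment next to both new capabilities naming the denied operation so the next reviewer can re-validate them.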
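Review bot: the bare `ptrace,` line in the third hunk allows every ptrace permission against every peer; the denial log carries a requested_mask and a peer, so narrow it to those, for example `ptrace (read) peer=unconfined,`. In the same hunk, `@{PROC}/@{pid}/environ r,` and `@{PROC}/@{pid}/uid_map r,` are not limited to sshd's own processes, since `@{pid}` in 16.04's tunables is a glob over all PIDs, so the confined sshd may read any process's environment that DAC permits; document why that is needed or restrict it.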
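Review bot: the last hunk adds `/{,var/}run/motd.dynamic{,.new} rw,` under a comment saying the block is duplicated from the AUTHENTICATED hat; if the profile still defines that hat, mirror the new rule there as well, otherwise the two copies drift apart and the denial reappears after a change_hat.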

Enforce the usr.sbin.sshd profile.

$ sudo aa-enforce /etc/apparmor.d/usr.sbin.sshd
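The patch above was derived by hand from DENIED messages. The following script is an added example (not part of the original article and not an AppArmor tool) that shows how such log lines are turned into candidate rules: it parses the key="value" fields of AppArmor audit lines, keeps only DENIED entries for the chosen profile, and rewrites volatile path parts into the @{PROC}/@{pid} and /{,var/}run/ forms the patch uses. The log lines in SAMPLE_LOG are constructed for this example; the rules it prints are candidates to review, not lines to paste blindly (in particular @{pid} matches any PID, and exec denials need a hand-chosen exec mode).

```python
"""Turn AppArmor DENIED audit lines into candidate profile rules (added example)."""
import re
from collections import OrderedDict

# Constructed sample audit lines for the /usr/sbin/sshd profile (not real logs).
SAMPLE_LOG = """\
audit: type=1400 audit(1497415127.862:101): apparmor="DENIED" operation="capable" profile="/usr/sbin/sshd" pid=1234 comm="sshd" capability=12  capname="net_admin"
audit: type=1400 audit(1497415127.863:102): apparmor="DENIED" operation="open" profile="/usr/sbin/sshd" name="/proc/1234/environ" pid=1234 comm="sshd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1497415127.864:103): apparmor="DENIED" operation="open" profile="/usr/sbin/sshd" name="/run/motd.dynamic" pid=1234 comm="sshd" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
audit: type=1400 audit(1497415127.865:104): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/sshd" pid=1234 comm="sshd" requested_mask="read" denied_mask="read" peer="unconfined"
audit: type=1400 audit(1497415128.001:105): apparmor="ALLOWED" operation="open" profile="/usr/sbin/sshd" name="/etc/motd" pid=1234 comm="sshd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# key=value or key="quoted value"
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_fields(line):
    """Return the key=value pairs of one audit line as a dict, quotes stripped."""
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(4))
            for m in FIELD_RE.finditer(line)}


def generalize_path(path):
    """Replace volatile path components with the variables profiles use."""
    path = re.sub(r'^/proc/\d+/', '@{PROC}/@{pid}/', path)   # any PID, as in the patch
    path = re.sub(r'^/proc/', '@{PROC}/', path)
    path = re.sub(r'^/(var/)?run/', '/{,var/}run/', path)
    return path


def normalize_mask(mask):
    """Map an audit denied_mask to profile letters: create/delete are 'w'."""
    mask = mask.replace('c', 'w').replace('d', 'w')
    return ''.join(ch for ch in 'rwlkm' if ch in mask)


def rule_for(fields):
    """Build one candidate rule from the fields of a DENIED line, or None."""
    op = fields.get('operation', '')
    if op == 'capable':
        return 'capability %s,' % fields['capname']
    if op == 'ptrace':
        # Keep the narrow form: the permission and peer the log reports.
        return 'ptrace (%s) peer=%s,' % (fields.get('denied_mask', 'read'),
                                         fields.get('peer', 'unconfined'))
    name = fields.get('name')
    mask = fields.get('denied_mask') or fields.get('requested_mask', '')
    if not name:
        return None
    path = generalize_path(name)
    if 'x' in mask:
        # An exec mode (ix/Px/Ux...) must be chosen by a human, so emit a note.
        return '# exec denial for %s: choose an exec mode by hand' % path
    perms = normalize_mask(mask)
    return '%s %s,' % (path, perms) if perms else None


def denials_to_rules(log_text, profile='/usr/sbin/sshd'):
    """Return unique candidate rules, in first-seen order, for one profile."""
    rules = OrderedDict()
    for line in log_text.splitlines():
        f = parse_fields(line)
        if f.get('apparmor') != 'DENIED' or f.get('profile') != profile:
            continue
        rule = rule_for(f)
        if rule:
            rules[rule] = None
    return list(rules)


if __name__ == '__main__':
    # On a real host, feed it e.g. the output of: grep apparmor= /var/log/audit/audit.log
    for r in denials_to_rules(SAMPLE_LOG):
        print('  ' + r)
```

Each printed rule should be checked against the denial that produced it before it goes into the profile; the script deliberately narrows ptrace to the reported permission and peer rather than emitting a bare `ptrace,`.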