Merge usr.sbin.sshd: Add new permissions needed on Ubuntu 24.04

Testing on noble turned these up: `2024-03-27T00:10:28.929314-04:00 image-ubuntu64 kernel: audit: type=1400 audit(1711512628.920:155): apparmor="DENIED" operation="bind" class="net" profile="/usr/sbin/sshd" pid=1290 comm="sshd" family="unix" sock_type="stream" protocol=0 requested_mask="bind" denied_mask="bind" addr="@63cf34db7fbab75f/bus/sshd/system"` `2024-03-27T00:41:09.791826-04:00 image-ubuntu64 kernel: audit: type=1107 audit(1711514469.771:333907): pid=703 uid=101 auid=4294967295 ses=4294967295 subj=unconfined msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/org/freedesktop/login1" interface="org.freedesktop.login1.Manager" member="CreateSessionWithPIDFD" mask="send" name="org.freedesktop.login1" pid=4528 label="/usr/sbin/sshd" peer_pid=688 peer_label="unconfined"` Fixes: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2060100 MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1196 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net> (cherry picked from commit 3aa40249cf153c17be5ad9d20a77365915397000) Signed-off-by: John Johansen <john.johansen@canonical.com>
2025-08-29 13:28:19 +00:00 · 2024-04-03 07:42:31 +00:00 · 2024-04-03 07:42:31 +00:00 · 63f576c24e
commit 63f576c24e
parent 8acd1e59c7
1 changed files with 9 additions and 0 deletions
--- a/profiles/apparmor/profiles/extras/usr.sbin.sshd
+++ b/profiles/apparmor/profiles/extras/usr.sbin.sshd
@ -50,6 +50,15 @@ include <tunables/global>
  # needed when /proc is mounted with hidepid>=1
  ptrace (read,trace) peer="unconfined",

+  unix (bind) type=stream addr="@*/bus/sshd/system",
+
+  dbus (send)
+       bus=system
+       path=/org/freedesktop/login1
+       interface=org.freedesktop.login1.Manager
+       member=CreateSessionWithPIDFD
+       peer=(label=unconfined),
+
  /dev/ptmx rw,
  /dev/pts/[0-9]* rw,
  /dev/urandom r,