From 63f576c24e8c05db32b3f3b6482b7ce5d37b0c92 Mon Sep 17 00:00:00 2001 From: John Johansen Date: Wed, 3 Apr 2024 07:42:31 +0000 Subject: [PATCH] Merge usr.sbin.sshd: Add new permissions needed on Ubuntu 24.04 Testing on noble turned these up: `2024-03-27T00:10:28.929314-04:00 image-ubuntu64 kernel: audit: type=1400 audit(1711512628.920:155): apparmor="DENIED" operation="bind" class="net" profile="/usr/sbin/sshd" pid=1290 comm="sshd" family="unix" sock_type="stream" protocol=0 requested_mask="bind" denied_mask="bind" addr="@63cf34db7fbab75f/bus/sshd/system"` `2024-03-27T00:41:09.791826-04:00 image-ubuntu64 kernel: audit: type=1107 audit(1711514469.771:333907): pid=703 uid=101 auid=4294967295 ses=4294967295 subj=unconfined msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/org/freedesktop/login1" interface="org.freedesktop.login1.Manager" member="CreateSessionWithPIDFD" mask="send" name="org.freedesktop.login1" pid=4528 label="/usr/sbin/sshd" peer_pid=688 peer_label="unconfined"` Fixes: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2060100 MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1196 Approved-by: John Johansen Merged-by: John Johansen (cherry picked from commit 3aa40249cf153c17be5ad9d20a77365915397000) Signed-off-by: John Johansen
---
 profiles/apparmor/profiles/extras/usr.sbin.sshd | 9 +++++++++ 1 file changed, 9 insertions(+)
diff --git a/profiles/apparmor/profiles/extras/usr.sbin.sshd b/profiles/apparmor/profiles/extras/usr.sbin.sshd
index 98927ddd5..79b6cb319 100644
--- a/profiles/apparmor/profiles/extras/usr.sbin.sshd
+++ b/profiles/apparmor/profiles/extras/usr.sbin.sshd
@@ -50,6 +50,15 @@ include
  # needed when /proc is mounted with hidepid>=1
  ptrace (read,trace) peer="unconfined",
 
+ unix (bind) type=stream addr="@*/bus/sshd/system",
+
+ dbus (send)
+ bus=system
+ path=/org/freedesktop/login1
+ interface=org.freedesktop.login1.Manager
+ member=CreateSessionWithPIDFD
+ peer=(label=unconfined),
+
  /dev/ptmx rw,
  /dev/pts/[0-9]* rw,
  /dev/urandom r,
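Review bot: The new `dbus (send)` rule constrains the peer only by `label=unconfined`, so sshd may call `CreateSessionWithPIDFD` on any unconfined system-bus service that exposes this path and interface. The denial quoted in the commit message names a single destination, `name="org.freedesktop.login1"`, so `peer=(name=org.freedesktop.login1, label=unconfined),` would keep the grant to logind. The `unix (bind)` rule globs the whole first address segment with `@*`, which fits the one logged address `@63cf34db7fbab75f/bus/sshd/system` if that prefix is randomised per connection (an inference from a single sample). Neither rule has a why-comment like the one on the ptrace rule above; something like `# bus client socket and logind session creation, needed on Ubuntu 24.04 (LP: #2060100)` would let later maintainers judge whether the grants are still needed. The profile body starts and ends outside this hunk, so whether other logind methods are already allowed cannot be checked from here.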