[pkg-apparmor] Bug#1030153: complaining
Christian Boltz
debian-bugs at cboltz.de
Tue Jan 31 22:57:04 GMT 2023
Hello,
On Tuesday, 31 January 2023 at 19:20:38 CET, Antoine Beaupré wrote:
> so something is happening with apparmor here. it looks like profiles
> are "piling up" in some way, with something like this:
>
> /usr/sbin/sshd//null-/usr/bin/bash//null-/usr/bin/sudo//null-/usr/bin/apt//null-/usr/bin/dash//null-/usr/bin/etckeeper//null-/etc/etckeeper/pre-install.d/50uncommitted-changes//null-/usr/bin/etckeeper//null-/usr/bin/perl
That means sshd executed /usr/bin/bash (without having an execute rule),
and bash executed /usr/bin/sudo, which executed /usr/bin/apt, and so on.
I'm somewhat surprised about that because the upstream profile for sshd
has had the following rule since Dec 3 2016:
/{usr/,}bin/bash Uxr,
This rule should allow executing /bin/bash and /usr/bin/bash in
unconfined mode (= without AppArmor restrictions) - and therefore should
also avoid the long chain you see.
However, your log looks like your profile does not allow executing
/usr/bin/bash.
Now I wonder - does your sshd profile lack this line/rule?
(If in doubt, please attach the complete profile.)
Regards,
Christian Boltz
--
But you are probably also complaining if local root exploits in the
kernel are fixed, because now you no longer can use that to become root
easily... [Stefan Seyfried in opensuse-factory]
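To make the diagnosis above reproducible, here is a small added helper (my own example, not code from the bug report or from the AppArmor project) that splits a `//null-` profile-name chain like the one quoted in the report into the base profile and the hops that ran under a "null" child profile, expands AppArmor's `{a,b}` brace alternation, and then checks whether a flat sshd profile body carries an exec rule for the first hop. The sample chain is the one from the report with its line wrapping removed; the two profile snippets are constructed for the example and are not the real Debian or upstream profile. Only flat file rules with a single mode word are recognised (no `deny` rules, nested child profiles or variables), which is enough for the question asked in the mail.

```python
import re

# Constructed sample input: the chain quoted in the bug report, joined
# back onto one line (the mail wrapped it mid-path).
CHAIN = (
    "/usr/sbin/sshd//null-/usr/bin/bash//null-/usr/bin/sudo//null-/usr/bin/apt"
    "//null-/usr/bin/dash//null-/usr/bin/etckeeper//null-/etc/etckeeper/"
    "pre-install.d/50uncommitted-changes//null-/usr/bin/etckeeper//null-/usr/bin/perl"
)

# Constructed sshd profile snippets (hypothetical, not the shipped profile):
# one with the upstream bash rule, one without it.
PROFILE_WITH_RULE = """
/usr/sbin/sshd {
  #include <abstractions/base>
  capability net_bind_service,
  network inet stream,
  /etc/ssh/sshd_config r,
  /{usr/,}bin/bash Uxr,
}
"""
PROFILE_WITHOUT_RULE = PROFILE_WITH_RULE.replace("  /{usr/,}bin/bash Uxr,\n", "")


def parse_null_chain(name):
    """Split 'A//null-B//null-C' into ('A', ['B', 'C']).

    Each '//null-' hop records a program that was executed by the previous
    element without an exec rule covering it, so it ran under a 'null'
    child profile; the hops therefore read as the exec sequence."""
    parts = name.split("//null-")
    return parts[0], parts[1:]


def expand_braces(path):
    """Expand AppArmor '{a,b}' alternation into concrete paths, e.g.
    '/{usr/,}bin/bash' -> ['/usr/bin/bash', '/bin/bash'] (recursive, so
    several brace groups in one path are handled too)."""
    m = re.search(r"\{([^{}]*)\}", path)
    if not m:
        return [path]
    expanded = []
    for alt in m.group(1).split(","):
        expanded.extend(expand_braces(path[: m.start()] + alt + path[m.end():]))
    return expanded


# '<optional owner> <path> <mode>,' on one line; comments are stripped first.
RULE_RE = re.compile(r"^\s*(?:owner\s+)?(\S+)\s+([A-Za-z]+)\s*,\s*$")


def exec_rules(profile_text):
    """Return {concrete_path: mode} for every file rule in a flat profile
    body whose mode carries an exec flag (ix, px, Px, ux, Ux, cx, Cx)."""
    rules = {}
    for line in profile_text.splitlines():
        line = line.split("#", 1)[0]
        m = RULE_RE.match(line)
        if not m:
            continue
        path, mode = m.groups()
        if "x" in mode.lower():
            for concrete in expand_braces(path):
                rules[concrete] = mode
    return rules


def first_hop_rule(chain, profile_text):
    """Return (first_hop, mode_or_None): the exec mode the base profile grants
    to the first program in the chain, or None if no exec rule covers it.
    Only the first hop is judged against this profile; later hops were
    executed from inside null child profiles, not from the base profile."""
    _base, hops = parse_null_chain(chain)
    if not hops:
        return None, None
    first = hops[0]
    return first, exec_rules(profile_text).get(first)


if __name__ == "__main__":
    base, hops = parse_null_chain(CHAIN)
    print("base profile:", base)
    print("exec sequence under null profiles:", " -> ".join(hops))
    for label, text in (("with rule", PROFILE_WITH_RULE), ("without rule", PROFILE_WITHOUT_RULE)):
        hop, mode = first_hop_rule(CHAIN, text)
        print(f"{label}: {hop} covered by mode {mode!r}")
```

With the `Uxr` rule present, the first hop `/usr/bin/bash` resolves to mode `Uxr` (unconfined exec), which is exactly why the chain should stop at sshd; with the rule absent the lookup returns `None`, matching the symptom in the report.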