Debian 8: Enforce usr.sbin.sshd profile to AppArmor

1 Install AppArmor

Install AppArmor with this script. On Debian 8 the packages alone are not enough: the kernel must be booted with apparmor=1 security=apparmor on its command line, otherwise the AppArmor filesystem is not mounted and no profile can be loaded.

2 Modify and apply usr.sbin.sshd profile

Use the example profile shipped in the apparmor-profiles package, /usr/share/doc/apparmor-profiles/extras/usr.sbin.sshd, as the starting point.

$ sudo cp /usr/share/doc/apparmor-profiles/extras/usr.sbin.sshd /etc/apparmor.d/

Modify /etc/apparmor.d/usr.sbin.sshd with the following patch. Each added rule corresponds to an apparmor="DENIED" message that the kernel logged while sshd ran under the unmodified profile; nothing was added that a denial did not ask for.

$ cd /etc/apparmor.d/$ cat <<EOF | sudo patch -p1— a/usr.sbin.sshd 2014-12-12 22:28:41.000000000 +0900+++ b/usr.sbin.sshd 2017-06-14 21:56:41.388000000 +0900@@ -32,6 +32,8 @@ capability setgid, capability setuid, capability audit_control,+ capability audit_write,+ capability net_admin, capability dac_override, capability dac_read_search,@@ -53,8 +55,9 @@ /{,var/}run/sshd{,.init}.pid wl, @{PROC}/@{pid}/fd/ r,- @{PROC}/@{pid}/loginuid w,+ @{PROC}/@{pid}/loginuid rw, @{PROC}/@{pid}/limits r,+ @{PROC}/@{pid}/uid_map r, # should only be here for use in non-change-hat openssh # duplicated from EXEC hatEOF
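Review bot: `capability net_admin` in the first hunk is a far broader grant than the other capabilities around it (it covers interface, routing and firewall configuration, not only socket options), so record in a comment next to it which DENIED line required it and re-check that the denial still occurs once the file rules from the second hunk are in place; a capability added on the strength of one audit line deserves a justification the next reader can verify. `capability audit_write` is the expected counterpart of the `loginuid` change in the second hunk and needs no such note.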
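Review bot: the `@{PROC}/@{pid}/loginuid rw,` and `@{PROC}/@{pid}/uid_map r,` rules in the second hunk are not limited to sshd's own process: `@{pid}` is only a numeric glob, so they permit access to those files under any pid. Prefix both with `owner` (`owner @{PROC}/@{pid}/loginuid rw,` and `owner @{PROC}/@{pid}/uid_map r,`) to confine them to /proc entries owned by the same uid as the accessing sshd process, and confirm in complain mode that pam_loginuid still works with that restriction before enforcing.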

Put the usr.sbin.sshd profile into enforce mode. Keep an existing SSH session open and test a fresh login before closing it: a profile that is still too tight refuses new logins, and the open session is the only way back in.

$ sudo aa-enforce /etc/apparmor.d/usr.sbin.sshd
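The whole procedure from section 1 and section 2 as one script, as an added example and not the page's own install script or profile: it enables AppArmor on Debian 8 (the kernel parameters are the Debian wiki recipe), stages the extras profile in complain mode, turns the resulting apparmor="DENIED" kernel log lines into rules the same way the patch above was derived, and only then enforces. The function names, the PROFILE/EXTRA variables, the `install`/`stage`/`rules`/`enforce`/`demo` arguments and the sample audit lines are assumptions of this example; the sample lines are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example (not the page's own script): enable AppArmor on Debian 8 and roll the
# usr.sbin.sshd profile out complain -> enforce, deriving rules from DENIED log lines.
# Assumes: run as root, apparmor-profiles installed, kernel audit lines visible in dmesg.

PROFILE=/etc/apparmor.d/usr.sbin.sshd
EXTRA=/usr/share/doc/apparmor-profiles/extras/usr.sbin.sshd

# 1. Packages plus the kernel parameters Debian 8 needs before any profile can load.
install_apparmor() {
    apt-get install -y apparmor apparmor-profiles apparmor-utils
    mkdir -p /etc/default/grub.d
    echo 'GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT apparmor=1 security=apparmor"' \
        > /etc/default/grub.d/apparmor.cfg
    update-grub
    echo "reboot, then check: cat /sys/module/apparmor/parameters/enabled  (expect Y)"
}

# 2a. Stage the shipped example profile in complain mode: violations are logged, not blocked.
stage_sshd_profile() {
    cp "$EXTRA" "$PROFILE"
    aa-complain "$PROFILE"
}

# 2b. Pull the sshd denials out of the kernel log after logging in a few times from another terminal.
collect_denials() {
    dmesg | grep 'apparmor="DENIED"' | grep 'profile="/usr/sbin/sshd"'
}

# Turn DENIED lines into profile rules (the non-interactive core of what aa-logprof does).
# $1 = profile name to keep; denials for other profiles are ignored. Output is sorted and deduplicated.
denials_to_rules() {
    awk -v prof="$1" '
        /apparmor="DENIED"/ {
            p = ""; op = ""; cap = ""; name = ""; mask = ""
            for (i = 1; i <= NF; i++) {
                n = index($i, "="); if (n == 0) continue
                k = substr($i, 1, n - 1); v = substr($i, n + 1); gsub(/"/, "", v)
                if (k == "profile")             p = v
                else if (k == "operation")      op = v
                else if (k == "capname")        cap = v
                else if (k == "name")           name = v
                else if (k == "requested_mask") mask = v
            }
            if (p != prof) next
            if (op == "capable" && cap != "") {
                print "  capability " cap ","
            } else if (name != "" && mask != "") {
                # generalise like the stock profiles: /proc -> @{PROC}, numeric pid dirs -> @{pid}
                sub(/^\/proc\//, "@{PROC}/", name)
                gsub(/\/[0-9]+\//, "/@{pid}/", name)
                print "  " name " " mask ","
            }
        }' | LC_ALL=C sort -u
}

# 2c. Reload the edited profile, switch to enforce, and verify it is actually loaded.
enforce_sshd_profile() {
    apparmor_parser -r "$PROFILE"      # fails loudly on a syntax error, before anything is enforced
    aa-enforce "$PROFILE"
    aa-status | grep -q '/usr/sbin/sshd' || { echo "sshd profile not loaded" >&2; return 1; }
    echo "now open a NEW ssh session to confirm logins still work before closing this one"
}

# Constructed sample of kernel audit lines (not real log output) for an offline check of the converter:
# one capability denial, three file denials (two of them for the same file under different pids),
# and one denial belonging to another profile, which must be ignored.
sample_rules() {
    printf '%s\n' \
      'audit: type=1400 audit(1497444991.123:45): apparmor="DENIED" operation="capable" profile="/usr/sbin/sshd" pid=1234 comm="sshd" capability=29  capname="audit_write"' \
      'audit: type=1400 audit(1497444991.456:46): apparmor="DENIED" operation="open" profile="/usr/sbin/sshd" name="/proc/1234/uid_map" pid=1234 comm="sshd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0' \
      'audit: type=1400 audit(1497444992.001:47): apparmor="DENIED" operation="open" profile="/usr/sbin/sshd" name="/proc/1235/loginuid" pid=1235 comm="sshd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0' \
      'audit: type=1400 audit(1497444992.002:48): apparmor="DENIED" operation="open" profile="/usr/sbin/sshd" name="/proc/1236/loginuid" pid=1236 comm="sshd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0' \
      'audit: type=1400 audit(1497444993.000:49): apparmor="DENIED" operation="capable" profile="/usr/sbin/ntpd" pid=900 comm="ntpd" capability=12  capname="net_admin"' \
    | denials_to_rules /usr/sbin/sshd
}

case "${1:-}" in
    install) install_apparmor ;;
    stage)   stage_sshd_profile ;;
    rules)   collect_denials | denials_to_rules /usr/sbin/sshd ;;
    enforce) enforce_sshd_profile ;;
    demo)    sample_rules ;;
esac
```

Run it as root: `sh sshd-apparmor.sh install`, reboot, `stage`, log in over SSH a few times from another terminal, `rules` to print the rules to add to the profile, then `enforce`. `sh sshd-apparmor.sh demo` runs only the converter on the constructed sample and touches nothing. Rules printed by `rules` are a proposal to review, not to paste blindly: a capability such as net_admin should be added with a comment naming the denial that required it.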

