From 03d7ef55896e0d5b7bf5348000fbdcab26737490 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol <alexandre@pujol.io>
Date: Sat, 21 Jun 2025 19:52:22 +0200
Subject: [PATCH] feat(profile): add profile  for sshd session.

It is only a first draft as recent update in sshd, split sshd in multiple binaries,
it will allow us to also split the confinement in multiple profile.
---
 apparmor.d/groups/ssh/sshd         |  2 +-
 apparmor.d/groups/ssh/sshd-session | 85 ++++++++++++++++++++++++++++++
 2 files changed, 86 insertions(+), 1 deletion(-)
 create mode 100644 apparmor.d/groups/ssh/sshd-session

diff --git a/apparmor.d/groups/ssh/sshd b/apparmor.d/groups/ssh/sshd
index a514e7c99..75438c957 100644
--- a/apparmor.d/groups/ssh/sshd
+++ b/apparmor.d/groups/ssh/sshd
@@ -69,7 +69,7 @@ profile sshd @{exec_path} flags=(attach_disconnected) {
   @{bin}/passwd                      Px,
   @{lib}/{openssh,ssh}/sftp-server   Px,
   @{lib}/{openssh,ssh}/sshd-auth     Px,
-  @{lib}/{openssh,ssh}/sshd-session  ix,
+  @{lib}/{openssh,ssh}/sshd-session  Px,
 
   @{etc_ro}/environment r,
   @{etc_ro}/security/limits.d/{,*.conf} r,
diff --git a/apparmor.d/groups/ssh/sshd-session b/apparmor.d/groups/ssh/sshd-session
new file mode 100644
index 000000000..e74696334
--- /dev/null
+++ b/apparmor.d/groups/ssh/sshd-session
@@ -0,0 +1,85 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/4.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{lib}/{openssh,ssh}/sshd-session
+profile sshd-session @{exec_path} flags=(attach_disconnected) {
+  include <abstractions/base>
+  include <abstractions/authentication>
+  include <abstractions/bus-system>
+  include <abstractions/consoles>
+  include <abstractions/hosts_access>
+  include <abstractions/nameservice-strict>
+  include <abstractions/wutmp>
+  include <mappings/sshd> #aa:only RBAC
+
+  capability audit_write,
+  capability chown,
+  capability dac_override,
+  capability dac_read_search,
+  capability fowner,
+  capability fsetid,
+  capability kill,
+  capability setgid,
+  capability setuid,
+  capability sys_chroot,
+  capability sys_resource,
+
+  # sshd doesn't require net_admin. libpam-systemd tries to
+  # use it if available to set the send/receive buffers size,
+  # but will fall back to a non-privileged version if it fails.
+  deny capability net_admin,
+
+  network inet dgram,
+  network inet stream,
+  network inet6 dgram,
+  network inet6 stream,
+  network netlink raw,
+
+  unix type=stream peer=(label=sshd),
+
+  dbus send bus=system path=/org/freedesktop/login1
+       interface=org.freedesktop.login1.Manager
+       member={CreateSession,ReleaseSession,CreateSessionWithPIDFD}
+       peer=(name=org.freedesktop.login1, label="@{p_systemd_logind}"),
+
+  @{exec_path} mr,
+
+  @{bin}/@{shells}                   Ux, #aa:exclude RBAC
+  @{lib}/{openssh,ssh}/sshd-auth     Px,
+
+  @{etc_rw}/motd r,
+  @{etc_rw}/motd.d/{,**} r,
+  /etc/machine-id r,
+  /etc/motd r,
+
+  /var/lib/lastlog/ r,
+  /var/lib/lastlog/lastlog2.db rwk,
+  /var/lib/lastlog/lastlog2.db-journal rw,
+
+  /var/lib/wtmpdb/ w,
+
+  owner @{HOME}/@{XDG_SSH_DIR}/authorized_keys{,.*} r,
+
+  owner @{user_cache_dirs}/{,motd*} rw,
+
+  @{att}/@{run}/systemd/sessions/@{int}.ref w,
+
+        @{run}/motd.d/{,*} r,
+        @{run}/motd.dynamic rw,
+        @{run}/motd.dynamic.new rw,
+
+        @{PROC}/1/limits r,
+  owner @{PROC}/@{pid}/loginuid rw,
+  owner @{PROC}/@{pid}/uid_map r,
+
+  /dev/ptmx rw,
+
+  include if exists <local/sshd-session>
+}
+
+# vim:syntax=apparmor