apparmor/home.ssh-mitm.bin.ssh

# Copyright (C) 2017-2018  Joe Testa <jtesta@positronsecurity.com>
#
# This program is free software: you can redistribute it and/or modify
# it under the terms version 3 of the GNU General Public License as
# published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.


#include <tunables/global>

/home/ssh-mitm/bin/ssh {
  #include <abstractions/base>

  network inet stream,
  network inet6 stream,
  network unix stream,

  /dev/pts/* rw,
  /dev/tty rw,
  /proc/*/fd/ r,
  /etc/nsswitch.conf r,
  /etc/passwd r,

  /home/ssh-mitm/bin/ssh mr,

  # Allow reads to the config file.
  /home/ssh-mitm/etc/ssh_config r,

  # Allow writes to the log file (for stderr logging of the "ssh" and "sftp"
  # clients).
  /home/ssh-mitm/client.log w,

  # Allow reads & writes to the tmp/ dir.
  /home/ssh-mitm/tmp/* rw,

  # Allow the creation of the .ssh/ dir, and reads & writes to the known_hosts
  # file.
  /home/ssh-mitm/.ssh/ w,
  /home/ssh-mitm/.ssh/known_hosts rw,

  # Allow SFTP logging.
  /home/ssh-mitm/sftp_session_*.html w,
}