apparmor/home.ssh-mitm.bin.ssh

1. # Copyright (C) 2017-2018  Joe Testa <jtesta@positronsecurity.com>
2. #
3. # This program is free software: you can redistribute it and/or modify
4. # it under the terms version 3 of the GNU General Public License as
5. # published by the Free Software Foundation.
6. #
7. # This program is distributed in the hope that it will be useful,
8. # but WITHOUT ANY WARRANTY; without even the implied warranty of
9. # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
10. # GNU General Public License for more details.
11. #
12. # You should have received a copy of the GNU General Public License
13. # along with this program.  If not, see <http://www.gnu.org/licenses/>.
14.  
15.  
16. #include <tunables/global>
17.  
18. /home/ssh-mitm/bin/ssh {
19.  #include <abstractions/base>
20.  
21.   network inet stream,
22.   network inet6 stream,
23.   network unix stream,
24.  
25.   /dev/pts/* rw,
26.   /dev/tty rw,
27.   /proc/*/fd/ r,
28.   /etc/nsswitch.conf r,
29.   /etc/passwd r,
30.  
31.   /home/ssh-mitm/bin/ssh mr,
32.  
33.   # Allow reads to the config file.
34.   /home/ssh-mitm/etc/ssh_config r,
35.  
36.   # Allow writes to the log file (for stderr logging of the "ssh" and "sftp"
37.  # clients).
38.   /home/ssh-mitm/client.log w,
39.  
40.   # Allow reads & writes to the tmp/ dir.
41.   /home/ssh-mitm/tmp/* rw,
42.  
43.   # Allow the creation of the .ssh/ dir, and reads & writes to the known_hosts
44.  # file.
45.   /home/ssh-mitm/.ssh/ w,
46.   /home/ssh-mitm/.ssh/known_hosts rw,
47.  
48.   # Allow SFTP logging.
49.   /home/ssh-mitm/sftp_session_*.html w,
50. }