Policy: /usr/sbin/sshd, Emulation: native
##
## usr_sbin_sshd.in
##
## systrace(1) policy for sshd.  Rules are presumably evaluated in the order
## written (first match wins), so keep the ordering inside each section,
## in particular the deny rule near the end of the ROOT section.
##
## change default /home, /bin/ksh paths if necessary
##
## allows dns lookups, pubkey auth by default
## disallows root logins by default
## cpp -DUSE_BSD_AUTH -DALLOW_PORT_FWD -DALLOW_SFTP for more...
##
## NOTE(review): the conditional in the ROOT section tests ALLOW_BSD_AUTH,
## not USE_BSD_AUTH, so -DUSE_BSD_AUTH as written above enables nothing;
## define the name the ifdef actually checks.
##
## Section layout: ALL has no user predicate and applies to every sshd
## process; the remaining sections are gated per rule by if user ... and
## are therefore only as tight as that predicate.

## ALL
## Unconditional rules: they apply to every process, including those running
## as the sshd user that the ROOT/USER section excludes.
	native-__sysctl: permit
	native-accept: permit
	native-break: permit
	native-close: permit
## the only connect() granted to everyone is the syslog socket; any other
## destination needs one of the user-gated rules below
	native-connect: sockaddr eq "/dev/log" then permit
## chdir is limited to the root directory here; home directories are
## granted per user below
	native-chdir: filename eq "/" then permit
	native-exit: permit
	native-fcntl: permit
	native-getpeername: permit
	native-getpid: permit
	native-gettimeofday: permit
	native-mprotect: permit
	native-munmap: permit
	native-pipe: permit
	native-read: permit
	native-select: permit
	native-sendto: permit
	native-shutdown: permit
## unix datagram sockets only (what the /dev/log connect above needs);
## stream and inet sockets are granted per user below
	native-socket: sockdom eq "AF_UNIX" and socktype eq "SOCK_DGRAM" then permit
	native-write: permit

## ROOT/USER [priv]
## Rules shared by the root process and by user sessions.  The predicate
## user != sshd excludes the unprivileged sshd user from every rule here, so
## that user gets only the ALL section plus the USER section below.
	native-chdir: filename match "/home/*" then permit, if user != sshd
## NOTE(review): the re pattern is presumably unanchored and .* crosses
## directory separators, so it also matches any deeper path that contains
## /.ssh; confirm that breadth is intended (the two fsread re rules below
## have the same shape)
	native-chdir: filename re "/home/.*/\.ssh" then permit, if user != sshd
## dns lookups: port 53 on any address (see header)
	native-connect: sockaddr match "*:53" then permit, if user != sshd
	native-dup2: true then permit, if user != sshd
	native-fchdir: true then permit, if user != sshd
	native-fork: true then permit, if user != sshd
	native-fsread: filename eq "/" then permit, if user != sshd
	native-fsread: filename eq "/dev/arandom" then permit, if user != sshd
	native-fsread: filename eq "/etc/nologin" then permit, if user != sshd
	native-fsread: filename eq "/etc/resolv.conf" then permit, if user != sshd
	native-fsread: filename match "/usr/share/*" then permit, if user != sshd
## pubkey auth: read access to the users .ssh directory and authorized_keys
	native-fsread: filename re "/home/.*/\.ssh" then permit, if user != sshd
	native-fsread: filename re "/home/.*/\.ssh/authorized_keys" then permit, if user != sshd
	native-fstat: true then permit, if user != sshd
	native-fstatfs: true then permit, if user != sshd
	native-fswrite: filename match "/dev/tty*" then permit, if user != sshd
	native-getdirentries: true then permit, if user != sshd
	native-getegid: true then permit, if user != sshd
	native-geteuid: true then permit, if user != sshd
	native-getsockname: true then permit, if user != sshd
	native-getsockopt: true then permit, if user != sshd
	native-getuid: true then permit, if user != sshd
## ioctl and mmap are permitted without argument filtering for these users
	native-ioctl: true then permit, if user != sshd
	native-issetugid: true then permit, if user != sshd
	native-listen: true then permit, if user != sshd
	native-lseek: true then permit, if user != sshd
	native-mmap: true then permit, if user != sshd
	native-recvfrom: true then permit, if user != sshd
	native-recvmsg: true then permit, if user != sshd
	native-sendmsg: true then permit, if user != sshd
	native-setitimer: true then permit, if user != sshd
	native-setsid: true then permit, if user != sshd
	native-setsockopt: true then permit, if user != sshd
	native-sigaction: true then permit, if user != sshd
	native-sigprocmask: true then permit, if user != sshd
	native-sigreturn: true then permit, if user != sshd
## inet4 and unix stream sockets; AF_INET6 sockets are granted only to root
## in the ROOT section, so non-root processes cannot create them
	native-socket: sockdom eq "AF_INET" and socktype eq "SOCK_DGRAM" then permit, if user != sshd
	native-socket: sockdom eq "AF_INET" and socktype eq "SOCK_STREAM" then permit, if user != sshd
	native-socket: sockdom eq "AF_UNIX" and socktype eq "SOCK_STREAM" then permit, if user != sshd
	native-wait4: true then permit, if user != sshd
	native-xfspioctl: true then permit, if user != sshd

## ROOT [priv]
## Rules that apply only while sshd runs as root: listener setup, privilege
## separation, authentication and login accounting.
## listener socket; this matches port 22 only, so an sshd_config with a
## different Port needs this rule changed or the bind is not permitted
	native-bind: sockaddr match "*:22" then permit, if user = root
## handing the session tty over to the logged-in user
	native-chmod: filename match "/dev/tty*" then permit, if user = root
	native-chown: filename match "/dev/tty*" then permit, if user = root
## privsep chroot target (also readable by root under the same name below)
	native-chroot: filename eq "/var/empty" then permit, if user = root
	native-connect: sockaddr eq "/var/run/xptyd" then permit, if user = root
#ifdef ALLOW_BSD_AUTH
## NOTE(review): the header advertises -DUSE_BSD_AUTH but this block is
## guarded by ALLOW_BSD_AUTH; define the latter to enable these two rules.
## permit[detach] presumably stops tracing the auth helper at the exec, so
## the policy no longer constrains it afterwards -- confirm against
## systrace(1)
	native-execve: filename match "/usr/libexec/auth/*" then permit[detach], if user = root
	native-fsread: filename match "/usr/libexec/auth/*" then permit, if user = root
#endif
## login shell path is hard-coded (see header)
	native-fsread: filename eq "/bin/ksh" then permit, if user = root
	native-fsread: filename eq "/dev/null" then permit, if user = root
	native-fsread: filename eq "/etc/group" then permit, if user = root
	native-fsread: filename eq "/etc/hosts" then permit, if user = root
	native-fsread: filename eq "/etc/hosts.allow" then permit, if user = root
	native-fsread: filename eq "/etc/hosts.deny" then permit, if user = root
	native-fsread: filename eq "/etc/login.conf" then permit, if user = root
	native-fsread: filename eq "/etc/login.conf.db" then permit, if user = root
	native-fsread: filename eq "/etc/malloc.conf" then permit, if user = root
	native-fsread: filename eq "/etc/moduli" then permit, if user = root
	native-fsread: filename eq "/etc/protocols" then permit, if user = root
## shadow password database: read is root-only, nothing else in this policy
## grants it
	native-fsread: filename eq "/etc/spwd.db" then permit, if user = root
	native-fsread: filename eq "/etc/ttys" then permit, if user = root
	native-fsread: filename eq "/usr/libexec/ld.so" then permit, if user = root
	native-fsread: filename eq "/var/empty" then permit, if user = root
	native-fsread: filename match "/dev/tty*" then permit, if user = root
## host keys and sshd_config live here; read-only, no fswrite rule for it
	native-fsread: filename match "/etc/ssh/*" then permit, if user = root
	native-fsread: filename match "/usr/lib/*" then permit, if user = root
	native-fsread: filename match "/var/run/*" then permit, if user = root
## any root fsread of a path that does not exist is refused with ENOENT
## instead of falling through to systrace default handling; this
## presumably relies on systrace rendering missing files with the literal
## <non-existent filename> string (sub is a substring match).  Keep this
## rule after the permits above.
	native-fsread: filename sub "<non-existent filename>" then deny[enoent], if user = root
	native-fswrite: filename eq "/dev/crypto" then permit, if user = root
## NOTE(review): the only rule in this section without a user predicate, so
## it also applies to the sshd user and to sessions; harmless for /dev/null
## but make it explicit if that is intended
	native-fswrite: filename eq "/dev/null" then permit
	native-fswrite: filename eq "/dev/tty" then permit, if user = root
## login accounting and pid file: no other fswrite rule in this policy
## touches these paths, so writes stay root-only
	native-fswrite: filename eq "/var/log/lastlog" then permit, if user = root
	native-fswrite: filename eq "/var/log/wtmp" then permit, if user = root
	native-fswrite: filename eq "/var/run/sshd.pid" then permit, if user = root
	native-fswrite: filename eq "/var/run/utmp" then permit, if user = root
	native-fswrite: filename match "/dev/pty*" then permit, if user = root
	native-getgroups: true then permit, if user = root
	native-getrlimit: true then permit, if user = root
	native-pread: true then permit, if user = root
	native-revoke: true then permit, if user = root
## credential changes (dropping to the sshd user or to the logged-in user)
## are granted to root only
	native-setegid: true then permit, if user = root
	native-seteuid: true then permit, if user = root
	native-setgid: true then permit, if user = root
	native-setgroups: true then permit, if user = root
	native-setlogin: true then permit, if user = root
	native-setpriority: true then permit, if user = root
	native-setrlimit: true then permit, if user = root
	native-setuid: true then permit, if user = root
## inet6 sockets are root-only; the ROOT/USER section grants AF_INET only
	native-socket: sockdom eq "AF_INET6" and socktype eq "SOCK_DGRAM" then permit, if user = root
	native-socket: sockdom eq "AF_INET6" and socktype eq "SOCK_STREAM" then permit, if user = root
	native-socketpair: true then permit, if user = root
	native-umask: true then permit, if user = root

## USER [priv]
## Rules for every non-root process.  NOTE(review): user != root also covers
## the unprivileged sshd user, so everything in this section (including the
## ALLOW_PORT_FWD connect rule and the /bin/ksh execve) is reachable from
## that user as well; narrow the predicate if that is not intended.
## presumably the agent-forwarding socket directory
	native-bind: sockaddr match "/tmp/ssh-*" then permit, if user != root
#ifdef ALLOW_PORT_FWD
## the one unrestricted connect() in the policy: any destination is allowed,
## and each call is logged so forwarding targets appear in the systrace log
	native-connect: true then permit log, if user != root
#endif
	native-dup: true then permit, if user != root
## user login shell, hard-coded (see header); permit[detach] presumably
## stops tracing at the exec, so the session itself is not covered by this
## policy -- confirm against systrace(1)
	native-execve: filename eq "/bin/ksh" then permit[detach], if user != root
	native-fsread: filename eq "/tmp" then permit, if user != root
	native-fsread: filename eq "/etc/motd" then permit, if user != root
	native-fsread: filename eq "/etc/ssh/sshrc" then permit, if user != root
#ifdef ALLOW_SFTP
## NOTE(review): only the read is granted; no execve rule for sftp-server
## appears in this policy, so it is presumably started through the /bin/ksh
## rule above (which detaches) -- confirm
	native-fsread: filename eq "/usr/libexec/sftp-server" then permit, if user != root
#endif
## read-only here; lastlog writes are granted to root only in the ROOT section
	native-fsread: filename eq "/var/log/lastlog" then permit, if user != root
	native-fsread: filename re "/home/.*/\.hushlogin" then permit, if user != root
## regex, so any path under the /tmp/ssh- prefix, not just the socket itself
	native-fswrite: filename re "/tmp/ssh-.*" then permit, if user != root
	native-fswrite: filename eq "/dev/tty" then permit, if user != root
