[apparmor] sshd and hats

Simon Deziel simon.deziel at gmail.com
Fri Oct 2 17:02:00 UTC 2015

On 10/02/2015 10:32 AM, Steve Beattie wrote:
> On Thu, Oct 01, 2015 at 10:21:38PM -0700, Seth Arnold wrote:
>> Hopefully the mediation points are still useful in OpenSSH. Perhaps
>> they've changed as much as we have.
> I'm not sure they are; the thing I've been meaning to
> look at is OpenSSH's sandbox infrastructure to add an
> apparmor option (e.g. see the seccomp sandbox discussed in
> http://www.chiark.greenend.org.uk/~cjwatson/blog/openssh-6.0p1.html ).

Works so well that I wonder why "UsePrivilegeSeparation sandbox" isn't
the default in Debian/Ubuntu.

> That said, this is a case where I *would* like to stack things by
> enabling both the apparmor sandbox and the seccomp sandbox at the same
> time.

This would indeed be a good addition to the rlimits+seccomp sandbox.

Thank you both for digging up the old patch and looking at it.

