[apparmor] [patch] Update the sshd profile
Matthew Dawson
matthew at mjdsystems.ca
Wed Apr 20 21:17:23 UTC 2016
>=== modified file 'profiles/apparmor/profiles/extras/usr.sbin.sshd'
>--- profiles/apparmor/profiles/extras/usr.sbin.sshd 2013-01-05 06:31:00
+0000
>+++ profiles/apparmor/profiles/extras/usr.sbin.sshd 2016-01-02 13:44:20
+0000
>@@ -2,6 +2,8 @@
> #
> # Copyright (C) 2002-2005 Novell/SUSE
> # Copyright (C) 2012 Canonical Ltd.
>+# Copyright (C) 2016 Christian Boltz
>+# Copyright (C) 2016 Evgeni Golov
> #
> # This program is free software; you can redistribute it and/or
> # modify it under the terms of version 2 of the GNU General Public
>@@ -26,14 +28,17 @@
> capability sys_resource,
> capability sys_tty_config,
> capability net_bind_service,
>+ capability net_admin,
sshd doesn't actually require the net_admin capability. libpam-systemd tries
to use it if available to set the send/receive buffers size, but will fall
back to a non-privileged version if it fails. Considering what net_admin
would allow, I suggest removing it from the list (I'm running without it on my
test apparmor server with no problems so far).
--
Matthew
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: This is a digitally signed message part.
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20160420/a3de29e2/attachment.pgp>
More information about the AppArmor
mailing list