[apparmor] [patch] Update the sshd profile
Simon Deziel
simon.deziel at gmail.com
Thu Apr 21 22:18:14 UTC 2016
On 2016-04-20 05:17 PM, Matthew Dawson wrote:
>> === modified file 'profiles/apparmor/profiles/extras/usr.sbin.sshd'
>> --- profiles/apparmor/profiles/extras/usr.sbin.sshd 2013-01-05 06:31:00
> +0000
>> +++ profiles/apparmor/profiles/extras/usr.sbin.sshd 2016-01-02 13:44:20
> +0000
>> @@ -2,6 +2,8 @@
>> #
>> # Copyright (C) 2002-2005 Novell/SUSE
>> # Copyright (C) 2012 Canonical Ltd.
>> +# Copyright (C) 2016 Christian Boltz
>> +# Copyright (C) 2016 Evgeni Golov
>> #
>> # This program is free software; you can redistribute it and/or
>> # modify it under the terms of version 2 of the GNU General Public
>> @@ -26,14 +28,17 @@
>> capability sys_resource,
>> capability sys_tty_config,
>> capability net_bind_service,
>> + capability net_admin,
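Review bot: the added `capability net_admin,` line in the capability block carries no comment saying which code path needs it, and it is a broad capability to grant to sshd. Either drop the rule, or add a comment above it naming the consumer and what fails without it, so a later reader can judge whether it is still required.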
>
> sshd doesn't actually require the net_admin capability. libpam-systemd tries
> to use it if available to set the send/receive buffers size, but will fall
> back to a non-privileged version if it fails. Considering what net_admin
> would allow, I suggest removing it from the list (I'm running without it on my
> test apparmor server with no problems so far).
Interesting, I've updated [1] and it works well on all the systems I
could test it on.
Thanks,
Simon
[1]: https://code.launchpad.net/~sdeziel/apparmor/usr.sbin.sshd-refresh/+merge/282088