Comment 2 for bug 748656

John Johansen (jjohansen) wrote :

This is being caused by the apparmor profile masking the capability set, even in complain mode. sshd is requesting the capability set and then modifying its behavior based on the reduced capability set, and then DAC does the actual reject.

AppArmor doesn't generate any messages hinting at this because,
1. the task checking its capability set is not a privileged operation (it is just masked)
2. sshd is modifying its behavior based on the retrieved capability set and does not ask for or try to use the capabilities it requires, so apparmor does not generate a log message recording which capabilities are needed.

This problem can be worked around by adding capabilities to the profile one by one, reloading the profile, and testing whether the behavior has changed.

It is fixed by not masking the read capability set of the task in complain mode as the task should effectively have all capabilities. Patch attached, and test kernel at

kernel.ubuntu.com/~jj/linux-image-2.6.38-8-generic_2.6.38-8.40~sarnold_amd64.deb
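The probe-then-branch pattern described in the comment, as an added example (not code from the bug report, sshd, or the attached patch): it reads the task's own capability sets with the raw capget(2) syscall, which is unprivileged and therefore never mediated or logged, and decides from that answer whether to attempt a privileged step. It assumes Linux; CAP_NET_BIND_SERVICE is used only as an illustration and is not the capability at issue in this bug.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <linux/capability.h>

/* Read the calling task's capability sets with the raw capget(2) syscall.
 * This is the unprivileged probe the comment refers to: the kernel answers
 * with whatever the LSM lets the task see, and nothing is logged.
 * Returns 0 on success, -1 with errno set otherwise. */
static int read_own_caps(struct __user_cap_data_struct out[2]) {
    struct __user_cap_header_struct hdr;
    memset(&hdr, 0, sizeof hdr);
    hdr.version = _LINUX_CAPABILITY_VERSION_3;   /* two 32-bit words per set */
    hdr.pid = 0;                                 /* 0 = the calling thread */
    memset(out, 0, 2 * sizeof out[0]);
    return (int)syscall(SYS_capget, &hdr, out);
}

/* Test one capability bit in a two-word mask (low word = caps 0..31). */
static int cap_in_mask(uint32_t lo, uint32_t hi, int cap) {
    if (cap < 0 || cap > 63) return 0;
    return cap < 32 ? (int)((lo >> cap) & 1u) : (int)((hi >> (cap - 32)) & 1u);
}

/* Probe-then-branch: decide whether to attempt a privileged operation purely
 * from the capget() result. When the probe comes back masked, the program
 * never issues the privileged request, so no "capability needed" record is
 * produced; the only visible failure is the later DAC error. */
static int would_attempt(int cap) {
    struct __user_cap_data_struct d[2];
    if (read_own_caps(d) != 0) return 0;
    return cap_in_mask(d[0].effective, d[1].effective, cap);
}

int main(void) {
    struct __user_cap_data_struct d[2];
    if (read_own_caps(d) != 0) { perror("capget"); return 1; }
    printf("effective:  %08x%08x\n", d[1].effective, d[0].effective);
    printf("permitted:  %08x%08x\n", d[1].permitted, d[0].permitted);
    /* Illustrative capability only; not the one involved in this bug. */
    printf("would attempt a CAP_NET_BIND_SERVICE step: %s\n",
           would_attempt(CAP_NET_BIND_SERVICE) ? "yes" : "no");
    return 0;
}
```

Running it under a confining profile and again unconfined shows the masked versus real effective set that drives the branch.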