support changing Apparmor hats

Bug #1501966 reported by Simon Déziel on 2015-10-02
This bug affects 1 person
Affects Status Importance Assigned to Milestone
openssh (Ubuntu)

Bug Description

Some older versions of OpenSSH had a patch allowing the daemon to change Apparmor hats to apply different containment profiles to different code paths (AUTHENTICATED, EXEC, PRIVSEP, etc).

This feature would need to be ported to recent OpenSSH versions and sent upstream for inclusion in the portable branch.

Colin Watson (cjwatson) wrote :

I don't recall that patch ever being in Debian OpenSSH packages, so it would be helpful to track it down and link to it.

John Johansen (jjohansen) wrote :

It never was, and I don't think the patch ever made it into Novell/Suse openssh either. I think the only place it landed was in Immunix 7.3 on openssh 3.8 (this is pre-apparmor being known as subdomain at the time).

The patch would have to be reworked to work with apparmor, and that isn't even taking into account

John Johansen (jjohansen) wrote :

The Immunix openssh patch for subdomain (apparmor before it was apparmor)

The attachment "openssh-3.8p1-subdomain-privsep-v3.patch" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
Seth Arnold (seth-arnold) wrote :

~ubuntu-reviewers, the patch posted here is intended to sketch what a new patch for this feature may look like and is not intended to be used as-is in any capacity. Feel free to unsub from this bug.


tags: removed: patch
Robie Basak (racb) on 2015-10-06
Changed in openssh (Ubuntu):
importance: Undecided → Wishlist
tags: added: needs-upstream-report