support changing AppArmor hats

Bug #1501966 reported by Simon Déziel
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
openssh (Ubuntu) | New | Wishlist | Unassigned |

Bug Description

Some older versions of OpenSSH had a patch allowing the daemon to change AppArmor hats to apply different containment profiles to different code paths (AUTHENTICATED, EXEC, PRIVSEP, etc).

This feature would need to be ported to recent OpenSSH versions and sent upstream for inclusion in the portable branch.
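
What per-code-path hats could look like in a profile, as an added sketch that is not part of the original report or the Immunix patch. The hat names are the ones listed in the description; the binary path and every rule are assumptions chosen for illustration.

```apparmor
# Constructed sketch: hat names come from the bug description; the sshd path
# and all rules below are assumptions, not a tested sshd policy.
#include <tunables/global>

/usr/sbin/sshd {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  # Parent profile: listener and startup, before any hat is entered.
  capability net_bind_service,
  network inet stream,
  network inet6 stream,
  /etc/ssh/** r,
  /usr/sbin/sshd mr,

  # Hat changes are requested by writing to this interface.
  @{PROC}/@{pid}/attr/current w,

  # Pre-authentication child that parses untrusted network input.
  ^PRIVSEP {
    #include <abstractions/base>
    capability sys_chroot,
    capability setuid,
    capability setgid,
    /run/sshd/ r,
  }

  # Session setup once the user has authenticated.
  ^AUTHENTICATED {
    #include <abstractions/base>
    #include <abstractions/authentication>
    capability setuid,
    capability setgid,
    /etc/motd r,
    /dev/ptmx rw,
    /dev/pts/* rw,
  }

  # Launching the user's shell or command.
  ^EXEC {
    #include <abstractions/base>
    /etc/shells r,
    /{usr/,}bin/* Ux,
  }
}
```

In the daemon, each transition is an aa_change_hat(3) call that passes a hat name and a magic token. A process that still holds the token can return to the parent profile, so code running inside a hat must not be able to recover it.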

Colin Watson (cjwatson) wrote :

I don't recall that patch ever being in Debian OpenSSH packages, so it would be helpful to track it down and link to it.

John Johansen (jjohansen) wrote :

It never was, and I don't think the patch ever made it into Novell/Suse openssh either. I think the only place it landed was in Immunix 7.3 on openssh 3.8 (this is pre-apparmor, being known as subdomain at the time).

The patch would have to be reworked to work with apparmor, and that isn't even taking into account

John Johansen (jjohansen) wrote :

The Immunix openssh patch for subdomain (apparmor before it was apparmor)

Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "openssh-3.8p1-subdomain-privsep-v3.patch" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
Seth Arnold (seth-arnold) wrote :

~ubuntu-reviewers, the patch posted here is intended to sketch what a new patch for this feature may look like and is not intended to be used as-is in any capacity. Feel free to unsub from this bug.

Thanks

tags: removed: patch
Robie Basak (racb)
Changed in openssh (Ubuntu):
importance: Undecided → Wishlist
tags: added: needs-upstream-report