usr.sbin.sshd: deny net_admin that is not strictly required

Matthew Dawson explained why:

> sshd doesn't actually require the net_admin capability. libpam-systemd tries
> to use it if available to set the send/receive buffers size, but will fall
> back to a non-privileged version if it fails.

https://lists.ubuntu.com/archives/apparmor/2016-April/009586.html
Simon Deziel 2016-04-21 17:58:04 -04:00
parent cb011cd974
commit 5931538103

@ -28,7 +28,6 @@
capability sys_resource,
capability sys_tty_config,
capability net_bind_service,
capability net_admin,
capability chown,
capability fowner,
capability kill,
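Review bot: with `capability net_admin,` dropped from between `capability net_bind_service,` and `capability chown,`, nothing at this spot in the profile says why it is gone. The explanation lives only in the comment added further down. Consider placing the `deny capability net_admin,` rule and its comment here, where the allow rule used to be, so that someone comparing against an older copy of the profile finds the reason in the same place.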
@ -40,6 +39,11 @@
capability dac_read_search,
capability sys_ptrace,
# sshd doesn't require net_admin. libpam-systemd tries to
# use it if available to set the send/receive buffers size,
# but will fall back to a non-privileged version if it fails.
deny capability net_admin,
# needed when /proc is mounted with hidepid>=1
ptrace (read,trace) peer="unconfined",
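Review bot: the comment above `deny capability net_admin,` explains why sshd can do without the capability, but not why an explicit deny is used rather than simply leaving the rule out. In AppArmor an explicit deny takes precedence over any allow rule, so a site that does need net_admin cannot grant it back from a local addition, and deny rules are not logged unless written as `audit deny`. If quieting the log noise from libpam-systemd's attempt is the goal, say so in the comment, and add the mailing list URL from the commit message so the rationale stays with the profile.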