On Thu, Oct 01, 2015 at 08:08:17PM -0700, John Johansen wrote:
> Ha! I was wrong, I did find a version of it and sftp too
>
> It's old, against openssh3.8 and I haven't really looked at it

This is great. Lots of fun old history in this: 32-bit hats, a random chance for generating a 0x00000000 hat that will lead to a failed change_hat just before starting an authenticated session, and all the Ye Olde Immunix names.

Hopefully the mediation points are still useful in OpenSSH. Perhaps they've changed as much as we have. For example, I'd probably use aa_change_profile() instead of aa_change_hat() for some of these calls; it allows specifying allowed transitions. And the session handling should probably not jump back to the main profile before handing off to pam_apparmor (rather than hard-coding those here, too..)

Anyway, this is at least a good fun trip down memory lane, and hopefully even useful for resurrecting the apparmor-enforced privsep OpenSSH.

Thanks

--
AppArmor mailing list
[email protected]
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
