[Kernel-packages] [Bug 1362199] Re: [FFe] apparmor abstract, anonymous and netlink socket mediation

2014-09-22 Thread Andy Whitcroft
** Changed in: linux-manta (Ubuntu)
   Status: In Progress => Fix Committed

** Changed in: linux-mako (Ubuntu)
   Status: In Progress => Fix Committed

** Changed in: linux-flo (Ubuntu)
   Status: In Progress => Fix Committed

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1362199

Title:
  [FFe] apparmor abstract, anonymous and netlink socket mediation

Status in “apparmor” package in Ubuntu:
  Fix Released
Status in “apparmor-easyprof-ubuntu” package in Ubuntu:
  Fix Released
Status in “isc-dhcp” package in Ubuntu:
  Fix Released
Status in “libvirt” package in Ubuntu:
  Fix Released
Status in “lightdm” package in Ubuntu:
  Fix Released
Status in “linux” package in Ubuntu:
  In Progress
Status in “linux-flo” package in Ubuntu:
  Fix Committed
Status in “linux-goldfish” package in Ubuntu:
  In Progress
Status in “linux-mako” package in Ubuntu:
  Fix Committed
Status in “linux-manta” package in Ubuntu:
  Fix Committed
Status in “rsyslog” package in Ubuntu:
  Fix Released
Status in “tlsdate” package in Ubuntu:
  Fix Released

Bug description:
  Background: kernel and apparmor userspace updates to support abstract,
  anonymous and fine-grained netlink socket mediation. These packages
  are listed in one bug because they are related, but the FFes may be
  granted and the uploads may happen at different times.

  = apparmor userspace =
  Summary:
  This feature freeze exception is requested for abstract, anonymous and 
fine-grained netlink socket for apparmor userspace. When used with a compatible 
kernel, 'unix' and 'network netlink' rules are supported. When used without a 
compatible apparmor userspace (eg, on a trusty system with an utopic backport 
kernel), abstract, anonymous and fine-grained netlink socket mediation is not 
enforced (ie, you can use this userspace with an old kernel without any issues).

  Testing:
  * 14.10 system with current kernels lacking abstract, anonymous and 
fine-grained netlink socket mediation (non-Touch):
   * https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor: DONE 
(exploratory manual testing, lxc, libvirt, etc)
  * 14.10 system kernel capable of supporting abstract, anonymous and 
fine-grained netlink socket mediation (non-Touch):
   * https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor: INPROGRESS 
(includes test-apparmor.py, exploratory manual testing, lxc, libvirt, etc)
   * Verify everything in 
https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/AppArmorProfiles: DONE 
(except juju since it doesn't have policy itself)

  Justification:
  This feature is required to support comprehensive application confinement on 
Ubuntu Touch. This feature adds a security benefit to libvirt's qemu guest 
isolation which is fundamental to Ubuntu on Server/Cloud. This feature also 
adds a welcome improvement to administrators wishing to further protect their 
systems.

  Extra information:
  While the apparmor userspace and kernel changes to support abstract, 
anonymous and fine-grained netlink socket can happen at different times, the 
apparmor userspace upload must correspond with uploads for packages that ship 
AppArmor policy that require updates (eg, libvirt, lightdm, etc). The packages 
outlined in https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/AppArmorProfiles 
have been tested to either work without modification to the policy or updated 
and tested to work with updated policy. Common rules will be added to the 
apparmor base abstraction such that most packages shipping apparmor policy will 
not require updating. These updates will be prepared, tested and published en 
masse via a silo ppa.

  = linux =
  Summary:
  This feature freeze exception is requested for abstract, anonymous and 
fine-grained netlink socket via apparmor in the kernel. When used with a 
compatible apparmor userspace, 'unix' and 'network netlink' rules are 
supported. When used without a compatible apparmor userspace (eg, on a trusty 
system with an utopic backport kernel), abstract, anonymous and fine-grained 
netlink socket mediation is not enforced (ie, you can use this kernel with an 
old userspace without any issues).

  Testing:
  * 14.04 system with backported kernel: TODO
   * test-apparmor.py: TODO (runs extensive tests (upstream and distro))
   * exploratory manual testing: TODO (networking, aa-enforce with firefox, 
firefox works, apparmor blocks access, etc)
   * aa-status: TODO
   * lxc: TODO (containers can be created, started, shutdown)
   * libvirt: TODO (VMs started via openstack, and test-libvirt.py from QRT 
passes all tests)
  * 14.10 system (non-Touch) with updated kernel:
   * https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor: INPROGRESS 
(includes click-apparmor, apparmor-easyprof-ubuntu, exploratory manual testing, 
etc)
  * 14.10 system (Touch) with updated kernel:
   * https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor: INPROGRESS 
(includes click-apparmor, apparmor-easyprof-ubuntu, exploratory manual testing, 
etc)
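The summary above notes that once a mediation-capable kernel is paired with a compatible apparmor userspace, 'unix' and 'network netlink' rules are enforced, so profiles that never needed such rules start producing socket denials. The script below is an added example, not code from this bug, the apparmor package or aa-logprof: it parses audit lines in the AppArmor DENIED format (field names family=, sock_type=, denied_mask=, addr=, peer_addr=, peer=) and turns each unix or netlink denial into a candidate rule in apparmor.d(5) syntax for the profile author to review; the sample log lines, profile name, socket address and timestamps are constructed.

```python
"""Triage AppArmor unix/netlink socket denials into candidate profile rules.

Added example (not from the bug or the apparmor project). It assumes the
AppArmor audit field names shown in SAMPLE_LOG and emits rules in the 'unix'
and 'network netlink' syntax of apparmor.d(5) for a human to review.
"""
import re

# Constructed sample audit lines: a unix connect denial, a netlink create
# denial, and a file denial that the socket triage must ignore.
SAMPLE_LOG = """\
type=AVC msg=audit(1411395000.123:45): apparmor="DENIED" operation="connect" profile="/usr/sbin/example-daemon" pid=1234 comm="example-daemon" family="unix" sock_type="stream" protocol=0 requested_mask="send receive connect" denied_mask="send connect" addr=none peer_addr="@/tmp/dbus-CONSTRUCTED" peer="unconfined"
type=AVC msg=audit(1411395001.456:46): apparmor="DENIED" operation="create" profile="/usr/sbin/example-daemon" pid=1234 comm="example-daemon" family="netlink" sock_type="raw" protocol=0 requested_mask="create" denied_mask="create"
type=AVC msg=audit(1411395002.789:47): apparmor="DENIED" operation="open" profile="/usr/sbin/example-daemon" name="/etc/shadow" pid=1234 comm="example-daemon" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# key=value pairs: the value is either double-quoted (may contain spaces,
# e.g. denied_mask="send connect") or a bare token (e.g. addr=none, pid=1234).
_FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_fields(line):
    """Return the key/value fields of one audit line as a dict."""
    fields = {}
    for m in _FIELD_RE.finditer(line):
        key, quoted, bare = m.group(1), m.group(2), m.group(3)
        fields[key] = quoted if quoted is not None else bare
    return fields


def suggest_rule(fields):
    """Map a socket denial to the narrowest rule that would permit it.

    Returns None for lines that are not socket denials (no family= field).
    """
    if fields.get("apparmor") != "DENIED" or "family" not in fields:
        return None
    family = fields["family"]
    sock_type = fields.get("sock_type", "")
    if family == "netlink":
        # Fine-grained netlink mediation keys on the socket type; network
        # rules carry no permission list, so the type alone is the rule.
        return "network netlink %s," % sock_type
    if family == "unix":
        perms = ", ".join(fields.get("denied_mask", "").split())
        conds = []
        if sock_type:
            conds.append("type=%s" % sock_type)
        # addr=none means our own socket was unbound (anonymous); only a real
        # local address (e.g. "@name" for abstract sockets) becomes a condition.
        if fields.get("addr") not in (None, "none"):
            conds.append('addr="%s"' % fields["addr"])
        peer = []
        if fields.get("peer_addr") not in (None, "none"):
            peer.append('addr="%s"' % fields["peer_addr"])
        if fields.get("peer"):
            peer.append("label=%s" % fields["peer"])
        if peer:
            conds.append("peer=(%s)" % ", ".join(peer))
        return " ".join(["unix (%s)" % perms] + conds) + ","
    return None


def triage(log_text):
    """Collect candidate rules per profile: {profile: sorted list of rules}."""
    rules = {}
    for line in log_text.splitlines():
        fields = parse_fields(line)
        rule = suggest_rule(fields)
        if rule:
            rules.setdefault(fields["profile"], set()).add(rule)
    return {profile: sorted(found) for profile, found in rules.items()}


if __name__ == "__main__":
    for profile, suggestions in triage(SAMPLE_LOG).items():
        print("# candidate rules for %s (review before adding)" % profile)
        for rule in suggestions:
            print("  %s" % rule)
```

The emitted rules are deliberately narrow (socket type, peer address and peer label from the denial); widen them only after confirming the peer is expected, since a bare `unix,` would grant access to every abstract and anonymous socket.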

[Kernel-packages] [Bug 1362199] Re: [FFe] apparmor abstract, anonymous and netlink socket mediation

2014-09-22 Thread Launchpad Bug Tracker
This bug was fixed in the package linux - 3.16.0-17.23

---
linux (3.16.0-17.23) utopic; urgency=low

  [ Tim Gardner ]

  * Release Tracking Bug
    - LP: #1371614
  * [Config] CONFIG_USB_OHCI_HCD_PCI=y
    - LP: #1244176

  [ Andy Whitcroft ]

  * rebase to v3.16.3
  * updateconfigs following rebase to v3.16.3

  [ John Johansen ]

  * SAUCE: (no-up) apparmor: Sync to apparmor3 - RC1 snapshot
    - LP: #1362199

  [ Upstream Kernel Changes ]

  * rebase to v3.16.3
 -- Andy Whitcroft a...@canonical.com   Thu, 18 Sep 2014 13:09:25 +0100

** Changed in: linux (Ubuntu)
   Status: In Progress => Fix Released


[Kernel-packages] [Bug 1362199] Re: [FFe] apparmor abstract, anonymous and netlink socket mediation

2014-09-22 Thread Launchpad Bug Tracker
This bug was fixed in the package linux-goldfish - 3.4.0-4.23

---
linux-goldfish (3.4.0-4.23) utopic; urgency=low

  [ Andy Whitcroft ]

  * SAUCE: ensure that if the first firmware is top level the firmware
    directory is made.
    Fixes FTBS
 -- Tim Gardner tim.gard...@canonical.com   Mon, 22 Sep 2014 11:59:19 -0600

** Changed in: linux-goldfish (Ubuntu)
   Status: In Progress => Fix Released

** Changed in: linux-mako (Ubuntu)
   Status: Fix Committed => Fix Released


[Kernel-packages] [Bug 1362199] Re: [FFe] apparmor abstract, anonymous and netlink socket mediation

2014-09-22 Thread Launchpad Bug Tracker
This bug was fixed in the package linux-manta - 3.4.0-6.29

---
linux-manta (3.4.0-6.29) utopic; urgency=low

  [ John Johansen ]

  * SAUCE: (no-up) apparmor: Sync to apparmor3 - RC1 snapshot
    - LP: #1362199

  [ Tim Gardner ]

  * Revert SAUCE: (no-up) apparmor: Sync to apparmor 3 - alpha 6
    snapshot

  [ Tyler Hicks ]

  * Revert SAUCE: (no-up) apparmor: fix disconnected bind mnts
    reconnection
  * Revert SAUCE: (no-up) apparmor fix: remove unused cxt var for
    unix_sendmsg
  * Revert SAUCE: (no-up) apparmor: use custom write_is_locked macro
  * Revert SAUCE: (no-up) apparmor: fix bug that constantly spam the
    console
  * Revert SAUCE: (no-up) apparmor: fix apparmor refcount bug in
    apparmor_kill
  * Revert SAUCE: (no-up) apparmor: fix refcount bug in apparmor
    pivotroot
  * Revert SAUCE: (no-up) apparmor: fix apparmor spams log with warning
    message
 -- Tim Gardner tim.gard...@canonical.com   Fri, 19 Sep 2014 10:35:55 -0600

** Branch linked: lp:ubuntu/utopic-proposed/linux-flo

** Changed in: linux-flo (Ubuntu)
   Status: Fix Committed => Fix Released


[Kernel-packages] [Bug 1362199] Re: [FFe] apparmor abstract, anonymous and netlink socket mediation

2014-09-22 Thread Launchpad Bug Tracker
This bug was fixed in the package linux-mako - 3.4.0-5.34

---
linux-mako (3.4.0-5.34) utopic; urgency=low

  [ John Johansen ]

  * SAUCE: (no-up) apparmor: Sync to apparmor3 - RC1 snapshot
    - LP: #1362199

  [ Tyler Hicks ]

  * Revert SAUCE: (no-up) apparmor: fix disconnected bind mnts
    reconnection
  * Revert SAUCE: (no-up) apparmor fix: remove unused cxt var for
    unix_sendmsg
  * Revert SAUCE: (no-up) apparmor: use custom write_is_locked macro
  * Revert SAUCE: (no-up) apparmor: fix bug that constantly spam the
    console
  * Revert SAUCE: (no-up) apparmor: fix apparmor refcount bug in
    apparmor_kill
  * Revert SAUCE: (no-up) apparmor: fix refcount bug in apparmor
    pivotroot
  * Revert SAUCE: (no-up) apparmor: fix apparmor spams log with warning
    message
  * Revert SAUCE: (no-ip) apparmor: update configs for apparmor 3 alpha 6
  * Revert SAUCE: (no-up) apparmor: Sync to apparmor 3 - alpha 6 snapshot
  * SAUCE: (no-up) apparmor: update configs for apparmor 3 - RC1
 -- Tim Gardner tim.gard...@canonical.com   Fri, 19 Sep 2014 10:17:31 -0600

** Changed in: linux-manta (Ubuntu)
   Status: Fix Committed => Fix Released


[Kernel-packages] [Bug 1362199] Re: [FFe] apparmor abstract, anonymous and netlink socket mediation

2014-09-19 Thread Victor Tuson Palau
** Tags removed: rtm14


[Kernel-packages] [Bug 1362199] Re: [FFe] apparmor abstract, anonymous and netlink socket mediation

2014-09-18 Thread Jamie Strandboge
** Also affects: linux-mako (Ubuntu)
   Importance: Undecided
   Status: New

** Also affects: linux-goldfish (Ubuntu)
   Importance: Undecided
   Status: New

** Also affects: linux-flo (Ubuntu)
   Importance: Undecided
   Status: New

** Also affects: linux-manta (Ubuntu)
   Importance: Undecided
   Status: New

** Changed in: linux-mako (Ubuntu)
   Importance: Undecided => High

** Changed in: linux-mako (Ubuntu)
   Status: New => In Progress

** Changed in: linux-mako (Ubuntu)
   Importance: High => Critical

** Changed in: linux-goldfish (Ubuntu)
   Importance: Undecided => High

** Changed in: linux-goldfish (Ubuntu)
   Status: New => In Progress

** Changed in: linux-manta (Ubuntu)
   Importance: Undecided => High

** Changed in: linux-manta (Ubuntu)
   Status: New => In Progress

** Changed in: linux-flo (Ubuntu)
   Importance: Undecided => High

** Changed in: linux-flo (Ubuntu)
   Status: New => In Progress

** Changed in: linux-mako (Ubuntu)
   Importance: Critical => High

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1362199

Title:
  [FFe] apparmor abstract, anonymous and netlink socket mediation

Status in “apparmor” package in Ubuntu:
  Fix Released
Status in “apparmor-easyprof-ubuntu” package in Ubuntu:
  Fix Released
Status in “isc-dhcp” package in Ubuntu:
  Fix Released
Status in “libvirt” package in Ubuntu:
  Fix Released
Status in “lightdm” package in Ubuntu:
  Fix Released
Status in “linux” package in Ubuntu:
  In Progress
Status in “linux-flo” package in Ubuntu:
  In Progress
Status in “linux-goldfish” package in Ubuntu:
  In Progress
Status in “linux-mako” package in Ubuntu:
  In Progress
Status in “linux-manta” package in Ubuntu:
  In Progress
Status in “rsyslog” package in Ubuntu:
  Fix Released
Status in “tlsdate” package in Ubuntu:
  Fix Released

[Kernel-packages] [Bug 1362199] Re: [FFe] apparmor abstract, anonymous and netlink socket mediation

2014-09-17 Thread Jamie Strandboge
** Changed in: linux (Ubuntu)
   Importance: Undecided => Critical

** Changed in: linux (Ubuntu)
   Importance: Critical => High

Title:
  [FFe] apparmor abstract, anonymous and netlink socket mediation

Status in “apparmor” package in Ubuntu:
  Fix Released
Status in “apparmor-easyprof-ubuntu” package in Ubuntu:
  Fix Released
Status in “isc-dhcp” package in Ubuntu:
  Fix Released
Status in “libvirt” package in Ubuntu:
  Fix Released
Status in “lightdm” package in Ubuntu:
  Fix Released
Status in “linux” package in Ubuntu:
  In Progress
Status in “rsyslog” package in Ubuntu:
  Fix Released
Status in “tlsdate” package in Ubuntu:
  Fix Released

[Kernel-packages] [Bug 1362199] Re: [FFe] apparmor abstract, anonymous and netlink socket mediation

2014-09-09 Thread Launchpad Bug Tracker
** Branch linked: lp:ubuntu/utopic-proposed/tlsdate

Title:
  [FFe] apparmor abstract, anonymous and netlink socket mediation

Status in “apparmor” package in Ubuntu:
  Fix Released
Status in “apparmor-easyprof-ubuntu” package in Ubuntu:
  Fix Released
Status in “isc-dhcp” package in Ubuntu:
  Fix Released
Status in “libvirt” package in Ubuntu:
  Fix Released
Status in “lightdm” package in Ubuntu:
  Fix Released
Status in “linux” package in Ubuntu:
  In Progress
Status in “rsyslog” package in Ubuntu:
  Fix Released
Status in “tlsdate” package in Ubuntu:
  In Progress

[Kernel-packages] [Bug 1362199] Re: [FFe] apparmor abstract, anonymous and netlink socket mediation

2014-09-09 Thread Launchpad Bug Tracker
This bug was fixed in the package tlsdate - 0.0.7-1.1ubuntu1

---
tlsdate (0.0.7-1.1ubuntu1) utopic; urgency=medium

  * debian/control: Suggests apparmor >= 2.8.96~2541-0ubuntu4~
  * debian/patches/apparmor-ubuntu.patch: update for unix and netlink socket
mediation (LP: #1362199)
 -- Jamie Strandboge ja...@ubuntu.com   Tue, 02 Sep 2014 20:11:13 -0500

** Changed in: tlsdate (Ubuntu)
   Status: In Progress => Fix Released

Title:
  [FFe] apparmor abstract, anonymous and netlink socket mediation

Status in “apparmor” package in Ubuntu:
  Fix Released
Status in “apparmor-easyprof-ubuntu” package in Ubuntu:
  Fix Released
Status in “isc-dhcp” package in Ubuntu:
  Fix Released
Status in “libvirt” package in Ubuntu:
  Fix Released
Status in “lightdm” package in Ubuntu:
  Fix Released
Status in “linux” package in Ubuntu:
  In Progress
Status in “rsyslog” package in Ubuntu:
  Fix Released
Status in “tlsdate” package in Ubuntu:
  Fix Released

[Kernel-packages] [Bug 1362199] Re: [FFe] apparmor abstract, anonymous and netlink socket mediation

2014-09-08 Thread Jamie Strandboge
** Description changed:

  Background: kernel and apparmor userspace updates to support abstract,
  anonymous and fine-grained netlink socket mediation. These packages are
  listed in one bug because they are related, but the FFes may be granted
  and the uploads may happen at different times.
+ 
+ = apparmor userspace =
+ Summary:
+ This feature freeze exception is requested for abstract, anonymous and 
fine-grained netlink socket for apparmor userspace. When used with a compatible 
kernel, 'unix' and 'network netlink' rules are supported. When used without a 
compatible apparmor userspace (eg, on a trusty system with an utopic backport 
kernel), abstract, anonymous and fine-grained netlink socket mediation is not 
enforced (ie, you can use this userspace with an old kernel without any issues).
+ 
+ Testing:
+ * 14.10 system with previous kernel lacking abstract, anonymous and 
fine-grained netlink socket mediation (non-Touch):
+  * https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor: DONE 
(exploratory manual testing, lxc, libvirt, etc)
+ * 14.10 system kernel capable of supporting abstract, anonymous and 
fine-grained netlink socket mediation (non-Touch):
+  * https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor: INPROGRESS 
(includes test-apparmor.py, exploratory manual testing, lxc, libvirt, etc)
+  * Verify everything in 
https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/AppArmorProfiles: DONE 
(except juju since it doesn't have policy itself)
+ 
+ Justification:
+ This feature is required to support comprehensive application confinement on 
Ubuntu Touch. This feature adds a security benefit to libvirt's qemu guest 
isolation which is fundamental to Ubuntu on Server/Cloud. This feature also 
adds a welcome improvement to administrators wishing to further protect their 
systems.
+ 
+ Extra information:
+ While the apparmor userspace and kernel changes to support abstract, 
anonymous and fine-grained netlink socket can happen at different times, the 
apparmor userspace upload must correspond with uploads for packages that ship 
AppArmor policy that require updates (eg, libvirt, lxc, etc). The packages 
outlined in https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/AppArmorProfiles 
have been tested to either work without modification to the policy or updated 
and tested to work with updated policy. Common rules will be added to the 
apparmor base abstraction such that most packages shipping apparmor policy will 
not require updating. These updates will be prepared, tested and published en 
masse via a silo ppa.
+ 
  
  = linux =
  Summary:
  This feature freeze exception is requested for abstract, anonymous and 
fine-grained netlink socket via apparmor in the kernel. When used with a 
compatible apparmor userspace, 'unix' and 'network netlink' rules are 
supported. When used without a compatible apparmor userspace (eg, on a trusty 
system with an utopic backport kernel), abstract, anonymous and fine-grained 
netlink socket mediation is not enforced (ie, you can use this kernel with an 
old userspace without any issues).
  
  Testing:
  * 14.04 system with backported kernel: TODO
-  * test-apparmor.py: TODO (runs extensive tests (upstream and distro))
-  * exploratory manual testing: TODO (networking, aa-enforce with firefox, 
firefox works, apparmor blocks access, etc)
-  * aa-status: TODO
-  * lxc: TODO (containers can be created, started, shutdown)
-  * libvirt: TODO (VMs started via openstack, and test-libvirt.py from QRT 
passes all tests)
- * 14.10 system (non-Touch) with current apparmor userspace: TODO (relevant 
parts of https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor)
-  * test-apparmor.py: TODO (runs extensive tests (upstream and distro))
-  * exploratory manual testing: TODO (networking, aa-enforce with firefox, 
firefox works, apparmor blocks access, etc)
-  * aa-status: TODO
-  * lxc: TODO (containers can be created, started, shutdown)
-  * libvirt: TODO (QRT/script/test-libvirt.py (though there are 3 failures 
unrelated to apparmor))
-  * click-apparmor QRT touch image tests: TODO
-  * apparmor-easyprof-ubuntu QRT touch image tests: TODO
- * 14.10 system (non-Touch) with updated apparmor userspace capable of 
supporting abstract, anonymous and fine-grained netlink socket: TODO (relevant 
parts of https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor)
-  * test-apparmor.py: TODO (runs extensive tests (upstream and distro))
-  * exploratory manual testing: TODO (networking, aa-enforce with firefox, 
firefox works, apparmor blocks access, etc)
-  * aa-status: TODO
-  * lxc: TODO (containers can be created, started, shutdown)
-  * libvirt: TODO (QRT/script/test-libvirt.py (though there are 3 failures 
unrelated to apparmor))
-  * click-apparmor QRT touch image tests: TODO
-  * apparmor-easyprof-ubuntu QRT touch image tests: TODO
+  * test-apparmor.py: TODO (runs extensive tests (upstream and distro))
+  * exploratory manual testing: TODO (networking, aa-enforce with 
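Review bot: the added apparmor userspace Summary states the compatibility case backwards: the `+` lines read "When used without a compatible apparmor userspace (eg, on a trusty system with an utopic backport kernel)", which is the wording of the linux section, while the parenthetical that follows ("you can use this userspace with an old kernel without any issues") shows the case meant here is an old kernel; suggest "When used without a compatible kernel". In the same sentence, "fine-grained netlink socket for apparmor userspace" drops the word "mediation" that the Background paragraph uses; suggest "fine-grained netlink socket mediation for apparmor userspace".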

[Kernel-packages] [Bug 1362199] Re: [FFe] apparmor abstract, anonymous and netlink socket mediation

2014-09-08 Thread Jamie Strandboge
** Description changed:

  Background: kernel and apparmor userspace updates to support abstract,
  anonymous and fine-grained netlink socket mediation. These packages are
  listed in one bug because they are related, but the FFes may be granted
  and the uploads may happen at different times.
  
  = apparmor userspace =
  Summary:
  This feature freeze exception is requested for abstract, anonymous and 
fine-grained netlink socket for apparmor userspace. When used with a compatible 
kernel, 'unix' and 'network netlink' rules are supported. When used without a 
compatible apparmor userspace (eg, on a trusty system with an utopic backport 
kernel), abstract, anonymous and fine-grained netlink socket mediation is not 
enforced (ie, you can use this userspace with an old kernel without any issues).
  
  Testing:
- * 14.10 system with previous kernel lacking abstract, anonymous and 
fine-grained netlink socket mediation (non-Touch):
+ * 14.10 system with current kernels lacking abstract, anonymous and 
fine-grained netlink socket mediation (non-Touch):
   * https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor: DONE 
(exploratory manual testing, lxc, libvirt, etc)
  * 14.10 system kernel capable of supporting abstract, anonymous and 
fine-grained netlink socket mediation (non-Touch):
   * https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor: INPROGRESS 
(includes test-apparmor.py, exploratory manual testing, lxc, libvirt, etc)
   * Verify everything in 
https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/AppArmorProfiles: DONE 
(except juju since it doesn't have policy itself)
  
  Justification:
  This feature is required to support comprehensive application confinement on 
Ubuntu Touch. This feature adds a security benefit to libvirt's qemu guest 
isolation which is fundamental to Ubuntu on Server/Cloud. This feature also 
adds a welcome improvement to administrators wishing to further protect their 
systems.
  
  Extra information:
  While the apparmor userspace and kernel changes to support abstract, 
anonymous and fine-grained netlink socket can happen at different times, the 
apparmor userspace upload must correspond with uploads for packages that ship 
AppArmor policy that require updates (eg, libvirt, lxc, etc). The packages 
outlined in https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/AppArmorProfiles 
have been tested to either work without modification to the policy or updated 
and tested to work with updated policy. Common rules will be added to the 
apparmor base abstraction such that most packages shipping apparmor policy will 
not require updating. These updates will be prepared, tested and published en 
masse via a silo ppa.
  
- 
  = linux =
  Summary:
  This feature freeze exception is requested for abstract, anonymous and 
fine-grained netlink socket via apparmor in the kernel. When used with a 
compatible apparmor userspace, 'unix' and 'network netlink' rules are 
supported. When used without a compatible apparmor userspace (eg, on a trusty 
system with an utopic backport kernel), abstract, anonymous and fine-grained 
netlink socket mediation is not enforced (ie, you can use this kernel with an 
old userspace without any issues).
  
  Testing:
  * 14.04 system with backported kernel: TODO
-  * test-apparmor.py: TODO (runs extensive tests (upstream and distro))
-  * exploratory manual testing: TODO (networking, aa-enforce with firefox, 
firefox works, apparmor blocks access, etc)
-  * aa-status: TODO
-  * lxc: TODO (containers can be created, started, shutdown)
-  * libvirt: TODO (VMs started via openstack, and test-libvirt.py from QRT 
passes all tests)
+  * test-apparmor.py: TODO (runs extensive tests (upstream and distro))
+  * exploratory manual testing: TODO (networking, aa-enforce with firefox, 
firefox works, apparmor blocks access, etc)
+  * aa-status: TODO
+  * lxc: TODO (containers can be created, started, shutdown)
+  * libvirt: TODO (VMs started via openstack, and test-libvirt.py from QRT 
passes all tests)
  * 14.10 system (non-Touch) with updated kernel:
-  * https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor: INPROGRESS 
(includes click-apparmor, apparmor-easyprof-ubuntu, exploratory manual testing, 
etc)
+  * https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor: INPROGRESS 
(includes click-apparmor, apparmor-easyprof-ubuntu, exploratory manual testing, 
etc)
  * 14.10 system (Touch) with updated kernel:
-  * https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor: INPROGRESS 
(includes click-apparmor, apparmor-easyprof-ubuntu, exploratory manual testing, 
etc)
+  * https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor: INPROGRESS 
(includes click-apparmor, apparmor-easyprof-ubuntu, exploratory manual testing, 
etc)
  
  Justification:
  This feature is required to support comprehensive application confinement on 
Ubuntu Touch. This feature adds a security benefit to libvirt's qemu guest 
isolation which is fundamental to Ubuntu on Server/Cloud. 

[Kernel-packages] [Bug 1362199] Re: [FFe] apparmor abstract, anonymous and netlink socket mediation

2014-09-08 Thread Adam Conrad
This could use some diffs attached to see how bad the damage is, but as
long as the three combinations are tested, I'm fine with this in theory:

1) old kernel and new userspace
2) new kernel and old userspace
3) new kernel and new userspace

Also, it's not clear if the other packages that need updating in
lockstep thing is a hard dependency or just a so they can make use of
the feature.  If it's a hard dependency, you'll need that specified in
package relationships (new apparmor should probably have a Breaks: foo
(<< ver), bar (<< ver) rather than making all of those packages depend
on versioned apparmor).

Title:
  [FFe] apparmor abstract, anonymous and netlink socket mediation

Status in “apparmor” package in Ubuntu:
  In Progress
Status in “apparmor-easyprof-ubuntu” package in Ubuntu:
  In Progress
Status in “isc-dhcp” package in Ubuntu:
  Fix Released
Status in “libvirt” package in Ubuntu:
  In Progress
Status in “lightdm” package in Ubuntu:
  In Progress
Status in “linux” package in Ubuntu:
  In Progress
Status in “rsyslog” package in Ubuntu:
  In Progress
Status in “tlsdate” package in Ubuntu:
  In Progress

Bug description:
  Background: kernel and apparmor userspace updates to support abstract,
  anonymous and fine-grained netlink socket mediation. These packages
  are listed in one bug because they are related, but the FFes may be
  granted and the uploads may happen at different times.

  = apparmor userspace =
  Summary:
  This feature freeze exception is requested for abstract, anonymous and 
fine-grained netlink socket for apparmor userspace. When used with a compatible 
kernel, 'unix' and 'network netlink' rules are supported. When used without a 
compatible apparmor userspace (eg, on a trusty system with an utopic backport 
kernel), abstract, anonymous and fine-grained netlink socket mediation is not 
enforced (ie, you can use this userspace with an old kernel without any issues).

  Testing:
  * 14.10 system with current kernels lacking abstract, anonymous and 
fine-grained netlink socket mediation (non-Touch):
   * https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor: DONE 
(exploratory manual testing, lxc, libvirt, etc)
  * 14.10 system kernel capable of supporting abstract, anonymous and 
fine-grained netlink socket mediation (non-Touch):
   * https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor: INPROGRESS 
(includes test-apparmor.py, exploratory manual testing, lxc, libvirt, etc)
   * Verify everything in 
https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/AppArmorProfiles: DONE 
(except juju since it doesn't have policy itself)

  Justification:
  This feature is required to support comprehensive application confinement on 
Ubuntu Touch. This feature adds a security benefit to libvirt's qemu guest 
isolation which is fundamental to Ubuntu on Server/Cloud. This feature also 
adds a welcome improvement to administrators wishing to further protect their 
systems.

  Extra information:
  While the apparmor userspace and kernel changes to support abstract, 
anonymous and fine-grained netlink socket can happen at different times, the 
apparmor userspace upload must correspond with uploads for packages that ship 
AppArmor policy that require updates (eg, libvirt, lightdm, etc). The packages 
outlined in https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/AppArmorProfiles 
have been tested to either work without modification to the policy or updated 
and tested to work with updated policy. Common rules will be added to the 
apparmor base abstraction such that most packages shipping apparmor policy will 
not require updating. These updates will be prepared, tested and published en 
masse via a silo ppa.

  = linux =
  Summary:
  This feature freeze exception is requested for abstract, anonymous and 
fine-grained netlink socket via apparmor in the kernel. When used with a 
compatible apparmor userspace, 'unix' and 'network netlink' rules are 
supported. When used without a compatible apparmor userspace (eg, on a trusty 
system with an utopic backport kernel), abstract, anonymous and fine-grained 
netlink socket mediation is not enforced (ie, you can use this kernel with an 
old userspace without any issues).

  Testing:
  * 14.04 system with backported kernel: TODO
   * test-apparmor.py: TODO (runs extensive tests (upstream and distro))
   * exploratory manual testing: TODO (networking, aa-enforce with firefox, 
firefox works, apparmor blocks access, etc)
   * aa-status: TODO
   * lxc: TODO (containers can be created, started, shutdown)
   * libvirt: TODO (VMs started via openstack, and test-libvirt.py from QRT 
passes all tests)
  * 14.10 system (non-Touch) with updated kernel:
   * https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor: INPROGRESS 
(includes click-apparmor, apparmor-easyprof-ubuntu, exploratory manual 

[Kernel-packages] [Bug 1362199] Re: [FFe] apparmor abstract, anonymous and netlink socket mediation

2014-09-08 Thread Jamie Strandboge
1) old kernel and new userspace
- this is well tested and ready to land now

2) new kernel and old userspace
3) new kernel and new userspace
- these are tested, but need more testing on the kernel side. We are finalizing 
the kernel and will have these in place for kernel pull requests

Ah, I did not update AppArmor's debian/control for the Breaks like I did
for the signal and ptrace mediation, but meant to. Thanks for the
reminder, I'll do that now.

Here are the apparmor changes:
https://code.launchpad.net/~apparmor-dev/apparmor/apparmor-ubuntu-citrain.abstract

[Kernel-packages] [Bug 1362199] Re: [FFe] apparmor abstract, anonymous and netlink socket mediation

2014-09-08 Thread John Johansen
2) new kernel and old userspace

This is currently better tested than 3, but of course needs to be done
again with any changes made to the kernel.

Also note that the regression tests have been improved and expanded for all
three cases.

[Kernel-packages] [Bug 1362199] Re: [FFe] apparmor abstract, anonymous and netlink socket mediation

2014-09-08 Thread Jamie Strandboge
FYI, when booting new userspace with old kernel, the parser will output 
something like this:
Warning from profile /usr/lib/telepathy/telepathy-ofono 
(/etc/apparmor.d/usr.lib.telepathy): downgrading extended network unix socket 
rule to generic network rule

[Kernel-packages] [Bug 1362199] Re: [FFe] apparmor abstract, anonymous and netlink socket mediation

2014-09-08 Thread Launchpad Bug Tracker
** Branch linked: lp:ubuntu/utopic-proposed/lightdm

** Branch linked: lp:ubuntu/utopic-proposed/rsyslog

[Kernel-packages] [Bug 1362199] Re: [FFe] apparmor abstract, anonymous and netlink socket mediation

2014-09-08 Thread Launchpad Bug Tracker
This bug was fixed in the package libvirt - 1.2.6-0ubuntu6

---
libvirt (1.2.6-0ubuntu6) utopic; urgency=medium

  * debian/apparmor/usr.sbin.libvirtd: update for abstract socket mediation
(LP: #1362199)
  * debian/apparmor/libvirt-qemu: allow 'r' on @{PROC}/sys/kernel/cap_last_cap
  * debian/control: Suggests apparmor >= 2.8.96~2541-0ubuntu4~
 -- Jamie Strandboge ja...@ubuntu.com   Fri, 05 Sep 2014 17:32:16 -0500

** Changed in: libvirt (Ubuntu)
   Status: In Progress => Fix Released

[Kernel-packages] [Bug 1362199] Re: [FFe] apparmor abstract, anonymous and netlink socket mediation

2014-09-08 Thread Launchpad Bug Tracker
This bug was fixed in the package lightdm - 1.11.8-0ubuntu2

---
lightdm (1.11.8-0ubuntu2) utopic; urgency=medium

  * debian/patches/06_apparmor-unix.patch: updates for unix socket mediation
(LP: #1362199)
 -- Jamie Strandboge ja...@ubuntu.com   Fri, 05 Sep 2014 17:34:03 -0500

** Changed in: lightdm (Ubuntu)
   Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1362199

Title:
  [FFe] apparmor abstract, anonymous and netlink socket mediation

Status in “apparmor” package in Ubuntu:
  In Progress
Status in “apparmor-easyprof-ubuntu” package in Ubuntu:
  In Progress
Status in “isc-dhcp” package in Ubuntu:
  Fix Released
Status in “libvirt” package in Ubuntu:
  Fix Released
Status in “lightdm” package in Ubuntu:
  Fix Released
Status in “linux” package in Ubuntu:
  In Progress
Status in “rsyslog” package in Ubuntu:
  In Progress
Status in “tlsdate” package in Ubuntu:
  In Progress

Bug description:
  Background: kernel and apparmor userspace updates to support abstract,
  anonymous and fine-grained netlink socket mediation. These packages
  are listed in one bug because they are related, but the FFes may be
  granted and the uploads may happen at different times.

  = apparmor userspace =
  Summary:
  This feature freeze exception is requested for abstract, anonymous and 
fine-grained netlink socket for apparmor userspace. When used with a compatible 
kernel, 'unix' and 'network netlink' rules are supported. When used without a 
compatible apparmor userspace (eg, on a trusty system with an utopic backport 
kernel), abstract, anonymous and fine-grained netlink socket mediation is not 
enforced (ie, you can use this userspace with an old kernel without any issues).

  Testing:
  * 14.10 system with current kernels lacking abstract, anonymous and 
fine-grained netlink socket mediation (non-Touch):
   * https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor: DONE 
(exploratory manual testing, lxc, libvirt, etc)
  * 14.10 system kernel capable of supporting abstract, anonymous and 
fine-grained netlink socket mediation (non-Touch):
   * https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor: INPROGRESS 
(includes test-apparmor.py, exploratory manual testing, lxc, libvirt, etc)
   * Verify everything in 
https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/AppArmorProfiles: DONE 
(except juju since it doesn't have policy itself)

  Justification:
  This feature is required to support comprehensive application confinement on 
Ubuntu Touch. This feature adds a security benefit to libvirt's qemu guest 
isolation which is fundamental to Ubuntu on Server/Cloud. This feature also 
adds a welcome improvement to administrators wishing to further protect their 
systems.

  Extra information:
  While the apparmor userspace and kernel changes to support abstract, 
anonymous and fine-grained netlink socket can happen at different times, the 
apparmor userspace upload must correspond with uploads for packages that ship 
AppArmor policy that require updates (eg, libvirt, lightdm, etc). The packages 
outlined in https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/AppArmorProfiles 
have been tested to either work without modification to the policy or updated 
and tested to work with updated policy. Common rules will be added to the 
apparmor base abstraction such that most packages shipping apparmor policy will 
not require updating. These updates will be prepared, tested and published en 
masse via a silo ppa.

  = linux =
  Summary:
  This feature freeze exception is requested for abstract, anonymous and 
fine-grained netlink socket via apparmor in the kernel. When used with a 
compatible apparmor userspace, 'unix' and 'network netlink' rules are 
supported. When used without a compatible apparmor userspace (eg, on a trusty 
system with a utopic backport kernel), abstract, anonymous and fine-grained 
netlink socket mediation is not enforced (ie, you can use this kernel with an 
old userspace without any issues).

  Testing:
  * 14.04 system with backported kernel: TODO
   * test-apparmor.py: TODO (runs extensive tests (upstream and distro))
   * exploratory manual testing: TODO (networking, aa-enforce with firefox, 
firefox works, apparmor blocks access, etc)
   * aa-status: TODO
   * lxc: TODO (containers can be created, started, shutdown)
   * libvirt: TODO (VMs started via openstack, and test-libvirt.py from QRT 
passes all tests)
  * 14.10 system (non-Touch) with updated kernel:
   * https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor: INPROGRESS 
(includes click-apparmor, apparmor-easyprof-ubuntu, exploratory manual testing, 
etc)
  * 14.10 system (Touch) with updated kernel:
   * https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor: INPROGRESS 
(includes click-apparmor, apparmor-easyprof-ubuntu, exploratory manual testing, 
etc)

  Justification:
 

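The FFe description above states that, once a capable kernel and userspace are paired, 'unix' and 'network netlink' rules are enforced, and the changelogs further down show the rule forms being rolled out (the maliit abstract-socket rules in apparmor-easyprof-ubuntu, the base-abstraction change that stops pairing getattr/getopt/setopt/shutdown with peer=(addr=none)). The profile fragment below is an added example written for this page, not policy from the bug or from any Ubuntu package: the program path /usr/bin/example-client, the abstract names example-server and example-client-*, and the path /run/example/control.sock are all assumptions chosen to illustrate each rule type.

```apparmor
# Added example for this page (not from the bug or any Ubuntu package).
# /usr/bin/example-client, the abstract socket names and the control
# socket path are illustrative assumptions.
#include <tunables/global>

/usr/bin/example-client {
  #include <abstractions/base>

  # Anonymous sockets (socketpair(2)) carry no address, so the local
  # address is 'none'. Limit the peer to a task confined by this profile.
  unix (send, receive) type=stream addr=none peer=(label=@{profile_name}),

  # Abstract sockets (sun_path beginning with a NUL byte) are written with a
  # leading '@'. Connect to a server bound to the abstract name example-server.
  unix (connect, send, receive) type=stream peer=(addr="@example-server"),

  # Bind our own abstract name so that other confined programs can connect.
  unix (create, bind, listen, accept) type=stream addr="@example-client-*",

  # getattr, getopt, setopt and shutdown operate on the local socket only:
  # they take a local addr= condition and no peer=(...) clause.
  unix (getattr, getopt, setopt, shutdown) addr=none,
  unix (getattr, getopt, setopt, shutdown) addr="@example-client-*",

  # Pathname-based unix sockets remain under file mediation, not unix rules.
  /run/example/control.sock rw,

  # Netlink is mediated by domain and socket type. glibc's getaddrinfo(3)
  # opens an AF_NETLINK SOCK_RAW socket (NETLINK_ROUTE) to enumerate local
  # addresses, so grant raw only; a bare 'network netlink,' would allow
  # every netlink socket type.
  network netlink raw,
}
```

Load it with apparmor_parser -r and exercise the program under enforce mode. On an older kernel the parser accepts these rules but the kernel never consults them, which is exactly the "not enforced" behaviour the summary describes; as I recall from the 2.9 userspace (not something the bug text states), the parser detects kernel support through /sys/kernel/security/apparmor/features/network/af_unix, so check for that file before trusting a test pass. When the kernel does enforce, denials show up in the audit log with family="unix" and the abstract name in the peer_addr field, which is what aa-logprof uses to propose the missing rule.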
[Kernel-packages] [Bug 1362199] Re: [FFe] apparmor abstract, anonymous and netlink socket mediation

2014-09-08 Thread Launchpad Bug Tracker
This bug was fixed in the package rsyslog - 7.4.4-1ubuntu9

---
rsyslog (7.4.4-1ubuntu9) utopic; urgency=medium

  * debian/usr.sbin.rsyslog: update for abstract socket mediation
(LP: #1362199)
  * debian/control: Suggests apparmor >= 2.8.96~2541-0ubuntu4~
 -- Jamie Strandboge ja...@ubuntu.com   Thu, 04 Sep 2014 09:45:43 -0500

** Changed in: rsyslog (Ubuntu)
   Status: In Progress => Fix Released

Title:
  [FFe] apparmor abstract, anonymous and netlink socket mediation

Status in “apparmor” package in Ubuntu:
  In Progress
Status in “apparmor-easyprof-ubuntu” package in Ubuntu:
  In Progress
Status in “isc-dhcp” package in Ubuntu:
  Fix Released
Status in “libvirt” package in Ubuntu:
  Fix Released
Status in “lightdm” package in Ubuntu:
  Fix Released
Status in “linux” package in Ubuntu:
  In Progress
Status in “rsyslog” package in Ubuntu:
  Fix Released
Status in “tlsdate” package in Ubuntu:
  In Progress

[Kernel-packages] [Bug 1362199] Re: [FFe] apparmor abstract, anonymous and netlink socket mediation

2014-09-08 Thread Launchpad Bug Tracker
This bug was fixed in the package apparmor-easyprof-ubuntu - 1.2.22

---
apparmor-easyprof-ubuntu (1.2.22) utopic; urgency=medium

  * Updates for abstract and anonymous socket mediation (LP: #1362199):
- ubuntu/*/ubuntu-*:
  + use dbus-strict and dbus-session-strict abstractions and remove
duplicated policy
  + allow ubuntu-sdk and ubuntu-webapp connect, receive and send on the
maliit abstract socket
  + allow write access to owner /{,var/}run/user/*/@{APP_PKGNAME}/{,**}
- ubuntu/*/unconfined: allow unix
- ubuntu/webview:
  + allow oxide to talk to sandbox via unix sockets
  + allow sandbox to talk to @{APP_PKGNAME}_@{APP_APPNAME}_@{APP_VERSION}
peer
  + allow various unix perms from base abstract for the sandbox to use
unix sockets
- debian/control: Depends on apparmor >= 2.8.96~2541-0ubuntu4
  * ubuntu/webview: use @{APP_PKGNAME}_@{APP_APPNAME}_@{APP_VERSION} for
signal now that we have @{APP_APPNAME} available (LP: #1363112)
  * ubuntu/debug: 'audit deny @{HOME}/.local/share/ r' which is used by the
SDK to see if confined
  * debian/control: Depends on apparmor >= 2.8.96~2541-0ubuntu4~
 -- Jamie Strandboge ja...@ubuntu.com   Fri, 05 Sep 2014 15:17:07 -0500

** Changed in: apparmor-easyprof-ubuntu (Ubuntu)
   Status: In Progress => Fix Released

** Changed in: apparmor (Ubuntu)
   Status: In Progress => Fix Released

Title:
  [FFe] apparmor abstract, anonymous and netlink socket mediation

Status in “apparmor” package in Ubuntu:
  Fix Released
Status in “apparmor-easyprof-ubuntu” package in Ubuntu:
  Fix Released
Status in “isc-dhcp” package in Ubuntu:
  Fix Released
Status in “libvirt” package in Ubuntu:
  Fix Released
Status in “lightdm” package in Ubuntu:
  Fix Released
Status in “linux” package in Ubuntu:
  In Progress
Status in “rsyslog” package in Ubuntu:
  Fix Released
Status in “tlsdate” package in Ubuntu:
  In Progress

[Kernel-packages] [Bug 1362199] Re: [FFe] apparmor abstract, anonymous and netlink socket mediation

2014-09-08 Thread Launchpad Bug Tracker
This bug was fixed in the package apparmor - 2.8.96~2652-0ubuntu3

---
apparmor (2.8.96~2652-0ubuntu3) utopic; urgency=medium

  * 08-phpsysinfo-policy-updates.patch: update for new phpsysinfo on Ubuntu
14.10
  * 09-apache2-policy-instructions.patch: update for recent Debian/Ubuntu
packaging
  * debian/control: update Breaks for apparmor-easyprof-ubuntu, libvirt-bin,
and lightdm. Add Breaks on rsyslog.

apparmor (2.8.96~2652-0ubuntu2) utopic; urgency=medium

  * 07-parser-fix_local_perms.patch: do not output local permissions for rules
that have peer_conditionals. Patch from John Johansen

apparmor (2.8.96~2652-0ubuntu1) utopic; urgency=medium

  * Updated to r2652 snapshot of 2.8.96 (LP: #1362199, LP: #1341152)

  [ Steve Beattie ]
  * removed upstreamed patches:
- dnsmasq-libvirtd-signal-ptrace.patch
- update-base-abstraction-for-signals-and-ptrace.patch
- update-nameservice-abstraction-for-extrausers.patch
  - debian/apparmor-profiles.install: dropped program-chunks/postfix-common,
moved to abstractions/ and covered by apparmor.install
  - refreshed libapparmor-layout-deb.patch patch
  * Add in Tyler Hicks' regression test improvements:
- 01-tests-unix_socket_lists.patch,
- 02-tests-accept_unix_rules_in_mkprofile.patch,
- 03-tests-unix_sockets_v7_pathnames.patch,
- 04-tests-migrate_from_poll_to_sockio_timeout.patch,
- 05-tests-add_abstract_socket_tests.patch,
  * 07-parser-fix_local_perms.patch: do not output local permissions
for rules that have peer_conditionals

  [ Jamie Strandboge ]
  * add-chromium-browser.patch: update for unix socket mediation
  * drop-peer_addr-with-local-addr-in-base.patch: don't use peer=(addr=none)
with getattr, getopt, setopt and shutdown

  [ Tyler Hicks ]
  * debian/lib/apparmor/functions, debian/apparmor.init,
debian/apparmor.upstart: Ensure system policy cache cannot become stale
after image based upgrades that update the system profiles (LP: #1350673)
  * parser-include-usr-share-apparmor.patch, debian/apparmor.install: Adjust
the default parser.conf file, to add /usr/share/apparmor as an additional
search path when resolving include directives in profiles, and install the
file in /etc/apparmor. Ubuntu places hardware specific access rules in
/usr/share/apparmor/hardware. This change allows these files to be
included without using an absolute path (e.g.,
'#include <hardware/graphics.d>').
 -- Jamie Strandboge ja...@ubuntu.com   Mon, 08 Sep 2014 16:13:10 -0500

Title:
  [FFe] apparmor abstract, anonymous and netlink socket mediation

Status in “apparmor” package in Ubuntu:
  Fix Released
Status in “apparmor-easyprof-ubuntu” package in Ubuntu:
  Fix Released
Status in “isc-dhcp” package in Ubuntu:
  Fix Released
Status in “libvirt” package in Ubuntu:
  Fix Released
Status in “lightdm” package in Ubuntu:
  Fix Released
Status in “linux” package in Ubuntu:
  In Progress
Status in “rsyslog” package in Ubuntu:
  Fix Released
Status in “tlsdate” package in Ubuntu:
  In Progress

[Kernel-packages] [Bug 1362199] Re: [FFe] apparmor abstract, anonymous and netlink socket mediation

2014-09-05 Thread Jamie Strandboge
** Changed in: apparmor-easyprof-ubuntu (Ubuntu)
   Importance: Undecided => Critical

** Changed in: apparmor (Ubuntu)
 Assignee: (unassigned) => Jamie Strandboge (jdstrand)

Title:
  [FFe] apparmor abstract, anonymous and netlink socket mediation

Status in “apparmor” package in Ubuntu:
  In Progress
Status in “apparmor-easyprof-ubuntu” package in Ubuntu:
  In Progress
Status in “isc-dhcp” package in Ubuntu:
  In Progress
Status in “libvirt” package in Ubuntu:
  In Progress
Status in “lightdm” package in Ubuntu:
  In Progress
Status in “linux” package in Ubuntu:
  In Progress
Status in “rsyslog” package in Ubuntu:
  In Progress
Status in “tlsdate” package in Ubuntu:
  In Progress

Bug description:
  Background: kernel and apparmor userspace updates to support abstract,
  anonymous and fine-grained netlink socket mediation. These packages
  are listed in one bug because they are related, but the FFes may be
  granted and the uploads may happen at different times.

  = linux =
  Summary:
  This feature freeze exception is requested for abstract, anonymous and 
fine-grained netlink socket via apparmor in the kernel. When used with a 
compatible apparmor userspace, 'unix' and 'network netlink' rules are 
supported. When used without a compatible apparmor userspace (eg, on a trusty 
system with a utopic backport kernel), abstract, anonymous and fine-grained 
netlink socket mediation is not enforced (ie, you can use this kernel with an 
old userspace without any issues).

  Testing:
  * 14.04 system with backported kernel: TODO
   * test-apparmor.py: TODO (runs extensive tests (upstream and distro))
   * exploratory manual testing: TODO (networking, aa-enforce with firefox, 
firefox works, apparmor blocks access, etc)
   * aa-status: TODO
   * lxc: TODO (containers can be created, started, shutdown)
   * libvirt: TODO (VMs started via openstack, and test-libvirt.py from QRT 
passes all tests)
  * 14.10 system (non-Touch) with current apparmor userspace: TODO (relevant 
parts of https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor)
   * test-apparmor.py: TODO (runs extensive tests (upstream and distro))
   * exploratory manual testing: TODO (networking, aa-enforce with firefox, 
firefox works, apparmor blocks access, etc)
   * aa-status: TODO
   * lxc: TODO (containers can be created, started, shutdown)
   * libvirt: TODO (QRT/script/test-libvirt.py (though there are 3 failures 
unrelated to apparmor))
   * click-apparmor QRT touch image tests: TODO
   * apparmor-easyprof-ubuntu QRT touch image tests: TODO
  * 14.10 system (non-Touch) with updated apparmor userspace capable of 
supporting abstract, anonymous and fine-grained netlink socket: TODO (relevant 
parts of https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor)
   * test-apparmor.py: TODO (runs extensive tests (upstream and distro))
   * exploratory manual testing: TODO (networking, aa-enforce with firefox, 
firefox works, apparmor blocks access, etc)
   * aa-status: TODO
   * lxc: TODO (containers can be created, started, shutdown)
   * libvirt: TODO (QRT/script/test-libvirt.py (though there are 3 failures 
unrelated to apparmor))
   * click-apparmor QRT touch image tests: TODO
   * apparmor-easyprof-ubuntu QRT touch image tests: TODO

  Justification:
  This feature is required to support comprehensive application confinement on 
Ubuntu Touch. This feature adds a security benefit to libvirt's qemu guest 
isolation which is fundamental to Ubuntu on Server/Cloud. This feature also 
adds a welcome improvement to administrators wishing to further protect their 
systems.

  = apparmor userspace =
  Summary:
  This feature freeze exception is requested for abstract, anonymous and 
fine-grained netlink socket for apparmor userspace. When used with a compatible 
kernel, 'unix' and 'network netlink' rules are supported. When used without a 
compatible apparmor userspace (eg, on a trusty system with an utopic backport 
kernel), abstract, anonymous and fine-grained netlink socket mediation is not 
enforced (ie, you can use this userspace with an old kernel without any issues).

  Testing:
  * 14.10 system with current kernel:
   * https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor: DONE (includes 
click-apparmor, apparmor-easyprof-ubuntu, exploratory manual testing, etc)
  * 14.10 system with previous kernel lacking abstract, anonymous and 
fine-grained netlink socket mediation (non-Touch):
   * https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor: DONE 
(exploratory manual testing, lxc, libvirt, etc)
   * test-apparmor.py: DONE
   * lightdm guest session: DONE (login, start browser, logout)
  * 14.10 system kernel capable of supporting abstract, anonymous and 
fine-grained netlink socket mediation (non-Touch):
   * https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor: 

[Kernel-packages] [Bug 1362199] Re: [FFe] apparmor abstract, anonymous and netlink socket mediation

2014-09-05 Thread Jamie Strandboge
isc-dhcp (4.2.4-7ubuntu14) utopic; urgency=medium

  * debian/apparmor-profile.dhclient: add file_inherit inet{,6} dgram rules
for child profiles

** Changed in: isc-dhcp (Ubuntu)
   Status: In Progress => Fix Released

Title:
  [FFe] apparmor abstract, anonymous and netlink socket mediation

Status in “apparmor” package in Ubuntu:
  In Progress
Status in “apparmor-easyprof-ubuntu” package in Ubuntu:
  In Progress
Status in “isc-dhcp” package in Ubuntu:
  Fix Released
Status in “libvirt” package in Ubuntu:
  In Progress
Status in “lightdm” package in Ubuntu:
  In Progress
Status in “linux” package in Ubuntu:
  In Progress
Status in “rsyslog” package in Ubuntu:
  In Progress
Status in “tlsdate” package in Ubuntu:
  In Progress

[Kernel-packages] [Bug 1362199] Re: [FFe] apparmor abstract, anonymous and netlink socket mediation

2014-09-04 Thread Jamie Strandboge
** Description changed:

  Background: kernel and apparmor userspace updates to support abstract,
  anonymous and fine-grained netlink socket mediation. These packages are
  listed in one bug because they are related, but the FFes may be granted
  and the uploads may happen at different times.
  
  = linux =
  Summary:
  This feature freeze exception is requested for abstract, anonymous and 
fine-grained netlink socket via apparmor in the kernel. When used with a 
compatible apparmor userspace, 'unix' and 'network netlink' rules are 
supported. When used without a compatible apparmor userspace (eg, on a trusty 
system with an utopic backport kernel), abstract, anonymous and fine-grained 
netlink socket mediation is not enforced (ie, you can use this kernel with an 
old userspace without any issues).
  
  Testing:
  * 14.04 system with backported kernel: TODO
-  * test-apparmor.py: TODO (runs extensive tests (upstream and distro))
-  * exploratory manual testing: TODO (networking, aa-enforce with firefox, 
firefox works, apparmor blocks access, etc)
-  * aa-status: TODO
-  * lxc: TODO (containers can be created, started, shutdown)
-  * libvirt: TODO (VMs started via openstack, and test-libvirt.py from QRT 
passes all tests)
+  * test-apparmor.py: TODO (runs extensive tests (upstream and distro))
+  * exploratory manual testing: TODO (networking, aa-enforce with firefox, 
firefox works, apparmor blocks access, etc)
+  * aa-status: TODO
+  * lxc: TODO (containers can be created, started, shutdown)
+  * libvirt: TODO (VMs started via openstack, and test-libvirt.py from QRT 
passes all tests)
  * 14.10 system (non-Touch) with current apparmor userspace: TODO (relevant 
parts of https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor)
-  * test-apparmor.py: TODO (runs extensive tests (upstream and distro))
-  * exploratory manual testing: TODO (networking, aa-enforce with firefox, 
firefox works, apparmor blocks access, etc)
-  * aa-status: TODO
-  * lxc: TODO (containers can be created, started, shutdown)
-  * libvirt: TODO (QRT/script/test-libvirt.py (though there are 3 failures 
unrelated to apparmor))
-  * click-apparmor QRT touch image tests: TODO
-  * apparmor-easyprof-ubuntu QRT touch image tests: TODO
+  * test-apparmor.py: TODO (runs extensive tests (upstream and distro))
+  * exploratory manual testing: TODO (networking, aa-enforce with firefox, 
firefox works, apparmor blocks access, etc)
+  * aa-status: TODO
+  * lxc: TODO (containers can be created, started, shutdown)
+  * libvirt: TODO (QRT/script/test-libvirt.py (though there are 3 failures 
unrelated to apparmor))
+  * click-apparmor QRT touch image tests: TODO
+  * apparmor-easyprof-ubuntu QRT touch image tests: TODO
  * 14.10 system (non-Touch) with updated apparmor userspace capable of 
supporting abstract, anonymous and fine-grained netlink socket: TODO (relevant 
parts of https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor)
-  * test-apparmor.py: TODO (runs extensive tests (upstream and distro))
-  * exploratory manual testing: TODO (networking, aa-enforce with firefox, 
firefox works, apparmor blocks access, etc)
-  * aa-status: TODO
-  * lxc: TODO (containers can be created, started, shutdown)
-  * libvirt: TODO (QRT/script/test-libvirt.py (though there are 3 failures 
unrelated to apparmor))
-  * click-apparmor QRT touch image tests: TODO
-  * apparmor-easyprof-ubuntu QRT touch image tests: TODO
+  * test-apparmor.py: TODO (runs extensive tests (upstream and distro))
+  * exploratory manual testing: TODO (networking, aa-enforce with firefox, 
firefox works, apparmor blocks access, etc)
+  * aa-status: TODO
+  * lxc: TODO (containers can be created, started, shutdown)
+  * libvirt: TODO (QRT/script/test-libvirt.py (though there are 3 failures 
unrelated to apparmor))
+  * click-apparmor QRT touch image tests: TODO
+  * apparmor-easyprof-ubuntu QRT touch image tests: TODO
  
  Justification:
  This feature is required to support comprehensive application confinement on 
Ubuntu Touch. This feature adds a security benefit to libvirt's qemu guest 
isolation which is fundamental to Ubuntu on Server/Cloud. This feature also 
adds a welcome improvement to administrators wishing to further protect their 
systems.
  
  = apparmor userspace =
  Summary:
  This feature freeze exception is requested for abstract, anonymous and 
fine-grained netlink socket for apparmor userspace. When used with a compatible 
kernel, 'unix' and 'network netlink' rules are supported. When used without a 
compatible apparmor userspace (eg, on a trusty system with an utopic backport 
kernel), abstract, anonymous and fine-grained netlink socket mediation is not 
enforced (ie, you can use this userspace with an old kernel without any issues).
  
  Testing:
  * 14.10 system with current kernel:
-  * https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor: TODO (includes 
click-apparmor, apparmor-easyprof-ubuntu, exploratory manual testing, etc)
+  * 

[Kernel-packages] [Bug 1362199] Re: [FFe] apparmor abstract, anonymous and netlink socket mediation

2014-09-04 Thread Jamie Strandboge
** Tags added: rtm14 touch-2014-09-11

Title:
  [FFe] apparmor abstract, anonymous and netlink socket mediation

Status in “apparmor” package in Ubuntu:
  In Progress
Status in “apparmor-easyprof-ubuntu” package in Ubuntu:
  In Progress
Status in “isc-dhcp” package in Ubuntu:
  In Progress
Status in “libvirt” package in Ubuntu:
  In Progress
Status in “lightdm” package in Ubuntu:
  In Progress
Status in “linux” package in Ubuntu:
  In Progress
Status in “rsyslog” package in Ubuntu:
  In Progress
Status in “tlsdate” package in Ubuntu:
  In Progress

Bug description:
  Background: kernel and apparmor userspace updates to support abstract,
  anonymous and fine-grained netlink socket mediation. These packages
  are listed in one bug because they are related, but the FFes may be
  granted and the uploads may happen at different times.

  = linux =
  Summary:
  This feature freeze exception is requested for abstract, anonymous and 
fine-grained netlink socket via apparmor in the kernel. When used with a 
compatible apparmor userspace, 'unix' and 'network netlink' rules are 
supported. When used without a compatible apparmor userspace (eg, on a trusty 
system with a utopic backport kernel), abstract, anonymous and fine-grained 
netlink socket mediation is not enforced (ie, you can use this kernel with an 
old userspace without any issues).

  Testing:
  * 14.04 system with backported kernel: TODO
   * test-apparmor.py: TODO (runs extensive tests (upstream and distro))
   * exploratory manual testing: TODO (networking, aa-enforce with firefox, 
firefox works, apparmor blocks access, etc)
   * aa-status: TODO
   * lxc: TODO (containers can be created, started, shutdown)
   * libvirt: TODO (VMs started via openstack, and test-libvirt.py from QRT 
passes all tests)
  * 14.10 system (non-Touch) with current apparmor userspace: TODO (relevant 
parts of https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor)
   * test-apparmor.py: TODO (runs extensive tests (upstream and distro))
   * exploratory manual testing: TODO (networking, aa-enforce with firefox, 
firefox works, apparmor blocks access, etc)
   * aa-status: TODO
   * lxc: TODO (containers can be created, started, shutdown)
   * libvirt: TODO (QRT/script/test-libvirt.py (though there are 3 failures 
unrelated to apparmor))
   * click-apparmor QRT touch image tests: TODO
   * apparmor-easyprof-ubuntu QRT touch image tests: TODO
  * 14.10 system (non-Touch) with updated apparmor userspace capable of 
supporting abstract, anonymous and fine-grained netlink socket: TODO (relevant 
parts of https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor)
   * test-apparmor.py: TODO (runs extensive tests (upstream and distro))
   * exploratory manual testing: TODO (networking, aa-enforce with firefox, 
firefox works, apparmor blocks access, etc)
   * aa-status: TODO
   * lxc: TODO (containers can be created, started, shutdown)
   * libvirt: TODO (QRT/script/test-libvirt.py (though there are 3 failures 
unrelated to apparmor))
   * click-apparmor QRT touch image tests: TODO
   * apparmor-easyprof-ubuntu QRT touch image tests: TODO

  Justification:
  This feature is required to support comprehensive application confinement on 
Ubuntu Touch. This feature adds a security benefit to libvirt's qemu guest 
isolation which is fundamental to Ubuntu on Server/Cloud. This feature also 
adds a welcome improvement to administrators wishing to further protect their 
systems.

  = apparmor userspace =
  Summary:
  This feature freeze exception is requested for abstract, anonymous and 
fine-grained netlink socket for apparmor userspace. When used with a compatible 
kernel, 'unix' and 'network netlink' rules are supported. When used without a 
compatible apparmor userspace (eg, on a trusty system with a utopic backport 
kernel), abstract, anonymous and fine-grained netlink socket mediation is not 
enforced (ie, you can use this userspace with an old kernel without any issues).

  Testing:
  * 14.10 system with current kernel:
   * https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor: DONE (includes 
click-apparmor, apparmor-easyprof-ubuntu, exploratory manual testing, etc)
  * 14.10 system with previous kernel lacking abstract, anonymous and 
fine-grained netlink socket mediation (non-Touch):
   * https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor: DONE 
(exploratory manual testing, lxc, libvirt, etc)
   * test-apparmor.py: DONE
   * lightdm guest session: DONE (login, start browser, logout)
  * 14.10 system kernel capable of supporting abstract, anonymous and 
fine-grained netlink socket mediation (non-Touch):
   * https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor: DONE (includes 
test-apparmor.py, exploratory manual testing, lxc, libvirt, etc)
   * Verify everything in 
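An added illustration, not part of the bug report or of the apparmor package: a profile fragment for a hypothetical daemon showing what the 'unix' and 'network netlink' rules mentioned in the FFe summary look like. The binary path /usr/bin/example-daemon and the abstract socket name @example-daemon are constructed for the example; the rule syntax follows apparmor.d(5). On a kernel that lacks this mediation the parser still accepts these rules but, as the summary states, they are not enforced.

```apparmor
# Added example profile (constructed; not from the bug report).
# Assumes a hypothetical daemon at /usr/bin/example-daemon that listens on
# an abstract-namespace unix socket and uses a netlink socket to read
# interface state.
#include <tunables/global>

/usr/bin/example-daemon {
  #include <abstractions/base>

  # Abstract socket the daemon itself creates (name is constructed).
  # Without unix mediation any confined process could bind or connect here.
  unix (create, bind, listen, accept) type=stream addr="@example-daemon",

  # Only peers running under this same profile may exchange data on it;
  # @{profile_name} is the built-in variable for the current profile.
  unix (send, receive) type=stream addr="@example-daemon" peer=(label=@{profile_name}),

  # Fine-grained netlink: allow a raw netlink socket and nothing else in
  # the netlink family (no inet/inet6 rules are granted by this profile).
  network netlink raw,
}
```

The peer=(label=...) condition is the security-relevant part: dropping it would allow any process on the system to talk to the abstract socket, which is exactly the gap the abstract/anonymous socket mediation in this FFe closes. Load the profile with apparmor_parser -r as usual; a denial on the socket shows up in the audit log as an AppArmor DENIED event for operation "bind", "connect" or "sendmsg" on the unix socket.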

[Kernel-packages] [Bug 1362199] Re: [FFe] apparmor abstract, anonymous and netlink socket mediation

2014-09-02 Thread Jamie Strandboge
** No longer affects: cups (Ubuntu)

** No longer affects: cups-filters (Ubuntu)

** Changed in: linux (Ubuntu)
     Assignee: (unassigned) => John Johansen (jjohansen)


Title:
  [FFe] apparmor abstract, anonymous and netlink socket mediation

Status in “apparmor” package in Ubuntu:
  In Progress
Status in “apparmor-easyprof-ubuntu” package in Ubuntu:
  In Progress
Status in “isc-dhcp” package in Ubuntu:
  In Progress
Status in “libvirt” package in Ubuntu:
  In Progress
Status in “lightdm” package in Ubuntu:
  In Progress
Status in “linux” package in Ubuntu:
  In Progress
Status in “lxc” package in Ubuntu:
  Triaged
Status in “rsyslog” package in Ubuntu:
  In Progress

Bug description:
  Background: kernel and apparmor userspace updates to support abstract,
  anonymous and fine-grained netlink socket mediation. These packages
  are listed in one bug because they are related, but the FFes may be
  granted and the uploads may happen at different times.

  = linux =
  Summary:
  This feature freeze exception is requested for abstract, anonymous and 
fine-grained netlink socket via apparmor in the kernel. When used with a 
compatible apparmor userspace, 'unix' and 'network netlink' rules are 
supported. When used without a compatible apparmor userspace (eg, on a trusty 
system with a utopic backport kernel), abstract, anonymous and fine-grained 
netlink socket mediation is not enforced (ie, you can use this kernel with an 
old userspace without any issues).

  Testing:
  * 14.04 system with backported kernel: TODO
   * test-apparmor.py: TODO (runs extensive tests (upstream and distro))
   * exploratory manual testing: TODO (networking, aa-enforce with firefox, 
firefox works, apparmor blocks access, etc)
   * aa-status: TODO
   * lxc: TODO (containers can be created, started, shutdown)
   * libvirt: TODO (VMs started via openstack, and test-libvirt.py from QRT 
passes all tests)
  * 14.10 system (non-Touch) with current apparmor userspace: TODO (relevant 
parts of https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor)
   * test-apparmor.py: TODO (runs extensive tests (upstream and distro))
   * exploratory manual testing: TODO (networking, aa-enforce with firefox, 
firefox works, apparmor blocks access, etc)
   * aa-status: TODO
   * lxc: TODO (containers can be created, started, shutdown)
   * libvirt: TODO (QRT/script/test-libvirt.py (though there are 3 failures 
unrelated to apparmor))
   * click-apparmor QRT touch image tests: TODO
   * apparmor-easyprof-ubuntu QRT touch image tests: TODO
  * 14.10 system (non-Touch) with updated apparmor userspace capable of 
supporting abstract, anonymous and fine-grained netlink socket: TODO (relevant 
parts of https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor)
   * test-apparmor.py: TODO (runs extensive tests (upstream and distro))
   * exploratory manual testing: TODO (networking, aa-enforce with firefox, 
firefox works, apparmor blocks access, etc)
   * aa-status: TODO
   * lxc: TODO (containers can be created, started, shutdown)
   * libvirt: TODO (QRT/script/test-libvirt.py (though there are 3 failures 
unrelated to apparmor))
   * click-apparmor QRT touch image tests: TODO
   * apparmor-easyprof-ubuntu QRT touch image tests: TODO

  Justification:
  This feature is required to support comprehensive application confinement on 
Ubuntu Touch. This feature adds a security benefit to libvirt's qemu guest 
isolation which is fundamental to Ubuntu on Server/Cloud. This feature also 
adds a welcome improvement to administrators wishing to further protect their 
systems.

  = apparmor userspace =
  Summary:
  This feature freeze exception is requested for abstract, anonymous and 
fine-grained netlink socket for apparmor userspace. When used with a compatible 
kernel, 'unix' and 'network netlink' rules are supported. When used without a 
compatible apparmor userspace (eg, on a trusty system with a utopic backport 
kernel), abstract, anonymous and fine-grained netlink socket mediation is not 
enforced (ie, you can use this userspace with an old kernel without any issues).

  Testing:
  * 14.10 system with current kernel:
   * https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor: TODO (includes 
click-apparmor, apparmor-easyprof-ubuntu, exploratory manual testing, etc)
  * 14.10 system with previous kernel lacking abstract, anonymous and 
fine-grained netlink socket mediation (non-Touch):
   * https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor: TODO 
(exploratory manual testing, lxc, libvirt, etc)
   * test-apparmor.py: TODO
   * lightdm guest session: TODO (login, start browser, logout)
  * 14.10 system kernel capable of supporting abstract, anonymous and 
fine-grained netlink socket mediation (non-Touch):
   * https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor: TODO (includes 

[Kernel-packages] [Bug 1362199] Re: [FFe] apparmor abstract, anonymous and netlink socket mediation

2014-09-02 Thread Jamie Strandboge
** Also affects: tlsdate (Ubuntu)
   Importance: Undecided
   Status: New

** Changed in: tlsdate (Ubuntu)
   Status: New => In Progress

** Changed in: tlsdate (Ubuntu)
     Assignee: (unassigned) => Jamie Strandboge (jdstrand)


Title:
  [FFe] apparmor abstract, anonymous and netlink socket mediation

Status in “apparmor” package in Ubuntu:
  In Progress
Status in “apparmor-easyprof-ubuntu” package in Ubuntu:
  In Progress
Status in “isc-dhcp” package in Ubuntu:
  In Progress
Status in “libvirt” package in Ubuntu:
  In Progress
Status in “lightdm” package in Ubuntu:
  In Progress
Status in “linux” package in Ubuntu:
  In Progress
Status in “lxc” package in Ubuntu:
  Triaged
Status in “rsyslog” package in Ubuntu:
  In Progress
Status in “tlsdate” package in Ubuntu:
  In Progress

Bug description:
  Background: kernel and apparmor userspace updates to support abstract,
  anonymous and fine-grained netlink socket mediation. These packages
  are listed in one bug because they are related, but the FFes may be
  granted and the uploads may happen at different times.

  = linux =
  Summary:
  This feature freeze exception is requested for abstract, anonymous and 
fine-grained netlink socket via apparmor in the kernel. When used with a 
compatible apparmor userspace, 'unix' and 'network netlink' rules are 
supported. When used without a compatible apparmor userspace (eg, on a trusty 
system with a utopic backport kernel), abstract, anonymous and fine-grained 
netlink socket mediation is not enforced (ie, you can use this kernel with an 
old userspace without any issues).

  Testing:
  * 14.04 system with backported kernel: TODO
   * test-apparmor.py: TODO (runs extensive tests (upstream and distro))
   * exploratory manual testing: TODO (networking, aa-enforce with firefox, 
firefox works, apparmor blocks access, etc)
   * aa-status: TODO
   * lxc: TODO (containers can be created, started, shutdown)
   * libvirt: TODO (VMs started via openstack, and test-libvirt.py from QRT 
passes all tests)
  * 14.10 system (non-Touch) with current apparmor userspace: TODO (relevant 
parts of https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor)
   * test-apparmor.py: TODO (runs extensive tests (upstream and distro))
   * exploratory manual testing: TODO (networking, aa-enforce with firefox, 
firefox works, apparmor blocks access, etc)
   * aa-status: TODO
   * lxc: TODO (containers can be created, started, shutdown)
   * libvirt: TODO (QRT/script/test-libvirt.py (though there are 3 failures 
unrelated to apparmor))
   * click-apparmor QRT touch image tests: TODO
   * apparmor-easyprof-ubuntu QRT touch image tests: TODO
  * 14.10 system (non-Touch) with updated apparmor userspace capable of 
supporting abstract, anonymous and fine-grained netlink socket: TODO (relevant 
parts of https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor)
   * test-apparmor.py: TODO (runs extensive tests (upstream and distro))
   * exploratory manual testing: TODO (networking, aa-enforce with firefox, 
firefox works, apparmor blocks access, etc)
   * aa-status: TODO
   * lxc: TODO (containers can be created, started, shutdown)
   * libvirt: TODO (QRT/script/test-libvirt.py (though there are 3 failures 
unrelated to apparmor))
   * click-apparmor QRT touch image tests: TODO
   * apparmor-easyprof-ubuntu QRT touch image tests: TODO

  Justification:
  This feature is required to support comprehensive application confinement on 
Ubuntu Touch. This feature adds a security benefit to libvirt's qemu guest 
isolation which is fundamental to Ubuntu on Server/Cloud. This feature also 
adds a welcome improvement to administrators wishing to further protect their 
systems.

  = apparmor userspace =
  Summary:
  This feature freeze exception is requested for abstract, anonymous and 
fine-grained netlink socket for apparmor userspace. When used with a compatible 
kernel, 'unix' and 'network netlink' rules are supported. When used without a 
compatible apparmor userspace (eg, on a trusty system with a utopic backport 
kernel), abstract, anonymous and fine-grained netlink socket mediation is not 
enforced (ie, you can use this userspace with an old kernel without any issues).

  Testing:
  * 14.10 system with current kernel:
   * https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor: TODO (includes 
click-apparmor, apparmor-easyprof-ubuntu, exploratory manual testing, etc)
  * 14.10 system with previous kernel lacking abstract, anonymous and 
fine-grained netlink socket mediation (non-Touch):
   * https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor: TODO 
(exploratory manual testing, lxc, libvirt, etc)
   * test-apparmor.py: TODO
   * lightdm guest session: TODO (login, start browser, logout)
  * 14.10 system kernel capable of supporting abstract, anonymous and 
fine-grained 

[Kernel-packages] [Bug 1362199] Re: [FFe] apparmor abstract, anonymous and netlink socket mediation

2014-08-27 Thread Jamie Strandboge
** Also affects: cups (Ubuntu)
   Importance: Undecided
   Status: New

** Also affects: cups-filters (Ubuntu)
   Importance: Undecided
   Status: New

** Changed in: cups (Ubuntu)
   Status: New => In Progress

** Changed in: cups-filters (Ubuntu)
   Status: New => In Progress

** Changed in: linux (Ubuntu)
   Status: Incomplete => In Progress

** Changed in: cups (Ubuntu)
     Assignee: (unassigned) => Jamie Strandboge (jdstrand)

** Changed in: cups-filters (Ubuntu)
     Assignee: (unassigned) => Jamie Strandboge (jdstrand)


Title:
  [FFe] apparmor abstract, anonymous and netlink socket mediation

Status in “apparmor” package in Ubuntu:
  In Progress
Status in “apparmor-easyprof-ubuntu” package in Ubuntu:
  In Progress
Status in “cups” package in Ubuntu:
  In Progress
Status in “cups-filters” package in Ubuntu:
  In Progress
Status in “isc-dhcp” package in Ubuntu:
  In Progress
Status in “libvirt” package in Ubuntu:
  In Progress
Status in “lightdm” package in Ubuntu:
  In Progress
Status in “linux” package in Ubuntu:
  In Progress
Status in “lxc” package in Ubuntu:
  Triaged
Status in “rsyslog” package in Ubuntu:
  In Progress

Bug description:
  Background: kernel and apparmor userspace updates to support abstract,
  anonymous and fine-grained netlink socket mediation. These packages
  are listed in one bug because they are related, but the FFes may be
  granted and the uploads may happen at different times.

  = linux =
  Summary:
  This feature freeze exception is requested for abstract, anonymous and 
fine-grained netlink socket via apparmor in the kernel. When used with a 
compatible apparmor userspace, 'unix' and 'network netlink' rules are 
supported. When used without a compatible apparmor userspace (eg, on a trusty 
system with a utopic backport kernel), abstract, anonymous and fine-grained 
netlink socket mediation is not enforced (ie, you can use this kernel with an 
old userspace without any issues).

  Testing:
  * 14.04 system with backported kernel: TODO
   * test-apparmor.py: TODO (runs extensive tests (upstream and distro))
   * exploratory manual testing: TODO (networking, aa-enforce with firefox, 
firefox works, apparmor blocks access, etc)
   * aa-status: TODO
   * lxc: TODO (containers can be created, started, shutdown)
   * libvirt: TODO (VMs started via openstack, and test-libvirt.py from QRT 
passes all tests)
  * 14.10 system (non-Touch) with current apparmor userspace: TODO (relevant 
parts of https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor)
   * test-apparmor.py: TODO (runs extensive tests (upstream and distro))
   * exploratory manual testing: TODO (networking, aa-enforce with firefox, 
firefox works, apparmor blocks access, etc)
   * aa-status: TODO
   * lxc: TODO (containers can be created, started, shutdown)
   * libvirt: TODO (QRT/script/test-libvirt.py (though there are 3 failures 
unrelated to apparmor))
   * click-apparmor QRT touch image tests: TODO
   * apparmor-easyprof-ubuntu QRT touch image tests: TODO
  * 14.10 system (non-Touch) with updated apparmor userspace capable of 
supporting abstract, anonymous and fine-grained netlink socket: TODO (relevant 
parts of https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor)
   * test-apparmor.py: TODO (runs extensive tests (upstream and distro))
   * exploratory manual testing: TODO (networking, aa-enforce with firefox, 
firefox works, apparmor blocks access, etc)
   * aa-status: TODO
   * lxc: TODO (containers can be created, started, shutdown)
   * libvirt: TODO (QRT/script/test-libvirt.py (though there are 3 failures 
unrelated to apparmor))
   * click-apparmor QRT touch image tests: TODO
   * apparmor-easyprof-ubuntu QRT touch image tests: TODO

  Justification:
  This feature is required to support comprehensive application confinement on 
Ubuntu Touch. This feature adds a security benefit to libvirt's qemu guest 
isolation which is fundamental to Ubuntu on Server/Cloud. This feature also 
adds a welcome improvement to administrators wishing to further protect their 
systems.

  = apparmor userspace =
  Summary:
  This feature freeze exception is requested for abstract, anonymous and 
fine-grained netlink socket for apparmor userspace. When used with a compatible 
kernel, 'unix' and 'network netlink' rules are supported. When used without a 
compatible apparmor userspace (eg, on a trusty system with a utopic backport 
kernel), abstract, anonymous and fine-grained netlink socket mediation is not 
enforced (ie, you can use this userspace with an old kernel without any issues).

  Testing:
  * 14.10 system with current kernel:
   * https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor: TODO (includes 
click-apparmor, apparmor-easyprof-ubuntu, exploratory manual testing, etc)
  * 14.10 system with previous kernel lacking 

[Kernel-packages] [Bug 1362199] Re: [FFe] apparmor abstract, anonymous and netlink socket mediation

2014-08-27 Thread Joseph Salisbury
** Tags added: kernel-da-key


Title:
  [FFe] apparmor abstract, anonymous and netlink socket mediation

Status in “apparmor” package in Ubuntu:
  In Progress
Status in “apparmor-easyprof-ubuntu” package in Ubuntu:
  In Progress
Status in “cups” package in Ubuntu:
  In Progress
Status in “cups-filters” package in Ubuntu:
  In Progress
Status in “isc-dhcp” package in Ubuntu:
  In Progress
Status in “libvirt” package in Ubuntu:
  In Progress
Status in “lightdm” package in Ubuntu:
  In Progress
Status in “linux” package in Ubuntu:
  In Progress
Status in “lxc” package in Ubuntu:
  Triaged
Status in “rsyslog” package in Ubuntu:
  In Progress

Bug description:
  Background: kernel and apparmor userspace updates to support abstract,
  anonymous and fine-grained netlink socket mediation. These packages
  are listed in one bug because they are related, but the FFes may be
  granted and the uploads may happen at different times.

  = linux =
  Summary:
  This feature freeze exception is requested for abstract, anonymous and 
fine-grained netlink socket via apparmor in the kernel. When used with a 
compatible apparmor userspace, 'unix' and 'network netlink' rules are 
supported. When used without a compatible apparmor userspace (eg, on a trusty 
system with a utopic backport kernel), abstract, anonymous and fine-grained 
netlink socket mediation is not enforced (ie, you can use this kernel with an 
old userspace without any issues).

  Testing:
  * 14.04 system with backported kernel: TODO
   * test-apparmor.py: TODO (runs extensive tests (upstream and distro))
   * exploratory manual testing: TODO (networking, aa-enforce with firefox, 
firefox works, apparmor blocks access, etc)
   * aa-status: TODO
   * lxc: TODO (containers can be created, started, shutdown)
   * libvirt: TODO (VMs started via openstack, and test-libvirt.py from QRT 
passes all tests)
  * 14.10 system (non-Touch) with current apparmor userspace: TODO (relevant 
parts of https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor)
   * test-apparmor.py: TODO (runs extensive tests (upstream and distro))
   * exploratory manual testing: TODO (networking, aa-enforce with firefox, 
firefox works, apparmor blocks access, etc)
   * aa-status: TODO
   * lxc: TODO (containers can be created, started, shutdown)
   * libvirt: TODO (QRT/script/test-libvirt.py (though there are 3 failures 
unrelated to apparmor))
   * click-apparmor QRT touch image tests: TODO
   * apparmor-easyprof-ubuntu QRT touch image tests: TODO
  * 14.10 system (non-Touch) with updated apparmor userspace capable of 
supporting abstract, anonymous and fine-grained netlink socket: TODO (relevant 
parts of https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor)
   * test-apparmor.py: TODO (runs extensive tests (upstream and distro))
   * exploratory manual testing: TODO (networking, aa-enforce with firefox, 
firefox works, apparmor blocks access, etc)
   * aa-status: TODO
   * lxc: TODO (containers can be created, started, shutdown)
   * libvirt: TODO (QRT/script/test-libvirt.py (though there are 3 failures 
unrelated to apparmor))
   * click-apparmor QRT touch image tests: TODO
   * apparmor-easyprof-ubuntu QRT touch image tests: TODO

  Justification:
  This feature is required to support comprehensive application confinement on 
Ubuntu Touch. This feature adds a security benefit to libvirt's qemu guest 
isolation which is fundamental to Ubuntu on Server/Cloud. This feature also 
adds a welcome improvement to administrators wishing to further protect their 
systems.

  = apparmor userspace =
  Summary:
  This feature freeze exception is requested for abstract, anonymous and 
fine-grained netlink socket for apparmor userspace. When used with a compatible 
kernel, 'unix' and 'network netlink' rules are supported. When used without a 
compatible apparmor userspace (eg, on a trusty system with a utopic backport 
kernel), abstract, anonymous and fine-grained netlink socket mediation is not 
enforced (ie, you can use this userspace with an old kernel without any issues).

  Testing:
  * 14.10 system with current kernel:
   * https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor: TODO (includes 
click-apparmor, apparmor-easyprof-ubuntu, exploratory manual testing, etc)
  * 14.10 system with previous kernel lacking abstract, anonymous and 
fine-grained netlink socket mediation (non-Touch):
   * https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor: TODO 
(exploratory manual testing, lxc, libvirt, etc)
   * test-apparmor.py: TODO
   * lightdm guest session: TODO (login, start browser, logout)
  * 14.10 system kernel capable of supporting abstract, anonymous and 
fine-grained netlink socket mediation (non-Touch):
   * https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor: TODO (includes 
test-apparmor.py, exploratory