[Touch-packages] [Bug 1641243] Re: Provide full AppArmor confinement for snaps on 14.04

2017-01-18 Thread Launchpad Bug Tracker 
This bug was fixed in the package apparmor - 2.10.95-0ubuntu2.5~14.04.1

---
apparmor (2.10.95-0ubuntu2.5~14.04.1) trusty; urgency=medium

  * Bring apparmor 2.10.95-0ubuntu2.5, from Ubuntu 16.04, to Ubuntu 14.04.
- This allows for proper snap confinement on Ubuntu 14.04 when using the
  hardware enablement kernel (LP: #1641243)
  * Changes made on top of 2.10.95-0ubuntu2.5:
- debian/apparmor.upstart: Remove the upstart job and continue using the
  init script in 14.04
- debian/apparmor.postinst, debian/apparmor-profiles.postinst,
  debian/apparmor-profiles.postrm, debian/rules: Revert to using
  invoke-rc.d to load the profiles, rather than reloading them directly,
  since 14.04 will continue using the init script rather than the upstart
  job.
- debian/apparmor.init, debian/lib/apparmor/functions,
  debian/apparmor.postinst, debian/apparmor.postrm: Remove functionality
  dealing with AppArmor policy in system image based environments since
  this 14.04 package will not need to handle such environments. This
  removes the handle_system_policy_package_updates(),
  compare_previous_version(), compare_and_save_debsums() functions and
  their callers.
- debian/apparmor.init: Continue using running-in-container since
  systemd-detect-virt doesn't exist on 14.04
- debian/lib/apparmor/functions, debian/apparmor.init: Remove the
  is_container_with_internal_policy() function and adjust its call sites
  in apparmor.init so that AppArmor policy is not loaded inside of 14.04
  LXD containers (avoids bug #1641236)
- debian/lib/apparmor/profile-load, debian/apparmor.install: Remove
  profile-load as upstart's apparmor-profile-load is used in 14.04
- debian/patches/libapparmor-mention-dbus-method-in-getcon-man.patch:
  Continue applying this patch since the dbus version in 14.04 isn't new
  enough to support fetching the AppArmor context from
  org.freedesktop.DBus.GetConnectionCredentials().
- debian/patches/libapparmor-force-libtoolize-replacement.patch: Force
  libtoolize to replace existing files to fix a libapparmor FTBFS issue on
  14.04.
- debian/control: Retain the original 14.04 Breaks and ignore the new
  Breaks from 2.10.95-0ubuntu2.5 since they were put in place as part of
  the enablement of UNIX domain socket mediation. They're not needed in
  this upload since UNIX domain socket mediation is disabled by default so
  updates to the profiles included in those packages are not needed.
- Preserve the profiles and abstractions from 14.04's
  2.8.95~2430-0ubuntu5.3 apparmor package by recreating them in the
  top-level profiles-14.04/ directory of the source. They'll be installed
  to debian/tmp/etc/apparmor.d/ during the build process and then to
  /etc/apparmor.d/ on package install so that there are no changes to the
  shipped profiles or abstractions. The abstractions from
  2.10.95-0ubuntu2.5 will be installed into
  debian/tmp/snap/etc/apparmor.d/ during the build process and then into
  /etc/apparmor.d/snap/abstractions/ on package install for use with snap
  confinement. Snap confinement profiles, which includes AppArmor profiles
  loaded by snapd and profiles loaded by snaps that are allowed to manage
  AppArmor policy, will use the snap abstractions. All other AppArmor
  profiles will continue to use the 14.04 abstractions.
  - debian/rules: Adjust for new profiles-14.04/ directory
  - debian/apparmor-profiles.install: Adjust to install the profiles that
were installed in the 2.8.95~2430-0ubuntu5.3 package
  - debian/apparmor.install: Install the abstractions from the
2.10.95-0ubuntu2.5 package into /etc/apparmor.d/snap/abstractions/
  - debian/patches/14.04-profiles.patch: Preserve the 14.04 profiles and
abstractions from the 2.8.95~2430-0ubuntu5.3 apparmor package.
  - debian/patches/conditionalize-post-release-features.patch: Disable new
mediation features, implemented after the Ubuntu 14.04 release, unless
the profile is for snap confinement. If the profile is for snap
confinement, the abstractions from /etc/apparmor.d/snap/abstractions
will be used and all of the mediation features will be enabled.
- 14.04-add-chromium-browser.patch,
  14.04-add-debian-integration-to-lighttpd.patch,
  14.04-etc-writable.patch,
  14.04-update-base-abstraction-for-signals-and-ptrace.patch,
  14.04-dnsmasq-libvirtd-signal-ptrace.patch,
  14.04-update-chromium-browser.patch,
  14.04-php5-Zend_semaphore-lp1401084.patch,
  14.04-dnsmasq-lxc_networking-lp1403468.patch,
  14.04-profiles-texlive_font_generation-lp1010909.patch,
  14.04-profiles-dovecot-updates-lp1296667.patch,
  14.04-profiles-adjust_X_for_lightdm-lp1339727.patch: Import all of the
  patches, from 14.04's 2.8.95~2430-0ubuntu5.3

[Touch-packages] [Bug 1641243] Re: Provide full AppArmor confinement for snaps on 14.04

2017-01-18 Thread Launchpad Bug Tracker 
This bug was fixed in the package dbus - 1.6.18-0ubuntu4.5

---
dbus (1.6.18-0ubuntu4.5) trusty; urgency=medium

  * debian/patches/unrequested-reply-mediation.patch: Don't let unrequested
reply messages through and don't audit them. Unrequested reply messages
are error or method_return messages that are sent from D-Bus connection A
to D-Bus connection B that do not correspond to any message ever sent by
D-Bus connection B. They should be quietly dropped as there's no use for
them outside of malicious activity. Patch based on upstream patches.
(LP: #1641243)

 -- Tyler Hicks   Wed, 30 Nov 2016 21:44:48 +

** Changed in: dbus (Ubuntu Trusty)
   Status: Fix Committed => Fix Released

** Changed in: apparmor (Ubuntu Trusty)
   Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1641243

Title:
  Provide full AppArmor confinement for snaps on 14.04

Status in apparmor package in Ubuntu:
  Invalid
Status in dbus package in Ubuntu:
  Invalid
Status in apparmor source package in Trusty:
  Fix Released
Status in dbus source package in Trusty:
  Fix Released

Bug description:
  = apparmor SRU =
  [Rationale]
  For backporting snapd to 14.04 LTS, we need to provide proper AppArmor 
confinement for snaps when running under the 16.04 hardware enablement kernel. 
The apparmor userspace package in 14.04 is missing support key mediation 
features such as UNIX domain socket rules, AppArmor policy namespaces, and 
AppArmor profile stacking. UNIX domain socket mediation is needed by nearly all 
snaps. AppArmor policy namespaces and profile stacking are needed by the lxd 
snap.

  Unfortunately, it was not feasible to backport the individual features
  to the 14.04 apparmor package as they're quite complex and have a
  large number of dependency patches. Additionally, the AppArmor policy
  abstractions from Ubuntu 16.04 are needed to provide proper snap
  confinement. Because of these two reasons, the decision to bring
  16.04's apparmor package to 14.04 was (very carefully) made.

  [Test Case]

    https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor

  This update will go through the Test Plan as well as manual testing to
  verify that snap confinement on 14.04 does work. Manual tests include
  installing snapd in 14.04 and running simple snaps such as pwgen-
  tyhicks and hello-world, as well as a much more complex snap such as
  lxd.

  The following regression tests from lp:qa-regression-testing (these
  packages ship an AppArmor profile) can be used to verify that their
  respective packages do not regress:

   test-apache2-mpm-event.py
   test-apache2-mpm-itk.py
   test-apache2-mpm-perchild.py
   test-apache2-mpm-prefork.py
   test-apache2-mpm-worker.py
   test-bind9.py
   test-clamav.py
   test-cups.py
   test-dhcp.py
   test-mysql.py
   test-ntp.py
   test-openldap.py
   test-rsyslog.py
   test-squid.py
   test-strongswan.py
   test-tcpdump.py

  I have pushed changes to lp:qa-regression-testing which pulls in the
  parser and regression tests from the apparmor 2.8.95~2430-0ubuntu5.3
  package currently shipping in Trusty, in addition to the tests in the
  2.10.95 based package.

  Additionally, manually testing evince, which is confined by an
  AppArmor profile, should be done. The manual test should check basic
  functionality as well as for proper confinement (`ps auxZ` output).

  Finally, we need to test that 12.04 -> 14.04 upgrades continue to
  work. Specifically, the apparmor packages in trusty-proposed and the
  12.04 kernel need to be tested together.

  [Regression Potential]
  High. We must be extremely careful to not regress existing, confined 
applications in Ubuntu 14.04. We are lucky that the upstream AppArmor project 
has extensive regression tests and that the Ubuntu Security team adds even more 
testing via the AppArmor Test Plan.

  Care was taken to minimally change how the AppArmor policies are
  loaded during the boot process. I also verified that the abstractions
  shipped in apparmor and the profiles shipped in apparmor-profiles are
  the same across this SRU update.

  = dbus SRU =
  [Rationale]
  For backporting snapd to 14.04 LTS, we need to provide proper D-Bus mediation 
for snaps when running under the 16.04 hardware enablement kernel. The dbus 
package in 14.04 is missing support for blocking unrequested reply messages. 
This functionality was added to the D-Bus AppArmor mediation patches after 
14.04 was released but before the patches were merged upstream in dbus. The 
idea is to prevent a malicious snap from attacking another snap, over D-Bus, 
with unrequested reply messages and also to prevent two connections from 
subverting the snap confinement by communicating via unrequested reply messages.

  [Test Case]

  The upstream AppArmor userspace

[Touch-packages] [Bug 1641243] Re: Provide full AppArmor confinement for snaps on 14.04

2016-12-22 Thread Tyler Hicks 
I've completed my verification of the apparmor
2.10.95-0ubuntu2.5~14.04.1 SRU. Testing very went well and I did not
uncover any issues. I completed the entire Test Case as documented in
the bug description. The AppArmor test plan was completed on the 14.04
release and HWE kernels as well as all of the regression tests from QRT.
The manual testing of evince was also performed on the release and HWE
kernels. Additionally, I ran test-apparmor.py on the i386 release and
HWE kernels (all other tests were ran on amd64).

On the HWE kernel, I was able to test apparmor with the snapd in trusty-
proposed. The pwgen-tyhicks, hello-world, and lxd snaps all seemed to be
working correctly. I created a 16.04 LXD container and verified that
confinement was working as intended. I also verified that confinement
was working properly with hello-world.sh.

As for the 12.04 -> 14.04 upgrade testing, it also went very well. I
installed most major 12.04 packages containing an AppArmor profile, in
addition to what's present in a default desktop install, and performed
an upgrade:

$ sudo apt-get install slapd mysql-server clamav tcpdump ntp
...

$ sudo aa-status
...
26 profiles are in enforce mode.
   /sbin/dhclient
   /usr/bin/evince
   /usr/bin/evince-previewer
   /usr/bin/evince-previewer//launchpad_integration
   /usr/bin/evince-previewer//sanitized_helper
   /usr/bin/evince-thumbnailer
   /usr/bin/evince-thumbnailer//sanitized_helper
   /usr/bin/evince//launchpad_integration
   /usr/bin/evince//sanitized_helper
   /usr/bin/freshclam
   /usr/lib/NetworkManager/nm-dhcp-client.action
   /usr/lib/connman/scripts/dhclient-script
   /usr/lib/cups/backend/cups-pdf
   /usr/lib/lightdm/lightdm-guest-session
   /usr/lib/lightdm/lightdm-guest-session//chromium
   /usr/lib/telepathy/mission-control-5
   /usr/lib/telepathy/telepathy-*
   /usr/lib/telepathy/telepathy-*//pxgsettings
   /usr/lib/telepathy/telepathy-*//sanitized_helper
   /usr/lib/telepathy/telepathy-ofono
   /usr/sbin/cups-browsed
   /usr/sbin/cupsd
   /usr/sbin/mysqld
   /usr/sbin/ntpd
   /usr/sbin/slapd
   /usr/sbin/tcpdump
...

There were a couple denials logged but they didn't affect the upgrade:

$ grep DENIED /var/log/syslog
Dec 16 18:00:41 sec-precise-amd64 kernel: [ 8267.110822] type=1400 
audit(1481911241.875:29): apparmor="DENIED" operation="open" parent=6862 
profile="/usr/sbin/slapd" name="/etc/pkcs11/modules/" pid=6873 comm="slapd" 
requested_mask="r" denied_mask="r" fsuid=118 ouid=0
Dec 16 18:32:21 sec-precise-amd64 kernel: [ 1766.776830] type=1400 
audit(1481913141.561:35): apparmor="DENIED" operation="open" parent=1 
profile="/usr/sbin/mysqld" name="/proc/sys/vm/overcommit_memory" pid=29835 
comm="mysqld" requested_mask="r" denied_mask="r" fsuid=116 ouid=0

I then performed the same 12.04 -> 14.04 upgrade test except that I
didn't use the new apparmor from trusty-proposed and it turns out that I
see the same two AppArmor denials:

$ grep DENIED /var/log/syslog
Dec 16 21:03:18 sec-precise-amd64 kernel: [  739.903410] type=1400 
audit(1481922198.702:34): apparmor="DENIED" operation="open" parent=1 
profile="/usr/sbin/mysqld" name="/proc/sys/vm/overcommit_memory" pid=1679 
comm="mysqld" requested_mask="r" denied_mask="r" fsuid=116 ouid=0
Dec 16 21:03:18 sec-precise-amd64 kernel: [  740.079754] type=1400 
audit(1481922198.878:35): apparmor="DENIED" operation="open" parent=1747 
profile="/usr/sbin/slapd" name="/etc/pkcs11/modules/" pid=1760 comm="slapd" 
requested_mask="r" denied_mask="r" fsuid=118 ouid=0

In other words, the apparmor package from trusty-proposed does not
regress the 12.04 -> 14.04 upgrade process.

I feel like the apparmor 2.10.95-0ubuntu2.5~14.04.1 SRU has went through
very thorough testing and that it is good to go.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1641243

Title:
  Provide full AppArmor confinement for snaps on 14.04

Status in apparmor package in Ubuntu:
  Invalid
Status in dbus package in Ubuntu:
  Invalid
Status in apparmor source package in Trusty:
  Fix Committed
Status in dbus source package in Trusty:
  Fix Committed

Bug description:
  = apparmor SRU =
  [Rationale]
  For backporting snapd to 14.04 LTS, we need to provide proper AppArmor 
confinement for snaps when running under the 16.04 hardware enablement kernel. 
The apparmor userspace package in 14.04 is missing support key mediation 
features such as UNIX domain socket rules, AppArmor policy namespaces, and 
AppArmor profile stacking. UNIX domain socket mediation is needed by nearly all 
snaps. AppArmor policy namespaces and profile stacking are needed by the lxd 
snap.

  Unfortunately, it was not feasible to backport the individual features
  to the 14.04 apparmor package as they're quite complex and have a
  large number of dependency patches. Additionally, the AppArmor policy
  abstractions from Ubuntu 16.04 are needed to provide proper

[Touch-packages] [Bug 1641243] Re: Provide full AppArmor confinement for snaps on 14.04

2016-12-22 Thread Tyler Hicks 
I've completed my verification of the dbus 1.6.18-0ubuntu4.5 SRU. The
documented Test Plan went as expected. It leverages extensive automated
tests that were written when the AppArmor D-Bus mediation patch set was
upstreamed into the D-Bus project. I am confident of the dbus SRU and
feel like it is ready to migrate from proposed.

I'm marking this bug as verification-done since both the apparmor and
dbus packages have been verified.

** Tags removed: verification-needed
** Tags added: verification-done

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1641243

Title:
  Provide full AppArmor confinement for snaps on 14.04

Status in apparmor package in Ubuntu:
  Invalid
Status in dbus package in Ubuntu:
  Invalid
Status in apparmor source package in Trusty:
  Fix Committed
Status in dbus source package in Trusty:
  Fix Committed

Bug description:
  = apparmor SRU =
  [Rationale]
  For backporting snapd to 14.04 LTS, we need to provide proper AppArmor 
confinement for snaps when running under the 16.04 hardware enablement kernel. 
The apparmor userspace package in 14.04 is missing support key mediation 
features such as UNIX domain socket rules, AppArmor policy namespaces, and 
AppArmor profile stacking. UNIX domain socket mediation is needed by nearly all 
snaps. AppArmor policy namespaces and profile stacking are needed by the lxd 
snap.

  Unfortunately, it was not feasible to backport the individual features
  to the 14.04 apparmor package as they're quite complex and have a
  large number of dependency patches. Additionally, the AppArmor policy
  abstractions from Ubuntu 16.04 are needed to provide proper snap
  confinement. Because of these two reasons, the decision to bring
  16.04's apparmor package to 14.04 was (very carefully) made.

  [Test Case]

    https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor

  This update will go through the Test Plan as well as manual testing to
  verify that snap confinement on 14.04 does work. Manual tests include
  installing snapd in 14.04 and running simple snaps such as pwgen-
  tyhicks and hello-world, as well as a much more complex snap such as
  lxd.

  The following regression tests from lp:qa-regression-testing (these
  packages ship an AppArmor profile) can be used to verify that their
  respective packages do not regress:

   test-apache2-mpm-event.py
   test-apache2-mpm-itk.py
   test-apache2-mpm-perchild.py
   test-apache2-mpm-prefork.py
   test-apache2-mpm-worker.py
   test-bind9.py
   test-clamav.py
   test-cups.py
   test-dhcp.py
   test-mysql.py
   test-ntp.py
   test-openldap.py
   test-rsyslog.py
   test-squid.py
   test-strongswan.py
   test-tcpdump.py

  I have pushed changes to lp:qa-regression-testing which pulls in the
  parser and regression tests from the apparmor 2.8.95~2430-0ubuntu5.3
  package currently shipping in Trusty, in addition to the tests in the
  2.10.95 based package.

  Additionally, manually testing evince, which is confined by an
  AppArmor profile, should be done. The manual test should check basic
  functionality as well as for proper confinement (`ps auxZ` output).

  Finally, we need to test that 12.04 -> 14.04 upgrades continue to
  work. Specifically, the apparmor packages in trusty-proposed and the
  12.04 kernel need to be tested together.

  [Regression Potential]
  High. We must be extremely careful to not regress existing, confined 
applications in Ubuntu 14.04. We are lucky that the upstream AppArmor project 
has extensive regression tests and that the Ubuntu Security team adds even more 
testing via the AppArmor Test Plan.

  Care was taken to minimally change how the AppArmor policies are
  loaded during the boot process. I also verified that the abstractions
  shipped in apparmor and the profiles shipped in apparmor-profiles are
  the same across this SRU update.

  = dbus SRU =
  [Rationale]
  For backporting snapd to 14.04 LTS, we need to provide proper D-Bus mediation 
for snaps when running under the 16.04 hardware enablement kernel. The dbus 
package in 14.04 is missing support for blocking unrequested reply messages. 
This functionality was added to the D-Bus AppArmor mediation patches after 
14.04 was released but before the patches were merged upstream in dbus. The 
idea is to prevent a malicious snap from attacking another snap, over D-Bus, 
with unrequested reply messages and also to prevent two connections from 
subverting the snap confinement by communicating via unrequested reply messages.

  [Test Case]

  The upstream AppArmor userspace project has thorough tests for D-Bus
  mediation, including unrequested replies. Its
  tests/regression/apparmor/dbus_*.sh tests should be ran before and
  after updating to the dbus SRU. Before updating, the
  dbus_unrequested_reply.sh should fail and should pass after updating.

  To run the dbus_*.sh tests:

  $ sudo apt-get

[Touch-packages] [Bug 1641243] Re: Provide full AppArmor confinement for snaps on 14.04

2016-12-14 Thread Tyler Hicks 
** Description changed:

  = apparmor SRU =
  [Rationale]
  For backporting snapd to 14.04 LTS, we need to provide proper AppArmor 
confinement for snaps when running under the 16.04 hardware enablement kernel. 
The apparmor userspace package in 14.04 is missing support key mediation 
features such as UNIX domain socket rules, AppArmor policy namespaces, and 
AppArmor profile stacking. UNIX domain socket mediation is needed by nearly all 
snaps. AppArmor policy namespaces and profile stacking are needed by the lxd 
snap.
  
  Unfortunately, it was not feasible to backport the individual features
  to the 14.04 apparmor package as they're quite complex and have a large
  number of dependency patches. Additionally, the AppArmor policy
  abstractions from Ubuntu 16.04 are needed to provide proper snap
  confinement. Because of these two reasons, the decision to bring 16.04's
  apparmor package to 14.04 was (very carefully) made.
  
  [Test Case]
  
    https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor
  
  This update will go through the Test Plan as well as manual testing to
  verify that snap confinement on 14.04 does work. Manual tests include
  installing snapd in 14.04 and running simple snaps such as pwgen-tyhicks
  and hello-world, as well as a much more complex snap such as lxd.
  
  The following regression tests from lp:qa-regression-testing (these
  packages ship an AppArmor profile) can be used to verify that their
  respective packages do not regress:
  
   test-apache2-mpm-event.py
   test-apache2-mpm-itk.py
   test-apache2-mpm-perchild.py
   test-apache2-mpm-prefork.py
   test-apache2-mpm-worker.py
   test-bind9.py
   test-clamav.py
   test-cups.py
   test-dhcp.py
   test-mysql.py
   test-ntp.py
   test-openldap.py
   test-rsyslog.py
   test-squid.py
   test-strongswan.py
   test-tcpdump.py
  
  I have pushed changes to lp:qa-regression-testing which pulls in the
  parser and regression tests from the apparmor 2.8.95~2430-0ubuntu5.3
  package currently shipping in Trusty, in addition to the tests in the
  2.10.95 based package.
  
  Additionally, manually testing evince, which is confined by an AppArmor
  profile, should be done. The manual test should check basic
  functionality as well as for proper confinement (`ps auxZ` output).
  
+ Finally, we need to test that 12.04 -> 14.04 upgrades continue to work.
+ Specifically, the apparmor packages in trusty-proposed and the 12.04
+ kernel need to be tested together.
+ 
  [Regression Potential]
  High. We must be extremely careful to not regress existing, confined 
applications in Ubuntu 14.04. We are lucky that the upstream AppArmor project 
has extensive regression tests and that the Ubuntu Security team adds even more 
testing via the AppArmor Test Plan.
  
  Care was taken to minimally change how the AppArmor policies are loaded
  during the boot process. I also verified that the abstractions shipped
  in apparmor and the profiles shipped in apparmor-profiles are the same
  across this SRU update.
  
  = dbus SRU =
  [Rationale]
  For backporting snapd to 14.04 LTS, we need to provide proper D-Bus mediation 
for snaps when running under the 16.04 hardware enablement kernel. The dbus 
package in 14.04 is missing support for blocking unrequested reply messages. 
This functionality was added to the D-Bus AppArmor mediation patches after 
14.04 was released but before the patches were merged upstream in dbus. The 
idea is to prevent a malicious snap from attacking another snap, over D-Bus, 
with unrequested reply messages and also to prevent two connections from 
subverting the snap confinement by communicating via unrequested reply messages.
  
  [Test Case]
  
  The upstream AppArmor userspace project has thorough tests for D-Bus
  mediation, including unrequested replies. Its
  tests/regression/apparmor/dbus_*.sh tests should be ran before and after
  updating to the dbus SRU. Before updating, the dbus_unrequested_reply.sh
  should fail and should pass after updating.
  
  To run the dbus_*.sh tests:
  
  $ sudo apt-get install -y bzr libdbus-1-dev
  $ bzr branch lp:apparmor # apt-get source apparmor to test the current 
apparmor
  $ cd apparmor/tests/regression/apparmor/
  $ make USE_SYSTEM=1 \
    dbus_{eavesdrop,message,service,unrequested_reply} uservars.inc
  $ for t in dbus_{eavesdrop,message,service,unrequested_reply}.sh; \
    do sudo VERBOSE=1 bash $t || break; done
  
  The exit code should be 0 and all output lines should start with "ok:".
  
  In addition, the test-dbus.py tests from lp:qa-regression-testing should
  be ran to verify basic D-Bus functionality.
  
  This update will go through the Test Plan as well as manual testing to
  verify that snap confinement on 14.04 does work. Manual tests include
  installing snapd in 14.04 and running simple snaps such as pwgen-tyhicks
  and hello-world, as well as a much more complex snap such as lxd.
  
  [Regression Potential]
  Low. There's no use for unrequested D-Bus reply

[Touch-packages] [Bug 1641243] Re: Provide full AppArmor confinement for snaps on 14.04

2016-12-14 Thread Tyler Hicks 
** Description changed:

  = apparmor SRU =
  [Rationale]
  For backporting snapd to 14.04 LTS, we need to provide proper AppArmor 
confinement for snaps when running under the 16.04 hardware enablement kernel. 
The apparmor userspace package in 14.04 is missing support key mediation 
features such as UNIX domain socket rules, AppArmor policy namespaces, and 
AppArmor profile stacking. UNIX domain socket mediation is needed by nearly all 
snaps. AppArmor policy namespaces and profile stacking are needed by the lxd 
snap.
  
  Unfortunately, it was not feasible to backport the individual features
  to the 14.04 apparmor package as they're quite complex and have a large
  number of dependency patches. Additionally, the AppArmor policy
  abstractions from Ubuntu 16.04 are needed to provide proper snap
  confinement. Because of these two reasons, the decision to bring 16.04's
  apparmor package to 14.04 was (very carefully) made.
  
  [Test Case]
  
    https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor
  
  This update will go through the Test Plan as well as manual testing to
  verify that snap confinement on 14.04 does work. Manual tests include
  installing snapd in 14.04 and running simple snaps such as pwgen-tyhicks
  and hello-world, as well as a much more complex snap such as lxd.
  
  The following regression tests from lp:qa-regression-testing (these
  packages ship an AppArmor profile) can be used to verify that their
  respective packages do not regress:
  
   test-apache2-mpm-event.py
   test-apache2-mpm-itk.py
   test-apache2-mpm-perchild.py
   test-apache2-mpm-prefork.py
   test-apache2-mpm-worker.py
   test-bind9.py
   test-clamav.py
   test-cups.py
   test-dhcp.py
   test-mysql.py
   test-ntp.py
   test-openldap.py
   test-rsyslog.py
   test-squid.py
   test-strongswan.py
   test-tcpdump.py
  
- I have a branch of lp:qa-regression-testing (unmerged, currently at
- https://code.launchpad.net/~tyhicks/+git/qa-regression-testing/+ref
- /apparmor-trusty-sru) that pulls in the parser and regression tests from
- the apparmor 2.8.95~2430-0ubuntu5.3 package currently shipping in
- Trusty, in addition to the tests in the 2.10.95 based package.
+ I have pushed changes to lp:qa-regression-testing which pulls in the
+ parser and regression tests from the apparmor 2.8.95~2430-0ubuntu5.3
+ package currently shipping in Trusty, in addition to the tests in the
+ 2.10.95 based package.
  
  Additionally, manually testing evince, which is confined by an AppArmor
  profile, should be done. The manual test should check basic
  functionality as well as for proper confinement (`ps auxZ` output).
  
  [Regression Potential]
  High. We must be extremely careful to not regress existing, confined 
applications in Ubuntu 14.04. We are lucky that the upstream AppArmor project 
has extensive regression tests and that the Ubuntu Security team adds even more 
testing via the AppArmor Test Plan.
  
  Care was taken to minimally change how the AppArmor policies are loaded
  during the boot process. I also verified that the abstractions shipped
  in apparmor and the profiles shipped in apparmor-profiles are the same
  across this SRU update.
  
  = dbus SRU =
  [Rationale]
  For backporting snapd to 14.04 LTS, we need to provide proper D-Bus mediation 
for snaps when running under the 16.04 hardware enablement kernel. The dbus 
package in 14.04 is missing support for blocking unrequested reply messages. 
This functionality was added to the D-Bus AppArmor mediation patches after 
14.04 was released but before the patches were merged upstream in dbus. The 
idea is to prevent a malicious snap from attacking another snap, over D-Bus, 
with unrequested reply messages and also to prevent two connections from 
subverting the snap confinement by communicating via unrequested reply messages.
  
  [Test Case]
  
  The upstream AppArmor userspace project has thorough tests for D-Bus
  mediation, including unrequested replies. Its
  tests/regression/apparmor/dbus_*.sh tests should be ran before and after
  updating to the dbus SRU. Before updating, the dbus_unrequested_reply.sh
  should fail and should pass after updating.
  
  To run the dbus_*.sh tests:
  
  $ sudo apt-get install -y bzr libdbus-1-dev
  $ bzr branch lp:apparmor # apt-get source apparmor to test the current 
apparmor
  $ cd apparmor/tests/regression/apparmor/
  $ make USE_SYSTEM=1 \
-   dbus_{eavesdrop,message,service,unrequested_reply} uservars.inc
+   dbus_{eavesdrop,message,service,unrequested_reply} uservars.inc
  $ for t in dbus_{eavesdrop,message,service,unrequested_reply}.sh; \
-   do sudo VERBOSE=1 bash $t || break; done
+   do sudo VERBOSE=1 bash $t || break; done
  
  The exit code should be 0 and all output lines should start with "ok:".
  
  In addition, the test-dbus.py tests from lp:qa-regression-testing should
  be ran to verify basic D-Bus functionality.
  
  This update will go through the Test Plan as well as manual testing to
  verify that snap

[Touch-packages] [Bug 1641243] Re: Provide full AppArmor confinement for snaps on 14.04

2016-12-09 Thread Timo Aaltonen 
Hello Tyler, or anyone else affected,

Accepted apparmor into trusty-proposed. The package will build now and
be available at
https://launchpad.net/ubuntu/+source/apparmor/2.10.95-0ubuntu2.5~14.04.1
in a few hours, and then in the -proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed.Your feedback will aid us getting this
update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, and change the tag
from verification-needed to verification-done. If it does not fix the
bug for you, please add a comment stating that, and change the tag to
verification-failed.  In either case, details of your testing will help
us make a better decision.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance!

** Changed in: apparmor (Ubuntu Trusty)
   Status: In Progress => Fix Committed

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1641243

Title:
  Provide full AppArmor confinement for snaps on 14.04

Status in apparmor package in Ubuntu:
  Invalid
Status in dbus package in Ubuntu:
  Invalid
Status in apparmor source package in Trusty:
  Fix Committed
Status in dbus source package in Trusty:
  Fix Committed

Bug description:
  = apparmor SRU =
  [Rationale]
  For backporting snapd to 14.04 LTS, we need to provide proper AppArmor 
confinement for snaps when running under the 16.04 hardware enablement kernel. 
The apparmor userspace package in 14.04 is missing support key mediation 
features such as UNIX domain socket rules, AppArmor policy namespaces, and 
AppArmor profile stacking. UNIX domain socket mediation is needed by nearly all 
snaps. AppArmor policy namespaces and profile stacking are needed by the lxd 
snap.

  Unfortunately, it was not feasible to backport the individual features
  to the 14.04 apparmor package as they're quite complex and have a
  large number of dependency patches. Additionally, the AppArmor policy
  abstractions from Ubuntu 16.04 are needed to provide proper snap
  confinement. Because of these two reasons, the decision to bring
  16.04's apparmor package to 14.04 was (very carefully) made.

  [Test Case]

    https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor

  This update will go through the Test Plan as well as manual testing to
  verify that snap confinement on 14.04 does work. Manual tests include
  installing snapd in 14.04 and running simple snaps such as pwgen-
  tyhicks and hello-world, as well as a much more complex snap such as
  lxd.

  The following regression tests from lp:qa-regression-testing (these
  packages ship an AppArmor profile) can be used to verify that their
  respective packages do not regress:

   test-apache2-mpm-event.py
   test-apache2-mpm-itk.py
   test-apache2-mpm-perchild.py
   test-apache2-mpm-prefork.py
   test-apache2-mpm-worker.py
   test-bind9.py
   test-clamav.py
   test-cups.py
   test-dhcp.py
   test-mysql.py
   test-ntp.py
   test-openldap.py
   test-rsyslog.py
   test-squid.py
   test-strongswan.py
   test-tcpdump.py

  I have a branch of lp:qa-regression-testing (unmerged, currently at
  https://code.launchpad.net/~tyhicks/+git/qa-regression-testing/+ref
  /apparmor-trusty-sru) that pulls in the parser and regression tests
  from the apparmor 2.8.95~2430-0ubuntu5.3 package currently shipping in
  Trusty, in addition to the tests in the 2.10.95 based package.

  Additionally, manually testing evince, which is confined by an
  AppArmor profile, should be done. The manual test should check basic
  functionality as well as for proper confinement (`ps auxZ` output).

  [Regression Potential]
  High. We must be extremely careful to not regress existing, confined 
applications in Ubuntu 14.04. We are lucky that the upstream AppArmor project 
has extensive regression tests and that the Ubuntu Security team adds even more 
testing via the AppArmor Test Plan.

  Care was taken to minimally change how the AppArmor policies are
  loaded during the boot process. I also verified that the abstractions
  shipped in apparmor and the profiles shipped in apparmor-profiles are
  the same across this SRU update.

  = dbus SRU =
  [Rationale]
  For backporting snapd to 14.04 LTS, we need to provide proper D-Bus mediation 
for snaps when running under the 16.04 hardware enablement kernel. The dbus 
package in 14.04 is missing support for blocking unrequested reply messages. 
This functionality was added to the D-Bus AppArmor mediation patches after 
14.04 was released but before the patches were merged upstream in dbus. The 
idea is to prevent a malicious snap from attacking another snap, over D-Bus, 
with unrequested reply

[Touch-packages] [Bug 1641243] Re: Provide full AppArmor confinement for snaps on 14.04

2016-12-07 Thread Brian Murray 
Hello Tyler, or anyone else affected,

Accepted dbus into trusty-proposed. The package will build now and be
available at https://launchpad.net/ubuntu/+source/dbus/1.6.18-0ubuntu4.5
in a few hours, and then in the -proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to
enable and use -proposed.  Your feedback will aid us getting this update
out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, and change the tag
from verification-needed to verification-done. If it does not fix the
bug for you, please add a comment stating that, and change the tag to
verification-failed.  In either case, details of your testing will help
us make a better decision.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance!

** Changed in: dbus (Ubuntu Trusty)
   Status: In Progress => Fix Committed

** Tags added: verification-needed

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1641243

Title:
  Provide full AppArmor confinement for snaps on 14.04

Status in apparmor package in Ubuntu:
  Invalid
Status in dbus package in Ubuntu:
  Invalid
Status in apparmor source package in Trusty:
  In Progress
Status in dbus source package in Trusty:
  Fix Committed

Bug description:
  = apparmor SRU =
  [Rationale]
  For backporting snapd to 14.04 LTS, we need to provide proper AppArmor 
confinement for snaps when running under the 16.04 hardware enablement kernel. 
The apparmor userspace package in 14.04 is missing support key mediation 
features such as UNIX domain socket rules, AppArmor policy namespaces, and 
AppArmor profile stacking. UNIX domain socket mediation is needed by nearly all 
snaps. AppArmor policy namespaces and profile stacking are needed by the lxd 
snap.

  Unfortunately, it was not feasible to backport the individual features
  to the 14.04 apparmor package as they're quite complex and have a
  large number of dependency patches. Additionally, the AppArmor policy
  abstractions from Ubuntu 16.04 are needed to provide proper snap
  confinement. Because of these two reasons, the decision to bring
  16.04's apparmor package to 14.04 was (very carefully) made.

  [Test Case]

    https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor

  This update will go through the Test Plan as well as manual testing to
  verify that snap confinement on 14.04 does work. Manual tests include
  installing snapd in 14.04 and running simple snaps such as pwgen-
  tyhicks and hello-world, as well as a much more complex snap such as
  lxd.

  The following regression tests from lp:qa-regression-testing (these
  packages ship an AppArmor profile) can be used to verify that their
  respective packages do not regress:

   test-apache2-mpm-event.py
   test-apache2-mpm-itk.py
   test-apache2-mpm-perchild.py
   test-apache2-mpm-prefork.py
   test-apache2-mpm-worker.py
   test-bind9.py
   test-clamav.py
   test-cups.py
   test-dhcp.py
   test-mysql.py
   test-ntp.py
   test-openldap.py
   test-rsyslog.py
   test-squid.py
   test-strongswan.py
   test-tcpdump.py

  I have a branch of lp:qa-regression-testing (unmerged, currently at
  https://code.launchpad.net/~tyhicks/+git/qa-regression-testing/+ref
  /apparmor-trusty-sru) that pulls in the parser and regression tests
  from the apparmor 2.8.95~2430-0ubuntu5.3 package currently shipping in
  Trusty, in addition to the tests in the 2.10.95 based package.

  Additionally, manually testing evince, which is confined by an
  AppArmor profile, should be done. The manual test should check basic
  functionality as well as for proper confinement (`ps auxZ` output).

  [Regression Potential]
  High. We must be extremely careful to not regress existing, confined 
applications in Ubuntu 14.04. We are lucky that the upstream AppArmor project 
has extensive regression tests and that the Ubuntu Security team adds even more 
testing via the AppArmor Test Plan.

  Care was taken to minimally change how the AppArmor policies are
  loaded during the boot process. I also verified that the abstractions
  shipped in apparmor and the profiles shipped in apparmor-profiles are
  the same across this SRU update.

  = dbus SRU =
  [Rationale]
  For backporting snapd to 14.04 LTS, we need to provide proper D-Bus mediation 
for snaps when running under the 16.04 hardware enablement kernel. The dbus 
package in 14.04 is missing support for blocking unrequested reply messages. 
This functionality was added to the D-Bus AppArmor mediation patches after 
14.04 was released but before the patches were merged upstream in dbus. The 
idea is to prevent a malicious snap from attacking another snap, over D-Bus, 
with

[Touch-packages] [Bug 1641243] Re: Provide full AppArmor confinement for snaps on 14.04

2016-12-01 Thread Tyler Hicks 
The old apparmor upload has been rejected and I'll be uploading a new
version shortly.

** Changed in: apparmor (Ubuntu Trusty)
   Status: Incomplete => In Progress

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1641243

Title:
  Provide full AppArmor confinement for snaps on 14.04

Status in apparmor package in Ubuntu:
  Invalid
Status in dbus package in Ubuntu:
  Invalid
Status in apparmor source package in Trusty:
  In Progress
Status in dbus source package in Trusty:
  In Progress

Bug description:
  = apparmor SRU =
  [Rationale]
  For backporting snapd to 14.04 LTS, we need to provide proper AppArmor 
confinement for snaps when running under the 16.04 hardware enablement kernel. 
The apparmor userspace package in 14.04 is missing support key mediation 
features such as UNIX domain socket rules, AppArmor policy namespaces, and 
AppArmor profile stacking. UNIX domain socket mediation is needed by nearly all 
snaps. AppArmor policy namespaces and profile stacking are needed by the lxd 
snap.

  Unfortunately, it was not feasible to backport the individual features
  to the 14.04 apparmor package as they're quite complex and have a
  large number of dependency patches. Additionally, the AppArmor policy
  abstractions from Ubuntu 16.04 are needed to provide proper snap
  confinement. Because of these two reasons, the decision to bring
  16.04's apparmor package to 14.04 was (very carefully) made.

  [Test Case]

    https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor

  This update will go through the Test Plan as well as manual testing to
  verify that snap confinement on 14.04 does work. Manual tests include
  installing snapd in 14.04 and running simple snaps such as pwgen-
  tyhicks and hello-world, as well as a much more complex snap such as
  lxd.

  The following regression tests from lp:qa-regression-testing (these
  packages ship an AppArmor profile) can be used to verify that their
  respective packages do not regress:

   test-apache2-mpm-event.py
   test-apache2-mpm-itk.py
   test-apache2-mpm-perchild.py
   test-apache2-mpm-prefork.py
   test-apache2-mpm-worker.py
   test-bind9.py
   test-clamav.py
   test-cups.py
   test-dhcp.py
   test-mysql.py
   test-ntp.py
   test-openldap.py
   test-rsyslog.py
   test-squid.py
   test-strongswan.py
   test-tcpdump.py

  I have a branch of lp:qa-regression-testing (unmerged, currently at
  https://code.launchpad.net/~tyhicks/+git/qa-regression-testing/+ref
  /apparmor-trusty-sru) that pulls in the parser and regression tests
  from the apparmor 2.8.95~2430-0ubuntu5.3 package currently shipping in
  Trusty, in addition to the tests in the 2.10.95 based package.

  Additionally, manually testing evince, which is confined by an
  AppArmor profile, should be done. The manual test should check basic
  functionality as well as for proper confinement (`ps auxZ` output).

  [Regression Potential]
  High. We must be extremely careful to not regress existing, confined 
applications in Ubuntu 14.04. We are lucky that the upstream AppArmor project 
has extensive regression tests and that the Ubuntu Security team adds even more 
testing via the AppArmor Test Plan.

  Care was taken to minimally change how the AppArmor policies are
  loaded during the boot process. I also verified that the abstractions
  shipped in apparmor and the profiles shipped in apparmor-profiles are
  the same across this SRU update.

  = dbus SRU =
  [Rationale]
  For backporting snapd to 14.04 LTS, we need to provide proper D-Bus mediation 
for snaps when running under the 16.04 hardware enablement kernel. The dbus 
package in 14.04 is missing support for blocking unrequested reply messages. 
This functionality was added to the D-Bus AppArmor mediation patches after 
14.04 was released but before the patches were merged upstream in dbus. The 
idea is to prevent a malicious snap from attacking another snap, over D-Bus, 
with unrequested reply messages and also to prevent two connections from 
subverting the snap confinement by communicating via unrequested reply messages.

  [Test Case]

  The upstream AppArmor userspace project has thorough tests for D-Bus
  mediation, including unrequested replies. Its
  tests/regression/apparmor/dbus_*.sh tests should be ran before and
  after updating to the dbus SRU. Before updating, the
  dbus_unrequested_reply.sh should fail and should pass after updating.

  To run the dbus_*.sh tests:

  $ sudo apt-get install -y bzr libdbus-1-dev
  $ bzr branch lp:apparmor # apt-get source apparmor to test the current 
apparmor
  $ cd apparmor/tests/regression/apparmor/
  $ make USE_SYSTEM=1 \
dbus_{eavesdrop,message,service,unrequested_reply} uservars.inc
  $ for t in dbus_{eavesdrop,message,service,unrequested_reply}.sh; \
do sudo VERBOSE=1 bash $t || break; done

  The exit code should be 0 and all output lines should

[Touch-packages] [Bug 1641243] Re: Provide full AppArmor confinement for snaps on 14.04

2016-11-30 Thread Tyler Hicks 
** Description changed:

  = apparmor SRU =
  [Rationale]
  For backporting snapd to 14.04 LTS, we need to provide proper AppArmor 
confinement for snaps when running under the 16.04 hardware enablement kernel. 
The apparmor userspace package in 14.04 is missing support key mediation 
features such as UNIX domain socket rules, AppArmor policy namespaces, and 
AppArmor profile stacking. UNIX domain socket mediation is needed by nearly all 
snaps. AppArmor policy namespaces and profile stacking are needed by the lxd 
snap.
  
  Unfortunately, it was not feasible to backport the individual features
  to the 14.04 apparmor package as they're quite complex and have a large
  number of dependency patches. Additionally, the AppArmor policy
  abstractions from Ubuntu 16.04 are needed to provide proper snap
  confinement. Because of these two reasons, the decision to bring 16.04's
  apparmor package to 14.04 was (very carefully) made.
  
  [Test Case]
  
    https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor
  
  This update will go through the Test Plan as well as manual testing to
  verify that snap confinement on 14.04 does work. Manual tests include
  installing snapd in 14.04 and running simple snaps such as pwgen-tyhicks
  and hello-world, as well as a much more complex snap such as lxd.
  
  The following regression tests from lp:qa-regression-testing (these
  packages ship an AppArmor profile) can be used to verify that their
  respective packages do not regress:
  
   test-apache2-mpm-event.py
   test-apache2-mpm-itk.py
   test-apache2-mpm-perchild.py
   test-apache2-mpm-prefork.py
   test-apache2-mpm-worker.py
   test-bind9.py
   test-clamav.py
   test-cups.py
   test-dhcp.py
   test-mysql.py
   test-ntp.py
   test-openldap.py
   test-rsyslog.py
   test-squid.py
   test-strongswan.py
   test-tcpdump.py
  
  I have a branch of lp:qa-regression-testing (unmerged, currently at
  https://code.launchpad.net/~tyhicks/+git/qa-regression-testing/+ref
  /apparmor-trusty-sru) that pulls in the parser and regression tests from
  the apparmor 2.8.95~2430-0ubuntu5.3 package currently shipping in
  Trusty, in addition to the tests in the 2.10.95 based package.
  
  Additionally, manually testing evince, which is confined by an AppArmor
  profile, should be done. The manual test should check basic
  functionality as well as for proper confinement (`ps auxZ` output).
  
  [Regression Potential]
  High. We must be extremely careful to not regress existing, confined 
applications in Ubuntu 14.04. We are lucky that the upstream AppArmor project 
has extensive regression tests and that the Ubuntu Security team adds even more 
testing via the AppArmor Test Plan.
  
  Care was taken to minimally change how the AppArmor policies are loaded
  during the boot process. I also verified that the abstractions shipped
  in apparmor and the profiles shipped in apparmor-profiles are the same
  across this SRU update.
  
  = dbus SRU =
  [Rationale]
  For backporting snapd to 14.04 LTS, we need to provide proper D-Bus mediation 
for snaps when running under the 16.04 hardware enablement kernel. The dbus 
package in 14.04 is missing support for blocking unrequested reply messages. 
This functionality was added to the D-Bus AppArmor mediation patches after 
14.04 was released but before the patches were merged upstream in dbus. The 
idea is to prevent a malicious snap from attacking another snap, over D-Bus, 
with unrequested reply messages and also to prevent two connections from 
subverting the snap confinement by communicating via unrequested reply messages.
  
  [Test Case]
  
  The upstream AppArmor userspace project has thorough tests for D-Bus
  mediation, including unrequested replies. Its
  tests/regression/apparmor/dbus_*.sh tests should be ran before and after
  updating to the dbus SRU. Before updating, the dbus_unrequested_reply.sh
  should fail and should pass after updating.
  
+ To run the dbus_*.sh tests:
+ 
+ $ sudo apt-get install -y bzr libdbus-1-dev
+ $ bzr branch lp:apparmor # apt-get source apparmor to test the current 
apparmor
+ $ cd apparmor/tests/regression/apparmor/
+ $ make USE_SYSTEM=1 \
+   dbus_{eavesdrop,message,service,unrequested_reply} uservars.inc
+ $ for t in dbus_{eavesdrop,message,service,unrequested_reply}.sh; \
+   do sudo VERBOSE=1 bash $t || break; done
+ 
+ The exit code should be 0 and all output lines should start with "ok:".
+ 
  In addition, the test-dbus.py tests from lp:qa-regression-testing should
  be ran to verify basic D-Bus functionality.
  
  This update will go through the Test Plan as well as manual testing to
  verify that snap confinement on 14.04 does work. Manual tests include
  installing snapd in 14.04 and running simple snaps such as pwgen-tyhicks
  and hello-world, as well as a much more complex snap such as lxd.
  
  [Regression Potential]
  Low. There's no use for unrequested D-Bus reply messages and silently 
dropping them for AppArmor confined applications

[Touch-packages] [Bug 1641243] Re: Provide full AppArmor confinement for snaps on 14.04

2016-11-30 Thread Tyler Hicks 
Moving the apparmor task back to "incomplete" while I gather info for
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1628285/comments/10.

** Description changed:

+ = apparmor SRU =
  [Rationale]
  For backporting snapd to 14.04 LTS, we need to provide proper AppArmor 
confinement for snaps when running under the 16.04 hardware enablement kernel. 
The apparmor userspace package in 14.04 is missing support key mediation 
features such as UNIX domain socket rules, AppArmor policy namespaces, and 
AppArmor profile stacking. UNIX domain socket mediation is needed by nearly all 
snaps. AppArmor policy namespaces and profile stacking are needed by the lxd 
snap.
  
  Unfortunately, it was not feasible to backport the individual features
  to the 14.04 apparmor package as they're quite complex and have a large
  number of dependency patches. Additionally, the AppArmor policy
  abstractions from Ubuntu 16.04 are needed to provide proper snap
  confinement. Because of these two reasons, the decision to bring 16.04's
  apparmor package to 14.04 was (very carefully) made.
  
  [Test Case]
  
    https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor
  
  This update will go through the Test Plan as well as manual testing to
  verify that snap confinement on 14.04 does work. Manual tests include
  installing snapd in 14.04 and running simple snaps such as pwgen-tyhicks
  and hello-world, as well as a much more complex snap such as lxd.
  
  The following regression tests from lp:qa-regression-testing (these
  packages ship an AppArmor profile) can be used to verify that their
  respective packages do not regress:
  
   test-apache2-mpm-event.py
   test-apache2-mpm-itk.py
   test-apache2-mpm-perchild.py
   test-apache2-mpm-prefork.py
   test-apache2-mpm-worker.py
   test-bind9.py
   test-clamav.py
   test-cups.py
   test-dhcp.py
   test-mysql.py
   test-ntp.py
   test-openldap.py
   test-rsyslog.py
   test-squid.py
   test-strongswan.py
   test-tcpdump.py
  
  I have a branch of lp:qa-regression-testing (unmerged, currently at
  https://code.launchpad.net/~tyhicks/+git/qa-regression-testing/+ref
  /apparmor-trusty-sru) that pulls in the parser and regression tests from
  the apparmor 2.8.95~2430-0ubuntu5.3 package currently shipping in
  Trusty, in addition to the tests in the 2.10.95 based package.
  
  Additionally, manually testing evince, which is confined by an AppArmor
  profile, should be done. The manual test should check basic
  functionality as well as for proper confinement (`ps auxZ` output).
  
  [Regression Potential]
  High. We must be extremely careful to not regress existing, confined 
applications in Ubuntu 14.04. We are lucky that the upstream AppArmor project 
has extensive regression tests and that the Ubuntu Security team adds even more 
testing via the AppArmor Test Plan.
  
  Care was taken to minimally change how the AppArmor policies are loaded
  during the boot process. I also verified that the abstractions shipped
  in apparmor and the profiles shipped in apparmor-profiles are the same
  across this SRU update.
+ 
+ = dbus SRU =
+ [Rationale]
+ For backporting snapd to 14.04 LTS, we need to provide proper D-Bus mediation 
for snaps when running under the 16.04 hardware enablement kernel. The dbus 
package in 14.04 is missing support for blocking unrequested reply messages. 
This functionality was added to the D-Bus AppArmor mediation patches after 
14.04 was released but before the patches were merged upstream in dbus. The 
idea is to prevent a malicious snap from attacking another snap, over D-Bus, 
with unrequested reply messages and also to prevent two connections from 
subverting the snap confinement by communicating via unrequested reply messages.
+ 
+ [Test Case]
+ 
+ The upstream AppArmor userspace project has thorough tests for D-Bus
+ mediation, including unrequested replies. Its
+ tests/regression/apparmor/dbus_*.sh tests should be ran before and after
+ updating to the dbus SRU. Before updating, the dbus_unrequested_reply.sh
+ should fail and should pass after updating.
+ 
+ In addition, the test-dbus.py tests from lp:qa-regression-testing should
+ be ran to verify basic D-Bus functionality.
+ 
+ This update will go through the Test Plan as well as manual testing to
+ verify that snap confinement on 14.04 does work. Manual tests include
+ installing snapd in 14.04 and running simple snaps such as pwgen-tyhicks
+ and hello-world, as well as a much more complex snap such as lxd.
+ 
+ [Regression Potential]
+ Low. There's no use for unrequested D-Bus reply messages and silently 
dropping them for AppArmor confined applications should have no unintended side 
effects. The unrequested reply protections have been present in releases after 
14.04 and have not caused any issues.

** Changed in: apparmor (Ubuntu Trusty)
   Status: In Progress => Incomplete

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed

Re: [Touch-packages] [Bug 1641243] Re: Provide full AppArmor confinement for snaps on 14.04

2016-11-29 Thread Tyler Hicks 
On 11/12/2016 12:24 PM, Steve Langasek wrote:
> Tyler, are there any packages shipping apparmor profiles in 14.04 that
> have /not/ been covered by this test plan?

There are some that are not covered. Using the output of
`reverse-depends -br trusty dh-apparmor`, the remainders are:

akonadi
digikam
fwknop
pollen
quassel
telepathy-mission-control-5
tlsdate
tor
vidalia

I feel like the extensive regression testing that is being performed
upstream, along with my QRT changes that run the new parser and kernel
through the old Trusty package's parser and regression tests are
sufficient enough that these remaining packages do not need to be
individually tested. Those test results indicate that the parser is
still putting out the same policy before and after this SRU update.

> Does the dbus task imply that there need to be any versioned
> Breaks/Depends between these two SRUs, or are the two packages
> bidirectionally compatible? (i.e. dbus is needed because the new
> functionality is not completely enabled until both are updated, but
> upgrading either one without the other does not introduce any
> regressions)

Upgrading either one without the other does not introduce any
regressions so there is no need for versioned Breaks/Depeneds between
the two. No AppArmor policy needs to be changed for the dbus SRU.



** Changed in: apparmor (Ubuntu Trusty)
   Status: Incomplete => New

** Changed in: apparmor (Ubuntu Trusty)
   Status: New => In Progress

** Changed in: dbus (Ubuntu Trusty)
   Status: Confirmed => In Progress

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1641243

Title:
  Provide full AppArmor confinement for snaps on 14.04

Status in apparmor package in Ubuntu:
  Invalid
Status in dbus package in Ubuntu:
  Invalid
Status in apparmor source package in Trusty:
  In Progress
Status in dbus source package in Trusty:
  In Progress

Bug description:
  [Rationale]
  For backporting snapd to 14.04 LTS, we need to provide proper AppArmor 
confinement for snaps when running under the 16.04 hardware enablement kernel. 
The apparmor userspace package in 14.04 is missing support key mediation 
features such as UNIX domain socket rules, AppArmor policy namespaces, and 
AppArmor profile stacking. UNIX domain socket mediation is needed by nearly all 
snaps. AppArmor policy namespaces and profile stacking are needed by the lxd 
snap.

  Unfortunately, it was not feasible to backport the individual features
  to the 14.04 apparmor package as they're quite complex and have a
  large number of dependency patches. Additionally, the AppArmor policy
  abstractions from Ubuntu 16.04 are needed to provide proper snap
  confinement. Because of these two reasons, the decision to bring
  16.04's apparmor package to 14.04 was (very carefully) made.

  [Test Case]

    https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor

  This update will go through the Test Plan as well as manual testing to
  verify that snap confinement on 14.04 does work. Manual tests include
  installing snapd in 14.04 and running simple snaps such as pwgen-
  tyhicks and hello-world, as well as a much more complex snap such as
  lxd.

  The following regression tests from lp:qa-regression-testing (these
  packages ship an AppArmor profile) can be used to verify that their
  respective packages do not regress:

   test-apache2-mpm-event.py
   test-apache2-mpm-itk.py
   test-apache2-mpm-perchild.py
   test-apache2-mpm-prefork.py
   test-apache2-mpm-worker.py
   test-bind9.py
   test-clamav.py
   test-cups.py
   test-dhcp.py
   test-mysql.py
   test-ntp.py
   test-openldap.py
   test-rsyslog.py
   test-squid.py
   test-strongswan.py
   test-tcpdump.py

  I have a branch of lp:qa-regression-testing (unmerged, currently at
  https://code.launchpad.net/~tyhicks/+git/qa-regression-testing/+ref
  /apparmor-trusty-sru) that pulls in the parser and regression tests
  from the apparmor 2.8.95~2430-0ubuntu5.3 package currently shipping in
  Trusty, in addition to the tests in the 2.10.95 based package.

  Additionally, manually testing evince, which is confined by an
  AppArmor profile, should be done. The manual test should check basic
  functionality as well as for proper confinement (`ps auxZ` output).

  [Regression Potential]
  High. We must be extremely careful to not regress existing, confined 
applications in Ubuntu 14.04. We are lucky that the upstream AppArmor project 
has extensive regression tests and that the Ubuntu Security team adds even more 
testing via the AppArmor Test Plan.

  Care was taken to minimally change how the AppArmor policies are
  loaded during the boot process. I also verified that the abstractions
  shipped in apparmor and the profiles shipped in apparmor-profiles are
  the same across this SRU update.

To manage notifications about this bug go to:

[Touch-packages] [Bug 1641243] Re: Provide full AppArmor confinement for snaps on 14.04

2016-11-29 Thread Tyler Hicks 
** Description changed:

  [Rationale]
  For backporting snapd to 14.04 LTS, we need to provide proper AppArmor 
confinement for snaps when running under the 16.04 hardware enablement kernel. 
The apparmor userspace package in 14.04 is missing support key mediation 
features such as UNIX domain socket rules, AppArmor policy namespaces, and 
AppArmor profile stacking. UNIX domain socket mediation is needed by nearly all 
snaps. AppArmor policy namespaces and profile stacking are needed by the lxd 
snap.
  
  Unfortunately, it was not feasible to backport the individual features
  to the 14.04 apparmor package as they're quite complex and have a large
  number of dependency patches. Additionally, the AppArmor policy
  abstractions from Ubuntu 16.04 are needed to provide proper snap
  confinement. Because of these two reasons, the decision to bring 16.04's
  apparmor package to 14.04 was (very carefully) made.
  
  [Test Case]
  
    https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor
  
  This update will go through the Test Plan as well as manual testing to
  verify that snap confinement on 14.04 does work. Manual tests include
  installing snapd in 14.04 and running simple snaps such as pwgen-tyhicks
  and hello-world, as well as a much more complex snap such as lxd.
  
  The following regression tests from lp:qa-regression-testing (these
  packages ship an AppArmor profile) can be used to verify that their
  respective packages do not regress:
  
   test-apache2-mpm-event.py
   test-apache2-mpm-itk.py
   test-apache2-mpm-perchild.py
   test-apache2-mpm-prefork.py
   test-apache2-mpm-worker.py
   test-bind9.py
   test-clamav.py
   test-cups.py
   test-dhcp.py
   test-mysql.py
   test-ntp.py
   test-openldap.py
   test-rsyslog.py
   test-squid.py
   test-strongswan.py
   test-tcpdump.py
  
+ I have a branch of lp:qa-regression-testing (unmerged, currently at
+ https://code.launchpad.net/~tyhicks/+git/qa-regression-testing/+ref
+ /apparmor-trusty-sru) that pulls in the parser and regression tests from
+ the apparmor 2.8.95~2430-0ubuntu5.3 package currently shipping in
+ Trusty, in addition to the tests in the 2.10.95 based package.
+ 
  Additionally, manually testing evince, which is confined by an AppArmor
  profile, should be done. The manual test should check basic
  functionality as well as for proper confinement (`ps auxZ` output).
  
  [Regression Potential]
  High. We must be extremely careful to not regress existing, confined 
applications in Ubuntu 14.04. We are lucky that the upstream AppArmor project 
has extensive regression tests and that the Ubuntu Security team adds even more 
testing via the AppArmor Test Plan.
  
  Care was taken to minimally change how the AppArmor policies are loaded
  during the boot process. I also verified that the abstractions shipped
  in apparmor and the profiles shipped in apparmor-profiles are the same
  across this SRU update.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1641243

Title:
  Provide full AppArmor confinement for snaps on 14.04

Status in apparmor package in Ubuntu:
  Invalid
Status in dbus package in Ubuntu:
  Invalid
Status in apparmor source package in Trusty:
  Incomplete
Status in dbus source package in Trusty:
  Confirmed

Bug description:
  [Rationale]
  For backporting snapd to 14.04 LTS, we need to provide proper AppArmor 
confinement for snaps when running under the 16.04 hardware enablement kernel. 
The apparmor userspace package in 14.04 is missing support key mediation 
features such as UNIX domain socket rules, AppArmor policy namespaces, and 
AppArmor profile stacking. UNIX domain socket mediation is needed by nearly all 
snaps. AppArmor policy namespaces and profile stacking are needed by the lxd 
snap.

  Unfortunately, it was not feasible to backport the individual features
  to the 14.04 apparmor package as they're quite complex and have a
  large number of dependency patches. Additionally, the AppArmor policy
  abstractions from Ubuntu 16.04 are needed to provide proper snap
  confinement. Because of these two reasons, the decision to bring
  16.04's apparmor package to 14.04 was (very carefully) made.

  [Test Case]

    https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor

  This update will go through the Test Plan as well as manual testing to
  verify that snap confinement on 14.04 does work. Manual tests include
  installing snapd in 14.04 and running simple snaps such as pwgen-
  tyhicks and hello-world, as well as a much more complex snap such as
  lxd.

  The following regression tests from lp:qa-regression-testing (these
  packages ship an AppArmor profile) can be used to verify that their
  respective packages do not regress:

   test-apache2-mpm-event.py
   test-apache2-mpm-itk.py
   test-apache2-mpm-perchild.py
   test-apache2-mpm-prefork.py
   test-apache2-mpm-worker.py
   

[Touch-packages] [Bug 1641243] Re: Provide full AppArmor confinement for snaps on 14.04

2016-11-29 Thread Tyler Hicks 
** Description changed:

  [Rationale]
  For backporting snapd to 14.04 LTS, we need to provide proper AppArmor 
confinement for snaps when running under the 16.04 hardware enablement kernel. 
The apparmor userspace package in 14.04 is missing support key mediation 
features such as UNIX domain socket rules, AppArmor policy namespaces, and 
AppArmor profile stacking. UNIX domain socket mediation is needed by nearly all 
snaps. AppArmor policy namespaces and profile stacking are needed by the lxd 
snap.
  
  Unfortunately, it was not feasible to backport the individual features
  to the 14.04 apparmor package as they're quite complex and have a large
  number of dependency patches. Additionally, the AppArmor policy
  abstractions from Ubuntu 16.04 are needed to provide proper snap
  confinement. Because of these two reasons, the decision to bring 16.04's
  apparmor package to 14.04 was (very carefully) made.
  
  [Test Case]
  
    https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor
  
  This update will go through the Test Plan as well as manual testing to
  verify that snap confinement on 14.04 does work. Manual tests include
  installing snapd in 14.04 and running simple snaps such as pwgen-tyhicks
  and hello-world, as well as a much more complex snap such as lxd.
  
  The following regression tests from lp:qa-regression-testing (these
  packages ship an AppArmor profile) can be used to verify that their
  respective packages do not regress:
  
   test-apache2-mpm-event.py
   test-apache2-mpm-itk.py
   test-apache2-mpm-perchild.py
   test-apache2-mpm-prefork.py
   test-apache2-mpm-worker.py
   test-bind9.py
   test-clamav.py
   test-cups.py
   test-dhcp.py
   test-mysql.py
   test-ntp.py
   test-openldap.py
   test-rsyslog.py
   test-squid.py
-  test-strongswan.py
+  test-strongswan.py
   test-tcpdump.py
  
  Additionally, manually testing evince, which is confined by an AppArmor
- profile, should be done.
+ profile, should be done. The manual test should check basic
+ functionality as well as for proper confinement (`ps auxZ` output).
  
  [Regression Potential]
  High. We must be extremely careful to not regress existing, confined 
applications in Ubuntu 14.04. We are lucky that the upstream AppArmor project 
has extensive regression tests and that the Ubuntu Security team adds even more 
testing via the AppArmor Test Plan.
  
  Care was taken to minimally change how the AppArmor policies are loaded
  during the boot process. I also verified that the abstractions shipped
  in apparmor and the profiles shipped in apparmor-profiles are the same
  across this SRU update.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1641243

Title:
  Provide full AppArmor confinement for snaps on 14.04

Status in apparmor package in Ubuntu:
  Invalid
Status in dbus package in Ubuntu:
  Invalid
Status in apparmor source package in Trusty:
  Incomplete
Status in dbus source package in Trusty:
  Confirmed

Bug description:
  [Rationale]
  For backporting snapd to 14.04 LTS, we need to provide proper AppArmor 
confinement for snaps when running under the 16.04 hardware enablement kernel. 
The apparmor userspace package in 14.04 is missing support key mediation 
features such as UNIX domain socket rules, AppArmor policy namespaces, and 
AppArmor profile stacking. UNIX domain socket mediation is needed by nearly all 
snaps. AppArmor policy namespaces and profile stacking are needed by the lxd 
snap.

  Unfortunately, it was not feasible to backport the individual features
  to the 14.04 apparmor package as they're quite complex and have a
  large number of dependency patches. Additionally, the AppArmor policy
  abstractions from Ubuntu 16.04 are needed to provide proper snap
  confinement. Because of these two reasons, the decision to bring
  16.04's apparmor package to 14.04 was (very carefully) made.

  [Test Case]

    https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor

  This update will go through the Test Plan as well as manual testing to
  verify that snap confinement on 14.04 does work. Manual tests include
  installing snapd in 14.04 and running simple snaps such as pwgen-
  tyhicks and hello-world, as well as a much more complex snap such as
  lxd.

  The following regression tests from lp:qa-regression-testing (these
  packages ship an AppArmor profile) can be used to verify that their
  respective packages do not regress:

   test-apache2-mpm-event.py
   test-apache2-mpm-itk.py
   test-apache2-mpm-perchild.py
   test-apache2-mpm-prefork.py
   test-apache2-mpm-worker.py
   test-bind9.py
   test-clamav.py
   test-cups.py
   test-dhcp.py
   test-mysql.py
   test-ntp.py
   test-openldap.py
   test-rsyslog.py
   test-squid.py
   test-strongswan.py
   test-tcpdump.py

  Additionally, manually testing evince, which is confined by an
  AppArmor profile, should be done. The manual test

[Touch-packages] [Bug 1641243] Re: Provide full AppArmor confinement for snaps on 14.04

2016-11-29 Thread Tyler Hicks 
** Description changed:

  [Rationale]
  For backporting snapd to 14.04 LTS, we need to provide proper AppArmor 
confinement for snaps when running under the 16.04 hardware enablement kernel. 
The apparmor userspace package in 14.04 is missing support key mediation 
features such as UNIX domain socket rules, AppArmor policy namespaces, and 
AppArmor profile stacking. UNIX domain socket mediation is needed by nearly all 
snaps. AppArmor policy namespaces and profile stacking are needed by the lxd 
snap.
  
  Unfortunately, it was not feasible to backport the individual features
  to the 14.04 apparmor package as they're quite complex and have a large
  number of dependency patches. Additionally, the AppArmor policy
  abstractions from Ubuntu 16.04 are needed to provide proper snap
  confinement. Because of these two reasons, the decision to bring 16.04's
  apparmor package to 14.04 was (very carefully) made.
  
  [Test Case]
  
    https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor
  
  This update will go through the Test Plan as well as manual testing to
  verify that snap confinement on 14.04 does work. Manual tests include
  installing snapd in 14.04 and running simple snaps such as pwgen-tyhicks
  and hello-world, as well as a much more complex snap such as lxd.
  
  The following regression tests from lp:qa-regression-testing (these
  packages ship an AppArmor profile) can be used to verify that their
  respective packages do not regress:
  
-  test-apache2-mpm-event.py
-  test-apache2-mpm-itk.py
-  test-apache2-mpm-perchild.py
-  test-apache2-mpm-prefork.py
-  test-apache2-mpm-worker.py
-  test-bind9.py
-  test-clamav.py
-  test-cups.py
-  test-dhcp.py
-  test-mysql.py
-  test-ntp.py
-  test-openldap.py
-  test-rsyslog.py
-  test-squid.py
-  test-tcpdump.py
+  test-apache2-mpm-event.py
+  test-apache2-mpm-itk.py
+  test-apache2-mpm-perchild.py
+  test-apache2-mpm-prefork.py
+  test-apache2-mpm-worker.py
+  test-bind9.py
+  test-clamav.py
+  test-cups.py
+  test-dhcp.py
+  test-mysql.py
+  test-ntp.py
+  test-openldap.py
+  test-rsyslog.py
+  test-squid.py
+  test-strongswan.py
+  test-tcpdump.py
  
  Additionally, manually testing evince, which is confined by an AppArmor
  profile, should be done.
  
  [Regression Potential]
  High. We must be extremely careful to not regress existing, confined 
applications in Ubuntu 14.04. We are lucky that the upstream AppArmor project 
has extensive regression tests and that the Ubuntu Security team adds even more 
testing via the AppArmor Test Plan.
  
  Care was taken to minimally change how the AppArmor policies are loaded
  during the boot process. I also verified that the abstractions shipped
  in apparmor and the profiles shipped in apparmor-profiles are the same
  across this SRU update.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1641243

Title:
  Provide full AppArmor confinement for snaps on 14.04

Status in apparmor package in Ubuntu:
  Invalid
Status in dbus package in Ubuntu:
  Invalid
Status in apparmor source package in Trusty:
  Incomplete
Status in dbus source package in Trusty:
  Confirmed

Bug description:
  [Rationale]
  For backporting snapd to 14.04 LTS, we need to provide proper AppArmor 
confinement for snaps when running under the 16.04 hardware enablement kernel. 
The apparmor userspace package in 14.04 is missing support key mediation 
features such as UNIX domain socket rules, AppArmor policy namespaces, and 
AppArmor profile stacking. UNIX domain socket mediation is needed by nearly all 
snaps. AppArmor policy namespaces and profile stacking are needed by the lxd 
snap.

  Unfortunately, it was not feasible to backport the individual features
  to the 14.04 apparmor package as they're quite complex and have a
  large number of dependency patches. Additionally, the AppArmor policy
  abstractions from Ubuntu 16.04 are needed to provide proper snap
  confinement. Because of these two reasons, the decision to bring
  16.04's apparmor package to 14.04 was (very carefully) made.

  [Test Case]

    https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor

  This update will go through the Test Plan as well as manual testing to
  verify that snap confinement on 14.04 does work. Manual tests include
  installing snapd in 14.04 and running simple snaps such as pwgen-
  tyhicks and hello-world, as well as a much more complex snap such as
  lxd.

  The following regression tests from lp:qa-regression-testing (these
  packages ship an AppArmor profile) can be used to verify that their
  respective packages do not regress:

   test-apache2-mpm-event.py
   test-apache2-mpm-itk.py
   test-apache2-mpm-perchild.py
   test-apache2-mpm-prefork.py
   test-apache2-mpm-worker.py
   test-bind9.py
   test-clamav.py
   test-cups.py
   test-dhcp.py
   test-mysql.py
   test-ntp.py
   test-openldap.py
   test-rsyslog.py
   

[Touch-packages] [Bug 1641243] Re: Provide full AppArmor confinement for snaps on 14.04

2016-11-29 Thread Tyler Hicks 
** Description changed:

  [Rationale]
  For backporting snapd to 14.04 LTS, we need to provide proper AppArmor 
confinement for snaps when running under the 16.04 hardware enablement kernel. 
The apparmor userspace package in 14.04 is missing support key mediation 
features such as UNIX domain socket rules, AppArmor policy namespaces, and 
AppArmor profile stacking. UNIX domain socket mediation is needed by nearly all 
snaps. AppArmor policy namespaces and profile stacking are needed by the lxd 
snap.
  
  Unfortunately, it was not feasible to backport the individual features
  to the 14.04 apparmor package as they're quite complex and have a large
  number of dependency patches. Additionally, the AppArmor policy
  abstractions from Ubuntu 16.04 are needed to provide proper snap
  confinement. Because of these two reasons, the decision to bring 16.04's
  apparmor package to 14.04 was (very carefully) made.
  
  [Test Case]
  
-   https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor
+   https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor
  
  This update will go through the Test Plan as well as manual testing to
  verify that snap confinement on 14.04 does work. Manual tests include
  installing snapd in 14.04 and running simple snaps such as pwgen-tyhicks
  and hello-world, as well as a much more complex snap such as lxd.
  
- [Regression Potential]
- High. We must be extremely careful to not regress existing, confined 
applications in Ubuntu 14.04. We are lucky that the upstream AppArmor project 
has extensive regression tests and that the Ubuntu Security team adds even more 
testing via the AppArmor Test Plan.
- 
- Care was taken to minimally change how the AppArmor policies are loaded
- during the boot process. I also verified that the abstractions shipped
- in apparmor and the profiles shipped in apparmor-profiles are the same
- across this SRU update. Additionally, I've ran the following regression
- tests from lp:qa-regression-testing (these packages ship an AppArmor
- profile):
+ The following regression tests from lp:qa-regression-testing (these
+ packages ship an AppArmor profile) can be used to verify that their
+ respective packages do not regress:
  
   test-apache2-mpm-event.py
   test-apache2-mpm-itk.py
   test-apache2-mpm-perchild.py
   test-apache2-mpm-prefork.py
   test-apache2-mpm-worker.py
   test-bind9.py
   test-clamav.py
   test-cups.py
   test-dhcp.py
   test-mysql.py
   test-ntp.py
   test-openldap.py
   test-rsyslog.py
   test-squid.py
   test-tcpdump.py
+ 
+ Additionally, manually testing evince, which is confined by an AppArmor
+ profile, should be done.
+ 
+ [Regression Potential]
+ High. We must be extremely careful to not regress existing, confined 
applications in Ubuntu 14.04. We are lucky that the upstream AppArmor project 
has extensive regression tests and that the Ubuntu Security team adds even more 
testing via the AppArmor Test Plan.
+ 
+ Care was taken to minimally change how the AppArmor policies are loaded
+ during the boot process. I also verified that the abstractions shipped
+ in apparmor and the profiles shipped in apparmor-profiles are the same
+ across this SRU update.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1641243

Title:
  Provide full AppArmor confinement for snaps on 14.04

Status in apparmor package in Ubuntu:
  Invalid
Status in dbus package in Ubuntu:
  Invalid
Status in apparmor source package in Trusty:
  Incomplete
Status in dbus source package in Trusty:
  Confirmed

Bug description:
  [Rationale]
  For backporting snapd to 14.04 LTS, we need to provide proper AppArmor 
confinement for snaps when running under the 16.04 hardware enablement kernel. 
The apparmor userspace package in 14.04 is missing support key mediation 
features such as UNIX domain socket rules, AppArmor policy namespaces, and 
AppArmor profile stacking. UNIX domain socket mediation is needed by nearly all 
snaps. AppArmor policy namespaces and profile stacking are needed by the lxd 
snap.

  Unfortunately, it was not feasible to backport the individual features
  to the 14.04 apparmor package as they're quite complex and have a
  large number of dependency patches. Additionally, the AppArmor policy
  abstractions from Ubuntu 16.04 are needed to provide proper snap
  confinement. Because of these two reasons, the decision to bring
  16.04's apparmor package to 14.04 was (very carefully) made.

  [Test Case]

    https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor

  This update will go through the Test Plan as well as manual testing to
  verify that snap confinement on 14.04 does work. Manual tests include
  installing snapd in 14.04 and running simple snaps such as pwgen-
  tyhicks and hello-world, as well as a much more complex snap such as
  lxd.

  The following regression tests from lp:qa-regression-testing (these
  packages

[Touch-packages] [Bug 1641243] Re: Provide full AppArmor confinement for snaps on 14.04

2016-11-12 Thread Steve Langasek 
Tyler, are there any packages shipping apparmor profiles in 14.04 that
have /not/ been covered by this test plan?

Does the dbus task imply that there need to be any versioned
Breaks/Depends between these two SRUs, or are the two packages
bidirectionally compatible? (i.e. dbus is needed because the new
functionality is not completely enabled until both are updated, but
upgrading either one without the other does not introduce any
regressions)

** Changed in: apparmor (Ubuntu Trusty)
   Status: In Progress => Incomplete

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1641243

Title:
  Provide full AppArmor confinement for snaps on 14.04

Status in apparmor package in Ubuntu:
  Invalid
Status in dbus package in Ubuntu:
  Invalid
Status in apparmor source package in Trusty:
  Incomplete
Status in dbus source package in Trusty:
  Confirmed

Bug description:
  [Rationale]
  For backporting snapd to 14.04 LTS, we need to provide proper AppArmor 
confinement for snaps when running under the 16.04 hardware enablement kernel. 
The apparmor userspace package in 14.04 is missing support key mediation 
features such as UNIX domain socket rules, AppArmor policy namespaces, and 
AppArmor profile stacking. UNIX domain socket mediation is needed by nearly all 
snaps. AppArmor policy namespaces and profile stacking are needed by the lxd 
snap.

  Unfortunately, it was not feasible to backport the individual features
  to the 14.04 apparmor package as they're quite complex and have a
  large number of dependency patches. Additionally, the AppArmor policy
  abstractions from Ubuntu 16.04 are needed to provide proper snap
  confinement. Because of these two reasons, the decision to bring
  16.04's apparmor package to 14.04 was (very carefully) made.

  [Test Case]

https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor

  This update will go through the Test Plan as well as manual testing to
  verify that snap confinement on 14.04 does work. Manual tests include
  installing snapd in 14.04 and running simple snaps such as pwgen-
  tyhicks and hello-world, as well as a much more complex snap such as
  lxd.

  [Regression Potential]
  High. We must be extremely careful to not regress existing, confined 
applications in Ubuntu 14.04. We are lucky that the upstream AppArmor project 
has extensive regression tests and that the Ubuntu Security team adds even more 
testing via the AppArmor Test Plan.

  Care was taken to minimally change how the AppArmor policies are
  loaded during the boot process. I also verified that the abstractions
  shipped in apparmor and the profiles shipped in apparmor-profiles are
  the same across this SRU update. Additionally, I've ran the following
  regression tests from lp:qa-regression-testing (these packages ship an
  AppArmor profile):

   test-apache2-mpm-event.py
   test-apache2-mpm-itk.py
   test-apache2-mpm-perchild.py
   test-apache2-mpm-prefork.py
   test-apache2-mpm-worker.py
   test-bind9.py
   test-clamav.py
   test-cups.py
   test-dhcp.py
   test-mysql.py
   test-ntp.py
   test-openldap.py
   test-rsyslog.py
   test-squid.py
   test-tcpdump.py

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1641243/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp

[Touch-packages] [Bug 1641243] Re: Provide full AppArmor confinement for snaps on 14.04

2016-11-11 Thread Tyler Hicks 
Adding a dbus task because its AppArmor mediation patches need to be
updated to provide unrequested reply protection to prevent two D-Bus
connections from bypassing security policies by communicating via reply
and/or error D-Bus messages.

** Also affects: dbus (Ubuntu)
   Importance: Undecided
   Status: New

** Changed in: dbus (Ubuntu)
   Status: New => Invalid

** Changed in: dbus (Ubuntu Trusty)
   Status: New => Confirmed

** Changed in: dbus (Ubuntu Trusty)
   Importance: Undecided => High

** Changed in: dbus (Ubuntu Trusty)
   Importance: High => Medium

** Changed in: dbus (Ubuntu Trusty)
 Assignee: (unassigned) => Tyler Hicks (tyhicks)

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1641243

Title:
  Provide full AppArmor confinement for snaps on 14.04

Status in apparmor package in Ubuntu:
  Invalid
Status in dbus package in Ubuntu:
  Invalid
Status in apparmor source package in Trusty:
  In Progress
Status in dbus source package in Trusty:
  Confirmed

Bug description:
  [Rationale]
  For backporting snapd to 14.04 LTS, we need to provide proper AppArmor 
confinement for snaps when running under the 16.04 hardware enablement kernel. 
The apparmor userspace package in 14.04 is missing support key mediation 
features such as UNIX domain socket rules, AppArmor policy namespaces, and 
AppArmor profile stacking. UNIX domain socket mediation is needed by nearly all 
snaps. AppArmor policy namespaces and profile stacking are needed by the lxd 
snap.

  Unfortunately, it was not feasible to backport the individual features
  to the 14.04 apparmor package as they're quite complex and have a
  large number of dependency patches. Additionally, the AppArmor policy
  abstractions from Ubuntu 16.04 are needed to provide proper snap
  confinement. Because of these two reasons, the decision to bring
  16.04's apparmor package to 14.04 was (very carefully) made.

  [Test Case]

https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor

  This update will go through the Test Plan as well as manual testing to
  verify that snap confinement on 14.04 does work. Manual tests include
  installing snapd in 14.04 and running simple snaps such as pwgen-
  tyhicks and hello-world, as well as a much more complex snap such as
  lxd.

  [Regression Potential]
  High. We must be extremely careful to not regress existing, confined 
applications in Ubuntu 14.04. We are lucky that the upstream AppArmor project 
has extensive regression tests and that the Ubuntu Security team adds even more 
testing via the AppArmor Test Plan.

  Care was taken to minimally change how the AppArmor policies are
  loaded during the boot process. I also verified that the abstractions
  shipped in apparmor and the profiles shipped in apparmor-profiles are
  the same across this SRU update. Additionally, I've ran the following
  regression tests from lp:qa-regression-testing (these packages ship an
  AppArmor profile):

   test-apache2-mpm-event.py
   test-apache2-mpm-itk.py
   test-apache2-mpm-perchild.py
   test-apache2-mpm-prefork.py
   test-apache2-mpm-worker.py
   test-bind9.py
   test-clamav.py
   test-cups.py
   test-dhcp.py
   test-mysql.py
   test-ntp.py
   test-openldap.py
   test-rsyslog.py
   test-squid.py
   test-tcpdump.py

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1641243/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp

[Touch-packages] [Bug 1641243] Re: Provide full AppArmor confinement for snaps on 14.04

2016-11-11 Thread Tyler Hicks 
** Description changed:

  [Rationale]
  For backporting snapd to 14.04 LTS, we need to provide proper AppArmor 
confinement for snaps when running under the 16.04 hardware enablement kernel. 
The apparmor userspace package in 14.04 is missing support key mediation 
features such as UNIX domain socket rules, AppArmor policy namespaces, and 
AppArmor profile stacking. UNIX domain socket mediation is needed by nearly all 
snaps. AppArmor policy namespaces and profile stacking are needed by the lxd 
snap.
+ 
+ Unfortunately, it was not feasible to backport the individual features
+ to the 14.04 apparmor package as they're quite complex and have a large
+ number of dependency patches. Additionally, the AppArmor policy
+ abstractions from Ubuntu 16.04 are needed to provide proper snap
+ confinement. Because of these two reasons, the decision to bring 16.04's
+ apparmor package to 14.04 was (very carefully) made.
+ 
+ [Test Case]
+ 
+   https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor
+ 
+ This update will go through the Test Plan as well as manual testing to
+ verify that snap confinement on 14.04 does work. Manual tests include
+ installing snapd in 14.04 and running simple snaps such as pwgen-tyhicks
+ and hello-world, as well as a much more complex snap such as lxd.
+ 
+ [Regression Potential]
+ High. We must be extremely careful to not regress existing, confined 
applications in Ubuntu 14.04. We are lucky that the upstream AppArmor project 
has extensive regression tests and that the Ubuntu Security team adds even more 
testing via the AppArmor Test Plan.
+ 
+ Care was taken to minimally change how the AppArmor policies are loaded
+ during the boot process. I also verified that the abstractions shipped
+ in apparmor and the profiles shipped in apparmor-profiles are the same
+ across this SRU update. Additionally, I've ran the following regression
+ tests from lp:qa-regression-testing (these packages ship an AppArmor
+ profile):
+ 
+  test-apache2-mpm-event.py
+  test-apache2-mpm-itk.py
+  test-apache2-mpm-perchild.py
+  test-apache2-mpm-prefork.py
+  test-apache2-mpm-worker.py
+  test-bind9.py
+  test-clamav.py
+  test-cups.py
+  test-dhcp.py
+  test-mysql.py
+  test-ntp.py
+  test-openldap.py
+  test-rsyslog.py
+  test-squid.py
+  test-tcpdump.py

** Also affects: apparmor (Ubuntu Trusty)
   Importance: Undecided
   Status: New

** Changed in: apparmor (Ubuntu)
   Status: In Progress => Invalid

** Changed in: apparmor (Ubuntu Trusty)
   Status: New => In Progress

** Changed in: apparmor (Ubuntu Trusty)
   Importance: Undecided => High

** Changed in: apparmor (Ubuntu)
   Importance: High => Undecided

** Changed in: apparmor (Ubuntu)
 Assignee: Tyler Hicks (tyhicks) => (unassigned)

** Changed in: apparmor (Ubuntu Trusty)
 Assignee: (unassigned) => Tyler Hicks (tyhicks)

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1641243

Title:
  Provide full AppArmor confinement for snaps on 14.04

Status in apparmor package in Ubuntu:
  Invalid
Status in apparmor source package in Trusty:
  In Progress

Bug description:
  [Rationale]
  For backporting snapd to 14.04 LTS, we need to provide proper AppArmor 
confinement for snaps when running under the 16.04 hardware enablement kernel. 
The apparmor userspace package in 14.04 is missing support key mediation 
features such as UNIX domain socket rules, AppArmor policy namespaces, and 
AppArmor profile stacking. UNIX domain socket mediation is needed by nearly all 
snaps. AppArmor policy namespaces and profile stacking are needed by the lxd 
snap.

  Unfortunately, it was not feasible to backport the individual features
  to the 14.04 apparmor package as they're quite complex and have a
  large number of dependency patches. Additionally, the AppArmor policy
  abstractions from Ubuntu 16.04 are needed to provide proper snap
  confinement. Because of these two reasons, the decision to bring
  16.04's apparmor package to 14.04 was (very carefully) made.

  [Test Case]

https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor

  This update will go through the Test Plan as well as manual testing to
  verify that snap confinement on 14.04 does work. Manual tests include
  installing snapd in 14.04 and running simple snaps such as pwgen-
  tyhicks and hello-world, as well as a much more complex snap such as
  lxd.

  [Regression Potential]
  High. We must be extremely careful to not regress existing, confined 
applications in Ubuntu 14.04. We are lucky that the upstream AppArmor project 
has extensive regression tests and that the Ubuntu Security team adds even more 
testing via the AppArmor Test Plan.

  Care was taken to minimally change how the AppArmor policies are
  loaded during the boot process. I also verified that the abstractions
  shipped in apparmor and the profiles shipped in apparmor-profiles are
  the