[Touch-packages] [Bug 796588] Re: Fine-grained network mediation
** Tags added: cscc

-- 
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/796588

Title:
  Fine-grained network mediation

Status in AppArmor:
  In Progress
Status in apparmor package in Ubuntu:
  Triaged
Status in linux package in Ubuntu:
  Triaged

Bug description:
  Binary package hint: apparmor

  This is a wishlist item / feature request.

  Increase the granularity of network restrictions to allow specification of which ports or ranges of ports can or can't be used by an application.

  This functionality is available in systrace if either the example or code would be of help:
  http://en.wikipedia.org/wiki/Systrace
  http://www.systrace.org/

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/796588/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 796588] Re: Fine-grained network mediation
In 4.20 we landed some of the infrastructure to support this. Specifically, secmark support was landed, which provides the infrastructure needed for apparmor labels to interact with iptables and for iptables to interact with apparmor. This isn't something generally available for use yet, as it is infrastructure work necessary for full fine-grained network mediation.
[Touch-packages] [Bug 796588] Re: Fine-grained network mediation
** Tags added: kernel-key
Re: [Touch-packages] [Bug 796588] Re: Fine-grained network mediation
Fine-grained network security for snaps is going to be fantastic, but it's also a rich area, and when networking policy stuff is done simplistically it becomes awkward more than useful. I'd suggest that we start now working up detailed design on the topic, so that when we are ready to start implementing we have confidence that the policy language is appropriate.

I'm happy to participate in a discussion on this in Salt Lake City at the next roadmap review, would suggest the security team representatives bring a Discourse draft that's had some review by the snapd team for discussion.

Mark
[Touch-packages] [Bug 796588] Re: Fine-grained network mediation
No disagreement that this is a high priority item. There is some work around fine grained mediation happening but I am unsure when it will land. The problem is that this is not the only high priority item that needs to be addressed. Changing priority of these items can certainly be discussed again.
[Touch-packages] [Bug 796588] Re: Fine-grained network mediation
More to the point, implementing this would give snaps the ability to add fine-grained network permissions for plugs, and this would suddenly make snaps a very attractive alternative to Docker images for server apps. I think this should be considered for priority.
[Touch-packages] [Bug 796588] Re: Fine-grained network mediation
I suppose it's time for the bi-annual nudge on this.
[Touch-packages] [Bug 796588] Re: Fine-grained network mediation
FYI, this is a requirement for snapd, but it was deprioritized in favor of namespace stacking in support of LXD, upstreaming and other work in support of snappy (e.g., gsettings mediation). A lot of work was done to support this, but the soonest it would be delivered given current priorities is 17.04. Note, I'm only giving the current status, not setting the priority for this, but this feature is very high on the list and in the queue.
[Touch-packages] [Bug 796588] Re: Fine-grained network mediation
** Changed in: apparmor
       Status: Confirmed => In Progress
[Touch-packages] [Bug 796588] Re: Fine-grained network mediation
** Also affects: linux (Ubuntu)
   Importance: Undecided
       Status: New

** Changed in: linux (Ubuntu)
       Status: New => Triaged

** Changed in: apparmor (Ubuntu)
       Status: Confirmed => Triaged

** Changed in: linux (Ubuntu)
   Importance: Undecided => High

** Tags added: aa-kernel
[Touch-packages] [Bug 796588] Re: Fine-grained network mediation
** Also affects: apparmor
   Importance: Undecided
       Status: New

** Changed in: apparmor (Ubuntu)
       Status: Triaged => Confirmed

** Changed in: apparmor
   Importance: Undecided => High

** Changed in: apparmor
       Status: New => In Progress
[Touch-packages] [Bug 796588] Re: Fine-grained network mediation
** Summary changed:

- Limit inet and inet6 access by source or destination port
+ Fine-grained network mediation
[Touch-packages] [Bug 796588] Re: Fine-grained network mediation
** Changed in: apparmor (Ubuntu)
   Importance: Medium => High