** Description changed:

  [Rationale]
  
  For backporting snapd to 14.04 LTS, we need to provide proper AppArmor confinement for snaps when running under the 16.04 hardware enablement kernel. The apparmor userspace package in 14.04 is missing support for key mediation features such as UNIX domain socket rules, AppArmor policy namespaces, and AppArmor profile stacking. UNIX domain socket mediation is needed by nearly all snaps. AppArmor policy namespaces and profile stacking are needed by the lxd snap.
+
+ Unfortunately, it was not feasible to backport the individual features to the 14.04 apparmor package as they're quite complex and have a large number of dependency patches. Additionally, the AppArmor policy abstractions from Ubuntu 16.04 are needed to provide proper snap confinement. Because of these two reasons, the decision to bring 16.04's apparmor package to 14.04 was (very carefully) made.
+
+ [Test Case]
+
+ https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor
+
+ This update will go through the Test Plan as well as manual testing to verify that snap confinement on 14.04 does work. Manual tests include installing snapd in 14.04 and running simple snaps such as pwgen-tyhicks and hello-world, as well as a much more complex snap such as lxd.
+
+ [Regression Potential]
+
+ High. We must be extremely careful to not regress existing, confined applications in Ubuntu 14.04. We are lucky that the upstream AppArmor project has extensive regression tests and that the Ubuntu Security team adds even more testing via the AppArmor Test Plan.
+
+ Care was taken to minimally change how the AppArmor policies are loaded during the boot process. I also verified that the abstractions shipped in apparmor and the profiles shipped in apparmor-profiles are the same across this SRU update. Additionally, I've run the following regression tests from lp:qa-regression-testing (these packages ship an AppArmor profile):
+
+ test-apache2-mpm-event.py
+ test-apache2-mpm-itk.py
+ test-apache2-mpm-perchild.py
+ test-apache2-mpm-prefork.py
+ test-apache2-mpm-worker.py
+ test-bind9.py
+ test-clamav.py
+ test-cups.py
+ test-dhcp.py
+ test-mysql.py
+ test-ntp.py
+ test-openldap.py
+ test-rsyslog.py
+ test-squid.py
+ test-tcpdump.py
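The three mediation features the description names are only enforced if the running kernel advertises them, so a useful pre-check before relying on the backported userspace is to look for them in the kernel's AppArmor feature directory. This is an added shell example, not part of the bug report or the apparmor package; it assumes the `/sys/kernel/security/apparmor/features` layout (`network/af_unix`, `namespaces/profile`, `domain/stack`) and lets `FEATURES_DIR` override that path so the check can be exercised against a constructed directory.

```shell
#!/bin/sh
# Added example, not from the bug report. Reports whether the running kernel
# exposes the AppArmor mediation features snaps on 14.04 depend on.
# The sysfs layout below is assumed; FEATURES_DIR overrides the location so
# the check can be run against a constructed directory.

aa_features_dir() {
    printf '%s\n' "${FEATURES_DIR:-/sys/kernel/security/apparmor/features}"
}

# Prints one "<feature>: present|missing" line per required feature and
# returns the number of missing features (0 means the kernel has them all).
aa_check_snap_features() {
    dir=$(aa_features_dir)
    missing=0
    # network/af_unix    - UNIX domain socket mediation (nearly all snaps)
    # namespaces/profile - AppArmor policy namespaces (lxd snap)
    # domain/stack       - AppArmor profile stacking (lxd snap)
    for feature in network/af_unix namespaces/profile domain/stack; do
        if [ -e "$dir/$feature" ]; then
            printf '%s: present\n' "$feature"
        else
            printf '%s: missing\n' "$feature"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# When run directly, report the kernel's support; set AA_SKIP_MAIN=1 to
# only source the functions.
if [ -z "$AA_SKIP_MAIN" ]; then
    aa_check_snap_features \
        || printf 'kernel lacks %s required feature(s); snap confinement would be incomplete\n' "$?"
fi
```

A missing feature does not make policy loading fail: apparmor_parser compiles only the rule classes the kernel reports, so confinement silently degrades rather than erroring out, which is why the check is worth running explicitly.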
** Also affects: apparmor (Ubuntu Trusty)
   Importance: Undecided
       Status: New

** Changed in: apparmor (Ubuntu)
       Status: In Progress => Invalid

** Changed in: apparmor (Ubuntu Trusty)
       Status: New => In Progress

** Changed in: apparmor (Ubuntu Trusty)
   Importance: Undecided => High

** Changed in: apparmor (Ubuntu)
   Importance: High => Undecided

** Changed in: apparmor (Ubuntu)
     Assignee: Tyler Hicks (tyhicks) => (unassigned)

** Changed in: apparmor (Ubuntu Trusty)
     Assignee: (unassigned) => Tyler Hicks (tyhicks)

-- 
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1641243

Title:
  Provide full AppArmor confinement for snaps on 14.04

Status in apparmor package in Ubuntu:
  Invalid
Status in apparmor source package in Trusty:
  In Progress