On 11/12/2016 12:24 PM, Steve Langasek wrote:
> Tyler, are there any packages shipping apparmor profiles in 14.04 that
> have /not/ been covered by this test plan?

There are some that are not covered. Using the output of
`reverse-depends -br trusty dh-apparmor`, the remainders are:

akonadi
digikam
fwknop
pollen
quassel
telepathy-mission-control-5
tlsdate
tor
vidalia

I feel like the extensive regression testing that is being performed
upstream, along with my QRT changes that run the new parser and kernel
through the old Trusty package's parser and regression tests are
sufficient enough that these remaining packages do not need to be
individually tested. Those test results indicate that the parser is
still putting out the same policy before and after this SRU update.

> Does the dbus task imply that there need to be any versioned
> Breaks/Depends between these two SRUs, or are the two packages
> bidirectionally compatible? (i.e. dbus is needed because the new
> functionality is not completely enabled until both are updated, but
> upgrading either one without the other does not introduce any
> regressions)

Upgrading either one without the other does not introduce any
regressions so there is no need for versioned Breaks/Depends between
the two. No AppArmor policy needs to be changed for the dbus SRU.



** Changed in: apparmor (Ubuntu Trusty)
       Status: Incomplete => New

** Changed in: apparmor (Ubuntu Trusty)
       Status: New => In Progress

** Changed in: dbus (Ubuntu Trusty)
       Status: Confirmed => In Progress

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1641243

Title:
  Provide full AppArmor confinement for snaps on 14.04

Status in apparmor package in Ubuntu:
  Invalid
Status in dbus package in Ubuntu:
  Invalid
Status in apparmor source package in Trusty:
  In Progress
Status in dbus source package in Trusty:
  In Progress

Bug description:
  [Rationale]
  For backporting snapd to 14.04 LTS, we need to provide proper AppArmor
  confinement for snaps when running under the 16.04 hardware enablement
  kernel. The apparmor userspace package in 14.04 is missing support for
  key mediation features such as UNIX domain socket rules, AppArmor
  policy namespaces, and AppArmor profile stacking. UNIX domain socket
  mediation is needed by nearly all snaps. AppArmor policy namespaces and
  profile stacking are needed by the lxd snap.

  Unfortunately, it was not feasible to backport the individual features
  to the 14.04 apparmor package as they're quite complex and have a
  large number of dependency patches. Additionally, the AppArmor policy
  abstractions from Ubuntu 16.04 are needed to provide proper snap
  confinement. Because of these two reasons, the decision to bring
  16.04's apparmor package to 14.04 was (very carefully) made.

  [Test Case]

    https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor

  This update will go through the Test Plan as well as manual testing to
  verify that snap confinement on 14.04 does work. Manual tests include
  installing snapd in 14.04 and running simple snaps such as
  pwgen-tyhicks and hello-world, as well as a much more complex snap
  such as lxd.

  The following regression tests from lp:qa-regression-testing (these
  packages ship an AppArmor profile) can be used to verify that their
  respective packages do not regress:

   test-apache2-mpm-event.py
   test-apache2-mpm-itk.py
   test-apache2-mpm-perchild.py
   test-apache2-mpm-prefork.py
   test-apache2-mpm-worker.py
   test-bind9.py
   test-clamav.py
   test-cups.py
   test-dhcp.py
   test-mysql.py
   test-ntp.py
   test-openldap.py
   test-rsyslog.py
   test-squid.py
   test-strongswan.py
   test-tcpdump.py

  I have a branch of lp:qa-regression-testing (unmerged, currently at
  https://code.launchpad.net/~tyhicks/+git/qa-regression-testing/+ref/apparmor-trusty-sru)
  that pulls in the parser and regression tests from the apparmor
  2.8.95~2430-0ubuntu5.3 package currently shipping in Trusty, in
  addition to the tests in the 2.10.95 based package.

  Additionally, manually testing evince, which is confined by an
  AppArmor profile, should be done. The manual test should check basic
  functionality as well as for proper confinement (`ps auxZ` output).

  [Regression Potential]
  High. We must be extremely careful to not regress existing, confined
  applications in Ubuntu 14.04. We are lucky that the upstream AppArmor
  project has extensive regression tests and that the Ubuntu Security
  team adds even more testing via the AppArmor Test Plan.

  Care was taken to minimally change how the AppArmor policies are
  loaded during the boot process. I also verified that the abstractions
  shipped in apparmor and the profiles shipped in apparmor-profiles are
  the same across this SRU update.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1641243/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
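
The bug description's manual test asks for proper confinement to be checked in `ps auxZ` output. The following is an added example, not part of the original message or of lp:qa-regression-testing, that automates that check. The function names and the sample listing are constructed for illustration, and it assumes the LABEL column reads either `unconfined` or `<profile> (<mode>)`.

```shell
#!/bin/sh
# Constructed sample of `ps auxZ` output (not captured from a real host).
sample_ps() {
cat <<'EOF'
LABEL                           USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
unconfined                      root         1  0.0  0.1  33900  4300 ?        Ss   09:00   0:01 /sbin/init
/usr/sbin/cupsd (enforce)       root       812  0.0  0.2  77000  6100 ?        Ss   09:00   0:00 /usr/sbin/cupsd -f
/usr/bin/evince (enforce)       alice     2301  0.4  1.9 690000 78000 ?        Sl   09:12   0:03 evince report.pdf
/usr/sbin/tcpdump (complain)    root      2410  0.0  0.1  21000  3900 pts/0    S+   09:15   0:00 tcpdump -i eth0
EOF
}

# Read `ps auxZ` text on stdin and print "PID MODE PROFILE" for every
# process whose command basename equals $1.
confinement_report() {
    awk -v want="$1" '
        $1 == "LABEL" { next }    # skip the header row
        {
            # A confined label is two fields, "<profile> (<mode>)", which
            # shifts every later column right by one.
            off = ($2 ~ /^\((enforce|complain)\)$/) ? 1 : 0
            mode = off ? substr($2, 2, length($2) - 2) \
                       : ($1 == "unconfined" ? "unconfined" : "unknown")
            n = split($(12 + off), parts, "/")   # COMMAND column
            if (parts[n] == want) print $(3 + off), mode, $1
        }'
}

# Exit 0 only if every matching process is in enforce mode; exit 2 if no
# matching process is running, since nothing was verified in that case.
check_enforced() {
    report=$(confinement_report "$1")
    [ -n "$report" ] || return 2
    ! printf '%s\n' "$report" | awk '$2 != "enforce"' | grep -q .
}

# On a live system: ps auxZ | check_enforced evince
```

A profile in complain mode fails the check as well, because a complain-mode profile logs policy violations without blocking them.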