
kernel-packages team mailing list archive

[Bug 1298611] Re: [FFe] apparmor signal and ptrace mediation


** Description changed:

  = linux =
  This feature freeze exception is requested for signal and ptrace mediation via apparmor in the kernel. When used with a compatible apparmor userspace, signals and ptrace rules are supported. When used without a compatible apparmor userspace (eg, on a precise system with a trusty backport kernel), signal and ptrace mediation is not enforced (ie, you can use this kernel with an old userspace without any issues).
  
  This feature has been tested on a 12.04 system, 14.04 system with
- current apparmor userspace, and 14.04 system with update apparmor
+ current apparmor userspace, and 14.04 system with updated apparmor
  userspace capable of supporting signal and ptrace mediation. This
  feature has been tested to work on systems using lxc containers.
  
  This feature is required to support comprehensive application
  confinement on Ubuntu Touch (a separate pull will be requested at a
  later date). This feature adds a significant security benefit to
  libvirt's qemu guest isolation which is fundamental to Ubuntu on
- Server/Cloud. This feature adds welcome improvement to administrators
+ Server/Cloud. This feature adds a welcome improvement to administrators
  wishing to further protect their systems.
  
  = apparmor userspace =
  This feature freeze exception is requested for signal and ptrace mediation for apparmor userspace. When used with a compatible kernel, signals and ptrace rules are supported. When used without a compatible kernel (eg, immediately on Ubuntu Touch or with upstream kernels), signal and ptrace rules are skipped (ie, you can use this userspace with other kernels without issue).
  
  This feature has been tested on a 14.04 system with current kernel and a
  14.04 system with updated kernel capable of supporting signal and ptrace
  mediation. This feature has been tested to work with on systems using
  lxc containers.
  
  This feature is required to support comprehensive application
  confinement on Ubuntu Touch. This feature adds a significant security
  benefit to libvirt's qemu guest isolation which is fundamental to Ubuntu
  on Server/Cloud. This feature adds welcome improvement to administrators
  wishing to further protect their systems.
  
  While the apparmor userspace and kernel changes to support signal and
  ptrace mediation can happen at different times, the apparmor userspace
  upload must correspond with uploads for packages that ship AppArmor
  policy that require updates (eg, libvirt, lxc, etc). The packages
  outlined in
  https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/AppArmorProfiles will
  be tested to either work without modification to the policy or updated
  and tested to work with updated policy. Common rules will be added to
  the apparmor base abstraction such that most packages shipping apparmor
  policy will not require updating. These updates will be prepared, tested
  and published en masse via a silo ppa.

** Description changed:

  = linux =
  This feature freeze exception is requested for signal and ptrace mediation via apparmor in the kernel. When used with a compatible apparmor userspace, signals and ptrace rules are supported. When used without a compatible apparmor userspace (eg, on a precise system with a trusty backport kernel), signal and ptrace mediation is not enforced (ie, you can use this kernel with an old userspace without any issues).
  
  This feature has been tested on a 12.04 system, 14.04 system with
  current apparmor userspace, and 14.04 system with updated apparmor
  userspace capable of supporting signal and ptrace mediation. This
  feature has been tested to work on systems using lxc containers.
  
  This feature is required to support comprehensive application
  confinement on Ubuntu Touch (a separate pull will be requested at a
  later date). This feature adds a significant security benefit to
  libvirt's qemu guest isolation which is fundamental to Ubuntu on
  Server/Cloud. This feature adds a welcome improvement to administrators
  wishing to further protect their systems.
  
  = apparmor userspace =
  This feature freeze exception is requested for signal and ptrace mediation for apparmor userspace. When used with a compatible kernel, signals and ptrace rules are supported. When used without a compatible kernel (eg, immediately on Ubuntu Touch or with upstream kernels), signal and ptrace rules are skipped (ie, you can use this userspace with other kernels without issue).
  
  This feature has been tested on a 14.04 system with current kernel and a
  14.04 system with updated kernel capable of supporting signal and ptrace
  mediation. This feature has been tested to work with on systems using
  lxc containers.
  
  This feature is required to support comprehensive application
  confinement on Ubuntu Touch. This feature adds a significant security
  benefit to libvirt's qemu guest isolation which is fundamental to Ubuntu
- on Server/Cloud. This feature adds welcome improvement to administrators
- wishing to further protect their systems.
+ on Server/Cloud. This feature adds a welcome improvement to
+ administrators wishing to further protect their systems.
  
  While the apparmor userspace and kernel changes to support signal and
  ptrace mediation can happen at different times, the apparmor userspace
  upload must correspond with uploads for packages that ship AppArmor
  policy that require updates (eg, libvirt, lxc, etc). The packages
  outlined in
- https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/AppArmorProfiles will
- be tested to either work without modification to the policy or updated
+ https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/AppArmorProfiles have
+ been tested to either work without modification to the policy or updated
  and tested to work with updated policy. Common rules will be added to
  the apparmor base abstraction such that most packages shipping apparmor
  policy will not require updating. These updates will be prepared, tested
  and published en masse via a silo ppa.

** Also affects: linux (Ubuntu)
   Importance: Undecided
       Status: New

** Tags added: bot-stop-nagging

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1298611

Title:
  [FFe] apparmor signal and ptrace mediation

Status in “apparmor” package in Ubuntu:
  New
Status in “linux” package in Ubuntu:
  Incomplete

Bug description:
  = linux =
  This feature freeze exception is requested for signal and ptrace mediation via apparmor in the kernel. When used with a compatible apparmor userspace, signals and ptrace rules are supported. When used without a compatible apparmor userspace (eg, on a precise system with a trusty backport kernel), signal and ptrace mediation is not enforced (ie, you can use this kernel with an old userspace without any issues).

  This feature has been tested on a 12.04 system, 14.04 system with
  current apparmor userspace, and 14.04 system with updated apparmor
  userspace capable of supporting signal and ptrace mediation. This
  feature has been tested to work on systems using lxc containers.

  This feature is required to support comprehensive application
  confinement on Ubuntu Touch (a separate pull will be requested at a
  later date). This feature adds a significant security benefit to
  libvirt's qemu guest isolation which is fundamental to Ubuntu on
  Server/Cloud. This feature adds a welcome improvement to
  administrators wishing to further protect their systems.

  = apparmor userspace =
  This feature freeze exception is requested for signal and ptrace mediation for apparmor userspace. When used with a compatible kernel, signals and ptrace rules are supported. When used without a compatible kernel (eg, immediately on Ubuntu Touch or with upstream kernels), signal and ptrace rules are skipped (ie, you can use this userspace with other kernels without issue).

  This feature has been tested on a 14.04 system with current kernel and
  a 14.04 system with updated kernel capable of supporting signal and
  ptrace mediation. This feature has been tested to work on systems
  using lxc containers.

  This feature is required to support comprehensive application
  confinement on Ubuntu Touch. This feature adds a significant security
  benefit to libvirt's qemu guest isolation which is fundamental to
  Ubuntu on Server/Cloud. This feature adds a welcome improvement to
  administrators wishing to further protect their systems.

  While the apparmor userspace and kernel changes to support signal and
  ptrace mediation can happen at different times, the apparmor userspace
  upload must correspond with uploads for packages that ship AppArmor
  policy that require updates (eg, libvirt, lxc, etc). The packages
  outlined in
  https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/AppArmorProfiles
  have been tested to either work without modification to the policy or
  updated and tested to work with updated policy. Common rules will be
  added to the apparmor base abstraction such that most packages
  shipping apparmor policy will not require updating. These updates will
  be prepared, tested and published en masse via a silo ppa.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1298611/+subscriptions
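As an added illustration, not part of the bug report above nor of the apparmor or linux packages it discusses: a POSIX shell script that checks which mediation classes the running kernel advertises under securityfs (the directory the apparmor parser consults when deciding whether signal and ptrace rules can be loaded or must be skipped) and emits a profile fragment whose signal and ptrace rules match what the kernel can enforce. The profile path /usr/bin/example and the peer profile name example-helper are hypothetical; the rule syntax is that of the apparmor 2.9-era policy language the description refers to.

```shell
#!/bin/sh
# Added example, not code from the bug report or the apparmor project.
# Detect AppArmor signal/ptrace mediation support and emit matching rules.

# Assumption: an AppArmor-enabled kernel exposes each supported mediation
# class as a directory under securityfs, e.g. .../features/signal and
# .../features/ptrace. Older kernels simply lack those directories.
AA_FEATURES_DEFAULT=/sys/kernel/security/apparmor/features

# aa_feature_supported DIR CLASS -> exit 0 if DIR/CLASS exists
aa_feature_supported() {
    [ -d "$1/$2" ]
}

# aa_mediation_summary DIR -> prints "signal=yes|no ptrace=yes|no"
aa_mediation_summary() {
    dir=$1
    sig=no
    ptr=no
    aa_feature_supported "$dir" signal && sig=yes
    aa_feature_supported "$dir" ptrace && ptr=yes
    printf 'signal=%s ptrace=%s\n' "$sig" "$ptr"
}

# aa_profile_fragment DIR -> prints a profile for the hypothetical
# /usr/bin/example, including signal/ptrace rules only when the kernel
# described by DIR would enforce them.
aa_profile_fragment() {
    dir=$1
    printf '%s\n' '/usr/bin/example {' '  #include <abstractions/base>'
    if aa_feature_supported "$dir" signal; then
        cat <<'EOF'
  # Signal mediation: let unconfined processes (init, an admin's shell)
  # signal us, let processes under this same profile signal each other,
  # and let us stop a helper confined by the hypothetical example-helper
  # profile. Anything else (e.g. SIGKILL to an unrelated daemon) is denied.
  signal (receive) peer=unconfined,
  signal (send, receive) peer=@{profile_name},
  signal (send) set=(term, kill) peer=example-helper,
EOF
    fi
    if aa_feature_supported "$dir" ptrace; then
        cat <<'EOF'
  # Ptrace mediation: reading our own /proc state (e.g. /proc/self/exe)
  # needs ptrace read on ourselves; attaching to any other task is denied.
  ptrace (read) peer=@{profile_name},
EOF
    fi
    printf '%s\n' '}'
}

# Stand-alone use: report the running kernel, then print a matching profile.
aa_mediation_summary "$AA_FEATURES_DEFAULT"
aa_profile_fragment "$AA_FEATURES_DEFAULT"
```

On a kernel without the signal and ptrace feature directories the rules are never loaded, so a profile that visibly carries signal and ptrace lines provides no signal or ptrace confinement there; that is the "rules are skipped" behaviour the description relies on for mixed kernel/userspace combinations, and the summary line is the quick way to confirm which case a given machine is in.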