← Back to team overview

kernel-packages team mailing list archive

[Bug 1298611] Re: [FFe] apparmor signal and ptrace mediation

 

** Description changed:

  Background: kernel and apparmor userspace updates to support signal and
  ptrace mediation. These packages are listed in one bug because they are
  related, but the FFes may be granted and the uploads may happen at
  different times.
  
  = linux =
  Summary:
  This feature freeze exception is requested for signal and ptrace mediation via apparmor in the kernel. When used with a compatible apparmor userspace, signals and ptrace rules are supported. When used without a compatible apparmor userspace (eg, on a precise system with a trusty backport kernel), signal and ptrace mediation is not enforced (ie, you can use this kernel with an old userspace without any issues).
  
  The fine grained mediation of signals and ptraces also incorporates improved
  versioning support that allows this kernel to better support older and newer
  userspaces. This allows for this version of the kernel to work as a backport
  kernel unmodified (currently a patch and config are used to provide backport
  kernels).
+ 
+ The kernel patch is available at git://kernel.ubuntu.com/jj/ubuntu-trusty.git
+ in the trusty-alpha6 branch apparmor-alpha6-sync
  
  Testing:
  * 12.04 system with backported kernel: INPROGRESS
  * 14.04 system (non-Touch) with current apparmor userspace: INPROGRESS
  * 14.04 system (non-Touch) with updated apparmor userspace capable of supporting signal and ptrace mediation: INPROGRESS
  * 14.04 system (non-Touch) using lxc containers: INPROGRESS
  
  Justification:
  This feature is required to support comprehensive application confinement on Ubuntu Touch (a separate pull will be requested at a later date). This feature adds a significant security benefit to libvirt's qemu guest isolation which is fundamental to Ubuntu on Server/Cloud. This feature adds a welcome improvement to administrators wishing to further protect their systems.
  
  = apparmor userspace =
  Summary:
  This feature freeze exception is requested for signal and ptrace mediation for apparmor userspace. When used with a compatible kernel, signals and ptrace rules are supported. When used without a compatible kernel (eg, immediately on Ubuntu Touch or with upstream kernels), signal and ptrace rules are skipped (ie, you can use this userspace with other kernels without issue).
  
  Testing:
  * 14.04 system with current kernel (Touch, Desktop, Server): TODO
  * 14.04 system with updated kernel capable of supporting signal and ptrace mediation (Touch, Desktop, Server): INPROGRESS
  * 14.04 system using lxc containers (Touch, Desktop, Server): TODO
  
  Justification:
  This feature is required to support comprehensive application confinement on Ubuntu Touch. This feature adds a significant security benefit to libvirt's qemu guest isolation which is fundamental to Ubuntu on Server/Cloud. This feature adds a welcome improvement to administrators wishing to further protect their systems.
  
  Extra information:
  While the apparmor userspace and kernel changes to support signal and ptrace mediation can happen at different times, the apparmor userspace upload must correspond with uploads for packages that ship AppArmor policy that require updates (eg, libvirt, lxc, etc). The packages outlined in https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/AppArmorProfiles have been tested to either work without modification to the policy or updated and tested to work with updated policy. Common rules will be added to the apparmor base abstraction such that most packages shipping apparmor policy will not require updating. These updates will be prepared, tested and published en masse via a silo ppa.

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1298611

Title:
  [FFe] apparmor signal and ptrace mediation

Status in “apparmor” package in Ubuntu:
  New
Status in “linux” package in Ubuntu:
  Confirmed

Bug description:
  Background: kernel and apparmor userspace updates to support signal
  and ptrace mediation. These packages are listed in one bug because
  they are related, but the FFes may be granted and the uploads may
  happen at different times.

  = linux =
  Summary:
  This feature freeze exception is requested for signal and ptrace mediation via apparmor in the kernel. When used with a compatible apparmor userspace, signals and ptrace rules are supported. When used without a compatible apparmor userspace (eg, on a precise system with a trusty backport kernel), signal and ptrace mediation is not enforced (ie, you can use this kernel with an old userspace without any issues).

  The fine grained mediation of signals and ptraces also incorporates improved
  versioning support that allows this kernel to better support older and newer
  userspaces. This allows for this version of the kernel to work as a backport
  kernel unmodified (currently a patch and config are used to provide backport
  kernels).

  The kernel patch is available at git://kernel.ubuntu.com/jj/ubuntu-trusty.git
  in the trusty-alpha6 branch apparmor-alpha6-sync

  Testing:
  * 12.04 system with backported kernel: INPROGRESS
  * 14.04 system (non-Touch) with current apparmor userspace: INPROGRESS
  * 14.04 system (non-Touch) with updated apparmor userspace capable of supporting signal and ptrace mediation: INPROGRESS
  * 14.04 system (non-Touch) using lxc containers: INPROGRESS

  Justification:
  This feature is required to support comprehensive application confinement on Ubuntu Touch (a separate pull will be requested at a later date). This feature adds a significant security benefit to libvirt's qemu guest isolation which is fundamental to Ubuntu on Server/Cloud. This feature adds a welcome improvement to administrators wishing to further protect their systems.

  = apparmor userspace =
  Summary:
  This feature freeze exception is requested for signal and ptrace mediation for apparmor userspace. When used with a compatible kernel, signals and ptrace rules are supported. When used without a compatible kernel (eg, immediately on Ubuntu Touch or with upstream kernels), signal and ptrace rules are skipped (ie, you can use this userspace with other kernels without issue).

  Testing:
  * 14.04 system with current kernel (Touch, Desktop, Server): TODO
  * 14.04 system with updated kernel capable of supporting signal and ptrace mediation (Touch, Desktop, Server): INPROGRESS
  * 14.04 system using lxc containers (Touch, Desktop, Server): TODO

  Justification:
  This feature is required to support comprehensive application confinement on Ubuntu Touch. This feature adds a significant security benefit to libvirt's qemu guest isolation which is fundamental to Ubuntu on Server/Cloud. This feature adds a welcome improvement to administrators wishing to further protect their systems.

  Extra information:
  While the apparmor userspace and kernel changes to support signal and ptrace mediation can happen at different times, the apparmor userspace upload must correspond with uploads for packages that ship AppArmor policy that require updates (eg, libvirt, lxc, etc). The packages outlined in https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/AppArmorProfiles have been tested to either work without modification to the policy or updated and tested to work with updated policy. Common rules will be added to the apparmor base abstraction such that most packages shipping apparmor policy will not require updating. These updates will be prepared, tested and published en masse via a silo ppa.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1298611/+subscriptions