kernel-packages team mailing list archive
Message #53274
[Bug 1298611] Re: [FFe] apparmor signal and ptrace mediation
This bug was fixed in the package apparmor - 2.8.95~2430-0ubuntu5
---------------
apparmor (2.8.95~2430-0ubuntu5) trusty; urgency=medium
* debian/control: add versioned Breaks to apparmor for lxc, libvirt-bin,
lightdm and apparmor-easyprof-ubuntu
apparmor (2.8.95~2430-0ubuntu4) trusty; urgency=medium
[ John Johansen, Steve Beattie ]
* Add userspace support for AppArmor signals and ptrace mediation
(LP: #1298611)
+ debian/patches/mediate-signals.patch,
debian/patches/change-signal-syntax.patch: Parse signal rules with
apparmor_parser. See the apparmor.d(5) man page for syntax details.
+ debian/patches/change-ptrace-syntax.patch,
debian/patches/mediate-ptrace.patch: Parse ptrace rules with
apparmor_parser. See the apparmor.d(5) man page for syntax details.
+ debian/patches/test-signal-rules.patch,
debian/patches/test-ptrace-rules.patch,
debian/patches/update-tests-for-new-semantics.patch: Update existing
tests and add new tests for signal and ptrace mediation
+ debian/patches/fix-garbage-in-preprocessor-output.patch: Fix bug causing
apparmor_parser preprocessor output to contain garbage after include
statements
+ debian/patches/fix-double-comma-in-preprocessor-output.patch: Fix bug
causing apparmor_parser preprocessor output to contain double commas
after some rules
+ debian/patches/symtab-tests-and-seenlist-bug.patch,
debian/patches/add-profile-name-variable.patch: Add ${profile_name}
variable for use in profiles when rules need to specify the current
profile's name. This is useful for signal and ptrace rules that specify
+ debian/patches/fix-names-treated-as-condlistid.patch: Fix
apparmor_parser bug that caused mount and dbus rules to fail for sets of
values
[ Jamie Strandboge ]
* debian/patches/update-base-abstraction-for-signals-and-ptrace.patch:
Adjust the base abstraction for signals and ptrace mediation. Profiles
that use the base abstraction can deny any of the granted permissions to
achieve tighter confinement.
* debian/patches/manpage-signal-ptrace.patch: Update the apparmor.d man
page to document signal rules, ptrace rules, and variables for use in
AppArmor profiles
* debian/patches/dnsmasq-libvirtd-signal-ptrace.patch: Update the dnsmasq
profile to allow libvirtd to send signals to and ptrace read the dnsmasq
process
* debian/patches/update-chromium-browser.patch: Adjust the chromium-browser
profile for permissions needed in newer chromium-browser versions and add
the rules needed for AppArmor ptrace mediation
[ Tyler Hicks ]
* Add new rule type support to aa.py to fix tracebacks when using the Python
utilities in apparmor-utils on systems with AppArmor profiles containing
previously unsupported rule types
- debian/patches/python-utils-file-support.patch: Support path rules
containing the "file" prefix (LP: #1295346)
- debian/patches/python-utils-signal-support.patch: Parse and write signal
rules (LP: #1300316)
- debian/patches/python-utils-ptrace-support.patch: Parse and write ptrace
rules (LP: #1300317)
- debian/patches/python-utils-pivot_root-support.patch: Parse and write
pivot_root rules (LP: #1298678)
-- Jamie Strandboge <jamie@xxxxxxxxxx> Fri, 04 Apr 2014 01:07:24 -0500
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1298611
Title:
[FFe] apparmor signal and ptrace mediation
Status in “apparmor” package in Ubuntu:
Fix Released
Status in “apparmor-easyprof-ubuntu” package in Ubuntu:
Fix Released
Status in “libvirt” package in Ubuntu:
Fix Released
Status in “lightdm” package in Ubuntu:
Fix Released
Status in “linux” package in Ubuntu:
Fix Released
Status in “lxc” package in Ubuntu:
Fix Released
Bug description:
Background: kernel and apparmor userspace updates to support signal
and ptrace mediation. These packages are listed in one bug because
they are related, but the FFes may be granted and the uploads may
happen at different times.
= linux =
Summary:
This feature freeze exception is requested for signal and ptrace mediation via apparmor in the kernel. When used with a compatible apparmor userspace, signals and ptrace rules are supported. When used without a compatible apparmor userspace (eg, on a precise system with a trusty backport kernel), signal and ptrace mediation is not enforced (ie, you can use this kernel with an old userspace without any issues).
The fine grained mediation of signals and ptraces also incorporates improved
versioning support that allows this kernel to better support older and newer
userspaces. This allows for this version of the kernel to work as a backport
kernel unmodified (currently a patch and config are used to provide backport
kernels).
The kernel patch is available at git://kernel.ubuntu.com/jj/ubuntu-trusty.git
in the trusty-alpha6 branch apparmor-alpha6-sync
Testing:
* 12.04 system with backported kernel: DONE
  * test-apparmor.py: PASS (runs extensive tests (upstream and distro))
  * exploratory manual testing: PASS (networking, aa-enforce with firefox, firefox works, apparmor blocks access, etc)
  * aa-status: PASS
  * lxc: PASS (containers can be created, started, shutdown)
  * libvirt: PASS (VMs started via openstack, and test-libvirt.py from QRT passes all tests)
* 14.04 system (non-Touch) with current apparmor userspace: DONE (relevant parts of https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor)
  * test-apparmor.py: PASS (runs extensive tests (upstream and distro))
  * exploratory manual testing: PASS (networking, aa-enforce with firefox, firefox works, apparmor blocks access, etc)
  * aa-status: PASS
  * lxc: PASS (containers can be created, started, shutdown)
  * libvirt: PASS (QRT/script/test-libvirt.py (though there are 3 failures unrelated to apparmor))
  * click-apparmor QRT touch image tests: PASS
  * apparmor-easyprof-ubuntu QRT touch image tests: PASS
* 14.04 system (non-Touch) with updated apparmor userspace capable of supporting signal and ptrace mediation: DONE (relevant parts of https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor. Note: this is marked 'done' from the kernel perspective-- the apparmor userspace upload is being prepared and tests assume userspace is using latest patches on the list)
  * test-apparmor.py: PASS (runs extensive tests (upstream and distro))
  * exploratory manual testing: PASS (networking, aa-enforce with firefox, firefox works, apparmor blocks access, etc)
  * aa-status: PASS
  * lxc: PASS (containers can be created, started, shutdown)
  * libvirt: PASS (QRT/script/test-libvirt.py (though there are 3 failures unrelated to apparmor))
  * click-apparmor QRT touch image tests: PASS
  * apparmor-easyprof-ubuntu QRT touch image tests: PASS
Justification:
This feature is required to support comprehensive application confinement on Ubuntu Touch. This feature adds a significant security benefit to libvirt's qemu guest isolation which is fundamental to Ubuntu on Server/Cloud. This feature also adds a welcome improvement to administrators wishing to further protect their systems.
= apparmor userspace =
Summary:
This feature freeze exception is requested for signal and ptrace mediation for apparmor userspace. When used with a compatible kernel, signals and ptrace rules are supported. When used without a compatible kernel (eg, on Ubuntu Touch for a few weeks or with upstream kernels), signal and ptrace rules are skipped (ie, you can use this userspace with other kernels without issue).
Testing:
* 14.04 system with current kernel (Touch, kernel doesn't have signal and ptrace mediation yet):
  * https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor: PASS (includes click-apparmor, apparmor-easyprof-ubuntu, exploratory manual testing, etc)
* 14.04 system with previous kernel lacking signal and ptrace mediation (non-Touch):
  * https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor: PASS (exploratory manual testing, lxc, libvirt (3 failures unrelated to apparmor), etc)
  * test-apparmor.py: PASS
  * lightdm guest session: PASS (login, start browser, logout)
* 14.04 system kernel capable of supporting signal and ptrace mediation (non-Touch):
  * https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor: PASS (includes test-apparmor.py, exploratory manual testing, lxc, libvirt (3 failures unrelated to apparmor), etc)
  * Verify everything in https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/AppArmorProfiles: PASS (except juju since it doesn't have policy itself)
  * lightdm guest session: PASS (login, start browser, logout)
Justification:
This feature is required to support comprehensive application confinement on Ubuntu Touch. This feature adds a significant security benefit to libvirt's qemu guest isolation which is fundamental to Ubuntu on Server/Cloud. This feature also adds a welcome improvement to administrators wishing to further protect their systems.
Extra information:
While the apparmor userspace and kernel changes to support signal and ptrace mediation can happen at different times, the apparmor userspace upload must correspond with uploads for packages that ship AppArmor policy that require updates (eg, libvirt, lxc, etc). The packages outlined in https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/AppArmorProfiles have been tested to either work without modification to the policy or updated and tested to work with updated policy. Common rules will be added to the apparmor base abstraction such that most packages shipping apparmor policy will not require updating. These updates will be prepared, tested and published en masse via a silo ppa.
Common rules added to the base abstraction are (ie, these rules will be included in all policy on Ubuntu since the base abstraction is always used in distro policy):
# Allow other processes to read our /proc entries, futexes, perf tracing and
# kcmp for now
ptrace (readby),
# Allow other processes to trace us by default (they will need 'trace' in
# the first place). Administrators can override with:
# deny ptrace (tracedby) ...
ptrace (tracedby),
# Allow unconfined processes to send us signals by default
signal (receive) peer=unconfined,
# Allow us to signal ourselves
signal peer=@{profile_name},
# Checking for PID existence is quite common so add it by default for now
signal (receive, send) set=("exists"),
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1298611/+subscriptions
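As an added illustration, not part of the bug report or of the apparmor package, the following constructed pair of profiles shows how the signal and ptrace rule syntax introduced by this upload is written on both ends of a peer relationship (the pattern the changelog applies to libvirtd and dnsmasq), and how a profile that includes the updated base abstraction can deny one of the defaults quoted in the bug description to tighten confinement. The profile paths /usr/sbin/example-manager and /usr/sbin/example-worker are hypothetical.

```apparmor
# Constructed example, not from the bug report or the apparmor package.
# Both profile paths below are hypothetical.
#include <tunables/global>

# Manager side: the process that sends signals to the worker and reads the
# worker's /proc state. peer= names the worker's profile.
/usr/sbin/example-manager {
  #include <abstractions/base>

  # Only term and hup may be sent to the worker; other signals to it are
  # denied and logged.
  signal (send) set=(term, hup) peer=/usr/sbin/example-worker,

  # Read the worker's /proc entries. The matching "ptrace (readby)," is
  # already granted to every peer by the updated base abstraction.
  ptrace (read) peer=/usr/sbin/example-worker,

  /usr/sbin/example-manager mr,
}

# Worker side: signal and ptrace rules are checked on both peers, so the
# receive side must be explicit; beyond this only the base abstraction's
# defaults apply (unconfined senders, the profile itself, "exists").
/usr/sbin/example-worker {
  #include <abstractions/base>

  signal (receive) set=(term, hup) peer=/usr/sbin/example-manager,

  # Tighten the default: the base abstraction grants "ptrace (tracedby),"
  # so debuggers keep working. Deny rules take precedence over allow rules,
  # so this removes that grant for this profile only.
  deny ptrace (tracedby),

  /usr/sbin/example-worker mr,
}
```

The syntax can be checked without loading the policy with apparmor_parser -Q (skip the kernel load) on the file. As the description notes, a kernel without the mediation skips signal and ptrace rules entirely, so the absence of denials in the audit log on such a kernel says nothing about whether the rules are correct; verify on a kernel that supports the feature.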